some additions for phishing and cleanup
This commit is contained in:
parent
aba2d26776
commit
1e166ee37e
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
* Methods of aquiring the first set of credentials
|
||||
|
||||
|
||||
## Aquire credentials
|
||||
|
||||
### OSINT
|
||||
|
|
@ -14,7 +13,11 @@
|
|||
|
||||
### Phishing
|
||||
|
||||
* Gain credentials via eMail
|
||||
[Create files for using Greenwolf's NTLM theft](https://github.com/Greenwolf/ntlm_theft).
|
||||
|
||||
>ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.
|
||||
|
||||
Gain credentials via eMail, smb write permissions and so on.
|
||||
|
||||
## NTLM Authenticated Services
|
||||
|
||||
|
|
@ -40,29 +43,37 @@
|
|||
* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
|
||||
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
|
||||
* OpenLDAP
|
||||
|
||||
```sh
|
||||
dpkg-reconfigure -p low slapd
|
||||
```
|
||||
* Skip reconfiguration -> No
|
||||
* Insert DNS domain and organisation
|
||||
* Provide password
|
||||
* Select `MDB` as database
|
||||
* No removal when db is purged
|
||||
* Move old database when creating a new one
|
||||
* Downgrade authentication via `*.ldif` file
|
||||
|
||||
* Skip reconfiguration -> No
|
||||
* Insert DNS domain and organisation
|
||||
* Provide password
|
||||
* Select `MDB` as database
|
||||
* No removal when db is purged
|
||||
* Move old database when creating a new one
|
||||
* Downgrade authentication via `*.ldif` file
|
||||
|
||||
```sh
|
||||
dn: cn=config
|
||||
replace: olcSaslSecProps
|
||||
olcSaslSecProps: noanonymous,minssf=0,passcred
|
||||
```
|
||||
* Patch and reload ldap
|
||||
|
||||
Patch and reload ldap
|
||||
|
||||
```sh
|
||||
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
|
||||
```
|
||||
* Check via
|
||||
|
||||
Check via
|
||||
|
||||
```sh
|
||||
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
|
||||
```
|
||||
|
||||
* Make pcap via tcdump
|
||||
|
||||
## Authentication Relay
|
||||
|
|
@ -77,10 +88,13 @@ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
|
|||
### Capture via responder
|
||||
|
||||
* Run responder on LAN via
|
||||
|
||||
```sh
|
||||
sudo responder -I <interface>
|
||||
```
|
||||
|
||||
* Use `hashcat` to crack the hashes
|
||||
|
||||
```sh
|
||||
hashcat -m 5600 hash.txt rockyout.txt --force
|
||||
```
|
||||
|
|
@ -109,7 +123,6 @@ hashcat -m 5600 hash.txt rockyout.txt --force
|
|||
|
||||
* Use `PowerPXE.ps1` to extract `*.bcd` files
|
||||
|
||||
|
||||
## Configuration Files
|
||||
|
||||
* Configurations of services and applications as well as registry keys
|
||||
|
|
|
|||
Loading…
Reference in New Issue