WHP – Microsoft Windows Hacking Pack

M$ Windows Hacking Pack===========Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals).”pes" means "PE Scambled". It’s useful sometimes.Remote Exploits===========Windows 2000 / XP SP1MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP toohttp://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnpWindows XP/NT (beofre SP2)MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)http://www.securityfocus.com/bid/8205/exploitWindows XP (SP2 and SP3) (can be used also for priv esc)MS08-067 Remote Stack Overflow Vulnerability Exploit (srvscv)https://www.exploit-db.com/exploits/7104/Windows Windows 7 and Server 2008 R2 (x64) All Service PacksMS17-010 aka "Eternal Blue"https://github.com/RiskSense-Ops/MS17-010Windows Server 2016 (DoS, may lead to exec)"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8Privilege Escalation===========First, if you have meterpreter, it may be a good idea to try "getsystem".srvcheck3.exe=====Privilege escalation for Windows XP SP2 and beforeThis can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231Example: srvcheck3.exe -m upnphost -H -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"KiTrap0D.tar=====Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/Other ways of exploits listed=====Windows XP/2003MS11-080 → Local Privilege Escalation Exploit Afd.syshttps://www.exploit-db.com/exploits/18176/Windows Vista/7 CVE: 2010-4398 Elevation of Privileges (UAC Bypass) http://www.securityfocus.com/bid/45045/exploitWindows 8.1 (and before)MS14-058 → TrackPopupMenu Privilege Escalationhttps://www.exploit-db.com/exploits/37064/Windows 8.1 (and before)MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"https://www.exploit-db.com/exploits/37049/Windows 10 (and before)Hot Potato (nbns spoof + wpad + smb ntlm)http://foxglovesecurity.com/2016/01/16/hot-potato/Windows 10 (and before)Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmMWindows XP SP2 (and before)srvcheck3.exe – upnp service or SSDPSRV service Windows XP/2003MS11-080 → Local Privilege Escalation Exploit Afd.syshttps://www.exploit-db.com/exploits/18176/Windows Vista/7 CVE: 2010-4398 Elevation of Privileges (UAC Bypass) http://www.securityfocus.com/bid/45045/exploitWindows 8.1 (and before)MS14-058 → TrackPopupMenu Privilege Escalationhttps://www.exploit-db.com/exploits/37064/Windows 8.1 (and before)MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"https://www.exploit-db.com/exploits/37049/Windows NT/2K/XP/2K3/Vista/2K8/7/8KiTrap0D – EPATHOBJ Local Ring Exploithttps://www.exploit-db.com/exploits/11199/Windows 10 (and before)Hot Potato (nbns spoof + wpad + smb ntlm)http://foxglovesecurity.com/2016/01/16/hot-potato/Windows XP (and after).lnk exploit for receiving NetNTLM hashes remotely.https://www.youtube.com/watch?v=cuF_Ibo-mmMBackup files if contain samWindows/system32/config/SAM/WINDOWS/repair/SAMregedit.exe HKEY_LOCAL_MACHINE -> SAMTools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&AbelOtherwise just copy.Dump SAM through shadow volumeIf it can be created the database could be copied from this.Vista command: vssadmin create shadowServer 2008 command: diskshadowWindows Credentials EditorWCE / Windows Credentials Editor can recover password hashes from LSASS – http://www.ampliasecurity.com/research/wcefaq.htmlWCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). Mimikatz dumpingmimikatz # privilege::debugmimikatz # sekurlsa::logonpasswordsmimikatz # lsadump::samCachedump aka In-memory attacks for SAM hashes / Cached Domain Credentialsfgdump.exe (contains pwdump and cachedump, can read from memory)SAM dump (hive)"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."Dump SAM, then spray hasheskeimpx (try hashes with different users, against domain accounts)http://code.google.com/p/keimpx/LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XPLSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abelhttps://github.com/CoreSecurity/impackethttp://packetstormsecurity.org/files/view/10457/lsadump2.ziphttp://www.nirsoft.net/utils/lsa_secrets_dump.htmlhttp://packetstormsecurity.org/files/view/62371/PWDumpX14.zipPassTheHash (before Windows 8.1)pth-winexe –user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 // cmdPassTheTicket (Kerberos)mimikatz can do itDuplicate Access Tokens (if admin access token can be used, it’s win)http://sourceforge.net/projects/incognito/Token "Kidnapping"MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority)http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.htmlOther notablelo toolspsexec, smbshell, metasploit’s psexec, etchttps://github.com/BloodHoundAD/BloodHound – It allows to visualize connections in an AD domain and find fast escalation ways.To Be Added===========- http://www.nirsoft.net/ –> Stuff for dumping passwords- openvpn- evilgradeHashes (SHA256) and VirusTotal scans===========8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.txtb3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e ncat.exeda24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b ncat_pes.exebe4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b nc.exe56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7 nmap-7.12-setup-gui.exe0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5 nmap-7.12-win32_commandline.zip976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654 plink.exe952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f srvcheck3.execa5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170 PEScrambler.exeef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9 SysinternalsSuite.zip8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336 windows-privesc-check.exe6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd windows-privesc-check.pyffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9 fgdump.exec36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a kaht2.zip2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d mimikatz_2-1.zip0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a ms08-067_exploit_31874.pycc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827 ms08-067_exploit_7132.py950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e Responder.tar54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448 samdump2.exeece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8 wce_getlsasrvaddr.exec6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7 wce_v1_41beta_universal.exeecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6 wce_v1_42beta_x32.exe5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 sources/nc110.tgz47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 sources/rdp2tcp-0.1.tar.gz33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78 sources/srvcheck3.zipf706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56 sources/3proxy-0.8.6.tar.gz7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc sources/3proxy-0.9-devel.tgzdec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81 sources/fgdump-2.1.0.tar.bz2352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca sources/impacket_0-9-15.tar21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4 sources/keimpx-0.3-dev.tar16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd sources/mimikatz-2016-06.zip602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526 sources/samdump2-3.0.0.tar.bz2ncat.exeSHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058ehttps://virustotal.com/en/file/b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e/analysis/1466258994/ncat_pes.exeSHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b https://virustotal.com/en/file/da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b/analysis/1466259528/nc110.tgzSHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976https://virustotal.com/en/file/5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976/analysis/1466258410/rdp2tcp-0.1.tar.gzSHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9https://virustotal.com/en/file/47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9/analysis/1466271163/Download WHP

Link: http://feedproxy.google.com/~r/PentestTools/~3/H6Wy8XMjNEc/whp-microsoft-windows-hacking-pack.html

Mitm6 – Pwning IPv4 Via IPv6

Mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see this blog about mitm6. Mitm6 is designed to work together with ntlmrelayx from impacket for WPAD spoofing and credential relaying.Dependencies and installationmitm6 is compatible with both Python 2.7 and 3.x. You can install the requirements for your version with pip install -r requirements.txt. In both cases, mitm6 uses the following packages:ScapyTwistednetifacesFor python 2.7, it uses the ipaddress backport module. You can install the latest release from PyPI with pip install mitm6, or the latest version from source with python setup.py install after cloning this git repository.UsageAfter installation, mitm6 will be available as a command line program called mitm6. Since it uses raw packet capture with Scapy, it should be run as root. mitm6 should detect your network settings by default and use your primary interface for its spoofing. The only option you will probably need to specify is the AD domain that you are spoofing. For advanced tuning, the following options are available:usage: mitm6.py [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS] [-m ADDRESS] [-a] [-v] [–debug] [-d DOMAIN] [-b DOMAIN] [-hw DOMAIN] [-hb DOMAIN] [–ignore-nofqnd]mitm6 – pwning IPv4 via IPv6For help or reporting issues, visit https://github.com/fox-it/mitm6optional arguments: -h, –help show this help message and exit -i INTERFACE, –interface INTERFACE Interface to use (default: autodetect) -l LOCALDOMAIN, –localdomain LOCALDOMAIN Domain name to use as DNS search domain (default: use first DNS domain) -4 ADDRESS, –ipv4 ADDRESS IPv4 address to send packets from (default: autodetect) -6 ADDRESS, –ipv6 ADDRESS IPv6 link-local address to send packets from (default: autodetect) -m ADDRESS, –mac ADDRESS Custom mac address – probably breaks stuff (default: mac of selected interface) -a, –no-ra Do not advertise ourselves (useful for networks which detect rogue Router Advertisements) -v, –verbose Show verbose information –debug Show debug informationFiltering options: -d DOMAIN, –domain DOMAIN Domain name to filter DNS queries on (Whitelist principle, multiple can be specified.) -b DOMAIN, –blacklist DOMAIN Domain name to filter DNS queries on (Blacklist principle, multiple can be specified.) -hw DOMAIN, –host-whitelist DOMAIN Hostname (FQDN) to filter DHCPv6 queries on (Whitelist principle, multiple can be specified.) -hb DOMAIN, –host-blacklist DOMAIN Hostname (FQDN) to filter DHCPv6 queries on (Blacklist principle, multiple can be specified.) –ignore-nofqnd Ignore DHCPv6 queries that do not contain the Fully Qualified Domain Name (FQDN) option.You can manually override most of the autodetect options (though overriding the MAC address will break things). If the network has some hardware which blocks or detects rogue Router Advertisement messages, you can add the –no-ra flag to not broadcast those. Router Advertisements are not needed for mitm6 to work since it relies mainly on DHCPv6 messages.Filtering optionsSeveral filtering options are available to select which hosts you want to attack and spoof. First there are the –host-whitelist and –host-blacklist options (or -hw and -hb for short), which take a (partial) domain as argument. Incoming DHCPv6 requests will be filtered against this list. The property checked is the DHCPv6 FQND option, in which the client provides its hostname. The same applies for DNS requests, for this the –domain option (or -d) is available, where you can supply which domain(s) you want to spoof. Blacklisting is also possible with –blacklist/-b.For both the host and DNS filtering, simple string matching is performed. So if you choose to reply to wpad, it will also reply to queries for wpad.corpdomain.com. If you want more specific filtering, use both the whitelist and blacklist options, since the blacklist takes precedence over the whitelist. By default the first domain specified will be used as the DNS search domain, if you explicitliy want to specify this domain yourself use the –localdomain option.About network impact and restoring the networkmitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn’t implement a full man-in-the-middle attack currently, like we see in for example the SLAAC attack. To further minimize the impact, the IP addresses assigned have low time-to-live (TTL) values. The lease will expire within 5 minutes when mitm6 is stopped, which will remove the DNS server from the victims configuration. To prevent DNS replies getting cached, all replies are sent with a TTL of 100 seconds, which makes sure the cache is cleared within minutes after the tool exits.Usage with ntlmrelayxmitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario mitm6 will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the -6 option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with -wh HOSTNAME (any non-existing hostname in the local domain will work since mitm6 is the DNS server). Optionally you can also use the -wa N parameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.DetectionThe Fox-IT Security Research Team team has released Snort and Suricata signatures to detect rogue DHCPv6 traffic and WPAD replies over IPv6. The signatures are available here: https://gist.github.com/fox-srt/98f29051fe56a1695de8e914c4a2373fDownload mitm6

Link: http://feedproxy.google.com/~r/PentestTools/~3/DI-XOqKc2Vk/mitm6-pwning-ipv4-via-ipv6.html

Findsploit – Find Exploits In Local And Online Databases Instantly

Finsploit is a simple bash script to quickly and easily search both local and online exploit databases. This repository also includes “copysploit" to copy any exploit-db exploit to the current directory and "compilesploit" to automatically compile and run any C exploit (ie. ./copysploit 1337.c && ./compilesploit 1337.c).For updates to this script, type findsploit updateINSTALLATION./install.shUSAGESearch for all exploits and modules using a single search term:* findsploit (ie. findsploit apache)Search multiple search terms:* findsploit <search_term_1> <search_term_2> <search_term_3> …Show all NMap scripts:* findsploit nmap Search for all FTP NMap scripts:* findsploit nmap | grep ftpShow all Metasploit auxiliary modules:* findsploit auxiliaryShow all Metasploit exploits:* findsploit exploitsShow all Metasploit encoder modules:* findsploit encoderShow all Metasploit payloads modules:* findsploit payloadsSearch all Metasploit payloads for windows only payloads:* findsploit payloads | grep windowsDownload Findsploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/E4jCcSg9kJ8/findsploit-find-exploits-in-local-and.html

roxysploit – Penetration Testing Suite

roxysploit is a community-supported, open-source and penetration testing suite that supports attacks for numerous scenarios. conducting attacks in the field.Some containing Plugins in roxysploitScan is a automated Information gathering plugin it gives the user the ability to have a rest while the best Information gathering plugin can be executed.Jailpwn is a useful plugin for any iphone device that has been jailbroken it will attempt to login to the ssh using its default password giving you a full shell.Eternalblue is a recent plugin we added it Exploits a vulnerability on SMBv1/SMBv2 protocols these were collected from the nsa cyberweapons.Internalroute Exploits multiple vulnerabilities in routers this can become very useful such as hotel wifi’s.Aurora this is a old plugin that can become very useful for pen-testers it exploits Internet Explorer 6 URL vulnerability.Doublepulsar is giving you the ability to Remotely inject a malicious dll backdoor into a windows computer.Kodi is a fantastic movie streaming platform but however it runs on linux we have Created a malicious addon(backdoor) via kodi.tvBleed uses a mass vulnerability check on finding any SSL Vulnerabilities.Tresspass is a way of managing your php backdoor and gaining shell or even doing single commands it requires password authentication stopping any lurker.Handler is commonly used to create a listener on a port.Poppy is a mitm plugin allowing you to Arp spoof and sniff unencrypted passwords on all protocals such as ftp and http.Redcarpet is a nice plugin keeping you safe from malicious hackers this will Encrypt a user directory. Picklock is a local bruteforce plugin that you can Picklock/bruteforce Mulitple devices Pincodes such as android usb debugging.Passby can load a usb to steal all credentials from a windows computer in seconds.Dnsspoof is common for man in the middle attacks, it can redirect any http requests to your dns.Smartremote this is more of a funny remote exploit you can Take over a smart tv’s remote control without authentication.Blueborne is a recent Bluetooth memory leak all devices even cars.Credswipe you have to have a card reader to clone them.Rfpwn suitable device to bruteforce a special AM OOK or raw binary signal.Ftpbrute Brute-force attack an ftp(file transfer protocol) server Wifijammer you can Deauth wifi networks around your area, meaning disconnecting all users connected to the network.It is frequently updated Tested on . Arch Linux Working Kali Linux Working Ubuntu Working Debian Working Centos Not Tested MacOSX Needs porting Windows Ha no. How to install$ git clone https://github.com/Eitenne/roxysploit.git; cd roxysploit; sudo /bin/bash installExecuting plugins examplesrsf > use Picklockrsf (plugins/picklock) > helpCore Commands============= Command Description ——- ———– help show help menu execute run the plugin exit exit the current pluginrsf (plugins/picklock) > execute[?] OS :: Select the devices os*0) Android :: Bruteforce 4digit pincode usb debugging 1) Linux :: Bruteforce Encrypted partions[+] device: [0]:rsf > use Poppyrsf (plugins/poppy) > execute[?] Interface :: Your interface[+] interface: [wlan0]: wlp6s0[?] Target :: Enter the targets ip[+] target: [192.326.1.25]:[?] Gateway :: Enter the gateway/router ip[+] router: []:[?] Function :: Would you like to setup dns spoofing?*0) no :: Disable dns spoofing 1) yes :: Enable dns spoofing[+] function: [0]:[?] Configuring PluginName Set Value—- ———-Interface wlp6s0Target plugins/poppy[?] Execute Plugins? [yes]: [*] Enabling IP Forwarding…[*] Poisoning Targets…What operating systems support roxysploit?All Linux distros are currently supported, it is recomended for a prebuilt pentesting os like kali linux although.Credits0x5a Aaronius Witt TDHU Team(InsaneLand) @2017Download roxysploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/kzGLoxuDy-I/roxysploit-penetration-testing-suite.html