APTSimulator – A toolset to make a system look as if it was the victim of an APT attack

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Use Cases

- POCs: Endpoint detection agents / compromise assessment tools
- Test your security monitoring's detection capabilities
- Test your SOC's response on a threat that isn't EICAR or a port scan
- Prepare an environment for digital forensics classes

Motives

Customers tested our scanners in a POC and sent us a complaint that our scanners didn't report on programs that they had installed on their test systems. They had installed Nmap, dropped a PsExec.exe in the Downloads folder and placed an EICAR test virus on the user's Desktop. That was the moment when I decided to build a tool that simulates a real threat in a more appropriate way.

Why Batch?

Because it's simple:
- Everyone can read, modify or extend it
- It runs on every Windows system without any prerequisites
- It is closest to a real attacker working on the command line

Focus

The focus of this tool is to simulate adversary activity, not malware.

Getting Started

1. Download the latest release from the "release" section
2. Extract the package on a demo system (Password: apt)
3. Start a cmd.exe as Administrator
4. Navigate to the extracted program folder and run APTSimulator.bat

Avoiding Early Detection

The batch script extracts the tools and shells from an encrypted 7z archive at runtime. Do not download the master repo using the "download as ZIP" button. Instead use the official release from the release section.

Extending the Test Set

Since version 0.4 it is pretty easy to extend the test sets by adding a single .bat file to one of the test-set category folders. E.g. if you want to write a simple use case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:

1. Add your tool to the toolset folder
2. Write a new batch script privesc-1.bat and add it to the ./test-sets/privilege-escalation folder
3. Run build_pack.bat
4. Add your test to the table and action list in the README.md
5. Create a pull request

Tool and File Extraction

If your script includes a tool, web shell, auxiliary or output file, place them in the folders ./toolset or ./workfiles. Running the build script build_pack.bat will include them in the encrypted archives enc-toolset.7z and enc-files.7z.

Extract a Tool

    %ZIP% e -p%PASS% %TOOLARCH% -aoa -o%APTDIR% toolset\tool.exe > NUL

Extract a File

    %ZIP% e -p%PASS% %FILEARCH% -aoa -o%APTDIR% workfile\tool-output.txt > NUL

Detection

The following table shows the different test cases and the expected detection results.

AV = Antivirus
NIDS = Network Intrusion Detection System
EDR = Endpoint Detection and Response
SM = Security Monitoring
CA = Compromise Assessment

The original table has the columns AV, NIDS, EDR, SM and CA; in this copy the column positions of the marks were lost, so only the marks per test case survive (X = expected detection, (X) = possible detection):

- Dumps (Pwdump, Dir Listing): X
- Recon Activity (Typical Commands): X X X
- DNS (Cache Injection): (X) X X X
- Eventlog (WCE entries): X X X
- Hosts File (AV/Win Update blocks): (X) X X
- Backdoor (StickyKey file/debugger): X X
- Obfuscation (RAR with JPG ext): (X)
- Web Shells (a good selection): X (X) X
- Ncat Alternative (Drop & Exec): X X X X
- Remote Execution Tool (Drop): (X) X
- Mimikatz (Drop & Exec): X X X X
- PsExec (Drop & Exec): X X X
- At Job Creation: X X X
- RUN Key Entry Creation: X X X
- System File in Susp Loc (Drop & Exec): X X X
- Guest User (Activation & Admin): X X X
- LSASS Dump (with Procdump): X X X
- C2 Requests: (X) X X X
- Malicious User Agent (Malware, RATs): X X X
- Scheduled Task Creation: X X X
- Nbtscan Discovery (Scan & Output): X X (X) X

Test Cases

1. Dumps
   - drops pwdump output to the working dir
   - drops directory listing to the working dir
2. Recon
   - Executes commands used by attackers to get information about a target system
3. DNS
   - Looks up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache
4. Eventlog
   - Creates Windows Eventlog entries that look as if WCE had been executed
5. Hosts
   - Adds entries to the local hosts file (update blocker, entries caused by malware)
6. Sticky Key Backdoor
   - Tries to replace sethc.exe with cmd.exe (a backup file is created)
   - Tries to register cmd.exe as debugger for sethc.exe
7. Obfuscation
   - Drops a cloaked RAR file with JPG extension
8. Web Shells
   - Creates a standard web root directory
   - Drops standard web shells to that directory
   - Drops a GIF obfuscated web shell to that directory
9. Ncat Alternative
   - Drops a PowerShell Ncat alternative to the working directory
10. Remote Execution Tool
    - Drops a remote execution tool to the working directory
11. Mimikatz
    - Dumps mimikatz output to the working directory (fallback if other executions fail)
    - Runs a special version of mimikatz and dumps the output to the working directory
    - Runs Invoke-Mimikatz in memory (github download, reflection)
12. PsExec
    - Dumps a renamed version of PsExec to the working directory
    - Runs PsExec to start a command line in LOCAL_SYSTEM context
13. At Job
    - Creates an at job that runs mimikatz and dumps credentials to file
14. RUN Key
    - Creates a suspicious new RUN key entry that dumps "net user" output to a file
15. System File Suspicious Location
    - Drops a suspicious executable with a system file name (svchost.exe) in the %PUBLIC% folder
    - Runs that suspicious program in the %PUBLIC% folder
16. Guest User
    - Activates the Guest user
    - Adds the Guest user to the local administrators
17. LSASS Dump
    - Dumps LSASS process memory to a suspicious folder
18. C2 Requests
    - Uses Curl to access well-known C2 servers
19. Malicious User Agents
    - Uses malicious user agents to access web sites
20. Scheduled Task Creation
    - Creates a scheduled task that runs mimikatz and dumps the output to a file
21. Nbtscan Discovery
    - Scans 3 private class-C IP subnets and dumps the output to the working directory

Warning

This repo contains tools and executables that can harm your system's integrity and stability. Only use them on non-productive test or demo systems.

Advanced Solutions

- The CALDERA automated adversary emulation system: https://github.com/mitre/caldera
- Infection Monkey – An automated pentest tool: https://github.com/guardicore/monkey
- Flightsim – A utility to generate malicious network traffic and evaluate controls: https://github.com/alphasoc/flightsim

Integrated Projects / Software

- Mimikatz
- PowerSploit
- PowerCat
- PsExec
- ProcDump
- 7Zip
- curl

Link: http://feedproxy.google.com/~r/PentestTools/~3/rAND2a8X3zQ/aptsimulator-toolset-to-make-system.html

Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy

Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.

Examples of the kinds of stuff it finds in GPOs:

- GPOs which grant modify permissions on the GPO itself to non-default users.
- Startup and shutdown scripts
  - arguments and the scripts themselves often include creds.
  - scripts are often stored with permissions that allow you to modify them.
- MSI installers being automatically deployed
  - again, often stored somewhere that will grant you modify permissions.
- Good old fashioned Group Policy Preferences passwords.
- Autologon registry entries containing credentials.
- Other creds being stored in the registry for fun stuff like VNC.
- Scheduled tasks with stored credentials.
  - Also often run stuff from poorly secured file shares.
- User Rights
  - Handy to spot where admins accidentally granted 'Domain Users' RDP access or those fun rights that let you run mimikatz even without full admin privs.
- Tweaks to local file permissions
  - Good for finding those machines where the admins just stamped "Full Control" for "Everyone" on "C:\Program Files".
- File Shares
- INI Files
- Environment Variables
- ... and much more! (well, not very much, but some)

Yes it's pretty rough, but it saves me an enormous amount of time reading through those awful 150MB HTML GPO reports, and if it works for me it might work for you.

Note: While some function names might include the word audit, Grouper is explicitly NOT meant to be an exhaustive audit for best practice configurations etc. If you want that, you should be using Microsoft SCT and LGPO.exe or something.

Usage

1. Generate a GPO Report on a Windows machine with the Group Policy cmdlets installed. These are installed on Domain Controllers by default, can be installed on Windows clients using RSAT, or can be enabled through the "Add Feature" wizard on Windows servers.

       Get-GPOReport -All -ReportType xml -Path C:\temp\gporeport.xml

2. Import the Grouper module.

       Import-Module grouper.ps1

3. Run Grouper.

       Invoke-AuditGPOReport -Path C:\temp\gporeport.xml

Parameters

There are also a couple of parameters you can mess with that alter which policy settings Grouper will show you:

-showDisabled
By default, Grouper will only show you GPOs that are currently enabled and linked to an OU in AD. This toggles that behaviour.

-Level
Grouper has 3 levels of filtering you can apply to its output:
1. Show me all the settings you can.
2. (Default) Show me only settings that seem 'interesting' but may or may not be vulnerable.
3. Show me only settings that are definitely a super bad idea and will probably have creds in them or are going to otherwise grant me admin on a host.
Usage is straightforward: -Level 3, -Level 2, etc.

Frequently Asked Questions

I'm on a gig and can't find a domain-joined machine that I have access to with the Group Policy cmdlets installed and I don't want to install them because that's noisy and messy!

Get-GPOReport works just fine on non-domain-joined machines via runas /netonly. You'll need some low-priv creds but that's to be expected. Do like this:

    runas /netonly /user:domain\user powershell.exe

on a non-domain-joined machine that can communicate with a domain controller. Then in the resulting PowerShell session do like this:

    Get-GpoReport -Domain example.com -All -ReportType xml -Path C:\temp\gporeport.xml

Easy.

I don't trust you so I don't want to run your skeevy looking script on a domain-joined machine, but I want to try Grouper.

All Grouper needs to work is PowerShell 2.0 and the xml file output from Get-GPOReport. You can run it on a VM with no network card if you're worried and it'll still work fine. That said, it's pretty basic code so it shouldn't be hard to see that it's not doing anything remotely sketchy.

I think it's dumb that you are relying on the MS Group Policy cmdlets/RSAT for Grouper. You should just write it to directly query the domain or parse the policy files straight out of SYSVOL.

Short answer: Yep.

Long answer: Yep, doing one of those things would be better, but there are a couple of things that prevented me from doing them YET. Ideally I'd like to parse the policy files straight off SYSVOL, but they are stored in a bunch of different file formats, some are proprietary, they're a real pain to read, and I have neither the time nor the inclination to write a bunch of parsers for them from scratch when Microsoft already provides cmdlets that do the job very nicely. In the not-too-distant future I'd like to bake Microsoft's Get-GPOReport into Grouper, so you wouldn't need RSAT at all, but I need to figure out if that's going to be some kind of copyright violation. I also need to figure out how to actually do that thing I just said.

Questions that I am anticipating

Grouper is showing me all these settings that aren't vulnerable. WTF BRO FALSE POSITIVE MUCH?

Grouper is not a vulnerability scanner. Grouper merely filters the enormous amount of fluff and noise in Group Policy reports to show you only the policy settings that COULD be configured in exploitable ways. To the extent possible I am working through each of the categories of checks to add in some extra filtering to remove obviously non-vulnerable configurations and reduce the noise levels even further, but Group Policy is extremely flexible and it's pretty difficult to anticipate every possible mistake an admin might make.

Grouper didn't show me a thing that I know is totally vulnerable in Group Policy. WTF BRO FALSE NEGATIVE MUCH?

Cool, you just found a way to make Grouper better! Scroll down and you'll see where I've provided a little guide to adding new checks to Grouper.

I don't have a lab environment and I don't have a GPO report file handy! I'm also very impatient!

I got your back, kid. There's a test_report.xml in the repo that you can try it out with. It's got a bunch of bad settings in it so you can see what that looks like. You'll need to run it with the -showDisabled flag because it's so full of really awful configurations I didn't even want to enable the GPO in a lab environment.

But wait, how do I figure out which users/computers these policies apply to? Your thing is useless!

Short Answer: PowerView will do a decent job of this.
Longer Answer: I'll be trying to add this functionality at some point but in the meantime, shut up and use PowerView.

I hate one of the checks Grouper does and I never want to see it again.

Cool, easily fixed. Pop open grouper.ps1, find the "$polchecks" array and just comment out the line where that check gets added to the array. Done.

I want to make Grouper better but I can't make sense of your awful spaghetti-code. Help me help you.

Sure thing, sounds good.

1. Get some GPOReport xml output that includes the type of policy/setting you want Grouper to be able to find. This may require knocking up a suitable policy in a lab environment.
2. Find the xml object that matches your target policy.
3. Find the subsection of the xml that matches the info you want to pull out of the policy. Policy settings are divided into either User or Computer policy, so this will usually be in either GPO.Computer.ExtensionData.Extension or GPO.User.ExtensionData.Extension.
4. Now's the annoying part: the reason this code is such a mess is that each policy setting section is structured differently and they use wildly differing naming conventions, so you're going to need to figure out how your target policy is structured. Good luck?
5. Here's a skeleton of a check function you can use to get started. Make sure it either doesn't return at all or returns $null if nothing interesting is found.

       Function Get-GPOThing {
           [cmdletbinding()]
           Param (
               [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Xml.XmlElement]$polXML,
               [Parameter(Mandatory=$true)][ValidateSet(1,2,3)][int]$level
           )
           ######
           # Description: Checks for Things.
           # Vulnerable: Description of what it shows if Level -eq 3
           # Interesting: Description of what it shows if Level -eq 2
           # Boring: All Things.
           ######
           # Pull the settings of interest out of the policy XML (section names differ per setting type)
           $settingsThings = ($polXml.Thing.ExtensionData.Extension.Thing | Sort-Object GPOSettingOrder)
           if ($settingsThings) {
               foreach ($setting in $settingsThings) {
                   # Level 1 shows everything; add Level 2/3 filtering here for your check
                   if ($level -eq 1) {
                       $output = @{}
                       $output.Add("Name", $setting.Name)
                       if ($setting.SettingBoolean) {
                           $output.Add("SettingBoolean", $setting.SettingBoolean)
                       }
                       if ($setting.SettingNumber) {
                           $output.Add("SettingNumber", $setting.SettingNumber)
                       }
                       $output.Add("Type", $setting.Type.InnerText)
                       Write-Output $output ""
                   }
               }
           }
       }

6. Ctrl-f your way down to "$polchecks" and add it to the array of checks with the others.
7. Test it out.
8. If it works, submit a pull request! If you get stuck, hit me up. I'll try to help if I can scrounge a few minutes together.
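One way to structure such a check, as an added Python example that is not Grouper's own code: it applies the three -Level tiers to the "User Rights" category from the list above (a broad group such as 'Domain Users' holding RDP logon or a mimikatz-enabling privilege is the Level 3 case). The XML fragment is constructed and only loosely follows the GPO.Computer.ExtensionData.Extension layout named on the page; the real Get-GPOReport schema is namespaced and differs, so the element names, the right-to-risk table and the list of "broad" principals are all assumptions.

```python
"""Grouper-style user-rights check at the three -Level settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report: one GPO with three user-rights assignments.
# Not real Get-GPOReport output (that is namespaced and richer).
SAMPLE_REPORT = """<GPO>
  <Name>Workstation Baseline</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension>
        <UserRightsAssignment>
          <Name>SeRemoteInteractiveLogonRight</Name>
          <Member><Name>BUILTIN\\Remote Desktop Users</Name></Member>
          <Member><Name>CORP\\Domain Users</Name></Member>
        </UserRightsAssignment>
        <UserRightsAssignment>
          <Name>SeDebugPrivilege</Name>
          <Member><Name>CORP\\Helpdesk</Name></Member>
        </UserRightsAssignment>
        <UserRightsAssignment>
          <Name>SeShutdownPrivilege</Name>
          <Member><Name>BUILTIN\\Administrators</Name></Member>
        </UserRightsAssignment>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>"""

# Rights worth a second look (the "interesting" tier), with a reminder of why.
SENSITIVE_RIGHTS = {
    "SeRemoteInteractiveLogonRight": "RDP logon",
    "SeDebugPrivilege": "attach to any process, including LSASS",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
}
# Principals that effectively mean "every domain account" (assumed list).
BROAD_PRINCIPALS = {"domain users", "everyone", "authenticated users", "users"}


def is_broad(principal):
    """True when the member is a catch-all group rather than a scoped one."""
    return principal.split("\\")[-1].strip().lower() in BROAD_PRINCIPALS


def get_gpo_user_rights(report_xml, level):
    """Return user-rights findings filtered like Grouper's -Level:
    1 = every assignment, 2 = sensitive rights only,
    3 = sensitive rights granted to a broad principal (definitely a bad idea)."""
    if level not in (1, 2, 3):
        raise ValueError("level must be 1, 2 or 3")
    gpo = ET.fromstring(report_xml)
    findings = []
    for section in ("Computer", "User"):
        path = f"./{section}/ExtensionData/Extension/UserRightsAssignment"
        for ura in gpo.findall(path):
            right = ura.findtext("Name")
            members = [m.text for m in ura.findall("Member/Name")]
            interesting = right in SENSITIVE_RIGHTS
            vulnerable = interesting and any(is_broad(m) for m in members)
            if level == 1 or (level == 2 and interesting) or (level == 3 and vulnerable):
                verdict = "vulnerable" if vulnerable else "interesting" if interesting else "boring"
                findings.append({
                    "GPO": gpo.findtext("Name"),
                    "Section": section,
                    "Right": right,
                    "Members": members,
                    "Why": SENSITIVE_RIGHTS.get(right, "routine right"),
                    "Verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        rights = [f["Right"] for f in get_gpo_user_rights(SAMPLE_REPORT, lvl)]
        print(f"-Level {lvl}: {rights}")
```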

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ni4ZEIF3aq0/grouper-powershell-script-for-helping.html

LaZagneForensic – Decrypt Windows Credentials From Another Host

LaZagne uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API must be called in the victim user's session, otherwise it does not work. If the computer has not been started (when the analysis is performed on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.

LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.

Note: The main problem is that to decrypt these passwords, the user's Windows password is needed.

Installation

    pip install -r requirements.txt

Usage

First way – Dump configuration files from the remote host

Using the powershell script:

    PS C:\Users\test\Desktop> Import-Module .\dump.ps1
    PS C:\Users\test\Desktop> Dump
    Folder dump created successfully !

Using the python script:

    python dump.py

Launch Lazagne with the password if you have it:

    python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'

Launch Lazagne without the password:

    python laZagneForensic.py all -remote /tmp/dump

Second way – Mount a disk on your filesystem

The disk should be mounted on your filesystem:

    test:~$ ls /tmp/disk/
    total 769M
    drwxr-xr-x 2 root root    0 févr.  1 14:05 ProgramData
    -rwxr-xr-x 1 root root 256M févr.  1 14:05 swapfile.sys
    -rwxr-xr-x 1 root root 512M févr.  1 14:05 pagefile.sys
    drwxr-xr-x 2 root root    0 janv. 31 00:35 System Volume Information
    dr-xr-xr-x 2 root root    0 janv. 26 10:17 Program Files (x86)
    dr-xr-xr-x 2 root root    0 janv. 25 18:13 Program Files
    drwxr-xr-x 2 root root    0 janv. 19 10:09 Windows
    drwxr-xr-x 2 root root    0 janv. 16 15:52 Homeware
    drwxr-xr-x 2 root root    0 janv.  9 17:33 PerfLogs
    drwxr-xr-x 2 root root    0 nov.  22 20:37 Recovery
    drwxr-xr-x 2 root root 4,0K nov.  22 20:31 Documents and Settings
    dr-xr-xr-x 2 root root    0 nov.  22 20:31 Users

Launch Lazagne with the password if you have it:

    python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'

Launch Lazagne without the password:

    python laZagneForensic.py all -local /tmp/disk

Note: Use -v for verbose mode and -vv for debug mode.

Supported software

Note: Check the following image to understand which passwords you could decrypt without needing the user's Windows password. All credentials found will be tested as the Windows password in case the user re-uses the same password.

Recommended articles related to DPAPI

- Happy DPAPI!
- ReVaulting! Decryption and opportunities
- Windows ReVaulting
- DPAPI exploitation during pentest and password cracking

Link: http://feedproxy.google.com/~r/PentestTools/~3/6vBLKvm1ks0/lazagneforensic-decrypt-windows.html

Pupy – Opensource, Cross-Platform (Windows, Linux, OSX, Android) Remote Administration And Post-Exploitation Tool

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in python. It follows an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), and load remote python code, python packages and python C-extensions from memory. Pupy modules can transparently access remote python objects using rpyc to perform various interactive tasks.

Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, powershell, apk, ... When you package a payload, you can choose a launcher (connect, bind, ...), a transport (ssl, http, rsa, obfs3, scramblesuit, ...) and a number of "scriptlets". Scriptlets are python scripts meant to be embedded to perform various tasks offline (without requiring a session), like starting a background script, adding persistence, starting a keylogger, detecting a sandbox, ...

Installation

    git clone https://github.com/n1nj4sec/pupy.git pupy
    cd pupy
    git submodule init
    git submodule update
    pip install -r pupy/requirements.txt
    wget https://github.com/n1nj4sec/pupy/releases/download/latest/payload_templates.txz
    tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates

or refer to the wiki.

Features

- Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
- On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
- pupy can also be packed into a single .py file and run without any dependencies other than the python standard library on all OS
  - pycrypto gets replaced by pure python aes && rsa implementations when unavailable
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
- Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
- A lot of awesome modules are already implemented!
- Pupy uses rpyc and a module can directly access python objects on the remote client
  - We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
- Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports!
- Pupy can communicate using obfsproxy pluggable transports
- All the non-interactive modules can be dispatched to multiple hosts in one command
- Commands and scripts running on remote hosts are interruptible
- Auto-completion for commands and arguments
- Custom config can be defined: command aliases, modules automatically run at connection, ...
- Interactive python shells with auto-completion on the all-in-memory remote python interpreter can be opened
- Interactive shells (cmd.exe, /bin/bash, ...) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine just like a ssh shell
- Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
- Pupy can generate payloads in various formats: apk, lin_x86, lin_x64, so_x86, so_x64, exe_x86, exe_x64, dll_x86, dll_x64, py, pyinst, py_oneliner, ps1, ps1_oneliner, rubber_ducky
- Pupy can be deployed in memory, from a single command line using pupygen.py's python or powershell one-liners.
- "scriptlets" can be embedded in generated payloads to perform some tasks "offline" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm ...)
- tons of other features, check out the implemented modules

Implemented Transports

All transports in pupy are stackable. This means that by creating a custom transport conf (pupy/network/transport//conf.py), you can make your pupy session look like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)

- rsa: A layer with authentication & encryption using RSA and AES256, often stacked with other layers
- aes: layer using a static AES256 key
- ssl: (the default one) TCP transport wrapped with SSL
- ssl_rsa: same as ssl but stacked with a rsa layer
- http: layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
- obfs3: A protocol to keep a third party from telling what protocol is in use based on message contents. obfs3 is stacked with a rsa layer for better security
- scramblesuit: A Polymorphic Network Protocol to Circumvent Censorship. scramblesuit is stacked with a rsa layer for better security
- udp: rsa layer but over UDP (could be buggy, it doesn't handle packet loss yet)
- other: Other layers don't really have any interest and are given as code examples (dummy, base64, XOR, ...)

Implemented Launchers (not up to date, cf. ./pupygen.py -h)

Launchers allow pupy to run custom actions before starting the reverse connection.

- connect: Just connect back
- bind: Bind payload instead of reverse
- auto_proxy: Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable

Implemented Modules (not up to date)

All platforms:
- command execution
- download
- upload
- interactive python shell with auto-completion
- interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, ...); tty allocation is well supported on both windows and *nix. Just looks like a ssh shell
- shellcode exec
- persistence
- socks5 proxy
- local and remote port forwarding
- screenshot
- keylogger
- run the awesome credential gathering tool LaZagne from memory!
- sniff tools, netcreds
- process migration (windows & linux, not osx yet)
- ... a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, ...)

Windows specific:
- migrate; inter-process architecture injection also works (x86->x64 and x64->x86)
- in-memory execution of PE exe, both x86 and x64! works very well with mimikatz :-)
- webcam snapshot
- microphone recorder
- mouselogger: takes small screenshots around the mouse at each click and sends them back to the server
- token manipulation
- getsystem
- creddump
- tons of useful powershell scripts
- ...

Android specific:
- Text to speech for Android to say stuff out loud
- webcam snapshots (front cam & back cam)
- GPS tracker!

Documentation

Refer to the wiki.

Link: http://feedproxy.google.com/~r/PentestTools/~3/uZ9sEHcooFA/pupy-opensource-cross-platform-windows.html

FakeImageExploiter – Use a Fake image.jpg (hide known file extensions) to exploit targets

This module takes one existing image.jpg and one payload.ps1 (input by user) and builds a new payload (agent.jpg.exe) that, if executed, will trigger the download of the 2 previous files stored in apache2 (image.jpg + payload.ps1) and execute them.

This module also changes the agent.exe icon to match one file.jpg, then uses the spoof 'Hide extensions for known file types' method to hide the agent.exe extension.

All payloads (user input) will be downloaded from our apache2 webserver and executed in target RAM. The only extension (payload input by user) that requires writing the payload to disk is .exe binaries.

Exploitation:

FakeImageExploiter stores all files in the apache2 webroot, zips (.zip) the agent, starts the apache2 and metasploit services (handler), and provides a URL to send to the target (triggers agent.zip download). As soon as the victim runs our executable, our picture will be downloaded and opened in the default picture viewer, our malicious payload will be executed, and we will get a meterpreter session.

But it also stores the agent (not zipped) in the FakeImageExploiter/output folder if we wish to deliver agent.jpg.exe using another different attack vector.
'This tool also builds a cleaner.rc file to delete payloads left in target'

Payloads accepted (user input):
payload.ps1 (default) | payload.bat | payload.txt | payload.exe [Metasploit]
"Edit 'settings' file before running tool to use other extensions"

Pictures accepted (user input):
All pictures with .jpg (default) | .jpeg | .png extensions (all sizes)
"Edit 'settings' file before running tool to use other extensions"

Dependencies/Limitations:
xterm, zenity, apache2, mingw32[64], ResourceHacker(wine)
'Auto-Installs ResourceHacker.exe under ../.wine/Program Files/.. directories'

WARNING: To change icon manually (resource hacker bypass) edit 'settings' file.
WARNING: Only under windows systems the 2nd extension will be hidden (so zip it)
WARNING: The agent.jpg.exe requires the inputted files to be in apache2 (local lan hack)
WARNING: The agent.jpg.exe uses the powershell interpreter (does not work against wine).
WARNING: This tool will not accept payload (user input) arguments (eg nc.exe -lvp 127.0.0.1 555)
WARNING: The ResourceHacker provided by this tool requires WINE to be set to windows 7

Other scenarios:

If you wish to use your own binary (user input – not metasploit payloads) then:
1. Edit 'settings' file before running tool and select 'NON_MSF_PAYLOADS=YES'
2. Select the binary extension to use 'Remember to save settings file before continue' ...
3. Run FakeImageExploiter to metamorphose your binary (auto-stores all files in apache) ..
4. Open new terminal and execute your binary handler to receive connection.
HINT: This function will NOT build a cleaner.rc

Download/Install/Config:

1. Download framework from github

       git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git

2. Set files execution permissions

       cd FakeImageExploiter
       sudo chmod +x *.sh

3. Config FakeImageExploiter settings

       nano settings

4. Run main tool

       sudo ./FakeImageExploiter.sh

Screenshots (not included in this copy): Settings file; Agent(s) in windows systems

Video tutorials:
- FakeImageExploiter [ Official release – Main functions ]
- FakeImageExploiter [ the noob friendly function ]
- FakeImageExploiter [ bat payload – worddoc.docx agent ]
- FakeImageExploiter [ txt payload – msfdb rebuild ]

Link: http://feedproxy.google.com/~r/PentestTools/~3/76OTZLGC-kM/fakeimageexploiter-use-fake-imagejpg.html

Ketshash – A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs

A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attacks, based on event viewer logs. The tool was published as part of the "Pass-The-Hash detection" research – more details on "Pass-The-Hash detection" are in the blog post: https://www.cyberark.com/threat-research-blog/detecting-pass-the-hash-with-windows-event-viewer

Requirements

- Account with the following privileges:
  - Access to remote machines' security event logs
  - ActiveDirectory read permissions (standard domain account)
- Computers synchronized with the same time, otherwise it can affect the results
- Minimum PowerShell 2.0

Overview

Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:
- Security event logs on the monitored machines (Login events)
- Authentication events from Active Directory

Usage

There are two options:

Basic Usage

Open PowerShell and run:

    Import-Module .\Ketshash.ps1

or copy & paste the Ketshash.ps1 content into the PowerShell session, then run:

    Invoke-DetectPTH

Ketshash Runner

- Make sure Ketshash.ps1 is in the same directory as KetshashRunner.exe
- Double click on KetshashRunner.exe, change settings if you need and press Run

Invoke-DetectPTH parameters:

- TargetComputers – Array of target computers to detect for NTLM connections.
- TargetComputersFile – Path to file with list of target computers to detect for NTLM connections.
- StartTime – Time when the detection starts. The default is the current time.
- UseKerberosCheck – Checks for TGT\TGS logons on the DCs in the organization. The default is to search for a legitimate logon on the source machine. Either way, with or without this switch there is still a query for event ID 4648 on the source machine.
- UseNewCredentialsCheck – Checks for logon events with logon type 9 (like Mimikatz). This is optional, the default algorithm already covers it. It exists just to show another option to detect suspicious NTLM connections. On Windows 10 and Server 2016, "Microsoft-Windows-LSA/Operational" should be enabled in event viewer. On Windows 10 and Server 2016, enabling "kernel object auditing" will provide more accurate information such as writing to LSASS.
- LogFile – Log file path to save the results.
- MaxHoursOfLegitLogonPriorToNTLMEvent – How many hours to look backwards and search for a legitimate logon from the time of the NTLM event. The default is 2 hours backwards.

Example (recommended):

    Invoke-DetectPTH -TargetComputers "MARS-7" -LogFile "C:\tmp\log.txt"

Example:

    Invoke-DetectPTH -TargetComputers "ComputerName" -StartTime ([datetime]"2017-12-14 12:50:00 PM") -LogFile "C:\tmp\log.txt" -UseKerberosCheck -UseNewCredentialsCheck
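The detection logic the parameters above describe, as an added Python example that is not Ketshash's own code (Ketshash itself is PowerShell): a privileged NTLM network logon is reported when the account shows no legitimate logon within MaxHoursOfLegitLogonPriorToNTLMEvent hours before it, where "legitimate" is an interactive-style 4624 on the source machine by default or a TGT request (4768) on a DC with the Kerberos check, and UseNewCredentialsCheck additionally flags logon type 9. The event records, their field names and the sample timeline are constructed for the demo; the 4648 query Ketshash also performs is left out.

```python
"""Ketshash-style detection of suspicious privileged NTLM logons (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonEvent:
    computer: str      # machine whose Security log recorded the event (target, source or DC)
    event_id: int      # 4624 = successful logon, 4768 = Kerberos TGT requested (on a DC)
    time: datetime
    account: str       # DOMAIN\user
    logon_type: int    # 2 interactive, 3 network, 9 NewCredentials, 10 RDP; 0 for 4768
    auth_package: str  # "NTLM" or "Kerberos"
    source_host: str   # workstation the logon came from
    elevated: bool     # "Elevated Token: Yes" in the 4624 event


# Logon types that show the password itself was used on that host.
LEGIT_LOGON_TYPES = {2, 10, 11}


def is_privileged_ntlm(ev):
    """A network NTLM logon that received an elevated token."""
    return (ev.event_id == 4624 and ev.logon_type == 3
            and ev.auth_package.upper() == "NTLM" and ev.elevated)


def has_legit_logon(events, ntlm_ev, max_hours, use_kerberos_check):
    """Look back max_hours from the NTLM event for evidence the real password was used."""
    window_start = ntlm_ev.time - timedelta(hours=max_hours)
    for ev in events:
        if ev.account != ntlm_ev.account or not (window_start <= ev.time <= ntlm_ev.time):
            continue
        if use_kerberos_check:
            if ev.event_id == 4768:   # a TGT was issued, so a password-derived key was used
                return True
        elif (ev.event_id == 4624 and ev.computer == ntlm_ev.source_host
              and ev.logon_type in LEGIT_LOGON_TYPES):
            return True
    return False


def detect_pth(events, max_hours=2, use_kerberos_check=False, use_new_credentials_check=False):
    """Return (reason, account, source_host, target_computer) tuples, oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if is_privileged_ntlm(ev) and not has_legit_logon(events, ev, max_hours, use_kerberos_check):
            findings.append(("NTLM logon without prior legitimate logon",
                             ev.account, ev.source_host, ev.computer))
        if use_new_credentials_check and ev.event_id == 4624 and ev.logon_type == 9:
            findings.append(("NewCredentials (type 9) logon",
                             ev.account, ev.source_host, ev.computer))
    return findings


def sample_events():
    """Constructed timeline: alice logs on to WS-01 normally and then reaches MARS-7
    over NTLM; admin reaches MARS-7 over NTLM from WS-02 with no real logon there."""
    def t(hh, mm):
        return datetime(2017, 12, 14, hh, mm)
    return [
        LogonEvent("WS-01", 4624, t(12, 0), "CORP\\alice", 2, "Kerberos", "WS-01", True),
        LogonEvent("DC-01", 4768, t(12, 0), "CORP\\alice", 0, "Kerberos", "WS-01", False),
        LogonEvent("MARS-7", 4624, t(12, 30), "CORP\\alice", 3, "NTLM", "WS-01", True),
        LogonEvent("WS-02", 4624, t(12, 55), "CORP\\admin", 9, "NTLM", "WS-02", True),
        LogonEvent("MARS-7", 4624, t(13, 0), "CORP\\admin", 3, "NTLM", "WS-02", True),
    ]


if __name__ == "__main__":
    for finding in detect_pth(sample_events(), use_new_credentials_check=True):
        print(finding)
```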

Link: http://feedproxy.google.com/~r/PentestTools/~3/O4KeqstzOtk/ketshash-little-tool-for-detecting.html

SwishDbgExt – Incident Response & Digital Forensics Debugging Extension

SwishDbgExt is a Microsoft WinDbg debugging extension that expands the set of commands available in WinDbg and also fixes and improves existing commands. The extension was developed by Matt Suiche (@msuiche); feel free to reach out at support@comae.io to ask for features, offer to contribute or report bugs.

SwishDbgExt aims to make life easier for kernel developers, troubleshooters and security experts with a series of debugging, incident response and memory forensics commands. Because it is a WinDbg extension, it can be used on local or remote kernel debugging sessions, on live sessions generated by Microsoft LiveKd, and on Microsoft crash dumps, whether produced by a Blue Screen of Death or by hybrid utilities such as Comae DumpIt.

Installation

Either copy the extension DLL into the corresponding (x86 or x64) WinDbg folder, or load it manually with the !load command as below. Note that the full path to the DLL cannot contain spaces or quotes.

!load X:\FullPath\SwishDbgExt.dll

Example:

kd> !load E:\projects\labs\SwishDbgExt\bin\x64\SwishDbgExt.dll;
SwishDbgExt v0.7.0 (Nov 2 2016) – Incident Response & Digital Forensics Debugging Extension
SwishDbgExt Copyright (C) 2016 Comae Technologies FZE – http://www.comae.io
SwishDbgExt Copyright (C) 2014-2016 Matthieu Suiche (@msuiche)
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

If you wish to update your WinDbg template with a more DML-friendly one, import the windbg_template.reg file shipped with the package.

Commands

!SwishDbgExt.help – Displays information on the available extension commands. With no argument it lists all commands; with a command name as argument it lists that command's parameters.

!ms_callbacks – Display callback functions.

!ms_checkcodecave – Look for used code caves.

!ms_consoles – Display console command history.

!ms_credentials – Display users' credentials (based on gentilkiwi's mimikatz).

!ms_drivers – Display the list of currently loaded drivers. The command can also show in-depth IRP information for a given driver: its driver-specific I/O stack location and the major function codes it handles. In the original article's screenshots this is shown for e1cexpress.sys, whose table includes IRP_MJ_CREATE, the request that opens the target device object and indicates it is present and available for I/O operations.

!ms_dump – Dump a memory space to disk.

!ms_exqueue – Display Ex queued workers. The built-in !exqueue does not work properly on Windows 8, so a working version had to be implemented; like the original command, it displays the worker thread queue.

!ms_fixit – Reset segmentation in WinDbg (fixes the "16.kd>" prompt).

!ms_gdt – Display the Global Descriptor Table. Note that on x64 every selector is flat (0x0000000000000000 to 0xFFFFFFFFFFFFFFFF). The command is useful for checking for suspected hooking of the GDT; on 64-bit Windows, Kernel Patch Protection (PatchGuard) bug checks the system when it detects a modified GDT, so a hook found here on x64 is highly abnormal.

!ms_hivelist – Display the list of registry hives. From there you can look directly into a hive (for example \Registry\Machine\Software) to see its subkeys, values, etc.

!ms_idt – Display the Interrupt Descriptor Table. As with the GDT, on x64 Kernel Patch Protection bug checks the system if the IDT is hooked by a kernel-mode driver that intercepts interrupt dispatch and inserts its own processing, which is why on a clean x64 system every entry is reported as not hooked.

!ms_malscore – Analyze a memory space and return a Malware Score Index (MSI) (based on Frank Boldewin's work).

!ms_mbr – Scan the Master Boot Record (MBR).

!ms_netstat – Display network information (sockets, connections, ...).

!ms_object – Display the list of objects.

!ms_process – Display the list of processes. This is an improved version of !process and !dml_proc. A nice feature is the use of DML (Debugger Markup Language): every underlined item in the output is a link that runs a command. With /vads /scan it scans the VADs (Virtual Address Descriptors) and adds a "Malware Score Index" column, which is useful for detecting shellcode or heap spray; in the original article's screenshot several VADs show an abnormally high score caused by heap spray. Clicking a score runs the scanning algorithm (based on Frank Boldewin's OfficeMalScanner utility) and reports where the shellcode is. The /scan option can also be applied to exported functions to check whether the EAT (Export Address Table) has been patched or a function prologue modified. Similar tests are available for the SSDT (!ms_ssdt).

!ms_readkcb – Read a key control block.

!ms_readknode – Read a key node. The !reg WinDbg command has long been a frustration because of bugs, which is why SwishDbgExt has its own registry explorer functions, to make access to registry data as simple as possible.

!ms_readkvalue – Read a key value.

!ms_scanndishook – Scan for and display suspicious NDIS hooks.

!ms_services – Display the list of services.

!ms_ssdt – Display the System Service Dispatch Table (SSDT) functions. This is extremely helpful when investigating suspected rootkit hooks of the system call table: if a low-level routine such as nt!NtEnumerateKey is shown as hooked, that is strong evidence of a kernel-mode rootkit. (SSDT hooking redirects dispatch-table entries; it is a different technique from Direct Kernel Object Manipulation, DKOM, which hides objects by editing kernel data structures such as the process list.)

!ms_store – Display information related to the Store Manager (ReadyBoost). The command lists the current ReadyBoost cache used by the operating system and also displays the logs of the memory pages managed by the store manager. Parameter: /cache

!ms_timers – Display the list of KTIMER objects. KTIMER is an opaque structure that represents a timer object; the command helps figure out which drivers created which timer objects and which routines they call.

!ms_vacbs – Display the list of cached VACBs.

!ms_verbose – Turn verbose mode on/off.

!ms_lxss – Display the state of the Windows Subsystem for Linux (instances, sessions, process groups, thread groups and processes). This is based on the research published by Alex Ionescu, available at https://github.com/ionescu007/lxss/

WSL is available on Windows 10 and later as an optional feature, installable with the following PowerShell command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

You can read more about the Windows Subsystem for Linux at the following links:
https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
https://channel9.msdn.com/Blogs/Seth-Juarez/Windows-Subsystem-for-Linux-Architectural-Overview
https://msdn.microsoft.com/en-us/commandline/wsl/install_guide
Example output:

Instance 0xFFFFE704EEB8F010
  GUID: {E29032FD-35D3-4C53-AB68-6BCEBDA7176F}
  State: (1) [STARTED]
  Creation Flags: 00000001
  GlobalData: 0xFFFFF802ED4138A0
  Root Handle: 80000834
  Temp Handle: 80000838
  Job Handle: 8000083c
  Token: 80000818
  Event Handle: 800008bc
  Map Paths (0): 0xFFFFE704EF437920
  VFS Context: 0xFFFFE704EEFC4710
  Memory Flags: 0x2
  Last PID: 35
  Thread Groups: 3
Session 0xFFFFE704EDB79EC0
  Instance: 0xFFFFE704EEB8F010
  Console inode: 0x0
  Foreground PID: -1
Process Group 0xFFFFE704EDB79AE0
  Instance: 0xFFFFE704EEB8F010
  Session: 0xFFFFE704EDB79EC0
Thread Group 0xFFFFE704EF4F8000
  Binary Path: /init
  Thread(s): 1
  Owner Process Group: 0xFFFFE704EDB79AE0
  Flags: 0x00000000
  Main Thread: 0xFFFFE704EF5CC010
  Arguments (006 bytes): 0x00007FFFC081D6E0
Process 0xFFFFE704EF2F1D70
  Instance: 0xFFFFE704EEB8F010
  NT Process Object: 0xFFFFAE05E84EF800
  NT Process Handle: 0xFFFFFFFF80000F58
  VDSO Address: 0x00007FFFC0849000
  Stack Address: 0x00007FFFC001E000
Session 0xFFFFE704EF5DB830
  Instance: 0xFFFFE704EEB8F010
  Console inode: 0xFFFFE704EF32D7A0
  Foreground PID: 2
Process Group 0xFFFFE704EF5EF970
  Instance: 0xFFFFE704EEB8F010
  Session: 0xFFFFE704EF5DB830
Thread Group 0xFFFFE704EF5EE000
  Binary Path: /bin/bash
  Thread(s): 1
  Owner Process Group: 0xFFFFE704EF5EF970
  Flags: 0x0000000C
  Main Thread: 0xFFFFE704EF5F8010
  Arguments (010 bytes): 0x00007FFFDF34E418
Process 0xFFFFE704EDEF6EC0
  Instance: 0xFFFFE704EEB8F010
  NT Process Object: 0xFFFFAE05E84E6800
  NT Process Handle: 0xFFFFFFFF80000D9C
  VDSO Address: 0x00007FFFDF883000
  Stack Address: 0x00007FFFDEB4F000
Session 0xFFFFE704EF0A8ED0
  Instance: 0xFFFFE704EEB8F010
  Console inode: 0xFFFFE704EF06B9C0
  Foreground PID: 19
Process Group 0xFFFFE704F059CBC0
  Instance: 0xFFFFE704EEB8F010
  Session: 0xFFFFE704EF0A8ED0
Thread Group 0xFFFFE704EDE51000
  Binary Path: /bin/bash
  Thread(s): 1
  Owner Process Group: 0xFFFFE704F059CBC0
  Flags: 0x0000000C
  Main Thread: 0xFFFFE704EDC78090
  Arguments (010 bytes): 0x00007FFFF78CFB78
Process 0xFFFFE704F06389B0
  Instance: 0xFFFFE704EEB8F010
  NT Process Object: 0xFFFFAE05E618D800
  NT Process Handle: 0xFFFFFFFF80001650
  VDSO Address: 0x00007FFFF7C99000
  Stack Address: 0x00007FFFF70D0000

Classes

PEFile
MsPEImageFile contains the basic common information used by Windows binaries (PE) and has been derived into three classes:
MsProcessObject
MsDllObject
MsDriverObject

Download SwishDbgExt
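A parser for the !ms_lxss output above, added here as an example (it is not part of SwishDbgExt): it reads the records into dictionaries, links each thread group back to its session through the owner process group, attaches the NT process records that follow each thread group, and flags any WSL binary outside an allowlist, which is the triage question an analyst asks of this output. The sample text is a trimmed copy of the article's output with one field per line; the record layout the parser expects (a "Kind 0xADDR" header line followed by "Key: value" lines) is an assumption of this example.

```python
import re
from collections import defaultdict

# Trimmed copy of the article's !ms_lxss output (addresses taken from the
# article), one field per line. The layout is this example's assumption.
SAMPLE_LXSS = """\
Instance 0xFFFFE704EEB8F010
  GUID: {E29032FD-35D3-4C53-AB68-6BCEBDA7176F}
  State: (1) [STARTED]
  Last PID: 35
Session 0xFFFFE704EDB79EC0
  Instance: 0xFFFFE704EEB8F010
  Console inode: 0x0
  Foreground PID: -1
Process Group 0xFFFFE704EDB79AE0
  Instance: 0xFFFFE704EEB8F010
  Session: 0xFFFFE704EDB79EC0
Thread Group 0xFFFFE704EF4F8000
  Binary Path: /init
  Thread(s): 1
  Owner Process Group: 0xFFFFE704EDB79AE0
  Main Thread: 0xFFFFE704EF5CC010
Process 0xFFFFE704EF2F1D70
  NT Process Object: 0xFFFFAE05E84EF800
  NT Process Handle: 0xFFFFFFFF80000F58
Session 0xFFFFE704EF5DB830
  Instance: 0xFFFFE704EEB8F010
  Console inode: 0xFFFFE704EF32D7A0
  Foreground PID: 2
Process Group 0xFFFFE704EF5EF970
  Instance: 0xFFFFE704EEB8F010
  Session: 0xFFFFE704EF5DB830
Thread Group 0xFFFFE704EF5EE000
  Binary Path: /bin/bash
  Thread(s): 1
  Owner Process Group: 0xFFFFE704EF5EF970
  Main Thread: 0xFFFFE704EF5F8010
Process 0xFFFFE704EDEF6EC0
  NT Process Object: 0xFFFFAE05E84E6800
  NT Process Handle: 0xFFFFFFFF80000D9C
"""

# A header names the record kind and its kernel address; "Process Group" must
# be tried before "Process" so the alternation does not stop early.
HEADER_RE = re.compile(r"^(Instance|Session|Process Group|Thread Group|Process) (0x[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_lxss(text):
    """Return {kind: {address: {field: value}}}. Each Process record is tagged
    with the Thread Group that precedes it in the output."""
    records = defaultdict(dict)
    current, last_thread_group = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            kind, addr = header.groups()
            current = records[kind].setdefault(addr, {})
            if kind == "Thread Group":
                last_thread_group = addr
            elif kind == "Process":
                current["_thread_group"] = last_thread_group
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return records


def process_tree(records):
    """One row per thread group: binary, owning session, foreground PID of that
    session and the NT process handles backing it."""
    procs_by_tg = defaultdict(list)
    for addr, fields in records["Process"].items():
        procs_by_tg[fields.get("_thread_group")].append(fields.get("NT Process Handle"))
    rows = []
    for tg_addr, tg in records["Thread Group"].items():
        pg = records["Process Group"].get(tg.get("Owner Process Group"), {})
        sess_addr = pg.get("Session")
        sess = records["Session"].get(sess_addr, {})
        rows.append({"thread_group": tg_addr, "binary": tg.get("Binary Path"),
                     "session": sess_addr, "foreground_pid": int(sess.get("Foreground PID", "0")),
                     "nt_handles": procs_by_tg[tg_addr]})
    return rows


def unexpected_binaries(rows, allowlist):
    """Thread groups whose binary is not one the analyst expects to see."""
    return [r for r in rows if r["binary"] not in allowlist]


if __name__ == "__main__":
    tree = process_tree(parse_lxss(SAMPLE_LXSS))
    for row in tree:
        print(row)
    print("unexpected:", unexpected_binaries(tree, {"/init"}))
```

The NT Process Handle column is the pivot back into the rest of the debugger: it identifies the Windows process that hosts the Linux thread group, so a suspicious binary here can be followed up with !ms_process on the NT side.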

Link: http://feedproxy.google.com/~r/PentestTools/~3/TYBt9kWLzJ0/swishdbgext-incident-response-digital.html