Tunna – Set Of Tools Which Will Wrap And Tunnel Any TCP Communication Over HTTP

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.

SUMMARY
TLDR: Tunnels TCP connections over HTTP.

In a fully firewalled environment (inbound and outbound connections restricted, except the webserver port):
* The webshell can be used to connect to any service on the remote host. This is a local connection to a local port on the remote host and should be allowed by the firewall.
* The webshell reads data from the service port, wraps it in HTTP and sends it as an HTTP response to the local proxy.
* The local proxy unwraps the data and writes it to its local port, where the client program is connected.
* When the local proxy receives data on the local port, it sends it to the webshell as an HTTP POST.
* The webshell reads the data from the HTTP POST and writes it to the service port.
* ... and repeat.

Only the webserver port needs to be open (typically 80/443). The whole external communication is done over the HTTP protocol.

USAGE
python proxy.py -u <url> -l <localport> [options]

Options:
--help, -h show this help message and exit
--url=URL, -u URL url of the remote webshell
--lport=LOCAL_PORT, -l LOCAL_PORT local listening port
--verbose, -v Verbose (outputs packet size)
--buffer=BUFFERSIZE, -b BUFFERSIZE HTTP request size (some webshells have limitations on the size)

No SOCKS Options (ignored if the SOCKS proxy is used):
--no-socks, -n Do not use SOCKS proxy
--rport=REMOTE_PORT, -r REMOTE_PORT remote port of the service for the webshell to connect to
--addr=REMOTE_IP, -a REMOTE_IP address for the remote webshell to connect to (default = 127.0.0.1)

Upstream Proxy Options (tunnel the connection through a local proxy):
--up-proxy=UPPROXY, -x UPPROXY Upstream proxy (http://proxyserver.com:3128)
--auth, -A Upstream proxy requires authentication

Advanced Options:
--ping-interval=PING_DELAY, -q PING_DELAY webshprx pinging thread interval (default = 0.5)
--start-ping, -s Start the pinging thread first; some services send data first (eg. SSH)
--cookie, -C Request cookies
--authentication, -t Basic authentication

See limitations.

Example usage:

python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -v
# This will start a local SOCKS proxy server at port 8000
# This connection will be wrapped over HTTP and unwrapped at the remote server

python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -x https://192.168.1.100:3128 -A -v
# This will start a local SOCKS proxy server at port 8000
# It will connect through a local proxy (https://192.168.1.100:3128) that requires authentication
# to the remote Tunna webshell

python proxy.py -u http://10.3.3.1/conn.aspx -l 4444 -r 3389 -b 8192 -v --no-socks
# This will initiate a connection between the webshell and the remote host's RDP (3389) service
# The RDP client can connect on localhost port 4444
# This connection will be wrapped over HTTP

Prerequisites
The ability to upload a webshell on the remote server.

LIMITATIONS / KNOWN BUGS / HACKS
This is POC code and might cause a DoS of the server. All efforts to clean up after execution or on error have been made (no promises).
Based on local tests:
* JSP buffer needs to be limited (buffer option): 4096 worked on Linux Apache Tomcat, 1024 worked on XAMPP Apache Tomcat (slow). More than that created problems with bytes missing at the remote socket, eg: ruby proxy.rb -u http://10.3.3.1/conn.jsp -l 4444 -r 3389 -b 1024 -v
* Sockets are not enabled by default in PHP on Windows (IIS + PHP)
* Carriage returns in webshells (outside the code) get sent in responses / get written to the local socket and corrupt the packets
* PHP webshell for Windows: the loop function DoS'es the remote socket; a sleep function was added, which works but is a bit slow
* PHP webshell needs newline characters removed at the end of the file (after "?>") as these will get sent in every response and confuse Tunna

FILES
Webshells:
 conn.jsp Tested on Apache Tomcat (Windows + Linux)
 conn.aspx Tested on IIS 6 + 8 (Windows Server 2003/2012)
 conn.php Tested on LAMP + XAMPP + IIS (Windows + Linux)
WebServer:
 webserver.py Tested with Python 2.6.5
Proxies:
 proxy.py Tested with Python 2.6.5

Technical Details

Architecture decisions
* Data is sent raw in the HTTP POST body (no POST variable)
* Instructions / configuration are sent to the webshell as URL parameters (HTTP GET)
* Data is sent in the HTTP body (HTTP POST)
* WebSockets are not used: not supported by default by most webservers
* Asynchronous HTTP responses are not really possible: the proxy queries the server constantly (default 0.5 seconds)

INITIATION PHASE
1st packet initiates a session with the webshell and gets a cookie back, eg: http://webserver/conn.ext?proxy
2nd packet sends the connection configuration options (IP and port for the webshell to connect to) to the webshell, eg: http://webserver/conn.ext?proxy&port=4444&ip=127.0.0.1
This is a threaded request: in PHP this request goes into an infinite loop to keep the webshell socket connection alive; in the other webshells [OK] is received back.

TUNNA CLIENT
A local socket is created where the client program connects. Once the client is connected the pinging thread is initiated and execution starts. Any data on the socket (from the client) is read and sent as an HTTP POST request. Any data on the webshell socket is sent back as the response to the POST request.

PINGING THREAD
Because HTTP responses cannot be asynchronous, this thread does HTTP GET requests to the webshell on an interval (default 0.5 sec). If the webshell has data to send, it will (also) send it as the reply to this request; otherwise it sends an empty response.
In general: data from the local proxy is sent with HTTP POST; there are GET requests every 0.5 sec to query the webshell for data; if there is data on the webshell side it is sent over as the response to one of these requests.

WEBSHELL
The webshell connects to a socket on the local or a remote host. Any data written on the socket is sent back to the proxy as the reply to a request (POST/GET). Any data received with a POST is written to the socket.

NOTES
All requests need to have the URL parameter "proxy" set to be handled by the webshell (http://webserver/conn.ext?proxy).

AT EXIT / AT ERROR
Kills all threads and closes the local socket. Sends proxy&close to the webshell, which kills the remote threads and closes the socket.

SOCKS
The SOCKS support is an add-on module for Tunna. Locally it is a separate thread that handles the connection requests and traffic, adds a header that specifies the port and the size of the packet and forwards it to Tunna. Tunna sends it over to the remote webserver, removes the HTTP headers and forwards the packet to the remote SOCKS proxy. The remote SOCKS proxy initiates the connection and maps the received port to the local port. If the remote SOCKS proxy receives data from the service, it looks at the mapping table, finds the port it needs to respond to and adds the port as a header so the local SOCKS proxy knows where to forward the data. Any traffic from the received port is forwarded to the local port and vice versa.

Download Tunna
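The polling design described above leaves a recognisable footprint in the web server's access log: one client hitting one webshell URL with the "proxy" query parameter, GETs arriving at roughly the ping interval (two per second at the default 0.5 s) interleaved with POSTs carrying the raw payload, preceded by a configuration request carrying port= and ip= parameters. The following is an added example, not part of Tunna, that scores an access log for that pattern. The log lines are constructed (Apache combined format; the Python-urllib User-Agent is an assumption, as the page does not document what header Tunna sends) and the thresholds are assumptions to tune per environment. Apache logs timestamps with one-second resolution, so the rate is derived from the span between the first and last request of a group rather than from per-request deltas.

```python
"""Flag Tunna-style HTTP tunnelling in access logs (added example, not Tunna code)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": target.path,
        "query": target.query,
    }


def find_tunnels(lines, min_requests=10, min_rate=1.0):
    """Group requests by (client, path) where the query carries a bare 'proxy'
    parameter, then flag groups that look like a Tunna session: many requests,
    a sustained rate of at least min_rate per second, and both GETs (ping thread)
    and POSTs (client data) to the same URL. Thresholds are assumptions."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = parse_qs(rec["query"], keep_blank_values=True)
        if "proxy" not in params:          # every Tunna request carries ?proxy
            continue
        groups[(rec["ip"], rec["path"])].append(rec)

    findings = []
    for (ip, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span, 1.0)   # log timestamps have 1 s resolution
        methods = {r["method"] for r in recs}
        if len(recs) >= min_requests and rate >= min_rate and {"GET", "POST"} <= methods:
            # the second initiation packet tells the webshell where to connect
            setup = [r["query"] for r in recs if "port=" in r["query"]]
            findings.append({"client": ip, "path": path, "requests": len(recs),
                             "rate_per_s": round(rate, 2), "setup": setup})
    return findings


def constructed_sample():
    """Constructed log lines imitating a --no-socks RDP tunnel; not a real capture."""
    fmt = ('{ip} - - [01/Feb/2018:10:00:{sec:02d} +0000] "{method} {target} HTTP/1.1" '
           '200 {size} "-" "Python-urllib/2.6"')
    lines = [
        fmt.format(ip="10.3.3.50", sec=0, method="GET", target="/conn.aspx?proxy", size=12),
        fmt.format(ip="10.3.3.50", sec=0, method="GET",
                   target="/conn.aspx?proxy&port=3389&ip=127.0.0.1", size=4),
    ]
    for sec in range(1, 7):   # two pings per second, plus a POST every other second
        lines.append(fmt.format(ip="10.3.3.50", sec=sec, method="GET", target="/conn.aspx?proxy", size=0))
        lines.append(fmt.format(ip="10.3.3.50", sec=sec, method="GET", target="/conn.aspx?proxy", size=1024))
        if sec % 2 == 0:
            lines.append(fmt.format(ip="10.3.3.50", sec=sec, method="POST", target="/conn.aspx?proxy", size=0))
    # benign traffic that must not be flagged
    lines.append(fmt.format(ip="10.3.3.60", sec=3, method="GET", target="/index.html", size=5120))
    lines.append(fmt.format(ip="10.3.3.60", sec=4, method="GET", target="/conn.aspx?proxy", size=12))
    return lines


if __name__ == "__main__":
    for finding in find_tunnels(constructed_sample()):
        print(finding)
```

On the constructed sample the tunnelling client is reported once with its 17 requests and the port=3389 setup query, while the single benign hit on the same URL is ignored. Because the webshell needs only the "proxy" parameter, an operator can rename conn.aspx to anything; the grouping is therefore keyed on rate and method mix rather than on the file name.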

Link: http://feedproxy.google.com/~r/PentestTools/~3/p4t5NT8McxM/tunna-set-of-tools-which-will-wrap-and.html

APTSimulator – A toolset to make a system look as if it was the victim of an APT attack

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Use Cases
* POCs: Endpoint detection agents / compromise assessment tools
* Test your security monitoring's detection capabilities
* Test your SOC's response to a threat that isn't EICAR or a port scan
* Prepare an environment for digital forensics classes

Motives
Customers tested our scanners in a POC and sent us a complaint that our scanners didn't report on programs that they had installed on their test systems. They had installed Nmap, dropped a PsExec.exe in the Downloads folder and placed an EICAR test virus on the user's Desktop. That was the moment when I decided to build a tool that simulates a real threat in a more appropriate way.

Why Batch?
Because it's simple:
* Everyone can read, modify or extend it
* It runs on every Windows system without any prerequisites
* It is closest to a real attacker working on the command line

Focus
The focus of this tool is to simulate adversary activity, not malware.

Getting Started
1. Download the latest release from the "release" section
2. Extract the package on a demo system (Password: apt)
3. Start a cmd.exe as Administrator
4. Navigate to the extracted program folder and run APTSimulator.bat

Avoiding Early Detection
The batch script extracts the tools and shells from an encrypted 7z archive at runtime. Do not download the master repo using the "download as ZIP" button. Instead use the official release from the release section.

Extending the Test Set
Since version 0.4 it is pretty easy to extend the test sets by adding a single .bat file to one of the test-set category folders.
E.g. if you want to write a simple use case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:
1. Add your tool to the toolset folder
2. Write a new batch script privesc-1.bat and add it to the ./test-sets/privilege-escalation folder
3. Run build_pack.bat
4. Add your test to the table and action list in the README.md
5. Create a pull request

Tool and File Extraction
If your script includes a tool, web shell, auxiliary or output file, place them in the folders ./toolset or ./workfiles. Running the build script build_pack.bat will include them in the encrypted archives enc-toolset.7z and enc-files.7z.
Extract a Tool:
%ZIP% e -p%PASS% %TOOLARCH% -aoa -o%APTDIR% toolset\tool.exe > NUL
Extract a File:
%ZIP% e -p%PASS% %FILEARCH% -aoa -o%APTDIR% workfile\tool-output.txt > NUL

Detection
The following table shows the different test cases and the expected detection results.
AV = Antivirus
NIDS = Network Intrusion Detection System
EDR = Endpoint Detection and Response
SM = Security Monitoring
CA = Compromise Assessment

Detection marks per test case, columns AV, NIDS, EDR, SM, CA (the column each mark falls in is not preserved in this listing):
Dumps (Pwdump, Dir Listing): X
Recon Activity (Typical Commands): X X X
DNS (Cache Injection): (X) X X X
Eventlog (WCE entries): X X X
Hosts File (AV/Win Update blocks): (X) X X
Backdoor (StickyKey file/debugger): X X
Obfuscation (RAR with JPG ext): (X)
Web Shells (a good selection): X (X) X
Ncat Alternative (Drop & Exec): X X X X
Remote Execution Tool (Drop): (X) X
Mimikatz (Drop & Exec): X X X X
PsExec (Drop & Exec): X X X
At Job Creation: X X X
RUN Key Entry Creation: X X X
System File in Susp Loc (Drop & Exec): X X X
Guest User (Activation & Admin): X X X
LSASS Dump (with Procdump): X X X
C2 Requests: (X) X X X
Malicious User Agent (Malware, RATs): X X X
Scheduled Task Creation: X X X
Nbtscan Discovery (Scan & Output): X X (X) X

Test Cases
1. Dumps: drops pwdump output to the working dir; drops a directory listing to the working dir
2. Recon: executes commands used by attackers to get information about a target system
3. DNS: looks up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache
4. Eventlog: creates Windows Eventlog entries that look as if WCE had been executed
5. Hosts: adds entries to the local hosts file (update blocker, entries caused by malware)
6. Sticky Key Backdoor: tries to replace sethc.exe with cmd.exe (a backup file is created); tries to register cmd.exe as debugger for sethc.exe
7. Obfuscation: drops a cloaked RAR file with JPG extension
8. Web Shells: creates a standard web root directory; drops standard web shells to that directory; drops a GIF-obfuscated web shell to that directory
9. Ncat Alternative: drops a PowerShell Ncat alternative to the working directory
10. Remote Execution Tool: drops a remote execution tool to the working directory
11. Mimikatz: dumps mimikatz output to the working directory (fallback if the other executions fail); runs a special version of mimikatz and dumps the output to the working directory; runs Invoke-Mimikatz in memory (GitHub download, reflection)
12. PsExec: drops a renamed version of PsExec to the working directory; runs PsExec to start a command line in LOCAL_SYSTEM context
13. At Job: creates an at job that runs mimikatz and dumps credentials to a file
14. RUN Key: creates a suspicious new RUN key entry that dumps "net user" output to a file
15. System File Suspicious Location: drops a suspicious executable with a system file name (svchost.exe) in the %PUBLIC% folder; runs that suspicious program from the %PUBLIC% folder
16. Guest User: activates the Guest user; adds the Guest user to the local administrators
17. LSASS Dump: dumps LSASS process memory to a suspicious folder
18. C2 Requests: uses curl to access well-known C2 servers
19. Malicious User Agents: uses malicious user agents to access web sites
20. Scheduled Task Creation: creates a scheduled task that runs mimikatz and dumps the output to a file
21. Nbtscan Discovery: scans 3 private class-C IP subnets and dumps the output to the working directory

Warning
This repo contains tools and executables that can harm your system's integrity and stability. Only use them on non-productive test or demo systems.

Advanced Solutions
* The CALDERA automated adversary emulation system https://github.com/mitre/caldera
* Infection Monkey, an automated pentest tool https://github.com/guardicore/monkey
* Flightsim, a utility to generate malicious network traffic and evaluate controls https://github.com/alphasoc/flightsim

Integrated Projects / Software
Mimikatz, PowerSploit, PowerCat, PsExec, ProcDump, 7Zip, curl

Download APTSimulator
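Test cases 6 and 14 leave registry artifacts behind: an Image File Execution Options debugger entry for sethc.exe, and a Run key value that dumps "net user" output to a file. The script below is an added example, not part of APTSimulator, showing how a compromise-assessment check can audit a registry export in the text format that reg export produces for exactly those two artifacts. The export is constructed; the list of accessibility binaries beyond sethc.exe and the suspicious-command pattern for Run values are my additions rather than anything the project specifies.

```python
"""Audit a .reg export for sticky-key (IFEO) and Run-key persistence artifacts.
Added example, not APTSimulator code. A real export written by reg export is
UTF-16LE with a BOM, so read it with open(path, encoding="utf-16")."""
import re

# Constructed registry export; not a capture from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityScan"="cmd.exe /c net user > C:\\Users\\Public\\netusers.txt"
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with \\ and \" escapes; dword:/hex: values are ignored on purpose
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Accessibility binaries whose IFEO debugger is launched from the logon screen
# (sethc.exe is the one APTSimulator uses; the rest are my additions).
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe", "atbroker.exe"}
# Command shapes in Run values that rarely belong to legitimate software (assumption).
SUSPICIOUS_RUN = re.compile(r'cmd(?:\.exe)?\s+/c|net\s+user|>|powershell\b.*\s-e(?:nc|ncodedcommand)?\b', re.I)


def unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return a list of (key_path, value_name, string_data) for REG_SZ values."""
    values = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return values


def find_ifeo_debuggers(values):
    """Debugger values under Image File Execution Options; accessibility targets are high severity."""
    out = []
    for key, name, data in values:
        parts = key.split("\\")
        if name.lower() == "debugger" and "image file execution options" in [p.lower() for p in parts]:
            target = parts[-1].lower()
            out.append({"check": "IFEO debugger", "target": target, "debugger": data,
                        "severity": "high" if target in ACCESSIBILITY else "review"})
    return out


def find_run_keys(values):
    """Run/RunOnce values whose command line matches the suspicious pattern."""
    out = []
    for key, name, data in values:
        if key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")) and SUSPICIOUS_RUN.search(data):
            out.append({"check": "Run key", "name": name, "command": data, "severity": "high"})
    return out


def audit(text):
    values = parse_reg(text)
    return find_ifeo_debuggers(values) + find_run_keys(values)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

The sethc.exe debugger and the "net user" Run entry come back as high severity, the windbg entry for notepad.exe is reported for review because IFEO debuggers have legitimate uses, and the OneDrive autostart is not reported at all. Test case 6 also replaces sethc.exe itself, which this registry-only check cannot see; comparing the file's hash against cmd.exe covers that half.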

Link: http://feedproxy.google.com/~r/PentestTools/~3/rAND2a8X3zQ/aptsimulator-toolset-to-make-system.html

Parat – Python Based Remote Administration Tool (RAT)

Parat is a simple remote administration tool (RAT) written in Python. You can also read the wiki!

Change log:
* Compatible with both Python 2 and 3 (don't forget that this may cause some errors, so please share any error(s) with us)

Do you want to try? Copy and paste into your terminal:
git clone https://github.com/micle-fm/Parat && cd Parat && python main.py
Note: on some targets you may need to run python -m easy_install pypiwin32 first.

Features
* Fully UnDetectable (FUD)
* Compatible with Telegram messenger
* Bypass Windows User Account Control (UAC)
* Memory execution
* No requirements to set up

Telegram
You can communicate with Parat using Telegram messenger. To do so:
1. Open the telegram.service file in an editor
2. Insert your bot token on line 15, replacing YOUR_BOT_TOKEN
3. Run telegram.service by typing: python telegram.service
Now you can use your bot to control Parat.

Download Parat

Link: http://feedproxy.google.com/~r/PentestTools/~3/JA8tIb4xMW4/parat-python-based-remote.html

ReelPhish – A Real-Time Two-Factor Phishing Tool

ReelPhish simplifies the real-time phishing technique. The primary component of the phishing tool is designed to be run on the attacker's system. It consists of a Python script that listens for data from the attacker's phishing site and drives a locally installed web browser using the Selenium framework. The tool is able to control the attacker's web browser by navigating to specified web pages, interacting with HTML objects, and scraping content.

The secondary component of ReelPhish resides on the phishing site itself. Code embedded in the phishing site sends data, such as the captured username and password, to the phishing tool running on the attacker's machine. Once the phishing tool receives the information, it uses Selenium to launch a browser and authenticate to the legitimate website. All communication between the phishing web server and the attacker's system is performed over an encrypted SSH tunnel.

Victims are tracked via session tokens, which are included in all communications between the phishing site and ReelPhish. This token allows the phishing tool to maintain state for authentication workflows that involve multiple pages with unique challenges. Because the phishing tool is state-aware, it is able to send information from the victim to the legitimate web authentication portal and vice versa.

This tool has been released along with a FireEye blog post: https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.html

Installation Steps
1. The latest release of Python 2.7.x is required.
2. Install Selenium, a required dependency to run the browser drivers:
pip install -r requirements.txt
3. Download browser drivers for all web browsers you plan to use. Binaries should be placed in the root directory with the following naming scheme.

Internet Explorer: www.seleniumhq.org/download/
Download the Internet Explorer Driver Server for 32-bit Windows IE. Unzip the file and rename the binary to IEDriver.exe. For the Internet Explorer Driver to work, be sure protected mode is disabled. On IE11 (64-bit Windows), you must create the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE". In this key, create a DWORD value named iexplore.exe and set the value to 0. Further information on Internet Explorer requirements can be found at www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriver

Firefox: www.github.com/mozilla/geckodriver/releases/
Download the latest release of the Firefox GeckoDriver for Windows 32-bit. Unzip the file and rename the binary to FFDriver.exe. On Linux systems, download the Linux version of the Firefox GeckoDriver and rename the binary to FFDriver.bin. Linux support is experimental. GeckoDriver has special requirements: copy FFDriver.exe to geckodriver.exe and place it in your PATH. Additionally, add firefox.exe to your PATH.

Chrome: https://chromedriver.storage.googleapis.com/index.html?path=2.35/
Download the latest release of the Google Chrome Driver for Windows 32-bit. Unzip the file and rename the binary to ChromeDriver.exe. On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to ChromeDriver.bin. Linux support is experimental.

Running ReelPhish
ReelPhish consists of two components: the phishing site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code takes a username and password from an HTTP POST request and transmits it to the phishing script.

The phishing script listens on a local port and awaits a packet of credentials. Once credentials are received, the phishing script opens a new web browser instance and navigates to the desired URL (the actual site where the user's credentials will be entered). The credentials are then submitted by the web browser.

The recommended way of handling communication between the phishing site and this script is a reverse SSH tunnel. This is why the example PHP phishing site code submits credentials to localhost:2135.

ReelPhish Arguments
You must specify the browser you will be using with the --browser parameter. Supported browsers include Internet Explorer ("--browser IE"), Firefox ("--browser FF"), and Chrome ("--browser Chrome"). Windows and Linux are both supported. Chrome requires the fewest setup steps. See the installation instructions above for further details.
You must specify the URL. The script will navigate to this URL and submit credentials on your behalf.
Other optional parameters are available:
* Set the logging parameter to debug (--logging debug) for verbose event logging
* Set the submit parameter (--submit) to customize the element that is "clicked" by the browser
* Set the override parameter (--override) to ignore missing form elements
* Set the numpages parameter (--numpages) to increase the number of authentication pages (see the section below)

Multi Page Authentication Support
ReelPhish supports multiple authentication pages. For example, in some cases a two-factor authentication code may be requested on a second page. To use this feature, be sure that --numpages is set to the number of authentication pages. Also be sure that the session ID is properly tracked on your phishing site. The session ID is used to track users as they proceed through each step of authentication.
In some cases, you may need to scrape specific content (such as a challenge code) off a particular authentication page. Example commented-out code is provided in ReelPhish.py to perform a scraping operation.
Note that this relay approach only works against second factors the victim can type or approve (one-time codes, push prompts); origin-bound authenticators such as U2F/FIDO2 security keys will not produce a valid assertion for the phishing domain.

Download ReelPhish

Link: http://feedproxy.google.com/~r/PentestTools/~3/pqO4QKRqGRw/reelphish-real-time-two-factor-phishing.html

DNSspider – Very Fast, Async Multithreaded Subdomain Scanner

A very fast multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation.

CHANGELOG:
v0.9
* use async multithreading via the concurrent.futures module
* attack while mutating -> don't generate the whole list when using -t 1
* log only the subdomains to the logfile when '-r' was chosen
* minor code clean-ups / refactoring
* switch to tabstop=2 / shiftwidth=2
v0.8
* upgraded to python3
v0.7
* upgraded built-in wordlist (more than 2k)
* remove annoying timeout warnings
* remove color output when logging to file
v0.6
* upgraded default wordlist
* replaced optionparser with argparse
* add version output option
* fixed typo
v0.5
* fixed extracted ip addresses from rrset answers
* renamed file (removed version string)
* removed trailing whitespaces
* removed color output
* changed banner
v0.4
* fixed a bug for returned list
* added postfix option
* upgraded wordlist
* colorised output
* changed error messages
v0.3
* added verbose/quiet mode, default is quiet now
* fixed try/catch for domain names
* fixed some tab width (i normally use <= 80 chars per line)
v0.2
* append DNS and IP output to found list
* added diffound list for subdomains resolved to different addresses
* get right ip address from current used iface to avoid socket problems
* fixed socket exception syntax and output
* added usage note for fixed port and multithreaded socket exception
v0.1
* initial release

Download DNSspider

Link: http://feedproxy.google.com/~r/PentestTools/~3/LtSqRCzJviE/dnsspider-very-fast-async-mulithreaded.html

GasMask – Information Gathering Tool (OSINT)

All in one Information gathering tool - OSINT
Written by: maldevel (twitter)

Dependencies
Python 2.x, validators, python-whois, dnspython, requests
Install them with:
pip install -r requirements.txt

Information Gathering sources
ask, bing, crt, dns, dogpile, github, google, googleplus, instagram, linkedin, netcraft, pgp, reddit, reverse dns, twitter, vhosts, virustotal, whois, yahoo, yandex, youtube

Link: http://feedproxy.google.com/~r/PentestTools/~3/Rtsx6zqgbB8/gasmask-information-gathering-tool-osint.html

Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy

Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.

Examples of the kinds of stuff it finds in GPOs:
* GPOs which grant modify permissions on the GPO itself to non-default users.
* Startup and shutdown scripts: the arguments and the scripts themselves often include creds, and the scripts are often stored with permissions that allow you to modify them.
* MSI installers being automatically deployed: again, often stored somewhere that will grant you modify permissions.
* Good old fashioned Group Policy Preferences passwords.
* Autologon registry entries containing credentials.
* Other creds being stored in the registry for fun stuff like VNC.
* Scheduled tasks with stored credentials; these also often run stuff from poorly secured file shares.
* User Rights: handy to spot where admins accidentally granted 'Domain Users' RDP access, or those fun rights that let you run mimikatz even without full admin privs.
* Tweaks to local file permissions: good for finding those machines where the admins just stamped "Full Control" for "Everyone" on "C:\Program Files".
* File Shares
* INI Files
* Environment Variables
* ... and much more! (well, not very much, but some)

Yes it's pretty rough, but it saves me an enormous amount of time reading through those awful 150MB HTML GPO reports, and if it works for me it might work for you.

Note: While some function names might include the word audit, Grouper is explicitly NOT meant to be an exhaustive audit for best practice configurations etc. If you want that, you should be using Microsoft SCT and LGPO.exe or something.

Usage
1. Generate a GPO report on a Windows machine with the Group Policy cmdlets installed. These are installed on Domain Controllers by default, can be installed on Windows clients using RSAT, or can be enabled through the "Add Feature" wizard on Windows servers.
Get-GPOReport -All -ReportType xml -Path C:\temp\gporeport.xml
2. Import the Grouper module.
Import-Module grouper.ps1
3. Run Grouper.
Invoke-AuditGPOReport -Path C:\temp\gporeport.xml

Parameters
There are also a couple of parameters you can mess with that alter which policy settings Grouper will show you:
-showDisabled: By default, Grouper will only show you GPOs that are currently enabled and linked to an OU in AD. This toggles that behaviour.
-Level: Grouper has 3 levels of filtering you can apply to its output.
1. Show me all the settings you can.
2. (Default) Show me only settings that seem 'interesting' but may or may not be vulnerable.
3. Show me only settings that are definitely a super bad idea and will probably have creds in them or are going to otherwise grant me admin on a host.
Usage is straightforward: -Level 3, -Level 2, etc.

Frequently Asked Questions

I'm on a gig and can't find a domain-joined machine that I have access to with the Group Policy cmdlets installed, and I don't want to install them because that's noisy and messy!
Get-GPOReport works just fine on non-domain-joined machines via runas /netonly. You'll need some low-priv creds but that's to be expected. Do like this, on a non-domain-joined machine that can communicate with a domain controller:
runas /netonly /user:domain\user powershell.exe
Then in the resulting PowerShell session do like this:
Get-GpoReport -Domain example.com -All -ReportType xml -Path C:\temp\gporeport.xml
Easy.

I don't trust you so I don't want to run your skeevy looking script on a domain-joined machine, but I want to try Grouper.
All Grouper needs to work is PowerShell 2.0 and the XML file output from Get-GPOReport. You can run it on a VM with no network card if you're worried and it'll still work fine. That said, it's pretty basic code so it shouldn't be hard to see that it's not doing anything remotely sketchy.

I think it's dumb that you are relying on the MS Group Policy cmdlets/RSAT for Grouper. You should just write it to directly query the domain or parse the policy files straight out of SYSVOL.
Short answer: Yep.
Long answer: Yep, doing one of those things would be better, but there are a couple of things that prevented me from doing them YET. Ideally I'd like to parse the policy files straight off SYSVOL, but they are stored in a bunch of different file formats, some are proprietary, they're a real pain to read, and I have neither the time nor the inclination to write a bunch of parsers for them from scratch when Microsoft already provides cmdlets that do the job very nicely. In the not-too-distant future I'd like to bake Microsoft's Get-GPOReport into Grouper, so you wouldn't need RSAT at all, but I need to figure out if that's going to be some kind of copyright violation. I also need to figure out how to actually do that thing I just said.

Questions that I am anticipating

Grouper is showing me all these settings that aren't vulnerable. WTF BRO FALSE POSITIVE MUCH?
Grouper is not a vulnerability scanner. Grouper merely filters the enormous amount of fluff and noise in Group Policy reports to show you only the policy settings that COULD be configured in exploitable ways. To the extent possible I am working through each of the categories of checks to add in some extra filtering to remove obviously non-vulnerable configurations and reduce the noise levels even further, but Group Policy is extremely flexible and it's pretty difficult to anticipate every possible mistake an admin might make.

Grouper didn't show me a thing that I know is totally vulnerable in Group Policy. WTF BRO FALSE NEGATIVE MUCH?
Cool, you just found a way to make Grouper better! Scroll down and you'll see where I've provided a little guide to adding new checks to Grouper.

I don't have a lab environment and I don't have a GPO report file handy! I'm also very impatient!
I got your back, kid. There's a test_report.xml in the repo that you can try it out with. It's got a bunch of bad settings in it so you can see what that looks like. You'll need to run it with the -showDisabled flag because it's so full of really awful configurations I didn't even want to enable the GPO in a lab environment.

But wait, how do I figure out which users/computers these policies apply to? Your thing is useless!
Short answer: PowerView will do a decent job of this.
Longer answer: I'll be trying to add this functionality at some point but in the meantime, shut up and use PowerView.

I hate one of the checks Grouper does and I never want to see it again.
Cool, easily fixed. Pop open grouper.ps1, find the "$polchecks" array and just comment out the line where that check gets added to the array. Done.

I want to make Grouper better but I can't make sense of your awful spaghetti-code. Help me help you.
Sure thing, sounds good.
1. Get some GPOReport XML output that includes the type of policy/setting you want Grouper to be able to find. This may require knocking up a suitable policy in a lab environment.
2. Find the XML object that matches your target policy.
3. Find the subsection of the XML that matches the info you want to pull out of the policy. Policy settings are divided into either User or Computer policy, so this will usually be in either GPO.Computer.ExtensionData.Extension or GPO.User.ExtensionData.Extension.
4. Now's the annoying part: the reason this code is such a mess is that each policy setting section is structured differently and they use wildly differing naming conventions, so you're going to need to figure out how your target policy is structured. Good luck?
5. Here's a skeleton of a check function you can use to get started. Make sure it either doesn't return at all or returns $null if nothing interesting is found.

    Function Get-GPOThing {
        [cmdletbinding()]
        Param (
            [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Xml.XmlElement]$polXML,
            [Parameter(Mandatory=$true)][ValidateSet(1,2,3)][int]$level
        )

        ######
        # Description: Checks for Things.
        # Vulnerable: Description of what it shows if Level -eq 3
        # Interesting: Description of what it shows if Level -eq 2
        # Boring: All Things.
        ######

        $settingsThings = ($polXml.Thing.ExtensionData.Extension.Thing | Sort-Object GPOSettingOrder)

        if ($settingsThings) {
            foreach ($setting in $settingsThings) {
                if ($level -eq 1) {
                    $output = @{}
                    $output.Add("Name", $setting.Name)
                    if ($setting.SettingBoolean) {
                        $output.Add("SettingBoolean", $setting.SettingBoolean)
                    }
                    if ($setting.SettingNumber) {
                        $output.Add("SettingNumber", $setting.SettingNumber)
                    }
                    $output.Add("Type", $setting.Type.InnerText)
                    Write-Output $output
                    ""
                }
            }
        }
    }

6. Ctrl-F your way down to "$polchecks" and add it to the array of checks with the others.
7. Test it out.
8. If it works, submit a pull request! If you get stuck, hit me up. I'll try to help if I can scrounge a few minutes together.

Download Grouper
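Grouper's checks are PowerShell functions shaped like the skeleton above. As an added example in Python, not Grouper's code, here is the same shape of check (find the interesting settings, return nothing when there are none, filter by level, skip disabled GPOs unless asked, as -showDisabled does) for two of the items in the list above: Group Policy Preferences cpassword attributes and Winlogon autologon registry entries. It runs over a constructed, simplified Get-GPOReport document; real reports wrap these elements in several more layers with versioned namespaces, which is why the code matches on local element names and attributes rather than on fixed paths. The GPO name, user name, registry values and the cpassword blob are all made up. Decrypting a real cpassword needs the static AES key Microsoft published in the GPP specification, which this example does not attempt.

```python
"""Grouper-style Level 2/3 checks over Get-GPOReport XML (added example, not Grouper code)."""
import xml.etree.ElementTree as ET

# Constructed, simplified report. Element names and attributes follow the shape
# Get-GPOReport uses; the surrounding structure is reduced and all values are made up.
SAMPLE_REPORT = r"""<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Baseline</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Groups">
        <q1:User name="helpdesk">
          <q1:Properties action="U" userName="helpdesk" cpassword="ConstructedBase64Blob=="/>
        </q1:User>
      </Extension>
      <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q2:Registry name="DefaultPassword">
          <q2:Properties hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultPassword" type="REG_SZ" value="Summer2018!"/>
        </q2:Registry>
        <q2:Registry name="AutoAdminLogon">
          <q2:Properties hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="AutoAdminLogon" type="REG_SZ" value="1"/>
        </q2:Registry>
        <q2:Registry name="Shell">
          <q2:Properties hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="Shell" type="REG_SZ" value="explorer.exe"/>
        </q2:Registry>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"""

WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def gpo_name(root):
    for el in root.iter():
        if local_name(el.tag) == "Name":
            return (el.text or "").strip()
    return ""


def gpo_enabled(root):
    """True if any Enabled element (Computer or User half) is 'true'."""
    return any(local_name(el.tag) == "Enabled" and (el.text or "").strip().lower() == "true"
               for el in root.iter())


def iter_properties(root):
    """GPP items keep their settings as attributes on a Properties element."""
    for el in root.iter():
        if local_name(el.tag) == "Properties":
            yield el


def check_gpp_cpassword(root):
    """Level 3: any GPP item carrying a cpassword attribute (AES-encrypted with a public key)."""
    return [{"check": "GPP cpassword", "level": 3,
             "user": p.get("userName", ""), "cpassword": p.get("cpassword")}
            for p in iter_properties(root) if "cpassword" in p.attrib]


def check_winlogon_registry(root):
    """Level 3 for DefaultPassword (cleartext autologon creds), level 2 for other Winlogon writes."""
    out = []
    for p in iter_properties(root):
        if p.get("key", "").lower() != WINLOGON_KEY:
            continue
        name = p.get("name", "")
        out.append({"check": "Winlogon registry", "name": name, "value": p.get("value", ""),
                    "level": 3 if name.lower() == "defaultpassword" else 2})
    return out


def audit_report(xml_text, level=2, show_disabled=False):
    """Run the checks and keep findings at or above the requested level; [] means nothing found."""
    root = ET.fromstring(xml_text)
    if not show_disabled and not gpo_enabled(root):
        return []
    name = gpo_name(root)
    findings = check_gpp_cpassword(root) + check_winlogon_registry(root)
    return [dict(f, gpo=name) for f in findings if f["level"] >= level]


if __name__ == "__main__":
    for finding in audit_report(SAMPLE_REPORT, level=3):
        print(finding)
```

At level 3 only the cpassword item and the DefaultPassword value are reported; at level 2 the AutoAdminLogon and Shell writes under Winlogon join them, which is the "interesting but maybe fine" tier Grouper defaults to. Flipping the Enabled element to false makes the report come back empty unless show_disabled is set, mirroring the -showDisabled behaviour described above.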

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ni4ZEIF3aq0/grouper-powershell-script-for-helping.html

LaZagneForensic – Decrypt Windows Credentials From Another Host

LaZagne uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API has to be called in the victim user's session, otherwise it does not work. If the computer has not been started (when the analysis is done on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.

LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.

Note: The main problem is that to decrypt these passwords, the user's Windows password is needed.

Installation
pip install -r requirements.txt

Usage

First way – Dump configuration files from the remote host
Using the PowerShell script:
PS C:\Users\test\Desktop> Import-Module .\dump.ps1
PS C:\Users\test\Desktop> Dump
Folder dump created successfully !
Using the Python script:
python dump.py
Launch LaZagne with the password if you have it:
python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'
Launch LaZagne without the password:
python laZagneForensic.py all -remote /tmp/dump

Second way – Mount a disk on your filesystem
The disk should be mounted on your filesystem:
test:~$ ls /tmp/disk/
total 769M
drwxr-xr-x 2 root root 0 févr. 1 14:05 ProgramData
-rwxr-xr-x 1 root root 256M févr. 1 14:05 swapfile.sys
-rwxr-xr-x 1 root root 512M févr. 1 14:05 pagefile.sys
drwxr-xr-x 2 root root 0 janv. 31 00:35 System Volume Information
dr-xr-xr-x 2 root root 0 janv. 26 10:17 Program Files (x86)
dr-xr-xr-x 2 root root 0 janv. 25 18:13 Program Files
drwxr-xr-x 2 root root 0 janv. 19 10:09 Windows
drwxr-xr-x 2 root root 0 janv. 16 15:52 Homeware
drwxr-xr-x 2 root root 0 janv. 9 17:33 PerfLogs
drwxr-xr-x 2 root root 0 nov. 22 20:37 Recovery
drwxr-xr-x 2 root root 4,0K nov. 22 20:31 Documents and Settings
dr-xr-xr-x 2 root root 0 nov. 22 20:31 Users
Launch LaZagne with the password if you have it:
python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'
Launch LaZagne without the password:
python laZagneForensic.py all -local /tmp/disk

Note: Use -v for verbose mode and -vv for debug mode.

Supported software
Note: Check the following image to understand which passwords you could decrypt without needing the user's Windows password. All credentials found will be tested as the Windows password in case the user reuses the same password.

Recommended articles related to DPAPI
* Happy DPAPI!
* ReVaulting! Decryption and opportunities
* Windows ReVaulting
* DPAPI exploitation during pentest and password cracking

Download LaZagneForensic

Link: http://feedproxy.google.com/~r/PentestTools/~3/6vBLKvm1ks0/lazagneforensic-decrypt-windows.html