Untitled
a guest
Dec 15th, 2019
Kill Chain 1:
Recon: Joomla (Joomscan)
Weaponization: acquire the appliance (probably spam filtering), reverse engineer it, and develop a custom exploit. Test against other orgs, and build custom firmware with all needed tools.
Delivery: probably email (assumes the spam filtering device was exploited)
Exploitation: unknown vector, but assumed to be email related
Installation: backdoor is "installed", probably with the custom firmware, likely using the appliance's firmware update mechanism
C2: a VPS was noted in use for communications, but the protocol is unknown
AoO (Actions on Objectives): Responder.py in analysis mode, nmap (this leads into recon for Chain #2)

Kill Chain 2:
Weaponization: the tools built in Chain #1, to allow tunneling through the appliance
Delivery: tunneled communications via a SOCKS proxy server or tgcd
Exploitation: none required, because the MongoDB instance wasn't configured with any security
Installation: N/A
C2: retrieving data through the tunnel
AoO: review data; no installation in the MongoDB

Kill Chain 3:
Recon: Chain #1 (nmap)
Weaponization: building tgcd
Delivery: tunneled communications with tgcd
Exploitation: no authentication required; misconfigured iSCSI
Installation: N/A
C2: retrieving data through the tunnel
AoO: review data; no installation in the backups on the Synology NAS. vmfs-fuse used to mount a VMware backup image. Dump LSA secrets and obtain the password of a service account for BesAdmin.

Kill Chain 4:
Recon: became interested in the Exchange server because of the backups on the Synology NAS
Weaponization: proxychains, smbclient
Delivery: smbclient tunneled with tgcd (??)
Exploitation: use of the password obtained from the backups
Installation: psexec_psh to get Meterpreter loaded
C2: Meterpreter communications
AoO: dump WDigest (plaintext) credentials from memory, including a domain admin

Kill Chain 5:
Recon: scanning (nmap, etc.)
Weaponization: the port forwarding tools and Meterpreter already mentioned
Delivery: over the port forwarding tools, using domain admin creds and SMB
Exploitation: using passwords gained from the domain admin
Installation: Meterpreter
C2: Meterpreter
AoO: downloading mail and other files