Exfiltration

DNS

Collabfiltrator: Exfiltrate blind remote code execution output over DNS via Burp Collaborator.

dnsteal: This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

Credentials

LaZagne: The LaZagne project is an open-source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.

LeakedDBParser: Just a quick'n'dirty tool to parse leaked databases (csv-like or sql format).

./leakeddbparser.py <hashfile> [-o <output_file>] [-n max_lines] {csv|sql} [csv or sql options]

pypykatz: Mimikatz implementation in pure Python. At least a part of it.

pypykatz lsa minidump /home/kali/Downloads/lsass.DMP

spraykatz: Credentials gathering tool that automates remote procdump and parsing of the lsass process.

SharpKatz: Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands.

MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory.

.\MirrorDump.exe -f "NotLSASS.zip" -d "LegitLSAPlugin.dll" -l 1073741824
[+] Generating new LSA DLL LegitLSAPlugin.dll targetting PID 572.....Done.
[+] LSA securiy package loaded, searching current process for duplicated LSASS handle
[+] Found duplicated LSASS process handle 0x3ec
[=] Dumping LSASS memory.........
[+] Minidump successfully saved to memory, size 88.06MB
[+] Minidump compressed and saved to NotLSASS.zip

Tokenvator: A tool to alter privilege with Windows Tokens.

juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from Windows Service Accounts to NT AUTHORITY\SYSTEM.

RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.

SharpCloud: Simple C# tool for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.

KeeThief: Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.

SharpLAPS: Retrieve LAPS password from LDAP.

SharpLAPS.exe /user:DOMAIN\User /pass:MyP@ssw0rd123! /host:192.168.1.1

PCredz: This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.

# extract credentials from a pcap file
python3 ./Pcredz -f file-to-parse.pcap

# extract credentials from all pcap files in a folder
python3 ./Pcredz -d /tmp/pcap-directory-to-parse/

# extract credentials from a live packet capture on a network interface (need root privileges)
python3 ./Pcredz -i eth0 -v

NTLM Theft

Detection

HoneyCreds: Detect network credentials and poisoners such as responder and MITM attacks.
