Red Teaming and Malware Analysis
Red Teaming and Malware Analysis
@sirpedrotavares
seguranca-informatica.pt
0xSI_f33d
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
OSINT
DNS
WEB
Infrastructure and Network
Scan and Discovery
Automated Scanners
Misc
Active Directory
Cloud & Azure
Command and Control (C&C)
(De)serialization
Lateral Movement
Powershell
Privilege Escalation
Exfiltration
Persistence
Password & Cracking
Static Code Analysis
Reporting
Resources
Malware Analysis
Unpacking
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / ARM / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered by GitBook

Active Directory

​bloodhound: BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.

​Max: Maximizing BloodHound. Max is a good boy.

​cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL -a localhost:7687 -v true -t 10s

​InveighZero: InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.

​CrackMapExec: CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

​KerberosUserEnum: Kerberos accounts enumeration taking advantage of AS-REQ, I wrote this script to practice my understanding of Kerberos.

./Enum.py --file=/tmp/usernames --dcip=192.168.88.1 --domain=TESTDOMAIN --port=88

​kerbrute: A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

Kerbrute has three main commands:

  • bruteuser - Bruteforce a single user's password from a wordlist

  • bruteforce - Read username:password combos from a file or stdin and test them

  • passwordspray - Test a single password against a list of users

  • userenum - Enumerate valid domain usernames via Kerberos

./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
./kerbrute_linux_amd64 bruteforce --dc 192.168.x.x -d domain users.txt --safe -o out.txt

ldapdomaindump: Active Directory information dumper via LDAP.

​ADSearch: A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.

ADHuntTool: official report for the AdHuntTool. C# Script used for Red Team. It can be used by Cobalt Strike execute-assembly or as a standalone executable.

Usage: ADHuntTool.exe options domain [arguments]
​
ADHuntTool.exe Set
ADHuntTool.exe DumpLocalAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpLocalGroup RingZer0 *optional*computername
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe DumpWkstaSession RingZer0 *optional*computername
ADHuntTool.exe CheckAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpTrust RingZer0
ADHuntTool.exe DumpAllUsers RingZer0
ADHuntTool.exe DumpUser RingZer0 mr.un1k0d3r
ADHuntTool.exe DumpUsersEmail RingZer0
ADHuntTool.exe DumpAllComputers RingZer0 
ADHuntTool.exe DumpComputer RingZer0 DC01
ADHuntTool.exe DumpAllGroups RingZer0
ADHuntTool.exe DumpGroup RingZer0 "Domain Admins"
ADHuntTool.exe DumpPasswordPolicy Ringzer0,DC=local
ADHuntTool.exe DumpCertificateTemplates Ringzer0,DC=local
ADHuntTool.exe DumpPwdLastSet RingZer0
ADHuntTool.exe DumpLastLogon RingZer0
ADHuntTool.exe CheckManaged RingZer0
ADHuntTool.exe DumpLapsPassword RingZer0 *optional*computername  
ADHuntTool.exe DumpUserPassword RingZer0   
ADHuntTool.exe DumpRemoteSession RingZer0  *optional*computername  
ADHuntTool.exe PasswordBruteForce RingZer0 *optional*username (samaccountname) 
ADHuntTool.exe GetShare target *optional*Domain\Username Password
ADHuntTool.exe GetService target *optional*Domain\Username Password

​

​Talon: Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can either use a single domain controller or multiple ones to perform these attacks, randomizing each attempt, between the domain controllers and services (LDAP or Kerberos).

[email protected]:~# ./Talon -Hostfile DCs -Userfile ValidUsers -D STARLABS.local -P "Password!" -sleep 2
​
  __________  ________  ___       ________  ________
  |\___    _\\\   __  \|\  \     |\   __  \|\   ___  \
  \|___ \  \_\ \  \|\  \ \  \    \ \  \|\  \ \  \\ \  \
       \ \  \ \ \   __  \ \  \    \ \  \\\  \ \  \\ \  \
        \ \  \ \ \  \ \  \ \  \____\ \  \\\  \ \  \\ \  \
         \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\
          \|__|  \|__|\|__|\|_______|\|_______|\|__| \|__|
					          (@Tyl0us)
​
​
[-]  172.16.144.186 STARLABS.LOCAL\ballen:Password! = Failed
[-]  172.16.144.185 STARLABS.LOCAL\csnow:Password! = Failed
[-]  172.16.144.186 STARLABS.LOCAL\wwest:Password! = User's Account Locked
[*] Account lock out detected - Do you want to continue.[y/n]:

​RemotePotato0: RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.

​

Previous
Misc
Next
Cloud & Azure
Last updated 3 weeks ago