These red team penetration-testing tips come from the Red Team Tips site of @vysecurity (Vincent Yiu) of 斯圆安全; treat this post as a translation. The point is to think about attack and defence from both the red and the blue side and fill in my own gaps.
Red Team Tips
101 - 110
Red tip #101: Set up red team infrastructure following @bluscreenofjeff's guidelines! https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
Red tip #102: Easier DNS redirector!
# YOUR LOCAL BOX
socat -t0 -T0 tcp4-listen:6667,reuseaddr,fork UDP:localhost:53
ssh user@remote_server -R 6667:localhost:6667
# REMOTE MACHINE
socat -t0 -T0 udp4-recvfrom:53,reuseaddr,fork tcp:localhost:6667
For opsec, and so that the C2 is not hosted on the cloud.
Red tip #103: Red team tips are useful, but what makes a good red teamer is experience. Rack up that breadth of experience.
Red tip #104: SessionGopher does a decent job at retrieving PuTTY and RDP history - https://github.com/fireeye/SessionGopher
Red tip #105: If ping 8.8.8.8 works, try ICMP tunnelling. More info from @fragsh3ll at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 (though this only works on an immature network).
Red tip #106: Wordlists? https://github.com/berzerk0/Probable-Wordlists I like to use the top probable 297 million list with Deadhobo rules.
Red tip #107: More of a pentest tip, but: nslookup google.com. If it resolves, you may have a DNS tunnelling problem.
- (Translator) I don't understand this one.
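Tip #107 is the defender's side of tip #102: if an internal host can resolve arbitrary external names, the only thing standing between it and a DNS tunnel is monitoring of the resolver logs. The example below is added here and is not from the original tips or from @vysecurity; it shows the kind of check a blue team runs over resolver logs. The log format (`<client> <qname> <qtype>`), the sample lines and the thresholds are all constructed assumptions: a tunnel shows up as many unique, long, high-entropy labels under one base domain, usually as TXT or NULL queries.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (assumed format: "<client> <qname> <qtype>").
# Client 10.0.0.7 issues many unique, long, high-entropy TXT lookups under one
# base domain, which is what a DNS tunnel looks like from the resolver's side.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.google.com A
10.0.0.5 mail.example.org MX
10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.t.example.net TXT
10.0.0.7 f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1.t.example.net TXT
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net TXT
10.0.0.7 9a8b7c6d5e4f30211203f4e5d6c7b8a9.t.example.net TXT
10.0.0.9 cdn.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' base domain; good enough for grouping here."""
    return ".".join(qname.split(".")[-2:])


def parse_dns_log(log_text):
    """Parse the constructed log format into (client, qname, qtype) tuples."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1].lower().rstrip("."), parts[2].upper()))
    return records


def encoded_labels(qname, min_label_len=24, entropy_threshold=3.5):
    """Labels that are both long and high-entropy, i.e. likely to carry encoded data."""
    return [label for label in qname.split(".")
            if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold]


def find_tunnel_candidates(log_text, min_unique=3, **label_kwargs):
    """Group queries by (client, base domain) and flag groups with many unique
    encoded subdomains. Also report the share of TXT/NULL queries, which
    tunnels favour because those record types carry more data per answer."""
    groups = defaultdict(lambda: {"names": set(), "bulk_types": 0, "total": 0})
    for client, qname, qtype in parse_dns_log(log_text):
        group = groups[(client, registered_domain(qname))]
        group["total"] += 1
        if qtype in ("TXT", "NULL"):
            group["bulk_types"] += 1
        if encoded_labels(qname, **label_kwargs):
            group["names"].add(qname)
    findings = []
    for (client, domain), group in groups.items():
        if len(group["names"]) >= min_unique:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_encoded_names": len(group["names"]),
                "bulk_type_ratio": group["bulk_types"] / group["total"],
            })
    return sorted(findings, key=lambda f: f["unique_encoded_names"], reverse=True)


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_DNS_LOG):
        print(finding)
```

The thresholds are deliberately loose so that a CDN hostname with one long hash label does not trip the check on its own; what matters is the count of distinct encoded names per client and base domain over a window. The structural fix the tip implies is to make internal hosts resolve only through an internal resolver that forwards selectively, so that the nslookup in the tip fails.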
Red tip #108: Post-exploitation asset discovery: https://github.com/vysec/Invoke-DNSDiscovery looks for assets by name, which can be good if you are a low-privilege user.
Red tip #109: Use Invoke-ProcessScan to give some context on the processes running on a system. This uses the EQGRP leaked list - https://github.com/vysec/Invoke-ProcessScan
- (Translator) The git project seems to be gone.
Red tip #110: Mature blue? Be careful: minidump lsass.exe, then download the dump and parse it locally.
- (Translator) I don't understand this one.
111 - 120
Red tip #111: Found an exploitable S4U condition? Use Mystique to attack! https://github.com/machosec/Mystique/blob/master/Mystique.ps1
TIP
How the S4U attack works: the attack was described by the researcher Elad Shamir. He points out that regardless of whether the service account's UserAccountControl attribute has TrustedToAuthForDelegation set, the service itself can call S4U2Self to request a service ticket to itself on behalf of any user. When the flag is not set, however, the TGS obtained through S4U2Self is not forwardable.
Red tip #112: Need to use VNC because RDP is in use? https://github.com/artkond/Invoke-Vnc has been pretty stable for me. Run it, then pivot in and connect!
Red tip #113: Found "super secret.doc" or "master password database.xlsx"? Use office2john to get the hash and crack it in Hashcat!
Red tip #114: PowerUp didn't work and you want autoruns? Don't bother going on disk; use Invoke-AutoRuns to export to CSV - https://github.com/p0w3rsh3ll/AutoRuns
Red tip #115: Need to zip up a directory quickly for easy exfiltration, e.g. home shares? Use https://github.com/thoemmi/7Zip4Powershell from PowerShell.
Red tip #116: Use CatMyFish to search for categorised domains that could be used in your engagements - https://github.com/Mr-Un1k0d3r/CatMyFish
TIP
CatMyFish: searches for categorised domains that can be used during red team engagements. Well suited to finding whitelisted domains for Cobalt Strike beacon C&C setups. It relies on expireddomains.net for the list of expired domains and uses checkdomain.com to verify domain availability, picking out "whitelisted" domain names for us.
Red tip #117: Ran Invoke-MapDomainTrusts from PowerView? Use @harmj0y's DomainTrustExplorer to generate a graph: https://github.com/sixdub/DomainTrustExplorer
TIP
DomainTrustExplorer: a Python script for analysing the Trust.csv file generated by Veil PowerView. It provides graph-based analysis and output; the graph output represents access direction (the opposite of trust direction).
Red tip #118: FOCA finds some useful information for the OSINT and intelligence phases. https://www.elevenpaths.com/labstools/foca/index.html
TIP
FOCA is a tool mainly used to find metadata and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analysed with FOCA. It can analyse a wide variety of documents, most commonly Microsoft Office, OpenOffice or PDF files, though it can also analyse Adobe InDesign or SVG files. It searches for these documents using three possible search engines: Google, Bing and DuckDuckGo. The combined results of the three engines add up to a lot of files. Local files can also be added to extract EXIF information from image files, and even before a file is downloaded, a full analysis is run on the information discovered through its URL.
Red tip #119: GoPhish is a pretty useful tool for spinning up simple phishing campaigns, especially for decoys. https://getgophish.com
Red tip #120: If you have write access to the org's shared Office template folders, you can privesc by backdooring these trusted documents.
121 - 130
Red tip #121: @zwned uses netsh packet tracing to sniff natively from the victim host. Save the capture and analyse it offline!
- (Translator) I don't understand this one.
Red tip #122: More decoy tips! Scan the external perimeter with tools like Nessus and OpenVAS. The more traffic the better, just to burn the blue team.
Red tip #123: Read Sean Metcalf's blog http://adsecurity.org/. With AD used in so many environments, it is vital to at least know the techniques.
Red tip #124: Remember you can generate a golden ticket offline with knowledge of the krbtgt hash, and do the rest offline. A golden ticket gets you silver tickets from the DC.
Red tip #125: Got the krbtgt of a child domain? The forest parent trusts you? Use the SID history attack in golden tickets to escalate to Enterprise Admin.
Red tip #126: You don't necessarily need Domain Admin: if you have an account that has "Replicating Directory Changes" rights, dcsync to pull hashes using that account.
Red tip #127: Planning to use secretsdump.py? 😃 Try using the DC machine account to authenticate and dump instead of a user! Save the hash.
Red tip #128: Use machine account hashes to generate silver tickets to a host for persistence. Save the DC's machine hash in case krbtgt is rotated.
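Tips #126 to #128 describe the same exposure from three angles: replication rights held by a non-DA account, a DC machine account used to replicate, and DC machine hashes kept for later. From the blue side all three leave the same footprint: a Security event 4662 on a domain controller whose Properties field carries a directory-replication control-access-right GUID, raised by a subject that is not another domain controller. The example below is added here and is not from the original tips; the replication GUIDs and the domainDNS object-class GUID are the real values, while the event records, account names and the list of known DC accounts are constructed assumptions.

```python
# Control-access-right GUIDs that appear in the Properties field of a 4662 event
# when an account exercises directory replication rights (these GUIDs are real).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# domainDNS object class GUID (real); replication requests target the domain object.
DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample events: a handful of 4662 fields pulled into dicts.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "Properties": REPL_PROPS},   # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "Properties": REPL_PROPS},   # tip #126 shape: user with rights
    {"EventID": 4662, "SubjectUserName": "WKS07$", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS, "Properties": REPL_PROPS},   # tip #127 shape: non-DC machine
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "{00000000-0000-0000-0000-000000000000}"},     # placeholder: some other property
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},  # unrelated logon
]

# Constructed: the computer accounts of the domain's real domain controllers.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def detect_dcsync(events, known_dc_accounts):
    """Return an alert for every 4662 event in which replication rights were used
    by anything other than a known DC computer account. A machine account that is
    not a DC is reported with its own reason, since that is the tip #127 pattern."""
    dc_accounts = {name.upper() for name in known_dc_accounts}
    alerts = []
    for event in events:
        if event.get("EventID") != 4662:
            continue
        props = event.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        if not rights:
            continue
        subject = event.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue  # expected: domain controllers replicate with each other
        if subject.endswith("$"):
            reason = "machine account that is not a known domain controller"
        else:
            reason = "user account exercising directory replication rights"
        alerts.append({"subject": subject, "domain": event.get("SubjectDomainName", ""),
                       "reason": reason, "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(alert)
```

Two practical notes follow from the tips themselves. Auditing 4662 requires the "Directory Service Access" subcategory to be enabled on the DCs, and the allow-list must be the DC computer accounts, not "any account ending in $", or the tip #127 variant passes unnoticed. And because tip #128 keeps a DC machine hash precisely so that a krbtgt rotation does not matter, an incident response that resets krbtgt should also reset the DC computer account passwords.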
Red tip #129: Use PEAS to query shares and emails if ActiveSync is in use - https://github.com/mwrlabs/peas
TIP
PEAS is a Python 2 library and command-line application for running commands against ActiveSync servers such as Microsoft Exchange. It is based on research into the Exchange ActiveSync protocol by Adam Rutherford and David Chismon of MWR.
Red tip #130: (Not really red, but useful) Sort IPs:
cat IPs.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
or even:
cat IPs.txt | sort -V
131 - 140
Red tip #131: Learn AWK and general bash scripting. Processing and merging data sets speeds up our job for discovery and time keeping.
Red tip #132: Worth learning to pick locks and the dust-can sensor trick if you're going to do some physical. http://www.artofmanliness.com/2014/11/19/how-to-pick-a-lock-pin-tumbler-locks/
Red tip #133: Grep has an extract flag, -o, that outputs only the part of each line matching the regex. Good for extracting data from massive blobs.
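Tips #130, #131 and #133 are all about wrangling address lists: sorting them numerically, merging data sets, and pulling matches out of a blob the way grep -o does. The example below is added here and is not part of the original tips; it does the same three jobs in Python so they can be dropped into a report pipeline, and goes slightly beyond the shell one-liners by validating candidate addresses, handling IPv4 and IPv6 in one sort, and de-duplicating. The sample blob and record lists are constructed.

```python
import ipaddress
import re

# Like grep -oE: the lookarounds stop "10.0.0.1" matching inside "210.0.0.12" or "1.2.3.4.5".
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed blob: scan output mixed with noise, a duplicate and an invalid address.
SAMPLE_BLOB = """\
host 10.0.0.10 up (tcp/445) ; host 10.0.0.9 up (tcp/22)
ignore 999.1.1.1 and version 2.10.3 ; gateway 192.168.1.1 ; again 10.0.0.10
"""


def extract_ipv4(blob):
    """Return every syntactically valid IPv4 address in order of appearance."""
    found = []
    for match in IPV4_RE.finditer(blob):
        try:
            ipaddress.IPv4Address(match.group())
        except ValueError:
            continue  # 999.1.1.1 has the right shape but is not an address
        found.append(match.group())
    return found


def sort_ips(ips, unique=True):
    """Numeric sort (what per-octet -n or sort -V gives you), IPv4 before IPv6,
    silently skipping lines that are not addresses."""
    parsed = []
    for raw in ips:
        try:
            parsed.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue
    if unique:
        parsed = list(set(parsed))
    return [str(addr) for addr in sorted(parsed, key=lambda a: (a.version, int(a)))]


def merge_by_ip(left, right):
    """Inner-join two lists of dict records on their 'ip' field, e.g. a port-scan
    export against an asset inventory; right-hand fields win on conflict."""
    index = {rec["ip"]: rec for rec in right}
    return [dict(rec, **index[rec["ip"]]) for rec in left if rec["ip"] in index]


if __name__ == "__main__":
    ips = extract_ipv4(SAMPLE_BLOB)
    print(sort_ips(ips))
    print(merge_by_ip([{"ip": ip, "seen": True} for ip in ips],
                      [{"ip": "10.0.0.9", "owner": "it"}]))
```

The validation step matters more than it looks: a lexical sort or a naive regex happily keeps "999.1.1.1" and version strings, and those then end up in scope documents and ticket counts.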
Red tip #134: Victims use wireless? Use a KARMA attack to force them onto your network. Use EternalBlue, domain creds or other vulns to get in. https://github.com/sensepost/mana
Red tip #135: Phishing pages are usually custom. However, it's always good to have a stash for decoys. Generic Gmail, Office365?
Red tip #136: Keep up to date by watching presentations from conferences on YouTube 😃 Discover useful techniques.
Red tip #137: If you've exhausted all payload types, try sending a Mac user a Python one-liner and a Windows user a PowerShell one-liner. I've had people run it.
Red tip #139: If you need a clean EXE for file drop and exec, try @midnite_runr's Backdoor Factory - https://github.com/secretsquirrel/the-backdoor-factory
Red tip #140: If the enemy does not use a proxy with TLS inspection, then you can use https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/ to mask your C2 channel further.
141 - 150
Red tip #141: On a Linux box and want to egress from it over a proxy? Use ProxyTunnel to pipe SSH - https://github.com/proxytunnel/proxytunnel
Red tip #142: Need some OSINT? Keep SpiderFoot running long term to accompany your manual OSINT sources. http://www.spiderfoot.net
Red tip #143: OSINTing? theHarvester does a decent job at subdomains, though there are better ways to get emails in bulk. https://github.com/laramies/theHarvester
Red tip #144: Exploring and want to use WMI? https://www.microsoft.com/en-us/download/details.aspx?id=8572 is pretty useful for exploring the different namespaces and classes.
Red tip #145: Need to reset a password? Do it, then quickly dcsync for the previous password hash and use NTLMInjector - https://github.com/vletoux/NTLMInjector
- Note: DCSync is a feature of Mimikatz in the lsadump module. DCSync simulates the behaviour of a domain controller and requests account password data from the target domain controller. It is an attack technique for the post-exploitation stage of an internal pentest.
Red tip #146: IDS flagging a known payload binary blob? Base64-encode it in your payload and use certutil, PS or VB to decode it!
Red tip #147: Test your phishing campaigns before sending!!!
Red tip #148: If you're sending into Exchange, make sure your SMTP server is not on a spam list or blacklist. Check the mail headers of junk mails.
Red tip #149: Use Microsoft's Message Header Analyzer to parse and review email headers from Outlook. https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx
Red tip #150: Make sure the phishing email's Bounce header matches From. Otherwise some filters will flag it as malicious.
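Tips #148 to #150 are about what mail filters look at: the headers. The same checks that reject a sloppy campaign are the ones a mail gateway or an analyst runs on a suspicious message, so the example below takes the defender's side of tip #150 and tip #149. It is added here and is not from the original tips or from Microsoft's Message Header Analyzer; it parses a message with the standard library and reports where the bounce (Return-Path) and Reply-To domains disagree with From, and where the receiving server's Authentication-Results header records anything other than a pass. Both messages and all addresses are constructed and use documentation-reserved domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: bounce and Reply-To domains disagree with From, DMARC failed.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.10]) by mx.example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-reset@example.org
To: user@example.com
Subject: Password expiry notice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com

Your password expires today.
"""

# Constructed message where everything lines up.
CLEAN_RAW = """\
Return-Path: <helpdesk@example.com>
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Maintenance window
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Routine maintenance tonight.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_header_alignment(raw_message):
    """Return a list of findings; an empty list means Return-Path, Reply-To and
    From agree and SPF/DKIM/DMARC all passed at the receiving server."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} does not match From domain {from_dom}")
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        result = re.search(rf"\b{mech}=(\w+)", auth)
        if result and result.group(1) != "pass":
            findings.append(f"{mech}={result.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in check_header_alignment(SAMPLE_RAW):
        print(finding)
```

A Return-Path that does not match From is exactly the mismatch tip #150 warns about, and it is also the SPF/DMARC alignment rule: SPF authenticates the bounce domain, DMARC then asks whether that domain aligns with the From domain, so an unaligned bounce address fails DMARC even when SPF itself passed. Only trust an Authentication-Results header stamped by your own receiving server; anything above it in the header chain was written by the sender.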
151 - 160
Red tip #151: DomainHunter also looks for good candidate expired domains - https://github.com/minisllc/domainhunter
Red tip #152: Want to scrape metadata from the CLI? Use PowerMeta. Linux users can use PowerShell too! https://github.com/dafthack/PowerMeta
Red tip #153: RDP in use? Don't want to use VNC? Try mimikatz's ts::multirdp in-memory patch by @gentilkiwi. Reference: http://blog.gentilkiwi.com/mimikatz
Red tip #154: Admin on a machine with a VPN client? Certificate extraction using Mimikatz by @gentilkiwi. Don't forget to download the configs. Backdoor.
Red tip #155: Master all the quick wins for domain privilege escalation. When you're pressured to get DA in 15 minutes, you want to know you can.
Red tip #156: @Akijos notes that we should be careful when using silver tickets with scheduled tasks: the task's Author is the user account you're on.
Red tip #157: If you don't need a golden ticket, don't generate it.
Red tip #158: Scan a DNS server for Alexa top 1 million spoofable domains 😃 I've got a massive list, do you?
TIP
(Translator) I personally think the author is hinting that the DNS resolution of certain domains has been hijacked.
Red tip #159: Scan the internet for a list of domain-frontable domains! I've got a big, big list ready for whenever I want to use them.
TIP
Domain fronting is a technique for circumventing internet censorship by obscuring the domain of an HTTPS connection. At the application layer, domain fronting lets a user connect to a service that might otherwise be blocked by DNS, IP or deep packet inspection. It uses the secure HTTP web protocol (HTTPS) and the Transport Layer Security (TLS) standard to mislead deep packet inspection systems and firewall rules about the destination of a web request, and takes advantage of the features of content delivery networks (CDNs). The domain name appears three times in a web request: in the DNS query for the site's IP address, in the Server Name Indication (SNI) extension of TLS (which tells a server hosting multiple sites which domain the traffic is for), and in the HTTP "Host" header of the request. For HTTP traffic, all three instances of the domain name are visible to the censor's network equipment; when browsing HTTPS sites, the HTTP header is encrypted.
Red tip #160: We all know people share credentials between different services. Try these credentials on other accounts owned by the user!
161 - 170
Red tip #161: Can't crack a password? Try the user's previous passwords from the history in AD. They may follow a pattern.
Red tip #162: Can't crack a hash owned by a user? Take all previously discovered passwords from their files and generate a new wordlist.
Red tip #163: Can't crack a password? Make sure these are in your wordlist: name of company, town, capital, country, months! They appear a lot.
Red tip #164: Didier Stevens has the SelectMyParent tool that lets you spawn a child process with an arbitrary parent. https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/
Red tip #165: Using SelectMyParent stops those detections, e.g. powershell.exe spawning cmd.exe. @armitagehacker's Cobalt Strike has a ppid command!
TIP
The ppid command tasks Beacon to launch cmd.exe, powershell.exe, and other processes with an alternate parent. This feature takes advantage of an API, introduced with Windows Vista, to enable consent.exe to launch elevated processes with the non-elevated requester as the parent. Link: https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/
Red tip #166: Use PowerPoint mouse-over text to invoke a PowerShell one-liner. #adversarysimulation - https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/
Red tip #167: Follow @mattifestation to keep up to date with blue team advances, just in case blue is actually up to date with mitigations!
Red tip #168: Using VBS or JS? Can't stage using PowerShell.exe because it is blocked? @Cneelis released https://github.com/Cn33liz/StarFighters so you can keep using PS.
TIP
StarFighters: a JavaScript- and VBScript-based Empire launcher. Both launchers run inside their own embedded PowerShell host, so PowerShell.exe is not needed. This can be useful when a company blocks PowerShell.exe and/or uses an application-whitelisting solution but does not block running JS/VBS files.
Red tip #169: Not sure who uses Wi-Fi webcams, but go run a mass deauth attack if you're going to plan on breaking in physically to discon
Red tip #170: @malcomvetter: Never use defaults - run Mimikatz with AES and 8-hour tickets to avoid passive detection from NG defence tools!
171 - 180
Red tip #171: Win XP doesn't have PowerShell? Try using Unmanaged PowerShell to keep using your favourite scripts!
Red tip #172: @anthonykasza tells us that the at.exe command takes base64-encoded params! E.g. at.exe b64::[encoded params]
Red tip #173: Grab cleartext wireless keys: netsh wlan show profile name="ssid" key=clear
Red tip #174: Got a shell on a victim without admin? Want their creds? Try Inveigh, then rpcping -s 127.0.0.1 -t ncacn_np to leak the hash.
Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. https://github.com/Kevin-Robertson/Inveigh
Red tip #175: Got a low-priv shell and need creds? Use Invoke-LoginPrompt by @enigma0x3 https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1
Red tip #176: Get access to shadow admin accounts; they can DCSync and are essentially DA. https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/
TIP
Shadow Admin accounts are accounts in your network that hold sensitive privileges but are usually overlooked because they are not members of the privileged Active Directory (AD) groups. Instead, Shadow Admin accounts are granted their privileges through direct assignment of permissions (ACLs on AD objects). Shadow Admins: https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/
Red tip #177: If blue detects PTH (pass-the-hash), try extracting Kerberos tickets and PTT.
TIP
PTT (pass-the-ticket) uses Kerberos tickets in place of plaintext passwords or NTLM hashes. Most PtT is done with golden tickets and silver tickets. Generally speaking, gaining control of a host via PtT is very easy.
Red tip #178: @lefterispan wrote https://gist.github.com/leftp/a3330f13ac55f584239baa68a3bb88f2 which sets up a proxy and forces an auth attempt to it to leak the hash. Low-priv leak.
Red tip #179: When creating phishing pages, try cloning and modifying parts of the client's own web pages, for example their VPN login!
Red tip #180: Regardless of whether there are known defences, run your PS scripts through obfuscation before loading them into memory.
181 - 190
Red tip #181: Stuck trying to find those assets still? Try @424f424f's Get-BrowserData https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Get-BrowserData.ps1
Red tip #182: Follow @JohnLaTwC as he tweets phishing examples, sometimes with new techniques used in the wild. Good for adversary simulation.
Red tip #183: @MrUn1k0d3r released https://github.com/Mr-Un1k0d3r/SCT-obfuscator, which can probably bypass gateway signatures when performing SCT delivery for regsvr32!
Red tip #184: We always talk about Windows and AD. But now let's have a look at Linux and AD with https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9
Red tip #185: Use WSUS for lateral movement: https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
Red tip #186: View @jpcert's https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf and look at all those indicators and artefacts left behind. Then hexedit those tools?
Red tip #187: Found a portal using 2FA? Using RSA SecurID? https://blog.netspi.com/targeting-rsa-emergency-access-tokencodes-fun-profit/ PIN bruteforce!
Red tip #188: @pwnagelabs says to avoid bash history on exit using: kill -9 $$
Red tip #189: @pwnagelabs teaches us how to avoid wtmp logging with: ssh -l user target -T
Red tip #190: @bluscreenofjeff shows us how to use Apache mod_rewrite to randomly serve different payloads: https://bluescreenofjeff.com/2017-06-13-serving-random-payloads-with-apache-mod_rewrite/
191 - 200
Red tip #191: Domain user? Query LDAP for printers. Attempt default creds or known vulns, then read the service account creds, hash or relay.
Red tip #192: Pull the DC's DNS A records via WMI: Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC001 | Export-CSV -NoTypeInformation dns.csv
Red tip #193: Password-protected doc in email? For some reason a lot of people send the password separately to the same inbox. #epicfail
Red tip #194: Can't see another part of the network and there's a DC? Pivot off the DC 😃
Red tip #195: C:\windows\system32\inetsrv\appcmd list site to find IIS bindings.
Red tip #196: DA -> Locate DB -> Found MSSQL? https://github.com/NetSPI/PowerUpSQL Use PowerUpSQL to enumerate and privesc by stealing tokens.
Red tip #197: If the ACL doesn't let you read other users' home shares, you can try net view \\fileserv /all to try other shares and folders!
Red tip #198: Username jondoe and jondoe-x? One's an admin? Try the same password. It may be shared? Repeat for the entire user list.
Red tip #199: Failed to phish? Payloads failing? Mac users? Write an email and ask them to open Terminal and paste in a Python EmPyre one-liner.
Red tip #200: @_wald0 blessed us with this BH (BloodHound) Cypher query to skip specific nodes and look for other paths. https://pastebin.com/qAzH9uji