Added couple of tools

2020-03-04 16:51:29 +01:00 · 2020-03-04 16:51:29 +01:00 · 305492a3ee
parent e496a1c449
commit 305492a3ee
5 changed files with 158 additions and 1 deletions
--- a/others/README.md
+++ b/others/README.md
@ -5,6 +5,17 @@

 - **`Contoso-AD-Structure`** - Simple script intended to create a sample AD structure filled out with users and groups.

+- **`correlateCrackedHashes.py`** - Hashcat results correlation utility.
+Takes two files on input. Tries to find every line of the second file within the first file and for every found match - extracts password value from the second file's line. Then prints these correlations.
+In other words - having the following in FileA:
+	 `some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c`
+
+and a line in FileB that would be a result of running hashcat:
+	 `68eacb97d86f0c4621fa2b0e17cabd8c:Test123`
+
+the script will print out:
+	 `some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123`
+
 - **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))

 - **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh)
--- a/others/correlateCrackedHashes.py
+++ b/others/correlateCrackedHashes.py
@ -0,0 +1,65 @@
+#!/usr/bin/python3
+#
+# Takes two files on input. Tries to find every line of the second file within the first file
+# and for every found match - extracts password value from the second file's line. Then prints these correlations.
+#
+# In other words:
+#
+#     FileA:
+#         some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c
+#   
+#     FileB - result of running hashcat:
+#         68eacb97d86f0c4621fa2b0e17cabd8c:Test123
+#
+#     WILL RETURN:
+#         some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
+#        
+# Mariusz B. / mgeeky
+#
+
+import sys, os
+
+def main(argv):
+    if len(argv) < 3:
+        print('''
+Usage: ./correlateCrackedHashes.py <fileWithUsernames> <crackedHashesFile> [delimiter]
+
+    <fileWithUsernames> - File containing usernames and their hashes (or just hashes)
+    <crackedHashesFile> - File being a result of running hashcat, in a form of hash:password
+    [delimiter]         - (optional) Delimiter to be prepended to the usernames file line containing password
+                            Default: comma
+        ''')
+        return False
+
+    usernamesFile = argv[1]
+    crackedHashesFile = argv[2]
+    delimiter = ',' if len(argv) < 4 else argv[3]
+
+    if not os.path.isfile(usernamesFile):
+        print(f'[!] Usernames file does not exist: "{usernamesFile}')
+        return False
+
+    if not os.path.isfile(crackedHashesFile):
+        print(f'[!] Cracked passwords file does not exist: "{crackedHashesFile}')
+        return False
+
+    usernames = []
+    cracked = []
+
+    with open(usernamesFile) as f: usernames = [x.strip() for x in f.readlines()]
+    with open(crackedHashesFile) as f: cracked = [x.strip() for x in f.readlines()]
+
+    correlated = []
+
+    for crackedPass in cracked:
+        for user in usernames:
+            posOfLastColon = crackedPass.rfind(':')
+            hashValue = crackedPass[:posOfLastColon]
+            password = crackedPass[posOfLastColon+1:]
+
+            if hashValue in user:
+                print(delimiter.join([user, password]))
+                correlated.append(delimiter.join([user, password]))
+
+if __name__ == "__main__":
+    main(sys.argv)
--- a/red-teaming/Count-PrivilegedGroupMembers.ps1
+++ b/red-teaming/Count-PrivilegedGroupMembers.ps1
@ -0,0 +1,79 @@
+<#
+  This script enumerates privileged groups (Tier-) and counts their users.
+  By knowing how many privileged users are there in examined groups, we can
+  briefly estimate the configuration debt impact on the assessed Active Directory
+  or domain maintenance misconfiguration impact.
+
+  Usage:
+    PS> . .\Count-PrivilegedGroupMembers.ps1
+    PS> Count-PrivilegedGroupMembers
+  
+  Mariusz B. / mgeeky
+#>
+
+# This script requires PowerView 3.0 dev branch
+# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
+
+Function Count-PrivilegedGroupMembers
+{    
+	[CmdletBinding()] Param(
+		[Parameter(Mandatory=$false)]
+        [String]
+        $Domain,
+
+		[Parameter(Mandatory=$false)]
+        [Switch]
+        $Recurse,
+
+		[Parameter(Mandatory=$false)]
+        [String]
+        $AdditionalGroupsFile
+    )
+
+	$PrivilegedGroups = @(
+		"Enterprise Admins"
+		"Domain Admins"
+		"Schema Admin"
+		"Account Operators"
+		"Backup Operators"
+		"Print Operators"
+		"Server Operators"
+		"Domain Controllers"
+		"Read-only Domain Controllers"
+		"Group Policy Creator Owners"
+		"Cryptographic Operators"
+		"Distributed COM Users"
+	)
+
+	$AdditionalGroups = @()
+
+	if($AdditionalGroupsFile.length -gt 0) {
+		[string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
+	}
+
+	$groups = $PrivilegedGroups + $AdditionalGroups
+
+	$GroupsMembers = @{}
+	foreach ($group in $groups)
+	{
+		$command = "(Get-DomainGroupMember -Identity '$group'"
+		if ($Recurse)
+		{
+			$command += " -Recurse"
+		}
+
+		if($Domain)
+		{
+			$command += " -Domain $Domain"
+		}
+
+		$command += " ).Count"
+		Write-Verbose "Running '$command'..."
+		$members = (Invoke-Expression $command) -as [int]
+		$GroupsMembers.Add($group, $members)
+
+		Write-Verbose "Got $members members in $group."
+	}
+
+	return $GroupsMembers
+}
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e
 IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
 ```

+- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.
+
 - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))

 - **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords. 
--- a/red-teaming/malleable_redirector/proxy2
+++ b/red-teaming/malleable_redirector/proxy2
@ -1 +1 @@
-Subproject commit d367e28c4928544793580a5a381d49699f0752e6
+Subproject commit e9f2fa9f2601097d6247b6a47f285e29b1b982e0