From 305492a3eef0441ab25d6a56b1ffc07d5cabc618 Mon Sep 17 00:00:00 2001 From: mgeeky Date: Wed, 4 Mar 2020 16:51:29 +0100 Subject: [PATCH] Added couple of tools --- others/README.md | 11 +++ others/correlateCrackedHashes.py | 65 ++++++++++++++++ red-teaming/Count-PrivilegedGroupMembers.ps1 | 79 ++++++++++++++++++++ red-teaming/README.md | 2 + red-teaming/malleable_redirector/proxy2 | 2 +- 5 files changed, 158 insertions(+), 1 deletion(-) create mode 100755 others/correlateCrackedHashes.py create mode 100644 red-teaming/Count-PrivilegedGroupMembers.ps1 diff --git a/others/README.md b/others/README.md index 44be154..922d09e 100644 --- a/others/README.md +++ b/others/README.md @@ -5,6 +5,17 @@ - **`Contoso-AD-Structure`** - Simple script intended to create a sample AD structure filled out with users and groups. +- **`correlateCrackedHashes.py`** - Hashcat results correlation utility. +Takes two files on input. Tries to find every line of the second file within the first file and for every found match - extracts password value from the second file's line. Then prints these correlations. +In other words - having the following in FileA: + `some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c` + +and a line in FileB that would be a result of running hashcat: + `68eacb97d86f0c4621fa2b0e17cabd8c:Test123` + +the script will print out: + `some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123` + - **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da)) - **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh) 
diff --git a/others/correlateCrackedHashes.py b/others/correlateCrackedHashes.py
new file mode 100755
index 0000000..05ecbca
--- /dev/null
+++ b/others/correlateCrackedHashes.py 
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+#
+# Takes two files on input. Tries to find every line of the second file within the first file
+# and for every found match - extracts password value from the second file's line. Then prints these correlations.
+#
+# In other words:
+#
+# FileA:
+# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c
+#
+# FileB - result of running hashcat:
+# 68eacb97d86f0c4621fa2b0e17cabd8c:Test123
+#
+# WILL RETURN:
+# some-user@example.com,68eacb97d86f0c4621fa2b0e17cabd8c,Test123
+#
+# Mariusz B. / mgeeky
+#
+
+import sys, os
+
+def main(argv):
+ if len(argv) < 3:
+ print('''
+Usage: ./correlateCrackedHashes.py [delimiter]
+
+ - File containing usernames and their hashes (or just hashes)
+ - File being a result of running hashcat, in a form of hash:password
+ [delimiter] - (optional) Delimiter to be prepended to the usernames file line containing password
+ Default: comma
+ ''')
+ return False
+
+ usernamesFile = argv[1]
+ crackedHashesFile = argv[2]
+ delimiter = ',' if len(argv) < 4 else argv[3]
+
+ if not os.path.isfile(usernamesFile):
+ print(f'[!] Usernames file does not exist: "{usernamesFile}')
+ return False
+
+ if not os.path.isfile(crackedHashesFile):
+ print(f'[!] Cracked passwords file does not exist: "{crackedHashesFile}')
+ return False
+
+ usernames = []
+ cracked = []
+
+ with open(usernamesFile) as f: usernames = [x.strip() for x in f.readlines()]
+ with open(crackedHashesFile) as f: cracked = [x.strip() for x in f.readlines()]
+
+ correlated = []
+
+ for crackedPass in cracked:
+ for user in usernames:
+ posOfLastColon = crackedPass.rfind(':')
+ hashValue = crackedPass[:posOfLastColon]
+ password = crackedPass[posOfLastColon+1:]
+
+ if hashValue in user:
+ print(delimiter.join([user, password]))
+ correlated.append(delimiter.join([user, password]))
+
+if __name__ == "__main__":
+ main(sys.argv)
\ No newline at end of file 
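Review bot: In main's nested loop a cracked line without a colon is still treated as a match: `rfind` returns -1, so `hashValue` becomes the line minus its last character and `password` the whole line, and a blank line yields an empty `hashValue` that matches every username through `in`. Move the split out of the `for user` loop (it does not depend on `user`) and drop malformed lines: `posOfLastColon = crackedPass.rfind(':')` followed by `if posOfLastColon < 0: continue`. Both error messages also open a double quote that is never closed (`"{usernamesFile}'`), `correlated` is appended to but never read, and the `False` returned on bad arguments is discarded by the `__main__` block, so the exit status is always 0. A comment on the `rfind` line stating the assumed `hash:password` layout would help, since a plaintext that itself contains a colon is truncated by the last-colon split, and the header should note that the output pairs identities with cleartext passwords and must be handled like the cracked file itself.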
diff --git a/red-teaming/Count-PrivilegedGroupMembers.ps1 b/red-teaming/Count-PrivilegedGroupMembers.ps1
new file mode 100644
index 0000000..d545020
--- /dev/null
+++ b/red-teaming/Count-PrivilegedGroupMembers.ps1 
@@ -0,0 +1,79 @@
+<#
+ This script enumerates privileged groups (Tier-) and counts their users.
+ By knowing how many privileged users are there in examined groups, we can
+ briefly estimate the configuration debt impact on the assessed Active Directory
+ or domain maintenance misconfiguration impact.
+
+ Usage:
+ PS> . .\Count-PrivilegedGroupMembers.ps1
+ PS> Count-PrivilegedGroupMembers
+
+ Mariusz B. / mgeeky
+#>
+
+# This script requires PowerView 3.0 dev branch
+# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
+
+Function Count-PrivilegedGroupMembers
+{
+ [CmdletBinding()] Param(
+ [Parameter(Mandatory=$false)]
+ [String]
+ $Domain,
+
+ [Parameter(Mandatory=$false)]
+ [Switch]
+ $Recurse,
+
+ [Parameter(Mandatory=$false)]
+ [String]
+ $AdditionalGroupsFile
+ )
+
+ $PrivilegedGroups = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Schema Admin"
+ "Account Operators"
+ "Backup Operators"
+ "Print Operators"
+ "Server Operators"
+ "Domain Controllers"
+ "Read-only Domain Controllers"
+ "Group Policy Creator Owners"
+ "Cryptographic Operators"
+ "Distributed COM Users"
+ )
+
+ $AdditionalGroups = @()
+
+ if($AdditionalGroupsFile.length -gt 0) {
+ [string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
+ }
+
+ $groups = $PrivilegedGroups + $AdditionalGroups
+
+ $GroupsMembers = @{}
+ foreach ($group in $groups)
+ {
+ $command = "(Get-DomainGroupMember -Identity '$group'"
+ if ($Recurse)
+ {
+ $command += " -Recurse"
+ }
+
+ if($Domain)
+ {
+ $command += " -Domain $Domain"
+ }
+
+ $command += " ).Count"
+ Write-Verbose "Running '$command'..."
+ $members = (Invoke-Expression $command) -as [int]
+ $GroupsMembers.Add($group, $members)
+
+ Write-Verbose "Got $members members in $group."
+ }
+
+ return $GroupsMembers
+}
\ No newline at end of file
diff --git a/red-teaming/README.md b/red-teaming/README.md
index b7ebe38..39a58d0 100644
--- a/red-teaming/README.md
+++ b/red-teaming/README.md 
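Review bot: The foreach body builds a command string from `$group` and `$Domain` and hands it to `Invoke-Expression`, so a group name read from `-AdditionalGroupsFile` that contains a single quote, or a `-Domain` value with spaces, breaks the quoting and is evaluated as PowerShell instead of being passed as an argument. Call `Get-DomainGroupMember` directly with a splatted parameter table; that also removes the need to stringify `-Recurse` and `-Domain` and the verbose line that echoes the built command. Separately, the hard-coded list has `"Schema Admin"` where the built-in group is `Schema Admins`, so that entry most likely counts nothing, and `$GroupsMembers.Add` throws on a duplicate key when the additional file repeats a built-in name (`$GroupsMembers[$group] = $members` tolerates it). Blank lines in the additional file also become empty group names, so filtering them out after `Get-Content` would be worthwhile.
```powershell
    foreach ($group in $groups)
    {
        $params = @{ Identity = $group }
        if ($Recurse) { $params['Recurse'] = $true }
        if ($Domain)  { $params['Domain']  = $Domain }

        Write-Verbose "Querying members of '$group'..."
        $members = ((Get-DomainGroupMember @params).Count) -as [int]
        $GroupsMembers[$group] = $members

        # … unchanged: Write-Verbose "Got $members members in $group." …
    }
```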
@@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); ``` +- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes. + - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c)) - **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords. diff --git a/red-teaming/malleable_redirector/proxy2 b/red-teaming/malleable_redirector/proxy2 index d367e28..e9f2fa9 160000 --- a/red-teaming/malleable_redirector/proxy2 +++ b/red-teaming/malleable_redirector/proxy2 @@ -1 +1 @@ -Subproject commit d367e28c4928544793580a5a381d49699f0752e6 +Subproject commit e9f2fa9f2601097d6247b6a47f285e29b1b982e0