Initial Access Tactics, techniques and procedures

From Enlace Hacktivista
Jump to navigation Jump to search

Phishing

Phishing is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious email attachment or click on a malicious link.

Tools

Password Attacks

Groups like Lapsus$ show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of Uber, Rockstar games, Okta and so on then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either social engineering or MFA fatigue.

Username creation based on recon/osint

Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and emails for password spraying.

Passwords

Common and leaked credentials to test login portals and network services.

Default passwords:

Common and leaked passwords:

Password cracking tools

Searching leaks

Services

Please note: DO NOT use intelx[.]io as they have been seen doxing hackers in the past and block the use of Tor. AVOID!

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

Once your leaks have been downloaded you can parse your results in the format, email:pass.

Password spraying

Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords (Spring2023) and spray them hoping an employee uses a weak and guessable credential.

Hash cracking

Crack password hashes using both online and offline tools!

Identify hash:

Online tools:

Offline tools:

Buying access

You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

Spray and pray

As seen by Guacamaya, hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target emails out of their Microsoft exchange email servers and leaked them. You can also do the same! See scanning and recon for tools such as nuclei and the nmap scripting engine (NSE) to then vulnerability scan the IP addresses you discover.

IP Ranges:

Networks

Use the below as an exmaple for how to scan hosts for vulnerabilities and exploit on mass. Do your own research on commonly exploited CVEs along with new CVEs to discover new hosts with different vulnerabilities.

Tool: masscan

1. Scan for Proxyshell:

  • sudo masscan -Pn -sS -iL ranges.txt --rate 50000 -p443 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt
  • sed -i 's/$/:443/' results.txt

Exploit Discovered hosts: Proxyshell

2. Scan for CVE-2018-13379:

Exploit Discovered hosts: Fortinet SSL VPN Path Traversal

Tool: zmap

1. Scan for Microsoft Exchange Email Servers: 

sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt

2. Vulnerability scan discovered hosts for Proxyshell using NSE 

nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt

Password Attacks

RDP

1. Remote Desktop (RDP) Brute forcing:
Performing a large password spray or brute force campaign could be valuable to you in your operations if you are able to find one of your targets servers who use weak and guessable credentials.

VPN

2. Virtual Private Network (VPN) Brute forcing:
Using common password and username combinations to brute corporate VPNs to gain initial access.

Domains

By either collecting your target websites in a file manually, scanning the internet using zmap and zgrab and then extract only the discovered domains or by downloading a list of domains to scan through we can scan a large amount of domains for vulnerabilities, pull out only the domains that are relevant to us and exploit the discovered vulnerabilities. A manual pen test using both passive/active recon and automated and manually hacking following a good methodology will be better for more targeted attacks but this technique will get good coverage at the start of an operation.

List of domains:

1. Extract domains:

  • user@host:~/sni_ip_ranges$ cat *.txt > all.txt
  • grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/all.txt > domains.txt
  • grep -i '\.gov$' domains.txt > gov_domains.txt

2. Enumerate domains for their subdomains:

  • subfinder -dL gov_domains.txt -o government_domains.txt

3. Port scan domains:

  • naabu -l government_domains.txt -o government_domains_final.txt

4. Vuln scan domains:

  • nuclei -l government_domains_final.txt -s critical,high -o vuln_gov_domains.txt
Retrieved from "https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures&oldid=1467"