Domain Password Audit Tool

First, I will shamefully promote a tool I wrote myself that will generate password usage statistics on an Active Directory domain. Just how many people are using that weak password of “Winter2017” or “Password1”? Are your domain admins using the same password between their low-privileged and high-privileged accounts? Are the easily cracked LM hashes being stored on your domain controller? Now you can know, with the Domain Password Audit Tool (DPAT). Check out a full demo video here: https://www.youtube.com/watch?v=ehUopNRBqJI
File Metadata Extraction with PowerMeta

Files such as MS Word files and PDF files contain information (metadata) about who created the file. This information is generally set automatically by the operating system. Documents posted on a company’s website are often created by employees of that company. Inspecting the metadata of these files can give you valuable insight into the username format and possibly even the internal Active Directory domain name. PowerMeta by Beau Bullock is a PowerShell script that will locate and download documents posted on a given domain and report on the metadata each contains. A username list proves useful in password spraying attacks used to gain an initial foothold into a network.
Malicious Outlook Rules and Forms

Just how could you get a foothold on an internal network when you only have credentials to an external resource? Perhaps you have credentials to access a user’s Outlook Web Access account (web mail). You could generate a malicious Outlook rule or form to gain code execution on a client machine. The rule is automatically synchronized to the victim’s Outlook instance running on their machine on the internal network. The rule triggers the execution of a file that you control, resulting in code execution. The Ruler tool from SensePost makes this task easy.
ProxyCannon (Vary the Source IP of your Attack)

One last note on password spraying. Password spraying is guessing a few passwords against a large list of usernames in hopes of discovering a valid set of credentials without locking out any accounts. Sometimes this attack is detected when many failed logins are seen coming from one IP address. The attack could subsequently be blocked by blocking traffic from that IP. How cool would it be if your source IP address was constantly changing? This would make the attack very difficult to detect, let alone block. Well, this is the exact functionality provided to us by the free tool from shellIntel called ProxyCannon. I’ve used this tool on multiple assessments this year, and I love it. I did a little demo on Security Weekly earlier this year if you would like to see it in action. I’ve also got some helpful hints for using Burp Intruder with ProxyCannon in this blog post.
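The detection gap described above (a per-source-IP failed-login counter goes blind once the source address rotates) is easier to see in code. The following is an added example, not ProxyCannon or any tool from the post: it runs a classic per-IP counter and a source-independent spray detector (distinct usernames failing within a time window) over a constructed log sample. The log format, the sample entries and both thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, result, username, source IP.
# The first six failures are one spray round spread across rotating source addresses;
# the last line is a single user retrying twenty minutes later.
SAMPLE_LOG = """\
2017-11-02T09:00:01 FAIL alice 203.0.113.10
2017-11-02T09:00:03 FAIL bob 203.0.113.11
2017-11-02T09:00:05 FAIL carol 198.51.100.7
2017-11-02T09:00:08 FAIL dave 203.0.113.12
2017-11-02T09:00:10 FAIL erin 198.51.100.8
2017-11-02T09:00:12 FAIL frank 203.0.113.13
2017-11-02T09:00:15 OK grace 198.51.100.9
2017-11-02T09:20:00 FAIL alice 203.0.113.10
"""


def parse_log(text):
    """Parse the assumed 'timestamp result user ip' format into tuples."""
    events = []
    for line in text.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def per_ip_alerts(events, threshold):
    """Classic detector: source IPs with at least `threshold` failed logins.
    Rotating source addresses keep every IP below the threshold."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def spray_alerts(events, window, threshold):
    """Source-independent detector: for each failure, count the distinct usernames
    that also failed within `window` after it, ignoring the source IP entirely.
    Returns (window_start, sorted usernames) for every window meeting `threshold`."""
    fails = sorted((ts, user) for ts, result, user, _ in events if result == "FAIL")
    alerts = []
    for i, (start, _) in enumerate(fails):
        users = {u for ts, u in fails[i:] if ts - start <= window}
        if len(users) >= threshold:
            alerts.append((start, sorted(users)))
    return alerts
```

With a per-IP threshold of 3 the spray produces no alert at all, while the username-based window detector flags the six-account burst regardless of how many addresses it came from.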
PowerShell DNScat Client

DNScat is a Command and Control (C2) channel over the DNS protocol. It is powerful because it almost always works, even on networks with the tightest egress restrictions. Originally, a client-side executable needed to be run to establish the connection. Wouldn’t it be great to instead run the client-side code in memory, avoiding anti-virus detections and application whitelisting restrictions? Well, here is an easy solution for that using Luke Baggett’s PowerShell implementation of the DNScat client.
Domain Categorization Take Over

Speaking of getting C2 connections out of tightly restricted networks, here’s another solution. Brian Fehrman from Black Hills Information Security has a nice write-up on Domain Categorization takeover. This technique involves using a domain that is already in a trusted category but has recently become available for purchase and reuse. In this way, your connection is riding out on the trust previously established by the prior domain owner/application. Pentesters love tricks like this; it just makes us feel good inside!