Skip to content

Latest commit

 

History

History
executable file
·
698 lines (588 loc) · 68.5 KB

PrivescPostEx.md

File metadata and controls

executable file
·
698 lines (588 loc) · 68.5 KB
Raw

Privilege Escalation & Post-Exploitation

Table of Contents

Hardware-based Privilege Escalation

  • Writeups
  • Tools
    • Inception
      • Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
    • PCILeech
      • PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
    • physmem
      • physmem is a physical memory inspection tool and local privilege escalation targeting macOS up through 10.12.1. It exploits either CVE-2016-1825 or CVE-2016-7617 depending on the deployment target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the same. They were patched in OS X El Capitan 10.11.5 and macOS Sierra 10.12.2, respectively.
    • rowhammer-test
      • Program for testing for the DRAM "rowhammer" problem
    • Tools for "Another Flip in the Wall"

Post-Exploitation General

Pivoting & Tunneling

  • Articles/Blogposts/Writeups
  • Tools
    • Multiple-Protocols
      • Socat
        • socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
        • Examples of use
        • Socat Cheatsheet
      • XFLTReaT
        • XFLTReaT tunnelling framework
      • gost
        • GO Simple Tunnel - a simple tunnel written in golang
    • Discovery
      • nextnet
        • nextnet is a pivot point discovery tool written in Go.
    • DNS
    • HTTP/HTTPS
      • SharpSocks
        • Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
      • Chisel
        • Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
      • SharpChisel
      • Crowbar
        • Crowbar is an EXPERIMENTAL tool that allows you to establish a secure circuit with your existing encrypting TCP endpoints (an OpenVPN setup, an SSH server for forwarding...) when your network connection is limited by a Web proxy that only allows basic port 80 HTTP connectivity. Crowbar will tunnel TCP connections over an HTTP session using only GET and POST requests. This is in contrast to most tunneling systems that reuse the CONNECT verb. It also provides basic authentication to make sure nobody who stumbles upon the server steals your proxy to order drugs from Silkroad.
      • A Black Path Toward The Sun(ABPTTS)
        • ABPTTS uses a Python client script and a web application server page/package[1] to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.
      • pivotnacci
        • Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a socks server which communicates with HTTP agents
      • graftcp
        • graftcp can redirect the TCP connection made by the given program [application, script, shell, etc.] to SOCKS5 or HTTP proxy.
      • Tunna
        • Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.
      • YARP/Yet Another Reverse Proxy
        • YARP is a reverse proxy toolkit for building fast proxy servers in .NET using the infrastructure from ASP.NET and .NET. The key differentiator for YARP is that it's been designed to be easily customized and tweaked to match the specific needs of each deployment scenario.
    • HTTP2
      • gTunnel
        • A TCP tunneling suite built with golang and gRPC. gTunnel can manage multiple forward and reverse tunnels that are all carried over a single TCP/HTTP2 connection. I wanted to learn a new language, so I picked go and gRPC. Client executables have been tested on windows and linux.
    • ICMP
      • Hans - IP over ICMP - hans
        • Source
        • Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.
      • icmptx
        • ICMPTX is a program that allows a user with root privledges to create a virtual network link between two computers, encapsulating data inside of ICMP packets.
    • PowerShell
    • RDP
    • SMB
      • Piper
        • Creates a local or remote port forwarding through named pipes.
      • flatpipes
        • A TCP proxy over named pipes. Originally created for maintaining a meterpreter session over 445 for less network alarms.
      • Invoke-PipeShell
        • This script demonstrates a remote command shell running over an SMB Named Pipe. The shell is interactive PowerShell or single PowerShell commands
      • Invoke-Piper
        • Forward local or remote tcp ports through SMB pipes.
    • SSH
      • SSHDog
        • SSHDog is your go-anywhere lightweight SSH server. Written in Go, it aims to be a portable SSH server that you can drop on a system and use for remote access without any additional configuration.
      • MeterSSH
        • MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
      • powermole
        • This program will let you perform port forwarding, redirect internet traffic, and transfer files to, and issue commands on, a host without making a direct connection (ie. via one or more intermediate hosts), which would undoubtedly compromise your privacy. This solution can only work when you or your peers own one or more hosts as this program communicates with SSH servers. This program can be viewed as a multi-versatile wrapper around SSH with the ProxyJump directive enabled. Powermole creates automatically a ssh/scp configuration file to enable key-based authentication with the intermediate hosts.
    • SOCKS/TCP/UDP
      • RFC1928: SOCKS Protocol Version 5
      • SOCKS: A protocol for TCP proxy across firewalls
      • shootback
        • shootback is a reverse TCP tunnel let you access target behind NAT or firewall
      • ssf - Secure Socket Funneling
        • Network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
      • PowerCat
        • A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
      • Udp2raw-tunnel
        • A Tunnel which tunnels UDP via FakeTCP/UDP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls(or Unstable UDP Environment). Its Encrypted, Anti-Replay and Multiplexed. It also acts as a Connection Stabilizer.)
      • reGeorg
        • The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
      • redsocks – transparent TCP-to-proxy redirector
        • This tool allows you to redirect any TCP connection to SOCKS or HTTPS proxy using your firewall, so redirection may be system-wide or network-wide.
      • ligolo
        • Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptical curve). It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.
      • proxychains-windows
        • Windows and Cygwin port of proxychains, based on MinHook and DLL Injection
      • rpivot
        • This tool is Python 2.6-2.7 compatible and has no dependencies beyond the standard library. It has client-server architecture. Just run the client on the machine you want to tunnel the traffic through. Server should be started on pentester's machine and listen to incoming connections from the client.
      • Secure Socket Funneling
        • Secure Socket Funneling (SSF) is a network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
      • Socks5
        • A full-fledged high-performance socks5 proxy server written in C#. Plugin support included.
    • VNC
      • Invoke-Vnc
        • Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
      • jsmpeg-vnc
        • A low latency, high framerate screen sharing server for Windows and client for browsers
    • VPN
      • ligolo-ng
        • An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.
    • WMI

Secured Environment Breakouts/Escapes