Enumeration and Harvesting

All the ways to grab the goodies

Enumeration

https://www.ired.team/offensive-security/enumeration-and-discovery
http://pwnwiki.io/#!presence/windows/blind.md - Windows Blind files to search for as an attacker
http://pwnwiki.io/#!presence/linux/blind.md - Linux Blind files
http://pwnwiki.io/#!presence/windows/windows_cmd_config.md - Commands that display information about the configuration of the victim and are usually executed from the context of the cmd.exe or command.exe prompt.
http://pwnwiki.io/#!presence/windows/network.md - Windows commands to help you gather information about the victim system's network connections, devices and capabilities.

Privilege escalation tools can also provide much of the enumeration that you need.

pagePrivilege Escalation

Harvesting and Credential Dumping

iRedTeam blog - https://www.ired.team/offensive-security/credential-access-and-credential-dumping

Endpoint Tools

PassHunt - PassHunt searches drives for documents that contain passwords or any other regular expression. It's designed to be a simple, standalone tool that can be run from a USB stick.
SessionGopher - SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It has WMI functionality built in so it can be run remotely. Its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.
CredDump - Tool for dumping credentials and secrets from Windows Registry Hives.
- https://www.kali.org/tools/creddump7/
dumpsterdiver - This package contains a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords.
polenum - polenum is a Python script which uses the Impacket Library from CORE Security Technologies to extract the password policy information from a windows machine.
powersploit - PowerSploit is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests.
pspy - Monitor linux processes without root permissions
swap_digger - swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
https://highon.coffee/blog/linux-local-enumeration-script/
Masky - Python library with CLI allowing to remotely dump domain user credentials via an ADCS without dumping the LSASS process memory
- https://z4ksec.github.io/posts/masky-release-v0.0.3/
MimiPenguin - A tool to dump the login password from the current linux desktop user.
Internal-Monologue - Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
GhostPack/Koh - Koh is a C# and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.
- https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6?gi=be2457d740ab
Impacket Tools
- impacket/mimikatz.py
- impacket/secretsdump.py

LaZagne

LaZagne is an open-source tool used in post-exploitation to recover stored passwords on a system. Its modules support Windows, Linux, and OSX, but are primarily intended for Windows systems. Software uses different techniques to save credentials, such as saving them to a plaintext file, local databases or credential managers. LaZagne is able to search for these common methods and retrieve any passwords it finds. LaZagne is capable of extracting passwords from 87 different software applications from the following categories of software: Browsers, Chats, Databases, Games, Git, Mails, Maven, Dumps from memory, Multimedia, PHP, SVN, Sysadmin, WIFI, and Internal mechanism password storage The LaZagne tool along with a full list of software that it supports is available in the public GitHib repository.

https://www.youtube.com/watch?v=AwFyiFOXrd0 Using LaZagne on Windows

LaZagne's ability to retrieve stored credentials for Windows software is extensive and supports a large number of browsers including Chrome and Firefox, chat clients including Skype, databases, and mail clients including Outlook. The tool also supports credential retrieval for many sysadmin utilities like OpenVPN and OpenSSH, and password managers such as KeyPass, which could provide valuable credentials for moving to other hosts in a network. Usage

The Windows version comes with an executable (.exe) file that can be used as a standalone .exe; however, it is not able to detect some credentials such as Google Chrome passwords. Simply double clicking on the executable ‘Lazagne.exe' will cause a warning message which indicates that the executable is malicious.

To run the tool successfully, use the command prompt to execute LaZagne:
- > lazagne.exe
- # Run all modules
  - > lazagne.exe all
- # Run the browser modules
  - lazagne.exe browsers
There is also a Python script in the Windows directory of the LaZagne repository that can run on systems with Python installed. There are a few requirements that may need to be installed first – check the requirements.txt file in the repository for more details.
- #python laZagne.py
- # Run all modules
  - python laZagne.py all
- # Run modules for Google Chrome. Add the -v flag for verbose output
  - python laZagne.py browsers -google -v

Endpoint Techniques

Passwords in AD Attributes

https://xapax.github.io/security/#attacking_active_directory_domain/active_directory_privilege_escalation/passwords_in_active_directory_attributes/

Mining SMB Shares

https://xapax.github.io/security/#attacking_active_directory_domain/active_directory_privilege_escalation/smb_shares_mining/

Scripts stored in SYSVOL

Passwords in GPO

NTDS.DIT Password Extraction

Windows Service Extraction

WCE - Windows Credential Editor
- Lists windows logon sessions and add/change/delete associated credentials
Windows credential manager
- https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.p

Password FIlter DLL - used by Windows to enforce password strength policies.

System administrators can create password filter DLLs to ensure all password changes meet a minimum requirement.
New passwords are passed to the DLL in plaintext, allowing attackers to leverage this Windows feature to steal credentials.
Password changes on Windows are handled by the Local Security Authority (LSA). When a password change occurs, the LSA executes each registered password filter to check that the new passwords meets the specified requirements.
Each password filter must return ‘true’ for the password change to occur; if any of the filters return ‘false’, an error is displayed to the user. Password filters can be installed locally or on domain controllers (DCs).
Password filters are created as DLL files and placed in the ‘C:\Windows\System32’ directory.
Once in place, the new file must be registered by adding its name (without the .dll extension) to the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
The DLL file is comprised of three functions, each of which performs a specific task when executed.
- InitializeChangeNotify is called to notify the filter that a password change has been requested. This function returns true or false to indicate whether if the filter has initialised successfully.
- PasswordFilter is called to validate the new password. This function contains the code to test the provided password and returns true or false to indicate if the password is valid.
- PasswordChangeNotify is called to inform the filter if the password change was made successfully.
Password filter DLLs can be used by malicious actors to harvest account credentials. The PasswordFilter and PasswordChangeNotify functions both have access to the plaintext password and the name of the account whose password is to be changed. By installing a malicious password filter, attackers can exfiltrate every updated password to a remote server, local file or even block every password change by setting their filter’s PasswordFilter function to always return false.
Ensuring that appropriate permissions are set for the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages key will prevent unauthorized users or groups from being able to register new filter

Misc

Command Reference

General Enumeration
- RTFM: Linux System Info - pg. 5
- BTFM: Linux System Info - pg. 71
- RTFM: Windows System Info - pg. 15
- BTFM: Windows System Info - pg. 60
- RTFM: WMI Info - pg. 20
- RTFM: Powershell Info - pg. 22
- RTFM: Registry Locations - pg. 26
Host Enumeration
- Browser Information
  - PTFM: Browser Information- pg. 46
- Virtual Machine Detection
  - PTFM: Windows VM Detection - pg. 47
  - PTFM: Linux VM Detection - pg. 106
- Searching for cleartext passwords
  - PTFM: Windows Cleartext Passwords - pg. 40
  - PTFM: Linux Cleartext Passwords - pg. 102
- Credential Dumping
  - PTFM: Windows Credential Dumping - pg. 41
  - PTFM: Linux Credential Dumping - pg. 102
- Firewall settings
  - BTFM: Windows Firewall - pg. 22
  - BTFM: Linux Firewall - pg. 35
Active Directory
- BTFM: AD Inventory - pg. 16
Email collection
- PTFM: Email Collection - pg. 59

SlackPirate - Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace
Copy a locked file - https://github.com/GhostPack/Lockless

PreviousDefense Evasion NextFile Transfer

Last updated 1 year ago