
Hacker Bag of Tricks 2019

This document provides an overview of hacking tools and techniques that can be demonstrated in 30 minutes. It describes MouseJack/JackIT to take control of wireless keyboards and mice from up to 100 meters away, SSH-MiTM to intercept SSH connections and capture plaintext passwords, Bash Bunny to quickly harvest credentials from locked computers using a USB device, S.E.T.H to downgrade RDP connections to extract cleartext credentials, and Responder/MultiRelay to answer name service queries and perform pass the hash attacks by capturing hashes using Responder.

Inside The Hackers Bag Of Tricks

I Am A Hacker, If I’m Laughing…Hope You Have Backups


Len Noe
▪ Email: Len.Noe@CyberArk.com
▪ LinkedIn: linkedin.com/in/len-noe
▪ GitHub: github.com/hacker213
▪ YouTube: hacker_213
▪ Twitter: @hacker_213

▪ Global Corp. SE Manager
▪ CyberArk SME PTA/EPM/MFA
▪ Certified Ethical Hacker
▪ CompTIA Sec+
▪ Microsoft Certified Professional
▪ Solaris Certified Administrator
▪ Citrix Certified Administrator
▪ SANS 560, 570
▪ OWASP
▪ CNA
Disclaimers!

• No uber 1337 H4kz!
• More than one way to skin a cat.
• So simple a Script-Kiddie can do it!
• Demos will FAIL!!
The Cyber Kill Chain

Recon → Weaponization → Delivery → Exploitation → Installation → Command & Control → Exfiltration
• "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

― Sun Tzu, The Art of War
6 Full Attacks In 30 Minutes

1. MouseJack / JackIT
2. SSH-MiTM
3. BashBunny – QuickCreds
4. S.E.T.H.
5. Responder / MultiRelay
6. WHID Cactus
MouseJack / JackIT

• MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

• An attacker can launch the attack from up to 100 meters away, take control of the target computer without physically being in front of it, and type arbitrary text or send scripted commands. Malicious activity can therefore be performed rapidly, without being detected.

• The exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, while keystrokes are often encrypted (to prevent eavesdropping on what is being typed). The vulnerability is in the affected receiver dongles and their associated software: they accept unencrypted keystrokes transmitted by an attacker and pass them on to the computer's operating system as if the victim had legitimately typed them.

• Fix: apply the vendor's dongle firmware update where one exists (Logitech shipped one for Unifying receivers); otherwise replace the set with wired or Bluetooth peripherals. The attack needs radio range, not network access, so network-side controls never see it.
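What "injecting unencrypted keystrokes" looks like byte for byte, as an added example that is not JackIT's or Bastille's code. The character-to-usage-ID table is the standard USB HID keyboard page (US layout, the same layout caveat Seth has later in this deck). The 10-byte frame layout (0x00, 0xC1, modifier, 0x00, usage, padding, checksum) and the two's-complement checksum are written from memory of JackIT's Logitech plugin and are an assumption: verify them against the JackIT source before relying on them. frame_is_consistent() is the receiver-side check the dongle performs; note that nothing in it authenticates the sender, which is the whole bug.

```python
"""Unencrypted keystroke frames as a MouseJack injector would transmit them.

Added example, not JackIT's or Bastille's code. The HID usage IDs are the
standard USB keyboard page (US layout). The 10-byte frame layout
(0x00, 0xC1, modifier, 0x00, usage, padding, checksum) and the two's-complement
checksum are written from memory of JackIT's Logitech plugin and are an
assumption: check them against the JackIT source before relying on them.
"""
from typing import List, Tuple

LEFT_SHIFT = 0x02  # USB HID modifier byte, bit 1 = left shift

# Unshifted characters -> USB HID keyboard usage IDs (US layout)
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
               "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
               ",": 0x36, ".": 0x37, "/": 0x38})
# Characters that are Shift + one of the keys above
_SHIFTED = dict(zip("!@#$%^&*()_+{}|:\"~<>?", "1234567890-=[]\\;'`,./"))


def hid_for_char(ch: str) -> Tuple[int, int]:
    """Return (modifier, usage_id) for one character under the US layout."""
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if ch in _SHIFTED:
        return LEFT_SHIFT, _PLAIN[_SHIFTED[ch]]
    if ch.isupper() and ch.lower() in _PLAIN:
        return LEFT_SHIFT, _PLAIN[ch.lower()]
    raise ValueError(f"no US-layout mapping for {ch!r}")


def with_checksum(frame: List[int]) -> List[int]:
    """Fill the last byte so the whole frame sums to 0 mod 256 (assumed Logitech rule)."""
    out = list(frame)
    out[-1] = (-sum(out[:-1])) & 0xFF
    return out


def key_frame(modifier: int, usage: int) -> List[int]:
    """One unencrypted keystroke report; 0xC1 marks it as such (assumed layout)."""
    return with_checksum([0x00, 0xC1, modifier, 0x00, usage, 0x00, 0x00, 0x00, 0x00, 0x00])


def frames_for_string(text: str) -> List[List[int]]:
    """Key-down then key-up frame per character, so repeated characters register."""
    frames = []
    for ch in text:
        modifier, usage = hid_for_char(ch)
        frames.append(key_frame(modifier, usage))
        frames.append(key_frame(0, 0))
    return frames


def frame_is_consistent(frame: List[int]) -> bool:
    """Receiver-side sanity check: a well-formed frame sums to zero modulo 256."""
    return sum(frame) & 0xFF == 0


if __name__ == "__main__":
    for f in frames_for_string("id\n"):
        print(" ".join(f"{b:02x}" for b in f))
```

The frames are what a transmitter such as the Crazyradio would send on the dongle's channel; the point to take from the code is that the only integrity check is an additive checksum anyone can compute, so the dongle cannot tell the injector from the keyboard.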
[Slide: MouseJack and JackIT screenshots]
SSH-MiTM

• This penetration testing tool allows an auditor to intercept SSH connections. A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.
• The victim's SSH client will complain that the server's key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc.), many users will disregard the warning, delete the old known_hosts entry and continue.
• Caveats: the warning only appears if the client already has the real server's key in known_hosts; on a first connection the client just sees an unknown host and the proxy's key is accepted on trust. The countermeasures are StrictHostKeyChecking yes on clients, host keys distributed out of band (CA-signed host certificates or SSHFP records), and treating a changed-key warning as an incident rather than a nuisance.
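The decision the victim's client makes, reduced to code, as an added example that is not ssh-mitm's code. It reproduces the three outcomes an OpenSSH client distinguishes (key known and matching, key known but CHANGED, host unknown) and the StrictHostKeyChecking policy over them, including the hashed |1|salt|hmac known_hosts entries OpenSSH writes by default. The known_hosts text, the keys and the salt are constructed for the example.

```python
"""What an SSH client does with a presented host key, driven by known_hosts.

Added example, not ssh-mitm's code. It reproduces the three outcomes an
OpenSSH client distinguishes: key known and matching, key known but CHANGED
(the warning the MITM proxy triggers), and host unknown (first contact, where
there is nothing to compare and a MITM is silently accepted). Plain and hashed
(|1|salt|hmac) entries are both handled. The known_hosts text and keys are
constructed for the example.
"""
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed-host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches_host(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), field)
    return host in field.split(",")  # plain entry: comma-separated names/addresses


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'CHANGED' or 'unknown' for the key the server presented."""
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        hosts_field, ktype, kdata = parts[:3]
        if ktype != key_type or not entry_matches_host(hosts_field, host):
            continue
        seen_host = True
        if hmac.compare_digest(kdata, key_b64):
            return "match"
    return "CHANGED" if seen_host else "unknown"


def should_connect(result: str, strict_host_key_checking: str = "ask") -> bool:
    """Mirror of the StrictHostKeyChecking policy (simplified).

    'yes' only ever accepts a matching key; 'ask' (the default) accepts an
    unknown host after a prompt but refuses a changed key; 'no' proceeds
    even on a changed key (OpenSSH then disables password authentication).
    """
    if result == "match":
        return True
    if result == "unknown":
        return strict_host_key_checking in ("ask", "no")
    return strict_host_key_checking == "no"


def sample_known_hosts() -> str:
    """Constructed file: one plain entry and one hashed entry."""
    salt = b"0123456789abcdefghij"  # constructed 20-byte salt
    return "\n".join([
        "# constructed example file",
        "bastion.example.internal,10.0.0.5 ssh-ed25519 AAAAC3Nz_constructed_key_bastion",
        hash_hostname("jump.example.internal", salt) + " ssh-ed25519 AAAAC3Nz_constructed_key_jump",
    ]) + "\n"


if __name__ == "__main__":
    kh = sample_known_hosts()
    print(check_host_key(kh, "10.0.0.5", "ssh-ed25519", "AAAAC3Nz_constructed_key_bastion"))  # match
    print(check_host_key(kh, "10.0.0.5", "ssh-ed25519", "AAAA_proxy_key"))                      # CHANGED
```

The "unknown" branch is the one the slide's 99.99999% argument skips: with the default policy a proxy that gets in front of a host the user has never connected to before produces no warning at all, only the usual fingerprint prompt.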
[Slide: SSH-MiTM screenshot]
Hak5 Bash Bunny - QuickCreds

• The Bash Bunny by Hak5 is a simple and powerful multi-function USB attack and automation platform for penetration testers and systems administrators.
• Setup and deployment are easy: a simple "Bunny Script" language, a multi-position attack switch and a centralized repository of payloads.
• It's powerful, with multiple attack vectors including HID keyboard, USB Ethernet, Serial and Mass Storage. It can simultaneously perform keystroke injection attacks, bring-your-own-network attacks and intelligent exfiltration.
Hak5 Bash Bunny - QuickCreds

The Bash Bunny is a device that masquerades as a USB Ethernet adapter and has a computer running Linux inside the enclosure. With the QuickCreds payload it captures credentials from a system even when that system is locked.
The hash capturing is done with Laurent Gaffié's Responder.
USB is Plug-and-Play, so even when a system is locked the device still gets installed and initialized. Newer operating systems (Win10, El Capitan) restrict which device types may install while locked, but Ethernet/LAN adapters remain on the allow list.
Computers constantly create traffic even with no browsers or applications open, and most computers trust their local network by default.
When there is more than one gateway or network connection, preference is decided by "metrics" on Windows and by a combination of metrics and "preference" on macOS; by default "wired" and "newer/faster" win out.
This means that by plugging in the device it becomes the gateway, DNS server, WPAD server and more, because Responder answers for all of them.
The average time from inserting the device into a locked workstation to harvested creds is approximately 13 seconds.
What is harvested is the NetNTLM challenge-response (v2 on modern defaults) that the locked machine's background traffic (WPAD, SMB) sends to Responder's fake services, not a cleartext password; it is cracked offline or relayed. Mitigations: device installation restriction policies that block new network-class USB devices, disabling LLMNR/NBT-NS and WPAD auto-discovery, and requiring SMB signing.
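The defender's side of the 13-second window, as an added example that is not Hak5's or Mubix's code: a detection that correlates three real Windows Security-log event IDs, 4800 (workstation locked), 4801 (unlocked) and 6416 (new external device recognized, which only appears when "Audit PnP Activity" is enabled), and alerts when a network-class device installs between a lock and the matching unlock. The event rows are constructed sample data and their field names are a flattening of the real event XML.

```python
"""Detect a network adapter that appears while the workstation is locked.

Added example, not Hak5's or Mubix's code: the defender's side of QuickCreds.
It correlates three real Windows Security-log event IDs: 4800 (workstation
locked), 4801 (unlocked) and 6416 (new external device recognized, which
requires "Audit PnP Activity" to be enabled). The events below are constructed
sample data, not real logs, and the field names are a simplification of the
real event XML.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: (time, event id, computer, device class, device description)
SAMPLE_EVENTS = [
    ("2019-05-02T09:14:03", 4800, "WS-1042", "", ""),
    ("2019-05-02T09:14:41", 6416, "WS-1042", "Net", "USB Ethernet/RNDIS Gadget"),
    ("2019-05-02T09:14:54", 6416, "WS-1042", "HIDClass", "USB Input Device"),
    ("2019-05-02T09:20:10", 4801, "WS-1042", "", ""),
    ("2019-05-02T10:02:00", 6416, "WS-1042", "Net", "Realtek USB GbE Family Controller"),
    ("2019-05-02T11:00:00", 4800, "WS-2001", "", ""),
    ("2019-05-02T11:00:30", 6416, "WS-2001", "USBDevice", "USB Mass Storage Device"),
]

NETWORK_CLASSES = {"Net"}  # the setup class a USB Ethernet gadget installs under


@dataclass
class Alert:
    computer: str
    device: str
    seconds_after_lock: float


def load_events(rows) -> List[Dict]:
    return [{"time": datetime.fromisoformat(t), "id": eid, "computer": c,
             "class": cls, "device": dev} for t, eid, c, cls, dev in rows]


def network_devices_installed_while_locked(events: List[Dict]) -> List[Alert]:
    """Track lock state per computer; alert on a Net-class 6416 between 4800 and 4801."""
    locked_since: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        comp = ev["computer"]
        if ev["id"] == 4800:
            locked_since[comp] = ev["time"]
        elif ev["id"] == 4801:
            locked_since.pop(comp, None)
        elif ev["id"] == 6416 and comp in locked_since and ev["class"] in NETWORK_CLASSES:
            delta = (ev["time"] - locked_since[comp]).total_seconds()
            alerts.append(Alert(comp, ev["device"], delta))
    return alerts


if __name__ == "__main__":
    for a in network_devices_installed_while_locked(load_events(SAMPLE_EVENTS)):
        print(f"{a.computer}: {a.device!r} installed {a.seconds_after_lock:.0f}s after lock")
```

The adapter that installs while the console is unlocked (10:02 in the sample) is deliberately not flagged; a docking station produces that every morning. The mass-storage device on WS-2001 is also ignored here, since QuickCreds needs the network class, but a keyboard-class device appearing while locked is a second signal worth its own rule for the HID attacks later in this deck.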
[Slide: Bash Bunny QuickCreds screenshot]
S.E.T.H.

• Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).
• The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want to use Seth in combination with Responder: use Responder to gain a Man-in-the-Middle position and run Seth at the same time.
• The cleartext capture depends on the client accepting a downgrade from NLA to standard RDP security and on the user clicking through the certificate warning; the defensive counterpart is to require NLA on the server and to issue RDP server certificates that clients actually validate.
S.E.T.H.

https://github.com/SySS-Research/Seth

Usage:
    ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
The last parameter is optional. It can contain a command that is executed on the RDP host.
S.E.T.H.

Keystroke injection depends on which keyboard layout the victim is using; currently it is only reliable with the English US layout. Avoid special characters by using powershell -enc <STRING>, where STRING is your UTF-16LE and Base64 encoded command. However, calc should be pretty universal and gets the job done.
Run seth.py -h for more information.
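The -enc trick from both sides, as an added example that is not Seth's code: encode_command() produces the STRING the slide describes (PowerShell defines it as Base64 over the UTF-16LE bytes of the script), and decode_encoded_commands() pulls such payloads back out of a process command line, which is the routine SOC task whenever an injected command shows up in process-creation logs. PowerShell accepts any unambiguous prefix of -EncodedCommand, so the decoder handles -e, -ec, -enc and the rest while skipping look-alikes such as -ep. The command lines are constructed.

```python
"""PowerShell -EncodedCommand: build one for injection, and pull them back out
of a command line for detection.

Added example, not Seth's code. The encoding is the one PowerShell defines
(Base64 over the UTF-16LE bytes of the script); PowerShell accepts any
unambiguous prefix of -EncodedCommand, so the decoder handles -e, -ec, -enc
and so on. The command lines below are constructed.
"""
import base64
import re
from typing import List

# "-e", "-enc", "-EncodedCommand" ... followed by a Base64 blob
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def encode_command(script: str) -> str:
    """What you would hand to `powershell -enc`: Base64(UTF-16LE(script))."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_commands(cmdline: str) -> List[str]:
    """Return every decodable -EncodedCommand payload found in a command line."""
    found = []
    for flag, blob in _ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):  # e.g. -ep is -ExecutionPolicy
            continue
        try:
            found.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):  # not Base64, or not UTF-16LE
            continue
    return found


if __name__ == "__main__":
    blob = encode_command("calc")
    print(f"powershell -enc {blob}")
    print(decode_encoded_commands(f"powershell -ep bypass -w hidden -e {blob}"))
```

Why the layout problem goes away: every character of the Base64 alphabet sits on an unshifted or shift-plus-digit key in the US layout and in most others, while quotes, pipes and braces move around between layouts, which is exactly what the injected keystrokes of a raw command would hit.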
[Slide: S.E.T.H. screenshot]
Responder / MultiRelay

• Responder is an LLMNR, NBT-NS and mDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service requests, which is for SMB.
• The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
• All three protocols exist only to resolve names that DNS could not, so the fix is to disable LLMNR (Group Policy: Turn off multicast name resolution) and NBT-NS on the adapters, and to give WPAD a real DNS answer or a PAC policy so the lookup never falls through to broadcast.
Responder / MultiRelay

MultiRelay: use the captured authentication to get onto the target instead of cracking the hash.

Hash harvesting (eth0, or whichever interface is active):
    cd <responder folder> && python Responder.py -I eth0

MultiRelay requires 2 terminal windows.
Window 1, listening for requests (in Responder.conf set SMB = Off and HTTP = Off first, so Responder's own servers do not answer the authentication MultiRelay needs to relay):
    cd <responder folder> && python Responder.py -I eth0 -wrFb
Window 2, pointed at the target to relay against:
    cd <responder folder>/tools && python MultiRelay.py -t <Target IP> -u ALL

The slide calls this pass the hash; strictly it is NTLM relay. A Net-NTLMv2 challenge-response captured by Responder cannot be "passed" the way an NT hash can; MultiRelay forwards the live authentication to the target, which is why SMB signing on the target (required by default only on domain controllers) stops it, and why the relayed user needs local admin on the target for a shell.
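What the poisoning actually exchanges on the wire, and the simplest way to catch a poisoner, as an added example that is not Responder's code. LLMNR (RFC 4795) reuses the DNS message format over UDP 5355 to 224.0.0.252; build_query() is the packet a Windows host multicasts after DNS fails, build_poisoned_reply() is constructed here to show the shape of what a poisoner returns (same transaction ID, QR bit, an A record pointing at the attacker), and is_poisoned() implements the canary check that tools such as Respounder use, reimplemented from scratch: ask for a name that cannot exist and treat any answer as a poisoner. Nothing touches the network unless probe() is called.

```python
"""LLMNR on the wire: the query a Windows host multicasts, the answer a
poisoner sends, and a canary check that spots the poisoner.

Added example, not Responder's code. LLMNR (RFC 4795) reuses the DNS message
format over UDP 5355 to 224.0.0.252. The poisoned reply is constructed here
to show the shape of what Responder returns; the detection idea (ask for a
name that cannot exist and treat any answer as a poisoner) is the one tools
such as Respounder use, reimplemented from scratch. Nothing below touches the
network unless probe() is called.
"""
import socket
import struct
from typing import List, Tuple

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
HEADER = ">HHHHHH"  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard query, one question, type A, class IN."""
    return struct.pack(HEADER, txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    labels, end = [], None
    while True:
        ln = data[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer into the message
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_answers(data: bytes) -> Tuple[int, int, List[Tuple[str, str]]]:
    """Return (txid, flags, [(name, ipv4), ...]) for the A records in a reply."""
    txid, flags, qd, an, _, _ = struct.unpack(HEADER, data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4  # qtype, qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, flags, answers


def build_poisoned_reply(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends back: same txid, QR bit set, the question echoed,
    one A record whose name is a pointer (0xC00C) to the question name."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 1 + 4]
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return struct.pack(HEADER, txid, 0x8000, 1, 1, 0, 0) + question + answer


def is_poisoned(canary_name: str, txid: int, reply: bytes) -> bool:
    """A response to a name nobody legitimately owns is a poisoner by definition."""
    rid, flags, answers = parse_answers(reply)
    return rid == txid and bool(flags & 0x8000) and any(
        n.lower() == canary_name.lower() for n, _ in answers)


def probe(canary_name: str = "nx-canary-7f3a", timeout: float = 2.0):
    """Live check (not run offline): returns the poisoner's IP or None."""
    txid = 0x4A11
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
        reply, src = sock.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return src[0] if is_poisoned(canary_name, txid, reply) else None
```

Run probe() from a workstation on each VLAN on a schedule and the Bash Bunny and Responder demos above both announce themselves: a poisoner has to answer everything, including names that do not exist.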
[Slide: Responder and MultiRelay screenshots]
WHID Cactus / Mimikatz

• This device allows keystrokes to be sent via WiFi to a target machine. The target recognises it as both a standard HID keyboard and a serial port, which allows interactive commands and scripts to be executed on the target remotely.

Hardware Design Author: Luca Bongiorni

• Third-party software compatible with WHID's hardware:
1. whid.ninja
2. https://github.com/sensepost/USaBUSe
3. https://github.com/spacehuhn/wifi_ducky
4. https://github.com/basic4/WiDucky
5. https://github.com/exploitagency/ESPloitV2
• This demonstration will use "ESPloit".
WHID Cactus / Mimikatz

• ESPloit uses its own scripting language and not Ducky Script, although a Ducky Script to ESPloit converter is available at: https://exploitagency.github.io/Duckuino/index.html
• Exfiltrating Data
  - Serial Exfiltration Method
  - WiFi Exfiltration Methods: HTTP exfiltration, FTP exfiltration
• ESPortal Credential Harvester (Phisher)
• Live Payload Mode: here you may type out or copy/paste a payload to run without uploading.
• Duckuino Mode: convert Ducky Script to ESPloit Script and then optionally run the script.
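The host-side tell of any keystroke injector, the Cactus included, as an added example that is not ESPloit's or WHID's code: a payload is typed at a machine-regular cadence of a few milliseconds per key, which no hands on a keyboard sustain. find_injection_bursts() is the timing heuristic that host-side BadUSB defences use, written from scratch over a list of key-down timestamps as a keyboard hook or input-event logger would record them. Both timestamp series are constructed and the two thresholds are assumptions to tune per fleet.

```python
"""Flag keystroke bursts no human produces: the tell of a HID injector.

Added example, not ESPloit's or WHID's code; it is the timing heuristic that
host-side BadUSB defences use, written from scratch. Input is a list of
key-down timestamps in milliseconds as a keyboard-hook or input-event logger
would record them. Both timestamp series below are constructed, and the two
thresholds are assumptions to tune per fleet.
"""
from statistics import mean, pstdev
from typing import List, Tuple

HUMAN_MIN_GAP_MS = 30.0  # assumption: sustained gaps below this are not fingers on keys
BURST_LEN = 20           # assumption: fast keys in a row before we call it injection


def gaps_ms(timestamps_ms: List[float]) -> List[float]:
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def find_injection_bursts(timestamps_ms: List[float], min_gap: float = HUMAN_MIN_GAP_MS,
                          burst_len: int = BURST_LEN) -> List[Tuple[int, int, float, float]]:
    """Return (first_key_index, key_count, mean_gap, gap_stdev) for each run of
    at least burst_len keystrokes all faster than min_gap."""
    gaps = gaps_ms(timestamps_ms)
    bursts, run_start = [], None
    for i, g in enumerate(gaps + [float("inf")]):  # sentinel closes a trailing run
        if g < min_gap:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            run = gaps[run_start:i]
            if len(run) + 1 >= burst_len:
                bursts.append((run_start, len(run) + 1, mean(run), pstdev(run)))
            run_start = None
    return bursts


def constructed_human(n: int = 40, start: float = 0.0) -> List[float]:
    """Constructed: irregular 90-220 ms gaps, deterministic so tests are stable."""
    out, t = [], start
    for i in range(n):
        out.append(t)
        t += 90 + (i * 37) % 131
    return out


def constructed_injector(n: int = 60, start: float = 20000.0, gap: float = 5.0) -> List[float]:
    """Constructed: a payload typed at a fixed 5 ms cadence."""
    return [start + i * gap for i in range(n)]


if __name__ == "__main__":
    for first, count, avg, sd in find_injection_bursts(constructed_human() + constructed_injector()):
        print(f"burst of {count} keys from key #{first}: mean gap {avg:.1f} ms, stdev {sd:.1f} ms")
```

A near-zero standard deviation is as telling as the mean: injectors that add DELAY between lines still type each line at a fixed rate. The response on a hit is to release the burst's keys unprocessed or lock the session, which is why this belongs in an endpoint agent rather than a SIEM rule; the 6416 device-arrival event from the Bash Bunny section is the cheaper complementary signal.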
WHID Cactus / Mimikatz

• Mimikatz is an open-source utility that extracts credential material from the Windows LSASS (Local Security Authority Subsystem Service) process. Its sekurlsa module returns NTLM hashes, Kerberos tickets and, where a provider still caches them, plaintext passwords; the hashes feed pass-the-hash and the tickets pass-the-ticket. Plaintext passwords in LSASS are largely a legacy of WDigest: Windows 8.1/2012 R2 and later (and earlier versions with KB2871997) stop caching them unless HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1, and running LSASS as a protected process (RunAsPPL) or with Credential Guard raises the bar for the read considerably.
[Slide: WHID Cactus / Mimikatz screenshot]
Take Aways
• MultiFactor Auth
• Tier Segregation
• Credential Boundaries
• PAS (Privileged Access Security) System
Thank You
