Update TTPs/rdp.py
This commit is contained in:
@ -1,53 +0,0 @@
|
||||
from Modules.Imports.protocol_imports import *
|
||||
|
||||
def mongodb_submenu(target_ip, open_ports):
|
||||
actions = {
|
||||
"1": {"description": "Check for Open MongoDB Instances", "function": check_open_instances},
|
||||
"2": {"description": "List Databases", "function": list_databases},
|
||||
"3": {"description": "Dump Collections", "function": dump_collections},
|
||||
"4": {"description": "Check for Authentication Bypass", "function": check_authentication_bypass},
|
||||
"5": {"description": "Test for MongoDB RCE Exploit", "function": test_rce_exploit},
|
||||
}
|
||||
build_submenu("MongoDB Enumeration", target_ip, actions, open_ports)
|
||||
|
||||
def check_open_instances(target_ip, open_ports):
|
||||
title = "Check for Open MongoDB Instances"
|
||||
content = f"nmap -p 27017 --script mongodb-info {target_ip}"
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def list_databases(target_ip, open_ports):
|
||||
title = "List MongoDB Databases"
|
||||
content = (
|
||||
f"Use `mongo` CLI:\n\n"
|
||||
f"1. Connect: mongo {target_ip}:27017\n"
|
||||
f"2. Run: show dbs"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def dump_collections(target_ip, open_ports):
|
||||
title = "Dump Collections from MongoDB"
|
||||
content = (
|
||||
f"Use `mongoexport`:\n\n"
|
||||
f"mongoexport --host {target_ip} --db <database_name> --collection <collection_name> --out <output_file.json>"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def check_authentication_bypass(target_ip, open_ports):
|
||||
title = "Check for Authentication Bypass"
|
||||
content = (
|
||||
f"Attempt to access the database without credentials:\n\n"
|
||||
f"mongo {target_ip}:27017 --eval \"db.stats()\""
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def test_rce_exploit(target_ip, open_ports):
|
||||
title = "Test for MongoDB RCE Exploit"
|
||||
content = (
|
||||
f"Use Metasploit or other tools to test RCE vulnerabilities:\n\n"
|
||||
f"msfconsole -q\n"
|
||||
f"search mongodb\n"
|
||||
f"use exploit/linux/misc/mongodb_target_rce\n"
|
||||
f"set RHOSTS {target_ip}\n"
|
||||
f"run"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
120
TTPs/rdp.py
Normal file
120
TTPs/rdp.py
Normal file
@ -0,0 +1,120 @@
|
||||
from Modules.Imports.protocol_imports import *
|
||||
|
||||
def rdp_submenu(target_ip, open_ports):
|
||||
actions = {
|
||||
"1": {"description": "Source Event Logs", "function": source_event_logs},
|
||||
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
|
||||
"3": {"description": "Source Registry", "function": source_registry},
|
||||
"4": {"description": "Destination Registry", "function": destination_registry},
|
||||
"5": {"description": "Source Artifacts", "function": source_artifacts},
|
||||
"6": {"description": "Destination Artifacts", "function": destination_artifacts},
|
||||
"7": {"description": "Extra", "function": extra_info},
|
||||
"8": {"description": "All", "function": run_all_rdp_checks},
|
||||
}
|
||||
build_submenu("RDP Persistence", target_ip, actions, open_ports)
|
||||
|
||||
# Individual submenu functions
|
||||
def source_event_logs(target_ip, open_ports):
|
||||
title = "Source Event Logs"
|
||||
content = (
|
||||
f"- `security.evtx`\n"
|
||||
f" - 4648: Logon specifying alternate credentials (NLA enabled)\n"
|
||||
f" - Current logged-on User Name\n"
|
||||
f" - Alternate User Name\n"
|
||||
f" - Destination Host Name/IP\n"
|
||||
f" - Process Name\n"
|
||||
f"- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n"
|
||||
f" - 1024: Destination Host Name\n"
|
||||
f" - 1102: Destination IP Address"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def destination_event_logs(target_ip, open_ports):
|
||||
title = "Destination Event Logs"
|
||||
content = (
|
||||
f"- **Security Event Log** – `security.evtx`\n"
|
||||
f" - 4624: Logon Type 10\n"
|
||||
f" - Source IP/Logon User Name\n"
|
||||
f" - 4778/4779\n"
|
||||
f" - IP Address of Source/Source System Name\n"
|
||||
f" - Logon User Name\n"
|
||||
f"- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
|
||||
f" - 131: Connection Attempts (Source IP)\n"
|
||||
f" - 98: Successful Connections\n"
|
||||
f"- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
|
||||
f" - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
|
||||
f"- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
|
||||
f" - 21, 22, 25: Source IP/Logon User Name\n"
|
||||
f" - 41: Logon User Name"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def source_registry(target_ip, open_ports):
|
||||
title = "Source Registry"
|
||||
content = (
|
||||
f"- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
|
||||
f"- `ShimCache` – SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
|
||||
f"- `BAM_DAM` – SYSTEM: Last Time Executed (`mstsc.exe`)\n"
|
||||
f"- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
|
||||
f"- `UserAssist` – `NTUSER.DAT`\n"
|
||||
f" - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
|
||||
f"- `RecentApps` – `NTUSER.DAT`\n"
|
||||
f" - Tracks `mstsc.exe` and connection destinations"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def destination_registry(target_ip, open_ports):
|
||||
title = "Destination Registry"
|
||||
content = (
|
||||
f"- `ShimCache` - SYSTEM\n"
|
||||
f" - Tracks `rdpclip.exe` and `tstheme.exe`\n"
|
||||
f"- `AmCache.hve`: First Time Executed\n"
|
||||
f" - Tracks `rdpclip.exe` and `tstheme.exe`"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def source_artifacts(target_ip, open_ports):
|
||||
title = "Source File System Artifacts"
|
||||
content = (
|
||||
f"- Jumplists: `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
|
||||
f" - Tracks remote desktop connection destinations and times\n"
|
||||
f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
|
||||
f" - Tracks execution of `mstsc.exe`\n"
|
||||
f"- Bitmap Cache: `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
|
||||
f"- Default.rdp file: `C:\\Users\\<Username>\\Documents\\`"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def destination_artifacts(target_ip, open_ports):
|
||||
title = "Destination File System Artifacts"
|
||||
content = (
|
||||
f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
|
||||
f" - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def extra_info(target_ip, open_ports):
|
||||
title = "Extra Information"
|
||||
content = (
|
||||
f"- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
|
||||
f"- Key Concepts:\n"
|
||||
f" - RDP_NLA (Network Level Authentication)\n"
|
||||
f" - RDP_successful_logon event codes\n"
|
||||
f" - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
|
||||
f" - Understand authentication failures vs. authorization successes"
|
||||
)
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
def run_all_rdp_checks(target_ip, open_ports):
|
||||
title = "Run All RDP Checks"
|
||||
content = "Executing all RDP persistence checks. Please wait..."
|
||||
run_command(title, content, target_ip, open_ports)
|
||||
|
||||
# Sequentially run all functions
|
||||
source_event_logs(target_ip, open_ports)
|
||||
destination_event_logs(target_ip, open_ports)
|
||||
source_registry(target_ip, open_ports)
|
||||
destination_registry(target_ip, open_ports)
|
||||
source_artifacts(target_ip, open_ports)
|
||||
destination_artifacts(target_ip, open_ports)
|
||||
extra_info(target_ip, open_ports)
|
||||
Reference in New Issue
Block a user