Nmap - xml2csv : "Converts Nmap XML output to csv file, and other useful functions. Ignores hosts that are down and ports that are not open."

    A friend showed me this tool the other night and it's kind of funny because I was just looking for something like this but didn't find it when searching.  I normally use the -oN flag to output to a file but I was wishing for a better way to organize the data and poof, here it is...

    According to the description:  "A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only."

    If you've used the Unicorn tool, this is not too dissimilar but instead of providing you with the PowerShell and it being somewhat specific to Metasploit, this allows you to generate Macro payloads and it can directly insert them into Excel for you.  In addition, if you use Invoke-Obfuscation, you can also obfuscate the payloads in a variety of different formats. 

    Mshta.exe executes HTML application files -- and in terms of living off the land, this could be a useful tool in certain situations.  This is becoming less usable as a/v products clue in on the execution but it still works against some a/v products in some scenarios.  Probably a less useful method would involve Metasploit but this is a fairly easy way to show how this works.  There are other ways to generate HTA files, SharpShooter comes to mind, but those methods are becoming extinct as well. 


    I think you need to use your imagination with this tool but it could be quite handy for that right spot. I think the author's description does a fine job of explaining what this tool can do: "What this tool does is taking a file (any type of file), encrypt it, and embed it into an HTML file as resource, along with an automatic download routine simulating a user clicking on the embedded resource."Let's dig into the tool and then I'll add some additional thoughts:

    "Spoof SSDP replies to phish for credentials and NetNTLM challenge/response. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. Also detects and exploits XXE 0-day vulnerabilities in XML parsers for UPNP-enabled apps."

    So what is SSDP?  "The Simple Service Discovery Protocol is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information."

    And if that's unclear to you, it will all make sense in a moment when you see what appears in the Network view. 

    I'm presenting at BSides College Station next month and in my talk, I'm using PowerShell as a method for enumerating the environment while living off the land.  Also in my talk, I give an example of a PowerShell reverse shell in plain form and the same reverse shell in an obfuscated form.  I don't reference it directly but the tool I use to obfuscate the shell is Invoke-Obfuscation created by Daniel Bohannon.  In advance of the talk, I want to do a little write-up on this tool in case I get asked about it -- I can then point them to here...

    Page 2 of 47

    © 2020 sevenlayers.com