The Black Library

Notes on the Prayer of Shells

This machine is discharged into your care.

Fight with this machine, and guard it from the shame of defeat.

Serve this machine, as you would have it fight for you.

Unknown Adeptus - Ceremony of Commission

This is an attempt to document techniques of practical hacking. Unlike previous writings and blog posts, I am attempting to compound my knowledge into a single location and continue to jot things down in a functional way. Each section will attempt to act as a reference of techniques and tools for the day-to-day activities that are used to please the Omnissiah.

Contents

Password Spraying Theory

Fundamentally, password spraying is conducting authentication attempts against a set of known or potential accounts with likely passwords. It is related to password bruteforcing, but instead of targeting a single account or small set of accounts and bruteforcing them quickly, a password spray is conducted over a long campaign with potentially very few authentication attempts per user during the campaign.

Password spraying has 4 core elements: timeline, human nature, positioning, and information gathering.

Timeline informs over what period of time the password sprays can be conducted. There are two main types of campaign timelines: timeboxed and realistic. The difference between these is the planning of the authentication attempts and how quickly the campaign is conducted. If the campaign is timeboxed to a specific short period of time, such as a 2 week engagement, it is important to figure out what the password policy looks like. The client should be able to confirm this and the tester should be able to explain why it's important to know. If the test is realistic, then making sure authentication attempts happen over a long period of time, from multiple sources, and with a focus on distributed attempts becomes more important than the password policy, as the test will probably never authenticate often enough within the grace period for it to matter.

Human nature is the fundamental weakness of all people. It's important to take advantage of it as much as possible during a password spraying campaign. This can take many forms, but some critically important and easy to abuse mistakes people make are: password reuse, default IT credentials, incremented passwords (Summer2019!, Winter2019!, Spring2020! are all examples of how sequences are often used in passwords), and simply easily guessable passwords.

Positioning is vitally important to a password spraying campaign. Targets and spray anchors should always be identified. If you are internet facing, identify any corporate login portals, VPN endpoints, Citrix servers, mail portals, and any Cloud connected systems. Remember to think like IT: if someone has a business need to access their web mail, try and spray against that before attempting to authenticate to the VPN.

When positioned on an intranet the targets can be the same as the targets identified for internet attacks, but some of the core targets change. Active Directory, NIS+, and LDAP integrated environments fundamentally become core targets for password spraying. If you are password spraying intranet services, the speed and ease of spraying are greatly reduced, but on the other side it is much easier to accidentally reveal your positioning to EDR/IR nerds.

Information gathering is, as always, a net gain to a campaign. Any common verbiage, user names, titles, email addresses, employee IDs, internet facing documents, and anything else that leaks information can be used to inform the password spraying campaign. The exact mechanism used for this might be different for every target. Do not confuse OSINT techniques with sources. Some good sources are LinkedIn, GitHub, Google dorks, previous password dumps, etc.
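Seen from the blue team side of the distinction drawn above (very few attempts per account across many accounts, versus bruteforcing a single account), here is detection logic run over constructed authentication events. This is an added example, not part of the original notes; the log format, thresholds and addresses are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original page): time, source, account, outcome.
SAMPLE_LOG = """\
2020-03-02T08:00:01 203.0.113.7 alice FAIL
2020-03-02T08:00:05 203.0.113.7 bob FAIL
2020-03-02T08:00:09 203.0.113.7 carol FAIL
2020-03-02T08:00:14 203.0.113.7 dave FAIL
2020-03-02T08:00:20 203.0.113.7 erin FAIL
2020-03-02T08:00:25 203.0.113.7 frank SUCCESS
2020-03-02T08:05:00 198.51.100.9 alice FAIL
2020-03-02T08:05:30 198.51.100.9 alice FAIL
2020-03-02T08:06:00 198.51.100.9 alice FAIL
2020-03-02T08:06:30 198.51.100.9 alice FAIL
2020-03-02T09:00:00 192.0.2.44 bob FAIL
2020-03-02T09:00:03 192.0.2.44 bob SUCCESS
"""

def parse(log):  # each line -> (time, source, account, outcome)
    return [(datetime.fromisoformat(f[0]), f[1], f[2], f[3])
            for f in (line.split() for line in log.splitlines())]

def classify(events, window=timedelta(minutes=30), min_accounts=5,
             spray_max_per_account=2, brute_min_per_account=4):
    """Sort failing sources into the two shapes described above: sprays
    (one window, >= min_accounts accounts, none failed more than
    spray_max_per_account times: low and wide) and brute (an account failed
    >= brute_min_per_account times in one window: deep and narrow).
    followups are successes from a source already flagged as spraying."""
    fails = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails[src].append((ts, user))
    sprays, brute = defaultdict(set), defaultdict(set)
    for src, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide a window over this source
            counts = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= spray_max_per_account:
                sprays[src].update(counts)
            brute[src].update(u for u, n in counts.items() if n >= brute_min_per_account)
    brute = {s: a for s, a in brute.items() if a}
    followups = [(s, u) for _, s, u, o in events if o == "SUCCESS" and s in sprays]
    return dict(sprays), brute, followups
```

The single typo-then-success for bob from 192.0.2.44 is left unflagged, while a success from a source that was just spraying is surfaced separately as the event worth escalating.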

Here is a listing of some of the tooling that is commonly used, with a description of its use case. Learn your tools:

Password Spraying Examples

Password Spraying Examples: Internet

Password Spraying Examples: Intranet

Password Spraying Examples: Cloud Components

NTLM Force Authentication

Windows KMS Activation

There are a few ways to illegitimately activate Microsoft Windows, but the most consistent way that I've found to activate is to set up a third-party KMS (Key Management Service). I have had the best luck with vlmcsd. The code is public, but the development repositories are sadly private, so the only code releases are on the MyDigitalLife forums as nasty .7z exports. Luckily certain groups mirror it on GitHub; please be careful with these as they could be infected. The quick guide is as follows: set up a Linux VM or host, install compilers and git.

$ git clone https://github.com/Wind4/vlmcsd
$ cd vlmcsd && make
$ ./bin/vlmcsd -e -v -D

Then on the Windows host you need to use the built-in slmgr.vbs:

PS C:\ > slmgr.vbs /skms 10.13.37.69:1688
PS C:\ > slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872k-2YT43
PS C:\ > slmgr.vbs /ato

The latest KMS keys can be found here: https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys

Tips & Tricks

Mounting Filesystems from Files

Mounting Files: Linux

Mounting Files: OpenBSD

# vnconfig vnd0 /file/img.iso
# disklabel vnd0
# mount /dev/vnd0i /mnt/file/

Mounting Files: FreeBSD