Research and Organization on the go and refinement when time permits
**NOTE I HAVE MY CLOUD DRIVE FOLDER EXCLUDED FROM MY AV SCAN. LOTS OF TOOLS CAN BE USED FOR GOOD OR EVIL**
Here is my process for capturing/organizing the fire hose of tools/ideas/information that people share. I get most of my information from Twitter. Usually I read it on my phone. When I find something that looks helpful or interesting here are the steps I take.
First, I create a folder for the content. I try to categorize it in a way that makes sense to me. I’ll use SharpDump from https://github.com/GhostPack/SharpDump as an example. I would categorize this a “CredentialDumping”. If the Credential Dumping Folder doesn’t exist I create it. I navigate to my “CredentialDumping” folder on my cloud drive (I use OneDrive). I click the “+” button to create the “SharpDump” folder on my Could Drive
I’ll name the folder “SharpDump” (the name of the tool) and select “Create”
Once the folder is created, I will drop in the tool and a PDF of the page where I downloaded the tool. First, I’ll get the tool. I browse to the URL using Edge and scroll down to the bottom of the page. THIS IS IMPORTANT — Click the “Desktop Version” link at the bottom of the page. This will then show the link to download and it also shows the read me page that I download as well.
Click the “Clone or Download” button and select “Download Zip”
Select “Open with”
Select your cloud drive (I use OneDrive)
I browse to my “CredentialDumping” folder
I find the “SharpDump” folder I created and select it.
I select “Upload Here”
It will start uploading
Next, I always take a PDF of the README. Yes, I could unzip it and read it, but I find it very nice for me to quickly get a sense of what the tool is for. This is just my personal preference. I also use this technique in my research folders to store copies of categorized websites with content I can copy/paste.
***NOTE — I ALWAYS USE EDGE BROWSER TO DOWNLOAD PDF’s — I can copy/paste from PDF’s created from Edge. I cannot select/copy the PDF content from other browsers I’ve tried in the past (that may have changed)****
First, I rotate my phone, so the display is wide. This changes the PDF Edge generates to landscape.
Next I’ll select the “upload button” circled here
I select the “PDF” button
This screen comes up and select the “upload button” circled in the bottom left hand corner
I select my cloud drive
I browse to my “CredentialDumping” folder
I browse to my “SharpDump” Folder
When I get to the folder I select “Upload Here” and I get a confirmation that the data was saved
Now I can easily access this from my home lab computer and play with it when time permits. I’ll usually copy the Zip file to my VM before expanding. SharpDump is a C# program so I’ll copy it to my developer machine and open it there.
I’ll expand the compressed file on my Developer VM machine
I’ll open it with a copy of Visual Studio. You could compile it command line without visual studio but that is out of scope for this write up.
When I open it with Visual Studio it says I don’t have .net framework 3.5 installed. For now I’m just going to target and installed framework.
I review the source for anything malicious and I’ll build the solution.
I can see my exe got created here
I’ll run the EXE from an elevated command prompt to dump my LSASS.EXE
At this point, I would use mimikatz to dump the NTLM hashes but this write up is focused on organizing data. My final step is to distill this further into something I can easily use later. I keep a detailed spread sheet with specific commands I need. For example, for SharpDump, I’m storing a sample of how to compile the code from a command line and what the output looks like. Someday I’ll redo this as a web page.
FYI, to make the compile command work, I had to target the .net framework and save my code to a folder targeting .Net Framework 4.5.2.
With a bit of time my collection has grown. Here is a screen shot of tools for Privilege Escalation for Linux and Windows that I’ve collected over the last two years.
I keep a separate folder for research. It is just a collection of organized PDF downloads from websites. You will notice I have a bunch of uncategorized articles in this folder. When time permits, I read through them and organize them further.
Anyway, that’s how I organize the firehose of data that comes at me daily. Feel free to follow me on Twitter @_markmo_ (yes with the underscores). I like to share what I learn.
