Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3559] No subject

Browse source
This commit is contained in:
CPol 2022-10-04 23:49:59 +00:00 committed by gitbook-bot
parent 1cb8a1dd02
commit 714393c0a0
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
12 changed files with 145 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -205,7 +205,7 @@
* [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
* [WinRM](windows-hardening/ntlm/winrm.md)
* [WmicExec](windows-hardening/ntlm/wmicexec.md)
* [Windows Security Controls](windows-hardening/windows-security-controls/README.md)
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
* [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
* [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)

2
forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
View file

@ -144,7 +144,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*
## Hashes/Passwords
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/windows-security-controls/#lsa-secrets).
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets).
{% tabs %}
{% tab title="vol3" %}

2
generic-methodologies-and-resources/pentesting-methodology.md
View file

@ -106,7 +106,7 @@ If you are **not root/Administrator** inside the box, you should find a way to *
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
You should also check this pages about how does **Windows work**:
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/windows-security-controls/)
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
* How does [**NTLM works**](../windows-hardening/ntlm/)
* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)

127
network-services-pentesting/pentesting-ldap.md
View file

@ -74,57 +74,6 @@ phone: 23627387495
* Lines 10-16 define 2 organizational units: dev and sales
* Lines 18-26 create an object of the domain and assign attributes with values
## Basic Enumeration
### Manual
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
First try to **connect without** credentials:
```bash
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
```
If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from:
```bash
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN
```
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
```bash
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>> connection.entries
```
Or **dump** the whole ldap:
```bash
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries
```
### Automated
Using this you will be able to see the **public information** (like the domain name)**:**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
## Write data
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
@ -178,9 +127,81 @@ ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authty
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
### Manual
## Enumeration
#### ldapsearch
### Automated
Using this you will be able to see the **public information** (like the domain name)**:**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
### Python
<details>
<summary>See LDAP enumeration with python</summary>
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
First try to **connect without** credentials:
```bash
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
```
If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from:
```bash
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN
```
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
```bash
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
>> connection.entries
```
Or **dump** the whole ldap:
```bash
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries
```
</details>
### windapsearch
[**Windapsearch**](https://github.com/ropnop/windapsearch) **** is a Python script useful to **enumerate users, groups, and computers from a Windows** domain by utilizing LDAP queries.
```bash
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
```
### ldapsearch
Check null credentials or if your credentials are valid:

71
network-services-pentesting/pentesting-smb.md
View file

@ -51,9 +51,13 @@ With an anonymous null session you can access the IPC$ share and interact with s
## What is NTLM
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/).
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very interesting this page about **NTLM** where is explained **how this protocol works and how you can take advantage of it:**
## **Enumeration**
{% content-ref url="../windows-hardening/ntlm/" %}
[ntlm](../windows-hardening/ntlm/)
{% endcontent-ref %}
## **Server Enumeration**
### **Scan** a network searching for hosts:
@ -104,7 +108,9 @@ searchsploit microsoft smb
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
### Obtain information
### SMB Environment Information
### Obtain Information
```bash
#Dump interesting information
@ -127,16 +133,27 @@ rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbff
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```
### Enumerate Users
### Enumerate Users, Groups & Logged On Users
```bash
# This info should alerady being gathered from enum4linux and enum4linux-ng
crackmapexec smb 10.10.10.10 --users
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
rpcclient -U "" -N 10.10.10.10
enumdomusers
enumdomgroups
# Impacket - Enumerate local users
lookupsid.py -no-pass hostname.local
# Metasploit - Enumerate local users
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
### **Enumerating LSARPC and SAMR rpcclient**
@ -155,6 +172,8 @@ enumdomusers
`smb://friendzone.htb/general/`
## Shared Folders Enumeration
### List shared folders
It is always recommended to look if you can access to anything, if you don't have credentials try using **null** **credentials/guest user**.
@ -162,9 +181,12 @@ It is always recommended to look if you can access to anything, if you don't hav
```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
@ -269,9 +291,20 @@ Commands:
(_Information from the manpage of smbclient_)
### Read Registry
### Domain Shared Folders Search
You may be able to **read the registry** using some discovered credentials. Impacket `reg.py` allows you to try:
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]`
* `--pattern txt`
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```
## Read Registry
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:
```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
@ -279,27 +312,7 @@ sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a87
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
```
### Local users
Enumerate **local** users with SID brute-forcing:
With `Impacket`:
```
lookupsid.py -no-pass hostname.local
```
With `Metasploit`:
```
use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
Note: `rpcclient` command `lookupsids` only translates a SID to a username but doesn't allow enumeration via brute-forcing.
### Post Exploitation
## Post Exploitation
The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and might have some **dangerous configs**:
@ -327,7 +340,7 @@ smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```
## **Execute**
## **Execute Commands**
### **crackmapexec**

13
network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
View file

@ -12,6 +12,19 @@
</details>
### **What is a RID**
A [Relative Identifier (RID)](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) is a **unique identifier** (represented in hexadecimal format) utilized by Windows to **track and identify objects**. To explain how this fits in, let's look at the examples below:
* The [SID](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) for the NAME\_DOMAIN.LOCAL domain is: `S-1-5-21-1038751438-1834703946-36937684957`.
* When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
* So the domain user `john` with a RID:\[0x457] Hex 0x457 would = decimal `1111`, will have a full user SID of: `S-1-5-21-1038751438-1834703946-36937684957-1111`.
* This is unique to the `john` object in the NAME\_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
Definition from [**here**](https://academy.hackthebox.com/module/143/section/1269).
### **Enumeration with rpcclient**
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).

2
windows-hardening/active-directory-methodology/README.md
View file

@ -482,7 +482,7 @@ The **security descriptors** are used to **store** the **permissions** an **obje
### Custom SSP
[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\
{% content-ref url="custom-ssp.md" %}

2
windows-hardening/active-directory-methodology/custom-ssp.md
View file

@ -14,7 +14,7 @@
## Custom SSP
[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
#### Mimilib

12
windows-hardening/windows-security-controls/README.md → windows-hardening/authentication-credentials-uac-and-efs.md
View file

@ -12,7 +12,7 @@
</details>
![](<../../.gitbook/assets/image (9) (1) (2).png>)
![](<../.gitbook/assets/image (9) (1) (2).png>)
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@ -148,8 +148,8 @@ This way requires the **victim user** to be **running** a **process** inside the
****[**Local Administrator Password Solution (LAPS)**](https://www.microsoft.com/en-us/download/details.aspx?id=46899) allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. If your user is given enough permissions you might be able to read the passwords of the local admins.
{% content-ref url="../active-directory-methodology/laps.md" %}
[laps.md](../active-directory-methodology/laps.md)
{% content-ref url="active-directory-methodology/laps.md" %}
[laps.md](active-directory-methodology/laps.md)
{% endcontent-ref %}
## PS Constrained Language Mode
@ -212,13 +212,13 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**.&#x20;
{% content-ref url="uac-user-account-control.md" %}
[uac-user-account-control.md](uac-user-account-control.md)
{% content-ref url="windows-security-controls/uac-user-account-control.md" %}
[uac-user-account-control.md](windows-security-controls/uac-user-account-control.md)
{% endcontent-ref %}
![](<../../.gitbook/assets/image (9) (1) (2).png>)
![](<../.gitbook/assets/image (9) (1) (2).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

6
windows-hardening/windows-local-privilege-escalation/README.md
View file

@ -44,8 +44,8 @@
There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration:
{% content-ref url="../windows-security-controls/" %}
[windows-security-controls](../windows-security-controls/)
{% content-ref url="../authentication-credentials-uac-and-efs.md" %}
[authentication-credentials-uac-and-efs.md](../authentication-credentials-uac-and-efs.md)
{% endcontent-ref %}
## System Info
@ -386,7 +386,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
### Token manipulation
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../windows-security-controls/#access-tokens).\
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).\
Check the following page to **learn about interesting tokens** and how to abuse them:
{% content-ref url="privilege-escalation-abusing-tokens/" %}

2
windows-hardening/windows-local-privilege-escalation/access-tokens.md
View file

@ -69,7 +69,7 @@ or using _Process Explorer_ from Sysinternals (select process and access"Securit
### Local administrator
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
If you want to [**learn more about the UAC read this page**](../windows-security-controls/#uac)**.**
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
### Credentials user impersonation

2
windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
View file

@ -121,7 +121,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
### Example
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../windows-security-controls/#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
## **Creating and compiling Dlls**