mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [master] 4 pages and one asset modified
This commit is contained in:
parent
8bbe345910
commit
a839844adc
3 changed files with 44 additions and 44 deletions
Binary file not shown.
After Width: | Height: | Size: 1.5 KiB |
|
@ -1,12 +1,12 @@
|
||||||
# PostgreSQL injection
|
# PostgreSQL injection
|
||||||
|
|
||||||
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
|
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\*
|
||||||
|
|
||||||
## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
|
## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
|
||||||
|
|
||||||
**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.
|
**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.
|
||||||
**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.
|
**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.
|
||||||
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
|
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\*
|
||||||
|
|
||||||
### **Exfiltration example using dblink and large objects**
|
### **Exfiltration example using dblink and large objects**
|
||||||
|
|
||||||
|
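Review bot: the new versions of the intro line and of the "You can read here how to perform these attacked" link append a literal `\*\*\*\*` after the closing `)` of the link, with no matching opener, so GitBook will render four visible asterisks instead of bold markup; drop the trailing `\*\*\*\*` so each line ends at the link. While these lines are being touched, the typos in the surrounding text could be fixed in the same pass: `SQLinjection` → `SQL injection`, `compliment` → `complement`, `of perform TCP connections` → `or perform TCP connections`, and `perform these attacked` → `perform these attacks`.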
@ -15,7 +15,7 @@ You can [**read this example**](dblink-lo_import-data-exfiltration.md) **\*\*to
|
||||||
## PL/pgSQL password bruteforce
|
## PL/pgSQL password bruteforce
|
||||||
|
|
||||||
PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
|
PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
|
||||||
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)
|
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\*
|
||||||
|
|
||||||
## File-system actions
|
## File-system actions
|
||||||
|
|
||||||
|
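Review bot: the "Read this to learn how." link line gains the same dangling `\*\*\*\*` after the link's closing `)`, which lands outside any bold span and will show up as literal asterisks; remove it. Minor, in the same line: `the users credentials` should be `the users' credentials`.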
@ -40,7 +40,7 @@ A very important limitation of this technique is that **`copy` cannot be used to
|
||||||
### **Binary files upload**
|
### **Binary files upload**
|
||||||
|
|
||||||
However, there are **other techniques to upload big binary files**.
|
However, there are **other techniques to upload big binary files**.
|
||||||
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)
|
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\*
|
||||||
|
|
||||||
## RCE
|
## RCE
|
||||||
|
|
||||||
|
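Review bot: the "Read this page to learn how to do it." link line gains a trailing `\*\*\*\*` with no opener, so the rendered page will show stray asterisks after the link; remove it so the line ends at `(big-binary-files-upload-postgresql.md)`.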
@ -67,7 +67,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol
|
||||||
### RCE with PostgreSQL extensions
|
### RCE with PostgreSQL extensions
|
||||||
|
|
||||||
Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.
|
Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.
|
||||||
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)
|
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\*
|
||||||
|
|
||||||
### PostgreSQL configuration file RCE
|
### PostgreSQL configuration file RCE
|
||||||
|
|
||||||
|
|
|
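Review bot: the link line under "RCE with PostgreSQL extensions" gains a dangling `\*\*\*\*`, and its link text has a typo (`Lear how` → `Learn how`); the unchanged sentence above it also reads `try obtain RCE` where `try to obtain RCE` is meant. Suggested form for the link line: `[**Learn how to abuse this functionality by reading this post.**](rce-with-postgresql-extensions.md)`.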
@ -1,8 +1,8 @@
|
||||||
# Active Directory Methodology
|
# Active Directory Methodology
|
||||||
|
|
||||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**PEASS & HackTricks telegram group here**](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)\*\*\*\*[**@carlospolopm**](https://twitter.com/carlospolopm).
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.
|
**If you want to** share some tricks with the community **you can also submit** pull requests **to** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks]%28https://github.com/carlospolop/hacktricks) **that will be reflected in this book.
|
||||||
Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
|
Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
|
||||||
|
|
||||||
## Basic overview
|
## Basic overview
|
||||||
|
|
||||||
|
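Review bot: the pull-request link in the rewritten "share some tricks" line has a corrupted target (`https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks]%28https://github.com/carlospolop/hacktricks`), so the rendered link points at a path that does not exist; the href should be just `https://github.com/carlospolop/hacktricks`. The rewritten "follow me on Twitter" line also still carries a bare `****` before the bird-emoji link and an escaped `\*\*\*\*` between that link and `[**@carlospolopm**]`, both of which render as visible asterisks; the intended form is presumably `follow me on Twitter [🐦](https://emojipedia.org/bird/) [**@carlospolopm**](https://twitter.com/carlospolopm).` Finally, `Don't forget to** give ⭐` keeps an unbalanced `**` that should be removed or paired.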
@ -28,12 +28,12 @@ Active Directory provides several different services, which fall under the umbre
|
||||||
6. **DNS Service** – Used to resolve domain names.
|
6. **DNS Service** – Used to resolve domain names.
|
||||||
|
|
||||||
AD DS is included with Windows Server \(including Windows Server 10\) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials.
|
AD DS is included with Windows Server \(including Windows Server 10\) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials.
|
||||||
**From:** [**https://techterms.com/definition/active\_directory**](https://techterms.com/definition/active_directory)\*\*\*\*
|
**From:** [**https://techterms.com/definition/active\_directory**](https://techterms.com/definition/active_directory)
|
||||||
|
|
||||||
### **Kerberos Authentication**
|
### **Kerberos Authentication**
|
||||||
|
|
||||||
To learn how to **attack an AD** you need to **understand** really good the **Kerberos authentication process**.
|
To learn how to **attack an AD** you need to **understand** really good the **Kerberos authentication process**.
|
||||||
[**Read this page if you still don't know how it works.**](kerberos-authentication.md)\*\*\*\*
|
[**Read this page if you still don't know how it works.**](kerberos-authentication.md)
|
||||||
|
|
||||||
## Cheat Sheet
|
## Cheat Sheet
|
||||||
|
|
||||||
|
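Review bot: in the unchanged context, `understand really good the Kerberos authentication process` should read `understand the Kerberos authentication process really well`, and the quoted definition's `Windows Server 10` looks like a slip in the cited techterms text (there is no product of that name); since the paragraph is presented as a quotation, either keep it verbatim and mark it as such or correct it with a note. The two actual changes in this hunk, dropping the trailing `\*\*\*\*` after the techterms citation and after the Kerberos link, are correct and render cleanly.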
@ -43,19 +43,19 @@ You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io/) t
|
||||||
|
|
||||||
If you just have access to an AD environment but you don't have any credentials/sessions you could:
|
If you just have access to an AD environment but you don't have any credentials/sessions you could:
|
||||||
|
|
||||||
* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, **\*\*\[**printers could be very interesting targets**\]\(ad-information-in-printers.md\)\). Take a look to the General \*\***[**Pentesting Methodology**](../../pentesting-methodology.md) _\*\*_to find more information about how to do this.
|
* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, [printers could be very interesting targets](ad-information-in-printers.md)**. Take a look to the General** [**Pentesting Methodology**](../../pentesting-methodology.md) to find more information about how to do this.
|
||||||
* **Check for null and Guest access on smb services** \(this won't work on modern Windows versions\):
|
* **Check for null and Guest access on smb services** \(this won't work on modern Windows versions\):
|
||||||
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
|
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
|
||||||
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
|
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
|
||||||
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
|
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
|
||||||
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../pentesting/pentesting-smb.md)\*\*\*\*
|
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../pentesting/pentesting-smb.md)
|
||||||
* **Enumerate Ldap**:
|
* **Enumerate Ldap**:
|
||||||
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
|
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
|
||||||
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)\*\*\*\*
|
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)
|
||||||
* **Poison the network**
|
* **Poison the network**
|
||||||
* Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
|
* Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||||
* Access host by **\*\*\[**abusing the relay attack**\]\(../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md\#relay-attack\)**.\*\*
|
* Access host by [abusing the relay attack](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)\*\*\*\*
|
||||||
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)\*\*\*\*[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)\*\*\*\*
|
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
|
||||||
* **OSINT**: Try to **extract possible usernames** from services \(mainly web\) inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD **username conventions \(**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**\)**. The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ \(3letters of each\), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ \(abc123\). You could also try **statistically most used usernames**: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames) **Read the following Username enumeration section to learn how to find if a username is valid or not.**
|
* **OSINT**: Try to **extract possible usernames** from services \(mainly web\) inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD **username conventions \(**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**\)**. The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ \(3letters of each\), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ \(abc123\). You could also try **statistically most used usernames**: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames) **Read the following Username enumeration section to learn how to find if a username is valid or not.**
|
||||||
|
|
||||||
### User enumeration
|
### User enumeration
|
||||||
|
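Review bot: the second `smbclient` command in the null/guest-access bullet is missing its host: `smbclient -U 'guest%' -L //` has nothing after `//`, unlike the first half of the same line, so it cannot work as written and should read `smbclient -U 'guest%' -L //<DC IP>`. Also in this hunk: the rewritten "abusing the relay attack" line still ends with a dangling `\*\*\*\*`; the evil-SSDP bullet splits the tool name mid-word into two links (`evil-S` and `SDP`) with different targets, which should be one link with the text `evil-SSDP` (pick one of the two URLs as the target and cite the other in prose); and `3letters of each` → `3 letters of each`.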
@ -77,9 +77,9 @@ You could also use the **impacket script of ASREPRoast** to enumerate valid user
|
||||||
|
|
||||||
Ok, so you know you have already a valid username but no passwords...Then try:
|
Ok, so you know you have already a valid username but no passwords...Then try:
|
||||||
|
|
||||||
* \*\*\*\*[**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _**DONT\_REQ\_PREAUTH**_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
|
* [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _**DONT\_REQ\_PREAUTH**_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
|
||||||
* \*\*\*\*[**Password Spraying**](password-spraying.md): Let's **try** the most **common passwords** with each of the discovered users, maybe some user is using a bad password \(keep in mind the password policy\)
|
* [**Password Spraying**](password-spraying.md): Let's **try** the most **common passwords** with each of the discovered users, maybe some user is using a bad password \(keep in mind the password policy\)
|
||||||
* A final option if the accounts cannot be locked is the **\*\*\[**traditional bruteforce**\]\(password-spraying.md\)** \(be careful\)\*\*.
|
* A final option if the accounts cannot be locked is the [**traditional bruteforce**](password-spraying.md)\*\*\*\*
|
||||||
|
|
||||||
## Enumerating Active Directory \(Some creds/Session\)
|
## Enumerating Active Directory \(Some creds/Session\)
|
||||||
|
|
||||||
|
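Review bot: the rewritten "traditional bruteforce" bullet drops the `(be careful)` caveat that the old line carried and keeps a trailing `\*\*\*\*` that renders as literal asterisks. That caveat is the only place this list flags the account-lockout risk of brute-forcing, so it should survive the cleanup: `* A final option if the accounts cannot be locked is the [**traditional bruteforce**](password-spraying.md) (be careful).` Minor, in the unchanged ASREPRoast bullet: `request a AS_REP message` → `request an AS_REP message`.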
@ -88,14 +88,14 @@ For this phase you need to have **compromised the credentials or a session of a
|
||||||
### Enumeration
|
### Enumeration
|
||||||
|
|
||||||
If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
|
If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
|
||||||
Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account \(if you know it\). It's very easy to obtain all the domain usernames from Windows \(`net user /domain` ,`Get-DomainUser`or `wmic useraccount get name,sid`\). In** linux\*\* you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
|
Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account \(if you know it\). It's very easy to obtain all the domain usernames from Windows \(`net user /domain` ,`Get-DomainUser`or `wmic useraccount get name,sid`\). In_\* linux\_\* you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
|
||||||
|
|
||||||
Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
|
Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
|
||||||
|
|
||||||
* You could use some[ Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**.
|
* You could use some[ Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**.
|
||||||
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** \(depending on the collection methods you use\), but **if you don't care** about that, you should totally give it a **try**.
|
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** \(depending on the collection methods you use\), but **if you don't care** about that, you should totally give it a **try**.
|
||||||
* If you are using **Linux**, you could also [enumerate the domain using **pywerview**](https://github.com/the-useless-one/pywerview)**.**
|
* If you are using **Linux**, you could also [enumerate the domain using **pywerview**](https://github.com/the-useless-one/pywerview)**.**
|
||||||
* You could also **try** [**https://github.com/tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)\*\*\*\*
|
* You could also **try** [**https://github.com/tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)
|
||||||
|
|
||||||
**Even if this Enumeration section looks small this is the most important part of all. Access the links \(mainly the one of cmd, powershell, powerview and BloodHound\), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.**
|
**Even if this Enumeration section looks small this is the most important part of all. Access the links \(mainly the one of cmd, powershell, powerview and BloodHound\), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.**
|
||||||
|
|
||||||
|
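Review bot: the `In** linux\*\*` garble is replaced by `In_\* linux\_\*`, which is still broken emphasis and will render as literal underscores and asterisks; the intended markup is `In **Linux** you can use:`. Two unchanged nits on the same line: `[**ASREPRoast**](asreproast.md)you` and `` `Get-DomainUser`or `` are missing a space after the link and after the code span, which some renderers need to close those spans correctly.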
@ -108,12 +108,12 @@ You can know that a **user account** is being used as a **service** because the
|
||||||
### Local Privilege Escalation
|
### Local Privilege Escalation
|
||||||
|
|
||||||
If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally**. This is because only with admin privileges you will be able to **dump hashes of other users** in memory \(LSASS\) and locally \(SAM\).
|
If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally**. This is because only with admin privileges you will be able to **dump hashes of other users** in memory \(LSASS\) and locally \(SAM\).
|
||||||
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a **\*\*\[**checklist**\]\(../checklist-windows-privilege-escalation.md\). Also, don't forget to try \*\***[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
|
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md)**. Also, don't forget to use** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
|
||||||
|
|
||||||
### Win-RM
|
### Win-RM
|
||||||
|
|
||||||
Once you have obtained some credentials you could check if you have **access** to any **machine** using the **win-rm service**.
|
Once you have obtained some credentials you could check if you have **access** to any **machine** using the **win-rm service**.
|
||||||
[**More information about how to use and abuse win-rm here.**](../../pentesting/5985-5986-pentesting-winrm.md)\*\*\*\*
|
[**More information about how to use and abuse win-rm here.**](../../pentesting/5985-5986-pentesting-winrm.md)
|
||||||
|
|
||||||
## Privesc on Active Directory \(Some "privileged" Creds/Session\)
|
## Privesc on Active Directory \(Some "privileged" Creds/Session\)
|
||||||
|
|
||||||
|
@ -123,53 +123,53 @@ Once you have obtained some credentials you could check if you have **access** t
|
||||||
|
|
||||||
Hopefully you have managed to **compromise some local admin** account using [ASREPROast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md), [EvilSSDP](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [Enumerating](./#enumerating-active-directory)... or [escalating privileges locally](../windows-local-privilege-escalation/).
|
Hopefully you have managed to **compromise some local admin** account using [ASREPROast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md), [EvilSSDP](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [Enumerating](./#enumerating-active-directory)... or [escalating privileges locally](../windows-local-privilege-escalation/).
|
||||||
Then, its time to dump all the hashes in memory and locally.
|
Then, its time to dump all the hashes in memory and locally.
|
||||||
[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/)\*\*\*\*
|
[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/)
|
||||||
|
|
||||||
### **Pass the Hash**
|
### **Pass the Hash**
|
||||||
|
|
||||||
**Once you have the hash of a user**, you can use it to **impersonate** it.
|
**Once you have the hash of a user**, you can use it to **impersonate** it.
|
||||||
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
|
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
|
||||||
**\*\*\[**More information about this attack and about how does NTLM works here._\*\]\(../ntlm/\#pass-the-hash\)\_\*\*\*
|
[**More information about this attack and about how does NTLM works here**](../ntlm/#pass-the-hash)**.**
|
||||||
|
|
||||||
### **Over Pass the Hash/Pass the Key**
|
### **Over Pass the Hash/Pass the Key**
|
||||||
|
|
||||||
This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
|
This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
|
||||||
[**More information about Over Pass the Hash/Pass the Key here.**](over-pass-the-hash-pass-the-key.md)\*\*\*\*
|
[**More information about Over Pass the Hash/Pass the Key here.**](over-pass-the-hash-pass-the-key.md)
|
||||||
|
|
||||||
### **Pass the Ticket**
|
### **Pass the Ticket**
|
||||||
|
|
||||||
This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.
|
This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.
|
||||||
**\*\*\[**More information about Pass the Ticket here._\*\]\(pass-the-ticket.md\)\_\*\*\*
|
[**More information about Pass the Ticket here**](pass-the-ticket.md)**.**
|
||||||
|
|
||||||
### **MSSQL Trusted Links**
|
### **MSSQL Trusted Links**
|
||||||
|
|
||||||
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).
|
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).
|
||||||
Also, if a MSSQL instance is trusted \(database link\) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.
|
Also, if a MSSQL instance is trusted \(database link\) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.
|
||||||
**The links between databases work even across forest trusts.**
|
**The links between databases work even across forest trusts.**
|
||||||
[**More information about this technique here.**](mssql-trusted-links.md)\*\*\*\*
|
[**More information about this technique here.**](mssql-trusted-links.md)
|
||||||
|
|
||||||
### **Unconstrained Delegation**
|
### **Unconstrained Delegation**
|
||||||
|
|
||||||
**If you find any Computer object with the attribute** [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.
|
**If you find any Computer object with the attribute** [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.
|
||||||
So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).
|
So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).
|
||||||
Thanks to constrained delegation you could even **automatically compromise a Print Server** \(hopefully it will be a DC\).
|
Thanks to constrained delegation you could even **automatically compromise a Print Server** \(hopefully it will be a DC\).
|
||||||
[**More information about this technique here.**](unconstrained-delegation.md)\*\*\*\*
|
[**More information about this technique here.**](unconstrained-delegation.md)
|
||||||
|
|
||||||
### **Constrained Delegation**
|
### **Constrained Delegation**
|
||||||
|
|
||||||
If a user or computer is allowed for "Constrained Delegation" it will be able to **impersonate any user to access some services in a computer**.
|
If a user or computer is allowed for "Constrained Delegation" it will be able to **impersonate any user to access some services in a computer**.
|
||||||
Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** \(even domain admins\) to access some services.
|
Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** \(even domain admins\) to access some services.
|
||||||
[**More information about this attacks and some constrains here.**](constrained-delegation.md)\*\*\*\*
|
[**More information about this attacks and some constrains here.**](constrained-delegation.md)
|
||||||
|
|
||||||
### **ACLs Abuse**
|
### **ACLs Abuse**
|
||||||
|
|
||||||
The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
|
The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
|
||||||
[**More information about interesting privileges here.**](acl-persistence-abuse.md)\*\*\*\*
|
[**More information about interesting privileges here.**](acl-persistence-abuse.md)
|
||||||
|
|
||||||
### Printer Spooler service abuse
|
### Printer Spooler service abuse
|
||||||
|
|
||||||
If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.
|
If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.
|
||||||
[**More information about how to find a abuse Spooler services here.**](printers-spooler-service-abuse.md)\*\*\*\*
|
[**More information about how to find a abuse Spooler services here.**](printers-spooler-service-abuse.md)
|
||||||
|
|
||||||
## **Dumping Domain Credentials**
|
## **Dumping Domain Credentials**
|
||||||
|
|
||||||
|
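Review bot: several typos in the lines this hunk rewrites survive the cleanup and should be fixed in the same pass, since the lines are already being touched. In the Constrained Delegation link text, "this attacks and some constrains" should read "these attacks and some constraints"; in the Printer Spooler paragraph, "you may be able to **abuse** is to **obtain**" should be "abuse it to obtain", and the link text "how to find a abuse Spooler services" should be "how to find and abuse Spooler services". The removal of the stray trailing `\*\*\*\*` markers on the link lines themselves is correct.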
@ -190,51 +190,51 @@ More information about**[ **how to steal the NTDS.dit \(Domain database\) can be
|
||||||
|
|
||||||
A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** \(or machine\) in the domain ad the impersonated user.
|
A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** \(or machine\) in the domain ad the impersonated user.
|
||||||
|
|
||||||
\*\*\*\*[**More information about Golden Ticket here.**](golden-ticket.md)\*\*\*\*
|
[**More information about Golden Ticket here.**](golden-ticket.md)
|
||||||
|
|
||||||
### **Silver Ticket**
|
### **Silver Ticket**
|
||||||
|
|
||||||
The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** \(like the **PC account hash**\). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user** \(like privileged access to a computer\).
|
The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** \(like the **PC account hash**\). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user** \(like privileged access to a computer\).
|
||||||
[**More information about Silver Ticket here.**](silver-ticket.md)\*\*\*\*
|
[**More information about Silver Ticket here.**](silver-ticket.md)
|
||||||
|
|
||||||
### **AdminSDHolder Group**
|
### **AdminSDHolder Group**
|
||||||
|
|
||||||
The Access Control List \(ACL\) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
The Access Control List \(ACL\) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
||||||
By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group \(in an hour\).
|
By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group \(in an hour\).
|
||||||
And if someone tries to delete this user from the Domain Admins \(for example\) in an hour or less, the user will be back in the group.
|
And if someone tries to delete this user from the Domain Admins \(for example\) in an hour or less, the user will be back in the group.
|
||||||
**\*\*\[**More information about AdminSDHolder Group here._\*\]\(privileged-accounts-and-token-privileges.md\#adminsdholder-group\)\_\*\*\*
|
[**More information about AdminSDHolder Group here**](privileged-accounts-and-token-privileges.md)**.**
|
||||||
|
|
||||||
### **DSRM Credentials**
|
### **DSRM Credentials**
|
||||||
|
|
||||||
There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.
|
There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.
|
||||||
**\*\*\[**More information about DSRM Credentials here.\*\*\]\(dsrm-credentials.md\)
|
[**More information about DSRM Credentials here.**](dsrm-credentials.md)\*\*\*\*
|
||||||
|
|
||||||
### **ACL Persistence**
|
### **ACL Persistence**
|
||||||
|
|
||||||
You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.
|
You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.
|
||||||
[**More information about interesting privileges here.**](acl-persistence-abuse.md)\*\*\*\*
|
[**More information about interesting privileges here.**](acl-persistence-abuse.md)
|
||||||
|
|
||||||
### **Security Descriptors**
|
### **Security Descriptors**
|
||||||
|
|
||||||
The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
|
The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
|
||||||
**\*\*\[**More information about Security Descriptors here._\*\]\(security-descriptors.md\)\_\*\*\*
|
[**More information about Security Descriptors here**](security-descriptors.md)**.**
|
||||||
|
|
||||||
### Skeleton Key
|
### Skeleton Key
|
||||||
|
|
||||||
**Modify LSASS** in memory to create a **master password** that will work for any account in the domain.
|
**Modify LSASS** in memory to create a **master password** that will work for any account in the domain.
|
||||||
[**More information about Skeleton Key here.**](skeleton-key.md)\*\*\*\*
|
[**More information about Skeleton Key here.**](skeleton-key.md)
|
||||||
|
|
||||||
### **Custom SSP**
|
### **Custom SSP**
|
||||||
|
|
||||||
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
|
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
|
||||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
||||||
**\*\*\[**More information about Custom SSP here.\*\*\]\(custom-ssp.md\)
|
[**More information about Custom SSP here**](custom-ssp.md)**.**
|
||||||
|
|
||||||
### **DCShadow**
|
### **DCShadow**
|
||||||
|
|
||||||
It registers a **new Domain Controller** in the AD and uses it to **push attributes** \(SIDHistory, SPNs...\) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.
|
It registers a **new Domain Controller** in the AD and uses it to **push attributes** \(SIDHistory, SPNs...\) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.
|
||||||
Note that if you use wrong data, pretty ugly logs will appear.
|
Note that if you use wrong data, pretty ugly logs will appear.
|
||||||
**\*\*\[**More information about DCShadow here.\*\*\]\(dcshadow.md\)
|
[**More information about DCShadow here.**](dcshadow.md)\*\*\*\*
|
||||||
|
|
||||||
## **Forest Privilege Escalation -** Domain Trusts
|
## **Forest Privilege Escalation -** Domain Trusts
|
||||||
|
|
||||||
|
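Review bot: the AdminSDHolder link loses its section anchor in this hunk: the old line pointed at `privileged-accounts-and-token-privileges.md#adminsdholder-group`, while the new line `[**More information about AdminSDHolder Group here**](privileged-accounts-and-token-privileges.md)**.**` links only to the page, so readers land at the top instead of the AdminSDHolder section; restore the `#adminsdholder-group` fragment. The new DSRM line `[**More information about DSRM Credentials here.**](dsrm-credentials.md)\*\*\*\*` and the new DCShadow line `[**More information about DCShadow here.**](dcshadow.md)\*\*\*\*` also keep the trailing `\*\*\*\*` artifact that the rest of the commit removes. While these lines are open: "in the domain ad the impersonated user" should be "as the impersonated user", and "the **permissions** an **object** have **over** an **object**" should be "the permissions an object has over another object".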
@ -338,11 +338,11 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current
|
||||||
* Selective Authentication
|
* Selective Authentication
|
||||||
* In an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated. Individual access to domains and servers in the trusting domain/forest should be given.
|
* In an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated. Individual access to domains and servers in the trusting domain/forest should be given.
|
||||||
|
|
||||||
\*\*\*\*[**More information about domain trusts in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)\*\*\*\*
|
[**More information about domain trusts in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
|
||||||
|
|
||||||
## Some General Defenses
|
## Some General Defenses
|
||||||
|
|
||||||
\*\*\*\*[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)
|
[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)
|
||||||
**Please, find some migrations against each technique in the description of the technique.**
|
**Please, find some migrations against each technique in the description of the technique.**
|
||||||
|
|
||||||
* Not allow Domain Admins to login on any other hosts apart from Domain Controllers
|
* Not allow Domain Admins to login on any other hosts apart from Domain Controllers
|
||||||
|
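Review bot: "migrations" in `**Please, find some migrations against each technique in the description of the technique.**` should be "mitigations"; the line sits directly under the "Some General Defenses" heading, so the wrong word is confusing even though this hunk does not otherwise change it. In the same region, "Not allow Domain Admins to login on any other hosts" reads better as "Do not allow Domain Admins to log in on any other hosts". Dropping the leading and trailing `\*\*\*\*` around the ired.team and credentials-protections links is correct.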
@ -400,5 +400,5 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
|
||||||
|
|
||||||
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
||||||
|
|
||||||
|
|