Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3580] No subject

Browse source
This commit is contained in:
CPol 2022-10-08 08:34:51 +00:00 committed by gitbook-bot
parent e5213fb8a7
commit dcf87c69db
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 6 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
c2/cobalt-strike.md
View file

@ -216,7 +216,7 @@ Don't forget to load the aggressive script `ResourceKit\resources.cna` to indica
cd C:\Tools\neo4j\bin
neo4j.bat console
http://localhost:7474/ --> Change password
execute-assembly C:\Tools\SharpHound3\SharpHound3\bin\Debug\SharpHound.exe -c All -d cyberbotic.io
execute-assembly C:\Tools\SharpHound3\SharpHound3\bin\Debug\SharpHound.exe -c All -d DOMAIN.LOCAL

3
network-services-pentesting/pentesting-postgresql.md
View file

@ -61,9 +61,6 @@ SELECT usename, passwd from pg_shadow;
#Check if plpgsql is enabled
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql'
# Sow installed extensions
SHOW rds.extensions
```
For more information about **how to abuse a PostgreSQL database** check:

2
windows-hardening/active-directory-methodology/README.md
View file

@ -403,7 +403,7 @@ For example you could:
* Grant [**DCSync**](./#dcsync) privileges to a user
```powershell
Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
Add-DomainObjectAcl -TargetIdentity "DC=dev,DC=cyberbotic,DC=io" -PrincipalIdentity bfarmer -Rights DCSync
```
### Silver Ticket

8
windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
View file

@ -33,16 +33,16 @@ WhenChanged : 2/19/2021 10:15:24 PM
Get-DomainForeignGroupMember
GroupDomain : root.local
GroupName : External Users
GroupDistinguishedName : CN=External Users,CN=Users,DC=cyberbotic,DC=io
GroupDistinguishedName : CN=External Users,CN=Users,DC=DOMAIN,DC=LOCAL
MemberDomain : root.io
MemberName : S-1-5-21-3022719512-2989052766-178205875-1115
MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=ForeignSecurityPrincipals,DC=cyberbotic,DC=io
MemberName : S-1-5-21-1028541967-2937615241-1935644758-1115
MemberDistinguishedName : CN=S-1-5-21-1028541967-2937615241-1935644758-1115,CN=ForeignSecurityPrincipals,DC=DOMAIN,DC=LOCAL
## Note how the members aren't from the current domain (ConvertFrom-SID won't work)
```
## Trust Account Attack
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_\*\* trusts **\_**A**\_), a \_**trust account**\_** is created in domain **\_**A**\_**, named **\_**B$**\_. Kerberos \_**trust keys\*\*,\_ derived from the **trust accounts password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_ trusts A), a trust account is created in domain **A**, named **B. Kerberos trust keys**,\_derived from the **trust accounts password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
It's possible to obtain the password and hash of the trusted account from a Domain Controller using: