ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

DPAPI LocalMachine + BitLocker

Browse Source
This commit is contained in:
Swissky 2023-05-08 17:08:25 +02:00
parent 0dd92aa89d
commit 5af6a23a2e
5 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
API Key Leaks/README.md
View File

@ -45,7 +45,7 @@
python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/
```
- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
## Exploit

4
Methodology and Resources/Active Directory Attack.md
View File

@ -60,7 +60,7 @@
- [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
- [Kerberoasting](#kerberoasting)
- [KRB_AS_REP Roasting](#krb_as_rep-roasting)
- [CVE-2022-33679 (RC4 Is Still Considered Harmful)](#cve-2022-33679-rc4-is-still-considered-harmful)
- [CVE-2022-33679](#cve-2022-33679)
- [Timeroasting](#timeroasting)
- [Pass-the-Hash](#pass-the-hash)
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
@ -1982,7 +1982,7 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
## CVE-2022-33679 (RC4 Is Still Considered Harmful)
## CVE-2022-33679
> CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we dont need a clients password..

1
Methodology and Resources/Office - Attacks.md
View File

@ -744,3 +744,4 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
* [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/)

14
Methodology and Resources/Windows - DPAPI.md
View File

@ -6,6 +6,7 @@
* [Data Protection API](#data-protection-api)
* [List Credential Files](#list-credential-files)
* [DPAPI LocalMachine Context](#dpapi-localmachine-context)
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
* [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain)
* [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely)
@ -37,6 +38,19 @@ Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
```
### DPAPI LocalMachine Context
The `LocalMachine` context is used to protect data that is intended to be shared across different users or services on a single machine. This means that any user or service running on the machine can access the protected data with the appropriate credentials.
In contrast, the `CurrentUser` context is used to protect data that is intended to be accessed only by the user who encrypted it, and cannot be accessed by other users or services on the same machine.
```ps1
$a = [System.Convert]::FromBase64String("AQAAANCMnd[...]")
$b = [System.Security.Cryptography.ProtectedData]::Unprotect($a, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::ASCII.GetString($b)
```
### Mimikatz - Credential Manager & DPAPI
```powershell

9
Methodology and Resources/Windows - Defenses.md
View File

@ -365,6 +365,15 @@ The **Enterprise Context** column shows you what each app can do with your enter
* **Exempt**. Shows the text, Exempt. Windows Information Protection policies don't apply to these apps (such as, system components).
## BitLocker Drive Encryption
BitLocker is a full-disk encryption feature included in Microsoft Windows operating systems starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. BitLocker uses AES encryption algorithm to encrypt data on the disk. When enabled, BitLocker requires a user to enter a password or insert a USB flash drive to unlock the encrypted volume before the operating system is loaded, ensuring that data on the disk is protected from unauthorized access. BitLocker is commonly used on laptops, portable storage devices, and other mobile devices to protect sensitive data in case of theft or loss.
When BitLocker is in `Suspended` state, boot the system using a Windows Setup USB, and then decrypt the drive using this command: `manage-bde -off c:`
You can check if it is done decrypting using this command: `manage-bde -status`
## References
* [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)