From 24fe92663017f8ad651152dd9a048fd4603aec93 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 19 Nov 2023 10:38:58 +0100 Subject: [PATCH] Folder tree update --- .../bind-shell-cheatsheet.md} | 0 .../escape-breakout.md} | 0 .../hash-cracking.md} | 0 .../mimikatz-cheatsheet.md} | 0 .../miscellaneous-tricks.md} | 0 .../mssql-server-cheatsheet.md} | 0 .../network-discovery.md} | 0 .../powershell-cheatsheet.md} | 0 .../reverse-shell-cheatsheet.md} | 0 .../source-code-management-ci.md} | 0 docs/cloud/azure/azure-access-and-token.md | 30 +++++++-------- .../azure/azure-devices-users-services.md | 9 +++++ docs/cloud/azure/azure-enumeration.md | 5 ++- docs/cloud/azure/azure-phishing.md | 9 +++-- docs/cloud/azure/azure-services.md | 37 +++++++++++++++++-- ...trike - Cheatsheet.md => cobalt-strike.md} | 0 ...tasploit - Cheatsheet.md => metasploit.md} | 0 ...Docker Pentest.md => docker-containers.md} | 0 ...es Pentest.md => kubernetes-containers.md} | 0 ...meration.md => bug-hunting-methodology.md} | 2 +- ...ty Reports.md => vulnerability-reports.md} | 0 docs/pentest/.gitkeep | 0 .../attack-surface-enumeration.md | 0 .../html-smuggling.md} | 0 docs/redteam/{ => access}/initial-access.md | 0 .../office-attacks.md} | 0 .../windows-download-execute.md} | 0 .../windows-using-credentials.md} | 0 .../escalation/linux-privilege-escalation.md} | 0 .../windows-privilege-escalation.md} | 0 .../linux-evasion.md} | 0 .../windows-amsi-bypass.md} | 0 .../windows-defenses.md} | 0 .../windows-dpapi.md} | 0 .../linux-persistence.md} | 0 .../windows-persistence.md} | 0 .../pivoting/network-pivoting-techniques.md} | 0 37 files changed, 67 insertions(+), 25 deletions(-) rename docs/{pentest/Bind Shell Cheatsheet.md => cheatsheets/bind-shell-cheatsheet.md} (100%) rename docs/{pentest/Escape Breakout.md => cheatsheets/escape-breakout.md} (100%) rename docs/{pentest/Hash Cracking.md => cheatsheets/hash-cracking.md} (100%) rename docs/{redteam/Windows - Mimikatz.md => cheatsheets/mimikatz-cheatsheet.md} (100%) rename docs/{pentest/Miscellaneous - Tricks.md => cheatsheets/miscellaneous-tricks.md} (100%) rename docs/{pentest/MSSQL Server - Cheatsheet.md => cheatsheets/mssql-server-cheatsheet.md} (100%) rename docs/{pentest/Network Discovery.md => cheatsheets/network-discovery.md} (100%) rename docs/{pentest/Powershell - Cheatsheet.md => cheatsheets/powershell-cheatsheet.md} (100%) rename docs/{pentest/Reverse Shell Cheatsheet.md => cheatsheets/reverse-shell-cheatsheet.md} (100%) rename docs/{pentest/Source Code Management.md => cheatsheets/source-code-management-ci.md} (100%) rename docs/command-control/{Cobalt Strike - Cheatsheet.md => cobalt-strike.md} (100%) rename docs/command-control/{Metasploit - Cheatsheet.md => metasploit.md} (100%) rename docs/containers/{Container - Docker Pentest.md => docker-containers.md} (100%) rename docs/containers/{Container - Kubernetes Pentest.md => kubernetes-containers.md} (100%) rename docs/methodology/{Methodology and enumeration.md => bug-hunting-methodology.md} (99%) rename docs/methodology/{Vulnerability Reports.md => vulnerability-reports.md} (100%) delete mode 100644 docs/pentest/.gitkeep rename docs/redteam/{ => access}/attack-surface-enumeration.md (100%) rename docs/redteam/{HTML Smuggling.md => access/html-smuggling.md} (100%) rename docs/redteam/{ => access}/initial-access.md (100%) rename docs/redteam/{Office - Attacks.md => access/office-attacks.md} (100%) rename docs/redteam/{Windows - Download and Execute.md => access/windows-download-execute.md} (100%) rename docs/redteam/{Windows - Using credentials.md => access/windows-using-credentials.md} (100%) rename docs/{pentest/Linux - Privilege Escalation.md => redteam/escalation/linux-privilege-escalation.md} (100%) rename docs/{pentest/Windows - Privilege Escalation.md => redteam/escalation/windows-privilege-escalation.md} (100%) rename docs/redteam/{Linux - Evasion.md => evasion/linux-evasion.md} (100%) rename docs/redteam/{Windows - AMSI Bypass.md => evasion/windows-amsi-bypass.md} (100%) rename docs/redteam/{Windows - Defenses.md => evasion/windows-defenses.md} (100%) rename docs/redteam/{Windows - DPAPI.md => evasion/windows-dpapi.md} (100%) rename docs/redteam/{Linux - Persistence.md => persistence/linux-persistence.md} (100%) rename docs/redteam/{Windows - Persistence.md => persistence/windows-persistence.md} (100%) rename docs/{pentest/Network Pivoting Techniques.md => redteam/pivoting/network-pivoting-techniques.md} (100%) diff --git a/docs/pentest/Bind Shell Cheatsheet.md b/docs/cheatsheets/bind-shell-cheatsheet.md similarity index 100% rename from docs/pentest/Bind Shell Cheatsheet.md rename to docs/cheatsheets/bind-shell-cheatsheet.md diff --git a/docs/pentest/Escape Breakout.md b/docs/cheatsheets/escape-breakout.md similarity index 100% rename from docs/pentest/Escape Breakout.md rename to docs/cheatsheets/escape-breakout.md diff --git a/docs/pentest/Hash Cracking.md b/docs/cheatsheets/hash-cracking.md similarity index 100% rename from docs/pentest/Hash Cracking.md rename to docs/cheatsheets/hash-cracking.md diff --git a/docs/redteam/Windows - Mimikatz.md b/docs/cheatsheets/mimikatz-cheatsheet.md similarity index 100% rename from docs/redteam/Windows - Mimikatz.md rename to docs/cheatsheets/mimikatz-cheatsheet.md diff --git a/docs/pentest/Miscellaneous - Tricks.md b/docs/cheatsheets/miscellaneous-tricks.md similarity index 100% rename from docs/pentest/Miscellaneous - Tricks.md rename to docs/cheatsheets/miscellaneous-tricks.md diff --git a/docs/pentest/MSSQL Server - Cheatsheet.md b/docs/cheatsheets/mssql-server-cheatsheet.md similarity index 100% rename from docs/pentest/MSSQL Server - Cheatsheet.md rename to docs/cheatsheets/mssql-server-cheatsheet.md diff --git a/docs/pentest/Network Discovery.md b/docs/cheatsheets/network-discovery.md similarity index 100% rename from docs/pentest/Network Discovery.md rename to docs/cheatsheets/network-discovery.md diff --git a/docs/pentest/Powershell - Cheatsheet.md b/docs/cheatsheets/powershell-cheatsheet.md similarity index 100% rename from docs/pentest/Powershell - Cheatsheet.md rename to docs/cheatsheets/powershell-cheatsheet.md diff --git a/docs/pentest/Reverse Shell Cheatsheet.md b/docs/cheatsheets/reverse-shell-cheatsheet.md similarity index 100% rename from docs/pentest/Reverse Shell Cheatsheet.md rename to docs/cheatsheets/reverse-shell-cheatsheet.md diff --git a/docs/pentest/Source Code Management.md b/docs/cheatsheets/source-code-management-ci.md similarity index 100% rename from docs/pentest/Source Code Management.md rename to docs/cheatsheets/source-code-management-ci.md diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index f072c7d..c322c3c 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -69,21 +69,21 @@ roadtx gettokens --refresh-token -c 04b07795-8ddb-461a-bbee-02f9 ``` ``` -scope resource client -.default 04b07795-8ddb-461a-bbee-02f9e1bf7b46 04b07795-8ddb-461a-bbee-02f9e1bf7b46 - 1950a258-227b-4e31-a9cf-717495945fc2 1950a258-227b-4e31-a9cf-717495945fc2 - https://graph.microsoft.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 - 04b07795-8ddb-461a-bbee-02f9e1bf7b46 - https://graph.windows.net 00b41c95-dab0-4487-9791-b9d2c32c80f2 - 04b07795-8ddb-461a-bbee-02f9e1bf7b46 - https://outlook.office.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 - 04b07795-8ddb-461a-bbee-02f9e1bf7b46 -Files.Read.All d3590ed6-52b3-4102-aeff-aad2292ab01c d3590ed6-52b3-4102-aeff-aad2292ab01c - https://graph.microsoft.com d3590ed6-52b3-4102-aeff-aad2292ab01c - https://outlook.office.com 1fec8e78-bce4-4aaf-ab1b-5451cc387264 -Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 - https://outlook.office.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 - https://outlook.office365.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 +scope resource client +.default 04b07795-8ddb-461a-bbee-02f9e1bf7b46 04b07795-8ddb-461a-bbee-02f9e1bf7b46 + 1950a258-227b-4e31-a9cf-717495945fc2 1950a258-227b-4e31-a9cf-717495945fc2 + https://graph.microsoft.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 + 04b07795-8ddb-461a-bbee-02f9e1bf7b46 + https://graph.windows.net 00b41c95-dab0-4487-9791-b9d2c32c80f2 + 04b07795-8ddb-461a-bbee-02f9e1bf7b46 + https://outlook.office.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 + 04b07795-8ddb-461a-bbee-02f9e1bf7b46 +Files.Read.All d3590ed6-52b3-4102-aeff-aad2292ab01c d3590ed6-52b3-4102-aeff-aad2292ab01c + https://graph.microsoft.com 3590ed6-52b3-4102-aeff-aad2292ab01c + https://outlook.office.com 1fec8e78-bce4-4aaf-ab1b-5451cc387264 +Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 + https://outlook.office.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 + https://outlook.office365.com 00b41c95-dab0-4487-9791-b9d2c32c80f2 ``` diff --git a/docs/cloud/azure/azure-devices-users-services.md b/docs/cloud/azure/azure-devices-users-services.md index 50104b2..0949f17 100644 --- a/docs/cloud/azure/azure-devices-users-services.md +++ b/docs/cloud/azure/azure-devices-users-services.md @@ -11,6 +11,15 @@ ```ps1 ``` +* Add user to a group + ```ps1 + $groupid = "" + $targetmember = "" + $group = Get-MgGroup -GroupId $groupid + $members = Get-MgGroupMember -GroupId $groupid + New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember + ``` + ## Devices diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index 2ee8ca0..f2d8ac6 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md @@ -22,10 +22,13 @@ Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table ``` -## Azure AD - Conditionnal Access +## Azure AD - Conditionnal Access Policy Enumerate Conditionnal Access Policies: `roadrecon plugin policies` + + + ## Azure AD - MFA * [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services diff --git a/docs/cloud/azure/azure-phishing.md b/docs/cloud/azure/azure-phishing.md index c1de3e0..98b35b0 100644 --- a/docs/cloud/azure/azure-phishing.md +++ b/docs/cloud/azure/azure-phishing.md @@ -5,10 +5,11 @@ > The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole` -* **Disable user consent** : Users cannot grant permissions to applications. -* **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant -* **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent, -* **Custom app consent policy** + +* **Disable user consent** : Users cannot grant permissions to applications. +* **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant +* **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent. +* **Custom app consent policy** ### Register Application diff --git a/docs/cloud/azure/azure-services.md b/docs/cloud/azure/azure-services.md index 6bcbb8d..5e43ebd 100644 --- a/docs/cloud/azure/azure-services.md +++ b/docs/cloud/azure/azure-services.md @@ -22,9 +22,27 @@ Runbook must be SAVED and PUBLISHED before running it. ``` +## Microsoft Intune + +* LAPS + ```ps1 + #requires -modules Microsoft.Graph.Authentication + #requires -modules Microsoft.Graph.Intune + #requires -modules LAPS + #requires -modules ImportExcel + + $DaysBack = 30 + Connect-MgGraph + Get-IntuneManagedDevice -Filter "Platform eq 'Windows'" | + Foreach-Object {Get-LapsAADPassword -DevicesIds $_.DisplayName} | + Where-Object {$_.PasswordExpirationTime -lt (Get-Date).AddDays(-$DaysBack)} | + Export-Excel -Path "c:\temp\lapsdata.xlsx" - ClearSheet -AutoSize -Show + ``` + + ## Office 365 -### Extracting Microsoft Teams Messages +### Microsoft Teams Messages ```ps1 TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local @@ -32,15 +50,26 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | ``` -## Outlook +## Outlook Mails -* Read user messages +* Read user mails ```ps1 Get-MgUserMessage -UserId | ft Get-MgUserMessageContent -OutFile mail.txt -UserId -MessageId ``` +## OneDrive Files + +```ps1 +$userId = "" +Import-Module Microsoft.Graph.Files +Get-MgUserDefaultDrive -UserId $userId +Get-MgUserDrive -UserId $UserId -Debug +Get-MgDrive -top 1 +``` + ## References -* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell) \ No newline at end of file +* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell) +* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview) \ No newline at end of file diff --git a/docs/command-control/Cobalt Strike - Cheatsheet.md b/docs/command-control/cobalt-strike.md similarity index 100% rename from docs/command-control/Cobalt Strike - Cheatsheet.md rename to docs/command-control/cobalt-strike.md diff --git a/docs/command-control/Metasploit - Cheatsheet.md b/docs/command-control/metasploit.md similarity index 100% rename from docs/command-control/Metasploit - Cheatsheet.md rename to docs/command-control/metasploit.md diff --git a/docs/containers/Container - Docker Pentest.md b/docs/containers/docker-containers.md similarity index 100% rename from docs/containers/Container - Docker Pentest.md rename to docs/containers/docker-containers.md diff --git a/docs/containers/Container - Kubernetes Pentest.md b/docs/containers/kubernetes-containers.md similarity index 100% rename from docs/containers/Container - Kubernetes Pentest.md rename to docs/containers/kubernetes-containers.md diff --git a/docs/methodology/Methodology and enumeration.md b/docs/methodology/bug-hunting-methodology.md similarity index 99% rename from docs/methodology/Methodology and enumeration.md rename to docs/methodology/bug-hunting-methodology.md index e6d2081..8d48514 100644 --- a/docs/methodology/Methodology and enumeration.md +++ b/docs/methodology/bug-hunting-methodology.md @@ -1,4 +1,4 @@ -# Bug Hunting Methodology and Enumeration +# Bug Hunting Methodology ## Summary diff --git a/docs/methodology/Vulnerability Reports.md b/docs/methodology/vulnerability-reports.md similarity index 100% rename from docs/methodology/Vulnerability Reports.md rename to docs/methodology/vulnerability-reports.md diff --git a/docs/pentest/.gitkeep b/docs/pentest/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/docs/redteam/attack-surface-enumeration.md b/docs/redteam/access/attack-surface-enumeration.md similarity index 100% rename from docs/redteam/attack-surface-enumeration.md rename to docs/redteam/access/attack-surface-enumeration.md diff --git a/docs/redteam/HTML Smuggling.md b/docs/redteam/access/html-smuggling.md similarity index 100% rename from docs/redteam/HTML Smuggling.md rename to docs/redteam/access/html-smuggling.md diff --git a/docs/redteam/initial-access.md b/docs/redteam/access/initial-access.md similarity index 100% rename from docs/redteam/initial-access.md rename to docs/redteam/access/initial-access.md diff --git a/docs/redteam/Office - Attacks.md b/docs/redteam/access/office-attacks.md similarity index 100% rename from docs/redteam/Office - Attacks.md rename to docs/redteam/access/office-attacks.md diff --git a/docs/redteam/Windows - Download and Execute.md b/docs/redteam/access/windows-download-execute.md similarity index 100% rename from docs/redteam/Windows - Download and Execute.md rename to docs/redteam/access/windows-download-execute.md diff --git a/docs/redteam/Windows - Using credentials.md b/docs/redteam/access/windows-using-credentials.md similarity index 100% rename from docs/redteam/Windows - Using credentials.md rename to docs/redteam/access/windows-using-credentials.md diff --git a/docs/pentest/Linux - Privilege Escalation.md b/docs/redteam/escalation/linux-privilege-escalation.md similarity index 100% rename from docs/pentest/Linux - Privilege Escalation.md rename to docs/redteam/escalation/linux-privilege-escalation.md diff --git a/docs/pentest/Windows - Privilege Escalation.md b/docs/redteam/escalation/windows-privilege-escalation.md similarity index 100% rename from docs/pentest/Windows - Privilege Escalation.md rename to docs/redteam/escalation/windows-privilege-escalation.md diff --git a/docs/redteam/Linux - Evasion.md b/docs/redteam/evasion/linux-evasion.md similarity index 100% rename from docs/redteam/Linux - Evasion.md rename to docs/redteam/evasion/linux-evasion.md diff --git a/docs/redteam/Windows - AMSI Bypass.md b/docs/redteam/evasion/windows-amsi-bypass.md similarity index 100% rename from docs/redteam/Windows - AMSI Bypass.md rename to docs/redteam/evasion/windows-amsi-bypass.md diff --git a/docs/redteam/Windows - Defenses.md b/docs/redteam/evasion/windows-defenses.md similarity index 100% rename from docs/redteam/Windows - Defenses.md rename to docs/redteam/evasion/windows-defenses.md diff --git a/docs/redteam/Windows - DPAPI.md b/docs/redteam/evasion/windows-dpapi.md similarity index 100% rename from docs/redteam/Windows - DPAPI.md rename to docs/redteam/evasion/windows-dpapi.md diff --git a/docs/redteam/Linux - Persistence.md b/docs/redteam/persistence/linux-persistence.md similarity index 100% rename from docs/redteam/Linux - Persistence.md rename to docs/redteam/persistence/linux-persistence.md diff --git a/docs/redteam/Windows - Persistence.md b/docs/redteam/persistence/windows-persistence.md similarity index 100% rename from docs/redteam/Windows - Persistence.md rename to docs/redteam/persistence/windows-persistence.md diff --git a/docs/pentest/Network Pivoting Techniques.md b/docs/redteam/pivoting/network-pivoting-techniques.md similarity index 100% rename from docs/pentest/Network Pivoting Techniques.md rename to docs/redteam/pivoting/network-pivoting-techniques.md