From 2080dc85540f00b4d13707bd63a12de998a5902b Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 24 Mar 2022 00:45:15 +0100 Subject: [PATCH] AD stuff --- exploit/web/xss.md | 7 ++ exploit/windows/docs/llmnr.md | 20 ++++ hashes/password_cracking/colabcat | 2 +- misc/{ => active_directory}/AD_CS.md | 0 misc/active_directory/active_directory.md | 106 ++++++++++++++++++ .../docs/windows/active_directory.md | 30 ----- 6 files changed, 134 insertions(+), 31 deletions(-) create mode 100644 exploit/windows/docs/llmnr.md rename misc/{ => active_directory}/AD_CS.md (100%) create mode 100644 misc/active_directory/active_directory.md delete mode 100644 post_exploitation/docs/windows/active_directory.md diff --git a/exploit/web/xss.md b/exploit/web/xss.md index d2eb8a2..2e78749 100644 --- a/exploit/web/xss.md +++ b/exploit/web/xss.md @@ -121,6 +121,13 @@ document.onkeypress = function (e) { } ``` + +## Tab Nabbing + +* Redirection of source after opening a tab through a provisioned link and back referencing +* [Hacktricks Tabnabbing](https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing) + + ## Tricks and Tips * Use Polyglots * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) diff --git a/exploit/windows/docs/llmnr.md b/exploit/windows/docs/llmnr.md new file mode 100644 index 0000000..ae775a1 --- /dev/null +++ b/exploit/windows/docs/llmnr.md 
@@ -0,0 +1,20 @@ +# Link Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) + +* __LLMNR__, name resolutions inside the local domain for other hosts +* __NBT-NS__, identifying hosts in the network by NetBIOS names + +* Impersonating the actual service to get credentials + +## Usage + +* From [responder](./responder.md) +```sh +sudo responder -I -rdw -v +``` + +* Dictionary attack on catched password +```sh +hashcat -m 5600 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule +``` + + diff --git a/hashes/password_cracking/colabcat b/hashes/password_cracking/colabcat index 8642f3c..3e6dcae 160000 --- a/hashes/password_cracking/colabcat +++ b/hashes/password_cracking/colabcat @@ -1 +1 @@ -Subproject commit 8642f3c3fc588e246a0c6e05697289e65f087a98 +Subproject commit 3e6dcae3fb2b917d16d2cf527c6f4538200fc081 diff --git a/misc/AD_CS.md b/misc/active_directory/AD_CS.md similarity index 100% rename from misc/AD_CS.md rename to misc/active_directory/AD_CS.md diff --git a/misc/active_directory/active_directory.md b/misc/active_directory/active_directory.md new file mode 100644 index 0000000..0d44677 --- /dev/null +++ b/misc/active_directory/active_directory.md 
@@ -0,0 +1,106 @@ +# Active Directory Enumeration + +* Consists of + * Domain Controller + * Organizational Units + * Users + * Groups + * Trusts + * AD Domains + * AD Forest + * Policies + +* Administrative accounts are + * Domain Admin + * Enterprise Admin + * Schema Admin + * Server Operator + * Account Operator + +## Domain Controller + +* AD Domain Services data store +* Authentication and authorization +* Update replication / sync with other domain controllers in the forest +* Administration of domain resources + +### AD DS Store + +* Database of directory info such as users, groups and services + * `ntdis.dit` contains the information, including password hashes + * `SystemRoot%\NTDS` + +### Forest + +* __Trees__, hierarchy of domains in the AD Domain Services +* __Domains__, groups of objects +* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources +* __Trusts__, allows users to access resources in a different domain +* __Objects__ users, groups, printers, computers or shares +* __Domain Services__, DNS, LLMNR, SMB +* __Domain Schema__, Rules for object creation + +### Users + +* __Domain Admin__, DC access +* __Server Accounts__, service maintenance, may have admin permissions +* __Local Admin__, administrative persmission on an object but not the DC +* __Domain Users__, average user account on a local machine which may have admin permissions + + +### Policies + +* Rule sets +* Apply to a domain +* Enable or disables services on a domain basis, like antivirus and malware scanning + * __Disable Windows Defender__ + * Communication signing, e.g. 
SMB + +### Domain Services + +* __LDAP__ +* __Certificates__ handling for services, CRL +* __DNS, LLMNR, NBT-NS__ + +### Authentication + +* __NTLM__, ticket granting service +* __Kerberos__, challenge/response via hashes + +## Usage + +* Cmdlets on Domain Controller +* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*` + +* From `ActiveDirectory` module +```sh +Import-Module Active-Directory +Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster +Get-ADForest | Select-Object Domains +Get-ADTrust -Filter * | Select-Object Direction,Source,Target +``` + +* `systeminfo | findstr Domain` +* `Get-ADUser -filter *` +* Use found CN and DC and specify +* `Get-ADUser -filter * -searchBase "CN=Users,DC=,DC="` + +### Powerview Module + +* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) +```sh +Import-Module .\PowerView.ps1 +Get-NetDomain +Get-NetDomainController +Get-NetForest +Get-NetDomainTrust +``` + +### DNS +* Check ip via `ipconfig` +* `nslookup`, then `server ` and zone transfer via +```sh +ls -d +``` + + diff --git a/post_exploitation/docs/windows/active_directory.md b/post_exploitation/docs/windows/active_directory.md deleted file mode 100644 index c0d8723..0000000 --- a/post_exploitation/docs/windows/active_directory.md +++ /dev/null @@ -1,30 +0,0 @@ -# Active Directory Enumeration - -* Consists of - * Domain Controller - * Organizational Units - * AD Domains - * AD Forest - -* Administrative accounts are - * Domain Admin - * Enterprise Admin - * Schema Admin - * Server Operator - * Account Operator - -## Usage - -* `systeminfo | findstr Domain` -* `Get-ADUser -filter *` -* Use found CN and DC and specify -* `Get-ADUser -filter * -searchBase "CN=Users,DC=,DC="` - -### DNS -* Check ip via `ipconfig` -* `nslookup`, then `server ` and zone transfer via -```sh -ls -d -``` - -
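Review bot: the Tab Nabbing entry added to exploit/web/xss.md records the symptom (the originating page is redirected after a link opens a new tab) but neither the mechanism nor the fix, so the note is unusable without following the external link. Suggest one more line stating that the opened page reaches the originating one through `window.opener`, and that the defence is to open such links with `rel="noopener noreferrer"` (or `window.open(url, '_blank', 'noopener')`) so the reference is never handed over; "back referencing" also reads as a typo for "back-referencing the opener".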
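Review bot: `sudo responder -I -rdw -v` in the new exploit/windows/docs/llmnr.md does not run as written, because `-I` takes an interface name and `-rdw` would be read as that name; write it as `sudo responder -I <interface> -rdw -v`. Two wording fixes in the same hunk: "Dictionary attack on catched password" should read "caught", and what is captured here is a NetNTLMv2 challenge/response (which is why hashcat mode 5600 is used), not a password, so the bullet should say so. The link `[responder](./responder.md)` points at a file that is not part of this patch; confirm it exists under exploit/windows/docs/ or the link is dead on arrival.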
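Review bot: the hashes/password_cracking/colabcat submodule pointer moves from 8642f3c to 3e6dcae in a commit whose message is "AD stuff"; the change is unrelated to the Active Directory notes and nothing records what the newer submodule commit brings. Split it into its own commit, or at least state the reason in the message so that someone bisecting later is not surprised.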
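Review bot: the rename of misc/AD_CS.md to misc/active_directory/AD_CS.md is a pure move, but any relative links to the old path elsewhere in the repository are not touched by this patch; grep for `AD_CS.md` before merging so the move does not leave dangling links.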
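Review bot: the Authentication section of the new misc/active_directory/active_directory.md has the two protocols swapped: NTLM is the challenge/response scheme over password hashes and Kerberos is the ticket-based one (the ticket-granting service is part of the KDC), so the bullets should read `* __NTLM__, challenge/response via hashes` and `* __Kerberos__, ticket-based, ticket granting service`. Further corrections in the same hunk: the directory database is `ntds.dit`, not `ntdis.dit`, and its path lacks the leading percent sign (`%SystemRoot%\NTDS`); `Import-Module Active-Directory` should be `Import-Module ActiveDirectory`, the module name the bullet above it already uses; and the PowerShell blocks are fenced as `sh`, where `powershell` would highlight correctly. Minor wording: "persmission" -> "permission", "Enable or disables" -> "Enables or disables", and "__Objects__ users" is missing its comma. The `-searchBase "CN=Users,DC=,DC="` line works as a template, but the `ls -d` line under DNS should say that it takes the zone name as argument and that it only returns data where the server permits zone transfers to arbitrary clients, which is exactly the misconfiguration the check is looking for.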
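Review bot: deleting post_exploitation/docs/windows/active_directory.md while its whole content reappears verbatim inside misc/active_directory/active_directory.md makes this a move with additions rather than a delete plus a create; git did not pair the two because the new file is much larger, so moving the file in one commit (`git mv`) and extending it in the next would keep the history of the Usage and DNS bullets attached to the file. Links to the post_exploitation path elsewhere in the repo also need updating.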