whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

AD stuff

This commit is contained in:
Stefan Friese 2022-03-24 00:45:15 +01:00
parent fdb8bacf6d
commit 2080dc8554
6 changed files with 134 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
exploit/web/xss.md
View File

@ -121,6 +121,13 @@ document.onkeypress = function (e) {
} }
</script> </script>
``` ```
## Tab Nabbing
* Redirection of source after opening a tab through a provisioned link and back referencing
* [Hacktricks Tabnabbing](https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing)
## Tricks and Tips ## Tricks and Tips
* Use Polyglots * Use Polyglots
* [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)

20
exploit/windows/docs/llmnr.md Normal file
View File

@ -0,0 +1,20 @@
# Link Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS)
* __LLMNR__, name resolutions inside the local domain for other hosts
* __NBT-NS__, identifying hosts in the network by NetBIOS names
* Impersonating the actual service to get credentials
## Usage
* From [responder](./responder.md)
```sh
sudo responder -I <NIC> -rdw -v
```
* Dictionary attack on catched password
```sh
hashcat -m 5600 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule
```

2
hashes/password_cracking/colabcat

@ -1 +1 @@
Subproject commit 8642f3c3fc588e246a0c6e05697289e65f087a98 Subproject commit 3e6dcae3fb2b917d16d2cf527c6f4538200fc081

0
misc/AD_CS.md → misc/active_directory/AD_CS.md
View File

106
misc/active_directory/active_directory.md Normal file
View File

@ -0,0 +1,106 @@
# Active Directory Enumeration
* Consists of
* Domain Controller
* Organizational Units
* Users
* Groups
* Trusts
* AD Domains
* AD Forest
* Policies
* Administrative accounts are
* Domain Admin
* Enterprise Admin
* Schema Admin
* Server Operator
* Account Operator
## Domain Controller
* AD Domain Services data store
* Authentication and authorization
* Update replication / sync with other domain controllers in the forest
* Administration of domain resources
### AD DS Store
* Database of directory info such as users, groups and services
* `ntdis.dit` contains the information, including password hashes
* `SystemRoot%\NTDS`
### Forest
* __Trees__, hierarchy of domains in the AD Domain Services
* __Domains__, groups of objects
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
* __Trusts__, allows users to access resources in a different domain
* __Objects__ users, groups, printers, computers or shares
* __Domain Services__, DNS, LLMNR, SMB
* __Domain Schema__, Rules for object creation
### Users
* __Domain Admin__, DC access
* __Server Accounts__, service maintenance, may have admin permissions
* __Local Admin__, administrative persmission on an object but not the DC
* __Domain Users__, average user account on a local machine which may have admin permissions
### Policies
* Rule sets
* Apply to a domain
* Enable or disables services on a domain basis, like antivirus and malware scanning
* __Disable Windows Defender__
* Communication signing, e.g. SMB
### Domain Services
* __LDAP__
* __Certificates__ handling for services, CRL
* __DNS, LLMNR, NBT-NS__
### Authentication
* __NTLM__, ticket granting service
* __Kerberos__, challenge/response via hashes
## Usage
* Cmdlets on Domain Controller
* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`
* From `ActiveDirectory` module
```sh
Import-Module Active-Directory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
```
* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
### Powerview Module
* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```sh
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
```
### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via
```sh
ls -d <Domain>
```

30
post_exploitation/docs/windows/active_directory.md
View File

@ -1,30 +0,0 @@
# Active Directory Enumeration
* Consists of
* Domain Controller
* Organizational Units
* AD Domains
* AD Forest
* Administrative accounts are
* Domain Admin
* Enterprise Admin
* Schema Admin
* Server Operator
* Account Operator
## Usage
* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via
```sh
ls -d <Domain>
```