AD stuff

2022-03-24 00:45:15 +01:00 · 2022-03-24 00:45:15 +01:00 · 2080dc8554
parent fdb8bacf6d
commit 2080dc8554
6 changed files with 134 additions and 31 deletions
--- a/exploit/web/xss.md
+++ b/exploit/web/xss.md
@ -121,6 +121,13 @@ document.onkeypress = function (e) {
 }
 </script>
 ```
+
+## Tab Nabbing
+
+* Redirection of source after opening a tab through a provisioned link and back referencing 
+* [Hacktricks Tabnabbing](https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing)
+
+
 ## Tricks and Tips
 * Use Polyglots
 * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
--- a/exploit/windows/docs/llmnr.md
+++ b/exploit/windows/docs/llmnr.md
@ -0,0 +1,20 @@
+# Link Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS)
+
+* __LLMNR__, name resolutions inside the local domain for other hosts
+* __NBT-NS__, identifying hosts in the network by NetBIOS names
+
+* Impersonating the actual service to get credentials
+
+## Usage
+
+* From [responder](./responder.md)
+```sh
+sudo responder -I <NIC> -rdw -v 
+```
+
+* Dictionary attack on catched password
+```sh
+hashcat -m 5600 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule
+```
+
+
--- a/hashes/password_cracking/colabcat
+++ b/hashes/password_cracking/colabcat
@ -1 +1 @@
-Subproject commit 8642f3c3fc588e246a0c6e05697289e65f087a98
+Subproject commit 3e6dcae3fb2b917d16d2cf527c6f4538200fc081
--- a/misc/active_directory/AD_CS.md
+++ b/misc/active_directory/AD_CS.md
--- a/misc/active_directory/active_directory.md
+++ b/misc/active_directory/active_directory.md
@ -0,0 +1,106 @@
+# Active Directory Enumeration
+
+* Consists of
+    * Domain Controller 
+    * Organizational Units
+        * Users
+        * Groups
+    * Trusts
+    * AD Domains
+    * AD Forest
+    * Policies
+
+* Administrative accounts are
+    * Domain Admin
+    * Enterprise Admin
+    * Schema Admin
+    * Server Operator
+    * Account Operator
+
+## Domain Controller
+
+* AD Domain Services data store
+* Authentication and authorization
+* Update replication / sync with other domain controllers in the forest
+* Administration of domain resources
+
+### AD DS Store
+
+* Database of directory info such as users, groups and services
+    * `ntdis.dit` contains the information, including password hashes
+    * `SystemRoot%\NTDS`
+
+### Forest
+
+* __Trees__, hierarchy of domains in the AD Domain Services
+* __Domains__, groups of objects
+* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
+* __Trusts__, allows users to access resources in a different domain
+* __Objects__ users, groups, printers, computers or shares
+* __Domain Services__, DNS, LLMNR, SMB
+* __Domain Schema__, Rules for object creation
+
+### Users
+
+* __Domain Admin__, DC access
+* __Server Accounts__, service maintenance, may have admin permissions
+* __Local Admin__, administrative persmission on an object but not the DC
+* __Domain Users__, average user account on a local machine which may have admin permissions
+
+
+### Policies
+
+* Rule sets
+* Apply to a domain
+* Enable or disables services on a domain basis, like antivirus and malware scanning
+    * __Disable Windows Defender__
+    * Communication signing, e.g. SMB
+
+### Domain Services 
+
+* __LDAP__
+* __Certificates__ handling for services, CRL
+* __DNS, LLMNR, NBT-NS__
+
+### Authentication
+
+* __NTLM__, ticket granting service 
+* __Kerberos__, challenge/response via hashes
+
+## Usage
+
+* Cmdlets on Domain Controller
+* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`
+
+* From `ActiveDirectory` module
+```sh
+Import-Module Active-Directory
+Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
+Get-ADForest | Select-Object Domains
+Get-ADTrust -Filter * | Select-Object Direction,Source,Target
+```
+
+* `systeminfo | findstr Domain`
+* `Get-ADUser -filter *`
+* Use found CN and DC and specify
+* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
+
+### Powerview Module
+
+* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
+```sh
+Import-Module .\PowerView.ps1
+Get-NetDomain
+Get-NetDomainController
+Get-NetForest
+Get-NetDomainTrust
+```
+
+### DNS
+* Check ip via `ipconfig`
+* `nslookup`, then `server <LocalIP>` and zone transfer via 
+```sh
+ls -d <Domain>
+```
+
+
--- a/post_exploitation/docs/windows/active_directory.md
+++ b/post_exploitation/docs/windows/active_directory.md
@ -1,30 +0,0 @@
-# Active Directory Enumeration
-
-* Consists of
-    * Domain Controller 
-    * Organizational Units
-    * AD Domains
-    * AD Forest
-
-* Administrative accounts are
-    * Domain Admin
-    * Enterprise Admin
-    * Schema Admin
-    * Server Operator
-    * Account Operator
-
-## Usage
-
-* `systeminfo | findstr Domain`
-* `Get-ADUser -filter *`
-* Use found CN and DC and specify
-* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
-
-### DNS
-* Check ip via `ipconfig`
-* `nslookup`, then `server <LocalIP>` and zone transfer via 
-```sh
-ls -d <Domain>
-```
-
-