From 540d3ca399321618fabb417fa7d5d6aa4eb07ee5 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 5 Mar 2022 18:31:15 +0100 Subject: [PATCH] Vajra + MSSQL hashes --- .../Cloud - Azure Pentest.md | 10 +++++++++- .../MSSQL Server - Cheatsheet.md | 16 ++++++++++++++++ .../Windows - Privilege Escalation.md | 10 ++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index ca9c9e0..65dc4d7 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -13,6 +13,10 @@ * [Enumeration methodology](#enumeration-methodology) * [Phishing with Evilginx2](#phishing-with-evilginx2) * [Illicit Consent Grant](#illicit-consent-grant) + * [Register Application](#register-application) + * [Configure Application](#configure-application) + * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated) + * [Setup Vajra](#setup-vajra) * [Device Code Phish](#device-code-phish) * [Token from Managed Identity](#token-from-managed-identity) * [Azure API via Powershell](#azure-api-via-powershell) @@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS * User.ReadBasic.All * User.Read -### Setup 365-Stealer +### Setup 365-Stealer (Deprecated) :warning: Default port for 365-Stealer phishing is 443 
@@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token - Find the Phishing URL: go to `https://:` and click on **Read More** button or in the console. +### Setup Vajra + +> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra + **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu". diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md index 485649a..7c693f0 100644 --- a/Methodology and Resources/MSSQL Server - Cheatsheet.md +++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md @@ -54,6 +54,7 @@ * [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database) * [Exploiting Impersonation](#exploiting-impersonation) * [Exploiting Nested Impersonation](#exploiting-nested-impersonation) + * [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes) * [References](#references) ## Identify Instances and Databases 
@@ -537,6 +538,21 @@ SELECT ORIGINAL_LOGIN() SELECT SYSTEM_USER ``` +### MSSQL Accounts and Hashes + +```sql +SELECT name, password_hash FROM sys.sql_logins +``` + +Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force` + +```ps1 +131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 +132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe +1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 +``` + + ## References * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8743b0f..7aa2995 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -14,6 +14,7 @@ * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) + * [LAPS Settings](#laps-settings) * [HiveNightmare](#hivenightmare) * [Search for file contents](#search-for-file-contents) * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) 
@@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash. +### LAPS Settings + +Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry. + +* LAPS Enabled: AdmPwdEnabled +* LAPS Admin Account Name: AdminAccountName +* LAPS Password Complexity: PasswordComplexity +* LAPS Password Length: PasswordLength +* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled ### HiveNightmare
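Review bot: in the Azure TOC hunk (`@@ -13,6 +13,10 @@`), the new entries `[Register Application](#register-application)` and `[Configure Application](#configure-application)` point at headings that do not appear anywhere in this patch; please confirm that `### Register Application` and `### Configure Application` already exist in the file, otherwise both anchors are dead links. The other two entries do match the `### Setup 365-Stealer (Deprecated)` and `### Setup Vajra` headings added further down.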
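Review bot: the `@@ -396,7 +400,7 @@` hunk marks 365-Stealer as deprecated in the heading only, while the `:warning:` line and the `--refresh-token` usage notes beneath it are unchanged, so a reader cannot tell why it is deprecated or what replaces it. A single sentence under the heading giving the reason and pointing at the section that now covers the same consent-grant workflow would make the deprecation actionable.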
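Review bot: the `### Setup Vajra` hunk adds a section titled "Setup" that contains no setup or usage steps, only a quoted project description with the repository URL glued onto the end of the blockquote. Either add the steps (as the 365-Stealer section does) or rename the heading to `### Vajra`, and move ` - https://github.com/TROUBLE-1/Vajra` out of the quote onto its own line so the quoted text remains a faithful citation. Also, the existing `**Mitigation**: Enable \`Do not allow user consent\` ...` line now reads as part of the Vajra subsection rather than as the mitigation for the whole Illicit Consent Grant technique; giving it its own `### Mitigation` heading (and a TOC entry) would let defenders find it directly.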
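Review bot: in the `@@ -537,6 +538,21 @@` hunk, the block holding the three sample hashes is fenced as `ps1` but it is not PowerShell; it is hashcat's mode/format/example-hash table, so tag it `text` and say in the introducing sentence that these are hashcat's reference examples for each format, not output of the `sys.sql_logins` query above. Two correctness points follow from that table: the one-liner hardcodes `-m 1731`, which only fits the `0x0200...` (SQL Server 2012+, SHA-512) hashes, while `0x0100...` (2000/2005, SHA-1) hashes need 131 or 132, so state that the mode is chosen from the hash prefix; and `--force` makes hashcat ignore its own warnings and does not belong in a copy-paste default. Style: drop the space in `Hashcat :` and the double blank line before `## References`. Worth adding for the auditing side: the same query is what a DBA runs to find logins still carrying legacy `0x0100` hashes that should be rotated.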
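Review bot: the LAPS hunk sits under "EoP - Looting for passwords", but none of the listed values holds a password: `AdmPwdEnabled`, `AdminAccountName`, `PasswordComplexity`, `PasswordLength` and `PwdExpirationProtectionEnabled` only describe the LAPS policy applied to the host (whether it is enabled, which local account it manages, and the password rules). Say so in the intro sentence so readers do not expect a credential, and give the concrete command that "Extract ... from Windows Registry" implies, e.g. `reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd"`. `PasswordAgeDays` belongs in the same list if the intent is a complete policy dump.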