Clone of https://github.com/rmusser01/Infosec_Reference . For those who would prefer to not be tracked by MS.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

290 lines
20 KiB

  1. ##Privilege Escalation & Post-Exploitation
  2. * [General Privilege Escalation](#generalpriv)
  3. ..* [Linux Privilege Escalation](#linpriv)
  4. ..* [OS X Privilege Escalation](#osxpriv)
  5. ..* [Windows Privilege Escalation](#winpriv)
  6. * [General Post Exploitation](#generalpost)
  7. ..* [Linux Post Exploitation](#linpost)
  8. ..* [OS X Post Exploitation](#osxpost)
  9. ..* [Windows Post Exploitation](#winpost)
  10. ..* [Grabbing Goodies](#grabbing}
  11. ..* [Gaining Awareness](#awareness)
  12. * [Persistence Techniques](#persistence)
  13. * [Pivoting](#pivot)
  14. * [Pass-the-Hash](#pth)
  15. ###CULL
  16. [Learn how to hide your trojans, backdoors, etc from anti virus.](https://www.hellboundhackers.org/articles/read-article.php?article_id=842)
  17. [No one expect command execution!](http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html)
  18. [Abusing Kerberos](https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don%27t-Get-It-wp.pdf)
  19. [PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
  20. * AD PowerShell Recon Scripts
  21. http://www.slideshare.net/harmj0y/derbycon-passing-the-torch
  22. https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
  23. Group Policy Preferences trick
  24. http://www.leonteale.co.uk/decrypting-windows-2008-gpp-user-passwords-using-gpprefdecrypt-py/
  25. http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html
  26. http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
  27. Article Explaining what the KRBTGT account in AD is:
  28. http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment
  29. ###<a name="generalpriv">General Privilege Escalation</a>
  30. [Execute ShellCode Using Python](http://www.debasish.in/2012/04/execute-shellcode-using-python.html)
  31. * In this article I am going to show you, how can we use python and its "ctypes" library to execute a "calc.exe" shell code or any other shell code.
  32. ###<a name="linpriv">Privilege Escalation - Linux</a>
  33. [Using the docker command to root the host (totally not a security issue)](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host)
  34. * It is possible to do a few more things more with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.
  35. [Linux_Exploit_Suggester](https://github.com/PenturaLabs/Linux_Exploit_Suggester)
  36. * Linux Exploit Suggester; based on operating system release number. This program run without arguments will perform a 'uname -r' to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. Additionally possible to provide '-k' flag to manually enter the Kernel Version/Operating System Release Version.
  37. [Basic Linux Privilege Escalation - g0tmi1k](http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
  38. * Not so much a script as a resource, g0tmi1k�s blog post here has led to so many privilege escalations on Linux system�s it�s not funny. Would definitely recommend trying out everything on this post for enumerating systems.
  39. [LinEnum](http://www.rebootuser.com/?p=1758)
  40. * This tool is great at running through a heap of things you should check on a Linux system in the post exploit process. This include file permissions, cron jobs if visible, weak credentials etc. The first thing I run on a newly compromised system.
  41. [LinuxPrivChecker](http://www.securitysift.com/download/linuxprivchecker.py)
  42. * This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.
  43. [Unix Privilege Escalation Checker](https://code.google.com/p/unix-privesc-check/)
  44. * Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).
  45. ###<a name="privescwin">Privilege Escalation - Windows</a>
  46. [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
  47. [Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
  48. * [Blogpost]https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
  49. * This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
  50. [Some forum posts on Win Priv Esc](https://forums.hak5.org/index.php?/topic/26709-windows-7-now-secure/)
  51. [PowerUp](https://github.com/HarmJ0y/PowerUp) * PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
  52. [Windows Privilege Escalation Cheat Sheet/Tricks](http://it-ovid.blogspot.fr/2012/02/windows-privilege-escalation.html)
  53. [How to own any windows network with group policy hijacking attacks](https://labs.mwrinfosecurity.com/blog/2015/04/02/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/)
  54. [Hacking windows through the WIndows API; delves into windows api, how it can break itself](http://www.irongeek.com/i.php?page=videos/derbycon4/t122-getting-windows-to-play-with-itself-a-pen-testers-guide-to-windows-api-abuse-brady-bloxham)
  55. [Analyzing local privilege escalations in win32k](http://uninformed.org/?v=all&a=45&t=sumry)
  56. * This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
  57. [Exploiting Windows 2008 Group Policy Preferences](http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)
  58. [Extreme Privelege Escalataion on Windows8 UEFI Systems](https://www.youtube.com/watch?v=UJp_rMwdyyI)
  59. * [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
  60. * Summary by stormehh from reddit: �In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash�
  61. [Old Privilege Escalation Techniques](http://obscuresecurity.blogspot.com/2011/11/old-privilege-escalation-techniques.html)
  62. [PyKEK](https://github.com/bidord/pykek)
  63. * PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
  64. [All roads lead to SYSTEM](https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf)
  65. [Dump Windows password hashes efficiently - Part 1](bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
  66. ###<a name="osxprivesc">Privilege Escalation - OS X</a>
  67. [Hidden backdoor API to root privileges in Apple OS X](https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/)
  68. * Works on 10.7 -> 10.10.2
  69. [Mac OS X local privilege escalation (IOBluetoothFamily)](http://randomthoughts.greyhats.it/2014/10/osx-local-privilege-escalation.html)
  70. [Privilege Escalation on OS X below 10.0](https://code.google.com/p/google-security-research/issues/detail?id=121)
  71. ###<a name="generalpost">General Post-Exploitation</a>
  72. [File Server Triage on Red Team Engagements](http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/)
  73. Finding your external IP:
  74. Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.akamai.com
  75. [Egress Buster Reverse Shell](https://www.trustedsec.com/files/egress_buster_revshell.zip)
  76. * Egress Buster Reverse Shell � Brute force egress ports until one if found and execute a reverse shell(from trustedsec)
  77. [Determine Public IP from CLI](http://askubuntu.com/questions/95910/command-for-determining-my-public-ip)
  78. [Pybuild](https://www.trustedsec.com/files/pybuild.zip)
  79. * PyBuild is a tool for automating the pyinstaller method for compiling python code into an executable. This works on Windows, Linux, and OSX (pe and elf formats)(From trustedsec)
  80. ###<a name="linpost">Post-Exploitation Linux</a>
  81. [More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))
  82. ###<a name="winpost">Post-Exploitation Windows</a>
  83. [Dumping user passwords in plaintext on Windows 8.1 and Server 2012](http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html)
  84. [PShell Script: Extract All GPO Set Passwords From Domain](http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/)
  85. * This script parses the domain�s Policies folder looking for Group.xml files. These files contain either a username change, password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!
  86. [Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)
  87. [I Hunt Sysadmins 2.0](http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20)
  88. * It covers various ways to hunt for users in Windows domains, including using PowerView.
  89. [Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014](http://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez)
  90. * Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we�ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
  91. [15 Ways to bypass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
  92. * Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
  93. [Post-Exploitation on Windows using ActiveX Controls](http://uninformed.org/?v=all&a=3&t=sumry)
  94. [WMI Shell Tool](https://github.com/secabstraction/Create-WMIshell)
  95. * The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
  96. [Dirty Powershell Webserver](http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html)
  97. ####<a namee="grabbing">Grabbing Goodies</a>
  98. [Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
  99. [Dumping hashes from Active Directory for cracking](http://blog.spiderlabs.com/2013/11/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system-.html)
  100. [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
  101. [Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
  102. ####<a name="awareness">Gaining Awarness</a>
  103. [Veil-PowerView](https://github.com/Veil-Framework/Veil-PowerView)
  104. * Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. It contains a set of pure-powershell replacements for various windows "net *" commands, which utilize powershell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
  105. [Egress Testing using PowerShell](http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html)
  106. [Domain Trusts: Why You Should Care](http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/)
  107. * [Trusts You Might Have Missed](http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/)
  108. ###<a name="persistence">Persistence Techniques</a>
  109. [Using Alternate Data Streams to Persist on a Compromised Machine](https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/)
  110. [An Introduction to Backdooring Operating Systems for Fun and trolling - Defcon22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Nemus%20-%20An%20Introduction%20to%20Back%20Dooring%20Operating%20Systems%20for%20Fun%20and%20Trolling%20-%20Video%20and%20Slides.m4v)
  111. [Windows Event Log Driven Backdoors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
  112. [List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!](http://timeglider.com/timeline/5ca2daa6078caaf4)
  113. ###<a name="winpersist">Windows</a>
  114. [Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
  115. * [Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
  116. * [Windows Registry Persistence, Part 2: The Run Keys and Search-Order](http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
  117. [Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
  118. [Windows Event Log Driven Back Doors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
  119. [COM Object hijacking: the discreet way of persistence](https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html)
  120. [Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
  121. [Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
  122. * We�re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We�re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
  123. [NTFS Alternate Data Streams for pentesters (part 1)](https://labs.portcullis.co.uk/blog/ntfs-alternate-data-streams-for-pentesters-part-1/)
  124. Windows task scheduler
  125. How to start a hidden process?
  126. Start-Process -WindowStyle hidden -FilePath �path-to-exe-to-be-hidden�
  127. [Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
  128. Startup folder on Win8
  129. * C:\Users\YOURUSER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  130. ###<a name="linpersist">Linux</a>
  131. Linux cron tab
  132. ###<a name="osxpersist">OS X</a>
  133. [What's the easiest way to have a script run at boot time in OS X? - Stack Overflow](https://superuser.com/questions/245713/whats-the-easiest-way-to-have-a-script-run-at-boot-time-in-os-x)
  134. [Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015](http://www.securitytube.net/video/12428?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20SecurityTube%20%28SecurityTube.Net%29)
  135. * Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access. As the presentation will show, if given userland administrative access (read: root), how easy it is to persist between reboots without plists, non-native binaries, scripting, and kexts or kernel patching using the Backdoor Factory.
  136. ###<a name="pivot">Pivoting:</a>
  137. [Socat Cheatsheet](http://www.blackbytes.info/2012/07/socat-cheatsheet/)
  138. [Socat]http://www.dest-unreach.org/socat/)
  139. * socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
  140. * [Examples of use](http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLES)
  141. [Pivoting Ssh Reverse Tunnel Gateway](http://blog.oneiroi.co.uk/linux/pivoting-ssh-reverse-tunnel-gateway/)
  142. [Portfwd - Pivot from within meterpreter](http://www.offensive-security.com/metasploit-unleashed/Portfwd)
  143. [SSH Gymnastics and Tunneling with ProxyChains](http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html)
  144. [SSH Cheat Sheet - pentestmonkey](http://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet)
  145. [Pivoting into a network using PLINK and FPipe](http://exploit.co.il/hacking/pivoting-into-a-network-using-plink-and-fpipe/)
  146. [Reverse SSL backdoor with socat and metasploit (and proxies)](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/)
  147. ####<a name="pth">Pass-The-Hash</a>
  148. [Pass-the-Hash is Dead: Long Live Pass-the-Hash](http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/)
  149. [Still Passing the Hash 15 Years Later](http://passing-the-hash.blogspot.com/)
  150. [pth-toolkit I.e Portable pass the hash toolkit](https://github.com/byt3bl33d3r/pth-toolkit)
  151. * A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems
  152. [The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1](http://www.alex-ionescu.com/?p=97)
  153. [Et tu Kerberos - Christopher Campbell](https://www.youtube.com/watch?v=RIRQQCM4wz8)
  154. [PsExec and the Nasty Things It Can Do](www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html)
  155. * An overview of what PsExec is and what its capabilities are from an administrative standpoint.
  156. [smbexec](https://github.com/pentestgeek/smbexec)
  157. * A rapid psexec style attack with samba tools
  158. * [Blogpost that inspired it](http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html)
  159. [Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00)