Skip to content

Half-Pwned

Enumerating Password Policy

Half-Pwned

Home
ActiveDirectory
ActiveDirectory
- ActiveDirectory 101
  ActiveDirectory 101
- ActiveDirectory Hacking
  ActiveDirectory Hacking
  - 101
  - PrivEsc
  - Tools of the Trade
  - 1. Initial Enum
    1. Initial Enum
    
    Domain Enum
    
    External Recon and Enum
  - 2. LLMNR+NBT NS Poisoning
    2. LLMNR+NBT NS Poisoning
    
    LLMNR+NBT NS Linux
    
    LLMNR+NBT NS Windows
  - 3. Password Spraying
    3. Password Spraying
    
    Enumerating Password Policy Enumerating Password Policy
    Table of contents
    
    Linux - Credentialed
    
    CRACKMAPEXEC - Get/Pull domain password policy with creds
    
    Netexec
    
    Linux - SMB NULL Session
    
    RPCCLIENT - to check a DC for SMB Null session access
    
    enum4linux
    
    Linux - LDAP anonymous bind
    
    LDAPSearch
    
    Windows
    
    Windows - NULL Sessions
    
    Other:
    
    net.exe
    
    PowerView
    
    INFORMATIKS
    
    Internal Password Spraying Linux
    
    Internal Password Spraying Windows
    
    Making a target user list
    
    Password Spraying 101
  - 4. Credentialed Enum
    4. Credentialed Enum
    
    Credentialed Enum LINUX
    
    Credentialed Enum Windows
    
    Enumerating Security Controls
    
    Living Off the Land
    
    Mimikatz
  - 5. Kerberoasting
    5. Kerberoasting
    
    Kerberoasting Linux
    
    Manual Method
  - 6. ACL
    6. ACL
    
    ACL Abuse Primer
    
    ACL Abuse Tactis
    
    PowerView
    
    BloodyAD
    
    DCSync
  - 7. Lateral Movement
    7. Lateral Movement
    
    ADCS
    
    ASREPRoasting DU
    
    Bleeding Edge Vulnerabilities
    
    GPO Abuse for Windows Privilege Escalation
    
    Kerberos 'Double Hop' Problem
    
    Miscellaneous Misconfigurations
    
    Privileged Access
    
    Kerberos Delegation
    Kerberos Delegation
    
    Delegation Types
    
    Resource Based Constraint Delegation
  - 8. Domain Trusts
    8. Domain Trusts
    
    Domain Trusts Primer
    
    Cross Forest
    Cross Forest
    
    Attacking CF Trusts Linux
    
    Attacking CF Trusts Windows
    
    Parent Child
    Parent Child
    
    Attacking Domain Trusts Linux
    
    Attacking Domain Trusts Windows
  - 9. Defense
    9. Defense
    
    AD Auditing
    
    Harden AD
  - BloodHound
    BloodHound
    
    GenericAll
Google RedTeaming
Google RedTeaming
- Resources
- Part 1
  Part 1
Network PenTesting
Network PenTesting
- Buffer Overflow
  Buffer Overflow
  - Linux
    Linux
    
    GDB Commands
    
    Prevention
    
    Exploit
    Exploit
    
    Find the Length of the Shellcode
    
    New shellcode & Return Address
    
    Take control of EIP
    
    Intro
    Intro
    
    CPU 101
    
    CPU Registers
    
    Stack Based BOF 101
- Common Services & Ports
  Common Services & Ports
  - Common Services 1
    Common Services 1
    
    Enum
    
    Infrastructure Enum
    
    Host Based Services
    Host Based Services
    
    DNS - 53
    
    FTP - 21
    
    IMAP POP3
    
    IPMI - 623
    
    LDAP - 389, 636,
    
    MSSql - 1433
    
    MySQL - 3306
    
    NFS - 111 or 2049
    
    Oracle TNS - 1521
    
    SMB - 139 or 445
    
    SMTP - 25, 587, 465
    
    SNMP - 161
    
    Remote Management
    Remote Management
    
    Linux Remote Management
    
    Windows Remote Management Protocol
  - Common Services 2
    Common Services 2
    
    101
    
    Attacking AD
    
    Attacking DNS
    
    Attacking FTP
    
    Attacking RDP
    
    Attacking SMB
    
    Attacking SMTP
    
    Attacking SQL DBs
    
    Protocol Specific Attacks
    Protocol Specific Attacks
    
    Concept of attacks
    
    Finding Sensitive Information
    
    Service Misconfig
- File Transfers
  File Transfers
- Linux Privesc
  Linux Privesc
  - Assessment
  - Hardening
  - PreText
  - 1. Information Gathering
    1. Information Gathering
    
    Check What's Running on a Port (Linux)
    
    Credential Hunting
    
    Environment Enumeration
    
    Linux Services & Internal Enum
    
    OTHER
    
    Tcpdump
  - 2. Env based privesc
    2. Env based privesc
    
    Escaping Restricted Shells
    
    Path Abuse
    
    Wildcard Abuse
  - 3. Permission based privesc
    3. Permission based privesc
    
    Capabilities
    
    Privileged Groups
    
    SUDO Right Abuse
    
    Special Permissions
  - 4. Service based privesc
    4. Service based privesc
    
    Docker Escape
    
    Docker
    
    Linux Containers
    
    Logrotate
    
    Passpie Exploitation
    
    Screen & Cron Jobs
    
    Tcpdump NFS tmux
  - 5. Internal based privesc
    5. Internal based privesc
    
    Kernel Exploits
    
    Python Library Hijacking
    
    Shared Libraries
    
    Shared Object Hijacking
  - 6. 0 days
    6. 0 days
    
    Dirty Pipe
    
    Netfilter
    
    Polkit
    
    Sudo
- Password Attacks
  Password Attacks
  - 101
  - Password Mutations
  - Remediation
  - Remote Password Attacks
  - Cracking Files
    Cracking Files
    
    Protected Archives
    
    Protected Files
  - Linux Local PA
    Linux Local PA
    
    Creds Hunting in Linux
    
    Passwd, Shadow, Opasswd
  - Passwords
    Passwords
    
    Password Mutations
    
    Remote Password Attacks
  - Windows Lateral Movement
    Windows Lateral Movement
    
    Kerberos
    
    Pass the Hash (PtH)
    
    Pass the Ticket (PtT) Linux
    
    Pass the Ticket (PtT) Windows
  - Windows Local PA
    Windows Local PA
    
    Attacking AD and NTDS.dit
    
    Attacking LSASS
    
    Attacking SAM SYSTEM NTDS SECURITY
    
    Attacking SAM
    
    Creds Hunting Windows
    
    DPAPI Decryption
- PenTesting Process
  PenTesting Process
  - Basics
  - Intro
  - My Process
  - Service Enum Links
  - Steps
  - Methodology
    Methodology
    
    Penetration Testing Foothold Checklist
    
    Linux
    
    My Process
    
    Windows AD
    
    Windows
- Pivoting
  Pivoting
  - 101
  - RDP and SOCKS Tunneling with SocksOverRDP
  - Ligolo
  - Ping Sweep
  - 1. Starting Tunnels
    1. Starting Tunnels
    
    Dynamic SSH PFW and SOCKS tunneling
    
    Local Port Fwding
    
    Meterpreter Tunneling & Port Forwarding
    
    Remote Port FWDing
  - 2. Socat
    2. Socat
    
    Socat Redirection
  - 3. Pivot Obstacles
    3. Pivot Obstacles
    
    SSH for Windows plink.exe
    
    Sshuttle
  - 4. Branching out Tunnels
    4. Branching out Tunnels
    
    DNS Tunneling with Dnscat2
    
    ICMP Tunneling
    
    SOCKS5 with Chisel
  - Ligolo
    Ligolo
    
    Ligolo Reverse tunnel
    
    Ligolo
- Reporting
  Reporting
- Windows Privesc
  Windows Privesc
  - Assessments
  - Intro
  - 1. Getting a Lay of the Land
    1. Getting a Lay of the Land
    
    Communication with Processes
    
    Initial Enum
    
    NEEDED COMMANDS
    
    Situational Awareness
  - 2. User Privileges
    2. User Privileges
    
    Enable Privileges
    
    Privileges 101
    
    SeDebugPrivilege
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeTakeOwnershipPrivilege
  - 3. Group Privileges
    3. Group Privileges
    
    Backup Operators
    
    DnsAdmins
    
    Event Log Readers
    
    Hyper V Administrators
    
    Print Operators
    
    Server Operators
  - 4. Attacking the OS
    4. Attacking the OS
    
    Kernel Exploits
    
    User Account Control
    
    Vulnerable Services
    
    Weak Permissions
  - 5. Credential Theft
    5. Credential Theft
    
    Creds Hunting
    
    Further Credential Theft
    
    Hunting other Files
  - 6. Restricted Envs
    6. Restricted Envs
    
    Citrix Breakout
  - 7. Additional Techniques
    7. Additional Techniques
    
    Interacting with Users
    
    Misc
    
    Pillaging
  - 8. End of Life Systems
    8. End of Life Systems
    
    Legacy Operating Systems
    
    Windows Desktop
    
    Windows Server
Web Application Pentesting
Web Application Pentesting
- Attacking Common Applications
  Attacking Common Applications
  - 101 common Applications
  - Application Discovery & Enumeration
  - Hardening
  - ASSESSMENTS
    ASSESSMENTS
    
    Assessment 2
  - CMS
    CMS
    
    DNN
    
    Drupal
    Drupal
    
    Attacking Drupal
    
    Discovery & Enum
    
    Joomla
    Joomla
    
    Attacking Joomla
    
    Discovery and Enum
    
    Wordpress
    Wordpress
    
    Attacking Wordpress
    
    Discovery & Enum
  - Common Gateway Interfaces
    Common Gateway Interfaces
    
    Attacking CGI Apps Shellshock
    
    Attacking Tomcat CGI
  - Infra Network Tools
    Infra Network Tools
    
    PRTG Network Monitor
    
    Splunk
  - Other
    Other
    
    Apps connecting to Services
    
    Attacking LDAP
    
    ColdFusion
    
    IIS Tilde
    
    IIS machineKey RCE
    
    Web Mass Assignment
  - Servlet Containers
    Servlet Containers
    
    Jenkins
    Jenkins
    
    Attacking Jenkins
    
    Discovery & Enum
    
    Tomcat
    Tomcat
    
    Attacking Tomcat
    
    Discovery & Enum
  - Thick Client
    Thick Client
    
    PT Steps
    
    Exploiting Web vulns in Thick Client
    
    Thick Client 101
  - osTicket & GitLab
    osTicket & GitLab
    
    GitLab
    
    osTicket
- Attacking Web Apps
  Attacking Web Apps
  - Proxying
  - Brute Forcing Login
    Brute Forcing Login
    
    101
    
    Custom Wordlists Username anarchy, CUPP
    
    Hydra
    
    Medusa
  - Command Injection
    Command Injection
    
    101
    
    Prevention
    
    Filter Evasion
    Filter Evasion
    
    Basic
    
    Bypass Space and slashes
    
    Bypass blacklisted commands
    
    Evasion Tools
    
    Identifying filters
  - File Inclusion
    File Inclusion
    
    Basic Bypasses
    
    LFI 101
    
    LFI
    
    PHP Filters
    
    To do List
    
    What to look for
    
    Automation and Prevention
    Automation and Prevention
    
    Automated Scanning
    
    Prevention
    
    Remote code execution
    Remote code execution
    
    LFI and File Uploads
    
    Log Poisoning
    
    PHP Wrappers
    
    RFI
  - File Uploads
    File Uploads
    
    Prevention
    
    Bypassing Filters
    Bypassing Filters
    
    Basic Exploitation
    
    Limited File Uploads
    
    Main Techniques
    
    Other techniques
  - Fuzzing
    Fuzzing
    
    Domain + VHost Fuzzing
    
    Parameter Fuzzing
    
    Web Fuzzing
  - IDOR
    IDOR
    
    101 IDOR
    
    Bypassing IDOR
    
    IDOR Prevention
  - SQL Injection
    SQL Injection
    
    DB Enumeration
    
    Reading Files
    
    SQL 101
    
    SQL Injections
    
    Writing Files
  - SQLMap
    SQLMap
    
    SQLMap 101
    
    SQLMap outputs
    
    Building attacks
    Building attacks
    
    Handling SQLMap errors + Attack Tuning
    
    SQLMap on HTTP Request
    
    DB Enum
    DB Enum
    
    Advanced DB Enum
    
    DB Enum
    
    Webapps +OS
    Webapps +OS
    
    Bypassing Web Application Protections
    
    OS Exploitation
  - Verb Tampering
    Verb Tampering
    
    101
    
    Bypass
  - XSS
    XSS
    
    DOM XSS
    
    XSS (Stored, Reflected)
    
    XSS Discovery
    
    Xss 101
    
    XSS Attacks
    XSS Attacks
    
    Defacing
    
    Phishing & Session Hijacking
  - XXE
    XXE
    
    Advanced File Disclosure
    
    Blind Data Exfiltration
    
    Bypass XXE
    
    Prevention
    
    XXE 101
- Information Gathering
  Information Gathering
Blog
Blog
- Blog
- GCP
  GCP
  - GCRTP
    GCRTP
    
    Initial Access - Password Spray
    
    GCP-Phishing
    
    Metadata in GCP Instances
    
    Reveal Files Hidden in Google Storage
- Linux
  Linux
  - Agile
  - Alert
  - Builder
  - Chemistry
  - Conversor
  - Crafty
  - Delivery
  - Expressway
  - Giveback
  - Logforge
  - Metatwo
  - Pandora
  - Planning
  - Postman
  - Remote
  - Shoppy
  - Snoopy
  - Soccer
  - Soulmate
  - Trick
  - Underpass
  - Union
- Pro Labs
  Pro Labs
  - AEN
    AEN
    
    10.129.229.147
    
    10.129.229.147
  - POO
    POO
    
    10.13.38.11 - Entrypoint
- Windows
  Windows
  - Active
  - Authority
  - Cicada
  - Driver
  - Escapetwo
  - Fluffy
  - Forest
  - Hospital
  - Jeeves
  - Mailing
  - Manager
  - Media
  - Monitorfour
  - Nanocorp
  - Outdated
  - Pov
  - Redelegate
  - Return
  - Sauna
  - Servmon
  - Streamio
  - Support
  - Timelapse
  - Tombwatcher
  - Voleur
  - Vulncicada
- Archive
  Archive
  - 2023

Linux - Credentialed

With valid domain creds, we can get it using: crackmapexec or rpcclient

CRACKMAPEXEC - Get/Pull domain password policy with creds

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Netexec

nxc smb 172.16.5.5 -u UserNAme -p 'PASSWORDHERE' --pass-pol

Linux - SMB NULL Session

Without credentials, use an SMB NULL session or LDAP anonymous bind
SMB NULL session misconfigs happen when legacy Domain Controllers are updated in place with older configs
- older windows servers allowed anonymous access to certain shares - used for domain enum
- SMB NULL session can be enumerated using enum4linux, CRACKMAPEXEC, rpcclient

RPCCLIENT - to check a DC for SMB Null session access

rpcclient -U "" -N 172.16.5.5 - connect to a DC
querydominfo - in the RPC session, query information
getdompwinfo - get password policy information

enum4linux

build around samba suite of tools - nmblookup ,net, rpcclient, smbclient
enum4linux -P 172.16.5.5 - getting password policy
enum4linux-ng -P 172.16.5.5 -oA ilfreight - using ng to export data
- cat ilfreight.json - displaying output

Linux - LDAP anonymous bind

This can get a complete listing of users, groups, computers, user account attributes, and the domain password policy
Legacy setting. New configs require authentication
Tools - windapsearch.py, ldapsearch, ad-ldapdomaindump.py

LDAPSearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
- getting password policy

Windows

Windows - NULL Sessions

net use \\DC01\ipc$ "" /u:"" - DC01 is the host

Other variations - net use \\DC01\ipc$ "" /u:guest - use some username - net use \\DC01\ipc$ "password" /u:guest - credentialed

Other:

net.exe

If we can authenticate into the domain
tools - net.exe, PowerView, CrackMapExec ported to Windows, SharpMapExec, SharpView
net accounts

PowerView

Import-Module .\PowerView.ps1
Get-DomainPolicy

INFORMATIKS

pwdProperties set to 1
- Password complexity is enabled on the particular user
DEFAULT PASSWORD POLICY when a new domain is created