InternalAllTheThings

168 pages
DISCLAIMER
DISCLAIMER The authors and contributors of this repository disclaim any and all responsibility for the misuse of the inf…
Internal All The Things
Internal All The Things Active Directory and Internal Pentest Cheatsheets An alternative display version is available at…
MS14-068 Checksum Validation
MS14-068 Checksum Validation This exploit requires knowing the user SID; you can use rpcclient to get it remotely, or wmi…
NoPAC / samAccountName Spoofing
NoPAC / samAccountName Spoofing During S4U2Self, the KDC will try to append a '$' to the computer name specified in the…
PrintNightmare
PrintNightmare CVE-2021-1675 / CVE-2021-34527 The DLL will be stored in C:\Windows\System32\spool\drivers\x64\3\. The e…
PrivExchange
PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange. :warning: You need a shell on a user a…
ZeroLogon
ZeroLogon CVE-2020-1472 Exploitation: Spoofing the client credential Disabling signing and sealing Spoofing a call Chan…
Active Directory - Certificate Services
Active Directory - Certificate Services Active Directory Certificate Services (AD CS) is a Microsoft Windows server role…
Active Directory - Certificate ESC Attacks
Active Directory - Certificate ESC Attacks ESC1 - Misconfigured Certificate Templates ESC2 - Misconfigured Certificate T…
Active Directory - Certificate ESC1
Active Directory - Certificate ESC1 ESC1 - Misconfigured Certificate Templates Domain Users can enroll in the VulnTempla…
Active Directory - Certificate ESC2
Active Directory - Certificate ESC2 ESC2 - Misconfigured Certificate Templates Requirements Allows requesters to specify…
Active Directory - Certificate ESC3
Active Directory - Certificate ESC3 ESC3 - Misconfigured Enrollment Agent Templates ESC3 is when a certificate template …
Active Directory - Certificate ESC4
Active Directory - Certificate ESC4 ESC4 - Access Control Vulnerabilities Enabling the mspki-certificate-name-flag flag …
Active Directory - Certificate ESC5
Active Directory - Certificate ESC5 ESC5 - Vulnerable PKI Object Access Control Escalate the privileges from Domain Admi…
Active Directory - Certificate ESC6
Active Directory - Certificate ESC6 ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 If this flag is set on the CA, any request (in…
Active Directory - Certificate ESC7
Active Directory - Certificate ESC7 ESC7 - Vulnerable Certificate Authority Access Control Exploitation Detect CAs that …
Active Directory - Certificate ESC8
Active Directory - Certificate ESC8 ESC8 - Web Enrollment Relay An attacker can trigger a Domain Controller using PetitP…
Active Directory - Certificate ESC9
Active Directory - Certificate ESC9 ESC9 - No Security Extension Requirements StrongCertificateBindingEnforcement set to…
Active Directory - Certificate ESC10
Active Directory - Certificate ESC10 ESC10 – Weak Certificate Mapping - StrongCertificateBindingEnforcement Requirements…
Active Directory - Certificate ESC11
Active Directory - Certificate ESC11 ESC11 - Relaying NTLM to ICPR Encryption is not enforced for ICPR requests and Requ…
Active Directory - Certificate ESC12
Active Directory - Certificate ESC12 ESC12 - ADCS CA on YubiHSM The ESC12 vulnerability occurs when a Certificate Author…
Active Directory - Certificate ESC13
Active Directory - Certificate ESC13 ESC13 - Issuance Policy If a principal (user or computer) has enrollment rights on …
Active Directory - Certificate ESC14
Active Directory - Certificate ESC14 ESC14 - altSecurityIdentities ESC14 is an Active Directory Certificate Services (AD…
Active Directory - Certificate ESC15
Active Directory - Certificate ESC15 ESC15 - EKUwu Application Policies - CVE-2024-49019 This technique now has a CVE nu…
Active Directory - Golden Certificate
Active Directory - Golden Certificate A Golden Certificate is a maliciously crafted certificate that an attacker generat…
Active Directory - Access Controls ACL/ACE
Active Directory - Access Controls ACL/ACE An Access Control Entry (ACE) is a specific permission granted or denied to a…
Active Directory - Enumeration
Active Directory - Enumeration Using BloodHound Use the appropriate data collector to gather information for BloodHound …
Active Directory - Group Policy Objects
Active Directory - Group Policy Objects Creators of a GPO are automatically granted explicit Edit settings, delete, modi…
Active Directory - Groups
Active Directory - Groups Dangerous Built-in Groups Usage If you do not want modified ACLs to be overwritten every hour,…
Active Directory - Linux
Active Directory - Linux CCACHE ticket reuse from /tmp When tickets are set to be stored as a file on disk, the standard…
Active Directory - Machine Account Quota
Active Directory - Machine Account Quota In Active Directory (AD), the MachineAccountQuota is a limit set on how many co…
Active Directory - NTDS Dumping
Active Directory - NTDS Dumping You will need the following files to extract the NTDS: the NTDS.dit file and the SYSTEM hive (C:\W…
Active Directory - Recycle Bin
Active Directory - Recycle Bin Details Deleted objects have a default retention time of 180 days Recycle Bin path: CN=Di…
Active Directory - Read Only Domain Controller
Active Directory - Read Only Domain Controller RODCs are an alternative for Domain Controllers in less secure physical l…
Active Directory - Federation Services
Active Directory - Federation Services Active Directory Federation Services (AD FS) is a software component developed by…
Active Directory - Integrated DNS - ADIDNS
Active Directory - Integrated DNS - ADIDNS ADIDNS zone DACL (Discretionary Access Control List) enables regular users to…
Roasting - ASREP Roasting
Roasting - ASREP Roasting If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successful…
Roasting - Kerberoasting
Roasting - Kerberoasting "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by …
Roasting - Timeroasting
Roasting - Timeroasting Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated …
Active Directory - Tricks
Active Directory - Tricks Kerberos Clock Synchronization In Kerberos, time is used to ensure that tickets are valid. To …
Deployment - MDT
Deployment - MDT Microsoft Deployment Toolkit (MDT) is a free tool from Microsoft used to automate the deployment of Win…
Deployment - SCCM
Deployment - SCCM SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. …
Deployment - SCOM
Deployment - SCOM Microsoft SCOM (System Center Operations Manager) is a monitoring tool used to oversee the health and …
Deployment - WSUS
Deployment - WSUS Windows Server Update Services (WSUS) enables information technology administrators to deploy the late…
Hash - Capture and Cracking
Hash - Capture and Cracking LmCompatibilityLevel LmCompatibilityLevel is a Windows security setting that determines the …
Hash - OverPass-the-Hash
Hash - OverPass-the-Hash In this technique, instead of passing the hash directly, we use the NT hash of an account to re…
Hash - Pass the Hash
Hash - Pass the Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, atta…
Hash - Pass The Key
Hash - Pass The Key Pass The Key allows attackers to gain access to systems by using a valid session key instead of the …
Internal - DCOM
Internal - DCOM DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and acces…
Internal - PXE Boot Image
Internal - PXE Boot Image PXE allows a workstation to boot from the network by retrieving an operating system image from…
Internal - Coerce
Internal - Coerce Coerce refers to forcing a target machine (usually with SYSTEM privileges) to authenticate to another …
Internal - Kerberos Relay
Internal - Kerberos Relay Kerberos Relay over HTTP Requirements: Kerberos authentication for services without signing H…
Internal - NTLM Relay
Internal - NTLM Relay NTLMv1 and NTLMv2 can be relayed to connect to another machine. Hash Hashcat Attack method LM 3000…
Internal - Shares
Internal - Shares READ Permission Some shares can be accessible without authentication, explore them to find some juicy …
Kerberos - Bronze Bit
Kerberos - Bronze Bit CVE-2020-17049 An attacker can impersonate users which are not allowed to be delegated. This inclu…
Kerberos Delegation - Constrained Delegation
Kerberos Delegation - Constrained Delegation Kerberos Constrained Delegation (KCD) is a security feature in Microsoft's …
Kerberos Delegation - Resource Based Constrained Delegation
Kerberos Delegation - Resource Based Constrained Delegation Resource-based Constrained Delegation was introduced in Wind…
Kerberos Delegation - Unconstrained Delegation
Kerberos Delegation - Unconstrained Delegation The user sends an ST to access the service, along with their TGT, and then…
Kerberos - Service for User Extension
Kerberos - Service for User Extension Service For User To Self which allows a service to obtain a TGS on behalf of anoth…
Kerberos - Tickets
Kerberos - Tickets Tickets are used to grant access to network resources. A ticket is a data structure that contains inf…
Password - AD User Comment
Password - AD User Comment There are 3-4 fields that seem to be common in most Active Directory schemas: UserPassword , …
Password - DSRM Credentials
Password - DSRM Credentials Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain …
Password - Group Policy Preferences
Password - Group Policy Preferences Find passwords in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Direc…
Password - Pre-Created Computer Account
Password - Pre-Created Computer Account When the "Assign this computer account as a pre-Windows 2000 computer" checkmark is ch…
Password - dMSA
Password - dMSA Delegated Managed Service Accounts (dMSAs) BadSuccessor Requirements: Windows Server 2025 Domain Contro…
Password - GMSA
Password - GMSA Reading GMSA Password User accounts created to be used as service accounts rarely have their password ch…
Password - LAPS
Password - LAPS Reading LAPS Password Use LAPS to automatically manage local administrator passwords on domain joined co…
Password - Shadow Credentials
Password - Shadow Credentials Add Key Credentials to the attribute msDS-KeyCredentialLink of the target user/computer ob…
Password - Spraying
Password - Spraying Password spraying refers to the attack method that takes a large number of usernames and loops them …
Trust - Privileged Access Management
Trust - Privileged Access Management PAM (Privileged Access Management) introduces bastion forest for management, Shadow…
Trust - Relationship
Trust - Relationship One-way Domain B trusts A Users in Domain A can access resources in Domain B Users in Domain B cann…
Child Domain to Forest Compromise - SID Hijacking
Child Domain to Forest Compromise - SID Hijacking Most trees are linked with dual sided trust relationships to allow for…
Forest to Forest Compromise - Trust Ticket
Forest to Forest Compromise - Trust Ticket Requires: SID filtering disabled. From the DC, dump the hash of the currentdoma…
AS400
AS400 AS400 (IBM i) is a midrange computer system developed by IBM, originally released in 1988. Now known as IBM i runn…
Kiosk Escape and Jail Breakout
Kiosk Escape and Jail Breakout Summary Methodology Gaining a command shell Sticky Keys Dialog Boxes Creating new files O…
Hash Cracking
Hash Cracking Summary Hashcat Hashcat Example Hashes Hashcat Install Mask attack Dictionary John Usage Rainbow tables Ti…
Liferay
Liferay Liferay Portal is an open-source enterprise portal platform used for building web applications and digital exper…
Mimikatz
Mimikatz Summary Execute commands Extract passwords LSA Protection Workaround Mini Dump Pass The Hash Golden ticket Skel…
Miscellaneous & Tricks
Miscellaneous & Tricks All the tricks that couldn't be classified somewhere else. Send Messages to Other Users Windo…
Network Discovery
Network Discovery MAC Address mac2vendor.com - OUI Database Lookup oui.is - MAC Address Vendor Lookup MAC Prefix Descrip…
Powershell
Powershell Summary Powershell Summary Execution Policy Encoded Commands Constrained Mode Encoded Commands Download file …
Bind Shell
Bind Shell Summary Bind Shell Perl Python PHP Ruby Netcat Traditional Netcat OpenBsd Ncat Socat Powershell Perl perl -e…
Reverse Shell Cheat Sheet
Reverse Shell Cheat Sheet Summary Tools Reverse Shell Awk Bash TCP Bash UDP C Dart Golang Groovy Alternative 1 Groovy Ja…
AWS - Access Token & Secrets
AWS - Access Token & Secrets URL Services Service URL s3 https://{user_provided}.s3.amazonaws.com cloudfront https:/…
AWS - CLI
AWS - CLI The AWS Command Line Interface (CLI) is a unified tool to manage AWS services from the command line. Using the…
AWS - Service - Cognito
AWS - Service - Cognito AWS Cognito is an AWS-managed service for authentication, authorization, and user management. A …
AWS - Service - DynamoDB
AWS - Service - DynamoDB Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond per…
AWS - Service - EC2
AWS - Service - EC2 dufflebag - Find secrets that are accidentally exposed via Amazon EBS's "public" mode Listing Inform…
AWS - Enumerate
AWS - Enumerate Collectors nccgroup/ScoutSuite - Multi-Cloud Security Auditing Tool $ python scout.py PROVIDER --help…
AWS - Identity & Access Management
AWS - Identity & Access Management Listing IAM access keys aws iam list-access-keys Listing IAM Users and Groups aws…
AWS - IOC & Detections
AWS - IOC & Detections CloudTrail Disable CloudTrail aws cloudtrail delete-trail --name cloudgoat_trail --profile …
AWS - Service - Lambda & API Gateway
AWS - Service - Lambda & API Gateway List Lambda Functions aws lambda list-functions Invoke a Lambda Function aws la…
AWS - Metadata SSRF
AWS - Metadata SSRF AWS released additional security defences against the attack. :warning: Only works with IMDSv1. En…
AWS - Service - S3 Buckets
AWS - Service - S3 Buckets An AWS S3 bucket is a cloud-based storage container that holds files, known as objects, which…
AWS - Service - SSM
AWS - Service - SSM Command execution :warning: The ssm-user account is not removed from the system when SSM Agent is un…
AWS - Training
AWS - Training bishopfox/CloudFoxable: A Gamified Cloud Hacking Sandbox ine-labs/AWSGoat: A Damn Vulnerable AWS Infras…
aka.ms Shortcuts
aka.ms Shortcuts aka.ms is a URL shortening service used by Microsoft. It is commonly employed to create short, easily s…
Azure AD - Access and Tokens
Azure AD - Access and Tokens Connection When you authenticate to the Microsoft Graph API in PowerShell/CLI, you will be …
Azure AD - Conditional Access Policy
Azure AD - Conditional Access Policy Conditional Access is used to restrict access to resources to compliant devices onl…
Azure AD - AD Connect and Cloud Sync
Azure AD - AD Connect and Cloud Sync Comparison (Active Directory vs. Azure AD): LDAP vs. REST APIs; NTLM/Kerberos vs. OAuth/SAML/OpenID; Structure…
Azure AD - IAM
Azure AD - IAM Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource …
Azure AD - Enumerate
Azure AD - Enumerate Azure AD - Collectors Microsoft Portals - Microsoft Administrator Sites dirkjanm/ROADTool - A colle…
Azure AD - Persistence
Azure AD - Persistence Add Secrets to Application Add secrets with lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1 PS >…
Azure AD - Phishing
Azure AD - Phishing Illicit Consent Grant The attacker creates an Azure-registered application that requests access to d…
Azure - Requirements
Azure - Requirements Pentest Requirements Users and roles: Global Reader and Security Reader roles in Azure AD Reader pe…
Azure Services - Application Endpoint
Azure Services - Application Endpoint Enumerate Enumerate possible endpoints for applications starting/ending with PREFI…
Azure Services - Application Proxy
Azure Services - Application Proxy Enumerate Enumerate applications that have Proxy PS C:\Tools> Get-AzureADApplic…
Azure Services - Container Registry
Azure Services - Container Registry Enumerate List container registries in the subscription using Azure CLI az login -u …
Azure Services - Deployment Template
Azure Services - Deployment Template List the deployments PS Az> Get-AzResourceGroup PS Az> Get-AzResourceGroupD…
Azure Services - Azure DevOps
Azure Services - Azure DevOps xforcered/ADOKit - Azure DevOps Services Attack Toolkit zolderio/devops - Azure DevOps Acc…
Azure Services - KeyVault
Azure Services - KeyVault Access Token Keyvault access token curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.…
Azure Services - Microsoft Intune
Azure Services - Microsoft Intune Microsoft Intune is a cloud-based service that provides mobile device management (MDM)…
Azure Services - Office 365
Azure Services - Office 365 Microsoft Teams Messages TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local A…
Azure Services - Runbook and Automation
Azure Services - Runbook and Automation Runbook Runbook must be SAVED and PUBLISHED before running it. List the Runbooks…
Azure Services - Storage Blob
Azure Services - Storage Blob Blobs - *.blob.core.windows.net File Services - *.file.core.windows.net Data Tables - *.ta…
Azure Services - Virtual Machine
Azure Services - Virtual Machine RunCommand Allows anyone with "Contributor" rights to run PowerShell scripts on any Azur…
Azure Services - Web Apps
Azure Services - Web Apps List Web App az webapp list Execute Commands $ARMToken = Get-ARMTokenWithRefreshToken ` -Refre…
Azure Services - DNS Suffix
Azure Services - DNS Suffix DNS table Many Azure services generate custom endpoints with a suffix such as .cloudapp.azur…
IBM Cloud Managed Database Services
IBM Cloud Managed Database Services IBM Cloud offers a variety of managed database services that allow organizations to …
IBM Cloud Object Storage
IBM Cloud Object Storage IBM Cloud Object Storage is a highly scalable, secure, and durable cloud storage service design…
Cobalt Strike - Beacons
Cobalt Strike - Beacons DNS Beacon DNS Configuration Edit the Zone File for the domain Create an A record for Cobalt Str…
Cobalt Strike - Kits
Cobalt Strike - Kits Cobalt Strike Community Kit - Community Kit is a central repository of extensions written by the us…
Cobalt Strike
Cobalt Strike Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonst…
Metasploit
Metasploit Summary Installation Sessions Background handler Meterpreter - Basic Generate a meterpreter Meterpreter Webde…
Mythic C2
Mythic C2 Summary Installation Agents Profiles References Installation sudo apt-get install build-essential git clone ht…
Docker
Docker Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in…
Kubernetes
Kubernetes Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate…
MSSQL - Audit Checks
MSSQL - Audit Checks Summary Impersonation Opportunities Exploiting Impersonation Exploiting Nested Impersonation Trustw…
MSSQL - Command Execution
MSSQL - Command Execution Summary Command Execution via xp_cmdshell Extended Stored Procedure Add the extended stored pr…
MSSQL - Credentials
MSSQL - Credentials Summary MSSQL Accounts and Hashes List Credentials on the SQL Server Proxy Account Context MSSQL Acc…
MSSQL - Database Enumeration
MSSQL - Database Enumeration Summary Tools Identify Instances and Databases Discover Local SQL Server Instances Discover…
MSSQL - Linked Database
MSSQL - Linked Database Summary Find Trusted Link Execute Query Through The Link Crawl Links for Instances in the Domain…
CI/CD Attacks
CI/CD Attacks CI/CD pipelines are often triggered by untrusted actions such as forked pull requests and new issue submiss…
CI/CD - Azure DevOps
CI/CD - Azure DevOps Azure Pipelines The configuration files for azure pipelines are normally located in the root direct…
CI/CD - BuildKite
CI/CD - BuildKite The configuration files for BuildKite builds are located in .buildkite/*.yml BuildKite builds are oft…
CI/CD - CircleCI
CI/CD - CircleCI The configuration files for CircleCI builds are located in .circleci/config.yml By default, CircleCI…
CI/CD - Drone CI
CI/CD - Drone CI The configuration files for Drone builds are located in .drone.yml Drone builds are often self-hosted,…
CI/CD - GitHub Actions
CI/CD - GitHub Actions GitHub Actions is GitHub’s built-in CI/CD automation tool that lets you build, test, and deploy y…
CI/CD - Gitlab CI
CI/CD - Gitlab CI GitLab CI (Continuous Integration) is a built-in feature of GitLab that automates the process of build…
Package Managers and Build Files
Package Managers and Build Files Code injections into build files are CI agnostic and therefore they make great targets …
Hardcoded Secrets Enumeration
Hardcoded Secrets Enumeration Tools synacktiv/nord-stream - List the secrets stored inside CI/CD environments and extrac…
Android Application
Android Application Lab payatu/diva-android - Damn Insecure and vulnerable App for Android HTB VIP - Pinned - Hack The B…
Bug Hunting Methodology
Bug Hunting Methodology Passive Recon Using shodan.io, fofa.info, zoomeye.ai or odin.io to detect similar apps # https:…
Source Code Analysis
Source Code Analysis Source code analysis is the process of examining and reviewing the code of a software program to id…
Vulnerability Reports
Vulnerability Reports A pentest vulnerability report documents the findings of a penetration test, detailing identified …
ClickFix
ClickFix ClickFix is a social engineering attack that prompts users to unknowingly execute malicious code, usually throu…
HTML Smuggling
HTML Smuggling Summary Description Executable Storage Description HTML Smuggling consists of making a user navigate t…
Initial Access
Initial Access Initial Access Files in the context of a Red Team exercise refer to the set of files, scripts, executable…
Office - Attacks
Office - Attacks Summary Office Products Features Office Default Passwords Excel XLSM - Hot Manchego XLM - Macrome XLM E…
Phishing
Phishing Phishing is a cybersecurity attack where malicious actors impersonate legitimate organizations (like banks, soc…
Web Attack Surface
Web Attack Surface Summary Enumerate Subdomains Subdomains Databases Bruteforce Subdomains Certificate Transparency Logs…
Windows - Download and execute methods
Windows - Download and execute methods Downloaded files location C:\Users\ \AppData\Local\Microsoft\Windows\Temporary In…
Windows - Using credentials
Windows - Using credentials Summary Get Credentials Create Credential Looting Credentials Guest Credential Retail Creden…
Linux - Privilege Escalation
Linux - Privilege Escalation Summary Tools Checklist Looting for passwords Files containing passwords Old passwords in /…
Windows - Privilege Escalation
Windows - Privilege Escalation Summary Tools Windows Version and Configuration User Enumeration Network Enumeration Anti…
Endpoint Detection and Response
Endpoint Detection and Response Endpoint Detection and Response (EDR) is a security solution that combines real-time mon…
Elastic EDR
Elastic EDR Elastic EDR (Endpoint Detection and Response) is a component of Elastic Security designed to address cyberse…
Linux - Evasion
Linux - Evasion Summary File Names Command History Hiding Text Timestomping Hiding PID Listings From Non-Root Users File…
OPSEC
OPSEC Infrastructure Use generic names for DNS, avoid company names Use a wildcard (*) when issuing certificates to avoid l…
Proxy Bypass
Proxy Bypass An HTTP proxy server acts as an intermediary between a client (like a web browser) and a web server. It pro…
Windows - AMSI Bypass
Windows - AMSI Bypass Summary List AMSI Providers Which Endpoint Protection is Using AMSI Patching amsi.dll AmsiScanBuff…
Windows - Defenses
Windows - Defenses Summary AppLocker User Account Control DPAPI Powershell Execution Policy Anti Malware Scan Interface …
Windows - DPAPI
Windows - DPAPI On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Pr…
Linux - Persistence
Linux - Persistence Summary Basic Reverse Shell Add a Root User SUID Binary Crontab Bash Configuration File Startup Serv…
RDP - Persistence
RDP - Persistence RDP Backdoor An RDP backdoor is a malicious technique where an attacker replaces the legitimate binary…
Windows - Persistence
Windows - Persistence Summary Tools Hide Your Binary Disable Antivirus and Security Antivirus Removal Disable Windows De…
Network Pivoting Techniques
Network Pivoting Techniques SOCKS Proxy SOCKS Compatibility Table SOCKS Version TCP UDP IPv4 IPv6 Hostname SOCKS v4 ✅ ❌ …
Network Pivoting Tools
Network Pivoting Tools Tools Comparison Comparison table showing platform support (Windows, Linux, macOS), available pol…