PR Guidelines + User Hunting + HopLa Configuration

This commit is contained in:
Swissky 2022-06-30 16:33:35 +02:00
parent b9e847decb
commit fc8fadbb0c
4 changed files with 2565 additions and 2 deletions

2519
.github/hopla_config.json vendored Normal file

File diff suppressed because it is too large Load Diff

View File

@ -5,6 +5,19 @@ Feel free to improve with your payloads and techniques !
You can also contribute with a :beers: IRL, or using the sponsor button.
## Pull Requests Guidelines
In order to provide the safest payloads for the community, the following rules must be followed for **every** Pull Request.
- Payloads must be sanitized
- Use `id`, and `whoami`, for RCE Proof of Concepts
- Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
- Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
- Use `Administrator` for privileged users and `User` for normal account
- Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples
- Prefer commonly used name for machines such as `DC01`, `EXCHANGE01`, `WORKSTATION01`, etc
- References must have an `author`, a `title` and a `link`. The `date` is not mandatory but appreciated :)
## Techniques Folder
Every section should contains the following files, you can use the `_template_vuln` folder to create a new technique folder:
@ -40,6 +53,10 @@ Use the following example to create a new technique `README.md` file.
Quick explanation
### Subentry 1
Something about the subentry 1
## References
- [Blog title - Author, Date](https://example.com)

View File

@ -40,6 +40,7 @@
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
- [User Hunting](#user-hunting)
- [Password spraying](#password-spraying)
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
- [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
@ -401,7 +402,7 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose
#Find computers were a Domain Admin OR a spesified user has a session
#Find computers were a Domain Admin OR a specified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
@ -1294,6 +1295,32 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)
### User Hunting
Sometimes you need to find a machine where a specific user is logged in.
You can remotely query every machines on the network to get a list of the users's sessions.
* CrackMapExec
```ps1
cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions
SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator
```
* Impacket Smbclient
```ps1
$ impacket-smbclient Administrator@10.10.10.10
# who
host: \\10.10.10.10, user: Administrator, active: 1, idle: 0
```
* PowerView Invoke-UserHunter
```ps1
# Find computers were a Domain Admin OR a specified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
```
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.

View File

@ -50,7 +50,7 @@ You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheT
👨‍💻 Contributions
-----
Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CONTRIBUTING.md)
<p align="center">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/graphs/contributors">