GitBook: [master] 9 pages modified

CPol 2020-08-31 12:30:26 +00:00 committed by gitbook-bot
parent bfa5e227e4
commit e366f0d1d9
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
8 changed files with 9 additions and 9 deletions

@ -93,7 +93,7 @@
* [Stealing Credentials](windows/stealing-credentials/README.md)
* [Credentials Protections](windows/stealing-credentials/credentials-protections.md)
* [Mimikatz](windows/stealing-credentials/credentials-mimikatz.md)
* [Authentication, Credentials, UAC and EFS](windows/credentials.md)
* [Authentication, Credentials, UAC and EFS](windows/authentication-credentials-uac-and-efs.md)
* [Basic CMD for Pentesters](windows/basic-cmd-for-pentesters.md)
* [Basic PowerShell for Pentesters](windows/basic-powershell-for-pentesters/README.md)
* [PowerView](windows/basic-powershell-for-pentesters/powerview.md)
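
Review bot: the navigation entry now targets `windows/authentication-credentials-uac-and-efs.md`, but none of the hunks shown touches that page itself, so the rename of `windows/credentials.md` cannot be confirmed from this diff. Please check that the file exists at the new path in this commit. Since every hunk here is the same path substitution, a quick search of the tree for any remaining `credentials.md#` references would catch links this automated pass missed.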

@ -75,7 +75,7 @@ If you are **not root/Administrator** inside the box, you should find a way to *
Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**
You should also check this pages about how does **Windows work**:
* [**Authentication, Credentials, Token privileges and UAC**](windows/credentials.md)\*\*\*\*
* [**Authentication, Credentials, Token privileges and UAC**](windows/authentication-credentials-uac-and-efs.md)\*\*\*\*
* How does [**NTLM works**](windows/ntlm/)\*\*\*\*
* How to [**steal credentials**](windows/stealing-credentials/) in Windows
* Some tricks about [_**Active Directory**_](windows/active-directory-methodology/)_\*\*\*\*_
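
Review bot: the link label on the changed line still reads "Authentication, Credentials, Token privileges and UAC", while the navigation entry for the same target is titled "Authentication, Credentials, UAC and EFS". Pick one title and use it in both places. The changed line also keeps the trailing `\*\*\*\*`, which renders as four literal asterisks; it can be dropped while this line is being touched.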

@ -222,7 +222,7 @@ The **security descriptors** are used to **store** the **permissions** an **obje
### **Custom SSP**
[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
****[**More information about Custom SSP here.**](custom-ssp.md)
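
Review bot: the updated link depends on the fragment `#security-support-provider-interface-sspi` resolving in the renamed page, and nothing in this diff shows that heading. Confirm the anchor is generated unchanged under the new file name. The same sentence and link are duplicated in `custom-ssp.md` (next file), so consider keeping the explanation only there and leaving just the "More information" link in this summary section.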

@ -2,7 +2,7 @@
## Custom SSP
[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
#### Mimilib
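
Review bot: the context line directly under the changed link reads "You can create you **own SSP**", which should be "your **own SSP**"; the same typo appears in the previous file's copy of this paragraph. Also, `#### Mimilib` follows `## Custom SSP` with no level-three heading in between, which can break the generated table of contents.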

@ -265,7 +265,7 @@ C:\windows\tracing
### UAC
UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user.
[**More information about UAC here**](../credentials.md#uac).
[**More information about UAC here**](../authentication-credentials-uac-and-efs.md#uac).
```text
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
@ -300,7 +300,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
### Token manipulation
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../credentials.md#access-tokens).
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).
Check the following page to **learn about interesting tokens** and how to abuse them:
{% page-ref page="privilege-escalation-abusing-tokens.md" %}
@ -1220,7 +1220,7 @@ When a **client writes on a pipe**, the **server** that created the pipe can **i
## From Administrator Medium to High Integrity Level / UAC Bypass
\*\*\*\*[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../credentials.md#uac)**, then read how to**[ **bypass it**](../credentials.md#uac)**.**
\*\*\*\*[**Read this to learn about Integrity Levels**](integrity-levels.md) **and** [**this to learn what is UAC**](../authentication-credentials-uac-and-efs.md#uac)**, then read how to**[ **bypass it**](../authentication-credentials-uac-and-efs.md#uac)**.**
## **From High Integrity to System**
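
Review bot: on the changed line, both "this to learn what is UAC" and "bypass it" point to the same fragment, `../authentication-credentials-uac-and-efs.md#uac`, so the second link gives the reader nothing the first does not. If the target page has a dedicated bypass heading, link "bypass it" to that anchor; otherwise merge the two links into one. The leading `\*\*\*\*` is carried over as literal asterisks and the space inside `[ **bypass it**]` sits inside the link text; both can be cleaned up here.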

@ -57,7 +57,7 @@ SeTimeZonePrivilege Change the time zone Disabled
### Local administrator
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** \(non-administrator\) **rights is used**. When this user tries to **execute** anything **as administrator** \("Run as Administrator" for example\) the **UAC** will be used to ask for permission.
If you want to [**learn more about the UAC read this page**](../credentials.md#uac)**.**
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
### Credentials user impersonation

@ -103,7 +103,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
### Example
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **\(bypassing UAC\)**](../credentials.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **\(bypassing UAC\)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
## **Creating and compiling Dlls**
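
Review bot: the changed paragraph links "escalate from Medium Integrity level to High" to the generic `#uac` fragment, and the link text on `from[ **High Integrity to SYSTEM**]` starts with a stray space and has no space before the bracket. Suggest `or from [**High Integrity to SYSTEM**](./#from-high-integrity-to-system)`. The context line below has the bold marker splitting a word, `**next sectio**n`, which should be `**next section**`.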