Foreword
I haven't posted an article for a month. I joined HTB Academy to study CPTS on June 11. With the support of a solid THM foundation, I learned very smoothly. In fact, most of the content amounted to review, and what I learned were just little tricks that might be less common, or very detailed, and that's great too.
Although most of the content was already covered during my THM study cycle, HTB Academy still has a considerable number of subtle details that THM may not have, which are worth learning.
As of now, my CPTS study is coming to an end, and it has only taken about 11 days.
Same as before, to save time, I only write up the parts that are worth reviewing, not all modules.
PASSWORD ATTACKS
Password reuse / default passwords
DefaultCreds-cheat-sheet lets you look up the default credentials of many CMSs and appliances directly.
SAM
- The SECURITY hive contains a cache of domain account credentials
CrackMapExec remote dump
crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
Besides --lsa, there are also --sam and --ntds for a one-shot dump of those stores.
Note that if the account is a local account, the --local-auth parameter must be added.
rundll32 dump of lsass
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
This uses rundll32 to call the MiniDump export of comsvcs.dll, writing the memory of the lsass process (PID 672 here) to C:\lsass.dmp.
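From the defender's side, the comsvcs.dll MiniDump call above is a well-known signal in process-creation telemetry. The following is an added example, not code from the original post or from HTB Academy: it parses constructed 4688-style key=value log lines (the field names ts, user, image and cmd are an assumption; adapt them to your SIEM schema) and flags any rundll32 command line that invokes comsvcs.dll's MiniDump export, extracting the target PID and output path for triage.

```python
"""Detect LSASS memory dumps via rundll32 + comsvcs.dll MiniDump in process-creation logs.

Added example (not from the original post). The log format below is a constructed
4688-style key=value layout; the field names are an assumption.
"""
import re
from typing import Dict, List

# Constructed sample telemetry: a benign rundll32 call, the dump command from the
# write-up, a case/spacing variant writing to a UNC path, and an unrelated process.
SAMPLE_LOG = r"""
ts=2024-06-11T10:01:02Z user=CORP\alice image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"
ts=2024-06-11T10:03:15Z user=CORP\bob image=C:\Windows\System32\rundll32.exe cmd="rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"
ts=2024-06-11T10:03:40Z user=CORP\bob image=C:\Windows\System32\rundll32.exe cmd="RUNDLL32.EXE C:\Windows\System32\COMSVCS.DLL,MiniDump 640 \\fileserver\share\out.dmp full"
ts=2024-06-11T10:05:00Z user=CORP\carol image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# comsvcs[.dll] followed by a comma and the MiniDump export name, any case/spacing
DUMP_RE = re.compile(r'comsvcs(?:\.dll)?\s*,\s*minidump\b', re.IGNORECASE)
# MiniDump <pid> <output path>
ARGS_RE = re.compile(r'minidump\s+(\d+)\s+(\S+)', re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dict, stripping quotes from quoted values."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def is_lsass_dump(event: Dict[str, str]) -> bool:
    """True when the command line invokes comsvcs.dll's MiniDump export."""
    return bool(DUMP_RE.search(event.get("cmd", "")))


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per matching event with the dumped PID and output path."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not is_lsass_dump(event):
            continue
        m = ARGS_RE.search(event["cmd"])
        hits.append({
            "ts": event.get("ts", ""),
            "user": event.get("user", ""),
            "pid": m.group(1) if m else "",
            "out": m.group(2) if m else "",
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} dumped PID {hit['pid']} to {hit['out']}")
```

The PID alone does not prove the target was lsass; correlate it with the process-creation event for that PID (or use Sysmon Event ID 10 with lsass.exe as TargetImage) before escalating.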
Python version of mimikatz: pypykatz
MSV
MSV is an authentication package in Windows that LSA calls to authenticate logon attempts against the SAM database. It is also invoked when a domain-joined device performs NTLM authentication for domain accounts.
DPAPI
The Data Protection API (DPAPI) is mainly used by application software, such as common browsers, to encrypt and decrypt stored passwords. Its keys are held in lsass memory.
Windows credential collection tool: LaZagne
Useful for retrieving large numbers of passwords stored on a local computer. Every piece of software uses a different technique (plaintext, API, custom algorithm, database, etc.) to store its passwords; this tool was developed to find those passwords for the most commonly used software.
LaZagne also has a Python version, which is also available for Linux.
Linux credential collection tool: mimipenguin
It can look for credentials in memory as well as in the files of some common software.
The prerequisite is that it must run as root.
Windows PtH to RDP
A prerequisite for PtH logon to RDP is that Restricted Admin mode is enabled, which can be done by modifying the registry:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
UAC
THM said:
UAC (User Account Control) restricts the ability of local users to perform remote administrative operations. When the registry key is set to 0, only the built-in local administrator account (RID-500, "Administrator") is allowed to perform remote administrative tasks. Setting it to 1 allows other local administrators as well.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
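Both registry values above (DisableRestrictedAdmin under the Lsa key, LocalAccountTokenFilterPolicy under the Policies\System key) are worth checking during a host hardening review. The following is an added example, not from the original post: it parses a .reg export (the text format produced by reg export; the sample export is constructed) and reports what each value means for remote administration. The interpretation of an absent value (Restricted Admin disabled, token filter restricting remote admin to RID-500) follows the documented defaults.

```python
"""Audit a .reg export for DisableRestrictedAdmin and LocalAccountTokenFilterPolicy.

Added example (not from the original post). Parses Windows .reg text (as written by
`reg export`) and reports the state of the two values discussed above.
"""
import re
from typing import Dict, Tuple

# Constructed sample export. Real files from `reg export` are UTF-16 with a BOM:
# open them with encoding="utf-16" before passing the text in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableRestrictedAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"LocalAccountTokenFilterPolicy"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Map (uppercased key path, value name) -> integer for every dword in the export."""
    current = None
    values: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        val = DWORD_RE.match(line)
        if val and current:
            values[(current, val.group(1))] = int(val.group(2), 16)
    return values


def assess(values: Dict[Tuple[str, str], int]) -> Dict[str, str]:
    """Translate the two raw values into their effect on remote administration."""
    report = {}
    dra = values.get((LSA_KEY, "DisableRestrictedAdmin"))
    # 0 enables Restricted Admin mode; 1 or an absent value leaves it disabled
    report["restricted_admin_mode"] = "enabled" if dra == 0 else "disabled"
    latfp = values.get((POLICY_KEY, "LocalAccountTokenFilterPolicy"))
    # 1 lets every local administrator perform remote admin tasks; 0 or absent
    # restricts that to the built-in RID-500 Administrator
    report["remote_admin_local_accounts"] = "all_local_admins" if latfp == 1 else "rid500_only"
    return report


def audit_reg_export(text: str) -> Dict[str, str]:
    return assess(parse_reg_dwords(text))


if __name__ == "__main__":
    for name, state in audit_reg_export(SAMPLE_REG).items():
        print(f"{name}: {state}")
```

With the constructed sample both settings are in their permissive state: Restricted Admin mode accepts network logons over RDP, and every local administrator, not only RID-500, can authenticate remotely with a full token.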
PtK
NTLM and Kerberos share the same characteristic: both use a key derived from the password (to respond to challenges in NTLM, to encrypt timestamps in Kerberos), so Kerberos supports pass-the-key (PtK), which is essentially the same idea as NTLM's PtH. That is why the mimikatz commands used for PtK are the same as those for PtH.
PtT lateral movement
After PtT has injected the ticket, you can use Enter-PSSession directly.
Linux domain PtT
You can check whether the machine is joined to a domain with the realm command.
Findings
Use kinit to request a TGT with a keytab:
kinit [email protected] -k -t /home/[email protected]/.scripts/svc_workstations.kt
smbclient can use the -k parameter to authenticate via Kerberos.
ccache
The credential cache, or ccache file, is kept while the Kerberos credentials are valid, typically for the duration of the user's session. After a user authenticates to the domain, a ccache file is created that stores the ticket information. The path to this file is placed in the KRB5CCNAME environment variable.
The ccache files live in the /tmp directory, but not all of them are still valid; only an active ccache (one whose tickets have not expired) can be used.
After exporting KRB5CCNAME, you can check the validity period with klist.
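The reason ccache files under /tmp matter is that anyone who can read one can reuse the session it holds, so a quick audit of their ownership and permissions is a useful hardening check. The following is an added example, not from the original post: it parses the default principal from a v3/v4 krb5 ccache (the format documented for MIT Kerberos), lists krb5cc_* files in a directory with their owner and readability bits, and demonstrates itself on two constructed caches (the realm EXAMPLE.LOCAL and the principal names are made up).

```python
"""Audit krb5cc_* files: who owns them, who can read them, and which principal they hold.

Added example (not from the original post). Implements the v3/v4 ccache header and
principal layout from the MIT krb5 file-format documentation; the sample caches it
writes are constructed and contain no tickets.
"""
import os
import stat
import struct
import tempfile
from typing import Dict, List, Tuple


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from(">H", b, off)[0]


def _u32(b: bytes, off: int) -> int:
    return struct.unpack_from(">I", b, off)[0]


def _counted(b: bytes, off: int) -> Tuple[str, int]:
    """Read a length-prefixed (uint32, big-endian) string and return (text, new offset)."""
    n = _u32(b, off)
    off += 4
    return b[off:off + n].decode("utf-8", "replace"), off + n


def parse_ccache_principal(data: bytes) -> Dict:
    """Return version, name type, realm and the default principal of a v3/v4 ccache."""
    if len(data) < 2 or data[0] != 0x05 or data[1] not in (0x03, 0x04):
        raise ValueError("not a v3/v4 krb5 ccache")
    off = 2
    if data[1] == 0x04:
        off += 2 + _u16(data, off)          # skip the v4 header (length-prefixed tag list)
    name_type = _u32(data, off)
    off += 4
    ncomp = _u32(data, off)
    off += 4
    realm, off = _counted(data, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(data, off)
        comps.append(comp)
    return {"version": data[1], "name_type": name_type, "realm": realm,
            "principal": "/".join(comps) + "@" + realm}


def build_sample_ccache(realm: str, components: List[str]) -> bytes:
    """Constructed v4 ccache: DeltaTime header tag + default principal, no credentials."""
    out = bytearray(b"\x05\x04")
    hdr = struct.pack(">HHii", 1, 8, 0, 0)  # tag 1 (DeltaTime), 8 bytes of zero offsets
    out += struct.pack(">H", len(hdr)) + hdr
    out += struct.pack(">II", 1, len(components))  # name type 1 = KRB5_NT_PRINCIPAL
    out += struct.pack(">I", len(realm)) + realm.encode()
    for comp in components:
        out += struct.pack(">I", len(comp)) + comp.encode()
    return bytes(out)


def audit_ccache_dir(directory: str) -> List[Dict]:
    """One record per krb5cc_* regular file: owner uid, readability bits, principal."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("krb5cc_"):
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        entry = {"path": path, "uid": st.st_uid,
                 "group_readable": bool(st.st_mode & stat.S_IRGRP),
                 "world_readable": bool(st.st_mode & stat.S_IROTH)}
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            entry.update(parse_ccache_principal(data))
        except ValueError as exc:
            entry["error"] = str(exc)
        results.append(entry)
    return results


def demo() -> List[Dict]:
    """Write one correctly protected (0600) and one world-readable (0644) cache, then audit."""
    d = tempfile.mkdtemp(prefix="ccache-audit-")
    good, bad = os.path.join(d, "krb5cc_1000"), os.path.join(d, "krb5cc_1001")
    with open(good, "wb") as fh:
        fh.write(build_sample_ccache("EXAMPLE.LOCAL", ["alice"]))
    os.chmod(good, 0o600)
    with open(bad, "wb") as fh:
        fh.write(build_sample_ccache("EXAMPLE.LOCAL", ["svc_workstations"]))
    os.chmod(bad, 0o644)
    return audit_ccache_dir(d)


if __name__ == "__main__":
    for rec in demo():
        flag = "EXPOSED" if rec["world_readable"] or rec["group_readable"] else "ok"
        print(f"{flag:7} {rec['path']} uid={rec['uid']} {rec.get('principal', rec.get('error'))}")
```

The parser deliberately stops after the default principal; ticket lifetimes are easier to read with klist after pointing KRB5CCNAME at the file, as the write-up describes. On a real host, run audit_ccache_dir("/tmp") and treat any cache that is group- or world-readable, or owned by a uid other than the one in its file name, as a finding.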
Keytab extraction
Use KeyTabExtract to extract the hash from a keytab.
ccache to Windows kirbi
Convert with impacket's ticketConverter.
Linikatz
The tool extracts all credentials, including Kerberos tickets, from different Kerberos implementations such as FreeIPA, SSSD, Samba, Vintella, etc. After extracting the credentials, it places them in a folder whose name starts with . In this folder you will find the credentials in the different formats available, including ccache and keytab.
BitLocker
For vhd files, use bitlocker2john to convert them to a hash for cracking.