HackTheBox - Academy [CPTS] Review 1 - PASSWORD ATTACKS

Foreword

I haven't posted an article for a month. I enrolled in HTB Academy to study for the CPTS on June 11. With the support of a solid THM foundation, the learning went very smoothly. In fact, most of the content amounted to review, and what I did learn were small tricks that may be less common or very detailed, which is also great.

Although most of the content is covered over the course of a THM study cycle, HTB Academy still has a considerable number of subtle details that THM may not have, and those are worth learning.

As of now, my CPTS study is coming to an end, and it has only taken about 11 days.


As usual, to save time, I only write up the parts worth reviewing, not all modules.

PASSWORD ATTACKS

Password reuse / default passwords

DefaultCreds-cheat-sheet can directly look up the default credentials of some CMSs.


SAM

  • The SECURITY hive (registry file) contains a cache of domain account credentials.

CrackMapExec remote dump

crackmapexec smb 10.129.42.198 --local-auth -u bob -p 'HTB_@cademy_stdnt!' --lsa

Besides --lsa, there are also --sam and --ntds for dumping the SAM and NTDS.dit in one command.

Note that for a local account the --local-auth parameter must be added.

rundll32 dump lsass

PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

This calls the MiniDump export of comsvcs.dll through rundll32 to dump lsass (672 here is the PID of lsass.exe).

Python version of mimikatz: pypykatz

MSV

MSV is an authentication package in Windows that the LSA calls to authenticate logon attempts against the SAM database. It is also invoked when a domain-joined machine performs NTLM authentication against the domain.

DPAPI

The Data Protection Application Programming Interface (DPAPI) is mainly used by application software, such as common browsers, to encrypt and decrypt stored passwords. Its keys are held in lsass memory.

Windows credential collection tool: LaZagne

Useful for retrieving large numbers of passwords stored on a local computer. Every piece of software uses a different technique (plaintext, API, custom algorithm, database, etc.) to store its passwords. This tool was developed to find these passwords for the most commonly used software.

LaZagne also has a Python version, which is also available for Linux.

Linux credential collection tool: mimipenguin

It can look for credentials in memory as well as credentials stored in the files of some common software.

The prerequisite is that it must be run as root.

Windows PtH to RDP

A prerequisite for PtH login to RDP is that Restricted Admin mode is enabled, which can be done by modifying the registry:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

UAC

THM says:

UAC (User Account Control) restricts the ability of local users to perform remote administrative operations. When this registry value is set to 0, only the built-in local administrator account (RID 500, "Administrator") is allowed to perform remote administrative tasks. Setting it to 1 allows the other local administrators as well.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
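The three commands above (the comsvcs.dll MiniDump, the DisableRestrictedAdmin change and the LocalAccountTokenFilterPolicy change) are all visible in process-creation logs. As an added example, not from the original post or HTB Academy, here is Python detection logic run over constructed CommandLine events; the rule names and sample events are my own assumptions.

```python
import re

# Constructed detection rules for the three command lines quoted in these notes, applied
# to process-creation events (e.g. Sysmon Event ID 1 / Security 4688 CommandLine fields).
RULES = [
    # rundll32 loading comsvcs.dll's MiniDump export: LSASS memory dumped to disk
    ("lsass_minidump_comsvcs",
     re.compile(r"rundll32(\.exe)?\s.*comsvcs\.dll\s*,\s*MiniDump\b", re.I)),
    # DisableRestrictedAdmin set to 0: Restricted Admin mode (PtH over RDP) turned on
    ("restricted_admin_enabled",
     re.compile(r"reg(\.exe)?\s+add\s.*\\Control\\Lsa\b.*DisableRestrictedAdmin.*/d\s+(0x)?0+\b", re.I)),
    # LocalAccountTokenFilterPolicy set to 1: every local admin gets a full remote token
    ("token_filter_policy_relaxed",
     re.compile(r"reg(\.exe)?\s+add\s.*Policies\\System\b.*LocalAccountTokenFilterPolicy.*/d\s+(0x)?0*1\b", re.I)),
]

def scan_events(events):
    """Return (rule_name, event) pairs for every event that matches at least one rule."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event):
                hits.append((name, event))
    return hits

# Constructed sample events: three built from the commands on this page, two benign look-alikes.
SAMPLE_EVENTS = [
    r"CommandLine: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full",
    r"CommandLine: reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f",
    r"CommandLine: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f",
    r"CommandLine: reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin",
    r"CommandLine: rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
]

if __name__ == "__main__":
    for name, event in scan_events(SAMPLE_EVENTS):
        print("[%s] %s" % (name, event))
```

Only the value-specific patterns fire: a `reg query`, or setting DisableRestrictedAdmin back to 1, is left alone.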

PTK

NTLM and Kerberos share the same characteristic: both use a key derived from the password's hash to encrypt timestamps and answer challenges. Kerberos can therefore perform pass-the-key (PtK), which is essentially the same as NTLM's pass-the-hash, which is why the mimikatz commands used for PtK are the same as those for PtH.

PTT lateral movement

After injecting a ticket with PtT, Enter-PSSession can be used directly.

Linux domain PTT

The realm command shows whether the machine has joined a domain.

findings

Use kinit to request a TGT with the key stored in a keytab:

kinit [email protected] -k -t /home/[email protected]/.scripts/svc_workstations.kt

smbclient can use the -k parameter to authenticate via Kerberos.

ccache

The credential cache, or ccache file, is kept while the Kerberos credentials are valid, typically for the duration of the user's session. After a user authenticates to the domain, a ccache file is created that stores the ticket information. The path to this file is placed in the KRB5CCNAME environment variable.

The ccache files live in the /tmp directory. Not every ccache file there is still valid; only the active ccache is.

After exporting KRB5CCNAME, klist shows the ticket's validity period.

Keytab export

Use KeyTabExtract to extract hashes from a keytab.
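KeyTabExtract works because a keytab stores the principal's long-term keys in a documented binary layout. As an added example, not from the original post or from KeyTabExtract, here is a Python parser for the MIT keytab format (version 0x0502) that inventories principals, kvno and encryption types and flags entries whose stored key is NT-hash-equivalent (rc4-hmac) or DES, which is the defender-side check for a keytab found on a host; the realm, principal name and key bytes in the sample are constructed.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 4757); the rc4-hmac key is the NT hash itself.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4: password-equivalent, offline-crackable keys

def _counted(buf, off):  # uint16 length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):  # MIT keytab (format 0x0502) -> entry dicts; key bytes are not kept
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size < 0:                  # negative size marks a deleted slot: skip it
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2) key[keylen] [vno32(4)]
        _, _, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": etype, "kvno": kvno, "key_len": klen})
        off = end
    return entries

def audit_keytab(data):  # one finding per entry whose key is NT-hash- or DES-equivalent
    return ["%s kvno=%d uses %s: rotate the password and drop this enctype"
            % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in parse_keytab(data) if e["enctype"] in WEAK_ENCTYPES]

def _entry(realm, comps, etype, key, kvno):  # encode one entry for the constructed sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy key bytes): an AES-256 and an RC4 key for one service principal.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(b"EXAMPLE.LOCAL", [b"svc_workstations"], 18, b"\x11" * 32, 3)
                 + _entry(b"EXAMPLE.LOCAL", [b"svc_workstations"], 23, b"\x22" * 16, 3))
```

Running audit_keytab on a real keytab reports which principals still carry RC4 or DES keys without ever printing the key material.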

ccache to Windows kirbi

Convert with impacket's ticketConverter.

Linikatz

The tool extracts all credentials, including Kerberos tickets, from different Kerberos implementations such as FreeIPA, SSSD, Samba, Vintela, etc. After extracting the credentials, it places them in a folder whose name starts with . In this folder you will find the credentials in the different available formats, including ccache and keytab.

BitLocker

For .vhd files, bitlocker2john can convert them into a hash for cracking.


Source: blog.csdn.net/qq_54704239/article/details/131365282