From 25b60032292f065838d7b4ba19a34e115e132da5 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Wed, 6 Oct 2021 08:29:59 +0200 Subject: [PATCH] Update Active Directory Attack.md --- Methodology and Resources/Active Directory Attack.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0d7c031..1e321af 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -665,8 +665,8 @@ Requirements: | Error | Message | Debug | |--------|---------------------|------------------------------------------| -| 0x5 | rpc_s_access_denied | Permissions on the file in the SMB share | -| 0x525 | ERROR_NO_SUCH_USER | The specified account does not exist. | +| 0x5 | `rpc_s_access_denied` | Permissions on the file in the SMB share | +| 0x525 | `ERROR_NO_SUCH_USER` | The specified account does not exist. | | 0x180 | unknown error code | Share is not SMB2 | @@ -844,7 +844,7 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password ``` -* [Get-GPPPassword](https://github.com/ShutdownRepo/Get-GPPPassword) +* [Get-GPPPassword](https://github.com/SecureAuthCorp/impacket/blob/master/examples/Get-GPPPassword.py) ```powershell # with a NULL session Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER' 
@@ -858,7 +858,7 @@ echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aS #### Mitigations -* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences. +* Install [KB2962486](https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-025) on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences. * Delete existing GPP xml files in SYSVOL containing passwords. * Don’t put passwords in files that are accessible by all authenticated users. @@ -968,7 +968,7 @@ StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author You will need the following files to extract the ntds : - NTDS.dit file -- SYSTEM hive (C:\Windows\System32\SYSTEM) +- SYSTEM hive (`C:\Windows\System32\SYSTEM`) Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. - `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
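Review bot: In the error table hunk (@@ -665,8), wrapping `rpc_s_access_denied` and `ERROR_NO_SUCH_USER` in backticks is the right call for symbolic names, and leaving the prose value `unknown error code` on the `0x180` row unformatted keeps the distinction between an identifier and a description. The only thing lost is the column alignment of the source (the Message cells are now wider than the `|---------------------|` rule), which renders fine in Markdown but makes the raw file harder to diff; consider widening the header rule and padding the other rows to match.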
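Review bot: The new Get-GPPPassword link (@@ -844,7) points at a file on the `master` branch of the impacket repository, which will silently break if the example is renamed or the branch moves; pinning the URL to a release tag or commit would keep the reference stable. Separately, the unchanged code fence below the link is tagged `powershell` while the command it shows (`Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'`) is a Python CLI run from a shell, so `bash` would be the accurate tag now that the link targets the Python script.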
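Review bot: In the mitigations hunk (@@ -858,7) the link text reads `KB2962486` but the target is the MS14-025 bulletin page, so a reader following it lands on a bulletin rather than a KB article; naming MS14-025 inline (e.g. "Install KB2962486 (MS14-025) on every computer ...") would set that expectation. The sentence itself still has a dangling relative clause: "every computer used to manage GPOs which prevents new credentials" reads as if the computer does the preventing; splitting it as "... used to manage GPOs; the update prevents new credentials from being placed in Group Policy Preferences" fixes that.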
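Review bot: The path formatted in the NTDS hunk (@@ -968,7) is wrong as well as now being monospaced: the SYSTEM registry hive lives at `C:\Windows\System32\config\SYSTEM`, not `C:\Windows\System32\SYSTEM`, so a reader copying the backticked path will not find the file. Since this line is being touched anyway, replace it with `- SYSTEM hive (`C:\Windows\System32\config\SYSTEM`)`; the hive is needed to derive the boot key that decrypts the password hashes in `ntds.dit`, which is worth a few words here so the reader knows why both files are required.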