AD + Log4shell + Windows Startup
@@ -39,6 +39,7 @@
- [Alternatives - modules](#alternatives---modules)
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
- [Password spraying](#password-spraying)
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
- [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
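Review bot: none of the table-of-contents entries in this hunk points at the `#### samAccountName spoofing` section introduced in the second hunk; if that heading is new, add a matching `- [samAccountName spoofing](#samaccountname-spoofing)` entry here so the section is reachable from the TOC like the neighbouring `- [Using Mimikatz DCSync]` and `- [Password spraying]` items.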
@@ -675,6 +676,8 @@ Requirements:
#### samAccountName spoofing
> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller.
**Requirements**
* MachineAccountQuota > 0
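Review bot: the blockquote under `#### samAccountName spoofing` carries no source link; quoted text should cite where it was taken from, and the section should point readers to the vendor fix for the KDC lookup behaviour it describes so defenders know what to patch. The `$` escaping is also inconsistent within the quote: `'DC\$'` and `'\$'` are backslash-escaped while "appending a '$'" is not; in plain markdown outside math the backslash is unnecessary, so use one form throughout. Finally, the **Requirements** list gives only `* MachineAccountQuota > 0`, yet the quoted text also depends on the target DC still performing the append-`$` lookup described; noting that the DC must be unpatched for this behaviour would make the prerequisites complete.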