Data Source Data Traps - Web Crawler - Data Penetration
In the new shell, you can test whether you can access the domain controller by listing its C drive.

Success! A golden ticket attack was just performed.

Use the domain name of the resource you want to access, not the IP address. Kerberos tickets are only used when DNS is involved.
Callback Data Manipulation

When an attacker receives data, the concept of "information disclosure" applies. Some of this data is exchanged with the service's server and carries information about the user that may be available in the user's application. Unfortunately, this data is sometimes exchanged over insecure network connections, making it easy for attackers to control, modify, or even delete it.
The SQLMap command runs SQLMap with the target URL (-u) and the cookie (--cookie=). View the results, which include the parameters, the payload, and the location of the output file.

Open the session file. In the terminal, navigate to the output file location and view the file to be processed, then open the session.sqlite file using sqlitebrowser.

In sqlitebrowser, examine the database structure and browse the Data tab.

RPC ETW

Recording RPC request logs via ETW:
logman create trace "DRSMonitor" -p "Microsoft-Windows-RPC" -o C:\DRSMonitor.etl -ets
logman stop "DRSMonitor" -ets
The GUID that identifies DCSync requests (the DRSUAPI RPC interface) is e3514235-4b06-11d1-ab04-00c04fc2dcd2. Direct packet capture and filtering only records which domain controller machine is dumping, but not who initiated the request. This can be combined with information about high-privilege users in the domain to make a comprehensive judgment.
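One way to triage the recorded trace for the GUID above, as an added example that is not part of the original post. It assumes the .etl file has been exported to XML (for example with tracerpt) and that each event carries InterfaceUuid and ProcNum data fields; the sample events and host names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# DRSUAPI interface UUID quoted in the text above.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real capture data). The Data field names
# InterfaceUuid and ProcNum are assumptions about the exported schema.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><TimeCreated SystemTime="2024-01-01T10:00:00Z"/><Computer>DC01.example.test</Computer></System>
<EventData><Data Name="InterfaceUuid">{E3514235-4B06-11D1-AB04-00C04FC2DCD2}</Data><Data Name="ProcNum">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><TimeCreated SystemTime="2024-01-01T10:00:05Z"/><Computer>DC01.example.test</Computer></System>
<EventData><Data Name="InterfaceUuid">{00000000-1111-2222-3333-444444444444}</Data><Data Name="ProcNum">0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Computer>DC02.example.test</Computer></System>
<EventData><Data Name="InterfaceUuid">e3514235-4b06-11d1-ab04-00c04fc2dcd2</Data><Data Name="ProcNum">3</Data></EventData>
</Event>
</Events>"""

def normalize_uuid(value):
    """Lower-case a UUID and drop the braces some exports add."""
    return (value or "").strip().strip("{}").lower()

def find_drsuapi_calls(xml_text):
    """Return one record per event whose interface UUID is DRSUAPI."""
    hits = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if normalize_uuid(data.get("InterfaceUuid")) != DRSUAPI_UUID:
            continue
        created = ev.find("e:System/e:TimeCreated", NS)  # may be absent
        hits.append({
            "time": created.get("SystemTime") if created is not None else None,
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "proc_num": data.get("ProcNum"),
        })
    return hits

def count_by_computer(hits):
    """Count DRSUAPI calls per logging host, to prioritise review."""
    return dict(Counter(h["computer"] for h in hits))

if __name__ == "__main__":
    for hit in find_drsuapi_calls(SAMPLE_XML):
        print(hit)
```

Routine replication between domain controllers uses the same interface, so each hit still has to be correlated with other records, as the text notes, before it is treated as a DCSync.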
During the penetration phase, Mimikatz and ProcDump were installed, and ProcDump was used to dump the memory of the LSASS process to steal the credentials of the infected system.
NirSoft's WebBrowserPassView was also used to steal web browser information.
It can extract and display account and history information stored in Google Chrome, Firefox, and Internet Explorer.