Hashcat on Docker

I finally got hashcat running on Docker, with GPU support for NVIDIA cards. First, I needed to install Docker and NVIDIA Container Toolkit on my system, and add my user to the docker group.

    root $ pacman -S --needed docker nvidia-container-toolkit
    root $ systemctl enable --now docker.service
    root $ usermod -aG docker user

Then I created a Dockerfile to set up the hashcat environment with NVIDIA support (using a BlackArch image):

    FROM blackarchlinux/blackarch:latest
    RUN pacman -Syu --noconfirm && \
        pacman -S --noconfirm \
        blackarch/cracken \
        blackarch/pack \
        blackarch/pipal \
        extra/hashcat \
        extra/hashcat-utils
    RUN mkdir -p /etc/OpenCL/vendors && \
        echo "libnvidia-opencl.so.1" > /etc/OpenCL/vendors/nvidia.icd
    RUN mkdir /cracking...

June 19, 2025 · 1 min

Kerberoasting & AS-REP Roasting

These are some scribbles if I ever need to look up how to exploit Kerberoasting or AS-REP Roasting. I might expand on this later…

Note: This is nothing new; most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

Environment

For this article, we’re assuming the following (YMMV):

    user $ echo $SHELL
    /usr/bin/fish
    user $ which GetUserSPNs.py
    /usr/bin/GetUserSPNs.py
    user $ which GetNPUsers.py
    /usr/bin/GetNPUsers.py
    user $ set win_domain company.org
    user $ set dc_ip 192.168.1.1
    user $ set regular_ad_user gijsbert...

October 11, 2024 · 2 min

Exploiting AD CS Misconfigurations

These are some scribbles if I ever need to look up how to exploit AD CS misconfigurations, such as ESC1. I might expand on this later…

Note: This is nothing new; most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

Environment

For this article, we’re assuming the following (YMMV):

    user $ echo $SHELL
    /usr/bin/fish
    user $ which certipy
    /usr/bin/certipy
    user $ which dasel
    /usr/bin/dasel
    user $ set win_domain company.org
    user $ set dc_fqdn dc.{$win_domain}
    user $ set dc_ip 192.168.1.1
    user $ set ca_fqdn ca.{$win_domain}
    user $ set ca_ip 192.168.1.10
    user $ set ca_name COMPANYCA
    user $ set esc1_template_name ESC1Template
    user $ set regular_ad_user gijsbert
    user $ set domain_admin dawilbert
    user $ set domain_admin_upn {$domain_admin}@{$win_domain}...

October 9, 2024 · 2 min

Cracking Hashes Using Hashcat

I’ve been using Hashcat since I’ve been pentesting at my previous jobs, but I haven’t had the need to use it for a couple of years now. Recently I had another use case for it, but I still don’t need to use it nearly as often as I once did. I therefore decided to document some of this to easily look things up in the future.

Extracting All Hashes from Active Directory

To copy all hashes from Active Directory, you need domain administrator credentials. Once acquired, make a copy like so: ...

August 17, 2024 · 6 min