From eb074393df4069eaf1d0429274f8510a17673a4b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 13 May 2020 23:07:39 +0200 Subject: [PATCH] Windows Persistence - Binary replacing --- .../Cloud - Azure Pentest.md | 15 ++++++++-- .../Windows - Persistence.md | 29 ++++++++++++++++++- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index b84ac81..f8c1857 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -177,6 +177,8 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest > By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph. +Check if the compagny is using Azure AD with `https://login.microsoftonline.com/getuserrealm.srf?login=username@target.onmicrosoft.com&xml=1`. + ```powershell $ git clone https://github.com/dirkjanm/ROADtools $ pip install roadrecon @@ -290,6 +292,8 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online ## Azure AD - Password Spray +> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds + ```powershell git clone https://github.com/dafthack/MSOLSpray Import-Module .\MSOLSpray.ps1 
@@ -357,7 +361,11 @@ Prerequisite: * Compromise a server with Azure AD Connect service * Access to ADSyncAdmins or local Administrators groups -Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account +Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account: +* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545 +* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c + +Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack. ## Azure AD Connect - Seamless Single Sign On Silver Ticket @@ -455,6 +463,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= ``` +* Validate email : https://github.com/LMGsec/o365creeper `o365creeper.py -f emails.txt -o validemails.txt` * Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon 
@@ -473,4 +482,6 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) * [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) -* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) \ No newline at end of file +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index bd4ca44..963d807 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
@@ -16,7 +16,12 @@ * [HKLM](#hklm) * [Services](#services) * [Scheduled Task](#scheduled-task) + * [Binary Replacement](#binary-replacement) + * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) + * [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10) * [RDP Backdoor](#rdp-backdoor) + * [utilman.exe](#utilman.exe) + * [sethc.exe](#sethc.exe) * [Skeleton Key](#skeleton-key) * [References](#references) @@ -157,6 +162,27 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +### Binary Replacement + +#### Binary Replacement on Windows XP+ + +| Feature | Executable | +|---------------------|---------------------------------------| +| Sticky Keys | C:\Windows\System32\sethc.exe | +| Accessibility Menu | C:\Windows\System32\utilman.exe | +| On-Screen Keyboard | C:\Windows\System32\osk.exe | +| Magnifier | C:\Windows\System32\Magnify.exe | +| Narrator | C:\Windows\System32\Narrator.exe | +| Display Switcher | C:\Windows\System32\DisplaySwitch.exe | +| App Switcher | C:\Windows\System32\AtBroker.exe | + +#### Binary Replacement on Windows 10+ + +Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable. + +Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`. + + ### RDP Backdoor #### utilman.exe 
@@ -190,4 +216,5 @@ Enter-PSSession -ComputerName -Credential \Administr * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) -* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) \ No newline at end of file +* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) +* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) \ No newline at end of file
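Review bot: typo in the added line of the first `Cloud - Azure Pentest.md` hunk (`@@ -177,6 +177,8 @@`): `compagny` should be `company`. The sentence would also be more useful if it said what to look for in the response, since `getuserrealm.srf?...&xml=1` returns a `NameSpaceType` element whose value (Managed, Federated or Unknown) is what actually tells you whether the tenant uses Azure AD; suggest "Check whether the company uses Azure AD by querying `...&xml=1` and reading the `NameSpaceType` element of the response."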
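Review bot: the added blockquote in the password-spray hunk (`@@ -290,6 +292,8 @@`), "Default lockout policy of 10 failed attempts, locking out an account for 60 seconds", duplicates a statement already in this file (visible in the context of the later O365 hunk: "NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an..."). Consolidate the two into one statement, cite the Azure AD Smart Lockout documentation for the numbers, and say that both the threshold and the duration are tenant-configurable, so the defaults only hold where an administrator has left them unchanged.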
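Review bot: inconsistent capitalisation in the Azure AD Connect hunk (`@@ -357,7 +361,11 @@`): the intro line says "MSOL account" while the closing line says "MSOL Account"; pick one. The closing line "Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack." also ends the section abruptly; add a cross-reference to wherever DCSync is covered in the methodology so the reader is not left with a bare claim, and consider noting in the second bullet that `azuread_decrypt_msol_v2.ps1` supersedes the first script rather than listing both as equals.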
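Review bot: the new bullet in the O365 hunk (`@@ -455,6 +463,7 @@`), "Validate email : ... `o365creeper.py -f emails.txt -o validemails.txt`", is terse and keeps the space-before-colon style of the neighbouring bullet; suggest "Validate email addresses: ..." and, while here, fix the neighbouring bullet's grammar ("Extract email lists with valid credentials:"). It would also help to say what `-f` and `-o` are (input list and output file), since the rest of the section documents its commands.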
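Review bot: the Azure references hunk (`@@ -473,4 +482,6 @@`) still leaves the file without a trailing newline (`\ No newline at end of file` on the new last line); add one. The Synacktiv entry title is in all caps ("AZURE AD INTRODUCTION FOR RED TEAMERS - Written by ..."), unlike every other entry in the list; normalise it to title case and drop "Written by" so it matches the `Title - Author - Date` pattern used by the other bullets.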
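Review bot: broken anchors in the `Windows - Persistence.md` table-of-contents hunk (`@@ -16,7 +16,12 @@`): `(#utilman.exe)` and `(#sethc.exe)` will not resolve, because GitHub's heading slugs drop periods, so `#### utilman.exe` becomes `#utilmanexe`; use `(#utilmanexe)` and `(#sethcexe)`. The `#binary-replacement-on-windows-xp` and `#binary-replacement-on-windows-10` anchors are fine, since the trailing `+` in those headings is dropped the same way.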
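Review bot: the "Binary Replacement on Windows 10+" subsection added in the `@@ -157,6 +162,27 @@` hunk does not describe binary replacement at all but a DLL hijack of `osk.exe` through `HID.dll`, and the new section overlaps the existing "RDP Backdoor" subsection (its `#### utilman.exe` / `#### sethc.exe` headings are visible in the context) as well as the Sticky Keys and Accessibility Menu rows of the new table. Suggest merging the two sections or at least renaming the Windows 10 heading to match its content, citing the "Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools" reference added in the last hunk inline as the source for the `HID.dll` path, and stating the prerequisite (write access to the listed `System32` executables or to `C:\Program Files\Common Files\microsoft shared\ink\`) so the reader knows the privilege level involved. A one-line detection note would balance the section: the listed binaries are Microsoft-signed, so a replaced copy fails signature validation and shows up in file-integrity monitoring. Also put the table's paths in backticks like the other paths in the file, and remove one of the two blank lines before `### RDP Backdoor` (the file uses one).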
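Review bot: the Windows persistence references hunk (`@@ -190,4 +216,5 @@`) fixes the empty link title but still leaves the file without a trailing newline (`\ No newline at end of file` on the new last line); add one. The IIS Raid entry uses an en dash and a bare `19/02/2020` date with no author, unlike the other entries' `Title - Author - Date` form with a hyphen; use a hyphen and add the author.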