GitBook: [#3569] No subject

SUMMARY.md

@@ -175,13 +175,13 @@
   * [DCShadow](windows-hardening/active-directory-methodology/dcshadow.md)
   * [DCSync](windows-hardening/active-directory-methodology/dcsync.md)
   * [Diamond Ticket](windows-hardening/active-directory-methodology/diamond-ticket.md)
-  * [Kerberos Double Hop Problem](windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md)
   * [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
   * [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
   * [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
   * [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
-  * [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
   * [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)
+  * [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
+  * [Kerberos Double Hop Problem](windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md)
   * [LAPS](windows-hardening/active-directory-methodology/laps.md)
   * [MSSQL AD Abuse](windows-hardening/active-directory-methodology/abusing-ad-mssql.md)
   * [Over Pass the Hash/Pass the Key](windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md)

generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md

@@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
 
 **I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**
 
-<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (2) (6).png" alt=""><figcaption></figcaption></figure>
 
 Arguments of the script:
 
@@ -173,7 +173,7 @@ Script arguments:
 
 The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
 
-<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (3) (4).png" alt=""><figcaption></figcaption></figure>
 
 Script arguments
 
@@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
 
 After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
 
-<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (4) (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
 
 <figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>
 

network-services-pentesting/8089-splunkd.md

@@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
 
 The next step is to choose `Install app from file` and upload the application.
 
-<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
 
 Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
 

pentesting-web/http-request-smuggling/browser-http-request-smuggling.md

@@ -281,7 +281,7 @@ In this case the attacker **won't receive the response timeout until he has send
 
 Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
 
-<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.
 

windows-hardening/active-directory-methodology/README.md

@@ -159,6 +159,12 @@ If you can **access other PCs or shares** with the **null or guest user** you co
 
 For this phase you need to have **compromised the credentials or a session of a valid domain account.** If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
 
+Before start the authenticated enumeration you should know what is the **Kerberos double hop problem.**
+
+{% content-ref url="kerberos-double-hop-problem.md" %}
+[kerberos-double-hop-problem.md](kerberos-double-hop-problem.md)
+{% endcontent-ref %}
+
 ### Enumeration
 
 Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**

windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md

@@ -89,7 +89,7 @@ Sometimes when creating a trust relationship, a password must be typed in by the
 
 The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
 
-![](<../../.gitbook/assets/image (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (1) (1) (1) (2).png>)
 
 ## References
 

windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md

@@ -25,13 +25,135 @@ This is because when connecting with Kerberos these are the steps:
 3. User1 **connects** to **Server1** and provides **service ticket**.
 4. **Server1** **doesn't** have **credentials** of User1 cached or the **TGT** of User1. Therefore, when User1 from Server1 tries to login to a second server, he is **not able to authenticate**.
 
+### Unconstrained Delegation
 
+If **unconstrained delegation** is enabled in the PC, this won't happen as the **Server** will **get** a **TGT** of each user accessing it. Moreover, if unconstrained delegation is used you probably can **compromise the Domain Controller** from it.\
+[**More info in the unconstrained delegation page**](unconstrained-delegation.md).
+
+### CredSSP
+
+Another suggested option to **sysadmins** to avoid this problem which is [**notably insecure**](https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7) **** is **Credential Security Support Provider**. Enabling CredSSP has been a solution mentioned on various forums throughout the years. From Microsoft:
+
+_“CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.”_
+
+If you find **CredSSP enabled** on production systems, sensitive networks, etc it’s recommended they be disabled. A quick way to **check CredSSP status** is by running `Get-WSManCredSSP`. Which can be executed remotely if WinRM is enabled.
+
+```powershell
+Invoke-Command -ComputerName bizintel -Credential ta\redsuit -ScriptBlock {
+    Get-WSManCredSSP
+}
+```
+
+## Workarounds
+
+### Invoke Command <a href="#invoke-command" id="invoke-command"></a>
+
+This method is sort of _“working with”_ the double hop issue, not necessarily solving it. It doesn’t rely on any configurations, and you can simply run it from your attacking box. It’s basically a **nested `Invoke-Command`**.
+
+This’ll **run** **`hostname`** on the **second server:**
+
+```powershell
+$cred = Get-Credential ta\redsuit
+Invoke-Command -ComputerName bizintel -Credential $cred -ScriptBlock {
+    Invoke-Command -ComputerName secdev -Credential $cred -ScriptBlock {hostname}
+}
+```
+
+You could also have a **PS-Session** established with the **first server** and simply **run** the **`Invoke-Command`** with `$cred` from there instead of nesting it. Although, running it from your attacking box centralizes tasking:
+
+```powershell
+# From the WinRM connection
+$pwd = ConvertTo-SecureString 'uiefgyvef$/E3' -AsPlainText -Force
+$cred = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
+# Use "-Credential $cred" option in Powerview commands
+```
+
+### Register PSSession Configuration
+
+If instead of using **`evil-winrm`** you can use **`Enter-PSSession`** cmdlet you can then use **`Register-PSSessionConfiguration`** and reconnect to bypass the double hop problem:
+
+```powershell
+# Register a new PS Session configuration
+Register-PSSessionConfiguration -Name doublehopsess -RunAsCredential domain_name\username
+# Restar WinRM
+Restart-Service WinRM
+# Get a PSSession
+Enter-PSSession -ConfigurationName doublehopsess -ComputerName <pc_name> -Credential domain_name\username
+# Check that in this case the TGT was sent and is in memory of the PSSession
+klist
+# In this session you won't have the double hop problem anymore
+```
+
+### PortForwarding <a href="#portproxy" id="portproxy"></a>
+
+Since we have Local Administrator on the intermediate target **bizintel: 10.35.8.17**, you can add a port forwarding rule to send your requests to the final/third server **secdev: 10.35.8.23**.
+
+Can quickly use **netsh** to rip out a one-liner and add the rule.
+
+```bash
+netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.35.8.17 connectport=5985 connectaddress=10.35.8.23
+```
+
+So **the first server** is listening on port 5446 and will forward requests hitting 5446 off to **the second server** port 5985 (aka WinRM).
+
+Then punch a hole in the Windows firewall, which can also be done with a swift netsh one-liner.
+
+```bash
+netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP localport=5446
+```
+
+Now establish the session, which will forward us to **the first server**.
+
+<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
+
+#### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
+
+**Portforwarding WinRM** requests also seems to work when using **`winrs.exe`**. This may be a better options if you’re aware PowerShell is being monitored. The below command brings back “**secdev**” as the result of `hostname`.
+
+```bash
+winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
+```
+
+Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
+
+<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
+
+### OpenSSH <a href="#openssh" id="openssh"></a>
+
+This method requires [installing OpenSSH](https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH) on the first server box. Installing OpenSSH for Windows can be done **completely via CLI** and doesn’t take much time at all - plus it doesn’t flag as malware!
+
+Of course in certain circumstances it may not be feasible, too cumbersome or may be a general OpSec risk.
+
+This method may be especially useful on a jump box setup - with access to an otherwise inaccessible network. Once the SSH connection is established, the user/attacker can fire-off as many `New-PSSession`’s as needed against the segmented network without blasting into the double-hop issue.
+
+When configured to use **Password Authentication** in OpenSSH (not keys or Kerberos), the **logon type is 8** aka _Network Clear text logon_. This doesn’t mean your password is sent in the clear - it is in fact encrypted by SSH. Upon arrival it’s unencrypted into clear text via its [authentication package](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera?redirectedfrom=MSDN) for your session to further request juicy TGT’s!
+
+This allows the intermediary server to request & obtain a TGT on your behalf to store locally on the intermediary server. Your session can then use this TGT to authenticate(PS remote) to additional servers.
+
+#### OpenSSH Install Scenario
+
+Download the latest [OpenSSH Release zip from github](https://github.com/PowerShell/Win32-OpenSSH/releases) onto you attacking box and move it over (or download it directly onto the jump box).
+
+Uncompress the zip to where you’d like. Then, run the install script - `Install-sshd.ps1`
+
+<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+
+Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
+
+<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
+
+If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
+
+```bash
+icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T
+```
 
 ## References
 
 * [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20)
-
-
+* [https://posts.slayerlabs.com/double-hop/](https://posts.slayerlabs.com/double-hop/)
+* [https://learn.microsoft.com/en-gb/archive/blogs/sergey\_babkins\_blog/another-solution-to-multi-hop-powershell-remoting](https://learn.microsoft.com/en-gb/archive/blogs/sergey\_babkins\_blog/another-solution-to-multi-hop-powershell-remoting)
+* [https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/](https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/)
 
 <details>