
Intro to Windows & AD Hacking

windows

Transcript:

Windows & AD Hacking Zero to Hero

Windows & AD Hacking Zero to Hero* *Only if you practice

Why do I care about AD? Most enterprise networks run Windows (roughly 88% of desktop operating system market share, according to a random stat I pulled from a random site in 2020). The standard for managing large enterprise networks is Active Directory.

About Internal Pentests (aka Pivot, aka Assumed Breach) What? Testing the security posture of the target organization's internal network. Why? Strong external/perimeter security: great! Unknown internal network security: not great.

Goals "Let's assume that the attackers are already inside. What now?" Finding misconfigurations (and vulnerabilities). Layered defense (defense in depth): the perimeter should not be the only control.

  1. The basics

File System Is similar to Linux. Directories are separated with backslashes (\) instead of forward slashes. The root of the system drive is C:\ (there is no single root; each drive letter has its own).
Paths are case-insensitive and only need quotes when they contain spaces (unquoted paths with spaces are the root of the "unquoted service path" bug covered later).

Registry
A large collection of configurations and environment variables Includes keys, subkeys, and values

HKEY: handle to a key (the top-level "hives"). HKCU: HKEY_CURRENT_USER (settings for the logged-on user). HKLM: HKEY_LOCAL_MACHINE (machine-wide settings, including SAM and SECURITY).

Value Types: DWORD/QWORD: 32- / 64-bit numbers (double word / quad word). REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ (*_SZ): strings.

TryHackMe

https://tryhackme.com/module/windows-fundamentals

Active Directory

TryHackMe

https://tryhackme.com/room/winadbasics

Local vs Domain Accounts Every Windows machine has its own local accounts: a built-in local Administrator and local users, stored in the SAM. If the machine is domain-joined, people log in with domain accounts instead, which are stored on the domain controllers, and the machine itself has a machine account in AD (COMPUTERNAME$). Sometimes passwords are re-used between local and domain accounts, or the same local admin password is set on every machine.

Local System and NT AUTHORITY\SYSTEM: the same thing. Local Admin: a member of the machine's Administrators group. SYSTEM: the account the OS and most services run as; at least as powerful as local admin on that machine, but a different identity (it authenticates to the domain as the machine account). Domain Admin: admin of every machine and account in the domain.

Windows Credentials I LM: old, extremely weak hashing from early Windows. Mostly unused today; when it is disabled the stored LM hash is the constant AAD3B435B51404EEAAD3B435B51404EE (the LM hash of an empty password). NT: the equivalent of a password in Windows (MD4 of the UTF-16LE password). Not as weak as LM, but unsalted and fast to crack. ufsit ⇔ 272AEA395D8D6B05F1BC78E1A7213AEF NTLM hash: LM hash + NT hash, written LM:NT, e.g. AAD3B435B51404EEAAD3B435B51404EE:272AEA395D8D6B05F1BC78E1A7213AEF. Because the NT hash is what is actually compared, it can be used directly (pass-the-hash). For network auth (challenge/response, never sent in the clear): NetNTLMv1: DES-based; can be reduced back to the NT hash with rainbow tables. NetNTLMv2: HMAC-MD5 based; cannot be reversed, but can be cracked offline with a wordlist, and both versions can be relayed.

Windows Credentials II SAM: Security Account Manager. Stores local account password hashes. Lives in the registry (HKLM\SAM; HKLM means it is per machine, so these are local passwords) and is backed by the file C:\Windows\System32\config\SAM. LSASS: Local Security Authority Subsystem Service. Handles logons and keeps logon material (NT hashes, Kerberos tickets, sometimes cleartext) in memory for the lifetime of the session. Crucial for SSO to work, and why dumping LSASS memory is so valuable. NTDS: NT Directory Services. The AD database with the hashes of all domain accounts (plus user info, group info, security descriptors...). On the domain controller at C:\Windows\NTDS\ntds.dit. LAPS: Local Administrator Password Solution. Sets a unique, rotating local administrator password on each domain-joined machine and stores it in AD (or, with Windows LAPS, in Entra ID); readable only by principals granted access to the attribute.

Services Background processes

Usually run as SYSTEM, a built-in service account, or (dangerously) a domain account with a password.

Windows Identifiers SID: Security Identifier. S-1-5-21-2574976019-2108132042-3243833284 is a domain SID; S-1-5-21-2574976019-2108132042-3243833284-512 is a group SID (512 is Domain Admins). RID: Relative Identifier, the last part of the SID. RIDs below 1000 are well-known built-in users and groups (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 513 Domain Users); 1000 and up are accounts and groups created later. Because RIDs are sequential, they can be brute-forced to enumerate users without credentials.
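An added Python example (not part of the original slides) that works with SIDs the way the tools in this talk do: it converts between the string form and the binary form returned in the objectSid attribute (which ldapsearch prints as base64 after "objectSid::"), splits a SID into its domain part and RID, names the well-known RIDs listed above, and generates the candidate SIDs that a RID brute-force walks. The domain SID is the one from the slide; the base64 value is built here rather than captured.

```python
import base64
import struct

# Well-known RIDs from the slide plus a few common ones (not exhaustive).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}


def sid_to_bytes(sid: str) -> bytes:
    """String SID -> binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as little-endian u32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Binary SID (e.g. decoded objectSid) -> string SID."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def ldif_object_sid(b64: str) -> str:
    """Decode the base64 value that follows 'objectSid::' in ldapsearch output."""
    return bytes_to_sid(base64.b64decode(b64))


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account/group SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "well-known/built-in" if rid < 1000 else "created account or group"


def rid_brute_targets(domain_sid: str, start: int = 500, stop: int = 1100) -> list[str]:
    """The SIDs a RID brute-force asks the DC to resolve (what nxc --rid-brute does
    over LsarLookupSids); existing ones come back with a name."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, stop)]


if __name__ == "__main__":
    da = "S-1-5-21-2574976019-2108132042-3243833284-512"
    print(base64.b64encode(sid_to_bytes(da)).decode())  # how ldapsearch would print it
    dom, rid = split_sid(da)
    print(dom, rid, describe_rid(rid))
    print(rid_brute_targets(dom)[:3])
```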

  2. Tools

CrackMapExec (CME)

""" A swiss army knife for pentesting networks

Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes """

Protocols: vnc, ssh, ftp, winrm, wmi, smb, mssql, rdp, ldap CME

NetExec (NXC)

""" The network execution tool. Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx

For documentation and usage examples, visit: https://www.netexec.wiki/ """

Protocols: vnc, ssh, ftp, winrm, wmi, smb, mssql, rdp, ldap NXC

Impacket Impacket is a collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, LDAP, MSSQL...). This is great for developers, but why do I care?

Example Scripts Tons of scripts that let you do basically anything you want https://github.com/fortra/impacket/tree/master/examples pipx install impacket

  3. Recon

Network Recon

  4. Common Services & Abuses (for initial access)

Common Windows Services Windows Services: IIS - Port 80/443 TCP; RPC - Port 135 TCP (endpoint mapper) and 139 TCP (NetBIOS session, SMB over NetBIOS); SMB - Port 445 TCP; MSSQL - Port 1433 TCP; RDP - Port 3389 TCP. AD (DC) Services: DNS - Port 53 TCP/UDP; WinRM - Port 5985 TCP (5986 for HTTPS); LDAP - Port 389/636 TCP (3268/3269 for the Global Catalog); Kerberos - Port 88 TCP/UDP.

IIS: 80/443 TCP Is almost never vulnerable by default. The vulnerability will usually be in the web app it is hosting. Typically .aspx (.NET) files, but it can also run PHP.

IIS RCE?? Sometimes you can write files to the app's webroot (upload functionality, writable share, path traversal). If you can write a file that IIS executes (an .aspx or .php web shell), you get code execution as the application pool identity.

IIS itself is also sometimes vulnerable (see below).

RPC: 135/139 TCP Duct tape for a lot of the Windows backend. Rarely exploitable on its own, but a lot of Windows functionality (and a lot of exploits and coercion tricks) runs over it.

SMB: 445 TCP SMB: Server Message Block. For sharing files over the network; also used for IPC (named pipes, IPC$) and for the SYSVOL and NETLOGON shares on domain controllers. SYSVOL stores the domain's public files (group policy), replicated to every domain controller. NETLOGON contains logon scripts and policy files that domain-joined computers use. Null authentication: no username or password. Guest authentication: a username but no password (any unknown username maps to Guest when Guest is enabled). Both can leak shares, users and policies.

SMB Shares

Rid Brute

Intro to Relay: capturing NetNTLM hashes with Responder, which poisons LLMNR/NBT-NS/mDNS name lookups so victims authenticate to you: sudo Responder -I tun0

More about Relaying Sometimes you can capture a hash by getting people to browse to your SMB share (a link, a shortcut file, an image path in a document). Sometimes you can coerce a machine into authenticating to you (more on this later): https://github.com/p0dalirius/Coercer

Technically, relaying is the act of capturing an authentication AND forwarding (relaying) it to another host to authenticate there as the victim. It only works against hosts that do not require SMB signing; list them with: nxc smb <targets> --gen-relay-list relayable.txt

Command Execution??

MSSQL: 1433 TCP SQL, but make it Bill Gates. Mostly the same as other SQL, but if you're a sysadmin you can get code execution (xp_cmdshell), and any login can be made to authenticate outbound to an attacker share (xp_dirtree) to capture or relay the service account's hash.

Two types of authentication: Windows Authentication, using a domain account (or a local Windows account); SQL Authentication, using an account that only exists inside the SQL instance (e.g. sa).

Here, --local-auth means we are using SQL auth, not domain auth.

RDP: 3389 TCP RDP: Remote Desktop Protocol Lets you remotely access a computer with a GUI

DNS: 53 TCP/UDP DNS: Domain Name System. This is VERY important to get right: Kerberos and most AD tooling resolve hostnames (and the domain name) through DNS, so point your box at the domain controller for the target domain.

Options, from quick and dirty to proper: add entries to /etc/hosts (nano /etc/hosts); set the DC as resolver for the VPN interface with resolvectl dns <interface> <dc-ip> and resolvectl domain <interface> <domain>; or the older form, systemd-resolve --interface <interface> --set-dns <dc-ip> --set-domain <domain>.

Verifying name resolution with nslookup (the domain name should resolve to the DC, and the DC's hostname should resolve).

WinRM: 5985 TCP WinRM: Windows Remote Management (PowerShell remoting over HTTP/HTTPS). Enabled by default on Windows Server; accessible only to local Administrators and members of the Remote Management Users group, so a valid local-admin credential usually means a shell.

This is meant for sysadmins, but is abused by attackers.

evil-winrm Gives an interactive PowerShell session, lets you upload and download files, and can log in with an NT hash instead of a password (-H).

LDAP: 389, 636 (LDAPS), 3268, 3269 (Global Catalog) LDAP: Lightweight Directory Access Protocol

The protocol for querying (and modifying) AD objects: users, groups, computers, their attributes and ACLs. Most AD recon tools are LDAP queries underneath.

“cn=adamhassan,ou=People,dc=ufl,dc=edu”

ldapsearch - getting the naming contexts (an anonymous query of the root DSE returns the base DNs, e.g. DC=ufl,DC=edu).

ldapsearch - searching (bind with a valid account and query objects under that base).

ldapsearch + bash magic (grep/awk over the LDIF output to pull out sAMAccountName, userAccountControl, servicePrincipalName, etc.)

How to make it easier: use a tool that does the parsing for you (ldapdomaindump, nxc ldap modules, BloodHound).

Kerberos: 88 TCP/UDP Authentication protocol. Uses tickets instead of sending password hashes to each service. Services are identified by SPNs, which are built from hostnames, not IPs (another reason DNS must be right).

Tickets are issued by the KDC, which runs on every domain controller. KDC: Key Distribution Center. TGT: Ticket Granting Ticket, encrypted with the krbtgt account's key, proves who you are. TGS: Ticket Granting Service, the part of the KDC that exchanges a TGT for service tickets. ST: Service Ticket, encrypted with the service account's key, proves you may talk to that service.

Kerberos Attacks Two attacks that let you obtain material encrypted with a user's password-derived key and (maybe) crack it offline. AS-REP roasting: an issue for all users with "Do not require Kerberos preauthentication" set; the KDC hands back an AS-REP encrypted with the user's key without proof of the password. impacket-GetNPUsers <domain>/ -usersfile users.txt -request Kerberoasting: an issue for all accounts that have an SPN (Service Principal Name); any domain user can request a service ticket for them, and the ticket is encrypted with the service account's key. impacket-GetUserSPNs <domain>/<user>:<password> -request Note: there are different encryption types (etypes). 23 is rc4-hmac (weak, keyed directly off the NT hash, still the default for many service accounts); 18 is aes256-cts-hmac-sha1-96 (much slower to crack). www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

AS-Reproasting (Before and After)

Kerberoasting (Before and After)
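The "ldapsearch + bash magic" slides and the two Kerberos attacks above come together in this added Python example (mine, not from the original talk): it parses LDIF as ldapsearch prints it (including folded continuation lines and base64 "::" values), decodes the userAccountControl bit flags, and picks out the AS-REP roastable accounts (DONT_REQ_PREAUTH, 0x400000) and the Kerberoastable ones (any enabled user with a servicePrincipalName other than krbtgt). The LDIF below is constructed for the example; the flag values and attribute names are the real ones from AD.

```python
import base64

# userAccountControl flags (subset) as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed ldapsearch -LLL output; the long SPN line is folded the way ldapsearch folds it.
SAMPLE_LDIF = """\
dn: CN=svc_sql,OU=Service Accounts,DC=domain,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.domain.local:1433
servicePrincipalName: MSSQLSvc/sql01.domain.local:MSSQLSERVER-long-instance-name-that
 -wraps

dn: CN=alice,OU=People,DC=domain,DC=local
sAMAccountName: alice
userAccountControl: 4260352

dn: CN=bob,OU=People,DC=domain,DC=local
sAMAccountName: bob
userAccountControl: 514
servicePrincipalName: HTTP/web01.domain.local

dn: CN=krbtgt,CN=Users,DC=domain,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=eve,OU=People,DC=domain,DC=local
sAMAccountName:: ZXZl
userAccountControl: 512
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Return one {attribute: [values]} dict per entry; handles folding and base64."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                      # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if "::" in line.split(":", 1)[1][:1] or line.split(":", 1)[0] + "::" == line[: len(line.split(":", 1)[0]) + 2]:
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def uac(entry: dict[str, list[str]]) -> int:
    return int(entry.get("userAccountControl", ["0"])[0])


def asrep_roastable(entries) -> list[str]:
    """Enabled accounts that do not require pre-authentication."""
    return [e["sAMAccountName"][0] for e in entries
            if uac(e) & UAC_DONT_REQ_PREAUTH and not uac(e) & UAC_ACCOUNTDISABLE]


def kerberoastable(entries) -> list[str]:
    """Enabled user accounts with an SPN, excluding krbtgt (its ticket is the TGT key)."""
    return [e["sAMAccountName"][0] for e in entries
            if e.get("servicePrincipalName") and uac(e) & UAC_NORMAL_ACCOUNT
            and not uac(e) & UAC_ACCOUNTDISABLE and e["sAMAccountName"][0].lower() != "krbtgt"]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("AS-REP roastable:", asrep_roastable(entries))
    print("Kerberoastable:  ", kerberoastable(entries))
```

The filters mirror what GetNPUsers and GetUserSPNs ask the DC for; running them over your own ldapsearch dump is a quick way to confirm what those tools will find before making noise against the KDC.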

  5. Post-Exploitation

Credentials!!! Password Spraying: try the passwords you do have against other accounts (people reuse passwords A LOT); watch the lockout policy first. Generate a custom wordlist for password cracking from the domain's own LDAP data: https://github.com/p0dalirius/LDAPWordlistHarvester Password Dumping: mimikatz.exe, impacket-secretsdump, nxc smb <target> -u <user> -p <pass> --lsa --sam --ntds --laps. LSA secrets and SAM if you're local admin. NTDS if you're Domain Admin or have DCSync rights (more on this later). LAPS passwords for the machines your user has been granted read access to (sometimes).

TryHackMe

https://tryhackme.com/room/postexploit

  6. Local Privilege Escalation

Dangerous Privileges AlwaysInstallElevated (a registry policy, not a token privilege): MSI packages install as SYSTEM for every user. This means you can install a malicious MSI and have it run as SYSTEM (basically means you can be admin). SeDebugPrivilege: lets you debug (read/write) any process's memory. This means you can dump LSASS (domain creds). SeImpersonatePrivilege: lets you impersonate another client. Usually means easy privesc through potato attacks. SeBackupPrivilege / SeRestorePrivilege: lets you read any file / write any file regardless of ACLs (e.g. copy the SAM and SYSTEM hives).

More Privileges

https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Potato Attacks & SeImpersonatePrivilege Service accounts (IIS app pools, MSSQL, etc.) often have SeImpersonatePrivilege, as they need to impersonate the users they serve to work correctly. This can be used to impersonate any user that can be made to connect to us, including SYSTEM. It works by coercing a privileged process to authenticate to a named pipe (or other endpoint) we control, which lets us impersonate its security token and spawn a process with it. The coercion is done in many different ways, which is why there are so many potatoes: https://jlajara.gitlab.io/Potatoes_Windows_Privesc

EternalBlue (CVE-2017-0144, MS17-010) Remote code execution in SMBv1 on unpatched Windows hosts with SMB exposed. Gives you NT AUTHORITY\SYSTEM.

Unquoted Service Path A service whose ImagePath contains spaces but no quotes, e.g. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe, makes Windows try each of these in order, stopping at the first that exists:
C:\Program.exe
C:\Program Files\A.exe
C:\Program Files\A Subfolder\B.exe
C:\Program Files\A Subfolder\B Subfolder\C.exe
C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
If you can write to any of those directories, drop an executable there and restart the service (or reboot) to run it as the service account.

Automating Findings winPEAS https://github.com/carlospolop/PEASS-ng Seatbelt https://github.com/GhostPack/Seatbelt PowerView (PowerSploit) / SharpView https://github.com/tevora-threat/SharpView

  7. Domain Privilege Escalation

BloodHound Uses graph theory to find privilege escalation paths

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths.

SharpHound & BloodHound.py Collectors that use LDAP (plus SMB/RPC for sessions and local group membership) to gather data about the domain. This data is then uploaded into BloodHound.

.\SharpHound.exe -c All -d <domain>
python3 bloodhound.py -u validUser -p validPass -d domain.local -c All

Dangerous Privileges (ACL rights on AD objects):
GenericAll - Full rights to the object (add users to a group or reset a user's password)
GenericWrite - Update the object's attributes (e.g. logon script, or add an SPN to make the user Kerberoastable)
WriteOwner - Change the object's owner to an attacker-controlled user and take over the object
WriteDACL - Modify the object's ACEs and grant the attacker full control over the object
AllExtendedRights - Add a user to a group or reset a password
ForceChangePassword - Change the user's password without knowing the old one
DCSync (GetChanges + GetChangesAll on the domain) - Replicate from the DC like another DC would (used to grab every domain credential)

ZeroLogon (CVE-2020-1472) Vulnerability in the Netlogon Remote Protocol (MS-NRPC). A flaw in the AES-CFB8 authentication lets you pass an all-zero client credential and succeed after a few hundred tries on average, after which you can call NetrServerPasswordSet2 to set the domain controller's machine account password to empty. With the DC's machine account you can DCSync the whole domain (including the Domain Admin hashes).

PrintNightmare (CVE-2021-1675, CVE-2021-34527, CVE-2021-34481) Vulnerability that lets an authenticated user use the Print Spooler (over RPC) to add a printer driver, which the spooler loads as SYSTEM.

This means you can load an arbitrary DLL as SYSTEM, locally or remotely, and become admin.

PetitPotam Vulnerability (really a feature abuse) that coerces a Windows host, including a domain controller, into authenticating to a machine of your choice, which you can then relay (e.g. to AD CS). Uses RPC functions in MS-EFSRPC, Microsoft's Encrypting File System Remote Protocol. https://github.com/topotam/PetitPotam

noPac noPac abuses two CVEs (CVE-2021-42278 and CVE-2021-42287): CVE-2021-42278 (sAMAccountName spoofing): lets you create machine accounts whose name has no trailing $ symbol, so a machine account can be named after the DC. CVE-2021-42287: a logic flaw in how the KDC handles an account that no longer exists when a TGT is exchanged for a service ticket; it falls back to the name with $ appended, i.e. the real DC, so you end up with a service ticket as the DC.

Abuse Functions How can we abuse this from Linux? nxc smb <dc> -u <user> -p <password> -M nopac (checks whether the DC is vulnerable) python3 noPac.py domain.local/username:password -dc-ip $dcip -dc-host $dc01 --impersonate $userToImpersonate --dump

https://github.com/Ridter/noPac

AD CS Active Directory Certificate Services (AD CS) is a Windows server role that implements a public key infrastructure. Certificates (issued from certificate templates) can be used to authenticate to the domain, so a misconfigured template that lets a low-privileged user request a certificate for someone else is a path to Domain Admin (the "ESC" issues).

Certipy is a great tool for performing AD CS recon; this lists the enabled templates it thinks are vulnerable: certipy find -u <user>@<domain> -p <password> -vulnerable -enabled

A certificate template is a blueprint of settings, options and permissions that apply when generating a certificate. Some options include: Enrollment Permissions: who can request a certificate with the template. PkiExtendedKeyUsage: what the certificate can be used for (Client Authentication is the one that matters for logging in). Whether the requester may supply the subject name themselves (ENROLLEE_SUPPLIES_SUBJECT) is what turns a template into ESC1.

SCCM SCCM: System Center Configuration Manager (now MECM / Configuration Manager). Manages task automation, software and patch deployment, remote control, and OS deployment across the fleet.

Recently had a whole suite of vulnerabilities and abuse techniques released that allow for: stealing domain credentials (network access accounts, task sequences); taking over site servers (the thing that can control everyone's computer); coercing authentication from the site server and clients. https://www.thehacker.recipes/a-d/movement/sccm-mecm

https://github.com/Mayyhem/SharpSCCM

Lab - TryHackMe Enterprise

https://tryhackme.com/room/enterprise

Thanks to Shikata, Scott Brink, Sung Gwan Choi, and Dylan Tran. Much of the content in these slides was adapted from their material.

References

© 2024 Adam Hassan