Intro to Windows & AD Hacking - v2
Adam Hassan / October 2024 (1316 Words, 8 Minutes)
This is part 2/3 of my Windows Week series that I did for UFSIT
Transcript:
Windows & AD Hacking Zero to Hero
Windows & AD Hacking Zero to Hero*
*Only if you practice
About this talk
This is an updated version of my original Windows & AD talk: https://hackback.zip/2023/10/02/Windows-AD.html
Changes:
Added more intro content about AD
Split into 2 parts
Added more details about how protocols work
Warning
MS Docs have too many TLAs. TMA
Warning (Translation)
Microsoft Documentation has too many three-letter acronyms. Too many acronyms…
This means you should ask questions!!
NetExec (NXC)
The network execution tool
Maintained as an open source project by @NeffIsBack, @MJHallenbeck, @_zblurx
For documentation and usage examples, visit: https://www.netexec.wiki/
Protocols: vnc, ssh, ftp, winrm, wmi, smb, mssql, rdp, ldap, nfs
NXC
sudo apt install pipx
pipx install git+https://github.com/Pennyw0rth/NetExec
pipx install git+https://github.com/ThePorgs/impacket
sudo apt install netexec
sudo apt install impacket
Impacket
Impacket is a collection of Python classes for working with network protocols. This is great for developers, but why do I care?
Example Scripts
Tons of scripts that let you do basically anything you want
https://github.com/fortra/impacket/tree/master/examples
pipx install impacket
Recon
Network Recon
Exploits that don’t need credentials
Eternal Blue (CVE-2017-0144)
Remote Code Execution Vulnerability on Windows if SMB is open
Can get you NT AUTHORITY\SYSTEM
IS VERY UNSTABLE. DO NOT RUN IN A PENTEST
ZeroLogon (CVE-2020-1472)
Vulnerability in the Netlogon Remote Protocol (MS-NRPC)
Lets you bruteforce an AES key that allows you to call a function (NetrServerPasswordSet2) to change the password of the domain admin
Will break your whole DC unless you undo the exploit afterwards
SMB
Check SMB Auth
Anonymous login lets you:
View shares
View users (via rid-brute)
Null login lets you:
View shares
View users
View groups
View password policy
SMB Shares
Impacket’s smbclient.py
SMB Password Spraying
First check the password policy
Then try spraying a password; try no password; try username=password
Generate a custom wordlist for password cracking: https://github.com/p0dalirius/LDAPWordlistHarvester
You can also use --local-auth for local account login
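Seen from the defender's side, a spray has a recognisable shape: many distinct accounts, one or two attempts each, all from one source inside a short window, which is exactly what someone who has read the lockout policy is trying to stay under. The following Python is an added example (not code from the talk or from any tool it mentions) that flags that shape in a constructed list of failed-logon records; the record layout and the thresholds are assumptions of this example, not the Windows 4625 event format.

```python
"""Password-spray detection over failed-logon records (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, target_user, logon_succeeded).
# The field layout is an assumption for this example, not the Windows 4625 event format.
SAMPLE_LOGONS = [
    (datetime(2024, 10, 1, 9, 0, 5), "10.0.0.50", "alice", False),
    (datetime(2024, 10, 1, 9, 0, 7), "10.0.0.50", "bob", False),
    (datetime(2024, 10, 1, 9, 0, 9), "10.0.0.50", "carol", False),
    (datetime(2024, 10, 1, 9, 0, 11), "10.0.0.50", "dave", False),
    (datetime(2024, 10, 1, 9, 0, 13), "10.0.0.50", "erin", False),
    (datetime(2024, 10, 1, 9, 0, 15), "10.0.0.50", "frank", True),   # one hit: weak password
    # A user mistyping their own password a few times is not a spray.
    (datetime(2024, 10, 1, 9, 5, 0), "10.0.0.7", "alice", False),
    (datetime(2024, 10, 1, 9, 5, 20), "10.0.0.7", "alice", False),
    (datetime(2024, 10, 1, 9, 5, 40), "10.0.0.7", "alice", True),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: distinct_users_tried} for sources that look like a spray.

    A source is flagged when, inside any sliding window, it fails against at least
    `min_users` distinct accounts while averaging no more than `max_per_user`
    attempts per account (a spray keeps attempts per account low to dodge lockout).
    """
    fails = defaultdict(list)
    for when, src, user, ok in events:
        if not ok:
            fails[src].append((when, user))

    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        recent = deque()
        for when, user in attempts:
            recent.append((when, user))
            while when - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            per_user = len(recent) / len(users)
            if len(users) >= min_users and per_user <= max_per_user:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that logged on successfully from a flagged source: the spray's hits."""
    return sorted({user for _, src, user, ok in events if ok and src in alerts})


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOGONS)
    print("spray sources:", found)                                       # {'10.0.0.50': 5}
    print("compromised:", successes_after_spray(SAMPLE_LOGONS, found))   # ['frank']
```

The per-user ratio is what separates a spray from a brute force against one account: a brute force trips the lockout counter on its own, while a spray keeps every account under the threshold and only stands out when failures are grouped by source rather than by account.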
Rid Brute
Null Auth
Command Execution??
LLMNR Background
When your Windows computer can't find a resource (machine, network share, etc.) it asks the network "does anyone know where this resource is?"
And it will believe any response it gets!!!
This means you can just respond to all LLMNR requests with your own IP address to get machines to connect to you.
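To make the "it will believe any response it gets" point concrete, here is an added Python example (not code from the talk or from Responder) that parses the LLMNR wire format, which is the DNS message format carried over UDP 5355 to the multicast group 224.0.0.252, and applies the classic defender check: query a name that no real host owns and treat any answer to it as evidence of a poisoner on the segment. The packet bytes are constructed inline; the canary name and the addresses are made up for the example.

```python
"""LLMNR message parser with a canary-response check (added example, constructed packets)."""
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group for LLMNR (RFC 4795)
LLMNR_PORT = 5355


def _encode_name(name: str) -> bytes:
    """Encode 'a.b' as DNS labels: \\x01a\\x01b\\x00."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def _decode_name(data: bytes, offset: int):
    """Decode DNS labels at offset; returns (name, offset after the terminating zero).
    Compression pointers are rejected to keep the parser short (assumption of this example)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not supported")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """Constructed A-record query, the shape a Windows host multicasts."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)        # flags: QR=0
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN


def build_answer(txid: int, name: str, ip: str) -> bytes:
    """Constructed answer claiming `name` lives at `ip` (test input for the detector)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)        # flags: QR=1
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = _encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata   # type A, IN, ttl 30
    return header + question + rr


def parse_llmnr(packet: bytes) -> dict:
    """Parse the header, question section and A-record answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = _decode_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = _decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def poisoner_for_canary(packet: bytes, canary: str):
    """If `packet` answers the canary name, return the IP it claims; otherwise None.

    Nothing legitimate can resolve a name that does not exist, so an answer means some
    host on the segment is replying to every LLMNR query it sees.
    """
    msg = parse_llmnr(packet)
    if not msg["is_response"]:
        return None
    for name, rtype, rdata in msg["answers"]:
        if rtype == 1 and name.lower() == canary.lower():
            return rdata
    return None
```

In a live deployment the canary query is sent to 224.0.0.252:5355 from a monitoring host and every unicast reply is run through poisoner_for_canary; the cleaner fix is to disable LLMNR (and NBT-NS) by policy, after which any LLMNR traffic at all is worth an alert.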
Intro to Relay: SMB Share Relay with Responder sudo Responder -I tun0
More about Relaying
Sometimes you can capture a hash by getting people to browse to your SMB share
Sometimes you can Coerce authentication (more on this later)
https://github.com/p0dalirius/Coercer
You can also capture a hash by:
Getting a database to request a file on your SMB share
Sending an email with an image that is on your SMB share
Making a website request a file on your SMB share
…
Technically, relaying is the act of capturing a hash AND forwarding (relaying) it to another host to authenticate
nxc smb
Slinky Module
You can put an image in a LNK file in a writeable SMB share
If someone browses to that share, their user will automatically request the image for the LNK file
Coercion Exploits
PetitPotam
Vulnerability that allows you to coerce a Windows host to authenticate to other machines
Uses RPC functions from MS-EFSRPC (Microsoft's Encrypting File System Remote Protocol)
https://github.com/topotam/PetitPotam
ShadowCoerce (CVE-2022-30154)
Exploits MS-FSRVP (File Server Remote VSS Protocol)
This is entirely over SMB
Only exists if the "File Server VSS Agent Service" is enabled
How to auto-coerce
How to auto-coerce (pt2)
How to receive hashes
How to relay hashes
Step 1: Figure out which machines are relayable (the ones with SMB signing disabled)
Step 2: Set up a listener that will relay hashes over to relayable machines
Step 3: Coerce authentication in some way (see prev slides)
Exploits that need credentials
PrintNightmare (CVE-2021-1675, CVE-2021-34527, CVE-2021-34481)
Vulnerability that lets you use the print spooler (RPC) to remotely add printer drivers on the system as admin
This means you can execute arbitrary code as admin and become admin
noPac
noPac abuses two CVEs (CVE-2021-42278 and CVE-2021-42287):
CVE-2021-42278: allows the creation of machine accounts without the $ symbol.
CVE-2021-42287: a logic flaw in the way Kerberos accesses tickets and tokens when an account does not exist.
Abuse Functions
How can we abuse this from Linux?
nxc smb
https://github.com/Ridter/noPac
LDAP
ldapsearch - getting the naming contexts
ldapsearch - searching
ldapsearch + bash magic
How to make it easier
How to make it EVEN easier
BloodHound Uses graph theory to find privilege escalation paths
Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths.
SharpHound & BloodHound.py
Aggregators that use LDAP to collect data about the domain
This data can then be uploaded to BloodHound
.\SharpHound.exe -c All -d
Dangerous Privileges:
GenericAll - Full rights to the object (add users to a group or reset a user's password)
GenericWrite - Update the object's attributes (e.g. logon script)
WriteOwner - Change the object's owner to an attacker-controlled user and take over the object
WriteDACL - Modify the object's ACEs and give the attacker full control over the object
AllExtendedRights - Add a user to a group or reset a password
ForceChangePassword - Change a user's password
DCSync - Sync with the DC (can be used to grab domain credentials)
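BloodHound's "graph theory" is, at its core, a shortest-path search over a graph whose nodes are principals and whose edges are the rights listed above plus group membership. The Python below is an added example, not BloodHound or SharpHound code, that runs that search over a small constructed set of edges and then shows the defender's use of the same data: remove one right and confirm the path is gone. All principal names and edges are made up for the example.

```python
"""Shortest privilege-escalation path over an AD rights graph (added example, constructed data)."""
from collections import deque

# Constructed edges: (source principal, right, target principal).
# Rights are the edge names from the slide plus MemberOf for group membership.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("carol", "MemberOf", "HelpDesk"),
    ("HelpDesk", "ForceChangePassword", "bob"),
    ("bob", "MemberOf", "ServerAdmins"),
    ("ServerAdmins", "WriteDACL", "Domain Admins"),
    ("dave", "GenericWrite", "svc_backup"),      # separate branch, not reachable from alice
    ("svc_backup", "GenericAll", "Domain Admins"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (right, neighbour)."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, target):
    """Breadth-first search; returns [(node, right, node), ...] or None if unreachable."""
    graph = build_graph(edges)
    if start not in graph:
        return None
    prev = {start: None}                 # node -> (previous node, right used to get here)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                parent, right = prev[node]
                path.append((parent, right, node))
                node = parent
            return list(reversed(path))
        for right, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    return None


def without_edge(edges, edge):
    """Defender's what-if: the edge list with one right removed."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    path = shortest_path(EDGES, "alice", "Domain Admins")
    for src, right, dst in path:
        print(f"{src} -[{right}]-> {dst}")
    # Removing the WriteDACL right on Domain Admins breaks the chain from alice.
    fixed = without_edge(EDGES, ("ServerAdmins", "WriteDACL", "Domain Admins"))
    print("path after fix:", shortest_path(fixed, "alice", "Domain Admins"))   # None
```

Breadth-first search finds the fewest hops, which is what BloodHound's default shortest-path queries return; the what-if step is the part that matters for remediation, since it tells you which single ACE or group membership to remove to cut an entire path rather than chasing each node on it.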
Kerberos
Kerberos Attacks
Two attacks that can let you steal password hashes and (maybe) crack them
ASReproasting
An issue for all users with pre-authentication disabled
impacket-GetNPUsers.py -request
Kerberoasting
An issue for all service accounts that have an SPN (Service Principal Name)
impacket-GetUserSPNs -request
Note: Kerberos only works if your clock is synced with the DC
sudo ntpdate
AS-Reproasting (Before and After)
Kerberoasting (Before and After)
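Both attacks leave a footprint in the DC's Kerberos auditing: a Kerberoast shows up as service-ticket (TGS) requests for user-account SPNs that ask for RC4 (encryption type 0x17) because that ticket cracks fastest, and AS-REP roasting shows up as a TGT issued to an account with pre-authentication turned off. The Python below is an added example, not part of the talk or of impacket, that applies those two checks to a constructed list of records and adds the mitigation view (which accounts still advertise RC4). The field names mirror the Windows 4768/4769 event fields, but the dict layout is an assumption of this example.

```python
"""Flag Kerberoast / AS-REP-roast patterns in Kerberos audit records (added example, constructed data)."""

RC4_HMAC = 0x17          # ticket encryption type roasting tools ask for (cracks fastest)
AES256_SHA1 = 0x12
NO_PREAUTH = 0           # 4768 Pre-Authentication Type 0 = no pre-auth performed
PA_ENC_TIMESTAMP = 2     # normal password-based pre-auth

# Constructed records with field names borrowed from the 4768 (TGT) / 4769 (TGS) events.
# This dict layout is an assumption for the example, not the real event XML.
SAMPLE_EVENTS = [
    {"id": 4769, "client": "jsmith", "service": "svc_sql", "etype": RC4_HMAC, "src": "10.0.0.50"},
    {"id": 4769, "client": "jsmith", "service": "WEBAPP01$", "etype": AES256_SHA1, "src": "10.0.0.12"},
    {"id": 4769, "client": "jsmith", "service": "krbtgt", "etype": RC4_HMAC, "src": "10.0.0.12"},
    {"id": 4769, "client": "jsmith", "service": "svc_backup", "etype": RC4_HMAC, "src": "10.0.0.50"},
    {"id": 4768, "client": "legacyuser", "preauth": NO_PREAUTH, "etype": RC4_HMAC, "src": "10.0.0.50"},
    {"id": 4768, "client": "jsmith", "preauth": PA_ENC_TIMESTAMP, "etype": AES256_SHA1, "src": "10.0.0.12"},
]


def is_roast_candidate(ev):
    """Return a reason string if the record matches a roasting pattern, else None."""
    if ev["id"] == 4769:
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            return None           # machine accounts and the TGT service are not roastable
        if ev["etype"] == RC4_HMAC:
            return "kerberoast: RC4 service ticket for user-account SPN %s" % svc
    elif ev["id"] == 4768 and ev.get("preauth") == NO_PREAUTH:
        return "asrep-roast: TGT issued without pre-authentication for %s" % ev["client"]
    return None


def find_roasting(events, min_tgs_per_source=2):
    """Per-record hits, plus the sources that pulled several RC4 user-SPN tickets (bulk roast)."""
    hits = []
    for ev in events:
        reason = is_roast_candidate(ev)
        if reason:
            hits.append((ev["src"], reason))
    tgs_by_src = {}
    for src, reason in hits:
        if reason.startswith("kerberoast"):
            tgs_by_src[src] = tgs_by_src.get(src, 0) + 1
    bulk_sources = sorted(s for s, n in tgs_by_src.items() if n >= min_tgs_per_source)
    return hits, bulk_sources


def still_allow_rc4(account_etypes):
    """Mitigation view: accounts whose msDS-SupportedEncryptionTypes still permits RC4.

    Bit 0x4 is RC4-HMAC; an unset attribute (0) also falls back to RC4 for user accounts.
    """
    return sorted(acct for acct, mask in account_etypes.items() if mask == 0 or mask & 0x4)


if __name__ == "__main__":
    hits, bulk = find_roasting(SAMPLE_EVENTS)
    for src, reason in hits:
        print(src, reason)
    print("bulk roasting sources:", bulk)                                  # ['10.0.0.50']
    print("fix these:", still_allow_rc4({"svc_sql": 0x4, "svc_backup": 0, "svc_web": 0x18}))
```

The RC4 filter is the high-signal part: once service accounts are moved to AES-only (and given long random passwords or made gMSAs), a 4769 with etype 0x17 against a user SPN should simply not occur, and the AS-REP check reduces to auditing which accounts have "Do not require Kerberos preauthentication" set.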
ADCS
ADCS
Active Directory Certificate Services (ADCS) is a Windows server role that implements public key infrastructure. Certificates (and certificate templates) can be used to access resources.
Certipy is a great tool for performing ADCS recon:
certipy find -u @
A certificate template is a blueprint of settings, options and permissions that can be specified when generating a certificate.
Some options include:
Enrollment Permissions: specify who can request a certificate with the template.
PkiExtendedKeyUsage: specifies what the certificate can be used for.
SCCM
SCCM
SCCM: System Center Configuration Manager
Manages task automation, remote control, and OS deployment
Recently had a whole suite of vulnerabilities released that allow for:
Stealing domain credentials
Taking over site servers (the thing that can control everyone's computer)
Coercing authentication
https://www.thehacker.recipes/a-d/movement/sccm-mecm
https://github.com/Mayyhem/SharpSCCM
Web
IIS RCE??
Sometimes you can write files to the app's webroot
If you can write an executable file to the app, you can get execution on the app
IIS is also sometimes vulnerable ->
Other web Try common web exploits
You may have to do MSSQL injection if there is MSSQL running
You might be able to coerce auth from a database, or from a webpage if it has LFI
You might just need to get code execution somehow
Sometimes you might be able to guess usernames/passwords from a website
MSSQL
MSSQL
Sometimes you can request a remote file from MSSQL to coerce auth
Sometimes you can execute commands (xp_cmdshell)
Sometimes there is confidential info in the database
Here, --local-auth means we are using SQL auth, not domain auth
RDP: 3389 TCP
RDP: Remote Desktop Protocol
Lets you remotely access a computer with a GUI
WinRM
evil-winrm
Also lets you upload and download files
You can also log in with a hash (-H)
Post-Exploitation
Credentials!!!
Password Dumping
Mimikatz.exe
impacketsecretsdump.py
nxc smb
TryHackMe
https://tryhackme.com/room/postexploit
Local Privilege Escalation
Dangerous Privileges
SeInstallAlwaysElevated - You can install anything as the administrator. This means you can install malicious code and make it run as admin (basically means you can be admin)
SeDebugPrivilege - Lets you debug (read/write) process memory. This means you can dump LSA secrets (domain creds)
SeImpersonate - Lets you impersonate another client. Usually means easy privesc through potato attacks
SeBackupPrivilege, SeRestorePrivilege - Lets you read/write any files
More Privileges
https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e
https://jlajara.gitlab.io/Potatoes_Windows_Privesc
Potato Attacks & SeImpersonatePrivilege
Service accounts often have SeImpersonatePrivilege, as they need to impersonate other users to work correctly.
This can be used to impersonate any user (including SYSTEM).
This essentially works by tricking a higher-privileged process into sending us its security token.
Coercing is done in many different ways: https://jlajara.gitlab.io/Potatoes_Windows_Privesc
Unquoted Service Path
C:\Program.exe
C:\Program Files\A.exe
C:\Program Files\A Subfolder\B.exe
C:\Program Files\A Subfolder\B Subfolder\C.exe
C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
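The slide's list is the search order Windows follows when a service's ImagePath contains spaces and is not wrapped in quotes: CreateProcess stops at each space, appends .exe if that prefix has no extension, and tries it before moving on, so a writable directory anywhere along the way is a problem. The Python below is an added example, not from the talk, that reproduces that expansion for auditing and shows the remediation (quoting the path). The ImagePath values are constructed; the assumption that the executable ends in .exe is noted in the code.

```python
"""Expand unquoted service paths into the candidates Windows would try (added example)."""
import ntpath
from typing import Dict, List, Optional

# Constructed ImagePath values as they would appear in a service's configuration.
SAMPLE_IMAGE_PATHS = {
    "VulnSvc": r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\service.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
}


def executable_part(image_path: str) -> Optional[str]:
    """Return the path up to the executable when it is unquoted and contains a space, else None."""
    path = image_path.strip()
    if path.startswith('"'):
        return None                          # quoted: the service manager reads the exact path
    # Arguments after the executable do not take part in the search. Assumption of this
    # example: the executable carries an .exe extension, so cut after the first '.exe'.
    end = path.lower().find(".exe")
    if end == -1:
        return None
    exe = path[: end + 4]
    return exe if " " in exe else None


def candidate_paths(image_path: str) -> List[str]:
    """Every path Windows tries, in order, for an unquoted ImagePath with spaces."""
    exe = executable_part(image_path)
    if exe is None:
        return []
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"                 # CreateProcess appends .exe when no extension
        candidates.append(prefix)
    candidates.append(exe)                   # the intended executable is tried last
    return candidates


def quoted_fix(image_path: str) -> str:
    """The remediation: wrap the executable path in quotes, leaving any arguments as they are."""
    exe = executable_part(image_path)
    if exe is None:
        return image_path
    return '"' + exe + '"' + image_path[len(exe):]


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> candidate paths, only for services that are actually exposed."""
    return {name: candidate_paths(p) for name, p in services.items() if candidate_paths(p)}


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_IMAGE_PATHS).items():
        print(name)
        for p in paths:
            print("   ", p)
        print("    fix:", quoted_fix(SAMPLE_IMAGE_PATHS[name]))
```

On a real host the ImagePath values come from the service configuration (for example the output of sc qc or the HKLM\SYSTEM\CurrentControlSet\Services registry keys); each candidate directory then needs a write-permission check, since only a writable one on the list turns the finding into a real escalation.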
Automating Findings
winPEAS https://github.com/carlospolop/PEASS-ng
SeatBelt https://github.com/GhostPack/Seatbelt
PowerView / SharpView https://github.com/tevora-threat/SharpView
Questions?
Resources
TCM Security AD Course
NetExec Wiki
THM Enterprise Room
Game of Active Directory
TheHackerRecipes
VulnLab