Kerberoasting without SPNs by @_mohemiv, spoof any gmail/gsuite customer with a technique from @ezhes_, SharpBlock in memory loading by @_EthicalChaos_, new COM based lateral movement from @El3ct71k, Windows LPE by @RedVuln, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-17 to 2020-08-24.
News
- The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages. This would have been a phishing goldmine, but luckily was patched quickly following public release.
- Elastic Security 7.9 adds anti-malware, prebuilt cloud protections, and more. While it is "free," any useful service (i.e. alerts) requires a paid license. Interested to see if the agent is supported by Open Distro soon. If you want to test it out in your lab try siem-from-scratch.
- The Current State of Exploit Development, Part 2. Just like part 1, this post walks through some modern exploit mitigations that are making the attacker's life harder. Hungry for more? Check out Exploit Development: Between a Rock and a (Xtended Flow) Guard Place: Examining XFG.
- Chromium’s impact on root DNS traffic. Interesting that nearly 50% of traffic seen by root DNS servers are from Chromium based browsers doing DNS interception checks. This is the consequence of adding 3 DNS requests per startup to an app that is used by 70% of users on the internet.
- Researchers Can Duplicate Keys from the Sounds They Make in Locks. Practical - no, Cool - yes. Another step toward the dystopian super surveillance future where high speed footage of the leaves near your front door can be used to recreate the sounds your key makes and therefore cut a copy of your key.
- Kali Linux 2020.3 Release. The de-facto default penetration testing distro releases its latest update. High DPI support, new icons, bash->ZSH, and cleaner setup process are the highlights, as well as updated packages of course.
Techniques
- Performing Kerberoasting without SPNs adds the -usersfile option to GetUserSPNs.py, which requests tickets for each line from the specified file using the NT-ENTERPRISE type, and changed the default behavior from usage of service principal names to usage of SAM Account Names. This allows the retrieval of a Kerberos ticket in scenarios that otherwise would have failed, and allows mass-checking a list of SAM accounts for Kerberos tickets, not just those accounts that have SPNs!
- Attacking Azure & Azure AD, Part II introduces PowerZure 2.0 which add all kinds of neat features, my favorite being New-AzureIntuneScript which uploads a PowerShell script to Intune which will execute by default against all devices. Hope you have load balancing on your C2 server for all the shells that will call back!
- Windows .Net Core SDK Elevation of Privilege. @RedVuln found the original vulnerability, and @itm4n dug into it. A nice Windows privesc for a user that has the .NET Core SDK installed, and isn't a local admin anymore, or SYSTEM persistence if they are.
- Wireshark Tutorial: Decrypting HTTPS Traffic is a basic but well done tutorial.
- How to contact Google SRE: Dropping a shell in cloud SQL. SQL injection in Cloud SQL! Just when you think the major cloud providers have security on lock, you read something like this. The good news is how fast the SRE responded and the issues were dealt with.
Tools and Exploits
- DumpReparsePoints is a new tool from @tiraniddo that dumps all reparse points of an NTFS drive on Windows. What is a reparse point? Fun things like symbolic links, hard links, and directory junctions, among others. I'm sure this means there are about to be more file-link based attacks/LPEs from James soon.
- SharpBlock. The tool isn't new but the fact you can load binaries via http or over a named pipe and inject them into memory is a huge new feature. Take inspiration from this for your next EDR bypassing loader.
- LNKMod is a C# project to create or modify existing LNKs.
- mapcidr is a small utility program to perform multiple operations for a given subnet/CIDR ranges.
- tracee is a lightweight and easy to use container and system tracing tool. It allows you to observe system calls and other system events in real time. Intended as a debugging tool, tracee has implications for Linux red team tools for process monitoring system side.
- tunshell is billed as a "remote shell into ephemeral environments" and acts a bit like ngrok + a shell. The beauty of tunshell is that its client is a statically-linked, pre-compiled binary which can be installed by downloading it with a one-liner script. It was built for debugging CI environments, but there are obvious red team use cases.
- CmpDoReDoCreateKey Arbitrary Registry Key Creation EoP and CmpDoReadTxRBigLogRecord Memory Corruption EoP were patched and dropped with PoCs that aren't ready for use on an engagement but would be good starting points for weaponization.
- Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488). Another AppX bug leads to local privilege escalation that reminds me of CVE-2019-1064.
- DVS - D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects. The DVS framework contains various ways to bypass remote hardening against DCOM by re-enabling DCOM access remotely and automatically grant the required permissions to the attacking user. The framework can also revert changes on the remote machine to their original state, prior to the attack.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- SharpKatz is a C# port if of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands for your C# in memory needs.
- Wizer Training is a freemium phishing training platform. Very interesting model, and I'm excited to try it out. Don't be fooled by wizertraining.com which was briefly redirecting to knowbe4.com. If the competition is playing dirty, you must be doing something right!
- wonitor is a fast, zero config web endpoint change monitor. For comparing responses, a selected list of http headers and the full response body is stored on a local key/value store file. No configuration needed.
- espoofer is an email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.
This post is cross-posted on SIXGEN's blog.