[thread] Since this finding, a lot of people are looking for a bit of knowledge around that bug. Below is a list of links that will help you better understand it (attacker side)
PetitPotam's MS-EFSR abuse is the equivalent (even better) of the PrinterBug's MS-RPRN abuse that has been around for a while now

1️⃣ PrinterBug: thehacker.recipes/active-directo…
2️⃣ PetitPotam: thehacker.recipes/active-directo…
Coercing a machine's authentication is a technique that allows for the capture or relay of that auth.

1️⃣ capture: thehacker.recipes/active-directo…
2️⃣ relay: thehacker.recipes/active-directo…
When capturing an auth, what's captured is the NTLM ChallengeResponse. It's derived from the LM or NT hash, with a complexity that depends on the version of the protocol in use (LM, LMv2, NTLM, NTLMv2, etc.).

NTLMv1 usually ~= win 🏆

github.com/NotMedic/NetNT…
Relaying an auth is another way to escalate privileges.

You could trigger a first DC's authentication and relay it to another one, for instance. With the PrinterBug or PetitPotam, the NTLM auth comes over SMB, which limits the relay possibilities (because of signing and the MIC)
But if DC2 is not patched against CVE-2019-1040, supports LDAPS without Channel Binding enforced, and you are in control of a machine account, you can trigger DomainController1's authentication and relay it to DomainController2 with
- MIC and signing flags removal
- RBCD delegation attack
This allows your controlled machine account to impersonate (almost) anyone on DC1

$ ntlmrelayx -t ldaps://DC2 --escalate-user 'CNTRLED_MACHINE$' --delegate-access
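The "MIC and signing flags removal" step above is what a relay-aware sensor can look for. As an added example (not code from the thread or from impacket), here is an inspector for an NTLMSSP AUTHENTICATE (type 3) message that reports NTLMv1 vs NTLMv2, whether the client negotiated signing, and whether a MIC is declared and present. Offsets and flag values follow MS-NLMP; the messages it inspects are constructed by the hypothetical build_authenticate() helper, and the NTProofStr and MIC bytes in them are filler, not real values.

```python
"""Inspect an NTLMSSP AUTHENTICATE (type 3) message as a defender would:
NTLMv1 or NTLMv2, did the client ask for signing, is a MIC declared/present.
Added example; layout per MS-NLMP, sample messages constructed below."""
import struct

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_VERSION = 0x02000000

MSV_AV_EOL = 0x0000
MSV_AV_FLAGS = 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002   # AvFlags bit: "client is providing a MIC"

HEADER_LEN = 88    # Signature .. MIC; payload buffers start here
MIC_OFFSET = 72    # MIC sits right after the 8-byte Version field


def _field(buf, off):
    """Read a Len/MaxLen/Offset descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def parse_av_pairs(blob):
    """AvPairs: (AvId, AvLen, Value) list, little-endian, ended by MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len
    return pairs


def inspect_authenticate(msg):
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    nt_resp = _field(msg, 20)                 # NtChallengeResponseFields
    user = _field(msg, 36).decode("utf-16-le")  # UserNameFields
    flags = struct.unpack_from("<I", msg, 60)[0]
    # An NTLMv1 response is exactly 24 bytes; NTLMv2 carries the client blob.
    version = "NTLMv2" if len(nt_resp) > 24 else "NTLMv1"
    mic_declared = False
    if version == "NTLMv2":
        # NTLMv2_RESPONSE = 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE; the
        # AvPairs start 28 bytes into the latter (RespType .. Reserved3).
        av = parse_av_pairs(nt_resp[16 + 28:])
        raw = av.get(MSV_AV_FLAGS)
        if raw and len(raw) == 4:
            mic_declared = bool(struct.unpack("<I", raw)[0] & AV_FLAG_MIC_PRESENT)
    return {
        "user": user,
        "version": version,
        "signing_requested": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "mic_declared": mic_declared,
        "mic_present": any(msg[MIC_OFFSET:MIC_OFFSET + 16]),
    }


def assess(info):
    """Warnings a defender would raise on an inspected AUTHENTICATE message."""
    warnings = []
    if info["version"] == "NTLMv1":
        warnings.append("NTLMv1 response: legacy protocol, should be disabled")
    if not info["signing_requested"]:
        warnings.append("client did not negotiate signing")
    if info["version"] == "NTLMv2" and not (info["mic_declared"] and info["mic_present"]):
        warnings.append("no MIC: message may have been tampered with in transit")
    return warnings


def build_authenticate(user="DC1$", domain="CORP", ntlmv2=True, sign=True, mic=True):
    """Constructed AUTHENTICATE message for testing (filler proof/MIC bytes)."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_VERSION
    if sign:
        flags |= NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN
    if ntlmv2:
        av_pairs = (struct.pack("<HHI", MSV_AV_FLAGS, 4, AV_FLAG_MIC_PRESENT if mic else 0)
                    + struct.pack("<HH", MSV_AV_EOL, 0))
        client_challenge = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8   # RespType, reserved, time
                            + b"\x11" * 8 + b"\x00" * 4 + av_pairs + b"\x00" * 4)
        nt_resp, lm_resp = b"\xaa" * 16 + client_challenge, b"\x00" * 24
    else:
        nt_resp, lm_resp = b"\xbb" * 24, b"\xcc" * 24
    items = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    fields, payload = b"", b""
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), HEADER_LEN + len(payload))
        payload += item
    mic_bytes = b"\x5a" * 16 if mic else b"\x00" * 16
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags)
            + b"\x00" * 8 + mic_bytes + payload)


if __name__ == "__main__":
    for kwargs in ({}, {"sign": False, "mic": False}, {"ntlmv2": False}):
        print(kwargs, assess(inspect_authenticate(build_authenticate(**kwargs))))
```

The inspector assumes the fixed layout with Version and MIC fields that current Windows clients emit; a message from an implementation that omits both would need the payload offsets checked before reading offset 72.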
Another technique: if you find a machine that is admin to another, you could trigger machine1's NTLM auth and relay it to machine2 to obtain an admin SMB session. That session could be used to dump SAM and LSA secrets, for instance. You're admin on machine2 now
There is a catch though
For this to work, machine2 must not have SMB signing set to required (DCs require it by default)
Try to find a « machine2 » that actually gives you more possibilities than you already have

$ ntlmrelayx -t smb://Machine2
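Both relays above (DC1 to DC2, machine1 to machine2) leave the same trace on the target: a Security event 4624 network logon (LogonType 3) over NTLM for a computer account whose source address is the relay host rather than the computer itself. As an added example (not from the thread), here is that detection logic run over constructed JSON-exported 4624/4625 records; the inventory mapping computer accounts to their IPs is also constructed, and the field names are those of Windows event 4624.

```python
"""Flag NTLM network logons by computer accounts that arrive from an address
other than the computer's own: the trace a coerced-and-relayed auth leaves in
the relay target's Security log. Added example; inventory and log lines are
constructed, field names are those of Windows event 4624."""
import json

# Constructed inventory: the IP each computer account is expected to come from.
KNOWN_HOSTS = {
    "DC1$": "10.0.0.1",
    "DC2$": "10.0.0.2",
    "WS01$": "10.0.0.50",
}

# Constructed records, one JSON object per line.
SAMPLE_LOG_LINES = [
    # DC1$ reaching DC2 from DC1's own address over Kerberos: normal.
    '{"EventID": 4624, "Computer": "DC2", "TargetUserName": "DC1$", "LogonType": "3", '
    '"AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.1", "WorkstationName": "DC1"}',
    # DC1$ over NTLM from 10.0.0.99, which is not DC1: the relay pattern.
    '{"EventID": 4624, "Computer": "DC2", "TargetUserName": "DC1$", "LogonType": "3", '
    '"AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "DC1"}',
    # A workstation account from its own address: normal.
    '{"EventID": 4624, "Computer": "DC2", "TargetUserName": "WS01$", "LogonType": "3", '
    '"AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50", "WorkstationName": "WS01"}',
    # A user account, not a computer account: outside this rule's scope.
    '{"EventID": 4624, "Computer": "DC2", "TargetUserName": "alice", "LogonType": "3", '
    '"AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "PC7"}',
    # Failed logon (4625): a different event, ignored by this rule.
    '{"EventID": 4625, "Computer": "DC2", "TargetUserName": "DC1$", "LogonType": "3", '
    '"AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "DC1"}',
]

# Addresses a host uses when it authenticates to itself; not a relay indicator.
LOCAL_ADDRESSES = {"-", "::1", "127.0.0.1"}


def classify(event, known_hosts=KNOWN_HOSTS):
    """Return a finding for a relayed-looking computer-account logon, else None."""
    if int(event.get("EventID", 0)) != 4624:
        return None
    if str(event.get("LogonType")) != "3":           # network logon only
        return None
    if event.get("AuthenticationPackageName") != "NTLM":
        return None
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):                    # computer accounts end with '$'
        return None
    source = event.get("IpAddress", "-")
    if source in LOCAL_ADDRESSES:
        return None
    expected = known_hosts.get(account)
    if expected is None:
        reason = "computer account not in inventory"
    elif source != expected:
        reason = "NTLM network logon by a computer account from an address that is not its own"
    else:
        return None
    return {"target": event.get("Computer"), "account": account,
            "source": source, "expected": expected, "reason": reason}


def scan(lines, known_hosts=KNOWN_HOSTS):
    """Parse JSON log lines and return the list of findings."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line), known_hosts)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"[{f['target']}] {f['account']} from {f['source']} "
              f"(expected {f['expected']}): {f['reason']}")
```

In a real environment the inventory comes from DNS or DHCP data, and the WorkstationName field (client-supplied, so not trustworthy on its own) can be compared with the resolved source address as a second signal.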
Another technique: NTLM relay to AD CS HTTP endpoints
I haven't RTFMed enough on this technique, so here you go: @SpecterOps's article on this

posts.specterops.io/certified-pre-…
NTLM is not available? You’ll have fun with Kerberos

The Kerberos auth has delegation features

If you have control over a machine set with Constrained or, even better, Unconstrained delegation, you'll be able to work something out
Control over a machine with Unconstrained delegation will usually lead you to full domain compromise. PetitPotam will be of great help now that the Spooler service is disabled in many orgz, preventing the PrinterBug from being exploited

thehacker.recipes/active-directo…

Keep Current with Shutdown (Charlie Bromberg)