🧵(1/3) I get so excited every time I contribute to #impacket 🤗 Anyways, here’s an upcoming update to secretsdump[.]py ↪️ There’s now this -ldapfilter option that allows an attacker to #DCSync a bunch of user with a single shot 🧨
🧵 (2/3) Based on an LDAP query you can grab all the DAs, users from a particular OU, all those adminCount=1 accounts, etc. For me that happens to be extremely useful when you’ve exploited a critical low-hanging vulnerability
🧵 (3/3) which has instantly given you replication rights and you don’t even know yet whose hashes you wanna DCSync for persistence 😅
🧶 (1/5) Given an unmanaged offensive binary, I will show how easily it can be adopted for in-memory execution with CSExec[.]py and bin2pwsh without a mature C2. As an example I will take the recent fork of @D1rkMtr’s TakeMyRDP keylogger PoC from NoceraLabs - TakeMyRDP2.0 ⤵️
🧶 (2/5) Firstly, I will clone the project and amend a tiny patch: switch the runtime library from /MD to /MT, get rid of hidden window creation and bring the ability of specifying the log file path on target via a CLI argument ⤵️
🧶 (3/5) Now, as a 1st demo, we can use bin2pwsh manually to create a non-blocking PowerShell loader that can be invoked within CSExec’s agent unmanaged PS runspace. Thus, I’ll spawn an new keylogger thread without resorting to fork-and-run concept (no new process is created) ⤵️
🧵 (2/7) For me it’s more of a way to keep some of my projects hidden from prying eyes while still leaving them somewhat public. I do not claim to have super l33t code there, so no 0-days for sure 🤪 At the same time, I got too uncomfortable giving personal links to ppl in DMs ⤵️
🧵 (3/7) Currently there’re two (poorly coded) tools that I’d want to share with sponsors: DInjector and bin2pwsh ⤵️
🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️
🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️
There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻♂️
But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️
Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉