sn🥶vvcr💥sh Profile picture
Nov 24, 2022 9 tweets 4 min read Read on X
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️

There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsytem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
(2/x) from abusing Key Credentials. Relaying to AD CS HTTP is not possible either. Here’s when I decided to go for SPN-less RBCD (credits to @tiraniddo) on a prod domain 🤦🏻‍♂️

But first let’s add a DNS record pointing to the attacker’s machine to coerce Victim over WebDav ⤵️
(3/x) Now it’s all ready to go: Printer Bug + ntlmrelayx[.]py and we’re escalating a low privilege user (j.doe) to be trusted for delegation by Victim ⤵️
(4/x) Now we want to request and parse the TGT for j.doe hunting for the ticket’s session key ⤵️
(5/x) At this point all we’ve to do is to set j.doe’s long term RC4 key (NT hash actually) to the value of TGT session key saved earlier ⤵️

tiraniddo.dev/2022/05/exploi…
(6/x) After that some S4U2self+U2U magic brought to #impacket by @_nwodtuhs and now the DC can successfully complete the S4U2proxy phase to give us an ST! ⤵️

thehacker.recipes/ad/movement/ke…
(7/x) Having got a valid ST we can impersonate a privileged user and secretsdump SAM & LSA on Victim looking for the appropriate NT hash ⤵️
(8/x) And finally DCSync ➡️ Overpass-the-Key ➡️ wmiexec[.]py on the DC 😤

P. S. As a final remark, with DA privileges I can directly inject old NT hash into NTDS.dit, thus bypassing password history policy in the domain and revert j.doe’s broken password.
Oops, a typo on the bottom pane - it’s VICTIM[.]corp[.]local when doing Printer Bug, of course, not DC01.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with sn🥶vvcr💥sh

sn🥶vvcr💥sh Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @snovvcrash

Jul 9, 2023
🧶 (1/5) Given an unmanaged offensive binary, I will show how easily it can be adopted for in-memory execution with CSExec[.]py and bin2pwsh without a mature C2. As an example I will take the recent fork of @D1rkMtr’s TakeMyRDP keylogger PoC from NoceraLabs - TakeMyRDP2.0 ⤵️
🧶 (2/5) Firstly, I will clone the project and amend a tiny patch: switch the runtime library from /MD to /MT, get rid of hidden window creation and bring the ability of specifying the log file path on target via a CLI argument ⤵️

🧶 (3/5) Now, as a 1st demo, we can use bin2pwsh manually to create a non-blocking PowerShell loader that can be invoked within CSExec’s agent unmanaged PS runspace. Thus, I’ll spawn an new keylogger thread without resorting to fork-and-run concept (no new process is created) ⤵️
Read 5 tweets
Mar 6, 2023
🧵 (1/7) Sponsorship Thread

I've been getting a lot of DMs asking to share #DInjector after I moved it to a private repo, so I’ve finally decided to give sponsorship a try ⤵️

boosty.to/snovvcrash
🧵 (2/7) For me it’s more of a way to keep some of my projects hidden from prying eyes while still leaving them somewhat public. I do not claim to have super l33t code there, so no 0-days for sure 🤪 At the same time, I got too uncomfortable giving personal links to ppl in DMs ⤵️
🧵 (3/7) Currently there’re two (poorly coded) tools that I’d want to share with sponsors: DInjector and bin2pwsh ⤵️
Read 8 tweets
Feb 6, 2023
🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump

I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️
🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️ Image
🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️ ImageImage
Read 6 tweets
Oct 2, 2022
🧵 (1/) Forged Tickets Thread

Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (@exploitph) and Sapphire (@_nwodtuhs) tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️

#ad #kerberos
🧵 (2/) Golden tickets are forged privileged TGTs that’re crafted completely offline. Having got krbtgt RC4 (NT hash) or AES key, a TA can specify some params (e.g., group membership, user’s RID, ticket validity period) to create and sign a fake PAC embedded inside the TGT ⤵️
🧵 (3/) Thus, the TA can provide the forged TGT to request an ST to any resource in the domain which will contain a copy of the fake PAC signed by the target service account. Since recently, we cannot use a non-existent account name as a result of CVE-2021-42287 mitigations ⤵️
Read 9 tweets
Aug 26, 2022
🧶 (1/) Reproducing Masky Thread

So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.

Let’s go! ⤵️

#pentest #adcs
🧶 (2/) First things first, I shall enumerate AD CS environment with #CrackMapExec and qwinsta the Victim machine via newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim but any LA will do 👨🏻‍💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
Read 7 tweets
Jul 29, 2022
🧵 (1/x) Reanimating ADCSPwn thread (in a simple way) ⏬

You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬

github.com/bats3c/ADCSPwn…

#lpe #adcs #petitpotam #webdav
🧵 (2/x) So that now the execution hangs like follows ⏬
🧵 (3/x) But guess what, there’s another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(