As auth coercion is blowing up due to #cve-2023-23397, I've put together a quick thread about how we at @MDSecLabs have been leveraging these techniques in our red team engagements for quite some time. It's timely, but I presented much of this at @FiestaCon_RT last week 🧵
Traditionally, if you wanted to abuse SMB auth coercion during a red team & over a C2, you were somewhat limited. It was, however, achievable using a mix of portbender, rportfwd and socks. The main limitations were admin rights, dropping a driver and the opsec of increased C2 traffic.
Just over two years ago, we evolved the tradecraft around this by documenting an alternate approach using WebDAV and a number of file primitives to coerce auth mdsec.co.uk/2021/02/farmin…
We have since considerably evolved this concept, building relaying into our tools with help from @breakfix and @_batsec_. This approach has yielded considerable success during our RT ops. Use cases include downgrading to NetNTLMv1 for easy cracking and NTLM recovery:
Relaying to LDAP, allowing you to add shadow credentials or perform RBCD. In this video a domain admin opens a folder on a share and a searchConnector triggers authentication, which we relay to LDAP to obtain a shadow cred.
vimeo.com/808300501
Relaying to Exchange EWS. In this video, our domain admin again opens a folder on a file share and a searchConnector relays his auth to EWS to delegate access to the bob user, which we control.
vimeo.com/808300586
Relaying to ADCS. In this video, we use our relaytoolkit to scan for the presence of MS_PRN and DAV services on a remote host, trigger authentication via MS_PRN and relay it to ADCS to obtain a certificate for the machine account.
vimeo.com/808300642
And last but not least, relaying to SCCM. In this video we trigger MS_PRN locally and relay the local machine account to SCCM to perform a new device enrolment; this is then used to recover policies and extract the often privileged NAA creds:
vimeo.com/808300696
In summary, auth coercion is a powerful escalation primitive for red teams and NTLM needs to die. We've likely only scratched the surface of what can be done and there are likely many more services that can be abused; CyberArk? Citrix? SAP? All spring to mind as good targets.
Again massive credits to @breakfix who did most of the heavy lifting on a lot of this 🙏
If you're looking to replicate these attacks, we'd highly recommend looking at SharpSCCM (github.com/Mayyhem/SharpS…) by @_Mayyhem and SharpLdapRelayScan (github.com/klezVirus/Shar…) by @KlezVirus, which were both instrumental in informing our tooling.
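Two of the outcomes described in this thread leave traces in Windows Security logging: the NetNTLMv1 downgrade shows up as a network logon (Event 4624) whose LM package is "NTLM V1", and a shadow credential added over an LDAP relay is a directory modification (Event 5136) of msDS-KeyCredentialLink, which is only logged when Directory Service Changes auditing and a SACL on that attribute are in place. The detection below is an added example, not from the thread or MDSec's tooling; the events are constructed and flattened to dicts whose keys follow the Security log's XML data names.

```python
# Constructed sample events (not real telemetry), keyed by Security log data names.
SAMPLE_EVENTS = [
    # NTLMv1 network logon: what a successful downgrade looks like on the target host
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    # Ordinary NTLMv2 network logon, must not alert
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "bob", "IpAddress": "10.0.0.6"},
    # Kerberos logon, must not alert
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    # msDS-KeyCredentialLink written on a computer object: shadow credential added
    {"EventID": 5136, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=local", "SubjectUserName": "alice"},
    # Benign attribute change on the same object, must not alert
    {"EventID": 5136, "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=local", "SubjectUserName": "admin"},
]


def ntlmv1_logons(events):
    """4624 NTLM logons whose LM package is NTLM V1 (the downgrade case)."""
    return [e for e in events
            if e.get("EventID") == 4624
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("LmPackageName", "").upper() == "NTLM V1"]


def key_credential_writes(events):
    """5136 modifications of msDS-KeyCredentialLink (shadow credential writes)."""
    return [e for e in events
            if e.get("EventID") == 5136
            and e.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink"]


def alerts(events):
    """One human-readable alert line per matching event, in detection order."""
    out = []
    for e in ntlmv1_logons(events):
        out.append(f"NTLMv1 logon for {e['TargetUserName']} from {e['IpAddress']}")
    for e in key_credential_writes(events):
        out.append(f"msDS-KeyCredentialLink written on {e['ObjectDN']} by {e['SubjectUserName']}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

On a domain where NTLMv1 is already disabled via LmCompatibilityLevel, any hit from the first check is a misconfigured host worth chasing; the second check is noisy only where legitimate Windows Hello for Business enrolment writes the same attribute.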