SANS Workshop – NTLM Relaying 101: How Internal Pentesters Compromise Domains

All right, hello everyone, welcome to this SANS workshop, NTLM Relaying 101: how internal pen testers compromise domains.
My name is Randall Jones.
I'm the offensive operations product manager here at SANS and I'll be facilitating today's workshop.
I'll mention before we get started that we will be using our workshop slack for discussion and support during today's session.
If you have not already gone through the workshop setup instructions, please go to the Slack channel and check out the walkthrough there,
at sansurl.com/sans-workshop.
Now you can use any email address to register for access; it doesn't have to be your SANS account email or work email or anything like that.
I'll put that link back in Zoom once we get started and we have most of our attendees in here.
And so please direct all discussion and questions to that Slack space during the workshop.
I'll also mention at the top here,
if you haven't already downloaded the lab files for today's workshop, you likely won't have time to download them all now.
They are quite large.
However, we will have the recording posted for this workshop.
And there is a quite lengthy blog that John has put up on the TrustedSec website with a walkthrough.
There's a lab walkthrough that is now in the Slack workspace.
There are a lot of resources and you can follow along today, if you'd like, and maybe start downloading and then go through the workshop.
So hopefully you followed the instructions on the email prompt yesterday and downloaded them.
Otherwise, we still will have this available for you to walk through on your own.
So, with that, I'll go ahead and say that our featured instructor here is Jean-François Maes.
Jean is a security researcher with the Cobalt Strike team at Fortra, helping them with new features and community engagement.
He's also a security consultant that regularly performs assessments with TrustedSec and other clients.
Here at SANS,
he teaches and is co-author of SEC699: Purple Team Tactics for Breach Prevention and Detection, and is the author of our new, very exciting, in-depth red team course, SEC565: Red Team Operations and Adversary Emulation.
So if you do have any questions, please direct those to the workshop Slack, and otherwise let's go ahead and take a
Thanks, Randall.
I feel like every single time we're doing a workshop together,
my intro gets longer and longer,
so I'm looking forward to what it's going to be like in like five years from now where it takes you like 20 minutes to announce me.
Well, once you start writing purple security 799, then we'll talk.
Yeah, there you go.
And 499 and 399.
Yeah, who knows.
Right, so thank you everyone for joining.
We have quite a lot of attendees, so that's always awesome to see.
I regularly do these workshops,
so it's always nice to see some familiar faces that keep following me around and some new faces, of course, as well.
So without further ado, as Randall already mentioned in the general channel of the SANS workshop Slack,
we have this lab walkthrough for today.
It's quite lengthy in the sense that we have a manual setup, for example.
So if you have not downloaded the 42 gigabytes of VMs, which is a lot.
It's probably the most ambitious range that we've ever put out there for a workshop,
but if you have not downloaded the VMs yet,
I think you will probably not have the capacity, unless you have fiber or something like that, to pull them all in and start with today.
So if you haven't done so yet,
don't panic, you can still follow along with the presentation, you can follow along with the walkthroughs, and it's essentially self-guided.
So I put a lot of effort in this workbook.
There's also the guiding blog post that I addressed; it's a blog that should give you all the information you need in case you want to do this all by yourself after this workshop has been concluded.
Now that being said, let me go ahead and share my screen.
And then we have the age-old question: hey, can you all see my slides?
It would be awesome if I could actually see Slack, because my Slack keeps dying on me today for some reason.
So let me bring that back real quick.
Alright.
Cool.
So I think you should all see the first slide.
That's awesome.
Before we actually kick off with the lecture, something to mention.
So essentially, this is a workshop that has a lot of VMs.
The reason for that is because unfortunately,
due to the nature of the workshop,
which is NTLM relaying,
it doesn't play well with the cloud,
which is why we opted to give you a pre-built range, and that's also why it's quite large.
Now, the reason why I have taken the VirtualBox approach and not something else like VMware, for example, is because from my testing experience with both VMware and
VirtualBox, VirtualBox seemed the nicest with broadcast traffic.
So that is why I opted into putting VirtualBox in there instead of VMware.
So that being said, I think that we do have a facilitator here as well, so direct all your questions in the help channel.
The discuss channel is more for generic questions with regards to what I'm saying, not really tech support for the workshop.
If you need tech support related questions, please direct them to the help channel.
Alright, with that being said, let's dive into the presentation.
So NTLM Relaying 101: how to make your internal pentest pop, a.k.a. how internal pentesters compromise your domain.
So some practical information, we already went through this, we got the workbook link that was posted in the general.
In the registration page, you should also have the range, so the VMs that you can download.
And then the reference blog post is on the TrustedSec website, "A Comprehensive Guide on Relaying Anno 2022".
The slides will be made available after this webcast as well.
So you will have these references and this slide deck at your disposal after the workshop has been concluded as well.
Now, what is this workshop for, or who was this workshop designed for?
If you think that this workshop is going to be all about some new leet advanced TTPs,
then I'm sorry to burst your bubble, it really isn't that.
This workshop is really designed for internal pen tests.
So there's not really going to be a focus on any red teaming shenanigans here.
I know I know I know I'm one of the authors of the red teaming course and the purple teaming course.
But this is really a basic workshop on how you can compromise domains from the inside.
It's a technique that has been around since, I think, well, pretty much forever.
I got into the NTLM relaying space by reading a blog post by Marcello, a.k.a. byt3bl33d3r, all the way back in 2017.
And guess what, all the techniques that were posted in 2017 still pretty much work today.
Okay, yes, some tools got upgraded, some command line parameters got switched around, but essentially the same techniques still work today.
Now, this workshop does not really care about any stealth, so we don't really care about detection.
NTLM relaying is very much a jackhammer approach.
It's not really designed to be surgical or to be stealth.
And as I mentioned already, this is not a red teaming workshop.
This is really intended for beginning pen testers or pen testers that are somewhat familiar with it, but won't.
People that are blue teamers, for example, that want to know how internal pentesters or malicious insiders could compromise their domains.
That's really the key audience here.
I see a question on Slack, so let me quickly reply to that one.
It's in a DM that says, Hey, is this workshop already started?
Well, yes, obviously for the people that can hear me.
of course it's already started, but this person apparently doesn't have the link yet, so let me reply to that real quick.
Alright, with that said, let's dive into the agenda of today.
the lab, right?
We're also going to talk about the classic internal pentest scenario, why we should care about relaying, a brief look at NTLM,
then broadcast traffic,
why broadcast traffic in our case is the best kind of traffic,
why relaying is still successful,
we're going to learn how to respond to all the things,
talk a bit more about some specific RPC calls and IPv6,
and then some relay options and gotchas,
then followed if we still have time with some Q&A,
but again, that's going to depend on how fast we blast through all these exercises.
So, once again for the people that just joined us now, we are using Slack for Q&A, we have the help channel for any technical supports, and we got the discuss channel for any comments
you want to address to me during my presentation.
I'll be monitoring the discuss channel primarily, and once the exercises start, I'll hop over to help to see if I can help out.
Now, quite a simple setup with regards to the lab, we have one domain.
The domain is called ntlmrange.local.
In this domain,
we essentially have three computers,
three endpoints,
one domain controller,
one file server and one victim server.
Now, if you would ever set this up by yourself, you could set this up with any Windows Server operating system.
For the DC, the file server and the victim, you could legitimately use any Windows operating system that you want.
Just to make it simple for this range, I've opted to go for Windows servers, licensing issues and whatnot as well.
So Windows servers all the way.
And these techniques work on all Windows servers.
So... even the latest ones are still vulnerable to NTLM relay attacks.
Then we also have an attacker control machine that one is, of course, not domain joined.
So that kind of lives separated from the rest that could be any Linux distribution that you want.
Specifically, I recommend Linux; you could also do Mac, could even do Windows, but backwards compatibility and just Responder in general doesn't play all too well with Windows.
It does quite okay with Mac, but the best support that you can have is definitely on a Linux distribution.
So hopefully that all makes sense.
Then configuration, so how did I build this lab?
Well, I used some sick machine learning, blockchain, infrastructure as code, dockerized server environments.
Well, actually, no, I'm just kidding.
Since relaying doesn't really play well in the clouds, we are going to use our local computer to run the lab.
The VMs can be downloaded, but you can set them up yourself as well.
As I already mentioned in the workbook,
we have a full chapter with a detailed walkthrough and how you can set up your own active directory.
domain join new machines, how you could set up your networking stack, and how to do that
all without having to download 41 gigabytes of VMs.
Now I did see some questions arise in help before I switched it on to discuss.
I saw one of the questions was, hey, what if my laptop isn't strong enough?
Could I potentially run a few VMs on laptop one and then a few VMs on laptop two.
The answer to that question is potentially,
yes, I haven't tried it myself yet, but you would have to change the way that the virtual networking is addressed.
So right now I've set up all the VMs to use an internal network in the 10.0.0.0/24 range.
But of course, if you're going to switch that around, if you're going to break up the VMs in two,
Then the internal networking will not work anymore.
So we'd have to start bridging your VMs instead.
And then of course, once you bridge your VMs, you might run man-in-the-middle attacks on your entire home network.
So you might want to set up some static IP addresses there
and limit yourself to a range that is outside of the range that you're using for your home appliances.
Then another question that I've seen pop up is how can I change my keyboard layout while on Windows?
That's very easy actually.
There's just a switch button.
If you go to Machine, Input, there's a switch button here to change from the Belgian keyboard to the English keyboard.
I apologize,
by the way,
I should have probably got rid of the Belgian keyboard layouts, but when I was building the lab environment, I was using my laptop.
My laptop, unfortunately, has an AZERTY keyboard, so a Belgian layout.
And the desktop I'm on right now has a layout, so I did forget to change that layout back to US only.
So that is why there are two layouts currently available.
But people that are joining me from Belgium might be thankful; if they are using AZERTY keyboards,
they will be able to just roll into the lab without any issues.
Now, if you are doing this by yourself, right?
So you didn't download the 41 gigabytes of VMs, then you will have to do some setups.
Here are some pointers.
First of all, make sure that your VMs are in the same subnet and can ping each other.
This sounds very trivial, but I know that this is actually sometimes hard if you forget about this.
So just as a reminder, make sure that they are in the same subnet and can ping each other.
Something that is actually, I think, not on the slides is I recommend setting all the firewalls to off.
Of course, that's not best practice, but this is a lab environment.
So I would recommend you to disable the host-based firewalls on the Windows operating systems, just to make sure traffic flows through as intended.
Make sure your domain controller can still reach the internet.
That's not really required anymore.
Of course,
if you're doing the initial setup and you want to download some tools on there or some scripts,
then yes, you would probably be best in having your domain controller still been able to reach the internet.
But once everything is set up, you can just remove that internet connection as it won't be needed anymore.
And then when joining the other VMs into the domain,
do not use a secondary DNS,
only set the DNS to the domain controller IP address,
because if you're setting a secondary DNS,
you might fall back to the secondary one and you will not be able to join the domain that way.
So if you're joining the domain,
only set your primary DNS server to your domain controller,
leave everything else as is so you will have the highest possibility to actually join the domain.
Right, now.
Question, right?
This is why the workshop is here.
So imagine the following scenario.
Okay, you have been tasked to assess the internal security posture of insert company here.
I chose tag with the farms.
In this case, in order to perform this assessment, ntlmlab.local has granted you permission to
pentest on site as if you were a malicious insider, or it allows you to place an attacker-controlled
device in the network with secure remote access.
Now, question to the class would be what would you do, right?
And of course, this is an online setup.
So a bit hard for you guys and girls to answer me right now.
So I will give you the answer myself.
And that is the following.
We are going to walk through what is referred to often as the unified kill chain.
And to an extent, the MITRE ATT&CK framework.
The first step in both the attack framework and the unified kill chain is reconnaissance.
So what are we going to do as a first step?
Well, we are going to do reconnaissance.
Now, if you want to do reconnaissance from an Active Directory perspective, you will have to use LDAP.
LDAP is the protocol that is used to query Active Directory and return Active Directory objects, right?
So computers, users, group policies, stuff like that.
That's all going to get queried over LDAP.
The problem with LDAP though, is that by default it does require you to authenticate,
in a Windows context at least.
So if you are very lucky and your environment is still running outdated domain controllers or outdated LDAP servers,
then you could be very lucky and you could do what is often referred to as a null bind,
also known as anonymous read access,
which allows you to authenticate or to bind with the LDAP server without supplying If you're lucky,
you'll be able to do that and then you'll be able to query active directory directly.
The problem is though that's usually disabled, and if you don't have credentials, then you can't really do reconnaissance.
Sometimes, again, if you're lucky, that can be, quote unquote, bypassed if they are using
predictable naming conventions,
for example,
very short usernames,
like AA,
and then some numbers are,
for example, the first letter of their first name, the first letter of their last name, and their joint date or their birth year.
Those are all naming conventions that I've seen throughout my engagement.
If you see those kind of naming conventions, it gets rather trivial to get a word list of potential valid usernames.
And you could start a password spraying.
That way you could, for example, compromise a user with weak credentials and then use that user to authenticate and perform reconnaissance.
But what if you don't have such luck?
So if you don't have null bind authentication, and what if they are not using some very obvious, easy-to-guess naming convention?
Are you then lost?
Well, no, you are not.
What can we do?
Well, we could start listening on the wire.
But before we start listening on the wire, we first need to learn about the authentication methods in Active Directory.
Now, Active Directory, we have two ways essentially to perform authentication.
First one is Kerberos.
Kerberos is quite complex and it requires, it essentially relies on tickets, which is not something that we are going to focus on today.
The focus of this workshop is going to be the secondary authentication mechanism in Active Directory, which is all about NTLM.
So NTLM,
for the people that are unaware what NTLM is,
NTLM is a challenge response,
authentication mechanism,
where essentially if you want to authenticate to somewhere,
you are going to have to solve a quote unquote puzzle, which normally only you should know the answer.
Then, of course, that answer is going to get validated by a party that knows all the answers.
In this case, the domain controller and the domain controller will validate whether or not the response that you've given to the puzzle is correct.
And so you are indeed who you say you are.
If that is the case, you will get authentication, access; if not, that's it, access is denied.
So I see a question on Slack: are the slides already available?
No slides are not available yet.
They will be made available after the workshop has been concluded.
So, what is interesting about this authentication mechanism? Well, it's a challenge response mechanism, which means that if we are nefarious, if we are able to intercept these challenges and these responses being sent over the
wire, we could essentially start man-in-the-middling.
Now, what does this mean?
Well, we are going to inject ourselves into the same network as potential workstations of interest, right?
So that is a requirement.
You are going to have to be on the same network.
Now, what we can do then is we can start listening for authentication requests over the wire; we're going to take a look at some of these authentication requests later on.
Essentially, we're going to abuse broadcast messages.
But essentially, if we can see broadcasts over the wire, we could intercept the challenge and respond.
And we can fool the client into thinking that we are the targets and we can fool the target into thinking we are the clients,
because we are going to act like a quote unquote proxy, we're just going to forward the challenges and responses to the appropriate party.
And we're just going to piggyback on that authentication mechanism, because we are just playing a proxy and playing a pass through game.
We, of course, are going to intercept the correct solution to the puzzle,
and we will be able to fool people into thinking that we are the client when in reality, of course, we are an attacker.
I hope that all makes sense.
And the reason why this works is because in NTLM authentication,
specifically in this case SMB, for example, there's a check response that is actually not being validated by default.
So by default SMB signing is not enabled, is not turned on, which means that there's no handling of potential...
There's no validation.
There's no integrity check.
That was the word I was looking for.
There's no integrity check.
So essentially,
the message could be tampered with and there's no mechanism to validate whether or not the message is coming from the original sender or the original receiver if SMB signing is not enabled.
Of course, that changes when SMB signing is enabled.
We're going to talk about some mitigations at the end of the workshop.
So, alright, SMB signing would be a nice one to prevent this kind of attack from happening.
And there are some other protocols as well,
like LDAP,
LDAPS, HTTP, that we could potentially relay NTLM authentication to, and based on their security settings, which we are going
to talk about later, we will be able to successfully man in the middle those authentication requests or not.
All right.
So, that's essentially what I just said.
We got authentication and session.
And as I already mentioned,
if SMB signing is not enabled,
we will be able to hijack the session, keep it open and piggyback on that session to perform malicious actions on behalf of the client.
Now broadcast traffic in our scenario is the best kind of traffic.
The reason for that is because if we see broadcast traffic,
that means it's going to get sent over the entire subnet,
we could potentially poison that broadcast traffic into thinking that we are a potential target or we are potential clients,
and we will be able to then force people to authenticate to us while in reality they want to authenticate to something else.
Now, what is broadcast traffic, or what kind of broadcast traffic are we interested in?
Well, there are two important protocols that we are interested in from an attacker perspective when we are talking about NTLM relay.
The first protocol is called LLMNR,
link local multicast name resolution, and NBT-NS, which is NetBIOS something, something, and essentially they are fallback mechanisms for DNS.
So essentially,
when you are trying to authenticate to something, you are going to go most of the time over a fully qualified domain name, because people are not computers.
They're not as good at remembering numbers as they are at remembering names.
So oftentimes, about 99.9% of the time, people will authenticate to systems over a name or a URL instead of going over an IP address.
Now, if you're going over a name, then something in the middle
will of course be responsible for translating that name into an actual address, because otherwise the packets don't have a destination,
don't have a route to actually go to.
So there is a thing that will translate names into IP addresses,
this is called DNS, but what if DNS doesn't have a valid response for your query?
What if you're trying to browse to something, a share or a website or whatever and it's not part of the DNS record?
Well, then if legacy protocols are still enabled in the environment, there is a fallback mechanism, and that fallback mechanism is essentially going to dictate:
Hey, if DNS doesn't know the answer to my query, I'm just going to send out a broadcast message over the entire subnet.
And I'm going to ask, Hey, does anyone know what this specific name is?
Can anyone tell me where I have to go?
If something then answers to that message, to that query, to that broadcast,
then the system will think that the instance that responded to that query, the person, the server, the instance that responded to that query, is indeed that specific instance that they are looking for, and the authentication request will be forwarded to that specific server, workstation, person that responded to that message.
Now, how do we actually do this from an adversarial point of view?
How do we actually get in there?
Well, we can get in there.
We can respond to that traffic through tooling, and one of the most famous tools out there is called Responder.
Responder does exactly what you think it does, it responds; it essentially just monitors the network for broadcast traffic and it's going to poison that broadcast traffic by responding to all the queries on that broadcast traffic.
So if someone says, hey, I need to find never.local,
we are going to say, using Responder: hey, we are never.local.
If someone asks, hey, can anyone give me the address of gonna.local?
We're going to say, yeah, we are gonna, we are gonna.local.
give.local? Yes, we are give.local.
you.local? Yes, we are you.local.
up? Yes, we are up.
So essentially anything that passes through the wire, we're going to respond to.
And of course, a nice little Easter egg there, Rick Astley, of course.
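A defender-side check that turns the Responder behaviour above around, added here as an example and not part of the workshop or its lab files: ask the subnet over LLMNR (RFC 4795, multicast 224.0.0.252:5355) for a random name that cannot exist, and treat any answer as evidence of a poisoner, with the answering source IP as the suspect. The name nx-deadbeef and the answer 10.0.0.99 are constructed sample data for the offline demonstration.

```python
# Honey-name LLMNR probe (added example; not from the workshop materials).
# A clean subnet never answers a query for a non-existent name; Responder answers all of them.
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # "this is a response" bit in the LLMNR/DNS header flags


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte + label per part, zero-terminated."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """One LLMNR A-record query: 12-byte header, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_response(buf: bytes, txid: int, name: str) -> list:
    """Return the A-record IPs if buf is an answer to our query for name, else []."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
        if rid != txid or not flags & FLAG_QR or an == 0:
            return []
        off = 12
        for _ in range(qd):  # the answer echoes our question; make sure it is ours
            qname, off = decode_name(buf, off)
            off += 4  # skip QTYPE and QCLASS
            if qname.lower() != name.lower():
                return []
        ips = []
        for _ in range(an):
            _, off = decode_name(buf, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            rdata = buf[off:off + rdlen]
            off += rdlen
            if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
                ips.append(socket.inet_ntoa(rdata))
        return ips
    except (struct.error, IndexError, UnicodeDecodeError):
        return []  # truncated or malformed datagram: not a usable answer


def make_sample_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed sample of a poisoner's reply: same id, QR set, question echoed,
    one A record (name compressed to a pointer at offset 12) pointing at the poisoner."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    return header + question + answer + socket.inet_aton(ip)


def probe(name=None, timeout: float = 2.0) -> list:
    """Live check: query a random non-existent name, return [(source_ip, answers)].
    An empty list is the healthy result; anything else is a name-resolution poisoner."""
    name = name or "nx-" + os.urandom(4).hex()  # random, so nothing has it cached
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(1024)
            ips = parse_response(data, txid, name)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    # Offline demonstration on constructed bytes; call probe() on a lab subnet for a live check.
    sample = make_sample_response(0x1234, "nx-deadbeef", "10.0.0.99")
    print("poisoner-style answer parses as:", parse_response(sample, 0x1234, "nx-deadbeef"))
    print("our own query is not an answer:", parse_response(build_query("nx-deadbeef", 0x1234), 0x1234, "nx-deadbeef"))
```

Run `probe()` from a host on the lab's 10.0.0.0/24 network while Responder is up and the attacker VM shows up as the answering source; run it again with Responder stopped and the list is empty.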
So I see a question in the discuss channel, photobias.
That's more of a technical question.
So please refer to the help channel for that.
If you have any questions with regards to the lecture, then please put it in the discuss.
If it's technical, please go to the help channel,
but to give an answer to your question: the local credentials, you don't actually need them, you could just use the domain admin credentials.
So, NTLMLab, dash, domain admin, QWERTY123, which is going to allow you to get access to that machine, and then you could use
your domain admin access to change the local administrator password if you really choose to do so.
All right, now what if there is no broadcast traffic?
So what if the organization,
already for example had a penetration test before and got compromised by these legacy protocols and they did their due diligence and they disabled the broadcast traffic.
What can we do now?
Are we stuck?
The answer is yes, we are stuck.
Or at least we were stuck until some very smart researchers published some nifty tricks.
One of the tricks is using,
well, actually two of the tricks are using RPC calls, so RPC stands for remote process communication, and essentially there are two RPC calls that we can abuse.
Actually, there are more of them, but two primarily, primarily abused ones.
One is responsible for printing.
So a print RPC call.
The other one is used for file encryption.
So a file encryption RPC call.
There are two tools that are commonly used for coercion over RPC.
One is called SpoolSample or PrinterBug, depending on whether or not you're using it from a Windows environment or a Linux environment.
The second one is called PetitPotam, and PetitPotam is the same naming convention both on Windows as on Linux, so those are the two.
And the cool thing about PetitPotam,
and that's not really on the slides,
as far as I know,
is when PetitPotam came out,
it was, the research was published, I think, one year ago now, so 2021, could be 2020, but I think it's 2021.
The cool thing about PetitPotam was that when it first came out,
you were actually able to send that RPC call from a completely unauthenticated point.
Which means that you didn't even need any valid credentials to send out this RPC call and to force someone to authenticate to you.
This was extremely overpowered from a pen testing perspective and essentially internal pen testing.
Teams had a field day with this.
We were able to compromise domains very, very fast, from no foothold to domain admin.
It was awesome from a pen test point of view, right?
Obviously, not awesome if you're an organization or a blue team.
So Microsoft patched that quite fast.
And fortunately, they didn't patch it completely.
What they did is they patched the unauthenticated call.
So you can still make the call, but this time you need to have valid credentials.
Now, why do I say this?
Why is this relevant?
Well, because the research is still only quote unquote one or
This means that you will likely face environments that still have systems that are vulnerable to this unauthenticated RPC call,
which is going to be very advantageous for you from an internal pen tester point of view,
as you can then leverage those RPC calls to perform, hopefully, fingers crossed, relay to other systems and further establish footholds or obtain objectives that way.
I hope that all makes sense.
Feel free to interrupt me by posting something in the discuss channel, as currently I am monitoring that channel.
I will switch over once again to the help channel once we start doing the exercise.
Now, that was my rambling about RPC, but there is another trick up our sleeves.
So even if RPC is properly secured and we can't make any unauthenticated RPC calls,
we don't have any credentials yet, then we can still leverage one more trick up our sleeve, and that is IPv6.
So Microsoft decided to be very smart.
Not really though.
What they did is they shipped Windows out of the box with IPv6 enabled.
So your NIC adapter on your computer by default has IPv6 enabled.
That is the same on your home computers as on your corporate environment as well.
Now, if you don't use IPv6 internally, then there is actually no problem, right?
Because even if you are configured to receive IPv6 addresses,
there's no DHCPv6 server in your environment, so you're never going to get assigned an IPv6 address.
So essentially, there's not really a problem.
There's no impact on day-to-day operations until there is.
Because IPv6 takes precedence over IPv4.
What do I mean by that?
Well, if your DHCP server gives you an IPv6 address and your DHCP server gives you an IPv4 address,
your IPv6 address is going to win from your IPv4 address to any system that supports IPv6 authentication.
And the cool thing about DHCP is you could also set a DNS server.
You could also specify a DNS server.
So essentially we could send out poisoned IPv6 addresses and tell everyone in the environment, hey, by the way, we are now your DNS server,
which essentially means that we can compromise or we can coerce anyone that is using DNS in our environment to authenticate to us,
as we could essentially say, hey, we are everything.
Now, does this have user impact?
Yes and no,
you would not want to run this mitm6 tool for very long, as indeed it could potentially have user impact.
However, if you do short bursts,
so, for example, running mitm6 for 30 seconds or a minute, then turning it off again, doing it again, turning it off again, then user impact is somewhat limited.
And even if the user would be impacted, if they would reboot their workstation, you are going to clean the lease.
So there would be no trace left over of your IPv6 poisoning attack.
Now, I see some questions.
Can you give the links to the tools you mentioned?
Yes.
You could also Google them, but I will give you the links to the tools.
Currently, I'm, of course, doing the lecture, so I can't really open up a browser and send them right now.
But once you are doing the exercises, I will take some time and post the links in the discuss channel.
So I'll put them in the discuss channel.
All right.
Now, relay options and gotchas.
So I already mentioned SMB relaying somewhat swiftly, so SMB will be one of the protocols that we could potentially abuse.
Now, as I already mentioned or alluded to, SMB signing by default is turned off.
Well, it's not always turned off.
So SMB signing will by default be turned on on the domain controllers,
but on other servers or workstations SMB signing will by default be turned off.
If SMB signing is turned off,
that means that we will be able to intercept authentication requests and relay them to other servers,
other systems that have SMB signing turned off,
and we will be able to authenticate on behalf of the user that we poisoned to those systems.
So if that user has elevated privileges on one of those systems or multiple of those systems,
we will be able to leverage those credentials, that access, to then compromise those systems.
Now SMB is one of them.
So SMB to SMB is a protocol that can be relayed to and works, but of course there is also the concept of cross protocol.
For example, imagine that we intercept an SMB authentication, and we want to relay that SMB authentication to LDAP or LDAPS.
Now, the problem is that that is typically not going to work, as LDAP requires signing.
In 2019, there was a vulnerability that essentially allowed you to drop the message integrity check.
So that message integrity that essentially is okay.
This message has not been modified in transit.
There was an exploit that allowed you to drop that integrity check.
So then it could be used for cross protocol relaying.
Unfortunately or fortunately,
depending on where you are, red or blue,
this has been patched. So SMB signing turned on and not vulnerable to that exploit of 2019 means that you won't be able
to forward SMB authentication to the LDAP protocol.
However, if we somehow are able to capture NTLM over HTTP,
we will be able to capture that NTLM response and forward that to the LDAP protocol, and HTTP to LDAP is one of the cross protocol relays that actually works.
There's a very nice blog post that I had saved somewhere.
Yes, there's a very nice blog post and reference image I'm going to post right now in the discuss channel that shows you all the cross protocol NTLM relay options.
I'll also post the source.
This is an excellent reference for anyone who ever wants to laterally move using SMB or using NTLM.
It's an excellent blog post that I highly recommend, and that will show you which protocols are able to relay to which other protocols.
Now, John asks a question, can I NTLM relay back to the same source server machine?
Excellent question, John.
The answer to that question is you used to be able to do so, but that was long, long, long ago.
So self-relaying used to be a thing, but that's not a thing anymore.
So no, you will not be able to use NTLM relaying to authenticate towards yourself.
That would have been awesome, right?
That would be a very nice local privilege escalation, for example.
And fortunately, that doesn't work anymore, as we will also see when we are going to dive into the exercises.
So, without further ado, let's actually get our hands dirty, right, and the first exercise is very easy.
Just listen.
So option one will be just listen.
And essentially, what we are going to do is we are going to start our environment.
We're going to start up our Linux distribution, our attacker machine.
We're going to start Responder in analysis mode, so we're not going to poison anything yet.
In this particular instance, we are only interested to see if there is actually broadcast traffic ongoing in the domain, in the environment.
Of course, if there is no broadcast traffic, then NTLM relaying attacks using poisoning are not going to work.
So the first step in your engagement should always be analyzing the environment,
doing your reconnaissance, so responder and analysis mode will be our first option.
Now, this is not a very complex exercise, so I don't estimate that this is going to take you very long.
Now, I do know that this is the first exercise, so there might be some problems with people trying to spin up the
environments, trying to authenticate, etc, etc.
So in order for me to actually have a look in the help channel,
see if I need to help somewhere or with someone, I'm going to give you about 15 to 20 minutes for this exercise.
So I'll check back in at 15, see where everyone's at and of course if you need more time.
Then we will see based on how far we get,
I will either grant it to you or I will not because again this is self guided so you will be able to complete these exercises even after this workshop is officially done.
So without further ado,
go ahead and start with exercise one attack one which is listening,
which you will be able to find in that workbook that was posted in the chat.
So, essentially, when you go to that URL, you will see attack zero, which is listening,
and it has a detailed walkthrough of what you can do, and it's ultimately going to end with capturing an NTLMv2 hash.
So I'm going to go off microphone for about 15 minutes,
check in the help channel if I need to help out with someone, and I'll check back in with you guys in about 15.
Yeah, I see that some people have issues with the attacker machine.
Again, apologies, I should have changed it back to the US, but you guys are hackers, you should be able to figure it out how to change keyboard layouts.
I see that Diego posted a nice little...
screenshots there on how you could get an on-screen keyboard to fill in QWERTY.
After you have logged in though, you should actually land to a QWERTY keyboard layout.
So I don't know why it's not there.
Re-log in, because if you manage to get past the authentication screen, you'll actually land with a QWERTY layout.
But I did see someone mention a command that you could use.
So a shout out to Dan Lee Felton, I hope I pronounced that correctly.
I'm going to post it again, because he posted it as a reply to someone.
But essentially,
if you run this command,
then the next time you log out,
you'll be able to log back in without having to do the on-screen keyboard shenanigans, as that should fix your issue with the QWERTY to AZERTY.
So for those of you who want a bit more of an interactive walkthrough, of course, feel free to do this on your own pace.
I hope that everyone can now actually see my screen.
Could anyone confirm that they are seeing my VM and not just the slides?
Okay, cool.
Thanks.
So essentially what I'm going to do here is I'm going to type ip a.
The reason why I want to do that is because I want to find out the name of my
interface, as it's always different based on Linux distributions.
So here I have enp0s3, I think; because you're all using my VMs, it should also be enp0s3, but it could potentially be something else.
So you could check it with ip a, for example.
Then all the tools should be installed in the workshop directory.
So I'm going to go in there.
I'm going to ls, and indeed I see that we have a folder called Responder.
So then I can do python3 Responder.py -I,
which is the switch for the interface, then specify the interface, and then -A; -A stands for analyze.
So once I do that, I can start my Responder; it's probably going to say, hey, you dummy, you need root.
So if you ever need to repeat a command and you are too lazy to type it in,
you could do sudo !!.
That's automatically going to use your last command,
but this time with sudo privileges.
The password for this user is Qwerty123 with a capital Q,
I know, very secure,
and now we have Responder in analysis mode. So it says,
hey, Responder is in analyze mode, no NBT-NS, LLMNR or mDNS requests will be poisoned.
And essentially, because my machines have been running already for quite a while, we're not going to see any traffic hit right away.
So I'm going to give it a nudge by connecting
to one of the machines, which will happen off-screen, because I'm using my second screen, ha ha.
There we go.
And now if I start generating some traffic, there we go.
We see
that NBT-NS is going to get filled in,
and we also leak the internal DNS name, so we leak that the domain is actually NTLMLab.
Remember that this machine is not domain joined, and we currently don't have any credentials inside.
So just by being on the same subnet as those domain-joined machines and listening to broadcast traffic,
we essentially obtained a valuable piece of information.
First of all, we got an IP address.
So 10.0.0.1, we got a host name even.
In this case, the host name is victim.
And we got the short name for the domain, which is NTLMLab.
So even just listening is already going to give us some valuable insights.
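As an added example (not from the workshop, from Responder, or from the speaker's lab), here is a small Python decoder for the NBT-NS name queries that Responder's analyze mode is listening to. The packet is constructed inside the code, and the host and domain names in it are made up for the demo. It shows what a single broadcast gives away: the NetBIOS name being looked for and the service suffix, for instance that a client is searching for the domain controllers of NTLMLAB.

```python
# Added example, not part of the workshop materials: decode an NBT-NS
# (NetBIOS Name Service, UDP/137) name query. This is the broadcast that
# Responder's analyze mode logs, and that a defender can baseline on a segment.
import struct

# NetBIOS suffix byte -> what the client is looking for (RFC 1001/1002, Microsoft usage).
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server service",
}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes with spaces,
    append the suffix byte, then emit each nibble as 'A' + nibble (32 bytes)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("an encoded NetBIOS name is exactly 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: a broadcast NB name query (flags = RD + B, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def parse_nbns_query(pkt: bytes) -> dict:
    """Pull the fields a listener cares about out of a single-question NBT-NS packet."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount != 1 or len(pkt) < 50 or pkt[12] != 0x20:
        raise ValueError("not a single-question NBT-NS name packet")
    name, suffix = decode_netbios_name(pkt[13:45])
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    return {
        "txid": txid,
        "is_query": not (flags & 0x8000),      # R bit clear = query, set = response
        "broadcast": bool(flags & 0x0010),     # B bit: sent to the subnet broadcast
        "name": name,
        "suffix": suffix,
        "service": SUFFIXES.get(suffix, "unknown"),
        "nb_record": qtype == 0x0020 and qclass == 0x0001,
    }


if __name__ == "__main__":
    # Constructed traffic: a client asking the subnet where NTLMLAB's domain controllers are.
    for name, suffix in (("NTLMLAB", 0x1C), ("FILESRV", 0x20)):
        info = parse_nbns_query(build_nbns_query(name, suffix))
        print(f"{info['name']}<{info['suffix']:02X}> -> {info['service']} (broadcast={info['broadcast']})")
```

A query for a <1C> name tells a passive listener the short domain name and that the sender is a domain member looking for a DC, which is exactly the kind of leak the lecture describes; on the blue side the same decoder, fed from a packet capture on UDP/137, gives you the list of hosts still falling back to NetBIOS name resolution.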
Now, another thing that I would recommend you do, this is a pro tip.
If you have an internal pen test, for example, and your internal pen test starts on Monday, which is typical,
if you have the option or the capability to already drop your device or your laptop on site on Friday,
I would recommend you to drop the device on Friday and already start monitoring the network.
The reason for that is because if the environment that you're pen testing is running some kind of
scheduled task or some kind of management tool or infrastructure tool,
there is a chance that one of the accounts is going to directly try to authenticate to you.
And we can actually mimic that in our lab ourselves.
So if we would open up a file browser and specify the IP address,
we don't even need to press enter,
which is very interesting; we only type in this, we don't even press enter, and we actually see a hash flying in on our Responder.
This is an NTLMv2 hash,
and unfortunately,
this NTLMv2 hash cannot just be reused in a pass-the-hash attack,
for example, and because we have not specified or not configured a relay yet, this is essentially somewhat useless to us.
However, this user, in this case victim, has a weak password, which in this case we know it has, right?
It's QWERTY123.
We could actually take this NTLMv2 hash and try to brute force it,
for example, in hashcat or John the Ripper with a word list.
If you're able to brute force this hash,
we will have the plain text credentials of that user, and then we already have authenticated access before the pen test even starts.
It is not uncommon.
I repeat, it is not uncommon that I have had elevated accounts authenticate to me over the weekend.
Not necessarily domain admins, sometimes they are domain admins, but sometimes they would be at least local admin on one or several systems.
So that is why pro tip, if you have the capability to do so, drop your device already on Friday before the weekend.
As usually the weekend is the patch management window or the inventory window or whatever maintenance window.
So you have a very high chance, if there is some automated tool crawling the network, to actually intercept that hash even before your engagement starts,
which is something you might actually disregard or might actually not pick up on if your pen test is only one week long, starts on Monday and ends on Friday.
Well, if that patch window is in the weekend, you'd actually miss that entire patch window if you only plug in on Monday, right?
So you would not have seen that vulnerability or misconfiguration in that weekend window.
So again, if you have the option to plug in your attacker control station in the environment
over the weekend, please do so.
All right, so I think that's probably about 15 minutes.
I keep a very close eye on my time.
So where is everyone in the lab?
Let me check the help channel.
So I see we can, yep, the Windows server also switched back.
Yeah, nice, Virus gave a nice command there as well.
What was the workshop directory, location or workshop?
All right.
What is this screenshot?
That's a kernel panic.
That's a that's a juicy one.
I think that might be one of your VirtualBox installations that is too old or too new, right?
So I see tk has a question: does Responder work through a NAT connection?
The answer is no, it's not going to work through a NAT connection.
How would you plug in your Kali attacker VM to a customer infrastructure for an internal pen test, do you ask for a VPN file?
Typically, NTLM relays are not going to work over VPN.
Your mileage may vary.
Sometimes it will, depending on how the VPN is configured.
But oftentimes, VPNs are going to drop broadcast traffic.
So it could be that that's not going to be an option for you.
So what I usually do, or how the companies that I previously used to work at do it, is they go on site and they plug in a physical laptop or they ship a VM image,
Kali Linux,
for example,
or Ubuntu,
or sense-thingshots distribution,
and they give that to the client and tell them to deploy it with a reverse SSH access that we can
control then from our home or from our main office.
I hope that makes sense.
How was the NTLM V2 hash grab by responder when you didn't even press enter on the keyboard?
Well, minion, that is how Windows works.
So it has this kind of intelligence, right?
Like, if you're doing a Google search and it does the autocomplete.
That's just how it is designed.
So it tries to already find the end points on the network before you even hit enter to reduce latency, right?
It tries to be fast for you.
And that is how that works.
So you don't even need to press enter.
It already tries to do the lookup for you.
And by then it's too late, you respond to it and you capture the hash.
So I hope that all makes sense.
Let us take a look at the first attack, which I like to call taking a dump, right?
So for this one, it's probably going to take you again about 10 minutes, I would say, taking a dump.
And essentially what we're going to do here is we are going to identify the targets first.
We want to have a successful relay.
I mentioned that cross protocol relay could potentially be blocked if there are some security measures in place,
for example, LDAP signing, channel binding or SMB signing.
So what we want to do as a first step is initialize some reconnaissance, do some initial
footprinting, and find out if there are servers or workstations in the environment that are vulnerable to an SMB relay attack,
aka a workstation or a server that does not have SMB signing enabled.
A tool that we could use to identify these targets is called CrackMapExec, or CME for short, and CME takes the smb parameter,
the subnet that you want to scan, --gen-relay-list, and then a location where you want to save the relay list.
It's then going to crawl the network.
It's going to try and probe the open SMB ports and find out whether or not SMB signing is enabled.
If SMB signing is not enabled, it's going to save the IP address in a target file, which we can then use in our relay.
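What a relay-list generator actually inspects is the SecurityMode field of each host's SMB2 NEGOTIATE response. As an added example (not CrackMapExec's or Impacket's code, and not part of the workshop files), the Python below constructs two such responses and classifies them the way --gen-relay-list or a signing audit would; the host labels are made up, and the bytes never touch the network.

```python
# Added example, not part of the workshop materials or CrackMapExec: decide
# from an SMB2 NEGOTIATE response whether a host requires signing. Hosts where
# signing is merely enabled (the SMB2 default everywhere except DCs) are the
# ones a relay-list generator keeps and a signing audit should flag.
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response: 64-byte header plus the 65-byte body
    (MS-SMB2 2.2.4) with an empty security buffer."""
    header = (SMB2_MAGIC
              + struct.pack("<HHIHHII", 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0)
              + struct.pack("<QIIQ", 0, 0, 0, 0)   # MessageId, Reserved, TreeId, SessionId
              + bytes(16))                          # Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)     # StructureSize, SecurityMode, Dialect, ContextCount
            + uuid.UUID(int=0).bytes                                  # ServerGuid (constructed)
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, MaxTransact/Read/Write
            + struct.pack("<QQ", 0, 0)                               # SystemTime, ServerStartTime
            + struct.pack("<HHI", SMB2_HEADER_LEN + 64, 0, 0)        # SecurityBufferOffset/Length, ContextOffset
            + b"\x00")                                               # Buffer (empty)
    return header + body


def parse_negotiate_response(pkt: bytes) -> dict:
    """Read the dialect and the two signing bits out of a NEGOTIATE response."""
    if pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    size, mode, dialect = struct.unpack_from("<HHH", pkt, SMB2_HEADER_LEN)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response body size")
    return {
        "dialect": dialect,
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": bool(mode & SIGNING_REQUIRED),
    }


def signing_status(pkt: bytes) -> str:
    info = parse_negotiate_response(pkt)
    if info["signing_required"]:
        return "required"
    return "enabled" if info["signing_enabled"] else "disabled"


def relay_list(responses: dict) -> list:
    """Hosts that do not require signing, i.e. what --gen-relay-list would write
    and what a defender's audit should turn into a 'sign always' GPO ticket."""
    return sorted(h for h, pkt in responses.items() if not parse_negotiate_response(pkt)["signing_required"])


# Constructed fleet: a DC (signing required by default) and a member server (enabled only).
SAMPLE_FLEET = {
    "dc01.example": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "srv01.example": build_negotiate_response(SIGNING_ENABLED),
}

if __name__ == "__main__":
    for host, pkt in SAMPLE_FLEET.items():
        print(f"{host}: SMB signing {signing_status(pkt)}")
    print("relay targets:", relay_list(SAMPLE_FLEET))
```

Against live hosts the same decision is one call away in Impacket (SMBConnection.isSigningRequired(), which is what CME builds on), so the parser above is only there to show which bit matters: "enabled" is the SMB2 default and does nothing against relaying, "required" is what stops it. On the defender's side the fix is the "Microsoft network server: Digitally sign communications (always)" policy, which sets RequireSecuritySignature under the LanmanServer parameters and flips every member server and workstation into the "required" column.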
So the relay attack that we are going to use, or the relay tool that we are going to use rather, is part of the Impacket suite.
And the tool is called ntlmrelayx.py.
Note that this should run with sudo privileges, as we are going to bind on port 445, the SMB port, which requires sudo.
Then this ntlmrelayx
tool takes a parameter.
In our case, -tf, which stands for target file.
So we are feeding it the vulnerable servers that we identified with CrackMapExec.
And then we also do -smb2support,
so we enable SMB2 support, which is the latest, well, SMB3 is the latest, but which is the most commonly used SMB protocol, so SMB2.
Once we enable that, we are now waiting for incoming connections.
And then if we get an incoming connection either directly,
right, so for example, an automated tool that tries to authenticate to us, then we will be able to relay that authentication, and we will be able to piggyback on that session.
If it's an elevated credential that we relayed, what's going to happen automatically is it's going to dump the SAM.
So the local Security Account Manager on your operating system,
on the Windows operating system,
which contains password hashes for local accounts,
also including the local administrator password hash,
which is then a hash that we could use in a subsequent attack to achieve either code execution,
or to dump the LSASS memory, which of course then holds domain-level credentials.
I hope that all makes sense.
And without further ado, go ahead and dive into exercise one,
the real exercise one, as exercise zero was just listening.
I once again estimate it's probably going to take you about 10 minutes.
If you need any help, feel free to reach out.
And I'll be monitoring that and then I'll switch back to discuss when I explain attack number two.
I see that Virus has a question,
so to touch on my last question,
after you ship your attacker VM to the customer,
to deploy,
do you ask them to whitelist it in their firewall so it can access the internet in case you want to update download tools?
Or is that usually not the case?
So yes,
typically what you want to do is you would have to either ship a physical device like a Raspberry Pi, ship them a VM,
go on site,
drop a laptop or ship a laptop, and you want to establish a reverse SSH connection, as typically you don't really need a GUI.
But even if you only have SSH, you could set up a reverse port forward to a VNC server, for example.
So you could potentially have GUI access if you wanted to.
So essentially we ask the client to, hey, please, whitelist SSH to our control node, which would, for example, be an AWS managed EC2 instance
or something that we can remote into, and then use that host to then pivot into the client's environment.
So, for the people that have kernel panics, if you change the CPUs to two instead of one, that might resolve
those issues. In case that doesn't resolve your issue, it could be that you're using a Mac. I've tested this on a Windows host,
so if you're using Windows, you should be fine; I tested it both on my desktop and my laptop and it both worked.
If you're using a Mac, it could potentially be a different story, so that's where the two CPU trick could help you out,
or Linux, yeah, that could also be a thing as well.
So on our attacker controlled machine, what you wanna do is you first want to stop Responder, as we don't need that anymore.
I already have a targets file, but just for clarity's sake, I can create a new one.
So cme smb, --gen-relay-list, jean_targets, for example; it's going to take a bit to get those systems fingerprinted.
So I get victim right away.
I get NTLM right away.
It could be that my other system, which is the server, is currently not turned on.
No, that is actually not turned on.
So that's why you only see two.
But if you have server 01 turned on as well, you should see three.
Then if you would open this targets file you only get... wait, what, why do I only get one IP? Oh yeah,
you only get one IP in this case because I only have two,
and one of them is the domain controller, and the domain controller has SMB signing enabled; that's just always the case.
As I already mentioned, in the target file, only the ones with SMB signing disabled will be present.
So that is why I only have one IP here.
But with one IP as my target, this attack is actually not going to work.
So let me boot up the server
01 as well real quick.
Okay, we already went over this.
We are going to respond to the broadcast network queries using responder.
Are we going to use RPC calls?
Are we going to use mitm6?
That's how you would do that.
Give me a few
minutes to boot up this very slow server 01. All right, so now I finally run this again.
I get three entries.
Yeah, there we go.
That was pretty fast.
So now I have two entries because, again, the DC does not count.
Then, what we want to do is we want to set up ntlmrelayx with a target file, so in our
case /home/jean/Desktop/targets, and we want to enable SMB2 support as well.
So now we are bound to SMB and to HTTP and to all these other ports as well.
And essentially what happens now is if we would
coerce authentication from our victim machine,
we are going to see that the authentication failed, because again you cannot authenticate towards yourself.
So that was one of the questions:
what happens if you try to authenticate to yourself? Well, you'll get this authentication
failed, and eventually what's going to happen is we are going to get an authentication succeeded,
and because the victim user in our case is local on the file server 01,
the default of ntlmrelayx is going to dump the SAM database,
so we do get some nice hashes here,
and one of them is, of course, the local admin hash, which we could then potentially use to compromise server 01.
Now, next thing has a question.
I thought that you should be on the same broadcast domain to spoof LLMNR or NBT-NS.
Correct.
Does mitm6 rely on broadcasts?
No, it does require the DHCPv6 requests to be sent over the wire, which is something that your computer, by default,
will do every once in a while,
to accept IPv6 addresses, which is a default.
So yes,
you could mitm6, even if you're not on the same, well, even if you're not on the same broadcast domain.
Uh, you could be on the same network behind a VPN connection; I don't know, honestly, I never
tried mitm6 over a VPN connection, so I don't know if that would work. I guess it depends if your VPN,
like if your firewall allows DHCP requests over a VPN,
which I don't think is going to be the case, as your VPN usually assigns you an IP address upon connection.
So I don't think mitm6 would work over a VPN, to be honest.
I don't think... My Slack keeps dying on me.
Let's see the help channel.
All right.
Then for the next attack, we are going to wear socks.
So essentially what we're going to do is we're going to do a variant on attack one,
but instead of just immediately dumping the SAM database, we are going to do a SOCKS.
So what we're going to do is we are going to specify an additional switch on ntlmrelayx.py,
which is going to be the socks switch.
And what this does is it's going to keep the session of our intercepted SMB connections, and then it allows us to further use those sessions over a SOCKS proxy.
Now, a caveat is that by default, the port that is being used by Impacket for SOCKS is 1080,
and your proxychains, typically when you install it, is going to point to a Tor node, I think it's port 9000 something.
So we'd have to change the proxychains configuration to point to 1080, which will be the default proxy port of Impacket.
And then when you use proxychains, you will be able to use the proxy, or the connect, the open connection that we intercepted.
One of the things here is that even if you are using proxychains, it's still going to ask you for a password.
So if you just leave the password empty, you just press enter.
It's not going to ask you for a password again, and it's going to have the built-in logic.
It's smart enough to know, okay, no password was specified,
so we're going to use the open connection that we intercepted before,
and thus we use the NTLM authentication that we intercepted
to get there.
So I highly prefer using this approach over the regular by-default SAM dump approach, because you get a nice overview if you type socks of all the connections that
are currently established.
So again, imagine the scenario where you are plugging in on a domain environment on Friday.
Well, you could use Responder in analysis mode.
Or you could also start poisoning already.
So you could start using Responder in poison mode, and then use this ntlmrelayx with the socks option.
And then come back on Monday, type socks, and potentially have a set
of keep-alive SMB connections that you can then use to your advantage later on.
So, question: indefinitely? If you're using the socks switch, yes, they will stay open indefinitely until you close down ntlmrelayx.
So essentially,
if you want to see this in action,
right, we're going to clear the SAM file; you don't have to, but I'm going to do it anyway, because sometimes I know that ntlmrelayx is going to say, hey, we already compromised that,
so we're not going to do it again.
So now I essentially use the same command, but I introduced the socks variable, right?
And what we can do now is essentially the same thing.
So on the victim machine, we are going to authenticate.
And it succeeded.
So if we now press socks, we do see one session that is alive, right?
And we could now say,
hey, we want to use secretsdump, for example, secretsdump.py, ntlmlab/victim at 10, 0, 0, then
Oh yeah,
proxychains, don't forget proxychains. There we go; we don't specify a password, and that way we will be able to piggyback on that authentication and we will be able to execute this.
Now, another thing, if you would like, for example, command execution, we could do psexec.
That doesn't work.
Why does that not work?
That's interesting.
Another one you could do is smbclient,
C$, for example, and then start browsing the file system.
So those are all things you could potentially do.
I think psexec doesn't work because there might be an antivirus running in the environment.
All right, so with those commands out of the way, the next option is authenticated recon, baby.
So what are we going to do in this one?
Let's take a look. So, enumeration over LDAP.
What we can do is we could set up ntlmrelayx,
but this time we are going to not use a target file,
but we are specifically going to set our NTLM relay to the LDAP service on the domain controller.
And essentially,
if we're going to try and authenticate over SMB,
we are going to get this very nice little error, right, that says, hey, relaying to LDAP will not work.
This usually happens when relaying from SMB to LDAP, which is exactly what we're trying to do here.
It doesn't work because LDAP requires signing.
And this is
a pretty up-to-date system, so that Drop the MIC exploit will not work.
Now, does this mean that we are stuck?
Well, actually, no, because we have two avenues to explore.
The one is WebDAV, the second one is IPv6 takeovers.
Now IPv6 takeovers I've already mentioned before, so I'm not going to talk about it anymore, but WebDAV is a potentially interesting one.
So WebDAV is a service that is by default installed and running on Windows servers, but not on workstations.
And essentially,
when WebDAV,
that WebDAV service is running,
we could coerce authentication over HTTP. We could do that using a tool called PetitPotam,
which we already talked about, or we could potentially even do that using the PrinterBug or SpoolSample as well.
Now, how do we do that?
Well, we specify @80 and then a bogus file name, and that is going to do the authentication for us.
Now, with IPv6, we can do exactly that.
So, for those of you that haven't seen this one in action yet, we can say, hey, mitm6,
the domain that we want to poison is ntlmlab.local, and essentially we are going to start assigning IPv6 addresses to computers that are requesting DHCPv6 leases over the
wire, which once again happens every few minutes.
Because, by default, your workstations and servers are configured to allow IPv6.
Then once that poison is complete,
what's going to happen is if you're trying to browse to an internal resource,
so something that requires internal DNS resolution, we're going to get this very nice authentication prompt.
This is because of Internet Explorer,
but there are some browsers that do transparent proxying, so you're not even going to get a pop-up and it's just going to use your NTLM credentials for you,
so no specific pop-up.
I think one of them, don't quote me on that, but I think one of them is actually Google
Chrome that does the transparent proxy.
Again, don't quote me on that, I just think that it's one of them; could be wrong though.
Now, in this case, right, so for Internet Explorer, which is very outdated, but somehow still used by a lot
of people,
especially in corporate environments,
they're going to get this nice pop-up,
and it's going to say, hey, we're trying to connect to some internal DNS, right, some internal server, it's going to prompt for credentials.
Now, if the credentials are filled in correctly, we're going to get a successful relay this time.
And HTTP to LDAP is allowed for cross protocol relaying.
There you go.
That was a mouth twister.
So that is actually allowed. And that means that once we are able to successfully relay to LDAP,
the default value or the default behavior of ntlmrelayx is going to be dumping all the domain information that it can via LDAP,
which means it's going to dump users,
it's going to dump computers, it's going to dump organizational units, domain groups, and the interesting thing about it:
the LDAP dumping mechanism in ntlmrelayx spits out HTML files and JSON files and
grepable files, and the HTML file potentially is quite nice because it will show you operating systems,
it will show you servers and clients by operating system. So essentially, you will be able to spot, using a pretty nice HTML web page,
any outdated operating system in the environment,
so it's not uncommon to find,
for example,
Windows XP,
Windows Server 2003 or Windows Server 2008,
which are still for some reason in an environment,
which you can then easily exploit using, for example, EternalBlue, and then get immediate code execution that way.
That was the mitm6 approach,
then of course we have the PetitPotam approach, and essentially what we're going to do here is we're going to need to use the authenticated method,
because this is a modern operating system that is patched against that unauthenticated RPC call.
We're going to specify our NetBIOS name,
which is in our case attacker,
we're going to say @80 because 80 is going to be our HTTP port,
and then some bogus page, in this case, aaa, and then the target.
And essentially, we're going to get an incoming request that is coming from the computer account.
And we will be able to relay that HTTP request to LDAP once again, and dump the directory that way.
I hope that all makes sense.
So without further ado, go ahead and perform the exercise.
If you have any questions,
feel free to drop them in discuss or help, because I see, even though I said, hey, please keep discuss for just lecturing topics,
You see questions popping in there as well.
And I see people actively answering those questions.
So that's awesome that there is a bit of a community engagement there.
Awesome people that are helping other people out.
And of course, I'm keeping an eye out as well.
I think this is probably, once again,
about 10 to 15 minutes.
These are all very small exercises just to illustrate what you can actually do with NTLM relaying.
So I'm going to shut up now for a bit, take a bit of water, and let you do the exercise.
All right,
so for those of you who are following along on my screen,
you did see the derpy-derp, the web server start, the WebDAV service start, but now it worked.
So essentially what I did
is I started the WebDAV service on the victim machine.
I used the domain admin credentials to do that, because to start it you need local admin privileges.
So once that was done, I could use PetitPotam, which of course requires authentication.
So we did, in this case, need the Qwerty123 from the victim.
And then we got that HTTP incoming request, which then succeeded.
And the domain info then got dumped in the loot dir, which is, if I recall correctly,
the directory where you're currently in if you didn't specify a loot dir;
in my case, unfortunately, that's Responder, so I just made a whole mess of my Responder folder, which is fine, as I have this snapshot
anyway, so I can revert to a snapshot if I want to, but what I want to show you here is the domain
computers by operating system .html: access was denied.
Well, yeah, of course, because I'm running this as root.
So let me see, the domain computers by OS.
Okay.
Right, that should be better.
So here you can see the domain computers by operating system.
Obviously, this is a bit anti climactic right because we only have three systems but in a real environment, you would see all of them.
It's quite nice as well that you have description fields here.
And if you're lucky,
there could be some passwords in the description fields of users, for example, be wary though, because those could also be honeypot accounts.
So accounts that are basically designed to trap attackers and to alert that something malicious is going on.
So I hope that all makes sense,
you could also do the same attack with mitm6,
if you want to; I just performed it with PetitPotam as it's easier to do reliably.
Otherwise, you always have to re-authenticate, type it in manually.
Well, here you can just do it once with PetitPotam, then just reuse the same command over and over again.
So I don't see any additional questions in the help channel.
I don't see any additional questions in the discuss channel.
So I'm guessing everyone is still good.
That's excellent.
So let's take a look at the next attack, which is resource-based constraint delegation.
Now, the cool thing about Windows Active Directory is that,
by default, all users, all authenticated users, are allowed to add up to 10 new computer objects in the domain.
This is the default configuration; this could be set to zero, this could be set to thousands, 1 million, but the default is 10.
So that means that any authenticated user can create new computer objects in the domain.
Now, if you create a new computer object, that doesn't necessarily need to be a physical computer.
It's just a logical object in Active Directory.
So it could just exist without a physical computer actually behind it.
Now, because you created that new computer object, you also have the option to give it a password.
So essentially you could create a new account with a given username,
a given password, and then use that new computer account to perform reconnaissance in Active Directory.
Now why is this relevant to us?
Well, because if we are able
to relay authentication to the LDAPS service,
so LDAP secure, of the domain controller, we could use the --add-computer option of ntlmrelayx to add a new computer.
So here, of course, with PetitPotam, this is again anti-climactic, because we already need credentials in order for PetitPotam to work.
But as I already mentioned,
in some environments,
you will be able to use PetitPotam from an unauthenticated point of view,
which would then allow you to use the unauthenticated callback to once again create a new computer.
Another thing you could do is mitm6, right?
So even if you don't have any credentials,
you could poison the DHCPv6 requests and just wait until someone either uses a modern browser with the transparent
proxy, or fires up Internet Explorer and types in their username and password in the nice little
login prompt that you saw there, and then use that authentication to add a new computer as well.
You'll have a new computer account with a displayed,
seemingly random and pretty secure password that you can then use, because now you have a username and a password, for authenticated reconnaissance purposes.
I hope that all makes sense.
So without further ado,
go ahead and perform the exercise.
So Sadik has a question: what do you mean, attacker@80?
I understand that part.
Well, Sadik, attacker is essentially the name that our attacker machine has, right?
So our NetBIOS name here, if you look at the host name, we're going to see that our host name is attacker.
So with the relay on, we bind on HTTP, on HTTPS, on all these ports.
So essentially we are waiting, and port 80 is one of the ports, for incoming authentication requests, right?
And then in the RPC call that this is doing,
so the EfsRpcOpenFileRaw RPC call that PetitPotam is using allows us to specify a remote target.
So in this case, we want to coerce authentication over HTTP.
Now, if you want to coerce authentication over HTTP, we will have to force the system to authenticate to us over port 80.
Now, the way this RPC call works is it does not allow you to do that over IP; it requires
you to have a hostname or a fully qualified domain name to authenticate over HTTP instead of SMB.
It's going to default to SMB.
So we are using our NetBIOS name, because again, guess what?
In this specific scenario we have fallback protocols, right?
So we are going to say, hey, please authenticate to attacker@80.
Then of course, the target system is going to ask, hey, who the hell is attacker?
And we have that host name.
So even without responder, because we have that host name, we are gonna say, hey, we are attacker.
So please authenticate to us.
So that is why the machine account is going to authenticate to us.
Now, if legacy protocols were disabled, this attack would not work.
Does that make sense?
Sadik, that was especially for you, so hopefully that's a yes.
Nice.
So now, mitm6.
That's a tool that we are going to use that does that for us.
You're welcome.
All right.
So, let us add a new computer this time.
My WebDAV server is still running on victim01.
So what I'm going to do now is I'm going to start my relay to LDAPS and I'm going to specify add-computer.
There we go.
And then I'm going to trigger PetitPotam once again.
We get this attacker-controlled connection.
And hopefully it will allow us to add a new computer account.
Yep, there we go, adding a new computer with this username, this password; the result is okay.
So we could now use this computer to then perform authenticated
reconnaissance in the environment, for example using the Python version of BloodHound.
Now, a follow-up on this would be resource-based constrained delegation.
And resource-based constrained delegation, instead of just using add-computer, is going to add a computer but also delegate access towards the server.
Andry asks: does the command allow you to specify a computer name pattern to use? Otherwise the machine account might stick out.
Yes, it does allow that; it allows you to specify a computer name and even a password if you want to. If you leave it default, it's just going to randomly generate one for you.
So essentially what we're going to do here is we're going to delegate access this time though.
So we are going to dive a little bit into Kerberos.
So what we have to do is to make sure that we have our hosts file on our attacker machine pointing to the machines that we want
to target.
So essentially,
we want to make sure that the domain controller is pointed to by its fully qualified domain name, and the victim that we want to perform
resource-based constrained delegation against will also have to have its fully qualified domain name with the IP address in our hosts file.
This is because Kerberos requires fully qualified domain names, Kerberos does not work with IP addresses.
And of course,
because we don't have a full-fledged DHCP and DNS that is domain-joined,
we can use our local hosts file on our operating system to force DNS entries, as the hosts file takes precedence over DNS.
So, once we've got that set up and going,
instead of doing add-computer, do delegate-access.
There we go.
Trigger that PetitPotam connection again.
We get a new computer account.
And we get a password.
We also get delegation rights.
So it says,
hey, this computer can now impersonate users on victim via S4U2Proxy. And essentially what we can do now with our new computer account is we can start impersonating domain administrators, only on the
relayed computer, though.
So it's not like we suddenly have domain admin credentials.
No, no, no, this will only work on the relayed machine account.
So the victim computer in this case.
So we can fool the victim now into thinking that we are a domain administrator.
And the way we do that is another tool in the Impacket suite, this time called getST, which stands for get service ticket.
Then we are going to say, hey, we want to specify the CIFS service, which is a specific service for file systems.
And we want to use our computer that was set up for delegation in order for us to do that.
So we are going to be using that computer.
Do note that we are using
ticks here, single quotes.
The reason for that is because we are using a dollar sign, and a dollar sign is a special character in bash,
so we don't want to upset our command line interpretation, which is why we are escaping it using dollar signs.
Then impersonate domain admin because that is the name of one of our domain admin accounts.
It's going to ask us for a password, which is this string for me.
It's going to be different of course for you.
We're gonna paste in that password and it's going to give us a nice error.
This is by design.
Don't worry about it.
I specifically did this to teach you guys a lesson.
So there could be a way,
there could be a small chance that in your penetration testing, you are going to encounter this error, KRB_AP_ERR_SKEW, clock skew too great.
Now this typically means that your attacker machine has a different date, so your NTP, your local system date, your time, is different
from the domain controller's time.
Now this is going to conflict with the authentication of Kerberos.
As there is a clock skew mechanism in Kerberos that says,
hey, if the time window is, I think it's five minutes or 10 minutes by default,
if the request is off by five or 10 minutes or longer,
I'm going to drop the request as invalid, because it's out of my timing window.
So all authentication requests need to be made within five or 10 minutes of skew or leeway. So essentially,
if you look here,
we see that we are at 7:42, military time, and if we look at the domain controller, we see that that's 5:04.
So obviously, these don't add up, right?
So we will have to change the date.
of our attacker-controlled machine to a more suitable date
that is going to be more in line with the domain controller's date,
or the alternate way: because we have control over the domain controller in this specific case,
we could also do it the other way around, right?
So set the domain controller's time to our attacker-controlled machine's time,
but in practice,
right, in a real pen test, you wouldn't be able to do that, but you would be able to play around with the time of your attacker-controlled machine.
So let me change the time here.
Is that AM or PM actually?
You can see it.
I have to wait.
Let's take a look.
Yep.
Right.
The keyboard is trolling me.
No.
Why is this resetting?
Damn it.
I want automatic date time.
Stop resetting me.
Yes.
There we go.
So now I changed the date,
and this time it works, right? So I'm now able to request
a ticket for the domain admin and save it in the ccache file for domain admin. So what I need
to do now is I need to export this special ticket into my environment, and that's a special environment
variable, KRB5CCNAME, if I recall correctly. But I do have my cheat sheet here.
So let me check real quick, yeah, KRB5CCNAME.
There we go.
I should hopefully be able to execute the following command.
And I cannot.
Live demos, am I right?
Okay, that does work.
Yeah, I have to take a look at what goes wrong here, but that should work.
So I'll take a look afterwards.
And ntpdate: can you use this DC as the NTP time source, as you should? Well, yes, you can.
Do you have to change the time?
Can you spoof it?
You could potentially spoof it if you want, but it's easier, in my opinion, to change the time.
You could set it to the DC if you want to.
You could also use ntpdate, as is said on the discuss channel.
As for why this technique or this specific attack doesn't work, I have no idea.
I have to figure that out later,
so let's take a look at the next attack, which is going to be attack five, and that's shadow credentials.
So with shadow credentials, this requires you to have Active Directory Certificate Services installed in your environment.
You could try HOST instead of CIFS.
I could, yes, I'll try that later.
So with shadow credentials, you would have to have Active Directory Certificate Services installed in the environment.
And if that's installed, we could leverage a new property on Active Directory objects called the key credentials.
There are references to blog posts in the slides,
so don't worry about that; if you want to read up on that, you will be able to do so.
Essentially, what we can do is we can set --shadow-credentials on our ntlmrelayx.
And when we once again do mitm6 or PetitPotam to get HTTP authentication
forwarded to the domain controller's LDAP server,
we will be able to request a certificate on behalf of the machine account, and will then be able to extract the NT hash from that ticket,
which we can then use to forge a silver ticket towards ourselves,
once again impersonating the domain administrator,
or just use the NT hash of that computer account for reconnaissance purposes, in case you want to do that.
So, if we set that up, I'll drop in --shadow-credentials.
All right, there we go.
Insufficient access rights. Do we need to be domain admin for this one? Could actually be the case, now we're using the computer accounts.
Could be that I did not clear the key credential link
from my previous demonstration; if that's the case, then you could get that error as well.
So I'll check that out
as well and see if I can update that instruction. So let's see, systems, let me
first try it with another machine, and that's going to be faster.
Start the service. I didn't install it on the... okay, maybe I did on the file server, let's see.
It did do it on the file server, so let's check if we are able to perform the same attack.
So I'm going to trigger it and use domain credentials.
But this time I want to target 10.10.0.10, and see if that authentication is going to grant us
key credential certificates or not.
So, Noxin: "I do see a yes, happened to me when exploiting twice without clearing."
What do you mean?
Are you talking about changing the CIFS to HOST?
Are you talking about the shadow credential attack that I'm doing here?
Okay.
Yeah.
Dammit.
Was too fast.
Oh, there we go.
Okay.
So it worked.
So instead of victim,
I used server01, and the reason why this one worked and the other one did not is because once msDS-KeyCredentialLink has been set once and not cleaned after,
you can only set it once.
So if the value is already filled in, you will not be able to override it.
You first have to wipe it again before you can override it.
And I think that I didn't clean it up properly,
which is why the first authentication failed. And now with the second one, on server01, because I've never performed it against server01 before, that actually worked. So, learning school here, right: what could potentially go
wrong in pen test scenarios?
Well, we just saw it, right? We could get that
"insufficient access rights".
So that could mean two things: either you actually do have insufficient access rights, as in,
you don't have the permission to overwrite that property, or the property is already filled in.
So now with this certificate, we unpack it.
We could unpack the hash and get the NT hash for that
with the PKINITtools.
So if I... where did that certificate get saved, though?
Again in Responder, I guess.
So cd.
Should be a cert there.
Yep, this one.
Let's copy that over to, okay, PKINITtools.
Okay.
Let's cd into PKINITtools and then use python3.
Okay.
Let's see.
gettgtpkinit, -cert-pfx, the cert itself, then pass this, and then the... well, actually we could just legitimately copy this.
Well, it's way easier.
Of course, that's the perk.
All right, there we go.
That's taking quite a while.
So that's probably going to fail on me for some reason.
Oh, no, it didn't.
There you go.
So we did get a TGT, and with that TGT we could then unpack the hash, or we could use that TGT to then further exploit by creating a silver ticket,
or using the computer account to LDAP, dump the LDAP machines, dump the LDAP information, or maybe even the computer account is misconfigured, right?
And maybe the computer account has local admin privileges somewhere, so that could be another thing there.
Alright, so that's about it in terms of attacks that I wanted to show, and I think we're about right on time.
So again, a classic internal pen test scenario, right, what would you do?
Well, really, all the things, right? And with CrackMapExec you could do a lot of cool things as well,
once you've got authentication.
For example, if you have local admin privileges somewhere, you could use CrackMapExec to then dump LSASS.
You could use CrackMapExec for password reuse, right?
If they have the local admin password
the same across multiple systems,
you could use CrackMapExec to compromise all those systems, get additional hashes, and use the snowball effect to essentially compromise the entire domain.
So I think we're right on the money.
We have about...
So I will look into that one attack that didn't work.
See if I can update the workbook with working instructions, because I don't really know what's going on there.
I have to investigate that a little bit further myself.
Other than that, it could be the host thing that was mentioned.
So instead of using CIFS, using HOST could be it.
It could be something more complex.
I have to figure that out.
So hopefully you learned something today.
And as for defensive measures,
what can you do?
First of all,
enabling SMB signing,
making sure that your tier 0 and tier 1 assets are patched against that unauthenticated PetitPotam,
make sure that your local admin passwords are unique.
So, if you have the option to do so, use LAPS.
What else can you do?
You could disable the protocols that we talked about.
You could disable IPv6 on your network adapters
if you're not using it internally, and all these things will help you prevent a lot of these, quote unquote, low-hanging-fruit attacks,
right, that help internal pen testers compromise the domain, as illustrated in two hours by yours truly.
So hopefully it made sense.
If you didn't have the VMs,
well, you have the instructions now to rebuild the lab on your own if you want to. Yeah, I'd like to thank you all for your attention.
I don't know, Randall, if you have any closing words or not.
Yes, absolutely.
I just wanted to say thank you again, John, for bringing this content to us.
This was a really cool workshop.
I'm very excited.
We got to put this on and that we're going to have it available for others to use and reference.
To everyone who joined us, we appreciate you joining and taking the time.
Let's see if there are any other questions that I might have missed.
What are some indicators you can look for to detect these kinds of attacks?
Oh, that's a good one.
Pretty much authentication
over NTLM on servers or workstations that users have never logged on to before.
That'd be a nice one.
Or requests to servers that users normally don't request access to.
Those will be the key indicators.
Yeah, so that's it.
Super informative.
Thanks.
Well, thank you all for joining; 200 people attended.
So that's awesome.
If you like this workshop, it's going to stay online.
The workbook isn't going anywhere either.
Pass it around to colleagues or friends if you want to, post it on LinkedIn, post it on socials, whatever. The more people that know about this stuff the better, as that will of course help organizations prevent
these kinds of attacks as well.
Yes, and if you are interested in keeping track of the workshops, we do have a landing page built for the workshops, which is just sans.org/workshops, where we post information on upcoming
events.
And for a list of upcoming or on-demand webcasts, you can go to our... and see you all in another workshop.