
Title: Red Team | Summary of important loopholes in domain penetration


1. MS14-068 (Kerberos authentication, PAC not validated)

When requesting a TGT (the ticket-granting ticket) from the Kerberos Key Distribution Center (KDC), a user can forge their own Kerberos ticket, because the PAC it carries is not validated.

Vulnerability effect:

Elevate any domain user to domain management permissions

Conditions of use:

1. The domain controller runs a version below Windows Server 2012 R2 and lacks the MS14-068 patch (KB3011780)

2. Access to a domain-joined computer

3. The password and SID of a domain user in this domain

How to use:

A detailed explanation is given in the article 《Kerberos认证及过程中产生的攻击》 (Kerberos authentication and the attacks that arise in the process), available at https://cloud.tencent.com/developer/article/1760132

2. CVE-2020-1472 (Zerologon)

The Netlogon privilege escalation vulnerability (CVE-2020-1472) is a critical remote privilege escalation vulnerability in Windows domain controllers.

The default IV (initialization vector) used by Netlogon's AES-based authentication is 0, which lets an attacker bypass authentication. The remote interface that sets the domain controller's password uses the same function, so the attacker can set the password of the DC machine account to empty.

From there the domain hashes can be dumped, and finally the original password of the DC machine account is restored.

Vulnerability effect:

This vulnerability can be used to obtain domain management access

Affect version:

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

How to use:

Preparation tools:

Impacket Toolkit: https://github.com/SecureAuthCorp/impacket.git

poc: https://github.com/SecuraBV/CVE-2020-1472.git

exp: https://github.com/dirkjanm/CVE-2020-1472

exp: https://github.com/risksense/zerologon

https://cloud.tencent.com/developer/article/1780108

https://cloud.tencent.com/developer/article/1837483

3. CVE-2021-42287 / CVE-2021-42278 (noPac)

The Windows Active Directory Domain Services privilege escalation vulnerability (CVE-2021-42287, CVE-2021-42278) exists because AD DS does not enforce appropriate security restrictions, so those restrictions can be bypassed to escalate privileges. An attacker can exploit it to elevate an ordinary domain user to domain administrator.

Vulnerability effect:

Elevate any domain user to domain management permissions

Affect version:

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows Server, version 20H2 (Server Core Installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows Server 2019 (Server Core installation)

Windows Server 2019

Conditions of use:

(1) An ordinary domain member account

(2) Domain users are permitted to create machine accounts (the default)

(3) The DC has not been patched with KB5008380 or KB5008602

How to use:

https://github.com/WazeHell/sam-the-admin

https://github.com/Ridter/noPac

https://blog.csdn.net/FHLZLHQ/article/details/121964692
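Added example, not from the original post or from the tools it links: a small Python detector, run over constructed domain-controller event records, for the traces the two escalation paths in sections 2 and 3 above leave behind. It flags a DC machine-account password change performed by ANONYMOUS LOGON (Security event 4742, the footprint of the Zerologon password reset), Netlogon event 5829 (a vulnerable secure channel still allowed before enforcement), and a computer account renamed to drop its trailing "$" (Security event 4781), escalating the hit when the new name matches a domain controller. The DC account names and the log lines are constructed for the demo.

```python
import json

# Constructed for the demo: the domain's DC computer accounts (assumption, not from the post).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed JSON-lines extract of Security/System events collected from a domain controller.
SAMPLE_LOG = """\
{"EventID": 4624, "Channel": "Security", "SubjectUserName": "-", "TargetUserName": "ANONYMOUS LOGON"}
{"EventID": 4742, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}
{"EventID": 4742, "Channel": "Security", "SubjectUserName": "DC01$", "TargetUserName": "DC01$"}
{"EventID": 5829, "Channel": "System", "Provider": "NETLOGON"}
{"EventID": 4741, "Channel": "Security", "SubjectUserName": "bob", "TargetUserName": "TESTPC$"}
{"EventID": 4781, "Channel": "Security", "SubjectUserName": "bob", "OldTargetUserName": "TESTPC$", "NewTargetUserName": "DC01"}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events, dc_accounts=DC_ACCOUNTS):
    """Return (rule_name, event) pairs for Zerologon- and noPac-style traces."""
    dc_short = {name.rstrip("$").upper() for name in dc_accounts}
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        subject = (ev.get("SubjectUserName") or "").upper()
        target = ev.get("TargetUserName") or ""
        # Zerologon: the password reset goes through the authentication bypass, so the
        # machine-account change is logged with ANONYMOUS LOGON as the subject.
        if eid == 4742 and target.endswith("$") and subject == "ANONYMOUS LOGON":
            hits.append(("zerologon_machine_password_change", ev))
        # Netlogon 5829: a vulnerable secure-channel connection was allowed (enforcement off).
        elif eid == 5829 and ev.get("Channel") == "System":
            hits.append(("netlogon_vulnerable_channel_allowed", ev))
        # noPac: a computer account renamed so it no longer ends in "$"; a new name equal to a
        # DC's account name is the name collision at the heart of sAMAccountName spoofing.
        elif eid == 4781:
            old, new = ev.get("OldTargetUserName", ""), ev.get("NewTargetUserName", "")
            if old.endswith("$") and not new.endswith("$"):
                rule = "nopac_rename_to_dc_name" if new.upper() in dc_short else "computer_account_dropped_dollar"
                hits.append((rule, ev))
    return hits

def demo():
    """Rule names fired by the constructed log, in log order."""
    return [rule for rule, _ in detect(parse_events(SAMPLE_LOG))]
```

The normal 30-day machine password rotation (4742 with the computer itself as subject) and a benign anonymous 4624 are in the sample precisely so that the rules stay quiet on them.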

4. CVE-2021-1675 / CVE-2021-34527 (PrintNightmare)

PrintNightmare was initially tracked as CVE-2021-1675; Microsoft later assigned CVE-2021-34527 and noted that the two vulnerabilities are very similar but have different attack vectors.

Print Spooler is the Windows service that manages print-related work: it manages all local and network print queues and controls all print jobs. The Print Spooler service is enabled by default on Windows, and an ordinary user can use this vulnerability to escalate to SYSTEM privileges.

Vulnerability effect:

An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the domain controller with SYSTEM privileges, thereby gaining control of the entire domain.

Affect version:

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Exploitation scenarios:

In a workgroup environment, this vulnerability yields the highest system privileges. In a domain environment, attacking the domain controller directly yields SYSTEM on the DC and arbitrary code execution; it can also be used for persistence. Once the domain controller is compromised, the DLL can be loaded remotely from a shared directory whenever such a share exists and the DC can reach it.

Conditions of exploitation:

The target has the Spooler service enabled; a domain account with ordinary privileges; the SMB server set up by the attacker allows anonymous access, so that the target can fetch the file directly.

How to use:

https://github.com/cube0x0/CVE-2021-1675

https://github.com/cube0x0/impacket

https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer

https://bewhale.github.io/posts/29501.html

https://mp.weixin.qq.com/s/1sR0wTyJFf5UnuPjtJ-DWw

5.CVE-2019-1040

In June 2019, Microsoft released a security update. This update fixes the CVE-2019-1040 vulnerability. In this vulnerability, an attacker can bypass NTLM MIC (Message Integrity Check) protection through a man-in-the-middle attack and relay authentication traffic to the target server.

Vulnerability effect

This attack allows an attacker who holds only a single ordinary domain account to remotely control any machine in the Windows domain, including the domain controller.

Affect version

Windows 7 sp1 to Windows 10 1903

Windows Server 2008 to Windows Server 2019

Utilization scenarios

Depending on the environment, the CVE-2019-1040 attack chain has been used in two ways:

1. Attack the Exchange server (the path described below)

2. Attack the AD domain controller (combined with resource-based constrained delegation)

Conditions of utilization

A. The Exchange server can be any version (including versions patched for PrivExchange). The only requirement is that Exchange holds high privileges by default, which is the case when it is installed in shared permissions or RBAC mode.

B. Any account in the domain (the only requirement for triggering the SpoolService bug is an authenticated domain account).

C. The essence of CVE-2019-1040 is a defect in NTLM packet integrity verification, so the NTLM authentication packet can be modified without invalidating the authentication. In this attack chain, the attacker removes the flag in the packet that prevents relaying from SMB to LDAP.

D. A request is constructed so that the Exchange server authenticates to the attacker, and that authentication is relayed to the domain controller over LDAP; the relayed victim's privileges can then be used to perform operations in Active Directory, for example granting DCSync rights to the attacker's account.

E. If the attacker has a user in a trusted but entirely separate AD forest, exactly the same attack can be carried out in the domain (because any authenticated user can trigger a SpoolService reverse connection).

Vulnerability Exploit Attack Chain

1. Use any account in the domain to connect to the targeted Exchange server over SMB, specifying the relay server; at the same time, trigger the reverse SMB connection through the SpoolService bug.

2. The Exchange server connects back to the attacker's host over SMB; ntlmrelayx modifies the NTLM authentication data using CVE-2019-1040 and relays the SMB request to LDAP.

3. Using the relayed LDAP authentication, the Exchange server's privileges are used to grant DCSync rights to the attacker's account.

4. The attacker's account uses DCSync to dump the password hashes of all domain users (including the domain administrator), at which point the entire domain is compromised.
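Added example, not from the original post or from the tools it links: a Python model of the server-side MIC check that CVE-2019-1040 bypasses. It builds a constructed NTLMv2 AUTHENTICATE message, computes the MIC as HMAC-MD5 over the three handshake messages, and compares a pre-fix verifier, which simply skips a missing MIC, with a hardened one that consults the MsvAvFlags pair inside the NTLMv2 response (covered by the NTProofStr HMAC, so a relay cannot edit it). The session key, handshake messages and negotiate flags are constructed values, and the hardened check is an assumed model of the fix, not Microsoft's code.

```python
import hashlib
import hmac
import struct

MSV_AV_FLAGS, MSV_AV_EOL = 0x0006, 0x0000  # AV pair ids (MS-NLMP)
AV_FLAG_MIC_PRESENT = 0x00000002           # MsvAvFlags bit: the client included a MIC
MIC_OFF, MIC_LEN, HDR_LEN = 72, 16, 88     # MIC position inside the AUTHENTICATE fixed part

def build_ntlmv2_response(nt_proof, av_flags):
    # Constructed NTLMv2_RESPONSE: NTProofStr, fixed "temp" header, one AV pair, MsvAvEOL.
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, av_flags) + struct.pack("<HH", MSV_AV_EOL, 0)
    return nt_proof + b"\x01\x01" + bytes(6) + bytes(8) + bytes(8) + bytes(4) + av + bytes(4)

def av_flags_of(nt_response):
    # Walk the AV pairs; they sit under the NTProofStr HMAC, so a relay cannot edit them.
    pos = 16 + 28
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS:
            return struct.unpack_from("<I", nt_response, pos + 4)[0]
        pos += 4 + av_len
    return 0

def build_authenticate(nt_response, flags, mic=bytes(MIC_LEN)):
    # AUTHENTICATE_MESSAGE with an 88-byte fixed part; only NtChallengeResponse carries payload.
    field = lambda n: struct.pack("<HHI", n, n, HDR_LEN)
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3) + field(0) + field(len(nt_response)) + field(0) * 4
    return hdr + struct.pack("<I", flags) + bytes(8) + mic + nt_response

def compute_mic(key, negotiate, challenge, auth):
    # MIC = HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE with MIC zeroed).
    zeroed = auth[:MIC_OFF] + bytes(MIC_LEN) + auth[HDR_LEN:]
    return hmac.new(key, negotiate + challenge + zeroed, hashlib.md5).digest()

def accept_vulnerable(key, negotiate, challenge, auth):
    # Pre-fix logic: the MIC is checked only when present, so a MIC removed in transit is never checked.
    mic = auth[MIC_OFF:HDR_LEN]
    return mic == bytes(MIC_LEN) or hmac.compare_digest(mic, compute_mic(key, negotiate, challenge, auth))

def accept_hardened(key, negotiate, challenge, auth):
    # Fixed logic (assumed model of the patch): if the protected MsvAvFlags says a MIC was sent,
    # its absence is a failure; a present MIC must verify as before.
    mic = auth[MIC_OFF:HDR_LEN]
    if mic == bytes(MIC_LEN):
        n, _, off = struct.unpack_from("<HHI", auth, 20)      # NtChallengeResponseFields
        return not (av_flags_of(auth[off:off + n]) & AV_FLAG_MIC_PRESENT)
    return hmac.compare_digest(mic, compute_mic(key, negotiate, challenge, auth))

def demo():
    # Constructed exchange: a genuine AUTHENTICATE and the same message with its MIC removed in transit.
    args = (bytes(range(16)),                                       # constructed ExportedSessionKey
            b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(24),       # constructed NEGOTIATE_MESSAGE
            b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(44))       # constructed CHALLENGE_MESSAGE
    nt_resp = build_ntlmv2_response(bytes(16), AV_FLAG_MIC_PRESENT)
    genuine = build_authenticate(nt_resp, 0x62088215)              # constructed NegotiateFlags
    genuine = genuine[:MIC_OFF] + compute_mic(*args, genuine) + genuine[HDR_LEN:]
    stripped = genuine[:MIC_OFF] + bytes(MIC_LEN) + genuine[HDR_LEN:]
    return {"genuine": (accept_vulnerable(*args, genuine), accept_hardened(*args, genuine)),
            "stripped": (accept_vulnerable(*args, stripped), accept_hardened(*args, stripped))}
```

demo() returns (accepted by the vulnerable check, accepted by the hardened check) for each message: the genuine one passes both, the MIC-less one passes only the vulnerable check.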

How to use:

https://github.com/SecureAuthCorp/impacket

https://github.com/dirkjanm/krbrelayx

https://github.com/Ridter/CVE-2019-1040

https://github.com/Ridter/CVE-2019-1040-dcpwn

In the same network segment: https://www.freebuf.com/vuls/274091.html

Under the tunnel: https://zhuanlan.zhihu.com/p/142080911

CVE-2019-1040 + RBCD (resource-based constrained delegation) + PetitPotam

6. Domain delegation attack

https://mp.weixin.qq.com/s/GdmnlsKJJXhElA4GuwxTKQ

7. NTLM Relay

https://www.anquanke.com/post/id/193149

https://www.anquanke.com/post/id/193493

https://www.anquanke.com/post/id/194069

https://www.anquanke.com/post/id/194514

8. AD CS vulnerability - ESC8 (PetitPotam) (AD CS relay)

ESC8 is an HTTP NTLM relay, possible because the AD CS web enrollment endpoint accepts NTLM authentication.

Vulnerability effect:

Elevate ordinary domain users to domain management permissions

Conditions of use:

1. AD CS is unpatched

2. There are two domain controllers

3. AD CS is deployed

How to use:

https://blog.csdn.net/qq_43645782/article/details/119322322

https://forum.butian.net/share/1583

9. AD CS vulnerability - CVE-2022-26923

Vulnerability Impact : allows low-privileged users to elevate permissions to domain administrators in a default Active Directory environment with Active Directory Certificate Services (AD CS) server role installed

Vulnerable Component: Active Directory Certificate Services (AD CS)

Brief description of the vulnerability: by creating a machine account and tampering with its dNSHostName attribute, the attacker gets AD CS to embed that dNSHostName in the certificate it issues, so the machine account obtains the identity of a highly privileged domain controller.

Affected Windows versions:

Windows 8.1

Windows 10 Version 1607, 1809, 1909, 2004, 20H2, 21H1, 21H2

Windows 11

Windows Server 2008, 2012, 2016, 2019, 2022

Utilization prerequisites:

The CVE-2022-26923/CVE-2022-26931 vulnerability is similar to the 2021 sAMAccountName spoofing vulnerability (CVE-2021-42278/CVE-2021-42287): both use a forged domain controller identity to perform privilege escalation. Its prerequisites are:

The privilege escalation vulnerability applies to all Windows Server Active Directory versions, including Windows Server 2012 R2 through Windows Server 2022, which are currently within Microsoft's product support, and older Windows Server versions outside it.

The intruder controls at least one Active Directory user account that has the "Validated write to DNS host name" permission on at least one computer account in Active Directory. By default, a single ordinary domain user can join or create up to 10 computer accounts in Active Directory (including creating empty accounts) and holds CREATOR OWNER administrative rights (including "Validated write to DNS host name") over the computer accounts they have joined or created, so this permission is easy to obtain.

The enterprise certificate service is deployed in Active Directory and allows the controlled computer accounts to request a computer authentication certificate. Enterprise Certificate Services is a widely deployed base service in Active Directory, and by default, when integrated with Active Directory, it allows computers in the domain to request computer authentication certificates.

Reproduction reference:

https://forum.butian.net/share/1578

https://forum.butian.net/share/1583

10. Exchange-related: controlling the Exchange server

Exchange plays an important role in the domain. Generally speaking, obtaining control of the Exchange server is roughly equivalent to obtaining domain admin. Once you control the Exchange server, there is a high probability that a domain admin is logged in directly, or has logged in before. With Exchange server permissions, first try to list the domain controller's C drive directly to see whether you already have access; if not, use mimikatz to dump credentials, which will very likely yield a domain admin or another high-privileged user. Moreover, even on newer server versions, plaintext passwords can be recovered on Exchange.

11. CVE-2018-8581 (relay to the domain controller)

Vulnerability description:

This vulnerability chains an SSRF in Exchange with the server's high-privileged requests, allowing a user with valid mailbox credentials to be elevated to domain administrator.

Scope of impact:

Exchange Server 2010

Exchange Server 2013

Exchange Server 2016

Conditions of use:

The attacker has valid mailbox user credentials. Since the exploit escalates privileges through NTLM relay, the attacker also needs a host already under control in the internal network.

Vulnerability Introduction:

The vulnerability occurs in several aspects:

First, Exchange allows any authenticated user to create a push subscription through the EWS interface and to specify any URL as the notification destination. Second, when the subscribed notification is pushed, Exchange uses the DefaultCredentials property of the CredentialCache class; since EWS runs with SYSTEM privileges, the HTTP request issued with DefaultCredentials initiates NTLM authentication with that identity. Third, in EWS requests a SerializedSecurityContext header specifying a SID allows identity impersonation, so EWS calls can be performed as the specified user. In other words: we can make the Exchange server initiate an HTTP NTLM authentication to us, and thus obtain the Net-NTLM hash of the Exchange machine account.

Since this exploit involves NTLM relay, an obvious idea is to relay the credentials to the domain controller. Because the relayed NTLM credentials belong to the Exchange server's machine account, and, as described in the Relay To LDAP section, the Exchange machine account has write-ACL (WriteDACL) permission, it can grant any user DCSync rights and thereby dump all password hashes.

Whether the server requires signing:

The server we relay to is LDAP. As in the earlier [LDAP signing] section, the LDAP server's default policy is negotiated signing: whether signing is used is decided by the client. The client side depends on the protocol: for SMB, signing is required by default; for WebDAV or HTTP, signing is not required.

The request initiated in this vulnerability uses HTTP, so nothing needs to be done: signing is not required in this case.

EXP :

https://github.com/Ridter/Exchange2domain

# You can also use ntlmrelayx.py + privexchange.py + secretsdump.py

https://github.com/dirkjanm/privexchange

https://github.com/SecureAuthCorp/impacket

For reproduction, please refer to this article:

https://www.jianshu.com/p/e081082cbc73

CVE-2020-0688 (RCE)

Vulnerability description: once an attacker obtains, by whatever means, the password of a user account that can access the Exchange Control Panel (ECP) component, he can execute arbitrary code on the targeted Exchange server and directly obtain server privileges.

Exploitation conditions: Exchange Server 2010 SP3/2013/2016/2019, an ordinary account.

Attack script:

https://github.com/zcgonvh/CVE-2020-0688

https://github.com/random-robbie/cve-2020-0688

Reproduction:

https://www.anquanke.com/post/id/226543#h3-13

12. CVE-2020-17144 (RCE)

Vulnerability description: a remote attacker can bypass authentication and exploit the vulnerability by constructing special cmdlet parameters.
