Miscellaneous Misconfigurations
Exchange Server
If we can compromise an Exchange server, or control a user who is a member of a highly privileged Exchange group, we may have a direct path to domain admin. Exchange misconfigurations can be leveraged in many ways to escalate privileges.
For example, members of the Exchange Windows Permissions group have high privileges over the domain, with the WriteDACL permission set on the domain object. This allows any member of that group to modify the ACL of the domain, for instance to grant any user the DCSync right.
Testers might also pay attention to the Organization Management group, which has full control over the Microsoft Exchange Security Groups OU and thus over the Exchange Windows Permissions group.
PrivExchange attack
The PrivExchange attack stems from the Exchange Web Service PushSubscription feature, which supports NTLM HTTP authentication, combined with the WriteDACL permission held by the Exchange server. This combination allows an attacker to relay the Exchange server's authentication request to the domain controller, change the ACL of the domain, and grant a user under our control the DCSync right.
The attack flow is as follows:
1. The attacker starts the ntlmrelayx.py script on their own attack box, with the objective of relaying any incoming connection to the domain controller. The attacker can specify the user to escalate privileges to.
2. The attacker subscribes to the Exchange PushSubscription service using the privexchange.py script. This service supports NTLM HTTP authentication, so any authentication attempt can be relayed.
3. The registration to the PushSubscription forces the Exchange server to authenticate to the attacker's machine. The authentication is then relayed to the Domain Controller.
4. Because the Exchange server has high privileges over the domain, the domain ACLs can be modified to grant our user the DCSync privilege, which gives us the ability to dump the entire NTDS.dit database.
MS14-068
The TGT holds information about the user and their privileges. This information is contained within the PAC (Privilege Attribute Certificate) structure of the TGT. The PAC is signed by the KDC and cannot be tampered with.
The MS14-068 bug dates from 2014 (it is patched on most recent servers). It allows an attacker to forge a TGT with arbitrary information in the PAC, granting our user high privileges. The KDC treats this forged ticket as legitimate because of a flaw in the PAC verification process.
To exploit this vulnerability, the PyKEK (Python Kerberos Exploitation Kit) tool can be used:
Three pieces of information are needed to carry out this attack: a domain user name, that user's password, and the user's SID.
Printer Bug (MS-RPRN Protocol)
An attacker can coerce any victim host running the print service (such as the DC) to subscribe to printer change notifications on a compromised host that has Unconstrained Delegation set, via the RpcRemoteFindFirstPrinterChangeNotificationEx RPC call. The coerced authentication of the Domain Controller is made over SMB.
When the DC (print server) authenticates to the compromised host (print client), the DC's TGT is left in memory on that host. Since Unconstrained Delegation is enabled on the compromised host, it can now act as the domain controller, which makes a DCSync attack possible.
This attack can also be used to gain control over another forest with a two-way trust relationship. For example, compromising any server with unconstrained delegation in one forest can lead to the compromise of a foreign forest if the attacker coerces a domain controller of the foreign forest to authenticate to the compromised host with unconstrained delegation. By default, the domain controllers of a forest have Unconstrained Delegation enabled, but other hosts might have this feature enabled as well.
Since the Print Spooler service is available by default on all Windows systems (from Windows 8 onwards) with a desktop environment, any domain user can abuse the MS-RPRN Print System Remote Protocol.
This script can be used to identify targets vulnerable to the Printer Bug.
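As an added example that is not part of the original notes, a defender-side Python audit that finds the hosts the paragraph above warns about: computers with Unconstrained Delegation that are not domain controllers. The LDIF input is constructed; on a real domain it would be the output of an LDAP search for computer objects returning sAMAccountName and userAccountControl.

```python
"""Flag non-DC computer accounts with Unconstrained Delegation enabled."""
from typing import Dict, List

# userAccountControl bit flags (documented values)
UF_SERVER_TRUST_ACCOUNT = 0x2000     # account is a domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000  # Unconstrained Delegation enabled


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal parser for 'attr: value' LDIF entries separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def is_domain_controller(uac: int) -> bool:
    return bool(uac & UF_SERVER_TRUST_ACCOUNT)


def has_unconstrained_delegation(uac: int) -> bool:
    return bool(uac & UF_TRUSTED_FOR_DELEGATION)


def find_risky_delegation(records: List[Dict[str, str]]) -> List[str]:
    """DCs are expected to have the flag; any other host with it is a relay point."""
    risky = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if has_unconstrained_delegation(uac) and not is_domain_controller(uac):
            risky.append(rec["sAMAccountName"])
    return sorted(risky)


# Constructed sample (hypothetical hosts, not from any real domain):
# 532480 = 0x82000 (DC + delegation), 528384 = 0x81000 (server + delegation), 4096 = 0x1000
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=corp,DC=example
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=WEB01,OU=Servers,DC=corp,DC=example
sAMAccountName: WEB01$
userAccountControl: 528384

dn: CN=WS01,OU=Workstations,DC=corp,DC=example
sAMAccountName: WS01$
userAccountControl: 4096
"""

if __name__ == "__main__":
    print("Non-DC hosts with Unconstrained Delegation:", find_risky_delegation(parse_ldif(SAMPLE_LDIF)))
```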
Resources
See HarmJ0y's blog post about forest trusts and the Printer Bug.
AdidnsDump
AdidnsDump enumerates all DNS records in a zone. By default, all domain users can query the DNS records of the DNS zone they are in; the tool uses the LDAP protocol to query them. The -r flag resolves the A records. The result is saved in a records.csv file.
Resources
Mollema, Dirk-Jan (2019). Getting in the Zone: dumping Active Directory DNS using adidnsdump.
Password in description field
Some users' passwords might be stored in the description field of domain user accounts. For larger domains, export the results to CSV.
PowerView line:
PASSWD_NOTREQD Field
Check for users with the PASSWD_NOTREQD flag set. Users with this attribute are not subject to the password policy, and some may have a blank password.
We can enumerate the users with this attribute set with this PowerView line:
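As an added example that is not from the original notes or from PowerView, the two checks above (passwords in the description field and the PASSWD_NOTREQD flag) carried out in Python over constructed user records, with the findings exported as CSV. On a real domain the records would come from an LDAP query returning sAMAccountName, description and userAccountControl.

```python
"""Audit user accounts for description-field passwords and PASSWD_NOTREQD."""
import csv
import io
import re
from typing import Dict, List, Optional

UF_PASSWD_NOTREQD = 0x0020  # userAccountControl flag: no password required

# Heuristic: a password keyword, an optional ':' or '=', then the next token.
# It produces false positives ("password reset required"); review hits by hand.
PASSWORD_HINT = re.compile(r"\b(?:pass(?:word|wd)?|pwd)\b\s*[:=]?\s*(\S+)", re.IGNORECASE)


def description_password(desc: Optional[str]) -> Optional[str]:
    """Return the token that follows a password keyword, or None."""
    m = PASSWORD_HINT.search(desc or "")
    return m.group(1) if m else None


def audit_users(records: List[Dict]) -> List[Dict[str, str]]:
    """Flag accounts exempt from the password policy or leaking a password."""
    findings = []
    for rec in records:
        issues = []
        if int(rec.get("userAccountControl", 0)) & UF_PASSWD_NOTREQD:
            issues.append("PASSWD_NOTREQD")
        if description_password(rec.get("description")):
            issues.append("description_password")
        if issues:
            findings.append({"user": rec["sAMAccountName"],
                             "issues": ";".join(issues),
                             "description": rec.get("description", "")})
    return findings


def to_csv(findings: List[Dict[str, str]]) -> str:
    """Serialise the findings as CSV text (the large-domain export mentioned above)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["user", "issues", "description"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


# Constructed sample records (hypothetical accounts, not from any real domain)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "description": "Backup service, password: Summer2019!"},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "description": "Sales"},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x220, "description": "Lobby kiosk"},
    {"sAMAccountName": "tmp_admin", "userAccountControl": 0x220, "description": "pwd=Welcome1"},
]

if __name__ == "__main__":
    print(to_csv(audit_users(SAMPLE_USERS)))
```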
Group Policy Preferences
Search for passwords in the Group Policy Preferences .XML files such as Groups.xml and Registry.xml. These passwords can be found in these cached .XML files in the SYSVOL share when autologon is enabled on a system or when a Group Policy Preference is applied to computers in an OU. Two CrackMapExec modules exist to hunt for these passwords:
gpp_autologin
gpp_password
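As an added example that is not from the original notes or from CrackMapExec, a Python scanner for the two kinds of stored credential the modules above hunt for: the cpassword attribute in preference files such as Groups.xml, and a Winlogon DefaultPassword value written by a Registry.xml preference. It only reports where they are so they can be removed and does not decrypt anything; the XML samples are constructed, and in practice the function would be run over every .xml file under the SYSVOL Policies folder.

```python
"""Locate stored credentials in Group Policy Preference XML without decrypting them."""
import xml.etree.ElementTree as ET
from typing import Dict, List


def scan_gpp_xml(filename: str, xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per stored credential found in a GPP XML document."""
    root = ET.fromstring(xml_text)
    findings = []
    # Username of an autologon preference, if present, for reporting only
    autologon_user = next((p.get("value", "") for p in root.iter("Properties")
                           if p.get("name") == "DefaultUserName"), "")
    for elem in root.iter():
        # Any preference item (Groups, Services, Drives, ...) carrying cpassword
        if "cpassword" in elem.attrib:
            findings.append({"file": filename, "kind": "cpassword",
                             "account": elem.get("userName", elem.get("accountName", ""))})
        # A Registry preference writing DefaultPassword under the Winlogon key
        if (elem.tag == "Properties" and elem.get("name") == "DefaultPassword"
                and "winlogon" in elem.get("key", "").lower() and elem.get("value")):
            findings.append({"file": filename, "kind": "autologon",
                             "account": autologon_user})
    return findings


# Constructed samples mimicking SYSVOL files; the secrets are placeholders
GROUPS_XML = """<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>"""

REGISTRY_XML = """<RegistrySettings>
  <Registry name="DefaultUserName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" type="REG_SZ"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultUserName" value="kiosk"/>
  </Registry>
  <Registry name="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" type="REG_SZ"
                key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                name="DefaultPassword" value="CONSTRUCTED_PLACEHOLDER"/>
  </Registry>
</RegistrySettings>"""

CLEAN_XML = '<Groups><User name="Guest"><Properties action="U" userName="Guest"/></User></Groups>'

if __name__ == "__main__":
    for name, text in [("Groups.xml", GROUPS_XML), ("Registry.xml", REGISTRY_XML), ("ok/Groups.xml", CLEAN_XML)]:
        print(name, scan_gpp_xml(name, text))
```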
Credentials in SMB Shares and SYSVOL Scripts
Check for credentials in scripts in the SYSVOL share.
Group-Policy
Enumerate Group Policy.
Check whether the Domain Users group has any control over one or more GPOs.
GPOs can be abused with the SharpGPOAbuse .NET tool.