Microsoft Extra
Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (ADCS) is quite a jolly good source of potential vulnerabilities, I must say!
I didn't have time to write this up properly, but it's a rather splendid source of pwn. Please, do read the following resources. They completely deserve your time:
- Certified Pre-Owned (Post)
- Certified Pre-Owned (Whitepaper)
- AD CS relay attack - practical guide
- NTLM relaying to AD CS - On certificates, printers and a little hippo
Here are the related tools:
- Certify: Ask for certificates and review weaknesses in the ADCS configuration.
- ForgeCert: Build custom/golden certificates to impersonate users.
- Kekeo: In this case used to get a TGT or retrieve the NT hash using a certificate.
- Rubeus: In this case used to get a TGT or retrieve the NT hash using a certificate.
- ntlmrelayx.py (ExAndroidDev impacket fork): Perform NTLM relay attacks against the ADCS web endpoint.
- PetitPotam: To trigger the NTLM relay attack.
- PKINITTools: In this case used to retrieve the NT hash using a certificate, among other things. Python tools.
- certi.py: Impacket version of Certify. Ask for certificates and review the ADCS configuration.
LAPS (Local Administrator Password Solution)
LAPS is a rather useful utility to manage the passwords of the domain computers' local administrators. LAPS randomises each local administrator password in order to avoid credential reuse and changes it periodically.
For this purpose, LAPS adds two properties to the computer objects of the domain: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
ms-Mcs-AdmPwd stores the machine's local Administrator password and can only be read by principals that have been explicitly granted access to it. If you are able to get the local administrator password, you can connect to the computer (using NTLM authentication) with... well, admin rights.
The other property, ms-Mcs-AdmPwdExpirationTime, can be read by anyone (by default), so in order to identify computers managed by LAPS, you can search for computer objects that contain that property.
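The LAPS coverage check described above, as an added example that is not part of the original post: given computer objects fetched from LDAP (with ldap3, ldapsearch or similar; the fetch itself is left out), it separates LAPS-managed from unmanaged hosts using the world-readable ms-Mcs-AdmPwdExpirationTime attribute, and flags managed hosts whose rotation deadline has already passed, which usually means the LAPS client has not run or the host is offline. The three computer entries and the fixed "now" are constructed sample data.

```python
"""Audit LAPS coverage from the attribute any domain user can read.

Added example, not code from the original post. It assumes the computer
objects were already fetched from LDAP and are supplied as plain dicts;
the sample entries below are constructed.
"""
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100-nanosecond
# ticks since 1601-01-01 UTC, stored in AD as a large-integer string.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME value to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def audit_laps(computers, now=None):
    """Classify computer objects by LAPS state.

    ``computers`` is an iterable of dicts with at least ``sAMAccountName``;
    ``ms-Mcs-AdmPwdExpirationTime`` is present only on LAPS-managed hosts.
    Returns a dict with three lists: ``managed``, ``unmanaged`` and
    ``expired`` (managed hosts whose rotation deadline lies in the past).
    """
    now = now or datetime.now(timezone.utc)
    report = {"managed": [], "unmanaged": [], "expired": []}
    for computer in computers:
        name = computer["sAMAccountName"]
        raw = computer.get("ms-Mcs-AdmPwdExpirationTime")
        if raw is None:
            # No expiration attribute at all: LAPS never touched this host.
            report["unmanaged"].append(name)
            continue
        report["managed"].append(name)
        if filetime_to_datetime(int(raw)) < now:
            report["expired"].append(name)
    return report


# Constructed sample: what an LDAP search for (objectClass=computer)
# might return, reduced to the two attributes the audit needs.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WS01$", "ms-Mcs-AdmPwdExpirationTime": "132750000000000000"},  # 2021-09-01
    {"sAMAccountName": "WS02$", "ms-Mcs-AdmPwdExpirationTime": "133000000000000000"},  # 2022-06-18
    {"sAMAccountName": "SRV-LEGACY$"},  # no LAPS attribute at all
]
# Fixed reference time so the result is deterministic: 2022-05-01 UTC.
SAMPLE_NOW = datetime(2022, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_laps(SAMPLE_COMPUTERS, SAMPLE_NOW))
```

Run against a real export, the "unmanaged" list is the set of hosts whose local administrator password is not being rotated, and the "expired" list points at hosts where LAPS is configured but not actually working.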
Exchange
Exchange is a mail server developed by Microsoft that can be installed on the Windows Servers and integrated with Active Directory.
When Exchange is installed, several groups and ACEs are created in the domain.
Perhaps the most relevant thing before the February 2019 update is that the Exchange Windows Permissions group had the WriteDacl permission over the domain object by default. That means that in outdated installations (which certainly exist in the wild) members of that group can write ACEs granting the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions to any user in the domain, allowing that account to perform a dcsync attack and retrieve the domain users' credentials.
Additionally, the Exchange Trusted Subsystem group, to which all the Exchange servers belong, is a member of the Exchange Windows Permissions group. Therefore, compromising any Exchange server could give an attacker the permissions needed to compromise the entire domain.
Perhaps the most famous abuse of Exchange permissions was the PrivExchange attack, which abuses a vulnerability in Exchange servers that allows a user to force an HTTP authenticated connection from the Exchange server to another computer. By then performing an NTLM relay attack from HTTP to LDAP, the Exchange server was coerced into granting DCSync rights to an arbitrary user account. Microsoft also released the patch for this vulnerability in the February 2019 update.
Moreover, the Organization Admins group (also added by Exchange) can control the membership of Exchange Windows Permissions and Exchange Trusted Subsystem. Apart from that, the Organization Admins are local administrators on the Exchange servers, so being a member of this group will also allow a user to compromise the entire domain.
.---------------------.  controls   .-----------------------------.  WriteDacl  .--------.
| Group               |------------>| Group                       |------------>| Object |
| Organization Admins |             | Exchange Windows Permission |             | domain |
'---------------------'             '-----------------------------'             '--------'
   |      |                                        ^
   |      | controls                               | member
   |      v                                        |
   |   .----------------------------.              |
   |   | Group                      |--------------'
   |   | Exchange Trusted Subsystem |
   |   '----------------------------'
   |          ^             ^
   |          | member      | member
   |          |             |
   |      .-------.     .-------.    Exchange Servers
   |      | exch1 |     | exch2 |
   |      '-------'     '-------'
   |          ^             ^
   '----------'-- admin of -'
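The permissions discussed in this section are all ACEs on the domain object, so the natural defensive check is an audit of that object's DACL. The following is an added example, not code from the original post: it takes the ACEs of the domain head already exported as dicts (for instance from `(Get-Acl "AD:\DC=corp,DC=local").Access` or a decoded nTSecurityDescriptor) and reports every principal outside an expected list that holds either a control right (GenericAll, WriteDacl, WriteOwner, the default Exchange Windows Permissions situation before the February 2019 update) or one of the replication extended rights that make DCSync possible. The rightsGuid values are the well-known ones for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the sample DACL and the CORP domain are constructed.

```python
"""Audit the domain object's DACL for control rights and DCSync rights.

Added example, not code from the original post. It expects ACEs already
exported as plain dicts with the .NET ActiveDirectoryAccessRule field
names; the entries below are constructed.
"""

# Well-known rightsGuid values of the replication extended rights.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# An ExtendedRight ACE with the null GUID grants every extended right.
ALL_EXTENDED_RIGHTS = "00000000-0000-0000-0000-000000000000"
REPLICATION_LABELS = {
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    ALL_EXTENDED_RIGHTS: "all-extended-rights",
}

# Rights that let the holder rewrite the DACL and so grant itself anything.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}

# Principals expected to hold such rights on a domain head (constructed
# for the CORP domain; adjust per environment). The audit reports
# everyone who is NOT on this list.
EXPECTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CORP\\Domain Admins",
    "CORP\\Enterprise Admins",
    "CORP\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}


def find_risky_aces(aces, expected=EXPECTED_PRINCIPALS):
    """Return {principal: sorted findings} for unexpected Allow ACEs.

    Each ACE dict carries IdentityReference, ActiveDirectoryRights (comma
    separated, as PowerShell prints it), ObjectType (GUID string) and
    AccessControlType ("Allow" or "Deny").
    """
    findings = {}
    for ace in aces:
        if ace.get("AccessControlType", "Allow") != "Allow":
            continue  # Deny ACEs grant nothing
        who = ace["IdentityReference"]
        if who in expected:
            continue
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        guid = ace.get("ObjectType", ALL_EXTENDED_RIGHTS).lower()
        hits = []
        control = rights & CONTROL_RIGHTS
        if control:
            hits.append("control:" + ",".join(sorted(control)))
        if "ExtendedRight" in rights and guid in REPLICATION_LABELS:
            hits.append("replication:" + REPLICATION_LABELS[guid])
        if hits:
            findings.setdefault(who, []).extend(hits)
    return {who: sorted(hits) for who, hits in findings.items()}


# Constructed sample DACL: a pre-February-2019 Exchange default plus a
# service account that was handed both replication rights.
SAMPLE_ACES = [
    {"IdentityReference": "CORP\\Domain Admins", "ActiveDirectoryRights": "GenericAll",
     "ObjectType": ALL_EXTENDED_RIGHTS, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\Exchange Windows Permissions",
     "ActiveDirectoryRights": "WriteDacl", "ObjectType": ALL_EXTENDED_RIGHTS,
     "AccessControlType": "Allow"},
    {"IdentityReference": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": DS_REPL_GET_CHANGES,
     "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\svc-backup", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\svc-backup", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES_ALL, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\helpdesk", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": DS_REPL_GET_CHANGES_ALL, "AccessControlType": "Deny"},
]

if __name__ == "__main__":
    for principal, hits in find_risky_aces(SAMPLE_ACES).items():
        print(principal, hits)
```

On the sample, the Exchange Windows Permissions group is reported for WriteDacl and svc-backup for both replication rights; the denied helpdesk ACE and the expected Enterprise Domain Controllers entry are ignored. A principal holding only one of the two replication rights is still worth reporting, since the other can usually be added by whoever granted the first.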
SQL Server
Microsoft SQL Server (MSSQL) is a database management system created by Microsoft. It's usually installed on Windows Server machines, listening on TCP port 1433, and many web applications use it as their database.
It's possible to connect to SQL Server by using domain credentials, since it uses the TDS (Tabular Data Stream) protocol (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/b46a581a-39de-4745-b076-ec4dbb7d13ec), which supports NTLM and Kerberos authentication.
To communicate with a SQL Server, it's possible to use the TDS protocol directly over TCP or over SMB. When using TCP, the default port is 1433, but it's also possible to use a dynamic port.
.------.      .----------.
| NTLM |      | Kerberos |
'------'      '----------'
    |              |
    '------.-------'
           |
        .-----.         .-----.                  .------------.
        | TDS |-------->| SMB |---- 445/TCP ---->|            |
        '-----'         '-----'                  |            |
           |                                     |    SQL     |
           '---------------- 1433/TCP ---------->|   Server   |
                                                 |            |
        .------.                                 |            |
        | SQLR |--------------- 1434/UDP ------->|            |
        '------'                                 '------------'
When a dynamic port is used, a random TCP port is selected. To allow a remote client to discover this port, the SQL Server Browser must be enabled on UDP port 1434, waiting for SQLR (SQL Server Resolution) queries. You can use the impacket mssqlinstance.py tool to discover the SQL Server dynamic port.
$ mssqlinstance.py 192.168.100.19
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Instance 0
ServerName:SRV01
InstanceName:SQLEXPRESS
IsClustered:No
Version:15.0.2000.5
[*] Instance 1
ServerName:SRV01
InstanceName:MSSQLSERVER
IsClustered:No
Version:15.0.2000.5
tcp:50377
Here, you can see that the SQL Server port is 50377. Now you can use a SQL Server client like HeidiSQL, SQL Server Management Studio, or PowerUpSQL to connect to the database.
PS C:\> . .\PowerUpSQL.ps1
PS C:\> Get-SQLQuery -Query "Select @@version" -Instance "srv01,50377"
Column1
-------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) ...
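The discovery step above works because the SQL Server Browser answers a one-byte CLNT_UCAST_EX request on 1434/UDP with a SVR_RESP datagram whose body is a ';'-delimited string, one instance per ";;"-terminated record, exactly the fields mssqlinstance.py prints. As an added example (not the post's code and not Impacket's), here is a parser for that response plus a small client that can be pointed at a host, useful for inventorying which instances are reachable and on which dynamic port. The wire format follows MS-SQLR; the reply bytes below are constructed to mirror the two instances shown in the output.

```python
"""Parse SQL Server Resolution Protocol (SSRP) replies from the SQL Server
Browser on 1434/UDP.

Added example, not code from the original post or from Impacket. Wire
format per MS-SQLR: client sends CLNT_UCAST_EX (0x03); server replies
SVR_RESP (0x05), a 2-byte little-endian length, then the ASCII body.
The sample reply is constructed.
"""
import socket
import struct
from typing import Dict, List

CLNT_UCAST_EX = b"\x03"
SVR_RESP = 0x05
SSRP_PORT = 1434


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Turn a raw SVR_RESP datagram into a list of instance dicts."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue  # trailing empty piece after the last ";;"
        fields = record.split(";")
        # Alternating key/value pairs: ServerName;SRV01;InstanceName;...;tcp;50377
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_ports(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Map instance name to its advertised TCP port.

    Instances without a ``tcp`` field are not listening on TCP at all
    (named pipes / shared memory only), so they are left out.
    """
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


def query_browser(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send CLNT_UCAST_EX to host:1434/udp and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed reply: the SQLEXPRESS instance has no TCP listener, the
# default instance advertises dynamic port 50377.
SAMPLE_BODY = (
    "ServerName;SRV01;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;;"
    "ServerName;SRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;50377;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY.encode("ascii")

if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst)
    print(tcp_ports(parse_ssrp_response(SAMPLE_RESPONSE)))
```

Because the Browser service answers anyone who can reach 1434/UDP, the same query is an easy way to confirm from the network side whether an instance that should be internal-only is still advertising a port.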
An important aspect of SQL Server is the ability to execute operating system commands through the xp_cmdshell procedure, if it's allowed.
Sometimes, in misconfigured environments, even if xp_cmdshell is disabled, the user has enough privileges to enable it with the sp_configure directive.
Moreover, the xp_dirtree procedure can be useful to access files on the network (using UNC paths) or for making authenticated requests to other machines, which are made with the domain computer account, in order to collect NTLM hashes to crack or to perform NTLM relay.
SQL injection is out of the scope of this post, but if you want more information about how to exploit SQL injection in SQL Server or other databases, you can check the NetSPI, Pentest Monkey or PortSwigger cheat sheets.
Additionally, an incredibly useful characteristic for an attacker could be the SQL Server links. SQL Server allows creating links with other data sources, like other SQL databases.
The interesting thing about those links is that even if they're created by a privileged user like an administrator, they can be used by any user and will allow executing commands on remote machines with the privileges of the link creator.
  o              .-----.      SQL link       .-----.
 /|\ --unpriv--> | db1 | ------dbadmin-----> | db2 |
 / \             '-----'                     '-----'
Additionally, if you fancy pivoting through SQL Server, you can also convert it into a SOCKS proxy by using mssqlproxy.
For more ways to abuse SQL Servers, you can use the PowerUpSQL toolkit and, definitely, you should check its wiki.