홈 랩을 만들어 내부망 관련된 모의해킹을 하려면 실무에서 마주칠 수 있는 잘못된 설정을 홈랩에 "심어야"한다. 대부분의 모의해커들은 공격할 줄은 알지만, 공격이 가능한 잘못된 설정이 어디서 왜 발생한 것인지는 모르는 경우가 많다. 다음은 AD 공격과 관련된 잘못된 설정을 하는 명령어들이다.
다음의 설정들은 자신의 홈랩이 아니라면 절대로 적용해서는 안된다. 이에 따라 발생할 수 있는 피해와 관련해 레드팀 프로젝트는 책임을 지지 않는다.
LDAP Signing on/off
# GPO
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Domain Controller: LDAP Server Signing Requirements
LDAP Channel Binding
# Registry
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding" -Value 3
LDAP Anonymous Bind Enabled
# Powershell
$directoryServicesDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration," + (Get-ADDomain).DistinguishedName
$currentValue = (Get-ADObject -Identity $directoryServicesDN -Properties "dSHeuristics").dSHeuristics
if ($currentValue -ne "0000002") {
Set-ADObject -Identity $directoryServicesDN -Replace @{dSHeuristics="0000002"}
Write-Output "dSHeuristics updated successfully."
} else {
Write-Output "dSHeuristics is already set to the desired value."
}
$domainDN = (Get-ADDomain).DistinguishedName
& dsacls "CN=Users,$domainDN" /G 'ANONYMOUS LOGON:GR'
# --------- GUI -----------
# ADSI and dSHeurstics setting
ADSI Edit > Connection Settings + Select A Well known Naming Context "Configuration >
CN=Services > CN=Windos NT > CN=Directory Services > Properties > dSHeuristics set to 0000002 (seven zeros)
# Anonymous Logon READ permission on Users Container
ADUC > Advanced > Users Container > Properties > Permissions > Add > Anonymous Logon > "READ" permission
# ------- DEBUG --------
crackmapexec ldap <Dc> -u '' -p '' --users
SMB signing off
set-smbserverconfiguration -requiresecuritysignature $False
Defender off
set-mppreference -disablerealtimemonitoring $true -DisableScriptScanning $true -DisableIOAVProtection $true
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -name "DisableAntiSpyware" -value 1 -Type DWORD
Windows update off
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f
sc.exe config wuauserv start= disabled
net.exe stop wuauserv
Firewall off
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Winrm
Enable-PSRemoting -Force
winrm set winrm/config/Client '@{AllowUnencrypted = "true"}'
Set-Item WSMan:localhost\client\trustedhosts -value * -Force
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Password Policy
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
NTLMv1 - server
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 0 /f
Two-way Trust
1. Allow zone transfer on the DCs (to any server for more misconfiguration!). DNS -> Domain -> Properties -> Zone Transfer -> Allow to any. Do this for both forest's DCs.
2. Create secondary zone for each DCs. DNS -> Forward Lookup Zones -> ?New zones -> secondary zone -> name blahblah -> type in each others' DC ip -> good!
3. Create two-way trust!
- I did selective trust, but more misconfiguration would be forest-wide trust.
- For some reason, creating domain trust from domainA -> domainB worked, but domainB -> domainA resulted in "domain cannot be contacted". Even after dns restart, reboot, etc. ???
ShadowCoerce - FSRVP
File and Storage service -> File and iSCSI service -> File Server VSS Agent Service
DFSCoerce - DFSNM
File and Storage service -> File and iSCSI service -> DFS Replication
ADCS Various ESC
# Create Cert Template
- certtmpl.msc -> Duplicate User -> Subject Name -> Supply in request (required for ESC1,2,3)
- Extensions -> Application Policies -> Edit this for EKU (client auth, any purpose)
- Security -> Give write/enroll permission to Domain Users (various ESC)
- Change the name of the template
# Publish Cert Template
- Use Enterprise admin. Even domain admin doesn't work.
- certsrv.msc -> Certificate Templates -> New -> the template that we created above
-------
# ESC6
- certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
- This requires a reboot.
---
# ESC8
Install Web Enrollment and Web Service.
Make sure to install CA first, separately. When CA is installed and configured, then install Web Enrollment and Web Service.
LLMNR powershell scuffed version
while($true)
{
ls \\doesntexist\share\update.ps1
start-sleep -seconds 5
}
---
# Setting the GPO for batch job rights
Running from a DC -> Assign the user a "Batch job rights" through GPO
Either open domain policy (if not DC) or Default Domain Controller policy (if DC)
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment node > Log on as a batch job > specify the user that's running the task
gpupdate.exe /force
---
# Actually creating Task Scheduler
New Task -> Run whether user is logged on or not -> Change User or group to whatever user to run
Triggers -> At Startup
Actions -> start a program -> powershell.exe (-execution bypass c:\scripts\check.ps1)
DCSync - domain user
# Powerview ez clap
Add-ObjectACL -PrincipalIdentity spotless -Rights DCSync
# Using Active Directory Administrative Center because no internet :sadge:
domain right click -> properties -> scroll down -> security -> Add specific domain user or group -> Allow the following
- Replicating Directory Changes
- Replicating Directory Changes All
- replicating Directory Chagnes in Filtered Set
Sometimes ADAC might just crash, but the change goes through (wtf)
LSA configuration
# Optional (I think)
Default Domain GPO -> Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service > specify domain user here
gpupdate.exe /force
# Go to whatever host and just change print spooler because it's easy
services.msc > UPNP Device Host or Print Spooler > properties > logon > domain/user user + password
restart > fails. doens't matter, creds are stored in plaintext in lsa secrets hive.
Disable SMBv1 for no MS17-010 (shikata)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Shadow Credentials & GenericAll
# Giving permissions on user A to have genericAll rights on user B
ADAC -> Domain -> Users -> user B -> Properties -> scroll down to Extensions -> Security -> Advanced -> user A -> check genericAll rights
# Remember, add rights on user B that will ALLOW user A to genericAll. So edit user B.
Netlogon share
c:\windows\sysvol\sysvol\<domain>\scripts
RBCD
# ty ired.team - spotless
# pre-reqs
1. User has local admin rights on WS02
2. User has WRITE privilege on target WS01
3. WS02 (or other machines) vulnerable to auth coercion and has WebDAV installed
seems like the target need to be a privileged box like DC for RBCD to be useful?
LDAP Signing off
Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain Controller: LDAP server signing requirements -> None
Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LDAP client signing requirements -> None
gpupdate.exe /force
WebDAV
Features -> IIS -> WebDAV, basic auth, windows auth
IIS -> Default Web site -> WebDAV authoring rules -> *, All Users, read+write+source, then "Enable WebDAV"
IIS -> Default Web Site -> Authentication -> Enable Anonymous, Basic, and Windows auth
IIS -> Default Web site -> Advanced (WebDAV Settings) -> Allow Anonymous Property Queries "True"
IIS -> Default WEb site -> WebDAV authoring rules -> Disable and Enable webdav (restart)
Fingers crossed it works now
# Having WebDAV on CA server with Web Enrollment may not work - need more testing.
MachineAccountQuota - for shared lab environment
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
Set-ADDomain -Identity <DomainName> -Replace @{"ms-DS-MachineAccountQuota"="500"}
Adding Users
# Loop this with random passwords from rockyou.txt
New-ADUser -Name "username" -Accountpassword (Read-Host -AsSecureString "password") -Enabled $true -PasswordNeverExpires $true
See my license
slmgr /dlv
Rearm
slmgr.vbs -rearm
Full clone machine Sysprep change SID
# Sometimes, fully cloned machines have duplicate SID, which prevents the machines from joining the domain. Use Sysprep to change that.
c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /reboot
# change the hostname and the static ip address after the sysprep reboot
# get machine sid for sanity check
get-adcomputer computername -prop sid
Allow Anonymous access on shares
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name "everyoneincludesanonymous" -value 1 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name "restrictanonymous" -value 0 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name "restrictanonymoussam" -value 0 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -name "LimitBlankPasswordUse" -value 0 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -name "requiresecuritysignature" -value 0 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -name "restrictnullsessaccess" -value 0 -Type DWORD
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -name "NullSessionPipes" -value "*" -Type String
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -name "NullSessionShares" -value "*" -Type String
# Right click on share -> Properties
- "Security" > Add Everyone and add all permissions
- "Sharing" > Advanced Sharing > permissions > Add Everyone and all permissions
# Test it, or use cme
net use \\servername\sharename "" /user:""
Guest/Anonymous access on shares ver.2
# Allow anonymous on Windows 10
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "AllowInsecureGuestAuth" -Value 1 -Type DWord
# Activate guest account
net user guest /active:yes
# Ensure directory structure for SMB share exists
New-Item -Path "C:\" -ItemType Directory -Force
# Add Everyone full control to the directory
$acl = Get-Acl -Path "C:\"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.SetAccessRule($accessRule)
Set-Acl -Path "C:\" -AclObject $acl
# Create SMB share
New-SmbShare -Name "C" -Path "C:\" -FullAccess "Everyone" -Description "Entier C Filesystem"
Remove History
echo "hi" >> (Get-PSReadlineOption).HistorySavePath
clear-history
SCCM Server Installation
References:
- https://www.prajwaldesai.com/sccm-1902-install-guide-using-baseline-media/#Step-by-Step-SCCM-1902-Install-Guide
- https://www.prajwal.org/sccm-network-access-account/
The references are pretty straight forward.
- Domain container, user, group configuration
- Install SQL server on the server that SCCM will be also installed. (SQL2017, SCCM 2203 worked)
- If SCCM complains about not finding the correct MSSQL instance,
do NOT do "install primary standalone" option. Just go full manual and specify the SQL server
FQDN and the instance name.
- ENSURE to install the "primary site". DO NOT install the configuration site.
- Ensure current user has a SQL administrator priv - during SQL installation
- Ensure SQL service is running through SQL Server Configuration manager.
- Ensure SQL service has dynamic port <none> and tcp port 1433 via SQL server configuration manager
- If the default MSSQLSERVER instance got messed up during SQL installation, just install another SQL instance like SCCMSQL and use that during SCCM splash installation.
- gl!
Remote Desktop Service for Windows Server machines
Get-WindowsFeature -Name RDS-RD-Server | Select-Object -ExpandProperty Installed
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools
restart-computer -force
(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
# Scheduled Task to reset RDS 120 days trial
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$folderPath = 'C:\scripts'
if (-not (Test-Path $folderPath)) { New-Item -Path $folderPath -ItemType Directory }
Invoke-WebRequest 'https://raw.githubusercontent.com/pbv7/reset-rds-grace-period/main/reset-rds-grace-period.ps1' -OutFile "$folderPath\reset-rds-grace-period.ps1"
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -File '$folderPath\reset-rds-grace-period.ps1' -Force -RestartTS"
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am
Register-ScheduledTask -TaskName 'ResetRDSGracePeriod' -Action $Action -Trigger $Trigger -RunLevel Highest
RDPWrap for Win10/Win11 client machines
https://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
invoke-webrequest -uri "https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip" -outfile "C:\rdpwrap.zip"
Expand-archive -path "C:\rdpwrap.zip" -destinationpath "C:\rdpwrap"
start-process cmd.exe "/c c:\rdpwrap\install.bat" -Wait -NoNewWindow
Stop-Service termservice -Force
Invoke-WebRequest https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini -outfile "C:\Program Files\RDP Wrapper\rdpwrap.ini"
restart-computer -force
XP_CMDSHELL vulnerable MSSQL server (kobitwave, hello - osint folks! - check git history)
1. Create cmd_shell proxy domain user account
- domain.com\proxy_user:Password123!
2. Enable xp_cmdshell by default, to all users
USE master;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GRANT EXEC ON xp_cmdshell TO PUBLIC;
3. Configure proxy user
USE master;
-- Create the credential for the proxy account
CREATE CREDENTIAL [##xp_cmdshell_proxy_account##]
WITH IDENTITY = 'domain.com\user',
SECRET = 'pass';
-- Set the xp_cmdshell proxy account
EXEC sp_xp_cmdshell_proxy_account 'domain.com\proxy_user', 'pass';
4. Test
└─# mssqlclient.py doamin.com/user:[email protected] -windows-auth
xp_cmdshell whoami