Closed albfflk closed 1 year ago
PATH1 sounds good. See genericall abuse info. If "Myuser" is memberof Group1 and Group1 members are members of Group2 and Group2 has GenericAll on Domain you can use bloodyAD setDCSync
. If it doesn't work, could you give me the output for bloodyAD getObjectAttributes 'DomainDN' nTSecurityDescriptor True
? You should see DS-Replication-Get-Changes as well as DS-Replication-Get-Changes-All rights
Thanks for your answer, it ended up that the path was not valid, not sure if someone changes the ACLs... but I got a new dump and it gone. I tried again and found another path, like this:
Muser (user) <---> (GenericAll) SQLSrv2022
SQLSrv2022 (192.168.1.10) is not domain admin but it a server and DC IP is 192.168.1.31, I confirmed that you tool worked.
─$ python3 bloodyAD.py -d company -u MUser -p Passw0Rd --host 192.168.1.31 setGenericAll S-1-5-21-1504728495-0493274895-4372345346-36233 S-1-5-21-1504728495-0493274895-4372345346-9032
[*] S-1-5-21-1504728495-0493274895-4372345346-36233 SID is: S-1-5-21-1504728495-0493274895-4372345346-36233
[!] This right already exists
[+] nTSecurityDescriptor set successfully
[+] S-1-5-21-1504728495-0493274895-4372345346-36233 has now GenericAll on S-1-5-21-1504728495-0493274895-4372345346-9032
└─$ python3 bloodyAD.py -d company -u MUser -p Passw0Rd --host 192.168.1.31 changePassword 'SQLSrv2022$' Passw0Rd
[+] Password changed successfully!
┌──(kali㉿Nkali)-[~/bloodyAD]
└─$ python3 bloodyAD.py -d company -u MUser -p Passw0Rd --host 192.168.1.31 changePassword S-1-5-21-1504728495-0493274895-4372345346-9032 Passw0Rd
[+] Password changed successfully!
I was expecting to be able to change computer account (SQLSrv2022$) password and take control of the machine, it says that password was changed, but do not authenticate.
$ python3 smbexec.py company/'SQLSrv2022$':Passw0Rd@192.168.1.10 query -keyName HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA -s
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
$ python3 smbexec.py SQLSrv2022/'SQLSrv2022$':Passw0Rd@192.168.1.10 query -keyName HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA -s
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
$ python3 smbexec.py 'SQLSrv2022$':Passw0Rd@192.168.1.10 query -keyName HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA -s
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra
[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
Do you know why it says the password was changed if the auth failed?
I was reading the great link that you sent and GenericAll on computers appears to be a bit limited. In my case no LAPS on this server, reset password account of the machines doesnt appear to work.
Do you know any tool that allows to apply the resource based constraint delegation from a linux box? I guess that your tool allows to add a new computer name and define a value for msds-allowedtoactonbehalfofotheridentity, but not sure about the other parts.
Do you know any other attack in such cases?
BTW, do you know any project that allows to easily setup a domain environment vulnerable to test and learn such kind of attacks?
Not big deal, but maybe you are interested...I gave a try at your autobloody and got this error on last Kali version.
[*] Connection to Neo4j
[*] No proxy detected
Traceback (most recent call last):
File "/home/kali/autobloody/autobloody.py", line 6, in <module>
main.main()
File "/home/kali/autobloody/autobloody/main.py", line 31, in main
path_dict = pathgen(args)
File "/home/kali/autobloody/autobloody/main.py", line 50, in pathgen
db = database.Database(args.dburi, args.dbuser, args.dbpassword)
File "/home/kali/autobloody/autobloody/database.py", line 9, in __init__
self._prepareDb()
File "/home/kali/autobloody/autobloody/database.py", line 22, in _prepareDb
session.write_transaction(self._createGraph)
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_meta.py", line 82, in inner
return f(*args, **kwargs)
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/session.py", line 705, in write_transaction
return self._run_transaction(
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/session.py", line 487, in _run_transaction
result = transaction_function(tx, *args, **kwargs)
File "/home/kali/autobloody/autobloody/database.py", line 64, in _createGraph
graph_exists = tx.run("RETURN gds.graph.exists('autobloody')").single()[0]
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/transaction.py", line 156, in run
result._tx_ready_run(query, parameters)
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/result.py", line 116, in _tx_ready_run
self._run(query, parameters, None, None, None, None)
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/result.py", line 162, in _run
self._attach()
File "/home/kali/.local/lib/python3.10/site-packages/neo4j/_sync/work/result.py", line 270, in
If you want to report issues related to autobloody
please do it on the autobloody github repo. Also I would need the full error (yours is truncated)
Hello CravateRouge
Happy new year and congratulations for your super b tool.
It's my first time trying to exploit a Windows Domain ACL issue, I found your tool linked in a blogpost from DCSync, I discovered bloodyAD and acltoolkit with this blogpost. Well, I failed miserable trying to exploit it, I will be very helpful if you could provide some insights. My case is like the one below (obtained via bloodhound - if you think it helps, I can upload images anywhere or send to your email if you prefer), looks like two paths exist from MyUser to DomainAdmins via ACL issues.
I'm using output from the 3 tools, I hope that you don't mind, I wanted to make sure it was not an specific issue of a specific tool.
My first try as a dumb guy was to use DCSync from the blog post and I failed miserable.
It says that I don't have privilege, my guess was that I had to follow PATH2 for example and add MyUser to Enterprise Key Accounts or give GenericAll to Users Privileged Group and than DCSync, but I also failed miserable.
It says that I have no privilege at all, however bloodhound told that I could AddMember, I was thinking if Bloodhound could have interpreted it wrong, but I guess the error is me. Any advice here?
I moved to give GenericAll to the Privileged group and this time the error was different in both tools which called my attention
Where -target-sid is the value of "Users Privileged Group" and -granted-sid is the SID of Myuser.
One thing that called my attention is that the errors are different from both tools. Curious, not?
Have you seen this before? I searched at Google and it says in some forums that the error from the second tool could be privilege missing (similar to the error of the first tool) and others some crazy stuff about CN / DN names. Any guess?
I was curious if Bloodhound got data wrong, so I used these awesome tools to see the privilege of Myuser and it display the following.
The first thing that called my attention was this "adminCount: True". Does it means that the user was supposed to be Admin?
A bunch of information about groups that I'm member and finally the end (that looks interesting to me):
I got a bit confused here, in this case the ADRights is what I should consider? Or the IsInherited as False means that I dont have this priv?
This AccessMask appears weird to me, I was searching about it and found https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask
But I cant find a value that represent for example 983487, even converting from decimal to hex (983487) it does not match. Do you know any tool or site that may help to convert it properly?
I did with the great bloodyAD as well.
I tried set-objectowner and a lot of other combinations, all with the same errors.
This thing of ACE and ACL is a bit obscure to me yet, just to try learn I got another user and this one was very different and a few things called my attention while enumerating objects and privileges...
First thing, adminCount is False, which is different from my previous user. However below it gets curious
The DS-Replication-Synchronize does not show up. Normal? Is it expected?
However on the DACL part it says:
It says GENERIC_ALL, and for enterprise admins also GENERIC_ALL and IsInherited true this time (come from a groups that this member belongs I guess).
If I try DCsync or for example set GenericAll I get the same error as before, saying INSUFF_ACCESS_RIGHTS...
I tried all kind of stuff, even the ones that are not supposed to work! LOL
Sorry for long post