S3cur3Th1sSh1t / WinPwn

Automation for internal Windows Penetrationtest / AD-Security
BSD 3-Clause "New" or "Revised" License

ADCS ESC8 check Error #23

Closed forensic65x closed 3 years ago

forensic65x commented 3 years ago

I get the following errors when attempting the ADCS ESC8 check:

Import-Module : Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed. At line:4 char:1

Get-ADDomain : Entry point was not found. At C:\malware\WinPwn\WinPwn.ps1:2129 char:12

-------> Searching AD for ADCS Servers Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)" At line:4028 char:20

-------> Searching AD for ADCS Templates Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)" At line:4028 char:20

-------> Searching for the active CA-Server and checking for ESC8 (https://posts.specterops.io/certified-pre-owned-d95910965cd2)

Other domain related recon checks work without errors.

Any suggestions?

S3cur3Th1sSh1t commented 3 years ago

Seems like the AdModule import didn't work.

Is the system domain joined? Did you use the online or offline version?

forensic65x commented 3 years ago

Yes - the system is domain joined.

cmd /c set .... USERDOMAIN=REDACTED USERDOMAIN_ROAMINGPROFILE=REDACTED

I get this when I run winpwn

[?] Detecting system role ..

   [-] Some features in this script need access to the domain. They can only be run on a domain member machine. Pwn some domain machine for them!

   [+] ----->  Member Workstation

I've tried each of the 3 versions.

powershell -exec bypass

Import-Module .\Obfus_SecurePS_WinPwn.ps1
Import-Module .\Offline_WinPwn.ps1
Import-Module .\WinPwn.ps1

Running certutil -dump shows the CS server..

S3cur3Th1sSh1t commented 3 years ago

If you import the AD-Module manually via iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/ADModuleImport.ps1'), can you afterwards run functions like Get-ADDomain, for example, and get the output?

I'm pretty sure that the AD-Module import fails here. Alternatively you could Import it via

Import-Module ActiveDirectory

before running the WinPwn check.

I also found the following articles, which show similar errors:

https://social.technet.microsoft.com/Forums/en-US/ffea9fd8-3d75-4ada-bb0e-3139653a4b1c/issue-with-commandlet-getaddomaincontroller?forum=winserverDS

https://social.technet.microsoft.com/Forums/lync/en-US/852efaf9-b53b-4cc6-8f25-d49b74ddf66e/new-to-powershell-probably-an-easy-fix-to-my-problem?forum=winserverpowershell

Maybe it's an AD-Module specific known problem. The * as filter didn't work for others either; I already got that as feedback.

I will also look into building a custom AD-search filter here instead of the AD-Module.

forensic65x commented 3 years ago

Got this initially when trying to import the module manually..

Import-Module : A cmdlet named 'Get-ADRootDSE' already exists. Cmdlets must have unique names. At line:4 char:1

exited and restarted powershell..

Got this..

PS C:\WinPwn> iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/ADModuleImport.ps1')
PS C:\WinPwn> Get-ADDomain

DomainSID                          : S-1-5-21-redacted
AllowedDNSSuffixes                 : {}
LastLogonReplicationInterval       :
DomainMode                         : Windows2012R2Domain
ManagedBy                          :
LinkedGroupPolicyObjects           : redacted
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,redacted
DomainControllersContainer         : OU=Domain Controllers,redacted
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,redacted
Forest                             : redacted
InfrastructureMaster               : redacted
NetBIOSName                        : redacted
PDCEmulator                        : redacted
ParentDomain                       :
RIDMaster                          : redacted
SystemsContainer                   : CN=System,redacted
UsersContainer                     : CN=Users,redacted
SubordinateReferences              : {DC=ForestDnsZones,redacted
LostAndFoundContainer              : CN=LostAndFound,redacted
DeletedObjectsContainer            : CN=Deleted Objects,redacted
QuotasContainer                    : CN=NTDS Quotas,DC=redacted
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {redacted...}
DistinguishedName                  : DC=redacted
Name                               : redacted
ObjectClass                        : domainDNS
ObjectGuid                         : redacted
PropertyNames                      : {AllowedDNSSuffixes, ChildDomains, ComputersContainer, DeletedObjectsContainer...}
AddedProperties                    : {}
RemovedProperties                  : {}
ModifiedProperties                 : {}
PropertyCount                      : redacted

PS C:\WinPwn>

S3cur3Th1sSh1t commented 3 years ago

Okay, then it's definitely not the import. The bad thing is I can't replicate this behaviour. In my environments the queries worked fine so far.

As I said I’m also going to look for alternatives.

S3cur3Th1sSh1t commented 3 years ago

Ok, I found something interesting. I was able to replicate the * filter error in another environment. But running the function from outside of WinPwn ran successfully.

Can you try running the following instead:

iex(new-object net.webclient).downloadstring('https://gist.githubusercontent.com/S3cur3Th1sSh1t/0c9fa7c50e07b4f6708ca9795414e4e8/raw/7f71e7a51500f266a865a0f8bc56d7be86f92794/ADCS.ps1')

Do you get the same error here?

S3cur3Th1sSh1t commented 3 years ago

I think I fixed this one: f5230d24c1b3593f48f4b7587a21c98a4ba2b0d2

It was the PowerView Get-ADObject function which broke the one from the AD-Module. Can you re-try?
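A diagnostic for the name collision the fix addresses, added here as an example and not WinPwn's own code: it lists every command named Get-ADObject in the session, reports which one PowerShell actually resolves, and then runs the CA-server search through the module-qualified cmdlet so a dot-sourced function with the same name cannot intercept it. It assumes the ActiveDirectory module is already imported, as in the Get-ADDomain reproduction above; the helper name Get-CommandShadowing is made up for this example.

```powershell
# Example diagnostic (not part of WinPwn): show every command with a given name
# and which one PowerShell picks. Resolution order is alias > function > cmdlet,
# so a function named Get-ADObject defined by a dot-sourced script silently
# replaces the ActiveDirectory module cmdlet of the same name.
function Get-CommandShadowing {
    param([Parameter(Mandatory)][string]$Name)

    $all    = Get-Command -Name $Name -All -ErrorAction SilentlyContinue
    $winner = Get-Command -Name $Name -ErrorAction SilentlyContinue

    foreach ($c in $all) {
        [pscustomobject]@{
            Name        = $c.Name
            CommandType = $c.CommandType   # Function (script-defined) vs Cmdlet (AD module)
            Source      = $c.Source        # module name, or empty for an ad-hoc function
            Resolves    = ($null -ne $winner -and
                           $c.CommandType -eq $winner.CommandType -and
                           $c.Source -eq $winner.Source)
        }
    }
}

# If two rows appear and the Function row is the one that resolves,
# the cmdlet is shadowed and module-scoped calls will misbehave.
Get-CommandShadowing -Name 'Get-ADObject' | Format-Table -AutoSize

# Module-qualified call: bypasses any shadowing without unloading anything.
# This is the same search WinPwn performs for the "Searching AD for ADCS Servers"
# step: enrollment-service objects live under the configuration naming context.
$cfgNC = (ActiveDirectory\Get-ADRootDSE).configurationNamingContext
ActiveDirectory\Get-ADObject `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -SearchBase "CN=Public Key Services,CN=Services,$cfgNC" `
    -Properties dNSHostName, cACertificateDN |
    Select-Object Name, dNSHostName, cACertificateDN

# Alternative for the current session only: remove the shadowing function so the
# unqualified name resolves to the cmdlet again.
# Remove-Item Function:\Get-ADObject
```

If the Format-Table output shows only the Cmdlet row, the failure has another cause and the module-qualified search should behave exactly like the plain one.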

forensic65x commented 3 years ago

Did you still want me to test this?

iex(new-object net.webclient).downloadstring('https://gist.githubusercontent.com/S3cur3Th1sSh1t/0c9fa7c50e07b4f6708ca9795414e4e8/raw/7f71e7a51500f266a865a0f8bc56d7be86f92794/ADCS.ps1')

S3cur3Th1sSh1t commented 3 years ago

No need for it. But the WinPwn menu works for you now?

S3cur3Th1sSh1t commented 3 years ago

I'll close this now because I think it's fixed. You can re-open if you did further tests and face new issues.