After hours of OSINT (Open-Source Intelligence) and social engineering campaigns, your Red Team has finally obtained the coveted internal shell. The username, IP address, host and operating system information populate your Command and Control (C2) framework interface, and a new stage of the engagement begins. But now that you have the shell, where do you go from here? Truth is, you have a lot of options.

The importance of stage 0 and stage 1 payloads

Prior to obtaining the internal shell, it is important that you have been using a less signatured and less well known C2 framework and implant. This is often referred to as a stage 0 payload. Using this stage 0 method gives a higher chance of success in obtaining that initial foothold, because common C2s (like Cobalt Strike and Metasploit) are much more likely to be alerted on. This stage 0 payload should have just enough features to troubleshoot and pivot to a more fully featured C2 framework in a stage 1 delivery. In short, the stage 0 payload should:

- Be obscure and fairly unsignatured by common AV, either because it is a less well-known payload or because you have built it internally.
- Perform basic local enumeration for stage 1 troubleshooting.
- Load a later, obfuscated and unhooked stage 1 payload.

Our first step after some basic local system enumeration will likely be to conduct this pivot. If your target organization is using an EDR (Endpoint Detection and Response) product or next-gen AV (Anti-Virus), this will mean creating a new process, unhooking the EDR product in it, and injecting your stage 1 payload. These modern EDR and AV products hook into any newly created process and overwrite the Windows API entry points in ntdll with their own version of ntdll. This gives the EDR the ability to look for suspicious Windows API calls, report on them and block them before execution by the operating system. By overwriting these hooked ntdll calls with a clean copy of ntdll, we leave the EDR/AV blind to our further actions within this newly created process. There are many tools and techniques to carry this out. As of April 2022, Scarecrow is a great option. However, this payload obfuscation tool, like all others, will continue to be more and more signatured as time goes on and it becomes more common. Scarecrow allows us to take the shellcode for our stage 1 implant and overwrite these ntdll hooks, launching our stage 1 payload without the prying eyes of our target. The stage 1 delivery therefore needs to:

- Have shellcode loaders that can be packaged with an EDR unhooking solution, such as Scarecrow.
- Have shellcode loaders that store an encrypted payload which is only decrypted after the EDR has been unhooked.
- Be able to inject or execute into the current unhooked process for additional exploitation.
- Be able to open a reverse SOCKS proxy within its own unhooked process.

Although this process is now beyond the reach of our target's hooks, we still need to keep a careful eye on what is placed on disk, because it will be subject to static analysis. We also need to be careful about spawning, or injecting into, any other processes that have not yet been unhooked.

With our unhooked stage 1 implant, we can now work within our current process using BOFs (Beacon Object Files). Today, the tgtdelegation BOF is of special interest. This BOF allows us to remain in our current unhooked process and obtain a Kerberos ticket using the permissions of our existing low-privilege user shell, which can then be used to authenticate to other services on the network. It returns a Kerberos ticket that we can use for authentication within the domain. Once this is obtained, we can set up a reverse SOCKS proxy using either the built-in Cobalt Strike SOCKS proxy or another tool of our choice. Using the Cobalt Strike proxy continues to keep us out of sight of the EDR.

Now, with our Kerberos ticket in hand and a reverse proxy tunnel, we can begin lateral enumeration and escalation with Kerberos credentials from our low-privileged shell. An example command may look like the following:

proxychains certipy req -ca caserver -template VulnerableCertificate -k -no-pass -dns-tcp -target-ip 192.168.0.10 -dc-ip 192.168.0.1 -alt

This command exploits an ESC1 vulnerability, as one example.

We now have a reverse proxy into the domain environment and Kerberos credentials. Together with proxychains and tools like Impacket that can take advantage of Kerberos authentication, we can move on into the domain environment. At this point, the domain is your oyster.
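The certipy request above only works because the template meets every ESC1 precondition; from the defender's side, the same preconditions can be checked before an attacker does. The following is an added example, not code from this post or from Certipy: it audits template records for ESC1 using the msPKI flag bits and EKU OIDs documented for AD CS templates, and the records it runs over are constructed dicts shaped like pKICertificateTemplate LDAP attributes (the enrollment_rights key is a simplification of the real security descriptor), not data pulled from a domain.

```python
# Added example, not the post's code; the sample records below are constructed.
# Flag bits from the msPKI-* attributes (MS-CRTD).
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester sets SAN
PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval required

# EKU OIDs that make the issued certificate usable for domain authentication.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "2.5.29.37.0"}             # Any Purpose

# Groups every domain principal belongs to; enrollment rights for these make the
# template reachable from a low-privileged shell like the one in the post.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_findings(tpl: dict) -> list[str]:
    """Return the ESC1 preconditions this template satisfies (all five = ESC1)."""
    found = []
    if tpl["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        found.append("requester supplies the subject/SAN")
    if not tpl["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if tpl.get("msPKI-RA-Signature", 0) == 0:
        found.append("no authorized signature required")
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # no EKU at all also permits authentication
        found.append("authentication EKU or no EKU restriction")
    low = set(tpl.get("enrollment_rights", [])) & LOW_PRIV
    if low:
        found.append("enrollable by " + ", ".join(sorted(low)))
    return found

def audit(templates: list[dict]) -> list[str]:
    """Names of templates that meet every ESC1 precondition."""
    return [t["name"] for t in templates if len(esc1_findings(t)) == 5]

# Constructed samples: one like the post's VulnerableCertificate, and two that each
# fail one precondition (manager approval; enrollment limited to admins).
SAMPLE_TEMPLATES = [
    {"name": "VulnerableCertificate", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_rights": ["Domain Users"]},
    {"name": "ApprovedAuth", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_rights": ["Domain Users"]},
    {"name": "AdminOnlyAuth", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_rights": ["Domain Admins"]},
]
```

Any template that audit() reports is the fix target: clear the enrollee-supplies-subject flag, require manager approval or an authorized signature, or restrict enrollment to the groups that actually need the template.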