Tuesday, December 12, 2023

TRYHACKME'S ADVENT OF CYBER 2023 (Day 11)

Day 11 - "Jingle Bells, Shadow Spells"


The learning objectives of day 11 were:

  • Understanding Active Directory
  • Introduction to Windows Hello for Business
  • Prerequisites for exploiting GenericWrite privilege
  • How the Shadow Credentials attack works
  • How to exploit the vulnerability

In this task we were provided with access to a user account on AD and we had to answer the questions after exploiting the vulnerability found.

We were briefed on Active Directory, Windows Hello for Business and the authentication process, how to enumerate for misconfigurations, how to abuse the vulnerable privilege, how to generate the certificate required for impersonation, and the pass-the-hash attack.

So we started by enumerating the privileges for our user. We found that our user had generic write access over another user. We then used a tool called Whisker to get the certificate for impersonation of the vulnerable user. After getting the certificate, we used another tool called Rubeus to get the TGT by providing the certificate we generated earlier. This gave us the NTLM hash, and we performed a pass-the-hash attack using Evil-WinRM.

Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

Whisker, a C# utility created by Elad Shamir, is one helpful tool for abusing the vulnerable privilege.

Rubeus is a C# toolset designed for direct Kerberos interaction and exploitation, developed by SpecterOps. The NTLM hash obtained through it can then be used in a pass-the-hash attack!

Evil-WinRM is a tool for remotely managing Windows systems by abusing the Windows Remote Management (WinRM) protocol.
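For defenders, the chain described above (a write to the target account followed by a certificate-based TGT request) leaves traces on the domain controller. The following is an added example, not from the room or this post: it correlates constructed events in the style of Security event 5136 (a value added to `msDS-KeyCredentialLink`, the attribute that holds the key credential) with event 4768 using certificate pre-authentication. The account names, IP addresses, allowlist, 30-minute window and the CN-equals-logon-name shortcut are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: flattened fields in the style of Windows Security
# events 5136 (directory object modified) and 4768 (Kerberos TGT requested).
EVENTS = [
    {"time": "2023-12-11T09:00:05", "id": 5136, "SubjectUserName": "MSOL_sync",
     "ObjectDN": "CN=alice,CN=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"time": "2023-12-11T10:14:30", "id": 5136, "SubjectUserName": "lowpriv",
     "ObjectDN": "CN=victim,CN=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"time": "2023-12-11T10:15:10", "id": 4768, "TargetUserName": "victim",
     "PreAuthType": "16", "IpAddress": "10.0.0.50"},
    {"time": "2023-12-11T11:00:00", "id": 4768, "TargetUserName": "alice",
     "PreAuthType": "2", "IpAddress": "10.0.0.20"},
]

KEY_ATTR = "msds-keycredentiallink"
VALUE_ADDED = "%%14674"            # 5136 operation type "Value Added"
PKINIT = "16"                      # 4768 pre-auth type for certificate logon
EXPECTED_WRITERS = {"msol_sync"}   # assumption: accounts allowed to register keys
WINDOW = timedelta(minutes=30)     # assumption: correlation window

def cn_of(dn):
    """Leading CN of a DN; assumes CN equals sAMAccountName (a simplification)."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events):
    """Alert on unexpected key-credential writes; note any PKINIT TGT that follows."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 5136 or ev["AttributeLDAPDisplayName"].lower() != KEY_ATTR:
            continue
        writer, target = ev["SubjectUserName"].lower(), cn_of(ev["ObjectDN"])
        if ev["OperationType"] != VALUE_ADDED or writer in EXPECTED_WRITERS or writer == target:
            continue
        start = datetime.fromisoformat(ev["time"])
        tgt = next((e for e in events[i + 1:]
                    if e["id"] == 4768 and e["PreAuthType"] == PKINIT
                    and e["TargetUserName"].lower() == target
                    and datetime.fromisoformat(e["time"]) - start <= WINDOW), None)
        alerts.append({"writer": writer, "target": target,
                       "severity": "high" if tgt else "medium",
                       "tgt_source": tgt["IpAddress"] if tgt else None})
    return alerts

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

Event 5136 is only logged for this attribute when Directory Service Changes auditing is enabled and the user objects carry an auditing entry (SACL) covering the write.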
