Comments (15)
You give me ideas to improve the tool and I thank you for that :)
When you want to give DCSync rights, you add ACL entries to the Domain object. So the user BIR-ADFS-GMSA$ must have setDCsync right because it is the one that you use to connect (with NTLM auth in your case) to the AD to perform your modifications. If BIR-ADFS-GMSA$ owns the domain object or has GenericAll right on the domain object, you can use autobloody to automate those steps in order to obtain DCSync right.
If I remember correctly you can duplicate ACEs, so I don't think that tristan.davies already having those rights is the problem here.
If you don't know what to do with a right on an object, right click on the edge in BloodHound and click on help, you'll have details on it.
Great! I assumed having the GenericAll right included being able to add the DCSync right but that is obviously not the case. When I reverse the command above, targeting "BIR-ADFS-GMSA$" using tristan.davies (domain admin), this works. However, when I try to use autobloody to automate this as you suggest I get an error.
I think you found a bug!
Try with the latest commit c166caa and tell me if it works.
There is some progress but now I get a different error.
Can you add print("I've been here") at line 173 and print(sAMAccountName) at line 177 of bloodyAD/modules.py and show me the output please?
I updated the code but I do not see the added print statements when running it.
My bad, I forgot the case, try the latest commit c82bca8, it should work now.
New error :)
It should be fixed with eb108a9
And this error should be fixed with 54f1ea7 !
Now I no longer get a functional error but it seems tristan.davies is not allowed to change the password of bir-adfs-gmsa despite being a domain administrator. If I try to change the password manually using bloodyAD.py or even more manually using RPCClient (which you use too I think) I get the same result. Is that expected? Perhaps this is the case only for GMSA accounts?
I also have a related question. In actual engagements I would rarely opt to change the password of an existing account. I would instead consider for example setting the "DONT_REQ_PREAUTH" flag on the account and then AS-REP roast it hoping to crack its password. Is there a way to control the end result of the automation? I know I can do this manually but if the automation can help me with more complex exploit chains that would help.
bloodyAD uses the SAMR call SamrSetInformationUser2, which is slightly different from the one of rpcclient if I remember correctly. In the documentation, it's written that it can modify a user object and maybe GMSA accounts like machine accounts are not considered as user objects.
You can still try using LDAPS (if you have an ADCS for your domain) or kerberos (unfortunately you can't use kerberos because ldap3 only supports kerberos authentication and not encryption). Using LDAPS to change the password could be allowed.
The automation doesn't aim for actual engagements but I plan to implement shadowCredentials and use of CVE-2021-42287/CVE-2021-42278 as an alternative to the password change.
The domain search.htb actually belongs to Hack The Box. I sometimes use their machines to test things on :) Therefore I do not have access to ADCS in that domain. I do have ADCS in my private lab and I have tested CVE-2021-42287/CVE-2021-42278 (SAM-The-Admin, "https://github.com/WazeHell/sam-the-admin") in that which works. However, these vulnerabilities will likely be patched, if that hasn't been done already.
Thanks for your help! I will keep an eye on your tool.
Just a comment for those who read this. What you need in order to use the "setDCSync" command is access to a domain user object or a domain computer object that has WriteDACL rights on the domain root or on a domain controller. For example, by default, unless patched or if the Active Directory Split Permissions model is used, Exchange servers have this right. See "https://support.microsoft.com/en-us/topic/reducing-permissions-required-to-run-exchange-server-when-you-use-the-shared-permissions-model-e1972d47-d714-fd76-1fd5-7cdcb85408ed".
BloodyAD actually grants GenericAll rights to the target object, which is more than is needed in order to DCSync. This is good to know if for example BloodHound is used to verify this.
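The two comments above (the first reply about adding ACEs to the domain object, and this last note that bloodyAD grants GenericAll where DCSync only needs two extended rights) can be made concrete with a small stdlib-only script. It is an added example, not bloodyAD's or autobloody's code: it builds the minimal pair of object ACEs a DCSync grant needs (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights on the domain head), shows the GenericAll ACE bloodyAD writes instead, and checks an SDDL DACL for either form. The SID and the SDDL strings in the usage are constructed for the example; SID matching is literal (no group expansion), and any matching deny ACE is treated as a hard deny, which is a simplification of Windows access checking.

```python
"""Minimal DCSync ACEs vs GenericAll, and a DACL check for either (added example, stdlib only)."""
import re

# Extended-right GUIDs the DC checks on the domain NC head before serving replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RIGHT_CONTROL_ACCESS = 0x100     # ADS_RIGHT_DS_CONTROL_ACCESS, SDDL "CR"
RIGHT_GENERIC_ALL = 0x10000000   # GENERIC_ALL, SDDL "GA"

# DACL part of an SDDL string: "D:" + optional flags (P, AI, AR) + one or more "(...)" ACEs.
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def minimal_dcsync_aces(sid):
    """The two object ACEs that grant exactly what DCSync needs and nothing else."""
    return [f"(OA;;CR;{guid};;{sid})"
            for guid in (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)]


def generic_all_ace(sid):
    """The full-control ACE a GenericAll grant produces; it covers DCSync and much more."""
    return f"(A;;GA;;;{sid})"


def _parse_rights(rights):
    """Return (has_control_access, has_generic_all) for an SDDL rights field.

    The field is either a hex mask ("0x10000000") or a run of two-letter codes ("RPWPCR...")."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & RIGHT_CONTROL_ACCESS), bool(mask & RIGHT_GENERIC_ALL)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CR" in codes, "GA" in codes


def dacl_aces(sddl):
    """Yield (ace_type, ace_flags, rights, object_guid, trustee_sid) from the DACL of an SDDL string."""
    match = DACL_RE.search(sddl)
    if not match:
        return
    for body in ACE_RE.findall(match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:  # type;flags;rights;object_guid;inherit_guid;sid
            continue
        yield fields[0], fields[1], fields[2], fields[3].lower(), fields[5]


def can_dcsync(sddl, sid):
    """True if `sid` holds both replication rights on the object described by `sddl`.

    Grants count via a matching extended right, via "CR" with no object GUID (all extended
    rights), or via GenericAll. A matching deny ACE short-circuits to False, which mirrors a
    canonical DACL where explicit denies precede allows. Literal SID match only: no group expansion."""
    granted = set()
    for ace_type, _flags, rights, guid, trustee in dacl_aces(sddl):
        if trustee != sid:
            continue
        has_cr, has_ga = _parse_rights(rights)
        covers_all = has_ga or (has_cr and guid == "")
        covers_one = has_cr and guid in DCSYNC_RIGHTS
        if ace_type in ("A", "OA"):
            if covers_all:
                granted |= DCSYNC_RIGHTS
            elif covers_one:
                granted.add(guid)
        elif ace_type in ("D", "OD") and (covers_all or covers_one):
            return False
    return DCSYNC_RIGHTS <= granted


if __name__ == "__main__":
    # Constructed sample: a domain head with the usual DA full-control ACE plus our trustee.
    sid = "S-1-5-21-1004336348-1177238915-682003330-1105"  # made-up user SID
    base = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    print("minimal:", can_dcsync(base + "".join(minimal_dcsync_aces(sid)), sid))   # True
    print("only GetChanges:", can_dcsync(base + minimal_dcsync_aces(sid)[0], sid))  # False
    print("GenericAll:", can_dcsync(base + generic_all_ace(sid), sid))              # True
```

Reading the output against BloodHound: a principal that shows up with `GenericAll` on the domain head will pass `can_dcsync`, but so will one that only carries the two `OA` ACEs, which BloodHound renders as `GetChanges` and `GetChangesAll` rather than `GenericAll`; when auditing what a tool actually wrote to the DACL, it is the second, narrower form you should expect to see if least privilege was the goal.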