and also X-Force Red. I'm here to talk to you all about a fantastic chain of vulnerabilities that leads to domain admin. I call this printers to domain admin.

So first off, what we're gonna be exploiting is this wonderful feature that Tifkin from SpecterOps discovered called the MS-RPRN printer bug. Basically what it does is it's a feature to have a domain controller tell a client where its printers are. Now, any user can request this packet to be sent to them. And what it can also do is try and force authentication. Now, if the client says, hey, I only support NTLM version one, and the domain controller is trying to authenticate to them, it will authenticate using its machine account. That machine account can then be reversed from NTLM version one to NTLM. And once we've reversed NTLM, we can create a silver ticket and then DCSync the server. So with that, let's begin.

The first thing we're gonna need to do is find out the domain SID of the machine we're gonna attack. Now we're gonna specify that we start off with domain user credentials. And so we are already a regular domain user. We would have gotten this through Responder, some other method, or being a legit user on the network. So we're running enum4linux on 192.168.1.3 on my mog.local domain. Now we're gonna see a whole bunch of stuff. So we're gonna have to scroll up, and we're gonna see the domain SID is right here. This is the security identifier for the domain, and it did not require any credentials to pull. So we're gonna go export SID= in quotes; even though these aren't required, I put them around just for my own safety's sake because I've been burned once or twice. So we now have the SID. Fantastic.

Next thing we're gonna need is we're gonna need to go use our credentials on the NetNTLM silver ticket repo with a tool called Dementor. So we're now in the repo. So we're gonna go ./ or python dementor.py.
So in order to use Dementor, we need a domain username, which is going to be evilmog. We need a password. In this case, the password is password with an exclamation mark. Yes, this is a demo. Yes, it's junk. I'm okay with this. Now we're gonna use a domain; the domain name will be mog. Next thing we're gonna do is go into another window. We're gonna set up Responder. So Responder, interface of eth0. Yeah, let's go with that. And now we're gonna fire over to Dementor and fire off the authentication back at us. Next thing we need is the listener IP. So the IP range in this, sorry, it was, yeah, listener target. So $ATTACKER_IP. I've pre-exported mine because I can't remember what it was. And we're gonna go with the target IP. It's gonna send the attack. We're seeing access denied. Here we'll see an NTLM version one SSP hash. Now we'll see I attempted to set the client challenge to 1122334455667788, but it's zeroed these out. I could have specified --lm and it would have gotten me a better result. But in this case, I wanted to demonstrate NTLM version one with SSP on video because it's fun.

So we're gonna copy this. I'm now gonna go into my NTLM version one multi-tool: python ntlmv1.py. We specify NTLM and our hash. Now, if you want to use crack.sh and pay $200, you absolutely can. Now the other option is we're gonna do this with hashcat. Now this will normally take you about three to five days with, you know, from 16 to 32 GPUs, or cost you about $1,000 or so in AWS time. I haven't timed this for a while, so my numbers might be inaccurate. But on 16 GTX 1080s, it takes about four days, five. So what we're gonna do is we're gonna copy this. We're gonna copy the 14000 hash because it's already ready to go into hashcat. We're going to go into my hashcat directory, paste that. Just to make sure it's a fresh file, nothing up my sleeve.
Now we're gonna take the command it told us to crack it with hashcat. Telling us to use mode 14000, attack mode three, which is a brute force, using the DES character set and our attack type. I already feel for you. Now because I have a time machine, it's gonna crack instantly. Perfect, see? It's already cracked instantly. So let's --show these hashes right now. So here we have the portion of the NTLM, but it's actually being returned as a DES key. We need to convert these DES keys into a portion of an NTLM. So we're gonna go to git, we're gonna pull up my hashcat-utils src. And we're gonna want the deskey_to_ntlm portion. So here is part one. We are then going to do part two back over here, part two. Now the most important part, we're also gonna have to calculate the last four characters of the NTLM. Again, there's already a hashcat utility for that. So we're gonna go into git/hashcat-utils/src. And then we are going to use ct3_to_ntlm. But it already tells us that, because we do the paste and there we are, we have our NTLM. So the NTLM is gonna be part one, part three. Fantastic.

So now we're going back into our handy dandy utility, export NTLM=. Now, to prove there's nothing up my sleeve on this one, CrackMapExec: smb 192.168.1.3. Username's gonna be DC1$, because that means it's a machine account. We're gonna use the hash of $NTLM. And there we are. We've authenticated as the domain machine account.

Now we're going to, there we are. So we're gonna run ticketer. Now this command's a little bit complex. So first we're gonna run python. We're gonna select where our ticketer location is. We're gonna use the NTLM hash, which we'll see here is 1D, matches right up with what we have here ending in 904C. So it's your NTLM hash for the machine account. There is the domain SID that we captured earlier. That is this S-1-5-21 here, using enum4linux. The domain name here is mog.local. Now the important part is the SPN.
SPN is a service principal name. So in this case, we know it's a machine. So we know it's DC1. We know it's in mog.local. All domain controllers by default will, or should in most cases, have a host/DC or a host/ for their SPN. So we can guess this machine's SPN or look at it in BloodHound, but in this case we guessed host/DC1.mog.local, and then the administrator, guessing it's administrator; it probably is. A lot of people change it, but that is how we create our silver ticket. Now I'm gonna hit enter. It's gonna create this Kerberos ccache file for you. Now you need to go run an export. So, because I keep forgetting the syntax: history, grep export, grep ccache, -n1. There we go, export. So we've specified here's where our ccache file is.

Now we're gonna proceed to secretsdump the domain controller. grep secretsdump, okay, -n1, there we go. So we're gonna run secretsdump. The syntax for this one is gonna be, you know, our python3, secretsdump, -k means use Kerberos, -no-pass means don't ask for a password. We're gonna specify mog/, the domain mog, administrator@dc1.mog.local, and we're gonna DCSync the... interesting. This happens, let's go take a look. There we go, used the right tool. So we've used our, so the syntax for this one was python, running secretsdump, our target was administrator@dc1.mog.local, -k was use Kerberos, -no-pass was don't ask us for the password. And here we see our administrator hash, our guest hash, and our machine account, which we just finished extracting. So that is how you silver ticket a domain controller and DCSync it with just a regular domain user.

Now for mitigations on this, what you're gonna wind up doing is, there's a setting called the LAN Manager compatibility level. I'll include a link to it in the slides for this. There's a setting that, if set to two or lower, basically means allow NTLM.
That's what, if you increase that setting to five, that will completely block this. The other mitigation is to disable the Print Spooler service on any sensitive server, such as domain controllers. Now this will cause an impact in some environments, as clients will no longer be able to update the printer list, but hopefully you have a better way of pushing printers, such as SCCM. So that is the one downside, but it will prevent domain controllers from reaching out. This works up until Server 2016. I have not seen it work in Server 2019, and it again depends on your LAN Manager compatibility level. Thank you very much for tuning in. This has been Evilmog from X-Force Red and Team Hashcat.
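An audit for the two mitigations the talk names (a LAN Manager compatibility level of 5 and the Print Spooler disabled on domain controllers), as an added example that is not part of the talk or the speaker's tooling. It assumes the ActiveDirectory RSAT module, WinRM access to every DC, and Windows PowerShell 5.1 or later; those are assumptions, not facts from the talk.

```powershell
# Added audit example (not from the talk). Assumes the ActiveDirectory RSAT module
# and WinRM access to each domain controller.
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # LmCompatibilityLevel lives under the Lsa key; a missing value means the OS default applies
        $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $prop  = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        $level = if ($prop) { [int]$prop.LmCompatibilityLevel } else { $null }

        # Spooler service state; absent service counts as disabled for our purposes
        $spool = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $spoolStatus = if ($spool) { $spool.Status.ToString() }    else { 'not installed' }
        $spoolStart  = if ($spool) { $spool.StartType.ToString() } else { 'n/a' }
        $spoolOff    = (-not $spool) -or ($spool.StartType -eq 'Disabled' -and $spool.Status -ne 'Running')

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default)' } else { $level }
            # The talk's fix: level 5 makes the DC refuse LM and NTLMv1 outright
            NtlmV1Refused        = ($null -ne $level -and $level -ge 5)
            SpoolerStatus        = $spoolStatus
            SpoolerStartType     = $spoolStart
            SpoolerDisabled      = $spoolOff
        }
    }
}

$results | Format-Table Computer, LmCompatibilityLevel, NtlmV1Refused, SpoolerStatus, SpoolerStartType, SpoolerDisabled -AutoSize

# Any DC failing either check is still exposed to the coercion-plus-NTLMv1 chain described above
$results | Where-Object { -not $_.NtlmV1Refused -or -not $_.SpoolerDisabled } | ForEach-Object {
    Write-Warning ("{0}: LmCompatibilityLevel={1}, Spooler={2}/{3}" -f `
        $_.Computer, $_.LmCompatibilityLevel, $_.SpoolerStatus, $_.SpoolerStartType)
}
```

A DC reporting "not set (OS default)" is flagged on purpose: the default varies by Windows version, so set the value explicitly via Group Policy rather than relying on it.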