Gaining Privileged Access in a Secure Corporate Environment with SSL VPN and EDR/AV?

ElektraEmber

What is the most effective method to gain privileged access after successfully authenticating into a corporate environment using SSL VPN (with network-level access on their VPN subnet)? In this scenario, access is limited to 3 user accounts (access type = user), with no admin privileges. The environment also has EDR/AV in place on all Windows machines.

How can one escalate privileges to admin level and subsequently move laterally to the DC? The goal is to access the print server, the backup server (Veeam), and the DC.
 
ElektraEmber said:
What is the most effective method to gain privileged access after successfully authenticating into a corporate environment using SSL VPN (with network-level access on their VPN subnet)? In this scenario, access is limited to 3 user accounts (access type = user), with no admin privileges. The environment also has EDR/AV in place on all Windows machines.

How can one escalate privileges to admin level and subsequently move laterally to the DC? The goal is to access the print server, the backup server (Veeam), and the DC.
You could check out "Windows coerced authentication" techniques. If you can reach network switches or routers running vulnerable firmware where you could get root OS access, that would be a perfect place to packet-capture the network and grab NetV2 hashes or Kerberos pre-auths/AS-REPs without needing any tools other than tcpdump, if the network is busy enough; most of those devices have it installed already. Responder, as shook_1 already said, would be another easy option to get NetV2 hashes: just run it on your VPN interface and wait. Look for Server 2008R2/Win7 systems; that's a good place to look for unpatched vulns. What build is the DC running? It will probably be the only Windows system with SMB signing required.

 
ElektraEmber said:
What is the most effective method to gain privileged access after successfully authenticating into a corporate environment using SSL VPN (with network-level access on their VPN subnet)? In this scenario, access is limited to 3 user accounts (access type = user), with no admin privileges. The environment also has EDR/AV in place on all Windows machines.

How can one escalate privileges to admin level and subsequently move laterally to the DC? The goal is to access the print server, the backup server (Veeam), and the DC.
Honestly, I just go after a user machine that has admin rights; it's simply a matter of skill 😏
PS: just use BloodHound
 
May I ask what EDR/AV solution they have in place? Because what you do next not only depends on this, but you need to do some recon, quietly, because you might even be lucky enough to escalate through a vuln or something that isn't patched... Also, how aware of your surroundings are you? Can you move laterally by simply L.O.T.L? Do you have access to a decent GPU, so that if you ran Responder and grabbed some hashes you could crack those hashes and get passwords? I have about 10,000 questions that I need to ask you that should be answered properly so you do not get burned....

Anyways, back to AV/EDR: are we talking, like, Trend Micro (a joke) or are we talking Sent. 1 (not a joke at ALL)??
 
Password spraying: find a password that has privileged access to a server. Dump lsass and, if you are lucky, find an admin cached hash :) Or use some technique to disable EDR plus a privilege escalation vulnerability.
 
shook_1 said:
May I ask what EDR/AV solution they have in place? Because what you do next not only depends on this, but you need to do some recon, quietly, because you might even be lucky enough to escalate through a vuln or something that isn't patched... Also, how aware of your surroundings are you? Can you move laterally by simply L.O.T.L? Do you have access to a decent GPU, so that if you ran Responder and grabbed some hashes you could crack those hashes and get passwords? I have about 10,000 questions that I need to ask you that should be answered properly so you do not get burned....

Anyways, back to AV/EDR: are we talking, like, Trend Micro (a joke) or are we talking Sent. 1 (not a joke at ALL)??

No GPU; the EDR in place is Fortinet. However, even if we manage to obtain hashes, executing Pass-the-Hash (PTH) proves challenging in a Windows 10 environment. Privilege escalation seems elusive, as NTLM authentication won't be possible with a privileged user, barring access to hash authentication unless DA account privileges are obtained.

In this VPN subnet, there are no file or print servers, only VPN users (standard users). Even accessing a helpdesk account may not yield significant results, given the likelihood of varied passwords across workstations.

Considering these limitations, I guess approaches like running another instance of ntdll.dll to evade the EDR might be worth exploring. My primary goal remains learning and understanding lateral movement strategies within this scenario.
 
ElektraEmber said:
No GPU; the EDR in place is Fortinet. However, even if we manage to obtain hashes, executing Pass-the-Hash (PTH) proves challenging in a Windows 10 environment. Privilege escalation seems elusive, as NTLM authentication won't be possible with a privileged user, barring access to hash authentication unless DA account privileges are obtained.

In this VPN subnet, there are no file or print servers, only VPN users (standard users). Even accessing a helpdesk account may not yield significant results, given the likelihood of varied passwords across workstations.

Considering these limitations, I guess approaches like running another instance of ntdll.dll to evade the EDR might be worth exploring. My primary goal remains learning and understanding lateral movement strategies within this scenario.
Why is PTH challenging? It's worth it 90% of the time. Btw, if you find a Terminal Server you can try to dump with lsassy and maybe find interesting accounts for lateral movement. For me the best way is with wmiexec from impacket.
 
BerlusconiSwaG said:
Why is PTH challenging? It's worth it 90% of the time. Btw, if you find a Terminal Server you can try to dump with lsassy and maybe find interesting accounts for lateral movement. For me the best way is with wmiexec from impacket.

PTH was killed after Windows 7. Local Admin cannot authenticate using NTLM in Windows 10 on workstations. Only the Administrator account can still log in locally using NTLM (but sysprep will make it unique for each host). You cannot log in locally on a local or domain system using an admin or privileged account.


But I'm going to look into impacket, thanks!
 
ElektraEmber said:
PTH was killed after Windows 7. Local Admin cannot authenticate using NTLM in Windows 10 on workstations. Only the Administrator account can still log in locally using NTLM (but sysprep will make it unique for each host). You cannot log in locally on a local or domain system using an admin or privileged account.

But I'm going to look into impacket, thanks!

This is 100% false. Local admin accounts may be disabled in an Active Directory environment, but I've never seen their NT hash not work if the accounts are still active; in fact, it's impossible. The only time it wouldn't allow it is if the network was configured with NTLM authentication turned off; then it would only allow krb auth. It will always work because of the way NTLM was designed, having the password hashed client-side with a non-salted hash, so even when an admin account logs in with a password the machine still only receives the NT hash, because the remote system hashes the password before sending it to the target system.


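An added defensive example, not code from any post in this thread: a read-only PowerShell audit of the Windows settings the techniques discussed above hinge on, SMB signing (what a relay needs to be absent), LLMNR and NBT-NS (the name lookups a Responder-style listener answers), LmCompatibilityLevel (NTLMv1 versus NTLMv2 on the wire) and LocalAccountTokenFilterPolicy (UAC remote restrictions, which decide whether a non-built-in local administrator receives a full token on a network logon). The registry paths are Microsoft's documented ones; the Get-RegValue helper name is mine.

```powershell
# Added audit example (not from any post in the thread): read-only check of the
# Windows settings the techniques discussed above depend on.
# Get-RegValue is a helper name chosen here; the registry paths are Microsoft's.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the Windows default applies
}

$checks = @(
    # SMB signing: NTLM relay needs a target that accepts unsigned SMB.
    @{ Name  = 'SMB server signing required (RequireSecuritySignature=1)'
       Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
       Ok    = { param($v) $v -eq 1 } }
    @{ Name  = 'SMB client signing required (RequireSecuritySignature=1)'
       Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
       Ok    = { param($v) $v -eq 1 } }
    # LLMNR: the multicast name lookups a Responder-style listener answers; 0 disables it.
    @{ Name  = 'LLMNR disabled by policy (EnableMulticast=0)'
       Value = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
       Ok    = { param($v) $v -eq 0 } }
    # NTLM: level 5 sends NTLMv2 only and refuses LM/NTLMv1 from clients.
    @{ Name  = 'LmCompatibilityLevel is 5'
       Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
       Ok    = { param($v) $v -eq 5 } }
    # UAC remote restrictions: 1 gives non-built-in local admins a full token on
    # network logons; absent or 0 keeps the default filtered (non-admin) token.
    @{ Name  = 'LocalAccountTokenFilterPolicy not set to 1'
       Value = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
       Ok    = { param($v) $v -ne 1 } }
)

# NetBIOS over TCP/IP is per interface: 2 = disabled; any 0/1 still answers NBT-NS.
$nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
       ForEach-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions }
$checks += @{ Name  = 'NetBIOS over TCP/IP disabled on every interface (NetbiosOptions=2)'
              Value = ($nbt -join ',')
              Ok    = { param($v) -not ($nbt | Where-Object { $_ -ne 2 }) } }

foreach ($c in $checks) {
    $shown = if ($null -eq $c.Value) { '<default>' } else { $c.Value }
    $state = if (& $c.Ok $c.Value) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-64} value={2}' -f $state, $c.Name, $shown
}
```

Anything reported WEAK is a hardening finding to raise with the owner of the host; a value shown as <default> means the setting is not configured and the Windows default for that build applies.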
 
ElektraEmber said:
No GPU; the EDR in place is Fortinet. However, even if we manage to obtain hashes, executing Pass-the-Hash (PTH) proves challenging in a Windows 10 environment. Privilege escalation seems elusive, as NTLM authentication won't be possible with a privileged user, barring access to hash authentication unless DA account privileges are obtained.

In this VPN subnet, there are no file or print servers, only VPN users (standard users). Even accessing a helpdesk account may not yield significant results, given the likelihood of varied passwords across workstations.

Considering these limitations, I guess approaches like running another instance of ntdll.dll to evade the EDR might be worth exploring. My primary goal remains learning and understanding lateral movement strategies within this scenario.
Ok, understood. Just live off the land as much as possible so you don't burn your access, and definitely keep paying attention to any other Windows environments on the ARP table; there could be that one Windows Server 2016 that has vulns, or that one Microsoft Exchange server that is vulnerable to Auto-Proxy-Logon, which would give you unauthenticated system access... Also, if you see any non-Microsoft RDP or other remote access tools/their services running: I have seen system admins accidentally leave behind AnyDesk instances after setup which they meant to uninstall... I was on an engagement just recently in which there was a normal Microsoft server that had been stood up and was running for a while, then improperly promoted to D.C., in which certain trust relationships were able to be abused to get D.A.
 
ElektraEmber said:
PTH was killed after Windows 7. Local Admin cannot authenticate using NTLM in Windows 10 on workstations. Only the Administrator account can still log in locally using NTLM (but sysprep will make it unique for each host). You cannot log in locally on a local or domain system using an admin or privileged account.

But I'm going to look into impacket, thanks!
Of course, I mean in an Active Directory environment :)
 
Hi everyone, can anyone tell me whether Responder will work over a Forti VPN?
 