A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
In a lot of engagements I see (in BloodHound) that the group "Everyone" / "Authenticated Users" / "Domain Users" or some other wide group, which contains almost all the users in the domain, has some GenericWrite/GenericAll DACLs over other objects in the domain.
These rights can be abused to add Shadow Credentials on the target object and obtain its TGT and NT Hash.
It occurred to me that we can just try and spray shadow credentials over the entire domain and see what sticks (obviously this approach is better suited to non-stealth engagements, don't use this in a red team where stealth is required). When a Shadow Credential is successfully added, we simply do the whole PKINIT + UnPACTheHash dance and voilà - we get NT Hashes.
Since the process is extremely fast, this can be used at the very start of the engagement, and hopefully you'll have some users and computers owned before you even start.
Note: I recycled a lot of code from my previous tool so AV/EDRs might flag this as KrbRelayUp...
It goes something like this:
ShadowSpray supports CTRL+C so if at any point you wish to stop the execution just hit CTRL+C and ShadowSpray will display the NT Hashes recovered so far before exiting (as shown in the demo below).
__ __ __ __ __ __
/__` |__| /\ | \ / \ | | /__` |__) |__) /\ \ /
.__/ | | /~~\ |__/ \__/ |/\| .__/ | | \ /~~\ |
Usage: ShadowSpray.exe [-d FQDN] [-dc FQDN] [-u USERNAME] [-p PASSWORD] [-r] [-re] [-cp CERT_PASSWORD] [-ssl]
-r (--RestoreShadowCred) Restore "msDS-KeyCredentialLink" attribute after the attack is done. (Optional)
-re (--Recursive) Perform ShadowSpray attack recursively. (Optional)
-cp (--CertificatePassword) Certificate password. (default = random password)
General Options:
-u (--Username) Username for initial LDAP authentication. (Optional)
-p (--Password) Password for initial LDAP authentication. (Optional)
-d (--Domain) FQDN of domain. (Optional)
-dc (--DomainController) FQDN of domain controller. (Optional)
-ssl Use LDAP over SSL. (Optional)
-y (--AutoY) Don't ask for confirmation to start the ShadowSpray attack. (Optional)
Taken from Elad Shamir's blog post on Shadow Credentials:
If PKINIT authentication is not common in the environment or not common for the target account, the "Kerberos authentication ticket (TGT) was requested" event (4768) can indicate anomalous behavior when the Certificate Information attributes are not blank.
If a SACL is configured to audit Active Directory object modifications for the targeted account, the "Directory service object was modified" event (5136) can indicate anomalous behavior if the subject changing the msDS-KeyCredentialLink is not the Azure AD Connect synchronization account or the ADFS service account, which will typically act as the Key Provisioning Server and legitimately modify this attribute for users.
A more specific preventive control is adding an Access Control Entry (ACE) to DENY the principal EVERYONE from modifying the attribute msDS-KeyCredentialLink for any account not meant to be enrolled in Key Trust passwordless authentication, and particularly privileged accounts.
Detecting UnPACing and shadowed credentials by Henri Hambartsumyan of FalconForce
ShadowSpray specific detections:
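As an added illustration of the two detection ideas quoted above (not code from the ShadowSpray project), the script below runs them over a handful of constructed Security-log events: 4768 entries whose certificate fields are populated for accounts that do not normally use PKINIT, and 5136 entries where msDS-KeyCredentialLink is written by a subject other than the expected provisioning accounts. Because ShadowSpray touches many objects in one run, it also adds a simple spray heuristic: one subject writing that attribute on several distinct objects in the same batch. The account names, the baseline sets and the event values are all assumptions; the field names are the standard EventData names for those event IDs.

```python
from collections import defaultdict

# Hypothetical baseline for this environment: accounts that legitimately
# authenticate with PKINIT, and accounts allowed to write
# msDS-KeyCredentialLink (assumed Azure AD Connect sync + ADFS service names).
PKINIT_BASELINE = {"alice"}
KEYCRED_WRITERS = {"MSOL_a1b2c3d4", "svc-adfs"}

# Constructed sample events (not real log data). Field names follow the
# Security log EventData names for 4768 and 5136.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-adfs", "CertIssuerName": "",
     "CertSerialNumber": "", "CertThumbprint": ""},            # password logon: blank cert fields
    {"EventID": 4768, "TargetUserName": "WS01$", "CertIssuerName": "PLACEHOLDER-ISSUER",
     "CertSerialNumber": "00", "CertThumbprint": "PLACEHOLDER-THUMBPRINT-1"},
    {"EventID": 4768, "TargetUserName": "alice", "CertIssuerName": "PLACEHOLDER-ISSUER",
     "CertSerialNumber": "01", "CertThumbprint": "PLACEHOLDER-THUMBPRINT-2"},
    {"EventID": 5136, "SubjectUserName": "MSOL_a1b2c3d4",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "lowpriv",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "lowpriv",
     "ObjectDN": "CN=WS02,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "lowpriv",
     "ObjectDN": "CN=svc-backup,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "lowpriv",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},              # unrelated attribute: ignored
]


def cert_info_present(ev):
    """4768 'Certificate Information' attributes are non-blank -> PKINIT was used."""
    return any(ev.get(k) for k in ("CertIssuerName", "CertSerialNumber", "CertThumbprint"))


def analyze(events, pkinit_baseline=PKINIT_BASELINE,
            keycred_writers=KEYCRED_WRITERS, spray_threshold=3):
    """Return a list of (rule, detail) findings for the given events."""
    findings = []
    targets_by_subject = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4768 and cert_info_present(ev):
            user = ev["TargetUserName"]
            if user not in pkinit_baseline:
                findings.append(("pkinit-anomaly", user))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink":
            subject = ev["SubjectUserName"]
            if subject not in keycred_writers:
                findings.append(("keycred-write", f"{subject} -> {ev['ObjectDN']}"))
                targets_by_subject[subject].add(ev["ObjectDN"])
    # Spray heuristic (assumed threshold): one subject, many distinct objects.
    for subject, targets in targets_by_subject.items():
        if len(targets) >= spray_threshold:
            findings.append(("keycred-spray",
                             f"{subject} wrote msDS-KeyCredentialLink on {len(targets)} objects"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The 5136 rule only fires if a SACL audits writes to the targeted objects, as the quoted text notes; without that auditing the 4768 rule is the only signal left, which is why the PKINIT baseline should be maintained per account rather than domain-wide.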
autoSSRF is your best ally for identifying SSRF vulnerabilities at scale. Different from other SSRF automation tools, this one comes with the following two original features:
Smart fuzzing on relevant SSRF GET parameters
When fuzzing, autoSSRF only focuses on the common parameters related to SSRF (?url=, ?uri=, ..) and doesn't interfere with everything else. This ensures that the original URL is still correctly understood by the tested web application, something that might not happen with a tool that blindly sprays query parameters.
Context-based dynamic payloads generation
For the given URL: https://host.com/?fileURL=https://authorizedhost.com, autoSSRF would recognize authorizedhost.com as a potentially whitelisted host for the web application and generate payloads dynamically based on that, attempting to bypass the whitelist validation. It would result in interesting payloads such as: http://authorizedhost.attacker.com, http://authorizedhost%252F@attacker.com, etc.
Furthermore, this tool guarantees almost no false positives. The detection relies on the great ProjectDiscovery's interactsh, allowing autoSSRF to confidently identify out-of-band DNS/HTTP interactions.
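The payloads above are aimed at allowlist checks that look at the raw string instead of the parsed host. The following added example (not code from the autoSSRF project) puts a weak check of that shape next to a strict one, and runs both over the README's two payloads plus a few constructed variants; the allowlisted host `authorizedhost.com` is the hypothetical one from the README's example URL.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlisted host, taken from the README's example URL.
ALLOWED_HOST = "authorizedhost.com"

# Weak validation: an unanchored prefix regex on the raw string. This is the
# shape of check that lookalike subdomains and userinfo tricks slip past.
WEAK_RE = re.compile(r"^https?://authorizedhost")


def weak_is_allowed(url: str) -> bool:
    return WEAK_RE.match(url) is not None


def strict_is_allowed(url: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Parse first, then compare the parsed host name exactly.

    Only the host component is compared, so a lookalike subdomain, an
    '@'-delimited userinfo section, or the allowlisted name appearing in
    the path never satisfies the check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:        # userinfo moves the real host after the '@'
        return False
    host = parts.hostname          # urlsplit lower-cases this for us
    if not host or host != allowed_host.lower():
        return False
    return port in (None, 443)


# Payloads: the two from the README plus constructed variants.
PAYLOADS = [
    "https://authorizedhost.com",                 # the legitimate value
    "http://authorizedhost.attacker.com",         # README payload 1
    "http://authorizedhost%252F@attacker.com",    # README payload 2
    "https://authorizedhost.com@attacker.com",    # constructed: userinfo trick
    "https://authorizedhost.com.attacker.com/",   # constructed: lookalike subdomain
    "https://attacker.com/authorizedhost.com",    # constructed: name in path only
]


def compare(payloads=PAYLOADS):
    """Return {url: (weak_result, strict_result)} for each payload."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in payloads}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

One caveat the `%252F` payload illustrates: the check must run on exactly the string the HTTP client will later fetch. If the application decodes the parameter once more between validation and use, the validated value and the fetched value differ, and parsing alone no longer protects it.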
python3 autossrf.py -h
This displays help for the tool.
usage: autossrf.py [-h] [--file FILE] [--url URL] [--output] [--verbose]
options:
-h, --help show this help message and exit
--file FILE, -f FILE file of all URLs to be tested against SSRF
--url URL, -u URL url to be tested against SSRF
--output, -o output file path
--verbose, -v activate verbose mode
Single URL target:
python3 autossrf.py -u https://www.host.com/?param1=X&param2=Y&param2=Z
Multiple URLs target with verbose:
python3 autossrf.py -f urls.txt -v
1 - Clone
git clone https://github.com/Th0h0/autossrf.git
2 - Install requirements
Python libraries:
cd autossrf
pip install -r requirements.txt
Interactsh-Client:
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
autoSSRF is distributed under the MIT License.
TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the TeamFiltration wiki page for an introduction into how TeamFiltration works and the Quick Start Guide for how to get up and running!
This tool has been used internally since January 2021 and was publicly released in my talk "Taking a Dumb In The Cloud" during DefCON30.
You can download the latest precompiled release for Linux, Windows and MacOSX X64
The releases are precompiled into a single self-contained binary. The size goes up, but you do not need DotNetCore or any other dependencies to run them.
TeamFiltration V0.3.3.7 PUBLIC, created by @Flangvik @TrustedSec
Usage:
--outpath Output path to store database and exfiltrated information (Needed for all modules)
--config Local path to your TeamFiltration.json configuration file, if not provided will load from the current path
--exfil Load the exfiltration module
--username Override to target a given username that does not exist in the database
--password Override to target a given password that does not exist in the database
--cookie-dump Override to target a given account using its refresh-cookie-collection
--all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
--aad Exfiltrate information from Graph API (domain users and groups)
--teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
--onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the user's entire OneDrive directory)
--owa Exfiltrate information from the Outlook REST API (the last 2k emails, both sent and received)
--owa-limit Set the max amount of emails to exfiltrate, default is 2k.
--jwt-tokens Exfiltrate JSON-formatted JWT tokens for SSO resources (MsGraph, AdGraph, Outlook, SharePoint, OneDrive, Teams)
--spray Load the spraying module
--aad-sso Use SecureWorks recent Azure Active Directory password brute-forcing vuln for spraying
--us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
--time-window Defines a time window in which spraying should occur, in the military time format <12:00-19:00>
--passwords Path to a list of passwords, common weak-passwords will be generated if not supplied
--seasons-only Passwords generated for spraying will only be based on seasons
--months-only Passwords generated for spraying will only be based on months
--common-only Spray with the top 20 most common passwords
--combo Path to a combolist of username:password
--exclude Path to a list of emails to exclude from spraying
--sleep-min Minimum minutes to sleep between each full rotation of spraying default=60
--sleep-max Maximum minutes to sleep between each full rotation of spraying default=100
--delay Delay in seconds between each individual authentication attempt. default=0
--push Get Pushover notifications when valid credentials are found (requires pushover keys in config)
--push-locked Get Pushover notifications when a sprayed account gets locked (requires pushover keys in config)
--force Force the spraying to proceed even if there is less than the <sleep> time since the last attempt
--enum Load the enumeration module
--domain Domain to perform enumeration against, names pulled from statistically-likely-usernames if not provided with --usernames
--usernames Path to a list of usernames to enumerate (emails)
--dehashed Use the dehashed submodule in order to enumerate emails from a basedomain
--validate-msol Validate that the given o365 accounts exist using the public GetCredentialType method (Very rate-limited - Slow 20 e/s)
--validate-teams Validate that the given o365 accounts exist using the Teams API method (Recommended - Super Fast 300 e/s)
--validate-login Validate the given o365 accounts by attempting to log in (Noisy - triggers logins - Fast 100 e/s)
--backdoor Loads the interactive backdoor module
--database Loads the interactive database browser module
--debug Add burp as a proxy on 127.0.0.1:8080
Examples:
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --all
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --backdoor
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --database
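The spraying module's knobs above (one guess per account per rotation, --sleep-min/--sleep-max between rotations, --delay between attempts) describe the pattern a defender has to pick out of sign-in logs: one source failing against many distinct users, each only once or twice, rather than many failures against one user. The following is an added example (not code from TeamFiltration) of that detection over constructed sign-in records; the IP addresses, usernames, timestamps and the 60-minute / 5-user thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real tenant data): (timestamp, source_ip, username, success).
SAMPLE_SIGNINS = [
    ("2023-05-01T09:00:00", "192.0.2.5", "alice@corp.example", True),
    # rotation 1 from one source: six users, one guess each, a few seconds apart
    ("2023-05-01T13:00:00", "203.0.113.10", "alice@corp.example", False),
    ("2023-05-01T13:00:05", "203.0.113.10", "bob@corp.example", False),
    ("2023-05-01T13:00:10", "203.0.113.10", "carol@corp.example", False),
    ("2023-05-01T13:00:15", "203.0.113.10", "dave@corp.example", False),
    ("2023-05-01T13:00:20", "203.0.113.10", "erin@corp.example", False),
    ("2023-05-01T13:00:25", "203.0.113.10", "frank@corp.example", False),
    # rotation 2 from the same source, roughly two hours later
    ("2023-05-01T15:05:00", "203.0.113.10", "alice@corp.example", False),
    ("2023-05-01T15:05:05", "203.0.113.10", "bob@corp.example", False),
    ("2023-05-01T15:05:10", "203.0.113.10", "carol@corp.example", False),
    ("2023-05-01T15:05:15", "203.0.113.10", "dave@corp.example", False),
    ("2023-05-01T15:05:20", "203.0.113.10", "erin@corp.example", False),
    ("2023-05-01T15:05:25", "203.0.113.10", "frank@corp.example", False),
    # one user mistyping a password: same user, several failures, then success
    ("2023-05-01T13:10:00", "198.51.100.7", "carol@corp.example", False),
    ("2023-05-01T13:11:00", "198.51.100.7", "carol@corp.example", False),
    ("2023-05-01T13:12:00", "198.51.100.7", "carol@corp.example", False),
    ("2023-05-01T13:13:00", "198.51.100.7", "carol@corp.example", True),
]


def spray_sources(records, window_minutes=60, min_distinct_users=5):
    """Return {source_ip: max_distinct_failed_users_in_any_window} for sources
    that fail against at least min_distinct_users distinct accounts within
    window_minutes. A single account failing repeatedly never qualifies."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, ip, user, success in records:
        if not success:
            failures[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        best, start = 0, 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({user for _, user in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in spray_sources(SAMPLE_SIGNINS).items():
        print(f"possible spray from {ip}: {count} distinct users failed within one window")
```

The distinct-user count is what separates a spray from a lockout or a brute force on one account; the per-rotation sleep the tool advertises is why the window needs to be measured in minutes to hours rather than seconds, and why a per-source count over a day is a useful second pass.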