FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
☐ β˜† βœ‡ The Hacker News

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

By: Newsroom β€” March 29th 2024 at 12:12
A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. "TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen
☐ β˜† βœ‡ The Hacker News

Key Lesson from Microsoft’s Password Spray Hack: Secure Every Account

By: The Hacker News β€” March 25th 2024 at 11:37
In January 2024, Microsoft discovered they’d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn’t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of
☐ β˜† βœ‡ The Hacker News

Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics

By: Newsroom β€” February 27th 2024 at 10:34
Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29. The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the
☐ β˜† βœ‡ The Hacker News

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

By: Newsroom β€” January 26th 2024 at 06:03
Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew
☐ β˜† βœ‡ The Hacker News

Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

By: THN β€” September 15th 2023 at 04:14
Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the nameΒ Peach SandstormΒ (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate
☐ β˜† βœ‡ KitPloit - PenTest Tools!

ShadowSpray - A Tool To Spray Shadow Credentials Across An Entire Domain In Hopes Of Abusing Long Forgotten GenericWrite/GenericAll DACLs Over Other Objects In The Domain

By: Zion3R β€” May 15th 2023 at 12:30


A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.

Why this tool

In a lot of engagements I see (in BloodHound) that the group "Everyone" / "Authenticated Users" / "Domain Users" or some other wide group, which contains almost all the users in the domain, has some GenericWrite/GenericAll DACLs over other objects in the domain.


These rights can be abused to add Shadow Credentials on the target object and obtain it's TGT and NT Hash.

It occurred to me that we can just try and spray shadow credentials over the entire domain and see what's sticks (obviously this approach is better suited to non-stealth engagements, don't use this in a red team where stealth is required). When a Shadow Credentials is successfuly added, we simply do the whole PKINIT + UnPACTheHash dance and voilΓ  - we get NT Hashes.

Since the process is extremely fast, this can be used at the very start of the engagement, and hopefully you'll have some users and computers owned before you even start.

Note: I recycled a lot of code from my previous tool so AV/EDRs might flag this as KrbRelayUp...

How this tool works

It goes something like this:

  1. Login to the domain with the supplied credentials (Or use the current session).
  2. Check that the domain functional level is 2016 (Otherwise stop since the Shadow Credentials attack won't work)
  3. Gather a list of all the objects in the domain (users and computers) from LDAP.
  4. For every object in the list do the following:
    1. Try to add KeyCredential to the object's "msDS-KeyCredentialLink" attribute.
    2. If the above is successful, use PKINIT to request a TGT using the added KeyCredential.
    3. If the above is successful, perform an UnPACTheHash attack to reveal the user/computer NT hash.
    4. If --RestoreShadowCred was specified: Remove the added KeyCredential (clean up after yourself...)
  5. If --Recursive was specified: Do the same process using each of the user/computer accounts we successfully owned.

ShadowSpray supports CTRL+C so if at any point you wish to stop the execution just hit CTRL+C and ShadowSpray will display the NT Hashes recovered so far before exiting (as shown in the demo below).

Usage

 __             __   __        __   __   __
/__` |__|  /\  |  \ /  \ |  | /__` |__) |__)  /\  \ /
.__/ |  | /~~\ |__/ \__/ |/\| .__/ |    |  \ /~~\  |


Usage: ShadowSpray.exe [-d FQDN] [-dc FQDN] [-u USERNAME] [-p PASSWORD] [-r] [-re] [-cp CERT_PASSWORD] [-ssl]

    -r   (--RestoreShadowCred)       Restore "msDS-KeyCredentialLink" attribute after the attack is done. (Optional)
    -re  (--Recursive)               Perform ShadowSpray attack recursivly. (Optional)
    -cp  (--CertificatePassword)     Certificate password. (default = random password)


General Options:
    -u  (--Username)                 Username for initial LDAP authentication. (Optional)
    -p  (--Password)                 Password for initial LDAP authentication. (Optional)
    -d  (--Domain)                   FQDN of domain. (Optional)
    -dc (--DomainController)         FQDN of domain controller. (Optional)
    -ssl                                Use LDAP over SSL. (Optional)
    -y  (--AutoY)                    Don't ask for confirmation to start the ShadowSpray attack. (Optional)

TODO

  • Code refactoring and cleanup!!!
  • Add Verbose output option
  • Add option to save KeyCredentials added / TGT requested / NT Hashes gathered to a file on disk
  • Python version ;)
  • Other suggestions will be welcomed

Mitigation and Detection

Taken from Elad Shamir's blog post on Shadow Credentials:

  • If PKINIT authentication is not common in the environment or not common for the target account, the β€œKerberos authentication ticket (TGT) was requested” event (4768) can indicate anomalous behavior when the Certificate Information attributes are not blank.

  • If a SACL is configured to audit Active Directory object modifications for the targeted account, the β€œDirectory service object was modified” event (5136) can indicate anomalous behavior if the subject changing the msDS-KeyCredentialLink is not the Azure AD Connect synchronization account or the ADFS service account, which will typically act as the Key Provisioning Server and legitimately modify this attribute for users.

  • A more specific preventive control is adding an Access Control Entry (ACE) to DENY the principal EVERYONE from modifying the attribute msDS-KeyCredentialLink for any account not meant to be enrolled in Key Trust passwordless authentication, and particularly privileged accounts.

  • Detecting UnPACing and shadowed credentials by Henri Hambartsumyan of FalconForce

ShadowSpray specific detections:

  • This tool attempts to modify every user/computer object in the domain in a very short timeframe, when it fails (most of the time) it generates an LDAP_INSUFFICIENT_ACCESS error. It's possible to build detection around that using the same approach of detecting regular password spray.

Acknowledgements



❌