ELEVATE-2 - Client Push
Document Reference
Description
It is possible to coerce NTLM authentication from a site servers push installation account and machine account. The NTLM authentication can either be cracked offline or relayed elsewhere for authentication.
Requirements
SCCM automatic site assignment and automatic client push installation are enabled
PKI certificates aren’t required for client authentication
SMB Signing disabled (If relaying authentication)
Domain user credentials
Local Administrator (If performing from Windows)
Fallback to NTLM authentication is not explicitly disabled (default)
Credential Capture
Setup capture
Setup Inveigh or Invoke-Inveigh to sniff for network traffic (Local Admin Required)
Trigger client push installation
Trigger the client push on the site server, targeting the listening host. This process may take a couple of minutes to capture
hashcat
Relay Authentication
ntlmrelayx Setup
Before setting up ntlmrelayx on Windows we need to divert SMB traffic on port 445 to an alternate port such as 8445 with divertTCPConn (Local Administrator Required)
Configure ntlmrelayx
Trigger Push authentication then wait a minute or two to capture the authentication request.
Getting full shells on Windows
The below page demonstrates how to get full shells on Windows with Amnesiac and ntlmrelayx.
Defensive IDs
Last updated