Change-LockScreen
Configuring
1. Log in to WEB01 as the Administrator user with the password Welcome01!. Open PowerShell and execute the following command to enable WebDAV.
2. After the server restarts, open "Windows Defender Firewall" to open up the SMB port.
3. Click on "Allow an app or feature through Windows Defender Firewall"
4. Select "File and Printer sharing" and click on "OK"
Attacking
How it works
Abuse the lock-screen image changing functionality to trigger a WebDAV network authentication as SYSTEM from the given computer. Then relay that authentication to the Active Directory LDAP service in order to configure Resource-Based Constrained Delegation to that specific machine.
Tools
Executing the attack
Prerequisite
Low-privileged shell on a machine
An account with an SPN associated (or the ability to add new machine accounts; by default this quota is 10)
The WebDAV Redirector feature must be installed on the victim machine (Windows 10 has it by default, but it must be installed manually on Server 2016 and later)
A DNS record pointing to the attacker's machine (by default, authenticated users can create one)
Executing the attack
1. It is expected that a low-privileged shell has already been gained on WEB01 through the SQL server.
2. Get the machine account quota from the domain with crackmapexec:
The machine account quota is 10, meaning we (all authenticated users) can create our own computer object in the domain.
3. Create the machine account FAKE01 with the password 123456 using PowerMad:
4. Create a DNS record for webdav pointing to our attacking machine with Invoke-DNSUpdate. The DNS record is required for the WebDAV connection to work: the client will not connect to an IP address, only to a hostname. We create the DNS record webdav.amsterdam.bank.local pointing to our attacking machine's IP.
We now have all our prerequisites. Time to escalate our privileges.
5. Run NTLMRelay on our Kali machine and set it up so it will write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute that allows our created computer object FAKE01 to act on behalf of WEB01:
6. Run the Change-LockScreen tool in the shell on WS01 and check the NTLMRelay output. The Change-LockScreen command will return an error, but this doesn't matter:
When we check the NTLMRelay output we see that FAKE01 can now impersonate users on WEB01.
If we open the attribute editor on DC02 for WEB01 we can see the msDS-AllowedToActOnBehalfOfOtherIdentity attribute:
7. Create a CIFS service ticket using FAKE01, impersonating the domain admin Administrator, with impacket's getST.py. Fill in the password 123456.
8. Use this ticket and run secretsdump.py to dump the local admin hashes of WEB01.
Cleanup
1. Log in to DC02 as Administrator with the password Welcome01!.
2. Execute the following command to remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute from WEB01.
3. Execute the following command to remove the FAKE01 computer we created:
4. Open "DNS Manager", expand DC02 --> Forward Lookup Zones --> and click on Amsterdam.bank.local. Remove the DNS record created for webdav:
5. From our Kali machine, set the SQL server settings back:
Defending
Recommendations
Change who can add computers to the domain.
Add privileged users to the Protected Users group.
Set the "Account is sensitive and cannot be delegated" flag.
Remove the WebDAV client from servers and workstations.
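The recommendations above can be applied and checked from an administrative PowerShell session on a domain controller. The script below is an added example and is not part of the original lab or of the Change-LockScreen tool; it assumes the ActiveDirectory RSAT module is installed, that the session runs as a Domain Admin, and that the "Domain Admins" group is the set of privileged users you want to protect (change that to suit your environment). The `Get-RbcdAssignments` function at the end doubles as a concrete audit for the Detection section: it lists every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated and decodes which principals are allowed to act on its behalf, which is exactly the attribute this attack writes.

```powershell
# Added example (not from the original lab page): hardening and audit steps that map
# to the recommendations above. Assumes the ActiveDirectory RSAT module and a
# Domain Admin session. 'Domain Admins' is an assumed stand-in for "privileged users".
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Change who can add computers to the domain: lower ms-DS-MachineAccountQuota from
#    its default of 10 to 0 so only explicitly delegated principals can create
#    computer objects (the attack above relied on the default quota to create FAKE01).
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Protect privileged accounts: add them to Protected Users (no NTLM, no delegation)
#    and set "Account is sensitive and cannot be delegated" (AccountNotDelegated).
#    Test this on service accounts first; Protected Users also disables RC4 and long TGTs.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($u in $privileged) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $u
    Set-ADUser -Identity $u -AccountNotDelegated $true
}

# 3. Remove the WebDAV client. On Server 2016+ it is the WebDAV-Redirector feature;
#    on Windows 10/11 it is built in, so disable the WebClient service instead.
$feature = Get-WindowsFeature -Name WebDAV-Redirector -ErrorAction SilentlyContinue
if ($feature -and $feature.Installed) {
    Uninstall-WindowsFeature -Name WebDAV-Redirector
}
Get-Service -Name WebClient -ErrorAction SilentlyContinue |
    Set-Service -StartupType Disabled

# 4. Audit: find every computer that has msDS-AllowedToActOnBehalfOfOtherIdentity set
#    and decode the stored security descriptor into the principals allowed to act on
#    its behalf. Compare the output against a known-good baseline on a schedule.
function Get-RbcdAssignments {
    Get-ADComputer -Filter "msDS-AllowedToActOnBehalfOfOtherIdentity -like '*'" `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $computer = $_
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($computer.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Computer     = $computer.Name
                AllowedToAct = $ace.IdentityReference.Value   # e.g. DOMAIN\FAKE01$
                AccessType   = $ace.AccessControlType
            }
        }
    }
}

Get-RbcdAssignments | Format-Table -AutoSize
```

In the lab scenario, step 4 would report WEB01 with an entry for the FAKE01$ machine account; any computer that appears here without a documented delegation reason is worth investigating. For event-based detection, enable Directory Service Changes auditing so that writes to this attribute produce event 5136 on the domain controller, and watch event 4741 (computer account created) for machine accounts created by ordinary users, which is what the machine-account-quota abuse above looks like in the logs.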
Detection
References