Tim Brown timb-machine

Sarah Edwards (@iamevltwin)
Unified Log
- Howard Oakley @howardnoakley
  - Unified log: 1 why, what and how
  - Unified log: 2 content and extraction
Unified log: 3 finding your way

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

	#include <sys/types.h>
	#include <sys/ptrace.h>
	#include <signal.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <openssl/aes.h>

	#define MAXIMUMWIDTH 80
	#define MAXIMUMHEIGHT 20

	$ cat racecar.sh
	#!/bin/sh

	while :
	do
	echo "#!/bin/sh" > /Volumes/USB/a
	chmod u+xs /Volumes/USB/a
	ls -la /Volumes/USB/a \| grep sr \| grep -v 10
	done

	$ sudo yara -r yara/log4j.yara /usr/local
	log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
	log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
	log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar
	log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar

	$ ./packet-monkey.sh --type all --pcapfilename packets-hostname-xxx.pcap
	_ _ _
	_ __ __ _ ___\| \| _____\| \|_ _ __ ___ ___ _ __ \| \| _____ _ _
	\| '_ \ / _` \|/ __\| \|/ / _ \ __\|____\| '_ ` _ \ / _ \\| '_ \\| \|/ / _ \ \| \| \|
	\| \|_) \| (_\| \| (__\| < __/ \|\|_____\| \| \| \| \| \| (_) \| \| \| \| < __/ \|_\| \|
	\| .__/ \__,_\|\___\|_\|\_\___\|\__\| \|_\| \|_\| \|_\|\___/\|_\| \|_\|_\|\_\___\|\__, \|
	\|_\| \|___/

	=[ @timb_machine ]=

	rule pscan_or_luckscan {
	meta:
	author = "Tim Brown @timb_machine"
	description = "Hunts for references to pscan_or_luckscan"
	strings:
	$getopt = "%s <a-block> <port> [b-block] [c-block]"
	$vulnerable = "Lets try to root the %s"
	condition:
	$getopt or $vulnerable
	}

	# setup webex bot auth token env var - get auth here: https://developer.webex.com/my-apps/new/bot
	export WEBEX_TOKEN="GET_TOKEN_ABOVE"

	# get room id
	WEBEX_ROOMID=$(curl --request GET --header "Authorization: Bearer $WEBEX_TOKEN" https://webexapis.com/v1/rooms \|jq -r '.items[] \| select(.title == "Room Name") \| .id')

	# post message
	WEBEX_MSG="notification here"
	curl --request POST --header "Authorization: Bearer $WEBEX_TOKEN" --form "roomId=$WEBEX_ROOMID" --form "text=$WEBEX_MSG" https://webexapis.com/v1/messages

	$ dig any wearekuiper.com

	; <<>> DiG 9.10.6 <<>> any wearekuiper.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11921
	;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4000

	$ echo netfilegetsec 'IPC$' /etc/shadow \| rpcclient -U '%' 10.10.10.3
	revision: 1
	type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
	DACL
	ACL Num ACEs: 3 revision: 2
	---
	ACE
	type: ACCESS ALLOWED (0) flags: 0x00
	Specific bits: 0x1ff
	Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS