Services & Features
LAPS
LAPS allows you to manage the local Administrator password (which is randomised, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES
When using LAPS, 2 new attributes appear in the computer objects of the domain: ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime. These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes.
Commands
Dumping credentials via crackmapexec
Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols.
Enumeration
Here, one should look for services that haven't been discovered before.
Abusing COM & DCOM
Explanation of the technologies
COM
COM is, simply put, a method for sharing binary code across different applications and languages.
COM solves all these problems by defining a binary standard, meaning that COM specifies that the binary modules (the DLLs and EXEs) must be compiled to match a specific structure. The standard also specifies exactly how COM objects must be organized in memory. The binaries must also not depend on any feature of any programming language (such as name decoration in C++).
DCOM
Specifies the Distributed Component Object Model (DCOM) Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.
Exploitation
A DCOM application MMC20 allows for snap-in operations. One method withing the application is name ExecuteShellCommand
. As the name suggests this allows for command execution over the network.
POC
One can use Impacket's dcomexec.py
script to obtain RCE.
-silentcommand is needed, as otherwise a cmd window will open up on the victim's screen
References
Last updated