SCCM Relay Exploit Workflow
- Use the auxiliary/admin/dcerpc/samr_account module to create a new computer account for testing the relay
- Use the auxiliary/gather/ldap_query module to enumerate SCCM target information
- Use the new auxiliary/server/relay/relay_get_naa_credentials module to attack SCCM
- For demonstration or testing purposes, use net use to trigger an authentication attempt to Metasploit
SMB-to-LDAP Relaying Workflow followed by ESC15 Exploitation
- Use the auxiliary/server/relay/smb_to_ldap module to start a relaying listener
- For demonstration or testing purposes, use net use to trigger an authentication attempt to Metasploit
- Use the auxiliary/gather/ldap_esc_vulnerable_cert_finder module with the newly opened LDAP session to identify exploitable certificate templates
- Use the auxiliary/admin/dcerpc/icpr_cert module to exploit ESC15 by setting the new ADD_CERT_APP_POLICY datastore option (see: https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html#exploiting-esc15)
- Use the auxiliary/admin/kerberos/get_ticket module to obtain a TGT from the certificate
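Both relay workflows above (SMB to SCCM, SMB to LDAP) depend on the target service accepting unsigned or unbound authentication. The following defender-side check is added here and is not part of the original workflow or of Metasploit; it assumes local administrator rights on the Domain Controller (for the LDAP values) or on the SCCM site server or other relay target (for the SMB value), and uses the Microsoft-documented registry value names for these settings.

```powershell
# Added defender-side check, not part of the original workflow or of Metasploit.
# Assumption: run elevated on the host being assessed; the registry paths and value
# names below are the Microsoft-documented ones for SMB signing, LDAP signing and
# LDAPS channel binding. A $null value means the setting is absent and the default applies.
function Test-RelayHardening {
    [CmdletBinding()]
    param(
        [switch]$IsDomainController
    )

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Read a DWORD value, returning $null when it is not set.
    function Get-Dword($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $results = @()

    # SMB server signing: relaying a captured SMB authentication to this host
    # (the SCCM relay in the first workflow) only works when signing is not required.
    $smbSign = Get-Dword $srv 'RequireSecuritySignature'
    $results += [pscustomobject]@{
        Control  = 'SMB server signing required'
        Value    = $smbSign
        Hardened = ($smbSign -eq 1)
    }

    if ($IsDomainController) {
        # LDAP signing: 2 = require signing, which stops the SMB-to-LDAP relay.
        $ldapSign = Get-Dword $ntds 'LDAPServerIntegrity'
        $results += [pscustomobject]@{
            Control  = 'LDAP signing required'
            Value    = $ldapSign
            Hardened = ($ldapSign -eq 2)
        }
        # LDAPS channel binding: 2 = always, so relayed NTLM cannot be used over LDAPS either.
        $cbt = Get-Dword $ntds 'LdapEnforceChannelBinding'
        $results += [pscustomobject]@{
            Control  = 'LDAPS channel binding enforced'
            Value    = $cbt
            Hardened = ($cbt -eq 2)
        }
    }
    $results
}

Test-RelayHardening -IsDomainController | Format-Table -AutoSize
```

Any row with Hardened = False is a host where the corresponding relay workflow would still succeed; the LDAP rows are only meaningful on a Domain Controller.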
Meterpreter with PoolParty
- Use the exploit/windows/smb/psexec module to open a Meterpreter session to the target
- Reuse the TGT from the previous demo by setting the SMB::Krb5Ccname option
- Use API Monitor to log NtCreateThreadEx syscalls, showing an instance with a process handle in use
- Switch to the latest version of Metasploit
- Repeat step #1 to open a new, updated session
- Rerun the test to validate that no calls to CreateRemoteThread are taking place