
@l0gan
l0gan / Workstation-Takeover.md
Created August 2, 2021 19:12 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of domain credentials for the RPC call. HTTP is the important part: NTLM authentication that originates from the WebClient (WebDAV) service does not negotiate signing, so unlike SMB-originated authentication it can be relayed to LDAP/LDAPS.
  • Relaying that machine authentication to LDAPS and using it to configure RBCD, i.e. writing an attacker-controlled account that has an SPN (typically a computer account) into the victim's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
  • RBCD takeover: using that account's credentials to perform S4U2Self/S4U2Proxy and obtain a service ticket to the victim (for example CIFS or HOST) as a privileged user, which yields code execution on it.

The caveat to this is that the WebClient service does not start automatically at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely, which I cover in a section below.
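As an added illustration (not part of the original gist or of the tooling it references), the block below builds the value that the relay step writes: msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative security descriptor whose DACL carries an ACCESS_ALLOWED ACE for the SID of the account that is being granted delegation rights. It also decodes such a value back into SIDs, which is the check a defender runs across computer objects to spot unexpected delegation. It uses only the Python standard library; the owner SID, access mask and ACL revision are assumptions chosen to match what common relay tooling emits, and every SID below is constructed sample data.

```python
"""Build and decode msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) values.

Pure-Python (struct only) illustration of the self-relative security
descriptor that the relay step writes onto the victim computer object,
plus a decoder that lists which SIDs that descriptor grants rights to.
All SIDs used here are constructed sample data, not from a real domain.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF      # access mask relay tooling grants the delegating account (assumption)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4            # ACL revision used for directory-service ACLs
SD_HEADER_LEN = 20             # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
OWNER_SID = "S-1-5-32-544"     # BUILTIN\Administrators; conventional owner for this SD (assumption)


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %s" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off:]; return (sid string, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, buf, off + 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, 8 + 4 * count


def build_allow_ace(sid):
    """ACCESS_ALLOWED_ACE granting FULL_CONTROL to sid: header, mask, SID."""
    body = struct.pack("<I", FULL_CONTROL) + sid_to_bytes(sid)
    size = 4 + len(body)                          # AceType, AceFlags, AceSize + body
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, size) + body


def build_rbcd_descriptor(delegate_sids):
    """Self-relative SD whose DACL lets each SID act on behalf of other identities."""
    aces = b"".join(build_allow_ace(s) for s in delegate_sids)
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    owner_off = SD_HEADER_LEN                     # owner SID follows the header
    dacl_off = owner_off + len(owner)             # DACL follows the owner; no group, no SACL
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def rbcd_delegates(sd):
    """Return [(sid, mask)] for ACCESS_ALLOWED ACEs in the DACL: who may delegate to this object."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    found = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from("<I", sd, off + 4)
            sid, _ = sid_from_bytes(sd, off + 8)
            found.append((sid, mask))
        off += ace_size                           # skip ACE types we do not interpret
    return found


if __name__ == "__main__":
    # Constructed sample: the SID of an attacker-controlled computer account.
    attacker_machine = "S-1-5-21-1111-2222-3333-1105"
    value = build_rbcd_descriptor([attacker_machine])
    print("attribute value (%d bytes): %s" % (len(value), value.hex()))
    for sid, mask in rbcd_delegates(value):
        print("delegation granted to %s with mask 0x%X" % (sid, mask))
```

Running the block prints the hex of the attribute value and the decoded grant. In practice the bytes are written over LDAPS by the relay and, on the defensive side, read back with an LDAP query for computer objects where the attribute is set; any SID the decoder returns that is not an expected front-end service account deserves a look.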

Keybase proof

I hereby claim:

  • I am l0gan on github.
  • I am kirkphayes (https://keybase.io/kirkphayes) on keybase.
  • I have a public key ASCKGN0rOY-uNcLEXvguW8RG6I-0mXm5-2F90-6QjAb08go

To claim this, I am signing this object:

@l0gan
l0gan / Kali 2.0 ISO Build
Created April 1, 2016 01:33 — forked from jgamblin/Kali 2.0 ISO Build
Build Your Own Kali 2.0 ISO
##################################################################
Install live-build
##################################################################
sudo apt-get install live-build
##################################################################
Git clone the live-build configs
##################################################################
git clone git://git.kali.org/live-build-config.git
### Keybase proof
I hereby claim:
* I am l0gan on github.
* I am kirkphayes (https://keybase.io/kirkphayes) on keybase.
* I have a public key whose fingerprint is E2E8 3F20 478A 1D53 D54B 5B5A B2BA 102F 57ED E07D
To claim this, I am signing this object: