feat: add ntlm hash support for laps extraction and gmsa exploit detection#277
Merged
Conversation
**Changed:**
- Allow ACL discovery to run on dominated domains by removing the early continue condition, enabling enumeration of writeable ACEs for exploitation chains such as acl_abuse, rbcd, shadow_credentials, and gpo_abuse
- Updated comments to clarify that ACL discovery is safe and required on dominated domains, while destructive actions remain gated separately
**Added:**
- Support for domain-wide LAPS sweep using NTLM hashes when plaintext passwords are unavailable, enabling pass-the-hash extraction in `auto_laps_extraction`
- `nt_hash` field to the LapsWork struct to track hash material for use in LAPS extraction
- Passing `nt_hash` in the dispatch payload for LAPS extraction, enabling downstream use in `laps_dump`
- Validation in `laps_dump` to require either a password or an NTLM hash as credential input

**Changed:**
- Updated LAPS extraction workflow to handle both plaintext passwords and NTLM hashes, ensuring deduplication across credential types
- Modified credential argument construction in `laps_dump` to support NTLM hash authentication, passing through the hash when present
…ndling

**Changed:**
- Implemented separate handling for intra-forest (child-to-parent) and inter-forest trust escalations in trust automation logic, including distinct vuln_id, vuln_type, and note descriptions
- Updated vulnerability reporting to reflect new escalation distinctions and improve MITRE primitive mapping
…retsdump hashes

**Added:**
- Introduced `is_gmsa_principal` function to identify Group Managed Service Account principals based on naming heuristics
- Emitted `gmsa_*` exploit tokens when secretsdump returns gMSA hashes, ensuring incidental gMSA hash captures are credited
- Added unit tests for `is_gmsa_principal` covering matching, rejection of non-gMSA machine accounts, and rejection of regular users

**Changed:**
- Updated hash discovery logic to use `is_gmsa_principal` for marking gMSA hashes as exploited, improving detection and tracking of exploited gMSA accounts
…omain controller

**Added:**
- Added logic to detect and skip attempts to coerce authentication from a DC to itself during unconstrained delegation exploitation, preventing failed exploitation attempts and unnecessary throttling
- Added debug logging to indicate when the scenario is subsumed by dc_secretsdump or deferred due to lack of a viable self-coerce path
Codecov Report ❌ Patch coverage is

Additional details and impacted files

```
@@ Coverage Diff @@
##    feat/more-attack-cov    #277   +/-   ##
=======================================================
  Coverage          ?   76.31%
=======================================================
  Files             ?      432
  Lines             ?   112928
  Branches          ?        0
=======================================================
  Hits              ?    86177
  Misses            ?    26751
  Partials          ?        0
```
**Changed:**
- Refactored chaining of vectors in domain validation to remove redundant into_iter calls, improving code clarity and consistency in tool_dispatcher/domain_validator.rs
**Added:**
- Added `collect_laps_hash_sweep_work` helper to encapsulate LAPS hash sweep filtering and work item construction, with full coverage unit tests - `laps.rs`
- Added `build_laps_payload` helper to build the LAPS dispatch payload, with unit tests for optional field handling - `laps.rs`
- Added `classify_trust_escalation` helper for mapping trust escalation types to tokens and details, with thorough unit tests - `trust.rs`
- Added `skip_self_coerce_loop` helper to encapsulate self-coerce skip logic for unconstrained delegation, with detailed unit tests - `unconstrained.rs`
- Added `gmsa_exploit_token` helper to unify gMSA scoreboard token construction, with tests to ensure convergence across discovery paths - `result_processing/mod.rs`
- Added test to validate `laps_dump` requires either password or nt_hash for authentication - `ares-tools/src/credential_access/misc.rs`

**Changed:**
- Refactored LAPS NTLM hash sweep logic in `auto_laps_extraction` to use new `collect_laps_hash_sweep_work` helper for deduplication and testability - `laps.rs`
- Refactored LAPS payload construction to use `build_laps_payload` for consistency and test coverage - `laps.rs`
- Updated trust follow automation to use `classify_trust_escalation`, unifying scoreboard tokenization and note logic - `trust.rs`
- Replaced inline self-coerce skip logic with `skip_self_coerce_loop` for improved clarity and testability - `unconstrained.rs`
- Replaced inline gMSA exploit token construction with the new `gmsa_exploit_token` helper to ensure deduplication - `result_processing/mod.rs`
**Added:**
- Introduced `collect_laps_vuln_work` and `collect_laps_sweep_work` functions to encapsulate LAPS work item logic, enabling independent unit testing of LAPS extraction paths
- Added comprehensive unit tests for `collect_laps_vuln_work` and `collect_laps_sweep_work`, covering credential filtering, deduplication, and field extraction
- Introduced `build_trust_escalation_vuln` function for constructing trust escalation vulnerabilities, with associated unit tests verifying all details fields and escalation scenarios

**Changed:**
- Refactored `auto_laps_extraction` to use the new `collect_laps_vuln_work` and `collect_laps_sweep_work` helpers, reducing inline logic duplication and clarifying extraction paths
- Refactored `auto_trust_follow` to use the new `build_trust_escalation_vuln` for vulnerability construction, eliminating repeated details assembly and improving testability

**Removed:**
- Removed inlined LAPS and trust escalation work item construction code from main automation loops, delegating logic to testable helper functions
**Changed:**
- Enable GitHub Actions workflows to trigger on pull requests to feat/more-attack-cov branch across all workflow YAML files for improved CI coverage during feature development
…dreadgoad-tier1-fixes

# Conflicts:
#	ares-cli/src/orchestrator/result_processing/tests.rs
Key Changes:

Added:
- `nt_hash` field to `LapsWork` struct and downstream dispatch logic, enabling netexec to use `-H` for hash-based authentication
- `is_gmsa_principal` to identify gMSA accounts by SAM name and trailing `$`

Changed:

Removed:
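As an added illustration (not code from this PR or the ares project), here is a Rust sketch of the kind of naming heuristic the `is_gmsa_principal` summary describes, together with a deduplicating filter of the sort a scoreboard would need so one account is credited only once. The PR states only that the check uses the SAM name and its trailing `$`; the service-account markers used here (a `gmsa` substring or an `svc` prefix in the stem), the `DOMAIN\name` / `name@domain` normalisation, and the `gmsa_candidates` helper are assumptions of this example. Because a gMSA's sAMAccountName ends in `$` exactly like a computer account's, a name-only check is a heuristic; the authoritative test is the object's `objectClass` (`msDS-GroupManagedServiceAccount`) in the directory.

```rust
use std::collections::HashSet;

// Added example, not code from the PR. The PR states only that
// `is_gmsa_principal` uses the SAM name and its trailing '$'; the markers
// below ("gmsa" substring, "svc" prefix) and the domain-prefix handling are
// assumptions made for this illustration.

/// Reduce `DOMAIN\name` or `name@domain` to the bare sAMAccountName.
fn bare_sam_name(principal: &str) -> &str {
    let after_backslash = principal.rsplit('\\').next().unwrap_or(principal);
    after_backslash.split('@').next().unwrap_or(after_backslash)
}

/// Naming heuristic for gMSA principals.
///
/// A gMSA sAMAccountName ends in '$' just like a computer account, so the
/// trailing '$' alone only separates machine/service principals from user
/// principals. To tell a gMSA from a plain machine account this example
/// additionally requires a service-account marker in the stem (assumption).
/// Authoritative classification needs the object's objectClass
/// (msDS-GroupManagedServiceAccount) from the directory, not the name.
pub fn is_gmsa_principal(principal: &str) -> bool {
    let name = bare_sam_name(principal);
    let stem = match name.strip_suffix('$') {
        Some(stem) => stem,
        None => return false, // no trailing '$': a regular user, never a gMSA
    };
    if stem.is_empty() {
        return false; // a bare "$" is not a valid account name
    }
    let stem = stem.to_ascii_lowercase();
    stem.contains("gmsa") || stem.starts_with("svc")
}

/// Filter principals down to gMSA candidates, normalised to a lowercase bare
/// name and deduplicated in first-seen order, so that the same account seen
/// once as `CORP\gMSA_Web01$` and once as `gmsa_web01$` is credited only once.
pub fn gmsa_candidates(principals: &[&str]) -> Vec<String> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for p in principals {
        if !is_gmsa_principal(p) {
            continue;
        }
        let key = bare_sam_name(p).to_ascii_lowercase();
        if seen.insert(key.clone()) {
            out.push(key);
        }
    }
    out
}

fn main() {
    // Constructed sample principals for the stand-alone run.
    let sample = ["CORP\\gMSA_Web01$", "gmsa_web01$", "WS01$", "svc_adfs$", "jdoe"];
    for name in gmsa_candidates(&sample) {
        println!("gMSA candidate: {name}");
    }
}
```

The three rejection cases the PR's unit tests name (regular users, non-gMSA machine accounts, and a match) map onto `jdoe`, `WS01$` and `gMSA_Web01$` respectively; whatever marker set a real implementation picks, keeping it in one place and normalising the domain prefix before comparison is what lets the deduplication be reliable.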