Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-24 21:03:07 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
ARZ 2021-12-07 17:41:40 +05:00 committed by GitHub
parent 6844389cc2
commit 394a6629aa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 437 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
Active Directory/Domain Enumeration/Domain enumeration.md Normal file
View file

@ -0,0 +1,21 @@
# Domain Enumeration - Bloodhound
Bloodhound is useful for gathering AD entities , relationships , it uses graph theory for providing the capability of mapping shortest path for interesting thing , it can find interesting things like `Domain Admins` , it has built-in queries.
https://github.com/BloodHoundAD/BloodHound
## Sharphound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
### Generate archive
```
Invoke-BloodHound -CollectionMethod All
```
### Avoiding detection form Advanced Threat Analytics (ATA)
```
Invoke-BloodHound -CollectionMethod All -ExcludeDC
```

180
Active Directory/Enumeration/1-Doman,Group,Users.md Normal file
View file

@ -0,0 +1,180 @@
# Domain Enumeration
`$ADClass=[System.DirectoryServices.ActiveDirectoy.Domain]`
`$ADClass::GetCurrentDomain()`
We can use modules like `PowerView` or `ADModule`
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
https://github.com/samratashok/ADModule
## PowerView Commands
### Get current domain
`Get-NetDomain`
### Get Object of another domain
`Get-NetDomain -Domain <domainname>`
### Get Domain SID for current domain
`Get-DomainSID`
### Get Domain Controller for current domain
`Get-NetDomainController`
### Get Domain Controllers for another domain
`Get=NetDomainController -Domain <domain_name>`
### Get Domain Policy for current domain
```
Get-DomainPolicy`
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."Kerberos Policy"
```
### Get Domain Policy for another domain
`(Get-DomainPolicy -domain <domainname>). "system access"`
### Get a list of users in the current domain
```
Get-NetUser
Get-NetUser -Username <user>
Get-NetUser | select cn
```
### Get list of all properites for users in current domain
```
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount (user is either not active or it's just a decoy user so we should avoid enumerating these users)
```
### Search for a particular string in a user's attribute
`Find-UserField -SearchField Description -SearchTerm "built"`
### Get list of computers in current domain
```
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -Ping
Get-NetComputer -FullData
```
### Get all groups in current domain
```
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
```
### Get all group containing the word "admin"
```
Get-NetGroup "admin"
Get-NetGroup "admin" -Domain <domainname>
```
### Get all members of Domain Admins group for current domain
```
Get-NetGroupMember -GroupName "Enterprise Admins"
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Administartors"
```
### Get all members of Domain Admins group for all domains
```
Get-NetGroupMember -GroupName "Administartors" -Recurse
```
### Get the group membership of a user
```
Get-NetGroup -Username "<username>"
```
## AD Module
Use the psd1 file for AD module
### Get current domain
`Get-ADDomain`
### Get Object of another domain
`Get-ADDomain -Identity <domainname>`
### Get Domain SID for current domain
`(Get-ADDomain).DomainSID`
### Get Domain Controller for current domain
`Get-ADDomainController`
### Get Domain Controllers for another domain
`Get-ADDomainController -DomainName <domainname> -Discover`
### Get a list of users in the current domain
`Get-ADUser -Filter * -Properties *`
`Get-ADUser -Identity <user> -Properties *`
### Get list of all properties for users in the current domain
`Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType * Property | select Name`
`Get-ADUser -Filter * -Properties * | select name ,@(expression*`
### Search for a particular string in a user's attribute
`Get-ADUser-Filter 'Description' -like "*built"' -Properties Description | select name,Description`
### Get list of computers in current domain
`Get-ADComputer -Filter * | select Name`
`Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem`
`Get-ADComputer -Filter * -Properties DNSHostName | %{Test - Connection -Count 1 -ComputerNmae $_ DNSHostName)`
`Get-ADComputer -Filter * -Properties *`
### Get all groups in current domain
```
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties
```
### Get all groups containing word "admin" in group name
```
Get-ADGroup -Filter 'Name -like "*admin" | select Name
```
### Get all members of Domain Admins group
```
Get-ADGroupMember - Identity "Domain Admins" -Recursive
```
### Get the group membership of a user
```
Get-ADPrincipalGroupMembership -Identity <username>
```

21
Active Directory/Enumeration/2- File servers , shares.md Normal file
View file

@ -0,0 +1,21 @@
# Domain Enumeration finding file servers and shares on hosts
## PowerView commands
### Find shares on hosts in current domain
```
Invoke-ShareFinder -verbose
```
### Find sensitive files on computers in the domain
```
Invoke-FileFinder -Verbose
```
### Get all fileservers of the domain
```
Get-NetFileServer
```

63
Active Directory/Enumeration/3-GPO.md Normal file
View file

@ -0,0 +1,63 @@
# Domain Enumeration Group Policy Objects
## PowerView commands
### Get list of GPO in current domain
```
Get-NetGPO
Get-NetGPO -ComputerName computername.domainname
```
### Get GPO(s) which use restricted groups or groups.xml for interesting users
```
Get-NetGPOGroup
```
### Get users which are in a local group of a machine using GPO
```
Find-GPOComputerAdmin -Computername computername.domainname
```
### Get machines where the given user is member of a specific group
```
Find-GPOLocation -Username username -Verbose
```
### Get OUs in a domain
```
Get-NetOU -FullData
```
### Get GPO applied on an OU . Read GPOname from gplink attribute
```
Get-NetGPO -GPOname "{guid_string}"
```
## Group Policy Module commands
### Get list of GPO in current domain
```
Get-GPO -All
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
```
### Get GPO applied on an OU . Read GPOname from gplink attribute
```
Get-GPO -Guid guid_string
```
## AD Module
### Get OUs in a domain
```
Get-ADOrganizationalUnit -Filter * -Properties *
```

3
Active Directory/Enumeration/4-ACL.md Normal file
View file

@ -0,0 +1,3 @@
# Domain Enumeration - Access Control List
##

102
Active Directory/Enumeration/5-Trusts.md Normal file
View file

@ -0,0 +1,102 @@
# Domain Enumeration - Trusts
In AD , trust is a relationship b/w domains or forest that allows user of one domain or forest to access resources in other domain or forest, trust can be automatic (parent-child).
TDOs (Trusted Domain Objects) represent the trust relationship in a domain
## One way trust
It's an undirectional trust in which users in trusted domain can access resources in trusting domain (resource) but cannot be done in reverse
## Two way trust (bi directional)
Users of both domains can access resources in the other domain
## Trust Transitivity
Trust can be extended to establish trust relationships with othe domains
### Transitive
All default intra-forest trust relationships (tree-root, parent-child) between domains within a same forest are transitive two-way trust
### Non-transitive
Cannot be extended to other domains in forest , can be two-way or one-way, this is the default trust (called external trust) between two domains in different forest do not have a trust realtionship.
## Domain Trusts
### Default/Automatic Trusts
- Parent-child trust , it's created automatically b/w new domain and domain that preceeds it in the namespace hierarrchy , whenever a new domain is added in a tree , for example `dollarcorp.moenycorp.local` is a child of `moneycorp.local`, trust will always be bi-directional
- Tree-root trust , it's created automatically whenever a new domain tree is added to a forest root , this trust is bi-directional as well
### Shortcut Trusts
Used to reduce access time in complex trust scenarios , can be one way or two way transitive
### External Trust
External trust b/w two domains in different forests when forests do not have a trust relationship , can be one way or two way
# Domain Trust mapping
## Powerview commands
### Get list of all domain trusts for current domain
```
Get-NetDomainTrust
Get-NetDomainTrust -Domain domain_name
```
## AD Module
### Get list of all domain trusts for current domain
```
Get-ADTrust
Get-ADTrust- Identity domain_name
```
# Forest Mapping
## Power View
### Get details about current forest
```
Get-NetForest
Get-NetForest -Forest name
```
### Get all domains in current forest
```
Get-NetForestDomain
Get-NetForestDomain -Forest name
```
### Get all global catalogs for current forest
```
Get-NetForestCatalog
Get-NetForestCatalog -Forest name
```
### Map trusts of a forest
```
Get-NetForestTrust
Get-NetForestTrust -Forest name
```
## AD Module
### Get details about current forest
```
Get-ADForest
Get-ADForest -Identity name
```
### Get all domains in current forest
```
(Get-ADForest).Domain
```
### Get all global catalogs for current forest
```
Get-ADForest | select -ExpandPropery GlobalCatalogs
```
### Map trusts of a forest
```
Get-ADTrust -Filter 'msDS0TrustForestTrustInfo -ne "$null$"'
```

47
Active Directory/Enumeration/6-User Hunting.md Normal file
View file

@ -0,0 +1,47 @@
# Domain Enumeration - User Hunting
## Power View commands
### Find all machines on current domain where the current user has local admin access
```
Find-LocalAdminAccess -verbose
Invoke-CheckLocalAdminAccess
```
If `find-localadminaccess` is blocked because it sends `Get-NetComputer` to DC , so we can try to use `Find-WMILocalAdminAccess.ps1`
Save the results of `Get-NetComputer` in a text file then run
```
. .\Find-WMILocalAdminAccess.ps1 -ComputerFile computer.txt -verbose
```
### Find local admins on all machines of the domain (needs administrator on non-dc machines )
```
Invoke-EnumerateLocalAdmin -Verbose
```
this function queries DC of current or provided domain for a list of compters (`Get-NetComputer`) and then use multi-threaded `Get-NetLocalGroup` on each machine.
### Find computers where a domain admin (or specified user/group) has sessions
```
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
```
this function queries DC of current or provided domain for members of the given group (Domain Admins bt default) using `Get-NetGroupMember` , gets a list of computers (`Get-NetComputer`) and list sessions and logged on users (`Get-NetSession/Get-NetLoggedon`)
### To confirm admin access
```
Invoke-UserHunter -CheckAccess
```
### Find computers where a domain admin is logged in
```
Invoke-UserHunter -Stealth
```
This option queries DC of current or provided domain for members of given group (Domain Admins by default) using `Get-NetGroupMember` , gets a list_only of high traffic servers (DC , file servers and Distributed file servers ) for less traffic generation and list sessions and logged on users (`Get-NetSession/Get-NetLoggedon`) from each machine