mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3575] No subject
This commit is contained in:
parent
4e1e83fadd
commit
cbd40bbf74
5 changed files with 61 additions and 47 deletions
|
@ -170,7 +170,7 @@
|
|||
* [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md)
|
||||
* [AD DNS Records](windows-hardening/active-directory-methodology/ad-dns-records.md)
|
||||
* [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md)
|
||||
* [BloodHound](windows-hardening/active-directory-methodology/bloodhound.md)
|
||||
* [BloodHound & Other AD Enum Tools](windows-hardening/active-directory-methodology/bloodhound.md)
|
||||
* [Constrained Delegation](windows-hardening/active-directory-methodology/constrained-delegation.md)
|
||||
* [Custom SSP](windows-hardening/active-directory-methodology/custom-ssp.md)
|
||||
* [DCShadow](windows-hardening/active-directory-methodology/dcshadow.md)
|
||||
|
|
|
@ -175,7 +175,8 @@ Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulner
|
|||
* You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
|
||||
* You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
|
||||
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
|
||||
* [**DNS records of the AD**](ad-dns-records.md) **** as they might contain interesting information.
|
||||
* **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
|
||||
* ****[**DNS records of the AD**](ad-dns-records.md) **** as they might contain interesting information.
|
||||
* A **tool with GUI** that you can use to enumerate the directory is **AdExplorer.exe** from **SysInternal** Suite.
|
||||
* You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
|
||||
* If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview).
|
||||
|
|
|
@ -1,22 +1,42 @@
|
|||
# BloodHound
|
||||
# BloodHound & Other AD Enum Tools
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
## What is BloodHound
|
||||
## AD Explorer
|
||||
|
||||
[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) is from Sysinternal Suite:
|
||||
|
||||
> An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to navigate an AD database easily, define favorite locations, view object properties, and attributes without opening dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
|
||||
|
||||
### Snapshots
|
||||
|
||||
AD Explorer can create snapshots of an AD so you can check it offline.\
|
||||
It can be used to discover vulns offline, or to compare different states of the AD DB across the time.
|
||||
|
||||
You will be requires the username, password, and direction to connect (any AD user is required).
|
||||
|
||||
To take a snapshot of AD, go to `File` --> `Create Snapshot` and enter a name for the snapshot.
|
||||
|
||||
## ADRecon
|
||||
|
||||
****[**ADRecon**](https://github.com/adrecon/ADRecon) is a tool which extracts and combines various artefacts out of an AD environment. The information can be presented in a **specially formatted** Microsoft Excel **report** that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
|
||||
|
||||
```bash
|
||||
# Run it
|
||||
.\ADRecon.ps1
|
||||
```
|
||||
|
||||
## BloodHound
|
||||
|
||||
> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us), compiled with [Electron](http://electron.atom.io), with a [Neo4j](https://neo4j.com)database fed by a PowerShell ingestor.
|
||||
>
|
||||
|
@ -34,7 +54,7 @@ The **ingestors** are used to **enumerate the domain and extract all the informa
|
|||
|
||||
The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
|
||||
|
||||
## Installation
|
||||
### Installation
|
||||
|
||||
1. Bloodhound
|
||||
|
||||
|
@ -67,7 +87,7 @@ Installation process:
|
|||
$ curl -o "~/.config/bloodhound/customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"
|
||||
```
|
||||
|
||||
## Visualisation app Execution
|
||||
### Visualisation app Execution
|
||||
|
||||
After downloading/installing the required applications, lets start them.\
|
||||
First of all you need to **start the neo4j database**:
|
||||
|
@ -94,8 +114,6 @@ And bloodhound will be ready to ingest data.
|
|||
|
||||
![](<../../.gitbook/assets/image (171) (1).png>)
|
||||
|
||||
## Ingestors
|
||||
|
||||
### SharpHound
|
||||
|
||||
They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
|
||||
|
@ -138,18 +156,31 @@ This script will **quietly enumerate an Active Directory Domain via LDAP** parsi
|
|||
|
||||
Check it out in [**SilentHound github**](https://github.com/layer8secure/SilentHound).
|
||||
|
||||
## Group3r
|
||||
|
||||
[**Group3r**](https://github.com/Group3r/Group3r) **** is a tool to find **vulnerabilities** in Active Directory associated **Group Policy**. \
|
||||
You need to **run group3r** from a host inside the domain using **any domain user**.
|
||||
|
||||
```bash
|
||||
group3r.exe -f <filepath-name.log>
|
||||
# -s sends results to stdin
|
||||
# -f send results to file
|
||||
```
|
||||
|
||||
## PingCastle
|
||||
|
||||
****[**PingCastle**](https://www.pingcastle.com/documentation/) **evaluates the security posture of an AD environment** and provides a nice **report** with graphs.
|
||||
|
||||
To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**. 
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
|
@ -42,7 +42,7 @@ MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=Fo
|
|||
|
||||
## Trust Account Attack
|
||||
|
||||
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_ trusts A), a trust account is created in domain **A**, named **B. Kerberos trust keys**,\_derived from the **trust account’s password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
|
||||
When an Active Directory domain or forest trust is set up from a domain _B_ to a domain _A_ (_**B**_\*\* trusts **\_**A**\_), a \_**trust account**\_** is created in domain **\_**A**\_**, named **\_**B$**\_. Kerberos \_**trust keys\*\*,\_ derived from the **trust account’s password**, are used for **encrypting inter-realm TGTs**, when users of domain A request service tickets for services in domain B.
|
||||
|
||||
It's possible to obtain the password and hash of the trusted account from a Domain Controller using:
|
||||
|
||||
|
|
|
@ -74,37 +74,19 @@ In the previous enumeration it was found that the user **`crossuser`** is inside
|
|||
|
||||
If you **couldn't** find any **special** access of your user in the other domain, you can still go back to the AD Methodology and try to **privesc from an unprivileged user** (things like kerberoasting for example):
|
||||
|
||||
You can use **Powerview functions** to **enumerate** the **other domain** using the `-Domain` param like in:
|
||||
|
||||
```powershell
|
||||
Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
|
||||
```
|
||||
|
||||
{% content-ref url="./" %}
|
||||
[.](./)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Impersonation
|
||||
|
||||
### Logging in
|
||||
|
||||
Using a regular method with the credentials of the users who is has access to the external domain you should be able to access:
|
||||
|
||||
```powershell
|
||||
Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
|
||||
```
|
||||
|
||||
### SID History Abuse
|
||||
|
||||
You could also abuse [**SID History**](sid-history-injection.md) across a forest trust.
|
||||
|
||||
If a user is migrated **from one forest to another** and **SID Filtering is not enabled**, it becomes possible to **add a SID from the other forest**, and this **SID** will be **added** to the **user's token** when authenticating **across the trust**.
|
||||
### With signing key
|
||||
|
||||
{% hint style="warning" %}
|
||||
As a reminder, you can get the signing key with
|
||||
|
||||
```powershell
|
||||
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
|
||||
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
|
|
Loading…
Reference in a new issue