Powerview v.3.0 Powerview Wiki
Get Current Domain: Get-Domain
Enumerate Other Domains: Get-Domain -Domain <DomainName>
Get Domain SID: Get-DomainSID
Get Domain Policy:
Get Domain Controllers:
Enumerate Domain Users:
Enum Domain Computers:
Enum Groups and Group Members:
Enumerate Shares:
Enum Group Policies:
Enum OUs:
Enum ACLs:
Enum Domain Trust:
Enum Forest Trust:
User Hunting:
Priv Esc to Domain Admin with User Hunting: I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> Profit!
Get Current Domain: Get-ADDomain
Enum Other Domains: Get-ADDomain -Identity <Domain>
Get Domain SID: Get-DomainSID
Get Domain Controllers:
Enumerate Domain Users:
Enum Domain Computers:
Enum Domain Trust:
Enum Forest Trust:
Enum Local AppLocker Effective Policy:
Remote BloodHound
Python BloodHound Repository or install it with pip3 install bloodhound
On Site BloodHound
ldapdomaindump: Information dumper via LDAP
adidnsdump: Integrated DNS dumping by any authenticated user
ACLight: Advanced discovery of privileged accounts
ADRecon: Detailed Active Directory recon tool
Windows Privilege Escalation CheatSheet: Cheat sheet for Windows local privilege escalations
Juicy Potato: Abuse SeImpersonate or SeAssignPrimaryToken privileges for SYSTEM impersonation. Works only until Windows Server 2016 and Windows 10 until patch 1803.
Lovely Potato: Automated Juicy Potato. Works only until Windows Server 2016 and Windows 10 until patch 1803.
PrintSpoofer: Exploit the PrinterBug for SYSTEM impersonation. Works for Windows Server 2019 and Windows 10.
RoguePotato: Upgraded Juicy Potato. Works for Windows Server 2019 and Windows 10.
PowerUp: Misconfiguration abuse
BeRoot: General priv esc enumeration tool
Privesc: General priv esc enumeration tool
FullPowers: Restore a service account’s privileges
LSA as a Protected Process (Kernel Land Bypass)
LSA as a Protected Process (Userland “Fileless” Bypass)
LSA is running as a virtualized process (LSAISO) under Credential Guard
If the host we want to move laterally to has “RestrictedAdmin” enabled, we can pass the hash using the RDP protocol and get an interactive session without the plaintext password.
Mimikatz:
xFreeRDP:
If Restricted Admin mode is disabled on the remote machine, we can connect to the host using another tool/protocol like psexec or winrm and enable it by creating the following registry key and setting its value to zero: “HKLM:\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin”.
.url file
.scf file
If these files are placed in a writable share, the victim only has to open File Explorer and navigate to the share. Note that the file doesn’t need to be opened and the user doesn’t need to interact with it, but it must be at the top of the file listing or at least visible in the Windows Explorer window in order to be rendered. Use Responder to capture the hashes.
.scf file attacks won’t work on the latest versions of Windows.
Powercat: netcat written in PowerShell; provides tunneling, relay and port-forward capabilities.
SCShell: fileless lateral movement tool that relies on ChangeServiceConfigA to run commands
Evil-Winrm: the ultimate WinRM shell for hacking/pentesting
RunasCs: C# and open version of the Windows built-in runas.exe
ntlm_theft: creates all possible file formats for URL file attacks
WUT IS DIS?: All standard domain users can request a TGS for any SPN. If that SPN is bound to a “user” account, the ticket’s encrypted blob was encrypted using that user’s password, so we can extract it and brute-force it offline.
PowerView:
AD Module:
Impacket:
Rubeus:
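The defender’s counterpart of the technique above, as an added example (not code from the cheat sheet or from any of the tools it lists): it scans Windows Security event 4769 records, constructed here as sample data, for RC4-encrypted service-ticket requests against user-account SPNs and flags requesters that hit several distinct SPNs in a short window, which is what a roasting run looks like in the logs.

```python
"""Defender-side detection of Kerberoasting (added example, not part of the
cheat sheet). It scans Windows Security event 4769 records for successful
RC4-encrypted service ticket requests against user-account SPNs and flags
requesters that touch several distinct SPNs inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value that a roasting tool asks for

# Constructed sample events (not real logs); keys follow the 4769 EventData names.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-10T09:00:02", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-10T09:00:03", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-10T09:05:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-10T09:06:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-01-10T09:07:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_request(ev):
    """True for a successful RC4 TGS request for a user-account SPN.
    Machine accounts ($) and krbtgt are skipped: their keys are not
    practically crackable, and krbtgt TGS traffic is routine."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def find_kerberoast_bursts(events, min_services=3, window=timedelta(minutes=5)):
    """Return {requester: sorted distinct SPNs} for every requester that hit
    at least min_services distinct roastable SPNs within one window."""
    per_user = defaultdict(list)  # requester -> [(timestamp, service)]
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        for i, (start, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits
```

Environments that still have RC4-only service accounts will see legitimate 0x17 requests, so tune min_services and the window against a baseline before alerting.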
WUT IS DIS?: If a domain user account does not require Kerberos preauthentication, we can request a TGT for this account without even having domain credentials, extract the encrypted blob from the AS-REP and brute-force it offline.
PowerView: Get-DomainUser -PreauthNotRequired -Verbose
AD Module: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Forcefully disable Kerberos preauth on an account we have write permissions (or more) on. Check for interesting permissions on accounts:
Hint: we add a filter, e.g. RDPUsers, to get “User Accounts” and not Machine Accounts, because Machine Account hashes are not crackable!
PowerView:
And finally execute the attack using the ASREPRoast tool.
Using Rubeus:
Using Impacket:
If we have harvested some passwords by compromising a user account, we can use this method to try to exploit password reuse on other domain accounts.
Tools:
WUT IS DIS?: If we have enough permissions (GenericAll/GenericWrite) on a target account, we can set an SPN on it, request a TGS, then grab its blob and brute-force it.
PowerView:
AD Module:
Finally use any tool from before to grab the hash and kerberoast it!
If you have local administrator access on a machine, try to list shadow copies; it’s an easy way to escalate in the domain.
You can dump the backed-up SAM database and harvest credentials.
Look for DPAPI stored creds and decrypt them.
Access backed-up sensitive files.
Usually encrypted credentials are stored in:
%appdata%\Microsoft\Credentials
%localappdata%\Microsoft\Credentials
Detailed Article: DPAPI all the things
WUT IS DIS?: If we have administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a high-value target or DA to connect to it, steal his TGT, then pass the ticket (ptt) and impersonate him!
Using PowerView:
Note: We can also use Rubeus!
Using PowerView and Kekeo:
ALTERNATIVE: Using Rubeus:
Now we can access the service as the impersonated user!
What if we have delegation rights for only a specific SPN? (e.g. TIME):
In this case we can still abuse a feature of Kerberos called “alternative service”. This allows us to request TGS tickets for other “alternative” services and not only for the one we have rights for. That gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
WUT IS DIS?: TL;DR If we have GenericAll/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate any user of the domain to it. For example we can impersonate the Domain Administrator and have complete access.
Tools we are going to use:
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
Detailed Articles:
In Constrained and Resource-Based Constrained Delegation, if we don’t have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we are trying to abuse, we can use the very nice trick “tgt::deleg” from Kekeo or “tgtdeleg” from Rubeus to fool Kerberos into giving us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
Detailed Article: Rubeus – Now With More Kekeo
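The AS-REP roasting, unconstrained delegation and constrained delegation sections above all come down to bits in userAccountControl. The following audit is an added example (not code from the cheat sheet or from PowerView/Rubeus): it decodes the UAC value of each account from a constructed sample directory dump and reports the accounts a defender should review, separating domain controllers, which carry TRUSTED_FOR_DELEGATION by design, from other hosts with that flag.

```python
"""Audit of the userAccountControl bits that the sections above abuse (added
example, not code from the cheat sheet). It decodes each account's UAC value
and reports AS-REP-roastable users, unconstrained delegation hosts and
constrained delegation with protocol transition. The account records are
constructed sample data, not a real LDAP dump."""

# userAccountControl bit values (MS-ADTS / MS-SAMR), in hex.
UAC_FLAGS = {
    "ACCOUNTDISABLE":                 0x0000002,
    "WORKSTATION_TRUST_ACCOUNT":      0x0001000,
    "SERVER_TRUST_ACCOUNT":           0x0002000,   # domain controllers
    "TRUSTED_FOR_DELEGATION":         0x0080000,   # unconstrained delegation
    "DONT_REQ_PREAUTH":               0x0400000,   # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,   # constrained + protocol transition
}

def decode_uac(value):
    """Return the set of flag names that are set in a userAccountControl integer."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}

def audit_accounts(accounts):
    """Map each finding class to the sAMAccountNames it applies to.
    Disabled accounts are skipped; DCs are unconstrained by design and are
    reported separately so that real hosts carrying the flag stand out."""
    findings = {"asrep_roastable": [], "unconstrained_delegation": [],
                "protocol_transition": [], "dc_by_design": []}
    for acct in accounts:
        flags = decode_uac(acct["userAccountControl"])
        name = acct["sAMAccountName"]
        if "ACCOUNTDISABLE" in flags:
            continue
        if "DONT_REQ_PREAUTH" in flags:
            findings["asrep_roastable"].append(name)
        if "TRUSTED_FOR_DELEGATION" in flags:
            key = "dc_by_design" if "SERVER_TRUST_ACCOUNT" in flags else "unconstrained_delegation"
            findings[key].append(name)
        if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
            # msDS-AllowedToDelegateTo lists the SPNs the account may delegate to.
            findings["protocol_transition"].append(
                (name, acct.get("msDS-AllowedToDelegateTo", [])))
    return findings

# Constructed sample directory records (not real data); 0x200 is NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x400202},
    {"sAMAccountName": "svc_proxy", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["time/DC01.corp.local"]},
]
```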
WUT IS DIS?: If a user is a member of the DNSAdmins group, he can possibly load an arbitrary DLL with the privileges of dns.exe, which runs as SYSTEM. If the DC also serves DNS, the user can escalate his privileges to DA. This exploitation process needs privileges to restart the DNS service to work.
Enumerate the members of the DNSAdmins group:
PowerView: Get-NetGroupMember -GroupName "DNSAdmins"
AD Module: Get-ADGroupMember -Identity DNSAdmins
Once we have found a member of this group we need to compromise it (there are many ways).
Then, by serving a malicious DLL on an SMB share and configuring the DLL usage, we can escalate our privileges:
WUT IS DIS?: If we manage to compromise a user account that is a member of the Backup Operators group, we can then abuse its SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
Once we have access to an account that has SeBackupPrivilege, we can access the DC and create a shadow copy using the signed binary diskshadow:
Next we need to access the shadow copy. We may have SeBackupPrivilege, but we can’t simply copy-paste ntds.dit; we need to mimic backup software and use Win32 API calls to copy it to an accessible folder. For this we are going to use this amazing repo:
Using smbclient.py from impacket or some other tool, we copy ntds.dit and the SYSTEM hive to our local machine.
Use secretsdump.py from impacket and dump the hashes.
Use psexec or another tool of your choice to PTH and get Domain Admin access.
PrivExchange: Exchange your privileges for Domain Admin privs by abusing Exchange
WUT IS DIS?: If we manage to compromise a child domain of a forest and SID filtering isn’t enabled (most of the time it is not), we can abuse it to escalate to Domain Administrator of the root domain of the forest. This is possible because of the SID History field in a Kerberos TGT, which defines the “extra” security groups and privileges.
Exploitation example:
Detailed Articles:
CVE-2019-0604: RCE exploitation PoC
CVE-2019-1257: Code execution through BDC deserialization
CVE-2020-0932: RCE using typeconverters, PoC
Zerologon: Unauthenticated domain controller compromise: White paper of the vulnerability.
SharpZeroLogon: C# implementation of the Zerologon exploit.
Invoke-ZeroLogon: Powershell implementation of the Zerologon exploit.
Zer0Dump: Python implementation of the Zerologon exploit using the impacket library.
CVE-2021-34527: Vulnerability details.
Impacket implementation of PrintNightmare: Reliable PoC of PrintNightmare using the impacket library.
C# Implementation of CVE-2021-1675: Reliable PoC of PrintNightmare written in C#.
Check for vulnerable certificate templates with: Certify
Note: Certify can be executed with Cobalt Strike’s execute-assembly command as well
Make sure the msPKI-Certificate-Name-Flag value is set to “ENROLLEE_SUPPLIES_SUBJECT” and that the Enrollment Rights allow Domain/Authenticated Users. Additionally, check that the pKIExtendedKeyUsage parameter contains the “Client Authentication” value and that the “Authorized Signatures Required” parameter is set to 0.
This exploit only works because these settings enable server/client authentication, meaning an attacker can specify the UPN of a Domain Admin (“DA”) and use the captured certificate with Rubeus to forge authentication.
Note: If a Domain Admin is in a Protected Users group, the exploit may not work as intended. Check before choosing a DA to target.
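The four template conditions listed above can be checked mechanically from the template attributes in the AD configuration partition. The audit below is an added example (not Certify’s code or anything from the cheat sheet); it runs over constructed sample templates and, going slightly beyond the text, also accepts the other EKUs that allow client authentication (PKINIT, Smart Card Logon, Any Purpose) and an empty EKU list, which Windows treats as all purposes.

```python
"""Audit of the certificate template conditions described above (added
example, not Certify's code). It evaluates template attributes as they
appear in the AD configuration partition; the template records are
constructed sample data, not a real export."""

# Bit in msPKI-Certificate-Name-Flag that lets the requester supply the subject.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# EKU OIDs that permit client authentication: Client Auth, PKINIT, Smart Card Logon, Any Purpose.
CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4",
                    "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}
LOW_PRIV_ENROLLERS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def template_findings(t):
    """Return the list of conditions from the page that the template meets.
    All four must hold for the misconfiguration described; an empty EKU list
    also counts, because it means the certificate is valid for any purpose."""
    found = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("ENROLLEE_SUPPLIES_SUBJECT")
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & CLIENT_AUTH_EKUS:
        found.append("client_auth_eku")
    if t.get("msPKI-RA-Signature", 0) == 0:   # "Authorized Signatures Required"
        found.append("no_authorized_signatures")
    if set(t["enrollment_rights"]) & LOW_PRIV_ENROLLERS:
        found.append("low_priv_enrollment")
    return found

def vulnerable_templates(templates):
    """Names of templates that meet all four conditions at once."""
    return [t["name"] for t in templates if len(template_findings(t)) == 4]

# Constructed sample templates (not a real export).
SAMPLE_TEMPLATES = [
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x82000000,   # subject built from AD
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "LegacyVPN", "msPKI-Certificate-Name-Flag": 0x1,       # all four conditions
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Authenticated Users"]},
    {"name": "ManagerApproved", "msPKI-Certificate-Name-Flag": 0x1, # needs a signature
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-RA-Signature": 1,
     "enrollment_rights": ["Domain Users"]},
    {"name": "CodeSign", "msPKI-Certificate-Name-Flag": 0x1,        # no client-auth EKU
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"], "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
]
```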
Request the DA’s Account Certificate with Certify
This should return a valid certificate for the associated DA account.
The exported cert.pem and cert.key files must be consolidated into a single cert.pem file, with one gap of whitespace between the END RSA PRIVATE KEY and the BEGIN CERTIFICATE.
Example of cert.pem:
Utilize openssl to Convert to PKCS #12 Format
The openssl command can be utilized to convert the certificate file into PKCS #12 format (you may be required to enter an export password, which can be anything you like).
Once the cert.pfx file has been exported, upload it to the compromised host (this can be done in a variety of ways, such as with PowerShell, SMB, certutil.exe, Cobalt Strike’s upload functionality, etc.).
After the cert.pfx file has been uploaded to the compromised host, Rubeus can be used to request a Kerberos TGT for the DA account, which will then be imported into memory.
This should result in a successfully imported ticket, which then enables an attacker to perform various malicious activities under the DA user context, such as performing a DCSync attack.
sAMAccountName Spoofing: Exploitation of CVE-2021-42278 and CVE-2021-42287
Weaponisation of CVE-2021-42287/CVE-2021-42278: Exploitation of CVE-2021-42278 and CVE-2021-42287
noPAC: C# tool to exploit CVE-2021-42278 and CVE-2021-42287
sam-the-admin: Python automated tool to exploit CVE-2021-42278 and CVE-2021-42287
noPac: Evolution of the “sam-the-admin” tool
Tip: /ptt -> inject the ticket into the current running session; /ticket -> save the ticket on the system for later use
WUT IS DIS?: Every DC has a local Administrator account; this account has the DSRM password, which is a SafeBackupPassword. We can get this and then PTH its NTLM hash to get local Administrator access to the DC!
Then just PTH to get local admin access on DC!
WUT IS DIS?: We can set our own SSP by dropping a custom DLL, for example mimilib.dll from Mimikatz, that will monitor and capture plaintext passwords from users that log on!
From powershell:
Now all logons on the DC are logged to -> C:\Windows\System32\kiwissp.log
WUT IS DIS?: If we have Domain Admin rights on a domain that has a bidirectional trust relationship with another forest, we can get the trust key and forge our own inter-realm TGT.
The access we will have will be limited to what our DA account is configured to have on the other Forest!
Using Mimikatz:
Tickets -> .kirbi format
Then ask for a TGS to the external forest for any service using the inter-realm TGT and access the resource!
Using Rubeus:
Enumerate MSSQL Instances: Get-SQLInstanceDomain
Check Accessibility as current user:
Gather Information about the instance: Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Abusing SQL Database Links: WUT IS DIS?: A database link allows a SQL Server to access other resources like other SQL Servers. If we have two linked SQL Servers we can execute stored procedures on them. Database links also work across forest trusts!
Check for existing Database Links:
Then we can use queries to enumerate other links from the linked database:
Query execution:
WUT IS DIS?: TL;DR If we have a bidirectional trust with an external forest and we manage to compromise a machine on the local forest that has unconstrained delegation enabled (DCs have this by default), we can use the printerbug to force the DC of the external forest’s root domain to authenticate to us. Then we can capture its TGT, inject it into memory and DCSync to dump its hashes, giving us complete access over the whole forest.
Tools we are going to use:
Exploitation example:
Detailed Articles: