Active Directory

From RCATs
Revision as of 04:45, 21 August 2023 by Ali3nw3rx

Enumeration

PowerShell LocalAccounts Module

Get-Command -Module Microsoft.PowerShell.LocalAccounts
The list below briefly describes what each of these cmdlets is used for:
Add-LocalGroupMember: Add a user to the local group
Disable-LocalUser: Disable a local user account
Enable-LocalUser: Enable a local user account
Get-LocalGroup: View local groups and their properties
Get-LocalGroupMember: View the list of all local group members
Get-LocalUser: View local user accounts and their properties
New-LocalGroup: Create a new local group
New-LocalUser: Create a new local user account
Remove-LocalGroup: Remove a local group
Remove-LocalGroupMember: Remove a member from a local group
Remove-LocalUser: Remove a local user account
Rename-LocalGroup: Rename a local group
Rename-LocalUser: Rename a local user account
Set-LocalGroup: Change the settings of a local group
Set-LocalUser: Change the account settings of a local user

Example:

Add-LocalGroupMember -Group "Administrators" -Member "Username"

Privilege Escalation

https://www.bordergate.co.uk/windows-privilege-escalation/

Kerberoasting

Kerberoasting targets accounts that have a Service Principal Name (SPN) set. The attack works because, by default, any domain user can request a service ticket for any SPN; the KDC grants the ticket and it is held in memory on the requesting host. The ticket can be extracted, saved offline, and its encrypted portion cracked to recover the service account's clear-text credentials.

Tim Medin presented a tool called Kerberoast at DerbyCon 2014 which cracks Kerberoast TGS tickets. He determined that possession of a TGS service ticket encrypted with RC4 provides the opportunity to take the ticket to a password-cracking computer (or cloud system) and attempt to crack the service account's password. How does this work? Since the TGS Kerberos ticket is encrypted with RC4, the service account's password hash (its NTLM hash) is the key used to encrypt the ticket. The cracking system loops through candidate passwords, converts each one to its NTLM hash, and attempts to open the TGS ticket with it. If the TGS ticket opens, we know both the clear-text password and the NTLM hash for the account.

In Summary

Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts with servicePrincipalName (SPN) values (i.e. service accounts). A user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and parts of the TGS may be encrypted with RC4 using the password hash of the service account assigned the requested SPN as the key.

An adversary who can extract TGS tickets from memory, or capture them by sniffing network traffic, can extract the service account's password hash and attempt an offline brute-force attack to obtain the plaintext password.
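As an added defender-side example (not part of the original page), the following Python flags the two traces this technique leaves in Security Event ID 4769 (TGS request) records: a ticket issued with RC4-HMAC (TicketEncryptionType 0x17) for a service account, and one principal obtaining tickets for many distinct service accounts inside a short window. The record layout and sample events are constructed for illustration; a real pipeline would feed in parsed 4769 events.

```python
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES types are 0x11/0x12

# Constructed sample records in the shape of Event ID 4769 fields (not real logs):
# user = Account Name, ip = Client Address, svc = Service Name, etype = TicketEncryptionType.
SAMPLE_4769 = [
    {"ts": "2023-08-21T04:40:01", "user": "jdoe@EXAMPLE.LOCAL", "ip": "10.0.0.15", "svc": "sql_svc", "etype": "0x12"},
    {"ts": "2023-08-21T04:41:10", "user": "jnovoa@EXAMPLE.LOCAL", "ip": "10.0.0.23", "svc": "sql_svc", "etype": "0x17"},
    {"ts": "2023-08-21T04:41:11", "user": "jnovoa@EXAMPLE.LOCAL", "ip": "10.0.0.23", "svc": "web_svc", "etype": "0x17"},
    {"ts": "2023-08-21T04:41:12", "user": "jnovoa@EXAMPLE.LOCAL", "ip": "10.0.0.23", "svc": "backup_svc", "etype": "0x17"},
    {"ts": "2023-08-21T04:41:13", "user": "jnovoa@EXAMPLE.LOCAL", "ip": "10.0.0.23", "svc": "krbtgt", "etype": "0x12"},
    {"ts": "2023-08-21T04:42:00", "user": "WS01$@EXAMPLE.LOCAL", "ip": "10.0.0.40", "svc": "WS02$", "etype": "0x12"},
]

def is_roastable_target(svc):
    """Machine accounts (trailing '$') and krbtgt are not Kerberoast targets."""
    return not svc.endswith("$") and svc.lower() != "krbtgt"

def rc4_service_requests(events):
    """TGS requests where a user account received an RC4-encrypted ticket for a service account.
    Once AES is enforced domain-wide, RC4 tickets should be rare, so each hit is worth a look."""
    return [e for e in events
            if e["etype"].lower() == RC4_HMAC
            and is_roastable_target(e["svc"])
            and not e["user"].split("@")[0].endswith("$")]

def spn_bursts(events, threshold=3, window_seconds=60):
    """Requesters that obtained tickets for >= threshold distinct service accounts inside
    window_seconds (any etype). A sweep of every SPN in the domain produces exactly this."""
    per_user = defaultdict(list)
    for e in events:
        if is_roastable_target(e["svc"]):
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["svc"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(svcs) >= threshold:
                hits[user] = sorted(svcs)
                break
    return hits

def find_kerberoast_suspects(events, threshold=3, window_seconds=60):
    """Union of both indicators, as a sorted list of requesting principals."""
    rc4_users = {e["user"] for e in rc4_service_requests(events)}
    return sorted(rc4_users | set(spn_bursts(events, threshold, window_seconds)))
```

Tune the threshold and window to your environment; legitimate automation that touches many services will show up in the burst check and needs an allow-list.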

Now we will use a few methods to search for Kerberoastable users. This can be done as any domain user, since the attack abuses the fact that any domain user can request a ticket for an SPN account. First we verify our domain account.

I will use Rubeus to locate Kerberoastable users. An OPSEC tactic to consider is the /stats parameter: it only lists Kerberoastable users in the current domain without requesting a ticket from the DC.

Rubeus kerberoast /stats

We can enumerate the specific users in the domain that are available for Kerberoasting; the following command lists users with a Service Principal Name.

SharpView.exe Get-DomainUser -SPN

Now we can request the ticket for the user and choose the output format for our cracking tool, which in this case is hashcat.

Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap

Now with the hash available, we can crack the password offline using hashcat. Once the hash is sent to our cracking rig we can run wordlists against it; in this case we recovered the password using the RockYou wordlist with a ruleset.

hashcat.exe -m 13100 -a 0 hashes wordlist

Unconstrained Delegation

Constrained Delegation

DCSync

Golden Tickets

Silver Tickets

Skeleton Keys

ADCS

NTLMRelay

AS-REPRoasting