Active Directory

From RCATs
Revision as of 11:41, 7 September 2023 by Ali3nw3rx (talk | contribs)

EXTERNAL

INTERNAL

AD-Module

Import-Module .\Microsoft.ActiveDirectory.Management.dll

PowerShell LocalAccounts Module

Get-Command -Module Microsoft.PowerShell.LocalAccounts
The list below briefly describes what each of these cmdlets is used for:
Add-LocalGroupMember           # Add a user to the local group
Disable-LocalUser              # Disable a local user account
Enable-LocalUser               # Enable a local user account
Get-LocalGroup                 # View local group preferences
Get-LocalGroupMember           # View the list of all local group members
Get-LocalUser                  # View local user account preferences
New-LocalGroup                 # Create a new local group
New-LocalUser                  # Create a new local user account
Remove-LocalGroup              # Remove a local group
Remove-LocalGroupMember        # Remove a member from a local group
Remove-LocalUser               # Remove local user account
Rename-LocalGroup              # Rename a local group
Rename-LocalUser               # Rename a local user account
Set-LocalGroup                 # Change the settings of a local group
Set-LocalUser                  # Change the account settings of a local user

Example:

Add-LocalGroupMember -Group "Administrators" -Member "Username"

PowerView

# Load PowerView on Disk 
./PowerView.ps1

# Import PowerView
. .\PowerView.ps1 # dot sourcing
IPMO .\PowerView.ps1 # short cut for Import-Module
Import-Module .\PowerView.ps1 # Import-Module

# Load PowerView
Import-Module PowerView

# Load PowerView with Cobalt Strike 
powershell-import /home/user/directory/of/PowerView.ps1

# Check if PowerView has been loaded Successfully
Get-InstalledModule

General PowerView Functions

Export-PowerViewCSV             #  thread-safe CSV append
Set-MacAttribute                #  Sets MAC attributes for a file based on another file or input (from Powersploit)
Copy-ClonedFile                 #  copies a local file to a remote location, matching MAC properties
Get-IPAddress                   #  resolves a hostname to an IP
Test-Server                     #  tests connectivity to a specified server
Convert-NameToSid               #  converts a given user/group name to a security identifier (SID)
Convert-SidToName               #  converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical          #  converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy                       #  enumerates local proxy settings
Get-PathAcl                     #  get the ACLs for a local/remote file path with optional group recursion
Get-UserProperty                #  returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty            #  returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile            #  search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess    #  check if the current user context has local administrator access to a specified host
Get-DomainSearcher              #  builds a proper ADSI searcher object for a given domain
Get-ObjectAcl                   #  returns the ACLs associated with a specific active directory object
Add-ObjectAcl                   #  adds an ACL to a specified active directory object
Get-LastLoggedOn                #  return the last logged on user for a target host
Get-CachedRDPConnection         #  queries all saved RDP connection entries on a target host
Invoke-ACLScanner               #  enumerate -1000+ modifable ACLs on a specified domain
Get-GUIDMap                     #  returns a hash table of current GUIDs -> display names
Get-DomainSID                   #  return the SID for the specified domain
Invoke-ThreadedFunction         #  helper that wraps threaded invocation for other functions

Net Functions

Get-NetDomain                   #  gets the name of the current user's domain
Get-NetForest                   #  gets the forest associated with the current user's domain
Get-NetForestDomain             #  gets all domains for the current forest
Get-NetDomainController         #  gets the domain controllers for the current computer's domain
Get-NetUser                     #  returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser                     #  adds a local or domain user
Get-NetComputer                 #  gets a list of all current servers in the domain
Get-NetPrinter                  #  gets an array of all current computers objects in a domain
Get-NetOU                       #  gets data for domain organization units
Get-NetSite                     #  gets current sites in a domain
Get-NetSubnet                   #  gets registered subnets for a domain
Get-NetGroup                    #  gets a list of all current groups in a domain
Get-NetGroupMember              #  gets a list of all current users in a specified domain group
Get-NetLocalGroup               #  gets the members of a localgroup on a remote host or hosts
Add-NetGroupUser                #  adds a local or domain user to a local or domain group
Get-NetFileServer               #  get a list of file servers used by current domain users
Get-DFSshare                    #  gets a list of all distribute file system shares on a domain
Get-NetShare                    #  gets share information for a specified server
Get-NetLoggedon                 #  gets users actively logged onto a specified server
Get-NetSession                  #  gets active sessions on a specified server
Get-NetRDPSession               #  gets active RDP sessions for a specified server (like qwinsta)
Get-NetProcess                  #  gets the remote processes and owners on a remote server
Get-UserEvent                   #  returns logon or TGT events from the event log for a specified host
Get-ADObject                    #  takes a domain SID and returns the user, group, or computer object associated with it
Set-ADObject                    #  takes a SID, name, or SamAccountName to query for a specified  domain object, and then sets a pecified 'PropertyName' to a specified 'PropertyValue'

GPO functions

Get-GptTmpl                     #  parses a GptTmpl.inf to a custom object
Get-NetGPO                      #  gets all current GPOs for a given domain
Get-NetGPOGroup                 #  gets all GPOs in a domain that set "Restricted Groups" on on target machines
Find-GPOLocation                #  takes a user/group and makes machines they have effectiverights over through GPO enumeration and correlation
Find-GPOComputerAdmin           #  takes a computer and determines who has admin rights over itthrough GPO enumeration
Get-DomainPolicy                #  returns the default domain or DC policy

User-Hunting Functions

Invoke-UserHunter               #  finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter        #  finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
Invoke-ProcessHunter            #  hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter          #  hunts for user logon events in domain controller event logs

Domain Trust Functions

Get-NetDomainTrust              #  gets all trusts for the current user's domain
Get-NetForestTrust              #  gets all trusts for the forest associated with the current user's domain
Find-ForeignUser                #  enumerates users who are in groups outside of their principal domain
Find-ForeignGroup               #  enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust           #  try to build a relational mapping of all domain trusts

Meta Functions

Invoke-ShareFinder              #  finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder               #  finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess           #  finds machines on the domain that the current user has local admin access to
Find-ManagedSecurityGroups      #  searches for active directory security groups which are managed and identify users who have write access to
                                #  those groups (i.e. the ability to add or remove members)
Find-UserField                  #  searches a user field for a particular term
Find-ComputerField              #  searches a computer field for a particular term
Get-ExploitableSystem           #  finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin      #  enumerates members of the local Administrators groups across all machines in the domain

Domain Enumeration

Domain
# Get current domain

Get-NetDomain (PowerView)                                  
Get-ADDomain (ActiveDirectory Module)                      

# Get Object of another domain

Get-NetDomain -Domain domain.local                         
Get-ADDomain -Identity domain.local                         

# Get domain SID for the current domain

Get-DomainSID                                              
(Get-ADDomain).DomainSID                                   

# Get domain policy for the current domain

Get-DomainPolicy                                           
(Get-DomainPolicy)."system access"                         

# Get domain policy for another domain

(Get-DomainPolicy -domain domain.local)."system access"     

# Get domain controllers for the current domain

Get-NetDomainController                                   
Get-ADDomainController                                     

# Get domain controllers for another domain

Get-NetDomainController -Domain domain.local                
Get-ADDomainController -DomainName domain.local -Discover
Net User
# Get a list of users in the current domain

Get-NetUser                                                
Get-NetUser -Username student1                              
Get-NetUser | select -ExpandProperty samaccountname         
Get-ADUser -Filter * -Properties *                          
Get-ADUser -Identity student1 -Properties *                

# Get list of all properties for users in the current domain

Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

# Search for a particular string in a user's attributes

Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
Net Group
# Get a list of computers in the current domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

# Get all the groups in the current domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

# Get all groups containing the word "admin" in group name

Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

# Get all the members of the Domain Admins group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain target.local

# Get the group membership for a user

Get-NetGroup -UserName "john"
Get-ADPrincipalGroupMembership -Identity student1

# List all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName DC01.enumme.local -ListGroups

# Get members of all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName DC01.enumme.local -Recurse
Logged Sessions / Users
# Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName <servername>

# Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)

Get-LoggedonLocal -ComputerName DC01.enumme.local

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName <servername>
Shares
# Find shares on hosts in current domain

Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose

# Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

# Get all fileservers of the domain

Get-NetFileServer
GPO
# Get list of GPO in current domain

Get-NetGPO
Get-NetGPO -ComputerName DC01.enumme.local
Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (Provides RSoP)

# Enumerate ACLs for all the GPOs

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

# Enumerate Restricted Groups from GPO

Get-NetGPOGroup -Verbose

# Enumerate GPOs where target user or group have interesting permissions

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "target"}

# Membership of the Group "RDPUsers”

Get-NetGroupMember -GroupName RDPUsers

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users

Get-NetGPOGroup

# Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername srv.enumme.local

# Get machines where the given user is member of a specific group

Find-GPOLocation -UserName john -Verbose

# GPO applied on the target OU

(Get-NetOU targetmachine -FullData).gplink[LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local;0]
Get-NetGPO -ADSpath 'LDAP://cn={x-x-x-x-x},cn=policies,cn=system,DC=target,DC=domain,DC=local'
OU
# Get OUs in a domain

Get-NetOU -FullData
Get-ADOrganizationalUnit -Filter * -Properties *

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU

Get-NetGPO -GPOname "{x-x-x-x-x}"
Get-GPO -Guid x-x-x-x-x (GroupPolicy module)

# List all the computers in the target OU

Get-NetOU targetcomputer | %{Get-NetComputer -ADSPath $_}
ACL
# Get the ACLs associated with the specified object

Get-ObjectAcl -SamAccountName john -ResolveGUIDs
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs -Verbose
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs -Verbose

# Get the ACLs associated with the specified prefix to be used for search

Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

# We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs

(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=domain,DC=local').Access

# Get the ACLs associated with the specified LDAP path to be used for search

Get-ObjectAcl -ADSpath "LDAP://CN=Domain
Admins,CN=Users,DC=domain,DC=local" -ResolveGUIDs -Verbose

# Search for interesting ACEs

Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "target"}
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "targetgroup"}

# Get the ACLs associated with the specified path

Get-PathAcl -Path "\\DC01.domain.local\sysvol"
Domain Trusts
# Get a list of all domain trusts for the current domain

Get-NetDomainTrust
Get-NetForestDomain -Verbose
Get-NetDomainTrust -Domain fr.k71.test.local
Get-ADTrust
Get-ADTrust -Identity fr.k71.test.local

# Get details about the current forest

Get-NetForest
Get-NetForest -Forest domain.local
Get-ADForest
Get-ADForest -Identity domain.local

# Get all domains in the current forest

Get-NetForestDomain
Get-NetForestDomain -Forest domain.local
(Get-ADForest).Domains

# Map all the trusts of the domain.local forest

Get-NetForestDomain -Verbose | Get-NetDomainTrust

# Get all global catalogs for the current forest

Get-NetForestCatalog
Get-NetForestCatalog -Forest domain.local
Get-ADForest | select -ExpandProperty GlobalCatalogs

# Map trusts of a forest

Get-NetForestTrust
Get-NetForestTrust -Forest domain.local
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

# List external trusts

Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}

Privilege Escalation

https://www.bordergate.co.uk/windows-privilege-escalation/

Kerberoasting

You have an SPN service/user the attack works because by default any domain user can request a Ticket to these user's/services the Kerberos grant's a ticket, this ticket is later stored in memory and you can grab this ticket, save it offline and crack the hash file to gain clear-text credentials.

Tim Medin presented at DerbyCon 2014 a tool called Kerberoast which cracks Kerberoast TGS tickets, He determined that possession of a TGS service ticket encrypted with the RC4 provides the opportunity to take the ticket to a password-cracking computer (or cloud system) and an attempt to crack the service account's password. How does this work? Since the TGS Kerberos ticket is encrypted with RC4 encryption, that means the service account's password hash is used to encrypt the ticket. The cracking system loops through converts to NTLM, and attempts to open the TGS ticket. If the TGS ticket is opened, we know the clear text password and the NTLM password for the account.

In Summary

Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts with serviceprincipalName (SPN) values (i.e. service accounts). A user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and parts of the TGS may be encrypted with the RC4 using the password hash of the service account assigned the requested SPN as the key.

An adversary who can extract the TGS ticket from memory, or capture them by sniffing network traffic, can extract the service account's password hash and attempt an offline brute force attack to obtain the plaintext password.

Now will use a few methods to search for any Kerberoastable Users. This can be done with any domain user this attack is abused since any domain user can request a ticket for an SPN account we verify our domain account

<screenshot>

I will use Rubeus to locate Kerberoastable user's an OPSEC tactic to consider is using the /stats parameter this will only search for Kerberoastable Users on the current domain without requesting a Ticket to the DC.

Rubeus kerberoast /stats

<screenshot>

We can Enumerate the specific users of the Domain that are available for Kerberoast, the following command will enumerate users with a Service Principal Name.

SharpView.exe Get-DomainUser -SPN

<screenshot>

Now we can request the ticket from the users and choose the format-specific for our cracking tool which this preference would be hashcat

Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap

<screenshot>

Now with this available, we can crack the password offline utilizing hashcat, once sent to our cracking rig we can use wordlists to attack this hash and try cracking it with this one we managed to get the password by utilizing the RockYou wordlist with a ruleset.

hashcat.exe -m 13100 -a 0 hashes wordlist

<screenshot>

Unconstrained Delegation

Constrained Delegation

DCSync

Golden Tickets

Silver Tickets

Skeleton Keys

ADCS

NTLMRelay

AS-REPRoasting